Too many LDAP user federation connections


We are using user federation with an LDAP user storage provider. This has Periodic Full sync enabled and Use Kerberos for Password Authentication active.

I assumed that Keycloak would then get most data from the (database) storage and not go to LDAP. Not even for passwords, as we have Kerberos enabled here and active in the authentication flow for the browser.
However, there is very frequent LDAP communication.
Why is that? Can we get Keycloak to primarily use the database and Kerberos for password authentication and not use LDAP outside of scheduled syncs?

Any hints are appreciated.

Thanks, Karl