There are another issue here : I think webserver and LDAP (or other plugin) don't need user->password or user->email.

I think it's better if we remove the rules for required email and password. Only username must be required.

First of all, I think the email synchronization from LDAP may be useful( in case you cant to contact users from a group, ...).

As for the password synchronization to the internal LS DB is concerned, some person would argue that it could be useful as a last resort login option when the LDAP directory is offline. Howerve I'm against this option, because it is a security hole, and because a directory must be online 24H/24H (with redundancy of course).

@lemeur : i think user can allow 'local' logins or disallow. Maybe in external plugin but have a way to do it.

mdekker have some idea for this one with a combination of the 2 system.

Ok, by reading agin more carefully the ticket description, I see that the issue is more related to the fact that an ldap-user can 'update' his personal data inside LS-db when, in fact, they should only be synchronized from LDAP.
Idea1 maybe easier to implement: it would enforce both login from a given plugin, and exclusive Data-Update from a given plugin.

Quick fix (tested) : deactivate newLoginForm , this allow to use remote control with LS core access, but disallow HTTP login.

NOt great but it's a solution

I add this in my WordPress autoLogin:

    if($this->get('authwp_cookies') && $this->get('authwp_default') && $this->get('authwp_redirect')){

        $sRedirectUrl=$this->get('authwp_redirect');
        if(in_array(parse_url($sRedirectUrl, PHP_URL_SCHEME),array('http','https'))){
            if(filter_var($sRedirectUrl, FILTER_VALIDATE_URL) !== false){
                //header('Status: 401 Unauthorized', false, 401);
                header("Location: $sRedirectUrl");
                exit();
            }
        }
    }

This disallow connexion via LS auth

Fix committed to 2.06 branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=15026