If a user is authenticated via ldap then a corresponding mojoPortal siteUser is created in the database but we don't know any other information about the user such as name. We take a guess for the email I think at least with Active Directory. The user or an admin may need to update the account to correct the email or name.
When the site user is created in the database a random password is created with that row that could also be used to login if database authentication is also enabled along with ldap authentication. The user could obtain that password by password recovery. We don't store the ldap password anywhere.
If the users already has mojoportal accounts before you changed to ldap and if database authentication is also enabled then they can login also with the previous user accounts. When they later logged in with ldap nothing connected that with their previous accounts, a new mojoPortal account was created basedon the ldap authentication and nothing grants the new account any roles unless an admin does it whereas their previous accounts may have had roles previously granted.
You should be able to grant the needed roles to the new accounts that were created at the first ldap login for the user. Then you can delete their old account and update the ldap account with the email address that was on the users previous mojoportal account.
Not being able to edit the email is a separate issue. Is there anything unusual about the email address? Can you reproduce the problem by creating a user on our demo site and then editing the email?
It won't let you use the same email on more than one mojoportal account though so you cannot update the new user that uses ldap to have an email address that is already in use on a different mojoportal user account so you would have to delete that old user to do it.
Hope that helps,