Leave identity-config.xml untouched (DB configuration). In login-config.xml, comment out IdentityLoginConfig and use SynchronizingLoginModule or SynchronizingExtLoginModule with the options 'synchronizeIdentity' and 'synchronizeRoles' set to 'false'. Then you'll have to keep users between LDAP and DB in sync on your own.
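A quick way to confirm the two options really are off in a deployed login-config.xml, as an added example that is not part of the original post. It assumes the usual `login-module` / `module-option` element layout; the sample file is constructed and its package name is a placeholder, not the real class path.

```python
import xml.etree.ElementTree as ET

# Module class names as given in the post (matched on the last dotted component).
SYNC_MODULES = {"SynchronizingLoginModule", "SynchronizingExtLoginModule"}
SYNC_OPTIONS = ("synchronizeIdentity", "synchronizeRoles")

# Constructed sample: "placeholder.pkg" is NOT the real package name.
# synchronizeRoles is deliberately left on so the check has something to report.
SAMPLE_LOGIN_CONFIG = """<policy>
  <application-policy name="portal">
    <authentication>
      <login-module code="placeholder.pkg.SynchronizingLoginModule" flag="required">
        <module-option name="synchronizeIdentity">false</module-option>
        <module-option name="synchronizeRoles">true</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>"""


def check_sync_options(xml_text):
    """Return (module code, option, actual value) for each option not set to 'false'.

    A missing option is reported with value None, because the module's
    default then applies instead of the explicit 'false' the post asks for.
    Commented-out modules are ignored: the parser drops XML comments.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for module in root.iter("login-module"):
        code = module.get("code", "")
        if code.rsplit(".", 1)[-1] not in SYNC_MODULES:
            continue
        options = {opt.get("name"): (opt.text or "").strip()
                   for opt in module.findall("module-option")}
        for name in SYNC_OPTIONS:
            value = options.get(name)
            if value is None or value.lower() != "false":
                findings.append((code, name, value))
    return findings


if __name__ == "__main__":
    for code, name, value in check_sync_options(SAMPLE_LOGIN_CONFIG):
        print(f"{code}: {name} is {value!r}, expected 'false'")
```

An empty result means every synchronizing module found has both options explicitly set to 'false'.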