Upon login, it still copies the usernames and their passwords (in encrypted form) to the jbp_users table if you follow the tutorial.
Ditto when you use LDAPExtUserModule, as in my example for Active Directory in the wiki.
Yes and no.
Basically, the reason for synchronization to the DB is that you cannot map all needed user properties to LDAP attributes. So in theory, you can:
1) Alter profile-config.xml and make all properties map to LDAP (it's tough, as the LDAP schema is limited)
2) In identity-config.xml, get rid of DelegatingUserProfileModuleImpl and just set up LDAPUserProfileModuleImpl as the main one.
With this, no synchronization will occur. But... if your only concern is about keeping user passwords in the DB, you can just set the 'randomSynchronizePassword' option and this will do the job. The DB will contain only a randomly generated password value. There is also 'defaultSynchronizePassword' - this value will be put in the database for every synchronized user. Actually, the reason for putting anything in the password field is that if anyone by accident enables such a synchronized database with the portal... But if you prefer, I can add a 'synchronizePassword' switch and let it just go with an empty value.
Look at the docs:
Random passwords are good enough for me, thanks!