Taken from

• http://www.atlassian.com/software/jira/docs/v3.13/ldap.html

Technically, this behaviour is due to Credentials (password) checking being a separate operation to user-profile lookups. The profile can be loaded from the JIRA database, but the password looked up from LDAP. Furthermore, multiple credentials providers can be specified (here, LDAP and OSUser), and if one fails, the other will be used. This allows non-LDAP users to log in with their JIRA password.

The entire page is difficult to understand, but in the bolded section how about we just say, if the LDAP lookup fails, then the local JIRA credentials will be used. The way we set up LDAP means that you must have LDAP provider set up before the JIRA provider, so we should make it clearer which will be used first.