This behavior is by design. Accepting multiple credentials for the same account allows non-disruptive transition from database to LDAP authentication. It's also important for site administrators (at a minimum) to have an alternate authentication means, in case the LDAP server goes down or its configuration changes. The documentation should clarify the fact that LabKey attempts to authenticate every login using all configured mechanisms.

If you want to proactively prevent LDAP users from using their database passwords you can delete the appropriate rows from core.Logins.

Adam