As said on IRC:
<nickvergessen> well this all is strange anyway
<nickvergessen> e.g. ldap should not allow to reset the password
<nickvergessen> and stuff like that
<nickvergessen> so maybe we should just not touch it
<nickvergessen> and wait for it to be fixed by a rework on the architecture

Especially: the password_manager (which is used only in login) shouldn't be required in the constructor. And ldap auth shouldn't require it at all (like apache auth)