When using LDAP authentication, every time a new user logs in, his/her account type is marked as "External" and "Enabled." If an administrator clicks on the user account and makes any changes -- assign/remove roles, edit e-mail address, etc. -- the user account changes to "Disabled." This affects reports scheduled by that user as well as write access for the user regardless of his/her role. There is currently no way to re-enable the user (other than deleting the account).
The only half-way work-around I found to add/remove roles was to go to the role itself and add or remove the user, instead of going to the user and adding/removing the role. This is only an interim fix and it does not provide a work-around for the user's e-mail address. Just a spawn request: there should be a way to import the user's e-mail address from LDAP.