Since I had to look around to get an idea how to do it I'd decided to let others know how we solved that.
Scenario: We have a database (A) with userdata; users are added and deleted from that. The moderators of that db have nothing to do with moodle. We also have moodle, where the users from A take courses. Moodle moderators have no access to db A. The users have no email accounts, so when they forget their password it needs to be reset by a moodle moderator (users and moderators are online at the same time, so that's not the issue, also no access to the system from the internet). The easiest way to synchronize db A with moodle db seemed the external database authentication; run as cron and the moodle users table is always up to date. Problem: Resetting passwords (you can't change passwords in external db from within moodle - which is good ).
Solution: We wrote a script that grabs all the data that is needed for moodle (names etc) and saves that data to a new db. We generate what is needed (and isn't part of the data yet) like username, fake email and a password (using initials and birthdate here).
Then comes the sync-users script from moodle, getting all the data from that db and adding any users that are not yet in its db.
Finally a third script inserts the generated passwords into mdl_user table, changes the auth type in mdl_user to "manual" (it shows "db" for the external db auth mode on new entries) and adds an entry for each new arrival to user_preferrences with name "auth_forcepasswordchange" and value "1". That way each new user will have to change their password on first access.
All 3 scripts run via cron on daily basis.
It might not be the best solution (the new db isn't really needed, but the original db A contains very sensible data and that way data can be manipulated without endangering the original), but it works like a charm.
Maybe that gives other people an idea how something like that can be done.