That depends on your authentication mechanism and authorisation model.

• If you have a small number of users it's a non-issue.
• If you have a larger number of users but small number of database users (aka authorisation groups) the HTTP user should not be identical with your webapp user, instead you have one apache user for each level of authorisation you want to give. You receive the HTTP authentication header, use your own method of authenticating the user, then set the HTTP user to be your database/system user. That way, you can have a different HTTP user for, say, admin, user and guest and each of these will only have access to their own database passwords.
• If you have a large number of database users you are entirely correct, my solution doesn't scale and you should do something else.