Here’s the problem.
We have connected a Windows AD as a source for Keycloak in ReadOnly mode.
Due to a migration from openLDAP to Windows AD, the passwords of all existing users in LDAP are now stored as an SSHA hash in the userPassword field (as they were before in openLDAP). I can also see this field when communicating directly via the LDAP protocol (for example with Apache Directory Studio).
But Windows itself manages the passwords separately. I don’t see this field in LDAP for the time being. Also, if I try to authenticate via Keycloak, the password in userPassword is ignored; instead Keycloak accepts only the password set via Windows AD.
This means that we now have to ask all our users to set up a new password when we activate the login via Keycloak.
Is there a way to not let Keycloak use the Windows AD password for password verification, but instead use the userPassword LDAP field with the SSHA hash? In other words, is there any type of password mapper or a configuration change in Keycloak to define which field is the password field?
Thanks in advance.
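For anyone who wants to check what is actually sitting in that attribute, here is an added Python example (not from the original post) that verifies a candidate password against an OpenLDAP-style `{SSHA}` userPassword value, i.e. base64(sha1(password + salt) + salt) with the salt appended after the 20-byte digest. The directory entry is constructed for the example and mimics what an LDAP client returns (attribute name mapped to a list of byte values).

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # SHA-1 digest length in bytes; the salt is everything after it


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Return True if `password` matches the {SSHA} hash `stored`.

    Rejects values that are not {SSHA}, are not valid base64, or are too
    short to contain a SHA-1 digest. Comparison is constant-time.
    """
    if not stored.startswith(SSHA_PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(SSHA_PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) < SHA1_LEN:
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def verify_ldap_entry(entry: Dict[str, List[bytes]], password: str) -> bool:
    """Check `password` against every userPassword value of an LDAP entry.

    LDAP clients return attribute values as lists of bytes; userPassword may
    be multi-valued, so accept the password if any value matches.
    """
    for value in entry.get("userPassword", []):
        if verify_ssha(password, value.decode("utf-8", "replace")):
            return True
    return False


# Constructed sample entry: a migrated user whose hash still carries the
# openLDAP salt (fixed here so the example is deterministic).
SAMPLE_ENTRY: Dict[str, List[bytes]] = {
    "sAMAccountName": [b"jdoe"],
    "userPassword": [make_ssha("correct horse battery", b"saltsalt").encode("ascii")],
}
```

Running `verify_ldap_entry(SAMPLE_ENTRY, "correct horse battery")` returns True while any other password returns False; an AD bind with that same user would still only honour the password AD stores on its own side, which is exactly the gap the question describes.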