Offline LDAP authentication

LDAP user federation works a treat, as long as the KeyCloak server can connect to the AD server. However, my KeyCloak servers will be off-site with an unreliable VPN connection to AD. Now, I’m looking for a credentials caching mechanism to allow user authentication while AD is offline.
Is there a way to cache the last successful login credentials for each federated user, like the way a Windows client will authenticate any user it has previously seen?

I’ve already looked into using OpenLDAP as a proxy, but it seems over-complicated and I couldn’t get it to work anyway.
Can anyone point me in the right direction?

Thank you!

In my research, I have come across SSSD and FreeIPA. It seems that SSSD is able to store LDAP credentials, and there is also a way to federate SSSD into KeyCloak.

Have any of you tried such a setup?

Active Directory > SSSD > KeyCloak

Any hints for best practice would be appreciated!
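As an added illustration of the Active Directory > SSSD > KeyCloak chain mentioned above (this is example configuration, not from the original post or from the Keycloak or SSSD projects), the piece that gives you offline logins is SSSD's own credential cache: with `cache_credentials` enabled, a user who has authenticated once while AD was reachable can authenticate again from the local cache when the VPN is down, and the `[pam]` settings bound how long and how many failed attempts that cache tolerates. The domain name `example.com` is a placeholder for your AD domain; Keycloak's SSSD federation provider talks to SSSD over D-Bus, so the `ifp` responder must be enabled as well.

```ini
# /etc/sssd/sssd.conf  (example; must be mode 0600, owned by root)

[sssd]
config_file_version = 2
domains = example.com
# ifp (InfoPipe) is the D-Bus responder Keycloak's SSSD federation uses
services = nss, pam, ifp

[domain/example.com]          ; example.com is a placeholder for your AD domain
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.COM

# Core of the "offline" requirement: keep a hash of the last successful
# password so the user can still log in when AD is unreachable.
cache_credentials = True
# Also keep the password so a Kerberos TGT can be fetched once AD returns.
krb5_store_password_if_offline = True

[pam]
# Cached credentials stop working this many days after the last online
# login (0 would mean never expire; keep it bounded for stolen-host risk).
offline_credentials_expiration = 7
# Lock the cached entry after 3 offline failures for 5 minutes, so the
# local cache cannot be brute-forced freely while AD is down.
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[ifp]
# Keycloak queries SSSD as this (placeholder) system user over D-Bus
allowed_uids = keycloak, root
```

Verify the cache behaviour before trusting it: log in once with the VPN up, then block the AD traffic and check that `sssctl domain-status example.com` reports the domain offline while a PAM login for the same user still succeeds.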