Sync user federation ldap passwords with keycloak local user store

I’m trying to figure out the best way to approach this.

I have our legacy LDAP configured in User Federation and have all users imported into Keycloak’s user store. I’ve noticed that if I click the “Unlink users” button it unlinks all the users as expected. What I didn’t expect was that the users’ existing passwords that were set in the legacy LDAP no longer work for those users. Let’s say I have thousands of users. I don’t want to have to send a password reset to all those users.

Is there a way to sync the LDAP passwords with Keycloak’s local user store before I unlink the users?

My understanding is the answer is no. Apparently it is not possible to pull the passwords from LDAP, and this is a technical limitation.

Keycloak has other issues too when unlinking users, we just found out. It removes all their client roles. I opened a bug for this. This is a show-stopper bug for us. I guess Keycloak’s LDAP provider implementation isn’t really meant for migrating users and then turning it off.

Ugh. So I guess the best way to do this would be to first migrate all users from the legacy LDAP to a new LDAP, federate that LDAP, and just continue to use that user federation.