User password not read from LDAP


While running on Keycloak 8.0.1, I am encountering a strange issue with federated LDAP users.
When I create a new user with a temporary password, the user is created in LDAP correctly.
At the first login, the user has to change his password and the new password is properly stored in LDAP too (checked using an LDAP browser).
But when trying to log in for the 2nd time, the new password is not accepted.
When trying to log in using the temporary password, this still works, but the user is not prompted to change it.

My guess is that Keycloak stores the password in its own database and uses it during authentication instead of retrieving the password from LDAP.

Hopefully someone can direct me to the correct solution to solve this issue.

Thanks in advance!


It is a known issue that has been addressed in later versions of Keycloak.

Try upgrading to Keycloak 10.x