The caching realm seems to work as advertised with open ldap and Red Hat Directory Server when I add a user-password-mapper after setting:

<user-password-mapper from="userPassword" writable="true" verifiable="true" />

When I change the password in LDAP, the caching realm reacts, and I can login with the new password. Also when I call `set-password`:

/subsystem=elytron/ldap-realm=ldap-realm:set-password(identity=testUser, clear=

)

It changes the password correctly in LDAP.

Neither of these work in Active Directory. Active Directory stores the password, by default using the field "UnicodePwd" rather than "userPassword", so I tried having them map the user password to that field:

/subsystem=elytron/ldap-realm=ldap-realm:write-attribute(name=identity-mapping.user-password-mapper.from, value=UnicodePwd)

But it it can't set the password because the password code needs to write it with a different character set when writing to active directory. See the different between the code in ldap/UserPasswordCredentialLoader.java and in the special case for Active Directory in Keycloak[1]

It can't react to external changes to the directory because Active Directory doesn't support the listening mechanism used.

There is a potential to be able to change the active directory settings so "userPassword" runs in compatibility mode[2], but that's not a normal thing to be able to do is most environments.

[1] Keycloak - AD UnicodePWD https://github.com/keycloak/keycloak/blob/e12c245355f5fcbabab4a6807a9975fd8c7b04de/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/store/ldap/LDAPIdentityStore.java#L320
[2] https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/f3adda9f-89e1-4340-a3f2-1f0a6249f1f8