The caching realm seems to work as advertised with open ldap and Red Hat Directory Server when I add a user-password-mapper after setting:
<user-password-mapper from="userPassword" writable="true" verifiable="true" />
When I change the password in LDAP, the caching realm reacts, and I can login with the new password. Also when I call `set-password`:
It changes the password correctly in LDAP.
Neither of these work in Active Directory. Active Directory stores the password, by default using the field "UnicodePwd" rather than "userPassword", so I tried having them map the user password to that field:
But it can't set the password because the password code needs to write it with a different character set when writing to Active Directory. See the difference between the code in ldap/UserPasswordCredentialLoader.java and the special case for Active Directory in Keycloak:
It can't react to external changes to the directory because Active Directory doesn't support the listening mechanism used.
There is a potential to be able to change the Active Directory settings so "userPassword" runs in compatibility mode, but that's not a normal thing to be able to do in most environments.
Keycloak - AD UnicodePWD: https://github.com/keycloak/keycloak/blob/e12c245355f5fcbabab4a6807a9975fd8c7b04de/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/store/ldap/LDAPIdentityStore.java#L320
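To make the "different character set" point concrete, here is an added example (my own illustration, not code from the report above, from WildFly Elytron or from Keycloak) that shows what bytes a password mapper has to produce for each attribute. It assumes the standard behaviour of the two directories: `userPassword` on OpenLDAP / Red Hat DS takes the plain UTF-8 string, while `unicodePwd` on Active Directory requires the password wrapped in double quotes and encoded as UTF-16LE, which is the transformation Keycloak's AD special case performs. The function and directory-type names are hypothetical.

```python
# Added example: encoding a password for userPassword (OpenLDAP / RHDS)
# versus unicodePwd (Active Directory). Names are hypothetical; the
# encodings are the documented requirements of each directory.

def encode_user_password(password: str) -> bytes:
    """Bytes a mapper writes to userPassword: the plain UTF-8 string."""
    return password.encode("utf-8")


def encode_unicode_pwd(password: str) -> bytes:
    """Bytes a mapper must write to unicodePwd on Active Directory:
    the password enclosed in double quotes, encoded as UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(raw: bytes) -> str:
    """Inverse of encode_unicode_pwd, used here to check the format.
    Raises ValueError if the value is not a quoted UTF-16LE string."""
    text = raw.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd must be a double-quoted UTF-16LE string")
    return text[1:-1]


def password_attribute_change(directory: str, password: str) -> tuple:
    """Return (attribute_name, value_bytes) for an LDAP modify-replace.
    'directory' is a hypothetical switch: "openldap", "rhds" or "ad".
    Writing unicodePwd with the userPassword bytes (UTF-8, no quotes) is
    exactly the mistake that makes set-password fail against AD; AD also
    only accepts the write over a TLS-protected connection."""
    if directory in ("openldap", "rhds"):
        return ("userPassword", encode_user_password(password))
    if directory == "ad":
        return ("unicodePwd", encode_unicode_pwd(password))
    raise ValueError(f"unknown directory type: {directory}")


if __name__ == "__main__":
    # Constructed sample password; shows the byte-level difference.
    for d in ("openldap", "ad"):
        attr, value = password_attribute_change(d, "Passw0rd")
        print(d, attr, value)
```

Running the block prints the same password as `b'Passw0rd'` for `userPassword` and as the quoted, two-bytes-per-character UTF-16LE value for `unicodePwd`; a mapper that simply retargets `from="userPassword"` to `unicodePwd` sends the former bytes where AD expects the latter, which is why the write is rejected.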