14.3.7. Password Hashing

When the password of user is updated from Keycloak and sent to LDAP, it is always sent in plain-text. This is different from updating the password to built-in Keycloak database, when the hashing and salting is applied to the password before it is sent to DB. In the case of LDAP, the Keycloak relies on the LDAP server to provide hashing and salting of passwords.

Most of LDAP servers (Microsoft Active Directory, RHDS, FreeIPA) provide this by default. Some others (OpenLDAP, ApacheDS) may store the passwords in plain-text by default and you may need to explicitly enable password hashing for them. See the documentation of your LDAP server more details.