Currently, Keycloak uses the UPDATE_PASSWORD required action for two different operations:

1. Password reset
2. Password change

Keycloak performs password updates through the updateCredential interface method, which for Active Directory results in a REPLACE_ATTRIBUTE(newPassword) operation on unicodePwd.

Problem is that this requires extra permissions for the service account.
A password change in AD can be performed using REMOVE_ATTRIBUTE(oldPassword) + ADD_ATTRIBUTE(newPassword) of unicodePwd, which does not require elevated permissions for the service account.

It is currently also assumed that to change a password in AD, the edit mode must be WRITABLE
Keycloak also writes to the pwdLastSet and userAccountControl attributes after a password change, which should not be needed I think, aren't they always updated automatically after a password update?

Users should be able to change their own password through the account console at any time, or be forced to by Keycloak when Active Directory returns an error code for "expired" (532) or "must reset" (773), this should not require special permissions for the service account in use, the authentication currently fails when the edit mode is not set to WRITABLE (onAuthenticationFailure returns false in MSADUserAccountControlStorageMapper)

Proposed enhancement:

• new required action: CHANGE_PASSWORD
  • initially as a preview feature
  • configurable to set when CHANGE_PASSWORD should be used instead of UPDATE_PASSWORD:
    • temporary passwords
    • expired passwords (expired through password policy in Keycloak, or for AD: when error code 532 is returned after authentication)
    • self service requests: this would currently be through the "updateAction" that is returned by the account/credentials endpoint (getCredentialTypeMetadata method in PasswordCredentialProvider)
• new interface method: changeCredentials(..., oldCredential, newCredential)

To be able to update and/or change passwords without needing the edit mode to be writable, 2 additional config settings can be added to the ldap provider, for example:

• allow password update in any edit mode
• allow password change in any edit mode

These would then be used together with the check for WRITABLE (in updateCredential and changeCredential implementation of LDAPStorageProvider)
processAuthErrorCode in MSADUserAccountControlStorageMapper and MSADLDSUserAccountControlStorageMapper will also be changed to not only check for WRITABLE

When both required actions are present during an authentication session, the first one (based on priority) will be executed, the second one will be ignored and removed if present on the user object.

Goals are:

• have a clear separation between password reset and change operations
• prevent unnecessary service account privileges where possible (reset password, write permissions)
• avoid unnecessary attribute updates in AD (e.g. pwdLastSet, userAccountControl)
• remove dependency on LDAP WRITABLE edit mode if we only want to be able to change and/or update(reset) passwords

If this change, or a modified version based on feedback is acceptable, I could work on a (draft) pull request for this.