[midPoint] Initial LDAP password after import

Luca luca at verardo.ch
Tue Jan 16 08:59:35 CET 2024


Dear midPoint community,

I currently have a configured OpenLDAP resource that syncs users and entitlements using the ou=People architecture.

I can successfully import users into the midPoint internal repository.

However, I was not able to understand how midPoint manages the initial password sync. Since OpenLDAP stores the password with SSHA, it's of course impossible for midPoint to access the raw value.

For example, after the user is imported, I tried to log in with it. I was expecting that it would not work since the password is not yet in the midPoint repository. However, I thought it would try to bind to the LDAP user, check if it works and then also save the password in the internal repository.

I have then set up flexible authentication with the LDAP Auth module. I was able to log in with the new user and it was successfully linked to the internal user. The problem is that even with that, I cannot change the user's password.

midPoint will say "incorrect old password. Password was not changed".

Would it be possible to understand how midPoint can save the user's password after an import?

Thanks a lot in advance!

Best regards,
Luca

