Description
The new LdapUserPasswordCredentialManager can be used as a replacement for the standard (database-only) UserPasswordCredentialManager and automatically handles LDAP-based authentication.
When this LdapUserPasswordCredentialManager is used, the LdapAuthenticationProvider does not need to be configured (it still remains useful for read-only LDAP configurations).
PasswordCredential maintenance is handled as a wrapped/layered solution on top of the standard database store, supporting creation and updating of LDAP passwords while simultaneously tracking them in the database.
For LDAP password encoding, a new LdapCredentialPasswordEncoder is provided which supports (Unix) CRYPT, SHA, SSHA, MD5 and SMD5 hashing.
This LDAP password encoder can also be used for persistent storage in the database, or an alternative encoder can be configured.
The encoding algorithms have been borrowed and adapted from the Apache Directory Studio project.
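To make the encoding formats concrete, the following is an added, self-contained Python example (not the project's LdapCredentialPasswordEncoder, nor code from Apache Directory Studio) that produces and verifies RFC 2307-style userPassword values for the SHA, SSHA, MD5 and SMD5 schemes listed above. The function names, the 8-byte random salt length, and the `SCHEMES` table are this example's own choices; the (Unix) CRYPT scheme is deliberately left out because its implementation is platform-specific. The point worth seeing is the salted layout: the digest is computed over password + salt and the salt is appended after the digest inside the base64 payload, so a verifier can recover it; and the comparison is constant-time.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Scheme name -> (hash constructor, whether the scheme carries a salt).
# Salted schemes (SSHA/SMD5) store base64(digest || salt); unsalted ones
# store base64(digest). Unsalted MD5/SHA are legacy and offer no protection
# against precomputed tables, so prefer a salted scheme for new entries.
SCHEMES = {
    "SHA": (hashlib.sha1, False),
    "SSHA": (hashlib.sha1, True),
    "MD5": (hashlib.md5, False),
    "SMD5": (hashlib.md5, True),
}

SALT_LEN = 8  # assumption of this example; the salt length is not fixed by the format


def encode_ldap_password(password: str, scheme: str = "SSHA",
                         salt: Optional[bytes] = None) -> str:
    """Return a userPassword value such as '{SSHA}<base64>'.

    For salted schemes the digest is hash(password + salt) and the salt is
    appended to the digest before base64 encoding. A caller normally leaves
    `salt` as None so a fresh random salt is drawn per password.
    """
    scheme = scheme.upper()
    try:
        ctor, salted = SCHEMES[scheme]
    except KeyError:
        raise ValueError("unsupported scheme: " + scheme) from None
    pwd = password.encode("utf-8")
    if salted:
        if salt is None:
            salt = os.urandom(SALT_LEN)
        payload = ctor(pwd + salt).digest() + salt
    else:
        payload = ctor(pwd).digest()
    return "{" + scheme + "}" + base64.b64encode(payload).decode("ascii")


def split_stored_value(stored: str) -> Optional[Tuple[str, bytes]]:
    """Parse '{SCHEME}base64' into (SCHEME, raw payload), or None if malformed."""
    if not stored.startswith("{") or "}" not in stored:
        return None
    scheme, _, b64 = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        return None
    try:
        payload = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    return scheme, payload


def verify_ldap_password(password: str, stored: str) -> bool:
    """Check a candidate password against a stored userPassword value.

    Returns False (never raises) for unknown schemes, bad base64 or a payload
    that is too short, so a corrupt directory entry cannot turn into an
    exception path in the login flow.
    """
    parsed = split_stored_value(stored)
    if parsed is None:
        return False
    scheme, payload = parsed
    ctor, salted = SCHEMES[scheme]
    digest_len = ctor().digest_size
    pwd = password.encode("utf-8")
    if salted:
        if len(payload) <= digest_len:
            return False  # no room for a salt after the digest
        digest, salt = payload[:digest_len], payload[digest_len:]
        candidate = ctor(pwd + salt).digest()
    else:
        if len(payload) != digest_len:
            return False
        digest = payload
        candidate = ctor(pwd).digest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed demonstration values, not taken from any real directory.
    for name in SCHEMES:
        value = encode_ldap_password("secret", name)
        print(name, value, verify_ldap_password("secret", value),
              verify_ldap_password("wrong", value))
```

Because the salt is stored in the clear after the digest, two SSHA encodings of the same password differ unless the same salt is supplied; a verifier must therefore always recover the salt from the stored value rather than re-encode and compare strings.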
As the LdapUserPasswordCredentialManager fully supports the UserPasswordCredentialPolicyManager (with regard to the database representation of the PasswordCredential), all features such as credential pre/post processing, (custom) password validation interceptors, etc. can be leveraged for LDAP too.
Password changes can be configured to be executed through the administrative LDAP account (the default) or only by the current user. The latter is useful for LDAP environments that enforce this as a requirement.
Note: this implementation does not support Active Directory, which requires special (additional) handling, but the needed "hooks" are already provided so that this implementation can be extended for that purpose.