Ok, after testing some more, it seems things DO work.
Unexpectedly for us, for password changes for END-USERS to work, the
keycloak AD service account needs "Domain Admins" permissions.
We expected the end-user password change to be done logged on *as* the
end-user himself, with a delete and an add operation. No need
for Domain Admin access level.
This is what Microsoft says on that subject:
There are two possible ways to modify the unicodePwd attribute. The
first is similar to a normal "user change password" operation. In
this case, the modify request must contain both a delete and an add
operation. The delete operation must contain the current password
with quotes around it. The add operation must contain the desired new
password with quotes around it.
The second way to modify this attribute is analogous to an
administrator resetting a password for a user. In order to do this,
the client must bind as a user with sufficient permissions to modify
another user's password. This modify request should contain a single
replace operation with the new desired password surrounded by quotes.
If the client has sufficient permissions, this password becomes the
new password, regardless of what the old password was.
Anyway: the password change works for us (on samba AD) too. Thanks.
Best regards,
MJ
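The two unicodePwd modify forms quoted above differ in what the bound principal needs: the delete-plus-add form is done while bound as the user (no administrative rights), the single replace form needs a principal with reset-password rights. The following is an added illustration, not code from the message or from Keycloak, and uses only the Python standard library so it runs offline. It encodes the password the way Active Directory expects (quoted, UTF-16LE) and emits both modify requests as LDIF; the DN and passwords are constructed sample values, and the ldap3-style change dictionaries are an assumption about that library's constants.

```python
"""Build the two Active Directory unicodePwd modify operations as LDIF.

Method 1 (user change password): delete old value + add new value in one modify.
Method 2 (administrator reset):  single replace with the new value.
Standard library only; sample DN and passwords are constructed for the demo.
"""
import base64


def encode_unicode_pwd(password: str) -> bytes:
    """AD expects the password wrapped in double quotes and encoded as UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of encode_unicode_pwd, useful for checking what a client sent."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not a quoted UTF-16LE string")
    return text[1:-1]


def _ldif_binary(attr: str, value: bytes) -> str:
    # Binary values go into LDIF base64-encoded with the '::' separator.
    return f"{attr}:: {base64.b64encode(value).decode('ascii')}"


def user_change_password_ldif(dn: str, old_password: str, new_password: str) -> str:
    """Method 1: the modify carries both a delete (old) and an add (new).

    The directory verifies the deleted value against the current password,
    so this works when bound as the user itself; no admin rights needed.
    """
    lines = [
        f"dn: {dn}",
        "changetype: modify",
        "delete: unicodePwd",
        _ldif_binary("unicodePwd", encode_unicode_pwd(old_password)),
        "-",
        "add: unicodePwd",
        _ldif_binary("unicodePwd", encode_unicode_pwd(new_password)),
        "-",
    ]
    return "\n".join(lines) + "\n"


def admin_reset_password_ldif(dn: str, new_password: str) -> str:
    """Method 2: a single replace; the old password is not checked.

    Requires binding as a principal that holds reset-password rights on the
    target user, which is why a service account used this way needs privileges
    that method 1 does not.
    """
    lines = [
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        _ldif_binary("unicodePwd", encode_unicode_pwd(new_password)),
        "-",
    ]
    return "\n".join(lines) + "\n"


def ldap3_user_change(old_password: str, new_password: str) -> dict:
    """Same operations expressed as an ldap3 'changes' dict (assumed string
    constants MODIFY_DELETE / MODIFY_ADD as used by that library)."""
    return {
        "unicodePwd": [
            ("MODIFY_DELETE", [encode_unicode_pwd(old_password)]),
            ("MODIFY_ADD", [encode_unicode_pwd(new_password)]),
        ]
    }


if __name__ == "__main__":
    # Constructed sample values for the demo.
    sample_dn = "CN=Jane Doe,OU=Users,DC=example,DC=local"
    print(user_change_password_ldif(sample_dn, "OldPassw0rd!", "NewPassw0rd!"))
    print(admin_reset_password_ldif(sample_dn, "NewPassw0rd!"))
```

Either LDIF can be fed to a tool such as ldapmodify over an LDAPS or sealed connection (AD refuses unicodePwd changes over a cleartext session). The practical consequence of the two forms for a Keycloak-style integration is that the service account only needs reset rights if the integration uses the replace form; a delete-plus-add bound as the user needs no elevated account.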