Currently when an LDAP server is connected to a Liferay bundle it is necessary to both Enable the LDAP Authentication and toggle the Required option for users to authenticate against the LDAP server. In certain situations toggling the Required option may not be a viable choice and using the Import feature may also not be viable (such as in clustering).
This presents a scenario where a user's password can be updated in the LDAP but, because LDAP authentication is not Required, their password does not update in the Liferay bundle. This occurs because the user authenticates against the Liferay bundle and not the LDAP. The Liferay bundle still has the "old" password, and the user can log into the Liferay bundle using that "old" password. It should be noted that if the user logs into the bundle using their new password, their information is updated, seemingly due to the LDAP being used as a backup when the user fails to authenticate against Liferay's stored password.
The requested feature is the capacity to optionally prioritize user authentication against either the LDAP or Liferay. Ideally this would be some form of rule that would allow specific users/roles/groups to be selected for the prioritized authentication.
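The following is an added example, not Liferay code: a small Python model of the behaviour described above (local check first, LDAP as backup, local store synced on success) next to the requested per-group "LDAP first" rule. The class names, the `ldap_first_groups` setting, the user and the passwords are all constructed for illustration.

```python
import hashlib, hmac, os

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Directory:
    """Credential store; used for both the LDAP stand-in and the local cache."""
    def __init__(self):
        self._creds = {}

    def set_password(self, user, password):
        salt = os.urandom(16)
        self._creds[user] = (salt, _hash(password, salt))

    def bind(self, user, password):
        if user not in self._creds:
            return False
        salt, digest = self._creds[user]
        return hmac.compare_digest(digest, _hash(password, salt))

class Portal:
    """Stand-in for the portal: local user store plus an LDAP connection."""
    def __init__(self, ldap, ldap_first_groups=()):
        self.ldap = ldap
        self.local = Directory()   # locally stored passwords
        self.groups = {}           # user -> set of group names
        self.ldap_first_groups = set(ldap_first_groups)  # hypothetical rule

    def login(self, user, password):
        ldap_first = bool(self.groups.get(user, set()) & self.ldap_first_groups)
        if ldap_first:
            # Requested behaviour: the directory alone decides.
            ok = self.ldap.bind(user, password)
        else:
            # Behaviour from the ticket: local check first, LDAP as backup.
            ok = self.local.bind(user, password) or self.ldap.bind(user, password)
        if ok:
            self.local.set_password(user, password)  # sync on success
        return ok

def demo(ldap_first_groups):
    """Change the password in LDAP only, then try the old and the new one."""
    ldap = Directory()
    portal = Portal(ldap, ldap_first_groups)
    ldap.set_password("alice", "old-pass")
    portal.local.set_password("alice", "old-pass")
    portal.groups["alice"] = {"finance"}
    ldap.set_password("alice", "new-pass")
    return portal.login("alice", "old-pass"), portal.login("alice", "new-pass")
```

With no prioritized groups the stale password is still accepted until the first login with the new one; with the user's group listed in `ldap_first_groups` the stale password is rejected immediately.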