Validate passwords using LDAP password policy #8656
Leonardo19897 started this conversation in Ideas
Replies: 0 comments
When a User is stored in an LDAP server it would be nice if the password change could be additionally validated using the Password Policy currently implemented by the LDAP server; using an LDAP provider the password is stored only on the LDAP server and not in the Keycloak DB, therefore it's impossible to use the "Not recently used" policy provided by Keycloak.
As of now Keycloak binds to the LDAP server using the directory manager credentials, thus allowing it to bypass any existing password policy. My suggestion would be to differentiate password updates on the basis of the requester; if the operation has been requested by an admin we use the current workflow, otherwise we bind using the current User credentials, forcing the new password to be verified by the LDAP server. Finally, a new mapper would be required to parse any errors coming from the LDAP server.
I've already coded a working implementation of the proposed change, which can be found at: https://github.com/mobimesh/keycloak
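The following is an added illustration of the requester-based bind selection described in the proposal, written against plain JNDI; it is not code from Keycloak or from the linked fork. The class name, the `Result` enum, the connection settings and the user DNs are assumptions. An admin-requested change binds with the directory manager (the current workflow), while a self-service change binds as the user with their current password, so the modify of `userPassword` is subject to the server's own password policy (history, quality, minimum age) and the server's rejection is mapped to a result the caller can report.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.InvalidAttributeValueException;
import javax.naming.directory.ModificationItem;

/** Hypothetical helper: chooses the bind identity from the requester and updates userPassword. */
public class LdapPasswordUpdate {

    /** Outcome handed back to the caller (what the proposed error mapper would produce). */
    public enum Result { UPDATED, POLICY_REJECTED, BAD_CURRENT_PASSWORD, LDAP_ERROR }

    // Assumed connection settings; in a real deployment these come from the provider config.
    private final String url;           // e.g. "ldaps://ldap.example.test:636" (placeholder)
    private final String adminDn;       // directory manager DN used by the current workflow
    private final String adminPassword;

    public LdapPasswordUpdate(String url, String adminDn, String adminPassword) {
        this.url = url;
        this.adminDn = adminDn;
        this.adminPassword = adminPassword;
    }

    /**
     * requestedByAdmin == true  -> bind as directory manager (existing behaviour; policy is bypassed).
     * requestedByAdmin == false -> bind as the user with currentPassword, so the LDAP server
     *                              applies its password policy to the new value.
     */
    public Result changePassword(String userDn, String currentPassword,
                                 String newPassword, boolean requestedByAdmin) {
        String bindDn = requestedByAdmin ? adminDn : userDn;
        String bindPw = requestedByAdmin ? adminPassword : currentPassword;

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPw);

        DirContext ctx = null;
        try {
            // Simple bind happens here; wrong user credentials fail before anything is modified.
            ctx = new InitialDirContext(env);
            ModificationItem[] mods = {
                new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                        new BasicAttribute("userPassword", newPassword))
            };
            ctx.modifyAttributes(userDn, mods);
            return Result.UPDATED;
        } catch (AuthenticationException e) {
            // Self-service path only: the supplied current password did not bind.
            return Result.BAD_CURRENT_PASSWORD;
        } catch (InvalidAttributeValueException e) {
            // JNDI maps LDAP result 19 (constraintViolation) here; password-policy overlays
            // use it for history, quality and minimum-age rejections. e.getMessage() carries
            // the server's diagnostic text, which a mapper can translate for the end user.
            return Result.POLICY_REJECTED;
        } catch (NamingException e) {
            return Result.LDAP_ERROR;
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }
}
```

Usage from the self-service path would be `changePassword(userDn, currentPassword, newPassword, false)`; the admin path passes `true` and never needs the user's current password. Two things to check on the directory side before relying on this: the ACLs must let a user write their own `userPassword` (for OpenLDAP, an access rule with `by self write` on that attribute), and the self-bind must go over TLS, since the user's current password travels in the simple bind. Directories that only enforce policy through the Password Modify extended operation (RFC 3062) need that operation instead of an attribute replace.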