Keep LDAP as backend and use Keycloak for SAML, OIDC, user-facing console etc. OpenLDAP is not going anywhere and keeping multiple hashes is not a common feature.
If it's enough you can plug in any hash algorithm into Keycloak.
When it comes to LDAP integration, Keycloak doesn't even store the password hashes itself, it sends them straight to the LDAP server to be hashed on both update and login.
Generally speaking you never, ever want to pull password hashes out of your LDAP server - and most will fight you tooth and nail when you try.