diff --git a/lib/puppet/provider/keystone_user/openstack.rb b/lib/puppet/provider/keystone_user/openstack.rb
index 6dcf99586..6c8d04aa2 100644
--- a/lib/puppet/provider/keystone_user/openstack.rb
+++ b/lib/puppet/provider/keystone_user/openstack.rb
@@ -62,6 +62,8 @@ Puppet::Type.type(:keystone_user).provide(
     return nil if resource[:password] == nil
     # if the user is disabled then the password can't be changed
     return resource[:password] if resource[:enabled] == :false
+    # if replacing password is disabled, then don't change it
+    return resource[:password] if resource[:replace_password] == :false
     # we can't get the value of the password but we can test to see if the one we know
     # about works, if it doesn't then return nil, causing it to be reset
     endpoint = nil
@@ -157,6 +159,14 @@ Puppet::Type.type(:keystone_user).provide(
     end
   end
 
+  def replace_password
+    instance(resource[:name])[:replace_password]
+  end
+
+  def replace_password=(value)
+    @property_flush[:replace_password] = value
+  end
+
   def email=(value)
     @property_flush[:email] = value
   end
diff --git a/lib/puppet/type/keystone_user.rb b/lib/puppet/type/keystone_user.rb
index e27f14cd6..ce3a5623d 100644
--- a/lib/puppet/type/keystone_user.rb
+++ b/lib/puppet/type/keystone_user.rb
@@ -61,6 +61,14 @@ Puppet::Type.newtype(:keystone_user) do
     end
   end
 
+  newparam(:replace_password) do
+    newvalues(/(t|T)rue/, /(f|F)alse/, true, false)
+    defaultto(true)
+    munge do |value|
+      value.to_s.downcase.to_sym
+    end
+  end
+
   autorequire(:keystone_tenant) do
     self[:tenant]
   end
diff --git a/spec/unit/provider/keystone_user/openstack_spec.rb b/spec/unit/provider/keystone_user/openstack_spec.rb
index 2f8c95143..51d1dfce2 100644
--- a/spec/unit/provider/keystone_user/openstack_spec.rb
+++ b/spec/unit/provider/keystone_user/openstack_spec.rb
@@ -250,5 +250,39 @@ username="foo"
       password = provider.password
       expect(password).to eq(nil)
     end
+
+    describe 'when updating a user with unmanaged password' do
+
+      let(:user_attrs) do
+        {
+          :name             => 'foo',
+          :ensure           => 'present',
+          :enabled          => 'True',
+          :password         => 'foo',
+          :replace_password => 'False',
+          :tenant           => 'foo',
+          :email            => 'foo@example.com',
+          :auth             => {
+            'username'      => 'test',
+            'password'      => 'abc123',
+            'tenant_name'   => 'foo',
+            'auth_url'      => 'http://127.0.0.1:5000/v2.0',
+          }
+        }
+      end
+
+      let(:resource) do
+        Puppet::Type::Keystone_user.new(user_attrs)
+      end
+
+      let :provider do
+        provider_class.new(resource)
+      end
+
+      it 'should not try to check password' do
+        expect(provider.password).to eq('foo')
+      end
+    end
+
   end
 end