diff --git a/PVE/API2/Domains.pm b/PVE/API2/Domains.pm
index 8ae1db0..b3c3ac4 100644
--- a/PVE/API2/Domains.pm
+++ b/PVE/API2/Domains.pm
@@ -88,6 +88,9 @@ __PACKAGE__->register_method ({
     code => sub {
         my ($param) = @_;
+        # always extract, add it with hook
+        my $password = extract_param($param, 'password');
+
         PVE::Auth::Plugin::lock_domain_config(
             sub {
@@ -117,6 +120,13 @@ __PACKAGE__->register_method ({
                 $ids->{$realm} = $config;
+                my $opts = $plugin->options();
+                if (defined($password) && !defined($opts->{password})) {
+                    $password = undef;
+                    warn "ignoring password parameter";
+                }
+                $plugin->on_add_hook($realm, $config, password => $password);
+
                 cfs_write_file($domainconfigfile, $cfg);
             }, "add auth server failed");
@@ -137,6 +147,9 @@ __PACKAGE__->register_method ({
     code => sub {
         my ($param) = @_;
+        # always extract, update in hook
+        my $password = extract_param($param, 'password');
+
         PVE::Auth::Plugin::lock_domain_config(
             sub {
@@ -154,8 +167,10 @@ __PACKAGE__->register_method ({
                 my $delete_str = extract_param($param, 'delete');
                 die "no options specified\n" if !$delete_str && !scalar(keys %$param);
+                my $delete_pw = 0;
                 foreach my $opt (PVE::Tools::split_list($delete_str)) {
                     delete $ids->{$realm}->{$opt};
+                    $delete_pw = 1 if $opt eq 'password';
                 }
                 my $plugin = PVE::Auth::Plugin->lookup($ids->{$realm}->{type});
@@ -171,6 +186,13 @@ __PACKAGE__->register_method ({
                     $ids->{$realm}->{$p} = $config->{$p};
                 }
+                my $opts = $plugin->options();
+                if ($delete_pw || defined($password)) {
+                    $plugin->on_update_hook($realm, $config, password => $password);
+                } else {
+                    $plugin->on_update_hook($realm, $config);
+                }
+
                 cfs_write_file($domainconfigfile, $cfg);
             }, "update auth server failed");
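Review bot: The `warn "ignoring password parameter"` branch in the add hunk (@@ -117) only reaches the server log, so a caller who supplies `password` for a realm type whose `options()` has no `password` entry gets a successful response while the credential was silently discarded, and may believe a bind password is configured when none is. For credential configuration it is safer to fail closed: replace the `$password = undef;` and `warn` lines with `die "realm type does not support a 'password' option\n";`. If dropping the value on purpose is intended, say so in the `# always extract, add it with hook` comment above `extract_param` so the next reader does not take it for an oversight. The enclosing `code => sub` closure and the `$plugin` lookup this relies on start outside the hunk.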
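Review bot: In the update hunk (@@ -171) `my $opts = $plugin->options();` is assigned but never read, whereas the add path uses `$opts->{password}` to detect realm types that have no `password` option; either drop the line or mirror that check so an update carrying `password` for such a realm type is rejected instead of being handed to `on_update_hook` unchecked. The `if ($delete_pw || defined($password))` condition also lets `delete => 'password'` and a new `password` value arrive in the same request, with the new value silently winning; consider `die "cannot set and delete 'password' in the same request\n" if $delete_pw && defined($password);` before the hook call. `$delete_pw` is set in the preceding hunk (@@ -154), and the enclosing locked closure starts outside both hunks.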
@@ -233,10 +255,13 @@ __PACKAGE__->register_method ({
                 my $cfg = cfs_read_file($domainconfigfile);
                 my $ids = $cfg->{ids};
-                my $realm = $param->{realm};
-                die "domain '$realm' does not exist\n" if !$ids->{$realm};
+                die "authentication domain '$realm' does not exist\n" if !$ids->{$realm};
+
+                my $plugin = PVE::Auth::Plugin->lookup($ids->{$realm}->{type});
+
+                $plugin->on_delete_hook($realm, $ids->{$realm});
                 delete $ids->{$realm};
diff --git a/PVE/Auth/Plugin.pm b/PVE/Auth/Plugin.pm
index 7a08d27..1413053 100755
--- a/PVE/Auth/Plugin.pm
+++ b/PVE/Auth/Plugin.pm
@@ -268,4 +268,32 @@ sub delete_user {
     # do nothing by default
 }
+# called during addition of realm (before the new domain config got written)
+# `password` is moved to %param to avoid writing it out to the config
+# die to abort additon if there are (grave) problems
+# NOTE: runs in a domain config *locked* context
+sub on_add_hook {
+    my ($class, $realm, $config, %param) = @_;
+    # do nothing by default
+}
+
+# called during domain configuration update (before the updated domain config got
+# written). `password` is moved to %param to avoid writing it out to the config
+# die to abort the update if there are (grave) problems
+# NOTE: runs in a domain config *locked* context
+sub on_update_hook {
+    my ($class, $realm, $config, %param) = @_;
+    # do nothing by default
+}
+
+# called during deletion of realms (before the new domain config got written)
+# and if the activate check on addition fails, to cleanup all storage traces
+# which on_add_hook may have created.
+# die to abort deletion if there are (very grave) problems
+# NOTE: runs in a storage config *locked* context
+sub on_delete_hook {
+    my ($class, $realm, $config) = @_;
+    # do nothing by default
+}
+
 1;
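Review bot: The new `die "authentication domain '$realm' does not exist\n"` line still interpolates `$realm`, yet this hunk removes `my $realm = $param->{realm};`, so the variable must now be declared before the `lock_domain_config` closure, outside this hunk; if that move is not part of the patch, the closure fails under `use strict`. `PVE::Auth::Plugin->lookup($ids->{$realm}->{type})` presumably dies on an unknown or mistyped `type`, which would leave a realm with a corrupted entry undeletable through the API; if that is not acceptable, guard the lookup and still perform the `delete` when no plugin is found. Running `on_delete_hook` before `delete $ids->{$realm}` and before the config write does mean a dying hook aborts the deletion, which matches the contract documented in Plugin.pm. The enclosing closure starts and ends outside the hunk.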
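Review bot: The comment above `on_delete_hook` says it runs in a *storage* config locked context and refers to an "activate check on addition" that cleans up "storage traces", but the callers in this patch hold the domain config lock via `PVE::Auth::Plugin::lock_domain_config` and add no activation or cleanup path, so the text reads as carried over from another plugin base and will mislead implementors. Suggest `# NOTE: runs in a domain config *locked* context` there, and either dropping the activate-check sentence or rewording it to what the delete API actually does. `additon` in the `on_add_hook` comment is a typo for `addition`. The `on_update_hook` comment should also state that `password` appears in %param only when the caller set or deleted it, and is undef in the delete case, since that is how the update API calls it and the default body gives implementors no other hint.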