diff --git a/src/Model/Migration/Definitions.hs b/src/Model/Migration/Definitions.hs
index b41b8f61b..543f4121c 100644
--- a/src/Model/Migration/Definitions.hs
+++ b/src/Model/Migration/Definitions.hs
@@ -49,6 +49,7 @@ import qualified Data.Time.Zones as TZ
 data ManualMigration
   = Migration20230524QualificationUserBlock
   | Migration20230703LmsUserStatus
+  | Migration20240312OAuth2
   deriving (Eq, Ord, Read, Show, Enum, Bounded, Generic)
   deriving anyclass (Universe, Finite)
 
@@ -177,6 +178,23 @@ customMigrations = mapF $ \case
         ;  
       |]
 
+  Migration20240312OAuth2 -> whenM (columnExists "user" "ldap_primary_key") $ do
+    [executeQQ|
+      ALTER TABLE "user" ADD COLUMN "password_hash" VARCHAR NULL;
+    |]
+    let getPWHashes = [queryQQ| SELECT "id", "authentication"->'pw-hash' FROM "user" WHERE "authentication"->'pw-hash' IS NOT NULL; |]
+        migratePWHash [ fromPersistValue -> Right (uid :: UserId), fromPersistValue -> Right (pwHash :: Text) ] = [executeQQ| UPDATE "user" SET "password_hash" = #{pwHash} WHERE "id" = #{uid}; |]
+        migratePWHash _ = error "otherwise case reached!" -- TODO: return ()
+     in runConduit $ getPWHashes .| C.mapM_ migratePWHash
+    [executeQQ|
+      ALTER TABLE "user" DROP COLUMN "authentication";
+    |]
+
+    [executeQQ|
+      ALTER TABLE "user" RENAME COLUMN "last_ldap_synchronisation" TO "password_hash";
+      ALTER TABLE "user" DROP COLUMN "ldap_primary_key";
+    |]
+
 
 tableExists :: MonadIO m => Text -> ReaderT SqlBackend m Bool
 tableExists table = do