Some identifier gets enrolled into the Gluu LDAP whenever a credential is enrolled.
For example, if you enable and use the U2F custom script, a public key will be enrolled into the server. If you use the script for an external authentication service like Duo Security, a device ID will be enrolled into the Gluu Server.
The exception is passwords. If you use a backend AD / LDAP server with existing passwords, those would **not** be stored in Gluu. However, if you enroll new users and passwords directly into Gluu, then the passwords would get stored.