The Password Capture plug-in is invoked by the Directory Server core each time the server is about to process an LDAP ADD or an LDAP MODIFY operation. The plug-in inspects the changes, and if there is a password change, it inserts the idmpasswd attribute/value pair, where the value is the encrypted password.
Passwords captured by the Password Capture plug-in are encrypted using a shared key. (The same shared key is used by the configured LDAP Resource Adapter to decrypt the password.)
If the change is accepted by the server, then the Retro Changelog plug-in logs the changes, including the new value for the idmpasswd attribute, into the Retro-Changelog database. The LDAP resource adapter processes the change to the idmpasswd attribute and makes the value available to other components inside Identity Manager in the form of an encrypted string.
The idmpasswd attribute does not appear in the Directory Server’s regular database when the user changes password.