At least some methods in CryptPasswordStorageScheme try to clean up the memory of plaintext/crypted passwords and cipher material, which is IMHO a good thing. However, I think they do it in a more or less unreliable way (no cleanup if an exception occurs) and using Strings - since they are immutable, one can't clean them up (just hope that the GC collects them in time), so IMHO wrt. crypto stuff, byte arrays should be used everywhere, and one should not rely on called methods to clean up passed params (sounds odd anyway).
So it might be a good idea to review all passwd-related stuff and adjust it accordingly. Perhaps http://src.iws.cs.ovgu.de/source/xref/forgerock/opendj2-jel/src/server/org/opends/server/extensions/CryptPasswordStorageScheme.java#sunmd5CryptPasswordMatches etc. could be a pattern to use.
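To make the suggested pattern concrete, here is an added example (not OpenDJ's code and not the linked method) of a password-match routine that keeps the secret in `char[]`/`byte[]` only, never builds a `String` from it, and zeroes every intermediate buffer in a `finally` block so an exception cannot skip the cleanup. A salted SHA-256 is a hypothetical stand-in for the scheme's real crypt variants; the class name, the sample salt and the sample password are constructed for the example. Note that the callee wipes only the buffers it allocates itself, and the caller wipes its own copy, which is the "don't rely on called methods to clean up passed params" point above.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

/**
 * Added example, not project code. The salted SHA-256 below is a stand-in
 * for a real crypt() variant; the point is the buffer handling.
 */
public final class WipingPasswordMatcher {

    private WipingPasswordMatcher() {}

    /** Encodes a char[] secret as UTF-8 without ever creating a String. */
    static byte[] utf8Bytes(char[] secret) {
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(secret));
        byte[] out = new byte[encoded.remaining()];
        encoded.get(out);
        // The encoder's heap buffer holds a second copy of the password;
        // zero it instead of waiting for the GC.
        if (encoded.hasArray()) {
            Arrays.fill(encoded.array(), (byte) 0);
        }
        return out;
    }

    /** Digest of salt || password. The caller owns, and must wipe, the result. */
    static byte[] hash(byte[] salt, byte[] password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        md.update(password);
        return md.digest();
    }

    /**
     * Compares a candidate against a stored salt + digest. Only the buffers
     * allocated here are wiped here; the caller's char[] is the caller's job.
     * The finally block runs even if hash() throws.
     */
    public static boolean passwordMatches(char[] candidate, byte[] salt, byte[] storedDigest) {
        byte[] candidateBytes = null;
        byte[] candidateDigest = null;
        try {
            candidateBytes = utf8Bytes(candidate);
            candidateDigest = hash(salt, candidateBytes);
            // Constant-time comparison, so timing does not leak a matching prefix.
            return MessageDigest.isEqual(candidateDigest, storedDigest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        } finally {
            if (candidateBytes != null) Arrays.fill(candidateBytes, (byte) 0);
            if (candidateDigest != null) Arrays.fill(candidateDigest, (byte) 0);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data. In real code the secret arrives as char[]/byte[]
        // from the wire; the String literals here exist only to set up the demo.
        byte[] salt = "constructed-salt".getBytes(StandardCharsets.UTF_8);
        char[] enrolled = "correct horse".toCharArray();
        byte[] enrolledBytes = null;
        byte[] stored;
        try {
            enrolledBytes = utf8Bytes(enrolled);
            stored = hash(salt, enrolledBytes);
        } finally {
            Arrays.fill(enrolled, '\0');
            if (enrolledBytes != null) Arrays.fill(enrolledBytes, (byte) 0);
        }

        char[] attempt = "correct horse".toCharArray();
        boolean ok;
        try {
            ok = passwordMatches(attempt, salt, stored);
        } finally {
            Arrays.fill(attempt, '\0');   // caller wipes its own copy, unconditionally
        }
        System.out.println("match: " + ok);
        System.out.println("attempt wiped: " + Arrays.equals(attempt, new char[attempt.length]));
    }
}
```

The `finally` blocks are the part that matters for the "no cleanup if an exception occurs" concern: whether `hash()` succeeds or throws, every array that held the secret is zeroed before control leaves the method. Strings offer no equivalent, which is why the routine accepts `char[]` and works in `byte[]` throughout.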