Various samples bundled with OpenIDM include sync.json files with mappings which sync Managed User passwords to external resources.
In most cases the mapping to the external resource does not handle password synchronization correctly, so the sample demonstrates a bad practice that, when copied by customers, ends up as support tickets.
Take the following extract of the sync-with-ldap-bidirectional sample:
The above is flawed in that the managed user password is always pushed out to the target account: a reconciliation run with this mapping updates the target account on every run, whether or not the managed user's password has actually changed. A proper implementation of password synchronization must track the previous password so that the mapping's condition can compare the old and new values and push only when they differ.
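To make the difference concrete, the following is an added example (not code from OpenIDM or from the sample) that models the two shapes a `password` property mapping can take and replays a few reconciliation runs against each. It assumes, hypothetically, that the condition script sees the current source object as `object` and the previously synced source state as `oldSource`; the evaluation with `new Function` and the bookkeeping of `oldSource` between runs are a stand-in for the engine, and the recon runs are constructed sample data.

```javascript
// Added example, not OpenIDM code: how an unconditional password mapping
// behaves on repeated reconciliation runs versus a guarded one.
// Assumptions (hypothetical): the condition script sees `object` (current
// source object) and `oldSource` (previously synced source state).

// Flawed mapping shape: no condition, so the password is written on every run.
const unconditionalPasswordMapping = {
  source: "password",
  target: "userPassword",
};

// Guarded mapping shape: push only on first sync (no old state) or when the
// password value actually changed. A null/absent password is never pushed.
const guardedPasswordMapping = {
  source: "password",
  target: "userPassword",
  condition: {
    type: "text/javascript",
    source:
      "object.password != null && " +
      "(oldSource == null || oldSource.password !== object.password)",
  },
};

// Stand-in for inline script evaluation: the condition source is evaluated
// with `object` and `oldSource` in scope. A mapping with no condition
// always applies, which is exactly the problem with the flawed shape.
function conditionHolds(mapping, object, oldSource) {
  if (!mapping.condition) return true;
  const fn = new Function(
    "object",
    "oldSource",
    `return Boolean(${mapping.condition.source});`
  );
  return fn(object, oldSource);
}

// Replay a sequence of recon runs and count how many target writes the
// mapping would cause. The previous run's object is carried as oldSource,
// i.e. the "tracked old password" the text calls for.
function countPushes(mapping, runs) {
  let pushes = 0;
  let oldSource = null;
  for (const object of runs) {
    if (conditionHolds(mapping, object, oldSource)) pushes += 1;
    oldSource = object;
  }
  return pushes;
}

// Constructed sample: three recon runs, only the third changes the password.
const reconRuns = [
  { _id: "bjensen", password: "hashed-v1" },
  { _id: "bjensen", password: "hashed-v1" },
  { _id: "bjensen", password: "hashed-v2" },
];

// Unconditional: 3 writes. Guarded: 2 writes (initial sync plus the change).
console.log("unconditional:", countPushes(unconditionalPasswordMapping, reconRuns));
console.log("guarded:", countPushes(guardedPasswordMapping, reconRuns));
```

The point of the replay is the second run: nothing changed, yet the unconditional mapping still writes the target password, which is the behaviour that generates tickets when an LDAP server enforces password history or policy on every modify.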
Samples within OpenIDM are intended to be narrow in scope and to demonstrate very specific use cases. Samples that do not specifically demonstrate password synchronization should not map managed user passwords to external resources at all.