OpenIDM 2.x currently enforces a re-authentication policy when updating a managed user's password attribute. This policy should not apply to users who authenticated via mutual auth and have the 'openidm-cert' role.
Mutual auth is used by the OpenDJ account-change-handler plugin, so the re-auth policy breaks the plugin's ability to update the user password.
1. Edit the OpenIDM conf/policy.json file
2. Locate the 'password' property section
3. Update the 're-auth-required' policy so that the 'openidm-cert' role is listed in its 'exceptRoles'.
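An added example (not part of the original note or of OpenIDM itself) that applies the three steps above to a constructed policy.json fragment: it locates the 're-auth-required' policy on the managed user 'password' property, reports whether 'openidm-cert' is already exempt, and adds it idempotently. The fragment's layout (resources / properties / policies / params) and its initial 'exceptRoles' contents are assumptions modelled on OpenIDM 2.x, so check them against your own conf/policy.json.

```python
import copy
import json

# Constructed policy.json fragment (assumption: layout and default exceptRoles
# modelled on OpenIDM 2.x, not copied from a shipped file). 'openidm-cert'
# is deliberately absent so the re-auth policy still blocks the plugin.
POLICY_JSON_BEFORE = """{
  "resources": [{
    "resource": "managed/user/*",
    "properties": [{
      "name": "password",
      "policies": [
        {"policyId": "required"},
        {"policyId": "re-auth-required",
         "params": {"exceptRoles": ["openidm-admin", "openidm-reg"]}}
      ]
    }]
  }]
}"""
POLICY_BEFORE = json.loads(POLICY_JSON_BEFORE)

def find_policy(policy, resource="managed/user/*", prop="password",
                policy_id="re-auth-required"):
    """Return the policy dict for resource/property/policyId, or None if absent."""
    for res in policy.get("resources", []):
        if res.get("resource") != resource:
            continue
        for p in res.get("properties", []):
            if p.get("name") == prop:
                for pol in p.get("policies", []):
                    if pol.get("policyId") == policy_id:
                        return pol
    return None

def cert_role_exempt(policy, role="openidm-cert"):
    """True if `role` is already listed in exceptRoles of the re-auth-required policy."""
    pol = find_policy(policy)
    return pol is not None and role in pol.get("params", {}).get("exceptRoles", [])

def add_except_role(policy, role="openidm-cert"):
    """Return a copy of `policy` with `role` added to exceptRoles (idempotent)."""
    updated = copy.deepcopy(policy)
    pol = find_policy(updated)
    if pol is None:
        raise ValueError("re-auth-required policy not found on the password property")
    roles = pol.setdefault("params", {}).setdefault("exceptRoles", [])
    if role not in roles:
        roles.append(role)
    return updated
```

Run cert_role_exempt over the loaded file after editing it to confirm the exemption actually landed on the 'password' property rather than on another property or resource.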