When processing a modify-password command, the NotesDriverShim checks for an existing and valid 'old-password' match. Thus if the modify-password command is missing an <old-password> value and the existing Notes User already has an HTTPPassword (web password) value set, the modify-password command will fail.
If the old HTTPPassword value is known (and currently valid in Notes), adding an <old-password> element with the old HTTPPassword value to the <modify-password> command should work. Here's an example:
<modify-password class-name="Person" event-id="pwd-subscribe" src-dn="\PWDSYNCTREE\sync\dom\poc\JohnDoe" src-entry-id="35952">
<old-password><!-- content suppressed --></old-password>
<password><!-- content suppressed --></password>
If you don't know the old-password, to overcome this security check, try setting the HTTPPassword attribute directly. A command like the following received by the NotesDriverShim should work:
<modify class-name="Person" event-id="pwd-subscribe" src-dn="\PWDSYNCTREE\sync\dom\poc\JohnDoe" src-entry-id="35952">
<modify-attr attr-name="HTTPPassword" is-sensitive="true"><!-- content suppressed -></modify-attr>
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.