You will need to install a Password Synchronization Agent ( aka PSync Agent ) on your endpoint. The PSync Agent is specific to each endpoint and is intercepting passwords changed on the endpoint.
CA have password sync mechanism for the following endpoint types: ADS, NT, UNIX, OS400, ACF2/TSS (LDS)
For any other endpoints it is up to customer to find a way to capture the change and build a tool to submit the change to the Provisioning Server as ldap
If the PSYNC supports PWD Validitity Check then it will first send the operation to ask that to the Prov Server. The Prov Server will either determine on its own or ask IM to validate it.
IM will then either determine on its own or ask SM. Regardless of who does the validation, the response is given back to the PSYNC. The communication between PSYNC and Prov Server is via LDAP.
PSYNC can then send the PWD Change to the Provisioning Server to update the Acct pwd. The Provisioning Server will lookup the GU associated with the account and check if PSYNC is enabled for that GU. This essentially check if the 'Enable Password Synchronization' checked in their Password tab. It not, this password change will not propagate further.
If it is then Provisioning Server will update the GU pwd (which will create an inbound notify event) and propagate to associated account while excluding the originator.
To enable the password synchronization from the provisioning server to IDM you will need to enable the Inbound synchronization mechanism that allows different data including the global user's password to be sent down to IDM. You should learn how to enable this mechanism but in a nutshell you'll need to use the provisioning manager -> System -> Identity Manager
set up and define the URL for Identity Manager . You also will need to go into the identity manager management console (/idmmanage) -> IME -> Provisioning Section and define your attribute mapping between the IDM corporate user and the provisioning global user. In this mapping you'll need to ensure that the password ( %PASSWORD% ) is mapped.
The inbound event is processed by IM as it normally is which will cause the corporate user (IM user store) to have the pwd updated.