If the user is changing their own password then return None so the current password is prompted for, otherwise return a fixed value to be ignored later.
ipaserver.plugins.passwd
ipaserver.plugins.passwd.passwd