So I think I've designed myself into a corner here, but an outsiders viewpoint might just see through the muck to the answer.
We have a custom web app that users use to change passwords (via LDAP).
In order to enforce password history, when a user changes their password, the application does a SET password to a random value, then uses that random value to do a CHANGE password. This enforces password history for the user then.
This also results in two password changes going from eDir to AD.
What I'd like to do is be able to pickup if a user's password is changed on AD directly and an upstream sync is attempted.
I have a rule to compare the password coming in the publisher to the distribution password and to notify if they do not match, however, the publisher loopback is about a minute behind and as a result the password has again been changed.
There obviously isn't any way to serialize the events, but I'm wondering if there might be some way to associate the pairs of changes together, or perhaps to query the password history via policy.