First, I am not asking for the ability to decrypt an existing password.
What I am requesting is the value from the user's change password form. So, it would only be set in the case that the user is changing his own password. This is needed because, if you are relying on your LDAP server to manage the password policy, changes made by an admin account typically ignore some or all of the password policy requirements. Therefore, you must use the user account itself to change the password, which in turn means you need the old password supplied in the form to bind as that user. In order to get that value, it must be part of the User object, because that is all that is available to the exporter called by the UserListener hook. You already supply getPasswordUnencrypted, so adding this additional value should not be that much of a stretch. Anyway, for now I think I will have to create a UserLocalServiceImplWrapper and a UserImplWrapper to pass this through.
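
The bind-as-user change described in the post above, as an added JNDI sketch that is neither the poster's code nor Liferay's: it binds with the user's own DN and old password, so the directory applies its password policy to the change. The class name, the `userPassword` attribute and the delete-old/add-new modify form are assumptions; some directories expect a different attribute or operation.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.InvalidAttributeValueException;
import javax.naming.directory.ModificationItem;

// Hypothetical helper class, not part of Liferay.
public class SelfServicePasswordChange {

    /** Binds as the user, never as an admin, so the server enforces its policy. */
    public static void changeOwnPassword(String ldapUrl, String userDn,
            String oldPassword, String newPassword) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl); // ldaps:// keeps both passwords off the wire in clear
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, oldPassword);

        DirContext ctx = new InitialDirContext(env); // fails here if the old password is wrong
        try {
            // Assumption: the server accepts delete-old/add-new on userPassword.
            ModificationItem[] mods = {
                new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                        new BasicAttribute("userPassword", oldPassword)),
                new ModificationItem(DirContext.ADD_ATTRIBUTE,
                        new BasicAttribute("userPassword", newPassword))
            };
            ctx.modifyAttributes(userDn, mods);
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) {
        if (args.length != 4) {
            System.err.println("usage: <ldaps-url> <user-dn> <old-password> <new-password>");
            return;
        }
        try {
            changeOwnPassword(args[0], args[1], args[2], args[3]);
            System.out.println("Password changed under the directory's own policy.");
        } catch (AuthenticationException e) {
            System.err.println("Old password rejected: bind as user failed.");
        } catch (InvalidAttributeValueException e) {
            System.err.println("Constraint violation from the server: " + e.getMessage());
        } catch (NamingException e) {
            System.err.println("LDAP error: " + e.getMessage());
        }
    }
}
```

A policy rejection usually arrives as a constraint violation, which JNDI reports as `InvalidAttributeValueException`; the exact result code depends on the directory server.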