If I create a Principal (or later change its password) using the SOAP-API, the password is always saved in plaintext in the database. The authenticatePrincipal call fails then, because it correctly tries the hashed form of the password.

Setting the password on the same principal using the Web-GUI saves the hashed form in the database and the authentication works.

The Repro can be found here: http://jira.atlassian.com/browse/CWD-1645

The only workaround is to use plaintext passwords for the directory. Alternatively it should be possible to use the hashcode-APIs of the framework to calculate the password hashes on the client-side and pass the hashed password into the SOAP-call (createPrincipal, updatePrincipalCredential). Neither solution is satisfactory as it is just a workaround.