Then this explains…
When CentralUsers are configured, IntegrationServer will connect to the configured JDBC CentralUsers pool, and will grab the DirectoryService URL, for example ldap://some.host.
It will use a internal library and perform a direct connection to the LDAP server, and uppon customer login request will verify credentials on first request.
This will be cached for some time (can’t remember how long).
Now if you change user credentials on the LDAP server, IS will not be aware for the new password until cache is cleared and a new real request is done to the LDAP.
On the other side if you change something for the user on IntegrationServer who cannot write to LDAP, it will work until it has to fetch the “old” credentials not updated in the LDAP.
Always perform changes on LDAP (or any other DirectoryService source).
Hope this helps.