It will be nice if picketlink supports additional modification of some attributes after successful password update.

For example, when new user is created in Active Directory, he is usually in state disabled (attribute userAccountControls has value 514), but later when I update password of this attribute, I want to automatically enable user (aka change userAccountControls to 512 so user is enabled).

See here about AD userAccountControls attribute: http://support.microsoft.com/kb/305144

Just a note that we supported this scenario in IDM 1.x, We had option "passwordUpdateAttributeValues", which contains additional LDAP attributes to be modified after password update. See for example config file https://github.com/gatein/gatein-portal/blob/master/web/portal/src/main/webapp/WEB-INF/conf/organization/picketlink-idm/examples/picketlink-idm-msad-config.xml#L246 .