Yes, you do need to write the proc still, but you can just say:
return { password_status not_supported }
It should never get called, anyway, but that's the polite thing to do, in case someone chooses to write new code that invokes the service contract directly.
See the auth-ldap package for an example.
(I just changed the body of RetrievePassword from being empty to returning not_supported.)
/Lars
