Here are some details and a solution:
An LDAP user's password should not be changed in AEM. If such a change is made, AEM stores the user's password within AEM, and from then on the user is validated against the password stored in AEM rather than against LDAP.
If such a change has been made in AEM, the way to reset the user is to delete the user from AEM and have them log in again with their LDAP credentials. This allows AEM to register the user as an LDAP user.
AEM also follows an order between the login methods. The configuration is listed under <server>/system/console/jaas.
A typical ranking is:
- AEM local user first; if the user is not found there, then LDAP (the higher rank comes first).