Hi Diego,
Which release of USS is this?
I think we can force USS to check authentication against EEM only and nothing against its own database in portal-ext.properties file of USS:
Look for
auth.pipeline.enable.liferay.check=true
CHANGE IT TO
auth.pipeline.enable.liferay.check=false
Restart USS for this to be effective.
If its already set to false, there maybe some Liferay policy that's causing a conflict unknowingly. Give this a shot and see if it works.
Is EEM configured against some external LDAP?
How are they changing their password, with in LDAP?
Based on what you said above, I think they are able to login properly using updated password directly to EEM, correct?
Thx
_R