authentication_policy: fix credential recovery on password expiration

Credential Recovery are supposed to be related to persons, not logins.
Extend the tests to make sure that after the credential recovery is
accepted a reset password email is sent and fix authentication_policy
scripts to create a Credential Recovery related to the person.