LDAP password changes fail with "Insufficient access" errors when using passwd

Greetings,

I have a Linux server running OpenLDAP-2.4.10, which a number of client systems (Linux & Mac) use for ssh/shell account authentication. I'm hitting the frustrating problem where all attempts by any user to change their LDAP password with 'passwd' fail with:

    LDAP password information update failed: Insufficient access
    passwd: Permission denied

I strongly suspect this is due to wrong ACLs in slapd.conf, but I've followed the official doc ( http://www.openldap.org/doc/admin23/slapdconfig.html#Configuration%20File%20Example ) without any improvement. I've got the following in /etc/openldap/slapd.conf :

    ####################
    database        bdb
    suffix          "dc=cuda-fs0,dc=foo,dc=com"
    rootdn          "cn=Manager,dc=cuda-fs0,dc=foo,dc=com"
    rootpw          {MD5}XXXXXXXXXXXXXXXXXX==

    access to attrs=userPassword
        by self write
        by anonymous auth
        by dn.base="cn=Manager,dc=cuda-fs0,dc=foo,dc=com" write
        by * none

    access to *
        by * read
    ####################

I kicked the LDAP server to debug level 256 to attempt to figure out exactly what is going wrong, and saw the following output at the time of an attempted (and failed) password change:

    conn=8 op=6 BIND dn="uid=lfriedman,ou=People,dc=cuda-fs0,dc=foo,dc=com" method=128
    conn=8 op=6 BIND dn="uid=lfriedman,ou=People,dc=cuda-fs0,dc=foo,dc=com" mech=SIMPLE ssf=0
    conn=8 op=6 RESULT tag=97 err=0 text=
    conn=8 op=7 MOD dn="uid=lfriedman,ou=People,dc=cuda-fs0,dc=foo,dc=com"
    conn=8 op=7 MOD attr=userPassword
    conn=8 op=7 RESULT tag=103 err=50 text=

That "tag=103 err=50" seems to be the critical bit of info; however, I've googled on it for a while, and the consensus seems to be that incorrect ACLs would cause it. However, since I'm using exactly what is suggested in the official docs, that seems unlikely.

/etc/pam.d/passwd on the Linux client systems hasn't changed for ages, and contains:

    #########
    auth       include      system-auth
    account    include      system-auth
    password   include      system-auth
    #########

/etc/pam.d/system-auth on the Linux client systems also hasn't changed recently, and contains:

    #########
    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        sufficient    pam_ldap.so use_first_pass
    auth        required      pam_deny.so

    account     required      pam_unix.so broken_shadow
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
    account     required      pam_permit.so

    password    requisite     pam_cracklib.so try_first_pass retry=3
    password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_ldap.so use_authtok
    password    required      pam_deny.so

    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_ldap.so
    #########

Any & all suggestions would be appreciated. thanks!
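The loglevel 256 lines in the post only make sense once each MOD RESULT is read together with the identity that was bound on that connection when it ran: here the user binds as himself (op=6, err=0) and is then refused a write to userPassword on his own entry (op=7, tag=103 is a modifyResponse, err=50 is insufficientAccessRights). The script below is an added example, not code from the original post or from the OpenLDAP project. It correlates slapd stats-level log lines per connection, tracks the bound DN across BIND results, and annotates every modify result with who was bound, which entry and attributes were touched, and the decoded tag and result code. The sample log is constructed: the six lines quoted in the post plus a made-up successful modify by the rootdn on a second connection for contrast.

```python
"""Correlate slapd loglevel-256 (stats) lines so every modify RESULT is shown
with the DN that was bound on that connection at the time.

Added example; not part of the original post and not OpenLDAP code.
"""
import re
from collections import defaultdict

# Constructed sample: conn=8 is the exchange quoted in the post, conn=9 is a
# made-up successful modify by the rootdn for contrast.
SAMPLE_LOG = """\
conn=8 op=6 BIND dn="uid=lfriedman,ou=People,dc=cuda-fs0,dc=foo,dc=com" method=128
conn=8 op=6 BIND dn="uid=lfriedman,ou=People,dc=cuda-fs0,dc=foo,dc=com" mech=SIMPLE ssf=0
conn=8 op=6 RESULT tag=97 err=0 text=
conn=8 op=7 MOD dn="uid=lfriedman,ou=People,dc=cuda-fs0,dc=foo,dc=com"
conn=8 op=7 MOD attr=userPassword
conn=8 op=7 RESULT tag=103 err=50 text=
conn=9 op=0 BIND dn="cn=Manager,dc=cuda-fs0,dc=foo,dc=com" method=128
conn=9 op=0 BIND dn="cn=Manager,dc=cuda-fs0,dc=foo,dc=com" mech=SIMPLE ssf=0
conn=9 op=0 RESULT tag=97 err=0 text=
conn=9 op=1 MOD dn="uid=lfriedman,ou=People,dc=cuda-fs0,dc=foo,dc=com"
conn=9 op=1 MOD attr=userPassword
conn=9 op=1 RESULT tag=103 err=0 text=
"""

LINE_RE = re.compile(r'^conn=(\d+) op=(\d+) (\w+)\s*(.*)$')
DN_RE = re.compile(r'dn="([^"]*)"')
ATTR_RE = re.compile(r'attr=(\S+)')
TAG_RE = re.compile(r'tag=(\d+)')
ERR_RE = re.compile(r'err=(\d+)')

# LDAPv3 protocol-op tags (RFC 4511 APPLICATION tags, as slapd prints them).
TAG_NAMES = {97: "bindResponse", 101: "searchResultDone", 103: "modifyResponse",
             105: "addResponse", 107: "delResponse", 109: "modDNResponse",
             111: "compareResponse", 120: "extendedResponse"}
# LDAP result codes (RFC 4511 section 4.1.9) that show up around password changes.
RESULT_NAMES = {0: "success", 19: "constraintViolation", 32: "noSuchObject",
                49: "invalidCredentials", 50: "insufficientAccessRights",
                53: "unwillingToPerform"}


def norm_dn(dn):
    """Cheap DN normalisation for equality: lower-case, strip space after commas.
    Enough for the DNs in this log; not a full RFC 4514 comparison."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def analyze(log_text):
    """Return one finding per non-bind RESULT, annotated with the bound DN."""
    bound = defaultdict(str)   # conn -> DN currently bound ("" = anonymous)
    pending = {}               # (conn, op) -> details seen before the RESULT line
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, op, kind, rest = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        key = (conn, op)
        if kind == "BIND":
            dn = DN_RE.search(rest)
            if dn:  # both BIND lines carry the DN; the first one is enough
                pending.setdefault(key, {"kind": "BIND", "dn": dn.group(1)})
        elif kind == "MOD":
            info = pending.setdefault(key, {"kind": "MOD", "dn": None, "attrs": []})
            dn = DN_RE.search(rest)
            if dn:
                info["dn"] = dn.group(1)
            attr = ATTR_RE.search(rest)
            if attr:
                info["attrs"].append(attr.group(1))
        elif kind == "RESULT":
            tag_m, err_m = TAG_RE.search(rest), ERR_RE.search(rest)
            info = pending.pop(key, None)
            if info is None or not tag_m or not err_m:
                continue
            tag, err = int(tag_m.group(1)), int(err_m.group(1))
            if info["kind"] == "BIND":
                # A successful bind sets the connection's identity; a failed
                # bind leaves the connection anonymous.
                bound[conn] = info["dn"] if err == 0 else ""
                continue
            bound_dn = bound[conn]
            target = info["dn"] or ""
            findings.append({
                "conn": conn, "op": op, "kind": info["kind"],
                "bound_dn": bound_dn, "target_dn": target, "attrs": info["attrs"],
                "tag": tag, "tag_name": TAG_NAMES.get(tag, "tag%d" % tag),
                "err": err, "err_name": RESULT_NAMES.get(err, "err%d" % err),
                # True when the bound identity is writing its own entry, i.e.
                # the case the "by self write" ACL clause is meant to cover.
                "self": bool(bound_dn) and norm_dn(bound_dn) == norm_dn(target),
            })
    return findings


def diagnose(f):
    """One-line reading of a finding."""
    who = f["bound_dn"] or "anonymous"
    head = "conn=%s op=%d %s of %s" % (f["conn"], f["op"], f["kind"], ",".join(f["attrs"]))
    if f["err"] == 0:
        return "%s by %s on %s succeeded" % (head, who, f["target_dn"])
    if f["err"] == 50 and f["self"]:
        return ("%s by %s on its OWN entry denied (err=50 insufficientAccessRights): "
                "the ACL slapd actually applied to this entry grants no self write "
                "for these attributes" % (head, who))
    if f["err"] == 50:
        return "%s by %s on %s denied (err=50): no write access for that identity" % (
            head, who, f["target_dn"])
    return "%s by %s on %s failed: %s (%s)" % (head, who, f["target_dn"], f["err_name"], f["tag_name"])


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(diagnose(finding))
```

Running it on the constructed sample prints one denied self-write for conn=8 and one successful rootdn write for conn=9. The useful check this gives a sysadmin is the "self" column: if a bind as the user is followed by err=50 on the user's own entry, the ACL set that slapd is really evaluating for that entry does not grant self write, regardless of what a slapd.conf on disk says. To take PAM out of the picture entirely, the same write can be attempted by hand with ldappasswd (`ldappasswd -x -D "uid=lfriedman,ou=People,dc=cuda-fs0,dc=foo,dc=com" -W -S`), which uses the Password Modify extended operation (RFC 3062) and therefore shows up in this log as tag=120 rather than a MOD; the script already decodes that tag.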