LDAP (slapd) – Authenticated User Cannot Modify Self


I'm a total LDAP newbie, and am probably making some really stupid mistake, so hopefully somebody can point me in the correct direction. I'm running slapd from openldap 2.4.23, under Linux. The problem that I'm having is that, from the management account I set up in slapd.conf (cn=Manager,dc=example,dc=com), I can set an end user's password without any problems:

# ldappasswd -D 'cn=Manager,dc=example,dc=com' -W -S 'uid=tsuraan,ou=People,dc=example,dc=com'

However, from the end user's point of view, I can run searches and the like, but I cannot change the password:

$ ldapsearch -x -D "uid=tsuraan,ou=People,dc=example,dc=com" -W  
Enter LDAP Password:
<results>
$ ldappasswd -D 'uid=tsuraan,ou=People,dc=example,dc=com' -W -S 'uid=tsuraan,ou=People,dc=example,dc=com'
New password: 
Re-enter new password: 
Enter LDAP Password: 
Result: Insufficient access (50)

I've also tried using ldapmodify to directly change the userPassword attribute, and it gives the same Insufficient access (50) message. My slapd ACL section looks like this:

access to *
    by dn="uid=root,ou=People,dc=example,dc=com" write
    by users read
    by self write
    by anonymous auth

access to attrs=userPassword,gecos,description,loginShell
    by self write

access to attrs="userPassword"
    by dn="uid=root,ou=People,dc=example,dc=com" write
    by anonymous auth
    by self write
    by * none

And, I have a non-root user whose LDIF looks like this:

dn: uid=tsuraan,ou=People,dc=example,dc=com
uid: tsuraan
cn: tsuraan
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}x
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/tsuraan

Google isn't giving me any love today, and I can't see why my user cannot write to his own LDAP node, given that I have "by self write" all over the place, so hopefully somebody can give me a hand.

Best Answer

Lists of access directives are evaluated in the order they appear in slapd.conf. When a <what> clause matches the datum whose access is being evaluated, its <who> clause list is checked. When a <who> clause matches the accessor's properties, its <access> and <control> clauses are evaluated. Access control checking stops at the first match of the <what> and <who> clause, unless otherwise dictated by the <control> clause.

The first matching <what> and <who> for the attempt to change the password is:

access to *
    by users read

If you move the 'access to *' clause to the end of the list it should work fine. Or just swap the order of "by users read" and "by self write".

ACLs are the most tricky part of OpenLDAP configuration, so read slapd.access(5) carefully, and be sure that you completely understand how ACLs work before writing a non-trivial one.
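To make the first-match rule concrete, here is an added example (not part of the original question or answer, and not OpenLDAP code) that simulates the evaluation order slapd.access(5) describes over the three directives from the question, for both fixes the answer proposes. The rule encoding, helper names and the simplified <who> matching are assumptions made for this illustration; real slapd matching is considerably richer.

```python
# Added example: minimal simulation of slapd's first-match ACL evaluation,
# run over the ACL directives quoted in the question. Encoding and helper
# names are assumptions for illustration only; this is not OpenLDAP code.

LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # slapd order
ROOT = "dn=uid=root,ou=People,dc=example,dc=com"
USER = "uid=tsuraan,ou=People,dc=example,dc=com"

# Each directive is (what, [(who, access), ...]); "*" means every entry/attribute.
ORIGINAL = [
    ("*", [(ROOT, "write"), ("users", "read"), ("self", "write"), ("anonymous", "auth")]),
    ({"userPassword", "gecos", "description", "loginShell"}, [("self", "write")]),
    ({"userPassword"}, [(ROOT, "write"), ("anonymous", "auth"), ("self", "write"), ("*", "none")]),
]
# Fix 1 from the answer: move the "access to *" directive to the end of the list.
MOVED_TO_END = ORIGINAL[1:] + ORIGINAL[:1]
# Fix 2 from the answer: swap "by users read" and "by self write" in the first directive.
SWAPPED = [("*", [(ROOT, "write"), ("self", "write"), ("users", "read"), ("anonymous", "auth")])] + ORIGINAL[1:]

def who_matches(who, bind_dn, target_dn):
    """Does this <who> clause apply to an accessor bound as bind_dn (None = anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    return bind_dn is not None and who.lower() == "dn=" + bind_dn.lower()

def granted(acls, bind_dn, target_dn, attr):
    """The first directive whose <what> matches decides. Within it, the first
    matching <who> clause wins; if none matches, the implicit 'by * none' that
    slapd appends to every directive applies and later directives are not tried."""
    for what, who_list in acls:
        if what == "*" or attr in what:
            for who, access in who_list:
                if who_matches(who, bind_dn, target_dn):
                    return access
            return "none"
    return "none"

def allows(acls, bind_dn, target_dn, attr, needed):
    """True if the granted level is at least the required one."""
    return LEVELS.index(granted(acls, bind_dn, target_dn, attr)) >= LEVELS.index(needed)

if __name__ == "__main__":
    for name, acls in (("original", ORIGINAL), ("moved", MOVED_TO_END), ("swapped", SWAPPED)):
        print(name, "self write:", allows(acls, USER, USER, "userPassword", "write"),
              "anonymous auth:", allows(acls, None, USER, "userPassword", "auth"))
```

Running it shows why the original order returns Insufficient access (the first directive grants the bound user only "read" before "by self write" is ever reached), and also that moving "access to *" to the very end leaves anonymous without "auth" on userPassword, so simple binds would fail unless the middle directive also carries "by anonymous auth"; the swap variant keeps that intact.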
