Hello everyone!

A few days ago I was working on Zimbra's configuration with samba/posix extensions. I was using Greg's howto for ZCS 6.0.X: UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI 6.0 - Zimbra :: Wiki

(and a few others) and everything was working correctly except password synchronization (samba/posix) and password changing, e.g. when user test1 logs in to the Linux system (user and password are retrieved from ZCS LDAP) and wants to change the password with the 'passwd' command, he can't do this (Insufficient access).

I'm pretty sure that the problem is the too restrictive LDAP ACLs for the zmposix and zmposixroot users:

dn: olcDatabase={2}hdb,cn=config
changetype:modify
delete: olcAccess
olcAccess: {9}
-
add: olcAccess
olcAccess: {9}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by * read

dn: olcDatabase={2}hdb,cn=config
changetype:modify
add: olcAccess
olcAccess: {10}to dn.subtree="dc=gregzimbra1,dc=zimbra,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
olcAccess: {11}to dn.subtree="ou=machines,dc=gregzimbra1,dc=zimbra,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
olcAccess: {12}to dn.subtree="ou=groups,dc=gregzimbra1,dc=zimbra,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
olcAccess: {13}to dn.subtree="ou=people,dc=gregzimbra1,dc=zimbra,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none


Are the LDAP ACLs correct for ZCS 6.0.4, based on Greg's howto?
Have you got similar problems?
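
An added example, not part of the original post or of Greg's howto: a small Python audit of the five olcAccess values quoted above (with the line-wrap spaces inside the DNs removed) that lists which identities each rule lets write and whether any rule names `self`, the who-clause slapd uses for the bound user's own entry. It assumes a simplified grammar (named access levels only, no " by " inside a DN) and covers only rules {9} to {13}; rules {0} to {8} on the server are not shown in the post.

```python
import re

# slapd's named access levels, lowest to highest.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Rules rebuilt from the values quoted in the post (DN line-wrap spaces removed).
ADMINS = 'dn.children="cn=admins,cn=zimbra"'
ROOT = 'dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra"'
POSIX = 'dn.exact="uid=zmposix,cn=appaccts,cn=zimbra"'
BASE = "dc=gregzimbra1,dc=zimbra,dc=com"
TAIL = f" by {ADMINS} write by {ROOT} write by {POSIX} read by * none"
RULES = [
    f"{{9}}to attrs=entry by {ADMINS} write by {ROOT} write by * read",
    f'{{10}}to dn.subtree="{BASE}"' + TAIL,
    f'{{11}}to dn.subtree="ou=machines,{BASE}"' + TAIL,
    f'{{12}}to dn.subtree="ou=groups,{BASE}"' + TAIL,
    f'{{13}}to dn.subtree="ou=people,{BASE}"' + TAIL,
]

def parse_rule(value):
    """Split '{N}to <what> by <who> <access> ...' into (N, what, [(who, access)])."""
    m = re.match(r"\{(\d+)\}to\s+(.+)$", value.strip())
    if not m:
        raise ValueError(f"not an indexed olcAccess value: {value!r}")
    # Assumption: the text ' by ' never occurs inside a quoted DN.
    what, *clauses = re.split(r"\s+by\s+", m.group(2))
    grants = []
    for clause in clauses:
        who, access = clause.rsplit(None, 1)
        if access not in LEVELS:
            raise ValueError(f"unsupported access level {access!r} in rule {m.group(1)}")
        grants.append((who, access))
    return int(m.group(1)), what, grants

def writers(value):
    """Who-clauses in one rule that are granted write or higher."""
    threshold = LEVELS.index("write")
    return [who for who, access in parse_rule(value)[2] if LEVELS.index(access) >= threshold]

def self_write_rules(values):
    """Indexes of the rules that grant write (or higher) to 'self'."""
    return [parse_rule(v)[0] for v in values if "self" in writers(v)]

if __name__ == "__main__":
    for v in RULES:
        idx, what, _ = parse_rule(v)
        print(f"{{{idx}}} {what}: write -> {writers(v)}")
    print("rules granting write to self:", self_write_rules(RULES))
```

To audit the full list, replace `RULES` with the `olcAccess` values read from the server's `olcDatabase={2}hdb,cn=config` entry.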