I have seen the issue raised but no answers. We have a working OpenLDAP (Symas Gold 2.4.59-3) configuration that will allow non-RootDN admin users to reset user passwords. We want to enable lockout using ppolicy, but with the ppolicy overlay loaded we get result code 53, "must supply correct old password to change to a new one". As our admin user I can delete the userPassword attribute and create it again to effectively change the password, but our upstream user provisioning system cannot handle that. I am beginning to wonder if this is a 'feature' of OpenLDAP/ppolicy. Has anyone successfully implemented this?
Any insight will be greatly appreciated!
The following is a configuration snippet:
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
include: file:///opt/symas/etc/openldap/schema/core.ldif
include: file:///opt/symas/etc/openldap/schema/cosine.ldif
include: file:///opt/symas/etc/openldap/schema/inetorgperson.ldif
include: file:///opt/symas/etc/openldap/schema/openam.ldif
include: file:///opt/symas/etc/openldap/schema/ppolicy.ldif

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulepath: /opt/symas/lib64/openldap
olcModuleload: {0}back_mdb
olcModuleLoad: {1}back_monitor.la
olcModuleLoad: {2}lastbind.la
olcModuleLoad: {3}ppolicy.la
olcModuleLoad: {4}syncprov.la

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcMonitoring: TRUE
olcDbDirectory: /ldap/db/myssoldap
olcSuffix: dc=viasat,dc=com
olcRootDN: cn=manager,dc=viasat,dc=com
olcRootPW: XXXX
olcDbMaxSize: 8192000000
olcDbCheckpoint: 8192 15
olcDbNoSync: TRUE
olcLastMod: TRUE
olcDbIndex: default pres,eq
olcDbIndex: uid
olcDbIndex: entryUUID
olcDbIndex: cn,sn pres,eq,sub
olcDbIndex: objectClass eq
# LDIF continuation lines must start with a single space
olcAccess: to attrs=userPassword
 by self write
 by anonymous auth
 by dn.exact="uid=admin,ou=administrators,dc=viasat,dc=com" manage
 by * none
olcAccess: to *
 by dn.exact="uid=admin,ou=administrators,dc=viasat,dc=com" manage
 by * read

dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyHashCleartext: TRUE
olcPPolicyDefault: cn=passwordDefault,ou=Policies,dc=viasat,dc=com
olcPPolicyUseLockout: FALSE

dn: ou=Policies,dc=viasat,dc=com
objectClass: top
objectClass: organizationalUnit
# the naming attribute value must match the RDN (ou=Policies)
ou: Policies

dn: cn=passwordDefault,ou=Policies,dc=viasat,dc=com
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: passwordDefault
sn: passwordDefault
pwdAttribute: userPassword
pwdCheckQuality: 1
pwdMinAge: 0
pwdMaxAge: 0
pwdMinLength: 6
pwdInHistory: 0
pwdMaxFailure: 6
pwdFailureCountInterval: 900
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdAllowUserChange: TRUE
pwdExpireWarning: 37324800000
pwdGraceAuthNLimit: 0
pwdMustChange: FALSE
pwdSafeModify: FALSE
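As an added illustration (not from the original post, and not OpenLDAP's own code), the Python below models how the lockout attributes in the cn=passwordDefault entry interact, following the draft-behera password-policy semantics that the ppolicy overlay implements: failed binds are timestamped, failures older than pwdFailureCountInterval are discarded, reaching pwdMaxFailure sets pwdAccountLockedTime, and the lock clears after pwdLockoutDuration (or only by administrative reset when that value is 0). The account state, the epoch timestamps and the function names are assumptions made for the demonstration.

```python
# Added example: a model of pwdPolicy lockout accounting using the values from
# the cn=passwordDefault entry above. State, timestamps and names are constructed.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PwdPolicy:
    pwdLockout: bool = True
    pwdMaxFailure: int = 6
    pwdFailureCountInterval: int = 900   # seconds; 0 = failures never age out
    pwdLockoutDuration: int = 900        # seconds; 0 = locked until an admin resets


@dataclass
class AccountState:
    pwdFailureTime: List[int] = field(default_factory=list)  # epoch seconds of failed binds
    pwdAccountLockedTime: Optional[int] = None


def purge_stale_failures(state: AccountState, policy: PwdPolicy, now: int) -> None:
    """Drop failure timestamps older than pwdFailureCountInterval (0 keeps them all)."""
    if policy.pwdFailureCountInterval > 0:
        cutoff = now - policy.pwdFailureCountInterval
        state.pwdFailureTime = [t for t in state.pwdFailureTime if t > cutoff]


def is_locked(state: AccountState, policy: PwdPolicy, now: int) -> bool:
    if state.pwdAccountLockedTime is None:
        return False
    if policy.pwdLockoutDuration == 0:
        return True  # stays locked until pwdAccountLockedTime is removed by an admin
    return now < state.pwdAccountLockedTime + policy.pwdLockoutDuration


def bind(state: AccountState, policy: PwdPolicy, now: int, password_ok: bool) -> str:
    """Simulate a simple bind. Returns 'success', 'invalidCredentials' or 'accountLocked'.

    Note: slapd itself answers invalidCredentials to a locked account; the
    accountLocked status only shows up in the password-policy response control,
    and only when olcPPolicyUseLockout is TRUE. The distinct string here is for
    readability of the simulation.
    """
    if is_locked(state, policy, now):
        return "accountLocked"
    state.pwdAccountLockedTime = None          # an expired lockout is cleared on next bind
    purge_stale_failures(state, policy, now)
    if password_ok:
        state.pwdFailureTime = []              # successful bind resets the failure count
        return "success"
    state.pwdFailureTime.append(now)
    if policy.pwdLockout and len(state.pwdFailureTime) >= policy.pwdMaxFailure:
        state.pwdAccountLockedTime = now
    return "invalidCredentials"


def admin_unlock(state: AccountState) -> None:
    """Equivalent of an admin deleting pwdAccountLockedTime / pwdFailureTime."""
    state.pwdAccountLockedTime = None
    state.pwdFailureTime = []


def demo_lockout() -> List[str]:
    """Six bad binds 10 s apart, then a correct bind while locked, then one after expiry."""
    policy, state, t0 = PwdPolicy(), AccountState(), 1_700_000_000
    results = [bind(state, policy, t0 + i * 10, password_ok=False) for i in range(6)]
    results.append(bind(state, policy, t0 + 100, password_ok=True))    # still locked
    results.append(bind(state, policy, t0 + 1000, password_ok=True))   # lock expired at t0+950
    return results


def demo_interval_reset() -> bool:
    """Five bad binds, a 900 s pause, then a sixth: the old failures have aged out."""
    policy, state, t0 = PwdPolicy(), AccountState(), 1_700_000_000
    for i in range(5):
        bind(state, policy, t0 + i * 10, password_ok=False)
    bind(state, policy, t0 + 1000, password_ok=False)
    return is_locked(state, policy, t0 + 1000)


if __name__ == "__main__":
    print(demo_lockout())
    print("locked after spaced-out failures:", demo_interval_reset())
```

The two demo functions show the two knobs that matter for a lockout rollout: pwdMaxFailure combined with pwdFailureCountInterval decides how many failures within a window trip the lock, and pwdLockoutDuration decides whether the lock clears on its own or needs an administrator to remove pwdAccountLockedTime.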