Summarising your post - here's your "active" ACLs by the looks:
access to dn.base="cn=Subschema"
    by * read
access to attrs=userPKCS12
    by self write
    by * auth
access to attrs=shadowLastChange
    by self write
    by * read
access to attrs=userPassword
    by dn="cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy" write
    by anonymous auth
    by self write
    by * none
access to dn.base=""
    by * read
access to *
    by dn="cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy" write
    by * read
access to dn="ou=moodleusers,dc=sub,dc=domain,dc=xyz,dc=xy"
    by dn="uid=usuariomoodle-admin,dc=sub,dc=domain,dc=xyz,dc=xy" write
The rule for "usuariomoodle-admin" is inaccessible. As ACLs are only processed until a match is found, you can never get to this rule - the preceding rule says give read to * so the ACL will always stop there if it hasn't been already caught by one of the others. Simply move that last access rule above the access to * one and you should get things moving in the right direction.
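
The first-match ordering problem described above can be checked mechanically. The following is an added example, not part of the original post: a simplified model that assumes `dn=` and `dn.base=` are exact matches and understands only `*`, exact DNs and `attrs=` targets (no subtree, regex or filter scopes); the function names are hypothetical.

```python
import re

# ACL list from the post, original order, one rule per line.
ACLS = """\
access to dn.base="cn=Subschema" by * read
access to attrs=userPKCS12 by self write by * auth
access to attrs=shadowLastChange by self write by * read
access to attrs=userPassword by dn="cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy" write by anonymous auth by self write by * none
access to dn.base="" by * read
access to * by dn="cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy" write by * read
access to dn="ou=moodleusers,dc=sub,dc=domain,dc=xyz,dc=xy" by dn="uid=usuariomoodle-admin,dc=sub,dc=domain,dc=xyz,dc=xy" write
"""

def parse_what(rule):
    """Return (dn, attrs) for the <what> part of a rule; None means 'any'."""
    what = rule.split(" by ", 1)[0][len("access to "):].strip()
    dn = re.search(r'\bdn(?:\.(?:base|exact))?="([^"]*)"', what)
    attrs = re.search(r'\battrs=(\S+)', what)
    return (dn.group(1).lower() if dn else None,
            frozenset(attrs.group(1).lower().split(",")) if attrs else None)

def covers(earlier, later):
    """True if every target matched by `later` is already matched by `earlier`."""
    e_dn, e_attrs = earlier
    l_dn, l_attrs = later
    dn_ok = e_dn is None or e_dn == l_dn
    attrs_ok = e_attrs is None or (l_attrs is not None and l_attrs <= e_attrs)
    return dn_ok and attrs_ok

def shadowed_rules(text):
    """Return (rule_no, shadowing_rule_no) pairs, 1-based, for unreachable rules."""
    rules = [l.strip() for l in text.splitlines()
             if l.strip().startswith("access to ")]
    whats = [parse_what(r) for r in rules]
    found = []
    for i, w in enumerate(whats):
        hit = next((j for j in range(i) if covers(whats[j], w)), None)
        if hit is not None:
            found.append((i + 1, hit + 1))
    return found

if __name__ == "__main__":
    for rule_no, by_no in shadowed_rules(ACLS):
        print(f"rule {rule_no} is never reached: rule {by_no} matches first")
```
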