Ok - I'll create an LDAP user specifically for changing passwords, and set that as my "ldap admin dn" in the smb.conf, so the change won't be done by the rootdn, as recommended by Adam and yourself. I'll then create an entry in the slapd.conf like the one below and give that a shot.
Excellent, I'm very interested to see what happens at that point.
# ACL's
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,shadowLastChange,shadowMax,sambaPwdLastSet,sambaPwdMustChange
        by self write
        by * auth
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,shadowLastChange,shadowMax,sambaPwdLastSet,sambaPwdMustChange,pwdChangedTime,pwdHistory
        by dn="cn=pwchanger,dc=example,dc=com" write
access to * by * read
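Added example, not part of the original thread: a small model of slapd's first-match ACL evaluation applied to the rules quoted above, to check what cn=pwchanger would actually be granted before testing against a live server. It assumes all three access clauses are active in the order shown and that the by dn= value is matched exactly; the uid=alice entry and the with_pwchanger_first() variant are constructed for illustration.

```python
# Minimal model of slapd ACL evaluation: the first "access to" clause whose
# <what> covers the attribute is selected, then the first matching "by" wins.
# Simplified: attribute lists and exact DNs only, no filters or regex styles.

PW_ATTRS = {"userPassword", "sambaNTPassword", "sambaLMPassword",
            "shadowLastChange", "shadowMax", "sambaPwdLastSet",
            "sambaPwdMustChange"}
PWCHANGER = "cn=pwchanger,dc=example,dc=com"

# The rules from the message, in the order posted (None means "access to *").
POSTED = [
    (PW_ATTRS, [("self", "write"), ("*", "auth")]),
    (PW_ATTRS | {"pwdChangedTime", "pwdHistory"}, [(PWCHANGER, "write")]),
    (None, [("*", "read")]),
]

def access_level(acl, attr, requester, target):
    """Return the level granted to requester on attr of the target entry."""
    for attrs, by_clauses in acl:
        if attrs is not None and attr not in attrs:
            continue  # this <what> does not cover the attribute
        for who, level in by_clauses:
            if (who == "*" or (who == "self" and requester == target)
                    or who.lower() == requester.lower()):
                return level
        return "none"  # implicit "by * none" closes every clause
    return "none"

def with_pwchanger_first():
    """Hypothetical variant: name the pwchanger DN in the first clause."""
    fixed = list(POSTED)
    fixed[0] = (PW_ATTRS,
                [(PWCHANGER, "write"), ("self", "write"), ("*", "auth")])
    return fixed

if __name__ == "__main__":
    user = "uid=alice,ou=People,dc=example,dc=com"  # constructed sample entry
    for name, acl in (("posted", POSTED), ("variant", with_pwchanger_first())):
        for attr in ("userPassword", "pwdChangedTime", "cn"):
            print(name, attr, access_level(acl, attr, PWCHANGER, user))
```

Under these assumptions the posted order leaves cn=pwchanger with only auth on userPassword and the Samba hashes, because the earlier clause matches those attributes first; the second clause is reached only for pwdChangedTime and pwdHistory.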