Sigh. One paragraph, one thinko/edit error... I wrote:
> As the slapd.conf manpage says, the above directives tell slapd to hash the password (and how to do so)

No, they tell it how to do so. Default {SSHA} like it says.

> if the client changes a password using the Password Modify extended operation, but not if it uses plain Add/Modify operations.
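
Since the hashing described above does not apply to plain Add/Modify operations, a client using them has to send an already-hashed userPassword value. The sketch below is an added example, not part of the original message or of OpenLDAP's code: it builds and verifies a {SSHA} value (salted SHA-1, the default scheme named above) and flags stored values that carry no scheme tag. The function names, DNs and passwords are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_.-]+)\}")  # leading {SCHEME} tag

def ssha_hash(password: bytes, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: bytes, stored: str) -> bool:
    """Check a password against a stored {SSHA} value."""
    if not stored.upper().startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)

def scheme_of(value: str) -> str:
    """Return the scheme tag in upper case, or CLEARTEXT if there is none."""
    m = SCHEME_RE.match(value)
    return m.group(1).upper() if m else "CLEARTEXT"

def find_cleartext(entries: Dict[str, str]) -> List[str]:
    """List DNs whose userPassword was stored without a hash scheme."""
    return sorted(dn for dn, v in entries.items() if scheme_of(v) == "CLEARTEXT")

# Constructed sample data (hypothetical DNs and passwords).
SAMPLE = {
    "uid=alice,dc=example,dc=com": ssha_hash(b"correct horse"),  # pre-hashed
    "uid=bob,dc=example,dc=com": "hunter2",                      # sent as-is
}

if __name__ == "__main__":
    for dn, value in SAMPLE.items():
        print(dn, scheme_of(value))
    print("needs re-hash:", find_cleartext(SAMPLE))
```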