I have an administrative user "uid=admin,ou=people,dc=compnay,dc=com"
and The first ACI sentence is like this

access to *
	by dn="
uid=admin,ou=people,dc=compnay,dc=com" manage
... {omitted} by * break
access to .....
    {omitted}

I assume that allows this admin user to manage all the attribute (*) including changing userPassword for all users. But it turns out that I still need to set pwdAllowUserChange to TRUE in the default pwdpolicy. But as I understand this password policy controls users changing their own password, not an administrator covered by above ACI. Here I copied from the man page. 
pwdAllowUserChange
       This attribute specifies whether users are allowed to change their  own
       passwords  or  not.   If pwdAllowUserChange is set to "TRUE", or if the
       attribute is not present, users will be allowed	to  change  their  own
       passwords.   If	its  value  is	"FALSE",  users will not be allowed to
       change their own passwords.

There must be some misundersanding here.  Anyone can help?

Thanks

Frank