You are using a UCS master as a member of an MS/AD domain, so the ad-connector only replicates from MS/AD to OpenLDAP. However, the Univention SelfService module can be configured to work in such an environment as well.
1. Step - Create a delegated user in MS/AD
In case you prefer not to use an existing administrative account (e.g. Domain Administrator), you should create a delegated user who has permission to reset the passwords of other users.
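One way to create such a delegated user, as an added example that is not part of the original article: the account receives only the "Reset Password" right on user objects below a single OU. The OU paths and the account name svc-selfservice are assumptions; replace them with values from your own domain.

```powershell
# Added example. All names below are assumptions, not values from the article.
Import-Module ActiveDirectory

$targetOu   = 'OU=Staff,DC=example,DC=test'             # hypothetical OU with the self-service users
$serviceOu  = 'OU=Service Accounts,DC=example,DC=test'  # hypothetical OU for the delegated account
$samAccount = 'svc-selfservice'                         # hypothetical account name
$netbios    = (Get-ADDomain).NetBIOSName

# Prompt for the password so it never appears in the script or the shell history.
$password = Read-Host -AsSecureString -Prompt "Password for $samAccount"

# Plain user account with no group memberships beyond Domain Users.
New-ADUser -Name $samAccount -SamAccountName $samAccount -Path $serviceOu `
    -AccountPassword $password -Enabled $true `
    -Description 'Delegated password reset for UCS SelfService'

# Grant only the "Reset Password" control access right (CA) on user objects.
# /I:S applies the entry to child objects of the OU, not to the OU itself.
dsacls $targetOu /I:S /G "${netbios}\${samAccount}:CA;Reset Password;user"
if ($LASTEXITCODE -ne 0) { throw "dsacls failed with exit code $LASTEXITCODE" }

# Show the resulting entries for the delegated account to confirm the scope.
dsacls $targetOu | Select-String -SimpleMatch $samAccount
```

Scoping the delegation to one OU keeps the account from resetting passwords elsewhere in the directory. Accounts protected by AdminSDHolder (for example members of Domain Admins) do not inherit this entry, so the delegated user cannot reset their passwords.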
2. Step - Configure SelfService
To enable the SelfService module, the UCR variables
ad/reset/password need to be set to the respective credentials.