The following ACIs allow anonymous read, search, and compare on select attributes of inetOrgPerson entries while authenticated users can access several more. An authenticated user inherits the privileges of the anonymous ACI and can also change userPassword.

aci: (targetattr="objectclass || uid || cn || mail || sn || givenName")(targetfilter="(objectClass=inetorgperson)")
(version 3.0; acl "Anyone can access names and email addresses of entries representing people";
allow (read,search,compare) userdn="ldap:///anyone";)
aci: (targetattr="departmentNumber || manager || isMemberOf")(targetfilter="(objectClass=inetorgperson)")
(version 3.0; acl "Authenticated users can access these fields for entries representing people";
allow (read,search,compare) userdn="ldap:///all";)
aci: (targetattr="userPassword")(version 3.0; acl "Authenticated users can change password";
allow (write) userdn="ldap:///all";)

To prevent anonymous access to the Directory Server, set the global configuration property reject-unauthenticated-requests to true.