Try something along the lines of:

# allow everybody to bind, and self to change password
access to attrs=userPassword
    by self write
    by anonymous auth

# allow everybody searching for objectClass
access to filter="(objectClass=inetOrgPerson)" attrs=objectClass
    by * search

# allow everybody to read the entry and the cn
access to filter="(objectClass=inetOrgPerson)" attrs=entry,cn
    by * read

# allow only users to read the rest of the entry
access to filter="(objectClass=inetOrgPerson)"
    by users read

# allow everybody to search (but not see) everything else
access to *
    by * search
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
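An added example, not part of the reply above: a simplified model of how slapd walks that ACL set (first matching "access to" clause wins, then the first matching "by" clause, anything unmatched is none), so the effective grants can be checked before deploying. It assumes only the self, anonymous, users and * subjects and the objectClass filter; real slapd supports many more options.

```python
# Simplified model of slapd ACL evaluation for the five clauses quoted above.
# Constructed for illustration: only 'self', 'anonymous', 'users' and '*'
# subjects and an objectClass-based filter are modelled.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# Each tuple: (objectClass filter or None, attribute set or None, by-clauses).
# None means "any objectClass" / "any attribute", as in the configuration.
ACLS = [
    (None, {"userPassword"}, [("self", "write"), ("anonymous", "auth")]),
    ({"inetOrgPerson"}, {"objectClass"}, [("*", "search")]),
    ({"inetOrgPerson"}, {"entry", "cn"}, [("*", "read")]),
    ({"inetOrgPerson"}, None, [("users", "read")]),
    (None, None, [("*", "search")]),
]


def subject_matches(who, bind_dn, target_dn):
    """Does a 'by <who>' clause apply to a request bound as bind_dn?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn == target_dn
    raise ValueError("unsupported subject: " + who)


def granted_level(bind_dn, target_dn, target_classes, attr):
    """Level granted to bind_dn on attr of target_dn: the first 'access to'
    clause matching the target is selected, then the first matching 'by'
    clause decides; if nothing matches the result is 'none'."""
    for classes, attrs, by_clauses in ACLS:
        if classes is not None and not classes & set(target_classes):
            continue
        if attrs is not None and attr not in attrs:
            continue
        for who, level in by_clauses:
            if subject_matches(who, bind_dn, target_dn):
                return level
        return "none"  # clause selected but no 'by' matched: denied
    return "none"


def allows(bind_dn, target_dn, target_classes, attr, needed):
    """True if the granted level is at least the privilege 'needed'."""
    got = granted_level(bind_dn, target_dn, target_classes, attr)
    return LEVELS.index(got) >= LEVELS.index(needed)
```

The model also makes the first-match effect visible: authenticated users get only search, not read, on objectClass, because the second clause is selected before the fourth.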