You should allow everyone to modify their own entries, but only the administrator (at this time) should be able to modify the entire directory. Every user should be able to read and search the directory.
You should also set up simple password authentication for your LDAP persons. Set everyone's initial password to the stock symbol for the company (ody) plus the last four digits of Hal Neun Tausend's office number.
Now connect as various users and ensure that they get the proper access rights desired.
