The following default ACIs are defined on the root DSE:
All users have anonymous access to the directory for search, compare, and read operations (except for the userpassword attribute).
Bound users can modify their own password.
Users in the group cn=Administrators,cn=config have full access to all entries. This is equivalent to Directory Manager access, although unlike Directory Manager, users in the Administration Group are subject to ACIs.