ACI difficulties, specifically with targetfilter
807573
Mar 21 2006, edited Apr 10 2006

We are hosting a directory server containing approximately 30,000 entries of people who either currently work here, or have in the past. One of the attributes of each entry is a boolean, "activePerson", which is set to true if the person is employed here, and "false" if they no longer work here. We want to limit access to any information for accounts with status activePerson=false to only one account, and deny it for all others. I have been trying to use a targetfilter as part of an ACI to prevent access, but it is not working as expected. We are running Sun Directory Server 5.2 (build 2003.143.0020) and currently cannot upgrade to a later release. Here is the specific ACI I am attempting to use:
aci: (targetattr = "*") (targetfilter = "(activePerson=false)")
 (version 3.0;acl "deny access to activePerson=false";deny (all)
 (userdn != "ldap:///uid=priv_acct,o=sys_accounts");)
I have tried quite a few variations on this ACI, and still have the same problem with it. The problem we have is that accounts other than the priv_acct are still able to see attributes of entries with activePerson=false. It is as if the targetfilter isn't working as I am expecting. Oddly enough, when searches are done from other accounts, it will find entries marked as activePerson=false and display some attributes from them, but not others. (i.e. if you search on roomnumber and departmentnumber, it will find people who were in departmentnumber or roomnumber 1006 - who are activePerson=false - and it will show things like their cn, sn, and telephonenumber, but it won't show departmentnumber or roomnumber.) Am I using that wrong? Is there another way to do this? There are no other inherited ACIs that affect this.
Any assistance would be greatly appreciated!
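As an added example (editor's code, not part of the post and not Sun Directory Server's own ACI engine), the script below parses the posted ACI into its targetattr, targetfilter and bind-rule parts and then models what the rule is meant to do: for each constructed entry and each bind DN, it reports which attributes the deny rule would hide. The entries, DNs and the simplified filter and bind-rule evaluation are assumptions made for the model; the real server's evaluation is more involved. Running it gives the visibility the ACI intends, which can then be compared attribute by attribute with what ldapsearch actually returns for each account.

```python
import re

# Constructed input: the posted ACI as one LDIF attribute value (folded lines joined).
POSTED_ACI = (
    '(targetattr = "*")(targetfilter = "(activePerson=false)")'
    '(version 3.0;acl "deny access to activePerson=false";'
    'deny (all)(userdn != "ldap:///uid=priv_acct,o=sys_accounts");)'
)

# Constructed sample entries with hypothetical DNs; attribute names lower-cased,
# values kept as lists, the way a client sees them. Boolean values stored as TRUE/FALSE.
ENTRIES = {
    "uid=alice,ou=people,o=example": {"cn": ["Alice"], "activeperson": ["TRUE"], "roomnumber": ["1006"]},
    "uid=bob,ou=people,o=example": {"cn": ["Bob"], "activeperson": ["FALSE"], "roomnumber": ["1006"]},
}

TARGET_RE = re.compile(r'\((target\w*)\s*(!=|=)\s*"([^"]*)"\)')
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*\((\w+)\s*(!=|=)\s*"([^"]*)"\)')


def parse_aci(aci):
    """Split a version 3.0 ACI into its target clauses, acl name and permission rules."""
    head, _, body = aci.partition("(version 3.0;")
    if not body:
        raise ValueError("not a version 3.0 ACI")
    targets = {kw.lower(): (op, val) for kw, op, val in TARGET_RE.findall(head)}
    name = re.search(r'acl\s+"([^"]*)"', body)
    rules = [(perm, rights.replace(" ", "").split(","), kw.lower(), op, val)
             for perm, rights, kw, op, val in RULE_RE.findall(body)]
    return {"targets": targets, "name": name.group(1) if name else "", "rules": rules}


def filter_matches(filt, entry):
    """Evaluate a single equality filter such as (activePerson=false) against an entry.
    Values are compared case-insensitively; this is a simplifying assumption of the model."""
    m = re.fullmatch(r'\((\w+)=([^)]*)\)', filt.strip())
    if not m:
        raise ValueError("only simple (attr=value) filters are modelled: %s" % filt)
    attr, wanted = m.group(1).lower(), m.group(2).lower()
    return wanted in (v.lower() for v in entry.get(attr, []))


def normalize_dn(dn):
    """Crude DN normalisation: lower-case and strip spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def bind_rule_matches(keyword, op, value, bind_dn):
    """Model a userdn bind rule: '=' matches the named DN, '!=' matches every other bind DN.
    An empty bind_dn stands for an anonymous bind (model assumption)."""
    if keyword != "userdn" or not value.startswith("ldap:///"):
        raise ValueError("only userdn bind rules are modelled")
    same = normalize_dn(value[len("ldap:///"):]) == normalize_dn(bind_dn)
    return same if op == "=" else not same


def aci_effect(aci, entry, bind_dn, attr):
    """Return 'deny', 'allow' or None (ACI does not apply) for one attribute of one entry."""
    targets = aci["targets"]
    op, tf = targets.get("targetfilter", ("=", None))
    if tf is not None and filter_matches(tf, entry) != (op == "="):
        return None  # entry is outside the ACI's target
    op, ta = targets.get("targetattr", ("=", "*"))
    named = [a.strip().lower() for a in ta.split("||")]
    in_list = "*" in named or attr.lower() in named
    if in_list != (op == "="):
        return None  # attribute is outside the targetattr list
    for perm, rights, kw, bop, val in aci["rules"]:
        if ("all" in rights or "read" in rights) and bind_rule_matches(kw, bop, val, bind_dn):
            return perm
    return None


def visible_attributes(aci_text, bind_dn, entries=ENTRIES):
    """Attributes each entry would expose to bind_dn if this ACI were the only rule
    and everything it does not deny were otherwise readable (model assumption)."""
    aci = parse_aci(aci_text)
    return {dn: sorted(a for a in entry if aci_effect(aci, entry, bind_dn, a) != "deny")
            for dn, entry in entries.items()}


if __name__ == "__main__":
    for who in ("uid=priv_acct,o=sys_accounts", "uid=alice,ou=people,o=example", ""):
        print(who or "(anonymous)", visible_attributes(POSTED_ACI, who))
```

Under this model, the intended outcome is all-or-nothing per entry: priv_acct sees every attribute of the activePerson=false entry, and any other bind (anonymous included) sees none of them, while activePerson=true entries are untouched. Partial visibility of an activePerson=false entry, as described in the post, is therefore not something this rule alone can produce, which narrows the search to how the server is actually evaluating it.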