Hi,

I have been going through the examples on this page in the manual
http://directory.apache.org/apacheds/1.5/32-basic-authorization.html
(I am using ApacheDS 1.5.7 with Apache Directory Studio version 1.5.3.v20100330).

I am trying to apply the prescriptiveACIs to my own company directory
partition, "o=vaytek".
Per the instructions, I enabled the "accessControlEnabled" flag in server.xml.
I have added to the top node "o=vaytek" the attribute "administrativeRole" with 
value "accessControlSpecificArea" to make it the administrative point.
I have added a subentry with prescriptiveACIs

1) to deny allUsers access to the userPassword,

2) to allow allUsers to search and compare other attributes, and

3) to assign a specific user as the directory manager with full access,

as follows:

dn: cn=vaytekAuthorizationRequirementsACISubentry,o=vaytek
objectClass: subentry
objectClass: accessControlSubentry
objectClass: top
cn: vaytekAuthorizationRequirementsACISubentry
subtreeSpecification: { }
# ACI 1 (precedence 10): applies to every simple-bound user; denies
# read/compare/filterMatch on userPassword, grants read-type access to
# all other user attributes and to the entry itself.
prescriptiveACI: {
    identificationTag "allUsersACI",
    precedence 10,
    authenticationLevel simple,
    itemOrUserFirst userFirst:
    {
        userClasses { allUsers },
        userPermissions
        {
            {
                protectedItems
                {
                    attributeType { userPassword }
                }
                ,
                grantsAndDenials
                {
                    denyCompare,
                    denyFilterMatch,
                    denyRead
                }
            }
            ,
            {
                protectedItems { allUserAttributeTypesAndValues, entry },
                grantsAndDenials
                {
                    grantRead,
                    grantReturnDN,
                    grantCompare,
                    grantDiscloseOnError,
                    grantBrowse,
                    grantFilterMatch
                }
            }
        }
    }
 }
# ACI 2 (precedence 11): the directory manager entry gets every permission.
# Note that in LDIF every continuation line of a multi-line value, including
# the closing brace, must start with a space.
prescriptiveACI: {
    identificationTag "directoryManagerFullAccessACI",
    precedence 11,
    authenticationLevel simple,
    itemOrUserFirst userFirst:
    {
        userClasses
        {
            name { "uid=rwoods,ou=Users,o=vaytek" }
        }
        ,
        userPermissions
        {
            {
                protectedItems { allUserAttributeTypesAndValues, entry },
                grantsAndDenials
                {
                    grantReturnDN,
                    grantDiscloseOnError,
                    grantExport,
                    grantRemove,
                    grantFilterMatch,
                    grantBrowse,
                    grantModify,
                    grantImport,
                    grantRead,
                    grantRename,
                    grantCompare,
                    grantInvoke,
                    grantAdd
                }
            }
        }
    }
 }

However, when I connect in Apache Directory Studio as user rwoods, all I
can see is the RootDSE and nothing below it.
Ditto if I connect as any other user. The user entries are in
"ou=users,o=vaytek", in a similar manner to the doc example
"ou=people,o=sevenSeas".
I checked the mailing list archives and found this thread
http://mail-archives.apache.org/mod_mbox/directory-users/201105.mbox/%[email protected]%3e
but I've already set the administrativeRole attribute.
Any help to get this working would be greatly appreciated.

Ron Woods
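The post relies on the X.501 Basic Access Control rules for combining the two prescriptiveACIs: higher precedence wins, at equal precedence a more specific user class (name over allUsers) and a more specific protected item (attributeType over allUserAttributeTypesAndValues) win, and if any deny survives those filters the operation is denied. The script below is an added, simplified model of that decision procedure, written for this page; it is not ApacheDS code and it does not diagnose the "only RootDSE is visible" symptom. It encodes the two ACIs from the LDIF above and reports what each should yield once the administrative point and subentry are in effect. The user "uid=alice,ou=Users,o=vaytek" is a constructed placeholder for "any other user"; itemFirst ACIs, userGroup/subtree user classes, subtreeSpecification refinements and operational attributes are not modelled.

```python
from dataclasses import dataclass

# Simplified X.501 BAC decision model (illustrative, not ApacheDS code).
AUTH_RANK = {"none": 0, "simple": 1, "strong": 2}
# 18.8.3 step 2: at equal precedence the more specific user class wins.
USER_CLASS_RANK = {"name": 2, "userGroup": 1, "allUsers": 0}
# 18.8.3 step 3: an explicit attributeType beats the catch-all items.
ITEM_RANK = {"attributeType": 1, "allUserAttributeTypesAndValues": 0, "entry": 0}


@dataclass(frozen=True)
class Permission:
    items: tuple        # (kind, arg) pairs, e.g. ("attributeType", "userPassword")
    grants: frozenset   # operation names without the "grant" prefix
    denials: frozenset  # operation names without the "deny" prefix


@dataclass(frozen=True)
class ACI:
    tag: str
    precedence: int
    auth_level: str     # minimum authenticationLevel of the requestor
    user_class: str     # "allUsers" or "name"
    names: frozenset = frozenset()
    permissions: tuple = ()


def _item_applies(kind, arg, attr):
    """attr is an attribute name, or None when the request targets the entry."""
    if attr is None:
        return kind == "entry"
    if kind == "allUserAttributeTypesAndValues":
        return True
    return kind == "attributeType" and arg.lower() == attr.lower()


def decide(acis, requestor_dn, auth_level, attr, op):
    """True if `op` on `attr` (None = the entry itself) is granted to
    `requestor_dn` bound at `auth_level`; no applicable ACI means deny."""
    candidates = []
    for aci in acis:
        if AUTH_RANK[auth_level] < AUTH_RANK[aci.auth_level]:
            continue
        if aci.user_class == "name":
            if requestor_dn is None or requestor_dn.lower() not in {n.lower() for n in aci.names}:
                continue
        elif aci.user_class != "allUsers":
            continue
        for perm in aci.permissions:
            for kind, arg in perm.items:
                if not _item_applies(kind, arg, attr):
                    continue
                if op in perm.grants:
                    verdict = True
                elif op in perm.denials:
                    verdict = False
                else:
                    continue
                candidates.append((aci.precedence, USER_CLASS_RANK[aci.user_class],
                                   ITEM_RANK[kind], verdict))
    if not candidates:
        return False
    # Keep only the highest precedence, then the most specific user class,
    # then the most specific protected item; any remaining deny wins.
    for idx in (0, 1, 2):
        best = max(c[idx] for c in candidates)
        candidates = [c for c in candidates if c[idx] == best]
    return all(c[3] for c in candidates)


# The two prescriptiveACIs from the subentry in the post.
ALL_USERS_ACI = ACI(
    tag="allUsersACI", precedence=10, auth_level="simple", user_class="allUsers",
    permissions=(
        Permission(items=(("attributeType", "userPassword"),),
                   grants=frozenset(),
                   denials=frozenset({"Compare", "FilterMatch", "Read"})),
        Permission(items=(("allUserAttributeTypesAndValues", None), ("entry", None)),
                   grants=frozenset({"Read", "ReturnDN", "Compare",
                                     "DiscloseOnError", "Browse", "FilterMatch"}),
                   denials=frozenset()),
    ))
MANAGER_ACI = ACI(
    tag="directoryManagerFullAccessACI", precedence=11, auth_level="simple",
    user_class="name", names=frozenset({"uid=rwoods,ou=Users,o=vaytek"}),
    permissions=(
        Permission(items=(("allUserAttributeTypesAndValues", None), ("entry", None)),
                   grants=frozenset({"ReturnDN", "DiscloseOnError", "Export", "Remove",
                                     "FilterMatch", "Browse", "Modify", "Import", "Read",
                                     "Rename", "Compare", "Invoke", "Add"}),
                   denials=frozenset()),
    ))
ACIS = (ALL_USERS_ACI, MANAGER_ACI)


def expected_outcomes():
    """What the two ACIs should yield for entries under o=vaytek."""
    manager = "uid=rwoods,ou=Users,o=vaytek"
    other = "uid=alice,ou=Users,o=vaytek"   # constructed placeholder user
    return {
        "rwoods reads userPassword": decide(ACIS, manager, "simple", "userPassword", "Read"),
        "other user reads userPassword": decide(ACIS, other, "simple", "userPassword", "Read"),
        "other user reads cn": decide(ACIS, other, "simple", "cn", "Read"),
        "other user browses entry": decide(ACIS, other, "simple", None, "Browse"),
        "other user modifies cn": decide(ACIS, other, "simple", "cn", "Modify"),
        "rwoods modifies cn": decide(ACIS, manager, "simple", "cn", "Modify"),
        "anonymous browses entry": decide(ACIS, None, "none", None, "Browse"),
    }


if __name__ == "__main__":
    for case, granted in expected_outcomes().items():
        print(f"{case}: {'grant' if granted else 'deny'}")
```

Two of these results are worth checking against the intent: the manager's precedence 11 overrides the userPassword denial for rwoods, and the userPassword denial beats the same-precedence grant for every other user because attributeType is more specific than allUserAttributeTypesAndValues. Anonymous binds get nothing because both ACIs require authenticationLevel simple.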