I need to set up an ApacheDS instance. I am using standalone 1.5.5 on Linux. I have removed the example partition and added two of my own, each with their own suffixes. I have imported LDIFs for the two partitions and everything looks correct data-wise.

I need to configure ApacheDS to disallow anonymous access. I was able to do that by following some of the directions here: http://directory.apache.org/apacheds/1.5/145-enable-and-disable-anonymous-access.html http://directory.apache.org/apacheds/1.5/32-basic-authorization.html

Now only the administrator account (uid=admin,ou=system) can log in and make queries.

I need to establish an admin account, and a "regular user" account which can read and write only certain entries within each partition. I tried to read the above docs and I got nuthin'. The second page "basic authorization" is completely incomprehensible to me.

When I tried to add a "prescriptiveACI" to it using Apache Directory Studio, I get:

Administration point, does not contain an administrativeRole attribute! An administrativeRole attribute in the administrative point is required to add a subordinate subentry.

where my partition is "ou=abc,o=def". I have no clue what is going on and the docs are really not helping, I am at a complete loss here. How can it possibly be this hard to just restrict access?

P.S. can someone with proper rep please change the tag "apache" to the new tag "ApacheDS"?


2 Answers


You need to define an administrativeRole attribute for your context entry:

dn: o=ou=abc,o=def
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea

http://directory.apache.org/apacheds/1.5/32-basic-authorization.html#3.2.Basicauthorization-Furtherconfigurationtaskstoperformafterwards should be clear enough.

BTW, I would suggest asking such specific questions on the ApacheDS user mailing list.

  • I said I had read those docs already, but I still don't understand them. I missed the first line of the section you pointed me to, so I tried to do that. I tried importing this LDIF file:

      dn: ou=abc,o=def
      changetype: modify
      add: administrativeRole
      administrativeRole: accessControlSpecificArea

    I also tried: dn: o=ou=abc,o=def. Neither of those worked; I got the error: Error while importing - Record is invalid. When I tried to create the entry using Apache Directory Studio, it complained about the schema not allowing it or something like that. I'm so confused =( – cmyers Mar 07 '10 at 00:25

There were a couple of different failures, it turns out. The biggest thing was that at some point, I had already successfully created the prescriptiveACI piece. Apache Directory Studio does not show them unless you right click and select "fetch subentries" and "fetch operational attributes". accessControlSpecificArea is an operational attribute and prescriptiveACI is a subentry.

Clear as mud now? Great.

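Putting both answers together, as an added example that is not part of the original thread: the administrativeRole change from the first answer, followed by the kind of access control subentry the second answer refers to, using the partition DN from the question. It assumes access control is already enabled on the server; the user DN, the ou=people branch and the subentry name are hypothetical.

```ldif
# Added example, not from the original thread. Hypothetical names:
# uid=appuser,ou=users,ou=abc,o=def, ou=people, cn=appUserReadWrite.

# 1. Mark the partition's context entry as an access control
#    administrative point. The "-" line closes the modification.
dn: ou=abc,o=def
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea
-

# 2. Add the access control subentry directly beneath that point.
#    subtreeSpecification limits it to the ou=people branch (base is
#    relative to the administrative point); {} would cover the whole area.
#    Continuation lines of prescriptiveACI start with a space.
dn: cn=appUserReadWrite,ou=abc,o=def
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: appUserReadWrite
subtreeSpecification: { base "ou=people" }
prescriptiveACI: {
  identificationTag "appUserReadWrite",
  precedence 10,
  authenticationLevel simple,
  itemOrUserFirst userFirst: {
    userClasses { name { "uid=appuser,ou=users,ou=abc,o=def" } },
    userPermissions { {
      protectedItems { entry, allUserAttributeTypesAndValues },
      grantsAndDenials { grantBrowse, grantReturnDN, grantRead,
        grantFilterMatch, grantCompare, grantAdd, grantModify, grantRemove }
    } }
  }
  }
```

Import it while bound as uid=admin,ou=system, then repeat with the second partition's suffix.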