[midPoint] role to role (group to group) association error

Jason Everling jeverling at bshp.edu
Tue Feb 26 18:38:20 CET 2019


I was trying to create an association for inbound role assignment for the
entitlement kind using:

        <association>
            <c:ref>ri:group</c:ref>
            <matchingRule>mr:stringIgnoreCase</matchingRule>
            <displayName>Domain Groups</displayName>
            <inbound>
                <authoritative>true</authoritative>
                <tolerant>false</tolerant>
                <strength>strong</strength>
                <expression>
                    <assignmentTargetSearch>
                        <targetType>c:RoleType</targetType>
                        <filter>
                            <q:equal>
                                <q:path>extension/bshp:ldapDn</q:path>
                                <expression>
                                    <script>
                                        <code>
                                            // resolve the associated group shadow and use its name as the search value
                                            entitlement = midpoint.resolveEntitlement(input);
                                            log.info("### entitlementName: " + entitlement?.getName());
                                            return entitlement?.getName();
                                        </code>
                                    </script>
                                </expression>
                            </q:equal>
                        </filter>
                    </assignmentTargetSearch>
                </expression>
                <target>
                    <path>assignment</path>
                </target>
            </inbound>
            <kind>entitlement</kind>
            <intent>group</intent>
            <direction>objectToSubject</direction>
            <associationAttribute>ri:member</associationAttribute>
            <valueAttribute>ri:dn</valueAttribute>
            <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
        </association>


The user has one; creating the inbound group-to-role mapping works like a
charm. Using the above for an entitlement itself (roles that are members
of other roles) results in an error:

Couldn't add object. Schema violation: Schema violation during processing
shadow: shadow: null (OID:null): Invalid attribute:
org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException(Wrong
DN 'CN=null,null': ERR_04201 No more characters available at position
12)->org.apache.directory.api.ldap.model.exception.LdapInvalidDnException(ERR_04201
No more characters available at position 12): Couldn't add object. Schema
violation: Schema violation during processing shadow: shadow: null
(OID:null): Invalid attribute:
org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException(Wrong
DN 'CN=null,null': ERR_04201 No more characters available at position
12)->org.apache.directory.api.ldap.model.exception.LdapInvalidDnException(ERR_04201
No more characters available at position 12): Couldn't add object. Schema
violation: Schema violation during processing shadow: shadow: null
(OID:null): Invalid attribute:
org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException(Wrong
DN 'CN=null,null': ERR_04201 No more characters available at position
12)->org.apache.directory.api.ldap.model.exception.LdapInvalidDnException(ERR_04201
No more characters available at position 12): Couldn't add object. Schema
violation: Schema violation during processing shadow: shadow: null
(OID:null): Invalid attribute:
org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException(Wrong
DN 'CN=null,null': ERR_04201 No more characters available at position
12)->org.apache.directory.api.ldap.model.exception.LdapInvalidDnException(ERR_04201
No more characters available at position 12)

When looking from the GUI the associations show up correctly for the role,
but the error happens when trying to apply the assignment.

Any ideas?
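The quoted error rejects the DN 'CN=null,null' with "No more characters available at position 12". The following is an added example (not code from the post, from midPoint, or from Apache Directory) that shows in Python why that string is malformed under RFC 4514 syntax and how it arises when null values are concatenated into a DN: a small DN parser that reports the same failure position, a helper that emulates Groovy's rendering of null as the literal "null" in string concatenation, and a fail-fast builder that refuses to produce a DN from missing parts before anything is sent to the directory. All function names are my own.

```python
"""Added example: minimal RFC 4514 DN syntax check and null-safe DN building.

Not part of the original post, midPoint, or Apache Directory. Handles
single-valued RDNs with backslash escapes; that is enough to distinguish a
well-formed DN from one assembled out of null values.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class DnError(Exception):
    """Syntax error with the character position at which parsing failed."""
    message: str
    position: int

    def __str__(self) -> str:
        return f"{self.message} at position {self.position}"


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse a string DN into a list of (attributeType, value) RDNs."""
    rdns: List[Tuple[str, str]] = []
    i, n = 0, len(dn)
    if n == 0:
        return rdns  # the empty DN (root) is legal
    while True:
        # attribute type: descriptor characters or a numeric OID
        start = i
        while i < n and (dn[i].isalnum() or dn[i] in "-."):
            i += 1
        atype = dn[start:i]
        if not atype:
            raise DnError("Expected attribute type", i)
        if i >= n:
            # e.g. the trailing RDN "null" in 'CN=null,null': no '=' before end of input
            raise DnError("No more characters available", i)
        if dn[i] != "=":
            raise DnError("Expected '='", i)
        i += 1
        # attribute value: up to the next unescaped comma; must be non-empty
        value: List[str] = []
        while i < n and dn[i] != ",":
            if dn[i] == "\\":
                if i + 1 >= n:
                    raise DnError("No more characters available", i + 1)
                value.append(dn[i + 1])
                i += 2
            else:
                value.append(dn[i])
                i += 1
        if not value:
            raise DnError("Empty attribute value", i)
        rdns.append((atype, "".join(value)))
        if i >= n:
            return rdns
        i += 1  # skip the separating comma
        if i >= n:
            raise DnError("No more characters available", i)


def check_dn(dn: str) -> Optional[str]:
    """Return None for a well-formed DN, otherwise the error text."""
    try:
        parse_dn(dn)
        return None
    except DnError as err:
        return str(err)


def groovy_join_dn(cn: Optional[str], base: Optional[str]) -> str:
    """Emulate Groovy string concatenation, where a null operand renders as 'null'.

    This is how a DN like 'CN=null,null' gets produced from unresolved values.
    """
    render = lambda v: "null" if v is None else str(v)
    return "CN=" + render(cn) + "," + render(base)


def safe_dn(cn: Optional[str], base: Optional[str]) -> str:
    """Build a DN only from present, non-empty parts; otherwise fail before provisioning."""
    if not cn or not base:
        raise ValueError(f"refusing to build a DN from missing parts: cn={cn!r} base={base!r}")
    dn = f"CN={cn},{base}"
    problem = check_dn(dn)
    if problem:
        raise ValueError(f"built DN is malformed: {problem}")
    return dn


if __name__ == "__main__":
    # constructed sample values, not taken from the post
    print(check_dn(groovy_join_dn(None, None)))          # No more characters available at position 12
    print(safe_dn("Domain Groups", "OU=Groups,DC=example,DC=edu"))
```

The parser stops at index 12 for 'CN=null,null' because that is where it expects an '=' for the second RDN and finds the end of the string, which is the same position reported by the quoted LdapInvalidDnException; the practical takeaway is to validate the resolved value and the resulting DN before the provisioning step rather than letting the directory reject it.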