<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">I was trying to create an association for inbound role assignment for the entitlement kind using</div><div dir="ltr"><br></div><div dir="ltr"><div dir="ltr">         <association></div><div dir="ltr">            <c:ref>ri:group</c:ref></div><div dir="ltr">            <matchingRule>mr:stringIgnoreCase</matchingRule></div><div dir="ltr">            <displayName>Domain Groups</displayName></div><div dir="ltr"><span style="white-space:pre">                  </span><inbound></div><div dir="ltr"><span style="white-space:pre">                           </span><authoritative>true</authoritative></div><div dir="ltr">               <span style="white-space:pre">    </span>                <tolerant>false</tolerant></div><div dir="ltr"><span style="white-space:pre">                            </span><strength>strong</strength></div><div dir="ltr"><span style="white-space:pre">                           </span><expression></div><div dir="ltr"><span style="white-space:pre">                                        </span><assignmentTargetSearch></div><div dir="ltr"><span style="white-space:pre">                                    </span><targetType>c:RoleType</targetType></div><div dir="ltr"><span style="white-space:pre">                   </span>        <span style="white-space:pre"> </span><filter></div><div dir="ltr"><span style="white-space:pre">                    </span>                <q:equal></div><div dir="ltr"><span style="white-space:pre">                   </span>                <span style="white-space:pre">     </span><q:path>extension/bshp:ldapDn</q:path></div><div dir="ltr"><span style="white-space:pre">                                                                </span><expression></div><div dir="ltr"><span style="white-space:pre">                                                                        </span><script></div><div dir="ltr"><span style="white-space:pre">                     
                                                       </span><code></div><div dir="ltr"><span style="white-space:pre">                                                                                      </span>entitlement = midpoint.resolveEntitlement(input);</div><div dir="ltr"><span style="white-space:pre">                                                                                        </span>log.info("### entitlementName: " + entitlement?.getName())</div><div dir="ltr"><span style="white-space:pre">                                                                                  </span>return entitlement?.getName();</div><div dir="ltr"><span style="white-space:pre">                                                                            </span></code></div><div dir="ltr"><span style="white-space:pre">                                                                     </span></script></div><div dir="ltr"><span style="white-space:pre">                                                           </span></expression></div><div dir="ltr"><span style="white-space:pre">                       </span>                </q:equal></div><div dir="ltr"><span style="white-space:pre">                  </span>            </filter></div><div dir="ltr"><span style="white-space:pre">                 </span>        </assignmentTargetSearch></div><div dir="ltr"><span style="white-space:pre">                               </span></expression></div><div dir="ltr"><span style="white-space:pre">                               </span><target></div><div dir="ltr"><span style="white-space:pre">                                    </span><path>assignment</path></div><div dir="ltr"><span style="white-space:pre">                               </span></target></div><div dir="ltr"><span style="white-space:pre">                   </span></inbound></div><div dir="ltr">            <kind>entitlement</kind></div><div dir="ltr">            
<intent>group</intent></div><div dir="ltr">            <direction>objectToSubject</direction></div><div dir="ltr">            <associationAttribute>ri:member</associationAttribute></div><div dir="ltr">            <valueAttribute>ri:dn</valueAttribute></div><div dir="ltr">            <shortcutValueAttribute>ri:dn</shortcutValueAttribute></div><div dir="ltr"><span style="white-space:pre">              </span> </association></div></div><div dir="ltr"><br><div><br></div><div>The user has one; it creates the inbound group-to-role mapping and works like a charm. Using the above for an entitlement itself, which are roles that are members of other roles, results in an error:</div><div><br></div><div>Couldn't add object. Schema violation: Schema violation during processing shadow: shadow: null (OID:null): Invalid attribute: org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException(Wrong DN 'CN=null,null': ERR_04201 No more characters available at position 12)->org.apache.directory.api.ldap.model.exception.LdapInvalidDnException(ERR_04201 No more characters available at position 12): Couldn't add object. Schema violation: Schema violation during processing shadow: shadow: null (OID:null): Invalid attribute: org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException(Wrong DN 'CN=null,null': ERR_04201 No more characters available at position 12)->org.apache.directory.api.ldap.model.exception.LdapInvalidDnException(ERR_04201 No more characters available at position 12): Couldn't add object. Schema violation: Schema violation during processing shadow: shadow: null (OID:null): Invalid attribute: org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException(Wrong DN 'CN=null,null': ERR_04201 No more characters available at position 12)->org.apache.directory.api.ldap.model.exception.LdapInvalidDnException(ERR_04201 No more characters available at position 12): Couldn't add object. 
Schema violation: Schema violation during processing shadow: shadow: null (OID:null): Invalid attribute: org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException(Wrong DN 'CN=null,null': ERR_04201 No more characters available at position 12)->org.apache.directory.api.ldap.model.exception.LdapInvalidDnException(ERR_04201 No more characters available at position 12)<br></div><div><br clear="all"><div><div dir="ltr" class="gmail_signature"><div dir="ltr">When looking from the GUI, the associations show up correctly for the role, but the error happens when trying to apply the assignment.</div><div dir="ltr"><br></div><div>Any ideas?</div></div></div></div></div></div></div></div></div>