<div dir="ltr"><div dir="ltr"><div dir="ltr">I meant to reply earlier. It was because of the 2nd order inducement from a metarole; it was trying to create a user account for the role when a role was assigned to another role. I just had to add <focusType>c:UserType</focusType> to the 2nd order inducement.</div><div dir="ltr"><br></div><div>Thanks!<br><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Feb 26, 2019 at 11:38 AM Jason Everling <<a href="mailto:jeverling@bshp.edu">jeverling@bshp.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">I was trying to create an association for inbound role assignment for the entitlement kind using</div><div dir="ltr"><br></div><div dir="ltr"><div dir="ltr">         <association></div><div dir="ltr">            <c:ref>ri:group</c:ref></div><div dir="ltr">            <matchingRule>mr:stringIgnoreCase</matchingRule></div><div dir="ltr">            <displayName>Domain Groups</displayName></div><div dir="ltr"><span style="white-space:pre-wrap">                     </span><inbound></div><div dir="ltr"><span style="white-space:pre-wrap">                              </span><authoritative>true</authoritative></div><div dir="ltr">               <span style="white-space:pre-wrap">       </span>                <tolerant>false</tolerant></div><div dir="ltr"><span style="white-space:pre-wrap">                               </span><strength>strong</strength></div><div dir="ltr"><span style="white-space:pre-wrap">                              </span><expression></div><div dir="ltr"><span style="white-space:pre-wrap">                                   </span><assignmentTargetSearch></div><div dir="ltr"><span style="white-space:pre-wrap">                                       </span><targetType>c:RoleType</targetType></div><div dir="ltr"><span 
style="white-space:pre-wrap">                      </span>        <span style="white-space:pre-wrap">    </span><filter></div><div dir="ltr"><span style="white-space:pre-wrap">                       </span>                <q:equal></div><div dir="ltr"><span style="white-space:pre-wrap">                      </span>                <span style="white-space:pre-wrap">        </span><q:path>extension/bshp:ldapDn</q:path></div><div dir="ltr"><span style="white-space:pre-wrap">                                                           </span><expression></div><div dir="ltr"><span style="white-space:pre-wrap">                                                                   </span><script></div><div dir="ltr"><span style="white-space:pre-wrap">                                                                               </span><code></div><div dir="ltr"><span style="white-space:pre-wrap">                                                                                 </span>entitlement = midpoint.resolveEntitlement(input);</div><div dir="ltr"><span style="white-space:pre-wrap">                                                                                   </span>log.info("### entitlementName: " + entitlement?.getName())</div><div dir="ltr"><span style="white-space:pre-wrap">                                                                                   </span>return entitlement?.getName();</div><div dir="ltr"><span style="white-space:pre-wrap">                                                                               </span></code></div><div dir="ltr"><span style="white-space:pre-wrap">                                                                        </span></script></div><div dir="ltr"><span style="white-space:pre-wrap">                                                              </span></expression></div><div dir="ltr"><span style="white-space:pre-wrap">                  </span>                
</q:equal></div><div dir="ltr"><span style="white-space:pre-wrap">                     </span>            </filter></div><div dir="ltr"><span style="white-space:pre-wrap">                    </span>        </assignmentTargetSearch></div><div dir="ltr"><span style="white-space:pre-wrap">                          </span></expression></div><div dir="ltr"><span style="white-space:pre-wrap">                          </span><target></div><div dir="ltr"><span style="white-space:pre-wrap">                                       </span><path>assignment</path></div><div dir="ltr"><span style="white-space:pre-wrap">                          </span></target></div><div dir="ltr"><span style="white-space:pre-wrap">                      </span></inbound></div><div dir="ltr">            <kind>entitlement</kind></div><div dir="ltr">            <intent>group</intent></div><div dir="ltr">            <direction>objectToSubject</direction></div><div dir="ltr">            <associationAttribute>ri:member</associationAttribute></div><div dir="ltr">            <valueAttribute>ri:dn</valueAttribute></div><div dir="ltr">            <shortcutValueAttribute>ri:dn</shortcutValueAttribute></div><div dir="ltr"><span style="white-space:pre-wrap">         </span> </association></div></div><div dir="ltr"><br><div><br></div><div>The user has one; it creates inbound group to role mapping and works like a charm. Using the above for an entitlement itself, which are roles that are members of other roles, results in an error:</div><div><br></div><div>Couldn't add object. Schema violation: Schema violation during processing shadow: shadow: null (OID:null): Invalid attribute: org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException(Wrong DN 'CN=null,null': ERR_04201 No more characters available at position 12)->org.apache.directory.api.ldap.model.exception.LdapInvalidDnException(ERR_04201 No more characters available at position 12): Couldn't add object. 
Schema violation: Schema violation during processing shadow: shadow: null (OID:null): Invalid attribute: org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException(Wrong DN 'CN=null,null': ERR_04201 No more characters available at position 12)->org.apache.directory.api.ldap.model.exception.LdapInvalidDnException(ERR_04201 No more characters available at position 12): Couldn't add object. Schema violation: Schema violation during processing shadow: shadow: null (OID:null): Invalid attribute: org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException(Wrong DN 'CN=null,null': ERR_04201 No more characters available at position 12)->org.apache.directory.api.ldap.model.exception.LdapInvalidDnException(ERR_04201 No more characters available at position 12): Couldn't add object. Schema violation: Schema violation during processing shadow: shadow: null (OID:null): Invalid attribute: org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException(Wrong DN 'CN=null,null': ERR_04201 No more characters available at position 12)->org.apache.directory.api.ldap.model.exception.LdapInvalidDnException(ERR_04201 No more characters available at position 12)<br></div><div><br clear="all"><div><div dir="ltr" class="gmail-m_190908839137596908gmail_signature"><div dir="ltr">When looking from the GUI the associations show up correctly for the role but the error happens when trying to apply the assignment</div><div dir="ltr"><br></div><div>Any ideas?</div></div></div></div></div></div></div></div></div>
</blockquote></div></div></div>
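Added example, not from the original thread: a sketch of the metarole fix described in the reply at the top, where the order-2 inducement is limited to users through focusType. The OIDs, the role name and the account intent are placeholders, and the thread does not show the author's actual metarole.

```xml
<!-- Added illustration. All OIDs, the name and the account intent are
     placeholders; only the order/focusType combination comes from the thread. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="00000000-0000-0000-0000-0000000000a1">
    <name>Metarole: LDAP group (placeholder)</name>

    <!-- Order 1 (the default): applies to the role that holds this metarole
         and gives that role its group entitlement on the resource. -->
    <inducement>
        <construction>
            <resourceRef oid="00000000-0000-0000-0000-0000000000b2"
                         type="c:ResourceType"/>
            <kind>entitlement</kind>
            <intent>group</intent>
        </construction>
    </inducement>

    <!-- Order 2: applies to whatever is assigned a role holding this metarole.
         As the reply explains, without focusType this also fires when such a
         role is assigned to another role, so an account is attempted for a
         role. Restricting the inducement to UserType prevents that. -->
    <inducement>
        <construction>
            <resourceRef oid="00000000-0000-0000-0000-0000000000b2"
                         type="c:ResourceType"/>
            <kind>account</kind>
            <intent>default</intent>
        </construction>
        <order>2</order>
        <focusType>c:UserType</focusType>
    </inducement>
</role>
```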