I believe there is an issue in the interaction between Miq_LDAP and the LDAP authenticator.
The LDAP authenticator creates new users in create_user_from_ldap and, if they have a UPN, sets their user ID to the UPN, else it is set to their DN.
However, in MIQ_LDAP’s get_user_object, which is called when the provisioning request is created, if the LDAP mode is set to samaccountname then the code executed expects to be able to parse the samaccountname from the user id. This would be fine if all user ids were the DN, but if they are the UPN this fails. A workaround is to set the LDAP mode to UPN.
I am unsure if in most orgs the UPN is set to <samaccountname>@<domain>, but that is not the case for me, resulting in this error.
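
The mismatch described in the post above, as an added Ruby example that is not part of the original post and is not ManageIQ code: it picks the LDAP search from the shape of the stored user id rather than from the configured mode, and escapes the value before it goes into a filter. All method names, the `ENTRY` record and the `naive_samaccountname` stand-in are hypothetical and constructed for illustration.

```ruby
# Added illustration, not ManageIQ code; every name below is hypothetical.

# Escape a value for use inside an LDAP search filter (RFC 4515).
def escape_filter_value(value)
  value.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# Classify a stored user id by its shape instead of by the configured mode.
def userid_kind(userid)
  return :dn if userid.match?(/\A[A-Za-z][A-Za-z0-9-]*=.+,.+=/)
  return :upn if userid.match?(/\A[^@\\]+@[^@\\]+\z/)
  return :downlevel if userid.match?(/\A[^\\]+\\[^\\]+\z/)
  :samaccountname
end

# Choose the search that matches the identifier actually stored.
def lookup_plan(userid)
  case userid_kind(userid)
  when :dn
    { scope: :base, base: userid, filter: '(objectClass=*)' }
  when :upn
    { scope: :subtree, filter: "(userPrincipalName=#{escape_filter_value(userid)})" }
  when :downlevel
    name = userid.split('\\', 2).last
    { scope: :subtree, filter: "(sAMAccountName=#{escape_filter_value(name)})" }
  else
    { scope: :subtree, filter: "(sAMAccountName=#{escape_filter_value(userid)})" }
  end
end

# Constructed directory entry where the UPN prefix differs from sAMAccountName.
ENTRY = {
  dn: 'CN=Jane Doe,OU=Staff,DC=corp,DC=example,DC=com',
  upn: 'jane.doe@corp.example.com',
  samaccountname: 'jdoe'
}.freeze

# Stand-in for the failing assumption: treat the UPN prefix as the account name.
def naive_samaccountname(userid)
  userid.split('@', 2).first
end

if $PROGRAM_NAME == __FILE__
  puts naive_samaccountname(ENTRY[:upn]) == ENTRY[:samaccountname]
  puts lookup_plan(ENTRY[:upn])
  puts lookup_plan(ENTRY[:dn])
end
```
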