I configured this in my environment just to check. Here is the setup that works perfectly as expected:
Business role:
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Bundle PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Bundle created="1741978124499" displayName="Accounts Receivable Admin" id="c0a80a01958b11a8819595fcc0d30835" modified="1741978124509" name="Accounts Receivable Admin" significantModified="1741978124509" type="business">
<Attributes>
<Map>
<entry key="accountSelectorRules"/>
<entry key="allowDuplicateAccounts" value="false"/>
<entry key="allowMultipleAssignments" value="false"/>
<entry key="mergeTemplates" value="false"/>
<entry key="sysDescriptions">
<value>
<Map>
<entry key="en_US"/>
</Map>
</value>
</entry>
</Map>
</Attributes>
<Owner>
<Reference class="sailpoint.object.Identity" id="0a00004a86b211688186b25872c50109" name="Ryan.Russell"/>
</Owner>
<Requirements>
<Reference class="sailpoint.object.Bundle" id="c0a80a01958b11a8819595fc366b0828" name="Accounts Re Admin IT"/>
</Requirements>
</Bundle>
IT role:
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Bundle PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Bundle created="1741978089067" displayName="Accounts Re Admin IT" id="c0a80a01958b11a8819595fc366b0828" modified="1741978124510" name="Accounts Re Admin IT" significantModified="1741978124510" type="it">
<Attributes>
<Map>
<entry key="accountSelectorRules">
<value>
<AccountSelectorRules>
<ApplicationAccountSelectorRules>
<ApplicationAccountSelectorRule>
<ApplicationRef>
<Reference class="sailpoint.object.Application" id="0a00002088761e968188a9f2ab721832" name="OpenLDAP"/>
</ApplicationRef>
<RuleRef>
<Reference class="sailpoint.object.Rule" id="c0a80a01958b11a8819595fc202c0827" name="SelectionRule_AccRec"/>
</RuleRef>
</ApplicationAccountSelectorRule>
</ApplicationAccountSelectorRules>
</AccountSelectorRules>
</value>
</entry>
<entry key="allowDuplicateAccounts" value="false"/>
<entry key="allowMultipleAssignments" value="false"/>
<entry key="mergeTemplates" value="false"/>
<entry key="sysDescriptions">
<value>
<Map>
<entry key="en_US"/>
</Map>
</value>
</entry>
</Map>
</Attributes>
<Owner>
<Reference class="sailpoint.object.Identity" id="0a00004a86b21ea18186b22f044900ea" name="spadmin"/>
</Owner>
<Profiles>
<Profile created="1741978089070" id="c0a80a01958b11a8819595fc366e0829">
<ApplicationRef>
<Reference class="sailpoint.object.Application" id="0a00002088761e968188a9f2ab721832" name="OpenLDAP"/>
</ApplicationRef>
<Constraints>
<Filter operation="CONTAINS_ALL" property="groups">
<Value>
<List>
<String>cn=accounts-receivables,ou=groups,dc=example,dc=org</String>
</List>
</Value>
</Filter>
</Constraints>
</Profile>
</Profiles>
</Bundle>
My rule, minus the signature:
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule created="1741978083372" id="c0a80a01958b11a8819595fc202c0827" language="beanshell" modified="1741979885703" name="SelectionRule_AccRec" type="AccountSelector">
<Description>AccountSelector Rules are used by the role modeler to automatically select a target account for provisioning when there are multiple candidates.
The return value is a Link instance that represents the selection. Value can be:
null - indicates that no automatic selection can be made
"prompt" - indicates that a separate account selector should be presented for the role
existing Link - the selected Link from the list of possible target Links
a new Link instance - indicates that a new account must be created with the identity specified by the create policy, or manually; in this case, the Link instance returned will have a null nativeIdentity attribute</Description>
<Source>
import com.acme.rule.VariousRules;
VariousRules variousRules = new VariousRules();
return variousRules.accountSelectionRule(identity, links, context);
</Source>
</Rule>
And finally, the selection Java:
package com.acme.rule;

import java.util.List;
import sailpoint.api.SailPointContext;
import sailpoint.object.Identity;
import sailpoint.object.Link;

public class VariousRules {
    // AccountSelector body: always asks for a second "admin" account whose DN is derived from the identity's name
    public Link accountSelectionRule(Identity identity, List<Link> links, SailPointContext context) {
        String nativeIdentity = "cn=admin." + identity.getFirstname() + "." + identity.getLastname() + ",ou=users,dc=example,dc=org";
        Link newLink = new Link();
        newLink.setNativeIdentity(nativeIdentity); // the returned Link's nativeIdentity becomes the Create AccountRequest's nativeIdentity
        return newLink;
    }
}
Once I request that role for one of the identities that already has an account in that LDAP, this is the plan I get inside the workflow case:
<ProvisioningPlan targetIntegration="OpenLDAP" trackingId="fdda638faa0d4033aa2d37ed002e538e">
<AccountRequest application="OpenLDAP" assignmentIds="fd7eb55360a247eaa55b39f2f93a6245" nativeIdentity="cn=admin.Alice.Ford,ou=users,dc=example,dc=org" op="Create" sourceRole="Accounts Re Admin IT">
<Attributes>
<Map>
<entry key="selectorRuleSource" value="Accounts Re Admin IT"/>
</Map>
</Attributes>
<AttributeRequest name="groups" op="Add">
<Value>
<List>
<String>cn=accounts-receivables,ou=groups,dc=example,dc=org</String>
</List>
</Value>
</AttributeRequest>
<AttributeRequest name="password" op="Set" value="abcd1234">
<Attributes>
<Map>
<entry key="secret" value="true"/>
</Map>
</Attributes>
</AttributeRequest>
<AttributeRequest name="cn" op="Set" value="Alice.Ford"/>
<AttributeRequest name="givenName" op="Set" value="Alice"/>
<AttributeRequest name="sn" op="Set" value="Ford"/>
</AccountRequest>
<Attributes>
<Map>
<entry key="identityRequestId" value="0000001081"/>
<entry key="requester" value="spadmin"/>
<entry key="source" value="LCM"/>
</Map>
</Attributes>
<Requesters>
<Reference class="sailpoint.object.Identity" id="0a00004a86b21ea18186b22f044900ea" name="spadmin"/>
</Requesters>
</ProvisioningPlan>
But my provisioning policy for dn is:
<Field displayName="con_prov_policy_ldap_user_DN" helpKey="help_con_prov_policy_ldap_user_DN" name="dn" required="true" type="string">
<Script>
<Source>"cn="+identity.getFirstname()+"."+identity.getLastname()+",ou=users,dc=example,dc=org";</Source>
</Script>
</Field>
So now you have a working example.
Hope this helps.
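The helper in the post concatenates the identity's first and last name straight into a DN and always returns a new Link. As an added example, not part of the original post, the class below keeps the same `accountSelectionRule(identity, links, context)` signature (so the Beanshell rule only needs its import changed), but escapes the name parts per RFC 4514 before building the DN, returns the existing admin Link when the identity already has one instead of requesting a second Create, and falls back to "prompt" when a name part is missing. The class name, the `escapeRdnValue`/`adminDn` helpers and the DN constants (copied from the post's `cn=admin.<first>.<last>,ou=users,dc=example,dc=org` shape) are assumptions for illustration; the SailPoint types used are the ones the post already references.

```java
package com.acme.rule;

import java.util.List;

import sailpoint.api.SailPointContext;
import sailpoint.object.Identity;
import sailpoint.object.Link;

/**
 * Added example (not the original poster's class). Same contract as
 * VariousRules.accountSelectionRule, but name parts are escaped before
 * they become part of a DN and an existing admin Link is reused.
 * Class and helper names are hypothetical.
 */
public class VariousRulesSafe {

    // DN shape taken from the post above; adjust to your directory layout.
    private static final String ADMIN_PREFIX = "cn=admin.";
    private static final String USERS_SUFFIX = ",ou=users,dc=example,dc=org";

    /**
     * Escape one attribute value for use inside an RDN (RFC 4514, section 2.4),
     * so a name such as "Ford,ou=admins" cannot change the structure of the
     * generated DN. Special characters get a backslash; a leading '#' or space
     * and a trailing space are escaped as well; NUL becomes "\00".
     */
    static String escapeRdnValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case ',': case '+': case '"': case '\\':
                case '<': case '>': case ';': case '=':
                    sb.append('\\').append(c);
                    break;
                case '\0':
                    sb.append("\\00");
                    break;
                default:
                    sb.append(c);
            }
        }
        String escaped = sb.toString();
        if (value.startsWith("#") || value.startsWith(" ")) {
            escaped = "\\" + escaped;
        }
        if (value.endsWith(" ") && value.length() > 1) {
            escaped = escaped.substring(0, escaped.length() - 1) + "\\ ";
        }
        return escaped;
    }

    /** Build the admin DN for an identity, or null when a name part is missing. */
    static String adminDn(Identity identity) {
        String first = identity.getFirstname();
        String last = identity.getLastname();
        if (first == null || last == null) {
            return null;
        }
        first = first.trim();
        last = last.trim();
        if (first.isEmpty() || last.isEmpty()) {
            return null;
        }
        return ADMIN_PREFIX + escapeRdnValue(first) + "." + escapeRdnValue(last) + USERS_SUFFIX;
    }

    /**
     * AccountSelector contract as described in the rule's Description above:
     * an existing Link to reuse it, a new Link to create an account,
     * "prompt" to let the requester choose, or null for no automatic choice.
     */
    public Object accountSelectionRule(Identity identity, List<Link> links, SailPointContext context) {
        String wanted = adminDn(identity);
        if (wanted == null) {
            return "prompt"; // no usable name data, so do not guess a DN
        }
        if (links != null) {
            for (Link link : links) {
                // cn values compare case-insensitively in most LDAP schemas
                if (wanted.equalsIgnoreCase(link.getNativeIdentity())) {
                    return link; // admin account already exists: reuse it rather than request a duplicate Create
                }
            }
        }
        Link newLink = new Link();
        newLink.setNativeIdentity(wanted);
        return newLink;
    }
}
```

With this in place the rule source changes only in the class it instantiates (`new VariousRulesSafe()`); the return type is `Object` because the selector may legitimately hand back a `String` ("prompt") as well as a `Link`.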