2 Replies Latest reply on Aug 17, 2015 5:46 PM by csetera

    Relationship User - Role LDAP not working

    xardas008

      Hey guys,

      I'm currently implementing an LDAP integration for one of my systems. I've checked the quickstart guide, which works quite fine. I can query users (logging in works, logout works as well) and I can query roles.

      But the relationship between role and user doesn't work.

      I use the exact same code snippet defined inside the quickstart application for the Grant.class. I've checked where the difference might be in the definition of the role inside our LDAP and the embedded LDAP of the quickstart guide and found out that in the embedded LDAP we have member=uid,ou=People,dc=jboss,dc=org whereas in our company's LDAP we only have member=uid.

      Is there a way to hook up something where I could grab the value of the member attribute, append the USER_DN_SUFFIX to it and then store it inside the Grant.class mapping so it can resolve the user? I'd like to get the PicketLink implementation to work because it is quite convenient and easy to use compared to a more manual approach.

      Regards,

      Daniel

        • 1. Re: Relationship User - Role LDAP not working
          xardas008

          Another thing I found out is that the Grant mapping isn't called: neither the constructor nor the setters of the Grant.class are called to set either the assignee or the role.

          • 2. Re: Relationship User - Role LDAP not working
            csetera

            Daniel,

             

            I'm not sure if you've found an answer to your problem, but I believe I had the same problem and was just able to resolve it. For you or anyone else that may stumble over this question, I thought I would offer up my solution to the problem. In my case, I started with the Quickstart that splits credentials (LDAP) and relationships (JPA). I am using the simple/sample JPA entities for the storage. I am attempting to store Roles in JPA and grant those roles to Users (LDAP), and it was failing to properly link things together.

            After a lot of time in the code, I figured out that it was trying to find the User within the JPA store despite the fact that it was located in LDAP. The crux of the problem seemed to be the use of the RelationshipIdentityTypeEntity from the sample entities, which was relating the entities via a database relationship. While stepping through the code, I noticed that there was the ability to use a String-based mapping for the identifier rather than a direct object-to-object mapping in JPA. I added a new JPA entity to my application that replaced the JPA relationship with a simple String attribute and used that instead of RelationshipIdentityTypeEntity. The guts of the entity class look like the following:

             

            import java.io.Serializable;

            import javax.persistence.Entity;
            import javax.persistence.GeneratedValue;
            import javax.persistence.Id;
            import javax.persistence.ManyToOne;

            import org.picketlink.idm.jpa.annotations.OwnerReference;
            import org.picketlink.idm.jpa.annotations.RelationshipDescriptor;
            import org.picketlink.idm.jpa.annotations.RelationshipMember;
            import org.picketlink.idm.jpa.model.sample.simple.RelationshipTypeEntity;

            @Entity
            public class RelationshipIdentityTypeViaIdentifierEntity implements Serializable {

                private static final long serialVersionUID = -3619372498444894118L;

                @Id
                @GeneratedValue
                private Long identifier;

                // Name of the relationship property this row holds (for a Grant: "assignee" or "role")
                @RelationshipDescriptor
                private String descriptor;

                // The member's PicketLink identifier as a plain String rather than a JPA reference to
                // IdentityTypeEntity, so the member can live in another store (here: the LDAP user)
                @RelationshipMember
                private String identityTypeIdentifier;

                // The relationship row (from the sample entities) that owns this member row
                @OwnerReference
                @ManyToOne
                private RelationshipTypeEntity owner;

                public Long getIdentifier() { return identifier; }
                public void setIdentifier(Long identifier) { this.identifier = identifier; }
                public String getDescriptor() { return descriptor; }
                public void setDescriptor(String descriptor) { this.descriptor = descriptor; }
                public String getIdentityTypeIdentifier() { return identityTypeIdentifier; }
                public void setIdentityTypeIdentifier(String id) { this.identityTypeIdentifier = id; }
                public RelationshipTypeEntity getOwner() { return owner; }
                public void setOwner(RelationshipTypeEntity owner) { this.owner = owner; }
            }

             

            With this entity in place, my Role grants seem to be working as I would expect.

             

            Craig
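
The following is an added example showing where an entity like Craig's plugs into a PicketLink IDM configuration and how to verify that a Grant written to JPA is honoured for a user that lives in LDAP. It is not code from the thread, the PicketLink quickstarts or the PicketLink project. It assumes the LDAP URL, base DN, bind DN, bind credential, the user "jduke", the role "Manager", the Realm-backed default partition, an EntityManagerFactory provided by the caller, and that RelationshipIdentityTypeViaIdentifierEntity is in the same package; all of these are placeholders, not values from the original posts.

```java
import java.util.List;

import javax.persistence.EntityManager;
import javax.persistence.EntityManagerFactory;

import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.PartitionManager;
import org.picketlink.idm.RelationshipManager;
import org.picketlink.idm.config.IdentityConfiguration;
import org.picketlink.idm.config.IdentityConfigurationBuilder;
import org.picketlink.idm.internal.DefaultPartitionManager;
import org.picketlink.idm.jpa.internal.JPAContextInitializer;
import org.picketlink.idm.jpa.model.sample.simple.AttributeTypeEntity;
import org.picketlink.idm.jpa.model.sample.simple.IdentityTypeEntity;
import org.picketlink.idm.jpa.model.sample.simple.PartitionTypeEntity;
import org.picketlink.idm.jpa.model.sample.simple.RelationshipTypeEntity;
import org.picketlink.idm.jpa.model.sample.simple.RoleTypeEntity;
import org.picketlink.idm.model.Relationship;
import org.picketlink.idm.model.basic.BasicModel;
import org.picketlink.idm.model.basic.Realm;
import org.picketlink.idm.model.basic.Role;
import org.picketlink.idm.model.basic.User;

/** Users and credentials in LDAP, roles and grants in JPA (example, not quickstart code). */
public class LdapUsersJpaRolesExample {

    // Assumed directory settings (placeholders). The bind password is read from the
    // environment rather than hard-coded so it does not end up in source control.
    static final String LDAP_URL = "ldap://ldap.example.com:389";
    static final String BASE_DN = "dc=example,dc=com";
    static final String USER_DN_SUFFIX = "ou=People," + BASE_DN;
    static final String BIND_DN = "cn=picketlink,ou=Services," + BASE_DN;
    static final String BIND_CREDENTIAL = System.getenv("LDAP_BIND_PASSWORD");

    static PartitionManager buildPartitionManager(final EntityManagerFactory emf) {
        IdentityConfigurationBuilder builder = new IdentityConfigurationBuilder();
        builder
            .named("ldap-users-jpa-roles")
                .stores()
                    .ldap()
                        .baseDN(BASE_DN)
                        .bindDN(BIND_DN)
                        .bindCredential(BIND_CREDENTIAL)
                        .url(LDAP_URL)
                        .supportType(User.class)          // only users come from LDAP
                        .supportCredentials(true)         // password validation against LDAP
                        .mapping(User.class)
                            .baseDN(USER_DN_SUFFIX)
                            .objectClasses("inetOrgPerson")
                            .attribute("loginName", "uid", true)
                            .attribute("firstName", "givenName")
                            .attribute("lastName", "sn")
                            .attribute("email", "mail")
                    .jpa()
                        // Sample entities plus the String-keyed member entity from Craig's post
                        // in place of RelationshipIdentityTypeEntity.
                        .mappedEntity(
                            PartitionTypeEntity.class,
                            IdentityTypeEntity.class,
                            RoleTypeEntity.class,
                            AttributeTypeEntity.class,
                            RelationshipTypeEntity.class,
                            RelationshipIdentityTypeViaIdentifierEntity.class)
                        .supportType(Role.class, Realm.class) // roles and the partition live in JPA
                        .supportGlobalRelationship(Relationship.class)
                        .addContextInitializer(new JPAContextInitializer(emf) {
                            @Override
                            public EntityManager getEntityManager() {
                                return emf.createEntityManager(); // assumed: caller manages transactions
                            }
                        });

        List<IdentityConfiguration> configs = builder.buildAll();
        PartitionManager pm = new DefaultPartitionManager(configs);
        // The JPA store holds partitions, so the default realm must exist before managers are created.
        if (pm.getPartition(Realm.class, Realm.DEFAULT_REALM) == null) {
            pm.add(new Realm(Realm.DEFAULT_REALM));
        }
        return pm;
    }

    /** Grants roleName to the LDAP user loginName and returns the result of the authorization check. */
    static boolean grantAndCheck(PartitionManager pm, String loginName, String roleName) {
        IdentityManager identityManager = pm.createIdentityManager();
        RelationshipManager relationshipManager = pm.createRelationshipManager();

        // Resolved from LDAP by uid, which is the "member=uid" case from the question.
        User user = BasicModel.getUser(identityManager, loginName);
        if (user == null) {
            throw new IllegalStateException("no such LDAP user: " + loginName);
        }
        Role role = BasicModel.getRole(identityManager, roleName);
        if (role == null) {
            role = new Role(roleName);
            identityManager.add(role); // stored in JPA
        }

        // Persists one RelationshipTypeEntity row and two member rows keyed by the String ids of
        // user and role, so no JPA foreign key to IdentityTypeEntity is required for the LDAP user.
        BasicModel.grantRole(relationshipManager, user, role);

        return BasicModel.hasRole(relationshipManager, user, role);
    }
}
```

Because the member row now carries a plain String identifier instead of a database relationship, nothing in the schema removes a grant when the LDAP account is deleted or its identifier changes; deprovisioning should revoke the user's grants explicitly (BasicModel.revokeRole) rather than rely on cascading deletes, and authorization code should keep using hasRole rather than reading the grant rows directly.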