Minor Description
Given the test setup :
groupA
members: subjectA
groupB
members: subjectA
Ldappc will provision subjectA as :
cn=subjectA
isMemberOf : groupA
isMemberOf : groupB
Then delete groupA, and run ldappc -memberships, which will not change the provisioning of subjectA !
This is because, as Arnaud points out, the subject dn's membership is not removed since the subject is a member of another group. GrouperProvisioner.buildSourceSubjectDnSet slurps all subjects which are members via the filter "(&(uid=)(|(isMemberOf=)(objectClass=eduMember))", which in the case above includes subjectA. Then, when iterating over the groups to be provisioned, subjectA is removed from the memberships to be deleted since they are a member of another group !
buildSourceSubjectDnSet(existingSubjectDns, existingObjectDns);
for (Group group : groups) {
for(Member member : (Set<Member) group.getMembers()) {
...
existingSubjectDns.remove(subjectDn);
try {
clearSubjectEntryMemberships(existingSubjectDns);