Slave is always one group membership change behind the Master for the user LDAP record
If a user is added to a group (or a *_plugin group) through the User Manager then the "memberOf" lines in the user's DN do not get replicated to a slave until another group change is performed. This means that the slave is always one change behind. This gives a problem if publishing LDAP and then validating against it. You can see this at Indorama with the command:

    ldapsearch -H ldaps://10.10.10.96:636 -D cn=manager,ou=Internal,dc=iepc-local,dc=com -x -w 'PLDh/vnH4Cjwdqnp' '(&(objectClass=sambaSamAccount)(uid=testuser1)(memberof=cn=testgrp,ou=Groups,ou=Accounts,dc=iepc-local,dc=com))' dn -LLL

If you repeat the test against the PDC on 10.10.10.3 you often get a different result. When testing locally obviously change all the relevant parameters.
You can also see the issue with the command slapcat -n3 | grep 'dn: cn=testuser1' -A 30 | grep memberOf on both servers.
Note the group synchronises correctly so slapcat -n3 | grep 'dn: cn=testgrp' -A 30 returns the same answer on both Master and Slave.
The same bug is being filed against app-central-management, app-ldap and app-openldap as I am not sure where it lies.
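
An added example, not part of the original report: a shell check that compares one entry's memberOf values between a master and a slave slapcat dump and reports values present on only one side. It rejoins folded LDIF lines, which the grep -A 30 approach can miss. The function names, the file handling and the dc=example,dc=com sample data are constructed for illustration.

```shell
#!/bin/sh
# member_of RDN: read LDIF on stdin, print that entry's memberOf values, sorted.
# Assumption: plain ASCII DNs; base64-encoded ("dn::") values are not decoded.
member_of() {
    awk -v want="$1" '
        function flush() {
            low = tolower(buf)
            if (buf == "") { in_entry = 0 }            # blank line ends the entry
            else if (low ~ /^dn: /) { in_entry = (index(low, "dn: " tolower(want) ",") == 1) }
            else if (in_entry && low ~ /^memberof: /) { print substr(low, 11) }
        }
        /^ / { buf = buf substr($0, 2); next }          # folded LDIF continuation line
             { flush(); buf = $0 }
        END  { flush() }
    ' | LC_ALL=C sort -u
}

# compare_member_of MASTER_LDIF SLAVE_LDIF RDN
# Prints one-sided values; returns 0 when both sides agree, 1 otherwise.
compare_member_of() {
    tmp=$(mktemp -d) || return 2
    member_of "$3" < "$1" > "$tmp/m"
    member_of "$3" < "$2" > "$tmp/s"
    out=$(LC_ALL=C comm -3 "$tmp/m" "$tmp/s" |
          awk '{ if (sub(/^\t/, "")) print "slave-only: " $0; else print "master-only: " $0 }')
    rm -rf "$tmp"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample dumps (not taken from the reported systems).
sample_master() { cat <<'EOF'
dn: cn=testuser1,ou=Users,ou=Accounts,dc=example,dc=com
memberOf: cn=allusers,ou=Groups,ou=Accounts,dc=example,dc=com
memberOf: cn=testgrp,ou=Groups,ou=Acc
 ounts,dc=example,dc=com

dn: cn=testuser2,ou=Users,ou=Accounts,dc=example,dc=com
memberOf: cn=testgrp,ou=Groups,ou=Accounts,dc=example,dc=com
EOF
}
sample_slave() { cat <<'EOF'
dn: cn=testuser1,ou=Users,ou=Accounts,dc=example,dc=com
memberOf: cn=allusers,ou=Groups,ou=Accounts,dc=example,dc=com
EOF
}
d=$(mktemp -d); sample_master > "$d/m.ldif"; sample_slave > "$d/s.ldif"
compare_member_of "$d/m.ldif" "$d/s.ldif" cn=testuser1 || echo "testuser1: slave out of sync"
rm -rf "$d"
```

On real servers, feed it the output of slapcat -n3 saved from each side.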