When assigning a role to a user or deleting it in the admin UI, this should trigger an LDAP modify request with a single add or delete operation for the user's DN only.
However, the current implementation in LDAPUtils.addMember(..) and LDAPUtils.deleteMember(..) triggers a replace operation on the member attribute that replaces the whole group memberships.
Apart from being highly dangerous, the replace operation fails on groups that contain more users than the maximum page size on our LDAP server.
Interestingly, if a group exceeds the maximum page size, the modify request contains two replace operations: One for the page_size-1 users, and a second one for the user to be added.
This request fails on my test role, but we had situations that role memberships suddenly disappeared on our LDAP server. I'm not sure if this was the reason, but I can imagine that the second replace might have replaced all the other memberships.