Bug
Resolution: Done
Major
RH-SSO-7.0.0.GA, RH-SSO-7.1.0.GA
With LDAP user federation handling users and groups, adding a user to a newly created group causes the group mapper to perform a full sync of groups to LDAP. During a full group sync, the entirety of every group entry in LDAP gets rewritten even if none of that entry's attributes have changed. This is problematic in our environment for a few reasons:
- We have 10,000+ groups; the RESTful call to add a user to a new group can take full minutes to return
- RESTful calls to other nodes in the meantime may incur an Infinispan replication timeout, and we cannot prevent request delivery to faulting nodes due to case 01721387
- Rewriting unchanged LDAP entries places an unnecessary load on LDAP multi-master replication
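
The following is an added sketch, not Keycloak or RH-SSO code and not part of the original report, of a change-aware group sync that writes only entries whose attributes actually differ. The function names, DNs and sample data are constructed, and DNs are assumed to be already normalized.

```python
# Added illustration; not RH-SSO/Keycloak code. All names and data are constructed.

def normalize(attrs):
    """Lower-case attribute names and compare values as unordered sets, so
    name case or member ordering alone never counts as a change."""
    return {name.lower(): frozenset(vals) for name, vals in attrs.items() if vals}

def plan_group_sync(desired, current):
    """Return the minimal LDAP write operations that make `current`
    (DN -> attributes read from LDAP) match `desired` (DN -> attributes
    held by the identity provider). Unchanged entries yield no operation."""
    ops = []
    for dn, attrs in desired.items():
        want = normalize(attrs)
        if dn not in current:
            ops.append(("add", dn, {k: sorted(v) for k, v in want.items()}))
            continue
        have = normalize(current[dn])
        mods = {}
        for name in sorted(want.keys() | have.keys()):
            if want.get(name, frozenset()) != have.get(name, frozenset()):
                # An empty list means "remove this attribute".
                mods[name] = sorted(want.get(name, frozenset()))
        if mods:
            ops.append(("modify", dn, mods))
    return ops

# Constructed sample directory state.
BASE = "ou=groups,dc=example,dc=org"
U = "ou=people,dc=example,dc=org"
CURRENT = {
    f"cn=admins,{BASE}": {"cn": ["admins"],
                          "member": [f"uid=alice,{U}", f"uid=bob,{U}"]},
    f"cn=devs,{BASE}": {"CN": ["devs"], "member": [f"uid=bob,{U}"]},
}
DESIRED = {
    # Same members in a different order: must not be rewritten.
    f"cn=admins,{BASE}": {"cn": ["admins"],
                          "member": [f"uid=bob,{U}", f"uid=alice,{U}"]},
    # One member added: only the member attribute is modified.
    f"cn=devs,{BASE}": {"cn": ["devs"],
                        "member": [f"uid=bob,{U}", f"uid=carol,{U}"]},
    # Newly created group: a single add.
    f"cn=qa,{BASE}": {"cn": ["qa"], "member": [f"uid=carol,{U}"]},
}

if __name__ == "__main__":
    for op in plan_group_sync(DESIRED, CURRENT):
        print(op)
```

With this comparison in place, the number of LDAP writes scales with the number of changed groups rather than the total group count, which also keeps unchanged entries out of multi-master replication traffic.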