OpenLDAP POSIX schema group membership sync ignores user filter, causing persistent "Could Not Add Users" warnings


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Low
    • Affects Version/s: 6.0.4
    • Component/s: Directory - LDAP
    • Severity 3 - Minor

      Issue Summary

      When OpenLDAP is used with the POSIX schema (posixGroup/memberUid) and multiple directories with different user filters sync from the same LDAP source, group membership synchronization logs harmless warnings:

      "Could not add the following missing users to group '<groupname>': [<username>]"
      

      Steps to Reproduce

      1. Set up OpenLDAP with POSIX groups (objectClass: posixGroup) containing memberUid attributes.
      2. Create Directory A in Embedded Crowd using OpenLDAP (Read-Only Posix Schema) with user filter: (employeeType=engineering).
      3. Create Directory B in Embedded Crowd using OpenLDAP (Read-Only Posix Schema) with user filter: (employeeType=sales).
      4. Both directories point to the same LDAP source.
      5. Create a POSIX group qa_team in LDAP with memberUid entries for users from both departments (e.g., memberUid: moga, memberUid: vena).
      6. User moga has employeeType=engineering, user vena has employeeType=sales.
      7. Synchronize Directory A - succeeds.
      8. Synchronize Directory B - fails to add cross-department users.

      Expected Results

      1. Directory A syncs: users matching filter, groups with appropriate members.
      2. Directory B syncs: users matching filter, groups with appropriate members.
      3. No warnings in logs.
      4. OR: If memberUid references users outside the filter, they are silently skipped.

      Actual Results

      1. Directory B sync logs warning: "Could not add the following missing users to group 'qa_team': [moga]".
      2. The warning repeats on every subsequent sync.

      The following warning is written to the atlassian-bitbucket.log file:

      WARN [...] c.a.c.d.DbCachingRemoteChangeOperations Could not add the following missing users to group 'qa_team': [moga]
      

      Root Cause

      The OpenLDAP POSIX schema implementation retrieves memberUid values directly from LDAP without applying the directory's user filter. Users, however, are only synced into the directory cache if they match that filter. This creates a mismatch:

      1. LDAP group contains memberUid: [moga, vena] (unfiltered).
      2. The POSIX schema implementation reads these memberUid values without applying the filter: [moga, vena].
      3. Directory B user sync only caches users matching filter: [vena] (moga excluded).
      4. Sync attempts to add [moga, vena] to Directory B's group.
      5. vena succeeds, moga fails (doesn't exist in Directory B's cache).
      6. Warning is logged.
      7. On next sync, situation repeats forever.

      This differs from the standard OpenLDAP implementation (groupOfUniqueNames), which applies the user filter when retrieving members.
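      The mismatch described above, modelled as an added example (not Atlassian's code): a small in-memory model of the two sync steps, with constructed LDAP entries for the users and group from the report. The unfiltered path reproduces the warning for Directory B; the filtered path (the behaviour groupOfUniqueNames already has) skips out-of-filter memberUid values silently. Only simple equality filters like (employeeType=sales) are supported, which is an assumption of this model.

```python
import re

# Constructed sample LDAP data (not taken from a real directory): two users in
# different departments and one posixGroup listing both of them via memberUid.
LDAP_USERS = {
    "moga": {"uid": "moga", "employeeType": "engineering"},
    "vena": {"uid": "vena", "employeeType": "sales"},
}
LDAP_GROUPS = {
    "qa_team": {"objectClass": "posixGroup", "memberUid": ["moga", "vena"]},
}

# Assumption: only single equality filters of the form (attr=value) are modelled.
_EQ_FILTER = re.compile(r"^\(([A-Za-z][\w-]*)=([^()*]+)\)$")


def matches(entry, user_filter):
    """Evaluate a simple LDAP equality filter against one entry."""
    m = _EQ_FILTER.match(user_filter)
    if not m:
        raise ValueError(f"unsupported filter (equality only): {user_filter}")
    attr, value = m.groups()
    return entry.get(attr) == value


def cached_users(user_filter):
    """User sync step: only entries matching the directory's user filter are cached."""
    return {uid for uid, entry in LDAP_USERS.items() if matches(entry, user_filter)}


def sync_posix_group(group_name, user_filter, apply_filter_to_members):
    """Group membership sync step. Returns (members added, warnings logged)."""
    member_uids = list(LDAP_GROUPS[group_name]["memberUid"])
    if apply_filter_to_members:
        # Expected behaviour: drop memberUid values whose user entry is outside
        # the directory's filter, so they are never looked up in the cache.
        member_uids = [u for u in member_uids
                       if u in LDAP_USERS and matches(LDAP_USERS[u], user_filter)]
    cache = cached_users(user_filter)
    added = sorted(u for u in member_uids if u in cache)
    missing = sorted(u for u in member_uids if u not in cache)
    warnings = []
    if missing:  # this is the line that repeats on every sync in the report
        warnings.append("Could not add the following missing users to group "
                        f"'{group_name}': [{', '.join(missing)}]")
    return added, warnings


if __name__ == "__main__":
    print("unfiltered:", sync_posix_group("qa_team", "(employeeType=sales)", False))
    print("filtered:  ", sync_posix_group("qa_team", "(employeeType=sales)", True))
```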

      Impact

      Important: This issue does not break any functionality. The warning messages appear in the logs on every sync, but:

      • Users are still synced correctly into their respective directories
      • Group memberships work correctly for users that match the directory's filter
      • No data corruption or sync failures occur
      • The warnings can be safely ignored: they are cosmetic and indicate that the sync attempted to add users that don't exist in that directory's cache (by design, due to the user filter). This is confusing but harmless.

      Workaround

      • Option 1: Use only one directory per LDAP source (eliminates filter boundaries).
      • Option 2: Use the standard OpenLDAP schema (groupOfUniqueNames with uniqueMember) instead of the POSIX schema; this requires LDAP schema changes.

              Assignee: Unassigned
              Reporter: Moga
              Votes: 0
              Watchers: 4