I have a use case where "application roles" assigned to users in LDAP correspond to CQ5 groups and, when a user first logs in to CQ5, the user sync event results in them being assigned to all the correct CQ5 groups. However, a user's LDAP record can be updated to add or remove these "application roles" at any time, and we need a way to detect when this happens so we can re-sync the user account.
Is it possible to (1) detect any change in a user's LDAP profile and (2) force a re-sync such that any changes to group membership (adding or removing) will be reflected - as though the user account were deleted and synced fresh?