Per summary, the LDAP AuthN system should use the entryUUID attribute (or objectGUID, if AD) as the key in the stub records. Per https://tools.ietf.org/html/rfc4530 , this would protect against LDAP entries being renamed or moved.
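A sketch of the keying proposed in the comment above, added here as an illustration and not taken from the project's code: stub records are indexed by `entryUUID` (or AD's `objectGUID`) and the DN is kept only as refreshable data, with a DN-keyed table alongside for contrast. `StubStore`, `stable_key`, the `roles` field and the sample entry are hypothetical, constructed for this example.

```python
import uuid


def stable_key(entry):
    """Return an immutable key for an LDAP entry given as a dict of attributes.

    entryUUID (RFC 4530) is a UUID string. AD's objectGUID is 16 raw bytes in
    Microsoft's mixed-endian layout, which uuid.UUID(bytes_le=...) decodes.
    """
    if "entryUUID" in entry:
        return str(uuid.UUID(entry["entryUUID"]))  # normalises case
    if "objectGUID" in entry:
        return str(uuid.UUID(bytes_le=entry["objectGUID"]))
    raise ValueError("entry has neither entryUUID nor objectGUID")


class StubStore:
    """Hypothetical local stub-record table: stable key -> stub record."""

    def __init__(self):
        self.stubs = {}

    def sync(self, entry):
        # Look up (or create) the stub by the immutable identifier.
        stub = self.stubs.setdefault(stable_key(entry), {"roles": set()})
        stub["dn"] = entry["dn"]  # the DN is refreshed data, not identity
        return stub


def demo():
    store = StubStore()
    dn_keyed = {}  # the DN-keyed design, for contrast: DN -> stub record

    # Constructed sample entry.
    before = {"dn": "uid=alice,ou=eng,dc=example,dc=com",
              "entryUUID": "597ae2f6-16a6-1027-98f4-d28b5365dc14"}
    store.sync(before)["roles"].add("admin")
    dn_keyed[before["dn"]] = {"roles": {"admin"}}

    # The entry is moved to another OU: the DN changes, entryUUID does not.
    after = dict(before, dn="uid=alice,ou=ops,dc=example,dc=com")
    uuid_roles = store.sync(after)["roles"]
    dn_roles = dn_keyed.get(after["dn"], {"roles": set()})["roles"]
    return uuid_roles, dn_roles, len(store.stubs)


if __name__ == "__main__":
    print(demo())
```

After the move, the UUID-keyed store still resolves to the single original stub, while the DN-keyed lookup finds nothing and would treat the moved entry as a new user.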
Assigning to Loic
Please assess the impact of this issue and update the severity accordingly. Please refer to https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a reminder on each severity's definition. If it's something like a tracker bug where it doesn't matter, please set the severity to Low.