The automember plug-in currently checks ADD operations to see if the entry matches one of the defined automember rules. Existing entries are not checked when they are modified to avoid a performance impact to modify operations. We should provide a way to have the automember plug-in check existing entries to see if any automember work needs to be done. This is something that the FreeIPA project would like to see.

A good way of accomplishing this would be to add a task to the automember plug-in. The creator of the task would provide a search filter and base. All matching entries would be checked against the defined automember rules to see if they should be added to any groups.

This allows one to add the triggering attributes/values after the entry was initially added, and then trigger the task to perform automember updates. The nice thing about this approach is that we don't cause any negative performance impact on normal modify operations.
Upstream ticket: https://fedorahosted.org/389/ticket/20
This was fixed in 389-ds-base-1.2.11.1-1.fc17. Closing.
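
A simplified model of the task proposed in the description above, added here as an example and not code from 389-ds-base: existing entries selected by a base and filter are re-checked against an automember rule, and only missing memberships are added. The rule layout, the entries, the DNs and the single attr=value filter form are constructed assumptions.

```python
import re

# Constructed rule shaped after an automember definition (scope, filter, default group, regex targets).
RULE = {
    "scope": "ou=people,dc=example,dc=com",
    "filter": ("objectclass", "posixaccount"),
    "default_group": "cn=general,ou=groups,dc=example,dc=com",
    "targets": [{"group": "cn=admins,ou=groups,dc=example,dc=com",
                 "include": [("title", r"^sysadmin$")],
                 "exclude": [("employeetype", r"^contractor$")]}],
}

def selected(entry, base, flt):
    """True if the entry is at or under base and carries attr=value (simplified filter)."""
    dn, base, (attr, value) = entry["dn"].lower(), base.lower(), flt
    return (dn == base or dn.endswith("," + base)) and value in entry.get(attr, [])

def has(entry, attr, pattern):
    return any(re.search(pattern, v, re.I) for v in entry.get(attr, []))

def groups_for(entry, rule):
    """Groups one rule assigns to an entry; an exclusive match beats an inclusive one."""
    if not selected(entry, rule["scope"], rule["filter"]):
        return []
    hits = [t["group"] for t in rule["targets"]
            if not any(has(entry, a, p) for a, p in t["exclude"])
            and any(has(entry, a, p) for a, p in t["include"])]
    return hits or [rule["default_group"]]

def rebuild_task(entries, base, task_filter, rules, members):
    """Re-check existing entries matching base and filter; add missing memberships only."""
    added = []
    for e in (e for e in entries if selected(e, base, task_filter)):
        for rule in rules:
            for group in groups_for(e, rule):
                if e["dn"] not in members.setdefault(group, set()):
                    members[group].add(e["dn"])
                    added.append((group, e["dn"]))
    return added

def demo():
    # alice gained title=sysadmin in a later MODIFY, which the plug-in does not check.
    alice = {"dn": "uid=alice,ou=people,dc=example,dc=com",
             "objectclass": ["posixaccount"], "title": ["sysadmin"]}
    bob = {"dn": "uid=bob,ou=people,dc=example,dc=com", "objectclass": ["posixaccount"],
           "title": ["sysadmin"], "employeetype": ["contractor"]}
    members = {RULE["default_group"]: {alice["dn"]}}  # state left by the original ADD
    added = rebuild_task([alice, bob], "dc=example,dc=com", RULE["filter"], [RULE], members)
    return added, members
```

In the sample run alice is added to the admins group but stays in the default group, because the task as described only adds memberships; any cleanup of earlier assignments has to be reviewed separately.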