https://bugster.forgerock.org/jira/browse/OPENIDM-10984 revealed that the sync-with-ldap-bidirectional sample, when combined with users created with roles that carry assignments/attributes, will not scale. The latency of the implicit sync operations associated with user creation increased exponentially; the latency was traced to the manipulation of LDAP static group membership.
A sample should be created that models group membership via dynamic groups. Static LDAP groups model membership by aggregating the list of members in the group entry, so the latency of manipulating such a group increases proportionally to group size. Use cases which assign multiple relationships and sync those relationships to LDAP via assignments will not scale once the groups grow beyond a few thousand members.
Dynamic groups aggregate membership via an attribute search (much like a conditional role). They do not appear to grant an attribute to group members; rather, membership is determined by the presence on the user entry of the attribute named in the dynamic group's search URL. It appears to be common practice to model larger, frequently modified groups as dynamic groups, a performance profile which may be more appropriate for a sync sample that supports the creation of managed users with roles/assignments. Such a sample would be the recommended one for syncing managed users with roles and assignments/attributes.
The improvement specified in this JIRA would involve researching DS dynamic groups, creating the LDIF and provisioner state necessary to support group membership driven by user attribute state, and confirming that these dynamic groups do indeed scale.
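To illustrate the membership model the ticket describes, the following LDIF (an added example, not part of the ticket or of the OpenIDM samples) defines a DS dynamic group whose members are selected by a filter, alongside one user entry that satisfies it; the base DN dc=example,dc=com and the use of departmentNumber as the membership criterion are assumptions for this example.

```ldif
# Dynamic group: DS computes membership by evaluating the memberURL filter,
# so creating or modifying a user never touches the group entry itself.
# (Assumed base DN and attribute; not from the ticket.)
dn: cn=Engineering,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfURLs
cn: Engineering
memberURL: ldap:///ou=People,dc=example,dc=com??sub?(departmentNumber=eng)

# A user whose entry matches the filter is a member. Granting or revoking the
# attribute (for example via an assignment's attribute operation) is a
# single-entry modify whose cost does not depend on the size of the group.
dn: uid=bjensen,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: bjensen
cn: Barbara Jensen
sn: Jensen
departmentNumber: eng
```

After importing both entries, the computed membership can be verified by reading the user entry with the isMemberOf virtual attribute requested; removing departmentNumber from the user drops the group from that result without any write to the group entry.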