Basic setup using sample2b as base. Create custom roles, following the steps described in the provrole README. Disable implicit sync in the mapping from ManagedUser to LDAP System. Then remove a role from the user (it is not sync'ed yet since enableSync = false). However, after reconciliation, the user is still a member of the corresponding groups assigned to the removed role.
The same sequence is working as expected when adding a role.
The "oldSource" object is always undefined in the "defaultMapping.js" script when performing a reconciliation.