Background:
Groups (not all of them) have two added attributes: SSAppID (Class
SSGroup with attribute SSAppID)
The value of SSAppID is a Single Valued String

Users have an added attribute: SSAppList (Class SSUser with attribute
SSAppList)
The value of SSAppList is a Multi-valued String.

When a user is added to a group with a value for attribute SSAppID, the
value of the SSAppID attribute is written to the User's SSAppList attribute.

The extended attributes for users and groups only reside in eDir, while
the groups and users are synchronized in both AD and eDir.

My Challenge:

I need help writing the code that will allow me to watch for a modified
user or a modified group. I need to keep the SSAppID and SSAppList in
sync when the user or group arrive in edir.

Going AD to eDir, when a Group in AD is modified with 4 new members, you
get this returned from the publisher's event transformation policy:

<nds dtdversion="2.2">
<source>
<product version="3.5.10.20070918 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="Group" event-id="0"
src-dn="CN=GRP1,CN=Users,DC=thewhiteshouse,DC=net">
<association>a4340854443ec64aa66ff4c311e855f7</association>
<modify-attr attr-name="Member">
<remove-all-values/>
<add-value>
<value naming="false" type="dn">\ASH\Whites\Users\jjacob</value>
<value naming="false" type="dn">\ASH\Whites\Users\nicole</value>
<value naming="false" type="dn">\ASH\Whites\Users\megan</value>
<value naming="false" type="dn">\ASH\Whites\Users\lauren</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>

On the other side, I modified a user and place that user into two groups
(GRP2 and GRP3) simultaneously. AD looks to handle that separately:
(from the publisher's event transformation) (only showing GRP3 since
GRP2 was identical).

<nds dtdversion="2.2">
<source>
<product version="3.5.10.20070918 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="Group" event-id="0"
src-dn="CN=GRP3,CN=Users,DC=thewhiteshouse,DC=net">
<association>cc9d3f00acd99e4c89e24ba6ef40c2e5</association>
<modify-attr attr-name="Member">
<remove-all-values/>
<add-value>
<value naming="false" type="dn">\ASH\Whites\Users\jjacob</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>


Psuedo code for what I need:

If the class is group and modified and the member(s) changing,
If the group has an SSAppID attribute with a value,
Update each of the members SSAppList
with the value from SSAppID

It looks like the same code would apply in these two cases:
1. Modify a group in AD by adding multiple users.
2. Modify a user in AD when assigning to multiple groups.