There may be a better way, but we are looking at using the loopback
driver to ensure a large environment of 25,000+ users is synchronized
correctly according to group memberships.

My plan at the moment is along the following lines:

For each user:
    Gather a list of all groups assigned to the user.
    For each 'Group Membership' attr on the user:
        Set the 'Security Equals' to that group.
        For the Group:
            Set the 'Member' attr to the user
            Set the 'Equal To Me' to the user

I know there are tools out there to manually fix users and groups.
We've looked at a Perl script that will accomplish this. I need
something that is more automated for my customer. This is where I am
currently.

<rule>
  <description>Fix User Group Membership</description>
  <comment xml:space="preserve">Fix User Group Membership</comment>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
      <if-op-attr name="Group Membership" op="available"/>
    </and>
  </conditions>
  <actions>
    <do-for-each>
      <arg-node-set>
        <token-attr name="Group Membership"/>
      </arg-node-set>
      <arg-actions>
        <do-set-src-attr-value name="Security Equals">
          <arg-value>
            <token-parse-dn>
              <token-src-attr name="Group Membership"/>
            </token-parse-dn>
          </arg-value>
        </do-set-src-attr-value>
        <do-for-each>
          <arg-node-set>
            <token-parse-dn>
              <token-src-attr name="Group Membership"/>
            </token-parse-dn>
          </arg-node-set>
          <arg-actions>
            <do-set-src-attr-value name="Member">
              <arg-value>
                <token-parse-dn>
                  <token-src-attr name="User"/>
                </token-parse-dn>
              </arg-value>
            </do-set-src-attr-value>
            <do-set-src-attr-value name="Equivalent To Me">
              <arg-value>
                <token-parse-dn>
                  <token-src-attr name="User"/>
                </token-parse-dn>
              </arg-value>
            </do-set-src-attr-value>
          </arg-actions>
        </do-for-each>
      </arg-actions>
    </do-for-each>
  </actions>
</rule>
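
An added example, not part of the original post: an offline audit of the four linked attributes the plan touches (Group Membership and Security Equals on the user, Member and Equivalent To Me on the group). It reports the links the plan would add and also flags links that exist without a matching Group Membership value, which grant rights the membership list does not show. The snapshot, the DNs and the audit() helper are constructed for illustration, and DNs are assumed to be already normalised to one case and format.

```python
# Constructed sample snapshot (not from a real tree): DN -> attribute -> set of DNs.
# Assumption: DNs are already normalised to one case and format.
HR, VPN, ADMINS = "cn=hr,o=acme", "cn=vpn,o=acme", "cn=admins,o=acme"
ALICE, BOB = "cn=alice,o=acme", "cn=bob,o=acme"
USERS = {
    ALICE: {"Group Membership": {HR, VPN}, "Security Equals": {HR, ADMINS}},
    BOB: {"Group Membership": {HR}, "Security Equals": {HR}},
}
GROUPS = {
    HR: {"Member": {ALICE, BOB}, "Equivalent To Me": {ALICE}},
    VPN: {"Member": set(), "Equivalent To Me": set()},
    ADMINS: {"Member": set(), "Equivalent To Me": {ALICE}},
}
GROUP_SIDE = ("Member", "Equivalent To Me")


def audit(users, groups):
    """Return sorted (action, object_dn, attribute, value_dn) tuples.

    'add' is a link the plan would write; 'review' is a link that exists
    without a matching Group Membership value, which the plan never touches.
    """
    findings = []
    for user, attrs in users.items():
        member_of = attrs.get("Group Membership", set())
        sec_eq = attrs.get("Security Equals", set())
        for group in member_of - sec_eq:
            findings.append(("add", user, "Security Equals", group))
        # Security Equals can name non-group objects; only flag known groups.
        for group in (sec_eq - member_of) & groups.keys():
            findings.append(("review", user, "Security Equals", group))
        for group in member_of:
            if group not in groups:  # dangling reference to a missing group
                findings.append(("review", user, "Group Membership", group))
                continue
            for attr in GROUP_SIDE:
                if user not in groups[group].get(attr, set()):
                    findings.append(("add", group, attr, user))
    for group, attrs in groups.items():
        for attr in GROUP_SIDE:
            for user in attrs.get(attr, set()):
                if group not in users.get(user, {}).get("Group Membership", set()):
                    findings.append(("review", group, attr, user))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(USERS, GROUPS):
        print(*finding, sep=" | ")
```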