Hello

If a user is already a member of an AD group when the AD LDAP fulfiller
runs, you get this error:
[Command failure: Type: ADD_PERMISSION_TO_USER: [[LDAP: error code 68 -
00000562: UpdErr: DSID-031A1261, problem 6005 (ENTRY_EXISTS), data 0 ]]]

It's an unnecessary error.

The AD LDAP fulfiller should use the LDAP_SERVER_PERMISSIVE_MODIFY_OID
control.

One scenario: the customer has a technical role "BASE" containing AD
groups A, B and C and another technical role "EXTENDED" containing AD
groups A, B, C, D and E.

I request the BASE role and it's approved. The AD fulfiller adds me to
the AD groups A, B and C.

I don't do a collection/publication since it takes a long time so we
only do it at night, so IG doesn't know I have those permissions yet.

I decide that I actually need the EXTENDED role and request it.
It's approved.

The AD fulfiller tries to add me to groups A, B, C, D and E.
A, B and C fail with ENTRY_EXISTS which causes confusion.

Thanks

-alekz
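
An added example, not part of the original post and not the fulfiller's own code: a triage helper that separates the harmless "already a member" failure quoted above from fulfillment failures that still need attention. The function names are hypothetical, every sample line except the first is constructed, and it assumes the failure text reaches the log on a single line.

```python
import re
from collections import Counter

# AD extended-error text as it appears in the failure line quoted in the post.
FAILURE = re.compile(
    r"Type:\s*(?P<op>[A-Z_]+):.*?"
    r"LDAP: error code (?P<ldap>\d+)\s*-\s*(?P<win32>[0-9A-Fa-f]{8}):.*?"
    r"problem (?P<problem>\d+) \((?P<name>[A-Z_]+)\)",
    re.S,
)
LDAP_ENTRY_ALREADY_EXISTS = 68   # LDAP resultCode entryAlreadyExists
ERROR_MEMBER_IN_ALIAS = 0x562    # Win32 1378: account is already a member of the group

def parse_failure(line):
    """Return the decoded fields of a failure line, or None if it does not match."""
    m = FAILURE.search(line)
    if m is None:
        return None
    return {"op": m["op"], "ldap": int(m["ldap"]),
            "win32": int(m["win32"], 16), "name": m["name"]}

def classify(line):
    """Return 'already-member' only for the exact case in the post."""
    f = parse_failure(line)
    if f is None:
        return "unparsed"        # fail closed: an unknown line is never treated as success
    if (f["op"] == "ADD_PERMISSION_TO_USER"
            and f["ldap"] == LDAP_ENTRY_ALREADY_EXISTS
            and f["win32"] == ERROR_MEMBER_IN_ALIAS):
        return "already-member"  # the requested end state already holds
    return "failed"              # e.g. access denied must stay visible

def triage(lines):
    """Count failure lines per class."""
    return Counter(classify(line) for line in lines)

SAMPLES = [
    # From the post, re-joined onto one line:
    "[Command failure: Type: ADD_PERMISSION_TO_USER: [[LDAP: error code 68 - 00000562: UpdErr: DSID-031A1261, problem 6005 (ENTRY_EXISTS), data 0 ]]]",
    # Constructed: insufficient rights on the group, a real failure
    "[Command failure: Type: ADD_PERMISSION_TO_USER: [[LDAP: error code 50 - 00002098: SecErr: DSID-00000000, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ]]]",
    # Constructed: same LDAP code, different Win32 code, so not the member case
    "[Command failure: Type: ADD_PERMISSION_TO_USER: [[LDAP: error code 68 - 00000524: UpdErr: DSID-00000000, problem 6005 (ENTRY_EXISTS), data 0 ]]]",
    # Constructed: no LDAP detail at all
    "[Command failure: Type: ADD_PERMISSION_TO_USER: [[connection reset]]]",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample), "<-", sample[:72])
```

Matching on the operation type, the LDAP result code and the Win32 code together keeps an access-denied or unrelated ENTRY_EXISTS failure from being waved through as benign.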