MongoDB is not tied in with LDAP synchronously - it caches the LDAP group information for a user (with LDAP group names as the MongoDB role grants).
In the current merged code the groups/roles of a user will be fetched and used at the first check, and if the groups are updated in LDAP there won't be a change in the roles the user has in their MongoDB connections. The workaround at the moment would be to also run the invalidateUserCache command, which is not commonly known and is also extra work.
Let's implement the ldapUserCacheInvalidationInterval parameter plus add a background thread that periodically checks the groups of authenticated users, and if the groups/roles have changed then update the roles.
TBD: whether updating the roles will automatically invalidate the user's set of action privileges. I think it does. But if not, then the background thread should do that as well after changing the roles.
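A sketch of one pass of the periodic check proposed above, as an added example and not code from the MongoDB source tree. `LdapUserCache`, `CachedUser`, `LdapLookup`, `refreshOnce` and `sampleDirectory` are hypothetical names; only `ldapUserCacheInvalidationInterval` comes from this ticket, and keeping the cached roles when the LDAP lookup fails is an assumption.

```cpp
#include <functional>
#include <map>
#include <set>
#include <string>
#include <vector>

// Hypothetical model of the cached per-user state; not MongoDB's own types.
typedef std::set<std::string> Roles;
struct CachedUser {
    Roles roles;           // LDAP group names used as role grants
    bool privilegesValid;  // derived action privileges may still be used
};

// Fills `out` with the user's current LDAP groups; returns false if the
// directory could not be queried.
typedef std::function<bool(const std::string&, Roles&)> LdapLookup;

class LdapUserCache {
public:
    void login(const std::string& user, const Roles& groups) {
        CachedUser entry = {groups, true};
        cache_[user] = entry;
    }
    const CachedUser& get(const std::string& user) const { return cache_.at(user); }

    // One pass of the periodic check. A background thread would call this once
    // per ldapUserCacheInvalidationInterval. Returns the users whose roles changed.
    std::vector<std::string> refreshOnce(const LdapLookup& lookup) {
        std::vector<std::string> changed;
        for (auto& kv : cache_) {
            Roles current;
            if (!lookup(kv.first, current)) continue;   // assumption: keep cached roles on lookup failure
            if (current == kv.second.roles) continue;   // groups unchanged, nothing to do
            kv.second.roles = current;                  // adopt the groups LDAP reports now
            kv.second.privilegesValid = false;          // force privileges to be rebuilt from new roles
            changed.push_back(kv.first);
        }
        return changed;
    }

private:
    std::map<std::string, CachedUser> cache_;
};

// Constructed sample directory: alice and bob are in "readers" only; any other lookup fails.
bool sampleDirectory(const std::string& user, Roles& out) {
    if (user == "alice" || user == "bob") { out.insert("readers"); return true; }
    return false;
}
```

Keeping the cached roles on a failed lookup avoids locking users out during an LDAP outage, but it also means a revoked group stays effective until the directory is reachable again.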