Change Username (typically via OIM APIs) doesn't update group memberships. When we change username, the cn of the user changes. Since the dn comprises of cn and the dc, the referenced group memberships are orphaned.
This is because, by default, "Referential Integrity" is turned OFF in OID and OIM.
Please see table in link for scenarios when this property is not consistent in OIM and OID.
- Turn on Referential Integrity Check in OID :
cn=dsaconfig,cn=configsets,cn=oracle internet directory [Default value is 0]
In OIM, modify System property :XL.IsReferentialIntegrityEnabled to TRUE
The above will make sure change username is seamless and doesn't cause any data corruption issues. Obviously, we need to have LDAP Sync turned on between OIM and OID to make sure that this works as expected.