check Unix membership before LDAP add

lam/lib/modules/posixAccount.inc

@@ -2848,15 +2848,25 @@ class posixAccount extends baseModule implements passwordService {
 		// add users to groups
 		elseif ($temp['counter'] < sizeof($temp['groups'])) {
 			if (isset($temp['dn'][$temp['groups'][$temp['counter']]])) {
-				$success = @ldap_mod_add($_SESSION['ldap']->server(), $temp['dn'][$temp['groups'][$temp['counter']]], array('memberUID' => $temp['members'][$temp['groups'][$temp['counter']]]));
+				$memberUid = $temp['members'][$temp['groups'][$temp['counter']]];
-				$errors = array();
+				$dnToUpdate = $temp['dn'][$temp['groups'][$temp['counter']]];
-				if (!$success) {
+				$groupAttrs = ldapGetDN($dnToUpdate, array('memberUID'));
-					$errors[] = array(
+				if (!empty($groupAttrs['memberuid'])) {
-						"ERROR",
+					// skip members that are already set
-						_("LAM was unable to modify group memberships for group: %s"),
+					$memberUid = array_delete($groupAttrs['memberuid'], $memberUid);
-						getDefaultLDAPErrorString($_SESSION['ldap']->server()),
+				}
-						array($temp['groups'][$temp['counter']])
+				if (!empty($memberUid)) {
-					);
+					$toAdd = array('memberUID' => $memberUid);
+					$success = @ldap_mod_add($_SESSION['ldap']->server(), $dnToUpdate, $toAdd);
+					$errors = array();
+					if (!$success) {
+						$errors[] = array(
+							"ERROR",
+							_("LAM was unable to modify group memberships for group: %s"),
+							getDefaultLDAPErrorString($_SESSION['ldap']->server()),
+							array($temp['groups'][$temp['counter']])
+						);
+					}
 				}
 				$temp['counter']++;
 				return array (