Hey Michael,
I just took a read through 6.0.3 admin guide on Dynamic member attribute and found (page 2-35):
In the Fetch group information from LDAP group object area, specify the attributes in the appropriate box.
• The Static members attribute relates to objects with multi-valued membership attributes such as the attribute that contains the list of the user’s DNs, for example, groupofNames, groupofUniqueNames.
• The Dynamic members attribute determines membership by executing an LDAP URL, for example, groupOfURLs, or an LDAP query that specifies criteria for a group’s membership.
Note: There is no group object, as such. That is, the LDAP URL exists only in the application that is using it.
To be honest i'm not a real LDAP guru but hopefully that helps.
So are you using LDAP for authentication or Group Mapping? Are you on 6.0.2 or 6.0.3? If so are you doing Resource Group mapping in each individual Master Group or globally? There may be a lot of value for you in separating up your Resource Group mappings on a per-Master Group basis. Perhaps this may save you having to maintain an LDAP database from hell ;-)
Kind Regards,
Mal