In CQ 5.3, when ldap authentication is enabled and a CQ5 user's group membership is removed by an administrator then if the membership was acquired via the jaas configuration's
autocreate.user.membership setting then the membership to this group will be re-added on the user"s next login. In 5.2.1 the group membership was not re-added on subsequent logins.
To explain this more clearly, here is a scenario to demonstrate:
autocreate.user.membership="site-users" in the jaas configuration, the site-users group already exists in CQ5 and has ACLs set for editing all pages.
This functionality was intentionally changed in CQ5.3. For further information, please see the documentation here.
CQ 5.2.x to 5.3 Upgrade