This can be a little confusing to explain. I will try to be clear.

I have two user groups linked to Active Directory via LDAP.

A user is a member of both groups in AD. One of the groups is set as his "Primary group" in AD.

Foreman associates this user only with the group which is NOT his primary group. If I switch which group is primary and refresh the group membership, Foreman associates the user only with the non-primary group again.

I discovered and tested this with a real user, and retested with a test account. I have several examples of real users with multiple group membership which behave as expected, but whenever an account's primary group is associated with a Foreman group, Foreman does not associate the user with that group.