Foreman not showing updates from Active Directory groups

Foreman 3.7.0
Per Foreman documentation, Foreman should refresh Active Directory group information when a user attempts to login in to the Foreman web UI. We have an Active Directory group which contains Foreman admins. Foreman has a user group linked to this external group. Historic users can login in with expected privileges. If historic users are removed from the Foreman group and as a Foreman user, their user is recreated in Foreman the next time they log in.
We have a new user in the Active Directory group who is unable to log in to Foreman, using the web UI. They are also unable to use hammer commands.
On the system, RHEL8, which also uses AD authentication, the ‘id’ and ‘getent’ commands show the user as a member for the Foreman admin group.
Using ldapsearch, with the base DN and group base DN that Foreman uses, the user is a member of the Foreman admin group.
‘Automatically Create Accounts In Foreman’ is selected in Authentication Sources.
‘Usergroup Sync’ is selected in Authentication Sources.
In the Foreman (local) database, ‘select host, updated_at from auth_sources’ is showing a date which is several days old, even though we have users loggin in as existing and newly re-created users.

foreman-rake ldap:refresh_usergroups
foreman-rake fix_db_cache
have had any effect.
Are there other things I should check? Are there other debugging options?