The reason for that cache is that some LDAP servers cannot keep up with tons of authentications a second, so constantly doing a lookup for group membership can slow down regular authentications. When it does an authentication, it will cache the group memberships for X seconds, which prevents another group lookup. It will check the authentication for the password every time, however. If you are doing testing and changing AD group memberships, you can click on clear cache to test if the user is getting the correct LDAP group membership.
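The behaviour described above, modelled as an added example (not the product's own code): the password is verified on every attempt, group membership is reused until its TTL expires, and clearing the cache forces a fresh lookup. FakeDirectory, Authenticator, the 60-second TTL and the sample user and groups are all constructed for illustration.

```python
import time

class FakeDirectory:
    """Constructed stand-in for the LDAP/AD server; counts group lookups."""
    def __init__(self):
        self.passwords = {"alice": "s3cret"}          # constructed sample data
        self.groups = {"alice": {"vpn-users"}}
        self.group_lookups = 0

    def bind(self, user, password):
        return self.passwords.get(user) == password

    def member_of(self, user):
        self.group_lookups += 1
        return set(self.groups.get(user, ()))


class Authenticator:
    def __init__(self, directory, ttl_seconds, clock=time.monotonic):
        self.directory, self.ttl, self.clock = directory, ttl_seconds, clock
        self._cache = {}                               # user -> (expiry, groups)

    def clear_cache(self):
        self._cache.clear()

    def authenticate(self, user, password):
        # The password is verified against the directory on every attempt.
        if not self.directory.bind(user, password):
            return None
        entry = self._cache.get(user)
        if entry is None or entry[0] <= self.clock():
            # Cache miss or expired entry: one group lookup, then cache it.
            entry = (self.clock() + self.ttl, self.directory.member_of(user))
            self._cache[user] = entry
        return entry[1]


def demo():
    now = [0.0]                                        # fake clock, deterministic run
    d = FakeDirectory()
    auth = Authenticator(d, ttl_seconds=60, clock=lambda: now[0])
    first = auth.authenticate("alice", "s3cret")      # triggers a group lookup
    d.groups["alice"] = {"vpn-users", "admins"}       # membership changed in AD
    now[0] = 30
    stale = auth.authenticate("alice", "s3cret")      # still the cached groups
    bad = auth.authenticate("alice", "wrong")         # password is never cached
    auth.clear_cache()
    fresh = auth.authenticate("alice", "s3cret")      # new lookup after clear
    return first, stale, bad, fresh, d.group_lookups
```

The same staleness applies when a user is removed from a group: the old membership stays in effect until the entry expires or the cache is cleared.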