I'm trying to convert three relational databases into LDAP, which is where some of the fun comes from. (especially since one is a Win3.11 app that I have to manually export)

The actions do depend on the entity, but it gets more complex than that, as someone can either be from multiple sources, or from multiple pulls in the same source.

I'm doing my best to do the third point. The previous scripts tried to do everything, so the student sync script would sometimes mung an account that was both a student and a faculty member. The scripts that hit the databases just generate the account if it is missing and put down flags saying which stored procedure it is found in.
There is a list of permissions granted by each stored procedure (login, email, etc). The script that I am working on now goes through each ldap user and builds a set of what actual permissions they are granted, and then makes sure that they have them (and no others). Some of them (such as an email address and application specific things) shouldn't be recreated each time.