>If I create a user in the Gluu interface, shouldn't the cache refresh then sync that user to the backend ldap server when it runs?
I'm almost sure it won't, if it will find out that user with the same `uid` already exists, it should throw some kind of exception, either to its own log, or mb to `wrapper.log`, and fail to update it. What CR does normally should exclude any local user entries' handling. It's possible still to both have users in some backend directory and in the internal directory, and authenticate to both, if advaned custom auth scripts are employed, but that's a bit.. unusual approach to it. And of course you'll still need to ensure they have different `uid`'s.
>I have not been seeing it work that way. But, if I create a user in the backend ldap using the ldapadd command from the terminal I do see that user show up in the Gluu interface.
That's how it's expected to work. Usually, if backend directory(s) is involved, organizations start to use it both for user storage and authentication. Those entries CR creates internally are still needed to cache/aggregate attributes in one place. They don't even have passwords on them.