diff --git a/pkg/ccl/testccl/authccl/testdata/ldap b/pkg/ccl/testccl/authccl/testdata/ldap
index 8ed9d1df12cf..1f5537dbe07e 100644
--- a/pkg/ccl/testccl/authccl/testdata/ldap
+++ b/pkg/ccl/testccl/authccl/testdata/ldap
@@ -352,7 +352,7 @@ CREATE ROLE "ldap-parent-synced";
 ----
 ok
-ldap_mock set_groups=(ldap_user,cn=ldap-parent-synced,cn=ldap-parent-unsynced)
+ldap_mock set_groups=(ldap_user,cn=ldap-parent-unsynced,cn=ldap-parent-synced)
 ----
 connect user=ldap_user password="ldap_pwd"
diff --git a/pkg/sql/authorization.go b/pkg/sql/authorization.go
index c12be52b389c..daea0309f22e 100644
--- a/pkg/sql/authorization.go
+++ b/pkg/sql/authorization.go
@@ -739,11 +739,13 @@ func EnsureUserOnlyBelongsToRoles(
 if len(rolesToRevoke) > 0 {
 revokeStmt := strings.Builder{}
 revokeStmt.WriteString("REVOKE ")
- for i, role := range rolesToRevoke {
- if i > 0 {
+ addComma := false
+ for _, role := range rolesToRevoke {
+ if addComma {
 revokeStmt.WriteString(", ")
 }
 revokeStmt.WriteString(role.SQLIdentifier())
+ addComma = true
 }
 revokeStmt.WriteString(" FROM ")
 revokeStmt.WriteString(user.SQLIdentifier())
@@ -757,12 +759,14 @@ func EnsureUserOnlyBelongsToRoles(
 if len(rolesToGrant) > 0 {
 grantStmt := strings.Builder{}
 grantStmt.WriteString("GRANT ")
- for i, role := range rolesToGrant {
+ addComma := false
+ for _, role := range rolesToGrant {
 if roleExists, _ := RoleExists(ctx, txn, role); roleExists {
- if i > 0 {
+ if addComma {
 grantStmt.WriteString(", ")
 }
 grantStmt.WriteString(role.SQLIdentifier())
+ addComma = true
 }
 }
 grantStmt.WriteString(" TO ")
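Review bot: The grant loop can still build a statement with no role names, because `len(rolesToGrant) > 0` is checked before the `RoleExists` filter; if every listed role is missing, the builder holds `GRANT  TO ` when the hunk ends. What happens to that string is outside the hunk, but if it is executed the role sync for that user would presumably fail on a syntax error instead of being a no-op. The same loop discards the second return value of `RoleExists` (`roleExists, _ :=`), so a failed lookup is indistinguishable from a missing role and the grant is silently skipped; since this path decides a user's role membership, that error should be returned or at least logged. Collecting the identifiers of the existing roles first and joining them handles the separator and the empty case together. The sketch assumes `RoleExists` returns `(bool, error)` and that the enclosing function, whose signature and tail are outside the hunk, returns an error.

```go
if len(rolesToGrant) > 0 {
	grantable := make([]string, 0, len(rolesToGrant))
	for _, role := range rolesToGrant {
		roleExists, err := RoleExists(ctx, txn, role)
		if err != nil {
			return err
		}
		if roleExists {
			grantable = append(grantable, role.SQLIdentifier())
		}
	}
	// Skip the statement entirely when no target role exists.
	if len(grantable) > 0 {
		grantStmt := strings.Builder{}
		grantStmt.WriteString("GRANT ")
		grantStmt.WriteString(strings.Join(grantable, ", "))
		grantStmt.WriteString(" TO ")
		// … unchanged: user identifier and statement execution (outside the hunk) …
```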