  1. Confluence Data Center
  2. CONFSERVER-29510

Allow disabling users which are sourced from a read-only LDAP directory

Details

    • We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

    Description

      NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion.

      Users currently cannot be disabled from within Confluence if they are sourced from an LDAP directory which is configured as read-only.

      Until Confluence 5.1.4 (fixed in CONF-22337), a link was offered hinting that it was possible to do so, but on trying to perform the operation, users were confronted with an error message like:

      User "xxxxxx" could not be disabled. The directory may be read-only.
      

      The active column in the cwd_user table (Embedded Crowd cache) marks a disabled user with the value F (false). A disabled user is not counted towards the license, since he is not able to use Confluence. Currently, this property is not synchronised back to the LDAP directory (e.g. in the form of a custom attribute).

      CWD-995 is going to change this behaviour for Active Directory connectors, meaning that disabling a user would synchronise back to the User-Account-Control attribute. Once this is implemented, we will be working on getting it shipped in Confluence.

      To disable a user sourced from a read-only LDAP directory today, one must either remove the user from the groups granting him use permission (e.g. confluence-users), or configure the directory as Read Only, with Local Groups and assign use permission only to those local groups.

      This issue tracks a possible feature that would allow users sourced from an LDAP directory configured as read-only to be disabled from within Confluence. Before voting on it, please make sure you've read Connecting to an LDAP Directory and have considered alternative solutions. You will give this issue more momentum by detailing your use case in a comment, along with the reason why it cannot be solved otherwise.
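
The group-removal workaround described above only holds if every use-permission membership is actually gone, so the following added example (not Atlassian's code) audits a list of offboarded accounts against the Embedded Crowd tables. It runs against a constructed in-memory SQLite copy; the column names, the `CONNECTOR` directory type value, the `wiki-contractors` group and the offboarded list are assumptions for illustration.

```python
import sqlite3

# Constructed, trimmed copy of the Embedded Crowd tables (column names assumed).
SCHEMA = """
CREATE TABLE cwd_directory (id INTEGER PRIMARY KEY, directory_type TEXT);
CREATE TABLE cwd_user (id INTEGER PRIMARY KEY, lower_user_name TEXT,
                       active TEXT, directory_id INTEGER);
CREATE TABLE cwd_group (id INTEGER PRIMARY KEY, group_name TEXT);
CREATE TABLE cwd_membership (parent_id INTEGER, child_user_id INTEGER);
"""

AUDIT_SQL = """
SELECT u.lower_user_name, g.group_name
FROM cwd_user u
JOIN cwd_directory d  ON d.id = u.directory_id
JOIN cwd_membership m ON m.child_user_id = u.id
JOIN cwd_group g      ON g.id = m.parent_id
WHERE d.directory_type = 'CONNECTOR'   -- assumed type value for LDAP connectors
  AND u.active = 'T'                   -- flag cannot be cleared from Confluence
  AND g.group_name IN ({groups})
  AND u.lower_user_name IN ({users})
ORDER BY u.lower_user_name, g.group_name
"""

def still_licensed(conn, offboarded, use_groups=("confluence-users",)):
    """Return (user, group) pairs for offboarded LDAP users who still hold use permission."""
    if not offboarded or not use_groups:
        return []
    sql = AUDIT_SQL.format(groups=",".join("?" * len(use_groups)),
                           users=",".join("?" * len(offboarded)))
    params = [*use_groups, *(name.lower() for name in offboarded)]
    return conn.execute(sql, params).fetchall()

def sample_db():
    """Build the constructed sample: directory 1 is internal, 2 is read-only LDAP."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO cwd_directory VALUES (?,?)",
                     [(1, "INTERNAL"), (2, "CONNECTOR")])
    conn.executemany("INSERT INTO cwd_user VALUES (?,?,?,?)",
                     [(1, "alice", "T", 2), (2, "bob", "T", 2),
                      (3, "carol", "T", 1), (4, "erin", "T", 2)])
    conn.executemany("INSERT INTO cwd_group VALUES (?,?)",
                     [(10, "confluence-users"), (11, "wiki-contractors")])
    # bob was already removed from every use group; erin sits in two.
    conn.executemany("INSERT INTO cwd_membership VALUES (?,?)",
                     [(10, 1), (10, 3), (10, 4), (11, 4)])
    return conn

if __name__ == "__main__":
    for user, group in still_licensed(sample_db(), ["Alice", "bob", "carol", "erin"]):
        print(f"{user} still has use permission via {group}")
```

Pass every group that grants use permission in `use_groups`; an account listed for any of them can still log in and still counts towards the license.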

            People

              Unassigned Unassigned
              fakraemer fabs
              Votes: 88
              Watchers: 66
