The default user search filter specified in 3.4 and earlier could find user accounts that don't contain username attributes. After the upgrade, if the filter finds bad data, this will prevent any LDAP synchronisation from completing, and will make any upgrade attempt with this configuration fail.
We should automatically tighten the filter during the upgrade process to include the relevant username attribute by 'and'ing it with the one given by the user. E.g. for Active Directory, with the username attribute 'sAMAccountName', the user search filter could be given as '(objectCategory=person)', but we should change it to '(&(objectCategory=Person)(sAMAccountName=*))'. For LDAP, with the username attribute 'cn', the user search filter could be given as '(objectClass=inetorgperson)', but we should change it to '(&(objectClass=inetorgperson)(cn=*))'. The same could be done for user attribute 'oid', and so forth.
While we're implementing this, we should validate that any given wildcard part of the search filter matches the user attribute - if they don't match, we'll never see any results we can use.
Before upgrading, change atlassian-user.xml so it's got a filter for the username attribute in it. For example with Active Directory: