Currently, confluence upgrade fails to copy external_users to internal group mappings, if the customer has an LDAP definition in atlassian-user.xml file, but doesn't copy over the atlassian-user.xml file into CONFLUENCE_35/../WEB-INF/classes directory.

The local users get migrated and their permissions do get migrated.

We should detect that there are entries in EXTERNAL_* tables and warn the user. Perhaps it's also prudent to not perform the upgrade, and ask the user for confirmation?