LDAP directory read only with local groups should support mixed memberships.

Problem:

When creating an LDAP directory type connector with LDAP Permissions set to Read Only, with Local Groups, you can't include members into groups that are pulled from the LDAP.

Steps to reproduce:

1. Create a connector directory and set it to read-only with local groups;
2. Find a group that was pulled from the LDAP and attempt to include other members, it will throw the following message:

   2014-10-29 16:57:35,371 ERROR [http-bio-8090-exec-274] [bucket.user.DefaultUserAccessor] addMembership Failed to add 'test-user' as a member of 'LDAP-group'
    -- url: /confluence/admin/users/adduserstogroup.action | userName: admin | referer: https://ironman/confluence/admin/users/domembersofgroupsearch.action?membersOfGroupTerm=LDAP-group | action: adduserstogroup
   com.atlassian.user.EntityException: com.atlassian.crowd.exception.OperationNotPermittedException: com.atlassian.crowd.exception.ApplicationPermissionException: Could not add user test-user to group LDAP-group in directory Active Directory server because the directory or group is read-only.
   

Suggestion:

We should allow mixed memberships composed by the list of group members pulled from the LDAP, plus members included manually within Confluence web interface.