Confluence Data Center
CONFSERVER-40701

Cannot add user to Internal Delegated LDAP directory manually if username already exists in the Confluence Internal Directory


Details

    Description

      Summary

      User directories do not work as expected: the Confluence Internal Directory and the Internal Delegated LDAP directory are not treated as separate directories when a user is added manually to the Internal Delegated LDAP directory.

      If a username (USERA) exists in the Confluence Internal directory, the same username cannot be added manually to the Internal Delegated LDAP directory unless the user in the Confluence Internal directory is deleted. In some cases the account cannot be deleted because it has created content, and disabling it does not help either. When you attempt to add USERA manually to the Internal Delegated LDAP directory, Confluence displays the error "A user with this username already exists". As a result the LDAP user cannot be added, and Confluence never shadows the two accounts. The intended behaviour is that the account can be added. Adding the account does work if "Copy User on Login" is enabled in the Internal Delegated LDAP directory settings.

      Steps to Reproduce

      1. Add USERA to Confluence Internal Directory
      2. Create an Internal Delegated LDAP directory
      3. Do not select "Copy user on login"
      4. Ensure the Internal Delegated LDAP directory is in the first position
      5. Attempt to add USERA to the Internal Delegated LDAP directory (Note: USERA is an existing valid LDAP user)
      6. Receive "A user with this username already exists" error message

      Expected Results

      Confluence should allow the creation of USERA in the Internal Delegated LDAP directory even if USERA also exists in the Confluence Internal directory because they are separate directories. Confluence should then shadow the accounts and treat them as one profile because the usernames are the same.

      Confluence should be querying the cwd_user table when checking for the duplicate username, but it appears it may be querying the user_mapping table instead. However, we were not able to confirm the queries being run with DEBUG logging on the crowd logs.
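      To make the cwd_user / user_mapping distinction concrete, the following read-only SQL is an added diagnostic for this issue (it is not part of the original report and not Atlassian's code). It assumes the standard Confluence schema (cwd_user, cwd_directory, user_mapping) on a PostgreSQL-style database and uses the placeholder username 'usera'; the third statement also covers the rename-to-USERA1 situation described in the Notes section below.

```sql
-- Added diagnostic for CONFSERVER-40701, not from the original issue.
-- Assumes the standard Confluence tables cwd_user, cwd_directory and user_mapping;
-- 'usera' is a placeholder (usernames are stored lower-cased in the lower_* columns).

-- 1. Which directories hold a user with this username?  Once the LDAP copy exists
--    two rows (INTERNAL and DELEGATING) are expected; Confluence resolves the
--    username through the directory with the lowest directory_position.
SELECT u.id                 AS cwd_user_id,
       u.user_name,
       u.active             AS user_active,
       d.id                 AS directory_id,
       d.directory_name,
       d.directory_type,    -- INTERNAL vs DELEGATING
       d.directory_position -- 0 = first position in User Directories
FROM   cwd_user u
JOIN   cwd_directory d ON d.id = u.directory_id
WHERE  u.lower_user_name = 'usera'
ORDER  BY d.directory_position;

-- 2. user_mapping is keyed per username, not per directory, so it returns at most
--    one row.  A duplicate-name check run against this table would reject the
--    username whenever it exists anywhere, regardless of target directory, which
--    matches the behaviour the issue reports.
SELECT user_key, username, lower_username
FROM   user_mapping
WHERE  lower_username = 'usera';

-- 3. After renaming the internal user to USERA1 and adding USERA to the LDAP
--    directory, each username has its own user_key, i.e. two separate profiles.
SELECT m.username, m.user_key, d.directory_name, d.directory_type
FROM   user_mapping m
JOIN   cwd_user u      ON u.lower_user_name = m.lower_username
JOIN   cwd_directory d ON d.id = u.directory_id
WHERE  m.lower_username IN ('usera', 'usera1')
ORDER  BY m.username, d.directory_position;
```

      Run these against a copy of the database or under a read-only account; none of them modify data. If statement 1 returns only the INTERNAL row while statement 2 returns a mapping for the same name, the rejection is consistent with the duplicate check consulting user_mapping rather than the per-directory cwd_user rows.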

      Actual Results

      Confluence will not allow the creation of USERA even though the Internal Delegated LDAP directory is in the first position. Instead, Confluence displays "A user with this username already exists" error.

      The same error is displayed even if you disable USERA in the Confluence Internal directory.

      Notes

      If we rename USERA in the Confluence Internal directory to something else, e.g. USERA1, Confluence then allows USERA to be added manually to the Internal Delegated LDAP directory; however, the accounts are then not shadowed. If USERA in the Confluence Internal directory had any user information, it is now treated as a second account.

      We were not able to confirm the queries being run, as enabling DEBUG logging on:
      com.atlassian.crowd.directory
      com.atlassian.crowd.embedded
      com.atlassian.confluence.user.crowd

      only logged:

      2016-02-05 17:59:44,443 DEBUG [http-nio-5814-exec-1] [confluence.user.crowd.CachedCrowdMembershipDao] isUserDirectMember checking direct membership for user [ admin ] and group [ confluence-administrators ]

      Workaround

      To work around this issue, you can use the "Copy User on Login" function. When USERA then logs in with their LDAP credentials, the account is created automatically without error, even though USERA already exists in the Confluence Internal Directory.

      1. Go to General Configuration > User Directories
      2. Ensure your Internal Delegated LDAP directory is in the first position
      3. Edit the Internal Delegated LDAP directory
      4. Check the "Copy User on Login" box
      5. Enter your desired Default Group Memberships for users who authenticate successfully, such as confluence-users
      6. Select Test Settings
      7. Select Save Settings
      8. Have the desired users log in; an account is created for each in the Internal Delegated LDAP directory and shadows the account from the Confluence Internal Directory
      9. If you do not want to keep copying users on login automatically, go back to the Internal Delegated LDAP directory settings, uncheck the box, then test and save the settings again

      People

      Assignee: Unassigned
      Reporter: rlouie (Robert Louie)
      Votes: 2
      Watchers: 4