Summary

Currently, Confluence and Jira will only synchronize the main user attributes, such as user full name, email address, usernames, etc. Other additional user attributes, such as user's phone number, position, department and location will not be synced over to Confluence and Jira accordingly, and vice versa.

As the additional user attributes are not synced over from LDAP, specifically in Confluence, users are able to add or modify their additional user attributes manually from the User Profile page. This data would then be stored in Confluence's Database - os_propertyentry table in specific, whereas the synced user attributes/details synchronized over from LDAP is stored in the tables prefixes with cwd, e.g. cwd_user table.

Steps to Reproduce

1. First, set up an LDAP User Directory in Jira with Read Only settings.
2. Then in Confluence, please set up a Jira User Directory
   Both Jira and Confluence users would be pulled from LDAP
3. Once you've done this, please try to modify your phone number only from the User Profile page in Confluence and save the changes.

Expected Results

By right Confluence should then allow the user to edit their additional user attributes from the User Profile page as this data is managed locally in Confluence and will not be synced over to other external user directories (LDAP or Jira).

Actual Results

Modifying only an additional user attribute (e.g. phone number) from the User Profile page, Confluence will actually perform the LDAP application permission validation which then will then cause the APPLICATION_PERMISSION_DENIED that we're seeing as LDAP user directory is configured to Read Only. By right, on additional user attribute edit Confluence does not have to validate the LDAP directory again as the additional user attribute is stored locally. It should only do this when the user modify their full name or email address from the User Profile page.

The below exception is thrown in the <Confluence-Home>/logs/atlassian-confluence.log file:

2018-09-19 17:09:13,422 WARN [http-nio-6614-exec-9] [confluence.user.actions.EditMyProfileAction] doEdit Failed to update user profile.
 -- referer: http://localhost:6614/c614/users/editmyprofile.action | url: /c614/users/doeditmyprofile.action | traceId: e3ee830189874605 | userName: lauretha | action: doed
itmyprofile
com.atlassian.crowd.exception.runtime.OperationFailedException: com.atlassian.crowd.exception.ApplicationPermissionException: <?xml version="1.0" encoding="UTF-8" standalon
e="yes"?><error><reason>APPLICATION_PERMISSION_DENIED</reason><message>Cannot update user 'lauretha' because directory 'LDAP server' does not allow updates.</message></erro
r>
        at com.atlassian.crowd.embedded.core.CrowdServiceImpl.updateUser(CrowdServiceImpl.java:377)
...
Caused by: com.atlassian.crowd.exception.ApplicationPermissionException: <?xml version="1.0" encoding="UTF-8" standalone="yes"?><error><reason>APPLICATION_PERMISSION_DENIED</reason><message>Cannot update user 'lauretha' because directory 'LDAP server' does not allow updates.</message></error>
        at com.atlassian.crowd.integration.rest.service.RestExecutor$MethodExecutor.throwError(RestExecutor.java:614)

With the following error message thrown in the Confluence UI: