Help customers understand trade-offs of configurations - diagrams/models


    • Type: Suggestion
    • Resolution: Unresolved
    • Component/s: Documentation

      From discussion with Yilin:

      Our support engineers generally recommend against giving write access from Crowd/JIRA/etc to LDAP because of network security. We recommend admins manage their users directly from LDAP.

      An example setup: if you want to have JIRA public sign-up and read-only integration with LDAP for internal users/employees, configure JIRA to write to an internal user directory for public sign-up. (Crowd's internal user directory, or one in JIRA? would need write access to Crowd)

      Other relevant details:

      • Passwords are always in LDAP - both delegated and connector. Passwords are only in Crowd when using an internal directory.
      • Group membership is in LDAP with connector, in Crowd with delegated. When using delegated, no group information is inherited from LDAP at all.
      • Application permissions (space access, project permissions) are always in the application.
      • Most attributes in LDAP aren't brought into Crowd/JIRA. Internal directories can have attributes added to them to track stuff like phone numbers.
      • You CAN disable or even delete JIRA's internal directory, but it can cause serious problems if there are users in it.

              Assignee: Unassigned
              Reporter: Melanie Wright (Inactive)
              Votes: 0
              Watchers: 2

                Created:
                Updated: