Crowd should amalgamate all group memberships for the same username across multiple directories. This works when querying the members of a group, but not when querying the group memberships of a user.
This works (pseudo-code):
This does not:
Here's the offending REST endpoint:
What this can mean in downstream applications is that all groups are amalgamated when a user logs in to Confluence, but when they log in to the admin console, they only get the memberships from the top directory in Crowd. This has caused problems for users where their confluence-administrators and jira-administrators groups are in the second place directory, and logging in to the admin console means they lose these groups and authentication fails.