Type: Suggestion
Resolution: Low Engagement
Component/s: Directory - LDAP
At my company, we currently use Crowd with Jira and Confluence to provide authentication and authorization against our corporate LDAP server. Other systems also use the LDAP server (for example, version control, Windows domain logon, etc.). This means that we frequently use LDAP groups for access control in Confluence and Jira - for example, in the Release Engineering space, the "releng" group in LDAP is permissioned as the administrators of the space in Confluence.
This works quite well for us, by and large. We've been greatly looking forward to the Delegated Directory feature in Crowd, though, because it gives us the opportunity to create Confluence-specific groups that don't need to exist in LDAP (such as, for example, confluence-administrators). Unfortunately, moving to a Delegated Directory would mean that we would lose the ability to use the existing LDAP groups in Confluence and Jira.
What we'd really like is for there to be a fallback option: if a group doesn't exist in the internal directory, it could check for it in the connector-based directory, and if it exists there, use that one. That would mean that we'd have to make sure not to create any internal-directory groups that have the same name as an LDAP group, but I think we could manage that.