Jira throws ugly exception when it is not able to change password of Crowd connected user INSUFF_ACCESS_RIGHTS

Imagine this setup (also recommended by Atlassian): Jira -> Crowd -> LDAP/AD.

As normal in most corporations AD/LDAP is read only and we connect it to Crowd in order to allow people to use their corporate logins.

Now the problem is that when a user is Jira tries to login and fails to login, they assume their password is not good and they try to reset their password.

Jira provides ZERO information in the login and password reset window regarding the fact the AD/LDAP users are not allowed to reset their password and that they have to use the corporate method for doing this.

Users trying to reset their password get something like this:

The password could not be changed by the credentials provider. org.springframework.ldap.NoPermissionException: [LDAP: error code 50 - 00000005: SecErr: DSID-031A1190, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ]; nested exception is javax.naming.NoPermissionException: [LDAP: error code 50 - 00000005: SecErr: DSID-031A1190, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ]; remaining name 'cn=john doe,ou=user accounts,ou=emea,dc=example,dc=com'

This is a cross-product design bug, because while the Crowd directory is editable from Jira, some of the accounts are not editable (the LDAP/AD ones).

We do get one report like this every 2 weeks, and that's clearly not a good experience at all.

If JIRA would allow us to configure a text message on the login and password reset screens this problem could be prevented.