Suggestion
Resolution: Unresolved
This feature request stems from a specific use case, where customers need to be able to easily move users from one external directory to another simply by changing one of the user's external attributes, for example DepartmentNumber.
For example:
1) Jira has 2 external directories, Directory-51 and Directory-68, with Directory-51 ordered above Directory-68, both pointing to the same LDAP server (this is a common scenario where customers use multiple user directories for easier permission management);
2) User51 exists in external Directory-51, whose user filter uses DepartmentNumber=51 to limit the scope of users that are allowed to log in to Jira;
3) The customer would like to move that user to department 68, so they change the DepartmentNumber attribute to 68 on the LDAP side, expecting that the next time directory synchronization occurs, User51 will disappear from Directory-51 and appear in Directory-68, thus still having access to Jira.
Actual results will vary in this scenario.
Result 1 - undesired
If the Jira administrator leaves it to Jira to handle the migration and Directory-51 happens to be synchronized first, then User51 will be marked as inactive and disabled.
Synchronizing Directory-68 later will not help here, as the disabled user will remain in Directory-51.
There will be 2 users in the cwd_user table: one inactive in Directory-51, another active in Directory-68. Because the latter directory sits below Directory-51, the user won't be able to log in, even though the external_id for both users in cwd_directory is exactly the same.
Manual work will be required here to remediate.
Result 2 - desired
To avoid Result 1, it is very important to synchronize the gaining directory (Directory-68) first. This way, when Directory-51 is synchronized next, Jira will 'understand' what happened and merge the two users together; only one record for that user will remain in the cwd_user table, thus avoiding the creation of duplicates.
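The order dependence described in Result 1 and Result 2 can be reproduced with a small model. The following is an added example, not Jira's code and not part of the original ticket: it models the synchronization behaviour exactly as the ticket describes it (a user dropping out of a directory's filter is marked inactive unless another directory already holds an active row with the same external_id, in which case the stale row is merged away), resolves login against the highest-positioned directory holding the username, and includes a `shadowed_duplicates` check that an administrator could mirror as a query against cwd_user to find the inactive-but-still-in-LDAP users the ticket asks Jira to warn about. The LDAP snapshot, directory names, positions and external_id values are constructed for illustration.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

# Constructed LDAP snapshot (not real data): user51 has already been moved
# to department 68 on the LDAP side; user60 is still in department 51.
LDAP = {
    "user51": {"departmentNumber": "68"},
    "user60": {"departmentNumber": "51"},
}


@dataclass(frozen=True)
class Directory:
    name: str
    position: int    # lower number = higher in the directory order
    department: str  # user filter: departmentNumber=<department>


@dataclass
class UserRow:
    """One row of the cwd_user table, reduced to the columns the ticket talks about."""
    directory: str
    user_name: str
    external_id: str
    active: bool


def in_scope(directory: Directory, user_name: str) -> bool:
    """Does the user currently match this directory's LDAP user filter?"""
    return LDAP.get(user_name, {}).get("departmentNumber") == directory.department


def synchronize(directory: Directory, cwd_user: list[UserRow]) -> None:
    """Model of one directory sync as the ticket describes the behaviour."""
    # Step 1: rows of this directory whose user no longer matches the filter.
    for row in list(cwd_user):
        if row.directory != directory.name or in_scope(directory, row.user_name):
            continue
        other_active = [r for r in cwd_user
                        if r.external_id == row.external_id
                        and r.directory != directory.name and r.active]
        if other_active:
            cwd_user.remove(row)   # merge: the gaining directory already holds the user
        else:
            row.active = False     # no other home yet: mark inactive & disabled
    # Step 2: users now matching the filter that have no row in this directory yet.
    for user_name in LDAP:
        already_here = any(r.directory == directory.name and r.user_name == user_name
                           for r in cwd_user)
        if in_scope(directory, user_name) and not already_here:
            cwd_user.append(UserRow(directory.name, user_name, f"uuid-{user_name}", True))


def can_login(user_name: str, directories, cwd_user: list[UserRow]) -> bool:
    """Login resolves against the first directory (by position) holding the username."""
    for d in sorted(directories, key=lambda d: d.position):
        for r in cwd_user:
            if r.directory == d.name and r.user_name == user_name:
                return r.active
    return False


def shadowed_duplicates(cwd_user: list[UserRow]) -> dict[str, list[UserRow]]:
    """Detection check: external_ids present in more than one directory
    with at least one inactive row (the Result 1 state)."""
    by_ext: dict[str, list[UserRow]] = defaultdict(list)
    for r in cwd_user:
        by_ext[r.external_id].append(r)
    return {ext: rows for ext, rows in by_ext.items()
            if len({r.directory for r in rows}) > 1 and any(not r.active for r in rows)}


def run(order: list[str]):
    """Sync the two directories in the given order; return the final table,
    whether user51 can log in, and any shadowed duplicates."""
    d51 = Directory("Directory-51", 1, "51")
    d68 = Directory("Directory-68", 2, "68")
    dirs = {d.name: d for d in (d51, d68)}
    # Starting state: user51 was still in department 51 at the previous sync.
    cwd_user = [UserRow("Directory-51", "user51", "uuid-user51", True),
                UserRow("Directory-51", "user60", "uuid-user60", True)]
    for name in order:
        synchronize(dirs[name], cwd_user)
    return cwd_user, can_login("user51", dirs.values(), cwd_user), shadowed_duplicates(cwd_user)


if __name__ == "__main__":
    for order in (["Directory-51", "Directory-68"], ["Directory-68", "Directory-51"]):
        rows, ok, dups = run(order)
        print(order, "login:", ok, "rows:", len(rows), "shadowed:", sorted(dups))
```

Running it with the losing directory first leaves three rows, a failed login for user51 and one shadowed external_id; running the gaining directory first leaves two rows and a working login. The `shadowed_duplicates` grouping (same external_id, more than one directory_id, at least one active = 0) is the condition an administrator can check in cwd_user before and after a sync to catch Result 1 early.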
Proposed solution:
It'd be great if Jira could 'understand' that there's more than one user directory pointing to the same LDAP server and perhaps not be that harsh in cases like that. Perhaps create a hidden 'transit' directory where such users are placed for a configurable length of time? For example, if a user is genuinely deleted from LDAP, that's fine: mark it as inactive and disabled, but the next time the directory syncs, check whether that user is now in scope of another directory and, if so, merge the two together; otherwise leave it disabled.
Or maybe an 'allow merging' option under the directory configuration, to make the directory aware that there's more than one user directory pointing to the same LDAP server, so that Jira takes caution before simply disabling such a user and preventing them from logging in.
Jira could also throw a warning or log an error that the directory was synchronized and this user was marked as inactive in this directory but is still active in LDAP. Jira can perform another check during the sync for such users and notify administrators that these users are disabled only temporarily: once the directory below is synchronized, the user from the 'sending' directory will disappear and appear in the gaining one.
This is actually on the border of being a bug: because the two users have exactly the same external_id, Jira should be able to handle this better.
- is related to: JRASERVER-27868 Provide the ability to migrate users from one directory to another (Future Consideration)
- relates to: JSDSERVER-15523 Option to merge the user accounts when there are two accounts with same email address (Gathering Interest)