  1. Jira Data Center
  2. JRASERVER-79109

Inactive LDAP users are not being replaced by their active duplicate accounts 


    • Bug
    • Resolution: Unresolved
    • Low
    • None
    • 9.12.12, 10.6.0
    • None

      Issue Summary

      Inactive (and deleted) LDAP users are not being replaced by their active accounts.

      This can happen in the following scenario:

      1. The user present in the 1st User Directory:
        1. Had data associated with them;
        2. Was removed from the LDAP or from the location configured in Jira, causing Jira to show the user with inactive/deleted status ("MorimotS [X]")
      2. Then, a 2nd Directory was added into Jira with an active copy of the same user

      Steps to Reproduce

      1. Considering the following directory order:
        1. Active Directory - LDAP1
        2. Internal Jira Directory
      2. LDAP1 is enabled in Jira with the following user object filter:
        • (&(objectCategory=Person)(sAMAccountName=*)(memberOf=CN=apac-users*)) 
      3. Account "MorimotS" is active on LDAP1 and must create an issue in Jira
      4. In LDAP, remove the user from group "apac_users" or delete the user completely
      5. Run Full Synchronization for LDAP1
      6. User shows up in Jira with deleted status "MorimotS [X]"
      7. Disable LDAP1
      8. Create a new account "MorimotS" in your Jira Internal directory
        1. At this moment, we can properly see the active account from the Jira Internal Directory being displayed
      9. Re-enable LDAP1, keeping this LDAP on top
      10. Run a new Full LDAP Synchronization

      Expected Results

      The active account from Jira Internal Directory should be displayed

      Actual Results

      The inactive/deleted account ("MorimotS [X]") is displayed instead of the active account, which prevents the user from authenticating.

      Workaround

      1. In your LDAP1, re-add the user to the group or recreate the user
      2. Run a Full LDAP Synchronization in Jira
        1. You should notice that Jira has changed the status of the LDAP user to active
      3. Once again, delete the user or remove the user from the group
      4. Run a Full LDAP Synchronization in Jira
        1. As a result, the active account from your 2nd User Directory will be displayed
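
To find accounts in the state described in this issue, the following added example (not part of the original report and not Atlassian's code) lists usernames whose entry in the highest-priority enabled directory is inactive while a lower-priority enabled directory holds an active account of the same name. It assumes the Jira tables `cwd_directory` and `cwd_user` with the columns shown; the rows are constructed sample data loaded into an in-memory SQLite database so the query runs offline.

```python
import sqlite3

# Minimal subset of Jira's cwd_directory / cwd_user tables (assumed columns;
# confirm against your own schema). All rows below are constructed sample data.
SCHEMA = """
CREATE TABLE cwd_directory (id INTEGER PRIMARY KEY, directory_name TEXT,
                            directory_position INTEGER, active INTEGER);
CREATE TABLE cwd_user (id INTEGER PRIMARY KEY, directory_id INTEGER,
                       user_name TEXT, lower_user_name TEXT, active INTEGER);
"""

# hi = the user's entry in the first enabled directory that contains the name;
# lo = an active entry of the same name in a lower-priority enabled directory.
SHADOWED_SQL = """
SELECT hi.lower_user_name, dh.directory_name, dl.directory_name
FROM cwd_user hi
JOIN cwd_directory dh ON dh.id = hi.directory_id AND dh.active = 1
JOIN cwd_user lo ON lo.lower_user_name = hi.lower_user_name AND lo.active = 1
JOIN cwd_directory dl ON dl.id = lo.directory_id AND dl.active = 1
WHERE hi.active = 0
  AND dl.directory_position > dh.directory_position
  AND NOT EXISTS (
      SELECT 1 FROM cwd_user u
      JOIN cwd_directory d ON d.id = u.directory_id AND d.active = 1
      WHERE u.lower_user_name = hi.lower_user_name
        AND d.directory_position < dh.directory_position)
ORDER BY hi.lower_user_name, dl.directory_position
"""

def build_sample(ldap_enabled=1):
    """Constructed data mirroring the directory order in the reproduction steps."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO cwd_directory VALUES (?,?,?,?)", [
        (1, "Active Directory - LDAP1", 0, ldap_enabled),
        (2, "Internal Jira Directory", 1, 1)])
    conn.executemany("INSERT INTO cwd_user VALUES (?,?,?,?,?)", [
        (10, 1, "MorimotS", "morimots", 0),   # removed from LDAP, shown as [X]
        (11, 2, "MorimotS", "morimots", 1),   # active duplicate, shadowed
        (12, 1, "alice", "alice", 1),         # active in LDAP1 only
        (13, 1, "carol", "carol", 0),         # inactive, no duplicate
        (14, 2, "bob", "bob", 1)])            # internal directory only
    return conn

def find_shadowed(conn):
    """Return (username, shadowing directory, directory with active account)."""
    return conn.execute(SHADOWED_SQL).fetchall()

if __name__ == "__main__":
    for row in find_shadowed(build_sample()):
        print(row)
```
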

              Viktar Arlou
              Fernanda Gomes