Incomplete Group Memberships In Integrated Applications Using Crowd Nested Groups
Symptoms
An LDAP-based directory contains an OU with three groups, "jira-administrators", "jira-developers" and "jira-users", and the groups containing the real users are nested into these. The results look OK in Crowd.
Jira is populated with "jira-administrators", "jira-developers" and "jira-users", and all users that should be there. Viewing a group shows the correct members. However, viewing an individual user shows no group memberships.
It is possible to log in to Jira, but the user has no privileges other than being recognized as belonging to "jira-users".
Cause
The nested groups don't belong to the Base DN defined in the Directory Connector (e.g. they are siblings rather than children of the Base DN).
Resolution
Increase the scope of the directory seen by Crowd by changing the Base DN.
This can cause unwanted groups to appear in the Crowd console, but the problem can be mitigated by using the Group Object Filter to filter out all but the specified group name patterns:
(&(objectCategory=Group)(|(cn=desired-group-A)(cn=desired-group-B)(cn=jira*)))
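The cause and the effect of the fix can be checked offline against an export of group DNs and their members. The following is an added example, not Atlassian or Crowd code: it flags nested groups that sit outside a Base DN and lists which groups remain visible after widening the Base DN and applying cn patterns like those in the filter above. It assumes subtree scope, and all DNs and group names in it are constructed.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample data: group DN -> member DNs. All names are hypothetical.
GROUPS = {
    "cn=jira-administrators,ou=jira,dc=example,dc=com": ["cn=ops-team,ou=teams,dc=example,dc=com"],
    "cn=jira-developers,ou=jira,dc=example,dc=com": ["cn=dev-team,ou=teams,dc=example,dc=com"],
    "cn=jira-users,ou=jira,dc=example,dc=com": ["uid=alice,ou=people,dc=example,dc=com"],
    "cn=ops-team,ou=teams,dc=example,dc=com": ["uid=bob,ou=people,dc=example,dc=com"],
    "cn=dev-team,ou=teams,dc=example,dc=com": ["uid=carol,ou=people,dc=example,dc=com"],
    "cn=hr-payroll,ou=teams,dc=example,dc=com": ["uid=dave,ou=people,dc=example,dc=com"],
}

def rdns(dn):
    """Split a DN into lower-cased RDNs, honouring backslash-escaped commas."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def in_scope(dn, base_dn):
    """True if dn is the Base DN itself or sits anywhere below it."""
    d, b = rdns(dn), rdns(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def out_of_scope_members(groups, base_dn):
    """For each group under base_dn, list nested groups that lie outside it."""
    known = {",".join(rdns(dn)) for dn in groups}
    report = {}
    for dn, members in groups.items():
        if in_scope(dn, base_dn):
            lost = [m for m in members
                    if ",".join(rdns(m)) in known and not in_scope(m, base_dn)]
            if lost:
                report[dn] = lost
    return report

def visible_groups(groups, base_dn, cn_patterns):
    """Groups under base_dn whose cn matches a pattern ('*' wildcard only)."""
    def cn(dn):
        return rdns(dn)[0].split("=", 1)[1]
    return sorted(dn for dn in groups if in_scope(dn, base_dn)
                  and any(fnmatchcase(cn(dn), p.lower()) for p in cn_patterns))

if __name__ == "__main__":
    narrow, wide = "ou=jira,dc=example,dc=com", "dc=example,dc=com"
    print("unresolvable with narrow Base DN:", out_of_scope_members(GROUPS, narrow))
    print("visible after widening + filter:",
          visible_groups(GROUPS, wide, ["ops-team", "dev-team", "jira*"]))
```

Any group in the second list that should not be exposed to Jira means the pattern list is too broad.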