You have configured an internal directory and an LDAP directory with the permission "Read Only, with Local Groups" where you have configured the default group membership to be "jira-users". Configuration was successful and synchronization was without any problem. When you try to login as an LDAP user, it fails with the error "You do not have a permission to log in. If you think this is incorrect, please contact your JIRA administrators." When you try to associate the user with the jira-users group from the UI, you are faced with the error "You cannot add user 'xxxx' to group 'xxxxxx'. The user's directory is read only."
The following error appears in the log
The groups in the LDAP server are read-only and because you have placed the LDAP directory at the top position, the users from LDAP server take precedence with the groups duplicated across. Associating the user with LDAP group which is read only will fail.