Incremental directory synchronisation not working properly

The setup:

I have a deployment containing Crowd, JIRA and Confluence.

JIRA and Confluence are set up to talk to Crowd, have public sign-ups enabled, and use SSO.

Crowd has 2 Internal Directories defied... one called Public and one called Internal

In Crowd, the JIRA and Confluence apps are set to authenticate against both the Public and Internal directories, with the appropriate groups jira-users, confluence-users, etc. defined in both directories. Public is set up as the first in the ordering list and allows for Add users permission to the apps. Internal disallows the Add users permission.

Both directories are also allowing nested groups.

In the Internal directory I have the following groups:internal-users, internal-admins

In the Public directory I have public-users

These groups have been added to belong to their respective jira-users confluence-users , etc, in a nested fashion.

For example, a user foo in directory Public that belongs to the group public-users is automatically part (through nesting) of the following groups: jira-users, confluence-users.

Finally, the Options tab for the directory Public specifies that new users should be automatically added to the public-users group (such that they automatically obtain access to jira and confluence).

Both JIRA and Confluence have been set up to access the Crowd directory, enable read/write access and group nesting, and incremental synchronisation.

The problem:

Once a new user signs up via the JIRA public sign-up link, the user is properly added to the public-users group (and seems to also be added automatically to jira-users, i assume by JIRA itself, which is redundant, but ok). The new user is able to access JIRA just fine, but has trouble accessing Confluence. The user's password is recognized, but a message indicating that the user doesn't have permissions to view the space is displayed. (I have manually triggered a synchronization action to happen before attempting to log in as the new user). At this point, if I log in as administrator to Confluence and go into the page showing the list of users, and look at the details of the new user, in the groups section I only see jira-users, but not the default public-users and confluence-users that I would've expected to see.

The workaround:

With everything set up as described above, the only change to make is to instruct Confluence NOT to do incremental synchronization in the User Directories section for the Crowd directory I've set up. That means that every synchronization attempt will perform FULL synchronization. With FULL synchronization everything works as expected. If I look at the users' details I can see all the groups that are supposed to be there: confluence-users jira-users and public-users.

Hopefully a fix can be implemented so that incremental synchronization works properly.

JIRA does not seem to have this problem, even though incremental synchronization is enabled.