Currently the SharePoint connector implements a very inefficient way of expanding AD groups,
i.e. it reads nested AD groups recursively, and in our case it takes
literally 2-5 minutes.
In this patch we have added two additional ways of expanding AD groups:
1. Using IN_CHAIN filter
"The LDAP_MATCHING_RULE_IN_CHAIN is a matching rule OID that is designed to
provide a method to look up the ancestry of an object. Many applications using
AD and AD LDS usually work with hierarchical data, which is ordered by
parent-child relationships. Previously, applications performed transitive group
expansion to figure out group membership, which used too much network
bandwidth; applications needed to make multiple roundtrips to figure out if an
object fell "in the chain" if a link is traversed through to the end"
http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475(v=vs.85).aspx
2. Using tokenGroups attribute
http://msdn.microsoft.com/en-us/library/windows/desktop/ms680275(v=vs.85).aspx
We've also made this behavior configurable, so you can choose one of the three
options (recursive, in chain, token groups) on the UI screen.
In our testing, the tokenGroups approach showed the best performance, i.e. it takes
~0.3 sec, which is 500 times faster than the recursive one.
I'm attaching the patch with this feature. Please note that this patch is
against the 2.8.6 release.
Original issue reported on code.google.com by ase...@gmail.com on 14 Sep 2012 at 10:26
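
The two lookups named in the issue, sketched as an added Python example that is not code from the attached patch or from the connector: it builds the IN_CHAIN search filter for a user DN and decodes the binary SIDs that tokenGroups returns, then builds one filter to resolve them to group entries. The function names and the sample DN and SID are constructed for illustration.

```python
import struct

# LDAP_MATCHING_RULE_IN_CHAIN, the matching rule named in the issue.
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape an LDAP filter assertion value per RFC 4515."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def in_chain_filter(user_dn: str) -> str:
    """Filter matching every group that contains user_dn, directly or nested."""
    return f"(member:{IN_CHAIN_OID}:={escape_filter_value(user_dn)})"


def sid_to_string(raw: bytes) -> str:
    """Decode one binary SID (a tokenGroups value) to S-1-... form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")   # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])   # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def sid_lookup_filter(raw_sids) -> str:
    """OR filter resolving tokenGroups SIDs to group entries in one search."""
    if not raw_sids:
        raise ValueError("no SIDs to resolve")
    terms = ("(objectSid=" + "".join(f"\\{b:02x}" for b in sid) + ")" for sid in raw_sids)
    return "(|" + "".join(terms) + ")"


# Constructed sample values, not taken from the issue.
SAMPLE_DN = "CN=Smith\\, Ann (IT),OU=Staff,DC=example,DC=com"
SAMPLE_SID = b"\x01\x05" + (5).to_bytes(6, "big") + struct.pack(
    "<5I", 21, 1004336348, 1177238915, 682003330, 512)

if __name__ == "__main__":
    print(in_chain_filter(SAMPLE_DN))
    print(sid_to_string(SAMPLE_SID))
    print(sid_lookup_filter([SAMPLE_SID]))
```

tokenGroups is a constructed attribute, so it has to be read with a base-scope search on the user object itself. Escaping the DN before it goes into the filter matters because group and user names that contain parentheses or backslashes would otherwise change the filter's structure.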