This repository has been archived by the owner on Dec 15, 2021. It is now read-only.

Improve performance of Active Directory groups expansion at serve time #186

Open
GoogleCodeExporter opened this issue Mar 29, 2015 · 0 comments

Comments

@GoogleCodeExporter

Currently the SharePoint connector implements a very inefficient way of expanding AD 
groups, i.e. it reads nested AD groups recursively, and in our case it takes 
literally 2-5 minutes. 

In this patch we have added two additional ways for AD groups expansion:

1. Using IN_CHAIN filter
"The LDAP_MATCHING_RULE_IN_CHAIN is a matching rule OID that is designed to 
provide a method to look up the ancestry of an object. Many applications using 
AD and AD LDS usually work with hierarchical data, which is ordered by 
parent-child relationships. Previously, applications performed transitive group 
expansion to figure out group membership, which used too much network 
bandwidth; applications needed to make multiple roundtrips to figure out if an 
object fell "in the chain" if a link is traversed through to the end"
http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475(v=vs.85).aspx

2. Using tokenGroups attribute
http://msdn.microsoft.com/en-us/library/windows/desktop/ms680275(v=vs.85).aspx

We've also made this behavior configurable, so you can choose one of the three 
options (recursive, in chain, token groups) on the UI screen.

In our testing, the tokenGroups approach showed the best performance, i.e. it takes 
~ 0.3 sec, which is 500 times faster than the recursive one.

I'm attaching the patch with this feature. Please note that this patch is 
against 2.8.6 release.

Original issue reported on code.google.com by [email protected] on 14 Sep 2012 at 10:26

Attachments:
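
The two lookups described in the issue, as an added Python example (not the attached patch and not the connector's code): it builds the IN_CHAIN search filter with the user DN escaped per RFC 4515, and decodes the binary SIDs that tokenGroups returns so they can be resolved to groups. The function names, the sample DN and the sample SID are constructed for illustration.

```python
import struct

# Well-known matching-rule OID for LDAP_MATCHING_RULE_IN_CHAIN.
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"

def escape_filter_value(value: str) -> str:
    """Escape the RFC 4515 special characters so a DN cannot alter the filter."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def in_chain_filter(user_dn: str) -> str:
    """One search that matches every group containing user_dn, directly or nested."""
    return "(member:%s:=%s)" % (IN_CHAIN_OID, escape_filter_value(user_dn))

def sid_to_string(raw: bytes) -> str:
    """Decode one binary SID, the form in which tokenGroups values arrive."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])     # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def sid_filter(raw: bytes) -> str:
    """Filter that resolves one tokenGroups SID back to its group object."""
    return "(objectSid=%s)" % "".join("\\%02x" % b for b in raw)

# Constructed sample inputs (not taken from the issue).
SAMPLE_DN = "CN=Doe\\, Jane (Contractor),OU=Staff,DC=example,DC=com"
SAMPLE_SID = bytes.fromhex("01020000000000052000000020020000")  # S-1-5-32-544

if __name__ == "__main__":
    # IN_CHAIN: a single subtree search replaces the recursive walk.
    print(in_chain_filter(SAMPLE_DN))
    # tokenGroups: a constructed attribute, read with a base-scope search on
    # the user object; each value is a binary SID like SAMPLE_SID.
    print(sid_to_string(SAMPLE_SID))
    print(sid_filter(SAMPLE_SID))
```
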
