Use tokenGroups attribute for nested group retrievals on AD

It might be possible to improve the performance of nested groups on Active Directory by using the tokenGroups attribute. This is a computed attribute that lists all the nested members of a group by their SID ("objectSid" attribute).

This was originally suggested in a forum post for Confluence, then developed as a popular custom Atlassian-User implementation by Swisscomm on CONF-17150.

Workaround

You can take advantage of how Crowd uses the configuration, and force AD to do this anyway. This will mean your groups are all flattened in Crowd, but you will receive the same performance benefit. To do this, configure the following in the directory in Crowd:

1. On the "Connector" tab:
   • Uncheck "Use Nested Groups"
   • Uncheck "Use memberOf for group memberships"
   • Check "Use the User Membership Attribute"
2. On the "Configuration" tab:
   • Change the "User Group Attribute" to "memberOf:1.2.840.113556.1.4.1941:"
3. Perform a full sync in Crowd
   • If you had the directory configured to perform incremental synchronization, you will need to change it to full synchronization so that Crowd captures changes on nested groups.