Current implementation uses following algorithm:
- For a given user find all groups that user is a member of. (A list of LDAP groups is constructed as a result of that request)
- Match this list of groups with provided group filter.
Time/Memory complexity of this approach is O(N) on client side, where N – is a number of groups the user has membership in. On a large directory (800+ groups per user) we can observe up to 2x performance degradation and failures because of size of LDAP response (LDAP: error code 4 - Sizelimit Exceeded).
Some Directory Services (Microsoft Active Directory for instance) provide a virtual attribute for User Object that contains a list of groups that user belongs to. This attribute can be used to quickly determine whether this user passes or fails the group filter.