A common use case in LDAP/AD setup is the hierarchical structuring of groups - a.k.a. adding groups to other groups. Such nesting groups can help reduce the number of roles that need to be managed.
Current zeppelin realm implementations doesn't have support for looking up memberships throughout nested group structures.
E.g. consider the following nested group scenario:
User 'bob' is in Group 'sub_department_x'.
Notebook 'note1' has a Reader Role assignment for 'department_a' or 'acme_employees'.
Then access must be granted for 'bob' on 'note1'.
In AD enviroments this scenarios can be efficiently implemented using the so called LDAP_MATCHING_RULE_IN_CHAIN operator '1.2.840.113518.104.22.1681'.