Add Support for AD/LDAP Token Groups
This is a request to add support for the Token Groups LDAP attribute included in Active Directory’s LDAP implementation:
https://docs.microsoft.com/en-us/windows/win32/adschema/a-tokengroups
Currently Atlas/Mongo only supports looking up group membership from queries against the user object in LDAP (typically by reading the "memberOf" attribute). That attribute lists only direct memberships; it does not include groups of which the user is a member through nesting (being in a group that is itself a member of another group). A recursive filter can be added to the user group lookup (in AD, the LDAP_MATCHING_RULE_IN_CHAIN matching rule, OID 1.2.840.113556.1.4.1941, on the "member" attribute) to find all groups transitively, however, that approach has the following problems:
- Recursive lookups are slow
- Recursive lookups include non-security groups (such as email distribution groups)
tokenGroups is a constructed (server-computed) LDAP attribute exposed on AD user and computer objects, not on group objects. It is built server-side from the same membership expansion AD performs when it creates a logon token, so it is fast and it only contains security groups. However, tokenGroups cannot simply be requested in an ordinary subtree search or used in an LDAP filter: it is only returned by a base-scope search whose base DN is the user object itself, and it must be requested explicitly in the attribute list. Its value is a multi-valued list of binary SIDs (one per group), which then have to be mapped back to group objects, for example with a second search on objectSid.
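The two-step lookup described above, as an added example that is not part of this request or of MongoDB/Atlas code: a base-scope search on the user DN that requests tokenGroups, then a search on objectSid to turn the returned binary SIDs into group objects. The SID encoding (MS-DTYP binary SID) and the RFC 4515 escaping of binary filter values are exercised offline on a constructed sample; the `resolve_token_groups` function uses the ldap3 library against a live server and is an assumption about that library's API (a connection object with `search` and `response`), not something the page specifies. The domain SID and DNs in the sample are made up.

```python
"""Retrieve a user's tokenGroups and resolve the SIDs to group objects (added example)."""
import struct
from typing import Iterable, List


def sid_bytes_to_string(raw: bytes) -> str:
    """Decode an AD binary SID: revision (1 byte), sub-authority count (1 byte),
    48-bit identifier authority (big-endian), then 32-bit little-endian sub-authorities."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string; used here to build the constructed sample."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def ldap_escape_bytes(raw: bytes) -> str:
    """RFC 4515 escaping of a binary assertion value: every byte as \\xx."""
    return "".join("\\%02x" % b for b in raw)


def group_lookup_filter(sids: Iterable[bytes]) -> str:
    """Filter that finds the group objects for a set of raw SIDs in one search.
    Binary values must be escaped byte-by-byte; a SID cannot be matched as text."""
    clauses = "".join("(objectSid=%s)" % ldap_escape_bytes(s) for s in sids)
    return "(&(objectClass=group)(|%s))" % clauses


def token_groups_search(user_dn: str) -> dict:
    """The search that actually retrieves tokenGroups: base scope on the user's
    own DN, a match-anything filter, and the attribute requested explicitly.
    A subtree search, or a filter on tokenGroups, returns nothing."""
    return {"search_base": user_dn, "search_scope": "BASE",
            "search_filter": "(objectClass=*)", "attributes": ["tokenGroups"]}


def resolve_token_groups(conn, user_dn: str, domain_base: str) -> List[str]:
    """Two round trips against a live AD using ldap3 (assumed installed; not run
    offline). Returns the DNs of the user's effective security groups, nesting included."""
    import ldap3  # imported lazily so the offline helpers need no dependency
    p = token_groups_search(user_dn)
    conn.search(p["search_base"], p["search_filter"], search_scope=ldap3.BASE,
                attributes=p["attributes"])
    if not conn.response:
        return []
    raw_sids = conn.response[0]["raw_attributes"].get("tokenGroups", [])
    if not raw_sids:
        return []
    conn.search(domain_base, group_lookup_filter(raw_sids),
                search_scope=ldap3.SUBTREE, attributes=["distinguishedName"])
    return [e["dn"] for e in conn.response if e.get("type") == "searchResEntry"]


# Constructed sample of what an AD server returns in tokenGroups (binary values).
# The domain SID is invented; 513 is Domain Users, S-1-5-32-545 is BUILTIN\Users.
DOMAIN_USERS = "S-1-5-21-1004336348-1177238915-682003330-513"
SAMPLE_TOKEN_GROUPS = [sid_string_to_bytes(s) for s in (
    DOMAIN_USERS,
    "S-1-5-21-1004336348-1177238915-682003330-1105",
    "S-1-5-32-545",
)]

if __name__ == "__main__":
    print(token_groups_search("CN=alice,OU=Users,DC=corp,DC=example"))
    for raw in SAMPLE_TOKEN_GROUPS:
        print(sid_bytes_to_string(raw))
    print(group_lookup_filter(SAMPLE_TOKEN_GROUPS))
```

If a user belongs to hundreds of groups, split the objectSid OR-filter into batches rather than sending one very long filter; and note that well-known or foreign-domain SIDs in the list simply match no group object under the searched base, so the second search silently drops them.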
If you are interested in a code example of how to implement tokenGroups lookups, the "Active Directory" plugin for Jenkins implements this feature.