
Seek alternative to Active Directory recursive filter search

Zendesk issue: https://gitlab.zendesk.com/agent/tickets/23086

The LDAP_MATCHING_RULE_IN_CHAIN filter we use to resolve AD subgroups can be really intense. We had a customer report that setting active_directory: false in configuration reduced sync time from 144 seconds to 2 seconds on a test machine. They reported the problem because in production the sync was taking 900 seconds and was pegging the AD server's CPU and triggering operations alerts.

Is there a more efficient way to get recursive membership?

cc/ @jacobvosmaer-gitlab
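
For reference, the two ways of resolving nested AD groups that this issue weighs against each other, as an added example that is not GitLab's code: the single server-side in-chain filter, and a client-side breadth-first walk that issues one plain query per group. `expand_members`, `direct_members`, `LOOKUP` and the sample DNs are hypothetical and constructed; whether the client-side form is actually cheaper has to be measured against the real directory.

```ruby
require 'set'

# OID of Active Directory's LDAP_MATCHING_RULE_IN_CHAIN extensible match.
IN_CHAIN_OID = '1.2.840.113556.1.4.1941'

# Escape filter metacharacters (RFC 4515) so a DN cannot alter the filter.
def escape_filter(value)
  value.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# Server-side form: one query, the AD server walks the nesting itself.
def in_chain_filter(group_dn)
  "(memberOf:#{IN_CHAIN_OID}:=#{escape_filter(group_dn)})"
end

# Client-side form: one plain (memberOf=<dn>) query per group, following
# nested groups breadth-first. `direct_members` is a hypothetical callable
# returning [{ dn:, group: }] for the direct members of one group.
def expand_members(root_dn, direct_members)
  seen = Set[root_dn.downcase] # guards against circular nesting
  users = Set.new
  queue = [root_dn]
  queries = 0
  until queue.empty?
    queries += 1
    direct_members.call(queue.shift).each do |m|
      if !m[:group]
        users << m[:dn]
      elsif seen.add?(m[:dn].downcase)
        queue << m[:dn]
      end
    end
  end
  { users: users.to_a.sort, queries: queries }
end

# Constructed sample directory (group DN => direct member DNs), with a cycle.
BASE = 'DC=example,DC=com'
DIRECTORY = {
  "CN=Devs,#{BASE}"    => ["CN=alice,#{BASE}", "CN=Backend,#{BASE}"],
  "CN=Backend,#{BASE}" => ["CN=bob,#{BASE}", "CN=Devs,#{BASE}", "CN=Empty,#{BASE}"],
  "CN=Empty,#{BASE}"   => []
}.freeze
LOOKUP = lambda do |dn|
  DIRECTORY.fetch(dn, []).map { |m| { dn: m, group: DIRECTORY.key?(m) } }
end

if __FILE__ == $PROGRAM_NAME
  puts in_chain_filter("CN=Devs,#{BASE}")
  p expand_members("CN=Devs,#{BASE}", LOOKUP)
end
```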