RFE: Support for AD Token Groups

Please add Token Group support to Nexus:

Currently Nexus only supports looking up group membership by querying the user object in LDAP (typically by reading its “memberOf” attribute). That attribute does not include groups to which the user belongs only through nesting (being a member of a group that is itself a member of another group). A recursive LDAP filter can be added to the user group lookup to find all such groups; however, that approach has the following problems:

  • Recursive lookups are slow
  • Recursive lookups include non-security groups (such as email distribution groups)

TokenGroups is a virtual LDAP attribute found on AD groups (not users) that is server-side optimized and only includes security groups. However, the TokenGroups attribute cannot simply be queried with an LDAP filter: it can only be retrieved from a base-level search, and it returns a list (LDAP array) of SIDs in binary form.
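As an added illustration (not code from Nexus or from the Jenkins plugin), the base-scope read and binary SID decoding described above, run against a constructed in-memory directory; it assumes the search is issued against the authenticated user's own DN and that the LDAP client hands back tokenGroups values as raw bytes.

```python
import struct
from typing import Callable, List

# Shape of the injected search callable: (base_dn, scope, filter, attrs) -> [(dn, {attr: [bytes]})]
SearchFn = Callable[[str, str, str, List[str]], List[tuple]]


def sid_bytes_to_string(raw: bytes) -> str:
    """Decode a binary Windows SID (as returned in tokenGroups) into S-R-A-... form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, sub_count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")          # 48-bit identifier authority, big-endian
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    subs = struct.unpack("<%dI" % sub_count, raw[8:])    # sub-authorities are little-endian uint32
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of the above; used here only to build constructed sample data."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return bytes([revision, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def token_group_sids(search: SearchFn, user_dn: str) -> List[str]:
    """Read tokenGroups with a BASE-scope search on the user's own entry and decode every SID."""
    results = search(user_dn, "BASE", "(objectClass=*)", ["tokenGroups"])
    if not results:
        return []
    _dn, attrs = results[0]
    return sorted(sid_bytes_to_string(v) for v in attrs.get("tokenGroups", []))


# Constructed sample directory (not a real server). tokenGroups already carries the group
# reached only via nesting, and contains no distribution list, since only security groups appear.
DOMAIN = "S-1-5-21-1111-2222-3333"
FAKE_DIRECTORY = {
    "CN=alice,OU=Users,DC=example,DC=test": {
        "tokenGroups": [sid_string_to_bytes(DOMAIN + "-513"),   # Domain Users (direct member)
                        sid_string_to_bytes(DOMAIN + "-1105"),  # hypothetical group reached via nesting
                        sid_string_to_bytes("S-1-5-32-545")],   # BUILTIN\Users
        "memberOf": [b"CN=nexus-devs,OU=Groups,DC=example,DC=test"],
    }
}


def fake_search(base_dn, scope, ldap_filter, attrs):
    """Stand-in LDAP client: honours BASE scope only, mirroring that tokenGroups is not
    returned by filtered subtree searches."""
    if scope != "BASE" or base_dn not in FAKE_DIRECTORY:
        return []
    entry = FAKE_DIRECTORY[base_dn]
    return [(base_dn, {a: entry[a] for a in attrs if a in entry})]
```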

If you are interested in code examples of how to implement Token Groups, the “Active Directory” plugin for Jenkins implements this feature.