[LDAP] Add flag to disable search nested groups (ydb-platform#8354)

ydb/core/protos/auth.proto

@@ -105,6 +105,10 @@ message TLdapAuthentication {
         optional TCertRequire CertRequire = 3 [default = DEMAND];
     }
 
+    message TExtendedSettings {
+        optional bool EnableNestedGroupsSearch = 1 [default = false];
+    }
+
     optional string Host = 1; // DEPRECATED: Use Hosts instead it
     optional uint32 Port = 2;
     optional string BaseDn = 3;
@@ -116,4 +120,5 @@ message TLdapAuthentication {
     optional string RequestedGroupAttribute = 9;
     repeated string Hosts = 10;
     optional string Scheme = 11 [default = "ldap"];
+    optional TExtendedSettings ExtendedSettings = 12;
 }

ydb/core/security/ldap_auth_provider/ldap_auth_provider.cpp

@@ -149,7 +149,8 @@ class TLdapAuthProvider : public NActors::TActorBootstrapped<TLdapAuthProvider>
             NKikimrLdap::BerFree(ber, 0);
         }
         std::vector<TString> allUserGroups;
-        if (!directUserGroups.empty()) {
+        auto& extendedSettings = Settings.GetExtendedSettings();
+        if (extendedSettings.GetEnableNestedGroupsSearch() && !directUserGroups.empty()) {
             // Active Directory has special matching rule to fetch nested groups in one request it is MatchingRuleInChain
             // We don`t know what is ldap server. Is it Active Directory or OpenLdap or other server?
             // If using MatchingRuleInChain return empty list of groups it means that ldap server isn`t Active Directory
@@ -159,6 +160,8 @@ class TLdapAuthProvider : public NActors::TActorBootstrapped<TLdapAuthProvider>
                 allUserGroups = std::move(directUserGroups);
                 GetNestedGroups(ld, &allUserGroups);
             }
+        } else {
+            allUserGroups = std::move(directUserGroups);
         }
         NKikimrLdap::MsgFree(entry);
         NKikimrLdap::Unbind(ld);