In too many organizations, AD is too large and login takes too long. The bulk of this time is spent on looking up group memberships.

We should do more aggressive caching of the memberships to cut down this cost. In particular, we should cache the map from DN of group/user to its memberOf attributes.

We can have a long cache retention value (say 24hrs?) to improve the out of the box experience.

Where this hurts is when a group membership changes. Possible mitigations are:

• Let the user login immediately, but uses that loging credential in the background to recompute membership asynchronously. When the result is available, update the group list after the fact.
• Expose a method for Groovy script to purge the cache
• Have a system property to control the cache timeout