When a group has lots of non-subgroup users in it, the default AuthLDAPSubGroupAttribute will not screen out these users and mod_ldap will do an ldap_compare to check if each user is of class AuthLDAPSubGroupClass to determine if it's a subgroup. This causes a large flat group to generate many compares / take a long time if we check them for subgroups. Meanwhile. AuthLDAPGroupAttribute makes us iterate through different attributes, but we don't check all the attributes for a flat-group match before trying subgroups.
This has been fixed with r1231255, r1231257 for trunk and with r1374256 for 2.4.x. It is part of the release 2.4.3. Keeping issue open for others to decide whether a backport for 2.2 is recommended.
no nested groups in 2.2