Although FromUserRecordLDAPGroupMembershipStrategy is configured, Jenkins still populates authorities by using group search (with the default pattern)


To reproduce:

• configure Jenkins with LDAP security
• check "Group membership: Parse user attribute for list of groups"
• this will lead to the following entry in config.xml:
  <groupMembershipStrategy class="jenkins.security.plugins.ldap.FromUserRecordLDAPGroupMembershipStrategy"/>
• configure full logging for the org.acegisecurity package (all log levels)
• log in with an arbitrary (probably best new) user, let's call him HORST
• check the logs, you will see something like this:
  Searching for roles for user 'HORST', DN = 'cn=HORST,ou=KEVIN,ou=GUENTHER,dc=big,dc=expensive,dc=corporation,dc=com', with filter (| (member={0}) (uniqueMember={0}) (memberUid={1})) in search base 'OU=KEVIN,OU=GUENTHER'
• I.e. Jenkins is using the potentially very expensive default group filter on login, although the user configured to use memberOf instead.

The reason for this is this call here https://github.com/jenkinsci/ldap-plugin/blob/master/src/main/java/hudson/security/LDAPSecurityRealm.java#L1010:

super.getGroupMembershipRoles(userDn, username)

which in turn uses the configured groupSearchFilter in org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator.

This should probably instead call the code in FromUserRecordLDAPGroupMembershipStrategy.getGrantedAuthorities, like it is called here.

I would have created a pull request, but it is a bit beyond me how to access groupMembershipStrategy from AuthoritiesPopulatorImpl.

Assignee: Emilio Escobar
Reporter: Martin Sander
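The following is an added example, not code from the ldap-plugin or from the reporter, that turns the reproduction steps above into an offline check: it reads the groupMembershipStrategy class from a config.xml and scans org.acegisecurity debug output for the "Searching for roles for user" message, so an administrator can confirm on their own controller whether group search is still being run despite the memberOf strategy being selected. The config element and the log message text are taken from the report; the sample config and log lines are constructed here, and the single-line log layout, the `audit` function and the "default filter" comparison are this example's own assumptions.

```python
"""Detect the symptom from the report: config.xml selects
FromUserRecordLDAPGroupMembershipStrategy, yet the org.acegisecurity
debug log still shows a group-search query on login.
Added example; not part of the ldap-plugin. The log layout below is an
assumption, the message text is copied from the report."""
import re
import xml.etree.ElementTree as ET

FROM_USER_RECORD = "jenkins.security.plugins.ldap.FromUserRecordLDAPGroupMembershipStrategy"

# Whitespace-normalised form of the filter quoted in the report's log line,
# which the report identifies as the plugin's default group search filter.
DEFAULT_GROUP_FILTER = "(|(member={0})(uniqueMember={0})(memberUid={1}))"

# Message text copied from the report's log excerpt; the named groups pull out
# user, DN, filter and search base.
GROUP_SEARCH_RE = re.compile(
    r"Searching for roles for user '(?P<user>[^']*)', DN = '(?P<dn>[^']*)', "
    r"with filter (?P<filter>.+?) in search base '(?P<base>[^']*)'"
)

# Constructed config.xml fragment carrying the element the report quotes.
SAMPLE_CONFIG_XML = """<hudson>
  <securityRealm class="hudson.security.LDAPSecurityRealm">
    <groupMembershipStrategy class="jenkins.security.plugins.ldap.FromUserRecordLDAPGroupMembershipStrategy"/>
  </securityRealm>
</hudson>
"""

# Constructed log lines (single-line layout is an assumption): the middle one
# is the message quoted in the report, the others are unrelated noise.
SAMPLE_LOG_LINES = [
    "FINE: Retrieving user 'HORST'",
    "FINE: Searching for roles for user 'HORST', DN = 'cn=HORST,ou=KEVIN,ou=GUENTHER,"
    "dc=big,dc=expensive,dc=corporation,dc=com', with filter "
    "(| (member={0}) (uniqueMember={0}) (memberUid={1})) in search base 'OU=KEVIN,OU=GUENTHER'",
    "INFO: HORST logged in",
]


def configured_strategy(config_xml: str):
    """Return the class attribute of <groupMembershipStrategy>, or None if absent."""
    root = ET.fromstring(config_xml)
    node = root.find(".//securityRealm/groupMembershipStrategy")
    return None if node is None else node.get("class")


def normalise_filter(ldap_filter: str) -> str:
    """Strip all whitespace so filters can be compared regardless of spacing."""
    return re.sub(r"\s+", "", ldap_filter)


def find_group_searches(lines):
    """Extract every group-search log entry as a dict of its captured fields."""
    hits = []
    for line in lines:
        m = GROUP_SEARCH_RE.search(line)
        if m:
            hit = m.groupdict()
            hit["default_filter"] = normalise_filter(hit["filter"]) == DEFAULT_GROUP_FILTER
            hits.append(hit)
    return hits


def audit(config_xml, log_lines):
    """Return the group-search entries that contradict the configured strategy.

    An empty list means either no group search was logged, or the realm is not
    configured for the user-record (memberOf) strategy, so a search is expected."""
    if configured_strategy(config_xml) != FROM_USER_RECORD:
        return []
    return find_group_searches(log_lines)


if __name__ == "__main__":
    for hit in audit(SAMPLE_CONFIG_XML, SAMPLE_LOG_LINES):
        print(f"unexpected group search: user={hit['user']} base={hit['base']} "
              f"default_filter={hit['default_filter']}")
```

On a real controller, replace the two constants with the contents of $JENKINS_HOME/config.xml and the lines of the log recorder you configured for org.acegisecurity; any hit returned by `audit` is the behaviour this report describes, and `default_filter` tells you whether it is the stock (| (member={0}) (uniqueMember={0}) (memberUid={1})) filter or a custom groupSearchFilter.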