An LDAP server with (lets say) 1000 users in a group.
When authentication, a query is done to retrieve the groups for the user.

Most LDAP servers will limit the attributes send back based on authorization of the user, but can be configured to return all information.

The cause is:

/ Query for roles matching the role filter
SearchControls constraints = new SearchControls();
constraints.setSearchScope(searchScope);
constraints.setTimeLimit(searchTimeLimit);
rolesSearch(ctx, constraints, username, userDN, recursion, 0);

this used to also have:
constraints.setReturningAttributes(new String[0]);
at some time this was taken out.

It needs to go back in