Currently Crowd makes a query for all the attributes on a given entity: role, group or user. This results in a very large dataset being returned for all searches, regardless of purpose.

At a minimum, we should only request attributes which are used by Crowd: the name, description and member attributes for groups and roles, and all the mapped attributes for users.

Even better would be to retrieve only the membership attributes when searching for memberships, only the group attributes when looking up groups, and so on.

The minimum requirement is quite easy to implement, and I'll attach a simple (completely untested) patch that I'd like to see tested in the future. The second option would be harder, requiring some redesign of the SpringLDAPConnector, which currently has only has one place where SearchControls objects are constructed for all LDAP searches.