Resolution:
After a user binds to an LDAP server successfully, EMS searches for groups the user is a member of. If the user belongs to a large number groups, group results returned from the LDAP server will be very large. You can limit the group results or return the user in specific LDAP group by the following:

- Configure smaller scope of ldap_group_base_dn
- Configure "ldap_static_group_member_filte" in tibemsd.conf.  For example,

ldap_static_group_member_filter = (&(cn=test*)(member=%s))

%s is the holder of the user DN.

Search sent to LDAP server is the following:

ldap_search_ext_s(0000000004C64480, "DC=ad,DC=for,DC=messaging,DC=support", LDAP_SCOPE_SUBTREE, "(&(cn=test*)(member=CN=testuser,CN=Users,DC=ad,DC=for,DC=messaging,DC=support))", [cn, member, NULL], 0, [NULL], [NULL], 0)

Search result only includes groups which have the name pattern as "test*" (i.e test1, test2) and have member "testuser".