This is on SSO 12.7 SP2 (RHEL 7.x), with AD 2012 as the user store.
The SMTrace log has several LDAP search queries related to "objectclass=*"; it's not reading the global search filters from the sm.registry file, as below. The Active Directory server team mentioned they saw queries that try to find 6 million+ entries. I would think it might be SiteMinder sending a broader query, "objectclass=*".
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\UserClassFilters=599500353
LDAP:= inetOrgPerson,organizationalPerson,person; REG_SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\GroupClassFilters=1022604861
LDAP:= groupOfNames,groupOfUniqueNames,group; REG_SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\OrgClassFilters=769973378
LDAP:= organization,organizationalUnit; REG_SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\ClassFilters=535339799
LDAP:= organization,organizationalUnit,groupOfNames,groupOfUniqueNames,group; REG_SZ
Both the "User Object" and "User Class" properties are BLANK in the user directory definition.
Any idea why SM defaults its search filter to "objectclass=*" and is not using the filters from the registry settings?