I was trying to optimise the LDAP query for a very large AD , found this query really cool for LDAP Auth:
(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=%USERNAME%))
It searches only for user accounts which are not disabled…goes much better with directories which are big (>1000 objects).