As part of the group sync, the LDAP module loads LDAP groups and recursively loads any member entry to get sub-members.
For each member of a group there are 3 cases:
1/ The member is a group it's members will be loaded
2/ The member is a user and the user should be added but nothing more
3/ The member is nothing like that and could be an "LDAP query" representing more users and should be tried as a filter
In the current implementation (tested on 5.4.7), even in the case 2/ the case 3/ will be tried although the member was successfully loaded as a user. This should not be the case.
I could not provide a patch because the way the code is written significant refactoring is needed. In the use case I had, it was either to remove step 3/ Altogether as I don't needed it in my case. It would be good to have an option to drop step 3/ as it might not be needed in many cases and can generate extra queries.