We recently ran into problems when we started using Autodesk MatchMover2010. Starting this application from our Samba-server on an Windows XP client (member of an Samba controlled domain) takes forever! It turns out that starting this application causes the function get_memberuids() in passdb/pdb_interface.c to be called about 300 - 400 times (don't ask me why...), each call takes about 5 seconds (getting our entire LDAP user database from the LDAP-server and looping through all the entries).
Shouldn't all handling of users, groups, and so on, be done directly from LDAP when ldapsam is being used? In this particular case I imagine it would be A LOT faster to get all members of a group by searching the LDAP-database instead of making a detour through the "normal" user/group library calls.
That's exactly what ldapsam:trusted was designed to fix. You might give it a try, but be aware that this has more strict requirements on the records in LDAP (i.e. a root and a guest account have to exist in LDAP etc).
If that does not reduce the load, please re-open the bug.