diff --git a/doc/integration/ldap.md b/doc/integration/ldap.md index fa8a51ec4cb99861064e48b347593ecc4028ed69..606b426e98e909078b7d065a59204216a5f3053e 100644 --- a/doc/integration/ldap.md +++ b/doc/integration/ldap.md @@ -359,3 +359,24 @@ Here, `sync_time` is set to `1800` seconds, meaning the LDAP cache will expire e For manual GitLab installations, simply uncomment the `sync_time` entry in your `gitlab.yml` and set it to the value you desire. Please note that changing the LDAP sync time can influence the performance of your GitLab instance. + +## What sort of queries can my LDAP server expect from GitLab EE? + +Active GitLab users trigger 'permission updates' by signing in or +interacting with GitLab, and in addtion all GitLab users (active or not) get a +permission update during the daily sweep. The number of permission updates per +day depends on how many of your GitLab users are active and on how many +LDAP-enabled GitLab users exist in your GitLab SQL database. + +During a 'permission update' for a user, GitLab does 1-2 queries for the +specific user, and 1 queries for each LDAP group known to GitLab. GitLab +fetches all available attributes of LDAP user and group objects on most +queries. If you use Active Directory, GitLab performs additional +'extensibleMatch' queries to check for nested group membership and whether the +user is blocked, one of each per user and group. + +Note that usually not all user and group objects in an organization's LDAP tree +will be known to GitLab. GitLab only queries LDAP user objects corresponding to +users who use or have used GitLab. Similarly, GitLab only queries LDAP group +objects that have been (manually) linked to a GitLab group by a GitLab user or +administrator. diff --git a/lib/gitlab/ldap/access.rb b/lib/gitlab/ldap/access.rb index 672b6ce86d3d062329a24704fc280786084d57d0..e66e4f597cdee8b1af2da774ea730918b949ba0a 100644 --- a/lib/gitlab/ldap/access.rb +++ b/lib/gitlab/ldap/access.rb 
@@ -108,7 +108,7 @@ module Gitlab ldap_email = ldap_user.email.last.to_s.downcase return false if user.email == ldap_email - + user.skip_reconfirmation! user.update(email: ldap_email) end @@ -131,6 +131,10 @@ module Gitlab end # Loop throug all ldap conneted groups, and update the users link with it + # + # We documented what sort of queries an LDAP server can expect from + # GitLab EE in doc/integration/ldap.md. Please remember to update that + # documentation if you change the algorithm below. def update_ldap_group_links gitlab_groups_with_ldap_link.each do |group| active_group_links = group.ldap_group_links.where(cn: cns_with_access)
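Review bot: In the doc/integration/ldap.md hunk, two wording slips in the new section: "in addtion" should read "in addition", and "1 queries for each LDAP group" should read "1 query for each LDAP group". The last sentence of the second paragraph is also ambiguous for Active Directory: "one of each per user and group" can be read as one extensibleMatch query per user plus one per group, or as two per user and two per group; spell out which, since administrators will use these numbers to size their directory servers. It would help to state the resulting order of magnitude explicitly, e.g. that for N LDAP-enabled users and G linked groups the daily sweep alone issues roughly N * (2 + G) LDAP queries before the Active Directory extras, so the cost of linking many groups is obvious.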
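Review bot: In the lib/gitlab/ldap/access.rb hunk at line 108, adding `user.skip_reconfirmation!` before `user.update(email: ldap_email)` means an email change delivered by the directory is applied without the user confirming the new address, so the LDAP `mail` attribute becomes the sole authority for an address that may be used for password recovery and notifications. That is defensible when LDAP is the identity source of record, but the rationale should be recorded in a code comment next to the call, and the change should be logged (old and new address, user id) so an unexpected rewrite by a compromised or misconfigured directory is visible in the audit trail. Note also that `ldap_user.email.last.to_s.downcase` yields an empty string when the attribute is absent; the early `return false if user.email == ldap_email` does not cover that case, so make sure the return value of `user.update` is checked by the caller rather than assumed to be true.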
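Review bot: In the lib/gitlab/ldap/access.rb hunk at line 131, the new comment is placed directly under the existing line "# Loop throug all ldap conneted groups, and update the users link with it", which has two typos ("throug", "conneted"); since this change touches that comment block, fix them here. A comment asking future editors to keep doc/integration/ldap.md in sync is easy to miss; consider backing it with a spec that counts LDAP adapter calls per permission update for one user and one linked group, so a change to `update_ldap_group_links` that alters the query pattern fails a test instead of silently invalidating the documented numbers.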