The REST API to list users /security/users is documented to return no more than 100 users at a time for anything other than the 'default' realm ( user-source ).
The criteria is set in code here.
However when the source=LDAP and there are more than one LDAP servers configured, then the actual limit is 100 users per LDAP server queried.
So the general contract currently implemented is
if user source not set
- then return max 100 users for each realm (user-source) and for LDAP source, max 100 per defined LDAP server
else if source is LDAP
- max 100 per defined LDAP server
else if other source
- max 100 users
Any limits we impose on the REST API should be documented and enforced correctly on realms we maintain.
The javadoc for UserSearchCriteria public API getLimit() should document how to impose the limit for custom realms/user sources third parties may implement. Currently there is none there.