LDAP user limitation.
Dear all,
I wanted to implement OpenLDAP as my Primary Domain Controller (PDC) authentication. My query is, how many users can be added to that domain? I found somewhere that I cannot allocate more than 1500 users in a single PDC. Is it true? I believe I will get a clear reply from you guys about the user limitation. Thanks in advance.
Responses
That sounds like a legacy Microsoft Windows NT4 and 2000 AD Best Common Practice (BCP), and nothing to do with OpenLDAP.
Back before AD came out, the Netscape iPlanet lineage (aka RHDS/389) could do tens of thousands of user objects, easily. I know OpenLDAP has been used for such as well. They are based on the same Michigan LDAPv3 code as AD as well.
However, the NTdom/AD functionality has many other RPC operations that cause most other exchange and issues though. That's where the limits come from, regardless of implementation.
Also understand OpenLDAP is *NOT* a PDC/AD replacement. That is also the case with even RHDS (or Fedora's 389), let alone Enterprise Identity Management in EL6.1 (or FreeIPA 2.x) -- all based on the iPlanet lineage.
The only "direct replacement" for AD is Samba4. However, one can set up Samba as a legacy NTuser domain (NT4-style) PDC, with or without LDAP, and even support the Kerberos SSPI with Kerberos and LDAP as a limited store. But it's still not a full AD replacement as I understand it.
I don't know what the current argument of Samba4 v. Samba3+OpenLDAP setups is, though. That should be explored. I know several people who are enjoying Samba4 as a PDC replacement without absolutely full AD functionality, and prefer it instead of the prior, manual Samba3+OpenLDAP setup.
I.e., as I understand it, Samba4 at least does it "as good" as the Samba3+OpenLDAP. But I don't have the experience to make a hard recommendation.
-- Bryan
P.S. Samba4 (for Windows client) with password sync to EntID/IPA (for UNIX/Linux clients) is a powerful, enterprise solution with multi-master replication and Kerberos on both ends.
Dear Bryan Smith,
Thanks for sharing your wonderful thoughts. Can you guide me? I want to integrate RHDS with Samba as a PDC, but I am not finding a good tutorial. If you could lend a hand, it would be very helpful to me.
samba pdc with RHDS backend
https://access.redhat.com/knowledge/solutions/39740
How do I configure a Samba PDC in Red Hat Enterprise Linux 5?
https://access.redhat.com/knowledge/node/10069
Setting up a Samba PDC with an LDAP backend
https://access.redhat.com/knowledge/solutions/53839
