I'm using ldap in conjunction with kerberos and samba to serve up 4000
accounts to windows and linux clients (about 250 computers in all). I can
say at this point that no, openldap will not scale up to 35000+ users.
I'm sure postfix would work okay, but openldap is a weak link.
I've found that the database is quite easily corrupted, as there's no
write-locking (at least that I can tell) on the database, so if you use
pam_ldap to change passwords, there is a possibility for corruption. I
use special scripts that feed into a serializing postgreSQL table to make
sure that writes are only done by one process. I'm sure this can be
remedied, but I haven't looked much into it. (You could use SQL as a
backend for ldap, but there are some downsides to this.) I stop my
openldap server (I only have one at the moment) and dump out the database
in text ldif form every night for backup purposes. (CVS can work with
this, but 35000 entries would be a challenge -- a binary backup of
/var/ldap would be in order.)
I've also been having significant problems with openldap (I'm using 2.0.16
or 17) leaking file handles until it can't operate anymore. I solve this
by restarting ldap several times a day. Definitely not what you'd want in
your environment. I've not followed this list too closely; maybe it's
been addressed and fixed by now. (The same problem existed in 1.2.x some
time ago, I learned from google.com.)
I've not got ldap replication set up but I've heard it's problematic.
You'd definitely need several servers for load-balancing (slapd can get
quite demanding) and reliability.
On the positive side, it's quite adequate for our mixed environment. It's
no doubt at least as stable as microsoft's active directory! From the
traffic on this list, it's clear that work is progressing and these
problems will be worked out sooner or later.
That's my experience thus far.
cheers,
Michael
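The post above mentions feeding password changes through a serializing PostgreSQL table so that only one process writes to the directory at a time. The following is an added illustration of that same idea, not Michael's scripts and not anything from OpenLDAP: it serializes read-modify-write operations with a POSIX advisory file lock (fcntl.flock) instead of a database table, and the "directory" it protects is a constructed JSON file rather than a real LDAP backend. The file paths, the entry layout and the hash strings are all assumptions made for the demo.

```python
"""Serialize write operations to a shared store through one exclusive lock.

Added example: a file lock (fcntl.flock) stands in for the poster's
"serializing PostgreSQL table". The backing store is a constructed JSON
file, not an LDAP database; paths and values are assumptions for the demo.
"""
import fcntl
import json
import os
import tempfile
import threading


def serialized_write(lock_path, operation):
    """Run operation() while holding an exclusive lock on lock_path.

    Every writer (another process, or a thread using its own descriptor)
    that calls this with the same lock_path blocks until the previous
    writer has released the lock, so only one writer touches the store.
    """
    with open(lock_path, "a+") as lock_fh:
        fcntl.flock(lock_fh, fcntl.LOCK_EX)
        try:
            return operation()
        finally:
            fcntl.flock(lock_fh, fcntl.LOCK_UN)


def lock_is_held(lock_path):
    """True if some other descriptor currently holds the exclusive lock."""
    with open(lock_path, "a+") as probe:
        try:
            fcntl.flock(probe, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except BlockingIOError:
            return True
        fcntl.flock(probe, fcntl.LOCK_UN)
        return False


def change_password(store_path, lock_path, uid, new_hash):
    """Read-modify-write of one entry, serialized under the lock.

    Without the lock, two concurrent callers would both read the same
    snapshot and the second write would silently discard the first change.
    """
    def op():
        with open(store_path) as fh:
            entries = json.load(fh)
        entries[uid]["userPassword"] = new_hash
        # Write to a temp file and rename, so a crash mid-write never
        # leaves a half-written store behind (os.replace is atomic).
        tmp = store_path + ".tmp"
        with open(tmp, "w") as fh:
            json.dump(entries, fh)
        os.replace(tmp, store_path)
        return entries[uid]["userPassword"]
    return serialized_write(lock_path, op)


def concurrent_demo(n_workers=20):
    """n_workers threads each change a different user's password at once.

    Returns how many entries ended up with the hash their thread wrote;
    with the lock in place every update survives.
    """
    tmpdir = tempfile.mkdtemp()
    store = os.path.join(tmpdir, "directory.json")   # constructed store
    lock = os.path.join(tmpdir, "directory.lock")    # constructed lock file
    with open(store, "w") as fh:
        json.dump({f"user{i}": {"userPassword": "old"} for i in range(n_workers)}, fh)
    threads = [
        threading.Thread(target=change_password, args=(store, lock, f"user{i}", f"hash{i}"))
        for i in range(n_workers)
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    with open(store) as fh:
        final = json.load(fh)
    return sum(1 for i in range(n_workers) if final[f"user{i}"]["userPassword"] == f"hash{i}")


def lock_probe_demo():
    """Show the lock being observed: (before holding, while held, after release)."""
    lock = os.path.join(tempfile.mkdtemp(), "probe.lock")
    before = lock_is_held(lock)
    holder = open(lock, "a+")
    fcntl.flock(holder, fcntl.LOCK_EX)
    during = lock_is_held(lock)
    holder.close()  # closing the descriptor releases the flock
    after = lock_is_held(lock)
    return (before, during, after)


if __name__ == "__main__":
    print("entries updated correctly:", concurrent_demo())
    print("lock visible (before, during, after):", lock_probe_demo())
```

The lock only helps if every path that writes to the store goes through it, which is the same discipline the post describes with its single-writer scripts: a password-changing tool that bypasses the serializer (pam_ldap writing straight to the directory, in the post's case) reintroduces the race.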