Ouch! Fortunately we're already keen on limiting the number of records returned because we don't want to make it too easy for spammers to suck up all our email addresses.
The primary reason for the old OpenLDAP system was to provide an employee email directory (~5000 records). The new system will be used for that purpose also, but primarily for authentication purposes (20K records storing about 10 times more data than before).
Thanks for the references. I already have the O'Reilly book but wouldn't have thought to peruse it for LDAP info.