We archive inactive entries by removing them from the "active" part of
the DIT and then recreating them in an "inactive" branch, where
permissioning prevents all but a few administrative apps from seeing
them. This allows us to prevent further use of the account while at the
same time preserving information that might be helpful in an audit. If a
user becomes active again (e.g. where an employee is rehired), we simply
restore their entry to the active part of the tree.
The two problems with this approach are accidental creation of duplicate
entries (like when an employee returns after having a name change) and
the fact that no off-the-shelf tool will do the archive/unarchive
operation for you. I handle the former by yelling at HR alot and the
latter by deploying some in-house created cgi scripts.
The problem with using an "inactive" flag is that every COTS vendor who
interfaces with LDAP has a different standard, and few are very
customizable. Entrenched homegrown apps pose the same issue.
Theoretically, the number of entries in a particular directory or
directory container shouldn't be an issue. Unfortunately, many
developers insist on treating LDAP like an RDMS, doing massive "data
mining" queries and invoking Server Side Sort to boot. As a result,
anything you can do to reduce the number of entries they can search
through helps.