Most orgs put an OpenLDAP proxy in front of their AD server. AD has multiple known crash vulnerabilities in its protocol parser (fuzzing attacks can easily break it) and is too slow to handle the load generated from open internet access.
Howard, obviously no one is more of an OpenLDAP expert than you... You have users who expose OpenLDAP to the internet directly? I've got no qualms about OpenLDAP, it is amazing software, but that still seems insane.