I was arguing "passwords visible", not general security challenges (as SSL certs are). And the Linux LDAP client has been kerberized since forever. Even Linux services (including telnet - lol) have been kerberized since RHEL5.
So, yeah, LDAP is more secure with Kerberos, obviously. And that's how everyone is "doing it". Including Windows AD (that includes distributing a trusted cert, btw).