One thing to watch when using software tunnels is that there was (is still?) a bug in the LDAP protocol library underneath the server where, if packets are fragmented in strange and unnatural ways, the server just won't work properly (it fails to decode the LDAP PDU header properly). This happens, for example, if the tunnel software ends up sending only a few bytes of the beginning of a PDU as a TCP segment. Basically, you can send perfectly correct LDAP, but if it is fragmented in just the wrong way, the server will not decode it correctly. I'm not sure if this is a real issue any longer, but thought it worth mentioning.
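The failure mode described above is a receiver that assumes the BER tag and length octets of an LDAPMessage all arrive in the same TCP segment. The following is an added example (it is not code from the post or from any LDAP server) that contrasts such a decoder with a reassembler that buffers until a full header and body are present, whatever the segment boundaries. The sample BindRequest bytes and the 256-octet "large PDU" are constructed for the example; only the outer SEQUENCE TLV matters to the reassembler.

```python
"""Reassembling LDAP PDUs from arbitrarily split TCP segments (added example).

An LDAPMessage is a BER SEQUENCE: tag 0x30, then one or more length octets,
then exactly that many content octets (RFC 4511 permits only definite-form
lengths). A correct receiver therefore needs the whole length field before it
can know how much more to read. `decodes_naively` models a decoder that gives
up if the first segment does not already contain the full header;
`PduReassembler` keeps buffering across segments instead.
"""


def _parse_ber_header(buf: bytes):
    """Return (header_len, content_len), or None if more octets are needed.

    Handles the single-octet 0x30 tag and definite-form lengths, which is
    everything LDAP allows on the wire.
    """
    if len(buf) < 2:
        return None                      # tag or first length octet not here yet
    if buf[0] != 0x30:
        raise ValueError("expected LDAPMessage SEQUENCE tag 0x30")
    first = buf[1]
    if first < 0x80:
        return 2, first                  # short form: one length octet
    n = first & 0x7F                     # long form: n further length octets
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized BER length not allowed in LDAP")
    if len(buf) < 2 + n:
        return None                      # length field itself is split across segments
    return 2 + n, int.from_bytes(buf[2:2 + n], "big")


class PduReassembler:
    """Accumulates TCP segments and yields complete PDUs, independent of framing."""

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, segment: bytes) -> list[bytes]:
        """Append one segment; return every PDU that is now complete (possibly none)."""
        self._buf += segment
        pdus: list[bytes] = []
        while True:
            hdr = _parse_ber_header(bytes(self._buf))
            if hdr is None:
                break                    # need more octets for the header
            hlen, clen = hdr
            total = hlen + clen
            if len(self._buf) < total:
                break                    # need more octets for the body
            pdus.append(bytes(self._buf[:total]))
            del self._buf[:total]        # several PDUs may share one segment
        return pdus


def decodes_naively(first_segment: bytes) -> bool:
    """Models a decoder that insists the whole header be in the first segment."""
    return _parse_ber_header(first_segment) is not None


def reassemble(data: bytes, sizes: list[int]) -> list[bytes]:
    """Split `data` into segments of the given sizes (remainder last) and reassemble."""
    r = PduReassembler()
    out: list[bytes] = []
    pos = 0
    for s in sizes:
        out += r.feed(data[pos:pos + s])
        pos += s
    out += r.feed(data[pos:])
    return out


# Constructed sample: BindRequest, messageID 1, LDAPv3, empty DN, empty simple auth.
# 30 0c | 02 01 01 | 60 07 02 01 03 04 00 80 00
SAMPLE_PDU = bytes.fromhex("300c020101600702010304008000")

# Constructed stand-in for a large PDU: long-form length (0x82 01 00 = 256 octets),
# so the header is 4 octets and can itself be cut by a 3-octet first segment.
LONG_PDU = bytes.fromhex("30820100") + bytes(range(256))


if __name__ == "__main__":
    print("header split into 1-byte segments:", reassemble(SAMPLE_PDU, [1, 1, 1]) == [SAMPLE_PDU])
    print("naive decoder on a 1-byte first segment:", decodes_naively(SAMPLE_PDU[:1]))
    print("naive decoder on a 3-byte first segment of a long-form PDU:", decodes_naively(LONG_PDU[:3]))
```

The reassembler is the behaviour to expect from a server or proxy in front of one: it should never depend on how a tunnel, NAT device, or congestion control chose to cut the stream. A quick way to check a deployment for this class of problem is to bind through a tunnel that produces small segments and confirm the server still answers.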