
It has to be public (or at least not too locked down) or things like Address Book in Outlook would stop working. Lots of weird things depend on the LDAP tree being broadly accessible. It's just that it leaks more information than most people think.


Still, it's a tool made for another era. It would be sufficient to let it return one search result at a time, or complete specified group aliases, in order to work for groupware clients. Applications mostly need to authenticate a specific user.

The ability to walk the tree is something else. Just like we don't allow zone transfers for DNS anymore, there should have been similar best practice changes to LDAP if people just gave it some love.



