
I need to support Mac clients who need to access a LDAP server to locate SMIME keys.

Since the keys are already in AD, and it's easy for me to create a RODC or read only forest where I push the certificates to, is it acceptable to expose unauthenticated LDAP and LDAPs to the internet?

One issue I can think of is an LDAP form of a directory harvest attack, where a spammer could determine which addresses are valid and which aren't.
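The directory-harvest concern raised above can at least be made visible in logs. The following is an added example, not part of the original question or answers, and it assumes a simplified, constructed log format (one line per LDAP search: timestamp, client address, bind type, search base, filter and result count) rather than any real directory server's log layout. It flags clients that look up many distinct `mail=` values in a short window and mostly get zero results, which is what address enumeration against a certificate directory looks like from the server side.

```python
"""Flag LDAP clients whose search pattern resembles a directory-harvest attack.

Added example; assumes a constructed log format (not a real server's):
  <ISO-8601 UTC timestamp> <client-ip> bind=<anonymous|dn> base=<dn> filter=(<attr>=<value>) results=<n>
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log: one noisy client guessing addresses, one legitimate client.
HARVESTER = "203.0.113.7"
LEGIT = "198.51.100.5"
_lines = []
for i in range(12):
    hit = 1 if i in (3, 8) else 0  # only 2 of the 12 guessed addresses exist
    _lines.append(f"2024-05-01T10:00:{i:02d}Z {HARVESTER} bind=anonymous "
                  f"base=dc=example,dc=com filter=(mail=user{i}@example.com) results={hit}")
for i, name in enumerate(["alice", "bob", "carol"]):
    _lines.append(f"2024-05-01T10:01:{i * 20:02d}Z {LEGIT} bind=anonymous "
                  f"base=dc=example,dc=com filter=(mail={name}@example.com) results=1")
SAMPLE_LOG = "\n".join(_lines)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) bind=(?P<bind>\S+) base=\S+ "
    r"filter=\((?P<filter>[^)]*)\) results=(?P<results>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    attr, _, value = d["filter"].partition("=")
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "client": d["client"],
        "bind": d["bind"],
        "attr": attr,
        "value": value,
        "results": int(d["results"]),
    }


def find_harvesters(log_text, window=timedelta(minutes=5), min_lookups=10, min_miss_rate=0.5):
    """Return {client: stats} for clients that, within any `window`, query at least
    `min_lookups` distinct mail addresses and miss on at least `min_miss_rate` of them."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["attr"] == "mail":
            by_client[ev["client"]].append(ev)

    flagged = {}
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        # Sliding window anchored at each event; stop at the first window that trips the threshold.
        for start in range(len(events)):
            seen = {}  # address -> True if the latest lookup returned zero entries
            for ev in events[start:]:
                if ev["ts"] - events[start]["ts"] > window:
                    break
                seen[ev["value"]] = ev["results"] == 0
            lookups = len(seen)
            misses = sum(seen.values())
            if lookups >= min_lookups and misses / lookups >= min_miss_rate:
                flagged[client] = {
                    "distinct_addresses": lookups,
                    "misses": misses,
                    "miss_rate": round(misses / lookups, 2),
                }
                break
    return flagged


if __name__ == "__main__":
    for client, stats in find_harvesters(SAMPLE_LOG).items():
        print(f"{client}: {stats}")
```

The thresholds are starting points, not tuned values; a legitimate mail client resolving recipients one at a time stays well under ten distinct addresses in five minutes, whereas an enumeration run produces a high miss rate almost immediately.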

2 Answers


No, it would not be generally acceptable. Not sure what you are trying to achieve, but I would say the correct way is to first establish a VPN connection and then connect to LDAP.

ETL

It depends completely on what's in the LDAP directory.

For Active Directory, absolutely not, even for an RODC - the security profile of these devices is designed for being inside your network (the RODC specifically is hardened against physical compromise, so you can keep it in a closet - a physical compromise of a normal DC would give an attacker control of the domain and all users' password hashes).

An attacker could gain a mountain of information from AD: usernames to try to authenticate with, system names, some amount of network topology. If not enough to attack with directly (password attacks against a different public endpoint, like VPN?), certainly enough to put together a solid social engineering or spear phishing attack.

Shane Madden