I stopped reading at this part in Samba::LDAP:

    if ( $self->{ldapTLS} == 1 ) {
        $ldap_master->start_tls(
            verify     => $self->{verify},
            clientcert => $self->{clientcert},
            clientkey  => $self->{clientkey},
            cafile     => $self->{cafile},
        );
    }

    $ldap_master->bind( $self->{masterDN}, password => $self->{masterP
+w}, );
[download]

Please, please, please confirm that the requested TLS connection worked before you send a Domain Admin privileged account and password over the connection. The needed code looks like:

    $ladp_master->code && die "failed to start TLS: ", $ldap_master->e
+rror ;
[download]

The same holds true for the _slave function.

Updated: Okay I read some more. I'm twitching about:

    if ($homedir) {
        my @rmargs = ('-rf');

        # print "rm @rmargs $homedir\n";
        system( 'rm', @rmargs, $homedir );
    }
[download]

in Samba::LDAP::User. So many possible values of $homedir lead to ruin.

In general, there appears to be a lot of shelling out functionality that could be done in pure perl.