I think the best solution to your issue should be having support for STARTTLS and SSL, and of course the use of a custom X.509 CA (and restricting validation to that CA), plus the option to enforce using client certificates in the LDAP module. Yes, you could definitely file a feature request for that.
If you have technical resources available with knowledge about how LDAP, SSL and X.509 work (which are very non-Mendix-specific things), you could probably work together with the LDAP module maintainer to build this functionality. At Mendix, we might not have the resources to set up an installation of all possible LDAP implementations, together with their quirks you might encounter in practice.
Using LDAP/SSL (TCP 636), you could expose the TCP port to the outside world, enforce client certificate verification and connect to it from your application. This would imply the same level of security as a custom VPN solution, or in fact even better, because it is end-to-end encryption, as opposed to a VPN covering part of the network path between your application and the LDAP server.
You might also think about setting up an SSL tunnel between the cloud and the customer.
Of course this needs assistance from Mendix and the customer.
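As an added example (my own, not the original poster's and not code from the Mendix LDAP module), here is how the pieces mentioned above fit together in plain JNDI, which a Mendix Java action or the LDAP module could wrap: a trust store that contains only the customer's CA (so validation is restricted to that CA), a client certificate for mutual TLS, hostname checking, and both LDAPS on TCP 636 and STARTTLS on TCP 389. The class name, the store paths and passwords, the use of a simple bind and the choice of JNDI's `java.naming.ldap.factory.socket` hook are all assumptions of this example, not anything the thread specifies.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.SocketFactory;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * JNDI socket factory for LDAP over TLS that (1) trusts only the CA in its own trust store,
 * not the JVM's default cacerts, (2) presents a client certificate, and (3) checks the
 * server name against the certificate. Store paths and passwords are placeholders.
 */
public final class PinnedLdapSocketFactory extends SocketFactory {
    // Assumed locations; a Mendix app would read these from constants instead.
    static final String TRUST_STORE = "/etc/app/ldap-ca.jks";   // contains ONLY the customer CA
    static final char[] TRUST_PASS = "changeit".toCharArray();
    static final String KEY_STORE = "/etc/app/ldap-client.p12"; // client cert + private key
    static final char[] KEY_PASS = "changeit".toCharArray();
    private static volatile SSLSocketFactory delegate;

    /** JNDI resolves the class named in java.naming.ldap.factory.socket and calls this. */
    public static SocketFactory getDefault() { return new PinnedLdapSocketFactory(); }

    /** Builds (once) an SSLContext whose trust is restricted to the customer's CA. */
    static SSLSocketFactory sslFactory() throws IOException {
        if (delegate == null) {
            try {
                KeyStore trust = KeyStore.getInstance("JKS");
                try (FileInputStream in = new FileInputStream(TRUST_STORE)) { trust.load(in, TRUST_PASS); }
                TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                tmf.init(trust); // any server chain not ending in this CA is rejected
                KeyStore keys = KeyStore.getInstance("PKCS12");
                try (FileInputStream in = new FileInputStream(KEY_STORE)) { keys.load(in, KEY_PASS); }
                KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                kmf.init(keys, KEY_PASS); // offered when the server requests a client certificate
                SSLContext ctx = SSLContext.getInstance("TLSv1.2");
                ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
                delegate = ctx.getSocketFactory();
            } catch (GeneralSecurityException e) {
                throw new IOException("cannot build LDAP TLS context", e);
            }
        }
        return delegate;
    }

    /** Turns on hostname verification before the handshake runs (it starts on first I/O). */
    private static Socket harden(Socket s) {
        SSLSocket ssl = (SSLSocket) s;
        SSLParameters p = ssl.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("LDAPS"); // reject a valid cert issued for another host
        ssl.setSSLParameters(p);
        return ssl;
    }

    @Override public Socket createSocket() throws IOException { return harden(sslFactory().createSocket()); }
    @Override public Socket createSocket(String h, int p) throws IOException { return harden(sslFactory().createSocket(h, p)); }
    @Override public Socket createSocket(String h, int p, InetAddress l, int lp) throws IOException { return harden(sslFactory().createSocket(h, p, l, lp)); }
    @Override public Socket createSocket(InetAddress h, int p) throws IOException { return harden(sslFactory().createSocket(h, p)); }
    @Override public Socket createSocket(InetAddress h, int p, InetAddress l, int lp) throws IOException { return harden(sslFactory().createSocket(h, p, l, lp)); }

    /** ldaps:// on TCP 636: TLS from the first byte, using this factory. */
    public static LdapContext openLdaps(String host, String bindDn, String password) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://" + host + ":636");
        env.put("java.naming.ldap.factory.socket", PinnedLdapSocketFactory.class.getName());
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialLdapContext(env, null);
    }

    /** ldap:// on TCP 389 upgraded with STARTTLS before the bind, so the password never crosses in clear. */
    public static LdapContext openStartTls(String host, String bindDn, String password)
            throws NamingException, IOException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + host + ":389");
        LdapContext ctx = new InitialLdapContext(env, null); // no credentials sent yet
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        tls.negotiate(sslFactory()); // same pinned CA and client cert; negotiate() checks the hostname
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, bindDn);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
        ctx.reconnect(null); // bind over the now-encrypted connection
        return ctx;
    }
}
```

Two details carry the security value here. Because the trust store holds only the customer's CA and is loaded instead of the JVM's `cacerts`, a server certificate from any public CA fails validation, which is the "restricting validation to that CA" part. Setting the `LDAPS` endpoint identification algorithm (and relying on `negotiate()` doing the same check for STARTTLS) is what stops a certificate that the same CA issued for a different host from being accepted; without it, a pinned CA alone still lets any host with a cert from that CA impersonate the directory. If the LDAP server is configured to require client certificates, a connection without the PKCS12 key store fails at the handshake, before any bind.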