Robb, this is always feasible, technically speaking at least.
I mean, this has nothing to do with LDAP. Once the VPN is established, you are virtually (BTW, this is the goal) connected to the local network, and can then access any service open to your network range. That said, it might not be practical for a service provider to connect a server that is, on the other hand, reachable via the internet to any VPN. And even if this is feasible, it has to be strongly controlled by the one managing the targeted network.
Please let me explain why a VPN is not the secret, wonderful answer to any situation:
If you establish a VPN link with a device that has other interfaces open outside the VPN tunnel, you have to be 100% sure that there is NO routing capability on this device; otherwise it will provide access to your network for all devices accessing this "router".
Let's rephrase it: if H2Desk is connecting to your network via VPN but is, on the other side, open to the internet because this is the way clients access it, then in case this server is compromised, access to your network via the VPN may occur.
If you compare this with LDAPS and firewall rules allowing only the H2Desk server to access using only the LDAPS protocol...
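The comparison described in the post above, as an added example that is not part of the original post: a small default-deny rule evaluator that lists which internal services the H2Desk server could open connections to under a VPN-style policy versus a single LDAPS firewall rule. All addresses, the service list and both policies are constructed for illustration.

```python
import ipaddress

# Constructed addresses for illustration (assumptions, not from the post).
H2DESK = "203.0.113.10"      # internet-facing helpdesk server
SERVICES = [                 # services listening on the internal network
    ("10.0.0.5", 636),       # directory server, LDAPS
    ("10.0.0.5", 389),       # directory server, plain LDAP
    ("10.0.0.20", 445),      # file server
    ("10.0.0.30", 22),       # admin host
    ("10.0.0.40", 3306),     # database
]

# Rule = (source network, destination network, destination port; None = any).
VPN_POLICY = [("203.0.113.10/32", "10.0.0.0/24", None)]
LDAPS_POLICY = [("203.0.113.10/32", "10.0.0.5/32", 636)]


def allowed(policy, src, dst, port):
    """Default deny: a flow passes only if at least one rule matches it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(
        s in ipaddress.ip_network(rule_src)
        and d in ipaddress.ip_network(rule_dst)
        and rule_port in (None, port)
        for rule_src, rule_dst, rule_port in policy
    )


def reachable(policy, src):
    """Internal (host, port) pairs that `src` can open a connection to."""
    return [(h, p) for h, p in SERVICES if allowed(policy, src, h, p)]


if __name__ == "__main__":
    for name, policy in (("VPN", VPN_POLICY), ("LDAPS rule", LDAPS_POLICY)):
        print(f"{name}: {reachable(policy, H2DESK)}")
```

Under the VPN-style policy every listed service is reachable from the H2Desk server, while the LDAPS rule leaves only port 636 on the directory server.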