Agreed that few are relying on Lion servers. But the security flaw is on the side of the Mac client, not the server. If you have Lion clients authenticating against OpenLDAP hosted on, say, a Linux server, then only the username is checked and any password is accepted. IMHO this is a serious security flaw that should be fixed as soon as possible by Apple.