>> Are you aware that SSL on port 636 is now considered deprecated in favor of
>> START_TLS on port 389?
> No, I'm not (I actually thought that it was the other way round)
>
> (...)
>
> What are the pro and cons of both approaches?
>
> Comments more than welcome
You can, as an example, consult the Wikipedia article on LDAP. It states:
---------------------------------------------------
StartTLS
The StartTLS operation establishes Transport Layer Security (the
descendant of SSL) on the connection. It can provide data
confidentiality (to protect data from being observed by third parties)
and/or data integrity protection (which protects the data from
tampering). During TLS negotiation the server sends its X.509
certificate to prove its identity. The client may also send a
certificate to prove its identity. After doing so, the client may then
use SASL/EXTERNAL. By using the SASL/EXTERNAL, the client requests the
server derive its identity from credentials provided at a lower level
(such as TLS). Though technically the server may use any identity
information established at any lower level, typically the server will
use the identity information established by TLS.
Servers also often support the non-standard "LDAPS" ("Secure LDAP",
commonly known as "LDAP over SSL") protocol on a separate port, by
default 636. LDAPS differs from LDAP in two ways: 1) upon connect, the
client and server establish TLS before any LDAP messages are transferred
(without a StartTLS operation) and 2) the LDAPS connection must be
closed upon TLS closure.
LDAPS was used with LDAPv2, because the StartTLS operation had not yet
been defined. The use of LDAPS is deprecated, and modern software should
only use StartTLS .
http://en.wikipedia.org/wiki/LDAP
---------------------------------------------------
A quick search will provide plenty of articles about the subject.