> There are some good instances where StartTLS isn't attractive: when the LDAP servers are behind F5 BigIPs for example.
>
> My 2 cents.

Yeah, true. Depends on environment and some kit just won't do StartTLS.