https://bugs.openldap.org/show_bug.cgi?id=9938
--- Comment #3 from Howard Chu hyc@openldap.org --- Until someone writes an RFC for this, we should not deprecate anything.
Some of the points raised in https://www.rfc-editor.org/rfc/rfc2595#section-7 are certainly no longer relevant. E.g., nobody uses 40-bit "export" ciphers any more. Coming from the opposite side, SASL has recently been neutered and new mechanisms don't include a security layer, instead relying on TLS to do that job. (I.e., the "SL" in "SASL" doesn't exist in any modern SASL mechanisms.)
Personally I'm opposed to using a separate port. IMO the default port should always be 389, clients can default to using TLS, and servers can auto-detect if a TLS or cleartext connection is being established. Regardless of whether you use TLS or StartTLS and a dedicated port 636 or not, it all comes down to site-specific policies and configurations, and the specific default values you choose are irrelevant.
Since any server can listen on any arbitrary port number, using different port numbers to distinguish cleartext vs TLS sessions was always an idiotic idea. That useless practice needs to end.
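The comment above argues that a server can tell a TLS client from a cleartext LDAP client on the same port without a separate "ldaps" port. The following is an added illustration of that auto-detection, not code from the comment or from OpenLDAP, and it sketches the idea in Python rather than in slapd's C. It relies only on well-known protocol facts: a TLS handshake record begins with content type 0x16 followed by a 0x03 version byte, an LDAPMessage is a BER SEQUENCE and so begins with 0x30, and StartTLS is an ExtendedRequest carrying the OID 1.3.6.1.4.1.1466.20037 (RFC 4511). The sample ClientHello prefix and the two LDAP messages are constructed inline, and the function names are this example's own.

```python
"""Single-port TLS/cleartext auto-detection for an LDAP listener.

Added example (not OpenLDAP code): the server peeks at the first bytes of a new
connection without consuming them and decides whether to wrap the socket in
TLS or hand it to the cleartext LDAP handler. Facts relied on:
  - a TLS handshake record starts with content type 0x16 and version 0x03 0xNN
  - an LDAPMessage is a BER SEQUENCE, so cleartext LDAP starts with 0x30
  - StartTLS is an ExtendedRequest with OID 1.3.6.1.4.1.1466.20037 (RFC 4511)
"""
import socket

TLS_HANDSHAKE = 0x16
BER_SEQUENCE = 0x30
EXTENDED_REQUEST = 0x77          # [APPLICATION 23], constructed
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

# Constructed sample inputs (not captured traffic).
# First 11 bytes of a TLS ClientHello record: type, legacy version, record
# length, handshake type (1 = ClientHello), handshake length, client version.
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("16 03 01 00 c8 01 00 00 c4 03 03")
# LDAPMessage { messageID 1, bindRequest { version 3, name "", simple "" } }
LDAP_BIND_REQUEST = bytes.fromhex("30 0c 02 01 01 60 07 02 01 03 04 00 80 00")
# LDAPMessage { messageID 2, extendedRequest { requestName = StartTLS OID } }
LDAP_STARTTLS_REQUEST = (bytes.fromhex("30 1d 02 01 02 77 18 80 16")
                         + STARTTLS_OID)


def classify_prefix(prefix: bytes) -> str:
    """Classify the first bytes of a connection as "tls", "ldap" or "unknown".

    Returns "need-more" when fewer than two bytes are available. TLS content
    types are 20..24, so 0x30 (BER SEQUENCE) can never start a TLS record and
    the two protocols are unambiguous from the first byte. SSLv2-style hellos
    (first byte with the high bit set) are not recognised.
    """
    if len(prefix) < 2:
        return "need-more"
    if prefix[0] == TLS_HANDSHAKE and prefix[1] == 0x03:
        return "tls"
    if prefix[0] == BER_SEQUENCE:
        return "ldap"
    return "unknown"


def peek_connection(conn: socket.socket, nbytes: int = 5) -> str:
    """Look at the first bytes with MSG_PEEK so they stay queued for whichever
    handler ends up owning the socket (TLS wrapper or LDAP decoder)."""
    return classify_prefix(conn.recv(nbytes, socket.MSG_PEEK))


def _read_tlv(buf: bytes, off: int):
    """Decode one BER TLV (short or long-form length); return (tag, value, next)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def is_starttls_request(msg: bytes) -> bool:
    """True if msg is an LDAPMessage carrying the StartTLS extended request."""
    try:
        tag, body, _ = _read_tlv(msg, 0)
        if tag != BER_SEQUENCE:
            return False
        _, _message_id, off = _read_tlv(body, 0)        # messageID INTEGER
        op_tag, op_body, _ = _read_tlv(body, off)        # protocolOp CHOICE
        if op_tag != EXTENDED_REQUEST:
            return False
        name_tag, name, _ = _read_tlv(op_body, 0)        # requestName [0]
        return name_tag == 0x80 and name == STARTTLS_OID
    except IndexError:                                   # truncated message
        return False


def demo() -> dict:
    """Run each sample through a socketpair as if it were a fresh connection.

    Returns {name: (kind, bytes_intact_after_peek, is_starttls)}.
    """
    results = {}
    samples = (("tls", TLS_CLIENT_HELLO_PREFIX),
               ("ldap-bind", LDAP_BIND_REQUEST),
               ("ldap-starttls", LDAP_STARTTLS_REQUEST))
    for name, first_bytes in samples:
        server, client = socket.socketpair()
        try:
            server.settimeout(2)
            client.sendall(first_bytes)
            kind = peek_connection(server)
            data = server.recv(1024)        # the peek consumed nothing
            starttls = kind == "ldap" and is_starttls_request(data)
            results[name] = (kind, data == first_bytes, starttls)
        finally:
            client.close()
            server.close()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14s} -> kind={outcome[0]}, intact={outcome[1]}, starttls={outcome[2]}")
```

Two points a practitioner would check before relying on this: the peek must be done before any TLS library touches the socket, since the TLS wrapper expects to read the ClientHello itself; and a client that sends nothing until it receives something (which neither LDAP nor TLS clients do) would stall the peek, so a read timeout on the accepted socket is still needed.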