I wrote:
False alarm. But if you want to test if SASL/EXTERNAL is available on a connection, check supportedSASLMechanisms in the root DSE. (ldapi:// offers it, ldap:// does not unless you supplied a client cert)
Er, ldapi:// *usually* offers it. I guess there may be platforms where it doesn't.