False alarm. But if you want to test if SASL/EXTERNAL is available
on a connection, check supportedSASLMechanisms in the root DSE.
(ldapi:// offers it, ldap:// does not unless you supplied a client cert)
Er, ldapi:// *usually* offers it. I guess there may be platforms
where it doesn't.