Was using ldap://my_ldap_server (port 389) and TLS without an issue until I was told that was only for testing. For production, I now have to use ldaps://my_ldap_server (port 636) and SSL without TLS. Now, I cannot bind with my service account. I'm able to run ldapsearch on the same system (using ldaps://) that Drupal is running on, and ldapsearch works fine. ldap.conf file is same.
I did a tcpdump trace and found that the drupal ldap module doesn't seem to be sending a SSLv2 "Client Hello," which is the first packet after the TCP handshake using ldapsearch. Drupal seems to send a SSL "Continuation Data" packet, instead of the client hello.