SERVER-66494 (Core Server)

Ensure SRV works with TLS connections between MongoDB and LDAP servers

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 6.1.0-rc0
    • Affects Version/s: 5.1.0
    • Component/s: None
    • Labels: None
    • Backwards Compatibility: Fully Compatible
    • Operating System: ALL
    • Sprint: Security 2022-06-13, Security 2022-06-27, Security 2022-07-11, Security 2022-07-25

If a user configures MongoDB to talk to an LDAP server with the srv: or srv_raw: prefix, the server does a DNS lookup for an SRV record and connects to the port specified in that record. However, Active Directory publishes port 389 by default. This causes problems when TLS is enabled, since the default port for ldaps is 636. As a result, there is currently no way for mongods to talk to many Active Directory LDAP servers via SRV and TLS.

We should investigate and determine a workaround for this so that ldaps works with SRV and Active Directory.

One possible solution is to connect to port 636 if security.ldap.transportSecurity is set to 'tls' and the SRV record returned contains port 389. If the port in the record is any other port, the server will assume it is a non-default one and will try connecting to it directly, regardless of whether TLS is enabled.

Alternatively, we may not want to blindly ignore port 389 if it is in the SRV record and TLS is enabled. If there is a way to glean additional information about whether we are dealing with Active Directory, or to handle ldaps separately when performing the SRV record lookup, that would be preferable to the above approach.
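A model of the first proposed workaround, added here as an example (this is not code from the MongoDB server). It assumes that srv: expands to _ldap._tcp.<host> and srv_raw: queries the given name unchanged, applies the ticket's port rule to constructed SRV records, and shows that only the Active Directory default of 389 is remapped under TLS while any other port is used as published.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

LDAP_PORT = 389   # Active Directory default, as published in its SRV records
LDAPS_PORT = 636  # default port for LDAP over TLS


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def srv_query_name(server: str) -> str:
    """Map a security.ldap.servers entry to the SRV name that would be queried.
    Assumption: srv: prepends _ldap._tcp., srv_raw: uses the name as given."""
    if server.startswith("srv_raw:"):
        return server[len("srv_raw:"):]
    if server.startswith("srv:"):
        return "_ldap._tcp." + server[len("srv:"):]
    raise ValueError("not an SRV-prefixed server entry: " + server)


def effective_port(record_port: int, transport_security: str) -> int:
    """The ticket's proposed rule: under TLS, only port 389 from the SRV
    record is treated as the AD default and replaced by 636; every other
    port is assumed to be deliberately non-default and kept as published."""
    if transport_security == "tls" and record_port == LDAP_PORT:
        return LDAPS_PORT
    return record_port


def resolve_ldap_targets(server: str, transport_security: str,
                         lookup: Callable[[str], List[SrvRecord]]) -> List[Tuple[str, int]]:
    """Return (host, port) pairs in priority order (lower priority first,
    higher weight first within a priority; real resolvers pick by weighted
    random choice within a priority, simplified here to a stable sort)."""
    records = sorted(lookup(srv_query_name(server)),
                     key=lambda r: (r.priority, -r.weight))
    return [(r.target.rstrip("."), effective_port(r.port, transport_security))
            for r in records]


# Constructed sample zone standing in for DNS (not real hosts).
SAMPLE_ZONE = {
    "_ldap._tcp.corp.example.com": [
        SrvRecord(priority=10, weight=100, port=389, target="dc2.corp.example.com."),
        SrvRecord(priority=0, weight=100, port=389, target="dc1.corp.example.com."),
    ],
    "_ldaps._tcp.other.example.com": [
        SrvRecord(priority=0, weight=100, port=3269, target="gc.other.example.com."),
    ],
}


def sample_lookup(name: str) -> List[SrvRecord]:
    return SAMPLE_ZONE.get(name, [])
```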

Assignee: adhishree.abhyankar@mongodb.com Adhishree Abhyankar (Inactive)
Reporter: varun.ravichandran@mongodb.com Varun Ravichandran
Votes: 0
Watchers: 4