The default value of "ldap ssl" is start_tls, but actually the default value is "On" .
Indeed in source/param/loadparm.c:
Globals.ldap_ssl = LDAP_SSL_ON;
Actually, the default is "" as LDAP_SSL_ON is not defined at all.
We will have a look at this one...
I removed "ldap ssl = on" completely as ldaps is realized with ldaps URLs in the "passdb backend" meanwhile.
The default has been changed to "ldap ssl = no" which does not change the default behaviour, but a more sensible value.
The manpage has been updated accordingly.
Closing out bug report.
Thanks for reporting!
I will check when later version is released.
I found this bug occurred when Samba 3.0.23 was released.