It works with AD if no alias entries are used, see https://github.com/bluedynamics/node.ext.ldap/issues/29
The fix is very simple and described there. @rnixx and I are overloaded with work, but if a PR is provided I can cut a release.
TLS with Python and LDAP is a PITA. Providing certificates at the OS level and letting them be picked up by python/python-ldap/node.ext.ldap is probably a good idea. pas.plugins.ldap/node.ext.ldap is already prepared to make this configurable TTW, but that is neither finished nor tested.
There are several reasons to not use plone.app.ldap, but if it works for you in your environment there's also no reason to switch.
pas.plugins.ldap is in several ways more flexible and also gives you sane group handling and sane configuration. It's not a bunch of stacked layers around an old-style UserFolder. It does not need monkey patches all the way down. And it is supported and actively developed.