I am using start_tls, but how come it only works on port 389 ?

If you want to use ldaps, then the tcp port number 636 is in use, this is for ldap over ssl. Un-secure or clear text communications happen on tcp port 389 by default, but there is the option to run an extended operation called startTLS, to establish a security layer before the bind operation, when using tcp port 389. So the connection starts in clear text, and then switch to an encrypted channel using TLS, and then a bind operation happens. See RFC 4511 and 4513.

Example of log for startTLS, on port 389:

[17/Oct/2007:14:32:52 -0700] conn=936 fd=68 slot=68 connection from to    
[17/Oct/2007:14:32:52 -0700] conn=936 op=0 EXT oid="" name="startTLS"    
[17/Oct/2007:14:32:52 -0700] conn=936 op=0 RESULT err=0 tag=120 nentries=0 etime=0    
[17/Oct/2007:14:32:52 -0700] conn=936 TLSv1.1 256-bit AES    

The “err=0 tag=120” show a result from an extended operation.

Example of log for ssl, on port 636:

[18/Oct/2007:08:54:53 -0700] conn=253 fd=64 slot=64 TLSv1.1 connection from to    
[18/Oct/2007:08:54:53 -0700] conn=253 TLSv1.1 256-bit AES    
Last modified on 1 March 2015