Hi Mark,
The testing update that @giacomo recommended should solve all these problems.
With this update, the binary password is not used in SOGo anymore. An ldapservice user is now used in SOGo (and other LDAP apps).
My updated test server:
bindDN = "ldapservice@AD.DOMAIN.LOCAL";
bindPassword = "tpiym4sZtGS3YZKB";
baseDN = "dc=ad,dc=domain,dc=local";
hostname = ldaps://ad.domain.local;