    Active Directory auth: try other domain-controllers even when STARTTLS fails

    Review Request #5701 — Created April 11, 2014 and submitted

    Information

    Review Board
    release-1.7.x

    When STARTTLS fails for a domain controller don't bail out: instead keep
    trying the other domain controllers. E.g. it could fail for the same
    reason that unencrypted binds could fail: server unavailability.

    This change ensures that unavailable servers as well as servers with
    unrecognized certificates are skipped while still logging a decent
    message for server admins to find out what's going on.

    NOTE: this patch applies to 2.0.x and master as well and looks to apply cleanly to 1.0.x, 1.5.x and 1.6.x as well but I'm not sure that those are still maintained (their release branches still live on github).

    Tested this on my company's Review Board server. Without it I get a failure every few login attempts when one of our domain controllers is down (I've got TLS enabled for Active Directory authentication). With this patch it only logs a warning and goes on with the next server.

    The fact that it only fails every once in a while is probably due to SRV order randomisation within the same priority level (all of our domain controllers get assigned the same priority).
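    Added illustration, not Review Board's own code: a pure-Python sketch of the fall-through loop the request describes, with the pre-patch bail-out beside it for contrast. The `connect` hook, the two exception classes and the server list are constructed stand-ins for the real initialize / STARTTLS / bind sequence against a domain controller.

```python
import logging

logger = logging.getLogger(__name__)


class ServerDownError(Exception):
    """Constructed stand-in: the domain controller could not be reached."""


class StartTLSError(Exception):
    """Constructed stand-in: STARTTLS negotiation failed (e.g. unrecognized certificate)."""


def bind_strict(servers, connect):
    """Pre-patch behaviour: an unreachable server is skipped, but a STARTTLS
    failure propagates and aborts the whole login attempt."""
    for uri in servers:
        try:
            return uri, connect(uri)
        except ServerDownError as e:
            logger.warning("Skipping unreachable domain controller %s: %s", uri, e)
        # StartTLSError is deliberately not caught here: one DC with a bad
        # certificate (or one that dropped mid-negotiation) fails authentication.
    return None


def bind_to_first_available(servers, connect):
    """Patched behaviour: any failure on one domain controller, whether the
    server is down or STARTTLS fails, is logged and the next server is tried.
    Returns (uri, connection) for the first server that works, else None."""
    for uri in servers:
        try:
            return uri, connect(uri)
        except ServerDownError as e:
            logger.warning("Skipping unreachable domain controller %s: %s", uri, e)
        except StartTLSError as e:
            logger.warning("STARTTLS failed for domain controller %s, trying next: %s", uri, e)
    return None


# Constructed sample fleet in SRV order: one DC is down, one presents a
# certificate the client does not trust, the third is healthy.
SAMPLE_BEHAVIOUR = {
    "ldap://dc1.example.test": ServerDownError("connection refused"),
    "ldap://dc2.example.test": StartTLSError("certificate not recognized"),
    "ldap://dc3.example.test": "bound",
}


def fake_connect(uri):
    """Constructed connector: raises or returns according to SAMPLE_BEHAVIOUR."""
    outcome = SAMPLE_BEHAVIOUR[uri]
    if isinstance(outcome, Exception):
        raise outcome
    return outcome
```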

    MU
    Ship It!

    MU
    Review request changed
    Status:
    Completed
    Change Summary:
    Pushed to release-1.7.x (ab655f9)
    david
    Ship It!