While trying to deploy https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/482237/ I realized that the python3-ldap3 library that we get from apt is really old. Newer versions of the library provide nice features like easy support for paged result sets. See this diff in gerrit for an example of the difference in lines of code needed for this common use-case.
Also we have different versions on various hosts due to some usage of backports and pinning. Both role::labs::db::maintain_dbusers and toollabs::maintain_kubeusers pin to the jessie backports package (0.9.9.3-1~bpo8+2) which is just slightly newer than the default jessie package (0.9.4.2-1).
Even more fun, newer versions of the library are not compatible with existing usage in several scripts. Once we start building things out on Buster (which has python3-ldap3 2.4.1-1) this is going to cause problems with the following scripts:
openstack::puppet::master::enc also installs python3-ldap3, but it does not seem to be used directly there. This appears to be leftover from an earlier version of the modules/profile/files/puppetmaster/labs-puppet-enc.py script (rOPUPc658ac3d3795).