LDAPS is not used when connecting to Active Directory. Safeguard connects via LDAP TCP/389, and uses Kerberos / GSS-API and SASL to authenticate and encrypt LDAP communications.
Safeguard follows the standard behavior of Windows / Microsoft protocols and attempts to use the highest level of security that the connection will allow. This is the same mechanism used by Windows desktop AD logins. Unsecured LDAP is not used.