LDAPS should not be an advanced setting
When authenticating using ldap, a simple bind is used. This exposes the admin dn (account used to search ldap), and users username and password.
I was able to confirm this while running wireshark on the ldap server that openfire authenticates with.
This can be mitigated by using ldaps and starttls.