Thank you for the link.
Joking aside, I know this, at least enough to deploy it worldwide for a (very) large company, because I did it already.
I fully agree that the lack of default LDAPS is a concern because of base64. I believe that the reason for such a design is that LDAP, at least at the beginning, was not designed to be accessible outside of the Zentyal box. Remember that the default FW rules do not open the LDAP protocol. So I suspect this "bug" is inherited from this initial "all in one box" concept.
This doesn't prevent Zentyal from improving it. One more entry in the feature requests section?