We have not figured out how to do it over ldaps or over ssl yet, but it is on our todo list.
Our Active Directory setup allows GSSAPI and GSS-SPNEGO
I was able to find out using the following command:
ldapsearch -h ad.yourdomain.com -D "CN= youruseraccount,CN=Users,DC=yourdomain,DC=com" -x -W -b "" -s base -LLL supportedSASLMechanisms
I think GSSAPI uses Kerberos V to provide secure authentication services
I was able to get it working securely on my powerbook using ldapsearch and iirc I got it to work on debian after installing some Kerberos packages (although it has been awhile since I looked at this).
I am going to be traveling to conferences the next 10 days so I doubt I will have time to help out, but I hope to contribute to figuring this part out when I get back (if you haven't already figured it out with Michael).