the AD plugin in LDAP mode can use startTLS to upgrade a plain text connection to a secure one.

However if this upgrade fails the connection reverts to a plain text one.

This is actually documented, however it is somewhat at odd with the flag from SECURITY-1389

As an AD server may not be exposed on the SSL ports but only the plain text with upgrades, there may be no way for a user to configure the AD plugin to use an encrypted LDAP connection.
(requireTLS forces the connection to use the ssl port)

Rather if both startTLS and requireTLS are both set then the upgrade should be done with the START_TLS command and for any failure the connection should abort.

Documentation would need to be changed accordingly.