oxTrust Cache Refresh does not currently support StartTLS. If you're a coder, you could probably submit a PR for oxTrust to implement this, because the underlying library we are using does support it. But demand for startTLS has been very low (you're the first one I remember asking for it in years). Use LDAPS if you want to keep it easy.