The mask option simply gonna change passwords into asterisk like we see on Cisco switches. On the other hand encrypt option as the name says encrypts the password which again can only be decrypted by ESA.

Here's a config snippet,

Mask password

<ldap>
<ldap_server>
<ldap_server_name>LabAD</ldap_server_name>
<ldap_server_port>389</ldap_server_port>
<ldap_server_hostname>X.X.X.X</ldap_server_hostname>
<ldap_server_type>ad</ldap_server_type>
<ldap_server_pass>*****</ldap_server_pass>

Encrypt password

ldap>
<ldap_server>
<ldap_server_name>LabAD</ldap_server_name>
<ldap_server_port>389</ldap_server_port>
<ldap_server_hostname>X.X.X.X</ldap_server_hostname>
<ldap_server_type>ad</ldap_server_type>
<ldap_server_pass>8dH+PEfzkHCS+KARBtogTmb+LHQU/WSqrJNqjypVwE0LieqoPHGjus78GsCNFEWG</ldap_server_pass>