A quick search will provide plenty of articles about the subject.
Thanks, I had actually thought of using a search engine (as somebody put it, part of the fun with configuring OpenLDAP is that you definitely have to).
What I cannot find (yet) is whether there is a way to require StartTLS only for external connections and allow plain connections on the local network?
The reason why I (think I) need both is that many third-party apps on the server (typically PHP applications) do not easily manage StartTLS. Meanwhile, having two different ports makes it easier to manage via iptables.