> The reason why I (think I) need both is that many third-party apps on
> the server (PHP applications typically) do not easily manage StartTLS.
> Meanwhile, having two different ports makes it easier to manage via iptables.

You can also use StartTLS over the network and LDAPI (connection over Unix sockets, which are inherently secure) for apps running on the server. I use it, both with OpenLDAP and 389 Directory Server (a.k.a. Fedora DS, Red Hat DS).
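An added example (not from the thread) of how the StartTLS-plus-LDAPI setup above is enforced in OpenLDAP's cn=config: network clients must negotiate StartTLS before any operation is accepted, while local applications on the Unix socket are trusted without TLS. It assumes slapd is already listening on `ldap:///` and `ldapi:///` and has TLS certificates configured.

```ldif
# Added example, not the poster's configuration. Requires slapd to be
# started with listeners such as SLAPD_URLS="ldap:/// ldapi:///".
dn: cn=config
changetype: modify
replace: olcSecurity
# Require a security strength factor (SSF) of 128 for every operation.
# A plain ldap:// connection has SSF 0, so binds and searches are
# refused with "Confidentiality required" until StartTLS has been
# negotiated with a 128-bit or stronger cipher.
olcSecurity: ssf=128
-
replace: olcLocalSSF
# SSF credited to ldapi:// (Unix socket) connections. The default is 71,
# which would not satisfy ssf=128; setting it to 128 lets local apps in
# without TLS, because the traffic never leaves the host.
olcLocalSSF: 128
```

Apply it over the socket with `ldapmodify -Y EXTERNAL -H ldapi:/// -f file.ldif`, then confirm that `ldapsearch -x -H ldap://server -b "" -s base` is rejected while the same search with `-ZZ` (mandatory StartTLS) succeeds. In 389 Directory Server the corresponding cn=config attributes are `nsslapd-minssf` and `nsslapd-localssf`.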