- New Feature
- Resolution: Unresolved
- Major
Please strongly consider adding a configuration option that disables "fall back to non-TLS LDAP if StartTLS doesn't work" behavior.
Testing that one's certificates are configured properly and that StartTLS works right now (your ldapsearch wiki examples) proves nothing about tomorrow.
[ ] Fall back to unencrypted authentication if TLS upgrade fails
or
[ * ] Require encrypted authentication
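
The two proposed settings expressed as client policy, as an added example that is not part of the original report or the product's code. `negotiate`, `run` and `fake_server` are hypothetical names, the peer is a constructed in-process stub that answers the StartTLS request with a chosen LDAP resultCode, and the TLS handshake after a successful upgrade is left to the caller.

```python
import socket
import threading

# LDAPv3 ExtendedRequest for StartTLS (RFC 4511 section 4.14), messageID 1.
STARTTLS_REQ = b"\x30\x1d\x02\x01\x01\x77\x18\x80\x16" + b"1.3.6.1.4.1.1466.20037"

class TLSRequiredError(Exception):
    """The upgrade failed and policy forbids continuing without TLS."""

def extended_result_code(pdu: bytes) -> int:
    # ExtendedResponse layout assumed here: SEQUENCE, one-byte messageID,
    # [APPLICATION 24], ENUMERATED resultCode (short-form lengths only).
    if len(pdu) < 10 or pdu[0] != 0x30 or pdu[5] != 0x78 or pdu[7] != 0x0A:
        raise ValueError("not an ExtendedResponse")
    return pdu[9]

def negotiate(sock: socket.socket, require_tls: bool) -> str:
    """Hypothetical client policy. Returns 'tls' when the caller may start the
    handshake, 'cleartext' when fallback is allowed; raises if TLS is required."""
    sock.sendall(STARTTLS_REQ)
    try:
        accepted = extended_result_code(sock.recv(4096)) == 0
    except (ValueError, OSError):
        accepted = False  # a malformed or missing reply is a failed upgrade too
    if accepted:
        return "tls"
    if require_tls:
        raise TLSRequiredError("StartTLS failed; not sending credentials")
    return "cleartext"  # the fallback the issue asks to make optional

def fake_server(sock: socket.socket, result_code: int) -> None:
    # Constructed peer: reads the request, replies with the given resultCode.
    sock.recv(4096)
    sock.sendall(bytes([0x30, 0x0C, 0x02, 0x01, 0x01, 0x78, 0x07,
                        0x0A, 0x01, result_code, 0x04, 0x00, 0x04, 0x00]))

def run(result_code: int, require_tls: bool) -> str:
    client, server = socket.socketpair()
    client.settimeout(5)
    peer = threading.Thread(target=fake_server, args=(server, result_code))
    peer.start()
    try:
        return negotiate(client, require_tls)
    finally:
        peer.join()
        client.close()
        server.close()
```

`run(52, False)` returns `"cleartext"` (52 is the `unavailable` resultCode), while `run(52, True)` raises `TLSRequiredError` before any bind is attempted.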