Is it possible to prevent anonymous and unauthenticated binds to ldaps:// 636 but allow them on ldap:// 389? 

 

I want to allow staff to query my ldaps:// outside of my network while requiring them to login to do so but allow anyone to bind (anonymous, unauthenticated, or authenticated) internally on ldaps//:  389.

 

I know:

Anonymous bind can be disabled by "disallow bind_anon" and Unauthenticated bind mechanism is disabled by default.  But if I use "disallow bind_anon it stops in on both ports.  I want to stop it just on ldaps://.