Stopping users that are "unauthenticated" makes no sense; everything's unauthenticated at time=0. You might as well stop slapd if you want a 100% inability to serve data.
You can deny anonymous users that aren't plaintext, including any ldaps:/// connections, with something like:
access to * by anonymous ssf=0 transport_ssf=0 tls_ssf=0 sasl_ssf=0 none break by anonymous none
early on in your ACL stanzas. I'm pretty sure this'll deny anonymous StartTLS users on 389, though; not sure if that's what you want. I can't think of any way to use the slapd access language to differentiate based on listeners, which would probably be the most elegant way to handle what you asked. To be fair, this entire exercise seems really odd from where I sit -- are you positive that this will have the desired effect? (If somebody out in Peru is permitted to connect in unencrypted and make anonymous queries, why not allow them to make those same queries encrypted? What's the difference?)