Pet peeve: While it doesn't help your problem, you should in addition to
this:
>> access to *
>> by tls_ssf=128 ssf=128 anonymous auth
>> by tls_ssf=128 ssf=128 self write
use something like 'security simple_bind=128 update_ssf=128'. This
gives the result code confidentialityRequired instead of
invalidCredentials when the ssf is insufficient. Thus users who did not
use TLS don't get the impression that they just sent the wrong password
- and maybe then send the unprotected password again.