Whether or not certificates are required is configured with TLSVerifyClient. If you don't want to require certificates, TLSVerifyClient at any setting other than "demand" should work, depending on your local preferences.
At a server-wide level, you can set "security <factor>" in slapd.conf. For instance, "security tls=1" will force TLS (of any flavor) to be used. When slapd is set to deny non-TLS operations, neglecting to use SSL on the ldaps port will result in an SSL handshake failure, while failing to issue a StartTLS on the ldap port will return a "Confidentiality Required" error. Should you desire more fine-grained control, "tls_ssf" is a valid "<who>" in an ACL clause. I've never used these, but I'm guessing they will return "insufficient access" since they're ACLs. See the slapd.conf(5) and slapd.access(5) man pages and the Admin Guide for more details on these directives.
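As an added example (not part of the original answer or of OpenLDAP itself), the following sketch audits a slapd.conf for the three controls discussed above: TLSVerifyClient, "security tls=<n>", and tls_ssf in ACL clauses. The sample configuration, its paths and suffix, and the function names are constructed for illustration; the sketch does not distinguish global from per-database "security" lines.

```python
import re

# Constructed sample slapd.conf (paths and suffix are placeholders).
SAMPLE_CONF = """\
# global section
TLSCACertificateFile /etc/openldap/certs/ca.pem
TLSVerifyClient never
security tls=1

database mdb
suffix "dc=example,dc=com"
access to attrs=userPassword
    by tls_ssf=128 self write
    by tls_ssf=128 anonymous auth
    by * none
access to *
    by users read
"""

def logical_lines(text):
    """Unwrap continuation lines (leading whitespace), then drop comments,
    in the order slapd.conf(5) describes."""
    lines = []
    for raw in text.splitlines():
        if raw[:1].isspace() and raw.strip() and lines:
            lines[-1] += " " + raw.strip()
        elif raw.strip():
            lines.append(raw.strip())
    return [line for line in lines if not line.startswith("#")]

def audit(text):
    """Report whether TLS and client certificates are enforced."""
    # "never" is the documented default when TLSVerifyClient is absent.
    report = {"verify_client": "never", "min_tls_ssf": 0, "acl_tls_ssf": []}
    for line in logical_lines(text):
        words = line.split()
        key = words[0].lower()
        if key == "tlsverifyclient" and len(words) > 1:
            report["verify_client"] = words[1].lower()
        elif key == "security":
            for factor in words[1:]:
                name, _, value = factor.partition("=")
                if name == "tls" and value.isdigit():
                    report["min_tls_ssf"] = max(report["min_tls_ssf"], int(value))
        elif key == "access":
            found = re.findall(r"\btls_ssf=(\d+)", line)
            report["acl_tls_ssf"] += [int(n) for n in found]
    # slapd.conf(5) lists "hard" and "true" as synonyms for "demand".
    report["client_cert_required"] = report["verify_client"] in ("demand", "hard", "true")
    report["tls_required"] = report["min_tls_ssf"] > 0
    return report
```

For the sample, `audit(SAMPLE_CONF)` reports that TLS is required server-wide, that client certificates are not, and that the userPassword ACL additionally asks for a TLS strength factor of 128.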
