You're confusing yourself here.
Originally Posted by Diranged
startTLS == ENCRYPTED
ldaps == ENCRYPTED
So in either case, the connection is encrypted. One works over the normal ldap:// port, the other one is a secure port only. Using ldaps:// means *any* connection is encrypted. Using startTLS means that connections that request startTLS be initiated are encrypted. The connections from Zimbra by default use startTLS. Since you don't really say much about what it is you are doing, I don't know exactly what it is you are trying to be sure gets encrypted. As I noted before, you can create the same behavior as ldaps (everything is encrypted) by requiring startTLS be in effect using the security directive in slapd.conf.in, and at that point, all connections will be required to be encrypted.
There is no way with "ldaps" to fall back to unencrypted, since it's encrypted from the get-go.
Zimbra :: the leader in open source messaging and collaboration
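The `security` directive mentioned in the post can be checked mechanically. The following is an added example, not part of the original post or of Zimbra's tooling: it parses slapd.conf text and reports whether unencrypted operations are still possible. The factor names (`ssf`, `transport`, `tls`, `simple_bind`) come from slapd.conf(5); the function names, the sample files, and the choice to look only at the global section (before the first `database` line) are assumptions made for this example.

```python
import re

# Factors from slapd.conf(5) that, when > 0, require protection for every operation.
# simple_bind= and update_ssf= only cover binds/updates, so they are not listed here.
ENFORCING = ("ssf", "transport", "tls")

def logical_lines(text):
    """Drop comments and blank lines; join continuation lines (leading whitespace)."""
    out = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def security_factors(text):
    """Return {factor: value} from 'security' directives in the global section."""
    factors = {}
    for line in logical_lines(text):
        words = line.split()
        if words[0].lower() == "database":   # assumption: audit global section only
            break
        if words[0].lower() == "security":
            for word in words[1:]:
                m = re.fullmatch(r"(\w+)=(\d+)", word)
                if m:
                    factors[m.group(1).lower()] = int(m.group(2))
    return factors

def cleartext_allowed(text):
    """True if no global factor forces ldap:// clients to use startTLS first."""
    found = security_factors(text)
    return not any(found.get(name, 0) > 0 for name in ENFORCING)

# Constructed sample: TLS is offered, but startTLS stays optional.
WEAK = "TLSCertificateFile /placeholder/server.crt\ndatabase mdb\n"
# Constructed sample: same file with TLS required (directive split over two lines).
HARDENED = "TLSCertificateFile /placeholder/server.crt\nsecurity\n  tls=128\ndatabase mdb\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "cleartext allowed:", cleartext_allowed(conf))
```

Server-side enforcement rejects unprotected operations; it does not stop a misconfigured client from sending a simple bind in cleartext before the refusal arrives.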