
ldapi without TLS and ldap with TLS?



Hi,

I'm trying to achieve the following with OpenLDAP RE24 from last week:

Connections on ldapi:/// are plain text and ldap connections require TLS with client cert auth. I thought I could do that with:

# global configuration settings
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap34/slapd34.args
olcPidFile: /var/run/openldap34/slapd34.pid
olcLogFile: /var/log/openldap34/slapd34.log
olcLogLevel: -1
olcTLSCACertificateFile: /etc/pki/tls/certs/ca.crt
olcTLSCertificateFile: /etc/pki/tls/certs/server.crt
olcTLSCertificateKeyFile: /etc/pki/tls/private/server.key
olcTLSCipherSuite: TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:@STRENGTH
olcTLSVerifyClient: demand  <---
olcLocalSSF: 0  <---
olcSecurity: tls=256  <---

Since I'm seeing the error below, clearly I thought wrong:

5121a107 >>> slap_listener(ldapi:///)
5121a107 daemon: listen=11, new connection on 15
5121a107 daemon: added 15r (active) listener=(nil)
5121a107 conn=1009 fd=15 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
[snip]
5121a107 conn=1009 op=0 BIND dn="cn=ReadOnly,dc=example,dc=com" method=128
5121a107 do_bind: version=3 dn="cn=ReadOnly,dc=example,dc=com" method=128
5121a107 send_ldap_result: conn=1009 op=0 p=3
5121a107 send_ldap_result: err=13 matched="" text="TLS confidentiality required"
[snip]
5121a107 conn=1009 op=0 RESULT tag=97 err=13 text=TLS confidentiality required

Anyone have an idea how I can achieve my goal?

Thanks!
Patrick
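The following is an added illustration, not a reply from the thread and not Patrick's configuration. It places the two global settings quoted in the post next to a variant that expresses the requirement as an overall security strength factor rather than as a TLS-specific one. In slapd, `olcSecurity: tls=N` insists on a TLS layer of strength N on every session, while `olcSecurity: ssf=N` accepts any mechanism that yields strength N, and `olcLocalSSF` is the strength credited to ldapi:/// sessions (default 71). The paths are those from the post; the value 256 assumes the TLS ciphers that get negotiated are 256-bit, which is an assumption, not something the post states.

```ldif
# Added example, not from the original post.  Two fragments of the
# cn=config entry; the second is the variant, apply one or the other.

# --- As posted: tls=256 demands a TLS layer of strength 256 on every
#     session.  An ldapi:/// session never carries TLS, and olcLocalSSF: 0
#     credits it with nothing, so the bind on conn=1009 gets err=13
#     "TLS confidentiality required".  olcTLSVerifyClient: demand is
#     irrelevant to that failure; it only acts once a TLS handshake starts.
dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCACertificateFile: /etc/pki/tls/certs/ca.crt
olcTLSCertificateFile: /etc/pki/tls/certs/server.crt
olcTLSCertificateKeyFile: /etc/pki/tls/private/server.key
olcTLSVerifyClient: demand
olcLocalSSF: 0
olcSecurity: tls=256

# --- Variant: require an overall SSF of 256 instead of TLS specifically.
#     * ldap://  without TLS has SSF 0 and is refused with err=13.
#     * ldap://  with StartTLS (or ldaps://) is credited with the cipher's
#       key strength, so a 256-bit cipher satisfies the requirement; the
#       client certificate is still demanded by olcTLSVerifyClient.
#     * ldapi:// is credited with olcLocalSSF; raising it to 256 (assumed
#       value, matching the ssf= threshold) lets the Unix-socket bind through
#       in plain text, which is what the post asks for.
dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCACertificateFile: /etc/pki/tls/certs/ca.crt
olcTLSCertificateFile: /etc/pki/tls/certs/server.crt
olcTLSCertificateKeyFile: /etc/pki/tls/private/server.key
olcTLSVerifyClient: demand
olcLocalSSF: 256
olcSecurity: ssf=256
```

Two checks worth making after such a change. First, with the same `olcLogLevel: -1` as in the post, a successful TLS session logs a `TLS established tls_ssf=... ssf=...` line for the connection; if that shows a value below the `ssf=` threshold (for example because a 128-bit cipher was negotiated out of the `TLSv1+HIGH` list), the network bind will still fail with err=13, and the cipher suite needs tightening to 256-bit suites before the threshold is meaningful. Second, a simple bind over the socket, for example `ldapwhoami -x -H ldapi:/// -D cn=ReadOnly,dc=example,dc=com -W`, should now return the DN instead of `Confidentiality required`, while the same bind over `ldap://` without `-ZZ` should still be refused.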