Answer by Lætitia for Configure OpenLDAP with TLS=required

This is achieved with the TLSCipherSuite option. An example is documented in the LDAP security chapter of the OpenLDAP Zytrax book. With it you can tell OpenLDAP the cipher suites that your server will accept. For example, you can tell it that you don't want a NULL cipher suite (i.e. an unencrypted session).

Be careful, though, that OpenLDAP can be linked against either the OpenSSL or the GnuTLS library. Those use different cipher lists to describe their encryption support. The OpenSSL cipher list can be obtained with a command like openssl ciphers -v and the GnuTLS list with gnutls-cli -l.

The simplest way to disable connecting without encryption would then be:

dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: ALL:!NULL

A more specific restriction using GnuTLS syntax:

dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: TLS_RSA_CAMELLIA_128_CBC_SHA1:TLS_RSA_CAMELLIA_256_CBC_SHA1:!NULL

A more complete example might be (using OpenSSL syntax):

dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:@STRENGTH:+SHA:+MD5:!NULL

There's an OpenLDAP mailing list discussion worth reading about a similar question.

It's also worth noting that the OpenLDAP CLI tools, like ldapsearch, automatically switch to TLS when connecting to a server that forbids unencrypted connections. That means that you do not need to add -Z to the argument list.
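As an added illustration (not part of Lætitia's answer), a small Python evaluator for the OpenSSL cipher-list syntax used in olcTLSCipherSuite. It makes the difference between the prefixes visible: `!` removes suites for good, while a leading `+` only moves matching suites to the end of the list, so in the longer example above `+MD5` demotes MD5 suites rather than disabling them. The suite table and the keyword subset are constructed for this example and are much smaller than what `openssl ciphers -v` really prints.

```python
"""Mini evaluator for the OpenSSL cipher-list syntax used in olcTLSCipherSuite.

Implements the core rules of ciphers(1) on a constructed suite table: a word
is a set of keywords joined with '+' (all must match), a ':' list adds matches
in order, '!' removes permanently, '-' removes but allows re-adding, a leading
'+' moves matches to the end, and '@STRENGTH' sorts by key size.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    protocol: str  # protocol column as printed by `openssl ciphers -v`
    enc: str       # encryption algorithm family
    bits: int      # symmetric key size; 0 means NULL (unencrypted) session
    mac: str


# Constructed sample, a small subset of what a real `openssl ciphers -v` prints.
SUITES = [
    Suite("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2", "AESGCM", 256, "AEAD"),
    Suite("AES256-SHA", "SSLv3", "AES", 256, "SHA1"),
    Suite("AES128-SHA", "SSLv3", "AES", 128, "SHA1"),
    Suite("CAMELLIA128-SHA", "SSLv3", "Camellia", 128, "SHA1"),
    Suite("RC4-MD5", "SSLv3", "RC4", 128, "MD5"),
    Suite("NULL-SHA", "SSLv3", "None", 0, "SHA1"),
    Suite("NULL-MD5", "SSLv3", "None", 0, "MD5"),
]


def matches(s, kw):
    """Keyword semantics for the subset of ciphers(1) used on this page.
    A keyword not listed here matches only a suite of exactly that name."""
    return {
        "ALL": s.bits > 0,  # ALL already excludes eNULL suites in OpenSSL
        "NULL": s.bits == 0, "eNULL": s.bits == 0,
        "HIGH": s.bits > 128, "MEDIUM": s.bits == 128, "LOW": 0 < s.bits < 128,
        "SHA": s.mac == "SHA1", "SHA1": s.mac == "SHA1", "MD5": s.mac == "MD5",
        "SSLv3": s.protocol == "SSLv3", "TLSv1.2": s.protocol == "TLSv1.2",
    }.get(kw, s.name == kw)


def evaluate(spec, suites=SUITES):
    """Return the ordered list of suite names a cipher string enables."""
    enabled, killed = [], set()
    for word in filter(None, spec.split(":")):
        if word == "@STRENGTH":
            enabled.sort(key=lambda s: -s.bits)  # stable sort keeps ties
            continue
        op, body = (word[0], word[1:]) if word[0] in "!-+" else ("", word)
        hit = {s for s in suites if all(matches(s, k) for k in body.split("+"))}
        if op == "!":               # permanent ban: cannot be re-added later
            killed |= hit
        if op in ("!", "-"):        # both drop the current matches
            enabled = [s for s in enabled if s not in hit]
        elif op == "+":             # demote to the end, but keep enabled
            enabled = ([s for s in enabled if s not in hit]
                       + [s for s in enabled if s in hit])
        else:                       # plain word: append new matches in table order
            enabled += [s for s in suites if s in hit and s not in enabled and s not in killed]
    return [s.name for s in enabled]
```

Running `evaluate` on the third example from the answer shows RC4-MD5 still enabled (last in the list), whereas `ALL:!MD5` drops it.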

