I wasn’t aware that you use OpenLDAP. Have a look at this thread.
It was found that OpenLDAP fails to work with STARTTLS, as binding will use the anonymous user and not the bind_dn value.
The workaround there was to use either SSL or enable anonymous access in OpenLDAP and keep STARTTLS on. Unfortunately, the second workaround opens the door to OpenLDAP wide.
Also, in your config you’re pointing to port 636. STARTTLS is using port 389.