Securing cn=config

I'm using OpenLDAP 2.4.11 on FreeBSD 6.2 RELEASE. I have a one user DIT 
(dc=example,dc=com), a cn=monitor DIT (with a rootdn and rootpw) and 
cn=config DIT (with rootdn and rootpw). Access to all the DITs uses 
simple binds. I configured the system to use TLS/SSL on the standard 636 
port. and every works perfectly for all DITs. I can log in either with 
ldap(389) or ldaps (636) schemes.
So I decided to lock down the box and prevent any non-TLS access (to 
DITs). By simply removing the listen on 389 (slapd -h ldaps:/// -u ldap) 
I could accomplish this - but the (perhaps minor) collateral damage was 
that access to cn=subschema with an anonymous bind obviously no longer 
worked (but obviously did using ldaps scheme). In an attempt to get this 
feature back I put back  the listen on port 389 (slapd -h "ldap:/// 
ldaps:///" -u ldap) and added a global ACL of
access to * tls_ssf=128 break
Which works perfectly for the user DIT but obviously since I login to 
cn=monitor an cn=config via the rootdn had no effect. I removed the 
global ACL and added
security simple_bind=128
And this where is got interesting:
1. Access via ldap on the user DIT and on cn=monitor where both 
inhibited and connections (rightly) refused whereas in both cases access 
via ldaps was accepted.
2. I could bind anonymously to rootDSE and cn=subschema which I wanted
3. cn=config would accept either a ldap (389) or an ldaps (636) 
connection. Apparently by-passing the security simple_bind=128 check.
a. Is this expected?
b. is there a better way to do it?
c. Am I (more than likely) missing something? (on searching the archives 
I saw a note from Quannah suggesting that he was using some sort of SASL 
service to inhibit access).