Hi @alecks,
the STARTTLS command is supported on port 389, and is the preferred method if the clients have it.
Check the admin’s password has been correctly set. The admin’s DN should be
uid=admin,ou=People,dc=directory,dc=nh
or, if your domain part is example.com
uid=admin,ou=People,dc=example,dc=com
The port 636 is disabled by default: it could be enabled with a couple of commands…