Because of http://pkgs.fedoraproject.org/cgit/rpms/openldap.git/commit/?h=f25&id=592250ebfbcc7aa47f22bf1f8613fe20f33fd39a slapd will always disable all ciphers except some SHA1 and MD5 ones. All SHA1 and MD5 ciphers are disabled for some clients (ldapsearch for example) so using openldap is impossible. Idea: Revert to openssl, as openssl supports setting a list of cipher suites, which is important for servers.
Efforts towards OpenSSL are currently in progress, see bug 1400570 for more info. I'm fixing the issue in NSS implementation by issuing following commits: http://pkgs.fedoraproject.org/cgit/rpms/openldap.git/commit/?h=f25&id=22dbdbf78a40c4f6b65eb6aed0f35ff10032fd7a http://pkgs.fedoraproject.org/cgit/rpms/openldap.git/commit/?h=f25&id=0cc5bf72542ebb0e26227e09fc1950dabda739bf
openldap-2.4.44-7.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-ceb1b8659e
openldap-2.4.44-7.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-ceb1b8659e
openldap-2.4.44-7.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.