Additionally, the nmap script I mentioned previously checks for the ciphers supported by the appliance (as well as others), but does not find the matching ciphers on the LDAP server.
It appears I overlooked an error with the openssl s_client output when specifying the desired cipher, so I've included the output below in case it is helpful. (I added the -servername as I saw several forum posts indicating the error may be due to SNI.)
$ openssl s_client -connect freeipa-01.example.com:389 -starttls ldap -cipher ECDHE-ECDSA-AES256-SHA384 -servername freeipa-01.example.com CONNECTED(00000003) 140205386876816:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 104 bytes and written 183 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1592520534 Timeout : 300 (sec) Verify return code: 0 (ok) ---
I should note the connection succeeds with a number of other ciphers. I appears the server supports the ciphers, but the connection still fails.