There appears to be a bug in the underlying libldap library that will set the ssf level to 128 when talking to OpenLDAP in EL6 systems iff there is a 128 bit cipher set in the cipher list.
This affects both the LDAP command line utilities as well as SSSD and needs to be addressed in both places.
The impact of this is that EL6 systems will not be able to talk to a server with an ssf setting over 128.
Issue discovered by when running the system in FIPS mode during final release testing for 6.0.0-0
Issue debugged, code in development.