diff --git a/docs/releasenotes.rst b/docs/releasenotes.rst index 3961f395604a5fb73c31e4806d703a72da835f63..042f144430ecabae944a5bcbacd3375c1be06677 100644 --- a/docs/releasenotes.rst +++ b/docs/releasenotes.rst @@ -17,10 +17,15 @@ Upgraded to Ansible 10.4.x. Dropped support for Debian 11 * ``passlib`` Python package is now (explicitly) required for using the roles. +* ``ldap_server`` role + + * The role no longer officially supports older versions of TLS + (TLSv1.1 and lower). + * ``web_server`` role * The role no longer officially supports older versions of TLS - (TLSv1.1 and below). + (TLSv1.1 and lower). **New features/improvements** @@ -29,6 +34,11 @@ Upgraded to Ansible 10.4.x. Dropped support for Debian 11 * Switched to using Paramiko + SFTP backend (instead of pexpect + SFTP), which should improve the backup performance. +* ``ldap_server`` role + + * TLSv1.3 is now enabled by default (in addition to TLSv1.2), + alongside the mandatory ciphers. + * ``web_server`` role * TLSv1.3 is now enabled by default (in addition to TLSv1.2), diff --git a/docs/rolereference.rst b/docs/rolereference.rst index 0a3e1301378af4a052ce9b7b89f6bc6f2a79d961..ca20f083cedd3eabdd6bdc97ca671e16ca8c7504 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst 
@@ -765,7 +765,7 @@ Parameters Minimum *Security Strength Factor* to require from all incoming connections. This applies for both remote and local connections. -**ldap_tls_ciphers** (string, optional ``NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA256:+SHA384:+SHA512:+AEAD:+AES-128-GCM:+AES-256-GCM:+CHACHA20-POLY1305:+CURVE-ALL``) +**ldap_tls_ciphers** (string, optional ``NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-RSA-PSS-RSAE-SHA256:+SIGN-RSA-PSS-RSAE-SHA384:+SIGN-RSA-PSS-RSAE-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA256:+SHA384:+SHA512:+AEAD:+AES-128-GCM:+AES-256-GCM:+CHACHA20-POLY1305:+CURVE-ALL``) .. warning:: Under Debian Bullseye and upwards, slapd does not use the DH @@ -774,11 +774,11 @@ Parameters `_. This is based on the size of role-generated parameters. - TLS ciphers to enable on the LDAP server. This should be a GnuTLS-compatible - cipher specification that should also include what TLS protocol versions - should be used. Value should be compatible with OpenLDAP server option - ``olcTLSCipherSuite``. Default value allows only TLSv1.2 and strong PFS - ciphers. + TLS ciphers to enable on the LDAP server. This should be a + GnuTLS-compatible cipher specification that should also include what + TLS protocol versions should be used. Value should be compatible + with OpenLDAP server option ``olcTLSCipherSuite``. Default value + allows TLSv1.2/TLSv1.3 with strong PFS ciphers and RSA private keys. Distribution compatibility diff --git a/roles/ldap_server/defaults/main.yml b/roles/ldap_server/defaults/main.yml index 208e3fa0c8d9a4a957be8a798f02a1a5077a7dce..fddfab030cd3b63495671f3cc98011d46dd6faaf 100644 --- a/roles/ldap_server/defaults/main.yml +++ b/roles/ldap_server/defaults/main.yml 
@@ -32,11 +32,15 @@ ldap_permissions:
 ldap_tls_ciphers: "NONE:\
 +VERS-TLS1.2:\
++VERS-TLS1.3:\
 +CTYPE-X509:\
 +COMP-NULL:\
 +SIGN-RSA-SHA256:\
 +SIGN-RSA-SHA384:\
 +SIGN-RSA-SHA512:\
++SIGN-RSA-PSS-RSAE-SHA256:\
++SIGN-RSA-PSS-RSAE-SHA384:\
++SIGN-RSA-PSS-RSAE-SHA512:\
 +DHE-RSA:\
 +ECDHE-RSA:\
 +SHA256:\
diff --git a/roles/ldap_server/molecule/default/group_vars/parameters-optional.yml b/roles/ldap_server/molecule/default/group_vars/parameters-optional.yml
index ec2718e61b8440ee0143a4eddc2ae9ea1c0c15f7..9fe2adc68486ace4fbf79901dc7880f9d46fb71f 100644
--- a/roles/ldap_server/molecule/default/group_vars/parameters-optional.yml
+++ b/roles/ldap_server/molecule/default/group_vars/parameters-optional.yml
@@ -55,7 +55,7 @@ ldap_server_domain: "local"
 ldap_server_organization: "Example"
 ldap_server_log_level: 0
 ldap_server_ssf: 0
-ldap_tls_ciphers: "NONE:+VERS-TLS1.1:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:\
+ldap_tls_ciphers: "NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:\
 +SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA1:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL"
 # ldap_client
diff --git a/roles/ldap_server/molecule/default/tests/test_mandatory.py b/roles/ldap_server/molecule/default/tests/test_mandatory.py
index ad9eea7926a6fa34c6935dab17e845e0790c6e0b..696680218870356df326cfd70084396b44c278c7 100644
--- a/roles/ldap_server/molecule/default/tests/test_mandatory.py
+++ b/roles/ldap_server/molecule/default/tests/test_mandatory.py
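Review bot: The `+VERS-TLS1.3:\` entry added to the `ldap_tls_ciphers` default is missing from the documented default in docs/rolereference.rst — the `**ldap_tls_ciphers**` line in this commit's rolereference hunk still lists only `+VERS-TLS1.2:` while its new prose says the default allows TLSv1.2/TLSv1.3 — so an operator who copies the documented string to customize it would silently end up without TLS 1.3. The documented string should carry `+VERS-TLS1.3:` directly after `+VERS-TLS1.2:`, matching this hunk. The new `+SIGN-RSA-PSS-RSAE-*` entries are what let an RSA certificate negotiate TLS 1.3, and together with the pre-existing `+SIGN-RSA-*` entries they are the only signature algorithms enabled, so an ECDSA server key would presumably fail the handshake on either protocol version; a comment such as `# RSA server keys only: no SIGN-ECDSA-* entries are enabled` above `ldap_tls_ciphers` would make that limit visible where the default lives. The value continues past the end of the hunk (the entries after `+SHA256:` are outside this view).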
@@ -73,9 +73,12 @@ def test_tls_version_and_ciphers(host):
 Tests if the correct TLS version and ciphers have been enabled. """
- expected_tls_versions = ["TLSv1.2"]
+ expected_tls_versions = ["TLSv1.2", "TLSv1.3"]
 expected_tls_ciphers = [
+ "TLS_AKE_WITH_AES_128_GCM_SHA256",
+ "TLS_AKE_WITH_AES_256_GCM_SHA384",
+ "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
 "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
diff --git a/roles/ldap_server/molecule/default/tests/test_optional.py b/roles/ldap_server/molecule/default/tests/test_optional.py
index 11f196b93e58dae612afb86adebe8b3fd8b69959..481bdd0c3d2e3d7ad8291ba488640173ef5b1681 100644
--- a/roles/ldap_server/molecule/default/tests/test_optional.py
+++ b/roles/ldap_server/molecule/default/tests/test_optional.py
@@ -75,7 +75,7 @@ def test_tls_version_and_ciphers(host):
 Tests if the correct TLS version and ciphers have been enabled. """
- expected_tls_versions = ["TLSv1.1", "TLSv1.2"]
+ expected_tls_versions = ["TLSv1.2"]
 expected_tls_ciphers = [
 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
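Review bot: The three `TLS_AKE_WITH_*` names added to `expected_tls_ciphers` are a scanner-specific spelling of the TLS 1.3 suites (IANA names them `TLS_AES_128_GCM_SHA256`, `TLS_AES_256_GCM_SHA384` and `TLS_CHACHA20_POLY1305_SHA256`), and nothing in the test records where that convention comes from, so a later change of the tool that enumerates ciphers would fail this test with no obvious cause. A comment above the list, `# TLS 1.3 suites are listed in the scanner's TLS_AKE_WITH_* form, not the IANA TLS_AES_* form`, would make the dependency explicit; I am inferring the scanner from the naming, since the code that collects the negotiated suites lies outside the hunk. The assertions of test_tls_version_and_ciphers are also outside the hunk, so it cannot be confirmed here whether an unexpected extra suite would fail the test; an equality check on the sorted lists, rather than a subset check, is what keeps this test meaningful as a hardening guard.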