diff --git a/docs/rolereference.rst b/docs/rolereference.rst index 4968a4a93aa0b3efaf68b5bfb415828598c81527..a1054ebd6c87d68591cd0ac4a665df9887556d9d 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -449,6 +449,8 @@ destination machine. The role implements the following: * Deploys LDAP TLS private key and certificate. +* Hardens TLS configuration by allowing only TLSv1.2 and PFS ciphers. **Note:** + older clients may have problems connecting. * Installs OpenLDAP server (package ``slapd``). * Configures OpenLDAP server (base DN - domain, organisation, TLS, SSF, log levels). * Sets-up separate log file for OpenLDAP server at ``/var/log/slapd.log`` (with diff --git a/roles/ldap_server/tasks/main.yml b/roles/ldap_server/tasks/main.yml index cda8c4c0906f86816d2dc40d0a51463d3d497b72..7b8787fde3ea0779f36bcba07bc815a2390a7c10 100644 --- a/roles/ldap_server/tasks/main.yml +++ b/roles/ldap_server/tasks/main.yml @@ -60,8 +60,9 @@ notify: - Restart slapd -- name: Configure TLS for slapd +- name: Configure TLS for slapd (includes hardening) ldap_entry: dn=cn=config state=replace olcTLSCertificateFile="/etc/ssl/certs/{{ ldap_server_tls_certificate | basename }}" olcTLSCertificateKeyFile="/etc/ssl/private/{{ ldap_server_tls_key | basename }}" + olcTLSCipherSuite="NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL" notify: - Restart slapd
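Review bot: the new bullet in docs/rolereference.rst should state that the TLSv1.2/PFS restriction is hard-coded, since the accompanying task sets `olcTLSCipherSuite` as a literal string and this diff introduces no role variable for it; an operator who runs into the "older clients may have problems connecting" case the note warns about currently has no supported way to relax it other than editing the role. Either document that limitation here, or add a variable (for example a hypothetical `ldap_server_tls_cipher_suite` defaulting to the new priority string) and reference it in this bullet. It would also help to say concretely what "older clients" means given the visible string: any client that cannot negotiate TLSv1.2 with an RSA (X.509) certificate, SHA-256/384/512 RSA signatures and DHE or ECDHE key exchange.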
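Review bot: in roles/ldap_server/tasks/main.yml the priority string lists `+AES-128-CBC` ahead of `+AES-256-GCM` and `+DHE-RSA` ahead of `+ECDHE-RSA`, which does not express a clear preference for AEAD and ECDHE; if the server is meant to enforce that preference, order the GCM entries and `+ECDHE-RSA` first and add `%SERVER_PRECEDENCE`, since without it GnuTLS lets the client's order decide. `+DHE-RSA` is also enabled while the task sets no `olcTLSDHParamFile`, so the DH group strength depends on whatever slapd/GnuTLS defaults to on the target; either provision DH parameters in this task or drop DHE and rely on `+ECDHE-RSA:+CURVE-ALL`. Lastly, the certificate and key paths come from `ldap_server_tls_certificate` and `ldap_server_tls_key`, but the cipher string is inlined; moving it to a role variable (hypothetical `ldap_server_tls_cipher_suite`) with this value as the default keeps the hardening on by default while remaining overridable for the older clients the docs hunk warns about.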