diff --git a/docs/rolereference.rst b/docs/rolereference.rst index 0f50c06daeb81bc31f8e511467eeb36546f5d90c..d54c328fed64d97aacebaf59cd5e2e17f8e883d0 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -410,16 +410,44 @@ The role implements the following: Parameters ~~~~~~~~~~ -**ldap_entries** (list, mandatory) +**ldap_entries** (list, optional, ``[]``) List of entries that should be kept in the LDAP directory. Each item is a dictionary describing a single LDAP entry, with all of its attributes listed. The keys in this dictionary should be the attribute names. The values should be either strings, for setting a single attribute value, or a list of strings if it is necessary to set multiple values for the same attribute. -**ldap_permissions** (list, mandatory) +**ldap_permissions** (list, optional, ``see below``) List of LDAP access controls to apply to directories served by the LDAP - server. Each item is a dictionary with the following options describing the + server. + + Default value is: + + .. code-block:: yaml + + - filter: '(olcSuffix=BASEDN)' + rules: + - > + to * + by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage + by * break + - > + to attrs=userPassword,shadowLastChange + by self write + by anonymous auth + by dn="cn=admin,BASEDN" write + by * none + - > + to dn.base="" + by * read + - > + to * + by self write + by dn="cn=admin,BASEDN" write + by users read + by * none + + Each item is a dictionary with the following options describing the permissions: **filter** (string, mandatory) 
@@ -436,31 +464,31 @@ Parameters the same as described in `OpenLDAP Administrator's Guide `. -**ldap_server_domain** (string, mandatory) +**ldap_server_domain** (string, optional, ``ansible_facts[host]['domain']``) Domain that should be used for constructing the base DN of default user LDAP database. This should be a sub-domain dedicated to organisation. The base DN will be constructed by putting all elements of the sub-domain as ``dc`` entries (as per standard Debian convention). I.e. ``example.com`` would get transformed into ``dc=example,dc=com``. -**ldap_server_organization** (string, mandatory) +**ldap_server_organization** (string, optional, ``Private``) Organization that should be specified in the base DN entry. -**ldap_server_log_level** (string, mandatory) +**ldap_server_log_level** (string, optional, ``256``) Log level to use for the server. This should be compatible with OpenLDAP configuration option ``olcLogLevel``. See `OpenLDAP Administrator's Guide ` for value description and syntax. -**ldap_server_tls_certificate** (string, mandatory) +**ldap_server_tls_certificate** (string, optional, ``/etc/ssl/certs/FQDN_ldap.pem``) Path to file on Ansible host that contains the X.509 certificate used for TLS for LDAP service. The file will be copied to directory ``/etc/ssl/certs/``. -**ldap_server_tls_key** (string, mandatory) +**ldap_server_tls_key** (string, optional, ``/etc/ssl/private/FQDN_ldap.key``) Path to file on Ansible host that contains the private key used for TLS for LDAP service. The file will be copied to directory ``/etc/ssl/private/``. -**ldap_server_ssf** (number, mandatory) +**ldap_server_ssf** (number, optional, ``128``) Minimum *Security Strength Factor* to require from all incoming connections. This applies for both remote and local connections. diff --git a/roles/ldap_server/defaults/main.yml b/roles/ldap_server/defaults/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..ee9597f97d6fa12a768dbc46f6839f7dce0aea07 
--- /dev/null +++ b/roles/ldap_server/defaults/main.yml @@ -0,0 +1,32 @@ +--- + +ldap_entries: [] +ldap_server_domain: "{{ ansible_facts[host]['domain'] }}" +# Internal value, base DN. +ldap_server_int_basedn: "{{ ldap_server_domain | regex_replace('\\.', ',dc=') | regex_replace('^', 'dc=') }}" +ldap_server_organization: "Private" +ldap_server_log_level: 256 +ldap_server_tls_certificate: "/etc/ssl/certs/{{ ansible_facts[host]['fqdn'] }}_ldap.pem" +ldap_server_tls_key: "/etc/ssl/private/{{ ansible_facts[host]['fqdn'] }}_ldap.key" +ldap_server_ssf: 128 +ldap_permissions: + - filter: '(olcSuffix={{ ldap_server_int_basedn }})' + rules: + - > + to * + by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage + by dn="cn=admin,{{ ldap_server_int_basedn }}" manage + by * break + - > + to attrs=userPassword,shadowLastChange + by self write + by anonymous auth + by * none + - > + to dn.base="" + by * read + - > + to * + by self write + by dn="cn=admin,{{ ldap_server_int_basedn }}" write + by * none
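Review bot: the default shown for ``ldap_permissions`` in this docs hunk does not match the default shipped in ``roles/ldap_server/defaults/main.yml`` in the same patch. The defaults file adds ``by dn="cn=admin,{{ ldap_server_int_basedn }}" manage`` to the first ``to *`` rule, drops the ``by dn="cn=admin,BASEDN" write`` line from the ``userPassword,shadowLastChange`` rule, and drops ``by users read`` from the final ``to *`` rule. The last difference changes effective access: with the shipped default, authenticated users other than the admin cannot read other entries at all, whereas the documented default grants them read. Pick one behaviour and make the docs block a verbatim copy of the defaults (with ``BASEDN`` standing in for the template expression), so readers auditing the ACL see what the role actually applies.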
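Review bot: ``ldap_server_log_level`` is documented here as ``(string, optional, ``256``)`` while the defaults file sets it as the bare integer ``256``; either document the type as a number (``olcLogLevel`` accepts an integer) or quote the default in ``defaults/main.yml`` so the two agree. The new ``ldap_server_int_basedn`` variable introduced in the defaults is also not mentioned anywhere in this reference; a short line noting that it is derived from ``ldap_server_domain`` and is not meant to be overridden would stop users from setting it directly.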
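Review bot: the defaults for ``ldap_server_domain``, ``ldap_server_tls_certificate`` and ``ldap_server_tls_key`` reference ``ansible_facts[host]['domain']`` and ``ansible_facts[host]['fqdn']``, but ``host`` is not a variable Ansible defines; unless the play sets it, evaluating these defaults fails with an undefined variable error before any task runs. The conventional references are ``ansible_facts['domain']`` and ``ansible_facts['fqdn']`` (the current host's own facts); if ``host`` is intentionally a role input, it needs to be listed as a parameter in ``rolereference.rst``, and the documented defaults in the docs hunk should be updated to whichever form is kept.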