diff --git a/docs/rolereference.rst b/docs/rolereference.rst index ad0df851a0deb64a13a5564dc8e89b7ab80bd8c0..5f9f3e4fa3009f8679ae641a514b924901468178 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -484,7 +484,7 @@ destination machine. The role implements the following: * Deploys LDAP TLS private key and certificate. -* Hardens TLS configuration by allowing only TLSv1.2 and PFS ciphers. +* Configures TLS versions and ciphers suppported by the server. * Installs OpenLDAP server (package ``slapd``). * Configures OpenLDAP server (base DN - domain, organisation, TLS, SSF, log levels). * Sets-up separate log file for OpenLDAP server at ``/var/log/slapd.log`` (with @@ -643,6 +643,12 @@ Parameters Minimum *Security Strength Factor* to require from all incoming connections. This applies for both remote and local connections. +**ldap_tls_ciphers** (string, optional ``NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL``) + TLS ciphers to enable on the LDAP server. This should be a GnuTLS-compatible + cipher specification that should also include what TLS protocol versions + should be used. Value should be compatible with OpenLDAP server option + ``olcTLSCipherSuite``. Default value only TLSv1.2 and strong PFS ciphers. + Examples ~~~~~~~~
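Review bot: in the first hunk (the ``docs/rolereference.rst`` bullet list at line 484), the replacement bullet has a typo, "suppported", and it drops the only statement of what the hardened default actually is. Since the role still ships a TLSv1.2-plus-PFS default (per the new ``ldap_tls_ciphers`` description), keep that fact visible here, e.g. "Configures TLS versions and ciphers supported by the server (defaults to TLSv1.2 and PFS ciphers only, see ``ldap_tls_ciphers``)." so a reader skimming the role summary still sees the security baseline and knows it is now overridable.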
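Review bot: in the second hunk (the new ``ldap_tls_ciphers`` parameter entry), the last sentence is missing its verb: "Default value only TLSv1.2 and strong PFS ciphers." should read "The default value allows only TLSv1.2 and strong PFS ciphers." The preceding two sentences also stack "should" three times; "This must be a GnuTLS-compatible priority string that also selects the TLS protocol versions to enable; the value is passed through to the OpenLDAP ``olcTLSCipherSuite`` option." is tighter. Two caveats worth documenting next to the default: the priority string is handed to ``slapd`` unvalidated, so an operator can silently re-enable older protocol versions or non-PFS suites by overriding it, and the default deliberately lists both AEAD (``+AES-128-GCM``, ``+AES-256-GCM``) and CBC (``+AES-128-CBC``, ``+AES-256-CBC``) suites; if the CBC entries are only there for older client compatibility, say so, since an AEAD-only string is the stricter choice.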