diff --git a/docs/rolereference.rst b/docs/rolereference.rst
index 821548ef5bf577119cf45f43256d00b86971941c..f6e10e52db86ed2effb36b2d05b0097edcc7c826 100644
--- a/docs/rolereference.rst
+++ b/docs/rolereference.rst
@@ -626,10 +626,20 @@ Parameters
 
 **ldap_entries** (list, optional, ``[]``)
   List of entries that should be kept in the LDAP directory. Each item is a
-  dictionary describing a single LDAP entry, with all of its attributes
-  listed. The keys in this dictionary should be the attribute names. The values
-  should be either strings, for setting a single attribute value, or a list of
-  strings if it is necessary to set multiple values for the same attribute.
+  dictionary describing a single LDAP entry with the following keys:
+
+  **dn** (string, mandatory)
+    LDAP DN entry.
+
+  **state** (string, optional, ``present``)
+    Whether the entry should be present or not. Value can be anything supported
+    by the ``ldap_entry`` module.
+
+  **attributes** (dictionary, mandatory)
+    Dictionary describing remaining attributes (except ``dn``). The keys in this
+    dictionary should be the attribute names. The values should be either
+    strings, for setting a single attribute value, or a list of strings if it is
+    necessary to set multiple values for the same attribute.
 
 **ldap_permissions** (list, optional, ``see below``)
   List of LDAP access rules to apply to base DN served by the LDAP server. The
@@ -766,19 +776,22 @@ Here is an example configuration for setting-up LDAP server:
 
   ldap_entries:
     - dn: ou=people,dc=example,dc=com
-      objectClass: organizationalUnit
-      ou: people
+      attributes:
+        objectClass: organizationalUnit
+        ou: people
     - dn: ou=groups,dc=example,dc=com
-      objectClass: organizationalUnit
-      ou: groups
+      attributes:
+        objectClass: organizationalUnit
+        ou: groups
     - dn: uid=john,dc=example,dc=com
-      objectClass:
-        - inetOrgPerson
-        - simpleSecurityObject
-      userPassword: somepassword
-      uid: john
-      cn: John Doe
-      sn: Doe
+      attributes:
+        objectClass:
+          - inetOrgPerson
+          - simpleSecurityObject
+        userPassword: somepassword
+        uid: john
+        cn: John Doe
+        sn: Doe
 
 
 XMPP Server