diff --git a/roles/ldap_server/molecule/default/tests/test_mandatory.py b/roles/ldap_server/molecule/default/tests/test_mandatory.py
index 26d6d7b0b7d9c1c68557ab1b3a2236b34793242d..51efd6cd9cfce0361c962aaebb822b70802ec914 100644
--- a/roles/ldap_server/molecule/default/tests/test_mandatory.py
+++ b/roles/ldap_server/molecule/default/tests/test_mandatory.py
@@ -1,7 +1,11 @@
 import os
+import pytest
+
 import testinfra.utils.ansible_runner
+from tls_ciphers import ALL_CIPHERS
+
 testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-mandatory')
@@ -68,14 +72,50 @@ def test_tls_configuration(host):
 assert old_tls_versions_disabled.rc != 0
 assert "CONNECTED" in old_tls_versions_disabled.stdout
- cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-mandatory.local:636")
- assert cipher.rc == 0
- assert "ECDHE-RSA-AES128-SHA256" in cipher.stdout
- cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA -connect parameters-mandatory.local:636")
- assert cipher.rc != 0
- assert "CONNECTED" in cipher.stdout
- assert "ECDHE-RSA-AES128-SHA" not in cipher.stdout
+# @TODO: Under Debian Stretch, the DHE ciphers are not usable due to a
+# bug present in OpenLDAP 2.4.44. See
+# https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1656979 for
+# details. It should be possible to fix this problem once switch to
+# buster is made.
+ENABLED_CIPHERS = [
+ # "DHE-RSA-AES128-GCM-SHA256",
+ # "DHE-RSA-AES256-GCM-SHA384",
+ # "DHE-RSA-CHACHA20-POLY1305",
+ "ECDHE-RSA-AES128-GCM-SHA256",
+ "ECDHE-RSA-AES256-GCM-SHA384",
+ "ECDHE-RSA-CHACHA20-POLY1305",
+]
+
+DISABLED_CIPHERS = sorted(list(set(ALL_CIPHERS)-set(ENABLED_CIPHERS)))
+
+
+@pytest.mark.parametrize("cipher", ENABLED_CIPHERS)
+def test_enabled_tls_ciphers(host, cipher):
+ """
+ Tests available TLS ciphers on the server.
+ """
+
+ hostname = host.run('hostname').stdout.strip()
+ fqdn = hostname
+
+ client = host.run("echo 'Q' | openssl s_client -cipher %s -connect %s:636", cipher, fqdn)
+ assert client.rc == 0
+ assert cipher in client.stdout
+
+
+@pytest.mark.parametrize("cipher", DISABLED_CIPHERS)
+def test_disabled_tls_ciphers(host, cipher):
+ """
+ Tests available TLS ciphers on the server.
+ """
+
+ hostname = host.run('hostname').stdout.strip()
+ fqdn = hostname
+
+ client = host.run("echo 'Q' | openssl s_client -cipher %s -connect %s:636", cipher, fqdn)
+ assert client.rc != 0
+ assert cipher not in client.stdout
 def test_ssf_configuration(host):
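Review bot: `test_disabled_tls_ciphers` drops the `"CONNECTED"` check that the removed inline test had, so a non-zero `rc` no longer proves the server rejected the cipher: if the client-side openssl does not support a name from `ALL_CIPHERS` at all, `s_client -cipher` fails before any connection is made and the test passes without exercising the server. Restore the guard alongside the existing assertions, `assert "CONNECTED" in client.stdout`, so a pass means the handshake reached the listener and was refused there. Two smaller points: both new functions carry the identical docstring "Tests available TLS ciphers on the server." although one asserts acceptance and the other rejection, and `sorted(list(set(ALL_CIPHERS)-set(ENABLED_CIPHERS)))` can be written as `sorted(set(ALL_CIPHERS) - set(ENABLED_CIPHERS))` since `sorted` already returns a list. `fqdn = hostname` is also a bare alias; the `hostname` output could be passed to the connect string directly. The trailing `def test_ssf_configuration(host):` starts a function whose body lies outside this hunk.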