diff --git a/roles/ldap_server/tasks/main.yml b/roles/ldap_server/tasks/main.yml
index 598c20ab54c90b0f92588725de7ad64c05ab5dfa..a3fcaf7a6bc511196c8a48c0eb15c6dbc5cb5495 100644
--- a/roles/ldap_server/tasks/main.yml
+++ b/roles/ldap_server/tasks/main.yml
@@ -91,6 +91,20 @@
   command: "ldapadd -H ldapi:/// -Q -Y EXTERNAL -f /etc/ldap/schema/misc.ldif"
   when: not ldap_misc_schema_present.stdout
 
+# Technically, the only thing this does is pick the size of DH
+# parameters to use, with GnuTLS (against which slapd is linked
+# against under Debian) picking a matching DH parameter from RFC-7919
+# (https://www.ietf.org/rfc/rfc7919.txt).
+- name: Generate the LDAP server Diffie-Hellman parameter
+  openssl_dhparam:
+    owner: root
+    group: openldap
+    mode: 0640
+    path: "/etc/ssl/private/{{ ansible_fqdn }}_ldap.dh.pem"
+    size: 2048
+  notify:
+    - Restart slapd
+
 - name: Deploy LDAP TLS private key
   template:
     src: "ldap_tls_key.j2"
@@ -160,6 +174,13 @@
     values: "/etc/ssl/private/{{ ansible_fqdn }}_ldap.key"
     state: exact
 
+- name: Configure DH parameter
+  ldap_attr:
+    dn: cn=config
+    name: olcTLSDHParamFile
+    values: "/etc/ssl/private/{{ ansible_fqdn }}_ldap.dh.pem"
+    state: exact
+
 - name: Configure TLS cipher suites
   ldap_attr:
     dn: cn=config
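Review bot: `mode: 0640` in the new openssl_dhparam task is an unquoted leading-zero literal, which a YAML 1.1 loader reads as octal and a YAML 1.2 loader as decimal 640; Ansible's mode handling usually copes, but the quoted form `mode: "0640"` is unambiguous and is what ansible-lint expects for file modes, as for the other tasks in this role if they use the same form. The header comment also reads "against which slapd is linked against under Debian" — one of the two "against" should go. Since the comment says the file only selects the RFC 7919 group size under GnuTLS, it would help a future reader to state in the same comment that slapd only picks this file up via the `olcTLSDHParamFile` attribute set further down the file, so the two tasks must keep the same path.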
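Review bot: The DH parameter path `"/etc/ssl/private/{{ ansible_fqdn }}_ldap.dh.pem"` is now written out twice, once in the openssl_dhparam task and once as the `olcTLSDHParamFile` value in this hunk, so a later edit to one copy silently leaves slapd pointing at a file that is no longer generated. Define it once as a role variable, say `ldap_dhparam_path` in the role's defaults, and reference it from both tasks (`path: "{{ ldap_dhparam_path }}"` and `values: "{{ ldap_dhparam_path }}"`), matching how the key path in the preceding context lines could be handled as well. Unlike the generating task, this task has no `notify`; if that is intentional because cn=config changes are applied live, a one-line comment saying so would keep someone from adding a redundant restart.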