diff --git a/roles/xmpp_server/tasks/main.yml b/roles/xmpp_server/tasks/main.yml
index 9df0f8e82e12d4c5d65af7036ed197951306fe95..3d9530728e052b1c23cf9c0cb826b0fc3f2a786b 100644
--- a/roles/xmpp_server/tasks/main.yml
+++ b/roles/xmpp_server/tasks/main.yml
@@ -4,6 +4,23 @@
   apt:
     name: python-apt
 
+- name: Add Debian backports repository for Debian Stretch
+  apt_repository:
+    repo: "deb http://ftp.debian.org/debian {{ ansible_distribution_release }}-backports main"
+    filename: "backports"
+    state: present
+    mode: 0644
+  when: "ansible_distribution_release == 'stretch'"
+
+- name: Pin the lua-ldap package to backports repository for Debian Stretch
+  template:
+    src: "lua_ldap_backports_pin.j2"
+    dest: "/etc/apt/preferences.d/lua-ldap"
+    owner: root
+    group: root
+    mode: 0644
+  when: "ansible_distribution_release == 'stretch'"
+
 - name: Add Prosody repository apt key
   apt_key:
     data: "{{ lookup('file', 'prosody-debian-packages.gpg') }}"
@@ -14,15 +31,18 @@
     repo: "deb http://packages.prosody.im/debian {{ ansible_distribution_release }} main"
     state: present
 
-- name: Install Lua Sec library (needed for TLS)
-  apt:
-    name: lua-sec
-    state: present
-
+# Stick to the 'latest' state to ensure we get pinned package
+# installed in case of distribution upgrades.
 - name: Install Lua LDAP library
   apt:
     name: lua-ldap
-    state: present
+    # [403] Package installs should not use latest
+    #   The latest has to be used when upgrading existing systems to get
+    #   the correct version of lua-ldap with support for Lua 5.2 from
+    #   the backports repository.
+    state: latest  # noqa 403
+  notify:
+    - Restart Prosody
 
 - name: Install Prosody
   apt: