infra/ansible/roles/openldap_server/tasks/tls.yaml

- name: Configure TLS cert
  community.general.ldap_attrs:
    dn: cn=config
    state: present
    attributes:
      olcTLSCertificateFile: "{{ ldap_cert_path }}"
      olcTLSCertificateKeyFile: "{{ ldap_key_path }}"
      olcTLSProtocolMin: "3.3"    # TLS 1.2+
      olcTLSCipherSuite: HIGH:!aNULL:!MD5
  args:
    server_uri: ldapi:///
    sasl_class: external

- name: Require TLS
  community.general.ldap_attrs:
    dn: olcDatabase={2}mdb,cn=config
    state: present
    attributes:
      olcSecurity: tls=1
  args:
    server_uri: ldapi:///
    sasl_class: external