diff --git a/roles/ldap_server/meta/main.yml b/roles/ldap_server/meta/main.yml index d2e19c5..e59e67d 100644 --- a/roles/ldap_server/meta/main.yml +++ b/roles/ldap_server/meta/main.yml @@ -1,7 +1,5 @@ --- - dependencies: - - {role: dhparams} - {role: kerberos} - {role: ldap} - {role: saslauthd} diff --git a/roles/ldap_server/templates/slapd.conf.j2 b/roles/ldap_server/templates/slapd.conf.j2 index 5e35eeb..cc08319 100644 --- a/roles/ldap_server/templates/slapd.conf.j2 +++ b/roles/ldap_server/templates/slapd.conf.j2 @@ -45,11 +45,9 @@ moduleload constraint.la TLSCertificateFile {{ tls_certs }}/{{ ldap_server_cert }}.crt TLSCertificateKeyFile {{ tls_private }}/{{ ldap_server_cert }}.key TLSCACertificatePath /etc/openldap/certs -TLSDHParamFile {{ tls_certs }}/ffdhe3072.pem -TLSVerifyClient try +TLSVerifyClient allow TLSECName prime256v1 -TLSCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 -TLSProtocolMin 3.3 +TLSProtocolMin 3.4 # force hostname to get kerberos working correctly behind proxies sasl-host ldap.foo.sh
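Review bot: The `TLSVerifyClient try` → `TLSVerifyClient allow` change weakens client-certificate handling — `try` terminates the session when a client presents a certificate that fails verification, while `allow` lets the session proceed regardless — and nothing in the hunk records why that is wanted, so the reason belongs in a comment beside the directive, e.g. `# allow: a client cert that fails verification is ignored rather than fatal; confirm SASL EXTERNAL never trusts an unverified cert`. Raising `TLSProtocolMin` to `3.4` makes the listener TLS 1.3-only, which is a compatibility cut for any LDAP client whose TLS stack cannot negotiate 1.3 (older libldap or sssd builds, for instance), and the accompanying removal of `TLSCipherSuite` and `TLSDHParamFile` is consistent with that since neither directive governs TLS 1.3 key exchange or cipher selection; a one-line comment such as `# TLS 1.3 only - clients without TLS 1.3 support cannot connect` would spare the next operator from rediscovering both facts. The removal of the `dhparams` role dependency in the first hunk follows from the same change and needs no separate note.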