diff --git a/ldap/client_test.go b/ldap/client_test.go
index d191223..09424c1 100644
--- a/ldap/client_test.go
+++ b/ldap/client_test.go
@@ -130,6 +130,12 @@ func TestClient_NewClient(t *testing.T) {
 			wantErrIs:       ErrInvalidParameter,
 			wantErrContains: "invalid 'tls_min_version' in config",
 		},
+		{
+			name: "valid-tls-max",
+			conf: &ClientConfig{
+				TLSMaxVersion: "tls13",
+			},
+		},
 		{
 			name: "invalid-tls-max",
 			conf: &ClientConfig{
diff --git a/ldap/config.go b/ldap/config.go
index a861694..1038f68 100644
--- a/ldap/config.go
+++ b/ldap/config.go
@@ -35,7 +35,7 @@ const (
 	DefaultTLSMinVersion = "tls12"
 
 	// DefaultTLSMaxVersion for the ClientConfig.TLSMaxVersion
-	DefaultTLSMaxVersion = "tls12"
+	DefaultTLSMaxVersion = "tls13"
 
 	// DefaultOpenLDAPUserPasswordAttribute defines the attribute name for the
 	// openLDAP default password attribute which will always be excluded