diff --git a/roles/krb5kdcldap/tasks/main.yml b/roles/krb5kdcldap/tasks/main.yml
index 16b7850..bee6ec7 100644
--- a/roles/krb5kdcldap/tasks/main.yml
+++ b/roles/krb5kdcldap/tasks/main.yml
@@ -211,11 +211,11 @@
 mode: '0640'
 notify: restart slapd
-- name: "make 'kerberos' and 'ldap' alias hostnames resolvable from the LAN"
+- name: "make 'kerberos' an alias hostname"
 replace:
 path: /etc/hosts
 regexp: "^({{ ipaddr_lan | ipaddr('address') }}\\s.+)$"
- replace: '\1 kerberos ldap'
+ replace: '\1 kerberos'
 when: not krb5kdc.stat.exists
 ########################
diff --git a/roles/ldap/tasks/main.yml b/roles/ldap/tasks/main.yml
index 25bcf84..6acabec 100644
--- a/roles/ldap/tasks/main.yml
+++ b/roles/ldap/tasks/main.yml
@@ -53,6 +53,13 @@
 dest: /usr/local/sbin/debian-lan
 mode: 0744
+- name: allow ldap service in firewalld
+ firewalld:
+ zone: internal
+ service: ldap
+ permanent: true
+ immediate: true
+ state: enabled
 - name: add dummy user foo
 ldap_entry:
@@ -82,12 +89,3 @@
 bind_dn: "cn=admin,{{ basedn }}"
 bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
 when: foo_pwd is defined and foo_pwd | length > 0
-
-
-- name: allow ldap service in firewalld
- firewalld:
- zone: internal
- service: ldap
- permanent: true
- immediate: true
- state: enabled
diff --git a/roles/ldap/tasks/setup.yml b/roles/ldap/tasks/setup.yml
index c0e207b..013ebf8 100644
--- a/roles/ldap/tasks/setup.yml
+++ b/roles/ldap/tasks/setup.yml
@@ -87,6 +87,12 @@
 regexp: "^(TLS_CACERT\\s+/etc/ssl/certs/ca-certificates.crt)$"
 replace: '#\1\nTLS_CACERT\t{{ certpub }}'
+- name: "make 'ldap' an alias hostname"
+ replace:
+ path: /etc/hosts
+ regexp: "^({{ ipaddr_lan | ipaddr('address') }}\\s.+)$"
+ replace: '\1 ldap'
+
 - name: enable pam-mkhomedir
 command: pam-auth-update --enable mkhomedir
 when: foo_pwd is defined and foo_pwd | length > 0
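Review bot: The `service: ldap` rule moved up in roles/ldap/tasks/main.yml opens 389/tcp for the whole `internal` zone, and that port carries cleartext binds unless slapd itself refuses unencrypted sessions; nothing in this hunk shows that it does. The client configuration in setup.yml points TLS_CACERT at the site certificate, so TLS appears to be intended, but the server-side requirement should be confirmed before the port is exposed. A comment above the task would record the assumption, for example `# 389/tcp only; slapd must require StartTLS before accepting binds`.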
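Review bot: The new "make 'ldap' an alias hostname" task in roles/ldap/tasks/setup.yml has no `when:` guard, unlike the krb5kdcldap task it was split from (`when: not krb5kdc.stat.exists`), so every run in which setup.yml executes matches the line again and appends another ` ldap` to /etc/hosts. Whether setup.yml is included only on first setup is not visible in this hunk, and hosts provisioned before this commit already carry ` kerberos ldap` from the old task. Making the pattern skip lines that already hold the alias keeps the task idempotent, and escaping the address stops its dots from matching any character: `regexp: "^({{ ipaddr_lan | ipaddr('address') | regex_escape }}(?!.*\\sldap(?:\\s|$))\\s.+)$"`.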