Do not deploy LDAP and KDC during installation as it adds too much complexity.

roles/ldap/tasks/main.yml

@@ -5,7 +5,7 @@
   when: ansible_domain | length == 0
 
 - name: check if slapd is already there
-  stat: path=/usr/sbin/slapd
+  stat: path=/etc/ldap/slapd.d/slapd-config.ldif
   register: slapd
 
 - name: preseed ldap domain
@@ -53,7 +53,7 @@
     src: slapd-config.ldif
     dest: /etc/ldap/slapd.d/slapd-config.ldif
   when: not slapd.stat.exists
-  
+
 - name: activate ppolicy schema
   command: ldapadd  -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
   when: not slapd.stat.exists
@@ -116,18 +116,9 @@
     bind_pw: "{{ ldap_admin_pwd }}"
   when: foo_pwd is defined and foo_pwd | length > 0
 
-#############################
-
 - name: allow ldap service in firewalld
   firewalld:
     zone: internal
     service: ldap
     permanent: yes
     state: enabled
-  when: not run_in_installer|default(false)|bool
-
-## Use firewall-offline-cmd when run during installation:
-
-- name: allow ldap service in firewalld
-  command: "firewall-offline-cmd --zone=internal --add-service=ldap"
-  when: run_in_installer|default(false)|bool