diff --git a/roles/ldap/nss/tasks/main.yml b/roles/ldap/nss/tasks/main.yml
index fb0e329..5627ffd 100644
--- a/roles/ldap/nss/tasks/main.yml
+++ b/roles/ldap/nss/tasks/main.yml
@@ -17,6 +17,12 @@
     - shadow
     - group
 
+- name: configure netgroup to use ldap
+  lineinfile:
+    path: /etc/nsswitch.conf
+    regexp: "^netgroup:.*"
+    line: "netgroup: ldap"
+
 - name: allow nslcd user to read host key
   user:
     name: nslcd