Change LDAP directory access in Directory Utility on Mac
You can use Directory Utility to change, duplicate or delete the settings of an LDAP directory configuration. The configuration settings specify how Open Directory accesses an LDAPv2 or LDAPv3 directory.
If you are adding a similar LDAP server that only needs minor connection setting changes, you can duplicate the settings of an existing LDAP connection.
If the LDAP configuration is provided by DHCP, you can’t change it, so this type of configuration is dimmed in the LDAP configurations list.
Change a configuration
In the Directory Utility app on your Mac, click Services.
Click the lock icon.
Enter an administrator’s username and password, then click Modify Configuration (or use Touch ID).
Select LDAPv3, then click the Edit button (looks like a pencil).
If the list of server configurations is hidden, click Show Options.
In the list, select a server configuration.
You can also click Duplicate to make a copy of an existing server configuration, then make minor changes to connect to a different LDAP server.
Make changes as needed to the following settings:
Configuration Name: Double-click a configuration name to edit it.
Server Name or IP Address: Double-click a server name or IP address to change it.
LDAP Mapping: Click the pop-up menu, choose a template, enter the search base suffix for the LDAP directory, then click OK.
If you choose a template (Open Directory or RFC2307), you must enter a search base suffix or the computer can’t find information in the LDAP directory. Typically, the search base suffix is derived from the server’s DNS host name. For example, for a server whose DNS host name is ods.example.com, the search base suffix is “dc=ods,dc=example,dc=com”.
If you choose From Server instead of a template, a search base suffix is not needed. In this case, Open Directory assumes the search base suffix is the first level of the LDAP directory.
If you choose Custom, you must set up mappings between macOS record types and attributes and the object classes and attributes of the LDAP directory you’re connecting to. See Configure LDAP Searches & Mappings.
SSL: Click to enable or disable encrypted communications using the SSL protocol. Before you select SSL, ask your Open Directory administrator if SSL is needed.
To change the following default settings for this LDAP configuration, click Edit to display the options, make changes, then click OK when you’ve finished:
Click Connection to set timeout options and to specify a custom port. See Change connection settings for an LDAP or Open Directory server.
Click Search & Mappings to set up searches and mappings for an LDAP server. See Configure LDAP Searches & Mappings.
Click Security to set up an authenticated connection (instead of trusted binding) and other security policy options. See Change the LDAP connection security policy.
Click Bind to set up trusted binding, or click Unbind to stop trusted binding. (You might not see these buttons if the LDAP directory doesn’t permit trusted binding.) See Set up authenticated binding for an LDAP directory.
To finish changing the configuration, click OK.
If you want the computer to access this LDAP directory configuration, add the directory to a custom search policy in the Authentication or Contacts panes of Search Policy in Directory Utility. See Define search policies.
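As an added example, not from Apple’s documentation: a POSIX shell helper that derives the search base suffix the LDAP Mapping step expects from a server’s DNS host name (ods.example.com becomes dc=ods,dc=example,dc=com), rejects an IP address because it has no domain components to map, and then checks that the suffix actually exists on the server before it is typed into Directory Utility. The host names are constructed, and the check assumes the server accepts an anonymous base-scope search over LDAPS using the OpenLDAP ldapsearch client that ships with macOS.

```shell
#!/bin/sh
# Derive an LDAP search base suffix from a DNS host name and verify it.
# Example host names used here are constructed, not real servers.

derive_search_base() {
    host="$1"
    # Accept only a plain DNS name: labels of letters, digits and hyphens
    # separated by single dots, with no leading or trailing dot.
    case "$host" in
        ''|*..*|.*|*.|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    # One dc= component per label; a numeric last label means the value
    # is an IP address, which has no domain components to map.
    awk -v h="$host" 'BEGIN {
        n = split(h, a, "[.]")
        if (a[n] ~ /^[0-9]+$/) exit 1
        for (i = 1; i <= n; i++) printf "%sdc=%s", (i > 1 ? "," : ""), a[i]
        print ""
    }'
}

# Confirm the suffix exists on the server with a base-scope search for the
# suffix entry itself, over LDAPS so nothing crosses the network in clear
# text. Exit status 0 means the entry was found; 32 is "no such object".
check_search_base() {
    host="$1"
    base="$2"
    ldapsearch -x -H "ldaps://$host" -b "$base" -s base '(objectClass=*)' dn \
        >/dev/null 2>&1
}

# Usage: sh thisscript.sh ods.example.com
if [ -n "${1:-}" ]; then
    base=$(derive_search_base "$1") || {
        echo "not a DNS host name: $1" >&2
        exit 1
    }
    echo "search base suffix: $base"
    if check_search_base "$1" "$base"; then
        echo "suffix found on $1"
    else
        echo "suffix not found on $1 (or server unreachable)"
    fi
fi
```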
Delete a configuration
In the Directory Utility app on your Mac, click Services.
Click the lock icon.
Enter an administrator’s username and password, then click Modify Configuration (or use Touch ID).
Select LDAPv3, then click the Edit button (looks like a pencil).
If the list of server configurations is hidden, click Show Options.
Select a server configuration, click Delete, then click OK.
If you see an alert saying the computer is bound to the LDAP directory and you want to stop trusted binding, click OK, then enter the name and password of an LDAP directory administrator (not a local computer administrator).
If you see an alert saying the computer can’t contact the LDAP server, you can click OK to forcibly stop trusted binding. If you forcibly stop trusted binding, this computer still has a computer record in the LDAP directory. Notify the LDAP directory administrator so the administrator knows to remove the computer from the computer group.
The deleted configuration is removed from the custom search policies for authentication and contacts.