Advanced search policy settings
Each Mac computer has a search policy, also known as a search path, that specifies which directory domains Open Directory can access, such as the computer’s local directory domain and a shared directory.
The search policy also specifies the order in which Open Directory accesses directory domains. Open Directory searches each directory domain and stops searching when it finds a match. For example, Open Directory stops searching for a user record when it finds a record whose user name matches the name it’s looking for.
dsconfigad automatically adds and removes Active Directory servers to the search policy. You can’t disable this option.
Directory Utility defines the following search policies:
Authentication: macOS uses the authentication search policy to locate and retrieve user authentication information and other administrative data from directory domains.
Contacts: macOS uses the contacts search policy to locate and retrieve name, address, and other contact information from directory domains. The Contacts app on your Mac uses this information. Other apps can also be programmed to use it.
Each search policy consists of a list of directory domains. The order in the list defines the search policy. Starting at the top of the list, macOS searches each directory domain until it finds the information it needs or reaches the end of the list without finding the information.
The authentication and contacts search policies can have one of the following settings:
Automatic: Starts with the local directory domain and can include an LDAP directory supplied by DHCP and directory domains that the computer is connected to.
Local directory: Includes only the local directory domain.
Custom path: Starts with the local directory domain and includes your choice of LDAP directories, an Active Directory domain, shared directory domains, and an NIS domain.
The /BSD/local folder is always included in the search path, and is always dimmed.
WARNING: If you configure your Mac to use an automatic authentication search policy and a DHCP-supplied LDAP server, you increase the risk of a malicious user gaining control of your computer. The risk is even higher if your computer is configured to connect to a wireless network. For more information, see Protect computers from a malicious DHCP server.