Define search policies
Using Directory Utility, you can configure a Mac computer’s authentication and contacts search policies to be defined in one of the following ways:
Automatically: Uses the local directory domain and the LDAP directory server specified by the DHCP service. This is the default configuration for the authentication and contacts search policies.
Custom: Uses the local directory domain, and can also include the Open Directory domain (and other LDAP directory domains), the Active Directory domain, shared directory domains, and an NIS domain. If a directory domain specified on a computer’s custom search policy is not available, a delay occurs when the computer starts up.
Local: Uses only the local directory and limits the access a computer has to authentication information and other administrative data. If you restrict a computer’s authentication search policy to use only the local directory, only users with local accounts can log in.
Some apps, such as Mail and Contacts, can access LDAP directories directly, without using Open Directory. To set up one of these apps to access LDAP directories directly, open the app and set the correct preference.
WARNING: If you configure macOS to use an automatic authentication search policy and a DHCP-supplied LDAP server or a DHCP-supplied shared directory domain, you increase the risk of a malicious user gaining control of your computer. The risk is even higher if your computer is configured to connect to a wireless network. For more information, see Protect computers from a malicious DHCP server.
After changing the search policy in the Authentication pane or the Contacts pane of Directory Utility, wait 10 or 15 seconds for the change to take effect.
Define automatic search policies
Click Search Policy, then choose a search policy:
Authentication: Shows the search policy used for authentication and most other administrative data.
Contacts: Shows the search policy used for contact information in apps such as Contacts.
Click the Search pop-up menu, choose Automatic, then click Apply.
In System Preferences, make sure the computer’s Network preferences are configured to use DHCP or DHCP with a manual IP address.
Define custom search policies
Click Search Policy, then choose a search policy:
Authentication: Shows the search policy used for authentication and most other administrative data.
Contacts: Shows the search policy used for contact information in apps such as Contacts.
Click the Search pop-up menu, then choose “Custom path.”
Add directory domains as needed by clicking Add, selecting directories, then clicking Add again.
Change the order of the listed directory domains as needed by dragging them up or down in the list.
Remove listed directory domains that you don’t want in the search policy by selecting them and clicking Delete (–).
Confirm the removal by clicking OK, then click Apply.
Define local directory search policies
Click Search Policy, then choose a search policy:
Authentication: Shows the search policy used for authentication and most other administrative data.
Contacts: Shows the search policy used for contact information in apps such as Contacts.
Click the Search pop-up menu, choose “Local directory,” then click Apply.
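To confirm from Terminal which policy is in effect after any of the procedures above, and to flag the automatic policy that the WARNING describes, a check like the following can be run on each Mac. This is an added example, not part of the original documentation; it assumes the `dscl` nodes `/Search` and `/Search/Contacts` and the `SearchPolicy` attribute values named in its comments, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report which search policy a Mac is using.
# Assumed attribute values, as printed by `dscl <node> -read / SearchPolicy`:
#   NSPSearchPath = Automatic, CSPSearchPath = Custom path,
#   LSPSearchPath = Local directory.

# classify_policy <dscl-output>: prints automatic, custom, local or unknown.
classify_policy() {
    case "$1" in
        *NSPSearchPath*) echo automatic ;;
        *CSPSearchPath*) echo custom ;;
        *LSPSearchPath*) echo local ;;
        *) echo unknown ;;
    esac
}

# audit_node <node> <dscl-output>: prints one finding line. Returns 1 for
# the automatic policy, 2 if the output was not understood, else 0.
audit_node() {
    policy=$(classify_policy "$2")
    case "$policy" in
        automatic)
            echo "FAIL $1: automatic (directory server taken from DHCP)"
            return 1 ;;
        custom|local)
            echo "OK   $1: $policy"
            return 0 ;;
        *)
            echo "WARN $1: search policy not recognised"
            return 2 ;;
    esac
}

# audit_host: checks the authentication node (/Search) and the contacts
# node (/Search/Contacts); lists the custom path so its order can be reviewed.
audit_host() {
    rc=0
    for node in /Search /Search/Contacts; do
        out=$(dscl "$node" -read / SearchPolicy 2>/dev/null)
        audit_node "$node" "$out" || rc=1
        case "$out" in
            *CSPSearchPath*) dscl "$node" -read / CSPSearchPath ;;
        esac
    done
    return "$rc"
}

# Only runs where dscl exists (macOS); elsewhere the functions are just defined.
if command -v dscl >/dev/null 2>&1; then
    audit_host || echo "Review the search policy in Directory Utility."
fi
```

Run it after the 10 to 15 second delay mentioned above so that the reported policy reflects the change just applied.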