Configure Open Directory access in Directory Utility on Mac
When using Directory Utility to bind to an Open Directory server, you must know the server’s DNS name or IP address and whether the server uses Secure Sockets Layer (SSL).
Important: If your computer name contains a hyphen, you might not be able to bind to a directory domain such as LDAP or Active Directory. To establish binding, use a computer name that does not contain a hyphen.
1. In the Directory Utility app on your Mac, click Services.

2. Click the lock icon.

3. Enter an administrator’s user name and password, then click Modify Configuration (or use Touch ID).

4. Select LDAPv3, then click the Edit button (looks like a pencil).

5. Enter the server name or IP address of the Open Directory server in the Server Name or IP Address field.

   Select Encrypt using SSL if you want Open Directory to use Secure Sockets Layer (SSL) for connections. Before you select this, ask your Open Directory administrator if SSL is needed.

   If Directory Utility can’t contact the Open Directory server, you might need to adjust your configuration access settings. See Change connection settings for an LDAP or Open Directory server.

6. Select the new Open Directory server in the list, then click Edit.

7. Click Search & Mappings.

8. Click the “Access this LDAPv3 server using” pop-up menu, choose Open Directory, then enter a search base.

   You must enter a search base suffix so the Mac can find information on the Open Directory server. Typically, the search base suffix is derived from the server’s DNS host name. For example, the search base suffix could be “dc=server,dc=example,dc=com” for a server whose DNS host name is server.example.com.

9. If the directory server supports trusted binding, click Bind, then enter the name and password of a directory administrator.

   Binding might be optional. Trusted binding is mutual: each time the Mac connects to the LDAP directory, the two authenticate each other. If trusted binding is already set up, or the LDAP directory doesn’t support trusted binding, the Bind button does not appear. Make sure you supplied the correct Mac computer name.

   If you see an alert saying that a computer record exists in the directory, try again using a different Mac computer name, or click Overwrite to replace the existing computer record. The existing computer record might be abandoned, or it might belong to another computer that has the identical name.

   Before you replace an existing computer record, notify the LDAP directory administrator to make sure that replacing the record doesn’t disable another computer. If it does, the LDAP directory administrator must give the disabled computer a different name and add it back to the computer group it belonged to.

10. If the Open Directory server requires authentication to connect, select “Use authentication when connecting,” then enter the distinguished name and password of a user account in the directory.

   An authenticated connection is not mutual: the LDAP server authenticates the Mac, but the Mac doesn’t authenticate the LDAP server.

   The distinguished name can specify any user account that has permission to see data in the directory. For example, a user account whose short name is dirauth on an LDAP server whose address is server.example.com would have the distinguished name uid=dirauth,cn=users,dc=server,dc=example,dc=com.

   Important: If the distinguished name or password is incorrect, you cannot log in to the Mac using LDAP directory user accounts.

11. Click OK to finish creating the Open Directory connection.

12. Click OK to finish configuring LDAPv3 options.

13. If you want the Mac to access the LDAP directory you created a configuration for, add the directory to a custom search policy in the Authentication and Contacts panes of Search Policy in Directory Utility. See Define search policies.
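The two values that are easiest to get wrong in the steps above are the search base suffix (derived from the server’s DNS host name) and the distinguished name of the authentication account (which must sit beneath that search base). The following Python script is an added example, not Apple’s code or part of Directory Utility: it derives the search base from a host name the way the page describes, builds a user DN in the cn=users container the page uses for Open Directory, and checks a hand-typed DN against the search base before you enter it in the dialog. The host name server.example.com, the short name dirauth and the hyphen rule for computer names are taken from the page; the function names and the RDN escaping helper are this example’s own.

```python
"""Derive and sanity-check the LDAP values Directory Utility asks for.

Added example (not Apple's code): builds the search base suffix from the
server's DNS host name, builds a user's distinguished name under it, and
checks that a DN entered by hand actually lies beneath the search base.
"""
import re

# Constructed sample host name, taken from the example on the page.
SERVER = "server.example.com"


def search_base_from_dns(host: str) -> str:
    """dc=server,dc=example,dc=com for server.example.com (case-folded,
    trailing dot of a fully qualified name tolerated)."""
    labels = [lab for lab in host.strip().rstrip(".").lower().split(".") if lab]
    if not labels:
        raise ValueError("empty host name")
    return ",".join(f"dc={label}" for label in labels)


def escape_rdn_value(value: str) -> str:
    """Escape characters that are special inside a DN attribute value
    (RFC 4514), so a short name containing a comma cannot split the DN."""
    out = re.sub(r'([,+"\\<>;=])', r"\\\1", value)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def user_dn(short_name: str, search_base: str, container: str = "cn=users") -> str:
    """uid=<short name>,cn=users,<search base>; cn=users is the container
    the page shows for Open Directory user accounts."""
    return f"uid={escape_rdn_value(short_name)},{container},{search_base}"


def split_dn(dn: str) -> list[str]:
    """Split a DN into its RDNs, honouring backslash-escaped commas."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def dn_is_under(dn: str, search_base: str) -> bool:
    """True when dn names an entry strictly beneath search_base.
    Comparison is case-insensitive per RDN, so UID=/DC= spellings match."""
    d = [p.lower() for p in split_dn(dn)]
    b = [p.lower() for p in split_dn(search_base)]
    return len(d) > len(b) and d[-len(b):] == b


def computer_name_ok(name: str) -> bool:
    """The page warns that a hyphen in the Mac's computer name can prevent
    binding to an LDAP or Active Directory domain."""
    return bool(name) and "-" not in name


if __name__ == "__main__":
    base = search_base_from_dns(SERVER)
    dn = user_dn("dirauth", base)
    print("search base:", base)      # dc=server,dc=example,dc=com
    print("bind DN:    ", dn)        # uid=dirauth,cn=users,dc=server,dc=example,dc=com
    print("DN under search base:", dn_is_under(dn, base))
    print("stray DN rejected:   ", not dn_is_under("uid=x,dc=other,dc=com", base))
    print("computer name 'mac-book' acceptable:", computer_name_ok("mac-book"))
```

Run it before filling in step 10: if dn_is_under reports False for the DN you intend to use, the account lives outside the search base you entered in step 8 and lookups will fail even though the password is right.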
Important: If you change the IP address and computer name of your Mac with macOS Server installed while you’re connected to a directory server, you must disconnect and reconnect to the directory server to update the directory with the new computer name and IP address. If you don’t, the directory doesn’t update and continues to use the old computer name and IP address.