The binddnsdomain tool permits one to configure the top-level suffix of Apple's LDAP/NetInfo Bridge. It is part of the NeST tool in Mac OS X Server 10.2.

This procedure is necessary because, unlike most LDAP servers, the LDAP/NetInfo bridge does not store the domain suffix with each entry; instead, it is determined at runtime using the heuristics documented in mkslapdconf(8). (This property is inherited from NetInfo having disjoint namespaces for directories and domains.)

At this time you cannot use it to configure mid-level suffixes; PADL recommend that you accept the default mapping of NetInfo subdomains to organizationalUnits.

Usage is as follows:

binddnsdomain [-r] [<tag>] [<suffix>]

Both the tag and suffix are optional. If the tag is unspecified, the tag "network" is used. If the suffix is unspecified, the RFC 2247 mapping of the local DNS domain is used. The tag must be on the local machine. If the -r option is specified, the NetInfo protocol will be used to update the suffix; otherwise the database will be updated directly.
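As an added example (not part of binddnsdomain or of the original page), the shell function below applies the RFC 2247 mapping used for the default suffix: each DNS label becomes one dc= component, in order. The function name rfc2247_suffix is hypothetical, and the domain is passed as an argument because how the tool itself obtains the local DNS domain is not described here.

```shell
# Added example: RFC 2247 mapping from a DNS domain to an LDAP suffix.
# rfc2247_suffix is a hypothetical helper name, not part of binddnsdomain.
rfc2247_suffix() (
    LC_ALL=C                      # make the [A-Za-z0-9] ranges byte-exact
    domain=${1%.}                 # accept a fully qualified name with one trailing dot

    # Reject empty input and empty labels (leading, trailing or doubled dots).
    case $domain in
        ''|.*|*.|*..*) echo "invalid domain: '$1'" >&2; exit 1 ;;
    esac
    [ "${#domain}" -le 253 ] || { echo "domain too long" >&2; exit 1; }

    suffix=
    IFS=.                         # split on dots; local to this subshell
    set -f                        # no globbing while splitting
    for label in $domain; do
        # Each label must be 1-63 letters, digits or hyphens, and must not
        # start or end with a hyphen. This also keeps DN metacharacters
        # (comma, equals, plus, backslash, quote) out of the generated suffix.
        case $label in
            -*|*-|*[!A-Za-z0-9-]*) echo "invalid label: '$label'" >&2; exit 1 ;;
        esac
        [ "${#label}" -le 63 ] || { echo "label too long: '$label'" >&2; exit 1; }
        suffix="${suffix:+$suffix,}dc=$label"
    done
    printf '%s\n' "$suffix"
)
```

Running rfc2247_suffix padl.com prints the suffix shown in the first example below; a non-zero exit status means the input was not a well-formed DNS name.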

As of binddnsdomain-7, if a suffix is not specified, the correct attributes for the domain objectClass will be added to the root directory, for internal consistency. At present, if a suffix is specified, you must add the necessary objectClass and naming attributes to the root directory yourself.

Here are some examples:

# binddnsdomain world
Bound suffix dc=padl,dc=com to /machines/lennie on tag world.
Updated root directory of tag network with domain objectClass.

# binddnsdomain -r world "o=PADL Software"
Bound suffix o=PADL Software to /machines/lennie on tag world.


  • the suffix configured in the first example above;
  • the NetInfo directory /users/lukeh;
  • the NetInfo domain /Research;
  • the default RFC 2307 schema mapping;

the distinguished name would be:


A subtree or one-level search rooted at the distinguished name cn=users,ou=Research,dc=padl,dc=com would return a search continuation reference (referral) to cn=users,dc=padl,dc=com.

Please note that neither PADL nor Apple offers any support for this tool.

binddnsdomain is available for download via FTP or HTTP.

