PADL Software Pty Ltd

PADL Software Pty Ltd


About PADL


Commercial Software

Contacting PADL


Open Source Software



Research and Development

Technical Support


Advanced Open Directory Configuration

In this article, we answer some questions about advanced configurations of the Open Directory server in Mac OS X 10.2. The Open Directory server is essentially OpenLDAP 2.1.0 (with some fixes from later releases) with the LDAP/NetInfo bridge, developed by PADL for Apple. The source code for Open Directory is available as part of Darwin.

Please note that some of the configurations discussed here may not be supported by Apple. This document is not endorsed by Apple.

Can I configure the Open Directory server on the client version of Mac OS X 10.2?

Yes, however you will need to configure it manually. First, make sure that you have configured a parent NetInfo server (the default configuration is a single parent, or two-level hierarchy, but more complicated setups will also work; see below for more information). The procedure for doing this has not changed significantly since NEXTSTEP, and we do not document it here.

Then, install and run the binddnsdomain tool, which will configure a distinguished name suffix for your parent domain. If you have configured a multi-level NetInfo hierarchy, make sure you specify the correct tag (for example, world, a common root tag for a three-level hierarchy).

Finally, make sure the line:


is present in /etc/hostconfig. After rebooting, LDAP server should be enabled. Some features provided by OS X Server, such as the password server and managed clients, are not available in this configuration.

How do I configure the NetInfo bridge for the local domain or a multi-level NetInfo hierarchy?

Apple ship a static slapd.conf (LDAP server configuration file) that is configured for a single parent domain, using the tag network. For multi-level NetInfo hierarchies, or to publish the local NetInfo domain via LDAP, you will need to use the mkslapdconf tool to generate slapd.conf. A sample usage is shown below; you may also choose to modify the LDAP startup script to automatically invoke it at boot time.

# /System/Library/StartupItems/LDAP/LDAP stop
# mkslapdconf > /etc/openldap/slapd.conf
# /System/Library/StartupItems/LDAP/LDAP start

See the mkslapdconf(1) manual page, or the list of enhancements at the end of this article, for more information on this tool.

How do I prevent LDAP clients writing to clone servers?

The default LDAP server configuration shipped with 10.2 does not prevent LDAP clients writing to clone, if the bridge is enabled on those machines. To fix this, you should use mkslapdconf to generate the configuration file. We recommend you obtain the enhanced version from below, which will also configure slapd to refer attempted updates on clones to the master server.

Why do some modifications fail with a schema violation after running mkslapdconf?

The mkslapdconf tool configures slapd with schema checking enabled, which is not the default in the shipped slapd.conf. To fix this, download the version from the URL below and run mkslapdconf with the –s option:

# mkslapdconf –sn > /etc/openldap/slapd.conf

Note that the –n option omits the local domain, which is consistent with the default configuration on 10.2.

Why is schema checking disabled in the default configuration?

Unlike X.500, NetInfo does not have the concept of schema; only a convention of hierarchical organization of well known keys and values. As such, many Apple customers have created directory entries that lack attributes that are mandatory in RFC 2307. This is apparently commonplace when creating users for AFP-only file service. We would recommend that schema checking be re-enabled where possible, by regenerating slapd.conf. This will ease any migration to other directories that do not permit schema checking to be disabled.

Why do I receive referrals like cldap://broadcasthost/ from the bridge?

If you have configured the bridge for the local domain, and you are using broadcast binding to find your parent NetInfo server, then CLDAP (UDP) referrals will be returned from searches in the local domain. You have three options:

  • change from broadcast to static IP binding
  • do not chase referrals, but configure the LDAP search order separately
  • recompile the LDAP framework to support CLDAP (not trivial, and only useful if you have a single network interface in the present implementation)

How do I configure lookupd to use LDAP for the local domain?

Although this is not a supported configuration, there is a local-only LDAP agent in the Darwin repository. Check out the netinfo project, and build and install the bundle in agents/LL. Alternatively, you could configure DirectoryServices to do this. You will probably need to adjust the lookupd configuration to remove NIAgent from the search path. At this stage, there is no compelling advantage to using LDAP for accessing the local domain.

Why does ldapsearch not work?

There are two possible reasons: first, IPv6 LDAP clients (including the ::1 loopback address, which localhost resolves to) are presently not supported by the bridge. Try using –h instead. Secondly, you will probably need to use the –x option to disable SASL authentication.

Can I use OpenLDAP ACLs as well as NetInfo access control?

Yes, but unless you have configured slapd using the -a option to mkslapdconf (enhanced version only), the NetInfo authorization semantics will always apply.

Will Open Directory work with other LDAP clients?

Any LDAP client that supports RFC 2307 (NIS schema) or RFC 2798 (inetOrgPerson) will work usefully with the bundled Open Directory server. We have successfully tested nss_ldap on AIX, Linux and Solaris, and our NIS/LDAP Gateway against the bridge. OS X Server 10.2 provides an out-of-the-box, LDAP server with excellent management tools that is useful in a heterogeneous UNIX environment.

Does Open Directory support SSL/TLS?

The Open Directory client supports SSL access to LDAP servers. The default configuration of the server does not, but you can enable SSL/TLS in the same way would for any OpenLDAP server.


PADL have made the following enhancements to the mkslapdconf tool shipped with 10.2. A list of differences follows:

  • a new option, -a, to disable NetInfo authorization semantics
  • a new option, -n, to omit the configuration stanza for the local NetInfo domain
  • a new option, -s, to add the "schemacheck off" directive to slapd.conf
  • configuration updated so that updates on clone servers will be referred to the master server
  • corrections to manual page

On a machine with a single parent domain, the following usage will create a configuration file identical to the default:

# mkslapdconf -sn

Binaries of the enhanced version of mkslapdconf are available here. Source code is available in the PR-2984309 branch of the netinfo/tools/mkslapdconf CVS module.

Home | Bugzilla

Copyright 1999-2013 PADL Software Pty Ltd ABN 16 085 895 585. All rights reserved.
PADL is a registered trademark of PADL Software Pty Ltd.