How to begin using Apple Open Directory

Apple Directory Utility
Directory Services is a central location to store user accounts, passwords and groups for corporate and enterprise users. Here's how you can use it on macOS.

Many enterprises need a central place to store information about users, passwords, groups, computers and other networked entities. Most organizations meet this need with a Lightweight Directory Access Protocol (LDAP) server, or with Active Directory, Microsoft's directory service built on LDAP.

Apple's NetInfo directory service came from NeXT, which Apple bought in 1997, and shipped with Mac OS X from its first release. Apple also shipped an application called NetInfo Manager, later replaced by Directory Utility, that let users and administrators browse NetInfo servers for information about users and groups. Directory Services is the collective name for these services: they consolidate user and device information in one place, and that information is then used to authenticate users and to authorize their access to network resources.

NetInfo was not well liked by users or administrators. Apple deprecated it in Mac OS X 10.4 Tiger and removed it in 10.5 Leopard, moving to LDAP instead because LDAP had become the standard for directory services.

Mac OS X Server

Mac OS X Server began as a separate server edition of the operating system and later became an add-on application, sold in the Mac App Store, that could be installed on a retail copy of macOS. It included an LDAP server along with many other services, and it let organizations run their own LDAP servers to store user information and authenticate users. Apple discontinued Server in 2022.

The original Mac OS X Server retail packaging.

Apple Open Directory

Apple Open Directory is built on OpenLDAP and adds a Kerberos key distribution center (KDC) for ticket-based authentication. On macOS, Open Directory is managed by the opendirectoryd background daemon, which brokers every directory lookup and authentication request the system makes, whether the answer comes from the local node, an LDAP server, or an Active Directory domain.
Microsoft Active Directory

Microsoft developed Active Directory during the same period and introduced it with Windows 2000 Server. Active Directory is the most widely used directory service in corporate and organizational networks. AD offers LDAP and Kerberos authentication and Windows domain services, and the wider Active Directory family also provides Group Policy, certificate services and Federation Services. Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based directory and identity service.

Any of these directory services can be queried to authenticate users, to authorize them for network resources, and to look up contact information for particular users. In directory terminology, a domain is a collection of user, group and device objects that is administered as a unit.

Frameworks and development
For development, Apple provides two frameworks that can be added to any Xcode project and linked into a Mac app: the older DirectoryServices.framework, and OpenDirectory.framework, which replaced it. To add them, select a target in your Xcode project, open the General tab, and click the "+" button in the Frameworks, Libraries, and Embedded Content section. From the sheet that appears, add DirectoryServices.framework and OpenDirectory.framework. New code should use OpenDirectory; DirectoryServices is the deprecated C API, kept for compatibility with older software.
The OpenDirectory framework API is surprisingly small: a handful of classes and one protocol, ODQueryDelegate. An ODSession represents a connection to opendirectoryd. From a session you open an ODNode, which may be the local node (/Local/Default), the /Search node that follows the machine's search policy, or a specific LDAP or Active Directory node. An ODQuery runs against a node and returns ODRecord objects, which you can read, modify, or use to verify a password. ODConfiguration describes how a node is configured.

The ODQueryDelegate protocol delivers results when a query is run asynchronously. It consists of a single method, in Swift:

func query(_ inQuery: ODQuery!, foundResults inResults: [Any]!, error inError: Error!)

or in Objective-C:

- (void)query:(ODQuery *)inQuery foundResults:(NSArray *)inResults error:(NSError *)inError;
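The objects described above, used end to end, as an added example that is not code from the original article: a synchronous lookup of a user record, a password check against that record, and the asynchronous delegate form. The node name "/Local/Default", the user short name "alice", the wrong password and the prefix "a" are assumptions made for the example; run it on a Mac with `swift main.swift`.

```swift
import Foundation
import OpenDirectory

// Node names are assumptions for this example. "/Local/Default" is the
// local directory node; "/Search" follows the authentication search path
// set in Directory Utility's Search Policy tab, so it also finds accounts
// from any LDAP or Active Directory server the Mac is bound to.
let localNode = "/Local/Default"

/// Synchronous lookup: open a node, query it for a user record by short
/// name, and return the record's standard attributes (nil if no match).
func lookUpUser(_ shortName: String, inNode nodeName: String = localNode) throws -> [String: [String]]? {
    let session = ODSession.default()
    let node = try ODNode(session: session, name: nodeName)
    let query = try ODQuery(node: node,
                            forRecordTypes: kODRecordTypeUsers,
                            attribute: kODAttributeTypeRecordName,
                            matchType: ODMatchType(kODMatchEqualTo),
                            queryValues: shortName,
                            returnAttributes: kODAttributeTypeStandardOnly,
                            maximumResults: 1)
    // resultsAllowingPartial(false) blocks until the node has answered.
    guard let record = try query.resultsAllowingPartial(false).first as? ODRecord else {
        return nil
    }
    var attributes: [String: [String]] = [:]
    for (key, value) in try record.recordDetails(forAttributes: nil) {
        if let name = key as? String, let values = value as? [String] {
            attributes[name] = values
        }
    }
    return attributes
}

/// Authentication check. verifyPassword(_:) throws on a wrong password, a
/// disabled account or a password-policy failure, so a thrown error here is
/// a failed login, not a programming error. Each call counts as a login
/// attempt against the node, so it is subject to any lockout policy.
func authenticate(_ shortName: String, password: String, inNode nodeName: String = localNode) throws -> Bool {
    let node = try ODNode(session: ODSession.default(), name: nodeName)
    let record = try node.record(withRecordType: kODRecordTypeUsers, name: shortName, attributes: nil)
    do {
        try record.verifyPassword(password)
        return true
    } catch {
        return false
    }
}

/// Asynchronous form: ODQueryDelegate receives results in batches on the run
/// loop the query is scheduled on. A nil results array with no error means
/// the query has finished and can be removed from the run loop.
final class UserQueryObserver: NSObject, ODQueryDelegate {
    private var query: ODQuery?          // keep the query alive while it runs
    private let onRecord: (ODRecord) -> Void
    private let onFinish: (Error?) -> Void

    init(onRecord: @escaping (ODRecord) -> Void, onFinish: @escaping (Error?) -> Void) {
        self.onRecord = onRecord
        self.onFinish = onFinish
    }

    /// Find every user whose short name begins with `prefix` in `nodeName`.
    func start(prefix: String, inNode nodeName: String = localNode) throws {
        let node = try ODNode(session: ODSession.default(), name: nodeName)
        let q = try ODQuery(node: node,
                            forRecordTypes: kODRecordTypeUsers,
                            attribute: kODAttributeTypeRecordName,
                            matchType: ODMatchType(kODMatchBeginsWith),
                            queryValues: prefix,
                            returnAttributes: kODAttributeTypeStandardOnly,
                            maximumResults: 0)           // 0 means no limit
        q.delegate = self
        q.schedule(in: RunLoop.main, forMode: .default)
        query = q
    }

    func query(_ inQuery: ODQuery!, foundResults inResults: [Any]!, error inError: Error!) {
        if let error = inError { finish(with: error); return }
        guard let results = inResults else { finish(with: nil); return }
        for case let record as ODRecord in results { onRecord(record) }
    }

    private func finish(with error: Error?) {
        query?.remove(from: RunLoop.main, forMode: .default)
        query = nil
        onFinish(error)
    }
}

// Usage with assumed names; the password is deliberately wrong.
do {
    if let info = try lookUpUser("alice") {
        print("alice: uid=\(info[kODAttributeTypeUniqueID] ?? []) home=\(info[kODAttributeTypeNFSHomeDirectory] ?? [])")
    } else {
        print("no local user named alice")
    }
    print("password accepted:", try authenticate("alice", password: "not-the-password"))
} catch {
    print("directory error: \(error)")
}

let observer = UserQueryObserver(
    onRecord: { print("found \($0.recordName)") },
    onFinish: { error in print("query finished", error.map { "with error \($0)" } ?? "") })
try? observer.start(prefix: "a")
RunLoop.main.run(until: Date(timeIntervalSinceNow: 2))   // let the delegate be called
```

Switching the node name to "/Search" makes the same code answer from whatever the machine's search policy lists, which is how login and sudo behave on a Mac that is bound to a directory server; querying "/Local/Default" directly ignores that policy and is the right choice when you specifically want local accounts.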
To add this functionality to your app, declare a class that conforms to the ODQueryDelegate protocol, implement query(_:foundResults:error:), set an instance of the class as the query's delegate, and schedule the query on a run loop. The method is called each time a batch of results arrives, with the original query object, the records found in that batch, and any error; when the query has finished, the results parameter is nil. Your code decides what to do with the data or errors returned. For more on OpenDirectory.framework, see the Apple Developer Documentation.

Adding the Directory Services Frameworks in Xcode.

Directory Utility

Apple originally shipped the Directory Utility application in /Applications/Utilities. Today the app is tucked away in /System/Library/CoreServices/Applications, most probably because Apple wants organizations to manage users from the cloud. Directory Utility will not work if you copy or move it out of that folder, so make an alias instead: drag the app into the Dock, or hold Command-Option while dragging it to a location on your disk to create an alias there. If you use Kerberos, a second app called Ticket Viewer lives in the same folder. Ticket Viewer has a simple interface: it lets you add or remove identities, choose one identity as the default, and change an identity's password.

Directory Utility offers several services. You can connect to any supported directory server with the File > Connect menu item, or use the three tabs at the top of the main window:

Services
Search Policy
Directory Editor

You must have an administrator password for the service you want to edit in order to use the Directory Editor. The Services tab offers two options: Active Directory and LDAPv3. Click the lock icon at the bottom of the window to authenticate, then select the server type you want to configure. The small pencil icon at the bottom opens a sheet listing directory servers; clicking New on that sheet creates a new directory services configuration.

In the Search Policy tab you can view the Authentication and Contacts search paths, each set to Automatic, Local directory, or Custom path. The search policy is the ordered list of directory domains macOS consults when it authenticates a user or looks up contact information, so a user defined in several domains is resolved from whichever one appears first in the path.

You can edit directory records directly in the Directory Editor tab, again with an administrator password. The Directory Editor is a dangerous place to be, because it is very easy to change important information. Under that tab you can see just about every record in the local node, including the user and group records that control logins and privileges, and configuration records for dozens of daemons, services and networking settings. If you are not careful, you can make changes that render your Mac or server unusable or lock you out of it, so edit a test account first and keep a second administrator account available.

Directory Editor tab of Directory Utility.

For more information on how to use Directory Utility, refer to the Apple Directory Utility User Guide. If you need to connect to a Windows Active Directory server, Apple's Platform Deployment Guide has a page called Integrate Mac computers with Active Directory. LDAP can be a complicated topic that takes some time to learn; the LDAPWiki offers a concise overview.