Define search policies in Directory Utility on Mac
Using Directory Utility, you can configure a Mac computer’s authentication and contacts search policies to be defined:
Automatically: Uses the local directory domain and LDAP directory server specified by the DHCP service and is the default configuration for the authentication and contacts search policies.
Custom: Uses the local directory domain, and can also include the Open Directory domain (and other LDAP directory domains), the Active Directory domain, and shared directory domains. If a directory domain specified on a computer’s custom search policy is not available, a delay occurs when the computer starts up.
Local: Uses only the local directory and limits the access a computer has to authentication information and other administrative data. If you restrict a computer’s authentication search policy to use only the local directory, only users with local accounts can log in.
Some apps, such as Mail and Contacts, can access LDAP directories directly, without using Open Directory. To set up one of these apps to access LDAP directories directly, open the app and choose the correct setting.
WARNING: If you configure macOS to use an automatic authentication search policy and a DHCP-supplied LDAP server or a DHCP-supplied shared directory domain, you increase the risk of a malicious user gaining control of your computer. The risk is even higher if your computer is configured to connect to a wireless network. See Protect your Mac from a malicious DHCP server.
After changing the search policy in the Authentication pane or the Contacts pane of Directory Utility, wait 10 or 15 seconds for the change to take effect.
Define automatic search policies
In the Directory Utility app on your Mac, click Search Policy.
Click the lock icon.
Enter an administrator’s user name and password, then click Modify Configuration (or use Touch ID).
Choose a search policy:
Authentication: Shows the search policy used for authentication and most other administrative data.
Contacts: Shows the search policy used for contact information in apps such as Contacts.
Click the Search Path pop-up menu, choose Automatic, then click Apply.
Choose Apple menu > System Settings, click Network in the sidebar, then make sure the computer’s configured to use DHCP or DHCP with a manual IP address on the right. (You may need to scroll down.)
Define custom search policies
In the Directory Utility app on your Mac, click Search Policy.
Click the lock icon.
Enter an administrator’s user name and password, then click Modify Configuration (or use Touch ID).
Choose a search policy.
Authentication: Shows the search policy used for authentication and most other administrative data.
Contacts: Shows the search policy used for contact information in apps such as Contacts.
Click the Search Path pop-up menu, then choose “Custom path”.
Add directory domains as needed by clicking Add, selecting directories, then clicking Add again.
Change the order of the listed directory domains as needed by dragging them up or down in the list.
Remove listed directory domains that you don’t want in the search policy by selecting them and clicking Delete (–).
Confirm the removal by clicking OK, then click Apply.
Define local directory search policies
In the Directory Utility app on your Mac, click Search Policy.
Click the lock icon.
Enter an administrator’s user name and password, then click Modify Configuration (or use Touch ID).
Choose a search policy:
Authentication: Shows the search policy used for authentication and most other administrative data.
Contacts: Shows the search policy used for contact information in apps such as Contacts.
Click the Search Path pop-up menu, choose “Local directory”, then click Apply.