Explainer: Open Directory

Operating systems have to store a lot of information about users, services, machines, mounts, and all sorts of other things. In traditional Unix, this was largely accomplished using system configuration files. NeXTSTEP version 0.9 changed this when it introduced a centralised NetInfo service. The move was controversial, and its acceptance was initially hampered by the inclusion of DNS name server lookups: when those failed to complete, the whole NetInfo service ground to a halt, and could lock the user out.

Nevertheless, NetInfo was built into the first versions of Mac OS X, until it was progressively replaced with a standards-based alternative known as Open Directory, which first appeared in Mac OS X Server 10.2 in 2002, and subsumed NetInfo completely in Mac OS X client and Server 10.5.

Open Directory is Apple’s implementation of the Lightweight Directory Access Protocol, LDAP. On standalone Macs, a local Open Directory database contains detailed information about each user, groups, all the other information which had been in NetInfo such as services, and links with the password service and Kerberos. The latter is a ticket-based authentication protocol widely used on Windows, Unix and similar systems, which supports signing-on with a single password for multiple services.

An example of the use of Open Directory is with file permissions. When any given user wants access to read or write a file, the system has to check, using their UID (for example 501), whether they’re the owner; failing that, it falls back to whether user 501 is a member of the group which has read-write access. Open Directory can answer the question of whether user 501 is a member of the admin group, for example, thus allowing the system to determine what level of access user 501 has to every file and directory.
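To make the owner-then-group check concrete, here is an added illustration (not code from the article or from macOS) that models the permission decision with group membership resolved from directory records. The records are constructed samples in the `Key: value` layout that `dscl . -read` prints; the user names, UIDs and the `is_member`/`has_access` functions are assumptions for the example.

```python
# Constructed sample records in the "Key: value" layout of `dscl . -read`.
# These are not real output; UIDs, names and memberships are made up.
USER_RECORDS = {
    "alice": "RecordName: alice\nUniqueID: 501\nPrimaryGroupID: 20\n",
    "bob":   "RecordName: bob\nUniqueID: 502\nPrimaryGroupID: 20\n",
}
GROUP_RECORDS = {
    "staff": "RecordName: staff\nPrimaryGroupID: 20\nGroupMembership: root\n",
    "admin": "RecordName: admin\nPrimaryGroupID: 80\nGroupMembership: root alice\n",
}

def parse_record(text):
    """Parse one 'Key: value' record into a dict of string values."""
    rec = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            rec[key.strip()] = value.strip()
    return rec

# Index users by UID and groups by GID, as the directory lookup would.
USERS = {}
for raw in USER_RECORDS.values():
    r = parse_record(raw)
    USERS[int(r["UniqueID"])] = {"name": r["RecordName"], "gid": int(r["PrimaryGroupID"])}
GROUPS = {}
for raw in GROUP_RECORDS.values():
    r = parse_record(raw)
    GROUPS[int(r["PrimaryGroupID"])] = {"name": r["RecordName"],
                                        "members": set(r.get("GroupMembership", "").split())}

def is_member(uid, gid):
    """True if the user's primary group is gid, or the user is listed in the group."""
    user, group = USERS.get(uid), GROUPS.get(gid)
    if user is None or group is None:
        return False
    return user["gid"] == gid or user["name"] in group["members"]

def has_access(uid, owner_uid, group_gid, mode, want):
    """Classic owner/group/other check. mode is the octal permission triple
    (e.g. 0o664); want is 'r', 'w' or 'x'. The first matching class decides:
    a group member denied by the group bits does not fall through to 'other'."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if uid == owner_uid:
        shift = 6
    elif is_member(uid, group_gid):
        shift = 3
    else:
        shift = 0
    return bool((mode >> shift) & bit)
```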

Centralised password services are another essential feature of an operating system. They allow the user to log on once and thus to gain access to all the services to which they’re privileged, instead of having to sign on to each service individually.

Open Directory’s services become even more important across a network, where users may need to log into different systems which could be in different locations. In the days of Mac OS X Server, Open Directory services were one of its key features. Clients looked up information on the server’s database, and authentication was performed against its Kerberos Key Distribution Centre, enabling a user to log onto any of the managed systems on that network. To ensure maximum availability and support up to 200,000 user records, Open Directory databases can be replicated across multiple servers.

Open Directory supports multiple platforms too, including Windows and Linux as well as macOS clients. Similarly, it integrates with mixed server architectures, including Active Directory in Windows Server, and other LDAP services on Unix and Linux servers. In 2005, Apple provided a Technology Brief giving a detailed overview of Open Directory and how it worked in Mac OS X Server.

With the effective demise of macOS Server from 2015 onwards, Open Directory is now almost exclusively seen in its cut-down role in individual macOS systems. Even so, Open Directory and Directory Services play a prominent part in many systems within macOS, and their entries are frequent in the Unified Log.

Even for advanced macOS users, exposure to Open Directory is usually minimal, and confined to very infrequent use of its Directory Utility, itself tucked well out of sight in the /System/Library/CoreServices/Applications folder.

Open Directory has become something of a Cinderella, still handling many fundamental tasks in macOS, even with the arrival of the Secure Enclave, T2 chips, and now the M1 series. And it doesn’t now have anything to do with DNS lookups.