
A brief history of Directory Services

By: hoakley
3 August 2024 at 15:00

Operating systems have to store a lot of information about users, services, machines, mounts, and all manner of other things. In traditional Unix, this had been largely accomplished using system configuration files. NeXTSTEP version 0.9 changed this in 1988 when it introduced a centralised NetInfo service. A controversial move, its acceptance was initially hampered by its inclusion of DNS name server lookups; when those failed to complete, the whole NetInfo service ground to a halt, and could lock the user out.

Nevertheless, NetInfo was built into the first versions of Mac OS X, until it was progressively replaced with Apple’s standards-based alternative named Open Directory, which first appeared in Mac OS X Server 10.2 Jaguar in 2002, and subsumed NetInfo completely in Mac OS X client and Server 10.5 Leopard.

[Screenshot: netinfo2001]

NetInfo Manager, like its successor Directory Utility, was also used to enable the root user and set its password, important features at that time. Above is NetInfo Manager in 2001, and below shows it in the following year.

[Screenshot: netinfo2002]

Open Directory is Apple’s implementation of the Lightweight Directory Access Protocol (LDAP), whose version 3 was released in 1997; Mac OS X has supported both LDAPv2 and LDAPv3. On standalone Macs, a local Open Directory database contains detailed information about each user and group, all the other information that had previously been in NetInfo such as services, and links with the password service and Kerberos. The latter is a ticket-based authentication protocol widely used on Windows, Unix and similar systems, supporting signing-on with a single password for multiple services.

[Screenshot: dirutil2007]

NetInfo Manager’s replacement Directory Utility is seen here in 2007, when it was still relatively new.

An example of the use of Open Directory is with file permissions. When any given user wants access to read or write a file, the system has to check, using their ID number such as 501, whether they’re the owner; failing that, it falls back to whether user 501 is a member of the group that has read-write access. Open Directory can answer the question as to whether user 501 is a member of the admin group, for example, thus allowing the system to determine what level of access user 501 has to every file and directory.
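The owner-then-group decision described above, modelled in Python as an added example (this is not code from the article or from macOS). The user and group records are constructed sample data in the shape of local Open Directory records, with the attribute names the directory uses (UniqueID and PrimaryGroupID on users, PrimaryGroupID and GroupMembership on groups); the model covers only the rwx owner/group/other decision and leaves out root’s override and ACLs.

```python
"""Owner -> group -> other permission decision backed by directory lookups.

USERS and GROUPS are constructed sample records (not from a real Mac) in the
shape of local Open Directory user and group records.
"""

# Constructed user records keyed by RecordName (short name).
USERS = {
    "root":  {"UniqueID": 0,   "PrimaryGroupID": 0},
    "alice": {"UniqueID": 501, "PrimaryGroupID": 20},
    "bob":   {"UniqueID": 502, "PrimaryGroupID": 20},
}

# Constructed group records: the group's numeric id and explicit members.
GROUPS = {
    "wheel": {"PrimaryGroupID": 0,  "GroupMembership": ["root"]},
    "staff": {"PrimaryGroupID": 20, "GroupMembership": ["root"]},
    "admin": {"PrimaryGroupID": 80, "GroupMembership": ["root", "alice"]},
}


def record_name_for_uid(uid):
    """Directory lookup: UniqueID -> RecordName."""
    for name, rec in USERS.items():
        if rec["UniqueID"] == uid:
            return name
    raise LookupError(f"no user record with UniqueID {uid}")


def is_member(uid, gid):
    """Answer 'is user <uid> a member of group <gid>?' as the directory does:
    the user's primary group first, then the group's explicit GroupMembership."""
    name = record_name_for_uid(uid)
    if USERS[name]["PrimaryGroupID"] == gid:
        return True
    for grp in GROUPS.values():
        if grp["PrimaryGroupID"] == gid and name in grp["GroupMembership"]:
            return True
    return False


def effective_mode(uid, owner_uid, group_gid, mode):
    """Return the rwx triple that applies to uid for a file with the given
    owner, group and POSIX mode (for example 0o640).

    The owner bits win if uid owns the file; otherwise the group bits apply
    when the directory says uid belongs to the file's group; otherwise 'other'.
    Root's override and ACLs are deliberately not modelled here.
    """
    if uid == owner_uid:
        bits = (mode >> 6) & 0o7
    elif is_member(uid, group_gid):
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return "".join(ch if bits & b else "-" for ch, b in (("r", 4), ("w", 2), ("x", 1)))


def can_read(uid, owner_uid, group_gid, mode):
    return "r" in effective_mode(uid, owner_uid, group_gid, mode)


def can_write(uid, owner_uid, group_gid, mode):
    return "w" in effective_mode(uid, owner_uid, group_gid, mode)


if __name__ == "__main__":
    # A file owned by user 501, group admin (80), mode rw-rw----.
    for uid in (0, 501, 502):
        print(uid, effective_mode(uid, 501, 80, 0o660))
```

Every question the kernel would need answered about group membership goes through `is_member`, which is the role the article assigns to Open Directory: the file system only holds numeric ids, and the directory turns them into a yes/no answer.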

Centralised password services are another essential feature of an operating system. They allow the user to log on once and thus to gain access to all the services to which they’re privileged, instead of having to sign on to each service individually.

Open Directory’s services become even more important across a network, where users may need to log into different systems which could be in different locations. In the days of Mac OS X Server, Open Directory services were one of its key features. Clients looked up information on the server’s database, and authentication was performed against its Kerberos Key Distribution Centre, enabling a user to log onto any of the managed systems on that network. To ensure maximum availability and support up to 200,000 user records, Open Directory databases can be replicated across multiple servers.

Open Directory supports multiple platforms, including Windows and Linux as well as macOS clients. Similarly, it integrates with mixed server architectures, including Active Directory in Windows Server, and other LDAP services on Unix and Linux servers. In 2005, Apple provided a Technology Brief giving a detailed overview of Open Directory and how it worked in Mac OS X Server.

[Screenshot: dirutil2011]

Directory Utility above is from 2011, and has evolved into the current version below.

[Screenshot: dirutil2024]

With the effective demise of macOS Server from 2015 onwards, Open Directory is now almost exclusively seen in its cut-down role in individual macOS systems. But Open Directory and Directory Services play a prominent part in many systems within macOS, and their entries are frequent in the log. Open Directory’s section in Apple’s developer documentation is now but an empty shell, lacking descriptions and explanations.

Even for advanced macOS users, exposure to Open Directory is usually minimal, and confined to very infrequent use of Directory Utility, tucked well out of sight in the /System/Library/CoreServices/Applications folder.

Open Directory has become something of a Cinderella, still handling many fundamental tasks in macOS, even with the arrival of the Secure Enclave in T2 and Apple silicon chips. And it doesn’t have anything to do with DNS lookups.

Delving deep into user accounts in Directory Services

By: hoakley
31 July 2024 at 14:30

The kernel at the heart of macOS is XNU, standing for X is Not Unix, as, however much macOS might have in common with Unix, once you scratch its surface it’s all very different. Several of you commented recently that what I referred to as a user’s UniqueID should have been termed User ID as it would be in Unix. But dig deeper and you’ll see that macOS does indeed refer to that internally as the UniqueID, because that’s how it’s named for Directory Services in macOS.

Older versions of macOS used to provide advanced options for users in Users & Groups settings, where you could even change a user’s UUID. Then a bright spark thought it would be fun to tell users to change that in a misguided bid to improve their privacy. When someone who seems to know what they’re writing about tells you to do that, you go and try it, don’t you? Only changing a user’s UUID is catastrophic, and most who did so ended up having to rebuild the contents of their Mac from scratch to put the damage right. The lesson is that you should never try anything you don’t understand, for which there’s no simple undo, and which might have serious side-effects. Please don’t do that: it’s such a crazy idea that it’s malicious in intent. As a result, Apple has progressively removed those dangerous advanced user settings, to keep them out of harm’s way.

But there are times when you do need to make such changes, or at least check what current settings are. For those you’ll need Directory Services’ editor, Directory Utility, which is carefully hidden in /System/Library/CoreServices/Applications. Whatever you do, please don’t authenticate to Directory Utility, to ensure that you can’t inadvertently change anything that could give you grief.

Modern Directory Services have a long history that I’ll explain on Saturday morning, but they’re basically descended from NeXTSTEP’s NetInfo and the Lightweight Directory Access Protocol (LDAP) implemented in Apple’s successor Open Directory. These flourished in the days of Mac OS X Server, but since then have carried on quietly serving macOS with information about users, groups, and a whole lot more.

Directory Utility may be hidden away, but it’s still well documented, and its Help book is worth browsing. Unless your Mac is bound to a server providing LDAPv3, Active Directory or similar services, select the Directory Editor at the top and view Users in the node /Local/Default, which is your Mac’s local directory. There you’ll find your personal details, including your UUID as GeneratedUID, your Home folder as NFSHomeDirectory, long user name as RealName, short name as RecordName, and user ID as UniqueID.
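A read-only way to inspect those same attributes, as an added example rather than anything from the article: the block parses a user record in the property-list form that `dscl -plist . -read /Users/<name>` prints (attribute names prefixed with `dsAttrTypeStandard:`, values as arrays) and runs a few consistency checks on GeneratedUID, UniqueID, RecordName and NFSHomeDirectory. The record embedded below is constructed sample data, not a record from a real Mac; the exact key prefix and array layout are my assumptions about that output format, so on a real machine compare against what `dscl` actually prints.

```python
"""Read-only audit of a local Directory Services user record.

SAMPLE_PLIST is constructed sample data shaped like the plist output of
`dscl -plist . -read /Users/<name>` (an assumption about that format);
it is not taken from a real Mac. Nothing here writes to the directory.
"""
import plistlib
import re

SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>dsAttrTypeStandard:GeneratedUID</key>
	<array><string>0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0</string></array>
	<key>dsAttrTypeStandard:NFSHomeDirectory</key>
	<array><string>/Users/alice</string></array>
	<key>dsAttrTypeStandard:PrimaryGroupID</key>
	<array><string>20</string></array>
	<key>dsAttrTypeStandard:RealName</key>
	<array><string>Alice Example</string></array>
	<key>dsAttrTypeStandard:RecordName</key>
	<array><string>alice</string></array>
	<key>dsAttrTypeStandard:UniqueID</key>
	<array><string>501</string></array>
	<key>dsAttrTypeStandard:UserShell</key>
	<array><string>/bin/zsh</string></array>
</dict>
</plist>
"""

PREFIX = "dsAttrTypeStandard:"
# GeneratedUID is an upper-case RFC 4122 style UUID string.
UUID_RE = re.compile(r"^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$")


def parse_record(data):
    """Flatten the plist into {attribute: value}.

    Single-element arrays collapse to one string. RecordName can legitimately
    hold several names (aliases), so it always stays a list.
    """
    raw = plistlib.loads(data)
    rec = {}
    for key, values in raw.items():
        attr = key[len(PREFIX):] if key.startswith(PREFIX) else key
        if attr == "RecordName":
            rec[attr] = list(values)
        else:
            rec[attr] = values[0] if len(values) == 1 else list(values)
    return rec


def audit_user(rec):
    """Return a list of findings; an empty list means the record looks consistent."""
    findings = []
    if not UUID_RE.match(rec.get("GeneratedUID", "")):
        findings.append("GeneratedUID is not a well-formed UUID")
    try:
        uid = int(rec["UniqueID"])
    except (KeyError, ValueError):
        findings.append("UniqueID missing or not numeric")
        uid = None
    # Accounts created in Users & Groups are numbered from 501 upwards;
    # lower ids belong to system and service users.
    if uid is not None and uid < 501:
        findings.append(f"UniqueID {uid} is in the system range")
    names = rec.get("RecordName", [])
    home = rec.get("NFSHomeDirectory", "")
    if uid is not None and uid >= 501 and not any(home == f"/Users/{n}" for n in names):
        findings.append(f"NFSHomeDirectory {home!r} does not match RecordName")
    return findings


if __name__ == "__main__":
    record = parse_record(SAMPLE_PLIST)
    for attr in ("RecordName", "RealName", "UniqueID", "PrimaryGroupID",
                 "GeneratedUID", "NFSHomeDirectory"):
        print(f"{attr:18} {record.get(attr)}")
    print("findings:", audit_user(record) or "none")
```

The point of keeping this read-only is the one the article makes: GeneratedUID is the key that ties a user to their files and keychains, so the useful thing to do with it is check that it is intact, not edit it.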

[Screenshot: dirutil2024]

Listed as users are many of the services your Mac connects to on your behalf, including the App Store, Apple Pay, Find My and more. Each of these has its own UniqueID, PrimaryGroupID, and more. There may also be hidden users that you thought had been removed, and shared folders from years ago. Don’t give way to any temptation to try ‘cleaning’ this up, as it’s all too easy to wreak havoc unintentionally.

In the past, Directory Utility was commonly used to enable the root user and change its password, features that may still be available today in its Edit menu once you’ve authenticated. At one time this was useful, but it shouldn’t be used any more unless you’re advised to by Apple.

Directory Utility is now mainly used when integrating a Mac with a network directory server, including Open Directory (formerly in Mac OS X Server), LDAP on a Linux or other server, and Microsoft’s Active Directory. For the advanced user it gathers important information in one place, and every once in a blue moon it can unscramble a Mac or user account that would otherwise require starting from scratch. But please don’t authenticate and start making changes, as you’ll most likely regret it.
