
Ask Different (Apple)

Q&A for power users of Apple hardware and software

Latest Questions

0 votes
1 answers
408 views
High opendirectoryd CPU usage caused by Qustodio- Any Fix?
I have a 14" M1 Max that gets very poor battery life, which I suspect is mainly due to the installed internet filter, Qustodio, causing high CPU usage from opendirectoryd. As per Activity Monitor, opendirectoryd is constantly using ~20% CPU, but can spike to 40. There is a very causal relationship between opendirectoryd usage and Qustodio. If Qustodio is uninstalled, the usage disappears, and there is an instant spike in usage the moment Qustodio is reinstalled. Opening the console, I see no error messages relating either to opendirectoryd or to Qustodio. Unfortunately, that is as far as I was able to figure out on my own. I don't know why Qustodio is causing such high opendirectoryd usage, nor do I know how to fix it. **What should I do to investigate further, and what can possibly be done to fix it?** Thank you.
Rafael (131 rep)
Oct 22, 2023, 11:48 PM • Last activity: Oct 23, 2023, 06:28 AM
5 votes
1 answers
2262 views
Saving documents from Word directly to SMB share makes them invisible
When saving a Microsoft Word document directly to a SMB share which was mounted using a bookmark and authenticated with an Open Directory "Network User Account", the saved document becomes invisible. This seems to be caused by the `quarantine` flag, which all network shares have when mounted with a bookmark (or AppleScript, for that matter). The flag can be seen by using the `mount` command in Terminal.app:

```
% mount
//test@someServer.local/test on /Volumes/test (smbfs, nodev, nosuid, quarantine, mounted by someUser)
```

**Questions:**

1. Is there a way to create a SMB bookmark that doesn't result in the mounted volume having the quarantine flag?
2. Is there a way to prevent Word.app (or whatever process is responsible) from making the file invisible?

**Affected Environment:**

- macOS Server versions: macOS 11, 10.15, 10.14, 10.13, 10.12 and possibly others
- macOS Client versions: macOS 11, 10.15 and possibly others
- Word versions: 16.48, 16.46, 16.45 and possibly others
- Local user account type: irrelevant; happens to admins, regular users and guests
- User account type to connect to SMB share: "Network User Account" via Apple Open Directory and possibly other directory accounts

**Steps to reproduce:**

1. Open Finder
2. Press Cmd-K to connect to a server
3. Enter server address "smb://someServer" (where someServer can be a domain or an IP address)
4. Select the entered server address and drag it to the desktop, thereby creating a bookmark to the specified SMB server
5. Double-click the bookmark to open it. The typical dialog prompting for user credentials should appear.
6. Enter your user credentials (of a network user account from Open Directory)
7. Mount any share
8. Open Word.app
9. Create a new document and enter some text
10. Save the document on the mounted share

Result: The saved document might appear for an instant, but will then vanish. It can be made visible again using `chflags nohidden`, so it actually is saved but just made invisible by some unknown process.
Andreas Ley (258 rep)
Mar 9, 2021, 10:41 PM • Last activity: Sep 25, 2023, 12:08 PM
5 votes
1 answers
403 views
Slow login and Terminal loading time in Yosemite, possibly related to open directory
I have a problem with slow login times in Yosemite. Logging in is speedy after booting, but after a while (a few days usually) it slows down and can take 20-30 seconds. The time to load a new Terminal window / tab also increases. If I reboot, the problem is fixed...for a while. I tried the answers in [this question](https://apple.stackexchange.com/questions/41743/how-do-i-speed-up-new-terminal-tab-loading-time) and nothing seemed to work. I ran the profiling suggested [here](https://apple.stackexchange.com/a/170842/37113) and this part of the output looks suspicious:

```
+ ! 8118 ??? (in login) load address 0x10583c000 + 0x2a8f [0x10583ea8f]
+ ! 8118 openpam_dispatch (in libpam.2.dylib) + 277 [0x7fff86957a7d]
+ ! 8117 ??? (in ) [0x1058c4bf2]
+ ! : 8117 ??? (in ) [0x1058c40e9]
+ ! : 8117 ODRecordAuthenticationAllowed (in CFOpenDirectory) + 258 [0x7fff9161df85]
+ ! : 8117 transaction_simple (in CFOpenDirectory) + 448 [0x7fff91615274]
+ ! : 8117 _dispatch_semaphore_wait_slow (in libdispatch.dylib) + 213 [0x7fff955c07f6]
+ ! : 8117 semaphore_wait_trap (in libsystem_kernel.dylib) + 10 [0x7fff882b751a]
```

But further Googling hasn't turned up anything helpful for solving the problem. Any ideas on how I can further diagnose or fix this issue?
msridhar (160 rep)
Dec 24, 2015, 07:11 PM • Last activity: Jan 19, 2023, 12:14 PM
1 votes
1 answers
1089 views
How to open a specific directory or folder when click on the "Finder" folder icon on OSX Ventura
When I click on the "Finder" icon on my bottom bar, it always opens the "Recent" folder like this: [image] Now, I want to open a specific folder, for example "Documents", when I click on the "Finder" icon. How am I able to do that? Like this: [image]
Tulon (1347 rep)
Dec 25, 2022, 01:00 PM • Last activity: Dec 25, 2022, 01:03 PM
3 votes
3 answers
2686 views
Why can't I access File Sharing when Open Directory is enabled in macOS Mojave?
Here's the procedure I have followed:

1. Install a fresh copy of macOS Mojave to an APFS volume
2. Perform initial OS configuration and create 'admin' user at first launch. Assign a static IP from 192.168.168.0/24 private network. Use a DNS server located in private network. Ensure IP resolves to a FQDN ('test.mydomain.com') and vice versa.
3. Download macOS Server application (5.7) from App Store
4. Open macOS Server application
5. Create a new Open Directory domain with default options
6. Create a new user 'testuser' to Local Network Directory
7. Create a new group 'testgroup' to Local Network Directory
8. Assign newly created 'testuser' to 'testgroup'
9. Open System Preferences application
10. Open Sharing preferences
11. Enable File Sharing
12. Create a Shared Folder 'myshare' and assign 'testgroup' and 'admin' Read&Write access to it
13. Select 'myshare' and click Options button to ensure SMB sharing is enabled for it
14. Attempt to connect to the file server from a client computer within the same subnet via smb://test.mydomain.com/myshare or alternatively smb://192.168.168.X/myshare either using 'admin' or 'testuser' credentials

In the last step connection fails for both 'admin' and 'testuser' accounts. If I turn Open Directory to Off, I can connect with 'admin' user. Restarts in any phase of the procedure make no difference.

**Why can't I access SMB when Open Directory is enabled?**

Here are the opendirectoryd log entries from creating the OD master (step 5): https://pastebin.com/uQm8b8NM

Here are the opendirectoryd and smbd log entries from login attempt (step 14): https://pastebin.com/U2RS3LYC & https://pastebin.com/7bFNfd8V
hgv (73 rep)
Oct 28, 2018, 09:40 AM • Last activity: May 18, 2022, 03:24 PM
1 votes
1 answers
558 views
What are "Aliases" under Open Directory's local node?
If I run `dscl . -readall Aliases` I get the following:

```
dsAttrTypeNative:members: root
AppleMetaNodeLocation: /Local/Default
RecordName: administrator
RecordType: dsRecTypeStandard:Aliases
-
dsAttrTypeNative:members: root
AppleMetaNodeLocation: /Local/Default
RecordName: dumper
RecordType: dsRecTypeStandard:Aliases
-
dsAttrTypeNative:members: postmaster
AppleMetaNodeLocation: /Local/Default
RecordName: MAILER-AGENT
RecordType: dsRecTypeStandard:Aliases
-
dsAttrTypeNative:members: postmaster
AppleMetaNodeLocation: /Local/Default
RecordName: MAILER-DAEMON
RecordType: dsRecTypeStandard:Aliases
-
dsAttrTypeNative:members: root
AppleMetaNodeLocation: /Local/Default
RecordName: manager
RecordType: dsRecTypeStandard:Aliases
-
dsAttrTypeNative:members: root
AppleMetaNodeLocation: /Local/Default
RecordName: nobody
RecordType: dsRecTypeStandard:Aliases
-
dsAttrTypeNative:members: root
AppleMetaNodeLocation: /Local/Default
RecordName: operator
RecordType: dsRecTypeStandard:Aliases
-
dsAttrTypeNative:members: root
AppleMetaNodeLocation: /Local/Default
RecordName: postmaster
RecordType: dsRecTypeStandard:Aliases
```

When are these aliases used? In particular, I'm worried that a nobody user (which is also a real user) is aliased to root.
Kentzo (379 rep)
Apr 2, 2022, 07:22 AM • Last activity: Apr 3, 2022, 08:27 AM
1 votes
1 answers
4190 views
OS X Maverick 10.9 Import SSL Cert from Windows Server 2008
I created Open Directory and ProfileManager with a self-signed certificate. Now I am trying to replace the self-signed certificate with the already signed certificate currently used on our Active Directory 2008. I exported the .pfx cert following this link: http://www.digicert.com/ssl-support/pfx-import-export-iis-7.htm When I try "Import a Certificate Identity" from the Certificate menu on the left sidebar of Server.app, the application hangs. I also used the keychain to import the .pfx by following this link http://www.digicert.com/ssl-support/p12-import-export-mac-server.htm but it is also not available in Server.app Certificate. Is there any command line that could help or a better way to add a private key + cert to Server.app?
billyduc (123 rep)
Jan 17, 2014, 03:02 AM • Last activity: Mar 9, 2022, 03:00 PM
7 votes
4 answers
37678 views
How to fix failing Open Directory (database "cn=authdata" cannot be opened, err 12) after hang
A Mac OS X Lion 10.7.5 server running Open Directory hung. SSH was still possible but the `sudo reboot` command didn't restart the server within 15 minutes. That is why a power cycle was issued. After the power cycle Open Directory would no longer start and the System log is filled with a new message every 10 seconds:

```
com.apple.launchd (org.openldap.slapd): Exited with code: 1
com.apple.launchd (org.openldap.slapd): Throttling respawn: Will start in 10 seconds
```

Neither repairing disk permissions nor another reboot solves the issue. Slapd in Tool mode outputs:

```
$ sudo /usr/libexec/slapd -Tt
bdb(dc=nl2,dc=probackup,dc=nl): unable to allocate memory for mutex; resize mutex region
bdb_db_open: database "dc=nl2,dc=probackup,dc=nl" cannot be opened, err 12. Restore from backup!
backend_startup_one (type=bdb, suffix="dc=nl2,dc=probackup,dc=nl"): bi_db_open failed! (12)
slap_startup failed (test would succeed using the -u switch)
```

How to fix this?
Pro Backup (4026 rep)
Jan 17, 2013, 02:02 PM • Last activity: Dec 13, 2021, 10:47 AM
4 votes
1 answers
6959 views
Terminal equivalent command for Directory Utility View specific user OD data
I wonder if there's any equivalent terminal command that can output the same data displayed when I search for the domain user under Users in the OD node (`/Active Directory/MYCOMP/...`). The data is a dictionary with fields like AltSecurityIdentities, dsAttrTypeNative:.. , and more. I'm looking for a macOS (10.12+) native command line tool that can extract an input user's AD details, containing fields like AuthenticationAuthority and AltSecurityIdentities, quite similar to the Directory Utility GUI-based application (`/System/Library/CoreServices/Applications/Directory Utility.app`). Is it possible to script user lookups?
Zohar81 (641 rep)
Nov 16, 2021, 05:57 PM • Last activity: Nov 18, 2021, 06:15 PM
0 votes
1 answers
206 views
Where is opendirectory/accounts/login information stored on macos
I have encountered this problem of slow login (https://apple.stackexchange.com/questions/405048/how-can-i-debug-an-extremely-slow-login), and have not found a solution. However, this phenomenon does not exist if I boot up into a fresh system. Since I have a backup of the system from some time ago that was working, I think that if I copy all the system files from that backup over, and then reinstall the system, the issue should be resolved. However, I don't want to copy all system files, because some of them can be outdated, some of them can be databases that are regularly updated, etc. Hence, I wonder if I can just copy the opendirectory folders over and see if things get better (I have backups so I'm not afraid of breaking the system), but I don't know where that information is stored on disk. Where are the data files stored for opendirectory?
Joy Jin (3043 rep)
Nov 16, 2020, 09:03 AM • Last activity: Mar 21, 2021, 12:01 PM
3 votes
4 answers
10932 views
How to fix OD diradmin account?
I am unable to add new accounts nor delete existing accounts in Open Directory despite being authenticated as diradmin. I can change existing user passwords though. Tried rebooting, no change. I was able to create and delete accounts earlier today. The options to create/delete accounts are disabled in the OSX Server Mountain Lion GUI. Suggestions are appreciated.
user40416 (31 rep)
Jan 26, 2013, 12:12 AM • Last activity: Oct 23, 2020, 04:12 PM
0 votes
2 answers
1110 views
Turn off the ability for users to have a password hint
I am working on a security setting for my company that requires users to not have a password hint. Since we have several users that either 1. ignore our security options and 2. purposely go against ones they don't like, I need a way to turn it off in terminal for 10.13-10.15. I know I could create a script that pulls the User lists, and repopulates the opendirectory command to insert a 'blank' password (dscl . -merge /Users/username hint "password hint"), but I would like to turn off the ability as part of the setup. I have scoured the Internet and found nothing so far. Does anyone have any suggestions? PS. I also want to build a profile for it, but we are a ways away from profile management but any suggestions on that would be helpful as well.
Nick Papagorgio (1 rep)
Jul 14, 2020, 03:08 PM • Last activity: Jul 15, 2020, 12:45 PM
7 votes
5 answers
17723 views
opendirectoryd taking up 1/4 of the cpu and driving fans crazy on MacBook Air
Since a couple of days my 2011 13" MBA (i5, 1,7Ghz) has a very strange issue which I don't know how to get rid of. Every now and then (sometimes more times a day) a process called `opendirectoryd` takes up 99-101% of my CPUs. This causes the temperature to go up and after a short while the fans kick in. My MBA is logged in as part of an Active Directory Domain. First I tried waiting a couple of minutes, but the process didn't stop. Rebooting the machine seems to always fix the problem, but that's not exactly my preferred solution for this problem. For now I stick to force killing the process. I need to repeat this 1-2 times per iteration and then there's an undefined period of time in which I'm safe. I'm not sure if it is related to the 10.7.2 update or to something else. I found others having a similar problem. In that case it seems to be related to a Livescribe pen. While I have a Livescribe pen (updated to the latest version of the client software) I don't have any suspicious entries in Console.app. Any help would be appreciated.
mwidmann (2083 rep)
Dec 9, 2011, 05:07 PM • Last activity: Jun 20, 2020, 06:16 PM
2 votes
0 answers
1152 views
Opendirectoryd uses up to 85% CPU. My mac heats up at a high temperature
I am using macOS High Sierra version 10.13.6. For some time, the computer has been heating up to a high temperature and it may even shut down at times. [image] After searching the web, I discovered that one of the causes could be an opendirectoryd process that uses up to 90% of the CPU. It's my first time using a Mac, and I don't know what to do. Some solutions talk about symlinks but I don't even know how to find them. Thank you for helping me.
Ir Delphin Murhabazi (31 rep)
Jun 20, 2020, 06:06 PM
3 votes
1 answers
1148 views
LDAP users in Catalina cannot log in - CRAM-MD5 error in opendirectoryd
I'm using Catalina 10.15.4 OSX as client and FreeBSD 12-1 with openldap-sasl-server-2.4.48_1 as OpenLDAP server. I've configured the LDAP server using Directory Utility.

- I can see the LDAP users on the Directory Editor tab;
- I can use `id user` in terminal showing the user, its groups etc;
- I can use `dscl localhost -read /Search/Users/user` that shows all user info;
- I can use `dscacheutil -q user -a name user` that shows all user info;
- I can change to root in terminal and then `su - user` and it works (I've created the home directory and mapped to #/Users/$uid$);
- BUT I CAN'T login using user.

All network users are enabled to login. I've tried using `ssh user@localhost` and at Login Window. It doesn't work. Setting debug with `odutil set log debug` and taking a look in Console logs:

```
opendirectoryd failed CRAM-MD5 authentication for authzid - '' authcid - '' error 49
opendirectoryd ODRecordVerifyPassword failed with result ODErrorCredentialsInvalid
opendirectoryd nw_path_evaluator_start [78C31F06-08D0-4EF9-B584-EB41028A814D IPv6#0d17d740.389 generic, local: IPv6#ef0057ec.49455, indefinite] path: unsatisfied (No network route)
```

On server, CRAM-MD5 is available.

```
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: SCRAM-SHA-256
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
```

What's going wrong? How to use LDAP users on OSX?

- There are some tutorials on the Internet about editing a directory configuration file (plist). However, this had worked in later versions of OSX.

For example:

```
/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string DIGEST-MD5" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist
/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string CRAM-MD5" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist
/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string NTLM" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist
/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string GSSAPI" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist
```

In Catalina we can no longer edit this file (yourldapserver.plist). I've tried to use another tool, **defaults**, but the file can only be altered if we copy it to another place. At the normal system location we can't edit it to test these configurations.
Jorge (281 rep)
Apr 5, 2020, 07:12 PM • Last activity: May 3, 2020, 12:12 AM
4 votes
1 answers
1971 views
Why doesn't `defaults read` work for obtaining ShadowHashData key in user.plist?
I've read how to obtain the user's password hash on OSX using `sudo defaults read /var/db/dslocal/nodes/Default/users/user.plist ShadowHashData`. However, after giving Terminal "Full Disk Access" on macOS Mojave, I get the following error:

```
The domain/default pair of (/var/db/dslocal/nodes/Default/users/user.plist, ShadowHashData) does not exist.
```

However, the ShadowHashData key can be read by `plutil` and `dscl`, so why doesn't `defaults` work?

Edit:

dscl (works for obtaining user's hash):

```
nlykkei-mbp:~ nlykkei$ sudo dscl . -read /Users/nlykkei dsAttrTypeNative:ShadowHashData
dsAttrTypeNative:ShadowHashData:
 62706c69 73743030 d2010203 ...
```

defaults (doesn't work for obtaining user's hash):

```
sudo defaults read /var/db/dslocal/nodes/Default/users/nlykkei ShadowHashData
2019-08-07 09:16:32.697 defaults[1123:33825] The domain/default pair of (/var/db/dslocal/nodes/Default/users/nlykkei, ShadowHashData) does not exist
```

whoami (user's identity):

```
nlykkei-mbp:~ nlykkei$ whoami
nlykkei
nlykkei-mbp:~ nlykkei$ id
uid=501(nlykkei) gid=20(staff) groups=20(staff),502(access_bpf),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),701(com.apple.sharepoint.group.1)
```

uname (OS version):

```
nlykkei-mbp:~ nlykkei$ uname -a
Darwin nlykkei-mbp 18.6.0 Darwin Kernel Version 18.6.0: Thu Apr 25 23:16:27 PDT 2019; root:xnu-4903.261.4~2/RELEASE_X86_64 x86_64
```

defaults (works without domain argument):

```
nlykkei-mbp:~ nlykkei$ sudo defaults read | head -n 10
{
    "Apple Global Domain" = {
        AKLastIDMSEnvironment = 0;
        AppleKeyboardUIMode = 3;
        "com.apple.sound.beep.flash" = 0;
    };
    bluetoothaudiod = {
    };
    "com.apple.AppleMultitouchMouse" = {
        MouseButtonDivision = 55;
...
```
Shuzheng (1681 rep)
Aug 6, 2019, 08:49 AM • Last activity: Mar 9, 2020, 09:49 AM
1 votes
1 answers
2038 views
Mojave SMB file sharing authentication issues
I'm trying to set up SMB file sharing from one Mac running macOS Mojave to another. The serving Mac runs Server.app and an Open Directory master with Local Network Users. The client is bound to the master. The user accounts on the client are 'Mobile Accounts' except for the administrator account on each Mac. I have an HFS+ volume on the computer that shares, which enabled me to separately test AFP and SMB sharing. AFP sharing of a folder on the HFS+ volume works (with registered user). SMB sharing of a folder on the APFS volume does not work. It looks like an authentication/configuration problem. Looking on the serving side, I see this in the log:

```
default 10:02:52.426557 +0100 smbd Server requires signing, but not auth-bound to Directory Service
default 10:02:52.427298 +0100 smbd Too many groups requested (2147483647). Can cause performance issues when network directories are involved
default 10:02:52.433288 +0100 smbd Too many groups requested (2147483647). Can cause performance issues when network directories are involved
default 10:02:52.448680 +0100 digest-service digest-request: uid=0
default 10:02:52.448713 +0100 digest-service digest-request: init request
default 10:02:52.452971 +0100 securityd found a non-proper sample, skipping...
default 10:02:52.468923 +0100 opendirectoryd Failed to talk to secd after 4 attempts.
default 10:02:52.472453 +0100 digest-service digest-request: init return domain: ALBUS server: ALBUS indomain was:
default 10:02:52.472607 +0100 smbd Server requires signing, but not auth-bound to Directory Service
```

It does work when I set the "Windows File Sharing" flag for a user on. But that is only possible for Local Directory users, not Local Network Directory users. I think I should be able to solve this by solving the `smbd Server requires signing, but not auth-bound to Directory Service` issue. Or I must find a way to add the Local Network Directory users to "Windows File Sharing" (but given the lower security of that it is not what I would like).

I've done all the 'normal' things such as rebooting, turning services off and on again (and both), adding specific access in Server.app (pf) for SMB and (S)LDAP, and I'm now officially out of options.
gctwnl (762 rep)
Jan 12, 2020, 09:43 AM • Last activity: Feb 11, 2020, 05:02 PM
0 votes
1 answers
427 views
How do I remove authenticated Open Directory binding to itself?
In attempts to solve my file sharing issues I have at some point on macOS Mojave + Server, using Directory Utility, bound the Open Directory server to itself using Directory Utility (I was quite desperate). Now, with all the changes I made I was able to get the client machine use authenticated binding to the server machine and now SMB file sharing works. So far so good, but I cannot change the passwords of users anymore. When I try, I get the following error:

```
existing connection is not authenticated and the old password is not present: password change denied
```

DNS is ok. What I can find is that in the past one could 'rekerberize' the server but that information is old (Mavericks) so I don't want to try. I was looking at removing the local authenticated binding on macOS Mojave Server. But in Directory Utility that is greyed out. And I do not dare to remove/recreate the LDAP server with Directory Utility on a production server yet (very scared).
gctwnl (762 rep)
Jan 12, 2020, 12:23 PM • Last activity: Feb 11, 2020, 02:01 PM
1 votes
1 answers
1272 views
Setting up Open Directory for already existing user accounts
I work for a small business; for the few years we've been running we've had individual MacBooks with local user accounts. We need to formalise this a bit in order to get an industry security accreditation; we need to prove password rotation and things like that. I've set up Apple Server on a spare Mac Mini and created the network, and I'm able to set up new users and log in via the connected MacBooks. The issue I have is we've all got long established profiles, apps, settings and so on, so I need a way to get these existing profiles tied to the users. There doesn't seem to be a standard way to do this and any guides/videos I find are very outdated. I created an Open Directory user matching my local user, renamed my user (home) directory, deleted my local account using the root user and signed in to my network user on my MacBook, then logged back into the root, got rid of the network user's user (home) directory and renamed my old one back. I tried to set the ownership of the directory to the network user account but when I logged in it was a world of pain; I couldn't even open apps due to the permissions. I ended up losing my old local account; luckily I was able to get all of my files back and set the user and group permissions to my new user, although I've lost my settings and configs. There was obviously a whole load of other files I wasn't aware of in the Library that just didn't like the change. Is there a way I can link Open Directory users to already existing local Mac users, or somehow switch over? Thanks!
James (11 rep)
Nov 8, 2019, 02:09 PM • Last activity: Nov 8, 2019, 04:11 PM
2 votes
1 answers
395 views
Profile installation failed: No user identifier found in record
I have a Mac High Sierra (10.13.2) connected to Open Directory. The server is an OpenLDAP Linux server. With Apple Configurator I created an Email Profile to config email account. In local users I don't have any problem to install the profile, but with network users I get "Profile installation failed: No user identifier found in record": [image]

The message in Console is:

> error 15:38:54.023485 +0100
> com.apple.preferences.configurationprofiles.remoteservice [ERROR]
> Profile installation (Mail_Profile
> (Mail_Profile.98A029D9-5514-4A3B-A938-9CB338D4DC43:2C9546DD-2002-4486-9D55-395AEAD8555E))
> (Error Domain=CPProfileManager Code=-202 "No user identifier found in
> record." UserInfo={NSLocalizedDescription=No user identifier found in
> record.})

How can I fix this error? Thanks!
cthemudo (121 rep)
Jan 14, 2018, 04:57 PM • Last activity: Oct 19, 2019, 10:56 AM