slapconfig -- tool to configure slapd and related daemons

slapconfig command [command-options] [-q]

slapconfig is a utility for configuring slapd. It must be run by root.

Slapd stand-alone LDAP daemon, responds to LDAP connections .

-q suppress prompts.


-defaultsuffix default suffix which is based on the machine's DNS name, or hostname if DNS is not available.
sudo slapconfig -defaultsuffix
-getclientconfig LDAP client, not a client, or advanced.
sudo slapconfig -getclientconfig
4 - Advanced
-getldapconfig LDAP server settings.
sudo slapconfig -getldapconfig
Search base:
Maximum search results: 500
Search timeout: 60
SSL: off
Backend: (null)
-getmacosxodpolicy property list containing the directory binding settings.
-getmasterconfig list of replicas and replication interval.

sudo slapconfig -getmasterconfig
Not a LDAP server

-getpasswordserveraddress the IP address of the default password server.

sudo slapconfig -getpasswordserveraddress
2016-02-10 22:35:54 +0000 slapconfig -getpasswordserveraddress
2016-02-10 22:35:54 +0000 bool GetPasswordServerAddress(NSString **): Unable to open ldap node: 2000 Node name wasn't found.
2016-02-10 22:35:54 +0000 The passwordserver is not configured.

-getreplicaconfig the master address and last update date.

sudo slapconfig -getreplicaconfig
Not a LDAP serve

-getstyle master, replica, client, or standalone.

sudo slapconfig -getstyle
3 - standalone

-help usage .
-ver sudo slapconfig -ver
LDAP Setup Tool (slapconfig), Apple, Inc., Version 10.11


[--serverID num]
[--guid GGGG-UU-IIII replica-address
Adds a replication link with the specified server. The serverID and GUID of the remote machine you'd like to replicate with. The serverID and GUID can be viewed in the target machine's computer record. Replication links are unidirec- tional, the corresponding command should be run on the target server as well to get full replication working. Caution should be exercised with this command, it is best to avoid replication loops.
-changeip old-ip new-ip
[old-host new-host]
Updates configuration records and files to contain the new host information. It does not change the IP address in Network preferences.
[--certAuthName Name]
[--certAdminEmail Email
[--certOrgName Name]
new-admin new-fullname new-uid
[search base suffix> [realm>]]
Creates a new master LDAP server. Copies the root account to the new master domain. Creates a new directory node administrator.
[--certAdminEmail Email] master IP or name admin user
Create a new replica from an existing LDAP master.
Name Email
Create a CA on the OD master.
-destroyldapserver [diradmin] Turns off the LDAP server and deletes its database. The optional argument of the diradmin account name will then prompt for the diradmin password and will inform all replication peers of the server's destruction.
-promotereplica admin-user archive-path Converts an existing replica into a master using the current database. Path to an archive from the master can given in order to add the root CA's keys to the promoted master.
[--guid GGGG-UU-IIIIDDD] -replica-address
Removes a replication link with the specified server. The GUID of the remote server being removed should be passed in with the --guid option. Replication links are unidirectional, so the corresponding command should be run on the target server to remove the other half of an existing replication link.
-setclient Configures the machine to bind using DHCP if it is not already a client.
-setldapconfig [-maxresults maximum search results>] [-searchtimeout timeout] [-ssl on|off] [-sslcert path to cert>] [-sslkey ] [-sslcacert path to CA cert>]

Applies the specified settings and restarts slapd. Settings not specified are unchanged.

-setstandalone Configures the machine to only use the local directory.
-setmacosxodpolicy [-binding [disabled|enabled|required]] [-cleartext [blocked|allowed]] [-encrypt [yes|no]] [-sign [yes|no]] [-clientcaching [yes|no]] [-man-in-middle [blocked|allowed]]

Sets directory binding options.

-startldapserver Configures launchd to run slapd.
-stopldapserver Configures launchd not to run slapd.
-updateaddresses Merges new interfaces into the list of LDAP replicas.

Password Server

-pwsrekey keysize Divorces the password server from a replicated system and issues a new RSA key. Users in the local and LDAP directories are migrated to the new key. Valid key sizes are 1024, 2048, and 3072. There is a performance penalty when using large keys.
user directory-admin
Converts a user account to have an Open Directory authentication type. A new password server slot and kerberos principal are created. If the user was previously an Open Directory user, the old slot and principal are deleted and replaced.
-startpasswordserver Sets up a launchd plist file and starts the password server.
-stoppasswordserver Sets the launchd plist file to be disabled and stops the password server.


-enableslapdlog Turns on the LDAP server logging to /var/log/slapd.log.
[yes | no]
The LDAP server defaults to running in a "full sync mode" to ensure database transactions are fully flushed to disk. This improves data integrity in the event of a power loss, but can result in slower performance when importing large datasets. Setting this option to no disables this functionality temporarily in order to speed up large imports. After the import has been completed, this option should be set back to yes for normal operation.

Backup and Restore

-backupdb path> Creates an archive containing the LDAP, Password Server and Kerberos databases. It also contains Certificate Authority related data.
-restoredb path> Restores a directory to the backed-up state.


SSOUtilDebugLevel can be set to change the verbosity of the log. Valid values are [0-9]. The default value is 1.


 PID 58581
    currentStepNumber 6
    currentTask backing up LDAP master
    failureCode 78
    failureMessage Error: Cannot backup the server because it is not an Open Directory master.
    percentComplete 100
    timestamp 2016-02-10 22:44:36 +0000