# Storing connection data within LDAP

{% hint style="danger" %}
**This documentation assumes that you have already configured Guacamole to use LDAP for authentication**. If you have not already done so, please [configure Guacamole for LDAP authentication](/kcm-linux-rpm-method/authentication/authenticating-users-with-ldap.md) before proceeding.
{% endhint %}

### Defining the `guacConfigGroup` object class <a href="#id-.storingconnectiondatawithinldapv2.x-definingtheguacconfiggroupobjectclass" id="id-.storingconnectiondatawithinldapv2.x-definingtheguacconfiggroupobjectclass"></a>

When connection data is stored within your LDAP directory, each connection is represented by a special type of LDAP group, and permissions related to Guacamole connections can be managed directly with LDAP based on user membership of these groups. Doing this requires schema modifications which add a new object class called `guacConfigGroup`.

An LDIF file defining the schema changes in a manner compatible with OpenLDAP is provided by the kcm-guacamole-auth-ldap package within `/opt/keeper/share/guacamole-auth-ldap/schema/guacConfigGroup.ldif`. This file can be applied to your OpenLDAP server using the “ldapadd” command:

```
$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /opt/keeper/share/guacamole-auth-ldap/schema/guacConfigGroup.ldif
```

Once this is done, connections can be defined by creating new `guacConfigGroup` objects within the LDAP directory. Each `guacConfigGroup` accepts a single `guacConfigProtocol` attribute, defining the protocol associated with the connection, and any number of `guacConfigParameter` attributes, each defining a connection parameter as a `name=value` pair. Users that should have access to the connection must be added as members of the `guacConfigGroup` using the `member` attribute.

For example, a connection accessible to two users which uses VNC to connect to localhost at port 5900 with the password “secret” could be defined with the following LDIF file. Note that parameter values, the password included, are stored as ordinary cleartext attribute values: any directory client able to read the `guacConfigGroup` entry can read them, so restrict read access to these entries with your directory's access controls:

```
dn: cn=Example Connection,ou=groups,dc=example,dc=net
objectClass: guacConfigGroup
objectClass: groupOfNames
cn: Example Connection
guacConfigProtocol: vnc
guacConfigParameter: hostname=localhost
guacConfigParameter: port=5900
guacConfigParameter: password=secret
member: cn=user1,ou=people,dc=example,dc=net
member: cn=user2,ou=people,dc=example,dc=net
```

### Configuring Guacamole to read connections from LDAP <a href="#id-.storingconnectiondatawithinldapv2.x-configuringguacamoletoreadconnectionsfromldap" id="id-.storingconnectiondatawithinldapv2.x-configuringguacamoletoreadconnectionsfromldap"></a>

#### Auto Docker and Docker Compose Install Method

To read connection data from LDAP, modify the `/etc/kcm-setup/docker-compose.yml` file.

The base DN of all connections defined within LDAP must be specified using the LDAP\_CONFIG\_BASE\_DN property. This base DN should be the DN of the portion of the LDAP directory whose subtree contains all Guacamole connections accessible via LDAP. Only connections defined within the subtree of this base DN will be visible:

```
  guacamole:
        image: keeper/guacamole:2
        environment:
            ACCEPT_EULA: "Y"
            GUACD_HOSTNAME: "guacd"
            MYSQL_HOSTNAME: "db"
            MYSQL_DATABASE: "guacamole_db"
            MYSQL_USERNAME: "guacamole_user"
            MYSQL_PASSWORD: "xxxxxxx"
            
            # LDAP Connection
            LDAP_HOSTNAME: "localhost"
            LDAP_PORT: 389
            LDAP_ENCRYPTION_METHOD: "none"
            ADDITIONAL_GUACAMOLE_PROPERTIES: "extension-priority: *, ldap"
            
            ## Optional Settings ##
            # Read Connections from LDAP
            LDAP_CONFIG_BASE_DN: "ou=connections,dc=example,dc=net"
```

#### Advanced Linux Install Method

To read connection data from LDAP, Guacamole’s main configuration file, `/etc/guacamole/guacamole.properties`, must be modified to define the subtree containing these connections:

```
$ sudo vi /etc/guacamole/guacamole.properties
```

The base DN of all connections defined within LDAP must be specified using the ldap-config-base-dn property. This base DN should be the DN of the portion of the LDAP directory whose subtree contains all Guacamole connections accessible via LDAP. Only connections defined within the subtree of this base DN will be visible:

```
##
## [LDAP-4] LDAP base DN for Guacamole connections ("guacConfigGroup")
##
## The base DN for all Guacamole connections defined directly within the LDAP
## directory using "guacConfigGroup" objects. If connections will not be stored
## within the directory, this property is unnecessary.
##
## If the kcm-guacamole-auth-ldap package has been installed, the LDAP
## schema for "guacConfigGroup" objects can be found at:
##
##   /usr/share/guacamole-auth-ldap/schema/guacConfigGroup.ldif
##
## Alternatively, if your LDAP directory does not accept LDIF files, the schema
## source for "guacConfigGroup" can be found at:
##
##   /usr/share/guacamole-auth-ldap/schema/guacConfigGroup.schema
##

#ldap-config-base-dn: ou=connections,dc=example,dc=net
```

### Controlling access using group membership <a href="#id-.storingconnectiondatawithinldapv2.x-controllingaccessusinggroupmembership" id="id-.storingconnectiondatawithinldapv2.x-controllingaccessusinggroupmembership"></a>

#### Auto Docker and Docker Compose Install Method

To grant access to connections based on LDAP group membership, modify the `/etc/kcm-setup/docker-compose.yml` file.

It is also possible to grant entire groups access to a connection by adding the group's DN to the `seeAlso` attribute of the `guacConfigGroup`. `seeAlso` is a standard LDAP attribute, and Guacamole will only take it into account if the LDAP\_GROUP\_BASE\_DN property is defined. This property defines the root of the subtree containing all groups which may apply to Guacamole users authenticated using LDAP; groups referenced by `seeAlso` must lie within that subtree:

```
  guacamole:
        image: keeper/guacamole:2
        environment:
            ACCEPT_EULA: "Y"
            GUACD_HOSTNAME: "guacd"
            MYSQL_HOSTNAME: "db"
            MYSQL_DATABASE: "guacamole_db"
            MYSQL_USERNAME: "guacamole_user"
            MYSQL_PASSWORD: "xxxxxxx"
            
            # LDAP Connection
            LDAP_HOSTNAME: "localhost"
            LDAP_PORT: 389
            LDAP_ENCRYPTION_METHOD: "none"
            ADDITIONAL_GUACAMOLE_PROPERTIES: "extension-priority: *, ldap"
            
            ## Optional Settings ##
            # Mapping Guacamole groups to LDAP DN's
            LDAP_GROUP_BASE_DN: "ou=groups,dc=example,dc=net"
            LDAP_GROUP_NAME_ATTRIBUTE: "cn"
```

#### Advanced Linux Install Method

It is also possible to grant entire groups access to a connection by adding the group's DN to the `seeAlso` attribute of the `guacConfigGroup`. `seeAlso` is a standard LDAP attribute, and Guacamole will only take it into account if the ldap-group-base-dn property is defined. This property defines the root of the subtree containing all groups which may apply to Guacamole users authenticated using LDAP; groups referenced by `seeAlso` must lie within that subtree:

```
##
## [LDAP-5] LDAP group / group DN description
##
## The base DN of all Guacamole groups within the LDAP directory, and the
## attribute which should be used by Guacamole to uniquely identify the
## group.
##
## If connections are being stored within LDAP using "guacConfigGroup" objects,
## and you wish to control access to these connections via LDAP groups, this is
## accomplished using the standard "seeAlso" attribute and the
## ldap-group-base-dn property is required.
##
## If connections are being stored outside of LDAP, such as within a database,
## and you wish to control access using LDAP groups, both ldap-group-base-dn
## and ldap-group-name-attribute will be required. The group membership of a
## user cannot be queried without a base DN, and the unique name to be used by
## other parts of Guacamole to represent the group cannot be determined without
## the name attribute.
##

#ldap-group-base-dn:        ou=groups,dc=example,dc=net
#ldap-group-name-attribute: cn
```
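The two scoping rules above (only `guacConfigGroup` entries beneath the connection base DN are visible, and `seeAlso` is honoured only when a group base DN is configured and only for groups beneath it) are easy to get wrong when auditing who can reach what. The following script is an added example, not Keeper's or Guacamole's own code: it reads an LDIF export of the directory, resolves the effective user list for each connection under those rules, and flags connections whose `guacConfigParameter` values carry credentials in cleartext. The sample directory, the minimal LDIF parser, and the set of credential parameter names (`password`, `private-key`, `passphrase` are standard Guacamole parameter names) are the example's own assumptions; the parser ignores base64 and URL-valued attributes and does not handle escaped commas in DNs.

```python
"""Added example (not Keeper's or Guacamole's code): from an LDIF export, work out
which user DNs can reach each guacConfigGroup connection under the page's rules,
and flag connections whose parameters carry cleartext credentials."""
from __future__ import annotations

# Constructed sample export: one connection under the configured base DN that also
# references a group via seeAlso, one stray connection outside it, and the group.
SAMPLE_LDIF = """\
dn: cn=Example Connection,ou=connections,dc=example,dc=net
objectClass: guacConfigGroup
objectClass: groupOfNames
cn: Example Connection
guacConfigProtocol: vnc
guacConfigParameter: hostname=localhost
guacConfigParameter: port=5900
guacConfigParameter: password=secret
member: cn=user1,ou=people,dc=example,dc=net
member: cn=user2,ou=people,dc=example,dc=net
seeAlso: cn=admins,ou=groups,dc=example,dc=net

dn: cn=Stray Connection,ou=legacy,dc=example,dc=net
objectClass: guacConfigGroup
objectClass: groupOfNames
cn: Stray Connection
guacConfigProtocol: rdp
guacConfigParameter: hostname=rdp.example.net
member: cn=user3,ou=people,dc=example,dc=net

dn: cn=admins,ou=groups,dc=example,dc=net
objectClass: groupOfNames
cn: admins
member: cn=user3,ou=people,dc=example,dc=net
member: cn=user4,ou=people,dc=example,dc=net
"""

SECRET_PARAMETERS = {"password", "private-key", "passphrase"}  # credential parameter names

def parse_ldif(text: str) -> dict[str, dict[str, list[str]]]:
    """Minimal LDIF reader: unfolds continuation lines, skips comments and
    base64/URL-valued attributes, returns {dn: {lowercased attr: [values]}}."""
    unfolded: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # RFC 2849 line folding
        else:
            unfolded.append(raw)
    entries: dict[str, dict[str, list[str]]] = {}
    current = None
    for line in unfolded + [""]:             # trailing "" closes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            current = None
            continue
        name, sep, value = line.partition(":")
        if not sep or value[:1] in (":", "<"):
            continue                         # "attr::" (base64) and "attr:<" (URL) skipped
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(name, []).append(value)
    return entries

def _norm(dn: str) -> str:
    # Case-fold and trim around RDN separators; escaped commas are not handled.
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_subtree(dn: str, base_dn: str) -> bool:
    d, b = _norm(dn), _norm(base_dn)
    return d == b or d.endswith("," + b)     # equal to the base, or anywhere beneath it

def resolve_access(entries, config_base_dn, group_base_dn=None):
    """Connection DN -> user DNs allowed to use it: direct members, plus members of
    groups named in seeAlso when a group base DN is set (one level, not nested)."""
    by_dn = {_norm(dn): attrs for dn, attrs in entries.items()}
    access: dict[str, set[str]] = {}
    for dn, attrs in entries.items():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "guacconfiggroup" not in classes or not in_subtree(dn, config_base_dn):
            continue                         # not a connection, or outside ldap-config-base-dn
        users = set(attrs.get("member", []))
        if group_base_dn:                    # seeAlso is ignored without ldap-group-base-dn
            for group_dn in attrs.get("seealso", []):
                if in_subtree(group_dn, group_base_dn):
                    users |= set(by_dn.get(_norm(group_dn), {}).get("member", []))
        access[dn] = users
    return access

def find_secret_parameters(entries, config_base_dn):
    """(connection DN, parameter name) for credentials stored as cleartext values."""
    found = []
    for dn, attrs in entries.items():
        if not in_subtree(dn, config_base_dn):
            continue
        for param in attrs.get("guacconfigparameter", []):
            name = param.partition("=")[0].strip().lower()
            if name in SECRET_PARAMETERS:
                found.append((dn, name))
    return found
```

Run it against an export such as the output of `ldapsearch -LLL -b dc=example,dc=net` by passing that text to `parse_ldif`. With the sample above, `resolve_access(..., "ou=connections,dc=example,dc=net")` yields only the example connection with `user1` and `user2`, adding `user3` and `user4` once `"ou=groups,dc=example,dc=net"` is supplied as the group base DN; the stray connection under `ou=legacy` never appears, and `find_secret_parameters` reports the cleartext `password` parameter.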

### Completing installation <a href="#id-.storingconnectiondatawithinldapv2.x-completinginstallation" id="id-.storingconnectiondatawithinldapv2.x-completinginstallation"></a>

Changes to Guacamole’s LDAP configuration will generally only be reread from `guacamole.properties` during the startup process. To apply the configuration changes, Guacamole must be restarted:

#### Advanced Linux Install Method

```
$ sudo systemctl restart guacamole
```

{% hint style="info" %}
**If you do not have a standalone "guacamole" service**

You will not have a standalone "guacamole" service if you have not deployed Guacamole automatically with the "kcm-guacamole-standalone" package. This will be the case if:

* You have chosen to manually deploy Guacamole under your own install of Apache Tomcat or JBoss, rather than use the provided version of Tomcat.
* You are maintaining a deployment of Glyptodon Enterprise that was originally installed before [the 2.5 release](https://newdocs.keeper.io/kcm-linux-rpm-method/authentication/authenticating-users-with-ldap/pages/ZqnMdyCaG68yVINbbLIh#id-.changelogv2.x-2.52.5version2.5) (2021-09-16).

You will instead need to manually restart your install of Tomcat:

```
$ sudo systemctl restart tomcat
```

{% endhint %}
