# Storing connection data within LDAP

### Defining the `guacConfigGroup` object class <a href="#id-.storingconnectiondatawithinldapv2.x-definingtheguacconfiggroupobjectclass" id="id-.storingconnectiondatawithinldapv2.x-definingtheguacconfiggroupobjectclass"></a>

When connection data is stored within your LDAP directory, each connection is represented by a special type of LDAP group, and permissions related to Keeper Connection Manager's connections can be managed directly with LDAP based on user membership of these groups. Doing this requires schema modifications which add a new object class called `guacConfigGroup`.

An LDIF file defining the schema changes in a manner compatible with OpenLDAP is provided by the `kcm-guacamole-auth-ldap` package within `/opt/keeper/share/guacamole-auth-ldap/schema/guacConfigGroup.ldif`. This file can be applied to your OpenLDAP server using the “ldapadd” command:

{% code overflow="wrap" %}

```
$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /opt/keeper/share/guacamole-auth-ldap/schema/guacConfigGroup.ldif
```

{% endcode %}

Once this is done, connections can be defined by creating new `guacConfigGroup` objects within the LDAP directory. Each `guacConfigGroup` accepts a single `guacConfigProtocol` attribute, defining the protocol associated with the connection, and any number of `guacConfigParameter` attributes, each defining a connection parameter as a name/value pair. Users that should have access to the connection must be added as members of the `guacConfigGroup` using the `member` attribute.

For example, a connection accessible to two users which uses VNC to connect to localhost at port 5900 with the password “secret” could be defined with the following LDIF file:

```
dn: cn=Example Connection,ou=groups,dc=example,dc=net
objectClass: guacConfigGroup
objectClass: groupOfNames
cn: Example Connection
guacConfigProtocol: vnc
guacConfigParameter: hostname=localhost
guacConfigParameter: port=5900
guacConfigParameter: password=secret
member: cn=user1,ou=people,dc=example,dc=net
member: cn=user2,ou=people,dc=example,dc=net
```

### Configuring KCM to read connections from LDAP <a href="#id-.storingconnectiondatawithinldapv2.x-configuringguacamoletoreadconnectionsfromldap" id="id-.storingconnectiondatawithinldapv2.x-configuringguacamoletoreadconnectionsfromldap"></a>

#### Auto Docker and Docker Compose Install Methods

To read connection data from LDAP, modify the `/etc/kcm-setup/docker-compose.yml` file.

The base DN of all connections defined within LDAP must be specified using the `LDAP_CONFIG_BASE_DN` property. This base DN should be the DN of the portion of the LDAP directory whose subtree contains all Keeper connections accessible via LDAP. Only connections defined within the subtree of this base DN will be visible.

The `EXTENSION_PRIORITY` [property](https://docs.keeper.io/keeper-connection-manager/authentication/authenticating-users-with-ldap/pages/PrGlvnEjhFxQkUuBMC4I#id-.glyptodon-guacamolev2.x-guacdguacd_) specifies the order that extensions should be loaded relative to each other. In the following example, all other extensions take priority over LDAP:

```
    guacamole:
        image: keeper/guacamole:2
        environment:
            ACCEPT_EULA: "Y"
            GUACD_HOSTNAME: "guacd"
            MYSQL_HOSTNAME: "db"
            MYSQL_DATABASE: "guacamole_db"
            MYSQL_USERNAME: "guacamole_user"
            MYSQL_PASSWORD: "xxxxxxx"

            # LDAP Connection
            LDAP_HOSTNAME: "localhost"
            LDAP_PORT: 389
            LDAP_ENCRYPTION_METHOD: "none"

            ## Optional Settings ##
            # Read Connections from LDAP
            LDAP_CONFIG_BASE_DN: "ou=connections,dc=example,dc=net"
            # Force all other extensions to take priority over LDAP
            EXTENSION_PRIORITY: "*, ldap"
```

### Controlling access using group membership <a href="#id-.storingconnectiondatawithinldapv2.x-controllingaccessusinggroupmembership" id="id-.storingconnectiondatawithinldapv2.x-controllingaccessusinggroupmembership"></a>

#### Auto Docker and Docker Compose Install Method

To control group membership using LDAP, modify the `/etc/kcm-setup/docker-compose.yml` file.

It is also possible to grant entire groups access to connections using the `seeAlso` attribute. This attribute is a standard LDAP attribute and is taken into account by Keeper if the `LDAP_GROUP_BASE_DN` property is defined. This property defines the root of the subtree containing all groups which may apply to Keeper Connection Manager users authenticated using LDAP:

```
    guacamole:
        image: keeper/guacamole:2
        environment:
            ACCEPT_EULA: "Y"
            GUACD_HOSTNAME: "guacd"
            MYSQL_HOSTNAME: "db"
            MYSQL_DATABASE: "guacamole_db"
            MYSQL_USERNAME: "guacamole_user"
            MYSQL_PASSWORD: "xxxxxxx"

            # LDAP Connection
            LDAP_HOSTNAME: "localhost"
            LDAP_PORT: 389
            LDAP_ENCRYPTION_METHOD: "none"

            ## Optional Settings ##
            # Mapping Guacamole groups to LDAP DNs
            LDAP_GROUP_BASE_DN: "ou=groups,dc=example,dc=net"
            LDAP_GROUP_NAME_ATTRIBUTE: "cn"
```
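As an added example (not code from KCM or the `guacamole-auth-ldap` package), the following Python reads an LDIF export and works out who can reach each `guacConfigGroup` connection, combining direct `member` values with `seeAlso` references to groups under `LDAP_GROUP_BASE_DN`, as described in the two sections above. The LDIF is constructed for the example, and the rule that a `seeAlso` target counts only when it lies under the group base DN is an assumption modelled on the description above.

```python
# Added example, not part of KCM: audit effective access to guacConfigGroup
# connections from an LDIF export. SAMPLE_LDIF is constructed for this example.
GROUP_BASE_DN = "ou=groups,dc=example,dc=net"   # LDAP_GROUP_BASE_DN value used on this page

SAMPLE_LDIF = """\
dn: cn=Example Connection,ou=connections,dc=example,dc=net
objectClass: guacConfigGroup
objectClass: groupOfNames
cn: Example Connection
guacConfigProtocol: vnc
guacConfigParameter: hostname=localhost
guacConfigParameter: password=secret
member: cn=user1,ou=people,dc=example,dc=net
seeAlso: cn=ops,ou=groups,dc=example,dc=net

dn: cn=ops,ou=groups,dc=example,dc=net
objectClass: groupOfNames
cn: ops
member: cn=user2,ou=people,dc=example,dc=net
"""

def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attribute: [values]}}; folds continuation lines, no base64 (::) values."""
    entries, current, last = {}, {}, None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and last:           # folded continuation line
            current[last][-1] += line[1:]
        elif line.strip():
            last, _, value = line.partition(":")
            current.setdefault(last, []).append(value.strip())
        elif current:                               # blank line ends an entry
            entries[current["dn"][0]] = current
            current, last = {}, None
    return entries

def connections(entries, group_base_dn=GROUP_BASE_DN):
    """Return {cn: (protocol, {param: value}, effective member DNs)} for every guacConfigGroup."""
    result = {}
    for dn, attrs in entries.items():
        if "guacConfigGroup" not in attrs.get("objectClass", []):
            continue
        (protocol,) = attrs["guacConfigProtocol"]   # schema: exactly one value, else ValueError
        params = dict(p.split("=", 1) for p in attrs.get("guacConfigParameter", []))
        members = set(attrs.get("member", []))
        for group in attrs.get("seeAlso", []):      # group-wide grant via seeAlso
            if group.lower().endswith("," + group_base_dn.lower()):  # assumed: only groups under base DN
                members |= set(entries.get(group, {}).get("member", []))
        result[attrs["cn"][0]] = (protocol, params, members)
    return result
```

Because the `password` parameter lives in the entry itself, the same parse also shows which connections embed credentials that any principal able to read the entry can recover.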

### Completing installation <a href="#id-.storingconnectiondatawithinldapv2.x-completinginstallation" id="id-.storingconnectiondatawithinldapv2.x-completinginstallation"></a>

#### Auto Docker Install Method

```
sudo ./kcm-setup.run stop
sudo ./kcm-setup.run upgrade
```

#### Docker Compose Install Method

```
docker-compose stop
docker-compose up -d
```
