Dynamic RDP backend based on LDAP Group

Hi everyone,

I would like to dynamically select RDP backends based on a user's group membership.

From what I have read, I need to create a Lua script that registers a fetch and then use that fetch in an ACL.

I created a simple Lua script with a fetch named test_ldap, loaded it in haproxy.cfg and added

use_backend backend1 if { lua.test_ldap() -m bool }

to the frontend section.

Now I'm struggling with how to access or pass the RDP cookie to that Lua function. I tried different things, but they all resulted in nil values.

I would really appreciate it if anyone could give me an example of how to access the RDP cookie within a Lua script.

Thanks in advance

OK, I have it working now, and I'll post it here in case someone else needs it.

The package lualdap is needed.

/etc/haproxy/haproxy.cfg

global
        lua-load /etc/haproxy/ldap_group_check.lua
        ...

frontend frdp
        ...
        # The parameter gets cut at the first ",". Hence replacing them with ";" for now.
        # Why is this happening?
        use_backend back_rdp_special if { lua.ldap_group_check('cn=special;dc=domain;dc=local') -m bool }
        default_backend back_rdp

/etc/haproxy/ldap_group_check.lua

local lualdap = require("lualdap")

local function ldap_group_check(txn, group_dn)
    -- Commas in the argument are written as ";" in haproxy.cfg; restore them.
    group_dn = group_dn:gsub(";", ",")

    local cookie = txn.f:rdp_cookie('mstshash')
    -- No mstshash cookie on this connection: nothing to look up.
    if not cookie then
        return false
    end
    -- Remove the domain part.
    -- Ex. 'DOMAIN\user1' becomes 'user1'
    cookie = cookie:gsub('^[^\\]*\\', '')
    -- The cookie is chosen by the client and is concatenated into the LDAP
    -- filter below, so only accept plain user-name characters.
    if not cookie:match('^[%w%._%-]+$') then
        return false
    end

    local retval = false

    local ld = lualdap.open_simple("ldap://<ldapserver>:<port>",
                                   "<binddn>",
                                   "<password>")

    if ld then
        local search_filter = "(&(uid=" .. cookie .. ")(memberOf=" .. group_dn .. "))"

        -- Any matching entry means the user is a member of the group.
        for _, _ in ld:search { base = "dc=domain,dc=local",
                                scope = "subtree",
                                filter = search_filter } do
            retval = true
            break
        end
        ld:close()
    else
        core.log(core.err, "LDAP not connected!")
    end

    return retval
end

core.register_fetches('ldap_group_check', ldap_group_check)

This works as expected, but one thing drives me nuts.
I have to replace all "," in the parameter (group DN) passed to my Lua function, as otherwise it gets cut at the first ",".

Can someone explain to me why this happens?

Regards
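The following is an added example and not code from the thread above. It restructures the same fetch around two points a practitioner would want covered. First, the mstshash cookie is sent by the RDP client in clear text before any authentication, so its value is attacker-controlled: the user name is checked against an allowlist and, in addition, escaped according to RFC 4515 before it is placed in the LDAP filter, which closes the LDAP injection that plain string concatenation allows. Second, the config side passes a short key ('special') that a table in the script maps to the full group DN, so the fetch argument contains no commas at all. The table name `groups`, the helpers `parse_mstshash`, `ldap_escape` and `build_filter`, and the `<ldapserver>`, `<binddn>` and `<password>` placeholders are assumptions of this example. One caveat that applies to the original script as well: lualdap performs synchronous OpenLDAP calls, and a blocking call inside an HAProxy Lua fetch stalls the whole worker thread while the directory answers, so the directory should be close, the timeouts short, and the decision is routing only, not authentication.

```lua
-- Added example (not from the original post); Lua 5.3+ as bundled with HAProxy.
-- Assumed names: groups, parse_mstshash, ldap_escape, build_filter and the
-- <ldapserver>/<binddn>/<password> placeholders.
local ok, lualdap = pcall(require, "lualdap")  -- absent when run outside HAProxy

-- Routing key -> group DN. haproxy.cfg passes the key, e.g.
--   use_backend back_rdp_special if { lua.ldap_group_check('special') -m bool }
-- so the fetch argument never contains a comma.
local groups = {
    special = "cn=special,dc=domain,dc=local",
}

-- Extract the user name from an mstshash cookie value. Accepts "user",
-- "DOMAIN\user" and "user@domain". Returns nil for a missing cookie or for
-- anything outside a conservative allowlist, because the value is client-chosen.
local function parse_mstshash(cookie)
    if type(cookie) ~= "string" or cookie == "" then
        return nil
    end
    local user = cookie:match("^[^\\]*\\(.+)$") or cookie:match("^([^@]+)@") or cookie
    if not user:match("^[%w%._%-]+$") then
        return nil
    end
    return user
end

-- Escape a value for embedding in an LDAP search filter (RFC 4515, section 3):
-- '*', '(', ')', '\' and NUL become "\xx" hex sequences.
local function ldap_escape(value)
    return (value:gsub("[%*%(%)\\\0]", function(c)
        return string.format("\\%02x", string.byte(c))
    end))
end

local function build_filter(user, group_dn)
    return "(&(uid=" .. ldap_escape(user) .. ")(memberOf=" .. ldap_escape(group_dn) .. "))"
end

-- The fetch registered with HAProxy. lualdap blocks the worker thread while
-- the directory answers; keep the directory close and the timeouts short.
local function ldap_group_check(txn, group_key)
    local group_dn = groups[group_key]
    if not group_dn then
        core.log(core.err, "ldap_group_check: unknown group key " .. tostring(group_key))
        return false
    end
    local user = parse_mstshash(txn.f:rdp_cookie("mstshash"))
    if not user then
        return false
    end
    local ld = lualdap.open_simple("ldap://<ldapserver>:<port>", "<binddn>", "<password>")
    if not ld then
        core.log(core.err, "ldap_group_check: LDAP not connected")
        return false
    end
    local found = false
    for _ in ld:search { base = "dc=domain,dc=local", scope = "subtree",
                         filter = build_filter(user, group_dn) } do
        found = true   -- any matching entry means the user is in the group
        break
    end
    ld:close()
    return found
end

if core then
    assert(ok, "lualdap module is required")
    core.register_fetches("ldap_group_check", ldap_group_check)
else
    -- Stand-alone self-check with constructed cookie values: lua ldap_group_check.lua
    assert(parse_mstshash("DOMAIN\\user1") == "user1")
    assert(parse_mstshash("user1@domain.local") == "user1")
    assert(parse_mstshash("user1*)(uid=admin") == nil)  -- injection attempt rejected
    assert(parse_mstshash(nil) == nil)                   -- no cookie on the connection
    assert(ldap_escape("a*(b)") == "a\\2a\\28b\\29")
    assert(build_filter("user1", groups.special) ==
           "(&(uid=user1)(memberOf=cn=special,dc=domain,dc=local))")
    print("self-check ok")
end
```

Run outside HAProxy with a plain Lua interpreter, the script executes the self-check branch only; under `lua-load` the `core` table exists and the fetch is registered instead. The allowlist is the primary control and the escaping is defence in depth: if the allowlist is ever relaxed to admit characters such as `(` or `*`, the filter still cannot be altered by the client.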