Jenkins:使用Groovy配置ActiveDirectorySecurityRealm插件

Question

目前，我正在使用(ActiveDirectorySecurityRealm)插件(v2.6)设置一个通用配置，并解决了一个棘手的问题:我的(auto)设置一个有效的AD连接(遵循相应的文档)的方法似乎根本不起作用。每次我重新插入我的Jenkins实例时，都会提供一个不完整的config.xml - "bindName“属性(XML)。这个属性是我将要使用的广告服务器所需要的，所以我必须手动覆盖配置来解决这个问题。

我不太清楚为什么还会发生这种事。

我的groovy代码(摘录)

String _domain = 'my-primary-ad-server-running.acme.org'
String _site = 'jenkins.acme.org'
String _bindName = 'ad-bind-user'
String _bindPassword = 'ad-bind-password-super-secret-123'
String _server = 'my-primary-ad-server-running.acme.org'

def hudsonActiveDirectoryRealm = new ActiveDirectorySecurityRealm(_domain, _site, _bindName, _bindPassword, _server)

def instance = Jenkins.getInstance()
    instance.setSecurityRealm(hudsonActiveDirectoryRealm)
    instance.save()

我的config.xml结果(节选)

<securityRealm class="hudson.plugins.active_directory.ActiveDirectorySecurityRealm" plugin="active-directory@2.6">
    <domains>
      <hudson.plugins.active__directory.ActiveDirectoryDomain>
        <name>my-primary-ad-server-running.acme.org</name>
        <servers>my-primary-ad-server-running.acme.org:3268</servers>
        <bindPassword>{###-fancy-crypted-super-password-nobody-can-decrypt-anymore-###}</bindPassword>
      </hudson.plugins.active__directory.ActiveDirectoryDomain>
    </domains>
    <startTls>true</startTls>
    <groupLookupStrategy>AUTO</groupLookupStrategy>
    <removeIrrelevantGroups>false</removeIrrelevantGroups>
    <tlsConfiguration>TRUST_ALL_CERTIFICATES</tlsConfiguration>
</securityRealm>

my config.xml required (节选)

<securityRealm class="hudson.plugins.active_directory.ActiveDirectorySecurityRealm" plugin="active-directory@2.6">
    <domains>
      <hudson.plugins.active__directory.ActiveDirectoryDomain>
        <name>my-primary-ad-server-running.acme.org</name>
        <servers>my-primary-ad-server-running.acme.org:3268</servers>
        <bindName>ad-bind-user</bindName>
        <bindPassword>{###-fancy-crypted-super-password-nobody-can-decrypt-anymore-###}</bindPassword>
      </hudson.plugins.active__directory.ActiveDirectoryDomain>
    </domains>
    <startTls>true</startTls>
    <groupLookupStrategy>AUTO</groupLookupStrategy>
    <removeIrrelevantGroups>false</removeIrrelevantGroups>
    <tlsConfiguration>TRUST_ALL_CERTIFICATES</tlsConfiguration>
</securityRealm>

Answer 1

如果您查看ActiveDirectorySecurityRealm的源代码，您将看到bindName被标记为临时的，因此它不会作为配置XML的一部分被持久保存。

获得所需config.xml的唯一解决方案是通过提供自定义静态config.xml而不使用init脚本来强制config.xml。

Answer 2

谢谢@kosta。下面的脚本还使用active-目录2.10和jenkins 2.150.1，这也包括站点信息。

import hudson.plugins.active_directory.ActiveDirectoryDomain
import hudson.plugins.active_directory.ActiveDirectorySecurityRealm
import hudson.plugins.active_directory.GroupLookupStrategy

String _domain = 'dev.test.com'
String _site = 'HQ'
String _bindName = 'dev\jenkins'
String _bindPassword = 'test'
String _server = 'dev.test.com:2328'

def hudsonActiveDirectoryRealm = new ActiveDirectorySecurityRealm(_domain, _site, _bindName, _bindPassword, _server)
hudsonActiveDirectoryRealm.getDomains().each({
    it.bindName = hudsonActiveDirectoryRealm.bindName
    it.bindPassword = hudsonActiveDirectoryRealm.bindPassword
    it.site = hudsonActiveDirectoryRealm.site
})
def instance = Jenkins.getInstance()
instance.setSecurityRealm(hudsonActiveDirectoryRealm)
instance.save()

查看这个截图：配置全局安全

Answer 3

我能够通过在最后添加以下代码来解决这个问题(在2.6和2.8上进行了测试)。您还需要确保凭据是有效的，因为插件正在执行初始连接性检查( https://issues.jenkins-ci.org/browse/JENKINS-48513 )。

hudsonActiveDirectoryRealm.getDomains().each({
    it.bindName = hudsonActiveDirectoryRealm.bindName
    it.bindPassword = hudsonActiveDirectoryRealm.bindPassword
})
instance.setSecurityRealm(hudsonActiveDirectoryRealm)
instance.save()