1. 技术文章
  2. Jenkins: Configure ActiveDirectorySecurityRealm Plugin using Groovy

Jenkins: Configure ActiveDirectorySecurityRealm Plugin using Groovy

|▌冷眼眸甩不掉的悲伤 提交于 2019-12-24 08:04:35

问题


I'm currently spending some time setting up a generic configuration using Jenkins AD-SecurityRealm (ActiveDirectorySecurityRealm) Plugin (v2.6) and stuck over a nasty issue: It seems that my approach to (auto) set up a valid AD-connection (following the corresponding documentation) is not working at all. Every time I'll re-init my Jenkins instance an incomplete config.xml will provide - the "bindName" property (XML-node) is always missing. This property is required by the ad-server I'll use and so I've to override the config manually to solve this issue.

I haven't the vaguest idea why this still happens.

my groovy code (excerpt)

String _domain = 'my-primary-ad-server-running.acme.org'
String _site = 'jenkins.acme.org'
String _bindName = 'ad-bind-user'
String _bindPassword = 'ad-bind-password-super-secret-123'
String _server = 'my-primary-ad-server-running.acme.org'

def hudsonActiveDirectoryRealm = new ActiveDirectorySecurityRealm(_domain, _site, _bindName, _bindPassword, _server)

def instance = Jenkins.getInstance()
    instance.setSecurityRealm(hudsonActiveDirectoryRealm)
    instance.save()

my config.xml result (excerpt)

<securityRealm class="hudson.plugins.active_directory.ActiveDirectorySecurityRealm" plugin="active-directory@2.6">
    <domains>
      <hudson.plugins.active__directory.ActiveDirectoryDomain>
        <name>my-primary-ad-server-running.acme.org</name>
        <servers>my-primary-ad-server-running.acme.org:3268</servers>
        <bindPassword>{###-fancy-crypted-super-password-nobody-can-decrypt-anymore-###}</bindPassword>
      </hudson.plugins.active__directory.ActiveDirectoryDomain>
    </domains>
    <startTls>true</startTls>
    <groupLookupStrategy>AUTO</groupLookupStrategy>
    <removeIrrelevantGroups>false</removeIrrelevantGroups>
    <tlsConfiguration>TRUST_ALL_CERTIFICATES</tlsConfiguration>
</securityRealm>

my config.xml required (excerpt)

<securityRealm class="hudson.plugins.active_directory.ActiveDirectorySecurityRealm" plugin="active-directory@2.6">
    <domains>
      <hudson.plugins.active__directory.ActiveDirectoryDomain>
        <name>my-primary-ad-server-running.acme.org</name>
        <servers>my-primary-ad-server-running.acme.org:3268</servers>
        <bindName>ad-bind-user</bindName>
        <bindPassword>{###-fancy-crypted-super-password-nobody-can-decrypt-anymore-###}</bindPassword>
      </hudson.plugins.active__directory.ActiveDirectoryDomain>
    </domains>
    <startTls>true</startTls>
    <groupLookupStrategy>AUTO</groupLookupStrategy>
    <removeIrrelevantGroups>false</removeIrrelevantGroups>
    <tlsConfiguration>TRUST_ALL_CERTIFICATES</tlsConfiguration>
</securityRealm>

回答1:


If you look at the source code for ActiveDirectorySecurityRealm you will see that the bindName is marked as transient, thus it won't be persisted as part of the config XML.

The only solution to get the desired config.xml is to force the config.xml by providing a custom static one and not use the init script.




回答2:


Thanks @kosta. Following script also works using active-directory 2.10 and jenkins 2.150.1 This also include site information.

import hudson.plugins.active_directory.ActiveDirectoryDomain
import hudson.plugins.active_directory.ActiveDirectorySecurityRealm
import hudson.plugins.active_directory.GroupLookupStrategy

String _domain = 'dev.test.com'
String _site = 'HQ'
String _bindName = 'dev\jenkins'
String _bindPassword = 'test'
String _server = 'dev.test.com:2328'

def hudsonActiveDirectoryRealm = new ActiveDirectorySecurityRealm(_domain, _site, _bindName, _bindPassword, _server)
hudsonActiveDirectoryRealm.getDomains().each({
    it.bindName = hudsonActiveDirectoryRealm.bindName
    it.bindPassword = hudsonActiveDirectoryRealm.bindPassword
    it.site = hudsonActiveDirectoryRealm.site
})
def instance = Jenkins.getInstance()
instance.setSecurityRealm(hudsonActiveDirectoryRealm)
instance.save()

Check this screenshot: Configure Global Security




回答3:


I was able to solve this issue by adding the following code at the end (Tested on 2.6 and 2.8). You also need to make sure that your credentials are valid because the plugin is doing an initial connectivity check https://issues.jenkins-ci.org/browse/JENKINS-48513

hudsonActiveDirectoryRealm.getDomains().each({
    it.bindName = hudsonActiveDirectoryRealm.bindName
    it.bindPassword = hudsonActiveDirectoryRealm.bindPassword
})
instance.setSecurityRealm(hudsonActiveDirectoryRealm)
instance.save()


来源:https://stackoverflow.com/questions/48441808/jenkins-configure-activedirectorysecurityrealm-plugin-using-groovy

标签
Jenkins
groovy
jenkins-plugins
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!