Kiwi Syslog Server是一款應用於Windows系統的系統日誌守護進程,能夠接收並記錄系統日誌,各種設備的SYSLOG消息,內置豐富的日誌記錄選項,能詳細記錄各種防火牆日誌,並進行篩選分析。
本文主要介紹Kiwi Syslog Server配置Active Directory集成身份認證。
安裝教程:
【逗老師帶你學IT】Kiwi Syslog Server安裝教程
https://blog.csdn.net/ytlzq0228/article/details/104827014
在多用戶環境中使用Kiwi Syslog時,使用Active Directory集成認證有助於用戶賬號授權的管理。這樣,您可以控制誰可以通過AD認證訪問Kiwi Syslog Web Access界面,避免管理非常多個本地帳戶帶來的麻煩。
設置非常簡單。
文章目錄
一、Kiwi Syslog Web Active Directory集成的前提條件:
1、Kiwi中的AD集成使用TCP端口389上的LDAP連接到域控制器,提前確認Kiwi Sylog Server跟域控之間的TCP 389端口正常通信。
2、Kiwi Syslog的服務器必須加入用於認證的AD域。
二、Active Directory準備工作
1、在Active Directory中創建一個用戶組或安全組,以用於控制對Kiwi Syslog的身份驗證,或者選擇已有的用戶組或安全組,例如IT部門羣組。
2、將授權訪問Kiwi的用戶帳戶添加到上面創建的安全組中,您希望它們能夠登錄到Kiwi Syslog Web Client。
三、Kiwi Syslog Web Access中設置Active Director的步驟
1、登錄Kiwi Syslog Web Access
使用管理員帳戶登錄Kiwi Syslog Web Access
2、Active Directory集成配置
打開“ Admin”->“ Active Directory Setting”
3、Active Directory認證配置參數
3.1、輸入您的Active Directory環境的域URL
如果是AD域控制器,輸入AD域控服務器DNS域名
如:csdn.com
如果是其他LDAP服務器,需要輸入完整的LDAP URL
如ldap:// DomainController1:389 / ou = Groups,dc = npgdom,dc = com
3.2、將身份驗證類型留爲空白,默認爲Secure。如果對LDAP使用其他身份驗證類型,請進行更改。如果不知道這項什麼意思,請將其留空。
3.3、在“用戶組”字段中輸入您在AD中創建的用戶組的名稱。可以使用多個用戶組並用分號分隔。
3.4、點擊保存設置。
查看AD域控制器的Windows防火牆,和沿途所有防火牆,確認運行Kiwi Syslog Server可以訪問AD域控的TCP 389端口。
四、測試使用域帳戶登錄Kiwi Syslog Web訪問
1、註銷登錄當前管理員賬號,或新開一個瀏覽器小號窗口。
2、使用Domain\username的格式進行登錄,比如CSDN\doulaoshi。注意如果使用域賬號登錄,必須添加域名前綴
3、新用戶第一次登錄會出現一條提示,不要慌,這不是報錯!
第一次登錄系統需要在Kiwi Syslog中創建一個同名的本地帳戶,再次登錄即可以正常登錄
管理員可以看到用戶管理中,新添加了一個域賬戶。
五、域帳戶登錄Kiwi Syslog Web權限
域賬戶登錄之後的權限是標準用戶權限,可以查詢所有的日誌,編輯過濾器,但是無權限訪問Admin選項卡
六、參考資料
參考資料
1.如何集成Kiwi與活動目錄:Network Pro Guide | How to Integrate Kiwi Syslog Web Access with Active Directory
官方手冊
2.Kiwi web server AD認證設置:Solarwinds | Active Directory Authentication setting for Kiwi Syslog Server Web Access
3.Kiwi web Access AD認證:Solarwinds | Kiwi SyslogTM Web Access - AD Authentication
所有支持的LDAP認證類型:
| Auth types | description |
|---|---|
| Anonymous | No authentication is performed. |
| Delegation | Enables Active Directory Services Interface (ADSI) to delegate the user’s security context, which is necessary for moving objects across domains. |
| Encryption | Attaches a cryptographic signature to the message that both identifies the sender and ensures that the message has not been modified in transit. |
| FastBind | Specifies that ADSI will not attempt to query the Active Directory Domain Services objectClass property. Therefore, only the base interfaces that are supported by all ADSI objects will be exposed. Other interfaces that the object supports will not be available. A user can use this option to boost the performance in a series of object manipulations that involve only methods of the base interfaces. However, ADSI does not verify if any of the request objects actually exist on the server. |
| None | Equates to zero, which means to use basic authentication (simple bind) in the LDAP provider. |
| ReadonlyServer | For a WinNT provider, ADSI tries to connect to a domain controller. For Active Directory Domain Services, this flag indicates that a writable server is not required for a serverless binding. |
| Sealing | Encrypts data using Kerberos. The Secure flag must also be set to use sealing. |
| Secure | Requests secure authentication. When this flag is set, the WinNT provider uses NTLM to authenticate the client. Active Directory Domain Services uses Kerberos, and possibly NTLM, to authenticate the client. When the user name and password are a null reference (Nothing in Visual Basic), ADSI binds to the object using the security context of the calling thread, which is either the security context of the user account under which the application is running or of the client user account that the calling thread is impersonating. |
| SecureSocketsLayer | Attaches a cryptographic signature to the message that both identifies the sender and ensures that the message has not been modified in transit. Active Directory Domain Services requires the Certificate Server be installed to support Secure Sockets Layer (SSL) encryption. |
| ServerBind | If your ADsPath includes a server name, specify this flag when using the LDAP provider. Do not use this flag for paths that include a domain name or for server less paths. Specifying a server name without also specifying this flag results in unnecessary network traffic. |
| Signing | Verifies data integrity to ensure that the data received is the same as the data sent. The Secure flag must also be set to use signing. |
往期回顧:
【逗老師帶你學IT】Kiwi Syslog Server安裝和配置教程
【逗老師帶你學IT】Kiwi Syslog Web Access與Active Directory集成認證
【逗老師帶你學IT】vMware ESXi 6.7合併第三方硬件驅動
【逗老師帶你學IT】Windows Server Network Policy Service(NPS)記賬與審計
【逗老師帶你學IT】Windows Server NPS服務構建基於AD域控的radius認證
【逗老師帶你學IT】AD域控和freeradius集成認證環境,PAP,MSCHAPV2
【逗老師帶你學IT】PRTG監控系統配合樹莓派採集企業內部無線網絡質量
【逗老師帶你學IT】深信服SSL遠程接入與深信服行爲審計同步登陸用戶信息
【逗老師帶你學IT】PRTG監控系統合併多個傳感器通道數據
【逗老師帶你學IT】PRTG監控系統通過企業微信推送告警消息