My impression regarding A) is that the LDAP-extension-plugin does not
support cleartext communication with the LDAP-server out of the box, so
unless you explicitly set the option to use cleartext, you will be safe.
Am I right?
The default is LDAP via StartTLS, and it is enforced. You can change
to LDAPS or cleartext LDAP, if you so choose.
B) seems to be a little more complicated. If I don't want to use SSL for
the whole wiki site (and I do want to avoid the additional processor load)
I need to secure the login-page only or at least the data submitted to the
wiki-server when the user clicks login. Are there extensions for this? Did
anyone hack his installation so that the login-page is restricted to SSL?
How do other LDAP-users handle this problem?
I believe there is a way to do this. You'll need to make sure your
cookies are marked as secure, and the web server ensures that login
pages are forced SSL. There used to be a configuration hack, but it
looks like the documentation is no longer on mediawiki.org. I'd find
it in the history, but it may be gone for a reason.
- Ryan Lane
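
A way to check the two conditions named in the reply above, secure-flagged cookies and a login page forced onto SSL (added example, not part of the original thread; the host name, cookie names and response data are constructed for illustration):

```python
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)

def insecure_cookies(set_cookie_headers):
    """Return names of cookies whose Set-Cookie header lacks the Secure attribute."""
    missing = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; Secure carries no value.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            missing.append(name)
    return missing

def login_forced_to_tls(status, location):
    """True if a plain-HTTP request for the login page is redirected to https."""
    return status in REDIRECT_CODES and urlsplit(location or "").scheme == "https"

def audit(plain_http_login, https_login):
    """Collect findings from two recorded responses for the login page."""
    findings = []
    if not login_forced_to_tls(plain_http_login["status"],
                               plain_http_login.get("location")):
        findings.append("login page served over plain HTTP")
    for name in insecure_cookies(https_login["set_cookie"]):
        findings.append(f"cookie {name} lacks Secure")
    return findings

# Constructed sample responses (hypothetical wiki at wiki.example.org).
LOGIN = "https://wiki.example.org/index.php?title=Special:UserLogin"
HARDENED_HTTP = {"status": 301, "location": LOGIN}
HARDENED_HTTPS = {"set_cookie": [
    "wiki_session=abc123; Path=/; Secure; HttpOnly",
    "wikiUserName=Alice; Path=/; secure",
]}
WEAK_HTTP = {"status": 200, "location": None}
WEAK_HTTPS = {"set_cookie": ["wiki_session=abc123; Path=/; HttpOnly"]}

if __name__ == "__main__":
    print("hardened:", audit(HARDENED_HTTP, HARDENED_HTTPS))
    print("weak:    ", audit(WEAK_HTTP, WEAK_HTTPS))
```

A cookie marked Secure is not sent on plain-HTTP requests, so on a site that serves its other pages over HTTP the session cookie set at login will not accompany those requests.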