Hi all,
When setting up the LDAP extension (great work btw. Thank you Ryan!) I stumbled upon the need to encrypt the passwords when they are sent over the network. This was of no concern before, since this is an internal wiki that contained no really important information.
But if authorization is handled via LDAP, the password for logging into the wiki will effectively be the same as the one used to authenticate with nearly all other services, so security becomes an issue. From what I already knew and have read in the LDAP extension documentation on mediawiki.org and Ryan's blog (especially the guide http://ryandlane.com/blog/2009/03/23/using-the-ldap-authentication-plugin-fo... which was _really_ helpful. Got it up and running in no time!) there are 2 areas to be taken care of:
A) The communication between the MediaWiki server and the LDAP server
B) The communication between the MediaWiki server and the end user's PC.
My impression regarding A) is that the LDAP extension does not support cleartext communication with the LDAP server out of the box, so unless you explicitly set the option to use cleartext, you will be safe. Am I right?
B) seems to be a little more complicated. If I don't want to use SSL for the whole wiki site (and I do want to avoid the additional processor load) I need to secure the login page only, or at least the data submitted to the wiki server when the user clicks login. Are there extensions for this? Did anyone hack his installation so that the login page is restricted to SSL? How do other LDAP users handle this problem?
Thanks in advance,
Arnd Münzebrock
> My impression regarding A) is that the LDAP extension does not support cleartext communication with the LDAP server out of the box, so unless you explicitly set the option to use cleartext, you will be safe. Am I right?
The default is LDAP via StartTLS, and it is enforced. You can change to LDAPS or cleartext LDAP, if you so choose.
> B) seems to be a little more complicated. If I don't want to use SSL for the whole wiki site (and I do want to avoid the additional processor load) I need to secure the login page only, or at least the data submitted to the wiki server when the user clicks login. Are there extensions for this? Did anyone hack his installation so that the login page is restricted to SSL? How do other LDAP users handle this problem?
I believe there is a way to do this. You'll need to make sure your cookies are marked as secure, and the web server ensures that login pages are forced SSL. There used to be a configuration hack, but it looks like the documentation is no longer on mediawiki.org. I'd find it in the history, but it may be gone for a reason.
- Ryan Lane
You can find the "secure login page" extension in the code examples of my MediaWiki book:
http://oreilly.com/catalog/9780596519681
Click "Examples" to download the code for free.
Note that this secures only the login page, and not the "change password" feature in My Preferences.
DanB
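One way to put Ryan's two conditions (login page forced to SSL, cookies marked secure) into practice without Dan's extension, as an added example that is not code from this thread, from the LDAP extension or from the book: an Apache mod_rewrite rule that redirects plain-HTTP requests for the login page and the preferences page (where the "change password" form Dan mentions lives) to HTTPS. The hostname, the install path and the assumption that the wiki is addressed as /index.php?title=... (no short URLs) are mine; an HTTPS vhost for the same hostname is assumed to exist already.

```apache
# Added example, not from the thread or the LDAP extension.
# Assumed: MediaWiki is reached as /index.php?title=..., mod_rewrite is
# loaded, and an HTTPS vhost for the same hostname already exists.
<VirtualHost *:80>
    # assumed hostname and install path
    ServerName wiki.example.org
    DocumentRoot /var/www/mediawiki

    RewriteEngine On
    # Only act on requests that are not already on HTTPS ...
    RewriteCond %{HTTPS} !=on
    # ... and that target the login page or the preferences page
    # (the latter is where the "change password" form is served).
    RewriteCond %{QUERY_STRING} (^|&)title=Special:(UserLogin|Preferences)(&|$) [NC]
    # Redirect to the same path on HTTPS. mod_rewrite re-appends the original
    # query string by itself, so the title= parameter survives the redirect.
    RewriteRule ^/index\.php$ https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]
</VirtualHost>
```

Two checks belong with this. First, set `$wgCookieSecure = true;` in LocalSettings.php as Ryan says; a cookie with the Secure flag is never sent over plain HTTP, so the session cookie issued by the HTTPS login cannot be captured on the HTTP pages, but it also means the logged-in state is only visible on HTTPS pages. Without that flag the password is protected by this rule, yet the session cookie still travels in clear and is worth as much to an eavesdropper as the password for the lifetime of the session. Second, open the login page in a browser and confirm that the rendered form's `action` URL is https: MediaWiki builds it from `$wgServer`, and if that is an absolute http:// URL the browser would first POST the credentials to HTTP and only then follow the redirect, which defeats the purpose.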
mediawiki-l-bounces@lists.wikimedia.org wrote on 06.10.2010 17:27:02:
> > My impression regarding A) is that the LDAP extension does not support cleartext communication with the LDAP server out of the box, so unless you explicitly set the option to use cleartext, you will be safe. Am I right?
>
> The default is LDAP via StartTLS, and it is enforced. You can change to LDAPS or cleartext LDAP, if you so choose.
Secure out of the box. Well designed :-) Thanks for reassuring.
[...]
> I believe there is a way to do this. You'll need to make sure your cookies are marked as secure, and the web server ensures that login pages are forced SSL. There used to be a configuration hack, but it looks like the documentation is no longer on mediawiki.org. I'd find it in the history, but it may be gone for a reason.
I used the extension promoted by Daniel Barret in his reply to my post. As far as I understood the source code, it does exactly what you describe here. And it works like a charm.
> - Ryan Lane
Thank you Ryan and Daniel!
CU Arnd