Hi,
I'm evaluating the use of MediaWiki in a corporate server. In such environment, my need for the "login" stage is only to identify people. I do not need them to authenticate (no need to password). The need is to know who made what, in a "confident" world.
Is it possible to configure MediaWiki to only require a login (without password) and only check that this login exists in a LDAP database?
Thanks in advance for any tips.
Is it possible to configure MediaWiki to only require a login (without password) and only check that this login exists in a LDAP database?
You could instruct everyone to register with (or register for them with) an empty password ("") (or remove the password box from the signup page and hardcode it to ""), it seems they are allowed by default ($wgMinimalPasswordLength = 0 is the default). You could probably go in and remove the password box on the logon form (or setting it to hidden might be easier) as well.
On 3/9/07, Guilhem Bonnefille guilhem.bonnefille@gmail.com wrote:
In such environment, my need for the "login" stage is only to identify people. I do not need them to authenticate (no need to password). The need is to know who made what, in a "confident" world.
Identification implies authentication. Otherwise, how do you distinguish between the real PersonA and PersonA's malicious impersonator?
Is it possible to configure MediaWiki to only require a login (without password) and only check that this login exists in a LDAP database?
It's _possible_ - though IMO this is a bad idea. Why not just use the LDAP authentication extension?
http://meta.wikimedia.org/wiki/LDAP_Authentication
On 3/9/07, Thomas Dalton thomas.dalton@gmail.com wrote:
Is it possible to configure MediaWiki to only require a login (without password) and only check that this login exists in a LDAP database?
You could instruct everyone to register with (or register for them with) an empty password ("") (or remove the password box from the signup page and hardcode it to ""), it seems they are allowed by default ($wgMinimalPasswordLength = 0 is the default). You could probably go in and remove the password box on the logon form (or setting it to hidden might be easier) as well.
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Identification implies authentication. Otherwise, how do you distinguish between the real PersonA and PersonA's malicious impersonator?
I think the idea is that the only people with access to his wiki are employees, and he trusts them not to impersonate eachother.
2007/3/9, Thomas Dalton thomas.dalton@gmail.com:
Identification implies authentication. Otherwise, how do you distinguish between the real PersonA and PersonA's malicious impersonator?
I think the idea is that the only people with access to his wiki are employees, and he trusts them not to impersonate eachother.
One procedure that works well in out environment is this: we use an authentication plugin so that users that are already logged in to our Intranet portal can click on a link that logs them in on the wiki. They are added to the wiki user table on the fly if needed. They don't have to identify themselves again (single sign-on).
If they want to access a wiki page directly through a link, that also works because we used the "remember me" option in the login form that was called behind the scenes.
In the worst case scenario, if the explicitly log out of the wiki and then access a direct link to a page, they have to identify themselves, but just once, because their login will be remembered.
This could be improved by a plugin that used their Windows user as a source for single sign-on.
My conclusion is that it is possible to have good integration and ease of use without being insecure.
This could be improved by a plugin that used their Windows user as a source for single sign-on.
My conclusion is that it is possible to have good integration and ease of use without being insecure.
Sure thing. If you restrict yourself to Internet Explorer, one could use some kind of NTLM/MediaWiki authentication bridge to effective achieve transparent SSO.
I'm just saying that I don't like the idea of letting people say "Oh yeah - I'm that guy" without providing any evidence (password). Even in a corporate environment. But that's just me - I'm paranoid. :)
-- Jim
On 3/9/07, Fernando Correia fernandoacorreia@gmail.com wrote:
2007/3/9, Thomas Dalton thomas.dalton@gmail.com:
Identification implies authentication. Otherwise, how do you
distinguish
between the real PersonA and PersonA's malicious impersonator?
I think the idea is that the only people with access to his wiki are employees, and he trusts them not to impersonate eachother.
One procedure that works well in out environment is this: we use an authentication plugin so that users that are already logged in to our Intranet portal can click on a link that logs them in on the wiki. They are added to the wiki user table on the fly if needed. They don't have to identify themselves again (single sign-on).
If they want to access a wiki page directly through a link, that also works because we used the "remember me" option in the login form that was called behind the scenes.
In the worst case scenario, if the explicitly log out of the wiki and then access a direct link to a page, they have to identify themselves, but just once, because their login will be remembered.
This could be improved by a plugin that used their Windows user as a source for single sign-on.
My conclusion is that it is possible to have good integration and ease of use without being insecure.
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
2007/3/9, Jim Wilson wilson.jim.r@gmail.com:
I'm just saying that I don't like the idea of letting people say "Oh yeah - I'm that guy" without providing any evidence (password). Even in a corporate environment. But that's just me - I'm paranoid. :)
I concur. And I think there is little gain from having no passwords, and much to lose. Anyway, I guess there are still many shops where "blank password" is a common choice.
Hi,
I am trying to set up differnent wikis with the mainly the same source code (because installation and update is easier):
I set up two directories: wWikiA and wWikiB:
wWikiA is the full installation
wWikiB should only hold the LocalSettings.php and the files from the main dir, like index.php.
To access the code in wWikiA/includes etc. from wWikiB, I changed some in LocalSettings.php:
$IP = 'c:/Programme/xampp/htdocs/wWikiA'; $wgScriptPath = "/wWikiB"; $wgUploadPath = "/wWikiB/images"; #actually not necessary $wgStylePath = "/wWikiA/skins"; $wgDBprefix = "wb_";
Unfortunatly the wiki did not start. Some files need to be in the includes directory: Defines.php ProfileStub.php Setup.php WebStart.php
Is this a feature or a bug?
GunterS
PS: I can live with that, only 4 files and the files from the main folder are easy to replace.
I'm don't know the answer to your question, Gunter, but I have a few pieces of advice:
1) If these are production, publicly available wikis, you really shouldn't be using xampp - it's not made for that. (If these are internal wikis, then please disregard).
2) If you want to make things really easy, and if you have access to do so, you should consider using an operating system which supports "soft linking". Then just point the second wiki's subdirectories at the first wiki's dirs.
3) If you're stuck with windows/xampp, the easiest thing may be to just actually install MediaWiki twice (once for each), then explore some kind of script (batch file?) to make upgrading easier. The Windows XCOPY command is probably all you need. Do "XCOPY /?" in the command prompt to see what options are available.
-- Jim
On 3/10/07, Gunter News2006@freenet.de wrote:
Hi,
I am trying to set up differnent wikis with the mainly the same source code (because installation and update is easier):
I set up two directories: wWikiA and wWikiB:
wWikiA is the full installation
wWikiB should only hold the LocalSettings.php and the files from the main dir, like index.php.
To access the code in wWikiA/includes etc. from wWikiB, I changed some in LocalSettings.php:
$IP = 'c:/Programme/xampp/htdocs/wWikiA'; $wgScriptPath = "/wWikiB"; $wgUploadPath = "/wWikiB/images"; #actually not necessary $wgStylePath = "/wWikiA/skins"; $wgDBprefix = "wb_";
Unfortunatly the wiki did not start. Some files need to be in the includes directory: Defines.php ProfileStub.php Setup.php WebStart.php
Is this a feature or a bug?
GunterS
PS: I can live with that, only 4 files and the files from the main folder are easy to replace.
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Although I agree with pretty much everyone else here in thinking this is a terrible idea... Someone else obviously had this terrible idea as well. I think this site has exactly what you are looking for:
http://adarshbhat.blogspot.com/2006/01/ldap-authentication-for-mediawiki .html
You must *really* trust your users (or anyone who can figure out usernames).
Using Kerberos, NTLM, SSL, Shibboleth, or some other type of auto-authentication is a MUCH better idea if you can possibly use it.
-----Original Message----- From: mediawiki-l-bounces@lists.wikimedia.org [mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of Guilhem Bonnefille Sent: Friday, March 09, 2007 2:18 PM To: mediawiki-l@lists.wikimedia.org Subject: [Mediawiki-l] Identification without Authentication
Hi,
I'm evaluating the use of MediaWiki in a corporate server. In such environment, my need for the "login" stage is only to identify people. I do not need them to authenticate (no need to password). The need is to know who made what, in a "confident" world.
Is it possible to configure MediaWiki to only require a login (without password) and only check that this login exists in a LDAP database?
Thanks in advance for any tips.
Guilhem BONNEFILLE -=- #UIN: 15146515 JID: guyou@im.apinc.org MSN: guilhem_bonnefille@hotmail.com -=- mailto:guilhem.bonnefille@gmail.com -=- http://nathguil.free.fr/
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
mediawiki-l@lists.wikimedia.org