[Mediawiki-l] Passwords in cleartext via SSL-Loginpage

amuenzeb at rockwellcollins.com amuenzeb at rockwellcollins.com
Wed Oct 6 15:00:37 UTC 2010

Hi all,

When setting up the LDAP-extension (great work btw. Thank you Ryan!) I 
stumpled upon the need to encrypt the passwords when they are sent over 
the network. This was of no concern before, since this is an internal wiki 
that contained no really important information.

But if authorization is handled via LDAP, the password for login into the 
wiki will be effectively the same than the one used to authenticate with 
nearly all other services, so security becomes an issue. From what I 
already knew and have read in the LDAP extension documentation on 
mediawiki.org and ryans blog (especially the guide 
which was _really_ helpful. Got it up and running in no time!) there are 2 
areas to be taken care of:

A) The communication between the mediawiki-server and the LDAP-server
B) The communication between the mediawiki-server and the end-user-PC.

My impression regarding A) is, that the LDAP-extension-plugin does not 
support cleartext communication with the LDAP-server out of the box, so 
unless you explicitly set the option to use cleartext, you will be safe. 
Am I right?

B) seems to be a little more complicated. If I don't want to use SSL for 
the whole wiki site (and I do want to avoid the additional processor load) 
I need to secure the login-page only or at least the data submitted to the 
wiki-server when the user clicks login. Are there extensions for this. Did 
anyone hack his installation so that the login-page is restricted to SSL? 
How do other LDAP-users handle this problem?

Thanks in advance,

        Arnd Münzebrock

More information about the MediaWiki-l mailing list