[Mediawiki-l] Passwords in cleartext via SSL-Loginpage

amuenzeb at rockwellcollins.com
Wed Oct 6 15:00:37 UTC 2010


Hi all,

When setting up the LDAP-extension (great work btw. Thank you Ryan!) I 
stumbled upon the need to encrypt the passwords when they are sent over
the network. This was of no concern before, since this is an internal wiki 
that contained no really important information.

But if authorization is handled via LDAP, the password for logging into the
wiki will be effectively the same as the one used to authenticate with
nearly all other services, so security becomes an issue. From what I
already knew and have read in the LDAP extension documentation on 
mediawiki.org and Ryan's blog (especially the guide
http://ryandlane.com/blog/2009/03/23/using-the-ldap-authentication-plugin-for-mediawiki-the-basics-part-1/ 
which was _really_ helpful. Got it up and running in no time!) there are 2 
areas to be taken care of:

A) The communication between the mediawiki-server and the LDAP-server
B) The communication between the mediawiki-server and the end-user-PC.

My impression regarding A) is that the LDAP-extension-plugin does not
support cleartext communication with the LDAP-server out of the box, so 
unless you explicitly set the option to use cleartext, you will be safe. 
Am I right?

B) seems to be a little more complicated. If I don't want to use SSL for 
the whole wiki site (and I do want to avoid the additional processor load) 
I need to secure the login-page only or at least the data submitted to the 
wiki-server when the user clicks login. Are there extensions for this? Did
anyone hack his installation so that the login-page is restricted to SSL? 
How do other LDAP-users handle this problem?

Thanks in advance,

        Arnd Münzebrock

