[Mediawiki-l] Passwords in cleartext via SSL-Loginpage

Ryan Lane rlane32 at gmail.com
Wed Oct 6 15:27:02 UTC 2010


> My impression regarding A) is, that the LDAP-extension-plugin does not
> support cleartext communication with the LDAP-server out of the box, so
> unless you explicitly set the option to use cleartext, you will be safe.
> Am I right?
>

The default is LDAP via StartTLS, and it is enforced. You can change
to LDAPS or cleartext LDAP, if you so choose.

> B) seems to be a little more complicated. If I don't want to use SSL for
> the whole wiki site (and I do want to avoid the additional processor load)
> I need to secure the login-page only or at least the data submitted to the
> wiki-server when the user clicks login. Are there extensions for this. Did
> anyone hack his installation so that the login-page is restricted to SSL?
> How do other LDAP-users handle this problem?
>

I believe there is a way to do this. You'll need to make sure your
cookies are marked as secure, and the web server ensures that login
pages are forced SSL. There used to be a configuration hack, but it
looks like the documentation is no longer on mediawiki.org. I'd find
it in the history, but it may be gone for a reason.

- Ryan Lane



More information about the MediaWiki-l mailing list