> My impression regarding A) is, that the LDAP-extension-plugin does not > support cleartext communication with the LDAP-server out of the box, so > unless you explicitly set the option to use cleartext, you will be safe. > Am I right? >
The default is LDAP via StartTLS, and it is enforced. You can change to LDAPS or cleartext LDAP, if you so choose. > B) seems to be a little more complicated. If I don't want to use SSL for > the whole wiki site (and I do want to avoid the additional processor load) > I need to secure the login-page only or at least the data submitted to the > wiki-server when the user clicks login. Are there extensions for this. Did > anyone hack his installation so that the login-page is restricted to SSL? > How do other LDAP-users handle this problem? > I believe there is a way to do this. You'll need to make sure your cookies are marked as secure, and the web server ensures that login pages are forced SSL. There used to be a configuration hack, but it looks like the documentation is no longer on mediawiki.org. I'd find it in the history, but it may be gone for a reason. - Ryan Lane _______________________________________________ MediaWiki-l mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
