Identification without Authentication

classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

Identification without Authentication

Guilhem Bonnefille-3
Hi,

I'm evaluating the use of MediaWiki in a corporate server.
In such environment, my need for the "login" stage is only to identify
people. I do not need them to authenticate (no need to password). The
need is to know who made what, in a "confident" world.

Is it possible to configure MediaWiki to only require a login (without
password) and only check that this login exists in a LDAP database?

Thanks in advance for any tips.
--
Guilhem BONNEFILLE
-=- #UIN: 15146515 JID: [hidden email] MSN: [hidden email]
-=- mailto:[hidden email]
-=- http://nathguil.free.fr/

_______________________________________________
MediaWiki-l mailing list
[hidden email]
http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: Identification without Authentication

Thomas Dalton
> Is it possible to configure MediaWiki to only require a login (without
> password) and only check that this login exists in a LDAP database?

You could instruct everyone to register with (or register for them
with) an empty password ("") (or remove the password box from the
signup page and hardcode it to ""), it seems they are allowed by
default ($wgMinimalPasswordLength = 0 is the default). You could
probably go in and remove the password box on the logon form (or
setting it to hidden might be easier) as well.

_______________________________________________
MediaWiki-l mailing list
[hidden email]
http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: Identification without Authentication

Jim R. Wilson
On 3/9/07, Guilhem Bonnefille <[hidden email]> wrote:
> In such environment, my need for the "login" stage is only to identify
> people. I do not need them to authenticate (no need to password). The
> need is to know who made what, in a "confident" world.

Identification implies authentication.  Otherwise, how do you distinguish
between the real PersonA and PersonA's malicious impersonator?

> Is it possible to configure MediaWiki to only require a login (without
> password) and only check that this login exists in a LDAP database?

It's _possible_ - though IMO this is a bad idea.  Why not just use the LDAP
authentication extension?

http://meta.wikimedia.org/wiki/LDAP_Authentication

On 3/9/07, Thomas Dalton <[hidden email]> wrote:

>
> > Is it possible to configure MediaWiki to only require a login (without
> > password) and only check that this login exists in a LDAP database?
>
> You could instruct everyone to register with (or register for them
> with) an empty password ("") (or remove the password box from the
> signup page and hardcode it to ""), it seems they are allowed by
> default ($wgMinimalPasswordLength = 0 is the default). You could
> probably go in and remove the password box on the logon form (or
> setting it to hidden might be easier) as well.
>
> _______________________________________________
> MediaWiki-l mailing list
> [hidden email]
> http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>
_______________________________________________
MediaWiki-l mailing list
[hidden email]
http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: Identification without Authentication

Thomas Dalton
> Identification implies authentication.  Otherwise, how do you distinguish
> between the real PersonA and PersonA's malicious impersonator?

I think the idea is that the only people with access to his wiki are
employees, and he trusts them not to impersonate eachother.

_______________________________________________
MediaWiki-l mailing list
[hidden email]
http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: Identification without Authentication

Fernando Correia
2007/3/9, Thomas Dalton <[hidden email]>:
> > Identification implies authentication.  Otherwise, how do you distinguish
> > between the real PersonA and PersonA's malicious impersonator?
>
> I think the idea is that the only people with access to his wiki are
> employees, and he trusts them not to impersonate eachother.

One procedure that works well in out environment is this: we use an
authentication plugin so that users that are already logged in to our
Intranet portal can click on a link that logs them in on the wiki.
They are added to the wiki user table on the fly if needed. They don't
have to identify themselves again (single sign-on).

If they want to access a wiki page directly through a link, that also
works because we used the "remember me" option in the login form that
was called behind the scenes.

In the worst case scenario, if the explicitly log out of the wiki and
then access a direct link to a page, they have to identify themselves,
but just once, because their login will be remembered.

This could be improved by a plugin that used their Windows user as a
source for single sign-on.

My conclusion is that it is possible to have good integration and ease
of use without being insecure.

_______________________________________________
MediaWiki-l mailing list
[hidden email]
http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: Identification without Authentication

Jim R. Wilson
> This could be improved by a plugin that used their Windows user as a
> source for single sign-on.
>
> My conclusion is that it is possible to have good integration and ease
> of use without being insecure.

Sure thing. If you restrict yourself to Internet Explorer, one could use
some kind of NTLM/MediaWiki authentication bridge to effective achieve
transparent SSO.

I'm just saying that I don't like the idea of letting people say "Oh yeah -
I'm that guy" without providing any evidence (password).  Even in a
corporate environment.  But that's just me - I'm paranoid. :)

-- Jim

On 3/9/07, Fernando Correia <[hidden email]> wrote:

>
> 2007/3/9, Thomas Dalton <[hidden email]>:
> > > Identification implies authentication.  Otherwise, how do you
> distinguish
> > > between the real PersonA and PersonA's malicious impersonator?
> >
> > I think the idea is that the only people with access to his wiki are
> > employees, and he trusts them not to impersonate eachother.
>
> One procedure that works well in out environment is this: we use an
> authentication plugin so that users that are already logged in to our
> Intranet portal can click on a link that logs them in on the wiki.
> They are added to the wiki user table on the fly if needed. They don't
> have to identify themselves again (single sign-on).
>
> If they want to access a wiki page directly through a link, that also
> works because we used the "remember me" option in the login form that
> was called behind the scenes.
>
> In the worst case scenario, if the explicitly log out of the wiki and
> then access a direct link to a page, they have to identify themselves,
> but just once, because their login will be remembered.
>
> This could be improved by a plugin that used their Windows user as a
> source for single sign-on.
>
> My conclusion is that it is possible to have good integration and ease
> of use without being insecure.
>
> _______________________________________________
> MediaWiki-l mailing list
> [hidden email]
> http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>
_______________________________________________
MediaWiki-l mailing list
[hidden email]
http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: Identification without Authentication

Fernando Correia
2007/3/9, Jim Wilson <[hidden email]>:
> I'm just saying that I don't like the idea of letting people say "Oh yeah -
> I'm that guy" without providing any evidence (password).  Even in a
> corporate environment.  But that's just me - I'm paranoid. :)

I concur. And I think there is little gain from having no passwords,
and much to lose. Anyway, I guess there are still many shops where
"blank password" is a common choice.

_______________________________________________
MediaWiki-l mailing list
[hidden email]
http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Sharing mediawiki source code

Gunter-2
Hi,

I am trying to set up differnent wikis with the mainly the same source
code (because installation and update is easier):

I set up two directories: wWikiA and wWikiB:

wWikiA is the full installation

wWikiB should only hold the LocalSettings.php and the files from the
main dir, like index.php.

To access the code in wWikiA/includes etc. from wWikiB, I changed some
in LocalSettings.php:

$IP = 'c:/Programme/xampp/htdocs/wWikiA';
$wgScriptPath       = "/wWikiB";
$wgUploadPath       = "/wWikiB/images"; #actually not necessary
$wgStylePath        = "/wWikiA/skins";
$wgDBprefix         = "wb_";

Unfortunatly the wiki did not start. Some files need to be in the
includes directory:
Defines.php
ProfileStub.php
Setup.php
WebStart.php

Is this a feature or a bug?

GunterS

PS: I can live with that, only 4 files and the files from the main
folder are easy to replace.





_______________________________________________
MediaWiki-l mailing list
[hidden email]
http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: Sharing mediawiki source code

Jim R. Wilson
I'm don't know the answer to your question, Gunter, but I have a few pieces
of advice:

1) If these are production, publicly available wikis, you really shouldn't
be using xampp - it's not made for that. (If these are internal wikis, then
please disregard).

2) If you want to make things really easy, and if you have access to do so,
you should consider using an operating system which supports "soft
linking".  Then just point the second wiki's subdirectories at the first
wiki's dirs.

3) If you're stuck with windows/xampp, the easiest thing may be to just
actually install MediaWiki twice (once for each), then explore some kind of
script (batch file?) to make upgrading easier.  The Windows XCOPY command is
probably all you need.  Do "XCOPY /?" in the command prompt to see what
options are available.

-- Jim

On 3/10/07, Gunter <[hidden email]> wrote:

>
> Hi,
>
> I am trying to set up differnent wikis with the mainly the same source
> code (because installation and update is easier):
>
> I set up two directories: wWikiA and wWikiB:
>
> wWikiA is the full installation
>
> wWikiB should only hold the LocalSettings.php and the files from the
> main dir, like index.php.
>
> To access the code in wWikiA/includes etc. from wWikiB, I changed some
> in LocalSettings.php:
>
> $IP = 'c:/Programme/xampp/htdocs/wWikiA';
> $wgScriptPath       = "/wWikiB";
> $wgUploadPath       = "/wWikiB/images"; #actually not necessary
> $wgStylePath        = "/wWikiA/skins";
> $wgDBprefix         = "wb_";
>
> Unfortunatly the wiki did not start. Some files need to be in the
> includes directory:
> Defines.php
> ProfileStub.php
> Setup.php
> WebStart.php
>
> Is this a feature or a bug?
>
> GunterS
>
> PS: I can live with that, only 4 files and the files from the main
> folder are easy to replace.
>
>
>
>
>
> _______________________________________________
> MediaWiki-l mailing list
> [hidden email]
> http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>
_______________________________________________
MediaWiki-l mailing list
[hidden email]
http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: Identification without Authentication

Lane, Ryan
In reply to this post by Guilhem Bonnefille-3
Although I agree with pretty much everyone else here in thinking this is
a terrible idea... Someone else obviously had this terrible idea as
well. I think this site has exactly what you are looking for:

http://adarshbhat.blogspot.com/2006/01/ldap-authentication-for-mediawiki
.html

You must *really* trust your users (or anyone who can figure out
usernames).

Using Kerberos, NTLM, SSL, Shibboleth, or some other type of
auto-authentication is a MUCH better idea if you can possibly use it.

> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of
> Guilhem Bonnefille
> Sent: Friday, March 09, 2007 2:18 PM
> To: [hidden email]
> Subject: [Mediawiki-l] Identification without Authentication
>
> Hi,
>
> I'm evaluating the use of MediaWiki in a corporate server.
> In such environment, my need for the "login" stage is only to
> identify people. I do not need them to authenticate (no need
> to password). The need is to know who made what, in a
> "confident" world.
>
> Is it possible to configure MediaWiki to only require a login (without
> password) and only check that this login exists in a LDAP database?
>
> Thanks in advance for any tips.
> --
> Guilhem BONNEFILLE
> -=- #UIN: 15146515 JID: [hidden email] MSN:
> [hidden email]
> -=- mailto:[hidden email]
> -=- http://nathguil.free.fr/
>
> _______________________________________________
> MediaWiki-l mailing list
> [hidden email]
> http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>

_______________________________________________
MediaWiki-l mailing list
[hidden email]
http://lists.wikimedia.org/mailman/listinfo/mediawiki-l