LdapAuthentication.php

Did you read Special:Code/MediaWiki/78427#c12153? Fomafix 12:55, 4 January 2011 (UTC)

I thought I had gone back and fixed the rest of it. I had forgotten. Thanks for the reminder. Fixed. Ryan lane 14:04, 4 January 2011 (UTC)
Hey guys, a small off-topic. Why is this thread in My new messages? Juan de Vojníkov 14:24, 26 February 2011 (UTC)
No idea. Maybe you had watched my user page at some point in time? Ryan lane 14:52, 26 February 2011 (UTC)
Ya, it might be an issue. So I should not watch your DP then? Juan de Vojníkov 14:06, 16 March 2011 (UTC)
I don't care if you do, just saying that may be why you are getting updates ;). Ryan lane 16:58, 17 March 2011 (UTC)
But then it's a bug of LiquidThreads. Juan de Vojníkov 09:42, 4 April 2011 (UTC)
Report it in bugzilla then :) Ryan lane 23:08, 4 April 2011 (UTC)

Crap articles

In the ACTRIAL discussion you said:

Why don't we instead make a policy that marks "crap" articles as being poor quality, then funnel our efforts into making them good? Instead of deleting something, why don't you take a few minutes to make it better?

Maybe that was just rhetoric, but if it was a serious question, the reason is that, though many articles are indeed flagged for improvement, when we refer to crap articles created as first edit by non-autoconfirmed users, we mean "articles" like "Ryan X born 7 August 1997 is the coolest man in the universe" or "Tommy Z is gay and has no friends" or (a few from my recent deletion log):

"dandrummerdan" is a youtube page of a boy named Danny. He is a musician, skater, and does all kinds of stuff. Recently, he started getting paid for his video views. His youtube Channel is [www.youtube.com/dandrummerdan] www.youtube.com/dandrummerdan

hello ,welcome to my page . Hope you enjoy your stay here . Share my favourite cheap louis vuitton bags from http://www.louisvuitton30.com with you , hope you like the discount louis vuitton handbags as well , very appreciate for your opinion .

<name redacted> is a talented young girl who has a passion for music. She is 13 years old and was born in Gillingham. She plays guitar, saxophone and she has an incredible singing voice. She attends Rainham Mark Grammar School and she is currently choosing her options.

What really sets a car dealership apart these days? Convenient Location: To visit our dealership, check our Map and Location and Department Hours. We would like to meet you in person and help you with your car ownership needs. Our dealership is conveniently located next door with Cliffs Ice cream and worth the drive. (details omitted)

A fuu prii prounounced (four-pwu) originates from the 2011 word fuu plu, this word from the language fuu prii also icludes famous words such as possibrably

JohnCD 23:12, 7 November 2011 (UTC)

Yes, and there are examples of legitimate content and non-crap stub articles being deleted because the person didn't cite sources, or it's a stub. In the old days this content would be marked as [citation needed], or marked as a stub. This leaves around content that others see as needing citation or being a stub and it entices them to make it better. Ryan lane 23:28, 7 November 2011 (UTC)
Yes, certainly there are examples of that, but you seemed to be saying that deletion is always bad because it removes information that could have been improved. People often say that who do not know what the actual new page list of an anyone-can-edit site looks like. My point was to illustrate that many new "articles" are not amenable to improvement, and those are the "crap articles" people were talking about. JohnCD 12:25, 8 November 2011 (UTC)
I'm not saying that there is no bad content. I'm saying that there is also good content that gets thrown out rather than being improved. I want to avoid us throwing out the good with the bad, and for us to try to be more helpful instead of telling people to go away. Ryan lane 17:42, 8 November 2011 (UTC)
You don't know what you're talking about! Those are just some people who wanted to share something! 69.115.159.223 17:47, 22 November 2011 (UTC)

Wikimedia Labs

Interested in development of Wikimedia Labs as a tool for extension development. I have SVN commit access - would it be possible to get that linked to a Labs account? Thank you! Varnent 21:39, 29 November 2011 (UTC)

Yep. Labs isn't fully set up for an easy extension development environment right now, but if you are willing to set most things up manually right now, it'll work. I need the following information from you:
  1. Your preferred wiki user name
  2. Your SVN account name
  3. Your preferred email address
You can send me this via wiki email, or via rlane at wikimedia dot org. Ryan lane 02:29, 2 December 2011 (UTC)

Labs

Hello. I'm interested in running my en.wikipedia bots on Labs. If possible, could I please have a labs account? Thanks, FASTILY (TALK) 22:14, 25 January 2012 (UTC)

Please drop into #wikimedia-labs on freenode, and we'll get an account set up for you. Ryan lane 22:17, 31 January 2012 (UTC)

LDAP wsDomain error talk

Hi Ryan,

Spent the last few hours scouring all sorts of info over the wsDomain issues. I see that there is still no fix, and still lots of confusion.

I just finished an installation of MediaWiki + LDAP and immediately ran into the issue. Config: Apache 2, Server 2008 R2 x64, MySQL, PHP 5.2 thread safe - VC6, XCache for PHP 5.2

I was trying to dig into it, and to do so I did a quick "search in all files" in the MediaWiki root dir for "wsdomain" (not case sensitive). I got 133 hits in 3 files, only 4 of which were not in LdapAuthentication.php. In fact those 4 are the only hits outside of the LDAP plugin at all. (My results might be a *slight* bit off as I have added some of the "fixes" I've read about... nothing is working.) I can produce this error every time, by simply visiting the main wiki page and then clicking login. I have so far *only* seen it when a user is *not* logged in. Logging in makes it go away, and in fact possibly not come back. I logged in and out on Firefox and the problem went away... so I had to use Chrome to see it again. As long as I don't log in on Chrome I can make it happen over and over.

The question is... where is $_SESSION['wsDomain'] being set? I can't find it. Everywhere I find it, it's being referenced, not set.

I'd like to help fix this. I can collect any information you want, and if needed we may even be able to give you remote access to examine the setup/system. Fozzy 01:16, 26 January 2012 (UTC)

File:Ryan_Lane_-_How_to_be_a_part_of_the_MediaWiki_developer_community.pdf

Hey. I was reading your File:Ryan_Lane_-_How_to_be_a_part_of_the_MediaWiki_developer_community.pdf that you had linked on the mailing list. It looks like quite a good introduction for newbies, but one thing that was bothering me is on page 11 you had:

$escID = $dbr->addQuotes( $id );
$dbr->query( "SELECT * FROM foo WHERE foo_id= $escID" );

as acceptable. Really to be acceptable, foo needs to be escaped with $dbr->tableName('foo') or the code won't work on wikis that use db prefixes. Bawolff (talk) 23:33, 16 February 2012 (UTC)

It's acceptable from a "you're not going to get owned" POV. There's a reason I mention later that there's a recommended way. Ryan lane (talk) 23:52, 16 February 2012 (UTC)

Want GIT Access

Hi Ryan,

could you give me access to Git? I need it as the new way to publish my Extension:Mail2Facebook. Starwhooper (talk) 20:50, 2 March 2012 (UTC)

Hi Ryan,
please give me a hint if this is the wrong place to request Git access.
Regards, Starwhooper (talk) 15:42, 4 March 2012 (UTC)
You should ask sumanah, or ^demon, or reedy on IRC in #mediawiki on freenode. Ryan lane (talk) 20:02, 8 March 2012 (UTC)

search attributes with a user-defined filter

Hey Ryan,

please give me a hint. I'm searching for a way to access a special column in the LDAP. For example, if a user wants to log in, at first I want to check if this user exists or not. After this step, I want to check a special attribute. Only users which have an entry in this attribute are allowed to log in. But I don't know how and where to set this filter. I thought perhaps here in LocalSettings.php? But I'm really not sure.

$wgLDAPSearchAttributes = array( "array"=>"uid" xx>>here?<< );

xx: I want to search for something like: "eduPersonEntitlement = urn:mace:dir:entitlement...."

Thanks for help.

Best regards Cescovo (talk) 15:44, 7 March 2012 (UTC)

Requesting access to Labs.

Gday Ryan. I am doing some work on a project with Dirk Beetstra, which he has running on Labs. Beetstra is after some support and menial work and suggested that I should contact you to get access to Labs so that I could assist. Is that possible? It is a number of years since I have done shell work, though I did act as postmaster and listmaster for RootsWeb for a number of years and that included about ten years of shell access. Thanks for your consideration on this matter. — billinghurst sDrewth 09:17, 18 March 2012 (UTC)

Please ask here: http://www.mediawiki.org/wiki/Developer_access Ryan lane (talk) 22:52, 7 April 2012 (UTC)

Labs account

Hi. Per Sumana, I'd like to get a Labsconsole account so I can submit merge requests. Username DCOLLINS, email address dcollinsn@gmail.com. I do not have a svn account. ST47 (talk) 21:46, 18 March 2012 (UTC)

Please ask here: http://www.mediawiki.org/wiki/Developer_access Ryan lane (talk) 22:52, 7 April 2012 (UTC)
Hi Ryan, I was unable to create an account there just now. I made a note of my attempt on Talk:Wikimedia_Labs#Create_account_26228. Rogerhc (talk) 05:25, 13 April 2013 (UTC)
It worked this evening however. Rogerhc (talk) 03:51, 15 April 2013 (UTC)

Something about Labs

Hi. I didn't know where to ask that. You might be interested and/or help me. Thanks. TeleS (T M @ C S) 00:32, 21 March 2012 (UTC)

Request access to Labsconsole account

Hi, Ryan! I am the maintainer of Extension:GeoGebra and Extension:FormelApplet. I was requested to move my code to GIT. At this page you are told to be the recommended contactee.

Username: Rudolf.Grossmann
Email: rg58(at)gmx.de
No SVN account. Rudolf.Grossmann (talk) 21:19, 26 March 2012 (UTC)

Please leave your request at http://www.mediawiki.org/wiki/Developer_access Ryan lane (talk) 22:51, 7 April 2012 (UTC)
Done! Tnx for your advice. What comes next? Please see also Help_talk:SSH
Next step is here: Git/New_repositories#Step_3:_Request_space_for_your_extension

Thank you, Sumanah, for your patience at IRC. Rudolf.Grossmann (talk) 15:32, 9 April 2012 (UTC)

Request an account on Wikimedia Labs

I'm a contributor on Chinese Wikipedia, and have lots of contributions on Chinese Wikipedia, and I'm interested in MediaWiki development. Besides that, I'm going to attend the Hackathon at Wikimania 2012 in Washington D.C., so I want to request an account on Wikimedia Labs to do some experiments and practice on MediaWiki before the Hackathon.

I've already submitted my request on the developer access page.

Thx~ Shujenchang (talk) 02:08, 23 April 2012 (UTC)

Thank you~
--Shujenchang (talk) 06:06, 23 April 2012 (UTC)

Extension:SmoothGallery

Hi,

Do you have any plans to update the Extension:SmoothGallery and/or to move it from SVN to GIT?

Best, 555 (talk) 02:52, 1 July 2012 (UTC)

LDAP problems

Hello,

Where can I search for advice on how to configure LDAP authentication?

I'm trying to make auth over Win 2008 AD. MediaWiki is installed on Ubuntu. I've tried to look at http://www.mediawiki.org/wiki/Extension:LDAP_Authentication_Configuration_Examples#Configuration_for_an_AD_server but I get incorrect password and all. Yaroslav 11:59, 19 September 2012 (UTC)

Also, maybe it will help:
MediaWiki works through nginx + php-fpm
and the only error I see is "Incorrect password entered. Please try again." 82.140.109.25 12:56, 19 September 2012 (UTC)

can't seem to download the plugin

whenever I try to download the plugin, I get the following error:

"Invalid response from Extension Distributor remote client."

I would really like to implement this, is there another way to get the plugin? Erik 09:41, 17 October 2012 (UTC)

Undefined offset:

Hello,

I try to use your Extension, but I get

Notice: Undefined offset: 0 in C:\xampp\htdocs\vorlage\extensions\Ldap\LdapAuthentication.php on line 1639
Notice: Undefined offset: 0 in C:\xampp\htdocs\vorlage\extensions\Ldap\LdapAuthentication.php on line 1640

after I try to login

My settings:

require_once('extensions/Ldap/LdapAuthentication.php');
$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPServerNames = array('SK_LDAP' => 'ldap.server.com');
$wgLDAPDomainNames = array('SK_LDAP');
$wgLDAPSearchAttributes = array('SK_LDAP' => 'cn');
$wgLDAPBaseDNs = array('SK_LDAP' => 'o=SK');

$wgLDAPUseSSL = false;
$wgMinimalPasswordLength = 1;

$wgLDAPRequiredGroups = array('SK_LDAP' => array('cn=local_admin,ou=group,ou=DE,o=SK'));
$wgLDAPGroupUseFullDN = array('SK_LDAP' => true);
$wgLDAPGroupObjectclass = array('SK_LDAP' => 'groupOfNames');
$wgLDAPGroupAttribute = array('SK_LDAP' => 'member');
$wgLDAPGroupSearchNestedGroups = array('SK_LDAP' => false);

Can you help me? 178.15.132.6 14:12, 7 November 2012 (UTC)

LDAP Help

Hi, I am running mediawiki on a 2008 windows server.
Mediawiki 1.20.2
PHP 5.3.19 (cgi-fcgi)
MySQL 5.5.29

I am trying to set up an active directory with my work where it will access the employee database so everyone can log in with their username and password. It's not working, plus it even says that the admin username and password are incorrect. I have uncommented the php_ldap.dll extension and downloaded the LDAP authentication extension.

Local Settings:
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "my.work.com" );
$wgLDAPServerNames = array( "my.work.com" => "my.domain.my.work.com" );
$wgLDAPEncryptionType = array( "my.work.com" => "clear" );
$wgLDAPUseSSL = array( "my.work.com" => false );
$wgLDAPRetrievePrefs = array( "my.work.com" => true );
$wgLDAPMinimalPasswordLength = 1;
$wgLDAPSearchStrings = array( "my.work.com" => "my\\USER-NAME" );
$wgLDAPBaseDNs = array( "my.work.com" => "dc=my, dc=work, dc=com" );

I have some group permissions in my local settings as well and can post those if needed. 98.103.126.114 16:11, 18 January 2013 (UTC)

status update on database replication on Labs?

Could you please post some kind of a Labs status update with the ETA for database replication? Many were hoping by the end of the month/quarter, and the main Labs page says something about the end of February, but no status updates since last year. It would help to plan. 71.212.224.191 10:25, 22 March 2013 (UTC)

https://wikitech.wikimedia.org/wiki/ToolLabsDatabasePlan Ryan lane (talk) 20:04, 2 April 2013 (UTC)

wikistats.wmflabs.org

I see you created the Nova Resource page. Might want to check out m:Talk:List_of_Wikipedias#Minangkabau_Wikipedia πr2 (tc) 05:10, 22 May 2013 (UTC)

I created the project for someone, but it's Dzahn that manages that. Ryan lane (talk) 05:20, 22 May 2013 (UTC)

TLS on Wikipedia

In reference to https://wikitech.wikimedia.org/wiki/Https
1. Is this information accurate, and
2. Is it the same for Wikipedia?
3. Based on information I could obtain via probing, you appear to be using nginx with openSSL 1.0.1 as load balancing proxy for another server. The proxy connects to the server over plain HTTP. Is this correct? Until I know this, I can't accurately make suggestions on what to change in your configuration files.

First impression issues:

1. Server does not enforce cipher suite order and lets the client choose.
2. Performance first configuration, offers next to no security.
3. The server certificates used are valid for too long a stretch of time, considering the "weak" cryptographic primitives they rely on.
4. Plain HTTP is the default.

I would propose you make the following changes to your infrastructure (most important first):

1. Sniff the crawlers for the most popular search engines, inform them of such a change and permanently redirect all URLs they access to a TLS secured one. This would have a significant number of users visit the site moderately securely very quickly.
2. You enforce the cipher suite order and change it to something like this:

ECDHE-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA256:AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:CAMELLIA256-SHA:AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:CAMELLIA128-SHA:RC4-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:-SEED-SHA:-IDEA-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-DSS-3DES-EDE-CBC-SHA:PSK-AES256-CBC-SHA:PSK-AES128-CBC-SHA:PSK-3DES-EDE-CBC-SHA:PSK-RC4-SHA:-ECDHE-RSA-DES-CBC3-SHA:-ECDHE-ECDSA-DES-CBC3-SHA:-ECDH-RSA-DES-CBC3-SHA:-ECDH-ECDSA-DES-CBC3-SHA:-DES-CBC3-SHA:!DES:!LOW:!EDH:!EXP:!NULL:!aNULL:!MD5

It includes all selectable options as of openSSL 1.0.1e, sorted by their arithmetic safety rating (assuming < 4096-bit RSA, < ~300-bit ECDSA and popular browser capability), except those permanently excluded via the parameters at the end. To disable a cipher suite, put a dash after the colon in front of it. I would recommend, unless you still have a large set of users connecting with IE6 on Windows XP SP2 and prior, that you remove all 3DES cipher suites as well.
3. Get new SSL certificates using at least 2048-bit RSA and ~240-bit elliptic curve keys and sha-256 authentication. Make sure each individual server has its own public key pairs. Include each servers own unique host name first in the list of subject alternative names of the public certificate that is transmitted with each TLS connection. Make sure your certificates expire before they could be arithmetically broken (That's sometime late 2014 for 2048-bit RSA). Remove and revoke all current certificates. Optional (compatibility): Create and have certificates signed which all have the same public key for each server but all FQDNs the server serves in the subject canonical name field and add them to the server configuration before the wildcard certificate.
4. Make sure all certificates and their public keys are mentioned in order of preference in the server configuration.
5. Enable Strict Transport Security headers for all HTTPS connections
6. Disable SSL3.0
7. Enable OCSP stapling
8.


Will add more later, may revise text; in the meantime, this may be a good read: https://www.ssllabs.com/projects/best-practices/ even though it gets a few key things wrong and refrains from mentioning others to keep the document short. I've got to do something else now. Dorian Muthig (talk) 03:53, 3 August 2013 (UTC)

Did you run an ssllabs test against en.wikipedia.org? Did you even run openssl s_client against en.wikipedia.org or check our certificates? To answer your questions:
On your first set of assertions:
  1. That's not correct. You can even see our nginx configuration in our puppet repo. All of Wikipedia's configuration is open to the public, feel free to check it out.
  2. That page hasn't been updated in a while, but the configuration isn't performance first. It's a mix of performance and security.
  3. What stretch of time would you recommend? It's a 4 year cert and is 2048 bit. There's no research that indicates this is too long of a period of time.
For your second set of assertions:
  1. Did you read the blog post? By setting rel=canonical to https you inform search engines that they should be indexing the https version of a page. At minimum Google supports this and that's roughly 45% of our referrer traffic (the lion's share of our referrer traffic is internal; most other search engines' referrer traffic is minuscule). We will of course alert other search engines that don't support rel=canonical.
  2. TLS 1.2 is enabled, but I haven't added the GCM ciphers to the list yet. Was planning on doing this when I got back from Wikimania (I'm not going to make changes when the majority of the ops team isn't readily available). Otherwise, we don't plan on enabling perfect forward secrecy ciphers yet, as it's not very useful to have forward secrecy without first solving the problem of traffic analysis. Otherwise, the current cipher list we're using is a fairly standard configuration that protects against BEAST and offers a set of stronger ciphers for clients that ignore server preference.
  3. We already use 2048 certs. Just use openssl s_client to confirm.
  4. I have no idea what you mean by this, it makes no sense.
  5. We can't do this without blocking access to readers of Wikipedia in countries that block HTTPS. # This will cause compatibility issues for older clients. We support relatively old browsers (I think our general metric is any browser with >1% of our traffic). Can't do this.
  6. This is a performance setting, not a security setting. I didn't bother to mention performance things in the post, but we'll be doing a number of things to increase performance. OCSP stapling will be one along with some other likely things: SSL session tokens, SNI using domain specific certs for supported browsers and a unified cert for unsupported browsers, possible elimination of an intermediary CA, a distributed SSL cache across all SSL terminators, etc. etc.
Based on your twitter assertions, I was hoping for something terrifying ;). Ryan lane (talk) 07:53, 3 August 2013 (UTC)
Yes, and yes. Apparently you however haven't: https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fen.wikipedia.org
Please pay special attention to handshake simulation. I also ran my own tests, which are, well, a bit more extreme.
  1. TLS works in wonderful ways. The client sends an ordered list of supported cipher suites to the server, and the server matches it to its own list and negotiates one (it also sends this list to the client, but that's not really important; client renegotiation should be disabled). If you enforce the cipher suite order (that's ssl_prefer_server_ciphers on; in nginx.conf) it iterates through the server specified list looking for a match in the client specified list; if you don't, it works the other way round. The first match is used.
    If you could point me to where those configuration files are in the repository, that would be splendid. I've been searching for a while yesterday, without luck.
  2. Actually, this is rather black and white. And a color you can't see. Security first (the right way), performance first, or completely misguided in either approach.
  3. Without forward secrecy (and that currently has its own flaws)? 24 hours, or until the current session ends, whichever is sooner. Now, this is of course not very practical by any stretch of the imagination. I have a solution for this, but it's not easy to implement, so I'm not going to burden you with it. For authentication alone, it should be valid only until it becomes feasible either to find a collision of the digest or to factor the public key and derive the private key.
    The larger the key size, the better. Expiry of PKI will compromise all past communication; expiry of the digest compromises authentication. And SHA-1 is bad juju.
--
  1. No, I did not. What's the point? What you are doing further requires 1. search engine support and 2. the crawler to revisit the page. The first one only Google does, and the second one, well, takes too long without a nudge. You can use search engine webmaster tools to tell those search engines your site is available elsewhere (even if it isn't) and use HTTP 301 to make it work with the ordinary crawlers.
  2. Prioritizing RC4 does not protect against a BEAST type attack; if anything, it makes all non-vulnerable clients vulnerable, because RC4 in TLS is broken just the same.
  3. Not always. I have been served three different ones during my tests. Equifax/GeoTrust 1024-bit sha1RSA (expiry: Sunday, August 23, 2015 12:23:10 AM), RapidSSL/GeoTrust 2048-bit sha1RSA (expiry: ???/can't find it anymore), and DigiCert 2048-bit sha1RSA (expiry: Wednesday, January 20, 2016 2:00:00 PM)
  4. You can add multiple certificates to a server configuration, even for the same domain. The server will automatically pick one to serve a client during the handshake, depending on what it says it supports. You can add ECDSA and RSA keys; the one first in the order listed that is compatible will be used.
  5. Sure you can.
    if ($scheme = https) { add_header Strict-Transport-Security "max-age=31556926; includeSubdomains;"; }
    Since it requires the use of a compatible client with a working connection before being active, it will ensure all future visits will be secure. It won't block plain text access.
  6. I have explained this above. (also, you forgot a new line before that #, that's confusing)
  7. Not entirely true. It may allow the server to lie or provide revocation information the client would otherwise not know about.

I also wasn't done yet. Like I said there. I'm saving the terrifying stuff for later. Those were just the basics. The obvious, not so time consuming things. Dorian Muthig (talk) 11:45, 3 August 2013 (UTC)
  1. Part of the nginx config is here. If you look at the ssl nodes in site.pp you can trace the config down to its files. It's very obviously enabled, and ssllabs obviously shows that's the case. I don't understand what you're seeing.
  2. This is absurd. You can both be secure and have good performance. There are obviously trade-offs like not enabling PFS. But in general being secure doesn't cause any massive issues with performance.
  3. Anything past PFS is an absurd approach for this. Let's not even bother talking alternatives because any alternative is just a stupid approach to PFS.
----
  1. Are you seriously saying you're just guessing at what we are doing? Well, this is the end of our conversation. I honestly was spending my time pointing out inaccuracies in your assertions to help you learn, but it's obvious that you don't care to understand this any better. I'm not going to bother responding to any of the rest of these... Ryan lane (talk) 19:39, 3 August 2013 (UTC)
  1. Thanks, will have a look. What I am seeing is, client says if TLS1.2, we don't have RC4, then 3-DES is next in line. This is bad. I don't think I need to explain to you why. I also have other probing data from handshakes with server supported cipher suites in various sorting orders, where the choice does not fall correctly (as specified by the server). It's TLS1.1 related, may be a bug in the server software or your SSL stack and how it handles your particular choice of cipher suites, though.
  2. It's not. While it is true, you can have security with good performance, dropping to arithmetically weaker cipher suites is not the approach you should take. Your "trade-offs" lower the effort required to circumvent it. And that's definitely not good.
  3. It's not absurd to use a non-standard method to achieve the same result, especially with limited compatibility, but I am starting to have serious doubts you even care.
----
  1. Do you mean this? Number 3 is a really bad idea, number 5 is completely misguided, enabling it is surely better than leaving it off, and number 1 and 6 will leave China hanging, you shouldn't do that to the Chinese Wikipedia (at least not for those on IPv4).
    I don't need you to help me learn, you don't even know who I am, and from what I can tell you are beyond incompetent in understanding the matter at hand anyway. And with that attitude, you surely aren't going to win against the NSA (and all the others I'm sure you don't really care for).
I wish you the best of luck in doing nothing and leaving everyone hanging out to dry. If you change your mind, I'm easy to find. Dorian Muthig (talk) 23:34, 3 August 2013 (UTC)
When I say help you learn, I specifically mean our architecture. It's simply not possible to take theoretical best practices and apply them at scale. Take a look at any of the top 10 sites and you'll notice that no one is applying theoretical perfect SSL practices. You have to consider compatibility and also need to weigh the cost of implementing something versus its potential benefit.
You are offering help on an infrastructure you didn't put any effort into learning about. You didn't look at our public config, you didn't read the blog post specifically addressing our plans, and you didn't do most of the basic investigation to properly profile our implementation.
I'm more than happy to discuss implementation details and our plans and take suggestions, but I'm not really willing to take lectures on theory and I'm not going to put effort into answering your incorrect assertions if you aren't willing to put the effort in to learn how things are currently working. Ryan lane (talk) 07:10, 4 August 2013 (UTC)
Like the beginning of my first post says, I already mentioned that I do not have all the information on your architecture and that anything I said stems from probing your active production infrastructure, as this is the most accurate data I can use. Though all this information is more or less publicly available, finding specifically all the things related to properly implementing what you refer to as "theoretical best practice" would take more than a day, even if you provided me with pointers to where I can find it.
You leading me to look into what the other top 10 sites are doing isn't very helpful either, because they mostly do not care about doing it properly; they only care about their users believing that they do and want to spend as little time and money on the issue as possible. If you feel the same way, we have nothing further to talk about. I will consider compatibility and end user guidance alone in the approach; anything else is a futile waste of time. Dorian Muthig (talk) 05:10, 5 August 2013 (UTC)
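The negotiation rule Dorian describes (the preferred side's list is walked in order and the first suite the other side also offers wins) and the fallback he reports (a TLS 1.2 client without RC4 landing on 3DES), as an added Python simulation that is not code from this page or from Wikimedia's configuration. Every suite list and client profile is constructed for the example; the only real identifier is the nginx directive ssl_prefer_server_ciphers that the thread names.

```python
"""Simulate TLS cipher-suite selection with and without server preference.

Added illustration for the thread above, not the talk page's or Wikimedia's
own code.  All suite lists and client profiles are constructed; the only real
identifier is the nginx directive ssl_prefer_server_ciphers.
"""

# Constructed server list shaped like the policy the thread argues about:
# RC4 first (as a BEAST mitigation), then 3DES, then AES-CBC, no GCM suites.
SERVER_RC4_FIRST = [
    "RC4-SHA",
    "DES-CBC3-SHA",
    "AES128-SHA",
    "AES256-SHA",
]

# Constructed hardened list: AEAD suites first, RC4 and 3DES removed entirely.
SERVER_HARDENED = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-GCM-SHA256",
    "AES256-SHA",
    "AES128-SHA",
]

# Constructed client profiles, most preferred first.
CLIENTS = {
    # A TLS 1.2 client that no longer offers RC4 at all (the case in the thread).
    "tls12_no_rc4": [
        "ECDHE-RSA-AES128-GCM-SHA256",
        "AES128-GCM-SHA256",
        "AES256-SHA",
        "AES128-SHA",
        "DES-CBC3-SHA",
    ],
    # An older client that still offers RC4, but only as its last choice.
    "legacy": ["AES128-SHA", "DES-CBC3-SHA", "RC4-SHA"],
}


def negotiate(server_suites, client_suites, prefer_server):
    """Return the suite a handshake would select, or None if nothing overlaps.

    prefer_server=True models ssl_prefer_server_ciphers on: the server list is
    walked in order and the first entry the client also offered wins.  With
    prefer_server=False the client's order decides instead.
    """
    if prefer_server:
        outer, inner = server_suites, client_suites
    else:
        outer, inner = client_suites, server_suites
    offered = set(inner)
    for suite in outer:
        if suite in offered:
            return suite
    return None


def is_weak(suite):
    """Flag the outcomes the thread calls out: RC4, 3DES, MD5 MACs, or no match."""
    if suite is None:
        return True
    return any(tag in suite for tag in ("RC4", "DES-CBC3", "MD5"))


def audit(server_suites, prefer_server, clients=CLIENTS):
    """Map each client profile to (negotiated suite, weak?) under one server policy."""
    result = {}
    for name, offered in clients.items():
        chosen = negotiate(server_suites, offered, prefer_server)
        result[name] = (chosen, is_weak(chosen))
    return result


if __name__ == "__main__":
    # Compare both policies with and without server preference enforced.
    for label, policy in (("RC4-first", SERVER_RC4_FIRST), ("hardened", SERVER_HARDENED)):
        for prefer in (True, False):
            print(label, "prefer_server=%s" % prefer, audit(policy, prefer))
```

Running it shows the RC4-first policy pushing the RC4-less TLS 1.2 client onto 3DES when the server order is enforced, while the hardened list gives every profile a non-flagged suite.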

Thanks for renaming on wikitech but....

.... as I tried to login into wikitech, my password didn't run; I asked for another, I got a temporary one, using that temporary password I login and I have been redirected into "Reset password" form; I tried... and I got the error message "There was either an authentication database error or you are not allowed to update your external account.", I found that's a known bug. :-(

I feel myself a little bit discouraged.... Alex brollo (talk) 06:02, 8 August 2013 (UTC)

Ugh. I renamed you in MediaWiki, but forgot to do so in LDAP. It should work now. Ryan lane (talk) 06:18, 8 August 2013 (UTC)
OK! Thank you. Alex brollo (talk) 07:34, 8 August 2013 (UTC)

hey

hey Yhz1221 (talk) 05:54, 10 August 2013 (UTC)

hey
Great work on the LDAP extension--thanks for your time! VanShunt (talk) 14:40, 25 October 2016 (UTC)

Emails

Hi, this is me. I just sent two different emails to you. One is about the language list, another is about the discussion schedule tomorrow. Please check. If you did not find them, please check the junk.

Waiting for your reply,

Yhz1221 Yhz1221 (talk) 10:47, 10 August 2013 (UTC)

I didn't get either one and I can't find them in my spam folder. Can you please update this thread with any details? Ryan lane (talk) 18:22, 10 August 2013 (UTC)

WikiLab


Dear Ryan, WikiLab is the working title for a planned project at the intersection of the Education as well as the GLAM initiatives in the German Wikipedia. As the title fits very well, I want to keep it. Is that OK? I'm just asking, because one might think it is too close to Wikimedia Labs. Regards, Andreas Möllenkamp (talk) 14:55, 5 April 2014 (UTC)

It's a really bad idea. It's incredibly close to Wikimedia Labs and we already have issues with Tool Labs (a project inside of Labs) being confused for Wikimedia Labs (which is an infrastructure). You should really consider a new name.
Of course, I'm not a Wikimedia employee and I don't really have much say. Ryan lane (talk) 09:54, 6 April 2014 (UTC)

v1.12a beta?


Older MW installation (1.15.1) running LDAP Authentication Plugin (Version 1.2a (beta)).

In the process of moving it all (this one and another wiki that was at 1.12!) to a new host. One needs LDAP (AD), the other doesn't.

If I install the latest version of the LDAP extension under MW 1.15.1 will it work? I want to get it working as before on the new host before I update to 1.23.

Peter Plaws (talk) 22:21, 23 June 2014 (UTC)

Actually ... never mind. I think it's all working under 1.15.1. Just need to sort out all the redirects, etc., and then I can update to the latest. Plaws (talk) 18:26, 24 June 2014 (UTC)

Https


Hello, a few questions:

1) After turning on https by default for anonymous readers, will they have a way to use the usual http in desktop view? For example, readers can use the compressing Google and Opera servers; will they no longer be able to use them?

2) Will the mobile version also be https by default?

3) Will the beta testing program [1] still work? Are there any plans for when the beta will begin? If a separate wiki has a consensus for enabling https by default now, can it be done now?

4) If not, what do you think about enabling https now through a script in MediaWiki:Common.js on a separate language X.wikipedia.org?

if (window.location.protocol !== "https:" && window.location.host === 'ru.wikipedia.org' && typeof wgUserId === 'undefined') {
    // Anonymous reader arriving over http (wgUserId is only exported for logged-in
    // users): reload the same URL over https.
    window.location.href = "https:" + window.location.href.substring(window.location.protocol.length);
}

// Shortcut for loading a script page from the local MediaWiki: namespace.
importMW = function (name) { importScript('MediaWiki:' + name + '.js'); };

// Wrap importScript so that a script page can also be loaded from another project.
importScript_ = importScript;
importScript = function (page, proj) {
    if (!proj) {
        importScript_(page);
    } else {
        if (proj.indexOf('.') === -1) proj += '.wikipedia.org';
        importScriptURI('//' + proj + '/w/index.php?action=raw&ctype=text/javascript&title=' + mw.util.wikiUrlencode(page));
    }
};

Sunpriat (talk) 21:38, 27 September 2014 (UTC)

AD groups and Namespaces


Hi. We have set up a wiki and some custom namespaces ns:database ns:unix

Now, when logging in to the wiki we validate through AD groups cn=unix team... and cn=database team. We only want a user who is a member of, e.g., unix team to be able to edit things in ns:unix, and database team in ns:database. They should not be able to edit other namespaces.

How can this be done? 194.71.19.244 16:28, 12 November 2014 (UTC)

Can you change discussion page?


I hope for a usable tree BBS like this hierarchy. Takahiro4 (talk) 06:44, 19 July 2015 (UTC)

Is there going to be any new versions?


Is there going to be any new versions? 148.137.25.79 (talk) 18:47, 1 December 2015 (UTC)

New versions of what? In general I don't maintain anything mediawiki related. Ryan lane (talk) 19:13, 29 July 2016 (UTC)
A new version of LdapAuthentication for the latest wiki version, 1.32? 2A00:18C8:3E27:3012:3C2A:D988:B0D:45D8 (talk) 15:23, 6 February 2019 (UTC)

Blank Page issue with AD auth via LDAP Auth extension


Hello,

I am having the same issue with MediaWiki v1.27.1 running in IIS on Windows 2012 R2. I downloaded and untarred the file to C:\inetpub\wwwroot\mediawiki\extensions\LdapAuthentication. The moment I uncomment the code below, none of the MediaWiki pages load; they stay blank (white). I even ran php maintenance/update.php after making the changes, to no avail. Thoughts? Is something wrong with my config? See below. I have to comment out all of the LDAP-related text below for any of the MediaWiki pages to load again.

# Enabled extensions. Most of the extensions are enabled by adding
# wfLoadExtensions('ExtensionName');
# to LocalSettings.php. Check specific extension documentation for more details.

# The following extensions were automatically enabled:
wfLoadExtension( 'PdfHandler' );
wfLoadExtension( 'LdapAuthentication' );
# End of automatically generated settings.

# Add more configuration options below.
# The quotes in this block were typographic (“ ”) as posted. PHP only accepts
# straight ' or " as string delimiters, so a file containing them fails to parse,
# and with display_errors off a parse error shows up as an empty white page.
# Straight quotes are used below.
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "myserver" );
$wgLDAPServerNames = array( "myserver" => "myserver.www.domain.domain.com" );
$wgLDAPBaseDNs = array( "myserver" => "dc=myserver,dc=www,dc=domain,dc=domain,dc=com" );
$wgLDAPSearchStrings = array( "myserver" => "mydomain\\USER-NAME" );
$wgLDAPSearchAttributes = array( "myserver" => "sAMAccountName" );
$wgLDAPLowerCaseUsername = array( "myserver" => true );
$wgLDAPGroupUseFullDN = array( "myserver" => true );
$wgLDAPGroupsUseMemberOf = array( "myserver" => true );
$wgLDAPGroupObjectclass = array( "myserver" => "group" );
$wgLDAPGroupAttribute = array( "myserver" => "member" );
$wgLDAPGroupSearchNestedGroups = array( "myserver" => true );
$wgLDAPGroupNameAttribute = array( "myserver" => "cn" );
$wgLDAPPreferences = array( "myserver" => true );
$wgLDAPDisableAutoCreate = array( "myserver" => false );
$wgMinimalPasswordLength = 1;
$wgLDAPUseSSL = false;
# "clear" sends the bind credentials to the directory unencrypted; "tls" or "ssl"
# are the values to use once the basic setup works.
$wgLDAPEncryptionType = array( "myserver" => "clear" );
# Was $wgUseLocal, which is not an LdapAuthentication setting; the documented
# name is $wgLDAPUseLocal.
$wgLDAPUseLocal = false;

Jedunbar (talk) 20:51, 15 November 2016 (UTC)

A barnstar for you!

  The Original Barnstar
This is for your brave efforts at this phab ticket. Your genius seems to be unbounded!?

Winged Blades of Godric (talk) 08:51, 24 May 2017 (UTC)

Login issue


Hi Ryan,

I hope you can help me.

We are trying to restrict access based on an LDAP group, but it is not working.

This is the current config:

$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( 'DOMAIN' );
$wgLDAPServerNames = array( 'DOMAIN' => 'xx1.corp.DOMAIN.com xx2.corp.DOMAIN.com' );
$wgLDAPSearchStrings = array( 'DOMAIN' => 'DOMAIN\\USER-NAME' );
# 'false' is not one of the documented values for this setting ('clear', 'ssl', 'tls').
$wgLDAPEncryptionType = array( 'DOMAIN' => 'false' );
$wgLDAPUseLocal = false;
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs = array( 'DOMAIN' => 'DC=corp,DC=DOMAIN,DC=com' );
$wgLDAPUserBaseDNs = array( 'DOMAIN' => 'OU=users,DC=corp,DC=DOMAIN,DC=com' );
$wgLDAPGroupBaseDNs = array( 'DOMAIN' => 'OU=applications,OU=groups,DC=corp,DC=DOMAIN,DC=com' );
$wgLDAPSearchAttributes = array( 'DOMAIN' => 'usernameoftheaccount' );
$wgLDAPGroupNameAttribute = array( 'DOMAIN' => 'cn' );
$wgLDAPActiveDirectory = array( 'DOMAIN' => true );
$wgLDAPUseLDAPGroups = array( 'DOMAIN' => true );
$wgLDAPGroupUseFullDN = array( 'DOMAIN' => true );
$wgLDAPGroupObjectclass = array( 'DOMAIN' => 'group' );
$wgLDAPGroupAttribute = array( 'DOMAIN' => 'user' );
$wgLDAPRequiredGroups = array( 'DOMAIN' => array( 'CN=thisisthenameoftheadgroup,OU=applications,OU=groups,DC=corp,DC=DOMAIN,DC=com' ) );

In the log I can see that it is not able to find the user in the 'thisisthenameoftheadgroup' group.

Do you have any idea why?

The login is working without the LDAPRequiredGroups parameter.

Thank you in advance,

Br,

Janaboy Janaboy (talk) 14:58, 18 April 2018 (UTC)

Just for the future, if somebody has the same issue: this parameter caused the problem:
$wgLDAPSearchAttributes
The working one is this:
$wgLDAPSearchAttributes = array( 'DOMAIN' => 'sAMAccountName' );
Janaboy (talk) 13:07, 20 April 2018 (UTC)
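An added illustration of why the wrong search attribute breaks the group check; this is my own code, not the LdapAuthentication extension's. As I understand the extension's flow, $wgLDAPSearchAttributes is used to find the user's DN before any group lookup, so a non-existent attribute name makes the required-group check fail even though the group settings are fine. The DNs are constructed from the placeholders in the post, and normalizeDn is a simplified comparison, not full RFC 4517 DN matching.

```php
<?php
// Added illustration, not the LdapAuthentication extension's own code.
// Filter builders mirror the settings used in the thread above; ldap_escape()
// (PHP >= 5.6) keeps a username or DN from rewriting the filter
// (LDAP filter injection), which raw string concatenation would allow.

// Step 1 of the flow: find the user's DN via $wgLDAPSearchAttributes.
// With 'usernameoftheaccount' AD has no such attribute, nothing matches,
// and every later group check fails although the group settings are correct.
function userLookupFilter(string $searchAttribute, string $username): string {
    return '(' . $searchAttribute . '='
        . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
}

// Step 2: with $wgLDAPGroupUseFullDN = true, groups are looked up by the
// attribute that holds member DNs ('member' on AD) and the user's full DN.
function groupLookupFilter(string $objectClass, string $memberAttribute, string $userDn): string {
    return '(&(objectClass=' . $objectClass . ')(' . $memberAttribute . '='
        . ldap_escape($userDn, '', LDAP_ESCAPE_FILTER) . '))';
}

// Simplified DN comparison for $wgLDAPRequiredGroups: case-insensitive,
// whitespace around RDN separators ignored. Not full RFC 4517 matching.
function normalizeDn(string $dn): string {
    return strtolower(preg_replace('/\s*,\s*/', ',', trim($dn)));
}

function isInRequiredGroup(array $requiredGroups, array $memberOfDns): bool {
    $have = array_map('normalizeDn', $memberOfDns);
    foreach ($requiredGroups as $required) {
        if (in_array(normalizeDn($required), $have, true)) {
            return true;
        }
    }
    return false;
}

// Constructed sample values based on the placeholders in the post.
$required = ['CN=thisisthenameoftheadgroup,OU=applications,OU=groups,DC=corp,DC=DOMAIN,DC=com'];
$memberOf = ['cn=thisisthenameoftheadgroup, ou=applications, ou=groups, dc=corp, dc=DOMAIN, dc=com'];
echo userLookupFilter('sAMAccountName', 'janaboy'), "\n";
// A username containing filter metacharacters is escaped rather than interpreted.
echo userLookupFilter('sAMAccountName', '*)(objectClass=*'), "\n";
echo groupLookupFilter('group', 'member',
    'CN=janaboy,OU=users,DC=corp,DC=DOMAIN,DC=com'), "\n";
var_dump(isInRequiredGroup($required, $memberOf));
```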

MediaWiki Version


Is this document compatible with older versions of MediaWiki? I use MediaWiki v1.16 on Windows 7. ElinazT (talk) 15:35, 5 June 2019 (UTC)

Ldap Authentication not working under 1.33


Hi Ryan, I've just found out that the Ldap Authentication plugin does not work anymore with MediaWiki version 1.33. I found the following discussion about this: Topic:V2uhxauzg1zj7owv


It seems that the $wgAuth setting was completely removed and the Ldap plugin is not loaded any more. Do you maintain this plugin, or where should I report this issue? TheNetStriker (talk) 13:59, 29 July 2019 (UTC)