Difference between revisions of "Cool Solution - Install Moodle"

From Univention Wiki

Newer revision (edit summary: "Upgrade to UCS 4.3"), compared against the previous revision (edit summary: "Revert mistake"). The text below is the newer revision.

{{Version|UCS=4.3}}
{{Version|school=4.3}}

{{Cool Solutions Disclaimer|Repository=no}}

This article introduces you to the usage of Moodle. It covers the installation on a dedicated school server, as well as user authentication against the LDAP. If further integration packages are needed, like loading classes from the LDAP or using the Microsoft Windows authentication for already logged-in users, feel free to contact Univention for assistance.

== Prepare UCS ==

It's important that every user who should use Moodle has an e-mail address. If currently no user has an e-mail address, install the '''Mailserver''' component from the App Center to manage an e-mail domain and assign e-mail addresses to users.

=== Prerequisites ===

This section covers the preparation and installation of Moodle on the system. Please make sure that every command is executed as the root user.

To install the necessary packages, execute the following command:
<pre>univention-install univention-mysql libapache2-mod-php php php-common php-json php-xml php-cli php-curl php-readline php-mbstring php-intl php-mysql php-ldap php-xmlrpc php-soap php-zip php-gd</pre>

To use Moodle effectively, it is recommended to raise the maximum size for uploads, e.g. to 20 MB, so that small programs can be provided to students. The changes must be made in the '''/etc/php/7.0/apache2/php.ini''' file:
<syntaxhighlight lang="bash">
post_max_size = 20M
upload_max_filesize = 20M
</syntaxhighlight>

For the changes to take effect, the Apache webserver must be reloaded:
<pre>
systemctl reload apache2.service
</pre>

Moodle furthermore needs three MySQL global variables set to provide full UTF-8 support. (Read more [https://docs.moodle.org/35/en/MySQL#Configure_full_UTF-8_support here] for details.)
You can easily set the variables ''innodb_file_format'', ''innodb_file_per_table'' and ''innodb_large_prefix'' by using the following UCR command and afterwards restarting the MySQL service:
<syntaxhighlight lang="bash">
ucr set \
 mysql/config/mysqld/innodb_file_format="Barracuda" \
 mysql/config/mysqld/innodb_file_per_table=1 \
 mysql/config/mysqld/innodb_large_prefix=1

systemctl restart mysqld.service
</syntaxhighlight>

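The two php.ini directives above only work as a pair: PHP discards a request body larger than ''post_max_size'' before ''upload_max_filesize'' is ever consulted, so raising only the upload limit leaves uploads failing at the old size. The following check is an added example and not part of the article; it parses php.ini text the way PHP does (comments ignored, last assignment wins), converts the K/M/G shorthand to bytes and verifies that both limits are consistent and reach the intended 20M. The php.ini samples are constructed.

```shell
#!/bin/sh
# Added example, not part of the Univention article: verify the php.ini upload limits
# the article raises to 20M. PHP discards any POST body larger than post_max_size
# before upload_max_filesize is even considered, so the two directives must satisfy
# post_max_size >= upload_max_filesize, and both must reach the intended size.
# Assumptions: POSIX sh with sed/grep; the php.ini samples below are constructed.

# ini_bytes SIZE: convert a php.ini shorthand size (20M, 512K, 1G or plain bytes) to bytes
ini_bytes() {
    num=$(printf '%s' "$1" | sed 's/[KkMmGg]$//')
    case "$1" in
        *[Kk]) echo $((num * 1024)) ;;
        *[Mm]) echo $((num * 1024 * 1024)) ;;
        *[Gg]) echo $((num * 1024 * 1024 * 1024)) ;;
        *)     echo $((num)) ;;
    esac
}

# ini_get NAME < php.ini: effective value of directive NAME; ';' comment lines are
# ignored and the last assignment wins, which is how PHP reads the file
ini_get() {
    grep -v '^[[:space:]]*;' | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | tail -n 1 | tr -d ' \r'
}

# check_upload_limits FILE MIN_SIZE: 0 when post_max_size >= upload_max_filesize >= MIN_SIZE,
# 1 otherwise (missing directive, inconsistent pair, or limit still below MIN_SIZE)
check_upload_limits() {
    post=$(ini_get post_max_size < "$1")
    upload=$(ini_get upload_max_filesize < "$1")
    [ -n "$post" ] && [ -n "$upload" ] || return 1
    [ "$(ini_bytes "$post")" -ge "$(ini_bytes "$upload")" ] || return 1
    [ "$(ini_bytes "$upload")" -ge "$(ini_bytes "$2")" ] || return 1
}

# Constructed samples of the relevant php.ini lines
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.ini" <<'EOF'
; post_max_size = 8M  (commented-out PHP default, must be ignored)
post_max_size = 20M
upload_max_filesize = 20M
EOF
cat > "$demo_dir/bad.ini" <<'EOF'
; upload limit raised as in the article, but post_max_size left at the PHP default
post_max_size = 8M
upload_max_filesize = 20M
EOF

for f in good.ini bad.ini; do
    if check_upload_limits "$demo_dir/$f" 20M; then
        echo "$f: upload limits consistent"
    else
        echo "$f: upload limits inconsistent or below 20M"
    fi
done
```

Run it against the real file with `check_upload_limits /etc/php/7.0/apache2/php.ini 20M` after editing; the same check is worth repeating after a PHP package upgrade, which can ship a fresh php.ini.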
== Installing Moodle ==

This section handles the basic configuration and LDAP connection for Moodle and how to delete users in Moodle that are no longer in the LDAP.

=== Create a database ===

''Hint'': '''It is recommended to create a Moodle user with appropriate privileges on the Moodle database.'''

Use the following commands to set up a MySQL user and database with UTF-8 default encoding. The Moodle MySQL user password will be saved in the file ''/etc/mysql-moodle.secret'' and used later during the install.
<syntaxhighlight lang="bash">
# Generate your database password according to your machine password policy and save it in a secret file
eval "$(ucr --shell search machine/password/length machine/password/complexity)"
if [ -z "$machine_password_length" ]; then machine_password_length=20; fi
if [ -z "$machine_password_complexity" ]; then machine_password_complexity="scn"; fi
moodle_db_password="$(pwgen -1 -${machine_password_complexity} ${machine_password_length} | tee /etc/mysql-moodle.secret)"

# Create your moodle database and moodle database user
mysql -u root --password="$(cat /etc/mysql.secret)" -e \
"CREATE DATABASE moodle DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,CREATE TEMPORARY TABLES,DROP,INDEX,ALTER ON moodle.* TO 'moodle'@'localhost' IDENTIFIED BY '$moodle_db_password';"
</syntaxhighlight>

=== Install Moodle code ===

The next step is to download and extract Moodle. You can use the following script:
<syntaxhighlight lang="bash">
tmpdir=$(mktemp -d) # A temporary working directory

# Download Moodle and extract it
wget --show-progress -O "$tmpdir/moodle-3.5.1.tgz" https://download.moodle.org/download.php/direct/stable35/moodle-3.5.1.tgz
tar -xvzf "$tmpdir/moodle-3.5.1.tgz" -C /var/www/

# Set the correct folder and file permissions (This might take a few seconds)
chown -R root:root /var/www/moodle
find /var/www/moodle/ -type f -exec chmod 644 {} \;
find /var/www/moodle/ -type d -exec chmod 755 {} \;

# Create Moodle's data directory
mkdir /var/moodledata
chmod 0777 /var/moodledata

# Remove the temporary working directory again
rm -R "$tmpdir"
</syntaxhighlight>

Now the Moodle service can be reached by opening the web page in a web browser:
<pre>
http://<server>/moodle
</pre>

You can either install Moodle using the web configuration or by using the following script: <br>
(Note: Don't forget to set the variables at the top of the script first. You will be able to confirm all given values once more during installation.)
<syntaxhighlight lang="bash">
# Please set the basic data of your moodle and admin here
moodle_name_full="<YOUR_SITE_NAME>"
moodle_name_short="<YOUR_SITE_NAME_SHORT>"
moodle_summary="<YOUR_FRONT_PAGE_SUMMARY>"
admin_username="Admin"
admin_password="<YOUR_ADMIN_PASSWORD>"
admin_email="<YOUR_ADMIN_MAIL_ADDRESS>"

# Install Moodle
php /var/www/moodle/admin/cli/install.php \
 --chmod=0777 \
 --lang="en" \
 --wwwroot="http://$(hostname -f)/moodle" \
 --dataroot="/var/moodledata" \
 --dbtype="mariadb" \
 --dbhost="localhost" \
 --dbsocket=1 \
 --dbname="moodle" \
 --dbuser="moodle" \
 --dbpass="$(cat /etc/mysql-moodle.secret)" \
 --fullname="$moodle_name_full" \
 --shortname="$moodle_name_short" \
 --summary="$moodle_summary" \
 --adminuser="$admin_username" \
 --adminpass="$admin_password" \
 --adminemail="$admin_email"
</syntaxhighlight>

Note that the generated config file will most likely have the wrong file permissions assigned. Use the following command if the Moodle web page returns an HTTP 500 error code:
<syntaxhighlight lang="bash">
chmod 644 /var/www/moodle/config.php
</syntaxhighlight>
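The database password written by the script above ends up in two files, ''/etc/mysql-moodle.secret'' and the generated ''config.php''. `tee` creates the secret file with whatever umask the shell has, and root's usual umask of 022 leaves it mode 644, readable by every local account, including the www-data user that runs Moodle's PHP code. The following added example (not part of the article) shows how to create the secret file so that only root can read it and how to check a file's mode afterwards; the `/dev/urandom` generator only stands in for `pwgen` so that the example runs where `pwgen` is not installed, and it assumes GNU coreutils (`stat -c`).

```shell
#!/bin/sh
# Added example, not part of the article: store the generated Moodle database password
# so that only root can read it. The article's `pwgen ... | tee /etc/mysql-moodle.secret`
# creates the file with the shell's umask; root's usual umask 022 leaves it mode 644,
# readable by every local account (and by PHP code running as www-data).
# Assumptions: GNU coreutils (stat -c); the /dev/urandom generator stands in for pwgen
# so the example also runs where pwgen is not installed; all paths below are temporary.

# gen_password LENGTH: LENGTH random alphanumeric characters
gen_password() {
    head -c 256 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | head -c "$1"
}

# write_secret FILE LENGTH: create FILE with mode 600 holding a fresh password and print it.
# The umask is changed in a subshell so the caller's umask is untouched; an existing file
# is removed first, because '>' would keep the old (possibly loose) mode.
write_secret() {
    secret=$(gen_password "$2")
    ( umask 077; rm -f "$1"; printf '%s\n' "$secret" > "$1" )
    printf '%s\n' "$secret"
}

# file_mode FILE: octal permission bits, e.g. 600
file_mode() { stat -c '%a' "$1"; }

# check_mode FILE EXPECTED: 0 when FILE is a regular file with exactly mode EXPECTED
check_mode() {
    [ -f "$1" ] && [ "$(file_mode "$1")" = "$2" ]
}

demo_dir=$(mktemp -d)
demo_pw=$(write_secret "$demo_dir/mysql-moodle.secret" 20)
echo "secret file: $demo_dir/mysql-moodle.secret (mode $(file_mode "$demo_dir/mysql-moodle.secret"), ${#demo_pw} characters)"
```

In the article's flow, `write_secret /etc/mysql-moodle.secret "$machine_password_length"` replaces the `pwgen | tee` line. `config.php` must stay readable by the web server, which is why the article sets it to 644; `chown root:www-data` together with `chmod 640` gives Apache the same access without the world-readable bit, and `check_mode /var/www/moodle/config.php 640` confirms it. Similarly, the dataroot only has to be writable by the web server user, so `chown www-data /var/moodledata` with a 0770 mode serves the purpose of the `chmod 0777` above without letting every local account write there.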
  
 
=== LDAP authentication ===

After the basic configuration is done, HTTPS should be activated in '''Site Administration''' -> '''Security''' -> '''HTTP security'''. Next, in '''Site Administration''' -> '''Plugins''' -> '''Authentication''' -> '''Manage authentication''' the option '''Email-based self-registration''' should be deactivated and '''LDAP server (pre installed Plugin)''' should be activated.

Next, a simple authentication account should be created using the UDM. This account can then be used for an authenticated bind. Follow the [https://wiki.univention.de/index.php/Cool_Solution_-_LDAP_search_user LDAP search user] Cool Solution to create one. To find the DN of the account, issue the following command on the command line:
<pre>
udm users/ldap list --filter username=<NAME_OF_THE_ACCOUNT> | grep DN
</pre>

Now the LDAP connection can be configured. You can either use the web browser under '''Site Administration''' -> '''Plugins''' -> '''Authentication''' -> '''Manage authentication''' -> '''LDAP Server''' -> '''Settings''' as described below, or use the following script:
<syntaxhighlight lang="bash">
# Please set the data of a simple authentication account here. Instructions on how to create one: https://wiki.univention.de/index.php/Cool_Solution_-_LDAP_search_user
ldap_search_user="uid=moodle-search,cn=users,<YOUR_LDAP_BASE>"
ldap_search_password="<YOUR_LDAP_SEARCH_PASSWORD>"
ldap_contexts="cn=users,<YOUR_LDAP_BASE>;cn=users,ou=<school>,<YOUR_LDAP_BASE>" # Separated with semicolons (';')

# Obtain global domain configuration data
eval "$(ucr --shell search domainname \
ldap/base \
ldap/server/name \
ldap/server/addition
)"

# Strip quotes left around the values and build the semicolon-separated LDAPS host list
ldap_server_name=$(echo "$ldap_server_name" | sed "s/'\|\"//g")
ldap_server_addition=$(echo "$ldap_server_addition" | sed "s/'\|\"//g")
ldap_hosts="ldaps://$ldap_server_name:7636"
if [ -n "$ldap_server_addition" ]; then
    for host in $ldap_server_addition; do
        ldap_hosts="$ldap_hosts;ldaps://$host:7636"
    done
fi

# Configure the LDAP Plugin
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="host_url" --set="$ldap_hosts"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="ldap_version" --set="3"

php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="bind_dn" --set="$ldap_search_user"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="bind_pw" --set="$ldap_search_password"

php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="contexts" --set="$ldap_contexts"

php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="search_sub" --set="1"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="user_attribute" --set="uid"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="removeuser" --set="2"

php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_lock_city" --set="locked"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_lock_country" --set="locked"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_lock_department" --set="locked"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_lock_description" --set="locked"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_lock_email" --set="locked"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_lock_firstname" --set="locked"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_lock_idnumber" --set="locked"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_lock_institution" --set="locked"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_lock_lastname" --set="locked"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_lock_phone1" --set="locked"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_lock_phone2" --set="locked"

php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_map_city" --set="l"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_map_country" --set="c"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_map_department" --set="departmentNumber"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_map_description" --set="description"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_map_email" --set="mailPrimaryAddress"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_map_firstname" --set="givenName"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_map_idnumber" --set="uidNumber"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_map_institution" --set="o"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_map_lastname" --set="sn"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_map_phone1" --set="telephoneNumber"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_map_phone2" --set="mobile"

php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updatelocal_city" --set="onlogin"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updatelocal_country" --set="onlogin"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updatelocal_department" --set="onlogin"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updatelocal_description" --set="onlogin"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updatelocal_email" --set="onlogin"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updatelocal_firstname" --set="onlogin"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updatelocal_idnumber" --set="onlogin"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updatelocal_institution" --set="onlogin"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updatelocal_lastname" --set="onlogin"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updatelocal_phone1" --set="onlogin"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updatelocal_phone2" --set="onlogin"

php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updateremote_city" --set="0"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updateremote_country" --set="0"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updateremote_department" --set="0"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updateremote_description" --set="0"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updateremote_email" --set="0"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updateremote_firstname" --set="0"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updateremote_idnumber" --set="0"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updateremote_institution" --set="0"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updateremote_lastname" --set="0"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updateremote_phone1" --set="0"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updateremote_phone2" --set="0"

php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="memberattribute" --set="memberof"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="memberattribute_isdn" --set="1"
</syntaxhighlight>

You should now be able to log in as any user below your configured ''ldap_contexts'' containers. Note that some attributes, like the email address, are mandatory for Moodle. Users without a valid email address inside UCS won't be able to leave their profile settings page, so you should make sure that all Moodle users have a valid email address.

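The host list the script above hands to ''host_url'' is the one setting worth verifying before it is written, because it decides whether the bind password and every user login travel over LDAPS (port 7636) or, as in the UCS 4.2 revision of this article, over plain LDAP on port 7389. The following added example (not part of the article's script) builds the list from the same two UCR values, ''ldap/server/name'' and ''ldap/server/addition'', and rejects any entry that is not `ldaps://<host>:7636`. The UCR values are constructed and the host names are placeholders.

```shell
#!/bin/sh
# Added example, not part of the article's script: build the auth_ldap host_url list from
# the UCR values the article reads (ldap/server/name, ldap/server/addition) and verify,
# before handing it to cfg.php, that every entry uses LDAPS on the UCS LDAPS port 7636
# and none has slipped back to plain LDAP on 7389 (the form the UCS 4.2 revision used).
# The UCR values below are constructed; the host names are placeholders.

# strip_quotes VALUE: drop the ' and " that `ucr --shell` may leave around a value
# (same purpose as the article's sed call, written without GNU-only regex syntax)
strip_quotes() { printf '%s' "$1" | tr -d "'\""; }

# build_ldap_hosts NAME "ADDITION ...": semicolon-separated ldaps:// URLs for the
# primary server and every additional server, the list form auth_ldap's host_url expects
build_ldap_hosts() {
    name=$(strip_quotes "$1")
    hosts="ldaps://$name:7636"
    for host in $(strip_quotes "$2"); do
        hosts="$hosts;ldaps://$host:7636"
    done
    printf '%s\n' "$hosts"
}

# validate_ldap_hosts LIST: 0 when LIST is non-empty and every entry is
# ldaps://<host>:7636 with a non-empty host; 1 (plus a message on stderr) otherwise
validate_ldap_hosts() {
    [ -n "$1" ] || { echo "empty host list" >&2; return 1; }
    old_ifs=$IFS
    IFS=';'
    set -- $1
    IFS=$old_ifs
    for entry in "$@"; do
        host=${entry#ldaps://}
        host=${host%:7636}
        case "$entry" in
            ldaps://*:7636) [ -n "$host" ] || { echo "empty host in $entry" >&2; return 1; } ;;
            *) echo "not LDAPS on port 7636: $entry" >&2; return 1 ;;
        esac
    done
    return 0
}

# Constructed values as `ucr --shell search ldap/server/name ldap/server/addition` would set them
ldap_server_name="'primary.school.example'"
ldap_server_addition="'backup1.school.example backup2.school.example'"

ldap_hosts=$(build_ldap_hosts "$ldap_server_name" "$ldap_server_addition")
if validate_ldap_hosts "$ldap_hosts"; then
    echo "host_url would be set to: $ldap_hosts"
fi
```

In the article's script, guard the first `cfg.php` call with `validate_ldap_hosts "$ldap_hosts" || exit 1`; with the web-browser configuration, the same check applies to the value typed into the '''Host URL''' field.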
==== Alternative: LDAP configuration using the web browser ====

Change the following values under the web page '''Site Administration''' -> '''Plugins''' -> '''Authentication''' -> '''Manage authentication''' -> '''LDAP Server''' -> '''Settings''' to successfully configure the LDAP plugin:

{|class="wikitable"
!Key
!Value
|-
!colspan="2"| LDAP server settings
|-
| Host URL
| ldaps://<school server's FQDN>:7636
|-
| Version
| 3
|-
!colspan="2"| Bind settings
|-
| Distinguished Name
| <DN of the authentication account>
|-
| Password
| <Password of the authentication account>
|-
!colspan="2"| User lookup settings
|-
| Contexts
| cn=users,<YOUR_LDAP_BASE>;cn=users,ou=<school>,<YOUR_LDAP_BASE>
|-
| Search subcontexts
| Yes
|-
| User Attribute
| uid
|-
| Member Attribute
| memberof
|-
| Member attribute uses dn
| 1
|-
!colspan="2"| User account synchronisation
|-
| Removed ext user
| Full delete internal
|-
!colspan="2"| Data mapping (for all entries)
|-
| Update local
| On Every Login
|-
| Update external
| Never
|-
| Lock value
| Locked
|-
!colspan="2"| Data mapping attributes
|-
| First name
| givenName
|-
| Surname
| sn
|-
| Email address
| mailPrimaryAddress
|-
| City/town
| l
|-
| Country
| c
|-
| Description
| description
|-
| ID number
| uidNumber
|-
| Institution
| o
|-
| Department
| departmentNumber
|-
| Phone
| telephoneNumber
|-
| Mobile phone
| mobile
|}

You should now be able to log in as any user below your configured ''Contexts'' containers. Note that some attributes, like the email address, are mandatory for Moodle. Users without a valid email address inside UCS won't be able to leave their profile settings page, so you should make sure that all Moodle users have a valid email address.

==== Cronjob for deleting users ====

In order for Moodle to remove users from its database that are deleted in the LDAP, a cronjob must be defined in the UDM.
<syntaxhighlight lang="bash">
ucr set \
cron/moodle/command='wget -q -O /dev/null http://localhost/moodle/admin/cron.php' \
cron/moodle/time='*/10 * * * *'
</syntaxhighlight>

== Restrictions ==

#'''Class mapping''': This article does not handle mappings between UCS@school classes and Moodle groups. If you need assistance to create the respective mapping or would like to have the setup packaged, feel free to contact Univention for an offer to create either.

* Moodle - https://moodle.org/
* Moodle LDAP - https://docs.moodle.org/35/en/LDAP_authentication
* Moodle LDAP Enrolment - https://docs.moodle.org/35/en/LDAP_enrolment
* Moodle 3.5 Documentation - https://docs.moodle.org/35/en/New_features

== Further links ==

* Moodle Installation - https://docs.moodle.org/28/en/Installing_Moodle_on_Debian_based_distributions

== Archive ==

* There is a version of this article for [https://wiki.univention.de/index.php?title=Cool_Solution_-_Install_Moodle_and_setup_ldap_authentication&oldid=13479 UCS 4.2].

[[Category:EN]]

Revision as of 10:01, 28 August 2018

Produktlogo UCS Version 4.3
Produktlogo UCS@School Version 4.3

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the shown steps in the article are covered by Univention Support. For questions about your support coverage contact your contact person at Univention before you want to implement one of the shown steps.

Also regard the legal notes at Terms of Service.
Note: This article is not yet reviewed.


This article introduces you to the usage of Moodle. It covers the installation on a dedicated school server, as well as the users authentication with the LDAP. If further integration packages are needed, like loading classes from the LDAP or using the Microsoft Windows authentication for already logged in users, feel free to contact Univention for assistance.

Prepare UCS

It's important that every user, that should use Moodle, must have an e-mail address. If currently no user has an e-mail address, install the Mailserver component from the App center to manage an e-mail domain and assign e-mail addresses to users.

Prerequisites

This section will cover the preparation and installation of Moodle on the system. Please make sure that every command is executed as root user.

To install necessary packages, execute the following command:

univention-install univention-mysql libapache2-mod-php php php-common php-json php-xml php-cli php-curl php-readline php-mbstring php-intl php-mysql php-ldap php-xmlrpc php-soap php-zip php-gd

To use Moodle effectively, it is recommended to raise the maximum size for uploads, e. g. 20 MB, to provide small programs to students. The changes must be done in the /etc/php/7.0/apache2/php.ini file:

post_max_size = 20M
upload_max_filesize = 20M

For the changes to take effect, the Apache webserver must be reloaded:

systemctl reload apache2.service

Moodle furthermore needs three MySQL global variables set to provide full UTF-8 support. (Read more here for details) You can easily set the variables innodb_file_format, innodb_file_per_table and innodb_large_prefix by using the following UCR command and afterwards restarting the MySQL Service:

ucr set \
 mysql/config/mysqld/innodb_file_format="Barracuda" \
 mysql/config/mysqld/innodb_file_per_table=1 \
 mysql/config/mysqld/innodb_large_prefix=1

systemctl restart mysqld.service

Installing Moodle

This section handles the basic configuration and LDAP connection for Moodle and how to delete users in Moodle that are not in the LDAP anymore.

Create a database

Hint: It is recommended to create a Moodle user with appropriate privileges on the Moodle database.

Use the following commands to setup a MySQL User and Database with UTF8 default encoding. The Moodle MySQL User password will be saved in file /etc/mysql-moodle.secret and used later during the install.

# Generate your database password according to your machine password policy and save it in a secret file
eval "$(ucr --shell search machine/password/length machine/password/complexity)"
if [ -z "$machine_password_length" ]; then machine_password_length=20; fi
if [ -z "$machine_password_complexity" ]; then machine_password_complexity="scn"; fi
moodle_db_password="$(pwgen -1 -${machine_password_complexity} ${machine_password_length} | tee /etc/mysql-moodle.secret)"

# Create your moodle database and moodle database user
mysql -u root --password=$(cat /etc/mysql.secret) -e \
"CREATE DATABASE moodle DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; 
GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,CREATE TEMPORARY TABLES,DROP,INDEX,ALTER ON moodle.* TO 'moodle'@'localhost' IDENTIFIED BY '$moodle_db_password';"

Install Moodle code

The next step is, to download and extract Moodle. You can use the following script:

tmpdir=$(mktemp -d) # A temporary working directory

# Download Moodle and extract it
wget --show-progress -O $tmpdir/moodle-3.5.1.tgz https://download.moodle.org/download.php/direct/stable35/moodle-3.5.1.tgz
tar -xvzf $tmpdir/moodle-3.5.1.tgz -C /var/www/

# Set the correct folder and file permissions (This might take a few seconds)
chown -R root:root /var/www/moodle
find /var/www/moodle/ -type f -exec chmod 644 {} \;
find /var/www/moodle/ -type d -exec chmod 755 {} \;

# Create Moodle's data directory
mkdir /var/moodledata
chmod 0777 /var/moodledata

# Remove the temporary working directory again
rm -R $tmpdir


Now the Moodle service can be reached by opening the web page in a webbrowser:

http://<server>/moodle

You can either install Moodle using the web configuration or by using the following script:
(Note: Don't forget to set the variables on the script top first. You will be able to confirm all given values once more during installation)

# Please set the basic data of your moodle and admin here
moodle_name_full="<YOUR_SITE_NAME>"
moodle_name_short="<YOUR_SITE_NAME_SHORT>"
moodle_summary="<YOUR_FRONT_PAGE_SUMMARY>"
admin_username="Admin"
admin_password="<YOUR_ADMIN_PASSWORD>"
admin_email="<YOUR_ADMIN_MAIL_ADDRESS>"

# Install Moodle
php /var/www/moodle/admin/cli/install.php \
 --chmod=0777 \
 --lang="en" \
 --wwwroot="http://$(hostname -f)/moodle" \
 --dataroot="/var/moodledata" \
 --dbtype="mariadb" \
 --dbhost="localhost" \
 --dbsocket=1 \
 --dbname="moodle" \
 --dbuser="moodle" \
 --dbpass="$(cat /etc/mysql-moodle.secret)" \
 --fullname="$moodle_name_full" \
 --shortname="$moodle_name_short" \
 --summary="$moodle_summary" \
 --adminuser="$admin_username" \
 --adminpass="$admin_password" \
 --adminemail="$admin_email"

Note that the generated Config-File will most likely have the wrong file permissions assigned. Use the following command, if the Moodle web page returns a HTTP 500 error code:

chmod 644 /var/www/moodle/config.php

LDAP authentification

After the basic configuration is done, https should be activated in Site Administration -> Security -> HTTP security. Next, in Site Administration -> Plugins -> Authentication -> Manage authentication the option Email-based self-registration should be deactivated and LDAP server (pre installed Plugin) should be activated.

Next, a simple authentication account should be created using the UDM. This account can then be used for an authenticated bind. Follow the LDAP search user Cool Solution to create one. To find the DN of the account issue the following command on the command line:

udm users/ldap list --filter username=<NAME_OF_THE_ACCOUNT> | grep DN

Now the LDAP connection can be configured. You can either use the webbrowser under Site Administration -> Plugins -> Authentication -> Manage authentication -> LDAP Server -> Settings as described below, or use the following script:

# Please set the data of an simple authentication account here. Instructions how one is created can be found here: https://wiki.univention.de/index.php/Cool_Solution_-_LDAP_search_user
ldap_search_user="uid=moodle-search,cn=users,<YOUR_LDAP_BASE>"
ldap_search_password="<YOUR_LDAP_SEARCH_PASSWORD>"
ldap_contexts="cn=users,<YOUR_LDAP_BASE>;cn=users,ou=<school>,<YOUR_LDAP_BASE>" # Separated with semicolons (';')

# Obtain global domain configuration data
eval "$(ucr --shell search domainname \
ldap/base \
ldap/server/name \
ldap/server/addition
)"

# eval above already removed the shell quoting from the UCR values.
# Moodle's host_url accepts several servers separated by ';' and fails over
# between them: the local LDAP server first, then the additional ones.
ldap_hosts="ldaps://$ldap_server_name:7636"
for host in $ldap_server_addition; do
    ldap_hosts="$ldap_hosts;ldaps://$host:7636"
done

# Configure the LDAP Plugin
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="host_url" --set="$ldap_hosts"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="ldap_version" --set="3"

php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="bind_dn" --set="$ldap_search_user"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="bind_pw" --set="$ldap_search_password"

php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="contexts" --set="$ldap_contexts"

php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="search_sub" --set="1"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="user_attribute" --set="uid"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="removeuser" --set="2"

php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_lock_city" --set="locked"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_lock_country" --set="locked"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_lock_department" --set="locked"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_lock_description" --set="locked"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_lock_email" --set="locked"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_lock_firstname" --set="locked"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_lock_idnumber" --set="locked"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_lock_institution" --set="locked"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_lock_lastname" --set="locked"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_lock_phone1" --set="locked"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_lock_phone2" --set="locked"

php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_map_city" --set="l"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_map_country" --set="c"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_map_department" --set="departmentNumber"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_map_description" --set="description"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_map_email" --set="mailPrimaryAddress"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_map_firstname" --set="givenName"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_map_idnumber" --set="uidNumber"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_map_institution" --set="o"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_map_lastname" --set="sn"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_map_phone1" --set="telephoneNumber"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_map_phone2" --set="mobile"

php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updatelocal_city" --set="onlogin"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updatelocal_country" --set="onlogin"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updatelocal_department" --set="onlogin"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updatelocal_description" --set="onlogin"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updatelocal_email" --set="onlogin"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updatelocal_firstname" --set="onlogin"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updatelocal_idnumber" --set="onlogin"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updatelocal_institution" --set="onlogin"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updatelocal_lastname" --set="onlogin"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updatelocal_phone1" --set="onlogin"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updatelocal_phone2" --set="onlogin"

php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updateremote_city" --set="0"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updateremote_country" --set="0"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updateremote_department" --set="0"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updateremote_description" --set="0"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updateremote_email" --set="0"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updateremote_firstname" --set="0"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updateremote_idnumber" --set="0"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updateremote_institution" --set="0"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updateremote_lastname" --set="0"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updateremote_phone1" --set="0"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updateremote_phone2" --set="0"

php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="memberattribute" --set="memberof"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="memberattribute_isdn" --set="1"

You should now be able to log in as any user below the containers set in ldap_contexts. Note that some attributes, such as the e-mail address, are mandatory for Moodle: users without a valid e-mail address in UCS cannot leave their profile settings page, so make sure that every Moodle user has one. Also note that removeuser is set to 2 (full delete): users that the synchronisation no longer finds below the configured contexts, for example because a context was mistyped or the search account's password changed, are deleted from Moodle together with their data. Test the bind and the contexts before you enable the synchronisation cron job.
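The following pre-flight check is an added example for this article and not part of the original Cool Solution. It binds with the search account over LDAPS on port 7636 against every host the configuration script puts into host_url, for each configured context, and then lists the users below those contexts that lack mailPrimaryAddress, i.e. the users who would get stuck on Moodle's profile page. It assumes (none of this is from the article) that ldap-utils is installed, that the search user is named moodle-search, that its password is stored in /etc/moodle-ldap.secret with mode 0600, and that <school> is replaced with the school OU as in the script above.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight check of the
# Moodle auth_ldap settings. Run as root on the school server:
#   sh moodle-ldap-check.sh check
# Assumptions: ldap-utils (ldapsearch) is installed, the search user is
# uid=moodle-search, its password is in /etc/moodle-ldap.secret (mode 0600),
# and the UCS CA is trusted by the system's LDAP client configuration.

# Bind over LDAPS (port 7636, as in host_url) and read the context's own
# entry. Returns ldapsearch's exit status; 0 means bind and search worked.
# The password is passed via -y (file) so it never shows up in `ps`.
check_bind() {
    host=$1; bind_dn=$2; pw_file=$3; context=$4
    ldapsearch -LLL -x -H "ldaps://$host:7636" -D "$bind_dn" -y "$pw_file" \
        -b "$context" -s base '(objectClass=*)' 1.1 >/dev/null
}

# Read LDIF on stdin and print the uid of every entry that has no
# mailPrimaryAddress. ldapsearch folds long values onto continuation lines
# that start with a space; these are unwrapped before matching. A base64
# encoded value ("mailPrimaryAddress::") still counts as present.
users_without_mail() {
    awk '
        BEGIN { RS = ""; FS = "\n" }          # one LDIF entry per record
        {
            uid = ""; mail = 0
            for (i = 1; i <= NF; i++) {
                line = $i
                while (i < NF && substr($(i + 1), 1, 1) == " ") {
                    i++; line = line substr($i, 2)
                }
                if (line ~ /^uid: /) uid = substr(line, 6)
                if (line ~ /^mailPrimaryAddress::? /) mail = 1
            }
            if (uid != "" && !mail) print uid
        }'
}

main() {
    base=$(ucr get ldap/base)
    bind_dn="uid=moodle-search,cn=users,$base"   # assumed name of the search user
    pw_file=/etc/moodle-ldap.secret              # assumed location of its password
    # Same host list the configuration script puts into host_url.
    hosts="$(ucr get ldap/server/name) $(ucr get ldap/server/addition)"
    ctx1="cn=users,$base"
    ctx2="cn=users,ou=<school>,$base"            # replace <school> as in the script above
    rc=0
    for host in $hosts; do
        for ctx in "$ctx1" "$ctx2"; do
            if check_bind "$host" "$bind_dn" "$pw_file" "$ctx"; then
                echo "OK   $host $ctx"
            else
                echo "FAIL $host $ctx" >&2
                rc=1
            fi
        done
    done
    # Subtree search (search_sub=1) on the primary host for users without
    # the mandatory e-mail attribute.
    primary=${hosts%% *}
    for ctx in "$ctx1" "$ctx2"; do
        ldapsearch -LLL -x -H "ldaps://$primary:7636" -D "$bind_dn" -y "$pw_file" \
            -b "$ctx" -s sub '(uid=*)' uid mailPrimaryAddress \
            | users_without_mail | sed 's/^/no mailPrimaryAddress: /'
    done
    return $rc
}

case "${1:-}" in
    check) main ;;
    *) echo "usage: $0 check   (run as root on the UCS school server)" ;;
esac
```

A FAIL line for one of the additional hosts is worth fixing even if the primary works: Moodle only switches to that host when the primary is down, so a certificate or firewall problem there stays hidden until the day it matters.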

Alternative: LDAP configuration using the web browser

Change the following values under the web page Site Administration -> Plugins -> Authentication -> Manage authentication -> LDAP Server -> Settings to successfully configure the LDAP plugin:

Key                           Value

LDAP server settings
  Host URL                    ldaps://<school server's FQDN>:7636
  Version                     3

Bind settings
  Distinguished Name          <DN of the authentication account>
  Password                    <Password of the authentication account>

User lookup settings
  Contexts                    cn=users,<YOUR_LDAP_BASE>;cn=users,ou=<school>,<YOUR_LDAP_BASE>
  Search subcontexts          Yes
  User Attribute              uid
  Member Attribute            memberof
  Member attribute uses dn    Yes

User account synchronisation
  Removed ext user            Full delete internal

Data mapping (for all entries)
  Update local                On Every Login
  Update external             Never
  Lock value                  Locked

Data mapping attributes
  First name                  givenName
  Surname                     sn
  Email address               mailPrimaryAddress
  City/town                   l
  Country                     c
  Description                 description
  ID number                   uidNumber
  Institution                 o
  Department                  departmentNumber
  Phone                       telephoneNumber
  Mobile phone                mobile

Hint: To obtain the LDAP base, execute the following command on the school server:

ucr get ldap/base

Hint: To obtain the system's FQDN, execute the following command on the relevant system:

hostname -f

As with the script-based configuration, you should now be able to log in as any user below the containers listed in Contexts. The same requirement applies: users without a valid e-mail address in UCS cannot leave their profile settings page, so make sure that every Moodle user has one.

Cronjob for deleting users

Moodle's cron runs the LDAP user synchronisation, which (with "Removed ext user" set to "Full delete internal") removes users from the Moodle database that were deleted in the LDAP. On UCS the cron job is defined through UCR variables, not in UDM. Since Moodle 2.9 the web cron (admin/cron.php) is disabled by default ("Cron execution via command line only", cronclionly), so run the CLI cron instead, as the web server user so that files created under /var/moodledata stay owned by www-data:

ucr set \
cron/moodle/command='php /var/www/moodle/admin/cli/cron.php >/dev/null' \
cron/moodle/user='www-data' \
cron/moodle/time='*/10 * * * *'

If you prefer the web-based call (cron/moodle/command='wget -q -O /dev/null http://localhost/moodle/admin/cron.php'), first set cronclionly to 0 under Site Administration -> Security; otherwise the request is rejected and no users are ever synchronised.

Restrictions

  1. Class mapping: This article does not handle mappings between UCS@School classes and Moodle groups. If you need assistance to create the respective mapping or would like to have the setup packaged, feel free to contact Univention for an offer to create either.

Archive

  • There is a version of this article for UCS 4.2.