Cool Solution - Install Moodle

From Univention Wiki

Revision as of 11:38, 28 August 2018 by Hpeter
UCS Version 4.3
UCS@School Version 4.3

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the steps shown in the article are covered by Univention Support. If you have questions about your support coverage, contact your contact person at Univention before implementing any of the steps shown.

Also note the legal notes in the Terms of Service.
Note: This article is not yet reviewed.


This article introduces the use of Moodle. It covers the installation on a dedicated school server as well as user authentication against LDAP. If further integration packages are needed, such as loading classes from LDAP or using Microsoft Windows authentication for users who are already logged in, feel free to contact Univention for assistance.

Prepare UCS

Every user who is supposed to use Moodle must have an e-mail address. If no user currently has an e-mail address, install the Mailserver component from the App Center to manage an e-mail domain and assign e-mail addresses to users.

Prerequisites

This section covers the preparation and installation of Moodle on the system. Please make sure that every command is executed as the root user.

To install necessary packages, execute the following command:

univention-install univention-mysql libapache2-mod-php php php-common php-json php-xml php-cli php-curl php-readline php-mbstring php-intl php-mysql php-ldap php-xmlrpc php-soap php-zip php-gd

To use Moodle effectively, it is recommended to raise the maximum upload size, e.g. to 20 MB, so that small programs can be provided to students. The change must be made in the /etc/php/7.0/apache2/php.ini file:

post_max_size = 20M
upload_max_filesize = 20M

For the changes to take effect, the Apache webserver must be reloaded:

systemctl reload apache2.service

Moodle also needs three MySQL global variables to be set in order to provide full UTF-8 support. (Read more here for details.) You can set the variables innodb_file_format, innodb_file_per_table and innodb_large_prefix with the following UCR command and then restart the MySQL service:

ucr set \
 mysql/config/mysqld/innodb_file_format="Barracuda" \
 mysql/config/mysqld/innodb_file_per_table=1 \
 mysql/config/mysqld/innodb_large_prefix=1

systemctl restart mysqld.service

Installing Moodle

This section handles the basic configuration and LDAP connection for Moodle and how to delete users in Moodle that are not in the LDAP anymore.

Create a database

Hint: It is recommended to create a Moodle user with appropriate privileges on the Moodle database.

Use the following commands to set up a MySQL user and database with UTF-8 default encoding. The password of the Moodle MySQL user is saved in the file /etc/mysql-moodle.secret and used later during the installation.

# Generate your database password according to your machine password policy and save it in a secret file
eval "$(ucr --shell search machine/password/length machine/password/complexity)"
if [ -z "$machine_password_length" ]; then machine_password_length=20; fi
if [ -z "$machine_password_complexity" ]; then machine_password_complexity="scn"; fi
# Create the secret file readable by root only before the password is written to it
touch /etc/mysql-moodle.secret
chmod 600 /etc/mysql-moodle.secret
moodle_db_password="$(pwgen -1 "-${machine_password_complexity}" "${machine_password_length}" | tee /etc/mysql-moodle.secret)"

# Create your moodle database and moodle database user
mysql -u root --password="$(cat /etc/mysql.secret)" -e \
"CREATE DATABASE moodle DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,CREATE TEMPORARY TABLES,DROP,INDEX,ALTER ON moodle.* TO 'moodle'@'localhost' IDENTIFIED BY '$moodle_db_password';"

Install Moodle code

The next step is to download and extract Moodle. You can use the following script:

tmpdir=$(mktemp -d) # A temporary working directory

# Download Moodle and extract it
wget --show-progress -O "$tmpdir/moodle-3.5.1.tgz" https://download.moodle.org/download.php/direct/stable35/moodle-3.5.1.tgz
tar -xvzf "$tmpdir/moodle-3.5.1.tgz" -C /var/www/

# Set the correct folder and file permissions (This might take a few seconds)
chown -R root:root /var/www/moodle
find /var/www/moodle/ -type f -exec chmod 644 {} \;
find /var/www/moodle/ -type d -exec chmod 755 {} \;

# Create Moodle's data directory
mkdir /var/moodledata
chmod 0777 /var/moodledata

# Remove the temporary working directory again
rm -R "$tmpdir"
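
The script above unpacks the download as root into /var/www/ without inspecting it. The following added example (not part of the original article) checks the tarball first; the expected SHA-256 digest is an assumption that you obtain out of band, and the function name is hypothetical.

```shell
# Added example, not from the original article: check the downloaded
# Moodle tarball before it is unpacked as root into /var/www/.

verify_moodle_tarball() {
    local tarball="$1" expected="$2" actual members outside dotdot

    # 1. The file must match the SHA-256 digest the caller trusts.
    actual=$(sha256sum "$tarball" 2>/dev/null | cut -d' ' -f1)
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $tarball (got: ${actual:-none})" >&2
        return 1
    fi

    # 2. The archive must be readable as a gzip-compressed tar file.
    members=$(tar -tzf "$tarball" 2>/dev/null) || return 2

    # 3. Every member must stay below moodle/, the directory the article
    #    expects in /var/www/: no absolute paths, no other top-level names.
    outside=$(printf '%s\n' "$members" | grep -Ev '^moodle(/|$)' || true)
    if [ -n "$outside" ]; then
        echo "archive contains members outside moodle/" >&2
        return 3
    fi

    # 4. No member may climb out of the target with a ".." component.
    dotdot=$(printf '%s\n' "$members" | grep -E '(^|/)\.\.(/|$)' || true)
    if [ -n "$dotdot" ]; then
        echo "archive contains '..' path components" >&2
        return 3
    fi
    return 0
}

# Usage inside the script above, before the tar -xvzf line
# (<EXPECTED_SHA256> is a placeholder):
#   verify_moodle_tarball "$tmpdir/moodle-3.5.1.tgz" "<EXPECTED_SHA256>" || exit 1
```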


Now the Moodle service can be reached by opening the following web page in a web browser:

https://<server>/moodle

You can install Moodle either through the web configuration or with the following script:
(Note: Don't forget to set the variables at the top of the script first. You will be able to confirm all given values once more during the installation.)

# Please set the basic data of your moodle and admin here
moodle_name_full="<YOUR_SITE_NAME>"
moodle_name_short="<YOUR_SITE_NAME_SHORT>"
moodle_summary="<YOUR_FRONT_PAGE_SUMMARY>"
admin_username="Admin"
admin_password="<YOUR_ADMIN_PASSWORD>"
admin_email="<YOUR_ADMIN_MAIL_ADDRESS>"

# Install Moodle
php /var/www/moodle/admin/cli/install.php \
 --chmod=0777 \
 --lang="en" \
 --wwwroot="https://$(hostname -f)/moodle" \
 --dataroot="/var/moodledata" \
 --dbtype="mariadb" \
 --dbhost="localhost" \
 --dbsocket=1 \
 --dbname="moodle" \
 --dbuser="moodle" \
 --dbpass="$(cat /etc/mysql-moodle.secret)" \
 --fullname="$moodle_name_full" \
 --shortname="$moodle_name_short" \
 --summary="$moodle_summary" \
 --adminuser="$admin_username" \
 --adminpass="$admin_password" \
 --adminemail="$admin_email"

Note that the generated config file will most likely have the wrong file permissions assigned. Use the following command if the Moodle web page returns an HTTP 500 error code:

chmod 644 /var/www/moodle/config.php
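
An added check, not part of the original article: config.php and /etc/mysql-moodle.secret hold the database password and /var/moodledata holds uploaded files, so this function reports any of them that other local accounts can read or write. The optional root prefix argument and the function name are hypothetical; GNU stat and find are assumed.

```shell
# Added example, not from the original article: audit the permissions of
# the paths this article creates. Call without an argument on the real
# system, or with a prefix to try it on a scratch tree.

audit_moodle_perms() {
    local root="${1:-}" rc=0 p mode writable

    # Credential files: the DB password must not be readable by "other".
    for p in /etc/mysql-moodle.secret /var/www/moodle/config.php; do
        [ -e "$root$p" ] || continue
        mode=$(stat -c '%a' "$root$p")
        if [ $(( 0$mode & 0004 )) -ne 0 ]; then
            echo "secret readable by other: $p (mode $mode)"
            rc=1
        fi
    done

    # Data directory: uploads and sessions must not be writable by "other".
    p=/var/moodledata
    if [ -d "$root$p" ]; then
        mode=$(stat -c '%a' "$root$p")
        if [ $(( 0$mode & 0002 )) -ne 0 ]; then
            echo "data directory writable by other: $p (mode $mode)"
            rc=1
        fi
    fi

    # Code tree: the article sets 644/755, so nothing in it should be
    # writable by group or other.
    p=/var/www/moodle
    if [ -d "$root$p" ]; then
        writable=$(find "$root$p" ! -type l -perm /022)
        if [ -n "$writable" ]; then
            echo "code writable by group/other below $p:"
            printf '%s\n' "$writable"
            rc=1
        fi
    fi
    return "$rc"
}
```

Assuming Apache runs as www-data, as on Debian-based systems such as UCS, one way to clear findings for config.php and /var/moodledata is group ownership by www-data with modes 640 and 770.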

LDAP authentication

After the basic configuration is done, HTTPS should be activated in Site Administration -> Security -> HTTP security. Next, in Site Administration -> Plugins -> Authentication -> Manage authentication, the option Email-based self-registration should be deactivated and LDAP server (a preinstalled plugin) should be activated.

Next, a simple authentication account should be created using the UDM. This account can then be used for an authenticated bind. Follow the LDAP search user Cool Solution to create one. To find the DN of the account, issue the following command on the command line:

udm users/ldap list --filter username=<NAME_OF_THE_ACCOUNT> | grep DN

Now the LDAP connection can be configured. You can either use the web browser under Site Administration -> Plugins -> Authentication -> Manage authentication -> LDAP Server -> Settings as described below, or use the following script:

# Please set the data of a simple authentication account here. Instructions on how to create one can be found here: https://wiki.univention.de/index.php/Cool_Solution_-_LDAP_search_user
ldap_search_user="uid=moodle-search,cn=users,<YOUR_LDAP_BASE>"
ldap_search_password="<YOUR_LDAP_SEARCH_PASSWORD>"
ldap_contexts="cn=users,<YOUR_LDAP_BASE>;cn=users,ou=<school>,<YOUR_LDAP_BASE>" # Separated with semicolons (';')

# Obtain global domain configuration data
eval "$(ucr --shell search domainname \
ldap/base \
ldap/server/name \
ldap/server/addition
)"

ldap_server_name=$(echo "$ldap_server_name" | sed "s/'\|\"//g")
ldap_server_addition=$(echo "$ldap_server_addition" | sed "s/'\|\"//g")
ldap_hosts="ldaps://$ldap_server_name:7636"
if [ -n "$ldap_server_addition" ]; then
    for host in $ldap_server_addition; do
        ldap_hosts="$ldap_hosts;ldaps://$host:7636"
    done
fi

# Configure the LDAP Plugin
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="host_url" --set="$ldap_hosts"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="ldap_version" --set="3"

php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="bind_dn" --set="$ldap_search_user"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="bind_pw" --set="$ldap_search_password"

php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="contexts" --set="$ldap_contexts"

php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="search_sub" --set="1"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="user_attribute" --set="uid"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="removeuser" --set="2"

php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_lock_city" --set="locked"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_lock_country" --set="locked"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_lock_department" --set="locked"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_lock_description" --set="locked"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_lock_email" --set="locked"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_lock_firstname" --set="locked"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_lock_idnumber" --set="locked"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_lock_institution" --set="locked"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_lock_lastname" --set="locked"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_lock_phone1" --set="locked"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_lock_phone2" --set="locked"

php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_map_city" --set="l"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_map_country" --set="c"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_map_department" --set="departmentNumber"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_map_description" --set="description"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_map_email" --set="mailPrimaryAddress"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_map_firstname" --set="givenName"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_map_idnumber" --set="uidNumber"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_map_institution" --set="o"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_map_lastname" --set="sn"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_map_phone1" --set="telephoneNumber"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_map_phone2" --set="mobile"

php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updatelocal_city" --set="onlogin"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updatelocal_country" --set="onlogin"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updatelocal_department" --set="onlogin"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updatelocal_description" --set="onlogin"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updatelocal_email" --set="onlogin"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updatelocal_firstname" --set="onlogin"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updatelocal_idnumber" --set="onlogin"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updatelocal_institution" --set="onlogin"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updatelocal_lastname" --set="onlogin"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updatelocal_phone1" --set="onlogin"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updatelocal_phone2" --set="onlogin"

php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updateremote_city" --set="0"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updateremote_country" --set="0"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updateremote_department" --set="0"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updateremote_description" --set="0"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updateremote_email" --set="0"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updateremote_firstname" --set="0"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updateremote_idnumber" --set="0"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updateremote_institution" --set="0"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updateremote_lastname" --set="0"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updateremote_phone1" --set="0"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="field_updateremote_phone2" --set="0"

php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="memberattribute" --set="memberof"
php /var/www/moodle/admin/cli/cfg.php --component="auth_ldap" --name="memberattribute_isdn" --set="1"

You should now be able to log in as any user below the containers set in ldap_contexts. Note that some attributes, such as Email address, are mandatory for Moodle. Users without a valid e-mail address in UCS will not be able to leave their profile settings page, so make sure that all Moodle users have a valid e-mail address.
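
Because accounts without mailPrimaryAddress get stuck on the profile page, it helps to find them before users log in. The following added example (not part of the original article) filters LDIF output for such accounts; the function names, the sample entries and the password file path are constructed or hypothetical.

```shell
# Added example, not from the original article. users_without_mail reads
# unwrapped LDIF on stdin and prints the uid of every entry that carries
# no mailPrimaryAddress value.

users_without_mail() {
    awk '
        function emit() { if (uid != "" && !mail) print uid; uid = ""; mail = 0 }
        /^uid: /                   { uid = substr($0, 6) }
        /^mailPrimaryAddress::? ./ { mail = 1 }   # plain or base64 value
        /^$/                       { emit() }     # blank line ends an entry
        END                        { emit() }     # last entry, no blank line
    '
}

# Constructed sample input (not real directory data).
sample_ldif() {
    cat <<'EOF'
dn: uid=anna,cn=users,ou=school1,dc=example,dc=org
uid: anna
mailPrimaryAddress: anna@example.org

dn: uid=bob,cn=users,ou=school1,dc=example,dc=org
uid: bob

dn: uid=carla,cn=users,dc=example,dc=org
uid: carla
mailPrimaryAddress:: Y2FybGFAZXhhbXBsZS5vcmc=

dn: uid=dave,cn=users,dc=example,dc=org
uid: dave
EOF
}

# Live use with the search account from this article, one run per context.
# The password file path is hypothetical; the file must not end in a newline.
#   ldapsearch -LLL -x -o ldif-wrap=no \
#     -H "ldaps://$(ucr get ldap/server/name):7636" \
#     -D "$ldap_search_user" -y /root/moodle-search.secret \
#     -b "cn=users,$(ucr get ldap/base)" '(uid=*)' uid mailPrimaryAddress \
#     | users_without_mail
```

A successful run also confirms that the LDAPS connection on port 7636 and the bind with the search account work before Moodle depends on them.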

Alternative: LDAP configuration using the web browser

Change the following values under the web page Site Administration -> Plugins -> Authentication -> Manage authentication -> LDAP Server -> Settings to successfully configure the LDAP plugin:

Key                          Value

LDAP server settings
  Host URL                   ldaps://<school server's FQDN>:7636
  Version                    3

Bind settings
  Distinguished Name         <DN of the authentication account>
  Password                   <Password of the authentication account>

User lookup settings
  Contexts                   cn=users,<YOUR_LDAP_BASE>;cn=users,ou=<school>,<YOUR_LDAP_BASE>
  Search subcontexts         Yes
  User Attribute             uid
  Member Attribute           memberof
  Member attribute uses dn   1

User account synchronisation
  Removed ext user           Full delete internal

Data mapping (for all entries)
  Update local               On Every Login
  Update external            Never
  Lock value                 Locked

Data mapping attributes
  First name                 givenName
  Surname                    sn
  Email address              mailPrimaryAddress
  City/town                  l
  Country                    c
  Description                description
  ID number                  uidNumber
  Institution                o
  Department                 departmentNumber
  Phone                      telephoneNumber
  Mobile phone               mobile

Hint: To obtain the LDAP base, execute the following command on the school server:

ucr get ldap/base

Hint: To obtain the system's FQDN, execute the following command on the relevant system:

hostname -f

You should now be able to log in as any user below the containers set in Contexts. Note that some attributes, such as Email address, are mandatory for Moodle. Users without a valid e-mail address in UCS will not be able to leave their profile settings page, so make sure that all Moodle users have a valid e-mail address.

Cronjob for deleting users

For Moodle to remove users from its database once they have been deleted from LDAP, a cron job must be defined in the UDM.

ucr set \
cron/moodle/command='php /var/www/moodle/admin/cli/cron.php' \
cron/moodle/time='*/10 * * * *'

Restrictions

  1. Class mapping: This article does not handle mappings between UCS@School classes and Moodle groups. If you need assistance to create the respective mapping or would like to have the setup packaged, feel free to contact Univention for an offer to create either.

Further links

Archive

  • There is a version of this article for UCS 4.2.