Install Moodle on NS7


Prerequisites:
– NS7
– webserver
– mysql (MariaDB)

Update the server

It’s a good habit to work with an up-to-date installation of your server. NS7 can be updated through software center. Make sure all updates are done.

Install NS7 modules

Install the webserver module
Install the mysql(mariadb) module

Install other prerequisites

Install php through the commandline:

    yum install php php-mysql
    yum install php-iconv php-mbstring php-curl php-openssl php-tokenizer php-soap php-ctype php-zip php-gd php-simplexml php-spl php-pcre php-dom php-xml php-intl php-json php-ldap php-pecl-apc php-xmlrpc

Create a mysql database and user for Moodle

The password for mariadb root account is stored in /var/lib/nethserver/secrets/mysql.

    cat /var/lib/nethserver/secrets/mysql

Copy the password.
Now open a mysql prompt:

    mysql -u root -p

Fill in the copied password and you will be in the MariaDB prompt:

    MariaDB [(none)]>

Remember, every command you give in the MariaDB prompt must end with a ;

    MariaDB [(none)]> create database moodle;
    MariaDB [(none)]> create user 'moodle'@'localhost' identified by 'chooseyourmoodlepassword';
    MariaDB [(none)]> grant all privileges on moodle.* to 'moodle'@'localhost';
    MariaDB [(none)]> flush privileges;
    MariaDB [(none)]> exit
    Bye

CD into the wwwroot of your server:

    cd /var/www/html

Download the latest version of Moodle:

    wget https://download.moodle.org/download.php/direct/stable31/moodle-latest-31.tgz

Extract the tarball:

    tar -xvf moodle-latest-31.tgz

Give rights to the moodle directory to www-data (apache):

    chown -R apache:apache /var/www/html/moodle
    chmod -R 755 /var/www/html/moodle

Create a data directory for Moodle under /var/www/ named ‘moodledata’, which will be used by Moodle.
Change permissions and ownership for that directory to the www-data (apache) user. Moodledata cannot be in the html directory, since it is not considered secure if that directory is externally accessible.

    cd /var/www/
    mkdir moodledata
    chmod -R 755 /var/www/moodledata
    chown -R apache:apache /var/www/moodledata

Restart httpd services:

    systemctl restart httpd

Configure Moodle for first time use

The installation process is over at this stage. Let’s configure the Moodle server: open a browser and type ip_address/moodle

Follow the instructions in the webinterface:

Choose the language for your install procedure
click Next

Check the paths. Change if necessary. These are the paths you created during first install.
Click Next

Choose the database driver. Go for the default (mysqli) driver.
Click Next

Fill in the database settings. These are the settings you used when creating the database and the database user. If you defined a custom Database port and/or Unix socket, fill those in. For a default NS7 server you can leave those empty.
Click Next

Accept the conditions to use Moodle. You agree Moodle is opensource software and you will act according to the GNU GPL3 license or newer.
Click Continue

Check if your moodle install meets all prerequisites
Click Continue

If all went well you see a long list of items in green with success
Scroll all the way down and click Next

You end up at the admin user profile page. Fill in the required fields:
– New Password
– First Name
– Surname
– Email address

Click update profile

Fill in what you want to show on the Moodle frontpage. Set the Location for your Moodle server.
Authentication will be covered later, since we want to use the account provider of our NS7 server.

Click Save Changes

Your Moodle install is finished. You are now at the Moodle Start Page and logged in as Admin.

At this point there is no account provider configured. I will add both OpenLDAP and Samba4 configurations later.
For more information on Moodle see the Moodle website

Finally, when both OpenLDAP and Samba4 accountproviders are integrated, I could use some help with making this an NS7 RPM package so it can be added to NethForge repository.

Configuring Samba4 AD authentication

To be able to authenticate users with their network credentials, we need an account provider to be installed, configured and provisioned.

Install the Samba4 AD account provider from Software center. The Samba4 AD package runs in a separate container. After you installed the module, you have to configure it:

  • Give the container an IP address on the same subnet as your green interface.
  • This IP address can not be used by another device (including your NS7 server!). Also it is advised to choose an IP address outside the DHCP scope of your DHCP server.
  • the green network must be bound to a bridged interface, so that the Linux Container can attach its virtual interface to it.

Change the administrator password.
Create a user to test the settings.

Now head back to the Moodle login page and log in as admin. When logged in, click the site administration link (on a default moodle install on the left of the screen)


Find and click “plugins”
Click Authentication
Click Manage Authentication

On the right you will see a lot of different authentication methods. By default only 2 are active: Manual accounts and No login.
Find LDAP Server and click the crossed eye icon to activate LDAP authentication
LDAP Server will become active. Now click Settings

LDAP Server settings:
Host URL: ldap://IPAddress of your Samba4 container
Version: 3
Use TLS: No
LDAP encoding: utf-8
Page Size: 250

Bind Settings
Don’t cache passwords: yes (you don’t want your administrator password to end up in the Moodle database)
Distinguished name: DN of your Administrator account in the Samba4 Tree. In a default NS7 install this is CN=Administrator,CN=Users,DC=yourdomain,DC=TLD

User lookup settings
User type: Active Directory
Contexts: DN of your users ou. cn=users,dc=yourdomain,dc=tld
Search subcontexts: yes
Dereference aliases: No
Suspended attribute: samaccountname
Object class: user

Force change password
Force change password: No (These are Samba4 accounts. Don’t change them in Moodle, rather change them through the NS7 options)
Use standard page for changing password: No (Moodle doesn’t take care of user accounts)
Password format: plain text

LDAP password expiration settings
Expiration: No
Expiration warning: stick to default, it is not enabled.
Grace Login: No

Course Creator:
Here you can define what users and/or groups are automatically enabled as course creators. This is depending how you give permissions to your users in Samba4 AD. For example if you want the staff group as Course creator, and you have staff as an ou in the Users ou:
Example of possible entries: cn=staff,ou=Users,DC=test,DC=lan

User account synchronisation
Removed ext user: Full delete internal
Synchronize local user suspension status: No

NTLM SSO
Enable: Yes
Subnet: 192.168.11.0/24 (subnet of your local LAN)
MS IE fastpath: Yes attempt NTLM other browsers
Authentication type: Kerberos
Remote username format: %domain%%username%

Data mapping
First Name: givenName
Surname: sn
Email address: userPrincipalName
the rest can be left blank.
Scroll down and click save changes.

Log out of the Admin user and log in with a Samba4 AD user

If you are logged in with a Samba4 AD account on your pc or laptop, you will be logged in authomagically. Otherwise, log in with your Samba4 AD credentials and you will end up in your Moodle home page.
Enjoy!

To do:

  • OpenLDAP authentication
  • Create RPM so it can be added to NethForge repository.

Note: Monday 28th of November Moodle 3.2 will be released. For now I think it is best to stick with the 3.1 version. As soon as Moodle 3.2 is proven stable enough we can consider upgrading the software.

11 Likes

Excellent my brother

That’s a huge howto! @syntaxerrormmm @apradoc @paspo @pfinardi take a look at this!
I’d like also to invite @areguera in this discussion, he can help you regarding a new module

I would like to receive some comments too. I am not sure if the settings I used are the most secure thinkable. They ended up as “it works”. But are not necessarily the best. Please suggest any other options.

Trying it out right away :wink:

2 Likes

So here’s my experience:

The guide is good, precise and quite smooth to follow… at least until I followed it (yeah, sorry, I’ve been made like that). I implemented the following additional experimentations:

  • Moodle site is not a folder within the main website but it is a separate vhost (in my case, moodle.sys42.eu);
  • I had already set up OpenLDAP as backend, so no SAMBA 4.

Regarding the guide:

  • If you have installed “Web server” and “MariaDB (MySQL) server”, you may only need the following packages to be added by hand:

    yum -y install php-pecl-apcu php-soap php-xmlrpc

    Additional check may not be a bad idea, though, and they surely need to be implemented in rpms, IMHO.

  • Default folder permissions: they may be correct during setup phase, but once you have it installed, I would reset them for security reason with the following:

    chown -R root:root /var/www/html/moodle
    find /var/www/html/moodle -type d -exec chmod 0755 {} \;
    find /var/www/html/moodle -type f -exec chmod 0644 {} \;
    chown -R apache:apache /var/www/moodledata

  • Guide misses creation of config.php file if you don’t have permissions to write to the main moodle folder. The wizard should output a pre-formatted text with the configuration for Moodle. You simply have to copy and paste it in a file named config.php right in the root folder of Moodle (in case of @robb howto, full path would be /var/www/html/moodle/config.php). Please remember to set it read-only for ‘other’ group (e.g. chmod 0644 /var/www/html/moodle/config.php) and assign it correct owner/group (I support root/root);

  • I have changed moodledata folder to /var/lib/moodledata. YMMV, but indications from @robb are correct in any case (separating moodledata is a security-driven choice and it is good);

  • Configured LDAP integration as follows:



Left all other settings as indicated by @robb or default (blank, most of the times). Bind dn/password can be found inside NS7 WebGUI within Status > Domain accounts.

Pros:

  • Logins work;
  • Course creator membership also works (the docentimoodle group you may see right above)

Cons:

  • Cannot correctly configure other user data (First Name, Surname): fields are lacking on user creation interface;
  • Would love to use Let’sEncrypt SSL certificate within vhost, but a specific certificate cannot be associated: only “default” or self-signed certificate are available from the dropdown menu inside vhost configuration. Tried also to add the certificate afterwards without success.

So cheers for the great howto :wink: Maybe in the future I would provide one for Chamilo…

5 Likes
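The permission advice in the reply above (code tree not owned by apache, 0755/0644 modes, config.php at 0644, moodledata outside the web root) can be checked after installation with a small audit script. This is an added example, not code from the thread; `audit_moodle` and its arguments are hypothetical, and it assumes GNU find, stat and readlink as shipped on CentOS 7.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). audit_moodle is a hypothetical helper.
# Arguments:
#   $1 Moodle code dir   $2 moodledata dir   $3 web docroot   $4 web server user
# Findings go to stderr; the number of failed checks is printed on stdout.
audit_moodle() {
    local code=$1 data=$2 docroot=$3 web_user=$4
    local findings=0 n mode real_data real_root

    # 1. Code owned by the web server account can be modified by the web
    #    application itself; the reply suggests root:root instead.
    n=$(find "$code" -user "$web_user" | wc -l)
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n path(s) under $code owned by $web_user" >&2
        findings=$((findings + 1))
    fi

    # 2. Nothing in the code tree should be group- or world-writable
    #    (0755 dirs and 0644 files pass; symlink modes are ignored).
    n=$(find "$code" ! -type l -perm /022 | wc -l)
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n path(s) under $code are group/world-writable" >&2
        findings=$((findings + 1))
    fi

    # 3. config.php holds the database password; the reply suggests 0644.
    if [ -f "$code/config.php" ]; then
        mode=$(stat -c %a "$code/config.php")
        if [ "$mode" != 644 ]; then
            echo "FAIL: config.php mode is $mode, expected 644" >&2
            findings=$((findings + 1))
        fi
    fi

    # 4. moodledata must resolve to a path outside the served docroot.
    real_data=$(readlink -f "$data")
    real_root=$(readlink -f "$docroot")
    case "$real_data/" in
        "$real_root"/*)
            echo "FAIL: $real_data is inside docroot $real_root" >&2
            findings=$((findings + 1)) ;;
    esac

    echo "$findings"
}
```

With the paths used in this howto, the call would be `audit_moodle /var/www/html/moodle /var/www/moodledata /var/www/html apache`, run as root; a result of 0 means all four checks passed.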

Not in the future! I want it right now!! :smile:
Thanks for your proofreading Emiliano, @robb

1 Like

Hi,

Is there any chance to create a repository to host all this effort? For example: https://github.com/NethServer/nethserver-moodle

Note that the moodle package itself would be installed from epel repository and produced by epel guys not us here in nethserver community. Our duty would be to create nethserver-moodle package to do the nethserver-specific stuff (e.g., database creation, web ui actualization to include a moodle box to applications, etc.) and keep it synced to moodle package from epel so everything does work as expected. Most dependencies would be handled by moodle package itself not the nethserver-moodle package.

Suggestions from people with previous experience in maintaining NethServer Repositories and Packaging are very welcomed and highly appreciated.

Best Regards.

3 Likes

playing with the rpm of epel, once the database created (manually) and settings written in /var/www/moodle/web/config.php that’s all

needs also to install php-soap php-pecl-zendopcache and of course nethserver-mysql

the difficulty will be to change the settings of the plugin ldap in the mysqldb (i guess that all settings are in the database)

just for my information, a question relative to the authentication…how do you see it only ldap…free registration…both

Not really. Integration with OpenLDAP/SAMBA AD has been done by hand and by the means of the web interface. I would like to integrate it directly out of “yum” and based on which of the two directory package you have installed. I think it is all feasible.

I think the best should be manage the users via NethServer directory (SAMBA AD or OpenLDAP). I would leave out the possibility to free signup. If I need that, I would just dump the moodle tarball in a folder on the default website and configure the DB by hand.

yep it is

I assume that I discovered moodle, 1 hour ago, so probably I can say something wrong. the settings in the database can be altered like this

1 Like

When configuring Samba4 AD auth, I received the message that php-ldap wasn’t installed with moodle package from epel. So that one needs to be added too.
Also when you just install from epel, you have to change permissions for the (virtual) host. Default settings gives a 403.
And as @syntaxerrormmm said: all changes that are set during configuration of moodle webbased steps are set in the moodle database in the mdl_config table.

2 Likes

Citing from another site:
To get MySQL support in PHP, we can install the php5-mysql package. But as we use MariaDB here, it is better to use the newer php5-mysqlnd package as the old drivers from php5-mysql will cause warning messages in the logs

This is for debian, but please be aware that it could be true for centos too

1 Like

did a play, not so easy ;(

yep need to be allowed to your local network or to the www

thanks, added

My concern is that php-mysql is called by some web application like wordpress for example but php-mysql and php-mysqlnd are conflicting each other

Resolving Dependencies
--> Running transaction check
---> Package php-mysqlnd.x86_64 0:5.4.16-36.3.el7_2 will be installed
--> Processing Conflict: php-mysql-5.4.16-36.3.el7_2.x86_64 conflicts php-mysqlnd
--> Finished Dependency Resolution
Error: php-mysql conflicts with php-mysqlnd-5.4.16-36.3.el7_2.x86_64

software collection are more intelligent, you have only php5{4,5,6}-php-mysqlnd.x86_64

17 posts were split to a new topic: Working on nethserver-moodle module

Moved all devs comments on a new topic
Let’s keep this thread open only for improving the howto

@robb @syntaxerrormmm I would know if this setting is a mandatory, because it end by an error when I try to log with a Linux client and it fails back by the normal login. Therefore it is not nice to see it.

can we find a name convention here, ‘staff’ is enough good for me, but we could have another way.

In fact I’m really close to find how to authenticate directly in moodle, my concern is that during the web installation moodle is waiting a blank database, so all mysql Injection could be done only after the end of this process. I think that we could launch manually a script for inserting mysql data

=> thoughts please

I do not think Kerberos is mandatory. I would just like that (maybe optionally), you may use the users you created within LDAP as users also of the Moodle platform. Are you using the SAMBA DC container, right?

[quote=“stephdl, post:18, topic:5029”]
can we find a name convention here, ‘staff’ is enough good for me, but we could have another way.
[/quote]

Yeah, I do not like it so much, but we may settle for it if we cannot find any valid alternatives. I would suggest Course Creators.

[quote=“stephdl, post:18, topic:5029”]
so all mysql Injection could be done only after the end of this process. I think that we could launch manually a script for inserting mysql data
[/quote]

In my mind, all the setup should be silent and with little choice for the user. Basically, the scripts that are configuring the LDAP modules has to be injected right after the database has been created in the provided way by the RPM specfile, then we should leave a choice to the user (better if with a web module) to use internal users or LDAP/AD ones (a flag or a combo-box would be perfect). Only when the option to take users from LDAP/AD has been taken, we should run (internally inside an event) the last piece of SQL injection that will enable LDAP authentication with the chosen methods (and provide a way to fall back if the user changes his/her mind, also).

Well, at least this is what I will try to get to. A lot of work, I know, but this will make the module perfect for production.

1 Like

for now my first attempts are with SAMBA4AD

Since it is a group name, I prefer on one word, not sure about side effects :slight_smile:

I like KISS, so I agree to make something difficult for me, and easy for the end users.

The way I found right now is

  • create the database
  • inject the creation of all tables
  • inject the authentication settings following the state of $sssd (ldap or Samba4 or internal account(means do nothing))

then only the admin account and the field of the website name must be created by the sysadmin.

1 Like