Our goal was a Moodle server with SSL logins and Active Directory authentication. We don’t want students hassled at login by the profile settings, and we don’t want moodle to require (or use) email. We intend for staff to regulate their classroom enrolment using a classroom key. This streamlined login will present the least headache for our staff and students. Besides, who wants to sit at a server terminal and type things manually?
What is moodle? Well, if you don’t know what moodle is, then this information isn’t going to be very handy.
NOTE: the formatting of this web page mangles some characters; for example “mysqldump -u root --password” may become “mysqldump -u root .password” when copied through putty. Double check all syntax after pasting.
Install the OS. There are plenty of tutorials out there to instruct one to do that. Once the OS is up, set a static IP and create a DNS record. If not already installed, be sure to install openssh-server by typing “sudo apt-get install -y openssh-server”. It should be installed with the server edition automatically. Then return to your workstation and ssh into the moodle server. The rest of this tutorial assumes you are sitting at a workstation and you can copy and paste into your ssh window.
Installing the software
Log in to your server using ssh.
sudo apt-get clean
sudo apt-get autoclean
mkdir sc
cd sc
nano install.sc
{paste the following}
apt-get update
apt-get -y upgrade
apt-get install -y curl libcurl3 libcurl3-dev php5-curl openssh-server
apt-get install -y curl samba samba-common smbfs apache2 php5 php5-xmlrpc php5-ldap libnet-ssleay-perl sendmail libauthen-pam-perl libio-pty-perl libmd5-perl smartmontools mysql-server php5-mysql ssl-cert clamav aspell unzip zip
#apt-get instal -y libcupsys2 #broken, Doesn’t seem very important
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.500_all.deb
dpkg -i webmin_1.500_all.deb
wget http://download.moodle.org/stable19/moodle-latest-19.tgz
tar -zvxf moodle-latest-19.tgz
rm /var/www/index.html
cp -R moodle/* /var/www/
mkdir /var/moodledata
chown -R www-data.www-data /var/www
chown -R www-data.www-data /var/moodledata
/etc/init.d/apache2 restart
mkdir -p /var/lib/clamav/quarantine
{end paste}
chmod +x install.sc
sudo ./install.sc
Depending on your internet connection speed, this may take some time. You should still go get a cup of coffee. That is what automation is all about!
When you come back, point your web browser to your moodle server and you should connect and begin to create and populate your database. Choose an admin password that meets their standards, but don’t lose it!
Setting up Active Directory Authentication
Log into your domain controller
In Active Directory create a user named MoodleUser in the OU accounts. This user need not be a domain admin. At least, that is what they say. But I couldn’t get it to work as a limited account.
For your staff and students you will need to fill in some fields in the account so that they are not hung up on the profile section; see this ‘feature’, aka bug. If you don’t want students to have email (like we don’t), just put in a fake email address for the email field in Active Directory. They will also need an office, as well as first and last name.
If you don’t want your moodle to email anyone at all, and if you don’t want the fake email (or functional email) to be displayed in moodle, then this will require a little tweaking in the moodle database. Go to the Webmin on your moodle server that was installed above. That would be https://serverName:10000. Expand Servers, MySQL server, and click on the Moodle database. From the “Or Edit Table:” drop down list, choose mdl_user. Select emailstop and make it look like this.
then select maildisplay and make it look like this.
Login to moodle web gui as a moodle admin
Navigate to Users – Authentication – Manage Authentication
Click the closed eye (aka enable) for the LDAP server setting. Then click settings. Then enter the following case sensitive data, but do not include the quotes.
Host URL “ldap://DOMAINCONTROLLERNAME.DOMAINNAME.local”
Version “2”
LDAP encoding “utf-8”
Hide Password “YES”
Distinguished Name “cn=moodleuser,ou=accounts,dc=DOMAINNAME,dc=local”
Password “{moodleuser’s password}”
User Type “MS ActiveDirectory”
Context “cn=Users,dc=DOMAINNAME,dc=local;ou=accounts,dc=DOMAINNAME,dc=local”
{note those are 2 different OU paths separated by a ; you could include more paths if needed by separating them with a ;}
Search subcontexts “YES”
Dereference aliases “NO”
User attribute “sAMAccountName”
Member attribute “memberOf”
Force change password “NO”
Use standard Change Password Page “NO”
Password format “Plain Text”
Expiration “no”
Expiration warning “10”
Create users externally “No”
Creators “cn=Users,dc=DOMAINNAME,dc=local;ou=teachers,ou=staff,ou=accounts,dc=DOMAINNAME,dc=local”
{see the note for Context, above}
Removed ext user “Keep internal”
NTLM SSO Enable “NO”
MS IE fast path? “NO”
First name “givenName”
update local On “every login”
update external “never”
lock value “unlocked”
{repeat these settings for all entries below this point}
Surname “sn”
Email address “mail”
City/town “physicalDeliveryOfficeName”
Country “United States”
Language “English”
Be certain to test your active directory logins before proceeding.
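One way to run that test from the moodle server's shell before relying on the web GUI, as an added example that is not part of the original tutorial: it binds as the MoodleUser account and searches each Context path for one login name using ldapsearch (from the ldap-utils package, which the install script above does not install). The function names are assumptions, and the placeholders mirror the settings listed above.

```shell
#!/bin/sh
# Added example: check the Moodle LDAP settings with ldapsearch (ldap-utils).
# Placeholders below mirror the tutorial's settings; replace them with yours.
LDAP_URL="ldap://DOMAINCONTROLLERNAME.DOMAINNAME.local"
BIND_DN="cn=moodleuser,ou=accounts,dc=DOMAINNAME,dc=local"
CONTEXTS="cn=Users,dc=DOMAINNAME,dc=local;ou=accounts,dc=DOMAINNAME,dc=local"

# Moodle accepts several contexts separated by ';' while ldapsearch takes
# one search base per call, so print one base DN per line.
split_contexts() {
    printf '%s\n' "$1" | tr ';' '\n' | sed -e 's/^ *//' -e 's/ *$//' -e '/^$/d'
}

# Build the search filter for "User attribute sAMAccountName".
# Names containing LDAP filter metacharacters are refused, not escaped.
user_filter() {
    case "$1" in
        ''|*'*'*|*'('*|*')'*|*'\'*) return 1 ;;
    esac
    printf '(sAMAccountName=%s)' "$1"
}

# Search every context for one login name and show the mapped attributes.
# -W prompts for the bind password so it never lands in argv or history.
# Note: a simple bind (-x) over ldap:// sends that password unencrypted,
# which is also how Moodle will bind with the Host URL shown above.
check_login() {
    filter=$(user_filter "$1") || { echo "bad login name" >&2; return 2; }
    split_contexts "$CONTEXTS" | while IFS= read -r base; do
        echo "== $base"
        ldapsearch -x -LLL -H "$LDAP_URL" -D "$BIND_DN" -W \
            -b "$base" -s sub "$filter" \
            dn givenName sn mail physicalDeliveryOfficeName
    done
}
```

Source the file and run check_login with a student's login name; an entry missing givenName, sn, mail or physicalDeliveryOfficeName is one that will be stopped at the profile page.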
Setup for SSL login
# Good read: https://help.ubuntu.com/community/forum/server/apache2/SSL
Screwing something up here can lock you out of your server. Do not proceed unless you are prepared to rebuild your server. But then again, I wouldn’t log into an LDAP device without SSL. The following steps are fairly foolproof, but I disclaim all responsibility should something go wrong, or a command not work, and you lose data. If you are running the moodle server on a VM (like me) then you should take a snapshot now. WARNING!! The quotes don’t seem to want to copy and paste from this site through putty. I suggest you double check the script before executing!! Also, beware of possible word wrapping, particularly with the line that begins “sudo openssl req -config… ” If you run this script twice, you will need to “sudo rm /etc/apache2/sites-enabled/ssl.old”
nano setup_ssl.sc
{paste in the following}
sudo mkdir /etc/apache2/ssl
sudo /etc/init.d/apache2 force-reload
sudo rm /etc/apache2/ssl/apache.pem
cp /usr/share/ssl-cert/ssleay.cnf /tmp
sed -i "s/@CountryName@/US/" /tmp/ssleay.cnf
sed -i "s/@StateName@/Illinois/" /tmp/ssleay.cnf
sed -i "s/@LocalityName@/yourcity/" /tmp/ssleay.cnf
sed -i "s/@HostName@/yourservername/" /tmp/ssleay.cnf
sudo mkdir /etc/apache2/ssl
sudo openssl req -config /tmp/ssleay.cnf -new -x509 -days 1460 -nodes -out /etc/apache2/ssl/apache.pem -keyout /etc/apache2/ssl/apache.pem
sudo chmod 600 /etc/apache2/ssl/apache.pem
rm /tmp/ssleay.cnf
sudo make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
sudo a2ensite ssl
sudo a2enmod ssl
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl
sudo mv /etc/apache2/sites-enabled/ssl /etc/apache2/sites-enabled/ssl.old
ln -s /etc/apache2/sites-available/ssl /etc/apache2/sites-enabled/ssl
sudo /etc/init.d/apache2 restart
{end paste}
nano setup_ssl.sc
{if you haven’t already, go back and edit yourcountry yourstate etc}
chmod +x setup_ssl.sc
sudo ./setup_ssl.sc
sudo nano /etc/apache2/sites-available/default
{replace * with *:80, it probably already is *:80}
sudo nano /etc/apache2/sites-available/ssl
{replace * or *:80 with *:443, it could show up either way.}
{then paste the following 2 lines right under}
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
{end paste}
sudo /etc/init.d/apache2 restart
Publishing SSL certificates in AD
With the goal of streamlining the login process for students and staff, we need to get away from the pesky certificate warnings in the users’ browsers. This is pretty easy using Active Directory.
Get the certificate
Use your browser to go to the moodle server, then accept and install the certificate. If you can log into your moodle server, then you have already done this. I used Firefox for the following steps. I know it can be done in IE with a few changes.
Go to Tools and select options. Then click advanced and then the Encryption tab. Select View certificates and another form will pop up called Certificate Manager. Choose the Authorities tab and then scroll down until you find your moodle server. Highlight it and click the export button. Make a note of the path and the file name.
Create the GPO
Create and link a GPO called “Trusted Root Certification Authorities”
Make the initial configuration settings match the following, except the Certificates part, that will come immediately next.
Drill down: Computer Configuration, Security Settings, Public Key Policies, Trusted Root Certification Authorities. Then right click on the right pane and select ‘Import’. This launches a wizard that wants to know where the certificate you saved earlier is. Navigate to that certificate to upload it to your domain controller.
Log into a Workstation (in the linked OU) as a domain admin and type “gpupdate /force /boot”. When the computer comes back up, it should not prompt the users to accept the certificate.
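A check worth running before the import, shown as an added example that is not part of the original tutorial: it writes a certificate-only file from the server's combined apache.pem (which also holds the private key and must never be handed to the GPO wizard) and compares fingerprints against the file exported from the browser. The function names are assumptions.

```shell
#!/bin/sh
# Added example: prepare and verify the certificate file used in the GPO.
PEM=/etc/apache2/ssl/apache.pem   # combined key + certificate from setup_ssl.sc

# Write only the certificate (no private key) from a combined PEM file.
export_cert_only() {   # usage: export_cert_only combined.pem out.crt
    openssl x509 -in "$1" -outform PEM -out "$2"
}

# SHA-256 fingerprint of the certificate in a file, value only.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the certificate the web server presents on port 443.
served_fingerprint() {   # usage: served_fingerprint hostname
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# True if the file contains a private key block. Such a file must not be
# imported into a GPO or copied to a share.
has_private_key() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# True only if both files hold the same certificate.
same_cert() {
    a=$(cert_fingerprint "$1")
    b=$(cert_fingerprint "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```

On the moodle server, export_cert_only "$PEM" moodle.crt produces a file that is safe to copy to the domain controller; same_cert against the browser export confirms both are the certificate the server was configured with.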
Other Configurations
Virus scanning with clamav
Log into your moodle server and drill down to Site Administration, Security, Anti-Virus, and make it look like this.
System Paths – other installed applications
Log into your moodle server and drill down to Site Administration, Server, System paths, and make it look like this.
Maximum File Size
If you are stuck at a ridiculously small upload file amount, open a terminal and
sudo nano /etc/php5/apache2/php.ini
and change the lines
post_max_size = 8M
upload_max_filesize = 2M
to
post_max_size = 50M
upload_max_filesize = 50M
then restart apache
sudo /etc/init.d/apache2 restart
Now you should have the option of setting default classroom file size limits much higher. Even though it is opened up for 50Mb, I set the classroom limit to 10Mb.
Backing up the moodle server
Here we are going to use samba, cron, and this script to connect to a windows backup server and store our moodle backups. With this script we do a daily backup of moodle and overwrite the previous week’s backups. For a brief overview of samba read samba quick and dirty and pay special attention to the client settings. We are not setting up a samba server.
backup script
sudo nano /bin/bkupmoodle.sc
{copy and paste the following. beware of word wrapping, particularly the line that begins with “mount -t cifs” }
BACKUPSERVER={name or IP of a windows backup server}
BACKUPDRIVE={share or admin drive letter on the backup server}
BACKUPADMIN={name of the Windows user with write access on the backup server}
BACKUPPASS={password of the Windows user with write access on the backup server}
mkdir /mnt/$BACKUPSERVER
umount /mnt/$BACKUPSERVER
mount -t cifs //$BACKUPSERVER/$BACKUPDRIVE /mnt/$BACKUPSERVER -o user=$BACKUPADMIN,pass=$BACKUPPASS
ls /mnt/$BACKUPSERVER
#backup the database
mysqldump -u root --password=MOODLEDATABASEPASSWORD -C -Q -e -a moodle > moodle-database.sql
tar -cvzf $(date +%a).moodle-database.sql.tar.gz moodle-database.sql
mv $(date +%a).moodle-database.sql.tar.gz /mnt/$BACKUPSERVER
rm moodle-database.sql
#backup the files
cd /var
tar czvf $(date +%a).var.www.tar.gz ./www
tar czvf $(date +%a).var.moodledata.tar.gz ./moodledata
mv $(date +%a).var.www.tar.gz /mnt/$BACKUPSERVER
mv $(date +%a).var.moodledata.tar.gz /mnt/$BACKUPSERVER
ls /mnt/$BACKUPSERVER/*.tar.gz
umount /mnt/$BACKUPSERVER
{end copy and paste}
Since the user name and password are in plain text, we need to change the permissions on the script so only the root user can read the file.
sudo chmod 700 /bin/bkupmoodle.sc
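A variation on the backup script that keeps both passwords out of the script and off the command line, where other local users could read them from the process list; this is an added example, not the author's script. mount.cifs reads the Windows account from a credentials= file and mysqldump reads the database login from a --defaults-extra-file. The file locations under /root and the function names are assumptions.

```shell
#!/bin/sh
# Added example: the same backup steps, with secrets read from root-only files.
# Assumed locations. CIFS_CRED holds "username=..." and "password=..." lines;
# MYSQL_CNF holds a [client] section with "user=..." and "password=...".
CIFS_CRED=/root/.bkup-cifs.cred
MYSQL_CNF=/root/.bkup-mysql.cnf

# Create (or recreate) a secret file that is never group/world readable.
write_secret_file() {   # usage: write_secret_file path   (content on stdin)
    ( umask 077 && rm -f "$1" && cat > "$1" )
}

# Refuse to use a secret file that anyone but its owner can access.
secret_file_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c %a "$1") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

run_backup() {   # usage: run_backup backupserver share
    mnt=/mnt/$1
    secret_file_ok "$CIFS_CRED" && secret_file_ok "$MYSQL_CNF" || {
        echo "secret files missing or too permissive" >&2; return 1; }
    mkdir -p "$mnt"
    mount -t cifs "//$1/$2" "$mnt" -o "credentials=$CIFS_CRED" || return 1
    # --defaults-extra-file must be the first option on the command line.
    mysqldump --defaults-extra-file="$MYSQL_CNF" -C -Q -e -a moodle |
        gzip > "$mnt/$(date +%a).moodle-database.sql.gz"
    tar czf "$mnt/$(date +%a).var.www.tar.gz" -C /var www
    tar czf "$mnt/$(date +%a).var.moodledata.tar.gz" -C /var moodledata
    umount "$mnt"
}
```

Create the two secret files once as root with write_secret_file, then call run_backup with the server and share names from the end of the script that cron runs.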
To set cron to backup the server every day at 2:10 (not yet confirmed)
sudo crontab -e
paste in
10 2 * * * /bin/bkupmoodle.sc
and, while you are here, let’s tell clamav to update once an hour. So paste in
1 * * * * /usr/local/bin/freshclam --quiet
This tells clamav to update every hour.
UPDATE:
My moodle project was killed. Administration chose to go with another product. So for the time being there will be no more updates to this entry. I’ll still answer any questions if I can.

Hi,
I succeeded in installing the moodle. Everything seemed to be working fine until I tried uploading files to the site. In courses when I choose “add a resource,” “link to a file or website,” I’m able to add the file. When I try to see if I’ll be able to download the uploaded file, it gives me an error message “The URL is not valid and cannot be loaded.”
I was suspecting that maybe moodledata is not writable but I used the instructions in your article to no avail: “chown -R www-data.www-data /var/www
chown -R www-data.www-data /var/moodledata.”
How can I solve this problem? Thanks in advance.
Adini Saidi, what exactly do you mean by “tried uploading files”? Correct me if I’m wrong... you’ve installed moodle and logged into moodle and then you have created a course and begun to add content to the course. But you are having problems with adding a resource. What kind of resource? Is this a file stored on your local computer, or is this an external website? Troubleshoot your resource location, file type or permissions on that resource.
This problem has absolutely nothing to do with the commands “chown -R www-data.www-data /var/www” or “chown -R www-data.www-data /var/moodledata” those commands basically tell the operating system to give control of all files within /var/www and /var/moodledata to the user www-data. www-data is basically the apache2 webserver. If it does not then it can not do its thing.
This is a great job!!
But how could an AD user login with his AD account? By the user name in AD or …??
Alex,
Yes, an AD user would log in with their AD account user name and password. If you follow my instructions, a student would log into the classroom computer with their student active directory credentials. And then, they would go to http://yourmoodleURL.com and then log into moodle with the same active directory credentials. If your moodle server is internet facing, then the student could also log into http://yourmoodleURL.com from their home computer using the AD credentials.
I am trying VERY hard to get a Mahoodle (moodle & mahara) server up and running for our 8th graders to create ePortfolios. I have both moodle & mahara running fine on my old Dell Poweredge server but it is inaccessible from other computers.
You can get to the login screen via typing in the server IP address directly (however ALL graphics are stripped away) but it is impossible to get past the login screen. You get a “Server not found” error message.
I am lost and our Tech dept. isn’t that proficient in Ubuntu/Linux. Any ideas or suggestions?