Self-Funded Moodle Wipeout

Self-Funded Moodle Wipeout

by Timothy Takemoto -
Number of replies: 48

Two and a half years ago I got a job with my current employer as an x-programming, Japanophone, English educator.

I was given instructions to of get online education going at our institution. They wanted something to get students to practice TOEIC style questions, to get the students to listen to an understand some English outside of class.

We had used proprietry systems such as that provided by "ALC" but it had not been working too well mainly because the systems did not allow teachers to monitor how much work the students had done. They students did not use the systems. A lot of money went to waste.

I found Moodle, and with the help of the Moodle community got over a few initial problems with security and Japanese. I wrote a moodle integrated textbook (with I hope to open source) and a couple of thousand questions. I have about 500 students in 22 classes doing homework from a moodle installation. I think that this was what my employer had in mind.

The university had a large grant. They invested half of it in another system which had content. They invested the other half in creating a new system of our own, two which another educators content will be imported.

Yesterday the design for the new system was unvieled. It cost about as much as a top range mercedes. It seems to have functionality which could be provided by Gordon Bateson's Hotpot module, the lesson module, or even, with a little investment, by the quiz module.

The large grant continues for another couple of years. I think that monies will continue to be spent on the new inhouse system, and that by the end of the budget, and the cost of a Ferrari, the inhouse system will provide testing capability to match that of Moodle. Since testing is the only thing for which there is a demand here, it seems likely that the new system will become a standard of sorts.

My boss has not given any clear reason why Moodle should not be used.

  • He mentions truisms such as "no system can do anything, designing ones own has advantages."

    He makes fun of the "moodle" name, rhyming it with "noodle" dead.
  • He mentions Total Cost of Ownership and suggests that it may be higher in the case of an open source system.
  • At first he mentioned something about a question database which would include data not supported by the current system, such as difficulty level and copyright.
  • I think that the biggest reason is that he is hoping to be able to sell the new testing system as a CD which could be sold along with TOEIC test preparation books. I will bring that up on another thread, since I think that it a valid point and a good idea.

I guess there is a chance that I will be asked to move my content onto the new system at some point in the future. After all there is no point in getting students to become familiar with more than one system, or having content created for more than one system. But why?

I put in a proposal to have loads of content (a Ferrari's worth) created for moodle.

All in all I am not doing very well wry smile.

Tim

Average of ratings: -
In reply to Timothy Takemoto

Re: Self-Funded Moodle Wipeout

by Bill Burgos -
Tim,

I am going to give two presentations this month to university people on Moodle. My second presentation will be in Hyogo Prefecture on Nov. 24. I can head out further west to Yamaguchi for the 25th if you think it will help.

Contact me directly if you think this is an idea worth pursuing.

Bill
Average of ratings: -
In reply to Bill Burgos

Re: Self-Funded Moodle Wipeout

by Timothy Takemoto -
Dear Bill,

That is kind of you, but I don't think that there is any money available for Moodle and while I have wiped out, I seem to be okay at presenting Moodle. Perhaps you might like me to come to Hyogo with you smile.

Tim
Average of ratings: -
In reply to Timothy Takemoto

Re: Self-Funded Moodle Wipeout

by Arthur Ferruzzi -
Is the Open Source Course Exchange idea relevant to this?

http://moodle.org/mod/forum/discuss.php?d=24306#153756

Hope This Helps,

Art
Average of ratings: -
In reply to Arthur Ferruzzi

Re: Self-Funded Moodle Wipeout

by Timothy Takemoto -

Art

Yes...Thank you. You raise a very important point.  Whatever my university does, whatever any university does with a new system, Moodle will win if the Moodle exchange thrives. Moodle is a standard.

There is a moodle content exchange at
http://moodle.org/course/view.php?id=15
I am very keen on it.

BTW I plan to release my textbook there, perhaps on a "free publich reciprocal licence" (must put derivs on the web and inform author) and my tests on some sort of "other classroom" licence since I can't have my own students taking my tests online.

Thanks to those that have expressed their support privately and above.

Tim

Average of ratings: -
In reply to Timothy Takemoto

Re: Self-Funded Moodle Wipeout

by Visvanath Ratnaweera -
Picture of Particularly helpful Moodlers Picture of Translators
Management doesn't necessarily mean quality and efficiency. These type of stories are unfortunately not uncommon. sad

What could be done? For one, you need stamina. Just don't give up! And the second thing, don't play the dirty game, that'll back fire!!

The time will come when an even higher brass smells the loss by comparing some simple benchmark figures. Take for example the now non-existent "Swiss Air". They were living in heaven. Once it started falling down it took billions of public money to the drain. The saga is not yet finished.

There were board members who earned a "top range mercedes" by attending just _one_ board meeting per year! Anyway, to make a long story short, now the whole board face damage charges in courts!!

The moral: Times change.

Average of ratings: -
In reply to Visvanath Ratnaweera

Re: Self-Funded Moodle Wipeout

by Timothy Takemoto -

Thanks Visvanath,

I agree that times change, and hope that I can find the stamina.

By the way, I certainly do *not *mean to suggest that my boss has taken funds for himself, like those inlovled with "Swiss Air". My boss works very hard, without financial reward (other than his salary). All the money spent on the new system was used to pay for a programmer and others involved with importing content to the new system. 

The major issue seems to be explanation. 

On the one hand I failed to explain Moodle's capabilities.

On the other management does not seem to have explained the capabilities that the new system offers over and above Moodle.

For myself, I like to think that that there are various psychological barriers to the former. I am not Japanese. Moodle is not Japanese. Moodle does not have exhaustive documentation. Open source is not yet well understood, or even, perhaps, well defined.

For my boss, I should point out that the money spent on the inhouse system is only as much as the yearly fees for a commercial system such as Blackboard/WebCT. If (as seems probable) the inhouse system provides the desired functionality within the next three years, it will still represent a vast saving over the option of using a commercial system, as is used in many institutions worldwide. 

Bearing in mind the high fees charged by commercial providers, I think that inhouse systems will proliferate. And yet, even so, they will face the drawback, as mentioned by Art above, of not representing a standard. 

Not wishing to be unfair to moodle, it seems to me that the functionality of an LMS as required by any particular institution can be programmed at a manageable level of expense. As advances in programming (libraries, IDEs etc) continue this weakness will not go away.

The future of an LMS depends, it seems to me, on the extent to which it can become a standard. The level of standardisation of an LMS affects both functionality and content. 

At the moment we see the functional standardisation of Moodle realising great benefits in the form of numerous modules. By this I mean modularity. The "M" of Moodle stands for "Modular." No inhouse system can promise the sort of modularity, or functional expandability, that Moodle (or Blackboard/WebCT) now offers. But when objectives are limited (as in our case to testing) then modularity is not so important.

What will always remain important is content. And here Moodle can beat the pants off any inhouse system, either by incorporating other standards such as SCORM, and IMS, or by virtue of its user base and the content shared within that standard.

I do hope that the exchange takes off.

Tim

Average of ratings: -
In reply to Timothy Takemoto

Re: Self-Funded Moodle Wipeout

by Visvanath Ratnaweera -
Picture of Particularly helpful Moodlers Picture of Translators
Hi Timothy

Sorry, I wasn't clear about the mismanagement: Embezzlement is a clearly an offence. In the case of Swiss Air it was not about pocketing money but about _wasting_. Like buying an inferior product for more money.

I was surprised that the Board was charged in courts. Switzerland is in this way very liberal. Recently there was a case about two Managers (was it ABB?) taking home over 100 M$ for their "golden handshake". On private protest, the govt. investigated and came to the conclusion "no criminal offence"!

Two years ago the local schools made a big shift towards Microsoft, although the community offered various solutions cheaper and on free software. On my question in a public debate, the Ministress of Education gave me a curt anwser "Breaking monopolies is not my duty!".

I'm too wondering when the tide will change sad
Average of ratings: -
In reply to Timothy Takemoto

Re: Self-Funded Moodle Wipeout

by John Rodgers -
Timothy:

After the initial wipeout, I hope you aren't discouraged.  I enjoy reading your posts here in the Moodle community.

I'm not a programmer but I would be really surprized if an in house system can match the development path of Moodle, when you consider the advantages of so many eyes and users debugging, testing scalability, suggesting and testing features.  I would be really interested to see how it compares in development dollars.  If you get a chance to ask your boss in a respectful manner what the assumptions are in the development model, you might be able to get some good information from the like of Martin Langhoff, Martin D. and Michael Penney to name but a few as to their validity.

I was similarly discouraged a little while ago when my province chose an LMS for their e learning program.  I'm now starting to realize the assumptions behind the decisions are going to wind up in the project floundering anyways.  I continue to beaver away doing what I know is right.


Average of ratings: -
In reply to John Rodgers

Re: Self-Funded Moodle Wipeout

by Timothy Takemoto -

Thanks John,

I agree. I was pretty sure that the new system would not be able to match Moodle.

If the project succeeds it will be the limited area of online testing. The in-house project appears similar to a replication of the cloze question and multiple choice part of Hot Potatoes, rather than Moodle as a whole. However, there seems to be very little demand for anything else.

At the moment I have only seen screen shots. They may even be mock-up screen shots!

The third, 'other system' (a commercial system) does seem to be having problems (java-related and lack of admin-side flexibility for grade management). I think that it may flounder. I am not sure how the licence works, but perhaps thelicence will not be renewed. The in-house piece of software is ours of course, and has no licence. It has already been the target of considerable investment, it has two people or more people working on it. Soon the English teaching staff will start piloting it. I think that it has a certain momentum.

Another issue is that, in my position I should be helping out with the new in-house system. At first I said I would pilot the new system in one of my new classes. But then I felt quite ill! It seems that I lack the maturity to help out in the initial stages. I am not sure how much of a promblem this is going to be. I may suggest that it would be a good idea for me to continue working on Moodle as a backup should the new system fail. But I think that soon I will be expected to help out with the development of the new in-house system. [Deep squeezy feeling]!

Tim

Average of ratings: -
In reply to Timothy Takemoto

Re: Self-Funded Moodle Wipeout

by Bernard Boucher -
Hi Timothy,
I am very sorry. After all yours effortssad. I understand you because my organisation still use another LMS system but they "tolerate" that I use Moodle using my personnal time and my personnal server. Maybe that year they will pay for a real server.

I don't know if it is too late, but if you find some Japanese studies ( others may not be considerable ) about the cost of the developpement of lms or parts of lms, maybe you boss will take in account that starting with Moodle will save him about 50 men*years of work and money. And he will not be forced to put the modifications done by his programmer in public domain. He may change the name of the modified software if he desire!

Good luck,

Bernard

p.s. Totally off topic: I just find an english version of the manual of Copilot if you want to think about an other subject.


Average of ratings: -
In reply to Timothy Takemoto

Re: Self-Funded Moodle Wipeout

by Timothy Takemoto -

Shortly after I wrote the above post I found out more.

For some time my boss (or the highest level university employee that I come into contact with) has hmmed and hrred about the difficulty of choosing a "platform" or LMS-EMS for our university. I thought that he was constrained by others.

At a recent top level meeting (I am there as the representative of my department, not as  decision makter) I found out that it is my very own boss (of all the thousands of employees at this university) who is leading the drive to bring university education systems online.

So at the micro level, my boss is involved in the development of a new testing system (similar to like Hot Pot JCloze) and at the macro level my boss is the leader of the working group for the development of a an all incompassing (web based traing, credits, educational-bureaucratic, 'social') do everything educational information system for the university.

Bearing in mind the size of the plans that my boss appears to have and the direction he seems to be taking them in (i.e. a new system built by our university), it is not surprising that Moodle should be seen as insignificant at best. Perhaps my university will succeed. I have not been asked to take part in that process.

I may start a thread about "Why it would be difficult, or easy for a university to make their own moodle." 50 man years of work....and all that.

Tim

Average of ratings: -
In reply to Timothy Takemoto

Re: Self-Funded Moodle Wipeout

by Mark Stevens -
A colleague and I are researching one of the issues that you mentioned.  Our current research focuses on our region, but it looks like we might have to expand it smile
Here's a blurb from our project:
The presenters will reveal that despite Moodles impressive credentials as a tool to facilitate meaningful language learning, collaboration, and critical thinking, many teachers who have chosen to use this free CMS at universities in the Middle East have been met with challenges from their administrations.

Can we use your story anonymously?  Any others out there?
Average of ratings: -
In reply to Mark Stevens

Re: Self-Funded Moodle Wipeout

by D.I. von Briesen -
I've got one for you Mark ( 6 months later) pasted below:

subject line was: BB 1, Moodle 0


To: di.vonbriesen@cpcc.edu
Date: Jun 6 2006 - 11:43am

Hi D.I.,

Just want to share some of what's going on at XXXXX CC.  Got an email this AM from our program lead (strongly) suggesting that I use BlackBoard rather than Moodle.  Since I have not used BlackBoard yet and had no plans on adopting it unless I was assigned a distance Ed class, I figured the powers that be would be pleased that I'm paying for the hosting and the college has no obligations.  Wrong! Here's part of a response from our BlackBoard (and other things) administrator:

The systems office has not considered it in part because it is open source, which raises much concern about support.  In addition, it uses
php/mysql, which raises some concern about scalable to meet the needs of the entire VCCS.

Ouch!  Open source and php/mysql (or other SQL) are reasons I'd choose it over BB.

Could be that I will continue to develop my Moodle site just for the discipline it will force upon me. I'll keep you posted as this goes on.



Average of ratings: -
In reply to D.I. von Briesen

Re: Self-Funded Moodle Wipeout

by Worth Bishop -

See:  http://moodle.org/mod/forum/discuss.php?d=47662

Folks who prefer listening to vendors' arguments over actual experience tend to not be risk takers, preferring the perceived safety of the herd. If you can show them that the herd has changed direction and they are about to be left behind, they'll sometimes trot to catch up...

Good luck.

Average of ratings: -
In reply to Timothy Takemoto

Re: Self-Funded Moodle Wipeout

by Ger Tielemans -
The only advise I can give is: stay calm, wait and offer the board facts.
Or better let someone else (students in the school newspaper?) offer facts, like:
  • Why are Universities in the USA so stupid to make the move to silly Moodle?
  • Why chooses THE distance learning institute (OU England) for Moodle?
  • Why is the SAKAI project in love with Moodle?
  • Why spending so much money on a local product while there are so many options for free? (Your boss is right, thinking that a single tool can solve all is naive, but nobody prohibits him to combine several free products, he even can choose the best combination for his institute...)
The point is that you seem te be to far ahead of the heard (I recognise this feeling: if you open your mouth and say only the truth, you loose your job.)
  • In 1999 anybody laughed about my love for educational WIKI's (what a stupid word wiki-wiki)  ...now is anybody thrilled by wikipedia, and is thinking that it is only for creating online encyclopedia together. (pfff)
  • in 1997 we reintroduced live education as part of ICT. a famous Dutch professor even shouted during one of my presentations that it was not allowed what I was doing with computers... Now he and others call it blended learning.
  • In 1993 I proposed a combination of forms and a database as the backbone of a new educational approach: educational (web)groupware, based on Lotus Notes... it was rejected for funding by Dutch SURF as too advanced.
    In 1998 we still realised that dream: TeLeTOP. 
    It was a big succes, I saw my new budget ..until my boss got jealous.. I was a little tired... and in the end I lost my project, I got no money to make it a better product, I even was not allowed to call it in public "only the first prototype", So I lost the joy in my job, I moved to a new job and then I found Moodle (and IMS/LD)..

     Funny how live can go. I have now freedom and fun and people respect my efforts (I am the local wizzard) instead of fighting with other university staff about budget cuts or filling huge pills of sheets to get a small grant for some stupid senseless project. (OK, OK, my salary did not grow... )
Last month I was allowed to speak about Moodle in front of all the Dutch University e-Learning managers on a conference: All of them use BB (or my TeLeTOP) for six years and invested a lot in teacher training...

So talking about moving to Moodle or Sakai was senseless. So I teased them a little, for example offering them this dilemma:
IF I was one of you, looking at all our investments, I MUST choose to go on with our current product, but I KNOW that I will get fired in four years for my lack of educational courage and vision...
This remark did hurt.. "The day after" they all where shouting on their edu blogs *) that there was no reason to move to Open Source: Sakai was not far enough developed and Moodle was to complex, all these options for simple professors... the most ashaming argument was that they said that their professors did not even use the current simple options of BB (Jim Farmer and I told them that, so..), so why buy a better VLE?
They even organise seminars about using blogs *) as the new alternativ for the failing VLE approach. How deep can managers sink..
.
.
*) 'blog = random thoughts, organised by date'.
Yes, I still hate blogs: the core of human learning is reflection. In a blog you only shout and try to attract an audiance.. and when that audiance shouts also, you as blog-owner use your censor power... so, no reflection, just exhibitionism. 
In forums You (or should I see I smile) can shout and get sound answers like these from you in our Fromm discussion..
Forums with positiv people are the core of our educational community, powered by forums and wiki's, a little teasing is allowed, but the core is uttering thoughts, raising questions and then rethinking your thoughts, in perspective of the other remarks, and creating a compromise about the current truth. (That is the scientific approach, A.D. de Groot, methodology 1961) 
Plan B
Do not fight with bosses, the other bosses will always cover their mate: the next time they may need his help... 
Try to stay on speaking terms with your boss. Try to convince him how wise it could be to have a plan B available when his core project would fail. Many ICT projects fail.. feed the doubts..
Then offer your help to work on a plan B.
  • Call from that day on your Moodle: project B 
  • remove anywhere the word Moodle (sorry Martin)
  • ... and when the day comes, let your boss proudly present plan B to the other desperate members of the board.
Average of ratings: -
In reply to Ger Tielemans

Re: Self-Funded Moodle Wipeout

by N Hansen -
Reading things like this makes me really glad I am going into business for myself, with Moodle making it possible. All the bureaucracy, politics and regulations of academia is stifling. Somewhere along the line, the needs and wants of the students get lost...Tim, why don't you take the Moodle tool and go into business for yourself offering something related to what you teach? 
Average of ratings: -
In reply to N Hansen

Re: Self-Funded Moodle Wipeout

by Timothy Takemoto -

Hi Ger, N.,
Thank you. Plan B and business. I will bear them both in mind.

Tim

Average of ratings: -
In reply to N Hansen

Re: Self-Funded Moodle Wipeout

by Timothy Takemoto -

Thanks again Ger and N.

At the top of this thread I was being pretty paranoid and in retrospect, I don't think that the lack of support for moodle is due to the big plans my boss has for implementing another system. I don't thick that is the case.

I think rather what I am seeing is a lot of conflicting interests (including my own) that are not being unified under any banner at the moment.

Based upon other information it was suggested that the real reason that moodle is not being used is that the computer support staff are not keen on it. I took that up with the computer support staff. As mentioned in other threads it seems that my university uses a particular type of load bearing server that prevents access to session data to all but the root user. This means that any software running on the array must use the login system provided by the university, or run as root. Obviously, running as root presents a serious compromise to the system.

At my university there are very few users using only management systems of any kind. Most users at the university are probably grateful that there is an readily accessible user-authentication system and a fast load sharing server array. The server array in existance is thus well suited to the needs of the staff here.

When people want to use more sophisticated systems however, that have their own login management, the lack of access to the session data becomes a problem.

One way of overcoming this problem is by creating a new system that uses the universities authentication mechanism.

There was a system being built by one of the support staff when I first arrived. I would have used it but alas it did not have sufficient functionality to be used in a production environment.

Another way is to provide a seperate server (I am following up on that one now), or to make moodle compatible with our existing system. Perhaps the work that Jamie Pratt is doing at the moment to make moodle compatible with Japanese mobile phones may enable the use of moodle without session data!

So, I think that at the moment there are a multiplicty factors which contribute to the lack of popularity of this system.

Perhaps there are some that would rather be left with a free hand to develop something new and unique.

Perhaps there are others that do not want to see their efforts or university resources (server-wise, programming wise) go to waste.

Perhaps there are other teachers interested in other systems and nother functionality.

In the meantime, I have aged quite a lot. I guess that this is what happens.

I will stick with plan B and business.

I have just got a global ip, so I can bring my red hat box home.

Tim

Average of ratings: -
In reply to Timothy Takemoto

Re: Self-Funded Moodle Wipeout

by Jamie Pratt -
Hi Tim,

Perhaps the work that Jamie Pratt is doing at the moment to make moodle compatible with Japanese mobile phones may enable the use of moodle without session data

I'm afraid not Tim. Without sessions Moodle would have no way of tracking who was accessing what page at all. Any page access would basically be identical to Moodle with no way to log someone in or track their progress through materials.

What I've done and what I'm just preparing for release now is a patch to allow sessions to work without cookies, since many mobile phones won't accept cookies.

Normally Moodle stores a session id parameter in a cookie that the user must accept. This session id refers to a file on the server which contains information such as who this user is logged in as. I've made Moodle attach the session id to all urls in a page. So instead of the session id being stored in a cookie it is passed from page to page appended to all urls.

I don't really understand the problem that you are having with Moodle with the set up at your university. I tried to find other threads where you mentioned this but in my quick search was unable to locate them. Could you provide links to these threads. I don't see how their could be a problem with sessions but perhaps there could be a problem with storing session data in the file system.

Perhaps the solution to your problem would be to use Moodle's in built db session support. Instead of storing your session data in the file system you can put the session data in a database. The database of course doesn't need to be even on the same machine as your web server.
Average of ratings: -
In reply to Jamie Pratt

db session support

by Jamie Pratt -
Found the other thread here about the load sharing servers here :

http://moodle.org/mod/forum/discuss.php?d=34913

I think db session support might help you here. All your servers could access the same db which the session data is stored in. There won't be a problem of permissions.

I'm not sure if there is a howto on setting this up somewhere. It might just be a simple case of editing your config.php
Average of ratings: -
In reply to Jamie Pratt

Re: db session support

by Timothy Takemoto -
Thanks a lot Jamie
I will look into the use of db session support.
I am thrilled to hear that the cookieless moodle is soon to be releasedcool!
Tim
Average of ratings: -
In reply to Timothy Takemoto

Re: Self-Funded Moodle Wipeout

by Michael Penney -

You should be able to set Moodle to authenticate against your institutions authentication system, if they are using a standard authentication system. Common ones include CAS, LDAP, AD, etc. If you look under Admin/Users/Authentication methods, there are a number of options for external authentication.

What kind of system are they using? i would suggest that it would make more sense for your institution to use a standard central authentication system (like LDAP) rather than build an LMS to fit with a custom auth. method (assuming it is not a standard one).

Average of ratings: -
In reply to Michael Penney

Re: Self-Funded Moodle Wipeout

by Timothy Takemoto -

Dear Michael

Thank you for your advice.

My university is using Basic Authentication (link to apache documents), which they consider to be very standard, or even the most standard.

I think that it may well be standard. But it also, under our implementation, results in the session data (session id included) not being available to all but the root users.

The idea behind the current implementation is, I think, that at my university most teachers want above all the ability to put large (possible video) files on the net in a password protected area. The university system was built, well, to service that need. It takes care of load balancing and of authentication. But by taking care of authentication at such a level, it makes it difficult for any other system to manage authentication as well.

I would love there to be a way to use Moodle on their load balanced servers. I think that this incompatability between Moodle and the university servers acts as a focal point for a variety of non-Moodle-supportive-interests.

The fact that others have programmed things, or are using other things are valid oppositions. But such oppositions can be countered by the arguement "hey look, Moodle can do yet more." 

When it comes to security concerns however, there is a sort of finality that is difficult to counter. Security is the flag, the cornerstone of power, in a diverse bureacratic institution.  Time and again I have seen security wheeled out as the reason for pursuing one policy or other.

Incidentally, I read that "basic authentication" may be itself inherently insecure. But that would be a rather combatative stance to take.

Any suggestions?

Tim

Average of ratings: -
In reply to Timothy Takemoto

Re: Self-Funded Moodle Wipeout

by Michael Penney -

Hi Tim, ahh, I think I see, so individual users (such as the Moodle user) are not allowed to access websites on your servers without authenticating via Apache's basic auth? So you can't, for instance, run a publicly accessible website, say at www.youruniversity.edu/~tim?

Your server admins only allow access via www.youruniversity.edu/tim and anyone wanting to see your web files has to use a password you provide them?

This isn't really so much a server security issue as it is a file security issue, e.g. your IT folks don't want any of your web files to be publically accessible?

Generally, Basic Auth would be used to authenticate the Moodle user, and then users of Moodle would authenticate via one of the Moodle authentication methods. As noted, Basic Auth is not secure unless you are also using SSL. Probably you are, the big problem with Basic Auth (with SSL) is not so much security, but scalability (see below).

Are you allowed to set up web pages that don't require a password to view? If so, then Moodle should work fine if set up in this sort of directory.

If not, have you tried using PAM authentication method to access the system usernames? However, in any event basic auth is not really the right way to do enterprise scale authentication:

"Basic authentication and digest authentication both suffer from the same major flaw. They use text files to store the authentication information. The problem with this is that looking something up in a text file is very slow. It's rather like trying to find something in a book that has no index."

http://httpd.apache.org/docs/1.3/howto/auth.html#basic

So even if your IT folks do program a quiz module that worked via basic authentication, it won't work very well for very many users (at least not without a heck of alot of money spent on hardwaresurprise). This is where something like LDAP (lightweight directory access protocol) is preferable, it acts something lik an index in a book, and scales well.

If your U plans to serve hundreds or thousands of students with an online quiz application, it would be a good idea for them to set up LDAP to handle this. And once they have done that, then authenticating with Moodle (or any other enterprise capable LMS) should be pretty easysmile.

Average of ratings: -
In reply to Michael Penney

Re: Self-Funded Moodle Wipeout

by Timothy Takemoto -

Dear Michael,

Thanks for your continued attention.

I fear that the situation may be more illogical than you propose.

I can set up web sites like www.youruniversity.edu/~tim. And Moodle does run a site such as this at the momement, using an IMAP not basic authentication.

But apparently Moodle can only run using the apache setting "BecomeRoot true." I think that the php process must be allowed to run "as root" (becoming root) in order to be able to access the session data. I am not sure why it has to run using BecomeRoot but that is the case.

At least one person in the computing department is happy with this setting. But the main system administrator is not happy. I can see why. I can envisage that in a while we may be asked to move moodle from the main university server. And as mentioned above, this may be a major reason why moodle is not seen as an appropriate target of funding.

I wonder if by using PAM it would be possible to run Moodle without the BecomeRoot true
?

We are not using SSL, so as you and the apache documentation says, the system is not secure. But I am not sure who is going to take my word for it.

The truth is that at the moment there is no other system in operation so I would have to argue hypothetically. "Your system is not going to scale..." Again, I am not sure who is going to take my word for it.

By the way, the other thing I have noticed about the system is that it is impossible to use .htaccess to control access. One must use certain directory names, such as myuniversity.com/~tim/teachers/ which ensures that only those with teacher (basic authentication) passwords can access the site. Once can also limit access to a subset of users by doing *something like* place a file called users.txt (instead of a combination of .htaccess and .htpasswords) in the folder in question. It seems to be set up as "basic authentication for dummies" or rather for college profs. And I think that being fast and easy to secure it is quite popular.

I think that the load balanced system is indeed fast or at least very scalable.

Tim

Average of ratings: -
In reply to Timothy Takemoto

Dealing with over-restrictive administration policies

by Martin Dougiamas -
Picture of Core developers Picture of Documentation writers Picture of Moodle HQ Picture of Particularly helpful Moodlers Picture of Plugin developers Picture of Testers
" apparently Moodle can only run using the apache setting "BecomeRoot true.""

This is completely false in the general case and Moodle requires nothing of the sort. Moodle does require some write access to the moodledata folder to store data, but there are many ways to set this up securely without resorting to settings like that!

Even for sessions, you can use the database for them instead of moodledata directory by setting

   $CFG->dbsessions = true;     /// in your config.php
Average of ratings: -
In reply to Martin Dougiamas

Re: Dealing with over-restrictive administration policies

by Timothy Takemoto -

Hear hear. I should have made it more clear that I am only refering to the specific case of the particularl load balancing server and authentication system in operation at my university.

I am trying to find out whether dbsessions true will allow the becomeroot to be turned off, i.e. whether the problem is write permission to the session files, or whether it is some sort of read permission problem. I.e. that on our specific server only root has asscess to the session data.

I see no reason why one would need to become root to save to moodledata, so I rather suspect the the latter.

Average of ratings: -
In reply to Timothy Takemoto

Re: Self-Funded Moodle Wipeout

by Michael Penney -

Hi Tim, I see Martin has aready answered, just to second him (not that he needs any secondingsmile, this is the first time I've heard of needing to run PHP as root to access moodle session data.

On the systems I've set up, Apache/PHP certainy is not running as root, I don't think that would be a good idea.

It sounds like your server is set up in a very non-standard way, it may not be possibe to get full function from Moode in that environment if your sysadmin is not wiling to set up apache in a standard manner for Moodle to use (he could, for instance run a separate install of apache with standard settings on a different port just for Moodle) however as Martin pointed out, using dbsessions shoud solve the session problem.

Regarding whether a system written to use basic authentication will scale, well I guess if your sysadmins won't take the advice of the authors of apache, it will be hard for mere mortals to convince themsmile.

Average of ratings: -
In reply to Michael Penney

Re: Self-Funded Moodle Wipeout

by Timothy Takemoto -
Michael

Thanks again. This problem is important even if illogical and trivial and I appreciate your explanation of the problem.

I think that the "very non-standard" way that the system is set up was geared to the way that other educators use the server.

I know of almost no teachers that are using dynamic conent let along content with its own authentication system. The non-techno-friendly teachers, average age about 50, just want a place to plonk files and put a password on them. My university's system administrators came up with the present system to cater for these needs. I guess that there may have been other ways of achieving the same end, but they now have 100 tetrabytes of server space with at least 5 (that was when they had 300 tetrabytes, so it may be 15) fast load balanced BSD servers.

I hope that dbsessions cures the problem, but if it is that, then for instance won't backups, which are also written to moodledata will also require that setting?

The biggest problem is the lack of communication between the server administrator and the user, me. All the same, I fear I am going to get told off for ignoring official lines of communication and going directly to the guy who runs the server.

I guess that if I show them the apache documentation they will say something like "We will cross that bridge when we come to it. The system is working fine for everything except your needs." But I will try and point out the scaling problem in a friendly way.

I will also bear in mind the possibility of another apache on another port. It seems that custom authentication service is the problem rather than the load balancing, so I guess that his could work quite well. As far as I know the university is not using https at the moment so perhaps that could be the way to go. Then I could claim that I am asking for the extra apache not because of any problems with the server but to improve security.

Tim
Average of ratings: -
In reply to Timothy Takemoto

Re: Self-Funded Moodle Wipeout

by Jamie Pratt -
The php documentation says the following $_SERVER variables should be available to a PHP script :

'PHP_AUTH_USER'
When running under Apache or IIS (ISAPI on PHP 5) as module doing HTTP authentication this variable is set to the username provided by the user.
'PHP_AUTH_PW'
When running under Apache or IIS (ISAPI on PHP 5) as module doing HTTP authentication this variable is set to the password provided by the user.
Depending on how your server is set up this script :

<?php
echo $_SERVER['PHP_AUTH_USER']."<br />";
echo $_SERVER['PHP_AUTH_PW'];
?>

uploaded to your server should output the username and password you entered when the browser pops up a window asking you to login.

If you do have access to these variables and you are stuck with basic authentication you could program Moodle to use the basic authentication user name to sign the user in in Moodle.

This along with dbsessions could solve most of your problems using the strange set up at your university. I wonder though if php will be able to write to the file system - to the Moodle data directory??


Average of ratings: -
In reply to Jamie Pratt

Re: Self-Funded Moodle Wipeout

by Jamie Pratt -
Actually this idea I guess won't help you with the problems you're reporting but it might be a nice idea to implement so that users only have to log in once with their university wide username and password.
Average of ratings: -
In reply to Jamie Pratt

Re: Self-Funded Moodle Wipeout

by Timothy Takemoto -
Dear Jamie,

At the moment I am using IMAP so that they are using their university wide username and password.

But perhaps getting the special server related variables using PHP on my non-standard load-balancing server, with special basic-authentication-for-dummies, require becomeroot. Something about the server and moodle interaction requires becomeroot. I am sure he would not have set it if he did not have to.

I really need to find out more. I will find out about the setup in detail this week.

Thank you for your suggestions!

Tim
Average of ratings: -
In reply to Timothy Takemoto

Re: Self-Funded Moodle Wipeout

by Bernard Boucher -
Hi Timothy,
                 one precision and one suggestion.

The 50 man*year estimated increase  at least one year each month due to the quality and the quantity of moodle developpers all around the world. That is hard to beat with only one programmer!

For the suggestion:
I think it is possible for you to install and run an Moodle site on your personnal   account http://www.youruniversity.edu/~tim with minimal support from your IT services ( creating database ). 

Using  $CFG->dbsessions = true; you will not need special privileges in others directories of your university servers.

Your installation will run as a normal Moodle installed in an standard ISP but with all the power of your cluster.

All that without confronting your IT department with apache or safety problems. As Martin and Michael pointed out, you will probably be able to configure Moodle authentification with the one used by your university.

Good luck,

Bernard




Average of ratings: -
In reply to Bernard Boucher

Re: Self-Funded Moodle Wipeout

by Timothy Takemoto -
By the way, a year later the self-funded would be moodle did not materialise despite the money that could have been spent on moodle.
Average of ratings: -
In reply to Timothy Takemoto

Re: Self-Funded Moodle Wipeout

by John Rodgers -
It's nice to hear from you again Timothy.

I hate to say I told you so, particularly since I know you already suspected as much.

So I won't.
Average of ratings: -
In reply to John Rodgers

Re: Self-Funded Moodle Wipeout

by Timothy Takemoto -

And you John smile

This year they went back to the package that they bought before they attempted to self-fund a wipe out, the one that no one used.

With all this money we could have had the TOEIC training machine to beat all comers.

Proof positive of my lack of interpersonal skills, not that I needed any.

Tim

Average of ratings: -
In reply to Timothy Takemoto

Re: Self-Funded Moodle Wipeout

by Thomas Robb -

And by the way, despite Tim's failure (so far) to get Moodle implemented at his school, the documentation in Japanese that I received from him when *MY* school was debating which LMS to adopt was instrumental in their decision to go with Moodle.  We are now into our 2nd year of Moodle use with 12000 some users!

Thank you, Tim!

Average of ratings: -
In reply to Michael Penney

Re: Self-Funded Moodle Wipeout

by Iñaki Arenaza -
Picture of Core developers Picture of Documentation writers Picture of Particularly helpful Moodlers Picture of Peer reviewers Picture of Plugin developers
Basic Authentication can use text files, but it can also use dbm/ndbm/db files, mysql databases, and LDAP backends and PAM based configurations (with the right modules).

Basic Authentication only has to do with the way client browser and web server exchange security credentials. It has nothing to do with the way the server verifies those credentials.

Saludos. Iñaki.
Average of ratings: -
In reply to Iñaki Arenaza

Re: Self-Funded Moodle Wipeout

by Timothy Takemoto -

Thank you very much Mr. Inaki Arenaza

I am not sure how this affects things but I will bear that in mind.  

I think that we are not using basic, basic authentication as is, but a system based upon basic authentication.

So basic authentication is no doubt compatible with moodle when combined with LDAP or PAM as you say, but I think that is is the particular basic-authentication-made-easy-for-old-lecturers system that we have in place that is getting in the way. I will find out more.

Timothy

Average of ratings: -
In reply to Michael Penney

Re: Self-Funded Moodle Wipeout

by Jamie Pratt -
I agree using basic authentication is more insecure than the standard Moodle setup where the username and password are sent unencrypted across the internet. The difference is that with basic authentication the username and password are sent unencrypted for every page request. Unless Tim's institution are using 'digest authentication'.

I think Michael's quote from the apache doc :

"Basic authentication and digest authentication both suffer from the same major flaw. They use text files to store the authentication information. The problem with this is that looking something up in a text file is very slow. It's rather like trying to find something in a book that has no index."

Is used in a way which is a little misleading. The quote is an introduction to a section of the document describing how to use databases with basic authentication.
Average of ratings: -
In reply to Jamie Pratt

Re: Self-Funded Moodle Wipeout

by Michael Penney -

How is the quote misleading? It seemed to me that Tim's U was planning a quizzing system that would use Apache's basic auth for user authentication. Presumably, this would include a method to authenticate and track individual students as they login and take the quiz? So I pointed out that doing this within the limits of a basic auth (using a text file for usernames/passwords) was not recommended (by Apache) for large numbers of users.

Now I suppose they could be planning a system which would have a unique instance installed for each teacher, which would use it's own text file for access. In fact we built something like this years ago:

http://www.humboldt.edu/~storage/dkw1/index372.htm

In shockwave. In the above system, students self register, take the quizzes, and print out their results to show for credit, and stores data in a flat text file. It was an interesting solution that avoided the need for a database, which was important at the time, and it would also run (as a directory application) locally if installed from a CD, but I wouldn't recommend it for a large scale solution, esp. if many folks are 'logging in' at the same time.

So the point I was trying to make (from the apache docs) was that moving toward a system where hundreds of students may be using it concurrently (so that apache would be searching the text file to find each of those users each time they accessed the directory with the quiz application), it is recommended to use a database rather than a flat text file for authentication.

Thus in my opinion, the current system at Tim's university (if I understand their system correctly) is incompatable with their goals for a larger scale quizzing system, and they will need to move toward a different system for authentication and directory access for their planned quizzing system, whether they use Moodle or some custom coded application for it.

The apache docs point out that flat text files are not expected to scale, and that one should move towards a database based system for large numbers of users.  How is this misleading?

Average of ratings: -
In reply to Michael Penney

Re: Self-Funded Moodle Wipeout

by Timothy Takemoto -

Dear Michael

Clueless and at the recieving end of such much advice, first of all I would like to say thanks again, and because I am also greatful to Jamie I would like to add that,

I think that Jamie's comment refers to the situation in my mind rather than your post. Having worked with me on other projects Jamie is probably more aware of the extent of my ignorance, the ways I am likely to misunderstand, and also the particular situation at my university.

Indeed I had misunderstood so it was a good thing also that you clarified things. When you suggested that Basic Authentication may not be scalable I had thought more of the situation where many students were attempting to log in at once, rather than "hundreds of students" taking a test at once.

On a monday morning (before classes on Monday afternoon) there are still only 10 students enrolled on my English moodle (of about 500 in 22 classes). Hence even the the situation where hundreds of students are logged in (rather than attempting to log in) at once is going to be one quite a long way downstream. So thanks to your clarification, I realise that I should hold off on the scalability issue just yet.

The first thing I am going to do is find out more about the system. Perhaps get some documentation.

Tim

Average of ratings: -
In reply to Michael Penney

Re: Self-Funded Moodle Wipeout

by Jamie Pratt -
So sorry Michael!

I confused my terms. I thought that 'basic authentication' referred to the mechanism where the browser prompts the user for a username and password and sends the username and password as part of the http header to the server. Rereading the Apache documents it seems that 'basic authentication' as Apache uses the term does indeed mean using a flat text file. On the other hand the way the http specification uses a similar term 'the basic authentication scheme' could be handled by the server by checking usernames and passwords against a flat file or a db. I notice also that Mr Iñaki Arenaza understands the term 'basic authentication' to not preclude using a db.

What I thought was referred to as 'basic authentication' should probably more unambiguosly be refered to as 'http authentication'. I thought that you were saying that http authentication had to be done using a flat file. I misunderstood what you meant.


Average of ratings: -
In reply to Jamie Pratt

Re: Self-Funded Moodle Wipeout

by Iñaki Arenaza -
Picture of Core developers Picture of Documentation writers Picture of Particularly helpful Moodlers Picture of Peer reviewers Picture of Plugin developers
In fact this works like a charm here (apache 1.3.x, Debian Sarge, using mod_auth_db, which is included with stock apache), which is 100% Basic Authentication on every sense:
<Directory /var/www/protected>
  AuthType Basic
  AuthName "This is a protected area"
  AuthDbUserFile /var/www/private/userfile
  AuthDbGroupFile /var/www/private/userfile
  Require valid-user
</Directory>
You the create/update your userfile with dbmmanage (included with apache), with something like:
dbmmanage /var/www/private/userfile add iarenaza -
dbmmanage /var/www/private/userfile update iarenaza - 
You can do similar things with mod_auth_mysql, mod_auth_ldap, etc. (all this are not provided with stock apache, but are available at http://modules.apache.org).

Saludos. Iñaki.

Average of ratings: -
In reply to Iñaki Arenaza

Re: Self-Funded Moodle Wipeout

by Jamie Pratt -
The Apache docs refer to this as 'Database Authentication'. As Michael quoted from the docs previously :

"Basic authentication and digest authentication both suffer from the same major flaw. They use text files to store the authentication information."

It is pretty clear the way they use the term it means authentication using a flat text file.

I wonder what Tim's institution means when it says it uses 'Basic Authentication'.


Average of ratings: -