Welcome to the LedgerSMB Forums - Open Source accounting software

Installing on OpenBSD 4.5


I have not yet gotten LedgerSMB fully functional in chrooted Apache.
I intend to continue experimenting until I find a complete answer, but for now, please use:
# httpd -u
to start Apache.


Prepare Apache for use.


Make suexec setuid:
# chmod u+s /usr/sbin/suexec

Check the file /etc/fstab.
The /var partition is mounted nosuid (set-user-ID bits are ignored) by default:

/dev/wd0a / ffs rw 1 1
/dev/wd0d /tmp ffs rw,nodev,nosuid 1 2
/dev/wd0g /usr ffs rw,nodev 1 2
/dev/wd0f /var ffs rw,nodev,nosuid 1 2
/dev/wd0h /home ffs rw,nodev,nosuid 1 2

This will not allow Apache to function.
Change:

/dev/wd0f /var ffs rw,nodev,nosuid 1 2
to:
/dev/wd0f /var ffs rw,nodev 1 2

Edit /etc/rc.conf.local to have the following:
# use -u to disable chroot, see httpd(8)
httpd_flags="-u" # for normal use: "" (or "-DSSL" after reading ssl(8))


Reboot.
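
A check for the fstab change above, as an added example that is not part of the original post: it lists the filesystems that no longer carry nosuid and finds the setuid/setgid files on them. The function names are illustrative, and the sample fstab is constructed from the lines shown above.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are illustrative.

# Print the mount point of every ffs entry in an fstab-format file whose
# option field (column 4) lacks the given option.
#   $1 = path to fstab-format file   $2 = option name, e.g. nosuid
fstab_missing_opt() {
    awk -v opt="$2" '
        /^[ \t]*#/ || NF < 4 { next }   # skip comments and malformed lines
        $3 != "ffs"          { next }   # only local FFS filesystems
        {
            n = split($4, o, ",")
            found = 0
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
            if (!found) print $2
        }' "$1"
}

# List setuid/setgid regular files below a directory, staying on one filesystem.
list_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Constructed sample: the fstab shown in this post after the /var edit.
sample_fstab() {
    cat <<'EOF'
/dev/wd0a / ffs rw 1 1
/dev/wd0d /tmp ffs rw,nodev,nosuid 1 2
/dev/wd0g /usr ffs rw,nodev 1 2
/dev/wd0f /var ffs rw,nodev 1 2
/dev/wd0h /home ffs rw,nodev,nosuid 1 2
EOF
}

# Run the fstab check against the constructed sample.
demo_missing_nosuid() {
    tmp=$(mktemp) || return 1
    sample_fstab > "$tmp"
    fstab_missing_opt "$tmp" nosuid | paste -s -d ' ' -
    rm -f "$tmp"
}

demo_missing_nosuid
# On the real host (as root):
#   fstab_missing_opt /etc/fstab nosuid
#   list_setid_files /var
```

Anything list_setid_files reports under /var that you did not put there deliberately deserves a look, since the nosuid mount option no longer neutralizes it.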

Install Needed Packages

Postgresql

Specify a PKG_PATH. For OpenBSD 4.5, use a command similar to:

# export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.5/packages/i386/

Then add PostgreSQL server and client:

# pkg_add -i postgresql-server

This will add the server and will also add the client package.

You will get the message:
To use the PostgreSQL server you have to create a database first.

You find detailed instructions on how to install a database in the file
/usr/local/share/doc/postgresql/README.OpenBSD.

Which contains, as of 4.5:

Using PostgreSQL in an OpenBSD environment

At least two different accounts are involved when working with PostgreSQL: One is an OpenBSD userid, '_postgresql', which is used as the userid of files that are part of PostgreSQL. The other, usually named 'postgres', is not an OpenBSD userid, i.e. you will not find it in /etc/passwd, but an account internal to the database system. The 'postgres' account is called the dba account (database administrator) and is created when a new database is initialized using the initdb command.


If you are installing PostgreSQL for the first time, you have to create a default database first. In the following example we install a database in /var/postgresql/data with a dba account 'postgres' and md5 authentication. We will be prompted for a password to protect the dba account:

# su - _postgresql
$ mkdir /var/postgresql/data
$ initdb -D /var/postgresql/data -U postgres -A md5 -W

It is strongly advised that you do not work with the postgres dba account other than creating more users and/or databases or for administrative tasks. Use the PostgreSQL permission system to make sure that a database is only accessed by programs/users that have the right to do so.

Please consult the PostgreSQL website for more information, especially when you are upgrading an existing database installation.

Auto Start and Stop

To start PostgreSQL at boot and shut it down when the system shuts down, add the following lines to /etc/rc.local and /etc/rc.shutdown, respectively:

/etc/rc.local:

if [ -x /usr/local/bin/pg_ctl ]; then
        echo -n ' postgresql'
        su -l _postgresql -c "nohup /usr/local/bin/pg_ctl start \
            -D /var/postgresql/data -l /var/postgresql/logfile \
            -o '-D /var/postgresql/data' >/dev/null"
fi

/etc/rc.shutdown:

if [ -f /var/postgresql/data/postmaster.pid ]; then
        su -l _postgresql -c "/usr/local/bin/pg_ctl stop -m fast \
             -D /var/postgresql/data"
        rm -f /var/postgresql/data/postmaster.pid
fi

Network Connections and Tuning

To allow connections over TCP (and other options) edit the file:

/var/postgresql/data/postgresql.conf

and also edit the pg_hba.conf (in the same directory) making the appropriate changes to allow connection from your network.


The default sizes in the GENERIC kernel for SysV semaphores are not really large enough for a database with more than a handful of connections. A server running such a database should have at least the following in /etc/sysctl.conf:

        kern.seminfo.semmni=256
        kern.seminfo.semmns=2048

To serve a large number of connections (>250), you may also need to increase the maximum shared memory segment size, on the i386 try:

        kern.shminfo.shmmax=50331648    # this is 48MB.
                                        # default on i386 is 32MB
                                        # other archs will vary

These numbers should be tuned depending on system use. You will also need to tune the values in the postgresql.conf file to increase the number of connections to the backend.

By default, the _postgresql user, and so the postmaster and backend processes run in the login(1) class of "daemon". On a busy server, it may be advisable to put the _postgresql user and processes in their own login(1) class with tuned resources, such as more open file descriptors etc.

For example, add this to the login.conf(5) file:

        postgresql:\
                :openfiles-cur=768:\
                :tc=daemon:

Rebuild the login.conf.db file if necessary:

        # cap_mkdb /etc/login.conf

Change the login class with either vipw(8) or chsh(8).

For more than about 250 connections, these numbers should be increased. Please report any changes and experiences to the package maintainers so that we can update this file for future versions.

Kerberos authentication

By default the postgresql server requires its own krb5.keytab file. It should be readable only by the _postgresql user. The default location of the file is '/etc/postgresql/krb5.keytab' but is tunable by setting the krb_server_keyfile line in postgresql.conf.

To generate the keytab:


        # mkdir /etc/postgresql
        # ktutil -k /etc/postgresql/krb5.keytab get postgres/server.domain
        # chown _postgresql:_postgresql /etc/postgresql/krb5.keytab

Clients/Frontends

Many applications can use the PostgreSQL database right away. To facilitate administration of a PostgreSQL database, two clients are notable:

www/phppgadmin          A web based user interface that uses PHP5
databases/pgadmin3      A graphical user interface that uses wxWidgets

Follow the steps for creating a superuser - postgres - above.
You will need to enter a superuser password for postgres. This is NOT the same as the passwords you will use later on!
You should also add the sections to /etc/rc.local and /etc/rc.shutdown.
Note: Once you add the section to /etc/rc.shutdown, $ shutdown -hp now will no longer work!
You will need to use: $ sudo shutdown -hp now or else you cannot stop PostgreSQL server!

Now follow the instructions to start PostgreSQL server:

$ pg_ctl -D /var/postgresql/data -l logfile start
This step needs to be done while still operating as _postgresql user. Then you should exit as that user.
$ exit
You could also reboot if you wish to check that everything is working correctly in /etc/rc.local.

Add additional needed packages:

# pkg_add -i p5-DBI
# pkg_add -i p5-DBD-Pg
# pkg_add -i p5-MIME-Lite
# pkg_add -i p5-Class-Std
# pkg_add -i p5-HTML-Tagset
# pkg_add -i p5-Data-Dump
# pkg_add -i p5-Test-Tester
# pkg_add -i texlive_base
# pkg_add -i p5-Parse-RecDescent    # optional, for CLI host scripts

I think adding these may be helpful with CPAN. p5-YAML is not essential.
# pkg_add -i p5-YAML
# pkg_add -i ncftp
# pkg_add -i wget

Note: OpenBSD 4.5 does not offer Locale::Maketext::Lexicon at version 0.56+ (it is 0.47 through packages), so use cpan to install a later version.
OpenBSD 4.5 now has a recent enough version of Module::Build, so you no longer need to add that through CPAN.
# cpan
cpan> install Locale::Maketext::Lexicon
cpan> install Config::Std
cpan> install HTML::Entities
cpan> install Test::Trap

If this is your first time using cpan, it will send you through a manual setup dialog. Just answer everything as default unless you know of settings you need to change.

Some dependencies are only needed for specific functionality and may not be required in all circumstances. These include:

# cpan
cpan> install Net::TCLink
cpan> install HTML::LinkExtor

    * Net::TCLink for credit card processing in a POS environment

Install ledgersmb package

Put ledgersmb-1.2.18.tar.gz into /var/www/htdocs/
Untar:

# tar xzf ledgersmb-1.2.18.tar.gz


Most of the further steps depend on your being in the ledgersmb directory or they will fail. Please note that!

Dataset Creation

Known issues with OpenBSD: Dataset creation does not work on OpenBSD

Workaround: Create the database manually.

These instructions assume you are in the LedgerSMB root directory (/var/www/htdocs/ledgersmb/ by default).

  1. From the shell, create the database:

    $ createdb -U postgres lsmbdata

  2. Install PLPGSQL into that database:

    $ createlang -U postgres -d lsmbdata plpgsql

  3. Create a postgresql admin database role (or user), by convention named 'ledgersmb':

    $ createuser --no-superuser --createdb --no-createrole -U postgres --pwprompt --encrypted ledgersmb

    This will first ask for ledgersmb-user-password twice, then postgres-user-password once.
    The prompted password (referred to as ledgersmb-user-password) will later be used in the DBConnect: string in the configuration file 'ledgersmb.conf'.

    If you prefer to work in PostgreSQL's psql console, the equivalent SQL statement to create the ledgersmb role (user) is:

    => CREATE ROLE ledgersmb LOGIN PASSWORD 'ledgersmb-user-password' NOINHERIT CREATEDB;

    Further commands and database interaction should be conducted using the new LedgerSMB admin role 'ledgersmb'.

  4. Create a central user database, owned by the LedgerSMB admin role, 'ledgersmb':

    $ createdb -U ledgersmb -O ledgersmb ledgersmb

    The equivalent SQL statement is:

    => CREATE DATABASE ledgersmb WITH ENCODING='SQL_ASCII' OWNER=ledgersmb;

  5. Connect to the database:

    $ psql -U ledgersmb -d lsmbdata

  6. Import the Pg-database file:

    lsmbdata=> \i sql/Pg-database.sql

  7. Import the appropriate chart of accounts (these are all listed in the sql directory with file names ending in chart.sql). For this example, we will use Default-chart.sql, but if there is a local version you should use that:

    $ psql -U ledgersmb -d lsmbdata
    lsmbdata=> \i sql/Default-chart.sql


  8. If there is a local GIFI file (ending in -gifi.sql), for your chart, load that in the same way.

  9. It is very important that you perform the next step in the correct database.
    You may use the command:
    lsmbdata=> \c ledgersmb
    ledgersmb=> You are now connected to database "ledgersmb".


            -OR-

    You may use the commands:
    lsmbdata=> \q

    $ psql -U ledgersmb -d ledgersmb

  10. The SQL commands created a LedgerSMB-managed admin user, e.g. a row in the users and users_conf tables. You must now update the 'admin' user's password in users_conf from the default password.
    ledgersmb=> \i sql/Pg-central.sql
    ledgersmb=> UPDATE users_conf SET password = md5('ledgersmb-user-password') WHERE id = 1;


    (Change the password in the UPDATE statement to your preferred administrative password, referred to below as ledgersmb-password. It is separate from postgres-user-password, but can have the same spelling.)
    (Note: if you are security-aware enough to be using OpenBSD, you probably realize that having different passwords is a good thing, not a bad thing!)

    ledgersmb=> \q

  11. Edit the LEDGERPATH/ledgersmb.conf file:
    Copy 'ledgersmb.conf.default' to 'ledgersmb.conf'
    $ cp ledgersmb.conf.default ledgersmb.conf
    Make sure to set the section under [globaldb] to point to the central user and session database, using password ledgersmb-user-password:

    [globaldb]
    DBname = ledgersmb
    DBhost = 127.0.0.1
    # DBhost should be changed from localhost to 127.0.0.1 to avoid problems
    DBport = 5432
    DBUserName = ledgersmb
    DBPassword = ledgersmb-user-password


  12. Add configuration to Apache:

    I have not had any luck with using sh configure_apache.sh and ledgersmb-httpd.conf.
    It seems simpler to me to just create a user/group just for ledgersmb.
    Change the ledgersmb directory and files ownership to that user/group.

    DO NOT USE: $ sh configure_apache.sh
    One Correct Solution:

    # adduser lsmbuser
      Etc. ....
    # cat ledgersmb-httpd.conf | sed "s|WORKING_DIR|$(pwd)|" > /var/www/conf/modules/ledgersmb-httpd.conf
    # cd ..
    # chown -R lsmbuser:lsmbuser ledgersmb
    # cd ledgersmb

    Modify /var/www/conf/httpd.conf directly as I show below.
    All of this satisfies suexec's security requirements, which are wise, if not perfect.

  13. Here are my changes to httpd.conf:

    ServerType standalone
    ServerRoot "/var/www"
    PidFile logs/httpd.pid
    ScoreBoardFile logs/apache_runtime_status
    Timeout 300
    KeepAlive On
    MaxKeepAliveRequests 100
    KeepAliveTimeout 15
    MinSpareServers 5
    MaxSpareServers 10
    StartServers 5
    MaxClients 150
    MaxRequestsPerChild 0
    MaxCPUPerChild 0
    MaxDATAPerChild 0
    MaxNOFILEPerChild 0
    MaxRSSPerChild 0
    MaxSTACKPerChild 0
    Include /var/www/conf/modules/*.conf
    Port 80
    <IfDefine SSL>
    Listen 80
    Listen 443
    </IfDefine>
    User www
    Group www
    ServerAdmin you@your.address
    ServerName 127.0.0.1
    DocumentRoot "/var/www/htdocs"
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory "/var/www/htdocs">
        Options Indexes FollowSymLinks ExecCGI
    #Best to remove Indexes above if you don't need them.
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    UserDir disabled
    DirectoryIndex index.html
    AccessFileName .htaccess
    <Files .htaccess>
        Order allow,deny
        Deny from all
    </Files>
    UseCanonicalName On
    TypesConfig conf/mime.types
    DefaultType text/plain
    <IfModule mod_mime_magic.c>
        MIMEMagicFile conf/magic
    </IfModule>
    HostnameLookups Off
    ErrorLog logs/error_log
    LogLevel warn
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    LogFormat "%{Referer}i -> %U" referer
    LogFormat "%{User-agent}i" agent
    CustomLog logs/access_log common
    Alias /icons/ "/var/www/icons/"
    <Directory "/var/www/icons">
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    ScriptAlias /cgi-bin/ "/var/www/htdocs/cgi-bin/"
    <Directory "/var/www/cgi-bin">
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
    </Directory>
    IndexOptions FancyIndexing
    AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
    AddIconByType (TXT,/icons/text.gif) text/*
    AddIconByType (IMG,/icons/image2.gif) image/*
    AddIconByType (SND,/icons/sound2.gif) audio/*
    AddIconByType (VID,/icons/movie.gif) video/*
    AddIcon /icons/binary.gif .bin .exe
    AddIcon /icons/binhex.gif .hqx
    AddIcon /icons/tar.gif .tar
    AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
    AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
    AddIcon /icons/a.gif .ps .ai .eps
    AddIcon /icons/layout.gif .html .shtml .htm .pdf
    AddIcon /icons/text.gif .txt
    AddIcon /icons/c.gif .c
    AddIcon /icons/p.gif .pl .py
    AddIcon /icons/f.gif .for
    AddIcon /icons/dvi.gif .dvi
    AddIcon /icons/uuencoded.gif .uu
    AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
    AddIcon /icons/tex.gif .tex
    AddIcon /icons/bomb.gif core
    AddIcon /icons/back.gif ..
    AddIcon /icons/hand.right.gif README
    AddIcon /icons/folder.gif ^^DIRECTORY^^
    AddIcon /icons/blank.gif ^^BLANKICON^^
    DefaultIcon /icons/unknown.gif
    ReadmeName README
    HeaderName HEADER
    AddEncoding x-compress Z
    AddEncoding x-gzip gz
    AddLanguage en .en
    AddLanguage fr .fr
    AddLanguage de .de
    AddLanguage da .da
    AddLanguage el .el
    AddLanguage it .it
    LanguagePriority en fr de
    AddHandler cgi-script .cgi
    AddHandler cgi-script .pl
    BrowserMatch "Mozilla/2" nokeepalive
    BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
    BrowserMatch "RealPlayer 4\.0" force-response-1.0
    BrowserMatch "Java/1\.0" force-response-1.0
    BrowserMatch "JDK/1\.0" force-response-1.0
    <IfDefine SSL>
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl
    </IfDefine>
    <IfModule mod_ssl.c>
    SSLPassPhraseDialog  builtin
    SSLSessionCache         dbm:logs/ssl_scache
    SSLSessionCacheTimeout  300
    SSLMutex  sem
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    SSLRandomSeed startup file:/dev/arandom  512
    SSLLog      logs/ssl_engine_log
    SSLLogLevel info
    </IfModule>
    <IfDefine SSL>
    <VirtualHost _default_:443>
    DocumentRoot /var/www/htdocs
    ServerName new.host.name
    ServerAdmin you@your.address
    ErrorLog logs/error_log
    TransferLog logs/access_log
    SSLEngine on
    SSLCertificateFile    /etc/ssl/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    CustomLog logs/ssl_request_log \
      "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>                                  
    </IfDefine>
    
  14. Restart Apache.
    # apachectl stop
    # httpd -u

  15. Check Dependencies:

    The Build.PL script can be used to test for unmet dependencies and run other tests. It doesn't install anything yet, but it will tell you what you are missing. To check for dependencies, run:

    $ perl Build.PL

    Missing dependencies can generally be installed via pkg_add -i, or by CPAN. (Build.PL itself uses Module::Build.)

    Once this is done and dependencies are satisfied, you can check to see whether the installation nominally works by running:

    $ ./Build test

    The test suites currently check to make sure all the perl modules load and that a number of numeric tests are passed.

  16. Restart Apache.
    # apachectl stop; httpd -u

Create Datasets and Users

  Note:  'insert-your-hostname' probably equals '127.0.0.1' or 'localhost'
  1. Create Datasets:

    Browse to:  http://'insert-your-hostname'/ledgersmb/admin.pl

    Log in with 'ledgersmb-password'

    Select Pg Database Administration Button
    Create dataset(s) with:

    User: ledgersmb   Password: ledgersmb-password

    Superuser: postgres   Password: (postgres-password)

    Create one dataset (a PostgreSQL database) for each separate company which will use LedgerSMB for accounting, e.g.:

    Ledgeracme or ledgerbigco or smalltoysguy, etc.

  2. Create User(s) pointing to specific datasets (companies) from above:

    Browse to:  http://'insert-your-hostname'/ledgersmb/admin.pl

    Log in with 'ledgersmb-password'

    Select Add User Button
    Create user(s) pointing to a specific dataset (ledgeracme, etc.), each with their own password 'user-password', with database login information:

    User: ledgersmb
    Password: ledgersmb-password

    User: johndoe
    Password: user-johndoe-password

Congratulations, you have installed and configured LedgerSMB 1.2


Load the Accounting Program

Browse to:  http://'insert-your-hostname'/ledgersmb/login.pl

Enter a User Name and Password (This time you won't be using postgres or ledgersmb, but one of the created users.)

User: johndoe
Password: user-johndoe-password

Good Luck!! Enjoy!!

Last Updated May 30, 2009