2 files changed, 1652 insertions, 1548 deletions

diff --git a/distrib/gitblit.properties b/distrib/gitblit.properties
index ee050a48..3419e005 100644
--- a/distrib/gitblit.properties
+++ b/distrib/gitblit.properties
@@ -1,1169 +1,1189 @@
-#

-# Git Servlet Settings

-#

-

-# Base folder for repositories.

-# This folder may contain bare and non-bare repositories but Gitblit will only

-# allow you to push to bare repositories.

-# Use forward slashes even on Windows!!

-# e.g. c:/gitrepos

-#

-# SINCE 0.5.0

-# RESTART REQUIRED

-git.repositoriesFolder = git

-

-# Build the available repository list at startup and cache this list for reuse.

-# This reduces disk io when presenting the repositories page, responding to rpcs,

-# etc, but it means that  Gitblit will not automatically identify repositories

-# added or deleted by external tools.

-#

-# For this case you can use curl, wget, etc to issue an rpc request to clear the

-# cache (e.g. https://localhost/rpc?req=CLEAR_REPOSITORY_CACHE)

-#

-# SINCE 1.1.0

-git.cacheRepositoryList = true

-

-# Search the repositories folder subfolders for other repositories.

-# Repositories MAY NOT be nested (i.e. one repository within another)

-# but they may be grouped together in subfolders.

-# e.g. c:/gitrepos/libraries/mylibrary.git

-#      c:/gitrepos/libraries/myotherlibrary.git

-#

-# SINCE 0.5.0

-git.searchRepositoriesSubfolders = true

-

-# Maximum number of folders to recurse into when searching for repositories.

-# The default value, -1, disables depth limits.

-#

-# SINCE 1.1.0

-git.searchRecursionDepth = -1

-

-# List of regex exclusion patterns to match against folders found in

-# *git.repositoriesFolder*.

-# Use forward slashes even on Windows!!

-# e.g. test/jgit\.git

-#

-# SPACE-DELIMITED

-# CASE-SENSITIVE

-# SINCE 1.1.0

-git.searchExclusions =

-

-# List of regex url patterns for extracting a repository name when locating

-# submodules.

-#   e.g. git.submoduleUrlPatterns = .*?://github.com/(.*) will extract

-#   *gitblit/gitblit.git* from *git://github.com/gitblit/gitblit.git*

-# If no matches are found then the submodule repository name is assumed to be

-# whatever trails the last / character. (e.g. gitblit.git).

-#

-# SPACE-DELIMITED

-# CASE-SENSITIVE

-# SINCE 1.1.0

-git.submoduleUrlPatterns = .*?://github.com/(.*)

-

-# Allow push/pull over http/https with JGit servlet.

-# If you do NOT want to allow Git clients to clone/push to Gitblit set this

-# to false.  You might want to do this if you are only using ssh:// or git://.

-# If you set this false, consider changing the *web.otherUrls* setting to

-# indicate your clone/push urls.

-#

-# SINCE 0.5.0

-git.enableGitServlet = true

-

-# If you want to restrict all git servlet access to those with valid X509 client

-# certificates then set this value to true.

-#

-# SINCE 1.2.0

-git.requiresClientCertificate = false

-

-# Enforce date checks on client certificates to ensure that they are not being

-# used prematurely and that they have not expired.

-#

-# SINCE 1.2.0

-git.enforceCertificateValidity = true

-

-# List of OIDs to extract from a client certificate DN to map a certificate to

-# an account username.

-#

-# e.g. git.certificateUsernameOIDs = CN

-# e.g. git.certificateUsernameOIDs = FirstName LastName

-#

-# SPACE-DELIMITED

-# SINCE 1.2.0

-git.certificateUsernameOIDs = CN

-

-# Only serve/display bare repositories.

-# If there are non-bare repositories in git.repositoriesFolder and this setting

-# is true, they will be excluded from the ui. 

-#

-# SINCE 0.9.0

-git.onlyAccessBareRepositories = false

-

-# Allow an authenticated user to create a destination repository on a push if

-# the repository does not already exist.

-#

-# Administrator accounts can create a repository in any project.

-# These repositories are created with the default access restriction and authorization

-# control values.  The pushing account is set as the owner.

-#

-# Non-administrator accounts with the CREATE role may create personal repositories.

-# These repositories are created as VIEW restricted for NAMED users.

-# The pushing account is set as the owner.

-#

-# SINCE 1.2.0

-git.allowCreateOnPush = true

-

-# The default access restriction for new repositories.

-# Valid values are NONE, PUSH, CLONE, VIEW

-#  NONE = anonymous view, clone, & push

-#  PUSH = anonymous view & clone and authenticated push

-#  CLONE = anonymous view, authenticated clone & push

-#  VIEW = authenticated view, clone, & push

-#

-# SINCE 1.0.0

-git.defaultAccessRestriction = NONE

-

-# The default authorization control for new repositories.

-# Valid values are AUTHENTICATED and NAMED

-#  AUTHENTICATED = any authenticated user is granted restricted access

-#  NAMED = only named users/teams are granted restricted access

-#

-# SINCE 1.1.0

-git.defaultAuthorizationControl = NAMED

-

-# Enable JGit-based garbage collection. (!!EXPERIMENTAL!!)

-#

-# USE AT YOUR OWN RISK!

-#

-# If enabled, the garbage collection executor scans all repositories once a day

-# at the hour of your choosing.  The GC executor will take each repository "offline",

-# one-at-a-time, to check if the repository satisfies it's GC trigger requirements.

-#

-# While the repository is offline it will be inaccessible from the web UI or from

-# any of the other services (git, rpc, rss, etc).

-#

-# Gitblit's GC Executor MAY NOT PLAY NICE with the other Git kids on the block,

-# especially on Windows systems, so if you are using other tools please coordinate

-# their usage with your GC Executor schedule or do not use this feature.

-#

-# The GC algorithm complex and the JGit team advises caution when using their

-# young implementation of GC.

-#

-# http://wiki.eclipse.org/EGit/New_and_Noteworthy/2.1#Garbage_Collector_and_Repository_Storage_Statistics

-#

-# EXPERIMENTAL

-# SINCE 1.2.0

-# RESTART REQUIRED

-git.enableGarbageCollection = false

-

-# Hour of the day for the GC Executor to scan repositories.

-# This value is in 24-hour time.

-#

-# SINCE 1.2.0

-git.garbageCollectionHour = 0

-

-# The default minimum total filesize of loose objects to trigger early garbage

-# collection.

-#

-# You may specify a custom threshold for a repository in the repository's settings.

-# Common unit suffixes of k, m, or g are supported.

-#

-# SINCE 1.2.0

-git.defaultGarbageCollectionThreshold = 500k

-

-# The default period, in days, between GCs for a repository.  If the total filesize

-# of the loose object exceeds *git.garbageCollectionThreshold* or the repository's

-# custom threshold, this period will be short-circuited. 

-#

-# e.g. if a repository collects 100KB of loose objects every day with a 500KB

-# threshold and a period of 7 days, it will take 5 days for the loose objects to

-# be collected, packed, and pruned.

-#

-# OR

-#

-# if a repository collects 10KB of loose objects every day with a 500KB threshold

-# and a period of 7 days, it will take the full 7 days for the loose objects to be

-# collected, packed, and pruned.

-#

-# You may specify a custom period for a repository in the repository's settings.

-#

-# The minimum value is 1 day since the GC Executor only runs once a day.

-#

-# SINCE 1.2.0

-git.defaultGarbageCollectionPeriod = 7

-

-# Number of bytes of a pack file to load into memory in a single read operation.

-# This is the "page size" of the JGit buffer cache, used for all pack access

-# operations. All disk IO occurs as single window reads. Setting this too large

-# may cause the process to load more data than is required; setting this too small

-# may increase the frequency of read() system calls.

-#

-# Default on JGit is 8 KiB on all platforms.

-#

-# Common unit suffixes of k, m, or g are supported.

-# Documentation courtesy of the Gerrit project.

-#

-# SINCE 1.0.0

-# RESTART REQUIRED

-git.packedGitWindowSize = 8k

-

-# Maximum number of bytes to load and cache in memory from pack files. If JGit

-# needs to access more than this many bytes it will unload less frequently used

-# windows to reclaim memory space within the process. As this buffer must be shared

-# with the rest of the JVM heap, it should be a fraction of the total memory available.

-#

-# The JGit team recommends setting this value larger than the size of your biggest

-# repository. This ensures you can serve most requests from memory.

-#

-# Default on JGit is 10 MiB on all platforms.

-#

-# Common unit suffixes of k, m, or g are supported.

-# Documentation courtesy of the Gerrit project.

-#

-# SINCE 1.0.0

-# RESTART REQUIRED

-git.packedGitLimit = 10m

-

-# Maximum number of bytes to reserve for caching base objects that multiple deltafied

-# objects reference. By storing the entire decompressed base object in a cache Git

-# is able to avoid unpacking and decompressing frequently used base objects multiple times.

-#

-# Default on JGit is 10 MiB on all platforms. You probably do not need to adjust

-# this value.

-#

-# Common unit suffixes of k, m, or g are supported.

-# Documentation courtesy of the Gerrit project.

-#

-# SINCE 1.0.0

-# RESTART REQUIRED

-git.deltaBaseCacheLimit = 10m

-

-# Maximum number of pack files to have open at once. A pack file must be opened

-# in order for any of its data to be available in a cached window.

-#

-# If you increase this to a larger setting you may need to also adjust the ulimit

-# on file descriptors for the host JVM, as Gitblit needs additional file descriptors

-# available for network sockets and other repository data manipulation.

-#

-# Default on JGit is 128 file descriptors on all platforms.

-# Documentation courtesy of the Gerrit project.

-#

-# SINCE 1.0.0

-# RESTART REQUIRED

-git.packedGitOpenFiles = 128

-

-# Largest object size, in bytes, that JGit will allocate as a contiguous byte

-# array. Any file revision larger than this threshold will have to be streamed,

-# typically requiring the use of temporary files under $GIT_DIR/objects to implement

-# psuedo-random access during delta decompression.

-#

-# Servers with very high traffic should set this to be larger than the size of

-# their common big files. For example a server managing the Android platform

-# typically has to deal with ~10-12 MiB XML files, so 15 m would be a reasonable

-# setting in that environment. Setting this too high may cause the JVM to run out

-# of heap space when handling very big binary files, such as device firmware or

-# CD-ROM ISO images. Make sure to adjust your JVM heap accordingly. 

-#

-# Default is 50 MiB on all platforms.

-#

-# Common unit suffixes of k, m, or g are supported.

-# Documentation courtesy of the Gerrit project.

-#

-# SINCE 1.0.0

-# RESTART REQUIRED

-git.streamFileThreshold = 50m

-

-# When true, JGit will use mmap() rather than malloc()+read() to load data from

-# pack files.  The use of mmap can be problematic on some JVMs as the garbage

-# collector must deduce that a memory mapped segment is no longer in use before

-# a call to munmap() can be made by the JVM native code.

-#

-# In server applications (such as Gitblit) that need to access many pack files,

-# setting this to true risks artificially running out of virtual address space, 

-# as the garbage collector cannot reclaim unused mapped spaces fast enough.

-#

-# Default on JGit is false. Although potentially slower, it yields much more

-# predictable behavior.

-# Documentation courtesy of the Gerrit project.

-#

-# SINCE 1.0.0

-# RESTART REQUIRED

-git.packedGitMmap = false

-

-#

-# Groovy Integration

-#

-

-# Location of Groovy scripts to use for Pre and Post receive hooks.

-# Use forward slashes even on Windows!!

-# e.g. c:/groovy

-#

-# RESTART REQUIRED

-# SINCE 0.8.0

-groovy.scriptsFolder = groovy

-

-# Specify the directory Grape uses for downloading libraries.

-# http://groovy.codehaus.org/Grape

-#

-# RESTART REQUIRED

-# SINCE 1.0.0

-groovy.grapeFolder = groovy/grape

-

-# Scripts to execute on Pre-Receive.

-#

-# These scripts execute after an incoming push has been parsed and validated

-# but BEFORE the changes are applied to the repository.  You might reject a

-# push in this script based on the repository and branch the push is attempting

-# to change.

-#

-# Script names are case-sensitive on case-sensitive file systems.  You may omit

-# the traditional ".groovy" from this list if your file extension is ".groovy" 

-#

-# NOTE:

-# These scripts are only executed when pushing to *Gitblit*, not to other Git

-# tooling you may be using.  Also note that these scripts are shared between

-# repositories. These are NOT repository-specific scripts!  Within the script

-# you may customize the control-flow for a specific repository by checking the

-# *repository* variable.

-#

-# SPACE-DELIMITED

-# CASE-SENSITIVE

-# SINCE 0.8.0

-groovy.preReceiveScripts =

-

-# Scripts to execute on Post-Receive.

-#

-# These scripts execute AFTER an incoming push has been applied to a repository.

-# You might trigger a continuous-integration build here or send a notification.

-#

-# Script names are case-sensitive on case-sensitive file systems.  You may omit

-# the traditional ".groovy" from this list if your file extension is ".groovy" 

-#

-# NOTE:

-# These scripts are only executed when pushing to *Gitblit*, not to other Git

-# tooling you may be using.  Also note that these scripts are shared between

-# repositories. These are NOT repository-specific scripts!  Within the script

-# you may customize the control-flow for a specific repository by checking the

-# *repository* variable.

-# 

-# SPACE-DELIMITED

-# CASE-SENSITIVE

-# SINCE 0.8.0

-groovy.postReceiveScripts =

-

-# Repository custom fields for Groovy Hook mechanism

-#

-# List of key=label pairs of custom fields to prompt for in the Edit Repository

-# page.  These keys are stored in the repository's git config file in the 

-# section [gitblit "customFields"].  Key names are alphanumeric only.  These

-# fields are intended to be used for the Groovy hook mechanism where a script

-# can adjust it's execution based on the custom fields stored in the repository

-# config.

-#

-# e.g. "commitMsgRegex=Commit Message Regular Expression" anotherProperty=Another

-#

-# SPACE-DELIMITED

-# SINCE 1.0.0

-groovy.customFields = 

-

-#

-# Authentication Settings

-#

-

-# Require authentication to see everything but the admin pages

-#

-# SINCE 0.5.0

-# RESTART REQUIRED

-web.authenticateViewPages = false

-

-# Require admin authentication for the admin functions and pages

-#

-# SINCE 0.5.0

-# RESTART REQUIRED

-web.authenticateAdminPages = true

-

-# Allow Gitblit to store a cookie in the user's browser for automatic

-# authentication.  The cookie is generated by the user service.

-#

-# SINCE 0.5.0

-web.allowCookieAuthentication = true

-

-# Config file for storing project metadata

-#

-# SINCE 1.2.0

-web.projectsFile = projects.conf

-

-# Either the full path to a user config file (users.conf)

-# OR the full path to a simple user properties file (users.properties)

-# OR a fully qualified class name that implements the IUserService interface.

-#

-# Alternative user services:

-#    com.gitblit.LdapUserService

-#    com.gitblit.RedmineUserService

-#

-# Any custom user service implementation must have a public default constructor.

-#

-# SINCE 0.5.0

-# RESTART REQUIRED

-realm.userService = users.conf

-

-# How to store passwords.

-# Valid values are plain, md5, or combined-md5.  md5 is the hash of password.

-# combined-md5 is the hash of username.toLowerCase()+password.

-# Default is md5.

-#

-# SINCE 0.5.0 

-realm.passwordStorage = md5

-

-# Minimum valid length for a plain text password.

-# Default value is 5.  Absolute minimum is 4.

-#

-# SINCE 0.5.0 

-realm.minPasswordLength = 5

-

-#

-# Gitblit Web Settings

-#

-# If blank Gitblit is displayed.

-#

-# SINCE 0.5.0

-web.siteName =

-

-# If *web.authenticateAdminPages*=true, users with "admin" role can create

-# repositories, create users, and edit repository metadata.

-#

-# If *web.authenticateAdminPages*=false, any user can execute the aforementioned

-# functions. 

-#

-# SINCE 0.5.0 

-web.allowAdministration = true

-

-# Allows rpc clients to list repositories and possibly manage or administer the 

-# Gitblit server, if the authenticated account has administrator permissions.

-# See *web.enableRpcManagement* and *web.enableRpcAdministration*.

-#

-# SINCE 0.7.0 

-web.enableRpcServlet = true

-

-# Allows rpc clients to manage repositories and users of the Gitblit instance,

-# if the authenticated account has administrator permissions.

-# Requires *web.enableRpcServlet=true*.

-#

-# SINCE 0.7.0 

-web.enableRpcManagement = false

-

-# Allows rpc clients to control the server settings and monitor the health of this

-# this Gitblit instance, if the authenticated account has administrator permissions.

-# Requires *web.enableRpcServlet=true* and *web.enableRpcManagement*.

-#

-# SINCE 0.7.0 

-web.enableRpcAdministration = false

-

-# Full path to a configurable robots.txt file.  With this file you can control

-# what parts of your Gitblit server respectable robots are allowed to traverse.

-# http://googlewebmastercentral.blogspot.com/2008/06/improving-on-robots-exclusion-protocol.html

-#

-# SINCE 1.0.0

-web.robots.txt = 

-

-# If true, the web ui layout will respond and adapt to the browser's dimensions.

-# if false, the web ui will use a 940px fixed-width layout.

-# http://twitter.github.com/bootstrap/scaffolding.html#responsive

-#

-# SINCE 1.0.0

-web.useResponsiveLayout = true

-

-# Allow Gravatar images to be displayed in Gitblit pages.

-#

-# SINCE 0.8.0

-web.allowGravatar = true

-

-# Allow dynamic zip downloads.

-#

-# SINCE 0.5.0   

-web.allowZipDownloads = true

-

-# Allow optional Lucene integration. Lucene indexing is an opt-in feature.

-# A repository may specify branches to index with Lucene instead of using Git

-# commit traversal. There are scenarios where you may want to completely disable

-# Lucene indexing despite a repository specifying indexed branches.  One such

-# scenario is on a resource-constrained federated Gitblit mirror.

-#

-# SINCE 0.9.0

-web.allowLuceneIndexing = true

-

-# Controls the length of shortened commit hash ids

-#

-# SINCE 1.2.0

-web.shortCommitIdLength = 6

-

-# Use Clippy (Flash solution) to provide a copy-to-clipboard button.

-# If false, a button with a more primitive JavaScript-based prompt box will

-# offer a 3-step (click, ctrl+c, enter) copy-to-clipboard alternative.

-#

-# SINCE 0.8.0

-web.allowFlashCopyToClipboard = true

-

-# Default number of entries to include in RSS Syndication links

-#

-# SINCE 0.5.0

-web.syndicationEntries = 25

-

-# Show the size of each repository on the repositories page.

-# This requires recursive traversal of each repository folder.  This may be

-# non-performant on some operating systems and/or filesystems. 

-#

-# SINCE 0.5.2

-web.showRepositorySizes = true

-

-# List of custom regex expressions that can be displayed in the Filters menu

-# of the Repositories and Activity pages.  Keep them very simple because you

-# are likely to run into encoding issues if they are too complex.

-#

-# Use !!! to separate the filters 

-#

-# SINCE 0.8.0

-web.customFilters =

-

-# Show federation registrations (without token) and the current pull status

-# to non-administrator users. 

-#

-# SINCE 0.6.0

-web.showFederationRegistrations = false

-

-# This is the message displayed when *web.authenticateViewPages=true*.

-# This can point to a file with Markdown content.

-# Specifying "gitblit" uses the internal login message.

-#

-# SINCE 0.7.0

-web.loginMessage = gitblit

-

-# This is the message displayed above the repositories table.

-# This can point to a file with Markdown content.

-# Specifying "gitblit" uses the internal welcome message.

-#

-# SINCE 0.5.0

-web.repositoriesMessage = gitblit

-

-# Ordered list of charsets/encodings to use when trying to display a blob.

-# If empty, UTF-8 and ISO-8859-1 are used.  The server's default charset

-# is always appended to the encoding list.  If all encodings fail to cleanly

-# decode the blob content, UTF-8 will be used with the standard malformed

-# input/unmappable character replacement strings.

-# 

-# SPACE-DELIMITED

-# SINCE 1.0.0

-web.blobEncodings = UTF-8 ISO-8859-1

-

-# Manually set the default timezone to be used by Gitblit for display in the 

-# web ui.  This value is independent of the JVM timezone.  Specifying a blank

-# value will default to the JVM timezone.

-# e.g. America/New_York, US/Pacific, UTC, Europe/Berlin

-#

-# SINCE 0.9.0

-# RESTART REQUIRED

-web.timezone =

-

-# Use the client timezone when formatting dates.

-# This uses AJAX to determine the browser's timezone and may require more

-# server overhead because a Wicket session is created.  All Gitblit pages

-# attempt to be stateless, if possible.

-#

-# SINCE 0.5.0

-# RESTART REQUIRED

-web.useClientTimezone = false

-

-# Time format

-# <http://download.oracle.com/javase/6/docs/api/java/text/SimpleDateFormat.html>

-#

-# SINCE 0.8.0

-web.timeFormat = HH:mm

-

-# Short date format

-# <http://download.oracle.com/javase/6/docs/api/java/text/SimpleDateFormat.html>

-#

-# SINCE 0.5.0

-web.datestampShortFormat = yyyy-MM-dd

-

-# Long date format

-#

-# SINCE 0.8.0

-web.datestampLongFormat = EEEE, MMMM d, yyyy

-

-# Long timestamp format

-# <http://download.oracle.com/javase/6/docs/api/java/text/SimpleDateFormat.html>

-#

-# SINCE 0.5.0

-web.datetimestampLongFormat = EEEE, MMMM d, yyyy HH:mm Z

-

-# Mount URL parameters

-# This setting controls if pretty or parameter URLs are used.

-# i.e.

-# if true:

-#     http://localhost/commit/myrepo/abcdef

-# if false:

-#     http://localhost/commit/?r=myrepo&h=abcdef

-#

-# SINCE 0.5.0

-# RESTART REQUIRED

-web.mountParameters = true

-

-# Some servlet containers (e.g. Tomcat >= 6.0.10) disallow '/' (%2F) encoding

-# in URLs as a security precaution for proxies.  This setting tells Gitblit

-# to preemptively replace '/' with '*' or '!' for url string parameters.

-#

-# <https://issues.apache.org/jira/browse/WICKET-1303>

-# <http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.10>

-# Add *-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true* to your

-# *CATALINA_OPTS* or to your JVM launch parameters

-#

-# SINCE 0.5.2

-web.forwardSlashCharacter = /

-

-# Show other URLs on the summary page for accessing your git repositories

-# Use spaces to separate urls. {0} is the token for the repository name.

-# e.g.

-# web.otherUrls = ssh://localhost/git/{0} git://localhost/git/{0}

-#

-# SPACE-DELIMITED

-# SINCE 0.5.0

-web.otherUrls = 

-

-# Choose how to present the repositories list.

-#   grouped = group nested/subfolder repositories together (no sorting)

-#   flat = flat list of repositories (sorting allowed)

-#

-# SINCE 0.5.0

-web.repositoryListType = grouped

-

-# If using a grouped repository list and there are repositories at the

-# root level of your repositories folder, you may specify the displayed

-# group name with this setting.  This value is only used for web presentation.

-#

-# SINCE 0.5.0

-web.repositoryRootGroupName = main

-

-# Display the repository swatch color next to the repository name link in the 

-# repositories list. 

-#

-# SINCE 0.8.0

-web.repositoryListSwatches = true

-

-# Choose the diff presentation style: gitblt, gitweb, or plain

-#

-# SINCE 0.5.0

-web.diffStyle = gitblit

-

-# Control if email addresses are shown in web ui

-#

-# SINCE 0.5.0

-web.showEmailAddresses = true

-

-# Shows a combobox in the page links header with commit, committer, and author

-# search selection.  Default search is commit.

-#

-# SINCE 0.5.0

-web.showSearchTypeSelection = false

-

-# Generates a line graph of repository activity over time on the Summary page.

-# This uses the Google Charts API.

-#

-# SINCE 0.5.0 

-web.generateActivityGraph = true

-

-# The number of days to show on the activity page.

-# Value must exceed 0 else default of 14 is used

-#

-# SINCE 0.8.0

-web.activityDuration = 14

-

-# The number of commits to display on the summary page

-# Value must exceed 0 else default of 20 is used

-#

-# SINCE 0.5.0

-web.summaryCommitCount = 16

-

-# The number of tags/branches to display on the summary page.

-# -1 = all tags/branches

-# 0 = hide tags/branches

-# N = N tags/branches

-#

-# SINCE 0.5.0

-web.summaryRefsCount = 5

-

-# The number of items to show on a page before showing the first, prev, next

-# pagination links.  A default if 50 is used for any invalid value.

-#

-# SINCE 0.5.0

-web.itemsPerPage = 50

-

-# Registered file extensions to ignore during Lucene indexing

-#

-# SPACE-DELIMITED

-# SINCE 0.9.0

-web.luceneIgnoreExtensions = 7z arc arj bin bmp dll doc docx exe gif gz jar jpg lib lzh odg odf odt pdf ppt png so swf xcf xls xlsx zip

-

-# Registered extensions for google-code-prettify

-#

-# SPACE-DELIMITED

-# SINCE 0.5.0

-web.prettyPrintExtensions = c cpp cs css frm groovy htm html java js php pl prefs properties py rb scala sh sql xml vb

-

-# Registered extensions for markdown transformation

-#

-# SPACE-DELIMITED

-# CASE-SENSITIVE

-# SINCE 0.5.0

-web.markdownExtensions = md mkd markdown MD MKD

-

-# Image extensions

-#

-# SPACE-DELIMITED

-# SINCE 0.5.0

-web.imageExtensions = bmp jpg gif png 

-

-# Registered extensions for binary blobs

-#

-# SPACE-DELIMITED

-# SINCE 0.5.0

-web.binaryExtensions = jar pdf tar.gz zip

-

-# Aggressive heap management will run the garbage collector on every generated

-# page.  This slows down page generation a little but improves heap consumption. 

-#

-# SINCE 0.5.0

-web.aggressiveHeapManagement = false

-

-# Run the webapp in debug mode

-#

-# SINCE 0.5.0

-# RESTART REQUIRED

-web.debugMode = false

-

-# Enable/disable global regex substitutions (i.e. shared across repositories)

-#

-# SINCE 0.5.0

-regex.global = true

-

-# Example global regex substitutions

-# Use !!! to separate the search pattern and the replace pattern

-# searchpattern!!!replacepattern

-# SINCE 0.5.0

-regex.global.bug = \\b(Bug:)(\\s*[#]?|-){0,1}(\\d+)\\b!!!<a href="http://somehost/bug/$3">Bug-Id: $3</a>

-# SINCE 0.5.0

-regex.global.changeid = \\b(Change-Id:\\s*)([A-Za-z0-9]*)\\b!!!<a href="http://somehost/changeid/$2">Change-Id: $2</a>

-

-# Example per-repository regex substitutions overrides global

-# SINCE 0.5.0

-regex.myrepository.bug = \\b(Bug:)(\\s*[#]?|-){0,1}(\\d+)\\b!!!<a href="http://elsewhere/bug/$3">Bug-Id: $3</a>

-

-#

-# Mail Settings

-# SINCE 0.6.0

-#

-# Mail settings are used to notify administrators of received federation proposals

-#

-

-# ip or hostname of smtp server

-#

-# SINCE 0.6.0

-mail.server =

-

-# port to use for smtp requests

-#

-# SINCE 0.6.0

-mail.port = 25

-

-# debug the mail executor

-#

-# SINCE 0.6.0

-mail.debug = false

-

-# if your smtp server requires authentication, supply the credentials here

-#

-# SINCE 0.6.0

-mail.username =

-# SINCE 0.6.0

-mail.password =

-

-# from address for generated emails

-#

-# SINCE 0.6.0

-mail.fromAddress = 

-

-# List of email addresses for the Gitblit administrators

-#

-# SPACE-DELIMITED

-# SINCE 0.6.0

-mail.adminAddresses = 

-

-# List of email addresses for sending push email notifications.

-#

-# This key currently requires use of the sendemail.groovy hook script.

-# If you set sendemail.groovy in *groovy.postReceiveScripts* then email

-# notifications for all repositories (regardless of access restrictions!)

-# will be sent to these addresses.

-#

-# SPACE-DELIMITED

-# SINCE 0.8.0

-mail.mailingLists =

-

-#

-# Federation Settings

-# SINCE 0.6.0

-#

-# A Gitblit federation is a way to backup one Gitblit instance to another.

-#

-# *git.enableGitServlet* must be true to use this feature.

-

-# Your federation name is used for federation status acknowledgments.  If it is

-# unset, and you elect to send a status acknowledgment, your Gitblit instance

-# will be identified by its hostname, if available, else your internal ip address.

-# The source Gitblit instance will also append your external IP address to your

-# identification to differentiate multiple pulling systems behind a single proxy.

-#

-# SINCE 0.6.0

-federation.name =

-

-# Specify the passphrase of this Gitblit instance.

-#

-# An unspecified (empty) passphrase disables processing federation requests.

-#

-# This value can be anything you want: an integer, a sentence, an haiku, etc.

-# Keep the value simple, though, to avoid Java properties file encoding issues.

-#

-# Changing your passphrase will break any registrations you have established with other

-# Gitblit instances.

-#

-# CASE-SENSITIVE

-# SINCE 0.6.0

-# RESTART REQUIRED *(only to enable or disable federation)*

-federation.passphrase =

-

-# Control whether or not this Gitblit instance can receive federation proposals

-# from another Gitblit instance.  Registering a federated Gitblit is a manual

-# process.  Proposals help to simplify that process by allowing a remote Gitblit

-# instance to send your Gitblit instance the federation pull data.

-#

-# SINCE 0.6.0

-federation.allowProposals = false

-

-# The destination folder for cached federation proposals.

-# Use forward slashes even on Windows!!

-#

-# SINCE 0.6.0

-federation.proposalsFolder = proposals

-

-# The default pull frequency if frequency is unspecified on a registration

-#

-# SINCE 0.6.0

-federation.defaultFrequency = 60 mins

-

-# Federation Sets are named groups of repositories.  The Federation Sets are 

-# available for selection in the repository settings page.  You can assign a

-# repository to one or more sets and then distribute the token for the set.

-# This allows you to grant federation pull access to a subset of your available

-# repositories.  Tokens for federation sets only grant repository pull access.

-#

-# SPACE-DELIMITED

-# CASE-SENSITIVE

-# SINCE 0.6.0

-federation.sets = 

-

-# Federation pull registrations

-# Registrations are read once, at startup.

-#

-# RESTART REQUIRED

-#

-# frequency:

-#   The shortest frequency allowed is every 5 minutes

-#   Decimal frequency values are cast to integers

-#   Frequency values may be specified in mins, hours, or days

-#   Values that can not be parsed or are unspecified default to *federation.defaultFrequency*

-#

-# folder:

-#   if unspecified, the folder is *git.repositoriesFolder*

-#   if specified, the folder is relative to *git.repositoriesFolder*

-#

-# bare:

-#   if true, each repository will be created as a *bare* repository and will not

-#   have a working directory.

-#

-#   if false, each repository will be created as a normal repository suitable

-#   for local work.

-#

-# mirror:

-#   if true, each repository HEAD is reset to *origin/master* after each pull.

-#   The repository will be flagged *isFrozen* after the initial clone.

-#

-#   if false, each repository HEAD will point to the FETCH_HEAD of the initial

-#   clone from the origin until pushed to or otherwise manipulated.

-#

-# mergeAccounts:

-#   if true, remote accounts and their permissions are merged into your 

-#   users.properties file 

-#

-# notifyOnError:

-#   if true and the mail configuration is properly set, administrators will be

-#   notified by email of pull failures

-#

-# include and exclude:

-#   Space-delimited list of repositories to include or exclude from pull

-#   may be * wildcard to include or exclude all

-#   may use fuzzy match (e.g. org.eclipse.*)

-

-#

-# (Nearly) Perfect Mirror example

-#

-

-#federation.example1.url = https://go.gitblit.com

-#federation.example1.token = 6f3b8a24bf970f17289b234284c94f43eb42f0e4

-#federation.example1.frequency = 120 mins

-#federation.example1.folder =

-#federation.example1.bare = true 

-#federation.example1.mirror = true 

-#federation.example1.mergeAccounts = true

-

-#

-# Advanced Realm Settings

-#

-

-# URL of the LDAP server.

-# To use encrypted transport, use either ldaps:// URL for SSL or ldap+tls:// to

-# send StartTLS command.

-#

-# SINCE 1.0.0

-realm.ldap.server = ldap://localhost

-

-# Login username for LDAP searches.

-# If this value is unspecified, anonymous LDAP login will be used.

-# 

-# e.g. mydomain\\username

-#

-# SINCE 1.0.0

-realm.ldap.username = cn=Directory Manager

-

-# Login password for LDAP searches.

-#

-# SINCE 1.0.0

-realm.ldap.password = password

-

-# The LdapUserService must be backed by another user service for standard user

-# and team management.

-# default: users.conf

-#

-# SINCE 1.0.0

-# RESTART REQUIRED

-realm.ldap.backingUserService = users.conf

-

-# Delegate team membership control to LDAP.

-#

-# If true, team user memberships will be specified by LDAP groups.  This will

-# disable team selection in Edit User and user selection in Edit Team.

-#

-# If false, LDAP will only be used for authentication and Gitblit will maintain

-# team memberships with the *realm.ldap.backingUserService*.

-#

-# SINCE 1.0.0

-realm.ldap.maintainTeams = false

-

-# Root node for all LDAP users

-#

-# This is the root node from which subtree user searches will begin.

-# If blank, Gitblit will search ALL nodes.

-#

-# SINCE 1.0.0

-realm.ldap.accountBase = OU=Users,OU=UserControl,OU=MyOrganization,DC=MyDomain

-

-# Filter criteria for LDAP users

-#

-# Query pattern to use when searching for a user account. This may be any valid 

-# LDAP query expression, including the standard (&) and (|) operators.

-#

-# Variables may be injected via the ${variableName} syntax.

-# Recognized variables are:

-#    ${username} - The text entered as the user name

-#

-# SINCE 1.0.0

-realm.ldap.accountPattern = (&(objectClass=person)(sAMAccountName=${username}))

-

-# Root node for all LDAP groups to be used as Gitblit Teams

-#

-# This is the root node from which subtree team searches will begin.

-# If blank, Gitblit will search ALL nodes.  

-#

-# SINCE 1.0.0

-realm.ldap.groupBase = OU=Groups,OU=UserControl,OU=MyOrganization,DC=MyDomain

-

-# Filter criteria for LDAP groups

-#

-# Query pattern to use when searching for a team. This may be any valid 

-# LDAP query expression, including the standard (&) and (|) operators.

-#

-# Variables may be injected via the ${variableName} syntax.

-# Recognized variables are:

-#    ${username} - The text entered as the user name

-#    ${dn} - The Distinguished Name of the user logged in

-#

-# All attributes from the LDAP User record are available. For example, if a user

-# has an attribute "fullName" set to "John", "(fn=${fullName})" will be 

-# translated to "(fn=John)".

-#

-# SINCE 1.0.0

-realm.ldap.groupMemberPattern = (&(objectClass=group)(member=${dn}))

-

-# LDAP users or groups that should be given administrator privileges.

-#

-# Teams are specified with a leading '@' character.  Groups with spaces in the

-# name can be entered as "@team name".

-#

-# e.g. realm.ldap.admins = john @git_admins "@git admins"

-#

-# SPACE-DELIMITED

-# SINCE 1.0.0

-realm.ldap.admins = @Git_Admins

-

-# Attribute(s) on the USER record that indicate their display (or full) name.

-# Leave blank for no mapping available in LDAP.

-#

-# This may be a single attribute, or a string of multiple attributes.  Examples:

-#  displayName - Uses the attribute 'displayName' on the user record

-#  ${personalTitle}. ${givenName} ${surname} - Will concatenate the 3 

-#       attributes together, with a '.' after personalTitle

-#

-# SINCE 1.0.0

-realm.ldap.displayName = displayName

-

-# Attribute(s) on the USER record that indicate their email address.

-# Leave blank for no mapping available in LDAP.

-#

-# This may be a single attribute, or a string of multiple attributes.  Examples:

-#  email - Uses the attribute 'email' on the user record

-#  ${givenName}.${surname}@gitblit.com -Will concatenate the 2 attributes

-#       together with a '.' and '@' creating something like first.last@gitblit.com 

-#

-# SINCE 1.0.0

-realm.ldap.email = email

-

-# The RedmineUserService must be backed by another user service for standard user

-# and team management.

-# default: users.conf

-#

-# RESTART REQUIRED

-realm.redmine.backingUserService = users.conf

-

-# URL of the Redmine.

-realm.redmine.url = http://example.com/redmine

-

-#

-# Server Settings

-#

-

-# The temporary folder to decompress the embedded gitblit webapp. 

-#

-# SINCE 0.5.0

-# RESTART REQUIRED

-server.tempFolder = temp

-

-# Use Jetty NIO connectors.  If false, Jetty Socket connectors will be used.

-#

-# SINCE 0.5.0

-# RESTART REQUIRED

-server.useNio = true

-

-# Context path for the GO application.  You might want to change the context

-# path if running Gitblit behind a proxy layer such as mod_proxy.

-#

-# SINCE 0.7.0

-# RESTART REQUIRED

-server.contextPath = /

-

-# Standard http port to serve.  <= 0 disables this connector.

-# On Unix/Linux systems, ports < 1024 require root permissions.

-# Recommended value: 80 or 8080

-#

-# SINCE 0.5.0

-# RESTART REQUIRED

-server.httpPort = 0

-

-# Secure/SSL https port to serve. <= 0 disables this connector.

-# On Unix/Linux systems, ports < 1024 require root permissions.

-# Recommended value: 443 or 8443

-#

-# SINCE 0.5.0

-# RESTART REQUIRED

-server.httpsPort = 8443

-

-# Port for serving an Apache JServ Protocol (AJP) 1.3 connector for integrating

-# Gitblit GO into an Apache HTTP server setup.  <= 0 disables this connector.

-# Recommended value: 8009

-#

-# SINCE 0.9.0

-# RESTART REQUIRED

-server.ajpPort = 0

-

-# Specify the interface for Jetty to bind the standard connector.

-# You may specify an ip or an empty value to bind to all interfaces.

-# Specifying localhost will result in Gitblit ONLY listening to requests to

-# localhost.

-#

-# SINCE 0.5.0

-# RESTART REQUIRED

-server.httpBindInterface = localhost

-

-# Specify the interface for Jetty to bind the secure connector.

-# You may specify an ip or an empty value to bind to all interfaces.

-# Specifying localhost will result in Gitblit ONLY listening to requests to

-# localhost.

-#

-# SINCE 0.5.0

-# RESTART REQUIRED

-server.httpsBindInterface = localhost

-

-# Specify the interface for Jetty to bind the AJP connector.

-# You may specify an ip or an empty value to bind to all interfaces.

-# Specifying localhost will result in Gitblit ONLY listening to requests to

-# localhost.

-#

-# SINCE 0.9.0

-# RESTART REQUIRED

-server.ajpBindInterface = localhost

-

-# Password for SSL keystore.

-# Keystore password and certificate password must match.

-# This is provided for convenience, its probably more secure to set this value

-# using the --storePassword command line parameter.

-#

-# If you are using the official JRE or JDK from Oracle you may not have the

-# JCE Unlimited Strength Jurisdiction Policy files bundled with your JVM.  Because

-# of this, your store/key password can not exceed 7 characters.  If you require

-# longer passwords you may need to install the JCE Unlimited Strength Jurisdiction

-# Policy files from Oracle.

-#

-# http://www.oracle.com/technetwork/java/javase/downloads/index.html

-#

-# Gitblit and the Gitblit Certificate Authority will both indicate if Unlimited

-# Strength encryption is available.

-#

-# SINCE 0.5.0

-# RESTART REQUIRED

-server.storePassword = gitblit

-

-# If serving over https (recommended) you might consider requiring clients to

-# authenticate with ssl certificates.  If enabled, only https clients with the

-# a valid client certificate will be able to access Gitblit.

-#

-# If disabled, client certificate authentication is optional and will be tried

-# first before falling-back to form authentication or basic authentication.

-#

-# Requiring client certificates to access any of Gitblit may be too extreme,

-# consider this carefully.

-#

-# SINCE 1.2.0

-# RESTART REQUIRED

-server.requireClientCertificates = false

-

-# Port for shutdown monitor to listen on.

-#

-# SINCE 0.5.0

-# RESTART REQUIRED

-server.shutdownPort = 8081
\ No newline at end of file
+#
+# Git Servlet Settings
+#
+
+# Base folder for repositories.
+# This folder may contain bare and non-bare repositories but Gitblit will only
+# allow you to push to bare repositories.
+# Use forward slashes even on Windows!!
+# e.g. c:/gitrepos
+#
+# SINCE 0.5.0
+# RESTART REQUIRED
+git.repositoriesFolder = git
+
+# Build the available repository list at startup and cache this list for reuse.
+# This reduces disk io when presenting the repositories page, responding to rpcs,
+# etc, but it means that  Gitblit will not automatically identify repositories
+# added or deleted by external tools.
+#
+# For this case you can use curl, wget, etc to issue an rpc request to clear the
+# cache (e.g. https://localhost/rpc?req=CLEAR_REPOSITORY_CACHE)
+#
+# SINCE 1.1.0
+git.cacheRepositoryList = true
+
+# Search the repositories folder subfolders for other repositories.
+# Repositories MAY NOT be nested (i.e. one repository within another)
+# but they may be grouped together in subfolders.
+# e.g. c:/gitrepos/libraries/mylibrary.git
+#      c:/gitrepos/libraries/myotherlibrary.git
+#
+# SINCE 0.5.0
+git.searchRepositoriesSubfolders = true
+
+# Maximum number of folders to recurse into when searching for repositories.
+# The default value, -1, disables depth limits.
+#
+# SINCE 1.1.0
+git.searchRecursionDepth = -1
+
+# List of regex exclusion patterns to match against folders found in
+# *git.repositoriesFolder*.
+# Use forward slashes even on Windows!!
+# e.g. test/jgit\.git
+#
+# SPACE-DELIMITED
+# CASE-SENSITIVE
+# SINCE 1.1.0
+git.searchExclusions =
+
+# List of regex url patterns for extracting a repository name when locating
+# submodules.
+#   e.g. git.submoduleUrlPatterns = .*?://github.com/(.*) will extract
+#   *gitblit/gitblit.git* from *git://github.com/gitblit/gitblit.git*
+# If no matches are found then the submodule repository name is assumed to be
+# whatever trails the last / character. (e.g. gitblit.git).
+#
+# SPACE-DELIMITED
+# CASE-SENSITIVE
+# SINCE 1.1.0
+git.submoduleUrlPatterns = .*?://github.com/(.*)
+
+# Allow push/pull over http/https with JGit servlet.
+# If you do NOT want to allow Git clients to clone/push to Gitblit set this
+# to false.  You might want to do this if you are only using ssh:// or git://.
+# If you set this false, consider changing the *web.otherUrls* setting to
+# indicate your clone/push urls.
+#
+# SINCE 0.5.0
+git.enableGitServlet = true
+
+# If you want to restrict all git servlet access to those with valid X509 client
+# certificates then set this value to true.
+#
+# SINCE 1.2.0
+git.requiresClientCertificate = false
+
+# Enforce date checks on client certificates to ensure that they are not being
+# used prematurely and that they have not expired.
+#
+# SINCE 1.2.0
+git.enforceCertificateValidity = true
+
+# List of OIDs to extract from a client certificate DN to map a certificate to
+# an account username.
+#
+# e.g. git.certificateUsernameOIDs = CN
+# e.g. git.certificateUsernameOIDs = FirstName LastName
+#
+# SPACE-DELIMITED
+# SINCE 1.2.0
+git.certificateUsernameOIDs = CN
+
+# Only serve/display bare repositories.
+# If there are non-bare repositories in git.repositoriesFolder and this setting
+# is true, they will be excluded from the ui.
+#
+# SINCE 0.9.0
+git.onlyAccessBareRepositories = false
+
+# Allow an authenticated user to create a destination repository on a push if
+# the repository does not already exist.
+#
+# Administrator accounts can create a repository in any project.
+# These repositories are created with the default access restriction and authorization
+# control values.  The pushing account is set as the owner.
+#
+# Non-administrator accounts with the CREATE role may create personal repositories.
+# These repositories are created as VIEW restricted for NAMED users.
+# The pushing account is set as the owner.
+#
+# SINCE 1.2.0
+git.allowCreateOnPush = true
+
+# The default access restriction for new repositories.
+# Valid values are NONE, PUSH, CLONE, VIEW
+#  NONE = anonymous view, clone, & push
+#  PUSH = anonymous view & clone and authenticated push
+#  CLONE = anonymous view, authenticated clone & push
+#  VIEW = authenticated view, clone, & push
+#
+# SINCE 1.0.0
+git.defaultAccessRestriction = NONE
+
+# The default authorization control for new repositories.
+# Valid values are AUTHENTICATED and NAMED
+#  AUTHENTICATED = any authenticated user is granted restricted access
+#  NAMED = only named users/teams are granted restricted access
+#
+# SINCE 1.1.0
+git.defaultAuthorizationControl = NAMED
+
+# Enable JGit-based garbage collection. (!!EXPERIMENTAL!!)
+#
+# USE AT YOUR OWN RISK!
+#
+# If enabled, the garbage collection executor scans all repositories once a day
+# at the hour of your choosing.  The GC executor will take each repository "offline",
+# one-at-a-time, to check if the repository satisfies it's GC trigger requirements.
+#
+# While the repository is offline it will be inaccessible from the web UI or from
+# any of the other services (git, rpc, rss, etc).
+#
+# Gitblit's GC Executor MAY NOT PLAY NICE with the other Git kids on the block,
+# especially on Windows systems, so if you are using other tools please coordinate
+# their usage with your GC Executor schedule or do not use this feature.
+#
+# The GC algorithm complex and the JGit team advises caution when using their
+# young implementation of GC.
+#
+# http://wiki.eclipse.org/EGit/New_and_Noteworthy/2.1#Garbage_Collector_and_Repository_Storage_Statistics
+#
+# EXPERIMENTAL
+# SINCE 1.2.0
+# RESTART REQUIRED
+git.enableGarbageCollection = false
+
+# Hour of the day for the GC Executor to scan repositories.
+# This value is in 24-hour time.
+#
+# SINCE 1.2.0
+git.garbageCollectionHour = 0
+
+# The default minimum total filesize of loose objects to trigger early garbage
+# collection.
+#
+# You may specify a custom threshold for a repository in the repository's settings.
+# Common unit suffixes of k, m, or g are supported.
+#
+# SINCE 1.2.0
+git.defaultGarbageCollectionThreshold = 500k
+
+# The default period, in days, between GCs for a repository.  If the total filesize
+# of the loose object exceeds *git.garbageCollectionThreshold* or the repository's
+# custom threshold, this period will be short-circuited.
+#
+# e.g. if a repository collects 100KB of loose objects every day with a 500KB
+# threshold and a period of 7 days, it will take 5 days for the loose objects to
+# be collected, packed, and pruned.
+#
+# OR
+#
+# if a repository collects 10KB of loose objects every day with a 500KB threshold
+# and a period of 7 days, it will take the full 7 days for the loose objects to be
+# collected, packed, and pruned.
+#
+# You may specify a custom period for a repository in the repository's settings.
+#
+# The minimum value is 1 day since the GC Executor only runs once a day.
+#
+# SINCE 1.2.0
+git.defaultGarbageCollectionPeriod = 7
+
+# Number of bytes of a pack file to load into memory in a single read operation.
+# This is the "page size" of the JGit buffer cache, used for all pack access
+# operations. All disk IO occurs as single window reads. Setting this too large
+# may cause the process to load more data than is required; setting this too small
+# may increase the frequency of read() system calls.
+#
+# Default on JGit is 8 KiB on all platforms.
+#
+# Common unit suffixes of k, m, or g are supported.
+# Documentation courtesy of the Gerrit project.
+#
+# SINCE 1.0.0
+# RESTART REQUIRED
+git.packedGitWindowSize = 8k
+
+# Maximum number of bytes to load and cache in memory from pack files. If JGit
+# needs to access more than this many bytes it will unload less frequently used
+# windows to reclaim memory space within the process. As this buffer must be shared
+# with the rest of the JVM heap, it should be a fraction of the total memory available.
+#
+# The JGit team recommends setting this value larger than the size of your biggest
+# repository. This ensures you can serve most requests from memory.
+#
+# Default on JGit is 10 MiB on all platforms.
+#
+# Common unit suffixes of k, m, or g are supported.
+# Documentation courtesy of the Gerrit project.
+#
+# SINCE 1.0.0
+# RESTART REQUIRED
+git.packedGitLimit = 10m
+
+# Maximum number of bytes to reserve for caching base objects that multiple deltafied
+# objects reference. By storing the entire decompressed base object in a cache Git
+# is able to avoid unpacking and decompressing frequently used base objects multiple times.
+#
+# Default on JGit is 10 MiB on all platforms. You probably do not need to adjust
+# this value.
+#
+# Common unit suffixes of k, m, or g are supported.
+# Documentation courtesy of the Gerrit project.
+#
+# SINCE 1.0.0
+# RESTART REQUIRED
+git.deltaBaseCacheLimit = 10m
+
+# Maximum number of pack files to have open at once. A pack file must be opened
+# in order for any of its data to be available in a cached window.
+#
+# If you increase this to a larger setting you may need to also adjust the ulimit
+# on file descriptors for the host JVM, as Gitblit needs additional file descriptors
+# available for network sockets and other repository data manipulation.
+#
+# Default on JGit is 128 file descriptors on all platforms.
+# Documentation courtesy of the Gerrit project.
+#
+# SINCE 1.0.0
+# RESTART REQUIRED
+git.packedGitOpenFiles = 128
+
+# Largest object size, in bytes, that JGit will allocate as a contiguous byte
+# array. Any file revision larger than this threshold will have to be streamed,
+# typically requiring the use of temporary files under $GIT_DIR/objects to implement
+# psuedo-random access during delta decompression.
+#
+# Servers with very high traffic should set this to be larger than the size of
+# their common big files. For example a server managing the Android platform
+# typically has to deal with ~10-12 MiB XML files, so 15 m would be a reasonable
+# setting in that environment. Setting this too high may cause the JVM to run out
+# of heap space when handling very big binary files, such as device firmware or
+# CD-ROM ISO images. Make sure to adjust your JVM heap accordingly.
+#
+# Default is 50 MiB on all platforms.
+#
+# Common unit suffixes of k, m, or g are supported.
+# Documentation courtesy of the Gerrit project.
+#
+# SINCE 1.0.0
+# RESTART REQUIRED
+git.streamFileThreshold = 50m
+
+# When true, JGit will use mmap() rather than malloc()+read() to load data from
+# pack files.  The use of mmap can be problematic on some JVMs as the garbage
+# collector must deduce that a memory mapped segment is no longer in use before
+# a call to munmap() can be made by the JVM native code.
+#
+# In server applications (such as Gitblit) that need to access many pack files,
+# setting this to true risks artificially running out of virtual address space,
+# as the garbage collector cannot reclaim unused mapped spaces fast enough.
+#
+# Default on JGit is false. Although potentially slower, it yields much more
+# predictable behavior.
+# Documentation courtesy of the Gerrit project.
+#
+# SINCE 1.0.0
+# RESTART REQUIRED
+git.packedGitMmap = false
+
+#
+# Groovy Integration
+#
+
+# Location of Groovy scripts to use for Pre and Post receive hooks.
+# Use forward slashes even on Windows!!
+# e.g. c:/groovy
+#
+# RESTART REQUIRED
+# SINCE 0.8.0
+groovy.scriptsFolder = groovy
+
+# Specify the directory Grape uses for downloading libraries.
+# http://groovy.codehaus.org/Grape
+#
+# RESTART REQUIRED
+# SINCE 1.0.0
+groovy.grapeFolder = groovy/grape
+
+# Scripts to execute on Pre-Receive.
+#
+# These scripts execute after an incoming push has been parsed and validated
+# but BEFORE the changes are applied to the repository.  You might reject a
+# push in this script based on the repository and branch the push is attempting
+# to change.
+#
+# Script names are case-sensitive on case-sensitive file systems.  You may omit
+# the traditional ".groovy" from this list if your file extension is ".groovy"
+#
+# NOTE:
+# These scripts are only executed when pushing to *Gitblit*, not to other Git
+# tooling you may be using.  Also note that these scripts are shared between
+# repositories. These are NOT repository-specific scripts!  Within the script
+# you may customize the control-flow for a specific repository by checking the
+# *repository* variable.
+#
+# SPACE-DELIMITED
+# CASE-SENSITIVE
+# SINCE 0.8.0
+groovy.preReceiveScripts =
+
+# Scripts to execute on Post-Receive.
+#
+# These scripts execute AFTER an incoming push has been applied to a repository.
+# You might trigger a continuous-integration build here or send a notification.
+#
+# Script names are case-sensitive on case-sensitive file systems.  You may omit
+# the traditional ".groovy" from this list if your file extension is ".groovy"
+#
+# NOTE:
+# These scripts are only executed when pushing to *Gitblit*, not to other Git
+# tooling you may be using.  Also note that these scripts are shared between
+# repositories. These are NOT repository-specific scripts!  Within the script
+# you may customize the control-flow for a specific repository by checking the
+# *repository* variable.
+#
+# SPACE-DELIMITED
+# CASE-SENSITIVE
+# SINCE 0.8.0
+groovy.postReceiveScripts =
+
+# Repository custom fields for Groovy Hook mechanism
+#
+# List of key=label pairs of custom fields to prompt for in the Edit Repository
+# page.  These keys are stored in the repository's git config file in the
+# section [gitblit "customFields"].  Key names are alphanumeric only.  These
+# fields are intended to be used for the Groovy hook mechanism where a script
+# can adjust it's execution based on the custom fields stored in the repository
+# config.
+#
+# e.g. "commitMsgRegex=Commit Message Regular Expression" anotherProperty=Another
+#
+# SPACE-DELIMITED
+# SINCE 1.0.0
+groovy.customFields =
+
+#
+# Authentication Settings
+#
+
+# Require authentication to see everything but the admin pages
+#
+# SINCE 0.5.0
+# RESTART REQUIRED
+web.authenticateViewPages = false
+
+# Require admin authentication for the admin functions and pages
+#
+# SINCE 0.5.0
+# RESTART REQUIRED
+web.authenticateAdminPages = true
+
+# Allow Gitblit to store a cookie in the user's browser for automatic
+# authentication.  The cookie is generated by the user service.
+#
+# SINCE 0.5.0
+web.allowCookieAuthentication = true
+
+# Config file for storing project metadata
+#
+# SINCE 1.2.0
+web.projectsFile = projects.conf
+
+# Either the full path to a user config file (users.conf)
+# OR the full path to a simple user properties file (users.properties)
+# OR a fully qualified class name that implements the IUserService interface.
+#
+# Alternative user services:
+#    com.gitblit.LdapUserService
+#    com.gitblit.RedmineUserService
+#
+# Any custom user service implementation must have a public default constructor.
+#
+# SINCE 0.5.0
+# RESTART REQUIRED
+realm.userService = users.conf
+
+# How to store passwords.
+# Valid values are plain, md5, or combined-md5.  md5 is the hash of password.
+# combined-md5 is the hash of username.toLowerCase()+password.
+# Default is md5.
+#
+# SINCE 0.5.0
+realm.passwordStorage = md5
+
+# Minimum valid length for a plain text password.
+# Default value is 5.  Absolute minimum is 4.
+#
+# SINCE 0.5.0
+realm.minPasswordLength = 5
+
+#
+# Gitblit Web Settings
+#
+# If blank Gitblit is displayed.
+#
+# SINCE 0.5.0
+web.siteName =
+
+# If *web.authenticateAdminPages*=true, users with "admin" role can create
+# repositories, create users, and edit repository metadata.
+#
+# If *web.authenticateAdminPages*=false, any user can execute the aforementioned
+# functions.
+#
+# SINCE 0.5.0
+web.allowAdministration = true
+
+# Allows rpc clients to list repositories and possibly manage or administer the
+# Gitblit server, if the authenticated account has administrator permissions.
+# See *web.enableRpcManagement* and *web.enableRpcAdministration*.
+#
+# SINCE 0.7.0
+web.enableRpcServlet = true
+
+# Allows rpc clients to manage repositories and users of the Gitblit instance,
+# if the authenticated account has administrator permissions.
+# Requires *web.enableRpcServlet=true*.
+#
+# SINCE 0.7.0
+web.enableRpcManagement = false
+
+# Allows rpc clients to control the server settings and monitor the health of this
+# this Gitblit instance, if the authenticated account has administrator permissions.
+# Requires *web.enableRpcServlet=true* and *web.enableRpcManagement*.
+#
+# SINCE 0.7.0
+web.enableRpcAdministration = false
+
+# Full path to a configurable robots.txt file.  With this file you can control
+# what parts of your Gitblit server respectable robots are allowed to traverse.
+# http://googlewebmastercentral.blogspot.com/2008/06/improving-on-robots-exclusion-protocol.html
+#
+# SINCE 1.0.0
+web.robots.txt =
+
+# If true, the web ui layout will respond and adapt to the browser's dimensions.
+# if false, the web ui will use a 940px fixed-width layout.
+# http://twitter.github.com/bootstrap/scaffolding.html#responsive
+#
+# SINCE 1.0.0
+web.useResponsiveLayout = true
+
+# Allow Gravatar images to be displayed in Gitblit pages.
+#
+# SINCE 0.8.0
+web.allowGravatar = true
+
+# Allow dynamic zip downloads.
+#
+# SINCE 0.5.0
+web.allowZipDownloads = true
+
+# Allow optional Lucene integration. Lucene indexing is an opt-in feature.
+# A repository may specify branches to index with Lucene instead of using Git
+# commit traversal. There are scenarios where you may want to completely disable
+# Lucene indexing despite a repository specifying indexed branches.  One such
+# scenario is on a resource-constrained federated Gitblit mirror.
+#
+# SINCE 0.9.0
+web.allowLuceneIndexing = true
+
+# Controls the length of shortened commit hash ids
+#
+# SINCE 1.2.0
+web.shortCommitIdLength = 6
+
+# Use Clippy (Flash solution) to provide a copy-to-clipboard button.
+# If false, a button with a more primitive JavaScript-based prompt box will
+# offer a 3-step (click, ctrl+c, enter) copy-to-clipboard alternative.
+#
+# SINCE 0.8.0
+web.allowFlashCopyToClipboard = true
+
+# Default number of entries to include in RSS Syndication links
+#
+# SINCE 0.5.0
+web.syndicationEntries = 25
+
+# Show the size of each repository on the repositories page.
+# This requires recursive traversal of each repository folder.  This may be
+# non-performant on some operating systems and/or filesystems.
+#
+# SINCE 0.5.2
+web.showRepositorySizes = true
+
+# List of custom regex expressions that can be displayed in the Filters menu
+# of the Repositories and Activity pages.  Keep them very simple because you
+# are likely to run into encoding issues if they are too complex.
+#
+# Use !!! to separate the filters
+#
+# SINCE 0.8.0
+web.customFilters =
+
+# Show federation registrations (without token) and the current pull status
+# to non-administrator users.
+#
+# SINCE 0.6.0
+web.showFederationRegistrations = false
+
+# This is the message displayed when *web.authenticateViewPages=true*.
+# This can point to a file with Markdown content.
+# Specifying "gitblit" uses the internal login message.
+#
+# SINCE 0.7.0
+web.loginMessage = gitblit
+
+# This is the message displayed above the repositories table.
+# This can point to a file with Markdown content.
+# Specifying "gitblit" uses the internal welcome message.
+#
+# SINCE 0.5.0
+web.repositoriesMessage = gitblit
+
+# Ordered list of charsets/encodings to use when trying to display a blob.
+# If empty, UTF-8 and ISO-8859-1 are used.  The server's default charset
+# is always appended to the encoding list.  If all encodings fail to cleanly
+# decode the blob content, UTF-8 will be used with the standard malformed
+# input/unmappable character replacement strings.
+#
+# SPACE-DELIMITED
+# SINCE 1.0.0
+web.blobEncodings = UTF-8 ISO-8859-1
+
+# Manually set the default timezone to be used by Gitblit for display in the
+# web ui.  This value is independent of the JVM timezone.  Specifying a blank
+# value will default to the JVM timezone.
+# e.g. America/New_York, US/Pacific, UTC, Europe/Berlin
+#
+# SINCE 0.9.0
+# RESTART REQUIRED
+web.timezone =
+
+# Use the client timezone when formatting dates.
+# This uses AJAX to determine the browser's timezone and may require more
+# server overhead because a Wicket session is created.  All Gitblit pages
+# attempt to be stateless, if possible.
+#
+# SINCE 0.5.0
+# RESTART REQUIRED
+web.useClientTimezone = false
+
+# Time format
+# <http://download.oracle.com/javase/6/docs/api/java/text/SimpleDateFormat.html>
+#
+# SINCE 0.8.0
+web.timeFormat = HH:mm
+
+# Short date format
+# <http://download.oracle.com/javase/6/docs/api/java/text/SimpleDateFormat.html>
+#
+# SINCE 0.5.0
+web.datestampShortFormat = yyyy-MM-dd
+
+# Long date format
+#
+# SINCE 0.8.0
+web.datestampLongFormat = EEEE, MMMM d, yyyy
+
+# Long timestamp format
+# <http://download.oracle.com/javase/6/docs/api/java/text/SimpleDateFormat.html>
+#
+# SINCE 0.5.0
+web.datetimestampLongFormat = EEEE, MMMM d, yyyy HH:mm Z
+
+# Mount URL parameters
+# This setting controls if pretty or parameter URLs are used.
+# i.e.
+# if true:
+#     http://localhost/commit/myrepo/abcdef
+# if false:
+#     http://localhost/commit/?r=myrepo&h=abcdef
+#
+# SINCE 0.5.0
+# RESTART REQUIRED
+web.mountParameters = true
+
+# Some servlet containers (e.g. Tomcat >= 6.0.10) disallow '/' (%2F) encoding
+# in URLs as a security precaution for proxies.  This setting tells Gitblit
+# to preemptively replace '/' with '*' or '!' for url string parameters.
+#
+# <https://issues.apache.org/jira/browse/WICKET-1303>
+# <http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.10>
+# Add *-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true* to your
+# *CATALINA_OPTS* or to your JVM launch parameters
+#
+# SINCE 0.5.2
+web.forwardSlashCharacter = /
+
+# Show other URLs on the summary page for accessing your git repositories
+# Use spaces to separate urls. {0} is the token for the repository name.
+# e.g.
+# web.otherUrls = ssh://localhost/git/{0} git://localhost/git/{0}
+#
+# SPACE-DELIMITED
+# SINCE 0.5.0
+web.otherUrls =
+
+# Choose how to present the repositories list.
+#   grouped = group nested/subfolder repositories together (no sorting)
+#   flat = flat list of repositories (sorting allowed)
+#
+# SINCE 0.5.0
+web.repositoryListType = grouped
+
+# If using a grouped repository list and there are repositories at the
+# root level of your repositories folder, you may specify the displayed
+# group name with this setting.  This value is only used for web presentation.
+#
+# SINCE 0.5.0
+web.repositoryRootGroupName = main
+
+# Display the repository swatch color next to the repository name link in the
+# repositories list.
+#
+# SINCE 0.8.0
+web.repositoryListSwatches = true
+
+# Choose the diff presentation style: gitblt, gitweb, or plain
+#
+# SINCE 0.5.0
+web.diffStyle = gitblit
+
+# Control if email addresses are shown in web ui
+#
+# SINCE 0.5.0
+web.showEmailAddresses = true
+
+# Shows a combobox in the page links header with commit, committer, and author
+# search selection.  Default search is commit.
+#
+# SINCE 0.5.0
+web.showSearchTypeSelection = false
+
+# Generates a line graph of repository activity over time on the Summary page.
+# This uses the Google Charts API.
+#
+# SINCE 0.5.0
+web.generateActivityGraph = true
+
+# The number of days to show on the activity page.
+# Value must exceed 0 else default of 14 is used
+#
+# SINCE 0.8.0
+web.activityDuration = 14
+
+# The number of commits to display on the summary page
+# Value must exceed 0 else default of 20 is used
+#
+# SINCE 0.5.0
+web.summaryCommitCount = 16
+
+# The number of tags/branches to display on the summary page.
+# -1 = all tags/branches
+# 0 = hide tags/branches
+# N = N tags/branches
+#
+# SINCE 0.5.0
+web.summaryRefsCount = 5
+
+# The number of items to show on a page before showing the first, prev, next
+# pagination links.  A default if 50 is used for any invalid value.
+#
+# SINCE 0.5.0
+web.itemsPerPage = 50
+
+# Registered file extensions to ignore during Lucene indexing
+#
+# SPACE-DELIMITED
+# SINCE 0.9.0
+web.luceneIgnoreExtensions = 7z arc arj bin bmp dll doc docx exe gif gz jar jpg lib lzh odg odf odt pdf ppt png so swf xcf xls xlsx zip
+
+# Registered extensions for google-code-prettify
+#
+# SPACE-DELIMITED
+# SINCE 0.5.0
+web.prettyPrintExtensions = c cpp cs css frm groovy htm html java js php pl prefs properties py rb scala sh sql xml vb
+
+# Registered extensions for markdown transformation
+#
+# SPACE-DELIMITED
+# CASE-SENSITIVE
+# SINCE 0.5.0
+web.markdownExtensions = md mkd markdown MD MKD
+
+# Image extensions
+#
+# SPACE-DELIMITED
+# SINCE 0.5.0
+web.imageExtensions = bmp jpg gif png
+
+# Registered extensions for binary blobs
+#
+# SPACE-DELIMITED
+# SINCE 0.5.0
+web.binaryExtensions = jar pdf tar.gz zip
+
+# Aggressive heap management will run the garbage collector on every generated
+# page.  This slows down page generation a little but improves heap consumption.
+#
+# SINCE 0.5.0
+web.aggressiveHeapManagement = false
+
+# Run the webapp in debug mode
+#
+# SINCE 0.5.0
+# RESTART REQUIRED
+web.debugMode = false
+
+# Enable/disable global regex substitutions (i.e. shared across repositories)
+#
+# SINCE 0.5.0
+regex.global = true
+
+# Example global regex substitutions
+# Use !!! to separate the search pattern and the replace pattern
+# searchpattern!!!replacepattern
+# SINCE 0.5.0
+regex.global.bug = \\b(Bug:)(\\s*[#]?|-){0,1}(\\d+)\\b!!!<a href="http://somehost/bug/$3">Bug-Id: $3</a>
+# SINCE 0.5.0
+regex.global.changeid = \\b(Change-Id:\\s*)([A-Za-z0-9]*)\\b!!!<a href="http://somehost/changeid/$2">Change-Id: $2</a>
+
+# Example per-repository regex substitutions overrides global
+# SINCE 0.5.0
+regex.myrepository.bug = \\b(Bug:)(\\s*[#]?|-){0,1}(\\d+)\\b!!!<a href="http://elsewhere/bug/$3">Bug-Id: $3</a>
+
+#
+# Mail Settings
+# SINCE 0.6.0
+#
+# Mail settings are used to notify administrators of received federation proposals
+#
+
+# ip or hostname of smtp server
+#
+# SINCE 0.6.0
+mail.server =
+
+# port to use for smtp requests
+#
+# SINCE 0.6.0
+mail.port = 25
+
+# debug the mail executor
+#
+# SINCE 0.6.0
+mail.debug = false
+
+# if your smtp server requires authentication, supply the credentials here
+#
+# SINCE 0.6.0
+mail.username =
+# SINCE 0.6.0
+mail.password =
+
+# from address for generated emails
+#
+# SINCE 0.6.0
+mail.fromAddress =
+
+# List of email addresses for the Gitblit administrators
+#
+# SPACE-DELIMITED
+# SINCE 0.6.0
+mail.adminAddresses =
+
+# List of email addresses for sending push email notifications.
+#
+# This key currently requires use of the sendemail.groovy hook script.
+# If you set sendemail.groovy in *groovy.postReceiveScripts* then email
+# notifications for all repositories (regardless of access restrictions!)
+# will be sent to these addresses.
+#
+# SPACE-DELIMITED
+# SINCE 0.8.0
+mail.mailingLists =
+
+#
+# Federation Settings
+# SINCE 0.6.0
+#
+# A Gitblit federation is a way to backup one Gitblit instance to another.
+#
+# *git.enableGitServlet* must be true to use this feature.
+
+# Your federation name is used for federation status acknowledgments.  If it is
+# unset, and you elect to send a status acknowledgment, your Gitblit instance
+# will be identified by its hostname, if available, else your internal ip address.
+# The source Gitblit instance will also append your external IP address to your
+# identification to differentiate multiple pulling systems behind a single proxy.
+#
+# SINCE 0.6.0
+federation.name =
+
+# Specify the passphrase of this Gitblit instance.
+#
+# An unspecified (empty) passphrase disables processing federation requests.
+#
+# This value can be anything you want: an integer, a sentence, an haiku, etc.
+# Keep the value simple, though, to avoid Java properties file encoding issues.
+#
+# Changing your passphrase will break any registrations you have established with other
+# Gitblit instances.
+#
+# CASE-SENSITIVE
+# SINCE 0.6.0
+# RESTART REQUIRED *(only to enable or disable federation)*
+federation.passphrase =
+
+# Control whether or not this Gitblit instance can receive federation proposals
+# from another Gitblit instance.  Registering a federated Gitblit is a manual
+# process.  Proposals help to simplify that process by allowing a remote Gitblit
+# instance to send your Gitblit instance the federation pull data.
+#
+# SINCE 0.6.0
+federation.allowProposals = false
+
+# The destination folder for cached federation proposals.
+# Use forward slashes even on Windows!!
+#
+# SINCE 0.6.0
+federation.proposalsFolder = proposals
+
+# The default pull frequency if frequency is unspecified on a registration
+#
+# SINCE 0.6.0
+federation.defaultFrequency = 60 mins
+
+# Federation Sets are named groups of repositories.  The Federation Sets are
+# available for selection in the repository settings page.  You can assign a
+# repository to one or more sets and then distribute the token for the set.
+# This allows you to grant federation pull access to a subset of your available
+# repositories.  Tokens for federation sets only grant repository pull access.
+#
+# SPACE-DELIMITED
+# CASE-SENSITIVE
+# SINCE 0.6.0
+federation.sets =
+
+# Federation pull registrations
+# Registrations are read once, at startup.
+#
+# RESTART REQUIRED
+#
+# frequency:
+#   The shortest frequency allowed is every 5 minutes
+#   Decimal frequency values are cast to integers
+#   Frequency values may be specified in mins, hours, or days
+#   Values that can not be parsed or are unspecified default to *federation.defaultFrequency*
+#
+# folder:
+#   if unspecified, the folder is *git.repositoriesFolder*
+#   if specified, the folder is relative to *git.repositoriesFolder*
+#
+# bare:
+#   if true, each repository will be created as a *bare* repository and will not
+#   have a working directory.
+#
+#   if false, each repository will be created as a normal repository suitable
+#   for local work.
+#
+# mirror:
+#   if true, each repository HEAD is reset to *origin/master* after each pull.
+#   The repository will be flagged *isFrozen* after the initial clone.
+#
+#   if false, each repository HEAD will point to the FETCH_HEAD of the initial
+#   clone from the origin until pushed to or otherwise manipulated.
+#
+# mergeAccounts:
+#   if true, remote accounts and their permissions are merged into your
+#   users.properties file
+#
+# notifyOnError:
+#   if true and the mail configuration is properly set, administrators will be
+#   notified by email of pull failures
+#
+# include and exclude:
+#   Space-delimited list of repositories to include or exclude from pull
+#   may be * wildcard to include or exclude all
+#   may use fuzzy match (e.g. org.eclipse.*)
+
+#
+# (Nearly) Perfect Mirror example
+#
+
+#federation.example1.url = https://go.gitblit.com
+#federation.example1.token = 6f3b8a24bf970f17289b234284c94f43eb42f0e4
+#federation.example1.frequency = 120 mins
+#federation.example1.folder =
+#federation.example1.bare = true
+#federation.example1.mirror = true
+#federation.example1.mergeAccounts = true
+
+#
+# Advanced Realm Settings
+#
+
+# URL of the LDAP server.
+# To use encrypted transport, use either ldaps:// URL for SSL or ldap+tls:// to
+# send StartTLS command.
+#
+# SINCE 1.0.0
+realm.ldap.server = ldap://localhost
+
+# Login username for LDAP searches.
+# If this value is unspecified, anonymous LDAP login will be used.
+#
+# e.g. mydomain\\username
+#
+# SINCE 1.0.0
+realm.ldap.username = cn=Directory Manager
+
+# Login password for LDAP searches.
+#
+# SINCE 1.0.0
+realm.ldap.password = password
+
+# The LdapUserService must be backed by another user service for standard user
+# and team management.
+# default: users.conf
+#
+# SINCE 1.0.0
+# RESTART REQUIRED
+realm.ldap.backingUserService = users.conf
+
+# Delegate team membership control to LDAP.
+#
+# If true, team user memberships will be specified by LDAP groups.  This will
+# disable team selection in Edit User and user selection in Edit Team.
+#
+# If false, LDAP will only be used for authentication and Gitblit will maintain
+# team memberships with the *realm.ldap.backingUserService*.
+#
+# SINCE 1.0.0
+realm.ldap.maintainTeams = false
+
+# Root node for all LDAP users
+#
+# This is the root node from which subtree user searches will begin.
+# If blank, Gitblit will search ALL nodes.
+#
+# SINCE 1.0.0
+realm.ldap.accountBase = OU=Users,OU=UserControl,OU=MyOrganization,DC=MyDomain
+
+# Filter criteria for LDAP users
+#
+# Query pattern to use when searching for a user account. This may be any valid
+# LDAP query expression, including the standard (&) and (|) operators.
+#
+# Variables may be injected via the ${variableName} syntax.
+# Recognized variables are:
+#    ${username} - The text entered as the user name
+#
+# SINCE 1.0.0
+realm.ldap.accountPattern = (&(objectClass=person)(sAMAccountName=${username}))
+
+# Root node for all LDAP groups to be used as Gitblit Teams
+#
+# This is the root node from which subtree team searches will begin.
+# If blank, Gitblit will search ALL nodes.
+#
+# SINCE 1.0.0
+realm.ldap.groupBase = OU=Groups,OU=UserControl,OU=MyOrganization,DC=MyDomain
+
+# Filter criteria for LDAP groups
+#
+# Query pattern to use when searching for a team. This may be any valid
+# LDAP query expression, including the standard (&) and (|) operators.
+#
+# Variables may be injected via the ${variableName} syntax.
+# Recognized variables are:
+#    ${username} - The text entered as the user name
+#    ${dn} - The Distinguished Name of the user logged in
+#
+# All attributes from the LDAP User record are available. For example, if a user
+# has an attribute "fullName" set to "John", "(fn=${fullName})" will be
+# translated to "(fn=John)".
+#
+# SINCE 1.0.0
+realm.ldap.groupMemberPattern = (&(objectClass=group)(member=${dn}))
+
+# LDAP users or groups that should be given administrator privileges.
+#
+# Teams are specified with a leading '@' character.  Groups with spaces in the
+# name can be entered as "@team name".
+#
+# e.g. realm.ldap.admins = john @git_admins "@git admins"
+#
+# SPACE-DELIMITED
+# SINCE 1.0.0
+realm.ldap.admins = @Git_Admins
+
+# Attribute(s) on the USER record that indicate their display (or full) name.
+# Leave blank for no mapping available in LDAP.
+#
+# This may be a single attribute, or a string of multiple attributes.  Examples:
+#  displayName - Uses the attribute 'displayName' on the user record
+#  ${personalTitle}. ${givenName} ${surname} - Will concatenate the 3
+#       attributes together, with a '.' after personalTitle
+#
+# SINCE 1.0.0
+realm.ldap.displayName = displayName
+
+# Attribute(s) on the USER record that indicate their email address.
+# Leave blank for no mapping available in LDAP.
+#
+# This may be a single attribute, or a string of multiple attributes.  Examples:
+#  email - Uses the attribute 'email' on the user record
+#  ${givenName}.${surname}@gitblit.com -Will concatenate the 2 attributes
+#       together with a '.' and '@' creating something like first.last@gitblit.com
+#
+# SINCE 1.0.0
+realm.ldap.email = email
+
+# Defines whether to synchronize all LDAP users into the backing user service
+#
+# Valid values: true, false
+# If left blank, false is assumed
+realm.ldap.synchronizeUsers.enable = false
+
+# Defines whether to delete non-existent LDAP users from the backing user service
+# during synchronization. depends on  realm.ldap.synchronizeUsers.enable = true
+#
+# Valid values: true, false
+# If left blank, true is assumed
+realm.ldap.synchronizeUsers.removeDeleted = true
+
+# Attribute on the USER record that indicate their username to be used in gitblit
+# when synchronizing users from LDAP
+# if blank, Gitblit will use uid
+#
+#
+realm.ldap.uid = uid
+
+# The RedmineUserService must be backed by another user service for standard user
+# and team management.
+# default: users.conf
+#
+# RESTART REQUIRED
+realm.redmine.backingUserService = users.conf
+
+# URL of the Redmine.
+realm.redmine.url = http://example.com/redmine
+
+#
+# Server Settings
+#
+
+# The temporary folder to decompress the embedded gitblit webapp.
+#
+# SINCE 0.5.0
+# RESTART REQUIRED
+server.tempFolder = temp
+
+# Use Jetty NIO connectors.  If false, Jetty Socket connectors will be used.
+#
+# SINCE 0.5.0
+# RESTART REQUIRED
+server.useNio = true
+
+# Context path for the GO application.  You might want to change the context
+# path if running Gitblit behind a proxy layer such as mod_proxy.
+#
+# SINCE 0.7.0
+# RESTART REQUIRED
+server.contextPath = /
+
+# Standard http port to serve.  <= 0 disables this connector.
+# On Unix/Linux systems, ports < 1024 require root permissions.
+# Recommended value: 80 or 8080
+#
+# SINCE 0.5.0
+# RESTART REQUIRED
+server.httpPort = 0
+
+# Secure/SSL https port to serve. <= 0 disables this connector.
+# On Unix/Linux systems, ports < 1024 require root permissions.
+# Recommended value: 443 or 8443
+#
+# SINCE 0.5.0
+# RESTART REQUIRED
+server.httpsPort = 8443
+
+# Port for serving an Apache JServ Protocol (AJP) 1.3 connector for integrating
+# Gitblit GO into an Apache HTTP server setup.  <= 0 disables this connector.
+# Recommended value: 8009
+#
+# SINCE 0.9.0
+# RESTART REQUIRED
+server.ajpPort = 0
+
+# Specify the interface for Jetty to bind the standard connector.
+# You may specify an ip or an empty value to bind to all interfaces.
+# Specifying localhost will result in Gitblit ONLY listening to requests to
+# localhost.
+#
+# SINCE 0.5.0
+# RESTART REQUIRED
+server.httpBindInterface = localhost
+
+# Specify the interface for Jetty to bind the secure connector.
+# You may specify an ip or an empty value to bind to all interfaces.
+# Specifying localhost will result in Gitblit ONLY listening to requests to
+# localhost.
+#
+# SINCE 0.5.0
+# RESTART REQUIRED
+server.httpsBindInterface = localhost
+
+# Specify the interface for Jetty to bind the AJP connector.
+# You may specify an ip or an empty value to bind to all interfaces.
+# Specifying localhost will result in Gitblit ONLY listening to requests to
+# localhost.
+#
+# SINCE 0.9.0
+# RESTART REQUIRED
+server.ajpBindInterface = localhost
+
+# Password for SSL keystore.
+# Keystore password and certificate password must match.
+# This is provided for convenience, its probably more secure to set this value
+# using the --storePassword command line parameter.
+#
+# If you are using the official JRE or JDK from Oracle you may not have the
+# JCE Unlimited Strength Jurisdiction Policy files bundled with your JVM.  Because
+# of this, your store/key password can not exceed 7 characters.  If you require
+# longer passwords you may need to install the JCE Unlimited Strength Jurisdiction
+# Policy files from Oracle.
+#
+# http://www.oracle.com/technetwork/java/javase/downloads/index.html
+#
+# Gitblit and the Gitblit Certificate Authority will both indicate if Unlimited
+# Strength encryption is available.
+#
+# SINCE 0.5.0
+# RESTART REQUIRED
+server.storePassword = gitblit
+
+# If serving over https (recommended) you might consider requiring clients to
+# authenticate with ssl certificates.  If enabled, only https clients with the
+# a valid client certificate will be able to access Gitblit.
+#
+# If disabled, client certificate authentication is optional and will be tried
+# first before falling-back to form authentication or basic authentication.
+#
+# Requiring client certificates to access any of Gitblit may be too extreme,
+# consider this carefully.
+#
+# SINCE 1.2.0
+# RESTART REQUIRED
+server.requireClientCertificates = false
+
+# Port for shutdown monitor to listen on.
+#
+# SINCE 0.5.0
+# RESTART REQUIRED
+server.shutdownPort = 8081
diff --git a/src/com/gitblit/LdapUserService.java b/src/com/gitblit/LdapUserService.java
index 9ce18f6d..8da0ca35 100644
--- a/src/com/gitblit/LdapUserService.java
+++ b/src/com/gitblit/LdapUserService.java
@@ -1,379 +1,463 @@
-/*

- * Copyright 2012 John Crygier

- * Copyright 2012 gitblit.com

- *

- * Licensed under the Apache License, Version 2.0 (the "License");

- * you may not use this file except in compliance with the License.

- * You may obtain a copy of the License at

- *

- *     http://www.apache.org/licenses/LICENSE-2.0

- *

- * Unless required by applicable law or agreed to in writing, software

- * distributed under the License is distributed on an "AS IS" BASIS,

- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

- * See the License for the specific language governing permissions and

- * limitations under the License.

- */

-package com.gitblit;

-

-import java.io.File;

-import java.net.URI;

-import java.net.URISyntaxException;

-import java.security.GeneralSecurityException;

-import java.util.List;

-

-import org.slf4j.Logger;

-import org.slf4j.LoggerFactory;

-

-import com.gitblit.models.TeamModel;

-import com.gitblit.models.UserModel;

-import com.gitblit.utils.ArrayUtils;

-import com.gitblit.utils.StringUtils;

-import com.unboundid.ldap.sdk.Attribute;

-import com.unboundid.ldap.sdk.ExtendedResult;

-import com.unboundid.ldap.sdk.LDAPConnection;

-import com.unboundid.ldap.sdk.LDAPException;

-import com.unboundid.ldap.sdk.LDAPSearchException;

-import com.unboundid.ldap.sdk.ResultCode;

-import com.unboundid.ldap.sdk.SearchResult;

-import com.unboundid.ldap.sdk.SearchResultEntry;

-import com.unboundid.ldap.sdk.SearchScope;

-import com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest;

-import com.unboundid.util.ssl.SSLUtil;

-import com.unboundid.util.ssl.TrustAllTrustManager;

-

-/**

- * Implementation of an LDAP user service.

- * 

- * @author John Crygier

- */

-public class LdapUserService extends GitblitUserService {

-

-	public static final Logger logger = LoggerFactory.getLogger(LdapUserService.class);

-	

-	private IStoredSettings settings;

-

-	public LdapUserService() {

-		super();

-	}

-

-	@Override

-	public void setup(IStoredSettings settings) {

-		this.settings = settings;

-		String file = settings.getString(Keys.realm.ldap.backingUserService, "users.conf");

-		File realmFile = GitBlit.getFileOrFolder(file);

-

-		serviceImpl = createUserService(realmFile);

-		logger.info("LDAP User Service backed by " + serviceImpl.toString());

-	}

-	

-	private LDAPConnection getLdapConnection() {

-		try {

-			URI ldapUrl = new URI(settings.getRequiredString(Keys.realm.ldap.server));

-			String bindUserName = settings.getString(Keys.realm.ldap.username, "");

-			String bindPassword = settings.getString(Keys.realm.ldap.password, "");

-			int ldapPort = ldapUrl.getPort();

-			

-			if (ldapUrl.getScheme().equalsIgnoreCase("ldaps")) {	// SSL

-				if (ldapPort == -1)	// Default Port

-					ldapPort = 636;

-				

-				SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager()); 

-				return new LDAPConnection(sslUtil.createSSLSocketFactory(), ldapUrl.getHost(), ldapPort, bindUserName, bindPassword);

-			} else {

-				if (ldapPort == -1)	// Default Port

-					ldapPort = 389;

-				

-				LDAPConnection conn = new LDAPConnection(ldapUrl.getHost(), ldapPort, bindUserName, bindPassword);

-

-				if (ldapUrl.getScheme().equalsIgnoreCase("ldap+tls")) {

-					SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());

-

-					ExtendedResult extendedResult = conn.processExtendedOperation(

-						new StartTLSExtendedRequest(sslUtil.createSSLContext()));

-

-					if (extendedResult.getResultCode() != ResultCode.SUCCESS) {

-						throw new LDAPException(extendedResult.getResultCode());

-					}

-				}

-				return conn;

-			}

-		} catch (URISyntaxException e) {

-			logger.error("Bad LDAP URL, should be in the form: ldap(s|+tls)://<server>:<port>", e);

-		} catch (GeneralSecurityException e) {

-			logger.error("Unable to create SSL Connection", e);

-		} catch (LDAPException e) {

-			logger.error("Error Connecting to LDAP", e);

-		}

-		

-		return null;

-	}

-	

-	/**

-	 * Credentials are defined in the LDAP server and can not be manipulated

-	 * from Gitblit.

-	 *

-	 * @return false

-	 * @since 1.0.0

-	 */

-	@Override

-	public boolean supportsCredentialChanges() {

-		return false;

-	}

-	

-	/**

-	 * If no displayName pattern is defined then Gitblit can manage the display name.

-	 *

-	 * @return true if Gitblit can manage the user display name

-	 * @since 1.0.0

-	 */

-	@Override

-	public boolean supportsDisplayNameChanges() {

-		return StringUtils.isEmpty(settings.getString(Keys.realm.ldap.displayName, ""));

-	}

-	

-	/**

-	 * If no email pattern is defined then Gitblit can manage the email address.

-	 *

-	 * @return true if Gitblit can manage the user email address

-	 * @since 1.0.0

-	 */

-	@Override

-	public boolean supportsEmailAddressChanges() {

-		return StringUtils.isEmpty(settings.getString(Keys.realm.ldap.email, ""));

-	}

-

-	

-	/**

-	 * If the LDAP server will maintain team memberships then LdapUserService

-	 * will not allow team membership changes.  In this scenario all team

-	 * changes must be made on the LDAP server by the LDAP administrator.

-	 * 

-	 * @return true or false

-	 * @since 1.0.0

-	 */	

-	public boolean supportsTeamMembershipChanges() {

-		return !settings.getBoolean(Keys.realm.ldap.maintainTeams, false);

-	}

-

-	@Override

-	public UserModel authenticate(String username, char[] password) {

-		String simpleUsername = getSimpleUsername(username);

-		

-		LDAPConnection ldapConnection = getLdapConnection();

-		if (ldapConnection != null) {

-			try {

-				// Find the logging in user's DN

-				String accountBase = settings.getString(Keys.realm.ldap.accountBase, "");

-				String accountPattern = settings.getString(Keys.realm.ldap.accountPattern, "(&(objectClass=person)(sAMAccountName=${username}))");

-				accountPattern = StringUtils.replace(accountPattern, "${username}", escapeLDAPSearchFilter(simpleUsername));

-

-				SearchResult result = doSearch(ldapConnection, accountBase, accountPattern);

-				if (result != null && result.getEntryCount() == 1) {

-					SearchResultEntry loggingInUser = result.getSearchEntries().get(0);

-					String loggingInUserDN = loggingInUser.getDN();

-

-					if (isAuthenticated(ldapConnection, loggingInUserDN, new String(password))) {

-						logger.debug("LDAP authenticated: " + username);

-

-						UserModel user = getUserModel(simpleUsername);

-						if (user == null)	// create user object for new authenticated user

-							user = new UserModel(simpleUsername);

-

-						// create a user cookie

-						if (StringUtils.isEmpty(user.cookie) && !ArrayUtils.isEmpty(password)) {

-							user.cookie = StringUtils.getSHA1(user.username + new String(password));

-						}

-

-						if (!supportsTeamMembershipChanges())

-							getTeamsFromLdap(ldapConnection, simpleUsername, loggingInUser, user);

-

-						// Get User Attributes

-						setUserAttributes(user, loggingInUser);

-

-						// Push the ldap looked up values to backing file

-						super.updateUserModel(user);

-						if (!supportsTeamMembershipChanges()) {

-							for (TeamModel userTeam : user.teams)

-								updateTeamModel(userTeam);

-						}

-

-						return user;

-					}

-				}

-			} finally {

-				ldapConnection.close();

-			}

-		}

-		return null;		

-	}

-

-	/**

-	 * Set the admin attribute from team memberships retrieved from LDAP.

-	 * If we are not storing teams in LDAP and/or we have not defined any

-	 * administrator teams, then do not change the admin flag.

-	 * 

-	 * @param user

-	 */

-	private void setAdminAttribute(UserModel user) {

-		if (!supportsTeamMembershipChanges()) {

-			List<String> admins = settings.getStrings(Keys.realm.ldap.admins);

-			// if we have defined administrative teams, then set admin flag

-			// otherwise leave admin flag unchanged

-			if (!ArrayUtils.isEmpty(admins)) {

-				user.canAdmin = false;

-				for (String admin : admins) {

-					if (admin.startsWith("@")) { // Team

-						if (user.getTeam(admin.substring(1)) != null)

-							user.canAdmin = true;

-					} else

-						if (user.getName().equalsIgnoreCase(admin))

-							user.canAdmin = true;

-				}

-			}

-		}

-	}

-	

-	private void setUserAttributes(UserModel user, SearchResultEntry userEntry) {

-		// Is this user an admin?

-		setAdminAttribute(user);

-		

-		// Don't want visibility into the real password, make up a dummy

-		user.password = "StoredInLDAP";

-		

-		// Get full name Attribute

-		String displayName = settings.getString(Keys.realm.ldap.displayName, "");		

-		if (!StringUtils.isEmpty(displayName)) {

-			// Replace embedded ${} with attributes

-			if (displayName.contains("${")) {

-				for (Attribute userAttribute : userEntry.getAttributes())

-					displayName = StringUtils.replace(displayName, "${" + userAttribute.getName() + "}", userAttribute.getValue());

-

-				user.displayName = displayName;

-			} else {

-				Attribute attribute = userEntry.getAttribute(displayName);

-				if (attribute != null && attribute.hasValue()) {

-					user.displayName = attribute.getValue();

-				}

-			}

-		}

-		

-		// Get email address Attribute

-		String email = settings.getString(Keys.realm.ldap.email, "");

-		if (!StringUtils.isEmpty(email)) {

-			if (email.contains("${")) {

-				for (Attribute userAttribute : userEntry.getAttributes())

-					email = StringUtils.replace(email, "${" + userAttribute.getName() + "}", userAttribute.getValue());

-

-				user.emailAddress = email;

-			} else {

-				Attribute attribute = userEntry.getAttribute(email);

-				if (attribute != null && attribute.hasValue()) {

-					user.emailAddress = attribute.getValue();

-				}

-			}

-		}

-	}

-

-	private void getTeamsFromLdap(LDAPConnection ldapConnection, String simpleUsername, SearchResultEntry loggingInUser, UserModel user) {

-		String loggingInUserDN = loggingInUser.getDN();

-		

-		user.teams.clear();		// Clear the users team memberships - we're going to get them from LDAP

-		String groupBase = settings.getString(Keys.realm.ldap.groupBase, "");

-		String groupMemberPattern = settings.getString(Keys.realm.ldap.groupMemberPattern, "(&(objectClass=group)(member=${dn}))");

-		

-		groupMemberPattern = StringUtils.replace(groupMemberPattern, "${dn}", escapeLDAPSearchFilter(loggingInUserDN));

-		groupMemberPattern = StringUtils.replace(groupMemberPattern, "${username}", escapeLDAPSearchFilter(simpleUsername));

-		

-		// Fill in attributes into groupMemberPattern

-		for (Attribute userAttribute : loggingInUser.getAttributes())

-			groupMemberPattern = StringUtils.replace(groupMemberPattern, "${" + userAttribute.getName() + "}", escapeLDAPSearchFilter(userAttribute.getValue()));

-		

-		SearchResult teamMembershipResult = doSearch(ldapConnection, groupBase, groupMemberPattern);

-		if (teamMembershipResult != null && teamMembershipResult.getEntryCount() > 0) {

-			for (int i = 0; i < teamMembershipResult.getEntryCount(); i++) {

-				SearchResultEntry teamEntry = teamMembershipResult.getSearchEntries().get(i);

-				String teamName = teamEntry.getAttribute("cn").getValue();

-				

-				TeamModel teamModel = getTeamModel(teamName);

-				if (teamModel == null)

-					teamModel = createTeamFromLdap(teamEntry);

-					

-				user.teams.add(teamModel);

-				teamModel.addUser(user.getName());

-			}

-		}

-	}

-	

-	private TeamModel createTeamFromLdap(SearchResultEntry teamEntry) {

-		TeamModel answer = new TeamModel(teamEntry.getAttributeValue("cn"));

-		// potentially retrieve other attributes here in the future

-		

-		return answer;		

-	}

-

-	private SearchResult doSearch(LDAPConnection ldapConnection, String base, String filter) {

-		try {

-			return ldapConnection.search(base, SearchScope.SUB, filter);

-		} catch (LDAPSearchException e) {

-			logger.error("Problem Searching LDAP", e);

-			

-			return null;

-		}

-	}

-	

-	private boolean isAuthenticated(LDAPConnection ldapConnection, String userDn, String password) {

-		try {

-			// Binding will stop any LDAP-Injection Attacks since the searched-for user needs to bind to that DN

-			ldapConnection.bind(userDn, password);

-			return true;

-		} catch (LDAPException e) {

-			logger.error("Error authenticating user", e);

-			return false;

-		}

-	}

-

-	

-	/**

-	 * Returns a simple username without any domain prefixes.

-	 * 

-	 * @param username

-	 * @return a simple username

-	 */

-	protected String getSimpleUsername(String username) {

-		int lastSlash = username.lastIndexOf('\\');

-		if (lastSlash > -1) {

-			username = username.substring(lastSlash + 1);

-		}

-		

-		return username;

-	}

-	

-	// From: https://www.owasp.org/index.php/Preventing_LDAP_Injection_in_Java

-	public static final String escapeLDAPSearchFilter(String filter) {

-		StringBuilder sb = new StringBuilder();

-		for (int i = 0; i < filter.length(); i++) {

-			char curChar = filter.charAt(i);

-			switch (curChar) {

-			case '\\':

-				sb.append("\\5c");

-				break;

-			case '*':

-				sb.append("\\2a");

-				break;

-			case '(':

-				sb.append("\\28");

-				break;

-			case ')':

-				sb.append("\\29");

-				break;

-			case '\u0000': 

-				sb.append("\\00"); 

-				break;

-			default:

-				sb.append(curChar);

-			}

-		}

-		return sb.toString();

-	}

-}

+/*
+ * Copyright 2012 John Crygier
+ * Copyright 2012 gitblit.com
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gitblit;
+
+import java.io.File;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.security.GeneralSecurityException;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import com.gitblit.models.TeamModel;
+import com.gitblit.models.UserModel;
+import com.gitblit.utils.ArrayUtils;
+import com.gitblit.utils.StringUtils;
+import com.unboundid.ldap.sdk.Attribute;
+import com.unboundid.ldap.sdk.ExtendedResult;
+import com.unboundid.ldap.sdk.LDAPConnection;
+import com.unboundid.ldap.sdk.LDAPException;
+import com.unboundid.ldap.sdk.LDAPSearchException;
+import com.unboundid.ldap.sdk.ResultCode;
+import com.unboundid.ldap.sdk.SearchResult;
+import com.unboundid.ldap.sdk.SearchResultEntry;
+import com.unboundid.ldap.sdk.SearchScope;
+import com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest;
+import com.unboundid.util.ssl.SSLUtil;
+import com.unboundid.util.ssl.TrustAllTrustManager;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Implementation of an LDAP user service.
+ *
+ * @author John Crygier
+ */
+public class LdapUserService extends GitblitUserService {
+
+	public static final Logger logger = LoggerFactory.getLogger(LdapUserService.class);
+    public static final String LDAP_PASSWORD_KEY = "StoredInLDAP";
+
+    private IStoredSettings settings;
+
+	public LdapUserService() {
+		super();
+	}
+
+	@Override
+	public void setup(IStoredSettings settings) {
+		this.settings = settings;
+		String file = settings.getString(Keys.realm.ldap.backingUserService, "users.conf");
+		File realmFile = GitBlit.getFileOrFolder(file);
+
+		serviceImpl = createUserService(realmFile);
+		logger.info("LDAP User Service backed by " + serviceImpl.toString());
+
+        synchronizeLdapUsers();
+    }
+
+    protected void synchronizeLdapUsers() {
+        final boolean enabled = settings.getBoolean(Keys.realm.ldap.synchronizeUsers.enable, false);
+        if (!enabled) {
+            return;
+        }
+        final boolean deleteRemovedLdapUsers = settings.getBoolean(Keys.realm.ldap.synchronizeUsers.removeDeleted, true);
+        LDAPConnection ldapConnection = getLdapConnection();
+        if (ldapConnection != null) {
+            try {
+                String accountBase = settings.getString(Keys.realm.ldap.accountBase, "");
+                String uidAttribute = settings.getString(Keys.realm.ldap.uid, "uid");
+                String accountPattern = settings.getString(Keys.realm.ldap.accountPattern, "(&(objectClass=person)(sAMAccountName=${username}))");
+                accountPattern = StringUtils.replace(accountPattern, "${username}", "*");
+
+                SearchResult result = doSearch(ldapConnection, accountBase, accountPattern);
+                if (result != null && result.getEntryCount() > 0) {
+                    final Map<String, UserModel> ldapUsers = new HashMap<String, UserModel>();
+
+                    for (SearchResultEntry loggingInUser : result.getSearchEntries()) {
+
+                        final String username = loggingInUser.getAttribute(uidAttribute).getValue();
+                        logger.debug("LDAP synchronizing: " + username);
+
+                        UserModel user = getUserModel(username);
+                        if (user == null) {
+                            user = new UserModel(username);
+                        }
+
+                        if (!supportsTeamMembershipChanges())
+                            getTeamsFromLdap(ldapConnection, username, loggingInUser, user);
+
+                        // Get User Attributes
+                        setUserAttributes(user, loggingInUser);
+
+                        // store in map
+                        ldapUsers.put(username, user);
+                    }
+
+                    if (deleteRemovedLdapUsers) {
+                        logger.debug("detecting removed LDAP users...");
+
+                        for (UserModel userModel : super.getAllUsers()) {
+                            if (LDAP_PASSWORD_KEY.equals(userModel.password)) {
+                                if (! ldapUsers.containsKey(userModel.username)) {
+                                    logger.info("deleting removed LDAP user " + userModel.username + " from backing user service");
+                                    super.deleteUser(userModel.username);
+                                }
+                            }
+                        }
+                    }
+
+                    for (UserModel user : ldapUsers.values()) {
+                        // Push the ldap looked up values to backing file
+                        super.updateUserModel(user);
+                        if (!supportsTeamMembershipChanges()) {
+                            for (TeamModel userTeam : user.teams)
+                                updateTeamModel(userTeam);
+                        }
+                    }
+
+                }
+            } finally {
+                ldapConnection.close();
+            }
+        }
+    }
+
+    private LDAPConnection getLdapConnection() {
+        try {
+			URI ldapUrl = new URI(settings.getRequiredString(Keys.realm.ldap.server));
+			String bindUserName = settings.getString(Keys.realm.ldap.username, "");
+			String bindPassword = settings.getString(Keys.realm.ldap.password, "");
+			int ldapPort = ldapUrl.getPort();
+
+            if (ldapUrl.getScheme().equalsIgnoreCase("ldaps")) {	// SSL
+				if (ldapPort == -1)	// Default Port
+					ldapPort = 636;
+
+                SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());
+                return new LDAPConnection(sslUtil.createSSLSocketFactory(), ldapUrl.getHost(), ldapPort, bindUserName, bindPassword);
+			} else {
+				if (ldapPort == -1)	// Default Port
+					ldapPort = 389;
+
+                LDAPConnection conn = new LDAPConnection(ldapUrl.getHost(), ldapPort, bindUserName, bindPassword);
+
+				if (ldapUrl.getScheme().equalsIgnoreCase("ldap+tls")) {
+					SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());
+
+					ExtendedResult extendedResult = conn.processExtendedOperation(
+						new StartTLSExtendedRequest(sslUtil.createSSLContext()));
+
+					if (extendedResult.getResultCode() != ResultCode.SUCCESS) {
+						throw new LDAPException(extendedResult.getResultCode());
+					}
+				}
+				return conn;
+			}
+		} catch (URISyntaxException e) {
+			logger.error("Bad LDAP URL, should be in the form: ldap(s|+tls)://<server>:<port>", e);
+		} catch (GeneralSecurityException e) {
+			logger.error("Unable to create SSL Connection", e);
+		} catch (LDAPException e) {
+			logger.error("Error Connecting to LDAP", e);
+		}
+
+        return null;
+	}
+
+    /**
+	 * Credentials are defined in the LDAP server and can not be manipulated
+	 * from Gitblit.
+	 *
+	 * @return false
+	 * @since 1.0.0
+	 */
+	@Override
+	public boolean supportsCredentialChanges() {
+		return false;
+	}
+
+    /**
+	 * If no displayName pattern is defined then Gitblit can manage the display name.
+	 *
+	 * @return true if Gitblit can manage the user display name
+	 * @since 1.0.0
+	 */
+	@Override
+	public boolean supportsDisplayNameChanges() {
+		return StringUtils.isEmpty(settings.getString(Keys.realm.ldap.displayName, ""));
+	}
+
+    /**
+	 * If no email pattern is defined then Gitblit can manage the email address.
+	 *
+	 * @return true if Gitblit can manage the user email address
+	 * @since 1.0.0
+	 */
+	@Override
+	public boolean supportsEmailAddressChanges() {
+		return StringUtils.isEmpty(settings.getString(Keys.realm.ldap.email, ""));
+	}
+
+
+    /**
+	 * If the LDAP server will maintain team memberships then LdapUserService
+	 * will not allow team membership changes.  In this scenario all team
+	 * changes must be made on the LDAP server by the LDAP administrator.
+     *
+     * @return true or false
+	 * @since 1.0.0
+     */
+    public boolean supportsTeamMembershipChanges() {
+		return !settings.getBoolean(Keys.realm.ldap.maintainTeams, false);
+	}
+
+	@Override
+	public UserModel authenticate(String username, char[] password) {
+		String simpleUsername = getSimpleUsername(username);
+
+        LDAPConnection ldapConnection = getLdapConnection();
+		if (ldapConnection != null) {
+			try {
+				// Find the logging in user's DN
+				String accountBase = settings.getString(Keys.realm.ldap.accountBase, "");
+				String accountPattern = settings.getString(Keys.realm.ldap.accountPattern, "(&(objectClass=person)(sAMAccountName=${username}))");
+				accountPattern = StringUtils.replace(accountPattern, "${username}", escapeLDAPSearchFilter(simpleUsername));
+
+				SearchResult result = doSearch(ldapConnection, accountBase, accountPattern);
+				if (result != null && result.getEntryCount() == 1) {
+					SearchResultEntry loggingInUser = result.getSearchEntries().get(0);
+					String loggingInUserDN = loggingInUser.getDN();
+
+					if (isAuthenticated(ldapConnection, loggingInUserDN, new String(password))) {
+						logger.debug("LDAP authenticated: " + username);
+
+						UserModel user = getUserModel(simpleUsername);
+						if (user == null)	// create user object for new authenticated user
+							user = new UserModel(simpleUsername);
+
+						// create a user cookie
+						if (StringUtils.isEmpty(user.cookie) && !ArrayUtils.isEmpty(password)) {
+							user.cookie = StringUtils.getSHA1(user.username + new String(password));
+						}
+
+						if (!supportsTeamMembershipChanges())
+							getTeamsFromLdap(ldapConnection, simpleUsername, loggingInUser, user);
+
+						// Get User Attributes
+						setUserAttributes(user, loggingInUser);
+
+						// Push the ldap looked up values to backing file
+						super.updateUserModel(user);
+						if (!supportsTeamMembershipChanges()) {
+							for (TeamModel userTeam : user.teams)
+								updateTeamModel(userTeam);
+						}
+
+						return user;
+					}
+				}
+			} finally {
+				ldapConnection.close();
+			}
+		}
+		return null;
+	}
+
+	/**
+	 * Set the admin attribute from team memberships retrieved from LDAP.
+	 * If we are not storing teams in LDAP and/or we have not defined any
+	 * administrator teams, then do not change the admin flag.
+	 *
+	 * @param user
+	 */
+	private void setAdminAttribute(UserModel user) {
+		if (!supportsTeamMembershipChanges()) {
+			List<String> admins = settings.getStrings(Keys.realm.ldap.admins);
+			// if we have defined administrative teams, then set admin flag
+			// otherwise leave admin flag unchanged
+			if (!ArrayUtils.isEmpty(admins)) {
+				user.canAdmin = false;
+				for (String admin : admins) {
+					if (admin.startsWith("@")) { // Team
+						if (user.getTeam(admin.substring(1)) != null)
+							user.canAdmin = true;
+                            logger.debug("user "+ user.username+" has administrative rights");
+					} else
+						if (user.getName().equalsIgnoreCase(admin))
+							user.canAdmin = true;
+				}
+			}
+		}
+	}
+
+    private void setUserAttributes(UserModel user, SearchResultEntry userEntry) {
+		// Is this user an admin?
+		setAdminAttribute(user);
+
+        // Don't want visibility into the real password, make up a dummy
+		user.password = LDAP_PASSWORD_KEY;
+
+        // Get full name Attribute
+        String displayName = settings.getString(Keys.realm.ldap.displayName, "");
+        if (!StringUtils.isEmpty(displayName)) {
+			// Replace embedded ${} with attributes
+			if (displayName.contains("${")) {
+				for (Attribute userAttribute : userEntry.getAttributes())
+					displayName = StringUtils.replace(displayName, "${" + userAttribute.getName() + "}", userAttribute.getValue());
+
+				user.displayName = displayName;
+			} else {
+				Attribute attribute = userEntry.getAttribute(displayName);
+				if (attribute != null && attribute.hasValue()) {
+					user.displayName = attribute.getValue();
+				}
+			}
+		}
+
+        // Get email address Attribute
+		String email = settings.getString(Keys.realm.ldap.email, "");
+		if (!StringUtils.isEmpty(email)) {
+			if (email.contains("${")) {
+				for (Attribute userAttribute : userEntry.getAttributes())
+					email = StringUtils.replace(email, "${" + userAttribute.getName() + "}", userAttribute.getValue());
+
+				user.emailAddress = email;
+			} else {
+				Attribute attribute = userEntry.getAttribute(email);
+				if (attribute != null && attribute.hasValue()) {
+					user.emailAddress = attribute.getValue();
+				}
+			}
+		}
+	}
+
+	private void getTeamsFromLdap(LDAPConnection ldapConnection, String simpleUsername, SearchResultEntry loggingInUser, UserModel user) {
+		String loggingInUserDN = loggingInUser.getDN();
+
+        user.teams.clear();		// Clear the users team memberships - we're going to get them from LDAP
+		String groupBase = settings.getString(Keys.realm.ldap.groupBase, "");
+		String groupMemberPattern = settings.getString(Keys.realm.ldap.groupMemberPattern, "(&(objectClass=group)(member=${dn}))");
+
+        groupMemberPattern = StringUtils.replace(groupMemberPattern, "${dn}", escapeLDAPSearchFilter(loggingInUserDN));
+		groupMemberPattern = StringUtils.replace(groupMemberPattern, "${username}", escapeLDAPSearchFilter(simpleUsername));
+
+        // Fill in attributes into groupMemberPattern
+		for (Attribute userAttribute : loggingInUser.getAttributes())
+			groupMemberPattern = StringUtils.replace(groupMemberPattern, "${" + userAttribute.getName() + "}", escapeLDAPSearchFilter(userAttribute.getValue()));
+
+        SearchResult teamMembershipResult = doSearch(ldapConnection, groupBase, groupMemberPattern);
+		if (teamMembershipResult != null && teamMembershipResult.getEntryCount() > 0) {
+			for (int i = 0; i < teamMembershipResult.getEntryCount(); i++) {
+				SearchResultEntry teamEntry = teamMembershipResult.getSearchEntries().get(i);
+				String teamName = teamEntry.getAttribute("cn").getValue();
+
+                TeamModel teamModel = getTeamModel(teamName);
+				if (teamModel == null)
+					teamModel = createTeamFromLdap(teamEntry);
+
+                user.teams.add(teamModel);
+				teamModel.addUser(user.getName());
+			}
+		}
+	}
+
+    private TeamModel createTeamFromLdap(SearchResultEntry teamEntry) {
+		TeamModel answer = new TeamModel(teamEntry.getAttributeValue("cn"));
+		// potentially retrieve other attributes here in the future
+
+        return answer;
+    }
+
+	private SearchResult doSearch(LDAPConnection ldapConnection, String base, String filter) {
+		try {
+			return ldapConnection.search(base, SearchScope.SUB, filter);
+		} catch (LDAPSearchException e) {
+			logger.error("Problem Searching LDAP", e);
+
+            return null;
+		}
+	}
+
+    private boolean isAuthenticated(LDAPConnection ldapConnection, String userDn, String password) {
+		try {
+			// Binding will stop any LDAP-Injection Attacks since the searched-for user needs to bind to that DN
+			ldapConnection.bind(userDn, password);
+			return true;
+		} catch (LDAPException e) {
+			logger.error("Error authenticating user", e);
+			return false;
+		}
+	}
+
+
+    @Override
+    public List<String> getAllUsernames() {
+        synchronizeLdapUsers();
+        return super.getAllUsernames();
+    }
+
+    @Override
+    public List<UserModel> getAllUsers() {
+        synchronizeLdapUsers();
+        return super.getAllUsers();
+    }
+
+    /**
+	 * Returns a simple username without any domain prefixes.
+     *
+     * @param username
+	 * @return a simple username
+	 */
+	protected String getSimpleUsername(String username) {
+		int lastSlash = username.lastIndexOf('\\');
+		if (lastSlash > -1) {
+			username = username.substring(lastSlash + 1);
+		}
+
+        return username;
+	}
+
+    // From: https://www.owasp.org/index.php/Preventing_LDAP_Injection_in_Java
+	public static final String escapeLDAPSearchFilter(String filter) {
+		StringBuilder sb = new StringBuilder();
+		for (int i = 0; i < filter.length(); i++) {
+			char curChar = filter.charAt(i);
+			switch (curChar) {
+			case '\\':
+				sb.append("\\5c");
+				break;
+			case '*':
+				sb.append("\\2a");
+				break;
+			case '(':
+				sb.append("\\28");
+				break;
+			case ')':
+				sb.append("\\29");
+				break;
+                case '\u0000':
+                    sb.append("\\00");
+                    break;
+			default:
+				sb.append(curChar);
+			}
+		}
+		return sb.toString();
+	}
+}