From f3b625d298bab922c64192c25914e352bd87e59e Mon Sep 17 00:00:00 2001
From: John Crygier <john.crygier@aon.com>
Date: Tue, 10 Apr 2012 13:48:06 -0400
Subject: [PATCH] Rework LDAP implementation with unboundid.  Also allows for an LDAP server to be started with Gitblit GO (backed by an LDIF file).

---
 distrib/gitblit.properties |  308 ++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 files changed, 301 insertions(+), 7 deletions(-)

diff --git a/distrib/gitblit.properties b/distrib/gitblit.properties
index e8acfa9..147f2a1 100644
--- a/distrib/gitblit.properties
+++ b/distrib/gitblit.properties
@@ -2,7 +2,9 @@
 # Git Servlet Settings
 #
 
-# Base folder for repositories
+# Base folder for repositories.
+# This folder may contain bare and non-bare repositories but Gitblit will only
+# allow you to push to bare repositories.
 # Use forward slashes even on Windows!!
 # e.g. c:/gitrepos
 #
@@ -28,6 +30,67 @@
 # SINCE 0.5.0
 git.enableGitServlet = true
 
+# Only serve/display bare repositories.
+# If there are non-bare repositories in git.repositoriesFolder and this setting
+# is true, they will be excluded from the ui. 
+#
+# SINCE 0.9.0
+git.onlyAccessBareRepositories = false
+
+#
+# Groovy Integration
+#
+
+# Location of Groovy scripts to use for Pre and Post receive hooks.
+# Use forward slashes even on Windows!!
+# e.g. c:/groovy
+#
+# RESTART REQUIRED
+# SINCE 0.8.0
+groovy.scriptsFolder = groovy
+
+# Scripts to execute on Pre-Receive.
+#
+# These scripts execute after an incoming push has been parsed and validated
+# but BEFORE the changes are applied to the repository.  You might reject a
+# push in this script based on the repository and branch the push is attempting
+# to change.
+#
+# Script names are case-sensitive on case-sensitive file systems.  You may omit
+# the traditional ".groovy" from this list if your file extension is ".groovy" 
+#
+# NOTE:
+# These scripts are only executed when pushing to *Gitblit*, not to other Git
+# tooling you may be using.  Also note that these scripts are shared between
+# repositories. These are NOT repository-specific scripts!  Within the script
+# you may customize the control-flow for a specific repository by checking the
+# *repository* variable.
+#
+# SPACE-DELIMITED
+# CASE-SENSITIVE
+# SINCE 0.8.0
+groovy.preReceiveScripts =
+
+# Scripts to execute on Post-Receive.
+#
+# These scripts execute AFTER an incoming push has been applied to a repository.
+# You might trigger a continuous-integration build here or send a notification.
+#
+# Script names are case-sensitive on case-sensitive file systems.  You may omit
+# the traditional ".groovy" from this list if your file extension is ".groovy" 
+#
+# NOTE:
+# These scripts are only executed when pushing to *Gitblit*, not to other Git
+# tooling you may be using.  Also note that these scripts are shared between
+# repositories. These are NOT repository-specific scripts!  Within the script
+# you may customize the control-flow for a specific repository by checking the
+# *repository* variable.
+# 
+# SPACE-DELIMITED
+# CASE-SENSITIVE
+# SINCE 0.8.0
+groovy.postReceiveScripts =
+
 #
 # Authentication Settings
 #
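Review bot: The groovy.scriptsFolder comment says where hook scripts live but not what write access to that folder implies, although the preReceive/postReceive comments make clear the scripts execute inside Gitblit on every push. Anyone who can drop a file into that folder and name it in the script lists effectively runs code with the server's privileges, so the setting deserves one line on ownership, e.g. `# Scripts in this folder execute inside the Gitblit process on each push; only server administrators should be able to write here.`. Several added comment lines (the onlyAccessBareRepositories text and both "file extension is ".groovy"" lines) end in trailing whitespace that the rest of the file avoids.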
@@ -50,16 +113,19 @@
 # SINCE 0.5.0
 web.allowCookieAuthentication = true
 
-# Either the path to a simple user properties file
+# Either the full path to a user config file (users.conf)
+# OR the full path to a simple user properties file (users.properties)
 # OR a fully qualified class name that implements the IUserService interface.
 # Any custom implementation must have a public default constructor.
 #
 # SINCE 0.5.0
 # RESTART REQUIRED
-realm.userService = users.properties
+realm.userService = users.conf
 
 # How to store passwords.
-# Valid values are plain or md5.  Default is md5.
+# Valid values are plain, md5, or combined-md5.  md5 is the hash of password.
+# combined-md5 is the hash of username.toLowerCase()+password.
+# Default is md5.
 #
 # SINCE 0.5.0 
 realm.passwordStorage = md5
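Review bot: The new combined-md5 description states the hashed input is username.toLowerCase()+password but does not spell out the consequence that the stored hash is bound to the account name, so renaming a user leaves a hash that can no longer match and the password must be reset. Neither mode adds a random salt or iteration count beyond what the comment describes, which operators choosing between them should be able to read here rather than infer. Suggest adding `# NOTE: combined-md5 ties the hash to the login name; renaming a user requires resetting that user's password.` above realm.passwordStorage, and, if the implementation keeps accepting existing md5 entries after a switch, a sentence saying so (I cannot confirm that from this patch).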
@@ -69,6 +135,90 @@
 #
 # SINCE 0.5.0 
 realm.minPasswordLength = 5
+
+# URL of the LDAP server.
+#
+# SINCE 1.0.0
+realm.ldap.server = ldap://my.ldap.server
+
+# Login username for LDAP searches.
+# The domain prefix may be omitted if it matches the domain specified in
+# *realm.ldap.domain*. If this value is unspecified, anonymous LDAP login will
+# be used.
+# 
+# e.g. mydomain\\username
+#
+# SINCE 1.0.0
+realm.ldap.username =
+
+# Login password for LDAP searches.
+#
+# SINCE 1.0.0
+realm.ldap.password =
+
+# The LdapUserService must be backed by another user service for standard user
+# and team management.
+# default: users.conf
+#
+# SINCE 1.0.0
+# RESTART REQUIRED
+realm.ldap.backingUserService = users.conf
+
+# Delegate team membership control to LDAP.
+#
+# If true, team user memberships will be specified by LDAP groups.  This will
+# disable team selection in Edit User and user selection in Edit Team.
+#
+# If false, LDAP will only be used for authentication and Gitblit will maintain
+# team memberships with the *realm.ldap.backingUserService*.
+#
+# SINCE 1.0.0
+realm.ldap.maintainTeams = false
+
+# Root node that all Users sit under in LDAP
+#
+# This is the node that searches for user information will begin from in LDAP
+# If blank, it will search ALL of ldap.  
+#
+# SINCE 1.0.0
+realm.ldap.accountBase = ou=people,dc=example,dc=com
+
+# Filter Criteria for Users in LDAP
+#
+# Query pattern to use when searching for a user account. This may be any valid 
+# LDAP query expression, including the standard (&) and (|) operators.
+# The variable ${username} is replaced  by the string entered by the end user
+#
+# SINCE 1.0.0
+realm.ldap.accountPattern = (&(objectClass=person)(sAMAccountName=${username}))
+
+# Root node that all Teams sit under in LDAP
+#
+# This is the node that searches for user information will begin from in LDAP
+# If blank, it will search ALL of ldap.  
+#
+# SINCE 1.0.0
+realm.ldap.groupBase = ou=groups,dc=example,dc=com
+
+# Filter Criteria for Teams in LDAP
+#
+# Query pattern to use when searching for a team. This may be any valid 
+# LDAP query expression, including the standard (&) and (|) operators.
+# The variable ${username} is replaced  by the string entered by the end user.
+# Other variables appearing in the pattern, such as ${fooBarAttribute}, 
+# are replaced with the value of the corresponding attribute (in this case, fooBarAttribute) 
+# as read from the user's account object matched under realm.ldap.accountBase. Attributes such 
+# as ${dn} or ${uidNumber} may be useful.
+#
+# SINCE 1.0.0
+realm.ldap.groupMemberPattern = (&(objectClass=group)(member=${dn}))
+
+# Users and or teams that are Admins, read from LDAP
+#
+# This is a space delimited list.  If it starts with @, it indicates a Team Name  
+#
+# SINCE 1.0.0
+realm.ldap.admins= @Git_Admins
 
 #
 # Gitblit Web Settings
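Review bot: The realm.ldap.accountPattern comment says ${username} "is replaced by the string entered by the end user" but never states whether that string is escaped as an LDAP filter value (RFC 4515) before substitution; if the unboundid code does not escape it, filter metacharacters in a login name change the meaning of the query, so the contract should be written down, e.g. `# The value substituted for ${username} is escaped as an LDAP filter value; filter syntax in the entered name is not interpreted.` (only if that is what the implementation does). The realm.ldap.groupBase description is a copy of the accountBase text and still says "searches for user information" where it should say team information, and "Users and or teams" should read "Users and/or teams". The server example shows plain ldap:// while realm.ldap.password is stored in clear in this file and sent on bind; if ldaps:// is accepted, the comment should say so and recommend it, and a line advising that this file be readable only by the service account would fit next to the password key. `realm.ldap.admins= @Git_Admins` drops the space before `=` that every other key in the file uses.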
@@ -87,10 +237,52 @@
 # SINCE 0.5.0 
 web.allowAdministration = true
 
+# Allows rpc clients to list repositories and possibly manage or administer the 
+# Gitblit server, if the authenticated account has administrator permissions.
+# See *web.enableRpcManagement* and *web.enableRpcAdministration*.
+#
+# SINCE 0.7.0 
+web.enableRpcServlet = true
+
+# Allows rpc clients to manage repositories and users of the Gitblit instance,
+# if the authenticated account has administrator permissions.
+# Requires *web.enableRpcServlet=true*.
+#
+# SINCE 0.7.0 
+web.enableRpcManagement = false
+
+# Allows rpc clients to control the server settings and monitor the health of this
+# this Gitblit instance, if the authenticated account has administrator permissions.
+# Requires *web.enableRpcServlet=true* and *web.enableRpcManagement*.
+#
+# SINCE 0.7.0 
+web.enableRpcAdministration = false
+
+# Allow Gravatar images to be displayed in Gitblit pages.
+#
+# SINCE 0.8.0
+web.allowGravatar = true
+
 # Allow dynamic zip downloads.
 #
 # SINCE 0.5.0   
 web.allowZipDownloads = true
+
+# Allow optional Lucene integration. Lucene indexing is an opt-in feature.
+# A repository may specify branches to index with Lucene instead of using Git
+# commit traversal. There are scenarios where you may want to completely disable
+# Lucene indexing despite a repository specifying indexed branches.  One such
+# scenario is on a resource-constrained federated Gitblit mirror.
+#
+# SINCE 0.9.0
+web.allowLuceneIndexing = true
+
+# Use Clippy (Flash solution) to provide a copy-to-clipboard button.
+# If false, a button with a more primitive JavaScript-based prompt box will
+# offer a 3-step (click, ctrl+c, enter) copy-to-clipboard alternative.
+#
+# SINCE 0.8.0
+web.allowFlashCopyToClipboard = true
 
 # Default number of entries to include in RSS Syndication links
 #
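Review bot: The web.enableRpcAdministration comment has a duplicated word across the line break ("health of this" / "this Gitblit instance") and lists its prerequisites inconsistently with the key above it, which writes `*web.enableRpcServlet=true*` but then `*web.enableRpcManagement*` without a value. Suggest `# Allows rpc clients to control the server settings and monitor the health of` / `# this Gitblit instance, if the authenticated account has administrator permissions.` / `# Requires *web.enableRpcServlet=true* and *web.enableRpcManagement=true*.`. Since web.enableRpcServlet defaults to true while the two privileged switches default to false, one sentence on the enableRpcServlet key saying that listing repositories is the only operation available in that default state would help readers judge the exposure.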
@@ -104,18 +296,43 @@
 # SINCE 0.5.2
 web.showRepositorySizes = true
 
+# List of custom regex expressions that can be displayed in the Filters menu
+# of the Repositories and Activity pages.  Keep them very simple because you
+# are likely to run into encoding issues if they are too complex.
+#
+# Use !!! to separate the filters 
+#
+# SINCE 0.8.0
+web.customFilters =
+
 # Show federation registrations (without token) and the current pull status
 # to non-administrator users. 
 #
 # SINCE 0.6.0
 web.showFederationRegistrations = false
 
-# This is the message display above the repositories table.
+# This is the message displayed when *web.authenticateViewPages=true*.
+# This can point to a file with Markdown content.
+# Specifying "gitblit" uses the internal login message.
+#
+# SINCE 0.7.0
+web.loginMessage = gitblit
+
+# This is the message displayed above the repositories table.
 # This can point to a file with Markdown content.
 # Specifying "gitblit" uses the internal welcome message.
 #
 # SINCE 0.5.0
 web.repositoriesMessage = gitblit
+
+# Manually set the default timezone to be used by Gitblit for display in the 
+# web ui.  This value is independent of the JVM timezone.  Specifying a blank
+# value will default to the JVM timezone.
+# e.g. America/New_York, US/Pacific, UTC, Europe/Berlin
+#
+# SINCE 0.9.0
+# RESTART REQUIRED
+web.timezone =
 
 # Use the client timezone when formatting dates.
 # This uses AJAX to determine the browser's timezone and may require more
@@ -126,17 +343,28 @@
 # RESTART REQUIRED
 web.useClientTimezone = false
 
+# Time format
+# <http://download.oracle.com/javase/6/docs/api/java/text/SimpleDateFormat.html>
+#
+# SINCE 0.8.0
+web.timeFormat = HH:mm
+
 # Short date format
 # <http://download.oracle.com/javase/6/docs/api/java/text/SimpleDateFormat.html>
 #
 # SINCE 0.5.0
 web.datestampShortFormat = yyyy-MM-dd
 
+# Long date format
+#
+# SINCE 0.8.0
+web.datestampLongFormat = EEEE, MMMM d, yyyy
+
 # Long timestamp format
 # <http://download.oracle.com/javase/6/docs/api/java/text/SimpleDateFormat.html>
 #
 # SINCE 0.5.0
-web.datetimestampLongFormat = EEEE, MMMM d, yyyy h:mm a z
+web.datetimestampLongFormat = EEEE, MMMM d, yyyy HH:mm Z
 
 # Mount URL parameters
 # This setting controls if pretty or parameter URLs are used.
@@ -155,7 +383,9 @@
 # to preemptively replace '/' with '*' or '!' for url string parameters.
 #
 # <https://issues.apache.org/jira/browse/WICKET-1303>
-# <http://tomcat.apache.org/security-6.html>
+# <http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.10>
+# Add *-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true* to your
+# *CATALINA_OPTS* or to your JVM launch parameters
 #
 # SINCE 0.5.2
 web.forwardSlashCharacter = /
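Review bot: The added instruction to set -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true does not say that it re-enables behaviour Tomcat disabled as a security fix (the very entry the new security-6 anchor points at), so a reader may apply it without weighing the alternative the surrounding comment already offers, namely changing web.forwardSlashCharacter. Suggest prefacing the two new lines with `# NOTE: ALLOW_ENCODED_SLASH=true relaxes a Tomcat hardening default for the whole container;` / `# prefer setting web.forwardSlashCharacter unless encoded slashes are genuinely required.`.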
@@ -182,6 +412,12 @@
 # SINCE 0.5.0
 web.repositoryRootGroupName = main
 
+# Display the repository swatch color next to the repository name link in the 
+# repositories list. 
+#
+# SINCE 0.8.0
+web.repositoryListSwatches = true
+
 # Choose the diff presentation style: gitblt, gitweb, or plain
 #
 # SINCE 0.5.0
@@ -204,6 +440,12 @@
 # SINCE 0.5.0 
 web.generateActivityGraph = true
 
+# The number of days to show on the activity page.
+# Value must exceed 0 else default of 14 is used
+#
+# SINCE 0.8.0
+web.activityDuration = 14
+
 # The number of commits to display on the summary page
 # Value must exceed 0 else default of 20 is used
 #
@@ -223,6 +465,12 @@
 #
 # SINCE 0.5.0
 web.itemsPerPage = 50
+
+# Registered file extensions to ignore during Lucene indexing
+#
+# SPACE-DELIMITED
+# SINCE 0.9.0
+web.luceneIgnoreExtensions = 7z arc arj bin bmp dll doc docx exe gif gz jar jpg lib lzh odg odf odt pdf ppt png so swf xcf xls xlsx zip
 
 # Registered extensions for google-code-prettify
 #
@@ -269,10 +517,13 @@
 # Example global regex substitutions
 # Use !!! to separate the search pattern and the replace pattern
 # searchpattern!!!replacepattern
+# SINCE 0.5.0
 regex.global.bug = \\b(Bug:)(\\s*[#]?|-){0,1}(\\d+)\\b!!!<a href="http://somehost/bug/$3">Bug-Id: $3</a>
+# SINCE 0.5.0
 regex.global.changeid = \\b(Change-Id:\\s*)([A-Za-z0-9]*)\\b!!!<a href="http://somehost/changeid/$2">Change-Id: $2</a>
 
 # Example per-repository regex substitutions overrides global
+# SINCE 0.5.0
 regex.myrepository.bug = \\b(Bug:)(\\s*[#]?|-){0,1}(\\d+)\\b!!!<a href="http://elsewhere/bug/$3">Bug-Id: $3</a>
 
 #
@@ -301,6 +552,7 @@
 #
 # SINCE 0.6.0
 mail.username =
+# SINCE 0.6.0
 mail.password =
 
 # from address for generated emails
@@ -313,6 +565,17 @@
 # SPACE-DELIMITED
 # SINCE 0.6.0
 mail.adminAddresses = 
+
+# List of email addresses for sending push email notifications.
+#
+# This key currently requires use of the sendemail.groovy hook script.
+# If you set sendemail.groovy in *groovy.postReceiveScripts* then email
+# notifications for all repositories (regardless of access restrictions!)
+# will be sent to these addresses.
+#
+# SPACE-DELIMITED
+# SINCE 0.8.0
+mail.mailingLists =
 
 #
 # Federation Settings
@@ -391,6 +654,13 @@
 #   if unspecified, the folder is *git.repositoriesFolder*
 #   if specified, the folder is relative to *git.repositoriesFolder*
 #
+# bare:
+#   if true, each repository will be created as a *bare* repository and will not
+#   have a working directory.
+#
+#   if false, each repository will be created as a normal repository suitable
+#   for local work.
+#
 # mirror:
 #   if true, each repository HEAD is reset to *origin/master* after each pull.
 #   The repository will be flagged *isFrozen* after the initial clone.
@@ -439,6 +709,13 @@
 # RESTART REQUIRED
 server.useNio = true
 
+# Context path for the GO application.  You might want to change the context
+# path if running Gitblit behind a proxy layer such as mod_proxy.
+#
+# SINCE 0.7.0
+# RESTART REQUIRED
+server.contextPath = /
+
 # Standard http port to serve.  <= 0 disables this connector.
 # On Unix/Linux systems, ports < 1024 require root permissions.
 # Recommended value: 80 or 8080
@@ -454,6 +731,14 @@
 # SINCE 0.5.0
 # RESTART REQUIRED
 server.httpsPort = 8443
+
+# Port for serving an Apache JServ Protocol (AJP) 1.3 connector for integrating
+# Gitblit GO into an Apache HTTP server setup.  <= 0 disables this connector.
+# Recommended value: 8009
+#
+# SINCE 0.9.0
+# RESTART REQUIRED
+server.ajpPort = 0
 
 # Specify the interface for Jetty to bind the standard connector.
 # You may specify an ip or an empty value to bind to all interfaces.
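Review bot: The server.ajpPort comment recommends 8009 for Apache integration but does not mention that the AJP connector relies entirely on the fronting httpd for authentication and request filtering, nor does it point to the companion *server.ajpBindInterface* key this patch also adds. A reader who only sees this block may open the port broadly; suggest `# AJP performs no authentication of its own: keep *server.ajpBindInterface* limited to the interface the fronting httpd connects from.` above server.ajpPort.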
@@ -473,6 +758,15 @@
 # RESTART REQUIRED
 server.httpsBindInterface = localhost
 
+# Specify the interface for Jetty to bind the AJP connector.
+# You may specify an ip or an empty value to bind to all interfaces.
+# Specifying localhost will result in Gitblit ONLY listening to requests to
+# localhost.
+#
+# SINCE 0.9.0
+# RESTART REQUIRED
+server.ajpBindInterface = localhost
+
 # Password for SSL keystore.
 # Keystore password and certificate password must match.
 # This is provided for convenience, its probably more secure to set this value

--
Gitblit v1.9.1