From 374ec39a4a8b54593c72063d4e038c75047f2daf Mon Sep 17 00:00:00 2001
From: Sameer Naik <sameer@damagehead.com>
Date: Sun, 6 Apr 2014 13:32:26 +0530
Subject: [PATCH] Added LDAP configuration options, close #36

---
 Changelog.md                            |   3 +++
 README.md                               |  10 +++++++++
 assets/init                             |  28 ++++++++++++++++++++++++
 assets/setup/config.tar.bz2             | Bin 7822 -> 7842 bytes
 assets/setup/config/gitlabhq/gitlab.yml |  20 ++++++++---------
 5 files changed, 51 insertions(+), 10 deletions(-)

diff --git a/Changelog.md b/Changelog.md
index 9bd4cd30..393e48c3 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,5 +1,8 @@
 # Changelog
 
+**latest**
+- added LDAP configuration options.
+
 **6.7.3**
 - upgrade gitlab to 6.7.3
 - install ruby2.0 from ppa
diff --git a/README.md b/README.md
index 3ee4b33d..9336a3c8 100644
--- a/README.md
+++ b/README.md
@@ -292,6 +292,16 @@ Below is the complete list of available options that can be used to customize yo
 - **SMTP_USER**: SMTP username.
 - **SMTP_PASS**: SMTP password.
 - **SMTP_STARTTLS**: Enable STARTTLS. Defaults to true.
+- **LDAP_ENABLED**: Enable LDAP. Defaults to false
+- **LDAP_HOST**: LDAP Host
+- **LDAP_PORT**: LDAP Port. Defaults to 636
+- **LDAP_UID**: LDAP UID. Defaults to sAMAccountName
+- **LDAP_METHOD**: LDAP method, Possible values are ssl, tls and plain. Defaults to ssl
+- **LDAP_BIND_DN**:
+- **LDAP_PASS**: LDAP password
+- **LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN**: If enabled, GitLab will ignore everything after the first '@' in the LDAP username submitted by the user on login. Defaults to false if LDAP_UID is userPrincipalName, else true.
+- **LDAP_BASE**: Base where we can search for users. No default.
+- **LDAP_USER_FILTER**: Filter LDAP users. No default.
 
 # Maintenance
 
diff --git a/assets/init b/assets/init
index f7e4edb7..d98a592d 100755
--- a/assets/init
+++ b/assets/init
@@ -37,6 +37,17 @@ SMTP_USER=${SMTP_USER:-}
 SMTP_PASS=${SMTP_PASS:-}
 SMTP_STARTTLS=${SMTP_STARTTLS:-true}
 
+LDAP_ENABLED=${LDAP_ENABLED:-false}
+LDAP_HOST=${LDAP_HOST:-}
+LDAP_PORT=${LDAP_PORT:-636}
+LDAP_UID=${LDAP_UID:-sAMAccountName}
+LDAP_METHOD=${LDAP_METHOD:-ssl}
+LDAP_BIND_DN=${LDAP_BIND_DN:-}
+LDAP_PASS=${LDAP_PASS:-}
+LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN=${LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN:-}
+LDAP_BASE=${LDAP_BASE:-}
+LDAP_USER_FILTER=${LDAP_USER_FILTER:-}
+
 case "${DB_TYPE}" in
 	mysql) DB_PORT=${DB_PORT:-3306} ;;
 	postgres) DB_PORT=${DB_PORT:-5432} ;;
@@ -48,6 +59,11 @@ case "${GITLAB_BACKUPS}" in
 	disable|*) GITLAB_BACKUP_EXPIRY=${GITLAB_BACKUP_EXPIRY:-0} ;;
 esac
 
+case "${LDAP_UID}" in
+	userPrincipalName) LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN=${LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN:-false} ;;
+	*) LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN=${LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN:-true}
+esac
+
 # generate a password for root.
 ROOT_PASSWORD=$(pwgen -c -n -1 12)
 echo "root:$ROOT_PASSWORD" | chpasswd
@@ -179,6 +195,18 @@ sed 's/{{SMTP_PASS}}/'${SMTP_PASS}'/' -i /home/git/gitlab/config/initializers/sm
 sed 's/{{SMTP_DOMAIN}}/'${SMTP_DOMAIN}'/' -i /home/git/gitlab/config/initializers/smtp_settings.rb
 sed 's/{{SMTP_STARTTLS}}/'${SMTP_STARTTLS}'/' -i /home/git/gitlab/config/initializers/smtp_settings.rb
 
+# apply LDAP configuration
+sudo -u git -H sed 's/{{LDAP_ENABLED}}/'${LDAP_ENABLED}'/' -i /home/git/gitlab/config/gitlab.yml
+sudo -u git -H sed 's/{{LDAP_HOST}}/'${LDAP_HOST}'/' -i /home/git/gitlab/config/gitlab.yml
+sudo -u git -H sed 's/{{LDAP_PORT}}/'${LDAP_PORT}'/' -i /home/git/gitlab/config/gitlab.yml
+sudo -u git -H sed 's/{{LDAP_UID}}/'${LDAP_UID}'/' -i /home/git/gitlab/config/gitlab.yml
+sudo -u git -H sed 's/{{LDAP_METHOD}}/'${LDAP_METHOD}'/' -i /home/git/gitlab/config/gitlab.yml
+sudo -u git -H sed 's/{{LDAP_BIND_DN}}/'${LDAP_BIND_DN}'/' -i /home/git/gitlab/config/gitlab.yml
+sudo -u git -H sed 's/{{LDAP_PASS}}/'${LDAP_PASS}'/' -i /home/git/gitlab/config/gitlab.yml
+sudo -u git -H sed 's/{{LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN}}/'${LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN}'/' -i /home/git/gitlab/config/gitlab.yml
+sudo -u git -H sed 's/{{LDAP_BASE}}/'${LDAP_BASE}'/' -i /home/git/gitlab/config/gitlab.yml
+sudo -u git -H sed 's/{{LDAP_USER_FILTER}}/'${LDAP_USER_FILTER}'/' -i /home/git/gitlab/config/gitlab.yml
+
 # take ownership of /home/git/data
 chown git:git /home/git/data
 
diff --git a/assets/setup/config.tar.bz2 b/assets/setup/config.tar.bz2
index f4bf40e4bcf716a82138afcbabae43e42c0716af..88b4082c1a14b80d3c495b45294f68246fd75f80 100644
GIT binary patch
literal 7842
zcmV;T9$n!=T4*^jL0KkKS&c$>s{j*Lf5-lo2>^fp|NsC0|L*_)|Na0F01ybk1ONaC
zU?ZIR_U(9a<l)=9sIGtj(`$mj-MH7+d)>P0y7zN{tv37S@$6wqTVPiOZLB-FUD#+T
zE2c`RK`ji9O-O<@w$p~N8pL9b+Eh}o#DM?=0%Xdk;8fG}!Bg~VCz5BBhSc>vJyRx|
zP<nb$&}cMhGyw$AO$nsM9!aKC(^00Lri}-vG#UT^007Vd6DHJD^)%W?sp>S)XwYN;
z0MGyc00EEy03;+pKqjWA=q8D^Hj%0iDf&~=W>eHOdV!(kJx@Y3XaHy$45d#`N?|l;
z(@hMTVhl`7fq^j$K+^&+5s{F|iGoCd0DuJ0O(sX7DddmIPg7*YJv5IfXah&6JwSSZ
z2kHFCPd~0d>`k7C*QGC5Gb}Pf$|g1q4v+#Lui*9i>YuYq)UJpGvU-SDL2$w2?7Xl?
zcM8h2mIVqqSqlY#&?bSjl1(I<0tN|#Ok+pevA@uL)ar&kd}W;FPP(0am;WYOqYS%h
zr(3#XuOYb&drqd9YxW)KScMUiKN2M-;R^GFUdHy0FG(NdWN)Sv|Bv$zl}j@9-vy@K
zTd9l2dt6JB!uT4m9dLuj`$<Y{+S=NpBL8x)?4NEfbSt^4vgQ7rrC>h~A14%S2LX{B
ziKQV6E=q}FSvp~$X4Lu0sS{&)g)mK63L6_>a=LAsY0;&u`)&F&TnnjQ#?4|JEaYMb
zwKfACF{BL2ryC+L-9@s$xWY>OeiWSch_~>#<yZi0MxOxcY|q=L8{)O=xbt47etLgB
z-E!`(&&1$`kVg1(2Z^^tvD)5L<HB|m;(fe+BN($ycP_<M2kjy+=u!6<#G%y^h*G}>
z`DMmaqG+&v&6W}U3ijWaW94nFerSiJ_4(cR@bqfko>b+=`5U#xH9>t&^KtD$`+@|L
z6!o~pph7pHG=yH#LK8_K$)u7U<&lKJ8`S)#E;YjLGD644@BAhyv8E$U1lh5yS`?ZL
z97+KZCMKA}H-c2Yx;<46O-9^gfdT`$5QsD}k%SsdkT=p@Ld${L{qqkD9P?%k3jbEh
zd$4ttJ(aqd_|8FqsN4N$03bcBF2;6@4op8?=)@z_@B029K8qedjF4f{=`MIg#v*9G
zWybJ1Ufc6xp!(xBwrWZ_`y*a@OE5kbiiSZ^voow9K^((`fYQIObzt~J#YH?G3!dUK
zL{uL0(aBg3#uL;1ll*+H;uwI)&g18C)91M*hb#xyghpMs0Gd1lYvH4Y|EjHA;QbcO
zKO#XCouPqd$mENaA`Axhcn1c!Mm7d}Bp9amQBz{&fD~HDNPffHn?d?ZOUX?K6WKTv
zvUh2xEa>oXwb=Z`tGu~az@gZ~C5Nr-vBy2OGuh;0&76U@^ya#B)9&|W?amTKkK=*8
zwgiYyV)b>@RwHCdlEndlLV~zl*;j219;&I{%{b)8u8JXgsB(xAgDMUlzIC)v8(Q_p
zsqhvw@&~Hp;HKyel9|-27RYW4yA63QMlx$~gP%^gl_w++bN<u;)@yE2dXh{sD*|L@
zw*%t}HV7_-i(0-#zU_Nk*b23?)89mDph3=q^sZR>dGKx=VBN7s3)<T#<Dts4=4w^q
zo*54k1@vh}w|K}aoWh#=>yqd+^3h7~s!{WZ0;d3WroLf?LmOo~A*+9AgWwgm^TQ$w
z2<!5<R5Y>+Y*nKB|3${$wJVSm2m~iC!eb)2>it`<JNH%$M9jM<UqRS@H8?xn@NwTT
zr|ONm=Z1J1=MP3sP;lAPhNWr7NI1e;{D*+=n)Kv=*0#|Ch!AxV(+nP&rD3wuBu@6V
zH`>)F?ZDx*Jx^}}R6Aw{Bh7w`y(vtx49?4A!0iwMb|d+zUEWMhcfjhTucHLRuv-32
zq6Ali%HhWcm_>A-UYiqUgO?y1mmE%A)|u_yG}+xtDQ%}r*fJ7AV>KBf*DX1(k2%SZ
zl%k;vyBs<gLZESk;pZdQOA25mRdbmJ^TJ9-P$8Rh5@p1n5t>P>9;zpMhHU2}cL_K&
z6P9DWSl%hv?B|0S^QeOOb<Xl1!1uVmNr`O(1Tw7%SoK%mQzs+Jz8V?|UbgbmvB<!l
z;@h3Zxq+qg*7kI9+D5$*H!yeaEv_6Qi}kSl#|AmX?R!j(oGX-EbH?=-t>3ehj__t8
z*UGq~a&2{Qj4I-^uIJ2G!=z-mqr8e9YMJ<7ohOOHbJ2L3(-+~)K8$)=m5kX8N=Tqs
zd`DyV&}VoW88wr(1|1VgaIv&0=VuwVFOb%fAn!TSZv(=C%!AgRJt;}fgM9XwOtBji
zQo7U(%vAJIVSJvw2N7|12>1Hx6;o`NS|`c|BEH$w=wLQ<S<Xmqq1=*r=r!`NI?&3+
z&Jx1DYYkg3E|r(CtUX9QlW;Shp8%$|s!*(bP3z>X)hz8<Tc@+#Sg3KOlPbSI>#*3#
z<@D*s`L=me%j<d0GKmv?RvP~C%Z>-+LR)YhD&DRNS_^P*9h_qnc>C0?C>k;0V$*|!
z5PV)c?tUFpNLgi+z7rw*+k#re+<z)Z+#otPv{}oYuxz`c7Az)-&fxKTo>bn03ezar
z>y6#klx#~N$x}M?!{L?5A%2gg1OWqRpJEu7kkd}g2$hjY0sq~jcT!r=r%gv092AY0
zQaXx<M3PBoPSVcO)It$Rttz5!Q0j`2+A1w#HtCYmnA<F^`7K4HcBJES4UB4it_@Xw
zHx;bnV`LygD9IrkjzS5LWNsm(#?uDG#+vf$x>`K^^gQWbek>+>50Xb9&w&~+Z8f*o
zqV+9NphMz4<I}ffsH&<DsGw&k6YcD-f50FJi-hj<m2_ADJfRpv2MJlC?nhS%>X7cu
z3qA&(f5%nb-T@6G)+ZZi?bFQxk<e_w!4TX-1UF|Ph<H=qh;X@l@7Jnl3Pk`vsr1`c
zhL*F_MiPFZG;+d@>O)jGTQ}}2_o5Cz+%T1|ee^@=%KwNV!E}B6x5Oesuy(M~pTgVo
zR?Zm88Qvh<*l2|~ImR;dVZRKD8JcV!>bQ9w#yL20-oj8yCYqJ-)2F1sXTo<7+xbIh
zia$FeHXG)f#nf-%Jp~dq_Cf#|e-bK>M1&#WbIIrYY1WpdZ9M{@Uq94Q=x9316ZgN@
z9w;+R;3~)f#v{4u1(}_gZ_FvDmahSIl-o-sBD3c#=FUED521<dskG(up(rgqSU}ki
ze0rXlJWS6hJ_Au~HM^`yOIq6+wKCYxRkh*}#6sJ0@?Lg2<=0H+{qhXTz_G-sqZTGj
zw%Z#x;&9Y#EJJbBFT83n2V!&cI27#TSjZ9c45E6%*x*{4-+MUXUSFuhEEiP}gTzAg
z9s(Cr(?)&tP<K%T1f@_2H-u<o0+KwvZD6H1k_0oT2t4|rsLUlL1q?#oM8ba4d{rsL
zaAW<mjXlOT$B~0yrG?Fi`>VEKeQM$k@aY&mO=AIDSm8^-xO{IewSgwqJdJp2ORPQ7
zFUwX<jMmWQuJ(nV_!!pxHkG!*OI{3yY7m7hhEN3+2sV#p$Q{V&@`MFk%J4&_1$9JN
zS-IQox&h^gMdf0OLKE9ECQLMv)+kur!q=+L<uS*a2Xts<v?$9sVIYGb8UY9ApiAUo
z8>kpl^+DX;@#*Oro!Fnz(DBse=5$2eCMK3G?smp%!U;?;`L9?yQ9K;7Behb`^DMA(
zKn&psD2~>g3eWNvs5-SFmp4IB;Q)ywXR$}ol#}ImETM-A%K6nFei*fT=_!2g>3uQW
zm@s2Wu|J+?^%OpXcHBc|CwfN(pYnO7UGe0ae{%&+=fp931L2#$POpw?qn;6{Z$5e@
z%2iv6Hvox0PqBuhzZ!uwAE##1u>4lbFO+58d<gEi!}4_Ce(@r94)GFvP)M6%=rhFx
zD5zCBbHPKw(lmikk@y!cU?z~f&>H5wrxGo#e*}lQxB2(rax6Ppjg5^lwCKQv)#~#H
z3Y4<6>O&7vfY}bTmca=dasx^PLr4N1B0ztEVpY<1PSKiePOtSJZXjB-qvL1|qL&)Z
z{05n+rJk;kJZ!GP)nE!OqO4bWQaQr%Z0?~izhrhKav`xLPd38yA~FK1aY{{iqAW>A
z;MaJ$GY8hCj(vxkwlwU{!I@xHSOB~IFtS|x_V!!~vrJq>ZR%~O9(*~A24<z?fbGmJ
zT`(m%;fefY`iY*m@4YVQU|)?fiMorSLI{<`qP-wevGCPDjuCl@;Bo2b>&{xOaU;Jq
zUsTDU-GC5aV7i>r-G;E9cMEikoFk@agnp<h(!iLxS^>C-8yLs&W9A<_9yw?}_PgrI
z5N13^xo+YD7oFxAilT!^#5hR3&vQW;#1p7qCK~-A2awV#8FP}mCbH|QZdq0Y7ILhy
zCeR&@)x5CCs7GeqY|G$7LMN2m?z-5P!xBpHTY&Ht`SIc0iKH9ouzH4=*x9hp*lsVU
zmir3JoIq+elF&!7iCJg4LXk9B2&0l{=d5Z5=~-J2VuAE>_Wvj79wEAFKA%GGX?A<>
z`hNu<H{SSLJblxy(e^1tDxyd6RPb=IAFfqGL>T2HRGN=wDk-jpJ!wiNO4BU!u4bx-
z11IYYjL0q^0GsqNinqaetR`8Q^%JH*WrQgOcXeY3OI*j}DvYXcL%5qem4%&x6<tm#
zgA-vT12ZWXu~-@r3}hF$K;Pq!hYm(Ouft6@$Hi}H4d=fd#j(ywB&;DK?218Q`PZ=v
zU73>)siGJwn29x{!fBo+pzUL00gVi8w2~&84`a;O#7^^*KO;sq8x{q8H^QMT#1lK3
zq`vK)jV6=zWLCV4!z|Gu-hRC~UObsGAEFJOVBv%SKE>O?pg95%p(n!=4@D|C>=)JD
zRVH(Jwk{*nJ<f}BZIG>f8rxx6A$!?snRSZfc?BV~n+PE^a6D_<2qt6XY@0!_ZM1bm
zyNcbdkQcJZx9A{Dnaodxu1*wnA7SriNr$Er{1#FVIGQPO(^!{t7SWmY?6TUhN?BI%
zX`x>0d=fGSBL=+zjeR_tCZ#BzOqrNipM-_BMIRwq7HT#nxdaeFRf{{jmLe9riZA)H
z>I|bP5Fxo4z|v8lGV?W$j|7s>6T`{gykDbI8yi$Jn7G?r#|6Qd^cwY{jj$NRZD1Yk
z38p0>h_BOunfwR$y6j~VHYT>t14POo+`BL*QnlcnniimRj$#(RqmG!pXDSzdaUt4j
zT{YOA^Ty{5F1QZJZ3}Z!hBlJVL~75Wmi7(8P4xyW4*hj@!fhs+WU!vBAz?g~{G)~0
z?}(ey7DNUEQxUpFv4W%xNdpgS*wD;E{$z_}+Oi-H4h#isOPr8E(0_)154nBc_p9&w
zKKP1i0|j1dab)!tC0HTLWkOs853yay;6&R9s9sq|CJGpV$aXd{hjmd9(688{$MHS-
z1WQMD*v8xwUGW&&tnD=My+2Dq1x^UXpTw;#j4^f~Kr&^<Qxvm-bgt7bRX_e<U8zXB
z7E((T#>O798;j&B$%M^1rLN1DE~~5=>@WWY2PQ2C)iKP}+^9#BO^q>+)G=Y%J8`gR
z4{nf?uqd^Z;gS3E?DFu_UOfrt(11Nm`l?Tzz-v+wbqfJ-#q=BFa`#3nds!Ts;Kpzf
z(x-CVn`T2(+v<f3V`Ff_{~qjmvM)#<B@@(-=~Pw%1+J>v1vLmRNc;p>6Yl41y)U3W
z(Uzxb=L|%+u6Kw<Dup6M5Hr=AF@~igs_MWAItWZl#<{?DQh>u<0x28eK9HceT7wF4
zEVM*%iwz=1g02*8V9T0bgEjYDWVS+y93M+D9*nT9vRU{V=EC_=5Zc?MOGF7%B!xo*
zUL9&8qqmPkT=B(XQ<mp_M3~)%Ht%{xm#w>1b--PiRO1?NsezB5T0PRk3_+Mvk#b=q
z#6v1j2SvRcW9W2dRr+Lba%*c2i?c1OWejW@1cj1MFo8ahz62LW+8a(GipX@8)H}K0
zb~}%__|+#!Gd`6bD?6VT>)O@LEO|a~LdS_Iy(p`YpuKip3sr{Q!@01^?~`p62nXQR
zvL2lUlUC`wj+<Wb3q|#@jU;5kr0Be)Q-Y4F3um{w8MwI$oc2M?7T}<)vOc;JTWi&+
zy+^at2c{3AtG7NU!Oct4kqqT<*{zOH4?Nm=vA!kKAFLv85wnqY?bM)hu5um|awahE
zuQO28PVSLrJ_o=%zHr233Z}#`DGg|meFX_!XbTHcdyAHgcRDnOS`Oh^Io^aCUSaPM
z9qGjAZ#PhvWhZr99m5%p%c*&MVzvk@R8Z7gc^)}ynpvRCmJYtwT%z}5a)q&kTDj&B
zwxgP$2#idOt-0!{#g|`*8K-4j@?zs>RkfzDa3sVnWr&MKqYnC5>YI#gjEu5q&Ypg4
zBJAmfq>1Om-^a$T48%Bj%eIeNwXD}TK(*(EZ!b+XDJ+~CNZx^}UQb3BPDg~<5^)*v
zJflgmb~7?$7_mu+-#}Fjp~;<(ubzo5ufZgrt)7?LZ9`JcY9JyO34>tn6+x>>D;7Nv
zp|zulg)~D&rg?^gB!VO(X|#(-4LWP7L@vr?1z@Df2-`KlxHnQaR7g_rW|((nfk{@k
zPwa-q!sAAdvJ&xPGo0j)QzRXB!45!ovJD}oCaNgD7=wPTJ^~?jGf!2v7G7f%mMyi;
zMGJA5rRPhmXygoPNeC#!L%4z?Y{alS**_6<yr@xnT1l}DgJNt*+!c}dUTl6$MT`})
z3GztTixM{-hEP>XxWhElXl!i_o%fBHa9&^!)R}PoRSC8~6IPO~u=OC$X>&z#`IIyb
zcaA^ryM0+1BT(3H?div5QS6O(oXqsn!w6^$q5M=vkl6YU;twMM1uadRm%$Dcr@!AX
zVYbv|?IuQrn+;-ekAYxnL@LWB6ytD~(uvm1h+5$)GuJe>qZYi8d)%5=)X->#dYCqq
zZdWKg7HLm<1F)7h-KME*DBbSs&xO%VH>>&|Wnl$sOIImU;wVzC9Gzw3$n#zm^F(dd
zVm1X-jay!>-TRmt23F}UpFlix=_w(3RM==~;^zmOA?OuC!GU(%QEie)$~+}88twqW
zFk?t;5Y8Q@tcsd{@3=NEbMZO{G;2dmrkWdVG!45$DpAuIjQRPM((g@o2ip%64447i
z?<*f{T31pivCZvnuX5A~gg{%*iaHtv0`5-W?5Scx1#=KhT(9kS7hsuE=9Ud2CSgTS
zZh@lwam;DoJBc3|<KhEo8y5w;>+vt~`5vPw!HA%TT0Ix1?Y_8$!K5{&bx3F>+E;TW
zTh=!#xK0&QiI@@xxfNxd=H#3y&a6b+ZATo&sdY>(d$nVJHXUU~O%(AGyK!+_qw%pM
zJ0xAv2np%~#hGdqYYQyE9^5Jl-Vj<}I1|qoa%W1sr>i2YEmwA98%dO!DPKNL)Prdj
zDVes()TA);412j6Xcb99F0Gcwu|4B1e!;FTftt+D1q^|=4CKfngu(qB;%H(xSWmRg
zY~FaAY}LV&b1u($%f*`W^9tW?BWW9A-C{nMr$Q>N8cUD?V<MLknDz1ND>iu6wB8u5
zyxqx7L8#=DWJ!MG+w_+kORJ61d7A^hmL>cwv{%U149%!CHZdlObs|Z0!DwLa(aeTN
z7acD{^j(4)d1V~7Az!8DiDEv<2h1)b7{<?(k^}ihe0tv42Ai@|OHeFRf^6|cX^4el
zFnwkQE~<Rx?N=z_A!J&xky=L^e-yf8A~6BoUKN>P!b__F>Lr>TNerCW&=^3>F{}c_
z9quSl*=u2I4g3&*-4ZzvF^v&V;c?eGrJ*5~By^#da}j#JNRpRJT%ENys12@@4H=6d
zL+(cUHFibD$F;#RqBi5JMMaAZQALuD&8E~C9)yRntuR56YpABO8QRqW1kwY!g2X4t
zuuKKiHr=rr!8?_8u2C|Tl7M3ll0uY=8E_&eGnIRq7rwDx28NHXuJssecEn0b%(R86
z5i3)HRS;RmD8nwMwJ5lZ1Y%|0yGA3EUwNSCVitHZ%?+TlxWeqEq`0=Zh||CT$!TIT
zk`)9F=~L9TTCn336Rhw^3dsZJT^5@VNCGMWG=m<whB(wo7tS+U*Vsn>&T#U@)@hSS
zZ%71tQADxx7^JF=#lnytJ3exN)1Vdx#*<*fD4W&SctHnq1~S{4UKFh6fG}kG(2_-f
zX_@Km8LY!nNVh$#(_v*k`xi7elVI9d>~P>i(u_gyzILT7Uln@n)J(lL3H;Es!63G@
zi!r&Do+HJPL$=!_!KnJ#M>c|byHML2U@&73sIJs!&0#@+yjSF47t;IR6w9EYrQd!g
zvno5r=1p+((5A0*%au@!qqP_$KBGrEpMSE3!P)am$`lBn0ab9^FoB;X=Q%g2s7qe-
zdp<%6LtYGtHrpUQ%!0;eKCcO){VpoVv}{zr2M^tziz`y*=`=$5-BwK{l1m~aV`}F}
zEY_nJ4n$P^&0UxV#vdyYnq`e<sM!k%E>b%bj@BC2$iB<XR21<DJ-mYCb#udf5Y7+j
zfIGMGA8J=Z=hK<i$0I#+Gzf)TmAlY=9mUi`O$A+?LXa5yU#E1kZ8kQ>MHFqh72IV)
ze$Am)2p)C>8ABs*kqm<)Lt?>!YL`roqzW?`7|>PVMA92h_!I?ztc7Jv02p&KjXZpP
z@Gqc=E^xqCxDjL`$lK=_5i+D~lfkMTOU607eqI!9J%sq+y%dWNhNc;hJ7K`|T%b=5
zImk2`V$4_g^V_dmxH7J`3$5f^^Ed3r6D#M9hW7YY0A^>F0`PDM3Qj?kJKdkWLo+Vh
z`-Pp6Nod3$MUoWc)@-{%hz@0v#fWKwGf4KbHyZg2J@KePa8VgQBVoj(y-Y^bTXzHL
zEDAJJ5=Rv-nxUjOI(4BN&|CuG(@LOuZ!%kLYf#<$AQ0Qyl_+$S^5LQ2X=Q4NQJAZj
zU$}>47)X{|ZW(Hju*W&HF!dama{&E0=Mp@!C}QRsFm`t_OtN~&n;5Z!Gp!^W1j)iG
z7@)}%-G!h`G*J~nsD&jnNVDk_c@8D0tShbMucnIV*ATfUtrIO;!1H?IwqRytVo0^F
zD9gc=##l0Bhl&yyI#$$aghv$xAk9R5FlgB&c#LLOA`E42N}2DWf9e$Q7l(x$gfC`l
zv~T*(ok07@q$Fw{JfUh(ZwjkRwAgoH3uKMV+8zYMmXjxt?zXiR+hbrR&_MWKk@ZEZ
zS?Hdng4P;JFl)lISVr}DTbPVs=)k@S_GO*@-rTJ7V||Z~#K~@pVq`3xp7QFK%K7Ow
zb;oGiWsfM0|FIuo%81m9fq0t+#G6cZ%Z;oa?J)Cx77c*fL5H|v=6QxkoJ^`!QM8+V
zyOEjMsS1*OqvB@Eq9Wk*X?Ku9S&I}_RVs<zj)?(Ib9m7hu0ri%uFKzlyn5}E<m%(a
zOh#;m;tmPbCZx=%R;ZCK(u-J1LzPMu$oSakfoBxBRDwbXgr+GD152x*^Q>FiNjNan
z$w@uqqSlmzXj>q@cWAtwO0g=S<ij!o0&7fEs@W3Oc@teVpvzd4vlupO7I;G>1@*@&
z#4!re;X#gxXXy-MI1r3hXiNr(o@)yp1(LP2++b51kc_%Ja4wBj8+KI~l09H!WRHtW
zq$ylaRHSPQ)!Z~~Y~pf`nvq0oa6Q6d4X8{9K_%kAMOu)`Dv&l_(2HPHm2aS+C5(#1
zGj;c?Of7<Wbh`CzO^FgD(@lb=lxdBJ8lsKSX_@Jux*A3ZKz3$A@8>G{B6rYiX2v8K
zv>9s$x{~KHg*44;%sx#`i48D0D=ZQlyn&iCtdNcP>*dxnh$iIjDGN!2f^36cwZi2E
z5=PSw2_-PjjMlQu1{R6{J3=J$-OpGU0PmLO8e~r4jxZ4*e25)*SZ<nWKd5Nykh4M{
zy^ObqZ5;f1x$surk&6UulGLqDLb-I|twQcY7~~!>sy&2QlgHzgB~WtJT%#-m8wBsP
zuYG>HuJnY}WOd~Q)WKlZkI>%I1%@^*O{v~0RDP5#h_5o$HV0-$XfPp=<)-n<R$VbB
zgTQH=nt`A(K-gk8VX`$C7>A_2>PW6Crm$|_jgl%AY+%RnE`*eoti^(QhPhGJNqg*4
zGDe>E6iB!+ge!h|=*HziQ65iY>d^Fqrs50M<*9GswYDD92nlP!%~8#%G;3&^Zvh-O
zap_r2T+Y;evixx?M%nN>%RF;uw*s&mWNy-mDU6QU*2L}}B$C-fOn8XI^YH*Tth#O3
zI|b&gYd#29n27jS#()@@kNzQ&1<|GN4W`FGS{}s4!`rln@wNS@zT-n}k)t|^4YKez
z3<|vsV+cKmAJ6vwhx7fk8~uilZ<Ivf`rKc9QR*&~Ajr2_B>(YuBvXY62-GKfup(!{
AkpKVy

literal 7822
zcmV;99&zD9T4*^jL0KkKS+jnzssIxx|HuBe2>^fp|NsC0|L*_)|Na0F01ya(1ONaC
zU?ZLP+q_b}>(SS(5MltJ3BlL_+dZ7~=<kg-nyou{xC7`leX$F{TWfT8ZLtLq^z`UK
zR?LAC6jgg}u^ZXmRiH}~Bt06VO}r%p5F<=Rnh+)vNwqywdWNT@Y^SOEDd_c2Q^gNR
zeyO9#fb@Z&GywpJ2$N)Fnw}u0ntrMJrpkJrkjP++jEszdrY2=F15u)lN9vjy4IYzC
z42?20c}&#8WHcEKG#C>JkT6Du2?&T0H5*AO`%}tklS+Px>Vrp+Owf-_L(~J*)6@)r
z00x376GX`-nt4qC^#B@Z9;SmJ02%-oKm$zx0z^arngE&z$u@-4dL|Un=+t^33<NX-
zAOHvF+w&nw^&gg*8R?CBlJ)~N&Zt_!ji!^JK!@k+^YfX0+$&g~!~$15L@Q8KEq42B
zL^pdbxzg#_RYojE;^G8h2!&P^VFE+~VAB}UKEJP<fAmVK82I>XsoPGvy8c{$lP-^p
z_h#edmdSVX^F`+CSKAk#WWDz>dW}Dl_z%?_S3G(&&EwScqx6gpZ)f^{P#-BSMN7p5
zv78yex!t&$FJW4!6Cdx~?!(TKb56a<wje`)!RPeX&&gHux?@|P(!N9DJ)WOer<pm_
zz&rVc(0?vj`ya4JkkQNUda%vo#d*-(jT|+G*0%WTRU7;@<*~E>j{mb>fiAIoTV1Mh
zv#Llvs@NKK%COj~am5jbH5SGGvk5Eo`Vw`*BHyCptzZGbjXvP*Z6EN{o%34z*B;B%
z&*7))<m-<$ct10O7C{`c<_|M&)Un#!?WXzMPi$`F+NNruI&e+S?k__#{cd`nYms(p
z87BRlv5s<`sj|WMwla_LtJ{}Q$I{#_eyE4E`92qZUOyh~<@KjNSINIvuE;O2@Hd}A
z7x9D%Br0m-7J&%hh7?O-Q5aPWh*e0mu`Z|+X4RQg_LgCHDMH7``u|-8Ml{4}pqn<e
zi$a!z2NM8@lM_r~v&vMysy+&bYf-luAV7fXLJ<Q)84Mt4G9WfeTg7&#SK?XWW2S7u
zp<nLXU#ACT*WYE;&&HA%3a!6{01zKTORGDE2R0uw(TGQ{&*S@ES|c7`>mab~x>rmh
zgGC{ze^G$-vU#b<-Ln+#M7bGud!s#<BtTz>VS&tGwbpb&R=FOe5pLhP>C9i2#bdG1
zURu&o!ownzUk^OO7)F}^x{&)k56WN+sY|Dc(`So9s^8BO+@y_MH-fahk3}of)wlHJ
z*X@h+Y`Xt8#+#myD2@`^mx)*o-gOi;!ZENj;E-aRuA-*J(;z6dkdXcNw^oDpme-X;
z9FKh<Q<J+*Ip<e{g{`O7O`Hpro`R=V87w|Gl?}J&Lj1hTcr$P|-W(TBn14UbcgK7Y
z5Uu?%8yjHS9Kxg5Tr(`v#I1YSZW)4psg5u9FpEB1vF+t}=*PawA$urth!KM-4nBQW
z(Lil$*FQVtEN$rzRnN<P+;`0u=cDg`0Ehf#o_iTYrrcdx{m@4$W(+HS(*Wx=w@AH7
zCK(lhGBaC=^MxD&3!!G#ucdFvuWNhZR<?S5q(-U)9cVu?<3C?qTaP$5Y|(=EHw7H_
zIaYldm3gO*2fTrPEvUBe7z*bwroMH;>^AjLO7FT-I>?B$f#FuVg8K|Doh+u_4iYek
zw%gMkDlPKf@HbR#sfw;jXn!}7CEOHKU{EkgwQfi#6|RWu!SSztnJFk1ZG^c^r@ls|
zrD<awFbMXw`XN?ojSywdq#cb{c{*-ZoZ$yJOJAVz9ur>Phz)CPkSKu%Q60Hp^wL%v
z8(|Z{txjAmQhw}?JR$0QJV{XPpfeu3_OB{Zn80RsTOLPnfD_7(>!o=-n40p)?4+;7
zl40c*zo&#iit%||xZ?8&u9N4d0&O7a&<5$xGmiUA_i|0RJE>w@gzcsbgpirij3U<?
zbzerO41}c>2wnN(+F=TT##4{LN50k+$V#f}WE;;JDHwqa+>A+=GJM98O<4C)JgynF
zI5%*UlR-Gp@K!g9d0m|HV_j+>zK!*H58`~TFNDmt!Gal9ge-fj^4!VD@n0Q{1ut8A
zsaWV>PkC_balU}s`rh_*aok3|sGN)){0oJ{jOBYEcC3`fQ@XmRGU$&Km1a4xq^_Fd
zyHw60RF$ua=8e&}-M@fU#c5tg)K|y0Fu9|=iXN3U<9@WBX9?G3=4(vfk5KzD?P^vu
z$YN4O0>kD!ui-(fz}U&GozODqn@fd`5T~m+(`NV^(nKBSRGYx@pmQMgr=x08bwSHq
zCKDNs1k|qe14b%)D6qaBy`z}8yM%lHVue)Uh2Dw$fW%koolb@WYKuCO9F#kfPhE?<
z)_}W=bV5}V$3GT}9sCJrTo7b2$YeD1BC)fBrMFUrW9)A}6}u&!t1EQ+o%M=`8(A?|
z>;HTQ11Fc;x1IFb#XVkcfa4J&Z@R-@<T-J~{U}RrBet#c@lx1Zi+Uu|=;wcZ;oJ=v
zJ4lv6(E<;v<IacY@{xcG7{dG}l>FR6uJK1V(yE_n6Yy@!KR&j-wQ)#X7@|q7$QL{j
zXyq!DY-_vihWy>GM6fJK=9bF77oiaZ^Z5`M1{I=xNMc^Wrk$`NR*FCm|1LL$CEO{~
zQN~9FBW4tiqM^|wl3S;8-OHj7ibZm&Cgl#OsU5{d*&B4pa+upKU-aD<Bf3sEAlSyI
z<Zx=M`P^4-CN@F@B8-v|xa1(221eo<Ol>f1OlhxgZu!yY<x|Nk@5O}=i27vabTs60
z*FQVFHpRW$bgZhCfgd7yPR=aTs>>=*LMW7?pdR0sH842ENjXdQBIuI<cm+tt_a~ob
zj(5!(Y?;@LbN(i#oUGB;>lD~}N=_QQJ31n1c(x)%P;OH7JDSjBAT2jwIiY`CH@48_
zWkC+8S8bUz_mkqP`NL^MwMMSG#<1jUdr^M1K`{4>PS`@~qxEWskW-IDzHL`XR6%o|
z7BbiCw(N5=m`*z2MYms+YrWkiKNb8D(y_&;z7J<7b@`6(Caaj7Rb-Xev6WeI5)|(n
zhBJ1BoQQpjGL{y#R*8XbhT$A$SLPT9Ke3(8iHwJFXR0&*R_to1rm5sR5Ab=M=!BM;
z#-A)bGUbak4i;$x2_0}%7Z!X@3JUAzv({+OUA3~Kl7>&33S-5ob`_lxFE#j(L}GBZ
zrWHnADexY!cNreU9<i{SZgh~OyO$K(V-t4Tcen^(f-ToCYVu>VF5NSu^B~N!1&$?#
zj98gA+iYycvsI<VNMLI#!deW$xv}SnQM*ktutmg!lh{2=BC0f3rA%unDYUF66iEg^
z?g%F-!XTTDXsO#qMk+!SrC^W5(8g;|qu=!Sy;|M1LmQAIosu)cR;i>h3xN~!oGzOZ
zW8%m59I*Nft(TWG7QY({n;QLEX>h+2)eE%w4b&aXGTEe<&|kSKG>e)9TkOTeKIX+9
z)FS+<#A{ACzQ#bbU_Q@mh09>bD8?knX+jXKs3q7Cqaibmk^$MU4N7SSK-${lBzfN=
z+d&$Oo$K`N0qwv|hiV8<w?bKAyqBg66fMbkF~7=6?m+KEZfndbT8K9y1_oFHY=e+a
zs)F4_8@W)?RaVG{yk=P%$Y|+djw}^E-DKD7nj6`FBfTdKAe7F2-YaRPT8c>Ya?}|A
zD%Pz)Z!r{Nc;39tvHoWp4{O$D@3P^sf(CR_@nsL@)};Af3sBFJwZ_#)>_bMeh<#7%
zeJs&1V8)YTe|m@Xl|Hk6+=E<C1db~|&&2Y<yU3`&okGXyz+{4lj*l)|KP?tZTxDUl
z6xBX-TR4$ZKq?}AU%87;3giS3Jy%|BJ?V7Q<`konp||KN>e;CD4+)0=zc?qGx7sJ4
z(z$wP8a{y+obU`I{lzs|=MC5JoNc2$r)d{9zKIW!xBa~`b+W8%Y-x?A#E^@1dOrx}
zWusG6voQ1|P6+&JtH4HSn^2X<U=jBd54khcoD??cS^5+B;D)tNbz^0n(zM=*vWjZ&
z>|(j4QCI@QHCuZMmh^@0Z11T*)cX=U2y97H)2VTZidj`LcD+cN6rgyetD?^Dc)T0=
zw#a{R=>?U53&YM9OOJlM?geEN7eYI@inlHP<Of^A+i<>V#;@}e%uM&cH=VqT%lhLk
zsODNh6LD-=&ILA|GE1AO(5lWe9eFNz$a8gxm%#!6a-u0oN^UkHVQ5ZPi+q?kM_yqF
z{V-U?c|mlx95j5G{U_#y>Xu2~-@42sB?-ovr`+ZU+?$xi7OIlG2PTksEC6iImIdNr
zuf!0029aXRq^z$x?3bofVFJD;g{16B+3zlejEaPJ^WxqzLvkm|-RrLg{1I9UcpiaU
zpDsP<qCvu|2bjh-*{Sb0ms8og!EIe44Tj=$5$|GFtoNu=T*9q!y1er`i(7PXLwv^u
zmkK|!R~ErA;N7y%(n~cZJkpRFjvv7wxr<Q-LJBn@AFf7JUmC@d=Z~REuf_Jfr!jN+
z&%XMsecz)xTo|YIzq{tQqPK_*_BE?F+r-)vI~c(mo&d&Bq!r!Oj3F&_KN(a;DsZQ9
zHg_uvRs)44bySLE#Mn@vXv#(ERtAJaI3Vr<0k@3zZ^Ta*-aG-``=R!)BS>$LCfy6u
zi6oM<5;Y%TiavL!_vRkdEw{3aKE{Y(uVN*wlnN$#O+&ejj0Q9@w$ezVXg)WYxrn9b
zMtmAEv}{-wdN{(VIfy8DHCg^Gy{#sb_T*;$@dq2MME=*y*~W*zhV%F99PT9DP+z6}
zK0OIy8G}z-OFc5A+mO9IvoROO!#G<<h59)u!L~s-`Z1<N+$GNJQ!1@nk1&)mq}V`&
z(W&a6bPy(6=4Ba!VB2Wl2X57-G(c90;-B(BMa<wQ#@myH9jWy_S(3xo3I3&&hme{p
zaoMPsdluoD_Vu-HSS2}Gc(l;7zTae-0}+E?5MyVrn?)4NQzlT%Eh*@l;F(C;jfrG3
z*)9|$NReB93|O1uIai85t5;|;tgJwW<jw|?jQSUst9@FemG+(<ZnNrsj7TzVNX`P=
zOmsC`vfhJV8W`IFj7H`G;Lw_4QZW{N{0z^;ez#`URU>L^bs#iMstxO|1uQNtw~BW(
zEr9Hf0u{bS+%0&<=@)hIkm(qeO?D@+^;Fjitw%&Qg`-g;8%b@tIA`7&e-PXx=}=<H
z<Hrw8?WEI8t?9D}SW_i`IOBGFA}I8QkpY0!1ZfbmV5I|6K+m=EXl8+rGDYgzv_L4L
z2RM~eVu@05>-Bx>_y6CE|9?;OBD(_h&5gJ+!DPe9hF7{k`h*XtUCiP|8wjv3Em6&a
zh9GeVV`CV2RS^vf9qKJUm(y^GZt&X}+k$JxBTK7yH}&G5rJ#bR1ZdC3u3nJQ*#ZHp
zFfy2>xEM<fGX+!s<^~#+j5ONSyHv*5ddM^@aHi%KP3h8&j~uG1QBNReu&?_T8<?>k
z__p&CB_cf9Y-x;sLlvEo*4hRD^TG&@z><_vt;g<1<MZ&t9lZ$ez<?gceRdS-a2lx*
zaZ=DO7{2+!H?N*CTpGyc*A_ET9V&Poji%YC)b{)pLm0-!;hcS*%{uC1T%RnT%#ZC<
zRssdCs@nxM2rfwcL{~HJ)v@h;f$~OLovWx~CCznsgi@$dBtZjPvuI_hNUFN90#1Sx
zGV#8kJ1Ib6zQGiY@}J%)E*7A|oJ%bc9A?94k+7?U94r}hm!Q)7oMCK*5;(rrVm+B*
zTY_2mn(2k{L_=#IBZ+8%DrAtTU~k9BqACr&{?m=L(P&eb-Hrs9-HdJH6pN;Qi*-H7
z9Ad>zGq)|w4E)uj--_I6!x=k@w?gRRgycc<T7eL#j#2mBS(Tq$oLsfJhhpoN<+i3a
zhJhl<CzwE=fH9H_&f7z2#4%bOC4~<T?49oc_n$hX?FMJtQSVvY`M;BetE92v^#m+=
zlAF?sxD+v6_=4eQpJ4EEHN)*~qM-o$+%`kgxV38fZ{?=vz(Ub}b}^)km{?M)+a-9Y
z?ND2u?)YW}2qbd3jDau+i8Qe5i0OQ{DnV^JIhf{S$0Xj*k?iQF*O3h8aM`OIz&!J5
znX&RNp#Ct5yhhGt+xOO?&dlU^QOQAvg`Ew9QA@ib);=e&pR)21z<EaU1liouHsG0V
zy8-Ul-6c!uztb^Db)fGRlb%!{((?~^i11ElLvV9+33gI<Rm<RGH06acF{D?N7F1F`
z1<$ng>&D4ygJMuQb!AB_RyPtXm_o(J5eqbMQh<b7P*J%a>YUkk_6BL-tE@3|v#Q$D
zSU3`57P7=ewQFaMEjUfaHbzETXxg6MZQ}3q=H!X(<vMNkO+lE4A0q9;)mv??bc73B
z@Urss(^D%a29j`M%HOsA8@0V3lI{)4IqzP>v1tByh;YbIn}m2UnHxihzK7-EQveL#
zf=NGHJuj^+3`#YKfQVU48wY@@4jM^WXTJ&?Tez50L^oT_whhKf1V~2HX&8_ibk|i7
zyXlY>g(gTw*~Ux*bt82|g)c)l&xW}vEazMLBV%Ey*wOSvy-Y_tx<}Y$2ZwAUpgdUy
zkkb=Y6ki-c(}tgrL@>r-<xGk$1*t1rYlK3An_|?v(&RL51~m~7f{h{`1Q8o%g@dkB
z_zWfNp+)IwCd4)kiLnc?D^u~knEi}JnOCS!){(ImNZfWZf~r;q8z!4WV`yyg#B9#1
zhzGuf!}nMeY<?!qCd+X5AkK+&MVWm{8V0-vANSv~Xp51EWNhoxZc`_+8tyn3;e`ee
zU<{G_q=t~#`VZV5Wr7J<nP|Q!HI*Jc(OM0*p_jCo8Wy%1iOhQz2E;<La$#Oq32rFG
zc0>r}NofXcOMx%Ln3l#C7TU~`5>R`XHk9b9NO&vKj&KdoO4@0LDP&2f&C301iD|r_
z-hFI@7FbTsb6be1TO2udPmeRxcv!tL7w9V$K&8=M8a3}>zX4c-!zsf)LB~c@X^*Ov
zfoqPuta?%&fnpX63%6p6cFIOk=$Z)D;0zN6G={+p<J@e>u+#s3fZD!?;&ul_YKEIl
zG&b638+Q$9M@(Wi?(-}q;+pUe$q!lvMSykYsD6l8PV`AbgUz|EN=PCIKvTZdbTA1*
z?@r+BVQC@-a}ZHnukLpjV3}caO9qh?FsiT5plH9-9LAmWxRc~Od_ZjjV&b>{4-)?$
zmEtm73`B$+k?5?yj=0(t29VbKRUx3S6Fpg3*>S4Z&2eQpX5|CwjI&3v)h89*Srcuw
z9CJ#g)@JJ%YX?m%b*&j_r=XS_nwi#ru7(Rl(IZ~;ATOXErgG>k<}JB^K6$7s^mfp=
z&hRI_7lLP=u_^LoRhz6kV;f17nki#`uIUG17KxiS$=swCWHITu!vL`*2)fHw*R?(a
zE`IT@PNAC2=LH!C+-GYbij@&S{%+`+7>^~1`=#qGhp5htR2dpFtmfjduU-5Cb*9m@
zjNxfPmngcpgS;6)F90A=I$S9{Zp3<2<a*s+bYAAq1g4<Wa!JZ0zZ2*9Obw;i%Y<TV
z!0~019*bM7YH<c^)EXO1Nur%dl3skQ3msZG5L|6=>v|u>b_i+ZlylmJewUghi2BHV
zLgX=wZ2P33KS0luSGobF?MjJk1;TK)dXb!PAz2tdaLJ>ppM1sE3Ote)i>%15M;m`)
zVO&X>F^a}&?z4hvim=5RUFQ^|Sa#sZGdfm6$UI<Bp|bBcV}A@FH$;v^3}Zx7_Z)TI
zRJSBG(3qB}*TIO*V^m2?&v+-hQ=)*{^UUte83G?#I#I*4U~GMk35^lA9a|!z${M1J
zN*x<bs2CoEhqbLRL6L3MR9Ot}YM_FN0p7u46y{nK0d|J#wxdu^<z}m#P_2@n7{jtq
zrb|q<ArZjcKQlt{R<8pC2g{XaFyjq~l$EmNE|C#TyKpX|3vr4t*Q;C<U`9k}YvR4p
zi0y0cG#%DL-dSx8prfe5td)dReu;#3c>%*>gmFlCAp0%H<$ZQN-m?U|mzANIgF*f`
z@YQT%V2r`V#4ovdzkX>Wb>}T(c8Kur`(+asGYgtSct8;IM3F=3ElEt86$wCkvigYw
z4!|f4jV8f{u{Xo75P}Z&3}&5LUj8$7fH!6MV5EycX_@KsjMT$oNVleJ!y<}5Ws8Cv
zNw94za&T%v=|!N;Ykeh7FOt1=*igMT3H?yC!63I(i&)(YX^8P;RPMKIuxdX8D(KK(
zPZT!Bm<$-h_DuGpZsnQ`i`KuPfMM@lk7zQ8Bw%+}X^dSbaNJzhz49o<=<eMzBUtW?
zq&}wZb$&k;4THDbm$DQHp9xif&|z5%_b&5uc$kDzwUgQMkV^(N=wwT6m_R+o5J=GN
z@|~E4cA$d^DX~3lXnySIu`fe6v_<ngu1zJ$CCHR<rg`ETGoxn`Q8Io8wdMh}huvZ`
zOtjS58)0E9oSjsi%r#$1{oBoz5*33VF0i2u%L=rx%4%OD0l%jacabP$%VtLDn#}c~
zphPP!R`?+L`^&0^nhPDS5TXH(tMv9uO{T`!$fAw6BEyWRPqlEX2p;nS455*@NQOa?
zp|CQ*x|mFkqzX0}7|>QAMA9=Nd7^>7)0!V=C;_|Q60!CA{{>YsMX&9U8Tv$NTOqBV
zP|!kT#5P2DH6xg;F~*xN@RKvxN67;8N-ZB9j58i~;l%i^P$!2h<TM&$%vbpI-L9_S
z%RJzJa){aa8`*{lJE@j*xx8z5V$enlguGC#G@6BsRO=X|y||`u+fq$#few{QGQkb7
zQW25{*s*WGhL|HXkDZac*O<f1Y7kr%MbFI0+DcwbMrfv*pIJaq(JV<DR8=)Cu?@#g
zLPtaxKwuhaR1arERnG3{ZyoR>ziyPXgp~DVq2O(0YKT#xS1%{lL$VB{OD(wuTBIy7
z&YBo}=O!G$KW?=WJyIxQ<{C0~cQH(1>mqDpb~g6cLD@NAl^LnZQ^lL)(>I-EQ0UDn
zGf1=T6nPFMsH`i!<*&BN=+_XqPc$%?ga?!IOz6PoayTf{O-wUjW;m_cWe<p>9=mU?
zEwUn|;<Ro{KErHHbBs6|Y*{2xta!?2iWmMNPe8pMiaLm27RtA8`i}mf{74cKH4k5G
zE|eS1Rm?Qlc;*+XI~mM91kY~sSE%s0wH6y=ViRZ}e0xt}`*BlSZl48(*wRshUj1yd
z8{y{rglPvxOl3a(cE`!>*51r-z4>`2OY^QtkhJaeFciL5-Mr=QM{%~xJ&_$hUOw}-
zh}4V7VkW_{Cet13<+~4);Nwqo=U~_kq!#?cONq#2JRve=Ov7n5`*tGpuBcU)(mo8`
zbVOVpy)O3zC77{AlVM^hdOD;8xbr<IjVutuS}Zdd>E}I{tL=4x=%#}?M}sa2)h49O
zsaB|wF4BuwN<)=O70CJ6=z(W6xKx5d2!y674g*W8pz5)2g(Tp^QwmA)9Tv2tBSP5)
z^>&NN)T<Jz4oov3ASSfUNo#^stpaVs;)7lyQrOdH5p9@ifYUr{RiJ1Uz5;_y(%aG+
zMtKNED`-pxh@Q(fdJ9VL4GRflaRf4`>tR%4tj{Tu(jnskZ4y2jT_T%`Y?(C+)!cM#
zZRB%~&4{WtxE}E^hBXrb;7NLzkYpIzp_o}9*|S14+{szn0)bpnnHkq@mX;cBpDz7&
zT6AnkqMB*2QqqQ)*ln34(iRt<nF^t#ScC^<<S!1BXSEc*qhmI)AjP1|P<!h=C@`*>
zt#c2jV`4*04r<kcLwArfMs~=N!yS3{#&HE4yNbfnfgwgguB(m83Z#w398yYwomAdk
zR0Z~x0&t1})1#*_UJvx>V`R}dj4+8I55mKhlpB_sPxpq7Q3V<i0`@YUo)U2NZ{ez?
zHY8%f8)&vGtFTwD&N`@F=wlp*j4KDJ7O8mrkueh?yA@JPtVl8wu4MSHf}Z4r)ZB8`
z3#$c@t>3=iGUyn_#oF4QBBe*?Lgb0!u}y*3Be)n4$aALw%-Xu*Q3s%DoZ5pxXo0ZM
zZpPGVFf<QIj8u_eRZUpkJ}t6X7B(<r_%6a!t8HSzJ%e28?3BFNq{$k3u&PFvhEfV$
z--f#w+}M>-?R#HqL)iyrBp0pgV&TVgY(8@c3D*ZjS4O3yR*E%Rgf(4`PeWF%OdR$!
zZkY8dsmiZKGo?=ahmfkIH%O97<0o}2w57wul(y8<9zroZxg;DK6AZgIZ5^R`vsIrI
zE6hZFrSc?(CL{ldWP<N$Kh%fBnAm%H5c*pD$EC&%wnn}>i4C$W7z-uNXcQReG4pmG
gKV$_|K2Ga1vDU3Wp`!qvHDCC<k}1N3g`4$_P;rssh5!Hn

diff --git a/assets/setup/config/gitlabhq/gitlab.yml b/assets/setup/config/gitlabhq/gitlab.yml
index 5d6037d0..d3d69179 100644
--- a/assets/setup/config/gitlabhq/gitlab.yml
+++ b/assets/setup/config/gitlabhq/gitlab.yml
@@ -119,13 +119,13 @@ production: &base
   # You can inspect a sample of the LDAP users with login access by running:
   #   bundle exec rake gitlab:ldap:check RAILS_ENV=production
   ldap:
-    enabled: false
-    host: '_your_ldap_server'
-    port: 636
-    uid: 'sAMAccountName'
-    method: 'ssl' # "tls" or "ssl" or "plain"
-    bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
-    password: '_the_password_of_the_bind_user'
+    enabled: {{LDAP_ENABLED}}
+    host: '{{LDAP_HOST}}'
+    port: {{LDAP_PORT}}
+    uid: '{{LDAP_UID}}'
+    method: '{{LDAP_METHOD}}' # "tls" or "ssl" or "plain"
+    bind_dn: '{{LDAP_BIND_DN}}'
+    password: '{{LDAP_PASS}}'
     # If allow_username_or_email_login is enabled, GitLab will ignore everything
     # after the first '@' in the LDAP username submitted by the user on login.
     #
@@ -135,20 +135,20 @@ production: &base
     #
     # If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
     # disable this setting, because the userPrincipalName contains an '@'.
-    allow_username_or_email_login: true
+    allow_username_or_email_login: {{LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN}}
 
     # Base where we can search for users
     #
     #   Ex. ou=People,dc=gitlab,dc=example
     #
-    base: ''
+    base: '{{LDAP_BASE}}'
 
     # Filter LDAP users
     #
     #   Format: RFC 4515
     #   Ex. (employeeType=developer)
     #
-    user_filter: ''
+    user_filter: '{{LDAP_USER_FILTER}}'
 
 
   ## OmniAuth settings