sssd-ipa-1.16.0-19.el7$>ܩ(MjFԿU>=ׄ?td   6  ;AH   0 w PPP PHLQ(`8h94:r=GHI4X@YL\l]ш^byd>eCfFlHt`u|vӘwxyWpCsssd-ipa1.16.019.el7The IPA back end of the SSSDProvides the IPA back end that the SSSD can utilize to fetch identity data from and authenticate against an IPA server.Zϸ"x86-01.bsys.centos.org ECentOSGPLv3+CentOS BuildSystem Applications/Systemhttps://pagure.io/SSSD/sssd/linuxx86_64getent group sssd >/dev/null || groupadd -r sssd getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssdKV#[A큤AZϸZϸZϸ Y ZϸZϸZϸ56fc0f2b489a27d371a52cdbc5fd2f861f371cb4e84fc0741273d2388b9753339d56d864cb565ce053ec5dadb8ac83f9da0e43e7e5e10014b790edd9234ff8f28ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b90377418be27d6fc9967c351ca88e50a6c7a4b32841ea496631b72ec920ac75e947bbe5798233fed8f6307639fdd95dc55ae8847a0d8f1ffd40a7c6cbdf569e33f9rootrootrootrootrootrootsssdrootsssdrootrootrootrootsssdsssd-1.16.0-19.el7.src.rpmlibsss_ipa.so()(64bit)sssd-ipasssd-ipa(x86-64)@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@   @ /bin/shbind-utilslibbasicobjects.so.0()(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libc.so.6(GLIBC_2.8)(64bit)libcollection.so.2()(64bit)libcom_err.so.2()(64bit)libdbus-1.so.3()(64bit)libdbus-1.so.3(LIBDBUS_1_3)(64bit)libdhash.so.1()(64bit)libdhash.so.1(DHASH_0.4.3)(64bit)libdl.so.2()(64bit)libglib-2.0.so.0()(64bit)libini_config.so.3()(64bit)libipa_hbac(x86-64)libipa_hbac.so.0()(64bit)libipa_hbac.so.0(IPA_HBAC_0.0.1)(64bit)libipa_hbac.so.0(IPA_HBAC_0.1.0)(64bit)libk5crypto.so.3()(64bit)libkeyutils.so.1()(64bit)libkrb5.so.3()(64bit)liblber-2.4.so.2()(64bit)libldap-2.4.so.2()(64bit)libldb.so.1()(64bit)libldb.so.1(LDB_0.9.10)(64bit)libndr-krb5pac.so.0()(64bit)libndr-krb5pac.so.0(NDR_KRB5PAC_0.0.1)(64bit)libndr-nbt.so.0()(64bit)libndr-nbt.so.0(NDR_NBT_0.0.1)(64bit)libndr.so.0()(64bit)libndr.so.0(NDR_0.0.1)(64bit)libnspr4.so()(64bit)libnss3.so()(64bit)libnssutil3.so()(64bit)libpcre.so.1()(64bit)libplc4.so()(64bit)libplds4.so()(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libref_array.so.1()(64bit)librt.so.1()(64bit)libsamba-util.so.0()(64bit)libselinux.so.1()(64bit)libsemanage.so.1()(64bit)libsemanage.so.1(LIBSEMANAGE_1.0)(64bit)libsmime3.so()(64bit)libssl3.so()(64bit)libsss_cert.so()(64bit)libsss_certmap.so.0()(64bit)libsss_child.so()(64bit)libsss_crypt.so()(64bit)libsss_debug.so()(64bit)libsss_idmap.so.0()(64bit)libsss_idmap.so.0(SSS_IDMAP_0.4)(64bit)libsss_krb5_common.so()(64bit)libsss_ldap_common.so()(64bit)libsss_semanage.so()(64bit)libsss_util.so()(64bit)libsystemd.so.0()(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb.so.1()(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rtld(GNU_HASH)shadow-utilssssd-commonsssd-common-pacsssd-krb5-commonrpmlib(PayloadIsXz)1.16.0-19.el73.0.4-14.6.0-14.0-11.16.0-19.el71.16.0-19.el71.16.0-19.el75.2-1sssd1.10.0-8.beta24.11.3Z_@Z_@Z@ZyZhu@Z3@Z2gZ.s@Z*~Z'Z!D@ZZ@Z Z @Z7ZNYZ@Y@YYJ_YJ_YC@YBvYBvY9<@Y9<@Y5GY5GY5GY5GY0Y0Y(Y(Y%uY%uY$$@Y$$@Y"Y;@YR@YR@Y Y @Y @YtYtYtYtYtYXXh@XXX@X@X@XsX@X@X@XۡXۡXXӸX,XCX@XX*X lX lX lW$WW;W;W;W֘W֘W@W^@WiWiWiW/@W/@W/@W/@WWWWQWQWQW@W@W@WhW@W@Wt@WE@WE@W@W@W@W@WW~W-@W-@W-@WW@WWu WgWDB@WDB@WDB@WBW;W;W@VbV͛@VTQ@VCV @V @V @V V@VBVBVBVBVBUUUU@UXU@U@U@UUUUUUUUL@UL@UU@U@U@UnU@U(U@U@UUmUmU@UJ@UU7@U7@U7@U @U@U@TE@TE@TE@Tи@Tr@Tr@Tr@Tr@T}T}T}T}T}T7T7TTC@TTZ@TZ@TT@Tp@Tp@T@T{T*@T*@TTT~@T~@TuTuTto@Tto@Tto@Tto@Tto@Tto@TmTmTmTmTl@Tl@Tl@Tl@TcKTa@T\@TZ@TZ@TR(@TG@TG@TG@TG@TG@TD@T6xTTT SS@S|@Sr @Sr @Sr @Sr @S;S;S2@S2@S,)S!S L@SSS@S@S@S@S@S @S @S @S @S @S @S @S @SSSRb@Rb@Rb@R@R@R@R@RURURUR߲RRRx@Rx@Rx@RΏ@RΏ@RΏ@R=R=RkRRRR@R@R@R@R@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@RpREs@REs@R7Q@Q@Q@Q@Q@QQLQکQQQo@Q)@Q@QQ@Q@QbQyQV@Q'@QQQnQZ@Q0@QQQ@Q@QQ @QQh@PP@P@P@Pz@Pz@PqnPl(PaPaPS@PH@PDPM>M2@MMzMx@Mj - 1.16.0-19Fabiano Fidêncio - 1.16.0-18Fabiano Fidêncio - 1.16.0-17Fabiano Fidêncio - 1.16.0-16Fabiano Fidêncio - 1.16.0-15Fabiano Fidêncio - 1.16.0-14Fabiano Fidêncio - 1.16.0-13Fabiano Fidêncio - 1.16.0-12Fabiano Fidêncio - 1.16.0-11Fabiano Fidêncio - 1.16.0-10Fabiano Fidêncio - 1.16.0-9Fabiano Fidêncio - 1.16.0-8Fabiano Fidêncio - 1.16.0-7Fabiano Fidêncio - 1.16.0-6Fabiano Fidêncio - 1.16.0-5Fabiano Fidêncio - 1.16.0-4Fabiano Fidêncio - 1.16.0-3Fabiano Fidêncio - 1.16.0-2Fabiano Fidêncio - 1.16.0-1Jakub Hrozek - 1.15.2-51Jakub Hrozek - 1.15.2-50Jakub Hrozek - 1.15.2-49Jakub Hrozek - 1.15.2-48Jakub Hrozek - 1.15.2-47Jakub Hrozek - 1.15.2-46Jakub Hrozek - 1.15.2-45Jakub Hrozek - 1.15.2-44Jakub Hrozek - 1.15.2-43Jakub Hrozek - 1.15.2-42Jakub Hrozek - 1.15.2-41Jakub Hrozek - 1.15.2-40Jakub Hrozek - 1.15.2-39Jakub Hrozek - 1.15.2-38Jakub Hrozek - 1.15.2-37Jakub Hrozek - 1.15.2-36Jakub Hrozek - 1.15.2-35Jakub Hrozek - 1.15.2-34Jakub Hrozek - 1.15.2-33Jakub Hrozek - 1.15.2-32Jakub Hrozek - 1.15.2-31Sumit Bose - 1.15.2-30Jakub Hrozek - 1.15.2-29Jakub Hrozek - 1.15.2-28Jakub Hrozek - 1.15.2-25Jakub Hrozek - 1.15.2-24Lukas Slebodnik - 1.15.2-23Jakub Hrozek - 1.15.2-22Jakub Hrozek - 1.15.2-21Jakub Hrozek - 1.15.2-20Jakub Hrozek - 1.15.2-19Jakub Hrozek - 1.15.2-18Jakub Hrozek - 1.15.2-17Jakub Hrozek - 1.15.2-16Jakub Hrozek - 1.15.2-15Jakub Hrozek - 1.15.2-14Jakub Hrozek - 1.15.2-13Jakub Hrozek - 1.15.2-12Jakub Hrozek - 1.15.2-11Jakub Hrozek - 1.15.2-10Jakub Hrozek - 1.15.2-9Jakub Hrozek - 1.15.2-8Jakub Hrozek - 1.15.2-7Jakub Hrozek - 1.15.2-6Jakub Hrozek - 1.15.2-5Jakub Hrozek - 1.15.2-4Jakub Hrozek - 1.15.2-3Jakub Hrozek - 1.15.2-2Jakub Hrozek - 1.15.2-1Fabiano Fidêncio - 1.15.1-2Jakub Hrozek - 1.15.1-1Jakub Hrozek - 1.15.0-2Jakub Hrozek - 1.15.0-1Jakub Hrozek - 1.14.0-46Jakub Hrozek - 1.14.0-45Jakub Hrozek - 1.14.0-44Jakub Hrozek - 1.14.0-43Jakub Hrozek - 1.14.0-42Jakub Hrozek - 1.14.0-41Jakub Hrozek - 1.14.0-40Jakub Hrozek - 1.14.0-39Jakub Hrozek - 1.14.0-38Jakub Hrozek - 1.14.0-37Jakub Hrozek - 1.14.0-36Jakub Hrozek - 1.14.0-35Jakub Hrozek - 1.14.0-34Jakub Hrozek - 1.14.0-33Jakub Hrozek - 1.14.0-32Jakub Hrozek - 1.14.0-31Jakub Hrozek - 1.14.0-30Jakub Hrozek - 1.14.0-29Jakub Hrozek - 1.14.0-28Jakub Hrozek - 1.14.0-27Jakub Hrozek - 1.14.0-26Jakub Hrozek - 1.14.0-25Jakub Hrozek - 1.14.0-24Jakub Hrozek - 1.14.0-23Jakub Hrozek - 1.14.0-22Jakub Hrozek - 1.14.0-21Jakub Hrozek - 1.14.0-20Jakub Hrozek - 1.14.0-19Jakub Hrozek - 1.14.0-18Jakub Hrozek - 1.14.0-17Jakub Hrozek - 1.14.0-16Jakub Hrozek - 1.14.0-15Jakub Hrozek - 1.14.0-14Jakub Hrozek - 1.14.0-13Jakub Hrozek - 1.14.0-12Jakub Hrozek - 1.14.0-11Jakub Hrozek - 1.14.0-10Jakub Hrozek - 1.14.0-9Jakub Hrozek - 1.14.0-8Jakub Hrozek - 1.14.0-7Jakub Hrozek - 1.14.0-6Jakub Hrozek - 1.14.0-5Jakub Hrozek - 1.14.0-4Jakub Hrozek - 1.14.0-3Jakub Hrozek - 1.14.0-2Jakub Hrozek - 1.14.0-1Jakub Hrozek - 1.14.0beta1-2Jakub Hrozek - 1.14.0alpha-1Jakub Hrozek - 1.13.0-50Jakub Hrozek - 1.13.0-49Jakub Hrozek - 1.13.0-48Jakub Hrozek - 1.13.0-47Jakub Hrozek - 1.13.0-46Jakub Hrozek - 1.13.0-45Jakub Hrozek - 1.13.0-44Jakub Hrozek - 1.13.0-43Jakub Hrozek - 1.13.0-42Jakub Hrozek - 1.13.0-41Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 1.12.2-58.3Jakub Hrozek - 1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 1.11.2-52Jakub Hrozek - 1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Related: rhbzrhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1543348 - sssd_be consumes more memory on RHEL 7.4 systems. - Resolves: rhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1523282 - sssd used wrong search base with wrong AD server- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set - Related: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7]- Resolves: rhbz#1517971 - AD Domain goes offline immediately during subdomain initialization - IPA AD Trust - Related: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1527149 - AD provider - AD BUILTIN groups are cached with gidNumber = 0 - Related: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1525644 - dbus-send unable to find user by CAC cert- Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card- Resolves: rhbz#1512027 - NSS by-id requests are not checked against max_id/min_id ranges before triggering the backend- Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card - Resolves: rhbz#1520984 - getent output is not showing home directory for IPA AD trusted user - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1421194 - SSSD doesn't use AD global catalog for gidnumber lookup, resulting in unacceptable delay for large forests- Resolves: rhbz#1482231 - sssd_nss consumes more memory until restarted or machine swaps - Resolves: rhbz#1512508 - SSSD fails to fetch group information after switching IPA client to a non-default view- Resolves: rhbz#1490120 - SSSD complaining about corrupted mmap cache and logging error in /var/log/messages and /var/log/sssd/sssd_nss.log- Resolves: rhbz#1272214 - [RFE] Create a local per system report about who can access that IDM client (attestation) - Resolves: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Resolves: rhbz#888739 - Enumerating large number of users makes sssd_be hog the cpu for a long time. - Resolves: rhbz#1373547 - SSSD performance issue with malloc and brk calls - Resolves: rhbz#1472255 - Improve SSSD performance in the 7.5 release- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1432010 - SSSD ships a drop-in configuration snippet in /etc/systemd/system - Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available- Resolves: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Related: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1408294 - SSSD authentication fails when two IPA accounts share an email address without a clear way to debug the problem - Resolves: rhbz#1502686 - crash - /usr/libexec/sssd/sssd_nss in nss_setnetgrent_timeout- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1484376 - [RFE] Add a configuration option to SSSD to disable the memory cache - Resolves: rhbz#1327705 - Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1505277 - Race condition between refreshing the cr_domain list and a request that is using the list can cause a segfault is sssd_nss - Resolves: rhbz#1462343 - document information on why SSSD does not use host-based security filtering when processing AD GPOs - Resolves: rhbz#1498734 - sssd_be stuck in an infinite loop after completing full refresh of sudo rules - Resolves: rhbz#1400614 - [RFE] sssd should remember DNS sites from first search - Resolves: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Resolves: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1469791 - Rebase SSSD to version 1.16+ - Resolves: rhbz#1132264 - Allow sssd to retrieve sudo rules of local users whose sudo rules stored in ldap server - Resolves: rhbz#1301740 - sssd can be marked offline if a trusted domain is not reachable - Resolves: rhbz#1399262 - Use TCP for kerberos with AD by default - Resolves: rhbz#1416150 - RFE: Log to syslog when sssd cannot contact servers, goes offline - Resolves: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Resolves: rhbz#1454559 - python-sssdconfig doesn't parse hexadecimal debug _level, resulting in set_option(): /usr/lib/python2.7/site-packages/SSSDConfig/__init__.py killed by TypeError - Resolves: rhbz#1456968 - MAN: document that attribute 'provider' is not allowed in section 'secrets' - Resolves: rhbz#1460689 - KCM/secrets: Storing many secrets in a rapid succession segfaults the secrets responder - Resolves: rhbz#1464049 - Idle nss file descriptors should be closed - Resolves: rhbz#1468610 - sssd_be is utilizing more CPU during sudo rules refresh - Resolves: rhbz#1474711 - Querying the AD domain for external domain's ID can mark the AD domain offline - Resolves: rhbz#1479398 - samba shares with sssd authentication broken on 7.4 - Resolves: rhbz#1479983 - id root triggers an LDAP lookup - Resolves: rhbz#1489895 - Issues with certificate mapping rules - Resolves: rhbz#1490501 - sssd incorrectly checks 'try_inotify' thinking it is the wrong section - Resolves: rhbz#1490913 - MAN: Document that full_name_format must be set if the output of trusted domains user resolution should be shortnames only - Resolves: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Resolves: rhbz#1482674 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server - Resolves: rhbz#1486053 - Accessing IdM kerberos ticket fails while id mapping is applied - Resolves: rhbz#1486786 - sssd going in offline mode due to sudo search filter. - Resolves: rhbz#1500087 - SSSD creates bad override search filter due to AD Trust object with parenthesis - Resolves: rhbz#1502713 - SSSD can crash due to ABI changes in libldb >= 1.2.0 (1.1.30) - Resolves: rhbz#1461462 - sssd_client: add mutex protected call to the PAC responder - Resolves: rhbz#1489666 - Combination sssd-ad and postfix recieve incorrect mail with asterisks or spaces - Resolves: rhbz#1525052 - sssd_krb5_localauth_plugin fails to fallback to otheri localname rules- Require the 7.5 libldb version which broke ABI - Related: rhbz#1469791 - Rebase SSSD to version 1.16+- Resolves: rhbz#1457926 - Wrong search base used when SSSD is directly connected to AD child domain- Resolves: rhbz#1450107 - SSSD doesn't handle conflicts between users from trusted domains with the same name when shortname user resolution is enabled- Resolves: rhbz#1459846 - krb5: properly handle 'password expired' information retured by the KDC during PKINIT/Smartcard authentication- Resolves: rhbz#1430415 - ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in- Resolves: rhbz#1455254 - Make domain available as user attribute- Resolves: rhbz#1449731 - IPA client cannot change AD Trusted User password- Resolves: rhbz#1457927 - getent failed to fetch netgroup information after changing default_domain_suffix to ADdomin in /etc/sssd/sssd.conf- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15- Resolves: rhbz#1449728 - LDAP to IPA migration doesn't work in master- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1449729 - org.freedesktop.sssd.infopipe.GetUserGroups does not resolve groups into names with AD- Resolves: rhbz#1450094 - Properly support IPA's promptusername config option- Resolves: rhbz#1457644 - Segfault in access_provider = krb5 is set in sssd.conf due to an off-by-one error when constructing the child send buffer - Resolves: rhbz#1456531 - Option name typos are not detected with validator function of sssctl config-check command in domain sections- Resolves: rhbz#1428906 - sssd intermittently failing to resolve groups for an AD user in IPA-AD trust environment.- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail - Fix Coverity issues in patches for rhbz#1445445- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1446302 - crash in sssd-kcm due to a race-condition between two concurrent requests- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail- Resolves: rhbz#1306707 - Need better debug message when krb5_child returns an unhandled error, leading to a System Error PAM code- Resolves: rhbz#1446535 - Group resolution does not work in subdomain without ad_server option- Resolves: rhbz#1449726 - sss_nss_getlistbycert() does not return results from multiple domains - Resolves: rhbz#1447098 - sssd unable to search dbus for ipa user by certificate - Additional patch for rhbz#1440132- Reapply patch by Lukas Slebodnik to fix upgrade issues with libwbclient - Resolves: rhbz#1439457 - SSSD does not start after upgrade from 7.3 to 7.4 - Resolves: rhbz#1449107 - error: %pre(sssd-common-1.15.2-26.el7.x86_64) scriptlet failed, exit status 3- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15 - Also apply an additional patch for rhbz#1441545- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1434992 - Wrong pam return code for user from subdomain with ad_access_filter- Resolves: rhbz#1430494 - expect sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy manuals to be packaged into sssd-common package- Resolves: rhbz#1427749 - SSSD in server mode iterates over all domains for group-by-GID requests, causing unnecessary searches- Resolves: rhbz#1446139 - Infopipe method ListByCertificate does not return the users with overrides- Resolves: rhbz#1441545 - With multiple subdomain sections id command output for user is not displayed for both domains- Resolves: rhbz#1428866 - Using ad_enabled_domains configuration option in sssd.conf causes nameservice lookups to fail.- Remove an unused variable from the sssd-secrets responder - Related: rhbz#1398701 - [sssd-secrets] https proxy talks plain http - Improve two DEBUG messages in the client trust code to aid troubleshooting - Fix standalone application domains - Related: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Allow completely server-side unqualified name resolution if the domain order is set, do not require any client-side changes - Related: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users- Resolves: rhbz#1402532 - D-Bus interface of sssd is giving inappropriate group information for trusted AD users- Resolves: rhbz#1431858 - Wrong principal found with ad provider and long host name- Resolves: rhbz#1415167 - pam_acct_mgmt with pam_sss.so fails in unprivileged container unless selinux_provider = none is used- Resolves: rhbz#1438388 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_pam killed by 6- Resolves: rhbz#1432112 - sssctl config-check does not give any error when default configuration file is not present- Resolves: rhbz#1438374 - [abrt] [faf] sssd: vfprintf(): /usr/libexec/sssd/sssd_be killed by 11- Resolves: rhbz#1427195 - sssd_nss consumes more memory until restarted or machine swaps- Resolves: rhbz#1414023 - Create troubleshooting tool to determine if a failure is in SSSD or not when using layered products like RH-SSO/CFME etc- Resolves: rhbz#1398701 - [sssd-secrets] https proxy talks plain http- Fix off-by-one error in the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Resolves: rhbz#1434991 - Issue processing ssh keys from certificates in ssh respoder- Resolves: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users - Also backport some buildtime fixes for the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1340711 - [RFE] Use one smartcard and certificate for authentication to distinct logon accounts- Update to upstream 1.15.2 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html - Resolves: rhbz#1418728 - IPA - sudo does not handle associated conflict entries - Resolves: rhbz#1386748 - sssd doesn't update PTR records if A/PTR zones are configured as non-secure and secure - Resolves: rhbz#1214491 - [RFE] Make it possible to configure AD subdomain in the SSSD server mode- Drop "NOUPSTREAM: Bundle http-parser" patch Related: rhbz#1393819 - New package: http-parser- Update to upstream 1.15.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html - Resolves: rhbz#1327085 - Don't prompt for password if there is already one on the stack - Resolves: rhbz#1378722 - [RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases - Resolves: rhbz#1405075 - [RFE] Add PKINIT support to SSSD Kerberos provider - Resolves: rhbz#1416526 - Need correction in sssd-krb5 man page - Resolves: rhbz#1418752 - pam_sss crashes in do_pam_conversation if no conversation function is provided by the client app - Resolves: rhbz#1419356 - Fails to accept any sudo rules if there are two user entries in an ldap role with the same sudo user - Resolves: rhbz#1421622 - SSSD - Users/Groups are cached as mixed-case resulting in users unable to sign in- Fix several packaging issues, notably the p11_child is no longer setuid and the libwbclient used a wrong version number in the symlink- Update to upstream 1.15.0 - Resolves: rhbz#1393824 - Rebase SSSD to version 1.15 - Resolves: rhbz#1407960 - wbcLookupSid() fails in pdomain is NULL - Resolves: rhbz#1406437 - sssctl netgroup-show Cannot allocate memory - Resolves: rhbz#1400422 - Use-after free in resolver in case the fd is writeable and readable at the same time - Resolves: rhbz#1393085 - bz - ldap group names don't resolve after upgrading sssd to 1.14.0 if ldap_nesting_level is set to 0 - Resolves: rhbz#1392444 - sssd_be keeps crashing - Resolves: rhbz#1392441 - sssd fails to start after upgrading to RHEL 7.3 - Resolves: rhbz#1382602 - autofs map resolution doesn't work offline - Resolves: rhbz#1380436 - sudo: ignore case on case insensitive domains - Resolves: rhbz#1378251 - Typo In SSSD-AD Man Page - Resolves: rhbz#1373427 - Clock skew makes SSSD return System Error - Resolves: rhbz#1306707 - Need better handling of "Server not found in Kerberos database" - Resolves: rhbz#1297462 - Don't include 'enable_only=sssd' in the localauth plugin config- Resolves: rhbz#1382598 - IPA: Uninitialized variable during subdomain check- Resolves: rhbz#1378911 - No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain- Resolves: rhbz#1372075 - AD provider: SSSD does not retrieve a domain-local group with the AD provider when following AGGUDLP group structure across domains- Resolves: rhbz#1376831 - sssd-common is missing dependency on sssd-sudo- Resolves: rhbz#1371631 - login using gdm calls for gdm-smartcard when smartcard authentication is not enabled- Resolves: rhbz#1373420 - sss_override fails to export- Resolves: rhbz#1375299 - sss_groupshow fails with error "No such group in local domain. Printing groups only allowed in local domain"- Resolves: rhbz#1375182 - SSSD goes offline when the LDAP server returns sizelimit exceeded- Resolves: rhbz#1372753 - Access denied for user when access_provider = krb5 is set in sssd.conf- Resolves: rhbz#1373444 - unable to create group in sssd cache - Resolves: rhbz#1373577 - unable to add local user in sssd to a group in sssd- Resolves: rhbz#1369118 - Don't enable the default shadowtils domain in RHEL- Fix permissions for the private pipe directory - Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1371977 - resolving IPA nested user groups is broken in 1.14- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1371152 - SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side- Apply forgotten patch - Resolves: rhbz#1368496 - sssd is not able to authenticate with alias - Resolves: rhbz#1366470 - sssd: throw away the timestamp cache if re-initializing the persistent cache - Fix deleting non-existent secret - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1364033 - sssd exits if clock is adjusted backwards after boot- Resolves: rhbz#1362023 - SSSD fails to start when ldap_user_extra_attrs contains mail- Resolves: rhbz#1368324 - libsss_autofs.so is packaged in two packages sssd-common and libsss_autofs- Fix RPM scriptlet plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Add socket-activation plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Own the secrets directory - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1268874 - Add an option to disable checking for trusted domains in the subdomains provider- Resolves: rhbz#1271280 - sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)- Resolves: rhbz#1290500 - [feat] command to manually list fo_add_server_to_list information- Add several small fixes related to the config API - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Resolves: rhbz#1349900 - gpo search errors out and gpo_cache file is never created- Fix regressions in the simple access provider - Resolves: rhbz#1360806 - sssd does not start if sub-domain user is used with simple access provider - Apply a number of specfile patches to better match the upstream spefile - Related: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3- Cherry-pick patches from upstream that fix several regressions - Avoid checking local users in all cases - Resolves: rhbz#1353951 - sssd_pam leaks file descriptors- Resolves: rhbz#1364118 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11 - Resolves: rhbz#1361563 - Wrong pam error code returned for password change in offline mode- Resolves: rhbz#1309745 - Support multiple principals for IPA users- Resolves: rhbz#1304992 - Handle overriden name of members in the memberUid attribute- handle unresolvable sites more gracefully - Resolves: rhbz#1346011 - sssd is looking at a server in the GC of a subdomain, not the root domain. - fix compilation warnings in unit tests- fix capaths output - Resolves: rhbz#1344940 - GSSAPI error causes failures for child domain user logins across IPA - AD trust - also fix Coverity issues in the secrets responder and suppress noisy debug messages when setting the timestamp cache- Resolves: rhbz#1356577 - sssctl: Time stamps without time zone information- Resolves: rhbz#1354414 - New or modified ID-View User overrides are not visible unless rm -f /var/lib/sss/db/*cache*- Resolves: rhbz#1211631 - [RFE] Support of UPN for IdM trusted domains- Resolves: rhbz#1350520 - [abrt] sssd-common: ipa_dyndns_update_send(): sssd_be killed by SIGSEGV- Resolves: rhbz#1349882 - sssd does not work under non-root user - Also cherry-pick a few patches from upstream to fix config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Sync a few minor patches from upstream - Fix sssctl manpage - Fix nss-tests unit test on big-endian machines - Fix several issues in the config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Bundle http-parser - Resolves: rhbz#1311056 - Add a Secrets as a Service component- Sync a few minor patches from upstream - Fix a failover issue - Resolves: rhbz#1334749 - sssd fails to mark a connection as bad on searches that time out- Explicitly BuildRequire newer ding-libs - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- New upstream release 1.14.0 - Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#835492 - [RFE] SSSD admin tool request - force reload - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check) - Resolves: rhbz#1278691 - Please fix rfc2307 autofs schema defaults - Resolves: rhbz#1287209 - default_domain_suffix Appended to User Name - Resolves: rhbz#1300663 - Improve sudo protocol to support configurations with default_domain_suffix - Resolves: rhbz#1312275 - Support authentication indicators from IPA- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#790113 - [RFE] "include" directive in sssd.conf - Resolves: rhbz#874985 - [RFE] AD provider support for automount lookups - Resolves: rhbz#879333 - [RFE] SSSD admin tool request - status overview - Resolves: rhbz#1140022 - [RFE]Allow sssd to add a new option that would specify which server to update DNS with - Resolves: rhbz#1290380 - RFE: Improve SSSD performance in large environments - Resolves: rhbz#883886 - sssd: incorrect checks on length values during packet decoding - Resolves: rhbz#988207 - sssd does not detail which line in configuration is invalid - Resolves: rhbz#1007969 - sssd_cache does not remove have an option to remove the sssd database - Resolves: rhbz#1103249 - PAC responder needs much time to process large group lists - Resolves: rhbz#1118257 - Users in ipa groups, added to netgroups are not resovable - Resolves: rhbz#1269018 - Too much logging from sssd_be - Resolves: rhbz#1293695 - sssd mixup nested group from AD trusted domains - Resolves: rhbz#1308935 - After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user - Resolves: rhbz#1315766 - SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo - Resolves: rhbz#1316164 - SSSD fails to process GPO from Active Directory - Resolves: rhbz#1322458 - sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - The rebase includes fixes for the following bugzillas: - Resolves: rhbz#789477 - [RFE] SUDO: Support the IPA schema - Resolves: rhbz#1059972 - RFE: SSSD: Automatically assign new slices for any AD domain - Resolves: rhbz#1233200 - man sssd.conf should clarify details about subdomain_inherit option. - Resolves: rhbz#1238144 - Need better libhbac debuging added to sssd - Resolves: rhbz#1265366 - sss_override segfaults when accidentally adding --help flag to some commands - Resolves: rhbz#1269512 - sss_override: memory violation - Resolves: rhbz#1278566 - crash in sssd when non-Englsh locale is used and pam_strerror prints non-ASCII characters - Resolves: rhbz#1283686 - groups get deleted from the cache - Resolves: rhbz#1290378 - Smart Cards: Certificate in the ID View - Resolves: rhbz#1292238 - extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members - Resolves: rhbz#1292456 - sssd_be AD segfaults on missing A record - Resolves: rhbz#1294670 - Local users with local sudo rules causes LDAP queries - Resolves: rhbz#1296618 - Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore - Resolves: rhbz#1299553 - Cannot retrieve users after upgrade from 1.12 to 1.13 - Resolves: rhbz#1302821 - Cannot start sssd after switching to non-root - Resolves: rhbz#1310877 - [RFE] Support Automatic Renewing of Kerberos Host Keytabs - Resolves: rhbz#1313014 - sssd is not closing sockets properly - Resolves: rhbz#1318996 - SSSD does not fail over to next GC - Resolves: rhbz#1327270 - local overrides: issues with sub-domain users and mixed case names - Resolves: rhbz#1342547 - sssd-libwbclient: wbcSidsToUnixIds should not fail on lookup errors- Build the PAC plugin with krb5-1.14 - Related: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1290853 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.- Resolves: rhbz#1336706 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups- Resolves: rhbz#1296902 - In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD.- Resolves: rhbz#1334159 - IPA provider crashes if a netgroup from a trusted domain is requested- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin - More patches from upstream related to the memory leak- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin- Resolves: rhbz#1300740 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.- Resolves: rhbz#1267836 - PAM responder crashed if user was not set- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Fix a Coverity warning in dyndns code - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1263735 - Could not resolve AD user from root domain- Remove -d from sss_override manpage - Related: rhbz#1259512 - sss_override : The local override user is not found- Patches required for better handling of failover with one-way trusts - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users- Resolves: rhbz#1259512 - sss_override : The local override user is not found- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help- Resolves: rhbz#1254518 - Fix crash in nss responder- Support import/export for local overrides - Support FQDNs for local overrides - Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes- Resolves: rhbz#1250415 - sssd: p11_child hardening- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected- Fix wildcard_limit=0 - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Fix race condition in invalidating the memory cache - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled- Bump release number - Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- Fix missing dependency of sssd-tools - Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- More memory cache related fixes - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Remove binary blob from SC patches as patch(1) can't handle those - Related: rhbz#854396 - [RFE] Support for smart cards- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*- Fix memory cache integration tests - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups - Resolves: rhbz#854396 - [RFE] Support for smart cards- Remove OTP from PAM stack correctly - Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Handle sssd-owned keytabs when sssd runs as root - Related: rhbz#1205144 - RFE: Support one-way trusts for IPA- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on individual clients- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support - Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2- Add support for InfoPipe wildcard requests - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Also package the initgr memcache - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Rebase to 1.13.0 upstream - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Don't default to SSSD user - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Related: rhbz#1205554 - Rebase SSSD to 1.13.x - GPO default should be permissve- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x - Relax the libldb requirement - Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21 - Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs - Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust - Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers - Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains - Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups - Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set - Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides - Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution - Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work - Resolves: rhbz#1214337 - Overrides with --login work in second attempt - Resolves: rhbz#1212489 - Disable the cleanup task by default - Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf - Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one - Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected - Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all - Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface - Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain - Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys - Resolves: rhbz#1204203 - sssd crashes intermittently - Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default - Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only - Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries - Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything - Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query - Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects - Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name? - Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error - Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD - Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set - Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires - Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option - Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID- Filter out domain-local groups during AD initgroups operation - Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Initialize variable in the views code in one success and one failure path - Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Handle case where there is no default and no rules - Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u- Set a pointer in ldap_child to NULL to avoid warnings - Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Run the restart in sssd-common posttrans - Explicitly require libwbclient - Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Fix endianess bug in fill_id() - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view- Resolves: rhbz#1184982 - Need to set different umask in selinux_child- Bump the release number - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Add a patch dependency - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Process ghost members only once - Fix processing of universal groups with members from different domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved- Handle GID override in MPG domains - Handle views with mixed-case domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Open socket to the PAC responder in krb5_child before dropping root - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD- Resolves: rhbz#889206 - On clock skew sssd returns system error- Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used - Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Resolves: rhbz#1171215 - Crash in function get_object_from_cache - Resolves: rhbz#1171383 - getent fails for posix group with AD users after login - Resolves: rhbz#1171382 - getent of AD universal group fails after group users login - Resolves: rhbz#1170300 - Access is not rejected for disabled domain - Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode - Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear - Related: rhbz#1113783 - sssd should run under unprivileged user- Rebuild to add several forgotten Patch entries - Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Remove Coverity warnings in krb5_child code - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Don't error out on chpass with OTPs - Related: rhbz#1109756 - Rebase SSSD to 1.12- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users - Enable running unit tests without cmocka - Related: rhbz#1113783 - sssd should run under unprivileged user- krb5_child and ldap_child do not call Kerberos calls as root - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware- Fix typo in libwbclient-devel alternatives invocation - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.- Handle migrating clients between views - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Use alternatives for libwbclient - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression- Add an option that describes where to put generated krb5 files to - Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12- Handle IPA group names returned from the extop plugin - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete- Support views for IPA users - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Update man page to clarify TGs should be disabled with a custom search base - Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Use upstreamed patches for the rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Resolves: rhbz#1162480 - dereferencing failure against openldap server- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1113783 - sssd should run under unprivileged user- Fix two regressions in the new selinux_child process - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1132365 - Remove password from the PAM stack if OTP is used- Include the ldap_child and selinux_child patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Support overriding SSH public keys with views - Support extended attributes via the extop plugin - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving - Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times- Include the responder and packaging patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Amend the sssd-ldap man page with info about lockout setup - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD - Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server - Related: rhbz#1109756 - Rebase SSSD to 1.12- Add the low-level server changes for running as unprivileged user - Package the libsss_semange library needed for SELinux label changes - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Use libsemanage for SELinux label changes - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Rebase SSSD to 1.12.2 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Sync with upstream - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebuild against ding-libs with fixed SONAME - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.1 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Require ldb 2.1.17 - Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer- Fix fully qualified IFP lookups - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.0 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Squash in upstream review comments about the PAC patch - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Backport a patch to allow krb5-utils-test to run as root - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Fix a DEBUG message, backport two related fixes - Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success- Resolves: rhbz#1078840 - Error during password change- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider- Fix idmap documentation - Bump idmap version info - Related: rhbz#1067361 - Check IPA idranges before saving them to the cache- Pull some follow up man page fixes from upstream - Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does. - Use the right domain for AD site resolution - Related: rhbz#743503 - [RFE] sssd should support DNS sites- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin- Mass rebuild 2014-01-24- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed. - Fix a typo in the man page - Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain - Fix return value when searching for AD domain flat names - Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword. - Fix two memory leaks in the PAC responder (Related: rhbz#991065)- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup- Resolves: rhbz#1049533 - Group membership lookup issue- Mass rebuild 2013-12-27- Resolves: rhbz#894068 - sss_cache doesn't support subdomains- Re-initialize subdomains after provider startup - Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- The AD provider is able to resolve group memberships for groups with Global and Universal scope - Related: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog- Resolves: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog - Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"- Resolves: rhbz#1037936 - sssd_be crashes occasionally- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains- Resolves: rhbz#1033084 - sssd_be segfaults if empty grop is resolved using ad_matching_rule- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- Skip netgroups that don't provide well-formed triplets - Related: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 - Resolves: rhbz#991065- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash - Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 - Resolves: rhbz#991065 - Rebase SSSD to 1.11.0- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 - Resolves: rhbz#991065- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 - Related: rhbz#991065- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting- Apply several important fixes from upstream 1.10 branch - Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- Remove libcmocka dependency- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doensn't carry any older krb5-libs version- Enable hardened build for RHEL7- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath insted of mcachepath macro to be consistent with upsteam spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. - Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested tar get is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstreeam spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predicatable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. - Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. - Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. - Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. (Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)/bin/shuk1.16.0-19.el71.16.0-19.el7libsss_ipa.soselinux_childsssd-ipa-1.16.0COPYINGsssd-ipa.5.gzsssd-ipa.5.gzkeytabs/usr/lib64/sssd//usr/libexec/sssd//usr/share/licenses//usr/share/licenses/sssd-ipa-1.16.0//usr/share/man/man5//usr/share/man/uk/man5//var/lib/sss/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericdrpmxz2x86_64-redhat-linux-gnuELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=46c36bcae96dcc510c6b5a2b84ee07ad17519e94, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=c0c94f12e20fa91b1cfa4d0ea65600d006ef1922, strippeddirectoryASCII texttroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, from Unix, max compression)troff or preprocessor input, UTF-8 Unicode text, with very long lines (gzip compressed data, from Unix, max compression)DDPR!RRRR#R R RRRRRRRFRRCR-RR@R/R*RR R'RRR.R RRR1RDR8RER6R9R7R5R4R%R&R)R(R$R,R=RRRRR RRR;R?RBR:RAR2RRRJR+RRCRRRRRR3R:RARBR*RR2R1RRRJ?07zXZ !#,]"k%f@}|,p35`7IQLؙ9wG(ID /<9[ޔ =E ~b+zfL-vyQ+9[+BS><$8-m$5ZΚDMf!*58Ǎo^jge/8x0wNF_[2Z$1T 4SޜTzN wDH7ɘX1_vĥN_Q}o=;fh*P=yoNċ$w`̍1{=>G!sZwFٯʔ{ ׫I⁜!NASr9򻡹x}Q:Ey`pTS e͈`bgyR&dؔ abiu |‰' yZޣT%Hz ^k^>,͗+\*  o32t8dQ7(7KzSCIFlV=@m8.]펤Q,,b׻곕8r U˛)yG]~X~sc :Eے[YF{6,d$ytu]ELn%@23<;~g [-24l+ kWVVl) ~BIAh h$5l"@!b1:1l2TWm4W--` (ʁNq@D֡)Psh}w?C[2)qwf9smymY3Eݙ̃/f 05ݽUlCǬV`դKId2u~3wƵ9PUQOxYn| wJ f'74!YLtIed?ү}>Sm͏%NlTY΃?Wx߹Tөtdքp>r9 ѱ@YڴwW0_|ZVfe>.-TW̪\kRW"c\!leWТTrzvWu g8Qn=C)mY䩋vM8<}tRRW .ۆ;ꍹٺ(+(hJ {ώEקVyǷx/σHr @/A w[/:K^s"ѳԾZ7 V/1Ԣ)DImq}I;,%H! PJ5l/c016j."%@!&w:;b /oSgdAZ W 5lfvWoG%AŒnt'8\ѡ[_<|@ҭDE.#fu@KݒO3zKxK%[vWLطaY"Fn ȕ}'P:En&{ /EWi-ٸYh,HYt!wb.%4uC@&B^q*;"/LB> faǙ!|{fϘP;ktן.7ϔxM m64vY"Vtm^FJHv$OڡTM/hI(D%z<3]郒4+ﰱDpfAoQ ݔ,]z UFaf F\̠ۡ gV8Ju7L7L0HiJn(NTk,RΖ6^I 3 y-Hi1Qc\Z 6I^Dmw_)sWd 񎡴Vե#hOַ }W Y>09e4vT n|E?v7 z޼JF,ݶ|hNvhURO. uFu0f nMFA~[cHBqڸ4"^Nq~+f%mHx!y_,9G:9$/S7S0&3Ap W3E2p+5vW.V5'zHSoU^z(-<TR%z+:BBVhmOS~&EyQI3AOۃ͞ S>h ˘JK~+G2P8*ܵHk=eQ)&-.4DW)Bˬ"ZhA)v  >P Jl)}!#^B<5cZ7&O"9Ow:) Z02C.omoK2Q! FWNu<<{Jl *]/d"NAnCi"w R7pJ 1 uxBmMhH(l"0aHX*04 Y,/MS+7䦠],ud*ʆm7#}RBfP1hv^H4GnnLbH; 3XU952bzzeəŚ7~sO۠o%§HU[UUb>N¤rYOL_ {/҇%MlC2٢iS0[x.(ɔiדLYs (uQ؉ab%x֕Ja›$%ڡR}w+keG¨KM0jТ:]z0lTXZm4BkÎYQ'U^bȷq;Ѕ< .Dm 7="u˞~x(= EDjٲD؊֫brv$"K"rX^7#M8n#/3e 7޵qwEsb`ȧwܾxuei/zm xO:oyp1]v3 }-rP1-Y ";ᰯƀ<-C/UM :W+w~]߱5 $A6N^O :1i-"#Ks=y룻#"к&5Q8_!p?7ŸP{Nǝ^ X~{pE$-Ry#x-oQd(fmХA OR}KytTp"W%y0h_I#+?VE\ui;l$a\$I2H'D "e%63iY쨖\A&.6VL,@ ^dh@T=VVVYnD[Mq"MHҿ둘>l<{&w}US,Z:gk_sf^P?涨CLgγ9 o Xno;1u9M7J?fn})OeP764g9ջDnhpūU0R!|2ׄ.Z]+ rQPeӖO(` 肅h9Jq/{Bc? c uYSy(~[-i˞{X6ɾxXmZS6AwӾS2l8f\Xc*1~]/c!6_#zzm|SWc7]U|$?>$H.w П~4ŃeV$Gbà.4Q$N-D*EFDk:uЇzÁ 'UBpjK@jT(ٍl% xdΜG/zE_c˿SlR޼mdZ);8?M%t!7.c,3˼#EqVւ3`( JA$v a ӨOGm49s sTk#GK2,h^=: w5=&0-]Z%6X(*ŒB#wbX;DrW-F3L4?ds0q뙲^0_K=A[quEޔ<{&Ƃs̚4_|_SKldIu"IUA0$ei(7$%k_i n.N5ur vsG+I )_ (]%$$sػkm +e'Y vlFDGŘe_kt`xxʥW)4Y $ Oe+LA̟Fqc a`-crd1o ]_qmȒxR3Z bVy`PؤB{/XkzZޑE8`s#l&baK.Oň\RS~N/ҥ49zB%~HjʠEF!26q#dnFO;KbdfL8u;1#@nK|:HZ: k?ukG`Jin t/vǿr,'(5 ׵c{f0$1\jϮc>lL80Vb5 Ĝ02|g̗ 2m#/*G3XZ]H[A:=ܢ=t(_YN[1I;f}}j͒1ҍ*Tq3/ҵ1QudY9܋wQ`ĊrTfy纅@ǺTaA-ם$k^"QE)tsM29}BP$o 3RqdƑΤ*H((g#_K8\M\d e+fDW75#)-ɚqaԔ9/Qu`P=~I J1!KYnfDh.F" 6e; 爦a5}>r^uҳ Nr*2EA( =Ќ"f^xFJ~;7~U)L I}#2ib@j[㶂qC Vq-, t&]s;=V3r&J{. sd5OŢ_S}}bM=Z^R9Zf+[fD/;5r%úݍ30$k@W\[92^)j4r\MQش8W5aUJqloCxPf}/~Z& :u݄x"zX޹9e  #b\)wzgzt9C٬Ùk#ꃍ0qldʓ^S5B-'SMJ@ ߼mcN5|IǽPa8msşl*]$'>@%xlut ؋X! l.qqbTLatƾ.~}H𢐊6!^o/e|R`?λyR)/0;Cwy]7 2U1y\9 D>~ ,IgEe箉#RRo75. X^y[7a2J/RA6p`RW/URqR7W1 |B"{x-@rH<i˶n+goeu b q1 <+0%׍cQ?KJxf,*̘De;M EQ|m>Glo#nף`r VcE!TV/J7xCNұRp}Pii5q%6~jtrNᣥ8g5c1؊0L$FiGxXyY,3iE]adtI@[&;j: j&D-K49穏0 o6Jצìtl ~1 5N8 Ǡ)k|1ҵ19 {M4d'՝n}D2YѸ'Ϡ鑓 y݈0C/VCOy;սYCjJwiE5/ԩ/$/G9tAJ]aQBFT-4@A)[G{N˧,H|A{6xRĐn>{aY(0h伤TJ_w3;*RPJH`W͟ҝʪia?.$^]WmΞk5a7BfvZi2xoCf#`y< Y!W=a5 Y^5Y5^;Ú fv5W=gL . <XGRİsP8IO}7I2Yќ%C&C,'NySF-ɨ\n!OgZEߠj#bIN\Bũ æp?Zrjx,\ /_z1|R} V|:mh!jL T-d5jt1ސSDhe.Qn_4hQ}e0Kڦ c J F,|?F!+MQ +jjnoR(a1pz&GLU WGVzA= U]09{M.#oW?ٰ͐"}]ѭP}Ʈ^ZUcYЯ$ǂ˞nrMM uC kqQK ԚTvG/A; 9i46af!h<ĔL9'Z/ Ih;hsr{: gwXN1nћ:($CT:JRN$aYd  RC:,̶:ko픵oͶ6"m/asͤ04`PY}^С]t{aZ,$"3I %j4z4Z%?2LT7|9uZ*JǑ"K!F JEϡM<X+UڪZs^F kbh- ҂_"Of8piJKQya,V)_pM_Z"Ah 9o L? A/7fh $z=vJLTo u9rɹyg4gS]B|Fb-yگL#3Lt^3KdKbFNea]*QiH)yJ>h(:gDMpqWm͊q@ GRRPEIv2 bՆR$${lAO:+oU GVӷǃ^]ʛ|n.6'1SxJ CI{QC6M\F%#=g-򀻬Іk}3vMݩľnlT{3Fvr?B3 y_Y>hX}#zb8BehfJj_a}͏XSy!~9.?t(q[w^D>^p/rc&wC&7@Buw5ڏw5R- -? 8e b%j39p%,~4Զ,ךGw!kt^K9H)r}X,hc 0oF0؋@S|[Rx` :+w^֮a,T*=mV RÕ;^V&`{W?.?'Jg-^k#sGy+fQ$A[eg&u.x`~YaIneduJbp5KlA=:bLT$;pO<T) >8#B`GQݬjce"}=;7,OwGU7n.^>Ed@@ ?2ȶ jX>oK:bGHt p{`)W$,z 5:Msziή+0MN;A:#ydm彽n87'|RYFZu EA6pLHV?{L傩i(R{}"Gòl=oЄт%b -r1d0,̿ltLIh ysYjyf,K7ɂT>ۢ"omd}Œ{>*czE*@RTnrsڰ16;9v5@7՞u?rŐ^]lϊSFM Esb@sTpj5HA1)*7_Jڙ,KY 23lBXQ>cx&zLO/W g=ifLCEZ$Q̱}ѣS"JATʸ3P\6ï(m!ĄÞ?jled/|q)]I$+шdGzP)1ɨLf,/̭ˈ+ /zZ-CDONyfȶ~VYĔZ>FQQ;3{/6N`5+b5Z n3HjZ ;ވ8~o@5 VJU awd'53 _Fvҏ# hm̴&S^wbm㏿-~ΩUMhҏC7ۖ.phP#EHfuc)e7db Gd[-Ue!@=OJtPdL+"a էXli&-}3/Vg3 Y +mN\%BHwOd `؜5c\>(;2NMۖG. G ҆aܟk$Я6Ց ]t23).nz8R,NA@GWqC@sU.o%ݨuV7uLN% %Ȣ͟lTd^M0ѵbS/LaI]uvsƗ$o-Y2 >=He=;A(}*W?jy1X8\E PIA;bb@HM@1lpV zd"vNreB^.Na>+g}a"MhWl|~6BVђUT81G_ 늉MGIEVx[[1K:Bc|F߯/lQz$=N蜻)7;w)1Pi5]3d浞5Er&O j6ټ!p}ÆjTf+|^mD`}k;J%(!tհT1 IDf^o}~oevwޙMl*B(rq]%uL3ׯƓ;u} @'[f0>ʩ!($ET1[rV YUr W,^$!$ѿY'7xx2sja1a5UdS1K_Afխ5k kV>^W;eX$] A{!} +  x'?\"H~[gr f+\d# gU T'hXy/T;R<_.Kݮ Cs}n~/h甍KTvck48_-ZGQ? :"  *N' P׈G"7rcLI{3ς[TX-yfD*?n)9C-sjw*=#U28˱kq=zr?;E*֯5NjX~ױ{C0G4E/L@ \ie.2{L=q$2Ɂise%m;C~;( 3nL8#r[GÉ?^|s} c#)CIoU/Q0m.ސXnLd6Y#ʈb3- 1Wl/c>Xʩ =C;)X\k"pԍ  j94+bICZ,ymCBZbqZf{1z.6r"{%;oc ZwYgdW>PnjdZu_1RjnZ 8@4xi]MZ{-N0/ M?9{w:ijqpRbV;Id`#C@GoAcM+8G(ޡW}jÐEјn`|:FX 9R ݆SM q`2Q2.9BK!5昜sŦ8Q2Jh!>`keJrYXg^8o5*fW2XBFloU3G'~ʽ/ c.-vG8K*kc_"A߹!CBJ%IתU` d[W" 7A)xZ`ChCZA>qvιC P *y9'.LIֆ-37H}gAA q &_:x)D)EN*y{OJ;Y _njebύlSՔ"h0,ؤڭ^Tjww&aU;bӽ(p1+c/ #uYE;xA&"sneCe;ڳis>HVv[J'g@_qǒͧ5gMe:"/~5rױvrHzՄ)!b Ĭ/&w"nyvI )EsCO~ EL *&^Ʉ`Zi{e 7i͸s]^R|uVUTky/2U(TSBoƼd-]%%J82W"9/VIf6<]7҃WG9NWQRM )U9KBf2 e-$ ~@J/EB셛T^'Wu!1sYq7OWbc1':%iQ8ZV s^LAGZDTl4C ]KKf '2;#7Ee1¡__pٗ[ OY.f„ Iwɡ -J+>9@K)gY& {ئA7 8_V 93y ˱S!3wK8qaq g^:"4|*iN7w*41 f(T"G%}5#f 0MӘx{A C` Q-qu)W퓃S0l`6c:N,C~p4{dG9N1ZZuUb販D|>n0a?QrWt#.2Ix-PŸ@pI6\EOT--',\} (//–wbY˜F [Θ{Y[Ҹ© 8Ĥ7ڟj-8' lLn[mS;HO:|]?WoMrAh ̈n]!pI}]w9: 6hi.DƆn,W&|Oz@ꮖ^"pN1ikZqܨq9z{>(ػNfL;#+86kOreDè _y\xYk/O@4un9Kfis>z|xay z-G,۾j,|™dN=q ?ݛZxS HeGaľAc2Ͳ@KTie̶鸪#}L. tF:bĈ xJ5phd[SK8"wc]k=޻vCyQ`2l|}To=0IF MDE5'^BHj37ftmQ}@Y,dۜ/7YV0aT˟GpgίInF e+SsKߢ13 yzD+A72ԱW.qfTk>GwHƐrMsa.Un r' o:'/+YO}wZuzG`(. 8otV.ynjSP<XQq:䫰wB`F?O@X|uنR'Cv*9%~}k澇;K"zr/?/ ~!V IƟ9M%^ `05 dml\hQm`OӹpCRGp*?c) I'];@_]Xմ-C),5ϋⰰ,PN1F56jg9 2CO/9vcD339ijjͰ}SQC7EvvM`0jM"A QǾ 5sXDW+mHw #.<1J/9B>J>׾PEZ\R!go]`.qXǧA2 :-1'^ J`z:o;?ɔYڼ3\,7٩[o (3씫B`z7VPVrE3f&19: ujbOj')mW z))hɛ<vg#(]/uhsyҪ ;0mD%,C UCw($z˰|T7Cȉ/_74* XY7agrĺՌF_bofg N=r31Uܪ&XF_،V=VІc'̉ZES 5;9„KjQ0&6B?uHŃ1 ,e(Lt+6~!DӀ )RW-$<r+6IJHsK]/?~4S90%ޔ@X秙_?1)FͥLtHrs@EW]1m8CC Ɣ(2 ? !o& {#mpWWRu:!jECd*#ZN``v7oŐt s$|})`&sM;iv.JfĈcj1,{V

o `S@#XBڠ -v qhΕ!κchUs(8Qr=LVgiAKt9:hRkCq1c5;>ޕt (#5)evhܫ-8eD~QJ žP<>K3_Q`GEAqqoO*9^I9{86Lo]N]O@QUkn-pn)?rZa̠ps蛊aZ֩ ԗDapj"FTH35$DhBmyNKAB/m`Lt>!Mo'(NOsG,A0{-:%7!?7Unl {?$R 6aNL`]fas_[ڰ Kg@sEƏIŸO?Yʸ]33՛}`.JFx"aCl4O ߵH9ɌDEWx5?yaGߕi'z;&<Zl7+ -*>{NDˎ޴#{%#{y]|?K,Oݐq i(eW!j *x̀ZO~D{`7?sɃRRO8F\B'F@EЫ4WWa.RPWلGWDrZ$ vɨQV]_2*~|^ui+*|YR9C]j ȓڂvpLZwk:NtDx%O%Bv^v6l$M &mg&>.V gh VzCpxx\j[R~Op|رKsq۵X_Y)Ei"TpKgaI,Lu${,s%v13TKqFDBBtLlWgf1iEqS, AtJ٧֐oh ԽȖ VUcn4!PSC|B4}"{tѿb}р*ƥdf2L$CVRbt@qԸZ tI5RƃxSKƃ~H$/aD.I<8tJ cG^|kWsk#_1(Lc[xcn[^Qx{Wâaʀ&8W./54g } H5 O/}7q.їXYFtH >΁B Rintha̩o)/D>.+6gZD:(IU"4îzx1P8ˆXR(Gx䌵HD\ylF@c"V"L JWDמMD"ps s_oJ<:pЕBDV+A/V3-+>/ @r- LB 挮iIf*kOi[oi=EBIS:U)tP<ʨI/sUF"m .jً'6 ߫kK>ya@z|L]_HٿapJY(_#R@ &aDt9MdoEtV>Q iFQ[Qڌ39( VsahECȽv~o6G sV GWŘө*>*Fsd|%ZR'`P"ݓ+uP)yKe|z=&D"fv X2?|EPqe(^3y1,YY ̃;Q9$f1* ݍX:ic2սt/"3yN7^n'aajoxsN?ߜlc׾,"Q6E}yݘ(%v;k5u܈wW%Nj .tP/^`NoTZ{-! ߾gz+05F V\6p iT}߆9^)R  -Ւp ϥ35Jq{ﳽ9NSWN{q rdE /(-4& VI&H-o j}Hk3+yv=$IK vŜz#>pi,tL1-۩lB^R`뵠3XA@ݏh;J$ Tu.9Cܯ7Ss(b{Vs5xYqﮡenzKL]&+fOCI NŲ܈JoY?1ov+ay OO]W;~V ϐl{X5Q:Q i8*'\bJz`B&ߨc]ao[sh5&CS !,!R6/BMW ,qL-J 9^Dtb}kW!vO-M aM uCR1 ^W/*sYBB,}Dp!![~Ƌ-ˣ:ѧz_D>{4},uPI@ۑ,^ եCT:z|תx͑n*4 .e5Viyym)rtՄ)68pO1td[EE@rw=2grGvizD%;f!Mt_$'LÖOp^ |eqצeA^nPxFf.9p#ːhL@Ǫ'(/.M պVQ)>/е&:H"?#Ѝ{\OqfhR6o_5|yoOs 꾮qn!U' ꂣ~5VLD<(dC/ոivg$Yh[hqf_5Ox{3wG$4Nc=f.de6[2s*ac2뉠UK}#?1\FS84P]e'ˠ\\ 7})]ɦs8GHk̑rlt'@'x0@cZ~vz0R\fkq$o2#),pSʡxp'eÓD?Ik 'j0ygGB'D4)K츞F ` FdŵZX었c89VYMDܦ%06'k,;?}@QV6tx?bFU\'ǶA-"f!Lm4Hﬨo xHSZL/ =s(Oh*SG S%3rhRWY7#=ૠ5W/u XiGJ9nH6&bHC;NR9y8݊p] =V}tGBu: ÇDrCrf`6zcg]Nq3uT9BH߄~ZaR{+,gi蒱ǛÇUw Gϩt?`e7>+La{𔠾 :! JhOH*2tan2m*pM& Lh۠v*4|i)nٕ%Md,Mp l.֑+<.:mnrs BMA *kJ3SWw@Zl%ۀB*AL69ҥRk<"u)y F"f!ˡzoc( [j72w)ȫ(%\_dn@q&1s. EW(]aL4K~SH4xȈU7ŵNeƷ6%[ JHR܆R!|?a:ÉO $P*QN#}N4XȲ~_y/f&ykLZE~Ipj%js+x+.?=2z+-F4{j5$)Z|AjFU#@[śa_kl9羇.6Z~UMG9l}ơ7.^s$Էx,4z×΃ؠaF|E{s ,0\iAa,V]nf<)HW^h~ o)2qTyk&e} ٣usgL/6| O_\ۻ /+G;|%]rth;"_ q:UoCU40AɗTDt'7Z]+( S @TR^qw:x|tI#s"a 3 P29ϒ=8@!f~V$7pGkʦLGR2$yE23F\,7 M_e\D\Lhx*^""-(IhܧPcd_Qj W,#ܻz ސڼukFBMBǮz;qeQM腽LI0B~4 ぜ2"Pcd\>.oqu`u^'䰁xi|AQDA<4G}wcwSKyahd>Y;*8=ue.z k'htFW;x4 sgkvdao2j,nwN6;1D R,$DS H n\Dgc`WlHj[uAvCfXV'rwr:L!kdɍ2(oTĖ ۙ%;ಁe(Iڌ^YWMV׋q4PwouTw Ƃʈ:C`o5?9"sd 'OtBO]c@9[xee P(`?PUDsp?:Q8F Ѿ-SSQY %] ]F\t1>' ^2f"srՔ2d*H#\@B9%ᝊ-؄ _w4B-R "](`qWz𤘳9Q 83;9POrcUKC`6}rL Xw*Ok40Cn J!AMX<%VX3wNF̋#`L6cN9@ rئ;[dN#;t$+}aPCi/fLO7>+v+w>U?8lŬxUI8JL uBz7Cy@4w:HA9{Q!ZF"u+jn@N9-z\u xs4,W_xZTH IhaUp@55hLYXYQr3`)p=$ Jiΰ {..n#|r†r$ CtBGdogHUo3Ĭߦ$ZAͱa: Gܖ m04xJ/-H[ *g$w*- t;w];=--~S`XXEfEhnƞv-++ڄht{&[md绎Y5E 6(vQh %8וgkoܻ,HI m3 /q9kM@Àa|Cô#NL6&MG=-pDu̢b]e!ɍZS=g#t l,SF%3%XzrQG^%sj{~:y_ |,<3E -1(_5bQ컳'5h =xT,K^CN-Z6Ml!85~3& ԫ2nF_H[5T4gh c )K J8d ȵԟȖp)H.YF2?J aZb]|d¡δ*`J_^m:bf1Shj5>3B2[kpR񧚗"*!H*#Y΃wń`@)Cg!8;4Ɂ* }*ڭ bXxօ'XtXvgZ^QaSW#牽Y5=Ky7#pb=-!X'\5\1u8؋mڙ/>uqƋ$ON[S'p~N&$jgZ̟̚E8fD^O6n>Ս1w CU"^ͱ\) mQ_0bl ݺ*h}>3Wkh^|y9oå8ͽM`j(}WPh}1&e!4cK2A:p@Djm9vhaN )͇I~H}9Fq "]rpB5,|!6%:Vi5vTHf!wCJ_48&3Jw >')XА ^wc dQZ^"K/MJwESD Q!(:V*obRcZ2J !QsA?qGX iY>m8"$N H%+%Dl>omZEy(V\h-m_QP:_k2׹gpZjRgkowPMød&U(ͅ]y{8bU5Rw%#+JhAQje-t?wK=v24̀b=ؕ! `s -J G}@\TV=5;PAE̼DFx]FY>ڃ)Aþ9C)g:ì~:2qS[,H IJMFX÷ #8iU>~R.@iMU< sy|B殢uɌ,:v'̞E:Tm*RJa"` ! kSք#N*I?;JeN/PŖK0!CӪP*a6![T疙AL ?_- PIPPw?*Y?Ňp?d5>zm|YJ`(-}vc0Bp7rDZFNftr>$%VJ&LҁTF].{Oމ P4Z{:9/1Oyţ҇"8V!MO'" gJ4J4(V[-1W} "cN2K)3 1ocٞ(&vLOH>RG?Vy}q~]'‘KuLkZE|Ӈ ] whP}(G+Ua;(1fQQqG@Fb(wtj,]ݙ![ C0yyd% VZn"+ -m_́Ǐ" -=~c'z<|bca{uBks j[طB"^zԖ̲VFb'Sh4SiG')ݯW!tKZƊ8i .>i$ ]Y(CK^.`U&:4&~umZ,+dm(G|b8g",\k[Q*?Lq5! w>hšpGvLwyʬ1ݬkJ-fAZ|~2DBieE1G 'E% M` F#FI]S fˬsh57_)J~t'S&.wWFZdmg+qFEJS9JL'4p~FSE 1#5G5AetYN9w7to4DɽgZo"{YNJ25˵pՃ WpUKjwkX#tZМֆVoydO%%SupJ2Lizo1ϖF7pcCXIu֣h?sҬUs7a@ \I mU-,3f~YO >G%KjbM~́':^FdWp5 fhHѸF^MBsI_L"ؿ|nO ;a@M?GOz,B6r9nszۺ(JiݕI'H&Nv*q-/ CCiv Hm̄u7r ,jZ1?c_JfH9TzvqNT<_2FN` ͡횀zkVjƧutںS QUGz~Q EXOIi$g7ӿ!p= Or%űi_1!%gvl+Y o@ w 6y1z{ STnBߖvGE!xbY%+ܱUIB2ȰE:e svP(B~*{+qS$Ѻںp/lJS/Gˤ~}5)1c]1n ڹ-a٦|rl#"^aY˞u$ǯ˄/|@z `n,#\D Jb Vx7dÐ؀9ǘ5r5i@fG6C\9aA =]P]<"TI`EQv/Ke57jg!`FjO)zxwW+ ŚMHWFM@ud[ mIAX ~j şdTy1v"C@<ltf(,hTs[9􍔂.~H2mSMpe,ub֛GcՔœX,uEH/levLgϽgَt/mSZ+~ K!@;.#`*I^tbNwWP.kBT/ջZ-xƩDmKĶR*F AU+Ff)rD1$XShNް1q9KP-P[7N@ňB溺 /,WϯaH:fsHDL+mWaNF*8ݬ -S^]Oz!~s})vIC>9ژCe"MM|'gKtK2E7x@B8YIvS%L#YE H+,@[׃xsr'E8 `MI [>{;,nP:/;-^ߏxk/8f/}[a|/+*rF0-,N1j)CRM4y;M !5p$oaMҭtc$jlPn.[9E472׾ rp4W !vF^m(%e tk)[R-??ھ;)"(^ep $Pęgixs,rZnGϭFt[T8ZwX}湡rw!Fk1\6iKlmi8@(H>1+1b%y ^uEXa-Q6Qpʿp$Ցژ7d@j& Q M2UGgvWrJ7WXPeA?gYUBl(AVYp}moj-:(4.u\?Jq+ % ! q%QNtxժ)aNcx[aP-(Ϻ~Y :|+XG HeJCsڇﲕjyxsjх`19)3@Z5h`rwBZ |,{/i%U2~_~z9dtq>΂lA^FNA?oEޙڝ?ۏ٣u@g(]U F]Ϭ];-sd0_ph0zZթd48 |V % !eQ!ovV.Jr#Zq4tGMf t24EKijr)4*mUucBS`Mn/l0%hQ/Y;D (f5Iz jzn%v̕f^Tnʝ'y泍L{ǘٖt ЬeS?I)"NzP^y:R<}_2;xT')\l߯R,_ɓ;d 66}ѳ9v>mTW4"<=}˰`R_{Q6}egq74 oJbnFͫ Aß;!E \JcAaAtGK4U`EH(%n!IXncҫͺr U]5Z szR|!Zz_'+nplhOhZDV(( x_l9>_ POA.S9mKcZh9裻U #쿽ŸABa mA+C2)4p6 bsT#C[5}ZJ72y63)Uv`, JTAt ,FF< aSg[,A%E'PVd)y)Xx66}Xal(I<6?p:ƴ[ 珋m_iǎ|c:u*]6t?OY fT⛅!sUVѓu6jxniҭ Z8 ˄K,r^X5ag8L_1(k= {px\"+{zzD*[14IgM>`b8K؉oqe}ڙY19%c2v*/ FST n /mc@9 ‡s@.sOqI3M|*\T@zed<`_3Fd}#H4KbOܰt`O] Ր^BM&vet+<ېӏ̟;M Mk8֞w #\8=)D=ewng\;3_֜PvtjYhHl85+L@TH>X,S,tP&GyN0d$J<%dw/Qo$ٞGO} վ~b_Uc .1Um(34*%Cn$xaV>1ݕz3c۟q %P@cD4Ȅ/DKl msVǘ)sۯs1Y/'sqluϬI|VmԪ *_ޓCƱq'ׄ9/_6$kQA7w4"^F.|Q/g{5#qǴ~,"㫿t #1 D9@ J-9oUEG䖎_F0n FYۏȷn?z肈aoh>{V%8ɛs4e_!{= ?Óc˵pf*<)DbԼafQ,_"m d]W*x 5-=9vtif8~">ϹuQqgуDX=zgޤxݮeb {Ek~sq[e+XZztظzG;>z*@buH-X; 27? e:A@q LJ}T,*ahyݱ8 %UބMQ ݵicpXN~P _]ymr*Fm u}@mL Nga}-uZy&(<g! 8dm gNSͪxU*S T _D PjӮ9x3Io*Gj` 5}}#l1-po^ dcIظ6\3yŃm$(K`0)wd#~)JFMz!zwf"$W 8#J@HsNPեv3Usn2G;ۖd23mpei7YSTtYe֕װrr6x~h 8?C/d\C|}(L=FiJ$e!*-kQVm $ΠC"`/@m}D$ڸ`}S | T|B߷4H1 m*<"lK[S =pL/.I7FY.x3#}눒k!!XM불'ވ ’oT!"_&D2&'(LF"ݫ)|ִ6KQeuCOԕBD0n.2.$%bd"AFͧ/"$k߿,aőΖzS^1{$#'o:v"zY&d:> 2J4wdaM*ĝ_L {ߑS&Nm3oh' G~KAm\ZX3$SƄ7e}"MV(\WЃB9a" ߞ3k-}m̲tK"- E,D2N lܹ.i iLMA'b^Me F ?QM :-!)v}6{u7&bFm[C2F@t6Ieȓ0-:ʽcW;5lvxCWלF}< }*_f NF H.MI~:L=#]Kь z՘E&qX~Z 6ؖ!N_Ma8bPhyc zr@ mMqK:2,k0SUޤ}]u'lŊC̜;1DX'UuvJ;1ǎa~vƑW'ͿW^Raksv`w.5m!G.x@$䡙n_A> wL(w|V؉ 4m5# XU7]I*vacKh}5A'hO*с&؟۔w܌{Q+?PQ½~9.8CY&% },Q(9J 6*5ղ7uz'*)2u[,-`CNi0/TK1^Ůa>=]ux~1A~{Ģ1{T7?0XQDl g%^L[8U&uYATo5PF%9%CV('@U \Oѽ!T@0j Q IqdP}AqZ8^aqt|S2SÑbpQ\?C9΄ٖ(-K ڤ#ZHCɱZnwUDR /$>& ^Y"(n/?+ҙ`+NZ\44"Dҝr5BxiI2@:UG :,@ !] NKqő6EEJK+J,¡(ɳgb+*KzT5BJWvslm5 8~Qqdb6_ys2`ߵf#+n1Dzsfy afZFs,3ݝB0->aEK 9/*2ͫY<#\d@OUNĖTMqX!Sv;ׄ}}lWyiZyJd^νu+þJ1ua[NH5I]lY: agL{˶Ehs^viYuf2ܜ ?vyF^W8k+ec7SpGj4jTn Psί(ޣ=^\]# :DeJYl8 :ܞ>N8! Z V4, 6 %2B tv^e[cZRyty_MZBw`C[SD jʐuy+2S4fc;R`b`!)ɛ|TeJ=;-qbBpV7pERZpq3c~Wl9rOz3^fMDst[pgIl`#OզdyN_SoRV:*VPALkmS}"en5$F*{p v5D=d~/1߷}uj*m?x._:$B޽S˞V% qmyƉ@aOd;&`?ibɩ3I3t9a.tj2I ;AlE.0x3' 禥LqH ~Dې}Bq>ՉԄͲ_Zk2go_x{_ckRٗ0ڹEA8 ǽ)"Pz%t@e(ƽo~%ng< CI2jBtRZŨVIvhrV1&uw0L0n݄)U4lP:zVã\Q+Zxod ZZ8lzhi -98XEC8:9}NI^V^5{6?2- @uh8dm"=Pɓ`8 dj,n W2B e +n1zL^&j;z^a '=z4/?_'8I4oR{":h?9 k`c00Rk/\D2tdb~M<+QС!sSirĞɽ sQ>Jͬ4OJwM"JyC\軯ywJhrxҵ=cGqmM>)> tP(xupH/TUv/㒎 l(gog&(NAlitUў:k <3WM09\Wnϯf Vf|O_ۇǭdAP?{ݮhhsNr%W,^g?ݲ1g6袵☮+-?^Lsv6Q:hr.d=\ͯ| \6IQkOJIHF'KG7.JV&=̦`hal i\pۤl˕K9"X/-#z: ϪSr$ە)ɫwTxy=PH /=SJ;ɬb;y6zZ yE1ٌ'hey?/q|M ̈5L,}0i<8hg=4zi!9g~AiIK"@ts/tbSϕ1EcBu  >E\oK"qyBcԗJ![.(~ZڱD)> ckLuPիn`jKgWHQ+365o0Ӵk"_!DT%G0ύGP:]8O6EwL^֚k4r<-)"tEtRAhWP[νrsst.;䳔_Y>I }UYIbe6,aKtuš;.UWvj^YX-@D]*PtC],#DfnkfRXyi7KXB$gYbtw*=5*/GcKeGY #ؓ"Pz0UXCy1j:lN"[2YX9WxWE͚XGɀ]esWsbe٣:>*ĸ m5@v#GKm/{`cy)0 l6d,\9'n(;\p #)z6"cz#'ZAh>a>4$a;Spr;cKQ$UP8.f"E6S| j3?[f#' 潏(^%žkc;\_؛\k:fݏZp&X2 Z7~lF~ m`sisEiqZ*2uEyQz,C09JbݿD +̹n c<({KZ,rQDZ!S\a,p`]C e)ȕ׏Vk99<=B2}iFymPB }c'$Bnf8;я Q`ؖV 76ʶx9ڤ7%DBRGbMC3܀i|5"o̦+1g"mH m@=qTõg{"4dҞpxQNRN[(GM񟷦 7.L]wKzCDZ]I:%):{ttjR3E*^/ eT?n:Ip5|PO{)cvw"uup|[M3u ђmm Η'^|hH*P$%i-T#ch-DOg-,&nwWc'=M"fv/clRMk] k.¾c"Z8=#tDKvY8F2-qkbvs dmF[QD4R\EM׏%q]lE u_tӪ" Qe2nIeހISX#۾6p&H+HNM\_mb-%R:=I~P{~]߼ y:z/R؜s@QNMEǡȣ@ڲ {TFDnq2wI yG][fɦadfY)ʠx\`-8D(Wh܁jyp_0bpWE,tDb+M #0)z*k2m4a4R% X,t0K;wD:Szb.~e԰n- % fN,LΎ[SqT_4$sύ?}plnrG %6z;'TD d waK[yLQ$gVXv[|% uʎ/WRj`jzik1%,50ŽDӖN68tVwt]N. 8Wڏ{_r =xκY)q3]6D9CЁП41p|httm&*xP]y`7\" ѯL2K"viG @T[_B@_1I%(3qIkCf'^Z3/i),ʞe`WJU,#lP>.5LrAɉG,r4 &{ԩiuwc e=+cjLVsi{#M6P @>=5I7! p ![e"ʍj.o,9ACV\ϫ.]kGWRּ+4}>`r~4䙢\pc[Bgb>Ozhc`:aG!I:ycX< In T07,a -46i^ ;4ւK'0jMǢ) A OollR|]HZzH<^ޅJ u=FljYuS Nz,+}:? -#|'oe|4 eZw1t71 < Fa;IV ^,豴 LK%s9CQ,SkB*:/NEСFޯ$zlq+:`R*Lݕa$ys0IAU1W)K©P_&Sfp˿.h:6r,{R|g%} <{ :Qל\P}|p5Ee ȨO۸B1dmf9 ^R&[ `)*aP%]6(GU0T1ϠLlytpRсw]p:a@f55v=+cEU5-{~݅sO08 =[66m}xk H/xH9$(Ct xWwgK;BZ{n~a1]fyz2+M-wW#\&cBKp1*m{.Cr ݃`C(e='$hie,͔cVee÷rm;Aؾ< _p414{w)l9Ue#Ƕ)XdK7+⼕CAzʱYo'h -* PS0:DoM3%m~.Y <(!@>P_5-+Ŧ0AK}GMܬ@G5b?%aJ[N8pYq!McJ?U>~DN+:җc]π ! xcE*3PiI02!="n7xQ^R2/x&w:f!j(8: }SHGyȼ7 ѓ٨b=9ilN7 .|~q8\WJsx7"ȜdRLUMT˶cG48&>^Ͼ[/⪞I\*%l3}8MpJ%\m+ڙ aOK/3ט]wUSUAhhѦw9F|) %ੜUGaK.2V/q -O폰yZ8ḓwʏy42[BjG̙# !P^e If>N#G%0zV5jqM7RPfJݤ.~j;KCʸwa[L6vIɁEYfe͈xf4MP5 ӹN+ZJ|U8%)2HI1Gu+gZ7J1#򧠾54WKA9~ 1Y~kWG-Ѣٯ/_bدr0 h|Iw^܁V2`~W:Q8ގ&ê0Ms=ʋ^.ˏ.uud]p"%/%%tZ$*!T U2Zj?uԋ2u.w ¯q3?)T47,?>L'CZbKIjk7?aO.QZ1ZO1 Efٰա]oB͸ey-.] |pl~37O:@{QD aP@!PI641,@HtGc&T@XnhԓDOgh4WNW?YrJTvDaqLy5$k}~^3m~)Sd T] i=/8)^pyY tmaM޶>ߞKyY|XFF X*P13+ 80V wDĐ7^&YMxx?Mi%b@3!V;)`ఉS_F-zb$]> t¢HPM2M"9hu´vTP\Bt)h]>o^l;~pGFFP iʥ'HM t2SƼLI 0 pĞ\7DB#4a6եy.:лǦfǩgה94~̖_yI4ҰJn#v"SCRs0=uvp&SnBO$s}KGiJmwu4SH{ז)L Ob劝tϻKv09DQ;mSf549C +) 8OX Qn ߧ)92G7(P]j'5 $4B mض8;Ϡ?-g˵c£jjW?Ƙ7?0U2B@O0 qxߞfcxʎZeJڛ(XdRQ3)xH><0e 4dH|Ԏ;nvsD5v@5Y3νP*ci>|mKCu 嗑Zu$oVDPYAqN#>W E0o42obd0˰'1)u%>nL/€9-OǩNLaf`;6?yB-v8+Xg.S#/2KK%nKNH}]gw+;2#=itKŻϊ?dj8E"1 [S-жqt4r):Ռ%Fv#Ax"nN5*R}0'Nm} in WMT=荘"Wut"yUvXTyN;M+G4Enj;dƎ:.Gr>ݓBc:1%jF͋-W?}=ҀǸ|;ZǁZ0?f6,Z N?:U!ya‹{F| (< 񈱆2vK}hUC 0h 88܎T$wlMoH8b˺Ffm뵝ްV~l֙Uآ\;Kj7oi@ZI%b{bڡj5ڈy#'ݤc6&`F]߮zkϢErFcyC$}O֏<"lѮ/UM)(x#Z[X(jB}/i3#&>2ftx6#"?Z"S$'Sp7t b+f+>o$5T |;fҨͱEJ+x] M/T<r _ 0KބuAȟn؁N"pTYYIr٘[o{9Jc-H6I@`(YW)M|M8@ͳX/u{ dypsBNܑR.o;hH?|^pוZ!pmo7fr88 QV;URQKcn8pR elк\3O""߷CVpK jY7PFhdjFJNY^G2CwI`%<0/',&M{ԚQ`) 9~ 6ꐌ 5H  wXy~J-FyRg€̫˜!};FABU},]/ouwxݟSNd `=+H/"5RSA"oPXM}lAM"p"ذ€J~&txrPkHVٚHt ͑\={22+67M.KAq,Yx4S|=v h5)qX%ΐsMͽh]aL E[;# K ^/λjc"^l 6F={bp۫cݪQ "Aɢ蟍(Nh>\t l"0QY)R2tr"ޞd/ &/șSTA+!ۣ̊x_$O‰ TDeG_O1[ OMUi V@-h}n;H6]/2joAT1FMѰ35ѝ RXmVoX{&T*b4`r<:٪aۣAt Ix`&rýZO/Ĝ{8NJ@J0m&[:`Otɶ);  ݦ|@Y˿eLz~</`@DT'JUBo us y#o LGyy1Ä pz賺 ſWFˎlyCŞN]&䰥o( B6U&mw͵= i;fܥs B}1Kp']Ev~6B" ɖ|&?n*p n\/b͂Ck%HsdCh"0֗qӔM.A8\>rU5 5 )f"=$6҇i%0̆US2kBKe*60Hel2{r-U w[,8ߖNjE@|Z=i4(--".ЦB%OX܁Rڍ\^jEĦBKSi-_*~OzeER۽z;͂}Y=͈‹('TQNdǰװZs+Z9c f7<͈n?vCuS;D'RSJ*[8jS:! HjB+Pm߅b+qȊ'L P~|Y%ؙ R/ۗSM?@/\}NbǍ@o=e]x'XtSQ5oNʡGw_M N7zZ[Χ' pj]j:[\uB J\!.mHo)wpHQɇ1Jhvcc EZÑsbՀ|MǼ*94j}K|^G !% kPf &:4֛aj_ ݸ Ď*H_N2Η8 o+=_3_U̱q} 'Y?u|H}} :*gsu\Oof/[bIC4׍{׭?Ԅ49+=nl)"ꏧ(_giqdFbPfu_*?0{ACΒ*Ճ=N9(ÎY%:t&2A]peق![_T,n֖ɀTv^IAۇD _Aa]o OfzkB*%xW8+L+2yAwԐD*?4X` >qIrbeNGK!+ =q_"GVDCL@pp),{)O xUERIŶ:[wh@.J:{(yd87&qo@_g*8ڠ]ΰi:ChCJ,08\ NӼ).[\)j#".`;f;*V(M.8AzrZKMcVIIRZ~X E|괡yǕL6LXksgdZӡshj7N LzT-`N[*A.0} a׽~݅qV$ɞAcdeї(:V >$ 1!SH"%9# gKJqc3N}T)~KS%uLI>m$asӽr"Pri7C'&iY>&+H+10gEwr kGn.,=譌},ah/_I 0NE(.|9]KkZv~p _N+TomWGj.jvZ _ڌ+|bvAH79tI˩>uW"]HrūxYW[uF;C R8MO#n%-b:8T"֕gV&JG &mjmAd&q#51h ;%8:+ ʻ;YHݜ\ΛѼSexR#lQ2[cj?BOøm0U~-lu~ӗqafY%p6U FF58V$ɵ=~5,|I"^Ee4KttJU7|FsHP2TQ+xewR]asbI>w=H^pp|L6r%̧٥B|\cF>޳2}*eȫIl'7&'6踹48=_2Zx CsZFVh%g.*jw4Uk )0?G^l4 wuk0@$XK }^Y92.׏ry bV f F:3J?R5R n^(Pg*rZ/SD3٩,aԈؔqE d9AT=X/+ꋆqFqԕ;Eג)o[݌(ѱr 3wg"ܯNnp5\+};#uMq# N]KSKyӳ%m-I(*:%.m2i%!99UHyd8ɜB_P:In0f{wV?z9z+ 58݆#1o>P..St~ -yտ>.|OVA]zJr€S7CbH/Qb65T'ۭk&[}r` 㻄Xqn܏TPa&4Mܾ~B1tOM"5owuz*ﵒ7WDY 9 x!5dpꎤ8Sy 8o{ک3qJJX6'a#*YtVr$*Z Ӆ 嗽{Ab5ReDKסz͛cΕ dE@j?{Ἕ9%ሏE$MϠCEZX% ot˨b 7R3v҂ MCkK&o7LOg,4C:T>sʱjP*jU7HLB{K*;!/$H {J4Ԉ M;1@[o_:aUɫi5-É>Y73p^N ~CF W.!P1dOiw s#(sq,d]_ /޲m&lց@ƭbOsαٯv66gw(-fc:^-'Yei'#Vorwb9ڿ~#+垫^@-Қ$-W^Ⱥ%^[yc 5N٠K> R*-Q/$[okP ^Bo[p{ O8r-ʖЀAW[.J5ቌТ<) UuS1Hs?ƋxjŞp1x֥j6o'|P8?18+l} _4p]`9nA0lf`Fvc`E! 2j3ga " >}; y^2j6q\hD30 T  )f3=}gdըn5]%Xgw̉jQ.mxQ%>ʄyq<ʊf7դC"!2q;[KK!5` 풿Ǜ́0*oxyDSF)[b3ھb8ZS[-DVl5t¨ ͵: D=!`b@2냖2Nxj7hR$] _ ~!Ccj%-qS=VRͧMlGBQnvWZ =j.Āu;c;Un^*1EA4WçqϛɾDMZP]0l@U)p|ϕ5zWҡ-Z47Q>^0^i^4N}!ZMwPpنjM:?OMܹM!B M_c~`db1c 3?Z{͛HT70suƎBoKԎlK׵ 2bhS8&fA 7m 3NMmъ}lQONZńV[ngQK (fÝ({RR8ukM.5;I]D?xNSq >;9s۩?j$)Y tORg^q>K㫜o%֏9~Qyn]YS'(2CfnX !c> @"16Wb$܊.>:[P*yLr /!e-P&}8+HUpo?vE[.azVD X5Y}/!Y2x18 :RGp88;(,Aj)_ʸ~&GBLuQRUXX:A9 H>ULqIqR=?m#lod iv8RG &]ժ.' Nb 48YM蕑aKOft?ӉA j3\YXZۆp,18c mFvV"bwTA+Q6vCz8^G&>Ʉp}ižjR)TYW0'*w(Px"G=qL~F!7Ӳ<"3)6hRb{ds -fZ} uL'o~`mPJ2).1>s( Y\dɐ/z[j2hAmcѩ4DП6y8)JoVV^*t.HcElT hYVSdDA(x :1iH4wPa5.ygM`;Gk<"hJa+ƅ>'Y0 PsVޜ6.I:asET7w:phNm[f =8퉒;pyKqߨn?`8:Job9ng0]4¸6FW0z֣` d3+\}mKW|:0%'.uRE4'sbHr(,=Mb"ƹc(?ƽ x1/ k3KQ;ʐ^Z(H nL1k?\W$ڃ@5I76LlK3SĎBL/5d<Ғ9ogY*JVo?X+a+s U-Vۼ߾ 2}RX}tsHduw4K6GmVDz)FU2 33 %易 ;;85ݨ!C& &" k ·;t>͞}Mڦ,޲vԣ'YnZZex>mDQX?y3L6Aq5_/evyh|C%ʐ :XfIUTsl x(GEGKK\N9]]xЇ|Nz8KK3BVw|Pi E)Es]zǥίs?a^4 Jt)aKmZ{I'Y T`׫o+}Cs]mHMQ}`Mg WjKqAE<{>uWy<Ee )$_x(ʥ6u7SL7>?Whע}_qk<ڲ\T͂Dlf|2/~Ǝ'v~PY@)&}pHa0(@owcvYja]u]B5C(DrrLνCyMx+jւ-p6gnĚKe:_3[~+--GDE%=,*/yεA{zٙM W+gY(=(QI^ˆwә3#;mһe#ӢڷdrH$.>Bjj#+y3],Gn:>?O$v.ل3X(0Ks*N+ēv~hp2GcY4;qSk|맫M0Œذve??Z(LPgiЧ PTao9LD * 6W;tN%6@pP\IoU wc=7%QR/lMQ7j2Y:SS{z>w!U/l% Ʒ[pkc_+ˑ|e.c:NV.e4^D<W'HQm-##)ز/X\[1ƷVOhțHȵh#)wOQ!OkЭKӜ:NFn7mPD-A;DCJX*!ٟz]p +5ߵz3n3>]A\T9伇gN o7PnnDg+d=$qW1DI m20ɺ{y. Sg Vtavo%2R[D (@piz*"`Ju*Jr])ԝ$*.R:5;^DϬb'ڨ긵˄r[D%=`jh\߯cb9ҲPZ?R& z [ߕ-q>H7[|# #* i$;Bh(ƶ`*9l԰m`WA%[-=6"=R3`s䴨|%ŮY5J_]Ҧy;]͗^\Zs6ˉ F]o.F1}|vʼn_ 3*~-YNڌ`PwzR6r`u rb4"挔5I$Jg} V@|DAc%6ؚ6l#ʱb݉Q7rsm2BRN(xEsl=zǴ kSU t)!K'VF^VQg(Q!!LC¦v9C0;) .&Ӏ߱L6[ȸHF*Wpg&.VEXPim*ݶ ~%(+ e0݋çx۵5b[Z3'ZYMz!T|PɁ G&o+7o'iׄWXܟ/1w GaRӭ@x(@Q6_ŋ:.52?ҵfW<v]SS 7A!BF^2C7>MBxP.w[|u?$7p;Rv GFhuqjhCJ})CrDaB)iehiy !q ;b;VHK_t4'< -LKXdD1ùHM7Q;Й4G8<.^YLQ|mt9Mݽ3V`Sj=bD S5b[FDpW$c5cnš&ݾ8I2^TI~2cOma0x*}o| o둦4nq5\dV Od ?;@'Ʊ[R[@^buep>|,OL1I0'lnǕvpaTˈTJ)i24s0UmIl.#Nv IxX+&g6  f3p_}K#-Yh4[H+Fͦ%& KˮdL?-|A"G Ƒwx+&w{f3-*Btp34ЊsPsC %0&ƭ)DQ $ mo9'PQpTCzsԑɫ5- GkdunҮ7dgan BmWH%f8_6[Ɗu$f=#Vu- .c{zsЉVpK!Sof=f=>)_78fUsӔr_ũ%"lS>}z zt'h V1? 85.OKl7Ax{$@`z)F -'7w}RCgdҲRyƲDn[4 q]սFl뿡IFf[{I'S@we5djXDR )WOVD9Q5 L]|Gr1\Bl|T_KZIq`U 25h-ZkEOg@ i9 aeL=l47 e3S(ڎZEV=]~Ӿ0 o:1 V&oQEUQzg\^oTFK_UM}m$lh,j邮ˏܽUU1?c>jVY)kbN<5>%%Ӯg&3] ;N7s\>kxQ\d֚iU›Ms{`ddHN;O:iEx4-+VE [nznQĚvt1gfQYBB8:)&O$L~E2c'[C%Q95e`Cp(JnɲSƊ[ !8!@8D#$`rh ? C;PBXLĒ'?mz-I 'Et:(1;}[ܡ \ ʴA6vHl?=\:[M#fF^ t] ڝ`ؽq_1>PcfRhk{k9]4@i>IXX q qg z G}urϭ:)>zbx&-K@M[|Z/`Uiږu.!-tcuz>^-i=mq/ Rr΍TB, H߷_ a O@Usp̶]S'W&LnׯR 5f+P+9;*ĶE0F"^U6 0]P$ Fg|Jb܍ö5 ZΕ(jM}R!|4!^ ( sU1Of2kEʠSnMޤ겓<|Ae>Py "KbaF(ӀZbCz|[ɿyᓂB.w 1fH\A@`Y焀y ٩UR .9b]d YUF\?9{[IA2[yМ$gnl=Q))6vWZsfԏwGS†tdHYwA0ڽX11OGu6{n;Üq.q-hnXq1s}3b jDs]*'°U4gf,'*Pmi]-s\;WyDsCpz JAJ׾+s." $W >8Eyy$D5ղoƱDH.^Ɔ,]ILD ׷3 fAZta@\Mn`b=U,jNsAJ hih{^oyM*H-ZbJ-ػN.C~{ss:;zP[Zq,tz;D: XeMt?IU;¤sBJ@"Bli].@"%M!T~嶵,b+4/  Qf>_QfX,h\'r3^tO})qƥig58!Nؤo&%ri%EP_)1$[3 /< v:mTFΞ o|6L_*3Dz1Ld#&nY077'Z\ŕhL)Z,Hhy kpjde &)'nfn<&Fb١,. v0Ou"z8~w'3to),D\A7U`ڶjH} 3&lNM;ջڏH398$,܇6aB?Gcʘ,Z}ڻamgLv< ~ޙmØSF<qHQL)xzΞjnѭh燧ت+Ne\R?'>k!R<>ax[~ؘPԖЍ;~$l#šur'O@/q=޶&hz^b0@ڻ Wy4 aJK_ԠZl?w_">x0?7˕b uK%}[7͕754j pb$\K}pK:֊411?^EfF KFqam69Ry \JTf{G SUM#rș=`rf8|ތWdr!hڇ]o:썒'~Z ;o-zOd&S:"ЀQ HU@.M5LGVlsT]aCjc8ym.Lvl>n,N¦X,֒YihV1 9-ȶCv,F mČ]T9FEX Q.vDN=%4 3! ;S*DB(+wl+ E_?/޺uA,Z2:,* Tc){퀝};̧xOi tY\k"rZTqbĻ^|^/gex6a>,8J2,4aH|s-kj)ۑ^|)AfǹQSS؇b*U*Of z-tZ@ƲD;BJ2#Ї; 8[N-`/<7:;+>~3'Kʙ :ȤO쑻Ƕ7$RGje/ s8aHYl񷐿u)[`t#R_ڮt*t&FR}ÃonF*dt5Utsk,de(g!dտrE#zzl=Tކ+iuU2 Eg+bzzUgĽz$ J',Cma0a$1H-v=ڈ ,\貳7J3uvь>O&l[a ͌jW PnauFcJ+_L5FKLxYRY@p|Ͻ 26krs%TUw4 %&"qdٱkճLOlr0$2νDBr[%Wi .RVp3 \ҹ-dvX'!\2fז*U;MTGD1dc G?1f.mt GCaAM<1 4C `n*oOV>_Ю=`%Wԑ"ePRSK%wo܈r>:̞mS ]=OwUGb HVB=XG1jxV -t{&J^X,?kΜ[8 RͦVLH}jk޼Jq˃?A} juɟ4pFa§!_*kRG(9{γo2 7N=`oH ̓nt>4M[|g3n5Z{_>#PE/*Y7vrgE:Id\ٰ7 "ON/VQ(gl~NT+]K%ɹʴ)>$q6*~NQ5񎶢}Xkv6zh@|т8E#:p1Oq >,燆$`U-2 *qa EG*g PD낣AnK9 h&$peJze@ǀ R=~ ם U;.uͅM'`HTEWyE- jוLlS4G'tP?˂sP`Hni^F;+4ME9gS˨ta[hrl0ijr:g9kPe"!?"|{o2]7wgK<(&ET-jҸ Qڛr2JNj~zHBGla ꄣ=$ ʪ4aA,fޭ8e9ү*ًj:B)m2Jw(K->D3,}}rU M E!>` 8q%z߱~K&Dci/%^`l Ȏ:5~ND޹%4=BWXL*Y զOsګ 3gpٓ5 &ADBnbӣ,!c1qXsK;!c\0.az`L,v.)iv#Y0.67cZ_nqW]dCP=@r-nme L5!j$"b2`iָ3L-vPR5Oi)#JHbD8f]p) <!\ ܂d}g;KVSX@'Ca [RsɳH!:kki9S05]\w]`ViᅅUpV:Ip`jӑDOw|Thua](qxlSPf^i}Ů,&>-8'64Onx |WkҾD&!0as39|D;ύ;XDx禈yTTE@DN2F^.:K7 YRdq)|K"m2RΥr<,3F0&YtU.}+@nafi1y#.ïèR?D%d6=\]aa3K7`|aCR;{AM0]ɷԺ7AAQgQ0{9E޶!Tv2%m Ь7ӊ-OZJg/b;8wݼDKRllzh'@"}R/Id RQ-c 6񭶃M%I.ͼ~i68Œ/QmЧ?SrUpzR}kXHYm}5Hn2)2I r ;aCC$6}^hwZ1K>K޲Zlv1_|KO|= /1y@#LCHzAHX݈ X[hPiŒ-?Jэs!'`:Д48q9I)ܘb+EV:Vݧ|*gk; ᖩJdib6:@+`=+yGcqZ0)P <qk__K r8Ʋgbxe:>H2RH:'l?jZuy?[ O˖リFf2 Ʒb8 _ ߍ)8@"E / , ۧ/\=V'IqwOW $9F$lFpT/E F܈Fδw *dFLiK^I!yEpHT0QÈGķUX+Vdrf=[MXs0=._"2J@VGJrn5,* ,S߮6`@)q׬^*ME2kluoU;)w2>ز]Ml-dDIKwdz,El'|vxeo攦G̊!8"`@ӏS]ǢnF?_,Urh\Opoj n6ua;wQN@Q l (8_Ãu^Z\4n7&gz;/R8ii J朜fQomC{Tߛ^UșawF `޶!%3%2][ O~` -ψqۡ7 ĎhW_V|" 'HalC "tg4"ơGQiXH/#)nS3j-r3C%؏%w'?4\̬Wo? ae0^{F펀; ]7AKm=֊Ќבa3\ELF*}Ak3 u YO'áU!oюgX,9o*ͷ\|UnT}ĬոC("YonԎ.H=I<ɮvx/lDqiG @!O?{ob>x'3 )Ti8gq|T4mC'D>#4#2[[NT%B2-RR>QəT}Gb.{9+V~S5#7+O2~FXZy 蛚rl=敏0 9o>sۦ d|g %`ѵNjF>/FT=|"jGp-5x(6(ʟ6-K\V#&?W25횁It1*GRl9툇FY Gid#~7AޒNG;.}h Cs0/gҴWfy?O > g̍N$5;\u-4ڙKM&C4I*bCA}Kq$t84\g $g:ܝ;̲ ]i\ }Y2cvep8,nF=X!"VI:h EΈ `>cj`@'CPm|c:rצI$ZoܚW]\1Qx]z:]qN_k8m!,lχF2ֹjOO.zMʬ|faѹF֌e֞"r[馱$<4Ƿ܇~erƱ1gO䬬ڿy7|X$thQW,J{""EpRhp?=q%M,p+%:]JQ,ۈ+)tC9fD''40rܚVMO4KJL#Ev!B} }sAD"q^Rcn,Q޲BK'!#a 1*hsqh.3쥙@MA-Նo$꿒ZTGjE $ht(ޢ k!6-z;©#)mamwQFY[62PRm=-pB:›TyҺ'- *o>Dctv25C YP4\^Ha<+x=J켫)q%Ӄc%~'Mb:PR,1s,d`QQ5# }Rp  Ó7A&7PPuܢlcR~KZ /Ȟ#? ɺ6*=;丅S@gz.^FSP<:jkRu2||rΠT7=s}zw\KswD]) Xdz(ou{_xV/$yRJݻ@FOѦ*S xEM~YV򢼔LQ1L(Va+[8~A&*3ɋwMm`a$rO˸q낮lҜgOȥ4F$m{ք+ooD4&i(>{e8N uT"jfǑ宍 VяReB0˓P<`O$cHh.7,@,! _WaAڛMǔVAih bS(, ]φoFQL6nu4 ?_ mI^|5Yv?g/e1O8[D2=6БC])}YD. 2q'Pkz[qW ‚Z2lD l~܉\fv;D`h/9dbAnK7f$qت;)?0\OპXGEOޫ/"@fHs$'xE=prfMj,^)Z@֜ݓzeC4(=޻?/xHd4o\үd,HǶB.zc*^RDNjm=Y[N?H1q ! _ךh@jt Y!?ǿgx=귣/fH 2pawi02V%4wP*F$GnȒkJyjipa; -s"u{rʯ Ѧ*( ~Daߐ\º4j*cDUzg#|5e*0^TDyѸi&ԫ!;jL9:zV_S=ASvm2FA|FwO]2n7nџ:"'X\[;;ИmaA~V.G;$ Ɲm.)Y\Uv&%4hx}uXsXHq\@[vј,a?knġMg4Jb)qo,憀$%9#S=B@}[MSHTYaIMΰi:jdELSAqJ: π/]w;khfW:h/*CIm*u#aN/u3I}YN&tJ.2<+.knQQ9=YZ$Jͬ& Tr;-;_YWR*zPo], x(؝8y2eM|ZN6顬f "2WTcE(oӴ|l{#ݬ+e` g `quOc-RQ+T;yMpJG#5_K]#`\y֩惦#z{lnfN)ډO TNIQHZg#ؑĠF߀sٹx@prN:)gL ;a\.z(-Q&no`us`i6v{$ot5xg{ྣRq<ݹR=)AYӒ}㒎LBq^+>[V屢κ-M h%ߙ $HsRg{ЅCFSEioP~݅ݭD ۣLY̒ft9鑞xLHOQH]).h:#o1y3ߖtqRvܩp݌ 4 dO_e4 \k͞)Agl^( !dgK gωGGsMs䧮9ڂXDUGL=:d隨|Y9fn,oԅ쁞[, 8V;>y.lMgVAj[]E[:VraE%7˯Z\V oϓz9=E>ҚF)2mg6RrY(w@Yjʪy/y刃k٥ޛkݱ坘>cd57Ae i)b/aKcձV GGԷ65Tc/ ;U[+@Bw62gr#*.U-`6I'-Lqd[]G6I9Wr֗BOx-ҝElUBn鑊tQ@Wyj^5;TDtԎG"X^, v\>;S\0U|I44L:G.6* $Ae. V<I^yIwHN5Ƴ}#@ꦭh C|I-ᄞ*&-c~)r Z>$#$6Y۬ZPEc,BGd,Azò8K|Zx& ж{a9D !g)J<ɍDJ,"=4l |œm+aIb f7A"w-z 7~NSgt!.7d t䖺~ )E(;kj:rϞՇ*D>ICÝXsARms d2$6[ȰlYRŅ2Liw:ay+#}pxN(1ogAS J@1X 7l㯏+PHSa ..2(|}g@Grg1Zʺ|ysC 0)3b@+E70YE[Zi˸_*O͹}.C0c]EM3q[2B yT/ f7oL*f'Cx;2-)}M$cd+qQ:A|j0R? _3D]$ުrUPwK<1/ lk>ñ:a_`m~o涅A1Ycԥ{Ey =⣍zI3q[ boJB趩Œ9$lO/`(}l@Dcbs;$'Ot&t-[jb5ylH,ZxinבC*d芙n/xv"1q6JjU_Q׉brf ovё8/y sL;:ydY7g(u[:d'̠:,) x11.:]~9OLq|n$VmۖGoT_ѕ8)_SXJntمOD6%8a2fF<[g,5ƷcݘJ`˃MO]8cM|wyπ{բN B1NroI Nyr=WiLLMHc)42UM)b'U5M@:9CCmf p.(LlX>Ks?ff~̪Íڥ27T-߶gn*=p/b{KIj#NVj f":c=I~0}t N*Ѣu rlIٳ`'8s>YmO0XݺB9~Ua"c{o8\BǑMjOmaD'&bwF[NbVĂ-;:[{R'_M^vF<G5fPО85mJ;oR:˽l@%!+RTw3K8]>+<)SDGoQHSJ' Bi{΃qGaܘwHQo(QbY'It ~# k΄Xk(uIno3΄5>O'6?yi*B%.پAYbㄡ{n" +(0&'-/ٿwO~+lsJmX_'-LСQرycN9pf:k\ZcWTvQ1NA>FX'pBLd@.D)C{sЕрb3Qؑ- bULp?$G/Iv1eu;ʺIɭ䭴 `Y^AkU%$xsxzR&"cxRFa_ӻ؀ +WK8sgNy7r0']7c9"_v"c0` H#ZN;ry7VފL2N.F/a6QJ= )nuB!&`/ֈP#QCq j Դa1V‡OLε 6jMZxbߕ$zMMvѿĦ,4!57o7ٸ =dUЪmf63kJ3DrJx9~;$\MLij_LR1F8vBW*9]X $xog'dOW[0xɦOYnJv:R(4R$Eii9JٶC" [S?b;~{l("gOsvj*Wॵk10ƋU7`qλe~W([rWPܷxdt0ӴqY&< Aօ+Zߺs|L]M"D?yTכ4^'T>2I8v3{ ͂CO3L]{Q`Һݪ&1xw7,N> ǭf@g1Tni8h)bDœXG*JG8bwdKoil)03l^zn*ڤ(:‚ VK+b97n'Is">DKz5w ؙg:v\ZN/`SQSn4U.t]8VndDzZBj=-Y߇L*(uTpxzpz*d3?=ܱ̒70u(;#N Lmxœuo2Dh 6 Y+~,M̤Dtzy@P#Xߎ4%`,ߥ10ڷNp]? YLPĈʕL}Z*.{Pa~FZ2ԳPm#X6"; }$Zw =|`,QY_`t]bp'׈2C'RB $0cyM*pE+b;yY;[7PO&𚩕jJ^ި aá1{Uo"Ky(.^}l9=ˎ+'8nvdF(; ( CLp@`JX/ Zڑ6b!tV,ځ]ebbJO)Oaq>a8|9jЗv&xVjiq !N M@s:=4YO)w֕Nm(מ'Z{ҮA[݇&$+} 8$ʈcFQBI,r@ |p @$jIO[ȒJ84;Ug&hue1(pH=BzR ?:]Tp#\7zeIC'2z tiF ݾZʁĽTW S}8yNZRǓ\JR|Fd:!c!r8i !Q ,Iw;j|)Y[[ќӓaL!<n8ݎPc5 s+3ϬQsqfBu)S4tWGĘmќ ,GO5.6+ReV&adQ HT00`z^j(wQ.|ںTѴP-eI$"o[ 3(oh9$v%YBwfh_b8/% 5__>wqw1Q@ Q `0sn^kSod#ƕU1z řLRmNx24q}xW2+z~083;I÷@%-txB*3PeAD˦PC{^?nVVy'㧓p #R_#ΆȘ3K|ZzHw YsYDK-++Y/X#z]ÅG{uġϠ 'F"-[ z \*{R?ۄi_።}ӀŬr  7v}uμfԜZYx,/:~6@!'pv!*|NEr9%kE*7/y<גE+] ^=KyE~z@7ZF.g3%I){ (IIv5V~ 2qahqK4xV i /嘁 "33מFhAL!/0Bk9ԅYJ<MmKŚ9,TvO* 0+bHܶ!_aR:4'm(kg?cTg*uJ3BDDН̅WVIEx5a0CPP7$5̾y"w,WYb[1 b2CAA:m D_r~=j-/r8N!:>|!<_$dAȖOtZɆ$wBS(ݐ6 `7?cz>@.|n#3B6Hyh vYf*2qE6vBZU4Zl\Wqj dS=9=y҅v9{$^UUP^_ʳQvA䭱b<9bQ]w~3_#=w {zPT1zl66x{&-.'\?>CN,Iatv@T}MTNCJu]>lCd-˷ϊ- u .=sKb xj/9 >EPU2K*BGr@)Ky;F#7+ z*Kp-Afpt.5vex]mN\?k=mϚ8`a|r/Zխ)4I4qۚP)}kBXdelT*F|zQ\=%MĊl7+Mj2Oɯ( i䑇N]{S7l &.aNvbl*IIhʄC$"$xD2uT#Wj@BƵW\dszVJvV/C}zp@> U6 `wWْ\rk 0݇FcD&σ3l]!+ёǪ:97³ *ڔ4~<00,\BR4zG2#8'4@R p*#&>yʿLyqHmE13_ʌg&l6%N\k@h< j}VYL!/*om 2E2իl- ) ֶX%"hxfI@|#wXF&Lk@SAF\ aѹn&sZ=~P3N_HnWǸ*?yj e҅x`cA ەt[=l,Iv'8SD>N=elrsr44[ewD̅l=0RHD倩)[Oȍp_cZ'+TjID@;ȘomYwQw$nok8~KLrA)`beZݜ{=e"Nܿx!2%\Y sdwġ UpXԚò1΍adlхD fŀΟ 6zz眑 ׻4HK2թ\`TS/0:p5uY;AJ'&o7hN+}57wp ں ђ'Y1E_<]*GyZuI"Ds<k<}~պ‘W{ً9-kmU*j_q*+8JY=VJ;qWĒ>wT$8]S(bzd&}Š(8d|M[*43v!,sWbuY}&U^iļcاvd=I %ɟFR暆D2;*SXY2ۈ@ʆ9APzR,Эhn"QvBomgG}rlCSGLoi5D=z6߱zݫ70)}3nA5M_ '@Y{\o;Cl&\2bݏ9v̼ Z'0tiG2cd+!g9ʧRw? ;G/aΟW=1;5*[yGɇ $נ#SDCs^aRK8y1qNYwF*Ndt৔ßZ> u#,I=2-75mn!bãFEZX- rj2ؘٝK+\Q\Ԙ'hB_Bʩ U'Xn xR`N _L%m^;~Ur*7lv%nBz ˨0_7!A9'ԫșCjeN _ 08p Ŧmz쳀CV6‡60cȣTxj?<$$8@ 0pUmݨpٛkbox7)$9uvc!FjDPxD 7T{gB LɷMr\Y/[Jc1/4mce:4MQd,4F`3a_p)Zv~껗ϵa*l}lRkC8%⴮nRN2r~S@s TRH"6Z{A?0%?4A(ˀ| )>K[\J%xb+]6hP88R2qRh 'l@2^+IʑD6wˆxBXHu dJj8ޑ_voOޥdLf;{>+-b;D3! 9fo_Ej+ v"<260q* Udgx_h nդ"w/B)sRN}/'%=4y홅W?|kݧL$4} LOчܧtܺ]b邤aB8)wG*,fҝIp\QȯK/N"4>cH^W8't+.n?W0N/-yݯ Qi=%5VɇUmg&l\4P62}W~vgchG.=(rcB2 DEkvOHƖr<7dؿ ?,yr20#:jdz\CV^gjuO)~AH(NLjکya`yjcr/w{XŘy\J&cD|͜r]-ov>n^6i<{ylS8 @~?ڜ^iOFITbNRK""1'ѯǩ9K={(狳~gTSa6 LMIͮXL'Ǥ9jTӊQo{YmjΙZCxÌ[?'.}Uw_6m4}p+*PrTu %rM&faC%cR2tswtM@Clq՝5r<hu4= 񎛤pnj)7pԯ!\Ki_>O뉬#u ~t @c YtgMhtêbx?4`8~,#QZ(6jǘ|he|n5[</;3K@|_&-lʞR'6PN<ւQQ]Jbh.gAE@l!Y7`(qCpAx:de{zo5tUh`snQ#{&G5s^2L 0n5-{~n-Mt]6[kz4JiS0b7mZ&ȫ jRCK@R^A{s3ޙ8߀'t tZ%k3RfuƗj.+JZ69<;K*iؿ@=KUJmGtB0TY& TGjJBW9v$s#e9.a; >'$>L sgUk\B>`!tUϗ _3+)ڪڤPiIUЁC tA}4 6-%N 7n#}%zC9qiTdyh[ei5/ilC˂^h-vi{0 9YiW Ȯ]uiG;@#g*Hȟ!2$1lX64H^#%mvCQ^p46v{P1 li4k880 E ,XO4j ,WVLж+![ uT!߶^߀8[ #}WkUl0*N?6kf8| N\ U:u~c`;r6;L rR3nFMzؓ"]A90Mr:0K̉biDbE)Eb4diMzk&F *=#4NK2ףb?cO&t:Hᅹ" OT &U#un>\R k+(jie:7DJG̓X7NͻFa sqjKv"wyԜ9EQvGt~AN¯$-eq}*S+O]^4P>F㏽d+ijIKZnf,[Bk!2FF3ʸXHKۀVpt б޻⣆ٺV;`GF?xm?Dng9&!>3$ c-Q1OW! HCx[t'ŝٟ}j.Jh6å/=aO'!*XDԒk_i݂UղStJT8HG= (wVaH MqTw>E:}ZƴPVYFXR1  2">A0wSkO:^=e8b'ܶKzmsat{W+[xbg)+u^Nxk2CEm飖%礀&ŭSp O ub}^)SWFئK_e@7U?l{ql|8}X>e 蕘3$Vɂy?W hWʎN,~გDt1`X rGk H@u-u껭Õ_&(;OD5*Q&H,zx c8o5j2݄Y 5-'h`Y{$#s\k! @s-6u9Nj ymA 'veFi3Ɵix R;%эꞯc{x]zUTQT_ݿtA B!e51_Х(TTί85`{[Ϙ4~.nfN^(K <5_dO@.R!Nl6xuVLoFi]!`E$/Bk5NۥiOg=44/_~{8\;W<G[.%{?W΢W5K@Āhp뾴lz{YTEfw, `jHsoUSstd|#6[:p*ޢ.B:bO\x;0 G2^XH*M{AWCA9asj9 Ehk, Wu4%‹)Uh^{v=IzfΉ,R>&sQy ':N#Cu?XΝXXʈ. P{[6䧆쑭 ̧WP`cJDWRSWBm}&WVogOۡv)7S@j!4LmAq!hq"ƴ 8HкtRBm]a [̃OwHǎt?̨T.D=E[ qV҅W'Ղ:e8_gW ~Wck@-+otb|gO|`v1,^s0ǺCcx pUMuv'[P$&Kv:n3e,٢y|8~e-Ôiܼna=E}`@!1- :b{YLa< Ϲ.̃[]-6%k}zus$Z-^ԒV @.7cgdHۺ_9m GeqDA { =@}"{^^k H@ d[t8 }H`*Et7S%}9=w$u'%4HHCr4{*\OuT96f؏rRc(BЛ)cdb(ŽGGneWvKHJiB<[JrqT<c&ID:wBB'LNyI߬x6>BY8Xː3mk.R:γ{2RJ*amugk&ǁ]J:`eGJuCz),!k׾$*tV]>k!ka&9U'Kd)v/S ,:׫7R5q ՍYҵ03/;JV@ԬZA"ѥ_8/g(C@y#6I4e_̇Ȏ*GluΩ)G32JD'tL`-=Y 4: oyV ?j p<`͇ħ\mPY~f—k^S / 4 Uo9gM[22h#}bZҦQgyRek=74YtO鏅r0Pw0"AӔ8 Lz4f"-wk?S'Y/vb% ws[YJܧ: ߳1dS | ?)0|ljQƣ0]9`շ#wH>09wpD\w&Fg;&g+xlZ59ڞNo1*c%;P0EM(o]nޞy[aft.GH?881Ɵ!uT>OT'Vd7?I:۬?_I9ðcE.i;^:]"1h2H>Up3HAÔ6h9-"I4yݺ㼕mBHx"͍67 ~'7%|X1& s9[}fo462S-%4`gDeMucbl߆_AW %OFtY[0@ir! 7"̴uFI Ed:Wj K:+}RBV,%%ܗ ^ hWڝ3 w1*7//׬m8|vRS M}/DQ>= "Yop.L5(`i+M ܘqSWB訽g@ ywܠ{b^{yC:,q9gOU%f- mOwCӿiSsЛhEtЭW"5.,Qxg6]OxZ3.(_@vԚ;alD'&ЌJo:B%lQ-C<~L[4ʩs?:{-4UcFm_qE(Sfu㖝)|о ![ϔ1]a(5'Pk|EBZDD.0dF I`mIGm0~VP -PP1X57[whiwg̼SDD`jtq>/,i!$w mhzOh%55J_a a` H\2bip{u~zDr͞^œ05DyLЏs ރvqE]Zdyew{yǸWҏEy8r]jsi'8:cC$'[Of`}kgN bS*֠VUQC`y=r7;ShidNdT|cKBsjb1OEBwW=snIU2H¡{F?Zj 󄱯F`y;R$70)1lKڧc˰QJNgtD  $eXO*$e`  yߣP "Xf>1r z~S]E=/Q]`b![Tێ3E .AgA~>x%(uAbK̢ @|N)M|F2Ly~mg)fu+5w(u}! P1ʸ}v59'׳a?P|ڟp|TƨGTSҜIKkT9ܱ>kբR.0e۳P4:wb#Ҡ#h:{ |P~"M!VKU+.9<(W,COduDx{bpCB8xi;P0lL>HtEu'n7dσzch#5wł!!DGE_~oM=9?`&>_KXaDLJ n2Н y]0/B⌡F@%ŸGLovL]Kk iGQlHbU}ЉA>fuͤ@}򨞕Hj-̞>8TKUWn.UfǨW }r}‘/5 ȝ:KƊ&JBKQv[uL38vn*0Sqh2 AtyEۉ-RZ$@Bt1å߹ EU_D2 dڐY2A.NqE.}JB)N>HHd!iW o9ݜ3ߓRcuA FD-ß"+8h:ֶY?"D*,6'ݒ4j%IwJ 5IqZʺM-\ +FqY[ж |rg'-vp0z%џZ B䂸M[+X\ab,񈡥d pF:ۅ"X ) G 2, RK; xDhv: {70FdYϞb N\ׂtQ RTt4" \)dE+Jd<>ĘoMjIu@D R%@1jkҳ]C/ >pG-Ӧaqm6T|Țzߌ[hG?ɉNS2Zjh2E2TA\ٚreZ,=g/V HTcirs&_)-^ ,)jVmUJpbIÕ #ro4"hGsU2"P#vNm1fS ŽPke[c \A3]ε:Fw~'ç.D҄P VCލL- 5ޡN]}Q.R}|tȨ;kj['.eۯt~y!M&Ҙz,[M?AF\ 9>coGR(ゥ=#o1fds\E$ű]F2,Urw͈NE{Qi<7 ² b-a[1)\:=65OrqsVjܑX(fM{oFVbP;-3tNPqz[1J͂I9Cd3wvs)Z5)péD‹}iڱV}/<L״\wfrz-M!Xff*AM:Vߖ#G0w%?Y @_jCIŅ'tezg/UC%2ԍ?>ٛK&ܩ9qPTפIxu~s13U% /Chȸ5&i1'1!KC̮nTx =3.)8pң=+RY>]*E>l@AL"(uisOR; 롂yŸڮ[;ـ{MukH_U{Y"ddYj>ah@!r״aY3B>Sa3[T6}-wǻn3gqNA d3n<*?,gf YJB<eYR͕aGm=zbč= nwz҆}64M|57 ^`P^җScՕѡu/-5рVrP9I;)~QK %]0{2`*mhxcN*A`q&i7W'y~0X<Ev%HX7No`A c/xo* *<2\GINTp%jugu9AM?efh YDLŠU0ys( +iEH.FږؒxVrE;h/!"qO\Ej"f<౤$WjEJjeXSN\af:giAtnZ'Hbhu#um!x+>VcQ#1ڟM`ᤥ7ޔKǓ:NW I.BT-E-_Y{$_AbJCSlg(|,]yb]>Od:M c $25ˡT^na.+vTD3?y\\o?- W1&1Fur#_n KWL.bA|m" S!J@4E6)}s!9p>&_[د+i`Gxte@YJf쬷NW>91>5̅"cnm`2E7C}<}W]a)lrk4i ^t ۫\𨎥k֠*mRlq#xzn:'T IaVdqrE`N?[QH 㵱38k&EE,@iG:W1C'HEnͅg5kŁ} ^ C@owޮ* c*K7,#YJ;5UUvPqjm4_G`6;=ԥ:C]C?qQ.[<:2 W=pLp}{ _s}u"G0/i:'k8|wogaM#W:X/O˒Ǘz,`U%;r݋:,D_ gNU t}aCeCU} cXǺW79:ǯYc9ݒ(LjX':NB< mEY.#)(R+躭5FZ2͙ Q$W+fL[c:#D:VlU'MBRj>/@ߔ=jZ>$mr e-#/6<#&Z6Ѷө5BjCiu:N,'\:U8r&'X^Mc]1ܨHܣ9bp*vއblGà;3UɲLgV+' QG͗rM}n;,6[q 졆S[N/i 683 lu? qr4ϡK=biŠ}L{4(v)5-mD;.]`vK S?+}E)gm,_d|OeP<Fʴ$;P2[m mC0k}"E.Q1'dS>%URc q]CaEt֪."mbW5/ͮ+d4V/[֥Y^$&,E>qB X/g'X,>rvq}.($ ` 5AXDaXwQ~)n7)×aTwb+}"5!fVI | kI,BN,!eKȕAq;ü-ŗ`JǮ@jMvp0HTߛ,5~Dr"¢" qMYNSg[>Qc] c ;cP5XYXL 篒}*Q U5mfWţea Dod&hYGΖ/R\±m߂;WS ɲ_cAm}bi&dȞ·%` ;B0O>/m 6Qud0,d1xDyE%Ta*Ɲ()v73`9h-ߊ3Ώv o$  Z==F6 5huϮ/3 /PXXfG>xw9SDp+h`^U#k'r&рbWi̴p!r[#0?}!'JDQN@ DJJ:~o*&G3i$w,뒊0Ms/g3(٧KJc"<1LOEimgbHdpm(J+WPӀVa6TL5|.Ewda q@rֻ*N ;t"vsnP>y"tޭsu옰KӦR B7U~Lb()3XP<]^pĮd"9GW#'۟7;u" e.>y>CDžam5=p,M}Sj|8̿;PuXQiڥ7y`XLf65|kN(lɩ]0NgD2@bc@QެVtX|!mTR #%gPB"|x5>2vM"q;U@ڈʄ%+$S-ڥPruikM_?ҕ) fV/Z> HV~-O\{,*_OQ[A{fp C[g\1i{Bһ SuUJĠ9qM4 MD0>v\.E,>PAʝ}ޠR8KO&=ƕ@{4O/wͬqc [B(Ճrec_!ne!N_y[wcɖSȳ 6@e۴ j3mיW:N71*>fKE*;U-k"ݰS!,URVIk)[O$j4POß+?: )cvi55t4'%[PUCs lf]xOa/ ?00 /Q1bUH >FO1n^&R7VvD49R.4*ݲ$:-3m#*"@I8*7dW?9}:`~"^6!9g֍6>dGl vkoH&A,j;AB?aGrVM!aFO.19.%],rE NmQt!4 d!|{N؎P=ʒ}3xa "['>ȬC3u=?!g)$q}nDzZ+|EV)5"N2VP3 BDeT&P7 !'…F=eh, 6PRK|_Х\ m[[5 [4,# Dh9[w_=v~T8vdy!g-HkGG8ANzPpdzgPuUobPqx;2<lj_SiP:5~ (y-!RїW "-X%.jDu *.'cS#r[%Ĩ\@#jv$zH!Ahef\Hp3Byj):EE杅f>'|3+^L{6r d7}.p 㼓1e*ω܄//Z&yTGQ*@x6T1 $5ŋ^efxs2&AW _[!+w ~:8L9HI0UټK, N !OCuh:l6D8^t~!JPAiEk@NF8tantD baʽ1RZN D=-nMa(6i7jzx!!Ut=|:J4oHp=gNzl+Tr0+ e@%_K:=o`#<’DX쓗?ڎ.KMY39;^-S jSW+]6ܲAQ=_!iq[SN颧<7)a Mŭ2knؽI `o]6y 8y/t <\—7Ãip ܤ>;}|=j8* Yo z| 0977[;p} FYMƼP;09F&!P3069cs4#{WI.؇9$Ϳlc^+}eeO&4M.@*׌?_.lxL@>5ZKWw(fwduޡ,eF㛣7FrmHJ;c{vuLU~{t[m2Ǯ P0 !DsK_0htS{Jwz% ]C֏j1)7k4 a 8pJIrsr J]:ؤkEq'3ESL g&Nm"^IrW5vRSBI)< ;k1`.[ &GF0,y 1Y2?as,\)RASϼ lrqV0 )EX7ք`H\Y_\|F\=@_ le$*zWq.QNĪV!&g _Or+Y iXzkdwDp>Fo42,/HjVn0i:w?&T2|7Vz`M ;<ɋDsûDWYd"/*i2ai#ǥ&Z@FbrԸj C)?&6c3u{ Ҩ20[</5tKu..%cCi)t@ i `>QK0un-Φwf=3{w\\u=6RJX }i@:h4Oi` u'ٸJoG9:`|N ܠ*X+Α0 /MZ3:dik 81Z XcS^l2AژHh8QDkc\.0D=>'~Ȥ gK \* \/nl7"~A>JQ$" ?mc6 .͉ .H3mgEFak&B]Z4/ʞtxw66? ݠ:XUR"@؊n *< TwBuu@V~s^Ws^ Je@HA,!mG v# 5mW^@i+8L!=EK%_s=ɛ)B!Aq[9 Һ?7;= IO(7"/ bBn$S0:#[OW)$"~66%|7zx]+I3vLЬ7%uCHܚLh8=)R }#ze%͋. bb^,{g;V Di :=2;\OTYfD笀ub'QɯG)K< ^c.f9[#!x[dY'!' + ^dW'׎B^ p/K> %v{.FZ,9[k?@h'80a,lݔFn'@rBGa΄GfÍv!ߨQ4 }ӷQߎ*l|ZDgŇ:XÂHYiwY=&I7LD\nٗ=q޸2xL4,o5ANbpUq 3E(KUᇛ1u u>*6!_ʼ6J6u#(F.ߨLDGdWTqWpE1b |oQrUCJAb7a!8P1D'VDU<8/W}&@@{S^ f7FJvȃ2؏hSV9~7k$Wa'RI{|MDjB%ȥ~^Nx=OHvJ 0YقXZQ L-e4W x8oXuW7YEGt/\wcJjS"L9"q2H[Q^۾m}N sdch&6Mꐝ9!xj [N}Lm-fVB#4R2 [򰔯뛂&ߤW")4x*շ^Unїa'glҚ3&|xc^( T{=B|aT =#j< ^~.Iz[5}!-_6 B15֬?:ǪR $IG WppTѳM.DU\#|kANx 9 !f_uQ-]CJ{bAك`!$+D[z$hd }` ֜t=3u-(ƛR cep>2[F0›EioןمE1NZeqv]Q6*F -\~IV%qg͉)LU,ȭ`w`)wb ^O1gFNFFV{4ج5!GsF>J>5/\S3Uߢ8 4>y/ѣDw  z^>@,~ԿWPY֭D OK0 R:횡j[#4^A֞F vC I\+t:`x2lB.5Ot0GkqA2qW;://~.7vϵyWW_ۙ74 mU)dp nPDs*/ !e[ʍ5 C-sWBTMMfl{#?0IOrY#]UkUGHG ?*G;[@E} M8DF,g|aL|nQD 0y( ɀS$W+: ⾪{g_e.VniMWB-}z=N1EѰ?)+(HY1&07<-/@{q_ԉD]|y$r6$W-y:KvH=! *vC \6uHYЬ\e e`j6 !aRJx!-9aZgY-.{ %,$QE:tzhpN0(ҝ:9fo (FRr K) j̧/ $hhRA0+ l0ly2|ڇ>9x'f@yuc C="m=g(v Rt΂)Iƕ#Y1k ٿQv(G5V|it'ܻ8/i b0n(@c6\inz "b42a-Г!+cOKFOѮ0v2qpmeT6[Uҵ+(hAԽi!9q4QGL *Χmk'⨵~q8dg!^ D蚻uW&Jv;vsM %BjM}'TrvU׌nz>6QDldCNozm7S#x#pQ f*W ͌$h W0f6K !p$[tT6]&Jڅ (\eEխMm(ߐ{߀qθӺ{M쉱]3O 'M:Ωѥ4;O;^Q7NB9raՁn2~+ ζu|4]B0hN?6wwhw'"qmj"wi "Nm= ߣ yQnawe/uŽ]0GQ%/9t<νURnvo"̷ : D8%;k:%OK_S$w `9Uދ3;W|<r?,4dD2O0ks(:p\=$в3@ۄ( gV:eLp1"n p~A!tP&8`mOp42(+-q&E/q|Kp b%%Y8J7.@im"pOIJuJ'T2k^h ifTg`yS>2Vx(IpuS"Y%f"rֹF ǒ\礄Μ8jV;MJ6 tقL b;V3,6Z`ꕴgPr%c]%[߸q)ƈxÏ2K^;".6m@Dj'~O"1f& 8tqWO_+^&k{ܴd"I34VϻhcL P<4T؜֚y2qzGyxtĞ0~T(;-ZU@A w\8 aho~t;avdv`H`ٞ{16{SpԴ,V̔_t Ums}fR9 o"p%;<MɤJwDRD MqqD<0EU{[WkA|2.a;Ɂ+}稚TG#Z,!+bn)DH%xR%A_ٸfeݟ0[!P3Wk>T2 ?4"΃p~Tܟ7XFv6Յ5ˮ&H9nf|DU;3x?3LX6GB&ު#ާe7Z X'G kmrݭNp# MJO6ASB'2d,\.4G:`eR1,۹:D+qDȚDl~^1)G1>/Mjgãq.?C#Y1, aʘw^CSw/3 F(${DlwMv󃛜9pݤB\ONm4T)4Lu9tIp]ii@akOjVY HgDp81PhAĐ{T"fr:(}HYϷwXmRO☠RXJ;Ff'nb1vT A1ã-|3y/9ErU<ź".{JSn!#9ri+c]:Pύ!Z iWez(?ԉAQݒ2kؼѤd㈵ψ8pVx&J,-(DY11۝R<)y jX 9 LO0Kuj=A\ꐒU=cvX\%NK$<;%=ꔫG(c)h#2OT?[!OHO-mWrEM79Bܵ? o#LFߐB H͇`mD\]$ DBy2U([vۍG[U?o4˄́r\h [(-#;@d.jg9Gk+Nodlz'1dC\*X snnK@1=F{٠>c{MǕ~.;/F^[Y0N }r6RL=C(U3,Z'Kyܥ~IݭYށdxDӋjدKe ` z`Vy_N|5ijwOp4q[+Cg) >TV-^;UkkgjvO;ij8:/G4i߽à AQ+JFo_dN=Rb V9y Opv;[Eoa=rk.]Ԕؒtsڂ>́nILϔ> 翋Q WtE}'ZSW74:#,tR,Ng=Aqw$+K(}( ӇЪF"1uE!9FJ0ZPcoGOmjcxA>Hg4Y2< V]_=,HgDs݄-冢tQ P>e}[Y>bC<eFYJpÒU+0dR=&nxs:C|#3sP(Qw)0a[AMN<7ZݙQ!ehmQ^q`nHg->R$WY|F8K|}W ˾whM8'{CCR||-Q cᗦB\0XX&? ^=[]+f;Q_bXJ z3^쭧h?$^T*mT$/So|&g^K*0Ƹ vA2 w4AF93\PWr0߹JM K]Jq?_5J; N45I}L؟s BIq2U~>n GK/K7?#'GabEmtKey+X숡U?EdOOrA?〲Y9 n͛Ivy o QՌ0'|]V3-}&bY'4xz}d\:ک_r  ~`=;u* )R(HhQ=$7r:+z'W]`~ѮU1 Xfw+4XGg>&;` ${qc9v4m_kEY"^9^J;ke'AQc`(ɠT*C&7RQtxBsmF!R. ʮ(s`UNZe`И4g n^wMdC%‡E-DUVOe'?|SV&r?z0> I ajma26w,3)?(+C;F@$*wrSAv.EM 6pMA - R Pbv;,e)6q)Y9H1•qJM?*&Yy vS&e bɬdxOg~S A>wZ[tI˟^FPp_&On O>~v\+\1LL-z,_wM>ӥẕ"2vQwNOD#ZNx1NQbgwEst'`l*hZ'^ëѧb©7Pn#-'Zҩ).c[/-^}ًoϊWfg\43obnR>y_+P$A?? az_>} ,}X M| >1@¯[8 Zxpޤ<)ȇ2c3~Dq_6 k}C|OO5^]5LtjWS8| K)Qf0;mY]Xo,]f׹೻<CG 07ZBWoPw/[Ú>:S[Aq A8qG73.IpJVq`x^ WjAA.|W݀Eۈ:|+uMtKGq$pbAP: n}6)~i3^2x{HGͿ G`#4+L'ޥTDnCaH{$ "m}!32 !PDyv{RhNG"ޔ&Q/&#[}:]H[,D-Y'܄ 9/z[ h0yWsӹwa߱0$eB[UL48wb.Z͍c'p> I&!Zਓ')*|! CU:!E2gmd$AZE)yTxZeJ BRZZϿ*凌Fˤ֍(96sVh Q*=!Ljr\R╨׃z#TB ا;Q2 v tߙz>"bK+{4]7UdEjAA<D}xEq%GP| !%M(ʶh9Œ6AQn䘺 y]$+Vas}qL+31ͮ63NTR^KJӳrWߥJ:-!nn A v߿K;rQ6vE7yީ]W[v DH۞0fn-<)>,)\QK; қ*fJg㌖yvY.YM2tiLOHI.Pi 4h xOb!Z4L2=6C = EfZ0;pObҠɆP^ g5o{k?KYE"JN),y|fa ZNn,7Ij QGAmn-/4:$ukxЬTj@ r' Wwk,G^L2fD ]e-֗zW;I \7JI0kb=VFCF/"U[տ-(eD'ťR{28I\x{e5PHؒMC;&,a ;$pߖJ)33s3^7AK֛_fgٳu Ti3#lȼSs5mK]b' 1b m$%wچ!ŕ7.)[Vͦ\@RmE,#C`Z+ˆXJOy`Ia{:`Ԯ1ӴԦ_+cȮj+ukn(PY*AiP.cJP*6"ĹPRɖ<) cr)? CǬ(o D9p͊$A"&{]%fg߬H#l$LMC7||WjI'G5H!AN-A!(6/giEr^zخ`BvASfFd,Gh"3!M 1X,4rt8F?si ]z[,@¸P}7O8- bM+Mmu\8|d%J!=@h:5l656 dDC"lor!iRi _hYGK̆i,H1,ƶAS;10eVplc0#my]o 3uZ9Kg[tillu~+Xn)t Xz]1^Cα(pZm%ˤ5챮kH˒`˶Kt|<-66sws#̕K^va#h>_xaptb1 b{@BA LqfvNfk,fB{ICmDnܬzAF`,71NzfI;#E4f>}b;<=5eGs QA@RضVc2m2ɃGaw X)`( !vlEIAUQ dnhV)?jbvzP*vVI4X iU6Q>˳W/P>)J@X즴!i}b3PՂ[Ud4 |?"O%Yk=Z tqQ6鄾$!_&)9Cg`2]BG8edC*mhrmQͭ&qQt 1)B<)g_us Yёh= d[0^6tVZ`T$Qͯ "KAmÚ:)SI4\xL֬e;vJ37$R/O%z$2[1#IӉlM4eǚx:eu7ڎ†lb=FSDD^P}7P삷'X^*.Iyx>.?$~Z mIh ; =]-~]r6 4=6Qi1o_Ϧ}wd,Gj{d2nkg p /U8g%;p38 &2XTw9dG 25v4~at0Qja'(yLtFJ ݺwͻ::uq>""b$bnîO{vk ~b;pHߒt`cc0~y蜢@Jz프}bpO`RrHyBVe9{j_&\ ZxDLd$ƈ,3L~)3\iUo2!Ed"N v `2k j~>zݙGMhYp# BnaC$^nrëvL[9㻱pPuKt3{8UًuwjlԖa|£"Xm9˙^bZ>>툸FhևD e)TytF$G"n pq-^]'v0Ծ/pSsקD ̐čO $2:@܊gB,?i01=vTYQr൴4:_i}Iwdn P"`_@g,;#ѥ4aD0l2&+$( Sptaqt5icް)"_&M~GD9`fI%"=^ ֺs|I`NdJ) Y*Mg~(WJA)`2GxZjKBI>"6?5V07D$.1S=kjy2?NQ3J4N]>0b 4 ʀK&UFn 褙Gl:wR4I#ǒ7ςz9=y`XQǜTDUxg[I(a$:tDܤn P @*hFLbs 8gۚuٞfqH03t/R HBEKjSb]ާp:ajVv<0׏vhKGoAUeVF;9DiY&Mg ;i{ a>v2XA{w HTpn ,%)Q)oN Tq3 ײ4⡢v?(my/3yg&;?~PL$&όM],Ks9މ\PN1ՠӚW2dfYqfqka|4Ö[{m-Lq nV۝y߫UVmJ[m! ;FIg8Y/_ǒ'ՙ1n&yݩ,c!Nt8e&p͏{Ə)妾LT4 mpa`C3<ZնkMZɀٲ'fQ56CcF0Ӵ%v.$$BG[ؒ¼H.pWd*0> r %@gp34?,5e)Cn="/v!fcbd4[Fu Kgq" `wA#/n0Z&A`h u#w2UǼ},g}{ڝUTʗU2m 'OZv^UZ%F aWZ/)K55.urwMIe˨찈`YA?2sNf&۪@>k3ؑxv{٦C7&nS#4mA).*UAnv5@2\|r%PtVn,hÐ=j7씺:ns(Q`ߏu-EZ-y2ܞj G/'Qblae%K3R XIVXU6ItOD+9*{0%4U0roڹs?Xd/-wX:XMb]n)e RZe%m9gZSt5qT5>ٳVsgrJf vݦWrrU}Ru4 4BeOžeR>' TH*"(ӊS '˦lZlR z|dK qA>hݍ A3a&C 8GUɖgh0^҉׳0=R['JeA& YG`wX#$"U޳lkr)WDZ|8xQBqn1% %z ɑR\yfj}$VXzZf'ռFMAVU_ui_b [מ;m.P^̶ I 9:e{mfQ~,Hp^f=i/0ؤUHAq2ZkcW<$ΤxkW8jLB/kqG'+lKhaϯk7ZaDox" /mwjMu 'ka9f!IjE'Ή->X\hݍ?_{6+0Z;.yZa/VnN1-:qq ^*Rh׭ywZZ;F\&_yq!;Tf_;* V4a -Wn`%a(~wscUnÂV\w; BuW%Ey1ZA\[>G̥CЂG1W¦4ŏTeq2Ý,m@?5컈m07ˋk k9AH,jrnsvWQ72aǗNkN1*p *߀3qhzl#Chy Dj24KgX/,d9sW;SyapMʰ * nz~q"򠀭#UdDp8dN(D $dP;p;X4LnhM EO7^JDWyac:3}5cqRyn,9n5l<,-Qlra\򔷚׵urⵒ[uqu2+̪wCz*:{@PŀԈ/|<m(&e(9I]:o_ln1=͓"'Xj](e/bmGҊrMdL7D}4s''g=cgT݋kS,mKfњޟ!o/?@J7𜞁2ma]v˾ti-Q`].ja *]ioХ]jAt˶N}7;;HVhHUw*^yUqŗΚWO{ѫr +n UۼkޠކAqFFvúD^g`Rw.ZGzd}[.u?ϚL+F̟`)!SdJ3N[@X.hQbiߙh-ɛioM5ӏZ-}`LFn-|G֜Zӵ7U%|@)}N^^m4ɋ%yii~h|!oti>]7*+Fն>Vܤ0֯K0p5Hu1P% F;EGi+r9LԮyӖ8ֈ[S(JbZ=\InsG:j.5ƤfsmH-OqiK<ճrprqL q9ӆ> YZ