sssd-ipa-1.16.0-19.el7$>L3s陸zf}>=ׄ?td   6  ;AH   0 w PPP PHLQ(`8h94:r=GHI4X@YL\l]ш^byd>eCfFlHt`u|vӘwxyWpCsssd-ipa1.16.019.el7The IPA back end of the SSSDProvides the IPA back end that the SSSD can utilize to fetch identity data from and authenticate against an IPA server.Zϸ"x86-01.bsys.centos.org ECentOSGPLv3+CentOS BuildSystem Applications/Systemhttps://pagure.io/SSSD/sssd/linuxx86_64getent group sssd >/dev/null || groupadd -r sssd getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssdKV#[A큤AZϸZϸZϸ Y ZϸZϸZϸ56fc0f2b489a27d371a52cdbc5fd2f861f371cb4e84fc0741273d2388b9753339d56d864cb565ce053ec5dadb8ac83f9da0e43e7e5e10014b790edd9234ff8f28ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b90377418be27d6fc9967c351ca88e50a6c7a4b32841ea496631b72ec920ac75e947bbe5798233fed8f6307639fdd95dc55ae8847a0d8f1ffd40a7c6cbdf569e33f9rootrootrootrootrootrootsssdrootsssdrootrootrootrootsssdsssd-1.16.0-19.el7.src.rpmlibsss_ipa.so()(64bit)sssd-ipasssd-ipa(x86-64)@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@   @ /bin/shbind-utilslibbasicobjects.so.0()(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libc.so.6(GLIBC_2.8)(64bit)libcollection.so.2()(64bit)libcom_err.so.2()(64bit)libdbus-1.so.3()(64bit)libdbus-1.so.3(LIBDBUS_1_3)(64bit)libdhash.so.1()(64bit)libdhash.so.1(DHASH_0.4.3)(64bit)libdl.so.2()(64bit)libglib-2.0.so.0()(64bit)libini_config.so.3()(64bit)libipa_hbac(x86-64)libipa_hbac.so.0()(64bit)libipa_hbac.so.0(IPA_HBAC_0.0.1)(64bit)libipa_hbac.so.0(IPA_HBAC_0.1.0)(64bit)libk5crypto.so.3()(64bit)libkeyutils.so.1()(64bit)libkrb5.so.3()(64bit)liblber-2.4.so.2()(64bit)libldap-2.4.so.2()(64bit)libldb.so.1()(64bit)libldb.so.1(LDB_0.9.10)(64bit)libndr-krb5pac.so.0()(64bit)libndr-krb5pac.so.0(NDR_KRB5PAC_0.0.1)(64bit)libndr-nbt.so.0()(64bit)libndr-nbt.so.0(NDR_NBT_0.0.1)(64bit)libndr.so.0()(64bit)libndr.so.0(NDR_0.0.1)(64bit)libnspr4.so()(64bit)libnss3.so()(64bit)libnssutil3.so()(64bit)libpcre.so.1()(64bit)libplc4.so()(64bit)libplds4.so()(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libref_array.so.1()(64bit)librt.so.1()(64bit)libsamba-util.so.0()(64bit)libselinux.so.1()(64bit)libsemanage.so.1()(64bit)libsemanage.so.1(LIBSEMANAGE_1.0)(64bit)libsmime3.so()(64bit)libssl3.so()(64bit)libsss_cert.so()(64bit)libsss_certmap.so.0()(64bit)libsss_child.so()(64bit)libsss_crypt.so()(64bit)libsss_debug.so()(64bit)libsss_idmap.so.0()(64bit)libsss_idmap.so.0(SSS_IDMAP_0.4)(64bit)libsss_krb5_common.so()(64bit)libsss_ldap_common.so()(64bit)libsss_semanage.so()(64bit)libsss_util.so()(64bit)libsystemd.so.0()(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb.so.1()(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rtld(GNU_HASH)shadow-utilssssd-commonsssd-common-pacsssd-krb5-commonrpmlib(PayloadIsXz)1.16.0-19.el73.0.4-14.6.0-14.0-11.16.0-19.el71.16.0-19.el71.16.0-19.el75.2-1sssd1.10.0-8.beta24.11.3Z_@Z_@Z@ZyZhu@Z3@Z2gZ.s@Z*~Z'Z!D@ZZ@Z Z @Z7ZNYZ@Y@YYJ_YJ_YC@YBvYBvY9<@Y9<@Y5GY5GY5GY5GY0Y0Y(Y(Y%uY%uY$$@Y$$@Y"Y;@YR@YR@Y Y @Y @YtYtYtYtYtYXXh@XXX@X@X@XsX@X@X@XۡXۡXXӸX,XCX@XX*X lX lX lW$WW;W;W;W֘W֘W@W^@WiWiWiW/@W/@W/@W/@WWWWQWQWQW@W@W@WhW@W@Wt@WE@WE@W@W@W@W@WW~W-@W-@W-@WW@WWu WgWDB@WDB@WDB@WBW;W;W@VbV͛@VTQ@VCV @V @V @V V@VBVBVBVBVBUUUU@UXU@U@U@UUUUUUUUL@UL@UU@U@U@UnU@U(U@U@UUmUmU@UJ@UU7@U7@U7@U @U@U@TE@TE@TE@Tи@Tr@Tr@Tr@Tr@T}T}T}T}T}T7T7TTC@TTZ@TZ@TT@Tp@Tp@T@T{T*@T*@TTT~@T~@TuTuTto@Tto@Tto@Tto@Tto@Tto@TmTmTmTmTl@Tl@Tl@Tl@TcKTa@T\@TZ@TZ@TR(@TG@TG@TG@TG@TG@TD@T6xTTT SS@S|@Sr @Sr @Sr @Sr @S;S;S2@S2@S,)S!S L@SSS@S@S@S@S@S @S @S @S @S @S @S @S @SSSRb@Rb@Rb@R@R@R@R@RURURUR߲RRRx@Rx@Rx@RΏ@RΏ@RΏ@R=R=RkRRRR@R@R@R@R@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@RpREs@REs@R7Q@Q@Q@Q@Q@QQLQکQQQo@Q)@Q@QQ@Q@QbQyQV@Q'@QQQnQZ@Q0@QQQ@Q@QQ @QQh@PP@P@P@Pz@Pz@PqnPl(PaPaPS@PH@PDPM>M2@MMzMx@Mj - 1.16.0-19Fabiano Fidêncio - 1.16.0-18Fabiano Fidêncio - 1.16.0-17Fabiano Fidêncio - 1.16.0-16Fabiano Fidêncio - 1.16.0-15Fabiano Fidêncio - 1.16.0-14Fabiano Fidêncio - 1.16.0-13Fabiano Fidêncio - 1.16.0-12Fabiano Fidêncio - 1.16.0-11Fabiano Fidêncio - 1.16.0-10Fabiano Fidêncio - 1.16.0-9Fabiano Fidêncio - 1.16.0-8Fabiano Fidêncio - 1.16.0-7Fabiano Fidêncio - 1.16.0-6Fabiano Fidêncio - 1.16.0-5Fabiano Fidêncio - 1.16.0-4Fabiano Fidêncio - 1.16.0-3Fabiano Fidêncio - 1.16.0-2Fabiano Fidêncio - 1.16.0-1Jakub Hrozek - 1.15.2-51Jakub Hrozek - 1.15.2-50Jakub Hrozek - 1.15.2-49Jakub Hrozek - 1.15.2-48Jakub Hrozek - 1.15.2-47Jakub Hrozek - 1.15.2-46Jakub Hrozek - 1.15.2-45Jakub Hrozek - 1.15.2-44Jakub Hrozek - 1.15.2-43Jakub Hrozek - 1.15.2-42Jakub Hrozek - 1.15.2-41Jakub Hrozek - 1.15.2-40Jakub Hrozek - 1.15.2-39Jakub Hrozek - 1.15.2-38Jakub Hrozek - 1.15.2-37Jakub Hrozek - 1.15.2-36Jakub Hrozek - 1.15.2-35Jakub Hrozek - 1.15.2-34Jakub Hrozek - 1.15.2-33Jakub Hrozek - 1.15.2-32Jakub Hrozek - 1.15.2-31Sumit Bose - 1.15.2-30Jakub Hrozek - 1.15.2-29Jakub Hrozek - 1.15.2-28Jakub Hrozek - 1.15.2-25Jakub Hrozek - 1.15.2-24Lukas Slebodnik - 1.15.2-23Jakub Hrozek - 1.15.2-22Jakub Hrozek - 1.15.2-21Jakub Hrozek - 1.15.2-20Jakub Hrozek - 1.15.2-19Jakub Hrozek - 1.15.2-18Jakub Hrozek - 1.15.2-17Jakub Hrozek - 1.15.2-16Jakub Hrozek - 1.15.2-15Jakub Hrozek - 1.15.2-14Jakub Hrozek - 1.15.2-13Jakub Hrozek - 1.15.2-12Jakub Hrozek - 1.15.2-11Jakub Hrozek - 1.15.2-10Jakub Hrozek - 1.15.2-9Jakub Hrozek - 1.15.2-8Jakub Hrozek - 1.15.2-7Jakub Hrozek - 1.15.2-6Jakub Hrozek - 1.15.2-5Jakub Hrozek - 1.15.2-4Jakub Hrozek - 1.15.2-3Jakub Hrozek - 1.15.2-2Jakub Hrozek - 1.15.2-1Fabiano Fidêncio - 1.15.1-2Jakub Hrozek - 1.15.1-1Jakub Hrozek - 1.15.0-2Jakub Hrozek - 1.15.0-1Jakub Hrozek - 1.14.0-46Jakub Hrozek - 1.14.0-45Jakub Hrozek - 1.14.0-44Jakub Hrozek - 1.14.0-43Jakub Hrozek - 1.14.0-42Jakub Hrozek - 1.14.0-41Jakub Hrozek - 1.14.0-40Jakub Hrozek - 1.14.0-39Jakub Hrozek - 1.14.0-38Jakub Hrozek - 1.14.0-37Jakub Hrozek - 1.14.0-36Jakub Hrozek - 1.14.0-35Jakub Hrozek - 1.14.0-34Jakub Hrozek - 1.14.0-33Jakub Hrozek - 1.14.0-32Jakub Hrozek - 1.14.0-31Jakub Hrozek - 1.14.0-30Jakub Hrozek - 1.14.0-29Jakub Hrozek - 1.14.0-28Jakub Hrozek - 1.14.0-27Jakub Hrozek - 1.14.0-26Jakub Hrozek - 1.14.0-25Jakub Hrozek - 1.14.0-24Jakub Hrozek - 1.14.0-23Jakub Hrozek - 1.14.0-22Jakub Hrozek - 1.14.0-21Jakub Hrozek - 1.14.0-20Jakub Hrozek - 1.14.0-19Jakub Hrozek - 1.14.0-18Jakub Hrozek - 1.14.0-17Jakub Hrozek - 1.14.0-16Jakub Hrozek - 1.14.0-15Jakub Hrozek - 1.14.0-14Jakub Hrozek - 1.14.0-13Jakub Hrozek - 1.14.0-12Jakub Hrozek - 1.14.0-11Jakub Hrozek - 1.14.0-10Jakub Hrozek - 1.14.0-9Jakub Hrozek - 1.14.0-8Jakub Hrozek - 1.14.0-7Jakub Hrozek - 1.14.0-6Jakub Hrozek - 1.14.0-5Jakub Hrozek - 1.14.0-4Jakub Hrozek - 1.14.0-3Jakub Hrozek - 1.14.0-2Jakub Hrozek - 1.14.0-1Jakub Hrozek - 1.14.0beta1-2Jakub Hrozek - 1.14.0alpha-1Jakub Hrozek - 1.13.0-50Jakub Hrozek - 1.13.0-49Jakub Hrozek - 1.13.0-48Jakub Hrozek - 1.13.0-47Jakub Hrozek - 1.13.0-46Jakub Hrozek - 1.13.0-45Jakub Hrozek - 1.13.0-44Jakub Hrozek - 1.13.0-43Jakub Hrozek - 1.13.0-42Jakub Hrozek - 1.13.0-41Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 1.12.2-58.3Jakub Hrozek - 1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 1.11.2-52Jakub Hrozek - 1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Related: rhbzrhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1543348 - sssd_be consumes more memory on RHEL 7.4 systems. - Resolves: rhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1523282 - sssd used wrong search base with wrong AD server- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set - Related: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7]- Resolves: rhbz#1517971 - AD Domain goes offline immediately during subdomain initialization - IPA AD Trust - Related: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1527149 - AD provider - AD BUILTIN groups are cached with gidNumber = 0 - Related: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1525644 - dbus-send unable to find user by CAC cert- Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card- Resolves: rhbz#1512027 - NSS by-id requests are not checked against max_id/min_id ranges before triggering the backend- Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card - Resolves: rhbz#1520984 - getent output is not showing home directory for IPA AD trusted user - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1421194 - SSSD doesn't use AD global catalog for gidnumber lookup, resulting in unacceptable delay for large forests- Resolves: rhbz#1482231 - sssd_nss consumes more memory until restarted or machine swaps - Resolves: rhbz#1512508 - SSSD fails to fetch group information after switching IPA client to a non-default view- Resolves: rhbz#1490120 - SSSD complaining about corrupted mmap cache and logging error in /var/log/messages and /var/log/sssd/sssd_nss.log- Resolves: rhbz#1272214 - [RFE] Create a local per system report about who can access that IDM client (attestation) - Resolves: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Resolves: rhbz#888739 - Enumerating large number of users makes sssd_be hog the cpu for a long time. - Resolves: rhbz#1373547 - SSSD performance issue with malloc and brk calls - Resolves: rhbz#1472255 - Improve SSSD performance in the 7.5 release- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1432010 - SSSD ships a drop-in configuration snippet in /etc/systemd/system - Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available- Resolves: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Related: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1408294 - SSSD authentication fails when two IPA accounts share an email address without a clear way to debug the problem - Resolves: rhbz#1502686 - crash - /usr/libexec/sssd/sssd_nss in nss_setnetgrent_timeout- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1484376 - [RFE] Add a configuration option to SSSD to disable the memory cache - Resolves: rhbz#1327705 - Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1505277 - Race condition between refreshing the cr_domain list and a request that is using the list can cause a segfault is sssd_nss - Resolves: rhbz#1462343 - document information on why SSSD does not use host-based security filtering when processing AD GPOs - Resolves: rhbz#1498734 - sssd_be stuck in an infinite loop after completing full refresh of sudo rules - Resolves: rhbz#1400614 - [RFE] sssd should remember DNS sites from first search - Resolves: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Resolves: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1469791 - Rebase SSSD to version 1.16+ - Resolves: rhbz#1132264 - Allow sssd to retrieve sudo rules of local users whose sudo rules stored in ldap server - Resolves: rhbz#1301740 - sssd can be marked offline if a trusted domain is not reachable - Resolves: rhbz#1399262 - Use TCP for kerberos with AD by default - Resolves: rhbz#1416150 - RFE: Log to syslog when sssd cannot contact servers, goes offline - Resolves: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Resolves: rhbz#1454559 - python-sssdconfig doesn't parse hexadecimal debug _level, resulting in set_option(): /usr/lib/python2.7/site-packages/SSSDConfig/__init__.py killed by TypeError - Resolves: rhbz#1456968 - MAN: document that attribute 'provider' is not allowed in section 'secrets' - Resolves: rhbz#1460689 - KCM/secrets: Storing many secrets in a rapid succession segfaults the secrets responder - Resolves: rhbz#1464049 - Idle nss file descriptors should be closed - Resolves: rhbz#1468610 - sssd_be is utilizing more CPU during sudo rules refresh - Resolves: rhbz#1474711 - Querying the AD domain for external domain's ID can mark the AD domain offline - Resolves: rhbz#1479398 - samba shares with sssd authentication broken on 7.4 - Resolves: rhbz#1479983 - id root triggers an LDAP lookup - Resolves: rhbz#1489895 - Issues with certificate mapping rules - Resolves: rhbz#1490501 - sssd incorrectly checks 'try_inotify' thinking it is the wrong section - Resolves: rhbz#1490913 - MAN: Document that full_name_format must be set if the output of trusted domains user resolution should be shortnames only - Resolves: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Resolves: rhbz#1482674 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server - Resolves: rhbz#1486053 - Accessing IdM kerberos ticket fails while id mapping is applied - Resolves: rhbz#1486786 - sssd going in offline mode due to sudo search filter. - Resolves: rhbz#1500087 - SSSD creates bad override search filter due to AD Trust object with parenthesis - Resolves: rhbz#1502713 - SSSD can crash due to ABI changes in libldb >= 1.2.0 (1.1.30) - Resolves: rhbz#1461462 - sssd_client: add mutex protected call to the PAC responder - Resolves: rhbz#1489666 - Combination sssd-ad and postfix recieve incorrect mail with asterisks or spaces - Resolves: rhbz#1525052 - sssd_krb5_localauth_plugin fails to fallback to otheri localname rules- Require the 7.5 libldb version which broke ABI - Related: rhbz#1469791 - Rebase SSSD to version 1.16+- Resolves: rhbz#1457926 - Wrong search base used when SSSD is directly connected to AD child domain- Resolves: rhbz#1450107 - SSSD doesn't handle conflicts between users from trusted domains with the same name when shortname user resolution is enabled- Resolves: rhbz#1459846 - krb5: properly handle 'password expired' information retured by the KDC during PKINIT/Smartcard authentication- Resolves: rhbz#1430415 - ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in- Resolves: rhbz#1455254 - Make domain available as user attribute- Resolves: rhbz#1449731 - IPA client cannot change AD Trusted User password- Resolves: rhbz#1457927 - getent failed to fetch netgroup information after changing default_domain_suffix to ADdomin in /etc/sssd/sssd.conf- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15- Resolves: rhbz#1449728 - LDAP to IPA migration doesn't work in master- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1449729 - org.freedesktop.sssd.infopipe.GetUserGroups does not resolve groups into names with AD- Resolves: rhbz#1450094 - Properly support IPA's promptusername config option- Resolves: rhbz#1457644 - Segfault in access_provider = krb5 is set in sssd.conf due to an off-by-one error when constructing the child send buffer - Resolves: rhbz#1456531 - Option name typos are not detected with validator function of sssctl config-check command in domain sections- Resolves: rhbz#1428906 - sssd intermittently failing to resolve groups for an AD user in IPA-AD trust environment.- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail - Fix Coverity issues in patches for rhbz#1445445- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1446302 - crash in sssd-kcm due to a race-condition between two concurrent requests- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail- Resolves: rhbz#1306707 - Need better debug message when krb5_child returns an unhandled error, leading to a System Error PAM code- Resolves: rhbz#1446535 - Group resolution does not work in subdomain without ad_server option- Resolves: rhbz#1449726 - sss_nss_getlistbycert() does not return results from multiple domains - Resolves: rhbz#1447098 - sssd unable to search dbus for ipa user by certificate - Additional patch for rhbz#1440132- Reapply patch by Lukas Slebodnik to fix upgrade issues with libwbclient - Resolves: rhbz#1439457 - SSSD does not start after upgrade from 7.3 to 7.4 - Resolves: rhbz#1449107 - error: %pre(sssd-common-1.15.2-26.el7.x86_64) scriptlet failed, exit status 3- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15 - Also apply an additional patch for rhbz#1441545- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1434992 - Wrong pam return code for user from subdomain with ad_access_filter- Resolves: rhbz#1430494 - expect sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy manuals to be packaged into sssd-common package- Resolves: rhbz#1427749 - SSSD in server mode iterates over all domains for group-by-GID requests, causing unnecessary searches- Resolves: rhbz#1446139 - Infopipe method ListByCertificate does not return the users with overrides- Resolves: rhbz#1441545 - With multiple subdomain sections id command output for user is not displayed for both domains- Resolves: rhbz#1428866 - Using ad_enabled_domains configuration option in sssd.conf causes nameservice lookups to fail.- Remove an unused variable from the sssd-secrets responder - Related: rhbz#1398701 - [sssd-secrets] https proxy talks plain http - Improve two DEBUG messages in the client trust code to aid troubleshooting - Fix standalone application domains - Related: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Allow completely server-side unqualified name resolution if the domain order is set, do not require any client-side changes - Related: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users- Resolves: rhbz#1402532 - D-Bus interface of sssd is giving inappropriate group information for trusted AD users- Resolves: rhbz#1431858 - Wrong principal found with ad provider and long host name- Resolves: rhbz#1415167 - pam_acct_mgmt with pam_sss.so fails in unprivileged container unless selinux_provider = none is used- Resolves: rhbz#1438388 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_pam killed by 6- Resolves: rhbz#1432112 - sssctl config-check does not give any error when default configuration file is not present- Resolves: rhbz#1438374 - [abrt] [faf] sssd: vfprintf(): /usr/libexec/sssd/sssd_be killed by 11- Resolves: rhbz#1427195 - sssd_nss consumes more memory until restarted or machine swaps- Resolves: rhbz#1414023 - Create troubleshooting tool to determine if a failure is in SSSD or not when using layered products like RH-SSO/CFME etc- Resolves: rhbz#1398701 - [sssd-secrets] https proxy talks plain http- Fix off-by-one error in the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Resolves: rhbz#1434991 - Issue processing ssh keys from certificates in ssh respoder- Resolves: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users - Also backport some buildtime fixes for the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1340711 - [RFE] Use one smartcard and certificate for authentication to distinct logon accounts- Update to upstream 1.15.2 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html - Resolves: rhbz#1418728 - IPA - sudo does not handle associated conflict entries - Resolves: rhbz#1386748 - sssd doesn't update PTR records if A/PTR zones are configured as non-secure and secure - Resolves: rhbz#1214491 - [RFE] Make it possible to configure AD subdomain in the SSSD server mode- Drop "NOUPSTREAM: Bundle http-parser" patch Related: rhbz#1393819 - New package: http-parser- Update to upstream 1.15.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html - Resolves: rhbz#1327085 - Don't prompt for password if there is already one on the stack - Resolves: rhbz#1378722 - [RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases - Resolves: rhbz#1405075 - [RFE] Add PKINIT support to SSSD Kerberos provider - Resolves: rhbz#1416526 - Need correction in sssd-krb5 man page - Resolves: rhbz#1418752 - pam_sss crashes in do_pam_conversation if no conversation function is provided by the client app - Resolves: rhbz#1419356 - Fails to accept any sudo rules if there are two user entries in an ldap role with the same sudo user - Resolves: rhbz#1421622 - SSSD - Users/Groups are cached as mixed-case resulting in users unable to sign in- Fix several packaging issues, notably the p11_child is no longer setuid and the libwbclient used a wrong version number in the symlink- Update to upstream 1.15.0 - Resolves: rhbz#1393824 - Rebase SSSD to version 1.15 - Resolves: rhbz#1407960 - wbcLookupSid() fails in pdomain is NULL - Resolves: rhbz#1406437 - sssctl netgroup-show Cannot allocate memory - Resolves: rhbz#1400422 - Use-after free in resolver in case the fd is writeable and readable at the same time - Resolves: rhbz#1393085 - bz - ldap group names don't resolve after upgrading sssd to 1.14.0 if ldap_nesting_level is set to 0 - Resolves: rhbz#1392444 - sssd_be keeps crashing - Resolves: rhbz#1392441 - sssd fails to start after upgrading to RHEL 7.3 - Resolves: rhbz#1382602 - autofs map resolution doesn't work offline - Resolves: rhbz#1380436 - sudo: ignore case on case insensitive domains - Resolves: rhbz#1378251 - Typo In SSSD-AD Man Page - Resolves: rhbz#1373427 - Clock skew makes SSSD return System Error - Resolves: rhbz#1306707 - Need better handling of "Server not found in Kerberos database" - Resolves: rhbz#1297462 - Don't include 'enable_only=sssd' in the localauth plugin config- Resolves: rhbz#1382598 - IPA: Uninitialized variable during subdomain check- Resolves: rhbz#1378911 - No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain- Resolves: rhbz#1372075 - AD provider: SSSD does not retrieve a domain-local group with the AD provider when following AGGUDLP group structure across domains- Resolves: rhbz#1376831 - sssd-common is missing dependency on sssd-sudo- Resolves: rhbz#1371631 - login using gdm calls for gdm-smartcard when smartcard authentication is not enabled- Resolves: rhbz#1373420 - sss_override fails to export- Resolves: rhbz#1375299 - sss_groupshow fails with error "No such group in local domain. Printing groups only allowed in local domain"- Resolves: rhbz#1375182 - SSSD goes offline when the LDAP server returns sizelimit exceeded- Resolves: rhbz#1372753 - Access denied for user when access_provider = krb5 is set in sssd.conf- Resolves: rhbz#1373444 - unable to create group in sssd cache - Resolves: rhbz#1373577 - unable to add local user in sssd to a group in sssd- Resolves: rhbz#1369118 - Don't enable the default shadowtils domain in RHEL- Fix permissions for the private pipe directory - Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1371977 - resolving IPA nested user groups is broken in 1.14- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1371152 - SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side- Apply forgotten patch - Resolves: rhbz#1368496 - sssd is not able to authenticate with alias - Resolves: rhbz#1366470 - sssd: throw away the timestamp cache if re-initializing the persistent cache - Fix deleting non-existent secret - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1364033 - sssd exits if clock is adjusted backwards after boot- Resolves: rhbz#1362023 - SSSD fails to start when ldap_user_extra_attrs contains mail- Resolves: rhbz#1368324 - libsss_autofs.so is packaged in two packages sssd-common and libsss_autofs- Fix RPM scriptlet plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Add socket-activation plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Own the secrets directory - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1268874 - Add an option to disable checking for trusted domains in the subdomains provider- Resolves: rhbz#1271280 - sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)- Resolves: rhbz#1290500 - [feat] command to manually list fo_add_server_to_list information- Add several small fixes related to the config API - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Resolves: rhbz#1349900 - gpo search errors out and gpo_cache file is never created- Fix regressions in the simple access provider - Resolves: rhbz#1360806 - sssd does not start if sub-domain user is used with simple access provider - Apply a number of specfile patches to better match the upstream spefile - Related: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3- Cherry-pick patches from upstream that fix several regressions - Avoid checking local users in all cases - Resolves: rhbz#1353951 - sssd_pam leaks file descriptors- Resolves: rhbz#1364118 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11 - Resolves: rhbz#1361563 - Wrong pam error code returned for password change in offline mode- Resolves: rhbz#1309745 - Support multiple principals for IPA users- Resolves: rhbz#1304992 - Handle overriden name of members in the memberUid attribute- handle unresolvable sites more gracefully - Resolves: rhbz#1346011 - sssd is looking at a server in the GC of a subdomain, not the root domain. - fix compilation warnings in unit tests- fix capaths output - Resolves: rhbz#1344940 - GSSAPI error causes failures for child domain user logins across IPA - AD trust - also fix Coverity issues in the secrets responder and suppress noisy debug messages when setting the timestamp cache- Resolves: rhbz#1356577 - sssctl: Time stamps without time zone information- Resolves: rhbz#1354414 - New or modified ID-View User overrides are not visible unless rm -f /var/lib/sss/db/*cache*- Resolves: rhbz#1211631 - [RFE] Support of UPN for IdM trusted domains- Resolves: rhbz#1350520 - [abrt] sssd-common: ipa_dyndns_update_send(): sssd_be killed by SIGSEGV- Resolves: rhbz#1349882 - sssd does not work under non-root user - Also cherry-pick a few patches from upstream to fix config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Sync a few minor patches from upstream - Fix sssctl manpage - Fix nss-tests unit test on big-endian machines - Fix several issues in the config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Bundle http-parser - Resolves: rhbz#1311056 - Add a Secrets as a Service component- Sync a few minor patches from upstream - Fix a failover issue - Resolves: rhbz#1334749 - sssd fails to mark a connection as bad on searches that time out- Explicitly BuildRequire newer ding-libs - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- New upstream release 1.14.0 - Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#835492 - [RFE] SSSD admin tool request - force reload - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check) - Resolves: rhbz#1278691 - Please fix rfc2307 autofs schema defaults - Resolves: rhbz#1287209 - default_domain_suffix Appended to User Name - Resolves: rhbz#1300663 - Improve sudo protocol to support configurations with default_domain_suffix - Resolves: rhbz#1312275 - Support authentication indicators from IPA- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#790113 - [RFE] "include" directive in sssd.conf - Resolves: rhbz#874985 - [RFE] AD provider support for automount lookups - Resolves: rhbz#879333 - [RFE] SSSD admin tool request - status overview - Resolves: rhbz#1140022 - [RFE]Allow sssd to add a new option that would specify which server to update DNS with - Resolves: rhbz#1290380 - RFE: Improve SSSD performance in large environments - Resolves: rhbz#883886 - sssd: incorrect checks on length values during packet decoding - Resolves: rhbz#988207 - sssd does not detail which line in configuration is invalid - Resolves: rhbz#1007969 - sssd_cache does not remove have an option to remove the sssd database - Resolves: rhbz#1103249 - PAC responder needs much time to process large group lists - Resolves: rhbz#1118257 - Users in ipa groups, added to netgroups are not resovable - Resolves: rhbz#1269018 - Too much logging from sssd_be - Resolves: rhbz#1293695 - sssd mixup nested group from AD trusted domains - Resolves: rhbz#1308935 - After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user - Resolves: rhbz#1315766 - SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo - Resolves: rhbz#1316164 - SSSD fails to process GPO from Active Directory - Resolves: rhbz#1322458 - sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - The rebase includes fixes for the following bugzillas: - Resolves: rhbz#789477 - [RFE] SUDO: Support the IPA schema - Resolves: rhbz#1059972 - RFE: SSSD: Automatically assign new slices for any AD domain - Resolves: rhbz#1233200 - man sssd.conf should clarify details about subdomain_inherit option. - Resolves: rhbz#1238144 - Need better libhbac debuging added to sssd - Resolves: rhbz#1265366 - sss_override segfaults when accidentally adding --help flag to some commands - Resolves: rhbz#1269512 - sss_override: memory violation - Resolves: rhbz#1278566 - crash in sssd when non-Englsh locale is used and pam_strerror prints non-ASCII characters - Resolves: rhbz#1283686 - groups get deleted from the cache - Resolves: rhbz#1290378 - Smart Cards: Certificate in the ID View - Resolves: rhbz#1292238 - extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members - Resolves: rhbz#1292456 - sssd_be AD segfaults on missing A record - Resolves: rhbz#1294670 - Local users with local sudo rules causes LDAP queries - Resolves: rhbz#1296618 - Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore - Resolves: rhbz#1299553 - Cannot retrieve users after upgrade from 1.12 to 1.13 - Resolves: rhbz#1302821 - Cannot start sssd after switching to non-root - Resolves: rhbz#1310877 - [RFE] Support Automatic Renewing of Kerberos Host Keytabs - Resolves: rhbz#1313014 - sssd is not closing sockets properly - Resolves: rhbz#1318996 - SSSD does not fail over to next GC - Resolves: rhbz#1327270 - local overrides: issues with sub-domain users and mixed case names - Resolves: rhbz#1342547 - sssd-libwbclient: wbcSidsToUnixIds should not fail on lookup errors- Build the PAC plugin with krb5-1.14 - Related: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1290853 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.- Resolves: rhbz#1336706 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups- Resolves: rhbz#1296902 - In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD.- Resolves: rhbz#1334159 - IPA provider crashes if a netgroup from a trusted domain is requested- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin - More patches from upstream related to the memory leak- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin- Resolves: rhbz#1300740 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.- Resolves: rhbz#1267836 - PAM responder crashed if user was not set- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Fix a Coverity warning in dyndns code - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1263735 - Could not resolve AD user from root domain- Remove -d from sss_override manpage - Related: rhbz#1259512 - sss_override : The local override user is not found- Patches required for better handling of failover with one-way trusts - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users- Resolves: rhbz#1259512 - sss_override : The local override user is not found- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help- Resolves: rhbz#1254518 - Fix crash in nss responder- Support import/export for local overrides - Support FQDNs for local overrides - Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes- Resolves: rhbz#1250415 - sssd: p11_child hardening- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected- Fix wildcard_limit=0 - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Fix race condition in invalidating the memory cache - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled- Bump release number - Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- Fix missing dependency of sssd-tools - Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- More memory cache related fixes - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Remove binary blob from SC patches as patch(1) can't handle those - Related: rhbz#854396 - [RFE] Support for smart cards- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*- Fix memory cache integration tests - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups - Resolves: rhbz#854396 - [RFE] Support for smart cards- Remove OTP from PAM stack correctly - Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Handle sssd-owned keytabs when sssd runs as root - Related: rhbz#1205144 - RFE: Support one-way trusts for IPA- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on individual clients- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support - Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2- Add support for InfoPipe wildcard requests - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Also package the initgr memcache - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Rebase to 1.13.0 upstream - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Don't default to SSSD user - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Related: rhbz#1205554 - Rebase SSSD to 1.13.x - GPO default should be permissve- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x - Relax the libldb requirement - Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21 - Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs - Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust - Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers - Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains - Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups - Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set - Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides - Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution - Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work - Resolves: rhbz#1214337 - Overrides with --login work in second attempt - Resolves: rhbz#1212489 - Disable the cleanup task by default - Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf - Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one - Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected - Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all - Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface - Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain - Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys - Resolves: rhbz#1204203 - sssd crashes intermittently - Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default - Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only - Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries - Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything - Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query - Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects - Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name? - Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error - Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD - Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set - Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires - Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option - Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID- Filter out domain-local groups during AD initgroups operation - Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Initialize variable in the views code in one success and one failure path - Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Handle case where there is no default and no rules - Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u- Set a pointer in ldap_child to NULL to avoid warnings - Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Run the restart in sssd-common posttrans - Explicitly require libwbclient - Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Fix endianess bug in fill_id() - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view- Resolves: rhbz#1184982 - Need to set different umask in selinux_child- Bump the release number - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Add a patch dependency - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Process ghost members only once - Fix processing of universal groups with members from different domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved- Handle GID override in MPG domains - Handle views with mixed-case domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Open socket to the PAC responder in krb5_child before dropping root - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD- Resolves: rhbz#889206 - On clock skew sssd returns system error- Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used - Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Resolves: rhbz#1171215 - Crash in function get_object_from_cache - Resolves: rhbz#1171383 - getent fails for posix group with AD users after login - Resolves: rhbz#1171382 - getent of AD universal group fails after group users login - Resolves: rhbz#1170300 - Access is not rejected for disabled domain - Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode - Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear - Related: rhbz#1113783 - sssd should run under unprivileged user- Rebuild to add several forgotten Patch entries - Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Remove Coverity warnings in krb5_child code - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Don't error out on chpass with OTPs - Related: rhbz#1109756 - Rebase SSSD to 1.12- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users - Enable running unit tests without cmocka - Related: rhbz#1113783 - sssd should run under unprivileged user- krb5_child and ldap_child do not call Kerberos calls as root - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware- Fix typo in libwbclient-devel alternatives invocation - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.- Handle migrating clients between views - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Use alternatives for libwbclient - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression- Add an option that describes where to put generated krb5 files to - Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12- Handle IPA group names returned from the extop plugin - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete- Support views for IPA users - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Update man page to clarify TGs should be disabled with a custom search base - Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Use upstreamed patches for the rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Resolves: rhbz#1162480 - dereferencing failure against openldap server- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1113783 - sssd should run under unprivileged user- Fix two regressions in the new selinux_child process - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1132365 - Remove password from the PAM stack if OTP is used- Include the ldap_child and selinux_child patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Support overriding SSH public keys with views - Support extended attributes via the extop plugin - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving - Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times- Include the responder and packaging patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Amend the sssd-ldap man page with info about lockout setup - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD - Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server - Related: rhbz#1109756 - Rebase SSSD to 1.12- Add the low-level server changes for running as unprivileged user - Package the libsss_semange library needed for SELinux label changes - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Use libsemanage for SELinux label changes - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Rebase SSSD to 1.12.2 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Sync with upstream - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebuild against ding-libs with fixed SONAME - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.1 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Require ldb 2.1.17 - Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer- Fix fully qualified IFP lookups - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.0 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Squash in upstream review comments about the PAC patch - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Backport a patch to allow krb5-utils-test to run as root - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Fix a DEBUG message, backport two related fixes - Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success- Resolves: rhbz#1078840 - Error during password change- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider- Fix idmap documentation - Bump idmap version info - Related: rhbz#1067361 - Check IPA idranges before saving them to the cache- Pull some follow up man page fixes from upstream - Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does. - Use the right domain for AD site resolution - Related: rhbz#743503 - [RFE] sssd should support DNS sites- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin- Mass rebuild 2014-01-24- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed. - Fix a typo in the man page - Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain - Fix return value when searching for AD domain flat names - Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword. - Fix two memory leaks in the PAC responder (Related: rhbz#991065)- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup- Resolves: rhbz#1049533 - Group membership lookup issue- Mass rebuild 2013-12-27- Resolves: rhbz#894068 - sss_cache doesn't support subdomains- Re-initialize subdomains after provider startup - Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- The AD provider is able to resolve group memberships for groups with Global and Universal scope - Related: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog- Resolves: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog - Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"- Resolves: rhbz#1037936 - sssd_be crashes occasionally- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains- Resolves: rhbz#1033084 - sssd_be segfaults if empty grop is resolved using ad_matching_rule- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- Skip netgroups that don't provide well-formed triplets - Related: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 - Resolves: rhbz#991065- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash - Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 - Resolves: rhbz#991065 - Rebase SSSD to 1.11.0- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 - Resolves: rhbz#991065- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 - Related: rhbz#991065- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting- Apply several important fixes from upstream 1.10 branch - Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- Remove libcmocka dependency- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doensn't carry any older krb5-libs version- Enable hardened build for RHEL7- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath insted of mcachepath macro to be consistent with upsteam spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. - Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested tar get is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstreeam spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predicatable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. - Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. - Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. - Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. (Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)/bin/shuk1.16.0-19.el71.16.0-19.el7libsss_ipa.soselinux_childsssd-ipa-1.16.0COPYINGsssd-ipa.5.gzsssd-ipa.5.gzkeytabs/usr/lib64/sssd//usr/libexec/sssd//usr/share/licenses//usr/share/licenses/sssd-ipa-1.16.0//usr/share/man/man5//usr/share/man/uk/man5//var/lib/sss/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericdrpmxz2x86_64-redhat-linux-gnuELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=46c36bcae96dcc510c6b5a2b84ee07ad17519e94, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=c0c94f12e20fa91b1cfa4d0ea65600d006ef1922, strippeddirectoryASCII texttroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, from Unix, max compression)troff or preprocessor input, UTF-8 Unicode text, with very long lines (gzip compressed data, from Unix, max compression)DDPR!RRRR#R R RRRRRRRFRRCR-RR@R/R*RR R'RRR.R RRR1RDR8RER6R9R7R5R4R%R&R)R(R$R,R=RRRRR RRR;R?RBR:RAR2RRRJR+RRCRRRRRR3R:RARBR*RR2R1RRRJ?07zXZ !#,]"k%{f}|,p35`7I  rb.1x--ŭ CZí߂@#vMy COο@~zdCdKUP ֓|!C~?AV\ߟ |i q|HU nx @EǷ5@6`M9 zޝv͉H9e ^k=NN^P}S p)ZZj5^2/PuD. #OSG:rp*"͡OQꎓ}1>a4Z,;`4oxӒwLc~9[]]=r`ۘkNu]mŕT*A1' Ss Fl'|KZkW`d1wr9k=} }ls腪 iw^or:z!d7VǝuRM=bk_^Q0Sv%cvV/ ASq M"cIWf"TH,=t15nnyPҏ0AΦ*uha ctSyGz52204`˥G2bCڊ=MZ/r9Zɦ+H;?\qψ1$D8籁7vPUf޷7FOm=19@x[9 [ˌ*zXЂJ.IrlA#_fjׄOf*1< KJ"c4 ÿYb/ڟQqʦݒv{֛]VyŋCWDozm#aB?yn$N@y@jV;6V &Qg2n=qgou9GqZe'7ѕ?MA.,]>qI '#u9ms0]FIه,h Jҙn ܟP`MͿm uPKc8-xNMTn&,=Ohl٭VPX^N{hˀcK<$>z 6+ 6^%dFzCD~Jkh^z"v'N~Ғ[ "vK?wQ=u(ي6Ae𴶩/,-(3XT~zgcl.53a1bew@zɍp aр*:wC)>x9CI]eq/Q{L%!EꔬG%Ӻ ,"eAM@xܻ$?N w1xFg{̕Y tB=ݰ56>{ԕ1)/`a ڣcg HOѠ"JGNQ- f1;2H)BK:샮Ix~K&+@uNDǴcDO2o9]xіy=IJGg!*c/auI=ljl}C%+ph Zk,fQ;bz!2ʍIߐtMt1Ao56@me|^Ca}{/*@Ȕ$+bg9E ZfaaM|\] ^\`CBd5- ݑQ)Ky5I_.j{*`p* bx$)'GԀV1,&?rMgF0Dԏ\^ݎ14os)O-؋"8V4#uZk븩 c98܋)mue«js#:DP!)B .Lr#|O/zܣemCOO:{i[ԗ˹/8B$w{U -?;}L3LᣑH,L1˃X&p{zp"Ο{7QGxAKѝXCFusJyG ޗw,a\2z,IáW~/O[Gd!p  \y,$dЫtoE=.-ի wG'bC>[3e!dS7ԥA3##H/ީjWrop5v'ڞ7iAw2vS4<F\%jYd55"oVI'Hf(:ݫ CtL}95(y4){@ #lV;y_lHoQ'Q88s3# 8 +),YgNpBNQ0Hڿfˏ#H7[h03 &7oB̸3}j\!;)vuc~kp1l$ dcÐm~R-[VP-L4=>Q-u==`CeK]oiIR|xZ Lj((oi'r.uAuIY/އQH;ěE8K!;TJpt.C>pF2R@hNy:kJc U@)j;0` MyB w{,b߼o +0-|U< Hh*DWJ͉ 9: ַMrS'~ -+BoC2NMx*|Ϛ"q]zk4WJŲc⁸<PWUJ9:ucE=v3rS4')|jC l s(hV AO,KLŘ3*F?z 2EIdR*Ϟłjo/D. S[>*XWh3~^;ğΡ70WQ!r*Ru1pg:m>XAdRt g @>z ^iiOn΂ݜ`+..^@ c2p91>ܖi%H'Έ.xuTtXU.^T? X[w9\,y)}%h^tS̥G=oUSO3qC񍮯TckZR.[a-júWcӒ=Gm-qJq59ӿϥ !Uje\ZXK̾u1}Hatu`Ql=_Dx;-̩F>$ԜgCzUX'x͑{~bl!i;LlD> %|:9J`2RR#8KV{i֕]PȩTOc#̶E=oJ̭Xg#_/>wQ{.bIQMw$l"v 5{׿q"*ܲIU+dN8~-S;4 ׵PY<Jt؋k v7ךS_ݢyFP Uޗ?թB;*O(3eZܷZ)j>xE ]ŶTi~<Ir(?j,%r-@Sz( lSұ _H53?Ye]VÄl$Z2#>~%;k[!nYR'K59N@lZxčzjvhycEbE~}#!"EE4k3:pcdA#udlٿ΋WCY'%+#it,yp% ,T= 6 a$КlFs ,+*Cc<=WKIYAoX |7BAU D*$/"-k&o*?IV%-fuScb~AɅm¨'D輴< &ijwwv[ m0{W5UI2(SC+k[,9|X/wQ1',N cȋՀ&ۭǦ;iF2FAWӛͳ(\v6օ W=ic> @=_Ԟ]nX=krmJeZ<ۡZA-@NReo'ݥY.o1k_rj0YW4O& Pmm."c>Ib"Plft׵ xhH r/|xGYcݗTrv(2Uu@7;Q ӆ; >#>dIm{LAgTFwif@RS #HƷ@c {;,tU0 UЉD!geG4q=>36b#mU #arEhWkr9=>/H0iha{1Z~NzӀe>7gnmACɘT`U L})<*h:\ra*SnQT" 0:?{Ŏ_xa1LѽHx0-4ZÑ#JTɔ2.3$fYZUj_[C}x`ø3UkWPs;AqdH)8.4HL["z7*Ð3Dwp( Dx{G<-xӭ쉈ĥGAKGu7Of8,N,O l)ݙP52m޾i5n ;=XM}K^V_(TUg:1_{BI׆mR9p)G'aQs8EuHG>d5L[瓀<S[Xޖtڪ/D\i;9c{J)gf@FYyrw_A]3b*;@NA#)G +yYڠr^YJHq_|UBӻ*+эӨi[ոZٶ&xȢ59Q>=}/O%[ ]Glޒl!JntO& ?W瑇o ]sXF̦)nxؓDLvqGB$b%Sཆe/}aey :Hx,#nbkD]y9E *W2bCM~ t#ZMNyǶq&o`q7@- ’ٙ L|[FwMDUW=vڧ7ནH%hNêL=`xp>Һ7N IP9鈃F SaX-ffm(fiYA1FV_&Uc!u {E]ņв"4C\^ sIq-0 6( q#gڥ c0YtxL0.t;Y!\ 5K1ϗqY3l;م) !, @DR68Ly)R!{Zv \- qTCD∊:JR%AyGX{aǘöyPJ-E ^qνeM*_,O>~2\GϚ^&5}Vzkk\ 䥝dPQ7l0^pO+HA@N jEqC 2GY'ڟmT) C1ږ\1$I9a2s;MjwwJyŘ- ճd.(4M;"0K$CH4kbNs.KU0v_ hel:ӻp_']J$c+5!%X/?/G|9'c0fŨ<85 1RCv'4QyyV.83"d=~Mq*Y|r;{p٤&'E3 :r$"b8&x_ D& i ܂r/Ncf>.B5H;ilzy4'Yd/|FHcw\/XNNȹrű:S(KSfֵS8 g aoa",xj,\:r;;xXSzy0*w7Ra gd@Z@!vtâ+_|uW>T5R"=X*} 枩["?R?ѭa?unc_[-a L^þ9! /1D j dzANx ]}ik<y 9,S0C7y.K?DPvW+שM*w[Hh29|<{Z eX.VxN {(R3;OUW\B1 aj((= cȳdbmeءX7zgfu5 x"|G-IRc V:1%A5T X#b''Ojwp ~hs$pgqoG1"ґN >6uvY7>/}Ƒ|~5̆v!%o) xa3p=G'%6h_fth{fYE2#OE:i|=+q"NhXdsHư@u}fFV쨉|Yˡ"Lo hn;')C DQox=G./9 5Nk,U(}/5`1oH՘~<{h"u1ٽB%L|[}m58-Vc Q^38J^ ӎ߹g?;.zo (>VN#e~yg@S+ :lNRh>\nx)Rv klU?_TFU$<:z}]SD_¸ؓ^4ZnvkI6OUyLJ+sIRmzhWN| ̕"-*KYLx&GNǂ!z^隇XIC"WѡKdN+$=J3cN.SfA2 5fl{r_E|Dbc֢#qMV`)i%9mJj|BRUp}z:[E2 nI#X=9]$ښףXnz.]*a~MTm#cVtVI$둴EfG%~ɄTt׶%Z5fMz|9L0~r̈qY~e,O@ :*W0?}8'C#kcٵִ'!(oC3~{xK`+)ĜURpxw*6_-\y(Izz03Wl㡀"PT{.2$s6F1xð =z^=)>yVn*_a[Y?dcQ0.(E/EUʜTXƫ7W@]e@MPhcr[|#E6LcA 5G8rٖ`T): &,/'PSAf0갶 \=)bl:mr.>$}`ymE n}O'9(;BPņ]I}<0N]V:5AySg$( )=j*xPKqyβFeJ/> B5 sdNvZ& %6 aclaaKdg( ٶM\&Gr^7l̜Y0Ysu.cZA\ $|oeXh$˖MF 9Z.ҩd1d IBi4u>_{߱d]uLG\Xh*%<]=,U̮n8zo98 vUh+K|ycʴ+v\{0qqDvt;>.7cY ^\*C1Q"2{FPb#.]_nsw$w&?dkao 6*ۻQQL06 <&Wv"D{ e~S3tZɢlEJRȅZ:N;{όAD%'$jQ(BzOpp<'I3m>w+*S`I`~i)aETZqAmvt"SAp՗_Z]#: :& j\hh9?!|'t#Jͥ9;?e #!je+I\#%ٌ=˿5>Jw)ߖ>:wR{ݰ~ګ" ӽG//b0Ro;NT *$em%r aloO/7 u)]ˆ(һ٘eޒEFTj^x&ӵu$ FJ,GT@~Zc090wv}^03.zԁWS.Z+zictlTkܘ/& 9M$4);0cdP"3jjZ(gV(RJAX+sH]Yx0*j1$|;q+Dl.C\u% A:銈CV%b^6/>|y+4 \W-K$ .I۰;.o^ 0/q|~Ȍ39(R~LIܵK(6!x:ݦzL"1g^ f2N$Zg&}:9 M'H_7 ro ^+ "qLwOf׻0CP2$aQ pbg \:9\{_q\?oxBbMbmtKÃig_Y3!/ ?s$no3Ο;\`묽\>5Y傪xŨGF_QQ˒K=cZ}"b€JtlK{\H |dۍ2)1 ؄W CۧYh@GqZ4 T2N7բo^o̩LhPqIxPX5 qrn|9N:F@J":2ゝg"u@*\cWccR ʖ: .v"+qm9s~=Q9ab=eÛa@zp 1C(c.Upm[Oan&r [/Wz+d^Y4W{!Hb %\T:5/ՆQprƮ끟jtn "JI^RPͧhTbRSBm`<<Hj7JʌA;:SZBH˜z7!rœ\`5Ix23c3lL >ϐ>%׍\ˌ=whդd4#=s R(Чoǎ SBXw`WEW*gB0*XrO":O"#$8-i5Lշʛ"˲#^ _…uE))e3wNn ޙI!v.Y!(4B2ub r m0ȴ.쪏wښBwew;5c҈!r(P&F[Qn"EIggܭߪoM˽[8zS ;-2+QK[cZSSz"cǖ ZIMGS4@L?R#^B֋8尗D4Nzd_1y\yIzXӧܣ+UbLGW%B ~|OޞPCGU:(wPaQ  8`SF~0UŤ"Y 1 ;4ATRh6#<<6z>>H[J1( eh%Ie*_6cyz֙FpT&58O%$`?ޣjD |Bb'b7Ecҙ&~zکYJL%M=h3i=@Hp,iidG2\=d29XۖHj\F@ё55'\?X_ì;!?yz Zd8e %8CZ6ckJe׿a 6Ԓc֓yx\U4I52>MQgcjlL' ֱ buGJiqĬ8L%A`&8Ɲl#ں !Pk t \ݛGM U\+C3nZ.QSqz]( !LG?j/s(C˸!Rùw^rHx-м,t' Xs~ض818Qgv^i jD l;-^0+հcyHv[S$suω]~95B%xSf#qz,;v=sH_b559S\h'D Ϳp,JOrL52̠o>ȫ T/:;V40yvW`zFX,RaHu5DH2f .w8Ws5V@/Ӯ9~ :ݯ? M{/FJ"g ^ Vf!sw\(2*>_rtHՍq  dS] G(OH6'|-M|}<OLfV=i ٱUJi:fcs:u,?^kqӯ *MN.9vYI`>iv磽sj5|\o*ҙ4ߓNR>Ƶ|ˡ1ήUǬp)'Q\y7VK!/jgI:,nH4 $=#D5|I}u7$DF&Kotp6}WL!Ԍdl nX@E69q-.T ,nmR:bFqP䒎O&H%R!cBY; 7)U𜦚ٗ( i("xgK|;˰+Ph_-4a-z#5(XPD¼,yT^G|MJ }$5cB̝j+Ctd;%n\ݕtkA~~s&*ҽ| 3<|%yqY:̩fE}j˦(L*5"üFY|D=]kAY$Eހ_9NbN?-X.1C \yA ëXL49B.O0òRLC[8*0GT,_fA E9j| QSC# ?S/n 3ɾ/A(VQKU-vܕ~ӬsOƫ T~[Rw#IjP:Ǫz1s?Od0Xr]Qx!͛Խ'p鐻A]ݪD$>0i~ݼi27/Jod)?y*<yZ= Mu? LpL'cIyK@j-ʸf7 W&Vd אLy1gp^FB.ӴHw%u@Q$ 9Mh7J襟w'ֺoD4]gmPN:w8 u]F!Qn{~2HпV3Jov%j^+LqujEqrr%KE|꣟+/]W9&No=nkJ:>&}ATiyJzu[\Wky{^">zMri`xK@XF,H*'7] ^3a >boKɺ(a힋jȕ}hYOFYgڥ= hD/ gEr]aFRRG_u߃a[|jNO Π<&Au8a$-:;REQUClG̜%icY7tuOZBON0"8v#bX^SUe||.6n OU.9Y3p $wG `x; l;c+-PiqaE|=?=V-/+ZGak.c>PD47) }v!qlx6| Rd_Xo+bC@o=\z~Qͥ 9=>WҶ#+{ Vib%+Fw,k#lWx`I DɷXh"dȄ`&sJ+kNl -yx}Pu--ժCd?“Y,n\]}"s!4rKp%1ޑECws}N lςY<6h֨JӒ5z;Z~uOؐmQ@v{Bk}.g70@Z-53cE^xD71PrҾkӏRX̅K%a:.e -{; Xe w|U[U^#gm~C[;T#åe Wa9Y߼-m*-x q9! d+sQa ;3~)1H 7%cu%q0ouUY̝cW4V V{R9 y< A\҅̇ʛ%+GE卑`h}|mSm𨃏oۅizR$ZbL6`W%ݿ[#ٻ AwQ4X#3{^'220X"+c,Y=mlaI)7jZbK) }j9VK=s{]H[kD2ʽ&Idqi(tYHBj%yܾ<#z;$V;mD#৕2:FO33ZXmNo&<q-1ak H/F"ӂ} 7PK7_)%O zo|q3JQ!JW?w<(s9z{RM+^CB?imE7'bi)Gq" qFBZ!N5Cfk=V_JU?5b=e0zZ/^34Pm_(J+fuc&SO|=X}:rڕoI9;Svt A0y-ڛýˎRqײfVNp/ܙ鼚nW@R*+ k*ݝ<^5 3*y NWh?6e/>V&092KЍvjxBxchٖ,lJqƇtܚf.I/ 6Rz=Bg E(扅G澞s;B1[{^"~@az|O|Uf(knE@1­b,3&e KTf 2LVG ϵrؖa*QԈYKto|EߣOkUh&Q& .6]/aa/ؐf/k7Mg|[-i~:1ye)1nz(۹/FHak6IfבpaɎB\s>}_a$BhDxdǿvkX{WZ UO6$P>TӪ LD{SvlW|K)ӱ93%/}[8ZF\,!rD)ddׇ鱜17вʓ03!^l|-37mS454taIz@ }ܖkR?JHISN9;Gd/E*^a`^,P,G,lr83il : Hp{b!;,3%.W6s@OljDͬDN"|[~ĥw@, IӤ$2֗ $f@IgCYp'pc~8ڥblb: ,kMiaQ#|qN?^g۾,nlwߏ9%ʛ茩1&Q1#f'f-kVLJuJ!W4_{Nf4mk*q^l6Ar23?TtBGr4n%X ؖD=VoF|vzNN66j3'`Or3RlR56zg([Ir" Dy?sMa:=]ɕS9i$fPo/[x-d ֌?Ɠ|(>MP#S!zƖ|;oiyF NGld wAl>% R4#i`beXT1L&h\6^x5܃JM]_ 6V,w2PQD!3zRgZ1~^z cAYW 22Pc!{V5XqaZ0ނ ag7&cB5 \I W.HkIjaˀR$`~in>9M%!TE?cDEqUonH&(^~_I s;]~-KxO `λPE?LX^4 56bf49ƜmFO\FqԪpcxc5W$ tzz{cbQA¦qaoUS9>^)rß+pySyަhsV.қB!/b#J6պPHfW(M@z-fj{+,Л&e%vUl)Tftыd-CLW^o4[˓x%/JPkOsǴuokmyvo=pʱDr0>,[o%nbZ*Ѳ^+O־=}=ր.|7y[j&Q""CyK5BTv>u̚$\-T%|b҈GkJp=5/*5xV/.5F:Q|\HQp^59aq^tOL<0rPG_ەo np[Ӯ_%{'U@Ì b;̭K1HiX$ Ⱥy (Hw43DMb ߎAM5[IdJϏl¾|lY)M{t|n 7 ލO[ҒGo[þWAf^iO_ l0Vt(:2x@$YHv+Vu\n8?e?wag/δ4@I}Za$ߪ{Ku$+Bs$<oQS"s.c6 µPVu*rcY#9f+DU'$~k}sZ$ޝ X:7)+ 4ΊӭŀH@qfQO$<! r"Nӫm 9i|l&VP&a<( _O:"$"qj4#Y_#:Ӛ< v8Q@%U:.-W3~ưxihKDm/"k/IvX38y?f}'Q=@]d KdF5ʀA@p*jX1W֬@>ڎϒ),Ɨ/Jb}N״UYDok+ٳ6&_-|s:BX[r*$~mEa&Jř1N6)Hk\[ RBq? S $ș^rx -u@FxL7J]U ur@!W`,*duNh"ViBz::+GJ1W uQ' PӔFPa$Z W1 <:jձxl jڹ.,h*_68pV,#@1bNԫMs}qIJ3Z2ǖ !%PcD(u!4+6sbʬsQ~sRZ[C|̽\T5>;\&Qx)!C5;F:?3=Ǟ^†sxW{2֔gSA Yq0lx 0F߂^^ Dgb+ G@Gi!,uh{="7V3xioG sqz- %($svm('(Ӈ&~x5:#x#=)Ǹ鍋嚝"9)t% HWE}&aἶ*x ֶ /ۏ%_T+OA:P>sFQXkSZJ[1ttQ G \FF ԄEY좝|ݶM}r'ܔw_R h]DPRW%b}ﲨ ; z(iz IÓnP,]`%sH]yFg 8I۾@'wSz \ܓ-opu٨=`so7W9}l{8%^(JL3ޯMCW{g*oSax?PYoJ7'R#/\c‚5a2cfBg,!@F<~zAH>ʬܑY[;0ZG+rNɥ),YYPI䈼Gմܶ?>*3[>exsR*ϹEqH: 6Û^Bm^p{+^ ŷ<-5^R#LgKI`9g`쨔C- rs@mX!ŭq;!Aa v&!&J!vzN$s] 0`: =:g Ӯ3_4 0>j@k1!?52:w.TKjI=¡mt ;wj'pBKRqX:&"ZM,ydV~5f{lW#f QhU:io84cO_iϪ/GZm: tg$.RKt0i'#7!CV.-c&!NJRUS;M<2.[RЯی/"g⌮U7.2xFWLpM[ۀLJs.l}UOtWȕcnHJm$vFDZ?@oZdZRpNy5ލB P0ȠU BפdTJg6>a-䍿M-[ QW?r9vH-g}#RNCM.9$+ wcg֫Dz9j{hEҥm0hxh=R0*l7G= (`~-S ɨ&?g"WFQgu.;Eu8dڙ@eiI]0gKN5Ox{ UT/N{In*!]`o_oHɼ-tp乳a%UGRES4pde0n2"U1l蓉ε tMCl$!]{E|e3_ 1!,*Njd2p>j"B2#RkY05%C],6+Ƨ68~~k7EA1Β̖uaU$\\mcRp pφ|_) cKʖYť6a'v`!~bH }w)ڤd*7#^d{zaE;t)٫yQNL[5;L@^ f94g1DC#k,d2E6Ej1`,rim<8lO˗7ϴ@]e`&"f4ig1k $2mpT^"pu9x{lnh]j>CLYaqq'xhS~ Wq]XymGcDROZnW%ȒwΜP)KfTJ mgWi1&w4W6ųC@ܐ:0gؿ蘁<児˞,4e^&o~ANQ =k?_BykR];0V>`^ގXbƭLs%IU^<>ʾl䔗On+ AKQ#A <-PS.J5x(sX)?JqAzZiT"UAZ&V=y!ѣr V(nVEtM٧d0=%JS]?e>|KĶ] LI:vO4۽6~d? 6Ҳ1J/ 2Ov/Q* ,wnfF筲l`䊘θwmN $9k)1vRGxcȕ\ҷ>UQ~(2_/_sɓ8qy•$H.7? ʭw[x)E8:D΢/ &q*]vϠm&Rƃ( >| >t='Y9GIš|eu_!' X SUUWGC']Y9wXcIm]mf$mQ#ݾqmb,_ْ8.B[>K>J;\8uE͚efsCR8BW %tD0v{-*:בYs(o='c5iX]tH6+.OR{0 -=WP^]]PU$,t!ĵa IJxD[B^32ᩩ~͕͏(ͻO-}Hϙ#gQ+1+}54~q ](H:WjԎU7 |bȽ=ȇ>cEDLJ"'euo]];0o jF&Z8/ ȟـSYg ٝYp?NxӗV!|eK)Ch('ݝ5`ޙ{ĉ_-Xg4z,"xJ+ԃLcHz>r˸L=ZcSR䈾d$iQ'+]k=[ITHKi!Զ*FXg`rfLգ]s9Jqۙ-Z#TN}vpT6%PvNeY,? pFm~T*8e:^#&3`^NQ &`Xhb!yj\]}9ФƎ=.Rݳoh6մ@0ed7$ނ|GZեuc9Fr E[//{'>#ʀ9I:u*0sțÛFa [W D@/.`خhń=o7Z,d>FL3^EsX U3ryFQn%@s#YZLfx >/3[Ե*EjbW{ZOy d5|sʱoi.O^[/I(IHwfnLʹ9!*׺ S!_φm;D$<@ZT jF4MDsUsd3m!О_,j4(G79nkp,+!|Jx3[P.7EG+Y~{dcxɐ @{Wcf@X91FChάR>W3̡bT\wpȺGziPJ+•b R䱚8n[Ӹ6]fm&UfIEAONcȭ wL ;}p-K!rdQ򩤱#p'[CqϨ=2|7N/ߌp^']ڨG/.Y-z=3aϫLV&O+ۂ1H؁AJa糆c{7]>QwNطr)+! {: 4ze*N~Ə q Po(vň]A9g?u$+L"߽SuZ,ڝ!h{r$hBY14 b)M8j}R4u 4^(R!1Uхо`qm| 5,N;OLG!z|jmO'3F>KxmLqR[ L{NVİ U3c/Gu'T5A y{p!@U7zUl[``$c<$JmfW#Z)m884chDr- zl%^z)kٱd8B 䢯e2d ^R )xTMKkgTPZ zQr$?Onun.ڱ•a"94 ]Nd3ϯ.RlrfhLQѨ6Jg pfͺ]̓T53һAQ 4GcޜV8 hh߀D<Rc5V)4 (4ZE`vdR#eD W~`Y3`9mKrw!:^^niCSir7-DLk`\jxpѤCirܟ63?P1! me1L쒟sCCſ>Foeuw p:s;36p3vvUA>ǃBF>=w@>߮YPV7YE0dSNP̭_" H߈2.FaKFŽc;H8CT,.a$d~MW] ,3rTsXϳ`̌B. -3q63Xx8orϵlaiLϳݭLͪ x}HȦ_ j߉.G"rt4,8ֱtQ oXRK*MbgpaՇ/Yrn^~_$`WI)FEPa`HRS=)-ޣYG ʸHǐSy3u=Jtw'6.9i )0s0q'iQgPSdŵoF1V|ރþ 磏 Pr#$RZR7@K  ^u=ZKZΰSmAq4*n-  H5l6>4l ן!b Iuw>_Lt8sAȝ@ AL±ԍ+/C)Җ6)uQ6S;R9ynXEYho6S)wnucs+Ox3yvT)p5QQq S^~Ũ$ }C$X[2SIv~lsB+gP~eiX\/?XJGo&1Кهhbmhc |mATG4h5N,?776.2)چ)~)A7bvr#(QGCBO\-7;>$9+Niߞk܏E oƊFBJC%0+#]e"EJ.jDk?6yѫ BP./I}P QxxpMqN^ RNg6)DGǬ~@Gp}B6RnB ]Sb7Cya.IT mH̃6zEv_%DT\r`uO6߶!1za鿾6ʹǧEIw7٩-(B[C\1#m<~m*h)̅p\78zKL֢jnXAx'x2 i dI%jXAl(X8\'vwLv<,fnfi/V)RI]f{>f:ta]1Dq:dj}a ƨsk쀄݋!^iFy0@iLLS]i@*$q2H 6N3 *fݸlre#UjÒ"cZa \O[ҹ_uB;y wNU@m3$x3v&u+z/(dv/8r‚a^I/_e{Q<*"){/V_KR2; r"N֛0N#O_A;/> &o >P-ңza0Egb RiBDuϜᚆ  aytmItxt{mL991*{46g08 xgauxMpgXkrgG"-Ċ(G#nTx^O0>` :k40%u vjXv Zw)qjӽ,Oi?d 'BeCSp\ Um*J!e ո[`Jn"C;𼾜YtnCrԑv6i;|gzc)K3G*0zFՐW\D?i9ӣw?c#?e1`K@ ;F>B@}3X '+OB+Jw34THڼn +],DNfp@e#qgB$e!Fk6WR: C.F>Hyn,Vo ]ݎ?`Df).Pn}T+q-FY3k}mb Gua$l>Lm!&/l@`)}\`fϟКo  U.{ڲȻ ;Jh(v=.90֨(l C/&m#\"8;amlUY̻TIU-us ?Ȃz|-W ~^Z$Xgc V Ysr8MA Ԙm  T!?]*a~/PA0ڌwy" h‘j_#;-:UNH/cxAr8shƱ\ĕ|RRЭtx tN0@@rg1Gs/@օP q;KX#Hwwp{Eaid98[EWlPXY#*jy7%9C\v4sg1=N-RA,2Eaŋ4ɽQD%Ѱ{_RɊyL$i t}uRlFbWӜ0V-N.n\ۉRZNf"@ |kB:'|ߵ>M0b_w7RL[M$휢K,}AŭD c3+Gο S+rsJO[~񙖙1ɲT c "$4v5ԽaB cDӸa r$er_~Ɩѕ4roF5}9 Ћ| FS+*.ͿĞa7ȱm̿JsZOSʰ݌a/m[K9,.ZCbA g8"E5 SXæ ʜ09_ؒ0 ~9KVZ njg;JU-j{F, iZe1NMU*)+9w~V@h)9`._uE'ѡTj!~σ{PURn/p}FTD#'`>s30cB(aQ3ŖE@R­| dO;pE xǸ4hA.j`x" pl6UPJӬUgUz Ӏl˖">Q 'rDĥi RĢ"GρP d;2(W3lZ$7E=KiŸ'0+ԋɇպ1=þ U2յ,,~<|PҩI} wQlnHABJ!L #St@xa :Smێ Tz<¡-w M$|xVC\x~5 , h7 ]h^ Nc˦CѦw 'B#4΀1CԎ w@!nZ/v<2Ϥ6{MFPf_0IC3~i5kԩdQ, ٥ݱ a\9iC\H0›S T'bB )WǴŹIm{e5u\R`:t5Im pFSNF\OU4zjB`Oe6]O1RK[G5H/j?"'y _'#Lu4E&]S7_at83v=,%e#yF#[g_oZy !(! f&7͑4ž>Ԏx9XVkr{GVY`bᷩDv orp V\˜旽LZb(*AsuМ-feEY<!b%/XbeiM;am!&wj9/.PB&2 NRrPtIЍ1_r EHI~tQ½ve}Gͥ9└\J%M.n ?k[G\!Wsw Mq hX BMmD %ݹ#wHa&xtM_7fd,eb.ލ璘eMg\/UE%ǶjVh\-HVPp۽TXܗHb|)>`oҶ $RJSʝC{q.tveȈnsQּA[/@3zd4š^#h9H0Itэ 3K4m-E[pj,ު/V- bdJPVmͽLF!\rYLfk6((biBGf~OԵU<+Nn#_Wr2! Pk/ )ۿlgWD |"бI?H3a#Cp!Qn#;I[S7e~{{E{wynOeT0+i *5K B`; Nn ![mkǘ`O̟l(}KThfe"T1Ņ'LK"rt6qpq42ٽtbJ<2i|IɬQAm%eL}QVwHGpwqW3ߢ 31ՊÚ>J>J jV!}nv~`ԡ*:Fbjz_]j6<.3`:\{瀧w 7CANiZsؒ+!.&WU(c**"EIQgF w~4c[`AכIYUvkZn\%/htmŝ8" q [ɛ<1ȑx)N*xUw97@9 iI rYltݥ!J/ /D% Xj٤D@qiU`(*ç*b:C#Ӻ EۉrKeRP{?i2k~aE&6J|Kz; K$c>HCV&l[OFR%@B_Fd{,ɢ_q(ǰz b8LRs_#muT> d5f,dejzr rl-~!BӳK l)QPIvgO# E2 nΗ7aG0(5C}`Ib=ORP6;*-Be' {Ů y,!r^YjOT%R2Vr)A,Eǎ5LBy2D͠c.vmiW?yCnm}Ij s+γ("5mhHOqtzd.<WMoaӀ0]|?Ĩw9uHS9?cuAnØWSVQ&W3]'Ikb򧞯iя<-MįPen0"gO<N R2췏i2;àbʓ>$.=59$ QfΙ>Pwjv}+kH?k;;`"?[܊[D{ZׄjIT]0hKavJ`ʡ{?6]?\H-Q*2D6:%Ϫ9V݈@BtTąxz`Hi~~֌Ca`cI ƚ75hT+*Rm~Xz>-H4$S8;rUP P65k?NWw&@fF'M%6~Dݸw12өJDjiٚY\q&U2o^+$$PKD=:jUhYj^گ.7͹h m T b8Sc P|{F>ʫZ.9Hy{*Th0@Zƻo2Ky9(9.MDYg:o:Y=4$ !r'<~tfCBIfpڨWbNA@I#u~:LK)v.5%Wb# vb@Q'.8GҤ ]*,|3qÌS\0//4L[5Z7z"^S+"ij^G ~7! yI3"ԕФ:AsSynyMH#@Cam>81L2Couw^f$( j;.}ކS*RpUħ@@or -wNt3o"K=bgs4v|^=b%5{@֊1^)7%L ֡d3FL.Y|ٝ],ZȆ>x$dQ I5&ѷތ}0cueEJf֏u;4)G +FA9=*S@k M=&nQ Xl܍~Ր-* awl]ZtǠbs[A)Η(b(wE>udm ,! ߶f5}⧫7H)ɽbO{BӪ0Dc*3ة e7)~/B\x@7AԈ|R.mNOlRƞ%e/7b X"&,x_y*%W&zWlqF꾋sK@T,0lj0瞍m;6C`ȹãuf%T$ hȢk[4^رy3"8#^B+}o : LZ(S=|VMǶO)h^=dꊊ# h}- )ȭa.s:yg#aȀ "Kx|Y$ݕ&b.anAדvbN*;ЌT7AxP jOU5>/e#[rnmֶRO5jC4nWb»mr43H:&o D^Gm9n`Fc*rMH Qr-H8. a=\=~̜v(JczslhA*>'I?;<5vs_3"w}B˟`qdօȴt[k~qOHic>'-O$Ū7ruAt;5,ULU|C|:"/f޼ ]-gR̯Dt_N\JGHu#9!h^6Y1 9/ZM10%W| t ҊvkJr7=/!(H&V^}bl/8 JI3nzΰ 9 ϣ!V{N2Pgz KM)# 4#>6AntE.^ޞZ=5Q ʔ]r h :a뵄/-Dgw;1bhU]vD?̕1؅{By5#ň73o׊ogC jaw5\`5MrWXeW-@4qW9obDA8ы4FC7~L8 h7qJސCpr6Bně8TMb| ^T->J!$!L FðXH`tӒ$trfEZZ^%:DJ7Dc3<+KĐA\OrlܩX΄ZLW?N엽@p#,*rzݷ5-\M` gX`X^9H&2i݁ \fDKm i bۗs3qir.@dw*([GXxQkY \φu{=Xkɘ1 YrNSef>!mc/H*BB45 qE>Z]իtSFHE^1i&DLM-W)6Wӯ"m*Wj(|'9ʀ%j$/R)3#I\7,@_?;* #ap b{J p {AR]4ӱuFP l>ɖ:H58#BTp8y-2=W!6k!"uԠm~bp]cgiO^!]x>kd%~:,zDW~b.AzYfF5~z5\GݵMWQ^qĕHxo%#`*tPݭ?. ykxa̠/u!sSIcNYhD~k$ |26 <3b󩄃9:?i&Uڌ?:mPBe}a48"Nϋ`kZFe&gT2# Q:O!V#XTmHwJ+6V87_Yބ7w&ߪS sΈșxTi^5&#+{n4X_3lX A {x -x=AVlBFJN|,ҏm X;O9Ai0a=+8KFUASB B졣)ZۻԜ<WR+LlAK)=ҒV!  @1}dEȒ܉=.u B\ю1L }V뗅ajMvb'KۃYc;? F΃$0TSpEqa/ FL n96~P׺vI^MOUmZA]smH!Ҹx=;?C Yx~ؗ6w)VGn-Kr"8O;jH[B@gjP!lhQj/I2ڧ)xꔜl^dKy=NUk?k qp ņ/Sԡ Zp\U/2:X?cu_k4:9PlkoDm ,VeP4tߛfHGJ^rxX=de:_ZY}OŘ*k Aq#cfj8`Z;',A/ _83ZR8WҔp:CPP/xl󨸜R~%@ԡڋomȰ9ȑSդ<x N v #اO[Ww %kϬrl( d9~F<-t "*rQڪh^ƮsNgK,5d斨tRKbɂv|K*q>u>ޯap|lR'3s|S&"ׄf '0*F#zsةG- m drW}튻 S:IpZ@W]⠝vXN@V{+MR16bbZ٢u]m̕ԖeZ>>~WXFX(ꩯ?萏T*w;2[|D`k@qcRW {DJbnZ?'~f= Wrx O-V`t&UA+~I/%=KIMJ^n&R9Iݙ\DK{[~ m]`%M=/t$8j3v}ҮX ږ|qzuC|}q258w1XS jS;M$tm4XTOFc2laaT8&E.IgLˏ}^' 6O툁*SMb:9)\aGY1A]WbxبR>EٌAtPU8}P?K.TG%| Pֻ~Q a3L!Wlzx yBjǽ B /舺NXB HBzt%窨>yVR P{~KUO)6k?tRڵ!At%;<%/$[,[4,`aUwDM-/[(4`@=[ҺzXEuu/-<%ŵ]x otѥ+٘ǜI;]Vhco$U7Cj3<<[qs0ETxKV`k=rHl@nUhP+taΌ3h|?)o0ؖ1*F'ξ#5F/)"KF6P4 FG׏U$ 5wW2,:4XZRvr&PGA$$SA!TxO lnUz3/Eؿyf8*H%q?t $u{PN=6.rǶY m`AiܛRQzZ;'[b4w>Hd[HdS=oD4Ӡ,#׶wzo!AiDE 7va7b2$45q~̯7 ZeZTn.a]bTƄi`γC;["sn<.GհN͊ T*$mKtM=Y Q*GnNw1Ml񙹙`q;pd3wUVm+5mj35߭ij+E+ ~|rmAѮ4յ+4 6Op*.؁Ҹѕf$Id? !74FmQ<^,+M۔.yYͦo%#~iK:":~ v ЛaW@_3F$&e:bbaT 06.hYcN SstD ߠ֓U7ӷw͂ydkY݆yp}ǻZj'3Hof=#I}1eLn͚BBК񩍡2 VI -e?9!i qA#>2ߧ@⻏+(8iR*"yLԦm, MܲiOWZ#?VZE=끆 y35O`PCXa+U4 QxF,dȓ)=>k ׏7i.1=Iq$mi0wʥbP S5}n+q1B!E<*̵䏟vF`c6`V KqE㰑 ;*䰨q<;gIUL8]_2ٙE^'йp?| aĸ;7{?g¤.wPAHXs,du<1)c̸P6Łp Ǔ_ %@QcweDc_Xx$chKMl$[\ JG-X/. %GaVvL3 +z,pVЛ14A|!$}0PD\Q>NǍ#\aVXHW0nk98\Jz+N :[ZןݳKHl4f'KI=s 0waxZ m-P=Y(}cxʒ/QPol'L$ĤDr/Z [Z޵ÊiWO~IJt?aU_}ܟqf.Ҵ%ȫ0֦A@6i_'ܒk<488Ɖ8upIOt[]^VlF`9D sR0HݟXw;K%eOR+-E4"<_|IOPu&C,a U/EUD筰UjBM}Qvee}{GkkWpjZ? q ֺbXawDOݡu=<7S[KJ{Tg&:CwW:pn17gѳRg\ v6)ً0n2fInt7"7,q0ZI|yza“垩ܲ8dv,AN:&j@4!]ӱ=:Ͻ-|!lR?Gm4}5zKW?ZYP14Wp.cjOkxc~~P{gjmza"/+%.HJc·дPu\6?.S:(fқ^5x`Ʃmv qe( 4!FZt/U>UZt/vm",UrsuY7O(-S]!߫}AOw LH=!cؒ#+چDsFzq$@ 'pIDyC!υ`ng5`f$:6JԇI'83y,_z;1Ț9wǫ e*F?YA=CDg1c ,O-oLpbb0=aa}lh4 )H0yTAyıLuD ʄxk!p@lfsT?n()ѯP| 撳QINcz #\EkVS~S <.WZ|_TavLT 1 xZ |]LPz(.Oly/f$E:Bϊ,)H"p|ٱkҸ8ha԰`h #jdTf*0(QF1ܬ)C-c߅XFjO x puZ9Au>J JaC\ӢD=x]%ivAjA }F 3ox/',EI4mVcl[[x_<%x>swHJ?sV΁+pR'8ϐz l"?4ft38Xtj{NN/+[R#L+ K9nqnXo3?:~ËEh'Ѯ8 JXS՛.DڐFDLzvwD68fyXwhj"N =y,]̄KM3g}A,V|UM%Ny).lA^9^w'3/ ZG}jѝ|3lfZo' "M֊⦣ U_@{>n5UyK,,>vϵ|QJ3i5qG quZCEp9Q/c7?Odžx(46I"ėH"D)ҎH)`.0^#}"P1!HR{:5a`1J1k4Ѫk*U<5}E$6CQ23f}n[h0ǫ_0[E ~j Hgt|tp XF>pL:rHԾ /V~PuѯP(`))Teb\uiN1l(6sgwaai\K5YG;9.R;%;&å&op9VvƅY+YYˣ9U;g?f^,b2$A١+=*`\U3w X ZBt nK2`[{!0Q&Mdb y2Ɔ> WpV~z$[}ջTdD LΌ0u\'J8=`8^h\9F-gl-) 0s!2 $tF)gX63lKg՚ vSb0Qa5~TۍZ/5A/>9GȂ!L3%9k=SA^e?m֭q=Ky'Q}./_TrPB}x=ZBf[ě,*&˨!ɛǂ[]dh:9iEiG<T)a < Ne6 [3lVN !v. UpdYCnw'۪>A!}ӣUC@_4цmmw'5"(@*.:qqp%cT>zC 5ށe,5s6G|hUa;Rv7t c'T|G"ǵ7B]c< sgM_ا"-YǶj{‹3K*Gj|>hHx@e-Ki_iS3*sq+`ͧvWidMr;Dci9OrrC1\t ،>BW[k5O"vV l(Qo!/2KׄMO@1|t[[|r/'s5Czr ,S[ʞE@dzwRơ{ޤU2`&݆#q*NFgE)wƒ`@]cNd<AginZWjyd ;'ORݻL0MAH~Z-K腦Wp*A̗]>ڑ^muxS٧E`i%Аi=Ҙ`3ƚLjPq6Q~;c#XxJ}K}@p6@2.,瘶ӿ$K&aUlfzT+|Օ/HTF胱ܺq0sn]z,^nl7+\?RBYI剱c6qeljɪ{TU^y䶞houi|(TWܮLsΙ!;ߔ5.yW_. Civiəgkk$ Kmqujyuz\/3[ JjC]Z'Tg1v2ra'G$'ת&mX.&^3Kr Sm6Fw",$E7V>3X u2oW>߆kH0[63*x. l|= M0 ~d-:%mrjJ :ljXf1fJ?U`L.ڂC:;] RW䡙bj5 2+Nn< Eg;p~ gҷ!~&PP{e'_ɘё_r &t\1?ÝY_G ٍ:rAIb֞9=ZSH#]h\??dZ|M4!Q- %x !y4:߻t p6ⶦvfAԶu.,65о`Gݠ@ tzjhO,|V^iR#bԶ8=k]XCnýc)T8^'㌎i_u@G S6#1fFE1R2R qtڝ-Qys4MǕٻ}kZ}x;ne*rj!Wg^Fw31I+<*e@?ա&?Ê1xvLO.dw"'seciW654FAfDx_} `3ޛkk9663F%?C a# tK8_U}-#]Tu}9`S2q]ف"hVI󢻜xyڻdpÊ>I7(*ӥt2~x'+MnE}TY 'θ"빈}Gatre:*~)vPfx{z;6Ln"ʉnI]lQޒ`vQdc@GYLqkjK2d*52_P!߸&5Scr[0v|}Z|k65nX*TxȡK9#ኦ A '(o d.݅cr m#B~鹇EJ?ޗқL'0yW%|xr EO @N`k_Ҩa!JFKW]nwguL lM 46a)o~ƍ_"Vu=.S@)U֔h:бCH VR(RKJtdM~jMХzh:Q{ǭ98}˙wGJΥ_jcbmOIY&=b.)2Pgzў;63RʞX4L]oL-l5^l"1[E=<"45y͞|sdh]6pR),b9;yʤ)p7[%'{&hi2cJ+(jp?;qwI^)vha2QQU¦k0s!tIzf,Ԥj~w[h=.*:蔚}*!@uD%^k\Wm wQpvu 6$.:w;z%XG6f?BEUf " baXq]d>`;ȹKjBJK,ry[d;ʅߗ,-~T"vL%O225't9rK*E%c*PGc1H߻Vc^a(A*}j8><3/cA4eGݙ29ɬ9 #']L0ԋsrFLj_oshԥ$UI?M p+j0}iѷNάy'-ijFCkQ:l3ܣ4j.C|>jKvUv斷9#&#\J]mZE[b9x:n!5:>ތD&'+>S.$ Ԕ4(S geFMV]|0h%ŧ\b!i,j%{|PtRß+Z֣=YDbM>إ+ti~q&S{bC0,Fm+(-TvMAQ67EFgYa-&u. '(0+uPбPDzIqgOer9SퟔGl8{2Bm?{Tfv {jUZ,Cշx]bZ,]ôw` Ăɇ5*mg^ވ/F!~t7[r<9öb3פo|Yde8 :D;cpWݻrjS9qXPI1(^N3*Iae-[&z:f2ISZbsq V\ MP _X :gd#CɬZh_BZ@3/+?g^ÁADn0tt(@cw(#B*О+glΜ߂BY+&`G2rJwnpNͷ?#Sz3 uϼLfm(hyLleB!W]PhoCtt<ǤQpaUR\1C$"ܾ̀FW<,3@*.Y /c0Mp=L0%ҭ>7h%k67%Q"_#A5$0Uv"~)6 oX{}#>5Zhu+ s)IZ_J ceu{5\;QOu]!Cr|aNQ ;%}5\l7g$ !o?$O^xҬvo,i lTYr2}:fc(j: V]E;vx7#V$nЀzA}$oJƑuY_ : m;u/yدĕ0\Z(7~UsZRsNXBe?|;"TFq؁GD]W9xv35 Y%>` JZ`=OHk|k<}mF1_6LazkQ ȩɒ pUNjAN^kqROFO>4uqv]Br9H+(!et;HDm,CcpXD_h4/CvRt l> [4訐TMQh)gCv<?$}h.~ …k/4qW-m[fqo6BAԈ#StjiߜdK2e ЈꋆQCb$zbھ[3\@Hn}5$zI 6q%8\Z&0Jg{/8>/<  [zv.E?ʤ$Wv6TN%Ŝ̆yh!ؚYQ:9 }F?=s ? H][ vU_ԺQsW[ 2J|V̑B) Gzu40t 5t sV<4%3 dl#`"h˂đfя5Uʧ-yc s_B'VnjښWy ykZWʕ~ FHՕ@>e|Lpж끝`!2D`NDG?3gZ9۸.Rp+'J3]$JdJjdg7\jDN# GT+yRmf1Sw|RqX<+{LϬJue1BJg &y )&}p{m';vqR|C@DU(-{&Rp8}Cس( 2i΂6_ѓ;]UO3BS@q%)9:zv;ex *0rW=ĊǠV, mJb 6HE9f7h&d,R>1$UbHcUbI/ZB2&ea"3470J3ئAߘNjyY%F(Y7~a6܄?0#F +uAo)1S;'@qɟ q 7̖?UK,0gJ+lxJzik${\ј)]`CѻrX\^蚵@K+"JQe卒gFµD&j&Xv!x$2VPKn˳&hABf%Y~J1&PCyI5BYOclϩĄ'-ʆr*4 Ȏp'vT ^fڂjr}HK-i˹[ eԾɂ?xē(w  zţ7(pvhO?*ƷjxE (#.2kYN쫡Wx6#s/^b̯~6A<齟JUZ MBW|g5Y`[&7Π!90*A>'CÏ \`qVFQEH{Nz~9x~I $Dġ0MXuJuD^Z RkS`-;az!WVUIun&ew|wa]JԋbuRDCOߍꪃZdx_6˜¨-#45)ն Lrxw|hn.ʷ xߟ7WN?YXorOAu|' ;#G=VHiC=D@D89P[S[&0R/4 cVrJs|:+eHe$-"j (hznDߔ{ҴXQjz=c\8M6[kw :}!jt@Ls)3v b2TJ;e !ĝ)sĺ{r ",nJ.KF0ˋ(X Iq#4O7Q/~}fXu fYfj\EHIfxet 86qo`e1|QjS+x.w? HKİyt {Kp2*ڧR!HQQy *)j.gϊ][E[NN!V҇.l޿|{$$aȾqۉ஌' Kٸz* E/Y/WV4R:^~L3^&)o]tQTo*yzϴ)B)-z; ETɸy f =99()TEI-=qV\lkuT:QLQ8aDA>Vi\3gB# 'frzʆ#2TifPb'ΤDU6,M.ȵrn"g,9tbc8,=¿/cKˎzH* %$p#*kW ޛ%?aA d A_]cёm7ZToLt_rI'`618iXُ^ֵ:*:094yi5Kuɸwm$y29͢\!ՅdR޽Ӌq 0eʺUVҞ&\iIPp-"MI/"]qZޯB>5e$2ˊD8aAqiyD}?i@-7qnT ?~8T4 ~.炁%Ka]R,wm;6Hx$mɩ:f1%+@N[,X3@9Kp$ٶ .q=M?K@X22oD\h (EڡeTU'E<[.'{ai \y-DPNV}J-5H6g*d 6W7POMSItV⿋O c}QRZkޓPv]Uzo+ƣJW&RYg_,Oa zY_dA< e!$X9%Xx8TBw=HXJ;d%m~Fv @M)F>o28dȓ(} Cu3C1 ,Ct6bv gZc9נZ~02hn2и'I?W 51◟/Vy}4/ STW؎C$>G9P 9t:|,E] ]^ 9gF|J",aTQP"5 4mQ2HS.hf!orMh(j"Ic0h#ĴY7_vn/qY)x?1̣20sqdO-,`J`TR$:w 3=Y%07sC6Yd4ʞwf( rY|n(%x&C@_DmbY_K!aޫ ι˯S W8Va?O'/!Â*Ҽe>F;BIwRdx׌)/j]E/?>Az$u6H;.Bm**D9d$ RA[O]uX%p%~_$B6Թ߭aHKO+TCsJk\ʞ, a%{VI—x兌;dcpwۅYhq\:QG+-N~ - =Ұ}yޫ(']qh#|F(=X"A<4CWc s}#w['JV1`w qlnЧ\=ǜk8v9AboCN^р^B3ia,E d9Mr==ɳmjYfć#$=si#JsPj^ VЍ3TsׁKdfՊM|d?1i%#ZCS^Zp^LeE4 [7zϠQN , *շ)H <:mIU_%-bxBƥ4#Z|L]O\\E*0~k`K%+ue4}{PC9}q(JA=Jyw>cQX"1HL dܿ}!0PNܽ tZ09klysńtZc:^VAYMZQtJ>㣎֎ 6+:l9lFӸӁTWK J!wA)a޸o`*G iz.n~'V5=y"\9ʖo@wuGhH.H˔&J]KtH/G ';;_ 1FY'n}9ЭC$D`;p5QVk4Z/&OC IkKucYq+,uiUanr\|Mڝ0O՟\J% Q*e^Q^ 4n![rV(?zKCt%1Ғ+‹ ZU RSSHm>}2h@4 G[@T.Vs}rA#yWHQ$]'<:Ggp4 ܓvj= v<P}^˥iȘ1;]BzOۈ T][ 9]Iگz-&@Om<ɘw2~p]xG!;;l˼]-w۩pf*i J\@\u񨥆|jO[IgX:iE죒GU#2M$LFaias2xR(1$ՙnD*fﰠ8U^.53T0ŘU*2{n+˱JK,Y-\_8?0aXprƉCW D#}U%OevgF`N糵Cc3qk!P]k`%]<1 "4&PBp8(pw(HߣLA7[BߑvDQUw}P: W剨n{Q]k9Qqb 'SH1Kʉy8^EI5ۨވ&Dv.W+Y*n)#Юf ^]岲vT| O 1b=MmI:iF1NO[jU`k૮pg ,DJ)E4#r_X lgdtPd=&Zfk0ҘP^mxu^sɂ =tl8Gr' Nκ,%XnYPGqU08iGqf&ĥOf*ΦPc=؃$e('4kdϽuzJ~Gk`\~+%[ "<)vם2YRז)VYb ڸ`(9ﻫ,#w, (!aˠFK"i'^Y|'CVf К[,+ X[, !m流~#5#cۏB"9^r`Zϼm!YkU @Pg鯖c˲Z0z&sPq R"guR+ :p5RGqr]_5/J\dI`%FS5J w)|P. g+0$?1Ų8ePf9JeVG7)b m2LӬV3:\ Z;Ho *^N7/fЇgv& q nLn8^eui1+Dƒ[:ȸd8W鼈'UfJ>fD:`ށGgUU^#\i8sv`% yq3zĂINHeHd ÿۨ7I)ߨߎX%n,bPzO.?/ަBG|)+TiVM{-/S?Hg9k #|Q s9,)N߁=T# `$Տ`Du[)Knz]t;@t i\BZ(H55)o-4R Ju"En a(J , WcniKBR_phEϏ)p 7n\1D)2 -NcH$l+V2]OT=ٸ^QqґZw{ŇU4 ?jv@[{)>}(ظ`AŭO=Ch;1g axWϋ%Z=,1Z _.,t{x]jTFÛcj!-i+Y ٗ0vW =U^  AP9 T^_sT.^?QDuXn.ubZLGeG^WC̸∘! XQwMpYuy)yo(et~L=hG'oK)G.C`O^?qˢ~neG4FCg=-k]PN95)P͔GBaIfW˕ɰ&?"pĺ {sA;VJ},l_p3FnmAܹ<Kҿ?\Ozx1MBԫ{Fnp`^{(Z(B d6m8VX}pGft&x@_ƊtťGVUi`"'|aVA&ھqZl(7:#;=u_Wd j1"bgi㵬X?=Mٰy+]kЙZǷz) c7Dݒc07茤5`U_M& e+W=(SДޠyvs9K x2Jٽk_SA h&1"57/I.(^+G+bͧ8Hyw|eMNaXRE0ԯ> !ϫMNU2qb_]ˢ9u뜗RPPjB%j( ̈joa`[}bqII˓ϲӒ(s/+Eⵔ-!E[*Śg6s0R2'pM/ ִ56g9~,7G.uEɴHqHkf3OZر~eaQ$stitBa_aXČ A]kлnb_?F[`t62םf x\_vE6 w[.)@8P4}5AP%p6OJT6e|G3?S8,Qm )D-.4aܑBf RfK=6Jh,~(t.k5mE(2o|`;C|WQ.l]A)z3%דT`n_?4G~ ӣPar$C7h"XkT=8l̓;$]p8b]b? k8zZi?v5%w{JMc;;hhXSؽ)k3u%k378|nlS2IN::*] |3E?+riAozMZB(V17{`hJ!XS$v.-r7?In():e] ~X}2W9HFD5o>.> AX"Sf Wg V>zhSiVc2M<&Q`:>k&Ԩ mx\{^&\ls~pld *-ĭMKNYXUx#v /@˟^cgR% åFtAa*4r0JdۈY*ܚe#/W, L7L038(_Gl9vΜ*[]$-N9]/\6/'$ޙ3<âl;]@ɵ?{PzyUpΨʃ&=HtX䣚+\<~| L Q0yHz̸!FtiͼmPESӓ.Ul6ls0_/*˜ޥ8RYgX72WXnb_?{ͤ}wdNe [ą{,[#kAGw Lf@.j:OڇEKMq/ Dk5&5* {C~ 3F07K(lļx:nɣRvA=,j6OSţ4i2Qo?>L,xW*>j@_8!eUk-:)ڑ{+P=HqZ<Ɨ$ZE2[YZxy0cP@I~<]$ h+b(g+}2,u~/~ހ|k$L8!97,"i89P8:@PøiR"kRjO*lkM?p,#|^lx&?ͮLYO+yƯ6eoJc툟5e)$ÁtLI:ybHeK3&#fElATZbvdl2JH9~(N~7Yu]uis<`rXXܤO%Q]QmP3~\ Ɏ4EݾTfE ]sA$(43,x&h<Ұ's xT[/H INc V]z>EE~gBP"󲈨Vk;7ͬːLŒ6+%c BRW":пSEO"Q~8_b$t=kYa\g?/j/,>&x9,}Gv[fxYf7K1b_g(2QRPY'pM0Kgt?묅Y\W;75v'=~1$}dL< ƅ._6 RUS!!rIՑW_(CcK{̦$Z3\JzCE> ΋$tjnvr_Cp|P 10vՁgf&n$hK>&ȘCTR(讗eK2@\3hCz}{!'q'9a6`&AL CGL78Lw4 J&@cNc 7WKwkt9E1dE(Z ũKfխYek2i,4GvG`Zla:HaEZ4лZe@ tkÑg9)2!!ЙbL0- @ Lg".bؔ^^aRu0vSMM||kLGY~)&yw@\FH=اz1_}}2G Hy$`ؒ63M+ȋᅭ%INhc(ƻ(Sj2le!*[M_#Bzn%T,XK'|K#fhk]`J)Va9p_Y}o)IUQWrU-rSܻ%BM"3\& k9z) ou⪚2dͿj r2J q@Q\\\Vc[+5@Vd;2-X5vW=q#An`in\tY!)dwze޹)W~"=U c]7: kw }+}mA'AciaINf.mדT/1$HqZ~buYO*FglF6lhP;%(u7yTPHɻ#E7ӽ0v7 &"j{D&%#7Tػ"vbutC f2atbn441 pD٨sip+&%+l"j]H1:.@D68L ~"G+*tᖫmlfWz,+Դity&\'nyΣ_+R2yY ,jw~FS44yRޯ̵=59ypJ&; 1PѣhdS0vHOy(}P׭FBra:AoPy$>Y{b^堚Ne֛QĺlR_:^GwЫn v ivQjP9`5$=ynk9 l!lEfd<_qYD6Tv EVUZ@AD{3Z] k-{y8_`y<áMTtȇI(ަ&}`5üV =Q ֢6p H)>߇>ҙR IumyH0 ,hӼORa?['=MGZ,>Z o%!L3hd9$ev5PO(㛭c&VˑJ6 Kv% |'y [/'@~D9frlΩ>VRmb*ԓY[EzE4up8C,ω|R \ q8N= *;6sc[q)27 1<W)DO9/ mwą̝J :v>.pI!a3=~ tޙwQ9VMc͝zI_0) P@p{#!B^3k<̶iڽtfy6ժNAB,.ɦ=:h/JWI=LE3r =N8ܽ:NU/-I#BMU#EP?.j ZHsp~A VShk'!ڛ ǥ.6sBQd]I_>)p߁3a @9V/P"~Y$($oZken`1td#{ytl[}:[t=[4쿊XHlL\|N8*yP ð.bFzZ\Y]%Q쯶o.xsrcEWJKE:+۶G+goYi)?yT+NuUZ0SzdnW4p;{#'T`%qrOz[Gk6nI_&Du'II,R*4RݶA0]Cֶljh. *m^B+8K(g_*Ǧ&Yam!hdHGpNXNl#,VpǯNp"*;>$t \=tg (aL&X?%MɄy JS#zÈLvs 1l,,Uś0ճ4{XSӠ!&%^lIjP[Y ih_p ~[z^ Ib@d2a|iyf0߀nՊ2V`}sn9H˲|%!6 C2R)P>EQ"6iQ(a`ʗq#qCu>C;2n KL8Dj]ɷ drIV>:%Q_^fk~ o_ayu@MpG@ȏNK[1S/F>r]KR3dj1˾)f9#.+u'?(UMz>[K1<`AvMtϥ$x:Eg<84nCb&?w3L;:o$!6f.I ٢j;!zcve>@ٔ.mMK(dVǞHճ'I*x+G'nH Mi @nwp9{lW%\j`Xc:E'K:vVtKt=vsDx "Eh Uhl8,8դlba-dk%×ET.tnVp41{VPΦѨ]Kysa\(I,GFŻ]4 եŝ#s"5 [=|@bEY85:(,-^ JWf\-zn_#.@CSkrKx^A~xONs6/ۢ*ƾ[ŕm>0dXrPcEi}I!3p7+&h*fmHu)J]桜P^U֘}a14UYUnzᖠⵝ ܕ+?Ur_h{9޾wgh/~`DHX&&Hz=D~7g{D,yVW~" t"co 4~x c,e|*(rbWbx]!BRsq&DS> Anج㸗wHɹ}xV(?}Nx_%H,3 srŸUwB\['l{+ G&kp/cɘǽ'R$Ia  gп{9Svz .vCknm],./wC߷Kc#>QІ#AO>&45&Nج~(@α\h?/: :G`n˰…p/"}Jxr*%|/!hZJhj*=V/RN87Qw!_|̼Y16f Ѝ.{+7Ŵg =M= 3[w#V=*UwLu&Vڶ͎ .®c>(q"q6q>#4󙰌(9) لjv74詗u1&.{Q*71TIc$oiquй:D/k57oUv[Ta$U:$F%C0OP$ Θx2Zs n#e%BZ[igb;D3"Ay82Ryx 3+X&:?Ȁ-Q?ǚ~LL&R'a- W*Ug d"$'{E$U6W>0Z\/DQJ;܇TAB~)[CE7mn+#*2z`=)S&T`XtP Q/s1J修nB`i?'$?th2[*b/61t\ь^z- aK_;9U%~8^s|䀩yΨְn@ C.`vVL7>q#Аiރ*B1PwҠ.m;5FmNrět+ #!3Nj9ᆁ8`J3Կ E?@QQ EZhI(4xesbFO(x~Jzd!Z$Xf9*&+QV#\q_c:d (=GD>;҂JhK@o >~\3G1pzU5GٌؤQ} ,5369tozEw8/嘮N,ےF*E)b .DTa&a>M#Ԛ Ah#ݳr.PFmk7g~Poxĺewie*47EꬌInJo}ӱŨwK~ߨ}a& 3.6K:6x#^KZ#_Y#R v[ʀ =p+Rڂt-0&c7G- ﻋB4"A PPAcS4jUp 9F%jUFC NC9K7n|=oPSpݍ3 )tZ+qB]s&Vl +O0%Ʌ}Xm6=]NpݢUg =cGyur~<Lzˑy&uG~6AB]!U g6D|_urp]ҙk3ƾU*:}{X_ /d!e=/$nMǛ)LlX [$DI<`".2x߳s _1j\-4~Rn{ǤtRGF-*-~fj.F9eJl"34Rf`on[ q8x/EIx4u(Riv'E-56ώi~}OL6Nv=a.XPe*HڔՕs/=%0Wҿ~ԃ; ,7׾p nKq2i9/n'8*#<0;+e`y}ӢuGY쏗y*jIZF& F,Q٪n+UV,MK^f,LGR s4/}E:e퇐2p9JЅ0E1~%ƭ@%iEҩu TqM/OSJpuwgBxZA##3(yaľ ީr. XD~eqt/pXf^߱L;a*9hoۇx߈?wEn/KĈe6>NhL{z; CnlB;"0>t@f$"}VSzc ;!o)`oT%]v6;Q]h&`&Ꭓ[ CS\;f"s7h#4@41R0/qwm?( `x}4bͧ Q,J/kHL gEbF%!SrWě~lnfDvw[1-r5+shL5Nfȟ c\R3Tij)M#- R힎o#W0yt)UW*s!SM|TߘkhǹDO(S<{ wgQI2޽ifBxϡz|t:7h䡘-YZI`rW@soqDsleC L+! OVBWӘIu;8j\X>U$,;58?5*HÖqY"Mclx\L|rĬZa*Wk-3V zLj`֏eØG\:aPus"A-F{q6AUlŬ/U4ڜgR**5z 7LC>QٰhF! [f(ݷ 9zSJ3@EHD_Y0E7p-?iy3 @.:拀=+YL|#֠ǚz>os KMaj1(2 ob_5Z2 @*Хu&:{#ҋ7'PqCÙK2&>99QG,@#i+T@v7j|++RhҺKw0 i?o`>*5KLYj/5#gK7+7CU-}#5[nI3ň2יrI0 &e÷u\)#'I_%ɵtTոI6XVCTCr3^ lVՀK0'>ȿJ@6%!g^K&7;I3ƪYqal%:G+։*]c~ULhNw:J6$o}Ok{d^X)EDWH%o|`B0V&}!y)~k MexI_Q./X#ovJZ)BY{Y0nuirMG[`` .غD6Cnx2"s1 UcIO.rURywݾ_3_]˷y~W~C3!<}zopg/z^nɉyix,ii2`O5e%/gU\/ױ]JaP̓Ju_@k[ul .#3^ISo05p*Neha~V}G=[5@^=Mrd55Z<]2A*eճzi/`J?I99Ӌ&`$cTx1/O7^S,RuY:6W|/_89÷Y\On[v &ݦ/,EjnRx]@ۅQgGRۨp,ltִMoV,e ̈>ilDY?[g:IX%I3Q,VV?B\H~7Δ=}&-/;!LG jyE=]&_ITJeV@r~rAaY轉$\EJ0l"aD\.kM-?UG O;,G`Y%Z {sW͜Lb[ x5fv=D5}rkY*c(&ըq% KyX<0mc}Dbv5XvҾ_مꄎ=<"mN}\?9eID?oІ J=4S}ՀGHjyޕGUr볙)w2ʪj61[ΞQ5.ei?3C'32+m.7N+&MkJhM]@<~>}FƧ0Trj;c̰)֥-1R5"rԱWTH9D R_Sݯ~6;"iU2p ]-͕p~9i:^{#{QR>HF` <ɢ/Y4^l%G.Uf!2UP/ xˤ# J^01@d).ǫ (8A/٢ p4(WI8d=?%SwD@;;dݻ#AcXdتCkiP;p{g tdfIuF7A|[& ,&# qЍ-[Jaa`Ш'Ў~E+h*ibJSҬ{U9vF:0.jC:}_Y| ,>@i؈U|ImI̯%ԺЋ!:< )CHiKAz~ U.[&$-/xDvǡT%gxJ柸9F8ϥ$4dY>n:!)k™N!crHoc|2-$kx^TDB'/b #$#4c$ &@gEim3/Ym8_X +^[Pn|ڃ=%Jڣ伓1D>Lʧ17{JrD $uC^qۀE[c}D-V(4(iÒnrH}e V]Q׷^{`YԆ?u d*PM7BM>~tn?dI3`Z}Afxz4Kq4S=h\PWj|v=P~FB_z8r9R}_h>4?ԈqT\ގߢзāVӻl8EcMNe%P Ō,QExAnXxa7mbvW3 Sn!WJm.bwT xF'z(RE @zwz( O] tJ@=_0[!?m+w)+?S&trrLs[ Y\Fء`gtB_ @@Ǘ+ Z^A j$}o\APg0b(YѰN=5^U%DZ*!zU*||*DēXSɶn%9;.M4`% X \grW5u 4/sgԈEAWZ:8ȁǰw#:^E {ps_U#_hW,L ̚Y91q3|(^o\7DN[t~9[eJc GL] i.L8 nXvE 6wȮ dbR?%5\Y3cHVnCS}+uą̀}fN@0EY/A]|?NJx]aJ0MluF\Jp골fGsgO&y' $ao\oQ6jp`1$ "[˿HR^欎sD kQR;+5j."5PlC8@Pf/7 d `f42eA`eIq×Vxsc- Jd!9ΤCKhDt[^#0;W/Xm|9CN"b'I7%kP`qӍph&MƒL@-!cG m[{:=Cڙ?2,qny,-fFt=`V*ƽQ44=na}0yJ1֋5Uifk>6Ä)i/HW.(䮴pcZGt`SÔ˴YSW?tusm'Se7z<6!|E.85@qWO.dH\rj5٫3kJG~st '@" CvN[;2&rT} mjy@ձUc /w@m96w?`8m9ryk'ѻ7_!2:*9ݱZŝ l%ƅjC5 2eTcߨ 1X/PJ4*ez ,za5Ok& Fa4W,2r\;*ëd-[䰈@ 83,<IM syUPoRڌaDp3# AHMJ,꛽]VQ`(nN;l 1VS%B[-ZNH]bt2. qRb9A<ʦg>H |Pʨ oQmMbB !dc_ :2Vo9E7j'F^d4k]0N/clOAo6di>aMk*4j8 ݂xvFalZ4o޵ 6U>0@Y;nU n ݷ*E.tY,AYy"'K݊lB: -Ri' h!f5I> s!Mgÿ/`]H?T}(}:vÄ9eDk_J8[Q(o_k.Z~xzuΫkJ7]iض{KNm{vxh*&'<&]Ћ~}:%sa!XD|h ѰHkqLg‚TK)5Ky$bwOu}"ޛO#F*f 04dG)rWw&ۏܒՎ&T󅍀@|x 'iZDɌ[&{F}}or\Y'Ai메~l0\=l ͦ(7bQ?jq=x!>&4̘4k4 %D!N[3H$1o}:=*koy1`ɂGaG]l;ӱVwVѕ2xO`L1'%hwm7%35hBRJ´e*Ÿ}½ۏ~Jqm.=Z="kBdۯo7`.}/IVF)R; _+8thbe_]-fPB=B&9I`{ ~nE `c^R6VKo.vnomAd ZגQn g[%cr ̯71k˙9Ri>"*nOr> qs;Eڒa1AL {XKz"AQp{THXf7m_aN$$[ǿ+^aYvT/?*,T>Dws}t_5imDzS;% nwk5ƀ)΅( *vBSHGo:F PPO鮓GnB3/v{1DN"q;wiׂ k&e K X,&<GXyWPFq,, ?CM 8py7b1/ȘdŚ pԋjBJߋ/ƋZxwuES U/wfKE{/+׾lx Ҟ=͟[&DLrn!goP$:5B^C%T&vہ^)S?*TQg-[UxGy:lmX`w{{)Y`{ fq;,/~z0oOj _ciUWa?(ww.\SѲ3g==vf01G&ui\Y*D4y:Lo/,}2 u|Y e|u"N{corrX=bg<hW?_cn74 M1 1I4ͶC" Qkj#4lWP;LDƫkg#QF,$aIMO +@+ؐ $R9-L9.J-lPm=>\&J@=<U.^egl(Um$Ni!b!8) :j.^z'DS#[)@h'aC?5 d3Cq+=gwo d =S51pl F._ʣqtAlmk)EV{R14X%'N&&/r߹9ӕ2BEh`Maȓ2*+XBd$8&g EbH3)cч[bu81Q(?<-$^b]qaCiNh;)2t6Lj~z~Zr(ZUP+o"r45M}â0r=U^:1_Mv;G#eYaᡘ}^p|Cu˴֎R҉@;gݠk9>'-uF#\iJS800 ^T_&q,iwRk=mʿXF tr7Le1G Z1Gl 5 EvJСQ=hPEm VݱbB;MUWZ3_hu( 𿧃l3[2~y?C,0PG>L a93iC{ |̉CgYly Dca'rcP,2˛ds=8l\ gA>P9,ns{cۤIzyGMPX1/%. VZ0lh;VQJ>0)9 YGN!Kf+3E (S^ A3U9FsK3X|:$aAў%I.]b L)(^!:z7Ħ1W6]Ӽ&ɾOTC2Ps[,pw\Zq("K % .$Fow:OjOvi+ ='$J[#+Q~f 70sȹM:crC\+iT] @OOR)r $" d*F)f d{9혞F<ͅ}1%93ZkKh@+n&y2GRhz>ʝv#gz!2kh~Ds)A,5t>TE GX K|t(dbb]!xcR'lN) jv3d7FD0]$B27a~%uHM2]a9TJ`_5_) Tq)Y9"Oh!!u'm*g{Ng>"j𸲎8F@BB Z+ѐ#i0$8[D5U1&zt׆lHYh}嫍L;>t7\h#@A.0M|3ğ!ujQcS$WsUzr͔[r 5"' 3r;Εd3I_Pl5e*t-8n<AvQ|~ uN=JPn% 5jYs"'1x*}8ǼMm=pǀ 0߸U'-v(sS%$M{Q5}Y\s'8_0Rk3$Rn9pt1B "J Fl^qzޢAy<3gK.Y>>xVcÊDKDO=~ {$(a'ב(@]}HTZ {׈)h'Wi(c ȘKD)C)Reip#2.#[γ+Txk*M$uAIKsKɶYTK9`nc2VU$3oЊQDY~mt4͉b,*JM[5'[$a㪊BQa- ]P]zG kVZV,.acPú RG#n;ظZp.X{T|3DG>`n9UQK$4Igb HNe-Qq #=cc GQ'<"=16?Qjbyy I~oK@+<0+Q[5"bsMLgױh )שZ0HPÅMLhPX\iM-3)dQT m3VW^tEv{nB:2Q~( y7s<ѩ.(d6a"1SCTg~|);Mv"2LrO:1Z$=Q5饖~0/Fz ?g4/v-"_ysDh!!*pA{ْ)MĽޛ_!T9rҕyrg&G;O `!W̬ч쫁rlnl{#x̐UN3%/5 wOZhjx8k/%=uӌ|;8^ BheJs*u$̄fnvl _'/1]AkLWA?RHCy媓:){`g4= XB>2$c9a {l< /餽 ^c~#`R|IjS+X1Cp,0vM`J&]Q0Vmde n}6sj }0,HͥDYy[ )?]%"aՇԔbbTG3vv^&4{^txW?'fvCC{Q?qu5g#PÑ85xZ땠L E=zM CWl3s]:G^W6ٮ+I.p8E}<7hBĶGO=z&ZTⴱQM(v7c/HqpD*%9 x"jby̦e\˼/ 5 i _g*}aQ;%`V=64(tyj@8r uK>|J/CXQI­|ݽ`;d܇ynt,\|v?T ї5/N1{cG2r+`Q.E&p+fX1r@~4n`ѫުN`z˅DzN~Z*m ? 1x(,@E0ikN]cCJ 7X\.ٻUs&|' =-kwڈg;U08ԟ+}nV΅Z:{-1*sL g2g.92hFO`lwY&jur:jH4sE*/״:{6./.#d`8Rrף2MhU.&֚^ UM*3°!{>ʶ= 'ˏ!L0ɑ'Mk>껥{l;=| (GLilJ]%ʨ3D(Ͷ##O*0|}gvCy"@V C9v!q!ZQ P o$ŬF2i h$%F ~cM}$``~14c>, `K?D__|ě/a#/@Y{c0tvi^쿜3x:ȉ}GDgwBz*zS'*`ߢ@5V6O@N i0)Jo W?448aݽdֶPU%\n[[S9+*S*D2@ ٬I <Ԙ^&Qҩ˓tQYI֨'j.bZJ&i>}`'w!I3]B1&@Z>ju ;T2N;OA`V'N RH'Q \sÛ."SϨ<>3rVPeͺ|x5r xCc'{3^gGMDM΍፽y )q q)34^ F"Xs'#}=uS!ixиԫ0X1kr-̳vj: ۉd)2 t7AuTYi\DtEXXH|Ig,;*>!"PGJ=m/JOiAv"6_րCG﷕ Mۡ~'`:Ỷ iNEf7iE[0$__xp,.IKOdp(Q_3oA蔹GmS0 >DDҶܕXňuWlLS8K+= _4N10Wۛ0'v;LWA _gFp8aOWˀ, %-S 6[XT&@BI5xU SȼMkbGpmeB{3 7izvڝ]eݳuڽR< OƾMPn6$WW+}]RCa2l% |hamX"m /Jz[i冩{Q-wd¤S|l;(0DŽ ̩_ bPf2Rϧ%v!5Q31v0}1L9Ft;{PyC1RG=꧷_N='5$>XSs m٧q3 ,?73чa]<((>. ؘP,UK:Q`Ծ*X>ro LՏֹ.# Id76WP\Q_4U9 EZUqiQ*}PU`+/BJIxG=9/?{>>^S_NU _U0(N _Ok !^$0 `P~)l|Tea۸0hg+h f w£\N#+bf:i(ȃ;j܁ZSi v}űg=݂įτsinTfTw_̊,pD*EعHT:]Ϩc4(*?4>TL՞ SxY4^MgP{j7.KT:il@A ^:-FQzz'ˁwD֐u3 >f'ɞ +j@Zo}nEkIk`W"V/bn܌G}Vsa"ڍ(h4rqۯY籴5ֻEX7UD` vx%Zʈ7 /H[}G]m礘kg BRq0:W49NqR`z30iWq& plgi:"5mj!1'*0'7m |WiWm7nJ>kjy/_ljו$dq7i2xmu K43I` Úv^ p؏t(K_1f؛#tq~EMb=t)]nGv9`cT_9%@2WξˇVpVS 'mMtSI]`(cLfU.AP bU}؁. tuU{og=01AwnZ(| R&7(X0- 4`43\S}% `BR,*3PKwth^{orv{^AS~dMRpEğج} EF+H%]x䂔%-V~O}.S='11 +<0"\dHWAye=5K!IY?)M.tSu6PCycU/dI0]D AQۂ}n6[Ȍ!D & ^b1we``Mޭ0()mDYK{?p5/ bFdQ0#w#/eп^#O -ʩ~\mT'1P@ȒSA\5D"(ؙJJW|ߪܾs!7k{LvTM'*e K(.~5ֶCÞ_5'"qW}#?⬽eG*Tf.S(uJ!ڜs'=pc٤` _#gH@ 9ls|s5 ~ra mǏN&:ѯ,_˸͑@[4?ƺ鷮"8LQ@r֕>[Hq4YxcY̪+H}8N[Tu!ì8f'B!jfzK$0* .G~:BZ=G 6NY.@,ٗè ^!V7ϧ3[R{:n»𕑣i^FT a1`FFk^Y?ޡi&0yufF9{mG2XE2sVO#L!lݥhW@O(+ ) \`ZoWZ$%; z[7k`[gj]XZ_?(ճ<͑/rctqcd݃8V,JBl6W8@yyNVZϓj4`]4Ţ@QkJP ynSɟf@P'zlʙ2-,޼l`e`(}|†0҅OmESfiCS9nk#[?CEZ;Z[E<,[RsOsb3 e?@$PuM:> @:,OOVR /z,: 6Id|wO$I pA!vcϫ5aU0`/\"m7ezt޲H3+ 0 rAּ"_S+ N]J_O} qEy6̇& Į@Ye  TBW_x n ^ZWIN{{@-C Ts3X8\o}d{$on!=DkŒ̕KDy+}7P6 Zo_B$dz 't9J:TP>#Ecv=\OIZfYPl-tć!V(NP52!௦ޣCX?[Y=3g~jg8HQ"-fPU|3 | bؤm|ėl3lt(t#Ns@(u]/RP#5sd{Y!4&ېH}wNL$zOfd# ^8#f~"R%mrë~Bj95INQ<ZQ;GZ9^P,I~ڹj@oꄘ*6br&*|{a-Eb#h_=p?o\4:`9ؖ­9xvmwv@xٙ/6;Qe^FUUޭ!BG2'vգGGs0ë=u_h`ơq+l!QU/7D((!L3<oe!U},pjt x@ Txexz!eW:qE߲Z]}Yk @oC62Џ@ힸY>R{&`xY?}F2gbkri14e), { A( ȧ,Q (9Y@eިyhCq1 N1. ||F6>M7/~"OS|iAdD781<t/]3HqIe)' wCyoDԅҾe[z:GC"!S1yr\@\8g5W^G^JP\KH+&N_$.P>x$,+ gtV62T0)D+ c#v:@4+9B 6f;>7Y?t+2)F O5]=ahTъdsџG^,|7:Eh2jghdIfyk6VU7ҏU` ĉ6vҦ-fm| #Y & #qŸ.pbl?nFMDϩ)`[NMAPPO̠@$jes\u8E,E%:f_gwxjRә:5aPY­AL2xDƅSn@*#rџ38:;ޱYKN ͎}Pkq=ec_O2.׮#(ɖQ)Ca880#4#p[1|'VID鹩 tyWMj988#-EFFy TQu J>бWN^MO'C)ȒzHW]v5I67p}M+ ٘-2E7i(rbbޣjHV{8X-Ծd`6Ȁ9ƫ*,_u?k-xlu!W58ך$:[@6Jy. j(K-|Vd_9&q'"@VA +֐G6LXV=oG)wxʤz \&F*NTܲkBB*[ 4.S)2i[RQy;!Bd2 w!*z8\RO&K2Z\8i zg2SI9DE`g7KrY,nJG'u #<MU6 i2UєeB%7QS%YX VfgV+ އa)f[”8*Bɶ6o[{;SU`"a^3c3nԘJzA4:/DXY hLmwQ$.XxEaÿJ^cI)imsovmKPǠY]9J4(qK0&aYgίZ0=nNwˊӔ}y3$f+pIf1/0䠠\%}a,+BTxeSj[ҡp[QoZ);9~+tP;iG!%H]ƽ s9w`[ȗ9fihJe_H{T\xg\VRQO*5>Y}^@zzCA` u:n+IR?e7H4a $d1ؐfcy@ߩR,NȾ$I7m?luɢ)dH?j4 ā='T * pa|0'Jk[o5S쇈5k>RZ0-׊t[++[do`𷑷 m<۲Ke+^^asI:a3*0PMC~ex!icc^";|yiQ8=q%Wdqm q~qmnz-ϠYuɸe݀"<2^ UW@)^vy=?w{e| lY!Jc\iENIdI]#C0joP5Osu-ɓjKjbӰ򓂷T*9Cn ujǨ!oPYx 4zBe:ዐ.4< Uͳe ɤSu mb%/BT_(iQ搦 Y%<)q 4N뾳iЄPՏ[,4r3ez{z8ҥGdb闏 3,0[l5WW,ۇg'ܨʯ=GϡP9ZDmKJ9A>k#"Hm.,Sj[x;?ny279`%:ES69!1z=ŌJtxa+;*؍K9is'VA\497ħzYK\DJ|3&I9fL 0z}(ozX+ hWnnpH<-zڂ Bg٠+1?kZfQ+6! p0¨.v,*gJ*;=7i=z(dI7d d*!芠@zIBtJ U5ǍUnKw,_<^c3B(mTX$֯'ٺV-}e=p*]|u5mq >6ZHJ˾lF`*Ab% KܱSiy+Hru+ۢL1HTk'|vCg"M:2 jvn i֢ϸQLS*|۞fW8!KfF]%!+ȿ:8bB@1Sf3ϱOv4F. &7evN/[LxnC/$S!pU lȹ|s(c,_K Gl{ ^RcƢwijja>x·YD!}źh9T0w7V3$,3;ƽm9gCaĐ])Ңaˉe~]ocMc6 C7Q;Z^|Y$C ;vVG҅IQӛ%s&.ul5ؔzi$}U,QS|pt%W$]@Wwk(GS5beݡc871h1 >amA;u]H~*C\GZ`qx㵟w_d-7VMK*mJuIZm./Kϯ!y8Q'wgo ~|XI'a8 M8c0:5RLUb08 3c]; 3Q5l4NN?d4,Ry0DV򁯍+ tll Ѡ`YyldZ<64,7‚t$V\COY뽐xg74҆So &9.,#v9CJV ;;w}37dlGqAXe9S3ۻ\09Q 1OIV+2i9obF_dҮ lJr ℳ(|Lϼlt|gOLhyyһE mq` DYD]tZ9SE⦶4g&ۂ@Ck&PJ"10&g;X@~R^nb @h9FAw#huN#&f?i1 eeْXom$-oe_:ö q}9x-hnswgi|_DFM+vr=" !ǡt.yq=z#J,;BVT>D\A(m}@pՀPJJ-ސNޥTc>. ۮџ`NYڊX"c|k6Ču|*VKICS0"ܦ_%LܾP3jnmTI |)nAi=U9sq!) ʒN?kwg^2qDHA-v"J# +;"Nh$*]0p:E+Yť?#(idĊv;YVo,N:>T+E׀1ֈȮT"&SRL+uTHɏ weg!{Dz5u` <3苻csMvʎ@e@fQ"dAJx5I- > du-*iNqX8S}J0ѐy`۟D,@6_Q|7pz'"e%/RͰ[S^ 98v |3PVW{L`ۜeenW/|0q[Ȥ"BT:w W{9h=$j8ַ!`"+/lmUb.Fi&JߠB>{#Z5[{s&gq^ZE3Mhv:¯q2Ձt>ڵj85C$arA.d SI%)޹ɎVnӯYnphB|Ф\lxC\>2#,kA_O˸'tq@ENhv;tw)}DD_qr-ѫ:j^uz5> ~NS+]BKkicoy\|ER|aLa<8eRz -gCe!|hRI!q-HsSRma4 Iz^쾀qE츁@զ Des§ŧP`2wzQ"ЈG1FN|g )/6lG`Rw ?QJӖt?T@G2mL-0!eop,TGDi,w7 LtIpd^\ɲrBSaVp-#JP_~nm(P}D$"Ѝ46AˠYd@7CIH#7zQ MՑquTdV&]4衾9,3t#er>2HY7׋ w\>YnXJ|,6Bޭ 4_t[7: VJW~muPǨ}+Y8c;rz׼VO+ @v {w:mJKc!fd1[b<hFKf2u\=Ugj&VzuD.<aFxi6Z}QH=|%akUZCEyk(=#j3 H>XR޺[.&]`G̠ETpb+l!ܼ4(*jK3,ԸSTJƣTJQGX2c??tGf5Z!؊pDg3o;PڰWӑ_u~M#/"gDϨORuj9up4 4p\^2<5+<S+[UIWD:/t`w^i*vzK2f EqWmfqCe"F@Sq3Yu=Zv$ڪ(X&\7=S @s7H`6 ӾC񋥽}Θnnt.듐*@SzTRfG(I@҄WI/j3kyF2Cj 9mp\+ٌX-W#yćC=Dql^+Wq+.n"yL&ZHGkb&N~9ŵ`Hм@A6rMkDtR@2!摄2@#bTJ;gmB#}/Y$iveX;Gq x-Ya ?4 F ԡ ݻ=r[fֽb٣% x6}Ljwfq#,Θ/S KwƒIUV'rXŏNS'k]:I ( Eqi m̞D6 C4f4'o1ڳ';0CVPU8L,EGCfMe>bygSBZJftdw64H.ތ3)~*S~+u $p>X ˨A$&hM!=/dP]5Qk/xx9]?h)OOV^*+C]HM"0V@1"ѹŰ+U;ZLJMBu#³;H4:d|8*$M0]PvP{kPl. hs#C# aK]t3D$9OYZ֨~n"}fl2zvm8j볝jA:?"}2m7D+T^ש6끟x[v.i(E.d>'-BH?F,HZrF|Q'XVٰ ǥ(q#chtUǧ(kWv7Gՠ׭ -'JĽ7Ox~p4T}:bjV{dKw Zݛ\9q-K&;xG>$i\@ؠ(D]֡m\ $ۃO&Y䍛]N]5^!OoŹE'UD)3w$6)hW s^ ZJ8OkZL~8$qrwq܀ vޟ?ɪO$$]4vi0Z,D[6rk.}ZLc:pmp3G?2S<:!%ʈ,ֳsUG8tfk1n`qᝣX45a@eM56bg='* ٗl-җEZ~.yebα-c%R w 5WxOe;|K 7hjюRJ:v1ɀ%$5i˔ {n"0)`3ʼge:p:Za0%U?.&ِgEeZfPP 6J3`[ l96 e\_(uoͯs[渆ѣPhⅭ*ب/'_ jY@DLbS(I5W$!kDkRU^HQdbIp7[3ܒ@@vje$yŸdݦhc-ujƒ NP_c%Vv/960hU]sWJ й]4A;j&:(\QA`\x@A<_?`p7kJpH=պX( 8̰]0_1üα9@XɈ|:M$eDyۧ.?P0~tV#'= ÈCJ4.gu1ߚr,&.#s㶵VJvvQ[D~5-7L/Vgvov0Wu'#{+x >psJPv |6HlOlK69#L:L}f$*ܸT;Ef{|-'τ7^^[!CP=i$YW>|^C6x+_±qc\W !~4V;GnyP\.q_1UUwKl޴ZxO"XuT>)r6zw&"+T#8-;xBdl@E$gXFb/Bwgd/dv:4RN?klQT`Oyىqm28ZrHxBT5fg_riT*$H?1Glv=B$™J^t _#va]0H(5!#odv 2-oCWh?xuZGן*LզSN5Ee.7z~IʴoKV<@ dU=c0y$whز wցcȊPP׌ŞbeEDŽ F)"#K4*' `t6s55I{MkRˆl.bXN }M.s8Y%\H`<[ƫR!Q|##&/9qlFrJAlQ g \R)$_{qCfmT7{}^0i4yW_$ . Le )ľqyhowP:TR]sG#yUP?CW[daQ@ae2AK] "F>]`jgvTWm\Lƍ; ޱoƽYx}uZ O .An.LePZYX~.$X.~c:{C4kt}`a/GS垉n {CXTF|/XDRx4{`T@ 䕜m^1 &V(7XdEV:r 5'-JսϊKR]=N-h!(`sض9,SI튢,iQd<wup/\Ob[F{*4²ŵM $SKȊ頝( :AXy~󜖛zRY h /&oz*u!u'gQGu+w=+s2Kf 9IBUx,HhĄ᝘ MsOL+O[Zp!U cڒ?)OEˊ%28{n}+hMf-:TRv,B1UuFĮw3V {lb%e9xg{rKr'4b.1wmqnVO9:ɡW*:Cߛ6ŜJ < -wSƊ|]a)RзWhW𛪥pXJHH8snŌkۊ~iK'Ck 9 F Gv@9aΠu">v|.z ܴL"{@fj9V;< H9o2&f>4" JR&,rȱEIKJop/N҆D@Z\¯g}nkKZݙ2b0ڭiErB$0\jy>(>x;-cW^4q€pxwF׀K T7HwgGl+yhBП1 L)6_aqPEwrmNmV%22]w)ZƙA@K}_(~.9lam48gd">@GkMiPNPϬ +8mOt!}mf{. OB/e!r1-0сpoK"K*Jc-JWLysA=;F{>8CT˹:@S^&,=`0 AЧ96e]|vi/ͷz6Q0}14P)V3:C+4Q։ 7 }8yt~ng,aJ/ .s]37~te1C^`֢FDmjQӈšLyA$^gw2|Yr/Rn3ˬ63d_B-3MExFhn 8}m tOb 9&`U ^2)@k,Vɞ!̜8w$ư kG5)&t@ן;#-#e_w :<˨ƅu\2 )['舎# M2\U0V@X&Td}'"l.YJmKL0FXXsH2sqGNն?Dc6kzTsPՕ][/\0B_mω#룑\_h ]mx~ 1x޽0\9T9ya A.#'6Ұ u]%38.)y1/O"u:gDJRrh洖2ywp hGA探Eb4o ZPyB]"gBT sIQmE uŰc -@\-;ӦJW~ɎDG%,̢_lϷLltv6B\W+P6xi@?Mj~IWu}n9$*L4%YJ%oh@f. G`-b1&4CUI9&DW= 꽈%S!&^MH5 n>S IY%xhqt*1!LצmctbJ-?OJ?LT_)m!ܗ40,:Z9"@vn&݂pf-Ah9Z@-g3r[&Ak0LUɭ\^^;sVsbûYKʠ ,gהjݍSAndӓYGؓS^Ip13Ɓ/r0췅ϛ 8N:GR A2^ѥ̜A\=Ç-[ O5.>CIB˺=裙U(w,1?jT֢\$ QV&emٷfj'i*l(JG4W,< 7qY!;@EE`= rif^Kz?`GZyo~̩X>f2z8CL #"Kc,! u࡭Ze<}]#;(6H} j-`_@wEةks.k؜&-I>s#e3HFCh71ؽv\~t3!N) k?f2gqB&HHܻ-\'0UBK.7۩+Bm &b#]|8aK{ESsySFRrNWB_qS8h^^u\Hv<=TC6'~UZ@ u(8/%D1QFeU)@CGm왑]0,]'HoEbǵp<؍дG/3JU&A0Ulfg[Bg9ڗy8ozrT1jζR퟊$RML8_7E Y’Swɛ6-HS0K?su\ >:dR&,QB"V+&۾{4v%0eC!_KB+Ŗ.Yh^s14e-e lp`" *:fD4p{1SllO\7b3eR"ȩ5.oW@j[yu&+t0(N`9@e׏g )9 ˞HE`lf̢ J*|2? "ːj48c03m0uNa&N {HW lr!ȃvkʦ^E6udYLHħ]aΌ24C=G6|$E XNFc,݇E M+s<_<1ǠDԤ}QQ0(rA2ˬ2 $o6lsVǧaAr p~HsO08"KqF_𒌓6q{nbb ^mXŰ@<HRkOKJ͍S}(WKIu{d"!b_=7h"ڽ4:<-I%ub96b&ωfFxF,tOgZIS׃[0$ 8aSvq,ʦwĽ2ڏ]LM H66nKnY 8$t:q}NCO. I2YmkSYNE xZKW#P?9?6aWDʇqqf`  {7&`05:l_0'qdԖOK{CgгS;| tu9)F3ۧ7n0nMK H\ԌL@!eJh͌O;/[J S w{N`-hET~6@RBne;NS R;,}\LMC;o~[TO0D K/r7ʍ,5FK歞" dr5c.ju*NwqL uBhv#}6YdHp2!rM5Zp-i{g` ^{/$+q4ɷo 7n>x$>h}="9o;9vrP(ݕ[9lՆ11c# U ?z,@WD]Xէ$ &:xL8&'Lg|L" 8gsD.~%CCk&ѱt:;EV=  <oSoLb<>"!Tw"γ\eOhUIٻ&vTxLb ͉yKRskhE^ē/%i/sUC@+ iy.`100lVZD!wz߈F~/dQltES3\Z=j Y_6Cr^Vh`%H̦*0w%,%sTv($/GS;4: 5nAi<բf5¨Hl3OpR٨H:;"}63q/#`8nCrҕ pBmd @D]#T]l Qf9%kOkw׮7)Ұaxj]k8 5!`+)$.~;(;K{; g, C_C@bB**oJSBz<* ۾UA|%Pɱ=N|AN:VlI_R7K4x[`(^}g%b[h&@"{Wf%b cDr/,(XPf+p9";ʹ{Azt`( S!@4/{4$?Oϊvًf判gk:WP) 9J\xIk"PᖦϪwC^ab'|`Qeh8mV$38d`ѿf4NF+gVf"71^v&xs+E(fp]C{bU&CWumg"<ܵK\F}M jv>h>jRrLBm܆9]C$岔rtd33[2mEDT6UՏ՝Gp) Bf|RD`:]gR57K`zc~k<ۅ[Vmm$#@}*\iӢmZO]v1Ѫctk[@bЛý> t-RU/:Y_m,6AEIu1nm4{)wj&ƱLWڊ.ueMI!/YR {;)ٗn-{X>Esc549|kK)N ! lO1Nm"So _ frXPG|S 2YQx9; *ʜͬJ;01UvjմX9; gitsUKy#ZuJ{n nxId0^ry# DWL`"U gKhd!Ű {݂L!\S X>pvn@Dt:U?H\lx''cgD[EJNj ڀoU *m*-ш(\yb  ESE:3/<4͝ +"gGO0IzJ \_XɞHGG%k"O7Ð1'ߩ`bgSq$0{ kE&͇cUGas|G{ ow ðLys+0bL08GٌwZe u y] #WZ;\t PK3*/Fz!,:}g[h^/=]ءgW q pRW6p^nr> D{v=081c< u"D@`^G.&ahś ud&IfmbDA$r>Hyx+!'Z/G M1bOyw.EYTn2[^#5N7nP3l79;w?yøN + GaP^> {Ak΂+i"gw|Ds--x8PGdrwom\8u!S$.`@fځ5?)ܫ ! vcsIݪ=z=DA>(+|n> }y_M܏!6=.av1 C.MHn~)1_$U$kv lX:3HzvOcdjK_ۯ0cO}.-Dy}MaQТDg#Wmcnų3W5l俄&ЦqNGS9 aA] wLA6s?%,tU AH-EG K?Al]sz)"xRs$&(s\K8#g\Eq ga@m0G˾G\BG!9ZG N^ n 8Ք1^GoK-mEu)}\qtZdrM{7x-)/}Br7īkqq :bga>"_o̩h7BiN$7NkхP~j`&!Km򤰇iBAX&W%2LvK;pQrb`r:t6hGB6_fYuెXǣVPXL\ghb/6 ϊO?btc|j LZ+`fz"VCp3C.QL>_eSZ=т9;(ɪ5oc9[>B#&AT ϊ5O`fADv?fnZNuSޛ.∘JfR2:X @/FzKAg_|f|6qb<Im"hdibh~xM>u3UK{ qNhMSX`E8YqK i+d "콎/ȑB(Z|+;WeilA:EX$诓 ՠMYIE>Ne3ZΖmcZbb(L?NOugoO tg6dx2ҳj g[q[\7 ծ/$J]i*SA$ F/c֗'Î1@SY: ~CҨ-Vuw4 =FgU:yTuXCHe\B"b ll9[`Y܂bK1WРI0=a6OL@H(#)E-NF?D(,KG0Gɯ*4 M/VqN+u@h;q"]qNEg51{B ;0L=P[-|9 `˕%a~QAwx@3Eo :Wf "ck]Ƶ&`!@u0QK2,-@\)>bٗ;ahnGy3vy'}%:QCs)"T>3(Тk%u4c +bC406ݽA"XP  X& [1LW=ē;۰ Jj!os/eSśDcy'Ckn8%O]zOt'ElbG沂4,k֬,/6%A{"xnӦs K.-c9E:hN4,l"xOFaR0m҇[+ 7j]G^h/PgI۔)3)x קHrP| ʃK(]洓<^ _)T1LƐ?$ֆy cJx׉h_23z|zq͉Dv_$bŽ+P/9@F#s#N:w OP&'ֳAk_g|CigR2teK t?\ɏhcq@  ^=7 އx bf]%7a% YG逬vPOu`ϩCx4, ܽ␳>7n#WAM_ V1'4XC2o l.E*Lc-An]X)9 ˣѲ$0DBTMv`,!:{#ޚ-v"TO&>  7\[9cXC{=c%!ov %JU{zQ95,ow$kJ5]NL;^\imܣ&g[%=DѩDt=9'|7X *ǠkvJ1o_}6v[\+$+4eŨ|chd] `G1e3 BcɆ}cw! (^8iIEPun >>e*ru] ٻ,;Ư=r3F+)W(e#v  ;>#e57zyohwc0^m'A(BCG {|Dg +@3* %^u}誙חWqG"7f4-?z04Դf ϡ];ׅp)! U8'$| \<,B` _sP zΣU`nݐ1CωrCԦxjAʢ £O|yP2=Ne&Dn5x `pw׃pഫG\?J+E|ՈL+g\3&上,`/ R^nmk,˽g0-'}i &gDcCN/ +^gYZ.shstrtab.interp.note.ABI-plt.goݓe'i^zVMc)ެv4 J\SC՛~ M[;nR$yCQ ,2Jc⓴ֺ|%fk%酨 SJnĉXWUa^rUjS|8T*e_oߦoŴfʬ{63h M2UuWwϞ}~y'Zf4S.7y,u~*չqNu]F |U<,5k||0dr=:/և#Mi?PI+aFB\YZm$yĝCXj.j|˳oE2U^ﲌ:]WtU$|ӍY={1 Ty~4\al胘C1ǹ_<*!DYgHs4_=qjr-*ȋ|ퟵ$Wq$c| *"SI%6\y=>Xdwɥ8/gb:̦f,|m ×w(J}ƪ/lru r{}}0[pES@3RQ.t:Hۃy=On=eBHX8bay%DUC2TQ1 -I`x_0dr.od DZ!s<YnE1e<4{Q])("W2N;`mt \UiwA?4|S*Vud|!.ƯGi(#4tFat.DzRgǢי:䆍{:`"t۲X $:ޯ@,s2 H iEV?rJ K[t`sE Kf>=H&hk}Av- $Ed75 W҈HfBi'cULD+7##9ۃ @rqEl:>o䓔3QM+gjϑ`O?[Id M(nJ리O(;ZhFO*$CID'B1e8֨ UifT3jX:ܓ"_TANXvTcGW?o:cEdNg#ەciZ~Mo~dzWOQ$rR*`wr6`M2T,nj` yȃ@F 3Ӑ$i8OV3Ah!imwN겷rxxǹYE $ %: QIo5@R²N3-x5e< >]fV5R݁쒨T d?Ntcc+1^{[Њ˃~HDߧ Ύ,Dx&+<j6~%+3& |҈7;/Zޥx^!Y ؚlo,xB#:*T<Ny )_q!ThcR vo  Ϟw A1}8RF`H̸a2+ka%N3p1T|eїlKn҈o%w"Nf5$uQz]<)Ywb?-mG!頜݂PAPA+b<\U]8Due3v ĠW"lX!ygN B[~/Fr+KόYױ @zc~"2mNϗqBV%[%^#SƇ}v;>g<"{R}IZT YQuAn`[)"ɲq y,W|Eks2`¾Aӛ[A oTl=>w=]`LSdl Yw.Iam:s]u>HS ^XY7H^Vl+xN)ޡEGޟ{~mB]2t6Vnm|]UK]n`h֨'V:AfN⨱?ErP"UdzKI.d6ltww/˸y1Z|8f%]q 6eH[#wϽng>}-.K=Hl sM2v? Q=cF.^EFM?6&xqc![U>ܥyu=T,<Ew& vng]^Z7@ ?$'0a b5D 䊞 ׆fMe2D ^鏖Fg5F #lliY[멄E"ì?Tb(TcLfkYmcWgx*EaVHc֞qQy檠mpY"wτ=+s#9U/7.tg1?p跭u;'.3[[9. |2_iݗƀů;<zzkПtFDwLH)w9V%H|4u d޿\C}i Xs2;^z(X:5ݕkJ@.fvYÒvzڍD79,- ;s1|W_̏5^|1vr|>'k/;4d?FӬ .f)nKJun]s ۸6XW_ADR!g<>h6@ f&5l2'&[l73r}{.˚L4L6l?br8!EmnWv]4,X;&7ؿY\/Z])5n7*U{ֶM\ c|n !?Ε(YQ3FNӟ1):JU'P§pk甦`M]$J#qQV#=}{ J"s3 k 7sJ'&{ߍTZ2ç`W؜`[8 qXkBE{}IڸPhR}_~kwD-{_4BݵG e. 僨fl&u+S,РsK-]yР+!xAT(4Vژ`= }$`|/Q`q+3ݍAܥQA5#9ҡq| Vt_KE-~ec?xt~hU%-"ӲM "Y]);EPvHgNێ^M|l;l@~!BA3>R-:l35܀; 7z7OZn\>?2n,"i~Gl6 N\YM&蚸9]b!bKzДn9:W膇NO[:Xh Br]ـFmі9 ,E?*AsC! Pz4w09۽p`N&yXoI5W4 x'.Sor[dpe{X7r5ax\fV7K7X. :VN6; SC =bi WEaǑ,͔5"7tXbȅB0%̠a;մL"g4sRm;?|6v 7Na48X65SC$¾ j09vцVcAkR$߽qcdq)p J_zM).Y=kmVgne<6=tF.-=Mc݃G[E4cojׂ #[?*]KP*f4x\rK#ӠVm!D[ .pΠyn)Ļp'5^ —&qqgGP|6 SD34Z,#Vl\CS{a@Mc^޻&l+tk̩f 2wC :qΌˡy@JC;w]RT> .uy}.sT~;0 f87.GE7iy5L}M|,:#y!zv; 3\j}s>a͓3-(qKݤk֗;o]0I[Lbu`f gUwbHƽOXgJ%>5Xx“Zia£}hAz~dsp];QƧiLj-sN|n GEv2k*^2U` }A/>G2['eR4(>1jHOYDi']S;%Ggon#λpGxO/  ' Xv`c@D#jԞ{{! Rq8ޞtccDZߣ`)3]U߻fwω8^Qwf/7{no]Gޓп`W\snK4n; ȝil瘦 ^w7rBX{% yS$K7]7♩_:#am777ހ$O9;}'o9Aa 2{eXfzq ldS!|;܅gNTqM'X8 b{qM;!Ks./t5!7:iFyV\p^8lF3^$hLC(x{N0F /~/>g~S A>wZ[tI˟^FPp_&On O>~v\+\1LL-z,_wM>ӥẕ"2vQwNOD#ZNx1NQbgwEst'`l*hZ'^ëѧb©7Pn#-'Zҩ).c[/-^}ًoϊWfg\43obnR>y_+P$A?? az_>} ,}X M| >1@¯[8 Zxpޤ<)ȇ2c3~Dq_6 k}C|OO5^]5LtjWS8| K)Qf0;mY]Xo,]f׹೻<CG 07ZBWoPw/[Ú>:S[Aq A8qG73.IpJVq`x^ WjAA.|W݀Eۈ:|+uMtKGq$pbAP: n}6)~i3^2x{HGͿ G`#4+L'ޥTDnCaH{$ "m}!32 !PDyv{RhNG"ޔ&Q/&#[}:]H[,D-Y'܄ 9/z[ h0yWsӹwa߱0$eB[UL48wb.Z͍c'p> I&!Zਓ')*|! CU:!E2gmd$AZE)yTxZeJ BRZZϿ*凌Fˤ֍(96sVh Q*=!Ljr\R╨׃z#TB ا;Q2 v tߙz>"bK+{4]7UdEjAA<D}xEq%GP| !%M(ʶh9Œ6AQn䘺 y]$+Vas}qL+31ͮ63NTR^KJӳrWߥJ:-!nn A v߿K;rQ6vE7yީ]W[v DH۞0fn-<)>,)\QK; қ*fJg㌖yvY.YM2tiLOHI.Pi 4h xOb!Z4L2=6C = EfZ0;pObҠɆP^ g5o{k?KYE"JN),y|fa ZNn,7Ij QGAmn-/4:$ukxЬTj@ r' Wwk,G^L2fD ]e-֗zW;I \7JI0kb=VFCF/"U[տ-(eD'ťR{28I\x{e5PHؒMC;&,a ;$pߖJ)33s3^7AK֛_fgٳu Ti3#lȼSs5mK]b' 1b m$%wچ!ŕ7.)[Vͦ\@RmE,#C`Z+ˆXJOy`Ia{:`Ԯ1ӴԦ_+cȮj+ukn(PY*AiP.cJP*6"ĹPRɖ<) cr)? CǬ(o D9p͊$A"&{]%fg߬H#l$LMC7||WjI'G5H!AN-A!(6/giEr^zخ`BvASfFd,Gh"3!M 1X,4rt8F?si ]z[,@¸P}7O8- bM+Mmu\8|d%J!=@h:5l656 dDC"lor!iRi _hYGK̆i,H1,ƶAS;10eVplc0#my]o 3uZ9Kg[tillu~+Xn)t Xz]1^Cα(pZm%ˤ5챮kH˒`˶Kt|<-66sws#̕K^va#h>_xaptb1 b{@BA LqfvNfk,fB{ICmDnܬzAF`,71NzfI;#E4f>}b;<=5eGs QA@RضVc2m2ɃGaw X)`( !vlEIAUQ dnhV)?jbvzP*vVI4X iU6Q>˳W/P>)J@X즴!i}b3PՂ[Ud4 |?"O%Yk=Z tqQ6鄾$!_&)9Cg`2]BG8edC*mhrmQͭ&qQt 1)B<)g_us Yёh= d[0^6tVZ`T$Qͯ "KAmÚ:)SI4\xL֬e;vJ37$R/O%z$2[1#IӉlM4eǚx:eu7ڎ†lb=FSDD^P}7P삷'X^*.Iyx>.?$~Z mIh ; =]-~]r6 4=6Qi1o_Ϧ}wd,Gj{d2nkg p /U8g%;p38 &2XTw9dG 25v4~at0Qja'(yLtFJ ݺwͻ::uq>""b$bnîO{vk ~b;pHߒt`cc0~y蜢@Jz프}bpO`RrHyBVe9{j_&\ ZxDLd$ƈ,3L~)3\iUo2!Ed"N v `2k j~>zݙGMhYp# BnaC$^nrëvL[9㻱pPuKt3{8UًuwjlԖa|£"Xm9˙^bZ>>툸FhևD e)TytF$G"n pq-^]'v0Ծ/pSsקD ̐čO $2:@܊gB,?i01=vTYQr൴4:_i}Iwdn P"`_@g,;#ѥ4aD0l2&+$( Sptaqt5icް)"_&M~GD9`fI%"=^ ֺs|I`NdJ) Y*Mg~(WJA)`2GxZjKBI>"6?5V07D$.1S=kjy2?NQ3J4N]>0b 4 ʀK&UFn 褙Gl:wR4I#ǒ7ςz9=y`XQǜTDUxg[I(a$:tDܤn P @*hFLbs 8gۚuٞfqH03t/R HBEKjSb]ާp:ajVv<0׏vhKGoAUeVF;9DiY&Mg ;i{ a>v2XA{w HTpn ,%)Q)oN Tq3 ײ4⡢v?(my/3yg&;?~PL$&όM],Ks9މ\PN1ՠӚW2dfYqfqka|4Ö[{m-Lq nV۝y߫UVmJ[m! ;FIg8Y/_ǒ'ՙ1n&yݩ,c!Nt8e&p͏{Ə)妾LT4 mpa`C3<ZնkMZɀٲ'fQ56CcF0Ӵ%v.$$BG[ؒ¼H.pWd*0> r %@gp34?,5e)Cn="/v!fcbd4[Fu Kgq" `wA#/n0Z&A`h u#w2UǼ},g}{ڝUTʗU2m 'OZv^UZ%F aWZ/)K55.urwMIe˨찈`YA?2sNf&۪@>k3ؑxv{٦C7&nS#4mA).*UAnv5@2\|r%PtVn,hÐ=j7씺:ns(Q`ߏu-EZ-y2ܞj G/'Qblae%K3R XIVXU6ItOD+9*{0%4U0roڹs?Xd/-wX:XMb]n)e RZe%m9gZSt5qT5>ٳVsgrJf vݦWrrU}Ru4 4BeOžeR>' TH*"(ӊS '˦lZlR z|dK qA>hݍ A3a&C 8GUɖgh0^҉׳0=R['JeA& YG`wX#$"U޳lkr)WDZ|8xQBqn1% %z ɑR\yfj}$VXzZf'ռFMAVU_ui_b [מ;m.P^̶ I 9:e{mfQ~,Hp^f=i/0ؤUHAq2ZkcW<$ΤxkW8jLB/kqG'+lKhaϯk7ZaDox" /mwjMu 'ka9f!IjE'Ή->X\hݍ?_{6+0Z;.yZa/VnN1-:qq ^*Rh׭ywZZ;F\&_yq!;Tf_;* V4a -Wn`%a(~wscUnÂV\w; BuW%Ey1ZA\[>G̥CЂG1W¦4ŏTeq2Ý,m@?5컈m07ˋk k9AH,jrnsvWQ72aǗNkN1*p *߀3qhzl#Chy Dj24KgX/,d9sW;SyapMʰ * nz~q"򠀭#UdDp8dN(D $dP;p;X4LnhM EO7^JDWyac:3}5cqRyn,9n5l<,-Qlra\򔷚׵urⵒ[uqu2+̪wCz*:{@PŀԈ/|<m(&e(9I]:o_ln1=͓"'Xj](e/bmGҊrMdL7D}4s''g=cgT݋kS,mKfњޟ!o/?@J7𜞁2ma]v˾ti-Q`].ja *]ioХ]jAt˶N}7;;HVhHUw*^yUqŗΚWO{ѫr +n UۼkޠކAqFFvúD^g`Rw.ZGzd}[.u?ϚL+F̟`)!SdJ3N[@X.hQbiߙh-ɛioM5ӏZ-}`LFn-|G֜Zӵ7U%|@)}N^^m4ɋ%yii~h|!oti>]7*+Fն>Vܤ0֯K0p5Hu1P% F;EGi+r9LԮyӖ8ֈ[S(JbZ=\InsG:j.5ƤfsmH-OqiKNnUOۍ)M] 'hN7:G:ؖ( oԨ YZ