sssd-ipa-1.16.0-19.el7$>T ڛpkyg'hU>=ׄ?td   6  ;AH   0 w PPP PHLQ(`8h94:r=GHI4X@YL\l]ш^byd>eCfFlHt`u|vӘwxyWpCsssd-ipa1.16.019.el7The IPA back end of the SSSDProvides the IPA back end that the SSSD can utilize to fetch identity data from and authenticate against an IPA server.Zϸ"x86-01.bsys.centos.org ECentOSGPLv3+CentOS BuildSystem Applications/Systemhttps://pagure.io/SSSD/sssd/linuxx86_64getent group sssd >/dev/null || groupadd -r sssd getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssdKV#[A큤AZϸZϸZϸ Y ZϸZϸZϸ56fc0f2b489a27d371a52cdbc5fd2f861f371cb4e84fc0741273d2388b9753339d56d864cb565ce053ec5dadb8ac83f9da0e43e7e5e10014b790edd9234ff8f28ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b90377418be27d6fc9967c351ca88e50a6c7a4b32841ea496631b72ec920ac75e947bbe5798233fed8f6307639fdd95dc55ae8847a0d8f1ffd40a7c6cbdf569e33f9rootrootrootrootrootrootsssdrootsssdrootrootrootrootsssdsssd-1.16.0-19.el7.src.rpmlibsss_ipa.so()(64bit)sssd-ipasssd-ipa(x86-64)@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@   @ /bin/shbind-utilslibbasicobjects.so.0()(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libc.so.6(GLIBC_2.8)(64bit)libcollection.so.2()(64bit)libcom_err.so.2()(64bit)libdbus-1.so.3()(64bit)libdbus-1.so.3(LIBDBUS_1_3)(64bit)libdhash.so.1()(64bit)libdhash.so.1(DHASH_0.4.3)(64bit)libdl.so.2()(64bit)libglib-2.0.so.0()(64bit)libini_config.so.3()(64bit)libipa_hbac(x86-64)libipa_hbac.so.0()(64bit)libipa_hbac.so.0(IPA_HBAC_0.0.1)(64bit)libipa_hbac.so.0(IPA_HBAC_0.1.0)(64bit)libk5crypto.so.3()(64bit)libkeyutils.so.1()(64bit)libkrb5.so.3()(64bit)liblber-2.4.so.2()(64bit)libldap-2.4.so.2()(64bit)libldb.so.1()(64bit)libldb.so.1(LDB_0.9.10)(64bit)libndr-krb5pac.so.0()(64bit)libndr-krb5pac.so.0(NDR_KRB5PAC_0.0.1)(64bit)libndr-nbt.so.0()(64bit)libndr-nbt.so.0(NDR_NBT_0.0.1)(64bit)libndr.so.0()(64bit)libndr.so.0(NDR_0.0.1)(64bit)libnspr4.so()(64bit)libnss3.so()(64bit)libnssutil3.so()(64bit)libpcre.so.1()(64bit)libplc4.so()(64bit)libplds4.so()(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libref_array.so.1()(64bit)librt.so.1()(64bit)libsamba-util.so.0()(64bit)libselinux.so.1()(64bit)libsemanage.so.1()(64bit)libsemanage.so.1(LIBSEMANAGE_1.0)(64bit)libsmime3.so()(64bit)libssl3.so()(64bit)libsss_cert.so()(64bit)libsss_certmap.so.0()(64bit)libsss_child.so()(64bit)libsss_crypt.so()(64bit)libsss_debug.so()(64bit)libsss_idmap.so.0()(64bit)libsss_idmap.so.0(SSS_IDMAP_0.4)(64bit)libsss_krb5_common.so()(64bit)libsss_ldap_common.so()(64bit)libsss_semanage.so()(64bit)libsss_util.so()(64bit)libsystemd.so.0()(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb.so.1()(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rtld(GNU_HASH)shadow-utilssssd-commonsssd-common-pacsssd-krb5-commonrpmlib(PayloadIsXz)1.16.0-19.el73.0.4-14.6.0-14.0-11.16.0-19.el71.16.0-19.el71.16.0-19.el75.2-1sssd1.10.0-8.beta24.11.3Z_@Z_@Z@ZyZhu@Z3@Z2gZ.s@Z*~Z'Z!D@ZZ@Z Z @Z7ZNYZ@Y@YYJ_YJ_YC@YBvYBvY9<@Y9<@Y5GY5GY5GY5GY0Y0Y(Y(Y%uY%uY$$@Y$$@Y"Y;@YR@YR@Y Y @Y @YtYtYtYtYtYXXh@XXX@X@X@XsX@X@X@XۡXۡXXӸX,XCX@XX*X lX lX lW$WW;W;W;W֘W֘W@W^@WiWiWiW/@W/@W/@W/@WWWWQWQWQW@W@W@WhW@W@Wt@WE@WE@W@W@W@W@WW~W-@W-@W-@WW@WWu WgWDB@WDB@WDB@WBW;W;W@VbV͛@VTQ@VCV @V @V @V V@VBVBVBVBVBUUUU@UXU@U@U@UUUUUUUUL@UL@UU@U@U@UnU@U(U@U@UUmUmU@UJ@UU7@U7@U7@U @U@U@TE@TE@TE@Tи@Tr@Tr@Tr@Tr@T}T}T}T}T}T7T7TTC@TTZ@TZ@TT@Tp@Tp@T@T{T*@T*@TTT~@T~@TuTuTto@Tto@Tto@Tto@Tto@Tto@TmTmTmTmTl@Tl@Tl@Tl@TcKTa@T\@TZ@TZ@TR(@TG@TG@TG@TG@TG@TD@T6xTTT SS@S|@Sr @Sr @Sr @Sr @S;S;S2@S2@S,)S!S L@SSS@S@S@S@S@S @S @S @S @S @S @S @S @SSSRb@Rb@Rb@R@R@R@R@RURURUR߲RRRx@Rx@Rx@RΏ@RΏ@RΏ@R=R=RkRRRR@R@R@R@R@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@RpREs@REs@R7Q@Q@Q@Q@Q@QQLQکQQQo@Q)@Q@QQ@Q@QbQyQV@Q'@QQQnQZ@Q0@QQQ@Q@QQ @QQh@PP@P@P@Pz@Pz@PqnPl(PaPaPS@PH@PDPM>M2@MMzMx@Mj - 1.16.0-19Fabiano Fidêncio - 1.16.0-18Fabiano Fidêncio - 1.16.0-17Fabiano Fidêncio - 1.16.0-16Fabiano Fidêncio - 1.16.0-15Fabiano Fidêncio - 1.16.0-14Fabiano Fidêncio - 1.16.0-13Fabiano Fidêncio - 1.16.0-12Fabiano Fidêncio - 1.16.0-11Fabiano Fidêncio - 1.16.0-10Fabiano Fidêncio - 1.16.0-9Fabiano Fidêncio - 1.16.0-8Fabiano Fidêncio - 1.16.0-7Fabiano Fidêncio - 1.16.0-6Fabiano Fidêncio - 1.16.0-5Fabiano Fidêncio - 1.16.0-4Fabiano Fidêncio - 1.16.0-3Fabiano Fidêncio - 1.16.0-2Fabiano Fidêncio - 1.16.0-1Jakub Hrozek - 1.15.2-51Jakub Hrozek - 1.15.2-50Jakub Hrozek - 1.15.2-49Jakub Hrozek - 1.15.2-48Jakub Hrozek - 1.15.2-47Jakub Hrozek - 1.15.2-46Jakub Hrozek - 1.15.2-45Jakub Hrozek - 1.15.2-44Jakub Hrozek - 1.15.2-43Jakub Hrozek - 1.15.2-42Jakub Hrozek - 1.15.2-41Jakub Hrozek - 1.15.2-40Jakub Hrozek - 1.15.2-39Jakub Hrozek - 1.15.2-38Jakub Hrozek - 1.15.2-37Jakub Hrozek - 1.15.2-36Jakub Hrozek - 1.15.2-35Jakub Hrozek - 1.15.2-34Jakub Hrozek - 1.15.2-33Jakub Hrozek - 1.15.2-32Jakub Hrozek - 1.15.2-31Sumit Bose - 1.15.2-30Jakub Hrozek - 1.15.2-29Jakub Hrozek - 1.15.2-28Jakub Hrozek - 1.15.2-25Jakub Hrozek - 1.15.2-24Lukas Slebodnik - 1.15.2-23Jakub Hrozek - 1.15.2-22Jakub Hrozek - 1.15.2-21Jakub Hrozek - 1.15.2-20Jakub Hrozek - 1.15.2-19Jakub Hrozek - 1.15.2-18Jakub Hrozek - 1.15.2-17Jakub Hrozek - 1.15.2-16Jakub Hrozek - 1.15.2-15Jakub Hrozek - 1.15.2-14Jakub Hrozek - 1.15.2-13Jakub Hrozek - 1.15.2-12Jakub Hrozek - 1.15.2-11Jakub Hrozek - 1.15.2-10Jakub Hrozek - 1.15.2-9Jakub Hrozek - 1.15.2-8Jakub Hrozek - 1.15.2-7Jakub Hrozek - 1.15.2-6Jakub Hrozek - 1.15.2-5Jakub Hrozek - 1.15.2-4Jakub Hrozek - 1.15.2-3Jakub Hrozek - 1.15.2-2Jakub Hrozek - 1.15.2-1Fabiano Fidêncio - 1.15.1-2Jakub Hrozek - 1.15.1-1Jakub Hrozek - 1.15.0-2Jakub Hrozek - 1.15.0-1Jakub Hrozek - 1.14.0-46Jakub Hrozek - 1.14.0-45Jakub Hrozek - 1.14.0-44Jakub Hrozek - 1.14.0-43Jakub Hrozek - 1.14.0-42Jakub Hrozek - 1.14.0-41Jakub Hrozek - 1.14.0-40Jakub Hrozek - 1.14.0-39Jakub Hrozek - 1.14.0-38Jakub Hrozek - 1.14.0-37Jakub Hrozek - 1.14.0-36Jakub Hrozek - 1.14.0-35Jakub Hrozek - 1.14.0-34Jakub Hrozek - 1.14.0-33Jakub Hrozek - 1.14.0-32Jakub Hrozek - 1.14.0-31Jakub Hrozek - 1.14.0-30Jakub Hrozek - 1.14.0-29Jakub Hrozek - 1.14.0-28Jakub Hrozek - 1.14.0-27Jakub Hrozek - 1.14.0-26Jakub Hrozek - 1.14.0-25Jakub Hrozek - 1.14.0-24Jakub Hrozek - 1.14.0-23Jakub Hrozek - 1.14.0-22Jakub Hrozek - 1.14.0-21Jakub Hrozek - 1.14.0-20Jakub Hrozek - 1.14.0-19Jakub Hrozek - 1.14.0-18Jakub Hrozek - 1.14.0-17Jakub Hrozek - 1.14.0-16Jakub Hrozek - 1.14.0-15Jakub Hrozek - 1.14.0-14Jakub Hrozek - 1.14.0-13Jakub Hrozek - 1.14.0-12Jakub Hrozek - 1.14.0-11Jakub Hrozek - 1.14.0-10Jakub Hrozek - 1.14.0-9Jakub Hrozek - 1.14.0-8Jakub Hrozek - 1.14.0-7Jakub Hrozek - 1.14.0-6Jakub Hrozek - 1.14.0-5Jakub Hrozek - 1.14.0-4Jakub Hrozek - 1.14.0-3Jakub Hrozek - 1.14.0-2Jakub Hrozek - 1.14.0-1Jakub Hrozek - 1.14.0beta1-2Jakub Hrozek - 1.14.0alpha-1Jakub Hrozek - 1.13.0-50Jakub Hrozek - 1.13.0-49Jakub Hrozek - 1.13.0-48Jakub Hrozek - 1.13.0-47Jakub Hrozek - 1.13.0-46Jakub Hrozek - 1.13.0-45Jakub Hrozek - 1.13.0-44Jakub Hrozek - 1.13.0-43Jakub Hrozek - 1.13.0-42Jakub Hrozek - 1.13.0-41Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 1.12.2-58.3Jakub Hrozek - 1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 1.11.2-52Jakub Hrozek - 1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Related: rhbzrhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1543348 - sssd_be consumes more memory on RHEL 7.4 systems. - Resolves: rhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1523282 - sssd used wrong search base with wrong AD server- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set - Related: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7]- Resolves: rhbz#1517971 - AD Domain goes offline immediately during subdomain initialization - IPA AD Trust - Related: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1527149 - AD provider - AD BUILTIN groups are cached with gidNumber = 0 - Related: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1525644 - dbus-send unable to find user by CAC cert- Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card- Resolves: rhbz#1512027 - NSS by-id requests are not checked against max_id/min_id ranges before triggering the backend- Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card - Resolves: rhbz#1520984 - getent output is not showing home directory for IPA AD trusted user - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1421194 - SSSD doesn't use AD global catalog for gidnumber lookup, resulting in unacceptable delay for large forests- Resolves: rhbz#1482231 - sssd_nss consumes more memory until restarted or machine swaps - Resolves: rhbz#1512508 - SSSD fails to fetch group information after switching IPA client to a non-default view- Resolves: rhbz#1490120 - SSSD complaining about corrupted mmap cache and logging error in /var/log/messages and /var/log/sssd/sssd_nss.log- Resolves: rhbz#1272214 - [RFE] Create a local per system report about who can access that IDM client (attestation) - Resolves: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Resolves: rhbz#888739 - Enumerating large number of users makes sssd_be hog the cpu for a long time. - Resolves: rhbz#1373547 - SSSD performance issue with malloc and brk calls - Resolves: rhbz#1472255 - Improve SSSD performance in the 7.5 release- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1432010 - SSSD ships a drop-in configuration snippet in /etc/systemd/system - Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available- Resolves: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Related: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1408294 - SSSD authentication fails when two IPA accounts share an email address without a clear way to debug the problem - Resolves: rhbz#1502686 - crash - /usr/libexec/sssd/sssd_nss in nss_setnetgrent_timeout- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1484376 - [RFE] Add a configuration option to SSSD to disable the memory cache - Resolves: rhbz#1327705 - Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1505277 - Race condition between refreshing the cr_domain list and a request that is using the list can cause a segfault is sssd_nss - Resolves: rhbz#1462343 - document information on why SSSD does not use host-based security filtering when processing AD GPOs - Resolves: rhbz#1498734 - sssd_be stuck in an infinite loop after completing full refresh of sudo rules - Resolves: rhbz#1400614 - [RFE] sssd should remember DNS sites from first search - Resolves: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Resolves: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1469791 - Rebase SSSD to version 1.16+ - Resolves: rhbz#1132264 - Allow sssd to retrieve sudo rules of local users whose sudo rules stored in ldap server - Resolves: rhbz#1301740 - sssd can be marked offline if a trusted domain is not reachable - Resolves: rhbz#1399262 - Use TCP for kerberos with AD by default - Resolves: rhbz#1416150 - RFE: Log to syslog when sssd cannot contact servers, goes offline - Resolves: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Resolves: rhbz#1454559 - python-sssdconfig doesn't parse hexadecimal debug _level, resulting in set_option(): /usr/lib/python2.7/site-packages/SSSDConfig/__init__.py killed by TypeError - Resolves: rhbz#1456968 - MAN: document that attribute 'provider' is not allowed in section 'secrets' - Resolves: rhbz#1460689 - KCM/secrets: Storing many secrets in a rapid succession segfaults the secrets responder - Resolves: rhbz#1464049 - Idle nss file descriptors should be closed - Resolves: rhbz#1468610 - sssd_be is utilizing more CPU during sudo rules refresh - Resolves: rhbz#1474711 - Querying the AD domain for external domain's ID can mark the AD domain offline - Resolves: rhbz#1479398 - samba shares with sssd authentication broken on 7.4 - Resolves: rhbz#1479983 - id root triggers an LDAP lookup - Resolves: rhbz#1489895 - Issues with certificate mapping rules - Resolves: rhbz#1490501 - sssd incorrectly checks 'try_inotify' thinking it is the wrong section - Resolves: rhbz#1490913 - MAN: Document that full_name_format must be set if the output of trusted domains user resolution should be shortnames only - Resolves: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Resolves: rhbz#1482674 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server - Resolves: rhbz#1486053 - Accessing IdM kerberos ticket fails while id mapping is applied - Resolves: rhbz#1486786 - sssd going in offline mode due to sudo search filter. - Resolves: rhbz#1500087 - SSSD creates bad override search filter due to AD Trust object with parenthesis - Resolves: rhbz#1502713 - SSSD can crash due to ABI changes in libldb >= 1.2.0 (1.1.30) - Resolves: rhbz#1461462 - sssd_client: add mutex protected call to the PAC responder - Resolves: rhbz#1489666 - Combination sssd-ad and postfix recieve incorrect mail with asterisks or spaces - Resolves: rhbz#1525052 - sssd_krb5_localauth_plugin fails to fallback to otheri localname rules- Require the 7.5 libldb version which broke ABI - Related: rhbz#1469791 - Rebase SSSD to version 1.16+- Resolves: rhbz#1457926 - Wrong search base used when SSSD is directly connected to AD child domain- Resolves: rhbz#1450107 - SSSD doesn't handle conflicts between users from trusted domains with the same name when shortname user resolution is enabled- Resolves: rhbz#1459846 - krb5: properly handle 'password expired' information retured by the KDC during PKINIT/Smartcard authentication- Resolves: rhbz#1430415 - ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in- Resolves: rhbz#1455254 - Make domain available as user attribute- Resolves: rhbz#1449731 - IPA client cannot change AD Trusted User password- Resolves: rhbz#1457927 - getent failed to fetch netgroup information after changing default_domain_suffix to ADdomin in /etc/sssd/sssd.conf- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15- Resolves: rhbz#1449728 - LDAP to IPA migration doesn't work in master- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1449729 - org.freedesktop.sssd.infopipe.GetUserGroups does not resolve groups into names with AD- Resolves: rhbz#1450094 - Properly support IPA's promptusername config option- Resolves: rhbz#1457644 - Segfault in access_provider = krb5 is set in sssd.conf due to an off-by-one error when constructing the child send buffer - Resolves: rhbz#1456531 - Option name typos are not detected with validator function of sssctl config-check command in domain sections- Resolves: rhbz#1428906 - sssd intermittently failing to resolve groups for an AD user in IPA-AD trust environment.- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail - Fix Coverity issues in patches for rhbz#1445445- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1446302 - crash in sssd-kcm due to a race-condition between two concurrent requests- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail- Resolves: rhbz#1306707 - Need better debug message when krb5_child returns an unhandled error, leading to a System Error PAM code- Resolves: rhbz#1446535 - Group resolution does not work in subdomain without ad_server option- Resolves: rhbz#1449726 - sss_nss_getlistbycert() does not return results from multiple domains - Resolves: rhbz#1447098 - sssd unable to search dbus for ipa user by certificate - Additional patch for rhbz#1440132- Reapply patch by Lukas Slebodnik to fix upgrade issues with libwbclient - Resolves: rhbz#1439457 - SSSD does not start after upgrade from 7.3 to 7.4 - Resolves: rhbz#1449107 - error: %pre(sssd-common-1.15.2-26.el7.x86_64) scriptlet failed, exit status 3- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15 - Also apply an additional patch for rhbz#1441545- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1434992 - Wrong pam return code for user from subdomain with ad_access_filter- Resolves: rhbz#1430494 - expect sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy manuals to be packaged into sssd-common package- Resolves: rhbz#1427749 - SSSD in server mode iterates over all domains for group-by-GID requests, causing unnecessary searches- Resolves: rhbz#1446139 - Infopipe method ListByCertificate does not return the users with overrides- Resolves: rhbz#1441545 - With multiple subdomain sections id command output for user is not displayed for both domains- Resolves: rhbz#1428866 - Using ad_enabled_domains configuration option in sssd.conf causes nameservice lookups to fail.- Remove an unused variable from the sssd-secrets responder - Related: rhbz#1398701 - [sssd-secrets] https proxy talks plain http - Improve two DEBUG messages in the client trust code to aid troubleshooting - Fix standalone application domains - Related: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Allow completely server-side unqualified name resolution if the domain order is set, do not require any client-side changes - Related: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users- Resolves: rhbz#1402532 - D-Bus interface of sssd is giving inappropriate group information for trusted AD users- Resolves: rhbz#1431858 - Wrong principal found with ad provider and long host name- Resolves: rhbz#1415167 - pam_acct_mgmt with pam_sss.so fails in unprivileged container unless selinux_provider = none is used- Resolves: rhbz#1438388 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_pam killed by 6- Resolves: rhbz#1432112 - sssctl config-check does not give any error when default configuration file is not present- Resolves: rhbz#1438374 - [abrt] [faf] sssd: vfprintf(): /usr/libexec/sssd/sssd_be killed by 11- Resolves: rhbz#1427195 - sssd_nss consumes more memory until restarted or machine swaps- Resolves: rhbz#1414023 - Create troubleshooting tool to determine if a failure is in SSSD or not when using layered products like RH-SSO/CFME etc- Resolves: rhbz#1398701 - [sssd-secrets] https proxy talks plain http- Fix off-by-one error in the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Resolves: rhbz#1434991 - Issue processing ssh keys from certificates in ssh respoder- Resolves: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users - Also backport some buildtime fixes for the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1340711 - [RFE] Use one smartcard and certificate for authentication to distinct logon accounts- Update to upstream 1.15.2 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html - Resolves: rhbz#1418728 - IPA - sudo does not handle associated conflict entries - Resolves: rhbz#1386748 - sssd doesn't update PTR records if A/PTR zones are configured as non-secure and secure - Resolves: rhbz#1214491 - [RFE] Make it possible to configure AD subdomain in the SSSD server mode- Drop "NOUPSTREAM: Bundle http-parser" patch Related: rhbz#1393819 - New package: http-parser- Update to upstream 1.15.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html - Resolves: rhbz#1327085 - Don't prompt for password if there is already one on the stack - Resolves: rhbz#1378722 - [RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases - Resolves: rhbz#1405075 - [RFE] Add PKINIT support to SSSD Kerberos provider - Resolves: rhbz#1416526 - Need correction in sssd-krb5 man page - Resolves: rhbz#1418752 - pam_sss crashes in do_pam_conversation if no conversation function is provided by the client app - Resolves: rhbz#1419356 - Fails to accept any sudo rules if there are two user entries in an ldap role with the same sudo user - Resolves: rhbz#1421622 - SSSD - Users/Groups are cached as mixed-case resulting in users unable to sign in- Fix several packaging issues, notably the p11_child is no longer setuid and the libwbclient used a wrong version number in the symlink- Update to upstream 1.15.0 - Resolves: rhbz#1393824 - Rebase SSSD to version 1.15 - Resolves: rhbz#1407960 - wbcLookupSid() fails in pdomain is NULL - Resolves: rhbz#1406437 - sssctl netgroup-show Cannot allocate memory - Resolves: rhbz#1400422 - Use-after free in resolver in case the fd is writeable and readable at the same time - Resolves: rhbz#1393085 - bz - ldap group names don't resolve after upgrading sssd to 1.14.0 if ldap_nesting_level is set to 0 - Resolves: rhbz#1392444 - sssd_be keeps crashing - Resolves: rhbz#1392441 - sssd fails to start after upgrading to RHEL 7.3 - Resolves: rhbz#1382602 - autofs map resolution doesn't work offline - Resolves: rhbz#1380436 - sudo: ignore case on case insensitive domains - Resolves: rhbz#1378251 - Typo In SSSD-AD Man Page - Resolves: rhbz#1373427 - Clock skew makes SSSD return System Error - Resolves: rhbz#1306707 - Need better handling of "Server not found in Kerberos database" - Resolves: rhbz#1297462 - Don't include 'enable_only=sssd' in the localauth plugin config- Resolves: rhbz#1382598 - IPA: Uninitialized variable during subdomain check- Resolves: rhbz#1378911 - No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain- Resolves: rhbz#1372075 - AD provider: SSSD does not retrieve a domain-local group with the AD provider when following AGGUDLP group structure across domains- Resolves: rhbz#1376831 - sssd-common is missing dependency on sssd-sudo- Resolves: rhbz#1371631 - login using gdm calls for gdm-smartcard when smartcard authentication is not enabled- Resolves: rhbz#1373420 - sss_override fails to export- Resolves: rhbz#1375299 - sss_groupshow fails with error "No such group in local domain. Printing groups only allowed in local domain"- Resolves: rhbz#1375182 - SSSD goes offline when the LDAP server returns sizelimit exceeded- Resolves: rhbz#1372753 - Access denied for user when access_provider = krb5 is set in sssd.conf- Resolves: rhbz#1373444 - unable to create group in sssd cache - Resolves: rhbz#1373577 - unable to add local user in sssd to a group in sssd- Resolves: rhbz#1369118 - Don't enable the default shadowtils domain in RHEL- Fix permissions for the private pipe directory - Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1371977 - resolving IPA nested user groups is broken in 1.14- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1371152 - SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side- Apply forgotten patch - Resolves: rhbz#1368496 - sssd is not able to authenticate with alias - Resolves: rhbz#1366470 - sssd: throw away the timestamp cache if re-initializing the persistent cache - Fix deleting non-existent secret - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1364033 - sssd exits if clock is adjusted backwards after boot- Resolves: rhbz#1362023 - SSSD fails to start when ldap_user_extra_attrs contains mail- Resolves: rhbz#1368324 - libsss_autofs.so is packaged in two packages sssd-common and libsss_autofs- Fix RPM scriptlet plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Add socket-activation plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Own the secrets directory - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1268874 - Add an option to disable checking for trusted domains in the subdomains provider- Resolves: rhbz#1271280 - sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)- Resolves: rhbz#1290500 - [feat] command to manually list fo_add_server_to_list information- Add several small fixes related to the config API - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Resolves: rhbz#1349900 - gpo search errors out and gpo_cache file is never created- Fix regressions in the simple access provider - Resolves: rhbz#1360806 - sssd does not start if sub-domain user is used with simple access provider - Apply a number of specfile patches to better match the upstream spefile - Related: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3- Cherry-pick patches from upstream that fix several regressions - Avoid checking local users in all cases - Resolves: rhbz#1353951 - sssd_pam leaks file descriptors- Resolves: rhbz#1364118 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11 - Resolves: rhbz#1361563 - Wrong pam error code returned for password change in offline mode- Resolves: rhbz#1309745 - Support multiple principals for IPA users- Resolves: rhbz#1304992 - Handle overriden name of members in the memberUid attribute- handle unresolvable sites more gracefully - Resolves: rhbz#1346011 - sssd is looking at a server in the GC of a subdomain, not the root domain. - fix compilation warnings in unit tests- fix capaths output - Resolves: rhbz#1344940 - GSSAPI error causes failures for child domain user logins across IPA - AD trust - also fix Coverity issues in the secrets responder and suppress noisy debug messages when setting the timestamp cache- Resolves: rhbz#1356577 - sssctl: Time stamps without time zone information- Resolves: rhbz#1354414 - New or modified ID-View User overrides are not visible unless rm -f /var/lib/sss/db/*cache*- Resolves: rhbz#1211631 - [RFE] Support of UPN for IdM trusted domains- Resolves: rhbz#1350520 - [abrt] sssd-common: ipa_dyndns_update_send(): sssd_be killed by SIGSEGV- Resolves: rhbz#1349882 - sssd does not work under non-root user - Also cherry-pick a few patches from upstream to fix config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Sync a few minor patches from upstream - Fix sssctl manpage - Fix nss-tests unit test on big-endian machines - Fix several issues in the config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Bundle http-parser - Resolves: rhbz#1311056 - Add a Secrets as a Service component- Sync a few minor patches from upstream - Fix a failover issue - Resolves: rhbz#1334749 - sssd fails to mark a connection as bad on searches that time out- Explicitly BuildRequire newer ding-libs - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- New upstream release 1.14.0 - Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#835492 - [RFE] SSSD admin tool request - force reload - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check) - Resolves: rhbz#1278691 - Please fix rfc2307 autofs schema defaults - Resolves: rhbz#1287209 - default_domain_suffix Appended to User Name - Resolves: rhbz#1300663 - Improve sudo protocol to support configurations with default_domain_suffix - Resolves: rhbz#1312275 - Support authentication indicators from IPA- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#790113 - [RFE] "include" directive in sssd.conf - Resolves: rhbz#874985 - [RFE] AD provider support for automount lookups - Resolves: rhbz#879333 - [RFE] SSSD admin tool request - status overview - Resolves: rhbz#1140022 - [RFE]Allow sssd to add a new option that would specify which server to update DNS with - Resolves: rhbz#1290380 - RFE: Improve SSSD performance in large environments - Resolves: rhbz#883886 - sssd: incorrect checks on length values during packet decoding - Resolves: rhbz#988207 - sssd does not detail which line in configuration is invalid - Resolves: rhbz#1007969 - sssd_cache does not remove have an option to remove the sssd database - Resolves: rhbz#1103249 - PAC responder needs much time to process large group lists - Resolves: rhbz#1118257 - Users in ipa groups, added to netgroups are not resovable - Resolves: rhbz#1269018 - Too much logging from sssd_be - Resolves: rhbz#1293695 - sssd mixup nested group from AD trusted domains - Resolves: rhbz#1308935 - After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user - Resolves: rhbz#1315766 - SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo - Resolves: rhbz#1316164 - SSSD fails to process GPO from Active Directory - Resolves: rhbz#1322458 - sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - The rebase includes fixes for the following bugzillas: - Resolves: rhbz#789477 - [RFE] SUDO: Support the IPA schema - Resolves: rhbz#1059972 - RFE: SSSD: Automatically assign new slices for any AD domain - Resolves: rhbz#1233200 - man sssd.conf should clarify details about subdomain_inherit option. - Resolves: rhbz#1238144 - Need better libhbac debuging added to sssd - Resolves: rhbz#1265366 - sss_override segfaults when accidentally adding --help flag to some commands - Resolves: rhbz#1269512 - sss_override: memory violation - Resolves: rhbz#1278566 - crash in sssd when non-Englsh locale is used and pam_strerror prints non-ASCII characters - Resolves: rhbz#1283686 - groups get deleted from the cache - Resolves: rhbz#1290378 - Smart Cards: Certificate in the ID View - Resolves: rhbz#1292238 - extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members - Resolves: rhbz#1292456 - sssd_be AD segfaults on missing A record - Resolves: rhbz#1294670 - Local users with local sudo rules causes LDAP queries - Resolves: rhbz#1296618 - Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore - Resolves: rhbz#1299553 - Cannot retrieve users after upgrade from 1.12 to 1.13 - Resolves: rhbz#1302821 - Cannot start sssd after switching to non-root - Resolves: rhbz#1310877 - [RFE] Support Automatic Renewing of Kerberos Host Keytabs - Resolves: rhbz#1313014 - sssd is not closing sockets properly - Resolves: rhbz#1318996 - SSSD does not fail over to next GC - Resolves: rhbz#1327270 - local overrides: issues with sub-domain users and mixed case names - Resolves: rhbz#1342547 - sssd-libwbclient: wbcSidsToUnixIds should not fail on lookup errors- Build the PAC plugin with krb5-1.14 - Related: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1290853 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.- Resolves: rhbz#1336706 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups- Resolves: rhbz#1296902 - In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD.- Resolves: rhbz#1334159 - IPA provider crashes if a netgroup from a trusted domain is requested- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin - More patches from upstream related to the memory leak- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin- Resolves: rhbz#1300740 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.- Resolves: rhbz#1267836 - PAM responder crashed if user was not set- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Fix a Coverity warning in dyndns code - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1263735 - Could not resolve AD user from root domain- Remove -d from sss_override manpage - Related: rhbz#1259512 - sss_override : The local override user is not found- Patches required for better handling of failover with one-way trusts - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users- Resolves: rhbz#1259512 - sss_override : The local override user is not found- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help- Resolves: rhbz#1254518 - Fix crash in nss responder- Support import/export for local overrides - Support FQDNs for local overrides - Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes- Resolves: rhbz#1250415 - sssd: p11_child hardening- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected- Fix wildcard_limit=0 - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Fix race condition in invalidating the memory cache - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled- Bump release number - Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- Fix missing dependency of sssd-tools - Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- More memory cache related fixes - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Remove binary blob from SC patches as patch(1) can't handle those - Related: rhbz#854396 - [RFE] Support for smart cards- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*- Fix memory cache integration tests - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups - Resolves: rhbz#854396 - [RFE] Support for smart cards- Remove OTP from PAM stack correctly - Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Handle sssd-owned keytabs when sssd runs as root - Related: rhbz#1205144 - RFE: Support one-way trusts for IPA- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on individual clients- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support - Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2- Add support for InfoPipe wildcard requests - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Also package the initgr memcache - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Rebase to 1.13.0 upstream - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Don't default to SSSD user - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Related: rhbz#1205554 - Rebase SSSD to 1.13.x - GPO default should be permissve- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x - Relax the libldb requirement - Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21 - Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs - Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust - Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers - Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains - Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups - Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set - Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides - Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution - Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work - Resolves: rhbz#1214337 - Overrides with --login work in second attempt - Resolves: rhbz#1212489 - Disable the cleanup task by default - Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf - Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one - Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected - Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all - Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface - Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain - Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys - Resolves: rhbz#1204203 - sssd crashes intermittently - Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default - Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only - Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries - Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything - Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query - Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects - Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name? - Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error - Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD - Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set - Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires - Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option - Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID- Filter out domain-local groups during AD initgroups operation - Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Initialize variable in the views code in one success and one failure path - Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Handle case where there is no default and no rules - Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u- Set a pointer in ldap_child to NULL to avoid warnings - Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Run the restart in sssd-common posttrans - Explicitly require libwbclient - Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Fix endianess bug in fill_id() - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view- Resolves: rhbz#1184982 - Need to set different umask in selinux_child- Bump the release number - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Add a patch dependency - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Process ghost members only once - Fix processing of universal groups with members from different domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved- Handle GID override in MPG domains - Handle views with mixed-case domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Open socket to the PAC responder in krb5_child before dropping root - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD- Resolves: rhbz#889206 - On clock skew sssd returns system error- Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used - Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Resolves: rhbz#1171215 - Crash in function get_object_from_cache - Resolves: rhbz#1171383 - getent fails for posix group with AD users after login - Resolves: rhbz#1171382 - getent of AD universal group fails after group users login - Resolves: rhbz#1170300 - Access is not rejected for disabled domain - Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode - Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear - Related: rhbz#1113783 - sssd should run under unprivileged user- Rebuild to add several forgotten Patch entries - Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Remove Coverity warnings in krb5_child code - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Don't error out on chpass with OTPs - Related: rhbz#1109756 - Rebase SSSD to 1.12- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users - Enable running unit tests without cmocka - Related: rhbz#1113783 - sssd should run under unprivileged user- krb5_child and ldap_child do not call Kerberos calls as root - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware- Fix typo in libwbclient-devel alternatives invocation - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.- Handle migrating clients between views - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Use alternatives for libwbclient - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression- Add an option that describes where to put generated krb5 files to - Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12- Handle IPA group names returned from the extop plugin - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete- Support views for IPA users - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Update man page to clarify TGs should be disabled with a custom search base - Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Use upstreamed patches for the rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Resolves: rhbz#1162480 - dereferencing failure against openldap server- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1113783 - sssd should run under unprivileged user- Fix two regressions in the new selinux_child process - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1132365 - Remove password from the PAM stack if OTP is used- Include the ldap_child and selinux_child patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Support overriding SSH public keys with views - Support extended attributes via the extop plugin - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving - Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times- Include the responder and packaging patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Amend the sssd-ldap man page with info about lockout setup - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD - Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server - Related: rhbz#1109756 - Rebase SSSD to 1.12- Add the low-level server changes for running as unprivileged user - Package the libsss_semange library needed for SELinux label changes - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Use libsemanage for SELinux label changes - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Rebase SSSD to 1.12.2 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Sync with upstream - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebuild against ding-libs with fixed SONAME - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.1 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Require ldb 2.1.17 - Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer- Fix fully qualified IFP lookups - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.0 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Squash in upstream review comments about the PAC patch - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Backport a patch to allow krb5-utils-test to run as root - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Fix a DEBUG message, backport two related fixes - Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success- Resolves: rhbz#1078840 - Error during password change- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider- Fix idmap documentation - Bump idmap version info - Related: rhbz#1067361 - Check IPA idranges before saving them to the cache- Pull some follow up man page fixes from upstream - Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does. - Use the right domain for AD site resolution - Related: rhbz#743503 - [RFE] sssd should support DNS sites- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin- Mass rebuild 2014-01-24- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed. - Fix a typo in the man page - Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain - Fix return value when searching for AD domain flat names - Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword. - Fix two memory leaks in the PAC responder (Related: rhbz#991065)- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup- Resolves: rhbz#1049533 - Group membership lookup issue- Mass rebuild 2013-12-27- Resolves: rhbz#894068 - sss_cache doesn't support subdomains- Re-initialize subdomains after provider startup - Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- The AD provider is able to resolve group memberships for groups with Global and Universal scope - Related: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog- Resolves: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog - Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"- Resolves: rhbz#1037936 - sssd_be crashes occasionally- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains- Resolves: rhbz#1033084 - sssd_be segfaults if empty grop is resolved using ad_matching_rule- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- Skip netgroups that don't provide well-formed triplets - Related: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 - Resolves: rhbz#991065- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash - Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 - Resolves: rhbz#991065 - Rebase SSSD to 1.11.0- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 - Resolves: rhbz#991065- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 - Related: rhbz#991065- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting- Apply several important fixes from upstream 1.10 branch - Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- Remove libcmocka dependency- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doensn't carry any older krb5-libs version- Enable hardened build for RHEL7- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath insted of mcachepath macro to be consistent with upsteam spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. - Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested tar get is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstreeam spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predicatable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. - Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. - Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. - Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. (Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)/bin/shuk1.16.0-19.el71.16.0-19.el7libsss_ipa.soselinux_childsssd-ipa-1.16.0COPYINGsssd-ipa.5.gzsssd-ipa.5.gzkeytabs/usr/lib64/sssd//usr/libexec/sssd//usr/share/licenses//usr/share/licenses/sssd-ipa-1.16.0//usr/share/man/man5//usr/share/man/uk/man5//var/lib/sss/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericdrpmxz2x86_64-redhat-linux-gnuELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=46c36bcae96dcc510c6b5a2b84ee07ad17519e94, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=c0c94f12e20fa91b1cfa4d0ea65600d006ef1922, strippeddirectoryASCII texttroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, from Unix, max compression)troff or preprocessor input, UTF-8 Unicode text, with very long lines (gzip compressed data, from Unix, max compression)DDPR!RRRR#R R RRRRRRRFRRCR-RR@R/R*RR R'RRR.R RRR1RDR8RER6R9R7R5R4R%R&R)R(R$R,R=RRRRR RRR;R?RBR:RAR2RRRJR+RRCRRRRRR3R:RARBR*RR2R1RRRJ?07zXZ !#,]"k%w+p}|,p35`7I ib6)? )}'UTӪ.KZα&2mz);ABR/ms Bc26[uV,0Z&,)fې3 }Q6 5|vE#S✙#l,Sn:S?Q*tfMJ=W`UݴJtg9ħ̙zK2puٵYN`ѕ設>ncpuO#TZP+= :!V2XԘG'(#F2fHڟv`w\ַ~lNdv# dNjN#?6CUpמWp:Cf`vw`\a XZ\7U#fz0TgDjæZFKݘE DB' WFbWi]Tl~ ^)NlKSYWVCC0XE]1%!q pn_]u!["jzO7؞ -R1lJs>pH6J!1n6 ;XNl򕁸H9muڴѻ\Ag#Jch>7mW&)hÙ~0x˦.(m7BX ^E\J6fEWԦE7?i<_ѕJ|x~C32֕P1~Hj%c$.R[uyuU~D ]D+TrsޟElom@xX sNSCa\Bl]GO,}'5^Tܳ !`oIĀ$'7\t0)RXU$J5#,SrA)M@YY~l>}pN)(Hq``vezq> QHd#"=ZFb+ùX&:ЀkB< 94 g""aYӦXeʪRe"@*L|ss3[k5r9ni?//9 ,vXv%JM>*sL[6WF4Iaga!~-O Vhs_ۿ/lvCQS%{yڵ[ fISyfu9/ۓN#2Pˏ%d@4`e=JAsPzC8LZ'zmn>2Ɲ=}Qzo%z s d=p t\Q槸-톧| |Xj7ֈ0vu"\f!4>:Y?Ƹp],Ƹ& r]MTd+p< 'Cݑn7/[ݴ6!{ iH$EP*QyȺi@}c&h2CF-D/kĭN\y?%qª :>&L ?sggHng2M(&ع*ؕd~LJVVVِi p}d:L\NbL$HiYub4asa.h2lz}(j([/]ϾCC/*PjmI_5h/HM};ӴDs;?|l7YC8ivaXz#If& qиOx, [v7k*d\6;Sc¾ VE}T*O"i mGLhBZEB' Kݰ. X59vۼ jK84uWSH0::gGT'X:쾀9'u."Թi^ /揀܅S﴾:"[d L=V,JU^/tx~&fLV}׬/8ʕ, 7w=-")qەgJ_ v% el^aֈK=9%0N\0+楄!r^^lv r-"<2%Xރ?M/.3IeNV<[ny(Hb:n:ߙET,^ޗ~[ǫ^>Hw(IW# ,3OU32u{LL9b kaﯤ,rjF$Rim摂NkZaƥ^?+Y֔VkO@K&׎s@ӎ.@,/=(n ?]W?٘ķJtVI#bnn6SȃwzZYHt "q]`7(dl# du3n_qZnEz8P?@J u߇ 53Xv\ $#/ d>޴ovq572< 'a?}TFo'W#y '/ Vi- qP 8 kO(@Is0׀9JG]CR,`lkؼh]/6Ư;^b6V\1 #*TO$<4FF޸n]Sb8Þ6-PW6W *rd=hqox~͛(gPw~2H+6JsDˠOAdUT$&g=[å i9Fu} N*ǧ0~CRNlyx V q N?cy";YTSZ5ѡĈ+/ HRpz?AbE+=z\ AV19'j g)'u em@{c&1aR[2;Trkn\9[tJpUSJ[0>)6ݻ47ItZ>^{S őB6x2˯W{Rz-g cjRr*{ fbԔ>nX ;ۖ J#X}0PbF;Y؛|Fb zti ꥝q,I۷P'+6p_=ݬ\W~CjMZ >N9FĬ50TC\0[7HӰP^=}U(v:DaDgcZ%7X4YƢ`x<'!FeF94P1/!*lJ68*ՅBi?~:vJ07EQ$'j1ӛލcjT['BJ"]5;ƭ-B3C-r<|̎5G ~PL#,pkJaEJJR 'Rn铝o_˜nKUb){DM9fp# Dm`4řUW&l̳dYl*e]X TvYԲvGCO:,~Cbc2֜?Nt'87%zo%-"( i&2/rWc\* YK]HrTWsVΦ Q$~cn U8)Ĵ%A{ u}aWyV$ĒV F̿'^V"Vt|^4hmŏ̑יǷOŲq ,Ee VlW AO8A@*9o ոs*0 ʢ}dj^0;6pq^Wd─[u]%f|kc;hQ`Tjh7V#na=%H9-o L֖x ܚAP 1u(Ϟ80 >!!uz0o-m5YAnEw<%jBI %mM%a*!ȟ^Y`7zИNCdm"?1\_X^P7s`&Fy_J}t~OtFnAPɃ6œWC?n4\@ZLAD[V1ra?R"ș#7NMd'Uts8P>*T-eP/dneMiC;ܣhyd,[Rњ9#`w[/'=c&J;gJ-6&B}=2V-G-a-f\o| qQިNԄUq#p H8YlCJ[lgt"KθD\!+jyf?k b7l^vNeRb-4^6N))| Ѿ8 m׋l+F {H$/Yg_HȖhF:0lUw;lH [O`ݭ{rueZCU1\^!LI$ 0t=#`h44APsX%YgYm=1KBE;k= ӔBEbř"Yfu5hJ4DWŭ;3!дEWH7J[g l>pXJYu;m?[Ңg c9범d?)U4o3oMg{iI#tu/񞰓sJ2"EWS zTcjVzftXŭ| ByؚՑ\|1ajkQ Jf@\?#1so8qɎ5_)W!JU!1'C?Д;(ƱU Bߡa3Sq%0=6ݩM`%Qp;N$'z@P$DzMX&9P.;kD YnkͱՋEfGDJaXв^"DL- DqOuS{)9cV3Z rue>~Q5.tG*Eʄ؜Ze #mcvS |V 'AOU]2`z2'xƙUॵ3zǜTW1qK+UWh}y`'%3w{SI(TZ4fǐsn!4v]b0,NnVr/_,,s՛fJ8 7[ koX+"KC._P=*9oN^5{qXm/cˁJaS {c1" J4Xoo\ERPd'V $Kyk7tZ\9k^[z& 2kts@r=Y-{ߏlD70ь6~50m(t#To? #spŮ2a ۏe~ 5v3AM^ S\FL4T9OѻxpPo4R63Լ *SH}J}ckyCI` M1YgIe- ꅤ &fh-ZRT\Yޮz4{bOVަ #.Ѯal|F3}tv@u"Od3}ɟ,NCt}^qhBV>E:mM.iѝ-t,*)VcBSWN^K`eNg9g+ZUϘqeSru,TpU OEy!xƸ0PJWx?4Tˈ%X͢PR pWZD3d<ޑ6N= DTߧ?U/Kl⦩2u IjeU}Jz&W. ɳ8H&o_re)řRȟ}dg VT!RDťKm/FDWv4&"?|*?jFϮIEzb*ضX饘0+[4xx,c8A6WQ-9:sĤ])n$%^Z{+78UKJ'«H" O}J =տYDzPf;Ѵu# }YҚq]=nrD)pK~bŧU s0MM,,?Et!m:a[*J=TuR=v϶iۑv%c"^aL蓝 t|^Szo=vOE __PO7'QNڿ3a WCJ{8_g!`e V3=O*OCn\"h"KPaʸ*4g c !QIldR(BRrC&=RhXbh$'WΕC~Φ^9j'cxY_E7z" Mo zf*5+վN5]=?=i6yLW^4"jc 1fT_Y":sLR"i(쬁 vLAMgf+Domb0Vwz~ 뻢T xθc߭/C~^4Z@Io~Gb:j cE틬JhP9@n_ WPV7es@bdWTIbwѻ 7u,;MZ tPv^ Zb<}OH@Up!([.o&ތ}G F̒`5-)sY;nY$eWHvߧ Px=x35(&h.0EfoK\afV`qT>zMu`X$-% !cF|S4A ] efk qS^6+ٺh,/aԣ1܍Fӥ.OBY@N׻D(`OeTg~(~bL-gcΣ̇@C 曳T N%1xJWg_y(hZhE;Q-c}I*3m4(c"1rвEz$3VAȹC^Ʀ |t-ʾǀ+Ӌ;bA/qIe7CX*c"~Z<Yсwe@1h͕̗DjI2-~2qbAM  !`̄gΑjSGSnmP&OZ D2A;aܮ8 BqTܼO 洍o" `ZgvɄpūA_ITl07 N ؈Q TVgxqsśWu=#sZcCh>YTڔE|9x:Ga>W#Tr1yZ~.w yy=D%zPLIMlG'"X FAnd)\mcˮsj-p5V^gW=LoY)9iU*6Y8x| [X UF˚ VBNj;jznQTG:;fLjUyc0PGzklD0y7i~N/TORG@ilb;\Dl&IcAܯ O$&5#f@*RqEtY||ك3n`A&8_A֚6FJR"e:`xeuSHΗv#0\}Ă!vBW< >ڞtY0)?3l6+Cn/ClJ Bt0IP-^g ?lvX(sb6A){&BBKN-}- ]~aPfgDŽ\@_[ >BoteCݘVJ &ӕHB8s&.xyɾ)%MmJ[-OF/y(*|Dh]Ad0%=v0`1BxTܪ[ߣ_IlW\5A׋ \DŽS|P"fO!"/zQf%XЌp>qMg'#.؛?#1J $vDܝ1^MLw*ΌR rQFwq8X]wF,spJ˧3d<>:>` ^s]&VϢ^>oc4S|k(N Jdz9 rXɗ@^hDhfig}hK?O'!6 @%{zJv6(-x1|\3XEng=v}H}-'nWNE.< wr'p!It78"hm4և7˶%(a.@oȮ_#<1dRҧң|u-[+v/ؘk-fd_DR{f딪ǻ72ϛFMN>'e"W}7fnjjL3lhW3,NMc|BQ$k'mᶈnW+Mz\5Os[PH?e2E9mVP|6m\nxxΦ6b2x&JvoX:ۗzKwKyX;ܤŦB89BkE!Jh7̹\?uo/'4bu= Ar֛'`Ph/oLm*Q6Q%t2#c1XBYm" p+ز#+2xlc8<CnON(:Z-Pl0 HM6ޱMwfÔ&B ?>2ŗhOAJ̶ vh;b0RV^CDQI;&W 8ev/ǎJ Oܪ`4&8ޅ4^r~P g꫍L^`5_xc8eej2$?/5H5tJ$pjTvy&sAS*lv p:tIL5.5ea3_J UOAG2-W3RNx :j@Iu01[ZaCm էbt}hdoZ%S$qdh ZC5<2łxK_gaSd FkvTS*shH)6{XygW^Ր@AZ3_M@18p}U Cz-L+qsJ^^ipյẽ$9>A^cA%Ri­twpn0HKt7kQVg \]τ*tF |OA`r5ɢc s p{X^?ʣ8hgѪvON6-f';pPQ<._!^ 0n @=vi3lL qRM_&?i.D.\Gʷ>%$Qk?f0;F 4)/กѢ_F (H"sG])WQ{'QIkjH673!"r0/v~߰XVl3/;ǩ0! O:8$ydM2`e=*+80I@uęy((AI(TX4[:,::elE'E$TN;95z;ޓ"D,QβS]Sim]b ggH-*35DO҂XY 7A^%"8_-yq5Wݵ*PCJreF%' b,<7WJk.` صM9?Vh sӨ#&R=0rX~{[^46$=:*1UysORL!㰂xMtОŪɕz_VI)R6& aEx6{Pn~>x \8w hRʚa)c 0n?MB] e4ֶf.%긇DWLhȢ :#:wm^ 8\Qꩄ,'w[z Cu\uIŭ ڈ֪[d`STAnum4\j1Gpx1˵I"S *."4 )0DN6R9uwẄ^Yy:ÂOl~UTof0_e`&ޔ@`1jU2"yN74&mNonP!c6RUvQa!iQ$M@ Ǒ,0["9G"~S-"WoTYX/iԏbgh2.TI(:̅4z{A7HrRZstƪS0ZrE1L xbRRR8XϟNdUa!M%-Q1@#e`:֐ ~z(GdcUTXgG/W#t Z{&BK<@A^C%\Y*1!hqcy`">`41\[R!1}ph8/QpyX rH (w!G&B&#ܷ齊HQ)\J#Gf+$ 8'fevNabP^wd2>i$$ '$l뛛])\rf:zB@DUIP2.|"8{Q֊C߃Ə$A}ܗcXSW%n9ni"ӉfXurͬUV,C  (9M5є*~1Z4(M{X,VBm vWb)ڋBr[Fʼ5Ֆ8%Ҥ|bS^7ͺgH#ⅿTΕY+*QSPe.3/1mAZXU;G#wnmy0XnՄÒ_#"fhb-)?YMzI>sFRE.M!*$Jn ~B fNT!xx XÎ˨8w}Rchzp1aTt3+],qUɴܤw~p'JX 9,¡QW >xvi$':6[m0Ok5< DG֞\}f- B='n)X*QV\D |psݺz}XAN33 ?Dp†l62MA/fތI)jX\vAhݏ4ZU6.( C^Q XЎ^3O`#MhH!rn_ɠ9[fŏ~zpO 0P ;d i &r-S1uᢪZWZ$qVa)2#Dtf%/C_),IeLUɈ2U_VL\f v1U~i򫊣O ?W: զ ``t-J"F,z2BX">b!r4:bzC\2hQ\1Hk:hIvh H>-ʬcm,` ǴKdՇvRhefq{nʪOeQ|1z^ka"bhCKcfH b"G =0]'m7i[FctDm ;u,Qi*yMej0,Ņ+ 0陸)}ḏ ,_kgpػ2O8#<ϴ~7>)V.w 2x%fh!,wOIjm]rS{} 0 4,g 1H~," 0>1˩W;;G]PÁDw*.>bQ vWb,\-IӎCmCV"LVCt8~vc=+}Íb b*쇱91`;+,`;+!~ZcA_%ۖB%4%0bɝWK;cYBg)f31GDq:xt!u>ߴ5YaZOB޴ZNCDo3nh9y:MOz }Cn9WN5 =WYLN?G %$fqғFI%c3["E=|8}]фJr!c@d9R~I=2dr^;hyep`#֪o)cjt"6m6ax)P J{LbMqmdw]<-JnVsO =X;sݨiC qqPaaMd}r80Ʋ҈NZr9S/m]]'$ +p8D&icgjXۍdM(-WG0 R^h WqI  >)w"!)it0Cwl~|J5*O]8':ES@ײaxph88ܡ^jK1Y6ٲ(I|`[eŷ-XYa%bfAqt$\Ys gy#|ӭHޗSZ57lfY1YOז̂!MVA<+]ҢhHǒݭX}Aq" TnMtxnⱝ &[ ^hͣXK` I`Sǟ$Coy@DG MQ;|"&$w0I'F^jB3up];(V@8L+=sk*A!~ϼO5*u)[;,΀xCqvS D)r3)xnLABP"*r+ ]f2Jצ?SՄvtsJ?;++ݝ]4+HoVZpw$n#Bҫ=@}8vCĠJ.˸ۄmmB|O7&$<#tE;S2,C_ wG饡çjHO !鈇u&Taq]]M9/Y>T FwA P?AD)݋,P SzziX;W$<ޣX¢M LsT,_m+JRmp{?sy%PRkw g*G[<cΛùs>#KQ2s' =SebtkzSׂƕاqMd$Csx|,v4T~%qeHfܑM`dq61-t/]T;o;/|Nź 7^|.pC|xe/6K@HfnGG*";ޤc`aF3@c 9{Tkg46P-׬XpzΩtrJ>Vg)ZGnf.RWFS߀޵xQ)Wo "6C@Bk{1J%oKS)K(;ѫI:87b V^K-/Fi+fkFMJ]BJM.E5 w|ޔpm VYmJoq`Wi qHKFl)yv#̇6,a̔W- )gq#y1lya/20ӬR|xf?M~(C׀ͭǓed{ G*d]Unp[i¯^N Xɴc#AlaS;0R 3ģQ[kR9dd/aDjjf@il"/#nz\TSnQ(V=k| Bj( F,R͏B,~$B(>1{;lC݉n*`Xf2 =*UE!ăL礢lKϊbjc(Es5TNAIp7[Ousz}`D %:DPܝ4 zU}c"l` g1(vIlN}_h)EJ7y ~_͘'gj [4amƇAB< k᪜6 %Bplg;l8nA@ 7<ޚ4Rz%ali~Ho[dž܅YE4$E',6)j'݇vu$<ț%+d6awb35lͪDv^F0~ &CsOal!4"ZR|^.~JKBtRjp Z[}A"EEDت՝ΐchލɸ)SIZuM.O@¶XxvjdkzY~MT]ǒU/et`*-&Gh)Dho"\Z RIKgrI*k㊵@G@䈚}]6ᙿl*cݜjf*-S(rHIENz=fJP܉EX#J*+{O-N&Ⱥ7~(sq*:@]c C7mH1ɩõ=f,K̂˯)ɯ$m*3_%'D 'ao~š})jC[KƼu6K.WYs0kL<'N Oͮ(#h/<|$lP$<5 /M'@ {*f .w7F5kiUM\6w;b኉'6"3:辰ԤHT[q!w).$Ps(lRÝ=H(adHLl'ZOkՒnkdf s&lS *(3KѺO=N*ľF26я#yx NYСF1v¥xNڱBYUHa&wQ l(6GN~&69WJ:'ô/cFl=8CDת ?ۚ*A͎ Sa/_ QW2bkY &nOOIFeCOC:tO*MGQw72d)1K*͢OΧ [nʽ&1\yΤ!z8竓TDjm,֏Mؓ*Wl84 G5Ju{ "v"`TXVZJy([1ᡒ_`mݿaRDV0/W u 'u_ eC5$6@ G{ji6. *94겘`=GkƷtRY&kg @>) ޭն1:;8 nngUMiî% ;-,uz{,|C=a'7.Y׌Gߢ]+x WPRD1l-}|yj?5zJ5o cwE+i&sAOPRF8 euB!JZr ,c6Ÿk>"~Z!90ž>^:[n_ ?mMO|fm.P~ P5K,MC_W&6EI7. MŠ ;|\1'k8丮:}')ӸWDI[ד|>5 W"+*ʰ1iX#49n۫Wi(-H۳'0sE'nlBA{y נ&~;:i[KzbK{sWds++nKEO)rV:cOw`bR  Af;(@FoqC_) B#T˶@Kken< O[q;=3a!'Vr9Ƨ~%!&DmM9}۹ڼR~Ѧe'/p߻f1c&>i,3ua8퍚NO0j`!臰fFשWam z+nAF/ρw7jt5[F-v`<<}ӱy9X0 TvtԹ: DX+)Z7e΅U[mhE SE*Im@+gswZj\ 5RFy% rBd9oBgُճxĜFi5cL|QV_+~iݳVuF|͈}N|ho}"]_`lR9'IX J H9uDZ}x|pf/Wݱ/-=ڵdQ'>']0tGd[(έ &휴FVW*By%';1$)sgmxϾEȹa{%MwJQD4[«4VŒa^_*h{=3P]tm8MoWzeTP1z_ACsЖ V|a9hswJ̙G=;Qwq8D 1\2]7 TruX/Nƶ*)d_-wY:fn~?CteiPFP՗%奱"Q m a6o)M* &:iwVC2lH։Ny_n=ޝ!vs)IlYBdB`Ny5I^抝[D;4>ar#Piec>FPx,cW&|n/|}NIb0D<}G׸[FAѕ#$spuUs Jͅ;6GAl6XZVIMqsYױF=/z( a j{k7oV.&\*TFO/yg,G񍏥 Q3nҊ&v] _`!z.zr=4a%#9CǪA">ǧM^P*u3VXQG4iJIs.n ǑSnfqCrD%8e}I ݍehCwg}raRE ss V%2ej2 _>qpH+ HUE7o6 J VnF^}z2B}4^-(^ wpO&ܽ>+N FԠ ; `$^PMikF?M9 ^ːu+S1a*M:GWZXBT3/ai+_z6Zl駌rp7osϹ`{nw0|5?Wll٘Kzp9̘ZQVY*|P< . { q%o]VGEIl*8}wZQ)hCKoLm"gq<"+^9zV1;PGoՏ@lwrxSꥃz)xA[+"Bը}9K>5՛u;dܔg rn fi!Ϯ8i u\^hvRCAp/,raErdc,K\D]Wt)a#!{'DӥtÓ?ђgN2a|y c L[tQsb+.y{/؝J/erBi13; dqP/3;_]E4]ygd_bEʜ8B) |!/DYjNDT#ŹU[\g <'sE量ؿh=@Vӿ 4`6lЪjv+HDCBVJ `m*ؔs{mYhj@Fd|ѓh4 {MH1/CKf}z6uo`ܢ б,逅 ƐEGW\#ix}X"Դ%!AxQ,Y,8]ŪۈO:)/bS(v<)ro;&Xf`^}|[fL]lAگi7as~FrS2$Qe!W213= 喞ܿd!٨(+>a5˽T9VE7ib"2z"dҤdGChg}It/vmI98~BƱV:El=t8JGw0\:im3~T)"V>ϠHecIG>p͊NuTkUo"q *owVцT.*39~~sj]z}*&4YqM _иV@^$ .R..BKCbFXbԛף=Uu9% EC2f*L.@aRvud Tڿa{ŶK<%n|1vgm#hIJ#?w Qߢt݄bpqZ &A!3ث-dĔjjji EKv5m\cIeX N_s.X%3{jN^G <| E ?n޸zavZTx 0 nLu3V!;(giӽd1^@rP=?\J3$,~=19dKde o4C NGՍR987>ҫOC VxzS̬(K&~Ҧ]C! =2zyJŲ*;=(b`Qh:I* m*TCLHWAt'<jG'|/Q.D bU.@ k )xERZ҉s#a4:$X@&}3%x;h)iBk3t,]-]MA1=nXK @љM@h8F0YQNQO(,cN^$ۮ\Eq`n3jSpR|h5f.lulڭt^%JlºO-Jh;+Q?}zX|ܺFPp'Nmc8S_}70 Vc0È%髿xvDЪ*;;p|čz= EX+O%zC*˕B= p?we:[Ƴ Mbvj pp \W|'ϊj-ѻ蟂].6hJl\G\y--m/(NpOV^qmb㊺̭LOU9O7u%2N2CԮT8K|A T(:<TU51p}@^*=6$DnWFǖ2Q8HVIjGp7a^Eu}K7nE*hy\ʦcy:%_X}MG|l?kXI+IFWT4gȊNi=3Pr@o aNey’cjgG}yu[g}uT,wN|EqdzT`'@R'ؠGm5$Zv%ZUbH7C)]35HE[J̡Oz+.>}3)0rd#Ր,|_n>xTpcʶF5Je᳸ׄ!l#6QH96~4lwndZ ;(E*[. ЦfHvƯ',֛5Oİ`D!CW kqDo[=dP2fTCdX2o hN\e+'QmaY=a奈cZPqA8y L>qagn\"!חLbr~wGdWHq-O@_>反)Pt ޞ}.@'X!u.{ Dgk  13^NXf/)̚[L&mWnwSD wxyzrm)+Vc:bnyS2 8~VS)x./I%۾|-ĩO ѫ^[Ǔ;sW @V$fbj1izPݍ ]b[0`|f2koRit9bWӟ J 6񂯌Zeglы!wm܆ ZDǹa5 J/K.0ГL '3,%UKCIui.CN~ e>\Hd%zS+x$8K.p2_GmçDBL aW337hl$q 1*?^*}~yyCk/ᆖX*z,9d?Sj?Dsv ^گ>Aa%Wu0 ;Pp.ħ)Ǧ(03nRѢԩ3rd4 2]91+*m^ N*GbAe)WOܘj˭E㱉e2GU1ڎJk34 " w',+LGeܡ| 䘬#k] L䆤uéIuR2h'[pZhr /ݨ|YLW$&[4Otf.YIњLcL+77BY_}epOx}T~E'َ΄1`߾_(^*R&d(`eS5L[gb"Uؔߕn #rjxIIT۳K_ })-0};oD -._'N\ـ_kr&10lnPGQ~;ar(Mue198 :y{+j`\ 9WV%+m6 iF>,n-aZ!u>r/MaA'V kRJ.XshmK`8;~x6ͣ2/綹Fգ8),%zEmGY0z{q~bI&v~܍R^4±>aP)X'f"i5CVTI+eHS}CA 63= Q0O"%)QMer(,"^\1Ղ8r餄1J:uh<߉QI } CI(ټ5* /֥tnIPH(X`9<2z{'K$\o?rC,m:hMQ2HZ)8VtX aUo.7xN|9D  ru9tʡl)Wv:1C T9/ӸE"B \$pJBV~M ߕd`*m1i~[-_\łSᥲ& X /6R\1%vs[& xBY ʆ.7r"Q$փR$?ɦcU"s~K]o:Esj ]q']qͿCG'iz tH-Cyv?g?z@+Vke:O ΀UVєcHW6]".­E`<)OmڼV  BpdvL"ϗ3: {㆏a65kNBҍ,bĴ?[gIָkNoWl%ċ?.7]4J?X.h7S] tpxlm{G^ ~sʪo8UuT9ND&=|Dt5TEJ =s;Z|%QcX ~aD_;|BkEpyy nփJC|8A'16u`@_"OTle0qPվ҃B+xI&"t6Z]! 4,VBʳU*3|hy8+<"AݰLS0 ׮jGb`|]!)4C[GAJ}7=O*)9BDS~!k1rч.uY$ !b&棦ai>ytj80Kx;W" N_n/TT# qe?Xh[/=#D%2INКPU! $IɮC0)Eތv9Y@cDk,JWt}INyE*+OrXYZqqw>'E=& k)g fzMu8w(Ta8D Е*j;ZےA3_8#U ej1`7ֈh=*&h,۫5Ss3`A1!٬pTjh4B©;D0fT!ILP2FĥLN{Kr͌{ѳ;mWQM$ʺm*4ziMcX1-ItP!=<ei}j07)O{=]2'MSϾ<ܱ4J6sWkWL_$+bՍ -PMKYͮ5/%K&K[ p0qwHS-g#GAgQ?kmέU>DPuY,tYC5!Pɻ$gZruN'S)IcFK-HƝr5w6"U75W$@Air#^ZWtK(Z3LQ&^`\mĀPbi*0Z,eFKRe,5}ofzI,~fWӾEdA⥿mF力CiԊ:9'gQ;.=fR/z,$[6Zf!B9H _/'%AdޔcnAJ:D ^UP+=|pB^E!.2t+-?MN!2ZzMqʣEikX$Gr0lڎvZC_ #?!1r>'5`^1K5 m˿%?Tɾ.Aֻ_`/prM#חyy$쪷8ó?o5׶ wW\> chhe903A pHkaE1@rM~UHnxGk=O٨(ӪbM9ơH0cT@1r5tGӻ=_Rh yU :c/8$Yz@6̲%fosq}z[SB Raf2~d)7ɭNǗk]G{>:bp(`Di&'S#T]1+.iY_Ko4 Pg S̨j|ȤQCɀ?П` k9qd2Wx1'6杲 A~KB?I66xU{ا&zXyKpV]],HN7e遝#OQ}Iu~X18FXutѓy9Ӣ9bnX99oZ5 >,6N. 6>\j`t9ȉl~iBHU/d4 /f@:H_32<|On:&Qz/?)Y?rӛu#]QEIl ˄8 :_߸PhtE刭zS(B$Kuw=vӃ6S̖ L$@ԙdbAl)Ya͉ IZKOU6|C)΃iajpZI몄QF/yުLv#N l)KMCWa-[F甭#„ JʄDYy*(h-d+O9CȐӅ*D4j_@0r29yƶM3p8"GfMϐqMJ0a4QD0qio^ R]l'n }U&>@ E 0R#p<>"z&2qThڊv[+v>n}cj d?.7b4~_ xOR|({YbYzE=j4'55|$J]F_&&Cm"-KA8Qh!鞔lʀ59&:ia

#"6Ou6>dƤ]=˦b䯴6+oi#-ѺSUu|j!D D8U~`[og3ږ64#m8 =8BYwvn!3SUdoAz#|2**Ī47hN_Cuqk@M$PK~~D*bMM|G |Y^:V GWH\bE*bgBX@K$t')Zi!I$SR8!i=+'^#WQ-]ԋ{n^C@QvЖk.4PT~C԰ƹ~3ƅͲl+VT^"?Ww>m/n2Dܺ\ܱ$GMB&Rgv2[\+A^}9?A ri kicux!Ǧ VT~mה6fh[Q$Y>2Xa~_Wz R SJ"R-| gOk\,QO:%0TQu "n}궹)ACTaB>ʜ N<[CqBPzolg\~}doQ#(4ɍ=]l#.%AⒽf( *c3*{6 x~7]k| OH72dhr/%( BXEMJ#q1 ;%80cȫ\`'PaO)q`E?1c}Cg|WGsЫFC wrjPrLGYOԺdk^H(Jeh{s5Y~m_XbpAT*{$ Y(X`n΁.Tmcm*yһG&cnFb(pk4dDŽ-1:(Zu똠PAX!#o| y+r*L5)+2fSJoc+C140 II$ bz4̜}g>r0Sㄙ-S#"Y=`),Fx%0njz:,1| 의xa dYd@7-2;rhcquL4ԗuYV,=&U$f/af>#ipB) b[q ]o>ڥoM<QCPD67.*l u3oxi?pSXU7:b6Q%5QY.MΝy=Q- V'dթm#w~?e`oƟB_j7?vJ+t #ZT.q}°\M|xBf6T_P&;ӭ??dž5!j(M~ItZOWQqxZO=g-{|&,c ݿP־d-nݬfՏvΓL6U ,hݯ]̴Ӣ Ɠ[{U)˧2_́VK),9+vW?~h-oW/#|Hi? "z6[:9G:!fW( }ź<|>_ A7qh+%^BYcE zٓvb+X^!ф= njE, nͽQ ⎮IOϾ?HІ&ɥX*nv{ f w6].Ʊrƚ1aL M^b"S(RZwBk[jZŌxfUS^w~vIVZ|p&ɩ(4KᅴoL;n IeO:]X.1Yzz]֏Q0rd yѳ܊dSDA}HSN| o,8J*:@Ka%0V{ߟrF]@,WÊejӥ =䋤z wm*BO~#%BUaLKM34/$keĹvrg\nBj`Շ߇9[;,L.)>r8A(:yi  wz^rCC -6zzIiek.G<#VTVrVEmx-D(zr}c]4j|XY?dP L1iS`0o }Ls'*򱃼e3\ Ik&t v`:\Ezy8~?8)OThYq47VzZev?-YzŝQV=]^t7 9΅JYwR57gW 66[YpkJ Gg@TxS/.MzzNř ?`taf%7idt>T-$DHvC:9yB]],ӡ3t'x쿬fMj\۾FEA;yw>h#/LqݓLc_dmCxS}m_EB'AbZS3뺗?6҉k7.?!Q~ءRQN ϫah7ˡWlP4+1TkxGsTzf{vz&eMi\;3ԣ.!:۔2Lj^x "Q0%fi?$?_,vWW! ܱQsϓgWJb|7dI&Gya ^L(zX {|C(}(mf'xL^׷+pl&d[a8<3RBwDGLKЄ@3$?[FՁRMFcy3ty^8 %¤^Nc\ [HRZl aoL +@49 l})=lJx2ekE VyFMIᄥ݌!DO.cv&ybkf<Ƙ*;8e[Gva|]ãN+svEs=[}KֵX8eE6OX}b%LD:[Yᐺ^tǎLŗ^y6`w}!ьv/6"W;C+PaG&cN_n8hɱ\h|\o. : MV]L8NW؜1x@ $ZArV';Wagok'd K>piv'?~m5Q F4=c--P{|7EmuvBII̊?V'`$WlO%Ö7n|2}霜;i"d)7wP WP-ld+?hl_[f)=Y>Ja:DTkʦ| o kx,ݡ>Q;@͊5 M&VM+zn(Rǜ 딆ŏu lfů))I}\u^U+f;CvlbG\xwm#  pÓ@\ t3 (5GhVX=.)ǎQYPæ!vjEnMTqM&?3. C$M:Q~qjRnV'H-@–m8EKu'+N'FFJm>aM-]TPq4OmL4z*:no$< NH i5vg/U$0j Ob{Z13 DbeBe*K P>V#r?_<(ʓSXHumSMFnYX:R)cٚ.TAmԦb!.DL$WxϦ_]\r`>JmlJ3;{. }?pIei SSt\"bY2NSݯe?:cٶ_L{7FC` X?C"zZDc#L+r\""MWOZ#v[/.=D|&J2qm9|tobD=<ůU^ᜂfY=Fue dvj!G&bcz#DkE -mVOr,ંH$!`*0WAbMh10^g+8ƶ P2&^U t!aor)baT#*,DrEŮJ4X <8*eOa~;$&r.Mi(K TԸLBxU~KKU4g%wq\M\2zw\5-WٿNٹ| (;t.ewj[zb"pP w ?$Ilh_Kq.#WS|TAl1}}dwA"MCLWF}HܤG?|Ak ˩s]99;&K&IP 8DN9}UD(ɭEhzŰ3i]Xo}ný߇\ '/ҕ},CN]0W<9MG4PkY&F̔|euk:X]1e{얧*WF`!1: wt/ LKg!y]j8eng//{a{} :V >((PwV02'mN@O#^%RI ;x)ue\ -& oUF0B~BJQKCYed8R@3戁mkwNʳ:hxcN+WP' 0mh'Yݓ9bCJFVzR4fTpF*Bs{u[tDi s+Jyc=IR.$3- ?׶q`CAxU,kdH~W+p;֘,(M# _fJM=W, wG /:P tvÁh*<umt >)DFE 06i\ 7h}i 02#zG.hoCkiAA=(={x̟錛Ͳ{ կ(Ӻd={u-Tϓi͸~; I' -͓m;Elϥ莈<20I_R_PX_O>C {M xB},E']6b: aG|7L~pzit֝ r5x|Jk1d XH$hyH[vVyG/)3pKݹeI6FrqBۥU?Sܩ+"m|VvmNkJ@_lY2&+oݾd 2,1;+:5„-S'X|Z?<˽bO8+Xegs) "}H!wo f8"=77wPu&U) s-B` $E^m/@s 驲_p4gj c~I-3+m< ;NF"c[Ż~@{|GUnf^Qb{5Ԏ\e܊'7 $sN`,C -MO+&Xϵ&A3[fHa4q4 (?ֻousxB <X癊G8]AH~s`c2I>[U);GdySzt"ƪbΪ@*D>iրP _AWÞ5}ϗaRXb_+1P4pǹ$=}9,~YB>ʒ+I]<4,YUpx/ز\S5&a0ܔAF1 Zɩ͖0Rd5:,؍y9HKû3ybD99QU;*^I-JL1BT7}Vp[^(pE[ 4 7艖?EL 1/2UB"0QAƓyBz.{RF|3XIUg[9TzF/wf8)>rM#ʫz&vO:zZhyE0LcNL$SlAąs u{0Ʉ眗p&!:1zir_F`]z8)!XCm!"z2)[_fK <)c8\kPhWItmYE[EkJ h9|r-ǶO=zhTB8dP#)%esld=^}ܯyv !avY4|{խhV3!L&LR\qtĨK>Tz ˉ[>0NG<%//3|nw78̡T(pñ@]xteyCi֖);fo}#xDBLؿPI.lczL맪U` {A'o̙If=hZp`ZF#~b5j)! p{v?L0S7`emR[4}Iܐe#Q(8v P 3' j6ʝ{*]]?R  eBR${~k)-%PvsI} gQB4X?eܰşfXWI$b/ۯAL+)6.qdpbm2Ñȱ da 4հ!"Q_S7=^CmNw( YfJ|S8]/hRj`Fcf[HX`Z p)i&>Uf:؋P r6Q_o(ӑ%m5ٌMl)p0![D(T E(FD=e%GVިQxnA:M!Ƙm9p2,Tyl}EhDQNV,ٻ1d60OGah|sY[Wiw-r/dԾNyrɞDHWOg&6Ј..'1wm_G@E ltK &k?qKl+~Y, | y-Q@I%xdmלmCe2xxΈ7P2Jݢ:d:8w~cxɔ^B9Bǔy̶)7.a6y`ߡH~֎ޗ%W|^6V1X(%jdVsrmz>DBi:gSW(dD)dt1'hSHqz|39_^+ dFC#>H{;7܆ڻ(MۚTk;6 9USR\9'lF7Y[giHIpX#h{v&\vn#n/p yQeP~XnӆFL٫Yp1 &6xq}X:{LPܝuhJ Z+#ue7"V wYfM(tModQ| A$/-I~4EAX['{Ҙ`x>nDj6zzge=$btE8Ƒ_xsn3މ(h p<ĴKAg#9M" 4<.o, AF)Q]M %?by*"fkij:v1sM!0]Id)OnHnϣ 2{`{e 6HyO[HInP$96|?Il"NpǙ *F-БeŠ^`"dSijuAtu5ܒ%0@hd?w_JT.ȽO}!A#05*bƋ :^-e2 $Hv:^oB40}\t/cVh&SߚأȼzOJp3vyDUntNHgv!4#W\1&rp\p,rB]}<29f$g  `ʡ݂8pFORȮ7T] c<`PʀpRc<my<Wļ0rjGs6lWqkXn;VfC+ Pi~ S~A`]>NI[Q  brLbVK ]S7uI]X[4 1BfFO 4DhX)$QzaɇP.JrK:Ú-^#H!q\=qQ̂/$8 :*rE߃R!0fSIq[}гHWmYΆwYy h"0#(u$9tLh>4_in;VD j <Ԣ;}@^# 5z{h! ^:vHdE#|W|j!Z4łלּP"q jVS2Ɩ$+әjmWݳڮ7PB*Ísw |iHvCX4Q/}TOO.ND^HIەC^ҝNрT*;t?Z$"J]Dh- I+I6՚!"c,7ܸxz?\ml3, o:L9Le\eϡJ2vɈ`vZ@er&,U?p`E).Ïeݮ~QnAp]]n 6} RE$_X5Y0)`22ѩjuObCZG(TVh[% }>g ipy.v76tۖt+e8_Ggvts Y kPy.L:etn, JQ28=f`?vۮZ-FJ}4+WЈ=Jؽ43ӟv.xi;Fω>` S!f s~~z]V< ;~({ Yߍa6NLYb5 Q0tq5ؤM ,lA]wkcQU֗͢n 58) 5[\n.Lw{E6(H"S# 0|f V:*x2O4v[i0%{WBV#,C^e-Rk.X>T[\Zy+w7v Tk MĎP4۝$./K>Cwt|PƇyynFz#WO1FVoi-ot^{;BdTۺ6ǍbBaEHc ix$oVƘ˴0.øR1ҽ/d_qwbXy EkJg2[.z;Mz|JWP)$v\W3 )Sz AE<>7'Uw:}'- m]S;t+F;H2<}ݘ;zӖ&٧(2y/w֐iJTy+yIabV-13GQK>.Ӽ lM#n^6Ng،Z;O)>$7N|/2c ,G#<#E5Î6tge};6~X#v}榹^'ϘQ)P>{h0m0b[CB:7`I+sQudT_Ⲁmdf?h { m 8ԻP3Ӎq50T散o.k\p* (ąThkmDb άf$WԀ x =¨^0H0eGDSn<q4zƾ0 toAsL}eQW2{L"n<"U!ⓗBP)b3dARȌR9G{eC3} ;?phs)spcvM*R|@ko OJ׀d6_tܻQ~56: c~`Z3oNFթS V|"69_$K6W({f M8fPa2KrŽfkcln 6 HwwSߎc:q9Y(YS54ݍZЮ",8߃n,YĈKСaX}1ly$ф _ˎj+þ63`w@]ߐ,ҦU&Wp~#)HqՂy\9vdI |MseMҟ]0uOiƄGˣk%+onU>Ql.\}wvim!l#׼rlpR[LO^"OV Wgm0sx3kFRgIM $ۤn|<5?w~#_J!~V!bHF\=~[iJOQ6#CI&wFrMh&`u[KraR1 HrLGu dS K,O >;I uXSSt J¢Yd%0=pÔ>(E=S Su!urS!%{ori&xD[,i;6kC~6H 3UUxtu|Z~Uqab愆6n:8-dE^ɋg+{U|U7L]]v}ڕnsOv O t>Df?| GK-9f&Fib#:eũc|}_W yxN L|m~=uB*GqItOeG?Y4bIO))6p5/:I뉖{.f 3(UCJ^kv1!k1o oxă12chs4?>OQXDMmnBnZ |뺷 "A B]C@n~-늨#HMP!(/M!?U6>&ٚ0ݢDsd뺆ö Ys/}QN= _^OKmK&#Djc}}_'<\{*-=0*n3/RF`<ӊ[bxz,o<(z[)9J#=^a=KCךuv+7O?y*ouY6RÖ ,Snu!gQC2aFKe b7y$M$svbph?WFT{]c1</EFwx %ϒOwXO&{z\T- DX&޻O'l!75q W!Cf?@IM_~ oBhE/B|_J7d{-Ñԇ)szƀLbuWޘ-7k  O">GE)ɝ$5u9tRք2")eԣq/VI>Vo=N&GZԹ0#׻RSt]p*F< Zcd .;2mrژ{,흛SP\JaM kZy8*ͯ+x,lAą]͓OoʼPnRhݾ Xڈ@- o씀RN SsswBqf+ڔwH3n/JlV8j ưIXɍPNH)r` ̺fq4 ݵO֔}QRj9 cN}fBp6㭳[LYWzEbY;Of:[%l?k X l?`b 0fbb>0*AW5uۃ|$CXascbxrHVcތLFߢɻ,ӆD=_ '#ؖI5Z>T*+.0V'oY K"ׄђ'ss[%lN?屄-{w{1z4mȽħ7]1,ЊO vjWp"R.FƗ▴3d`BȐ5|þ1S,bSxa*B"<' #k}s`F*r{eݽ2Fl*(L_;2V%0]u9? Hf~YQ,j{0QCV[0C8g \ 4>rjùR.S6t@HMeF\vB'=Az7,Ũ4L\hO0}HDF 0p: ct tso2a'iP_  S Զ {\_lk3Q ˬ^Uey8Po6&>\An:x<.44940WǺnaG6h-^bfJ\ IFf,2x۠TvyWgtC&^' 8ز6Q94 :@#g %`$^fzFpd]|;xFհEwZ5 3vu-$W×eȴ_՝! {@uatB̰oѢa^fDx v5[r1k}M=Rp.!J#?-T2M竪k}KWk!K~Mizu=^pвȽyUY'-6@Up,=oXu(G,L2 7o!&Hp's 绽Hы~9 jh@u’0@eWncX ~-Cxp +N%|rL͟elmKz҄N%KFWkIGP%L3Jl|>5o$AР@gӃ**Uq gH&b }= 67CM'QҳJsP+l.MlOry#\dC=.hr6SȺ> pi lDZz!K)c]ħ]Yr}iY[Z@\Wی/~PW#!b(T!l׵=/$}VD_ hy$pBL ͫ-T닜\uSMs۷JR3'(o9b ዦ#շy[U͈ RۆW,|K0tV"^%zqD36FaSYUxíEп쯂DJr"{) ܜҗ =lxzObb@Q/ &t02HBvZ٥y\|:U@(|C=# Leʩ"}t8zÐU@6Hem5v2Tt@кՒ]*>^<3 N8C9؊h,b ߹?Hqy1;VpI>MKy}`ME.V9V"h4;Z)qG*{SƻEVMum c*iߕnj2%7wXd.1AO\P}:;G͈d]J:߃&t(G1S۳-c' I:f^*?R֙س=^s\7)m( נB3w7;hճJ PG}7v7*\ryHz˱%{GD ۯfQsģv #qH@#;Rr,rij\4^D?22cZ֚)e;$4CLEeߛV O<Ag8?)^YxI6 yyZ^f˯oꇰf4W";Ae3*FP$ɼ̂ j>]]q(+Z &79$:UlZ(Q$,(Y'ɇٟ? d/Jՙw&Qaݡԟ-' m3?u!=АbuOvFw$o|Jm9s.mFS(~m ;c:ko7* Υ`Q ވ⨚W!u}&x6v-m`7`7Tj'Hf#&BSp4r7V7ݙ3GɔyqQE;YFzffc2o{f89SbG9mV1ت%E", g%x;Hꐃ[Ю_pzY%\G%+B[c~Y);{ #'z} k"sdORv-'m:Fo$nC'yaj *S40}iw Hʣ"%K5EQS'#^Tb60w}OznWUf7A$;\-3Ve0ڮݳ(-Qx|sg\Py]_L[@\n\i- Z '֡ &uVjt|{^jv:4*gXy9Uu:i_϶BN;fE˳mSzzqZ`PYcplGXs5K KiD=8A0W˧Am*5h3MT(\}y ]6JfhUdnC 'HՓ!V1kU)@j!nnukIU_lѦs]W3l2K9 h u礠 ]GQ@ξ2/?s޶hϸƼb2ZǛ{l%k.&K 39 !ބ_%,;j(>o?Щ mRD;zg֎3dLwmk*QHNE\>HLxOFS'W͏J58ܚeҥv_R; XgR}vɗFbXo\χ#+Ժ`Иe?ˢE(2zp_¤(VvDS.itrUuFÎWٻ%ˎV8H •F j%@+:tNr=ƐtHs LO6\5cW7q椣~dw^k3]Kq%ԛ:)gsF"fgreBn!ܷ R"+.>Ct'. 1J72jҸN 8! +QX{d_elOZD /0`4 ^߻Tԥ0  ~ WQl5 4Na Eib1M[vnv 5W¬ݜ|Y%*5)M\HF1Upو:ETϵJhk8t?A_W9.̈́4p _?mJ ܸEijoխ85`8c8,BsKs`2ZZVd2M&"wDh@#wjr4>ࣃE: 7F~Ĝ@U& '77Sj'+ܖy;f󄰋\$}"-9KbSP E'Ťb~ϺHb+O(O[/S y~{"B5dպ+x1+8v훭k|nkRh~!%=~[TezQ1XbB W#g1R*L¡xe4_Uڗ|s9'mJ.Hۊjqf̶pxZSy5-g-h3Vbо"˛bVe]}uWT H6vJcw[aB !IGp{̾8̕ IH|'ͯ.)Ͻ$0*UVѺ7[H 뤙diZ11zҿ/^rX؀K@wB¬-MwʖĀI[#  ]d,= RKr)t[|`>m<)@`5CWjѶ =vxC $DG| `(d^aggtsnׇ0:FdCkJ>es 'W<Md7@9 z0cRyFX~7'e v' /ge|,ϕ(} pIh )nٷH@cdmT-.DPe_XZM;_Rm u19z1EjI.{d,]3^ Q2^tK;tlbO5}+.?r7fy: %qWGY!S),""9Um푰{[Q>Q!хMg ġӨ'%K~&g%"KHʷUO yFYrK y(աydNga { 1l;nʅڷD5{ [6J$")?kklke̍RrWS:e@EI3E8D,3.֕c}a)tfgCC\ S I&Ga3[3S[ըqOێ=G lPnZg K/r'@%̏QjPb8`;Ey.SܬTAT^U؋%$HS$bߗ`\.t8̜blL?*9!Ҫk\S` Ӟ[f4m7PKA$S,6ɽh0Z"xdCerRet!M5la}W㟇1x\ ] AwCA$c*)K+P ;|l]IU~H@!Ý?0'7P1LȢyoۇ&[n6pL_y[l W"GG}H 2*h#xƛA[1<.ˆwaGzÀgKYftW9UQ\4xnYaSJ"ƩsΰǼ/Slu/@>43fxZ쐳VĄx rPU,1T #0L=9O<[״w;$DG@EYpqRD &i=M-I% tvx#: 1/MXkšdra VH? D5Y?uu@_.5חrF<:ű$mjEM;w]mwL6Je/Ȩ+,|m>(Fh'@a ,UWPMdwϧ6> Uk,#9NneCc]3u}ڻq/ðec [W hmC+-wc`_H_C/vbCҖY03KJsf yY7]LH^-+ol:?F$ԕoU̓h>pqp}q'WkLٳEf S%QDr3KxQm#j8tN(VGLPt7pAM|4IфܱT [Y3ʘ֭+[D?4l֔U,-ШС?O$ga2e=w[K8OF݈ͳ5Kf w4V\XMNy`RMA5P^M 0+fSK/Jh<2lLG'_RlR_޲nчC4ѭ7;]l,:wW'z8hTktQ*4wqcB!t@9PGxD.bᑯ8Eu Ճkn*ALHnT/G1'TR=^W+l}+[ٖ)Y2by|PX{e:N^5S|szـ6rgnjqmq/DB`.\-? 16䥙,4C)D,M)w)l J8%;mC6ca?t[fu$dEw>{vTE(c:{I󧞀7.'w zӯ{Ofi:yxw}L0 FμTA_]rؑah%f9 f |K>,+ 梉 |U}ӯS :}+ m^_u'6GB!rq|?NP%D2T2jL1 91FM-9 g^W~P8n"c_je8R9K r%CzFǫRe= Io1upiL {5:w^,VbYjD[ItOrna;?5]d6W?k ş٦l+ӻ=жh_Cmtv-E'DLTdI+q$+gY[qv/ZutKQSk'YD_Pc t\!{F=H!O_JrN2H Df,tG) ==PR[@uXsaJmp?M~I毷 뫿0ьϕW{O 4t6-K ȼ|O :ejB2L㊍\Yړ_yHtO!Ə(kHroA^t{kvT q7Ҟ0B.t["'CCЊ {XKa.ohuޠ8Z,sA4YwUy]$n)nHm7+UINfXG%/_BR!f̡| WϠam_NA}{/4X. ;"6 RܓU"'_/ g<:Tœ zGwD%D"D>/$X`}/&PL0!KK?UV:,Ăi"Z'?!JE:$Gi!B"뫔RH+?4h:T 5a2"Eq{cK>υ ȩ1wn/eaJ]ZɪZNՖ"c._&|ۆp^6"/&h.*Dx8doM=%,C74;6!溟ǻ՝yy`0S0@HG /M)XoS_d dF$8@0BEǴ]O5d "Έ6ou{DjGʖļR+NNvsS]Q+!f@?q?ɠ0>Jd2w4BޣPe`LBQBa֭dr42l \7&|x*B֟-BV؍-fu(VE4/. |V<kO㧤(0,龼?9rHtcX#NOF+1W'I# v#>hNOGiN" /olRG ҈ 0)BeҬm-C?דm|B;T' 3*Yve jb{+J%'Lesɐ\kOJ1K _\`9k`pU`wTN:Kz Ar=5W^v YOX 9K, {7AT\a TгD69al*+4lJt^p9k<4n.d/Ny~MWŒ(p?<0+эzد/adŏ`o(G0>)o_0DIVĸQ9?#> 7thrpCЉ,z(8wOrHՄ2Ff['.Xqo׷09.}x ^9P+O I%OKɹ(*7DG{Hcxk=+KVO/ Ok%60" a[1'dK-Uv"rvf 'O=O sl#&FHQ;9\FdֲMxNҖ8p$w2:oKlpMD9jX#1w^Ӕ8بxF,ag)a>|6`d>#{ߜL)f3i,mPJ+ĞbɠIL%L*Fr{׹ L֥Ckya7^UT@-!}IŴllubv>kE![k{^`Lmɢyj^!jO/ox~x# Ѭ)Ϊ3g`^m0 þU[;^|}w?׺J{saSH\d}@jtiMQ† 7ڿaQue+ 4i>2+ݥ(WF1; d)kF w5rrg "_ x<Հ!8CKM?Cp׵v]m;qy#/iA,\U6p7?G{C $L{0Lˤ. X]ov,ѷk/Ӭt 0օ`D3D(꽞mɹ0*-+h{dy}]R-q *g/N&[puD^\XCߜp'""BcXP.n5Ed~>?XD:@p EKlʌ?|`ͥy2V]Zr74Aߕ0jdEZͻS6VjK"U7Li[X@qdیOM+{xU e'?UZxN{G M]pk蕽@ok:>D+ 4Wyvb/0ĨD9"ѻo8AӬ%gӓ}[x7 &Gp4*|Y|K'̰X8 xYvWlfOb? !y}'/ZEІ @"jaI`(% PfXĐ>7]R*vT=!˝5FN>|OO1 G.p'):yڸhAk%2a ݳpiG}dyԞq|\,'_u::WJ6C6,R~>J;&֕ 4*H g-8FH09AȷށvL[+뉆|LᗜO*>c atF!VJ xjJWjq\(m%Lva/əӝޖ 93kq4l~sXkܙEN@`mE*dgO8)ܣvl~Qϻ9$nxhPTW gN씨Ij0JV66&Ý5I/ύS ֏k>b1g*dho|RD>`٫XpiE氥k[H$Z 3f g!86LAjl[%=q8|dC5{hCc> x_ܨU+~Fǫβ. . "TKa*::4hJ/ϷvqX@hXa^߳N59FaS wUyg?k˥@;Hֺ&A)bȰNƾUl)Iᛙu Nd溑/Nw '9[kO$+"H7 IO>_0❿)釈'F8}i\ k?UFSxc%h^+2nq)DW܂O Det:^y8+VV{YrUAp"r4rnYѳu;P"8t}?Ch0_{`NuMJBdtziA`d dx:voA e;fZg!J'jĆbclst\4ۚ4rm}79ОG!dlA;P{ ?ۇ/>5$ t R`wؗ_,#|n׊\pފ~ǽO_un"[n570[e,aM'šIŸu}(A,Ўi\1{>Sb1a) l"5#Pv=%J; R.eGq(A Bk*)u-<+f!+ųy5 Zy<"6JAVY*it6y 13ݞ.hT3q |+wTa?|*6oBEN}e[0 G3pPI!Em<+p5Lv,v>Wvfee~[瞺;|ElFhOßՋnLUd4R8hAیanv{3zdPgNS`N7 w^|_Nj\aHDB i*7 %G D@f\ -ű;A-H۠]䗈h`a$œckwn'xWJ՝\O8ng,Y w-Z8dhI%/LXFpF<]# '˕Fj-l}Xq/RJz/z+b:.(FH (l@#mcAm, 0.Hz["@,ZM]yW@=Fv)j xkj/i$˭Orɬ'bYs5H-l3򊓼Hm[#W*ε6 :te = ] v_*MI.ƤF7yėDtpJP]1G l` 1E[IP|n*iyi`[ }Ϛ7=Q4nO ˩ ΆJX(i*hh56_5՟n ubۗGJQ_y)*֩_i*/ߙ' DSYDAH)t%bq"?f(?r1}r@!N1͛č[dVP,]C]kx<7_]wCܦ<6`_2>^}90bKLBܮP ɂ¦6|Q,X n/U.HA=d0$d}N &-Bٟ{jg &2'3|weTWVF")+#$<;Kg{Gq-G.XBOP;s_Ulܓ{/4^h]lA:3˵<;W{CE_C\0t"Fub V.ްJwi2@&8=u `$Z4zV9,"ZHw#SEg'M*̸Gck Bl܋J$W ^ V,4kٽOwgTB)XU\FLo}:@ lwWߎ4rwθ|9+ja6x>%wJG9/i8؞!DE Z ".  qh$gᇧ{ X;@{@rZ+Ad5wcTYN%ؘ^Rj&Y$[ R4C -V#ʣsW*SB+ FCvXE2 j*\46[L'p}=s/%yӎkv~(2iVj@H RWցP#"5k|)F|}fT}zMD C!b4LG u )\j9 g,6VY bNK63(@q廮wtK]s "&9ϺҘר;`m'a'mp6ܯ&&%{F;;P`{Ey+-8HE;GP"xM":N`8NR*F4Lq @ݠ 6+,%KUHa#5IGqG\~w  ]TBaLJ , |@vVfWN}[Qx ]e~6DmKmfQA돡ͱ)I]!i9&ㅈؽ }ڭy[xF{zcl9ή&tñI0-)jr2qtuה;׮ [@^>.?qQ}?~Jξ~4t/~@11%W`ɴ!]@3Y93gώ&KR\Vxx(ZAu8%TyC639\mnu2l(Lu/1wY4;/C~:˭tO@ڛ?va3 ۭoe`1 ):>zYj2\˰Wt!^rk#5?/ys ,?<2ߢ%Fbߕ/;jD/*Z 9S2]4>rO7 ֜o-soJ`D Ak<6{π`rJ\N-~&%{yֹٟ"`zMG\Tn:&*?Xfh"W Q"o B:u!H(Ve{dZ9ts!\I,^dUL`бz:y5+i^o~^ iz~/K~żs:W )FREIu[P/u!:S]Fic_{o&IZ;dQ":mt]49.!waQ"=b&wQt,KN%H^/~С#VkT{o>h"Ƴ?Y,2VR\@KA鉐fVihvd %F6#k-!\ɘ܉@Z|rm$gYtq(6GgENbpt3JPjuJ|,HHtu#@ԃ8y2GY{Cg"0}=btbAuԍM!؃5ܐcK:T yxXiI6=e@fK]v6(^sӲ Ty:)0}, y} &?e1A& LwCsu~ R5e[M. [̥W,xFS*^ÊwjʿEEю%̈{ D'qLw=b^{(i٭/Jd0~?~ǰK,*[狎:$ ;tU_*N3,$ZFytBk.rdJm<ü%TєT¦wOeRO{ɘLHccSmP]zy K0*#c{@+L >k)/s%`~u2r ;y^D5pTƬ.RV;Sv":_(&@mS)чT`.]g*`T}@j/pẮ;qL5PKQzf/<ԍ!cd٭vnamcxʋMMqҟH8|o)Y3g,% 6 щ# @d U[`> T(*1 R_\f@9'\|=2;j4M*u?΁GO1өPtoGU8\5rp.8sf9ysO8J`:ΔMeD6q[Y50XܘM_^/;z +5ķ )>@ yx ~M_I]ҜgԑݒDݸ8=$yLZSP6cwUlԮ<7RYC 2~vVf,M3?,(;L&X/L`n,șؕN; Eɩդ}R`We3F.ҟ\B1GpaB鶂{Mx^]$,,K% oUv r12ı/iztd. zdˆ7b^Jk5Ih]k97uNYH\&DC{NN ;F:Y19o:Ct8}eGk[ jNڱ9pt X4Vt?S7Nݾ$x3[Wu%1eU9JP*N¢3ۻk9P + 5W<^ vM9^U0|"$u^-m5k𹙊tQqlK(ɨWW^W>yhPMڝ9;9 ~Յ\[3pyx՚@)٠q[!9TxA{ѝdC唦6vah+]J۫-URk9 a2{/?u{blhkzմ[4\-Rh8<':V\q[-1~קT;Sp u8xeq1 a pTϥp~ UOxC" eNzL1w-!(pg9S6ޝrTO!Iww6X[vNd 6-k]`]ۦIxV'LRC㆔=clAARɧ)fM%W Ũ1W!Ǡ>m 0ބ`ЮتA1mJ?Tq5J[H]w{O)VqӸJiwhNUǴ5۵,C/>j &"e%a[6Ggt_*(SVjjd7c.ZaYnθ85" n'G44C_(m] W}`YQwtW n]f; MޣiKޕ>oGeKزz=!Șcɻ*S=f?8o4sѦkYc=A ,=rfkș6阫5!CP[ c6$f/O^aQȢ5c'5 ;W„ LXxMDu_vx}/g)힯mI4J?[ kτ&@i4DqhJm4.4 zl$*kCH0\Y&řб(ix!L3O| 25r( ֺh|6a tE$ sNn="(C\'4L5yK!iK١׽;SVbN88}pӖb ]ݢ4xcfϑR^C52>"~ )ԉ/Ǖ^ZLy5)R/UK5[~1wjCۗ[5i{4zkЈs_-Xqiz%M{^n)g78M+XL+4wh6=࿘`R>be.Wt)EćO2%"Qi" 揃$Dft=B: U=2s$.g8Qܼ&= ȱY9w1;Gͻlngl B)A@{}CxuUޱ?X+eFD9 0ӑ_aJH[r+@- +gzSbh?׎7`UCE7eq p 9(KϞ46׆hhb_ulD9i&[b8=EfZֳI~,CYgOFP½L1ơz]ml1Uـʚ_jAv'zU,L)KNT nzΛQ% :IZN !r(NTu ‡򦵆ZWJ[v|$t-KV{?*-zQM岒je*y[EC18R'dHd >Ptf͸K9RĭQ+-fAB`Z-]Lk*~r[Z_ag_ K`"Ńx5s*lsm_gw[(C BP`‡AZr8Y^ِQyA=:R96)y'">q .>qU}( WJ4*F\NӞR}WÓLm&a4 BnotZd9p2*fcaR=eSBn O(zEKJ12)f I Z#7 :'hUHy{/Jxh<}7`A'{ozM_ZS^:hz.)G2WATr玎'֣*:Ǯzl|I+3 Bc\ins9 ;l+>˯B'9"\+}U$݂sg$ -͞ d4PڿSve mUxWs>`VA'"<>گȃi0[ Yz L|!9ȹ[Pp/&l)%1CΘ톀K2*+qFV16OA~ =4WIA`\SG.YFȰ#CHHk!r}=NM՞5i漨W)Wf}z.HAܩ}=\gbZNbd)MXNGSh8\Bcx+?SPL=I@eE\!^]h8%&ߴcdZ/wt`^ EI\Ո*.|A:dFOag/}?k)\dX /;75jFeHaZѕ=#Fq7}Y4unD74X-Gݥu&b)Et'5T0yd7mEv1g&\m%7eh!d4=iVw!zTt$^hfkR CWow*eH 01]M"QTM3wT\J0a,>י3=:}7@ Ȝ*A`d lv6DI|4RQ},Džy %h<E>S@$BsMP5 ڙN}edGSmeH_`䍃ꨐ5/)hja8LPUR5$w-j7Z|JV X6Q-\]vYR`3p$(0u uJ(44,شVD>u3% /'8xc[c ʘ# в\W 7Hb`B#h8j y4,oSZLAd4M{VLLӜC,IiZC_Z9 Vc̗裍b&k hNd_ĨbD1`AǛm>=g^uQگWWB5Qf27%^\;~~8czW a.T%0~U%=3{R)TS@QX_{=@ߠS D瓥xS < v~nfjSS 8nlk P"Y>'}ZFx<[ꊷ@lW=#-j3 V͚BVTtS+\J@wmq* igpLɋM,1H<r+Ȭh0)j܉B@!n RG=w^^v0[H7B*K#ܞz#oHn/J8M[rW0>(~oy c6ׇZ}?^ NR,έ]i 4@:z{eVv^Mcsxϥf9/13%yvUz&E]XhzzTlQ'ЊȰi=|J ْQ8J_VNz'$hesgl2dԈ5Y~#-T\֣V!W>svJi* /g.Ά (M8vԤX>B{J3LO`~k W r`*%֟HN6q~t R)ԋO3hW@J NkPJ,hdLi⍇y'#k8MGV8APhfQ`3r,6H|{jȈny L~՟'KS E̖5AEZpSaP=NE'Ή,4hCӣh! տmfm8L1*v/C*6ձ)S#oKF\AHF3Yd舣U5 ~0c ܑ nwHPO|5l@dYl!an(!ʨYx zkgWO=9O븨pb=ܱz,=Em?ܰb=bz_rX.L?3_3O_^_݇ Xi`[ LN} LwQIxj\U^ D%7+Q ae0aUUu4C؁IU>/e=Alqf{K8GTYnD#XYvf?܈$p/T]&k+T%q0{bZCF@Gf!n,j8sMM̤8Sm ȕ#|hXg17>>×KẒĮTQ~窷'A>;t"+di#~ST5Pb.]O&=..QV?\2` Ɖ.)Ъ:tcc>z,JxYFFXOV;Sa|.r0dMdGȷYL>}( %EGp!?]|.[8Q wb$cəsRtӺĭ߱VPY1gu\ZV֚V9$ۃjj.Mkў|(Kݤ?1F{^;ݤ D CNr5'V lO&c{Q >brxWk U%aaY'J:0n[3)XM; YPN"=JK&e'yіX)!h l2/Vrkb9ɓui<րxh?r$ܑ6Sk` ICY{KE {+GSVI1ᑲP ZNpgd| :ºw,bX@?. Jn崯§G_MCs1:zHybs^ b6:MDuY]kБ\v2^AE\`>O?J$gYa32Y۰>S:8Ny&V K@и/qNq5M]ken6<3gG?NM tL6 s2%":(*2g ,rÞG?B~׼ZB@ H / bBd$/ {Ns s"򤂭[kw"s3 45*γ=7l5\ۉ:ju9 )8b/ ,R0+#(^@8\U\&6P A+ێnz\F- E;8Ln I J}l4j z rhK@7Tyl6tᢏ4jqyğ쁁`&Ř:OԅI"ӟX'sY^Dim0i> L՛|; z+@:D"pt27=L1.ok5у*PS&&4cxٰ_U@eg c- σ%$Պ߭$? $${vAmrۧ&[OS e |4,Nm2b ];ĠpI$Sg m&˽s\XsSu3L^ `-kçM_☉剜W'[)cgM 72V((*YIkdx3Q lǓ+(L]Tʈۉ6x'%OuM `#3Tg=VauM6 3,** 꺘Mq~d^5 7dޮJ_\՞L PSW3Q≫{/:QiIM2 =]o3錎&:CZU*u;IW]hKg}jʢ+rez i+}']ʼnjdū_W˥$!k @IC7=vA8X_E9r$ۓ6pP]U28w[rncsjֳ^ta-]?+Տr79%@+:ݦsj},'.$rT3~z":'B~ /9kga>J(Es|}|GoKCg rL]rU۸“pxǓnhF)vY,>EzOlvش|hR+ [5<~0Ijl1K2Se5_-l5!e!q /h鰡$}^fḒLgP0Ʊ< q ʳ+M6ugGgKT-@yp}T W{7ц^U܂Zӈ @R.8+z_aE6A$ƃm}vK. acf.yF!# \u 2 OHo;8giBv?M#s DYA' ň#mg Q=50ɠ~׉iC<3w ?+LjtP̼ p(($-WTF7!k(Ê7vRqMR0 TmgԔDG~bҭ`3w>i 5E(_{@?E9Y 5#+0ϔu d$^H \l0/w~ǘSԴ~jIWϐwĚ} oSXlebl -D?Q|.0䡬Aq,_wt@I1+0/QXR~{j3ſgIQ܁@0YыA.A̶-u:z!4bz.>$MnncQוvdGܗD~ل<4$܇nuF,PXC,HDV?1+b [Ҝ@޽BT>}3ˇō9i:Z, يPZ wy FO~jKttֿ2\9,[ #,94Au hԷMQ5^r>Yi>AΨ?10$Ȯ巘7ђvc\Aq֬7ACQ!^)[ sgpu|(kFܘ nA|nclĠ?ng#y"pXr0J@'3m}'`7!j+#!alDǮ:LK ^B4p >P˦gj}E? ~ =la&SaF{f{vRPp\Oe.IʲK0+K;㚉;/|Au^t'A'4I³mHDŶ0UvFoS@L.y \$\ZԂ<8)UOWƹL"enP O=P>28x%JsbT)&Yekv`J⾷sA w7|}h]Jt\aԜ?N9ˣ ̼k)bIv*sƨ*j2lHy`2jX0AZn^ s:~0Zl@7PdOzB"٭[.a!8jetiBJmc@Hpvj[*MNѦh)tCWm;I*KbjQ &/gM⿻EUn"U,ӯyX7`F6He1૛p`H\f:zu /Ͷpq.Kmا95 ṞV]'D%I?z =ͳpnjb8DPvS3t [;g $nUѐƭicjB=A-| 4*աj@fq| cx7t>G\CNfU5UEMSJn4j+džC )aϐ8~.x ^[`<-'D'm pM}[84|G݁z_W sOeO co{qϞ1&WۉmHWߚ|O=D'"W)WN G*KF'ʞ7Ԯ'*(2Bqcztۨ.Z_,DK:XK|o/D 1\hku2~p>W c9JޱN/>`X} 1 MVl6Dz)!HpMfA@<᳟t's +k YE_Chl/Q2}ޖR P2H,,a(;@nH\p-̯q9JF<~@%#Z X.%<JS]bE9+n]-3}y'8 Ni2BV 1?Ntմof:ԟxUיiIЯG&B| :<ABOڇlIUai?yC90H$m 6Fm/ 1qXա R'=4R6G 1TU3R+k=tQd*%^ar qO&3iHXgfs 0R: #2V,@񮪹B42:]JZ1ju$?6tesϴUv,]-;nݞ2yxˋm4uej. p17?b=װ1BVh7{,ԘNA!2Ζ~Nd[*eNS+L0[W9dTwO U y42gBJ2b3Β΀=O}C̫:%y|`3}T(_ pv;B+ƛE[Lҹ shބ>(FDpOYci8ҖF.4H"՚q' Yϖ-)m15Lݠx͊4lS2g!c9ef Hk+ktyA_i& Ay`{Am$kOR_^d1.>CK Ir$>˪mJ~8 s 3׵=' [n~ Wj_QrFx8VFa1*>>'ɑ;\ V ._S+'g"#ep b[SP+4t LQ oKxDp!OƵ%~~&b6enFR"78j]$.XjSዞmXk^( f&AٖV %n;EJotq;nWMO'VɇǓ.&n;Z0ǬxKzEÊB&E$ղZ3zilU9M WUnW>&yfteY@VUfyFv u'x(ْrfVbǩzRPGmɛ enDu8NQ ]JvNuPgຊ=T ϖ kzNEEDNKO4J3v9h+E2&qL!V.+P-$[0mAMsW6oc4e[5А@@V~݂57 + ^EֻS|G-jge2.֠_A)PD,>ZT3K14ȊnObWQ;Iby]zܬy_~ IZup6A!GFc twոq!j3 ,%Gܗxd:Nk zc=S=MΪ p< g{Hg8OUVh 39{Te&U:Ih<mg_|a#IxxKxAN&.̕o|g JAD!Y&PxqC/qluֿ~ZZԩDIL3гGz@GU$ԂxrIݹvC^*7э3b[ ,TY9+wj;ٿb~+?梅b+kzE\r! Oq/٨仜>!]@R=tHwy^I_qʝ=֌Ϯcq"+*&B-xZ Go+ѵ}asܘxֽ`3lܥ5ܒnl/ѶnژCy2 ul9($dcɳ)mJ9O:zP]sΚ5Gǚ>hO}F=v}*~syZCWBZ f*UbQ]j57(*~8'DޗxBz{8$L p/mPs14|A+?Kډ5_;qVpF[F_|3%]SY*MJgvETmr% ~j2ЖГk#p[͏lfMvL ixY)mḚ̌'Cҁ=iSB=ƍh"q uW|W[Zz QǍ&zJ$)ߨ٩A˒g %ꅗTmҸ'k9A4Bŷy2zN K U+1׎幞#c | mFZj -AHIZ)@u>BL77چʠ9fj]HÑtUMm" O)h* 9ȄP§yMbc(Dhs=C.GcqƧۿ@V̾FYnIC9;9jY+Gޝk0)CP8ش/os}pU fTwjd}Vb |Sʺu!n"jlS4S,k _ &X A"އWAV G\s-Tky?O #o#$.WYI1WN>ݙ4>3 u53Gm'QFdއ~%iьEZ~?@E?J>ִF`jh|)UvWa})=ix5/{j): zȐ4eEDYj+f,`MPlv?ᨕ_:UX-CO\j$u:\|o{8nb1 OG-a.y&۽cIS6lV8-n M e(\PEa=Ծ#t!X&2k9\դ4+b:%z# gvJU+[3u8"&}KdALVbEd1.Qk`%~*]c?&ևNqF%ױx1iTK]!Wt>1OF8 {ѡi?tKHd^TLwf}4'#($j=oP1MOZ >n|7TN<[Jȷ~-/{}Ks+D?nOU+j4^<# s|\:$ }S\7=KFLʖya& ΏV@Q^Qjȇ=z5lӖI#fm4S )aATt22ˈ_rSZ7.f #LL-FWfh놇]KC]i ɚLF"'EOA[P+{~<XrLG +0Wև*'9glF(+2S_R>m+5BΦ}A݆NM̍ MK+NN (oߗdPs-cYˆv}F-u~Ve' #>¬ZC%/ ]j<ӖZ]qp.PasqXϋw/bs#b͛ޏT+!pU ng& |(m%Sw+Bt|tYc4Sbz&/TdVA?`0[AwITqC=pַ8 dC6&HJW)ar`&F|}/<fMDXAC\Qjv E(Ἦ+L)dI:p 1@k*)=S#᎙\#8ߜ~ ŃC@.S(` PMXfrWinUz 1'Vpn֥9LXy |-?z8q?Q ? jOsqOX2@on&qĎڢozlX>{aS-sS{24Q2my#H$&֛58%@r$jMk\-teHtdUa`uT&@GM>7Π \c#v `YtHew8A*ޗms1uA]; ڔ)J@r+K}%9+.v57k6m Ȃmc}@7˩ZM0l3*{EJbṊ[` ũCMpV]i㒊kՐt+^+O&%ԧ<;S@$g-jP5L`$%8YXv2c7nz@=4 Bpmvol,GUB'3=qiUaX_a?]-AyKC[/R6nlwYXCl%ouz$xZ+fHO/]V3+ */&+)~SbU[ % |GdCŅ)RO1^ /ǭxpn6n/f%(}H?(Eee][J1u()Ǣ~@5H{v<~JWi-s ؤ@ֳO=`P x6[9nfuukoVq)Qmb @6h,.aٗ904RFiǪIct+(H%=7 )s $Vb{_T}qs"F!ʹVP7ABe@*fU1Đ13$ J^67½ 3( Hpdʪ+ aV}~`ߍ.Є ~ȃNIG9)%㬲 kL"o*o_Fr: g2n^~X%2N q_6tl{?sG~ϔ#^׌2wˌ7}SτZФ:Tbti;g.ks6uS)1O<0+8S1My0 c'/v4Qɛ&JuӖZCl8V9=EdbRD@0r *XN<\TY:\U{Gt띹[R5f QI3": Ly:%7j8tE!Y.[Őƺ5noQ8/8*%g t8/u Fˊ.SaW^EzGjW͟PC T /^7˿ 2$D̹k,1sjZS wwHѿqjMiĨ.]b6FS.SA9vX Mv 72e:F#=5tgj`3c~K5~tǮ1E`˱$:bnW~o];uy&YXY#Ϸy9_ ̡y&-F)ω@cYƔrb6#{ ˇR%B 8LkGzS\̪):Qw~}[W,7n ߖw)~(0p98`uGMx;{:J2d@a"DV25!lN_2p_C: <s%CC5&NE\Ww5eBQiS^c Kt$#7|R4K9:W h?a:9ոObsfh@nKRU|ћ{F*InO_hGmBQ% Mo$" g@/s?4̋z]Lb3]1m"g#Raa>i\^wn Aǵ?eu{:O %9Ϥa4ExȪZDEpton&K%V2 'rZ:1Y3s\dۀiѻSlK%7IFr&->/'#2 i j7rjca'А,WS&CGhhmg&bNlR0tnzB;HS?^I8eeЉ-Z ,phK[zOnЦk jM=;I;}T_j*ݴ[ Wu|A$MHı485vH7xW8ZJ[ڞb8(7zvY~09ڴq_ȫǟȔޢaxTS v#elj`_aTf$|P˫U $RVe?}$2 Śv=)!_ x4{Wagv&N.mT_6VʪﰔB5:l4Niʈ^)>ʺɎcL[?3 A̍Ul姊{vHJE(W.H 1`~rBmsڦhA݃8C o4%oCߋ'~ӿqqtG -٢o=߯rr8XƵh .cZTA>#Tb8rg pq2 )y~G H.0` ӠW'4E9(ǡ 11O cW|n߁rxLjh-sTu]9fH^[vY1.u`կG{.x=A$Fh߶ύjTw=+f>Ĥ4Su3zaKARC?NG@4:;;yoeSX,|^&,cBS)N%`rߺFM"f \8Qf8¤K?s1LK?|~wD} YPa[h+cXoAQA6Ǖ1)7&␞$JNKCýQK&!>#g4 Pj yClaU^j*خЂ9h,U"s@&٠"eJ_cPG-QKB[fڛ+=TA:.dҿT)|e)W'V}M2,VfoCAgrƳP-?iPv Z +iC-kmjdo;4 Ufj79UC +ѰQyWctʰs`w|6'vvke8Br?HY 6btHG)De >^?PVM_QGmR>ObhF3n=0Ohk_TоGSO[]5z]3QC_:2 jAt}VQxZmG4R$*^]*t#26d50[A(. DеPc#3)0Ώ.hgT :1㨞}x+6>xEPFpV&g]nDrk3)#24 D]^& ,;"&L94I,/l9.! MpT?%Z^1(pD"&Y9g62}% Yms(/5&,yd973[so[DQ8nAgVuV.;7feRO˜TxZejT?e В=|vK~:|NT;pT r(IKwՒ]38i~n,uv /Vs ?j@:Il*#<5\) aҔI՚٭dh0cD2`q~feFWjR4$5Z5;oY?$q]ӭ5f;Z"ɥTB+$peLt993:-툜TAcHW'2;&)|6cɨ8GeU㼮poDmSo{^~%ȆHYVkr*Y7J_hQ5qoQDՠAHj%BfY)V_& 7F4EgKA\- f||UI0g$Tؠw~+7 ~)w*Kv+ЕwH}'F^W˪wE?Մu5G $Gj0"2>*/S]ש}-z9r0ZB>M^k!& ekc.l\ ?3N[aPCJy|\6h4\Kh$z>ړۯr RuπU\*]q'őUINW|LRD`FvO=T.^ӴQU:ow~ af$/XWqjUY1G݋tGVuC]PU،|a"Ёq_8kڧ%v AZky@=^b(:Dٶ8?tTy9m{Aqfl2r`^gA3ze]w)21=nomO0QZՑT$$1e ={/uHQ^@cpq]IHϜ# 2^7[@A+LFU`k!tfOQ]é8}\Do/P2Oy wmŷ،hך)a 8x#sЁ5n 5X^zd$Ig6b3;tltV~]2r<ǝle0zs#-O ;8j;*|]oytnJVj S㚫CwXɿ1Ex+R ”~Tէ S RH@9>a3SMXO/NnzwYe-7u"ۗLrӉ:)>yyUG:8deS@0p` GiYN0u:!HVg|7,ϱ4wo}d W'AG'71Rtꢫ(}}cMTTz1K0V0O9L~`5AO'iԽ00)#+FJ.Gv'*5o'u*M$OP^Q, KF@[$ynbjuaujl`i85ypJfBBw)5;8%gK>n\(Do>ZmsKCťvFaiprEʹtZ"f|K>[MSUֿ#0& 9؍#y7JޕqHiz:^H:f0dN3ɰi8AᑔevƵ29,sd\2.jo3L8nֿA%EytU'>>b _"-#Yvv>B' x tAKp3{Qn.N,;hB&UTOt;svENEX_aM]J"F6P^P?cK#3 ZBؙB0+e'cjEWog;Zʎ݇Bg+%_WB#A*f|BF@Ҋq:e1$Ovf &D^WW01'˜`QnZ|=F֊ʨSDm g8 =d{tehC+V 6W;E3ot(T!bGN()YHbͯoٴsKs$(NWERF]n+I8t6'[~ XoS.g$w8rjubjDέГ۰3Vٜ?Jb ׹r"^&N_(٠LIxT}i=r!wg)f`/w;SщP=}˴ =fGXiΗckk3xP> %Lw^V%$+?cXE?E_Ik&8ڹEǢd-Qֲ.<~ 2wM6lX/zqZtuݳ|J4jL[-^$J?E,J?r#ۧL&IT[t@ODdq&V:Sm"/1_LD\q2߁Ʃ;IxgqM*2Xze 9_[PAR%nO"D)AsU<=ureut?fNlVv&<5a窠؜ڦ2EV9?Xmj ?5g]Swyh5}FJklDIv =*r.A^ mIG:?DbW^xP/,1fԑ) 'bRƁ.p)mˇJg;ߤB<ߩ~#~d9HR8@ʕft6=Ȝ)RHAȍ2ǵNjrBx?ywrvNtզe*6I+5~:ypwM'Q"L~oA:Qπ K,T-8u(>L9cmnKm@#vs(f,(Qͥv'r C@iY'"Ā| ?_BIg"/bcfqnG x.aT3ᢼ{y9*|rx*nXGg;%n$<(t gEI,y LhƺWny G`˦DB . TJ {`u!i/ -o*#PR~Eܢ)fuٲc +Qj,6)tIw+3jhrY"!H]M+[9yئc70#LА;y{ֽWD$(}UZͦ9\rzɱ2Ckؼ_ ad=ljYK|j*_J=W(>~۝y/\t1GJ՚‰l?ICLUC,0jEFce.6=NRhN=>`%/@aq)@zZ S{7kC!*=i]2ࡤE7wJ 513o qRPBjL%3oLM=,t88J! |KrQ _QAV::OåXs4 OM9[h:u(:$^6``j( $!NcgU؀u _!;^DoʭC"qjY 23xuXX#vjR7l@h~w }y"gP̃ɝ׆IUHSij7h#鴜&)1Z,C@,>Ͽ͌4u,oVZ"'>'WTEeYIߕl4+2J0!jV4bhgOt_ VE*q蛛c}-r"L B,ڕH 9U¼&u +uP°3UT.0%x?v_-$L 1NƹHh<36XK+PDh~gWiW~СfJz9ߪ|JDzk\(א9K:;Hᑧ'1FB)/,Ūysic߾ (jb fk/LA3< F &cۇg6ښS): v_aˡ5^"Nc,kD(K0t in0},y, ofOBI/}GʙuA>/GړlS󂰞6tyf،S? Kh~ۼpCHݻG # &k~rXC2lD!I[C?5Ըɼ߶.f7pq/A۷M\9? T_s8:㷛/6QVJPlj;,h2/9 ӵ mUTa#Л{aU#D#*w@YTy& A4/{Տl O$HMTRCOڦU^f(`r7@h+Pp=SQ<_;дPԶ2- 8rgL-ZI'C+6;)Y|ڥB3T$/ģ^}Yx1l{9m <&{pBbuCY+Ӣs p.Z`9|" $HA[#4w$L*F uHW$E;+ԈDeJO] OCF+:k;'-OcKluRbKtt9b}}+R6VkRnt3o{ka`eҩ@6{t*|?h"گU[kK Z3:}j-F|̨@O.v^5]D J[S>hq84ClCb)éRO׹sRɻYۂGti'ջW_sQ\; >E( `᩺ Y E29M,J =q-U^tTM 9/:хCWE|#xo"*.Ktbp8 (mȼ` N g{p(>vsϚI3U`T]O>[o)V"BHpHEq  κbٲS-br3d:rQ}n?Ua{; Lpr'㈭#." .=˂+qXBϱM !L]{O޼m,;&x98|s,Mty?Sp8(<=C, =3Q4SݬƋ;[? HfVU"4;KSzjZJgW+n*9ժd}zmYе) 7V"U;gNk嘜TʼFU_e5TcJVoX5@lz]p՝ d:(Z@ o;~7MH~qEu({([޶g:참V4[ن~ܼ;nJj?5pūp@aQE{V3LR,?Yhr$gCLiah_V7[ N"ߨ$j!$f-m} U\7{ )&M%\<3lͥ |( rU  N3޳;,Pv&Qd^(l =8јQ[$I1@6 f`{Z#'PQ0T~*K|`  *6wXeiRr 7ScWfR#.SR!r=fv}tB(0JaA1Um1{R6LgTh+ Xk2VUˬ^1ݏn|磬k`zTk껽8h|46C1fB\[o,Щok40w4|:h,H*)Ԏ `U ! "V Kt` ` bF VI[m4>FE"Ƅ|k٢@[OYVt2F忸@wxy-Q${;. _Zۗ# Y~ 9<:'EB%~$&qDZ8e9\&6Zޗ?EmmT;+گU-|h.ڳl38l1R+O`ygpUP.z(#IO| }KuCʉ&7CffdG;vF Lj@N|&qC6/gtşGԸώKDb=-OtPB l.VN9rTB؞w ~"&Wƈ]M=m;ueL頁I(ZQFG/ nݏzc N80wiw&1GO]8LOϤDnsB0LrKmať5dR`mĔt)-l \1nvn>SS9ĉǔR8~#"ssЂXR~3kl%4Z@+~L4a3E&ղmcve w[Bk"8Ԩn/v4l)WT7U:n^E; m]QtcmEJoOLojUM{Z SHAGB{dT_ׯ8tgn6QzyǷ h"NZ@d֢xӕ E۫EtI[%<.5.R'-Ci$ֻb:[}az(~.JAZgxdqz2\iըG_p9e# 3\ߞwN6PLȋ/hGyLI kH^Pȧܼy"c#2Pm=f>nV3k=[afOAtE7zS0t6{h}Cdvoyug(]*"s e 7|Tׇ,m|Hܻbt%cBuLĶ2`ٸ|@75CBY$FoK^aB [0 s} un0}nXJ,tkvӲ?Fwjv u.pdI6d%Pьawz`m(D` BvdZTd'BM6yK޵OY@-RTZAQب)3Qvk^bnyuRl&BFw9ehE3=EJƲ ǏFG/*.j{`B+8g1c{B9@A)1/]@ͥ#c,EϷX1{6gڿqsIJhw>VKSݵiA мil?ůV./?7MĚG{]s$Mmg#;a=RYÇcEèuyU{=riax)?gˬjù72г'k5͔{[]bq;pô9B]BadW`=[q߽B%˘Bx|#m0xtwPWa5w}hRݵ{ 5 +4ڂ oVLxmЗPab-,(;8#>>8r Az8_j:?57 ˆjLL"غ%?=v% 6G=E0b +*gPJLGh$d i,fIP:^3j VIc{G"<{'^5&48 +A6g"2vpb{F]6 4D/kqi'nsBzȆ7ʖ)WxoMnҞ>hܻңҬZ;W-6|M".¤dN-X{zk2:Z#0^ pFc Go4!*B+Tdv,Oub8mT+y y  C<` ;wz|W@cIgZcw@ޑO4ވs,d[m0gl`cVΛr:Qtq}U!:ZSzX.ϥQB(-'StM@\{fXy4 PIASjY|(WMm0b"#xF!JmXZº+d;K&҇VD_,G_4>UR2 01s\'9:A  kklɄ>.=R7ӂ%,ɝa@pu?<ѫJE9JC麲v]G6X~9& P$UL @\Tx8% >ݸ[N^93bHln6M:U{QZ.'vQ ~bz嗯}Ƴ9Ri{:.m<(A<Ōp5;Л w_ړ"-)1z( Kp϶s9/1^|!^DxWy*e?@@(y7Oy,jvjp GW$=nQK+%*'_9c/Ik~ZlKϼ uOn9h?)1k>֋J`t[w}H2i֦$+M fd ˜tS '-wȋUffNˬmξh$Si$Ên]orRԂ-p]2̽lD^eȳ7~C|2ӵjbk Y€wuxSlZ1Xx[Vb[`S'}IMD̰TK ,yJS{\~9ws(嫩P*0h 45r^͛#GѥS ${4h9]$ ߻Ie,%"o27?]FJ#ZM |*HQ| [Ѥ@rCml hKsd.'[mLo#)mU.@a̐NGcY>E<$ O !(3[gtWJۈc.~i#+B=$*j+3ME>Xy|lnYcH(-R%";Ҿ-z _R i4)f>gYWM&*ۏCK1-rl^vJP/q|,Kki\G]VܳI2h%>Uj#X,A]7 "~=&i[ޅcfBN'O}7qi u#].p|DLӄ`]%%=Ӕ+GO$#j$vȼeX6!/Rsd~e7j/>eE0I&qqA[,K+D(<,EX}-9Z,O-9n[*{>5!ލ#b󛁅N T[y \v^Ʉ :]vų1"GrKer/i' `K:6Aq~,' o")JQQ#g6:Գg/M%mXPi!PHYC].)qqcA{Rv>C "K^ T0 5qUo{rOzv#$NN#w٘6pJvε4D$f43-'e5З [,=r?!ctGːEI/;P*|(2H !Aݬ:2.E/ 7$8y%1@Y>87A⫿"ݖ6 mA{vA9)m_1F@Fgz,&бw6:B~JD='cjZq8_eWv mus,o36 czlǃԏuMdTۂ)=U-Kq6;g| e 5O÷O/81$YsNqXƔf~7=g[V[*xw٦"+Oy`p/4RhH%KJ@ Ti//Q67~\B.NWpx!,ԩe=n4ͭ4L֞3xsr 9< H@b5ザ>rjw\lgG=0'Y I4eLעT[BkYZs*ᛊvo"'J)8@K_ [MDz)pe9ct]9p#KTT=NoU"ڜY2Гȷge ؎7CN|j~\2`T R)1B;.5ѭ'blj#o 5joMzLnwt蠭I YZq]_@ $B&ָsP^|qBb!.အw?lKN*[ZZ5: 6o 3E' a+h;<}B$V)EWW,[$h;|Y|g/;T~ߢq1ReO:g!ߛM K7nnf^v*|(ʓ E*.C k'¾Y6Y#zoPnbImNK[*E5€אbsbVͪDtgl_z W-Ld[ʯ9LG ht U% ^N虘@eI*N. %f7zsq彗k"bϥ9J}8cЁ\Y0+:\=f c"o6Oei}dKVdb&'?ԋƗ j(Mzce?uk#W `uMQ6 ]nKg|YְsH".g.|d=AD2bѺR=sN˽uɭ;.K+d; ZJ3-%L抈ke>o^V XɄ`LP5Q V%CvOcb|8zՅ=w$1e,̪ 2)=Pݫ=]QR㧧P7[z?!6_*Es6ZR!v3zF-d)* %ߑ5nAtͥ*e 5IòcDxMVrϋehT%t8IVjVo!\`GWŹy! lAƤr]SzԌb#H= ~8c,'.:KIladu\ /A6JIrg|7f[eҦl)kVQfݒR{z;WuUJ@2ȂYy35[wOENh},< "o+6;GmjCi<Νw%> |0;:<:0be8PTObn5##8l@OA\Ԧ@7ҋɄ':?:Y4R:m)l_!qI8 KA#F({ A:m_B  vJw$IUJP{%L6} /մ/h{9!gmpfaZIFՈx&&7_~/H/ux^qtw8wz_+IRe0Ijc!_SP>#%b&n E%R&#pv Jhy#.w"_2j4N eAcW~EqF%$=?U}}#`\K(V7\m{c*f)0JL͎kV5Z# _-|$_0&ڊWEWQ] ̰od"hfk)Wq>|Kc*:0.=,ʥK6:frnWSUt P-JwFA|?ZF4r=6E h) romEjaI`0lHqjb0͗/w_r"P0GϏ|Aڹ)/*Ch&'_QCQ_ȸhɒie` _6:6ꛦDžX G-!F% P78xX[xk駶(3PYxMC,WjTb\{7p*# 1 |Ə F#BNm~% R(8]L>]I vjjpZF_s"Z aiw{7O6c&c{۠u8Ԛ Lv|%.Fi݉LvTOoUDN_D^@4Rِ``T&V})ԇ2OWhu^@cV5ƧDzJ4GIǵhWA6oDE8S]@̲Y~iY)/ u2/DuG/!gv>S' tѮQO[ɑ꬀>T?zNu߬bZ;@̽?DRLL|׶=-p{e]l Wx-|wz (Bٞuz?K:kx5ƥawjTiV@#RjCwռt?qC`RaoBȬF!9Rܧ(nkĒQ$yح!,XL-MeCAG{MzWo+( *!rnCAͰyL*(LJk+ƯX jzX$^ۖ?GECvD"Je5Oӽ8cNܪ RPI?erW9^C^¬;2[ZYD%Hy@lvyʀusK1^*/nvA|?3, ρG~bb a}"M]*Gp+k6FW;m.t".eS]^&a=Ӊ r?nDz=YjX9ɹr"E0:94W+61,5*ϙg^)EUQ3gQe*c`ekDyjV-^ xuIHfT)7N_?ڷZ2;L)PЕX#_[N~)(\冲*e͊6}i;M5Y#,c6@ڒ&#epCP ݥN2yx'3(I;]ZZUe%yIdvUIw'1h5a}g )қDXlgvkہ݁OYh7\[ԻSs{vU=}+Hj`#"} dXGFbͺY1V}#9w5M6Aƭ\TQ'%q2A9b D'v#Kn[Ihc`xrC+gF? G~ɵ|(-l9O$.y0rv!0`R눗oAJwɽ_':Cm$?]6 Ь:~|fF\B]X,r)X =E|Hh{)/a_E$S˒is0ocsYT~1m )hk_>fsQ1(x@P;l.'\گf}6-G Il3K/bBpT&M=j|s3i*_վ~6q׊Sf\u⅋x[5~Ζy*X:%ro@][9X+g7Cũ̢Z}_PvJ);gإ-qDiz@ҙS7[#_\GL  #"|z=F2v1ʹIw5Sp̽{ڲ$'6ߪhyVlJlZ=9DYr0y<^TW{Ƭp^:= RrUT9iGjaX[FV֠zMbMts(6=GJvec6Dx|ZICUkW `?ڲj^ŷvl+mtٹ଎Zo ӡH gGkѶ~|U< 82=%:ϖ3,d(D!VG\@;عY*H'\H95Q ?QyX &4j)rMH֕p$K aEyGn$nL_V$"S^_ نquŸ|Lre$7͸;'yO/y-x.urM1pU5sy'Jj !!eUw4?Ⓓ\}J,kBאZ|G^4F\twb٤AFt@WL~(\MF`]p0^>a%oŰ\PS]?^ᶃ3C㥝fՎ皝PaY ,cف|[`󑸿A(-7ٳgCKO _y>gdRNm*=Wٞj{%Oj)qc;7|yoID;$9M RNIA\>jоbwsb`YyGLJ9\(MDn?K%I8}O=%S4 y}ҝgz=UcXHdE3$S:HZʪȕ6PUnҘ_MϵƨWV'ׅ_XcxGp$O$Ӛza+ o0vli!S/tV}*wDd㐍ZEc7D!QsEzp=}Jx 4®e3<28b?цgdIBU9]D c{;m<8T$Kq)؜ӒA?ٲOr擡hָW&t[)oSN1b2G1u>mH<7 .\vsJNX t/Y5w<uU]$ `1U/6QX'=,TtN94 .ջO\vq|ԁHscBV$AQ~L1W4-fzQjB9b,v^ K?E}SpջxVBHKÒ΅DH$EeQG[=hH+}o>;}r?0)홌SI`ɐ!ݡV7ޫMb+Wll2[v5\/:>DhbmS>Ysw';oQ Ȝ'L)vyjOuFSle3$2$fWS}b1S־"-<#;ylE\xD j9Is[#cp.-FUxV6m'Mtu M v%}A03sNѾ&A?:Td "C֞l᠙v^ُg:{|c=YX}=udh–Ƨ~,E,*xi/3m𾲒p)4Cײ{rtH)P7(WSIc7 0l(Ϸ oapWs_ޗ/xEpLm{en;Xߓ Hu=9=WA~.~µr.b"WSh]{)1,zChmUSn۝unw˰>go֢Q9pCRNa CdQ` GKĮ+Ql@}\`Vq$ 8=`TFrszXcr{W٨)wADhL&jÊ~.`h'gS1k'L#F)?ᮼObEk~eF9v?2$AaDYRt_Q=j~׼pܹcNy[ζA+ (,)2(?VI \T`6Jw_7K윥iIoB_nt)~B\{Gpt/HB[nMac)o(>yZKYۚRF>$ ,B}+QF-_TG$[Oݑ3es qt E/]1&LW9#˄A;H%A_48=E-Mg6FT$"J>YTLIk{d/=yhVIo@X  ia޵ Q>H!gZ]Pgv e?$pzFVZȗ tq|["jUI;OP4~ ).E*ĥx|\o ewlz7.N~_9TSP̾?muƂZ"~)@(T[\RO֑A ŬrմgyFwHS4YA]iL+8lBomCO3DYKʢ>7u̜J~ ^+ stc+;Vp7䉏o/引*#|/YE@kۓ&ⱚ_ KB9$xjx[svWd4|lJʠ%hgSє6eo鬥!%Ũ$=tQD]CQL;IbqH (nD_|h(H irund]QdXqeQo.\;]3%^3ny6ݙw]e06Pj?j8c>$BmĢ ՠl#-/!&&B_.4o$M_#< zb1 ^O%6,,GXmq:bjK9-׿tJ:섴]Njzc{I_>rYK#K^mn?k ~E}loң}jHɭC,1n2!z)øʄ)BW*CEWY*MoM)ߦdJ+(CPq, dUۻ;^<,_~ZNUZP PlOU6#Xa?rE$Mrlfq'42!5]s:4.>{tbMyWV(""P|44[ ~>Sx|[]փ` Ե0Κ-zjI0%|8^+^*{mf s#Kgs<ةu*8]6w&e̻,Aܱ"*SߍxAh{R# $fR"+Kxe`OC湐KJds;]o t._rlOYQZEZb@!lQ@ bj#Hl{:J+s#WA!m+ m"&x;(cy]]'t3 Y|&pNN&U1G|Cn}n4Ōy+tkE8f;/8f-I7GB5#քU ,Ơ߹)D7,$ $mlPBFL7#hwk š'd*57(b'֟_G9Xc,tŏn؊t^?E'5iA)*')g;6 sg'6Q1gF]J8ک#0f'#2?{mk|IJK&`TWri2-YbwNp.j'1*xb,x?8hYֆM: Unޱ1tNk6"a}&&(sM9e~X˗x(zVQrO~hsP%,O]\?I:5Ӕ*KR/t/A6X$%Mm{"o&ͫ.i :&͙B6Ԋv%b^La{TPy. ^%+.6SO3_ zذӏqz([g/"Vy΄{}7@:}M͚w`B %LaPl$[OBv7ȊĞM$?Q`>?=3'ZфN$4E8Cf5>x. NMC!aj*xX fOҌߚkƕ41d9,,-<߿x׏WPg]/9)MVЧ' )z䢱Vi_uS3K3Zа> 5 >66oP"hÓt݈n18Qۖ:3w|߭o9a"5k%jK K5Íh]rUP0_d`u*j2h8%?n Wd$3z,DHB2C!*XeU`iy!Y&8H X0Cc1!Fo ^,jmyW ׎ vR5}%dJ 4cs_ WL2)TLe ZEm}{h*B/\3uNUĐ4vLڿT][RNz3W O ؘ%ju-Eť mɇmC<ގz]BEcV"vUϷs,L䨋HoH݌'L,+k1 hPeDHd&H\So37-hkK|P+8?<ܛ JRVE˾fM!mނ1| s0C|-0u FKp% "|L 8(ҭf4e58}˸|~u" provy2^q2Y !|E8JԚfĤ&[dhb4k&:;1tDe)ĨEĺ>N^2PۧcC]Hʚ!g/n0X=%e/Kf!eKu`Ԭ5 xZ8sDL2\*JF(w)'{ U6Uoλ>M3$лiuJ[aLد;xJ47վx>p<'TxU s mH3?Kڨp5cW5y_-@qy/{a";j~G^C7ʓh0JaaN`f[Y"Q䰨5xi E^mm`̮޲͠']RN&V15Gd<> U>'^uya`M>:) #:C38^7Qua U3in~Do}a35]RmX9|Dp@w YjdL^v-8Έ{R)0F t[a%g(Jsj@@\e[zbTGAk<$=+΍ȷ~e:fsGTOR"* d+e4 g$d15$?Όy`gYTI>"{: 4Mأ%+.oh QfV|.B^(ېǚa^Z|=ۀ!rm939a~A`f핮 HT Nftg-<:+sBVj#v+$ADCا{l^񚗉D"֧h "jTP}ҨcDC[8 9X!M 2kTj5Wiљ+T_ID|3(>p~L湲>:m{چ3`搧0쏪aN7畖?:jqZ#tt@X4-MeBJ%Re&'MZ$i ee_"?HY\)tS.R5t:]R=wgOK'%lEl|soFEbReOVŶ Amg`Vnz$XLV*!_<*hD;9l?pREAz + 7˚ʴv3(xGڊܤ_X H{^Sǡ^nzQ:+^բMP#~? ~" :Z%>Mn L iAh=GH7he`eDԁ†ƊR0@g\S}qcA] #} QRuyg OXJK3yf?a .~{"Ô3/\W1lμQQstl'Dl)C cރ@e 7zM('~0x-4ViorszBBQWC…͑iM CHiuّ׎Ũ4[$իnw4C!r=MCՍ7U7Y7]B&c Vę_ žxAq/|%2*BQ0I,rX3 qUJE?5w SK\M?:/:/'[eϫU5H*S6_˱~Qss݄YGVB0dLۺ&vi=]D|ŮRP5OĄEMC"z0iX!$Ts{d*/\oNۻls7B*W{ohĠH4bI}JrАWhh< ywƒMD#e")†C0BO1 Ƚ8my٠,RaW]Ҹ)>5ISh{7V7HhW]}=;E,&2&[Zt c>MV^Q$9ZnWC,QS|xur˾x( GGy;~l}F/5sW0:5f n8].d JEApjCR} pyIpRL c>G$ݘ5r0ygf꧓F"Z$/(` dw/h_tƤU3MSSoEWu? ZyZsp_&+W&Ga"cuf.R4GM24<[żC?kgkl]UG_,^ţ^l-1dwi唧X}p"-:M阛F_b?Q sE'Ѻ,t`KUgB_kCг7rh5W3FXD M+2*>V@ĤTMQC1Y yøv4jh6xg'16&gЁ}b+**0jȵZqWLva]%F$mxwFJSP99hVHA/MRKAM쵵l<"< zJX#8# s楷~-"֜}Rʽ9.f~`$幷މ3%J iAV:#>X[׫> [NbP>'Wzv|ԭQDkkc%Vq@YH`[) .Л W3`Uߣde9ו+4LxpZ%UH 1xu4NU_ktڄh7Sqj$vte.(f5' ixh8>i-̧ʏL2}ev53-VXqoFy"5Ǻ @B<t-~"! m)!43ALg>v/Eh#E<+BKr WgpYmE7ќW9xfs_{/36UQ{zr*LxnȲ* mU=MQq_#a~a6NʣZEX_?wӥQXKlګ.䋵NN[Jl7(-NLo3s-G*^֡14V#T\9n3bJl08Z?pRjμOgI=#o]c>uvߖڬ0h?zT ~_vendǷ84v$?J-W( > %G*Φf|5_8AH^R2@꽣qkF#s#N:w OP&'ֳAk_g|CigR2teK t?\ɏhcq@  ^=7 އx bf]%7a% YG逬vPOu`ϩCx4, ܽ␳>7n#WAM_ V1'4XC2o l.E*Lc-An]X)9 ˣѲ$0DBTMv`,!:{#ޚ-v"TO&>  7\[9cXC{=c%!ov %JU{zQ95,ow$kJ5]NL;^\imܣ&g[%=DѩDt=9'|7X *ǠkvJ1o_}6v[\+$+4eŨ|chd] `G1e3 BcɆ}cw! (^8iIEPun >>e*ru] ٻ,;Ư=r3F+)W(e#v  ;>#e57zyohwc0^m'A(BCG {|Dg +@3* %^u}誙חWqG"7f4-?z04Դf ϡ];ׅp)! U8'$| \<,B` _sP zΣU`nݐ1CωrCԦxjAʢ £O|yP2=Ne&Dn5x `pw׃pഫG\?J+E|ՈL+g\3&上,`/ R^nmk,˽g0-'}i &gDcCN/ +^gYZ.shstrtab.interp.note.ABI-plt.goݓe'i^zVMc)ެv4 J\SC՛~ M[;nR$yCQ ,2Jc⓴ֺ|%fk%酨 SJnĉXWUa^rUjS|8T*e_oߦoŴfʬ{63h M2UuWwϞ}~y'Zf4S.7y,u~*չqNu]F |U<,5k||0dr=:/և#Mi?PI+aFB\YZm$yĝCXj.j|˳oE2U^ﲌ:]WtU$|ӍY={1 Ty~4\al胘C1ǹ_<*!DYgHs4_=qjr-*ȋ|ퟵ$Wq$c| *"SI%6\y=>Xdwɥ8/gb:̦f,|m ×w(J}ƪ/lru r{}}0[pES@3RQ.t:Hۃy=On=eBHX8bay%DUC2TQ1 -I`x_0dr.od DZ!s<YnE1e<4{Q])("W2N;`mt \UiwA?4|S*Vud|!.ƯGi(#4tFat.DzRgǢי:䆍{:`"t۲X $:ޯ@,s2 H iEV?rJ K[t`sE Kf>=H&hk}Av- $Ed75 W҈HfBi'cULD+7##9ۃ @rqEl:>o䓔3QM+gjϑ`O?[Id M(nJ리O(;ZhFO*$CID'B1e8֨ UifT3jX:ܓ"_TANXvTcGW?o:cEdNg#ەciZ~Mo~dzWOQ$rR*`wr6`M2T,nj` yȃ@F 3Ӑ$i8OV3Ah!imwN겷rxxǹYE $ %: QIo5@R²N3-x5e< >]fV5R݁쒨T d?Ntcc+1^{[Њ˃~HDߧ Ύ,Dx&+<j6~%+3& |҈7;/Zޥx^!Y ؚlo,xB#:*T<Ny )_q!ThcR vo  Ϟw A1}8RF`H̸a2+ka%N3p1T|eїlKn҈o%w"Nf5$uQz]<)Ywb?-mG!頜݂PAPA+b<\U]8Due3v ĠW"lX!ygN B[~/Fr+KόYױ @zc~"2mNϗqBV%[%^#SƇ}v;>g<"{R}IZT YQuAn`[)"ɲq y,W|Eks2`¾Aӛ[A oTl=>w=]`LSdl Yw.Iam:s]u>HS ^XY7H^Vl+xN)ޡEGޟ{~mB]2t6Vnm|]UK]n`h֨'V:AfN⨱?ErP"UdzKI.d6ltww/˸y1Z|8f%]q 6eH[#wϽng>}-.K=Hl sM2v? Q=cF.^EFM?6&xqc![U>ܥyu=T,<Ew& vng]^Z7@ ?$'0a b5D 䊞 ׆fMe2D ^鏖Fg5F #lliY[멄E"ì?Tb(TcLfkYmcWgx*EaVHc֞qQy檠mpY"wτ=+s#9U/7.tg1?p跭u;'.3[[9. |2_iݗƀů;<zzkПtFDwLH)w9V%H|4u d޿\C}i Xs2;^z(X:5ݕkJ@.fvYÒvzڍD79,- ;s1|W_̏5^|1vr|>'k/;4d?FӬ .f)nKJun]s ۸6XW_ADR!g<>h6@ f&5l2'&[l73r}{.˚L4L6l?br8!EmnWv]4,X;&7ؿY\/Z])5n7*U{ֶM\ c|n !?Ε(YQ3FNӟ1):JU'P§pk甦`M]$J#qQV#=}{ J"s3 k 7sJ'&{ߍTZ2ç`W؜`[8 qXkBE{}IڸPhR}_~kwD-{_4BݵG e. 僨fl&u+S,РsK-]yР+!xAT(4Vژ`= }$`|/Q`q+3ݍAܥQA5#9ҡq| Vt_KE-~ec?xt~hU%-"ӲM "Y]);EPvHgNێ^M|l;l@~!BA3>R-:l35܀; 7z7OZn\>?2n,"i~Gl6 N\YM&蚸9]b!bKzДn9:W膇NO[:Xh Br]ـFmі9 ,E?*AsC! Pz4w09۽p`N&yXoI5W4 x'.Sor[dpe{X7r5ax\fV7K7X. :VN6; SC =bi WEaǑ,͔5"7tXbȅB0%̠a;մL"g4sRm;?|6v 7Na48X65SC$¾ j09vцVcAkR$߽qcdq)p J_zM).Y=kmVgne<6=tF.-=Mc݃G[E4cojׂ #[?*]KP*f4x\rK#ӠVm!D[ .pΠyn)Ļp'5^ —&qqgGP|6 SD34Z,#Vl\CS{a@Mc^޻&l+tk̩f 2wC :qΌˡy@JC;w]RT> .uy}.sT~;0 f87.GE7iy5L}M|,:#y!zv; 3\j}s>a͓3-(qKݤk֗;o]0I[Lbu`f gUwbHƽOXgJ%>5Xx“Zia£}hAz~dsp];QƧiLj-sN|n GEv2k*^2U` }A/>G2['eR4(>1jHOYDi']S;%Ggon#λpGxO/  ' Xv`c@D#jԞ{{! Rq8ޞtccDZߣ`)3]U߻fwω8^Qwf/7{no]Gޓп`W\snK4n; ȝil瘦 ^w7rBX{% yS$K7]7♩_:#am777ހ$O9;}'o9Aa 2{eXfzq ldS!|;܅gNTqM'X8 b{qM;!Ks./t5!7:iFyV\p^8lF3^$hLC(x{N0F /~/>g~S A>wZ[tI˟^FPp_&On O>~v\+\1LL-z,_wM>ӥẕ"2vQwNOD#ZNx1NQbgwEst'`l*hZ'^ëѧb©7Pn#-'Zҩ).c[/-^}ًoϊWfg\43obnR>y_+P$A?? az_>} ,}X M| >1@¯[8 Zxpޤ<)ȇ2c3~Dq_6 k}C|OO5^]5LtjWS8| K)Qf0;mY]Xo,]f׹೻<CG 07ZBWoPw/[Ú>:S[Aq A8qG73.IpJVq`x^ WjAA.|W݀Eۈ:|+uMtKGq$pbAP: n}6)~i3^2x{HGͿ G`#4+L'ޥTDnCaH{$ "m}!32 !PDyv{RhNG"ޔ&Q/&#[}:]H[,D-Y'܄ 9/z[ h0yWsӹwa߱0$eB[UL48wb.Z͍c'p> I&!Zਓ')*|! CU:!E2gmd$AZE)yTxZeJ BRZZϿ*凌Fˤ֍(96sVh Q*=!Ljr\R╨׃z#TB ا;Q2 v tߙz>"bK+{4]7UdEjAA<D}xEq%GP| !%M(ʶh9Œ6AQn䘺 y]$+Vas}qL+31ͮ63NTR^KJӳrWߥJ:-!nn A v߿K;rQ6vE7yީ]W[v DH۞0fn-<)>,)\QK; қ*fJg㌖yvY.YM2tiLOHI.Pi 4h xOb!Z4L2=6C = EfZ0;pObҠɆP^ g5o{k?KYE"JN),y|fa ZNn,7Ij QGAmn-/4:$ukxЬTj@ r' Wwk,G^L2fD ]e-֗zW;I \7JI0kb=VFCF/"U[տ-(eD'ťR{28I\x{e5PHؒMC;&,a ;$pߖJ)33s3^7AK֛_fgٳu Ti3#lȼSs5mK]b' 1b m$%wچ!ŕ7.)[Vͦ\@RmE,#C`Z+ˆXJOy`Ia{:`Ԯ1ӴԦ_+cȮj+ukn(PY*AiP.cJP*6"ĹPRɖ<) cr)? CǬ(o D9p͊$A"&{]%fg߬H#l$LMC7||WjI'G5H!AN-A!(6/giEr^zخ`BvASfFd,Gh"3!M 1X,4rt8F?si ]z[,@¸P}7O8- bM+Mmu\8|d%J!=@h:5l656 dDC"lor!iRi _hYGK̆i,H1,ƶAS;10eVplc0#my]o 3uZ9Kg[tillu~+Xn)t Xz]1^Cα(pZm%ˤ5챮kH˒`˶Kt|<-66sws#̕K^va#h>_xaptb1 b{@BA LqfvNfk,fB{ICmDnܬzAF`,71NzfI;#E4f>}b;<=5eGs QA@RضVc2m2ɃGaw X)`( !vlEIAUQ dnhV)?jbvzP*vVI4X iU6Q>˳W/P>)J@X즴!i}b3PՂ[Ud4 |?"O%Yk=Z tqQ6鄾$!_&)9Cg`2]BG8edC*mhrmQͭ&qQt 1)B<)g_us Yёh= d[0^6tVZ`T$Qͯ "KAmÚ:)SI4\xL֬e;vJ37$R/O%z$2[1#IӉlM4eǚx:eu7ڎ†lb=FSDD^P}7P삷'X^*.Iyx>.?$~Z mIh ; =]-~]r6 4=6Qi1o_Ϧ}wd,Gj{d2nkg p /U8g%;p38 &2XTw9dG 25v4~at0Qja'(yLtFJ ݺwͻ::uq>""b$bnîO{vk ~b;pHߒt`cc0~y蜢@Jz프}bpO`RrHyBVe9{j_&\ ZxDLd$ƈ,3L~)3\iUo2!Ed"N v `2k j~>zݙGMhYp# BnaC$^nrëvL[9㻱pPuKt3{8UًuwjlԖa|£"Xm9˙^bZ>>툸FhևD e)TytF$G"n pq-^]'v0Ծ/pSsקD ̐čO $2:@܊gB,?i01=vTYQr൴4:_i}Iwdn P"`_@g,;#ѥ4aD0l2&+$( Sptaqt5icް)"_&M~GD9`fI%"=^ ֺs|I`NdJ) Y*Mg~(WJA)`2GxZjKBI>"6?5V07D$.1S=kjy2?NQ3J4N]>0b 4 ʀK&UFn 褙Gl:wR4I#ǒ7ςz9=y`XQǜTDUxg[I(a$:tDܤn P @*hFLbs 8gۚuٞfqH03t/R HBEKjSb]ާp:ajVv<0׏vhKGoAUeVF;9DiY&Mg ;i{ a>v2XA{w HTpn ,%)Q)oN Tq3 ײ4⡢v?(my/3yg&;?~PL$&όM],Ks9މ\PN1ՠӚW2dfYqfqka|4Ö[{m-Lq nV۝y߫UVmJ[m! ;FIg8Y/_ǒ'ՙ1n&yݩ,c!Nt8e&p͏{Ə)妾LT4 mpa`C3<ZնkMZɀٲ'fQ56CcF0Ӵ%v.$$BG[ؒ¼H.pWd*0> r %@gp34?,5e)Cn="/v!fcbd4[Fu Kgq" `wA#/n0Z&A`h u#w2UǼ},g}{ڝUTʗU2m 'OZv^UZ%F aWZ/)K55.urwMIe˨찈`YA?2sNf&۪@>k3ؑxv{٦C7&nS#4mA).*UAnv5@2\|r%PtVn,hÐ=j7씺:ns(Q`ߏu-EZ-y2ܞj G/'Qblae%K3R XIVXU6ItOD+9*{0%4U0roڹs?Xd/-wX:XMb]n)e RZe%m9gZSt5qT5>ٳVsgrJf vݦWrrU}Ru4 4BeOžeR>' TH*"(ӊS '˦lZlR z|dK qA>hݍ A3a&C 8GUɖgh0^҉׳0=R['JeA& YG`wX#$"U޳lkr)WDZ|8xQBqn1% %z ɑR\yfj}$VXzZf'ռFMAVU_ui_b [מ;m.P^̶ I 9:e{mfQ~,Hp^f=i/0ؤUHAq2ZkcW<$ΤxkW8jLB/kqG'+lKhaϯk7ZaDox" /mwjMu 'ka9f!IjE'Ή->X\hݍ?_{6+0Z;.yZa/VnN1-:qq ^*Rh׭ywZZ;F\&_yq!;Tf_;* V4a -Wn`%a(~wscUnÂV\w; BuW%Ey1ZA\[>G̥CЂG1W¦4ŏTeq2Ý,m@?5컈m07ˋk k9AH,jrnsvWQ72aǗNkN1*p *߀3qhzl#Chy Dj24KgX/,d9sW;SyapMʰ * nz~q"򠀭#UdDp8dN(D $dP;p;X4LnhM EO7^JDWyac:3}5cqRyn,9n5l<,-Qlra\򔷚׵urⵒ[uqu2+̪wCz*:{@PŀԈ/|<m(&e(9I]:o_ln1=͓"'Xj](e/bmGҊrMdL7D}4s''g=cgT݋kS,mKfњޟ!o/?@J7𜞁2ma]v˾ti-Q`].ja *]ioХ]jAt˶N}7;;HVhHUw*^yUqŗΚWO{ѫr +n UۼkޠކAqFFvúD^g`Rw.ZGzd}[.u?ϚL+F̟`)!SdJ3N[@X.hQbiߙh-ɛioM5ӏZ-}`LFn-|G֜Zӵ7U%|@)}N^^m4ɋ%yii~h|!oti>]7*+Fն>Vܤ0֯K0p5Hu1P% F;EGi+r9LԮyӖ8ֈ[S(JbZ=\InsG:j.5ƤfsmH-OqiKPsEL6B 32DY Ϸ 4!- YZ