sssd-kcm-1.16.0-19.el7$>h՞HMmez鎭}>>|?ld   D *GMT0 > L h  7ZxAAA(g8p9<:r>?@ GH0ILXXY`\|]ј^btd9e>fAlCt\uxvӔwLxhyՄ9hCsssd-kcm1.16.019.el7An implementation of a Kerberos KCM serverAn implementation of a Kerberos KCM server. Use this package if you want to use the KCM: Kerberos credentials cache.Zϸ"x86-01.bsys.centos.org>CentOSGPLv3+CentOS BuildSystem Applications/Systemhttps://pagure.io/SSSD/sssd/linuxx86_64 if [ $1 -eq 1 ] ; then # Initial installation systemctl preset sssd-kcm.socket >/dev/null 2>&1 || : fi if [ $1 -eq 0 ] ; then # Package removal, not upgrade systemctl --no-reload disable sssd-kcm.socket > /dev/null 2>&1 || : systemctl stop sssd-kcm.socket > /dev/null 2>&1 || : fi systemctl daemon-reload >/dev/null 2>&1 || : if [ $1 -ge 1 ] ; then # Package upgrade, not uninstall systemctl try-restart sssd-kcm.socket >/dev/null 2>&1 || : fi systemctl daemon-reload >/dev/null 2>&1 || : if [ $1 -ge 1 ] ; then # Package upgrade, not uninstall systemctl try-restart sssd-kcm.service >/dev/null 2>&1 || : fi 큤A큤ZϸZϸZϸZϸZϸZϸZϸ57379ce106ff8d34616b86ad46e92db25ce1ecdbfaf855342b3e39d2ccd8e254d50c2b062a96fdc50ef141b24132b40a62b776e14ed89c824f51c45e7571ba109490f2fa4a3393616bf60ebf52f6c1c346b8222c1d1d685ea7d6e45b3f5f2171755a8a0d6937c0bf04a0a31c8848b4b308eb5f0f90604a71441a1db3775c247cb8be56554c20a9efdb56513ee5572019a4d2e4811915a74c8d8bcb799427c3c091b30e576e05441743fcce027767650f498cf10ccca12ce0bafe8505f0e87b6frootrootrootrootrootrootrootrootrootrootrootrootrootrootsssd-1.16.0-19.el7.src.rpmsssd-kcmsssd-kcm(x86-64) @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@   @ /bin/sh/bin/sh/bin/shlibbasicobjects.so.0()(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcollection.so.2()(64bit)libcom_err.so.2()(64bit)libcurl.so.4()(64bit)libdbus-1.so.3()(64bit)libdbus-1.so.3(LIBDBUS_1_3)(64bit)libdhash.so.1()(64bit)libdhash.so.1(DHASH_0.4.3)(64bit)libdl.so.2()(64bit)libglib-2.0.so.0()(64bit)libini_config.so.3()(64bit)libjansson.so.4()(64bit)libk5crypto.so.3()(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)liblber-2.4.so.2()(64bit)libldap-2.4.so.2()(64bit)libldb.so.1()(64bit)libldb.so.1(LDB_0.9.10)(64bit)libnspr4.so()(64bit)libnss3.so()(64bit)libnssutil3.so()(64bit)libpcre.so.1()(64bit)libplc4.so()(64bit)libplds4.so()(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libref_array.so.1()(64bit)librt.so.1()(64bit)libselinux.so.1()(64bit)libsmime3.so()(64bit)libssl3.so()(64bit)libsss_cert.so()(64bit)libsss_certmap.so.0()(64bit)libsss_child.so()(64bit)libsss_crypt.so()(64bit)libsss_debug.so()(64bit)libsss_util.so()(64bit)libsystemd.so.0()(64bit)libsystemd.so.0(LIBSYSTEMD_209)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)libuuid.so.1()(64bit)libuuid.so.1(UUID_1.0)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rtld(GNU_HASH)sssd-commonrpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-11.16.0-19.el75.2-14.11.3Z_@Z_@Z@ZyZhu@Z3@Z2gZ.s@Z*~Z'Z!D@ZZ@Z Z @Z7ZNYZ@Y@YYJ_YJ_YC@YBvYBvY9<@Y9<@Y5GY5GY5GY5GY0Y0Y(Y(Y%uY%uY$$@Y$$@Y"Y;@YR@YR@Y Y @Y @YtYtYtYtYtYXXh@XXX@X@X@XsX@X@X@XۡXۡXXӸX,XCX@XX*X lX lX lW$WW;W;W;W֘W֘W@W^@WiWiWiW/@W/@W/@W/@WWWWQWQWQW@W@W@WhW@W@Wt@WE@WE@W@W@W@W@WW~W-@W-@W-@WW@WWu WgWDB@WDB@WDB@WBW;W;W@VbV͛@VTQ@VCV @V @V @V V@VBVBVBVBVBUUUU@UXU@U@U@UUUUUUUUL@UL@UU@U@U@UnU@U(U@U@UUmUmU@UJ@UU7@U7@U7@U @U@U@TE@TE@TE@Tи@Tr@Tr@Tr@Tr@T}T}T}T}T}T7T7TTC@TTZ@TZ@TT@Tp@Tp@T@T{T*@T*@TTT~@T~@TuTuTto@Tto@Tto@Tto@Tto@Tto@TmTmTmTmTl@Tl@Tl@Tl@TcKTa@T\@TZ@TZ@TR(@TG@TG@TG@TG@TG@TD@T6xTTT SS@S|@Sr @Sr @Sr @Sr @S;S;S2@S2@S,)S!S L@SSS@S@S@S@S@S @S @S @S @S @S @S @S @SSSRb@Rb@Rb@R@R@R@R@RURURUR߲RRRx@Rx@Rx@RΏ@RΏ@RΏ@R=R=RkRRRR@R@R@R@R@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@RpREs@REs@R7Q@Q@Q@Q@Q@QQLQکQQQo@Q)@Q@QQ@Q@QbQyQV@Q'@QQQnQZ@Q0@QQQ@Q@QQ @QQh@PP@P@P@Pz@Pz@PqnPl(PaPaPS@PH@PDPM>M2@MMzMx@Mj - 1.16.0-19Fabiano Fidêncio - 1.16.0-18Fabiano Fidêncio - 1.16.0-17Fabiano Fidêncio - 1.16.0-16Fabiano Fidêncio - 1.16.0-15Fabiano Fidêncio - 1.16.0-14Fabiano Fidêncio - 1.16.0-13Fabiano Fidêncio - 1.16.0-12Fabiano Fidêncio - 1.16.0-11Fabiano Fidêncio - 1.16.0-10Fabiano Fidêncio - 1.16.0-9Fabiano Fidêncio - 1.16.0-8Fabiano Fidêncio - 1.16.0-7Fabiano Fidêncio - 1.16.0-6Fabiano Fidêncio - 1.16.0-5Fabiano Fidêncio - 1.16.0-4Fabiano Fidêncio - 1.16.0-3Fabiano Fidêncio - 1.16.0-2Fabiano Fidêncio - 1.16.0-1Jakub Hrozek - 1.15.2-51Jakub Hrozek - 1.15.2-50Jakub Hrozek - 1.15.2-49Jakub Hrozek - 1.15.2-48Jakub Hrozek - 1.15.2-47Jakub Hrozek - 1.15.2-46Jakub Hrozek - 1.15.2-45Jakub Hrozek - 1.15.2-44Jakub Hrozek - 1.15.2-43Jakub Hrozek - 1.15.2-42Jakub Hrozek - 1.15.2-41Jakub Hrozek - 1.15.2-40Jakub Hrozek - 1.15.2-39Jakub Hrozek - 1.15.2-38Jakub Hrozek - 1.15.2-37Jakub Hrozek - 1.15.2-36Jakub Hrozek - 1.15.2-35Jakub Hrozek - 1.15.2-34Jakub Hrozek - 1.15.2-33Jakub Hrozek - 1.15.2-32Jakub Hrozek - 1.15.2-31Sumit Bose - 1.15.2-30Jakub Hrozek - 1.15.2-29Jakub Hrozek - 1.15.2-28Jakub Hrozek - 1.15.2-25Jakub Hrozek - 1.15.2-24Lukas Slebodnik - 1.15.2-23Jakub Hrozek - 1.15.2-22Jakub Hrozek - 1.15.2-21Jakub Hrozek - 1.15.2-20Jakub Hrozek - 1.15.2-19Jakub Hrozek - 1.15.2-18Jakub Hrozek - 1.15.2-17Jakub Hrozek - 1.15.2-16Jakub Hrozek - 1.15.2-15Jakub Hrozek - 1.15.2-14Jakub Hrozek - 1.15.2-13Jakub Hrozek - 1.15.2-12Jakub Hrozek - 1.15.2-11Jakub Hrozek - 1.15.2-10Jakub Hrozek - 1.15.2-9Jakub Hrozek - 1.15.2-8Jakub Hrozek - 1.15.2-7Jakub Hrozek - 1.15.2-6Jakub Hrozek - 1.15.2-5Jakub Hrozek - 1.15.2-4Jakub Hrozek - 1.15.2-3Jakub Hrozek - 1.15.2-2Jakub Hrozek - 1.15.2-1Fabiano Fidêncio - 1.15.1-2Jakub Hrozek - 1.15.1-1Jakub Hrozek - 1.15.0-2Jakub Hrozek - 1.15.0-1Jakub Hrozek - 1.14.0-46Jakub Hrozek - 1.14.0-45Jakub Hrozek - 1.14.0-44Jakub Hrozek - 1.14.0-43Jakub Hrozek - 1.14.0-42Jakub Hrozek - 1.14.0-41Jakub Hrozek - 1.14.0-40Jakub Hrozek - 1.14.0-39Jakub Hrozek - 1.14.0-38Jakub Hrozek - 1.14.0-37Jakub Hrozek - 1.14.0-36Jakub Hrozek - 1.14.0-35Jakub Hrozek - 1.14.0-34Jakub Hrozek - 1.14.0-33Jakub Hrozek - 1.14.0-32Jakub Hrozek - 1.14.0-31Jakub Hrozek - 1.14.0-30Jakub Hrozek - 1.14.0-29Jakub Hrozek - 1.14.0-28Jakub Hrozek - 1.14.0-27Jakub Hrozek - 1.14.0-26Jakub Hrozek - 1.14.0-25Jakub Hrozek - 1.14.0-24Jakub Hrozek - 1.14.0-23Jakub Hrozek - 1.14.0-22Jakub Hrozek - 1.14.0-21Jakub Hrozek - 1.14.0-20Jakub Hrozek - 1.14.0-19Jakub Hrozek - 1.14.0-18Jakub Hrozek - 1.14.0-17Jakub Hrozek - 1.14.0-16Jakub Hrozek - 1.14.0-15Jakub Hrozek - 1.14.0-14Jakub Hrozek - 1.14.0-13Jakub Hrozek - 1.14.0-12Jakub Hrozek - 1.14.0-11Jakub Hrozek - 1.14.0-10Jakub Hrozek - 1.14.0-9Jakub Hrozek - 1.14.0-8Jakub Hrozek - 1.14.0-7Jakub Hrozek - 1.14.0-6Jakub Hrozek - 1.14.0-5Jakub Hrozek - 1.14.0-4Jakub Hrozek - 1.14.0-3Jakub Hrozek - 1.14.0-2Jakub Hrozek - 1.14.0-1Jakub Hrozek - 1.14.0beta1-2Jakub Hrozek - 1.14.0alpha-1Jakub Hrozek - 1.13.0-50Jakub Hrozek - 1.13.0-49Jakub Hrozek - 1.13.0-48Jakub Hrozek - 1.13.0-47Jakub Hrozek - 1.13.0-46Jakub Hrozek - 1.13.0-45Jakub Hrozek - 1.13.0-44Jakub Hrozek - 1.13.0-43Jakub Hrozek - 1.13.0-42Jakub Hrozek - 1.13.0-41Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 1.12.2-58.3Jakub Hrozek - 1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 1.11.2-52Jakub Hrozek - 1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Related: rhbzrhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1543348 - sssd_be consumes more memory on RHEL 7.4 systems. - Resolves: rhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1523282 - sssd used wrong search base with wrong AD server- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set - Related: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7]- Resolves: rhbz#1517971 - AD Domain goes offline immediately during subdomain initialization - IPA AD Trust - Related: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1527149 - AD provider - AD BUILTIN groups are cached with gidNumber = 0 - Related: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1525644 - dbus-send unable to find user by CAC cert- Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card- Resolves: rhbz#1512027 - NSS by-id requests are not checked against max_id/min_id ranges before triggering the backend- Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card - Resolves: rhbz#1520984 - getent output is not showing home directory for IPA AD trusted user - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1421194 - SSSD doesn't use AD global catalog for gidnumber lookup, resulting in unacceptable delay for large forests- Resolves: rhbz#1482231 - sssd_nss consumes more memory until restarted or machine swaps - Resolves: rhbz#1512508 - SSSD fails to fetch group information after switching IPA client to a non-default view- Resolves: rhbz#1490120 - SSSD complaining about corrupted mmap cache and logging error in /var/log/messages and /var/log/sssd/sssd_nss.log- Resolves: rhbz#1272214 - [RFE] Create a local per system report about who can access that IDM client (attestation) - Resolves: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Resolves: rhbz#888739 - Enumerating large number of users makes sssd_be hog the cpu for a long time. - Resolves: rhbz#1373547 - SSSD performance issue with malloc and brk calls - Resolves: rhbz#1472255 - Improve SSSD performance in the 7.5 release- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1432010 - SSSD ships a drop-in configuration snippet in /etc/systemd/system - Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available- Resolves: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Related: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1408294 - SSSD authentication fails when two IPA accounts share an email address without a clear way to debug the problem - Resolves: rhbz#1502686 - crash - /usr/libexec/sssd/sssd_nss in nss_setnetgrent_timeout- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1484376 - [RFE] Add a configuration option to SSSD to disable the memory cache - Resolves: rhbz#1327705 - Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1505277 - Race condition between refreshing the cr_domain list and a request that is using the list can cause a segfault is sssd_nss - Resolves: rhbz#1462343 - document information on why SSSD does not use host-based security filtering when processing AD GPOs - Resolves: rhbz#1498734 - sssd_be stuck in an infinite loop after completing full refresh of sudo rules - Resolves: rhbz#1400614 - [RFE] sssd should remember DNS sites from first search - Resolves: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Resolves: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1469791 - Rebase SSSD to version 1.16+ - Resolves: rhbz#1132264 - Allow sssd to retrieve sudo rules of local users whose sudo rules stored in ldap server - Resolves: rhbz#1301740 - sssd can be marked offline if a trusted domain is not reachable - Resolves: rhbz#1399262 - Use TCP for kerberos with AD by default - Resolves: rhbz#1416150 - RFE: Log to syslog when sssd cannot contact servers, goes offline - Resolves: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Resolves: rhbz#1454559 - python-sssdconfig doesn't parse hexadecimal debug _level, resulting in set_option(): /usr/lib/python2.7/site-packages/SSSDConfig/__init__.py killed by TypeError - Resolves: rhbz#1456968 - MAN: document that attribute 'provider' is not allowed in section 'secrets' - Resolves: rhbz#1460689 - KCM/secrets: Storing many secrets in a rapid succession segfaults the secrets responder - Resolves: rhbz#1464049 - Idle nss file descriptors should be closed - Resolves: rhbz#1468610 - sssd_be is utilizing more CPU during sudo rules refresh - Resolves: rhbz#1474711 - Querying the AD domain for external domain's ID can mark the AD domain offline - Resolves: rhbz#1479398 - samba shares with sssd authentication broken on 7.4 - Resolves: rhbz#1479983 - id root triggers an LDAP lookup - Resolves: rhbz#1489895 - Issues with certificate mapping rules - Resolves: rhbz#1490501 - sssd incorrectly checks 'try_inotify' thinking it is the wrong section - Resolves: rhbz#1490913 - MAN: Document that full_name_format must be set if the output of trusted domains user resolution should be shortnames only - Resolves: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Resolves: rhbz#1482674 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server - Resolves: rhbz#1486053 - Accessing IdM kerberos ticket fails while id mapping is applied - Resolves: rhbz#1486786 - sssd going in offline mode due to sudo search filter. - Resolves: rhbz#1500087 - SSSD creates bad override search filter due to AD Trust object with parenthesis - Resolves: rhbz#1502713 - SSSD can crash due to ABI changes in libldb >= 1.2.0 (1.1.30) - Resolves: rhbz#1461462 - sssd_client: add mutex protected call to the PAC responder - Resolves: rhbz#1489666 - Combination sssd-ad and postfix recieve incorrect mail with asterisks or spaces - Resolves: rhbz#1525052 - sssd_krb5_localauth_plugin fails to fallback to otheri localname rules- Require the 7.5 libldb version which broke ABI - Related: rhbz#1469791 - Rebase SSSD to version 1.16+- Resolves: rhbz#1457926 - Wrong search base used when SSSD is directly connected to AD child domain- Resolves: rhbz#1450107 - SSSD doesn't handle conflicts between users from trusted domains with the same name when shortname user resolution is enabled- Resolves: rhbz#1459846 - krb5: properly handle 'password expired' information retured by the KDC during PKINIT/Smartcard authentication- Resolves: rhbz#1430415 - ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in- Resolves: rhbz#1455254 - Make domain available as user attribute- Resolves: rhbz#1449731 - IPA client cannot change AD Trusted User password- Resolves: rhbz#1457927 - getent failed to fetch netgroup information after changing default_domain_suffix to ADdomin in /etc/sssd/sssd.conf- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15- Resolves: rhbz#1449728 - LDAP to IPA migration doesn't work in master- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1449729 - org.freedesktop.sssd.infopipe.GetUserGroups does not resolve groups into names with AD- Resolves: rhbz#1450094 - Properly support IPA's promptusername config option- Resolves: rhbz#1457644 - Segfault in access_provider = krb5 is set in sssd.conf due to an off-by-one error when constructing the child send buffer - Resolves: rhbz#1456531 - Option name typos are not detected with validator function of sssctl config-check command in domain sections- Resolves: rhbz#1428906 - sssd intermittently failing to resolve groups for an AD user in IPA-AD trust environment.- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail - Fix Coverity issues in patches for rhbz#1445445- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1446302 - crash in sssd-kcm due to a race-condition between two concurrent requests- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail- Resolves: rhbz#1306707 - Need better debug message when krb5_child returns an unhandled error, leading to a System Error PAM code- Resolves: rhbz#1446535 - Group resolution does not work in subdomain without ad_server option- Resolves: rhbz#1449726 - sss_nss_getlistbycert() does not return results from multiple domains - Resolves: rhbz#1447098 - sssd unable to search dbus for ipa user by certificate - Additional patch for rhbz#1440132- Reapply patch by Lukas Slebodnik to fix upgrade issues with libwbclient - Resolves: rhbz#1439457 - SSSD does not start after upgrade from 7.3 to 7.4 - Resolves: rhbz#1449107 - error: %pre(sssd-common-1.15.2-26.el7.x86_64) scriptlet failed, exit status 3- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15 - Also apply an additional patch for rhbz#1441545- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1434992 - Wrong pam return code for user from subdomain with ad_access_filter- Resolves: rhbz#1430494 - expect sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy manuals to be packaged into sssd-common package- Resolves: rhbz#1427749 - SSSD in server mode iterates over all domains for group-by-GID requests, causing unnecessary searches- Resolves: rhbz#1446139 - Infopipe method ListByCertificate does not return the users with overrides- Resolves: rhbz#1441545 - With multiple subdomain sections id command output for user is not displayed for both domains- Resolves: rhbz#1428866 - Using ad_enabled_domains configuration option in sssd.conf causes nameservice lookups to fail.- Remove an unused variable from the sssd-secrets responder - Related: rhbz#1398701 - [sssd-secrets] https proxy talks plain http - Improve two DEBUG messages in the client trust code to aid troubleshooting - Fix standalone application domains - Related: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Allow completely server-side unqualified name resolution if the domain order is set, do not require any client-side changes - Related: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users- Resolves: rhbz#1402532 - D-Bus interface of sssd is giving inappropriate group information for trusted AD users- Resolves: rhbz#1431858 - Wrong principal found with ad provider and long host name- Resolves: rhbz#1415167 - pam_acct_mgmt with pam_sss.so fails in unprivileged container unless selinux_provider = none is used- Resolves: rhbz#1438388 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_pam killed by 6- Resolves: rhbz#1432112 - sssctl config-check does not give any error when default configuration file is not present- Resolves: rhbz#1438374 - [abrt] [faf] sssd: vfprintf(): /usr/libexec/sssd/sssd_be killed by 11- Resolves: rhbz#1427195 - sssd_nss consumes more memory until restarted or machine swaps- Resolves: rhbz#1414023 - Create troubleshooting tool to determine if a failure is in SSSD or not when using layered products like RH-SSO/CFME etc- Resolves: rhbz#1398701 - [sssd-secrets] https proxy talks plain http- Fix off-by-one error in the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Resolves: rhbz#1434991 - Issue processing ssh keys from certificates in ssh respoder- Resolves: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users - Also backport some buildtime fixes for the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1340711 - [RFE] Use one smartcard and certificate for authentication to distinct logon accounts- Update to upstream 1.15.2 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html - Resolves: rhbz#1418728 - IPA - sudo does not handle associated conflict entries - Resolves: rhbz#1386748 - sssd doesn't update PTR records if A/PTR zones are configured as non-secure and secure - Resolves: rhbz#1214491 - [RFE] Make it possible to configure AD subdomain in the SSSD server mode- Drop "NOUPSTREAM: Bundle http-parser" patch Related: rhbz#1393819 - New package: http-parser- Update to upstream 1.15.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html - Resolves: rhbz#1327085 - Don't prompt for password if there is already one on the stack - Resolves: rhbz#1378722 - [RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases - Resolves: rhbz#1405075 - [RFE] Add PKINIT support to SSSD Kerberos provider - Resolves: rhbz#1416526 - Need correction in sssd-krb5 man page - Resolves: rhbz#1418752 - pam_sss crashes in do_pam_conversation if no conversation function is provided by the client app - Resolves: rhbz#1419356 - Fails to accept any sudo rules if there are two user entries in an ldap role with the same sudo user - Resolves: rhbz#1421622 - SSSD - Users/Groups are cached as mixed-case resulting in users unable to sign in- Fix several packaging issues, notably the p11_child is no longer setuid and the libwbclient used a wrong version number in the symlink- Update to upstream 1.15.0 - Resolves: rhbz#1393824 - Rebase SSSD to version 1.15 - Resolves: rhbz#1407960 - wbcLookupSid() fails in pdomain is NULL - Resolves: rhbz#1406437 - sssctl netgroup-show Cannot allocate memory - Resolves: rhbz#1400422 - Use-after free in resolver in case the fd is writeable and readable at the same time - Resolves: rhbz#1393085 - bz - ldap group names don't resolve after upgrading sssd to 1.14.0 if ldap_nesting_level is set to 0 - Resolves: rhbz#1392444 - sssd_be keeps crashing - Resolves: rhbz#1392441 - sssd fails to start after upgrading to RHEL 7.3 - Resolves: rhbz#1382602 - autofs map resolution doesn't work offline - Resolves: rhbz#1380436 - sudo: ignore case on case insensitive domains - Resolves: rhbz#1378251 - Typo In SSSD-AD Man Page - Resolves: rhbz#1373427 - Clock skew makes SSSD return System Error - Resolves: rhbz#1306707 - Need better handling of "Server not found in Kerberos database" - Resolves: rhbz#1297462 - Don't include 'enable_only=sssd' in the localauth plugin config- Resolves: rhbz#1382598 - IPA: Uninitialized variable during subdomain check- Resolves: rhbz#1378911 - No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain- Resolves: rhbz#1372075 - AD provider: SSSD does not retrieve a domain-local group with the AD provider when following AGGUDLP group structure across domains- Resolves: rhbz#1376831 - sssd-common is missing dependency on sssd-sudo- Resolves: rhbz#1371631 - login using gdm calls for gdm-smartcard when smartcard authentication is not enabled- Resolves: rhbz#1373420 - sss_override fails to export- Resolves: rhbz#1375299 - sss_groupshow fails with error "No such group in local domain. Printing groups only allowed in local domain"- Resolves: rhbz#1375182 - SSSD goes offline when the LDAP server returns sizelimit exceeded- Resolves: rhbz#1372753 - Access denied for user when access_provider = krb5 is set in sssd.conf- Resolves: rhbz#1373444 - unable to create group in sssd cache - Resolves: rhbz#1373577 - unable to add local user in sssd to a group in sssd- Resolves: rhbz#1369118 - Don't enable the default shadowtils domain in RHEL- Fix permissions for the private pipe directory - Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1371977 - resolving IPA nested user groups is broken in 1.14- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1371152 - SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side- Apply forgotten patch - Resolves: rhbz#1368496 - sssd is not able to authenticate with alias - Resolves: rhbz#1366470 - sssd: throw away the timestamp cache if re-initializing the persistent cache - Fix deleting non-existent secret - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1364033 - sssd exits if clock is adjusted backwards after boot- Resolves: rhbz#1362023 - SSSD fails to start when ldap_user_extra_attrs contains mail- Resolves: rhbz#1368324 - libsss_autofs.so is packaged in two packages sssd-common and libsss_autofs- Fix RPM scriptlet plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Add socket-activation plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Own the secrets directory - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1268874 - Add an option to disable checking for trusted domains in the subdomains provider- Resolves: rhbz#1271280 - sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)- Resolves: rhbz#1290500 - [feat] command to manually list fo_add_server_to_list information- Add several small fixes related to the config API - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Resolves: rhbz#1349900 - gpo search errors out and gpo_cache file is never created- Fix regressions in the simple access provider - Resolves: rhbz#1360806 - sssd does not start if sub-domain user is used with simple access provider - Apply a number of specfile patches to better match the upstream spefile - Related: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3- Cherry-pick patches from upstream that fix several regressions - Avoid checking local users in all cases - Resolves: rhbz#1353951 - sssd_pam leaks file descriptors- Resolves: rhbz#1364118 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11 - Resolves: rhbz#1361563 - Wrong pam error code returned for password change in offline mode- Resolves: rhbz#1309745 - Support multiple principals for IPA users- Resolves: rhbz#1304992 - Handle overriden name of members in the memberUid attribute- handle unresolvable sites more gracefully - Resolves: rhbz#1346011 - sssd is looking at a server in the GC of a subdomain, not the root domain. - fix compilation warnings in unit tests- fix capaths output - Resolves: rhbz#1344940 - GSSAPI error causes failures for child domain user logins across IPA - AD trust - also fix Coverity issues in the secrets responder and suppress noisy debug messages when setting the timestamp cache- Resolves: rhbz#1356577 - sssctl: Time stamps without time zone information- Resolves: rhbz#1354414 - New or modified ID-View User overrides are not visible unless rm -f /var/lib/sss/db/*cache*- Resolves: rhbz#1211631 - [RFE] Support of UPN for IdM trusted domains- Resolves: rhbz#1350520 - [abrt] sssd-common: ipa_dyndns_update_send(): sssd_be killed by SIGSEGV- Resolves: rhbz#1349882 - sssd does not work under non-root user - Also cherry-pick a few patches from upstream to fix config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Sync a few minor patches from upstream - Fix sssctl manpage - Fix nss-tests unit test on big-endian machines - Fix several issues in the config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Bundle http-parser - Resolves: rhbz#1311056 - Add a Secrets as a Service component- Sync a few minor patches from upstream - Fix a failover issue - Resolves: rhbz#1334749 - sssd fails to mark a connection as bad on searches that time out- Explicitly BuildRequire newer ding-libs - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- New upstream release 1.14.0 - Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#835492 - [RFE] SSSD admin tool request - force reload - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check) - Resolves: rhbz#1278691 - Please fix rfc2307 autofs schema defaults - Resolves: rhbz#1287209 - default_domain_suffix Appended to User Name - Resolves: rhbz#1300663 - Improve sudo protocol to support configurations with default_domain_suffix - Resolves: rhbz#1312275 - Support authentication indicators from IPA- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#790113 - [RFE] "include" directive in sssd.conf - Resolves: rhbz#874985 - [RFE] AD provider support for automount lookups - Resolves: rhbz#879333 - [RFE] SSSD admin tool request - status overview - Resolves: rhbz#1140022 - [RFE]Allow sssd to add a new option that would specify which server to update DNS with - Resolves: rhbz#1290380 - RFE: Improve SSSD performance in large environments - Resolves: rhbz#883886 - sssd: incorrect checks on length values during packet decoding - Resolves: rhbz#988207 - sssd does not detail which line in configuration is invalid - Resolves: rhbz#1007969 - sssd_cache does not remove have an option to remove the sssd database - Resolves: rhbz#1103249 - PAC responder needs much time to process large group lists - Resolves: rhbz#1118257 - Users in ipa groups, added to netgroups are not resovable - Resolves: rhbz#1269018 - Too much logging from sssd_be - Resolves: rhbz#1293695 - sssd mixup nested group from AD trusted domains - Resolves: rhbz#1308935 - After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user - Resolves: rhbz#1315766 - SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo - Resolves: rhbz#1316164 - SSSD fails to process GPO from Active Directory - Resolves: rhbz#1322458 - sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - The rebase includes fixes for the following bugzillas: - Resolves: rhbz#789477 - [RFE] SUDO: Support the IPA schema - Resolves: rhbz#1059972 - RFE: SSSD: Automatically assign new slices for any AD domain - Resolves: rhbz#1233200 - man sssd.conf should clarify details about subdomain_inherit option. - Resolves: rhbz#1238144 - Need better libhbac debuging added to sssd - Resolves: rhbz#1265366 - sss_override segfaults when accidentally adding --help flag to some commands - Resolves: rhbz#1269512 - sss_override: memory violation - Resolves: rhbz#1278566 - crash in sssd when non-Englsh locale is used and pam_strerror prints non-ASCII characters - Resolves: rhbz#1283686 - groups get deleted from the cache - Resolves: rhbz#1290378 - Smart Cards: Certificate in the ID View - Resolves: rhbz#1292238 - extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members - Resolves: rhbz#1292456 - sssd_be AD segfaults on missing A record - Resolves: rhbz#1294670 - Local users with local sudo rules causes LDAP queries - Resolves: rhbz#1296618 - Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore - Resolves: rhbz#1299553 - Cannot retrieve users after upgrade from 1.12 to 1.13 - Resolves: rhbz#1302821 - Cannot start sssd after switching to non-root - Resolves: rhbz#1310877 - [RFE] Support Automatic Renewing of Kerberos Host Keytabs - Resolves: rhbz#1313014 - sssd is not closing sockets properly - Resolves: rhbz#1318996 - SSSD does not fail over to next GC - Resolves: rhbz#1327270 - local overrides: issues with sub-domain users and mixed case names - Resolves: rhbz#1342547 - sssd-libwbclient: wbcSidsToUnixIds should not fail on lookup errors- Build the PAC plugin with krb5-1.14 - Related: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1290853 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.- Resolves: rhbz#1336706 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups- Resolves: rhbz#1296902 - In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD.- Resolves: rhbz#1334159 - IPA provider crashes if a netgroup from a trusted domain is requested- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin - More patches from upstream related to the memory leak- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin- Resolves: rhbz#1300740 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.- Resolves: rhbz#1267836 - PAM responder crashed if user was not set- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Fix a Coverity warning in dyndns code - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1263735 - Could not resolve AD user from root domain- Remove -d from sss_override manpage - Related: rhbz#1259512 - sss_override : The local override user is not found- Patches required for better handling of failover with one-way trusts - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users- Resolves: rhbz#1259512 - sss_override : The local override user is not found- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help- Resolves: rhbz#1254518 - Fix crash in nss responder- Support import/export for local overrides - Support FQDNs for local overrides - Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes- Resolves: rhbz#1250415 - sssd: p11_child hardening- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected- Fix wildcard_limit=0 - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Fix race condition in invalidating the memory cache - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled- Bump release number - Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- Fix missing dependency of sssd-tools - Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- More memory cache related fixes - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Remove binary blob from SC patches as patch(1) can't handle those - Related: rhbz#854396 - [RFE] Support for smart cards- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*- Fix memory cache integration tests - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups - Resolves: rhbz#854396 - [RFE] Support for smart cards- Remove OTP from PAM stack correctly - Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Handle sssd-owned keytabs when sssd runs as root - Related: rhbz#1205144 - RFE: Support one-way trusts for IPA- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on individual clients- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support - Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2- Add support for InfoPipe wildcard requests - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Also package the initgr memcache - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Rebase to 1.13.0 upstream - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Don't default to SSSD user - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Related: rhbz#1205554 - Rebase SSSD to 1.13.x - GPO default should be permissve- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x - Relax the libldb requirement - Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21 - Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs - Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust - Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers - Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains - Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups - Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set - Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides - Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution - Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work - Resolves: rhbz#1214337 - Overrides with --login work in second attempt - Resolves: rhbz#1212489 - Disable the cleanup task by default - Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf - Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one - Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected - Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all - Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface - Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain - Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys - Resolves: rhbz#1204203 - sssd crashes intermittently - Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default - Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only - Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries - Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything - Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query - Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects - Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name? - Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error - Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD - Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set - Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires - Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option - Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID- Filter out domain-local groups during AD initgroups operation - Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Initialize variable in the views code in one success and one failure path - Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Handle case where there is no default and no rules - Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u- Set a pointer in ldap_child to NULL to avoid warnings - Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Run the restart in sssd-common posttrans - Explicitly require libwbclient - Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Fix endianess bug in fill_id() - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view- Resolves: rhbz#1184982 - Need to set different umask in selinux_child- Bump the release number - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Add a patch dependency - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Process ghost members only once - Fix processing of universal groups with members from different domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved- Handle GID override in MPG domains - Handle views with mixed-case domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Open socket to the PAC responder in krb5_child before dropping root - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD- Resolves: rhbz#889206 - On clock skew sssd returns system error- Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used - Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Resolves: rhbz#1171215 - Crash in function get_object_from_cache - Resolves: rhbz#1171383 - getent fails for posix group with AD users after login - Resolves: rhbz#1171382 - getent of AD universal group fails after group users login - Resolves: rhbz#1170300 - Access is not rejected for disabled domain - Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode - Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear - Related: rhbz#1113783 - sssd should run under unprivileged user- Rebuild to add several forgotten Patch entries - Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Remove Coverity warnings in krb5_child code - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Don't error out on chpass with OTPs - Related: rhbz#1109756 - Rebase SSSD to 1.12- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users - Enable running unit tests without cmocka - Related: rhbz#1113783 - sssd should run under unprivileged user- krb5_child and ldap_child do not call Kerberos calls as root - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware- Fix typo in libwbclient-devel alternatives invocation - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.- Handle migrating clients between views - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Use alternatives for libwbclient - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression- Add an option that describes where to put generated krb5 files to - Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12- Handle IPA group names returned from the extop plugin - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete- Support views for IPA users - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Update man page to clarify TGs should be disabled with a custom search base - Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Use upstreamed patches for the rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Resolves: rhbz#1162480 - dereferencing failure against openldap server- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1113783 - sssd should run under unprivileged user- Fix two regressions in the new selinux_child process - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1132365 - Remove password from the PAM stack if OTP is used- Include the ldap_child and selinux_child patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Support overriding SSH public keys with views - Support extended attributes via the extop plugin - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving - Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times- Include the responder and packaging patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Amend the sssd-ldap man page with info about lockout setup - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD - Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server - Related: rhbz#1109756 - Rebase SSSD to 1.12- Add the low-level server changes for running as unprivileged user - Package the libsss_semange library needed for SELinux label changes - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Use libsemanage for SELinux label changes - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Rebase SSSD to 1.12.2 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Sync with upstream - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebuild against ding-libs with fixed SONAME - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.1 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Require ldb 2.1.17 - Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer- Fix fully qualified IFP lookups - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.0 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Squash in upstream review comments about the PAC patch - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Backport a patch to allow krb5-utils-test to run as root - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Fix a DEBUG message, backport two related fixes - Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success- Resolves: rhbz#1078840 - Error during password change- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider- Fix idmap documentation - Bump idmap version info - Related: rhbz#1067361 - Check IPA idranges before saving them to the cache- Pull some follow up man page fixes from upstream - Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does. - Use the right domain for AD site resolution - Related: rhbz#743503 - [RFE] sssd should support DNS sites- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin- Mass rebuild 2014-01-24- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed. - Fix a typo in the man page - Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain - Fix return value when searching for AD domain flat names - Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword. - Fix two memory leaks in the PAC responder (Related: rhbz#991065)- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup- Resolves: rhbz#1049533 - Group membership lookup issue- Mass rebuild 2013-12-27- Resolves: rhbz#894068 - sss_cache doesn't support subdomains- Re-initialize subdomains after provider startup - Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- The AD provider is able to resolve group memberships for groups with Global and Universal scope - Related: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog- Resolves: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog - Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"- Resolves: rhbz#1037936 - sssd_be crashes occasionally- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains- Resolves: rhbz#1033084 - sssd_be segfaults if empty grop is resolved using ad_matching_rule- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- Skip netgroups that don't provide well-formed triplets - Related: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 - Resolves: rhbz#991065- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash - Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 - Resolves: rhbz#991065 - Rebase SSSD to 1.11.0- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 - Resolves: rhbz#991065- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 - Related: rhbz#991065- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting- Apply several important fixes from upstream 1.10 branch - Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- Remove libcmocka dependency- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doensn't carry any older krb5-libs version- Enable hardened build for RHEL7- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath insted of mcachepath macro to be consistent with upsteam spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. - Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested tar get is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstreeam spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predicatable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. - Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. - Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. - Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. (Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)/bin/sh/bin/sh/bin/shuk1.16.0-19.el71.16.0-19.el7sssd-kcm.servicesssd-kcm.socketsssd_kcmsssd-kcm.8.gzsssd-kcm.8.gzsssd-kcmkcm_default_ccache/usr/lib/systemd/system//usr/libexec/sssd//usr/share/man/man8//usr/share/man/uk/man8//usr/share//usr/share/sssd-kcm/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericdrpmxz2x86_64-redhat-linux-gnuASCII textELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=2f278e1971dbd92eb7ae33910451796eee67cb8d, strippedtroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, from Unix, max compression)troff or preprocessor input, UTF-8 Unicode text, with very long lines (gzip compressed data, from Unix, max compression)directory9R6R2R:R#RRR8RR RRRRRR4R%RRR R RR9R0R'R"RR RRRR&R RRR(R5RR-R+R.R,R*R)RRR!R RR$R/R7R3RR1RRR>? 7zXZ !#,]"k%w+p}}^Xɕs8D:Zű5/-nDu슸VELK?Rs~-z[hU(n^.{YDU˃YjIJL!:ㆥv qb.?oX KW.YSp93%0鱤,Qq8J/ZDSތK^u J[Ta)k $(#^~F'i yVs. egVV6z04X&~1q_J PLK:E) R0L]-!^c] #t=Xsd388>I΁3j'B1jՎb_}a6Djt8,9h4v|~2߂6S0)!0Ǜ*6ѶdSSIZ=C/"~Ow4ҕw 䎸|ufɒ'0.meU&X(]5^6 C^oZtd]G=xf9ݺߖoy " $|'V6l*GPߌ1i=U, ɴFg%7@Pp 3\10ρ!|>><ɰk~9ٸg)1!+rrم6=g}N5CCQSx;JaㅗSD):iW!"j+ i6ECEHj$脞Urv#s!a^^OJD52ܣd5Pc:V[dzg7=sxNDZ7CNE@g;ޗFo>Z 'Bo7̋6Ny/Haii1+6ֽ[zΉ59Mw Oy:n>!wKFlqQΊlDX|M+ӑ4>ֿ4Q?evrd^¼'ۃLa.>|9^}"w+Ke<Ov pS~LM>+KAN\ˮ>P'?f'B/P!%4@#D!'/'RAHb Z6-`,P.{?fPa| n2%-LMDEe=Q g@ >U jdeHAARVRay 1"]bõ]cFr4` CS wm\2=4*y Y[+l)rWRn#,ј'l$@( dFmo|U4 : e(C_aMH C0vQJ<.qi+Lp1e#,ћxDSkNg_m1JSbf~gV,:\2h^L_:HO25-!`ߟC@j-Pt\Azn+bxeg`Hq S?X?`d͐|HyY|J;S^t~Ti?-MRn%0]^s9(Pй+6ޠeu==_f)QLܩX )O);p9\dm杜ȥe$ES樟{s=؛Y϶4VڣłlM%MࠟN5r.KWb֍*S7!MIʞn#>֙7?~MØ/o#%NF' z^ .:v.&3XֻǤr!G&-V o=L,w*3l֨ =& EH,)&&7f-ДqjfY6R/`k;R+1؛VYPgDylCم9^nqbs8eE1EbٙlmLԱdbGB#; PA!=o3It[[+2md{W I8Eðrw۽͝~l/8U{&u2XZj%bunZ*DI m򈄀kT,- B 963'ھVjքL{[Q P3ƤC(}yNw|Hv>a*#PZ&S]aCy>*C3x5 ~n[5笒!-a 0~;;Jwi*f72grͿ<&3;Sq$漆 VmeJ"zagPx @C xw~A2ǥ-"mt}u@}yԜ1'{` p}&MSuh*pM/'|Kl5FO5Zen9v<C)54mWΏ^猤|mೕSv28Ҷ2 +!}C\ أ^o*Yc{aU[]5>{@`'0.A7C @gx 2H%Xw@yDqP[3;wGG#&Kn|~G'v΀00 :xB(yzY5x;E34@?%s|C3L>]|א2 p'P"BCgP{G"񍹏W Ӷ*[F܊|> >HQNtoVVP7:%@cg[!זyOg};Sy3kr(75?7-6~YT`^NZv<,q?vPM;'/EMe-o--1@0sAh clפ5ԕG<Ŷ '**ktvNF ]B d&#$樘=6 o"<|G uIR ht Cr@7$m$4‡w(W7L",mCtQʠifQ1qJٷ kt#NN;cj=$)"wCzzS,ąi”') ]f!Igaħc V ]Q;TC%~[r̘=v;"94;Jt=1엶xyGU[^CssGET1ӗr]1v؟R^Z?=K^P;];7OJ/ 8u?G0ڗ6XbϺI¿*'}ULDxV ź˴_+' gSLw8y[Q=~HU!4ltnL=ٛK2̘_-aVl͖[ѝkk&:֮Wmxã*޶Ae}휓K}9vXkijjn|*0F+}`a2-+sH\xS 5UZ0-psTi72I#Sj ;1_$K&ַBD=#7S;Eey񉀉5h3L-OuSZD־r2R-[S1 Ss .wTzYju p2 mQ5r 2(/Rf8\}C-K?U@"/r {c64 Qo|f!%z֭b -?`$lgɑ77Q-B阶ڸPM↷z'I,VҀV[qԩ Iplbj`Ly@8rao!*qD*:p[]mj6hYkG h'W@E3iA۩iyϷ\KYGQȂ4:MȂ'NB]K]Z&ҍʄ^B{"9 L&e"8ʹk2COrj *%ȧN#I}܈GȢ9ΖڻFd](ei~&%Al߇XPF]Gt60 ܵ*öCgfgrQQTChw=bx&s&Q8~Sc p% WROVϥT>Ϯ,|!}\DYŖ?V^pBʭH?!9B.q^88^l>E gg8uLG> ֩zHN=dIVN~P="AK6?V i%Uiv-c(uSfƈ[=T^c=]. iv}u^F6FRdc,H6&6(fc#aBNx9F"2)>_Թ@"u;w\F_ߙ`&-ӝ07b#/ѩOX BɰTț1N{v1c[ J;=CV) ^+=nпLBp=!N˗=CKKLJ(z74SVNN1º[xӥpp?;hy6ߪ/}]`潢'ڠRxyΠɏʯix2wf 8mv odgm "(>&C= ('@0pnSrLE!sYj1m[Zip& lǚ2[WV4 ƅ]JM'^Y%1 Fg#$C`Upe$'SpRcSr} -JAH$mCU]fK|s _e294e DTJ} !q5 9J(Ⳋ® 3P~ v^܁jE tw4N.4<8)&Oi —!_DtyPKz9#śԼ ?gu{ѹI^&xue{h6. G9ę0Pp[A\tHH^`GZ\Xꃌ;Pu/)xm?(:5QiV;f-u]ԑfû;H>$QFq4&lz0 'ϕѡ&ڵc= P@o<@|s%aLV6,ൾ*;t B .a8fa'Tz_e/ckVI;YVB[T觗}f Sۄ#JWLCA7qi}qM;nUA7A`h76X'/X\.lÒQN׼ umXĪx ) 2j|6\ɫ2V[} e!Uӄ5c.ׯ(٧磍G$G\ԂXbڶTz_{Bi]o*?+K/y~Ϛ1wΠވtt@V|ehjUf]J/QwQLAp-_ e22cǽvo)8 VOc =aT #V.g@Xtܨ?&XWc;8J/i5J2h*tQcJ-7%XHNAEF yD1P$-8PPI(CD5LW*z T)7gHų˺jp8+/H}5mW)0Z4 r."MG.UqYq`bgL>90j1w*ok6B:ӧMz-`l=K4&0p_opq2_RC}qH\%b ^)of7(κ]:g-`,!&D~mN;(AVTG5"Dp#&k1/]\67 n#\YP60{)1<156#cȡc3 Οi؄5qDS]7?ϥ@ϝnO]ef[bw?j49. eC1ٙF -7͐fa8QMr@t;'{g1)f. + +$)_:Tϻ;/q&8BWx> 3D2pϪq `yru{.᝷UlK;Uc GfvS$D5 ZIr#C.l#.~ek7X Ĥɦ!XkJ2vmy%U>3l~Aos6 =jL' /b BT~ߗU ^bh4{.p]X+?S [o9)*(ƾl,b>ɔNd)?"UȈCJ"qcB$3T+Z%AEۣUs7 GZŭ KEXWf2f.+>]ߋ8p+#I ɮ.dW&09ۻ=՝ v߂]uXmkA):ڹkXbaD4E8[ o)嫆{"]K1jIZV+q,44U5ED 8ai?&^]iMgcUVJpL*q-ЂEryYCNx;YB)b.4%-61 ʫ-;umVq̼uvUi:5}=啈饷@"u^O}9dR41wZK9s!A`nS =M1v@zkq#cW?4 4]voZBE0ӫKAG\z F$ |L07b. <3zޒzG_}. +R}mOLʯ.}N$6)r3|yD[ 7{0? F=ŝG@0U CĂZ_sűfΜU'MC!W%LF%EٵP>2D tf_&#D?am@!X}Q^%^Xv1o`,3?whFFU5RۋKk$9wcæKb}jeBӈ'FYЅ69XG4a?>XŰ`嬍^$L(+qVRd>b5 5c rI{x11e,- $[ QFr\ݎa*kx/ݢwPHüwO$X= ///4l]_AB(g 1hDQһ3ob(e(gP- xDh%nM70sT}yJtm^sB5gtd͔>'kl(o6- [xvs$qQ*ABY/+*A[mc)sy Hcnwf3lnt'\5vzb[u$~lxD`6d"̴ \Gqq%n^ p-k], C%H 8DAZsj4_ٴOn5.T)fN:v( ;h=G}sJz3#X̭gԹ3VກrvYwiw L _rivQZ;LS`QX%f믟4a*/CxGyߌ +u0MZd 35FE")&' i(; *yOQٸ ~BC465Jʩ90?f ?wl0Rut7|@IȨK2k$ف_ +!8-:KtCnaotMgEaYݯ$$ @r ,觏<~'E*(qVvsnukۨ6AX aӱɌPneYU_rGUߠIC-]z]əZu#l^wob0F㲆,,<-8j@$e6Dɕ86nN5FnOP s\MFRs| cI?N7T0@C2,q\.z<9QnҲLc: Ѯfx. K?{F .mLH ?|R.]G׭W ,$ÿvYڝB%ҵ(Te'@:Ӵ%{fc̆Եl‰ 3-*~ld АmK*i3LɞT_Oroq,K*Ǭg=fzxLmdfNnj2)iՄ'O:JZk41m<iS,uEbdKqP}L0Bs\y \i|@ȐhMs r[9JJrLT TooOu3"pr ,k3Or?'o4g+lNmVՀrvtoQ]-B}q{IU9xYu6t`[; dD'-]?v#k] jVҭp ny+äCbv@!kOj*=A[vc!ݠELsGvJsMBB8~k-Ởg3G80e(f*`"F|KĎXܚ܄Km0&nKj5f"сךJvbSyVR&FLL9Wݣ [q-: =6jMZ \1Kl:.yb廇R1~BVjcGԐ}Z9K"m~IW0f;Fܓ~)TOIE/s+73㩲;#l'Y/FlG@ъղâpt€5ѹj+ON*։,K0-!l ዳ62aTd%/e辙6?|*ˢ. أx8A[tl9'ԇ%*dwx𞀎ѩ̴ޒQ6ҧ~1^R-e!)iI dECp(}x醮dDpm=;c4p8fpzjT-؝~*+]\k V^䖬lߖ),4E,[s00[-&--[ v0rYusu:| Wk} nDeRBOF=>QM+m9sl,&9J ΐ ZˠO_GRcxSL36ԺO7}[ǕXb] ^4P٣lg Y~ ؾi> G;DK<)d94ʊ3Rһ#6'09%pPuT(g'#Ugc S_4BDU6U,vhN1:,ADqU\a4 `63m;^~/:W P5.6)v6eyhLN$˘ww Kb~BBUyr"%jn4- Z[?lk;瞴csi !οsm~ -Lyn~if+dE5wGPf!Qbc: 5偂Oz4\9dW'L7yyi-J=2*C;pUYt,N[J.UڵDpF̌Mw'(̺Oۓ\rԘpVHk1K"ϴh N. ;gCN'գH&ģjS7Jk-uXI<6OVJ|4ݰeo¾RrBXWݕŀM3D`e3 y yt6U;k { bHJiRjp&?-w:KIchǞfpъʷZwqʢQCهNN&sjJy+4{\m>wwFu)f].*A`feSeb+j13 x^7yL5"U[ndZ?9_Icϟ/93 ݢ*i^#(5ya|ȭZSÛ'ؿb{TO}ΜiTq7Z3͛Kjؿ/\"NJ]B2nsIRiXJ4o)54PJ:`9 GTO+9P?~, D9?03Eixv4E։ <\}LP"Si$,SS1%~+AOX6c\E׍*{s.*s֓B{9,'Xمnřw~_Θ-^l)-B%CNQFsHkg%&]8$0ugy?$P^SڑqO\x<)Dk bBv ?rW;(dNWSvG1U{ UJF(=d?}:nt!E# Oun:Lmo)X)hfl^ f5 8鉑ykc/p7a]_l\g Õr6<DeċE 4.{o ܣ#Gw͙_@hT~W88oҖIW4zN;Fklsl(;iPг|`=Lj1Ѝ.X8=GZ#8ri1@{%ޕZRb&/ΨMnkJ9SY!qPluVCnl lkq|+yeaYpMbah S6mKWav_YWSV( |ƥ865hcḡ}HVl<ڹjU"nA\C-"0H*i4Q$JtFM"S|Ԭ pL>L5ْ&Рhˎ`nQ J^T;3`GLA,MhN`hmnۘY<@"h9:gSHΞvCiiFR^[1~U1s?lQpVCݢپ_+Z'*XJ y % lv uʝ-=aFS;TuέuZ~N8m:ljˈ4I%MPmQqI0^Ʃl]ye?=۫R&QfLۚwXI{cא7KN*z2>2#=>[Ӕj[jJ,8F)&n"_5/ o,|-Lz7AInG/q *ڲ,Mj_L.^!lȜ ==,i‹L5l,֭ߌ20ύh"m-ϑjJVx>Ԭ17_SE9ۿMd32Y6뻜J؎kx>G>B76{bG8JIG=,0mϺ|my!hv4L,J;Ȓj9WREsgҽ0Q)2;O_wF!t6dR[lJZ+ ޢT.6c]^[PmSzy-:nKi%儈ko 73I̝$P"],y 'u#1e!#ͰHPM-B @7Ali0=7S2,,Cwe%3w<]xoK,A1^1u}7kfin4FX,7Z3\TNE;)<8A>&|+ŵZ.Çy|BaI-X4PFS}_ˍ0aɹ³#>hfq#[?rҵZ7qxb \fhSI&jP^].A^fycƶ6ByzKs}k跏x)1'D7K7y; xM~A}%]䙠/q۳¨fRCɸFĠzRa<ݧ@Kɍخp˶Ûؾz+炈t"e5HNH:  /l1*QmhE < B +}NC7GM^noI|7(IwzfDW!) Mc,&SsѧMWʓJ#2 hLĝ DL$Y'u]7_.? ߸Fn*eCoDS]0&ʷ c/ղiM Q2;iV 7hh~\Ak7ڛ< [}+&ҜN>oy{jN6G7+2ɺ{HGQT.+ÿ]޲ueZ4_$ c&to|Cӎ421/U I9D/YӍͳYbdVj6[#to_G0U^$_Dn aػš55WpyٷVP;$3j&4`saI|'ۻ:l&GHQ NNozWFۦ$>lGIv>!)3Y!A v)6Z1ֱ:O.CF1<^DoxpNԩ%- j<1 Jڼ_[ȼGC!V .8sMlv }c3Z3AY} ҄ n_b%zEcyJ}=ƠpI#ٮXr[i ()}+n4V/a&|$b|0˭th\Ґ.+?: h7.̀@fI[#b }Ka;N ~qDiDE'0G,rdիt1o1jc/&߸fR+Ri rXEhTHvif\[݀3%b%7t+V_ú :DBlm^΄~ Q-uhx޽EW~ c=JSi3XipҹBJa}"RPlFACEvy&x#)wע sߺ# qnUr\A6J{ɪ pEzO$*٤k"Be,1֎K^1?72ANJkG\],6Ȟ\pm.:/V>n&F'd~)A0FR}aɨsȺ:BOf[@Wy!U+zR*'+?sStS : &~/ ؤ'o M!ng^ˌe *F%glb[AN1x_t1@qFF9GjJU9|un +WBzJWЩH8k8q{opԂhY\Hze^bR: ypid i[զ٢@Ct"fa{,dp1*9Aqo61|Vz*U gѠҘnp6(e3kI$1 j6#*ǯ)#"LPn hɆ˟Z4c9fJ aDlt[kn!cPdU:ޒ)gȸjH5Ύ!CTAݟٴħoIV[/`wWڪ2qUI\`%vymS$FJ_ĵ\Ãżp+I9KKa 2YfZ4Ph6ކvH [c6%ݲt} ʱ`pw 2S{ڲQrOWۭPAJW Cy BMܽ(̬=J1BG KjXKvD'#%@#Vl (}o}u%|qvznVΒnV/APSO H.޾!'vPsH38:SÕX4f-_ɮs}NRwT.@EYaB>niAYds꽥V{;AʈPcXC#jAyO{I,3gвkaB.\_6ɓ-$p=0DECW9]S_D_qns{)ao>q- 0, ۱*;2vjENDLm=cnβJүq >5HP}؂BӶkg>ȇ\^%[oxw1j]G|Ek^QL6H[k#늚U[wT@ ,Уvmv^/ LBarд+.j ^S{Q#/źMo^/賤(EЗWKeYݏh ʂIS%Dt;Uj\m\QfԌ mkdpyu*?f6@D{X5RCm+BKdwK ;ws` I&@#$w2ڪJy(@dZ'.%ǃ; 8σD;M4=*obpBg)Jm*8y1@3|3#0)۪G;BK w(|aVW9niJB3XxW\z%׳a<)Ii/rJ`M t({( #=Ӟ h"IzB"T ~֍㨮5_ WQG_EdNE(V,#E%dU=.,=΋,26sY~^-<:~R(3ک[, nBEfOCzYSAx]T=t88q~-AarG>YfA>79n{&+\jJT98u갟jTFq.{T/`0$ki!j_x6!1GJOOr<-@L'+<7x-LɔWr L)qFJsxz<񆤦]UT6fkQ8Fu;Tŭ(D.{&az .|9w#z:q qehx1wSΨ[6yCh-l7*%y~E+m+BEEj\y+u`"o^bz<8MfƑ*&$AY9o+|OT~9 asj*mh.Rzj):SG:8X4Ps_.N`m1_qqo\utD{D8܁7wiR%a7ܾK.Ѕ +5Ioow# GǿfR7j~`m]yfrBڰ9O:PqzƔQ^Uf.2Y_|cסx{>Rb([%t+v#.㟳XN%Zg*8 Ch{e/R谗\*@0" UaTBPPٿfz6 EK_s̑rI)圊(g^)8?&V]Qe< <- mD8l ; lx 󽼔ݧ)O%wL7]̏bjU3 Djܙ%)F+{ WJ<_1hrQ-}KE_q2$Ζe>6SejNTՕ(\nW5 tVTv=\V ( Tpb'Lu&0 o[l4\w23q"A/)8N>|7xցO'\?v ܜ\Va u(sZ|)Qe`(Wړei֨5:lsUdnaO^ٓZ(f|dF4jA"I2ezʈilY{-#hYAt]=2]Nf!tApwFvhe./N4eORyާ}6n1j, F@:M^hpT/Ɔ u(ֿڦ@}3_U6EM>4YΪkşH]؟. W#咗֘\g- c ]lyrP|x1ˬK,r9,T?ԼǧogS,b5ؐZurl^d%b;ͿwsB 9|V,<@8ȢR2<)rx2z,mO=9; !@8YAJq"3 FYωzA٢tV>pQC\=Ҏ ׾i#ϳ\U8ԢTi8H,5 ;)/w^>ϔcrYi0DVqKPc{c6Krzg W(=ދ+/|p_e -l+8%Ef+X|/i[W?q{t9+=Be?SZN גn ~ ]L?Rİbq 5I 5x;?Ev%>ۆ$yӽI?p"htЅP6 UXm/M<Řo#H(22+FqŲ&=Bc+.V9 <ݲz0u' :VQsAx~Z3ݹT&X#_P9z>AYH ,^lp/d]R)W(zV[ ]-Q$3^Io+8؂7 w1 HR]jh[CEyA#!77O3Mm;ywɓGr =tPĹþU㤔YE|Ѐ09qA+qlbfPő6Jgd $!%ֱS#NcXEbz 2~?c\} 0фFxi|(? X(XA> ʿ16 R֟"x4wcUeWjbfvImC ANA;>WGUJTd}d'>,hZBü Ϣ'5lvYtWNd{~@"[Br!@Ykkۼ3IQp}OiZhS3-N5 3"#@Ra`eϡMO:-8ebyдVez, u?w>.x"42sb#=ep=C)^^N uǝߐy gw9M`>uЫ][A3S Q3Q*q:m9xę2zCcx]{OqvW-RDOܗ\Jhgn &³MF6ygM 9NꑄbpDZl֡;/ۇ)p:|y8A9inJa/hř"/}maBVJ8=}>HjN[YlKˑcM{ޑ({~pbF]%s fl%qͨmLr3 >4M=J ."}Ժ>@b?Nf+gh$y0$ "&?VfhɈ;1yio KBS(i3lS&=X}v!b:Fܼ:1.=' Ft[Ks %Sݡ/VJ;mg~hYe.4B_yZ%7y[ers:N_9N9-~Q`3Hq SPJ+\ת_=_ ?~"2 h.yf;T~N#,T|3sӫcVLx`4&$C&lak/Oz3ܶKZjPcj|Ay/!l#7hor >5e 2zJyKWIB^ zlCpE}xN\@3lx#s.4tUm '"H؃J"IA8l9Ds0"VRxE3.r@)RQ11+=VMuStFZm3 -;jjELu1~ DY5vŪፁ LWyy=$.*W,P;h>K[˫5Ռ^͓8{쨅YHx_,M[Af1<џb#xfD}6\i9 ̟ubLA5 Es7SL wU ԼJXj̙S)lXͫU|_zA2ĒWg_[jc⠀3Hnof1$:'0&Ski/0&fW+O(LlKƁa M쑤ԁ<ᵥymϿ;7>@+5pHv.QUX`VaeWo{eFBYa}: o(x6ɞCu G orWۆz%ЬF.g!!$/`9U@#,Hƿ(fp&'%YZfG, "m>c4Y޿x,|`jJn\p6zwY.y`bj.椧&3F捯Oŝ/zƢ|<'j>= = jkveZa}3UC3i5ތKʄ6×U{# "#5h&_27#nJ%1x חd R%53ܮY[?㍝'KN&>X 䜦i6j1֘i$w!UWsCsUߏ"gKf<]c¹YG 9J?˂2Dkc7LZ~w!^ڙ]fxVwğRyGsWoF0oBܜאUԔ?D/b-\\`!frWx!J7u.XLF UU.w$BT@8GexURn1ԍdo`^HqvmHlEQHmDx~0s4ʄeyT?A,`3oHrguIyg KeIG19+4D"+ xJ6E'= ]]jdi&ax9A P|=lVNʥJ$7O68±]ºEWc"4YѸF@=>ۥZrKW)pvdubz-؂v }8U73LuXl]8EgA>lSf "bێN]h3Q;6 #LnÔó~rlIۨbAwCe?_ЀLV{%%PtQ8P3ވW_ lO'RB+{iލ\jf FYq]&uf[-Dj(/d᳒uwBpZ4D8{?/u٢R>A ;TPgZGwKdSOfkO CIASI=9$rQuyv[m{ LqwuBB+us[-WXGapр.r8eG."6.Qb$+ 1X::QdV Y5YHD ]fKn~ҪRVrCJFSfV3?nHcr."Dt'hps#ɬ t؊c3s1XZcLľ=b=V{I TOD5˜Xu9340TlTs9_'abZQ)*Pw{TFqڃ j#Q#MV#/Jywu& /J677=~Sz@gsz UpԸt]͸?A8=r02C­W["߰~K>Bi?(F,@?}& Q|ǍZj<o- PiInJ>,ؕ:]iqRg1jCS ;CcѲ~ѷU ;j]020bV,qh^߹SF+kV枌Ųm!'KϒeHd@kb PXp $6!JDjGI qjdnRl$<2 T8*dhꔲh btzxԚ}y _eνL8 P$Kz $|r)J14Ve>!ʛLG2uucjL 1SԿkX9kWτa. 嵹QFvF*@>!F>Šc p2E=mT䘜.zW-' Y'eliEnn.+ZJ`D2Qޖ`u:kZ܇5y)TV-ʽT|FC}YoANDI3/ }?Iz Y*V L" Rw %\bfzm3];1p8UWuӪ0 :8|f` )?E ~R7VlM_˅+3K8kU!v21~?}(}06(-l^kGa_A.,PfbAl Dym ^RT8G q]ƕQl7nOU$njF-2s+`X[>ׇ,8=ȃ[@pQ4#nlcMlFIf x,Od6'5oM]@x~1L6i {<,9RqY o {GeB=@y?:$"x=Gj3}ygA9aV+?$,CudEZo%ХYD5-(ijb~!ҾMy1I4ŁMvz)yBNR^Ud5EZ{s x0W75fB=*cGiP 7څ׍HQ;8YC@3L|5S r=׆'ikԤLkzqWAՖܓp ^k+chΛQ5{BRʶH3y't)?KR/[͚IW'ʰͩ=D8`#޵|Qۇ yPe0Vȿȸ!Z.HXL-"͡Ծ,bR2lڽ&U R{ veZY>GsHozUm$E^rKi0UNOB?-ݭ~썿߬[@#afQjt: sO0oLG[ tĞɰ'tL:{ٜQ57$z>\57Lew?+$߰]l=OiZ뜹L'p,K P5}\{jؒJm#\<8^SV7‚|6>2i?9=qD <ն2'*Z̘X ~LrEi 9ٻQk7Fkt356K `9#뿋\bv\ GR@{egH-8` }gzd^*OotwYYXN6"dtin8$A{c0%6Ղj -Gk!0N@( Y`H!$NEqOj#Iaq$Vom֨1ƍN??Bmk|Pܣ{MS =.y4&֜ Q$+亴#an{ǐswѢj?˓`PY'㱛yDgt\("쌅DXjӐkgdnA"tCBɅѻN:`w> lׂZmQtHA[c:2mH!ܗ6?/^" 0W[M?/X}-DRNFP6=y7?XtȒyJ~@-F-WHCz\Ŕ6i?PHzEf8oe lznJՎ.B' &Lvk۶9՘]'$S^1"fړ8+7Fsc愀A u@8|qvVt'JL-YyndO:uP%sq5T;H$Y2偝9KEBjuwtEvZ%ˣV${| ؅K<,s kH@hg %m;˅4 '5҇0.\dO ܢp ^s=!gP>&< Y4!G[xkb.!ۄo(>(8o==AT,ʏg}/L[HCZ?Xr9w$_@k48.u&^ 4x~guk]2ſwY֎wI"S\=)zuaCr+{F[:Ԗaub97.lU^ܶpd_s2ȲX,Qa=k@)3)8dx[cJsheL.: L6;5CjJ\y^ tDgƔCdk >bb68'~] DaN':ti]ϫ;dƯ"Y2dmRV(;CԴ(x.Dl& qO4J?c{|G\*a9TV /cR# ww;m'=}avS˞2mnl_R =GdIQ J<8c) 3>F9`leW6 | lEY5`*>ʼnNKY'=M %rO_dw[S'Y. Sw( f缈UŢ,7b)pg"ӛ)ߟJb"PL&sX{(ױzOmxl` >+bz$\ ho|`hk&3rX %xaI >8/5K;iִ"~e!$YT7#\wX1_zRf п 1r&;Yf6^[lC|+(׶NW9g_78~ҟaP|Լ'ɯ}blSTlۣF y{,߭-Zh'>⌕zmwk'cFcnr 6"alƻ@M`\MeĂN֖( l≮LdzkF @40Iv).bnЂ':Z0>`% @90oԀPOoLq$xt|ֆ: G]a:DFNS1\r-~'tZ9Bć`c1()C:@/) Annе"|%9J GqzqWosǎ,0@R0h_$*^4 W@j4p7s<`^0e# Y#w/⯻:;i*3/-#a=bSeǸqbKQ4i,eu=^ђ0q%@sYOԹR R|̰!сܤfP)9fBSU؏cX֓.TҲ Z.F& pT>.#{%viS|V+OF. ukǴܛ$i|Q/_lx<"f5-;?+Mw=(j)hB?Ě IZ = t$}NJ$\`$+-1z+(T+`7 m>}rg ްZWM+>[v5"K4-$6^><8:GK]-)Mb_.gOra2-Hǹ[<;] & quٚG5K*C+Z^-9}vaߩ1ۀ{7FK'0X&αx_`iTa2([=Oqd/QSѥI.A{G4s,9=Nt L'#Jmޏ"e:nb̊KwSt"=lhqAx8nzaNڥju+~q$Tj/|CTT86yJp$=Ĩ*Ti3i198"KTӲB 7sx\XHNΈ}1a1*}Mz706I#bU9X\tP]^`(A+* Ҏ +7Y `ञ) }~>ЯME4gT7v9?$ʍ1}22vF][`YFVB!FGHK,@9ӐPo6>h3A%GSxn(w P2YimM*ܺw71_kBhJBy,!\{~zTsGB :Z@/d㡌|;G#f t?>@ɢ8m -P`,YLO <9Mu!J1lJ^I?(Ӧp3I3$Z!Z$zZ^-Hfd;J,s! /Ѻech@}<ʪO0SPk9921"Mdn˅? F`D.,?B?GNG,LA|9 _ф4klNzVHz]ÙϗD/R!}Lᾷ+18>PIuwq6>A &종3+Q\ӡ7 X]>]3g>! xܜGI}=篬ZܸS׏NSE,9\)rt:G6}S4ZeC) >{y|;4we $7E+.M)H% Z̖(9Ha^j{m=+ePoڅەKL=3`d/7⦯82)^ɖDZ9dLv9-ttkLp1͑< JOʙCfwe$j'dn/,NGWR@_iO( v5VZY߄̏Re1!kK%6z'O[ƥ1΁=)sbjs"˄ВzK,6vJśtrD97}ѣF?;-] \iǧN_p/?x&GcCl)_Bxbp/dǗÌ{dsE[*iKqHZdU)?du1$Q3Z- ^A߼+M/rw֕tMg2eykJv7SgጨXe!Bڰh2:6&1Phz4&&Ҩ>׹[̻W..~bȋk*uc@u&Q9hORF5d \|Ztq@MwGI^fY>,ݣmqV[@MȾ85] tCc />k VHn RHfխ)Fe(C5a%#:y YF ΖNBn겞Lj FAщۥ@:3ܗaW67Zk>`y.aex#bcLF Jp `~ *@L.lZK"mAe, =j-Om h$lP.p>Uo/hUapOC H<_Ð9}=(vЄLF26gz8(PBA@KBhB`%^6k5N>[UzgHo{s:ӵ)dGtV>GrO#˻_.& G՟vt7=..rfye䛅~Iܒ=oL|gxwqkJ~%=W~u }븑%/ӤAt}k`Q@r^2HƛwKPR;]kLqlÝ;wduV4p F|}@#F5[Nu)n*˕f6V=LĖUWigZIcZ/0EfDr4kj8[{oѮt]!H>B(~sv/A\N:rsGi<֥+<bw=ɶGz3/GEd3ʹcDdVkɴqJ(s(I:>  ؅u;`#o d'dWsaOnIYT 4U'u;@pխ8es9g7macr[vBęÁ% H-Vrn&濰A]=vMW.AB[Dy?j5T|ansozp8Πܚ=-:k[td0^_ʜ K?L:GaoO>.Z0%!)!4y^ qd&>`b 5H7GF1Υ$Szf2XCc)#k-x-#g~o6-{&lPjFoH!{ݩ RDm. *+CG(:b]yO?Ht2E-p1Dʅ8G&  XW-^4"POή!y71r#:IMB] "C=crWz~QtAБWTcL} |q0-"D}dRHC~~;1߇vD'Ǯ{1:]E#5 :, h;Zkq—|FeHTڜtIBk݂kRXԥ\M ȐiPmQB~XUU>=n,OwJ qhD'?އt֎qP0߹ι/,͡F:%^hUx lbmB3"l=.VY'JqGA2p^:`*R߁~.72SL*\lyz"]ߛb@U{J> iu Lo7Ȏ[1einX2hs񰮙׃!Tz>rfԡSeHxU)U)p4e*KZYQU[g֖1v?Է#fWipӱ鸉XD^L͟SKx嵵lg+B:f;9VMNRe}A~qȎ}{Gc lmd’+Y\A)ejNw$"Cn{-h u,<մuj=ȎOЕ.؈MkcA'O'V"+J ijee#X|{dp)Z{(QcmyzS-vMY7AK, tڈmҁ&u- ^Wq!^0YOf""qu2 38 f3k;7;06<~pḮ~[s^ijL>K+_{w5nog*&ƤτI* ik>;?=N)De9?>oxKODqWM[aঢ 29DLB {L=G&hf"t_i$(Q̤_swrKjwx] FwΗ k!Am˗X}ĮzϖhNCJ& 8zdiKQr>3-^]N1Tp:kp"/v@(zJi<):n]ԑF&.zZ8]WR~-PHl%Vƈpi_',+7_5MegxZԫ γHY߭J!i&J7AƍS(M3/{crrAd~6еd͍7i6S][~?D4 nmOi]vd Cl3m[tV(ve=}m=\֢W0&H>? `"6띷Do*Ī3\ceb\F=/, F12j0 |nFgׂ-JB0DljuTԭD6"O= [κ9,Nl1ɫRYyhKixe:{gK.:/?[`pa ^4elۯ MMW3a+`/pڇoy_6,]7P#Z<<ﵯ^ Mf`Y1[ {:O?޿19ϘNyS`ϵ#Y >6R焐@.RYNH1t :9L41E^AMzC{k+ [JcHP.g._ 8N# 7r1%? ؈3SnZé`xD+{p rM 4Tĕ y* vOBjZ3;&I ?k|I1/kHIj;ZY m]:&/#m>[+,~9Ov|ndrO\F׉,`ki?(!u.L"fE wfW'.j=@6onMq:6lr8q`T ~I{\MZX`"3UxBXLU~/]v gF3"J2kPC=5ڧ"CѫwMtբ3%u=,ܮKEFխ`ࠊ-O+Ѝԇ?f LDTaJ`]%ZvYf ] `y@A@ 7V]|-KsurEo=Z]Ci|52ЈwI8064\=i4~|y&5K]Vryi#K4TΆS`Vܦԍԕbx!yn&í~/]!()YΜu8E%`!\AeMjՄ?|\ -Ob"=ȱߘǴ*madjyMgw_@}9C=ݦZ8/2̐4 *W0j~^`M/4GXzN*Py+I1͟ D>%omYƒ Nf0!=}%MG)Ǹi&l;B m#|'4gkDF SXyH.O*JV*@HGPP}.x[`OrGC!O<  |ړjOaI˷lYtm%ERA|7Z@} 'o ,h*jW $oӧDQ*2 2XV@ڪKǗxʅ0=_/5$Shu϶0jZ9Ҁ^Z>!*} l*0hOG֦)=v>IʋmN IiS@C2sbdͅ;Vf1tPaPY]M}7G)ʌH+$BbTԀi6ST=c>xM jȰBt+8{6x W&S']'1]`"vyoLZ-$ Fs[U A)7#^)mSxI4 zl5eMV/ Ȇ Xc Y/Jz@, A8HB_\$+Ϫ܃Z-g71&""y䀑^^:~7p`}N+g+5(P py%uJxyU&A 7 LcADpLՎ rs!4™ZpX#x8::=5HHg\)kc2dF]3i{E8<\# ɉy>` ^otcz>8tPNn72<9`s /7=JY uZܗ?D znqܙӺ);ω&)?"%s }[/%|y*w2WL+EąD+)q(\DN_Rv7~kȰJޅv e=B c8;Qȱ!xޥ5'y><2.! !Wp3aLH^ НˈoFLQ`HXrFmW4nJ 8.3{L{^ KV)xXvpO ʼ{J1bTE,3 1ɵj$ϳW' .x{3 'KCo,+rEFT[(;v2j(: iQcƮ?sК\9 &7_!;JBdhJ ÷:͇X~*JjJ7Ph٨8>dEBZ!m ]P] MY_q`-' =fB:)# 駠ڥy\R̍dkվЌ;귬/g k~i gs'c['hG1}Ľc+C+TZ'p]L6$*^v(}r.]u>*2+E}2!/-S`Y۟ɇ(N 0Y;~J%QĔ8eǩvBr9XtGZ1xNC[5) 4N՚#P]t!"R:2/YnȘK EP'JAdPY*m=Ϊ̺u~]⁻ b=oBܡjB~ " BS[lZ5(2?CIӰn$e׹mFnMY!E5tJӄ ]?+5![d4 % :@ai|ԶwM i~:qyoq)x2PzhQA*1F~J!H#,m.IUC!,Jk>^kAԎ/=Lt؈ M,80sdG5w1ZR@IQr9xTE簔[YmT<)!e@]n刡 ?Z iD8kH^IRd"!Lkc26XAdOT(3iI֊z8fХJ?" `8LTji7@84!Rvd-}}Ȁ#2ᙁ MxxoF tj|y-om.9 nu' NķO>!(7 z\UpRC9ht|]& {2;`8Miinؘ~Ee:ܣ._LZ (= JS|˧Cqs>P 㯴ED&wز`pϫPg|ۺ`_6? /%Ճycu5'["-]wMdx h֡N,W{a! koUWJ,j=rk` Jg_sa"7-L+Ж LӃht ,ޥC[" ց LcȀr!mj(g2xsxrɶ7ϧ^ӉGn_HKYz)&pNW"o+ 'ҭLzvA z3OhXg 1UpF5憯x" [2sRTWwU`)&%aheI y)ۖ=WEʪ}+,h}ctzHb%ƾKzY#o)pbT$ Be8iRC _@q܉ǃ:lB}σLZv|ʅ_GF_4.kν`9.iU!+(>tCg y#=/"VӉj BA;?v vzF׆B򆯣 \:yr*w*u􃑾qd7T|a]9zHϷU@6hl偐[E;CŮoCFg]NLW"3^ݪ,v-^QJU])V_tx:yR[7V>3ȠqN! ۉkET.Q;Xs|rVQ7{]2%/]u*m},ђ#uZ}hܬ! Ȋ=5 l( w ‘f zma:3Rdݡg -֔18^ 7%ϊt!#@!(wfA\l& iwW$Vm Rm_ .u 8k- T 7`{f2aV#-**]JHs64}Zţ4ܬ#X%AbIabȍ@_Fߛ$3UvDbZkXO'!.o8u|NrycD ^\\=1[|/$boɣj} "͎ci >j$ ͻi0+>ʍJbMl2XDQBq-eew]+K]ik-`+6B) t@;dHm~CjhU1uȔsQn锇߰/LU+fzGDi8YtpD /+hY=giLw4- \`i@j C֚]؇/~P)6qtVJ2CU"'랿@%wltAf9e]FA."0(ru;9PJ ь$ 7P.7Pfn H$E(e^>1E?Sno\K:h.kPң tx;Huhuz蕪2;l=lL5?A4P G]BII!Z+(`oV%ܦP]د3U"@9eo_sA`9{'5"o7bq$Ѷp~S{>Xb`FW(er][T\et1h-V7:?V:@#N^ܽYC 䡷@. \Z^d8p~XPa Ek噇2PE8.cˢuѸ7dBYud`JZ!aE*)Xw;?tfx#n>~Qj@3畱=]dS.빑莬3WE- N D5)zP wzꓣroOjTҁl3P7к>dTs&#}]|a5/q +׳jR L On P3X Ց_a. /Pw+r|a wUvdriJ<_-(Hae+ C^<qSKn0~dOC5x~el`}(ATZ  J?҃<;,67 w75&. ?CȮG4_Yj}?JV!FrA̿F|ٜ?ѐ'4Noi'fztLSHx=0Nɨ% GOl6e S:)\ZycfTp}% 9T--#y5J+MW|eۛ:{n3ȕBdv= I@{xVh!icqX.cZ~NK6Vr֎={Y^T(+=v={cGC<"؄391 $pFJZI$+1vkbj?G%0hMSr@u)_w6yXUrZuL@]$s Ps?H!}G?(iyȊ\lV2xvTʇDϚ볼\.m W%dzmJIPM7` :1{ގjb!#"߸~o<(|[؏JdE?L2hK;T4y[#T[e  eXl;p~QT?8Œ%Q3&KSډgiO 2SʯCYj4imC_׊2R'01$C+5g3oqEv[Se{`=KYT[ܗk,V 82g@QRkB랏w\me󭎗W1%IE%8BԌf<^'g߷øL|4 **ËȊ"({-S2M8(FGXQcTO.Zg2TG%a`*zfSrus%!̭JLD?싰#׬S CܞqJm1?tyvDGKxzO+Y6k*I;2ƕ&ZR`F&ԃА7Oڭp7jԭ=Nz"g o50.svg7l@mXGTց̸րXdtyn%7u?;AheܒequZ!64<ո9qOR41WZaC9$#%|UU xBT%ƮuH}]mـWq||Tyٺ>_42_dlD6= F ٪r)5JKxEtLṞ,oCYgk_VZjfW9PwÉbqr뼌&gWxtMe_4 ۰,mTM .c9v&\fd;-k|uVDJv'o$ JpwIG;WPl4vp '?D}I@e]p37T"'ZeI5llsjW|9chvc>WQExXCEYv%ʹQT;*<9@2.Lah7g#m3۝zAxJwͷ0 ݙ֚7ĜV,~ /EdLm\'a6VT'sZE#{!BF 8縦/c“)e @(E1ɩ?FyG)A3](i*++ aCԅYp#ޡs{4+lvA1SĆYY˱;| ̔X4&E;mä(3 +w! ,J@Y I 8Bd t,Qz2ȽӸ#Ź;i7ө6D-KO~n2^uY9>Ė|l=hw6z:l(#sAS*19;3S)/j䄫UChZJh+P9+2;Ș'>yE1I4@"PYb-%-dy;]mn?XEy 2|.[|Ñ&Ӝ*:B0W 4kkB*UݔH&{qoGz+h`A-OnD`'ʤD#jB$6-veLx̓ي v /+98!pMŒI~3'N`ZHΕ?4%l5}FL?c/:Hӓ_ +%:kb2*hF i/Gq.E8T!mz͵sf> V9犣tl{vj"FU9{}]urs/ : H]B==FEFzYsGݿ(,/"Yڊ{aBk s0C0_umu~;OҔJȓTP|L-;NPmM uڣP%4XbqX+Bzy%* }VSI zCvK~7⣳Eq+0([|26E>Wh.(aqMY¯<|6 P02iѢd(ѽ֪ZoQ:ٷ%"xhX.H(\a$DPR[׈c'`[0n#{wq!@J} n|adDRPcӵm0C N8Vqw6 ^Yh\a9ˆ9z SVwQZ,6<K|A; ҵ[dZJb-Һ?sU|W67 FU& `8jie72! [8;]}+v}*a9˶&բ$2w6ByxKX1q\ tR*2h3 1l"Uq`w;fH:%Lcȷ5xWN!Emg05y],:Xsc=˨q﬚ϵTޓ'D/g8D0=r}^(bNC*} I`hQGW:<wwӎN/x7"#~Dg9CeMsXD:0\z]p!Z;N^|hA\ىFfXwQ+smt%M*Cuך=gpNsqX۸q gOb%NX]^!9369Jݍ"=\.xghhdkX6{@\̼V+1fSo;Y|VM4oY43^Jc!7 5Sijv:]SPϣA^kj)Xɸ17 ?}IZԷy}UU<ɴv1 @vHJYkV|?LJșo};8Пjermh8<½`U~$};ƹ"+.VS=}Qɢ֩sŒ!JI#)EKXƐ-ԻE% {8, ѵ!/ u)`,.tn =D<*d{^-,7W] Ͳ+`E 2!26o5TOQƐt;hTeAq~("<{5rf굚2N\ ̭g8;95?,e8kKQ1_bȇpAHf"WTA]ݪn*P[ٖ6-w (H]_+I-/S i۝l`T Wom<]G5 7P$#IKF`Xtt-Y_["N*%3 eW qխ{AuYqd}KF?_3wL-:kXXZ >+Pb,U:#|^4v6R皪qX%ؒI?Aދ*vDr.^ Ik_<)̭'-QAFq|cft!_(a8M&ƜF.P4ðVM! FXisIy#9!rorq7uG |}ZPFF\z{0<,tnZ[b׍_EJ͘zns$n>ՓuB=(/Bp>\ʻm`?:u6/jzUe*"ǻ ‚mQJ|gMx\~EqLcل";.k os{2W mD[> och3umsc32k2-ݐ<87z&Է@EMb{2u\,HBqQ Ӟ aRww\qXhijS}VUcu:3-\5]Zb IWmP伡`Kdp"4WCG⫳VA"ϢH\xDž;{sL)G^;KcE\ns﫛uɊmגL,Q37.S)6J*mcGTHMʦaiP&o?u&Z*3h9DT{JI9bwIF68}nmse;F2fV7:}{igfdLEhŦ}d<וdnbi8Ilh?jr"r7g? ˁ_فXM?g%JϼI_ 5?[kHxxj2)r+ʹp Q+;„E6]YWXj7NV;du#5dLA3E_"Xb5:VFM_;HYZbTje%6دl ٰ9fok$,S袕抝KoBïwXYͬxk8!۠(F%v@ݻjW] ӌݞ}\O/)X:`eLu5?9:cr79%1QAq_Lpf\PDp4"3Ot#H#rm!_!ɭ(yMGI5Ӵ/t;a=ǮVo zpBH9Co~t:-}lv .8{pk- " лa('bj+qP+f#e&'TވO6Nc vԻԱ#*N@vayM}plOoy*B^ SҞ@|JmpʎdܗuaG44z`,3]aWxB[ujb}4bL(t)yx|Tr |AidD<+qRjp%*N=f>ʶA:kq*2HV }uJ2澼qal2iq0b*uB[J7mqtTBnr+i'wtx.Y?Q4|DEKQ`[5u902!Wm:%i*XO'Ѧc2 ׏0ÒƱM"өlP,tt"MYYi(XÞ_s R7PX!kg ϭ>8xgD2ߡM !K#FL~+4vV~ZrPmȨOb9V*_!m1Usqӷo}A+RiFz=CU1Cs\d Y|lWлqnyF/1,X4zr 1  |Kr%sIX)$ܕKR}‡aGs p-|zH ߲S>]#lEakA~UJuMb#:.+O ^IʿF3&"\t Uٗ=) vBROZY @|y%# LQ[ Ry\USG:T f_dpqX5owL.4Imײ7bNdҹEZCdǤߍ;BDkuSxF/itbG'K/#-l]eEp;>*JFJ'V|:^4tȼ zLѸSS(+LgOmрkiKn.İFN(lM\k= 1i a aђxRT(3Uޱ ѮS$tmlnK 'K2>&ip_";'` G3s-? rfUAH3m@BD.mW!%O$4Fj&p¼ߢ, JQw|D>|n55 J U5\gDb^. 쩑.$*#쇡[@SGRxB7:5:vp1# n_8 AfUqi;}5F"0&rc1 Mw0ɨ3ŦK!#ܱ~Tff mRva"c'-[+hW8׈M2j`9K'>`_NY9ӍvkitaEk&6+#Zԥ79dZM6]xӊ~,ʟ|1#FD!t*ǘB}Ƨ$#3Pm~tLN>ƏA%2(-KO"W@`^t0*1Ҫ> $?pօPuQ~l {Yo0mJ4IC-)@&4  G$d5o7A_wW 2s#r#SeZSg&>5ڗuEFeĪ:JkNUqz "%i5ΩBuzNE3bp#^"ιuÎ>,=ߩ*>30  stX+_嶠itsAҠK% )bo}wIyP6eJ9H f8;I}V;-h&JMfOsQ[QKX" oT%qq.'6n(->H5/LI@ۥGoR+׹&ɊROڀs 𲔵ȮuLLxLfI=6;hO a/U([@QĤ:5de{rbm#Mψ}l"@Rfz&9D))/Wseh}+lVyǶ %Ab,^(C.҈3>d/Z Dl\+ !iw!%,vtYm|hO謪*O$^p\5UD"C|6J<'0vOk`:5fK6tzR` 2Ke*1vK5Y˷ͧsؑ :سэax\׌3j ́%Y3 v5)h5&Ɖgg:6k ì.m!JS* )]I s51褚txq"J ,ϝt"v|dqi>˗c0mGItdYO] 5.oX1{CX%ֺ "Ϩ8@J^7]Yi7\'.]bcxPYb)]ԷԹiwrO8rBQeխM5*f?Y@{Pna = z3bG([A݂qʭyLY'7Ы #7x׾Go2yZqvuGui ;̥}t'6Y ij<u֏̓3QA^a]nJ=T IV[A-=sߒȲ:֒q-/_Ie.p^!?l;Fzr퍰GƲ6 ^O@ 1:Č8L4o>{_"m=N>ىB1]&\n\$DY "Ԗssc rvb7Wϰk#$Ic7"lqsgh͓wz!5 qWAUmC<ʅf7Uy ZGS׸f(԰8eaz*(fy~F܄kWēϯ6@cic 8+ le]U=NT4r]ʔ748w)s J2NpWNJ[2bt]a7҄1FTWMqV= F+X T7zqS{S Ix 7|SZ)КQG lj,.oki0At8N =-`űUan5f˽ػC l*dڔBE2]Tt$#J;;HQEv &%Yp"/|AcF~5*a$f d,rJLdb?&DʚFv޵\IXrƤJ^%Su;%A4@#l "* 4-s=|6^f;xc \x)$M垹PR"BtCɠ8X(_|Ge4I?g([eߋɽ kbsj'Jø XaV=A?W<6dLqL8|W|\*=/}4=6k\a/қPȤd:ZSCf)x+i~E->U55+q~;˶n- DGGb Ñ|}e?d o!{oغ-`TǒcV%n(y txod AzCzK+kf}1G}II;a;nؕu&;v=/—M@ "I9vާ`PRʎbmJ9$&1m) ;XO_Geg>O%b1-[\%,Jo\(-v5|SdH=g4N/-  [Kf'/S(qCt{=8RE_i@an*u? HK:[ !%zX_zGyͭ1oyLl.\@+nR_: zNh./Y`T)qS;Q1$ɷ/qc;j z!vE 7G<|$P9>N+6?OWpۢ+Rȸ0CR4T4c[_[r^/3i; kҭ3 NjIZ0J)AI3<k݆j}Rǣ|ӉqrV0~gLux#%kp darvRKRXZ4"(2nKɕ˒wQ} o-(մe 0 kM[byܹ/^Ƕ"O#JsUUv jU%|-hkoh> yߌrDhᇣ5fɪ__[۸54 =ha*LAP..4 tMҋRGn2⡓VG\ 8dGZ٤xUlm_ctÌ6r(fȈy(pyxX{BkUC BN* !@7krm.i#'3(6^+pӦyMXDSpr*ϵOp"Ffx)ʧK0F=@KO׺kneIh-!?ׁ6 pq{= | IgT-—vcD斟/7mZXlXL\E\2O5ƭ #Ȉdd2 DeP=K5j`a3;$܄RrĪ3CGUNav]"!!x]xEϴg{ @_Ac`zSA`Uw$sTypR[ݝFەvoξ%ЁNR;WB`+GvcW6:Gzajڕ9aVJ?Q,qQ)^"r6Xd!V*BWOLlJEǠzdηcKo8̓זl,_DhzcAg]E:%|=J]ɍGRe1FH?,&ʦc(R'03Igbqf} "E|ߕg~5eaRߤY{b3A,.-FNE pOj: %1лQ,>I)bI,Lvt8;-,-h8UI|>_GCl/rC¢%\ǘ?dȾg<=Bu= G4:#, p)8 c-@FmTh=Y!=>#?c"%.<+Ba ]2t(Vx DK Z0PNuӃ\0f0QZu/BbAS0LO˼EOiԠDqз" }P1w?); //9)\%'`2bRoE-MU7c_Ϋ#6ot}OwDn>[3C9aJQxGQpe:O2siNNQHՎ!\I $_A&yvEZs3aPrIE #SRܫ{1EZf-'vFHt, _r~Zo=/:CrfDCX(?.%hq R>Q,r;"JStz@u c*T[ƾCM"ՆPaPT.8RÅ߱ %2q˥o۾ןim"TrzzEb=0ۉixyCJɷ`C%&]=zث-Zm9ZO5܎-կm@ ͏RE%݁ L^ЖE#&7I %|ۦu_5feԁ~ jB0FJ-׊ü?Lo@;A t %]I-] Dۡ4i{[VM>7]{ovޔ"bQfDڪK4$@Ii圝0:RƲpUÕ*lgӶV)%:Wgt?ʎS}Mnŭ"W .._3faN G~V?|V>q KOL-=] ʹWQ.+;&04y[U?ܛo9n~f9"vYr omٍ#mb!o u&I!af~:#zx& :̖Y3ɔp3Aϒ1/63!qWf6HSD+acX8dF8znk{g~L,tʂD] N4@ E& #Wr:R4N5Q">^،'f4Lrl`C !Rg 'yj%0xcZDAxQ.d'%YU[Put~Yݺt6GRCns>y'm勊cjQ]{<3\B +k?V ebѲ4䱘Ţ%_l>DqiLtcn?#*-NNzG;rS2 X0[~,%?%IL2i *@ps!h[FR{$&F>NôD~,HMC8HZzWz.h7"f(/pFMR(c'tx'O=b0T%Co<Ϣ 6%聼q8aUXhWj3s[|d}.u<ђ/lff/;.PKUQ[¸ȗTؕH9ޛ+mmi {^b54=^*YޮZX+:t,O6M} TxO[>\c oV@ۂbX1ϕ\8x k+KEV; -jcH$npI8he^AHZ4 lWmn>KY4<գOahNxL>_W[YJ:&)[֟ PKvIUT=J UtM̚aep3v@0z=?e Ai n=vV# :hJONz۠!Ͱ2K.U$hXf a$wUYi7#Å 1 'ZGƏoGq@NBsn䇲);j|]kI'#DkO ^4:fԳ?+Z y'Ёwfw@tE!. HCD ~-ᔃo D#  8P]jc~aUɚ~_sWO}9U04/9nI¶+5t,S)MJ-nE?r/h7쨪<Ҥ3Ztsi{QgJh}{8L[Ϟ0@rr=6b_PTj`ӯ |Ah!" OSTXΣzhZϥy'1em(:Ybm,^qStP )砡նCLN_ieϋIWS$(>owO kY:S'Pr`Kȉԁ̪ `*MĘc37EzT(c^.[M}Z ^=<%7 4q>>pkXI`Y EBF% ].4;#|}"•XoghsĵzcFZwOCDFVm=,x<eÏ'_Qf'DVۜAv,gDŽ!3>?V(F8׀Nj\X*ƹ|BsT60b~QQ821AșԺRnҹL/0ݳu}l% 3*Bh&SS>t&ۧ@ *AtzDԿe? FLR`b6Z~cȻuFvk@/0X SxYiSJ7!7Qn=*+PN^¶Џ_(̷V(c3)nV՞ph|C~)DZ*B!G+)(r;ڢƉuSchrRΆ3[>8:'A;Y`lLTQ%߼L?*o3gbaZum8.&KJGb{blb;UU:Jpiwol\b`3ϱ@BPbR\IEvz8cYp\anh gIȕMI2*JLnx؋9Fes7x kO[̧';"2GORgj"H np1;lTkoa1"q5O65Ʌ~\ l9ze?E4!5]k^X$Cm$@F3?ie>4j#\pDH*(m(4^%r/'LQs-C+CS&mybmC]UGxjd'1bB惼i8j/6şHuenqo1*CCi՜@om`Ru ^Ŧɋ68-@^.h}}Q];|tNhkLy.ȈtĽK6q%WrV(XJn䱡e~MkBТP] (qxAG:Л2@v 4A .6񲕜OtC%2! P9Mm2?qJLr',l]8yh ҄jYݯp*)',K5BgBjtl$E1T*!MW䇀TY(ƻO9I4Pswa MwydK ;T1J0> w4nȼacPx'xRO,Ϊ=ʩmF#\2p5BRr3!f}ܶ 6w^F 'HrCfOGLR1oP{S;%M82BGF9YmN\SpגF7hRBLs'k+ѽ@6X 7 xh"wd|qC=шo̔;{0c-@W%vjj,ekLo)\oêՎjhIt]@ gi7Ii!7CYJY Fj".jӡIp;1k~H,esTp9jK}Tmؑ4fi]ptJ ࣫JUiUJ?_Wt`4LM?`0+dUVUu\Xʿ;(CA2&P$\JԤ+rջl4M}g~mJ 7mn Un5cD'Bj.}Mb !XthJpxh&]0~){b[uoDTyJ~V6@hJQg+"4¼HLs?خM٩Bi 4UM[|=A6;4).}Rw֯/^ 9X} 9b.2Rg[s|Ijd!%jXOI "[w0O5BMnE_uR-CAzn NbR;؃V!7ѨݖJrb>2gզutg?QIH1CIBcwF%>V hN҃|YT l a@&! EHBBZWL(<B +4A UJb\CoSV>4n MXY^/*]Aݲ߹[A+T72*J^C9.p:C,7@n6cd QۥR&Jw=gt "g%7X~=3}^Ō34ye-@m&g ˯q0h-Irw^4CBRÚ M`}GX$WQbO`dB:^Rwf֞8ѭa.7̈́.k?8]˳úZ)9Z EN'{GWw>*E? aDSQޒ'oެ8⁚Lp1(oI?-_5SCn[qضPaUvE.'I&P'a k.pv5 Ϛo ?"A: xE 6\؇F>I`.l$zxc,Bcj036ICCv|ģu@ 5 lMBIiKi޵Jqxno\gl *od=Дk;$Xi"*5 Q,E;=Eˁ`];U;ky&|3|I &,|^y9Q )#k=\sڜǚZmtmTO6ț h]N bҹ^_GSw /)EYd۽T0OWw8Z7CLi%@|-f[Ē++_"jWl%3MDCxقm z&L9&a̅$bmHv>w9$/2>Ĝˢn* ~q_Ϯ!m(ѶJ"Q۾')m3%^ ك~"NW+ڬ2?b3}i>-rs~&?pKz!ҙ DdM?,,trP9m^O#/|1b=2O9v6C̫2s4 JrziD; WeFJ݌HT rO(; !PI)Jl#E)Y^̭y:"Q3X0@=7lWC3)F0v6Xu:_߄ݴ,|\ךݸrCj*+j,ʾfra;Kॢk%HzPMڗ)tNE7Oic_<;""8эo&C׏b;$ ~#}{] E y`Aȱn&j s^чf Tzxg*ZebR Cju)r5 AЄsbsѻpalX4>ur-~7Խx 3`6S.z"9ev3}mv:A9!Qf-bWѲ>co$yG`[Fj&лyf(;Ì7 3+Gwp )BirB1kE;XSǜyEX n߅Q[u~wQlRSno_Vl^-͏ȶR[v<"7RD`p7C+27aAR''m sr~&71_(sD*1pMc\`T,Neo0٤Jqz]>ⱍ_NPAEr]gWmm!m 6.S`k|küPpьWr_7lЀKz'!k{wCƤaIlD+.2Q cW5|`ѕ U:\9@ w&)?JafD==H:H{^{]kݒʽ:åQkKzni $k襨O}vJ&%!"㼮j"PIXZ`7:|61s!$ 9gkq}v"hn `Ξȿx3؟Ws P0( H%PgMfoVW..`ș^;SnI|*y]0/A] O$F~vL8zK!%gTsp_h&Šβ~`1 {=xl!g88di7pk7" v%]T1x ym:( x˼G]3ܹeuUMzg,ǜU](r55xPEaRt+3xl.+Q"Ε4ڭEZj^fupNq:Z줊`VH'|\FҰPτ/\⎐oWxeL{ sX䎏lz M'Y$˝By1Em|S%QV; jrc{ ^A+ۗmVJkIm2Ao_@I qdxgBuBf}Fbm .^g "`GI61d/iSN8VarhnH#!j5-`MǚƮ+nj"X6W3a%adS;:o}) ZbTFPJW?5n˰b|>bt#sEPHջS-BoH5P0 c!d<#~P% ミ+{Tp@ t܆-/>c64^28.rޓ^4q<Ԍf]F"s:bZԞ2\,V3~-t:jk XO1W?`t78”ܗ! ~_tt7i1`?]TW+yQHD{ެ`|*z7 \僢)v5> ^${q͒Ԝ5G &ALb懿r?P prB z!|h:׍^tHlH%(ybTZc&7SzgI+zF[P6b0qNtJlHPR. 6k|ZwW{k0*R}>!C) {6:/cˢ o<q}ܛhQ]ni&J/>)?1/yؽK~ɯfS4~!$H4SNf[ʷkHLd` YzC&^QSD]'KYR{mpT`9A[ⱋ}HxPDo]}YZ YoEUZj0jF;Z㷢,X`yh|fCuP4yoVvOܞKE;EI` bMXl> sB48~"m  /0(B[*%QOW5ӧ*QI~ EdBpн.\+Ymwv\mjWC*!%wځ^4رt`oXvztG$8es5ފHݻbs㤓B Zg|*ۦ7v |M"莈J?ql/&m|pju2TmV!gLaF,2q&2W^`uVbXOS-0 I[>Oӧ846po=YTmux⷗vT7oꐻ{wǫtx"KVe/N볛vN&K~F"s?2|+ TVţ[˛ nd,AߗRp]V}6/;( oM@CnљeRZ;$ ܋(m+-aYDf~~qI5Pd$:h (GjDCt>= ӌ]-A%},Eϒ6e #h=$أ/pGkSdEy>J'vG9`^όLXbAi:ޙҟr힤"Fpr6@CfYʪ;DXO :ʿ,\5Vs+NY0O/Gwd^%NLteة["85 oY* _Ø#;%4Ю4X;ˉSl(#[ɭU-3bؼ(>XOʡm3(Ȁ3Wd!*ne`G8(sP9wy6[Q`fB!_pf/ΒvJG, /^=5-v[bzV[R6lC &{P5g hKGuci E& :Q9BθS@ {&DhVgL4O>DF {Cӝt*-Ӱo'4pц[^I)65HK`YLl\P%2Hrmze(n7ȂLtx½V_QyznzhHrA.L zR p0ak󹰠V?RK۟'{"U9_5kSO2ndxK l՛&]gy2zy7oW|W _p-U9|N~ ;IVn W?Ϭ&{w%8i+8s!bmSWcXq 2T/c2(/9CS4҆d#D5^$R,lUٖ(i@w%µUH,D/l#]dmcX& AWF!GxfXʆv$d]9|@)&0GCio I~uQVt  ( _$49‰Stۊk^1^xof$~P}eϠ l HuMb^zgko*$}AK:@F$B;ej(Q^N:gjJ9JMGqC#H Xpq5;  '-[2 &5yZ 0e /֍~ p@FlHU4 ?)7l@NYUMv"dY9SzG?_K{xro%W`#x@;ɻ: Q +Q8ZENy 2f%s`D5N[sÛS{ͭCwd_Uު]Ӽ,}?%1?*Jpnf#w AɊLVש( 2}GY :,4![*T gJW S)@U D|i_| \jKI/[DSm{[UݚmcA)M*0enQ0&@b]E(CrQ?y{&UVm*o/%ک>9to>V0JordB@%趑Oqj08 8VII`~lŬc2J<}YY 4;" Ʈ5}^\.%?87?Bt`ոNN]ת샨S2ʗ!I >r Rz2m`Rs g[>7f n+h2'.əTUr's;R6>Zw6f`t9ضP55RࡴFvTPY-jsfMzYx[e2GnW:\Ln|˝0^\2v㴹:` yk.ӟ@Ӽ5mZ=!IDϐ+zLkX_j@0zWuy8?//'O$&{" 5F?”v,`}TC3WJbeN5Cy5Gـ_X܌۝Gi6s@ʚn=0jjJ ?^@fy<=V NpOfLД6l^-Ll0",~qٶ\/^P9;[Y8\-[zdXߙʯ\'x-(b^ |2[Va\0aP%`ԃuU ۉ!dڲPGm Ku}N bmgEEzKN3oWd]<\u8y:1őf30՞Wy3/t=e۞ {dOEy*m)UX.(<#DZƐ`%E'`6պկNObPw]7r_kff*]{~rX ģ/@c){2Wx?0E=Tٹ.1㩔WrAFn,w k+ښZ~#mzy-DR"UlV *D&VBx=8OekS+ϴD.=Ɋfq:) Qά1FqZ8+iH_~D1.d4^tt\25@h{֍ ,N"[V5 |!3 SмV)R4s6 ތVV< {b;&+u; <_c$7.\][4{mOy (sj u~lTQ8"?HcxÞF,i d~xUws)u@ng7ys cž1t~{ϧF:xdNo3L.l^@ҍ]|@)*⎥T}zSԾ{n@cVa CuIFtsDx&(@ۣSB6}ŒR>)R6qU֛Nn[6 M]e ;y*IW LPK&+̇'_ M5ƥ7~^Qu ȢekT$χ QjꖫI)=?x(%"iO %WJ5""="n;UBo`%lc}Pg1qzɖ$iB[Rq7i1+y&WsʌQ!&ķ" ZD͗mD(G|?g:F8̆j9|7b |+*ިn\ 9˔!2m}ZOfgt 'C:>RP&2IzsU FҖ}w  +씸`h6\|O0au?}2ֽۙ¿~ Z4oAړ61Sۯ  ŐTJ?Qy.^}w"͐'٨XH+UJe:>Da'JFw;̟uε[I.(ц #*c-G>[. 9J ͣ|4-4yYE6'WQin/_!ySȹ{hu:dfew@c0񘗄uHa)`ioۏP,f/$D8||:CmKPy@J~a"\Noc(yO aeMhr}QkL.?w@<4qQJUւЍ6y]e5 Vxxu l ~@Vd 3c%mˡb6ZH= *}] addַF%DGއʡyPKAeV%QxP[„VX7k--{˙$UGxG$_{ˋa1z>'.¿)Tkqd\e/ 筡3Q|5[Z~TV 37{zOD;lh@J-S-+f\ H 6xM| Q!K.)/b[DU0g6L$oq*z9DFxWǢD#W *Zщy&7cˏ7*ěj2X7@ʰ@Z\ۀ/,6dM(-xIN<Qx?מ2N30 Re1`Ύ+,g^8Dp21tk%Gdcg@=&☤e(`F+ED`w'fO2Ln[giυ$w;->+Cs6Y-`cQNk*Pv%*tmx]v'ސ8lF,L],רu'ib SьwB]М*/QҘm{V*5 q zQۇ{?Kl$lVs'gJK*8RfPJ|TŽ^')C-a1%0C谗I2'G:? 0ŵ0a(&P& 4M$4u+^tyoh2l͂MOO[uS.W~퇻nH57 %kWktSAےl }1 pu qFAs "L&wq!,({Ʊ^ L8Y[9}'pM<%·Q,H;\3=>o^H9U9(|J&;YIՀν} OZp`l˩ YN?:5 [7_ j4=ͅ>Z79c>.V/AL21Li\c5,pQc` RpAdrr~eitn!%s *Ar/#C#ٿ?[赥  (yeT>0b4K`Fli݆⇴ӏ@Ju_ZIBi9,NG'jR~}p!h XOŔn$sBIRģ嵒!:J_ vPz6E'*;ft}d+0JSkH/j-Q?8grw'ar:\n'iǻػ敃})D2pGimŹI3ޛkz:ԯWe] P^Y) {Ɗ.Tڞ@Dl(j'`w@.(M:jl91b;C *񻣎-ߩeH3NB(q8T6$V~n4ȚE8ᦂG$4_p\.y@9W)(FG݄޼M؜z{ V"< qrsD}EʌJi MqȭO8ܰC8giԮh1{d>)S&7q6Rby*sy8`z9$q2nBr[ǎdU F0_#HT\$L#Ơ2V{0Rf#jM?MLY:?*A'mX\lz "F@FQij*SHn C3@P_n6F.ŗ5dڝ@:U='4M]m\kuf&# 0d襲~aYn.TA Ύ(V7Ț벢Ǜt5a qS7bwR%4zqZLz4mfa6}#k4$^7 1F+RiF[/^ W3%9$ȘPoY_kP:lKb ‘џHMi+; 842smc.xu;Sۦs;ʼKPg v+0ty=H]pфC\W\yxg^'2x<:G'OcK_+YnRc.+"]&Hksh(BK,f F<&;O3S?mN bz.PNWo*I3TLԅI'+ ")> Xc|]yHw*9eQ K`l^U]Hp_Y$r] n.0)l٩tbAvg . o ju`4߾kĕg^l. >d2xF{~$_%'Es:Px\ao:ko2!"0bRm4ou\ 1ov̈%P͐ PD[-o8B}Hrr#9cf|F1#d3.P0] z,yNMfqHkB":;u= p4:*-.lQTFar X ƜB;8|s!ۜ|&CB0Er a~x?a t?l1SVZ38Bc#Rv8O9 zS% o VbD֤BYӗ(s(OE;Ar!Y wgIUĭ GI<4A6LP0 V3.`xy2Wh> /@i%ϓT3-Љw jg3G.qmDÉ7 ?oM]jl,)P=/4s}Xw*qt r3>6dt~+RaLJ\zFB3xAh!%%(gc!Ds,eϙ9 +mGmj;<Nb190xPTD Y޲-p>8vIU#bE5< ,OW^c s׎L$0DxߴKUe̿z+#6 2,3Ea)4îoawfȧ]~% v!'UnT0"bEP*^6,QIم 'ɭ{ҡ>ĔPZ"gC ʍȄAxؒl()wӿ9AxeK^>P"0ՖPMenG߫\}gl$OƇNUgkz1cpu]vIM4 )YE i&I~Iuq.42UFƣ@W='M> b= -TQjdU1}baՅ6}E ѭ֚6kvW; &t]>Ҥ'I :HE։Z ~A~,0IUw)!NԎ{\I'aw+zaKPHƎOW&g&{#d2:h憧fgHkiw|=5H'ԡSiȒϏ'ce546᷶+qEjkCc%_rcR<Ҷ®J﹧*,0J{#Ä' lK:q4_%yroy su$y9ឪ%*ͣKqilS(F"2K1uXWlkq Ut| 5i 9O[)l|B%i/0RpH$BRrLK {&l>bvcq(BerΣ P 'zp%r]c6Vb9GΦy/Q~ȖF$X۝eK~3W"ZYB K;$F:10Jz0NW#􏪃@`~-}@H@`IL[+Dلs\|R7\~  lZ\%gi+CtJ?6wV f)-e.#uIXw=Z2M$v02 vs?nKrB oiOikYrĀ!i`I3;qao`{ ?M)L9dYGPWeXgGl[.x`)cZ^ Q 0.4d,$^7R7DPU(zSNu_줱xQ:HσRGD_BT3tVB>OKu+[s.6[0De0>0?`F#6:NWUQU)H>S$Kc#NPcבBҿ.O웳 Qy,#.PsxR 걹O &Z9Z1yFFp~b|Jk}%$M& A8}R ~pZr]63 r$$ȅfT߶]SFKkے<^DXVB>bk =utqYxo5~1bW^2d4fĘJ.;"z&AlN3Ų,ƒrQ Fa=1lCZs'hse*mo 'q4浥Iд}7S[k= :ʥDXj°ÊF@NJVP4fN5%B S+8TҧP'̃i)-BYIR> R \&m͏/h@B_ Lָ$V@e 4 In@窊!خ3҄A'Dzq$[ y Dl ,ko  `E+u f{nWn0 0 b6J,E@ -i<ِ_w5Bq K g`G;>Jٵ3hlcs%c)H $&0Gu[;w[ƣ';ݘ9t}Ogm۲$ TSf]^6(ho-;_OytEعCUOO[PPس*ȿՋi5m)\l{$x8B1­vLTeh6Ӡ9z6Nޭ/l!|lfKI{-/]"S7!z$rr .9qM9q^",Y`be"(3 ,3Z ~V$t7o/ح9\1Oci!O tY3ieN"1Gk#=kmɿqp{@'mT)dOf$-FC& !z 7WLEz}֕M%]<|5*|1 q:ml⼍CIA0a顜ňJ҈G +6=J9E+|aAy&yH)@T,2NxruCl{F%,6#f6O)Jwtp28}S8P.ѐ^vf3RdE2k12KJhZB`voIn,S&b* tFrjpۦsNOaf:y趱I>Ɲ9iٴH#[B3L=HdMHsn_=28?M'4)}T7*iݗH+o-T/ *5hsb)\ήIK=;z4".Yܼbr &Iaq"AMm%?)3|}*}w&J]cE'9]. FW?S,@˧rN? |-s,,JSENhl˧lWZn aҖl9$#Anv/pRr 7ۑ9L6A IwYPXNW~#8 ,K[IJ3x'ՊE5ܙ~ Q) 0T٣>;qzQL= Lu@Һ[HLS7Yeevk.![*2Z̻oc1tv/@س`,,'{J=/>>k. G Bk^YRZ :)#?UzstumR cT.!υ;)9= oU o[j4=݂h#i'6CPB!Ӵn(D#oَA/q<Pq =sǑ|O5mnR@"Db""@yb)Z8 HGWmĠd.ğ*SMXWBd|Rd#>]:B4F؉@0?BSxr6 "fyIfC7핹 O`W@N4U,֦Vيo x;?^x* %ZJ%L!T8:Ңy^[1yC5IbgbSŇ|y УTKb$Q۶ 58qr*J mqe7<4yv}*]CfM=ʔ&㉅f>)|JtH2J$1;T~8G}&דL4wm|ݞcf^Q#H+u, o6Mս,[ŠX>&b[XTR {47(@+,jH+"e_4 }wvk` 2RH6C,n˓즄 ur [N^^3,@I]\u,mn'(sCjZj0Bj 0N!oUw`Kʪ]%[ؒ:w< A^P1ʳ0yuw鮖 4L|HCڣۼ9n#B*9jRd ҆mTi6)d ȿh5ئsܼ6bBtFƲN# Qf⵭@hp`5nPN _fAH# i@R wr|9| |=sVoDorns׮"{{p2wݭ4:M:Z_Xr i `fxҊ^ó]7/+]eBIZ̒(TuhW oPX 4E@kuy vQ8sM[zmy~f1ǏgVY9s£THEPה] h9:dQ- TJm~ +Wlȣ}:ݚle-s(u6 > /TM<2!fQh۟)q,3~N'.Q " c8o 3} 'ߴđ3c~Ԭ֭;r=NkŎˀ8׹񌇏_aƓ.Mo ӣT2z%b_'wmT>'},s A>-NbNp2Ucכj𖜒+>T3VEڗEw0!\~"1TGDba7 &Zʽ z#VI//O2ik-jqLH+!)?TwS/Ƣo4{RD=zN}Zq9+JJ}$?jtftVl_:2`tc[ykbw׿줁 Zq|t" oQd+d-xFg$&S=bm9̮$ {_i "Sǯ=%{\nBb&m}!2!?Z1<1;n]%?'Qy&;0(OxZY{ӪD`{x,vͅ{z7 {B$:.ҎӾLkJAa`Tjw.zj"B S*![|c#ATfI;nQ=aa#]ڕ1ç2]<Է] u8x n 9rՔr1T_\l]F' L,:oa6!rHZBق9y^n*+y[/ڼW| fY1v ? %v=j!Áà[Ew; g/c|K<h6 l=RcF8>0KRɫ7LE}h3:N6e0jt4\dܡ?i:IԆimV6+sŔTq+A0i2  S{T5Elp@c)nj."H+͕&ձUSĔ)u&ei 3M E %[O:8Ok 2/~9Q]ʰ4[9z6͡7 Z(u..aׂǹP /~UBd8hpF)u"TizY)L iu@Eح1@h8.,z!4wT'RiҢ(o_u;*ɹF[˘x~LVWjQ]dm(/nOY$q (::>/6հieSbn.ތ^`x5^\d(|ʬ^IUP%4H,m$~3 p"5/7F=6'#8~;:/rAGx@p%άp&ٵeJ]ػ(=2v0Dv5˴0Y;ڵ,eA2dPҬ3 8\~ ;N5d¹<ʫjM1IV2πm o'4q([頻*n sa60)W\^{SGy5_2gP偘p^k.׎is%c&zͲ[2)vEzVsW2e)/:"wO-dtrPPьn)-wuTcB[[/|i &Ly;m#sUvr#[` 9I`ѝ"=>66M jV34q |Ai(k gY4mx},)n'N1ݜQ`O5muK@eޓ*}6mKbW S0ǃ yU)Cg~1>iWRvv #IEEKIe!$#otś;脍SjpjU 3&5&L+#gD_޻>`?;+2ehPijfБ "ek2[׵"43 ;])VK?:YCT ίnS/,1i$}OqWf愙  &@r奔: 1hKdEo`ɶfnTZ?7Dck8) QՀź (>diLdc w&n``J?΀N'{gޞi$PXkxi9˂w.Ebge(5U=N珗b^9bZzB.H tΠRvLMw2a#ykĒ_zkυƆB'=.PDXOH$21Q݋7Ӆ]P#/2O)/y~Sf]Fdj5\yol+;&)bH}\p ҃.xH\ u7NB(U0zNWa4}[2ϥ*(4{^ x)qdc?~{`Tͦg@.)f2uد!!9c{N#K#ѳߍiޠ]F+`ki-(7!<{rnzPʇ[?F ߧ;t)~t.5&/jߟ SJѕΈ*t7S@t/94CFp'[Mc ۮo*:˿T`>C QQL^.j=iԯR<[]pN6^ F0cCָ9Er$LhZVBOr \\lЎ0Ɖp?~aH`cτuDnvGrYk$00d)[TWj!5/LɎOΙRҠ8Z6Ɋ.ն3Wu?^8 f0e~=Z'A(}i9,H^5:9HSS){ sXR4aFl#p;n>k~U"A!0@hK?Qh C| "n0B.C;Vwmi/ 4zmC?? ks :FA?b|X=jub8G]=&Y]EBR$:ZJU+#ya \rQ#MAN끷w2Zaj)8ӋVl/#<tMv aq^!йK; e%n<)D]#Kaa`0ЂؠLnwjv k.R$(.X]{V=Z;#ptPnީf=qj 8 <`{c#Ԁ FLEi7D'UAeѦ`I_.Yxbř~he1ubD|sͤNYʸg$uRd/e8˴}x2SMo F>8rZ2D Sܶ#FQl F%dsṳD{h'Y@aXQCG* {/7lh*D}dEaB<@tctf:Ȏ HIχ&6T{<`4b2t?%-YuSpn{x!!5*0r/;B2uBmO=|aԥב"UR짏x+mo?+b~pkp-%]é]7^F٭.Li*@KNP#O~&P q5|ҹ+N~l2-|6v7965*GN"8K\]z](P(a5(Sx L=,)$c^3Ushl*)C*uȊ"?~E!1B+Xi h}֓R0ifs/+wlM*C Fš]Si4ff1FP_-# ׋4Nnck=Xd@|d ,hĢ+1=%ZCuPv98ؗɝyn;76M/W_A[y Ѝp9j9>r4qi̢'_\7={)Ժ,t. )$_%8׏<`ݗs5*ʍPD{pEGXҀOѥLhBKfA^X⑆.N .SZu:qp|Z?G碶wRj# pYI[f G>+УC]Ҥ_F sX48#N-# c~x"?2lz"l-Yr &̛ P"} ©ne8㌒~s/ľ[QdUG%tKa*^SEPIC=K 8 /e$!7DQ< C63)õS9 w;W>x,:uk$JگBvR6 oPD8V&c\RwS` g`$~f܈5W\,Q ZK<#"D\Š䛌m*#\ [fn|B[ .2\+ׂᩗvcR&qH-e&)p`C㣒К*GePwgI~IҡvSX 4O{ZYoNbY#zRi~8RBEh'H6OFP 3&[&Ǎ @$\uKddz.:?S^^MɕCGOmL+Ȗɝ}צq3hW=Ez/fRFt6m kM, e;6!mJ~LX2g(~%3=+Q 5\w!6 IZCXS=/C-IYR={7rpLSM2|eLS娦IMM3zfoPa 9JSD$3čLx/koghTdы"VՄz$Nz{4I3Yr[h`[PWAN+r-C7:29 SBs5ۦGZuK:6㗾G $WDSB*ҽ/LymILUJ_E k)o k+'(7QTW6%yufGY)|/Qru@:pA1]\Էݬ,dALԑ +s&s9d|w ߮2@]2jB܎1nS zIuI#G +N&!-xiYSTe/MaAkgKł+M!xYxfKhl*Ψ,wc{b1T -+V8lmb0wH3:N谼>:jnzm/MU@I\;+yI|!*r,{oU"t"?)TK9+7"jʈ$7r>P,kR6r@d&✊m3J3(/M+JT(%miLb'b%ōBM tJe꽊Rv܃@Ӈ?s8BBUO0ULsO TH`T Ri; 'AC?2M͟W,2oϣ;R <|EI?#\t-G;3k6jE RGoi'0$djU/Qg^*L_le״'{ƒ*+ d"s):AYBr~8[{Ab.թ%D&*Mb'5LKwpוNf}w@:m נw?O/표Y'ۘTݟ5O&àK~K d~3La"P\wIz } `⿤ p%v{ Xęy^ I ˾wW sZ`|DMx 6T/̒]i>^u^\zv yɷ/TQP\0SP`}p@j`0У )]?cMRS7/S$N"6BGkx4߹>v\ht[C@`V2D+b#0fikșKjqp^ґ,$}GWm!s9 ;?Mz6Hf5%;ʼnQ]t%a}ƲWKSKDS2UUր}繬r'~c!;? Vbs͆-Okw^jW}+)c_0x`odJM7&IGY7vvD3;CHjkD3&7Npߗr9_ D0=Y y)t+vT=l &D#,%OI -*x *`dA1UIB Fw)__.2 uL PIMsv|Ӂahta=pwhZ^ 30;=Rij/'mAf'^.&Gwµ&4{32Nވ8B 3|{u+F>\$g ]>{E9&>A톖xtw*76\]sK*N_ܮ+~lT@)z9ˁ[N5v-[yGt9)0;qbI]9:Bޞ}2-ZX%Gdfvi t~9OsͣR4}G%+[赑_ӑ Oj*B]4 2柷kX DDĘœyS>r$$VyPw6ј^m8[U"^R`Of^ƤYT\yj +Jߗ;7/B1=WvH@-І0${Ijrst4~RqۿndTǻRwgLwkd%b3%ТG1tI*qVގ.BKf=]n# Xp2 EY>zb/3A_%̙b99F%͜]Yq 7#޽p?ܲz- VZgtLp7{d((Pܯ⥍!܌ՕQUd]2nJ@<-}i+>l1پذfcIԵamIp-ʎTay?ԽRgBk .nx9З\N@xVke"0l“ƞMSDU+?\oֱ$%8 m#$k۠X[z?ѿdIE© %FGG]5Ü eyɕo{|}d%Mv~+ެM+:32גS "ym+Zpq71`Rj7}qޓu}9#fvz#UξZ ڰYT=y5,9>FC0v[q&o4-e:xQ?yw5o d4Ƣ ]*> ʉ%3hd u:vߢz (sٸ7on+TSWy#ee:֎AnԙZћE HTƏHÅ,z.@1}2 J}fa8آNMy͛﹟Vh7!xR#Uq@<ӭyȟ ׷#O[ 'VaP6E;M;6Q~jO6uia덮eI<} 8A[qNMªb=#3tg_'Ⱦ J%gv=FO)Y*]&?II!E ̾+%ɍCmp5m(?.| h,sPy8lQ\p$rQC-e"vn/^|Y|عj^ɴiRtHʦPͯ)S#<= R|N<$֬O_.Ͻ."w,=WkKYѫ,1nvi;]Tv;$'#:JR$0\|^n6Av@EsaUۦcDe@"3$}\ݑ6>vcoH~Lؠ!$jظ bF$1Lbs&*7,.g1:}baMMT9okRB"B)A1󽉴~O**SqĦl}ӎ>K$W*[74 d>!4į,zwɌKnV`yUz'G`"A@Ld ։OޫVXfs d:`ArZDdj^Ú)|U8e q 1t XnL6(Oz( ]z j [M%\P7nr]uTgr,(h6>UJ|L @$CUI>GmD!$Ko^7) G˰:*pǁAIyP `QfțkT]aP LS7J&׬Ю:$eZsP }24 ƎihrjA[ܐ*ny9!w'7\G_URJ <(M>Z=#~#9y!,NZ ?E-5!x|4T4-/mZƑ ǭ} &]艔<ίയ dq1d\(F ;B=?ђM՛ihc>McM/ׄ(s6JAslM9Y3| 7 ㆔Y4J|HvϠRbSȑ^^`;) *g8  snkWp\y.L65n}C{o9R;eJ&QୡEReV"s{\V LH2co9eʒ%BK৊1@ F@ ` Kxk k R $SB[+ԵP~ yŏ%_!<B:?uHZ@;ώ q8"Lm>^?etd%AF1[`/GvcE$)7s0T=}HVIP\n<]cmy|U;˕\cJsfwf;96l+RМD*JoDD۟#[QP #X sUҘPsW+8z>չ(@_E uZ=J,^Mսx'8֔-q6jNhtw2M8z@1LyWZ~DL\~4́VtKppzn᝖EC+-d/ygU3h0A_ hrC4^OO,woi_Y8 dGuOG HL*WrcWɉk3K מ ǜ |^MK:vh9)MA(L {d&t^F'EO=U$KUW.DJڬ6cDSVŻv9(8 7zVbz km!}!$3y"Y6ug1)bf9ET9|pY^u|lҕQU&x%ȋ]JfogGX5LF;xd^ճ_BH(,`~ 0RQ8h1|@ڮ}sހ >9:Yr"uwXFILy8Ne|CqNjY1˓khM_6(9PucV;Pu HR{`;/poU`Li&~~WVݻ}#Ĉ\辶'-VleuIAoˁE_X !g24'%p-lc~" X 5r,lx+ Ŷv+}DƊ m8utcNQ-CwZPmΦUʪcdZ}y4?oAA-kU?`dܐ̞s?1 ߂YID}xAI%U:Sn=. P!,!F/hQ1M6J կ`|̴(oSpaDӱ$ ~qNg~mmܪ,ØWH zLTGX 68V]TQyNm1u4x#@TIjS?p$3F{ȱۜ{fD=P\)t(ea4捐+1Q=zKLUЪ8_9JGL{8R,kT)[HWsɪ{H0aw΂Md^cXYyS&rg38 t~MG$z39K,HKAmUiof9RZzk9/pۥCke#x+3RV>j*4X +}\o' +_0rߓk{O^^ck_G.O;:Pȥ0 geFk֭ VC/fU  /1\s22`ENZʈ N4Jcknzshϸ˕Jšq;Ւ]8wjQ:ۻg"^cx*1 $Ej 6v:ER5,8odSy}-/Yrw[ծ>RZ2g:ix7"1AD ng͒ji|7[ݡ'ZE=-un~rqZdXK :mpFX۾dp*iV7 & ʽƧɱľЖP!!42JN sƵZP ^ fET dmxNPVUߣ2H&n ĆTuYvU^rY08 lbVvo2xڽ~&_I-ʐ_:FK')s虼]8Bu)ƐȊy.ݗ96H=e|}Rwoi,+!3f:]dRuF֝nN&\{zBs0tpȜ\x[ɒ\!Ue2=qODJgگ󎘽ey}Jt7t<ˇ/߈&qڐ^ _ě׎F)ymu(dIv<xk!PnxAcqUbUAu^.MleႰd+֠bI~\ki'Mr:MRNE #ٸ݁ŖƠ ͑KjB#٘nԇ|ciy7B\^ɘл6+2\\m 1v25nU`a,×Pzɟ4Q.b,TD~ *֤C>< YlKMB+LBXu|iU_iه:CXb5]2/mw!T3u{c`0 KM[.p7;?P̾@!!%ѥI[%~^a+y3*YwF((*=#vI/PD0E/bV61`X6 s#n$ x@ٸM|77oA;Ζ3q*-tދ~n-˶QB6]o[ZcEb"M{">kYSr d+{`-dr AK%βĶGܲeچ1M/s(O! A'eLOQuya Bˑ|Ѣ[!$bX;=7&/Y2/WdbYV"1WكNuɐ0ߴ`}IUN#6qVm4\oѡjMd3ajw,-# EvfjY"ZQL.u#I}L6D D%-[ ɍA`Kt2zQzX%diK4aܹ1l1- [7^YNj4Qzp[)s%EtU߾Dy-1JR?m&]&ot *@m( < z՞t; ||ۯ0DUDUq7bŒ% J k \?y{P5mGީV.W bcMOeҔ*ok/dxIXKy#Y(f('MC>9 8.QہO"2ùTuDigZDve6:9g/ cXOeos"U0MZe:5)iEkL!kHګ?Kx5a!m%eR5v.c@$2ͦm%.`OG RI,qZR˹so;l+ЮviN[Y֭FbiFiDd'~ hy0' CJ$J)5 o۞ӮT ꚛLe;M$"qn%q{rJ׵`o9ZHdIh٘;8k\.1Xewϝ6;cL`9!޷X<š,ЁfѶ 4>Fw} M2<׽TWnN9Y%Y-oİ+[)g=v“&Lj#W(2-N\y锡lUiX{ei!uwP.S.'d{N9-eCA}VmJM Ρm}D%, S &0w;>vЁ$'T|!6!}YP=wc#xsU|:Aġ'lB OPjõՏЬٮ9"( uه* 4 5:ʕb> Β@&f9 )YCR]. 2RҾ&:B^T g_{b²/-` N9[YվJW݀ 1І;zQyJ13&<~l;60Gljq7 6Pw`#]9f.ŗNoP׵OU *FB!?㩴SPۛ;$\=#Y@4HD}z3p^~ȿD5nJfhC<ز/&QW͟ i:12&a=MbX8J %Z#R$/&e"Jyԓ7wQސhKW<7n(>98寂#6OD%7ti!z5{&WL>:PeW4SW.Ѭv>Zֻ0G8;1dGy؞˕oɫQQCY0gB̗^?=A9g(0L)N1: r/CKdqI껋s8 ZV_995LvIRpлd E5#¿gZēԖ0\# AMݖnTn0¾ȟ'}HrށnV3WtuWۣ;AOA|]8fb^6nS[}I\j\/1myvSMamozXC[h(lfW%!9:#PǾX56s*^N"X >ݥŝ3ߢяo\j_ u0P* [6k5.`%טf]U\nͶ1Ykq#+B)DE1\2ޏ'W9whKzeam}@zpL#7H Gՠ{sbi~xha91gMs(L[{ ~up&4@d42Fvx_6ޘ I,RnmD> `BYfUD .R[a( Zl*ZnU^ZڵNd? 4FtF%bc&/t4sdddwLϷ ZkQk"z#o?4!цni x O+3tQ>a2:j"HО*<_8=Ҕ~z=k$!_#l^@wַF3rxwuuKwcbU;t-s9OD yy+ IB|Ȍ(o 2/XEN18Oó (;k7SJr|@[ 'EB0^ &l%g7zPNװd.."|+34ڸQFC^ w˿^UM2gZ#qc4IlÆSo@aڊ򳮮$b&g9FF95 ClHf57!ӔG'w\:I w+X,c͝gn,DVIrEFtɞiM" +7jޱ[p9$Q< v Iꈟzv.|&b]Q &T2yBhj,Ƙ%eT _'QK:+HWM|#\&8b;oܘOrz*sƘo#xGWz`Hw4Qc {ELg]tYʧR?Q1(fLrc3~CbMD(dCi~NtʡW4c[淔J `Mo[b{DFrف*ЏadGsU;'gru$hYYZ%ⷅb r!cfcUں&]ُG(N2*;5 `T{K93^bqxo"ܨ ,]TGmݡJG|o c9u?UKi"I_e/fz]Agrd6[%vQZv œ/{ ey9#S7C⃇:g`(v 2fZZU[s{!w^SՔTn wt8p^# 52[l1jĺqՔ|GUϞT+;_8rrƲ4\VTTi{t&UavA"JrХgKQܤ-) -t}3]ѨQwB:(աX!\崄#|1){f \PA =msT,},I%Ix VOv*)̧O+! j>]9M|rDś gܵ`=4' _拇{ΥdE[8Q*Ħ lH:R#Shw?&8w#i-]4 /QfhEq2 5DKYg9BGa!NLO8 8BdvP5,(i3ۂ:]:;̩A  }I^tXϟ"iQ)JCS9y7z)DD\ bsU34[nm,'o\lzyc\** @#xގ ֯~Fj>J'nDҿgLp~^b[E$NH0yl׉q=^Trd\p>RZ7/"Pi}E{c=_hIQ.[q_Ò2QEyâaM*j;h?TYi&g !ZNX>v0?s'1 -f_Tdb< s rΊ(&-giR=}1>,Xk=V)ʼX$}xsg-o<8}1Q͏ӓMQUݩ9d&6AL9`QXXCpV '>{JU0BL&`(-Z*236h蜵)xfLaa&0~i "&"3)ۍu%E? $ 8< M~'*]_( v/aWVj 6t 23RLGA]ѩdMQ̪he@/ZHtM%&;T$e؁o?V%Bd*0ͥ Rxtjr,Ag%(I67[7iI,NP#5F B{TΟe дfE9|NwPGEhV֠C?$M깄p sV J¨dtOb1i>j]6 !:vQt 1w sn]%mFBma-tv.WL]Ȁ;~5?eܳ7HZF|3^3hI`  *[n' zJVsh 4yqcd vtGS/黴*?|ߣi~,ѦM2l&xuE#rjRv0>Y W^$FmM9Z֡a` قi8PdtO"-LY {`c81qu. 2ޚJEC > Q]af iYVb\Wu;CfABw]׮_^prŜ\hī#dhMދң#VjYWQeA$c'uA$|Y=Z&=):<3%B> u*ߔ ߉idײ* }NRc<+mv\&7ʼO& ڤ@VTVf%N Kn7soymdժ` 3 w}:*'A1Xm Hο;s)F03NIyЌdlCg/<`;+ C/qA"2"]SJV|4YIk D&x$)*襊t/V6v ݯ@Om2΂"Oڵ_e'opjhT-蠛#~*G6X8gE,PSjm(5Vcɥ=X se#={I;{NaBͧbU&fHq 7}r6 NgARG(hMq>kMsf8'NSyPl;2rNφy(W5QeHy ^i$B%[/]=Ұ|+X_ïjqܳ|K$Zce'_D  )btDT#[VM3ONyu𶦳E| ZV6eyYI f5s|E5EG@Q-+ܙӋM{?bn+3U9̖ƅѕ%q02n yA τKOE,))"{)V["d;v{ vU4jݢl"V|C{|Wp#ROIT߮$Շ%+Oe*N􃹎-$FX>j>!ʔK?a@҄"PvLoae#OΡ>,B[a4pRi'b]-&4Hlo&n] [ݎbшS!&ODžjbsw~s|m`:͸aqV A:cR:>XԦW!9+ȯCdW-Q҂|x-m|rB VݏaO'T|b [Aa!-,C:2|(nJޫ=R_mH4и8puia$:Kge^b!q"* Gj`tqPXQUv1y̢#N a +"MYWN4N$cEK3dCl~G=`%$'f]ۣYv`uclF˚8_:ieBdT T$6:DMjlx>Mj۷qmT$3_|3UC-,Th_0g=}0|.DƩ}>$\sA-JMWfS/ʛoz 08TQi^{cC ~} huX>.4z<O/L!N9ȭPV?B)d7{YҮིB_` AZYQĺj2!J15a7ݦbQ'QjS7Ǝ(hcOMZ*_kVg܋XV(Qy2qP`˥_b^qFS+cd\tA[ևkZQlI7ǂ0tQr\n B0u0 vUe*O:Do\ ѯŠBQ$LfM7QT/ G-L 5 a TioIX!?=~v6sͫBD5RPLnX`UzgioJ:rH͟D|f˵/ B%'oZ/#adUiߑ t7{$;'vK:WY>o"%IN/쐏`HN %Cۀ R(&Ga:bL~s}1Z ]kꃍȈDXտ40 Rܑxf@R%QSSʵKUY5ʘ=hw)O~1.@ڝNF\% T{xtY7vf1mG!T!؁7:5rX_kEmRA٤@[iOs~IiRw qs>y 1lyU{o=yHR_s8QWg^BǪ{3Up PgTccxRc ^Փ o=Ʀ=Q'$EjQ绢h+,~ Q}cv%\-=g=`2:1 T ffY\G|$t&FhBzZ#T8mu61%klWaAe/@r ̗B e){}$Zzl|>G,UnFLSfc?M2H#Ah] w<6>kl ';ǻ6a[ f 6|"-@;ާ 9&|. D4Pt[ܜQzxh8p%y?qkBκbyQ#YZF×b.F$e{~Ul+ %a2<||5Sr݅J]]I>SRDNdEjw =apGX|hD}5pr6f/ Bgڗ7&yz%W8bNd{nQ >}[+pqr`xvW5Ϗ?D[Va=d)DtB@ 2? !;vrFfU߀/tu/d"U)6ܷ_崱QEC\@fQ Y4t-тɣdb(\Ҥq}lUgTPBǏzZU.i  XZgs2&moE.g*$ |sIlpdY^ST |u^eb~!{@&IKS lы1f[\qN(YO/R< b$Xmj.GUva <svنtf09ҩuPZgSms(lo?&MC3fYxnT3X. OzJ({URĽBRSlX8+ 8zkEwRdvzB[řT.t!rUf_ ߂th>7_`DYx[X]lX)V-4HhBUTj% $0աu~RsI}JZ +茣=G?_gm N\kJe ,x 佪ݺD(2_YI=#i Q36.P T3GbZ ]'peJÏx$ۤ]'$8=kzhC V XZp_&wЙk1h'}Y3UL$${XDivU7%`l.]] VTL'ID#C2F7g1WĨT d ⹻6fA*JP+ӠEɴ/t@u8hsf?QMO<|vgUp ؐ$#ԃ[Ǽ88}/ Dߘ&@;4nmKXgWl':CSC]~u0~`7]g0l~LPG ;u!98u,YhSL><1 q*öf§zxLi 1ђ[ f;7p,;r1EL8 PBrqmܾډSș 孅˩I76kS$Ra,s 8Kn q@&,+s:؞*U0 YZ