sssd-ad-1.16.2-13.el7$>tQ[n^xAQ>;?d   4 "6SY`x      *Hd|JJ dJ   ( 8 9(:ulGxHIXY\]^<bdefltuvw$x<yTXCsssd-ad1.16.213.el7The AD back end of the SSSDProvides the Active Directory back end that the SSSD can utilize to fetch identity data from and authenticate against an Active Directory server.[!x86-01.bsys.centos.org{CentOSGPLv3+CentOS BuildSystem Applications/Systemhttps://pagure.io/SSSD/sssd/linuxx86_640K.AA큤[[[[[[c9a268b350e4055fc4fd726a90af329db8cdc5b64abcea485fdc5267cd9743df64359a89931898470e24bb2d7fac5213527bb0200bb0f9f7d25e66798203a9e48ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b9038031df2353b541e4510094c675ea5941cc1e8cafde0678db40d7d05f79a6612e2d87edf6a824019d9ce5284ba6f6c9fc91d17053f4f5b97b1e850b06242ba7f7rootrootrootrootrootrootrootrootrootrootrootrootsssd-1.16.2-13.el7.src.rpmlibsss_ad.so()(64bit)sssd-adsssd-ad(x86-64)@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@   @ bind-utilslibbasicobjects.so.0()(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcollection.so.2()(64bit)libcom_err.so.2()(64bit)libdbus-1.so.3()(64bit)libdhash.so.1()(64bit)libdhash.so.1(DHASH_0.4.3)(64bit)libdl.so.2()(64bit)libglib-2.0.so.0()(64bit)libini_config.so.3()(64bit)libini_config.so.3(INI_CONFIG_1.1.0)(64bit)libk5crypto.so.3()(64bit)libkeyutils.so.1()(64bit)libkrb5.so.3()(64bit)liblber-2.4.so.2()(64bit)libldap-2.4.so.2()(64bit)libldb.so.1()(64bit)libldb.so.1(LDB_0.9.10)(64bit)libndr-krb5pac.so.0()(64bit)libndr-krb5pac.so.0(NDR_KRB5PAC_0.0.1)(64bit)libndr-nbt.so.0()(64bit)libndr-nbt.so.0(NDR_NBT_0.0.1)(64bit)libndr-standard.so.0()(64bit)libndr.so.0()(64bit)libndr.so.0(NDR_0.0.1)(64bit)libnspr4.so()(64bit)libnss3.so()(64bit)libnssutil3.so()(64bit)libpcre.so.1()(64bit)libplc4.so()(64bit)libplds4.so()(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libref_array.so.1()(64bit)librt.so.1()(64bit)libsamba-util.so.0()(64bit)libsasl2.so.3()(64bit)libselinux.so.1()(64bit)libsmbclient.so.0()(64bit)libsmbclient.so.0(SMBCLIENT_0.1.0)(64bit)libsmime3.so()(64bit)libssl3.so()(64bit)libsss_cert.so()(64bit)libsss_certmap.so.0()(64bit)libsss_child.so()(64bit)libsss_crypt.so()(64bit)libsss_debug.so()(64bit)libsss_idmap.so.0()(64bit)libsss_idmap.so.0(SSS_IDMAP_0.4)(64bit)libsss_krb5_common.so()(64bit)libsss_ldap_common.so()(64bit)libsss_util.so()(64bit)libsystemd.so.0()(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb.so.1()(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rtld(GNU_HASH)sssd-commonsssd-common-pacsssd-krb5-commonrpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-11.16.2-13.el71.16.2-13.el71.16.2-13.el75.2-1sssd1.10.0-8.beta24.11.3[@[l,[b@[a[Y[Y[H@[E@[6@[0@[,[,[d@[[Z@Z@ZmZ@Z_@Z_@Z@ZyZhu@Z3@Z2gZ.s@Z*~Z'Z!D@ZZ@Z Z @Z7ZNYZ@Y@YYJ_YJ_YC@YBvYBvY9<@Y9<@Y5GY5GY5GY5GY0Y0Y(Y(Y%uY%uY$$@Y$$@Y"Y;@YR@YR@Y Y @Y @YtYtYtYtYtYXXh@XXX@X@X@XsX@X@X@XۡXۡXXӸX,XCX@XX*X lX lX lW$WW;W;W;W֘W֘W@W^@WiWiWiW/@W/@W/@W/@WWWWQWQWQW@W@W@WhW@W@Wt@WE@WE@W@W@W@W@WW~W-@W-@W-@WW@WWu WgWDB@WDB@WDB@WBW;W;W@VbV͛@VTQ@VCV @V @V @V V@VBVBVBVBVBUUUU@UXU@U@U@UUUUUUUUL@UL@UU@U@U@UnU@U(U@U@UUmUmU@UJ@UU7@U7@U7@U @U@U@TE@TE@TE@Tи@Tr@Tr@Tr@Tr@T}T}T}T}T}T7T7TTC@TTZ@TZ@TT@Tp@Tp@T@T{T*@T*@TTT~@T~@TuTuTto@Tto@Tto@Tto@Tto@Tto@TmTmTmTmTl@Tl@Tl@Tl@TcKTa@T\@TZ@TZ@TR(@TG@TG@TG@TG@TG@TD@T6xTTT SS@S|@Sr @Sr @Sr @Sr @S;S;S2@S2@S,)S!S L@SSS@S@S@S@S@S @S @S @S @S @S @S @S @SSSRb@Rb@Rb@R@R@R@R@RURURUR߲RRRx@Rx@Rx@RΏ@RΏ@RΏ@R=R=RkRRRR@R@R@R@R@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@RpREs@REs@R7Q@Q@Q@Q@Q@QQLQکQQQo@Q)@Q@QQ@Q@QbQyQV@Q'@QQQnQZ@Q0@QQQ@Q@QQ @QQh@PP@P@P@Pz@Pz@PqnPl(PaPaPS@PH@PDPM>M2@MMzMx@Mj - 1.16.2-13Fabiano Fidêncio - 1.16.2-12Jakub Hrozek - 1.16.2-11Jakub Hrozek - 1.16.2-10Jakub Hrozek - 1.16.2-9Jakub Hrozek - 1.16.2-8Fabiano Fidêncio - 1.16.2-7Fabiano Fidêncio - 1.16.2-6Fabiano Fidêncio - 1.16.2-5Fabiano Fidêncio - 1.16.2-4Fabiano Fidêncio - 1.16.2-3Fabiano Fidêncio - 1.16.2-2Fabiano Fidêncio - 1.16.2-1Fabiano Fidêncio - 1.16.0-25Fabiano Fidêncio - 1.16.0-24Fabiano Fidêncio - 1.16.0-23Fabiano Fidêncio - 1.16.0-22Jakub Hrozek - 1.16.0-21Fabiano Fidêncio - 1.16.0-20Fabiano Fidêncio - 1.16.0-19Fabiano Fidêncio - 1.16.0-18Fabiano Fidêncio - 1.16.0-17Fabiano Fidêncio - 1.16.0-16Fabiano Fidêncio - 1.16.0-15Fabiano Fidêncio - 1.16.0-14Fabiano Fidêncio - 1.16.0-13Fabiano Fidêncio - 1.16.0-12Fabiano Fidêncio - 1.16.0-11Fabiano Fidêncio - 1.16.0-10Fabiano Fidêncio - 1.16.0-9Fabiano Fidêncio - 1.16.0-8Fabiano Fidêncio - 1.16.0-7Fabiano Fidêncio - 1.16.0-6Fabiano Fidêncio - 1.16.0-5Fabiano Fidêncio - 1.16.0-4Fabiano Fidêncio - 1.16.0-3Fabiano Fidêncio - 1.16.0-2Fabiano Fidêncio - 1.16.0-1Jakub Hrozek - 1.15.2-51Jakub Hrozek - 1.15.2-50Jakub Hrozek - 1.15.2-49Jakub Hrozek - 1.15.2-48Jakub Hrozek - 1.15.2-47Jakub Hrozek - 1.15.2-46Jakub Hrozek - 1.15.2-45Jakub Hrozek - 1.15.2-44Jakub Hrozek - 1.15.2-43Jakub Hrozek - 1.15.2-42Jakub Hrozek - 1.15.2-41Jakub Hrozek - 1.15.2-40Jakub Hrozek - 1.15.2-39Jakub Hrozek - 1.15.2-38Jakub Hrozek - 1.15.2-37Jakub Hrozek - 1.15.2-36Jakub Hrozek - 1.15.2-35Jakub Hrozek - 1.15.2-34Jakub Hrozek - 1.15.2-33Jakub Hrozek - 1.15.2-32Jakub Hrozek - 1.15.2-31Sumit Bose - 1.15.2-30Jakub Hrozek - 1.15.2-29Jakub Hrozek - 1.15.2-28Jakub Hrozek - 1.15.2-25Jakub Hrozek - 1.15.2-24Lukas Slebodnik - 1.15.2-23Jakub Hrozek - 1.15.2-22Jakub Hrozek - 1.15.2-21Jakub Hrozek - 1.15.2-20Jakub Hrozek - 1.15.2-19Jakub Hrozek - 1.15.2-18Jakub Hrozek - 1.15.2-17Jakub Hrozek - 1.15.2-16Jakub Hrozek - 1.15.2-15Jakub Hrozek - 1.15.2-14Jakub Hrozek - 1.15.2-13Jakub Hrozek - 1.15.2-12Jakub Hrozek - 1.15.2-11Jakub Hrozek - 1.15.2-10Jakub Hrozek - 1.15.2-9Jakub Hrozek - 1.15.2-8Jakub Hrozek - 1.15.2-7Jakub Hrozek - 1.15.2-6Jakub Hrozek - 1.15.2-5Jakub Hrozek - 1.15.2-4Jakub Hrozek - 1.15.2-3Jakub Hrozek - 1.15.2-2Jakub Hrozek - 1.15.2-1Fabiano Fidêncio - 1.15.1-2Jakub Hrozek - 1.15.1-1Jakub Hrozek - 1.15.0-2Jakub Hrozek - 1.15.0-1Jakub Hrozek - 1.14.0-46Jakub Hrozek - 1.14.0-45Jakub Hrozek - 1.14.0-44Jakub Hrozek - 1.14.0-43Jakub Hrozek - 1.14.0-42Jakub Hrozek - 1.14.0-41Jakub Hrozek - 1.14.0-40Jakub Hrozek - 1.14.0-39Jakub Hrozek - 1.14.0-38Jakub Hrozek - 1.14.0-37Jakub Hrozek - 1.14.0-36Jakub Hrozek - 1.14.0-35Jakub Hrozek - 1.14.0-34Jakub Hrozek - 1.14.0-33Jakub Hrozek - 1.14.0-32Jakub Hrozek - 1.14.0-31Jakub Hrozek - 1.14.0-30Jakub Hrozek - 1.14.0-29Jakub Hrozek - 1.14.0-28Jakub Hrozek - 1.14.0-27Jakub Hrozek - 1.14.0-26Jakub Hrozek - 1.14.0-25Jakub Hrozek - 1.14.0-24Jakub Hrozek - 1.14.0-23Jakub Hrozek - 1.14.0-22Jakub Hrozek - 1.14.0-21Jakub Hrozek - 1.14.0-20Jakub Hrozek - 1.14.0-19Jakub Hrozek - 1.14.0-18Jakub Hrozek - 1.14.0-17Jakub Hrozek - 1.14.0-16Jakub Hrozek - 1.14.0-15Jakub Hrozek - 1.14.0-14Jakub Hrozek - 1.14.0-13Jakub Hrozek - 1.14.0-12Jakub Hrozek - 1.14.0-11Jakub Hrozek - 1.14.0-10Jakub Hrozek - 1.14.0-9Jakub Hrozek - 1.14.0-8Jakub Hrozek - 1.14.0-7Jakub Hrozek - 1.14.0-6Jakub Hrozek - 1.14.0-5Jakub Hrozek - 1.14.0-4Jakub Hrozek - 1.14.0-3Jakub Hrozek - 1.14.0-2Jakub Hrozek - 1.14.0-1Jakub Hrozek - 1.14.0beta1-2Jakub Hrozek - 1.14.0alpha-1Jakub Hrozek - 1.13.0-50Jakub Hrozek - 1.13.0-49Jakub Hrozek - 1.13.0-48Jakub Hrozek - 1.13.0-47Jakub Hrozek - 1.13.0-46Jakub Hrozek - 1.13.0-45Jakub Hrozek - 1.13.0-44Jakub Hrozek - 1.13.0-43Jakub Hrozek - 1.13.0-42Jakub Hrozek - 1.13.0-41Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 1.12.2-58.3Jakub Hrozek - 1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 1.11.2-52Jakub Hrozek - 1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Resolves: rhbz#1593756 - sssd needs to require a newer version of libtalloc and libtevent to avoid an issue in GPO processing- Resolves: rhbz#1610667 - sssd_ssh leaks file descriptors when more than one certificate is converted into an SSH key - Resolves: rhbz#1583360 - The IPA selinux provider can return an error if SELinux is completely disabled- Resolves: rhbz#1602781 - Local users failed to login with same password- Resolves: rhbz#1586127 - Spurious check in the sssd nss memcache can cause the memory cache to be skipped- Resolves: rhbz#1522928 - sssd doesn't allow user with expired password- Resolves: rhbz#1607313 - When sssd is running as non-root user, the sudo pipe is created as sssd:sssd but then the private pipe ownership fails- Resolves: rhbz#1600822 - SSSD bails out saving desktop profiles in case an invalid profile is found- Resolves: rhbz#1582975 - The search filter for detecting POSIX attributes in global catalog is too broad and can cause a high load on the servers- Resolves: rhbz#1583725 - SSSD AD uses LDAP filter to detect POSIX attributes stored in AD GC also for regular AD DC queries - Resolves: rhbz#1416528 - sssd in cross realm trust configuration should be able to use AD KDCs from a client site defined in sssd.conf or a snippet - Resolves: rhbz#1592964 - Groups go missing with PAC enabled in sssd- Resolves: rhbz#1590603 - EMBARGOED CVE-2018-10852 sssd: information leak from the sssd-sudo responder [rhel-7] - Resolves: rhbz#1450778 - Full information regarding priority of lookup of principal in keytab not in man page- Resolves: rhbz#1494690 - kdcinfo files are not created for subdomains of a directly joined AD client - Resolves: rhbz#1583343 - Login with sshkeys stored in ipa not working after update to RHEL-7.5 - Resolves: rhbz#1527662 - Handle conflicting e-mail addresses more gracefully - Resolves: rhbz#1509691 - Document how to change the regular expression for SSSD so that group names with an @-sign can be parsed- Related: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch- Resolves: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch - Resolves: rhbz#1523019 - Reset password with two factor authentication fails - Resolves: rhbz#1534749 - Requesting an AD user's private group and then the user itself returns an emty homedir - Resolves: rhbz#1537272 - SSH public key authentication keeps working after keys are removed from ID view - Resolves: rhbz#1537279 - Certificate is not removed from cache when it's removed from the override - Resolves: rhbz#1562025 - externalUser sudo attribute must be fully-qualified - Resolves: rhbz#1577335 - /usr/libexec/sssd/sssd_autofs SIGABRT crash daily - Resolves: rhbz#1508530 - How should sudo behave without sudoHost attribute? - Resolves: rhbz#1546754 - The man page of sss_ssh_authorizedkeys can be enhanced to better explain how the keys are retrieved and how X.509 certificates can be used - Resolves: rhbz#1572790 - getgrgid/getpwuid fails in setups with multiple domains if the first domain uses mid_id/max_id - Resolves: rhbz#1561562 - sssd not honoring dyndns_server if the DNS update process is terminated with a signal - Resolves: rhbz#1583251 - home dir disappear in sssd cache on the IPA master for AD users - Resolves: rhbz#1514061 - ID override GID from Default Trust View is not properly resolved in case domain resolution order is set - Resolves: rhbz#1571466 - Utilizing domain_resolution_order in sssd.conf breaks SELinux user map - Resolves: rhbz#1571526 - SSSD with ID provider 'ad' should give a warning in case the ldap schema is manually changed to something different than 'ad'.- Resolves: rhbz#1547782 - The SSSD IPA provider allocates information about external groups on a long lived memory context, causing memory growth of the sssd_be process- Related: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1516266 - Give a more detailed debug and system-log message if krb5_init_context() failed - Resolves: rhbz#1503802 - Smartcard authentication fails if SSSD is offline and 'krb5_store_password_if_offline = True' - Resolves: rhbz#1385665 - Incorrect error code returned from krb5_child (updated) - Resolves: rhbz#1547234 - SSSD's GPO code ignores ad_site option - Resolves: rhbz#1459348 - extend sss-certmap man page regarding priority processing - Resolves: rhbz#1220767 - Group renaming issue when "id_provider = ldap" is set - Resolves: rhbz#1538555 - crash in nss_protocol_fill_netgrent. sssd_nss[19234]: segfault at 80 ip 000055612688c2a0 sp 00007ffddf9b9cd0 error 4 in sssd_nss[55612687e000+39000]- Resolves: rhbz#1565774 - After updating to RHEL 7.5 failing to clear the sssd cache- Resolves: rhbz#1566782 - memory management issue in the sssd_nss_ex interface can cause the ns-slapd process on IPA server to crash- Related: rhbzrhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1543348 - sssd_be consumes more memory on RHEL 7.4 systems. - Resolves: rhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1523282 - sssd used wrong search base with wrong AD server- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set - Related: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7]- Resolves: rhbz#1517971 - AD Domain goes offline immediately during subdomain initialization - IPA AD Trust - Related: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1527149 - AD provider - AD BUILTIN groups are cached with gidNumber = 0 - Related: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1525644 - dbus-send unable to find user by CAC cert- Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card- Resolves: rhbz#1512027 - NSS by-id requests are not checked against max_id/min_id ranges before triggering the backend- Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card - Resolves: rhbz#1520984 - getent output is not showing home directory for IPA AD trusted user - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1421194 - SSSD doesn't use AD global catalog for gidnumber lookup, resulting in unacceptable delay for large forests- Resolves: rhbz#1482231 - sssd_nss consumes more memory until restarted or machine swaps - Resolves: rhbz#1512508 - SSSD fails to fetch group information after switching IPA client to a non-default view- Resolves: rhbz#1490120 - SSSD complaining about corrupted mmap cache and logging error in /var/log/messages and /var/log/sssd/sssd_nss.log- Resolves: rhbz#1272214 - [RFE] Create a local per system report about who can access that IDM client (attestation) - Resolves: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Resolves: rhbz#888739 - Enumerating large number of users makes sssd_be hog the cpu for a long time. - Resolves: rhbz#1373547 - SSSD performance issue with malloc and brk calls - Resolves: rhbz#1472255 - Improve SSSD performance in the 7.5 release- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1432010 - SSSD ships a drop-in configuration snippet in /etc/systemd/system - Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available- Resolves: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Related: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1408294 - SSSD authentication fails when two IPA accounts share an email address without a clear way to debug the problem - Resolves: rhbz#1502686 - crash - /usr/libexec/sssd/sssd_nss in nss_setnetgrent_timeout- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1484376 - [RFE] Add a configuration option to SSSD to disable the memory cache - Resolves: rhbz#1327705 - Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1505277 - Race condition between refreshing the cr_domain list and a request that is using the list can cause a segfault is sssd_nss - Resolves: rhbz#1462343 - document information on why SSSD does not use host-based security filtering when processing AD GPOs - Resolves: rhbz#1498734 - sssd_be stuck in an infinite loop after completing full refresh of sudo rules - Resolves: rhbz#1400614 - [RFE] sssd should remember DNS sites from first search - Resolves: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Resolves: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1469791 - Rebase SSSD to version 1.16+ - Resolves: rhbz#1132264 - Allow sssd to retrieve sudo rules of local users whose sudo rules stored in ldap server - Resolves: rhbz#1301740 - sssd can be marked offline if a trusted domain is not reachable - Resolves: rhbz#1399262 - Use TCP for kerberos with AD by default - Resolves: rhbz#1416150 - RFE: Log to syslog when sssd cannot contact servers, goes offline - Resolves: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Resolves: rhbz#1454559 - python-sssdconfig doesn't parse hexadecimal debug _level, resulting in set_option(): /usr/lib/python2.7/site-packages/SSSDConfig/__init__.py killed by TypeError - Resolves: rhbz#1456968 - MAN: document that attribute 'provider' is not allowed in section 'secrets' - Resolves: rhbz#1460689 - KCM/secrets: Storing many secrets in a rapid succession segfaults the secrets responder - Resolves: rhbz#1464049 - Idle nss file descriptors should be closed - Resolves: rhbz#1468610 - sssd_be is utilizing more CPU during sudo rules refresh - Resolves: rhbz#1474711 - Querying the AD domain for external domain's ID can mark the AD domain offline - Resolves: rhbz#1479398 - samba shares with sssd authentication broken on 7.4 - Resolves: rhbz#1479983 - id root triggers an LDAP lookup - Resolves: rhbz#1489895 - Issues with certificate mapping rules - Resolves: rhbz#1490501 - sssd incorrectly checks 'try_inotify' thinking it is the wrong section - Resolves: rhbz#1490913 - MAN: Document that full_name_format must be set if the output of trusted domains user resolution should be shortnames only - Resolves: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Resolves: rhbz#1482674 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server - Resolves: rhbz#1486053 - Accessing IdM kerberos ticket fails while id mapping is applied - Resolves: rhbz#1486786 - sssd going in offline mode due to sudo search filter. - Resolves: rhbz#1500087 - SSSD creates bad override search filter due to AD Trust object with parenthesis - Resolves: rhbz#1502713 - SSSD can crash due to ABI changes in libldb >= 1.2.0 (1.1.30) - Resolves: rhbz#1461462 - sssd_client: add mutex protected call to the PAC responder - Resolves: rhbz#1489666 - Combination sssd-ad and postfix recieve incorrect mail with asterisks or spaces - Resolves: rhbz#1525052 - sssd_krb5_localauth_plugin fails to fallback to otheri localname rules- Require the 7.5 libldb version which broke ABI - Related: rhbz#1469791 - Rebase SSSD to version 1.16+- Resolves: rhbz#1457926 - Wrong search base used when SSSD is directly connected to AD child domain- Resolves: rhbz#1450107 - SSSD doesn't handle conflicts between users from trusted domains with the same name when shortname user resolution is enabled- Resolves: rhbz#1459846 - krb5: properly handle 'password expired' information retured by the KDC during PKINIT/Smartcard authentication- Resolves: rhbz#1430415 - ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in- Resolves: rhbz#1455254 - Make domain available as user attribute- Resolves: rhbz#1449731 - IPA client cannot change AD Trusted User password- Resolves: rhbz#1457927 - getent failed to fetch netgroup information after changing default_domain_suffix to ADdomin in /etc/sssd/sssd.conf- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15- Resolves: rhbz#1449728 - LDAP to IPA migration doesn't work in master- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1449729 - org.freedesktop.sssd.infopipe.GetUserGroups does not resolve groups into names with AD- Resolves: rhbz#1450094 - Properly support IPA's promptusername config option- Resolves: rhbz#1457644 - Segfault in access_provider = krb5 is set in sssd.conf due to an off-by-one error when constructing the child send buffer - Resolves: rhbz#1456531 - Option name typos are not detected with validator function of sssctl config-check command in domain sections- Resolves: rhbz#1428906 - sssd intermittently failing to resolve groups for an AD user in IPA-AD trust environment.- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail - Fix Coverity issues in patches for rhbz#1445445- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1446302 - crash in sssd-kcm due to a race-condition between two concurrent requests- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail- Resolves: rhbz#1306707 - Need better debug message when krb5_child returns an unhandled error, leading to a System Error PAM code- Resolves: rhbz#1446535 - Group resolution does not work in subdomain without ad_server option- Resolves: rhbz#1449726 - sss_nss_getlistbycert() does not return results from multiple domains - Resolves: rhbz#1447098 - sssd unable to search dbus for ipa user by certificate - Additional patch for rhbz#1440132- Reapply patch by Lukas Slebodnik to fix upgrade issues with libwbclient - Resolves: rhbz#1439457 - SSSD does not start after upgrade from 7.3 to 7.4 - Resolves: rhbz#1449107 - error: %pre(sssd-common-1.15.2-26.el7.x86_64) scriptlet failed, exit status 3- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15 - Also apply an additional patch for rhbz#1441545- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1434992 - Wrong pam return code for user from subdomain with ad_access_filter- Resolves: rhbz#1430494 - expect sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy manuals to be packaged into sssd-common package- Resolves: rhbz#1427749 - SSSD in server mode iterates over all domains for group-by-GID requests, causing unnecessary searches- Resolves: rhbz#1446139 - Infopipe method ListByCertificate does not return the users with overrides- Resolves: rhbz#1441545 - With multiple subdomain sections id command output for user is not displayed for both domains- Resolves: rhbz#1428866 - Using ad_enabled_domains configuration option in sssd.conf causes nameservice lookups to fail.- Remove an unused variable from the sssd-secrets responder - Related: rhbz#1398701 - [sssd-secrets] https proxy talks plain http - Improve two DEBUG messages in the client trust code to aid troubleshooting - Fix standalone application domains - Related: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Allow completely server-side unqualified name resolution if the domain order is set, do not require any client-side changes - Related: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users- Resolves: rhbz#1402532 - D-Bus interface of sssd is giving inappropriate group information for trusted AD users- Resolves: rhbz#1431858 - Wrong principal found with ad provider and long host name- Resolves: rhbz#1415167 - pam_acct_mgmt with pam_sss.so fails in unprivileged container unless selinux_provider = none is used- Resolves: rhbz#1438388 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_pam killed by 6- Resolves: rhbz#1432112 - sssctl config-check does not give any error when default configuration file is not present- Resolves: rhbz#1438374 - [abrt] [faf] sssd: vfprintf(): /usr/libexec/sssd/sssd_be killed by 11- Resolves: rhbz#1427195 - sssd_nss consumes more memory until restarted or machine swaps- Resolves: rhbz#1414023 - Create troubleshooting tool to determine if a failure is in SSSD or not when using layered products like RH-SSO/CFME etc- Resolves: rhbz#1398701 - [sssd-secrets] https proxy talks plain http- Fix off-by-one error in the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Resolves: rhbz#1434991 - Issue processing ssh keys from certificates in ssh respoder- Resolves: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users - Also backport some buildtime fixes for the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1340711 - [RFE] Use one smartcard and certificate for authentication to distinct logon accounts- Update to upstream 1.15.2 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html - Resolves: rhbz#1418728 - IPA - sudo does not handle associated conflict entries - Resolves: rhbz#1386748 - sssd doesn't update PTR records if A/PTR zones are configured as non-secure and secure - Resolves: rhbz#1214491 - [RFE] Make it possible to configure AD subdomain in the SSSD server mode- Drop "NOUPSTREAM: Bundle http-parser" patch Related: rhbz#1393819 - New package: http-parser- Update to upstream 1.15.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html - Resolves: rhbz#1327085 - Don't prompt for password if there is already one on the stack - Resolves: rhbz#1378722 - [RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases - Resolves: rhbz#1405075 - [RFE] Add PKINIT support to SSSD Kerberos provider - Resolves: rhbz#1416526 - Need correction in sssd-krb5 man page - Resolves: rhbz#1418752 - pam_sss crashes in do_pam_conversation if no conversation function is provided by the client app - Resolves: rhbz#1419356 - Fails to accept any sudo rules if there are two user entries in an ldap role with the same sudo user - Resolves: rhbz#1421622 - SSSD - Users/Groups are cached as mixed-case resulting in users unable to sign in- Fix several packaging issues, notably the p11_child is no longer setuid and the libwbclient used a wrong version number in the symlink- Update to upstream 1.15.0 - Resolves: rhbz#1393824 - Rebase SSSD to version 1.15 - Resolves: rhbz#1407960 - wbcLookupSid() fails in pdomain is NULL - Resolves: rhbz#1406437 - sssctl netgroup-show Cannot allocate memory - Resolves: rhbz#1400422 - Use-after free in resolver in case the fd is writeable and readable at the same time - Resolves: rhbz#1393085 - bz - ldap group names don't resolve after upgrading sssd to 1.14.0 if ldap_nesting_level is set to 0 - Resolves: rhbz#1392444 - sssd_be keeps crashing - Resolves: rhbz#1392441 - sssd fails to start after upgrading to RHEL 7.3 - Resolves: rhbz#1382602 - autofs map resolution doesn't work offline - Resolves: rhbz#1380436 - sudo: ignore case on case insensitive domains - Resolves: rhbz#1378251 - Typo In SSSD-AD Man Page - Resolves: rhbz#1373427 - Clock skew makes SSSD return System Error - Resolves: rhbz#1306707 - Need better handling of "Server not found in Kerberos database" - Resolves: rhbz#1297462 - Don't include 'enable_only=sssd' in the localauth plugin config- Resolves: rhbz#1382598 - IPA: Uninitialized variable during subdomain check- Resolves: rhbz#1378911 - No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain- Resolves: rhbz#1372075 - AD provider: SSSD does not retrieve a domain-local group with the AD provider when following AGGUDLP group structure across domains- Resolves: rhbz#1376831 - sssd-common is missing dependency on sssd-sudo- Resolves: rhbz#1371631 - login using gdm calls for gdm-smartcard when smartcard authentication is not enabled- Resolves: rhbz#1373420 - sss_override fails to export- Resolves: rhbz#1375299 - sss_groupshow fails with error "No such group in local domain. Printing groups only allowed in local domain"- Resolves: rhbz#1375182 - SSSD goes offline when the LDAP server returns sizelimit exceeded- Resolves: rhbz#1372753 - Access denied for user when access_provider = krb5 is set in sssd.conf- Resolves: rhbz#1373444 - unable to create group in sssd cache - Resolves: rhbz#1373577 - unable to add local user in sssd to a group in sssd- Resolves: rhbz#1369118 - Don't enable the default shadowtils domain in RHEL- Fix permissions for the private pipe directory - Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1371977 - resolving IPA nested user groups is broken in 1.14- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1371152 - SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side- Apply forgotten patch - Resolves: rhbz#1368496 - sssd is not able to authenticate with alias - Resolves: rhbz#1366470 - sssd: throw away the timestamp cache if re-initializing the persistent cache - Fix deleting non-existent secret - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1364033 - sssd exits if clock is adjusted backwards after boot- Resolves: rhbz#1362023 - SSSD fails to start when ldap_user_extra_attrs contains mail- Resolves: rhbz#1368324 - libsss_autofs.so is packaged in two packages sssd-common and libsss_autofs- Fix RPM scriptlet plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Add socket-activation plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Own the secrets directory - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1268874 - Add an option to disable checking for trusted domains in the subdomains provider- Resolves: rhbz#1271280 - sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)- Resolves: rhbz#1290500 - [feat] command to manually list fo_add_server_to_list information- Add several small fixes related to the config API - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Resolves: rhbz#1349900 - gpo search errors out and gpo_cache file is never created- Fix regressions in the simple access provider - Resolves: rhbz#1360806 - sssd does not start if sub-domain user is used with simple access provider - Apply a number of specfile patches to better match the upstream spefile - Related: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3- Cherry-pick patches from upstream that fix several regressions - Avoid checking local users in all cases - Resolves: rhbz#1353951 - sssd_pam leaks file descriptors- Resolves: rhbz#1364118 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11 - Resolves: rhbz#1361563 - Wrong pam error code returned for password change in offline mode- Resolves: rhbz#1309745 - Support multiple principals for IPA users- Resolves: rhbz#1304992 - Handle overriden name of members in the memberUid attribute- handle unresolvable sites more gracefully - Resolves: rhbz#1346011 - sssd is looking at a server in the GC of a subdomain, not the root domain. - fix compilation warnings in unit tests- fix capaths output - Resolves: rhbz#1344940 - GSSAPI error causes failures for child domain user logins across IPA - AD trust - also fix Coverity issues in the secrets responder and suppress noisy debug messages when setting the timestamp cache- Resolves: rhbz#1356577 - sssctl: Time stamps without time zone information- Resolves: rhbz#1354414 - New or modified ID-View User overrides are not visible unless rm -f /var/lib/sss/db/*cache*- Resolves: rhbz#1211631 - [RFE] Support of UPN for IdM trusted domains- Resolves: rhbz#1350520 - [abrt] sssd-common: ipa_dyndns_update_send(): sssd_be killed by SIGSEGV- Resolves: rhbz#1349882 - sssd does not work under non-root user - Also cherry-pick a few patches from upstream to fix config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Sync a few minor patches from upstream - Fix sssctl manpage - Fix nss-tests unit test on big-endian machines - Fix several issues in the config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Bundle http-parser - Resolves: rhbz#1311056 - Add a Secrets as a Service component- Sync a few minor patches from upstream - Fix a failover issue - Resolves: rhbz#1334749 - sssd fails to mark a connection as bad on searches that time out- Explicitly BuildRequire newer ding-libs - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- New upstream release 1.14.0 - Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#835492 - [RFE] SSSD admin tool request - force reload - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check) - Resolves: rhbz#1278691 - Please fix rfc2307 autofs schema defaults - Resolves: rhbz#1287209 - default_domain_suffix Appended to User Name - Resolves: rhbz#1300663 - Improve sudo protocol to support configurations with default_domain_suffix - Resolves: rhbz#1312275 - Support authentication indicators from IPA- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#790113 - [RFE] "include" directive in sssd.conf - Resolves: rhbz#874985 - [RFE] AD provider support for automount lookups - Resolves: rhbz#879333 - [RFE] SSSD admin tool request - status overview - Resolves: rhbz#1140022 - [RFE]Allow sssd to add a new option that would specify which server to update DNS with - Resolves: rhbz#1290380 - RFE: Improve SSSD performance in large environments - Resolves: rhbz#883886 - sssd: incorrect checks on length values during packet decoding - Resolves: rhbz#988207 - sssd does not detail which line in configuration is invalid - Resolves: rhbz#1007969 - sssd_cache does not remove have an option to remove the sssd database - Resolves: rhbz#1103249 - PAC responder needs much time to process large group lists - Resolves: rhbz#1118257 - Users in ipa groups, added to netgroups are not resovable - Resolves: rhbz#1269018 - Too much logging from sssd_be - Resolves: rhbz#1293695 - sssd mixup nested group from AD trusted domains - Resolves: rhbz#1308935 - After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user - Resolves: rhbz#1315766 - SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo - Resolves: rhbz#1316164 - SSSD fails to process GPO from Active Directory - Resolves: rhbz#1322458 - sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - The rebase includes fixes for the following bugzillas: - Resolves: rhbz#789477 - [RFE] SUDO: Support the IPA schema - Resolves: rhbz#1059972 - RFE: SSSD: Automatically assign new slices for any AD domain - Resolves: rhbz#1233200 - man sssd.conf should clarify details about subdomain_inherit option. - Resolves: rhbz#1238144 - Need better libhbac debuging added to sssd - Resolves: rhbz#1265366 - sss_override segfaults when accidentally adding --help flag to some commands - Resolves: rhbz#1269512 - sss_override: memory violation - Resolves: rhbz#1278566 - crash in sssd when non-Englsh locale is used and pam_strerror prints non-ASCII characters - Resolves: rhbz#1283686 - groups get deleted from the cache - Resolves: rhbz#1290378 - Smart Cards: Certificate in the ID View - Resolves: rhbz#1292238 - extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members - Resolves: rhbz#1292456 - sssd_be AD segfaults on missing A record - Resolves: rhbz#1294670 - Local users with local sudo rules causes LDAP queries - Resolves: rhbz#1296618 - Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore - Resolves: rhbz#1299553 - Cannot retrieve users after upgrade from 1.12 to 1.13 - Resolves: rhbz#1302821 - Cannot start sssd after switching to non-root - Resolves: rhbz#1310877 - [RFE] Support Automatic Renewing of Kerberos Host Keytabs - Resolves: rhbz#1313014 - sssd is not closing sockets properly - Resolves: rhbz#1318996 - SSSD does not fail over to next GC - Resolves: rhbz#1327270 - local overrides: issues with sub-domain users and mixed case names - Resolves: rhbz#1342547 - sssd-libwbclient: wbcSidsToUnixIds should not fail on lookup errors- Build the PAC plugin with krb5-1.14 - Related: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1290853 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.- Resolves: rhbz#1336706 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups- Resolves: rhbz#1296902 - In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD.- Resolves: rhbz#1334159 - IPA provider crashes if a netgroup from a trusted domain is requested- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin - More patches from upstream related to the memory leak- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin- Resolves: rhbz#1300740 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.- Resolves: rhbz#1267836 - PAM responder crashed if user was not set- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Fix a Coverity warning in dyndns code - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1263735 - Could not resolve AD user from root domain- Remove -d from sss_override manpage - Related: rhbz#1259512 - sss_override : The local override user is not found- Patches required for better handling of failover with one-way trusts - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users- Resolves: rhbz#1259512 - sss_override : The local override user is not found- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help- Resolves: rhbz#1254518 - Fix crash in nss responder- Support import/export for local overrides - Support FQDNs for local overrides - Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes- Resolves: rhbz#1250415 - sssd: p11_child hardening- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected- Fix wildcard_limit=0 - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Fix race condition in invalidating the memory cache - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled- Bump release number - Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- Fix missing dependency of sssd-tools - Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- More memory cache related fixes - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Remove binary blob from SC patches as patch(1) can't handle those - Related: rhbz#854396 - [RFE] Support for smart cards- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*- Fix memory cache integration tests - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups - Resolves: rhbz#854396 - [RFE] Support for smart cards- Remove OTP from PAM stack correctly - Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Handle sssd-owned keytabs when sssd runs as root - Related: rhbz#1205144 - RFE: Support one-way trusts for IPA- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on individual clients- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support - Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2- Add support for InfoPipe wildcard requests - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Also package the initgr memcache - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Rebase to 1.13.0 upstream - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Don't default to SSSD user - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Related: rhbz#1205554 - Rebase SSSD to 1.13.x - GPO default should be permissve- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x - Relax the libldb requirement - Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21 - Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs - Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust - Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers - Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains - Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups - Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set - Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides - Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution - Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work - Resolves: rhbz#1214337 - Overrides with --login work in second attempt - Resolves: rhbz#1212489 - Disable the cleanup task by default - Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf - Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one - Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected - Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all - Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface - Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain - Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys - Resolves: rhbz#1204203 - sssd crashes intermittently - Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default - Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only - Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries - Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything - Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query - Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects - Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name? - Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error - Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD - Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set - Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires - Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option - Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID- Filter out domain-local groups during AD initgroups operation - Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Initialize variable in the views code in one success and one failure path - Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Handle case where there is no default and no rules - Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u- Set a pointer in ldap_child to NULL to avoid warnings - Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Run the restart in sssd-common posttrans - Explicitly require libwbclient - Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Fix endianess bug in fill_id() - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view- Resolves: rhbz#1184982 - Need to set different umask in selinux_child- Bump the release number - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Add a patch dependency - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Process ghost members only once - Fix processing of universal groups with members from different domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved- Handle GID override in MPG domains - Handle views with mixed-case domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Open socket to the PAC responder in krb5_child before dropping root - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD- Resolves: rhbz#889206 - On clock skew sssd returns system error- Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used - Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Resolves: rhbz#1171215 - Crash in function get_object_from_cache - Resolves: rhbz#1171383 - getent fails for posix group with AD users after login - Resolves: rhbz#1171382 - getent of AD universal group fails after group users login - Resolves: rhbz#1170300 - Access is not rejected for disabled domain - Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode - Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear - Related: rhbz#1113783 - sssd should run under unprivileged user- Rebuild to add several forgotten Patch entries - Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Remove Coverity warnings in krb5_child code - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Don't error out on chpass with OTPs - Related: rhbz#1109756 - Rebase SSSD to 1.12- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users - Enable running unit tests without cmocka - Related: rhbz#1113783 - sssd should run under unprivileged user- krb5_child and ldap_child do not call Kerberos calls as root - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware- Fix typo in libwbclient-devel alternatives invocation - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.- Handle migrating clients between views - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Use alternatives for libwbclient - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression- Add an option that describes where to put generated krb5 files to - Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12- Handle IPA group names returned from the extop plugin - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete- Support views for IPA users - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Update man page to clarify TGs should be disabled with a custom search base - Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Use upstreamed patches for the rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Resolves: rhbz#1162480 - dereferencing failure against openldap server- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1113783 - sssd should run under unprivileged user- Fix two regressions in the new selinux_child process - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1132365 - Remove password from the PAM stack if OTP is used- Include the ldap_child and selinux_child patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Support overriding SSH public keys with views - Support extended attributes via the extop plugin - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving - Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times- Include the responder and packaging patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Amend the sssd-ldap man page with info about lockout setup - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD - Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server - Related: rhbz#1109756 - Rebase SSSD to 1.12- Add the low-level server changes for running as unprivileged user - Package the libsss_semange library needed for SELinux label changes - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Use libsemanage for SELinux label changes - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Rebase SSSD to 1.12.2 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Sync with upstream - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebuild against ding-libs with fixed SONAME - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.1 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Require ldb 2.1.17 - Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer- Fix fully qualified IFP lookups - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.0 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Squash in upstream review comments about the PAC patch - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Backport a patch to allow krb5-utils-test to run as root - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Fix a DEBUG message, backport two related fixes - Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success- Resolves: rhbz#1078840 - Error during password change- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider- Fix idmap documentation - Bump idmap version info - Related: rhbz#1067361 - Check IPA idranges before saving them to the cache- Pull some follow up man page fixes from upstream - Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does. - Use the right domain for AD site resolution - Related: rhbz#743503 - [RFE] sssd should support DNS sites- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin- Mass rebuild 2014-01-24- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed. - Fix a typo in the man page - Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain - Fix return value when searching for AD domain flat names - Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword. - Fix two memory leaks in the PAC responder (Related: rhbz#991065)- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup- Resolves: rhbz#1049533 - Group membership lookup issue- Mass rebuild 2013-12-27- Resolves: rhbz#894068 - sss_cache doesn't support subdomains- Re-initialize subdomains after provider startup - Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- The AD provider is able to resolve group memberships for groups with Global and Universal scope - Related: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog- Resolves: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog - Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"- Resolves: rhbz#1037936 - sssd_be crashes occasionally- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains- Resolves: rhbz#1033084 - sssd_be segfaults if empty grop is resolved using ad_matching_rule- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- Skip netgroups that don't provide well-formed triplets - Related: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 - Resolves: rhbz#991065- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash - Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 - Resolves: rhbz#991065 - Rebase SSSD to 1.11.0- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 - Resolves: rhbz#991065- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 - Related: rhbz#991065- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting- Apply several important fixes from upstream 1.10 branch - Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- Remove libcmocka dependency- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doensn't carry any older krb5-libs version- Enable hardened build for RHEL7- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath insted of mcachepath macro to be consistent with upsteam spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. - Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested tar get is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstreeam spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predicatable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. - Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. - Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. - Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. (Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)uk1.16.2-13.el71.16.2-13.el7libsss_ad.sogpo_childsssd-ad-1.16.2COPYINGsssd-ad.5.gzsssd-ad.5.gz/usr/lib64/sssd//usr/libexec/sssd//usr/share/licenses//usr/share/licenses/sssd-ad-1.16.2//usr/share/man/man5//usr/share/man/uk/man5/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericdrpmxz2x86_64-redhat-linux-gnuELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=9512a6e93ee6aa6374b0352fb7d6a3533b7bc111, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=aedf39320b6fab4019ab5f32f83d15cc24b03020, strippeddirectoryASCII texttroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, from Unix, max compression)troff or preprocessor input, UTF-8 Unicode text, with very long lines (gzip compressed data, from Unix, max compression)AAPRRRARRRRRRRR RR>R(R8R,RRRRR+R.R:RRR9RRRR R;R*R%RR R-R?RR"RRR)RR2R3R5R1R0R R!R$R#RR'R4R@R=R R6RR/R6R~)`ыn2;$gB<ޝz0hɥ>\Zem6#!/C2Uԗ{[ܩJ鿊R-jE^v'$$b㑥"JƩ -œO*I@I3ҹ"U@^+S'(ޑƔ=ψkNwho(> o*tF}fFFn1H '(HQ7i-6?4)GbABӵ2z;i(q|iad cd!zzwLD·/Z]JZj6ww<Oź$r5HdNe' PNK.RIHɵđWjg騨?lUBjk/ibP2(޻X_em?*|$UUXRjCh:UeF?.L ¬T5b5Xد;U.|;shPA]E>t^^rE:<X_<̝#e\-ȽĒ-VKŪQAv4#,? VCb8T}kTÄ>b"OϢN77sТ9\'nb)d5 u%PGZ2E}.5df3r̈fBXjm&U%AJTl#]G΁U?`ٟ~r@6 IY^r@aX\]E*J,Y]R_~pšP~:Vuj ,ǃ} R.t-Q(䅓-vd&(~v*bϪoL k*ޜLJRDBӂ^KLťȖ2wx`Ε>EKˑ"u\?:gZ?!<=Yη(ԭR{N)}4dwt֕R73AOcƝ?DyHۤZZfɽ`72"դyׯ 6auq%}']j-?꼈Ä0{ .h]vJ9ilqA!Cz̶͖AM:u:#f٠@N.t*ns^L<D&au~ ڌLsCIߐ#KWDЈ 8$âno혉LSЙ*H'ɧ繃 ^5 b N`%[H@mij3i4E;AR|׍ZHq8ږĦTBt;&4lXM }_R>OG2MDus"0;6jn@@as`AU8JPŁaaOv"]=]~GszԲM<$Q]a”x`7ΟNb[ א$[ZgTM=ƅ8"W4+7pTU/|R-v :GP#MêY{,.uX(Ix'YD@:-.F]qsʾ ` z rU鉞1H쉜P75do ɥ)t @/Q[M| w-MN-4'PNO͛ Bw/]Z_v8IEr /uJ 9G٣kl4Y+,s$a62xI\H] |$,Xw"U%\=ůˑNdC8P *BX@mZje9C՘ v)f96 eI g<@7a1n|O ,W"կ6*ZUKOKӒ_d4G&-ezԺ!i13l 9bOkWTm""tW8UZU{3OBCk@2>ϊf%rA$fYu/ΗZV2l;}kzO~&4ik:EnlӰj-C:ܢ)m/[!O_,,#{͜Sױ <$e,BHfzD[=s&DO>km!L6`&vvji+SH!1dzl&G#h|Ǟرmw銎SS*.b%NKU^̜/u")7WFDpD,=H?k%( =LI4irDMqN"Xyo>,{#`>ȡ v,'fȲ>Z VsCL#ok#@ꁛR  z_fGEQzbZ8#lyu=F?,LQ*Auw .L^7ZL@O?צe|Sų OˇSa$8!k]s]@6B>}H } 6̡pM_kxS?+dBb(2qx˺wS͹v#<[$b߻] :BO_.5Z{bAiW]$>zN0(j ݨWZ*x/0uj4z"D -!HώLs./ELODx]U.*9R>Q"8ޭN'n' Uxڴ n,vn߸j&jI%7YHh_ -`5bYC'G! ֞=BL^hTs nB0rzo { 7(w^=ir^S(L\G?mBKDgo-"9)#OG =4:a68Rq#]%LDTHr$GF댉~uE{&RQ.h_f*?(uUQ$߸$ت#{9YGG# `(j1;2}9]8/@*} r%טAZ:_䔚c_aq6 $y_rc@%*co=VS%5p[Veh 8}ߡnNCYX(êAqoc+&1]a֮#XbΪZ vy7@zgg!'*j~12!}٦L}_c$VF/<-{d\ת M !A8?8߉J`-~s*bO-k"M/8 M<2 <-6)>@TCl"_MCH`Wƞ{ zxzc"hH~7'*pƧ⾻C3& RХgf&p*#y %`DpJ(O?-,`bI3-KC{7INc=.ۤݹfrW(s ZUE?}`H+K8!H㚌]%7.jG,B<pINrouwn׷ A%(6{}u'\ joj%1wPja/Ƭ0N>"w8a#O;Km΀3]%Dup=I4 Fj̍@ -T=s)AEdY~@1cښ'|Wgz1ck36lsr|A'ͫ7*]9W1Rʻw7>\f0 WtU4UޛLx9dnHn>kV,mqc@=[u#lM.9X/'&錅O6&YL"aaһ01}ӝ:2`Wz o!0LEi Y.{.IAui Ր3;9Z0:MEN.l.6U+(5RCy-U9n@ 2^Uu,Cjd6"$PE6|LE_M"KSґܓum_O6^z`y$ͮL1lp%G ƞ/by79C.fOnsnk4('Ob(%v]x7צ`&nSofezD%ĘIURחVa%-NpqwIzZKy 42J5gdEF)x5,yvM/bM-CNxAIz}bX(@xUR}=][QkkR]`u!WL38eԠY|9RzOV6kv`%Nmuڭݿ#ҍ=COZ⬣:B:쌎i4/|l&:bX,=#|^JR du=斊EA D,)[.񰂭qzހHou\欑TH&Sw4| ay[*٘ G XÞ̘Eԇ #ۯiI?Fa}?Ɏrd0?^5Ow<2MGonc<.mK&`Kݫp ظ@cr0ѨG2`?ۧ2nQ_uYtn7zӖj^C-jJ,!?$y7!ٝTDk^riVE{fإÓx<'H~ MCQ]rȖ:|N aP,wp8=>ii7t\3FѪ?@H^ay/ oDP)4u Ӽ&R!d`g?bd(}h(zѲɫUSڦߐ"^+2_DZ#ѕH?aQ* 0K?Az 0cfu5"_V>1VT(e )&~W%yiN 'c?g!x\vHY"~-Ƙ̶ﳮQ CRNso6ԿA|vL*EzU"7mU;cw0]5r'|)jWHOׇanD(N x[UÈx/Ԟ}_Vc jf7g4S ߿M^J#C}z+ `7jBw!َ:2,lfCLE5۩ g2% l8.}:cH :N<3n>Z`VT%?QL[5Bt w9${#[X,~]H QYwͦ vA.hchGX hlcސ7U5+)O}YVYy\u2Wsb9  @rG,L|".(@.R&Mם;$m0C]kYuXa0 +6+. VrsX"U^#%@]OSQ(HOv +>I/0 Z”嘅`)tǦ3" V F]Ь?zT9Ub䄐ߋ!0<$hP%,̑qyJ_ʐOxKe%)h͙{|2xͮib h%V]*w76kFĤ6hˑftB2(o"+>~@`DeldR5JGyN=I)`yYoшZ]fQn:~379+-.J\ ݯ4cA<#U0Qsp4*q 1F$?G}'1CDOEǂQ"^;tKA6CEUT!)Ƹ[2=Π1%ԙAs bfՎ%}y*2aZA]ƌx<։Ym话3hMQwJq՗Ƨj?EF}C?±L&5V4 jrƮY&Er頯$XrڟgB\TÐ3&*äy枀,6Y>.,if$I f!~T:M|UWN4zO, Is|dfJYoxH&s0b5XzQ/?=l`L VI=Zԝ{]-:c&}y' Y9{[oyT2LJWZ9m~#eۺmТywE=`1rr)r_@;CYLCDx-afBOʙ/?*-[$Rn 'x xEE vzB8P5/sLNas];O,5"o9Nf;EX%(,#K<ȗ%Zd0]F)?VVf =ʩ06SFWdq&熿s&0^ȄR7!D$)93]STUEyFaprP20{E錚]yeWLSxӣ'㩷/m.)bH}˕T 1y's8 ǑEqY:h= K~BpR<祗Y9W[sJ |x'6KoPWgz]N8a-=偮l Qm.Dߎ'A!y|+_ָED<)Q,HNTa)Ռ#4Λ 3=Kl7h\e,J7!^g}8@r֞90 齰{o  ئH>ͿEiGN"T);LEƾFt\ʤ"Qqicv:3c}@{M;Mf<7S F?B=LuE=AϚse*2uMk+\|T_ FV6DK' 5=*d$\* ju 8 *(!6[mr}0[GWEɔle]ژ{`dlu߉˻V'$tYiY\F;Fwl9"Z SfbecAPa>2#[AG{sbK_/u.y82qsÊO~ojnU1 ayѦ#~o|G# ղ^`IArѢ Fw )p$+T בIE6BO:-(\N# $v< x\X+NXopF]Ҫg6f;{'v t89ỏM&X6k5Crn/=~ Bf`t4RhHx8Gކg<gȳ[ 傩 _bot~]Vɮ;;>}yz=ut: v ,1).3: xM#'Ein3|kKy_@Gf@=GڳrW-1Զa,.pPIDZ %63UaPR`7 VR`Upb,d- JEWȌ $+cwԱ[|`d}؝C9Խ:0+ZXHxtZO".kׁWvݽ^  _l0*6*@`L+5[$ yeNO 2A9uV̓b@S#Vu1yЇO3jbiFMpSi㲉)\43_V=}}3麚kMR ˼U &bHkG O-\'P C>{H 5_J@TL&Ri`gQ@5v~1O%JЯj/~>c4s aK\hs0uq;CM|n`]>ײrH~]SnFG/FI㽮D 8H2j^|)/w yŬs%_#fh}.)K8 F^lJQT v|Hxt-D|eӴ%"rٞZ]u@U#.4hQ?ݛN6tnvOLz1`:5-p*)x+Ed(m=y@rrcND_XS|Qªف=>jz5dY--yecO!xq㤻s 2.9m'A&M<^k>2W$τN/??uDZ ;15Ļ UNvhH69}}k]DtovHJ'mb &/ v'EGS_# ;Dcn~PZ `tɮ{=eK\yUjHÏ4/ sUeiRD^Q۫0*'y+ ZrPA@)a )5B~)ylZh-ҕ@ii ]\J{|bcp6 'T'x.0B9ӄDҦA3"}vƑ; VKSFQVTf߫7t˟OH4#v8z  R'(`vN_>91D)rR7.b3AѲoN~UޏT3n.m6/mR'Ij-lPGg+0 K}oy H!Fĥ@}p{<%<`+0 $BM/LP֮}IQ9ZUEɛȞEŒ|.~["ʫwoGƮG \.ᒞƒޮ69`yj~b* >Mc)Ŧ7JnifuÞUT-Le{bŷ܄koZhDܬB%qzcʄ,GPH48UM hoWr,|=h`D"FM} `@T׎ [;&Ԥl1hF—;c) *&b1*\r"xBДWy3k[( epU-B'fiHJ:FeЩZDlt5?Zwb"]|T|k<^IR{$=>Xht@ ϡ(׿m(Lã 6y!LM%/AĘ=ؐd6k Qe3MիH̗ j<^ːׅpw>Ij|jC6-?b8Cv"8e*steW>M]I ;> @^ Q|ʍ4r5SUҿ yl  g}OʐȬh¦P$B΢Ü$:˪ ,C[8(z=$%fEdx18 ,׹c/8N  lSU+3 dggJV(w΍383vß q|EςIo?$j*-Y_mkr<ނNqolf'2|%?>&0DkcsPt ](nJFlY2/616lZ)6e$)^d5*ᇞW3@Mr(b!A)ڌST/0dEiUR[755$T_sg226ʝEm:^Q<9k{늞b"K/kȩӾk4Kckz4@bE#Ob<>X8b = 7a'HjO% %~N('oe+wGVt׃Y>Pd}Gu!5:43-@o- rwDBG2B ? pu<&7p2{D7/(+CA4Tx!ךZTn2|T?csh۹d|Vaim ?&cM{zxr1O咏l:(4Bfl%o^\G#ʅa2"t$ӡ{ <LJk씞pX/ԯEUy6W UC\G%0ψp GcH8pdאV6[8T3 |{~H9Mf6$ >5(ɐ C &UZPmg nFvZǎ겂5qCmss_GpMRePbB–u'j2Nbv_aTi ǔ0_=͚*⅐7K;?ԑ8w}!5bT. P#ؐM=6 <׹ʗMC"X7S}Ң藫F\ ,< msD?3Py .YIM3/g lTH`2w6XDkO? sYFG< rE+,Ae}Cn (}il;%Z.VPV\ L9?2IT9)B m/~썘AgYjI$Hp "TXGeff`9M;dM0SGAV֮X;rar| Q{q90?EQ*¨+ϜX9)Җ0{luln3_x0BlVx..K;ct闺 ҡe$]FeЁ7HfB+* yOS^j騻F/!BC<ƽmLo-4e~s!y8A+Xjv2[z'xƇ(qv&t;W } F~r8pm:4 )! E[k f|ғ:"(cSrvE.&dJow H3MD{~rG Vmb C<.n~^fX℥p]S;f|(` ~=7 qx.|zUUO|EYۋ3 L-E*I "埄}П ?%2NN!gdy[7]LΎނ\* >@©}MQC^>#hѓ] Ҙ+9!si Ypf_FOq(yk^HT6Db78Kl+뢭 1 6jl&ƻe7*|>1FM|.^~^"h=ƦIL IϢqݟ#BC{ ~uoDzHJ꧵ ZwcUqpĐfCr=y2]k**<@k6 fcԶL/rșQ|G$ mbԌ`Tg37O_$ çHoEP-VeNܦ`Ƅ3)cnpJC8`$.@ZlKiы f\ƏkL Av17 ]e%b([j~'['O+LӐ(kHeTdL aя 5nvtSb>9ul(%}XxntnMl(ChҎ>}Cv1Է"' A$i+Eq6H'=\*[$wq / ՏH{xZZZ/i j,ND%k1Y4!leiOrK6Du|K6&/ 0+J223Q8(`L "xQjAggi&a_hgqS*%RǩS`Z|\a)A~A)^pा?5w'ߵ5kC&KӈH?@_ܹ2ɈwA}[Upw\bgOK -B,%yVs(TBZ$U&m8 >?Y` L#`~B邫|Y(Ig+ꗏ+/)S^(9/JZArDHًIQ5 Welaܟc1uVvWF Sz1t"VlX?%oLWX-ꦔ,pMdnǤsƄK/ݦAɥm's ^bDf7:ޙww3#&?k)5r>]p$OUo`NIy$Wu7f@e!Y>\Y:bewѳ>o-hm .(3KqL![2}d/:js޳~m%TaTPtit-nwhfqGΌh?ȼZ1*Ԟx;E2* ݚPۊ֒X*Nȁ;PkVׯz7)$ɬ1P <.vS +Zպ@·[*녊f8w~9.98Řp[y}2[NT&(r !GI̵aIΟp'PLUEvt(bGA DO`Pb27&j0AߪKVx`Z-AIXTZ4 c^m>U@Z0aTpF+@)B)MqzAVb~Pę?k/%m 6J;>k,SqhzT6eq2̹ANYWV^v>bժ#I>睭lDOodŊwOQf{,Y:",0DyJy$sD{uZ=C 0nBп;Bs60^ Q]6?!sE)hG39RZέoQ) ޳xFFW c5*#0ų4YΔu%)6k~K柈|-71;$+Ҵl(;Tf__dRN,H)ǫGCMsΗ3гTk昧j'c2r X nqA+Y]0T:jB2#Ul~ /TSlYawbO I}qKzgrBWR0wTMv܊H<9E !/مž&ӛBCl#aRR3\Eq&HT' DQeI^t6)Sʬ(++_8 ՚*⿱?_.'q+ȃ@"]H϶ERa]#Uű$hwZX̰ȎV7D ysBt`a \%`h=pw(ǟllQ4 :r"}-=[ﻡFDŴFM"i[;u%W;DU6FC+ՠZ8岪~ryV(cQ 2f)z4hT:ࢿ@']ͷ}DTجScn 7(\z6D|s$co㌉ԥ!X7.C2 9 }MD5O;+e# E.# %Ii4#sI#jXxo[1Yy~srhURs.%-k%"3w4 aLHソ4Clt&T3Y[`ua8'p!tV\:LYEep8"޶~Y<F!C҇?bN^`Lև\*8' |9;J1K!q*(rc Q8*jn h}AΐóJ9EK CI!֞U&fة#Ԥ x~䧑j084<# J5䂼$<{IZōb܆#SbR'3YTMَ$kp EAvpt"(gV}Ʌ@?o&ZI^;|:036A<5,R+\oJ&?tGrH.ҹݖ=)X¦:(TnEyۇC2%𜄶u*#(ɌzuxD7E[J9GL-Kh)SE25o>&S&ͭ9\q55y92U~DEȤ[F| 8Uy(|mFHWzm-5 t kO[=cِ:*m)3{iM[Bk/yF~U[Ї<ɨFgx:VׇV*H8f^#h/?;+]kix6,M1bsҒ5m 6C!zd!'W_ qh<:گ'7 +~H"g݌#3<~ثhH'MN'aģ I2]1|4^xQ@r<:386$R'iQ̏agč~<.8OJ 
QQ@-V3f+*R/|kloռEHT喓0x{@8w_0!T{Z䅡*D׮}/# ^T_l~P-kj\LVjI>-DJBĿZ^Kf.ǰ" Z۹FVZTuްA#s!/ +|Zl`25@&EkB!wֱ#un {fȏhLP60~*)}43Ȏl :N[tkJ2eXPC0* I;d!Igœ*2himWO8$?LzfHфe}w XR,c-/]=kt5HAKbST{G W viU3_R:FSNUx@$yU.|֎*&DQ%z-K,5x^LpjO@9b;/@>9)?>\O=ĪJV~i9 Ay>6ԨL,vV6mURہ̙IY {-yO9mߋJ1XP=0)ጼ,f V i. ,:3;oJGug7QP_AzqɂT?9 sC VHwj6Wx'}*<8x8-%JK3PXpڎK:)h5monLPY0' ]F5l e>Tis]ll,c۳_o/rbZ57V3!KBs7֛Yw޽g.JdYM;0!tb{j_C E˾SqE%P';D:U*~|KT2;wr:8tE&TT.<[QahqblvC7|6MPR60&|K&.""yS w E [YbjǞ}718-]Z< DL:+k" j"ЯW@7: 틳^U|Sy, =gqך{ҍjD)L3}nZg҆8|ghW).#"Hϼ@ő@bHB.ιllG쏡WN[:~B4ipJÐH ))s#n 7L[=k똣irrKuUICfjZB"(wr,x!? lxP6 1 Z 5 4(?|/S}A}Bv z m4G#5]!!h[2= 62]bf{[MF3fG OcEc"-(dIC=lw&"Yh-·9Ǒ/B Gy.YGR~vDRyʋST7sh-ϧ*hg͢զfPS/ a\DEȹKWu|hIjnǙOH6no^Ec 0¸R'O];gZ͊+2G`|nxc$߆ER;u{Xz[tk#<I.D7/@{ryV:3DY7]vٖ6@iNt1Fk?T`̵`b Ş0!.- yJ<<4izt&啷ڒe8dR+җCZsc:7D;iE}α|u?~[2|c={q5*97,X즆v=JeFF :(OpqdHu:0MΨCn?EXMnB ,^:\ʘ0Cq\tnc<J$1;sh Qʖ`Ajv;t?tCZz^}a߈3~|s KGFugdؒ].]iIV _O5I`{\ʳKNQ}hAkI:Z/Q˞mjnIS/=4[ydhcu{.^]Q٪hhQ _Yt>JrNl->-KH IIVx5d NU$??*쉬*HmH0g>a#N@,Ј|NTX (M BSl(+sfjT>gy<~M_/~MV#?j("A5ɣoca-~[rᗀ[?y"U5ʟ =&Enጿ2rI+ib@qJjR tp) %:9;%KNJ\& ;֩uNc8ᾪb~^}? n풅,[)ж#`6.~W>$29Kq? R2p"Y.MѶۚx3hg'e,8ﻗ͝PzMT{kD%(,PׁH$;IHGaQV,9j'HXuChas`]Yg:5 =ZC;lMK r%'@qoLk8 X\piw74rߙ z)Դ3\=i؆&b{вbc=XZ k!ay0ͯ;M(urP& 3lSuJ z=./_C !) plU t>E70V 'n d"ݯ$[P,>$Р)mP#G01Ώ&Y$؟vnam;ԝC83r2 b?V[$foL]5$ [AWMU2kkI'AA>O'm$ab.yluv v7ùV >pn!M\}XxG|t>U( H_sgu+HxT/(Y1|Atr+M05eLA97Nc<i6{E_Bq!-Ƅg#j +ć7'e}X: ]ǹfN>Zyj3w,HݍxM9*Ed*ӏ 6V.ӣ}-¤PޏO""~H~L&]‘W] 39ʄX:?Z5c0y8IHS2O7]r+Tq<ʐ @S6 wڎo}Ya۽: F9ȧlPwXLH_+`,ij!Qc $CA-]5,KOi:e:7-*n+S)XpR*!t-YQ`8R|<Ҍ6BBm Za;lB?>pURH;r.?^ cGmo,tT7KX4⩙EC%O_Z uoaTpŎoL@rh7浑énh/MH.z^нv <$3'6K3IZw: Ex / U{Tm 0ElTJKH |ͽfF*Z_~+7.hsPֱt17gɣSU-ˎ;FSLq(*$RkMt'lܸ}aoS)@+@;&O|_sn0SԷWvٝa=G zc 6jP0fepawnmFd)8^+t.ǾHIl ,^*Hrt[^eˢw`lkq004p)qtfbOOYZC! ʛ,0(= 2(&^Waet$()?.q7B~W-? Fcʽʚ__58ClnG%arC7B#k->K"Q%_fTW)-== lLS|,e3ϸ){e?Y\lM;vbf$ .q [lvI/eBn9%1Fjh3fRXۿ`Dbz -x#Бަ2Gt @Rڸ([|6EHCik=-.}s- 㭎/<< Py,1깹v)3D]!}d^e `vy2#`_9 mD 9jĭ,Z cK #46(ɼ+8r72Ͳx1KFOS &M[#vdtAbՖRA#v6kSs^(/񚪅ZxQ]YۯJ]ئ2=U|p!nrdhX.G⹵'τ:4w-;b5쨯Rz~9xR-|*g\@pX nA|Xeqt>3GnөQ[7A˳O8\J7QVI 5NW/FUL-F:+|]uWyX؁EUhLdIJ& AU,Xg ݆ NJ(,؋ރ6z*Sϙ1ۈmH fua~W=6Ι=xCDJVBCb~'tD-B0Ef8V 3ascVUch#`|T9~%W3*MudrNL^RKN ^M8x'DM'TOiֲPuOl 3C~4LFu#ƓDo57D]?286(`:O_x4VIB .D|Fz,z8*Z { :׍ʵ@PL5W|PS½MqDvpȽG%N3ϝñZ$%ףxxds~dkAȁ]Aʑ5I7LMPNtnZOuc-4eee^tHqp&oM`R:ᱱlP7Ko^}i4!,-]wt3),s ,%@v2W:8cbχs\w+ Q>F@LE{zZٳ@ν=I7LtKZD2gVݖ`#Dsc.NXlJ[rh0"Ųe'VSI1֞B8+޵x TJ#6'S3(Y7g9"uDjۑVO ɖ Pz+_ SXM)j"5D|W[H2.$gw^f1HTW>C鳎Ӭh}AJxtj7.lpl؉A%Hd0.2&feg-MSMC&/8A^Kxy T7uz+,Nϒf?Fp %)覟 }Ybcb&.e|7RSti CdM$q>3 2빬"kkwadFdgGQB,HJFxSE'e}ۛexwL#o gWB 99|To8nHuL\DCdH S5zK$qɫg'a AqL&NIgo-;-IջAxu1H%P&f A,n!Ϳ3y3L B5!oi?`#(m%ٌ/J;a~M"pܙ.E:g˧09Jˣ7Qg/ [;P-ZٳB+"yCO~ ɀ*v6K_71lR]R(nSjƑN>՝7y^A>KM4#ïmM=$]j5t@ZxW3#cM6 a74 2r!%Νp2 I^b>CR8CpK>ɜἊuhKh\qD#{Euڅ+2:L8o[ǧ3vG4兛TwK<[Yl2V }D)d9R=?EMȎvĊ;$Sr+S2qc[n_8kkp܆13/8#X iԸӨX?}Nd;k^c͆ Gb]qzna?hDKg #)h@QBBpegp84!Thb4{x߻GI0R]];4H Hz LHq6(ӦM߬w~qZgM°(Z/DۑEmiu'>A쭅5CLzPW-2} d_9"}WnAsY'20m,3ԉpf!>~W'TCu5cOD=ţŞri>XTbFh]Y\*vL Ԇ7mj:B#GITg9ȍ|e:&Ց\$y)IS ,PmJf?KCg]t@qd 5zd\&RQS%'o4l׸Կ275JlF:NJ#Vx8x6FU1`/u yE'[,~ ի>լ@*}u X')θ($ J]"|'$Ocy'U+,uM||-?ɬ~gKHLͼ9?>D3;'Xv,@48Vrے]&e61`MI,j!fVexEXű56axnmEC!<:br+@Oʍ՟u4ua!%Kb}_I.qƼ' 7jYLcC;Gt(y}2OJ S3*SZ%}G'1[/vyh:k/>L P[uWA_3l G qe'ʜ~+vUV5]O65ɱbǢs3/1†/uN 2쎜̄;jb JGΔ!pk,|P۶oO3H:74Lo@DRR+^1Dp 0s\B-3S|O]a1md޺Ci ] ?Igb;"ѧeUU=7z#TM{-f:+ Dy1 Ėv 1M0hw*jgPғMi-fVƸ:vͫy2D>edv :X9q w!\dh;{l$\y-t(BN<ʤJ&60 ϸo V4#]5I0u5oRƈ33W:wiQd)D_[rhWM. =+1v:?+ rz#t rk&gs'[b/{k.RD'NW9`1pՒi &ګUۣ o_%.w[a Zs,՘`sTi=|U^Qջz^ȉLJ"󄰐Ֆjpvl ,7bEĻDcsӒ׉D?J/`q2 KZfSYkliodN3ldPq[[^M\"uY簔G8X݃Moך(*'Qiji"]E[˱B[g H&[hk'eXs!Q8/:"XHWp.^A<48|X(kxўw;:ݺؘ5O'r,|6Peh>Ig| ϓ5}68 ^F#|a5&x8=vc5aN] ?YCy0jolM{I2Y5M6f [lI #_qH!`Y.I£)8ZX8Ө?,cv׭Uzهsby-XL[XA0V GK-.%WpI_#B9Vs/BUA7Y/%igk:ۀ{f$`n?U'tHgi^[F$(9;8$W䫰Ԕv,"I*"NFĪ`,35h$= DY2P6'rV S*);ӕHJ[eyy /I{N=r =S7ně6ol29Zvh H2Tome_iJβYf;{ȣKrV2T2*51Mo>n^:[_cI7l&OOgCNDR-qO%D k)di*VmDxY7SEh^YQ㟸= ܧqZ xe)qC[]߆yVgS ty'w}F k{E9'_  &DixZps&|{mVC9NCkA2:oDK'\ocھ)۞pG2nX r3,|1oKϽiS*WI"aWHoԈ~a^.CD綖.xA=P9#D bCu{~>dR6^"d '016I_{EᑅG@ʞv8Hp7hrNTqUp қDE+n1]X?"Vÿ uC%: m1_9F[ +SFQ)Nxjp|mIgMЈiDQp F7^-˧,0]vQ1 ƈO E:R{^;O ݋ԅUmpHkO wR~Bd1/Pط璂gqAҪ#4UG׸OM}ޒ2Ǥa){hu{a4U]{P0 +l92À gtIxLzJDRe531Vfo3 =;0|?=NvR8KRuU:5wIv>/6u%ł??'LAnOfȍ3hkً^*Mp 0gViA6BiJ\5-<ľG%nXԍL^B_l5`ķ#Q6R0[Eܖ;fpF)wB ѿО0h+hukȺv-ACRLQOb4"\B0_9CvR\qG"FеF#:JZ D뾓)pCW(<U0Rc&%F;5-`uk.:Vmo=#.t!@5ZM%(Xy1FF;`DcD~ >]H`6} xGN1ZN!@'&4I04=q"AccqvYxѹ ;h1sٸcqgqB[u3S:Wi _\/”:XXPSE?wx!70\=o^b;q|ٕ"ld>Ha䵅Ҽ(I~j5ǯṃ 9Ql*`%n' RY9e(ba;O8lo!2NRmWWT]DF yLLZ9|~uד-Z{]T|4Vle/&_l=G5$#?'\ܪGg?qFA\g\9()QiD?K*P*8Y.SJ2b>UxKGȧ+ۍ]ѻrrWm#w 'np(E˗5vv  i*]6&%pҴ›Dö#V@ C:<"L=?]Q+dkb&jQ>dmAJ!c|AWA\?n2rL_vpbj0"Q-Օ@)^J`4_LڗZo*/vMLETߣ^N_QT孋j`y S_''vg36@⧈*.ٓ?rtOkAVCȍK Ѿ* DcDf(7IH}" _ *[X x)W;Z-t/1@/2(.ŝI:>fߗ$؃\XiZ}X~`w4Rd\_1+C=lgXwsz +E< ~WpE=zSCW"!xq%婋(,8Ԕu:-zn[ 2SUE\K-v8JUh 6r#ye$97c b. =/wb[W':LLz&k%;.Tjg@ >WLQn2~bXmt <.bDNe;0-w3hK\4zԋ: {~FRSvGk5IAw)zfex>Ux±{s.)-QxkFSAbn%| ^к:xݕıqs:F8i8O{!y %efOk|nw$7)t""ρFTDiC6\]OTtъ5BwZCE1N&9lYvf_!^nFv"g:AZ5o?U"lJtnWӿ ۷GĪoS=7Plu$U@^H߻ƭ`G(8X(c+.GJz=kҷŖ=]7p^;8B]C ug 3_٩6bS/g]%XPصto` hZFG8?jj1W6y[sk;Z[\i^b 7Ҍ^,Ʉk7" R$3(KK^zٍb1JV,l݅^[2ݧ:Rtr>_nYɁ9lA.VvPb=wt~I;^`9?k_1.b.d'P4&V4 WSX/B JDcu7+{Y˧$(O֚y1~ 5'T,q' $Kg+ھc"ւ.=?񄥼(;k b' hF^ ~pٴ vwQedĩ-p0.Sj=vVJ4y56"'E&{q69 CW{>7Upzj]XeeyEl /pp B$U .}̯ۘx] -ߎMVMbFCaXcvIa4qF(Q~4-MBBby?B#/U(J*xš0"0`~scT%"[eTfXɿ6@Diz8 &t&C7>sQ]r '&&keVCU]~Q>_P9Oq:a;.ۮCOIѼⲶ30'҇BC(B_Ց@$4H'qmL{DgVP#Arˬ8Fo"I>(?j$ THLQ{~Oo m'JN>$F)2}G6oeZf8Y3S.#ȉE&4;y;r?TZEh4[\VEaqی{>;f[s4¡.[!3(Y;#_S(K{#s[^T5~Ea{?´ Q?Pޏ#\&!;۟V3Pr/}JE)0H갈ouh5q= ޳n$& i3Eu`˲['\1>5WY7嚽S;H֞sE>JxjJ\H= V[Pv\Pp%{ݘ>}8%|1`mcg?ѯ*48i'hh SB-EٜώmI^mzBgVߕt8/ {]s16z1_n*څ}BÿͿ&Aۙ0t.:@|zlu|b%{NF t ̊Auz[3YOQ 2;oԉH((maVsC^'SO>˥ $:'69&ةPeZPd7I(xo"\V0"G% l\ii=~E*ktZfĔTS@<䍿iӊ̝I=fWp% `'Nu ?@ gq"I6S=st4, &-@xN.-8ko JmH@c@iNAq/loK! ³\ I:?UTnCz]|xV0fLY@gZF<|ǏU*>om>_#&\[|7A(pVzԏ ef1`@I.uw ?t3a_U\A: 76~ε{1&0RiDL`ksӦnc*U ־1z7-A|Ү f(vU5w2 m0_bX2Y-<W~W6!3[s{4*ydJٝتk"y~H]J\d+Cչw~5zfC4CXx|M.?%!/︁O|SG6 bч7 Td篞x<7S/2ôabZpFy:)}|QiP2R#A; &񜞤h;+WUdl{(<E/24ZDFwU^)@Dȉ.0; j±D7^ ch;r?DLe";[b@ّ}=>90)75mwIA^;@P[j]B؀k-k 9aťPTM)/F馝dwt(K0AOON,'SVm;nYSzY %J5RKLA=u5v܈9i(H$0.#밈tL:7^Z[dq{ ~Rey0>KhӸ4e^_'= y/q)p!q>+A:Jl ٳHVf Z 9%Wp"\yeqL0H/zSg[ 3WC*/@FrH7*C'j3QnNyzAb!0+2ND:D&W~kžߌA>MF t|t:`!c@ix~@qcɼydί~:IuN kf& o9M]EY.vykPk'b^FpuSp!鹋`gƁ4/#4Ͳns6'Д4Lݮ t--TȒ1Y`AMGtJ:aZ38.c)-o4(oslgz)M}IUL|m`T GC+.xޜklօgf`wY2Ni`OCTZ+#>[g jÌt !70?fc&"%?bg{7"{\G8`ݘi,5 kD@j(b5O'Mœ$vNsDY utJ=aZ&ĭ۫z bB)+{h7b:8Pq6I4cy266A詵էj/ P5%SuN=ɝKWF#y>Lˢ@nɡsdV56x, zb WNDܿp#{DKitA /ԂțZT~S 6C7)(dlk-@py F]_e{{QS x~DŽPO6<^N|ho ܻ`8t;"*?|jG~! 8W䷙)l"_P>Dyek O+7"w%)721pJ}lN"@ %gO1 8svu0ylAJAnң nڪT4D¼9J dh\Sr H~J߬7Λحٛ[ч%Ypl %#(h66|*λ ! '`!4D]3 & )gQ`Ǹ;Aۣv vŪ˶4 B prpy2~s/˾Cvt6H;XJ̞Zx]lnf!G7jAG;Fdr]IwpG gJ %>X~=RFMKx ܍B:I 6Rdyq_mE$=Je+^vcM B*oWNY/V>pҊ(.ru`GmlͨP?~vNMeϾM&=,SapqbAFW|ڼPEnlYu?Sס*yKjl*W"aU[#d:~*/dpmel{㨘q!~ɍqK2DTf !f3Au:BRhb:f /g0| :q=,Vb*]Ư,A&OUsKN;֞,lϜ- T@xڒڢP!?3it` zʄ4T-GKr z)aW'r4찅X'X!e:U{x.Q+s ߧ]>{ i&͜I@c3֔HN*yUsL>86a9EՁ0`\ڝ3Q%2xA=亟%1W#r&Ogw 4F|(?=jS^5^9Ԕ%3T-)q(O=#Nh%AZnanA`-,X.aU$_ n&XlInz\-BJx@;r~H{ 0bfyk~_т;+%v \Z20PR8j Ҍl=iW'`Ke\HY~Yo\\ C;s" a!=H5XZ#nO/$u`oH~%R|wkT`NfYxAc~Bڏ\J [DNjI:o^i|E^髜socބ]=-)z8E?\nk췟8dã>EOy| ·D2М_TL/fQ޸yn| %"> C'sS|xݧ&lI;-KuXc7f()/{%M~ IVJ"V :5W8WDC׀ld܅6[He FF47N x+Dwhྭ$0%ە{Ja(Iԡٚ_UnS4A.׉4STM,Y&o~hEoNle2˙Eܷ RImCO 5,yĄizDq jB,+>E 3b]@X&`0vަEݓ XipIX! 9OK *CKg-GΒJBVqv}+ǁѥXDz7!)]iɂmwQalZ|]^uNLVRb6w=hCjw{g1+h› `#}.V@!]aPԻ \)7֗x-fLe\7Lj/v//g'58ڪ;^CٔNJˆ`_Pm?JI 4ePi쓧cZV5\쾝§/4sb[? v:vYpݰ?Ѥ`?JJ}>?gy1OQhwyǺ-? W:7HYP6p{C|75 E 07 /nZ&zN{Q1mK"zKnUA=cs[|;&4`Mx%!P;h$n̗-&( k+n9F㞴63M;\tn զLX05{;qƇceA%z7=L@fOC*)|Y̝nnp#Տ*.A]{z+#9#P ߸K $M0F?Wϡj%.[16x(T)7(tHnS۫ZlA~f$poA`xĀ'p@k $J9TW#ܚ, y A#3L/87h"afO47ֽP7J@d 3SR}0_ y ((AG[8"iH$*sn:eᐋK!QUIӻmjxM;꫔ ?~,0Tm.`ԾٹT]itk5[6[Rbw|UO}_l^/9K{bkg9_LN\aPu@d_6!qur7u NAWG2zN7~W9TɁZUY;|at^N<;|+~lDq& ق<StRܦέJ8}7fV+fk!!sEnю%~r0j+ )h^iQet运/m(> ]P+"8B{d@6qJ.+v^s>|o푭v{ð?ȶS蔸4w桧5$^HtRVbF1$CIyQylG Su*GC 7,o5+oPԈb -hp?fJпG>b \6sy pL)&*=vob! uv+ؑzJ5Nl^GU{vK`;J).݇ ?f3 z:D\ԙFNm _ T|=VUjMW܄Sٷ:G-.YQbVq' ӕbEœ~r\ DRᏚd[+jS*BS\Ё ? 9ˈb+#uoWL!ZD߲e<R7]GKմ@֜I\"`J- 62omR& -Pum{3 <נiLN]o=kTh 8*Pjҳt1x7o0]j!Zb\L؊Vg3!Yd_霃Q*\UbX!Hja_6fJh.pR>;TJgJ#Vւ1Z R>:*%[5c] jl4>_>Dpqnm8^3a|GH "cʎ`6JmJ_/Ț=w1- Ph6D53[XpU̫AZK[zQW汉k؆w9f!4'Gj O摸+YL"Q^s=iFh%D\%GFʊPA/;VDH.M̿S.euGr*6{t&9s\#T&%U+EY gFgLxUq:\y4mRm\XֳKa%'AՀ-ysc3')@R<+fwV!ͰOq9k٘]/ktLMmBH>ݷ E$*(;~/s}:.StCbL/O?vMo6`؇6nW CS#CI^P;*I*6tSu˪P˖d36MC]ȧ5F!ضlHB2PvTkmp.bN@_NP6frC@ ~:'Um=ж+nBAv;V<0䵩$3+ޗ(vr'[} S9ƈlq.f7$xB,-%B gbƦ,F'dVHD㶬vd/2uۏN c9hs!PU9Z?}<4qݵLTPFٗi9+QJٙџ^f2hhvx<+ K42f+In\${Ϋ/%BVY+/l&&8E}%fQd-kF+ǫb7|+ -#3OGard ͒FӪؾ_دhLUevMzSxA?GI5?ޯr!kđ]085 >̋^M[9BfV(Xr]_a9,l7olYcr5K˲5~ &2c2V}"h2ה |J->sg~چ`eu>B=\ltzl@A*eWkԯΠё ‘BG|L-3. vj^xX+8cԞ"Uw$-8^f ԋx D?陼bRgb9f evj]̓O[k >9k`&U 0T{@A#l|tRf ي f6ow_<H; 2}_U;פa@XYtݝ~=!aY1q鳪1M%qRQ Ќo.jybjgjvǙ&q|yyLA%s$;ӯ_k2bЋYeFxP*oP )-&1&Z%KkOo<>(N]H@Ԫ%~V0$."@S3ЈvWB=,k![̍Pﴨ-D?xD.f@JW u#򪏱ɣ-(~! 5lW4GJb%"rE!s퀸d&A1AĠk} 0;M|!UNNrL^cA`j;O>MԬ{YRH\`:}9&*9:eHc8A W]T:%=1u+cL_f<ڠI1߂b5-On1 ӱ`ބ\ \Q|՟s øu'.mӸV,,-&`~H/D˽P%Jwa.%N<ɦ[0I;= r$,~'~47-$~Ěo :է- UKr(|ZE(W]_0rBV~f)C \夞"R*V#ũCV1aqc};0`^ T 狃IY汆?7O롉DUVTЂ 24F;Q,_c[iL&+d〃*ŮrYOv8O-Vߕ,4krGSS@}W4o2sS;,9S뮲(AwYMQ'ā8V2x@u_j f_`$Ǜ/|;TMd)m?LBٜLcäxfQQup Dr ^L+mC;X;1+'zU7H&NU'D] vJ^'z.cHήo(tcL{MgAj > 0`*|QvVtMz S"pZW"p/%ثw]COdtEV Z^L3r?NWX&8T/_C&&(P'fH r<4#8f4gr2?eJ>Uo!&Fqσ +-R H7F%bK 5!~lOX!>KM.@@O)O@喀C&F#2M>2Ks M{<'hqq?@.#|@Lw(P>h;) #T@ԭ0|VGЦNW4Sa+7f(+;w5cBNoUwG.Ok sEȶ]9I{tb j:be.A0I(bcPBx f)@joUéZ--kEȖL1T(7SC)\t*H^؋̺ #'+n" /[87!WAn򛷉ьG>簻!Hjܽu%A?Ӝ.RNjQWƾZp^,}rd]~JpwAZEs 0{E6d<Pơ{Uf}K8u](j'gC1T;w6$yv,'Ic&Ʈa:#L𳵵'Exܺz<4줚]I6&㍷wѺVHv ꅂ-?]:/m|EK/?xMKk<| MM 5HL ^J[R hIÚ ̈GNC\jIFz$l[c{#SCX5oT3iG@fE{SG ^:M)Lr |X}lj$Щjq,>/([鬴7S䖮*FLi[@2,+ag+$ z QSKIAŐL]? !4jM ɚv毵+Qg!yjM9tY9FZ]c)s@+ 363v ehݧդ_x}1i`oV&ae˻%<^H4BYq'O=~cc%ۋ >ȥToigw hkglƖn #i,HfQ)ʅ`lt 9hВrDtɈO~6 )ϺNjh'`&{j<[]Mf*Kb$M$9U͚o$foAGZ<;lS7}SmnG:`w *QeM`Vy@x˛׫^C&.hIA( UqFVP|v?/i\EB?$0ޱP¡ ~Ӓ(j( gY"Bh9\ɀ`.~2}sv \)3NjQARY,\-0K\HqS)`<< r`j)lv1N'~`j6X`1J9du9TZ3H<~vfEϘ'NZݙYKόwqމo4S.DH`+LWjbH`pWc"gxLۣ9b&K[,~xl{+o@&{z KL~$&b鍦?%Y+l L0 C +!XzUI7?l[f5QlL xpZ+FfJiݚ$z7vBB3;^g *_:+͜~Ma%e\c^*trFXujH>;8Ҋ<P:F>fJ܇%^') ϭx=G!=5Ex~ٞl.Hi(~tĪ}rʸl)ΓK7o<ޤֆTQ7HSiA溷0R$e`a8O ?~՗J'I6  _FJU`:l~Djb]?٤z~i $0qQ~"E@$Qwg᥀j6y[rBw5G:6ۯBZC-RuH˜tK_wZ ʲMnTA_!عXo,FU`ͬR{CV-ER-yKCWsaI/l:6pe϶wP-nWK#rًDӪr~A1 vQ&FF}83kDF]LD'.ɩ^aG;pkjKҗ—R]wOu?۟3NЀ f['jg#? D{QP4eYFS]aF>R9l|=ecS LΑ* Ai=aH%'۝ u9\ah2܊N2j<'Uײĩ}㿝K\j'uD` ~gr_M6^tZzIK|&zSٳ{g,`N*uDdV!J*7 x*jL̇I!X"OP}]oT҄~&ɗ8-鯁* ڀ7zIݳ3'׷|. (} D G1ۗYEby2w SIlbkפ$h `Xid3Z՞])ꮚ=0W|815uj"2[9 arl.s@fT!4NpMqCDwL -m-g_h%mGzK9[߉:Z `e0~ki\”{uWeַ$ԛq BYbok\^ CmɃB H ˵ 8{QYN)1;5#GG08.. [bEZ4lVQ2Ts^V OrT6(قPο{ɄLR€; 2:ȷj7ܜnؿ0z7RBC3} IPcq1N0z<{}(~YVX7kR*6/E*6%p+.V*_Ndg#T`ilHl)"PcRc6|c QWJ_0O DꙀHL5; eS&]5$TGF5V >CwR6p?F TJPi8\KYE034rEgPFQ : Sz > w9`kʡv2"A\.9ȕ5o?$5[ mX"X9;7p _~G ܳ2[)ޟ.\U rs,:Nb~G$FŢG;äp1 fhnxk=CniúmSočiz G \>Do:[1hD߯N)lqԍU]E,#M󝤙8eoCC֫ʔ5Xo"l%9[ 5Wo]׼pn@%po'-z:oM7`v@bBSc%~҂W%ÐA16.G. +AcimӪI@7}ȼ*< i=uBYD0D)T0[7REHE: yv+EnȤ8 b; -쮩> l(7sUDRN*ǝ.^a̯ F'˴˔~XhǹzcmiHl\R 11z5e- @f Jr[evSht,9"u7֙wsNtnL \\P؃-ՏhWzΌ lNũ4|q鲦pWwn+*{ɳ\Qغ= yk? {-\O gP4~=1 3Oy04[]괟2uMY VD AV"3 ^mKۣA&^;VD`];z͵8[fuHJIv`,lUii Գg)8br 9jPZ!{M(㻠v}F )H+[E}K̬esBܕcVo+ydmb@䰘 @ < F}oD!`Wd{}0b㴖8uHs?Os>\,⚽*2˻L{(Qeg^ʞv4<T˯epO[O?GR\#81 _*ʎnz\E4"WX0%(OALX_Pr=(O>|BU! KЈڗӼu,sQAR`'`Ec:׵'ymvw"+<X\f snbvvPHدtɗTUs/Nsx4Qq(Ch! &b+4L\% 6mJl%l\=2WU [<EZ)>1Uw7Ljɋ"_8+Gʧ/=#0J5sphޔgu>ƻK=?;]YzsS"Qdˊ $̊9A@߁;BFȍt b%sW N\,j0nNoIjR5%K7zQ#4? b[l[ B-Re R\h#JP# (Y~6)>fCdQANӼC坨 "> MYSqy'l^|4kI_@-xÌg;QJFAX #PƟPO8NY)x/CJK˫fbFq<?q~c1dxc c4G`2⻘Fvǎ@oP#6Tc3ʐL2&rkg-1ZЄk.7F'_u;t3@ [krOeou*4m ǝJyv>5;hva u@_ʈ('_ )j@xeVIEaD_t!y>9L F"1TZ ޡWw O=+"Ka εϰ*Z6:"1gX5?IZ\i@FKatGmv ́eDhIYIꚪqf>&y$#ZaO(!/4^v$jJT滛tab&n#ye[KR#M _%5e||p*,^+^3 <&V_azŘJ3-[9ktE<XG5R< 4ne[F!9}38گ ))<AߢVT1e AX77*sf^Jm{ݙ>˜zBY0f$ur @;'S.ARMeޑJ.}@,PsODZ.v1%l`-Օ_7moPP2¦)REޚ }(G6Ch>Z{+x-kͲZW~ ȴĂǫNNph!|^Oi`5f ʂQY2O2EGQ J8[>KA`iK~u[%j3֕ao0krV ѫlJ^ lY?̖C=U~όKh~xOI,BEQۂ ;)/6T3FUҟznC^F[a$!tr+0V7BJޥBhnK1ړU8q$ :ho 8hmKN3AYaw5uVธfc3;wC?^x]eepIW!``qRpB$V&"H Mf苙@ VdNʄϫO0kRõV럄śAhOe 9̐vV$BSJf0(zcXd~S"k>MHn~^hHu; u>V^];ܳ2 R2Էv")TD)Opogyh tPrڵVx $.d؞aִmޔW9SG3,{b΃}ʞCKʌxiWy f3L:9%rB30E(w)7n*f) 9[]*vu(0\_ d)$H{ h٦':0` =gG\E ))@7i?>Ju+By{o\4⑲t"zTӏz00>/I&!GlYkڃ JDBL{ǥU G0},e|ذiEvQ`gCΥŝJ$fYHGR[G SZ$4y ۧ ׵ 0?dk2N 6q`eIPy|,Mzv$ ђ(n"r0kT*}ÙMe멶uCs/Fd %lZB Eˋ" araA s3V(03<K'#l$ܛ<69̞/]?Y?u4[Vm<j0x*Yʩ)T*%T2LIi8 b)mPʭc)`p j+~\qiGccԕocvu@~"EɅՏDş#bZE$#lUAQ}wO_}Phn'D޴l݋S= mB3.>,+1"  9`)UUֳSN';YBC4N]MMe;Qh[ʸ&?I-3Gs˗re9meÂz2Mv)smL-c(_.1U >:ELW/>mhZ>{nښe~[fҝ S y̦J)0ʴ\n?r Qe7fqyoщ`k@v <o0$ P'FIv1kl~y\фUZ$emImg)̡B]5(@=}`pd[1ϡ?KS=EwZ#)y{Z'\Ҏ1[$Py`Bc7vo<cS!Hs]Лo=:{ɵ`Ji$[t:L'gZTaLW(RƱ7g-!ЉsO.I`ޟ]Z m qLR`fk'u_E4Q091Y>A;T+JnI@а nZqmqxljd,Z[}Sx2sLٿD^J QH4a^ABpz )N/- %E-? =B>#Fb5/WC!mɗ;0CK6"!#viwe[F[X;M+Y?V+C \{fٲ/{ Dy7mQeqgz;8 38?g4) seAʈˈ]*=d42Np @ֿqMB'U74o&74>$yw*CXc\~c4lΨw='@QΡg9r2ZmKkib^GH,GmrUZa nwUb}fȒ.țER'"u6m<X[uFܔ?B ߫EԒ8kki [H?H?h51p$d8đ%}'aѯ<, =Ԝ#5Qb-dX3CөMw*ƴx)\6.FZ61IՐ4g 46/ZfYj$fԋ*h< sc|_B)zRd0|!a#4ưTD+9Hl>Bw=IrzY3%M1v4U:D%x:T+J'%}x 4g%<9d춠[UQ Yla'G٨%l#Dr6N19'bS~v da 2m]?+Zo0Ds+Mơ"{6s^Md{ D{X#/'О~!X@xo4{w3YQJ>#C-sߔ@2O% .pn[?pis7G|X4G .!s΋nq:ArCJtp *\Y9?I>犭MDaE) 2K2Mi~YeTQV^hO(0ȷG^y$+<< B^"3/97'KC1ŗD`5`LG 1`3]˪a! uvDuDjo~V$C-Mj~c'x\LTu˸ʯ8J%q9rWa0& PN rĂЯ^j€[(mAuػy#ħ"j᪅.ΛOK.A%/ӊ3Xq}4n\]%<]0#J=G'Yu#InXɝF?!D>4|&I'יK-Eig7Q\}<venמ-F=9,L+ٔͤO%4{$L͐9Rn;6=p|.׷z`Hh&<6^t߽LJJj߮U]"`p s)UN"8vu^xa@]b|]~ iW@7!RcME5O{)#R.lP xĴ }+i7q)x3ǘ Wafx01r9jYWBy) UOmbE B4C|MT4(ex=QrK^EP%4ALemHUӍyj$.a;]Wx%}niDy@r"sčG \J[[Bʝ9%29{?2y4kH2@Q Mcx#ZF0QWI,<}xd*39Z+_lvvdD$㍹t ~d4ol|+pbo^I%+,Z=\DQ|AK( ,pߵ)}(0ct8NԝIƮ-nUOvjK x@e^vs~ݘS^#Z<;v2ttn`X-w᠌ cuÕ:i{$[=`l2Ix'zɺ[IXð@\m#Y4=K%! i-CB*aJa4]*ȨL6Q *h"åӇ@Q4ki@>+z- qb>v N^ndʌu&lbేD3צE=d8e?ApP(+?9EHV\> \zQdLcxkT 'ПoJ ʓbSx{nźs9/8cG'-;Fp#-˅@/F}1dh mlr`ч^ N,7vgQp#M{mFһ +̃cs1 *w ~:kּN S `-4`*<LUxк K92B+Pt"Lx4*Eq#W=XȴΝ{2эc,kPj~AHY>{a-D?=e䪠 vM7gr ؝;^ΑU{U<*:«\T- mNS$bQ/TS1qƜԘ* m0S72y(r5"|G)ɫtD&Wy.z7Ԇ^ZS߯ -_XG+ ŒP==B6b? '!$cGw*tzأ(+|8+($ݡP43+VMhRƔWǩ_#M\mܘ| 8=P휔K&XpK3GѨ,;rDC%c~ :;ku+$^ljNᄦXjcjĶ[$?D;zҳQ-/. fKe9I1(م_HNt-.:q [lF=+7f j-,Ow۠@4[OXo^aΈ7~U$9+2Iqwj.QkE|'(GLf0iY"}8-! P0!ŎX[&Mt_3:UBX>sN 4rn'e?0n.i2Z,SvآDUf:LqSNl,`5o#9ZuBhpBJfX[8y惈kK#-] M%;ueˋ Fs*mea'G5, fV\h,}:,ɗ֦ Ț;=n"MPh#Ol5D{WSUv2+dl.Է.~gIz^0Ey=;7.%+'-MXtϕF۠odT s*`O(X!.J惁;$#ZoN+;kVXum4tm"׾k (܁U<ܩDP''"T\(R!hǷL{,QDvއw~{}B3Tq1H\oa+!̦~4JJ7íRٟZ0 `_Ʈr]Xu nm *@OJ|H^1TWK#:TO ]qS645ICz%K&OW*EeDcA[>^;7nhjfp'b C W)Z_V?"j BF=R/HC2a_O,ݠ'IK3&t&Tu卋˶GM U\Wk06h'FFU[DfTе* 9Gj]oSJS8K>]>uh7N\$ы#g B f`5V[FZb`Xx`mTwBuK?(M"$ n^Sjj\FF5v[ABK x a1}:t@?(G@tھb͏ Pi}F-ñ$.z!Bw[`[a^ƅY1f[9бr_Ҭd't7]->͈B߄Ŕ>^1[W,[ AչkN)alꉄyxe]HAV8 JV(aWo@'ѿyG*9 tz?2xjjEg2ou{Cr0ttBOxCj(HM/_3$ u]۪ xTs)@N͠ꯘye{?qF8r b Sjz{N|g'hdCӕh;~("8K9s&yj "o:)El)΄lB6||QĎ!3,  GrmlZE NS1zXlOKR69h#:F@#H+`pzq.maDf@)WWc&t Zu8 CkeUHf $mfU4W-[/?BMB?Dw PJ ഡ oNJ#zC+뎏2T]Y]&[-Ѩ/M;tyRǂytkpb,;iwk;@uB{͖ L(ӞwQHBItČItKaΙDG; J|[%Y["tw|oabEH氶^O,yED/v[ۗo30~WԄ_ySâ/ۘkwgH7`xDnnS"=bEeS{-K;լ{hYQ#}9hPʍ_{ Wkr6 ȤWZR\brp,}&@jvu?g! 7[Wˎ4B |7[Pl֓ BK D$'`/c;aRZ>H7Qg}3*vXѤ)_ {r)Q4j8ge%#3MV_R r3? vN!'9ؙ5'6-DuWUR .p XC&,B{p@Mu-/)o"pȏ`,F dV!Th%w4{`bG1S+/*o%!9'"bvLR MHqr1.vBxMf^-W*ީnNIKjOeu0Z0LP^&z-ἇ?uG9Ku~qtݼ \c#o*QI ;w/…ERkxj!ijNw-UfcHvm3XpB>ԓ6'ڋ?|2[{ Ȓ,l`!TH҇hWD%RX0׆)6is=hMFEEIɆ8Zak&&@'`ʘI @z2PQ^y\ &Ik 6A jSJF9oIO0ji/)P17J*v?v'[w؈rLsb^d/~;(9\h2PP4zl"x`+~_?W~[ ,Ż?"7ʝvn~awx俟äe{`Ri(J`{r(g },ouKJK-u˭B/oiG!60& /$V;6PJۦ <.MGilPVK蒸8(] 1]E7~8#gN^h F9+0Lv n\$bxmO.4Bt%ڋ$|DWfus@ۅ[L bФcE_ȫelL(rA=kߵF :ϛo@[vP07ɲAmc%1@8LU_4lezӟ쐵.3S*bfѼCڨ&V'V2zIf?@D7a_)*@v_hBnj#iҚ \a k ;Q<2W Oj'Ɋ' 0V ~;߸ݾ_Ί:D sشHs!$1Is\A/p4/:w :(4w)i>d3${zƀn}.uP:3;B1#O8^QKn(*Սuy=KMe=* L{*xCkΰڮo }bW^/g  YS:8k ZlrMHYMH$Ģ;;7'"_⥎^!ȍ=V/ |T~uݰjەptUج n^7Z.Ql#]0@F}cM]sSu(*Y&NO:bMHZT,u̡ၐwqcq`yr)Ѳ{䟳 ~l E<0hY7,'?|~&FC^Áo_ҲWO7<7meF&ZgkĂN!k(.Fyb0H]Ot| QnWRR@FUi][(n~s8?hfskxQ- Ux``ZXVR-97~ḆdfM^3f~O$)zU 囡X, A9[Q{ +=mXEj -+XϠI :zMxg PVb\}ם1w)2Be܅ʔsص, YvP ֨|2,x3?^w$x#anдH0i+HUW_\8/qU~ vkފ,`OUASУ]"`&mA_bXGfh>E_gI>xVtluFe&.?A[p>/sZ^߹\gR@WOTfm;7xzq:#*,-ȷ*[@WkC'*>,*cT0ɇNLC1d^s)qdO椀4+,ݝ70?{6Z⽟bA!pԕcU !68G]M\ ~/P>LebVY ?C4OXCwm4]!7H/4َvo90YD:.[L9#1@"gݭf]Y wo{ר*3{6ܹ *ل,/? 59;+Wq[1efEC^kO@T_noq{jQ+hlY:\q~v 0mkƜ'E h>)yǪg vXvL(׊"G#ޘaO:'v>& Iċ@)N/JSGS(.Aie\JέԐY ĽDv2x`/{4P,U۹eν/E,B }#Ѷr ^~)ɂT aK mHHZS:°50qIh@O{j(0wd]WezXjwkԓ*GlƖ;B~>9O&vU8Uyf;}` qDVm$t<2(bc*Ӛ+|'KN*A]WsYWW|ZS9bUxvOe.a~sbqLQzJ`X.3p J92>4y"p*XWwT\4;B|djݭߞ1+J[mp}! z` !pfF'M/]t=]yPn1jض\>aH>8.c,F TaNh; jQPI GI]v$UiBY Al1@#0U3eT5`2&i,x01p$7FTcrM\ _3d08T3 "'R|&JbtY응!䦮_TN<Rzd)xc$@"8:| WϷVv5!BRبAwhjhM £osaᗓ#>F_.uڑ$(Jj+&bi%2 kZb&UߍA8E ZʴU9Ixz:S %1OtȽN>,/nhn4 @x94ϖipy R*FӁC8"q~Wl- k:3l.%oH{2ȩFqCV*VG9@PW(w-iA*lpb|0c/9YCI tf|WFqā\7j޵*hH~?>&eWc;y-2i$hr3s_ڄNؙ,IaܲՌ&;Iǃ!-wy=q+=꠷z"H$󭞋(PWSӓ^6wN&*9h HoE 9%Xp{^17(.&s0zVowo9R/gWC|q>F/w;u7cI \J_jh[-U؉B3TCP&^gSij (gn@OQ KVomHE-fA1+9CyH݀|7FOFK(,7/f7E=k榓 g} ߞ8`l@S$H~V IW7aanڛv"K4Aj *`KM(z4O}X[&gqG<(i_8I,0ʑz.02@!FVpqY)/Rr>gpJ_ҺovA%OeD2,q<9y԰Z@-)=ԘZ&̘L=fX'h]ߋ/}xDF3NLj%qD*q>.qgH)Dܴ7|%9}A-&jx㢅DA__󖹣]Gl {QQ.am=0r|?‰M RWv'R|$#c28*g UȝȴkMܽ juiS Hm,8m{| P?L Sn9 {qBKƢz>DzyjbL6. S ZJt#4zy6+QEw$o 'GD#_̴@7Tz|HCBƼ(TJI2D?~BkzeK MX0&:^ b[z'$ncc:h5}oB7é]8Q^@pI ot7!1HJSA/zY ^AQM ,^;: kIM9˨PHn~Xs#,q78ǣUێu#]|AǸ_LK8Xו˺u'3k.Vdžk9zu;^Ƥe.w/.5WaZk 38M kIaye[74cگ2)w&![jc:`9q}`F i | X *ȟ59 -x`Vt~Ձq1T75}dۯD͈Gs:܁x{X2q%?҈עQɭUӵYvp$Fضy\S8zK1xaĴ/A J2@f9INFO& o("&K'#|F^q$L$ CN4t9u5 ⃥XđlHd^"R(,XvEcrՍuWCp}96q%PK VX(l1kZݴ; T,l>ҙ|g 94!_̎*Kdi.)<@-4'1wWP+"M/S5d<MǼW |h=_=a1 cT؀kQWV/f}OW3K-vؐRרߺ!^d!/&l)IxLWqɇvv D*\lLZӹm- YE1Fv:sDFŐiC鲸F]%]2 4LtD.c5p7~vXfцlTܥY`BR!D#Pmgґe2Pm~h EHnrvTd/ jVinzP6 u`#Dk&@ѣv \&F@+|,8[JeJxXԇٹ8U^~۸9!~ƞFR ~`C:Jd#[D L0٣G۰J qΡ`o -xvfDR ?R%h{p t ZhsZl)8&,!w.3F*NaY*f)|a~#ۣ56d?`FeP!~ɘW196O?lPCopw'-cH?toЖmM!87! ( 'Hy}Gxy9iИ eAЩߙ~/l,{&v dmejMٵt:϶`յaSfVOdiI7 D0=(V#n:Mr"tnF.{ QiKN\R8dBD/zЕay EueJ N2gˆ0Xp?Mt6,ڣhzT SwS]n 2W+'y% A yY?[Z(u>܊ 'Z_HpT)@T|C',ARA 33H ]"YYWn(Wg I#p½Ng Z5"Hh:LB-.= 7 ˒S`6#0a)[2ĀDP4nID\F7ba: No4vPH<F}o:ٗ#ߓ'}k1yfhKv/qЧVڄp8< [1s o-G,#rzRi v>dG0a96q1%-<+U\MXYoxO-0#)`牲Jhj9H&Rwp]6 ,xU\xyf#X/ܰCF?Tj`A([/rrA\04vJoJ?^ބ-׵Ә׻|8bӂey|Wut;S`nr!h?n 蹾Iv~~Ab5hnQ݅z}rfrYQ8vx1a:\$g6:2~yڌ`TU y84]|u(h;]Jnb lExw xb0ҿ$4I#h> d^Q4޲'$'Uy\c0nĥ -߿}>f#~6 %g-J 7; WL= v}e6X()\`j%; Kkɪ 9Hdw<dpQK'j'e5l]k<,')TOYfPt_Ji7-+] Mo/BӪ燾].6I y)юtAjjy ؚM&`ȣm")=5L5"mj=슝y 5i4>2yJyHY& |[(r͒P/lJ*@OAyiqKٞP >k棼SOZNz8w 7F92͡젒7&YkN7k#5( aԜor(ᚎ.Ѿ)Cqŝsr *'u, ,0wB$" ݀lނRoX7y_ Z/DB2y7_2m !y,O*\ dfG)U&i2DU2XFh&ZÕRSK|TL;1 E ST#Y\ zF|s䄄ŕ\pf? IQƭuH][L# Mo x@>zܰDŽY\IpCUЂȗ_D0"/Z %QPmv phpCRaťRjl"4>5ƘrCɾP \Δ/,X!%l)\H2Kh$}tI5ZuAI_ 9]]4a3<)xsgɛB< MJev( s2#f%}srAnD \M o:|wu3T&D 5-k"J3y+%-.~L4 )?ꢨ CL$q'T"vQoLܾoN2g>/9u^bhTS6 ukg>] Xo#?:a V2o״S)Fz`n!9GbI= !lR7I׼pdLF Hꍝcr~rD’O$~|{UQqisyR;)㍖XSCpbA{BG rQ0#aBī CEZ9W!;/@ȳ6(o6VL|rA˥}A&O H p4Ft[aGm'B2BOFx{1-V|ԗoEv) W$`.Ie N ]췡 =@ S1W.Kݣ P&|j:AK!9&pItZ 4CCs' %'\6KL~qW ~yj>X4fYT_Nrnkў]KKnTaMRˣХ5K w<\@T.yUl-Y]VScW{sI.L#'M`tz&f`]Y"ݹ}bTM"p8P); /ɾۂ%X(|dȶ>2i"1'KŇx VkY-@P[T@ ŪmgOUY\fzɄp, 2#;(hL`vus Lw@7 %d;XbEC m&)P_ (0GƪU*Om?1:M |5"[Ot *o([zɞۇ`CYeIw1=' FcA# 6#`q?WquS 컨-Լ>X”Qv5~p%o>'?;Lb(>b޷;4"7j8?X JW4U- x͋t0:<GN%cbEFdΑڪLxKEVuvD ->mY#B7M{4h3z2<}mi6|Xo(ӕHQc:C74\-{jkmKмR\ۨn\ ˯d3?{$5OMկ[ b" yDSK֨"׶+<"@, qeP#c/^z9)$zLJ nI[UP*%{nre| ɪ'ӽ/Mf΅ Q]>¤ 0{&xd@d0 a ^hK$MK=ѼV'LK>oXy'6Yٻ8~,l@_sLP[Wbz,(R2ztR#&Q.= EGo :olw;/Q#複M.>d>Dsa78A+| JG_y}=zl"EFm6zȞwFcJs o{2Ot2N L(e#ve J/H]E0FC7XSźip]K ҍt|qt"r*Yܜ<<ݪwB^H@2܋Wv)5Rv.\ ח)*>` xH-:2W uxf 0:rcRԛo\(<QLRǯgDøRJSPaDRnR h#0)po F4 8{~ VwÍC5B`:$KY~H&OhC/Msf9 ]? Mѱ;wZ'ar[NN5ίATH&7|uA$v짨?|-Q.hv^Ǎe+eizcRtKS^ i=b Oܟ ؠwZQ*xD0B-`eg[.i|&>lBq1~E. ePP"DXp>)O>u!P>2=s d1x?VZ*&wR7}"$4RP({Mr8٬}E>R`Q¿DVyK RljP'o((nR4a;ՓNtUblMw ~MoJ2(.H;T5.VuX-@&}QZa=+ W%LTfX@q2#jhnxmf(#D~: V_H^q`"x$4q[C aw@{a~BrKu]a;Cq5~KI,O$6KU 3\lH0V"Oy/[lٜq hCvzۅvjtJWLQ 愢m fw< ջvS^2qƷb,_v%ZԱoђ+zaSm`Nv;fim!{;@q_ȁm1Z% ' t WaqɸЮO>~x[ww~#M6hMckYDܪU:f1B!:[=PEĉI)@=@<#m\9 J-Ju]KBہ@ f㢵|ys35g9I7lNF]b*J<F zEܥ"W8i}!>Eٷ!,254?MM _E >/_E(ioS`~R+6ǜOg%\찳ڗf ghBb }J}bipt?G巙}o%<S((#,kmVCm}CHҋ/]t$y#t<;i/W%6k­/zԒ;w8md(x;fKBXC?%V.L*L0×R'_,& cM&Z>G+(c;9 %TNo#yEf6ڮK঱&3 ǯg(M˷)LsjI$ƈ9a,95Z\7 ˪'Yp*maEjęn \Xҫ'佉L1 Μl&XC"*q>q#Κʔ r:fl6є]޽Ko< :8 G[@dSY<]+^W{ מ 8oMGit)}W{.SI>XĜCjL&e:d$o=EZ)[@h…BDCF-Iɫ:b;{#y#sPՙ#ihѲWMQRp1PAj֑:}Q;Nܳ18͵cxJNeq9Xc;ڪxV0'$*)i瑲t9t*.4#TDᳰE fO,iMI^/_rs ˂t-1vcZr^$(LtJp>wu:G?s"t7y(Ry)58Uʍ4ڕU&-C[tq*WKoCtw>׮s_-LP0 yx.ɲ6g˔ -b~-#[3d_JimJ F. lxƣ(e;738-g#=ߎ_bŬyNh6at#eѱχX.J33ΒP/epaSTՋڟc$o&ǒ?q~djގ~?^Hζj#4<Ҙ!.aDLu9qVu T4f-O.g+.԰ADڗ<dFi7"S=nq8ܕ|/5TpVQTrD2  <۔&tv2J5 ҚX \BhW@8䡼SߟJC2XU3Zq]|.mwA3gT( р ,_<)'凷UM[XNQ._wa䊯3ѤNTP,Zo;ា'0[Sp%SN&4pGsQb&Pi ##ͩ)2ƇTeę55-#J^G^#ll«,6lZֹMa5ն׶?%QWZ!j1[MOe7RnB 𮗟Xri?WDH< w?~G/,Zwˋa@mYAjmD`O~\ g<硾*6=ҁA9Q""}2W7+DL z#L|,o-ΜI?!"X3VC8-5\*y;>qΫ xc1 bHx>1?).tr*UɍBԴo6\6_׹~jI%mW_yo>,:ܫ%мrElekTW~tqO"yƧA [ !pWÓw(1 #nc[)r6"r_#OFrnjLSugJwE)/3:6*. !Щd*3X/ipm*cʅ܁9ãhp|dҘ(@U m@q۬big [SPnkƬS2myUC٪`H@d ɬ[1WMס0b=if|x\DŽ$d%S#"t t$^tHFfA!<$+/==߾̶3~yh|8G.wQ<_LȎ p$:Р{ʈt5r3v 71_m<ݟ8Ӻ4%UB=!LZ-;w$%]{(= I2ઊ/\5&ScBFzbln*J 1'OBtCb<~XafLaK0--g $W ~c\ \idv2.8]2te@|QiOu21%6.&@{VQmu\֫rI5L5GœYj+qBDg&ՁPlGlaG1z^uhǯiN}>hZFǠզԓ^$m.MRI$} ]VڞI,R?HXMAu7ݾ\̕~IoG􌫶tz5u"UhS/cl{6hJ3mܿѰj" vxCMwW `B-y'? \Cd!ClahbbcOBqiM^)ܙYOSa M WZ^hY04QҠv Ew%M\Ǎ/h\l)2m5Zl`Jg*Wh`֡dQ8vdSG𹹔;,aS2@3?W{yS&NH$Ge{{mN!䍍(V1}C"\0v ޮI x ]C {N.iV5@ 0h,вz֗lY"_t(0mWY?ɖu EhZWӎV?;s9ԽP{8?BꊓI|į,^kh3s[hPg2Wjr21;.Vq> ?x.vȡY`ދøh=G@ B`UO*0[$5'G^ DfOOYOu*G@K^ա@ᇜ<-05;$ @fɯ>F MﭢBzrp{<35 6^H,^I~36Љ=-DNbmx@>I~An3̘Q$mk6Hf=dgrCTƜ,n T`eaޠB$SZdPNO2R:fvuB[Q;]xyX;ԼLYݡGM73OG@9/ 5GHODhQA6͵UjM Z.H?=ؒ @ F\մ4r7S aOk66gP= Dou/\-qeGWDew>e(jޙ%e]mv&*HHVŢWMWz, GIlҶfC{Q:ouKB 0mN{Drz Eh6uY ƀp<(/yA06jz Jd{q=(#N'Rb \8R5Lժ;1.EF"ΓؔŰ"M_E:.dh2w£;oqRDj3⮇S2/Fh=5? b MvOuMdBT֤Ԧɯ YOsޭlE-!Ӂ-- $մ79T`ъRt2 R1>9PW┅\Y9?d?gB `e88/L^:s|Ɩ_ǵTn()EXYaP[~µ'7ci4e! ~ /tijN*9:OvaZt%mۢYv~SR>S%˥ן+*R v  Yr֕|b *CC::,|?H jF".ANשj,KSQﶻ63ћ}_OM]C.eվ=sHl圗#rϹ Yw2(sLΣDr r [#.6sc4[YѺ~ A-W-uZ@v<'xn,= 4+єcpE1f- Q̟xW玤4}q9GvXm+`җ|QZBh} &Zo߶u$)xͅ!҃rYט̻sJi$ g D}Tvxu~]/^ρ3EtpBg?ڦduA Š~? kr2U5dccIn-qMp!eKDR.\娿^m, җ)ܕC1Ϭ4y<@BSjQWK!B? :ᓻw[n5aAyrK*Vd`Ohsc{.*ls-Z/ Bxg86Xn׽"Mm=4e zc;@&mv4KAPرDq3Gh.Ţy,fԉ+J b Uk4 t&3lԹ8Rr}B)BO\+( ;ABX(1  X\eaAX{Y@S>d}T ]+|. D*L\RGFLɉ;Mvj n z*9\T FU*!NdEv!mkd1miG, :v,#BgվRHN\m] KX2;Y[Qծj4 k:E%,w4T[Yx.,V< ig :}#"3Hfi` uczy%Kfa9S$#VJڨ߯{Qj֢k4:nMjUW,mT Qwx[X~ovyi;E1A9^R''-1S'|3 ;[GCQc>ٶQخ5‰F`f+ߤ, ޘ%\ B.}^Im;{Ff|>x3\<ZawhG|vmxgfm0b5f1`(iPm0jRcI&#E% E.%J fLPU?8J@˫#2κE\q0IrHȈ@ ?esE9H:M.ioBI^hąa^<7?+AZ\bԴKԆ#،OZro2&'ЈPÔ!UE`+ؚoo)'j72]Q/[\s|zT՚Cޗ'g˪ ,qYP@ZX MfK,Z-Z Ԫ<1y K?$} )w|pifH$ ׊  I|'  h$cmM T$zbq|Ff) fr СsCU44jG)?[M_E&x\ͫ$94zo\  1 m?<`!g[9yY[bQDaBX* aIMc8w4L0fO;ds2m;-kp* tL/hwA^(zN0c`E峊o(̩Q ,Uĩk4yy;Ԫg8_?vgZvmG4{Bho37%Q%8@b +[CQ:Z\O.Xm&X:+cj¡QK4ȓtxaQy^_Ceroi2ah]CM'!~?Xgey겑ڶ # U&6%v_d33we鳕anp7ym}^U-h}jUtP6[.T-bO i@k.R'fJMϑ?͵5zY:a| K/, $"Խh_vB?RmK f Նx-#rA^3ZǥN]dq(NJ  ~o(!a-^f׸- T^iz}'czFacUw:s? sZ8KCl.,8 ;')ZM ¿Sy1 鱃aEI#OdRfHS$잚XvU(?w)wڝz,?E$6r7.s8P}T"7ݟo,\nk_7Yaa[,*zjjΆ\U=i"tii?Ծ0,py")W.mFXЃY 2DJ3CDu\Ы{ -e8buƒoAG'aTseRW`nY`Q:OU+nv5+lDA\ɔ#~;ivBΝ3FqO KisvbapJz6C^"d;0u9 .$u([AjG<٭ *QO8H;FGediX =< ˓Ė`*KʈO># d1eAlO<_`M(P60`)s/vqSuGqt|$Kc4kj7-/WͩBZFN/I*(Eu]q=(9*|rSEz GY> .'f3Lv=3?&坴%_DDlB 1XLK4aU@Z6'd]qL 9f/`$0cU+ lC9Sa!}4z0DRZ >Mc]qph89 r9P)銗)IEI(~|@S7NE-bx DP RꯡLn$2AfДTXMHN_|$*I9