sssd-dbus-1.16.2-13.el7$>-l>jQJlJ}.G>>?d   : &:W]dl         .  8 `   $55 5( f8 p9:u>?@G H I@ XPYX\t ] ^P bMdeflt4 u\ vw x y-Csssd-dbus1.16.213.el7The D-Bus responder of the SSSDProvides the D-Bus responder of the SSSD, called the InfoPipe, that allows the information from the SSSD to be transmitted over the system bus.[!x86-01.bsys.centos.org; CentOSGPLv3+CentOS BuildSystem Applications/Systemhttps://pagure.io/SSSD/sssd/linuxx86_64 if [ $1 -eq 1 ] ; then # Initial installation systemctl preset sssd-ifp.service >/dev/null 2>&1 || : fi if [ $1 -eq 0 ] ; then # Package removal, not upgrade systemctl --no-reload disable sssd-ifp.service > /dev/null 2>&1 || : systemctl stop sssd-ifp.service > /dev/null 2>&1 || : fi systemctl daemon-reload >/dev/null 2>&1 || : if [ $1 -ge 1 ] ; then # Package upgrade, not uninstall systemctl try-restart sssd-ifp.service >/dev/null 2>&1 || : fieKO a큤A큤[[[[[ [[[[[4601b3592d313effe1a70c44167775b06693dc9b72e7bebc718b6c9e8b094b8f1018b8062fec54f73a99b3e6621a491cfd79f1d5cf7a27860d6f3d349c32fb3139a210ce23c7ab4600bff68cd095ac167e2dcb6b1cfb0f12291fa72ab23f7d49a2631eb70e5cdc8392c97e19924dc9aca4ddcf4b38a44ada079dbfd5f3b5c8738ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b9036146cf820fb6348aeb99f2f019512dc8cf51be0cd15e0123060580a65dc3fde959401846ca1f72ab6d766a36e6a56f4988c59e3b0d6b0b446c5b25ceff5cc3d6e3f35329b32170ffa4e24e7460057c54643f177e91104226aa703c3b7bd0aa2282d96f75f245f462db1b2997816713711e3683e5f3669b6e17df4678e6549b7brootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootsssd-1.16.2-13.el7.src.rpmsssd-dbussssd-dbus(x86-64) @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@   @ /bin/sh/bin/sh/bin/shlibbasicobjects.so.0()(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcollection.so.2()(64bit)libdbus-1.so.3()(64bit)libdbus-1.so.3(LIBDBUS_1_3)(64bit)libdhash.so.1()(64bit)libdhash.so.1(DHASH_0.4.3)(64bit)libdl.so.2()(64bit)libglib-2.0.so.0()(64bit)libini_config.so.3()(64bit)libldb.so.1()(64bit)libldb.so.1(LDB_0.9.10)(64bit)libnspr4.so()(64bit)libnss3.so()(64bit)libnssutil3.so()(64bit)libpcre.so.1()(64bit)libplc4.so()(64bit)libplds4.so()(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libref_array.so.1()(64bit)librt.so.1()(64bit)libselinux.so.1()(64bit)libsmime3.so()(64bit)libssl3.so()(64bit)libsss_cert.so()(64bit)libsss_certmap.so.0()(64bit)libsss_child.so()(64bit)libsss_crypt.so()(64bit)libsss_debug.so()(64bit)libsss_util.so()(64bit)libsystemd.so.0()(64bit)libsystemd.so.0(LIBSYSTEMD_209)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rtld(GNU_HASH)sssd-commonrpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-11.16.2-13.el75.2-14.11.3[@[l,[b@[a[Y[Y[H@[E@[6@[0@[,[,[d@[[Z@Z@ZmZ@Z_@Z_@Z@ZyZhu@Z3@Z2gZ.s@Z*~Z'Z!D@ZZ@Z Z @Z7ZNYZ@Y@YYJ_YJ_YC@YBvYBvY9<@Y9<@Y5GY5GY5GY5GY0Y0Y(Y(Y%uY%uY$$@Y$$@Y"Y;@YR@YR@Y Y @Y @YtYtYtYtYtYXXh@XXX@X@X@XsX@X@X@XۡXۡXXӸX,XCX@XX*X lX lX lW$WW;W;W;W֘W֘W@W^@WiWiWiW/@W/@W/@W/@WWWWQWQWQW@W@W@WhW@W@Wt@WE@WE@W@W@W@W@WW~W-@W-@W-@WW@WWu WgWDB@WDB@WDB@WBW;W;W@VbV͛@VTQ@VCV @V @V @V V@VBVBVBVBVBUUUU@UXU@U@U@UUUUUUUUL@UL@UU@U@U@UnU@U(U@U@UUmUmU@UJ@UU7@U7@U7@U @U@U@TE@TE@TE@Tи@Tr@Tr@Tr@Tr@T}T}T}T}T}T7T7TTC@TTZ@TZ@TT@Tp@Tp@T@T{T*@T*@TTT~@T~@TuTuTto@Tto@Tto@Tto@Tto@Tto@TmTmTmTmTl@Tl@Tl@Tl@TcKTa@T\@TZ@TZ@TR(@TG@TG@TG@TG@TG@TD@T6xTTT SS@S|@Sr @Sr @Sr @Sr @S;S;S2@S2@S,)S!S L@SSS@S@S@S@S@S @S @S @S @S @S @S @S @SSSRb@Rb@Rb@R@R@R@R@RURURUR߲RRRx@Rx@Rx@RΏ@RΏ@RΏ@R=R=RkRRRR@R@R@R@R@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@RpREs@REs@R7Q@Q@Q@Q@Q@QQLQکQQQo@Q)@Q@QQ@Q@QbQyQV@Q'@QQQnQZ@Q0@QQQ@Q@QQ @QQh@PP@P@P@Pz@Pz@PqnPl(PaPaPS@PH@PDPM>M2@MMzMx@Mj - 1.16.2-13Fabiano Fidêncio - 1.16.2-12Jakub Hrozek - 1.16.2-11Jakub Hrozek - 1.16.2-10Jakub Hrozek - 1.16.2-9Jakub Hrozek - 1.16.2-8Fabiano Fidêncio - 1.16.2-7Fabiano Fidêncio - 1.16.2-6Fabiano Fidêncio - 1.16.2-5Fabiano Fidêncio - 1.16.2-4Fabiano Fidêncio - 1.16.2-3Fabiano Fidêncio - 1.16.2-2Fabiano Fidêncio - 1.16.2-1Fabiano Fidêncio - 1.16.0-25Fabiano Fidêncio - 1.16.0-24Fabiano Fidêncio - 1.16.0-23Fabiano Fidêncio - 1.16.0-22Jakub Hrozek - 1.16.0-21Fabiano Fidêncio - 1.16.0-20Fabiano Fidêncio - 1.16.0-19Fabiano Fidêncio - 1.16.0-18Fabiano Fidêncio - 1.16.0-17Fabiano Fidêncio - 1.16.0-16Fabiano Fidêncio - 1.16.0-15Fabiano Fidêncio - 1.16.0-14Fabiano Fidêncio - 1.16.0-13Fabiano Fidêncio - 1.16.0-12Fabiano Fidêncio - 1.16.0-11Fabiano Fidêncio - 1.16.0-10Fabiano Fidêncio - 1.16.0-9Fabiano Fidêncio - 1.16.0-8Fabiano Fidêncio - 1.16.0-7Fabiano Fidêncio - 1.16.0-6Fabiano Fidêncio - 1.16.0-5Fabiano Fidêncio - 1.16.0-4Fabiano Fidêncio - 1.16.0-3Fabiano Fidêncio - 1.16.0-2Fabiano Fidêncio - 1.16.0-1Jakub Hrozek - 1.15.2-51Jakub Hrozek - 1.15.2-50Jakub Hrozek - 1.15.2-49Jakub Hrozek - 1.15.2-48Jakub Hrozek - 1.15.2-47Jakub Hrozek - 1.15.2-46Jakub Hrozek - 1.15.2-45Jakub Hrozek - 1.15.2-44Jakub Hrozek - 1.15.2-43Jakub Hrozek - 1.15.2-42Jakub Hrozek - 1.15.2-41Jakub Hrozek - 1.15.2-40Jakub Hrozek - 1.15.2-39Jakub Hrozek - 1.15.2-38Jakub Hrozek - 1.15.2-37Jakub Hrozek - 1.15.2-36Jakub Hrozek - 1.15.2-35Jakub Hrozek - 1.15.2-34Jakub Hrozek - 1.15.2-33Jakub Hrozek - 1.15.2-32Jakub Hrozek - 1.15.2-31Sumit Bose - 1.15.2-30Jakub Hrozek - 1.15.2-29Jakub Hrozek - 1.15.2-28Jakub Hrozek - 1.15.2-25Jakub Hrozek - 1.15.2-24Lukas Slebodnik - 1.15.2-23Jakub Hrozek - 1.15.2-22Jakub Hrozek - 1.15.2-21Jakub Hrozek - 1.15.2-20Jakub Hrozek - 1.15.2-19Jakub Hrozek - 1.15.2-18Jakub Hrozek - 1.15.2-17Jakub Hrozek - 1.15.2-16Jakub Hrozek - 1.15.2-15Jakub Hrozek - 1.15.2-14Jakub Hrozek - 1.15.2-13Jakub Hrozek - 1.15.2-12Jakub Hrozek - 1.15.2-11Jakub Hrozek - 1.15.2-10Jakub Hrozek - 1.15.2-9Jakub Hrozek - 1.15.2-8Jakub Hrozek - 1.15.2-7Jakub Hrozek - 1.15.2-6Jakub Hrozek - 1.15.2-5Jakub Hrozek - 1.15.2-4Jakub Hrozek - 1.15.2-3Jakub Hrozek - 1.15.2-2Jakub Hrozek - 1.15.2-1Fabiano Fidêncio - 1.15.1-2Jakub Hrozek - 1.15.1-1Jakub Hrozek - 1.15.0-2Jakub Hrozek - 1.15.0-1Jakub Hrozek - 1.14.0-46Jakub Hrozek - 1.14.0-45Jakub Hrozek - 1.14.0-44Jakub Hrozek - 1.14.0-43Jakub Hrozek - 1.14.0-42Jakub Hrozek - 1.14.0-41Jakub Hrozek - 1.14.0-40Jakub Hrozek - 1.14.0-39Jakub Hrozek - 1.14.0-38Jakub Hrozek - 1.14.0-37Jakub Hrozek - 1.14.0-36Jakub Hrozek - 1.14.0-35Jakub Hrozek - 1.14.0-34Jakub Hrozek - 1.14.0-33Jakub Hrozek - 1.14.0-32Jakub Hrozek - 1.14.0-31Jakub Hrozek - 1.14.0-30Jakub Hrozek - 1.14.0-29Jakub Hrozek - 1.14.0-28Jakub Hrozek - 1.14.0-27Jakub Hrozek - 1.14.0-26Jakub Hrozek - 1.14.0-25Jakub Hrozek - 1.14.0-24Jakub Hrozek - 1.14.0-23Jakub Hrozek - 1.14.0-22Jakub Hrozek - 1.14.0-21Jakub Hrozek - 1.14.0-20Jakub Hrozek - 1.14.0-19Jakub Hrozek - 1.14.0-18Jakub Hrozek - 1.14.0-17Jakub Hrozek - 1.14.0-16Jakub Hrozek - 1.14.0-15Jakub Hrozek - 1.14.0-14Jakub Hrozek - 1.14.0-13Jakub Hrozek - 1.14.0-12Jakub Hrozek - 1.14.0-11Jakub Hrozek - 1.14.0-10Jakub Hrozek - 1.14.0-9Jakub Hrozek - 1.14.0-8Jakub Hrozek - 1.14.0-7Jakub Hrozek - 1.14.0-6Jakub Hrozek - 1.14.0-5Jakub Hrozek - 1.14.0-4Jakub Hrozek - 1.14.0-3Jakub Hrozek - 1.14.0-2Jakub Hrozek - 1.14.0-1Jakub Hrozek - 1.14.0beta1-2Jakub Hrozek - 1.14.0alpha-1Jakub Hrozek - 1.13.0-50Jakub Hrozek - 1.13.0-49Jakub Hrozek - 1.13.0-48Jakub Hrozek - 1.13.0-47Jakub Hrozek - 1.13.0-46Jakub Hrozek - 1.13.0-45Jakub Hrozek - 1.13.0-44Jakub Hrozek - 1.13.0-43Jakub Hrozek - 1.13.0-42Jakub Hrozek - 1.13.0-41Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 1.12.2-58.3Jakub Hrozek - 1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 1.11.2-52Jakub Hrozek - 1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Resolves: rhbz#1593756 - sssd needs to require a newer version of libtalloc and libtevent to avoid an issue in GPO processing- Resolves: rhbz#1610667 - sssd_ssh leaks file descriptors when more than one certificate is converted into an SSH key - Resolves: rhbz#1583360 - The IPA selinux provider can return an error if SELinux is completely disabled- Resolves: rhbz#1602781 - Local users failed to login with same password- Resolves: rhbz#1586127 - Spurious check in the sssd nss memcache can cause the memory cache to be skipped- Resolves: rhbz#1522928 - sssd doesn't allow user with expired password- Resolves: rhbz#1607313 - When sssd is running as non-root user, the sudo pipe is created as sssd:sssd but then the private pipe ownership fails- Resolves: rhbz#1600822 - SSSD bails out saving desktop profiles in case an invalid profile is found- Resolves: rhbz#1582975 - The search filter for detecting POSIX attributes in global catalog is too broad and can cause a high load on the servers- Resolves: rhbz#1583725 - SSSD AD uses LDAP filter to detect POSIX attributes stored in AD GC also for regular AD DC queries - Resolves: rhbz#1416528 - sssd in cross realm trust configuration should be able to use AD KDCs from a client site defined in sssd.conf or a snippet - Resolves: rhbz#1592964 - Groups go missing with PAC enabled in sssd- Resolves: rhbz#1590603 - EMBARGOED CVE-2018-10852 sssd: information leak from the sssd-sudo responder [rhel-7] - Resolves: rhbz#1450778 - Full information regarding priority of lookup of principal in keytab not in man page- Resolves: rhbz#1494690 - kdcinfo files are not created for subdomains of a directly joined AD client - Resolves: rhbz#1583343 - Login with sshkeys stored in ipa not working after update to RHEL-7.5 - Resolves: rhbz#1527662 - Handle conflicting e-mail addresses more gracefully - Resolves: rhbz#1509691 - Document how to change the regular expression for SSSD so that group names with an @-sign can be parsed- Related: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch- Resolves: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch - Resolves: rhbz#1523019 - Reset password with two factor authentication fails - Resolves: rhbz#1534749 - Requesting an AD user's private group and then the user itself returns an emty homedir - Resolves: rhbz#1537272 - SSH public key authentication keeps working after keys are removed from ID view - Resolves: rhbz#1537279 - Certificate is not removed from cache when it's removed from the override - Resolves: rhbz#1562025 - externalUser sudo attribute must be fully-qualified - Resolves: rhbz#1577335 - /usr/libexec/sssd/sssd_autofs SIGABRT crash daily - Resolves: rhbz#1508530 - How should sudo behave without sudoHost attribute? - Resolves: rhbz#1546754 - The man page of sss_ssh_authorizedkeys can be enhanced to better explain how the keys are retrieved and how X.509 certificates can be used - Resolves: rhbz#1572790 - getgrgid/getpwuid fails in setups with multiple domains if the first domain uses mid_id/max_id - Resolves: rhbz#1561562 - sssd not honoring dyndns_server if the DNS update process is terminated with a signal - Resolves: rhbz#1583251 - home dir disappear in sssd cache on the IPA master for AD users - Resolves: rhbz#1514061 - ID override GID from Default Trust View is not properly resolved in case domain resolution order is set - Resolves: rhbz#1571466 - Utilizing domain_resolution_order in sssd.conf breaks SELinux user map - Resolves: rhbz#1571526 - SSSD with ID provider 'ad' should give a warning in case the ldap schema is manually changed to something different than 'ad'.- Resolves: rhbz#1547782 - The SSSD IPA provider allocates information about external groups on a long lived memory context, causing memory growth of the sssd_be process- Related: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1516266 - Give a more detailed debug and system-log message if krb5_init_context() failed - Resolves: rhbz#1503802 - Smartcard authentication fails if SSSD is offline and 'krb5_store_password_if_offline = True' - Resolves: rhbz#1385665 - Incorrect error code returned from krb5_child (updated) - Resolves: rhbz#1547234 - SSSD's GPO code ignores ad_site option - Resolves: rhbz#1459348 - extend sss-certmap man page regarding priority processing - Resolves: rhbz#1220767 - Group renaming issue when "id_provider = ldap" is set - Resolves: rhbz#1538555 - crash in nss_protocol_fill_netgrent. sssd_nss[19234]: segfault at 80 ip 000055612688c2a0 sp 00007ffddf9b9cd0 error 4 in sssd_nss[55612687e000+39000]- Resolves: rhbz#1565774 - After updating to RHEL 7.5 failing to clear the sssd cache- Resolves: rhbz#1566782 - memory management issue in the sssd_nss_ex interface can cause the ns-slapd process on IPA server to crash- Related: rhbzrhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1543348 - sssd_be consumes more memory on RHEL 7.4 systems. - Resolves: rhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1523282 - sssd used wrong search base with wrong AD server- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set - Related: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7]- Resolves: rhbz#1517971 - AD Domain goes offline immediately during subdomain initialization - IPA AD Trust - Related: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1527149 - AD provider - AD BUILTIN groups are cached with gidNumber = 0 - Related: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1525644 - dbus-send unable to find user by CAC cert- Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card- Resolves: rhbz#1512027 - NSS by-id requests are not checked against max_id/min_id ranges before triggering the backend- Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card - Resolves: rhbz#1520984 - getent output is not showing home directory for IPA AD trusted user - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1421194 - SSSD doesn't use AD global catalog for gidnumber lookup, resulting in unacceptable delay for large forests- Resolves: rhbz#1482231 - sssd_nss consumes more memory until restarted or machine swaps - Resolves: rhbz#1512508 - SSSD fails to fetch group information after switching IPA client to a non-default view- Resolves: rhbz#1490120 - SSSD complaining about corrupted mmap cache and logging error in /var/log/messages and /var/log/sssd/sssd_nss.log- Resolves: rhbz#1272214 - [RFE] Create a local per system report about who can access that IDM client (attestation) - Resolves: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Resolves: rhbz#888739 - Enumerating large number of users makes sssd_be hog the cpu for a long time. - Resolves: rhbz#1373547 - SSSD performance issue with malloc and brk calls - Resolves: rhbz#1472255 - Improve SSSD performance in the 7.5 release- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1432010 - SSSD ships a drop-in configuration snippet in /etc/systemd/system - Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available- Resolves: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Related: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1408294 - SSSD authentication fails when two IPA accounts share an email address without a clear way to debug the problem - Resolves: rhbz#1502686 - crash - /usr/libexec/sssd/sssd_nss in nss_setnetgrent_timeout- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1484376 - [RFE] Add a configuration option to SSSD to disable the memory cache - Resolves: rhbz#1327705 - Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1505277 - Race condition between refreshing the cr_domain list and a request that is using the list can cause a segfault is sssd_nss - Resolves: rhbz#1462343 - document information on why SSSD does not use host-based security filtering when processing AD GPOs - Resolves: rhbz#1498734 - sssd_be stuck in an infinite loop after completing full refresh of sudo rules - Resolves: rhbz#1400614 - [RFE] sssd should remember DNS sites from first search - Resolves: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Resolves: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1469791 - Rebase SSSD to version 1.16+ - Resolves: rhbz#1132264 - Allow sssd to retrieve sudo rules of local users whose sudo rules stored in ldap server - Resolves: rhbz#1301740 - sssd can be marked offline if a trusted domain is not reachable - Resolves: rhbz#1399262 - Use TCP for kerberos with AD by default - Resolves: rhbz#1416150 - RFE: Log to syslog when sssd cannot contact servers, goes offline - Resolves: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Resolves: rhbz#1454559 - python-sssdconfig doesn't parse hexadecimal debug _level, resulting in set_option(): /usr/lib/python2.7/site-packages/SSSDConfig/__init__.py killed by TypeError - Resolves: rhbz#1456968 - MAN: document that attribute 'provider' is not allowed in section 'secrets' - Resolves: rhbz#1460689 - KCM/secrets: Storing many secrets in a rapid succession segfaults the secrets responder - Resolves: rhbz#1464049 - Idle nss file descriptors should be closed - Resolves: rhbz#1468610 - sssd_be is utilizing more CPU during sudo rules refresh - Resolves: rhbz#1474711 - Querying the AD domain for external domain's ID can mark the AD domain offline - Resolves: rhbz#1479398 - samba shares with sssd authentication broken on 7.4 - Resolves: rhbz#1479983 - id root triggers an LDAP lookup - Resolves: rhbz#1489895 - Issues with certificate mapping rules - Resolves: rhbz#1490501 - sssd incorrectly checks 'try_inotify' thinking it is the wrong section - Resolves: rhbz#1490913 - MAN: Document that full_name_format must be set if the output of trusted domains user resolution should be shortnames only - Resolves: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Resolves: rhbz#1482674 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server - Resolves: rhbz#1486053 - Accessing IdM kerberos ticket fails while id mapping is applied - Resolves: rhbz#1486786 - sssd going in offline mode due to sudo search filter. - Resolves: rhbz#1500087 - SSSD creates bad override search filter due to AD Trust object with parenthesis - Resolves: rhbz#1502713 - SSSD can crash due to ABI changes in libldb >= 1.2.0 (1.1.30) - Resolves: rhbz#1461462 - sssd_client: add mutex protected call to the PAC responder - Resolves: rhbz#1489666 - Combination sssd-ad and postfix recieve incorrect mail with asterisks or spaces - Resolves: rhbz#1525052 - sssd_krb5_localauth_plugin fails to fallback to otheri localname rules- Require the 7.5 libldb version which broke ABI - Related: rhbz#1469791 - Rebase SSSD to version 1.16+- Resolves: rhbz#1457926 - Wrong search base used when SSSD is directly connected to AD child domain- Resolves: rhbz#1450107 - SSSD doesn't handle conflicts between users from trusted domains with the same name when shortname user resolution is enabled- Resolves: rhbz#1459846 - krb5: properly handle 'password expired' information retured by the KDC during PKINIT/Smartcard authentication- Resolves: rhbz#1430415 - ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in- Resolves: rhbz#1455254 - Make domain available as user attribute- Resolves: rhbz#1449731 - IPA client cannot change AD Trusted User password- Resolves: rhbz#1457927 - getent failed to fetch netgroup information after changing default_domain_suffix to ADdomin in /etc/sssd/sssd.conf- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15- Resolves: rhbz#1449728 - LDAP to IPA migration doesn't work in master- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1449729 - org.freedesktop.sssd.infopipe.GetUserGroups does not resolve groups into names with AD- Resolves: rhbz#1450094 - Properly support IPA's promptusername config option- Resolves: rhbz#1457644 - Segfault in access_provider = krb5 is set in sssd.conf due to an off-by-one error when constructing the child send buffer - Resolves: rhbz#1456531 - Option name typos are not detected with validator function of sssctl config-check command in domain sections- Resolves: rhbz#1428906 - sssd intermittently failing to resolve groups for an AD user in IPA-AD trust environment.- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail - Fix Coverity issues in patches for rhbz#1445445- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1446302 - crash in sssd-kcm due to a race-condition between two concurrent requests- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail- Resolves: rhbz#1306707 - Need better debug message when krb5_child returns an unhandled error, leading to a System Error PAM code- Resolves: rhbz#1446535 - Group resolution does not work in subdomain without ad_server option- Resolves: rhbz#1449726 - sss_nss_getlistbycert() does not return results from multiple domains - Resolves: rhbz#1447098 - sssd unable to search dbus for ipa user by certificate - Additional patch for rhbz#1440132- Reapply patch by Lukas Slebodnik to fix upgrade issues with libwbclient - Resolves: rhbz#1439457 - SSSD does not start after upgrade from 7.3 to 7.4 - Resolves: rhbz#1449107 - error: %pre(sssd-common-1.15.2-26.el7.x86_64) scriptlet failed, exit status 3- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15 - Also apply an additional patch for rhbz#1441545- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1434992 - Wrong pam return code for user from subdomain with ad_access_filter- Resolves: rhbz#1430494 - expect sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy manuals to be packaged into sssd-common package- Resolves: rhbz#1427749 - SSSD in server mode iterates over all domains for group-by-GID requests, causing unnecessary searches- Resolves: rhbz#1446139 - Infopipe method ListByCertificate does not return the users with overrides- Resolves: rhbz#1441545 - With multiple subdomain sections id command output for user is not displayed for both domains- Resolves: rhbz#1428866 - Using ad_enabled_domains configuration option in sssd.conf causes nameservice lookups to fail.- Remove an unused variable from the sssd-secrets responder - Related: rhbz#1398701 - [sssd-secrets] https proxy talks plain http - Improve two DEBUG messages in the client trust code to aid troubleshooting - Fix standalone application domains - Related: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Allow completely server-side unqualified name resolution if the domain order is set, do not require any client-side changes - Related: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users- Resolves: rhbz#1402532 - D-Bus interface of sssd is giving inappropriate group information for trusted AD users- Resolves: rhbz#1431858 - Wrong principal found with ad provider and long host name- Resolves: rhbz#1415167 - pam_acct_mgmt with pam_sss.so fails in unprivileged container unless selinux_provider = none is used- Resolves: rhbz#1438388 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_pam killed by 6- Resolves: rhbz#1432112 - sssctl config-check does not give any error when default configuration file is not present- Resolves: rhbz#1438374 - [abrt] [faf] sssd: vfprintf(): /usr/libexec/sssd/sssd_be killed by 11- Resolves: rhbz#1427195 - sssd_nss consumes more memory until restarted or machine swaps- Resolves: rhbz#1414023 - Create troubleshooting tool to determine if a failure is in SSSD or not when using layered products like RH-SSO/CFME etc- Resolves: rhbz#1398701 - [sssd-secrets] https proxy talks plain http- Fix off-by-one error in the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Resolves: rhbz#1434991 - Issue processing ssh keys from certificates in ssh respoder- Resolves: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users - Also backport some buildtime fixes for the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1340711 - [RFE] Use one smartcard and certificate for authentication to distinct logon accounts- Update to upstream 1.15.2 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html - Resolves: rhbz#1418728 - IPA - sudo does not handle associated conflict entries - Resolves: rhbz#1386748 - sssd doesn't update PTR records if A/PTR zones are configured as non-secure and secure - Resolves: rhbz#1214491 - [RFE] Make it possible to configure AD subdomain in the SSSD server mode- Drop "NOUPSTREAM: Bundle http-parser" patch Related: rhbz#1393819 - New package: http-parser- Update to upstream 1.15.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html - Resolves: rhbz#1327085 - Don't prompt for password if there is already one on the stack - Resolves: rhbz#1378722 - [RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases - Resolves: rhbz#1405075 - [RFE] Add PKINIT support to SSSD Kerberos provider - Resolves: rhbz#1416526 - Need correction in sssd-krb5 man page - Resolves: rhbz#1418752 - pam_sss crashes in do_pam_conversation if no conversation function is provided by the client app - Resolves: rhbz#1419356 - Fails to accept any sudo rules if there are two user entries in an ldap role with the same sudo user - Resolves: rhbz#1421622 - SSSD - Users/Groups are cached as mixed-case resulting in users unable to sign in- Fix several packaging issues, notably the p11_child is no longer setuid and the libwbclient used a wrong version number in the symlink- Update to upstream 1.15.0 - Resolves: rhbz#1393824 - Rebase SSSD to version 1.15 - Resolves: rhbz#1407960 - wbcLookupSid() fails in pdomain is NULL - Resolves: rhbz#1406437 - sssctl netgroup-show Cannot allocate memory - Resolves: rhbz#1400422 - Use-after free in resolver in case the fd is writeable and readable at the same time - Resolves: rhbz#1393085 - bz - ldap group names don't resolve after upgrading sssd to 1.14.0 if ldap_nesting_level is set to 0 - Resolves: rhbz#1392444 - sssd_be keeps crashing - Resolves: rhbz#1392441 - sssd fails to start after upgrading to RHEL 7.3 - Resolves: rhbz#1382602 - autofs map resolution doesn't work offline - Resolves: rhbz#1380436 - sudo: ignore case on case insensitive domains - Resolves: rhbz#1378251 - Typo In SSSD-AD Man Page - Resolves: rhbz#1373427 - Clock skew makes SSSD return System Error - Resolves: rhbz#1306707 - Need better handling of "Server not found in Kerberos database" - Resolves: rhbz#1297462 - Don't include 'enable_only=sssd' in the localauth plugin config- Resolves: rhbz#1382598 - IPA: Uninitialized variable during subdomain check- Resolves: rhbz#1378911 - No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain- Resolves: rhbz#1372075 - AD provider: SSSD does not retrieve a domain-local group with the AD provider when following AGGUDLP group structure across domains- Resolves: rhbz#1376831 - sssd-common is missing dependency on sssd-sudo- Resolves: rhbz#1371631 - login using gdm calls for gdm-smartcard when smartcard authentication is not enabled- Resolves: rhbz#1373420 - sss_override fails to export- Resolves: rhbz#1375299 - sss_groupshow fails with error "No such group in local domain. Printing groups only allowed in local domain"- Resolves: rhbz#1375182 - SSSD goes offline when the LDAP server returns sizelimit exceeded- Resolves: rhbz#1372753 - Access denied for user when access_provider = krb5 is set in sssd.conf- Resolves: rhbz#1373444 - unable to create group in sssd cache - Resolves: rhbz#1373577 - unable to add local user in sssd to a group in sssd- Resolves: rhbz#1369118 - Don't enable the default shadowtils domain in RHEL- Fix permissions for the private pipe directory - Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1371977 - resolving IPA nested user groups is broken in 1.14- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1371152 - SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side- Apply forgotten patch - Resolves: rhbz#1368496 - sssd is not able to authenticate with alias - Resolves: rhbz#1366470 - sssd: throw away the timestamp cache if re-initializing the persistent cache - Fix deleting non-existent secret - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1364033 - sssd exits if clock is adjusted backwards after boot- Resolves: rhbz#1362023 - SSSD fails to start when ldap_user_extra_attrs contains mail- Resolves: rhbz#1368324 - libsss_autofs.so is packaged in two packages sssd-common and libsss_autofs- Fix RPM scriptlet plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Add socket-activation plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Own the secrets directory - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1268874 - Add an option to disable checking for trusted domains in the subdomains provider- Resolves: rhbz#1271280 - sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)- Resolves: rhbz#1290500 - [feat] command to manually list fo_add_server_to_list information- Add several small fixes related to the config API - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Resolves: rhbz#1349900 - gpo search errors out and gpo_cache file is never created- Fix regressions in the simple access provider - Resolves: rhbz#1360806 - sssd does not start if sub-domain user is used with simple access provider - Apply a number of specfile patches to better match the upstream spefile - Related: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3- Cherry-pick patches from upstream that fix several regressions - Avoid checking local users in all cases - Resolves: rhbz#1353951 - sssd_pam leaks file descriptors- Resolves: rhbz#1364118 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11 - Resolves: rhbz#1361563 - Wrong pam error code returned for password change in offline mode- Resolves: rhbz#1309745 - Support multiple principals for IPA users- Resolves: rhbz#1304992 - Handle overriden name of members in the memberUid attribute- handle unresolvable sites more gracefully - Resolves: rhbz#1346011 - sssd is looking at a server in the GC of a subdomain, not the root domain. - fix compilation warnings in unit tests- fix capaths output - Resolves: rhbz#1344940 - GSSAPI error causes failures for child domain user logins across IPA - AD trust - also fix Coverity issues in the secrets responder and suppress noisy debug messages when setting the timestamp cache- Resolves: rhbz#1356577 - sssctl: Time stamps without time zone information- Resolves: rhbz#1354414 - New or modified ID-View User overrides are not visible unless rm -f /var/lib/sss/db/*cache*- Resolves: rhbz#1211631 - [RFE] Support of UPN for IdM trusted domains- Resolves: rhbz#1350520 - [abrt] sssd-common: ipa_dyndns_update_send(): sssd_be killed by SIGSEGV- Resolves: rhbz#1349882 - sssd does not work under non-root user - Also cherry-pick a few patches from upstream to fix config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Sync a few minor patches from upstream - Fix sssctl manpage - Fix nss-tests unit test on big-endian machines - Fix several issues in the config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Bundle http-parser - Resolves: rhbz#1311056 - Add a Secrets as a Service component- Sync a few minor patches from upstream - Fix a failover issue - Resolves: rhbz#1334749 - sssd fails to mark a connection as bad on searches that time out- Explicitly BuildRequire newer ding-libs - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- New upstream release 1.14.0 - Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#835492 - [RFE] SSSD admin tool request - force reload - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check) - Resolves: rhbz#1278691 - Please fix rfc2307 autofs schema defaults - Resolves: rhbz#1287209 - default_domain_suffix Appended to User Name - Resolves: rhbz#1300663 - Improve sudo protocol to support configurations with default_domain_suffix - Resolves: rhbz#1312275 - Support authentication indicators from IPA- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#790113 - [RFE] "include" directive in sssd.conf - Resolves: rhbz#874985 - [RFE] AD provider support for automount lookups - Resolves: rhbz#879333 - [RFE] SSSD admin tool request - status overview - Resolves: rhbz#1140022 - [RFE]Allow sssd to add a new option that would specify which server to update DNS with - Resolves: rhbz#1290380 - RFE: Improve SSSD performance in large environments - Resolves: rhbz#883886 - sssd: incorrect checks on length values during packet decoding - Resolves: rhbz#988207 - sssd does not detail which line in configuration is invalid - Resolves: rhbz#1007969 - sssd_cache does not remove have an option to remove the sssd database - Resolves: rhbz#1103249 - PAC responder needs much time to process large group lists - Resolves: rhbz#1118257 - Users in ipa groups, added to netgroups are not resovable - Resolves: rhbz#1269018 - Too much logging from sssd_be - Resolves: rhbz#1293695 - sssd mixup nested group from AD trusted domains - Resolves: rhbz#1308935 - After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user - Resolves: rhbz#1315766 - SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo - Resolves: rhbz#1316164 - SSSD fails to process GPO from Active Directory - Resolves: rhbz#1322458 - sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - The rebase includes fixes for the following bugzillas: - Resolves: rhbz#789477 - [RFE] SUDO: Support the IPA schema - Resolves: rhbz#1059972 - RFE: SSSD: Automatically assign new slices for any AD domain - Resolves: rhbz#1233200 - man sssd.conf should clarify details about subdomain_inherit option. - Resolves: rhbz#1238144 - Need better libhbac debuging added to sssd - Resolves: rhbz#1265366 - sss_override segfaults when accidentally adding --help flag to some commands - Resolves: rhbz#1269512 - sss_override: memory violation - Resolves: rhbz#1278566 - crash in sssd when non-Englsh locale is used and pam_strerror prints non-ASCII characters - Resolves: rhbz#1283686 - groups get deleted from the cache - Resolves: rhbz#1290378 - Smart Cards: Certificate in the ID View - Resolves: rhbz#1292238 - extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members - Resolves: rhbz#1292456 - sssd_be AD segfaults on missing A record - Resolves: rhbz#1294670 - Local users with local sudo rules causes LDAP queries - Resolves: rhbz#1296618 - Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore - Resolves: rhbz#1299553 - Cannot retrieve users after upgrade from 1.12 to 1.13 - Resolves: rhbz#1302821 - Cannot start sssd after switching to non-root - Resolves: rhbz#1310877 - [RFE] Support Automatic Renewing of Kerberos Host Keytabs - Resolves: rhbz#1313014 - sssd is not closing sockets properly - Resolves: rhbz#1318996 - SSSD does not fail over to next GC - Resolves: rhbz#1327270 - local overrides: issues with sub-domain users and mixed case names - Resolves: rhbz#1342547 - sssd-libwbclient: wbcSidsToUnixIds should not fail on lookup errors- Build the PAC plugin with krb5-1.14 - Related: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1290853 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.- Resolves: rhbz#1336706 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups- Resolves: rhbz#1296902 - In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD.- Resolves: rhbz#1334159 - IPA provider crashes if a netgroup from a trusted domain is requested- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin - More patches from upstream related to the memory leak- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin- Resolves: rhbz#1300740 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.- Resolves: rhbz#1267836 - PAM responder crashed if user was not set- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Fix a Coverity warning in dyndns code - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1263735 - Could not resolve AD user from root domain- Remove -d from sss_override manpage - Related: rhbz#1259512 - sss_override : The local override user is not found- Patches required for better handling of failover with one-way trusts - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users- Resolves: rhbz#1259512 - sss_override : The local override user is not found- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help- Resolves: rhbz#1254518 - Fix crash in nss responder- Support import/export for local overrides - Support FQDNs for local overrides - Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes- Resolves: rhbz#1250415 - sssd: p11_child hardening- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected- Fix wildcard_limit=0 - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Fix race condition in invalidating the memory cache - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled- Bump release number - Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- Fix missing dependency of sssd-tools - Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- More memory cache related fixes - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Remove binary blob from SC patches as patch(1) can't handle those - Related: rhbz#854396 - [RFE] Support for smart cards- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*- Fix memory cache integration tests - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups - Resolves: rhbz#854396 - [RFE] Support for smart cards- Remove OTP from PAM stack correctly - Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Handle sssd-owned keytabs when sssd runs as root - Related: rhbz#1205144 - RFE: Support one-way trusts for IPA- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on individual clients- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support - Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2- Add support for InfoPipe wildcard requests - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Also package the initgr memcache - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Rebase to 1.13.0 upstream - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Don't default to SSSD user - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Related: rhbz#1205554 - Rebase SSSD to 1.13.x - GPO default should be permissve- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x - Relax the libldb requirement - Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21 - Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs - Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust - Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers - Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains - Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups - Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set - Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides - Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution - Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work - Resolves: rhbz#1214337 - Overrides with --login work in second attempt - Resolves: rhbz#1212489 - Disable the cleanup task by default - Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf - Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one - Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected - Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all - Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface - Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain - Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys - Resolves: rhbz#1204203 - sssd crashes intermittently - Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default - Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only - Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries - Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything - Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query - Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects - Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name? - Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error - Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD - Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set - Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires - Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option - Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID- Filter out domain-local groups during AD initgroups operation - Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Initialize variable in the views code in one success and one failure path - Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Handle case where there is no default and no rules - Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u- Set a pointer in ldap_child to NULL to avoid warnings - Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Run the restart in sssd-common posttrans - Explicitly require libwbclient - Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Fix endianess bug in fill_id() - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view- Resolves: rhbz#1184982 - Need to set different umask in selinux_child- Bump the release number - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Add a patch dependency - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Process ghost members only once - Fix processing of universal groups with members from different domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved- Handle GID override in MPG domains - Handle views with mixed-case domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Open socket to the PAC responder in krb5_child before dropping root - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD- Resolves: rhbz#889206 - On clock skew sssd returns system error- Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used - Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Resolves: rhbz#1171215 - Crash in function get_object_from_cache - Resolves: rhbz#1171383 - getent fails for posix group with AD users after login - Resolves: rhbz#1171382 - getent of AD universal group fails after group users login - Resolves: rhbz#1170300 - Access is not rejected for disabled domain - Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode - Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear - Related: rhbz#1113783 - sssd should run under unprivileged user- Rebuild to add several forgotten Patch entries - Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Remove Coverity warnings in krb5_child code - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Don't error out on chpass with OTPs - Related: rhbz#1109756 - Rebase SSSD to 1.12- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users - Enable running unit tests without cmocka - Related: rhbz#1113783 - sssd should run under unprivileged user- krb5_child and ldap_child do not call Kerberos calls as root - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware- Fix typo in libwbclient-devel alternatives invocation - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.- Handle migrating clients between views - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Use alternatives for libwbclient - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression- Add an option that describes where to put generated krb5 files to - Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12- Handle IPA group names returned from the extop plugin - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete- Support views for IPA users - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Update man page to clarify TGs should be disabled with a custom search base - Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Use upstreamed patches for the rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Resolves: rhbz#1162480 - dereferencing failure against openldap server- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1113783 - sssd should run under unprivileged user- Fix two regressions in the new selinux_child process - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1132365 - Remove password from the PAM stack if OTP is used- Include the ldap_child and selinux_child patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Support overriding SSH public keys with views - Support extended attributes via the extop plugin - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving - Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times- Include the responder and packaging patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Amend the sssd-ldap man page with info about lockout setup - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD - Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server - Related: rhbz#1109756 - Rebase SSSD to 1.12- Add the low-level server changes for running as unprivileged user - Package the libsss_semange library needed for SELinux label changes - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Use libsemanage for SELinux label changes - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Rebase SSSD to 1.12.2 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Sync with upstream - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebuild against ding-libs with fixed SONAME - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.1 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Require ldb 2.1.17 - Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer- Fix fully qualified IFP lookups - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.0 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Squash in upstream review comments about the PAC patch - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Backport a patch to allow krb5-utils-test to run as root - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Fix a DEBUG message, backport two related fixes - Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success- Resolves: rhbz#1078840 - Error during password change- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider- Fix idmap documentation - Bump idmap version info - Related: rhbz#1067361 - Check IPA idranges before saving them to the cache- Pull some follow up man page fixes from upstream - Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does. - Use the right domain for AD site resolution - Related: rhbz#743503 - [RFE] sssd should support DNS sites- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin- Mass rebuild 2014-01-24- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed. - Fix a typo in the man page - Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain - Fix return value when searching for AD domain flat names - Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword. - Fix two memory leaks in the PAC responder (Related: rhbz#991065)- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup- Resolves: rhbz#1049533 - Group membership lookup issue- Mass rebuild 2013-12-27- Resolves: rhbz#894068 - sss_cache doesn't support subdomains- Re-initialize subdomains after provider startup - Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- The AD provider is able to resolve group memberships for groups with Global and Universal scope - Related: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog- Resolves: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog - Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"- Resolves: rhbz#1037936 - sssd_be crashes occasionally- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains- Resolves: rhbz#1033084 - sssd_be segfaults if empty grop is resolved using ad_matching_rule- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- Skip netgroups that don't provide well-formed triplets - Related: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 - Resolves: rhbz#991065- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash - Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 - Resolves: rhbz#991065 - Rebase SSSD to 1.11.0- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 - Resolves: rhbz#991065- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 - Related: rhbz#991065- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting- Apply several important fixes from upstream 1.10 branch - Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- Remove libcmocka dependency- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doensn't carry any older krb5-libs version- Enable hardened build for RHEL7- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath insted of mcachepath macro to be consistent with upsteam spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. - Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested tar get is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstreeam spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predicatable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. - Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. - Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. - Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. (Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)/bin/sh/bin/sh/bin/sh cadeuk1.16.2-13.el71.16.2-13.el7 org.freedesktop.sssd.infopipe.confsssd-ifp.servicesssd_ifporg.freedesktop.sssd.infopipe.servicesssd-dbus-1.16.2COPYINGsssd-ifp.5.gzsssd-ifp.5.gzsssd-ifp.5.gzsssd-ifp.5.gz/etc/dbus-1/system.d//usr/lib/systemd/system//usr/libexec/sssd//usr/share/dbus-1/system-services//usr/share/licenses//usr/share/licenses/sssd-dbus-1.16.2//usr/share/man/ca/man5//usr/share/man/de/man5//usr/share/man/man5//usr/share/man/uk/man5/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericdrpmxz2x86_64-redhat-linux-gnuXML 1.0 document, ASCII textASCII textELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=51f78fdb27d43063d05b3b578d93b3e4afe2f2ff, strippeddirectorytroff or preprocessor input, UTF-8 Unicode text (gzip compressed data, from Unix, max compression)troff or preprocessor input, UTF-8 Unicode text, with very long lines (gzip compressed data, from Unix, max compression)troff or preprocessor input, ASCII text (gzip compressed data, from Unix, max compression)-R RR(R*R,RRRRRR.R R&RRRR RR+RRRRRRR#R!R$R%R-R R'R"R)R RRRRRRRR RR2? 7zXZ !#,w]"k%{f}{&-򝍨|C]M7ojQcmIe6\h}pD,#4WRGxRpgN )ZxYꔛ pf(CH@p!.WnP6$YLl_/.mԟ^Nfa^0bAR#L-Ev;*:؀Go`(Q6G=.B_KL}za-C(`w&'ザ඲`~PPp]b/&]v;tEm2IZ{ c@>v73ʐLE|d^Q4?ӗ/gc/ghDD1VL{doLI3|.EN}ɮ~.4۲Llkq(Pyuv`v[>8wsPnTroKxdx>gL!+=*]^qL8!du!Ed"9~U5HIM G@^È)oLwUe+uox/-eGq}7~&[UL]iL1Yt,NAL3VBaAW:iW/>Pc9hf5KG/?D: I/>: n9W[ajM.X?gj 7WR># =,6{3~# pMꢜWU tmg1(c[ n ̈N 4F$bkst.h*YB'iBPi!nFe>>R}1稃ug2pXqIB,7Ezv,^(LjݓD`ۂVZ;0[Os$F_ݍX6Ff5YW\5i^#׺]*0s=j:j|42n`C8P "10mc=̈N!c9vn'@` !))`QL:3 DNPe<;%AWqY1#ΚA]*B  Lj"+Z5NĶÿ,5{U"-nѰˇG~+,ISSLGw{GJXM[JFg߽1GD1˙"ؽm*[cЊV;%K+g+t!gv[YR$W&g.ꪴҷ[C$HxB\^8dM;Mf|`'ɪ{<~Em$wӛxr_8m_ EH2ۨR&oĉ\2gY#fQ4;20Tvbl (Sy1ksOr?/)$f;0@ .HO@R̍w&"s`JbdWfؗҦ H)aIihFxyk؋M~{ܫamPJl`g@氳ś/·*cZqO4(`ng3Nifd`se_x"&(3 ($_Zj ~c/x"G{$AqHþ?u&"#wU50oX]Cz:sxh选?Xw[wM5!W+~H$ 4zBXIӔqB0w2lYrvXB)'GDF\w{`8nu9q~NkRQ\iw_pJ'N^>[}~?TKm9A?5n._Ch$S_sq)Vi&[lafwt7JvzWr (m/Ú*hHUmU NIMڜgJo5﯄E,Dl',e\{d5ER7Y-X-BN!iѨ<,L*Dʙ!"rzGXˤ sC(1X;T'8.'SQ8/&?hUkOk$t<[j?Wd']`$veqƚ,^Z/S\&S䢽$ǟL0%t"_ӄ[M)!3Y' uQnKΫu m;NyPݺ KŽ[ krK,;wP1Kx; 6s P^(g@N~ZdAd*3EImҸDB#cᧂ;43H: .YIZ8~WX| Xva5v%FtgwтqP Z;A/ \P] U᡽ C_>3L$$䙋ѹ_I -D/N@ [|Lkcb9ӅbASge~npI]^v7% ]޲E.%;98hynB擫uEw{Hv\–B/c %zãz9p;aV/W4CKpn-"VX*%Rv'ao0wm~jinɈ#qPCs䀪!xP$wūdnU0͂Rӎ`}%7 xk@`hT-R>tHŷ6ᆱT+Oh'|OaF|K mXVI""&I^#;}[-^Ӟia?Q0LЖAû]]˪YM)YOdCҋ6@,1Fϣ@{Zًi,[)ft|d_ᰰ0&dлa9v$1 =O~AL fk7%|4 Z'=+K)y?(\%F6ٟKO#qe][8e/s\۠#NV{(!O ➲ot v9~lx(I ^8A48&"ۜ%gαAJG z:\k*|fAzs$2Q\8;~:A{ȷpwh9MW߼{ jr6@(kovʹdtq~x0;).glVKҙȄ<ַYrU^yW+n¼N1V[.S?{oq'309]gM_`LWvjpr :U 6J ]c0KZV,}6X7Fq[빣\_V ٹRjyx?Ş|8ڡzk8:vBcΏtTD |[]N_M']&h2 jq唻|@CxHӏ8rsR*bg(25ďB-?Gȳ:R1KO e  0 09_^*c-Y* ͡ggxm6!>4Æc:~* ҥRn5jt*Cw+g@sF%1~96p:QYYjo3oh<~Y!#k0W6t8jF³a# fZ-RBk&xE'WeG.)'{TT'cz7b&9725Ib"qdLI9 y@o5`ߊ=Q=Y1/GJhcG%VKF"M3i`,' ҂wy nwl&|6щ^ 3PeK2}w@BY@D/2]V_tDL-%a<6'G!-ڠ?~?6$~V\I`m6S2.+t\?=|~amن:"WKDvz '&z[4g熮)3Jx :5]}0ĩ\ y?p\FtDmw?mג0?B;ȟ%璕i^sO'$i0lO_TQת0+ܻٔ~޴ 4m~'|)tj.pLw-UPNp۰ 36dV !Ѣu.$x{e2ѳjœrc"%4J1Y.{?de9:,=/mVBHoZFq7Dסs6?^Od|\W1?荩=O5Ʊ'uP'}]Aq{ٕdxר&G2UVkb6DnJdגa(4mTg&4[??3YlE,5H_3NmE#::\=ª>hg+EjK6fYcmMuW{hU&ȳr o|'e(C|LL?>@7fX֞^DM Q@a;?P4BCgxZ'#/P" .d ߅ tw\sv^$_7c~?U]`+n5՚gQzK{'2&K;a1tn8hH@@i_H#idgI]$IQ5Zlhա43'\0G;;lP+ ޓ,qh_GK)Cp(40Yv+]w„.P{Q@„'rBX xb7\-]χ>!pBSpK߉_/!EC$%[V#Bd˱$wϠΘv1 yxg`t ;M7FuĔ P4VZ{g] \E!v*eGR;:K?rt;$ vTNRxqI"hyNtz"ݡݯ* F3RIV@nGD/NN[nrWpd ƕM6Ed״wCmju/./FLFv=,zv'#v58gҶSK.M:n37u{2Xy#53Y\BUgWD۔W~!vyc֩g6NuM(W3hj7ͣ~ Yg2"MuEzvNJ2ׯc姀 +-YZM!!-^pH`ІE}:vʕp9U= Dzv\7mH^kk(cf_ 5:]Nh#N,\i玗FiYa|p̨_ 43cޠ;9~ 8F \2s38`F.6.3;ڳ\!9ga%vlԳW &y/Z [=r $cD""r9AT( <{sn>eJɥqufgirUd݋[;bBm"%S-'p8DQ'j儠>,!IF $qT8Y蠓Br'"p,I34όmKdq%:;L62~/|0p3!z9C O^+ Mi,5lByy,Mt:r[AT-Ck]ťlvl KW^KSr/֧>E8PFNl70@-)tW6w gZXcl3p{bMj,7!+<6d\a-}![vi SUN- ȌGĢ}?dm~S܆ʭ\iRGG G5LjRE$^%%* gZrWe>3:]]8XO^i lz֎_P4rMaMh-e>FSrWL;vǩٴ;v?,3VwEXZ0yk6$K?/IW9 *fFecaBomskjyL@i,%55sX|EW{κ Wjy*72:xv|p4O :Uegn>j>֩;VqwtchhW)`ԁտAVĕ|)JZ ?V]DĬ*-Ri+{SM'cY?@inɍ@[AOXH=( 1(+B%$> DcsG"׆my>ME ٙI3k4>"nvzF)zދ d' %DS%$h=ǷLA;ˆX=Ucb] :^5==yޓXq8_(/*&c12ΈnZt·%=\8ʚ՝O'F RӍ.G0Rť¾S3v ٽGW vGMzTPO+S.iO} a?pVUWr̨D2wSdct۱3A N^-ނ5!N^,DC4F Do TmIa`qq^0_R+")"(; ?߸O>JX"OW~V]JcDa':1bjΫI>2 V R=-BfG h^U1BhPm~ZBXaT*˽Xx0`J̈Z50PB"ZWL8>y6Dw\' QvV1#1#fKLdhOɫ/nP~Q|j*ݙm$W-]*%V֭܄SNafG;y; b:6{;čJd 82b*+-OZ/eZΈ"E9}^(H[˴,kobylEBWeZ8ݬŹ5[_b{o$MkF(juC4F1/I AD" ·Wr"t2k3Z ͸#Xq*O6-1}GNnTzcja0qQ)V"8Ubac@ 9 ս ŧ!=N~a#f($ pipn.^#xGnwR{OI$6b cf*Z9`*5"Ac"HpCb-?pH+(J%G{קO˨96Â!Fq T>0Y=)kJƔw& LLEiK]k$Δd?8uSK6تS#~ܫ▬-rQ /~1Z.Ǚ@..F/)r٠M WPKR(Pۨuk>Ũp#Hm p SC`{ǣ.N%obM9k/22Od;ItocT̗[ q:VkuRG\!7-jV95N1W;u |{jӎLj!w!}Iˀ~v,1\E8O8ԜhϺS^O[=H\റT!^0}ϛD~=pȨSJnIcƌVU-L$}W\~p!ia6GM͋&R"Rً> ƥSbz^SXA@7C<:@i ɘ{xѸGEÁxz@mDӉM]>օFD>y0g]msfbC󫯨Ȱ$Ѩ]V )I Hӑ1$Y"הmI5h̫XQ|c#!)b }$3a?79I-TV$G I%mB96M0_ꁝ3:{T V>]q2=A??oX+T>?(_sXnʣz2kVb R&E?s  I;KsA]O={Nh,L樣kbb7M0r@ƛ)Vr9Pf9JB{C] F1c*?ݣ:{Ψ : ;{HĹLr:WS| <w^C_d |N<ӃwƾrL47:A,|DVlbOalbM5%Ka2nˆwML󮌭>+'y[+-Tia AaO>oghcC}`սm6O秥vWSwXU SҿcA³r X$=f>3B24fߘiB=R@KyGs.Pw^gFksL"nWV,Pq[ r>@9a02(`%_f/k!Nohˢ8UNlhb{48Yǘۤ;#ViD٘ Cǚ=5l= 7Xe6Dm CӺ`n(oxkX$`e ߼YfBوA*S>%M_DpVga VQmۖUQ);~n\Yi($!;/) 5t|l|^p@B-"ekP)‰IJs&j<^^5=TZWK!%ӖZb d~0m`?;4?A~f ~j8+XXcYz zpćp^\UvFIK{f6 iKEg 0c֘7&._sv#uA# S 迵آU0<:z$HyiΧ O팿ETd=SW\;(E]Uk3xB#s>n}> cg^^tT>N)AT_a<慵m  Q://f5g{c+8ڷ~ITiK7x㝝/3Z;zryLJzmZ_>뙾򁴀\a%,2٨pA/U&2>06d )wd#k\j8#\V:42+֠$ЩpMvxRzC/6օE=E~t+2=X-ae^{uN^iC>"~P  3MQ5W-FxrCkJB&Pu(0?v<) Ԑ}~]ƞsEӦQ.<Կ͒#7RU+ #z6çӌ+ Z[ݕ)D3f_ )#[2ЂBىhgҩTT#B?V>M]Ib.ȆR @ />Sśv$nAuEee${hЎz~n<Q!ehSDH:BaWY(zsƯj x͈Ezw8\4{oQ"GUIcڪ;%^(tPqAA%!m6(f (P,CEܞgZr h8)Ŵ*螘{Dl솾8d TP<Bbj>K$E&A#~`F%SFL$ZB8(rOnTQ;kٱUQ|#R"mDSIt&6Di< kZj3qwki=?\a@9L߄"UșMJ:n񂉫Gq_īRp[+;ev(ʭhao C]f*A 2BVL %喙$|4vg'AWwn9pBN'ʾ! "Di+Ss/Cm`!b `5)Ig8/?B}jJ l2 Yt!֔>rK:͒jsy]%}Egu(iS iS쳙OQ#N̼I)]#fð!# d\TOD\uk!~b]䳑©@%C;`C];t34KZ}R{2)Tjl 3׈VI7 1)r4ZuL$~=SHۍq;3@b9:"\@(yx;;cu&R^q -lNfy0$&s| e~NJO 2l^! 'pme{ z6V7֊/ IIᆃ@]l|o ] Rt0EtrISuJsұ%.;~b]dTGPKFړl s^OPAZ]hτ^t*"*>#ZN>ќr (0޿={=ʔq|!Z9t˙@ea [$ү6bCioCt9.+z ^JYҗ>`w(%mc !qaJ^ecqEx(-\/?T\FePub >Yp~v0-6bC6m;{*Tq5J|]0װ_$z` hi%:3HHIʳGkA3Ũ)•A8ǃ k]A[-~eh{>7x _tDl0k:OE~oԎDt+U܀ eZd?W܋'ڛzC,𡸪͵&&^vJE y0LoHtۆ܍=[tz+~ 0 %D 93VLk"t<<9Sr0a^ob;! m̓̚s+3܊īHjG{rfQf)[kx/mU}]_xx}cOՈFU;q$r|ߟZ=7 :g&>=s1s0ЮIv6tpE yc: N2]摏D}`Em | AӔ^WlU$hpzf89Q[%Kf[_H~pc9>#I5&e%]Xr'({s.'>ZP+lKY~|4WJfULO0vhRH8]e=\`nR6^R9TR]cG#xLdwfʷx* "p{_ OL)o5ftKtƔvp9h O=nwRR| q}2LKDα0G 7&0ri]n{bvYק#0NqQй"!YY30CnnnA ASgi̭yDkm 7$Vb"W٥!J@j|(MMzrMf4 c16 a[=Ay߅X 1WG#e3HZx- 'kzx`sہVla|䴎Ɗ]\wa,k _F6AA]wYqD;rdס޽eՒF9(Si.aI7=h‸#,ؿ>2F4,RDxT ٵ(7ǫ2? Wv25R n7Fm=?ȭ${¿t/_H{*HBۯY2P#&'콱3Ly- nN%1}> sE--{-a=)8pb T}rO>On6qg{ΐc| %R"(=nUB.e8!1Oҩgj )pFٴџ/1s~ueNפLou}K.1 :m* x! k_% 0!\zo8Y{Aaw"bFj>w<ܭE"X;_h[K>j֊䍃h*u*|E.wߤ{Gccd ن >s [u懲4Z$Q!JWCPf`իJU6+]l9MZ + P{P#lh Fַ(90|x>YHH'mw8juu i+M%l9:Lzӵ^βgJG~JnC #;KҢkV-YPr^h +N uXG(yhkXBχ~dSfb33g=«1Wė|,t>h"`7/R wRU&eS00!J\vl2hW`U ַ*8!Q٦9#U*nPhe>75?g XٽJP긣JL(h̝jSy hqӯcreNE#b@GS4:<"P&r>FhT,Euv]?@ˊQ-K]%)'yܩW}ǡ=ތ0lHY'p:Bi7N?`H5"Nd/1(+JԬ(Cu&tr,nŏz &yM& ޵ȟֿe$JcM.+< 0?Ϳx_Z PHWz*EgY0,ADkxg!y&4@Fc ^J}(_wjB#޽kN*0Xs~ M27N a=@QQ.b$=xLO#ŵ;72hPMf(p8MglJo=H+mХՊv~].֥ GfХk"`)?ԅx%/ ½{RMzg DT!tI֭9)B\O >3ܼJ/jH|_k!bj/I[x4E!O @ʉY̵nf^b`+ N_MjGԩJ)ZWgM$RA-յO0u G‰lOBFbgڨ7'UjU>&̣qU>AkU= /V+3b81 (E=ضBk\\Is7 G?Z3^85oϲ о}Gj Kj +(Y|A~ WwK^r>V}&ف ,s8zˢQ Mo"c&Yo8ng,p uV٭υnKbt#nۺvJWɛP7$ |}s&7@,Kg[ xʺ=>~hdt)&n XyOڞI1yH]؂UY L=86(Ps}Nފj48;aSPS>7 %OɠMC:E=:fg=+8ZT\߰qBcLGdP9ơ!clؓcB7 ^+ɵ'9m>SQZH&uҡT#4}`ׂd"mW/\Si`4o4{C*)ILe.#vk{sNonm;PI$e=خ  \4fP{zwʛH|9c+ƯoxԾ,̱UBVT='j.V}F -6S{T:iu{ 5H*@Sw*X".9Njqqf5^$WOaU~sL/p7WۣB(pUWdLeWI!܎axH\.Pd] v0_N~Dž 9q#`aosBq*CWጆ[l!}#1=( f >ⴁ"$6șK)r?4bUSps)vq4oV.v#PlfWLWZELi~G4ىS3cA ?>aH#"M1!=>5JPܳMs +劎#UkJI”m_ߡi~VW.DYFM+DA)4?cZS7"=<8`?.Ʊe9R~0l>WB_8prZbUVɉ_J$[¢: `aN; cXOhgN~ف9PlNr-*uԗޚǂ61UJ'"׹ "J*|i_G_ΝtoU*H*ҞP^a O$AurMVΚena`"ʘ,7I?LOhq8ߍ}RF8e87%n6 -c,d+G fvtR%J )|0}&FdkF/&?s17RΚ.RuhV'pR kƵay(j8ؑ hy3e31TYchfل1mlȒQKjsE֋z8Q@ըuӽMV9 >8s0B H?wF}5)>\g5t*O<NۑK!,9mQ7G,6c)$6\Z"d(aj.9e/5C8i҆Y2k7ORf((u,>f$snLJ8KS~dyч54Zˆ3e!eklY{SS!>MN`_DZmK$+,HJ| ǽ)mVP7:FF"$GZqܝ?mS-ŞJ RcΟRogБ)A/j^|/>B\ u٘Г[6 B5LOK ڕ;ԶsVFp Y [U_]9حEVTHF~5х<)1 So̽V#_:ykءA|]`#Q -'b*/'?yOj2I9 C7+*A+F|TI?oW*/8YX=ap]}n(aObIB(2nKB}tKV{yB+tt*|~ vr;jԂewz_L!+(?Ė.NR9T}~^QJNC_^ޗ;ijcU YGfW6"ϐat՟*g1;H-`5ly&8 8`'~QbBM 7!{6aAѯ?sR65ͦ%7VjRӉh (@ݲH=dg6urmf6@v&^s f)+r̂ LK6ZH PcFcZ*&q-/;9jd nz0.iUlA! z4䍈#y@a:wzEַ&yCe9*yH=TA7P~,iAkG _zx`4ҋF1 D̝&'fǩ](F'x4ܢDJBzYCC  K2gp.BsDf;fV0V?RC\?Ƌ),.FuX1l{z+cSc&2 o;|nlHDqZP˱}@XmVlk@X^s-㶀k{Տyt ۫=jv:g~`Pʾyn76`3+P5z_|^R*qspoLi1nct J9>f wI{_}0 eIXp ~h{5V窖%aGY>WC+IHօ(o,3*)t6Eo4 γF֨6ٱjF'P,-?]<Ő[ʹV4rZ9%å f@JxkoNQs o~cjꠤ<y !dg!8hd()L8۞O %}N4kr,  }nsD73Vcx@k\B:>9j;=88!v!d x@^9qAi( )d<}`{6}[ҝۼөt!6"V"7u^ؚ#^C;~)[OR`#|Wq17"ĺCAI+*~6&6C.LwfHҨ[X݇NWmKظ>:E?Oc;Z9NDԛBM>m=4̞# HBQDJO"3 Y)Rz`78&#X$Y)2ӵyap$Q_ #ᰕtPǽy">~ot,m I`o :eVŹ $Fkktd}Q2̎e?t'rL~N?U*?A7X/U,BP AmciČOȄSԟ6YU(u:s:Hܴhfs)PUuDTG\ԗv̮f?wYrw ^ZȗQe>vssMLˢg._7'hqIGē@^6^ZrW۷7=aRax3ܑY2^%I.Yݲ$2ҌhL`9b M變THk>/GD_hcTFFifHÍ\53!v}d<4^pg 5I EBY*7iuzpܿtW^B{vK4nN ', N!7~ʛth򂑔;Lږ&=0f/<^'b,|MMcjb|6?@~5V"fBբˍrwԬy lJ }:J&Q-\j6P"LDNQfO:+(*W/:GQp2Mv;d=+`Zz5Pl<δϥ!牁FQ[K6V֒ {"ͷI5v+az; {_'dr:Вv ɒ1v:U_31LUTBػEadl*S5gU U7wGUr%EĠƭž' {H Gu;GLZXͰЋ{}Ou8"j%nXZz]\s@,մPZ9V i1 \UlLsǛaLRيt}{-?U-ǧ<֗%Y%ŋmW@GޮǴLAlŏKn_V삀mXTJ><- 9F,=e{GZysg)4"37QbV7V6o944䢡Z0ۜ-^P[Cs@f=T rmɟiI~BrvEDQn-/] -EB1oӰh~vp׿_vo͘ 3@~hjc`bb6Ψôzлk㡗vQ+\IIOAN~D² '|UR& w=* 1(,UY̮49fґȋcMҚ5VS6*ɦl,I2Ӹ_p O6j^_i}7x@)V{ mCJK*eIEup,en2y[ MԠ7n{ ѯ{Mg;b}BH\P}SJOH vM{/ء=s)Y};2)@λhs3 <*c vف$حϢ%"D+ތ}>ăAosZKt~9رG"XX ?^b *B71YM_0C.7&N7%<8Ү+!vGMJ)w߇{F\%2Lu4zH/Ev}ӑ \*jD]`TE€&(;rV;3mjR?D4.~kj"1(ȁ)Z ^OE8z;N6O Iߧ.y mf?!ˑ?x\+6 mzu@J\M {@ J,z*TZ_E?Ś{d3Wm'Fz^cd[SAV1)؆O4%A= PCxZF\]Q WpY Fjm=2_cI(E#P8-E&-I&m5&ܩ+m Xqs4ACGS-ޮPF'Q'4LwcP+ “Y4RZ:y:NlK^kv(Q_K=M63yAaҮ:Fiq˲EeBFڊn;+Kg4$mv\+< MQ]0Iߡfc{n*8] G)! BV_[~c"lnK>>2d >d?Kئ6J"ssCgZ?v9i̥%!UT9MUnKγ򒜢CWN)X)[+dr3_H7{D܆_ OW@HF$b8'm:|G١(yR|#+5EI׵A"-M?<{54m8~{rЏ7gf@)`g-2 cÅZɆ(4cч7J:^2B`Kq|b [)[UW -,Ž9];!D:JrK5 )؇VGϛI^ݣv 'n:L72 n2 \ivhJ5 /ϞV _d=trBO億@ '݊0B!Vŷ3})(K<0 4Nt6NfG+_wXmuy_Lm)QZN8\4ڏ0hYU­&]ohBoHl_oj'$ ;IJ|@jQ4޿rXPw'L!g S"Dx{ [ H/ݶDP_N>{"Et]KQܐr[=sq&cO]RzLЯ u.>BS7dB;"V-?:Uc3[ wH{M.s^/oH۷}. ]qpbhYȩY=QLn>ؚ^zeyY4RoncYmT`\b"6_0Oq–thxAlTA%gr!ٻu2'a qߙQf(5D(}?C+;"+>qQ(-J٭ [>.';K=^+KV%$1{ux>FD(`%xْFd?F _ S Fէ,DhVW9F%}V'H-e5p\񏥟`8>KߚILTxN5W#W6T9|%"Wdp%P$~m&5Pq4v~pcYetLOׅk 6H"IgS X.DEX$L0(\ ݁ `3eĒI@v(+4*cx_;\+l fl9P $;{ |GrgFir_]b.u6$Vn!tfR˯G& lF5A؜<7$ctnp~h,MJ s_!$Ș . '߄H# ;N (vffovxc5`mآ_Bnkb!^(Jۦ 'Xm=[+m k. O]}>."@]u;&A_"ڤs[^0hNcmX !T{\Co}}ܾ^\"!tmK%>=嬚a;4?uR/( `~r2%>~knNRן}l X/]5 睖k~"=كJ>b_ųSi&0QX2mS6{\Z҄*4a 帍B*y0?C⿓#N-.:xU_:L@i$sG/U֬1iiΪph1*J byA{;b7鄆X32j<wx5NLF+h1S|]Gp;r&!#i>GFR,BlzN8Z2@Hk/V.(j;H(/~[ϢlͱtgU(AJG Y$M̈́=L@"Q[.,8R$4lo:%p~F7"/w?.ɱ*5 ϗ%ikb nJ8}¨NĊsNf'wuXZC vW+{y5#b04YyƈN/]9Z 8o.Z*uYR%"h#Q` O465_l9  [ @أwbg#ipcKƵ*)ZCia;_@..}D+9#a&R(ٖ byZL 7=2EkS*su\mv9V |UN;MUԊD]?3e~+H&Egَ< vЌ fdpJp3ة& 0ʷ5Um'd@njGfz 7#3-!lzvYn@7:PB$q$Q%]ӶE􈯃"r%!҇˲^LfF 8 7P*'K=9D ^w-h$t*E$!dbFCQs 둢;2?(7Z] ~.2$[MdE@'}A,8dblH1APX18K}q*aD(3.s^CUphp5Sk2h[8nzRS>E^5S]r(k0ΟI4pOBL/C7:35i ₊:?H/[xͯ@Щm` rŔWZ=&&s&6sgԲskwPoo.jԣJ z5qiasgB^A{Ygc.$`^D֫ҥUڿ~}CtI| Uj'eG6#H3z5^rw4G[cF3^u#iV4ܢ, l骳);V=Hk 6f B&1:M5 qq${[2-1A-XU69WZrpJu# B+<;Ng_= 6ޱL?655|<Yʯ!5d՗w@y;^慂dgJʟ`~ț< CRhi""3T6TLq/ӥl^֍_TOO9)I]{!=E 0#SԌ nG4DV|_vzo5zj wDoAhyHXq(NJ2i@#˞T{L7 |\2V:V$50."/[qb둉yFw n${Mko , nfܢ#EhmJh2I1Js=A炬?c ίt,LG Ơݐ~?4$iߞK>S38J;]'0,cǽ:Y,Re= 譩c׻]w N"r4~GUM"dK?5pzshF}^cn.5si|m. h؄_/_P킘!]YͲEOJ*W)Rd nR>gftB?PdRmߵ| OD{P) 8uq&  ?huޢDj23tb@^e>]ԤnFƷa%/!* U0 YZ+VNհ$|w峒Cd=.5D*fV8+"ՍdJ*>D+Ɂ䖶x~K7B}G{ȣt {ŒLd|`QQU*F2 D"tM3S{Ȩ@1 Ԡd\IBLUqF%D,*^ly>"Hd$ cH:TP1_ʌ xҳdJx'P\g=SOI%i< p!zbr)tqʠXԯJ9u5rfLJ7( RS/շB/t?oOiG0tn!}h |(3?2c>W`3a8OS[(",w\- Imb3 Nk^F1IFh>$4+57aG^1YA5'kJӈHjqCD]bN-|-K' UR_iʧLDȹo|F~`,PtҎN2oCͶJŭ[2/ǐDE 5nr$1~?_-8r}pKi`rCӥ(1)㯂''B-9M%T(*ܽq8m2Tȯ=@,x(yq mhalPjq-Ȫƻm7,z*!1Xԡ9$S`A<.6^tfG:ˢe̩~?HCיkD(!Y'xy~xv4%^[xg)R 'H`V&;Zw!𮘜_|w3OE.$FnQ<ol޽κ]4e/V1HwF擥O;9Cx8O[pe/­^8< [Y$~9dzD!mf+?qL̋vN5{!:. ۴Pw@pBw ȥ_L@i1+qD@{W>Gh۱r9 UKFi }`I0Vouݏ%-b@ pwb.Uڇ4Ao/r=]"Hl2rkI)rxC'}Mpdȩ8~K]rp /e,ʭK;fpw[H K}tdQw4D&o:^* >nU_+c,UapsG,|  *+K2Ton'Wd 2EbEvk̯B,pH,i /`2S%8Vtpnaf߄zoiU`')ƕd/1GHYU<FB*+YΕtnVWPy3m޲/ы!dqf+VH@ugdCSwåkZ-O}k5 MAld~2ggf>RXclUpQYi2ZY 3':>~h@Mġ^h&F1j Jp'}!x3~l |-fY(US?|-ARbYQpT(Whd`lШI8#09J'o5g<O{~cVnҧ6ԤyIH!~,[=Z$mT"ǏA, 5FV#,AHF@Q }w MJ3q*Ќt+RYIxe6D['#3lFO.%?`Mve &H/CsU6H{`|ODaV`:zh6.M稆sRnF yo\r5l; T_FlH Q¬MED]SgMQ6v mbW$J'xC!A }+uMEG) tBO6UG1[:Da󭭝0D¤|qL UraRjɩu0azQ1(^?nT u->rό-WcN9@1ƃ?lm.8ջkqQ=mWiMs׉+XhYp/ϊqB%qRX-I xf:bJ ARձ >[`HTK団PY3.AwcG zAZs6ݶXTiU2f* d\!,b[GȫI2I~W\% (H=%gPfn?]6W||_rSXFOQʋE@b:|o> (E$9}LPV-$Xmǭ$AoJL=,odXng>J`.( b.B 6z;&fx-=z31pDpcisհ;U n)*Q-4CG J Q鼞6Re.|*iSWTB)=[ k01vXZx`S˔ԓϣ:^tn(O=OT Aܼ&؂tEr;ܼuB9 YxͲl'XXLS?6[|_V0O:EeKD .zC7DƚT~#Z2cLvK |N{=9ml\1V ;(: H|<[M?HlMepYPJlJbGAjѡt,!qz|wa@A;O-CI ;q&5(:5HTac X߇mAAّ']jէQ^hyn;)D7G5 L[O|'r[}eϺ]bݜa݌|HR~ \_[氻OP F![j`ό= F:ӉǷ%^C;r9%`l] ̒b< hXW036Vqh,\ q"#aUSohgJ(05؈AA'Ɛ%)m6 hMГݝxJIj7l =wP iǕhaD*ܞ jE*QIǂs'0Ʌ(BffBMM |QQLHNu.겡)4f뽧#D`uxٰ[܃o!e^.5]逧s,%A W7} 'vR%Oo+{i5þQvʶ=,x}Ȅ[ڋG|և77J]Z,\܂f1g[)4Bz>bWLzG(mOKΨڐjƷc)Ip͏ e1~~A /`d" 9*/%@J<7&*_W_/^uS6dųN$Ԛ!b3پ698fG6G: _W>7ZB4kh/r6E{_M$5!a [Ħr!a g "sQT2+"+.$=3~4 xrJ͟E6oyY}Y79ʳ g j7Z#cudGOmVQ6._JQj#}Z)jbm/tHR $Ix=0 SI6f27-A  n\SՠkW1b퓔ɟԔ  6_^)O}.=`3:Ƈu:-[@}`! Tl`vM1"2<[}K"Y%{y Fs/ǁrkpk;`eHu#AX֜Ok>7æqHTؖ9#ӯ="» Q#>Of.ۆ":-Uq}{擓ϖu%4J Pɒ[@B:g 4Mw\GC?Ϛ6d2ֽ%I7 Q5E)"mq{N1dJ+|ʔ:z:h|,*jtyX$Qo,M-x)3?DB{=WQ)j 8 tkhBٶ|Q\$v;94HX-B${ǧkw%^IR;R bk5Bk%-闫'k`҉sݵg^Wa<,:2p`[_13Tsb֙N&ÝzzIcɰ}UDkZL)U08y4E=BaGCt4: L7lPθ㵸Ӈ':1J/ep|DUrޯX|ZbH 9fuG/=+~Mɂ@E"B ]%7~t$24hvo0ƓW;0ӽ\=#a -c,Ϲ4@WQGPU]GzetVE=vg9nQH\<0zhPLooX%6 i+ƮensoXoxX'V MEDp+RXr92$u"QjKKSiYxtؗl]{NVj8{|GS|*:βEfMDN+GbA|efx^l?IVZ^?ԧm"`ŒH=E1W[DHܩk^O(`{w qAbzm[>n #u[[f'Bo"#Ut;T̢{GXk]®UPt}oSWM)qH +%QBef(BJl};l(ze$9N'?F J۾`+[hoD«h7~nMȆ O_ ZM=UeͺF9<:G 6p%[z{gH\ 9R|rsش?m';Z\o;t<8%V q% i5DBԮbQW}tϚ=p0hf>=ypGPḯ> (;3=:܊.v.P;]Ͻɏ2(ZRB,dA[dxP*'bX݁9q2ʤKϤϐ}sCϙ`Nst7z)VemLs˱ ( AOR.ȵTؤطpa$s{&@ \'8=y>֏QL,-wf7Vn9tӉ'J{Y&Z{k'sq J-)cMc":$ X2.9 0uXh) 8GYҚv:ۜ֟.B>SQźQ%Z^/״h1Ljz_ ̜kHir*IO^cbrnz*3ᅨTǝboIk[+i u僶{OHġR }N•pX'aV^X8ꊭ*дeq`w;ΠA Ge #^l5[ti=CbW~3)˵a5gDGu `r -?!Euwn\#&veڵ+ ݥ;:cez54=˗@P:Ĕ%u,7:P4zGsQRT^KGIhÖ*)qwaf1U29]ě ;=*`c針0$W>RUHP|`hR_nF, $dz_.~`tz1V"-CFwH|cʷg4ڥrKC=Y Gw̎h*ڧտڿ]95]qLNK1 )&e[Ut)  Vķz:E:n_<:^ Ђ? ԙ(iOe7 /'w[DLT %4H>) rO8\oм,'QϴpӖ$ha%/BC`Wp&5ǿX=%ho[!"N;%؎'J8?Z wmuf(<6~;ϸ .ܐ%ԧi 9dx`OQTC$YT,}_Ŗ ݅pLXɁsdQED[6vWjw*gcIS!l٢c*E5弹/h +R92?w@ArDŽ)tٝnXħ m'[m֠CT4cC@P`U6@ 24 qT30&PQk-YwuWmU$м?i䶳eh$=Zt Ǣ!Ļ͙f,ak^И@OTR4 KO<'?ߊ[k?t(9OVM6̅{ ׁ+n{rSn$eXi`qiX1̋aJ>QW銉sWF=:@ng_j 'Z4U{NpKZ8pd Tǵ5zZe l0Y֨ڏ#A1̇l%n~߶0#7pP̙CX?IQ$J2+~q**@B"z83580vm}dqLX&i /Pkhj?"@,^!JEg`[>@zxB(~ҌKxմ!v)NCuqAfYރ׆hewrF\ϹKWl6U׳]6mqdM8Ie7޴Clw45<= ƞ/w^)FW][@a8 ȋ0 INʑV1|SMhbZό,mC)#H|> os%ڌyL]2@ +}Sv\nd{4aLJf7:()%‡a#D^@ P)ԩ `AX_mӔ5cm/]i{c LRػK72RG-M"hl'% -x9Ũ/kfեYϷ%/\Nx&{@ƝzWܹ?-{Xf&8ͶcOlx%!A E7Bȳ̎9!@O<'1u]T%-R$l*J> CB  ZBYp4*ټ[oIG#\"/#?ltLm \FK+=#E)X& Mrh@V,5n+h!bI+]@0aL KA.6!znvw[>vk*VLkH?C*ƃYW%ˡvyKMl;n*{Ϭ{j7:1c%N"M?/4ߝhF::|ilN̴=ksRDR{5|$xf&khՁjDs('{ -9䑭 9#\5mғgk:k/⁴r.(_,*ݿs2 / ]{ALv3X-_ƥD4tHcxʯOcT|"QX6=X_L*|p웶36;(f;`D@FO}v)1LNlkb% }VU``VxcOBZk~ LzR>" -H_LZǡ!R~ Қ%Syd6gyȰ@Њfhwj^P46rGwQFuC~?ċf JtI!wN@Q瓶q,uBU2`*vޖZ@'O-jpԡ1x>Tn)>@xLm,h y^Ra7ƒk2WQ#:ՙd9Z`ỈN粵bBmTڨ.#T#wB f6o1i\A^Z'[ҘUH!nv@ ~ ޲H3{gW(Ntyh9>_oG&?yw*֠sojM_ARh'v;Ĝ"~ ÉJOOyt8o|pD}ȃ_q3f::CA SHv|>ˋMy,L8B{؂2m=I|99ݍ,(mBXcLzXt!EgtsMaD%Û3yO^h&٥j 5hLzˉy%ҹ, fLt`A'?iܣ Jx3Mk\b9WuÔ 'v.C)=uX.;{+k,0_\kt@1+ M 5_4@yTF!q܂Xv]5"]ď8Oq2;{v,56gJb^eιqKUD?1x8qpeM *DGE;\q)8(uS%CcC]9$/u\}{1267<daaXN_參PlV`\\4x'k_kwwvDg]uX}V!SgCn ͺ[1@[Q6m36D۱"#)ˏl@G J/K'b1j`A~! ӧ<~.R8϶BࣰMQuPi]nelPCƤȧ1yFИ SQG()uc80Ɲ"o;I!T/]1v >)`ҪghpLKhPjZ?"f#Dړf,-Y@+9OD%9P8)KcЯm`w=p=kaTĈV}x̏]'E;ʅ.%$!47tD6R f,; |b]9_6?X%Aǚg(i}(-FNgt죗t,o!][0αT@>!Œh, 3YF#s#'.)aswdj{QNƈM* x<.0Z nJCZ++J{%zr+t^ *6X0n% { ~vi^&}tDi~V-06u׋=CiPTzkkipqs焤=d9JmDQZyZI A1ZDMo@Lx! 0B#4߉rhJ<*yhq_4ą5PdO9dw(UG=VPhjpaڸ$oh_5􌂤 VL=ˑLB ,QIX9N~Es{ FKW,$QI}P@H[Fj,^nGdZ./Sr5b}ي#mK?yw.6FFt$6C#x̃lm;c;:DV~NWӪU5=MƠ4_0{we2J}+8 vmpt{+,7:EۯfpKђ3CRlpD3Vю´3lsY7 [/(W'\.z6 k>2g$j}.ZcMSdtc:3!@ nj/ Tt1{L&X WөvyDJPs0X U14G_5wovƽ@S+bA,Pٖά'9!}o jR~ Nzm!c7̇N\Q)MJj(m6t 4zœ]Ld#>xV'Tcj HJ!8%FR^3k?XUg1Ͻa. 꽮@kޅ>I6!n= )Ell5Rh0|,k<5bˍsBkX`NIVO^)YڔS Ghi0<7aN~剐Uu*Imϟ^{G8/u5M}( HkGD_%׆X{\E #8D "N>/}HOo%3ڧj%P3>&'8l9f-M? '^/Ӏh`WܓIed"ywUmbLfpᔂy"$$mwZ J:P5e  -LEX,gTl7KK\AP"ۣJWT0WъUg_wǔKɰ^E>A׵GLt)>؇LޚaIP+U:5`8!%{h˜) diZU%c,|KbjC  &H}wnC Z +~ Y}`#~- 雘襴n<ƞhUOQsS:;d| m5]Rg~uB(ҕ8;%.A3PAH4% h2x =4?#ڽҵKW.R?Uk&E3 ⒅4;_K(|IB9( Cr5ewRScf%b^ "7; 1!mvq~V #m״dI$ꃴmFbt#*4?YeXaPk&gsڿvmcHO0Q%a*pB-tM*z:*;!3"5h#N >s|VPshX &B.<}W6ȣ=h%^!37ЎX x:ENR[C};Jq//+D`5ݍ"phކ^zeyB=ӂGD͛qΔP \l ^<|y,aᅀSvSsЙޠ>+GwRq8ʨ}؂MR82D橀-pLK Q(;Y]4?'6r:RW|SSbƤN`[ Xʿ= 7*ʆVt+.C\6U?5KYTܪurj?2\~0=4Y+9 xO#~[GJZj9Eϵ"X;~hR@wD9¹x׿3>:@30 0,(.ml.4$&p(%o$/}# ̩hpxGf=MkQQ.GI$ C D:T{= .ϧ:'2D5fb%] סE{hw# `aCor7Ӫ3=8OI=wqb}oIQQA;]牖ňqko?I܌4:u-CuϰC3>sP2A#Y͕ևmz|zs;!S.0gh}~``;YHY I}~klܪ9Imvqfǡ,'G_2omٓ<"atbÞt]K9e$כds%T[jZҚ.7ЃքS$U1Y}\1G̀R*)]f,2,YpI \+-u`FyQnQ,/{86V PMlpu+,0<}mSzZ3=DBD(D\Rw:%G(8ީ<%4bzNE͓ɾSB` V\JN5zeYJU+xttP]UjWjWaQouy)d7fkGy¾AJiԚ~孤 {ҕCe}Ryba㘪t+_H%U!Xic[<0\|_lҷ@~|zT-M!~vdgd> Ěx Ol~߱_~.& DP:!>` ,V$pSui0#52ZQ1p/tM"z(C(De?>`ڤVG)~0U0ȄƢXV'`Ϟ]%P96b.UH \vnDpYD[s Ry|>13i-S8efcv s8-@B>is3UGPnZW$,69Ɍ0sci,ӧQ3qx«®r6$9OE |nz.zH[F~Ae, 38ڠ @ @4MbK#:[V:>18YkX]|8)Y ^S2( t=Y.-K2 2U,\ek-N|f?p6GizN> .(H=~6clAd f!@pt}cV/%&<?="(Upԁ#2O\) DiT1%ޯ5SDv"@Vk"nQ`_wjА>|Y"ڀ陷sػ8]5G.]oN%4kO#ՕIɈu&1"MPgU2ňa؍SebmL^DBZ()yJCc. \MJ-;6?sM VGv@ =<9AkWK[=+ pDt@ ~WTfAD<}π֋El(bLo$Ee(TQ L̪θxLm'[enh=ʙGڍ(zv,sZ{MaqHX'/W>cXF˚ܐТ.4Dj\~Hq [4ٶk̝MƄX>ܯ$ N6&!Z  jMۅ&~~G= 89H$ kЌ7$Zw'0<-[>3 ,ɗCTK=qjg- dj.2X Lp/ExUYj{C trBdw B*" Qւ EK=OM<i=uDQwliD`!d;䄟=:+UtDaJ.߂۞K?KSח"(Ms}-5SՑI|W[8ұ,dO޼˦CQm/4n2PIatiiH|NR}h>w W/AM6IozQjLc1a.8{?,&;I6IW$*pFqTt1hdʇrhLU3t;F%bxEjP+n46^`܊Ql ]MƺVF6BCC%dOu?ռ0(MR<+_~ҍ^0^gEi^BQQ|)/e廓[_N%f:Fț(X7V~MKÜ oOi?eL({Xp<^6X>sԻ!"j1TMtJTFlFL0q~_}}'t>}A H,&ka)n;l~Q,풆]v>X,VI#[쮴Mb#4*m"ZM˺v,`4s`" |)y,8ŴVl;ICB lwFfJcUbG]ab_0L'/7Μ6db8us&[a[-Ǎd3d˹$G T T6qKĊ=<{ obL}^0xvՊ8@stm}qVAXy2R/65ߨxPQ ̂Ϣy/s>/qu $WqVD4  3': ndj/(6¢Tg*dSpmlGDpKR0՜H.Pj~]Jʕ?o|V`#/MúJ 3 uS\BY(rx/&i& e?2@<Gﻈ%Se l}jblu?gqsS / \uf&9YN#0^aeuK7]~ʼ³!@3L:[/]uS?dd-' tYF3a~ׁ"4S̡ 0('H? `l-%QP_0y*ߏX2U0lDggG2r g[|Gh{KN^Bl;5=j>E)l*J5) R7{aXo9C!2b]I)~z?llC@% E`cC"ㇽri K~N 2X$j`4GLU ]ݪTۥ#01oqίNJiBwRݜ*#t06v"љ̋;`I #*aL,x}-k\KvF"I Wg,neJVSak@r0FVܾ m@C2gL&(\'@_If+0%7 l^dk`9,A83 v^z=ֹ/&w-"gW;|t='=JtkHfK;3G PiKo4͵NN3A>A }Ċ_a0bLc 2*f”o*KXBwj%JNIqPQ f瑌3`[vvXR"Z <:UǸ8]#yj5L fOR#6XcUXݟ FW>:w4^*JRq4^\eOඡ/%6ˁ6Em$~-p ]r cCRԫ;QPnzs| WI08T6]=Ɓ6Wl=7? },Ue`)i9(DDy0T|O~@Ѷūu|x$rWO:sL1T/KRY9*{K]cymi*`L{!z5)dkan\#4^#o%jeBLm{>!q{t{@4&Ǻ/M C}ȔarXS XRv*6-hg7.;MB8ěPlJA1mR? (mUU)̺XFqQ}(qMng dޅLv exI]"~~4SߟukukppQFL[ɒalPr9Tکu1&@3}br/LB9B 0Pc}Ӵrg'Ŗ4=;B= O w F~sASA"wC LVc"+1Nb2TCQ7\J͖(*=՝2~ϐ<|/'bN]sҋ`^"x^=(ol0{%`(eWdœA^Tg8Bg8:]^PLH-kgSCGAI4n2U:C+%KTЖV}! \3Vd"M;떟Qe}(:!U ZP9*`pMta `) t$|`FuE\*~q{ iiڬX^qL/\j,V"9IooyT/uT0.41PLÛg~$1*weSBN+?h^&нGOn]vw2`:#L~Pc5߼d 'XIie 'W@R!3+O4b>NNZpz&qBld_Ey>>]ωP^KwdŁ ꀶʶB ]7aG].j9v윕=1b(%(EZ ^8o`ņ4J'1V`,#u,'׊ >$^-|q<ʶxo^]c࿜L`ݽ^-mg,;]` Ze)<`LM:6.X^\;1|)jXmo)!Đqp Q,Gw b`Pׁ'W7X7<7lE;F{b#̀BaDJKWb3ԗWќvlc. KCYW#Cw=Kֶ"~$tݴz}굍JAp4RqF!-LЙ/g!hQZPA;># uWn"?t;@ryV5rp5 ny# ?\7r;.^2H靗7ݳ4EU`֢_cEЪvsmR*-x=Dl'm+R[C{fJo/&dKv~gi,ӗ}L"o-aH+nK ?XAz Å񕁹Spgv-YRd} -`v>o?p1xzL=EmK%_i<ދؾefdW oPDZ JT&8LO^S@t3og2s"dۨoQe(4څ4NzL<YNㄊ/^ h6;[@^K%r G1>w杯 "Wq$>"CY+oWU.**u>-\h bGZZ3 r/iB"Z>4Ry )uN}/!*/;Sg3^f98"v!lKG3r|rICgLW#wRy0 tuv9Hx؃XǞ 8 \f@,Jx5uS`.#U ـ Z.< G,¢GWw2~`o0~ Byi+p ',]X֍ol(7)5%xʹpY/yf|1<%k'rn20ڡ)";9:WBf,b204ƶa9ahҐ@D1h%pMtt V`,ղ_9:7r B"}?F0 #S+ޠYxޠC-%6ٲ4s.> 3r2 $u~c ":jx[i9h R7w ߾c° 9U|L(AUQ6sR 1&s.܉b!*ܼXc_e =hEe݃[2:w|&E~nC0Uf~6>fX׾+6u.`@>o#:j@ߕ*wo#fSL3',C-Æi)Ebar>fS"Z+3lƮ_*$S zr{[wâ͓ y9٭Fga#i[cBrSPi*p5Ok1dtPk,;W/n e^J]hn88j1\>ܪ72g $w\>y &aBaA$ 3c_T4.ƒ!eHX O"Y k&0v)p%ů, "LXv qytSo-^\E3#Dm]h*7%5yABO2#3J4CdKE<.|d/X9s $FQa%83xFkZ@s][y/~%c0X2S (5GOHUĪN8ހ?0M @v+[T_RKV*YP]=O2d>yw/;S, Er ։hl'Og(ƞgɩP6-jei(cUen&2^cԉ`ԧGcg0 FM<%ɚ %7 Iy"Tk>!ͭtKvy58ofڠ?`y:]B GzVgwn%BE~'e(`kb蜧/ס}~8Y4([}2(!׏FÏSZϾ0t$gjHN+1%f fϮ<_ ْ3J(@dhUXb o\6oDOZ8g{]TД8xL0wNs x#2QR wZDƂuop{'\XC,<0&rf- bp% YW>xؐ9Z[G!2`1LL3yev'$delV)#z`9M^aoXFv9@-νқ{LP/޹pF457Dw8HSXu[3u5]INoIC#C*a4XN18x=C*L9BET֚UbxHs 9ϧ)S^W.Ȣl@ >(cjm9xAu~PbݟŘ%-y;'!"kvڝhhQcQb@-:~1(肀 < qw\ba%GI^gwFc8 [@zװ!d@$,xLD'ƕ)g"CJd4B0RwO*RkFWci,Ϻq7{g XE2 fGփNLeiݔj1{$EW W{OWo|:yTaEK^/deKbKLsv*eyvO{^'JFLk\LLKgcjjlA).=_[9OVQW*)A]擩Q$$^߻U-݃ ^.MV&q@l1 ! H2:.&8 *$74Ny*7_7FQ9 f0w-. `^d05S}鐒'Y0ng&ӟΟnPgʊ 愳2^6{F: +DUI@.bhLGbc:Rr[x6XtJ|X^ ) =dύ 49TMHM܋ͦihyF-a^Ze>"w[ϊG@OtuԈ\g!#L%]=0ٮMbB3R N㧌&0'@G-D'Y~ Vs .bW7נ/0&:V P䧣VMŘStkZ3O-YnCFKQ [EUQR Cow[&)~eovJ hs“S7ϰEBT5 QvY"!R6Tk ӄk61Gu]q3daKN\VhHu7 w3Kܿ5BK whͨΩ3 _0{7LBn3ˉ | O6"pP8\ѹh ]f⭱Ɏ iyeşh?XCDx\)K;,&ɚa@$xj R*ψ*ab5s8k̰Ab$HfvsS7 L+*ܶJR-]ytɧw$2ڀb,Jd}?Z`m27wlgéACKQO[?}$()̮KI+ew0Ѧ&}rjٕaPKb2tZ`Ut:z1r w}cn~| |Y6Wcw(+.'c钼hX gκ_24Ms^\לXCټv x\ݪ,B/&V\/g3J7\^Em?eOtCV7hRx6;7Mfv@* Z)a$KzҒ)%/eJ3 /j'dy;w%ՈnB$<wz҈o=OVn!ɕԞm; ^7M`*pσ(Oq@l0征] ڊ:ߚqݥ@cW6]q9pDWҼbgŤ,pe’&tc :7d ϧ &<ŬmezwrĞ5ބ^1ݠ,]*$BʳLv˘#3M`fxh5^X|-aO &DW7EwF[_DZSx)_%zeԪqy|x./4mXj~͊ z9,7 ВnlJ}M2Jږ{.4!޾;oZaES&*:hr:0kP8k{P3f/zHnFfm39AEUXSgx(m3},\Y:EFJ s/*S1Ț<dIP X!otn^f,&Cӎ tCO͎-Kl} /~RCtB RvࠤV v86sR!`+ׅg?%>6inПhI=1׍VjVp%]Ҭv\HT<7qt ZPT8M32> 2>eb%gxxyœR n@A$;4Yb枫qc[p봻VIH?q4̓_;vUK,ũ q}i(9N}Yl@j^mTWZbg w+SwOn0ʟe7~#c`jYoK;?B j ió^vUҖ,<4”s]A-}:(o08k!rCoIzo5˞x?3Qw(uo\1Htٹ9lz shN'\V JX{,kFGׁ0Cj\w j6gvL(֖1szl3sCԀ3[q{V]%2h0 w]7+auW{ fOsoBrfwyB@w3 %oM&$?%+@KJNA.F S3!ÏkmGl7HТ6|bBuRÞਸ7{IX[vw[D_^5ƨb?2i) 7n\Kd펢Zϋ$q9;Ch$USQ;gT(4NHljCto{7j` [a\-N%0k7g%F`O` NyԳ_~:zϨH3kZ\iĬ4bG6dRiPEM ,D <xi6c0 Ma1!ʀ6UwD`vDj~Fe0j&NG4K93voʥU>3Q\2jV62H QOzب@w7ѡΔwqu0YL>J#ΐk%}=a*W]0>tR p5 ?>GO\tw=#!Mzy|rעߣw&s_kx,)DuAԲpv4e\ <w,s(ѯH+Ubg g%L/~kIZnu;ܟCB6S%nq @wL& `NϞjVrfRhIܩ׬׀'ٟC%?|/QP>N'ۇTqXAT @+4vk6,Yc X[_ ;"H|q$dvqRQ#Ţ#uxPP׼ٛr)ov ɀ)M`"52`،I7s|kQ~ʼnǪ>֐"*z0Y\N)Ol^PQ^zNwĈhۺZ{I [VB&zӠIR/Cz*~uB&4fE`Ie*pb^$A@FLyC _pjP[Qv*"n88"e5&_ # Qx!J별WL>CAWٙ;,T᪔@]%Ņ쇏MB1 -/Kaoy?9V~7&qК5Kn:UE1U`T`4/.],Ĺ+1`/7&A~h!uD%!`HY![>Dɮ VIɔzc: }*ޒB9U|SG xQr@QY. qɚ-1Ԣ:Yp hPԨ&_'ֿs4A>^;'ْixzesZVMYwf@-"0]5)~y}ًQn`SP0 h'j> ) 瑽Rau%뤳GB1 L_ ^ o zf"6~k:-a ބ@"Pœ,m]׏AU;)|}"/Sѩkma8;Ċnš, >H )J0#.Pzy1Y$9e( Hw/DQ/4/d q+So<94yݮ;(E`қd_Ʀ:)olI:]x;`~쒈`:F~=Ύ2d>T_Q&rB/^FD Q 1HZrT 7Yo(5.[t\8rBz yMQ*4KΜK~Fv0 @UR?% X}]}=BjA]=oJ((O'i.JѶE\TbM)DsF]W`:3 I%A\v:2t!a"4ƩWۿCvd H!»=2O4技ϕ>#jzz:خl-C.% իy(߷5_0]"/(q4vo.e_6HHʎgua|+`<VrStC\X +X"&4F5mSwLK}|}_J6(tx/1fHO @aN KﴃX Zi0Ǭ"Xrw P5cyoX{c>g_sl̶YCW#ԙΒ4A4 > $f=CoFB`6ΆZZ2pETKT&6զ ӖmܡKC_S]ڧӮku  V])}Kc*hl!8 {wuupz#ORd;nRy3!cvu g2!/8XM_4@}\Nd◦uhOr]7 bmDO%CB\7~w|+=HNŞ7Ta' tM4Rma0>v|opvMv;qM]ﻧahs qQ:5yU_u;?ٻd\U[C3)Of{TE#z HKE(Wv~vEÔ8\ űAMpoz7ƌ<ƭCt8G#-mP`zh[3/%3iT^7}Tu2"ͣrgqa>UÇz"q l %v9gb<}Sx,"+_{k|w^!qҖ  a{u>k_wgD>E@y Ȅ B}6mn~  㴻Zlw|PK*IP:FeVfa,a׎KD7sTBAMap6g ]U" _]<2J1eNSI=/jjW'W;솭#.J~jӤ;Az1 \(ƛ#X{=X\ji2YC6]>" o,ݩŊ B,*G\,V QQAMD$EVKܵl4ӑ\wx:Zv=JW/>#Mp 9e9־eI?T})9ԸEm3azc 3]ϦN!fY"_*3I|n1 Tr՚xDE+գ4;mi*U93UV,dqqyf(*4/Npe^ wP)'Ie,g6:fAid ]U_:>#@8mrIڜD) h+D=Ac;c}Q~{<8Ն $''uY(ʢu366Apg$]A_7hon)xdW-ZW>J!?OC4VA"FҜ 6sz 4c$]fWak ̂i)#0I+8iMZ\|P=%/j){`$ؠi7t8YCHM PƅJ#R(/'be{_L*?hchU]S0Ӆug\!FmK ~j:-n6`Zy~TVuoI^>ڔxְ**UQQY-?(y#]˨3喉8JboggJ']v( az,{K-=|G$FcهϞ7swtoG^E)d3s~}*bGc2-UG}ĭ-JEɛXCY<a/!%I tuQJ ]W"@&ٻszvno1 $!Γ2)-sWL` d_f);PSeՀG DR||D J?p<'kx"쐰CḆU:j.w͗~3Gh)k>D'wE|5vI7^ c?ƿڬ*/ck < 헜" V?S7ڇsSױF)4o'Y>"}lg Y tn!6aoqbEgV(aOʧ5H_p _BxA" et!T$}a&8Smy+8%!z'20 ֢vq-ȃ\׍kx#a)lP plR7er6l'ilo |\g|K u<|DIoWy^EJb(>F]!ل]g+@.eѾO!:i*=Q+HDP xeY$ϞN]}=W)h9qWhkH?D{r6W`fv#@YG@\4 9,${*yBt( ^Z3`O$]3(|f!?[G l};eb7]cx ~17Jc)B)AW#zGx24*j%8O5ճt[9b(uWm܃C#ƍQNh̰:(NAz{qE5mtō5mK&<0o>,X g/[6_', BwK:B@J&~{7jA^xsRgۦ+DĒzQRD8ü$J``9?fˌ+H'NHgj~-o@ؒo?N3p&44r΃ӯ1aPO:7,/ͤn"KPMoY%2 1 pG\󥰵\UC|Z4Q>n@HgA ;f= មh7!_×)\)%]}ie¹8F1+xA, }OwА=n8-b6i#<8M 6F\xAs8687>隶NVm2!R=+=hu!"B1rpg]b[uiذZp6:W4[<{zJIm1 &~x(^dJmW@EtqՄ\{ga+Wi>jڠުHʳ8%wչlsIv]8C +SS i t/~MsPwDE ӋJ%BXC2 XzD:|P(q'w7fDO6y~SBWyV \/4bXU0*??"̒ZU7sD3TU2lBðgyuvđhBK>2%Aǟ[1@eX5?r]4Z"'τ|>2?]r \I\i5$%N *0w|͂m 3@X0/}UbuTZ@C݊VD>2 Aߖ>9q/ i)oU_cB a~k⌣z=5ϖ/%FlT KDFڌj%W|.TVQ.#S=ڕWf4ENX9k~H_+5Q;&Ȫ;)dCzm-̫RL/*#,oamh* ٪" /1EpC[ "OF+yVl!D`HwIP\I\VQShXmw42Zm=*gA ^{6 {*z*j1_JyWM;C緿QBFD~Ty?nTŌzTX]]Q،%j1{:N=tR-daӺϷ({>~"QDH#.LXSD\c;#yzc bgX18푅,qӜ@Zϴ &l^4'cf2` ͐eEc͓i<}GV'6t=Bh]:PVk-t~EGj v4+:Eb~܈D#ih;3iB=*LzdLo`9y} RvO Y Hba]>cڽx9|~pl 5PkXׯ[](N c)I=l&)e lK#;֜q|QV /Σ8`!Q;Xzȼ:)n8V&(.7J2}A}7Șg#\ÝE8yl-ˬifOq}r 1Pnƅr::d}[28I{W.4vi)UU/VwFYYRh(՚)XGO(o ]sZxB\&0?PLFF0<,4A#9TT^!,|)rWhuW2g-yq$c7;fw5S9VtB^V PSDe]mxVQD`# c?͏_;`ūi!'g?Z^Dbay߈Q^vt9Ew39*LuȱެBv :kT f=jsv"u |9$2?bE\ :%Px7!\εJ\LvCn)?CՌN;C^T RbѦLEvyMY˼j g!{U<*8POOj,/d(-߁i^wbU,^{ʆ,Xiw%_y\2Y5 ːw<7PKHhOKqRSkNfP>-,{@sWjYOj?ܻ 6Aнo \3X\IY&ڨЩ`Zvi9SsZ5@caj+ZG{z}*Uސ;kwW**`|{)C$s{F+eR@km>\-f*EbD[*՛l(j2.שz*RJ_pn%ě1`.=je 7dFx#ƀPאqGHޠ֘4"8$ /Jayb2OP 90'"Xo]%ƵE? =&?L)5N l4R?CRzmR`Nh+-$kCt@m'\Vr~28 nIDo~gN_iuHOvUoIH1|U^UǘoH<d-AK }j2}qñRȷ/PC͇:-;=w ]AVq,|L]]o?:]n*-i0R_ĚNxvӐBKW]J&h 󣂏&L-ms@r?Ŀ%=ѥ9Dz]IL::4-^ݠ٥k5yYt‘]'zwa~nG Nk5.bVȠo_Br)fPN ɼg+I`!xM7$a2(,F^LϏ*o{!z;18c}p|'m6u(+" lDOކCɁiu\- bȷpḂϜkgZ4cuy;k.C1"6N`4ڠܪ6p}3>Y}f?Ňw&Q^ՍUGV36O\1ur1e}͐ꈂ {.5]O^+|%SdA<4^8v>T6WT0T(G7CdEn"ύۮs K>%flB ݒTOс/S $bNX٥ ۏ3SێQ%ѱehnq48,co7,uđ&&FAq: ~8|L;f_[Һ_|aƋ y="8Ey_&ҨN=zܗر(aŜL7)8K~x@N0@Eg .`T#[/ y|Q[Ւ3Ɠ \<0їy.ZaᦷBE\DDxum5Qi6-qRL_/މR@= }{O^ݤP< ,bfFnɫpխ/ 2rn3C^\Y@KNQE: /٨yTc+OM/ ^{l?':#f&/N?Ԏm1˥1]U:)6S50؁.NKz?-{=seg̼}3̔+'xl|;5`{D%y!TyrKe}i.FG-pzwt1(gԞV\4u n}kT ;DKx8PF{~N!@q5ꚹA ?_Wvz1H|00%ҺiOϫSԼ"+8"͆* R;ԫ«8D+VY?2 'gԏ^%yMF-a@#z8ouŷLHƷ0 t?5 R 5tsj I[Ktm Rr:մWL⥤פP9V6Sh'(z>$CԂZ1}+;v,¡@#^ '+uHdevf9,d-<⭑"KBiXgI:RGz|)Q]/uO9s䰩l6mmAI u0Y~$pOg|wZ'ר {GkuH RTsrV$Q}=3;*}jl?O5 ?*vX-ҍNe_bmz 6Cze%U>Knq7;Kmu*zPP5R0z0f긭2'GֱƚM&G{Ζ+hb|)PߥyΙ(9$C0:RG"`;^@4޼guZ>^.)϶7.WtMl/f@MОDLMO rK鋐^,΂V؊CRr%żPF;劒:Gܤ(WTn4yuU(͒$1L|85bCp:?b=>t> Xx6#Œܝמ ̅!d˓))ŸV%PI7\9$Q(A K5 )nV.cf _A'ӦvL"PS>KK/j_Fmwv=$:LJVj:9/p r'pi&29Ixk)qCr 7ZNO?$ #r 4-&dy[o f:Sۣi:= /[N }~64mUjm0'ClS܎ыa!iՑT@ܽ~ \~: 6$P,gQf :]Jи=ӊ0-sDLS)aqjk#\fҮ.oN?Z~+@2P A*ܚ^_#{$a>Ҍ^fpjMug/40}0aOU{GEuwWv46ݖ(skwML;8'(cO =Էa=5iYDqBl:3♺&yhM^KBt|,ami vUT$GD$z'yʰ)O=}_#JӴL'!:(jL'bk?0ͨfVh6+o:*7s(ė>hKG,f`˱)hrZSRLE.m>"4R*O)LJ]Akw 9B*nCхK]T7GÉw-ݦ{Ő(XF@L0GyTh^jOH7KAbV8wa龻8͎ :3OiH;9U:#[/ݙ1a9hUp f`ƭc4l!8nENhnOKkuFqp(OwyҐєXFM[F&΀ӿO q]ш ]SwմA}gRmVAFf E|}W5^E4/{{E6_h6Ao_M9˱@fe[ [)a' aH$4&I\ Vp0HB@b'DzBc+5 G\ 69o,KJ>B(Lo[(T #PGtH5"1k@PM-ܯQmkh" &MQk̢v3 $T ] _k*yP{ϯ qg}g?/"p' !plq$nDtvýP\ks,v|̉ a6M+Q*j~ܥe D{p w8=%+JthI >FnP2a*6]4;.SGNs;Ew x/ 1e%=%<ŏ4@c'@6)9WQMi~wxG!)6OmEu9wo~H37cE~]. KD?$c.zBj OtI'3$8]o74pe @#ϰܕ:iYNi(;b2g+ҪZIa >ϔ bۛ-"c5s~3]h,4BƦ6BN뾻5+NT筙2^˕i65:,w/pB|`ֲ{]be3'uF.f5?FfKK^u} lmm$Ma#([qwwO470MjYeAW?ă,314 /k1qQPD`~91㎎;L?׾?^Zq,ee/M )WLS^F}|A4lg>!1\I*FLOwqaY(?ߗ_B/ȩ'- o󷰾]S}*բd\ yUݩ &O(`ڬsj;3H[Cjp f%mR/RiJM&c9\g/(pi4a+c:x,:J |Ǟe 0wb(5YeCt1TPV5C2Go:( }X6{Md#~xح,k ^9Ŝ8(>ؔ?G=߆Y3b!NWBα}a)BjkQG^_w*qg?GvgU[KWAz8 v^͗s#chtđ[?C7-E%'[VLO#9IK,C~y:#+pL-+w$ s]ñԴY!GF-h4f8ZhXpbM1l6)+G(z=07 BtTN8SGޠ2NbDY杏{`iyAry|?!LLJkVz0]aIk*FN G68sel ^HSk\p\Gxet5ׄcM*߼aKV1d E@!ao$\[)ʙ&CP'@:dF ҙ˙md>.(b ׼#?D=Q STTY 'ȜtGټppȾe;GUgtI9 zSy0*YJ&ҭI3td`MdUw4E)SCGIA4aw+f(T .nZ\=̻g>G\gfCa< \Am^ SɘYTy}X\}ӲBAAwa^[XniwV@]24F*^u)M򎷧q3?*}C@2ϑfJFrx C'SMٟNҐR+Xk q?Դ[*^r!P"ٻ}1G:s1Y304!(q}^}tpoL;zG01}+1} EDmĿ> ?~DrjNŠ=b ΥT?X2R)/bP:sO9ɪ-*a>6[=(Ĭ$.wK CVC\pa=jxE&`L0~€ g1<]hUUc{Kf6σot1e,;%8K3vP0z R&kԔ8++BZ%Wd!)R <[Kp}l q22E`j,D6Wl}剦z^[`p-BPïfLÇakފ\/jf[̃ckg9*͘&T[ߧhŏp$S[6hQRX]~u>mR˕J w^-nĔ3zt(tPPm7rg~KvSvl ;vͥ5.k{ hL :1ʹZOo8hUtt6չamKiQgZ-o(hY͋v离<xIȧ})0;^'>M5[)=2FKj ( t~cu@C .}mNך2,8CV5OÄ>VA-_L bk+;kb_NۀƯ}MӿS@ڴI|_34"rC:I cVԄ%DfP]vf1kb55 55 %xX&X#d-DD.ɭQ hs\Wݎ^0%?̎}r8z\bd(XLo,SDh O t [9ӡ3n=Z-).Ɛ5g|AKm'+4F~Y>1w3%҂*HA^ղKVbofenC%@W= !EFa #֕ C f b!W2hrAT;*G/u,gyG t,@ Do0ōˇ(Vcka@=@_ʃrM:onzc*X-Io4EԢcߒb.8PH8P~hLCO3F OP`!jHOT=h8GQ#+&n-~7NBqdD;Hv#7BQe˯8O L0[Lx:vuRvx|TnGZr[AR H>t,= ?A8ZQu5Ks elrԪq'1f$wRⵝQ*\qXPDBƥwhwwք}gwkKZ;lFtV.qH`H4 QgyDWHHIX5Y % ԩw:γp׭0 ^9!Z[Vh'ig#m<~ӹfg 9pXOxOeg^}W J'ixӞanUjsA*+9~f:jkGrE@CNEX8T P;8 㧍vۂja V [_QhA'{UP'hG2 Hi/*IImVqJ4:Ƥk=HK"iAm4Z.h[D!_ *qLZqɢ^ls EfeH~*]3Vo֕\TdSQ_!̤20iܗ Rz6A­hI^jV),% Iqv m0GLEԽ} mg}`:h~')0iJ|,r"ZNfQs S{xK[P#p e 1zX’( + HKdp2NGQsBB =t8@c[(6#sv#gcLw-hgMh\{}ڶ ѧ\b40Ǝ>Bd:D->fN M]K,-O?ʼȱ _јFWQZ&Q4>\8aV`mOnHR  ŨxSc 5,  ~-TX5Јڿh%&FaȲ 57Wm3ͯAtY@o,OJ@@W7)UdX1Tw쑯M5f$ /y?1U-έ8G@S9(~_DZ@7 ^^bw>"fP۫ɷf.]Ӓ1'"~ƈ "YY)IDPˤ>NWJp!.|i/ dt | DVƕ&Ҁ}#Egf^.eFe O'df>kH`Ќnq7Z{,ʥ@O4(^R>.*"{fɮ B8} NCH= JLjFO-W@Tzӌ 'ᘫm3^z6$zoޢ\mԆ?3XR Akߕ'"Kol 2 gC6fFhYFt{)}2Xfyt, BancvNUu>sj{ini{$vڙ*IrLx (tD-"|Ybe sh(?Z8%Tgrt)Pl!,2MgY7ib$"I6-D@XTlc]ܔ Z- le+g ymyH!Q*^ɸ.`5M0L,e7wN?({*ނ}OtYtzqz; "ʕfo#B^uZC \^[pxuZZ\b2yب-mԵE6? Q#G;VG9j趞8O{w xQ@f1&̗Թ$<)aEx7{R#/,z,xh|"Ԑ#wbf:q^޳7\̸4SxU`x6qO]\e@rs>ywT#iO'X$'W4vل\_b.-{t4; p ʄ^7j)#A0DVRVAVi,25JpMn{K{io*ͶWH-0`H|Ó"nBa#-lf+ &jRkU!y,9| $7QL%9;w8Om!Ebʳ Նj> Lcd%0o\T4;TM0X+ ys8*E9mu 7/ݤP~#rP5@+7"o05S[-膩k0*$q9" \Z$S"&PÔЛJf&Ol,k?&~% MgFn(Myg.a.YafP݋ē=e%#w4Ƭ;|xd4c~7˸$2d]#*͊1q6F&[XZwF5~h[0Zb!(9|L~FES+7_2\)TFÀ v:Ks3B-֪S<߲ 8{4WXpZvzy(17Qfa{.熂06yCJN# bLբPkx8 '+AX2M7dK-48?MڒLߙVE$!$ӿ~,X3?iLtq 5"8)`+|[> EES.K9H6B$ڛkcpwu'\)òM5>|P|Vu}Uܕ`K!f#y@>W|PBw*Eu4/jTXf6͔C EV={3\;22i %Zز_H➠wuV㾮[wAґiK%/$ yi'e` J[_e+k8Ԃ#;%FsULo²$D[#:=˺})0DxFbF)tpSo.1$FU>':K6.lPrC+ץ*FZ"&, ziwOx((dN^k%獒_dye. ۾:SP,[Ž`ޭNCZ(2%jxQ"Qm+82Ȩ&{Di07Jrhz"I|iU85F8,ky FJI85 jFם<w"CMݦI]ԑ!o3F]{o_R~ Xd wNI;%E@3+kċ`1/ c~|]kt;p!H p4Θ<\C(泍Q^AֿOI \X?/~`">'4nvz!$] M+ّ!G!~9I qa`},SXG֔Nmb.M`$TDk*m؆[O!UHg*e?O¾ E;4;xoRD4Ce.bv3mjJ Ȟ*U4le_2mAhlw9 kL9A0D^3-j#9ˀ^ʹ~D Z٩(/"Y(U,b_Zg\+(~/XWz'g0 Y:> 9ELĻ$#M?EehSdS BasSeEXtsXK. ]IkrFƺ=}3zxO7Nƴêpc% ;E04 ;{]J'S;1%6,Ņ#abCE2[[ ?-gyzp;.j9T(R.H? :@*P"ٵW?Ҙ1X-F#v(d =V QCsɭ#b TU?OIvePimЅ챡tfLp˶X\d( TI 5 ILP(# ”6{vYBeybBI⛊V<bc+d.64!|7~*x㮜,rH<ɓpj_m1N)a lVI_&Y ,L=؇ޫ!+*$G` SCnԄ;V f5h@+*C)DA帗+hChbfdK^?sjOQQ% =+`bppߕ"[qFf! hpKoPyѬܯKvD;W9\kC watz4{UN+}U8nFHrM`wx|L PQ^<̆m4)i{PO0Z /8 #QٍRkRn*v4ddȘħ a=i,opK~p%S Zg5_ ,9SU#/>{(У\8^]` h j% Jd0kkޤxk)lګ9^?ԊS #)˻EECVI'@VqYwTv+b`N Ɇ4֟4nO!d&uJڅ*DV%gooِW @JVHWNLvYˠ?6g-4zm`K`7~!r 8ћS UkraԌH6?P"+ꖁؙ[(Yqst\T)O6JҜG֕ @䵡\9)O#L[X-Ҥ}1Wrė`iGug=Rnžԥwxcn{Ub=!g>rt=RDscܩ43gCҾf+O@JS;NuKb_-J]92x@܂gC[ 'ƶS𨓆0,ccE]tONq0"|6V` mdž+s#r'x- ap {RMKd;NąV"?Hֹ|~.Q2fS [z)+p "FVZ ϴH,6j( eOOu"}HZCQH~ sg}o ǭ>TW%nh?z?Y o0u(֬!lcPDJ"d䒅;1ڒyRHLY@drp6gU,2 w`t)½N_1b)=ڻfsʜ= f |?_Z[i?Q1|N?dvLٷáq*y t]'#Jqֆ&fdln{]`y+Rޤ d‘&:+]_9PJ3[DP&@؝-R DĠ2#Ft)lŪX%"+X:%1( 0M ;Ka |Zҿn-ɪ~uRXY-L>CV{pu38k߃m̓ohmH}g*ÙAC"n6R{q`>~"ޞN !t<(~(_ܖ47L .jE‡9p/U kʂr{M==0b/Fb((|D%Q$%*|]tD?lLOW=N `Z `,I0b;O>jhW^:J(-<-`y-4!J['Tu\f4yGjљ+Lo2M&SǣSj ߶j/t^_@F2kƠ0Y?kZ,;ULoߜ*Z*hL#4"~.2fݛ8^ 7QBPǪnc鼣bzxWeY7ERcd%Ē06nHX Fo LSV_"t_Wu| As;=NnU"2BY_ -t b#5*,YDRDxe`lgʳ`dE gve3!U L1ģW]4&lAI^@(/cJ6Rs{OO?H)#`hqz95SMDwp٬geHIQ[vC|2u؍(86ZuS%t̮ n>B ~:&Ffz\EnްD/|RsOeڏaNf O6toR#$;`lB&g3J!~awS# G̩1d|Aӟנq 쾠Uj\)䎳lɘҰ}>7 M#`owD6d?Ry C7xaqMWp`ٿX  s߸N3hEZ Xe.%2jZ̄q~/sժՅ v/1d3K\SɊt`.n|F9gg 6^x[.;bfơ.z|c%mk&:64j9zi%gP:t@.>#ܛ8xYVL[w$͞$K /%H}*6ʝP+ z1Ҕ `>!~0/,hCCmh.p@R54@~XX 7,6k-3Ru|z^'2X֯VsmI5M-^g62k?bTd.t LsJ+I $d<-5SW78KĢ @vfΓ6 lU nȽfC۾ v95G{VmcrJ%-Yag{сZSvχz(vTւ%,F|/F }HH3 ;j͖\]YqE o .oh1aĶJS+/U dChS(ԳC atV5omF 3K*F?7ʰN{ְ1v>09dI{m}M",bN^#<++U/1bhawk竳iDV6 !JVCY4"@r)s 3f\ޅ+ p(hO̤U/Fp;ʝmGe4Y_2q(\NW?c+id&˶h2kJ_,ő˟C8rI6l*yz\cCo3K'A.wI$f]N:'j%glltx3ًz@Y&^w^j]P(ځT~#{GӸe455VZVԞy'u"6Y洧k%84#F[Ϭgq.B k;-ea!c{?As"43LR_,ߘNm_޴~Mu͊+O}|yqy2G.3c/@Scp9 pJӀqcOS(]XQzCEu&/[5θS2V>2=,6"@bې&;^|_A+(sZ7ڤ[)J8e0bQ"Ij63 TѣSAn8=*j 4aiA.~cE7);"mY;yg%{5\뤀`,^xLs;`9БAsU>ڗWA \c4:vngĕqXg"{!BC❳gc[8B@ {G〼[:y)9Xtc@Бk\&7j›_ϊ^ OkB%-{ânLAMJ$pP#rbhQ_*Bnp5U+) +tIְ5i/w Fnj[+oaURK+#zt% KOI9̟IkGp!̣?_)7Q/㶍Cah ZfE}ԏGu'/k3ۍj-(*moaRp#h Zs >DQ{ wEr0go_5obxAQ׫VrH8"?\σlt۵ªؼ5;V&(ut{! /1%cR[uX"Nq14vKnA;gȈ>:C(sѩՉ5눤VQ- .T0S.P M=D7\s޷I7mOtqo}Go2|sUb.ac _@? <>?@:oHc֠  \F^#~M4{ kHٽR,K]3X3Nq~Rv[f`Lƻ2z 0WGjH~@9P dMt~]P#O_yEީB) yCvh=z.s C/ |Jρ~_/["qZ126yOD%Uuo }^nj{ @.X% UR~T']g"K; *lL{.e,~ `qh g/`! ѓVM\6T*N{v|Gxe3*E^< $z+č?񻶵DIE+{>`KeZɥ8,>~?TL=[0Ԙb蓅3mk7 _>>6$PCXzX ~pC9UhX$ccCDJErZ,'׷^|'` cނIU nR|< xvI)xqj!`čiK[y8+u;KdPP*<$2Y?M5R0a39ۿ8cwE셗SC@{tG} /&y1տMq}.H@P]ޟ.ufsi╲C b2M-Cɛ6y?f;u&6%!GV*YIܚpg-1btƚW fRSKMn O8O k,y]PД7sRH<)="_A,Nmm#*1"_J|0q|*Vo#zAxO.%ПPɋP'H ^/zhɇJ-M_+u(fna=(қΛU?^allsV$ !hWOGrQ.Xqpb="F,b҅!.i pVlD̏]x}ɫsdXQP7'DqҪ?Z3Zܗr@_XQAʺLkruiogx{&:IXdMW=l拑`1RӅH~~@9Fi/7QxdH묂|P1%)(|O.%ku;@yԚR\CS|=<|.-!kjjFAA%XD`@) ~N`E󐘁P\{ɘD&$0e~}[Q+LqOX ɠ-XH*YP}K4~X6D %s#aJ@G#UjFz!r "}ۛ*kg=զ,h)GRNm~VgXI`ZHk*B-IܷxhTةk@h̾1by ^WS7 'yqvhT`i)̡Yq6y Qo]*B+>x?p8Re܊jkq1?l+6-3\ǹD&Sxei }18R]y'a`/,r̂Dxv!4"RZN$` 1JӇj[e]<ǝa>oOꈩ GvǷާ4v" *y\3ɰL*}~^}ژEn6mv',0e|1Ua41OiV-G֩1a87“9A w,n!<$|JŜ2I앋d^1A u(,JB䔫r8gވhW95K(uEMk`$@9&W&('Z4OGfl R`XN)h=lTnO{w]?7j,6E7bDN- dy[ne)-EeTmIߩ*.f6AS7UGt6-5+#Ҍ'ԣhYj1S5}p?OI,xLpF"D:-OWv@:7=s)yԤnr#ءq?z)N3xQw dvJ^zUʹ(HeyLs4]!IaaGFS׿>p?*D^Tʱ,' =G H.~jڄPG@#O+ JW1S-Ĩ!攒S1z=W˙RTȲOٱkК$8 ńސ2]qz_6O$Tt^_?6V 8F;`ϲ#MgFj;&/Jp,h2RhI [q3,@#pzhT`&b|p: a/OAbі.LhN8}c>M4u\UQJiûǨD$⃢:PwNοY/,AzcqLּMp/l-8=UkFfǂH=S4P7dȈ h*2JW.ܨe0,2Kh$oɉQ /uKf87c\j_j8h+pYp<+=j.|( }a}N-`aD:Ao5/_7 w;DyQ"zę{A')lj'hb1Y,T=y[Xt^܂Pd8UBwt`7̌FUo9NKjҵ5P2.|6rQ_Yqa얒S"%Iooꮎ~,<OP&ж~"ęU5Nu'Br:M VhҴ1J{M-ˡg\"#XDrNb:ZɔYITǃ_pDܱl0޽k7#`eqF&{OSFܻf U\N1*t+(u5Z쨛8ڜ,]/$U#ц}Le]֫@Rs2j. -螧q%Ou)Wn&XXu + 51zK<,^P#}.nIZ8q$q`}Z) ڐ;b,«Y[K,2,z3r#Ҍ$+yFW0 X#EmsơA}/ lBkc!VI@EwѭHf>#N z*.z؀fhC~C!1u^I|[IKjfƯAvGc;B ¯a~ E }ħ3n?Ӟh~#+]VӚn%I\AUhRwHlZjS?wjh-χ&>Oo Tv힑>jBl^AU2j>13%1ۗ.UG;6cxp[XdQOx#{G/5`Mճr(7@&F36#A?S=O@-aP1٨}zMXqRLJp17SO{="E6Pj:l^*dkq֔VXP0hJ&9CM3m3AjHr"= 6Up2Tb bC_ipd9 7T%񡑼jMonnF|`r+b󡩤Ө Ot@@R.F“R~{Xtˡ:lܺD/RR׷˓Yx';YkȚZEmݿJ3ٱ"'cnh%ڌ}c2º2BNd\qxaX|:Vԭ-"gz蒫*;4=[TdH#Ȫ-)~>5=*FAA۽Ɖ©"]X #Am % \1~}Rtl9br+ȀO4&Dmr}?5v%kl]d}ig*0Fzxf:H)$ëQg uȹ:̕Y&*wxG'Qu,8_@L|/?mK%ft7C ksOr3_kc2EmuMLV6t U= SvA iwpf»VZ >?2c)OxpNXw>} `ctj֏1k(xB#Q^(Aj64/k2a֖ZfeV5cwtk F b&wm+¹?)} "5Tox g1ac+Ξe8oDrB7ͣF*u y[۶XGx:`}ƾϦR>4?qӈ ?vqdd|Ns3%X ߯ w7{%ś|3ɌOG_̈́{@; R~y"_{^/-7mUNU<  :{?VB8{&Eʙ. Ybvzpu]lLCdmܻ%!W鰜J麂wfSե7A(vODlaFy xJ6<=6YO̼ߢF={RDo)[Q 'ѮSo}D}g{Ams QįrDj{Y6>eLuuOPeί Qu,bV١dZ sR^s~"34=>*xq ={މ8fZQ%Q YZ