sssd-ipa-1.16.2-13.el7_6.8$>ehOmq\X}>=?d   : "?EL    4 { $XQQ Q(89:x=XG`H|IXY\]^LbdefltuvwHxdyXCsssd-ipa1.16.213.el7_6.8The IPA back end of the SSSDProvides the IPA back end that the SSSD can utilize to fetch identity data from and authenticate against an IPA server.\!x86-02.bsys.centos.org jCentOSGPLv3+CentOS BuildSystem Applications/Systemhttps://pagure.io/SSSD/sssd/linuxx86_64getent group sssd >/dev/null || groupadd -r sssd getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssdxK#A큤A\ \ \[\\\8860831fb753c6618a7fbe77bb7e8e64d79b51e93c4a832dbf600474ed483160f43e43471819960e8f02e24713e439083ac94ea36615c15c1af6ee074705c8b38ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b90353a8500319c08871d759d555025f0afa71303d59c14ec0f76a0a28988390c0cd4fbba0aec13bb482d6cabb2029a3ed65b7c1fc54593a52d0914ac2208362f704rootrootrootrootrootrootsssdrootsssdrootrootrootrootsssdsssd-1.16.2-13.el7_6.8.src.rpmlibsss_ipa.so()(64bit)sssd-ipasssd-ipa(x86-64)@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@   @ /bin/shbind-utilslibbasicobjects.so.0()(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libc.so.6(GLIBC_2.8)(64bit)libcollection.so.2()(64bit)libcom_err.so.2()(64bit)libdbus-1.so.3()(64bit)libdbus-1.so.3(LIBDBUS_1_3)(64bit)libdhash.so.1()(64bit)libdhash.so.1(DHASH_0.4.3)(64bit)libdl.so.2()(64bit)libglib-2.0.so.0()(64bit)libini_config.so.3()(64bit)libipa_hbac(x86-64)libipa_hbac.so.0()(64bit)libipa_hbac.so.0(IPA_HBAC_0.0.1)(64bit)libipa_hbac.so.0(IPA_HBAC_0.1.0)(64bit)libk5crypto.so.3()(64bit)libkeyutils.so.1()(64bit)libkrb5.so.3()(64bit)liblber-2.4.so.2()(64bit)libldap-2.4.so.2()(64bit)libldb.so.1()(64bit)libldb.so.1(LDB_0.9.10)(64bit)libndr-krb5pac.so.0()(64bit)libndr-krb5pac.so.0(NDR_KRB5PAC_0.0.1)(64bit)libndr-nbt.so.0()(64bit)libndr-nbt.so.0(NDR_NBT_0.0.1)(64bit)libndr-standard.so.0()(64bit)libndr.so.0()(64bit)libndr.so.0(NDR_0.0.1)(64bit)libnspr4.so()(64bit)libnss3.so()(64bit)libnssutil3.so()(64bit)libpcre.so.1()(64bit)libplc4.so()(64bit)libplds4.so()(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libref_array.so.1()(64bit)librt.so.1()(64bit)libsamba-util.so.0()(64bit)libselinux.so.1()(64bit)libsemanage.so.1()(64bit)libsemanage.so.1(LIBSEMANAGE_1.0)(64bit)libsmime3.so()(64bit)libssl3.so()(64bit)libsss_cert.so()(64bit)libsss_certmap.so.0()(64bit)libsss_child.so()(64bit)libsss_crypt.so()(64bit)libsss_debug.so()(64bit)libsss_idmap.so.0()(64bit)libsss_idmap.so.0(SSS_IDMAP_0.4)(64bit)libsss_krb5_common.so()(64bit)libsss_ldap_common.so()(64bit)libsss_semanage.so()(64bit)libsss_util.so()(64bit)libsystemd.so.0()(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb.so.1()(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rtld(GNU_HASH)shadow-utilssssd-commonsssd-common-pacsssd-krb5-commonrpmlib(PayloadIsXz)1.16.2-13.el7_6.83.0.4-14.6.0-14.0-11.16.2-13.el7_6.81.16.2-13.el7_6.81.16.2-13.el7_6.85.2-1sssd1.10.0-8.beta24.11.3\@\@\@\@\@\@[@[@[@[l,[b@[a[Y[Y[H@[E@[6@[0@[,[,[d@[[Z@Z@ZmZ@Z_@Z_@Z@ZyZhu@Z3@Z2gZ.s@Z*~Z'Z!D@ZZ@Z Z @Z7ZNYZ@Y@YYJ_YJ_YC@YBvYBvY9<@Y9<@Y5GY5GY5GY5GY0Y0Y(Y(Y%uY%uY$$@Y$$@Y"Y;@YR@YR@Y Y @Y @YtYtYtYtYtYXXh@XXX@X@X@XsX@X@X@XۡXۡXXӸX,XCX@XX*X lX lX lW$WW;W;W;W֘W֘W@W^@WiWiWiW/@W/@W/@W/@WWWWQWQWQW@W@W@WhW@W@Wt@WE@WE@W@W@W@W@WW~W-@W-@W-@WW@WWu WgWDB@WDB@WDB@WBW;W;W@VbV͛@VTQ@VCV @V @V @V V@VBVBVBVBVBUUUU@UXU@U@U@UUUUUUUUL@UL@UU@U@U@UnU@U(U@U@UUmUmU@UJ@UU7@U7@U7@U @U@U@TE@TE@TE@Tи@Tr@Tr@Tr@Tr@T}T}T}T}T}T7T7TTC@TTZ@TZ@TT@Tp@Tp@T@T{T*@T*@TTT~@T~@TuTuTto@Tto@Tto@Tto@Tto@Tto@TmTmTmTmTl@Tl@Tl@Tl@TcKTa@T\@TZ@TZ@TR(@TG@TG@TG@TG@TG@TD@T6xTTT SS@S|@Sr @Sr @Sr @Sr @S;S;S2@S2@S,)S!S L@SSS@S@S@S@S@S @S @S @S @S @S @S @S @SSSRb@Rb@Rb@R@R@R@R@RURURUR߲RRRx@Rx@Rx@RΏ@RΏ@RΏ@R=R=RkRRRR@R@R@R@R@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@RpREs@REs@R7Q@Q@Q@Q@Q@QQLQکQQQo@Q)@Q@QQ@Q@QbQyQV@Q'@QQQnQZ@Q0@QQQ@Q@QQ @QQh@PP@P@P@Pz@Pz@PqnPl(PaPaPS@PH@PDPM>M2@MMzMx@Mj - 1.16.2-13.8Michal Židek - 1.16.2-13.7Michal Židek - 1.16.2-13.6Michal Židek - 1.16.2-13.5Michal Židek - 1.16.2-13.4Michal Židek - 1.16.2-13.3Michal Židek - 1.16.2-13.2Michal Židek - 1.16.2-13.1Jakub Hrozek - 1.16.2-13Fabiano Fidêncio - 1.16.2-12Jakub Hrozek - 1.16.2-11Jakub Hrozek - 1.16.2-10Jakub Hrozek - 1.16.2-9Jakub Hrozek - 1.16.2-8Fabiano Fidêncio - 1.16.2-7Fabiano Fidêncio - 1.16.2-6Fabiano Fidêncio - 1.16.2-5Fabiano Fidêncio - 1.16.2-4Fabiano Fidêncio - 1.16.2-3Fabiano Fidêncio - 1.16.2-2Fabiano Fidêncio - 1.16.2-1Fabiano Fidêncio - 1.16.0-25Fabiano Fidêncio - 1.16.0-24Fabiano Fidêncio - 1.16.0-23Fabiano Fidêncio - 1.16.0-22Jakub Hrozek - 1.16.0-21Fabiano Fidêncio - 1.16.0-20Fabiano Fidêncio - 1.16.0-19Fabiano Fidêncio - 1.16.0-18Fabiano Fidêncio - 1.16.0-17Fabiano Fidêncio - 1.16.0-16Fabiano Fidêncio - 1.16.0-15Fabiano Fidêncio - 1.16.0-14Fabiano Fidêncio - 1.16.0-13Fabiano Fidêncio - 1.16.0-12Fabiano Fidêncio - 1.16.0-11Fabiano Fidêncio - 1.16.0-10Fabiano Fidêncio - 1.16.0-9Fabiano Fidêncio - 1.16.0-8Fabiano Fidêncio - 1.16.0-7Fabiano Fidêncio - 1.16.0-6Fabiano Fidêncio - 1.16.0-5Fabiano Fidêncio - 1.16.0-4Fabiano Fidêncio - 1.16.0-3Fabiano Fidêncio - 1.16.0-2Fabiano Fidêncio - 1.16.0-1Jakub Hrozek - 1.15.2-51Jakub Hrozek - 1.15.2-50Jakub Hrozek - 1.15.2-49Jakub Hrozek - 1.15.2-48Jakub Hrozek - 1.15.2-47Jakub Hrozek - 1.15.2-46Jakub Hrozek - 1.15.2-45Jakub Hrozek - 1.15.2-44Jakub Hrozek - 1.15.2-43Jakub Hrozek - 1.15.2-42Jakub Hrozek - 1.15.2-41Jakub Hrozek - 1.15.2-40Jakub Hrozek - 1.15.2-39Jakub Hrozek - 1.15.2-38Jakub Hrozek - 1.15.2-37Jakub Hrozek - 1.15.2-36Jakub Hrozek - 1.15.2-35Jakub Hrozek - 1.15.2-34Jakub Hrozek - 1.15.2-33Jakub Hrozek - 1.15.2-32Jakub Hrozek - 1.15.2-31Sumit Bose - 1.15.2-30Jakub Hrozek - 1.15.2-29Jakub Hrozek - 1.15.2-28Jakub Hrozek - 1.15.2-25Jakub Hrozek - 1.15.2-24Lukas Slebodnik - 1.15.2-23Jakub Hrozek - 1.15.2-22Jakub Hrozek - 1.15.2-21Jakub Hrozek - 1.15.2-20Jakub Hrozek - 1.15.2-19Jakub Hrozek - 1.15.2-18Jakub Hrozek - 1.15.2-17Jakub Hrozek - 1.15.2-16Jakub Hrozek - 1.15.2-15Jakub Hrozek - 1.15.2-14Jakub Hrozek - 1.15.2-13Jakub Hrozek - 1.15.2-12Jakub Hrozek - 1.15.2-11Jakub Hrozek - 1.15.2-10Jakub Hrozek - 1.15.2-9Jakub Hrozek - 1.15.2-8Jakub Hrozek - 1.15.2-7Jakub Hrozek - 1.15.2-6Jakub Hrozek - 1.15.2-5Jakub Hrozek - 1.15.2-4Jakub Hrozek - 1.15.2-3Jakub Hrozek - 1.15.2-2Jakub Hrozek - 1.15.2-1Fabiano Fidêncio - 1.15.1-2Jakub Hrozek - 1.15.1-1Jakub Hrozek - 1.15.0-2Jakub Hrozek - 1.15.0-1Jakub Hrozek - 1.14.0-46Jakub Hrozek - 1.14.0-45Jakub Hrozek - 1.14.0-44Jakub Hrozek - 1.14.0-43Jakub Hrozek - 1.14.0-42Jakub Hrozek - 1.14.0-41Jakub Hrozek - 1.14.0-40Jakub Hrozek - 1.14.0-39Jakub Hrozek - 1.14.0-38Jakub Hrozek - 1.14.0-37Jakub Hrozek - 1.14.0-36Jakub Hrozek - 1.14.0-35Jakub Hrozek - 1.14.0-34Jakub Hrozek - 1.14.0-33Jakub Hrozek - 1.14.0-32Jakub Hrozek - 1.14.0-31Jakub Hrozek - 1.14.0-30Jakub Hrozek - 1.14.0-29Jakub Hrozek - 1.14.0-28Jakub Hrozek - 1.14.0-27Jakub Hrozek - 1.14.0-26Jakub Hrozek - 1.14.0-25Jakub Hrozek - 1.14.0-24Jakub Hrozek - 1.14.0-23Jakub Hrozek - 1.14.0-22Jakub Hrozek - 1.14.0-21Jakub Hrozek - 1.14.0-20Jakub Hrozek - 1.14.0-19Jakub Hrozek - 1.14.0-18Jakub Hrozek - 1.14.0-17Jakub Hrozek - 1.14.0-16Jakub Hrozek - 1.14.0-15Jakub Hrozek - 1.14.0-14Jakub Hrozek - 1.14.0-13Jakub Hrozek - 1.14.0-12Jakub Hrozek - 1.14.0-11Jakub Hrozek - 1.14.0-10Jakub Hrozek - 1.14.0-9Jakub Hrozek - 1.14.0-8Jakub Hrozek - 1.14.0-7Jakub Hrozek - 1.14.0-6Jakub Hrozek - 1.14.0-5Jakub Hrozek - 1.14.0-4Jakub Hrozek - 1.14.0-3Jakub Hrozek - 1.14.0-2Jakub Hrozek - 1.14.0-1Jakub Hrozek - 1.14.0beta1-2Jakub Hrozek - 1.14.0alpha-1Jakub Hrozek - 1.13.0-50Jakub Hrozek - 1.13.0-49Jakub Hrozek - 1.13.0-48Jakub Hrozek - 1.13.0-47Jakub Hrozek - 1.13.0-46Jakub Hrozek - 1.13.0-45Jakub Hrozek - 1.13.0-44Jakub Hrozek - 1.13.0-43Jakub Hrozek - 1.13.0-42Jakub Hrozek - 1.13.0-41Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 1.12.2-58.3Jakub Hrozek - 1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 1.11.2-52Jakub Hrozek - 1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Resolves: rhbz#1690759 - RHEL STIG pointing sssd Packaging issue [rhel-7.6.z] - Part 2.- Resolves: rhbz#1690759 - RHEL STIG pointing sssd Packaging issue [rhel-7.6.z]- Resolves: rhbz#1683578 - sssd_krb5_locator_plugin introduces delay in cifs.upcall krb5 calls [rhel-7.6.z]- Resolves: rhbz#1659507 - SSSD's LDAP authentication provider does not work if ID provider is authenticated with GSSAPI [rhel-7.6.z]- Resolves: rhbz#1659083 - SSSD must be cleared/restarted periodically in order to retrieve AD users through IPA Trust [rhel-7.6.z]- Resolves: rhbz#1656833 - sssd_nss memory leak [rhel-7.6.z]- Resolves: Bug 1649784 - SSSD not fetching all sudo rules from AD [rhel-7.6.z]- Resolves: rhbz#1645047 - sssd only sets the SELinux login context if it differs from the default [rhel-7.6.z]- Resolves: rhbz#1593756 - sssd needs to require a newer version of libtalloc and libtevent to avoid an issue in GPO processing- Resolves: rhbz#1610667 - sssd_ssh leaks file descriptors when more than one certificate is converted into an SSH key - Resolves: rhbz#1583360 - The IPA selinux provider can return an error if SELinux is completely disabled- Resolves: rhbz#1602781 - Local users failed to login with same password- Resolves: rhbz#1586127 - Spurious check in the sssd nss memcache can cause the memory cache to be skipped- Resolves: rhbz#1522928 - sssd doesn't allow user with expired password- Resolves: rhbz#1607313 - When sssd is running as non-root user, the sudo pipe is created as sssd:sssd but then the private pipe ownership fails- Resolves: rhbz#1600822 - SSSD bails out saving desktop profiles in case an invalid profile is found- Resolves: rhbz#1582975 - The search filter for detecting POSIX attributes in global catalog is too broad and can cause a high load on the servers- Resolves: rhbz#1583725 - SSSD AD uses LDAP filter to detect POSIX attributes stored in AD GC also for regular AD DC queries - Resolves: rhbz#1416528 - sssd in cross realm trust configuration should be able to use AD KDCs from a client site defined in sssd.conf or a snippet - Resolves: rhbz#1592964 - Groups go missing with PAC enabled in sssd- Resolves: rhbz#1590603 - EMBARGOED CVE-2018-10852 sssd: information leak from the sssd-sudo responder [rhel-7] - Resolves: rhbz#1450778 - Full information regarding priority of lookup of principal in keytab not in man page- Resolves: rhbz#1494690 - kdcinfo files are not created for subdomains of a directly joined AD client - Resolves: rhbz#1583343 - Login with sshkeys stored in ipa not working after update to RHEL-7.5 - Resolves: rhbz#1527662 - Handle conflicting e-mail addresses more gracefully - Resolves: rhbz#1509691 - Document how to change the regular expression for SSSD so that group names with an @-sign can be parsed- Related: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch- Resolves: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch - Resolves: rhbz#1523019 - Reset password with two factor authentication fails - Resolves: rhbz#1534749 - Requesting an AD user's private group and then the user itself returns an emty homedir - Resolves: rhbz#1537272 - SSH public key authentication keeps working after keys are removed from ID view - Resolves: rhbz#1537279 - Certificate is not removed from cache when it's removed from the override - Resolves: rhbz#1562025 - externalUser sudo attribute must be fully-qualified - Resolves: rhbz#1577335 - /usr/libexec/sssd/sssd_autofs SIGABRT crash daily - Resolves: rhbz#1508530 - How should sudo behave without sudoHost attribute? - Resolves: rhbz#1546754 - The man page of sss_ssh_authorizedkeys can be enhanced to better explain how the keys are retrieved and how X.509 certificates can be used - Resolves: rhbz#1572790 - getgrgid/getpwuid fails in setups with multiple domains if the first domain uses mid_id/max_id - Resolves: rhbz#1561562 - sssd not honoring dyndns_server if the DNS update process is terminated with a signal - Resolves: rhbz#1583251 - home dir disappear in sssd cache on the IPA master for AD users - Resolves: rhbz#1514061 - ID override GID from Default Trust View is not properly resolved in case domain resolution order is set - Resolves: rhbz#1571466 - Utilizing domain_resolution_order in sssd.conf breaks SELinux user map - Resolves: rhbz#1571526 - SSSD with ID provider 'ad' should give a warning in case the ldap schema is manually changed to something different than 'ad'.- Resolves: rhbz#1547782 - The SSSD IPA provider allocates information about external groups on a long lived memory context, causing memory growth of the sssd_be process- Related: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1516266 - Give a more detailed debug and system-log message if krb5_init_context() failed - Resolves: rhbz#1503802 - Smartcard authentication fails if SSSD is offline and 'krb5_store_password_if_offline = True' - Resolves: rhbz#1385665 - Incorrect error code returned from krb5_child (updated) - Resolves: rhbz#1547234 - SSSD's GPO code ignores ad_site option - Resolves: rhbz#1459348 - extend sss-certmap man page regarding priority processing - Resolves: rhbz#1220767 - Group renaming issue when "id_provider = ldap" is set - Resolves: rhbz#1538555 - crash in nss_protocol_fill_netgrent. sssd_nss[19234]: segfault at 80 ip 000055612688c2a0 sp 00007ffddf9b9cd0 error 4 in sssd_nss[55612687e000+39000]- Resolves: rhbz#1565774 - After updating to RHEL 7.5 failing to clear the sssd cache- Resolves: rhbz#1566782 - memory management issue in the sssd_nss_ex interface can cause the ns-slapd process on IPA server to crash- Related: rhbzrhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1543348 - sssd_be consumes more memory on RHEL 7.4 systems. - Resolves: rhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1523282 - sssd used wrong search base with wrong AD server- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set - Related: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7]- Resolves: rhbz#1517971 - AD Domain goes offline immediately during subdomain initialization - IPA AD Trust - Related: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1527149 - AD provider - AD BUILTIN groups are cached with gidNumber = 0 - Related: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1525644 - dbus-send unable to find user by CAC cert- Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card- Resolves: rhbz#1512027 - NSS by-id requests are not checked against max_id/min_id ranges before triggering the backend- Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card - Resolves: rhbz#1520984 - getent output is not showing home directory for IPA AD trusted user - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1421194 - SSSD doesn't use AD global catalog for gidnumber lookup, resulting in unacceptable delay for large forests- Resolves: rhbz#1482231 - sssd_nss consumes more memory until restarted or machine swaps - Resolves: rhbz#1512508 - SSSD fails to fetch group information after switching IPA client to a non-default view- Resolves: rhbz#1490120 - SSSD complaining about corrupted mmap cache and logging error in /var/log/messages and /var/log/sssd/sssd_nss.log- Resolves: rhbz#1272214 - [RFE] Create a local per system report about who can access that IDM client (attestation) - Resolves: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Resolves: rhbz#888739 - Enumerating large number of users makes sssd_be hog the cpu for a long time. - Resolves: rhbz#1373547 - SSSD performance issue with malloc and brk calls - Resolves: rhbz#1472255 - Improve SSSD performance in the 7.5 release- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1432010 - SSSD ships a drop-in configuration snippet in /etc/systemd/system - Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available- Resolves: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Related: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1408294 - SSSD authentication fails when two IPA accounts share an email address without a clear way to debug the problem - Resolves: rhbz#1502686 - crash - /usr/libexec/sssd/sssd_nss in nss_setnetgrent_timeout- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1484376 - [RFE] Add a configuration option to SSSD to disable the memory cache - Resolves: rhbz#1327705 - Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1505277 - Race condition between refreshing the cr_domain list and a request that is using the list can cause a segfault is sssd_nss - Resolves: rhbz#1462343 - document information on why SSSD does not use host-based security filtering when processing AD GPOs - Resolves: rhbz#1498734 - sssd_be stuck in an infinite loop after completing full refresh of sudo rules - Resolves: rhbz#1400614 - [RFE] sssd should remember DNS sites from first search - Resolves: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Resolves: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1469791 - Rebase SSSD to version 1.16+ - Resolves: rhbz#1132264 - Allow sssd to retrieve sudo rules of local users whose sudo rules stored in ldap server - Resolves: rhbz#1301740 - sssd can be marked offline if a trusted domain is not reachable - Resolves: rhbz#1399262 - Use TCP for kerberos with AD by default - Resolves: rhbz#1416150 - RFE: Log to syslog when sssd cannot contact servers, goes offline - Resolves: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Resolves: rhbz#1454559 - python-sssdconfig doesn't parse hexadecimal debug _level, resulting in set_option(): /usr/lib/python2.7/site-packages/SSSDConfig/__init__.py killed by TypeError - Resolves: rhbz#1456968 - MAN: document that attribute 'provider' is not allowed in section 'secrets' - Resolves: rhbz#1460689 - KCM/secrets: Storing many secrets in a rapid succession segfaults the secrets responder - Resolves: rhbz#1464049 - Idle nss file descriptors should be closed - Resolves: rhbz#1468610 - sssd_be is utilizing more CPU during sudo rules refresh - Resolves: rhbz#1474711 - Querying the AD domain for external domain's ID can mark the AD domain offline - Resolves: rhbz#1479398 - samba shares with sssd authentication broken on 7.4 - Resolves: rhbz#1479983 - id root triggers an LDAP lookup - Resolves: rhbz#1489895 - Issues with certificate mapping rules - Resolves: rhbz#1490501 - sssd incorrectly checks 'try_inotify' thinking it is the wrong section - Resolves: rhbz#1490913 - MAN: Document that full_name_format must be set if the output of trusted domains user resolution should be shortnames only - Resolves: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Resolves: rhbz#1482674 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server - Resolves: rhbz#1486053 - Accessing IdM kerberos ticket fails while id mapping is applied - Resolves: rhbz#1486786 - sssd going in offline mode due to sudo search filter. - Resolves: rhbz#1500087 - SSSD creates bad override search filter due to AD Trust object with parenthesis - Resolves: rhbz#1502713 - SSSD can crash due to ABI changes in libldb >= 1.2.0 (1.1.30) - Resolves: rhbz#1461462 - sssd_client: add mutex protected call to the PAC responder - Resolves: rhbz#1489666 - Combination sssd-ad and postfix recieve incorrect mail with asterisks or spaces - Resolves: rhbz#1525052 - sssd_krb5_localauth_plugin fails to fallback to otheri localname rules- Require the 7.5 libldb version which broke ABI - Related: rhbz#1469791 - Rebase SSSD to version 1.16+- Resolves: rhbz#1457926 - Wrong search base used when SSSD is directly connected to AD child domain- Resolves: rhbz#1450107 - SSSD doesn't handle conflicts between users from trusted domains with the same name when shortname user resolution is enabled- Resolves: rhbz#1459846 - krb5: properly handle 'password expired' information retured by the KDC during PKINIT/Smartcard authentication- Resolves: rhbz#1430415 - ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in- Resolves: rhbz#1455254 - Make domain available as user attribute- Resolves: rhbz#1449731 - IPA client cannot change AD Trusted User password- Resolves: rhbz#1457927 - getent failed to fetch netgroup information after changing default_domain_suffix to ADdomin in /etc/sssd/sssd.conf- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15- Resolves: rhbz#1449728 - LDAP to IPA migration doesn't work in master- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1449729 - org.freedesktop.sssd.infopipe.GetUserGroups does not resolve groups into names with AD- Resolves: rhbz#1450094 - Properly support IPA's promptusername config option- Resolves: rhbz#1457644 - Segfault in access_provider = krb5 is set in sssd.conf due to an off-by-one error when constructing the child send buffer - Resolves: rhbz#1456531 - Option name typos are not detected with validator function of sssctl config-check command in domain sections- Resolves: rhbz#1428906 - sssd intermittently failing to resolve groups for an AD user in IPA-AD trust environment.- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail - Fix Coverity issues in patches for rhbz#1445445- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1446302 - crash in sssd-kcm due to a race-condition between two concurrent requests- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail- Resolves: rhbz#1306707 - Need better debug message when krb5_child returns an unhandled error, leading to a System Error PAM code- Resolves: rhbz#1446535 - Group resolution does not work in subdomain without ad_server option- Resolves: rhbz#1449726 - sss_nss_getlistbycert() does not return results from multiple domains - Resolves: rhbz#1447098 - sssd unable to search dbus for ipa user by certificate - Additional patch for rhbz#1440132- Reapply patch by Lukas Slebodnik to fix upgrade issues with libwbclient - Resolves: rhbz#1439457 - SSSD does not start after upgrade from 7.3 to 7.4 - Resolves: rhbz#1449107 - error: %pre(sssd-common-1.15.2-26.el7.x86_64) scriptlet failed, exit status 3- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15 - Also apply an additional patch for rhbz#1441545- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1434992 - Wrong pam return code for user from subdomain with ad_access_filter- Resolves: rhbz#1430494 - expect sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy manuals to be packaged into sssd-common package- Resolves: rhbz#1427749 - SSSD in server mode iterates over all domains for group-by-GID requests, causing unnecessary searches- Resolves: rhbz#1446139 - Infopipe method ListByCertificate does not return the users with overrides- Resolves: rhbz#1441545 - With multiple subdomain sections id command output for user is not displayed for both domains- Resolves: rhbz#1428866 - Using ad_enabled_domains configuration option in sssd.conf causes nameservice lookups to fail.- Remove an unused variable from the sssd-secrets responder - Related: rhbz#1398701 - [sssd-secrets] https proxy talks plain http - Improve two DEBUG messages in the client trust code to aid troubleshooting - Fix standalone application domains - Related: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Allow completely server-side unqualified name resolution if the domain order is set, do not require any client-side changes - Related: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users- Resolves: rhbz#1402532 - D-Bus interface of sssd is giving inappropriate group information for trusted AD users- Resolves: rhbz#1431858 - Wrong principal found with ad provider and long host name- Resolves: rhbz#1415167 - pam_acct_mgmt with pam_sss.so fails in unprivileged container unless selinux_provider = none is used- Resolves: rhbz#1438388 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_pam killed by 6- Resolves: rhbz#1432112 - sssctl config-check does not give any error when default configuration file is not present- Resolves: rhbz#1438374 - [abrt] [faf] sssd: vfprintf(): /usr/libexec/sssd/sssd_be killed by 11- Resolves: rhbz#1427195 - sssd_nss consumes more memory until restarted or machine swaps- Resolves: rhbz#1414023 - Create troubleshooting tool to determine if a failure is in SSSD or not when using layered products like RH-SSO/CFME etc- Resolves: rhbz#1398701 - [sssd-secrets] https proxy talks plain http- Fix off-by-one error in the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Resolves: rhbz#1434991 - Issue processing ssh keys from certificates in ssh respoder- Resolves: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users - Also backport some buildtime fixes for the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1340711 - [RFE] Use one smartcard and certificate for authentication to distinct logon accounts- Update to upstream 1.15.2 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html - Resolves: rhbz#1418728 - IPA - sudo does not handle associated conflict entries - Resolves: rhbz#1386748 - sssd doesn't update PTR records if A/PTR zones are configured as non-secure and secure - Resolves: rhbz#1214491 - [RFE] Make it possible to configure AD subdomain in the SSSD server mode- Drop "NOUPSTREAM: Bundle http-parser" patch Related: rhbz#1393819 - New package: http-parser- Update to upstream 1.15.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html - Resolves: rhbz#1327085 - Don't prompt for password if there is already one on the stack - Resolves: rhbz#1378722 - [RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases - Resolves: rhbz#1405075 - [RFE] Add PKINIT support to SSSD Kerberos provider - Resolves: rhbz#1416526 - Need correction in sssd-krb5 man page - Resolves: rhbz#1418752 - pam_sss crashes in do_pam_conversation if no conversation function is provided by the client app - Resolves: rhbz#1419356 - Fails to accept any sudo rules if there are two user entries in an ldap role with the same sudo user - Resolves: rhbz#1421622 - SSSD - Users/Groups are cached as mixed-case resulting in users unable to sign in- Fix several packaging issues, notably the p11_child is no longer setuid and the libwbclient used a wrong version number in the symlink- Update to upstream 1.15.0 - Resolves: rhbz#1393824 - Rebase SSSD to version 1.15 - Resolves: rhbz#1407960 - wbcLookupSid() fails in pdomain is NULL - Resolves: rhbz#1406437 - sssctl netgroup-show Cannot allocate memory - Resolves: rhbz#1400422 - Use-after free in resolver in case the fd is writeable and readable at the same time - Resolves: rhbz#1393085 - bz - ldap group names don't resolve after upgrading sssd to 1.14.0 if ldap_nesting_level is set to 0 - Resolves: rhbz#1392444 - sssd_be keeps crashing - Resolves: rhbz#1392441 - sssd fails to start after upgrading to RHEL 7.3 - Resolves: rhbz#1382602 - autofs map resolution doesn't work offline - Resolves: rhbz#1380436 - sudo: ignore case on case insensitive domains - Resolves: rhbz#1378251 - Typo In SSSD-AD Man Page - Resolves: rhbz#1373427 - Clock skew makes SSSD return System Error - Resolves: rhbz#1306707 - Need better handling of "Server not found in Kerberos database" - Resolves: rhbz#1297462 - Don't include 'enable_only=sssd' in the localauth plugin config- Resolves: rhbz#1382598 - IPA: Uninitialized variable during subdomain check- Resolves: rhbz#1378911 - No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain- Resolves: rhbz#1372075 - AD provider: SSSD does not retrieve a domain-local group with the AD provider when following AGGUDLP group structure across domains- Resolves: rhbz#1376831 - sssd-common is missing dependency on sssd-sudo- Resolves: rhbz#1371631 - login using gdm calls for gdm-smartcard when smartcard authentication is not enabled- Resolves: rhbz#1373420 - sss_override fails to export- Resolves: rhbz#1375299 - sss_groupshow fails with error "No such group in local domain. Printing groups only allowed in local domain"- Resolves: rhbz#1375182 - SSSD goes offline when the LDAP server returns sizelimit exceeded- Resolves: rhbz#1372753 - Access denied for user when access_provider = krb5 is set in sssd.conf- Resolves: rhbz#1373444 - unable to create group in sssd cache - Resolves: rhbz#1373577 - unable to add local user in sssd to a group in sssd- Resolves: rhbz#1369118 - Don't enable the default shadowtils domain in RHEL- Fix permissions for the private pipe directory - Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1371977 - resolving IPA nested user groups is broken in 1.14- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1371152 - SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side- Apply forgotten patch - Resolves: rhbz#1368496 - sssd is not able to authenticate with alias - Resolves: rhbz#1366470 - sssd: throw away the timestamp cache if re-initializing the persistent cache - Fix deleting non-existent secret - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1364033 - sssd exits if clock is adjusted backwards after boot- Resolves: rhbz#1362023 - SSSD fails to start when ldap_user_extra_attrs contains mail- Resolves: rhbz#1368324 - libsss_autofs.so is packaged in two packages sssd-common and libsss_autofs- Fix RPM scriptlet plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Add socket-activation plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Own the secrets directory - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1268874 - Add an option to disable checking for trusted domains in the subdomains provider- Resolves: rhbz#1271280 - sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)- Resolves: rhbz#1290500 - [feat] command to manually list fo_add_server_to_list information- Add several small fixes related to the config API - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Resolves: rhbz#1349900 - gpo search errors out and gpo_cache file is never created- Fix regressions in the simple access provider - Resolves: rhbz#1360806 - sssd does not start if sub-domain user is used with simple access provider - Apply a number of specfile patches to better match the upstream spefile - Related: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3- Cherry-pick patches from upstream that fix several regressions - Avoid checking local users in all cases - Resolves: rhbz#1353951 - sssd_pam leaks file descriptors- Resolves: rhbz#1364118 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11 - Resolves: rhbz#1361563 - Wrong pam error code returned for password change in offline mode- Resolves: rhbz#1309745 - Support multiple principals for IPA users- Resolves: rhbz#1304992 - Handle overriden name of members in the memberUid attribute- handle unresolvable sites more gracefully - Resolves: rhbz#1346011 - sssd is looking at a server in the GC of a subdomain, not the root domain. - fix compilation warnings in unit tests- fix capaths output - Resolves: rhbz#1344940 - GSSAPI error causes failures for child domain user logins across IPA - AD trust - also fix Coverity issues in the secrets responder and suppress noisy debug messages when setting the timestamp cache- Resolves: rhbz#1356577 - sssctl: Time stamps without time zone information- Resolves: rhbz#1354414 - New or modified ID-View User overrides are not visible unless rm -f /var/lib/sss/db/*cache*- Resolves: rhbz#1211631 - [RFE] Support of UPN for IdM trusted domains- Resolves: rhbz#1350520 - [abrt] sssd-common: ipa_dyndns_update_send(): sssd_be killed by SIGSEGV- Resolves: rhbz#1349882 - sssd does not work under non-root user - Also cherry-pick a few patches from upstream to fix config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Sync a few minor patches from upstream - Fix sssctl manpage - Fix nss-tests unit test on big-endian machines - Fix several issues in the config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Bundle http-parser - Resolves: rhbz#1311056 - Add a Secrets as a Service component- Sync a few minor patches from upstream - Fix a failover issue - Resolves: rhbz#1334749 - sssd fails to mark a connection as bad on searches that time out- Explicitly BuildRequire newer ding-libs - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- New upstream release 1.14.0 - Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#835492 - [RFE] SSSD admin tool request - force reload - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check) - Resolves: rhbz#1278691 - Please fix rfc2307 autofs schema defaults - Resolves: rhbz#1287209 - default_domain_suffix Appended to User Name - Resolves: rhbz#1300663 - Improve sudo protocol to support configurations with default_domain_suffix - Resolves: rhbz#1312275 - Support authentication indicators from IPA- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#790113 - [RFE] "include" directive in sssd.conf - Resolves: rhbz#874985 - [RFE] AD provider support for automount lookups - Resolves: rhbz#879333 - [RFE] SSSD admin tool request - status overview - Resolves: rhbz#1140022 - [RFE]Allow sssd to add a new option that would specify which server to update DNS with - Resolves: rhbz#1290380 - RFE: Improve SSSD performance in large environments - Resolves: rhbz#883886 - sssd: incorrect checks on length values during packet decoding - Resolves: rhbz#988207 - sssd does not detail which line in configuration is invalid - Resolves: rhbz#1007969 - sssd_cache does not remove have an option to remove the sssd database - Resolves: rhbz#1103249 - PAC responder needs much time to process large group lists - Resolves: rhbz#1118257 - Users in ipa groups, added to netgroups are not resovable - Resolves: rhbz#1269018 - Too much logging from sssd_be - Resolves: rhbz#1293695 - sssd mixup nested group from AD trusted domains - Resolves: rhbz#1308935 - After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user - Resolves: rhbz#1315766 - SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo - Resolves: rhbz#1316164 - SSSD fails to process GPO from Active Directory - Resolves: rhbz#1322458 - sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - The rebase includes fixes for the following bugzillas: - Resolves: rhbz#789477 - [RFE] SUDO: Support the IPA schema - Resolves: rhbz#1059972 - RFE: SSSD: Automatically assign new slices for any AD domain - Resolves: rhbz#1233200 - man sssd.conf should clarify details about subdomain_inherit option. - Resolves: rhbz#1238144 - Need better libhbac debuging added to sssd - Resolves: rhbz#1265366 - sss_override segfaults when accidentally adding --help flag to some commands - Resolves: rhbz#1269512 - sss_override: memory violation - Resolves: rhbz#1278566 - crash in sssd when non-Englsh locale is used and pam_strerror prints non-ASCII characters - Resolves: rhbz#1283686 - groups get deleted from the cache - Resolves: rhbz#1290378 - Smart Cards: Certificate in the ID View - Resolves: rhbz#1292238 - extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members - Resolves: rhbz#1292456 - sssd_be AD segfaults on missing A record - Resolves: rhbz#1294670 - Local users with local sudo rules causes LDAP queries - Resolves: rhbz#1296618 - Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore - Resolves: rhbz#1299553 - Cannot retrieve users after upgrade from 1.12 to 1.13 - Resolves: rhbz#1302821 - Cannot start sssd after switching to non-root - Resolves: rhbz#1310877 - [RFE] Support Automatic Renewing of Kerberos Host Keytabs - Resolves: rhbz#1313014 - sssd is not closing sockets properly - Resolves: rhbz#1318996 - SSSD does not fail over to next GC - Resolves: rhbz#1327270 - local overrides: issues with sub-domain users and mixed case names - Resolves: rhbz#1342547 - sssd-libwbclient: wbcSidsToUnixIds should not fail on lookup errors- Build the PAC plugin with krb5-1.14 - Related: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1290853 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.- Resolves: rhbz#1336706 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups- Resolves: rhbz#1296902 - In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD.- Resolves: rhbz#1334159 - IPA provider crashes if a netgroup from a trusted domain is requested- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin - More patches from upstream related to the memory leak- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin- Resolves: rhbz#1300740 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.- Resolves: rhbz#1267836 - PAM responder crashed if user was not set- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Fix a Coverity warning in dyndns code - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1263735 - Could not resolve AD user from root domain- Remove -d from sss_override manpage - Related: rhbz#1259512 - sss_override : The local override user is not found- Patches required for better handling of failover with one-way trusts - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users- Resolves: rhbz#1259512 - sss_override : The local override user is not found- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help- Resolves: rhbz#1254518 - Fix crash in nss responder- Support import/export for local overrides - Support FQDNs for local overrides - Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes- Resolves: rhbz#1250415 - sssd: p11_child hardening- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected- Fix wildcard_limit=0 - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Fix race condition in invalidating the memory cache - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled- Bump release number - Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- Fix missing dependency of sssd-tools - Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- More memory cache related fixes - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Remove binary blob from SC patches as patch(1) can't handle those - Related: rhbz#854396 - [RFE] Support for smart cards- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*- Fix memory cache integration tests - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups - Resolves: rhbz#854396 - [RFE] Support for smart cards- Remove OTP from PAM stack correctly - Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Handle sssd-owned keytabs when sssd runs as root - Related: rhbz#1205144 - RFE: Support one-way trusts for IPA- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on individual clients- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support - Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2- Add support for InfoPipe wildcard requests - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Also package the initgr memcache - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Rebase to 1.13.0 upstream - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Don't default to SSSD user - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Related: rhbz#1205554 - Rebase SSSD to 1.13.x - GPO default should be permissve- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x - Relax the libldb requirement - Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21 - Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs - Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust - Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers - Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains - Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups - Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set - Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides - Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution - Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work - Resolves: rhbz#1214337 - Overrides with --login work in second attempt - Resolves: rhbz#1212489 - Disable the cleanup task by default - Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf - Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one - Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected - Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all - Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface - Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain - Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys - Resolves: rhbz#1204203 - sssd crashes intermittently - Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default - Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only - Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries - Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything - Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query - Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects - Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name? - Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error - Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD - Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set - Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires - Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option - Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID- Filter out domain-local groups during AD initgroups operation - Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Initialize variable in the views code in one success and one failure path - Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Handle case where there is no default and no rules - Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u- Set a pointer in ldap_child to NULL to avoid warnings - Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Run the restart in sssd-common posttrans - Explicitly require libwbclient - Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Fix endianess bug in fill_id() - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view- Resolves: rhbz#1184982 - Need to set different umask in selinux_child- Bump the release number - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Add a patch dependency - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Process ghost members only once - Fix processing of universal groups with members from different domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved- Handle GID override in MPG domains - Handle views with mixed-case domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Open socket to the PAC responder in krb5_child before dropping root - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD- Resolves: rhbz#889206 - On clock skew sssd returns system error- Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used - Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Resolves: rhbz#1171215 - Crash in function get_object_from_cache - Resolves: rhbz#1171383 - getent fails for posix group with AD users after login - Resolves: rhbz#1171382 - getent of AD universal group fails after group users login - Resolves: rhbz#1170300 - Access is not rejected for disabled domain - Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode - Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear - Related: rhbz#1113783 - sssd should run under unprivileged user- Rebuild to add several forgotten Patch entries - Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Remove Coverity warnings in krb5_child code - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Don't error out on chpass with OTPs - Related: rhbz#1109756 - Rebase SSSD to 1.12- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users - Enable running unit tests without cmocka - Related: rhbz#1113783 - sssd should run under unprivileged user- krb5_child and ldap_child do not call Kerberos calls as root - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware- Fix typo in libwbclient-devel alternatives invocation - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.- Handle migrating clients between views - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Use alternatives for libwbclient - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression- Add an option that describes where to put generated krb5 files to - Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12- Handle IPA group names returned from the extop plugin - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete- Support views for IPA users - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Update man page to clarify TGs should be disabled with a custom search base - Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Use upstreamed patches for the rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Resolves: rhbz#1162480 - dereferencing failure against openldap server- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1113783 - sssd should run under unprivileged user- Fix two regressions in the new selinux_child process - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1132365 - Remove password from the PAM stack if OTP is used- Include the ldap_child and selinux_child patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Support overriding SSH public keys with views - Support extended attributes via the extop plugin - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving - Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times- Include the responder and packaging patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Amend the sssd-ldap man page with info about lockout setup - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD - Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server - Related: rhbz#1109756 - Rebase SSSD to 1.12- Add the low-level server changes for running as unprivileged user - Package the libsss_semange library needed for SELinux label changes - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Use libsemanage for SELinux label changes - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Rebase SSSD to 1.12.2 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Sync with upstream - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebuild against ding-libs with fixed SONAME - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.1 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Require ldb 2.1.17 - Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer- Fix fully qualified IFP lookups - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.0 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Squash in upstream review comments about the PAC patch - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Backport a patch to allow krb5-utils-test to run as root - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Fix a DEBUG message, backport two related fixes - Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success- Resolves: rhbz#1078840 - Error during password change- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider- Fix idmap documentation - Bump idmap version info - Related: rhbz#1067361 - Check IPA idranges before saving them to the cache- Pull some follow up man page fixes from upstream - Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does. - Use the right domain for AD site resolution - Related: rhbz#743503 - [RFE] sssd should support DNS sites- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin- Mass rebuild 2014-01-24- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed. - Fix a typo in the man page - Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain - Fix return value when searching for AD domain flat names - Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword. - Fix two memory leaks in the PAC responder (Related: rhbz#991065)- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup- Resolves: rhbz#1049533 - Group membership lookup issue- Mass rebuild 2013-12-27- Resolves: rhbz#894068 - sss_cache doesn't support subdomains- Re-initialize subdomains after provider startup - Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- The AD provider is able to resolve group memberships for groups with Global and Universal scope - Related: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog- Resolves: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog - Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"- Resolves: rhbz#1037936 - sssd_be crashes occasionally- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains- Resolves: rhbz#1033084 - sssd_be segfaults if empty grop is resolved using ad_matching_rule- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- Skip netgroups that don't provide well-formed triplets - Related: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 - Resolves: rhbz#991065- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash - Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 - Resolves: rhbz#991065 - Rebase SSSD to 1.11.0- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 - Resolves: rhbz#991065- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 - Related: rhbz#991065- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting- Apply several important fixes from upstream 1.10 branch - Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- Remove libcmocka dependency- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doensn't carry any older krb5-libs version- Enable hardened build for RHEL7- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath insted of mcachepath macro to be consistent with upsteam spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. - Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested tar get is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstreeam spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predicatable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. - Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. - Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. - Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. (Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)/bin/shuk1.16.2-13.el7_6.81.16.2-13.el7_6.8libsss_ipa.soselinux_childsssd-ipa-1.16.2COPYINGsssd-ipa.5.gzsssd-ipa.5.gzkeytabs/usr/lib64/sssd//usr/libexec/sssd//usr/share/licenses//usr/share/licenses/sssd-ipa-1.16.2//usr/share/man/man5//usr/share/man/uk/man5//var/lib/sss/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericdrpmxz2x86_64-redhat-linux-gnuELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=5dc3af1e1c89ab9a44fc64121f06add9e036acd3, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=348dc2cfb8d268dbb14d69248fe47d71b85f61e8, strippeddirectoryASCII texttroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, from Unix, max compression)troff or preprocessor input, UTF-8 Unicode text, with very long lines (gzip compressed data, from Unix, max compression)EEPR!RRRR$R RRGRRDR.R RRRRRR=R RR"R#R1R?RRR>RRRR RAR0R+RR R2RER(RRR/R R7R8R:R6R5R&R'R*R)R%R-R9RFRRRR;}+}W+$)bR*g L zآfLcR}vTӔKn+S7a1@1'Z^Rϖ[ IYs=Uv4X6֨ÇR@@UxHkNaֆ=S2K6>U(H[-dGRJbr l.Mr"瓦1ϞikH99J"pޞ()0yYYuַ{1Ƞg 0o: +nŌ4igBB B!I(]KPZ/uPpK ߍ5գ}3l#cS9>0r-5xPS3$~3]Qkf:_xEUL4[w f3FI ~ UkɗOR ޓCJBcX;ܜV=B8WND_QոU_~Cr\ÅD|亳Y0Q'6eU."d eC9RaGm!CmkS˪0>f͋xOGuIޞU \knl}DH%=*Nts5>2bͽ?|uJEYj{'Z8b2+\ie%g&Ea.N uh*2f%>6.{vHBOXo՟j/ }͔*%6BKW09zUՊ$$JJy î mX-[;܎ E M@_ÏmQq?B%/oL ÞcF6:;-y%q0,\£|{z 'RY ќN;$!ƆNՏ9lb%W8 ȗy!x@[T.id`t B:6W/&~%Իne[y~e\R~H ZYS^i3WQS!MbI+"IP_+ȥqOzϾV?KVŧg 8mՆh9hªD ?@YC_|>TD<-my ]ƥ[OYk,\ È.h*ŸřndnԴfؘޫMuW#S@@9Ie=@V> S]0՚hK'6*4YX&fS(" Vl 0W*3G!֢s̶?h9 ԥ²ld,A\Z` J$)N0+<Ád/{,{3 F5E%pFMhI,~yj 7UoQ_I4N,)Ȥ+M>yDg-vFe%:dI;1HJ530Đ4I7one6 '^Ij8DцĞϗ VZcdE6Z(^3G!MGZi9yUT?aJHk:= @\uC+qb9tEBɸ ~A >nE|mj]x/\Ji'M53zSTcF@p^v֝hn> A+bUSpCsp"(w&XIwv)W!oן-g &Z)Dl^z0]m wC\{Qh [#6u1ct텅^ݑpP'hyF9- ޵b8V">W!Jd7֞31 Ǚ&] yW (oŧB_x7 O/6ohy׭TNbri$) E&J˟I<#_ZmO;py1_7!yg%DiRGSuE* CaDNseD ] +GMmR<ԙ}woŠgXnQc޽O= 2Hx}#ie+~ny@]9E+?W-μ,ơqx;[ʫM1 ϩǐ/U\f!t^ehL9)N X1 mMbZD f2Xv6ͧtY@՜,mk (r ]G)VvF!Xu?YA/rL/uVDU|_[oqA; R$RC&gJ%/MI_Hder(;L(f֌$82*/}x$q֩'Fp+HUu͉A,M͑uTr,XkQ &@&0z[r P9DSL*}A)b(m:I1K-%K޴"fxK(잘Ҋ5FW8`|.OLH: >K ^W#8Էb+ x_?io Qޱ p-!+z-bC>+ZeNuP be;1d@6cRsRn9d Aw]]n_l \Ky>$$mK3Գ ̸0,84]!6R J`DB[5,y~u7J-bhl!6*9:Qչ̄|~F8|D4(jvx u4*D I\Q[}i81ƻcmh͑<,q~O`e\9duwG؉OEp54:k*H Kq4z{#pl%,]#h-_MVZA0*2{3ޅj#0)ͽY8yrڒS:~He!'G3~:f!x+g9~ăU~_v:Au@MD(ZA1!dؐ^L{qir*7@|&. k'6k6 o@. ?XWW[P!_^N\iiMo,ZV[ݫĽ?S t5f12O K6X7 /$*J|]3iacŸ^~qmfFDQgn> |e$UT9^Ŭe;CzY±kuu4^8gsxT#wQB*R*sV0Z  O \נ-e?rR[YDچ2΂Fm[pETt8 q6D˾MD6;>^OGC?'lƇoW٬{71aSCAN$j ۬;sP]׿[7ʷXT)UcB$dns 5DjL.bjʠpRIa(Ux:Ŏ9keɁA˜:gf$IE궮jp=FzeQv5;X|w\ýJk)(4.7L447+RhO( #ˆ)h$ zECNxIq-]_8luĿrS. n=;3r܄( PߕIp]X&q瞒쟅3?=DZzCS_zʘ-YfklXF2+RBCYB85u?sQJ,efv>K@lQ 5 H6ʇwa'F*N,BCNwژhr%0[#V5D3^*%/t$Q&ag=U5vF1ć^[?C㯩<.VW) ⣦ 17 7DMnQA8syA{ߘQ#@5 [({`pɓ/[ϵWQ^֊yNw+a%t k U_ÁrO9yKXR=idj.HgHI"Y1l&kмgY{Cܫkw<~'81X<ў=>ui 9? G>d$^.EiLܺ`"9D<9M$n؁)tjbJ^yT&l#`(ɕ13ܠN(X ςSIZr`!k&[07XaJK"!eOSAb/7- Ա^y$t]M6=41$YXT>N59p 9Ř,g!U"R춎UQ`IRHxT6Ѭъ&0^rZ.\WۨN#7Lx(FhcJ||itQR1`Q& \ʼǂ:US옎RQ,#Cgі\ze*rţ:$!\|'Ƥ:ưY=K^A‹A슃*a_7%'H 9.AL8lsR1zޢ-}j8v ح z^?2Ȉ$T)޾8Q%7clƷtjUqx⋇pc%0d>Y*>EHW^fYs}X]>K^EX%=&&b~J+g@+5 ^:Az?POuUځNb iygĺիnu RYbG@ -n+sg$G 5Y|ӳH4[H\-#iJɉtG/qҙ֝/ )K,Ü}m zfL)hJT9T R 7q8nB- n [=,s<:O{< i"1yWATOp~:k#Vo篣PT=; V;w~刋@Lz^cAg^Ԣ,y1pVņ u9״٤u'ث07ۼ|Õ2Z.Wgޛgx"dwi 3Aͤ~8cMU0IqjKrΟLNǺ}vx=֚Sc,5ȯ7uzkU}-7$soSگ'Dg8z*݄=Λ ": ژvWo.KKIl-̧B}PtHa],7\ 5rSгmRd17Z_ݕkN:(QjˠqQ<2-FMjGpXXCYN|96cn¬;K[Wgoz 1Cg4ZFι{t$ ; Hug">cl/oP>ablk#sp_q50\O7m#-JM}OFk 2:_G;P-јDuaǼT~$x(Fqcrj˥Vm=+hPT\ {pD? 'ioWM,@= ?NA1՚-a-ңFX~38-p9+%vͧҼIZb>*D8+D.&zDFzK>;CC \xnʦEDג*ٻjv|lЬ5Х`mY~'Y/g|7Y#xGu`t(-Tҿt$u`YVQ("4q005to4'\ڏC&DȠiPܬ0SB>ںiPxF{ W1\6CLR|ybF1ի;و$5WM}`GB+)8Z;*`g2}Fc7?_=0T:Zf*.m}F۴ CbyOLaV.yCy5;L9nv0哠d2q,B?rz(MN;&lk Xqu8D|d92KP\w sghdy 즠]4E!Zk@*xɤ|ggMUj< kAW٥ urR|U +͋7Y4^SQ2f~׈ɚ3Q.-iQ $Ά+j&)P]bcjst-7m&l߁SNLgMqLa>8C)ŹA=ӧFVB巅éa+7' ڑbqa}n&1̞ +y;,mTje?"?Q` "g|!?8ڃSr4~5JCBr 'y6ڵ~*ĥ6H-=Vdjsܥe.7#9M ׬)gudg*KRɓR|hKJd쎲+I(R>^M[ah ?j;^m''Z1v 1@6t㭞,X&Lհ X_Ƚ\IL#Od^G+3OXE{l#[Cg\VC/GQcxs;A$ΰeY"ݪ54{YR"}&݀Wڽ|DYGREJOY1)Njg_Ŵ Ob{ML4 JLpjF~$llH7)@eOPA7.۸-[bVU*P @һ m.3+?3OM-:uw f-LLeY!S_2Hcv{S@4y)y+z*q e?Ϡ(͇ k,4d }PϊerPAGNa5cbͣ V Cb "xWX<U?=hldq9ؿ+ڋ,1$2ԁ|ؘ{F $Ed.3ACS խFS[ roLEw&:z*ѓ٤#XsvHmD綰CB*.I11ḃK%a*L3(ba8!r%D?OY)")C:;,s#R*bcN u@4/釮]D8Hכ|r*Ҫ[@-Mļ zHS{r#Em*$AR0b3AkMlA}EnLȱZ-r=lsp<2a1 [ bCkc5@P`E0_Y#ܟ!.!,]2 mWD˘Of/lB''w[2!oZu̲qQkŬjVC)Nvvθ$.rt8f'i<c$o 6 r8ܕ]ȱѺsZ.Ѯ/h~F3W x| _Hܶl?ow쳎t/r8.7MΣ 3p* )}uV\>WOrά5ΒO]e6),AI/C^^I"xym]j5EMMzUnL2V V $8p/:[7;>]G^*;:_-N(X TvԦvmzMuH D %lxTvn΀8Gǻo= kz>yɔ>M įZ;~$R`"W3P&>TecI ڎ5o|+PH'JJ;%3>c=+L 5GurSy=r_T` Ǧw N饹N`TԚvS9r.])mߔ'E&=m(ݽҋ7ڞU4Qޭܾ] ބlD2n22FJ~eE#+\-/z8jpu4[ &}er*ͨ[S=Cao,pH~ܟN ZͲЭF($}c?9Q2c(:Pzj[tث1 eNcӣCo-I'd\˞a_'<}jv:<4m%nv۲Iנ[ xP)h[mT{ciNƚ?SA٘ޔfCP < z`ZciY72"`Lԍ1+sgGMi`W!d{KȓJ=F<AǟrgGB 12;?gmm3zp"9tj]8d h \O9?~~@ ,9_95a)?OQ0(rQ [0fŅ[QT 1$~$(.'4ZVØdԀ#Af|k j}cUr-tz|Ne91MyĘg3]x(LTNr/IXa*x\L5ܘH(y41DE3$2FE4oOQ6c7> _ly)j\=cxPzc1-PI ;y'L3"! 0b  PhʟVCy,GWl!-Y]X Y*oJ8h-‡9>YIt0ia%LƧ\r} .p啈l_o03^y4f+{I: YVN7~ƿzr 'Bb*uqM1ﵢݝȑWkĒZ:#(b4(R9zL,σLLeЊQfGljRn섇ctvP0p˝>~x;K%{[`'^\?4T#Ka0:s#*xzݭ`8yV;YLrbabغk+&SZ]AX  !m`PR.:X؉=լ>~~ )k[tŷCI;-lQB(o ҼtzxTwENp,7=Ycs8J|oe#?L@̾_H Sȫ@͌.$W`5u9>=I/G@jsxj32DZ5:uV]&~K.ҥ7+ Ɗ"9 ~<襏F`ʰi1 {/ZL`י/A&GSPҾ*,+[ZA/x%LQ҂P0_ qMd^yqXx P @Cb̷mϮ)NJVo  ZqDĊDZK"'_"lfnhceYhIt;5]HfV`SRNZbGra3{$YpIf4fdg[GtBsZEnpߺ 0vDR$7Ҿ y}DڀvCcYNnxw,wR|7cY^FǠxG3J[ʝ2‡B=ܩgm8B:.46NJ{/0iٲtV&6Hs4e8P</62<z3ъSj.i} O:m$(UwGYtJU'u 'Sļ?ʽPx0'3~=Ol2H]KDEӤ`e:2֖ra|#c)bO6sNgqzctBkv?݇Ǩど mMYI9T7T-l4||bv:Q[tLY'B~>YO'Ol!WH#y-GR&$W&MOx\9@<#J<&(jvYDN=`ʦ&OKܡ]*Z8jq=r7mt鞿t֦Wj5i?Q(c5?rEĽjz[6hҡ3(Bp#w礦Ax[EmR% y댇͇٠P@+S4iwֆprAd8b [/v%#[?S`ZIAaXN99rxw??S8֓1.<G+qaˡ0I9⢨KKp64:y|-Ob-귡@yc Jöm-r 6('ӷ/ ͭ.+98;DKG'c g6L_Wh3kd՘"urG Uj8 |<mrf B5aK>|ޛq\TDCA QtoLXw:Km ڹzt8 l|@$+"M1[&s+Tc!:Yh;K xiq)ѲnDPy nF 2KHr1/gu*;RnHd!r߯n^% gptMa/qp )@iu KпoRXSŭ)"=xN4Œ^%HDu/B*wy&g΍Aٝ; b`UEP~eGB E9 ӽSHr^(KiW,thlPe>&6[ȊQ7pI2F>=ٰFPA^IŰ?*j`[\J' o 褖*Ĝ?S5RYiAp?ӕJBH@49hG%BV0M60Mai ti?_jbR®YMx&&W~71s2e]e D*f&4dZm*_ת* 19Tt秊:A238> A{STd7^fܑ᦯&B>푖3UZ=ڒ˄W5$\w"]e -PLpɁjh?M6p^GOrDS8d'w#60ĩ*<= 3Y؏ L'ކ;ҿ^C{ptiegR'/!d!@Z$ctyEVSwz-Ye˚ $,j;9En^U{s Δv"mn%kSdB@RG3ɺv`U!G[y >M]w/ c )CXoY/Ѩ݅~Zc?|=) 0"rw`Um2Bz)x!頒Yƚ:-襜jOkM$1HaCƒsV9NE\zː{:D0|U@3qlpQ]>\+m*CuvKޔI}xS~J*5ߍ8:6K3ڄwĢQR-MlS&} ȾmƼ7"(|teuHX.}ch48/&D*.NUоķNikino&pڬtVRLҿmw?r! 5:"Ok[ֈNO`Lk!cI`#ID>u *bFX\/g|~r@!lxG|^GF Yկ+aoh+[1=mp5-MW&Hza@쎉 K"\@'sb4}˃n۲% %b)8j }y)  B>de| ~_br&`"sudn̛;'P ʋ/v-?zʎח'ik%DVtr Z&hc?Lh۲UwovUt|2PFuwrg|9>ȥY7`o/A9p d|i& 3 (P6Q4ֶ^a dn lT47𦯚]ߏ"]])z A,&!w e]OCU5O#^_ÙXa'e!0LPK-#ycD|Q"otm[R 1t qhȶ8&2Yٛn{2-v>M"q4Y(Z^䐛93^SJ7+ gsC9$ &B0(pc OZ}  0qa=V bM=|=uH։tEri)(vzI!(c'>b4YG,IK0fOX4oamF*0>n9ծ%܊6[k;F6a٨Q}d 4Oeҵ ŏ[DH7SIT`vbΰ|2.wn6+߅FZ 7zR∎+` _ߩgM<)DEb=?:PDf`M۪:=z'7E-fmbMdii(M=yVop/{/:=4~[^mo^ -x &ev/qo`.YV;Ҫ."%-C>sߛktf %h ,^nxrG= ֱOQCQMU(͵LUO78/u3C8oL'ƳV&=ҤDvĻDѯd8MG1REû3dgyEBG)%[Ğ8@POHO|N|}!Ä WN4H179 qPE̥\+:]IA`K6d(E 2e޿mH8P t8@#4pNeN~o Gbv8 gz&FTSg)QߕB[ AE0cFj)ѷxeoˈ:b4󇀐~4 oO7/L,jևVb2WN*@TW׿@т6A@LYz?YH2~zj,D+ mszxklFuJjA`)D^֞W𾟇AzCd)HffJr&Hn[}S*_Z2Do^%bq_Nxk@Ks4|8Spt/?w@g&{8p1H&zoQGNdЖZ/kO^.&nŠH6mD6|o$+859s @_N@}Vo.:[B3#T+|_ Cb. `|AJBɻ2ktbg Qk2Ҋՙ e@ؤDq1 7H툉A(DDƳv<^ ԓ'`U#NweJ$P\CL=XfABcmNkS2¥ { [y%v^DH_9lʞ 5Ŗ)"uJp6?d+t& }ɨۖF?(MS"X54ni Dt{Oh;1S1.yem WM|?K%]xWP:^#0GerBc.񌲟SHb,=$hVЄFˁ$2Y _y: *-;S}d:LquTχy&xo[> ;:P2W1-Q(!DZf0' y"K.ivXf)T՜3@2ItQo)gyVtȨO{X92#}+tΔ!-'}Wl|yH>,yi┵'K]H φ{Quw+x'Flk\XsfdeQu'E|+-Wl 64W{g! LdY؉MLrkVc+*8jT(㙑zγo br;h]@.AJ0eB+bG"Y"7\rV].+IigK*`9GRaň[e;iw1l5O#bS5y%$~J *cT+[ۻ>߂|lLkRGq̯yiFVvY1Tk0QDRpf !e+-wq[?"Ź虥3ǫJW=cc, /. ߯3r֎"&LZ˪AmEX~?m`Hv}u Fid4(MLVSf0bI9Jfh[L>1td)A)g}'#uusͷ(+BN.Qu=ryCA81m'ǚ#N}9uPv3姥l6Uk5Gl,k䇊@}=&* X7տI?5%{14?,NBV%ma!MFMv3L{ųh;5Rcz;^W#]\o CHb% J,on6H qh9^OZ|`AF[E0k+,(MUp gPҼlE9'Ea׸Ke^Xyh[ݔކ5-02$<  }''A]be:lO6~(6Aa/M5@vQ 9w0)΋8sx|x `':"@J@7|ڇC(])C;G0u2؎YT!l%<ǡrDRs:w LqWȍA T:0o=ӔJ"g%uQ\ lC]̈0؅Yg$EʡXU_҂{ ~e<އEX PvvYHլVR :2(pguj?#lO)"+& $b-jf<(-E4X>C')oJ&S=G0%}%/-S=n@/]hvoiv$h!X)j63謏4j/W臅䠟9>BTg4h疳ߏ:_2?tyEDfrPGPk\ 5 9cWANr6MN{U7iΆҌ/#%e]:p 8jv3NnJ'l:=aS$klV.I~QԓVifۚc:-;5sQ;y5$P2|6ŷ'zQyc@c ϋ$鈛2Z1ig7^c_O6/G_d Cܔ6ζH|l%XSްGlu x HR:6slƓמ_pew 7tE7n^Bi%MhII+} ǔ0hAIdLR@rRz;7P-_w{ SoZp_ OwoqV;ВϨ$m2P|VܰŅq>O=tE3R}Yyyp .3.yz)PmKj<9B]dSDܮװ-(lGܡ*!CцoNM(tہ̀/I!Ⅼb HY#@^qR[m uuk|$0ycNbIa9UbL*Qn8e蛎Ǣ{V& rwRVJơE歨 !lkx*Vœ㵄U&/RF^5oeXWִQhE;vtk&9tәH /bvDHP8?ta'vc?hc b jpkzk/ E9;d$G#<4}MP}AΘExUkgf Qre \l[0.PMTz S.P-|\5O&>3g<vOH!,W/:M8?[,ku;S&d.΄'ܿRWHVd!qMVUݤ@ҭDY_N|1X*vG8pFiӪQQKALG<4L 1lS0*(PF8 lۈ4IzȜcS32SR1ϩ7m9U-UDInKaO&"ץN2T\Z^_>=%|y^t; "zfM.Yxv*t<sL:my#Ƙ7{& aN$ 4hPOB24 jeb^N&{i*sfr䯂f1~RS7=C g=b%Ns׵lo)C@/TZfEHo?nRRwy~Xe#E7P pLyY!@QBY: &|u] D+;}%3H1)m_U'"aծf5LB!A8Nbڎb ]W4:1ìge*3OC3)_7A)[}(ggT:'7*c\4ME%VkےoƯә Wѥ[}M Fu,FߡQ>Th 迿jo6 WVJy$yzĞ(i:x/,w;2﬷MP`LW3 @7i>o~أu zҮgs!Ѕք QfJ/Kz+o hXr/0Sa_ |&p2c;6n~@ɰؗP\ǘD zN$ 3Ή!jwVꍟi"UrI/N*yfBnԕ7f%g.#al=Or%e߾=nMùq-O%%X%${3ޡSU3?̨yM4}VӃR`tBpz1M%8)n!Ae\Rcyha$$nt5FtTszغyyƺpyzҸ?hom6tҠ;-WlX-uV\]uґOV/^E@q_Moi0A OH##.rl[N/6'D{V1<öij h +%ıKWם`=G-Kl%!Lъ6;>}>կ!'+JѺ> ͢#Q{ѓe5x[/7G&in|kҿħjpe▾zϾ n$5kQ/j@VTٟ vc+Р+g|j 6ZWohK|#9m5>H#a=Y,J*L>hBJ2Q-14 aCtj߿t#~6i/-..ĚAklk){2W gMw iH3V='@$#cU5,mx vw14$]EÚ}2gEfoqa&Op+zOaE;Hr\,ItJSwTheʪҜ BT)gBn_*T5>qh)-_"*\浌t8jiW0 Z@Ѩ;t'?/v4}Е(+޵ ;Fե._~ g轂{൸$Zw_/ 8M:`~Y1Ss3YK@bg[ ݞG+]Ca00vYjr4;wr G/ޡ :@LRDl=HoSMlv ݕoP}7 ~ J0=`$񌷛VJHbڤԣ5щfs8n>m2Խkhj>1C]G~gc gXL98_rEU\-UkN$x{ds ͑xUJHўYNqPt/& 5>$SOk/ߧPXcMY*zVE2 ,Uj?bzK/`dҳ k8Cs@CMRg 闁`a\V#2.TYB@rԐF-Ck96Ն[p*E]mdk*MТ\i8b^K2+u;)xj`oB\Y,f zd:ƞ>I *>!^h3giBpd2ŵ(LF?VDL$שu6*|BfOPm,(h3]1\߫ȔIa$bء⯶#ojֶV1w43@0ړ:kDH*̽v(SFHI^C6k4vTuoTkE^&> %u"=08S"lJdHU`[mD3 Ԛ2Wv|_?xss)66U #T;!,#h^Wc^{}CI;Ӻ`2!䌠x]p*,&ѡxZ,N K^l p}KùL騔v; "s|ZzP '~OmqI͓'.ƱOH]o9Kv$21#Vz?lKBτ;sY0x@6 O5U߀H^YwuxrS~k"2h4g]DŽX37閈%J'!W¢fJπs>ua*}JS`ۦqp`nex1 b)"+M\>d+_9`GHb=_pc>̻1^O,#ў1Bed9oqڗ˶DP+v\$t&Js &5`PRFM"ǩ#r>`P 2f/ Y;WxĹ܅7Qd}>iWr䑟mﶴ|{wD&/ ,ti结ϛufDU4!Rh `$i~xj%y)d8U3z+T0Tf'Pgx 5eJX!H2{ lG\IiK#mDA7so|#ȶ;p)k-Uy;~ )JV$#fzEX lywm3z[$7LIw;PC _GZg(3r{VT̲_wN)n'^NnfBEÜ@fpzFk٪c]E$Dw=Ov~L.k"m|ɟ M+*8Z/I2X{r$]$YEy OM&Zow_w p##fOFW;g qYe"ƀ ? x>0 {g R_j!d=o3Hs: "mk|H^컖|1ܙ@>|.ct}G) N|WXzZaB*%\@W%&)45R{+<&;hM`G`" r1aB0mFYk->[e7=k3[mmd9}ݟ~Θ4K#r^#0y_m9mbI<%pdM'Q_}ʊ5f̌7UVRnSZjvQZW-LY{ Yn֑^ "K2ڨ zwS978GWolm+D E~)q{J.VJWq Hm gfȊ# ZPCu|L*@EͼRfw1 ~A,[, zd EeL]WMc^xO+_J\$鏑 RPb2A>BR5RLLꞸ st, tXaUu|L9nYiYCt"&,/[󾬨l}7KI_ҩC7cť&eXe`dGR |&WAŷNQw+K/(Ws8V^䦫8juDcz\o7%9JwiV#1;D|e(z,4{ ׼ r?\mdk#&CZ1ƘQcNQ*z#i 8Hn*)m$VeS>9D}!KtqQC ֫3N]c'h߷qdSC}vAge [<Yv1{U6L*u&C_*d+ɲAPK3SoVd{~`;oi4ybʶ%"jkl!I,Ry1£uqn "Fݸ MPTtF SLb}nI2@JU#pȉb[$ԪVF^ޣHfi~5N_3oEmwp<$R Έi4`hE~3 [> >'2`r,gnASa|` "bIX2XфWk SC-mTzzQdkoE6Bn b25geVbfL{h [m'WKk:܊0) ieȦIfs8{ .6T[曯3Ĥ%b)kY` P+jTK .ԲD)3HNczåb@5rۋcƣ5, 6pDJ\}:*Wтs^6g pqE@wxҴno"su!x z\U735,1IBKŦ}8fF3\VN!T€p4r Sb-u[o2Si1A4_lmqIVs^c3?zRCf /\4Lt  :z$M]ǷpyCY#gp݊B7(\9,yR=ㄌTK$M ۝s_G7C'Yn0k/Om$ТfFdy[*ߡͮD<2#:T+%XM֦҄;45&iKU15JSŹRA' 7^+--HOYD)rq"ƞFk'Ϧ)dzZzxfޫ*ZT[vJ InYMP\o}â2¨D ewf[(\VYPrlGϏ=~>_[[v'>hrPPg4"N/_ y!`JWuX`]"&/OG=CIRIQz]}|x|)X[S" /$*X(O,ⰽ 2VRZA80Z(h#L嫏o?,٨zbZBIvcF(a fni#W@^/"_;T1pJj1sr \j{Mρ^zZY!p>_: rp+HA,F-Px2!ޜ39OyV#9L08=Z؂643=A9^jcg/Q>'||ũx:EV@ГZ=0P bFUsZIU" Oeܬj3r7A_^C&3;W7sb`lG|bcB-9K7pZBoݰ2"\~5'3"\/}X'\;RXe8g T.8Sݛ<|u^rӳ=& 3tVm3(+0}p*}ͳ3Zndt.Aq祒6Rq_zIw]~4~0Ybxb7d:f_$9R:b8xm_ 1^h+(Dq|*&_0m.U׹,P<=MR$8Z؏ƻmwe?v,\dqm~(w2YA~ 9l?7P N]hl/( sLxF\RLR3#aA1G d ֨83;J N?0N%AM^saO zԑFX r^vYB 9 ے#JB:zFHߒ7Ly׸hovO]l'~F!ahaCaiPi|/T\!YbZW&\rVYٝUG䛹,b m|D=7yhSL U(7'B`o@>~CeS?37mG ŵyz2!`FM5҆x+oGYgxijw>eOSrĤ}O8ZV Y%?v* IV.V}C]!6„kO«lAĿCi`c5{-7w_mJ2翋:'`]s[!iF`IomrǓ3/W +8R}ٰކz.YB81Sq~OÜ`Dqk&QYwhMugID+e›A]!{vP56w-&+^j#)c#C5N#!unWRBN? -.5i(IpF^Xawc8Э5/8|˭*˪3EaϾ7mY@8+ {slh2H:mK@vf gi+ \[CҔRhe4)rkϻdvZdI'&Z;#\>U'@s2=9R"͌ksk)A"Eje@<@.)f#݈&VXxn2|x7.Dg{igBv/dܖNS\ 7Vy *u^._$#; [|Tr7oY 7XQaH-{ Ցi*#$76 Ȁ̵uk獏{tJ,P|+c<(Z^-и(L zdNR~ uHx ,AV*58*;6@!y[ƪVVxb )íZ2g99 ma!c0&#!Mig,SI@4qui(i+kǦ7wu]&sVsMi'iuRz^Ǯ1cnHw,]!NOw#H//H&U-Ưg8{k7?T>BL8 ͳ+fW&cտj]&x2\h% w+)I8z'y-ShQ*{|('|j -,Z)uT<Zw[XO=#- ;ɏ%8N_ v[` .7B~3sˣ`2K(c(ƗZZup:l[y[J4+P"HwW2IǗ{3%wDB6݂t=l!Cw4pw똹 m$꺌]y-ݯk\8CJ5K"I)X*fٴUhd9XL$X1͏{Ɉ18e5AvlB^$&D\N;bo5:J{l%lOx5QԤ^Jze\z$c4ByH ԷYG%s0>H2;~3<3 #}q?60O@Tmpr98"t&{G OԜ5ш|v?Yg63c5q{ S4eĈB&쐐~ڗ(O?>]u}I\<0Xe]*`e (8t՗LA2wnHsu *`c8PgHzq~[>A*ptuz2rB _~2?}䞴r m#kh{u`(4Dvyn>3 3tÚ["'"TKa&#A? i#SwJakL6hKt8euyulY%do1Pg [ՋjggT]W^1RNAI*kȇH$uq*B˽.d ]yL3rq%ZPzƸy r k"֤\=#{X2g jyط/t T #qӤC̥ݑvߋqA-[w\Fd~k|ݦ* H-)ԭ`LX6%2^\dQ]}LFBG M0GÏ}(ۋePlj0iG@>CJV[zDN[l1˿xԮ'v)C\ ^gD ʕQ7MBi-y@g s1K勣|` FWLc'ehURI\<[f xʕ+,C]zG[]m ɐ@Rv"<7D ] I{s^pt*+)ac{,qJԋjcإ>_nٲ]xkWAwƏ܀oS@M"m殑\Ԓ.%H> bz5.RBԡ8IJ:C'Veq[[ H)%?7;qs lϡYAiݗBAMҿ0x$LL zC5=V"l?C] Q8۲T$,kWM+$<_gQ{OXZd,+$Evn&˜+&=v#Kuy顮)*iش UEN%O_3N-%vKw#WcA71_/ſ_$)X#BҜ.O`h j+'RԹ>,D=wí]O +Fr aڳ\L{g  k;Ngkche`̲8)o0#[-HU}Mgw_tET-YeN=F>XMיqN)(Q5+D:eMJEd(L?Y²3O3x^a&kC}ʲQVA[~z$ :)pQK:7|e q)NmD=NHz-S .Hfа,:Ȁj$YkT9%^iQJ3jf0?gqݬC5f]R5[\ kfl#c+jzed9ꗋ溈@"A>Npb\{z6dwD4:-<`Jͤ_@BFJZ(rRUmho7 ͻ՞X}YܨB5eшuiH%xTƄ ;wP9#H;Llߎ[}v DLP¤WE${bCG)J:J5mwQKHfieFdl82 ^qEIl% ҹ>^Uυ{)3b|': c"o:rPʊ@:ݒbKQ3A\pEUeBbJvQQ 420|ڎ[^~gs/+9Am|l!ǼS^;s5/@XE$&vG7*ҢCz%qTxTZQ\!v:,,V0&yc$8F6FR+-ei)J~؍=pt:A +6 zW.Ȋ,fo)3N~ g&M8R] 4G@H:5l7)gNiLtT6_b%fS%< 3jAART[xM⧖Aμk-3MI>HZPA hSNHy)n(2GeNC Ϻv\/k8=a[oh;=돪ݽ AȋJ^5Hi| |)PCE!4¬0' kl9}@j?Yh-hɿt9GL%.$"rNZר%ޯJ[o3a\@'YyϾ]׾4w{B)o| |5hO!yGt3ti)ߎ*}TML6kHT[<{ jd'Rx.ˍ,b/mK[nƥ=7m3UnUPF84'pd7} gGZ^btJ7ݜÀ'7Uv\I&\Pom*S$=}u㚦#OS `DпRc8JWcݏAhTAZ5FQl NlVaB[|Xzb#"&ΜrCId5S~L0C˳( GI`v6yhӎݤz4wKsRAçCHx!: y@CfHҤ+覇9G"~dҶOf#Z\kBcDžYЯ7bG<6=YzXâT\3\x䍋Q~M_d4 %4M X9%d춆*N1.9<#A,Iim eK}d rz[{.ea 5q2j>7|u! x"l\&}&%Ym_{" ?UR*F#bEוC Spq!{K|ibW31BjFaX ֭Wھb 0 DC6J@F}׈H\q]B1qLsP{g;|Y>Zn&` 1^?2o +p#ꍊh[z!״ҔǨ]z:082L;IQ kL/#Z̫>b0xq޳ll,b.2Y] ]ͭMO=lA)ufK n =Jp+rF.GHƒSe0@& _ֶ⋼~v2Ұ"[04ƪGDF4Jzʭh;\J׉Bְ06 w\Qay8.B*o;1$bM7`&&<ƕd-ƛQ7b$1qq,XǬX\ kv`e3.Kڳb1ळ+UIKH[;r1D]M2d35j MC(7@@5uGԮ-uEAXBʟMa'Ӵpf AdNaݦk&*>|r0}>e@Zmho*ծzp>zܫ6ǨtPFc51!SDn!6OYXuCIn *=#Y᳠3G[fݓ\92~^l+Ctɞzx7eHL(+~@s mwlJ*1w>O@xğmњCk]Ε[FW Pԏ2/5[E|uMlgT'"n:pGPQo>9»ǁ2։`-36P웻 ^Z"{qwРt{rku\EeҼ=4XUSVԈjC+1԰;-K{R^y30,D5]WN=2&.pA13ۙi!cCPUTpa eܶދ-u#o.b 3Yajbݯpvu^^{??M&-Լb k215R΍'&{Dn7pY1 2^UTrP%qwl)m'Hbnj/rz;Zxc&ilA3ꗾ:J ɓBt?n$ex12^|sAv1c )=`ݷSK}J`Lac+a&pQ! w|ОX-9SSL!uhJ>7$e'бBl>TG!TYPi\-HX~$y}(7蠂X7j ߗ@D3B&ԺG* 7(CuOL~;2'?l-vHlfN9ojGCA0@˴|\Lg?G_U }W!p;_&o^R'"I 0 5ߛsY}aquAVh44T؇g2ܱu}V (XaEiP8ܼOrg06NeGO5ߣhZT3"1pz< 3BYN d0#}Le$2B8ПyB9lYqvvR\PAO,"& '2vz.g`Krm!DdM-m5҇p8fe8CIOl/Fb^6,݆/$yOS=| {+1m?f4SFk 4wy|?OR%PߕԬ\a'HW>ۈ͏),[?;Ĝ3EoLy! 'FNĜ HR7@jZ뾗GsU-\ Twa?C92Z-/p*1} F2Ě=R < YLJteYn[ tSW&е(r)sGrOBbmW /ᒍedw(4j5UlÅ1c3&$ĀB.\QڃR Lb_Ng*i Zp[YLgx+bՁ>+9Gv96B'| ^+^U!~8!{ "r͏(w'W-{\% ^聏dN#R_d*Ṃ͌_dc6'm$ 9cseJMY(6|1H.;g2ΰ$?(Y0蒔%>uewaKM,/ cj.ZB?&sN JDvG`DnV{=% pTQEf씬Kyjn 'q#앎ՉhՎ+Yǭǁ] ﭦ* jcrup0t=`9< eKyb8LqCڪ_s$$X); /#MO5wNÿ] 8ܩA d \ԯaBFRCD*R;%(q{=0bײ|e_(')tO 7ߥ28=/VagV0!a_~/P}\pe%=iFS4{z,Lijd[y. mH t{^\X\pDsh7ؙE MYjwbH'Li9e ]&/13 e+s,15W2u \EM2I=o 7>'0=8bT@QK$ȥpJK*H)D_ J>V6'aMgeX~9 xYb OugZsIx7QM-/6hGPAl[i7l3dֲWq0J0GX&AC 9hйmФnp";uBK `[Ÿ6Bn—og=`P? |g$|+)4L=v:[kL>D*hpS]!PDjszthkw{,9R{*DdLas0#A8wE\yP]-hõ{qJZ,Q,J B]Z BA}oϩhGaQJ0{4 YѳU%:lHM+h`Ht3:?doy><\: e7W=zOA稼ɗ8b*% 4FjǪ پ\NNc)^2U9y1GRY1Oreэ񊳹\z-ܫEjFA4Ԙk]9 ܲ.u.`_ . U[Zfd3!R*XfNcd8P_ɠi_.o 85xPP5_Q9! D4xsM<ը[%3|O:Q蘦>^b[{7 U`{R@4`G&W>e^Oذi zx߆ u0wX-gtnmg8(:SQ\ٞ_aH=TxA*ףG+ (ogY-\#O23)eXѬާKުݤVGXOkJXNώu3 yTO ȗO5W8 J*6c Ѓp_#mMB3qap@U=P$a|CxEHdU, %i=zG DHS7Rk"}c%qO|)%{mEWw.BO88|hcL^hUZxh״9-e)uw!FZĺۈ S죓Gjy*HfA匟z#HtW2)1[ziN6_s+!Whs%hTc-䆧k44h&ʹm,M9:ѯa :2r3tl(㥥pz|aE")iU(?Rl弰,"}.fWBQ{ ʷ[soS>ꯁJ~l 6'nb>r!^0:KOP_U;N|X;˞c#u+KFaY?DyFvJCGL2bwm_,df߃ddw֊ ;<U\ej.M&#YXMl5t/xޙf{J5i@tv[sBxISmøFS(P1I311xr<mw5̸O} NP~wAoAFR0F:dO>DH9fMy%8Iq`J[=Ý{hLn[nf~Ľ[}ox&NF yp?_aaJz53ZSKKLmG!&?wLGLw; Y3b[iOdիɓa^}K:oFiMNk noVA`^G6K١?o f)%_QLAOΉ[wMRģ'B}aXmɒ (2фAb9jmYBª]dqDٽZbNmlQCm%&g0UO|@imSXȞg,/,4L|TGPH7G7Bp7ɕV ~i%ڐ<3-WȬrdatmUߺBՍeofc#>3?,ܪuA.V,=`Rvu7ކmRd7]& $<:gwnN}Vp}ܪS}e (vRgaRu0hjEL=ɐSUܞV,!T`$7dZ!qSUߕ.NM1Tw>VVZIɦoqHCCqD]C]Vτ6H'e8 ~v:2:.R2 h X S8Fqek&3 PKP?5)N s *>ExQ]ob0DXZ e}&pfD\:]gDL}[Vyd\ӥ R9W&Bʛ٫}>=+kso'þRg՛v7CY[Cab"GkKz)Ko,98^ !#+$ocێzFX3*e䒊Mہ!:Sʛeݢ#d\*0<6ge}Q +js%;-Lń)ox!]+ j/V7  ْa]1)&k{4Τ.8_ei]٩zn30g/hc/oޟ*, <TC>%D$9`kwɤJ0ܼ{-:U:Ș}ؤ2|%v#k#))~aF G¬͢5-C7o஧En!^5NΥdϫFjڛ-AhHu@]XJ **$Óֹ r7 i\B'B5~z™xoT((1mX)'+Ҏ:zM2rI]rS5RjD(CxioywUlM;>?|FMgiԉUBLz%mHXGs6~8:FoQaS#D\\HV<@{w*F@±@Jmܜ{y?*PZKkl R`^  B`fYRlk_BF?@?c|xJDrp.cѵC@ok] m8Kc;]Æ$~#z`ȗڀڃ.3,Z%Q{MrݦSV#gt:wbUKFf4iId#-B. ܈:HX31ʀujFG0?mpk:({5_{mqb-H7@yO0UѸx KVEJl^k2Iϊ{Bo>_Ss(Zne_tP N]ÇT́#wx9q^B; BgjizIU =E3W2L|NI.pgzΛH߲n$DyBd+ pO H$g^̀n{Ƣ;VXk4~5(#1 ܿaR/5 _Z~ۘ u5&(DoU &F_F-q#z#M`jAL8JMe /FHTi8x-' :}tT cWfؗn&q ڶ`IwSW<v &o>c/X^!@puk^' WD1'}B3bC"D1ɬf!UOs`)[G,Pon/Mī40[k.{p+ ,&_.Gu'uh)j'5ŧȕƎKopRb7E0*z푯UgmglʙnoU';_X-"Htn\Fpu]IFaW禤|YMk#潺bߵ泡 KLCm$.n\]I6b$I<#ˆ=М0TMt{k!܊^WΩm+rwdP_ W1Ćdb؂& a,rF%M3c &QJ`cDߙ)W"qs6pl!tPbg(Ϣ}v&DsWO9?W3W$6]qqvkSMgG9}g!lvιymf/*OS+K !ZU7ChSFh%rǟerD!alʐ }3͸/GZ``"ڌ[$o|sR Ґh6HqMcK@厊{}$H`jnPuR"xQ_"ꆮ dsM1鷴/ԵF#!5&NXbmoOT}yɺ%kxzMOYqfp'_fTc qWyqyVf9bp#ħ4H'3Y~8Ť'ݎH,m|>7găz} g2w}<}72" fdT[_=~yBxFֳzǑ^0NEJ?ъhfM)GKRõe P(k()Q|Y 4uTbGG?mOF Y~w$& Ýg-<@γ*C=$xri ƽreHdzqi7gjKv F@3T%ϖ> (: 15kӞS@#ڶ B&6wd{5cǘ>p pk?bb,Ap@4 M5m |1 ]( sf LZVa靖tkb*R[N2A2֜wU!}qs$~K'[߀ܺq Lk+mi&-ϷK$q| 5__ IP!(S%b OuA;Z?\+( >@$Uc( ,;rCفz{x1zDBTWdl,>hل]{ۤ fTXxN zq'*NBS9aSg+(*m?WzQj7lכ)H>juK\_:Uۙ2G 1 HQp,M>N#b^1(LJ9[ ~~Dz],h@ 0[ch 7duǯ):K]([r4㺥K\SyPVۺIc/RρM$e$o^EE@nKY.<<˴FI>)H- M8 b_XNmл3anzcnZ'zRZ;)@v=<^5TVTAS>-#K`x};2ҕ?~)CuS~O gc,:_뱸zt-M7m])Q :K m~8G7| |LuY{}(C8ZŶH2J({Y lO]v] Nڋ1Т^ @CGLPd➙&x񊷬KYl67, TP'\,a.VgϳzDaMSo͈'O{U!oQ,{bu=nʥ]Z3[1)a v1 g[-ep O(֚teYcMn,Ͽxͫ|'pTJG/& ߰PW*)MuzXʛP>ӻ-8>WuF+U(.Y`*V)fSw`LE#b5Jy/o: !ۥOZs"y%`_ΔGwLpx(DOOjBΚ2I4W`Lv.U jeaK]kqbA!ǧ%֯&c 84azP)7$d؅׺vp!l}4YِK5 chqqCToW9)[|u At})E}9a&Kz2[#`-ťՉrTnL %u Y|ZW\+SGOTpQR[pgmyNU#*-3f5HKٱ%SWÈ|r$K){Ϧf#?+1@zK4j_ͭ^>.S҇)ʝU{AyJ:,Um.-1qf[t]/z1!C {6]<h3DP3rgcZ !լLT Iu6Wv!Ɇ5 $ݥ.#<|\iX4?kdӬn`v&ZM@*tCg57lߞqa0?pkkN Fn$}:(c2MN&Q,1rFҜ%κ]65m!CB9IU;KPBզtf_a 1(UZyn6ޕ 1:<")IC^$\ -JTaIp@/șfU\jHs`gSȫh6ҐQ $(LҌ1$Q'ˁV#wPY2UX_JI>hd;9> WBJ~k +q%-_qrzFp7)= 9Mg,I"?j- ]N)p@ޜa \QvEb[_k"@F̚9Eu%0ҿ2twz VWBh3JQBϘ>$U?Ffw?*oߙ:/ Ji!  zP[gH ?3DX\ =N˱7}FY1Fq+)Fz^LcG獥a íCYBᜨ8z&.)|$h[Mt8@SxvѦ\O4Mݳjb7CjM& }qh6XGDx[/ˠ䴁N\~eᑄaf"\*31Tg>=P;x @ZJ[8:S]Xi{'z4,wapHAR_j(2IK~az8XJ? ֗ݐKNaeުʋ ˆ_j,K]zϫ`LMd;_7`" &u˧QIJbL{8T3/&? oIɯ –rg_uzŞ~$@MӪE (q f2q\1h8MR-1Cx l(M|Tषo|!KK-N$n|R~' ;9Ҕ(r&~v1Iw9j$&+-#_ W,Zvoࡍ[y|>\vΡC-RņCf~KW.bIx3um`vo"o*冟z9./gtswis-uۭCƻ@Pοc=VΊ2B漮3hvh|:׊Ze[k#:m&X HH7ۧܮy @kp$ qq˾G爎5݊yף-82Tʢ5brN C&v42 nWa 9y<7舥zŹwn|f v^HϦm 0Dj "4 $<>̹H=|)EӈC]pGZ?]|2Mi"7izaYZ[0D,ۤX:8m;us<@/^mu&`Ki2J[$Ȓ `/3>,i eCx(F?C`Wo /(կq\Gq\-|Ʊ #4$O=G)֎r|" 80$1΍шeHqj9yԪW|8R/]X*"8Q2qϙFmMc@!' ƥ»U>(L Ug# BH !R򈖛L+9{^#TH{Eyctȝ fb_eKpB)Ϝ͓ H:R4*MǷ,J", CL :_=Wv^MҎx2.-3m~A*GH ZY,0Jvd Ь27YUf䲜/H`0[hSri a"r2$R18K+m #e E~~-壹,Ѻ{Ao+2n@lN 0􅘣]{X`#T'ձq n'7s&!0ua=B&h//m-Ѭ3TlM&xBز@<_}#=-]Йe+m-Ѭ7BOZ.E,: Z]2gߟd\X.+{_5l)9 3:A~(K$}\J{p)X[8eԋ^nXH$?]=_;yGoekP~tё48 Vb’,/Cgj7V1t/I~} m#cB߹]mBOFP9|> moM<)q}pߚB!yԛ^4?]v9)c7H*f]gsoDPŏڤ9_Lk;Ӏy^ldRTe ^5`wamODP#c3)13P$duPtu|AePyk9\nIXC!/s4/0O(# jۋt B#D 0. 3ruCи-#鰯@|<~ԣVYd*"+0]LJ۾- ahܱIȑ́:x^x01./]X8{/Wü9mn P힓=᫆8"vH/9NJYǠܹ0ˮEx^JĮ0؞ I4 7n*THU =t/Q:ȠN󻦙8VSk4|FA}Xk|@]#nw܊O9zYOAR2Wk/X([9 ׿q(󤣒XcMǴ/YonxQO2 AZNPJo 3އ#T֠ս D6 t}7?_R.o%7T(KN~S] W~/|q*12|'S-s-9` j;H={;/bK%'4]_hϫH+^q Yj>\+af)8T E԰8'XTQ3 OU9tz 7fhN`G=uEjsm*m-C18م{&9D޵j'Wrb9)Ƞ`x9wcxLi-t)Oir X0K2x*{~NnW"eMPY%r eոiBJ4ҟ0f3-$k%Sʈ_0V⟷(2^ՕD# GԃB9O+H}``/hp.^9A%1QC<^$c#}#J}}K  B$P3BBF.sqHgAy96zx&B' N?&y 0E W[8ȝ0m ACi6" :J'3QطyAqaHxb9mK?|Z`q{v\Yχ̖Y5bhB }S n f\N˓uCKaҥ\E}kvr4щ͝1YQ}є5a3* :1,"yT1:3;`,UwdpءkZTʲGlVWn$̋:X&M : ׯ|G|(Zށ73@W%wO9qEǒhnUUVr:& xWQLt,gt b5VTںrYԨs!zq`Wxl]3.$&1>.]|3p/ fg6󻒁mS hϲ[s; jZsbcVցk;9岪rC: 71K69#J;;+{w(J-wiE&R*xjˠʱMaBu+$ù/_oYABKrJIip**D:ygѝgˆ PػRՂ)>M 䅬ӎ9lЩooS&R^4gJ;!@ʙ" UJ%_4Bsυ\JmP+ p!prrMi4WJv<KJckyUqv}Xd U;2ԶCV ƙ[L,Om-п1"{!LSﺭ^t~+ P"lC(gt5YB?0ԉ5]YJ[LNz^0ks_GA5A :7mhhEh,c5kb*/-4de{3/7=c"Juhs)1FJ@M{2jU* (6qC\;,`I`RY,u؞^5n㸰! Pv*'T$k iәOgR$v}lgqd-{#َaYwDkzp(۪t2;f|.5[,)bfSȪ7ROd0uI1?Kh/V'$6(mʵOҵQDJprh_S+|0<~n43 kC3ίҋip7cF朗9}.iL w;dU5+ϪuWHeAShd8 WOgeu ĀXޱ2Ii ` 4$pU fqŅ&BJb5UJpŎQ!Ahd `@_܁\Ϳ 7i+g{lMOD0oL66rcx92RY( VHʹ m|\:?"˃˱b 1Ç{sZa*{8IeNnfC,0|]:8cIvLpevt T ঃܿRaҘ/"Nsu6zY'Uu\@A H~4 @{"@̤]]mTwift.PiE`jFkePkb8_[bu|x<%Z݌B^.ⴊgfn]_ҌM*ʏ3b%]H^aOה'!)A%i D]@lr5@A5Fڛc@H{wJ+<2<`]c+n` Ⱦjo»[+q`"D5g"GxZ,f@757@2ݜ!KwZX.41xwn9̍F,3 47 [dba_===J:]X8A;D 0kvʖXLA  A[b汿k\\lF0OvQpLz;6t (`=j$"Y8@j?Ʌעlt˽*CN'@SPPk.w띪q l VkJ'K,T#sH ؘ#w$sż}5 nl&;%+g[0r/%ӫ!m' ŠbO$s TrVh0"^_y&4ʯ)iԁY?7֮ RKrkQ]pCo0 ˟x(b گQƻVQ%(ޗwkϭWVIrRe˪ ~nxǤp ?RbIQ=H|N47?H22Bac>ɂ;4Ok}KCiov\ _C6=<?F>w-*s[>;@S2yW>?`U&J4CBmv-Ͽmp0BMpyyкD76ZEj칹2cݏoUG̢5rLp޽`^-sǺ@iD`_ :0aAD)/u9#H48VwlhtLz <@4ˢƽ-þ@( sN^P <4n:\MKGr8C 6yb9yc>Vɕ_> a!4U¶}.O$S`f`TI_T1` eL/_PK{b:}k/O=~3+G՜Nx)"/,L6,9D{ߟZO!-?@U^Uж ZȠP_oUs5x>mϬ >?0cؕ~Mm$["0nU*۸FwJ Wu^}lvƗ<\T=Lh~#Zo.ڲƻ-H7yFǎ2%g*`|=g/SfAz<꟯eNJ{{g?ܥp.VU,QY"/בW1I_z ºՐ@@$a,&8*)72[Oyv6?%F9:PBt],z$s>uLlW2^!6 rd\ Q3&c`})R^b3:$>-&ߞF較XGv,2ȠLJݢ,]_W Z x>׃qs4 >m퇮a`h[84ۿIn&p[1,,DuZu>A{a%lYl$1@AP^ (t ʠ}V{ 83zGPa5.3(FeRc/蘚Sѹ5^;‘*ͻ~PbaTu?ʚ 7jmǤ%ut(FJ8/"aٵ&06n"Ǟ{cwy: 鬉^} n*D2E?4u^!-X+ÕR&bn8_D" .ׅMؤM&7Sjݩw Aoo8 [M]R}%ު(/#-_g`x~\:S~2#8И ac"cfѸՙP~y⤯{*$/7SuN:(_fJ&qR8HJ)z"ji(gHQ^օ$~YW.Xȋ*]}EwJT{G[Awz䣁g y=Y;T.,LJJv.>:DCf⚙7nf2KЏB穘mMUe+2$ڃrd@tuh}`Xxt0(zAߏ*<`O]ųr/Q ~-|0Z8EYTP>x&' [hU=X'+zJ8$P YTz{]9T9S8 @e/JO{`f?ߒH3pЅ\:"=L\%7^6x$>HQ~IL,ɬ[ivbpn S𗮲~S!ko34vܮp \HLCWeIFUܹ̗T_Wm&^؞Ce&<,βc/AQp.*oYhLuH!ORdo?%x!Q@,sEL24Pr/LwkWo['}:Fpm}v<V(pjkArٿTgkU9A2름qMxe }q zOF@-%=vtݎA J-L+JY4xxgSD\C|x~a'g[A>5*ҏҚ,veEK ˅p Fށń"^zZ9ʏ0gML1I[m ɿZnL(s$s_ Y_ a*V +c1]iZ)˻F^e2{4Tq_͞SkMh,*n3m 0rhO|m&_|m(P:…fDŘJJ*kh;U@C G<0S`SYm-e, sD¹nU;JaqNX[ )D̓pf$aLJ;Ğ%-l?c{9(pa=0X첩 ;#GB)KJɲ_?8,DĔSlVaC4bv^`Sk'Bp6FWL?DqK-NHU K@+DR=!9ɬ&5~iHv~Jm>r+v}|ChPԑi4b惈n%V `OI$pcXޭu2k~uXaD~FdM bJ-\~؏QLv1SOC?`ď*O.wʺM"IOXOB5rфÑ؅ C'z.:#{YȔ16vpsEBx_SemI71%9k,}TN8Y=̃W< jZ {*^r7pB5N=ݐad!&k 18  |P8Ϫ =GMR4F#3K?#IJEoվfE# huLN TssӚۘ<-gPhN10Aa6ܚZ2f*0Svp"#Ds Jg j ba?6Y\1eA,p7 LA5Bs\R8@TE! t"eъUřj(׭e& c*Y^XS1|"-)bdtRZs,:;]')v=][>R$cmZ|:~4RFz[#;%x!rUZgMRhMg')(r_w E#JK/YV5cd'f v@g*9J w%6b +P̈dot<k'Ua{+*Vf:A|Zs C$:=4/&] '^DnESƜ$4υ> $1vmI"V^|o f:%&ӺԅBqE(@Tr-eM%Yȩ`Hv:CxKLvy?A$dTxU{Ɩ=]/U9ӟ%]=]M'įuyĤR qE!uI-,o͊h=kՉU'v͠3Vc̠Pn<<$`4lꁢtpX/rO+pTͧͅ v n 媽BlOc%ʗ4N%\H!QUw*R_v8z^I#=h_!{1 J*cN:Vnwt|9W_$(dSDG\X]Kdl=$pRU1oB]yH%S$0TF_$N۹+MHq߮HB/ XFSmPr yu;/)o*5؋ {װ )YQ1ƒr5wP ~RoXg%X헠Gaqյ!"/uLs >nO=i6HР^DYeYU/V.HiTq/]gcgZZ4*b\2p+$](!A @O8H:6\p^jHlxN5YϤm%NP}V[Di+ Jb\8xm!ENV@57l-MR#gr$[d5k ,&dl6?XUh7B~FApcp͔Wi s2/u S@P`mh{cE7nVy^h̑`$]u%jGa%681 H1oMd*,Sq,O=殿gkL;x~A-V0"Rqkg($xE@"փW.bF&_r((*7pF{B9807VB>6=@>@Qh9b㺈djGЬSyY!r][N=pJO-0ae^XsNh8xfH@4*iv:K}=\ x63-BqS"%T%X:j}Oa7I]Ѫ$U*+R$Dj_͓RJDH)U7D*_2k\ֵspfԘ⍼tLרiHφfxvu/k$͛Itl3 NYFf%J>W4-EoqUDm[|~gErSĆI q״]l4"F#pOxPx__|ƣ;%ݣE(ZlC ۛ^[}},!,$OO-J˵S$DReQ6K@s.p_Y,1~h]ҿN1T$)6NfEgsp@Ȧ}Uc%$me#Qf\l.[|2jzXokَ YbϔPZ%b؂Fs>cE<1ųĖTT$DCKNXL3*BlU[P`a TF;?ͮb`۽&r)FIsDf.={{}"2fv>Kt;2߁0 T yZGHg,yVvP3.tR2yZ]Q4p@ʾB2e%KGd:lD ܔ^B([^ 84Ye\L2]c& l'<. {ƞ( h-'3b`|Sl/v#]!dάȓ[A gI[@KnL!_iW~JF3A#N5q7+vG2$!E51 gs58Sͧ߮O[ԉN4\'$Ҧe_-kMwc ŴՍmЛz^QϠpfaMQ`k7:ub ELauN B:P+-2sum;zf͆e+3\;7B*iM1k˒eIah5V42bl L ZȨ(?hChs=I l&ˊ atf ʤLa{9Hu5spa $uūx.Tr+jZU=Rl)5H2J]Umm}GK(»PIƧ>?[V!XXH&i'tm u~cz.1Ϳ=N5A)GzouaԵ0~UEJo1Dxʲo!m"@AA@ߜ(f`i_ TEP_)9uE$KeCv 4Ey+am}77;qAR2!䅷 FFKLM |AMeO(3L˙f8ܳ0|ځrUrw& ))+z:nm'`VqO:o}agouA2'cnjB+ 3d\ ~{w *ŸN ]x';i|Ct h?ɓӴ;t9E&vb۞1<jM#ҡ]&4Y4O.0ne7٦dǘ)w%xr]W(T" :^a>)30 L2+::. 3_)lb}* /D]l[qG+V"r(UOWF9Q rwaكA@a2@=NxZBK17^IX` I嵮lIi0^:2gO~:TCX#i,]ɤ )IoKALG-fNeIJΌTLTz`[àރq̒ Fp˦X%glαMb]jܻe¤^XˆAn$yy;hMk`'mdv&ixuH*i[Z+>)aZ/|Ѝޒߧ_FiM\kJxE!Yjɒc&mvҊOy t'IkY#a(*%"va:Qh2V  `ĕ| _d1d` V=S!:^yK D{y\%'X{,aX_ef-!~]9tz3# zS=iI6''N5.m_TTBDZ2=5QfZB~>###s@] zse$m_bMj\LB@et.;̀g6 =вa.rDy|at>ܒGJ9fhhA# {T{pA"jjx.O.ؖpQKb?-v qfS+Лq[rWc8.E5hrL4/@ vdTsw2$4몱@ғ뱷Cܤ)0Bk1!05]5SAU"A RnUsXި`l 1$zUeNVkR1qAX'*o@z" 7Lmq8IAozxx!`ֺᏯeWG=D,$5XiJ5KVaKPǽȑ ,lQVhD5xjԛ74 m+@%$ xM*Љ ok6 #!yc >IO)E-g+H}Ys" 2Pqab}W,%A.Dώ WQ!q?Dqq뷛:.QW:+tƢÈ"sإC ' +0aݹkBaOcsG= ;]'7i ~pcz1.)i+hvѧjȀʘ/PE:NYkkW81IV-BLN7n##.#:c(=dw8.wp.sMcvfT1b. \ޗYomouЍ,/d9rHa LarNӍk^;3gYc蚥 zP-E~n-k( E7Q#σ\r-4+ןvߺbcP?pU(p%HE@^sI"wZ胱yq{0 1hNeߍ&zNlAn"w|?/=.) MbG9omQID32RV .ՍR~G}>p_yfbq#mj{\ J$z/{.;_]Vy7oO Y`aӺA9-JIs>P.+}z8?1cGJz3ϼ*vxIO !@;uf,Wn>%&2VL۶!: qÇxT!T,WNKM/{r|0\)RuޤQT ' yTaX@xahd5A.*/|hEpa.׿XB%Ӛ<:(Gצg瘵&$}nn=,7.}/abuNrev׭hm,B*W6vˤx|rw=HDKܮ!Yg+ FFf%ͅу4?jdK-,gZkE]\Xd`vC[.".4vo<=) ż!XCd3H%*5sú?YP8φzvW+zҥ~ųs8i.ROJeAi!.}boKnnm'k?欳kfSqENK5zc O2K*+m#?}Y$mjZS178 rXV"VÞwnE*".bgqY͙cn¦_$yʏ×%2&g`3Qh!e_Fmg#ԅx(YE=ǮrӎkChyŚV{aOUdXڝ*[ݜ"eQoO3x{]L0sj(,|+[k gxTVM^R (% %( %& 3=\LFgeZ'_sZ[ntT/P珀WC+$eAB+;Μ_ ]O3> BQP F49$ x^x C4U.pU ;46?&,@IF"{Qԙ"4Q[Ы AWxL)We~i ;0#68ziwݩ "ҹ{`jyMɴ}#X\eJ06YuV@Y GUބˁ 4DЧMͽ:K(}Cb!s5(gM`;ŸS4'#y8d!y-R!,\JjԮwdw:S AuOʯ`?g((c}º_|`n kTV,I1?V=xbDuNa a#c72 YEɭ[jM`3*u)#Ut*4댯zµ T /oѧJqt?jkV)a$s|CM%Hp߯IEv zH %}`ڮͥݸcqP!Z.%8 w?"0Qb(*oa2JΩzЖ 斘~ѧx:9:ž iȤ_s1GnWS>ڱ2ED4ϑ3/ #%X+8{/ +4:m;:%:_3~+}3U[RUW-{ѽ0 ?TK"B@/AР%BaJ>N.Fw#QlQ9ؼ>%z CI<=vOnƊ7\LWNںÍX4J:ֻI?c/Զ"Hri`9*58yWWmtc~Z-tٿCf;:0zNʿ9;q-.oJ!GuZaS/{Hz牀@z!=]Co? tlM~ ;.Hv[=UIQy>3 vrGƺ+t>|kme;;]w1kVF+8Br=مgS/w,{9)<^D oro}Kj D8 5ӲVFS0Ig!ER5mS_遾}{zJ@}*m嶧{sJvfeW_7Lа"p#fs^(sfqWChAQom˃ Eke`& ݩ]j[ȦETӡ (CX@nNIH6vZ[ =4z%wG栐ì>BC丆R4I_F'62[e ?mº) /Ī.VB5XX{V~?mjkR^Z3)L)(g܇" 4ƔvR,ʴF ⑁ |]mAoG3%HYAh6YWe)i@9MȶgAh:oZn?6T&6א94j:o1kBkHxB ;a4VL^d4g{q$`gdp@5N#],9z>BC}p_مǾ\׶pQ4ҙ6Ahn/]i !ɈUAadnò"|s!H<^$G_tL;8VP -"^&3>bKCae/Tj骺eX;cH-@ Hc.@_vҖeX[hBF1ǒ'6χ`04[x}^f<{.§IVܧ*GԹ˸G3/JV^djO'4 |1՗I&#?w3zL:KZXO8D϶.h۽<|YX(ᣈu},q;o{WNEdYqƐ!MbkGn;,x&'g_7L\d7#e36`0 l,t$:8hS{brа3B p9:e/<͠dq's&$b~ygPf,䂋j_Gu-k fuO2PvߗK$B:K*}1omwQOOy#]鱶w a}ԓK* #X`n'D1jmv;bM:{(*%Ns*[iպޮz,zJVmμ'}énb;fj (w^Cٯ-[1=*צT,ddkSsѶ3(&Q}»zE\?]jIqSŒ*]<~"f _jb3;Es))*?G6wAK}n,[鬯|, ؘΘdY[I)0n}efC|91N+ٲwdSֈaTI?h%~W?] M.n~UťwH R*MmsX+"[LC(6X<-7,̧W|q+0O:9+gZBqLN4cZOvHY-1 Q 'Q06J- 8h~G$Y(j`MoꗏHd՝me5Z+t9/'E9Qg׺Qa b)MVn֙?`7QN0}Jޒ[M߉'5^)# iCv KNhIN2n2?LvN4#U T,F_)/8fX]g!eAbV!w೪}ڦ&%.[A%qdߌw2Gr³ϢKhs6M /̥CE[[S;USY nF//qG)|FՅڮ壌!Χ-Ӧ'4 {ɷmQ8Ō,i>3^PrC }gɗ\,1ӱN)B T<*VOeyK`q/x?^{w)FB?ܥF )L= TǮ3)3Nd&4E.;2L[ wv6Sagr?$h$\ ?w m [x\^Y'+^[ Zċw}F.IFenn5c~Q|pjek): <9qŽIezhxvO;{e^I7 e[bH|ͻD/EkLtT+ EрnkR?ڠG|_4apߤH+Goqq]4/>W@&%f"N*5̴JA3C9kJj !X2xkE@9\ 4LK)rhH)f[#a_\E,Gh9#:i-N WG#QODoC='dRCÂC&wHVu/! Z{c`!0EVJHe ks+DFL2,[:}XvŒ%Γ b1uh*,H ;&K^(0A9R*H9@84MM f啳bs?&jc%RɷBy^ngكK~'˸QZpS:360}+R8ێCs$h2Mﰳm Ovn}h8炄 ^EdŎTv g]Ã{g#}f(|P2So-TԥE2qp~^WY1 l1Xih?*3ttɕU89܏ `C{bnK!PƛYؐSu(:KW'Լ Obl}W(l}U쉊ioCzǘ($B(2#Hu8i&dsҔ'Tw(s B3eb-A!Ze k,e((m¦*,ſ؂}=Aa'yyAV耽hpm*8([ȍS'5%.ׇ^<&_ 4m?bԉRYϲˆ\C9ej[Qkx9H.B_ޙh>8ꓚoc>Ն*Jp IA\EI n|*Ӡ$$u6HP&$Ճ`iyiu׬%mMbQ~+xs,OcubSB i WL)psC`^ږxֿ1}aË=hyCo<*1sD=uǼ EIK ~P@ OFyFF؅n+<M8((jE|}OlU̱,852H:gV ɵ4#|04w1 ռ-[5YivPg7_]Ra+9ὭTs)L>~lnB,VL/se캡hÂJ7KqUd˧QHXݹOznRIHW?X/ \,ɀ>,z( f=O_= UI-jkf]3!ta3(׏~,{ZA%XƜy͒]K'טP7kAb͙p` è]Wh4{ M2W2; \HKl> ? 鸙7̕x&wj蜦_0În]Z&YP6ҽв֙tZz]5-93VjN3)Q?:|+.dA QRٕXjHfxr'Ucp!uew[!.u6csz.*_l#mۆl\!Oj'TzC;~C  v˰5& {UpcJ["=y̛*2O^|,~iV8TCdmFoo/h` ۇ@ĵYիL[C>ʏ /i~i.޾O-roԀ6<؂aV!ͩ'rB?eFI dМfޞFdhV+%zm!rRӰdd#W`2ӛr<|hBy:w%bþ8Xo4dcbr Da\cHfwX!ѐ W) Z*Gjf \!œb@tx#N _q٣u`{x^Uf|[=ܩd0S$Ry㹚@ }mA @c嵪C"/* eE;{&Gv.tvЍU8/D՟[@=iϪEf1!~chdo -fMʎO:݇*=>!m IE7 rM7P-֡ԍ JsN"4 GAIǭsF 5> 73#8=券~`u$Jkֹĥh< K %2͐~⟲JRlp ?j=hj"_90=`l9bO2XgYAyl(>34Ҽ Vrz*5QJ6Lm炐o_s"EF3OM .,B\_gV$F_r+L 8௙=l&_CRkMNQ̀xwZűV ޮvdFwq "eLN2:rHQ&Ǹ<Á'E̮?AGҬ%LvvqsvRi[ڌ\[tB5JFnqY52V:? E+UQ}}om\M6 8il:#EH2X Zj $rR o}\bb Co9l= l_ J)^8#`Fd^:R(qtbI 5\ ȅ,q뀿- mjH ³p} 7n9 ~z{*dRqjPvF {#?2m6TdG\]ZiH^+yL\lEx9wm-B(y"S/3X!Y|nVLYP),O; ִ  z:r`LP@Zb*ʛxaPR>S (nCb9ܩ͍BAHOwhA]3ZxA?Áq<56sn`k3{$i5 pDSHpaۺp/s7{Fs,Y*3z/w}kb29`aNDr,رۂ QT3b0xjR:~<=*0bN. %{|~; A}׬>D %u_]idmщG >b0jVr u-beD떃S[?ɘ 9-qYe_9QAK2h~s];4i8x̿_4Qp1?ECaKk1rpyپ4l oJ ZX'Mw[|#S%8EPJKj Z^f}[CҌb۲I]#y~FNKʶE}; eU4 M;;x9ɦ8UNg?4 nܔvW^J`_"cy_H^c[Ź馫7ZWYX_ЁJ㚸<9_1Dby3nw8Ya(˶sCoGڡ5zaV (n+cTVjoL|!B Dl]2v6_ţH$Yp9dTlpeϒj3Ō/!Gt>TΉ[O߭r'Os3_|I$18W ^ԐN:x4}[`hqqU7`=E# |kOUN`17.IE)ҭ}L.Ō `i9~kt4j muI{ZRZݿ5y=D2!e3DSAbMCSusd^[TG'=}䕢a`x53(ʯM2]?_%#hMr7a&svs+64A-?m yW><4Ӻs< kPaLT)䷨LGYmDmOE7ZˢL_<8^\'q5ghCf[[xw) 'g"^h,#`վVET.JOl͸9}7ܱj+wR4ZgU,S&s1xG@vOQڮ̶$ipMۣvƜ iJ[-t dAimĒlҼ{mJN&͘j̝!J~ky>Iq@N[]P&l[/RMN݈L'mԗyW,{2dמݛz-dzj3r,YE2O&=9 50Bf{eR92ig){d1\3j).'1Ѻ#5Př[Ƚw}B0 مUzI^+^5҃|Y6v׍Udhs W|CetFZa["ګ[$̺͊Nxn8eDk}CsN@} R.GSUZM|S\t[(ŃOu8e\&2tO`ep''ѐUbO-߉:,#V@ JOegEqx2r DJ$ϹM%o~QWG?Q2] a3l3.4M`T+/Aao`ix$!Xi%b+9N)},~&DG5(DՌ[,2(S\[@1ieY&SyTl PXȰ>ZQmet_A|fiIl~gY/3'\ĕ=*Vh3pXd֯6Wk"VKHnنwU>,)Mn{o=sSG[9wu^*cݞubv΍>k-B HhZ DJxԬ|VLzb"ϔۻsP.ظ2ǃLwwѶ*0ճ%+)(WJ9*jr lcჶюH!H{~MK۽hςs"B_$@-(Cltf&E&e+<ܔ:Ig"W_Kj4آQ=˳9$;fB v LQZhhC+pc!@/?M͂LtѤ'*ݸ"ջBwdnHZN `VA]"߫} x`vr*e< '~grrH(%s2ҍkgF90Hz3Pe֠75hi2auck@$XLh77q6EFA ^:l?J* T$YϭAʟbl|zʤ7-[ok˅R7E˃eGu1ۢ0~cw'(QLIvb|lUஂ~ K˼SC8\~@ qp" v%"t_q#ǩUj`/~s5 :'+euQEcm%+<.UѽM"{8v۟|bz1(OFU`p ŢY&Lx|~FER 1?-S6`V,,"a(h+"g&fC {WAi\V1P'XC&q%*;u|p|&;Q߂TְdܘYS4Ը^ym~xtj >9_=)bjä|L2|hI w:Ȩ.2 Z{EAn%nwPxKXNKiы1z#Q 82Wf_H{Abp,EzkH_XZfJJ}6Ӏz+`?V[;dc 62+Z|zHpwHC뼹rK-^JUd{kE 6_Wh@,ĎIo]70tF_5E8;W9 ?afZWG7 :LMʣ P,kK2wiăzDz1 ]`)vK 4 N-n̂_^KR|U8|ߋH6Y#.]1 ' A,U'* =YDg ׸'V)u#.LV?͒UW4)=E'2l ;x`HZai%prci+$D5< MwR < kPLǡ ֑v8XÑn5Nd1&PP-yc9D]=27&tv#~Ck7-Pto)4cI֡Pe5Hzx/$yd2\cOl+Wh7r6ٽ.|/vr{\YQm f85mT{`ް$̤ ;alN:qtw]蠵J'l mWL0ske)v;KΗ`ȲL'`NDc$wiH[ ɄCYɈ ,ez RPNgC EDc+tb2h=lS&1N=ѾrrH ίq4(n74l#Oi}4}Mx()KVl3jFg2ϧaMr:XjMTEeR)b0=GE-ggs sc (jyEۑ$~< }R0mett°<{xM d)^xM*p1IBSq^xo%thi\pS= 縈sܬ}) Ll~+XIG= qͮZWPnb.RA"1k;tMزc o~F!Oxv#EâLlYzk5>"vw3eZˉҁ>@ B;^K*ח-q߃x`* 4/nÎO2'ȳ]Lxށ:Lb+_'$^_J2hͯFcI:f}|":c0ುL.xϻlD_m3#C59?`"&qdA􂸤#%\>izHذ8>ŸKV%Y [ki+U8`Zks~[5,ޒ"(s Y8oZVItmo8+tM5Q-t5[h@w\6kI>9S9<'bpw{J6?GYP݊EY2`Ƨ7២6ͮ% ݂MnxJ=fmemi/P|Ø'|ļ@^2n8T +&s^=*\ct l($8 yg>WOO:[C[j57*~*-8Hz1Q(憨%aN#A۳ݕK0h@mm.X=9#?/!5YpY妐@)FLr H~JsE+H|Pr*YZ놐i8,4f:Z.O쓺5`;Y@rw*6#EG?2.;' *5_W&WB8O XZ|SVe\((^ō MCD>0hM҈ӛX9 V*klńh!!Ml_qBژ.Pf,gdrv{ zݺc ?Y~C2ELZ{<ǤWy3g` >nN*c[:36~hElME<2JT]ȕ6"̈vdx4ڌJPZ`9S6AӽEyK5 3%Lc>r9;"'!&.p/uÒaȾ ȊF"ǶcN9$@B%n񇺇O/hNgA -v{6ƮQBZix><ȾY6 Ⱦht`9ZN%meɐ@8{DEdn-qIUul쏺 ޻DV]RF!q0Iڂm(}7/m,}N'+ Ya ; V'yPګ@D@cVqZ%@Cf֙SAum1twcy p3\ Cjŭ[&nDZ1_]RC»ϒ^dO}zQd%7Y,(߷,+ۂoKD6)W,Z F&;Adp8KfFDךcGwvs8gIѾb5^"r: R VIv{A~^iDC0˾#rE_hbj`71# ~^j`DvpF6{\dDqmy )^!l /HA,q4֌7]{iF)vauO6?f<8o5GW7I.ɟ5UqEk݈be> ^f,W /e&n5J>}Oa1qٮ3Pr2^#R?l;t,b2EBJ&,%"%C>+A/4_3hJr4r;{6' 0]1#}uVU͌s\ |T^a$]gsn}S]l-YQZv f" I9AG Hϓ !UT?#1`܅;Y{%A? ?x0D )׊6U,VTғ zGe~r.Uy,dYIg@,8?{d-%g8@A<~6II<Gml ԴOR  Co~Lķsސ)ObSSL&G\;^6zI/$RU2M)X~/93br.*姝SyqL!-:0GZO=?Рlõf(R!j.e '/ZmF[yLμ6q{Ո~P6ٽ0=v{s N 9qu|C2#:V;g2ڼw\PK 0WÇ;N63~n=h_׉R1mAɍ!lCjiW%* jY[_| @Nq8 fA_`{Pκ= x-X)P 18saؙXu铣9&zYnY;9+W9*}_dHa^Kv@XySr6$!ѶhEƼN=X8/]JŅay/;8UsrB<ϊI~(l>QwSd,ʽK#tݳSqM8|5P_ժX{g(C'xb_õAt xK{XAcw_E@i[j[u$gف`.>C,?y6'DbN=W;lq$>Ci~(?sfx9Cyya@!6:)?o tC.XI' Gʓ`8кiifӕ 5^BXA*?YRoOw'OĈQH Le YJ0$ 6rZrMgж5\ijG!>HRBINy` vK]deeVP?{|:1Wckǧ|{=6_oWNuf.t:lʴ݋,'_Ȼe軺q۸+JU[:m6}_xm^o3~ !4r`Q'iN~Δfb]M2CJ"_ ;/C*#h[XzxMmZ yB~Ȩ[HTѕpr_@*@ʜѨeɀ.Q"8X2,>Ӿ gO $[>D.VqѨ5Pw]q74!q2^p8Sc6IiiH?oV3{-`elVBKw޶ܠv {neá(8H{0T^QY]/\YpG&[0 `EG(#&0|;>s: g7(XH)]0pp3bnF*;T IZKGf]zSJvu03W|Qt89Rc,3G@Z;kPX`jnqSߒ!!ᢶK2%dV.;ʬ5d*Z"2Z,.Z}7RV{YQ¥/A2Qau ^8mqL.ew.NU(Q =^8Qjh܉hddZo&( ױd|Wjڻ"яJy]("`u{(k.t&wBHmKJ -1쨊P_7ʝ uR4Uuq[[mW!%Z.!wI=>3U[\8c3-4DjϾqS* Q&w?` zߚ'xA,rlE3M.Ή|~~ D`8K+o]MJK _M8G5~X2ˇO,?BA1&$\)reAw@; vNTtx4$ytҙ.$^ոZʭL1"FZ&-~7+UQ_|]2uU :V6K-*-n~:DH_vƕ@4q,đ)oDJZ 󣷌 oL@|m|c$ pnd9'4Ȓ[scl̆" z*aF7pF%< rkp>z.x^9ia;V4UbyA6(f@%U2@ԉݡA\2JQYT:+*?,deaU7-m^[{MmhfNuVi)0` гWŴ̑3jzhFu85$lz-d$@eJtaVa=U:wj;x::\ܙ=gmHRjSκeQM=JV症װ6,qj@5 ՜|9k@q&=IDz9ĿʈAJ GZ׍ǭIҦ p*QX2nGH(OR [٣y6R5 Xk:€MZ{VC<yUEjEW확(t'yC-w34~]v! k%;b3饃.C0iT}.PdNu.c_@KxV%]zze|S ꈎ "'^Rʏw4b{r#}[']SIG–.r3n3SJ! n1%T ^JID NqkOW&*Y9o"A$ELҔxҔ5 :vEx>wy*'ӾAYRFve&r٦6~#@|LK,uٜ}6)85"S"fnqJ>S|VNmǩ6] a4D$9#X7aC#g#>6,t 2MiحO?HƒsKl ֽ3-y^RU_BϳQVmH՝Fx6h4AKOv Jaøƫ(DŽ ?XEe!B?ڗ{VAkf4G+;~m蟶4;(nW+d$|`E n=ؠAa'*u^Ua]D>k8AG4u?Q$: Jv"qL l6ީ{M|bFQ8ռof,VE@i74+ XGr@5J cr bР~z%w%N:!.'(tؕ|&`I_yhKg2ʼ}`O{;?FMгѣJc#<'a0rOk9q=R櫃SYrT@d;) B L %C> [džM!ҍd5 #cU!][{!y,|ZD% "StY6yA5e;,Owp;C3M\ե8c ~F%Nr=jU޴[|˕dvwcXk7V%84.[Kr t5N&}AGٍ)&K\jojoV 'g 4ydQ+ ʪx_UO^K j9SKpP6OcJǗwK!lCy=GL(OHf^lר&p Yi pj.̯Q7ciz`t~^`r6DT8U~\ 0n(BNɵ2i9ðIHLT-BQzYf1&gF*o-`])lҸK2{1 ,V B_Ek@VUBFIYLQڡ6LAҨM~w";)|ʘYWA(TQmÃdsNK'< {zG:Mcb`V!~uz: i- e?ޞg¾H`g]F[(TmSh0yіŅ&4|r{U1?:jR\7! CB ́cQͧt;,P;!y;BboCU19lǡ$)i /qך[iSs BFAʨ ؟nfA6bIp r.7EΙaFN•2X!Z bLX FSֹ*jS?#_D{)| \8@Hg>11h2y׸su"Z[:a7e԰Q=G/xU }MxTPi)̩x%UYxut`0&lvwn۸)&'qhݧyB&5s_%ߍȼ?_WO0qɛoL*y|RQ4iRq'1%#yBWd8:P7m 1)kR"X%;9i30b_V%iVO ,|ܗ_Ik Un6?.yQ KhVؠ৕ޝXTPǒS& wo žu_ѧXB1v7 ֜+.UOS>%zWqׅ]P;x3FjǯR*zZL/zLVnL{b̫b"fMp(i \Qc'Ȇ?3Pޅ2ޘjY2cƶ?2M}wB`?,'H#y؈<xj^8]9H΋Lw_ìw9mrr%Su0D?^W5w(r|dr1byh=fMAN "PY%ќS = 5d". FtG/&>J2~KlY&2҃F,Z:> ygZC~T6u?haA%u5$VhAvXɊ6սPxY&:5H-| GdT)bMlO !5ߡt̯ ͋<=3`" p-hbPoȑ}ӝm}TV: ԡAFORqT![-h9FPoOE^/Mg#ؘ\XmXVr{[+AL-c)]Q8C䱠vK"|χV`AN쐗= Y?l!lN(H 腢F7RϗV)OIEۘɔ}/c此nOA?dI= y`1Kҝ$ioȰJ!sT}=j^Gˎrn(8mGU?mILf QxG30S5k^r-mH/RD5$Kt Z#U=N²jrY͸wZ0D^嫟QW&{tb?}a9]L&#rN$49Co!ZliC`F Ս z{.f uBx *NLx$v3m#ZziY[ Z{Dv |AHxD# H$sp~kB׃Z=H27ֵNx(`7yi'P'u+;+m^a9EEntMKR߷[:nE Bx ?s<ԡ%li|BX~N ]4`Y@PXmOcObߢԸ $q=cA^KY<17bܢ7c8x4] c6\o&YmC`UǕ*aXi*x a݅ Wu3}E" 6 H+|alLw)^Æl*߇ieՑIMO4g9~~גk*/FxD߁BQf'gLن~HI.=34~2nHE { aw2Oql|:*Gd K}*gۖjz}6bRf6}67{J6Fɡ<! 2IfD**~ Ȃے0Fپ9}Zbm3iHKqoMcO^V; fzl椻AGx 5e|cTg F1;!%&p_#"<a؈XTr+4Ye"" J9Tj[*FV0GڍH0#&SV2V`-'Z?2fʅ/$?GIWGWN?hHvovD~Pv@3waȂP[Ni(Ŗ:8glmE *R0hi=쒊dg2tW쟑D GbsP* S_.L/>4 _Hci`^+q6 &&p~YCJf>_,Hɘ~# }ϦU^jy?+>dWv*ddDĨϽ_nK)L FBXWx8qO]09(Ѧ "X Y*N\hŦ~Q ;erw%f ߁fw¯1$Gb|*$"LEQM|&SUoӚ'Y1*(iFYVZqyz^©Q60t|fK[D6,)Ϊ02eU%"R Frm+iQWVG+d5q LT }"L޾V!"':{TsmTu]TӅLZ$*6Fz&%%f/^|IصƘ*@P;< ~2+q6e戣ĵa]riR]+fFt׿ZkCg ~U|+ $ J:a2_gL7MG)v5A [@ܞDcX;_M<˿m|ҏO;dt1nS) V2nczQRR,)Yryc78ϵ7ac+96qL۵4DwNA6 <=L%#PTdwT9`*z vfn{^:ziK~ a7]j!/ \[q&u%$fUCEʯYI"ҌtON,8pхR`}`J/bȓkvqQ}%VD|_woF@)jжҩ~=dZhٟ.iӟn ɺCa$>ŻIwn98dȘ;4ˮm'%v  |(liIkNgUAw eJWFw-8nPeJ;sqP9A˜7<;"XyWVu SƽM;iBθ-m!**ڗRf9HEyUkr0 Df2/`;>GSqу@v5 #Fq1u`|lL, Ԯ\r :.;¹ONnE"dŒ_[pip5Ì$bF֙zlq+M*uؼf;FT\G_&o:Ʉ{(hM`9YS[pĔs{rҹ`;yCYmjwّ *'}.:&bs4S+fPl_d@3`WM^a`@ElB+);a33ƅô_"<%HZY fx|kaR@ܸ~~˂nFZ';źnDe|m,:]+!XYd{?ɌF0`[%#Cde1>axnײ Ok/Loק:Z?ȻP۵g1 7j l@9"U|:JE!5с%菣h.1Elu ױij:⓯j{*g8;G >{߸ϰ$vQ̢ D28| 7qeLd oM2O2Hw!(<ۤCҬhl݂A%L7sl)$o$|Mil7n,?[sXUAgn Bbh8'C qQ$lq7,i.+q~y+*yXԡ64uc Ab U?m$c69*ADQy0hm=Ûc qsW,rfL ;twqԠBrV'eOSr^IN搏!Yٰk9V82} w֝B.cyq+@=MM  5bhS:Q$4fpzhq5 0&;rnv:ӍkÑn)HB~k0 Rx!@U"-ȲeVu2Gu* ϕQ-8$A7i8{X+tXv.a lcI4ӷ_ыu/YgC8Ȃ~3G婀G2ŨynJR|(RGj V;Ѳh䏳RnH=~)Fe1f-'_Bq#rF.?RJE`+łʌRZyq.h[is24T'=]1;lXS)e鐪]':zFvQy`j6L~+¢MH!Kw;cG3T-`Fj{č}Jw3/x֎Gds2wW[.8<`{ q%F}\;Z8Dr|I3_䅰=C_J|*?90|*e׼Y>y0+2סhP8=4Yq;|dLg= rΛ"ܦml]#PJHOBlQ=.4܁_xi%pt.|G촪\ע$#&m{*alv:cZA%D^#:h%fR\ qR|*iPwA| ?P1V"y 7K,?pgb3UلvF)@>K~̼kb? 7gÃ{ڭ?)c Yol<ފm'OQrw KX_,ѶISv,o'<~Gh ?j?5, ]/+rxH,Pt0Q #{ ۦ)+c Es@zٛ !{&)a]1r1þ'YM tLk(ր莁zLn^rSbe/jZ[۳Cae(v/ =YҽJi"%  eDg0XH l,(~pϦ9  =nPnx/z7ߴæ]Bv~x;+=ss#HhxxBmdY`+}hI + GF,~:% @ƕxYV#/3"GSP٨~zRe YUhK:0r(A7-h9F%}teXɉ1l:ylvyڍcgSLcء:^9y{qŕ+p{ ZB3{' 6ԱX_l0*NǵZWCϳ[UϼhNmAMQDD7<#^𚙣(KvP-'(pfkrxre (|Ȋ#ۿ?0T6)J"N s](_!uH6'b'ֆ{G%̨!K)=k+ƹKTW}٪ \cw!QA[Jv>_ԼyCi3+1܈\bn~(8Z.0#o i7ZL'̚3*R4yB2;˫NJb%ۉ$Ԟl?*=1DLjkR.z:N%njߡ[)s ~ N+Q಺^ɯ@YGҼeQ >߆3[0{"}\{]o6۰vox^ ߢ5 [( 7F 3v岧)dj3 iv6-ckΨd*Ƅ ]c:4c:Wexb)_ j`Gf p ;2YBn@I( LIa܍T%Io},UZ+($.. EGx,jm}zZK=]"t^+qOz-P`(a^6?fg{--#W sz|̺O aH㥦UUz!jAHhT ~oqNbX~Bk8Ev;H6~$B=Aˌ㟡N6yB;F V_t(ئW!B\D[ΐYdS@< .8${u7<‘PZu"GUsp™)ɢvkl&-y>?d`OHS =27OC.&V: m yg)E=J..^Akćla7Z3+Z/ڦt{^|^^$)}Syt P^w,#D;Ժ&m~0aM%#5µc29O0zr @uGkP`/ү*X{PVQ`?#HqڼƻkF>)qd٣o٠?] y |0>հ}jdC5+ p2г7q0ԪP$~*X[ɕv r+HCB/46?|%4FAj␞DX1n9sN>9_%G+$I[?@? pR`v4OoK1^IOZ"Ц4ke+~2t!g Ui2Ͷ_@kA}&lq}5"UgS+ sµ,e;v/ZdvTٷAA MDP&p'RV,@SWDY@?w,<h9؄j*4)DK6'Y,࢑ףktFLdv1DNI dyGY,٢[|_*k ) I٪{tLVj{Ia|qy'qgq R`l-Z?S4L5)lu0N6jɹL5|n9k,LEV]2Wxitnz\j7BTo ԰g,5{Ř`(K㠎*M]^oaAab^yY,]HHbQʰfgs8aHKZ6l N)UdI:ߌWv[Diu;<<$*x 9NNN:TIKaR?n(eu{eh3r3׈rMvǹpu<a fB,cXa Or^R(/a<)_vu^L>YCAdK9}I\OM>0KzOfhOrX4ݹס5 EZ=b) -Z؈CԽL'H/h5Bea/rfe>'c5wqSA/܇ }AE:Z7%& qWhja65N4ϒg)Ђ0Whj)GD?,9Gm~ %޷(kqUepEj[nL%<[xfʀ*.2^1{-De)Gs/h <zjKH _ZV{:rF!}Iw )k5-Xv{QM"fJHyw a{xnRކ9A8#qcWQrEt(V?VtA?w 7+B;̈́ 놑i<2.B"%^L))X8#8g6|v 7 }6%{=5_ox j?mK:o1U5UسFԭ\ tjcc-,?A@M-aFֻYǍn$%n oM,${҂8~M@0iVaf3%+J&啳vW ff5gMK='2aէ1v{#m\!dS:k*2 T00>h;Hi{KqR BGQpO|Ll3h8lIgjQN$Iz6$U6p_ l7߯w;.,mh y@wu QV=Ũ@V$'amƻRa{Rbj ~Wi}R 82s },Nn@3ac`0 ڠhN>TZ k:+W)K!nRkivTȍ wm%#t`;@X!d=-uV(n4~>5ӢQS\Mu+AB#d q"5xJ̓7[jN$uR Csi͑Kܭ+/')N4oQ#IhBAӳOK'9T<[Zej8;l m?x5=ijM@ͧ#^4jF9) ԏ(wڵctzU?:Q\gDY&t_@!5 çVҸRD@NT%k%6xf^%~E];CCSxgW2aBTsݚJI҃^#%(X_J:ZV61LVڴNu9=z&⩋c#D_x4D(#JK"GXEX37M>ꟂZљ c Jq/ ?fI5Yjh4Ocy^` %!s=o@|.^*t8AC9j>x[+-Ǭe*Qӧ; ;K3ԉ` үsA/:Kb.iʚV`3}.չ^WY)=ZB=^2T똼 ƴ 4(vzD7.2/*KŹ&{o✶wb.`AYp2HBtڌ(ݺ6}L0*>̺;7c&~ Q׵uڻߚlM{o|YG2', U8kŠ5{pd҄GJ.FauLr< 2խ <:h/5p@)MWWYjƟ"U.+ O0q(SЛQ?ro2L.$K;jZnYu31kX~731Y$Cpc5T 3ޯ5ЊSC[F~3ձ6(a{h99 հab]Ԕ>gy YP C[|HPi ި6H?a?y6U!;1xC7o;ʛQh\Ro!J]lH}f  ISM6Uz_ DO{!=ht6aBx8vf'*';mӚ+_D+l9,N4ۍ ad2 0>ZHٿ3c{p {ȬhG̡;e v׊X0vsBUz1܍Dk$pn]_IsHHwSx,F}5Q+"qF U(O.)@3~*4$q<fu)۫szv۸I>ݷQL5 Dh鋌3'#M #e.}ݻd[ +6E H!uR}Û puWmPz#2`ŬmȇKWAJމBJMW NE~?b@- HCˮ_.YypJ'ھhDZMe =&$YI{G/6_w+6(lM a:piV6hkg[v2jܸl@@2V _ 9Z>+ynou@=Zc_X2RB \my‹Duov2s\d/9 ʕZ,۴$PHF;+V\TW!ث(D PcH_HK,宂?ʡĖ P<b ބLGd9PCnNP3C* |g%q0ϊz!ÅBuԌJPl \x[l,'zuN[O~݌Ō8^"EY.wϝ_vP\bV0 !xR]8ۿ5}"4whokbc龽sO+\ I$ҵ a$UEp9NT~IQy%B_,3S|f t ovϐG SMj} g.Ļ7eYPY/^ɽj ;urPܭ. OV|!dB[Jks'8AaJDؘs͠*rެM=f{A OH>6PvhԒ=G2|և ,13֋Il_AI`Uk{k~W J^pq'^;,KvuF-K6jݴs/T?PM9Y:.Gg|O,zp,C[rѹr*E{b m$HDR4^ľ54 s A+4H9/Q+>OA~bA4>Yi 9&4mdYNs:6A%H{%u]]v#.ٲKz?IgZc׹oY15slj7vcoS7* o".7 6KPrkHMu%z 'n)mo/!)ՊœKs(}#Ś06)Lr>Ŀ~.um&Ͷ$-g*Y*&+h;X:t^Uम9ic@%K*vl"Y߂*BROt.m,y)%O {Hu WO948c/| #O%a:ڇAmip^m^sjOȽ>F_45IS&GDQJ3!/@ɲ/c $#R2$yG#X`SgJ OK/Q{w6>QIlYg۵YyRlϥqlا^J&ɋ30B-22q*=&fۼȟz+5|n}Q ]f/Hv<GLWE,E(LA6eF|X[gRSr#m"U ^G& YB_"xSݼ3BqZZ/C=⣧0d[ rW70V69A"Q Ufna\tҧDW~܁Sт/k kX7tu"Ui풦P 3"7Z&w02pF?L("تNNɩr#=3zqhuG<]}Coϔ+5s4q(2hk<4]q'bE "Ҡm9gqu&bH[@Zq~%tΛȜ ntU4=(=ߊO3C \V%/.ޜ=3 b/ U؅FP(ʼnK)Oon1Kvd*'Qz&I'7Xl:ٿFY, op*mo&#@,VɆbe=œmשdn2'͂8nz43 g4X1A9w3 fxhl-aͩp̻$fu?tp} Zn!̉IQF[D̶SQ׵~97Ϟ[e20P /Cp p_n3k"k [|zg1ilhHN|rĚт7X7tRnsFrY T6Pd&4g]CHa$PV>2}[(qX,^[>c$ Q!Tw7J`frL#U*P4 O ɓN֑I{3w0rh$8릙HˤuMmPHAvfФ%W B[Xš͋v\gAuS<~L2[ p?$5dp0yQnN ?SUZUR%' H8f Xi扰"y5.pϖfo,Nj߱:PY2"lB<+UP,eqI/,Y$9wE5,Dqζ._-ԧ-IMgkuiU82&@ES85ha,_SrTT*ԭHP.ذ t剸~IO[v WN ,\?e(~(bMɽiZ5dʔlKE}u=^R3~.QH2or\:ު9,]E)l-< JhM?ua1'ojΎ 0ݜ/&7uv 60#b{ |qQx7* iܳ4C$tHD>W53D:1!/@ujW{V>S`qOoV|i]ҵLޫш$K⽰-~"cLCς؎кn$ ƫ6~Zނl}>Q!e֑r$oo{a@>`E(vwwu;c w`6NT- ܚɶ ,wyjGd˜7dXF\͔^E/ҘZZ\{)qyDWIQȧRj@V̮h)=4 #,AP ckB VwI>E?f)K2xF:Z/;lJ}enoX:;k4C8x!L#*J s\K¸Ns*m6[yaPܥ'\LvkoK9[Go *[!UDZ'#ed!peH&U8ryGWoiP4Qk7dAcFǪ b(jR*\Ya4մ 䓠Zul ghImK.!k)~U4TJK@ם mL UKP]Gw2MK'ZBvA8lkx!X\u+JmzEݬ [y 4$H6_ќh?# ttnaˣlM5ֽZzi2X5Ljl*0>j>1o = ϩYt;YQl)ەzEZ2& Ҟ e52,vFּ՜p {r FG{K{~5PƢ)[T{ }Uޑ.p =-CZA ^M.oRI#'/ VmԒ\zR~siy5IUur d J(e, 9Ns ?^B$Jz>7fdVyk6N, %7{x,ul,* $?"Q[%3R`[J:&tL㏂Jd*U(ЈX= EF9BHyЉ̽vLƫ{.WWhi|*ii6# c` YZ