sssd-ipa-1.16.2-13.el7_6.8$>@fһqMM>=?d   : "?EL    4 { $XQQ Q(89:x=XG`H|IXY\]^LbdefltuvwHxdyXCsssd-ipa1.16.213.el7_6.8The IPA back end of the SSSDProvides the IPA back end that the SSSD can utilize to fetch identity data from and authenticate against an IPA server.\!x86-02.bsys.centos.org jCentOSGPLv3+CentOS BuildSystem Applications/Systemhttps://pagure.io/SSSD/sssd/linuxx86_64getent group sssd >/dev/null || groupadd -r sssd getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssdxK#A큤A\ \ \[\\\8860831fb753c6618a7fbe77bb7e8e64d79b51e93c4a832dbf600474ed483160f43e43471819960e8f02e24713e439083ac94ea36615c15c1af6ee074705c8b38ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b90353a8500319c08871d759d555025f0afa71303d59c14ec0f76a0a28988390c0cd4fbba0aec13bb482d6cabb2029a3ed65b7c1fc54593a52d0914ac2208362f704rootrootrootrootrootrootsssdrootsssdrootrootrootrootsssdsssd-1.16.2-13.el7_6.8.src.rpmlibsss_ipa.so()(64bit)sssd-ipasssd-ipa(x86-64)@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@   @ /bin/shbind-utilslibbasicobjects.so.0()(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libc.so.6(GLIBC_2.8)(64bit)libcollection.so.2()(64bit)libcom_err.so.2()(64bit)libdbus-1.so.3()(64bit)libdbus-1.so.3(LIBDBUS_1_3)(64bit)libdhash.so.1()(64bit)libdhash.so.1(DHASH_0.4.3)(64bit)libdl.so.2()(64bit)libglib-2.0.so.0()(64bit)libini_config.so.3()(64bit)libipa_hbac(x86-64)libipa_hbac.so.0()(64bit)libipa_hbac.so.0(IPA_HBAC_0.0.1)(64bit)libipa_hbac.so.0(IPA_HBAC_0.1.0)(64bit)libk5crypto.so.3()(64bit)libkeyutils.so.1()(64bit)libkrb5.so.3()(64bit)liblber-2.4.so.2()(64bit)libldap-2.4.so.2()(64bit)libldb.so.1()(64bit)libldb.so.1(LDB_0.9.10)(64bit)libndr-krb5pac.so.0()(64bit)libndr-krb5pac.so.0(NDR_KRB5PAC_0.0.1)(64bit)libndr-nbt.so.0()(64bit)libndr-nbt.so.0(NDR_NBT_0.0.1)(64bit)libndr-standard.so.0()(64bit)libndr.so.0()(64bit)libndr.so.0(NDR_0.0.1)(64bit)libnspr4.so()(64bit)libnss3.so()(64bit)libnssutil3.so()(64bit)libpcre.so.1()(64bit)libplc4.so()(64bit)libplds4.so()(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libref_array.so.1()(64bit)librt.so.1()(64bit)libsamba-util.so.0()(64bit)libselinux.so.1()(64bit)libsemanage.so.1()(64bit)libsemanage.so.1(LIBSEMANAGE_1.0)(64bit)libsmime3.so()(64bit)libssl3.so()(64bit)libsss_cert.so()(64bit)libsss_certmap.so.0()(64bit)libsss_child.so()(64bit)libsss_crypt.so()(64bit)libsss_debug.so()(64bit)libsss_idmap.so.0()(64bit)libsss_idmap.so.0(SSS_IDMAP_0.4)(64bit)libsss_krb5_common.so()(64bit)libsss_ldap_common.so()(64bit)libsss_semanage.so()(64bit)libsss_util.so()(64bit)libsystemd.so.0()(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb.so.1()(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rtld(GNU_HASH)shadow-utilssssd-commonsssd-common-pacsssd-krb5-commonrpmlib(PayloadIsXz)1.16.2-13.el7_6.83.0.4-14.6.0-14.0-11.16.2-13.el7_6.81.16.2-13.el7_6.81.16.2-13.el7_6.85.2-1sssd1.10.0-8.beta24.11.3\@\@\@\@\@\@[@[@[@[l,[b@[a[Y[Y[H@[E@[6@[0@[,[,[d@[[Z@Z@ZmZ@Z_@Z_@Z@ZyZhu@Z3@Z2gZ.s@Z*~Z'Z!D@ZZ@Z Z @Z7ZNYZ@Y@YYJ_YJ_YC@YBvYBvY9<@Y9<@Y5GY5GY5GY5GY0Y0Y(Y(Y%uY%uY$$@Y$$@Y"Y;@YR@YR@Y Y @Y @YtYtYtYtYtYXXh@XXX@X@X@XsX@X@X@XۡXۡXXӸX,XCX@XX*X lX lX lW$WW;W;W;W֘W֘W@W^@WiWiWiW/@W/@W/@W/@WWWWQWQWQW@W@W@WhW@W@Wt@WE@WE@W@W@W@W@WW~W-@W-@W-@WW@WWu WgWDB@WDB@WDB@WBW;W;W@VbV͛@VTQ@VCV @V @V @V V@VBVBVBVBVBUUUU@UXU@U@U@UUUUUUUUL@UL@UU@U@U@UnU@U(U@U@UUmUmU@UJ@UU7@U7@U7@U @U@U@TE@TE@TE@Tи@Tr@Tr@Tr@Tr@T}T}T}T}T}T7T7TTC@TTZ@TZ@TT@Tp@Tp@T@T{T*@T*@TTT~@T~@TuTuTto@Tto@Tto@Tto@Tto@Tto@TmTmTmTmTl@Tl@Tl@Tl@TcKTa@T\@TZ@TZ@TR(@TG@TG@TG@TG@TG@TD@T6xTTT SS@S|@Sr @Sr @Sr @Sr @S;S;S2@S2@S,)S!S L@SSS@S@S@S@S@S @S @S @S @S @S @S @S @SSSRb@Rb@Rb@R@R@R@R@RURURUR߲RRRx@Rx@Rx@RΏ@RΏ@RΏ@R=R=RkRRRR@R@R@R@R@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@RpREs@REs@R7Q@Q@Q@Q@Q@QQLQکQQQo@Q)@Q@QQ@Q@QbQyQV@Q'@QQQnQZ@Q0@QQQ@Q@QQ @QQh@PP@P@P@Pz@Pz@PqnPl(PaPaPS@PH@PDPM>M2@MMzMx@Mj - 1.16.2-13.8Michal Židek - 1.16.2-13.7Michal Židek - 1.16.2-13.6Michal Židek - 1.16.2-13.5Michal Židek - 1.16.2-13.4Michal Židek - 1.16.2-13.3Michal Židek - 1.16.2-13.2Michal Židek - 1.16.2-13.1Jakub Hrozek - 1.16.2-13Fabiano Fidêncio - 1.16.2-12Jakub Hrozek - 1.16.2-11Jakub Hrozek - 1.16.2-10Jakub Hrozek - 1.16.2-9Jakub Hrozek - 1.16.2-8Fabiano Fidêncio - 1.16.2-7Fabiano Fidêncio - 1.16.2-6Fabiano Fidêncio - 1.16.2-5Fabiano Fidêncio - 1.16.2-4Fabiano Fidêncio - 1.16.2-3Fabiano Fidêncio - 1.16.2-2Fabiano Fidêncio - 1.16.2-1Fabiano Fidêncio - 1.16.0-25Fabiano Fidêncio - 1.16.0-24Fabiano Fidêncio - 1.16.0-23Fabiano Fidêncio - 1.16.0-22Jakub Hrozek - 1.16.0-21Fabiano Fidêncio - 1.16.0-20Fabiano Fidêncio - 1.16.0-19Fabiano Fidêncio - 1.16.0-18Fabiano Fidêncio - 1.16.0-17Fabiano Fidêncio - 1.16.0-16Fabiano Fidêncio - 1.16.0-15Fabiano Fidêncio - 1.16.0-14Fabiano Fidêncio - 1.16.0-13Fabiano Fidêncio - 1.16.0-12Fabiano Fidêncio - 1.16.0-11Fabiano Fidêncio - 1.16.0-10Fabiano Fidêncio - 1.16.0-9Fabiano Fidêncio - 1.16.0-8Fabiano Fidêncio - 1.16.0-7Fabiano Fidêncio - 1.16.0-6Fabiano Fidêncio - 1.16.0-5Fabiano Fidêncio - 1.16.0-4Fabiano Fidêncio - 1.16.0-3Fabiano Fidêncio - 1.16.0-2Fabiano Fidêncio - 1.16.0-1Jakub Hrozek - 1.15.2-51Jakub Hrozek - 1.15.2-50Jakub Hrozek - 1.15.2-49Jakub Hrozek - 1.15.2-48Jakub Hrozek - 1.15.2-47Jakub Hrozek - 1.15.2-46Jakub Hrozek - 1.15.2-45Jakub Hrozek - 1.15.2-44Jakub Hrozek - 1.15.2-43Jakub Hrozek - 1.15.2-42Jakub Hrozek - 1.15.2-41Jakub Hrozek - 1.15.2-40Jakub Hrozek - 1.15.2-39Jakub Hrozek - 1.15.2-38Jakub Hrozek - 1.15.2-37Jakub Hrozek - 1.15.2-36Jakub Hrozek - 1.15.2-35Jakub Hrozek - 1.15.2-34Jakub Hrozek - 1.15.2-33Jakub Hrozek - 1.15.2-32Jakub Hrozek - 1.15.2-31Sumit Bose - 1.15.2-30Jakub Hrozek - 1.15.2-29Jakub Hrozek - 1.15.2-28Jakub Hrozek - 1.15.2-25Jakub Hrozek - 1.15.2-24Lukas Slebodnik - 1.15.2-23Jakub Hrozek - 1.15.2-22Jakub Hrozek - 1.15.2-21Jakub Hrozek - 1.15.2-20Jakub Hrozek - 1.15.2-19Jakub Hrozek - 1.15.2-18Jakub Hrozek - 1.15.2-17Jakub Hrozek - 1.15.2-16Jakub Hrozek - 1.15.2-15Jakub Hrozek - 1.15.2-14Jakub Hrozek - 1.15.2-13Jakub Hrozek - 1.15.2-12Jakub Hrozek - 1.15.2-11Jakub Hrozek - 1.15.2-10Jakub Hrozek - 1.15.2-9Jakub Hrozek - 1.15.2-8Jakub Hrozek - 1.15.2-7Jakub Hrozek - 1.15.2-6Jakub Hrozek - 1.15.2-5Jakub Hrozek - 1.15.2-4Jakub Hrozek - 1.15.2-3Jakub Hrozek - 1.15.2-2Jakub Hrozek - 1.15.2-1Fabiano Fidêncio - 1.15.1-2Jakub Hrozek - 1.15.1-1Jakub Hrozek - 1.15.0-2Jakub Hrozek - 1.15.0-1Jakub Hrozek - 1.14.0-46Jakub Hrozek - 1.14.0-45Jakub Hrozek - 1.14.0-44Jakub Hrozek - 1.14.0-43Jakub Hrozek - 1.14.0-42Jakub Hrozek - 1.14.0-41Jakub Hrozek - 1.14.0-40Jakub Hrozek - 1.14.0-39Jakub Hrozek - 1.14.0-38Jakub Hrozek - 1.14.0-37Jakub Hrozek - 1.14.0-36Jakub Hrozek - 1.14.0-35Jakub Hrozek - 1.14.0-34Jakub Hrozek - 1.14.0-33Jakub Hrozek - 1.14.0-32Jakub Hrozek - 1.14.0-31Jakub Hrozek - 1.14.0-30Jakub Hrozek - 1.14.0-29Jakub Hrozek - 1.14.0-28Jakub Hrozek - 1.14.0-27Jakub Hrozek - 1.14.0-26Jakub Hrozek - 1.14.0-25Jakub Hrozek - 1.14.0-24Jakub Hrozek - 1.14.0-23Jakub Hrozek - 1.14.0-22Jakub Hrozek - 1.14.0-21Jakub Hrozek - 1.14.0-20Jakub Hrozek - 1.14.0-19Jakub Hrozek - 1.14.0-18Jakub Hrozek - 1.14.0-17Jakub Hrozek - 1.14.0-16Jakub Hrozek - 1.14.0-15Jakub Hrozek - 1.14.0-14Jakub Hrozek - 1.14.0-13Jakub Hrozek - 1.14.0-12Jakub Hrozek - 1.14.0-11Jakub Hrozek - 1.14.0-10Jakub Hrozek - 1.14.0-9Jakub Hrozek - 1.14.0-8Jakub Hrozek - 1.14.0-7Jakub Hrozek - 1.14.0-6Jakub Hrozek - 1.14.0-5Jakub Hrozek - 1.14.0-4Jakub Hrozek - 1.14.0-3Jakub Hrozek - 1.14.0-2Jakub Hrozek - 1.14.0-1Jakub Hrozek - 1.14.0beta1-2Jakub Hrozek - 1.14.0alpha-1Jakub Hrozek - 1.13.0-50Jakub Hrozek - 1.13.0-49Jakub Hrozek - 1.13.0-48Jakub Hrozek - 1.13.0-47Jakub Hrozek - 1.13.0-46Jakub Hrozek - 1.13.0-45Jakub Hrozek - 1.13.0-44Jakub Hrozek - 1.13.0-43Jakub Hrozek - 1.13.0-42Jakub Hrozek - 1.13.0-41Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 1.12.2-58.3Jakub Hrozek - 1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 1.11.2-52Jakub Hrozek - 1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Resolves: rhbz#1690759 - RHEL STIG pointing sssd Packaging issue [rhel-7.6.z] - Part 2.- Resolves: rhbz#1690759 - RHEL STIG pointing sssd Packaging issue [rhel-7.6.z]- Resolves: rhbz#1683578 - sssd_krb5_locator_plugin introduces delay in cifs.upcall krb5 calls [rhel-7.6.z]- Resolves: rhbz#1659507 - SSSD's LDAP authentication provider does not work if ID provider is authenticated with GSSAPI [rhel-7.6.z]- Resolves: rhbz#1659083 - SSSD must be cleared/restarted periodically in order to retrieve AD users through IPA Trust [rhel-7.6.z]- Resolves: rhbz#1656833 - sssd_nss memory leak [rhel-7.6.z]- Resolves: Bug 1649784 - SSSD not fetching all sudo rules from AD [rhel-7.6.z]- Resolves: rhbz#1645047 - sssd only sets the SELinux login context if it differs from the default [rhel-7.6.z]- Resolves: rhbz#1593756 - sssd needs to require a newer version of libtalloc and libtevent to avoid an issue in GPO processing- Resolves: rhbz#1610667 - sssd_ssh leaks file descriptors when more than one certificate is converted into an SSH key - Resolves: rhbz#1583360 - The IPA selinux provider can return an error if SELinux is completely disabled- Resolves: rhbz#1602781 - Local users failed to login with same password- Resolves: rhbz#1586127 - Spurious check in the sssd nss memcache can cause the memory cache to be skipped- Resolves: rhbz#1522928 - sssd doesn't allow user with expired password- Resolves: rhbz#1607313 - When sssd is running as non-root user, the sudo pipe is created as sssd:sssd but then the private pipe ownership fails- Resolves: rhbz#1600822 - SSSD bails out saving desktop profiles in case an invalid profile is found- Resolves: rhbz#1582975 - The search filter for detecting POSIX attributes in global catalog is too broad and can cause a high load on the servers- Resolves: rhbz#1583725 - SSSD AD uses LDAP filter to detect POSIX attributes stored in AD GC also for regular AD DC queries - Resolves: rhbz#1416528 - sssd in cross realm trust configuration should be able to use AD KDCs from a client site defined in sssd.conf or a snippet - Resolves: rhbz#1592964 - Groups go missing with PAC enabled in sssd- Resolves: rhbz#1590603 - EMBARGOED CVE-2018-10852 sssd: information leak from the sssd-sudo responder [rhel-7] - Resolves: rhbz#1450778 - Full information regarding priority of lookup of principal in keytab not in man page- Resolves: rhbz#1494690 - kdcinfo files are not created for subdomains of a directly joined AD client - Resolves: rhbz#1583343 - Login with sshkeys stored in ipa not working after update to RHEL-7.5 - Resolves: rhbz#1527662 - Handle conflicting e-mail addresses more gracefully - Resolves: rhbz#1509691 - Document how to change the regular expression for SSSD so that group names with an @-sign can be parsed- Related: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch- Resolves: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch - Resolves: rhbz#1523019 - Reset password with two factor authentication fails - Resolves: rhbz#1534749 - Requesting an AD user's private group and then the user itself returns an emty homedir - Resolves: rhbz#1537272 - SSH public key authentication keeps working after keys are removed from ID view - Resolves: rhbz#1537279 - Certificate is not removed from cache when it's removed from the override - Resolves: rhbz#1562025 - externalUser sudo attribute must be fully-qualified - Resolves: rhbz#1577335 - /usr/libexec/sssd/sssd_autofs SIGABRT crash daily - Resolves: rhbz#1508530 - How should sudo behave without sudoHost attribute? - Resolves: rhbz#1546754 - The man page of sss_ssh_authorizedkeys can be enhanced to better explain how the keys are retrieved and how X.509 certificates can be used - Resolves: rhbz#1572790 - getgrgid/getpwuid fails in setups with multiple domains if the first domain uses mid_id/max_id - Resolves: rhbz#1561562 - sssd not honoring dyndns_server if the DNS update process is terminated with a signal - Resolves: rhbz#1583251 - home dir disappear in sssd cache on the IPA master for AD users - Resolves: rhbz#1514061 - ID override GID from Default Trust View is not properly resolved in case domain resolution order is set - Resolves: rhbz#1571466 - Utilizing domain_resolution_order in sssd.conf breaks SELinux user map - Resolves: rhbz#1571526 - SSSD with ID provider 'ad' should give a warning in case the ldap schema is manually changed to something different than 'ad'.- Resolves: rhbz#1547782 - The SSSD IPA provider allocates information about external groups on a long lived memory context, causing memory growth of the sssd_be process- Related: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1516266 - Give a more detailed debug and system-log message if krb5_init_context() failed - Resolves: rhbz#1503802 - Smartcard authentication fails if SSSD is offline and 'krb5_store_password_if_offline = True' - Resolves: rhbz#1385665 - Incorrect error code returned from krb5_child (updated) - Resolves: rhbz#1547234 - SSSD's GPO code ignores ad_site option - Resolves: rhbz#1459348 - extend sss-certmap man page regarding priority processing - Resolves: rhbz#1220767 - Group renaming issue when "id_provider = ldap" is set - Resolves: rhbz#1538555 - crash in nss_protocol_fill_netgrent. sssd_nss[19234]: segfault at 80 ip 000055612688c2a0 sp 00007ffddf9b9cd0 error 4 in sssd_nss[55612687e000+39000]- Resolves: rhbz#1565774 - After updating to RHEL 7.5 failing to clear the sssd cache- Resolves: rhbz#1566782 - memory management issue in the sssd_nss_ex interface can cause the ns-slapd process on IPA server to crash- Related: rhbzrhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1543348 - sssd_be consumes more memory on RHEL 7.4 systems. - Resolves: rhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1523282 - sssd used wrong search base with wrong AD server- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set - Related: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7]- Resolves: rhbz#1517971 - AD Domain goes offline immediately during subdomain initialization - IPA AD Trust - Related: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1527149 - AD provider - AD BUILTIN groups are cached with gidNumber = 0 - Related: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1525644 - dbus-send unable to find user by CAC cert- Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card- Resolves: rhbz#1512027 - NSS by-id requests are not checked against max_id/min_id ranges before triggering the backend- Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card - Resolves: rhbz#1520984 - getent output is not showing home directory for IPA AD trusted user - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1421194 - SSSD doesn't use AD global catalog for gidnumber lookup, resulting in unacceptable delay for large forests- Resolves: rhbz#1482231 - sssd_nss consumes more memory until restarted or machine swaps - Resolves: rhbz#1512508 - SSSD fails to fetch group information after switching IPA client to a non-default view- Resolves: rhbz#1490120 - SSSD complaining about corrupted mmap cache and logging error in /var/log/messages and /var/log/sssd/sssd_nss.log- Resolves: rhbz#1272214 - [RFE] Create a local per system report about who can access that IDM client (attestation) - Resolves: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Resolves: rhbz#888739 - Enumerating large number of users makes sssd_be hog the cpu for a long time. - Resolves: rhbz#1373547 - SSSD performance issue with malloc and brk calls - Resolves: rhbz#1472255 - Improve SSSD performance in the 7.5 release- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1432010 - SSSD ships a drop-in configuration snippet in /etc/systemd/system - Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available- Resolves: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Related: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1408294 - SSSD authentication fails when two IPA accounts share an email address without a clear way to debug the problem - Resolves: rhbz#1502686 - crash - /usr/libexec/sssd/sssd_nss in nss_setnetgrent_timeout- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1484376 - [RFE] Add a configuration option to SSSD to disable the memory cache - Resolves: rhbz#1327705 - Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1505277 - Race condition between refreshing the cr_domain list and a request that is using the list can cause a segfault is sssd_nss - Resolves: rhbz#1462343 - document information on why SSSD does not use host-based security filtering when processing AD GPOs - Resolves: rhbz#1498734 - sssd_be stuck in an infinite loop after completing full refresh of sudo rules - Resolves: rhbz#1400614 - [RFE] sssd should remember DNS sites from first search - Resolves: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Resolves: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1469791 - Rebase SSSD to version 1.16+ - Resolves: rhbz#1132264 - Allow sssd to retrieve sudo rules of local users whose sudo rules stored in ldap server - Resolves: rhbz#1301740 - sssd can be marked offline if a trusted domain is not reachable - Resolves: rhbz#1399262 - Use TCP for kerberos with AD by default - Resolves: rhbz#1416150 - RFE: Log to syslog when sssd cannot contact servers, goes offline - Resolves: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Resolves: rhbz#1454559 - python-sssdconfig doesn't parse hexadecimal debug _level, resulting in set_option(): /usr/lib/python2.7/site-packages/SSSDConfig/__init__.py killed by TypeError - Resolves: rhbz#1456968 - MAN: document that attribute 'provider' is not allowed in section 'secrets' - Resolves: rhbz#1460689 - KCM/secrets: Storing many secrets in a rapid succession segfaults the secrets responder - Resolves: rhbz#1464049 - Idle nss file descriptors should be closed - Resolves: rhbz#1468610 - sssd_be is utilizing more CPU during sudo rules refresh - Resolves: rhbz#1474711 - Querying the AD domain for external domain's ID can mark the AD domain offline - Resolves: rhbz#1479398 - samba shares with sssd authentication broken on 7.4 - Resolves: rhbz#1479983 - id root triggers an LDAP lookup - Resolves: rhbz#1489895 - Issues with certificate mapping rules - Resolves: rhbz#1490501 - sssd incorrectly checks 'try_inotify' thinking it is the wrong section - Resolves: rhbz#1490913 - MAN: Document that full_name_format must be set if the output of trusted domains user resolution should be shortnames only - Resolves: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Resolves: rhbz#1482674 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server - Resolves: rhbz#1486053 - Accessing IdM kerberos ticket fails while id mapping is applied - Resolves: rhbz#1486786 - sssd going in offline mode due to sudo search filter. - Resolves: rhbz#1500087 - SSSD creates bad override search filter due to AD Trust object with parenthesis - Resolves: rhbz#1502713 - SSSD can crash due to ABI changes in libldb >= 1.2.0 (1.1.30) - Resolves: rhbz#1461462 - sssd_client: add mutex protected call to the PAC responder - Resolves: rhbz#1489666 - Combination sssd-ad and postfix recieve incorrect mail with asterisks or spaces - Resolves: rhbz#1525052 - sssd_krb5_localauth_plugin fails to fallback to otheri localname rules- Require the 7.5 libldb version which broke ABI - Related: rhbz#1469791 - Rebase SSSD to version 1.16+- Resolves: rhbz#1457926 - Wrong search base used when SSSD is directly connected to AD child domain- Resolves: rhbz#1450107 - SSSD doesn't handle conflicts between users from trusted domains with the same name when shortname user resolution is enabled- Resolves: rhbz#1459846 - krb5: properly handle 'password expired' information retured by the KDC during PKINIT/Smartcard authentication- Resolves: rhbz#1430415 - ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in- Resolves: rhbz#1455254 - Make domain available as user attribute- Resolves: rhbz#1449731 - IPA client cannot change AD Trusted User password- Resolves: rhbz#1457927 - getent failed to fetch netgroup information after changing default_domain_suffix to ADdomin in /etc/sssd/sssd.conf- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15- Resolves: rhbz#1449728 - LDAP to IPA migration doesn't work in master- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1449729 - org.freedesktop.sssd.infopipe.GetUserGroups does not resolve groups into names with AD- Resolves: rhbz#1450094 - Properly support IPA's promptusername config option- Resolves: rhbz#1457644 - Segfault in access_provider = krb5 is set in sssd.conf due to an off-by-one error when constructing the child send buffer - Resolves: rhbz#1456531 - Option name typos are not detected with validator function of sssctl config-check command in domain sections- Resolves: rhbz#1428906 - sssd intermittently failing to resolve groups for an AD user in IPA-AD trust environment.- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail - Fix Coverity issues in patches for rhbz#1445445- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1446302 - crash in sssd-kcm due to a race-condition between two concurrent requests- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail- Resolves: rhbz#1306707 - Need better debug message when krb5_child returns an unhandled error, leading to a System Error PAM code- Resolves: rhbz#1446535 - Group resolution does not work in subdomain without ad_server option- Resolves: rhbz#1449726 - sss_nss_getlistbycert() does not return results from multiple domains - Resolves: rhbz#1447098 - sssd unable to search dbus for ipa user by certificate - Additional patch for rhbz#1440132- Reapply patch by Lukas Slebodnik to fix upgrade issues with libwbclient - Resolves: rhbz#1439457 - SSSD does not start after upgrade from 7.3 to 7.4 - Resolves: rhbz#1449107 - error: %pre(sssd-common-1.15.2-26.el7.x86_64) scriptlet failed, exit status 3- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15 - Also apply an additional patch for rhbz#1441545- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1434992 - Wrong pam return code for user from subdomain with ad_access_filter- Resolves: rhbz#1430494 - expect sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy manuals to be packaged into sssd-common package- Resolves: rhbz#1427749 - SSSD in server mode iterates over all domains for group-by-GID requests, causing unnecessary searches- Resolves: rhbz#1446139 - Infopipe method ListByCertificate does not return the users with overrides- Resolves: rhbz#1441545 - With multiple subdomain sections id command output for user is not displayed for both domains- Resolves: rhbz#1428866 - Using ad_enabled_domains configuration option in sssd.conf causes nameservice lookups to fail.- Remove an unused variable from the sssd-secrets responder - Related: rhbz#1398701 - [sssd-secrets] https proxy talks plain http - Improve two DEBUG messages in the client trust code to aid troubleshooting - Fix standalone application domains - Related: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Allow completely server-side unqualified name resolution if the domain order is set, do not require any client-side changes - Related: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users- Resolves: rhbz#1402532 - D-Bus interface of sssd is giving inappropriate group information for trusted AD users- Resolves: rhbz#1431858 - Wrong principal found with ad provider and long host name- Resolves: rhbz#1415167 - pam_acct_mgmt with pam_sss.so fails in unprivileged container unless selinux_provider = none is used- Resolves: rhbz#1438388 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_pam killed by 6- Resolves: rhbz#1432112 - sssctl config-check does not give any error when default configuration file is not present- Resolves: rhbz#1438374 - [abrt] [faf] sssd: vfprintf(): /usr/libexec/sssd/sssd_be killed by 11- Resolves: rhbz#1427195 - sssd_nss consumes more memory until restarted or machine swaps- Resolves: rhbz#1414023 - Create troubleshooting tool to determine if a failure is in SSSD or not when using layered products like RH-SSO/CFME etc- Resolves: rhbz#1398701 - [sssd-secrets] https proxy talks plain http- Fix off-by-one error in the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Resolves: rhbz#1434991 - Issue processing ssh keys from certificates in ssh respoder- Resolves: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users - Also backport some buildtime fixes for the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1340711 - [RFE] Use one smartcard and certificate for authentication to distinct logon accounts- Update to upstream 1.15.2 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html - Resolves: rhbz#1418728 - IPA - sudo does not handle associated conflict entries - Resolves: rhbz#1386748 - sssd doesn't update PTR records if A/PTR zones are configured as non-secure and secure - Resolves: rhbz#1214491 - [RFE] Make it possible to configure AD subdomain in the SSSD server mode- Drop "NOUPSTREAM: Bundle http-parser" patch Related: rhbz#1393819 - New package: http-parser- Update to upstream 1.15.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html - Resolves: rhbz#1327085 - Don't prompt for password if there is already one on the stack - Resolves: rhbz#1378722 - [RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases - Resolves: rhbz#1405075 - [RFE] Add PKINIT support to SSSD Kerberos provider - Resolves: rhbz#1416526 - Need correction in sssd-krb5 man page - Resolves: rhbz#1418752 - pam_sss crashes in do_pam_conversation if no conversation function is provided by the client app - Resolves: rhbz#1419356 - Fails to accept any sudo rules if there are two user entries in an ldap role with the same sudo user - Resolves: rhbz#1421622 - SSSD - Users/Groups are cached as mixed-case resulting in users unable to sign in- Fix several packaging issues, notably the p11_child is no longer setuid and the libwbclient used a wrong version number in the symlink- Update to upstream 1.15.0 - Resolves: rhbz#1393824 - Rebase SSSD to version 1.15 - Resolves: rhbz#1407960 - wbcLookupSid() fails in pdomain is NULL - Resolves: rhbz#1406437 - sssctl netgroup-show Cannot allocate memory - Resolves: rhbz#1400422 - Use-after free in resolver in case the fd is writeable and readable at the same time - Resolves: rhbz#1393085 - bz - ldap group names don't resolve after upgrading sssd to 1.14.0 if ldap_nesting_level is set to 0 - Resolves: rhbz#1392444 - sssd_be keeps crashing - Resolves: rhbz#1392441 - sssd fails to start after upgrading to RHEL 7.3 - Resolves: rhbz#1382602 - autofs map resolution doesn't work offline - Resolves: rhbz#1380436 - sudo: ignore case on case insensitive domains - Resolves: rhbz#1378251 - Typo In SSSD-AD Man Page - Resolves: rhbz#1373427 - Clock skew makes SSSD return System Error - Resolves: rhbz#1306707 - Need better handling of "Server not found in Kerberos database" - Resolves: rhbz#1297462 - Don't include 'enable_only=sssd' in the localauth plugin config- Resolves: rhbz#1382598 - IPA: Uninitialized variable during subdomain check- Resolves: rhbz#1378911 - No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain- Resolves: rhbz#1372075 - AD provider: SSSD does not retrieve a domain-local group with the AD provider when following AGGUDLP group structure across domains- Resolves: rhbz#1376831 - sssd-common is missing dependency on sssd-sudo- Resolves: rhbz#1371631 - login using gdm calls for gdm-smartcard when smartcard authentication is not enabled- Resolves: rhbz#1373420 - sss_override fails to export- Resolves: rhbz#1375299 - sss_groupshow fails with error "No such group in local domain. Printing groups only allowed in local domain"- Resolves: rhbz#1375182 - SSSD goes offline when the LDAP server returns sizelimit exceeded- Resolves: rhbz#1372753 - Access denied for user when access_provider = krb5 is set in sssd.conf- Resolves: rhbz#1373444 - unable to create group in sssd cache - Resolves: rhbz#1373577 - unable to add local user in sssd to a group in sssd- Resolves: rhbz#1369118 - Don't enable the default shadowtils domain in RHEL- Fix permissions for the private pipe directory - Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1371977 - resolving IPA nested user groups is broken in 1.14- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1371152 - SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side- Apply forgotten patch - Resolves: rhbz#1368496 - sssd is not able to authenticate with alias - Resolves: rhbz#1366470 - sssd: throw away the timestamp cache if re-initializing the persistent cache - Fix deleting non-existent secret - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1364033 - sssd exits if clock is adjusted backwards after boot- Resolves: rhbz#1362023 - SSSD fails to start when ldap_user_extra_attrs contains mail- Resolves: rhbz#1368324 - libsss_autofs.so is packaged in two packages sssd-common and libsss_autofs- Fix RPM scriptlet plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Add socket-activation plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Own the secrets directory - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1268874 - Add an option to disable checking for trusted domains in the subdomains provider- Resolves: rhbz#1271280 - sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)- Resolves: rhbz#1290500 - [feat] command to manually list fo_add_server_to_list information- Add several small fixes related to the config API - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Resolves: rhbz#1349900 - gpo search errors out and gpo_cache file is never created- Fix regressions in the simple access provider - Resolves: rhbz#1360806 - sssd does not start if sub-domain user is used with simple access provider - Apply a number of specfile patches to better match the upstream spefile - Related: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3- Cherry-pick patches from upstream that fix several regressions - Avoid checking local users in all cases - Resolves: rhbz#1353951 - sssd_pam leaks file descriptors- Resolves: rhbz#1364118 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11 - Resolves: rhbz#1361563 - Wrong pam error code returned for password change in offline mode- Resolves: rhbz#1309745 - Support multiple principals for IPA users- Resolves: rhbz#1304992 - Handle overriden name of members in the memberUid attribute- handle unresolvable sites more gracefully - Resolves: rhbz#1346011 - sssd is looking at a server in the GC of a subdomain, not the root domain. - fix compilation warnings in unit tests- fix capaths output - Resolves: rhbz#1344940 - GSSAPI error causes failures for child domain user logins across IPA - AD trust - also fix Coverity issues in the secrets responder and suppress noisy debug messages when setting the timestamp cache- Resolves: rhbz#1356577 - sssctl: Time stamps without time zone information- Resolves: rhbz#1354414 - New or modified ID-View User overrides are not visible unless rm -f /var/lib/sss/db/*cache*- Resolves: rhbz#1211631 - [RFE] Support of UPN for IdM trusted domains- Resolves: rhbz#1350520 - [abrt] sssd-common: ipa_dyndns_update_send(): sssd_be killed by SIGSEGV- Resolves: rhbz#1349882 - sssd does not work under non-root user - Also cherry-pick a few patches from upstream to fix config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Sync a few minor patches from upstream - Fix sssctl manpage - Fix nss-tests unit test on big-endian machines - Fix several issues in the config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Bundle http-parser - Resolves: rhbz#1311056 - Add a Secrets as a Service component- Sync a few minor patches from upstream - Fix a failover issue - Resolves: rhbz#1334749 - sssd fails to mark a connection as bad on searches that time out- Explicitly BuildRequire newer ding-libs - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- New upstream release 1.14.0 - Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#835492 - [RFE] SSSD admin tool request - force reload - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check) - Resolves: rhbz#1278691 - Please fix rfc2307 autofs schema defaults - Resolves: rhbz#1287209 - default_domain_suffix Appended to User Name - Resolves: rhbz#1300663 - Improve sudo protocol to support configurations with default_domain_suffix - Resolves: rhbz#1312275 - Support authentication indicators from IPA- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#790113 - [RFE] "include" directive in sssd.conf - Resolves: rhbz#874985 - [RFE] AD provider support for automount lookups - Resolves: rhbz#879333 - [RFE] SSSD admin tool request - status overview - Resolves: rhbz#1140022 - [RFE]Allow sssd to add a new option that would specify which server to update DNS with - Resolves: rhbz#1290380 - RFE: Improve SSSD performance in large environments - Resolves: rhbz#883886 - sssd: incorrect checks on length values during packet decoding - Resolves: rhbz#988207 - sssd does not detail which line in configuration is invalid - Resolves: rhbz#1007969 - sssd_cache does not remove have an option to remove the sssd database - Resolves: rhbz#1103249 - PAC responder needs much time to process large group lists - Resolves: rhbz#1118257 - Users in ipa groups, added to netgroups are not resovable - Resolves: rhbz#1269018 - Too much logging from sssd_be - Resolves: rhbz#1293695 - sssd mixup nested group from AD trusted domains - Resolves: rhbz#1308935 - After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user - Resolves: rhbz#1315766 - SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo - Resolves: rhbz#1316164 - SSSD fails to process GPO from Active Directory - Resolves: rhbz#1322458 - sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - The rebase includes fixes for the following bugzillas: - Resolves: rhbz#789477 - [RFE] SUDO: Support the IPA schema - Resolves: rhbz#1059972 - RFE: SSSD: Automatically assign new slices for any AD domain - Resolves: rhbz#1233200 - man sssd.conf should clarify details about subdomain_inherit option. - Resolves: rhbz#1238144 - Need better libhbac debuging added to sssd - Resolves: rhbz#1265366 - sss_override segfaults when accidentally adding --help flag to some commands - Resolves: rhbz#1269512 - sss_override: memory violation - Resolves: rhbz#1278566 - crash in sssd when non-Englsh locale is used and pam_strerror prints non-ASCII characters - Resolves: rhbz#1283686 - groups get deleted from the cache - Resolves: rhbz#1290378 - Smart Cards: Certificate in the ID View - Resolves: rhbz#1292238 - extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members - Resolves: rhbz#1292456 - sssd_be AD segfaults on missing A record - Resolves: rhbz#1294670 - Local users with local sudo rules causes LDAP queries - Resolves: rhbz#1296618 - Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore - Resolves: rhbz#1299553 - Cannot retrieve users after upgrade from 1.12 to 1.13 - Resolves: rhbz#1302821 - Cannot start sssd after switching to non-root - Resolves: rhbz#1310877 - [RFE] Support Automatic Renewing of Kerberos Host Keytabs - Resolves: rhbz#1313014 - sssd is not closing sockets properly - Resolves: rhbz#1318996 - SSSD does not fail over to next GC - Resolves: rhbz#1327270 - local overrides: issues with sub-domain users and mixed case names - Resolves: rhbz#1342547 - sssd-libwbclient: wbcSidsToUnixIds should not fail on lookup errors- Build the PAC plugin with krb5-1.14 - Related: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1290853 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.- Resolves: rhbz#1336706 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups- Resolves: rhbz#1296902 - In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD.- Resolves: rhbz#1334159 - IPA provider crashes if a netgroup from a trusted domain is requested- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin - More patches from upstream related to the memory leak- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin- Resolves: rhbz#1300740 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.- Resolves: rhbz#1267836 - PAM responder crashed if user was not set- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Fix a Coverity warning in dyndns code - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1263735 - Could not resolve AD user from root domain- Remove -d from sss_override manpage - Related: rhbz#1259512 - sss_override : The local override user is not found- Patches required for better handling of failover with one-way trusts - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users- Resolves: rhbz#1259512 - sss_override : The local override user is not found- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help- Resolves: rhbz#1254518 - Fix crash in nss responder- Support import/export for local overrides - Support FQDNs for local overrides - Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes- Resolves: rhbz#1250415 - sssd: p11_child hardening- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected- Fix wildcard_limit=0 - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Fix race condition in invalidating the memory cache - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled- Bump release number - Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- Fix missing dependency of sssd-tools - Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- More memory cache related fixes - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Remove binary blob from SC patches as patch(1) can't handle those - Related: rhbz#854396 - [RFE] Support for smart cards- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*- Fix memory cache integration tests - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups - Resolves: rhbz#854396 - [RFE] Support for smart cards- Remove OTP from PAM stack correctly - Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Handle sssd-owned keytabs when sssd runs as root - Related: rhbz#1205144 - RFE: Support one-way trusts for IPA- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on individual clients- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support - Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2- Add support for InfoPipe wildcard requests - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Also package the initgr memcache - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Rebase to 1.13.0 upstream - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Don't default to SSSD user - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Related: rhbz#1205554 - Rebase SSSD to 1.13.x - GPO default should be permissve- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x - Relax the libldb requirement - Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21 - Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs - Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust - Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers - Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains - Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups - Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set - Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides - Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution - Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work - Resolves: rhbz#1214337 - Overrides with --login work in second attempt - Resolves: rhbz#1212489 - Disable the cleanup task by default - Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf - Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one - Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected - Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all - Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface - Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain - Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys - Resolves: rhbz#1204203 - sssd crashes intermittently - Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default - Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only - Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries - Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything - Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query - Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects - Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name? - Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error - Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD - Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set - Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires - Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option - Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID- Filter out domain-local groups during AD initgroups operation - Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Initialize variable in the views code in one success and one failure path - Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Handle case where there is no default and no rules - Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u- Set a pointer in ldap_child to NULL to avoid warnings - Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Run the restart in sssd-common posttrans - Explicitly require libwbclient - Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Fix endianess bug in fill_id() - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view- Resolves: rhbz#1184982 - Need to set different umask in selinux_child- Bump the release number - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Add a patch dependency - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Process ghost members only once - Fix processing of universal groups with members from different domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved- Handle GID override in MPG domains - Handle views with mixed-case domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Open socket to the PAC responder in krb5_child before dropping root - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD- Resolves: rhbz#889206 - On clock skew sssd returns system error- Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used - Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Resolves: rhbz#1171215 - Crash in function get_object_from_cache - Resolves: rhbz#1171383 - getent fails for posix group with AD users after login - Resolves: rhbz#1171382 - getent of AD universal group fails after group users login - Resolves: rhbz#1170300 - Access is not rejected for disabled domain - Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode - Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear - Related: rhbz#1113783 - sssd should run under unprivileged user- Rebuild to add several forgotten Patch entries - Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Remove Coverity warnings in krb5_child code - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Don't error out on chpass with OTPs - Related: rhbz#1109756 - Rebase SSSD to 1.12- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users - Enable running unit tests without cmocka - Related: rhbz#1113783 - sssd should run under unprivileged user- krb5_child and ldap_child do not call Kerberos calls as root - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware- Fix typo in libwbclient-devel alternatives invocation - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.- Handle migrating clients between views - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Use alternatives for libwbclient - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression- Add an option that describes where to put generated krb5 files to - Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12- Handle IPA group names returned from the extop plugin - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete- Support views for IPA users - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Update man page to clarify TGs should be disabled with a custom search base - Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Use upstreamed patches for the rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Resolves: rhbz#1162480 - dereferencing failure against openldap server- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1113783 - sssd should run under unprivileged user- Fix two regressions in the new selinux_child process - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1132365 - Remove password from the PAM stack if OTP is used- Include the ldap_child and selinux_child patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Support overriding SSH public keys with views - Support extended attributes via the extop plugin - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving - Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times- Include the responder and packaging patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Amend the sssd-ldap man page with info about lockout setup - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD - Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server - Related: rhbz#1109756 - Rebase SSSD to 1.12- Add the low-level server changes for running as unprivileged user - Package the libsss_semange library needed for SELinux label changes - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Use libsemanage for SELinux label changes - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Rebase SSSD to 1.12.2 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Sync with upstream - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebuild against ding-libs with fixed SONAME - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.1 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Require ldb 2.1.17 - Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer- Fix fully qualified IFP lookups - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.0 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Squash in upstream review comments about the PAC patch - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Backport a patch to allow krb5-utils-test to run as root - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Fix a DEBUG message, backport two related fixes - Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success- Resolves: rhbz#1078840 - Error during password change- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider- Fix idmap documentation - Bump idmap version info - Related: rhbz#1067361 - Check IPA idranges before saving them to the cache- Pull some follow up man page fixes from upstream - Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does. - Use the right domain for AD site resolution - Related: rhbz#743503 - [RFE] sssd should support DNS sites- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin- Mass rebuild 2014-01-24- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed. - Fix a typo in the man page - Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain - Fix return value when searching for AD domain flat names - Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword. - Fix two memory leaks in the PAC responder (Related: rhbz#991065)- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup- Resolves: rhbz#1049533 - Group membership lookup issue- Mass rebuild 2013-12-27- Resolves: rhbz#894068 - sss_cache doesn't support subdomains- Re-initialize subdomains after provider startup - Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- The AD provider is able to resolve group memberships for groups with Global and Universal scope - Related: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog- Resolves: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog - Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"- Resolves: rhbz#1037936 - sssd_be crashes occasionally- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains- Resolves: rhbz#1033084 - sssd_be segfaults if empty grop is resolved using ad_matching_rule- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- Skip netgroups that don't provide well-formed triplets - Related: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 - Resolves: rhbz#991065- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash - Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 - Resolves: rhbz#991065 - Rebase SSSD to 1.11.0- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 - Resolves: rhbz#991065- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 - Related: rhbz#991065- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting- Apply several important fixes from upstream 1.10 branch - Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- Remove libcmocka dependency- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doensn't carry any older krb5-libs version- Enable hardened build for RHEL7- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath insted of mcachepath macro to be consistent with upsteam spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. - Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested tar get is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstreeam spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predicatable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. - Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. - Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. - Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. (Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)/bin/shuk1.16.2-13.el7_6.81.16.2-13.el7_6.8libsss_ipa.soselinux_childsssd-ipa-1.16.2COPYINGsssd-ipa.5.gzsssd-ipa.5.gzkeytabs/usr/lib64/sssd//usr/libexec/sssd//usr/share/licenses//usr/share/licenses/sssd-ipa-1.16.2//usr/share/man/man5//usr/share/man/uk/man5//var/lib/sss/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericdrpmxz2x86_64-redhat-linux-gnuELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=5dc3af1e1c89ab9a44fc64121f06add9e036acd3, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=348dc2cfb8d268dbb14d69248fe47d71b85f61e8, strippeddirectoryASCII texttroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, from Unix, max compression)troff or preprocessor input, UTF-8 Unicode text, with very long lines (gzip compressed data, from Unix, max compression)EEPR!RRRR$R RRGRRDR.R RRRRRR=R RR"R#R1R?RRR>RRRR RAR0R+RR R2RER(RRR/R R7R8R:R6R5R&R'R*R)R%R-R9RFRRRRf W |0h@|pҺ) ?AZPN EU %DZםUgהբ"r5QA)RD $]aKى [tovgP|@Cw+8ۺf^[E^5xN]C^qčE5) ~I SձQn ٕ &:w]~5~/u׫ՒNk\8u_mG:%l$ֳh^'nzUmd8WX>j}\]5pV92$6>V#UMtR2*rxbg(Jfo*1_,EdRU4bļQR5(8rzg]FGbt0, \Zjpg `= _+6C<Ұ⨤"uS]#rU>[pD~!X ȅTUb-jFDa_D<' Ơa)-D98:~4G$X[Qvj@0amೌ{+3Oa1b,TVRx,,#-.\TN5tQ_~jnZ3~dE|fMQ^nIJ,"fڇ+pWT$`Wfm (N UtSpɩw`=n?{@kfV?5T&qZ< Hh<282.:d[QYPx{o tRHy z\u%.W]'X>="<0n셏 vp#ӼXR_;Y߆ _cӖ!L}) T( 71`{l{`rp=925kM.l܃SЇ#@`-*iUr66Mzod+\i%35uJNc6ҫ~բ֗+SƮ#,.I]I *lan_T}NJ\si` 7TX͹D<渨 g5%uI fY]AtHvepӶ`晈Ul_8{j18v7o㉇NbTyjg5^@Sa,۲r[py%q2[J\;{=ƕ@\߭-[F0n6@`^*l ~dc$|etUQZOE@dUD{h%ܴ&feb'kby9XIjի۳- *ú/@xwqLHޞ =R1b:ͻwp'vK\o:^F3# wrX{\034YIt7rq?m:k ~yjCM';h;Ko*BE#/H6o2/xUFjƱ-GgɡCNj=6foO=94@:RxvLh4|4V(:R5 h 6ԗ5;CZy EvI$'~19E>m 6R=P}X_#gzeك1"W_'QruȎH+A& IrE$CόϹqPhIKӗ l/|hBזLaw ۮ384cUoVv mK9Se+m_!)Z岯,K7e'&& '$R͚]Cw[t? |2M\77T\pgFuh@K;c{pW*W x%%md┳^#2{n>E~u^+ܵE؊K}DBBMV ʝH dn_(B.; x#gU䳄XTbD&q$xF*UuwkfO_vݣp5D?-"UyxZfA Z):+>Ql㒋:[׾tkԹPC;X&j i&%C5re=_vcU'{i0;n|W[ ܶ`]l] G*P0`Z{QN'K~x>Z3=T`7DKʣ, 6w}wܕ u!"GAsYb-AIBC6 ƀJ-|̴SHWa p54 x>p5͑{^?ߵ'>H?@jYr*nڟC3ZG N?A4tr:G32\x:S Y8O$D, .#jlHXW",&k}&Ybޯ=yw.ѻs]o{"#^YiNf Vҩ~T2B#oW|B9gi=kSl"S|No;ؕ}: քJL/ոG8KR ˓ӀLܺzt$C}HPr]S }~!*B sˠ?j*.DFMgpyKm/0YLڙj˅i&wXEzj0ǿ7/KyρDZ.eP} |x4ݕi$ p,?dN)XqC أ/v?V7ZJGYtԍvV1z{&1-Xye+oEjY눾+6{ۺ//4խH4Oj(,3 :P7}|0Y_@Dy7m|J^2wS.µx{#mYQAMPJI{?פ,_{-Σ07=V ' hVcaprPz'w^i&׋Swb+SH}כ,}NjSMr:QR] A 1Lk7g%qK[*{ܽc6;GsOj&`OrrϘ( 1flsj(zZ:$_u7wmf#Gh#4QV2]x4 3M6n );̉{^WɘaaAR{pʠFA;_>?*#ca0cB{Cvxv"|aJR{4kKNUd,vt]qA=گ> SwfLj6&IAe _-7`+u0I7..=h4U;nR-) &V?j`nT!L0OXl3 [_enAsOFg}\|{* Fi5鴼eWp8$,3Y& ,ZVܠ.J&dw_r{x{"|~ $Ƶo s#uBv71+-''u'o-=$ﴃ-C't QP~K@A6wy,v([oKыUjlI(rH6&2 {.TL|W; 8_>킪 LC3#ȰM䣈kY&{Wh-SQ@Lþ^D/ז:[9eC9":. hj {J~.02V˕U~? 8iA`oQ;vZјCW-R`OWRY7fFOP&ҕ4[g.J 6J? [M5ht)[+m<]SuKHv~y)2MR0I<.K/ co39 DgtLL.Np#%4G"QzD\7N`-9ZQ s ȼc,NPP%f "C[䰡f'Qu[ CrG/LR~8 ʺbse^~B<=!Q@PL5 D+͌qJLNڤʟrbOP&}Ul5"÷ѵ=k%F4gdLնQtb`Y =I=VhC0וl[OJ9﷠cf3aHvIJ_@QZ|`_Dڪqc?]ޅĭE3S[ 050l)v BH1z bq$'Mޓ=`_Pz튦`q o.f}HAzԿYĭ2[j I_6*S̓!2R 8Wz-S.u]E1JuzV؉a'Kv+jwZ*m&el&|V1bob`4 "-Me_lp;ui[)?N-1 ;faH~{]UuLaDq lż ItI!r1Bc4dkeFwZxHz5Eah*#VMv }wSTqfBQwO)pA>R$dr@kR c\l vr]+ݏZ,U.X';iNDHgS78Ӿ~`ʤNDuw\`oMvy+pwrś+##i)#)'V[":vp#cO m8W8'Fa+3M&MC d7=^lK]3/hS /+˟)j}p'z;WC@V& T a݇`ZNH"3?߫zoר(G]hʋ;#t0g8R?4ȘouJ^QZڨ |%~5ڇs\@_ qx:GRR#XM[tV48Z@ unbq9+Ch0_[or2ZrZ'p7Lּ uROP_S`h%64D:CLuQyeҷAtwI_x'2uN3GI#(w\CXzQRJP/6Zn ׷:Œ(+}x?b+a1LWS;tDLX-/ڊ~Ǐ w\fಁ~"2 W/v^9,nrx Q'T&ڒU3Y/ fbS$HV`*h3gr.[5E:( GHUFKДw?eձt cXޫ(WhC*e2DY7,FW>vt 1 2jq'1pGHpB kuގ@S϶9y| &jC8׈h~[gih9.e|Rĕ.Roۯ9^'>]Y+CRVAmk4L &Hp-;|BU~921&˨-/d>>+>f$'񽦮)F u$ fsZZ`76X.& _G팟6ir v+  z(x [Z7 Ǭᗫ^9of挘R)@R*苲[otL?Z`_# <\jʖeaI&j\@EFk72x]kU9={xŸgT'O 鬃qu%vFyg*4BZ N7:sER%C {EFF?vfTr"끊?3r$lM2cL, 5!rrsZ~_^zy͓kzK10s&,kS*LÓG=F *'GX܎4TuUNQQǧډc+`qs+Ƿ#:[߱\ "qq[`NH[ἿcpsQ7$Y2>hoH\}Vn `ZHPOHh"pMoNV#RP5cܵF-00H(!*iX̌*aDItkz9x9݌q4z)470F!^DԘ$A!-?xJ&W7}[kU"PM5 ,z/bD,r~JCvݚ=R!q~m [fQVP;"k>|kYaeϒZ}G4Qg3L%A"|RQiSx~yKFoCCUk \'+<ɵ6neaT ~c\rZBRdπLǎ‚f{'T1-9Jۗ/.[fC`e ;xOBЦ ?4f #subKnwQNOHev;8`=`}#NvO]KNM5\|6~C `y 1*5P荙TQ;l1lUE v3?V#XCf('q/apV4s;_Y[5рC|[2C_Dϼp!VhopIoJQLR:@ɤ()PqڕKnWCx7a4{s7K[[+]VTlKM"p]Qsqܥ%jUHmY\VGrb&t}gB΍?,r~ԋ8,"$8!wL#/|a`덞Q\c4i͏T.AÏD= G}D*41rB~8DPوutJ#̃. :ɛ85 /5Xs5Mg}V90P_ whUD皭w/1}r27@kC] MA/C/$X['H:j"G=-4bd?(|V|[GwR79p8AF(s+Ivfp ڃ&MHeoU}fylbQhKXI'D 1~J>]L2sN٨Q G)`}v]Poo*~lDn[*^-@X@2-tgFUܝ91)%SsM%&o{XgQQ ToS(S α9~ /nwϊd syp~pK6%)]}Us]KXe &/E ᵃM0l0;a_IAW%3$Ih'\P< fq@n/Ad]ց?zHQˮ3(EH=T2y@CKp9&!iWjkD=FowGV(e| Q G_goVWEXs`,foD!75_wCrBOђ?4QDS)6~?hs >YBf[?SKk>U15û>O8jZ&)V 9l]~f;NNRL^쟬Տuf%w mzq?Eף@#0D! @Kk`mWbSʇj7*7Ã.b,;+^RQ,+kT;CB }Tcu_i6c+vӆu@>>5Bv|xo)^K0(Ž01_sεv=u0FgaTsY_ ;.Ѳ3?g"E rN!%qd$ًZ"xṮCv64ao% z;d`,{'kytͮ﯀b` Z6…JۍhBkhYR$ISJYHONYFlggTEDC0@s&yKe F5蓗G*Ҿ̿5L6b" zh#k s0ﶗX)3ɿESfCP.֠ЁcjL%]O4r-|M^XEH~ hu(Vu}G[>n"E o mCЫz/%x֎j /u$,]HJe5 QXܺJ{两OM3脝؎&&_nnTJӪNz\ uw%S;q.BOd!K;rAubĄױMFV+!dd}q].umeS|NɊ#y^B_:k+IgW2u雺pRtDNDnzviƃڙ%{ޣ+o%58 -"Nu:^$ڰGK,Y@Pp+OO3@<_%^#`*Z.ڥy'M &h\G_rCJ toFc; 耿͟ruW-ьVp3JS۝]'t^W~'RU;ĒEcw!DU+ '$9~? zau~xc؊ޘ "xcLH6Brvz*a2 C.0n=2RY45cj>2cyu,E,1i?+t<^Zʏ ܙ%d]fu1`&8ڌ~KN|UѮWXM<[2p$7IZbΘ ʛ:&^-/Ho,(É]Q&SnFNt)\euʒ, t7vHTCw1޼/1h$x>EvأF xLP[R,q?mdJW]ٔs]koK:zh7 6/޸Eʝ?o)o&ϐ8a$sƶћ<LqJ~0񬫁p$.v1/#&Ĩ`[Ɑ-[C,%Z6W #ԣyvn[0ٴu@|Z4F#"L#wϧ-= <(1yZf NIIoyyցf;MXq颅U>&Pcl&ZDgUN&m4Ga ?{fiAx?o6񲣙Ҥvv0zZ6Zzlyij<*8vOSZvԥՇrnqAx{hGbfMP@ڛZ8Ak󥧠F3}%m1_B$tߠK̑O搝Ʌ 8K#Lpӝ$}4Gz6a3i k&jf[Ta&hlko\شpβ7T<{PDSz%ʪ(؈2KUc#TT.J$ PB}qC Xd{L]U*BؿYDB4\x%Jzԥ\jJY<ۤb,S. 7GyEA~'J{x4ޒ.2RТy,iFbPVk+ዼ޳$jK[@SF*7s{zJїu ~[,9^<_r,ka`UpO7&W by4 <[[x4)$C5 ti;LMo0ы~b7l%|a/Tm+'F ~x*`3c6G#oUՊr,@U~gA_(`UFDAÜL em~Hgz ZwDDig]|'O3oWGp <^bh|JZH^pNgi8Br@t*]sZNF| Z^PzA]>'DzV{H,?8>hŨFT`^;AB^[*Q`#)3z 6 v?k.̛q+ڡâ_C`iX ?.%/n[0?K}%0aB 90(nea],Q}9_Bʩ]Idŷw[O,SEZFuIP ̀k0~*4Ar Ŝ5Z<:B9/Ӎlj?"Dk$j J[_vs {n-JF+6ִ6Sn;=9IW|X j,P@üלik Vi ڑ߬cJpCVIg7= ֒,9n1srNv_Mo[˜:S9@Z~//1[ F09b@K0^zX 7x@8#ҟS$\ex.w~bКӸ#Y]w[QA 2f۶S E]αiFMlS<&:F {68T5`!Z&[z'8CjvRo)^o_{@w-^H4>lîh݊n&Fu 1nxq-QŤ&/G 1*l 1mb{cB|Z!h[W22^COսm>*J[ ghre+۹7lQSz-4"\Բf aQ^m%\vOpFEC?"}9N`ˌݻ+DvUI̩C bŰRyÅ,~ڰՂ5<udH;!sK1,YcD+º7mḂ&o$?џUpWTPDjǑ`hpsr#}YmS|윣^RݬFiTg' BNLb{y̪/ģ@b|LƸsB0΄\]$UՔ|8 -MRgS ,-iP>$d- DB;).CLDУCi3 x..xS=|ݵr찧Oz_J-כE*rNٟ^'ڒnjIT rKp?oNm_Kƕ"#l0SqoWLK$.↯,obQ'r/l>~R5o"+yFP5IV*CM;^5/<&s9K_Xf'c5{ V 'ƱZzɿhE+&%EmRJ0w)|',5\6heS]ނ!tn^{ b -T0<|KWDJtiN>SWsƩ2. mTk@Xҝ[䫂h5  ,atM`kplS©tm%.nLSvdDejBa|E="^nk|tkp}djK`FZ+ JӲ&xnTVIY"M 1I)[ aG  6rs#v,c"`sx))P[RG< 2%bԃ@y)wgtA*Vpـlt;s, 2XYB<*kM:"b=> [¿ )!ukj 3`.%]AXճͨ8f}6y_+)v LVXbrSF_h` ~|V2@8Z &:M!wrl WIYhy W* ,\kzޟZ=hu= %9;0uE/ENo3>@{;ox!^ ?|4_a" d )mc⚨߉)aZoYi[;6zQn4<ͶQ(Eb-fMG-{D<մDY ( x빬Tܤ]0"ɖ?Fo 5nQB07# h 4FήIӺw ~:A7Yw. x0ɨ54B4Xgo@LW@jɽrtT9yq1!]2 >{P2~u Du4ACΡ#L"4=k@S\hm%xb.*ɡnHK*E$|%+Y /8A0kp}wuX=Oz/q˙Ŧjn!y=s㟙^*UvuTq'z·\< \-v<8Y #e`e@|~t v JQ[Nh5xh\LfRČgH HbH&^ NxOOim6gy`OJto`ߨYX˓lt[ lÍ0ZBWӱT a~uFo_2d *CUiێU&b %wn/fbUZ"^o|)k&h{2&wj3PO6|dyQAEIC>71Q3>Op`A$ V^PV|P;P|Fe:^^H5=JݿX+4l^qdnWÊj)6ҦXcn.'b-9U&xc_{ҞF7Kb3ґ$sm3g~U5CNQ.$w/M" *[և]ym#MTct7C8vDHQQZULE wi-_Ep&xv]Oo =NNiJ0]>6oΑBz\}U H~\JNjF(b.iܬz  iST8T)Q,/d, ݅LVfR{8z2Ǩ՛ 9`,D~,3?՘$eHsBK D{Hc%ce;=&?`~}!®9\Tԯv*sʼt!~hٲu0LLfl\w[SyQ~iljًN#>QzQn![ 5Ea;]u^ ٖ^0_gUǒHFbN[p% YD洺1~,2-GQcH_!^";})(R9y?RP# r@az]g*ZKO~ȐZ!)\UyS0^b)"\W!R( Krʆ5OUu5 ֻ}v(:`%J[kyX)*ipq<_}mi*O#a3%^o)z b$3/g˭[;!b+c(t=*k N6`dGͺbA:7 ;t@1+m$G`/Si ow*ynE6nxILRGm}z)|TT|p¼#- *Xo^twh/)[KQI"w$Y rZ @@oMK (Qsd]lcYP-FOE/ ;M:"LtQTtYv#һL`]z ~Ԥ,3 \y(2⨮6e3S۳/3 O|fr,-S}a4NS3-DƹŔ='zgJ˦$e 3?JA.ѝ1oi*fH딧9Ij1" xO/8:3:w "ZwajꋹzyDq'j͞~+t0+MO7©U<%ȹ B8S c4+|f[A~]k" 6ZEvq+gybHFn DD&6}y>h`KILyD&uzRnU#Ǭp\Ϊ Mm'V"(s)mBk!E)M"Lo4rz $X:I6e$$A_g=<wk3;Dh݁쑀"*h[nغFvZɤ}SDW''!V޵ǛC.|dJ BLetu[*/T3ʊyj<^%IPtΘ€ "(C 뢗W$cİ>^vLG%"kP|bvtWnysMVN7鳆uO ֪wri,@Ef9 Ϋn е(b^?sd>bG4ȊBhBEƂ%n^ \f~_Y}c=f/4^٣{-?7k~Q-ߨm*ik}h1{ё< >)B#қo&phmFW9D5wCv J Jy]/0R(xAʋ38ָ[ZGC'!~>MN4z[g H皖mMjgp؎)RwsMkW>]|g'994? S~EXr"fk1]F-. [36NM,pE̾*)QʁQDAvܼUz,}ozph\Ef ZɼtLYZ3]]Fx )BN vך7|t,9n/|wXryo8ؿIlL> [>~B;+B?Gfcx( 7`n]E(a[3 gƟM| 6m`)u |Pw@Kˬ .ϟmNFA j(2Tacc6"uJcby9IJkBP<&;}5J$Ϭ.ˀ9uXw6Ysbl1j)zvҠuH:Tp3NG`EfD OE;͏\z c eQ8k1zk)L15 3RDz}ٶʂt5^%Eq+CBC|eBZs{=,qF-Q.rI>w5,}#_X1z/Q(ׯZ0"RV{;tg}}T2>@j";A6G݀Jٱ7r*_Q7QN^jYBskFbVjnR6ZxlV_O"L0}=+*կO;/x"vhՕ] w}N\ڃ)'ίB;‘cvh$BqaޔK1QlcfLhHx98ɪ9^ 7^8EZъ"k]U~VJP7$:F6<ߪe%pyFsd])547yzPS'Gޯv-$p2H@JWZԪqTfXnB.Q_duK1N[\ (vwS- k{L͕ϷΖ BqT!~prͧ)t2=~c,$57A=5Ӹ`<ߐ=y6$+SB͇x]4i&rwg ڑ"9hh} |ՁǠ /֭mŹMqqRZ+ȄC}#Y^϶⸀@ar2-FV&08C7Dtd l.< 6IN6H9Ao7$wwɐ9{sED@D >"䴆QPj܆4eYt@ Z,xח$4 au19] : y;ߋͱŐ]8pyyW  LվVnA"q2uQH: I p,O[UwѠI(bŁ[Ga|F۸l`ALl1Y^jʳ nߎ!ۍ[WMӂw|j32۾i&DuŨTO!1bnm/1S⚴Y1 k.`6f*2,QOV0a9>Ƈ<5JKvXZ xI0K.Ro_zA^+JkrrMV_\m/A0|t)Ny'OlL)-g4z'-ɘnUfrhg<]ĕ/0e%AVcizJAze[xa5':`/ԇs_  h1D.tEs55>4Uiv8=/.]V^+' $K)}U7a9h;cfհ8#J4UWoq->u"Fb_}UovWB8W9=E aq4p\)gJGuTk 7Fb߮!kz \\ǤTI)gKP|no=l;";ڏd6[~& bMw%-)+Bh!YWj_ JQUKZē}ۭ 1>-nZ+e /:g/hbo+#,/h̒oaR"i g~a}Oӝ糢H +gDSG萆 LnC0UhP匿;2eN0aya8_X aD}q'DCjyMT98|Ku4}CċA)⋥tGl&W|ꧠI>8IL{Jua\L +ܡ4$3$Ċfp9"g֋$0KNeZ#hL;]P>]H8Ki:j+pyاi^ߢpK3 e7紃u%\+ː>D-|j)&q.=CP'F3%ŻL*TW* !oh;d`~:<7MqS¨$2JZ{[!B1UWqaA V+jm(<η .y@M-^SlbDL Φh˺PNKMk$GxPJNMLG+ScPU됉}:M3g!xϭ )=;=KϚDż@ZK#'QW_z5GME nH6u"l&/F|1o!3ǃ.OEy]=Vn> ;8GMW<S>0sL̃8`@Hl5aefQCIHm19P@ּRgZ2$׉ Wr. Ts vqa?X⣐mz86lȭv-H':|r̷Qy\ ЊT ~XAsQy e]{zZ!mYÙyy> HSp]2-I%!R"`h4PBTrzNtHxu.<$4pfs*L4O6ø&ZgStT$] RaTY[YLCXv>$C0PCI! ݊o:|2p"c:(~i,[ %K\õv`}14}K5rid1kHF0CcaONAkgom gW&w^z60ܤYH9SH2}@(>> Sö 24=踃,YK9#9ՑAi3]`ڏ5X"&%m0SB$ Ra* dƃ2ir о J􇈌 h:o$h W%сxYx9ᣙ8rEHқ֝DfO*!u].`Bl(OQz3zz0^E1DP~HW9Jgwk|і(2K3rD|H'40QgFd&wQ4rL[&2CY~Il^rۦDc3rt b^}*r)yq~; 8Ҿ\<ߣ~k&!W+8kgze-t-[<1 PͰ\&F.3\ڷJ_go'0S7I:vrrco4{L8Lͫɀ@2FPqa]Ow'QrzP;[u*#D߻J4%:zUћyh6aiS*)% 6> aT?ll_w8P=;/ts~ )'cԬ*">ȓ@R긤 /ZDV+Yb:Ekޏ]ÐbZE73,cLQ`AdOM}tYݔ`5;kok(DZ&=($^~ю ˕QnnyvA#U]2}v BfaVB 7Q kK8d(CfDG1IڌOȆ<^C'ij!b'砌?fJqt>ScVƧ;$-0ayX-Y(UJEIs/x"Ⱦ[=[xT[& >e@7m_X( \Dʻ_=x$H1ʹF9˰Mne (Єm;A'Q(X  4թVnl*; t&Lӗbߑ[Q >;ok!N[׾`"噽vICJPAQGdR@d1,E*aN1`^Fezv\?u\"L-i\ 0=hc§5dlmo?̟DZVBڶ] #[GL) Cj\*>NKӭ=\^D=8bݴ7cq 7^ԫXAG T PaFjU$w4}nqKW$j}2[C=#l;*,Hb;Odݛ7dFk{& m{rRkܨf_paDލ b!^!]lslz^FAg9\ HX]peE?*[r<2,zhչ2쒤b08Q^°#'<|5uB*rDS/[6}k.Vm 4B깯Ɍe0lU>g-eIv3 #u۵\LĨ8 =>g=(nsLv rw q6B&uO{p%HbWa.E hF3W()q6pD׀ QFwʅ`"?ۻ sȰT ijkH-nY$6H._+(Iz?-4?Q ?DV\9n4³y(J |m,#ԡnR=6LX ƙk0yC{6 3R(-E5YIWD6%*wK5@\!q4Z6280s ]$ChM1#[0&ePð%LE2@,#P*p=!r׺ݡdynJKDA#Z2 uE ?pQe,CˀG<~nF{x2{sK nbJ^_ɴ&Rʳ*0Ap9J@K?M;?}hģ4A5IEB5bȁ@jTBKkO$8%IJHj|(Ԅ2 ѱatWӼ ֽ1ZJkŽrBL8'2z˺Lw&|f'2|byavyyZLq~6!ڸe{?s-Ӊr7^_%2&V,@9sdeyʉ(jfSDu9A'ދ}MqX;QDZ3hv"۝HGSZTى-N|D?RWmmby>Xg_ /ᕡy-ҔCVtpؗ--4;گM}O,+1\]MH(/6Il ۞jb`gǂ <8G{}.L]-%b]l86nOΆJ, K1Sc|tEQ˰z+2t >طZHFuT{򏹼I,4>8~nw_%UW,'ܳ1*ꀓw~ԗĐ?ZO }/n&[{Prt{B致9bLSzzc46Ww*Nu=K"ƖIbxKJTrwvy}믯I]W&Svʜwc݁E㒇`gs*ONKM[.` Bq#ԨLRbt!\Gp+=8 *nD`Ԍ+5Ȃy 2I6׀^E~z:]Å*f3z "^e:Jucq!욀g\[Gm|=6_ۑ>62\>T'BӨe>D:}A] ZT倵zd09ўi\z̞b8 ՕԬݰILZ./iCnS^ ÈIVRn΀oKCS̒qt>*Ǽ=0 )Q\EPEt6˒5('Z1*.8; qn.RheM<# rπ)ª6f/ W5cI%`Q:ۙ0>3~oXcZܭeM )g}Pp dhkS-.W6KnR,4|T9-Y.%}7Xl3@$<ͮOBpeXP[>Zcܚ:Rل=_]>ޒC51zKSYu+%kD{,wQ!%NtLQ_p">c~MsfNbP/'"բnfBec_4Wk24*hLrߠC,fLL=pNB ~\!JH6;<{.\^6x~3K *Zi)G r,͔/|k^̵)& 0X"1S@cgRJH; wِ(*Gߝy/ف`HO>'|Be&0*;AVY,9ϝDAoo+|I7\/#qJSd^x<яFqe̙%[cvkcg&z2 L]h޲s sLMntVNKqIcهTFnYu!ܦ 2tZd(/\Mi1b#)]ɳɮ/ Ox`\AI!>´\J s,"}&zf D )a,mbJa_~Xs+Nk;4r2j0ʹW"Ԍݘ5 QS7I(MDw|(o@d<ݹvp+% K97%5(bGEDzW- #Tey9?RZzLџ(7Ge o2*alo+)%6@dOZ.bj 38*Q_NDLsS ނӾ=aUt~'s,}֑%k+&YkMk+ 1 9s\9Ir_t#\|e7A^Fbz^eX)*| 3R ̦>VY.җ-!@Pߣo<,` yW?b_s?ho[%^'Yoc]ufG`z&#yCA2(%~YN6`̔,TVdOoUGp)KvW[@U70lT4--*D+~9km|6*9Qx:'ֳ3%ݰou$GۢT:B 0 iޭZho/# 5" 1PTm}(A?1|0EoRwcy?AS癴ĩgbb?\JI"v9>s%+Oژr]#MT9 ,/en=~n_$϶*ɠ F[Ů; ٗ*FޣKC's2A=Qhߥ+1Txq oO'\`yh#cfX?2HZ*Фwv7L*MSf0X OMk|C$a[o)bסS2J|V+ O [MU,ETSxWzt%H4#>]~8M4wdʗwm ڰ 38yC?mߞ͌Rb62@F^tix.,*!`W^ 8Yҋ^sζuEx]TYC``J"mR͐,Krl}4Ymm YqO< 9С踝]h A79nك5C4qt kB˱$xQͼ+ zs*i`Z΍hZF[hT䃯3oeS|ZV,w2fpaZ"g6qeqKck)FmCɰ1}= \pW-{ j2K\w_dOVX0Кw$uU=,UA C=B!RV(bCyl(+G1ϣW}7́^AO*79g;H"Y|!uNz>ӈ"YV=)P+!OģSxVxFl#!C }ҩ}0!UlסveDžx^YXNH=C֟IJC Idzl0]QJ` 'qhJ ^%'n܂+n'Fg^!FZԽ ,o ܻE@ %f̍ ]'2TZ 2Aq0oo"7п zEo.q퉁s{ƅ==`}'`y4u^7<<44+w5 .p*J j@C &rߦ#|PL,w4O[pPvwݝ"D^£n𒀄[bVvIjdN k9P64k5/#w<k S 8N_݄OlO)n7x^BLjP^f FH';w7TTY]N{ғἌ$_J7HEf-׹^'??h%~ vʐš&wuM'12[MxJ1l)ypmFǚc / }3Np;m;rTRn)1z'YS2=oUr5[GSlIw4$%+\izU<Ge]uH^YAT3@&'!jKNl-69+x0,)7Hr?:u)]q&HS\UB` U=*SX,zq; #4HhVCkDP|?[P\[ "5oXs2awةtp8Y#ݮu"=bfxRs0b"jUsNq$b ^&qdXAKcmfY˸d"ZŶlJݨDZb8t1&qИ6U ոQ}.pIR 9#UhGYh}hU'6CN`{h՗Kf##6 M}$wp0k^4⭜DC3ʟ|HIW_AK}_& KSO݂i0cn5T,_ bVCEtc˗EO e頊N|yK9} $|{[yA⠃ԩy2 dzWaޞ^>\+б'2~qn#r2[ٖ@SCbӬYώЮvW] xY'D vƨsbvτlXGWNpcH,T 1܆(P]\aoUtoCq=x>jk;pf{˝x*uT_]R9ݜ+32fc$ f <gWq=:o P>'tVB=6 4 }(D\5Qk\&<6bqV=iu2LC,6[jGQ*qbَAtƺ=Sn ${Oc4ҤgHŨgW[[jO!*GG-rg퀕Q@ۧ~`<՚aǠ}3+,9mw΢Org * VD.#3\xYDF^=m_WRCyМ:f`W-ʄ]?Wn4,;̥T=PA?:0y+[nYLjPs܀ ˡUK-𴛘FJaXhsŐd,f9\(2}&3lΣ=R2 %yb(Қle:F9pL?2VNoFA /kZo77*%T߿ƈKJH4znuVgSV} tLvţ.VKc1 pV|BmpCn+cZT+< GY[;@Ib4EK`1hKC0@ pki_XEyu}!!i/dRQ3ŋe8OIli <~ R޼\~bS)zKMJ:4_ޜ >[ϴe|W6RXp.vE&uL/N,p6%׭IG뭑d1!K+`*VAפ~ حۅ?˼Vy ߌ!.c{Z t + >z*&C>0A#d,* AZ()~X5C{ a#%v" ~]hH ouܢaO࿬I恨>q-l(Q6{0QrSk˄% :>bOm]$tpu9`8ɂ1Lc2?ޯe}j !6kP]FڌNR`5fS]wvD[9*37$˙śs7Zq0-s#&S&K/4L;ን{_R 6*]-Q^#ElGZzI!^~6%!:y6xGo7w].oefQz;'Y'x7~u;oQB*QTQ=G . Kռ08PGAK?ˀ ҕ3C^Yp 5i bu ]n~|%`S7d{]^}ǍpӖ5ROZ0aLNRXbege[P *,LEYw2тLzAD~u"O^u3.To8A[́ \-7. dS[GҪRZ7DM/թW &ۇ״UNrm^i—aݢ[ =vN-Ms/`f_?7شb;L6n4NNϘv?>h7ɉNXHQG7^Hh } "΃g[ * 3lu+ﵗKpXfHFJZBq@(z˼v>3@Sr )- I5Qm=-jo|͋RruZŖL;ѽ1hMb1 58Y'v#k &⇨@FWKoq ܸ62ʦky\Y`-{]}X€ G߶M[y| 6ӗ OغUv1WJp1}%ER"}b6doI帻`֫![W`ּ`mFΎKl:6a;Bό*Y0e(i:8:>fMXI`T8<|Y7U/7UE+}K} ď#bd6h[]ᢴUWX뤨/}Q7>. $GEgj/gI׳3F k%e߻߾wچ3bDfZ V(|EOBRJQFHBEeZQ !Ю)Fi7Nhs;6>{ÑC"'0A;xy|`*r@sbV T+0E)WBߣ Mo˜mU"  %0m|!T<'zƟ=b-˼^ 'BIU/ YWk W)E"fеpːuL އC $N/M^xw ʤ?7i&sl1ox,k[4U{GmiOaPmcNfH\X4UD:; ?ic g3*yltAz6j9!ˢI< Rհ)!tF]9;sFz+v3ɰ\׮GQ˼0@U[~S٭BQJΧ+ҿ=0oAanPG(U}_![S{ɮdDWq4eȄW={WO=eWc-pC A!]+9 Ĺv4T9|$ M fh}m|MeYihyP':)'4c0ȌF+"36Q~׊Ǽ"W]R|8-PnVSyiBfffY~"KD05 ڛC{@zN>eF@ْqݓuxRTiٻ*!aL@vK،5g7fp1uq_ S4{&ik^ YfmFd`7*4&ou.pF i$q@3r Y9{4PcC aZmnoI1Zrn&ɤ 'iadö]@Q Y*vd I8M 5uv&{cY][Pjϴ13S P>2ȵ4iv/%J,oS1zs8>p<8McƴcnģR7Ƨ2_M$`Ɂ ➠M]]lmD$D⡇6| c#8!MGYl~{߂ԝ6N{<$XAhORe.8O=Ÿ`Fqhݧ$PB96!qnPzpt;1vbΐ,g#>kh䧵Yn"Q71 !LhnZVfᤝ 4Z^O839W5/23`oCOikQ.bNR34=l>M0xڵ"xHv=|lVɤh%g:"v1$0%XZop+~ PylSjAi(yܬnGQ/ߌ~f.T!h$LPJM2du xrjCxwdQ;+JVm䐎2d vt'd/^}! 'FH?I00~I%/}"3d.DŪ@e^hbg"e{E:ď ` YlDxlW ;|].`R;/zޅuy fWL(x7Xc9I6QxGF ~ڑQI{0핏%حUe(n9Ǔ=oyKR=H-(yƁ&>O-Vk+궘?9bIm^o>8t4W-@k+L`;̩xާyGwwZ%[~<Ʒ*4o'fg v,5դf%%w02L݊ƕCpL;0W.Ґ~?9l#rE&pzH9UHQyXI=;`&#A.+?Շ0(D[x296l6?v<=!h8?A`%(ocQ/W>VEo*ֽ EyYUY wC?~O:L[ ;wF*Dv Κ.q͉sp-{ /31it`5nc PGT#obd ԧ3޿-EVSH]pSvPE1Vbɼ3HӑTIN~.UGx(~暠hGGehUsf }7ݧhWqKej]ѨSʷ0h$q$e%VXp>^.]}8YΔUPdJ jGʶI9rEB^ޖ o.Uy)FaPn>sCA$&?yxʩf$_I6&6#*P>1˗Uz\VmSM in)QbަOHG:.j8q}G=-\"|nOw̸1Gv-@'7 eWdp`A\$4W;OdcFFJگngіzA ǣ=1h6@h㊈pEf]QD➸#* .u;Yi9F3_s!s2?x\NJ%{Nܴ:D sUJ ZtK,TQ'lr~YކTy&Z{)\~G mSJ1Y8[,HpL#AM>(p=pU1#kb1歲~FN|¨ rr8sJ:Y!b9'sW"})gPƢ4 DnҬU iLXӷB(,{$]pSh~~$^4~.?}&t#ńE<>Sm,v' :1F_BIw4 E4i[6c4cW.fnD_;Ej_!`qS?6f43C3M':iIțzx}o٪nNLΞ'VUصp.λih06{b:[i*}ls-UƁDGL!2\^܉33?ho8K^D}:!MrJ^>đ_OuUP窠&*߃%철g3w-vR=y,AQ SqG 9?mah3"q>p=i gVwG{i">^Bè邔AYm 2d[*pvޚeW舯஄]#FhxT-[B8ef@^4n%"*kGN/M"Up<~Én ã̻AgPecd#:T]7߀Vm,|_g6JPhn6z*QT7: 6+ 'Q&$SI;KvV.JѥfD)e/K NW{? s~ẍ́N-3EJ4PȻ,܌9i h3-H~tm#DO+F3nYߑ|4:`Jƣc3 ¹U=#ò&U`leGUoFu-f"۲|98s.z{k{ieT4o =3O= P;?F(GzeASF.Z|6L4!C(.Rf(I*c';=ґaJ|}\o)a\iBHe@X8 ᏗVb-.!?M]SIT\.z q9-'J$H*k&yG$H O8WHr\=t]NO =rq~WEQ[_E@jYk@by6w4h>d -[RTge)[ 4"$x}!_~E .+&]b{ԟCԤl)E:8[:6 !U'Ie/!(GӰ̥ KbtÈ6e1x0 jH4(}M\`1=| As~"j>v׸ЇyY>͙d &S%#Y_T"I׻oOGsWT WE`ӧ!N$k:Hwfu<^fOD w uƜRIQE+Ƕ/'gP`<같yǝRK+?$0#Vt]/9̛DD"&%У |uNwtu0CFN=MЩ.LI3ac:"7rʌ,c6HbeL͌TX"9W-)+L xR%͉E]?!fĒO twSrC1B&gNMm?B7uIFORra~)'Uyb'dXɌ,\lT,U&DgGXK*zzwq3qfbhYL/N@AZY g;6^"(-Tj1Ey})p}<H"Rj|YN qr[hkFRv4J:փveB-ZA55՘G28MIlGmJؓA=!~[nމ_ .) W=xGIAKZ:w_TJ\ujk_tR3ီ3ߝ\])Z̃me(NE<-8O7VBQ" *&LN+NǍ,ը'B" [N)Mԛ-k܍@OP:Bj D)XWE7GiЅ7ΦShNc=6W8 "1=-Ieek%->%љ?{yx7Ԯ8 8|. g짋+?;DK?ؼ@;^-SAni'om9Q9RZ-3\XyVja.% g\=J3< +z yg ~ >o݉J Fd^ \%pwi:߯|i!RF#o 64zZo8=>\_tL>w4[>P9gWm( '@vwl f؄DX(A l/rP|}ASnY+{ TJ?bØ;uMޫ M^h2%2C^̍ "x6%o C |$8똘w7[ P!G䕶.[X>BmL`j]`4M{y3%-q͂&%k~B4$(Χ4&};/X,&+ {D_h1ZԤG>ZYn,[NFu ]F(Ι8*76B3 9Y]$Re9 ҉ӯvX]lXĴWv4BO2.,R3XԣA]7*QZ\oOK>fEQ8jBN*E=O&;:Ňʙ Vd_@Zw/cރQ/(@&:Y;He]BFNqi-^C& <!O(J E"q^oyKܰ$"2ţ UF)5Ա8fPぼtBH FCvކ2uW˱oh@3_F ";7E,xa;z+[6~A>< ߱0] @<7`v7CxrgVϗHs#bx'Ms',Im⒗L'1}qWS&ldO?< Ŷ)|4I?˓N8o/;X/poF8)|QFTJ@xYYL :ϫ먝z֎wS_Ĭ6Gvߑ'^{bZU:⚔޹;3٘nHN%v[?5vR{eP4{39]-GDd4iKrYZϸ :0й~7`zV]?~hgm 5kv0yJ ٟh$ER׮f;B(R`>uol>Ja8R \$Y6,&pnz…g/kirMZ˭vGW؄_o1@8K.y 1zɲ^)wn[ePLO@)esfm ܑ Ƴo)悭v(0CfPţ[ c)O/,> wsyҬǙ[MaTHdv8a;߸ocˊLzԛgE^;/j'dq랑4p# yաѲ NJ|>7~ntZM#hHY.)vIA#%U)!p/p{+]YÒ^<~'o~t5ik&l{CJ#;D$aƒ%5Q,;,s3>CA[5ᚘ 'zwRY'-d1:GgƑ/T=I 閃ksBsw$Ts2Cj@Hfkmf@or288ʖH/HJ3,ۈ1VXhu1,q0$Dc'I)6AfP@'?0B(ZiJ+)΄U{1C3ƂrA&zHvQr3i\Vmqxi| >J _F@kB{_uC2QM_q޹iscl*pK-?Kzi^xVSຶ7DezF@Mje{>占z-oՇi֪]}r0'NOPd^P(=E SWR:&G*DVʃ7{1~"!Ulf +798{q9=QK=!</+s1@%t&?=&0! !}j`E$G%$nebLTuiHgF _)+/$HQYղ(h`_>jR7TSQ]`?5 $l:@RcnniD"`ZerR9:?;  &O+˚@đ ׹[xR,k!,Q0!R=@fn r1s wj kSaX?\1Α#:.k }nB4 []sAmءS,ñYw~VP%(f?f1yr4=Ara$}E%|vE"GiM9B * 9pf?FW lc(%hHs!08##RhVYA7$2p9@9^dQKRz>ȟ(jqXYzd:*۝1{Jzө#gIz05hAʽ5<:¼w,:3"/i_HϦmy)n{qWN~Fn-9y(Ӕb.4O;̧[NqWf)VJ?G$0 y]VފqeA3z;/(#'mպuvw D  V06^@vb13q KZ]w* a*1ڎb.E@vWHIڋL, [,:NiJԗfVrv{vᶟ۲@`F Mʹ̔YؽyίQJP0]$$M?[|iRwʀXwyRvu OÒhLQmn\wHerVu$ MnOwF)$7RKsGq 1K7%Bk7!ot5yT*'汌ݐ=_2SN"80?s<(2 cAuP6K%M8pqL0@CPtS+GЭ֣Y. 23Y˨#NWj8"oIpjXB;) ;Ta/W ǧ-qXoGj2_gP 6E`2S>'So)0JI~Yj - ] ح L@ r?Lvrryp'9yU"[ Mz}܌ǫ%yX_=mI(?ÜhIYXK)9Z&7x7r#ߛu6i-mlh#pʴ3! /67M@_.,p%lѠ{ʀGn[̸ n%7SW<"˟wV.jk"g !pYp9NO8!̸Rj5UQ?6` ϲ=`\y?"u>V/"ͨ>mz>4D/3&[Y;tYpJM1PnqXb;? U`!ȇn%C3D=3G~NaF&Հ<&0Zk(u8p4# a.*ieYJmAU^>M+@:w+N:]5tJ}? DHQ# ݾ=WYn"޹8Z8-4Xx&1ץSl3\GR=jt1Goh(# )ܮ'EdǨDX­;IBI `QRb믩b__%aӈ@J+jCUF}DP6?$}vy,SY'=9)f;]: p&J!7_[5ķE \!G$9D.qE AFdd"0pFBqzS8@sP{(~M شo.붐=fC N2ԫqj=˜9QFt^ʛ?fѺž빦bee߇OM]f?E$P'T<{f…vƮCȰPS:Q1֡[!{2){y9y (<# H~},&Xuvw U!RĝwLq5}Xዶ%ttcBo R1o03+풒9[#TZC!2-dP\&R:w H1(]ANF?ړWJv^dikM!٧H94t8ajøR VͧkؚǕ_8Hq֜s1-h2aglmW`R1o*.+bhB߰ݳ.S%B[bAViz06 ٞw(e:'|S˕XXqޥHLܦǨ5>\ vPYED[{mn{$ I<ӷ1&Dm0>$uRHHawlNHuŲrƚ76*-Epnȴ\Rc ,$ dLlfE ٖ5 O9{F꾐Md͔&9f)j,DQE=Wai/bHp ʜ[JR{<3{"GfI z~E:5R%>ojD^G\?l;FV~՜b`pL|/kwP+uO#,o{<!0`,ؾ7,ȰLY#gv !m@S*Sܢk<4ckQIM H+V[tzaqv۬0 .4Snh-=$7n]);҉dyc{N=VL\59ɐ1^k>b~DеixAB+?b{Ex*!F㟪^Em *#%E]!*WGh<)&0L?{Q$YrQ ZZ}-جfۘ˵%t\lLgL)RΚh *J_RLqzLjb;tF*שmʹtD ZIIxGsDE>7vOx8ֈF%0OD 8Hdh)3yC[d[Aq>FZSn@IfM`P,;+A>.R?])Y4Y] V$ұX14g!rrzjC*f䀝1Hyy4>wmzF[*z>5ؼçו' \N CXED[niiAWbk+Cw\ B;vRL#9w#yC ]Sgv(x,U~87?^L{5U𙡈Zck3B~6`|a]SM֦ғwI6B8N`DL+H?4tre]dD!@9к{gsXy`$ŗC7xX[ euH֔q5Q^NpF6'cKdmVm -H#2YE t?RZ]Wkճ!Xoփ>&yVGC05#@~LQWq9td&W| j_0<5\pk;K1Jq VY}E/ DI?% ,7Nϓ`F-,U2啖 zn 4-(+D_Ә˲06{/wozvm ԰(VI_`@\ֶ.o $a ;PUvVxI0&zIj^N>Y5};?a1'Юm4Ж;cу `&g׶C]` $7Z_X^H ߳̕SMp}i5^15xD~D'yVZyA_$4J9G:eށ\R~BViTj:q8gߪ)홮RB օdz-xBS \ۣ ACAgG˻ W+Fs+TqG.؝CJ$}rK:?qqߧN>맡TX d78o梱~xGM$Xt OJj;b(3<9 3Hy*ekApvE@b[˨Zg*L!WX6Mb?75Ϫ|%fqjgJnQosO~A‱)θ Z1#b?&AښZIFPS#%" h8)^ss 6n ™_9{SJ"4*6 /Mۙ`8S6K򮋃( so'TD,r(q| %k3uY\x qz}nkLļaw)گ8Ya%XlX.ctѯnv&]3q! 䙲N8=K8-BzLgH8P=]hlfvdD{9g+FB"T;f*%G!2ʹE[!Tu+j2+CEk5L4 O ~ ՂhAjED~e`=?4ab8C.Ue)B}O x?Ntv2)7[mI"c A(6nu ~x+@EigM&-_%{WbDU<܂GvŎD0}H0ڧK'h`$gYZecΜ~&WH :M bzbg_5:2?h'd1dau( ӃṔpu $$M)#'Y||+z dVĞdw8Y͢3sJPEY2/M;"A*[WQx:@d5޺mIX궿ެ]LP*4qfD '`X/Mf1롌RL|Y+"0K"='ɕN 痊:GZsX>}қ5㦃iʜF_.AEo'3'@I/|JjKq %UBa:(b~\"X=X .qT_ĽAO~ԳjK=AL%b3yy.^8[o B]NofXU( $+Ĵ= V}H&|#Zro/ÖW`L&x=L tZw>q.ۍ<*{TŝR8X4dp؀_]{jU `+mc6:|}o|~ue.ZY .'H󝖴Z m CJ33CBR ӭaӲ[}8baFy݋ SQ9k0dI篑ؒ6vDtP(B)\ڡ`<H۶L5xtװ~п*I%3L97,(ZKU$FbU)hIw(FH f ax-?Rr&v MŽ[nM0?)Grwc8W#6q%;[VvJIVCa*#`w]7Z eD[AϏ"[>5w ȫl7v02Vr`0g.pZknu8(UIỸ?$p1l*Y9/l*f۲f QuJĕ1kNQ]K˼R>|NRJ]kX,HqvP>]9.D6oevFNWۓJF,qx㏯ccM˨ e}JrlԉVH] ʮnVKgAPR{4,3QA<&1yU!ՎgMqCA[}|mGߔ!=\gSBm}l|R.(1v>_y ^$! 惔*g+mq<7w^nzRp.g g-V./>c0ѵ) n# yV/䠛~4DO"]OÌKBIkj"ں; BwGb[4ͱX  [O?=O^]yEZcr|+_-|<Q.^ zca[iˆV¸+h.@>5rP STV4]I0ЉGrW j|g=Lr4K@CMm uNO'W}R>K|Rqсmwٗ#u[d&֏1nKmhcuF:w}2hhg?C6vsmhz,KLT~GSϳ^aLѸ>Ab,w'Nqc-%ִzG%]uVllxqE |s;-TfSF邥4tP[G=jUK 7)5#I8sR&ǾC2 26 荅Y,6/`:F6.w97OccM2J­<]G]OF`tX8ǬV8NfʙPni~' }&nmlw7l8u%ˤ%5>ٞueq;&J*Di78)@-l߶5uԐ#TQ*x%d.:(YgI "diu)B~\][xa2I&v᯴]Ԉ8$jЁ.vRzTrXrO7 6A8lq?a5I?.A9^^?=Aqz/D.ZOqVqh:Հee=J|Kbw^O eEeR`t0z]2I gj M0ppwrG$"xK *"txsa$i=LZn5薰 Xǖ Yzϥ +pTpE~;{2U+O@z>Y.r|vďUQꕒ|,bIwи˵ )vi/JK "S 4u)fmA7a؈/@Q.B ':}g\OLJe:6TXod| 0c#Y3=s3D"BEK VSjbR:\%6ڑVZKC&uϭ)`Iwp^e4<:߱j[X(9iKkU\R D~Lseg^d~W-RqGk}x1WMKJK ߚ:W5.Z8!G_dI PFh_޳3s'ĩg"̄vqcP1E]^̊~@둕ջGdڈ!r:v=<‘nNȰa`1?R?Rgg Y; IzLڮqUa_lrG*Qjn&q^.'%waݭqm{,tŏMs<& ݨv"!gdYE;.=LVAilYpvK Fvx'mŐFE:0ѤnSH)5+{ntZK(v1 gԉa]/{ O3}$XK"rwB8[cÞـ5%^uy¯Lzp7ߜk̤*v{4l+e26w*pV*mU`YnOUaxFb=; K7粀Bql=m%%Kvm'EDНQ̣zeC&D57}$mʓ8Njka3ˉHD2i^rLq%Ut`}P>$bjZk8X؍7\o(Q N1ղn-p>K#L_1;ԧ-4 1d֕-sdna]X r PjP vCf|jXaQmE~A&0 ޳"IXaG*ȹ :n<&&}!Y؂Ɲenu5"3s#B'^o =OҨ*8BHjXi²YϸouJ̯E[jOBͦ IVU{WP2GpU&T+|S_zm;;l0E[>!RWR-Aj+~,N ^ zh8*Egʍ;)OAb>>mG'Ci/t;Z41> >8쓩7mE*'-L}8N>ƺPV-(8ĎV'/@tCPu--U%0"7PsDح Ԏç<ߍ3k G7\FAqdźPo/1.,$,ggO-ݘ zDs B( 5ga095QG2:Hx2]Ƞuh:z?c&E *oNsűEu]R,F[*pN9QI?y-sFu7mR#-\g)~.STζ9Fj?xDUs)B_M (ϼZr'&(X8Wm.du /`}ig: ypĽbclǼ`{F礠ߠIɓ?N> dWXN {(WrzgqMVG+{a$8{ΩdunG2Ǿ>845g)holR]UɒHw}-,mLׂw罋 9@j )$x4*{u+aKiB&IMAՋtzNtVBAG~RmxMI2y, ֑bT/SI!Jt~dABtNK GcMs5ӁBHGH@Q!r rv~ \V,5ySo 1>OX#ʃ$'2>]zVd'obډD=X Q  PXhFj*erAnp_R^*E"(iw\kx8ZHV\돓{"U9xoZZNqY涙A'3CROM 2hE/bA ?ęaU#|gWA?Ѥt4FQg-neS˝ ,XAp v YBվl :|+4iJ/? O0fzpn< :9*ߣbs@"%0[]yZ Eפw xEl|ܼ&616ܹutm_iFOڎ#H{韥F(i]hobipBs}nyBH3_p 9-ɓ.hV W{+o`b%̜>JT;Q쥷,f֭cx}LZmR?Bn3biIh`nb00(,E]% ΎcG12<Kc Rz;VF[q έñu.2TS9xKWe97wJMxpD`X#}Zބ#޶QK#U/,IrEbdď}OlgI^;HCl.,v |]5VID\bMwe{K4'DFu=Rb^Z cxVg:(KR;hTk 6*"r MPлkmNDDltr5˅xX5ARsPx%l/>82W]{:fmrsNLdYNz;W1q f6|X5nUU}KЫ,D]őC_2WyTB ƽ`-[=FH 螮IiXrz-NT=0Rުs$3^3dd\4Rqt]-\*7f|EiH6&/8NCsu$μ$`ݭP@gɖE/_IҿÓ{)%#aW-KQ<"кnP6[5#0#܇]ue`k@C?2رDŴcGުk&SG<(+[[t׻xS!<._ڍ;a-C'cāpGXM} (ZfQ\Nto~mkJ":q&^·VS,u<"di85fԕd ~kCb/{F@TF\Fs@NꀶVOUN:zO+D' 4OFlB汓Ed L,@/3hCu҂5rt>Zz_>?(fJ67 WHGw0J٦p4))VYty=kډǭ:a9(gwGVsډ?^eskY]5Td%wK/*jNB+9͌vL\4Y]vٷwOd:^iȲb}(<wʯGuQ2'mcWSױie|6& i!FSrJr_c<"빠Etʉ!:!P@ة z8֯sXFvL}le{qPtonP<:yY:}:C遦=et!-ֽ&'*LqqdfNJЖ~6*m)qJ#- ^Ix2Kv+v1Zi@!b#g@ ]zGL_@.ҕqɜY/bWET!ܜ"-obZlxDÑCT࣯j_3&yaз мEpq"C_ ;ΚR#*eB _Tx9}Y.\ $g0Ҝaꋼ9b: QCyCvWͼ[ist ҥb\65 Bё|~Dh>t91b) akspw(9te5DL*Ȩ62\C4o);b@S@Ty]E2Q$}F*x " T,N|ʈ6#%DBbmJ26).j#%=a5I'D?u¤~cTAj*׭Q$ͨ]RWe9g~,-C\Ouqcrg > $P9W} ךNYU{mqU(ժ(kXL/xFK2gP.ةd>h|nӽRbS3~gi8Vh 0a~Jj AfhoLz8XFylGsPY,y.p-$ViVq˚^Eq_ז'kg'[WwLd309j>JO╭ #E28yMVmG+滟q,>^^ buBH 2Y[`)cvNgg(7d!,{,=~/bƯp vV'_7w5w[ ^xQ߆ RR6e,DN :cjL<tpPxg}jsa3/iXwcNˣvjFq[A j,;?s(縰fCETMl_Em)" /ws1<^nVh =$x 0|hTH@@T4Z;$LdU!&)P0.v:wV / X23!A!+[܀O0k1P`X C1UVUp!~9 V m߈&_j1g i4zM.hHhHhs5'n?+$wiEA8Cmjdk|)+I@_k p쐳Hh; 2#'JΪ(&S/{>FGO@VȠadt<#ϴ!mĒ^t~}l9{~ULf{A`Hք gAݜvUwyh3=,OI}3$/iE ƁNj6)zf4:.s/)Efߒ Rl`FW^{8| <1 } @gi-5dHPhȹ_a AOyY %]Z0;U \̐L#H[Jxٚ_㥳OȥSŋl#L{fO/|JHoΈy; y~] !yM,Ɗ  ^͗} ۣ^rzMr:J w`eR]pf 1oGEAT81Ֆ[9@%͓8QWo(J4@˭9hUj ~ĞU-.ĘS$ { Bzqo@DJ޸I+vw&(ń9LWéTV2RaN_uۖG2/I*h%wS,ۇd ȷ_ěӨ#JZ24T*xܟr~7IodVA!z!pev;ܱmMc9n+\2yf4`?٢˔{c©zgx: lJhzڙP5zV}Kt*Mv8?3HQm%V\g_JaUߞ24t|U@Nzg?~By_*y7swTzƤտ&K޳קMAO"G+T[N )R@HŘ3B*.#/7\OڙЃcgOQ3LVqt4.#j}Er#D v]Yk^>xq-\r1NbPm<&AR֦V*R= 7a#hNs vVP5aFZSJ{%FVqB• wɑ,0~g *h(ҍ*G[v_ _?pXkz+I1 s×tDh]7*A4:6Z1ֱǙ69*t'k30jbEa"8TwIH?vWr KYjI|B l-~,ek`Bbl_>ip@Y[8@90F7ݱoc 3Ր)yeFn^jd߻!m)w0foG:ۀ$ZGn8SuDfh6&!sw'Kxz4Y󷄨%x<>Y"I{vD/3T-uc7)}b^ 2 !ҩ5/8̵żSrp)^ȝÇ9>O$"QE(LHSE)"&- T135 Lma}J?-k4xv y.RxFdjKz5@L}TnTOe7ܤ-Ik H$0 ҢNEx0j#hUťa5v(%[5rCjJTq nSTTk 4A!8mےU'8TaŽJT 1^~FM `@77D؛M7AH씢'WXJ$PMlNXQ514GUJv O]vƱH9s{)Lu5xh&\GNA F{~Sȓ~Yt3xGmHD\ ڛXH1_0*1+}&Vi6}c,U1[ۚN>hP~\Yߌ& =IcRviD r@nKsp܀ZqFd`ܩ]0k$`6,N:WJi".\KЪ&b~"vf^qc-\u<B,UeJuv (KU'n^ +ʬԆyxJj",VAMDHL=?~ XX^` R4Ed7:oz^£s9]-Ŀnhȑf[R!ߒG ~UCkӋ!K-Dg B COp_NVvyf=BOI_,4s&R.Ӽ 6 ,i̘N6+ѵ1"\UTdqheA=>2yDTySBK$/%zm[$];zZET͟ZJ*1i0|wAbE#&鋘4B~`RN<Βq%WϞjEKstͷKZZ<Ƴ.HKlb͢)STT}})Dvr/UL[!Z$ ?!n.g{$LIkcIh`U\or k `Ri+gC MK,T(xggCV^裰 Qhu ׏&hoQA( "-UOd]G(Il PFϱvUwK+y/ؐݪ "hudRWކ ڠ_f1\B̠^cN}[$8q]A,?!׽Fh0{hd/!mfāד%hxyH-&v[LŕeK]KRG e98ƞ8;L%eEm. YL \pm85RjEm J%ϦҮVԼ#|Zi'Y->a9گ hDk(IMl#V$;Aw( "ݼruB ֯-4cU} -WxtP1Td\ i63bІ`σˬ .yRgW| (_'IwncQ~t;Q0~r& 8O/4*t*io:Q,,e^hW/U-Un0ه-x"hZ-6z<Ҿ4D7 F]Y;xt5;|tymdyOI i|(_d&Hސ\`v|E^'?k} ){s_W4TUc?d;ws"s#"FG*VPdFb^k,v#I2 *K߆T2}z7%*U|.vc{8u׊ƩgJi[βI(uɏw=f5XgG׸/*hgRǚu^j?M/PⲛM.yYY_љ-杩퉆3"9Lo@_>$a޿Bc$'PP*9;lcAAmzM̮i(2̦!" aልz ,wWtpiѣ_#H’ois՚j!:h X 50"0x/ߔΉ};y@MhypD_ z_kХF6!LˤC@V'sBp>d t:iݍSsjQǻwF 7{ᜧ>4&HN=VERϕ Տ}`Sg\5Dkcfy۳ |C@AOPR)P6hHQ\Ťqkp-pm;I<mFq{.#`19h}boF9r]\.fS8Μi#sϫZG$0%T¶h ,RK'a{u WI^v`}Եl ?Ku&IE|KhӷcyL>p:h9f lWhxX g1k&^`M}Jk yDduDh.4)SM:+(b^5#?@(uT ]S$Ó6 vOe:,dC".YYS' }է4w BHwA |*u[*i$LK#!>[AX]lGW&EG8ӀIYv~r< 3{glV<>Y\'ORz w8aOz{~ !+n}B[1QJH,w?O0s\{kg\TAz>}d7Ӆժ><06:yo11Z>uV`8БBv> 1zٜt}{h1S}]!hT ;!MoNΗ š'_-먰債H2 vb"oQ /Hۄ6@FBa+S1q]W7V,X`S_ΰ+WX9_ZFb^ {`zS AlAB8Q'ľx~u24I*KgFhNGCV`IY)-.{*bwxecLT~bK/0 y0w?N?_%d0?ߞ{NU/jE6=) G*2l~R/uWHV9'O+V@Vڑ9ϫ}xU:ě:!i!^`\ 2>eCYzS_W5G1t 0$,J$љӈ@m]2j6Rb=y;yGh`rSlİ9 =O˴A2ylìS~ARG#%W#qUJ *RQ/@ccPY!3D[sXa= ^F"rՒR~-z-p+ɍy :`cbok S9 qmt-ک=k!FL՚݈=%X^NCCtH 79 dm7J\]Ђv^l@px6q]^:VOe3`FQ<#wUL"G_j/DWuScY FRoy I'Y y|UTYo䇣6:m~6)Uz$#T#ZIC!':.!+2GB(ҩ\+Sh`+E@[V'`&7kFG[+& ݘPn=lPg{jkSEeDS&^J]/@yhɃVfF 'C$҃zH`AvziyfG0p>ci`xBec s G4|,_X&Ab$+6Z!Nj~BS&fA^Xi[( `]R%䢜 "5=ue>KPJ- }ŦVIG]u\l؅{w' 1{ Cv 3@ӍnFU%\(~Jt:Gs̈ ث#j6ɖiG`Hכv= r+' &Ob$&Z$LGAq՞3 G=$dYm8)C(XSָb,w4Z2BE)*sY]59^z/WO1ozC 6dw];ByQsҘD0KM)@jn̲\H>jc 'TT`q=ancģ8hK0Hiu\OAn?xhY_6ˁETWNoW} :W>EܲximFa^4#u;1W5+DBzhH(Me486֊2H*;3._7o1UXk?~E<=Q)=]p%~HCr_?3>3a:Xzbف{n~=2}{vV.V1b_pgvnLX g2x=! 9PPBܙ|Y ?-/rMTjFt $3m؋w(q}Mss ˯' L-,g}nd ެsz8mT$frG)XRϪ[;˚'KݽB(\nUHBg*Sa&Q_OP͋ÌPGz%1 ^MnP ||aEFtyyt$+QT37s X@qcgȥ $⑑!$csy"f.3jɀ6I Ɇ`PG^\/$t~lkv2+ݲatXP,Q ppm\YrɂFMee,w!: }4Q}:Q9;`@\,A 4"*:sV 6onBT~ͮh9A''T̞|bWSq Fdh>`Yl%ћ3Uj K//|{l'5gROx R*sZso0VֵQ̃&{<#ifW-:lǣWUûH|LQ0t玎eH~{D{8Y1m>/14#0ҞIkm7=X\B׹U~AkL=eg*о&tE>uZT,[$h!V4<;bO_.p'%h$"dӈsС/s \ %>Zo=k4SeNaa e6{21s 7ev> hxy6 I3ITR7)i= shV[P+VCL!g֭ i=j2dfZqLt=0\Ug X,/!_"F锧}T 7ЋI:J}DJ _-X1`$K[;`Z"{b7~#2īXo|W:ƘKl^@1v85E$9㙣Ln?8qM#xt* gFrرw :Cdxy#u4_ts ѹPEϻѶji(Gy6:+|CiJco"^ ;ZcPVշ`ְ˿ؾy̰՞ؗ"zq|&>Msr71~܆MF{=]Y/R9W f4̜4RM0(:7y2 UG53 0Cfjk_TGExw م7m% =i_ƍnPF LJi9Iw᝘|QXyapd#wv&+dAzɂhlCФ2S:%'R_!Ix7mc4{v8ji(dn?rFWcKݬ['FSHT5@Iqi p5(|tN@4ìb)=~Vr|̟,®'D#y:z"N\_ڥze")TՔF~W,"CR3Nq9P([:0ʡ$UdhGLUcF5(vQL iݜ5;scGTWƒ;,6Fֹőu,$d?qoU z/Hfຠva=/wcM*8Rh22و4Ou'; |vQqRW2{;_i:dyS+( h2[U -֋P/f 'J=JFN~if-W?(t %hS 1"x~zv9Pz1BWK-swbY cW :, `ٶ%FhXpVyd"Wݯ O] Kfd?Vtߡ^>Kł0+XcI }~O@|D鎚Nݽ ˅a(%Օ.z Ѧ4ۮ OITo|Bf)Or,>@Ka*5;&7~D0q$wmSNH nv~W#MpOr{ 9@v,UZ V,^}\nplf~{ ԱV7ƙ?.XQ&ox $&{jg8`+[)GTdsUނ2fl'P@D/Rgצo[v7$e%7([&5:_uSD-;7j;I{hY 7S\Vt[Ld8; ㍕x*S_>)[mQ X _.I L_\075n⛑㌞%gTOE) frvv' *ǕjHʴ5vi_o>8Xܙ & c:s$bG3bz8(15ўh@E5`}T_Rm6̅   a=sϾX2!4=-&/ j:/6:`kG*̸v-C>3q8>.w㴚NSј)a\n&6FVYF6Xw׈ uϵOS,= 6Bm܀ OEt4tKwJuÍ(kz'+Y n&i:TFd:*U3=zv?eܐqFl"a%+W(NDsn*WAΣz&r(\/~ /_lPfv:| LT¤Y)^,Լa̵6״Ͽ-v'"- \`?"V8H1K Yz<'^x]Hs)ⷭ󏶒=)Ea >XPk|;2D2|i : 39J'yHYQlj3D=)}]G"( sI!!5=N>k潪g]pJxy8rvИc [ʕNHPfqlص[i{{H ̓PK48-lr~*P;6 R^TH()qq6ehsr87v]Ux^t #a8=4kAJ~?Y3}>Ұ|Zc%=fFEP]zf Y XN@rD?B}Zedf^i} S@#K%N2`ǽF:lZ$ر3٢L'FFq P GwCɰ;8'0%>0\R7ĵ \mń >YTUꝰ\F܅۷zAl:V!_yq\fX*kttBqvsa6#AOu+Wj)29 a[DlBA`EHu]QۿTg.<yyաn +GssltL2 lpiSYRD1VIwTgAIh3Y2ը˔`c`.%s=,w!t$6 1_Uc'-5a54rf4-ٱr8IO1(B&_g$)lrmJEyʋA%0J۴/nbpT}v,TV=sw]*v3EԳN-(RxHgΝ pnj1KiY[[\Tݞ/ #;J ]WlӡnƓP;PUi%gXʱն"@jg TM6&@^^CfX,32> cRڪ%9Nӟ䡄! !>د!CQyQ= t0-g t_cwd { 9OKc(kdmF4!paETi*GHV fJ ;};v67f,惞nl^jS Py xJȖBST!$NH;Z/4ʆ>s͔fQCDG&BA?dƌ//f_;Nď33Yo7|Zb 5S!Ҥo'U4⛬+j8 9:ٗLTm Yy.[`cemΨ7}x{ۓ3Shb r[z=+ ٮ:X^K>/ EL?DZ_B[K᝕-udDx1٬B] +vgL\,^ނ_̲'kΏcOrא'k:uc(Pb2j\0Qz[ y&bMXOl,\2E'uE!xgèN vt𦓚b6dh] w^C<,Sd Vʸ=Ӷ3V9ղⓨ#@f MO$d@Qyq[t\ҥQ,d`p'@+5@$q^KeM{0TC>A jNH[Fu=IeX_2ѓtpFZ'&'}[{O\A@5o@3SȲ)Y{9(H[5~ËGH:BAPx!`L5$+2B s \ԜYZ&-xJ-SMe$P|۶00P߉ZDS[+7V;{Π^/Q "Zfz ?+<2fx2{FSӾKr5%HdM}dHLJ_#(h>$Tl+_L0:{*R^4"ГQ.6:I2]ǨqɖPLA'8+8.r؇j U3ht@E[8LƚߘR FƪR$7叇`Ăs}"4ߕ+c\7"GkͻtۤtRu >Nq3$Yӻ6|R[Ժ`~A;]C3{Dz r/A19܉ T".60`D)BLFA }XȵVrT?@[l~:O)ĸT U3DZ" Dl#U;,ʦiQSxhm5sT]=t|UPXg ۑl &Ǎ@e"댹]P%MJPwE^iSpNNl$w;qOQMr)s*H2-r53OKaӊK{p.݊5?O2C>A| .Y|9YQ͊??]Y,JlѻD%fJjnyAiz}p%}ooby<'o79 W[C\کʑI23ɚKk z7.|7;P62ͤt0P=83l%jz@BcC'0ldkm~X_V àǢ֖(!\PЄpqҘ/~c2/O)/t1JTy|[#)4h93Yò~S2bqfsWM{_؉;4B(;ڛz/%yB8 應+a rZVm?r1襤oI\O#{z1#> IIn m%K a`^]mø稠֕(۸Fb8⨧fs%uO=~Uu˩޷TCZO|Sܚ qKJãBnUɹ"eSB6De4$F$55N7R-Zp~FIQJd?B(EKMC "ԑ_&I5D6mZH~("ss7 KHW:x|H`ksB`Ě2Y.(Z'fٮsqFgQMՉ TךL[ 3cp2nZl$U*8uK7ݰ)7vCwC #Wx㥻֛}XT7u:.+zw%6KШ$7םwئٯu>"J5bՂ/]Z:Eб&MDi%(1;SH:~f^i%Xka DKv;n Opw!/y,q=47f[tDG4Rh>?'ڰY7nzCj8֚Q0y㨄\*pك.Lalh}[^γ>Kpx%鉯2G |$Y}C9&T#,ՍjBx=rv.o1q|~#jۭdݑL?Xg ܭ˖^5*EoփeOU!ul3.8t(i|:,jL(HGhY9}&>>Syize3Ӆl̎gfXH.R/mMƾ}66AF>QmBY@ HV`ᬛnwv!/Db'{JXI[\gdˠr 7PEQ/'*,Bh.ZWsh_[0Gh\V!;L!q:l+}~cD [8$zzTv us5Gf1aMaEm39=!\Slzf΄2Ң,"$~JÑ)bᣏ>̍R79&+fLv- MX=- a֪:KbjvMN H-j Vvt$}6́o9o~%yߧĤ`x('n]|Nqk̊TG?}^ߘI [J[`]5qqJF8s(Qݿ9uWΏ_UJD2#_idbAf|;͞&,M ZZlhK8ݾV>Pux5i9RQҞZ$B_m_jaGURE oVPfKI38ŗe̥~d&=2~tpr5Sa;0`| n$sQַ\bA}rNr/+X;LPzF+ʓ$P_SSbUFϜ]T +fޝv^^< {>ckزiQo[^CщE}z$P7ւn|iKHE!lL V=}/cM _SvD ^_ly̌MˠkSK}Շ fZ߅Jxs/4gc2;hV r~ObX8a'?I}5OP;X%p]xC%A ,]j6vZޛ}Y6HsںIâa HȰ*u1gMm ꚏ5đ& e7} &3h?ᢽ[`\γ'&rT1yZDj ~K@jn΃=u#^/T'9f imTZReKT9m3˼.;`Vg}=x7Q!?D)kn7rX#nJ>Go`9RCMP[yKA@iZBN@ͦǡ@Y?]B#at61'+{l{g"m~m{ UWj:$j̔9N|2޻JF>@Fޮs<|i?ê-'"<Ґ)04;o4xm(櫓ALV`,Gp#uINP0v%N$ NEԚ5ri8oЙgQ7P哜*+#oiz4G8P966J2>0)12ޜnl=&]_Lyw{n𾸘G\^8'[J@L֗`HEn&APM`Do=I=i }q!ʱR1^ }{c/ *i͉0EO?0YV|-E}2ھol9@TM>X\Nաv:Ċ7f5xfQଢ#W':r (5hJC(+U _{}JQ}%QBb)q~uler>6?roew[$ꗱ?"H2Xn Hi>YԒe<@T'Pb@^K/ R̹-1fˠ9ܚǘ7KJO(z'v?u0}2W4Buu*ai"˵It"}@Vs gW6D-cf ?e$tgKU]9CUTuR&Fmt/kZl2GlB}hRKt '_Xe '"k-LXOF+0IR)"w {4S dφ[.7`6w9qn9V*/P&@g31Pyow@-?L9k%J̥"CAWc$-kguթ?g-MǕ+J!:iypE=SwIRv(Zח-ՌCe΂$fmUs*1&ƢDvZT 8&%(kxwk=,IqKdKʅ ]:/ oIt#j.0  p?ip;Gkj=c9| D{m_WnGjlQj![EFaIJ0x: g?DGSH!Hr\Qo!H=pULv|p_^_)}7iQvȩ} "pT4 -1 |c0"/bfpdZT#p3ZWob `Ukʒ< cāD51lmkgMGq(jg8vPZoS,oUή2B6ٲ+Vp#r}$jQj=8b{K R6@O_S"g 0{E#DYV9B7/7 Wn7 ^M*Dv2hRx<#ڥ?0{] dROVJѤ(Csw>'z^(G큌{eMk_}a5DPQm=U?`PHķZ8u#Bi{1OF߆8Z1 Jj|[=EZ0sVF4u#\ ۻ·<ٟťS!팓 e"`ƺD{ ;V}5&v!skwĘ=Kx k~kqܔpP.*\8$iwh=ťƐ#WvT]MFǯqCCvHGpe)xBd7x'J{ CHdc`I5!Ϙ,Q|("} N+^6ta5^y9BwBNȣB?8qO-tf4}?%MGA`?w @AS|3c=g)*p.T˒k wi֐I}/,z\J jfc t?b{C`:ʑA,r%DLoOä߬`dm[A*ϾⲖ,bls^m ÿM`C,ZqZ\W!u&!2Ma%2prtqc٫M{6>#9B ^aۚ(JWo,Z xh>Pv!,-l't[cG6oWt+DoM=J*:[]h"C(KH<_;mflDEE+VAˎ{ͨ9u=m:D}*K7J`M#w{ K~vii7xiUjbsfGT/yIzՇwg(רvtY? %zr&zÅ9+'|&d×DhMYn^TusVK_oXQ=e%2 , !a K>, (I#%ȜtH FqPu\á;fCxV{#M ?fJ}X>$_8 eDVkNp[*TWF2i04͠qN]0tB:؃wvPQpmv5zuuľq,P.㧉D)໇lkl5~;*FuzT%:e.Xe8w 0Iݖef@.\sɫ¢:tM &}hi~z>>ަvk-.ʟh7yK3}TEaqf]vTVN*$߻}O\4+~:GN V `!(d:@]),]ÄFDl6N [? 1*la\ ;r ,~?@K'[׼XdDp_hzK6p!cPhA?o`Ve|8HF.8U7ʪ@g.t.`ڽ,6˻BϖbC蔝%ԁ7\ɊAx5 Ũ'3\yy>vIƪ<zeL`d/Gm( 8v64-{ι1_\/1ʀ\r90,ѐ؊HMsl[ދ+Z:ܩίC6ǹZEWgT {:a)':>\*jN<MPpCGId~w*q ִ61G6S\t6V׹`PIH%9dP8|W6prSꀇqb%bˡ+=?/~ݙ+MQ/$m6vjw{+j[%9c"ˆ?dmxeӋ@9 L'YZUgr+yUp}W`uSnw0u R GEƚxJ=qI]iZ=@4rQ -Wn1!LQ8T޳N6POͻ®,s,>0 1RH.uj,LQCWJ Ρ|R[""2Zc/QRrb47!=ak&6}HP' (6)]oژO']$BZft*A8 (2)EX.՞lpFI|1 T'7y^VLZ@r?CQ"kFH6 /積{e *f^'ތ2/ =T kjbjlSLi-VIw ^J7P" Ffn!a`BLC×" ,6f6.MU]Y aa+ZmVwZZs|!\uo\%q($"nJQ13mƦ:F\[Ijq_ެ43#r* B:-XLG'i;0xlyS4ElMH^Ň =jEIb{wL,ͥ+˒c̑Ͽrj] io9kQ6qZͿ* 9@#ŃY3t_zcgz*3 *dI[vBHX示E7kưӍw:;j8Hx~UßahIjq5YoZ!o^9&h_n,s}vC@_9԰;K-B@DYmvs۱gg m~L|H'+/Qw zOεBZ`~ĘNyakw0rBJ? b[6k&eDS}JHRz\gp+jjG-X58dqMbpVGu׹qm<]Fd\__'~l")SGQ"1Tу_55iޚf[2QU@dD1 Y-ļ(X> nWZG?>=`loWVPnVë Z'_e4u~cNM "AhX;1?+ȠP~1Kma<z)vӋ$=V gi5NG4ـ|ީ,t_4SƢ%ǽQj!$KK(HyhMKm.)'e\הzYG?n5`g"'tb>@OO#϶Q@xJRbNݞ 2Q0pIo`"15a46 ~(^?'S6fcF@TRG^YZI46Ooa_-YG}>Qq䭟6:N0jrR {1E8*Xtm)15Q>2#7E=zpĻA,k3B!63;<IL!EB:÷3]'$ZUށۛ>_FGզ v"W BEĈh4H>=CEo zQEB`Ipe{C+r#/IX{,W4u gf%HXe㍼KCzd?%;a)xr0_6޲ٺ[3 My(Eشk" mh{#Pi ^! <(fz;; apǬDTG{9le]ǥϱ58oe|t" `SbOHtCDf^Ʀ wb xCnM;hBؼ-4hcM&cPB~膜OcS̪O;v!.'TKOUi=11`knd[/k*eP>Hƕx.5@z?H)Ii:M1pǢJbhlVy H9^Ӂ5} >w6*[k`CA}L\Q8ɻ}b*6y-~݋qg\&= ҍao^+dt1%*7,P?`W(/̮6ԖBp]os\Hghmo[svJl(En2Ptl;;bfrgLUh9bR%la[:*I`~۽Y)qSPH+p*hI F!S$'ɪl&Z{ݰP׌l1vTJo`$PG]&OOb?b2.=A4%]i?r3iԊ&w. 53EzA;n,kLx a#_3Q/,|(ԹYrJE2@ݓ(Y,Ǐ5Mī\UQe5dSf`v[ƴmlu_*䥓*yt;+@* }":8׸.v JSZ%Q@ QA@cQR{uxao}Id3W0?cmnh {܀7?b( Dg%{Uě" a>{nGDmݷž'"wi?k ˫o cblp߶]e2ǩu/B'2,B&Wcޝ 66E.XWeoxtxljj[< ;7$jI _d)a%pWbyRCWQ=5g 0;PszgcV-it2Oȩjs}n=>|x߫'3;vUa"**Yi6NX#3SG2@WAŢȊyBR2Si=ŠML 6B] ~1L~BoC-^įDkz -EFE҇R( p4)~;hY+l"͘K'R@hHs'× N 0٧*;P\TP/ek.P@.TX*N ji{8r1=V~yc6>ni;~nH[?({(j_ n(`Ajv "YƷ~Gt\*E|b`ހGi6dECbF 4+Vag*H)F2'JЮo+_@@K˗͉úcMq2hG)s"F*6D`Vih-Pܘ${>CI׳{EO6Hn.\tAsDt!$kgS_oZ_Y&D9:lr ^oXU :P>^,|N}.F?m)\UnRtѡmh| eR ;G6`|Qv(b> ~a4H77CɀtYt>x :lCm .W5I$$c=< J0, au&JtsA³E\,&ϲ9_DT/m:u܆5#``NҲ}R\ gfq)9 UՖ6xbR.Z1 IJ@nYGeA>KUu]Y&"IӞ2V8$h +)2,"ҸsZ p; `Y|~Q0lvmUUusYssHOzy稧 50sAm C?4\/N DK=㉊YTXt"b!e$2x̟M^{WV(@g?4N~N] YLʮR${l.c}{ ӃB`_# ]?njKsRkׅJ(J pQutc=]B\rU#R ٻ]7m3ǭS,,%_lmd:hٛ̚ԓ6ɮ !~)vy]72 ?ͩt.lRklu#mǸ`JVK.D)1ES&EXNC.X7**Z <ғ=ժ DVc},9>y\a8}¸w=M!F$D jkV3{KU,Lbk2>oZRR Ca<@(?I 0U;C_!`nu v(N(RO$KMxK;8Kq^xw/<4@'=yid'+eBd[&AN)5G.Bby/7)ibZW[ FW딉Y)>\ɔD"ӛ$v%,cдh]6ʚj%F2 -?OޒG7,A}I3J=g tFw{bE,ٶ)+3 G_䳨77gqH,sF},\fEזjAڢBjMb&1m]?pڸ)K-(7=]r. :VNu!՗,)7?%XqYk9"׎,*T'0c0qVCV l ";wݹWF43,ԓlSPn(}O$ hR[cdܚrM:2?WL\hMqK&v[@$&2J93mޚ :+#[' SJep 苨<̛Cc9fYq{9JblY"Hb@TQy'ͤ566Z g{=ڌcfkc o_8| m@bzr+~@qm9[͌R\UdGg}".0 (DT&]{czuMf粸狙+Xr!MMlW9>Œyb5k";ICDž.z\D&wazmdvg֤DUG d 'p7u޷J$ 05( }(`V W]Y>VAES0J&]Bv 0Na H+&3+J*Ekpvq>ߨ3owʮF}oe17홷چ*f$56YYYU.c" ̪ 5|]l .h\U|pUm~l [ʞdx'aYMv]1-h@ay3DضE_SŔ0FTuxE@)~"8Ty\OM`T6 ed6pbl&aIJq28Dy]Zkr◧ԅ'0԰=da]\#PI*Srx2saտsD=',q6yٽm5;me04{]|־">!6XLmpըˈVFDbLz:8op-uvm"Zb)l$` Fi'>eY?jWnϧ bpKVW1Y-jeE^ǀs Pe ~m ƁJ{WC1ZYL(ɡ H4y&p-(Ā[IBhmC`APǧlՙ5zz:%ZfRmLەbnPB|էo?L8E;k},ؕr tA鳊#IrSϡqiZ3Ӑ!l65QJm@jA=ҁS4Xr~̻(1I1{9V}mgM/]|{tk|;\iOM;Ged6:fNhP; n?Z%)Pqa:8[[~7 ǟ{| YO E]x3KV V0|e+z3 ,( dYM{x \ .byX(J%8C,d2F5u*Tu֓˽172O6m)RCJ‰!K:e1xWVK8 &C2h$ 7{`+V?Y"$)fNj׉|Q%w6RxS2rjT}UD@1!U Rykn2Ϋ =g=K]VX 6|!_(\$kN= Yey =䎥ІG nal~ !qN> :<%1D e侣*(<cA> /|D*MT c`I-ݵu|:eQQ3_%>7 Ҹr]kP˶L}Jeఊb'/* CU´ZBF׳7H{Ȕ m- v r&C#lak(se:7k@^u0VEM2eJ l:J2&D9B$=]YFI"30cSƎ]]`T\(خŚ/k}_5)yX_J$H`彊g,BJv-CeP}o 6 cT/MꑚgAw)ִ{\Pi~N?~8G$ `%a'U>'`cuDj_?[S"(|铟Q~˫ 2fȈ9٘ןdJR'h"R=%H\*#u "a ϼZD8wJ}}n^L86͈[+eTZPiEsSW29ջeY%pE޴ISۜ4($p>;Fc AŔm8 ~xG,M)3H&MnR޿!S!""29rB:TjP E+D)9Ϝx+v_GYCfmހѠW霋_ܫ+UxIA/7^uH*,; \L[ۙm#aL'Jo54ҝ$V˗ARێ+P5G,]zp`׆xViu&&&LF#i 3'մ $dFݑ\|VӮIu`HH[d%eKR5P0$ɞW"]ҝ}Z?G8ϸ1=M,UO!˃ fT%/D±VdJWgǪYCC$Dn ZtbF-qo;,,x9@ `%l7AMҭQ*ZeH ;55Ry,ʒZ^OvR/U2iF=.?a{}W_qw(<>χB4Q*.x )/*ъ J|D ܬ?3n?)HC[ k͢*F9h]Fx-f9hGQkV~]Q+lĮ T @].d[zg>bmcďݍ(9!WnơRZ%o݄?s U.~? :qGGh*lzx&tCT"VR(JʍZ\v;c@1ZH[yDlpS_}x{jډ1:XW ~Ou,דqXt7T^>b1x5=zD,{,R՛Ls=vyL!7V3M˽n-ꑦ<ɘ L5Yߚj-)WNkT[G.3Aۿ?-Ϻ.zHVJ rOרʀA&x_ 1Do'%hh.?|S(1aƻetŀVó.=l; 7PYD\d- !1ribc e6gMU@$I9AB;PL!wZSVLS_+M0k)kڳAp湴dnAJQer)>裬;Syq?gT2bӽNX}q0C@J⡭@HΦ@ Sg T&M, "J|L 670y ؒZ;w{;l"Uj@k)M_C]+žLZGsfIᕕa7{&YujC7jEx]wIF6MJOzI.v,dmU>%;vEo3UL@sT2YUE1̾87.kg]; m"|Hz Y+ (q!=v_۴B;jH-|Co3&RʎK/e\1Emh TمH\e6^VR“]9Xu@x׹鸺M$9L87q\I>g#ZoVR? ˽= 3[4ܞ?֪⢄ɎβܣЙ| Bƒk4ȉ /s hBQ2IӺx@Xz̜R 771{NlzoF|Nx78 ]BPD.A&ĎgK[/" NdwT]nҩhܿA:UO'yvM#KJ\S@iS5I+Jg)y)ݎd+)HDs壦|H&ٌ,4{DvԒW J)gW)&i 97.'ʚ)~n||ꦰ#q}">c>J%AWV7)6Pp^4ں@6z&gV߮),g1`0&u%pw3 8zP`X\X; #8Ȃ88Iвmd@|*yLwWHoM`m/k$h>ٙ8ec ljKڍ$c䖿^@[% @?DfLr O55"ѡ-r$5!uCHĂoqLEu+kK]ՙ5iF~]K.a`ZBk/H1msmy63BP> |ۇߥc RhMF'7<Au|bs odQ~ޫ $8N|L]L ]؞ ;/(f"Uaa' )9`>%#d46y;LǮ ߢv+>v5\6}{)ܰ #1Dˊ.ƶsU|G*G 3Avgn|G}$2LF ̉(u+y|/\6]FAe7¡j<:uB[']{k9#LȔK_V'g-hzv!AlOm!I̳mQ"XjIzÌz}kZDY&-W(Bt04-8 I06of:L~Liqe`r` X}Lͦ!+Q`PB0D~9tvvV/~&?=ƷO%wőU>5. |TY!LȟX9(V>| k 9ALByc5BVj3 dSګs _iyĆ—SVL8Z V}5n= t(bnT8<Ry4h9gϼsA!NMD DP6Mp\c&K(3iĖAnK(@ +;JS7n^ ՈB, c<}Toͥѹ1$%o"f5DٹL ԂS ɒI~bF@@YJ3#۪mDVv}3E!G~~ٽzHwnNkzqDVGA B4ai !фz+Ex\,%%ݕ QD2 J]WUJc6i{  Q"OZOuZ3yN3ә gʵy0CĹ&Fj-L=*~L3~*ѹLC-(+T f"WTqxy;YѐP5=u-hb"W?KL$a+;&0AJ)ueup*&-@2v '2+;ķig]fzڎl۵z;+7hJ+i- chT t(/"vK*Ԃ_A{Kth18RQ;5+Zu{Sfxr!ʞ@oCsE#ƉI@.I,>\~_nBF ~47-Z,/?=dVtzDuF oK-\.8x3r7!|թX^sec\Aϱ;w6@.FT)v-[l?oeI*Yy <'8B.jBB@C+Mַۻ>*ڲ+Pݵb6Ytb\[]8ݦ RYȞ)>%3TOrL0셖3T] GqRg(xN2vRjpv↶o(=Oӈ'\eGe$^5fPf#Wtfa=ģ+ؔuE*TwRҿ±~&ⴼKBc~{gV<оGzzS*μ{$. $Nf>,P]dR5;R9o@-`qBݐs3<{BJ^i*h} ²ީǔg=WQV \5{8' |nrN.p==r=?I" d+K$phPH7P!/ff8̩ nkЭm5{6L(V~MLh@ !" ph \Bc6 V!wY~F);hHzK\,ůYE P8r!lN.rDɎxb%JpWWNi\`FFuXJ̪& :Zilf=Q $1!}WV}M(`ǣs^0rRs>2 YtaDFUkeܒZK"a)i{gyfJ2ܪI%ECZrHn%P9^Uj 82<"kݬQ}j :#J7 :~3kP)%NDC * |) N82sCv7mQ`Sn ϩShce*χl=&2&WQ'W`N )d agh  7} C%tJ1qikƉ-Gt/!ם}7gl卋A./>Ђ;. e;(" tqUT *و}Ya|WeMBoGf .'^Kbes9,k O Pg8ȱDgR4o$pq*i[;=a`d~5oz+'0o=&-SDz6TJ4&t L+8w gPSq,ɶRRG8ӂ&Qqz׫IY.NƘewMnڶ,9l|$4=F ~l*Rӽ$2#3/r6\v.=$4Kkrh1_6pPZ?(?~Cv+M_DNp:Xs?ұ8juK Arv}拤Pk 9OOkR4H:jـB4o>DyAYLP\"Ǔ` :PKb@lFʝԯt *BU$z)$? i${ Dr2E{:SW^D*ll+o Ĥ4LOIs| C$xUfK~msU}/g`FVN…x8sCi%;*9::2y4dĝVQb^dnZ+vm\nJ  ]4SoTM"e U Ԥj$uE-.͙y:$~y,ƠA=mЫvUw0.NwbPRo-*(b E4"v67yV-c 6Ko+0K [/b:s>IZ{~x:y'Y"WU>ʗrvT@F|W|`w=(հtcbqUj@ciC L$[$xuſ*4৘7o!lhajlu}0^Q%7,KpTNqAOt/k6 Ӈ4zFXo讀LA\3Yd]鰧l}h&~knLo1ё;+P)ӡ b(2@ok/5s9;fcy 8n\Nhm8"!hkC=z,x` lV0>G:'|<^ ΊIaPwvN f0 jѪiqBibK#=ÃT!_pu q,VnMx=69fKuĿ#f~' -Zܐ5m@gd5=X-,< N<A8Hpb.Wtsћ9FC<0rBXcS F6|JDKLE8ƖMTcT2:s%" Ԛ/e-_[b>@..g]g}hh￁ʯwu3lއI` =<, P+\۞!q&fޡ7!8SWA^[UR8n-Zg%-/ ry{1$m6aZc1[*5jadf[i D!^faކdeO쩰eiXhJ7}{BPBhrRx͑2ks;8f7i-¬ [%W+MF + O)]]"𺩇][DQgh^f7ͨFɣ*~=EQ gīں?r?κ],OfLt]jhɗH꼎"#4å#~ Xt͂-!]U\ iVP`W= jAKp~Hh,=gLUbSQbQi=tV2<=, 0m Do&XwGA\ѽ쥉xۯ" AkdfrQL(4@-=:bkMW3f'=u 1NٌoU-oWRWC]g^>9k߭YEY$|VimxCsR_b1T1X7+T 3D vNC8AtR6sjhow.C\'&S,\'T[  7(V%e)Z]~u8+ӀOo;@(̈(EΧLxO'egRsV&rወ) /暮ԹW^,1vNhSm:gMQIq.εbA~T|Lۯ4nUӊ+ se4=tC]ߜ[wy/ :\KPFdցDT=z<{z PȹV^x쐺B VuB]'Ƌ-Zd9䦪{Qll3LzWqԣyU~agƱtE&a)jywb)(-p5_ ˾ebrc4;B4Wi%v~aoENFQب["Dp)/ WuXRK Jà,Wx(UˋAq'b(h{W|HlNPw) G*c I҈NO7VMç04eeLwڨ"1$]>ފ^"?^{ 7 YZ