sssd-dbus-1.16.2-13.el7_6.8> H HtxHF\d ?*}}H:E}&J{G *b!5{Yddr37df6fc64f874f248123e600322ab6eb05a30791TIZdH*^FF\d ?*}}8#/ ._4b y 8AR0$A>??d   >  "6SY`h         *  4 \   $55 5( j8 t9:wp>(?0@8G@ Hh I XY\ ] ^ bdjeofrltt u vw x$ yL-Csssd-dbus1.16.213.el7_6.8The D-Bus responder of the SSSDProvides the D-Bus responder of the SSSD, called the InfoPipe, that allows the information from the SSSD to be transmitted over the system bus.\fsl7.fnal.gov:Scientific LinuxScientific LinuxGPLv3+Scientific LinuxApplications/Systemhttps://pagure.io/SSSD/sssd/linuxx86_64 if [ $1 -eq 1 ] ; then # Initial installation systemctl preset sssd-ifp.service >/dev/null 2>&1 || : fi if [ $1 -eq 0 ] ; then # Package removal, not upgrade systemctl --no-reload disable sssd-ifp.service > /dev/null 2>&1 || : systemctl stop sssd-ifp.service > /dev/null 2>&1 || : fi systemctl daemon-reload >/dev/null 2>&1 || : if [ $1 -ge 1 ] ; then # Package upgrade, not uninstall systemctl try-restart sssd-ifp.service >/dev/null 2>&1 || : fieKO b큤A큤\\\"\\b[\\\\4601b3592d313effe1a70c44167775b06693dc9b72e7bebc718b6c9e8b094b8f1018b8062fec54f73a99b3e6621a491cfd79f1d5cf7a27860d6f3d349c32fb311614e13b7b8b46faabbe334bcdfc40ce54ba5a66796f0b01ea941fc8d6d8e846a2631eb70e5cdc8392c97e19924dc9aca4ddcf4b38a44ada079dbfd5f3b5c8738ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b9036d0d366fa24312f61089142ffbd7ed26c4c65d86ec5638e9b7d116d64bb275bffa6329a80e2b0989179a454b77aa9f6647dc8507031e203babf29359368cb2bc8ff65d2c47515ae727fee676d9c97ac3350d2b7e936fbcfd1f263d66339ab5399559b81cd4210bacff16046e1a11e22edf72567103c9d8da001c97c98f6c8ac9rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootsssd-1.16.2-13.el7_6.8.src.rpmsssd-dbussssd-dbus(x86-64) @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@   @ /bin/sh/bin/sh/bin/shlibbasicobjects.so.0()(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcollection.so.2()(64bit)libdbus-1.so.3()(64bit)libdbus-1.so.3(LIBDBUS_1_3)(64bit)libdhash.so.1()(64bit)libdhash.so.1(DHASH_0.4.3)(64bit)libdl.so.2()(64bit)libglib-2.0.so.0()(64bit)libini_config.so.3()(64bit)libldb.so.1()(64bit)libldb.so.1(LDB_0.9.10)(64bit)libnspr4.so()(64bit)libnss3.so()(64bit)libnssutil3.so()(64bit)libpcre.so.1()(64bit)libplc4.so()(64bit)libplds4.so()(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libref_array.so.1()(64bit)librt.so.1()(64bit)libselinux.so.1()(64bit)libsmime3.so()(64bit)libssl3.so()(64bit)libsss_cert.so()(64bit)libsss_certmap.so.0()(64bit)libsss_child.so()(64bit)libsss_crypt.so()(64bit)libsss_debug.so()(64bit)libsss_util.so()(64bit)libsystemd.so.0()(64bit)libsystemd.so.0(LIBSYSTEMD_209)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rtld(GNU_HASH)sssd-commonrpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-11.16.2-13.el7_6.85.2-14.11.3\@\@\@\@\@\@[@[@[@[l,[b@[a[Y[Y[H@[E@[6@[0@[,[,[d@[[Z@Z@ZmZ@Z_@Z_@Z@ZyZhu@Z3@Z2gZ.s@Z*~Z'Z!D@ZZ@Z Z @Z7ZNYZ@Y@YYJ_YJ_YC@YBvYBvY9<@Y9<@Y5GY5GY5GY5GY0Y0Y(Y(Y%uY%uY$$@Y$$@Y"Y;@YR@YR@Y Y @Y @YtYtYtYtYtYXXh@XXX@X@X@XsX@X@X@XۡXۡXXӸX,XCX@XX*X lX lX lW$WW;W;W;W֘W֘W@W^@WiWiWiW/@W/@W/@W/@WWWWQWQWQW@W@W@WhW@W@Wt@WE@WE@W@W@W@W@WW~W-@W-@W-@WW@WWu WgWDB@WDB@WDB@WBW;W;W@VbV͛@VTQ@VCV @V @V @V V@VBVBVBVBVBUUUU@UXU@U@U@UUUUUUUUL@UL@UU@U@U@UnU@U(U@U@UUmUmU@UJ@UU7@U7@U7@U @U@U@TE@TE@TE@Tи@Tr@Tr@Tr@Tr@T}T}T}T}T}T7T7TTC@TTZ@TZ@TT@Tp@Tp@T@T{T*@T*@TTT~@T~@TuTuTto@Tto@Tto@Tto@Tto@Tto@TmTmTmTmTl@Tl@Tl@Tl@TcKTa@T\@TZ@TZ@TR(@TG@TG@TG@TG@TG@TD@T6xTTT SS@S|@Sr @Sr @Sr @Sr @S;S;S2@S2@S,)S!S L@SSS@S@S@S@S@S @S @S @S @S @S @S @S @SSSRb@Rb@Rb@R@R@R@R@RURURUR߲RRRx@Rx@Rx@RΏ@RΏ@RΏ@R=R=RkRRRR@R@R@R@R@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@RpREs@REs@R7Q@Q@Q@Q@Q@QQLQکQQQo@Q)@Q@QQ@Q@QbQyQV@Q'@QQQnQZ@Q0@QQQ@Q@QQ @QQh@PP@P@P@Pz@Pz@PqnPl(PaPaPS@PH@PDPM>M2@MMzMx@Mj - 1.16.2-13.8Michal Židek - 1.16.2-13.7Michal Židek - 1.16.2-13.6Michal Židek - 1.16.2-13.5Michal Židek - 1.16.2-13.4Michal Židek - 1.16.2-13.3Michal Židek - 1.16.2-13.2Michal Židek - 1.16.2-13.1Jakub Hrozek - 1.16.2-13Fabiano Fidêncio - 1.16.2-12Jakub Hrozek - 1.16.2-11Jakub Hrozek - 1.16.2-10Jakub Hrozek - 1.16.2-9Jakub Hrozek - 1.16.2-8Fabiano Fidêncio - 1.16.2-7Fabiano Fidêncio - 1.16.2-6Fabiano Fidêncio - 1.16.2-5Fabiano Fidêncio - 1.16.2-4Fabiano Fidêncio - 1.16.2-3Fabiano Fidêncio - 1.16.2-2Fabiano Fidêncio - 1.16.2-1Fabiano Fidêncio - 1.16.0-25Fabiano Fidêncio - 1.16.0-24Fabiano Fidêncio - 1.16.0-23Fabiano Fidêncio - 1.16.0-22Jakub Hrozek - 1.16.0-21Fabiano Fidêncio - 1.16.0-20Fabiano Fidêncio - 1.16.0-19Fabiano Fidêncio - 1.16.0-18Fabiano Fidêncio - 1.16.0-17Fabiano Fidêncio - 1.16.0-16Fabiano Fidêncio - 1.16.0-15Fabiano Fidêncio - 1.16.0-14Fabiano Fidêncio - 1.16.0-13Fabiano Fidêncio - 1.16.0-12Fabiano Fidêncio - 1.16.0-11Fabiano Fidêncio - 1.16.0-10Fabiano Fidêncio - 1.16.0-9Fabiano Fidêncio - 1.16.0-8Fabiano Fidêncio - 1.16.0-7Fabiano Fidêncio - 1.16.0-6Fabiano Fidêncio - 1.16.0-5Fabiano Fidêncio - 1.16.0-4Fabiano Fidêncio - 1.16.0-3Fabiano Fidêncio - 1.16.0-2Fabiano Fidêncio - 1.16.0-1Jakub Hrozek - 1.15.2-51Jakub Hrozek - 1.15.2-50Jakub Hrozek - 1.15.2-49Jakub Hrozek - 1.15.2-48Jakub Hrozek - 1.15.2-47Jakub Hrozek - 1.15.2-46Jakub Hrozek - 1.15.2-45Jakub Hrozek - 1.15.2-44Jakub Hrozek - 1.15.2-43Jakub Hrozek - 1.15.2-42Jakub Hrozek - 1.15.2-41Jakub Hrozek - 1.15.2-40Jakub Hrozek - 1.15.2-39Jakub Hrozek - 1.15.2-38Jakub Hrozek - 1.15.2-37Jakub Hrozek - 1.15.2-36Jakub Hrozek - 1.15.2-35Jakub Hrozek - 1.15.2-34Jakub Hrozek - 1.15.2-33Jakub Hrozek - 1.15.2-32Jakub Hrozek - 1.15.2-31Sumit Bose - 1.15.2-30Jakub Hrozek - 1.15.2-29Jakub Hrozek - 1.15.2-28Jakub Hrozek - 1.15.2-25Jakub Hrozek - 1.15.2-24Lukas Slebodnik - 1.15.2-23Jakub Hrozek - 1.15.2-22Jakub Hrozek - 1.15.2-21Jakub Hrozek - 1.15.2-20Jakub Hrozek - 1.15.2-19Jakub Hrozek - 1.15.2-18Jakub Hrozek - 1.15.2-17Jakub Hrozek - 1.15.2-16Jakub Hrozek - 1.15.2-15Jakub Hrozek - 1.15.2-14Jakub Hrozek - 1.15.2-13Jakub Hrozek - 1.15.2-12Jakub Hrozek - 1.15.2-11Jakub Hrozek - 1.15.2-10Jakub Hrozek - 1.15.2-9Jakub Hrozek - 1.15.2-8Jakub Hrozek - 1.15.2-7Jakub Hrozek - 1.15.2-6Jakub Hrozek - 1.15.2-5Jakub Hrozek - 1.15.2-4Jakub Hrozek - 1.15.2-3Jakub Hrozek - 1.15.2-2Jakub Hrozek - 1.15.2-1Fabiano Fidêncio - 1.15.1-2Jakub Hrozek - 1.15.1-1Jakub Hrozek - 1.15.0-2Jakub Hrozek - 1.15.0-1Jakub Hrozek - 1.14.0-46Jakub Hrozek - 1.14.0-45Jakub Hrozek - 1.14.0-44Jakub Hrozek - 1.14.0-43Jakub Hrozek - 1.14.0-42Jakub Hrozek - 1.14.0-41Jakub Hrozek - 1.14.0-40Jakub Hrozek - 1.14.0-39Jakub Hrozek - 1.14.0-38Jakub Hrozek - 1.14.0-37Jakub Hrozek - 1.14.0-36Jakub Hrozek - 1.14.0-35Jakub Hrozek - 1.14.0-34Jakub Hrozek - 1.14.0-33Jakub Hrozek - 1.14.0-32Jakub Hrozek - 1.14.0-31Jakub Hrozek - 1.14.0-30Jakub Hrozek - 1.14.0-29Jakub Hrozek - 1.14.0-28Jakub Hrozek - 1.14.0-27Jakub Hrozek - 1.14.0-26Jakub Hrozek - 1.14.0-25Jakub Hrozek - 1.14.0-24Jakub Hrozek - 1.14.0-23Jakub Hrozek - 1.14.0-22Jakub Hrozek - 1.14.0-21Jakub Hrozek - 1.14.0-20Jakub Hrozek - 1.14.0-19Jakub Hrozek - 1.14.0-18Jakub Hrozek - 1.14.0-17Jakub Hrozek - 1.14.0-16Jakub Hrozek - 1.14.0-15Jakub Hrozek - 1.14.0-14Jakub Hrozek - 1.14.0-13Jakub Hrozek - 1.14.0-12Jakub Hrozek - 1.14.0-11Jakub Hrozek - 1.14.0-10Jakub Hrozek - 1.14.0-9Jakub Hrozek - 1.14.0-8Jakub Hrozek - 1.14.0-7Jakub Hrozek - 1.14.0-6Jakub Hrozek - 1.14.0-5Jakub Hrozek - 1.14.0-4Jakub Hrozek - 1.14.0-3Jakub Hrozek - 1.14.0-2Jakub Hrozek - 1.14.0-1Jakub Hrozek - 1.14.0beta1-2Jakub Hrozek - 1.14.0alpha-1Jakub Hrozek - 1.13.0-50Jakub Hrozek - 1.13.0-49Jakub Hrozek - 1.13.0-48Jakub Hrozek - 1.13.0-47Jakub Hrozek - 1.13.0-46Jakub Hrozek - 1.13.0-45Jakub Hrozek - 1.13.0-44Jakub Hrozek - 1.13.0-43Jakub Hrozek - 1.13.0-42Jakub Hrozek - 1.13.0-41Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 1.12.2-58.3Jakub Hrozek - 1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 1.11.2-52Jakub Hrozek - 1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Resolves: rhbz#1690759 - RHEL STIG pointing sssd Packaging issue [rhel-7.6.z] - Part 2.- Resolves: rhbz#1690759 - RHEL STIG pointing sssd Packaging issue [rhel-7.6.z]- Resolves: rhbz#1683578 - sssd_krb5_locator_plugin introduces delay in cifs.upcall krb5 calls [rhel-7.6.z]- Resolves: rhbz#1659507 - SSSD's LDAP authentication provider does not work if ID provider is authenticated with GSSAPI [rhel-7.6.z]- Resolves: rhbz#1659083 - SSSD must be cleared/restarted periodically in order to retrieve AD users through IPA Trust [rhel-7.6.z]- Resolves: rhbz#1656833 - sssd_nss memory leak [rhel-7.6.z]- Resolves: Bug 1649784 - SSSD not fetching all sudo rules from AD [rhel-7.6.z]- Resolves: rhbz#1645047 - sssd only sets the SELinux login context if it differs from the default [rhel-7.6.z]- Resolves: rhbz#1593756 - sssd needs to require a newer version of libtalloc and libtevent to avoid an issue in GPO processing- Resolves: rhbz#1610667 - sssd_ssh leaks file descriptors when more than one certificate is converted into an SSH key - Resolves: rhbz#1583360 - The IPA selinux provider can return an error if SELinux is completely disabled- Resolves: rhbz#1602781 - Local users failed to login with same password- Resolves: rhbz#1586127 - Spurious check in the sssd nss memcache can cause the memory cache to be skipped- Resolves: rhbz#1522928 - sssd doesn't allow user with expired password- Resolves: rhbz#1607313 - When sssd is running as non-root user, the sudo pipe is created as sssd:sssd but then the private pipe ownership fails- Resolves: rhbz#1600822 - SSSD bails out saving desktop profiles in case an invalid profile is found- Resolves: rhbz#1582975 - The search filter for detecting POSIX attributes in global catalog is too broad and can cause a high load on the servers- Resolves: rhbz#1583725 - SSSD AD uses LDAP filter to detect POSIX attributes stored in AD GC also for regular AD DC queries - Resolves: rhbz#1416528 - sssd in cross realm trust configuration should be able to use AD KDCs from a client site defined in sssd.conf or a snippet - Resolves: rhbz#1592964 - Groups go missing with PAC enabled in sssd- Resolves: rhbz#1590603 - EMBARGOED CVE-2018-10852 sssd: information leak from the sssd-sudo responder [rhel-7] - Resolves: rhbz#1450778 - Full information regarding priority of lookup of principal in keytab not in man page- Resolves: rhbz#1494690 - kdcinfo files are not created for subdomains of a directly joined AD client - Resolves: rhbz#1583343 - Login with sshkeys stored in ipa not working after update to RHEL-7.5 - Resolves: rhbz#1527662 - Handle conflicting e-mail addresses more gracefully - Resolves: rhbz#1509691 - Document how to change the regular expression for SSSD so that group names with an @-sign can be parsed- Related: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch- Resolves: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch - Resolves: rhbz#1523019 - Reset password with two factor authentication fails - Resolves: rhbz#1534749 - Requesting an AD user's private group and then the user itself returns an emty homedir - Resolves: rhbz#1537272 - SSH public key authentication keeps working after keys are removed from ID view - Resolves: rhbz#1537279 - Certificate is not removed from cache when it's removed from the override - Resolves: rhbz#1562025 - externalUser sudo attribute must be fully-qualified - Resolves: rhbz#1577335 - /usr/libexec/sssd/sssd_autofs SIGABRT crash daily - Resolves: rhbz#1508530 - How should sudo behave without sudoHost attribute? - Resolves: rhbz#1546754 - The man page of sss_ssh_authorizedkeys can be enhanced to better explain how the keys are retrieved and how X.509 certificates can be used - Resolves: rhbz#1572790 - getgrgid/getpwuid fails in setups with multiple domains if the first domain uses mid_id/max_id - Resolves: rhbz#1561562 - sssd not honoring dyndns_server if the DNS update process is terminated with a signal - Resolves: rhbz#1583251 - home dir disappear in sssd cache on the IPA master for AD users - Resolves: rhbz#1514061 - ID override GID from Default Trust View is not properly resolved in case domain resolution order is set - Resolves: rhbz#1571466 - Utilizing domain_resolution_order in sssd.conf breaks SELinux user map - Resolves: rhbz#1571526 - SSSD with ID provider 'ad' should give a warning in case the ldap schema is manually changed to something different than 'ad'.- Resolves: rhbz#1547782 - The SSSD IPA provider allocates information about external groups on a long lived memory context, causing memory growth of the sssd_be process- Related: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1516266 - Give a more detailed debug and system-log message if krb5_init_context() failed - Resolves: rhbz#1503802 - Smartcard authentication fails if SSSD is offline and 'krb5_store_password_if_offline = True' - Resolves: rhbz#1385665 - Incorrect error code returned from krb5_child (updated) - Resolves: rhbz#1547234 - SSSD's GPO code ignores ad_site option - Resolves: rhbz#1459348 - extend sss-certmap man page regarding priority processing - Resolves: rhbz#1220767 - Group renaming issue when "id_provider = ldap" is set - Resolves: rhbz#1538555 - crash in nss_protocol_fill_netgrent. sssd_nss[19234]: segfault at 80 ip 000055612688c2a0 sp 00007ffddf9b9cd0 error 4 in sssd_nss[55612687e000+39000]- Resolves: rhbz#1565774 - After updating to RHEL 7.5 failing to clear the sssd cache- Resolves: rhbz#1566782 - memory management issue in the sssd_nss_ex interface can cause the ns-slapd process on IPA server to crash- Related: rhbzrhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1543348 - sssd_be consumes more memory on RHEL 7.4 systems. - Resolves: rhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1523282 - sssd used wrong search base with wrong AD server- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set - Related: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7]- Resolves: rhbz#1517971 - AD Domain goes offline immediately during subdomain initialization - IPA AD Trust - Related: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1527149 - AD provider - AD BUILTIN groups are cached with gidNumber = 0 - Related: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1525644 - dbus-send unable to find user by CAC cert- Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card- Resolves: rhbz#1512027 - NSS by-id requests are not checked against max_id/min_id ranges before triggering the backend- Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card - Resolves: rhbz#1520984 - getent output is not showing home directory for IPA AD trusted user - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1421194 - SSSD doesn't use AD global catalog for gidnumber lookup, resulting in unacceptable delay for large forests- Resolves: rhbz#1482231 - sssd_nss consumes more memory until restarted or machine swaps - Resolves: rhbz#1512508 - SSSD fails to fetch group information after switching IPA client to a non-default view- Resolves: rhbz#1490120 - SSSD complaining about corrupted mmap cache and logging error in /var/log/messages and /var/log/sssd/sssd_nss.log- Resolves: rhbz#1272214 - [RFE] Create a local per system report about who can access that IDM client (attestation) - Resolves: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Resolves: rhbz#888739 - Enumerating large number of users makes sssd_be hog the cpu for a long time. - Resolves: rhbz#1373547 - SSSD performance issue with malloc and brk calls - Resolves: rhbz#1472255 - Improve SSSD performance in the 7.5 release- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1432010 - SSSD ships a drop-in configuration snippet in /etc/systemd/system - Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available- Resolves: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Related: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1408294 - SSSD authentication fails when two IPA accounts share an email address without a clear way to debug the problem - Resolves: rhbz#1502686 - crash - /usr/libexec/sssd/sssd_nss in nss_setnetgrent_timeout- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1484376 - [RFE] Add a configuration option to SSSD to disable the memory cache - Resolves: rhbz#1327705 - Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1505277 - Race condition between refreshing the cr_domain list and a request that is using the list can cause a segfault is sssd_nss - Resolves: rhbz#1462343 - document information on why SSSD does not use host-based security filtering when processing AD GPOs - Resolves: rhbz#1498734 - sssd_be stuck in an infinite loop after completing full refresh of sudo rules - Resolves: rhbz#1400614 - [RFE] sssd should remember DNS sites from first search - Resolves: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Resolves: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1469791 - Rebase SSSD to version 1.16+ - Resolves: rhbz#1132264 - Allow sssd to retrieve sudo rules of local users whose sudo rules stored in ldap server - Resolves: rhbz#1301740 - sssd can be marked offline if a trusted domain is not reachable - Resolves: rhbz#1399262 - Use TCP for kerberos with AD by default - Resolves: rhbz#1416150 - RFE: Log to syslog when sssd cannot contact servers, goes offline - Resolves: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Resolves: rhbz#1454559 - python-sssdconfig doesn't parse hexadecimal debug _level, resulting in set_option(): /usr/lib/python2.7/site-packages/SSSDConfig/__init__.py killed by TypeError - Resolves: rhbz#1456968 - MAN: document that attribute 'provider' is not allowed in section 'secrets' - Resolves: rhbz#1460689 - KCM/secrets: Storing many secrets in a rapid succession segfaults the secrets responder - Resolves: rhbz#1464049 - Idle nss file descriptors should be closed - Resolves: rhbz#1468610 - sssd_be is utilizing more CPU during sudo rules refresh - Resolves: rhbz#1474711 - Querying the AD domain for external domain's ID can mark the AD domain offline - Resolves: rhbz#1479398 - samba shares with sssd authentication broken on 7.4 - Resolves: rhbz#1479983 - id root triggers an LDAP lookup - Resolves: rhbz#1489895 - Issues with certificate mapping rules - Resolves: rhbz#1490501 - sssd incorrectly checks 'try_inotify' thinking it is the wrong section - Resolves: rhbz#1490913 - MAN: Document that full_name_format must be set if the output of trusted domains user resolution should be shortnames only - Resolves: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Resolves: rhbz#1482674 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server - Resolves: rhbz#1486053 - Accessing IdM kerberos ticket fails while id mapping is applied - Resolves: rhbz#1486786 - sssd going in offline mode due to sudo search filter. - Resolves: rhbz#1500087 - SSSD creates bad override search filter due to AD Trust object with parenthesis - Resolves: rhbz#1502713 - SSSD can crash due to ABI changes in libldb >= 1.2.0 (1.1.30) - Resolves: rhbz#1461462 - sssd_client: add mutex protected call to the PAC responder - Resolves: rhbz#1489666 - Combination sssd-ad and postfix recieve incorrect mail with asterisks or spaces - Resolves: rhbz#1525052 - sssd_krb5_localauth_plugin fails to fallback to otheri localname rules- Require the 7.5 libldb version which broke ABI - Related: rhbz#1469791 - Rebase SSSD to version 1.16+- Resolves: rhbz#1457926 - Wrong search base used when SSSD is directly connected to AD child domain- Resolves: rhbz#1450107 - SSSD doesn't handle conflicts between users from trusted domains with the same name when shortname user resolution is enabled- Resolves: rhbz#1459846 - krb5: properly handle 'password expired' information retured by the KDC during PKINIT/Smartcard authentication- Resolves: rhbz#1430415 - ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in- Resolves: rhbz#1455254 - Make domain available as user attribute- Resolves: rhbz#1449731 - IPA client cannot change AD Trusted User password- Resolves: rhbz#1457927 - getent failed to fetch netgroup information after changing default_domain_suffix to ADdomin in /etc/sssd/sssd.conf- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15- Resolves: rhbz#1449728 - LDAP to IPA migration doesn't work in master- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1449729 - org.freedesktop.sssd.infopipe.GetUserGroups does not resolve groups into names with AD- Resolves: rhbz#1450094 - Properly support IPA's promptusername config option- Resolves: rhbz#1457644 - Segfault in access_provider = krb5 is set in sssd.conf due to an off-by-one error when constructing the child send buffer - Resolves: rhbz#1456531 - Option name typos are not detected with validator function of sssctl config-check command in domain sections- Resolves: rhbz#1428906 - sssd intermittently failing to resolve groups for an AD user in IPA-AD trust environment.- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail - Fix Coverity issues in patches for rhbz#1445445- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1446302 - crash in sssd-kcm due to a race-condition between two concurrent requests- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail- Resolves: rhbz#1306707 - Need better debug message when krb5_child returns an unhandled error, leading to a System Error PAM code- Resolves: rhbz#1446535 - Group resolution does not work in subdomain without ad_server option- Resolves: rhbz#1449726 - sss_nss_getlistbycert() does not return results from multiple domains - Resolves: rhbz#1447098 - sssd unable to search dbus for ipa user by certificate - Additional patch for rhbz#1440132- Reapply patch by Lukas Slebodnik to fix upgrade issues with libwbclient - Resolves: rhbz#1439457 - SSSD does not start after upgrade from 7.3 to 7.4 - Resolves: rhbz#1449107 - error: %pre(sssd-common-1.15.2-26.el7.x86_64) scriptlet failed, exit status 3- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15 - Also apply an additional patch for rhbz#1441545- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1434992 - Wrong pam return code for user from subdomain with ad_access_filter- Resolves: rhbz#1430494 - expect sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy manuals to be packaged into sssd-common package- Resolves: rhbz#1427749 - SSSD in server mode iterates over all domains for group-by-GID requests, causing unnecessary searches- Resolves: rhbz#1446139 - Infopipe method ListByCertificate does not return the users with overrides- Resolves: rhbz#1441545 - With multiple subdomain sections id command output for user is not displayed for both domains- Resolves: rhbz#1428866 - Using ad_enabled_domains configuration option in sssd.conf causes nameservice lookups to fail.- Remove an unused variable from the sssd-secrets responder - Related: rhbz#1398701 - [sssd-secrets] https proxy talks plain http - Improve two DEBUG messages in the client trust code to aid troubleshooting - Fix standalone application domains - Related: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Allow completely server-side unqualified name resolution if the domain order is set, do not require any client-side changes - Related: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users- Resolves: rhbz#1402532 - D-Bus interface of sssd is giving inappropriate group information for trusted AD users- Resolves: rhbz#1431858 - Wrong principal found with ad provider and long host name- Resolves: rhbz#1415167 - pam_acct_mgmt with pam_sss.so fails in unprivileged container unless selinux_provider = none is used- Resolves: rhbz#1438388 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_pam killed by 6- Resolves: rhbz#1432112 - sssctl config-check does not give any error when default configuration file is not present- Resolves: rhbz#1438374 - [abrt] [faf] sssd: vfprintf(): /usr/libexec/sssd/sssd_be killed by 11- Resolves: rhbz#1427195 - sssd_nss consumes more memory until restarted or machine swaps- Resolves: rhbz#1414023 - Create troubleshooting tool to determine if a failure is in SSSD or not when using layered products like RH-SSO/CFME etc- Resolves: rhbz#1398701 - [sssd-secrets] https proxy talks plain http- Fix off-by-one error in the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Resolves: rhbz#1434991 - Issue processing ssh keys from certificates in ssh respoder- Resolves: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users - Also backport some buildtime fixes for the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1340711 - [RFE] Use one smartcard and certificate for authentication to distinct logon accounts- Update to upstream 1.15.2 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html - Resolves: rhbz#1418728 - IPA - sudo does not handle associated conflict entries - Resolves: rhbz#1386748 - sssd doesn't update PTR records if A/PTR zones are configured as non-secure and secure - Resolves: rhbz#1214491 - [RFE] Make it possible to configure AD subdomain in the SSSD server mode- Drop "NOUPSTREAM: Bundle http-parser" patch Related: rhbz#1393819 - New package: http-parser- Update to upstream 1.15.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html - Resolves: rhbz#1327085 - Don't prompt for password if there is already one on the stack - Resolves: rhbz#1378722 - [RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases - Resolves: rhbz#1405075 - [RFE] Add PKINIT support to SSSD Kerberos provider - Resolves: rhbz#1416526 - Need correction in sssd-krb5 man page - Resolves: rhbz#1418752 - pam_sss crashes in do_pam_conversation if no conversation function is provided by the client app - Resolves: rhbz#1419356 - Fails to accept any sudo rules if there are two user entries in an ldap role with the same sudo user - Resolves: rhbz#1421622 - SSSD - Users/Groups are cached as mixed-case resulting in users unable to sign in- Fix several packaging issues, notably the p11_child is no longer setuid and the libwbclient used a wrong version number in the symlink- Update to upstream 1.15.0 - Resolves: rhbz#1393824 - Rebase SSSD to version 1.15 - Resolves: rhbz#1407960 - wbcLookupSid() fails in pdomain is NULL - Resolves: rhbz#1406437 - sssctl netgroup-show Cannot allocate memory - Resolves: rhbz#1400422 - Use-after free in resolver in case the fd is writeable and readable at the same time - Resolves: rhbz#1393085 - bz - ldap group names don't resolve after upgrading sssd to 1.14.0 if ldap_nesting_level is set to 0 - Resolves: rhbz#1392444 - sssd_be keeps crashing - Resolves: rhbz#1392441 - sssd fails to start after upgrading to RHEL 7.3 - Resolves: rhbz#1382602 - autofs map resolution doesn't work offline - Resolves: rhbz#1380436 - sudo: ignore case on case insensitive domains - Resolves: rhbz#1378251 - Typo In SSSD-AD Man Page - Resolves: rhbz#1373427 - Clock skew makes SSSD return System Error - Resolves: rhbz#1306707 - Need better handling of "Server not found in Kerberos database" - Resolves: rhbz#1297462 - Don't include 'enable_only=sssd' in the localauth plugin config- Resolves: rhbz#1382598 - IPA: Uninitialized variable during subdomain check- Resolves: rhbz#1378911 - No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain- Resolves: rhbz#1372075 - AD provider: SSSD does not retrieve a domain-local group with the AD provider when following AGGUDLP group structure across domains- Resolves: rhbz#1376831 - sssd-common is missing dependency on sssd-sudo- Resolves: rhbz#1371631 - login using gdm calls for gdm-smartcard when smartcard authentication is not enabled- Resolves: rhbz#1373420 - sss_override fails to export- Resolves: rhbz#1375299 - sss_groupshow fails with error "No such group in local domain. Printing groups only allowed in local domain"- Resolves: rhbz#1375182 - SSSD goes offline when the LDAP server returns sizelimit exceeded- Resolves: rhbz#1372753 - Access denied for user when access_provider = krb5 is set in sssd.conf- Resolves: rhbz#1373444 - unable to create group in sssd cache - Resolves: rhbz#1373577 - unable to add local user in sssd to a group in sssd- Resolves: rhbz#1369118 - Don't enable the default shadowtils domain in RHEL- Fix permissions for the private pipe directory - Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1371977 - resolving IPA nested user groups is broken in 1.14- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1371152 - SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side- Apply forgotten patch - Resolves: rhbz#1368496 - sssd is not able to authenticate with alias - Resolves: rhbz#1366470 - sssd: throw away the timestamp cache if re-initializing the persistent cache - Fix deleting non-existent secret - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1364033 - sssd exits if clock is adjusted backwards after boot- Resolves: rhbz#1362023 - SSSD fails to start when ldap_user_extra_attrs contains mail- Resolves: rhbz#1368324 - libsss_autofs.so is packaged in two packages sssd-common and libsss_autofs- Fix RPM scriptlet plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Add socket-activation plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Own the secrets directory - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1268874 - Add an option to disable checking for trusted domains in the subdomains provider- Resolves: rhbz#1271280 - sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)- Resolves: rhbz#1290500 - [feat] command to manually list fo_add_server_to_list information- Add several small fixes related to the config API - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Resolves: rhbz#1349900 - gpo search errors out and gpo_cache file is never created- Fix regressions in the simple access provider - Resolves: rhbz#1360806 - sssd does not start if sub-domain user is used with simple access provider - Apply a number of specfile patches to better match the upstream spefile - Related: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3- Cherry-pick patches from upstream that fix several regressions - Avoid checking local users in all cases - Resolves: rhbz#1353951 - sssd_pam leaks file descriptors- Resolves: rhbz#1364118 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11 - Resolves: rhbz#1361563 - Wrong pam error code returned for password change in offline mode- Resolves: rhbz#1309745 - Support multiple principals for IPA users- Resolves: rhbz#1304992 - Handle overriden name of members in the memberUid attribute- handle unresolvable sites more gracefully - Resolves: rhbz#1346011 - sssd is looking at a server in the GC of a subdomain, not the root domain. - fix compilation warnings in unit tests- fix capaths output - Resolves: rhbz#1344940 - GSSAPI error causes failures for child domain user logins across IPA - AD trust - also fix Coverity issues in the secrets responder and suppress noisy debug messages when setting the timestamp cache- Resolves: rhbz#1356577 - sssctl: Time stamps without time zone information- Resolves: rhbz#1354414 - New or modified ID-View User overrides are not visible unless rm -f /var/lib/sss/db/*cache*- Resolves: rhbz#1211631 - [RFE] Support of UPN for IdM trusted domains- Resolves: rhbz#1350520 - [abrt] sssd-common: ipa_dyndns_update_send(): sssd_be killed by SIGSEGV- Resolves: rhbz#1349882 - sssd does not work under non-root user - Also cherry-pick a few patches from upstream to fix config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Sync a few minor patches from upstream - Fix sssctl manpage - Fix nss-tests unit test on big-endian machines - Fix several issues in the config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Bundle http-parser - Resolves: rhbz#1311056 - Add a Secrets as a Service component- Sync a few minor patches from upstream - Fix a failover issue - Resolves: rhbz#1334749 - sssd fails to mark a connection as bad on searches that time out- Explicitly BuildRequire newer ding-libs - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- New upstream release 1.14.0 - Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#835492 - [RFE] SSSD admin tool request - force reload - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check) - Resolves: rhbz#1278691 - Please fix rfc2307 autofs schema defaults - Resolves: rhbz#1287209 - default_domain_suffix Appended to User Name - Resolves: rhbz#1300663 - Improve sudo protocol to support configurations with default_domain_suffix - Resolves: rhbz#1312275 - Support authentication indicators from IPA- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#790113 - [RFE] "include" directive in sssd.conf - Resolves: rhbz#874985 - [RFE] AD provider support for automount lookups - Resolves: rhbz#879333 - [RFE] SSSD admin tool request - status overview - Resolves: rhbz#1140022 - [RFE]Allow sssd to add a new option that would specify which server to update DNS with - Resolves: rhbz#1290380 - RFE: Improve SSSD performance in large environments - Resolves: rhbz#883886 - sssd: incorrect checks on length values during packet decoding - Resolves: rhbz#988207 - sssd does not detail which line in configuration is invalid - Resolves: rhbz#1007969 - sssd_cache does not remove have an option to remove the sssd database - Resolves: rhbz#1103249 - PAC responder needs much time to process large group lists - Resolves: rhbz#1118257 - Users in ipa groups, added to netgroups are not resovable - Resolves: rhbz#1269018 - Too much logging from sssd_be - Resolves: rhbz#1293695 - sssd mixup nested group from AD trusted domains - Resolves: rhbz#1308935 - After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user - Resolves: rhbz#1315766 - SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo - Resolves: rhbz#1316164 - SSSD fails to process GPO from Active Directory - Resolves: rhbz#1322458 - sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - The rebase includes fixes for the following bugzillas: - Resolves: rhbz#789477 - [RFE] SUDO: Support the IPA schema - Resolves: rhbz#1059972 - RFE: SSSD: Automatically assign new slices for any AD domain - Resolves: rhbz#1233200 - man sssd.conf should clarify details about subdomain_inherit option. - Resolves: rhbz#1238144 - Need better libhbac debuging added to sssd - Resolves: rhbz#1265366 - sss_override segfaults when accidentally adding --help flag to some commands - Resolves: rhbz#1269512 - sss_override: memory violation - Resolves: rhbz#1278566 - crash in sssd when non-Englsh locale is used and pam_strerror prints non-ASCII characters - Resolves: rhbz#1283686 - groups get deleted from the cache - Resolves: rhbz#1290378 - Smart Cards: Certificate in the ID View - Resolves: rhbz#1292238 - extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members - Resolves: rhbz#1292456 - sssd_be AD segfaults on missing A record - Resolves: rhbz#1294670 - Local users with local sudo rules causes LDAP queries - Resolves: rhbz#1296618 - Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore - Resolves: rhbz#1299553 - Cannot retrieve users after upgrade from 1.12 to 1.13 - Resolves: rhbz#1302821 - Cannot start sssd after switching to non-root - Resolves: rhbz#1310877 - [RFE] Support Automatic Renewing of Kerberos Host Keytabs - Resolves: rhbz#1313014 - sssd is not closing sockets properly - Resolves: rhbz#1318996 - SSSD does not fail over to next GC - Resolves: rhbz#1327270 - local overrides: issues with sub-domain users and mixed case names - Resolves: rhbz#1342547 - sssd-libwbclient: wbcSidsToUnixIds should not fail on lookup errors- Build the PAC plugin with krb5-1.14 - Related: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1290853 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.- Resolves: rhbz#1336706 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups- Resolves: rhbz#1296902 - In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD.- Resolves: rhbz#1334159 - IPA provider crashes if a netgroup from a trusted domain is requested- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin - More patches from upstream related to the memory leak- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin- Resolves: rhbz#1300740 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.- Resolves: rhbz#1267836 - PAM responder crashed if user was not set- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Fix a Coverity warning in dyndns code - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1263735 - Could not resolve AD user from root domain- Remove -d from sss_override manpage - Related: rhbz#1259512 - sss_override : The local override user is not found- Patches required for better handling of failover with one-way trusts - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users- Resolves: rhbz#1259512 - sss_override : The local override user is not found- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help- Resolves: rhbz#1254518 - Fix crash in nss responder- Support import/export for local overrides - Support FQDNs for local overrides - Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes- Resolves: rhbz#1250415 - sssd: p11_child hardening- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected- Fix wildcard_limit=0 - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Fix race condition in invalidating the memory cache - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled- Bump release number - Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- Fix missing dependency of sssd-tools - Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- More memory cache related fixes - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Remove binary blob from SC patches as patch(1) can't handle those - Related: rhbz#854396 - [RFE] Support for smart cards- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*- Fix memory cache integration tests - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups - Resolves: rhbz#854396 - [RFE] Support for smart cards- Remove OTP from PAM stack correctly - Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Handle sssd-owned keytabs when sssd runs as root - Related: rhbz#1205144 - RFE: Support one-way trusts for IPA- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on individual clients- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support - Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2- Add support for InfoPipe wildcard requests - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Also package the initgr memcache - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Rebase to 1.13.0 upstream - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Don't default to SSSD user - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Related: rhbz#1205554 - Rebase SSSD to 1.13.x - GPO default should be permissve- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x - Relax the libldb requirement - Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21 - Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs - Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust - Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers - Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains - Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups - Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set - Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides - Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution - Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work - Resolves: rhbz#1214337 - Overrides with --login work in second attempt - Resolves: rhbz#1212489 - Disable the cleanup task by default - Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf - Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one - Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected - Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all - Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface - Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain - Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys - Resolves: rhbz#1204203 - sssd crashes intermittently - Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default - Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only - Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries - Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything - Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query - Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects - Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name? - Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error - Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD - Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set - Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires - Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option - Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID- Filter out domain-local groups during AD initgroups operation - Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Initialize variable in the views code in one success and one failure path - Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Handle case where there is no default and no rules - Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u- Set a pointer in ldap_child to NULL to avoid warnings - Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Run the restart in sssd-common posttrans - Explicitly require libwbclient - Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Fix endianess bug in fill_id() - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view- Resolves: rhbz#1184982 - Need to set different umask in selinux_child- Bump the release number - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Add a patch dependency - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Process ghost members only once - Fix processing of universal groups with members from different domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved- Handle GID override in MPG domains - Handle views with mixed-case domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Open socket to the PAC responder in krb5_child before dropping root - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD- Resolves: rhbz#889206 - On clock skew sssd returns system error- Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used - Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Resolves: rhbz#1171215 - Crash in function get_object_from_cache - Resolves: rhbz#1171383 - getent fails for posix group with AD users after login - Resolves: rhbz#1171382 - getent of AD universal group fails after group users login - Resolves: rhbz#1170300 - Access is not rejected for disabled domain - Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode - Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear - Related: rhbz#1113783 - sssd should run under unprivileged user- Rebuild to add several forgotten Patch entries - Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Remove Coverity warnings in krb5_child code - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Don't error out on chpass with OTPs - Related: rhbz#1109756 - Rebase SSSD to 1.12- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users - Enable running unit tests without cmocka - Related: rhbz#1113783 - sssd should run under unprivileged user- krb5_child and ldap_child do not call Kerberos calls as root - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware- Fix typo in libwbclient-devel alternatives invocation - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.- Handle migrating clients between views - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Use alternatives for libwbclient - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression- Add an option that describes where to put generated krb5 files to - Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12- Handle IPA group names returned from the extop plugin - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete- Support views for IPA users - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Update man page to clarify TGs should be disabled with a custom search base - Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Use upstreamed patches for the rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Resolves: rhbz#1162480 - dereferencing failure against openldap server- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1113783 - sssd should run under unprivileged user- Fix two regressions in the new selinux_child process - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1132365 - Remove password from the PAM stack if OTP is used- Include the ldap_child and selinux_child patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Support overriding SSH public keys with views - Support extended attributes via the extop plugin - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving - Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times- Include the responder and packaging patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Amend the sssd-ldap man page with info about lockout setup - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD - Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server - Related: rhbz#1109756 - Rebase SSSD to 1.12- Add the low-level server changes for running as unprivileged user - Package the libsss_semange library needed for SELinux label changes - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Use libsemanage for SELinux label changes - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Rebase SSSD to 1.12.2 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Sync with upstream - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebuild against ding-libs with fixed SONAME - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.1 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Require ldb 2.1.17 - Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer- Fix fully qualified IFP lookups - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.0 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Squash in upstream review comments about the PAC patch - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Backport a patch to allow krb5-utils-test to run as root - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Fix a DEBUG message, backport two related fixes - Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success- Resolves: rhbz#1078840 - Error during password change- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider- Fix idmap documentation - Bump idmap version info - Related: rhbz#1067361 - Check IPA idranges before saving them to the cache- Pull some follow up man page fixes from upstream - Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does. - Use the right domain for AD site resolution - Related: rhbz#743503 - [RFE] sssd should support DNS sites- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin- Mass rebuild 2014-01-24- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed. - Fix a typo in the man page - Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain - Fix return value when searching for AD domain flat names - Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword. - Fix two memory leaks in the PAC responder (Related: rhbz#991065)- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup- Resolves: rhbz#1049533 - Group membership lookup issue- Mass rebuild 2013-12-27- Resolves: rhbz#894068 - sss_cache doesn't support subdomains- Re-initialize subdomains after provider startup - Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- The AD provider is able to resolve group memberships for groups with Global and Universal scope - Related: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog- Resolves: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog - Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"- Resolves: rhbz#1037936 - sssd_be crashes occasionally- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains- Resolves: rhbz#1033084 - sssd_be segfaults if empty grop is resolved using ad_matching_rule- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- Skip netgroups that don't provide well-formed triplets - Related: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 - Resolves: rhbz#991065- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash - Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 - Resolves: rhbz#991065 - Rebase SSSD to 1.11.0- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 - Resolves: rhbz#991065- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 - Related: rhbz#991065- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting- Apply several important fixes from upstream 1.10 branch - Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- Remove libcmocka dependency- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doensn't carry any older krb5-libs version- Enable hardened build for RHEL7- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath insted of mcachepath macro to be consistent with upsteam spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. - Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested tar get is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstreeam spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predicatable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. - Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. - Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. - Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. (Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)/bin/sh/bin/sh/bin/sh cadeuk1.16.2-13.el7_6.81.16.2-13.el7_6.8 org.freedesktop.sssd.infopipe.confsssd-ifp.servicesssd_ifporg.freedesktop.sssd.infopipe.servicesssd-dbus-1.16.2COPYINGsssd-ifp.5.gzsssd-ifp.5.gzsssd-ifp.5.gzsssd-ifp.5.gz/etc/dbus-1/system.d//usr/lib/systemd/system//usr/libexec/sssd//usr/share/dbus-1/system-services//usr/share/licenses//usr/share/licenses/sssd-dbus-1.16.2//usr/share/man/ca/man5//usr/share/man/de/man5//usr/share/man/man5//usr/share/man/uk/man5/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericcpioxz9x86_64-redhat-linux-gnuXML 1.0 document, ASCII textASCII textELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=aa6af2a54325fb04ea79d2568974a8ae3c867f68, strippeddirectorytroff or preprocessor input, UTF-8 Unicode text (gzip compressed data, from Unix, max compression)troff or preprocessor input, UTF-8 Unicode text, with very long lines (gzip compressed data, from Unix, max compression)troff or preprocessor input, ASCII text (gzip compressed data, from Unix, max compression)-R RR(R*R,RRRRRR.R R&RRRR RR+RRRRRRR#R!R$R%R-R R'R"R)R RRRRRRRR RR2?7zXZ !X♍] crv(vX0}X|St 0~tJƶ7,w)W_iQ4| 猫%W #E 2XBb4=6 SH=W*+d&aW:0[a*Mt _Οw:;%22o4vIT!bhJ䷖WdM*=|ե^VzAKw^xCG[hĪяva `-d Ҡ 8]4b U0{X+L-*@XyeGA]sJ ʵ 'yƿkr4IB!PK=Ծ8_͊T'h~l8CW"_{N1/JP tɖ`\ ٪η\V` N5sYb+8s l-dA1Lz20P)2+īYMfY .5$W +y-V4wbA\%aPfCAʹ(W@[呒wI6@' 71LdIs[7"ؓ\5#܋STA\b@?8 b s[jҗXjn_qPÃ%|-  bx^fb3icp2 mgFƂj~ɲEno>Zy)2ߴ" KL $t'X}{S1OYmgy:*2ɧJѬ| &Nu7,z#sHSğs9s2-4V4yj1yzi.*EBܷBI,+Λn};r*"I Páu',cjZǭn-8\muiQ|:v hȁ1d Mdӻ#?WOb=,$̰:/\vOzA& Ih\н~OkY]-}fDU"g݈h\*舩\M v!\gxJWlVVSsuwV톭m=%`ҍ&3s`L C?z<_4@9<(%l^0Axv&otlL;{~3^ߦdx)O~F Eȕs,G:I/lD󈱈 ]aY\ `!ַXo 6ulPV^l5{-fw!&֊mGEe5[/XIlQ c͠):i*&{hצ~2n`Pp LUˆ9@" 1@0v ᩁ vy=g&6!T%W0t$oHj};GXN/qjPB_K_UQM{!7r5GJ$[uT:^Ӓn2g"tB/|Rs7Pg> D߃?KSj&A⏐KT3*Ȫfx.9xE=d' њwċC汶詸U. {B"[nO kxt%JHmvaj!#\@/2q&'`~+-T#q;9Rjaf(H_v|ᣭ|{ϣc2(?AC i1|#KFө_,%fBΚ[t"*Cd %cY[/@c8{5j;Bk%1<VfŎnP|f*a v~v*4rp,j x vcm?V:_KҨE,9]nREAuYp<{/,/5n?.Փ8UPL0f4IQNF` ;FDcg]UvaܸMEq|"  >JDFk;bӳFќfw Ů5lg Lb6dQB1!6YxĻikX (ީy(_X1WC9m& ,f#9MO Il"ȕ DF">eZtyO9m薘FZAu%lj(jy*J@vԤ; N?lOW , I/d`٬'?xޱqp[Sf50CG$:r*~09xV3h&=ZgVJmN_;9V:DPKM)lNr$(XrY4k X& +%BɓI1 /3l|3Wo0?W4"ȬZ %H><͚z׊SAcG(mW= oM}[{)w5Q crt~-޹8(l;C. 9=KV,[5@@LTD>%g'*N=}xF+M?DjOL3OFc|[߰C 6F%߃cmWJp j R#:?)#hd؂eꎌQ!cp|+G8Mi8<|H#<7Z*P٢~W6L`4.ې /(QE$ƴ<J[ `r˗<~Jm5UmYy-8.8lTʩl5?duf:J|C#*4HJEw1p4A΁%l=4Jj₨퇐rzP*H:SY8d5=6{lf? ԿՋ;9UC$#G ӪeSF- xt類V^rsMzyCiN)6`04}\l+}ޑR0COg_-d5]t^2,; =!-{\]YvlDLZ^=KUKzMaEBA1'F~w6 FiPݓ@'"ROd^X$ 3%q %I[fZ"O YN`qyyFljrh+O$7`L [eR?5/ :;UR yf0cޢÑ?@pib;Ǘ tp%Г(2m3kw6r1G_\-f"ZdkGW^{Y-J+l5U񭒐.};y)?y5uí Ѷ-Q@a8N¤4=J~jՃٹEo޶y9BS3g:3jMD`_(yS 6G ?f0~~t2~ZT;&r'ΘQʢMط#G&Ieҫ:%=e-Phjm#Wb3g|胕mw#g~]\-B_M%}r:UFN{*2s^{m.uӛxaz{럯tUOC~I'/Lءe2]XBxJ"N9U{*TYb) <ʃL[.co-hfeux $Z>آl4 e[h'6m/4ɭ}pS8>8Kk>A{_*:O$xhP Wޛi>&FZ^se-u-GԄ w T y6]}Ǵv_>G̳X\"P)d<+a?.lv4oNd T63%ѐ=J[f#˺ꆳݧxrJK!>(s#UcjՆ}]Hm+A`Cd9nveΌ4ۥ`Kh^MU~&șe dW1P3T(LV $w  d@m`qEи^,bwE^k!~ lN<'e4 kf5ʿ-QUUٖV11 ]̦`Оe9'(A.@ƫ<_{)G{FOW՘:"VL\g >0Cq.ˣu9Mԍ1ax28PNl{"S&g"dCQrK ng"AtcƩXE .gΡ.Lpdw*yM+gGبJΛyJ}.Mhsi|\e7bJ>ݧx /Apl|=@9~(ATeZVsXٖڰ @S@p"ٌ|h8b,^@_.uƘUB{bz=voV8l$Uu0GO:._xcKg}IC I-Ҩ7+(.4C>E+|7 \T9z4o&|i$ sŽ ҿ0B7,{h5԰yފX+K G~5|&hEeCz'323-`d _xSM}8*KS `Y ޞW ~۫ ecDqĐEdӜyP$xs6pdGvb{#r5jlY-FMi4. _Q)+րP8cxn(dw9Vu#E]/Piԫ6_hwFNc̔VGOLjEeֽQ9%)kjk3yx{eسbrv֠~m*5Zxn҄u??\7::&C엒bMF@"8{TgE ԲPZB#;*{ўqlm:x6qsuo`r Sn'1 m%0>}YRAsWnĬQa:A7liнh v/[-u?Az K>GOg@=kAp g'zC눈9a*|X7$Sk i@m |p mߕ\*:{X2^4]wPlZ2>}hcp3aD5ȳ}XwYtMp^γtS8I*v` s5Z.o'Zz^32a{9B :15؈ro>:ue`$waToͲ|pB@j&&^kHe\uvi\ibe]|"~R~f%fV*ߠG{*ےd|']Ø*W-YOj(}T!Gw5:+M-xĎUt4ǡc/h>@`iP 3E=Oi)S-M0#-nh ! _Sݟ]>#[!6}p7Ki(%S$6 nC5ȸC\iٍyNM\*|ܳeB+їM0X cgMy2Az]: ! sxٯ{l[ hrfԼ;,@9Cp т f7نȮB)2zn qZ"ʧ}gV=jwmAM[|bMu`^sP1 9jUC~5⅀AP2xWRCx]f&fQ !A@T﨔L(>Y.;,uVcQ%ț_g`jʯ&?MX~0@UB!c"F-ϞцIadUi˪,qߩ9cvv%N!R"K(-BamR,F̩$NB;KXG&!dJ,iiM$˜,;/ |UїqShcV.ӑ)|$+=Jݥ2G>;9fr,Q,L 9z"эb밢lZ&ap5h-\)ZGmwFG^ "s=F`j풲w22\m}OwfS@SZh b9mF,{~ Yj:YL5gN;Yu>A~wgXʂ. A'dp}BhВ8<iG1Q͡ڧKwF)ue/#6U1y_ ER]0nTNbμK&dFp[xr]cv@&]EoV4޾C x7}'a>ZD֤bl6߼V>憁/٬|)רDQ/%sv uҽ=ﶵyMSC: WqncKWL8]o[Nq[IqA&0G{0M >S\,綀+5s )lcb:ΌV9x Qg-mR̜ϙfVWq1}r s?^uI R1™^N] &lX3ZKJom3L cufSl/%?1 ܵi.AD߅cu `@t:3?'N6X'_OZLڷZ1l4ߝSq6XSЇy+KW𽡿j0 ('8NSN,'#tM>QWli+V my2`Jy/_ m@A9#EǰlH# L hp`gwTj*<1$mE!=qg~e]lzio6O6OV&j]ґs)bibN ?g qNq]4]]_􎻠\l|HDWƎȆ,퐣 'zlU{ęCH>xU ).+Ȅ4k]HLXv#xhWhwG l/p pX_ld_orۚaP,l9Fe;Vj\he R(΁}KӶG8 pB3̙qb3U wт {[6SUa s&2`vvX7+IG__Db(g-'3":]DTN^ҜfgV5>.j6>¹%$ʿ`3UsSmPa5`sWz͝l $[2/fϥ~]ڿr(hhOgG~$l$8 J(8mwiȆ([Όu2Ffyl9%h?dz㎈6%rA$ݖ[/3Ǩ }>yI=Bo`+8KN E 8q>j]1D"h/g5W`c3 D!hoݹSnՊmUQ,Qo^IEF%]XZdi*v#t٨Xo,?/ m[s2 Tlm(<@EBq ~3t:fTTgl )ě@ê{rjGmJR]RaNBVy%,/d H8cQR{(30skAZ)sG(ԓ'79ą,ƝY(q84FM!Z(Sv+mD%fd!&-4J/2j#ہfaќ-QߘH'Yw_ k1 =_jcwgy l"b 6M̖-G?w#ᗔ7OIU*P]&93/\{EjjxΒގ\؟G`Ky :hGN*3b)H%zpLwC:GK*6u!'9E~̧+1N.22;]2e 4T̳^ғƱK;mGf|ʩ04>2HGGy Sr58! ۱ޝfӘYZfuL#bncElw@1a5lzXvn> ={_bfg\P]RjڻX`o ې-;EVKE8~HPj7J9[ @:QFϲuެf;j^O[E5D3Dvh(ya:kKp>~=oaȺ^MkC 1֜rM!,J,Zx!9ğh!ΑڼسxRr,M8zVѹVyEYnjM颎`-S]QhIAuɂTإ+fJeVLô@v bڏ.(7bb~!ytNmfb|8޲'iyU5!-%`H4֨z|2Ouko4o.=ü#i 6}ױ!,骕9Υh&?LRRrl%li`Q>'NPIPtcR] M`jB'5OysH W)6<~JVCe5t\vUVu%wl 9y<3X!SQw[#1MwRJ@^W9lþ`E Mԍ1V@C2B36}d>U21MLn1]oG@!ئX?ɚrϔy:a}lLl˳2L/@FSA1 Ti&'=D՚>Y)-=0pN\7mW%w.O5ua~±"ء#ԝA11(#u`>ݸǣ@wT"dڱ ڠ;jq檥N4|~c;_]HX (%2LC _֣"2-V:s{)31BW+ܜَ ӞtRAXw&@5pA i \ *SG򎗂T{:lkE"c۞S31v'AƖeT4KJؖ;B[\Y**QIX.'΀Xv@?Ju~eu+˰Pׂe/뫽 kIs53ދ\% W@aYюc},\n\^ӱmGRD!Ǝw#|40zQ}$$y!;\ON:`:m/LFI,N8˨26' gE 4:z5K&U|^2[G1*+_;Es 8vQO%Vܢ*~Kfy"tHg U z͓%qlϿ;&.֙1I_Ben0!6+^l)03p.ChяM/Vf*LPT\b<.?U̸֪C0Q)s(N8hxj^gCmvuYە×D&R&e$Gt1&HHMe;)7НnCCw ~J':'2I&^ޓ)d+;f!;T™HNNSLҤ?͸1'8wII5hQ*PmbTdխҢҒ[ϡ݄Mw]Zg控RqǢ&YVңs R5L܆%r/(@¿3`hn"je^9,uѾIˏ^A EAb (B48rZau+ a|~0@ Ż~f0=gś1W\ lPKn 4 !Ɍc\14~ 9F,hЫfnIB1زѽp91 V''f)8.bUp¡.ʯ.4xG vvT(zX4g-zv]+~8s(-j-UWcS>om*Q]s// i1iK.O1x՝xcli}Cn uSI?i#ױ|"]`5rÔbf:υoT ?9,4`<1Z{,۱cJbMKG$nS\8X + ךx {E8f!fk7~tx qT}AUKad|s\KnlJ[}4qn&5r(9%M(4N )ҵ<$1oy^Rm4TbضB !Fo SO6OY HF=>}źIlSim&\258^%fBլoT,&YrUCz4HG9qL:ZWKF'S5'KƗKDtlD}gg^:Q# jBtOl0 2d)vxYD*a LL/2v՘ZN,Wgp*T#8p:#zZ7"F" Nr{.MbxFexy;TXa ѹ4gX Od "rRVuGfj{ >Ii/hxXB '(2`sњI`=9@ #I7լ] IQ vS $ ԢOmS*Hnv~ 9(Z ̭΢YU)rWC ]!=ҏ >d72r}6r&u;XljUR.&.>6V5`BЭ2tZo^7h_A$^OZ8ȂLOm!t9D'}e R[-' fu8|0 W7xַqxkcτs+,R_+eJ͉u t⦺gB vrG6gVP2و_)7ZAoPQtzM2=]'-,' An"La~.P=#6lKs;j~E|87eفNwgKW >I푽HuC^%L\&͵f‘[1$-TLg 1Ab 7|3 hS;ru;hBȸ.j =vL A' Д@BkmVoV&B:C oeV?C m,W{UB=ǹ"Zd65n к1B^)'ÿ[H"y×QʟQ{vah]%""u5w0ԇ6{銡!еlD)O ^]'6"_"5٩_Y/c[*Iǝ o`Ku1fsE:B'b8NR;lalCZp5gKnk!-<RY. [hCU{\[:搪òhp=([Iڪ,)+^3P 2 $I 7x ]n2yLmQ7ZО5iϔ'2do.FfN_^Vj+RbӸLLv-(J-Ql3w3mgKg.^j=_zBdDrة fɪվksgۅ=Ɣ(;|d776-P~E#n wq4gsQ,Bͩhh VeFq@fps(N yeiwz1»z'>m |~F֭H9b'F2%#>3*$Db9NAAͼ.[083<^VC$Aqox?g&[W5[P:`Tu@oN;5^ ~pP'gA[ \^2شָqt؞;tQ_Y0=Zbl-~(OOI6˭[V3@լB>=L^2Hq$wK@)JkbGTcn_3N!H̺m)?'"I5;Oڌ7VX{RGq MuFVxfa3=+Sg%~Pm`3ax` Exa07:/[i@5I¼cXсd)KR{ݽh7Ts<&Nӛڅoa==Amoo Vu7՛ǟA[Ҍ`q-lEj[TiEP ;,4)4kviYpuQd{I7*K@&nDôxe.NSVź 9~jb{BʕC;X9Krx% Hl8o2Io&sY.VfYTg{?5*C&:q[ڢC<ҺV$m B/ F+ǭ]!f'prF3@k?e+ va"<-s3}YZlCiaAQ2 [`S{ !h*!(u; " U {tp/_%c_@/#0[?e%?fU Z)ɩX_FUUiF_EE?[\cSqlC+N㺙MKo~6fekIy'vvK.G?7QR|WNE"؃5!RNK1Z+3*iMB莅T\r60^!R>$4-')z\ZۗM eo0@dd7Ⱦ00ޣf!?{~+]6ދACzYkFfCY(?yvم7ƭ.$k+6 qIlN2}5<붑 X /JH:B,bw-Dm&vwH9db+6VJ%3}6$BP^f'I5S/"~gNsNPF+sFOSp(hghzrZa.!BY /t/t ~7V 5 z3+ '^W:+%9Ŧ@5 `l=R_%Ar7Z-&O3:gd2NwSN1vRKjҝ' u03F[Y!C  ԘΥIV8?#LQ6uaIOHY *x]J PQa[YJffmPD"'i?D>NIep\+jph-"}̧u _b?e.uf/}n/b Neg5*lͼ 1.D܎.56#^a'f힫.Q y>TtQQ@ZlCO),.Xs/HNyK~/*ؗr <5{ÊRm5Uk6LAb.%BngADpmŽJ)G1W9t__>UDz&|'@k"[eAKδ:,'2 Q~"(Eߡb"`tQ`3~g14+WAb+f1赪+.*;|,qZk+GZ{\vѤ`w)R#-摯2hSV<q)qz_SL01v&F1 NJ +'Plr$-dpR,"N%:NBwI}e): kr+V6G0a\dEa:ħ<|Bƃ͒| Z0jp4LFS }ػ8_~|WXoކLr䮃l(XY/YpȘIP8uW%"%bG+<&d8K㹾Ӎ.--;Qpg?oF[Rܲ^ICr޿Ⱥ_Q "lV rQO%pD^$#| l8Z +M+>#Mj_rcmY-ME0L<{,<.Z@g1:Qx̰ fVݢ<ȰڑFfXe9u+0H-r;hr:2:AUWsPSʸgaΜS3P1e e6q?9̯N:p&]d}[AיldHvo'# ʒ30`y'[yOaz)Ghfcs1GG&pRa݉A zb":aB'T7s[.^e[ܪcYb(9zg]Cv˂O[GJѼm'j z[l۫:i$F2s^D mAMoa\#vY,dWsϙUveH񲒀mT0#׿K>|0׷>wB'D9bT̽#my­vWWa^B`)b=YS6kEG ;*ɋ) o&|^@.Hw}Q \F4IR [[s IWAzb@ŧ_N7ĝC[CX v=\7ZHwNw䟽mՋ9TK(ԅGxƫrT0"I#`R% Z}Wx){ ub Dua{1z;Q@D;?x6sRmg.fPkOh]*ʅ^Rߒ=76h3PZ-}ߝOշ2F4! LhHOB1@!Ije}"yWm ^ ͫ%:a;B/DnӼG`{jaXo 2GL&KiҙL&J!1q Cj*020`!#IAX<-!!>7(C'II_}W.HX?s0:qh#sf >19Y~ #7?A)Wj\eOq5YG.3Nmyk۩^o6 gcaU>D-&ΦL L >w{y1QcrJ۳?п1,(EHD] KAd@_p&q_L̍6v;o'0 qNU:1]jTd<ҌckbgValD/_Hsh h1 (-VBݚI-;.} f.$Ӆɉʞ5Y6w~HkL x݁*^Ќ`ExR:v):V"{ol*2 hT'ս|;=̧ϽKygOæ_~tHWؤΓ1QVÁU/w%(s1J%ShȉrLtH߃_*DOK\5Ce4I=e9]̅,۠:NǛs/m;1#?)3!no̺F7"z:MPg6g;{K84ud@1:DO&w,7P/{ɮibCE d 5NQ:^@/MD%A"'8Ţ9jd57/IJ蘫24jI=-Q !ܥ|}bO[\ B $>$2s%=\7hʾDޱ7Xi DNDWO:x_',ϚܔFk~Nb4U !8H*&iS_Rތp~}Ȫ^"?`7`%u >mQ Hi7Ў ]# <Ԣ`wT1dۢ΃WWJvC]G_RV'2w@9aL$z n}M:W1"p4'ո-17U VBe; O?zo S][pQ_ H+؃u{Eeըm6%>l(QCrP.yD>O/P94.ώuifb5`\$[>^7̨0|vrcx^-J:wvKHĐ`6J[WD331A pQdhwФ pʼn5ڈRqI섹bSkil]g65YPϤ8/>PlߝL-6R@>dPh9X#w pq()ˈFQӠ9 SD-uxzNbMC /4abH3G_)] r4`)ΎhgcXsF f\&=FZTEyY?`Qvw<;: cI^ƨ4L,hdُ9cAl/?Mʞ).ZBMqgpKQ(X~xB 7  wO^ER!/@ɳAu8z4:d]v/c+0s9ztDʆDeYcX#ߩh :o/LPQin)_"`^.MϭIĶaOF7\f/_&NxY^m|qcxM3rQ*9ɗW0N900Mb nNKhTF,3:/.,AO!0f~_35| Rg^H j I 9 &:c&#pF#g&5h|:ǽ n;KB82JWNGJ7낀74km[Uig~s}j>cIpseS-"J6<ſ7a!^gd{,uo&`emM0yl <g _VچXm[Uk1_ӬzιLm"AFVI6="i /gzsCc1\$g MK0v>r0 NqZK՞("!|r1床jj|4}>e'e|-$_RC"2v `$,;YIrVҎ~r>,;I&M&yNDMĉݲ9)蛫[ 4#ؙ۪ʻ/6g%2<ֈw\+@|}c+h(VF+[oUWU;vJBg^&~_ҹQ@2mq= @$yׇ08}0-/:BjqFOUO +J0 qxhe"xcB~.ӒR(_a]_Doaߗ sb0“OM LwXRRS}CJQ$gi:0Š1\*c,R$Tx̰-:B>2e챺ֺ)F,DPy!k61  Gt?0Nh/s0r^ٵukfvnېrK:t/.aG":9zpCU]"ȆQZѱr»(x<Ρ3h3=P'ЗK}#!O%#5|@ofLlz[wAPl'X "XLuByG,=b"LGq Z_ QBe8&}WU\!$f2F*ܭl"F1c)[_LepZI~-@ݸyRXO\"| ChƬq?"': vO:ء[2Jwu}m"tuwĹD0K)q؃~6bJ &Yb.|d9)Մ6dDC:Ϝn+r>Be7.NJsxc/RR h$;\퓟W}w& JŤoɫ:Zazdk=je cJM he fIiT/;Ԫv¯HP ,x_p"\aJI+ K@gEWVRt? ,X AId[$X*%y&ػKgt H'?7wpǝ sF 0,+ϒ =VR F5kٽxzBޛ,^W0QG4p!*x & \߶ʵl ^|Ұ{>M_.=}[bHG˂5SKkA(d 7ݷJS\"9ʲI51|&}A9;QdLZ/aGꨍ] "qhgro^'Z%04`BRj)RBxU04V/9LXBJ'L G~MۋLH$識]0f<+8|Ν<Hkb#o`(MG6tS/܂"_gV |sM|T@OLznY! ~BTdG R6~Y %\߄2ޢ m ܧ8t2s "n4<1g0G>HK {Oθӏ"ٍ@O~ Lu0ԭc6{D ~@WN.3$7dqtBƠ)zEetZ8 9Ԉ'`EƤ:!t&eu¼I- T*y9Y =0޸0[Z}=ށ.È!7NzF)If|N 0'6']6H6ANztdUb8̓%N`?ܲJfw#~)ټi^XXdwoYu|0ײ˖Lg;_kOY^/ _@|P.?G;>@IZyC"$h_ {% d ).,ܚjqAD‚-|b0^\IO{o1 G.~yt- x!Z2@"":}4]JGzGq[c<;列g^C*KRSJs23P81GxǑg&'+H#^M^x"&_se: ;a0W0]G3ȩR_]r!Z>:Ԯ?42ܙ*a6Vf{_ߪiZ_ TJRfpሞ[,.96q ޒ'RwU8۴nTvC>]фЇMD?5%8lly mҡQ,V!` 7 ]848voA̩0wmN׸X6ң I_x)6&RRq~$7ad]Vi%XKDU|KѾK>L \SLOϙBFcMn[aHaKy;6~n&)* !SgTX"f,>IcLx8uu tDJ4-yQ- T,vq7+Z\楟ߌKbl1!@zHo&MUp]r}T GUe*xr9裆T/NŎ^r|:$<}nac,;Fot60K&sN=U͑0(3TytY׈pvH9NEK=xS7z*9z#Ht\T+])0wނdڰ~6Y&H+ ~6 PFXS}pB_REnQ@Ӝ"@7'{~8NKH=8|1s.\˩fn>Y΀b:g#~Ϡkӕd)VLd+wLy/X,/Ed|  -bV%09OfbΩ֤ۤrn)Vw&(Q%G "4Jr%} u"۞ٻJd.>\cPݸ o6^㨾^545AI1;SIs\9\:]o\+dԺe~SHڧyt&U5{QeEjQag*DŽ'0lITKq19=-m$Ӏ)kkfI?WIQLK0Ѫq6䮱ڴ-O*3.GMji[w1e:_?;t۪/sCwp}rc YIէɕ6>o,yƶWŸAPσeTe(u8.6l{9;h@Q&iږFu զyw3o!ޏzY_ V_xْt][A<K^@9NfPжU4T 0A@Z:kA=zN~0 $_f8z7 o,N kMvq{GsS}k]GDl ._t BxJ1.ߒ A!Kj(?ۮHh[ꏿi{VX } 2‹OlhlC# ̯Kjr`9qAru uc3'"əaD/Q]>}9% C_ogghc  ^+sHKӊ f¥Uؽ} Om?e6 ;@!´w۱7@1(Sbop2.= =WX2ѹؒdvi~O<,YR=ږMlOʎLiTEAv*!q|=v>W_ )zASb\9' ec'~3M=Mu%X*!0Y:fp_a֝Xpܡ̴fĐ?.LW_"ozLlSW]g3%?4`:.⩏'կa{ )(beAӂ! c͑$rծ@ԲWdEj'`* hǡ&eM/L2MMIu5pA!GB5#Qըg$3~YNSHhQ0?h$$=)L ˍQS.:j>7# g/C(I 5ƉƽA#JBi`х\ж26ϥ~^HɩVen{eye*i.(N:|SG"զS?PC4Vqa ;>%3xAdA(}H*A92y܆P_үu!Cg$w|9ĸ(}& IsKlE< [xLYx07Fo?H78ɇ*Eشw2CQ V= &. )o\z:}iU*"H7w.tX0U$O0oGP ]4AG{N55 tSBZ4b1Hb"9랤}0W6 del휩(kHblS\'F ?13I3O&29XB7FO%7~*/h7#M?6:'ۜ})]|D@%}sRĚUdHN#/V?hMq0ejGJj I!M,u\:da[suB ?0{Uͷ7knrЊk%?*K2kAӞɵ@"K]ISW㪶@>vk(zu\йo&C|@>\%CS;[sP+X8LŅXl&`y32Ri4.G. l#́Cj<ӑ !wcU_'Uręgn7 t%#6a'aC\0z9WU2AىgOcnSg鹝1Jn \mFJ4* ~>KO˄D0Qs _-t%6SX&;̾%KK2H>;7̰JNUz@?cu|h.yagQ#ih˜2;.!:{>šL"k9wߟӿ+v6#WB<4H:mQ:XXS 4x0]&D>tny J Lܲ8#!CFְcVpכthx'0E8zoY;q'۬|Vt!|fvPHX)R;S6U!)2 p2m+-睪J2]OhPH2g.σxCrX"kXMX>0! $ lɛXzwR2I_0u0OEF~ܠH7Z X@: "T6`3ꉛخ{- cEc6x6kiSPz 5| b^u wڕ"赺O'œT-ĂD) RB*Ә̺hBI]rXfcE~`5dx4{ЦQ1[rwofȟ &d]C|A*sȋWLs }uI`h&wRu›~L}1i@nZ[wD\krqMqz }w6"2e9}nR4 d0H ͒(ؙ~ihMlTUa`]v gQWL\os\&.!ʸ hb{eKsJVgl[LP&[݅EѼ53Qbk2;UΧ~6Uy}`YfA_6fVE}[}t 7؛抡K jhUo!8iY;w5׻ưCdkW^"iBܾ4%F8gp[uaX$k!rE)T-Ē˔mN[Λ^S a-th~`R \}\^$pU(|x="ӘUk›7=a'/fϭ 3H-ts7JEɕar휥1y,vNxjg&;C|Aue*V\[AsU nef^?vV"HHUX^ J2RJtr/LraҦwxYOgKp. |j=/"]۳'w Wk}tu{w{kuc76zvxTf{,!RWVlʘ:4P%uRn''F;xDslN3'緽MZSA\dOAN<'f0!{k<|VFgÙAA[7Eyr; S1@0Ð% 8UýxXÒz}QJ^{es)W} uND4*5@a 6iKG6]nb|%|UX T?U"D$+Q5.ʭ'k,އkh#{[ʱ/W7@f'?WBPÓ5mr'vm awrSlТP1Ѥ.!2.N`, ܐ7@tE@pS780HU<00X{=>CRua\;8!2.RM##`Vpyc"]Tp캏*5i[7%9[{؇g6l7 :lD!+Z*z$ xhwu^C/T <?@]k)@ ):U.SUa}?3rdViUٳ&V[Hq<9X@]#zuxzM($ۯ笼 V$Թ0M4h^o8|q8xYL+m_ZmmSݘQ$ az"9TE6 Z*)Z/f}y|Nf=B"ȦduKeͫZ4reyw/ן%ac'XZЗ!RU<ZhmGٵ.ߨ@*ZbE=eR-(e}7Z2#W1>%|Or3 _J}g ,*_rq`z}\@ߌK*xFM\q6u+PnP٠T`JǏuj+:y,Z=:Fuڨ:&ڽW=r5DA $>)nMc5l0a1@ݎE;`f=l>av YG#<w"|,)sXH#Y>"0Fq;Aphh4 ec)`lai]Mж FØ<d0b,UW(I szvE{CV^^wlXCVh~q&rCaóו&4`St BFR n8?`G61 UQ$r'f~.1ҖT]&R"E>zpJ05YKlJ*tSuN-?a〜lILJI͖#Mn,0t-_OL۫>֠,jv |&ρ{@@X~R\ qi\&vsM[Uś:."({cDtJ"6`i|$na|V TB&s ;eC;#縪(3eP3:EW!iu]b6`יג׎&s1F.:g\ZyTq' 5piR ;i`YJU5e9y;˔O0fKFwœz!.-xm(Mu9{,Y OfeEj@pݯFm4r nXhi% úZ[;qC}sH/mmzqMu9Rrcxi`IhqNվ6.vy[Faa5(U9i̷Y.#!|:rR܁Ma=OD^89x ?a_eޛn| =0Jxp+:txLb6( 00]A-w":ֵ5X~n5&ZꮃlJMc #*gѢE"R94'jJV%e$qkF뱴iy;¼s93#aPuAy~`yk!Њ dd^嶚.aS[U(2y*!3ndQ5dm_?(Αc5(#+Ƅ1,:߇5ÙɷޏRƈp'5E[FɪjG""4 䀬 /zNi63ՠe,2ڭ {6 ]{1ӫV8ITq~L lߤF뻨kvrxů1-jSXұR:dV4P)[ `;Gpѻ=4ۢ?ZN9 7ڱV:gUi0l?| ug|V07kO%)j Dy#T4.IqG1 6(2{?d[Lwk|gJIC+jXC=Uh6CRɄ 1pn˥7r1>_"4EYOEXso6S"_z4 [Cbuh^mw ]K8ٯ\r! XI "B `*mzeUY:֋*Ċ/Fz` ~8h)oђBz(BUBbԡ,ktzYLHMė4)?]Җmuиۓ4}>#gGX DVuIN{[q2$$}h> ]_8su:PX)uFDO"R](9)-e B2gǕOn8/%[ugN~41Ya,vGf(pg_SGAW^?TYN<0'Nm aٓF: Ϧ薆sdƠ} VSa*%^ 7,V0<0Y jfγ&@4p0 TF-a;gv 4CQndm1S`KBB٥9<̩Q'(i/Ryc}#^@d.6Q`g1:U6z-:KT\ N^QJr/t" ?2$!YvհRlCwN%"rKP{N췟)"cyYPU?g>.϶%銀KW g[=)ię@bvr> g"2d$Di( uG["iSbŔ' W)@Ӂ7HL{ x;)L4ewww >O!v'pd>ae# 7΋}PP%q\NMXۧ ] _m;gDܸX%aq~*"WM?-Lb", ⵘV58fڦ,OX|-_$ =$W fA } 6ӊ$՜(Ţw&m;EBIOӹA{Tf+ ɳl~M:(8!!~LI=!.hGȊM1=ScJb*cmGX۝sH29)IH]ϲqZĴ:*@KC MaLv{J(A?𴍰'%pP gb< ;#+ΡM凵3جk]{噛*ВD/s-r^8 baaWTJq%ܗ~0zZY5Nq|)U8vj}y,! SfvH;7@IEcb@ Hv 9V^Ѿ=HSUcϱn$)aTFto!/E%8kc'<Ӄ5P JJ_e j;$L&r'y^bAx11f$߆^vx_Sydjfxa&_ ."=O0`yfڴI8HnO&ꜰK2xn d^O]l(X"G{"\E +zVgYG팠i _qW[W!QÏ Zǿ!hNӁNsS_qJ|f)PELfA9,ND7BK\gHKב]ZNclSs|$u 4b(A2}BQqd]E`nQ#`4 y To曂FtDŞ2Pl=`mMnXcțb6"M#T1=O}_F)D)qdzLD t7Xs0'Uh~dv&7頋˞\GX^McԻ9c@'˯YL[6؈/[+P=ݣzE7bL&pеy_?繧?੡iJMSNGCbyKY$ivW )z5pFFECZ}eX9GL`?Tk|jX]P2Ц(T)!O1wTeiiO"t ZX~,l:X0:rxlm3V&ϹwrX}/r#W =>M0~A:[cز19|5Z _m&N܀#d0JQ JLv\bk|wWW|uU&_;>޿2/3Ɯɢ}kziv#5GG)ح.]),lS75u}O`C`NQ ĵ% Jފ.iy*OJ_S^]XE1 Ko5{Z`=r^Z Yp?^ /AtaPsLm{E,2([EsԀ9.Lij󴡷v6fd>PQBa#Ögaq. cI jE('@撺iqV%;i2΄љ<~@S`#3 8e)|(Zh =H~^uq[T$4^ z+D=Vq\O.dATsAqP^;*u2X l:'}C~\I$9@G5PB~PޞXkYtI6჊[5btl{p93ECcd.(m" T<+4 Zn.Лi[3'/ c<]pu '?pp+L6u_XF6R+t̂ez0dpae(֌[}T)FC{h/I5#O&M MX)3B_7,!aD#F58c_ǒxOȨ|3h{cyhz%nLoQV lԡ`L tQh8 Ӽ\UbjN$'$Zt7CjޜF 'zBdXW៽Қ%Wv\>!4KGaIXV#..bc0|.d%8lB }c\w}gZFx$zIq`k9b0y-n+x3X@`^y 5|:lEx l6o*yQo!qM'h n ʟ{9z(X¹Aq` Z-MZGQ0ν.f_<߾>GYJ^bnAJv(`˲kӻĶ/ 40׷`1~s} 'cq+y85(8F'%kp5=8?T^mɮ"%1Қ@GY; $Me$u4d3Zae 2oS=̙׽j{F:kC)+Lk =@@}p_F)|kTհcpw˚ϩA49SfOً|a9֣/SQД/@ W<+F'a}1*iılu!wgSXQ#.x{ϝ9a`pkvHx(M8obH`w_Eͦh+22RXSv׉s V)gvRÛr!D@P~ oʣГ0N*H"l-;GE+2ɗd.zP=j4fW G\=|00BAUݴ%TjsgԊHpڱTzхr%S(iG(6 Uс ;2??{#,^c^3PMro1AX9U75"*kb?m8WXcνÀQۢ%-%9UogT iALx-.UM9ES|AՕ cITKҒP*<؄~Pck46?km ބTǧb}W_~~v{:I Q8j˼0y|pԎM9wПxN OՊo%n8]w f`gQX<\\ڶ'-16"NMSPk@cEǛMId< iN/"M=݅b,݇!I:8~+<`ޢ ݤ1/WWч=U6(Y%"1x;ij h}{nuI*z}z@3?3UVI>B Xr(/]֫lO;6 ]}8c0[۩;F2)l]{Ԝ AJ'jCtnb yj*./fwB ^&sPV{nPJ833cPod)Mbat. =  P*me5|gw#IeIF7jY U%.n>T[\+—.'b9[Xs-d_<(5ך^܍D*V\L.Y#TY+VIq׉} nfԩ? ڙ-$.4N]kԔ63v9~l8@7||ͨa| NHǣky맄\Ihk #&.ӻ[eG0~ HWb ␆1!Y`w,X^ƣ8BeV 2֧[hSF$ahTZ<$zCN(M{jvªrJ#]l~oeݨ;3t*6D'+ꇜ[*=;rI^ BwHOcikJH#@dItkPG xХDmLE԰\uae*al*3 }1|TB˜Jk);U #TnN^w%.mA Y'o0crJӿE$Ht& snJ~ANҁkLzs`v5%0FՁTjn_chR<\땣NB & ͭ (7olψlx@w+ A~5?~q lp$jO{~5&庉d /(^}3Jz=N˿e@`^0Ƞ(nl1cylJ /)eh" *>j\;jaacQAIډs.˔G0$'ٰ2u<H3cVQvkSSXi4\ ml[˨gGAQMЦ7,0 xqUmO!qk: 'Ew{sҖ=k(;@\-#%@bLkFN0^8>w[ھ⟤\JpAɰ!{j^Nc޷7eN7ܻ.>gkide3t4:q1)CW\$cKm <Vty k }0l.Q0:rT Ocd+*aak"6 2K֤2Py9`6E8=[;3L@pE?ĩT@MTJݹb+ 2 ˧UG&,M'#) Lux{0Bb:P<LlJ2Xo<+lD ) –\Kh{Q'\a| ظi\>؇w- o&-Kwd"ʢ+W.1o}ϛfe72ÝpEWWf?ëWKJCM.ᏍHPa 4Q-fUddY*0]uf+>sn|rQdXc2FScAL't_(KU rمB4IwO!'I]Ju1 P\3;a]]zYtX,?spBP c VEh Aݺ!J9֋OV s1Zkcb&V$aqTJ Ƙ>\+ؠ4`||V+D+uGڎ`,stJ`=.ެV]4|| Hו!H7:ӿRP)֖=(t4kox1+%G?CL6חBp-otXϤA[\i3MgBq7֣)#B '6 jD8-5룙\JWR@Ap@Γ;WD,{3n/q2Dr.-S~y!-]]'PT4%}Õ]Mfd8:kpgi,h{gEy6CIm"fb_1CzoNXpbxn\?<2vٷo%Wݴ2u/W.xM"@ÐEu}`}uY7Tɒnj}iICHfiWj][OE{eFjeDI?(twq_.d?Lr8f%Inf۵fܫ++Su=3ir |N<E%9-XUz v)N&IwVs6<~lJu QMtSlGKm w2?m{PuX (he8VXg#IJY&{4Q<^jlX)vݜ鍳vѱ -DZ͆tS{EPv)`lū摀hd4{(/Y[.ITs؆c !~|ڪS9܊+x]b?=uӧ|)rSl s8% e~6k ,.M|!,vEn]/WؘN׫7gynb+zkF>NT(^Xm5ب 93 pa/y*@uB3BC: p3yޓ2LfoKڙKHx,AIDC_L}:zS.]mwn>`0LeXy1%~æ (TLoԠ4T90bqf'D)&}A_jfbPkz_k0LMDX-̌QQ*q 7jøtj*Y'/1`JܢZE\brV"2`xSrVJhST4&w䝾MTkEޤgnIeA13K}Qj&E@l">0{x] @NO#W*+5hOۡy ⋒UTLBM3/f>mkP_pg׊7FIw{4X*@'Iowߺ)ˆȶ0ÚC|pt!ûԬn51!h13Q_&p .`bvu32[`̅v{uᤧqx?t^i~pp^3:Uh[&goשN){0</C0^́F7闐l 7ju7U|cj+7by"ʈ+(ќxqgL9- k;c4~Z{]0-N4X ؏<Шi.%JCHrɏuMɰf7h!lINO°,lzd<9՜9qHf{1w&8Ia@ .T㼉B٠7Dt|A1kIP)d k7ȵ)A\k[Xq25 b\@,.7򉨍1~_ Jb<7VF/tL7Y|ʵ.e(fFX6}7'ܓ#ca1FW&`~WWMp,}`Ix$nu!tH{lOݤlERg]9"䬫BCj )#QæN1ͧrNܒ(*TkQmBq`aOYS)ڒ7K]c落dUigj#@+e#Q؄ӃS1''"y4<||N~'Zwt7} 7j"Pp6"[RFQ=AQ2̺D!,(Jae'jOmh8c ByXJl w[T;}C^i,L(25`)-;T4o~WZ3eyD"Cr;?lD.wQaƸAA 6-0kπ@=AA[j!@sA;<>TX?dt>=۪c|:镃IsR)r@C2 .*Nrrt s0i,/RUݛ cI vCj=cЉAM-X^ھv/qH-%}\[!QZK"- 7C,[cܑ{pXB\іNf#pD7Jvp/ˣ)Ş kMa2ʟPoH62h@Ün*% ۵#Aؐu\z7.&nD 8\ԶQl#~k6Xwؔ@$KBغ@ Xbf-?܌eu.@VzzmwH_v EJ%ET?17t,}(3$LD0PR8L1=0+nX|xgj]7mbǾ Axf_۶z#*Gky> *Q+F.JɆ Jk<'o"WB|"uF yuݦg:cd7I,lDL' ;k7ưem`NevkU|`;w)ykN8 A>Pr"23F&D1t#J \,Kꅙ ""j~b]4'&SSx8@99יԸdj&Tr=> JVd Bp_Ǧ(˸6PxIo_Ma\Du׀TTlz]:`CjeqgL1Z>,KE3g,/^"6rG 9CP+wקI b uP (vOXP4Ɉ|k+[`DV|9J/ZHQ30)8#N}arĨ:,a8/kl#@Z9{|뽢U}= aҼOvQY^X 6Ϧ2SS|\JM,W!6P}~рc8 -$i֐0n&C{{i#w^$XQoZ[ֆ :IC?I;tqcVyWVk!4Y+R`ly,BOk1Ma'EGJp|ɍPb'8qTA&M|u}7eW94|xMmE]zE+nx)1ӽ 81aMA98b%+~((S?N==njɁĤ=Rvi!h7 2a ;~r~25?hJܘEӌoe h:_:BXK]V!8Nѫ;Ew@bPoʹ=]˙{=GUM!1IcTow7}?N R:A)jV8;wUe[g2}nhȟLAo!}cי( l{+`R%K\6Si:o%i@m`&fפ?+pd-A9<[:k.Ӿ k5ͽX\O ^}/3fjzvи$$po{ iŧ`?a }ҳ+jb~E@y>sSG@^ *2l#ψEPdYHMM"%v\v &1 RڼҮrQbԮ2Zu֕ ²^XQ0xZSRmౢY(Au9xʷ!Q)}&W'R+v @0U9ݶM~LAzSG2|(ɒ| 0NхdRzIIA7}]ސH89O-gu`т Ǭx?FS7\5{ fhiU<7rn|(ͧ| ~SbaNLg 1 |!pqt {0*uSWE0 =R+/_ +DACqN06{Ԁ,?΍x$%ܛ`1%+!T%WZ(5 m^] VAq-+nX_ G=;mXu YbNbU FӍUg2y:b*=m%[N׋ jk__!,Kd逩]4| \Dޛ'|2b!=+ "upwSN$GayЊF%S' 1p͙OG*Sb^\e"21X&΋ZZ "631g 1Hfs7Doa^#M WΚ#zk^ '*+KlVIr޿\Ae2n(fuFt7K@^ژvΥ.tBP̳87͈ͤlfz(1!r,u K[T@f6G̈K;lH0d@{jQLt>eyGBxNy~hZʫ"7V\wmuO/-4}0}F.dFֆ!|{M a㓠'-!<{.PsvW?Yv%V(Wڏ`{5EyWYr u,oC+hkh8Ȩ-*iC捻!³]4iNCd4}|qWM6WrC]>r\~>玘O4faoOJfĎap9 !SxpWp16Xu-Pa;~N^)8YKU$}Z)4wj I|XeLIV̐ YbCʒ 4"QZcoяJ((m  jÑ_9W9"Y$%?u ^:;!Zf ѰBt6ۑlFs܌NAА ƞ]')`eMj!nw a͡@xU"ԫh7 ,Cs8D #% [ _0i)O5h8/F, yYp Y@ Fw(g(Ϳ~kE  PUgCjW.:l">^ꁐ=DBn9-]8\l<bf/lepO Ȕܘ"XսsE&D-J+KZMU77gC}݃\{=̚UL{פk=r3Np}=(C$e3qqIrP5ɩX#Zר0βjӷ,59¸r ̓ W.8 zwHa߲I,y*Vޓ| |e҅LRAT]7o P'#4}W;_ WJcn(h}SEv^F-]IY*$~`d; BD"yو&YV̽ u?:6?*Er}9D=uexܖjfD^g_qѰX-XV դNݟ)%ÕMyg}Hզ1PFBvΦ6B=;K !#:sK=*G-`>9gk,;$l;xe@X%a^PImG>J=w45E+D0*< aתO֊x?%M,VG^qQ@5w:0SMlh%V:KݘFC.ӻGVh,% 6"l.~@q75WI B}P4BSNSl0" x<+0/K!JBd"upw#7TV#ٺ0a;w,NE@xK_LOUo<&3Է!r)q?V^l # +h^5u$ yx{6xtoc&wkܑa{\.uQJޟWǁfˆC9gZʶGY2_%t9ihd+lk)'֓dM ?hG,ѱ=m6:Y\91`5g jKkdShYHw~.`焼ckunYB[@#I"h"~i!bzra0 w࿢wV<TXw+޷R˿7?z0z+dEJOGFgӲ5  !!d'E3/V=}7fIC؈o/7|5=W ;%Tn=&sJq`A~vmW#ŕOk ~o)^>`}=g\М -zC2D@ X͜HWLYE-bAFy)xBQP+YRO(l@5%{"(;ܟHtc<3 A'ۦOmԻWLo"w@8ň˟*ݘAX'r}SيQ^s0i1(+pfAX&/)Eʜt20qݷL2u.>Puʩ?c_ = %Qӗp*<8 9W>qJ%qǦ WaES F0%sUKڽ!&MnmvutߌCAuYwK嚥d2KCN_o|\{HP&^]cH :EAvUwqw<,kM.aۏ@vrZV4|fq hUb^9[RLRSٔ;e0D9b6CX\ ~"(j@*dKY7&9moc&,WdfOϡPyLW`qQ̾r*&q:CF:e-hh86yj4kCNHK9_vт⥯9yn.ٓarѥj™-T):aK>a5ƀGޖ1oc. ">x(2Gr }2+^> 1@ q![9:{-7dŗev" aҋBb~mT&8v/A0BFQ4Y&9<hi=u%t$T bQZ e6n_~կp[nEҤ"D⎧byRF8hZ~EkUWv{ I$`ln{FX HƁ~OFO827]Y'+';aa#QhHGA cڬ@OVQc2MupfjRQNPqϼa7Hf'C'auC,<<.k0* -ݤgԑ nhUnkvTW@G mah\EH3:|!܋xn38& 2Zze]>!PuR B`Xe=po?&YE1<U:>"[9]fL2@ B@X|̀a [h Q8Rs6F39+Jd+ }dn^,F K n*+f+$"!T>unB`8(E5r@2sQ+eNEoZ$2Yƨ\S:hT'F=%Ls)m2@I/Rc-P.q#&+tt>-!w:kĠ}D$z2k׬0ʽ;^۩ M4D4>4Rdv C%&*0\lK[b]RQ9?L{m|?{15ł^^U |L1(:)o~'0fq5 H`i,gle2G`7~B10UӎSW(IqNZF_?}蘐zvro#DCTP@,6t.e U_|v \6q>o`F1~L()zs#=|xkܓ0^˽4A CVs%` i)t1lB3fl&1KAYZ1RDdZ,K)h/xamC/>!0RJD DR]BlB?*7 M+:߃kN«k%d`M 7 ddcm%-hD0Ay.\PfҘg=:8tMG4Z7vd 6;ch8e ! P(6 (۬وۮkJJ 2+8\1̭WrR̖}jzR"~!e![SȽoV4xyϽ~ .ORG}Y@)AWo]IAjQCCTj/,eΡXJכU$6Ξo*Lh}OnWK E&.`لèBu?RAio@a>ˎ\-]z>K*~O /" Sxx'\Pc0"7("Lư{AtD$X@ dىx! mY#dTGQ?mvHfh@~S#ժW7%VHzc=_dm\͎wm s m +SWG׼wWnu.Ʌ?]c=@{Xflqf)b`ڏ5݃3Tqmӿ Z׵nV65޲. -}xC+k[r/ԀCi{l$M׎М3F;$i`ۮ *xqLómdf J]z)=ֆOֆa_tpa<:r۵(M hahƗ^Q;E+53mTXLOPU$-;ߔ5괋m+:&CHɣ>X[|cA\3^*<iI /+M@(f{]h8.HX&pup dgB%I50:vCxHB󏧽$Coma6|"nuHx`Sۋin xZbZ}a^kxn kKeSk-у؀#akL sI\_əY.C[%/?@ &[<3#AbmXu"it^|lɧ*&=oa~||ɥ8'T8NKKb~J~zI9:* ?WL0|%m2E^4}6E_Z:͹9VTz}+uD1Þ>P.NGރVSe4E4`G7X^q #U[4B4d ^"Ռ pRN:jf"Q+e~|>ڳ}4fIWe_s<,2 q#d"t':bAo{ hm4r_G]5W)y \L- 7_ƾ?YW0̰^QF^[a3 ͠)"sTs5\ hfIUITʘKt3*︨VJg0%T_4R_x撷\E(Zɤ7ۗ} r O:&_P]L.vʹbLN^l3BM)cV#r󕒿_'Ttuk?ԗ`cRw8n7PC&]_G%xgxJ^'fN%dS,  n1n#a7Ѫu!Hyh95ho\ $ 4x;Ѻ[OE$[vlrt#j 'AlQE5YEW)8&\baO >۩G'QJPG3_y>G4#o^Aߠ!zdvqMN`.ܪ>TR؀c,polzI?t ?yS#IcJ%C XD a2$:>WZ. f9 <%{VˁÇ=P@Dq=aƅ{9zÑ]OS{}! bPt&$|Nto^Bk*053 z.oLn~\uVL<~ .'Π6YZ|oطOPbJ9NGNY*(v]WW*OO1"nqN5P _Wrcfmx'u:4Bl띈(F4%#rR8$\d;6Hށ,NfOy?!9*>[ʷjd$|.u%m~~R3\ 'U&QJ&kKdՐ 5)+IƓJkf*C" cxjP+; ;A|[F(oiqgd9 .Th8&D:DZh9.{Kvd<ؑ5h: t5X">+=#/$6ѧT;:^j%%ř)T@U2zl0O9 O]υFe ;ԇzI7ӑ r_SŜDޢ!Zh|Zs I؋{x6b$6z5 weUxG/Ӌg@p 9MJS0;`؞Y5$wi뺞j6>#x.8/fCBQllL@iB#v8qT5>02ji9w׷ksUNIKHnS~~9#w $a" w[Frq{8'"pi.5FuT8Ħd!A ,w%>Q #i>ߩ3x6VV>:*Z,{,9K5P[t07Y]z7uyP)iYw 1Tj@:HČIC/H `Q n,JYUh<d"Ttv_mFq3{JLeeŦFi ƶA0ƿ˝a]L=?b͗s3*$1mnC`ӞQ @Q"p5MyicfXk]?t' "6Ԙi&ѫڿB~W]uݘt }<0#nBDc2%uX&N=TJJix5˶-$|vUv?߸^aDzʣD=ʏ~CLZ3W` 踲[g| T+C>I~L:aFG|VP[iJ)9|_YΏ)((lh`[mHEǙ}AbTYdK5ʑ^/Mv%M}1w'jx++^:7 驹 fD @2 (K2`Yv0;#,εEtkk{if&M]|Yw{%u5DZ48/wphⓚb+_ޟ]}+?*"7[-.~  Ob"5.,QS_*1悂: ?-y Z;JkDz7׾,gpJ!!aoEB!mha@a 5qZX,N(1k_ax,+|L|Z!u33UǤI锩%"f_UcB-S ɢsMmK|JsoqFvߧiF`–O\iEpsEҹYU_6.',=P8G%v΀h V>bgK_HJA>T8ٛFL?sp^۵;MHfG&QpM] @Ũ|Jo8uZ[@3$8 *->*ޮ!1ӋOUtu!4pI&tA4> ^n(0>39 qINِEJtTaoIxaZۙPU.1 `zŷ܏t"AqcBq1t`U)7P)L?9\= c Qtr-]x?xs{2fpMLq7)(V ?i -Yq su3/3Vnʾfv-7TXX 1SIlѶvD"(2)Mj c+B͙}(عh|c8IJXkd_sr'CڗV\p/M=`C9}Ե=+|:޵ W]`mV/:y ܉X[Wa*N"&+˾w#Ж(BP;Ax]jXɅ#`Guv{3>xo@_X@+ЩB0E@r󁐉y2bhT6O@ȁjlCIhT{ީUTZJ~(Ý3Q3uj1sg}07a_mQ6ߘLoIRLb'ZNN1̦#N8rf|dɝO#J;! B>kq9Զw!UCD0XRDZ WO'o*վ4.6vᕉ2YI˧DXlU*5&>8fMH, ?d:O3</&c2l rCiJ WÞ`uuQd;c:!kw-M&<2sܵz+ɴ71 {= eu#'{-Ř)4vESI}Mla(U*\+< Q Z;U~ Ɠcu8-ҍs.X:܊`d›ڇ|[#('e/,ӕ rrs¸a{pRlnd M48t:;pQ /\:wi)lbے#PFrZDFB%k4,rtv5υňCCKvH.4 vg#%4L>%E[g%Zkב؇ 9p1HCZMɖsݦl%¡?i3$Ѕ:(1}ݜ=xT|6: D]9OtqOߦ J^}ȗɨG2%yu93a~ˮ;'Nf%p@GY-|$a?]9 ݖL+xu\CG/ 5l-{f*Ismr|weO:۞DR AӁ!u# "*ix!_ 0kTƾR!sUqӠso;wcGHMBbfLv5).ϊgTp5T*H,E?4Ǐl nET(]/q7贙L[%CWVY"{?YU'NDJocm  O-x#"99~aEDE]8,}Ő) &ąU/L@um`87)nnPdrNWZdt465URgg?n`vw2dSSUQ54ɯt*Iwob_:&ppA_gSr=:ZXdyJ\=-[~)(C2`G6Y5dv%#@RPE g(roiCDT5Z{[#?Z*ifJI8ik:zo%O#a0 ?KȲO\Yy1^F,9@]'&?=;>v9Lo3AHAm@/ͨ? AVEfGag2}AF?h -KfKIf)x\h-t|݂R 3%%Q/xgpE.Țo:~%|(y{0N{d^ϫ5豈x+a2goznF'U eƃқ"D&Ϛ)ى.Mt @67%~N8ayHW sxhX~1O%0Z@ buW@5fAIҭՒ (e?4eBŴ 5X^#QMȂſ{rƵnz$V]Ag_O E(C \X|<\19IQ ? %Rޞ+."f@Z0"EXWu5#VU(cQ ֛BCV; ;k{xkEZmN:pKJ ".M%cKNmɐ,ҽogȜa"{, aLz)2t ]֖lcٴ_WF6?|o'*~yN=YBoLNgBHj٭`zd>7^\u .raa5X5R5vvaC($KXCHFY9acIӪ,eMxm L#8=%nvGW*CoIHi!U3`3p'R#e7U, ǿpu$"m>5@ Rtttqo6v@q_5&<%a͘hi +u{zN\3K#\QZrSYzu Ev8n{X_\7:gIRsΉQ"AioO陙QG΁I*[9IWZ3I') \j,od.!cPgfnEs*8_dXoP|ͧ:˓g.g) D$şTU@b8B3puKCMѲ6O+H1 lOA=wO$>5ڜ>ҟ^o7uq!Yʀ |=9W>vy ջ6٠єOQ*a;Gh߆Dn Rh|4a'6PFyY8mUN6pϩ1w{I_̿,ӍD"B+ƅGl2)ۗOc:ۍ*+?",o$4TݢTD͈1Br37#x !_FVcusY2#|­ؠGl,LVۢtuVI1;Ȧ&>u^{7:QRzɰݺf&1C[eobPj%X?sU胘C/FVg?! W'XS*Y::0N;yEEuV'k;*tq ?% *,H߁Hgc!zoMW@o*iQԹj˄+;`q&s--p7ʱK@Ce߶&  Lup_#g+( L˞2t6`rQ80 WXO~> `>(kmۣܬ>Xs:L9kZFUEu&3~&]i)zHIeؽBM| taρ=}A6ƫb⻇}a N(M0$'k\ŏ\?L6p̜늯˰dLJląaGmK:+&m"q ۰+Bs-n_I0|^̰f8<`̂q?&j' "O 9f(sV@-"c: GCŸz麵k#N^CU\\_z|.^okpÓ˘jKMsqvb_m#ԭ<[5n4Q;?36Ez$Awht(6 6Pd:Z[(2離)U´RpFUx,էClF;h"Oq$l ,U<;P=Ŝb<™5;p=f/wSYkU%,ʚ1XTI/K (bYE]Jc!8ICZoaJ3L@"}3܉@mUgDb >y؝ho,,( 8$H~h+"n[PD'${u4I2vVKg$d%O(cT=yަjck}: ^"a;B骆. 4~?H8#ݚslװlEϣ|g}6 }Z?s_Ցv$9~q9;%=Mo':H}TJ3^ST@5w \ӋjjJM,4=9L_S8ZArp|VI};'7NJnYU~MۿPOC)2THQn.}VЌ .x*UAìȦd_/j^=Ф0A'&T0-9̐t%r+=< X+}'/J2*ߟYʙQ [Y"9-݂QK,2>~g}V1FV`lV (hEļƬچQu#Dia`g_Pd[16+C3߫ 8ׄd8~쾫JJ_ք!G8.(ǝ>4ϏJH;cjr jb·͍ANmP L.xߚ= gψa CJn6TF3J ToU-&$͒ "<=8|̫JtW0kFa([W)).8fjBJ# OGTxqi9ICɼ%evJe2=H4IHϬ=QwlP͂4L#q pTo, kaD]nVVi+q BCg$CM.V{c>92HWT@*:zRu[H[J.p_L)!#Ϣ"؄ '9;ǡ(<0ͷsIFU#A d}SEةnT1:_UG%I𶅠*CͽJۍiS=n}bzw`NanÉi}hᢅ279 hW vO9~*+ĕc" eА \;hC4B[0ZCȃ{Y)P5E!V[ge Wl ӄb~wh(dd:$H_4EBb.Pׅ&"9a@e/ t6аЦ6$fi#+6jV91ɴ#GE$;ā:6št@v:32NB r}~Ip6Aa| dw1b!\^ĚÆ8<;,%!-BeY_hgZ2dDRo 90̞u?W *#+n%;H?@ÇoTs,TmbڲFGA6֘,WbmU2lp 8vգY!KW"9790OSxڔע)Ң:@27z@?Mp4 X?Qz]cr5 %`D333KG8/ꉉxM༌0|d6Pŵ(}!%Z0qK X!jmJM#2kr3Ő ߹^zu \eBhnܲiM[Η @DPs%ЕI: UMcS66BiH9dl:ԘSf蔁Plyԓ̟yL+d"az6t I#8F(R=l _+*(Ir' ͏BQA' ?J zr;cWVp݅ .yڭOc3qP'`#:6lҍPJo ބa"|Tέ,DKao=}08HrYjiajpt vkZ,Kn7,;N>GC΋%]_ ޒ,6P(|ˇoP0\ۑxvUt!bBz=䖸Z XKA8& At4ΑpsrIsCM[[/e5 '>b^ /jZ?.|!֒=Tbh/z3H tQ.Rx` .,u4OwKtY Bҽg>{̯ )[9ri?B>I VldٟT*}h/Bbp-.7$XG{ڀ839ܝ0gRfDzHӛ0]}!ͥ{ܻR\,Zc~R#VzZӚ\љV fPk|n[% _3U=/i\VJac݂ WU|ʞ=V;c'=:HMzt#SI)K?ߠƇF%Պ2~SϠÆre9 hMM~-:XH92 *_6մz5l?;p&D#O镱X4QBP- XQy'{rZ\ 뤤ُjk^vaP+Azf8+[eӺJ5L-U^i$setCw7!"/^]OfY"SYLp.VmyT[J?EZtM|F) bPq[O~ʹJ$1vpW`Ci_bMI&Qɕ{5`Btwū )Z[/{8/ZHnv|%vv!kaSkTSflÏ<mBk-pD3~Gb&N8n*23jAAޟolLTx<?2u 9qdty"RԇGidex~5oA(O`Å]$<>^G:Ws oXOJ\k |Jc0Y7AMG.;WBls;p@qwC2lʛS9`G;|EbW`3ZE%VwA>BIC {a9DrsKA )g:p602Eas '5p+_e-UĭK܀i=!8/Y~wbWyV`JmkB29଻Hcv\.>}ID FҮ {T52Mf)dU{- uVU^^; [~ݙZV1v1]O:Jတ}s)f<4D@XB>}8~A`hxu,+h\DzF=Z_?|E3c2h-@fhv=$ AiK|`>A* E%3k,=!SCѝNjcB&xչUɝK<ȍ]gӃ7{\Bz"=h'_- ۨ4lbU#; ~:~K^:aW:\ WE!s0g$zŪZ\eFY.̝m@.hy6. [?=1 'ӹ@JxELQTN ~}U3Pu-Q_h 9}P#]h')ICH MgIzOә0җI5C"j!=0;HgT ]Wd[rwd4w+%]pnNn;;Voӡ;K*dU^oxnbW@yq}0Cd!'Q׽-ټ: f/j%*4[7e3>=0S{'\z7ăȏޥ;A̽ ժ͔*i #=+C%&o!qcx_ePrDRJs^!/})8ǻeUCkE)-@>A5F"vRAtOq\ۂd*Ӣ Xzbo6Jx'{;.^ܚv4~xWf'ۜiNf$"_>]\ΏBUA^g~%rsR;p"a<eѡ~\SRh HqEC>0sLAON\Q i@]lDAf^ByƯ\G {&_i5#~6<1".xA=l\~kwP0PeFԨeV ll<a*x=8!vCEl*M+ݚ)Hׄ*ue1C/<3NtitYREX:pjE6diCVExsKlj)1vӻm˼9٦YI<D3{'$p!%q="esuf~.E+7 גMsݭĕ?FBbr#x0mdP !ՠkA:V⃃;d3޾.c1+{3O23A&\ 1sZy -Mlª?كQIq©5RD[})`Q4.'4gxI`e;y_MɸSgϬd{֘/IVW8=yTOKWRO/i& ހ8¬W˟WPc ʦ/+{@^Ց';T,J覽PߚmVI؜vywvy?s5AS} .[Vp BDnׁJdv=ϲP+MCRqIP!(!Qk4xQ%1 |4IMbۓFKGMʜ7tLL Aڡc%cjg % 5[I");&iE6Ys,)VVTaznm؇(#UJ 2>~cCD`/=&2JRՒ̀|ߠ,ؐ)|="h3n#z?@G= Murײ T(o Y{}y/bleV11 #,ncs:l9iFu5Fbx:cO 5_ÃvwYʧ`F 9)g7ըB'07C/NƖ8I濛WZauD!SMCd2F< P5EG2L ;4Xkᓰ #>d(_W_^Pnק R`w6{!Yg~wkݎN*6z97WDp0 #ԯ"Atr(,`Mk"8}BݛPsv4B.}X] *«j+>VD(,(݌vsQQȿW|`y* o'a9:W.E#?|lqϦM`&V XOSZzeB'%рڃV+P63)Oqo tpfVVp3p ˯dmU]wPKF$q*aE*j<ͼJF#)$(5Pr9@v('!cа 1Cpn[Wt׍9kSCNYnf'M?Sb`Y?OG-+|2٧8u)ZѽOؠդB6#/BVH#(YfY+wU콮Z^5i_R„f4{AF7Tz VmУL(/{aCƳ*;|-i{NZ|C^x1*خMАtuJzaRKbmqĤu|R&/~87|PQʹ>oѤg0J Hf,Ε1E^ Q!rϢbF#3-fTAzEaNܽg-,1@;,&L:/SmhdYe01Ww2d1ފ_k< {KPƋ t2ԤɋChj N"- µ"0|\AH ]|$yBe wp4ENW0%bnK0S{cGO 6)gXP=$\; ѷ7/#3\i6`qY/(H nw`6k*a,҈sIU4+3g>Ս LX~v=Q-J߽\1&id LjBʛJ|>4*sGsݳ^_=hO"ӭd]cz귚QמˀvV1PW+g2 *: @u>j(RnI+}b*ywh٣V->%eڤ} wl&J4?~jZt ] !'otӗB VkЁQ{v(S \ч*OߜxkPXC} WГl?hO>NmU;_Kc-4rƛ[u%}[9^ưL9ŤY>[WE#mbgttAuf6Ð-I'F'0w|kTMzņbGV [B)Z#\ "iRt7~YJ`6Lo ؙbrM*eVbTw4?VX)sUJX|u ,Þ1A^սK?'ڀ2ϒ𽯰ʕyioj^4" 6;=iERD"l?*;ԫ?]D:|0fjko@4 zmM \vCM Ud-V~AP#b6G.$5y\*#~1xq4&zh)n[ Lֵ+? O (\SɮK] :HT0L(_Ss4-:, qc> N+O ]KY|Qy`>9Z>)Զ]{w*QYԉV硵8hdž$2I}H$Z 5T&z?Mac,T)Ü1563ytrbJ;"fDpz)%rWH@wb0cȏ>+y{t{! $bo=NXxIO<6Y3>ђuA*%c7/@8zv'}XTqFNMY˞dJʽox˭(GMp{[D7sdU C,4FXݽBG lNrIuN `5N=X XH I#vZ5 yV:C]N!~ Ttz"ű,e/.sVz`LX=̛qLd ި]ЛP7-mLk: !`{ƉW˄5$_h SX{46ޖJj,PT,O!"&a%'SSTt#I*qxۮMs,?3Ƭ3])[1ץhۡƎ[ZYsGLTv"ӣmt{ m%LN55c#B#C 6}"`MU_\{]]NƦ^ T(͔JDr9(,doGy h{ëJ(-(Bp84y{{O};gΟřm..8CBc|qIiZAw8&2?ϕx^\&M]$-Ju)a_Ai} |Qn!6~:o RxYV_W~.uE Heo 384HH R1}?^̑ >Gb,Ԥh0o^g뙈"O6$-!p\waeO96?yre[|lM]L/ $H m92Z*_ G" I8w DƼ=G;i;8 ͇.q wD#Y[)n~ȭjNHy'# ;*O$uMz }{qt<{ fiQ\~5|hFw} 嶝_;ÌO+6f-!-Kc9íW De @CW H`mAPB 1!"}1H~Ӭ`C(;ݾb hؿzVQE2rv`ZHtEp8`Qi054,VȽ? WG@[]-BPC4BpZF};(^uAht;(%gUjw+˒62 Hgl?kaǎ(#@$<_i ^(v;=Y 4փ nZFi}m lC҃K3ힿs47WYy¬Yލ]߷[ >.[Y{Yh$ɨlޯx\w@7zHG(~7DcÈDp Tt$eT6Kd;8Z9P8C`q.HG6"f89{@3 #)^u8s*ߤF?v>gA,hej7m\ ?>fB}[h' 쬰%=D%(Ň#7!ǰF>^:1Ynj G-l}R =9PB9z*lRa&hf% Ay)sH9LXcg%dqDq).* g=N6ҕ@9%lophy'.Cq]LQ{|6[eƆ>rZ#f>L 6~MJw!nG D[N+MFugX[\?Y3oٵQ) [pfX)rȕQy9G g[rYpbb:vilFI⍺>r6WBdSDhל@z2|\PPUpA [ޘ򍷓8K/e:\-Z1֣[yl^(azϤҹ+|(楍Lɘru&mmwmRNM]2;VvCIH> s?5*^ z})< RoUpֆ>e$;3vEҶ38_ep*b WJ6`o/NI$t)_LB 8񠩱t'g'*Y;xu4ӚOX\>n6hB^zzqBU- 1a+) &es*9f0B$q聓Ivg2~@'b@`C%8Hг(Ƙh=,\Ps9(wx}?fE'?f"#"x J{{[rl']&0Fo ү"T9P}rˠMb9J=)2H =Gt9X4¦ДQ )Mm+ # .Fs^}G$/VWmDPMo{݂<+xr=zrP?{FJ*ꏔC{Zh㤂AIMF\0K5e "i e,'B/.軕RT4 <OEl<X5%&MMnK Fe[罦;S)vJ>,*R˘݁9 Zu֞ 3Y5;vͬ-'@wo:B 4aY }p[R~6dZTU=ek*tXIe} 9q_@pCx#y&\pcrʼnUF#BGK#)*7 txǹ-$Eo>Xœ>sAS w=NZQQAܣ4g~<8E>kz?=&{ jOt1"WhE>_=ɨ}6ϰ8&(t-!rB}PGvd({Evzm wtRV {ACU}n _~5Y*{6xjwѿj+Ȣr7,lC%WnM x- Эz| c] ۉ0)!90ya?eh8d *C  gaR[ gEj 1Z0`ٶmyLuG9 *SިЮ>![{: eE)82YcOqT(h6[':ѹ6%b&nXg%G5֦er=w1aI:H jЃO0uHm>fdȸɑq_Dh쨳?`{yV ZU0|vFP('61;CV#HnHj̕9\Bp% y#>=7tR8\ַj?0jHIسW&veaNa%g]f2- X<5jp/u>v6\ 8:Jxk(%YAzJJtuڹ. '(&6[#a~7X0K UJgUN/K\)` 7.BYNzh-aCMu?kq[FNs3|6UȷF@I_nOu j{5s@bXeRs􏟕ͰwGnBN/<:{{Jw/pVE CR![o^+xH(4mqȇu 8.AKpn26@zaت:`f a㬅 iW7DD?T&ҤLhWHFdS8ͽzAP#r` UJjx±>l;2d[¶U;J|xُ&SPPW +sE*OיB=؊u:nBrkqZp5+/̶5I%TG4xX ^IJ7Oq| HnF!3i8CA"atz/3w[nׯStS%R ܄GM%'Q쒦Q1!Ŕ7%bn1.tqa,e VnnF_GqH!wQvStn`Q+ɟ+L hDF||rp-avfcmzn [tG %c`ڥ^jm|!,>6|azLx'O5 (6JfnKPw:˹@\9k4łp kMvA2Z|6f _$<[o>uOjpeDZ{A $QjxWpRsjS9e]nG>$,O1bj!N୐*2onJE.={.~zm^2O-7 d+|T)MAgNJ<ߩ'&>(Xzl*8hTlhہCe>: 5H8"ñ@`ʆ+ :(JxaCj[R A!@(i{KyXȥ!6 gGp ֊JxW/R$D;؀ab3_M ؈4;.-9ȋopК" ,g !Ձ,W_98j͢+bP8$х=;}~KR,0Ó9pJ HIX*M|Ϥu |V/ ?fRwEnx8RqGPa/y"iTxfs(s."5Q =K6PK\Mb9$E 2C^'0JpS8H,EU¤֡V;11(l",,1ؖRm(n苻njz2EBgcFkmK\[ڨr*iiZ/+b u?I@^ErI ?LmLTBRPz<)ebs gfjDtkܫxRd>:md3k cn9p:ݢٝZ^@_nJHZ|4= -;o9bI#qJ5ShΎɆMQ7}>?q3鄴5p_J>[EM3B]95y/! j;@p k5"Sc t0Ͼflu vDh0Oo)idI3d67bҥ%, z@U/~ighۙۡu1^vM%T8 ݑ+>`Yl@D u+`[fEڝ! ®`56("ic責5` jK؄!a=E%i YۚE+D5 '.61X-P2(&%h1? 0gq2`D#n$I1ͦR!BB3½uҡ ZQ ߈ǃnb ;a1VO(BSgܶoWtxAfu ؑNu1[Ҙ]mڻ=WG@dW= Ok]OƧ+~b:g4V߄ؾtUD6>qcRDN-V7MħlU\U=H0XZIˊX͔pRm>U )G) ߇ ]"Uq#~op 37Ki\rɮ:\Gz8!"^n}Xҁ=3{Uh'O`NR@Ri]M_?|^X~XS  r9c}Wsr;]NY"Zs(mN25M )e^>,6H+F׊|E&mL+6B՞pθ[3Kg/n)C ? x%S X>gʁUwΑ#0=̹f۶>[HVhkQ% KfPRO:1T D#'{1 %vhZ Kfɩcst5O2xss+h!O4;*Il"'WLAp|i.W.2 2yU̧>u2yotX}, 엓>k|.Wfh[@@OE9K]lV -YG ѕ$+E{zy!P+؊h˒Ȯ?H76>)[^Cjˏ{кvYaZʜeQ1W?f T7*'-\Ar$-#t_زRi6hɌ~7a~ŭUlai| w@Ֆ20q+r_;7, nce''VvB;e}(6@IX ).|t :PQP/&s0mvYrKq{HVVtfI65ق5mtql2d {g JPKmbbSoG~teܮb*59١Hnt~+Dg$ ^Lq 1t E3ش27k'@~QK% ц]kp†W!_2cdX32Hy#R~ݖ=&d uӪ~WK, H&Sɱ>H\^2'ZϨɏ3ơI1%F, }*kRج9$M[2R7^D㠏/cR;o>?KIbNzrH#$<љ u K\Wۉ MV*11ѕ;p"s[/ E$yB6{qeW4vkjUdd$a#1"˝Z, MdHk',Ʒ`|]H2BD)]&nJq֑cwm ^%mVr{݇:YX+qҹvFP#$Iaސ NScW'O;)|Q${,Η oU Q*t5_bQ.ۤ"TNQnK2or΁O!]ċ%H9$Lj &Uˡ ]?;܇ okM]Ⱥ- pڊU)'tA瓂ϛ4F%:QW"o~Eqٯ71H-Vx嚒YZLV/Wk~'tdI0Ἅ m!Za|`"/5:2ZWdSz&w7$֐mc\O6o::lmK<2Ap/>xݜ1 X ^HlJAl RCV-kVIo4=S?KT)1ˑ_(nIIXT^9`ߪILs4Qx3)B?R&NPZ,j@ . cRPUZ&Ll0 [=6J ˹&fRxgr@- }\)8\v$BW0~M^gBLIƶTq]Wk/cDz`7ؖzL>yߋfEڑ@Z7{V=E+>$>w5J'bk % M%(Ga9A~zjWA N&1զ^n^xQ{l&`Om]Pq ~(A\7 'x>&=GWc倄.?Ipl^9#0e#@dn3 [cK+N߽؄y^Yui4lG&n}6< &i28l0Sc'!XGj4 sF)ZsH@&_.!&z |y>ynzӹT&ڄLyzt Lp5~iTՀ9a PŝK Yā&D*7-nRdE:p@yz!c4647@ip;%_`\¯R9IM{8æ[m>nH Ƅ+쬤p8OEYN2;7DwfojiKf ?iijJ(y@(ufz<ǐ@kwL.Za #x͖ xX.F /KM[+H~)!n=QY?!Rn]ԘfTI *u9*#>fvk^B/qE q{ Asi``v]fG] LQkcB  1)@9e8GQo8Q5zKg=5)꟭f I |7\cjKdɍ+tZuQ!~ֆh`il•œci=xf?AʰWkSZ>̠"DsMDU0\I~<>V|j12!'R,]ޞ+'~^^3Qe[~mhғ#6jndQ.k˼XRt'_\ɥ׵Ugh+dAU p{f 9i,[|>y~U]gG;!h8-JD٠?MŸ5M%Wu]d5C-цp׃LdӃUNP$>Ʉ'(V8u- tX7/|3 %*B2+Ͽ& Gprüx yG#z \hx^j^ j^{Y"#U^=zPI/3eOHQ s{ȹ܏P{tR@p O59AŕJwλ$PmJv.q!<`m֡A&r9U{AK:uN|d&Vu@V;W%zfJESv~Q)&{ Q 1)guD4=|$$rٌ_n§S+,;ʷ]nZ!6jͱI!Wd}βDbzsCs*k68;!;:yM||Hr9Z_\FAo ġe#*,a ۢ'xQ-k|3}(ugϾB<;ft%u>{b^Jjy=㘐@!>+k[#d.%U^?F ;RZ}7G} ɜiJoH4Mk|Fx`1fFeRn{+ٿq]Q FQtOm:ml1_cm+1,ג0N@_OŒCQ؜ b_GcelBj)OPgI"F(T:yl:!492V["@8*3G.9O:R~{Hu/q@jJ)& &, & TÔA\}F+n2e 9\srV.Nk jj-;YN*l*g(xhݩ56QG Wt*ofa awKKy{ϵ#7t[f`O"yVvy=ճhAyp$4&mwxJi7Tӟg5>9c`m*@[+{8R 5!uP|d9gC8%eH^Ϳ> )_")?9{{SH -xUCVA_]QfZ\ ~7۵/Z~RlliZ1ʄt5,a̓eKj΍.&rfW) ǿeޓ'؉T9K]KsHA7:V'ߦwhyiq_`'&C!vM:1.#Q&@bzMy;]'؉on (=|j|_+z^%t3~pǼ9G?Ojrwlw;l8BH 3kMur)PΞsHIKJ˟2ߧb= 'X4?a~qӢ $@)ȧ{K1 يy0~c:i^DNUTqWG9\k7FW8Jܵacڤ04[8U H Yf91pum4 gdz6,Hٛp,AKk6mK%b#vaAգheaDF v }$uVl]}.|;,P4?c4E/ ΑleU'qheem4e.`v|S#:,1yKۼTp\{d3&7y6l撡0,J_j=l߅9"*ﴲCN+#o U/`Ԉ \} ./w[k.ґ82~g&4+} bc"[Ţ. :eS2maэ\V+ǽi58DUݾV O|?eQ룮'!W#V0=NfӜ}W2}W6N^懡v;핧 Bo#ax-\ȑ#tH!vuuRjjVGԓf0&`'C&loK-_H,s'q БpAe:W3 f-L_lu\tlrR[E@4ġ"j975pƁ&iCe*$Wڊ-7*Ej %/ʛnL$j]\^6lF Jo qovXhð(l6`y:=B6UrR̫#q3BS~ Wdt\1aɛ }-,JO: &a$4=rv^+=:c.)5w"thf;ݹQfNVOvӰ~ 2Tw wU9U/ l/K^hߵ]'s>4xJ:Y *Y);t25|FYPB/_*Fd.W j+^W1>63~+J ctE6U=L//{F^DL;̰mb^½%5l& xD:`C?a1ccW64Zv.sJ*Ah01͜vd&ZmO.b_0H]af2Mzz'6`t \aQhtXh( Zlt %G"? X*yFpxJf!ZEdpu?BQ( D(R?%xeQ}9 |zеx[F|rܬ(UQ`=2D:#j?%;χ<8ܼYQbjH8:0z<#u`lŽCJX[x5UFpLɽ!-#u$,h)W ~* 2wX/)Xt']~RӰ.YHܮ%;HO2VC uc4:Áq evKWCO!4qde!&prטesQqvH0jl͹A]g3^PFaα ׍NjrC*sjc&f'&iG DS_athg- %ٟ Qyn k]_Х?LlesПUc\ze `\$vc|,v:P.vhV8iH8UhmȦa޴r[W>I8>O*zLs(G@&-"ڐZ#{*AT[!݋Jl[2ސlNj+xmz̖CSl{h8, B QȔע*{ d=w+椊xIkJ}%Sy]1N,aR7u̫XBζi3y{?tٿ6ilAKP/g$F8]b5 q!&5zaYB RNiBFn9H"O zI3Q)ޥJPdd`?ݑ:6,~xEI"bi'9ˣ"8B)TfdVLl\Qphv2¹Z|=nf! bPsovo(9Q* ]8\ˬG?fuq#lV: q N eM:CP^i ahv P૭r%^vS2ncC--+ E+EI> J3:N>ZmiPBPt ʓh% Զ7"K?9ij1 v;;\0sx\|Ryve즡@)yݝE in]ɕaU)+x;OyodDJwSC Huw+ ѷ("7@ceaT`~.(WώL@`0ؗUQζ4%rhb^1; -*e<0!Y`/KnM48_| ~5cF%P/%9Q:W%`E!WWD;$,)-pmYVMFC1LU%v^* &TMmٺsJWal t*a*f] aZ:;7/Ch4/7t}KYM]L<j17I%$#Xn̲P3VTh # >3Da4͗r-}~t$ڲH>(< mX&s:TP ~f1WƲ֘꼲H92ڢ+nF5Ķͯ%N/iTk`|XOòȖOOqZ9D|?@vgUBª|wzG/ja{e-NyGB$\A"(411C#~4g)jR3Ŧ9=M* Qy6 }`RRHUpi}}N$B7beN6[mb.Jݦ*pUf>]a:i- @`8Yޟ:|e; %]ykVDȐu~BI~H{:ug㾒b'E7n!hrP |*d{5UmY ,/ DךsDt 1]by$y#K-O]6ˀVzb3k??d"B6"L7%ugHH ?h䍟d: Z/D7+@\ny.ަ"Yӗ5h4I;vsb-!Fxϱ= Í-.Sț"n)k:B]؄3Yk[g}:!V?LVX}Oc!rmt٘9U~2:Z"νέݽ`K/{*B(ׯ~NWnrArYm%n&̜trz=g-fse9~S~RDc<ۚ'ܔԉLV_V;7btFD-Bd̅3/7f*̉"Bc5 #BDyr;;9Ŀ|Bw>uJf""ݱ:c}b&RuFS^ Ȗj},B2}:vve S >ݰ0GB#rEDY өzO}K|ܕ,),u1XL)dܪhI^|߄拵+ 'x{NBK5+U=xQ~XY)J)"EQ^q'^Q# \a7R)̴੪Da)'R-6dB$R}I;z\.n[Ϩz8LR0SnCd ^\rծ~| yɌ@ӍjCk{!tVԟ֝$l&,. fm"yPZEf9t hceTjXV!q= g͠ծ\a#9mիfc_◡gSd0^b't$lR2%" %0M!D󺣑!f1EgƒfGaM7>e?=p҆$A8A\+wAN_ wGP`P4ue o㞖%ʗ?V֫\AD;zx+T|$횦$r: pvde=b~}<UqC6gB&S^c[5_`'LGv\Q~b|$bSK;6Q+;!͌=+}nچ";mBgfé_Q$<>>k2\ ;ҜwO)~pFNX(C;On8D$|@&ľ6' X+ij%lE˜I:\ =ez|2oItvfԊW 64̊0Dix9p-o%7oA2Dat7Io|~Q,4Q:n/0V gE4-[!K BV `XUmt.SЄd]uM Aj5}M!v Ӂ.Mݵxly=ob뢅0h{ZЩo+՘W[X=ez5NImBdQcO0z!M>+_])h6FX*ݤ-1w_髁s<{BlU-KTTE$7>W_OƒCKx%) 'r^a"9HRio>3y22xŇPEߩW'ˋ sqBB=`.ILm<]eVj nxƍ~e\H  BD C#{PIxr#37 )4XCcVHDk8w1΅ n*s8ş1`6+vy "!wB*;){.<**bvN: _N 9&AsU2wwgym44{(SW(לi.{Up' "<#H^Q% "ܛ1pCC͢=X2n96fHy}]Unpc=VU_91ʓu2 x%_t4^M^Ǯ4"J.xi7me&z-7 0TFep ђt } S97Olcc[TG7.gR*o[[i}ntx"F'u(k3#&3iP@iMp8wҦm@1s@#2,<)bDNP g<oӖAq)ne} ])*o\>*70zke:7M6[ON aXk +0"İۖhE[A1~Ge 65jl-IkJLpNzJ?%Pdi(Uױ)zlM(@weW pw g .w໘i<ܦ!Rqm E==FV1AƏx`(*f;Zlgki{%P$? ^1[b‚5@boBTZ5xZVdST4B7$F e;Vkw]aY%$1C8{}~pDw]8+1aD:]s4cg]H~>Y1ZvhY.139M6Ȕ*Ѹj1p9?3o^ \ES.5Oׂ^OmJs;Y703|tI\n7|w.֚#:||F 8Y\KZ6ߑ<9&2"}CTr0?uW{x.1vW~nde`aB{ M 1"y[Y|evKDDPrK!oڬ`lbtr2U44j_jx*`\.Vi&{xL(2a[s8d~8";`z?gjXI޽qm6 /4`tt E/?bD|]gքYKQW_0$ۮc&YGk~*饼.H7 ]cܔuj;V5{\irPnknTĤ}SH˳\$e$xC!aJn6dj a*¿HkJ$2#ӥGi 2h.ǒMoKƽ.#} ~_\ ߍMp9‹:+;EhviۓkvO Ђ+iâ-b= lcPÙ8R/8uXgXhNgP51a-âE@"1d5psT|1Bd9!=tؒ;y'D0tm)i{!KW@$A, j:m8IJ5OF%8z"Zm4'%g }p\S,kptpRvgb<, 'ࡆb6IYk N_cl+lޅ6B[d܃KC(sR⶿bQr aҀ\ vnQNbz{ V~G qùK57UKU=yqK]ݱMahw8Kf΃> [N{}PÞEd3G79 %ɀ>rueENd#7(& 'fP"{nOI:nW&ۭ Z07m$B"=_O`==)p;Mʙ-IgcAv]KXm9VI`t?cTmHDQ,nIx_ؼLBHBzx+&J Mg|0$oY5zk L6|Q!^k:|oC gd=>=ã~.s 5>Jx M&DIӯz\J)ۨWpbXpI {[p^ˈ Uz7H`{<ƲKm$Rh'>n)?e&a[)*2J/ι;{A t\p%`ԸUwD'r=!#trgZ#7!6;.CYV$'/lX\6e}HX<}<hgה†%yj..ݠ*_ިoZ*=݁{u <W9$N}Xv_@uX!.4>LM=BU^kpK2ߊQUWr[)󓊈{N2`?H6 (s$RQvsn[t,e]%<ֿFhDȈpxV@kj$~ FqoN!i@nvҦc^e2Bl Nb3ď3wuW쏼 b}+2\X 7m7M^P!ZZ2\"6d5 /lKv̘-HO![~.^wq>!`϶CSp"O;P@iqc Dl%5YE־U=P&H4;M-E3x>=$ߍ"_Fut XK*lql;?Gm'o>vkt)h[=iy"AxHd׽Q㪜Cx N,!Uj,|^?g^)v_.d9"F^Do`+7I^zgKJ]%/'$ިm?PR,a/2^hZ芃dzH<>MY 'w IN]%țul+pk`& =ͧa^̉mbxEjjZlK?U`˧Esپf}c˛'3o7OؾKȁtv nw )Xv8@*ǁiZ\#HhT7ICSv)7:/%4eMeM>'[CBj\D:܅ήl3ED!j#}@ hM3ۮqk/8[S3;?WkuCo.2٪5vLF< !ve?Rm= U!w_ŀ~B3Xi=;~iko_hOIVvl#/8ڸamtn´2VS>RQrOTB.[j5+ ӌ jӧ҂Lzi2ykd_gI?;e(bJf.#_cdW ֳWCv͛ k(>8|0'*3`^_HKwJS[91@W ie$Lo%ʂ%ŦR8cGۨdKbpu~& ;S &l/0 PK*-{ ; o"Sx` d$Ov,星Ee>UqX$0SMÚҗSjnǸkǙ՘|^&4B}*8+%?:|oJ(%cuLV,gم5Ԕo˚s9_.@.>C*~mB|n$~(IEjSnPN1N@[ b;2.T0#/EB0~C"*6O&.o"|;>0Rn9G 9qk, (c{{G{hrD/M.˧jn X,e<;twRj&ѧ7zVEQ,74WbՅˢN6zZh[aa7$V?}"'BXKdq< !:>Vw/gǠ;r0L:uPUb%>Y"M V4RcG؊i(AT1Th{@/qOө-g7+!BGYq]gI~> 䆾DroDcO{xO&LaQZ䏑mvess1BmV֎1^G Z.ݯg:%joR+Y%4+)+KL}=7okgbًȽob73J֨&Aߏ:"܁O\gBFvIQa9ꕈmg=..BZQ$Dp:G{` c2=p=b^k %} .$KyV㰦7@f[~,2 g<AN͈܇'#udo FIat|~vjir^cN]IZsD8緼zQcuLNS,`/n$1o! P8Uw,_ub@u 7 P ,+t{-<'xB(BV6,ݲa=n*gp 7lRHNTM+'с-?y_؍CuWO;<~㺆cƍ.0ϑե…t3T SqwirLL-1[<|LJ}xM(ٰe.0JHZIW$ϓ$)`7sr umv~7a;јՌW4p2y? fQb;WeƅI%G}~ZaZNߠ:TG2]L7r62ǧu2FH2ÛAL wBE5#6tkqp ?/j0Fr8.-}L\.̻ ))@Yke^`t So`y{KAD~4?m$n)Zj+^aqw*Ų8 {x{5h$ziX-Z1DqDN R.vz0r߬k"xTi6LCx TOn)υGjXI5d¯`\ TW)SX \Ok'I)0lh˩N%j +A1]"m#AB -OgUX}SŶkg"&<>:O~ Ma,eop??V?Y7aVD|;64ҐTF)@Uf,* }=M>m7>8s#0dfqR7B66p>Ԗi̢o!YɠW:Rˮ˞.ajEĽfnx6،zi" ?U>eHwE?CP X~y̜HA.h4¦R4zv6|ΗZ G\bٹF$Dt2fFvccpd~Ɨ]asai6gJȞX%X?Y4oUV+׽G/b<,*IqO}S4}h*5k;xϧr]^uA j)C͘7M[Ze :I7ʿ!ʛC.=H;GΕCdg]ӝq.٘ ;v/(N uL/gf*C#=z*?=F)5#VYC!m!FcK,IrUzS-] "]B$N|{zjZwRN'2N[Fs?b1WOU 2kۚb 1̑vg ;KvQRZKc2yEHiΌL:*&Zo2u z^P WۆĔ7{ ֲ<+-SŨ$ߖ9 1q4UےVu/(OC={x[JdU/m%UTv"gF?e| -IQ6Jeۢ .Y}jx_Typ `4 9FLKza1mVnMI"=Xd>t#D}F>X2=ރܪCqHX6`ʼvnxϺ-1/gWfI l}p? Ľ9Ksm%ui*dϛ,/TEFUMe/w'73[8lՎ[ r^̼H3.|~RbPm͚]rTu [{lJml!'YX)} ʭQa=vP뭚g A2 QJ՗ϩb6U5ߍihӌ#rժhqo;vìeGtƓ6Sk"(e瞇ߝɰn,ձոZ޿GI-n Ytr]4P0qlS3 a m\q>ޱZA#^cM5L^a*2AL)$&c0k,@m2仝 r¯O"z