sssd-dbus-1.16.4-21.el7_7.1> H HtxHF] ?*}}+x~zh]:[ƶ/!v[y4vf'zb07e1209d558071858a4f31ba5ed714735464a75OʿJ-QvUF] ?*}}eT ^"\2wx8٭ 'wxqQ >?x?hd   >  "6SY`h         *  4 \   $77 L7( 8  94 :{ >?@G H I XY\( ]P ^ bdeflt u v8wX x y/dCsssd-dbus1.16.421.el7_7.1The D-Bus responder of the SSSDProvides the D-Bus responder of the SSSD, called the InfoPipe, that allows the information from the SSSD to be transmitted over the system bus.]#sl7.fnal.govJScientific LinuxScientific LinuxGPLv3+Scientific LinuxApplications/Systemhttps://pagure.io/SSSD/sssd/linuxx86_64 if [ $1 -eq 1 ] ; then # Initial installation systemctl preset sssd-ifp.service >/dev/null 2>&1 || : fi if [ $1 -eq 0 ] ; then # Package removal, not upgrade systemctl --no-reload disable sssd-ifp.service > /dev/null 2>&1 || : systemctl stop sssd-ifp.service > /dev/null 2>&1 || : fi systemctl daemon-reload >/dev/null 2>&1 || : if [ $1 -ge 1 ] ; then # Package upgrade, not uninstall systemctl try-restart sssd-ifp.service >/dev/null 2>&1 || : fieKP b큤A큤]#]#]#]#]#\/]#~]#]#]#4601b3592d313effe1a70c44167775b06693dc9b72e7bebc718b6c9e8b094b8f1018b8062fec54f73a99b3e6621a491cfd79f1d5cf7a27860d6f3d349c32fb31801e444ad5f68eab96da07a95308cacc8858154b6ce83fb91789f7d07349a27ba2631eb70e5cdc8392c97e19924dc9aca4ddcf4b38a44ada079dbfd5f3b5c8738ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903fca00081d4ee4c4686e607ab927e92f1687f123caf315c2c50c11a54b685e11bdb6e8667dcea8cf795b6b7cc361856692944ce5aec7b125ef7d006390abb14d7f19b7df7be31dc2ed7688298ad3b1c5ee840188c306ba911580659545c34379b406414d6f6ca06a9d6d99bef0fe5c98e7de24ea9e9c937e69113f9f67f09afadrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootsssd-1.16.4-21.el7_7.1.src.rpmsssd-dbussssd-dbus(x86-64) @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@   @ 
/bin/sh/bin/sh/bin/shlibbasicobjects.so.0()(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcollection.so.2()(64bit)libcrypto.so.10()(64bit)libdbus-1.so.3()(64bit)libdbus-1.so.3(LIBDBUS_1_3)(64bit)libdhash.so.1()(64bit)libdhash.so.1(DHASH_0.4.3)(64bit)libdl.so.2()(64bit)libdl.so.2(GLIBC_2.2.5)(64bit)libglib-2.0.so.0()(64bit)libini_config.so.3()(64bit)libldb.so.1()(64bit)libldb.so.1(LDB_0.9.10)(64bit)libnspr4.so()(64bit)libnss3.so()(64bit)libnssutil3.so()(64bit)libpcre.so.1()(64bit)libplc4.so()(64bit)libplds4.so()(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libref_array.so.1()(64bit)librt.so.1()(64bit)libselinux.so.1()(64bit)libsmime3.so()(64bit)libssl3.so()(64bit)libsss_cert.so()(64bit)libsss_certmap.so.0()(64bit)libsss_child.so()(64bit)libsss_crypt.so()(64bit)libsss_debug.so()(64bit)libsss_util.so()(64bit)libsystemd.so.0()(64bit)libsystemd.so.0(LIBSYSTEMD_209)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rtld(GNU_HASH)sssd-commonrpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-11.16.4-21.el7_7.15.2-14.11.3]\Q\Q\"\"\"\\\r@\r@\r@\\\\\\\\\\\|\+@[@[_[@[@[l,[b@[a[Y[Y[H@[E@[6@[0@[,[,[d@[[Z@Z@ZmZ@Z_@Z_@Z@ZyZhu@Z3@Z2gZ.s@Z*~Z'Z!D@ZZ@Z Z @Z7ZNYZ@Y@YYJ_YJ_YC@YBvYBvY9<@Y9<@Y5GY5GY5GY5GY0Y0Y(Y(Y%uY%uY$$@Y$$@Y"Y;@YR@YR@Y Y @Y @YtYtYtYtYtYXXh@XXX@X@X@XsX@X@X@XۡXۡXXӸX,XCX@XX*X lX lX lW$WW;W;W;W֘W֘W@W^@WiWiWiW/@W/@W/@W/@WWWWQWQWQW@W@W@WhW@W@Wt@WE@WE@W@W@W@W@WW~W-@W-@W-@WW@WWu WgWDB@WDB@WDB@WBW;W;W@VbV͛@VTQ@VCV @V @V @V V@VBVBVBVBVBUUUU@UXU@U@U@UUUUUUUUL@UL@UU@U@U@UnU@U(U@U@UUmUmU@UJ@UU7@U7@U7@U 
@U@U@TE@TE@TE@Tи@Tr@Tr@Tr@Tr@T}T}T}T}T}T7T7TTC@TTZ@TZ@TT@Tp@Tp@T@T{T*@T*@TTT~@T~@TuTuTto@Tto@Tto@Tto@Tto@Tto@TmTmTmTmTl@Tl@Tl@Tl@TcKTa@T\@TZ@TZ@TR(@TG@TG@TG@TG@TG@TD@T6xTTT SS@S|@Sr @Sr @Sr @Sr @S;S;S2@S2@S,)S!S L@SSS@S@S@S@S@S @S @S @S @S @S @S @S @SSSRb@Rb@Rb@R@R@R@R@RURURUR߲RRRx@Rx@Rx@RΏ@RΏ@RΏ@R=R=RkRRRR@R@R@R@R@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@RpREs@REs@R7Q@Q@Q@Q@Q@QQLQکQQQo@Q)@Q@QQ@Q@QbQyQV@Q'@QQQnQZ@Q0@QQQ@Q@QQ @QQh@PP@P@P@Pz@Pz@PqnPl(PaPaPS@PH@PDPM>M2@MMzMx@Mj - 1.16.4-21.1Michal Židek - 1.16.4-21Michal Židek - 1.16.4-20Jakub Hrozek - 1.16.4-19Jakub Hrozek - 1.16.4-18Jakub Hrozek - 1.16.4-17Michal Židek - 1.16.4-16Jakub Hrozek - 1.16.4-15Michal Židek - 1.16.4-14Michal Židek - 1.16.4-12Michal Židek - 1.16.4-12Michal Židek - 1.16.4-11Michal Židek - 1.16.4-10Michal Židek - 1.16.4-9Michal Židek - 1.16.4-8Michal Židek - 1.16.4-7Michal Židek - 1.16.4-6Michal Židek - 1.16.4-5Michal Židek - 1.16.4-4Michal Židek - 1.16.4-3Michal Židek - 1.16.4-2Michal Židek - 1.16.4-1Jakub Hrozek - 1.16.2-17Michal Židek - 1.16.2-16Michal Židek - 1.16.2-15Michal Židek - 1.16.2-14Jakub Hrozek - 1.16.2-13Fabiano Fidêncio - 1.16.2-12Jakub Hrozek - 1.16.2-11Jakub Hrozek - 1.16.2-10Jakub Hrozek - 1.16.2-9Jakub Hrozek - 1.16.2-8Fabiano Fidêncio - 1.16.2-7Fabiano Fidêncio - 1.16.2-6Fabiano Fidêncio - 1.16.2-5Fabiano Fidêncio - 1.16.2-4Fabiano Fidêncio - 1.16.2-3Fabiano Fidêncio - 1.16.2-2Fabiano Fidêncio - 1.16.2-1Fabiano Fidêncio - 1.16.0-25Fabiano Fidêncio - 1.16.0-24Fabiano Fidêncio - 1.16.0-23Fabiano Fidêncio - 1.16.0-22Jakub Hrozek - 1.16.0-21Fabiano Fidêncio - 1.16.0-20Fabiano Fidêncio - 1.16.0-19Fabiano Fidêncio - 1.16.0-18Fabiano Fidêncio - 1.16.0-17Fabiano Fidêncio - 1.16.0-16Fabiano Fidêncio - 1.16.0-15Fabiano Fidêncio - 1.16.0-14Fabiano Fidêncio - 1.16.0-13Fabiano Fidêncio - 1.16.0-12Fabiano Fidêncio - 1.16.0-11Fabiano Fidêncio - 1.16.0-10Fabiano Fidêncio - 1.16.0-9Fabiano Fidêncio - 1.16.0-8Fabiano Fidêncio - 1.16.0-7Fabiano Fidêncio - 1.16.0-6Fabiano Fidêncio - 1.16.0-5Fabiano 
Fidêncio - 1.16.0-4Fabiano Fidêncio - 1.16.0-3Fabiano Fidêncio - 1.16.0-2Fabiano Fidêncio - 1.16.0-1Jakub Hrozek - 1.15.2-51Jakub Hrozek - 1.15.2-50Jakub Hrozek - 1.15.2-49Jakub Hrozek - 1.15.2-48Jakub Hrozek - 1.15.2-47Jakub Hrozek - 1.15.2-46Jakub Hrozek - 1.15.2-45Jakub Hrozek - 1.15.2-44Jakub Hrozek - 1.15.2-43Jakub Hrozek - 1.15.2-42Jakub Hrozek - 1.15.2-41Jakub Hrozek - 1.15.2-40Jakub Hrozek - 1.15.2-39Jakub Hrozek - 1.15.2-38Jakub Hrozek - 1.15.2-37Jakub Hrozek - 1.15.2-36Jakub Hrozek - 1.15.2-35Jakub Hrozek - 1.15.2-34Jakub Hrozek - 1.15.2-33Jakub Hrozek - 1.15.2-32Jakub Hrozek - 1.15.2-31Sumit Bose - 1.15.2-30Jakub Hrozek - 1.15.2-29Jakub Hrozek - 1.15.2-28Jakub Hrozek - 1.15.2-25Jakub Hrozek - 1.15.2-24Lukas Slebodnik - 1.15.2-23Jakub Hrozek - 1.15.2-22Jakub Hrozek - 1.15.2-21Jakub Hrozek - 1.15.2-20Jakub Hrozek - 1.15.2-19Jakub Hrozek - 1.15.2-18Jakub Hrozek - 1.15.2-17Jakub Hrozek - 1.15.2-16Jakub Hrozek - 1.15.2-15Jakub Hrozek - 1.15.2-14Jakub Hrozek - 1.15.2-13Jakub Hrozek - 1.15.2-12Jakub Hrozek - 1.15.2-11Jakub Hrozek - 1.15.2-10Jakub Hrozek - 1.15.2-9Jakub Hrozek - 1.15.2-8Jakub Hrozek - 1.15.2-7Jakub Hrozek - 1.15.2-6Jakub Hrozek - 1.15.2-5Jakub Hrozek - 1.15.2-4Jakub Hrozek - 1.15.2-3Jakub Hrozek - 1.15.2-2Jakub Hrozek - 1.15.2-1Fabiano Fidêncio - 1.15.1-2Jakub Hrozek - 1.15.1-1Jakub Hrozek - 1.15.0-2Jakub Hrozek - 1.15.0-1Jakub Hrozek - 1.14.0-46Jakub Hrozek - 1.14.0-45Jakub Hrozek - 1.14.0-44Jakub Hrozek - 1.14.0-43Jakub Hrozek - 1.14.0-42Jakub Hrozek - 1.14.0-41Jakub Hrozek - 1.14.0-40Jakub Hrozek - 1.14.0-39Jakub Hrozek - 1.14.0-38Jakub Hrozek - 1.14.0-37Jakub Hrozek - 1.14.0-36Jakub Hrozek - 1.14.0-35Jakub Hrozek - 1.14.0-34Jakub Hrozek - 1.14.0-33Jakub Hrozek - 1.14.0-32Jakub Hrozek - 1.14.0-31Jakub Hrozek - 1.14.0-30Jakub Hrozek - 1.14.0-29Jakub Hrozek - 1.14.0-28Jakub Hrozek - 1.14.0-27Jakub Hrozek - 1.14.0-26Jakub Hrozek - 1.14.0-25Jakub Hrozek - 1.14.0-24Jakub Hrozek - 1.14.0-23Jakub Hrozek - 1.14.0-22Jakub Hrozek - 1.14.0-21Jakub 
Hrozek - 1.14.0-20Jakub Hrozek - 1.14.0-19Jakub Hrozek - 1.14.0-18Jakub Hrozek - 1.14.0-17Jakub Hrozek - 1.14.0-16Jakub Hrozek - 1.14.0-15Jakub Hrozek - 1.14.0-14Jakub Hrozek - 1.14.0-13Jakub Hrozek - 1.14.0-12Jakub Hrozek - 1.14.0-11Jakub Hrozek - 1.14.0-10Jakub Hrozek - 1.14.0-9Jakub Hrozek - 1.14.0-8Jakub Hrozek - 1.14.0-7Jakub Hrozek - 1.14.0-6Jakub Hrozek - 1.14.0-5Jakub Hrozek - 1.14.0-4Jakub Hrozek - 1.14.0-3Jakub Hrozek - 1.14.0-2Jakub Hrozek - 1.14.0-1Jakub Hrozek - 1.14.0beta1-2Jakub Hrozek - 1.14.0alpha-1Jakub Hrozek - 1.13.0-50Jakub Hrozek - 1.13.0-49Jakub Hrozek - 1.13.0-48Jakub Hrozek - 1.13.0-47Jakub Hrozek - 1.13.0-46Jakub Hrozek - 1.13.0-45Jakub Hrozek - 1.13.0-44Jakub Hrozek - 1.13.0-43Jakub Hrozek - 1.13.0-42Jakub Hrozek - 1.13.0-41Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 1.12.2-58.3Jakub Hrozek - 
1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 1.11.2-52Jakub Hrozek - 
1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub 
Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 
1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo 
Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Resolves: rhbz#1758566 - negative cache does not use values from 'filter_users' config option for known domains [rhel-7.7.z]- Resolves: rhbz#1714952 - [sssd] RHEL 7.7 Tier 0 Localization - Rebuild japanese gmo file explicitly- Resolves: rhbz#1714952 - [sssd] RHEL 7.7 Tier 0 Localization- Resolves: rhbz#1707959 - sssd does not properly check GSS-SPNEGO- Resolves: rhbz#1710286 - The server error message is not returned if password change fails- Resolves: rhbz#1711832 - The files provider does not handle resetOffline properly- Resolves: rhbz#1707759 - Error accessing files on samba share randomly- Resolves: rhbz#1685581 - Extend cached_auth_timeout to cover subdomains /trusts- Resolves: rhbz#1684979 - The HBAC code requires dereference to be enabled and fails otherwise- Resolves: rhbz#1576524 - RHEL STIG pointing sssd Packaging issue - This was partially fixed by the rebase, but one spec file change was missing.- Resolves: rhbz#1524566 - FIPS mode breaks using pysss.so (sss_obfuscate)- Resolves: rhbz#1350012 - kinit / sssd kerberos fail over - Resolves: rhbz#720688 - [RFE] return multiple server addresses to the Kerberos locator plugin- Resolves: rhbz#1402056 - [RFE] Make 2FA prompting configurable- Resolves: rhbz#1666819 - SSSD can trigger a NSS lookup when parsing the filter_users/groups lists on startup, this can block the startup- Resolves: rhbz#1645461 - Slow ldb search causes blocking during startup which might cause the registration to time out- Resolves: rhbz#1685581 - Extend cached_auth_timeout to cover subdomains / trusts- Resolves: rhbz#1671138 - User is unable to perform sudo as a user on IPA Server, even though `sudo -l` shows permissions to do so- Resolves: rhbz#1657806 - [RFE]: Optionally disable generating auto private groups for subdomains of an AD provider- Resolves: rhbz#1641131 - 
[RFE] Need an option in SSSD so that it will skip GPOs that have groupPolicyContainers, unreadable by SSSD. - Resolves: rhbz#1660874 - CVE-2018-16838 sssd: improper implementation of GPOs due to too restrictive permissions [rhel-7]- Resolves: rhbz#1631656 - KCM: kinit: Matching credential not found while getting default ccache- Resolves: rhbz#1406678 - sssd service is starting before network service - Resolves: rhbz#1616853 - SSSD always boots in Offline mode- Resolves: rhbz#1658994 - Rebase SSSD to 1.16.x- Resolves: rhbz#1603311 - Enable generating user private groups only for users with uid == gid where gid does not correspond to a real LDAP group- Resolves: rhbz#1602172 - SSSD's LDAP authentication provider does not work if ID provider is authenticated with GSSAPI- Resolves: rhbz#1622109 - SSSD not fetching all sudo rules from AD- Resolves: rhbz#1619706 - sssd only sets the SELinux login context if it differs from the default- Resolves: rhbz#1593756 - sssd needs to require a newer version of libtalloc and libtevent to avoid an issue in GPO processing- Resolves: rhbz#1610667 - sssd_ssh leaks file descriptors when more than one certificate is converted into an SSH key - Resolves: rhbz#1583360 - The IPA selinux provider can return an error if SELinux is completely disabled- Resolves: rhbz#1602781 - Local users failed to login with same password- Resolves: rhbz#1586127 - Spurious check in the sssd nss memcache can cause the memory cache to be skipped- Resolves: rhbz#1522928 - sssd doesn't allow user with expired password- Resolves: rhbz#1607313 - When sssd is running as non-root user, the sudo pipe is created as sssd:sssd but then the private pipe ownership fails- Resolves: rhbz#1600822 - SSSD bails out saving desktop profiles in case an invalid profile is found- Resolves: rhbz#1582975 - The search filter for detecting POSIX attributes in global catalog is too broad and can cause a high load on the servers- Resolves: rhbz#1583725 - SSSD AD uses LDAP filter to detect 
POSIX attributes stored in AD GC also for regular AD DC queries - Resolves: rhbz#1416528 - sssd in cross realm trust configuration should be able to use AD KDCs from a client site defined in sssd.conf or a snippet - Resolves: rhbz#1592964 - Groups go missing with PAC enabled in sssd- Resolves: rhbz#1590603 - EMBARGOED CVE-2018-10852 sssd: information leak from the sssd-sudo responder [rhel-7] - Resolves: rhbz#1450778 - Full information regarding priority of lookup of principal in keytab not in man page- Resolves: rhbz#1494690 - kdcinfo files are not created for subdomains of a directly joined AD client - Resolves: rhbz#1583343 - Login with sshkeys stored in ipa not working after update to RHEL-7.5 - Resolves: rhbz#1527662 - Handle conflicting e-mail addresses more gracefully - Resolves: rhbz#1509691 - Document how to change the regular expression for SSSD so that group names with an @-sign can be parsed- Related: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch- Resolves: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch - Resolves: rhbz#1523019 - Reset password with two factor authentication fails - Resolves: rhbz#1534749 - Requesting an AD user's private group and then the user itself returns an emty homedir - Resolves: rhbz#1537272 - SSH public key authentication keeps working after keys are removed from ID view - Resolves: rhbz#1537279 - Certificate is not removed from cache when it's removed from the override - Resolves: rhbz#1562025 - externalUser sudo attribute must be fully-qualified - Resolves: rhbz#1577335 - /usr/libexec/sssd/sssd_autofs SIGABRT crash daily - Resolves: rhbz#1508530 - How should sudo behave without sudoHost attribute? 
- Resolves: rhbz#1546754 - The man page of sss_ssh_authorizedkeys can be enhanced to better explain how the keys are retrieved and how X.509 certificates can be used - Resolves: rhbz#1572790 - getgrgid/getpwuid fails in setups with multiple domains if the first domain uses mid_id/max_id - Resolves: rhbz#1561562 - sssd not honoring dyndns_server if the DNS update process is terminated with a signal - Resolves: rhbz#1583251 - home dir disappear in sssd cache on the IPA master for AD users - Resolves: rhbz#1514061 - ID override GID from Default Trust View is not properly resolved in case domain resolution order is set - Resolves: rhbz#1571466 - Utilizing domain_resolution_order in sssd.conf breaks SELinux user map - Resolves: rhbz#1571526 - SSSD with ID provider 'ad' should give a warning in case the ldap schema is manually changed to something different than 'ad'.- Resolves: rhbz#1547782 - The SSSD IPA provider allocates information about external groups on a long lived memory context, causing memory growth of the sssd_be process- Related: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1516266 - Give a more detailed debug and system-log message if krb5_init_context() failed - Resolves: rhbz#1503802 - Smartcard authentication fails if SSSD is offline and 'krb5_store_password_if_offline = True' - Resolves: rhbz#1385665 - Incorrect error code returned from krb5_child (updated) - Resolves: rhbz#1547234 - SSSD's GPO code ignores ad_site option - Resolves: rhbz#1459348 - extend sss-certmap man page regarding priority processing - Resolves: rhbz#1220767 - Group renaming issue when "id_provider = ldap" is set - Resolves: rhbz#1538555 - crash in nss_protocol_fill_netgrent. 
sssd_nss[19234]: segfault at 80 ip 000055612688c2a0 sp 00007ffddf9b9cd0 error 4 in sssd_nss[55612687e000+39000]- Resolves: rhbz#1565774 - After updating to RHEL 7.5 failing to clear the sssd cache- Resolves: rhbz#1566782 - memory management issue in the sssd_nss_ex interface can cause the ns-slapd process on IPA server to crash- Related: rhbzrhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1543348 - sssd_be consumes more memory on RHEL 7.4 systems. - Resolves: rhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1523282 - sssd used wrong search base with wrong AD server- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set - Related: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7]- Resolves: rhbz#1517971 - AD Domain goes offline immediately during subdomain initialization - IPA AD Trust - Related: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. 
- Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1527149 - AD provider - AD BUILTIN groups are cached with gidNumber = 0 - Related: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1525644 - dbus-send unable to find user by CAC cert- Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card- Resolves: rhbz#1512027 - NSS by-id requests are not checked against max_id/min_id ranges before triggering the backend- Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card - Resolves: rhbz#1520984 - getent output is not showing home directory for IPA AD trusted user - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1421194 - SSSD doesn't use AD global catalog for gidnumber lookup, resulting in unacceptable delay for large forests- Resolves: rhbz#1482231 - sssd_nss consumes more memory until restarted or machine swaps - Resolves: rhbz#1512508 - SSSD fails to fetch group information after switching IPA client to a non-default view- Resolves: rhbz#1490120 - SSSD complaining about corrupted mmap cache and logging error in /var/log/messages and /var/log/sssd/sssd_nss.log- Resolves: rhbz#1272214 - [RFE] Create a local per system report about who can access that IDM client (attestation) - Resolves: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Resolves: rhbz#888739 - Enumerating large number of users makes sssd_be hog the cpu for a long time. 
- Resolves: rhbz#1373547 - SSSD performance issue with malloc and brk calls - Resolves: rhbz#1472255 - Improve SSSD performance in the 7.5 release- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1432010 - SSSD ships a drop-in configuration snippet in /etc/systemd/system - Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available- Resolves: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Related: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1408294 - SSSD authentication fails when two IPA accounts share an email address without a clear way to debug the problem - Resolves: rhbz#1502686 - crash - /usr/libexec/sssd/sssd_nss in nss_setnetgrent_timeout- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1484376 - [RFE] Add a configuration option to SSSD to disable the memory cache - Resolves: rhbz#1327705 - Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1505277 - Race condition between refreshing the cr_domain list and a request that is using the list can cause a segfault is sssd_nss - Resolves: rhbz#1462343 - document information on why SSSD does not use host-based security filtering when processing AD GPOs - Resolves: rhbz#1498734 - sssd_be stuck in an infinite loop after completing full refresh of sudo rules - Resolves: rhbz#1400614 - [RFE] sssd should remember DNS sites from first search - Resolves: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Resolves: rhbz#1459609 - When sssd is configured with id_provider proxy and 
auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1469791 - Rebase SSSD to version 1.16+ - Resolves: rhbz#1132264 - Allow sssd to retrieve sudo rules of local users whose sudo rules stored in ldap server - Resolves: rhbz#1301740 - sssd can be marked offline if a trusted domain is not reachable - Resolves: rhbz#1399262 - Use TCP for kerberos with AD by default - Resolves: rhbz#1416150 - RFE: Log to syslog when sssd cannot contact servers, goes offline - Resolves: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Resolves: rhbz#1454559 - python-sssdconfig doesn't parse hexadecimal debug _level, resulting in set_option(): /usr/lib/python2.7/site-packages/SSSDConfig/__init__.py killed by TypeError - Resolves: rhbz#1456968 - MAN: document that attribute 'provider' is not allowed in section 'secrets' - Resolves: rhbz#1460689 - KCM/secrets: Storing many secrets in a rapid succession segfaults the secrets responder - Resolves: rhbz#1464049 - Idle nss file descriptors should be closed - Resolves: rhbz#1468610 - sssd_be is utilizing more CPU during sudo rules refresh - Resolves: rhbz#1474711 - Querying the AD domain for external domain's ID can mark the AD domain offline - Resolves: rhbz#1479398 - samba shares with sssd authentication broken on 7.4 - Resolves: rhbz#1479983 - id root triggers an LDAP lookup - Resolves: rhbz#1489895 - Issues with certificate mapping rules - Resolves: rhbz#1490501 - sssd incorrectly checks 'try_inotify' thinking it is the wrong section - Resolves: rhbz#1490913 - MAN: Document that full_name_format must be set if the output of trusted domains user resolution should be shortnames only - Resolves: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Resolves: rhbz#1482674 - SUDO doesn't work for IPA users on IPA clients after applying ID Views 
for them in IPA server - Resolves: rhbz#1486053 - Accessing IdM kerberos ticket fails while id mapping is applied - Resolves: rhbz#1486786 - sssd going in offline mode due to sudo search filter. - Resolves: rhbz#1500087 - SSSD creates bad override search filter due to AD Trust object with parenthesis - Resolves: rhbz#1502713 - SSSD can crash due to ABI changes in libldb >= 1.2.0 (1.1.30) - Resolves: rhbz#1461462 - sssd_client: add mutex protected call to the PAC responder - Resolves: rhbz#1489666 - Combination sssd-ad and postfix receive incorrect mail with asterisks or spaces - Resolves: rhbz#1525052 - sssd_krb5_localauth_plugin fails to fall back to other localname rules- Require the 7.5 libldb version which broke ABI - Related: rhbz#1469791 - Rebase SSSD to version 1.16+- Resolves: rhbz#1457926 - Wrong search base used when SSSD is directly connected to AD child domain- Resolves: rhbz#1450107 - SSSD doesn't handle conflicts between users from trusted domains with the same name when shortname user resolution is enabled- Resolves: rhbz#1459846 - krb5: properly handle 'password expired' information returned by the KDC during PKINIT/Smartcard authentication- Resolves: rhbz#1430415 - ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in- Resolves: rhbz#1455254 - Make domain available as user attribute- Resolves: rhbz#1449731 - IPA client cannot change AD Trusted User password- Resolves: rhbz#1457927 - getent failed to fetch netgroup information after changing default_domain_suffix to AD domain in /etc/sssd/sssd.conf- Resolves: rhbz#1440132 - filter_users and filter_groups stop working properly in v 1.15- Resolves: rhbz#1449728 - LDAP to IPA migration doesn't work in master- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1449729 - org.freedesktop.sssd.infopipe.GetUserGroups does not resolve groups into names with AD- Resolves: rhbz#1450094 - Properly support IPA's 
promptusername config option- Resolves: rhbz#1457644 - Segfault in access_provider = krb5 is set in sssd.conf due to an off-by-one error when constructing the child send buffer - Resolves: rhbz#1456531 - Option name typos are not detected with validator function of sssctl config-check command in domain sections- Resolves: rhbz#1428906 - sssd intermittently failing to resolve groups for an AD user in IPA-AD trust environment.- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail - Fix Coverity issues in patches for rhbz#1445445- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1446302 - crash in sssd-kcm due to a race-condition between two concurrent requests- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail- Resolves: rhbz#1306707 - Need better debug message when krb5_child returns an unhandled error, leading to a System Error PAM code- Resolves: rhbz#1446535 - Group resolution does not work in subdomain without ad_server option- Resolves: rhbz#1449726 - sss_nss_getlistbycert() does not return results from multiple domains - Resolves: rhbz#1447098 - sssd unable to search dbus for ipa user by certificate - Additional patch for rhbz#1440132- Reapply patch by Lukas Slebodnik to fix upgrade issues with libwbclient - Resolves: rhbz#1439457 - SSSD does not start after upgrade from 7.3 to 7.4 - Resolves: rhbz#1449107 - error: %pre(sssd-common-1.15.2-26.el7.x86_64) scriptlet failed, exit status 3- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15 - Also apply an additional patch for rhbz#1441545- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1434992 - Wrong pam return code for user from subdomain with ad_access_filter- Resolves: rhbz#1430494 - expect sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy manuals to be packaged into sssd-common package- 
Resolves: rhbz#1427749 - SSSD in server mode iterates over all domains for group-by-GID requests, causing unnecessary searches- Resolves: rhbz#1446139 - Infopipe method ListByCertificate does not return the users with overrides- Resolves: rhbz#1441545 - With multiple subdomain sections id command output for user is not displayed for both domains- Resolves: rhbz#1428866 - Using ad_enabled_domains configuration option in sssd.conf causes nameservice lookups to fail.- Remove an unused variable from the sssd-secrets responder - Related: rhbz#1398701 - [sssd-secrets] https proxy talks plain http - Improve two DEBUG messages in the client trust code to aid troubleshooting - Fix standalone application domains - Related: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Allow completely server-side unqualified name resolution if the domain order is set, do not require any client-side changes - Related: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users- Resolves: rhbz#1402532 - D-Bus interface of sssd is giving inappropriate group information for trusted AD users- Resolves: rhbz#1431858 - Wrong principal found with ad provider and long host name- Resolves: rhbz#1415167 - pam_acct_mgmt with pam_sss.so fails in unprivileged container unless selinux_provider = none is used- Resolves: rhbz#1438388 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_pam killed by 6- Resolves: rhbz#1432112 - sssctl config-check does not give any error when default configuration file is not present- Resolves: rhbz#1438374 - [abrt] [faf] sssd: vfprintf(): /usr/libexec/sssd/sssd_be killed by 11- Resolves: rhbz#1427195 - sssd_nss consumes more memory until restarted or machine swaps- Resolves: rhbz#1414023 - Create troubleshooting tool to determine if a failure is in SSSD or not when using layered products like RH-SSO/CFME 
etc- Resolves: rhbz#1398701 - [sssd-secrets] https proxy talks plain http- Fix off-by-one error in the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Resolves: rhbz#1434991 - Issue processing ssh keys from certificates in ssh respoder- Resolves: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users - Also backport some buildtime fixes for the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1340711 - [RFE] Use one smartcard and certificate for authentication to distinct logon accounts- Update to upstream 1.15.2 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html - Resolves: rhbz#1418728 - IPA - sudo does not handle associated conflict entries - Resolves: rhbz#1386748 - sssd doesn't update PTR records if A/PTR zones are configured as non-secure and secure - Resolves: rhbz#1214491 - [RFE] Make it possible to configure AD subdomain in the SSSD server mode- Drop "NOUPSTREAM: Bundle http-parser" patch Related: rhbz#1393819 - New package: http-parser- Update to upstream 1.15.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html - Resolves: rhbz#1327085 - Don't prompt for password if there is already one on the stack - Resolves: rhbz#1378722 - [RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases - Resolves: rhbz#1405075 - [RFE] Add PKINIT support to SSSD Kerberos provider - Resolves: rhbz#1416526 - Need correction in sssd-krb5 man page - Resolves: rhbz#1418752 - pam_sss crashes in do_pam_conversation if no conversation function is provided by the client app - Resolves: rhbz#1419356 - Fails to accept any sudo rules if there are two user entries in an ldap role with the same sudo 
user - Resolves: rhbz#1421622 - SSSD - Users/Groups are cached as mixed-case resulting in users unable to sign in- Fix several packaging issues, notably the p11_child is no longer setuid and the libwbclient used a wrong version number in the symlink- Update to upstream 1.15.0 - Resolves: rhbz#1393824 - Rebase SSSD to version 1.15 - Resolves: rhbz#1407960 - wbcLookupSid() fails in pdomain is NULL - Resolves: rhbz#1406437 - sssctl netgroup-show Cannot allocate memory - Resolves: rhbz#1400422 - Use-after free in resolver in case the fd is writeable and readable at the same time - Resolves: rhbz#1393085 - bz - ldap group names don't resolve after upgrading sssd to 1.14.0 if ldap_nesting_level is set to 0 - Resolves: rhbz#1392444 - sssd_be keeps crashing - Resolves: rhbz#1392441 - sssd fails to start after upgrading to RHEL 7.3 - Resolves: rhbz#1382602 - autofs map resolution doesn't work offline - Resolves: rhbz#1380436 - sudo: ignore case on case insensitive domains - Resolves: rhbz#1378251 - Typo In SSSD-AD Man Page - Resolves: rhbz#1373427 - Clock skew makes SSSD return System Error - Resolves: rhbz#1306707 - Need better handling of "Server not found in Kerberos database" - Resolves: rhbz#1297462 - Don't include 'enable_only=sssd' in the localauth plugin config- Resolves: rhbz#1382598 - IPA: Uninitialized variable during subdomain check- Resolves: rhbz#1378911 - No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain- Resolves: rhbz#1372075 - AD provider: SSSD does not retrieve a domain-local group with the AD provider when following AGGUDLP group structure across domains- Resolves: rhbz#1376831 - sssd-common is missing dependency on sssd-sudo- Resolves: rhbz#1371631 - login using gdm calls for gdm-smartcard when smartcard authentication is not enabled- Resolves: rhbz#1373420 - sss_override fails to export- Resolves: rhbz#1375299 - sss_groupshow fails with error "No such group in local domain. 
Printing groups only allowed in local domain"- Resolves: rhbz#1375182 - SSSD goes offline when the LDAP server returns sizelimit exceeded- Resolves: rhbz#1372753 - Access denied for user when access_provider = krb5 is set in sssd.conf- Resolves: rhbz#1373444 - unable to create group in sssd cache - Resolves: rhbz#1373577 - unable to add local user in sssd to a group in sssd- Resolves: rhbz#1369118 - Don't enable the default shadowtils domain in RHEL- Fix permissions for the private pipe directory - Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1371977 - resolving IPA nested user groups is broken in 1.14- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1371152 - SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side- Apply forgotten patch - Resolves: rhbz#1368496 - sssd is not able to authenticate with alias - Resolves: rhbz#1366470 - sssd: throw away the timestamp cache if re-initializing the persistent cache - Fix deleting non-existent secret - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1364033 - sssd exits if clock is adjusted backwards after boot- Resolves: rhbz#1362023 - SSSD fails to start when ldap_user_extra_attrs contains mail- Resolves: rhbz#1368324 - libsss_autofs.so is packaged in two packages sssd-common and libsss_autofs- Fix RPM scriptlet plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Add socket-activation plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Own the secrets directory - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1268874 - Add an option to disable checking for trusted domains in the subdomains 
provider- Resolves: rhbz#1271280 - sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)- Resolves: rhbz#1290500 - [feat] command to manually list fo_add_server_to_list information- Add several small fixes related to the config API - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Resolves: rhbz#1349900 - gpo search errors out and gpo_cache file is never created- Fix regressions in the simple access provider - Resolves: rhbz#1360806 - sssd does not start if sub-domain user is used with simple access provider - Apply a number of specfile patches to better match the upstream specfile - Related: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3- Cherry-pick patches from upstream that fix several regressions - Avoid checking local users in all cases - Resolves: rhbz#1353951 - sssd_pam leaks file descriptors- Resolves: rhbz#1364118 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11 - Resolves: rhbz#1361563 - Wrong pam error code returned for password change in offline mode- Resolves: rhbz#1309745 - Support multiple principals for IPA users- Resolves: rhbz#1304992 - Handle overridden name of members in the memberUid attribute- handle unresolvable sites more gracefully - Resolves: rhbz#1346011 - sssd is looking at a server in the GC of a subdomain, not the root domain. 
- fix compilation warnings in unit tests- fix capaths output - Resolves: rhbz#1344940 - GSSAPI error causes failures for child domain user logins across IPA - AD trust - also fix Coverity issues in the secrets responder and suppress noisy debug messages when setting the timestamp cache- Resolves: rhbz#1356577 - sssctl: Time stamps without time zone information- Resolves: rhbz#1354414 - New or modified ID-View User overrides are not visible unless rm -f /var/lib/sss/db/*cache*- Resolves: rhbz#1211631 - [RFE] Support of UPN for IdM trusted domains- Resolves: rhbz#1350520 - [abrt] sssd-common: ipa_dyndns_update_send(): sssd_be killed by SIGSEGV- Resolves: rhbz#1349882 - sssd does not work under non-root user - Also cherry-pick a few patches from upstream to fix config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Sync a few minor patches from upstream - Fix sssctl manpage - Fix nss-tests unit test on big-endian machines - Fix several issues in the config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Bundle http-parser - Resolves: rhbz#1311056 - Add a Secrets as a Service component- Sync a few minor patches from upstream - Fix a failover issue - Resolves: rhbz#1334749 - sssd fails to mark a connection as bad on searches that time out- Explicitly BuildRequire newer ding-libs - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- New upstream release 1.14.0 - Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#835492 - [RFE] SSSD admin tool request - force reload - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check) - Resolves: rhbz#1278691 - Please fix rfc2307 autofs schema defaults - Resolves: rhbz#1287209 - default_domain_suffix Appended to User Name - Resolves: rhbz#1300663 - Improve sudo protocol to support configurations with default_domain_suffix - Resolves: rhbz#1312275 - Support authentication indicators 
from IPA- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#790113 - [RFE] "include" directive in sssd.conf - Resolves: rhbz#874985 - [RFE] AD provider support for automount lookups - Resolves: rhbz#879333 - [RFE] SSSD admin tool request - status overview - Resolves: rhbz#1140022 - [RFE]Allow sssd to add a new option that would specify which server to update DNS with - Resolves: rhbz#1290380 - RFE: Improve SSSD performance in large environments - Resolves: rhbz#883886 - sssd: incorrect checks on length values during packet decoding - Resolves: rhbz#988207 - sssd does not detail which line in configuration is invalid - Resolves: rhbz#1007969 - sssd_cache does not remove have an option to remove the sssd database - Resolves: rhbz#1103249 - PAC responder needs much time to process large group lists - Resolves: rhbz#1118257 - Users in ipa groups, added to netgroups are not resovable - Resolves: rhbz#1269018 - Too much logging from sssd_be - Resolves: rhbz#1293695 - sssd mixup nested group from AD trusted domains - Resolves: rhbz#1308935 - After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user - Resolves: rhbz#1315766 - SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo - Resolves: rhbz#1316164 - SSSD fails to process GPO from Active Directory - Resolves: rhbz#1322458 - sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - The rebase includes fixes for the following bugzillas: - Resolves: rhbz#789477 - [RFE] SUDO: Support the IPA schema - Resolves: rhbz#1059972 - RFE: SSSD: Automatically assign new slices for any AD domain - Resolves: rhbz#1233200 - man sssd.conf should clarify details about subdomain_inherit option. 
- Resolves: rhbz#1238144 - Need better libhbac debugging added to sssd - Resolves: rhbz#1265366 - sss_override segfaults when accidentally adding --help flag to some commands - Resolves: rhbz#1269512 - sss_override: memory violation - Resolves: rhbz#1278566 - crash in sssd when non-English locale is used and pam_strerror prints non-ASCII characters - Resolves: rhbz#1283686 - groups get deleted from the cache - Resolves: rhbz#1290378 - Smart Cards: Certificate in the ID View - Resolves: rhbz#1292238 - extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members - Resolves: rhbz#1292456 - sssd_be AD segfaults on missing A record - Resolves: rhbz#1294670 - Local users with local sudo rules causes LDAP queries - Resolves: rhbz#1296618 - Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore - Resolves: rhbz#1299553 - Cannot retrieve users after upgrade from 1.12 to 1.13 - Resolves: rhbz#1302821 - Cannot start sssd after switching to non-root - Resolves: rhbz#1310877 - [RFE] Support Automatic Renewing of Kerberos Host Keytabs - Resolves: rhbz#1313014 - sssd is not closing sockets properly - Resolves: rhbz#1318996 - SSSD does not fail over to next GC - Resolves: rhbz#1327270 - local overrides: issues with sub-domain users and mixed case names - Resolves: rhbz#1342547 - sssd-libwbclient: wbcSidsToUnixIds should not fail on lookup errors- Build the PAC plugin with krb5-1.14 - Related: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1290853 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.- Resolves: rhbz#1336706 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups- Resolves: rhbz#1296902 - In IPA-AD trust environment access is granted to AD user 
even if the user is disabled on AD.- Resolves: rhbz#1334159 - IPA provider crashes if a netgroup from a trusted domain is requested- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin - More patches from upstream related to the memory leak- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin- Resolves: rhbz#1300740 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.- Resolves: rhbz#1267836 - PAM responder crashed if user was not set- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Fix a Coverity warning in dyndns code - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1263735 - Could not resolve AD user from root domain- Remove -d from sss_override manpage - Related: rhbz#1259512 - sss_override : The local override user is not found- Patches required for better handling of failover with one-way trusts - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users- Resolves: rhbz#1259512 - sss_override : The local override user is not found- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page 
or in the arguments help- Resolves: rhbz#1254518 - Fix crash in nss responder- Support import/export for local overrides - Support FQDNs for local overrides - Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes- Resolves: rhbz#1250415 - sssd: p11_child hardening- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected- Fix wildcard_limit=0 - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Fix race condition in invalidating the memory cache - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled- Bump release number - Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- Fix missing dependency of sssd-tools - Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- More memory cache related fixes - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Remove binary blob from SC patches as patch(1) can't handle those - Related: rhbz#854396 - [RFE] Support for smart cards- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*- Fix memory cache integration tests - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups - Resolves: rhbz#854396 - [RFE] Support for smart cards- Remove OTP from PAM stack correctly - Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Handle sssd-owned keytabs when sssd runs as root - Related: rhbz#1205144 - RFE: Support one-way trusts for IPA- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on 
individual clients- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support - Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2- Add support for InfoPipe wildcard requests - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Also package the initgr memcache - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Rebase to 1.13.0 upstream - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Don't default to SSSD user - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Related: rhbz#1205554 - Rebase SSSD to 1.13.x - GPO default should be permissve- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x - Relax the libldb requirement - Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21 - Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs - Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust - Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers - Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains - Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups - Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set - Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides - Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution - Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work - Resolves: rhbz#1214337 - Overrides with 
--login work in second attempt - Resolves: rhbz#1212489 - Disable the cleanup task by default - Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf - Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one - Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected - Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all - Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface - Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain - Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys - Resolves: rhbz#1204203 - sssd crashes intermittently - Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default - Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only - Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries - Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything - Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query - Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects - Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name? 
- Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error - Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD - Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set - Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires - Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option - Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID- Filter out domain-local groups during AD initgroups operation - Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Initialize variable in the views code in one success and one failure path - Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Handle case where there is no default and no rules - Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u- Set a pointer in ldap_child to NULL to avoid warnings - Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Run the restart in sssd-common posttrans - Explicitly require libwbclient - Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 
upgrade- Fix endianness bug in fill_id() - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view- Resolves: rhbz#1184982 - Need to set different umask in selinux_child- Bump the release number - Related: rhbz#1184140 - Users saved through extop don't have the originalMemberOf attribute- Add a patch dependency - Related: rhbz#1184140 - Users saved through extop don't have the originalMemberOf attribute- Process ghost members only once - Fix processing of universal groups with members from different domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Related: rhbz#1184140 - Users saved through extop don't have the originalMemberOf attribute- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved- Handle GID override in MPG domains - Handle views with mixed-case domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Open socket to the PAC responder in krb5_child before dropping root - Related: rhbz#1184140 - Users saved through extop don't have the originalMemberOf attribute- Resolves: rhbz#1184140 - Users saved through extop don't have the originalMemberOf attribute- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD- Resolves: rhbz#889206 - On clock skew sssd returns system error- Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used - Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Resolves: rhbz#1171215 - Crash in 
function get_object_from_cache - Resolves: rhbz#1171383 - getent fails for posix group with AD users after login - Resolves: rhbz#1171382 - getent of AD universal group fails after group users login - Resolves: rhbz#1170300 - Access is not rejected for disabled domain - Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode - Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear - Related: rhbz#1113783 - sssd should run under unprivileged user- Rebuild to add several forgotten Patch entries - Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Remove Coverity warnings in krb5_child code - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Don't error out on chpass with OTPs - Related: rhbz#1109756 - Rebase SSSD to 1.12- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users - Enable running unit tests without cmocka - Related: rhbz#1113783 - sssd should run under unprivileged user- krb5_child and ldap_child do not call Kerberos calls as root - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware- Fix typo in libwbclient-devel alternatives invocation - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.- Handle migrating clients between views 
- Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Use alternatives for libwbclient - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression- Add an option that describes where to put generated krb5 files to - Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12- Handle IPA group names returned from the extop plugin - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete- Support views for IPA users - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Update man page to clarify TGs should be disabled with a custom search base - Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Use upstreamed patches for the rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Resolves: rhbz#1162480 - dereferencing failure against openldap server- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1113783 - sssd should run under unprivileged user- Fix two regressions in the new selinux_child process - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1132365 - Remove 
password from the PAM stack if OTP is used- Include the ldap_child and selinux_child patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Support overriding SSH public keys with views - Support extended attributes via the extop plugin - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving - Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times- Include the responder and packaging patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Amend the sssd-ldap man page with info about lockout setup - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD - Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server - Related: rhbz#1109756 - Rebase SSSD to 1.12- Add the low-level server changes for running as unprivileged user - Package the libsss_semange library needed for SELinux label changes - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Use libsemanage for SELinux label changes - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Rebase SSSD to 1.12.2 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Sync with upstream - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebuild against ding-libs with fixed SONAME - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.1 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Require ldb 2.1.17 - Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer- Fix fully qualified IFP lookups - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.0 - Related: 
rhbz#1109756 - Rebase SSSD to 1.12- Squash in upstream review comments about the PAC patch - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Backport a patch to allow krb5-utils-test to run as root - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Fix a DEBUG message, backport two related fixes - Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success- Resolves: rhbz#1078840 - Error during password change- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider- Fix idmap documentation - 
Bump idmap version info - Related: rhbz#1067361 - Check IPA idranges before saving them to the cache- Pull some follow up man page fixes from upstream - Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does. 
- Use the right domain for AD site resolution - Related: rhbz#743503 - [RFE] sssd should support DNS sites- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin- Mass rebuild 2014-01-24- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed. - Fix a typo in the man page - Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain - Fix return value when searching for AD domain flat names - Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword. 
- Fix two memory leaks in the PAC responder (Related: rhbz#991065)- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup- Resolves: rhbz#1049533 - Group membership lookup issue- Mass rebuild 2013-12-27- Resolves: rhbz#894068 - sss_cache doesn't support subdomains- Re-initialize subdomains after provider startup - Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- The AD provider is able to resolve group memberships for groups with Global and Universal scope - Related: rhbz#1033096 - tokenGroups do not work reliably with Global Catalog- Resolves: rhbz#1033096 - tokenGroups do not work reliably with Global Catalog - Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"- Resolves: rhbz#1037936 - sssd_be crashes occasionally- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains- Resolves: rhbz#1033084 - sssd_be segfaults if empty group is resolved using ad_matching_rule- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- Skip netgroups that don't provide well-formed triplets - Related: rhbz#991549 - sssd fails to retrieve netgroups with 
multiple CN attributes- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 - Resolves: rhbz#991065- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash - Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 - Resolves: rhbz#991065 - Rebase SSSD to 1.11.0- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 - Resolves: rhbz#991065- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 - Related: rhbz#991065- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting- Apply several important fixes from upstream 1.10 branch - Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- Remove libcmocka dependency- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA 
password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doesn't carry any older krb5-libs version- Enable hardened build for RHEL7- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: 
Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath instead of mcachepath macro to be consistent with upstream spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. 
- Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. 
The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - 
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the 
IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested target is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Caches to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstream spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on 
commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - 
Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predictable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. 
- Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. 
- Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. 
- Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system 
improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that 
SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update Polish translation for 0.6.0 - Fix long timeout on LDAP operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. 
(Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)/bin/sh/bin/sh/bin/sh cadeuk1.16.4-21.el7_7.11.16.4-21.el7_7.1 org.freedesktop.sssd.infopipe.confsssd-ifp.servicesssd_ifporg.freedesktop.sssd.infopipe.servicesssd-dbus-1.16.4COPYINGsssd-ifp.5.gzsssd-ifp.5.gzsssd-ifp.5.gzsssd-ifp.5.gz/etc/dbus-1/system.d//usr/lib/systemd/system//usr/libexec/sssd//usr/share/dbus-1/system-services//usr/share/licenses//usr/share/licenses/sssd-dbus-1.16.4//usr/share/man/ca/man5//usr/share/man/de/man5//usr/share/man/man5//usr/share/man/uk/man5/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericcpioxz9x86_64-redhat-linux-gnuXML 1.0 document, ASCII textASCII textELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=58d26a992d603366dfe554366352a315816b153d, strippeddirectorytroff or preprocessor input, 
UTF-8 Unicode text (gzip compressed data, from Unix, max compression)troff or preprocessor input, UTF-8 Unicode text, with very long lines (gzip compressed data, from Unix, max compression)troff or preprocessor input, ASCII text (gzip compressed data, from Unix, max compression)/R.R*RRR RR0RRRR R,RR(RRRR R R-RRRRRRR#R&R'R%R R/R R)R$R+R"R!RRRRRRRRR4?7zXZ !X<] crv(vX0Kp` JjZ!4OJUs`y\_:0mkǣ{mZZcwVj ~Fu9MS'\ѹA+W8?ٰee]NG{O [{x!!B8?$@ǵ@W\#\s;2yesJg{\(B9|]dK$AGXPpڒg5>!{/R5^\qx3,dˉD< ,*Zk d74,NL0JPdタ3/prAxV։5d s/Pht+4qG63m5V=h $b1U f!e5X?8ry71nF)|zr@Zv7hb<ॽ>0ԙr0P"W$=C%ϝ>oDaS>Şly  {\JI]YQyOqFzAEY:끚#T|ilw!|=ek!}$^!!?2c O!U"&{k4֮/+@zAɳ8?LW5($Oީ=M~U ٳj!szEЊyGb/A˩f+xoB'ЊW;%ㇲ?e:RI14p@W 0$E#NLslPt5pi/bbc9%"w @̟=ط*x|CSR9~aYԩlۥ7M-(% fӥDO1s]8M/t0s:#N`@F,JYC#q2:OiRDž+8~k*p[bͱyTB7r`LN4_iͶL0؇!71!4q{eW8T/R_=a1P7{3!7 3%|~WQa+sR8)dWVȢ [|f Ix矟|j J/r̼c~n&}M e ]>hz Yr6nӑ,Β&9bkܱ@#rW6/ Ϊ[cn(e,0f%iv#DQWfW@h( [2<ǻoP;%p$in vNr S$~|J&%oBڷLڶϻO;}c]!-g>snpY<Ҭzˉfe h MC1 FK(E3C5 ?t /*"*gOc8#De驐3K&€DOU\FRALw QA}IG^?R0Ȇ`\ l9,ZtvBfg8OY-q>8{jWd\+aqvOlZ4Ż7 pYMQ G 9f hPM5uFbe TCcݲ`ur}HM=^co6$o]BmkGxU5~@\ʅH̀ʯ4>iLY_D3.;NS/T‘>f?;yU$r>'"N<C4dl턖p7Jel~0kE  꿼S;N~uH^41;p!Sh5,>0h,Z]d ^<&=B 1 xl5=IBdfm-XVXT$ ၍#!EE&V(8X>SJӌ@6HHld+;@h(- }-aav Waݧ50%$&*u#,ʺq Ͷ6G]bz]_LҀڂy}K3#3vYBD8@`d|/DTǒh ͠4nX+_6f#g)iiy1ea(4FRsgV%A]FwQ@ΡfPCZNnCqYkkY@> WX5G,\rzSLaQJVL9L²km9 _֬chH2:[s/v:@HDKjyvsYw3p89W6'BH~PepH@;FFʫ-nkw#-)DkzMa2k! 
&e)%[rWHT'8ϔX"y., -T+^ΖM_6LR!~s[]<0<pX 8υR ![M?qt\iV,Lj=`_ow*z4FӿTZS uW1u?hӎ !MRwzn6yi&:sb_ۯpAʞ?b iVraԳ"1]b.e=] G<ξKnMkHC澯JU#yU )!7ofcֽPJ| ; b74gȱ4f»5Un@$ۈzu.b>GDS@)`Gi D~y@/ܮ(n^vx 9'#kNMBd ^?/Lpmdg.ACq=H"`H̝{ߺt9昀M{W=~4ҸQ UI"coAE8 y\5T-XJf j)6baWK$FPBߏ L[%UG 8\{:M } Sn5ϓR\z"Zij=)6rlnGO O.\&o?|%5)h]Lrٟ-?ciEhJrjxT:i{(yxiòZ4b#=r`eӫ&C>b:TmD@ p}H7ف^г7lUrՓO`"69W@e,i_Uɤmz?r8tge*$ B9g OPR,c`v!g/xLy=L>0NhIPɕ8ăC̅{A,nṙ0J.ΙAic'ӉCPt%\@ZƀKQ²WR :;9^Z7 ~;ymGeAnG~IH}c;ot fq*gKnNu* l Ӊh2]zs!Oș߶;nG!K{Bʔ2uFx`Y F1K) ½~wk+gSĴ ӊ~O1+u(j&0 )ow«|MVvG%A/@k>hϫbӖ.H$^+p:1R|Zq52nfvQ:e`gxIwa oqJQ'W+N(klH R]J-_G4םVmul#h H@2 H=U-T0M^r0N >\oo&K(cUw |ˈuki4v*2P<'f =5 O]kq餦[ab[gTOyɫF0({ɑP_+c]Ї)reRŝ|Iwd߅![BF**Z:e9i 4iS_UIx0Ũ :z%+PR+|j:0|KVѓ߂}IORk@U+0KjO.RMS[^m}?'5ğ0~&㨼 ?U:MalʖXV5D`]:A}f?B`b3EZb֩q~Wע{g %D iiw=m$:ʘ2zD  k :ƫh ߳L xܕASY~`pF&K30*o!( 9gNiW[]5Y(ׂx<8幭r?ȯ.M7N]f=*ś]fBu 8K"|$ѨB|:= `ۅ3' ZW{j6Hxo55.߹%j0lx=N!xqU)Sf#d K9wXyb==;d6#}1H*~(^}^ǭ/ bm~cTE ^FJYNm%fHL 댔\FMxY \2m1/D/pJ\LTrs_2lB0Wk %rR"?--7'CߖȼY8rLHX|z2i(J'dEQ쵈4Hu5N~1Ğ#>6hLWGUe{217r?1KĞt-vҔ-#-wk!vv~ȩ.aM&r\WRx1~+Y~X!:@ԁ[5$GR햘tw;o}4q=u.K0PVmеq'ɲNE'} '{,*9Knz\ $3 t|%5"6 w n?L1q/ O0jrd}>l?+gWbW#—7j;n)i . `f"fhNe<ߞκY5L(YVхI({5*BSAv-8325OwӂI3R $W#pt1Z MG-o6š8 #?]}LHrdV3BUe&ui?VZxeTN{u4aUSBx`sƉ9?xx/S-Y2# UтU:q(Rp3:5C!o(@Ɲ!H&HXúĢqDc|M()Ro1dx_zLnX1a1#GWRUYދ6뻃0 PXk;n_O{]1$1Y!An ~ `c=bA~ٝ3ˌKȂFs ?ۗY٩EEd% -FKֲhn_((&P9//cOUj G_9omTs'턲m[RN1:(;fN}R?U5Pd}8~]dkjZ&Jj{30Gu! 
7dHqUPbw,9ף3H%[!fd7+rO)G'Jk$5Sn:'-6hGm!>XQ^PЯʙ3sH2OKrq-ٔtᜦ[$q>VQ"R;I+xUJ#몋eBV^364BXyv8vO0fzHE ET[4i1t^ncms$ +i#֌>Fi7ZXy qn1(V^{X@6{?ATGfdԏ 9})6FR<wC}[Ne\Ȳ<v#˕G%2Xh-*kU2k (YަH﹆k k)V.K,NL sWD(99\TNؐS9@WI7gۿq$E1+ q@υ򞳯*DцV ~U<xw5?&>Pwgj5l.;PaJN - mG'7iR& -F2UwZH?='EY?d3Y**= |OQ] x/vƉ9yd!?`c9Dp]nO[3 .GHj?UG4)*$,39a#z7aj?b^6`^Gط:EAx9}lv>( (UN]o btqIlF£q?֗GJbt -i,u("Ѯf[ڤU?jvkan7ש08ehRҜ ܘ+7'$D|*kpc7'ʫ̞nzx7,,T31Lm~M{Tn屯1`ɝ2c*;BIgd U J*8i֝!mW >Zn4SJLk1hU;B)(͡C-Q&Cu\;9@K.Aq,k :e8;*& \ZsKl-q\_T < j`LP~::zb@$g-tVeX;$[ؤCΛѶ4E49+!k`Q7į"Y]*osgÑiB4/Q%L?C*Qe MǓt& nmKQ#3 .`qn*ĝ0ɟSiD87)|-ѫ}ЭY[~蒉׍[w]EH1NAzwZku?WD聵 (?;dU}!aCCJm~' \毫Ldk+vyEr:]Ad[dD'GB% C_zNNe`NHt7ܗCQ AIBYC{)Y4QIXB2支T,M V njk؍7\)?Q `i{vdD?:__9ש2 D#(2mEpml*BjYO/a 27Q@"n p1EbhZ,HtmtHIdC W zmʣËMM%jnp)>|3Hi,8̴83v=<Pw8,. =Y^bݚ#^4 G%,V {G DWGc ":ڀ]rּʻq _ 3umf=NDwV`"W< DSAteHWI]?՚,~0厤ٗڔ_g{EHݦlGZpJ'_^qS3ȑP5hG"qs2[enwݘ X1j!RcBg(FBE!@@^ql6CX?,3 Π}=P` ǥ8pI>z)4\w,Y3˙GSAϑ~ aa y4NP" Fc/iMܜBc[B@7[W|@f: gׂBxNW8856F/c05ׄHe>d20"kچ&p@eQ&MN`y` ɓlKJ 풔W2G*%vMKLQ|\PCui!I%Vq c|~㷦+ddhR~!߫$d&:E$)|auݪ]Ayyp_`iڲq8~r7kClJ~EOܣzC_S;wWk=\jwC1cѬ>%LJ25,륪<].Ё pbLX'lCG|nAO O"!+Fރ f:<9žfvꎠ8y Oya];6K7ׁND~.24a?-7u*ڨ:ym9.ޟROvh`T^N%yt Dy>lˏ3*Ҽ'['qu>@x>L;pٞ ~L$KGxz&XŽFRu:XࡗjY\VWqK?׶T^XU{.kivXÀ)g7 zrƘ.k5,ˠ>Cx<> vʲ5!j[=9x૕dALzH˯=9_r` ]NwXU^ Nx̒vi0nh^JK%IAM}T-Ls ߹RRM🵩 )Rs܇WYeXmYX"%hfm+"#r#sΜ=8Ȭ4{|evkHXxmpd%R }QfQ8e r#Ҳm:XPV Bxj_oC:V em\5nbw^ZY*K8~I+Jk?[v1,9#3˴6gyK '71 Kehі= .ikSmѼPƜ9çJ /Ciݪ9mֆVEG" Q4ɧAFFHҚ-u0h6gGEY|Ok\1RmEeoFRNG 'L9a2xΆ=mo81FI2J7!/FLAΰeRFD)Tn1z_ sYB^p#uT8l#[ &;V?Igw7h%[ޟFߊ&o`4 fvwZZe XEgs2virf8:"/@utۅm`u94j3X ͢S^JPn 3JDȃ}3aHCB?WЏre{w |'y}W{TXpfH=W7=LQPJ @s ~^T~ӄPwO3ϑ/[X|OgKO#~ <5HLXnkԺkl }*UO*QǹYD]r "tOTJ`$nQbF`ܹbvDtM<T b*7_-7NkYa Z<֮t2Fȋ> hjYy/sů &D4\W"%C{T:NG{DHUI؀#h*'ZNzd+rp@}+8#< Ds^sN  $&ߌ: q+f;Xs 8&o(POQT8,GwN`'/ qD9ms{7iITw Ini^e--1t:x׸2 3 jfIsHw;o}Dr :ݡҹ$ JЃl 4w}YQ}0wR̹?c0j0\zׁ`/vv%"K_EJ1eD t=}ۆJR&ԉИ @ 1ڍD!Ӌ,@Yje0zb\5ϩNSɚ_#֗l޵QC$K*Zg5FF)xFNo*NcC\0) ?#;|q9e8*;g ʣd㚐]q]T5ac2 s:Z9ٸ-6hFqSXEz*t /uɂV=QEMJVJ2 
r$hvI:Ĉ]Kbtuh/nJRr7dž\erh!5w/PˆWZRl{UWPIAH DM;_63ET p;Q 툚nMnZ=a^#+ޯtQkUջu@%ƄN1ρ2iCVsE}}o7A` m$ZI: c5K0e;4 PRuk-׭ob oyJB{ZkoO/ȷH@`l̩hd|Q. NkydҢ?}E>Z/#M(ѓ5aGbQ bm.mj օ)@ 1(ۯnK2YI9#-2(]b39^X->a9k_t3䜇EBbЬ,`!.=4~u^y-c^ZݡЦԿ>IK÷͊F TH~F3$ &kXqم S:ӮE4}ިKf?`9b/ ;̢.~9vi"@m~OB5HdsI8H {*=)' ɶ6j>%YC[2jm챾 le ш7Q4Ɇ`"䕔m j;]!qYְ[7e$s񧡧c@&(n?2 /2v n|?&,aD`!9Mr+B0ڣAcl`(nWtn^p+uгVT_[,? GL30rL-g6̠۝vֻ6[g1~k<%ˋ~LqniuX٩_4ҧX^wP)zjHW^]P\Wk0^c?I8ޫX tE*\{1=zd')`d^֌p^^H vGA+ ${&$ yQtZdhPѰk*F#f |g{DGpXg(CLߧSA8^/m3< qel\1GoK;}F%4l QEo]3 Mb x8O4C+m#4 qK ~~Gj"scn 9?Y}vxEӪ"oarEN( *W(Ɓ #’w蕌118lFZfV{#Ks3:"pB*8`vG#qJja mh~yIJjE8T`hio "DX rA6Gf磽9'e[ Cyп&8C^tt/Sr=ep&ˑMϿ0y+w }R =󯻖EPkD'?jz ۂy 2qwE]8u v`9faW xg>k~R$d),G͇%5^* Ve1!x !".tͬ®U{7$$5LMhdMz9,i \\#ϡ-6@V $?D,PZ,7:AH^ll>wW.n{BU;").< LJL4EwmNYuNX^h ?S4WRoUJCai>C&;s\#B#S0axU'iv*Rpj"|y;{7'<5b+]\ PD٫,t{=jfuW)+f)w{v%p8q o0:|cÕwiAD(sQS)MTFh uA2T`E$^՗T/!^:{mPT"!B#U#.isniZdԋj1qJMm~C;SK'IWqLQV^GuYe{X0'BWs9ST|j-OҦǚj)'^S.(E `ЪtMB'pM)_7?U1HS5=c!']s50\0nm}my'}Ă& T$+/<@ˢm] :@J7OEuyZϕd\k=Ȕ6+,5CVF#OS{k|VlQ_l䕁C Q< 1>u]bbvfsBLx˕?{!m>˳GsiE{nz'RۻӬrR VIߖaYk.޸b]=7*1USBDz;-lV;Gs ?wLlz%*$>X׋/+' ڦڭ :mhGB`ש35j]fRy*8i@D.!aN#ޘ~ y?e]shKGљaBOg3ף]nIKRkҝ16miI0RgqnUV]lXlIGq5rZ0Rez8~ eЍe/#(mCeU3?YY<)0iP =3Xca<\'l E% Ӌqcl. fp3Q =-@H=!-OGF [V@ECƳ+ giwO\񼛤\2* XhREl;r"as\֚6f"gy0v;^døl~QT5TVO}R ϲc;ϒXG]_?9Q7dۃjf8OX[^zrF+ )rx-. &4gwۑSЪ1H9ۢ B&r%):6-ȵE[ZT8\``h [|H[(,=xrJOԣ:%K 4gqݵ~~/ O$_MCbNF@ah˝ot:P[5rFb$Y/fTIM_GqKJ~JN;[_u?̜tzKE%嵪ZtF=nBy2饰uL0`L驣EI"Egm1i%Xg3St~%>Y GrN ^CBq'ǔj9c D~2Yڸ!Q<sOC!-9lCh}nc3A8; o z:]>2B.sWJ#&QV:(,ûF7s_}61,oɴQ*υ#G(8|#*H:$d]r 8#n 1jrލ\}ӷ"d~[P1T(ϩ'F;>;] He)|}_oj7{dg9cT1M04^j/}sS|{/aNm'+JĮ1Կu3#}EV d3@1D9~Z%5kZڒKf^-+jfy򔎛+֐UXt-NWFw cC_,m^XUhk3i- I uO! 
кy#!4 Ȳ)[뙘C@.,פ [ ۚSlf4<=ClqzyĒ#4$(hl0bxp*e e$ *k 垁HeEc z`/cm'րtB ~-d!Y i@_Hg&=fsY}u.!ԅS[sNaDLA\{Հm` `8bv9&[^K&y }ztɡE0nX/Hᔏ|fѰs|]ʥtۋmL>bkg,d,02j{(* @)>3mP]iQI}YIZadO^{̇d\7[MA٘*cpz'yPU> E8DQS0x9K "I3 mj.-Q,b2B ݁<ÎG !W 1F*]o eX {}`Nj65"(lB9$ OKA; |_w8^N0?TnIĉ5_ db`˂_FYq%VߐOǣf0X*nEϱ)ټs(Ұ~zD鰊T"WIgԩUT,JAʮyrfqծVukޟ5P{;The+=$mk.ò'n4uYnFKE#D͏`t]&Ņ@Є0݃^~Cݭ`CkI)EH*sϛG:ډkʁRy"֞I!p"!"a}qX>N}CSjPX̓6a? {嶡>Uک;_*`q>Db$޳M݋lyei9_rTyTnY3LpN\қƪg)w 2Ҵh`A|xJ6ibG?|g jr?:=X;~2Ϙ!ט]y;1@aݱݲiK-P e/h젊g_"Rrayͪp f ?x_vYDC#k ֽW]\ڲ")v}yxUUƷ:_Q,!6s%cf9k0vvxЗcHO7Srs@KL*w9dYB䟙7^L &y8.{SSbVՍ"A~A[Y3 WaKQ׿rہD)$EMA58 7>4qDtL3c %_Y 㖽%-(o y"Ϙ=7K˺ _umT\6m50?.ZPBRWVIL+~E .`tt뎴v&DaAXC,H;k:]P'1V m` :.$;*q0E)V)*\*FŻ}3 Vv#S=9{m(n~M,'2GؓÃ9'r,׹N޹K MO"V]ʨu#xq"-v/|? t 0s M* aX)ou7hgn*)%I q{90<ɥ-Ce_v'D hB2#7䕎5- %~xNsd#at,r*1. J BfM|e=^^=ul5PfUm X> &X՞iO=Y9f-Qz]!qmfywXe: B!ENe1ǻ h( 7fk2$/gZs-DHși:ٟN/z]["}9Ɛݢ4pWϽd]tל4hvu5Yl6iBF 򏶏#O9f\y|ZqSV>:dω(}#- &mTo|<Ku4etڰv}b;H Jtٺ|1lgv()kҦ{AC[ Q˾4vo!ԓ8''$a*'O> ƒ]jS<6{JOӍJ`0\Cx0t'ͅe.x"7R}oN졍0vatҍx~gN|!OnaY~rӏ?ՉYlH(,}/G3#F&XX?Pρ# $ Yua\"#'F:qn/گo?CS0]/<>e~Go4;v?^G2?CեLT^J!+ߖ쨝)cP $ &k!nW\}x4Ju;.b͡eNRŽBB F`,:hҒiJaP>}qV^n^hc *!=ڭ7 )Y!oP6J'8AwG] `eãiwގ=?ʽνcdu`if g =U]eFܫF˂P){G@o~|6kJפS+l!G兇kjQJꐴ :Y ~u0@H<&PpBylٙ}mqFaLj=.NンIU>jn지2pCΥC77B pKVӉtCoP~/?Ey"q};KUNJJ7-,T G 8 nu^7::n˟4+oR ͞!ʧ#ƯI)Dt3pV]-3;g0rR"audf+(6& 8H R[BHi8@0RllvP ې\mAөjAQ.Mzï6 vBީ"|5*llD٦G܁G+nLm8/ #v# B~uA߿C9us_΃kRi\֔6l[яA񅿹mYv0ƝRTWAzY)|I{/K5m@ Krֆ:`2G{X0H@IsU% pI1"PJ}ll S"Wްc D#Jl{8KI_36znPfݘ?hmG%>Ɇ3@BgtEzbuФB~ ֬jSA_Iݍk_ѡr<|ʫߏM /2Év`5TJ`PZ gq0Biڽӝz^ 7cs8?BG7>DR:2N~5ԹQntVn;3쮦Yc-pP˪ԝeZr qT(]WI UMIEdK|D6-`+_"Tm/!l7"swycT-;/n9oRѯ$tÊ\0r}SN,7ҍw[Zu99YO~Sd/z]iBX(0m!v=9}t!GO;7H u} ;C5v.<+2xKejpOY}Qluh\ >ڻIfJVV]iD؞Xm>6c px^z-ޘ k tqX9ib &֨ \&fk{;}-kŴY ŒLSONUUBPW/;m:Sr4KH!!Njz`>Zl,xGοSZ=S^ T!˚}R͙{[n!D{wf?|PvXYVf%LH*`w7LqL\ Pv^E(/ h"d5hvo$hH n4q[v Uui5#9s4`, &-DN:BfCSŞUFI9Q(F{(Ug7sgP%޸ͥ(|$T Brz';⫷3̉"19*a Ut_}_c}s-e[VHG鴑s <;h,仴:6ՙ_1ɕf1Ђlt@؅1n\_8zWV{ -^sݹ}kj@{RܓSg_+uܔʪ*ʕ-4t-q~umOHEIW}7#[!7UbsçuM ]O~g1As$+}"{E/UBY\ 
jL+cdళ(4AԱDoK\,틨D\Bҝ, *D d͡䃺R:5K9뉳MJ:6DޙPIoƿR&c~[ږ99>4&S}w5}Wr{}'7ә^m[O #3͍er,uŵN?KIʹ"4.U`Ҳa$I}-wXJ~TP4a \8dCc9:堆w0@ϻŪu3OS԰CT͡!tMOP(P#>{1LD_8܁ T ދdOs唫 Pҹt]EQ{7KiiaL2%d챖bB;w =GDrzV_joŁG %_ő$G_܅$Z46LCC-!==G?T'x=Z$M:?=X jU8I5O?t)DZ; IHe$OePΰ0]LH .sэw )k+Ԭd aWAWH~hcd7w$J'׭N.>"q,vKF$@7A_CO0_|5:;c9AI!19h> 6K:ۊumx?k?NU[աzjpMƧ8 =﬊ЕDW|rܫ Fb[tLRVN5Gg]ДO/u`;7&u}SV ߊ 9ʥNƣe g]ەma'^>'>Hx?d+d+-MւZ1j}a<佡Vbf6'9 kJQ#Om:.oT-!CY8q*-LI0+΁~i 43SuPЯunA!9 $*H`hXt/ xI\&J z[<(Cj[*Rdx}CI]H ==ތ N?NPe.2>//>{a{v| cGB`f-9̤2Ym#ド 'n5EBv*d ߢB{X\6F3ǹi_Aش8񝜡Zs!L(+q^ 9aZtNʷ*Q2dۏ$yFq۩3Uod(7:/bl4~+Gki\H 94cE23*zv7skX@7_I7 { +gZ{9\!aI_kTJ7[w p,IjdȒ^a`p W>h{mKa0XI8UR5fHPbLizWхy#xyƒG.2 u&qM ClH` Pm)7pZVjZMKJPIF%u{Z}lQ aH{݅)˜1Yu Τ|82^U* BNH;h)].RV$r<<;\Tlf,nEŠ2(X|LaL(ؒyx]&ks|4ɯ#W2ڔ)E-rP@'_ޠ c!++mZv ܦ]?7ϴjВ;cvW^RA ÏplL>-klbmjҬN$Vo;\iI)yp [W6!Z6=OlPωn,#=Y:뎯ٸT]ʚINoS[H?9n!`糅φY\9 _v05~xp9ʄ陠߿*b;muou"bl>܍/lyk3}IK^]\Bt1nrf߼cl?SFf93Ȟux2m7ѱڢ@>dIgɎ൝7rm& >M^1P;iDQ|pwsƚZEx'$0 a}ONc‘9]_ .wmSD.|fRQ(pLbƠ#^39k5Ei2<љ׋RvbZ :!T|) O(_N'i؞ϼuGAlʿ4/x1, 6. 
9zOá¢Zj9q`&dh+qg HS/(ŧ9det]%\`>#K !]4aF(zda¥wi$1}I"A a=[O&#$e*U86'sskc|{'MA#/3O gmَ'Ť}y;xvdzvT" 7jhJxT4~tNCE%6SX&;=k0 ?ށjq"Ş+7@VE9qWw]CU ^a#"bWi"3 arY b,.ePWSېQM `N,K,H&j6w\fE*.t^">ǞvE[gKǻtՍ*yre6mp^ZTaVuMbd1V$gAxy>k+> weE?X7) ޜ|:~)6@emkֺU"|x qx5r9>s;KРБ^vY5pVǚ]n K&֑o x!9fj9wG~J@z8c W+$n u}m[`3wđ^~T48JΝ ¹- 43x4vLn<K=ϵj8ħ-;/h s'Y@_k`$%w &[t *X[?=6!B̞rh>ò fE*=-xFz<`߆:ݩUI N72kANk4)$Ţ jj\0IsyxFY@wV"9$̡gԶg'\Rᵠ>q dkòw!O,uBssL1w]J ι2|A&db5FL2EC,8ո8Š⽇%}^BV3LSV}5Jͬd<75Y B1ǖ#FdHZw$KFQ\[ mzw'Og,\S Cʁ} ^C.+Sg}/(ry1Ȋ STYrm?N|BΚhmYq ڿ: 4Q=v4*‰e4Tcb[p7Xϗơ"6hwZ-U5_Vh ^7st^;x eȔ,֛2,<ϵָ>a}:^ HZ.V#ptK>-HX~MzNs&*I]oŤG@ۯ@=*/utE\j,yzd9;HVZ2} HFfD-*AQk ѫWNCժtRN)cCwz2-6 '8 G%CCK 4I^YGe\IȤ whY?}tEL1P\3[iKX"zg!xe.Jvܕ8h V྆U8rf}7٨3G(ZNmb<{hwT*%"1RKUT(Tq}:Od,e^`/d/N9>$jBw<~nW*f"BqJڊܹVބDo::+MȒU3L[ԐmnnaOh1IѠܔpt˙U4:ku%rMք8"SPcU֗{5 y+Q9.NhGs>:E܆mn)<67=j0/u[}}CO-eO 1e@ G[[}m=, F>OQvR18`!iR R8{†7jTJ2G !ɗd'Z^-&p''g5$n85 (GHN\qw㇯( /rWTdX`:3c׼M^?ߘjHCDqIvͿ΅'z%D8Y#MhLϚ[ο$"F'"@%@:q$ &qFA͝X7DBa`> 'ri$%d+Is ͢wߠHj-aU//HM&/_ڔq)F_!H2z`c^3X )r@`'})Ree#Á%[_L+k2Wf9EiȭB5֪Rwp HxSI[=8T\@cIarT>|Br =LoI L23xv%ˉ<1 { V{ײHn! ' tq!pY-n "Toky+]ba.+IBn<ˑRJP!={Ч3EvY cAuIȬPT1Ls#KH*N׉,m)#U$HI"m ˬ #V&SO.[2F ?o׉KSF ):h( (z0((&<4#Nab1VQvr0Ո>ݶm6d^QKvc;I'D9 /8,TLvÞWg5 -XmtZZOcw\߈3l!V) 9=c\l 8Ò.ߍ~Y~݈0 v5xLl}<8eQF1vm^N/ \NЀ9O)bտJHylG0;֞ w4H%&Pj/;QOd_MA] 1LNjtg0Q$X'cw89;=pCVj5+g篸S,z_L Dn6&Í괔N  hy`2@fhJ(\~N ;R3d#[vŮXҳ\Ёs7nX5~bjqVbUr`bsFr$cxR” \NfQ'tLu;LΉ}^cbØFHnݵe?@ %ۄu)]_ߧE2)P)˽7 bFcvYZ­ Tʨ//VPQRڟP',VeMt%OB 4N9@#SIj`8SUq7a .WEmѸhQ_^g#:BE.kMav}l؏& 3Pp^b(mCp% 1UemQgΦw0G\1]Ӧ);ٸP@j_S i^*—4QԪ*]xZO`t/:J1@ϔhI]/YX*p?=MZ650vlA{c7cnK@H ٗc|Gf>m3ú5ʧ-=w9I.^Q._lq|n9'\bLcB+{i.<ūGOB Gcujnv[|VRQ %3pǒ]L#+0XgK+,!?h LaFpCxA,ȉu(ʵggRJf;l-ve/5Ǡz`3kTϤ6c:⒦VU;5&.z`cz55pztif,g ݜ~`"\*9_ ^gQ&1\V_5 4{sӒ5|5FU"%J6|]N346< u}A88{+!,[A_"w?)M.G>h \D3bˏ~ gKoޒEAr^zØwtb#$p s,ѭ"mMP M wޡ2+ Yj6kRU/;)ƒ:4ӼOC/>~ƾݛ|&,jFX@BƟx j{D=k[2s*쓡r]ŷc3sZh.،G5T1GMS^  xVсq_'gK^,5%ae,+Nj36-1mEËUoq!D"UWMtit7F}v#h/&)Cs 1_/ۦ7X 1е=y?N"KCka! 
=qj:+<Ā&Qx;E͡k5KqAB&Ak“ g Ϳub*#`ϧHGv;\mAKSKж@ <SCSDaP@檘6&Z+}š¡V 5s q̄xy7VMAO4'Ʃ9$ zc]iλݫoH0i޾eRtv/j)x(Y$]3=WrHءOTLa'F `K ,oW;3,Ho)uצ= "G9y8dFC$G7Y4*]z96lkhBl#QFbb%1]6Y7 2TH. H;UeV*Qn0=&Rvt02pg,SͯZ#e NxOlxR=|6pVM&"2ﮭ(eQ3&O[bz/ҟƹ9mz9p! G;${1MKF 3]UqڬstxÀHL@' g "I^H?@@b~C]2"+wE~&/jaIPM~Yan(Z\-C ͱ>"@lk]< >7M9GS5 H3"7ll+w϶]%?18L\d$Bf}/D^gC @HhVwqDr6Q^4%$'rS(ͯ-h0!wS zYYU1B[HҬhcDsfş2m*p^bߠV%CV&D5G%<Ѕp#l>]heW8X䚖Fȟ3jk|! !-+[$h&y~rha\^X /ag] \~E:S^G/rCܽ-ipI|s`cr܎+ Eی?*| %C@.|48Rnco1Iנ8? j@Ro=H 3h L}dh(G ku&X,ןd3tF`Y \<x^~rW1wph'+RJ/2an^(pic^֙% (s.Dg780$gHy1!J9d]vr_۾۩1s9=%.lCF1C-r  IB }rDYlKޯ% Fn:BswĊo>pOpǀ)lOh]+/IҨ6c Ɛ(AtPLbZkv_gyPS&כI=uz|Rߓ3P>DŽ'}.X?w[`TU)Sr9L=ݠn:a,ז=:'9~$Xf1eT3?gY"@o^ P4Pwܝ:Z鋈~%q"ؙ/iYv6+A* mlFJΟ"S6[PvPs֮U9R:sǯA sto%Jt3D#h\5a|ƮԪy-t4ZJbq@B@zlX\ݟ*P5}:idhhE}=긾ƵXݨT٘ҎM+Zp:RRyUq"Ԁ5 *x"QVK=C/K0,}‹Xya#@9D)z՞wi,* WC$&uB h>q9fvY0f b|.sf8jøn6" +A$ ܥ9ʰb&>G3m\=Тfp-9!R;3UD}Њ;TxC XR8yZS??Eq MQQWk$"z738î,]evOf s-2aV ޿sQa"Mr\7|jDYE=jRFʣi&XJ+ Fܱ4 A?{,],vXblͱuܤ*')0´&C>Pjy͓vOk3z'53u} 7gc0؏hy=C=1]Mυ5LE WG#gL{C4 H8~#:bZ]Rʥ V(%r1]I2x LG3BxDeZjM QۄW< `(XoC5?<*j&T)Fvm y_)q3Bf1q/b6 nH8jjބoCnX+2Z1ϤԾUv΄DgJsCӡ {X*YCoA[??i웲z:^rce 2@ R3z0r%˗m,gQ8"Jnun)`7J$ssTاKXG>+ϩo1+r\jȿ |O )KFS7 { q,uzC6$RӏsX<Cpp`7:#|;Ǟuܒ_ W [-YU"nNF)o.yI2;8g!Tk>A6k[i7} Lp>hAjm)٘—:"Zė+~fUBVx:hgς2kQ%iGo㸠 t^o\ySH>?Ȣ 6O؝ [b{AQ=XHGbdՙZwUx%OvuVZ3*̜;[NfvҐg!@O#r$'ŗxRo'O<$ڥ'iI@a'cP0w5^r~.F $%Aݎ؜l[DVx ͹c; V'RPz4OF4nsG{ (B%>sGx!"Fw<Ԗ[\(inMsvׂ,mc7', L.@nT~1:/duE &YbX;ablA2j1Bt\ű _T6{b^0?}7hzYw&P o /NYk1-s`Mq7>KxIW-'y]  DO^iO+4]3T4*#Qwa? @<:kasi&wkLjq2 ąM6qN">d>؊_Dy$5(n o|C(kJNԖw!E49o~L4^E"j;<݊?8y_%?c,'7^H )K֗? KDZ4kzn#(™ژZzj"an} *a_KUeu-3W QwM[Pp3]JsզVn\,5QX ?I"Iz. 
r!~H9 ?d321^)Ƭr]lf<Q/׶CFH̠grc )6ܵm0DᏕw[[tU:Lgohd{/ 7]y!5)v DSdi)BUvd׾p\'t#'ª=ֱRX'st=R鰰gpˠٌ,3iՀa] ȑ\.@n}ǭ$rܺiUݩ٠;P6R(K3_KuJ}?rˍ_tbĵީѡ%{+¹ ?1N#<3Ƥ C"'G䣿STZ5QRS|>0ye`5zGfF{q1㇕,п٩*DĂe7؜Z:?&^'cM!R56+U?z|D۶,<¼k-|KN!7z''S&q݋NK}yx@Ivu:`zc9yN1W;I0|Pu4O;zEownUWYKk_&tWFeu =ȥ# ~SΰO8c-wP '~lWds}YqȅpYhnd Q'>\`KS/b]+IZ&^~}"Gt{/kHͪCS0'3 = Ga9.@'_}e3nr8%ZdiEm4yD 8Р3ŦYKJs z-p;TI՜BBҠ7WᵽGS34?{Gb*"i9G`xA.;c6<"V@9^;v7.ˤ;ލQ!UGuX]:J=Oj*hnJf퐚#$W%>6eQKԿssrXy%=U*u_ri$7Dj~H\Tbx@I*Dtˬb,zZ}smT(ydԝ܎h;7\ia|} wA{ѩCIIZ& z@YqR=K/`Nw.èN{6IT_m+\2 Lȷ,Xm db*.#?cXC^.Jx,:XIH#Nx$?yi ,lnF5lU&5I^{y ?'OAŽݎnWz_ocS^' J[u*ͱWlzv7$6R=Baf^(SAbWQr- f)(z@ڡ(_ay0._ISrHUk clcstD>kwe +Cs҈,a(}JWE6 Ba0b/"d:/3櫓 I}zOxYtOɤE ÃypaZ@(A{f;W/_C퓖_bN uaP~H'^䨛g" j M1wS+{(r' p/s@VD0[A)`,B|@$.T1qaA&3TIvV)k\ V S ;N?t62-Y~ZQ0'ъ1W6QLnbɻsjB]'H j2LNMR:l钊R>z"̓cƇhnՙ.+6> %-sBN Sy0)@+. EtkGb|!HRw:~ƧOMv30:Y ڍP7\==u5-mSZmB~$Q0Țzꊴ>ʉ=vݝ!O""al" WAbqېdG7RbK84P<jP'{L1a k(9KjSqnOЙ[O CcFEO>>n4D0L0,隣Lߠ ,ül?  ")u79_ hSv{ʄ6Y(OtRcDҊ꠆ˍ͕9bh@!I`q|sq!#BZ՞/''y\-M&qWxކ_?sH b`zY7wp#OH1Fo{FO1@*48;/׏y.*hLUoYC7.8a5*"UFDULC~ƌ*J}BT!@%71y>؃d(z!P AI=Yh_xBj-62`)iwNS,X*L M2_6.9ga=~F<ן":N ?l|ξI qyj' 'sX8CÁ>ĐAY^%j)&}F>d8(t6E@Oyt>d'_Q]yW89MF;cJV">kȄrվPXva!j`31GZ'o}.zԋI)wh5QFNڔNi1t"=! 
ˈvh] U*gu[VR]99+_3L|`FߠbZ{sOdtwš8u7b.yPj]-, ßTӮcl~-/ڇnNRo*E*Gt,&~L=25j=BعsolR@8p-\L_Ζ*V^(#= 3ABHF~%]؉^.QOwgԩRh`vmRUZ_U9W5 :Y#똭ZGie]|#ÖJ'ZZX6w^,Hf~l!W윭~ˁT*M@ 6J뚝c7cy7 ?hm`j꿈(JzB/>ޝbXz\Ժ삲&|Scz{*H#QD~a0!܊6i2Az"iD%~p!wg%Ä+?׳Vx徔"@=筁w g0X0q=s_]^gBwrH2~sȍ}!o*>PjPUw%T@6*)kMTBӅS\)s1mz@ENa]H#9yn^27t,q 34N%z򱄿@F?z717,s0䷯緳z7rHn8^&tb.RpU6$gQz-F*bĆRЇa/m@Zڴ3bs$TpI:nqnJځ(Mn@&_Qw 9 wZ ^B5aVpǟ[ѐߔ-c}áhK' R}GSK"(pϛSn0ovr;|)Şt^5$ Ph=|ցRϯH6t,\M|7Ʒ.0h*)T"+λJďM/&gRA'= Ѻ'bN{,tv'~ _ijA+\-7ĥA4n nJB`ZIP3)/| W!Z)L;<~=q_LS0tA8"Zfˀ B>u^zSzfuAՊ?C1ž.MU@DDdah3az5FײeW zX}fm[)zy\j:;d뇎E:TG* }*mYA>n`΁vP_N k[؈e#‘G]wJ0$c&s [#%窖52V2x4|2?F2}L KMe"鐸]}X}&WzQ_⃅1'8Zd_W\2˞jUz\|J8Dʶ#wK:/L_F)U8=a6kbahQy6lfLr[Zfĸ~ ztL+pm7F=Xsr (z3B0YC3+l L!ѧp'_-4ȟ\U"8pQUo,}xZ~.~_PJ~B&O 6z K|n'Xg1?6i7WmY\c\$T&aO}։όC{>:xc$03+ˉ4{R7۞kw/V`U{ Yf[01ܑj=*ŋʾ~^GBk@1ݨ1p LYyУSHKI,^>ͤ%Ụq/|ɽIԃ!YDd\: LL`ADWB=j"I7`x @^0+f憬]UzGc/BV>ǒ rʷ9$~ͬckV#d1Y#kzz(I.tgYM|jнUHVyXUOPz->O5֐l^.n)YKV&̈́.ӟk= laT``y$rk_Su 6b[I- )d.GCK׆k#Sxkbd-5.8!\ C\9:'4"*Džk7ZXC> Λu L=zUf'#'H%oiޠFUT=77SW5aiZя %?:l$)]qPtPk4`f5װZ ƚ;9{u݆+CEcpX]ՔVuW[uudkO^ne6w+hIf<[H㕌MG L6,Ia-HaGZDmwqcK5AOŷ}BD@U䜑Rl0:{h@־$[iD#JHK+fv|o=8ˇ.>lwe ?X=ݎ @.[HqX]|E.-đݶX0qjܞ7(-Ve )\gv#Pntq9i+0X/ U^&bM/ 7f&οVH3d⌆/EQڱmtl|"E m ME˥zOPnߪp'FjA7-%6E[_`mB-5=sȔ yT3=gQBTWyރ83(uM҅ph}R/,o)7RoLhqsWk> Bu:;a(Hc*5FىWOTQN\oCZXFmc,qmQ8 =N3G7e2ؓKܲ3=^aaj@u,lσ-sD 'vϔG8 NYܧWZٳ/[/v5b@ܧ4͹Ԇ+(ƯAqyWSh+Yh}ntOq8)cUwְk^4]ݺ)'30EGy$wl"uCQx0x{`T 4R Io YǕ4XTd"6dWII=Dȴp@`ljƕ޶vFb(jx uH3L*NitAed H˚s .܏s[7^R^/$e)P9 |\ UL_ x?zIMVf` QUL-;H_U㓛|?"m iJ3fRk%1yQcRz^Wchd3ag)2W(ΊY|HE@NFp5<ӏ06h ѢETY0>RUܛ3[ ęq6~7B Q®3 Bj9b+ێr۝h+wp,A|(ghGk6::k#f _C3 J 8cK@݅r\2.ʚ*Apqh`#A/=v,Œ8eрjǯ;t] X\:&5L " PytX[L`j{9\GabCU- +dPL-*'5܁¸HU Z〶47>b ֐uU0]d!+ 24+Ķņ'T"(fczaۏWDޘ#&Mv%#3' *;Ci|cλ'@D|)RQKLY)$γ_`ƥ*1h d2 |`΍ zḐd!6bKDN3C8xs84 |;E>uV%;n:Œ,9. 
zj``;b'#`kxp2ftvw{(%J]^HDM"2MO6F{*ܐ܃ dj٤A"[@`uvȮHv"ޞ*iz='˦!{V2) Ѕ;Ѽ/m׸l},ˇԉNy[ )!RyfLb蹤j-6t $Bغ\؂,i5L'=NDGՌ emAeTZ␾q^x>g}]~yqh]U@1Lkz1Sg­_7<= /} ["W7I,`s'IZ q_^d4Whx;?U%,A9UR]+lj`,Ϋ`ybCS^u 77 m+l,rȓ.KRY߅JS) {*0]RpĢ(4d3bLVқ=*vC5JS?R{%A@.g2,*KJsNЪr3~,3z+<:..JLu:{ fJ.Ooꦊ l 1 b?vVѭk168Lq!ș8=T((yz'_5&J"PI?2f%/E2vg#2UT*V!þݶ+wi IQb?Z[37ݖfHu1p;U!`DԿyju2%WNkӟh!GmP':z5h!lkz0.NODZ"HEhjLbz|=XŐ pV&J tnŧq\g+^G ;Mp4mm{Z@n;8!5)ss+ER2o/6L(]r8-֚MYY`flyE)3Ե:f}-08Ъ GUB>`-C{x<4PE0Ys#}bՏ>%q~qxt~~ѦijQ13Yw$T~x!~W4oDeh:Q$g _$4x3ҽDR;y_.~q|R(&\'.!Je*8RqB7ɚj2;XRѦg+җdVV+[qNjfhj̊:ZQ%Og3z LeBfi#{h&n.&hE(ݝ T<;KÛ6}i0xsrP,-.(3H/ 6 (^t%a YոjAܙLX@r7{y$Pc@u*BlqNĮb9AHlO^TZ6F"@Eȴ!ԧsp'F}זpYjYU÷T%|nb bS>ug TUr|x ƹ-\vpHj]X:".dڹ*14IUi]6$x {^5}\Bmf*!@OX]9?<^Y|:܅R~ QDi ,0'SAD$Rd5} #[:$x{[` amMn};K<&@Ekء7~@I;[7B&0 75~7h3?O)(TO-g`StSbUMCt:oތ^+KbH9øٻD:{)A0τS$j_YKЎy3 Of?NzH񼀎[T#h.{ B륫TX;gX)nQi˚iv,}FV0@:U !c)03 dP>͋%:G88WIAM++8MƉ~hz ʥTbGS1%|Wƣl)'wdr[:t0f9)]%BpoEXhz lSS+1z }XpOABQ#F_1q)T-t|%0^A"U8#)[ Y}g- ~0Ss$үfws!ZMH'i2Q_\'ysy]XG5Sx{Ÿ7Z Vy`݁4N,eI״e; z4Avȵ2hR2qj3:ֳ[/BBLӥ85Puy#]19^ir91qSݿ|LE yգ!D}&oYWi6L鸶AE5Qtg4>^qcm dp3Ud5ͥ:^k<QB*3+6Avb9 5Xrq"eφϲW[W]m䪷VN`#)êV8qJuz( K *ט!CviH=x1YzN# N e/Kɭyj64meJ'@ll=SRx]uo-]gb<鹧?]^p²ΚK8?IA(Ww`Xl痂K[+VH/t}҅HSfmM.cj8&P&Җ`{5z"lЎRu;{ά+[T|[&}bl*wR <&5,l?< 4ȎGσ~'ijlYukEpN#C -ɞ ø0x1[>+0i=qudH|{~j DC{OQ-VbV+7x|Mcrjף,:(׏F4to!,*f*,ӹN;)27W7z%Lq' вSEgZ㪌]0yi[W(Vt18V'uMn^=,% ]%m!~x㤄Z4\OPQ 1UC&f4S֥=5J)K_ ZbmXj~&Gۀ/ojጣ#!Xjw*VMW°CvՔ_,݁Yrq>7tx_2/a +8X?Y V B kKK_[hƔR2 HŎﴨfm$9j˸9 _e]/. O/}N0P}:ʹFRF;ݨy!aM;,mHɬuIY1=~+GxR,p^=%Ӥ@qi^ Hl-V ?&C!#xvnU^ ~;СS`V[ lM+6hᣴ NT҇7ݨ^&~K$ZU;}T5fc 1dShZ~#^Sӕgs;[^fj5d#AZ& 92 SAtrviTnH0_,?tגk5|MA?}R}Jjb**?U~ š#Π%`줺 jM7QunԙF'"1LNǔgȵQs}`kgspw`XgN656TfFV`%\I'NG-712<;{s.i !LZFJ%. 
Yk:BB2q$񒇧,IZQUBn9v|[+E~kF}9sIc2L3j//qE\1K5zWevOcρ$Ot%!'ֻF˛aAҟ[cOmѐˆY8{>{_p=́I7D7޽v-z{wQҔ5SJΎ2Ntq{ umP,ʖ hW87UWcZ8"q%.H*Gv>b8>_n~+$ɛlTަ-7j\Kȳɠ_t-wT1-t,'ZVݛSYY/L*6 ցOg=oRY$ İ/F~ʫf֧Oە=0"=Zf])5}m:(2 z\UtO#x6jd;%d g2͍ I@^ "w$0)@lqtǯ;`vlޫ[»INe׾i<P݈]1 p>4~xsz6ѽj( =#Rc][["Vfۍ  4V *5\Vo<%vF\[A*_ 'o1X" /a4e;[:av96=skq\?ԚZ=f?I+9k lfȏhSJ[D ]@vG:; J{~פ ׶<,h.QM+:jN_w>5z'9J;"yj$t[|5,;_~U9oA`)rt8ˑwotL0ҾwFACKݑljHby[Uf 5޷ ~s)gIB?&8"Mse$A]2JԭU3.7}eneej'EE Z`Q7IUw,2r,33(7* ́H'vb17PԖIw(WQչ5'C"5r6($HSfI3~h-ӛpW"r_`t|P濸LuP:ew3E"RD nSGz ԥ-} ĺ | VB܋V(r/ 7daC<NslNדi  E4 |^wJl |]|`lsW,ĔROkڤnò`H1#y)^A5STS0,=3ELup@CH-]8oKA1AZ#۔LB]]qH ȠW&4{"G.qǂ3!MOg8L70)\9?Fd9((HD9K.⋶j#@çsKȎ]Ȱ2#x;8soճ4w\YQ"yt4=胇c]_•pkvnN_Yv;ͬXs(dvQzz-YߑiuȒWVQeorfԎqQJ!Piл *2 Y3  S\nG(۝l6=.eFs90 XMc?f80H=f#~8"Um\Y,Vm+k a.۟F9TYSm W;uY7n⨞bBPuБ~ CW|ZϫyA Q^(Va qLْج% g}'i; !Uj4qM<$I3( 6(9Ow}3h 7|WiG}%hH۹9'2 4/32}h ?`ډ&9Wf͔$A<3籗Miէ,{HqF:id[?O U~<+E% mBXl'%A; [zĮ ~ JdJMǗ7sNia/MGuSFFI \NIsMSv6*|rgd"L!Nlmxk}-%(ՀOl%AZDŽ, <{M.1<YLn| G-Uz-bMV!ː[Mݔ)(MŊr$UL-*j"'K%~lpq>0~].3}NlxW0!'VЖSlz d{ΑJ1<m>ۿb@rR[S$|k(oBF 7Q*ǪmܩIۋ]k@V.Un3oʅ_qR16귕EsDX:CWf>E`ܾVXp9^v(YLy+ '>- 4ߓ%ϓ8/>X蟙њXNH0ubM5DҴoU2?O Q~^x0\)BYsd.?Ơ֙,If_Si䝚oN3 õgWO<'t`1 $/꟩=7IcT=̞:$F)|X5 +6.ʼzG^$"鷐mlC1|L(* \KC_j[aBUk7dE@Q _MNb9; ZC_}G9=["u?p~MBhqcyFJ.|fV0#=S:yWvɁ(!+|0"Pr'7?!(!8S%^|##{ Efۢ^㞞c45KM^)w^8*BX,xzĜQ;$h@G?2Љrb♺k'(#` qxdaSjvHh91?ݞ^ Aqp:MBK`i{ԷxON1mIV)0"/n]]䥻K3ڦhUQ) yML7Tӱ2ϗFD&}Urtknķ$ɣ `2q1$ U*QRcLA=wi*|yZj+ F0凊0Z~?z;TI]rcĻmG]* 4> A̪%TQ 7<{F\U>{eYɉRGYAwg 6?qZ)^ؤCA||/Z'GOJYCQH'Ǥ@1l!U.KEw6PKGsM"R"RPj4Q& 4io o 11o @eez]` wJ!~ev"[ImFpxfDВG)I/INͼ4Z3vi!G *XȈ7oQK.W?Ȱ2, ACvn]!]>hk a(uBڶhEE{2 ]:ԤS7M٦;XˆJ($Ufϰ#xY&$~LF*|DŽX73\ڱ dJygKunj{S՘Q[F]O$ p6㚫+ .Q% _0 t>wc"Vt#QԞ45--f9m~pጙMV>Б hk#~TO~{Db̚7N&sq #S?#oUzAiWKnj1*dm말~tdD> T1m'>˽5#V&t`fI$΁)lT[>Tx#ʙ=iYppZSߵ]I 4GuSѶN'GڦLx7#@'zh (?SX 7 A FYv#+;Gu d"Ƕî9Q܉2h(^E-:{ "-qEPp3v(FGb#'(|rcӞmx aCmCU;G,4A/et;=e/.|hBh-v-3</m: dˆD=Zg{]=+HOa3#:`ownӆ+G]sZ2ss vlQU_q[(ķϋ!?fH^{jǷNʎ ;ʰ_! 
;U5iaq1L9zz7ΪS.;l&0<5R984] A!6 4y=Qy_0[{ EQ>h*`dM+dxvhm/[bO#M: X(m dDf@KfهI` 8?$nQ~[mӺ08^4'py=t+DH\{7p IceIΞɊ 6:M3ۄCkqUBv?ZJ"!\i+R]51O+\JR\ y+0$!!f?g\eZR@0!wvul }s()?Mrw: aXms-fSfWp3b\LzΊd|{U6?SròE xh3T@UZwGi X ~~z7^n%FDrR쓪 %ns}F!D$14 pJVYŎbo2Mobs!MüCPo7 5|Bվ%;DMh_4> 7o}铐m^?X85)' u b"erTY]'ؽ,LK1͗]#|H؍\cUxJ^up.o3P7A#f9_̀T.xڴrY%Hk}cv2'z#w W']|zjy.L+N>JhD C)!L‰[m:y/#pMŝJ!8[lk6moo\*yi[M $H/d]֚U;X~(;9Di5x'N.oGM9[.?e~$WE&U!ӟV ӱicZO *;m =QA !UW4bB/>uп>37eiaN _jz#=-MfvYݓ!8Q.א-S ׵BH؛ES2$" Hq3$DC?9!Og^ zȋ7.tn1zQs93!mh3GX!``wIHтr?=%Rc#i•tm6p⡍lѴTpzy(&J14)ij+$<q,["­ܣ&w2- 4NV V_,96'AeؔNؕ/lbͽf& hK϶,IR?B=ѷҾ8BY)]=jd˘`{{E3k{G;. V hekbX;H,ED?P'-&.)iCkRTa]%J՟WyJEwnd>*I ;|VS&$-|,_Pxwۉ6,kHѨBn"rs&loUn^0@[(n+0-pāl!$}G#I[P$ֶ9!'o ^b0rljFA;Ɨ6tڪ@E,vKT{{~iLU9L tڧ–Ke>rbYHz64Bg;O&HˮƿOYdRnt_O"hTz'shtmAD]{< /5+_! 4XFDŽ0&FaN?O: Qd#"<0Q{0Ȃn9ri?}4QZO|͠ffǹM"nFƴ?3fgĹnjOvԁVNZͿs(gϠ(7ԯkf&|$Ms Τtk] |qȚA:s~ s(PGݓM.2:j~,X"~:pD@cw,dg^o(GA3tl)jnV'Y^/kv$%䉠Ż˓a٥mQGsxണ)<d;Rwbo{RNw&(Òʄf\zZȨ@/ sg͵" {Ra"6~3tAO"jp#_LJ@ҢmGD鵑hyzƞDcft>I lR䡒(EFİ-VqH|;ڐƓFD*wbхq I!:zVVТ,}=N,`iapK`j)G)p,VDM686R݀Su&hxFQ# !.}sG`Y"IS|<욧.ɿ~#Iy/rJU$u3>xjؓ9aSrStw) _XԧeM\  mxVz5ػ;aB3޸TavM4_?Q :mGL5/+ϱ*F5ɀ9f<$ke釿{<ʗ^י6f*X{Gt/wU%LP)4tŲ"Q$h)9̶uf 2+Hi.YfuTŎ )i(X]g#y-4 Rk G>Oxfx8W<7ILjOX%׺]CL1]1%>6O"ŔMB,9XDR>p,ĒeQOFV̚Jn2Zp[qC -Ip w?"eBbzk 1VXTg\1к"M"IRڅ[XN;b6)MK^Jj$ kóN>C]0;@Mʏ"7F066P@C4_ 0WM,ž^Y~Z1oo3ףH ? Xm `0lxKz+U2]v`ApS_,ĎxR>)e">`u4~VO'#/$7Xя`F*dIs خ+JuV|8Mz()DdP~u?X=/o Hs! 1W:q/l)b l!k<=J(&rL OR霮|ِ &R8v9ny .RSE52gڶo2WW(eɭAM~ꫮe@d*G+Ru%ͺ}hD~I#Qj=[l+ c` 4n+ӆhN} 2BIR"'O,siJڛ_ژf؇PкT 0A8HFBmL]i X.rl`*DIۼch4 Wf\uZcYNXG3 /ѱ e]-x H"r/1Q t[nap1e:iO"zIz?so>ŨR& *Eh,,.gkܾmP+ڡpeFb14FV:ʻZsxvrYzy^秹G5b ˨$ {@9QDJ1f6B6^z4 W!uwynkv!TT3 ?ks +r` eb'O=0RjσӴ }Ll:c'3?cl ` ت >0m{N`Ǖ;DǵJ8r)6dlC%1rc8`*H,W̑$- 4@0hޯU3G 9KOݑBO*ORn6yasx,F-8މ~ ĆI4l UYRgCgr,AQoْ7֝6nG_s+:%~˿ _Tb;46g;ֶnoYfl>t@By rq{e. 
B01 &f W$'{7)IO?M,IU1Neuڛ{GG/8/|'3/@mzI oThFBSõK0r`>+܉ MA#XjRQy4lkG,rGkXoQOUz39`)3^L)IJIҡ@« i7.9WB9 QfƠUƻpu4DJO#nF ͌u].o\$L(+P3pז(Zx}:BBLʖw3;q'RZ`, tDNgW7jh8C0> pڽ` !ƣKUqns\˄m̿mWx ;qJBڒy^[%>:QLiKeAMƒ Pse]N?<*?ɇ^R0 %- );f#RBtJ ?"I*8:ڎâꡋd2e/ir/ t/dc? P_RK\,9n1 dC)Y?Zw+ ~PBlG4:X ,$Uv E+2m8$+$l,*#:$XxW-ֹBbgܙmd8y#3,q.ȅz}?XMIɇ6 iZN*R7+9@q)'@ NrGe W9O^j{9_N_߅%xJu=+ m&gO pם Ե3g9_:ٙT~ڝ->o\2 @,eV"aNny Ƈ[2x'({h.|G潣a8o\pщy{R\JI&]1_:6yi՚Յqdh No.>oyũU~蠰FAsE%UDn R^=Htq4>fLW|]:\փr;L 1'H6[Y8 ,d{ojww.F.KZVc,jfi;odr"|"9ݻnۉ?q 2 >zUX%?.՘15 Eh<8T:qY *0'}Mμ{+wu|_E$!,I' o䧫2F\'tJIU}dvC3v ֈ{{f6l@ XRöo9|䨒yj3ƬcvV*"S4av(KyA9=bv&GR%LϹ<8s7Ns^rߪ_0L ;bI 4eվ_=hmr'r9L䡡P}E͎Oj[%Gr@=aH|K ,&*vrq0 >͵Tt&׋xweE|@Y{p{,!ː`(»DuO8.8F/,cQaF;1OV<xj<;S7Znee]Ї2×?Ym/_3v=I5biӣ>`=etqNk6mcղr+&8`@"gעn̗둎ޗo7VWcuD W8Y%;fu\1Ab'f.2I +LL~-JSF#RGnoTLnA|~c(1ntz=}5=8a SώMG6% պVrˉ1l񹕀M35XU;qGX5؛2R m<WsF< AGu, cd~jGh57n6F(Yqߗz>cRhnD0z6{LH IPǒY-+H#`1g=ZyKcUu!۸_yZmu1\dzPq?;Řpdr)z)˰0AFxAYvJ iͳmeN:#K7G9B~4mC~Ǖ %ͫYIf&cw=N^)xnGя/؀p{% gDIJ!|G˥A@EYڡ3eh~*sY.ۈRzJ15.Ə=#a\}ZKAʙ#)OD0{n1jPs!6QL=}+3hGD6DU PHE|MQڎQl'2%Ѓ=,5n80sHx,L5Km'ُDWR'Af*5~l8ɃtR,&Y@e%=-^1@C2 QgO&ځCC4+gJ։ pGS(ra[ƼD9P,r 'pX#v Oft{<=9sLL!~:Hb‡ЌSP[Ԣ}yR^P[ϔ_xe#%"\HHhǸc&3ăׅoW9w#޲Z6<7s  YDۅA66Q< bHP.퐒ڡt{lX}^$69㐾^bZ@&tBlBo4ַ ՜.G3AHX"լ([>%vJ' vVFkjPN+Oj3]plEdT⥈s&RDLHOٴ%Ib*Pr aL?i8$=^&m|vT^i=q0 +Z085cxL`,ZhNg6^ (~lH\G?ͶSkcYķi;ȡ%z'%+/)hy׋mV,; %]:E ϘnP꫿L7{ ӲY*mY&)֦%m3U 6!iꜵ&?3 @M: ;# Dz(dMsc>Ҕ֟TRYk"0$p_P^=QzKIUf[+gVsQ-،M0ТiFPoghl$#B>뮄.6̂0 1ϲ ɍa=<|7W_F@1Y 1U Oc}[li>^}bxh75R>ژLA4Zת" =p]# {9÷7EN]ainJhnA fC^~Ku"ULL/(jJZ>3rJb¤c +PVB.Gbqhzdƣ-? @r[-+*$$z./&fa&oɽBK6ckoZwQn=>H cH]ܬf} KC G [~ݖbr4οڭB3DG"s: \aHޛ RtUR헴AfR_џ? 
>QrqnI=A& 8s[t!Z$%ЛBG#bѶri^?,+ - L+Py2|vBDR+C%97( 剦DGhlW#/yALB'2Gv Gޒ.!`iZ6Ed*{}d7w ؇hdT`mz =Z~I.n"4[2$jMa|[dBb x 뒒Qdm&k3t+J%.؍zo4~Ǽs6q F13IlIR]^͋>"9iV na}Y4w[qC~[Φsۭ\,kR6?L_]ְa4+ry7ƾc& S0W6[E(Íf :GS_(Y꓅xkRnl֤IʼO=҃k&zøzk3};xM6j5P*oVCA1# 03@ڮ,aYP+Pʽ)ՊvUN,_W-@jBtuCui2MT;i~)H `ʾvJI޹/Al0gu|H%d,T)Q:S7FlC nV IcD 6f:t89^ٸ#O Z\:9yGCD'd:H-/7zHYE'<`iL[95MrtpT$.r7Dbs=2=A )z9e=7NC  Xo*KYO ;WFy"9A_ z|m`ǒ/lc DWtȟvl}NB' #whv~\dZ:o˼>oO?9}xb6[{yScm"ہ!ެc8ZTjwy>7[vɶ.{Q<ocPX@k wF1fKhJ0hJs_+_oPmj}rŔ7N.1$q O?#,M՝s%O%cDsLs46v{;}7;88Wl'A>5#{7 ֫pWOx֓awYx oiTLj^}t-p吰9(J3V e,{A.t]ZŃm{hsʵI{î}6a!^B{ԐedϠ?Ėu_F z-9G4~`zKyfxcGC&ms?=374\{2=p>g}P)bMMoC'㾥b^C y)Է3j\SP `Hn9/Im\ h3Wl2݅嶄kW}1ײ72Hb; ֟,]Ҡ$"^bT6=> ;c_禮ۗ!MW<eYMՃNݷJֈWLYFb+]]&IW$|oĒ a~왛UMe]kE}A@A[I聚sk;A˜}?M+ B2fչ"$PQN~f 7'2&s !01jj7QwXs[recN(9KfϾOwɍ1+}Mu vqՈ ~PN%Q6$fNuI-w ?1$!~ X.xn0d^.f#֕YX eP,VNe1xd|G{sۂӭiM:ly +ō3*x3=1 Z??-EmT-[gc۾3a[g";n$hxZ>-z.}ʼt+%$#rՁ;EB"(8 kc c84#P-u !de>>w{7(M<Qa6_fN=9z? ?0f$BnxnٟA}{S#wqMMh&V1u<9^Z~ 5aGOD:/%{Kݡ`TA|c̃-a܇ #a71/h|=DE$=C95HMH?5"PIn!EEeѿC$Üߍ}P ] N \C!Kh,C5Tfdv}˞5mޣc? yy=}j"OIG]EB 0Po}PN=nNLk~-˹Yf*!M'eBov1&'c񍏫@aph\-Cl$@4| g#\>#pElI˥mYD3U}_<}?8/UYΟ k กu|D@hg8) U!2J# /M82g* ]9QdiYU@7zh!1]99/%'nM՞eCWsid ܳ1ύ5NJS݀B5逋L'9LCd拍 r }-(~TUgJΖ VP*|7\W_!SHhԠ'؜" !(}Q_vnohnCW#kVAFFqZc3ʖ,22a8K yP$[~+[VTM~Qszb$*Კsb`XfBFŽPZwd%>%~P]4UfCȆ-wcO0'1` } lzqO@|:Çd:N9hjǁ$*a'}BOٙ`%;r%JUiLjì7좈W$p%X$&y H*m,x36Y|f_JA-yX|-VM,|RkSrhg?a0ČL1n3?ϻ[ ] p#9Tx77 [5[;HpBaX|QnR')/גs燾aYo@DC7d98hxR8VS@# 1)x 6<' t|z0'quH;aFsre>qgEbsYf,ܩJ:uU%=*?aAX^]6Nܫ mrȕ( |cw5ŧ:C|J=JLN % NCc`Wk&x?rjrJǛԢhvWT \}}e˧| GKҢw@x+y4msMw7]BA=,nwPIGf]3&=rsU- .6Zhz B|}V_эi}` p&Dk[m_qh-/$5@P{(]f,Q -Mb-E.VIWA[Ihf՘EjV 1԰0"9~luxҴbEdjx5'!85;˷-:V7SV"{J)dOZCOr۟soE #WyEv8%V& 2_tyh-R n]egU-]N*Fǵ,62֪X(&\¥2*Z]c| \"vs7aʮXO>5a*^eXOu+aw^#k)| R Xt HIj!;Ssq$z^Рec*ߓh)\8H[ʮϽ^=U-8k:u%ȠyЙ$4qKbPawrHd]wW C|1Y*qG;>͐Frm9/{aӀY]oiz٪Ƿ<7;K'-٭|+ BĶ iY@kEhXyC - ^] TF<qiU긛{PbXoYHQXC>]QV %y|{* *˭83bv태81~ҋ) 5UʢNyd tcC x jX"F*`cxćZҮ]af?4(לE{ K{ʌfa^&ܣ嗀"- n9.) 
*Saf_fO"[,k]]!U^;c6N}DQ߂"24TgA؝m[Q{+:zz%tFajyZ`brLvoT]ͽ@QFUr @`+ݣtUqe_v=άjgZ;ei}%[)_d0C ݟq-Az|^%Kk> %cLZ!) }ZwkD}3>6W$h]66pGh'k2Sc+J_ 91!o!}/ 2LG "EC%!h:zҲ9އ<oЪ \ˠ =ntAƙeĪ"kN& /J*B[bשg,?Ӳ1'n*m֕%_=&n۵z#/+S؜:(z뙝N6FP:EڒsGyAn"m7N. =*H%`MOY Z1vT[N_٤\`|3)5̭̤&}x1Ym^5'ݒ_|$Gj .Bu2XJHuJM/*=s"1mZ]U3 q9E5`6?e*uA%ͦ.M+Tvq?B$M\'dQ 8@M2b0DLU^u" ' l+ ]NjN[ yߘRd4$d^s0[B~Jxn qx3lG[J&-U%fj/h*xN㓛Mg^WwxyMxǮN|U~22Rω a3H"_WrFN:a\e'QRت!ra>A\NfuTڼ4 JM;~+ʦ .MR?o`|t>̳M-`\-yׯh_ZISc"&o25ү>?TU9w=߬jG(`h.X蝆| ?FgVץ` wݷ/ƀ-ӹ!_U E5oJb#U7->W)<-Z9C[\֨ť0w3 ^H2V!@jD x *qD*t ]\ !DD*m'P':A"ݪv9ΝB66YrE}L]S{T' ˂#(,[S%M2Eø6OFƧeu񧕌gGFRd)>zvk`kJ}äK/^SC}fcxbCOJiHжs~4 .hM!c>,k9aBN]F;8wQm ]H>U.I>@_URoCUˋ h<ˤ ~isV#, m :pn`T Q;wnD&R~QJ5,SX}FHa 1tG_Dbn=` A:N}"^ЁXnbsOX$&]G?a on;ِZ8VF>:0iIJsC[wD22Uσѫg FՂ,yELL] cS7ץR9HOMZ}^AV{ !^oF{&t̘̣0tD#.Ogw$cu1koT2iV<*M4F`ڏ1σw@whdL%C2AW1s]T(4S?ϛoY`XIXފnniv> Exܸr{iUEH_jGwxO"F3-ضdRkTlrv=_!'P~8P% 0kg\qP]5"o8֓μ+TgTb iY[C*sfߙnӑRbpp.P<9nM Řonhv'̼'ܑ^F>-߮'|AZt:UI)'p4=@gJʏ;#E|[B6tn 3} xGky^+܋)W\xfɏG.3mըG7%CP೯ GTZ&z޻鷷<^06r{u=ɂ ˂>fMP SNy\ _::=g#vFz7`zPak 0p 5OLH.Jd8ުxeOlow钣Jy‰G ajL칍DNΫjY_jK&uXk"/"'"̪TRʼnURE&o%GIy3Є:*ncdBɾ'BU`Mأ,@<<,_ChZ4j.(V1w Dy_gxXm?׶Ӵ[H|̚"GDc@"W&knܨ-1I{*!"q7bAЬȫ>ඤk[#,^*L˺sMM*b˵&F6z?B&)k tFR㞐#Ө-[U;Fkektǜ1Y+ kf=Z 37+|dq/K57 wH`u?8_Go{^_^jd(}ӃAxGOΙ{.-!%ZYEiTٶ[z4=[/E#f]F{NM/.Q`z$|2׿j{-hQ ߻O6RUҖJ!sjϹ04v?6|8e@F.wRB(ifC9re6'[cM,"!^ˬSa ;:R((IN畸iS6PSX+eW;nPiױbHi[Ov*dmSVw77?p 'vZ#\'_:wx6cݬqOnj,sWx:h π'ޭ)UNq{O3q{^qʗ*/ytjZ [fTv|x71UQlrĿzM/obi7./kpK%py_L)Ê'wr] C[I_XtX ZLVFzfw2# vmE'c}] E6/ѨWYF]SA/b*P{ v4i܋e@yN+^1hjb6h7Yt.+ҩ/Ѯz t6O=fJձ >=+&m5#KoğmLg]G][ˎbs&dwg9u*' |~7̛YP8-&$pK ҾLBMHȗ ),y8P`TvRD*6߉(',Pf7i@I=rg3-0ءzozZVJ$`W5<_az蚃H7Eqbw8n =~z#DQ x' h!q[G\գxXOu[naujzƬPV )/xnc=?C=fq+ѿ'*Y&bBF~[Sk(}ƊkSq$5^%+uQAH4ʕcgc9b{Je+;4xnoLT_tD|;= Ϸj+9 F7!NcDe`0I{F'񚼺 \H8J}F"/zx0X\$MAXVwч\Glwb\^ADv(V!U^>9;١XZ}:~r[W-Opn}SVm}?0HCD3>L0}Wc )M ca.>C{U+h5=YVnkQU'g33”ޕN(׽x U#QDA1ȥ۫̉f9 ӈ"ї\=z'G#J̀PƊ5I5 9w;:Qċ5s$Wr*uv~^6M`_*Vq 8|ڃkF8r[| }B76l3[S7Klv!TuS\f"Dd>'MÙjuz 1$+/br=]!7<Ãӧ4.g}r$0 
|d}Yٓj{fuv!{?{4e7wMF6?86J:LK7[jf"{53!Y*ƲK1qMbBM1?VhJ o5l5u}-6OiJ۫ R_^^8Y|1s1z}[E|j(zzĔ$ k;Ċ x'r(TP(0c]zJU˳n5u\]!)91bu/._)*-;;EAb702}&V)˝ePjd^"}?8 +S<n#SVtaSK ىm|fTrGj7C{S,|B*@Wsg71w:՛e427/` A.0Y;뭚3lko¢Y$Gdı)P'917A%vD+bE$*p,RW]tcKohA|*UT z^l~@ϋ;r~_@H3MHI89.^uvWd'`BpDGEA߶~84JGa"7a+ǔ &Yjb’u;|[%Y,0o`wL^LGv-F hg,?rڴp\\sps=:e T;f F-ޒrYj.[x}2Xh&t\(" p MO{ 6tyDJf@ wnLf x;_DV.\Jf 6Y2= zPL0+_aꃈRwPHqsW#4ՉEiS j\ޙ?/w%-070,A#lC:RXU]WBlаAfvGFKi0.Tu؛|/kB } r`њ)ve!DoQ_wMfMw~.@ĩ~lBEꔃ|સecؕT9+^UHDXC l-Əf;' $ M5ͯ**y8eʢO6Q֠¡kte0axZEٝ^nTң[(Wle' Epe-쐘M5/b†"pDd\?igh8Zf [MRv*AxO[P+-|Jjw\*yR91نt+_Z,Iˈ5!#ܥ4Wx\U:l ]0XxV֟4:T,1 {:5pڟ úݒvQׄ3_L z'\ލ'Ց^ǓuEul&W{ .{Yx陜vz_!%tĻȱV)yPBm[\([QzN^LSauB >TF)8^9)96=[ puVAjLVS=p63(9}H ~ #ٹ|}eШ K~ZcQ >p39 q,fkZOxG8 ؙ)(xK{ ɎE޵i&T|T/\E7 ,w]߶4.4e`vluC0pYi!<. ;)}ҕ<a0゙Z}1A G_`=5G-`?3vBEk:59:R]Or ځ*2-ϼ^(c,!gr` ϣh9YtmgxPb'elX[4.O4ťF:o DC6 ;dCtao`,-YsVb|;.{Oi~^Li'Ɲjc:TJYx9k̝R Q,( yO0zz+żU.Nh )M߫.O"l"yڡP& O)r{mL Y ->i'g>lA:$79(")/D4Zimw0t^+b%}~氌,I7q(=S59 Fml<wCv N0~ru>\XE ټHU(ӸQhSL9QT*d3D2.]ՍIk1)FG}vpACAJo4Zy 1hOMOma[DΣ6`/ghOyi̿w (&nk"*fL.n?`)MR>  rw]PSS1!Ԅvϯ2j? 
(07w)1"枬ĄP oV4j9m cd4P_ ۜн7!.mKR!PēUA>,0ߙ(iymT1um =`|x{XfmO\c|qr%̧[ 1HEz0lAzYJi4(8gaC}*|؁+P/ܪ4BR@scSִs\y*px|JNvLd㛯/Ι:rj=T<`oN08vOk:yIu<m Ώmq^rc:WYW؃0^| )2mF7,#$%t6,Tŏ-ҖZ([-{NHjU`&Z&K MwgfbN@ A'̺Pζ~1~u v ͪ*\ۅ[k+]S,a$fIj5kþmgP k<j)T檲mtj*P2Bc {Nӻv~ S* X*݃unX]ʡ,[I 0ևXdq9_sf݀ +ʭT{v\—l_% X r."ׁty'|p]~\`{( %"9:Ee]_L<#髟Ns-,:d\ȏm J*z/sDnG c(p^3o߫JCl<.ȭG=Kf멝l4KE9ڒws\ACcD|pˆnSC3SHS̽kDBrWDd-Eiu@B悵qZ˖Sc GK!~P, -bvnCvЂp+џj$r]CJ NCd/$7W|̂LM%Gm!=V&29>zң~Px%Zwp wŮ RZFUj9MVe~7%߉7.@N"^ЎŲK+1$dve.{8,חd_ 2aƪmSu>ogE5i&MUiJ  7ur[3~+l `H+{DFfo2ghnbs9Ĺ%(imX<2#> FyO6Es+2xsrl#¬B sGJ RdQhzR7F"yK7(٥J 9[#ǭ 645gQ]1QP 10qDM7}Z <-RD%y_2 0}?ǒwNC<OiFRGs{}m{?Ze7j\t 8hWQ5/%kpN$V9=]t8Qf[R@]d EyuaBVߊJl b+'eķQz /Q_*sQzǂwHΡ3Dl>n7Gj%Џ2{oφ5vZa:!Gs}2Pp58?h'g'!P6y̵jӋ+<swD+i| [E|E5'v+Gh|8O&]B}<BGE~0 Ve ,4g9ڕ(9~,D/O?qLxlQW¿Y|ױQLsp :d9wݥl k-讓"މ+-,TIFOz'V<=֑lQT''3H=6v[zS7οX PI\`&˄c$ 2rMgtYgZat1Q\)gY|G5rbQRrR-H6&իPS0ib9d膂&\ݵ9ݲAI)BNWV.jB^,(T//c,D]P"W:Φ 6T)6iuobō&^^?+?X/+}-ȳ_~=CΆ*Ȓ-"?NGk'>4[A'xaGk&alhy/O_%HMV@fZ~ٍȕV^K<u wcDS2/!O37^gdyȸh+?&hn duv/.%~$f W?O;n\)6M$铭jǛX10h94PT.wqvDVmHVr*$DajDxhd/>=Vt` U|XĒ (x&qq;sz'z+Z?G>KcPĮedn(LjO(_/Y;CKݠM|nk :I@Fl!!jQ_@D 92hګLSG+,5LÃ`4FyFu <"bXAג6"tb-GeJDYz-bTnF4`fsTN_+ oKKtdLlȣ?;kU#įi%*d໚T:d=ߟ.(%*@p|x(2#4}dbԬD.^3| Z s@5em}ud ]lSK J]3 xDZ0'T?נٵ اg|7*MRj5D0Hd/^ۮ7=de ?ǃ&9E{t'bi( ӷCʟ)7Hi\32^\9&W)=</VK͙pkW4Wq|b܃i]5;sg5 D}9hŶ՛. v*9AIݟ-\ܸ>}oO%eHhӼ[W] XV*ܝ=vNxhxJLnuAZc5%|F &L{Q4oô 1 B CqAq.}Wa^$zZKpAk">Gx!+K^WD3~g(|xT}z uQA2dZc;e}[@6&-l'Df]DkG(AL\k|Za5Kܯ~Hi%N3z'OGBeirhUgygE-|$!7LC t? *`f@"aЫ)C(J :`ntgjkfuxޖ:/7@;7YnSה 2tɶQȻ0mRΏxJ3iil+ AA$8+W) H)p,.Caڧ&/$4;38|qGsU֎P=AmRyZ{&L.4@|S!@v]H{KmuH Tg6^YR٪+*؍Y íxs}֮c7AL>|h1GA5n4D9~09x*i="1DKC E8P 9Oa',֛#KG(c/ R 5h{Nz\xk:@2P͑`Uߗ\k0k\S,e#%}'q-~evp+Ϸ8|t1-GW~&A\%MU_JDLk,7{A|V̳Ī&MVOr{E1(=jTrs 5UEmMtb+v%mk[nKZ;rv1_LҏAhԾtNoEE:28$ŶdtܓS%-Sg͡pGN+LP ph. 
X!SՎ5ˈvP+sA;"=;g4',[ySy+>wtR?':c$?6 Q_wE@ zO!8Pm6YpcL}HN#JάPlvIS N)reeкO|,yb j"?!(RMڛ ZSj A'fse~&H9q9zǿ7f1?RUV]FPGQVzTzxɋ ~OjV=q븮$ɰjBєy^;QJ@Y;͐mjzyw@T,iX+0vXN͵aL| O+cˀ;ts0'Rc[)̿WN.fsAѨyçp'cP&ݪKmkA/Wkŀz6qݬ8VIr|x=D`\M{)%$)WaJtWG:l=S}? b({,,C! s_y_ IP6'QyUI\=P9 ~]c?2 ,G*)Nq͊ٸč=a)fp,^KEǯע܈7V|9&uo7g8^9|GjgDs '%'"j Z.55[˳Ĵ3:r_#Ւ=4Ӫ}\k'hubت=5 ;X&p(yMMc(] C fh7VD$֩xv ׂI>8S-#̶oLuWEr 5r!jpG#1() -N]_!5&@ pUPoz僙\Ky ܌ԣ|1Oo CV$P̒dW>x -̭jS,ޔS2x5R\kmpƤEFS-s&ct~9P.od^< %ryt v9-53mH.뗨R-B%D&rT?*kfgWlpJFM~a9B>ELTD[O?w4eNJf| V^84p)@BǺ~q9MDH sB^(JP/yDp*stP`g+칟MDd5K+G"XDGum!y=n[ On2 \YjY{"ru?ԨJwNj8yF;OU1Gn}.PnV"X`E &\*oy ږ"B,jH T1XI 6=m)U4@\-L. S1̐ }MNwtU^ Χ yʴ$h%D__s dKm[Sx+LUowB-S[݁c+Jλ_̠6uRvr5ʳYD`h͡붬>)yMbCNFn0#H OdoYmkk\e&XP0qxIoˈ| X7kXHA5_ L]깧+oJ=c.YxH7me IԦ)wImU`cî>i޳qaZJn  NZ9<723: -Rz=5X9LR#J_~X]CL s"!KfA/"ldJDZz*2yU&$∓$ FOjZ6$/T͗ nF#7Ss.ހq8CȚm$B҄kInn)i&ϧay08aY lp_>fl{Λq#ܿYck*+%YJBjbD&y#r$ ]$[nH)}|***FGz..Nt,^_½ɖӘ) ǢA"\FsB N+y1ýZ{!a{-m a;B7H޲ѹ3d96Yң͆4ܱ'BZT[!\R%W &לE[O2R'# @CFz Ά<ۏF3*l%T[C@_j]aZۭ#2Cs aPMEוYEɶg$̶]&+s#pA6@  &? ΄BWR%zZ.YNoک˶|;]bRE L"<7|BةԓB5]‹4f :30g4a xS.3#͟mN/# 2 [ZmUPb^;킞:ipx ,ɴ'R?%D jĄ}X+xG~(Iz̑ kf\y5fc inx%;X5UcYz| M! /yG3` x q?JtmtPR/c(|/H@loRxSO:ljޢ%R^n C}d\>=UÑ ϓ·ȲۦK1.tkքO^;-՞kCqeRb=z(Gst;Ȉڽtʼn$(|[~oͻrSo0`~LqБ O*'Z!.EUhη<}լn6~`s]a}"e}єVHc vns|pnWfPFw65wVkQhp,,¿] UjVW)N+B^D+]pw_<>\ۊ )q|D.Ќ 4-;%_YPY<"t[uW6#z^d}]Lf):]ue:ji5"=Ή׸Kr4R0i5+?uB[ lֆSXJv$~ ]vC3{\?S\a! 
6|DGAeWE =zvDڞG+r9W .M"勸pz͛I*75Q}W9؄[N @; $(ψtGFH%=qiWDT|S]xl#pXWZsZmP5͗ې '|U՝B/t#jh=ʼn-smҥ{n a͜r bDI 8I`(LҎ9&cpVΜAMʈfѓ ]b͗F6B z8ĵfw9j, L6،vegI ѺGy~}{w񶞢ˢ20ѽͰO,/6yS)N6:#sn-Hu2LL4V(ԣ_u8MiAo̩޳9n 6 f;߰'pԦ#;4r_m"ge~5*VټLb|1Gd5Le:$3-v毈 NWB&UTѼKyJT5,ۢJn ::Eܶ-JpޝHSULcmH}a$ ^vϢf86\X?Ly//EP}{Zwm9'j ǯ!|Y£XCmRןcPME72l(J-(.y\ё`F<ԣd}RlECC=^LILb!N2akJSkg<7 (/*'&7 se~4Q( ~ŒYt'|˲ [W 0_T:TuHX#~r&ߩhMfpF7ܚǔX*(WERרu<ܛͫ@Ap.Dϖ/7;+;ӴgL݄CrxCg:ĴhU=K?aĀ҆=PI,~sc}S6r{mؔ(Y ʉZ&O ZFM&-HZguDy{ ,<Ӭ悌?○0 ၑ~ И;Fpc[lk*ak5n66J|vkQSS(_i" Ŝ0Nv}8%?:e]|kUf= Z3H[RW?BQ 0ZRuCGQCD(| O\KГw7.ERH'sH+4jsCMG_H{+1N^$gF\k ,]H2{=pSg6i,QX>{ìNذi5ݧ8h{/D5ia$0{GfF~i-*zT5K]ň50JWCf•M~T \cZUbzVSl7Hy| U[] sZZ0)f 9viKZCMQIFGvIL<(icN$&Za'mOV51lA1 l'׾h͆o}xLl a X*X^Y:S2˳;# BNms"(kY99Z( j$·oԕG%Cb~fW4:5R}:Є̍^Hn:'JP/QD "gȘL[tMy"LF6ΏTN}] ?ItU(=LN*K˜:çp)WbxX昿_`Oq =…f&XG^A0id;K# 5+m"Dbh$<>E:'ݴ#ke b-:j9* Έ]x.*Eږ=-ÊMd|6.)d/g g%"ԆS- $6`*a[N%KF"u׽ST{nj?Z7:^O&foO/>$m%WP+E :n$aqep$/#?$[xՐK:XB*[]ܖT(͉ IKAW=4=C .pF3_bE'"NWNɲF׷IZ{R"gZ8Z9*{mnG?yM#^ {PY+2ɾ(z`V'NI$CUA>pVA^_U'.e"款4~1y>M[u&&fO b2kÿk;j(i]zSݝ N|2E> >'>HB|x$i9AP\yKulBpY4U k%I(WqWr|se0N>$'0h/ q"?2獚4 t)Y()83b 2wm#W2\6&6Ԣ&( "ku5_g݁EsP3K%}o-JًT9O ,У?82̎o-xTQK.Z '_,=rq6ݸM jJMT>h1t9/"H 8*S>FuE:oͫ&\mXEW=`AvI4i5Ql6 d,9c+%q&~6 A# `*N:V[MkDk)TMSV<L8,t{_ZgO*|+͖\N>e1OiK22@>me A\ | 0c;9Y98fO_]5h3>T|@ǃeFpN[q*.XCZs*N\,·}xS n<-%: Ot~ܰ۽ %0*3|@Nb/#?2G< :qfgs&Vo3~,ϛ?fi9߷+W5!Stّk-r#QE\*ZJeo)8U~o!EnVϳH uDjf±Õ+CIG?O:Bސuɀs؏b"}(؟W{"$(Bj ~h?hVٲz1ۧH8PXf^)o[cWBƃ\-}xõC~_i;Y mrYL& l7]{pҤ\k9f&ҠBl{|a-ہCO7CS^ 3{~t-2!-@' %My_ִڬLy5mgpln]OŞ+X 7GyY`ݟ̡L}vd~R5y4hZ01 3$ՖXUB^S~5Kg8 83&_aM;z4bhN\Ĉ+*U<U;D+""G[t~Hf.?sA'xk9lл OO=3_=P'V/v/Բ)w:'nȴ#7Mմ@׻7c qe )#rqԵ*F 0IG D&ex8q݃'25Q;c(%_R!Pه g.&Q~놪zrGZĺ('ү- E) br4tcUS+S[vc+^r\«קZWQ]vN} !BgfDvvp4Yg`i?/9\7 o>0nc/D-(NI4sm2d\ozWbK, wS r>$1zJm nلlW5Xqw1QAkAhNO8iO+Am)AWQ%qG{ggH0yw=La֕Pc&韨ktKC#%6w,Y&N`௿87[nkʥW8?rp7H,'-3? 
C5 ABt$g#H#MkLbJ\iDZ:='g?vSn 9MP %=>GVط#/*9E+,ktnp'+|u4= @ltCk22P͕v@ r|`}ֳo_u0זm gr!aSϸn=UL4Z׶4@K#sۭ֑(^hS򀥾瞩`015mL]evf3H-Șx$މUWm17^=7}ՠeB rL<9j*" 5zcF'DGx9a) d^T'dޑ02CszYY¨"$fJ#rF]58_mS&͜Et; ,bcVXuB?F+"PR ##KQCcNc>-U[jz6G#=q؀7rAP$NaO3yL1l~w;)f.ǀ#$=d߲K7H0՛ FRcV}Fv,*l0ЅE2-J^CgD8FAKuS.bWes~s4;qA R ?yzA@KfZ=Id+ФD'.u)ιmr ?^]/L${ QYnuB._M5;sÌ-K/'7ܬ 3VTRx霰9 Jd:yLFEip*qa%!_,G*~.ZQ#yqR6OE3˟ˍl,M!7',`/S藬ݲTbM4 А E\6ae.6{I1уeb?0M{5F y{>"qg.Cz۲a>lk^eiPsݰ"5y#SzvqEnÕH@Wv4V=3W]~q X)i~6ޜb-nH],$"mj`GZ7f]Q{ l8;QպͻAMdp~&- lDogPdA3RnxUjuB!5 LBz~^8L۫m-lc vĖn| )wM^o}by^¤p97L5*x9#vpm~UbgzU5_ы%@KY{> pF2_,9/~V~R4u7Z8\=cMR~RE[-Sr1o?F‘KؑOZFm 4ZHpLhja`I0۞{e#)ȖF5԰Lw;Ļfc}Z$14X~_Hqƹk*Q3EnOϢ܃0:U}'CxPpzY&)U3)M=xM#Ҥ/KCr}XpyȉBE8v:xW`w#]6Ϙ:[ M3jf̡m4XW{2EARp1%i6K =65JoŻT=wv^236FeaJAۀ 9UY.w HuǞ2LΰYqTɰ`LͪgKcR ^'L+<ߎINynϒRJ݊:1V7X糧a$ ztA=U\h /6VIkӶV21}v) )ܮ/LcxHtS|΢'OIeWz YM9# ǜ8AC4JΔoF-81TH *#_]̲+r0>$oE>RK`s9p[6 87+,* /bZ7X)l3-w}R㴗VxebL8RK,sr3{~Ⲁegws1 Ń 7|N(2o=Kiuf' ƒƎQ8B}K>Jx wSrja_cU3n%䏉f`a[륽ՆX9=UvA~78M*Ños 5{F=E˱B6ÒGqdvj#yS (`L! \ԁUWCS~o;W髪EY #ycMSKDLdFN~+@o kw;FZ#dhͬy6чT&CӋ 9+͒Ѭ2osϨ2XQn,`Ue>O:ՃxVo I:P6t NRWGD=onjVs\&L3*XXf4ϻ!-M{ eMZJl!croX!L5inv#Y<)-iwwުI:aT=6ifvA3/g"z^SRVe2"O5h"%"0d+:_G`U]\Jo5Ɛ)v-t. 6־ +!RKV/}#Kp6 Jq| y]ct%jWkrT1'֝C}'w X$y&6Qt1BY{m5(W~RW"Zz6(Z#8UIZ1auAYư U3 ]Nmw5$_ɳVȗa @%gswܬwn}0z艴T)~F7ѭ~rœq Oaiuj6y6Q:Ds.ݍe ' :zz2Rh#`d `_Iyؒ$xH}ĝ%WrDA%>H*T ?>GyXj H\4A3%Ơ\ݯ4cyes{J?XZt7Gv'K&nq F~e} LN.Rv.#'>6s:-U #yS9W/? .tTRK @H2Ii;gi eNc3A~\SBI;UԈ3^ pA4lm̑HYq'ڮw~QH98ݝácVbp(~P %6Nfu0|DuݥSIWr|Jb'pכu\S `EO餙}\vU1Z1/26Cz|:ֿ}Lr"عU ֈRZ Uĭ y}E#eTkjeg.}43֓(,JQP O8qmLO5[0#Ji98a!?s1IS7 \;ȺC[0ќD7 6B_'ŎD  Pixg@ C2zzQxFL]F)1)(,bav$xgmm!. 
XbMtyϏd@#(sؖ%4 }Vb4y@t9C Gx _V2N.{2BZx'Q.YXū[+ k#d/DRl1̺A} k }@b#mQ&k, x:HT .bR,^rTuiM/H0X\!wPx(_yINbۥi*M=dϥ>14ьtZ+4uǏn,BN t|`=uFd1LE׍S{ٵad󧔅.Vv&۟㱇L#;M#:iuBeI,@X[Eq]%:p0w[a:ת^Me5nIQvl\~ @֒S9xnS(:D||o`'F5nQo@7ve[Q{ K4c1)3t+Eշ 83GE'xIM]IHXA],}65]7 :n7OҷlKXe0H;) X eeIM!kWC$ fIp4ܥlMLLv?Wq5a A\dІpnh6m9`Ԃ H!ItW9X\b/dAgL{Zx@2.4tW&>3DhT!Wb+c0fO/k*n?tt>N b?E -hxVЗŻyͷWI܊0z?&&ǤnW~HV+ vSNK#U@Ôe+m,w$lxN D$7bo0Ci$)Њ"E{o+o$C )=/ +9Nv4AR"/4N &T6ƪL-t@+u;=",dk'N n+$1 -Ke.>@>\qoxVv'tyBnҝBtr=IX:ٍ9:&ٖ.ts9P7~["65jKA.4z}^VbcMDHpAƉN0ea :8ef#y{#|8XR0{rBDM3秼|IbUVcGCHs=i)(.inCNTә`MLH"Z1 qw 5eڿ1͈ 7,Wj2ə# h O MZ@"a[/1i,$ӡ3xVjsM 4%/_[X;uR]}%9j,5գUW"5r_KE x6{JN ;c60(ྶZ5K o,?~xþ[B947N= ];EN+I8b`PUW_NXw4!>Sʓ2W F>\]fFOh&f]Чc4!{J.7N2뮍.jGv1{iinoqƭɰ4g$_ac>!X7ka}@1_u`g/nrrvqocʝ'Np2{6$bqnBv[eK>o utYŀ5eTLz(*[%YHF1V'Zʅ3xlJ+Q O)T {(*V^jcnةN=x:,˛@ A+)f@YC 11G Af*y;("+?#lաɽm&oԣkr9^nU@N:%s'CEt|TL[77ctX@HrGcc-=d3kqsːQS İI4oyԴ?uhH{ $XfB$^mݽ4cP`jÎɨ7oMtr1Tp6%H'jBZ$#SsLbwjw݈x{9֦F[RMWG 8%-h6Zp"@.AB-kVGCZ#kH,RrB+^GXnT>RsX /J3CU.w]ic֑ki0Ɉ9 u"Rt?1m K/ (+uܴǏeہ_i0G7ޗHзG3UIL3·z~\]'˰5/(iFydcrm2(SntXܠdUdVϭZ((S }6K<ޡ?S+Hr+݀vOݽ‰7(9EZOFba$&۔ގ>8F ac.FK!=xؠr٬ڂُ~[罋EM5T0JN=uXE6VvjPGYwcݍŴ\!Gh_!GjGV ZZ8iI[,>a/cW #O=e~@٩(0`11@Srr)| l;Z6Z=# lI Gf[^.4f `xS=Epb鸜xmF1iū^:%-KڽΛy3me0n`CKzq͢Bus0`,۠Dv{/JS:j*dT58;})I)03il}G,0w4"tB,٧gߧ}hr" 8_zad\̜/q%Wp"e23<\[P1lM~B%71,Z 2zdʶcSO1e饜͹s[=F(G0$'dF>:6GwMՙͫbDAѴGLr>@S8^D K ]R'B3 N6q窺5ԴrtcA#b/m\̩Y]|& D#GRu Z+!6'BE\o*Af_T0k =sL.DtYc ʍ]+7mff~R"xFj]B |E:,>UA4q8H*eоDJmV&hky=̓d9H`ݖjJ. 
vȉ땅yeY9krNPy!t<ہag>cn5'n ){fsߛU`.Z0K+]eYĄ;=<,H&j֠Te㿇9c\w!ZG2;0Xd>ns \p3O +C5#߯OᯙyxmL\{dYM=[h-qT<x lywgOh9t|:'Y"WcNnQA~fkBvH~ jjz{'kThʝ}ElfTA%ѧȭ`9[I%7R5% 0GU0E=:KefUP Ğ s7n.`*й "aF UʡPϩQd*m~̩`5}>K@$zbd]$ ca]6 !$W{%~ P5{`_538rIe'JՇ>}挰p6 w\a UEA\Eu.DMntc(̬@!??CxCOw1Wϯ;,V2_*t ;QsRP)nN֌a&,-vk !*G.}y gLJLA}qLs:amwׂ2[LEN|lJ > B{Q# !=^sTہK|ı[,d7^ &z7{WdƜ\- !?{Yܺiy`B'puBUjkF WJHBʨ*ߐaNW@ |P+r:duUPA "MG"D ~scݦ3$^r࢐s' n*Pc\[E+9zX X,TR[4٠gZ@R%@~y}!9njii Lgi%0Bi\K]|u7h.F.?\.$,[֮H)e"O&c#3PD2lR*xW8mF[WZ.RTT*zwrn,MRkgVZixrvڛq.%^8Ґ(16 ij{EwMc.[2ݓfɚs$[3)'U w涔J Cgl7aͱNjJLLSVQXTrp;D2eEV>oQ*$ 4f ?Gղ%{ߨc%"|̨fmBC/<[h%B:ΪX1%V ~Вp{c &H5n/9Kf-TG-6C=ϰg3!@ Rsco,UMo'5l5#~@ G4(1c[X@jTd!><,,ʒ6*Fw!eSH8@4U=R\!3IGW`+Q2(Nʏn◈ ÆF!Yf"a2\|aaR|'y$9rtr.ƄiH|} =%iu^c&f啩a K K{ Y:و6b^n-̆AGԂs;ݼJw8НeeAqKIdԕ,e^Xې1+̊$"Ͱ PCvԸꁴ{oܰu'E03Ќ ߘx$j9/OlўJ i^QOQ3Pu"nY*U)24hޅLdWaF0+!zSuZKK;k wOdQmӗ qYoD gXx5 zԜ)=k@[2;S( tK/Ƀ}55'xH\肎S6◯ h5_>(shz;ׄtC;OH2^*|ެ@\d^*86ybL* 0$(lWepˀSS1dd\4!&f Aλo遮,wt 2j]Y«D!k|L6zJoBGT XXtTR1$~bt<5 ndkU%9w@]W@%k+Кpi}Z<4Ajn/ChG)ZD]ϴ  BU>I׊p+}䟹n}R{;L'8]qr dj]r5w@RBPnӒݣN4@'R!?0AO$c8;ׯ[ں=I 9Ȼm`kR,6z2HFW_2) %U=ztw̭3dLMiRsEt@k2k1 AC*y`>Wy%Seyk$E %̧7'h1EC| L *OUF@++{'eE(s:w}~]J Iη!(ʪ[SKVC"}Vfn YZ