sssd-ad-1.16.5-10.el7_9.14> H HtxHFc, ?*}}hQfjq )b /\|/<NYdO5d7ad7e86e571ec894d6845b909086de414785cdZz HmFc, ?*}}Yne)Gv ֚o!inz鬳i$"9x.G3><-?-d   9  2OU\x    7 @\MDM M   ( 8 H9 H:kHG'HH'dI'X'Y'\']'^(1b(d)e)f)l)t)u)v)w,8x,Ty,pY-Csssd-ad1.16.510.el7_9.14The AD back end of the SSSDProvides the Active Directory back end that the SSSD can utilize to fetch identity data from and authenticate against an Active Directory server.cFsl7.fnal.gov.Scientific LinuxScientific LinuxGPLv3+Scientific LinuxApplications/Systemhttps://pagure.io/SSSD/sssd/linuxx86_64HK4:5D,A큤c1c1cC^p0c c c 755de4fc044b8e1764443fd8bae3bf1788b23313990d62e66d9741d2d0f70b05afc02e535d3825579b0e437fb4434f76774e18afc9c3d2a36103ae0375ef568c8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b9033d0bb8934127be692ab1a92a43204df2684e121d85df364b2384b9c7b8743a71b146b8b8b549db81969c1fd6ca19ed642b88d47a0b504094de00f1a2484408302fad5e79df1ac6a74b1b9f0fad1a1fa3f9c6cf0c561b4c6c47ade816a0658bf0rootrootrootrootrootrootrootrootrootrootrootrootrootrootsssd-1.16.5-10.el7_9.14.src.rpmlibsss_ad.so()(64bit)sssd-adsssd-ad(x86-64)@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@   @  bind-utilslibbasicobjects.so.0()(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcollection.so.2()(64bit)libcom_err.so.2()(64bit)libcrypto.so.10()(64bit)libdbus-1.so.3()(64bit)libdhash.so.1()(64bit)libdhash.so.1(DHASH_0.4.3)(64bit)libdl.so.2()(64bit)libglib-2.0.so.0()(64bit)libini_config.so.3()(64bit)libini_config.so.3(INI_CONFIG_1.1.0)(64bit)libk5crypto.so.3()(64bit)libkeyutils.so.1()(64bit)libkrb5.so.3()(64bit)liblber-2.4.so.2()(64bit)libldap-2.4.so.2()(64bit)libldb.so.1()(64bit)libldb.so.1(LDB_0.9.10)(64bit)libndr-krb5pac.so.0()(64bit)libndr-krb5pac.so.0(NDR_KRB5PAC_0.0.1)(64bit)libndr-nbt.so.0()(64bit)libndr-nbt.so.0(NDR_NBT_0.0.1)(64bit)libndr-standard.so.0()(64bit)libndr.so.0()(64bit)libndr.so.0(NDR_0.0.1)(64bit)libnspr4.so()(64bit)libnss3.so()(64bit)libnssutil3.so()(64bit)libpcre.so.1()(64bit)libplc4.so()(64bit)libplds4.so()(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libref_array.so.1()(64bit)librt.so.1()(64bit)libsamba-util.so.0()(64bit)libsasl2.so.3()(64bit)libselinux.so.1()(64bit)libsmbclient.so.0()(64bit)libsmbclient.so.0(SMBCLIENT_0.1.0)(64bit)libsmime3.so()(64bit)libssl3.so()(64bit)libsss_cert.so()(64bit)libsss_certmap.so.0()(64bit)libsss_child.so()(64bit)libsss_crypt.so()(64bit)libsss_debug.so()(64bit)libsss_idmaplibsss_idmap.so.0()(64bit)libsss_idmap.so.0(SSS_IDMAP_0.4)(64bit)libsss_krb5_common.so()(64bit)libsss_ldap_common.so()(64bit)libsss_util.so()(64bit)libsystemd.so.0()(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb.so.1()(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rtld(GNU_HASH)samba-client-libssssd-commonsssd-common-pacsssd-krb5-commonrpmlib(PayloadIsXz)1.16.5-10.el7_9.143.0.4-14.6.0-14.0-14.10.16-20.el7_91.16.5-10.el7_9.141.16.5-10.el7_9.141.16.5-10.el7_9.145.2-1sssd1.10.0-8.beta24.11.3cs@b2@a@a(@aa`@_ _G@_H_H_=@_;_;^3^@^V@^m@^^@^>@^@^@^t@^r @^^@]]*]@]]]@]@]m]m]p]p]p]p]S\Q\Q\"\"\"\\\r@\r@\r@\\\\\\\\\\\|\+@[@[_[@[@[l,[b@[a[Y[Y[H@[E@[6@[0@[,[,[d@[[Z@Z@ZmZ@Z_@Z_@Z@ZyZhu@Z3@Z2gZ.s@Z*~Z'Z!D@ZZ@Z Z @Z7ZNYZ@Y@YYJ_YJ_YC@YBvYBvY9<@Y9<@Y5GY5GY5GY5GY0Y0Y(Y(Y%uY%uY$$@Y$$@Y"Y;@YR@YR@Y Y @Y @YtYtYtYtYtYXXh@XXX@X@X@XsX@X@X@XۡXۡXXӸX,XCX@XX*X lX lX lW$WW;W;W;W֘W֘W@W^@WiWiWiW/@W/@W/@W/@WWWWQWQWQW@W@W@WhW@W@Wt@WE@WE@W@W@W@W@WW~W-@W-@W-@WW@WWu WgWDB@WDB@WDB@WBW;W;W@VbV͛@VTQ@VCV @V @V @V V@VBVBVBVBVBUUUU@UXU@U@U@UUUUUUUUL@UL@UU@U@U@UnU@U(U@U@UUmUmU@UJ@UU7@U7@U7@U @U@U@TE@TE@TE@Tи@Tr@Tr@Tr@Tr@T}T}T}T}T}T7T7TTC@TTZ@TZ@TT@Tp@Tp@T@T{T*@T*@TTT~@T~@TuTuTto@Tto@Tto@Tto@Tto@Tto@TmTmTmTmTl@Tl@Tl@Tl@TcKTa@T\@TZ@TZ@TR(@TG@TG@TG@TG@TG@TD@T6xTTT SS@S|@Sr @Sr @Sr @Sr @S;S;S2@S2@S,)S!S L@SSS@S@S@S@S@S @S @S @S @S @S @S @S @SSSRb@Rb@Rb@R@R@R@R@RURURUR߲RRRx@Rx@Rx@RΏ@RΏ@RΏ@R=R=RkRRRR@R@R@R@R@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@RpREs@REs@R7Q@Q@Q@Q@Q@QQLQکQQQo@Q)@Q@QQ@Q@QbQyQV@Q'@QQQnQZ@Q0@QQQ@Q@QQ @QQh@PP@P@P@Pz@Pz@PqnPl(PaPaPS@PH@PDPM>M2@MMzMx@Mj 1.16.5-10.14Alexey Tikhonov 1.16.5-10.13Alexey Tikhonov 1.16.5-10.12Alexey Tikhonov 1.16.5-10.11Alexey Tikhonov 1.16.5-10.10Alexey Tikhonov 1.16.5-10.9Alexey Tikhonov 1.16.5-10.8Alexey Tikhonov 1.16.5-10.7Alexey Tikhonov 1.16.5-10.6Alexey Tikhonov 1.16.5-10.5Alexey Tikhonov 1.16.5-10.4Alexey Tikhonov 1.16.5-10.3Alexey Tikhonov 1.16.5-10.2Alexey Tikhonov 1.16.5-10.1Alexey Tikhonov 1.16.5-10Alexey Tikhonov 1.16.5-9Alexey Tikhonov 1.16.5-8Alexey Tikhonov 1.16.5-7Alexey Tikhonov 1.16.5-6Alexey Tikhonov 1.16.5-5Alexey Tikhonov 1.16.5-4Alexey Tikhonov 1.16.5-3Alexey Tikhonov 1.16.5-2Alexey Tikhonov 1.16.5-1Michal Židek - 1.16.4-38Michal Židek - 1.16.4-37Michal Židek - 1.16.4-36Michal Židek - 1.16.4-35Michal Židek - 1.16.4-34Michal Židek - 1.16.4-33Michal Židek - 1.16.4-32Michal Židek - 1.16.4-31Michal Židek - 1.16.4-30Michal Židek - 1.16.4-29Michal Židek - 1.16.4-28Michal Židek - 1.16.4-27Michal Židek - 1.16.4-26Michal Židek - 1.16.4-25Michal Židek - 1.16.4-24Michal Židek - 1.16.4-23Michal Židek - 1.16.4-22Michal Židek - 1.16.4-21Michal Židek - 1.16.4-20Jakub Hrozek - 1.16.4-19Jakub Hrozek - 1.16.4-18Jakub Hrozek - 1.16.4-17Michal Židek - 1.16.4-16Jakub Hrozek - 1.16.4-15Michal Židek - 1.16.4-14Michal Židek - 1.16.4-12Michal Židek - 1.16.4-12Michal Židek - 1.16.4-11Michal Židek - 1.16.4-10Michal Židek - 1.16.4-9Michal Židek - 1.16.4-8Michal Židek - 1.16.4-7Michal Židek - 1.16.4-6Michal Židek - 1.16.4-5Michal Židek - 1.16.4-4Michal Židek - 1.16.4-3Michal Židek - 1.16.4-2Michal Židek - 1.16.4-1Jakub Hrozek - 1.16.2-17Michal Židek - 1.16.2-16Michal Židek - 1.16.2-15Michal Židek - 1.16.2-14Jakub Hrozek - 1.16.2-13Fabiano Fidêncio - 1.16.2-12Jakub Hrozek - 1.16.2-11Jakub Hrozek - 1.16.2-10Jakub Hrozek - 1.16.2-9Jakub Hrozek - 1.16.2-8Fabiano Fidêncio - 1.16.2-7Fabiano Fidêncio - 1.16.2-6Fabiano Fidêncio - 1.16.2-5Fabiano Fidêncio - 1.16.2-4Fabiano Fidêncio - 1.16.2-3Fabiano Fidêncio - 1.16.2-2Fabiano Fidêncio - 1.16.2-1Fabiano Fidêncio - 1.16.0-25Fabiano Fidêncio - 1.16.0-24Fabiano Fidêncio - 1.16.0-23Fabiano Fidêncio - 1.16.0-22Jakub Hrozek - 1.16.0-21Fabiano Fidêncio - 1.16.0-20Fabiano Fidêncio - 1.16.0-19Fabiano Fidêncio - 1.16.0-18Fabiano Fidêncio - 1.16.0-17Fabiano Fidêncio - 1.16.0-16Fabiano Fidêncio - 1.16.0-15Fabiano Fidêncio - 1.16.0-14Fabiano Fidêncio - 1.16.0-13Fabiano Fidêncio - 1.16.0-12Fabiano Fidêncio - 1.16.0-11Fabiano Fidêncio - 1.16.0-10Fabiano Fidêncio - 1.16.0-9Fabiano Fidêncio - 1.16.0-8Fabiano Fidêncio - 1.16.0-7Fabiano Fidêncio - 1.16.0-6Fabiano Fidêncio - 1.16.0-5Fabiano Fidêncio - 1.16.0-4Fabiano Fidêncio - 1.16.0-3Fabiano Fidêncio - 1.16.0-2Fabiano Fidêncio - 1.16.0-1Jakub Hrozek - 1.15.2-51Jakub Hrozek - 1.15.2-50Jakub Hrozek - 1.15.2-49Jakub Hrozek - 1.15.2-48Jakub Hrozek - 1.15.2-47Jakub Hrozek - 1.15.2-46Jakub Hrozek - 1.15.2-45Jakub Hrozek - 1.15.2-44Jakub Hrozek - 1.15.2-43Jakub Hrozek - 1.15.2-42Jakub Hrozek - 1.15.2-41Jakub Hrozek - 1.15.2-40Jakub Hrozek - 1.15.2-39Jakub Hrozek - 1.15.2-38Jakub Hrozek - 1.15.2-37Jakub Hrozek - 1.15.2-36Jakub Hrozek - 1.15.2-35Jakub Hrozek - 1.15.2-34Jakub Hrozek - 1.15.2-33Jakub Hrozek - 1.15.2-32Jakub Hrozek - 1.15.2-31Sumit Bose - 1.15.2-30Jakub Hrozek - 1.15.2-29Jakub Hrozek - 1.15.2-28Jakub Hrozek - 1.15.2-25Jakub Hrozek - 1.15.2-24Lukas Slebodnik - 1.15.2-23Jakub Hrozek - 1.15.2-22Jakub Hrozek - 1.15.2-21Jakub Hrozek - 1.15.2-20Jakub Hrozek - 1.15.2-19Jakub Hrozek - 1.15.2-18Jakub Hrozek - 1.15.2-17Jakub Hrozek - 1.15.2-16Jakub Hrozek - 1.15.2-15Jakub Hrozek - 1.15.2-14Jakub Hrozek - 1.15.2-13Jakub Hrozek - 1.15.2-12Jakub Hrozek - 1.15.2-11Jakub Hrozek - 1.15.2-10Jakub Hrozek - 1.15.2-9Jakub Hrozek - 1.15.2-8Jakub Hrozek - 1.15.2-7Jakub Hrozek - 1.15.2-6Jakub Hrozek - 1.15.2-5Jakub Hrozek - 1.15.2-4Jakub Hrozek - 1.15.2-3Jakub Hrozek - 1.15.2-2Jakub Hrozek - 1.15.2-1Fabiano Fidêncio - 1.15.1-2Jakub Hrozek - 1.15.1-1Jakub Hrozek - 1.15.0-2Jakub Hrozek - 1.15.0-1Jakub Hrozek - 1.14.0-46Jakub Hrozek - 1.14.0-45Jakub Hrozek - 1.14.0-44Jakub Hrozek - 1.14.0-43Jakub Hrozek - 1.14.0-42Jakub Hrozek - 1.14.0-41Jakub Hrozek - 1.14.0-40Jakub Hrozek - 1.14.0-39Jakub Hrozek - 1.14.0-38Jakub Hrozek - 1.14.0-37Jakub Hrozek - 1.14.0-36Jakub Hrozek - 1.14.0-35Jakub Hrozek - 1.14.0-34Jakub Hrozek - 1.14.0-33Jakub Hrozek - 1.14.0-32Jakub Hrozek - 1.14.0-31Jakub Hrozek - 1.14.0-30Jakub Hrozek - 1.14.0-29Jakub Hrozek - 1.14.0-28Jakub Hrozek - 1.14.0-27Jakub Hrozek - 1.14.0-26Jakub Hrozek - 1.14.0-25Jakub Hrozek - 1.14.0-24Jakub Hrozek - 1.14.0-23Jakub Hrozek - 1.14.0-22Jakub Hrozek - 1.14.0-21Jakub Hrozek - 1.14.0-20Jakub Hrozek - 1.14.0-19Jakub Hrozek - 1.14.0-18Jakub Hrozek - 1.14.0-17Jakub Hrozek - 1.14.0-16Jakub Hrozek - 1.14.0-15Jakub Hrozek - 1.14.0-14Jakub Hrozek - 1.14.0-13Jakub Hrozek - 1.14.0-12Jakub Hrozek - 1.14.0-11Jakub Hrozek - 1.14.0-10Jakub Hrozek - 1.14.0-9Jakub Hrozek - 1.14.0-8Jakub Hrozek - 1.14.0-7Jakub Hrozek - 1.14.0-6Jakub Hrozek - 1.14.0-5Jakub Hrozek - 1.14.0-4Jakub Hrozek - 1.14.0-3Jakub Hrozek - 1.14.0-2Jakub Hrozek - 1.14.0-1Jakub Hrozek - 1.14.0beta1-2Jakub Hrozek - 1.14.0alpha-1Jakub Hrozek - 1.13.0-50Jakub Hrozek - 1.13.0-49Jakub Hrozek - 1.13.0-48Jakub Hrozek - 1.13.0-47Jakub Hrozek - 1.13.0-46Jakub Hrozek - 1.13.0-45Jakub Hrozek - 1.13.0-44Jakub Hrozek - 1.13.0-43Jakub Hrozek - 1.13.0-42Jakub Hrozek - 1.13.0-41Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 1.12.2-58.3Jakub Hrozek - 1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 1.11.2-52Jakub Hrozek - 1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Resolves: rhbz#2097014 - SSSD -> sssd_be and sssd_ifp coredump [rhel-7.9.z] - Resolves: rhbz#2107380 - sssd timezone issues sudonotafter [rhel-7.9.z] - Resolves: rhbz#2116207 - SSSD starting offline after reboot [rhel-7.9.z]- Resolves: rhbz#2079441 - SSSD update prompts for smartcard pin twice - After update to 7.9 [rhel-7.9.z] - Resolves: rhbz#2073352 - Use right sdap_domain in ad_domain_info_send [rhel-7.9.z]- Resolves: rhbz#2006382 - IPA Intermittence fetching groups - Resolves: rhbz#2006866 - sssd_be segfault due to empty forest root name - Resolves: rhbz#2031729 - IPA clients fail to resolve override group names. - Resolves: rhbz#2032867 - AD Domain in the AD Forest Missing after sssd latest update- Resolves: rhbz#1968316 - SSSD: User authentication failing after server reboot. - Resolves: rhbz#2000238 - disabled root ad domain causes subdomains to be marked offline - Resolves: rhbz#1984591 - After sssd update to 1.16.5-10.el7_9.8.x86_64 the customer is facing slow connection/authentication (due to discovery of unexpected AD domains)- Resolves: rhbz#1973796 - SSSD is NOT able to contact the Global Catalog when local site is down- Resolves: rhbz#1988463 - Missing search index for `originalADgidNumber` [rhel-7.9.z] - Resolves: rhbz#1968330 - id lookup is failing intermittently - Resolves: rhbz#1964415 - Memory leak in the simple access provider - Resolves: rhbz#1985457 - EMBARGOED CVE-2021-3621 sssd: shell command injection in sssctl [rhel-7.9.z]- Resolves: rhbz#1910131 - sssd throwing error " Unable to parse name test' [1432158283]: The internal name format cannot be parsed" at debug_level 2 [rhel-7.9.z] - Resolves: rhbz#1922244 - First smart refresh query contains modifyTimestamp even if the modifyTimestamp is 0. [rhel-7.9.z] - Resolves: rhbz#1935685 - SSSD not detecting subdomain from AD forest (7.9z) - Resolves: rhbz#1945552 - IPA missing secondary IPA Posix groups in latest sssd 1.16.5-10.el7_9.7 [rhel-7.9.z] - Resolves: rhbz#1839972 - Authentication handshake (ldap_install_tls()) fails due to underlying openssl operation failing with EINTR [rhel-7.9.z]- Resolves: rhbz#1875514 - filter_groups option partially filters the group from 'id' output of the user because gidNumber still appears in 'id' output [rhel-7.9.z] - Resolves: rhbz#1772513 - SSSD is generating lot of LDAP queries in a very large environment [rhel-7.9.z] - Resolves: rhbz#1736845 - [RFE] Backporting certificate matching rules for files, AD and LDAP provider [rhel-7.9.z]- Resolves: rhbz#1899593 - sssd_be segfaults at be_refresh_get_values_ex() due to NULL ptrs in results of sysdb_search_with_ts_attr() [rhel-7.9.z] - Resolves: rhbz#1888409 - sssd component logging is now too generic in syslog/journal [rhel-7.9.z] - Resolves: rhbz#1852659 - sssd service is starting even though it is disabled state [rhel-7.9.z] - Resolves: rhbz#1893443 - User lookups over the InfoPipe responder fail intermittently [rhel-7.9.z] - Resolves: rhbz#1871288 - krb5_child denies ssh users when pki device detected [rhel-7.9.z] - Resolves: rhbz#1853703 - Unexpected behavior and issue with filter_users/filter_groups option [rhel-7.9.z] - Resolves: rhbz#1756240 - [RfE] Implement a new sssd.conf option to disable the filter for AD domain local groups from trusted domains [rhel-7.9.z] - Resolves: rhbz#1851112 - LDAP bind can fail due to unconfigurable DNS server timeouts that inhibit SSSD failover [rhel-7.9.z]- Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] (Previous attempt to fix this issue was incomplete (again)) - just bumping the version to build for proper target- Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] (Previous attempt to fix this issue was incomplete (again))- Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] (Previous attempt to fix this issue was incomplete)- Resolves: rhbz#1854317 - sssd crashes after last update to sssd-common-1.16.4-37.el7_8.1 with servers configured with multiple domains [rhel-7.9.z] - Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] - just bumping the version to build for proper target- Resolves: rhbz#1854317 - sssd crashes after last update to sssd-common-1.16.4-37.el7_8.1 with servers configured with multiple domains [rhel-7.9.z] - Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z]- Resolves: rhbz#1804005 - sssd doesn't follow the link order of AD Group Policy Management - Resolves: rhbz#1773409 - sssd is failing to discover other subdomains in the forest if LDAP entries do not contain AD forest root information - Resolves: rhbz#1551077 - GDM failure loop when no user mapped for smart card - Resolves: rhbz#1507683 - GDM password prompt when cert mapped to multiple users and promptusername is False- Resolves: rhbz#1796873 - [sssd] RHEL 7.9 Tier 0 Localization- Resolves: rhbz#1553784 - Document how to prevent invalid selinux context for default home directories in SSSD-AD direct integration. - Resolves: rhbz#1836910 - Rhel7.7 server have an issue regarding dyndns update for PTR-records which is done by sssd on active directory DNS servers. It is done in two steps (two different nsupdate messages).- Resolves: rhbz#1835813 - sssd boots offline if symlink for /etc/resolv.conf is broken/missing - Resolves: rhbz#1837545 - Users must be informed better when internal WATCHDOG terminates process.- Resolves: rhbz#1819013 - pam_sss reports PAM_CRED_ERR when providing wrong password for an existing IPA user, but this error's description is misleading - Resolves: rhbz#1800571 - Multiples Kerberos ticket on RHEL 7.7 after lock and unlock screen- Resolves: rhbz#1834266 - "off-by-one error" in watchdog implementation- Resolves: rhbz#1829806 - [Bug] Reduce logging about flat names - Resolves: rhbz#1800564 - `sssd.api.conf` and `sssd.api.d` should belong to `python-sssdconfig` package- Resolves: rhbz#1683946 - sssd or sssd-ad not updating their dependencies on "yum update" which breaks working setup- Resolves: rhbz#1513371 - [abrt] [faf] sssd: raise(): /usr/libexec/sssd/sssd_be[PROXY] killed by 6 - Resolves: rhbz#1568083 - subdomain lookup fails when certmaprule contains DN - Resolves: rhbz#1781539 - PKINIT with KCM does not work - Resolves: rhbz#1786341 - SSSD doesn't honour the customized ID view created in IPA - Resolves: rhbz#1709818 - override_gid did not work for subdomain. - Resolves: rhbz#1719718 - Validator warning issue : Attribute 'dns_resolver_op_timeout' is not allowed in section 'domain/REMOVED'. Check for typos - Resolves: rhbz#1787067 - sssd (sssd_be) is consuming 100 CPU, partially due to failing mem-cache - Resolves: rhbz#1822461 - background refresh task does not refresh updated netgroup entries - Added missing 'Requires' to resolves some of rpmdiff tool warnings- Resolves: rhbz#1796352 - Rebase SSSD for RHEL 7.9- Resolves: rhbz#1789349 - id command taking 1+ minute for returning user information - Also updates spec file to not replace /pam.d/sssd-shadowutils on update- Resolves: rhbz#1784620 - Force LDAPS over 636 with AD Access Provider - just bumping the version to fix generated dates in man pages- Resolves: rhbz#1784620 - Force LDAPS over 636 with AD Access Provider- Resolves: rhbz#1769755 - sssd failover leads to delayed and failed logins- Resolves: rhbz#1768404 - automount on RHEL7 gives the message 'lookup(sss): setautomntent: No such file or directory'- Resolves: rhbz#1734056 - [sssd] RHEL 7.8 Tier 0 Localization- Resolves: rhbz#1530741 - Trusted domain user logins succeed after using ipa trustdomain-disable- Resolves: rhbz#1746878 - Let IPA client read IPA objects via LDAP and not a extdom plugin when resolving trusted users and groups- Resolves: rhbz#1530741 - Trusted domain user logins succeed after using ipa trustdomain-disable- Resolves: rhbz#1713352 - Implicit files domain gets activated when no sssd.conf present and sssd is started- Resolves: rhbz#1206221 - sssd should not always read entire autofs map from ldap- Resolves: rhbz#1657978 - SSSD is not refreshing cached user data for the ipa sub-domain in a IPA/AD trust- Resolves: rhbz#1541172 - ad_enabled_domains does not disable old subdomain after a restart until a timer removes it- Resolves: rhbz#1738674 - Paging not enabled when fetching external groups, limits the number of external groups to 2000- Resolves: rhbz#1650018 - SSSD doesn't clear cache entries for IDs below min_id- Resolves: rhbz#1724088 - negative cache does not use values from 'filter_users' config option for known domains- Resolves: rhbz#1422618 - sssd does not failover to another IPA server if just the KDC service fails - Just bumping the version to work around "build already exists"- Resolves: rhbz#1714952 - [sssd] RHEL 7.7 Tier 0 Localization - Rebuild japanese gmo file explicitly- Resolves: rhbz#1714952 - [sssd] RHEL 7.7 Tier 0 Localization- Resolves: rhbz#1707959 - sssd does not properly check GSS-SPNEGO- Resolves: rhbz#1710286 - The server error message is not returned if password change fails- Resolves: rhbz#1711832 - The files provider does not handle resetOffline properly- Resolves: rhbz#1707759 - Error accessing files on samba share randomly- Resolves: rhbz#1685581 - Extend cached_auth_timeout to cover subdomains /trusts- Resolves: rhbz#1684979 - The HBAC code requires dereference to be enabled and fails otherwise- Resolves: rhbz#1576524 - RHEL STIG pointing sssd Packaging issue - This was partially fixed by the rebase, but one spec file change was missing.- Resolves: rhbz#1524566 - FIPS mode breaks using pysss.so (sss_obfuscate)- Resolves: rhbz#1350012 - kinit / sssd kerberos fail over - Resolves: rhbz#720688 - [RFE] return multiple server addresses to the Kerberos locator plugin- Resolves: rhbz#1402056 - [RFE] Make 2FA prompting configurable- Resolves: rhbz#1666819 - SSSD can trigger a NSS lookup when parsing the filter_users/groups lists on startup, this can block the startup- Resolves: rhbz#1645461 - Slow ldb search causes blocking during startup which might cause the registration to time out- Resolves: rhbz#1685581 - Extend cached_auth_timeout to cover subdomains / trusts- Resolves: rhbz#1671138 - User is unable to perform sudo as a user on IPA Server, even though `sudo -l` shows permissions to do so- Resolves: rhbz#1657806 - [RFE]: Optionally disable generating auto private groups for subdomains of an AD provider- Resolves: rhbz#1641131 - [RFE] Need an option in SSSD so that it will skip GPOs that have groupPolicyContainers, unreadable by SSSD. - Resolves: rhbz#1660874 - CVE-2018-16838 sssd: improper implementation of GPOs due to too restrictive permissions [rhel-7]- Resolves: rhbz#1631656 - KCM: kinit: Matching credential not found while getting default ccache- Resolves: rhbz#1406678 - sssd service is starting before network service - Resolves: rhbz#1616853 - SSSD always boots in Offline mode- Resolves: rhbz#1658994 - Rebase SSSD to 1.16.x- Resolves: rhbz#1603311 - Enable generating user private groups only for users with uid == gid where gid does not correspond to a real LDAP group- Resolves: rhbz#1602172 - SSSD's LDAP authentication provider does not work if ID provider is authenticated with GSSAPI- Resolves: rhbz#1622109 - SSSD not fetching all sudo rules from AD- Resolves: rhbz#1619706 - sssd only sets the SELinux login context if it differs from the default- Resolves: rhbz#1593756 - sssd needs to require a newer version of libtalloc and libtevent to avoid an issue in GPO processing- Resolves: rhbz#1610667 - sssd_ssh leaks file descriptors when more than one certificate is converted into an SSH key - Resolves: rhbz#1583360 - The IPA selinux provider can return an error if SELinux is completely disabled- Resolves: rhbz#1602781 - Local users failed to login with same password- Resolves: rhbz#1586127 - Spurious check in the sssd nss memcache can cause the memory cache to be skipped- Resolves: rhbz#1522928 - sssd doesn't allow user with expired password- Resolves: rhbz#1607313 - When sssd is running as non-root user, the sudo pipe is created as sssd:sssd but then the private pipe ownership fails- Resolves: rhbz#1600822 - SSSD bails out saving desktop profiles in case an invalid profile is found- Resolves: rhbz#1582975 - The search filter for detecting POSIX attributes in global catalog is too broad and can cause a high load on the servers- Resolves: rhbz#1583725 - SSSD AD uses LDAP filter to detect POSIX attributes stored in AD GC also for regular AD DC queries - Resolves: rhbz#1416528 - sssd in cross realm trust configuration should be able to use AD KDCs from a client site defined in sssd.conf or a snippet - Resolves: rhbz#1592964 - Groups go missing with PAC enabled in sssd- Resolves: rhbz#1590603 - EMBARGOED CVE-2018-10852 sssd: information leak from the sssd-sudo responder [rhel-7] - Resolves: rhbz#1450778 - Full information regarding priority of lookup of principal in keytab not in man page- Resolves: rhbz#1494690 - kdcinfo files are not created for subdomains of a directly joined AD client - Resolves: rhbz#1583343 - Login with sshkeys stored in ipa not working after update to RHEL-7.5 - Resolves: rhbz#1527662 - Handle conflicting e-mail addresses more gracefully - Resolves: rhbz#1509691 - Document how to change the regular expression for SSSD so that group names with an @-sign can be parsed- Related: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch- Resolves: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch - Resolves: rhbz#1523019 - Reset password with two factor authentication fails - Resolves: rhbz#1534749 - Requesting an AD user's private group and then the user itself returns an emty homedir - Resolves: rhbz#1537272 - SSH public key authentication keeps working after keys are removed from ID view - Resolves: rhbz#1537279 - Certificate is not removed from cache when it's removed from the override - Resolves: rhbz#1562025 - externalUser sudo attribute must be fully-qualified - Resolves: rhbz#1577335 - /usr/libexec/sssd/sssd_autofs SIGABRT crash daily - Resolves: rhbz#1508530 - How should sudo behave without sudoHost attribute? - Resolves: rhbz#1546754 - The man page of sss_ssh_authorizedkeys can be enhanced to better explain how the keys are retrieved and how X.509 certificates can be used - Resolves: rhbz#1572790 - getgrgid/getpwuid fails in setups with multiple domains if the first domain uses mid_id/max_id - Resolves: rhbz#1561562 - sssd not honoring dyndns_server if the DNS update process is terminated with a signal - Resolves: rhbz#1583251 - home dir disappear in sssd cache on the IPA master for AD users - Resolves: rhbz#1514061 - ID override GID from Default Trust View is not properly resolved in case domain resolution order is set - Resolves: rhbz#1571466 - Utilizing domain_resolution_order in sssd.conf breaks SELinux user map - Resolves: rhbz#1571526 - SSSD with ID provider 'ad' should give a warning in case the ldap schema is manually changed to something different than 'ad'.- Resolves: rhbz#1547782 - The SSSD IPA provider allocates information about external groups on a long lived memory context, causing memory growth of the sssd_be process- Related: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1516266 - Give a more detailed debug and system-log message if krb5_init_context() failed - Resolves: rhbz#1503802 - Smartcard authentication fails if SSSD is offline and 'krb5_store_password_if_offline = True' - Resolves: rhbz#1385665 - Incorrect error code returned from krb5_child (updated) - Resolves: rhbz#1547234 - SSSD's GPO code ignores ad_site option - Resolves: rhbz#1459348 - extend sss-certmap man page regarding priority processing - Resolves: rhbz#1220767 - Group renaming issue when "id_provider = ldap" is set - Resolves: rhbz#1538555 - crash in nss_protocol_fill_netgrent. sssd_nss[19234]: segfault at 80 ip 000055612688c2a0 sp 00007ffddf9b9cd0 error 4 in sssd_nss[55612687e000+39000]- Resolves: rhbz#1565774 - After updating to RHEL 7.5 failing to clear the sssd cache- Resolves: rhbz#1566782 - memory management issue in the sssd_nss_ex interface can cause the ns-slapd process on IPA server to crash- Related: rhbzrhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1543348 - sssd_be consumes more memory on RHEL 7.4 systems. - Resolves: rhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1523282 - sssd used wrong search base with wrong AD server- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set - Related: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7]- Resolves: rhbz#1517971 - AD Domain goes offline immediately during subdomain initialization - IPA AD Trust - Related: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1527149 - AD provider - AD BUILTIN groups are cached with gidNumber = 0 - Related: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1525644 - dbus-send unable to find user by CAC cert- Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card- Resolves: rhbz#1512027 - NSS by-id requests are not checked against max_id/min_id ranges before triggering the backend- Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card - Resolves: rhbz#1520984 - getent output is not showing home directory for IPA AD trusted user - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1421194 - SSSD doesn't use AD global catalog for gidnumber lookup, resulting in unacceptable delay for large forests- Resolves: rhbz#1482231 - sssd_nss consumes more memory until restarted or machine swaps - Resolves: rhbz#1512508 - SSSD fails to fetch group information after switching IPA client to a non-default view- Resolves: rhbz#1490120 - SSSD complaining about corrupted mmap cache and logging error in /var/log/messages and /var/log/sssd/sssd_nss.log- Resolves: rhbz#1272214 - [RFE] Create a local per system report about who can access that IDM client (attestation) - Resolves: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Resolves: rhbz#888739 - Enumerating large number of users makes sssd_be hog the cpu for a long time. - Resolves: rhbz#1373547 - SSSD performance issue with malloc and brk calls - Resolves: rhbz#1472255 - Improve SSSD performance in the 7.5 release- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1432010 - SSSD ships a drop-in configuration snippet in /etc/systemd/system - Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available- Resolves: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Related: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1408294 - SSSD authentication fails when two IPA accounts share an email address without a clear way to debug the problem - Resolves: rhbz#1502686 - crash - /usr/libexec/sssd/sssd_nss in nss_setnetgrent_timeout- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1484376 - [RFE] Add a configuration option to SSSD to disable the memory cache - Resolves: rhbz#1327705 - Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1505277 - Race condition between refreshing the cr_domain list and a request that is using the list can cause a segfault is sssd_nss - Resolves: rhbz#1462343 - document information on why SSSD does not use host-based security filtering when processing AD GPOs - Resolves: rhbz#1498734 - sssd_be stuck in an infinite loop after completing full refresh of sudo rules - Resolves: rhbz#1400614 - [RFE] sssd should remember DNS sites from first search - Resolves: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Resolves: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1469791 - Rebase SSSD to version 1.16+ - Resolves: rhbz#1132264 - Allow sssd to retrieve sudo rules of local users whose sudo rules stored in ldap server - Resolves: rhbz#1301740 - sssd can be marked offline if a trusted domain is not reachable - Resolves: rhbz#1399262 - Use TCP for kerberos with AD by default - Resolves: rhbz#1416150 - RFE: Log to syslog when sssd cannot contact servers, goes offline - Resolves: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Resolves: rhbz#1454559 - python-sssdconfig doesn't parse hexadecimal debug _level, resulting in set_option(): /usr/lib/python2.7/site-packages/SSSDConfig/__init__.py killed by TypeError - Resolves: rhbz#1456968 - MAN: document that attribute 'provider' is not allowed in section 'secrets' - Resolves: rhbz#1460689 - KCM/secrets: Storing many secrets in a rapid succession segfaults the secrets responder - Resolves: rhbz#1464049 - Idle nss file descriptors should be closed - Resolves: rhbz#1468610 - sssd_be is utilizing more CPU during sudo rules refresh - Resolves: rhbz#1474711 - Querying the AD domain for external domain's ID can mark the AD domain offline - Resolves: rhbz#1479398 - samba shares with sssd authentication broken on 7.4 - Resolves: rhbz#1479983 - id root triggers an LDAP lookup - Resolves: rhbz#1489895 - Issues with certificate mapping rules - Resolves: rhbz#1490501 - sssd incorrectly checks 'try_inotify' thinking it is the wrong section - Resolves: rhbz#1490913 - MAN: Document that full_name_format must be set if the output of trusted domains user resolution should be shortnames only - Resolves: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Resolves: rhbz#1482674 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server - Resolves: rhbz#1486053 - Accessing IdM kerberos ticket fails while id mapping is applied - Resolves: rhbz#1486786 - sssd going in offline mode due to sudo search filter. - Resolves: rhbz#1500087 - SSSD creates bad override search filter due to AD Trust object with parenthesis - Resolves: rhbz#1502713 - SSSD can crash due to ABI changes in libldb >= 1.2.0 (1.1.30) - Resolves: rhbz#1461462 - sssd_client: add mutex protected call to the PAC responder - Resolves: rhbz#1489666 - Combination sssd-ad and postfix recieve incorrect mail with asterisks or spaces - Resolves: rhbz#1525052 - sssd_krb5_localauth_plugin fails to fallback to otheri localname rules- Require the 7.5 libldb version which broke ABI - Related: rhbz#1469791 - Rebase SSSD to version 1.16+- Resolves: rhbz#1457926 - Wrong search base used when SSSD is directly connected to AD child domain- Resolves: rhbz#1450107 - SSSD doesn't handle conflicts between users from trusted domains with the same name when shortname user resolution is enabled- Resolves: rhbz#1459846 - krb5: properly handle 'password expired' information retured by the KDC during PKINIT/Smartcard authentication- Resolves: rhbz#1430415 - ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in- Resolves: rhbz#1455254 - Make domain available as user attribute- Resolves: rhbz#1449731 - IPA client cannot change AD Trusted User password- Resolves: rhbz#1457927 - getent failed to fetch netgroup information after changing default_domain_suffix to ADdomin in /etc/sssd/sssd.conf- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15- Resolves: rhbz#1449728 - LDAP to IPA migration doesn't work in master- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1449729 - org.freedesktop.sssd.infopipe.GetUserGroups does not resolve groups into names with AD- Resolves: rhbz#1450094 - Properly support IPA's promptusername config option- Resolves: rhbz#1457644 - Segfault in access_provider = krb5 is set in sssd.conf due to an off-by-one error when constructing the child send buffer - Resolves: rhbz#1456531 - Option name typos are not detected with validator function of sssctl config-check command in domain sections- Resolves: rhbz#1428906 - sssd intermittently failing to resolve groups for an AD user in IPA-AD trust environment.- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail - Fix Coverity issues in patches for rhbz#1445445- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1446302 - crash in sssd-kcm due to a race-condition between two concurrent requests- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail- Resolves: rhbz#1306707 - Need better debug message when krb5_child returns an unhandled error, leading to a System Error PAM code- Resolves: rhbz#1446535 - Group resolution does not work in subdomain without ad_server option- Resolves: rhbz#1449726 - sss_nss_getlistbycert() does not return results from multiple domains - Resolves: rhbz#1447098 - sssd unable to search dbus for ipa user by certificate - Additional patch for rhbz#1440132- Reapply patch by Lukas Slebodnik to fix upgrade issues with libwbclient - Resolves: rhbz#1439457 - SSSD does not start after upgrade from 7.3 to 7.4 - Resolves: rhbz#1449107 - error: %pre(sssd-common-1.15.2-26.el7.x86_64) scriptlet failed, exit status 3- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15 - Also apply an additional patch for rhbz#1441545- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1434992 - Wrong pam return code for user from subdomain with ad_access_filter- Resolves: rhbz#1430494 - expect sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy manuals to be packaged into sssd-common package- Resolves: rhbz#1427749 - SSSD in server mode iterates over all domains for group-by-GID requests, causing unnecessary searches- Resolves: rhbz#1446139 - Infopipe method ListByCertificate does not return the users with overrides- Resolves: rhbz#1441545 - With multiple subdomain sections id command output for user is not displayed for both domains- Resolves: rhbz#1428866 - Using ad_enabled_domains configuration option in sssd.conf causes nameservice lookups to fail.- Remove an unused variable from the sssd-secrets responder - Related: rhbz#1398701 - [sssd-secrets] https proxy talks plain http - Improve two DEBUG messages in the client trust code to aid troubleshooting - Fix standalone application domains - Related: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Allow completely server-side unqualified name resolution if the domain order is set, do not require any client-side changes - Related: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users- Resolves: rhbz#1402532 - D-Bus interface of sssd is giving inappropriate group information for trusted AD users- Resolves: rhbz#1431858 - Wrong principal found with ad provider and long host name- Resolves: rhbz#1415167 - pam_acct_mgmt with pam_sss.so fails in unprivileged container unless selinux_provider = none is used- Resolves: rhbz#1438388 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_pam killed by 6- Resolves: rhbz#1432112 - sssctl config-check does not give any error when default configuration file is not present- Resolves: rhbz#1438374 - [abrt] [faf] sssd: vfprintf(): /usr/libexec/sssd/sssd_be killed by 11- Resolves: rhbz#1427195 - sssd_nss consumes more memory until restarted or machine swaps- Resolves: rhbz#1414023 - Create troubleshooting tool to determine if a failure is in SSSD or not when using layered products like RH-SSO/CFME etc- Resolves: rhbz#1398701 - [sssd-secrets] https proxy talks plain http- Fix off-by-one error in the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Resolves: rhbz#1434991 - Issue processing ssh keys from certificates in ssh respoder- Resolves: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users - Also backport some buildtime fixes for the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1340711 - [RFE] Use one smartcard and certificate for authentication to distinct logon accounts- Update to upstream 1.15.2 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html - Resolves: rhbz#1418728 - IPA - sudo does not handle associated conflict entries - Resolves: rhbz#1386748 - sssd doesn't update PTR records if A/PTR zones are configured as non-secure and secure - Resolves: rhbz#1214491 - [RFE] Make it possible to configure AD subdomain in the SSSD server mode- Drop "NOUPSTREAM: Bundle http-parser" patch Related: rhbz#1393819 - New package: http-parser- Update to upstream 1.15.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html - Resolves: rhbz#1327085 - Don't prompt for password if there is already one on the stack - Resolves: rhbz#1378722 - [RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases - Resolves: rhbz#1405075 - [RFE] Add PKINIT support to SSSD Kerberos provider - Resolves: rhbz#1416526 - Need correction in sssd-krb5 man page - Resolves: rhbz#1418752 - pam_sss crashes in do_pam_conversation if no conversation function is provided by the client app - Resolves: rhbz#1419356 - Fails to accept any sudo rules if there are two user entries in an ldap role with the same sudo user - Resolves: rhbz#1421622 - SSSD - Users/Groups are cached as mixed-case resulting in users unable to sign in- Fix several packaging issues, notably the p11_child is no longer setuid and the libwbclient used a wrong version number in the symlink- Update to upstream 1.15.0 - Resolves: rhbz#1393824 - Rebase SSSD to version 1.15 - Resolves: rhbz#1407960 - wbcLookupSid() fails in pdomain is NULL - Resolves: rhbz#1406437 - sssctl netgroup-show Cannot allocate memory - Resolves: rhbz#1400422 - Use-after free in resolver in case the fd is writeable and readable at the same time - Resolves: rhbz#1393085 - bz - ldap group names don't resolve after upgrading sssd to 1.14.0 if ldap_nesting_level is set to 0 - Resolves: rhbz#1392444 - sssd_be keeps crashing - Resolves: rhbz#1392441 - sssd fails to start after upgrading to RHEL 7.3 - Resolves: rhbz#1382602 - autofs map resolution doesn't work offline - Resolves: rhbz#1380436 - sudo: ignore case on case insensitive domains - Resolves: rhbz#1378251 - Typo In SSSD-AD Man Page - Resolves: rhbz#1373427 - Clock skew makes SSSD return System Error - Resolves: rhbz#1306707 - Need better handling of "Server not found in Kerberos database" - Resolves: rhbz#1297462 - Don't include 'enable_only=sssd' in the localauth plugin config- Resolves: rhbz#1382598 - IPA: Uninitialized variable during subdomain check- Resolves: rhbz#1378911 - No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain- Resolves: rhbz#1372075 - AD provider: SSSD does not retrieve a domain-local group with the AD provider when following AGGUDLP group structure across domains- Resolves: rhbz#1376831 - sssd-common is missing dependency on sssd-sudo- Resolves: rhbz#1371631 - login using gdm calls for gdm-smartcard when smartcard authentication is not enabled- Resolves: rhbz#1373420 - sss_override fails to export- Resolves: rhbz#1375299 - sss_groupshow fails with error "No such group in local domain. Printing groups only allowed in local domain"- Resolves: rhbz#1375182 - SSSD goes offline when the LDAP server returns sizelimit exceeded- Resolves: rhbz#1372753 - Access denied for user when access_provider = krb5 is set in sssd.conf- Resolves: rhbz#1373444 - unable to create group in sssd cache - Resolves: rhbz#1373577 - unable to add local user in sssd to a group in sssd- Resolves: rhbz#1369118 - Don't enable the default shadowtils domain in RHEL- Fix permissions for the private pipe directory - Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1371977 - resolving IPA nested user groups is broken in 1.14- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1371152 - SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side- Apply forgotten patch - Resolves: rhbz#1368496 - sssd is not able to authenticate with alias - Resolves: rhbz#1366470 - sssd: throw away the timestamp cache if re-initializing the persistent cache - Fix deleting non-existent secret - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1364033 - sssd exits if clock is adjusted backwards after boot- Resolves: rhbz#1362023 - SSSD fails to start when ldap_user_extra_attrs contains mail- Resolves: rhbz#1368324 - libsss_autofs.so is packaged in two packages sssd-common and libsss_autofs- Fix RPM scriptlet plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Add socket-activation plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Own the secrets directory - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1268874 - Add an option to disable checking for trusted domains in the subdomains provider- Resolves: rhbz#1271280 - sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)- Resolves: rhbz#1290500 - [feat] command to manually list fo_add_server_to_list information- Add several small fixes related to the config API - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Resolves: rhbz#1349900 - gpo search errors out and gpo_cache file is never created- Fix regressions in the simple access provider - Resolves: rhbz#1360806 - sssd does not start if sub-domain user is used with simple access provider - Apply a number of specfile patches to better match the upstream spefile - Related: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3- Cherry-pick patches from upstream that fix several regressions - Avoid checking local users in all cases - Resolves: rhbz#1353951 - sssd_pam leaks file descriptors- Resolves: rhbz#1364118 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11 - Resolves: rhbz#1361563 - Wrong pam error code returned for password change in offline mode- Resolves: rhbz#1309745 - Support multiple principals for IPA users- Resolves: rhbz#1304992 - Handle overriden name of members in the memberUid attribute- handle unresolvable sites more gracefully - Resolves: rhbz#1346011 - sssd is looking at a server in the GC of a subdomain, not the root domain. - fix compilation warnings in unit tests- fix capaths output - Resolves: rhbz#1344940 - GSSAPI error causes failures for child domain user logins across IPA - AD trust - also fix Coverity issues in the secrets responder and suppress noisy debug messages when setting the timestamp cache- Resolves: rhbz#1356577 - sssctl: Time stamps without time zone information- Resolves: rhbz#1354414 - New or modified ID-View User overrides are not visible unless rm -f /var/lib/sss/db/*cache*- Resolves: rhbz#1211631 - [RFE] Support of UPN for IdM trusted domains- Resolves: rhbz#1350520 - [abrt] sssd-common: ipa_dyndns_update_send(): sssd_be killed by SIGSEGV- Resolves: rhbz#1349882 - sssd does not work under non-root user - Also cherry-pick a few patches from upstream to fix config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Sync a few minor patches from upstream - Fix sssctl manpage - Fix nss-tests unit test on big-endian machines - Fix several issues in the config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Bundle http-parser - Resolves: rhbz#1311056 - Add a Secrets as a Service component- Sync a few minor patches from upstream - Fix a failover issue - Resolves: rhbz#1334749 - sssd fails to mark a connection as bad on searches that time out- Explicitly BuildRequire newer ding-libs - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- New upstream release 1.14.0 - Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#835492 - [RFE] SSSD admin tool request - force reload - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check) - Resolves: rhbz#1278691 - Please fix rfc2307 autofs schema defaults - Resolves: rhbz#1287209 - default_domain_suffix Appended to User Name - Resolves: rhbz#1300663 - Improve sudo protocol to support configurations with default_domain_suffix - Resolves: rhbz#1312275 - Support authentication indicators from IPA- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#790113 - [RFE] "include" directive in sssd.conf - Resolves: rhbz#874985 - [RFE] AD provider support for automount lookups - Resolves: rhbz#879333 - [RFE] SSSD admin tool request - status overview - Resolves: rhbz#1140022 - [RFE]Allow sssd to add a new option that would specify which server to update DNS with - Resolves: rhbz#1290380 - RFE: Improve SSSD performance in large environments - Resolves: rhbz#883886 - sssd: incorrect checks on length values during packet decoding - Resolves: rhbz#988207 - sssd does not detail which line in configuration is invalid - Resolves: rhbz#1007969 - sssd_cache does not remove have an option to remove the sssd database - Resolves: rhbz#1103249 - PAC responder needs much time to process large group lists - Resolves: rhbz#1118257 - Users in ipa groups, added to netgroups are not resovable - Resolves: rhbz#1269018 - Too much logging from sssd_be - Resolves: rhbz#1293695 - sssd mixup nested group from AD trusted domains - Resolves: rhbz#1308935 - After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user - Resolves: rhbz#1315766 - SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo - Resolves: rhbz#1316164 - SSSD fails to process GPO from Active Directory - Resolves: rhbz#1322458 - sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - The rebase includes fixes for the following bugzillas: - Resolves: rhbz#789477 - [RFE] SUDO: Support the IPA schema - Resolves: rhbz#1059972 - RFE: SSSD: Automatically assign new slices for any AD domain - Resolves: rhbz#1233200 - man sssd.conf should clarify details about subdomain_inherit option. - Resolves: rhbz#1238144 - Need better libhbac debuging added to sssd - Resolves: rhbz#1265366 - sss_override segfaults when accidentally adding --help flag to some commands - Resolves: rhbz#1269512 - sss_override: memory violation - Resolves: rhbz#1278566 - crash in sssd when non-Englsh locale is used and pam_strerror prints non-ASCII characters - Resolves: rhbz#1283686 - groups get deleted from the cache - Resolves: rhbz#1290378 - Smart Cards: Certificate in the ID View - Resolves: rhbz#1292238 - extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members - Resolves: rhbz#1292456 - sssd_be AD segfaults on missing A record - Resolves: rhbz#1294670 - Local users with local sudo rules causes LDAP queries - Resolves: rhbz#1296618 - Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore - Resolves: rhbz#1299553 - Cannot retrieve users after upgrade from 1.12 to 1.13 - Resolves: rhbz#1302821 - Cannot start sssd after switching to non-root - Resolves: rhbz#1310877 - [RFE] Support Automatic Renewing of Kerberos Host Keytabs - Resolves: rhbz#1313014 - sssd is not closing sockets properly - Resolves: rhbz#1318996 - SSSD does not fail over to next GC - Resolves: rhbz#1327270 - local overrides: issues with sub-domain users and mixed case names - Resolves: rhbz#1342547 - sssd-libwbclient: wbcSidsToUnixIds should not fail on lookup errors- Build the PAC plugin with krb5-1.14 - Related: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1290853 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.- Resolves: rhbz#1336706 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups- Resolves: rhbz#1296902 - In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD.- Resolves: rhbz#1334159 - IPA provider crashes if a netgroup from a trusted domain is requested- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin - More patches from upstream related to the memory leak- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin- Resolves: rhbz#1300740 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.- Resolves: rhbz#1267836 - PAM responder crashed if user was not set- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Fix a Coverity warning in dyndns code - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1263735 - Could not resolve AD user from root domain- Remove -d from sss_override manpage - Related: rhbz#1259512 - sss_override : The local override user is not found- Patches required for better handling of failover with one-way trusts - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users- Resolves: rhbz#1259512 - sss_override : The local override user is not found- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help- Resolves: rhbz#1254518 - Fix crash in nss responder- Support import/export for local overrides - Support FQDNs for local overrides - Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes- Resolves: rhbz#1250415 - sssd: p11_child hardening- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected- Fix wildcard_limit=0 - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Fix race condition in invalidating the memory cache - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled- Bump release number - Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- Fix missing dependency of sssd-tools - Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- More memory cache related fixes - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Remove binary blob from SC patches as patch(1) can't handle those - Related: rhbz#854396 - [RFE] Support for smart cards- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*- Fix memory cache integration tests - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups - Resolves: rhbz#854396 - [RFE] Support for smart cards- Remove OTP from PAM stack correctly - Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Handle sssd-owned keytabs when sssd runs as root - Related: rhbz#1205144 - RFE: Support one-way trusts for IPA- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on individual clients- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support - Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2- Add support for InfoPipe wildcard requests - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Also package the initgr memcache - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Rebase to 1.13.0 upstream - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Don't default to SSSD user - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Related: rhbz#1205554 - Rebase SSSD to 1.13.x - GPO default should be permissve- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x - Relax the libldb requirement - Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21 - Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs - Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust - Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers - Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains - Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups - Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set - Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides - Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution - Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work - Resolves: rhbz#1214337 - Overrides with --login work in second attempt - Resolves: rhbz#1212489 - Disable the cleanup task by default - Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf - Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one - Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected - Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all - Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface - Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain - Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys - Resolves: rhbz#1204203 - sssd crashes intermittently - Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default - Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only - Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries - Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything - Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query - Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects - Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name? - Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error - Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD - Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set - Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires - Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option - Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID- Filter out domain-local groups during AD initgroups operation - Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Initialize variable in the views code in one success and one failure path - Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Handle case where there is no default and no rules - Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u- Set a pointer in ldap_child to NULL to avoid warnings - Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Run the restart in sssd-common posttrans - Explicitly require libwbclient - Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Fix endianess bug in fill_id() - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view- Resolves: rhbz#1184982 - Need to set different umask in selinux_child- Bump the release number - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Add a patch dependency - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Process ghost members only once - Fix processing of universal groups with members from different domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved- Handle GID override in MPG domains - Handle views with mixed-case domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Open socket to the PAC responder in krb5_child before dropping root - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD- Resolves: rhbz#889206 - On clock skew sssd returns system error- Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used - Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Resolves: rhbz#1171215 - Crash in function get_object_from_cache - Resolves: rhbz#1171383 - getent fails for posix group with AD users after login - Resolves: rhbz#1171382 - getent of AD universal group fails after group users login - Resolves: rhbz#1170300 - Access is not rejected for disabled domain - Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode - Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear - Related: rhbz#1113783 - sssd should run under unprivileged user- Rebuild to add several forgotten Patch entries - Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Remove Coverity warnings in krb5_child code - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Don't error out on chpass with OTPs - Related: rhbz#1109756 - Rebase SSSD to 1.12- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users - Enable running unit tests without cmocka - Related: rhbz#1113783 - sssd should run under unprivileged user- krb5_child and ldap_child do not call Kerberos calls as root - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware- Fix typo in libwbclient-devel alternatives invocation - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.- Handle migrating clients between views - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Use alternatives for libwbclient - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression- Add an option that describes where to put generated krb5 files to - Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12- Handle IPA group names returned from the extop plugin - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete- Support views for IPA users - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Update man page to clarify TGs should be disabled with a custom search base - Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Use upstreamed patches for the rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Resolves: rhbz#1162480 - dereferencing failure against openldap server- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1113783 - sssd should run under unprivileged user- Fix two regressions in the new selinux_child process - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1132365 - Remove password from the PAM stack if OTP is used- Include the ldap_child and selinux_child patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Support overriding SSH public keys with views - Support extended attributes via the extop plugin - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving - Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times- Include the responder and packaging patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Amend the sssd-ldap man page with info about lockout setup - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD - Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server - Related: rhbz#1109756 - Rebase SSSD to 1.12- Add the low-level server changes for running as unprivileged user - Package the libsss_semange library needed for SELinux label changes - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Use libsemanage for SELinux label changes - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Rebase SSSD to 1.12.2 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Sync with upstream - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebuild against ding-libs with fixed SONAME - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.1 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Require ldb 2.1.17 - Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer- Fix fully qualified IFP lookups - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.0 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Squash in upstream review comments about the PAC patch - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Backport a patch to allow krb5-utils-test to run as root - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Fix a DEBUG message, backport two related fixes - Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success- Resolves: rhbz#1078840 - Error during password change- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider- Fix idmap documentation - Bump idmap version info - Related: rhbz#1067361 - Check IPA idranges before saving them to the cache- Pull some follow up man page fixes from upstream - Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does. - Use the right domain for AD site resolution - Related: rhbz#743503 - [RFE] sssd should support DNS sites- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin- Mass rebuild 2014-01-24- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed. - Fix a typo in the man page - Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain - Fix return value when searching for AD domain flat names - Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword. - Fix two memory leaks in the PAC responder (Related: rhbz#991065)- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup- Resolves: rhbz#1049533 - Group membership lookup issue- Mass rebuild 2013-12-27- Resolves: rhbz#894068 - sss_cache doesn't support subdomains- Re-initialize subdomains after provider startup - Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- The AD provider is able to resolve group memberships for groups with Global and Universal scope - Related: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog- Resolves: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog - Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"- Resolves: rhbz#1037936 - sssd_be crashes occasionally- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains- Resolves: rhbz#1033084 - sssd_be segfaults if empty grop is resolved using ad_matching_rule- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- Skip netgroups that don't provide well-formed triplets - Related: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 - Resolves: rhbz#991065- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash - Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 - Resolves: rhbz#991065 - Rebase SSSD to 1.11.0- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 - Resolves: rhbz#991065- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 - Related: rhbz#991065- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting- Apply several important fixes from upstream 1.10 branch - Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- Remove libcmocka dependency- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doensn't carry any older krb5-libs version- Enable hardened build for RHEL7- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath insted of mcachepath macro to be consistent with upsteam spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. - Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested tar get is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstreeam spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predicatable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. - Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. - Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. - Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. (Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)svuk1.16.5-10.el7_9.141.16.5-10.el7_9.14libsss_ad.sogpo_childsssd-ad-1.16.5COPYINGsssd-ad.5.gzsssd-ad.5.gzsssd-ad.5.gz/usr/lib64/sssd//usr/libexec/sssd//usr/share/licenses//usr/share/licenses/sssd-ad-1.16.5//usr/share/man/man5//usr/share/man/sv/man5//usr/share/man/uk/man5/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericcpioxz9x86_64-redhat-linux-gnuELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=23c7985504da19672ecc82ff4142b49b45da3fed, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=93844f5e8e395f57ef432a9a16adfb6fa0535f76, strippeddirectoryASCII texttroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, from Unix, max compression)troff or preprocessor input, UTF-8 Unicode text, with very long lines (gzip compressed data, from Unix, max compression)BBPRRRCRRRRRRRR RR@R)R:R-RRRRR,R/RR9RRRGR'R RRRRRRR@R0R7R>R?R&R RRR*RR/RRRG?@7zXZ !X}] crv9wiIsL(\h,#0 ߰{;a/mҞ6 y%-mmzgAPDA[7NSNJt#@0a5OAYiK6hZ_ PZF`'mP1;!uxZ%Wga|"qîX~WTsOc}gϲ:Ւ(a$*Bʥzڹy1dn}abyC0~z~1ݒyO6ש@r~Se77SKW~n·1~*y{ٌaff?2/$ +<&?֣=wAM軨20zYױ{pb}c0Jťċ2fU q 7WhZӹ>r51T,%~t\iJ_ Ic#\MmF/&^!5'C:kvC9^T*$ƌf˔ ^HR(e }>m|;ɽ|471lr|-3f ë@7<.,1;k2*egg @B][Pշv=emD\w\Yj TXT֟o“[DAۓ=G _4&鹫 !?Kg8@AM͉ƥT- ۴+wqA^LDJ3iwT[5v?nUbE-U54XcksZkL2,ެ\:N\Cx,s) "q90@}] ŊBs _kBxd3&uqR;\؊؊Zڟv*x*t;:Jg{`Rm<~ߺ~Îkm,mR 5rG {hOD#V;Ք LI$YL4#W?΢X#v QJ'}Uq($rzcQ'rj|ű(L)sܿO,[t +1IιIWKsONU;*y *f-[Fy,]HuXзLgߗx`DoG1`ӥ6Ny ҄6a:W/C0*Tǻg,4M,_9]{P|^Y U.C2-V-}=bg1Rf\wB -Tc3`Zʠx;U 2SR0]3^(i2epq@ԧ LslXd4:&Gߎ&K QM*)LTQ$nT5bEgZI o gt!%pOG$^x 33ɖqF;H ۼI+cS*iU5ƨ [bBٕS]cf%<ƄK&A_GUIL2м5F؈U*hH'`x]&ЃzHZ,ATVge.>Ura/6@yϻM0͞z0)ȣ;ɜE?`Ud.7`Çz7J*J;T'pO"w[U7te] tp-Aǵqb\H9l5SJe@U߻S*E=]w<6}uiOMy9?*>. XB%e gs,U:d8ӚReceK>5|~Anܯ{G~}W|%k4 !oj41ҳw&SBh:xKzTL$ wUu_;)_"G?" uп{ք,)G6K\jZ|’b#a]=dϒcN c.}Gͦ˗g۬ZٞI7? ͸,?N?sVG7g0o.Wc6(}E}q/,5$ަ [UbQcr'Qa(]΅ވjt\ndaidf%o aUvsIQOWWO!VmBer.9kG86p rv 4"آ_ig޾yH[k4`@{7R[S٪7Q' ݊c=Tb,vB'>1^T׎mcˡ75qP]FEQ\gLe0(fݫ܅4+]oeOC oR"MֺzBM17`#O g[rzksEX({E]]M|2AeKaXsAdYu9d 7`;%/zkVyHL(,^ă*O ejau>R&WYIu{k.¥`T&w _-ʀK(RlǯeUj? )^\Ej]Bt ~&j*qP0z 1pT@!fuYLI ͝es|ǽd`Dl7ŔJ@ZpC>F{(H8Z$wP @ŇܔU1Y&Rl\!ۺ1kNk\k?7+-PH ʻ @DYMR{.6YQJ0*L6,@/k׻VGGǧU(4t+,oJEYp&c-nRgꫣz ZsV<$GzdhzQgZ~]SaDlç`T0WPNpkPco Tw`xxW_fD>M  Nb^'j/QIM-ć/봷d[-871&L'YSRnƹ+lI\+9`PM7Rs}75J aZb8,lWSLf{QeԸӾ;8z9d-hBZ^ULp͞/W[%mKS%5]6xE#iϡå4K ȅ)f~IPMn[u.6;NMf2Hhx zI-]k6AJ0RWpȚ'f],+#B~>AT-sRO@OlMC"YâN<3[3!( ߶gτr%u װj.څY*L,9vfe0<__G?Ɛ-5a: "V,RXi#gi4nA@H50;) e6?w̸4C@*9obdS(jlqB\>ܻ>DҔK~-_2ТhhڢыqyİxULD ϧ*'vO(Kw'X'ˎʶwpia_us`dof ,P au^]e6ytkMNꗡu!k WѪS`_Y.~ v B5?NzXT?q"f1ڜ-F5*V{lx$vc駨I'Ӽ>t.<֠3vȇ HCǰ:XwjR~ z=R4P+*zb*$T(=j`ڮ0Й&NDa. YB&=.fD cQZNi3~3/oة[R66+Io9SRyCir-Ҁ=fe>-Yvsnײq!X)!(XxƐHdhE}ժ_9@7ŖDA'6#Gu7c`㗩{mIfS 0TaTGe~9BnC,@Y叁3Xwod{VO*!S<HuG~`cquhZkf[/uU^ts&7@oBnhYQ o"bi.08Wh6:Amx_+™ˊ^+}w\I1CmV^jxͬj&*A9=/awԤP%B)`*k<9~ G醩h8#D0`}7̩Z(r ?j\GPy0q+Jy1܆*AE[.Y Ev-cZv2[=XfPW`_xh7i KS$ 5ʗ` iI8"s +\d w3))wg[1,&0nLT\9!? DxV<&5Pav8V%#=<C9B#p 2 ϻ%)> F]g 1?1aѼ[WE OXn03"yBsmǕR9˲5Q/=#m)OwQXA)k'lSfwcuɄi}w ̔n⁴ -H~tF:3dH"t ܑt^Opї}w:HQA٩~C_5)n- 1,yER*SCn! 7&0*ucVs;Y;Q IXνeLŹ\)}Ղuw-. V'>IJӬ8|quN+QZY]{Nؚp2ML!Ɛi`n,."0LXpCy9x{9:%ZN' 69;])%%c"b":s;A`Od3,_`%uc8PJN/0_SԂRhG P$;UMS$R'Qh* el!awθ3bH8)/=ȇF@6eO@ɾ>Y%KNz'i>73қ %!u$:dޥAJ$fH'Js $@|S?^(E%b3[&gEb/#5Nbx޶&}bWL'ta=4]D "a8?08JESs-N-x'|} dwXa^va6FVig%v˧+Z-XAdc=}t\&Xo%4bSXb{2 p1ED6٥`5nfry`]lȻ"YA(TR[p"Y 'LkDo!H G}i#H+X-bb\" fvy\WϞxqWň"bmJ _`GQ1z@rLfa‘;PzT- XӮ`8ԞU~eW5 J/^4nI$bonƩ{OŒ)׵;Rd{zaG}y'hȃ45_ ZT?u[H->YZ|A*!?j7GŎk#ۃbh2Nh)Uẖ&>SZYYVڐVط1+ <7FR^_}[2PM'Ǭ$";cҎpR~(0م9 jճb,R+)Q`GR9#Ƒ{s8UrЉC z*!S+3,`.ɶj>mkaiϑ|2qhq\'bOZn@\§y"EXӲCu͜U /b:/G܄Xy'!}d w'<71EK QfT4,)XF/f^[?A(P_Ģx~'LeJj1y_XlC(d>-X'{<\'kkf*=vzʖ)_B9 `GBRչ<}v,:vX(@Q< sTI}o|qh@b~НWȤeE^DB \D%f.ФlqPrX\~[>%YpZj{޳cyt]Ff}::=ȋC2 4 !lPՈ΂i)|Y{[oOa_t-^|zIK4 vZ55BEGrcI$Z/b7+훫kW[tsAj~ |i*l 0V:EJQW"=0~x%7񐇒5ztbg[n94׃R yRk2~~_)pG2Eb=c-M2\`-o$!߶݈)XJ\nO~]=^BȺ.#pAT?){; ņsoRa0_XܠD`{) gaHA7VI/k_eYii yZNɦtetW:YwiTvg#vbĻ+`"NoH2v2CF/ [E׋c^7%5x2UU=.}4gtI\j72; 4!&UtNU×c5*S9.]0B1y { \)o*#BC;qWh0Z̕)"\\V F 'D`fkio*[ϙ/W,55R[QڴDShȁHF54'n6x_}N<)JZ"V<]SD0Cq wJli {L!X8{AE:P^oG.Z2Rk@:"|r""L(3$bҦ1U-:xU])1t=}LͧΫf0/D_̄>4++E!Xۨ*Ú-Ї:.S_A 22nU:z`L"#=ؽ#rE(fX{H=fL Pxx'jH:\ܕp ͮ8=K肏՗B;4_JX8]"EKX? ;VX0e ^E_KOj€n |I~@iYPOk;fU|_MOxJ*3x$4\w:ԫ)x 䢤t5oMpr()ðNְC~!#1a Cޖ4_r!N){|Agj3,)p. '(g Tz]x_)%TUQRд$uLֆ-nwpC(ིZ:.4veXEHf'Ep| 2n^3.j*xTݱj0ӎV|"o^JD{b(E$jvg0i21~{9~qwuLD[u@-1/ /`,-Pr-?49"UJGkiWdoʼZ..gZԔo,#+=Ǻ1KWCQ ٓX߆KE^L'?7=Ƃ2ÂZf'6Z̨-7 !+ |\Ǵ:NVdTyWcao}'լ@m \rHl޷%ٯx#]/)V浐chҿW0Wqa_3Am[;P+M= zOsX禨wXS /LBˠd*m]F\BH"D¿s~഍(X'6~NK*XuK*ޞFnMy1%\0q9`1mn&OZ8zO)_އJ;%hyw0 $}D0(B D}e yĵ&kʖc&F|ʢrK W4sp鰼J{{L vk3 d!fZ-sF):dvﶆQ (6nMAGxת~% T)!YW 7޲N)3D=CcUg]E(378Nnl@׉Z7{&_O)^6?3](tzl..wUw^7{!.jl^'w=}HÓe6yE5M+1^>"b-qz [dr'jG$ tkw,A.j u?<@tu^ ~fKBu/eZ\QF6'{ȿRdsSN[g(%\3*TCrk/nܽV8{}A3n׻d8}&<̏ "24]@zc%O3[Ľ xi6xgUNI+6kWW|p^ҰL^jdEWj.d=L&]DsɔlBl/!HD.V3Kd$|fxTp  H=v%U.7ݒgu#em}v9[Nbݲsb&3QIۊi!9~z!b~w0TrZ?`$!rRIrTQ/`fd Oc̲hVa 2IE;ϊ !vpgTky UN#gXwP\r+!yݪ1B4uMl{*/@TD~|h 3dd@c@ޭij :>^5ss6`\kC?R禍PO%!IfWn_P&@R6r/o.mx8éŲ1=s 95Ll#bSag#]&y_dBdzњ 6lϋA.n[7uT/֒ P`m64v6r*z`~;'؟.n;o$`܌#-$U{̃+V`AZ9jN#bj k yNN ,M!JޢAu*/muB:Nlxd {XSOٹ953=kw&\M |b:v|zJroZ)J.0^IE/KA0/2ƈA`-,E9>Q)ِ:J8v(m0ʀj97%Ud%VuJJ[es'3T`oYv_n%qFE91uK=\8(̖OU|Z"_zUR=uY$}SZPg1Km$Bݼ)s^D3~&2).jYJX ^M}/CE]i4ݹśntH`Nޱ&(,^ oʹX]$"1\΢]k@Dxŝ,}k3Kh%/%qdM fK┧Ұ t!-c!LOzhR۩?bk56 {}m&zDg8.xd2_MQT#k,,'5ޒ;dj]A@Z&L\u*TI1f\]kJ)8D[xB1oX(I.98i"pH\-FO/>"ͤAW7yš+Q3u=HerX2.TƸ?x~`'be0x^X\'c*#Z7x 8%Le)!SmmǍWB\u8 edzmBPq4GNZ~X6)gq8>}km)+45pP! jǟn!lfO'f}|4LkԧQ p/xY8XޣTwZҼOYrJGMu,9v47qV9ƨ˦`!#1jmIrl :h.6KlT{{ldX![eHȲtUih.4)F8#Z?8.RMEU)hSp_^5<9XP{O dfg WdZX#qLvR/CjOb}t'Em::(9a2Uzg Dc3!(TZ£"7`{u Qj[/dž%Gcm445)e p]S{'vn80a;x׫#岢8[/>ypU^3^0ηnܭ;jAV6RKXFb=ywܤ^*%M=E"#'&ͭux+߉Z@shn-Eg9>篵y('OdO#Kz ?7Lp'ƫWdJ16r,Qǡ@'D]tu/c9K񲫗rB-G3~9a(T-S/pgz+L5CRHdy4T}g<(J,?P'PY3);#\{3r*Ѕv~;VĿo/5S!?^N[#QN}F%qGNGR@#4<<8xAL.X0 .7G7,^)p3^n4])ʧ<[:@EW)PA'ԗ +˪xQPXi=ff`k&A,5LȥRfiDV;n/N*Z41|ۂysҠV.8}NsiTjĮa,MɢU(xqpU@Mb[鷅O^-Ha3@+w%E1!жq놕U鷞$Rn0%ҷ M>LV'QK2jQe PHNY)F[y |VyUR$}OZD F.3SFUA]]t!]s5xXGp}sTyrV f|6xPy-J?&#h/ :W_\X%HodkVf&FC-(,be"^1\6mdwĩ)}б(IG }]# <,|ȼyDƙQ+ܖ |WxiOаr%ţq'`b\̠7$-ߊ>Q_ZC Æ$Q?(nIX$jg~tX)|BM5;43=4X(~w'nz"d<{^ißz"6Js&Sަ mXy/h&!5TUq[٣9@$ B K9Y/JೇOa<Siz9pTa5oh¢v.=m&v* uJ_4XOFG|@3!LZڄ|2C 12힡":0O׃}7k9iFE{1NY$Dz-Ʀ YE!|PDUq j8gNL-u<XRrkCzW5&篓{}.N@ף*@|]iAZ<"nJ*Q $ B  #ii7dd_脬E^ݞ*lG?jP*tϢ cuFM9k w̏?Gs<Z&ZpLim1mSKPoɧ!F8/M}g^L~m,|7ѕmL9 olу ,H\K *B%h$R'L^"6yJYXrsG .dHW5Q)^߾zy4?S~X`e ةhws' ʽi!7ӿ&P;oRn7FԽ[cuhc|v3o[w PNxWCk:c0FE|GqGI@$+6yJ*ёCJg+1FA {d : *d-HV RSoMA"eب#3-$?2n|ukɌ$ Dκ#gD9/MlƟڤ2fBKbi?R1pSt֩SI|0<}jLNɳ8 ^6栯Ou18+dž*#1!6('&ě:*]~FX0-09s3(#9$L*D7:ػzy8{g:SD#P^z1^%\aN0 LG;^j="wb=­]ru3Tb3QHfRYobt'eǣyLR P_<ىJSGlud;_H[}@[_\.[{Hõ7ifxO4A7TPHꢆ\Z6W-~ߍw?1LxTӜV-#}RT<4pu\xe(g+O3ETU!p.K_o}6݌J9cM#F0Go~D:U;+t jQ}Mt٬׺}aqʇrÈPtgQ,k7d\uUZG(Y{sץOߧ|<_>J>k:ny5EGRʛZGLbD26 af8~_nf#m{5ꏋ`iZZ,|Ί9l@lsG 9n2D(/h[o4!t;7"\LMĔEMJⳗ&ݿX>./rafwDy`(O;Z4aVվw <^ u^d %qqH]gt n[䭬w# |QO)Hx(sNY :zY#xKyfJr<v~ p_i ΂rhنۀ >HޏjW儣8htuK>!#; z ̥AHF§ 0Q|Y^ɦt3eFJpǤD1=˘/4Dk&#ǯR \^ Yik7+K)dUKkt/+?)'/x9m%o(f>Y"~_!+jvXI"@|0$Hg"v|c=_\H7έ^jAH8:UQ>oI,}r;]ô܎}&L|HCR`j`b!Nڢ2CDiLmh#6+g8G؊e7|lI_[_VJ%3QN{>YٜKG,F>m6wCX*e;4xaiPo1f-i !KI (ɜ `ח,̅@r5>qY⏥%W2K xX~,@[0c7GMgxH(]j5`!h:./A_T K@= (Ru 9)y"d?n ߄MH (rS^.5 8/3)Q9y9 s,YoJ)龾2^=YX#1DF!sR y¢Ld)'1BM Ƿa8zԲp%ǽ a&$@ %ĕeKtA]lo=*pN[Tl|oXOX}Xa<a&9l*:3vmmwEC G8[NUdgmL^@Yq>ޘPIJŚlKтXZu!am."ζ,OG~> ZeݖЕ\X Ykn' %mj#Ȁ>_idLpȾl;? څ]d}@SZ4bd 9+7펙}4Ux5&Sq;^3"jbs"l%?1[+To{LM\>O[w@Ew`*epG+6 uڿHFiAТގs?tSCz8cІM~U)-!jjׅ)9F?n bg"dtW懠zFyFenvvp_Xc-fm_%ڜ XxgsgC2?M(-Nkh_Grz jF4va!—'U$u<P 崀[߇m"jrҿGYJ*tD{C+$OvR2qyCGTAZbzr,T!Ij]ba [\WR7//Q}싾KkKu}kR^K 3 $b^x*irmS]{ԏ)6G5sA,RrUܞ䝦G͌.1*i>9xAMR;Gqb{ET3 .ݣ P3mr6P?o<[ '{dptyx'hIkHú3oȈx7J4s63%LAHU (%*[<_ ;߬>_+{7LҲ\2N{9wX耈G#֫&ԥ1 xى#}6@_Y&4V _*NEܡ^z?X&e?7Y`Ӑ[I<,h}86!'0T\44[ 1A F{@'A,/ #W}l{6nG?٦ޅxΈxa=63:\>e258s靉1Nv8㎓'XL ‚Q4_.xāl?aJrH]6Ϳ񵯆}!<r| ‰DZ7Bɼ=6覮y8"}pvΧdv;85xrn-k@bԖߘ7w*3k4B CbhB 5k8~uјxiVg+Ά̺8[q",BաF352v[2Ǣ'R'm ޥgznC34z]?pŭ^;{@#Hڒ.=n ?7[E3 qMA; V)RVf˒(`OZ3~#HʒIY Yb7sTι˛[UʒuWfz*ئTBx~drX΍w $b,{c D~UVۡ+ ;aefIUQ|$q{ b+ڿ泥6?I-o/~!#Yh>sIZN[8Ma2D| NbEQucpWX,[eT\@:p TMI7htpaU6}g'7;&FMaU,AV\czfc7`?e27b0mYG~St`nr'\BthO;jwHOa\'@P0n6u%N?$O8xw?,=?D%Jfo~AcCXܶ?)̓рF )іY,KrrZ*wb_r!::/Ϯ?iXj1p7YԜ\b.?xsJM) Gw)ci4٢:Y)V_m†0qoa Ar/t<81G:W?թY”ce,&lz4ltW^]-=]WWA1ސI wKcz>=FeUtj.Cb?gd{\H^NY²e9DdhnP fSP{Z;Vdʄfw@y6w-9%9*vKRz jՊ;ūC#"T$iGBDb)!(n'h oV#M; :A+oUɴL$ &yCރ<*p{d]';WaOE4%+ң2o +_c&] .3۟m mfd el;ё-n/4H;BP't~˩<;C|׵@yD($RDdlm kk@eq% sAwE MNٲw7M\PhwE.!% XPg;ؗ$ ۴XhFz`56W~X@O2֫H@<5Q'jDՎ=kpMГK0^&h1 [#fCVp}fʎd1؋5AV`K"]#pSےj{*^)}Z͋qє/vvyzXq~?A0-a1w/K{ 3̰-ÅV }ҾU8y w O}TC]}"a!2;d`fMU uU71NsE`0bÙ DA.wd$fx\Q5P׵d C0g/fD=80yVku&G$6f)S8 B}&P67Yr:J MlyWJU'|CތȒ9,?uG74z$ hGrMnMB$a=TL7" 53bFjt',1@g\n*~wSO#37#42R>W8R7(т/]J_ݬ)(Kq;Խ2`$@$>gCL;ƉrdŽxUHdˁyF"B羖ՆĻel̓P^R5ql<ܛ{ǃg{s6cEOyO*f]0ecLD~R-wzKhr{u\{P8~4tIpR)s"4{#0S3,6:6V&͛R:g?^:c&zκ!fl0 t 1#!U؋Qril44!BꪩsH4wj1R-v![4\) @2zɅs:]2@Ba È=ptB"L.9a+,7Ӿ72m#$)kZJmy[ea·7jQa/CަicN n&cj`2 ދt0q5A}<2e*Gu*8چI[)ߍhf?9?!'T0[}0S[s0*32LexeGȐ tB2ag²- o"?DrivgsA\]"Ư~ŷyueyj18KtX.9&eCu<㲴bEq]xf=*6,g?NCGY@(CL7&rKfƶE'[f<,K/ f 1;&beu K92Qd5UgpRMN]SO')68!!Z6I=6 EYāu0BD`i .Uz3ȗv>j^xzͣ}j+=/07P!F[QB\%SY\?F%-.LIv&/k^}@N5ϭoʷR#i1¥ܚn_4il5Si̷̅?ovyq)1@=J#[T9m[si,. ^qco/v&#~nU4D杕2x4h[Ǎ.-GVHK7|mef6ܰW)0E5 7r|R+-.'@,qKb 6>_'#7 g˩kf UQYFE)gM@"dV!*f&#L֭_h׸)$+6D}k>=I-߰ޓhco慖ir&rq&Ob\a QV' :=3]ALL%Apk",Mb.:h0_ۃ՜PL( ŗi{: KIA~Nc8p\?df[ʈ>~r23'4,yj2QM:\ 昔c6SJ4_1\MzۦZ0N_bhgS:Ih(ah™ *.:a TںF|/Mоm(\9+[Δ7Ɨ(°A W Z:#ngl`pkkOB &{Pv1%NB (Gxs ϼ1G6- ԅ$X~b6&+ JmIw.%t%\5ڙ䌚#_ KYYPUso73py+vITaPRl|F5M |J-fGV'1#jn;Lq@V; ܀2Hf|SeݿU2RDqطB3j9e l3xxqa>xۮ/W4&P|Fr#m=ED.&wdsڗͧ\Tw %J\/Zu<|.ɒ-.w-ӅQ*2InLW'qЛjTIIc(c)28>XMkܼ^Wjο8SkQQ/zfguGvv+,Ȱ{JNay ,S6F+^[bW !JVXa^Z{֟5)ԣz'sFӱ_Zk#Uz`z=)%\jJkjg7 qm73jT, $ooMRFZܻx#U}7ϓ27zz#q3lO(}z6DB+2H/A FI}c}-UB@2/H^Y kjPSWD0o A.SIHa".nEj5<-5;lf wt( 4E헑2 J$91]ZqZEĔq~/!p|kdW2,Rג[) $ Ъw` ꐪF#{yg0)^ʽ4z)nĚ&Glj4cbn05^&M^"t5 ntbĪaa|Ѩaߴ=3Ka-/}Xj"m.c*3|gU hROV2% b7>RWwDX/ESҲZt_&d[ )l856I=MaZ) UTzcՖCHc mΆo1̙ }j,{l'dol[LǢXIu1?yc":S:הJ[3zl*n_ ^6i3]rpfAXzfiJLzze#ߡe5 ۤ PO|ۓ֏뾞LVv%}p B\Zɖ$!{yɚ|BU{;! {VyW I4ef]/r2m]xMq#QOLv/+_Ubj #Bv"< C љ||.˳#x#!Q/rT3kY5ϫ}5ET`2&}Ȝ|+e -WjNWdONI|pˬ _ Μt5iLk81e;L'wX]-*X-8ɆVgrTiZɡ~8RkMH:1&aaݏ6Ghщ v D-<* c~N]פ6]ht\VzՋ.b$hI$SB#1_NI䚥aYOD/3%<5Н:|w.Qk|ͽ[Kvd 6KZkӎ-Hj0>Gyaխ\H5eώ(36z",ڶyʔ= qib(m-|Ƥm,*-9GU'KqI 2XugBWXU5Yl}=S6إ{ a hE 9El4(pu܃O !J{6Iκ"3X#k}zYPf/Z'!20v*dcXbNPݔ"eL{ƿCk4~Ol~=p >it^>We]= H͓ !B}({[&er#jvr l#{LqWpܥKȵ(]irp*j7R9^iCYXyǔmst,Aʠ([WTk72 "7s&Gīᦴҳ ̸r|Y> m&z a< #@@r)ez /SGytbShHNsˍfm9.N..qk Nm~WbxcE.ZRV/WE/)P.`λ*!%Kdgk4AU!I_E42|fP1]:O_1a9Mѷ:0`\#)k3^xнtBCYI3g,G䍇R 7G܎+z.I!-5r})QIINF..bC/r,;[Sc&OOmЈ[*5խ'\¬G $|i"UۂŨLSCt%]Gf37s'8See)YZL65FN/l߱5%T&'yh* B܉kQ18-?ZӚĂ5$#yH O݀2M+`aݙgz^H2(# BH|ܻ5-%&@XׄyV,,+Aꠋ?SRkp,kLLTbq3ɕ ;0^#7#2ۣڏ$"x[#d8RBÂt~*i%-Tr l\J#հ{M[SA\͒(d3W- ċ(7v*EKѿ,;HvBHo`{! ͍sls'd%F1 qݔlt#4;kW)u-3&$I!ꨤ܅-4?Khx.B*{2ѯh؎p'B0d+vJ`.͡?G7&sKulG+sFZ 70@HWR\v 7o-AJgٵ ˥w`d FW$޵_ޙf A_TiA ۲yuo p\,qU?siw|sHƮSCCN$lLc:noD偏0yP%T! L_Q}l*!0+;mo9=am4z# #XjGX9 7B x"#)"ac{hcedR(kɅj)(veW6Ik$aW3vYX;5%ܟݒ2*u,gP)˄]۩P#[i5"xC0ɈAa,kcڠLhk*j%?VR\,q˸uE%xK|'1݉PG#xSxDvZ(B+:̀y<Z5!1W6ӊ*66:Xњ#RR75+8hm#6{^'BQD]XZj,:JU 4S q]x8L; c<^!;Ȗm5=<4pMjȫA'pZT PCYKO1xNDENBGn]HOͨg1i\|I! 0"_`ݙjsZV& u[27֝ +c?WBH@:n`X ֤^L=%Z`E$~lt옌RoX L |j#A2 `f3gicNԔS#4Na NJf4]EWίEPS$J'p"VÅwXֈKL"Jk3AQ04)HHB'h14h49jWP*`,UI?LJ1$hHT`\Y/A=Vc:hJb61p?q0pbP3sѹA *@4ۅp|#91)s ఼6У˖ \"܉MBtB}a[szD@xigr~rsyMQHiLn84lNFėB]53n FUw%ߤ*p {7ñM?+{-w u } W< 72ml3%'LKmw2|C(釐$iGӸ7qJK睟ф6ڨ@ 7ȿe|d#i*x-zCYlMTZ}h^% Ajkoh`|*_נtϿn4ˈCpf:āG9hSZˎ0F8y pAlz"Hp<[[5nA `*&f& SW6a죳~;Ri6|Lt:uJ,8R:5.boL>Ow% &~i:oھ] f}:\STK,2.jPD~)VG m^2ؑr;roK쁷BawO9E pVY߲`x+iUYt(:l]8,|uϠ @SFd-I~q` LHtb,@ %Jb >88Ho0GLtn|hz%Ƿ3<ǝ)FpDYkh쳴;Q]ʚ\ {PT+|Bgj,ÖL}gXҀV+e>H*;jV-sԙD;r lV'og ~4!j.%PP: qd.gnt:oO`:6m~iQp%@]_1VenF/(W9Ċƺx.)*s!mӶޟM[DM#e1.8dU I3m~!QJ k*1~wԸOĊv1>Hqa4lQօsNnCR2?IWREÍ@$Wq@?r$o[no9aN I_t60EmNiS=2 -G#I?/ډDNdJ|}fu]>.ۃ+T# 3Na4X% tXS_<[#NKSRkN2Ά%hnS )ro718P? />{ i'`"غ:'2ؔ5/,:^r4 6 JoˆHFr^n/"Pz `Z[$w`#`+@`Mu0.z7[N2hDOԔ~Ѻ2(m $|JOױs8Lvv3]@Z#-DԠTFjyqQYH-'ײbOKuPUxbդG;}m!~D^'7`@q>0vr)YJ-RM<5=VH!iNmaȀOVl8gRjPyV~>*Vf˨7PK2Sg-1u|$` ^2]yk]x\xêLZ(x 7a=uq)3Rx\5_kW}co*-@ M?!tN7q:W58¯}LXL[rWq`-)`r)f`I}8~>DEo eq#ʀ_ S~ȲxFפ#3i€>dgƈ^Xb졻rwS" ֑?7_M[]ŠğvlbDScPD˭hk!\dX'&R2O5?÷-S9$ Iܢ]>MpDF&-u&;\*b `GOf_^"60P3l1sB `w Q|Ztf5=}e+JkC!JxI֤aO)$IA#g:7 C^ԓG9])sj'3i)(.=7:T>VqXj[ ؁:[&pIvK}yf6c{_g6[~/ΒlvV nC2, |cCxMQ8U^A xg0ypdX{r{+|pCn=mƒL(&9P"L?`%u%G,Yޣ뜮iY)BK/Y~._{i!ȽEϧ)CuqNzl$>f}Z =EC{Avdœ~ج"UjrKkj(x suth4;d _x0/Yl1u^lqsL#NQ D ԍ* _ϻYak Z@Ʋ"+ )O;t't?.nk-`&_g[cP_tTCf "z`sV~.`[1v3*&ӌVa﬌J|o0J>M\7qKO<fRgRjb;r+ ]!l|x[dSihdYRkКm$MJCFR,{b#ge25|{_RL"auqջ`͉u }LUId L(k`Z6 Vӄ{0-1&nb7byٷQ|Q;0)+*<;dgÌC[їT[lJ}8sk 4`'5GpYz\s$E=,lԄ A mG= 9)[Mܼ pєLdE-f|ڱBr5ĭ:eYj|~okOO [ǕNjEXD aESS g#;&/ ;%!wԋn\^qݎEmP+z*bj-ZtO A AD1Mu~ݠN*&+05ȶMDon)=L=@w_4Zդ\_L{~KcĆ?Ee:2S72RhP^|'{ HSd"^{\.XF?KhF#X怏M{?=)B0O+w`"~aQ{'cŊg6T&遛v>e]ItUbrD!oz'#虯}4ЛFJ3:9Vvi%ѹ$1 7yDz);9g~otmO nUϴrD߫.Wg/9cDW1}5Z4ۛV?0H^N}K+Ɏe XV[/|Q3qS'tk죏(e)EWxMAp=uPzmAό 'X.CWórtiB'ugK0lQK=1!Q'̖6@ N%MRPWj0JŻj6)\ӎ-k]O۵GbٻmO[BF1g,ĜJD_ẙ<4|yItZP] @74ڷ}tT12LW?I@qf1!$Ñ\7y!LvrZ&(MAABys&_PI5w!6s/!aJY"A}BO#17ՖuBӓkǷܯ,+[ RP†pw?nʄEZ8*T}闭lq9y0jB]?''56+R5 Ix=LKB|HN܎xËrkEi nƝڿS=$(5lPKr1Z88Z2,>涐 @A^sD6on,0m?E[@"j>zɈmpBRRwGpySǒ"1IJ_@{ƣ.z=,IbB[vb)cmš Gd| U[PAD{N` 򸇭i2 $EU7"dkV]4-5-ЍWIO 6ͭ(<ҟMD#䩒 ˰GsDbL$|ӝJb$XH`ňFfYS? Xsqms{k䜬:'J^/@qgy@"걌A'^xD_G^=.# }6(Bԃ|_߬aQ l1]+{ 6Q׿5|mގCYLl l і&G- иQn*+^b̶6UƄ9gcֿE&i.+&dw+q?w"d6BS3(igruV*׆^q,Z`)Ya XRLS~3ے 01d rYy6ޥ57xlI_cag HZK4R8E`)ֲ͉,`-A>yȂ WN Hk=cKsf :5sB~^U{!$EkdŏY8=ݨz]:&Rt(yE`14'vL)V?hh&m[%'3k-̾ K: n5!ӷBFHp3iyew vg, Et[8nĩ׫wxH`;D B!궁M#aG=PhϚ |ޟgb?Mn9K9Q14s-iIX#3}ގ50_Xua>pEu@4lf)H "9Yvև B) X5>.֩Ȭb/1B!JS 6 ANPtSwqB.vk.%ѲEF fDu|OC<6Der lFtgߩBGc1aOl_ER9=2+d=>AVl{0 zIG[*U91#InR]fxxWdxLg:lVB"p\%JI7Zn8v3-Սi#ы1$wU2m^͇YtVRAsN¸6k(nwN^05mTCӏ: )Ѐ3zBl XŖxw;z Q&iQZ$ Ȋ NXu"nOwO?jpW/a=iۭՂ HrgMz>+R4!PEB3sT솫%'Kmq}³O.uւ zy4~XYmn?MB,bU^4,2I<-A;++ӻ;bEq$ӹ!Mk{!iGlȢ^ i.g0eç)U/[$5k|4u6_*v#dUx$L&~EydnE?OTD|-8AP+sUKX *]{]zU1qsB>GR?i\?Hd9c7"}h5] غ~MXX  `է[Xcoy`yd=ڋzCD" {O[`λ%;[j:$fXe'"|d FB ]'A^ YKca|3Q$V|򅉫} 4nc3aH9!LV9hfT(>Zb[$j.eoֈMrBgy *C6A)en4[Խg@0a rtL%ڇ[Gt ^ZpjEW&L (q=940͌fI7WڅLډ"ry#ĄV2E7JRwwlfL% k77OeH߆7ks*:-L]b97g:xK!jphbe3L<(J7ftH'uޭ\!d1TYxnaZ \=ߞ `Ue TN=ۗpE;JlTŏ)Z}.M5Mǎo eW?D Xg\np~`F8Ǥ'ɶJ2",ԅ'5F7:sv9Ŋ 5 rbE[zo \}(D2fQ(xn6:tMl[(m }2\ "4Gg,(`_;دܢ"0'/2}u xߔupJl1~3]5FsaˢF~8,n|#ot^\=|hJ3'ȉa=E;uSܚMp-W`AŒ4 ; { '۔#ml2i%5" :+W?\܂QAIpp>8p.3#ji4Zz 3k l?4 \a:)iʉq[T#v:,AcN hJdwy|jIb6-;ZA24Ht{+crm#Ye/]F[ۻ;9BUnb%Т4V^Tv9CY^ݏ{>폛s@0z+zG~HUTG 'q%^͠! y?;Πtl'A4ul1Oii۰;M"TI= g9:~~>ȶEQE*]}};Oӵ.+j* 7( ⩷-Π\ :\|ɷg5? s=/ -Xp'L*v<3?}Vz\ *L tDrcU.0K/c*G^7 r'vBu9n sUVlNroZ f_v%H_BWE pΠ<W}ojl)1?9"Bh9C@O~Xđs]nn4.Q:OΰMK̻2h+!{J!^Nf!\F$wMKD ɅbY~OEUr:d2JiN34<ؿEE8RuREbsGC cF~l}l'/[~a7ۺ41q:l)t9tbc+Oj&Dd [?|q{$-( ՗W`ң;nwq;_}E:x uY3 U~[x #4L-yuR듘)P|d].Ocﴔz Ղf%U=(Xv2/' J*UBhЉF[LOj҂S-Y*xW sP5\e]'|rN#G6ld a_Ui~-Kc‹֠clTZHMT `9Qu촗Rc%%K6έKثܢ R4Q147 8Md ]k͍|ÅA'UhdFtK>¶IEaecn;AK,L6x-ǰeF ;I<hWd:*z_$po˄#~h.̵9GmTFp_D}\q6;=Bxb^R3Z<eC8_#N%-Z %E`u\k 0ӟk=mO $\zl$YIoGvP{e#(*{O.oDK[ٰjQ6?-b}t#e dc>E#Id=DG0-_3K썟֡5)9I짒]h&v9B?1hk t @uVpP'pۅXȡX/wPpqSy;7#$%dm~2+]N:(yοm :;a3$䍉+HW! eBmCHYڷUnA9Mo93Ɖr-C228epXV9Ҥ|ooe0:u^Ԫ)o2tI|#HƖ FHwbIULG+,V)ڂ0;'AN/0XdL ešKr}،k)2IJB}|gq+%9QqM [PGh U!2p2_:q[MƲ`r>"8쬇Pp/g)4aAr2}`p`ʷ$WN"_LdΠ0]l6W.R;ؓƫLMT{a,;?A&tso97aOn{:uTF(:+i&W: ~5_oj`QsM)q|Brm~7UIhQL!S[LtaV),2ue7!ӓ-a[Ej{Y 2>Jw82|TMN"{ p"TZޱ^{8N<A$IjݹS+ؒeFOEU)+X֨ %Qk1GEP 'l55&BH<炸ܰ\h➠((&3QPnZ}|zs!PbM}sßr.x3wINo_N1f k@oO p hnK>δ#Ɗr13@ʡx9v+;Akآ#7c- 9DRL!:<<pK;|܎M\HkwŅUphc(NNoM_IK7Z ؚ,(e dx /DnA1eh ’%-9Ñgaֲ{A<|lPXiIBKk"!RZ8oA V( ׶JUʾ$x( 1ԤS-TtTߟD0˸74dn٭r>ux z V^?#WF}I4Xbdzٲ;lSwԓIyޕ]aϾ4pun8U)DQ$>w Wyrۇp4P Nĩ zYs+ՂfuXT 0X]c݇x"E e5IV]Wb-k|yP4eˬJ^jQi枳`a.Y4\^31S )m/o>vd0-ʙ'/l>^I-tmX=OaQXɎ螁'O/Af^r4'[uwg϶7RHRajzs'>YqMVZue0t*.vgu=ݓQHL,],N?U\:%6''Fpӫ=n[flY68R=.zX+C~2eM̖τ;pJv ޒZƹn RpeocFжT9tܺHlͽ;]Hv+sw6ɯL!Ā2% |L˼kƋQY$lfVyMH1:$6蝰+-,U7jA9‹6Mxw'7q7DiXElU꙾34+j@y6iK:67R >Rr/FXMa?Fw=TBl}IL+v"y#SR^T m>\vUrr\8O .Q9~$9 |xudm,*y8w 7E>m HtZݒHsN+jRIj4W[.'a 4+m3HD%u-"|,} cۏBa=ݵN3۫RkF*h? y1 Hyϊ3ObOH@/-VĐDen Iqh.^hGhX>!|gS}kd2MoY/]]JFUM^iD˝Bb (NcP݇+5#bJP}V &(([uqjǚm*&. oO..Dd"H@6Wיe^–Z܏ܝyjvqA)Ăz`']3d XPKtz@j;zIf3ɑIRD3/#'VrFF!5!q,@%hx~fOrL~^0Bd1A;uVsg( b0`jI=Id B~>_`l>_W.g׋oU\n,.r, ";zj6$`>cL~qT0ݫB@# ws>%!jQK cÑ%q jt2Q{tI"*!#ŗR3-Snzz7(s=GjXVInUlSiW`\AR6f%xfP̣X/44~ʝ;{M3 `ykvёH K3uc]+_E8Ψ@2dSUOzpAbcQCV*$^JK&#V+5WM/uaѷ5Lae\ KIgְG5P+ߪCv o΃z|/PMԟH%2> όޘ0*\]3b8ҩ_"G<@dWt̮'# CЈ_IK4Mҁڢ@!T^ #+CO,|ZhԻ#0؛Ym!?d[#GA**G ,s$YyR_[X;V2v9 ɝ:>_$SNyYx鲿_F 9|ꌋ0hάkr?Z0y:\8j%_hfhWX ͬW(BaTUn8]ƚ).[Kf'עe)fl$ dI;!1o--GnTd.zV3nYYe#׍`s.QS*_@a],s-a1˺ -ai$/V]u,E/&U?iގ@ᓽ8M|3z&ˀ"1Lgy6yG r;_@^($kS iMz~AM2C jB^0zU\CC簿W[VW3N])Hʅݡ\,{&'eZEkRq:sRt,| tj$>nx0 o֓0Jḫ ĝC fr]gfAwn6⒐.@JI&ZOW BkmϹ@uTij ×jmqV.`{|:0|fPLD2y' >j`xj([SWD: x 9GJŀ" 5|_ւѓ4݂92(Db GPCWf`UIv_.>dA2q4Ec-i5_܀LTcS/S_ǭ{v1g N?q@}X;0v)Ro(}JgoIl=6:6b֣zO7]t\h(܄pK?9D襭knCl>\u, ô!ktɐBmi (UtjXxoP|Z+-$ľ#J~* YٳұѪe2SLHt3 ՛Tq쵆}hkLR*gzUl+% &d P ,X:~)ju2>1,ޣH.+YZz#=Jgr90xmGOaKV,P#>1\Swvsxv 0( \ M7g *n;G6d/4gP"{uB LnZO@U[)Nv^z/+%GB,?CX^0L @28*|r PDI@kdڣGx5_܀щw7힧Rd4隒{wɋNJ ^9qڗuoƵ E4?u S9}2[i `VE6\ E %XItH l{7|𢴍,Q| ,NRvd|BY\wTB@<[ޠg#*>p0Z@ BhpʟE٠ pXwXZ#j1uCk Y$ jX)ߴ>; epio `l K ǷF8Zg fk[7+픺fWƁb9HYF6s @>i[\;Č0A{ai gd7RWoM.R6-ܠS)1$]S. 謪nu[@Ţ~mCZHeX ~ ;" z h2ɐK|wC  ʘ.#۔҃l+[1>xSO P?Xw@ Dk4 N:5{.68SbA:N ERзoHgma0f>)pd%z]qyb>J+K[#+(36N}B)MU$QCAx񦞘GzgΒ7]I% SD_hB * ;ig2_| w"`MU!M@9+gwfBjW81D[.[\Ŕu7 &fZ$ZS~}bX+;Pqܼ2V AʝGE8gח(Hk1mW\L)_VG\-g# puTp]աVYͿA?# E2@uCj\kך& H<Eg?I(:.~i{?;jyx.v ª>9m. 3! B#X"",Ai`[rƽ\;Yjf\c,#-f/!N/M]3O|QTDy~w+ /SlFϒA2ҩ CAuC@Bڊ{6pzmDLQ`yfbT*c)o\z(*0wu k+KmfPtO\̀|:\jhqߘ#+=Q A5lOU"Y-4>*I^zv/ B-PkSx3˿7ķ,A9Бe9cnqgtHu$vTT6 !C {OGVR'jYY.O387dUw Vד?SN)E>l&4,C_ Q.EGKݢm4+ r+4sn ) p(^F7py7'xSru\ @1WD1A.Y!'xbjMvͣimg@o&>'qlt1<]lWeqg+'  Iv+b(G8L9c©گ)憄Kv596̓Zm0oXΔ1el* L */\KfiM j76}@б yԃQ+.FmxRݳO<'?ZE|@뇜sLjK>Y{%bcmL=Cj5o@C2}tMK Vk$=v52k:Դ/c+ni .߾g_u\8?EUsC'44`1^UU yziLhd]bƑ#}l9A/},?!Ce9L.+Dc3v,l3 /]L)W}% n2 H%9nK8l-pgK1`c|?)sO>mXix}mwY*׳#i$iK 8jyoy$̉mG{^8Wψ8bm&.@DВ .(g'o0u8B)J2um#ЌGCD挗7r٥ CىW+4>sT`C!NBF0Gm/#dσn%˯旒;7/ c#ƪzK'cF!f^O?3lL~) sK3lצZ <.;J%=Ge50Jr9}Y!CDO~jqh!؃NG`~A`[,[(N矷f? 2\d7zYyXβ|g)`uUI{z{Nh?hSU(eAvӌfLpRgW(-$-qr.jZR J,vˎyK[MX#Y2v`c'\k#"͏p/xŝJnpّ+&-%X~-SʯX#5 i;GQ=dLkhmEţJ,!o/{+[d<{ "'@Biݷ)H-ׁδ˖;<3gywp.wr]2Yh}igv-fɐ7D57%M_dʰIn:JLCp#0Baؾjy h!ؙy*G8bWQ9QۡhʳaP< !!j 5'ppKFG=Ąh#YŰ<כ#'Y DRz|ﮢ‰Lgmr倾ώ\H* K x݊Ҝ[^B#ȩZE y"4pT3FPi9O#"vC&xAϠɢ%eh>ܙ];5AÀ\h$s0_jAhFW ܀/y xTˆQY#uռ,(Vbn1%l(z`jyHH*: ^7@pxsSC@Szex'Z8QKyN+죂fS:jF?H9^t;ʖh$5ż$[Seajf`cKL?tЯ/<_GyS&_0;6Tm0Ё-JNا"DY8[U#hh fk:Tp `Q>j/3dypI#RsTQ9M͍7 Ԝa5g=7)YmXFtP )_e_㍫ O#2-b$ ji- &싖#\J[-̻`ήhIEO GR ]JЕfҠ/|Y뜟#dm~AՎ[\A٥"CNa✊v̧vh Wg qߐfǗ:0:bh`@]2c;hXy4@(*02)ׇq!ͳ暖J Wf֡!]; N-v<{_JA6/)[(,Moo][ >Uc.>/-S!ЀU&..nsϻsRqlL!'2wTc35Ӌ(Кc( tvQv}Ok~lYK/eae*u ФʉJlQB>8rMURgAPTQ|CK1_$pĸqm.A$˜1LPf2ھ dqr)+"xu~xtDo͍cj}ߝ80 lk-5-xL5 K2Vػ?btY^d5*oђ6}Txm?+f=Yhg54+L2FNju*FНjL@4P&](a\-ҶELeib9s&Q"if#byt~ZM^ɫ9;>7X%% ]|&e^n4 *ZTG_^X;Vp-L C)CeDQ&m! ' >rIi9n"mI!ɷ\:хFy8]G@?C>bVʗ:?TQmcykC;"jg݄ͫ6Dft!/m*7Ƞ^PZ{[ V¾-6-}8g]jQzN>3i5Z %4[伹HVj^hWe5W$nhc br&yD΁R:1ʟc1ăN uit\{B<_"A96E8f.n!7=]{BU&P 02l-tK ^n¯f"#TtsYAY|LwtgI>|]W*::)4!l)AʓN$lblqӉ`1v}sj)ՄX ]h\QmW8$X |LKuM4j›ct&OZZ=;}o'BlT94f"`:m}kSJ a1p~q3QʇFgk4?Mˬg gm.3Nj"('gy gά1Aj?U:0/Dw(:ȖR7z"d'7:Nw4wx^`=qգQ7$9{4Mx7w"ژTf[0e* !߰IU o6|QwcvWߘR ! "a60DF:-[XrLGx!PHbEĒ@d85tin ohoo؂ܣefU5o;LJIo~ Ac&Efm{9J?ϓrV42#cl eaGoA[$E4 mG 9fJB=ӵ6~: )$"Tj!EhjD5ҼuÝԼt(-hz Vi,f x1 a8/Fde g̨^0y3aA6Y}aP&r3YRo)"$poK!ޘ!2uvOB[{`=sOJpU/GzW炛[:O#UE6-1Ey:ՉRpf~HϢěiOoK 0t;:Vm"^?mh8!.܌@ym?iGF2IĜUsվH{qQp|hkW:l n _ܮgWիGxf@ NСf@筒6EgWd͠EQYXy#xsN4̱#!{4C5R)ANk}Dљ |!C !A7w-Ľ[8M~宣aأEUo'GN4iٶ4l“#mѶ"L]nboZVk%.<«\r`<Ӯ r@<)#҉N;v3( }&LzY)xx*TPQ)#^7x ڵι؃00dGmORH IbP V/㻨w V\*GS mV ./ _4I+H\-Rֻk7d2⁦ζ29OE.nzLw69o1t3[]PS3$tAo"?f4GϦYUweMSrzbqA.1n鵢j}y $bopᗧ[m#m3YLЧ%J4fÙ%>~QAX/9OoebgGdjʓ`jPE@Yx3vּͪ괄Zlp?ۣޯ+*LzȈW*?Z5LI @ A}J^ 65 Yg`ȁ`~fEdO5˒<\o>xDNP4u#s#h8g{2sVƬWV/ Tޯ5B>k+dIZ.iv`!DicHbA#P~BPq%9@ ۂ\hMNФ OrZC?J&w9  ~gL)九c6C"aVmOQ=c/D]oַ~ȶk@}`3N:qk`LcD+<8Vk'i.~ͿyڀoA|S `ؚ@˒)\:7#ʇMt"U !h,Cc_=Ъ[y"!HX?C`0G]'J5N49#+1PB??U 3-A&s8!g@1XuEk3ԮM^lG}ݤ aX1Rֺ Vb2y,`P`qlP/zX$ @ML; z8X kUsP/7V1vE3Cp:4PU>!ZAjֺLY0-Jtmx6mnn#BD(taudn4Lz" mIu백՚ TIOZcȑ95'1]4wZ;Wg{y$ktM:~[$禴v3o,i)4HcVMoX#qUԩXRucUBW>{?FWH iYǤeD'AI|,7h쬀_JNi.l |=Xʅy4HM\Z3U&~.[f)dYnAALpӛB# w؄1.7Jj=mCXڧ ?8nփ 8ԗlb4]>qW-T #}hєR{M3h޾;*P^P 1^{6~x݄;{b(^&g:|׿f[KTZCOͰRq.k?p4O?$ڔ0x 1!g~Ws7(9tIIфX7gw>![GOT^US'7=9fGlg&"_b+Q3^(C>& TzMOﴎDN *iSxZwbkN<%ۢvH\{Ul7F#1pb'1q{b%ŤST "ù.&?O} 7RcZ^|&`#"w+HQay`SVS7&Y|+rc("ҞPWZNW  zj/1ORA}X)Svom΂/KPbV$(B& F} xٷIDyxM \f7j#qVl1!!*!DvICnXj>xֲX.V+wTmAfE8呾ls =MnAaĿ364ZZՐݔ<7YNM .yS.ڲ+eGtzB9ea9K&hz Ӂ(BG6hRg9Ϻ-<ww|+x=}g $yp9%ފ􀽔Ӂzh7BalYʅ(]Gs9(ta, VQy} 8C$VBE6ʅ΃a映#VC“w"|0ڴݮtO~3 qE@f pǸЙeSCRufR+R ' EugEP胈Cj3e#[*@OQRZ&\j1~bqܗ<lI"ܯCQ.H,Sb&MbTc}٬ :gVc} cL(Dڂ&. Q;x={OkrAhWY8*zoA;9om{ NKģu޻T/6qæ[v:܁r )kiȡeOc i`isмe]Ѭ0"|o 4q\ U@zu9#]?=aoA(6-hî+p{X )&eq:Qv4&ϥ絔؊Gd]Pѫ <([\bM)ªwP DQM \COTiW؞COIgt.R;a[nH'.665JnH5^7zCpUys*l/.CD P'L[yI@|:;mb~hP5y1+z @o@xN8K;x35EA ƌfX^tt7um}_ˉGC$#1A+ ;N锟=~h@by" C v*VдEYJAh-MzW:3J쫌VÉj5tq)Qwf 4mȥ##9\Ύ<6x30w^k2 P>u(z 8k%t}C^X¢h Ov8Uy.Z'}灂MӮ5F: GZY\Bٯ~"hVX7[~6@H=GZ*P|%:fZ@|8F=qNOCca7`BC9Zظ\oC:.pf"\{=b 죭Տ)H#5ݶ٤|Rg͛y%T"5ƪT!ʩ8.8u|*Re~9 lJ^f5Yt&d0KaL N5H|!Q@<9l, ${; 0ĚE@T[AC@Z%M;{I8]F).pA2sɿѼ R#+|/#\z&)|c{C8}L!.aL[XGdVz{С]rCA uH1=5M; v3ѐ=t}Vr'gbڪ8Һ`@_RCPf iy{zzسwT g5~TA'SW#{cxl+ȕ%OûKE[ݘ3LS(x)G{~Ď^*QT綅 %^׾њ}uQ5"ئٮeuНZg;wvz$k-kګ'>?,,?mKaFbc!wSa(>`Q'6[⨘P@t[l<#HJF B9%,B֙ff*2#.@V]$/C}pt!+AN7(%:'v|#!Ex*zbb=?{#$)p\$HM]x)UߝƝي:H{ ,E1j|8T{2imq9p$iGٔLZSѫyDedUKضɱb.햰B *- mRs?Z׷ mV2b %Tx80zܐkN dk*|$Kܬϋtk t E}!ȞXrod t!3̙m> ԄxayqjwĸWS2tw& 2o]U14uCv-:YO=sofVN\2|Gcɼ xLr,'P T₻-ֿ[KkK4 6“ҫ;f}~M-8+s$٣>bl$T>мr-Wd4frc5;YY%r(.7::-:&frK) M>1[nnw'3W`y+h>ݢw0X_b=atBK|J5cF&adڂ CcZD܏nVy H w!KYAXB4Gj$% e f/5\PaKU(ZLy`%ɄUmTZJ (!-)$T3:K}[`y"D)ċio[Arc`:&Bi+ NYLGE>*r'= Ľi-hK^^<*X?.C_GgA/@# j>]10b L`; 3nɯ8U\-nvt >V8e'\q);b?g$fȿ~n̚|6Pc*[\,u$@ _lAcY=$L"XԘגք94,W}Kbc j1 $ G>nYzȑ/QIM5v$YQL=S !<*F7:nw0kY_dOxlJ|.?SǸ *Too'e?Ohղ ,C']VR o"0%HRmg6B1ȵR"<-YvJ9wPX$ 3/p\>CuKtb/-9ysm}!)SunCx|+ 0jsk7?34 L$L8Lhα=ehC+hUkQLpT9Ѽ2jx0:fXsB*맰]=#:4aJ *f_yOFZέ^õLiћJKO v~Lcp>Z~ksZ苆I!,c45~y, JAqޏG/,SG .};#wS,$ *V_a(hF_a6or&׫f64T"H/Or!sj–6I3 .5[ϸhC{iJ|XjCLڿO9ÐCiԦ HєwscS"wjBVp"'Q:,_s/MО(1fII2lL[>?Ar, {)5r#ɴn&h|(Rx GY | bO6(Zؖ]V \H0v46p IB[d己 k⯇CEdfr@O"v<,X'-h$,X `fj7ڿ]_(_[q Mr,ӽiI֢i[ 6+Z-;w7~uk׾ǤApK>NG3P]+_^w\6q38J9MS:f#/ in+{/`[}UVd0ݮ[ԀђUDxc* rTGYZ[jmtm7r'[3=H}ݜ Ʀև__[zB$WSn@Mç1k`_e?@0d4E= |z65Wb3d͟~t2@,nIFeO"W\)ח0Pl=O+ 3wѕ _IRq~pPAW@WyܭDe孠c#O'Ƞ H%N~Q t,v9~O ^QtJ("jFiem9x#x.7 bݐ#B)BS+bĪH-k?B&j#(EsʄP$}#Ta$Bz\ʢd[e]eL7MS{Td<"u]7D)n!cBG$9xY=^҅U^3*_ 8eCkrՊyQk S+@r D~ϗûMkeZi8/uYE$3GUqZK^;47B&ǻIVЇ?pc-a쭱-#*I2` 3O!#u۳Qr)(wÔ"~qLelfyL.A5\*o3ېnNC Xjɾ_9HbydI"dÚS%bЗIkS?C9̒Ć׶ ~ x?Q8!OSdw'J6AZ%{#L蟌jY|)Y&fJf N3)VGNbjTZ|j)g`21p'k%/}GPܸC׫Ju?$2ժW 񚈟/>Gm A=Etp9 ^[zhjr,gy-ߥ] @(N+)Vʴ`:ӝS!i:T*bXXF\F>(C|]PWڭN;q_X$O|+'+^к1ӇH+1[2v%zo_K!*/=>Gk9i<SbK!#*YLz{pm:{X7" J4vr[U*ѭx0R^&l0", ZR]m_1*kt*PY_zg?|nܖp3_|*_?u-3g SK,sAw~r,^a@"==dK4vX:2kn^CL|.ɦ56)}S`˦zC sD&}hr!lu!1JBϛmN2(G0*d5+N9: DJjJ7@W@|THÈVp%Եw 5oZ,^8~EJU-S\oMS6ٕaeEhzp(V/YWiӸ9 E^w< !"yH7rለ>1{ B/o~_ P]sbOwJ[ڦf40R,+cI~L d¦3>Vtu((sa7S_[Zj@F(遵m 3$d-" D74_P@]"U$HtBYgzhB%qT5HB2t)T!LKKܙZ[tbBZ%r?0sIYO7rp҄h5>7,?ua1A b̶ܝՕ-.^Jw*dVq"R)-NnvNml}|k# K;a<ܥcq!FQw;Vu8N)[u^D0)62ռtE0^G="GP9$B.EM ~ਈ(O [LCgi>4'f/Uz!U5@Ȣ!bYW('tT wotI-!7DO'lЍ4Ћw#;B<Z'csE˰wܾ2/$; U8cO\F (u`Ia-6p ٛ 7-ov7:*1 1' xxdx ׫*5{o"4f>,q.tܽVUʡ2|KߖlL HQr-)UT5*-&]!|UQ: ] "y?RW+2\tUzMuʊr{@'fžk%4n-qJ&@Z{+E̼yoٕB BduTԊqSLѽȤg~r}Iqq<:PxR&%q EuêtڿbإSvێ4,V=1&xfai!jI`iݳ;TLt,evcX, " Fa)`'}ȐTEN%KW ]1cӚ%7¶Ʈ.bZ3.f= k L%8lңIgT 5la?mKSvvָ6Z8<YZ?PXkV3J#]/_7oě{ġeAЉpTwФF;ڣuKDg/1‘5H9/!\T6\Ŝ.8#VA0)" nBBkكY۩~זU<c|{OᅭfJ!dlYFak3#3a4QTxADdoEYn1-ri, z"7ۆVn%w%/A^5(Q857i`dHF:1hi3 ή RkP0Ds Li%KI_/yZ$s&(z􋎕RJ`i+@~ fjx`*,,¾C ߟ &"EJc qo#qTPK8uKKm:~PS[?x^$ذj?):\.٩{9(G.]FR4Xz|RrNɲFhѣVC=<ԖJ^aTQm mvEG:fӟ7ۻa߼]!ʘu윴):>ؤcz"5PU'fJ zm;"mm/YjbDUex"z7K Y]rD*V{ H(MT8aVӖZ2!l2ߏH}yD[IF%؊:+_dL%c6X. t8Ź.76 BVeM yƁ/*UC]/|Fkv`J[8+9Cc.mb2ǞU )THhxȴ sP.-B{7+[J3h)0EP[ 9(DK(ej: u<ڭGS,ď*2** h(ToGXn+oPS ˔V {ZV$Qkkn'e-i1F/ZT'\ c|S,c'OϨ B9yNVyTCT1{Hwcyh҄c8sRhP~Տ,Jej|8=f{L$]<"( ׾5 z%HbCxn< / KzT?\ceg3w,Wr3""eATJq"wq\ZYPȗzqɕs݌-S/I,IgΥ30,!Q}vʛs&/v]_r`KVqTX=tQ7i<fܦ6`t$(Xj3DJgj(M  PEK3LX,bE5 E T_/Ϳ̳z/9LjRQ̳-:$oR_I2F(ګDp̹ʚ_[#2f q9Ϣwz]U2 ȓq6`%)*Y3P(qރB'?c$K_hGc }{~MĂyMJ(oFS饾ÔXd)}֪ٝ @j+]*(5W- UK gM|JOJQ'j[h`8mIB*kɽnMqRpH^5d@h(iXuVxgo)[pz=囨>^)^*#HV0m?E,)p2AFeWk<u +c#r:RYfxbӂ{-&%z/*unHzImi iYE?V7P녑.3Wu壽M`Lm.&WY+/-n*ZषҌUeMp,hG +,977 .ZMbKdW ?8].͉j&bw^GKuЫ s&Mi0&CJ U @9g)Ne<=-Ja/oa}PO>;#I$ت+uQ"}!I==|qlF=N:ri{(7h5^| jeh[LmX%׳LaaCj<^x&Se8XdH 4l? /y=YC-G.Y(磶]bˇϷ]X Ic%5ɻxE q;m0*r64sP/0+6.bHdW4 2KrKxahs8\|`x<&6|K\]'Ԣb#`vg藍~h֨D͍/߃sv?;z P! IB@+e%rrzY0M8=*X_u[޲ᚨo5nC[< TfQĉgJ[##~;5o͙j5"yO?P{,wT.&3Y-YTZRnUѬS!6(ֽU=c$95\WcH{ve~%6NVnY`/(5 UN?c/=KHgr2u C|s2:JiTv߿/F19!2W%+iE8ܿn) |oҠ&" ;5[_j`ٍXE%"U׫EdB|m_pfUSSoDL cU>MR61%ZxlQr+!ԛ*D,v tviߕ d-eE, ,]fzջ{,Q{ =cIN+ %Hrg#Հ*pfT\Si@C,h}7Z;F`3Ip>XЖez۝\5֑ɁQ:JGSFL^SD2".>jXL# yH1xp5}-'ܸo-;01r^j<Q@`5\ߖ9\=8O9UE pI;3<##},jeI%m>V\h%wVRE/<G*9v/a&-t+šFZٓ ĤNwS&"՗Ő #V=u-j3~n<f`m2n\]tWkd- 3cAk+LsGGZi5ySB$ U*0ɾ| h1dXr U-0FJV4:2)Rw{FR2/ޢveGM[bl/I۟uП| .*yPpx">wnz9ݯ8_([.#R.{;?6W50ѝ Xz(X1ǘΛ4!aAO;Ѡaz D(z!(a-b ơ~;d;r iN^r<4O9;Zj9 ©~Zi}_C9TB ƺw8$]hq-_ĺ6 Ủ[OX 3JQ0r[*(B́L Lgk4 yxFU$لXeN{Afƅ1|8Ǝ?x1+!97;70Xʋ}/k9\PP"$Zd|E4^F_䫶`DM-%s׃JKMSU%գ[ņˋ/Sj; xg t4M8TGHVk!xƵԭYū%F!.L^UUЯS'_GH*A-uEVޤD]X$ӴqVS[`Oߖ+pFl5"f#[3\R|4Xf].PH'A-?h9f྄+ɝkxȞ'a4X< ,DNeaPgnk^I]k rJqo2\PzH܁7nHn`FweCgeGRÉSJh>0XFM?xd&ϗ p|]gΑ櫰=9 õȔUm!J+mIgߚzHtN]*!KMwdգ2K$FO Q8+ /;WAi( Y/x(0U!8{4YBr٬~Бiok vNqŽElw]2 F BC(v$pBCs0:j+9 7eñ DݜU}[z YHrRIRAkpAV]ܞ _JРUXw-<0ݺܼMn_S)|j#f7%Ӵ׶C\Xq3PYc<r],}*EN~.:I$?#a{ueje($A $r|^ =d\0l#FۺW4%n-u+p ^Bnd!t+mŧ1FoTAT'H0*ŎGR ؑ4\:|YVNyƦtDLt赾Q $c_b1=t~z ҍFy]6,|U}~Q˚{T([SG^"lvڀ\YsL$aC@XQ'ВnEb'֐HbUca"}fتRScgehO5>0F&zgqӝ.ވCo!hZJkS[\b Y{q|hAUG q/N-2yg" CN>jR8ӆ3d |ɲ_)™P3K,i(s>~nj 8i'WV>Bm|ɿKd 爽;)@OؘZf7ouԱMW={m6z͈<غl B)\̿,]4i}Z1Ȣ__[Ug[ S_i s.XIf_r<zHA )>>y#⑂9ƿ mɸ^ "{ 0);`J fnfכ TG`BaxF%dL4TAրN Z%kꐧ2=.~+ ,<@}Ildڥ,M^y<:KLgޡ-lAlg %쩦 Ϋ'}% 2!t t)t \X9Pr_2R5< b6ᴃ(k4:ͶG!;7r' W#?=(=;u=SkU[/j#NIC얨dce*vZ<;$Iܫs >׼&t>mE}'I:3?8T2MU@a8h'7I< gV/r JT~0T4e\em Q~t])A!ra6jnq=Kwwq͜%&nueƀϠcBF19ີWαty`@<Ų8:zv_w{VE;qҜk9ϭ@ꡡec[Wkoi69[oJ䎚= wd=Y))OEw+e7ϭFGOutAoF) A&t[te1cq=4`*'++AUZ`!Ho{m;Gc]-7`gMz,հns? :HTY|C ARL1#QMV6pp^3~Ƥӽ|plTiAAA<ED~I~2xH!e<&2zW8 d 8]:ADs<"#dIY##BcOe^ҧu2&G"wҗ{h6cCqIA4TAc2D)9=L4"MF兂0a`E( [g/)6".q[_H-ql@TV?< <=į %.߿8WFK Z'rݹaX<=TNM& GNL#6N2_="p#u]>[*ɕioŰ͆[d@f 8"zcá \W $D~@QW>3< v;K['?M~pB@O+ujY4H|俠~& kNA)z*thhp O:,%}(LBe[!ܟ8'0O)| ?Lɺ^S$G*>w=Z*&ΖWs5ˎ(,+ }G '+3$*hѽ2\{"nK=Og!Pa`bLlxb"^̲1dFmȔS!hX|joU]jt6DtB=5 ǵdnt)"HPS4Q_'¸´M+lk)#[=65&s{Qt?zԡVhԔ|S4{mwΝ?ʴhQhtH: ʥsAk1LN%ڻdO(=.KKbG]1;1d1)<}MF1ũ OEpvlDw⒧@ n0,1 Bf`/&%SC.-AL3Q YKh(&H0RQ 1EMyf1[VcZ`Q.$⺒ kJc(c@V'ʖHҥ1bFWa-PiC^2]rI;u}% b|dO?StMC ݦM67):}H opipU(cHI/Cۦ6@:HM a#q;!xP9Q)d1}KZ$R'p_$8m{x *El}zS'2Lz9]~@1ob)O(Ym#1Ghru(RGﶮEI2q -! WPa6I0T8OgUlYdj ϻ?VW,<>|T&!pC3fN|]Fԩ€T>)CtýQ}`R*̕rkdQ#Nk+Ӊp(?ToNѳ3})6kx{QfsREI%e6JAnt˵綬5=C7QK 'i琐2z{~q¾! BM%mTES7&r$q5&3gbWqW*|!gTb9itaa_|P#gA΢bYr ij4 apjc;U끔{iN.uZl3=1SBv )f.1agFZV; σ)}*aC|6N0xϤ(:*9x? n d(_~[w 6(?3Jr{*ddB+Tm"B+BGbv]Wօa4[#n] 4;͆[FC:6}]{"/+ɭ0ouyO9Ů%T$].ư Mô#Eh+Iiǟ3"ZvXpل METYVB]B _}'j\2s>4 RTXu/x'+Q6=0)|͋ClPt,tPSVaqlh6ŷ;GXV}4A!9{ ˂\GkbhsIX hŸo 5_]cȍVUNkxnVgQG2OINl댥#ٸ̴%%<+LM>J[c/buPxLV @kg2p툻 _]߰sHS39q"V+._8S{׺ Oցopڍ33=lG >0\ڛ˶ESC$(:}]glRc?|äoy#GJ3qNް䶥YzՓd.[&Ul\!,]<^ H^# 6noH^3@p4X F;Y>3KIP+=k$ǾZy`REHwcϑfO|J 6FF jf z+Q>'L1F~#|w31uyۙ˻P]NH*rasj2H3!ir:U#<_D ݣ_:oQu6؃dLoLB٢ '.ƨKpWTP48ߚW$;5ar)BDR>@[PwR@R UD . @wPggTsh(@BkD:`Kgׄ8VC?tYxC rÕ>\>m MЧ x \`^d+vAr0u4 >98ȇDǺu? _kzx1CJ6#K8k <Nj -_PJ/PI(G*4 hBҙ`*iQϽuq[C/_G۞$V:歨5dCqDD-Ɂǩ\*}˟#@o곖τe!{ #EOgL5!B"p50~ȓ_2Is{o)DYB$CAbyJA3(7Sj!"@(zp$cI>3S eT9XݎY:|()]*BM_:Mİ%"4cYNn@ْ1f8K;}Č򫏢B"aKXJnbqFbJH^f;+Mbl?͖^Xpaϧflƒ Z桧=$Or8KkAVg"j?fl#[({OY7j(z 쮠H&Ix%`c8( b S>L GV˘`+#|G``)j_ٗQXGO 3Th0˛aBPᾴL/F(;\<Y ׄ4J Vw%EySiÛLf0X_H0F *ݥ8F?jȴyݦHyz ZP@-1E X3s$vef4W/I,NV%%3ʜIPA rHܦ.C,R%9h[A}Tɴ&7>븹?l0-6$v۲|*LcPCU-=@-6gn]#VRg`+EmkER )Mܽe|x/j3Ev >NߝpTHk*xN+^gTݠ5{x7*ȖyD!KUÊ}jƒ'oicGQ=Sh3]k_@E%A>zhJ)wݥ)E~=ޟ~a?zV/S@.07bcɐ"(EV*M0hniS-്oTq[T=c&p,U(JV ]폟v>aV4Ek?e\.gas+gz*=ڌ DQ0\ܩwL7N.ǞKCm0B lm>"mẍ́lܞ+I)`EIhW=~烞s`W0k@GCꌬK|_N5aU^6ii$A֭YaM&a1AЙRݎ06rrWs^iKٕ0Xw4%y31eP#(Pih:8nK"f-r!j-=An@۳ԧtjƽƥJoxr&Wu]wkZ|@BJ8w)f䡗pS8}+b+I/XqSOvRFIEK`I_[" ]ƆBG S B첈~u@7tR!b8,ǩľTt2~`C} )mAe鏁kMH{q\f=u pׅXG'/8X ?hOAmD a\dݢ*2]/:҂=B]}J /(LzD1D8fH<-n94;DKRs'uE](F17yE e=(Dv<)z䇵y!j?haaBfgiOE4 o0ꍐtH,T;y" 8؈!G3 827G*4b8`{Ęv.:2$kkV4puu9قe7*K?KATAV 穚 ?h jk2w/ֈƀ  u( ZGj$k ?f_TZ$32x:/{͡/WB`赭#E5%ElsE䥭˿Nn >ed< dPSfK02Nv2j Mdfu~<ʧi\bo=qEV ==7 Mr3tmAXvU!Z2D.azFWiQx#h։҉"*;uLr8=k .yϢl [5OXq=5R$5#άddLF] ,jD=*\}ϯxڱiEx,a<>!IѦ 0C{mp{i,Z#'6n}rwq YMutcCAP:xepuۇz^>wsό]xD=^ z+cas~:5:I\~,30xy~-j],SMå1*-beD"Uȋ06Y/SH"d.R-YڻHu6k KЕ/r[s Eq u:'ke4 (  Gb@*BC3!y;X%ٌTm-\Xd+A"$6_ndαAbǨ61Yeŭr>;/~ܷKl?18kֆ;O4]ttZ սN;!^3p{cZ\<e09ښޯي6^&L44 |R]75*k~J[@]zfXDML˚B#WpfFqJB)6堸\HSFfIa&< zx 𚟄ot=%[ţ#vb '&2@Zq8 cG oK-xGYPh6*/ɚ $j$RQ35P+"Xb$*g㓣+ Wm"$#&/„j00\b(e`x:(i[vy)vpJ} zLG`:y8b,++o&U*Ȅ Q9 Y9Miws ka٬Or(Y|~~Q7OO `y-nX, F) v_!$z}bLAk0< >ɚڸ5'(5̔:)=Zշ"k%?4A`- I|Qܨ fꜪ|4ٙ?i#80ی+N''0|rEڹ5kfKeU PZzƣL*s)O*|feHJ{ۈNCFɧJ؅BK^ܣeљѨD#=•U6@G}^uZY^(> Qk;E6FK jrcגui3S].``#-̎h0_-*Do!ACHɥΣ3I*uWbӗ=y>U8~5$0-+AO v&/3;\>Gk;KS` ^.+ ϛ@+3^vJ >S7섲ģ}Y+Kh"/4䊝C  >!$4* h=^ʪnE5C'`f x bmae UDJC#/uBzԡfG,SJ8}Af]iL鴏0.+4nMKH+x(@ m:~.à;h%Ų{TE< ͯ𤨎} ɭdص92iؼRglFC8KfB :h:ɐXGT|#-OLk̝pW'r<\XM3C4hq? i>d(]y 6!]OEkl?77,rJ Q5HLd9tbF֣rwU#_ÅTO j-mcFY{5Z\8#E@ s.'fDꍻ*cՅ,C!1%/|5Wlz:f\]WbjtO>:ۅ DCvبɹ'E9LKh+S[.m'鎙־[ü wyA(f>Օ8TʨH#䫲|Y7%W&Jl\Jh2]@xGg;kdExֹ߲C7 ?!VW w|NE) DffMfK>tZWow:F)4[STSw)"Ka`E;y] wV k )G:=^j␒ky !z>՜h?*.IYԡq_s 2(MC|/Fz.C]f9eS_WsQua_q?g<`6P'a~ۄ6V I3Ie$XCO Vdp;XGt)B!kЛ=Kyd8Nd5QyLWvI3D@sډ{ ?ZH{P%+Wn|gxRd9 ͲMqtgӼ;oIyNJXetLEX{xtкrL]C/&>b9gfNcoJfש;'TH v}~aF0PjԂݣAԘ(@6PYݻ9̘H_u3sTdM~qb g[:=2]-]$GL^ᓔKxVc, o&?;ju9:̜8Czx,#里&RIwDE[l짤PEh#WJLΏzVp<ƌB5-]k}bVj2LݨZ-%ٗ"a.bpr|&^cQH(j[mϋ A)ed ZJhD4l(SUA) \"ږu>a̴ (k'cgF_ PU 'ќj2#Q0kl!]*XW[Ae~X(+gR!r&` 5R/~g퓉Z0AέbEWqTlGe%%1' ,c UKحMzn˚^K# ci^*,^rKډ(tn_1YӭMO_thErbk걭j5\]jz؉ѤcjHH@䱳# n867Fu ˰)#>Y?a+=ipFq)03u,!l<$ AY6]2+2a@Lw֮g\ZN#Ռ.A X<'` %%q8f{B1e7íe$ ?e>9~9iH%vb%ju=<,(^ (CSrDa8%Hv%VʢXbWԛmM.>Y4ScD5ŽZZ1&΢e`l *1漺x\% AMjWe]hCzs%^<%%ko}PPߘ찒av慐2?FBRued٩!)ė`Ikr^`I }̗\BJ$Ҥ,f$鷚\ʥ K h }i#|KohĬ'NP0A3P9ܧK ;Bf6;ˎxAYbM"&lAJHXd2%NoۖAzF ve{PJP(CV8c_h.\H3U9Xw Oo^#MR+Oc K X2pY"2paУ=KJZ_fȾǠ.]$H-2B;R]6̿IhWt~^1vSO|57T> oM &U/̍DW:gaEQXՁPMouAPzG v(9!ws޵88kQݎ@+oleSg\ XމM:λ6 ]ԐuPyF%T쵓L b55!mr2U7u&Onvmf'箞( l0aLgs dq]8\%34n)*eɡ}I;?jmgletXCŞ~`75]UQz-F 9l(&J9ԼsE' ?fr3)GߺzOuB@Fk5**':g~x-ZJ6ɠs}.zLqNdzր9X8t֍2!a(jk RڡA6%)8E+ uiNX?0[.J71JbaZo=s'*ix=4ukU8$QkS+J2zA^$-2(ur"CN^G1v_, ɰF]g B䩚@pw;5S̃MiX0*HKtbWѹ=(A$-uťG4IclX.}nslPp( |Ӵ#^N]NLc3 օIUnw:`Hm&9gЦ;K褶]T ><`u 50v'ߗ/0 ZGZYOty+T`/ʜa6x ${RXbpw;qh- ŝ"X0vu丢pWWS3`ft^ACQ$ |!h;1찗)ѳB1]+FS:,ҥsbzݤH&%~y#jamѩ/ $}ECTs۞ra%p~['H]Uظ=%r+-%H=v&ė`StsΈ0A _,1#T!aʸAĚTםc;Nv߉mp]yx^.)G%Cq%;8#5^4E{򺃅uE>v\F zYje-?4Khtlb*tʛvΖ`j+q&T!ɴ2M4{'Oi&a|:jWu0@L$-^7kL"eewTTmks[?nڎ61<װZɡ.e7\3R-$ rg0kڝ))̶\Z7nx~~BaV7h@JWF^ -+?@s.de5Ch"KE^hP3TBZtM;Ms虇Ω`Mj[9oU( AR2%W5s/[4/}9!@n7ۏ-FdĮ12VuxL]Nd +xx3ڲ_#GL. T#3 `;v|ʮҖKJ6ǃ֜)ݤhH?+j ݞ2}H!0ܐnU3*@<00poduiL*\4ۿ^tКPG*n%h*2nd,SIw;wtEUXH M~\c$~s]3x;,}R/j/|9\8v]k@b5$x8G9W`Xy h٩.mwQBN[5\w7{@GѿGl{{2sR G 2@ɩ ܀8>TgUYRzd6uEyW9}jn^M˟ZUCIvIķcČ΄]Y3*("qs߳ݗBk 41]f7Olsu[3n:646T/]` njrYUdf,b-T,׽a@iRJ^`nꦬ/fe;dqr8iw/ OPޠ9JUτOC&}t?f.&tnhe$ORNQCza3wlXe5t[L=ɚ#b 3D>N#|SXxg1gJpĮ+ ~ƐGYI j&xS OP d'ùDkK3sn0j;}p\JH65B7~>^*אWuC XL+Zr0F#' Չ/-'}R]m6ׄ@xMB\h~o)ͤuAOetuQk9uSx% rq̼`#lW ui`P kwؔP~h!M=nY pPnZ`]Ϩa(.<_>u>z}zj a5YX? \r(g& 4]SW=B =ŵ,#c9i([1>8r&姻}_7}3b|Zii+)+&"ύnu-`\IS$(`C+]ƻi MlUN1!-Tgq3V)̭g|B@˯YHyNWETijU$2XH^+`SDw(1EV\Vd`[p,֡T@G?+>f7z'2u}]+ZF$Jِ-:_"l+f$kgxnaPge<q8x3""[2bqh:sh|R?mg}/4enƬWˈ̞M2xV_PBg!q8OF[h?m^kk_6ڷ#{'MHҖNL"i` _m^|}NP@t *zP܁Bf!~n,MQ#5[Sn}_T_▮R5=U&6=lZ4I9 dkQ:i>Y eoI)H 2XQj`㹈? NXՖDyn  d{62&2M? ͣ3w?jOm wue}#*uw ֧靐ԚDQ(R16?4`/BF_%dZtwNqdnFj`CM+#CɂU(ޢBDU CQ'vOt8j|BַlD4,z]&Q]3č6d Nun߬J:LuOg;C(}:&>"1{ـ '[ۋl>0B H(X[&Q/7)'Ӯ̗qm']^$SRwQDQ<ېog9u2d}˘$SK8-оѣ=4o󘾓ϰ' &Cn|]Ю)Fuحt.0 -8KU"HhxUaa Dtd7- &N%7eҸ7u,:+ FH qE+3~M 65Y6S,kB`!H_&wŚD7+]25aѵɫ2baI4wهi6^$ E(t8S[4&оaB?!r83bv0E L/ʸY1)'K!mF<.VtRSa!ѥLj:3N)R֬D1j:pchd.+fΗ=q F9M cAXYE:8|Y~(ՔXq?>w[50Liyccp_;VEAOW. ;ZP³TpXT}G5JaʰAb(:r];k'x.MX3%Kbͦo/_d{H4nd,@#{-OL!?!J>ڦBT9ﲯb\RN)8xnLMgxe駊$ 82[angb7#sWVE2>x4UkQ <,(uL5cɌp@QaUoac=#bIrī\U`?h3IԆ }Fۏ~y=@tg;"[*?pX0Dq_ti}?!H_9U5BJ j~H6~iDj[7plGơU8;}ҁ,adr^>ʭ|Q|h_suR(SY{f!HX9^P> w~[dK1R*rp)\L;K`TٺCj竣QmoՏ9 7'G3c/0+pݶ*[ҙj5@(e;::›[͔=/G-քWc l vtTN&$0;#.˫x [w.+~ӊ׿಍I1wԶa nfQ~~P*밃"|LC$_Y[Ӫnh4 ӊq|m.xŰӞ)]ĺ4:G@7bFֻ\HJ*Rt!/.įB ja#'tΔ9)L% yI՜ v aBoS:mlRd*Nfٞ@!-Km\ 7㼲N5"C9{̮"sUBm}Dlzۻ}՘J0 vğGK!Zb}#rL=w+rnJ 1a`Tb4S,@}/@+>N]kk2_bQTeUt 3@ȳcɦ$Lap>$Ayśx=Wo#BR.mG},7 zzV$sH04 @?D_f!G.ւK3R +L"5]v7"q{k||;>QN^$aP%Ota&0TW<۪|&qOpIAuu#!TWN{& _F9%'ڱ &7ubec*$U؃uAENJ 5S lxa\Z }N.nZ4jjQ"=2ʥ.ԺJw +NPp4r(|&>{ T m# lWAvݭMj aUv5HlxwƜ,c\lC\eeqzގ,Mwz$VܑR|ѝ aI0p3Ԟۿ~V §؃W\k@X6U⛈`)Cmٶ!d=-tpZ<έǮZ>r!7i/JnvxTv), ڿumy g~y^ϟ B9X3$WTgRjX_٥x{(P?ah88$pU|8bC! @ݣ( }axNVxV7FLܻ٣[<rtKٺ{Ab=Ps*hѻ'i%JZ(U46B(8[Hڷ Yut.ʦ.10F^Ze ,T ѮNgco j _x,&wBqo* b#ZC^ySm3p y.f8(BJm,U Q2yF2Cet!(ToMZCR*ٶ}Vޜ {E?r%(D{$عP/zNWqb%$exFUc֦E.o g bR'K[iڏː :RwF׋KrAa/-wJW4\(O(HQM̛ '_Yӧ̧1 ?a0i[&p>9 Z%$_~74B>ҢeS0w0!+j&?>ʢns@3WVֲYMiOh1,ǫ3 5q4ZDM]|paNŷW T_ܽJ T1ws?Lio 3utvX7_V|u894Q_:)@cpe鱕WbI]Lg_#nd&$7 g!Z~" 5`N;,i(и8Ŏ$(YrMGѷjȅ|EQ:) XR ܗYpgtY*ǜԇS;_e">1«7L,<6)ſwij]$AFPCQKΈmhO ≄xR[a;KeSsF -GCKKp)Ե=9%],$l/*JrR_.W7} 1aaJ8j"P=qڗG;Lo=&~_%C"5'Katt ,)jLKVg#k<—)(]!'N -׌a>Y0bWn1,^~cNSY0Е{DҺ2ߋf iΩu42&|5ޢ<OM'}L"n#D ],{^emf2@e</g)"Ȣwy@*+?Z X3GdR4Q6\ȢDd ̰V#\9*aP]۰6t4D{dP.y8}3t z/T#M~{h4LD;7O`PT1Vcy{.S\A<Л18]5K)(眯k#Qa\9>PGCް,/ q6S- b_&SĿ1R"9l }~3gBZ1m3u`Bm-`@ZgSsO4n p*U+}w6MI(kLXDP'bD=l O#76r^*R픝O} s-5FieR!\ ? /UVRfqQKZyLI4@ VHPL7Wl$#!T3HG푵Yɫ~sEec,@>"4+ P(T+ߴ2(kCmU(<aayUUa dUZ3"*?و9>%}wxab]0a`C Fe(.8j.%֨n0m@G*f 2%lyGJ2;bRx8Xbj\ouP[>RvuIC~W퀒zQ=x[VwyL{X0Iv47cĔaZ_H³c'oE}7]-Vxۃ6fpԇ1L\o%ݯW-hjWu |v}taCd0ds}+RtE{w+(8tk{RJ</ T ZZ/Tts߀r=AU~hN_MY]j f^/:$|^ic.AD.aH~"J3Kij}CVT@4ʖ?%nTN*p,UT Ffi{ΨSlP 5saǕ 8(mv2KfQ*aN@R@33[DZ͙ y*GTbRlo(&Se_BdE5܎"WrEs?mh!gtE=M#K猙8υ!iC/s<_&Ƌ>/+y@WiD%XDYF+uˠj|$2Tpu2F`$èk3.b c,[JQĎǣ_ǭ\j$]U.D@ : aolX ot`3ӯIK6[=؉ ҉搔ӓ=S)cykCܰ pKO w=eXn^%A =ތ$cۢ"J^T@=~p*)L) PoC2bDS!؅,IljglP{lꕶS3M;Qi?=<|#LɾaO}!<+̦9:ZRq%Lj Q֧)dLiwtciH2)̭,~<W$PR7E2+L OP#ֵhbbӌ[$hdÓOZ %Oo*1y{*8'ȞA=ul#LEQ助ŪϿ{p .!)S[s6)HiW>8p9rk_Xp$#$aXt%b^뵖zO&`t1Ĉ39)}}wkCV =jD`` 81>gN4W"nNd[՜5&c+4߇:&I7C~>ʞcȮɖeh|䭮jϽZv$X\s>cό>")2`,v?%Xв=KV1XqP%yܝe渭!#-0).""Vt:ZKjrߕkj[TdW @՞D{ d/yrэ.JMԀ[MBdԁ8IM K ېe8bg}HEls[I"6\/t mEFkve"`#H:nMՋxcy^Q2+fwIW#Ěa(r?̘<_?$VǙ#n+hWH~}GRK{Ru`h9,p rM҉v3d$ɛI6vcΕ ;ΏyQIj2ւN3nw8g_ύׁܽWBZ[d_he^wcڈ^8 Mk%E7a2 ssx?;*C7}}+Cu߷QOkg]i1qnߠp{ԶyCA Wiwn1n!ڬC2!{u9-buuR/Al![MsK|p/z%ΔrtOƔaa(wL'$tsR1JdUp>UlLGoFtbJuwy-7~9F|xy#汩;q4tLcFCdᢢ!4ݪE8S'UFt+ծdhce$/(r`Qx"|,! be}0RqXM)_=q]c>VFƶMQ4kD l`(ks`.Lp?(~pCu6?뎖XstJ~IG5b.OoLl ݠ0[oiyw~v/O`)$,"JS 8wvT ;7H9|l!YhPK@kmnjI!&fN;lf^{n˴\{9AU Tv,?ϥiv8NX>%k:խ#,Jƿtf}ZI lHe y+@*27r'-mI;O2tvG]N=Qx —01ӆ!Sjdt7NȨؐϟ֦iK(P)uWPJca\}~H.zq[A€@Ϣ )fd386BfZ 䍶?(u[`U(4VݰnLNëBbLxХ.ۍu;Kg>>{CwS/B%,a&=ZN1Ol!ֺK JFEzDٻt6K# QLϧбWV_K,WџZRݥ̲ő&#Sِ.7*< zm΅8_ ~0+@:7(v΂S"7^\%hm@TAA(Zi{U/qT-e!B,d,FLJU^MJB7E#g;׌k$-}Xa AA p"L5"G&GA[(et~C80xWO 29t#Τ䟸3SSy$#e7lH FU3 +,5Z%Ȍ$O8}g>˹Xi&XA9Ң1@|W5ɹVv~# V li"k)Y[$#dip8rˊ@CmpkKFtF2bf[OcكQ#ctQ ݿ`48e Wv..(ސZ=%x̷@ǭvH\;{P:ld_|BP}L'ˈu7jcֽ9܏b$Ӟ $Ǟ'kc@]5P}i\rtq8=P$+_NO-Fs6BK7˰ݨ ٹf:ت:_\ʣ_BVPhG 4& & +#2[/ſ`̵n*;+Z}^ܼ 獲ݨ4vu-2A7v5\ׇ8sL-:R&eZ"62YU t5RN2*ܘJBؤ~Q@Ӟt\إe Z}Jug(K:WnT y`z D 喰j5 1 d_9!?}L[i[P'_^GVF?\'yL<;mKHꢦ3DXĿPA`/,^bVZzy.1V,b`f~z?9:TӮp F Pf, ύ)O]V$~x_wE1ǥp6~A Ay /xΉEHYV Ļy2% rjI,1ZL*'ul}aSndB7Sh0;O<0$N?ʤty.|MPKJ' 6/Ye%<_!_a*4\[~ VONbGkޛf[:/G;uvH c%|ZT-J8Lu'lq eF:;uTF0W &(ERyEGGFz1kRPtب<;YV(v} m溸87&&:K:˽7yL_F弔BQJRlw7VVjwqؖ^DCJ_J ~M"' &ݒd~2pOm >I.\̳}utL^p|HԜ]|^n2.f. b}f>78(Y0kWr=I44ԋ y|uP?#^~{%tjpU?ռ]i`ޥ&Mr9!3#ueF$@[f|.v !s\A>yozw)NO5ѫg<}Tl3PREa|af "(P2E+ nI#踧 hD~FGq*h8|5lɺZ#5=F+Xg+ȵfL?jǘ#K>,}=r , 1V=k2ubwԓXцpXrܘ1ivb pڅR35@m =/ܭOя2-tS"Yꀛ(S' Kgfwc"R$ W14NeyMg^V" op(d"y\w\(ppĢP}C=kh<+qeİ]K)p` R{ si*@*.E4TSCr@9;^ t4Aܾ9'0 }~ESxfz\Ejq~+#{|`D8T;r183tBǾiK96Yl?yJ0jվ92˨4ٸ9  Bڣ$ȗ\ (R`RMJrO$ޡEcU#687sIAnP("ЦЬ,2}V/ W4ne%|,3\Gu[r8vr4ծV?gr פŁп;[;),Ƃ{lAB. hNA#E(.D i+ Wg3厫 ;+䳀5Y%& a~6k\PtF{Eɸ5JJ\cx;h}R/dC"˓ զSځ_; >&FÖPnXHɡZt3ZVg7eQ\^4L6^H9 TV='I!9m+!iii hsi=>)]$<[z)Z@7ERdCD4^ a"=cE*.$qȆ>#܇:o(֐;-s߹cB!Sqa:n*ijCbŻ+h'tR=4JO`b):[JPTf#JJE@6<~p75Iq/q] hgь-,Kۆ9ws"@h!xҌccr B]%EAqJ8$ET϶UC!ZMC~AT1OL+Sr7C;Q/mo'vBIu t;hUa@ "- }M43{De^Wu"@+2bKwJ(()Y&  gW-:Ra`:?$ō4)R?ujw:Zk*c17 ^,iâeJ+l7:DS:|TQZomE({na;;|].%:{(;Ԥ*#]9g1":ɹWW\ #^E,eeVZ1g¿+bԕ!(SCE9#43:CȸmC ^HQ y>9ȩw2&YUwG[s+v#IjJ]T>i'2- Zt}Mm]|CM7畼tx;WwEJ=`w㡤)cb*UezYyMŹ7E,Wϊe]4/A8R:§b3M4YP8cLynP[d1'}փu ʺI6\vjBP܁;{ˊZ J{E~=L40Fh@Ǥ~R!ǜ.Qe=6siZ/"F[xӈF i 1~I-xoB.IWRؑk*]OEI2Mf8bc$="陹3\7kp*6@0n 1etk4hRc#m}sʡp ϨB@uR5G'/-b&m}]7 Mj58ԊmqǬҳJ,4XjO:ْ/]@l Ĺ^_Ơxx+ypd'bοAXQaX qq9r>?ŇD=@B=5y{3l^AdC/NSk\ػc ˬrb5AZ29BvG ,9y;]d{nv9hbD\(Ti#XEbMF疔S~ien 9_7>XbۅV?gK46eFO#S&6`+ػ>6vÒ`kl96 T1L]ϲZb~Rlnu LeoW1#>:XOo(ԸK2CgX[< WuB>&O{%2ɂVof^*j hdafvUXX6MnkC2\ވ'7Kl_GN~q@5q z aWمnqe/84jy/#soߋPNk<=VuבkS)rO/%V\F5HqSE4V_n8sT4 DF{Io(ջ`W4|cSR1SdĚd1TOh%EL,{9OQV6G 9MlAӫ<~6``7首,]|1 "=w]4ډƃRp^cЖcl3m#;u@~, $]D=mErぺXV"lv)j:b4EX9ۇjK=uչ~Fj&ヨmtPu?2f7AtAPhXP Sow%-N\a̹w T9ALV?t&ֽ6>`]vNfP.%ɪ-bv"}YH֘Qn*,挺?zCd.~(]d,'nώA6;(`b]ABD4d_jmh\DBKn>la0h|`RKE(66A l t[BUV85O~,+`so㐛¦x)ZBݓX =._ >1i~]WƆMđΨ oL?2IԑIȜ-!y镊FF8"s9잴09F0A*pɆJ}+)_! X.>w+1JfTd|u `=Nw|Km(jfu`86:\zx(ߴ7<"e?-A'+RdJ2ʯ﫛24X ݆.m*r:B)3oMyKv[3>ȣMEh]]{KZ!u\O՝gXv{>Rb'Р_G%]&#|ҫĿCȶfrG3Y &3/oBVnN)ڝ$ЍEpᔉeQ^W:"rH{-X!4j9;[@gG$<Ǧ_3nXiMcmJbM qpct';|qB%L9 w""Hdl9NNu}{k7d͈(>bi>u  iO I,w^8{\‹"i 䨻<8B_gLƿ|؉if\ZFg컰9&f}wYѰ 0{a^qjҞ[ wJHӮw;!3sk1 wv(,zɏE8eT+=O ii!*N9LN'0~QYMti.LK /b(K<1gUV=bOݲk?pv>wҾtMPȰt۽~S ]Qi2P4:z0kv\sM[WdT[*1PoIQ;Iώotco*;xdCOhU?H*^k9B?O `O4?X7BjS-Ѷsh_w{qV]Aetݮ(CJOe$m7Js@Y'l\7O-a3خOaKhodqe:j<+QQk%?y8j=7)u!$Fq$k{a, 4<_׌N^ֺH(]DP0^$W˞X1a }!]%_OZxZVS~`AOX5og,"S`~JU>k6jv X^Ek)RUق(Jsfn٣zQ]<:53尞X[m=d+4LC7JE4X X!N f:DYS.*f:R.٘ g||C9Ŵ:DqAZa;[ ,K恗{Qr ^6T?Rߞ<.,T}w _lw$\ :QdH.A?taկ=~B;k_x (bκMV3 9tj{`gA2CְjQM:>߾MI_1R"ΐ~l2"O ^\CvZ@ XKAgH|Ӭ&l,&.2[q2AW:9h( rM)V>47{ȕѵ=]66eфj.mM:=/O Z稣,9 Y^S]`3\jTQsKYp ]nXG {\b!h.76HY?0yÚu~n+yV?n* TBr1[oGfn! bЋ3YJq**Nu[Ƶ!*i@8.b~<==l^QKPh)MN>&j.+G좚νx>u'ykԍ9">][-7M 52W@~5Ei?oqO𼆘,G ysyZN^Ǜ6`J}XvEJeA'oĢ̍(E&14gneD5D|q :%u\v}R· iuw( { X ("c.Mc9٪VNH~@Jyߕ᫁%(Z_MdVQcBM~8 s /\l7KRh$  !}79;̈́p9'yks A i< 8m@+ɽ 󱶪*X!'لA'QA{: `5<Dehʲ,G.+J@EAQCiWaD8sϛC`7cCTdQ'G/{(GRݕ~($RdZC3Q@rIlWדD*T-2Ęas ӽU)t>؁\W4R~"aBgߩrbyѰ#\7֎IꑄMqk뭽MzqA5^M $ĤZR$T':U_v*|Ox]Ő ;2c֖0Otܻz[۞`=B3V& s;7?^zF؄ ɉW+ icڲ 7vOt>zxzoBf]}~6!B6f~lPI=]wa:,ws:[N)nYxoO?ir%@?7~fSPW@&>ˣ]OLA"ͺ$s!>rm1v4Z%u{bۯ wfɵ@up#HТ&gq #HLro`#՞31}T˃2rȑ?LDxk)t:cK-.sxdk"}*_•v$ۆLx4%BB;/sK77[he M貞a7TG<J#، B_=C$/ V^C/቞hnq aSc Ǻ,(GZ ԟI(E92M x O 5ˬ.R T18l7 D:^U.G6y6u]%F/OǖcL?USdjp+Upʠ} l\aRry=sӥ%O̤*IRT?6TOW?A ?قA 3UuHäǁyWnA#O|Ezʷa;!`|=F5hQvg}حgz~Uގ ~:2k&~nkheI1rwlNY|{erRfk{4ADuWWXK9V sfui2/^nCr#+ηĽ=^Bհ]TP&@lpU:[L)JÃ*ZxH6~Ǣ3t`#IصB3Brrd`BFHV%݂#ᑙjBzW9twvKu/7V+I"Y"0fH2@u\gwNPҞ9Vi3vvWpM @Rv>[Re녽h&$P0~4*u`ߍĘ s| )9ⰳu&xIKvi8QgDԇNɆ=hc* ^7MJC;xs52t͋cj I]Ms Z=/σ5M} qy&*fﰗq(Ss?wzدL"[Ipn,|yrPe'?½bqu( z'JTm/x t..=GR]u߱vؓۛO:GBy [:+ө z%DGwhI-Q`+vkEێdwmvSA_$!'򰛽^%<@p$@e wKmn FŽ 7 hl|4Qׇ; mKWf`r?fjyI:]@+f WemBj&Dk^PvN 섥5zmr(F.+CA5H|:mxVan Ec4^k!mh|$]^I iJVt *x99H"-Xo29X3洍uj<-ŰTP/ʳ-uIҲoj~&T}I^ Zb?}#vb=͡+AK`J8j-ڗk=dޑ=<~:G-r+ay7|~I<4uq]Z<\˸ajnc"ȲϦ|#n}WLziXQ`:>2 ?+H^x"֣7kj}b 39{*6pV1 v)ȸ/v $ HxlUI:ncf% )RQnCm{D$hH%6j!DO .u(40WQoO&B,CXMuZyeu`_`]= 3NgM/e?ҏ{)d[""`3'j$#yDbT y,Zv%53mPPۥ? l" T}0AoED|K'A1RY|!s{)!zY1xG…z#:z"m&uL%y1 d$2 1QjF6>G<$N"H[Fu*,\5%`k3U*w" pZ[F[t҅Y粋I6nJ6nW†z6j%^9gY΁Ò6YN &;}|jʪݿ$u6DcU'aisu6[AzAKq]@tazqHA>:NsI?@i2/9F#n??:἞-g# 2cgK)dڥFHĘMS$6ՑǤFF'7f,]4( {x?'#ͬ[!uY5$9+io;/R{šyq1:p;ΪN5 |ėS5T!ρ\}nxŲs(o-ߜ?bQdlKZbrqCd\ewɵmyl< 81h&y?YgxO1uuj^f 75/_ɐȎUX^*@ L-N$k|M[gR@؉v`4Z?rypKSXm "UBVPC;[/.aZlE7g& zKJ?l}lQpzM)"mg"3UEd3ʹL',;? $ջd^{T}?3VF\6+xgu1 }%O_sLqqgS)#gɔHW8xׄ/- 2 i&H')dy&s<{?q-y_9,D(P]~ޖɈ{Ї+djVXX !Β]VwS K~;]rU rI\O1 >pI~Av&;I-l"YI_hv ۂ6}1B|Hk1,x]܁9`7KeBP͐9AULdJ<BbX W` v~/L p*JU [`^Eز}H:ңڧ)e[8 NuxM6,qsgnh& R1l1fn5B[`H)eGNW^rAq̂~rrm%6s8^$O/f~xsx(PUWs<{a 1'"BQcl`jN6*\<_"ɍڮ2ߡDKFI@lA:2Ur]ӯ7Dmj ujYd`d*}Qg\pHrHnFG,ƵHmQbx :_xg]8uVɈ);|S7Rs(p@F&ZQǟÞ D3Q)28sPf>$*68\-f3]7֛3P8 lSy>YZ ik*||nu]^]2(]qKVv^Æ9k-dC]bq?ۊ1nym8’U+g`&Ӡm }n$2:Vܩex {焊w`yʉΚ9kZ2%QWZ m^Gꯕk|q$ex/}+VJK+,myt/%NOl~˒50iu.ئ!CjL+U yfz[q*HLM얺n$li> Џ6+:X6!wu:Dzy5& !G_.dDHnSof s)>ioa'\\WoI>m$M v{#$ջ0{+m#\b|~:j gFѥb3 J20e+wu5$qʴ]Ω'ot)g⨾P$}=(1n 0Z(điF*O3)`*=AV ~IIfJA'A:&/eNp?CB"DxLwu# P~nfLĖUcQ$v䚰I+R72:q~롂Ph^KÙK07xO%#,e"V^o>DM_ݢ%햖=E;iyO=8ղQ9G?%,ʪeh~‚x[Q>^"^Bbc,>k*6\s,s:n.KvO7qz< NJ!~&w?^_J~8eqin"bg1}?S9;ӗHsEWH_A3N>ZͦSHOղI0xIԪ9׺E\B/y֚"0;۷ãkAԣ@2>Ұ׳ Mq5X: oIX~p ;WL`U@&vQ2wlГjZkb; v^R U ԆPų{䤓V NTM XBf0yEkkt =2mѢ"Iq` KА ,Ntwϵ1a@%hlU?Std73y'+'QNTC o_biGGHi/q(m>8w RfB/6ugbMF~ C9gk ^vAC2P˚NZ ̭6V(N<ʚoűo7/+5>I MYIGa@Jb z&}BEfs:y'8ŗr{%{wQfnM-B=xā~:hͨ^D?-䏨{r sWcj%&fp&= +ln%LO*]7BȌmfCbYZg0͛6"400ZL5?>X_SsRi48PW_s8L,$gNL\G >&YhoHjd! ~y$Hwg&iS~8M62JJz>gAendAP2|ӌab&Ԓ>PY W8b–`tk D¼HCjM,]G AI=fOO,zA4QOܽRx\#Q&TKs04Fv]f8 :wH>a_ 6{[m,L\!Lㅳ"֏)Vк;ODwwj-=v論 B3T"v3 JR`>;"WߑW̅y,P-ҴXW̗f4*BVsx )}j*bP ͓0n8NC!VP(<@c # iD&vm\D`'"CS0@2`o%FwC V9TYVƐΫ^ڵ 82msG*=yh!v 0_()Gy [w =C*V /~jP01PgX ? td@"k<+$,7 ؅< J 5\߳˧b / '>NA %PEj7+5C )NNexYAcozh}MwUxj0;VIv3%2eRWiF>M˂a;-^ux&Ag1Ë́M] =q j]pնL8;gy 6QW&OJfcٵ;{_cg˫:Ut\cuGNxptBe 5:GSw`lH] vtgP Ʃz}\=kv5ɷuNZUƮJs8P5P8ZX峟dg܋Mo·|_#֝E\2x`K'x5ɼB)+ [.VXG߾ۇ/$/FSs'rWT3X{%yW{ۧ7֟UV"a y ߂w m .^ΗPh8HS,KM =q!ΣdoMEwFgw|y%U`\F̗/`D֨Mzɀ6u̧Mi~{m]Sൻ6{(\T'GA|27Q(y ^ْ 4F9܇܉\Эsm͗8Kk^ߊ&@ApC Q~u]/?KݸI9}?yT? gx dU yYu~:ɛ%_kF VyfFDk<?g'?7~4苫sq]oVLxG8MY뤉1~vԅAITLD"5$~u%i3NR}>?8<ػx?:: pn?N.>?~bȕBnX ȿGJl?%WUDaJF6Y]ޮ'J_w{BR*o 8R5<8ve`Spp@(>Nu M9/y+|U+o3ʐ\kLEh@G+VJ{&-Osb >9ȡ< fA-ţ/7aݥ;sV6afKA,Nw>zpr 2&Y,4@B?WpL:aiRt:AS#n~N3-Ĵ^͐)K}mX1 u@\PH1"H'O0x YMª,& /'8?@{ސ|X2(쬃Hy<) !1 ##pTw=Hr%i#(]h,D4(:2O<.?9l=)E`$5Z7Q5A*-@1u(!'5Mu-FgAz+o[@$Lv1:sqqHRbJ򵰜XB +ʡb\I2]b jPV rj?>}@ߺ@bUL͈H/p诫J$opufbC`x7~2ޖٲ:Q%*@za/&TKXG?8q8I紛ޒ})$C 2M_ތ5;ʗ;2oͩyʔh{ O 3̴dN%K8H2Є($L` :ApGg77mr\R^2Zppa&㜡f^ĊQ.n5`hAI_kZu"$[])Rtwg憺$ɍD/i:*HWtudP W;)ƥ UBS㳑ޕitzFC=R?3tqƽJ6as e$.mk N†՝hN ӬFz 0 ו1)?D1LxKlv2> ٩n8exwjTTTCр6CgΎt_ gW4nRJUqy-{Xx3;-єV*NQ!ՀXK[99a#fk30a)/rPU䮢U\Xd?, QDW"/}&s :U YW1r@T;Wo_}:?=OZ=Ɖ8O{x7f؜1v{|v<|$Le!Uz`}kIZWO5eN)&[A~GGc Jbtt ݷO؄ѳv%V'g =(p)uF[ g kW`SOj n[ %L]AGILwC|lA#kT `y W\( L d,H",0Q 5lrK aȮ%e9JkX"Ia7qW˿1VE/V Y@xr3OH eVSEA}nMtHd[&AVED?AiG|kUX5:L8$vhO'>)[Y OYWxwERmS탨Xj>6=wc@p_N&Aa#.ZƣȰ6{j9)7]2 v9v.mB£f+(p[a6ޟ ij'VJ(CCk7lM "guf"}S8h5p$,=?R`?[?\oV#`mIZH T6:y;=s{ZgUtQ>&5 I +yU7A`%z92'E+O41z!H, ƴٗk̊dik^*hw'Q[؛sLD^&qF:pR>t 7ū *Of[}qjvrr@r&-7J "h J#4B6՜^0Ys C1ONwDѢVNU 3q*xsuWVC>(mގ5 I^fHY܁u'} T& [ &~;,&(c.Y"c*+6c&]]9_[g*kX-]̙6*珼zX* п8ovokZ;Hβr'2,Y}9D`ŗQ2ڽl ȩ4Wg8 /@{$| m슋'Uj Q l  (O[ʿEEs! hyQZ iUsM T ҂ {^3"Njg @r'N E~3jm]qĈR &ق M+c9K,8n .E &@D>遢f)䫄CoZG??: ;THڠ1K_#y z]wNZ,Dq]Ma!A\pu% Xi]hŅ#W]X;b-8xWorau}k@/&p e/B闥4FSY_looGǥdc6G"3lHF[Se2љ}E`o'3ʢ 01vI s`^lĜ}UjD,[S V3I0h"lbqyGBjڞ1;4OAoj"wi5Qc69^+u]œMI ߦW A 애Bl\ p`u ʿ*?;mTX'U^w,C,n!s<fIr9_ O}L JíǮgvklDɼ1>bNn)̧n%:\y򪩿^qF_&J9ͬR@~6aܨP9t֒mXs. (Z7ob> 3sNO><. RE;KiYHjmbpc)\7kIo fs86"X8Ml^OnI)xaDhCMutٳet xGW) VDV2`oj`uEt8UN%>tUMAZhf>qƙZs((Q)&Q3x2u?kN1';c)Y6xwx[`9[SwH&19^:rU3"$Vl*e9xCe vl. \,cYk*q- -ik̍Xh죜 VzneW58K hSZڡM"O(1biB EĒ΢d 15T}o/?u%hpAG9{43PQ(-]|F9˴1z9X"``C 76;jPءpʯ e;ZҠ`l\1ŽHL=$ 7qcAg+F=|) Z"LjxGJRr΃ը+7:M ՈH`)ƫ卞P Afn`!sL׉D`hSɋV<-*2Y]v,~#8YI\ > fjН07Yg"1X<37k3'xBR!̤ cLnO֥TznTX.8 ᵢL0y\n훸J' G7u\Aj`-v*k@Z.赬Ლ!)4/ G\oQA :T냀٦t#(Tt b'cwCf5^qqܲ3RƇxx96"E $Ǫ`QeM O ɊHYן5D&GIl &0XqU62R6=?u7$\>zYaӠL>,V$vf᭴X{5R Y,.XO1ZۓjH'z7`q8 rgGn;9;8F"Jp$@QE.)S?}0$4D>d9T`) 8 m%}F8Dx3 |~T&+AT@v3|:^8Q@!QXhbdԲ8Xz!ˢCЍYr4#ŠPQ!Lv&ex?LQ1#T.:A g\uvw4S *H/e&\kx5WŁ8>?+adj`q Z1{{~sׯv_rsݝ/;ۯGLg9#B `wiOV$8{?^Cu"K$X̹Egs:[A B__aT ~c̝ * H#锸[_: z/ XS̺9LbwLX^G*aԑM`iH 5eQSŃ*P[(]Vݴ-l`0Jezx%[ Cf:HTGޗ:S;<6_hX:[3Ji'E9c]d%PT366_{Jn97(x0>.2kx ebA9uq8q2ږNOj0RJL>mx$DҰG3E[ |9[M@(Y;E2Ki0oyHϋ&Iuޝ=u/?Ea$G#>"T"TF 1 X_.,Þ&8g>9ɵ'^ gDY,H@*b7aC qz~֟u۽> eV 6ΆmvH c$}Q6 jOS< 9 Oi;0sDpՅ̈Q3w<2ν2 "]S.>, 'THQgp/,1ˡ -Q+ts7BQ 4lOOO.IMwC?O??{wqr66ᇟ>^m>S{X¹CY\wy"VL2qĕ:Qh6|E,5 @1r~Ř~BȨ#m0 @,PqqZM2߾ "eJYԿ|M!0%6h6-m$6]{Sh+!oǍ +չ6Zo4Nqiёƭb+a2+IUWz ̲oet'ZXS4$\cŨ8\0G*U+j '(m/;STZ$FEhy$^ 5X,$BC-P|:;`΁h#Ry"Γ)za}y둸|̅fZóPE-,~fHr-({F%;@"~fφqzch4[&uW+DɞlJuW<3щClv]R/A?=K%ytF:j!Vl}1W uԼ#>B>;>9<~|xrtrye.{4Kfl\ $p-Gḯve dGj[?#l4iأ'<#GoX_#)JVi4#}͔;brie''G~ зVP=fh-:,AGo&*<:::~JH넬({ ߶:"6~} ffg ㋋V_HA)3* 8 A/<#]"5 >Q&g(d~{3h7pG21pbiԵ`3ЫB&{g/_Ɠm+n ±X4m6i)_nˀЅq(6G:ኊsiؼ>%2TNZFx> `I;H@?Kq F2H!|G!vʷL$iZ-AQt^f+M\rXh1\GXí&I-܄aO@%" )Ki0>IpLmk Td1Lo|کލ,U-66V-]0\?gU2( Unpl9(fy,x[b,,P<`yHy$t!v%`jf=`#PiȢPH/5)Ȉ޼-a XGCCxCy@:aQsS[〯Ue6}boA;KW:J=],7Fu5h8* `y  M#!,pJ "O$bK[Q'*5~(˷$U$p#yАtƤ#8Y5O!Boe?x5.x%bn?ۼGKo @EI+~RyBIJ6UG]V:T,*[c/l…<)HU곧@ b 贏hbȌ>CPlrm[y&1[_EmIJ(|:X "ě(VE,8ƻ!\Bt6 (aO3HNs[IskQb 7,`j2)@,>qZ ҊB,F,TGA WED閻++uVi $=f1/χO_tGr_f$h /VEk Y6cN< =$[\!ye'WA# !WhGAeNxӠ7 VR$xY\f8E]:؈­dAܬ,;=hMƶB?;=dgҖ,#Ccp}"߲i@: E7 Ә-@r% RE {s!|rf޲!cBbL ‡;ϳ7H i*6LA-i|sZwiXXx1=5hcMT%ތ)m';@B?:h>)CuBv;m0q}deXڂo&^08eWj>N El7Urp-2U((COqi B3t()]4ԔcK׍> n@ȡꖼp`+ -ppbxj;EKW2_QWk8#j=(R|iOF'rroCa#Htԏ=M8W(SїryPM:rLv_.)Z:˅oR1u!gD(=cۉ1i ,lK@A V]8Gƫk,Ä^b>u|h+VƞBRH`FreiF%!5,SK~.]{?_ޫa)&')Fˤ|%-솜C*AXn9:E)'IFa@@h%„3=N}jpO~ sZN2{2JJrQ Zٵ:D_Plrh1[JkN:Ԃ6\f!chi(ܪw6cw(J̰O4l;?|w?y7ÿKAZ S!/6dH|vJ!@E6:Ma.9s H@z2 _`GXk _Q2rBDFM2H!Sv* AvT=-E2%L\ /Fxa: &K e.\ydla"B↖m!'+ \;+}Q2$1Z+b,)-AW3=":"~L頩0si*F dv/c*nS-I#؋s* Z\8^"Og)iJ d 8h۲urO>g@+E+y;3DVXFOo9}8vrK Lmvmס_! vokK STSgu :L1G^ УtX˜/rۣ7",Q 3 Jbr4.dVl>[^,p9 T ^K$;pbff<[#|qq>i3e 8# X#Gwx0T &ƐtTtB9|n[A2@V#~'s#|[RtU]Q!n񻔊J^'b'U4vx6{k)DDe 6Uqvf`8`1-G.~UUO,2b= s@7QOڝR21XY$T*Z]H CS=W"W]߼gӘmqC Px1g似.Xs1cڋ޷Բw cb2k$VI0,1Cڱ(nԴ/D7ɤQj@FEXU,O`AX,MU->=Uͦj-.:N[>,wpa9aΑlh}דi=zdfHDԊ[ I1}oO@#HcrkڜT39U#RJ VR<{n%bgKhos'iqE- >Uǀv-̑5'(#X i&<+k$GH_1_׸srRx#l(?/ (8_OZF*VZssNpKy(YUť I30r_lÐn8rFn QPx}@l8+Ɠ): ̩iݼzlCCe MJc]s 9jf7}L{z$G>@$->.m[44aO LȬz`-s*MYb,,`У>릥;{G≚σ.BsOx7Qpgn ƸUXyh)fmsp97>;sIADN mbcAL ҜVCI8'22tܙ2oEAa5  k%F7 ]TkE^ a&̔޽<"Ci؞mT4F4>Fx7pfW+L?$3 Qeځ C=SB TM;f.w[U~}0f=uArwѫ \FjF1xL㒤7vcAd j)(IF;IZ_rç( Tp:BSs*һR q{1rhDk@7/Ml݋Z 2hHȊ2Iy_(QpW_6#LO|8<]7SY` u ?:}Lot'뻡_(Qn3،r4ߋsLq3G-#=3A y]6?3OFQ;Af##ZվҨ'g3PNxW1ǭhݦ=w@](9wg]Tt"@߯NKZR-^Jw;Ȁ꿂]my/UpU>>[3jS$/lWwZ^kPvf+|CLhFM}ľhoaʈ~0zIu'q+e;OG421zb{ d愞yt{`+uFvāD4oT= PuGsx>OF[ͪո{+bp%6q|' z66q} o6{S1Ig=)Ao8/]^6ЛwQ'PUK}\q@歬Ż>0 K} ^Lt:=>|`k<BcxVb(@'G 4Z%z4ţr_nK`,mqԬwȔ^ޤ(g*Ѹ@i WRn+>j{ ͢V^ͳӽyg5JA`C6 !SI_~BQb&789 ]1X𩲗iTQaKF5g7 UCHf`)"3߿@/;~?y4 [ +K5x9zL\{i|١ -H^ޗsi l#Nɣdg"@{Y,Z"k+D(Yވ.66V%4zFF35#R$y"TD7#~GFi&%y':DE{Xͨ¢o߀aqz+;a +m%$_l%פΧ4م }` 0\rN+ X$ lõEZ.֧>k'Y'NZ+%+tF;2976T@.:L/F@N#ӝrbX(X6uW/`yg'w"xG.?K*^6_ŝKKݛ <,HǚK=*¤{w9T:a)ki!߇Z!ܗCm`54~aоހ0ԽYBzkzKI:dRID,.8X..zN4n9T s6bmZg_U3d *}d0i0`vfDU3ɽp2^YC1;X@- $*V;*yٕ52緫\C ؘ5-ŬW}8ވǙP ?NGme(ZbRXD0pǿaQMDP^ !;8[a^@Q#9ݘKC|;QU_U8":uf,pxx4Fu禰J^Χ{J:57OO:-=֖8"q 1krN[|v(ጌ&:Vjؠ~27"aةR[gco43ry^|gia/F?e4hdG}5j8%C=t8>y4A|?=]$S!'$;Ls8:҆Ykh}!PZ4\]I5-K@]hA_NR.0yrE iv dxQ6bi9&ٵ#e8׮ n7}ý"h&&D]3S1:П-ڦߎ$HG{?Mvq,9: R]^3Q*7eؑسJ ='m3E &gٷco؂}L4I:=MG8oto#g7_%?.{|<|ēEJ=!q.&)ͶwXq_,rwt.]ɒ%0$S.!'Lм][dԑ9ؑz0y. ˻G'g^wAوx5)hmpIf%|6=k&)!!?뢮Jp k[dVE] *ѕ(w5;z̮&ӝ{JG5f&g?qK&bXR:O ʐ8"IN b=7Z%;CseeuSr)u(Qn&1 > {H2s`ػC:u(fafY.60t\(eƑ}5YZW8I-e u6[nwyu(6v]TɆd+z6c# cF׼ZW}iם[MQX!)@>Sp_AIG/gMkghLX:e5&׹"Ou*tx#cQ!O(KѢkuVGlX-5Whc_߫G`qq/gzlÜBesl2)FYZ^i$;un 6`_gS8$pn"@߿.(Y=$Rqr}R}mދw=]D-+w@wXToWrd|ALv"+Z_wv܉%c6'!VwT Q4~9PaNj]"s2ac I V[`21kJ㰛!Eh_1)(QҸGY62h#iq$Af\;#h3˓f[xIxYC=^|f5^q*.B"Y"EŢI t&\%=i]+ mGWlj~|>jŸ(wu=qX4\ޣH=_L5;]vvGkg9rJc]M"R=>m՝U_iW”B\vt$+JDsߋ;jg[#ds!bH^{LV^s=95O뼸j^3PP!SuP sa>6h,@g_D :B;X~zif8_Vo#=1-׭#vڍ`ʏKЌpBbU7T`ʳbHH SA.QڪN $kl;׮ch㢕~y,.tD:F!}lM޳NiUP\B/*9VJ [ׁ9H8@;`h@kW7UM%7ŠCeں~usAS:W8+̱Eyfp\Wq]hB$kQϡ/`ꦤK/Jkķ&gyjĮ;Cr6b@_ܙaS4GbJoh%)uá<\0 W,~TxƁC ׸e%G. qa86%VP#*lfM PLtmo#3h)XҘdn1h1 0DLlWe/Mk ^&z T^֌t"4q.zf 2)Ib~ˢ1iU^6 ? Ch;JxMOP`<])#~3>V%ZhMD̑"pMz+ W+UÎBj_V[8 d.z2ݣCĩ""tO; $aL^=XQ>.676664B5] &j5⓴7mbk3F'U ^Y3mmS"1ٳWx>&5>"VBjb`4=x埍-]Mh;uJ$K$0=%M`t :%&D7аZQ7RU|g lG94c`w ~ uƃ .xBJ2aM1_g6˖9L B F!S&s"ڠ;JW]rYUfd5Y#~vctYav|]ˠkJҏ#8~~sO?/4*QH?&ׯAPPXj"dܲGeFD'#r W-+d{(eUL>)ݑ@8B 27Cp26AdXMVz W-s@ aDT$%D<)(䥞y@O4Jp 4m`?XdJ<Ĭ>}jE|y>zy>zz_zhƋ[/͍kI, LFC 9a#sw,YqF* րCŸkVɟͧ@  `h_dScݧmgqD :mhX+p)# f3ʅ0F rXNׅE_Uhlr!68agY?cTMk<*j=e4bjq拢@Y$3h!<~Ov>}8:;'?NwWYɻ;gG'~QO#n?|qolP\ⓌBtp!~2QXm CMb&Z)QN4"riXM~Ơ~9% "(C4,'5K@)6w/ߑU Q{8=&FM&#ϖsH/L 7 [{G@ C]˨axR$ О$5cq J`db&9_3a\%)]3X>jB!T?19^ww3lH$N)됚I3QcЊ_q8c!£HN҈?mkT%J_hQjtP5u°C}-!WD>./9wϷ6^'OP?=cX"?[Eyd Ggm)ϲ|^bK sgl$nV='UOM鰅jiV_|!hTQͣ" M{p(wEB4~W ]~tUр]EP#P]& 4W=8T3ř:E+>Z7԰{54̧OGѣ7`3SïX7GV+ن|/Q38zpawWGB-Yw~>,s֦~[WШ0 2sOmafgUE??~nqk鏻IwzYpNQ < Ӭ[E3tL .Z~hMnlm0Oh  DA^C\fPK| KT;-.=E>Të Qt] zOԤpf8EpUppvԇ`=5}`;tTD O ml>m"FuKꐎdmXb::>p1HKU/^P&No.P:F._<H3B't'[4;9^\\6 .|#AeNTwhjݻq`?\^h*^Z4u&RzF!x1_ThÐxv7⋏÷jxx]5.1h&&X2tc30bb>ɘ뚪jJ.9BR+%Sazi?~R8P z=#Fۉՠ+揑ۏA/,V18}!-d8P rM jb/#pQo>G|#V_F} G@I=̱JwǼEG "=zh ICHqGj8@'"` ΀ajm%CA 7!Qh̰Cc`UбGp65H(⑊2@%"lׇf˿Vg!>^Y_+ %||/՟OۯOڜZ]V,f:$9hwگQ:l̀Ϡl"X]٨ 7ZCҨWլ74s}=da`qZ*V"zEmtXA&< Vk^ի7KŸzW8Db /FDN|h^ywKSdEZbuYI@הR >uoqKu[\mGչ_)= \ISo:pAPPbd#5W +T _"@75# >]W`o(럸@ p MQI3p|ci21i-B4%DA漋B/Jy5}P,Tivu/r,CHޚ]CcXi>D3sfhlj:zyhl U懀*^jBz|E⿡3E֞q_qbڮ ~M\H!g8ce塷".m%jQ;b',8Scfzf}DD\Fm)tFbj Iԩ eudeiE?ġw%9ҚѪZs\58Ko pe,G o!nE?Uzz}B}Z½N t~]jA0"9d1i|8VM`\T=%0`)[{@VRdF2~r+~W򥽯m5OP̚ *q uA [xf=I\>r5#eEև5E <7C#3[jUhvOXSE/648.IuI= `?#:iJ+wM#q{&R|9xhO+Aq7JxL")! `RIO28g£|e$`iE(Cg8[.KhX-~nweu2ҠFoyx!YHJ i}]sLқ"(L,3pGp e { 5" G 2>ekFp6F9Вmo/ܽ#/6awڶC!%`$I+qKW 3HtY= n >56:M^DiɐE/Kjx,1Jjgxw|)3[ybG`:]ח^v&tnd*C},9@d3>:Fj@E.pdDzk/ujy ஃ` Vgje~=j1Z[Z9V?K(,/K kYJ,o\~nj7}P a:Hx#\PPWӭ)-^P{8%4X2 AJ=Hc%VtQ3Sal_*%]lcH2kC.zHM&WV" A*N}MX64l0CocQ2B%eMַ lkVǑO߱Oq{YKO&H8%vf"<YbG+tV6bp5f% HziBfFGnEz)J;p4pj1y][ n1tdLP18IK Q8 /|TG6ei+'-04tؿm3[p޻FmVê\CIxXi6JXճdB'Md˻Ƽx4ޣ7*|(qRk[1:Hr'(/ep$P^e[që-~Dwqx[+24wc-\&Z*ݠA .&$]fP'AphK\<~&,GTy|,߄DJ$1Z qn aH7C,-6;ϓX__;{_ϣu XuϣoxP<5:ȈJH@A_],SAoSd16Bb4V:XSp &Ď[\`>dS}n96 fi0Ws N"l\;ygϹ,k~Zlҗ*ޙLj1C- I`)wӞ6mt&]!oi*A~D2`0IBíh鉂H5& sGyjql -@NC& h 8ZӧϞ; 9OcNiKq_hl.g(bg⽙ii{3řO#5TE]j9 i0R rKd,0]窄2Ϥ0M9d!KhK@ŋR'dKʙw=x'gF>-ú: rCC.ED{sGDL@ˣ/D-hEdy>?/KsqRU[/ԫZ#W, եΜbfqŝ9iϜ|6T"j}&4i;p>Wq}IJhEJ^v<R3+rCSRΣaIDf9s#:R"e[0+jjQ_t! yL+t Go"¬ke/:^켣:a@(g~PjzZi֫fDJ@~/v ;lh)R/kWs :$##ihm{AM&4`sH:VDBc`{-j1fâ-@8A a%uh Ķ7b2|GFX' V1usN7P3_~'wW#6~JvW}jrЪC#TYw#pĩvYiPFMuvofNjmS׎(C]A&M }Q:cg҈2dwM`k\ $Gr^ J8N?ʑwɘd2(!r˄:ȬC$"u5?|y/|gkH#xsuOp{P$6 S8>RN!Nnde܈~sRQq|O?*) Z~l'ҊH$@V4FXE a|`mraP JkjwL1[{^hmHi[;DwΗ `irIL.&ιgHD8uFlqѾKvTb6/,ht ϵԏ?8ٛ2ٟhإk|(:3vs>~7Maٺ)d%Q#q&8ID!'ٿ煩ֽDJTzt[MHk,aka"1iT%N,Z_.-ʥB9[+5>q\r࿠LL`@.3/6Du*z+y<4uzycyN$؛zSXsiNOl|6a4@LIWE3T4st3w%m]x.dn4KKqT(p[kR;AѳP{P60#Z+@CV[ f۾1@ms!dy٢D/ AdO\pm,lC{8"ܳ`(4$ώ/Q㣗s]-AJ3)=TrmARPEp@JO%{ Tia Z%_4%$WM{*p.2caYrMj0-b`D{fr~T.DՊ/o~"049O-D\`7(:4Bmk! |ǸM^lV@OlެRgR 7/_hS*m`mt ]5%R8R$䔰V -yOZLZ/t{VǼR! eR#oy4#/{cףSKŃx @c\0YKmMl]8v[Uuc;aK3B\ |~^<Kz?o2I(ĨJyuO !j3K=;)͐Pju9kcHp2hGNNIYaΑ&nhopp#lp`[[z L}RbZXUظѬ֢i⻍ܓ\Y]`n4y9 b3R8oR3wW"o|ooM'^fbK$} 2 leX[K"W#tV̅3x 9nUge?;ϝo־,W UG5 NU\>囅 }vY՗ R `:)Jm#_U/6MSlPV(}-0c ɵA#;nP݋.*[-ʢf2)1Q/y&d >'xoSR-3u*)0ehan*;;:SKAoɱ4@Ey|T#9JH{\?7(N6~GؿMPR$[tv 5d堦n2|?x핗'&οzn">r HRV#-5sjYc#HBXk|Bykz3:O|ܲ39^Dj%R?)% ~\p,ax+8E?U_l./;/0tRo^Wfj8ZR+qW ۴rv\o+j* mZРф`ӓӗߚv)ͯ3׮\|j4[jgfDZ`9u\R^HJƼ8%uXmU5^Bvdj| ~Ԩ.-) t]NtRLM!xgcwlPX[*x&ק/ qeU#%) cL&XL,p3kGomr!1q=) #"&qMHcGLΐcO)qPϓM*)BG}QG nͩ/^΍8]ӫdV ~iiكB 6˟9E6F1aMx,ߨϝSH|r<}@H_1ښa 2JM8})C *er= g~}eb"ğ MpnuP}.V}JT0@&MaKDŽJg Ag!퐞Vu־WN:0614B:o6m[C63NlEL`0]#_ӹf%n?g|Hlw%ixtm/#*BNA'@Ol>:xEDdWIwY314CZɗR>}b- ʷ<+I=J$J}"a$9؁`U32hҩ Zћ;;k 땉Z[r7连+k":0[kxJzti)bkA u˔,B5P0Hsrҍgqͅ4x9ދ\S4RN2ъ"'>ͲqO#\CM &~y6:F<031csm[nh)MF Y8Q,AE?ϔ;צ sjx)A?#ds " qF5%͉CgX}FUc W's3۩B rPdzJo5s28-&i4؂G>|3SO)K8♢x j˳dp+w74RUnEl6>ޖm-`E',)*$bu).Rm?.C]jPRX&{[಻K|h!=$`=C<`TlԶa-u_ԝbԉc SiNwQEQ }Ѿe༜M{_߽v%U\"V/U 3bOϻ~}X  u L'ȗma`>ѥMfF~O9o..ܚߥ:Ԥ K讴q_4alt=5wN+we3&H880D0GǵP*=].c6q)]^/f,>vToB`$,*H8 />66hCl7K-Tmd$!ͰHPB8G!I .!Eu0wdb#֊nC.Z*J/H0rһW pX}397F4Vs9[JFZR"!WQv@ɅVf'ױbBfx|qOщ{A4i;ó"\7cc鷤x6:唀t%kGQpҹpxyC7?Imzl&w3^D%”[E1֚`f0vtJg]ϕd γ/՟OۯO8]S喔e n 38?{ ܴ m9 ldL"/}WumJ㜚L񀞭-h?~KHdcy%옆UhMsi^z/mV:eG9PWUOS$u?zܩc. f\Bu>Y `+/S^R?֌& g4@B8ӀxFa1^ʫUO~#@Vg yu8_^:9KeZz4RUZ|tBy% 5Ѽ;ytLn|V+K' 'ꍸPjumTT5&ߙviJRΊ鷯N]2uN"ΘW1o͆XQ5n1-P@7um@D6M0m1sȌ`N$b÷{@Z]6 ?)l{ ki10#wn\%cu??^]b*mS'/Ӿ/79l"]сN0nNpjtezy|F2T 4&-7aREF32R8t&[$yFs2Hʲ^DⷼkGD7K?3JV$670A`3/ZQ C~[/ u(r+R.x5$@)FVD|jTD}'ϗݏXԆv؆b*Q8eD@EV$]xaR{DRf(p;Ng]Y(}& `&&[xH$+a]N=H:#|rJCc%w>%yB<Dn5=-hp%-+]%|- ܚO)6D`&giܺI>–)Qr2`)Z΃ٲz}3SCG&1sm^M,k^2lJ ;7Æ~d Nq L<ðL¦g[$(DaM#'ŠA(o'fH\3N.ۭ+#M]N!z5f"n~CLШ"VF|U73O.{q%=c~ߡT4ܱ}A^摓J䌊|~]or>cp$UŽ4P3z<:bx]I 02@'aK sڦ NlFۆ4 9A.8 EEMAKF*udC dA_n`an38YRfCf)M /<V]AoVKC2)-ہ$+}=eI9h[&{ 6Mq 83`jy9'JJ,ҩ\Ej!ArDu27"oh;Q^:%A_SH&W4B;y~Vi";0[UJ$GEUȄB b7ܸzqv+? rpI ʔ;خyC}Y|ٟ(8.8=6(8 G"*V wDN녛d2N9*TP"nMZ[=ugn 8M<#m :LM֛<0Ou>';MUF h ZɆ!YRVs6z0&B_!lu}eꑂ1Hb`@zKLL6<)"X@< ֏F1X3cl\IA\OĦQ$f'B$(m#U2X'@MhJm Xh滆# SF!Yb=~P)e=18$䄬u9mY5vR2YZ,xN !^79[gO:)d\%p0 @f_(XF5Mpvn@i0g2b,Ff槆ύ胢|F|3VkR\m5mJnHiH0\v^K¹`ӮiYb:G.vr֮S wc $:pӋD O-Δf1YqyOJNO֠ve_Wy}Z۔蒊`{h}¹‰U9H8`4I:|%B54[Z_ɳ}P(,u00ZkjGK[엪  BsteSl/8IXBs N/>s |~XєRHneT̃6)p9kr00aw,5ɂ(@$Ö:(_8Q$/z].tpIg%%ZYG冀X(ſ*BgiJIk╁.T҆l#fjn̬svm% @EDqX2b# Lͤ(ڙvPF,@PAITZIn䥣h|\'&:{5q)ϠU9/_[ٶiIa8umRprOAj̅OVcʷ و#CG5*MQG^eGKݞ-V {MՊXY*$GKHP-]`y hP$J3A1 SIS1lq0.tKJ9k+HЪ@`2N®uq׌X@/Z-/U׉ٛљW_;ce0IȐDW\U |>9Ȭc/Ya=AQsMeJJ`E##VE_+_¶$$jićHKƒa&PpK0JK pE!C+YI:'p׹ٵJ+N^0[Kly&α{ :k!T rHq5Ԟ+5I %(`KSt?W3C f8is"6uȠ9LPde5\ iƚ? MDzAש8JK2yl C)Ysi쀄e>-xn~ȳ[3z]\mVrd A(6}3QczZTƘ*$:kdvPD'|U;\=dhO`Drd^f>w$k |a1󵑜p`F'iT6t^cn^bKL3 DM"^RX)uO(a2u*=O` XjQIzs[E2ogB ֋JI3$鴅 [TAIm>ז'?@qC N+о1gUyD}o=: ;Z9fԪ{pόfE"M)t89pV 8"L%Op9 {a:O\3<7b^t{H⥺*68HT zH˦-~+ԥ #މC;Lb=ԘcqA|&RjK"ye6Wڢ bQQkvv{^~L *Bo_Vr8^$>FdzEvp]5eM&73TxVɩ0_/wJwC27jVSCt,,Z׍\ʁ1 '^T۶wg$C0d %=xiUW/gf~OɖuߓgfFgrJ _edWz)j턟mt2ǻd5ĩl̶xaL̬.¡!|[$DD>Q#Gn:c-U%5E}ӎ/G8:k-yOjdv'M#t5Oⶐد$!nػ$>ZP86WEߏG9ն_\Y[Cӄ֦?{[m'GFr4X vjNJ~}җ'" '֎H/؃v0t (-k j̴"6VjF|eYϫ*uRmxt_Ns8<ON a]DW)7H(pR)NW0ĩ^ UH~>r bjP +g'tvB40^(0WpJjb"Itz\=8Qo'\;Z0`A$'s\s(UbufYD{֖IXM@vz@wtT:%ޛ$ D9(fdOhuR. &{NݞNglrPn4 Ę*4NRLr&N$n8 CxSI[C#f4 Ÿ r?Z91\R#1WH2HdEͤDe5W(rF6zse)Ī䉚 ק8+{Ȭf;dVRVG6p:)F0= bL<nm+k2X'"fT^cH")]u#;͡$&kB6\y~eϑ_)KuIjǶ AEh|N80ݩʵ He+R=M-'OeL%{\.UZ#s}mWx8?ikZ \,^͊kr j|gmXYGB/d_eX>*HyS\ŴQʇh\Tl x?lυK^.>q}r?3{l2-}zWɮ~r'iЎh͙RE̴T( ,Lg\QyE~kBh?ް' ln6H>YdۯdBD^5ͤ騗$ȧz顿t,tw8: KPKDPBk.XcRs*8=ItΡOl8>Zj (N0d{RoGw/_&߽թKruЋWߜ ~ͩׯN^OI7o{KWliȥx$px 7/-vXvc' ||+T+xKorHĸ_%\{7)^m HZ`KpҐ:w\|RqV,:A/Q7b-x8/6MXߌs^6R(Kq[t_w/+2.#\T/:y@\Dk53;]S٬N 4r" `>: *+`w 6E՝ PM