sssd-ad-1.16.5-10.el7_9.15> H HtxHFcR ?*}}n1 b +m]ݮ(vuD.X'~896f1fee158e0cb4eb40094035efa9e07469932c|wAlLhSS^rCFcR ?*}}gMT>tr4D="ڽL:ǸT":\ 3></?/ d   9  2OU\x    7 @\MDM M   ( 8 I9I:IG(|H(I(X(Y(\(])^)eb*d*e*f*l*t*u+ v+(w-lx-y-Y/Csssd-ad1.16.510.el7_9.15The AD back end of the SSSDProvides the Active Directory back end that the SSSD can utilize to fetch identity data from and authenticate against an Active Directory server.cϼsl7.fnal.gov.Scientific LinuxScientific LinuxGPLv3+Scientific LinuxApplications/Systemhttps://pagure.io/SSSD/sssd/linuxx86_64HK4:5D,A큤cϼcϼcϼ^p0cϼcϼcϼ42e2de1e290056f3081995626555e0d7299b5ac4e787b5a3286abe80ee8c4128934390350ba18caae3ecba1b2df8b5ef3a8edc192f4c4476bfd49b51b990bfd48ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903eed5023c5edaa65f8d846d58d0c006ff2c0cdb83e1ce6d0d1afe9c5b9d2e4ff2bbe9a9287323f58efb0d6a6155ca082f0c7a2b7b544009122df2939036e2e9216b147ee05517a5f1206554c99245c84e09289e4a92b0090172f1125f3907556frootrootrootrootrootrootrootrootrootrootrootrootrootrootsssd-1.16.5-10.el7_9.15.src.rpmlibsss_ad.so()(64bit)sssd-adsssd-ad(x86-64)@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@   @  bind-utilslibbasicobjects.so.0()(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcollection.so.2()(64bit)libcom_err.so.2()(64bit)libcrypto.so.10()(64bit)libdbus-1.so.3()(64bit)libdhash.so.1()(64bit)libdhash.so.1(DHASH_0.4.3)(64bit)libdl.so.2()(64bit)libglib-2.0.so.0()(64bit)libini_config.so.3()(64bit)libini_config.so.3(INI_CONFIG_1.1.0)(64bit)libk5crypto.so.3()(64bit)libkeyutils.so.1()(64bit)libkrb5.so.3()(64bit)liblber-2.4.so.2()(64bit)libldap-2.4.so.2()(64bit)libldb.so.1()(64bit)libldb.so.1(LDB_0.9.10)(64bit)libndr-krb5pac.so.0()(64bit)libndr-krb5pac.so.0(NDR_KRB5PAC_0.0.1)(64bit)libndr-nbt.so.0()(64bit)libndr-nbt.so.0(NDR_NBT_0.0.1)(64bit)libndr-standard.so.0()(64bit)libndr.so.0()(64bit)libndr.so.0(NDR_0.0.1)(64bit)libnspr4.so()(64bit)libnss3.so()(64bit)libnssutil3.so()(64bit)libpcre.so.1()(64bit)libplc4.so()(64bit)libplds4.so()(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libref_array.so.1()(64bit)librt.so.1()(64bit)libsamba-util.so.0()(64bit)libsasl2.so.3()(64bit)libselinux.so.1()(64bit)libsmbclient.so.0()(64bit)libsmbclient.so.0(SMBCLIENT_0.1.0)(64bit)libsmime3.so()(64bit)libssl3.so()(64bit)libsss_cert.so()(64bit)libsss_certmap.so.0()(64bit)libsss_child.so()(64bit)libsss_crypt.so()(64bit)libsss_debug.so()(64bit)libsss_idmaplibsss_idmap.so.0()(64bit)libsss_idmap.so.0(SSS_IDMAP_0.4)(64bit)libsss_krb5_common.so()(64bit)libsss_ldap_common.so()(64bit)libsss_util.so()(64bit)libsystemd.so.0()(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb.so.1()(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rtld(GNU_HASH)samba-client-libssssd-commonsssd-common-pacsssd-krb5-commonrpmlib(PayloadIsXz)1.16.5-10.el7_9.153.0.4-14.6.0-14.0-14.10.16-20.el7_91.16.5-10.el7_9.151.16.5-10.el7_9.151.16.5-10.el7_9.155.2-1sssd1.10.0-8.beta24.11.3c @cs@b2@a@a(@aa`@_ _G@_H_H_=@_;_;^3^@^V@^m@^^@^>@^@^@^t@^r @^^@]]*]@]]]@]@]m]m]p]p]p]p]S\Q\Q\"\"\"\\\r@\r@\r@\\\\\\\\\\\|\+@[@[_[@[@[l,[b@[a[Y[Y[H@[E@[6@[0@[,[,[d@[[Z@Z@ZmZ@Z_@Z_@Z@ZyZhu@Z3@Z2gZ.s@Z*~Z'Z!D@ZZ@Z Z @Z7ZNYZ@Y@YYJ_YJ_YC@YBvYBvY9<@Y9<@Y5GY5GY5GY5GY0Y0Y(Y(Y%uY%uY$$@Y$$@Y"Y;@YR@YR@Y Y @Y @YtYtYtYtYtYXXh@XXX@X@X@XsX@X@X@XۡXۡXXӸX,XCX@XX*X lX lX lW$WW;W;W;W֘W֘W@W^@WiWiWiW/@W/@W/@W/@WWWWQWQWQW@W@W@WhW@W@Wt@WE@WE@W@W@W@W@WW~W-@W-@W-@WW@WWu WgWDB@WDB@WDB@WBW;W;W@VbV͛@VTQ@VCV @V @V @V V@VBVBVBVBVBUUUU@UXU@U@U@UUUUUUUUL@UL@UU@U@U@UnU@U(U@U@UUmUmU@UJ@UU7@U7@U7@U @U@U@TE@TE@TE@Tи@Tr@Tr@Tr@Tr@T}T}T}T}T}T7T7TTC@TTZ@TZ@TT@Tp@Tp@T@T{T*@T*@TTT~@T~@TuTuTto@Tto@Tto@Tto@Tto@Tto@TmTmTmTmTl@Tl@Tl@Tl@TcKTa@T\@TZ@TZ@TR(@TG@TG@TG@TG@TG@TD@T6xTTT SS@S|@Sr @Sr @Sr @Sr @S;S;S2@S2@S,)S!S L@SSS@S@S@S@S@S @S @S @S @S @S @S @S @SSSRb@Rb@Rb@R@R@R@R@RURURUR߲RRRx@Rx@Rx@RΏ@RΏ@RΏ@R=R=RkRRRR@R@R@R@R@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@RpREs@REs@R7Q@Q@Q@Q@Q@QQLQکQQQo@Q)@Q@QQ@Q@QbQyQV@Q'@QQQnQZ@Q0@QQQ@Q@QQ @QQh@PP@P@P@Pz@Pz@PqnPl(PaPaPS@PH@PDPM>M2@MMzMx@Mj 1.16.5-10.15Alexey Tikhonov 1.16.5-10.14Alexey Tikhonov 1.16.5-10.13Alexey Tikhonov 1.16.5-10.12Alexey Tikhonov 1.16.5-10.11Alexey Tikhonov 1.16.5-10.10Alexey Tikhonov 1.16.5-10.9Alexey Tikhonov 1.16.5-10.8Alexey Tikhonov 1.16.5-10.7Alexey Tikhonov 1.16.5-10.6Alexey Tikhonov 1.16.5-10.5Alexey Tikhonov 1.16.5-10.4Alexey Tikhonov 1.16.5-10.3Alexey Tikhonov 1.16.5-10.2Alexey Tikhonov 1.16.5-10.1Alexey Tikhonov 1.16.5-10Alexey Tikhonov 1.16.5-9Alexey Tikhonov 1.16.5-8Alexey Tikhonov 1.16.5-7Alexey Tikhonov 1.16.5-6Alexey Tikhonov 1.16.5-5Alexey Tikhonov 1.16.5-4Alexey Tikhonov 1.16.5-3Alexey Tikhonov 1.16.5-2Alexey Tikhonov 1.16.5-1Michal Židek - 1.16.4-38Michal Židek - 1.16.4-37Michal Židek - 1.16.4-36Michal Židek - 1.16.4-35Michal Židek - 1.16.4-34Michal Židek - 1.16.4-33Michal Židek - 1.16.4-32Michal Židek - 1.16.4-31Michal Židek - 1.16.4-30Michal Židek - 1.16.4-29Michal Židek - 1.16.4-28Michal Židek - 1.16.4-27Michal Židek - 1.16.4-26Michal Židek - 1.16.4-25Michal Židek - 1.16.4-24Michal Židek - 1.16.4-23Michal Židek - 1.16.4-22Michal Židek - 1.16.4-21Michal Židek - 1.16.4-20Jakub Hrozek - 1.16.4-19Jakub Hrozek - 1.16.4-18Jakub Hrozek - 1.16.4-17Michal Židek - 1.16.4-16Jakub Hrozek - 1.16.4-15Michal Židek - 1.16.4-14Michal Židek - 1.16.4-12Michal Židek - 1.16.4-12Michal Židek - 1.16.4-11Michal Židek - 1.16.4-10Michal Židek - 1.16.4-9Michal Židek - 1.16.4-8Michal Židek - 1.16.4-7Michal Židek - 1.16.4-6Michal Židek - 1.16.4-5Michal Židek - 1.16.4-4Michal Židek - 1.16.4-3Michal Židek - 1.16.4-2Michal Židek - 1.16.4-1Jakub Hrozek - 1.16.2-17Michal Židek - 1.16.2-16Michal Židek - 1.16.2-15Michal Židek - 1.16.2-14Jakub Hrozek - 1.16.2-13Fabiano Fidêncio - 1.16.2-12Jakub Hrozek - 1.16.2-11Jakub Hrozek - 1.16.2-10Jakub Hrozek - 1.16.2-9Jakub Hrozek - 1.16.2-8Fabiano Fidêncio - 1.16.2-7Fabiano Fidêncio - 1.16.2-6Fabiano Fidêncio - 1.16.2-5Fabiano Fidêncio - 1.16.2-4Fabiano Fidêncio - 1.16.2-3Fabiano Fidêncio - 1.16.2-2Fabiano Fidêncio - 1.16.2-1Fabiano Fidêncio - 1.16.0-25Fabiano Fidêncio - 1.16.0-24Fabiano Fidêncio - 1.16.0-23Fabiano Fidêncio - 1.16.0-22Jakub Hrozek - 1.16.0-21Fabiano Fidêncio - 1.16.0-20Fabiano Fidêncio - 1.16.0-19Fabiano Fidêncio - 1.16.0-18Fabiano Fidêncio - 1.16.0-17Fabiano Fidêncio - 1.16.0-16Fabiano Fidêncio - 1.16.0-15Fabiano Fidêncio - 1.16.0-14Fabiano Fidêncio - 1.16.0-13Fabiano Fidêncio - 1.16.0-12Fabiano Fidêncio - 1.16.0-11Fabiano Fidêncio - 1.16.0-10Fabiano Fidêncio - 1.16.0-9Fabiano Fidêncio - 1.16.0-8Fabiano Fidêncio - 1.16.0-7Fabiano Fidêncio - 1.16.0-6Fabiano Fidêncio - 1.16.0-5Fabiano Fidêncio - 1.16.0-4Fabiano Fidêncio - 1.16.0-3Fabiano Fidêncio - 1.16.0-2Fabiano Fidêncio - 1.16.0-1Jakub Hrozek - 1.15.2-51Jakub Hrozek - 1.15.2-50Jakub Hrozek - 1.15.2-49Jakub Hrozek - 1.15.2-48Jakub Hrozek - 1.15.2-47Jakub Hrozek - 1.15.2-46Jakub Hrozek - 1.15.2-45Jakub Hrozek - 1.15.2-44Jakub Hrozek - 1.15.2-43Jakub Hrozek - 1.15.2-42Jakub Hrozek - 1.15.2-41Jakub Hrozek - 1.15.2-40Jakub Hrozek - 1.15.2-39Jakub Hrozek - 1.15.2-38Jakub Hrozek - 1.15.2-37Jakub Hrozek - 1.15.2-36Jakub Hrozek - 1.15.2-35Jakub Hrozek - 1.15.2-34Jakub Hrozek - 1.15.2-33Jakub Hrozek - 1.15.2-32Jakub Hrozek - 1.15.2-31Sumit Bose - 1.15.2-30Jakub Hrozek - 1.15.2-29Jakub Hrozek - 1.15.2-28Jakub Hrozek - 1.15.2-25Jakub Hrozek - 1.15.2-24Lukas Slebodnik - 1.15.2-23Jakub Hrozek - 1.15.2-22Jakub Hrozek - 1.15.2-21Jakub Hrozek - 1.15.2-20Jakub Hrozek - 1.15.2-19Jakub Hrozek - 1.15.2-18Jakub Hrozek - 1.15.2-17Jakub Hrozek - 1.15.2-16Jakub Hrozek - 1.15.2-15Jakub Hrozek - 1.15.2-14Jakub Hrozek - 1.15.2-13Jakub Hrozek - 1.15.2-12Jakub Hrozek - 1.15.2-11Jakub Hrozek - 1.15.2-10Jakub Hrozek - 1.15.2-9Jakub Hrozek - 1.15.2-8Jakub Hrozek - 1.15.2-7Jakub Hrozek - 1.15.2-6Jakub Hrozek - 1.15.2-5Jakub Hrozek - 1.15.2-4Jakub Hrozek - 1.15.2-3Jakub Hrozek - 1.15.2-2Jakub Hrozek - 1.15.2-1Fabiano Fidêncio - 1.15.1-2Jakub Hrozek - 1.15.1-1Jakub Hrozek - 1.15.0-2Jakub Hrozek - 1.15.0-1Jakub Hrozek - 1.14.0-46Jakub Hrozek - 1.14.0-45Jakub Hrozek - 1.14.0-44Jakub Hrozek - 1.14.0-43Jakub Hrozek - 1.14.0-42Jakub Hrozek - 1.14.0-41Jakub Hrozek - 1.14.0-40Jakub Hrozek - 1.14.0-39Jakub Hrozek - 1.14.0-38Jakub Hrozek - 1.14.0-37Jakub Hrozek - 1.14.0-36Jakub Hrozek - 1.14.0-35Jakub Hrozek - 1.14.0-34Jakub Hrozek - 1.14.0-33Jakub Hrozek - 1.14.0-32Jakub Hrozek - 1.14.0-31Jakub Hrozek - 1.14.0-30Jakub Hrozek - 1.14.0-29Jakub Hrozek - 1.14.0-28Jakub Hrozek - 1.14.0-27Jakub Hrozek - 1.14.0-26Jakub Hrozek - 1.14.0-25Jakub Hrozek - 1.14.0-24Jakub Hrozek - 1.14.0-23Jakub Hrozek - 1.14.0-22Jakub Hrozek - 1.14.0-21Jakub Hrozek - 1.14.0-20Jakub Hrozek - 1.14.0-19Jakub Hrozek - 1.14.0-18Jakub Hrozek - 1.14.0-17Jakub Hrozek - 1.14.0-16Jakub Hrozek - 1.14.0-15Jakub Hrozek - 1.14.0-14Jakub Hrozek - 1.14.0-13Jakub Hrozek - 1.14.0-12Jakub Hrozek - 1.14.0-11Jakub Hrozek - 1.14.0-10Jakub Hrozek - 1.14.0-9Jakub Hrozek - 1.14.0-8Jakub Hrozek - 1.14.0-7Jakub Hrozek - 1.14.0-6Jakub Hrozek - 1.14.0-5Jakub Hrozek - 1.14.0-4Jakub Hrozek - 1.14.0-3Jakub Hrozek - 1.14.0-2Jakub Hrozek - 1.14.0-1Jakub Hrozek - 1.14.0beta1-2Jakub Hrozek - 1.14.0alpha-1Jakub Hrozek - 1.13.0-50Jakub Hrozek - 1.13.0-49Jakub Hrozek - 1.13.0-48Jakub Hrozek - 1.13.0-47Jakub Hrozek - 1.13.0-46Jakub Hrozek - 1.13.0-45Jakub Hrozek - 1.13.0-44Jakub Hrozek - 1.13.0-43Jakub Hrozek - 1.13.0-42Jakub Hrozek - 1.13.0-41Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 1.12.2-58.3Jakub Hrozek - 1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 1.11.2-52Jakub Hrozek - 1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Resolves: rhbz#2149703 - smartcards: special characters must be escaped when building search filter [rhel-7.9.z] - Resolves: rhbz#2149902 - EMBARGOED CVE-2022-4254 sssd: libsss_certmap fails to sanitise certificate data used in LDAP filters [rhel-7.9.z]- Resolves: rhbz#2097014 - SSSD -> sssd_be and sssd_ifp coredump [rhel-7.9.z] - Resolves: rhbz#2107380 - sssd timezone issues sudonotafter [rhel-7.9.z] - Resolves: rhbz#2116207 - SSSD starting offline after reboot [rhel-7.9.z]- Resolves: rhbz#2079441 - SSSD update prompts for smartcard pin twice - After update to 7.9 [rhel-7.9.z] - Resolves: rhbz#2073352 - Use right sdap_domain in ad_domain_info_send [rhel-7.9.z]- Resolves: rhbz#2006382 - IPA Intermittence fetching groups - Resolves: rhbz#2006866 - sssd_be segfault due to empty forest root name - Resolves: rhbz#2031729 - IPA clients fail to resolve override group names. - Resolves: rhbz#2032867 - AD Domain in the AD Forest Missing after sssd latest update- Resolves: rhbz#1968316 - SSSD: User authentication failing after server reboot. - Resolves: rhbz#2000238 - disabled root ad domain causes subdomains to be marked offline - Resolves: rhbz#1984591 - After sssd update to 1.16.5-10.el7_9.8.x86_64 the customer is facing slow connection/authentication (due to discovery of unexpected AD domains)- Resolves: rhbz#1973796 - SSSD is NOT able to contact the Global Catalog when local site is down- Resolves: rhbz#1988463 - Missing search index for `originalADgidNumber` [rhel-7.9.z] - Resolves: rhbz#1968330 - id lookup is failing intermittently - Resolves: rhbz#1964415 - Memory leak in the simple access provider - Resolves: rhbz#1985457 - EMBARGOED CVE-2021-3621 sssd: shell command injection in sssctl [rhel-7.9.z]- Resolves: rhbz#1910131 - sssd throwing error " Unable to parse name test' [1432158283]: The internal name format cannot be parsed" at debug_level 2 [rhel-7.9.z] - Resolves: rhbz#1922244 - First smart refresh query contains modifyTimestamp even if the modifyTimestamp is 0. [rhel-7.9.z] - Resolves: rhbz#1935685 - SSSD not detecting subdomain from AD forest (7.9z) - Resolves: rhbz#1945552 - IPA missing secondary IPA Posix groups in latest sssd 1.16.5-10.el7_9.7 [rhel-7.9.z] - Resolves: rhbz#1839972 - Authentication handshake (ldap_install_tls()) fails due to underlying openssl operation failing with EINTR [rhel-7.9.z]- Resolves: rhbz#1875514 - filter_groups option partially filters the group from 'id' output of the user because gidNumber still appears in 'id' output [rhel-7.9.z] - Resolves: rhbz#1772513 - SSSD is generating lot of LDAP queries in a very large environment [rhel-7.9.z] - Resolves: rhbz#1736845 - [RFE] Backporting certificate matching rules for files, AD and LDAP provider [rhel-7.9.z]- Resolves: rhbz#1899593 - sssd_be segfaults at be_refresh_get_values_ex() due to NULL ptrs in results of sysdb_search_with_ts_attr() [rhel-7.9.z] - Resolves: rhbz#1888409 - sssd component logging is now too generic in syslog/journal [rhel-7.9.z] - Resolves: rhbz#1852659 - sssd service is starting even though it is disabled state [rhel-7.9.z] - Resolves: rhbz#1893443 - User lookups over the InfoPipe responder fail intermittently [rhel-7.9.z] - Resolves: rhbz#1871288 - krb5_child denies ssh users when pki device detected [rhel-7.9.z] - Resolves: rhbz#1853703 - Unexpected behavior and issue with filter_users/filter_groups option [rhel-7.9.z] - Resolves: rhbz#1756240 - [RfE] Implement a new sssd.conf option to disable the filter for AD domain local groups from trusted domains [rhel-7.9.z] - Resolves: rhbz#1851112 - LDAP bind can fail due to unconfigurable DNS server timeouts that inhibit SSSD failover [rhel-7.9.z]- Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] (Previous attempt to fix this issue was incomplete (again)) - just bumping the version to build for proper target- Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] (Previous attempt to fix this issue was incomplete (again))- Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] (Previous attempt to fix this issue was incomplete)- Resolves: rhbz#1854317 - sssd crashes after last update to sssd-common-1.16.4-37.el7_8.1 with servers configured with multiple domains [rhel-7.9.z] - Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] - just bumping the version to build for proper target- Resolves: rhbz#1854317 - sssd crashes after last update to sssd-common-1.16.4-37.el7_8.1 with servers configured with multiple domains [rhel-7.9.z] - Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z]- Resolves: rhbz#1804005 - sssd doesn't follow the link order of AD Group Policy Management - Resolves: rhbz#1773409 - sssd is failing to discover other subdomains in the forest if LDAP entries do not contain AD forest root information - Resolves: rhbz#1551077 - GDM failure loop when no user mapped for smart card - Resolves: rhbz#1507683 - GDM password prompt when cert mapped to multiple users and promptusername is False- Resolves: rhbz#1796873 - [sssd] RHEL 7.9 Tier 0 Localization- Resolves: rhbz#1553784 - Document how to prevent invalid selinux context for default home directories in SSSD-AD direct integration. - Resolves: rhbz#1836910 - Rhel7.7 server have an issue regarding dyndns update for PTR-records which is done by sssd on active directory DNS servers. It is done in two steps (two different nsupdate messages).- Resolves: rhbz#1835813 - sssd boots offline if symlink for /etc/resolv.conf is broken/missing - Resolves: rhbz#1837545 - Users must be informed better when internal WATCHDOG terminates process.- Resolves: rhbz#1819013 - pam_sss reports PAM_CRED_ERR when providing wrong password for an existing IPA user, but this error's description is misleading - Resolves: rhbz#1800571 - Multiples Kerberos ticket on RHEL 7.7 after lock and unlock screen- Resolves: rhbz#1834266 - "off-by-one error" in watchdog implementation- Resolves: rhbz#1829806 - [Bug] Reduce logging about flat names - Resolves: rhbz#1800564 - `sssd.api.conf` and `sssd.api.d` should belong to `python-sssdconfig` package- Resolves: rhbz#1683946 - sssd or sssd-ad not updating their dependencies on "yum update" which breaks working setup- Resolves: rhbz#1513371 - [abrt] [faf] sssd: raise(): /usr/libexec/sssd/sssd_be[PROXY] killed by 6 - Resolves: rhbz#1568083 - subdomain lookup fails when certmaprule contains DN - Resolves: rhbz#1781539 - PKINIT with KCM does not work - Resolves: rhbz#1786341 - SSSD doesn't honour the customized ID view created in IPA - Resolves: rhbz#1709818 - override_gid did not work for subdomain. - Resolves: rhbz#1719718 - Validator warning issue : Attribute 'dns_resolver_op_timeout' is not allowed in section 'domain/REMOVED'. Check for typos - Resolves: rhbz#1787067 - sssd (sssd_be) is consuming 100 CPU, partially due to failing mem-cache - Resolves: rhbz#1822461 - background refresh task does not refresh updated netgroup entries - Added missing 'Requires' to resolves some of rpmdiff tool warnings- Resolves: rhbz#1796352 - Rebase SSSD for RHEL 7.9- Resolves: rhbz#1789349 - id command taking 1+ minute for returning user information - Also updates spec file to not replace /pam.d/sssd-shadowutils on update- Resolves: rhbz#1784620 - Force LDAPS over 636 with AD Access Provider - just bumping the version to fix generated dates in man pages- Resolves: rhbz#1784620 - Force LDAPS over 636 with AD Access Provider- Resolves: rhbz#1769755 - sssd failover leads to delayed and failed logins- Resolves: rhbz#1768404 - automount on RHEL7 gives the message 'lookup(sss): setautomntent: No such file or directory'- Resolves: rhbz#1734056 - [sssd] RHEL 7.8 Tier 0 Localization- Resolves: rhbz#1530741 - Trusted domain user logins succeed after using ipa trustdomain-disable- Resolves: rhbz#1746878 - Let IPA client read IPA objects via LDAP and not a extdom plugin when resolving trusted users and groups- Resolves: rhbz#1530741 - Trusted domain user logins succeed after using ipa trustdomain-disable- Resolves: rhbz#1713352 - Implicit files domain gets activated when no sssd.conf present and sssd is started- Resolves: rhbz#1206221 - sssd should not always read entire autofs map from ldap- Resolves: rhbz#1657978 - SSSD is not refreshing cached user data for the ipa sub-domain in a IPA/AD trust- Resolves: rhbz#1541172 - ad_enabled_domains does not disable old subdomain after a restart until a timer removes it- Resolves: rhbz#1738674 - Paging not enabled when fetching external groups, limits the number of external groups to 2000- Resolves: rhbz#1650018 - SSSD doesn't clear cache entries for IDs below min_id- Resolves: rhbz#1724088 - negative cache does not use values from 'filter_users' config option for known domains- Resolves: rhbz#1422618 - sssd does not failover to another IPA server if just the KDC service fails - Just bumping the version to work around "build already exists"- Resolves: rhbz#1714952 - [sssd] RHEL 7.7 Tier 0 Localization - Rebuild japanese gmo file explicitly- Resolves: rhbz#1714952 - [sssd] RHEL 7.7 Tier 0 Localization- Resolves: rhbz#1707959 - sssd does not properly check GSS-SPNEGO- Resolves: rhbz#1710286 - The server error message is not returned if password change fails- Resolves: rhbz#1711832 - The files provider does not handle resetOffline properly- Resolves: rhbz#1707759 - Error accessing files on samba share randomly- Resolves: rhbz#1685581 - Extend cached_auth_timeout to cover subdomains /trusts- Resolves: rhbz#1684979 - The HBAC code requires dereference to be enabled and fails otherwise- Resolves: rhbz#1576524 - RHEL STIG pointing sssd Packaging issue - This was partially fixed by the rebase, but one spec file change was missing.- Resolves: rhbz#1524566 - FIPS mode breaks using pysss.so (sss_obfuscate)- Resolves: rhbz#1350012 - kinit / sssd kerberos fail over - Resolves: rhbz#720688 - [RFE] return multiple server addresses to the Kerberos locator plugin- Resolves: rhbz#1402056 - [RFE] Make 2FA prompting configurable- Resolves: rhbz#1666819 - SSSD can trigger a NSS lookup when parsing the filter_users/groups lists on startup, this can block the startup- Resolves: rhbz#1645461 - Slow ldb search causes blocking during startup which might cause the registration to time out- Resolves: rhbz#1685581 - Extend cached_auth_timeout to cover subdomains / trusts- Resolves: rhbz#1671138 - User is unable to perform sudo as a user on IPA Server, even though `sudo -l` shows permissions to do so- Resolves: rhbz#1657806 - [RFE]: Optionally disable generating auto private groups for subdomains of an AD provider- Resolves: rhbz#1641131 - [RFE] Need an option in SSSD so that it will skip GPOs that have groupPolicyContainers, unreadable by SSSD. - Resolves: rhbz#1660874 - CVE-2018-16838 sssd: improper implementation of GPOs due to too restrictive permissions [rhel-7]- Resolves: rhbz#1631656 - KCM: kinit: Matching credential not found while getting default ccache- Resolves: rhbz#1406678 - sssd service is starting before network service - Resolves: rhbz#1616853 - SSSD always boots in Offline mode- Resolves: rhbz#1658994 - Rebase SSSD to 1.16.x- Resolves: rhbz#1603311 - Enable generating user private groups only for users with uid == gid where gid does not correspond to a real LDAP group- Resolves: rhbz#1602172 - SSSD's LDAP authentication provider does not work if ID provider is authenticated with GSSAPI- Resolves: rhbz#1622109 - SSSD not fetching all sudo rules from AD- Resolves: rhbz#1619706 - sssd only sets the SELinux login context if it differs from the default- Resolves: rhbz#1593756 - sssd needs to require a newer version of libtalloc and libtevent to avoid an issue in GPO processing- Resolves: rhbz#1610667 - sssd_ssh leaks file descriptors when more than one certificate is converted into an SSH key - Resolves: rhbz#1583360 - The IPA selinux provider can return an error if SELinux is completely disabled- Resolves: rhbz#1602781 - Local users failed to login with same password- Resolves: rhbz#1586127 - Spurious check in the sssd nss memcache can cause the memory cache to be skipped- Resolves: rhbz#1522928 - sssd doesn't allow user with expired password- Resolves: rhbz#1607313 - When sssd is running as non-root user, the sudo pipe is created as sssd:sssd but then the private pipe ownership fails- Resolves: rhbz#1600822 - SSSD bails out saving desktop profiles in case an invalid profile is found- Resolves: rhbz#1582975 - The search filter for detecting POSIX attributes in global catalog is too broad and can cause a high load on the servers- Resolves: rhbz#1583725 - SSSD AD uses LDAP filter to detect POSIX attributes stored in AD GC also for regular AD DC queries - Resolves: rhbz#1416528 - sssd in cross realm trust configuration should be able to use AD KDCs from a client site defined in sssd.conf or a snippet - Resolves: rhbz#1592964 - Groups go missing with PAC enabled in sssd- Resolves: rhbz#1590603 - EMBARGOED CVE-2018-10852 sssd: information leak from the sssd-sudo responder [rhel-7] - Resolves: rhbz#1450778 - Full information regarding priority of lookup of principal in keytab not in man page- Resolves: rhbz#1494690 - kdcinfo files are not created for subdomains of a directly joined AD client - Resolves: rhbz#1583343 - Login with sshkeys stored in ipa not working after update to RHEL-7.5 - Resolves: rhbz#1527662 - Handle conflicting e-mail addresses more gracefully - Resolves: rhbz#1509691 - Document how to change the regular expression for SSSD so that group names with an @-sign can be parsed- Related: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch- Resolves: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch - Resolves: rhbz#1523019 - Reset password with two factor authentication fails - Resolves: rhbz#1534749 - Requesting an AD user's private group and then the user itself returns an emty homedir - Resolves: rhbz#1537272 - SSH public key authentication keeps working after keys are removed from ID view - Resolves: rhbz#1537279 - Certificate is not removed from cache when it's removed from the override - Resolves: rhbz#1562025 - externalUser sudo attribute must be fully-qualified - Resolves: rhbz#1577335 - /usr/libexec/sssd/sssd_autofs SIGABRT crash daily - Resolves: rhbz#1508530 - How should sudo behave without sudoHost attribute? - Resolves: rhbz#1546754 - The man page of sss_ssh_authorizedkeys can be enhanced to better explain how the keys are retrieved and how X.509 certificates can be used - Resolves: rhbz#1572790 - getgrgid/getpwuid fails in setups with multiple domains if the first domain uses mid_id/max_id - Resolves: rhbz#1561562 - sssd not honoring dyndns_server if the DNS update process is terminated with a signal - Resolves: rhbz#1583251 - home dir disappear in sssd cache on the IPA master for AD users - Resolves: rhbz#1514061 - ID override GID from Default Trust View is not properly resolved in case domain resolution order is set - Resolves: rhbz#1571466 - Utilizing domain_resolution_order in sssd.conf breaks SELinux user map - Resolves: rhbz#1571526 - SSSD with ID provider 'ad' should give a warning in case the ldap schema is manually changed to something different than 'ad'.- Resolves: rhbz#1547782 - The SSSD IPA provider allocates information about external groups on a long lived memory context, causing memory growth of the sssd_be process- Related: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1516266 - Give a more detailed debug and system-log message if krb5_init_context() failed - Resolves: rhbz#1503802 - Smartcard authentication fails if SSSD is offline and 'krb5_store_password_if_offline = True' - Resolves: rhbz#1385665 - Incorrect error code returned from krb5_child (updated) - Resolves: rhbz#1547234 - SSSD's GPO code ignores ad_site option - Resolves: rhbz#1459348 - extend sss-certmap man page regarding priority processing - Resolves: rhbz#1220767 - Group renaming issue when "id_provider = ldap" is set - Resolves: rhbz#1538555 - crash in nss_protocol_fill_netgrent. sssd_nss[19234]: segfault at 80 ip 000055612688c2a0 sp 00007ffddf9b9cd0 error 4 in sssd_nss[55612687e000+39000]- Resolves: rhbz#1565774 - After updating to RHEL 7.5 failing to clear the sssd cache- Resolves: rhbz#1566782 - memory management issue in the sssd_nss_ex interface can cause the ns-slapd process on IPA server to crash- Related: rhbzrhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1543348 - sssd_be consumes more memory on RHEL 7.4 systems. - Resolves: rhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1523282 - sssd used wrong search base with wrong AD server- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set - Related: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7]- Resolves: rhbz#1517971 - AD Domain goes offline immediately during subdomain initialization - IPA AD Trust - Related: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1527149 - AD provider - AD BUILTIN groups are cached with gidNumber = 0 - Related: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1525644 - dbus-send unable to find user by CAC cert- Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card- Resolves: rhbz#1512027 - NSS by-id requests are not checked against max_id/min_id ranges before triggering the backend- Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card - Resolves: rhbz#1520984 - getent output is not showing home directory for IPA AD trusted user - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1421194 - SSSD doesn't use AD global catalog for gidnumber lookup, resulting in unacceptable delay for large forests- Resolves: rhbz#1482231 - sssd_nss consumes more memory until restarted or machine swaps - Resolves: rhbz#1512508 - SSSD fails to fetch group information after switching IPA client to a non-default view- Resolves: rhbz#1490120 - SSSD complaining about corrupted mmap cache and logging error in /var/log/messages and /var/log/sssd/sssd_nss.log- Resolves: rhbz#1272214 - [RFE] Create a local per system report about who can access that IDM client (attestation) - Resolves: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Resolves: rhbz#888739 - Enumerating large number of users makes sssd_be hog the cpu for a long time. - Resolves: rhbz#1373547 - SSSD performance issue with malloc and brk calls - Resolves: rhbz#1472255 - Improve SSSD performance in the 7.5 release- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1432010 - SSSD ships a drop-in configuration snippet in /etc/systemd/system - Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available- Resolves: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Related: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1408294 - SSSD authentication fails when two IPA accounts share an email address without a clear way to debug the problem - Resolves: rhbz#1502686 - crash - /usr/libexec/sssd/sssd_nss in nss_setnetgrent_timeout- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1484376 - [RFE] Add a configuration option to SSSD to disable the memory cache - Resolves: rhbz#1327705 - Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1505277 - Race condition between refreshing the cr_domain list and a request that is using the list can cause a segfault is sssd_nss - Resolves: rhbz#1462343 - document information on why SSSD does not use host-based security filtering when processing AD GPOs - Resolves: rhbz#1498734 - sssd_be stuck in an infinite loop after completing full refresh of sudo rules - Resolves: rhbz#1400614 - [RFE] sssd should remember DNS sites from first search - Resolves: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Resolves: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1469791 - Rebase SSSD to version 1.16+ - Resolves: rhbz#1132264 - Allow sssd to retrieve sudo rules of local users whose sudo rules stored in ldap server - Resolves: rhbz#1301740 - sssd can be marked offline if a trusted domain is not reachable - Resolves: rhbz#1399262 - Use TCP for kerberos with AD by default - Resolves: rhbz#1416150 - RFE: Log to syslog when sssd cannot contact servers, goes offline - Resolves: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Resolves: rhbz#1454559 - python-sssdconfig doesn't parse hexadecimal debug _level, resulting in set_option(): /usr/lib/python2.7/site-packages/SSSDConfig/__init__.py killed by TypeError - Resolves: rhbz#1456968 - MAN: document that attribute 'provider' is not allowed in section 'secrets' - Resolves: rhbz#1460689 - KCM/secrets: Storing many secrets in a rapid succession segfaults the secrets responder - Resolves: rhbz#1464049 - Idle nss file descriptors should be closed - Resolves: rhbz#1468610 - sssd_be is utilizing more CPU during sudo rules refresh - Resolves: rhbz#1474711 - Querying the AD domain for external domain's ID can mark the AD domain offline - Resolves: rhbz#1479398 - samba shares with sssd authentication broken on 7.4 - Resolves: rhbz#1479983 - id root triggers an LDAP lookup - Resolves: rhbz#1489895 - Issues with certificate mapping rules - Resolves: rhbz#1490501 - sssd incorrectly checks 'try_inotify' thinking it is the wrong section - Resolves: rhbz#1490913 - MAN: Document that full_name_format must be set if the output of trusted domains user resolution should be shortnames only - Resolves: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Resolves: rhbz#1482674 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server - Resolves: rhbz#1486053 - Accessing IdM kerberos ticket fails while id mapping is applied - Resolves: rhbz#1486786 - sssd going in offline mode due to sudo search filter. - Resolves: rhbz#1500087 - SSSD creates bad override search filter due to AD Trust object with parenthesis - Resolves: rhbz#1502713 - SSSD can crash due to ABI changes in libldb >= 1.2.0 (1.1.30) - Resolves: rhbz#1461462 - sssd_client: add mutex protected call to the PAC responder - Resolves: rhbz#1489666 - Combination sssd-ad and postfix recieve incorrect mail with asterisks or spaces - Resolves: rhbz#1525052 - sssd_krb5_localauth_plugin fails to fallback to otheri localname rules- Require the 7.5 libldb version which broke ABI - Related: rhbz#1469791 - Rebase SSSD to version 1.16+- Resolves: rhbz#1457926 - Wrong search base used when SSSD is directly connected to AD child domain- Resolves: rhbz#1450107 - SSSD doesn't handle conflicts between users from trusted domains with the same name when shortname user resolution is enabled- Resolves: rhbz#1459846 - krb5: properly handle 'password expired' information retured by the KDC during PKINIT/Smartcard authentication- Resolves: rhbz#1430415 - ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in- Resolves: rhbz#1455254 - Make domain available as user attribute- Resolves: rhbz#1449731 - IPA client cannot change AD Trusted User password- Resolves: rhbz#1457927 - getent failed to fetch netgroup information after changing default_domain_suffix to ADdomin in /etc/sssd/sssd.conf- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15- Resolves: rhbz#1449728 - LDAP to IPA migration doesn't work in master- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1449729 - org.freedesktop.sssd.infopipe.GetUserGroups does not resolve groups into names with AD- Resolves: rhbz#1450094 - Properly support IPA's promptusername config option- Resolves: rhbz#1457644 - Segfault in access_provider = krb5 is set in sssd.conf due to an off-by-one error when constructing the child send buffer - Resolves: rhbz#1456531 - Option name typos are not detected with validator function of sssctl config-check command in domain sections- Resolves: rhbz#1428906 - sssd intermittently failing to resolve groups for an AD user in IPA-AD trust environment.- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail - Fix Coverity issues in patches for rhbz#1445445- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1446302 - crash in sssd-kcm due to a race-condition between two concurrent requests- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail- Resolves: rhbz#1306707 - Need better debug message when krb5_child returns an unhandled error, leading to a System Error PAM code- Resolves: rhbz#1446535 - Group resolution does not work in subdomain without ad_server option- Resolves: rhbz#1449726 - sss_nss_getlistbycert() does not return results from multiple domains - Resolves: rhbz#1447098 - sssd unable to search dbus for ipa user by certificate - Additional patch for rhbz#1440132- Reapply patch by Lukas Slebodnik to fix upgrade issues with libwbclient - Resolves: rhbz#1439457 - SSSD does not start after upgrade from 7.3 to 7.4 - Resolves: rhbz#1449107 - error: %pre(sssd-common-1.15.2-26.el7.x86_64) scriptlet failed, exit status 3- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15 - Also apply an additional patch for rhbz#1441545- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1434992 - Wrong pam return code for user from subdomain with ad_access_filter- Resolves: rhbz#1430494 - expect sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy manuals to be packaged into sssd-common package- Resolves: rhbz#1427749 - SSSD in server mode iterates over all domains for group-by-GID requests, causing unnecessary searches- Resolves: rhbz#1446139 - Infopipe method ListByCertificate does not return the users with overrides- Resolves: rhbz#1441545 - With multiple subdomain sections id command output for user is not displayed for both domains- Resolves: rhbz#1428866 - Using ad_enabled_domains configuration option in sssd.conf causes nameservice lookups to fail.- Remove an unused variable from the sssd-secrets responder - Related: rhbz#1398701 - [sssd-secrets] https proxy talks plain http - Improve two DEBUG messages in the client trust code to aid troubleshooting - Fix standalone application domains - Related: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Allow completely server-side unqualified name resolution if the domain order is set, do not require any client-side changes - Related: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users- Resolves: rhbz#1402532 - D-Bus interface of sssd is giving inappropriate group information for trusted AD users- Resolves: rhbz#1431858 - Wrong principal found with ad provider and long host name- Resolves: rhbz#1415167 - pam_acct_mgmt with pam_sss.so fails in unprivileged container unless selinux_provider = none is used- Resolves: rhbz#1438388 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_pam killed by 6- Resolves: rhbz#1432112 - sssctl config-check does not give any error when default configuration file is not present- Resolves: rhbz#1438374 - [abrt] [faf] sssd: vfprintf(): /usr/libexec/sssd/sssd_be killed by 11- Resolves: rhbz#1427195 - sssd_nss consumes more memory until restarted or machine swaps- Resolves: rhbz#1414023 - Create troubleshooting tool to determine if a failure is in SSSD or not when using layered products like RH-SSO/CFME etc- Resolves: rhbz#1398701 - [sssd-secrets] https proxy talks plain http- Fix off-by-one error in the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Resolves: rhbz#1434991 - Issue processing ssh keys from certificates in ssh respoder- Resolves: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users - Also backport some buildtime fixes for the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1340711 - [RFE] Use one smartcard and certificate for authentication to distinct logon accounts- Update to upstream 1.15.2 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html - Resolves: rhbz#1418728 - IPA - sudo does not handle associated conflict entries - Resolves: rhbz#1386748 - sssd doesn't update PTR records if A/PTR zones are configured as non-secure and secure - Resolves: rhbz#1214491 - [RFE] Make it possible to configure AD subdomain in the SSSD server mode- Drop "NOUPSTREAM: Bundle http-parser" patch Related: rhbz#1393819 - New package: http-parser- Update to upstream 1.15.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html - Resolves: rhbz#1327085 - Don't prompt for password if there is already one on the stack - Resolves: rhbz#1378722 - [RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases - Resolves: rhbz#1405075 - [RFE] Add PKINIT support to SSSD Kerberos provider - Resolves: rhbz#1416526 - Need correction in sssd-krb5 man page - Resolves: rhbz#1418752 - pam_sss crashes in do_pam_conversation if no conversation function is provided by the client app - Resolves: rhbz#1419356 - Fails to accept any sudo rules if there are two user entries in an ldap role with the same sudo user - Resolves: rhbz#1421622 - SSSD - Users/Groups are cached as mixed-case resulting in users unable to sign in- Fix several packaging issues, notably the p11_child is no longer setuid and the libwbclient used a wrong version number in the symlink- Update to upstream 1.15.0 - Resolves: rhbz#1393824 - Rebase SSSD to version 1.15 - Resolves: rhbz#1407960 - wbcLookupSid() fails in pdomain is NULL - Resolves: rhbz#1406437 - sssctl netgroup-show Cannot allocate memory - Resolves: rhbz#1400422 - Use-after free in resolver in case the fd is writeable and readable at the same time - Resolves: rhbz#1393085 - bz - ldap group names don't resolve after upgrading sssd to 1.14.0 if ldap_nesting_level is set to 0 - Resolves: rhbz#1392444 - sssd_be keeps crashing - Resolves: rhbz#1392441 - sssd fails to start after upgrading to RHEL 7.3 - Resolves: rhbz#1382602 - autofs map resolution doesn't work offline - Resolves: rhbz#1380436 - sudo: ignore case on case insensitive domains - Resolves: rhbz#1378251 - Typo In SSSD-AD Man Page - Resolves: rhbz#1373427 - Clock skew makes SSSD return System Error - Resolves: rhbz#1306707 - Need better handling of "Server not found in Kerberos database" - Resolves: rhbz#1297462 - Don't include 'enable_only=sssd' in the localauth plugin config- Resolves: rhbz#1382598 - IPA: Uninitialized variable during subdomain check- Resolves: rhbz#1378911 - No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain- Resolves: rhbz#1372075 - AD provider: SSSD does not retrieve a domain-local group with the AD provider when following AGGUDLP group structure across domains- Resolves: rhbz#1376831 - sssd-common is missing dependency on sssd-sudo- Resolves: rhbz#1371631 - login using gdm calls for gdm-smartcard when smartcard authentication is not enabled- Resolves: rhbz#1373420 - sss_override fails to export- Resolves: rhbz#1375299 - sss_groupshow fails with error "No such group in local domain. Printing groups only allowed in local domain"- Resolves: rhbz#1375182 - SSSD goes offline when the LDAP server returns sizelimit exceeded- Resolves: rhbz#1372753 - Access denied for user when access_provider = krb5 is set in sssd.conf- Resolves: rhbz#1373444 - unable to create group in sssd cache - Resolves: rhbz#1373577 - unable to add local user in sssd to a group in sssd- Resolves: rhbz#1369118 - Don't enable the default shadowtils domain in RHEL- Fix permissions for the private pipe directory - Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1371977 - resolving IPA nested user groups is broken in 1.14- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1371152 - SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side- Apply forgotten patch - Resolves: rhbz#1368496 - sssd is not able to authenticate with alias - Resolves: rhbz#1366470 - sssd: throw away the timestamp cache if re-initializing the persistent cache - Fix deleting non-existent secret - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1364033 - sssd exits if clock is adjusted backwards after boot- Resolves: rhbz#1362023 - SSSD fails to start when ldap_user_extra_attrs contains mail- Resolves: rhbz#1368324 - libsss_autofs.so is packaged in two packages sssd-common and libsss_autofs- Fix RPM scriptlet plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Add socket-activation plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Own the secrets directory - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1268874 - Add an option to disable checking for trusted domains in the subdomains provider- Resolves: rhbz#1271280 - sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)- Resolves: rhbz#1290500 - [feat] command to manually list fo_add_server_to_list information- Add several small fixes related to the config API - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Resolves: rhbz#1349900 - gpo search errors out and gpo_cache file is never created- Fix regressions in the simple access provider - Resolves: rhbz#1360806 - sssd does not start if sub-domain user is used with simple access provider - Apply a number of specfile patches to better match the upstream spefile - Related: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3- Cherry-pick patches from upstream that fix several regressions - Avoid checking local users in all cases - Resolves: rhbz#1353951 - sssd_pam leaks file descriptors- Resolves: rhbz#1364118 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11 - Resolves: rhbz#1361563 - Wrong pam error code returned for password change in offline mode- Resolves: rhbz#1309745 - Support multiple principals for IPA users- Resolves: rhbz#1304992 - Handle overriden name of members in the memberUid attribute- handle unresolvable sites more gracefully - Resolves: rhbz#1346011 - sssd is looking at a server in the GC of a subdomain, not the root domain. - fix compilation warnings in unit tests- fix capaths output - Resolves: rhbz#1344940 - GSSAPI error causes failures for child domain user logins across IPA - AD trust - also fix Coverity issues in the secrets responder and suppress noisy debug messages when setting the timestamp cache- Resolves: rhbz#1356577 - sssctl: Time stamps without time zone information- Resolves: rhbz#1354414 - New or modified ID-View User overrides are not visible unless rm -f /var/lib/sss/db/*cache*- Resolves: rhbz#1211631 - [RFE] Support of UPN for IdM trusted domains- Resolves: rhbz#1350520 - [abrt] sssd-common: ipa_dyndns_update_send(): sssd_be killed by SIGSEGV- Resolves: rhbz#1349882 - sssd does not work under non-root user - Also cherry-pick a few patches from upstream to fix config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Sync a few minor patches from upstream - Fix sssctl manpage - Fix nss-tests unit test on big-endian machines - Fix several issues in the config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Bundle http-parser - Resolves: rhbz#1311056 - Add a Secrets as a Service component- Sync a few minor patches from upstream - Fix a failover issue - Resolves: rhbz#1334749 - sssd fails to mark a connection as bad on searches that time out- Explicitly BuildRequire newer ding-libs - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- New upstream release 1.14.0 - Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#835492 - [RFE] SSSD admin tool request - force reload - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check) - Resolves: rhbz#1278691 - Please fix rfc2307 autofs schema defaults - Resolves: rhbz#1287209 - default_domain_suffix Appended to User Name - Resolves: rhbz#1300663 - Improve sudo protocol to support configurations with default_domain_suffix - Resolves: rhbz#1312275 - Support authentication indicators from IPA- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#790113 - [RFE] "include" directive in sssd.conf - Resolves: rhbz#874985 - [RFE] AD provider support for automount lookups - Resolves: rhbz#879333 - [RFE] SSSD admin tool request - status overview - Resolves: rhbz#1140022 - [RFE]Allow sssd to add a new option that would specify which server to update DNS with - Resolves: rhbz#1290380 - RFE: Improve SSSD performance in large environments - Resolves: rhbz#883886 - sssd: incorrect checks on length values during packet decoding - Resolves: rhbz#988207 - sssd does not detail which line in configuration is invalid - Resolves: rhbz#1007969 - sssd_cache does not remove have an option to remove the sssd database - Resolves: rhbz#1103249 - PAC responder needs much time to process large group lists - Resolves: rhbz#1118257 - Users in ipa groups, added to netgroups are not resovable - Resolves: rhbz#1269018 - Too much logging from sssd_be - Resolves: rhbz#1293695 - sssd mixup nested group from AD trusted domains - Resolves: rhbz#1308935 - After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user - Resolves: rhbz#1315766 - SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo - Resolves: rhbz#1316164 - SSSD fails to process GPO from Active Directory - Resolves: rhbz#1322458 - sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - The rebase includes fixes for the following bugzillas: - Resolves: rhbz#789477 - [RFE] SUDO: Support the IPA schema - Resolves: rhbz#1059972 - RFE: SSSD: Automatically assign new slices for any AD domain - Resolves: rhbz#1233200 - man sssd.conf should clarify details about subdomain_inherit option. - Resolves: rhbz#1238144 - Need better libhbac debuging added to sssd - Resolves: rhbz#1265366 - sss_override segfaults when accidentally adding --help flag to some commands - Resolves: rhbz#1269512 - sss_override: memory violation - Resolves: rhbz#1278566 - crash in sssd when non-Englsh locale is used and pam_strerror prints non-ASCII characters - Resolves: rhbz#1283686 - groups get deleted from the cache - Resolves: rhbz#1290378 - Smart Cards: Certificate in the ID View - Resolves: rhbz#1292238 - extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members - Resolves: rhbz#1292456 - sssd_be AD segfaults on missing A record - Resolves: rhbz#1294670 - Local users with local sudo rules causes LDAP queries - Resolves: rhbz#1296618 - Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore - Resolves: rhbz#1299553 - Cannot retrieve users after upgrade from 1.12 to 1.13 - Resolves: rhbz#1302821 - Cannot start sssd after switching to non-root - Resolves: rhbz#1310877 - [RFE] Support Automatic Renewing of Kerberos Host Keytabs - Resolves: rhbz#1313014 - sssd is not closing sockets properly - Resolves: rhbz#1318996 - SSSD does not fail over to next GC - Resolves: rhbz#1327270 - local overrides: issues with sub-domain users and mixed case names - Resolves: rhbz#1342547 - sssd-libwbclient: wbcSidsToUnixIds should not fail on lookup errors- Build the PAC plugin with krb5-1.14 - Related: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1290853 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.- Resolves: rhbz#1336706 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups- Resolves: rhbz#1296902 - In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD.- Resolves: rhbz#1334159 - IPA provider crashes if a netgroup from a trusted domain is requested- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin - More patches from upstream related to the memory leak- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin- Resolves: rhbz#1300740 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.- Resolves: rhbz#1267836 - PAM responder crashed if user was not set- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Fix a Coverity warning in dyndns code - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1263735 - Could not resolve AD user from root domain- Remove -d from sss_override manpage - Related: rhbz#1259512 - sss_override : The local override user is not found- Patches required for better handling of failover with one-way trusts - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users- Resolves: rhbz#1259512 - sss_override : The local override user is not found- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help- Resolves: rhbz#1254518 - Fix crash in nss responder- Support import/export for local overrides - Support FQDNs for local overrides - Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes- Resolves: rhbz#1250415 - sssd: p11_child hardening- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected- Fix wildcard_limit=0 - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Fix race condition in invalidating the memory cache - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled- Bump release number - Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- Fix missing dependency of sssd-tools - Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- More memory cache related fixes - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Remove binary blob from SC patches as patch(1) can't handle those - Related: rhbz#854396 - [RFE] Support for smart cards- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*- Fix memory cache integration tests - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups - Resolves: rhbz#854396 - [RFE] Support for smart cards- Remove OTP from PAM stack correctly - Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Handle sssd-owned keytabs when sssd runs as root - Related: rhbz#1205144 - RFE: Support one-way trusts for IPA- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on individual clients- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support - Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2- Add support for InfoPipe wildcard requests - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Also package the initgr memcache - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Rebase to 1.13.0 upstream - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Don't default to SSSD user - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Related: rhbz#1205554 - Rebase SSSD to 1.13.x - GPO default should be permissve- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x - Relax the libldb requirement - Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21 - Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs - Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust - Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers - Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains - Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups - Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set - Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides - Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution - Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work - Resolves: rhbz#1214337 - Overrides with --login work in second attempt - Resolves: rhbz#1212489 - Disable the cleanup task by default - Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf - Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one - Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected - Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all - Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface - Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain - Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys - Resolves: rhbz#1204203 - sssd crashes intermittently - Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default - Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only - Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries - Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything - Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query - Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects - Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name? - Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error - Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD - Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set - Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires - Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option - Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID- Filter out domain-local groups during AD initgroups operation - Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Initialize variable in the views code in one success and one failure path - Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Handle case where there is no default and no rules - Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u- Set a pointer in ldap_child to NULL to avoid warnings - Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Run the restart in sssd-common posttrans - Explicitly require libwbclient - Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Fix endianess bug in fill_id() - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view- Resolves: rhbz#1184982 - Need to set different umask in selinux_child- Bump the release number - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Add a patch dependency - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Process ghost members only once - Fix processing of universal groups with members from different domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved- Handle GID override in MPG domains - Handle views with mixed-case domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Open socket to the PAC responder in krb5_child before dropping root - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD- Resolves: rhbz#889206 - On clock skew sssd returns system error- Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used - Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Resolves: rhbz#1171215 - Crash in function get_object_from_cache - Resolves: rhbz#1171383 - getent fails for posix group with AD users after login - Resolves: rhbz#1171382 - getent of AD universal group fails after group users login - Resolves: rhbz#1170300 - Access is not rejected for disabled domain - Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode - Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear - Related: rhbz#1113783 - sssd should run under unprivileged user- Rebuild to add several forgotten Patch entries - Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Remove Coverity warnings in krb5_child code - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Don't error out on chpass with OTPs - Related: rhbz#1109756 - Rebase SSSD to 1.12- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users - Enable running unit tests without cmocka - Related: rhbz#1113783 - sssd should run under unprivileged user- krb5_child and ldap_child do not call Kerberos calls as root - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware- Fix typo in libwbclient-devel alternatives invocation - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.- Handle migrating clients between views - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Use alternatives for libwbclient - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression- Add an option that describes where to put generated krb5 files to - Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12- Handle IPA group names returned from the extop plugin - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete- Support views for IPA users - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Update man page to clarify TGs should be disabled with a custom search base - Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Use upstreamed patches for the rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Resolves: rhbz#1162480 - dereferencing failure against openldap server- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1113783 - sssd should run under unprivileged user- Fix two regressions in the new selinux_child process - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1132365 - Remove password from the PAM stack if OTP is used- Include the ldap_child and selinux_child patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Support overriding SSH public keys with views - Support extended attributes via the extop plugin - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving - Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times- Include the responder and packaging patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Amend the sssd-ldap man page with info about lockout setup - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD - Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server - Related: rhbz#1109756 - Rebase SSSD to 1.12- Add the low-level server changes for running as unprivileged user - Package the libsss_semange library needed for SELinux label changes - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Use libsemanage for SELinux label changes - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Rebase SSSD to 1.12.2 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Sync with upstream - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebuild against ding-libs with fixed SONAME - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.1 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Require ldb 2.1.17 - Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer- Fix fully qualified IFP lookups - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.0 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Squash in upstream review comments about the PAC patch - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Backport a patch to allow krb5-utils-test to run as root - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Fix a DEBUG message, backport two related fixes - Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success- Resolves: rhbz#1078840 - Error during password change- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider- Fix idmap documentation - Bump idmap version info - Related: rhbz#1067361 - Check IPA idranges before saving them to the cache- Pull some follow up man page fixes from upstream - Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does. - Use the right domain for AD site resolution - Related: rhbz#743503 - [RFE] sssd should support DNS sites- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin- Mass rebuild 2014-01-24- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed. - Fix a typo in the man page - Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain - Fix return value when searching for AD domain flat names - Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword. - Fix two memory leaks in the PAC responder (Related: rhbz#991065)- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup- Resolves: rhbz#1049533 - Group membership lookup issue- Mass rebuild 2013-12-27- Resolves: rhbz#894068 - sss_cache doesn't support subdomains- Re-initialize subdomains after provider startup - Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- The AD provider is able to resolve group memberships for groups with Global and Universal scope - Related: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog- Resolves: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog - Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"- Resolves: rhbz#1037936 - sssd_be crashes occasionally- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains- Resolves: rhbz#1033084 - sssd_be segfaults if empty grop is resolved using ad_matching_rule- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- Skip netgroups that don't provide well-formed triplets - Related: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 - Resolves: rhbz#991065- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash - Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 - Resolves: rhbz#991065 - Rebase SSSD to 1.11.0- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 - Resolves: rhbz#991065- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 - Related: rhbz#991065- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting- Apply several important fixes from upstream 1.10 branch - Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- Remove libcmocka dependency- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doensn't carry any older krb5-libs version- Enable hardened build for RHEL7- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath insted of mcachepath macro to be consistent with upsteam spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. - Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested tar get is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstreeam spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predicatable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. - Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. - Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. - Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. (Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)svuk1.16.5-10.el7_9.151.16.5-10.el7_9.15libsss_ad.sogpo_childsssd-ad-1.16.5COPYINGsssd-ad.5.gzsssd-ad.5.gzsssd-ad.5.gz/usr/lib64/sssd//usr/libexec/sssd//usr/share/licenses//usr/share/licenses/sssd-ad-1.16.5//usr/share/man/man5//usr/share/man/sv/man5//usr/share/man/uk/man5/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericcpioxz9x86_64-redhat-linux-gnuELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=44d73d70f7d43e19c2ab7f2a21180bc79c2c0555, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=b8be4a6665b4831e39364b8a5c8f4e0deb32a16b, strippeddirectoryASCII texttroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, from Unix, max compression)troff or preprocessor input, UTF-8 Unicode text, with very long lines (gzip compressed data, from Unix, max compression)BBPRRRCRRRRRRRR RR@R)R:R-RRRRR,R/RR9RRRGR'R RRRRRRR@R0R7R>R?R&R RRR*RR/RRRG?@7zXZ !X~] crv9w uG*H\8,_}~F?(IYb(L1Q<*U` jxJQ K*%x#yy2qK1/alFwxOb%O,GXLLuŎ2*$<5|E~Kyv/);]cji1H+Dq?7gPMabn.'JЍ,/{Mt367oIn=+O0#c*#ˠ.eY-*Ԥ:ĠillQLNХCw܁*}b XU&^gQ$V$xWp1#OPɠx}tw{.}Bme my'_Fp3i?sE@x>ǃz۷pIcdJ g=h A q#omP`9T¸}#GLQwy CI;w@:d¼*|q@{^!d>b!₲=i@ a8? x:)f% .Ma?QokuDbl<ۓmRVQ_L@i?GJ3'jYHES{*!{{MގǺyqXmHq2abR̟2{#5ղ 2JJ0%lorBfK|.G<ƍ*L siIATyq4 3EW;slD8:eI7Ɇ^HBBc NԛD%m8=mɍ|4obF].]9Tμ/0/[mːLcSk" (J .@\%p60Q,?~g[$V蜪ekGTs2V5Tޞ?Ma 9i ] Y" ^k(V$T ^MGJ3UQϓh3<_]T%l&B5%]B7EJfh /aúCZe0RK):BӬ1.^I^DD>GRkK:̆z;1U]9cF:fj`Qwbb׶yK<:60֨lDԟ}֞hF hnr^y`Tю 7It+&(姨\[6{2.K{TIRZYHn=TT +Vf|فa2uj3tݵtnVL?; Sl4YO|:vVie~}#dֳ KSRg|en-Bj$tJg}Z .}za'A<'I)S7K6Q@&tfny? Ts%>R)x>21L"S\N稥*'fՠNb$/DU;ܩ%]{վT\`̭X.-3eeNn6G^Ϳm#o֔^3T)kYgFL8?hZY`vBc=cITsN*/$6;?qz>\ { ܛhscʺlh.͛r uǯL}L14B8^ԝO?-WȚ> "-a; BVUsʭOr|loG=a 69A,Cx*Tu|4:K .D7vLYMhf[q>sxZ75A0xJP`OrNtulG/[q `fq=+8rN=+އv[p0/l#\SfYcmD z40dV]ϛb(:=ݮ'#rt;5z/%sSlB@nU/:/BB%^05_A`|J ߵ$KFoکfr}^!q: mM(wbebz6y(g.W@gyrDQ@ىH:V%%j*2vQǵ{wru+@D%91UTwh=%2(t!L^0YQ|])S=>lv/:>u%7bKșG|ſUXxXWY4pLc;mJľ R3Q K|̕=i͚J2)Kwнek,Du丨֏U֚ B !1(,43Z8 j'v ^dw5\R S<$w Խ- k?gVޞbXպJbal>+$:<1 `h)R9[md3/<2zhq0PkbRl-zh֯lJ.L~(ޗJo2q2SMlT` f,bk%?[0kXWa3oR3} oy~ėpK7m4&x l2^f{%5c @uV4}ʄ4(1 z( x%z. LyE6ثᬙC [όo$yįԭ]p/Cblѯ NcL: DT t0!V:eeM{)7,^3C:WuRpW\ kÄw"GU)V-ZG)DhKX,HaAGKK1uAϏTa"oKD˱ rLR9!m 1 e&MhS'Dj@`'sHi7@M)@"UWF}05킇Yz)gTKCn|]l[xʯ|2R!k|P,?[^U 9"2wsS.Y9[.Y<8a9 rd0lj1;&N#9%&,TӀgjҏwN{n7WHGQ3}Mz.q$|v!<"A]`Tm6N>aZ"@UjoNu~'L-.]vU,"iZiMd\K̢C/8V{ ~pniozEV I{kbjͲLf >3!@A΁i5uv>AIF3%]O2;gYx{rT1a -G[OTmn8RqSNhehXT㠜f{#I]%sjMZe&s 3F\?{KyA4놳Nm7hfч4\>58cCyً=\o0.QJ׬J@ڐg-[vUZ_' ޢ^u˛ s#Gx=A 4,j9͒b'XRMW=4(Ei=>%9qȘ3`+rX=Q"0P^!ܻBww % 9]3w2!yzקSTJa:Ґ1h"}};VRHYöK3[h^T?*Q 8~ VߜrBՑaݯT *,MՐH(P׭ܷ} #iONf.l_l,:{O5 ]r%W޸*\GqjbM~ON1UF{ڝ ^QK`.0z<$!M g5@n8xx`mNm q_VX-}hoRTys*uso1Ht]{yWTFA_Gpjm©k&wLAC;Ga2kRxQ`[7COVq~u2˴*;ղׇ:]JWB0!fwk'0RʴO4[3<6YB"y@?:j(Hc\ v])I%~Gi}νŢ_ ushyqSpi^3;!PDG@bk"CV8Mn X\%M 6 Ao gn)gl/d-X$9Nn~-֥eSZKJS$菑SAe5-F¶{mا7Y,]>,)l՟rA:kh-gj.Z.mlHɹl",,i |eAb| KYHQ+o]b^7] >h`0YA u'^\P}}p{G\yr-pM?m5HdBiWyGk׆Cv XXmoTAD#3 ֭ĖhHOuג#(/ȁ% r^1=Pd&]xgwru$l Ro3(ThOfo)~'[G&M9믆?'wkcuEߣ.]!ՇK'Hnk7E?)rDޤVt;xƬw;ٲ+'YВ?;SU\`NcċQ~{+fJ_E1uvu17oxd< ]"/]*h%3*W'{-o,ޤ~*ŗ^w {!샹oS;@n+ {T R2:'4h49/#>Mf"N6x=TL\s/C{HԤUGE//yj#Z2g嘭ܘjmҙ?ިKytE`O _HTb`ҩf$Ƨt~/ChOp#+/͒#T/ A séI!~87Qhwl7sŏ+=:ZR8\[gQf#p'}`"rT.X%Sa;uf5ptvj1C=Z|Aږ 5 C"9q!{/BYɏ(\]cV)eh͛*NoOk@ũh  %2J8y3Z`)ƿLox^c:PE x, =A#kʂB}kxDN1ޞwvQ8Ek^}ya va}e9B`|3uʹ<Ū*aw (T5&7*hQ%:ؤ kyJӀ@nikg4myECUcGs ߉T׷K@c-5"+XRn;֩S Ӓ(@tn\}U!Bq텹X0=Ѫ#[Q:N&hM $n]VBI!m!ܸ{Ϧ*v.0:3ylŔ6174GpZVٻ@Zy[0AgƁL{LȞ&>i2w'Otu<]szs5Fw2 4j{ InHn u_h GlXx㱸qm)Zb!9R\KqLtCvQ;j%( Z -P^S E/`jXx@Hv~z#/k0~\Sa3ȷ #L;&Z27+m~Hd"Ӫ6ͥ"(r8z'{8<[OQzx$τ@f}ZkLhq2(NxT;{MR,CAHvSr7IOlZ.,#O'9rϋ]6q<8sh:%Lkl;XQaa!V|LGwWKVG +}ಯX2!>OmH֭kDC}yey8;1n;lBa,b~/?6J(Q˕Vgvh)3QgzgEwKAHv,EY$KBʭ̞pZ̶t -.ʱhu: Դc#xP1 0.IW}EBM&ͦDJZ["bC$?Z_Chz9g|1^L&=߆B0AB .^ ;uD+Sθ"dB&'ȓ0iAܝ˴uuih]>+stʚv1.}}niC̟6{ȕ=f>dM]Z4v'Ң@:"{X}2BSdzfn=_C= 8ߡtIJlȡd %4_tk>\ 7w}U?+o| .yήۮajvA>>?;~Wl;N(Gxȫ&?܊vuzOAX _k$7UMT(*mEhsLQflbK'&PK1Tn nf`jo5r=,ӭ\PʔAHFe`w7pU Fe_kY]>n̜˗/\'VT8*˦L+;ԭSJص?0]͈dQM> (Fu1.wwMe `ښ0Wqp@d} ˃dl<-rCa?e:;z+GQ?32:QZWgW* '2P7G% )]#rsߤ@)0? f brDcfr9ER,^&t׋K՛SB]<.i&HIFdTp^R{7#>{$*ƥ u~Di-+|S/E$jqܺ< jt2 [| (s0ď RÒGv=sFz.tڐhTt(ٶ=T\ "|2E<#`.yFDgCRC>G=FG &ChLNJmi'_ֶ yrn$9߬" ~1SϦ3ۊhEK;9-}† T\ (/o޴Yr)+>$37{u9V* ":z*&#=HWc\U:a4FBG%Ëx[+wfxOqS! S|@4{mt?/:xX ?g ƗF=TbbN$A]] jQPFB5_*w X "_X[QmK>:aTfhnW@XX1[9BǔMfQ㾨o"$)oBQf~{\Xf@z@&6ø~M/gեC5Uihm$!>ˊp}=D@Y;.CB"5#҉&@}wH~: 8JF9LNoނFtGGf̈́UTR[uA'OFgpDѿUb/V*:QU[J Пpf'2΅ y5?̬q΄vXNLk th"pm e Z˕|*M82ux%DΆgՋn2{ψwWR*@6 .b_&Voh` j/`sPR- = R%ЙRd3{]/ڜS[Dq >Kw-ʌO+C54ŋݽI<*[LU*тp'~DɁ鯉bGQ [, cQLRJd6,,((KLiv>'`xzxZ>'ss:EެZzq8old2l#s-ʲ oj16b`,~l%hîSs%(:xV%k[9UCX<}P>(Z*Oxڷ?Wy\&31|J<3Q̽7K\:k(k5~>G6FBRt)ě<9Ia1 E #KH]R&m-mۣ YԉD狡5p~q﵉.f{Y␚C%A7uT/#(&}Q^̭W`,/4!^{BZ!HY~Q19StJCaZEN!a詡V/iȯ70g556+84P-(U0i7EzE֦a'}A޿pXڿ߯| k6Dž?p)_xhs$l_sҁ:a7nks1\Bvau/7=q9%E*;{RþJ~_䦞TY6/B `]&0斢giC(;_wr/ 8cxQb:)uAwkv+ Q\;̄DFH4ȁՉFe(q۵nL1= ƊO΀=%胧o|qݱlVloXXc{VXSk$rƟz $믨_{sߌAX? ̕9)v\eܪ74SU)_ډ2DЩJ7Jڭ0|JQ}^a( &b,w3 *W}1($n *;`xƃ; h^ϱ^5؝{ب,]9sf)4ɸD췑Z8dJ]hIýgO;:7"ّX,Q>[]I=e]OJYtK341ߵ?Fv' U2\T㝯0Ta$HFO#]7(tW0 W |`RZCF҇ z<}209<)+'tSB$W%2eG4TB7*+Ui;U k#FR¶%%·[ zW^QRw^׭: x'qە1eQm@trHG ڙrg-Dh3!,£\'\C5{!.6\9G&QK(->8X\r@aJc_(S&  x2WI #+>fS¬(;,pHN nĺsaU&}&q8K`4;nejeurQW.b~#4ZyGL®=ma_fqAFz.Ziq,$YV-r ISZ@uiHg6ry쑱-Z}^E3?nۘk"uSͪ3'}G]W ,ĢP6%+1X[&]R\h?h  gKY|q1>GIK]D8?gvF)UNI\]ecWsooHwYDLCä?]kbcȇo0gQ]t/l伟p"% [CVX&oZZ/` bO0m`wnE(kw3+Ź禫`q՚T3/fqe?/íE,-ڟOgsӉҠWyه~:r{ԞXyVzw ڠxP6ei.~%mH$1GJ%c Ͻ 3U<7 ?ݰ>,,83ދ$`6kKAy' ᙺȱ/M3X-g7 9_t,tYW Iũxj^Y0t(g>, zu:+ 6$%4еF%0Lyz :_ qН9ӫz٢0=9;REe<3p{m`;Z-DɃc!-,_BՌmRⴡO}1hT<6H}x`aŖdg7GC0Zui/ɣ@huv%lv\5ǃ  W:||w+>vJhNOSeFW>;d ,DgX*ޑ>t $Q"%ܱ*0{D؁ufsAe6 jLd3U@[x06- %d'3ZsTRD[t @K`@aqkST6M DЍb&i^Ws\{pk|OH^ԫwèS "&?dx5"")F3,ZmM3=,ѷ{UY,NgPj\:$$6;GuZn8n~51!,%~V 4e -x{2GlJso,+hJ#3Xev(ŋ\ɊP e.Ckkui.$ނ7|i9|uTUO0眞mφC}PU kT ñݜá%I-X`w_m K.ŮYѵ΁T g2;jw |[.bid\e0\Eikн[chY*j 'ghfZ7axӗz0k99d.vy>}ވms&|OÞMNZ1ۢ7!gSR  w(a >J K]8ڬ(N_7pT׼\&r!(]^:ؿzě=!b2kD#x hG 8c0$ Tv\zDDߟyznRUk}b;0yt5< >QAJ=Q<&~_W٧7`J[V#+L4x:Qf CXG,;_6N9Y(k`'x/pBP8$kre߯3&G( `c(Mc 0fmQL&}2hUe⥋oY@ 'C$|jvoM @vguզ+G=ś5T&!}yf pŊASS[I(7禑uo`d%9J"dF$>q01}} : 9 a}H+r7K:? .FS&8&p*< A䤉N][zAiՃOB?/ Hek7Q ea,DL5^fa:žfBHKY |Co/!D7328FΫ{HK7Ť,pؑ& p[r57`F1[Ev"A.NkB Nf1K&OP{:[x#/]#s߿tM8y/UzPY0rIVl,j%Qǣ "a۫BJ?]0H:XWlJ$Hf9+]Op MEc0sR;Ӯߌ̧jNprU:_,cߞĹɠ"[HKFH[sl쓲t#8Ůj\ z2٦cJGF]N\_hg־5dcڃĿGVQ~SE:Q(aO>DMW5.4s#Z;9SR}}tZ8bR8C2$RNaXixΛ>[4h^jb[w9'J^uov"^ f/b1{#6)VyoR!/RBn;|1HwTl[@ɍ Q/1Jau(rVyWA8|'sJgepGՎ`TZi2D ^9VoPK.iЊWJBaά UnGSXQ=Z _ʚ:KDP_4֋kT'"(Td)_҇'N4;>YU1@M_68}hc* K#ms$Nᇦ9 9m+o+%dk2p3LXo k;wM>i2)>%'k9ߎewˆ 3|%RZ0=&ZΒX"jOܓQv$[Յ04XVGJg @U!sdeh⟠ +`.x'+Jm:l֥~!a/\HN aˀ#~f3=.:Wi6jw9#dx-t,yD?HH Дrdb8rEi렷*ά+nGg|r;lJs.D!d{ qTgn31ɰ` &;a"9?v7}P o\'8)#l=ڟ(ְ6}3˨!i7 /Lrv$`݇W>m[;Vc ^箅&V 2tp~혟 e-72s'yf.epKj1t0#VL1ͻg]>MTdvW*=/si壂ԦouJqpF}1 ĔPpʺžuzy7nvpa(./"bWiP[b rqLR+g]V I H:Zj#}+\%M'^:-y6ZD@eo'][߭a&{Fû2ux5.IËܗn")βcT*+UМL܎T,*><ʽoy.RFG;.=(!]9ŖoDF/s.V>@Ө_F< Xq>z uc&3FPf~K`>*zNv[W/y:@HgHc,~F[6OB2էTGhay|<*3R-a; )CE62Bv:fr2'x,?yN>?4["D1=қ!c='"!06NG4'=y`NPv}*oaҘ-jg㖼:pFxfXƋ>ppێL3H@E%~0D\Pm%<ߕ*mK8.RE4ncv45j,'?) 1[)zQUy(_^EQ^]5DvYU>jD;j.Ei8#@p ˦t`p'ij!)ic#%78ږ}3ɯ/'6R7'O7.Qqk?D6IOM摩 ӯqhURC2-5nv%"ipn2ױGs18Tjl'$nAVCzn-4JDRWqeERiVLح',yQy}]8 p]OÂYhi޸gUB&#{]>MO:}O0;?E&#G-F wfrL}fߩ-ty`9kC[9:CL5&xTOyXRYa1ă^p ~aҳ~ߖ#MKAP\26v@U=6f.hTV f E~bj~ uvRXoN~04q E ěQ4<87hjOPt5{LĦalZt_kDtd>e⃜V`h~+0镚 +7lP0b(爾VϏ-VEwpP/dCe'J|t~DЏ@v< j0madTjWm _ɭ}ؚ M54rYy=0_~ܟWցF 4֭SC"> M& 6Gz]-ծQ'vAnowhȾFhcu^B1륓½sM&Ct`z`&1-̦Gw;y( m D$=61OCs:Z:&<-Gb;EBZq1A/ޞ7QT./.[4-(Lg=,B_VJx}X Q+^'+cェ+^&g߅5?|a,ԣ{27 ejh >A؎pyScL*ݏt{2 2?!F,L*VsXA/ѭ2s߻'%9H1cuȨ˷d)u 6ԭ&A0%ƢRaɶ˩-7d2Kd>~27٥`z#tЄg[)JgZK>pYIrKt}cNI3(Rބj`-@6%E"nqTL7;s‰b=6.Y~N54 o t9nd-btr5z'p~!!xa9J((5t`,UHf(%Wհk~Ğ i~azAYT" Rpq3Q !8."哓sWnvXޙ{U 4`9l (;=VA5̓N>f?=\:dzԨbgToE|c.+4,)86Yy{S\E,c!ҟQ/V !~F`P-ru:>08~I㺞ȾNi^$<#7A~);:p{S4PTcێkD*TSضu>7/ǰtW\*TEss8=#4^ LjX%R<ԬD H[L*%hiNe6b01X4$ f[ x 5(v_lbݩ$ 䗃 lDQ}6њU'~pӿ4h,`JU;E _'f~ W`du{j4jWJVaTQ'9xKX㠰 Q65hwi>$E6 ^GEpMѲ!B+J\t^6r<܋<+i}[F=yȩzru/l?]l§9-$p4}'>9I l4D3d쵽{Q2?O<<;Df](tmzy|X eTzls—QtTK0Q2"eCwE`C32_/UCH&OOΑwO`isV hF"}0.zdCfO>-yp@1~h׸ނ,imuvmҩV/X> @ǵ#rYih^h?~^kw<(mֳBш5FXAxf,z CkL4UçlI@h挃ځvbFvc;j{r`(;%1]_rC.xcFkLKΕ76b>!Y.P.|| x#RU 6_1s7)69@isR5.mgR`rS&ZΌ -f|qWR[\xf/"æg5%jH$hT4 8NPs{Ȗjd_S9s칈+Z}cIb7Yk>(TJ0@xK8({pq.[ttL2 >`Ј)䊔2RՏ1 lIVi?1j@la+0 S;҆|"0NZCݼ'~&Z!dE»Rɟ޹nbey<|fb|r&pEIϧ3,C? -p:'O%*yMC{@rX WFۣ-Zܪ c bŽXa\+9nF{J)ww:7iiZN '.1; o%ei@^z:pmvgY:>K|LXP7&ǁlJo\KJsHS nN +p(!cJ Wg{/[7b ,8\?^$U8EqXR(݂zڰy.ZK1˜N N+^n`=ʚ 'u;荙b<~/_`V1HYم6]:wju[H'| ķnⱗ(umxz|+IAWB|i'B)[{_>A`od`GE֚ fQMWUjC73 Gvlt~=+XWV=<4%2•Vd5?@f]-k5`xȣ^sgt=eHZsVPR26?UBBƧv覗+T~2lGhxx:&%cٌidm{u/m*!x} X5/ԁNSJ6P3.;0NbCp;`[/^"81_U^N)DKe NX(@\0'&0s00,YsM'o5_E SIki *x>!~{ w[tUm!boꍍWȾk^+q?RQyuo4]y;8=KPaUilOZ#.z_cȬ|ܱX etƇI:I ,NmE[AZc %QNPJ*TY5`n]* 0OKF n.入Z6qefiz6=\$q{Ab<Yq J2_bYN90 ]'<X;IL*":$L4Jє $(x{[MʈV9 ̎T:|v{gP- +U܁ dnXvp \z3) Zu"n"|ju]E;*O$h==8^M eX*9z@zsC:,PsJйw@D愹xZ=O=R^2RgۏVԧثBpme0x$VH2W4Ib7IFP3++lZ?$Mɛ6^ͺ-+FpGeoat7잮Ղ[pǛ9ԽD@ fV0ot^ #+qB̨L;}ᕜ5Avm}5_Sd7{ʢLQIf߿c仂ڒ*LC㊘ȶ0ilJKf9 Ye1~?s휉~0ǤLg8O=u_Oˤ5pW8tͪ k3q 'WZ# dA$PlVj7Wyn+]/$jo(.ar"5 'x*;WrX٘-C GC-2s|^P1"hA`ZjA-60`"uFU(D~jOs Vx(ؠ=LlFs3?d  Z+7AD e[fP=/Hɬ6"i5V B/䓍u/[+2O4%pmB''ԟPg4/LQњ]Kc|_1~770쳈9~T1@oH47n*>Y pkoU{t^vxԄe\h,Zt4CJ ܷ,m1Bu@YdBQDH87abKACv^ڲ.=92Fq 7l|IiOEܽ&y_riz>bQ,8%7XJE7! ])هH`GbNW^~H#@;Z~0E*2ŊXWFP@;aݬd-S1-..#X[kO0\" e $.^YKERE@{ϣɹ4fC. W{ ;v*"ܩ ڸF,TlUH!{}P\`3ǡ؉ &lsғ ^w=S PZQ>oKAIi^G\|$NZj" `bfbz퐋GL$mRVWD -Ku?%4I=VֿmZ\uHNX:yތ?ԃwVTBa^LIN-jcκDb\|z 剶O/9NU߬'r|ުd'H?yMFEFee$ބx}ŐQ0s? ̳ȶD4(Ĕ#E*M8akr~22"Lz-H]嵅#kKg3cǙQY2}+~t8&чM҃8չz֬;M0Of%;/#㍉uAva&&HÿNάL'OlNpt,3px]J!&Pg!pAqЄ;8N/z;u|b P9mWW;'Dnqbd^CHlNTj>4Qh$NGZn E0ʔx^*?MRUdKifmN؆eRqw*RtmX`̈́!^{=PC՞0QhlF\b 4E},,`6KA݄n FOYLaea\:I#,uxpkm1abo9d0_?GRmc-f;&J}ܲٛ++Q'bL񿝕y̝G ޹rJeu{t؉܀ vF> SMӤ[Ĝ)|1Lp&p֦VSmr+AWүJz$ (M1?,ZG$-W9sLySP lP2?-#_rE7\F tQdDB9İK>Fu">U@p7ꓚr ⮀~%B ;4/ 9ߚy yd=woU FAO~ً @ZQFWc;Д٭_PC=緞a~X?SUV \m*~=@CVЧ] v CU7(R%' 7DJÉͅ"dVVۘJ?fW4 y5F*?_d uG6,ZxG[rDu\68]C.#$+7A2OTu3=+}c>|@xEDb3E~C_y$(J>ٯ_uL /X9O{'#B?|.nHP1nVrܪFi4j`CBشU7{iAEÉo@t_4A])o(4"娽qxRuJ $+d-w]#j~Tv{ l6mɟhP5w2D{{:yth .h'VgoYX0:LGjWNWs5E"ɿ]b~9e"øCgwUZhoYp iːqeR>H//z\rpcjpRru(‹pfJlŲo-i%XlCA=֋A{ 6 +~,x0С `Fdzd Oz0p!pYe7^_#*T(MeE \e'ϫ !'il9T`>_4[z]1㎳d},r0I_c1#6/Q"o/ʿr?Ngq'oqvƠ1%~6ȸHIVq7!$(,01ёBe Y7b`d:&f4x1ι;Q Xl2 )(Л~s9yf؝}|t!i%kӪX+ݱ Ҧ"iJG(8pnjI6'6f  o AՆjOҏf3陷ĺ1I$3MIWdjzd::. #dxh#iN̯)SSD> '~ C>CeH%^hAWcIL6^5FwQp- t/N]g*uȆiK0{t*|sCi4Ĭt {8JԅjaU;˚AO_z/R?bu/hܐd0ސ D4@f%3@rl,D'"}}*~P Q̎\4}W,)+&OvtyhpEe4`krw{#6A 6P ypaqXDIk˲.mYF_7?⁡H0>}~3&40?_W+ujءf5'b8@޸ZL-OkʥjZe9cיf'nĩi$ok/Uh@]spYwLI9'|\4gՔw ;+5執AayOiI3UElťj1eVsyUtˀ"t @ éY6jC?{#q,P*Jcگ*gt^Ѷ* cO W2x1) &}+&c7H]MTLJY}%os[!:rd|gk oIn&i~~VzC*+LWe̵)@ΟdKd'kϛRvq~iGxQ” %]Ѡ"v' 9Aug߽g> xȪ3JxH  ^,eνvj>?}!b`XM36bLκ:"I6.QҦ<߉b=U4cqG-ߕ(DbCڲI @;lICbw@ONp352gq](EH/OB=Ȅ+Q\RxF)"JWh0 ڪ(Dfh|6ƾtj, St$f%Rf2:`vn+BSPd, gpj k'#«hjg[>Vޝ5^1z.?K 3›0I-/0qҬ6b{}2Iڮ4OKZhsB2L'QmRc˕dq㞏?tJB\e` ʅѱ~ =^#x+L>5OMi&g=6S'K!Gї+r訓j S%m끂XC.Ob!K* R1+Ȟ{*S~2dv5UyyM Abyd:/PSrfNNJ 2+qMC"E,ιwK^'F@ M2i3 i ɣulV~ܻRQo\Ŷ4]͠vV튣*6.}kh؍mj)Uxj+5[tj;+p46l ?k-S, .~Cmz%,%DzD)οVS`'<YM]b+sw+sp" =ڿM}rot<*Qx7Lq L򶇌y0t:#4܂QoU %q 2bM9Y%}ӢYKwvKbz%H+La$MP0Ai>yh#6=- X/ܬ'Ǽ\ *2&?{GmHwiiz|BafvQ7:#Yg`.oyуgQLe Ÿ$!-!K 3(J{!-J&#}/zISA7`4">0jy}Rro'۲8 v=0[0)Q4Ӱ5_4)Ks#KS?4j80娣jKzsm67 IڶAlT>у )siK <}O؎4 tĿuFȗ1"PPt%|V/$` 36^}YL' >7rmaC3 ] ? 2. ثGS^o>*T'@ ^-+x *YF%/v<5gͿc(QTՉ@ť A\Sw/8j8dwlou:}&02΁S*(=%aqptAZ>5FM|1@ol\ o V~}]}=W>8Z4Eq#^+*C7D8Ba L~;1n<>n";"~\V*mg|jԯM|5F$涶o-.ͯR l{߃ މUh.oI807PMdFI hWkH(Lkz+Y"v;pi : iҾ HOMԪ.s]9*(o|-I3>g@Aꗕ@VPw1PG2 ]K IJ4J?l&t СAcć+'peR_c~ lrSbCy;oͱ \ͷ5y( !P쮼O:Q9>1l fjCsaTo{^4"`H5{kTtsO20xf6ZnK0d2u<@z\g9l3jͨ\Q0 8LsJ\EaJ?l=F $ˠ;(c`^eS!E-9==@Z2~" 3B+s0>t5Sc (8[<#һ׉u(LҭZK0֬ t31O,"@2ᣐr5Z |'~n{PC*VGɼS Ybu{*D͡LeHKܫ rb ()~eeh%L1E| )!Uc@l%lpџ)Ai|*u *yTm4`]w!Lƪ׷xg@;Sy1o/cN[e;W(?51t!}qqӞk.ʦ!niK2wֵʢԑ\9B1_" (oQ{Q=e!Y΋8# k51+xakAyu0ׇ^EKc b.shJP(gϴ'D>)7lœ=a{"[coU"y+W ˵)хEqo٥31J`ćTJofp z3%u4j!Fi$37NG &>SvԒWy>6v{dNEȠP+c 5˖A ´AUd^ح;zPU .GE}_F7060sFڕH&V-=..6O[f Ck.W? =5ְ}yL b` zᴴY4IsRʳIAsc `fv*U.`\ye-!:{ds;uR5x<`w/,7Š^sXDKʺ^jʰcZ L8{f501}t,y|#ԧUV JϦFk4;%GlLX##p +yk黸  Q !6qg> 8yXT;y&ґucoRiծm;j>LsUzl^H]Q$:q[-|gN8&G5Ym7WD!(@*(4s\/g=yVW2zK(1+ s!Y` Jrʦ 5Ɣ L e"?\%g,V9:S\NXr@jwD1錩$CDQ{Ys%Qk XXj,'qߐ}, hn! lU@X򗧂NGk6pSL^Ʃ͠D |qLP_W1!0Mtv$Lb3IE|LX\XB31#ԻrUOTpCu2:9+^xݤψUm= ߷39k|gUU/!t n|#nBRϩܾkuLzvϷKfRz6XKU9ɥcsT9hUW.'E%af_ҥ__5 D A.#e#-kQ3sWl%'1A4枏l g% JPY`m]/ .cI⣇KTSg:_DoM̜̰ .Ǧ/[]CY`VT]G}kG ۬l4RГi egpӢ!f^J\$j8}Ђz2VBi:KkFo/ Ia#}~ȋE݋?sge\ sN2b-0d\\{Yt>kz~P}:?f.!NQ bvo[-!vmKxv)JEBٴEvJR>LWPndnH@E' 9fu0#$916 B=ŕ [2:>e?ßbģ ?OEsd/l{ cI]-l i30J6P} ZFDmiׁڰGOlw+XX?><:@}5?ǭ `oK=>z tC坟!b)>c'KBcr Vrx?J{W}+=// Ke8vy߃g%BY9:*L%ỵ<}8WOqC$QTmۆƻ|]=4:+ BeD Gq:Tl+mp]xwb:'5Z\orsBba99H"AMm@00}| AMqb[#=8VY(VRh{bfdfENށE1ϖx&]QV_^ˉQ0=͔}`˃n,|Ri_m݋)]늭,E?fyCrqlf#5r̓ e ;qx-?TK]h5l˚+}:7 1> KBm?^>mn$vq㌉$puMDh.w U;~dX,NxbTt_V̌mzo*HH'bھ eAkj%ŷs~kqlfdM[D&Rl?'>A8"lR򃊭lN$ \ w&)g̒}JczZ1z?[|yVJՕgS?y9P.`ݛFh1aTybR}muLJ%gj5Z K8T5kQL"D%T1qGP o3C84@+4ZB%.KrO`0X6pvQ#>4 $]9B0AU ͦu嵴2vVXY|cxavvW(c^lJөAK0!(Vhk(_Zݟt_Pp$(Us /$Qd/ƒ BӲg=)vLZ[!Hk8+Y~NBd2K{-xSقP¾ eӻ[ϳI11 ksٿ"8AR9}k: ,ȂԗRAk["~y㽐7|>F`Q .[='[E:w tʘaBDI@m.o"м#Bj2KZt1GklLdO-7C%1pP4_}nr:ć~D/=s0[SwR *M4w%Uu\?8[<ܨ0g-EXIl+lTlDY>CkOMb쿡(c mTnk{ٖD \t$Hk׶ޏn@=3YB |%R˾痜e_HmS~"mMW0bPx\4$&ӷуh$oc0;bX2?C^5)]B;S7FG` H?!Ђޯ]qtuYңaԯup\:#II#;\zBiW8)nT4w@|cNUS*W9y퇨YVݱ֏;7DHI_USXe'` !O9Cgݥ{`/ge0kRfM٫4 DVjdi4:j{mX#ic(uŞJ:$g҉?m&ޗ*h H ;ݚc2Ƌt%5Z&꿃-c2q8]!CƊIk cڳy,+{0Pǹ&ACԘ;V`:QpeREhcgLKd%Ĝ*F/A"6sPsf[vIFFS.1J,2| n>Mk0T9g U(bYOuIrC˭'0V:MFP#J'ea%(s.pXj^ږGJ :lln۫m޹ Iم=ck]K,Ba1k) $ %WDFJ*ZXf;Qו^E`,^)X OmS!HXQosPSjb٪}# kT9z2dab-Ifa*K{W%1tTDZq!?ʵ7> !4ۗ~ ԙDgWdxP)( 1afqó FXDǖl7K`t>!N$$ DSVl|E|ڦGmA^XFF0C`:=ǰ.G5삄FY9h!v‡IY\uWeISXBMM eUY|. w^\3R.0!t!bdK$lJ`Hx{lLT)JH$C .\\gȪ-؂.N1#Iaj^}8] -l<KK2͸dx;DN`ҍ e 袡Lo ]E_)ăL٣v)rj{nzg!Gj-ζ^>Y ۬=DAbFez) VکTbV~N&q9ŘW xLXj b,Y?U nZM8*]*5H}N񞲲x3(^uc2.hi s²y,3$^ qvաY2ebs)ܮ="d)WdL*{S":5Z|w]&zhZjqܞiʅB h˔4&ǁ+'nW ;fy{S[9*Ypk 0̄'w(赙/e$cҢa.󣱰G @eWQ0Np6w=+v('Hl %/fOFaR6o%ֹ=e*6V!6Ř1u:P|Pr^M[Z0mr^;1gz"%s# ej ɠ$4 I9Ԗy WaaRY5>" a)vcb c͝o9PPL&:#Ŷ1~GmS=*h}I̅WژQbtxbF>3W_OaKDL`*YȈ l9s^}}.?n܊~GJ [KzR>2rLk"Ҙ9=wD+]%^-V8L$|$6sAI\BKh|#ZЗRZ8gI0 #BU8鄇{7LÙROGƹ3NZ:B r'wj\.Ƶ]b |} "juU=@?\a@X@inL0ķihGL4x~SiW8r5C l̐Lz!Dȑ}@-=MMK-(xP_~97㙛Z$W>5ԑ[> sbIa3 ?loM$KVR,esi=D{|>@$cruHQ/^#@'dywRzΟpvzaI:K"lmM/xUqmO/|H|jbBA\)q6z gt(ؙ"ꟹc <1m\!S^N@SZBM -\nktWcزaQ I[ :yVB6X%xVۂΐ`[%͡z\O "OLA_3 lL<0rB$HyhP0Ť[.iĵ$ (Q@*=qb%3AU#(JA'Då10?{#9:+̂JaRoRG2t E;3}'کF}/aNn(ۡ>);3sVI0eIO)8x XahqPҪ[ ֊0Ω$ݫy'C5k՗B G-+PƘt  $jGxwzə-Eu̙)Ra>L=J@-mƊ0qD,Gɨ)b}ǂ.,oh:wW:/SՓ٘ZSO,y`* 7SV؞XdD\8V1gJ> ş.ލ Fk(!B@L%*o8U̫X%g*t5¼diPocιɈC@] ̭)i*sעSL0hGmǼ9_ 3a1]%} b UoMG;PU纳BNZ>:901_ˍ\b[YN[;-qZJ0ӑj(2)IZrFVi K陆 B}D&ՙ^ [0bUKEPE69eSnxC%:"1n^JwBku Oڏ`Mf; @Ty 1L0A{W/21bp$A"5 ~#PТ"ʗ$˗jzϰeCz0ˡL2\X/ rq{Q @ k\u-`侱٨,տQOpjƪX$zg|$.QE䰙xWвwi)}hXA Ia`mTU1E`Ҕ4(>+00R'ߥӷg<ՋB0;V85,,ac,}_4 8dY3~gm!ߎ[`?: fn(֣]!$lPQT#./>ZV׻Rr&tJ&ixciC;#'Tms8s_2B@ŘbĂ";.N 7#0߄3Hh]] WKD9iZ C耵*?Af$rLf򡠤#Z%}?b|7RI[ 1VbbCQv?9]+\isX AbK4%ɕdS[GSМ)^]I)gە\ZCLުyu16-ukPYB$Д3m,C4d? ׌Hfg \` zdK'/CdiΨJm5jnN%Hzveu78Uj󕝷"@%[b)?ݛ^0a 1C^&𯔨1뾪un2%Z\԰ݝ؄Q͗;ֶ~a)x W9[/0He!.Y; =^aXT{&F)HbGYc*fGȞ|$a|yAF]^7* M| <8\#-U4*:-KPơڨ,}Yν.DZ =L'4^[€2D@6t J$,(*Q*Շ$A AhA G B^4/i.syEΪ."dQon'a ɚ.NHG!9q\Ÿd@3LR&aجJ]iZ*ָ|W5㠫y\XrFf8pMe4ߜ@\M#zhQ½_{j>_AL{D`~,fV[W󁓏{!v?]#~Yoopzn5MwD\DDSwVH]fר/jO^V.28A[ +Hf0)uFlthbcw_b)~ϸҨ.GJ8y]ᷤjZ`+f4I0sz"]GDɗy\4rWOD#[Ez2N*j [`qԛRNDTVV`?Ʈ& tsJgt" ^ Gt8inp˺4A~!A\;7t,~f嬜~PNBO9^';ZaۛJ(ߡ+j])@g"ܠccBLڬ͋E/P\&r5ӑC"?cnh.;qi{; 1s*䓆aeHG3jDB3iL|;]270JRcu`#fVwL7ϫ5䏲,f9߇w&u.d?b7=S9N &~{(ܠ U)2I= !7ǬEg~3bz{0뫽1ce[\92Id4$3{ Q|D)@)S""k7Wfzt ._77þ]|=otlpD~6"WEw|5gci ;pW )$U1rmM'N${Xp}-^{hIJ}-βXHn!amy, J'%۹AX&@ ʔZF'now`-th".TǯHY<|(w$A.q;7YvtQ\bb\a^*CR}|QktT6>9ׁ.$8X%$T Jӿg!˃K9}W=v_Ѐ5&+8,b0 t.8]cɓİR;کw[KQ7ӯ|8]=,K6m! ΑGb/Hfy1KEv(qsG?a7I AyUL&Xdk ?5 32b2h@yk)V0l笰8;HzȬ:֍Y%X0ytT!#@Ѽ+J8(ۡL%MHўwsv]_[]ffoWwl[~7 RGyp7,72* b`o/KdNF]ɺ~{1DuW hN %sf r؏K 1 F1+IkxxX;+ |Pmj=]oXB3cD fk367|r2—|oT6l{)Z3"'\NM- ț:s^B% DL}\srlɄ-Ż<0@0nmStBB$z|Ci5LaHujV_Ěw11QwsO[.&y*_9(,Gi3 o&M ލr'o q8n-[lQ&Aa[Ń5:[x]g5o7Su@ﴃ ]'SNIyxFA7)+2Hx0qnn8_x4_tY&ԡcT9Vpr/gM}$=aY8gmVCNb1,xZz\.8dawED|:B{k2ɉ6Iӎ&eBG;S ,ygRo8PEK+_{wCL/%JwT ~ז3:n F2α}5߼t^g cg>쪈{rgzVdfrKW|>D}\["lTv u$ d ?{HR1) rmBۑ0j+摏D  ʢ*sk"j߼MہlĮԍfu5[n5ZKcE$w|jU ȢJ٭#S_1Z7o^(ԮgwAOb]Tg akca#o/񥣵3yNhڬ?/Yz ޣᒥJZa:ڢSu_OCa,2?h׽x ͒2epwP#C1m dޜ~ Γz1hS:BT \KVDꁠ `?:{N~W;(" E-讂O:%c=P5Ʉ^9b+劣/ `&Q,\y)m Dh)7 6Bn83Dx*F,>l'ypi~?E\"㼸>` c`]rryr>tʧFm!)#;>'?J <^K{ͱdxQbn 8@˕nmŘ- -KW.8Lx+1i]b׊UCφx~e'\6T_PgDN4MMupQVme@e;Et{MLD6h9[ hb:70xc/59<uWcn M %10j>Sn.,nj)r&(#b)("WA g30[cϦJ~Ɉ !Lii׸KChS7c% \v_aEyUϞ7B[\qq١R9P]6H'jM{,U6,CchKp8ךq;=VAEmO!4I/if >2j=םMj^cL0͞jOR |-W1ki^hs9bhz8iAq׳LGB:VVeXAtUw:T^ L)\6SiVmkw4'\tqu7+ &;?ۯۻ+jB !)grT9MEG#0)my>> }>g]k#K(e>Li5%`|. *7 ]*7!>"2!U 2B&sxabU?}w%Q" &v9#dl2j(I |K +s%P@<4ksI> ԕe ccU]=6Z)W;#Ni u _=G: dh1G~ZHNV ^Uv+>uxdB\&=oWٵ$ˎbb]*6}rmuAI2?FJݠ}M:o؋qލ4)x;U?r$i 7W/J :>mi*.$GKnn5+#EP3`]g`uƗ=0AGxw:1a9G/y]%6\6ljaDl+.$=GO8'@nGw ^=|v>o7p/׽\q@4XXHw/XO^Vij@ ,:[+<䐷XD!lKEĔ֢mWXp7~[fG K `FR?2X"d̘vxyoB ` .wŔA_#e\ӱ>@Gn/EA!1c&mDqz/79ٵF.<ȅ1|f6:xXxiH )qvL5MB 6f7qkW![D_y^%A^lG(wsbu0_9S$ѭDp2W5}~IޯUʩ* f[n!-ˀJ^L] 5׉v6 iEʵD(l W%qgR"/[WI]n q5O#BP肌^Ÿ㗵_k WBքG& 6Hv\yA :/13Q~Kd&ԠiC{1)xm} r~;VSENUwN-vUy d<:}!u eo^.@86Qz:"9P_;E[-#;ÝXö|ZH\zxpe+eV/*v@[ժl8'a8V_ èHmY` _j8@ nCr5HI,B"D獵ϪF#K/1WYV}x\`FN $=e3[<5~чB rQS\j^~,ﰿm'KR5YՂJIhvӻz8K.?$>S Ce6č">Vu렻A(qpGҋǃFIh@)0:AN5+؛/IT}yf]+af%j8z FnfSXsuP=(ÑRYU"$ZV؅DD9R $[Z6%8t4WW7SߐDu*t7کp1EĮCtf8 >ZLr1/NDKb9`FrUB<] 0m.%&x{3CN4`oҎMQl{E%B.+j˽:IiF/O0 tc.w1YUߴm ws'QܲMXa*(b/Yt̗^Ԣ ," $?@!2jtB,PQ29838i J'[l_?2Q{8cK*!D=>g!.Lx=oIq1 or֚ Kx᤬ pr6mku(L^2.h#F3{c3RyQ P$VGf"zaZ7RTg?/ t%4<|GgB^<^ W 7n\D6N}.aً?$ 72o=kGаÝe Nْ۪R:= ;j> Iw$WdPƝ?sH$F![6X :Y59*~kfnCgal9s!OxG4MS%ΠzP}klS6H4m)x. B㘔ga!J7J mzՆF Ԯ[Q_)&LU!)֝?vZ2r`}.>Ԋ(?)͖xSeP6c{}ɀ%{G3$.rY<(\QHT[W/!(&j-CY1}(5n?1si0G$Bf%N#֏^d 1yQM#R3o$/MnR[-25\l܅1Gw\xi}nAfaZ=x&z-)SuM9HR<L+tsd}eksrR;l^hg3MAQ/Ç|4ٸ'f_G^),齏lK>8Af]Y <$ <#D6pjJ\Ry V4% [77Wk{oכ{Ybt01wBЊ3OZ)5[OG%G [-wz8%+DpJ;Nat;)FlZd0vƆ߉e6$J%# bM:[vomz+|N7Tk+M+n,͆7fZh-; m5jH%¼GYXALD >EmCGkTp ;5pDOaUr~?%ήK_5U6bk?:{4zw>G,2ьѐzn-Jܰ`P,1ԇm<">:H㦂T,3rA70~71n[?8;{|OrT:`ao&+kgec/dcyy<$3E:#dž0+g3l?;}N)s  ?V$mON"h #o7là?2L2uеUwr\0Cr/iLi?-IhU&6/iV QU56tv퍹-O!Z,4_ qVNbix/Vf˻ j6I'.l3tsV&\104dh 獵HLvE%u8F{ ўe5ף 3F+4聾*YƖ"J_ڞB;S$ɠ*Y:DbV 3.:[xo9FDI*.p7z$/ZR-80ci3l&>YJiԍQ>lr*|lzV"p'qKVVCanEMwkq 1ab+PPK6%NZE쟚_AV6B̩8% = ݔ6o26F xi*_ $!n%Eި$ێHWɟN?tJ"`34qFP)]H <{217vRu6d3W{̧5tޱP׏)fJ~d.)g14/7ﻀUTY,KYܫks84374yfE{qY"b]B^8"Ng{= XSh[l >a+LXmVfŁ( ̔Fu遧ze:]7yKh_lW7H>)|?'(PjQm$SFrm,P:t@>y()nv G q(VmSꭟچU YO#%̿D"tl|UZC*"R<;40@wH"ԃtIP0EFdȁ^j'-]q)R,-Fw HԟnnYyZ{.N_C>SrAiCuEXH *4?aF#l^T[/#xl_Й?j@ ;/-=VmҜu79tɁ `BUDu'D7j7D9Q(R^ 0dgnw*?iOF02:"|'/^g+-F:]ET|ꓨ8ߚ(\N粃.j< P;./DԼh[R(^pgB:" "\hи:07Bvp& '=k+ncRyϙ)D Uw玡gI iڋ ^T9֑ 8mU+ӡJYw⚐/yqQ#;tW_DU(9VmOdFc>z[X.Q9=րx/[U"f+R^`sj]8coz$Q)"9Eo4陙!284,LrȄʱafƒM#%@S̶=O_O{xRQ;Y Z^ãCGy|4].Cq|!9"{蛋{x鮞7(AeM }`!O{ EPgJ47 -ET7)tLh ߯sN4AA.$mmf&l>hNpA(.-WAY?: ז~4HcRi1o}HU,J2A7/,>IqW<Xg]GhzV߉;U`&8F|&D3Un$=GO)\X%+V$C tU͂{X>5f}A3%s"r8tЭ[ۗ. 5q @Lts+TXL(W\1P(,xb68f=`&ؘH[*/~c +1rCXM)ʈ3yb1Livו6q >4֪Fôq0q+#bK8_DA/t~QeP~{{8펭7%:)ҫ\8V1qqM@&{ ND! ;`ez0;:#>|3kIץ`Vb8NO -!XWI\w]->ycBN97jEx6 T>*,?iೕ8$]NJc-d9}X\P#d~偺s^x('&ԩT2 5˪i7HrM|zZ|A8K7QH\Uʅ~۽x^"f,:M\`&P$Fm74,xkT4:f$.|K#732X|J8J&_tJ|Qp 68~[5h<9egpLtW+>!PO&erhNs|k.UEc(74h|YG5 h$9r$R[ KKZ])NҢ5Wcy^lMUqYŭB9NFcAEI4 k~1w,_A{~o)9%ՉDpYES4ZIyrnȻFg:7q&j1 O~PPhZC .Gx?!b }>*qX͢Eh&.^%1?#p4̦emУW I jRA|]T=_y߮8=ZOvit T&~Z u04̃ ']C0YOp`8/ C }6:ګ"D_b5ycNsXj};"^`L/#d$$̿kX<4J!/ᲂntń1h"nq*pW* Zm*H*SCh4mv;dy&`,35㐊?/u>da/%yR?1 \IأF.:(߰PN#m*=B&mMiQBk)@do|)54:DZ;*'ǸG{|pRĴ𓈆"&SH,;r QיqzS+3 ;<UH$)zjkL)镴^ % S_^ U#@[FÞ> qhT6tFx´YVSkůc-.c~ͭlMi$hiwWdeq3b*Pm $Fh뙆}`!8mo8zl :0Fh/{`7bx2Gq[b喏=,c67*R㐕o@* %S#L04E R"g)4lK^Ͱh5MvθXwF'0Kh#T('XO])0,=WǼl$7׵ ˓6q:z)0!F 8o?Oɱ$3lo o[]%;y)O$nU&nWQSi6.V09gQ ItiFq'w)t-kzaU/woZ?Z99 7 OkpՉjBTlԨw?֞PNBT}oX@UqmA b=h;PT0¦`;3+fٿup(~`Z^؛y{aFDw!7v3gyN :S3גN>lk|.$"(BaՊJH ut/V::"z(ᰧT|R&D- "k,f֨1cr ;kߠ;Olbbe#z*w@[{)L gs0J+eƟl.BHN&bIiTW7eekY\Hl&) tHZ3 HÃl|458;d=F!p9%vlqTZ/V"h(6WB^McvvGA;9~z˽zh<p-*hz)qL8ay7w2 _˚/b澅E*GlDE"3!SRAkuNI>a(Q"#PzvCir͊s)R!5Ģj֠@C3жqeWԢWbr~L 'Ö%)lB}P:ǀX>ZArn:xzu{'MN8lZ5*0hWcA&AHO3'`h1IG1zFR"rҬ9@!!"23h8hue(Q0ƺf(. JM""7Ϫ_ufg}6`O=f Yûl[ܾv`@B1׎Pz_皑ۛQ-o/,95;!} 2Ɂ1$\H$WyAλ_I؎V+j5K#?'p !}fC ͡`vL?R{^H2tcvh/ԙ+kd+mEs6عBRDGxYr[`PEҴ-,;@v,^w2#; CrϱQ4 OПΐ3 459kq“a0zݛ4X'u}' Jq!{4a$gW:wtgnɂ0ȋ["pi-b&3u۽+E k GՑ-(HXm;$s{p 2];2\DҢoF20kv2kSEz6A & 4R׈Tb0#A۟(9/ ]/q8um{&RGۜHy&+c0IqFQ@0D'&wGlK= &VYL월6* d Q"ePjbgHh tLFr6&:,j=urNrM]'#ħ/yGI8.ܽo6,p+RFpIݧOD)Wܺ}ڧG3Vr)Tb\Ҩ"JҧOZ; 0b"`f=պuM%{#,Doh* Y%e\p'@Hh:a1[zQ TK(#pr.dbDQr.)0́s} ׉7,#Wd+"+ Q\h]-s% {f/ OF:l2(H끺 Kv{k)iځ}##&Bq\JK7Uؽ/H{ (@Z}[KZ4*{GM \o~`kB5dύ#@98-m}.P3T:D-QW>l]@{ B$H7 bKquMA^2qN%ExS"|ZhbTc=IF$,>Wn>ћEe^;@:%Ck;WY4?K3,Yg` C/r+iu?ېeǰmK2^:>Js @0}zЎw/TBqLˏ*pGz2r\E>LDRT&3}WB(?N`BT#{A87[U3,/iCHO1j7B'8bELti <%i"o<+/w݄E,^[twh BrЖԫHmUA- r " HvT@ F`/NqS9 c]gf\Ds|$ٝqFy~ŸODRX *5>eo.LzRdpU9K,zZiValw`]"ݽ|G.ADCBi ` s_FrHBK6 "'w;臮1ʁ%7y_NCYѼpyak-ir94>WaGІv= < ~Otd Q"FƁ׮?=~f?@{~3|'m`<nYƲmZ̕EZ!l kCZOOU2NX BGY tf1oW1Mǭb,֊ / ǺF}'qnM]7i0͋&8 p+ZaEhIzX%J>5llH9|<YEVf'"Ǣq͓iiOdoS=N60KP kK%x!Dywpun"Oen:S8 lu:ɄDԫTt F )헠 +/kloA|MNq$ s+FJoHv)ƂtX^Ynfp#{{Ú$*$ΜY&qs`Uc0OK"X(83H}j3]p:NA1m#t 3fARD>0vOk9Mrf/1ofMq$`-rD#8C=VV8~[ִUʉ30G3'D"ɦeހȈQXz*?>4UI،elv)Hy 3袾m[9W{-ch\H- .Dfj8O=2U" lX^LNP*Ԁըk_ׅ+Q$-y~U߿-%_"W&Їj;KU`7dޠt`XXBо+B<;Khb%M~_#im(C_1 3Bp}2RCn-(ozoo Ns0L/Qx#Aq(uRߑnJ9(Ld\_ުMķ"<)|qCPW[$wAK{!O}^;"WDޔ#!vA&1F@Ac= AloH TE m rzmatK.,j\ |Xƒd=nl ,0lur6F.&ʚi_ό,WF)/+6ru M-b[,Anwl㤤C3NZ =FXA$[A٩w%srr]ǫ/% .ZJz٢k󘖡/X =s"͏" d*M(R w*N D T"%(Xb_ _3ss\޹((CTQ# WߨKBNLκx8*J [K4S~M*:1;شLz@&30ftoao'hd\YBOkr Yo]Lcd1ZA\[л>a7-,9x(!N?/FG7O Ab)0^]&~5I`{^ok; 0+Q?-rٮC٬RQҒcqR L *;ishpn=:k儆6CJ,W2Lb+ oыĺQQ`ZR.0QUC|-uWOHΎܯG_1V7+0ps98s9~Ě3f䥑F}#C4YpW1NG//(u%Ӈ%LoLb4$HS1NJJxU*?Jakfth Xyy7VA[PIK@F=Ey-IQnp<#A,OZej„4Fd}ZM27õ~D]鉕sI#`5U$r<tl#k%VmK&+גEچi(њT[X\(7p (q٭nc_N^o1b=Ek3=Joc}IlU") 8Sjj'Dλޙȟ&P0קHmAP…@Y a\`{點 !v_#y5[/D1CYTvkthN`dflSmEvv˧{Zr%=@`2b߀JpoX~h=BJ<d a ol K#0czTCE5 T+RJ(SՉOX-O_~/DPϓׂ}L͚UjχXzX+aXwΌUSwu}x E_z(_wCPm@gMJW\kűЛ5;HyV2y~[Y:TJ:pEx+, @MʾPbw) l=LF;~omX|;lG|T{(XP9 *KVgVMȍ9+u^jjx> 98Ye󷜏.*G9}_B3jG­)mI~K,Rs!?}3b2C9S76 F<a1#b ٤`O! 3E|բOW<;*=B1TmzޔgɉA{2)r=dVB;a<kpXy7hEA@2Op]ē.kuSh+8[W ԱɷY1(ѐFQ]˳К|ۛ$b@縸8hA Z>GITQPWך2]TRt/ %V/bRrIRD [Ҋu޴{9Ikz*I=JV̊+fL'k1c?ue3N&,\/;LHg%{ fowjq9XVxۣ˝ݑג $=F#C"dyEK(.P,L:<6%F~6׽Uevķr K0x'Svxb2٥cf&1{"nLm%q`t$ Qˤ7 %2 =:f(Ԓ:orjaֽq%d)_RYTgֱpˉ.&ްd{n~朰]ΞkDL bIswTHywYP@&KLaEr\V? TPTqwly{-?k"@Q[μu rc݂mU dx+Z煐6s\{dv4HQxWki4{LxC}mV5+~<϶>Eī % !"8r0zjZjȁƀ 4%mP+RDi`ԗ(,f}R!hvS=F1`QmHү%3OG*QI-F0ZRHۯAK˷)`ީd`O>m]RcΨ߽H>;Y8vH9,eZp Gxd(XlM\.આRwJ9{/Pލ5;Ro4QN fly37>N<{ZT8.X\*"+rL֒ɑA5[ԅ{G/e?Cc4/N oȆD)$  De@|HOJ &udusW*329P`$rZ1a8J[IvSⅶ1`ߛR+qmaլ]oX}E;=9{(O m_K-~]M /74/%0e=%d,tw&7w aSp*qW?9m(&FF^DӀL^&咮VȎcؕl}Wx9+"0nU5Ϙ)<}x` J̨\_OA氪QVqo(৛z_ F< pePZ-ԌH 5yL ZӾ6d{й$O!),X> Y{ڣ02^=NR,>(9~X ^.yV\#䃄 m~$ ,L@)Q2as,o%UT#0*:z!4B\LX-.iU\zrDAkTKWs xeEULZx?qp+L6n&u,5?~UmhYޣEn,M>lu|VF5񭚋cL >Sk_Bq :C"OrmGvVpxYGX.G9?\@0`+5:;E$ fZ<-W;U|JKYdz& MZ p%W|4Z+G4_ao-r.m2c5-nB$NBXRlOitD\Hh?;-K@(k[-KƲ@.]j}<{-— -鎙Mֈ+ۗebSyL˜4Zs<V yˁq'K#E̍QJwl2ўi%PIOz4-hBnZHzW .b~ bP/f9k_ZhLw{k# }7BvJn2/Xcqܛ{1C=̲ၿ>{ԉQw'|^C.F9u[cw"l)#Si`HDws;eKL󣍓~aĶY/mIdΛ㶃k! eJ|em9tv=Gt1BQ5t.\o,]D$Xt2FJp,aG)& T2N5Ý\[ jHշ6fZ3!5E7-\̻$7Ҙ?Z؅,]LY;{*yL6ja4lRR[|5H$#f1QBu4{>A6lx %VKY^4S|Wboͣ& yakNb-+%H?8爰kjO(,,r\}Ρxh[7*j"ъl K WM>!" u!# O7@޽/aHA2^T@)O^' SH} nPXGDDZͫ(5[{1GW stW"8sx\sU#:p6BW$HԎ yl|z#gFbd;cX`95SyA= )E.BMIkwd xÏe< [<6Bm|_&_13ۭ<;SdEӻdD@+0A.@.xGta]h04GZ:{럞PYATt`*vtVX>Ztϭ꾠5K&}%<4kmр6΋iW|Q_i7,|D_/pf' bhK4A6(vtk~ŀ{Rۺ8f­%U{&,Vl'DIf8(+ŴZ)9עKD _1z%7CĊl0 i1UF%S(؍D@< *%!K3z]/+,-yx5T_nؽ4]0%ӋTA+f~"b`%-'v2{MF w8~&,==) rܴx Xy?H ?Vzo4FwC1rLnX{YRn1ɼ( MdKq(oVlדg^]ELcnirc)ZJ䉡PVw Q"jM-8?*fF 5>gtC(ķQ*]b`S`U(2j$7‹HW١Sf;һWVPk~-O5mjoU |!M:E3S6+9ˇ)uO#\MdgjiU=FlBM~f !pJ2^zBJؓ n,B72ܧ~Hq 2M$uyCdPrw[z`1>q>f`k97}V׫4K5;|[ܱ˙Wq,a *WL+ENɄXI`eL8\aP"'f'mRoXJfs_;X( 6m])3鷐KrW*kqWR<75ɌXB>;ad^.^rQjK>c홌!Q5_8l'Xߋ ّ M@yT\@y|~+A2,Q1͕J:?3[+<p Δ5ebt+x2pq~jPUG}5_~\j7vf&yXu?n WN\=Rw{BJwxzgBe-s2/^)^f5DTV[X(xiK{%eO9ZvɱL!5l3SR QNCt/`w z)@BdyC S5,Db bQgx;" 0E@Tf [ϪYWƖ>*3R(GLܒۛYgjkmt6=> |`R(mpV5i0b`?$ǰ1 =/mna=RCMxT s`Y$Kl+y1wjjr@JTsYlɭ%R!]s׵B H{A5VrXȅ\b2q[xS' 7 V\Ӛ.`NnmDr(RV `:>چY F\4|ZA֊4| Y;zD ?MO\P@i$/77ah߆.oTU54.t qݝY1|c3nw*YQ6\i';t^ujUL~Yt#ӃB§(;?|!v`(5 u%`UEL7o0ܾٛb?D(ĒT*JLbH% esbYyZH#Tm(HP8Gj\ Sv9YAɒnLJ csPS'e@vy)'][%FPmmD Uh_LVˍnl=<Ե, <= ݽ2Wk)X,nJ p@JI WQ$j\oX7j14Êt; g: 7z>:XwEA!]dxْcdu:ck ijHFOWՕK_Pf@@BkJcpݏ*` RFgEUha9%֐?~Zp {N1E%:(,$k@Jj<4xD~u+^jKP`S lcow 2i[ {g+;kPaxrI4H"Vewm81/v1I~`冸dCζ'xۘ)i5(?>";KI }8!aX;kS|XuYQAOԿ;?k׵QZp)B.FM㶐NϿ#IX] B&\1Y%z@^/7DA%|f_ܫXH묉|h,˹dx܇$bܕv*+gf_̽NP !Jn-%ݰ5 blY#Gm^Vf87+z!t!nBރu KdG ֏yDJ(_su+޳*Eаjad^ƮI,qDFj!pV7 X1|fW~96. DXf pyak//&Fi^6n+;2'BvE$ 0Tk f QG\(Lk;MYj|rU'*KM8i6hD~'Eݸژ[ ޔu^_ٞʌhh13-Pp5WwR&N7h/,iu2?^*!:MQ5 K *F8m+7vGY-fE+0VgMDً)?TlmIt4 2EXU o Q:Ťa}pWs~u_or(N? ґanxs|bS̨=6Ld2o]:E)?0r~1B "UN3G}bS4N_s2{7(mr)%dvǴDuWg?"!y{Bq/@̰ a):tdnI͆\Ҋhŋ- nGI =]&SJJءrl4h$ e}sC2GJGTMʪOr-~#$h=ט+#AU)s^&M$Bv, ˋEq"w_V_,euV,e@ML]BXJ yGliw_nbS5Wd [N&Dhj(Wx3|bʀMoӮOƻ' 0~2{srJ(dmJN7^ʛ-`7BN"D(O?.+D 2~]osvޯS!Uy/W-Ӥd>8S3naNrSYk9eVg֪'~ZJ*@oIr2H#؜,zn=ﱃ e$jd%lNřk-Wˈ{nWRVT潢Im,@+"hoKSS>SD\K=8 umn h50Lw6Z|Lϻa#B7ir2"&r j܌%csN R$}$24vR:"v4}h;*(iTU~)l ( G.E F| a:T[ KsCtq6HDRRD5i=6uWGVL:!gadi'TuiHlI?{aXr;܍"8M0eGg|=q}9J ,o ||i;?,J v=$~ǣKz+Z: Rڲ"p?bV8 i;[_2puMpte?<ۙ r:p2/ _*OL&^e]",hn4ҿ-P;سiYƐ|γk]U} !ĩn#ŽsP֬XP`7gհb^<#0htϙxqsIPc {P%{\3k 9fG(@A/7QoSٜvu9-^n$7\|M?HBLʮBq" ɷf Jif\g{QE/<H5tH]Rw+r!J+gi,Zw~/`)n132;;i'~wן<|y))*NHH ىj}eS۠wc#}0dahVL҄+jFE P}%*>5ߚeXix& {2*[+nU".* yoŖwƳJbk_p M!T,Na*u&@ޤPUF|ȕN;3uG[n4'|KS4҄C5Y" /c#R޶.!r㱙= al#,U=Jﭧ&9?#$0oıEg2k5nrG?=i4h7 J8)D߶=^N^j v*3J~=31fqW#}#VoMV>dQze.M*EWPZ_Xhm֒0 wX3jUnMF[i&oم_q^˒Ih$뇐,j]LL PL27p!*CX|B>ΒӭmxoY'9}n ݖAXw5o䅻|4']* ф ˚AR5'%^/<1WeӓUϧU]Q]]~ˊX[-}J1#do(O\mՎ4; N)@vQa2^滺7AD X,t]G~/r<ãQۉ @kEUm^K V"(Җ #N#*sT,ԣ)efBuՇO4hwm=Ezour6JҰ^ 33{Ĥ|,E|B4d@MieyNj,Y, {p>cN1Y sdL~:-60asU!x þY<% ֜/(eoPXm6EͲBP lF\i1J@ U%J8u0cjed)]0YCf ,9>jMJڨ`;<64 D|ypS(&'Z,ZKJVBLQXT6sB_AE`aDˎC8*o:M98s[r"7O^.=jK.g>$T𿪂!|%ișJxб]ί`!4`sڴsm|E/L;ӻ^E,@4WlqcM̺1+L_jLu$XUˡrf:uM%<B:2_YȠφ$ʎj43dx_eW-$wx0ty& D|#+bOæ}G YsgΎ HRũNV/I(m=@Ȧ*"J ӶGFZ^,y5T,X#V/[.#E0H$z6-]F-z;G8>~q/,Y|VdfnNk""8|G}ɛ3AIҲq>%~<YK՝F"(>˕ R̅gfqH_r~_ $r3A4> ($JRA(JmIt3KLcHCMA˲Yd˻kIk2~J%qi*h1 vdqWՊ>{! T)«'G&fd2{&"e=JY*UCsnYw *۰E~H:-EK; I@",0T$:X,!O( (pf݌wVIc=~ gzBR]f‚c{}bTU)S)?k;B]s'}L۶yCjVfɺ S[[.wnZ/5֎3G%貔WV'ɱ%(Qjý[Z9sL!hŇ⇷dR^'i{Eh~YhmB2fQ,ڂi?" ] V{Y^|"HކɩP E } mDž,#`% i[+$Wb͖,fEo1m\)2ס=WB5"3'anзjfUGheɇ #Ed7:=L!\R!>'F Y>dYik+.L:25jp~%9j3s H0cȻ]p<$k[8'hZ.=i$ HNJڥc *6m톍 Zm;ֿlakD57N]Lc.ɠ,qc?H:sYCk9a7^,NPH١HwT^A0#B=~F~?Gn 7Ҁ<:F|`OZ9:%n IYŨ/uFK)EmPmW&r0|?M?& l6Zii[Z y\#iH"yU<-s Tc< r h>>AspŽ(zήș0e]OD]_A/M#*j_ǴQ+Y2*.v*zWQ9>H"Ey۠XbNTuE!fxa?0ЗIkM, v-WgnKAWs1ƦVY0' Ktz|&"b!."T%1g_7^rƹKU~g%E_1!.پm[ASE'r~ֆL Cr# A9joAK 7dGiTT sV+ $O3_)4pG™MP5D[r09N?i捷_fxA'Rח8<)8 /.%*-[+R;b0⪅[#򇺄oYednq5JmԂ34HZ&d-0u ^KXC?ë(C f\˂=z՗d hSҧf\~!uo&^yË(n2uZi 1l%sJҡ&d]( AEr·vo Ş~Bn Q B3x#~oj.j={jWblzClظWAu]B!"Re[Օl9v >K^T!"p_7.y]:#Io0GLf:Q^zcZ9h 3v a_TJ uK띐vbY2q{,~G|CdO7} smj gg!zdVYPtߓw[†ΒpT-mb7ǀ_t=*G%w/I,1RΉ{>^p7M-~[X/>S?0F1|I g--^3p01"1"(f#qIӝSdZD&>Evw]Զ8tH$~HEگw4kѱ&'&5_3B9˱FY71;e묀YY֕[1} Regլ&1fOjVZ&M0u{bgcm;db,-FVGp̦OɑSrJbAg$xAO=B#K*pw/:| ,6Zp0! !yG{iQhSzƞJWkJNuʅtFP ID9[0c..4隨}-7/ V)6nYyVX_Ń5ݙӃn6ίo9Q3kGB_AN>r*iϙu|tKpۯ(G ega";͠Ld+/3BX}ЛÔcO u\',ClZW$eE'MWp<ҮI6L䅱CmNbOՁhJykߥZ-w[:&Lts'U)%hsIQ䍳'OSݻB >/V-wkY*ÿӹ8Eр(Cm7c"DG,Xfqўu*V,+G]0G hYIuIf Pۤvڝ[( R_k/wUb͠wr\?h?̯io ewHVʯZdP H:a? be$SªǻJMA3TP\w35gv+)tK/:i=*# rO &@΂|i@% Sc. k1 'BLdCQFQp=pk@/d3>Xqgr·NuĞD wOͧ 1% _L<]9rQJe4ʛ[fhl 24`G:[IM?ñ0C欴pLCh)7.D9=k="iX/[ .wy"+q8]Fmک_lPxSq8p4vZgGV ߐ~rSP/nځTJ*]I?R[3+Pu _j1gLjCQ^B heT .[+~5Tqv^62Fnj,DbJ̚;'-p=|eqrGMMJuC=ZQz' %zx #kv­'of_t!$™|ʳd&5}CLd.]D5f f}Mݹr}p3`1O2]Wܖ9:0;Dpj)ɶ+>":7bִRR+3E |&x~v0ðP׎ f-F`(o5 ߈ҕAf~VAKa) x^%su823/ݓ#qb!@cZ'TJQ;}XXӊRoGYwଈ9}M;7[ߌx+QNңN'֋PD3!?̷JwZ9ox]e9SQnWm'Q'K? -zg> Z'1Zڪ2ޟN08?.\JX\ |Z|JR\'E(bxR.f˚-e&U=@J U6^5onJme^j'VmDYE&O$<Ҿ--^F]* rWXK}Y##8ٕDBm(&  :؏bf {6IbUx_VMƛ)ūt/T<O'ka!RWV 82Zd:QƷ³6Hu${<,2Wݜ^A|]iH5*2) xb.X ,]-mኁ-I)iHX{ЖyϐNJ7l2AYb`򔓨p}݃rOax#BѤXvx J[!Ǽ=h6Xs;ed>s:D}S;q;,PrɪAG%P;{5}y~0dſˮ$Gdy1{}Gvt͉`qyvqo'P`TC1wtќD91|&2`k334RVY'nt:Jq5,t0-:QH ׀?6}^DJpbN/z.;cXS'~fAH=8CFՏϋ8z89&ϝֳi&+<2<[PEGXr5?*Aw gsq}j>G<_I>־LW,W)9'd*{ч}:¡݌fHPw8r43#(C Ep fp}ē]t9}^y5g ]L ֽ}'ȸ7LU3SlIewdHV ]$h0Q-(xy,#o)ͯϽQ66 mī0lK)o<`Jȅ7?F5ӳ94?g  vD juŭ)eEc .nidy@^A_: Jg3iV)jD#C"gWZ_|A |OCJY<3[ڡf56Y ȴɴziSSWXgEokeZm43\?nN=jzA+*}(F0KK ʚ`֬"jQ@ Dv\4iSoD|_dбvL&_7 A~yIV3^ ߶+q3 yl$48މfnYAfX_cXlzSZnlb1:u\P\.f)jK2=I; p-t|ǕZGZIOkcƱ7[ D?wpd<FSo݉@vGM"S>e5'uҚĄ. j4Z $Tt!Kz'!D ҝ x?z.4\H%DuH^E g/W͵G#;(bF%'+_ M>ͣ֡ŌŠ< wK·ַkh3 䅑.~q3{h3K*p) vE QaE.L$HktMx$1G@#ob)(L .!%ZcB93wQ8XG(Rozq_)*8U_P= Sg,t7xm:*ag0υdsQYePt15g-5Yl~Ȭ"&T`l*:/Qe_aG^ \\l%X,,QLOfꅿ<7a+R5߬ Yx9\x^ֺ}`Nvx`4$KcU#8#_jBHscB>dݷ'7U w,5~|rbTP Y ۦ~2SߪaML̰U7Ά~$p.Iش~+ ~,q Yl @zJlXrs-ab G=J{W:< 5Ỳ3 T5`,9Ba0ix6u)L, p;!nO&m 39qe~bxZZ]цu` eP/W%8CV 8`:CQ S]{v X߬\K@UJ䴔p2BlZ::Bꘔ$jp.1 X>)暑3U$ёAp7`Dx0kzUs2+T#hNuo8 '\! ((d徱ѰjQ[n\=>:)`eShSosx8E,%2>ngm UJ u6CBa9vL7aRZȋ͙݀2xI+ٶjce: ]Sdj7$T n`썊YCPe,|ڙ* {3ZZSk>I\I;YmԯІFE-9ƀ mH ۥ[CwJhͅĨ/﮳SnhXGGts~eFdtK4 Dh,gOdӫV)Ԓ7!(htF#534:keT!Ey$(YS6M=XRm7{O a13 L#Gט~+R! rvimhfj)-R"0 uPA.'fwց(k^"Q>$26]r5M>dWݎ1ٖ)4 t&~ O42쥛mQLÜ 6iק06;E'A1# 4t rA}=`A8PmZQ3W3" 9Rd "? 4!mkI$Tay?㑂8O!Pr L$+D˖~ZM=f(&'J 1ķi%q|IQu0G+Oq2 ܣf'zY_6gڢ!Ie  zB9 dĻL* dWMUmJ̒ gcc W9G_<[ڤէ{P,Ri>!Zp8\l2DRң"-E.WU#t91{ \i!j!hcXTa5Cy+1..}5 $<qE,gWV\O^\5_܊csV|"BRUka֮nmu]-MqHExh6~b,\F mn$(`vv5Qh)X^PTlԎCK('lUW{>TWQ)5àe.o &Y9Z4yw׌cc&gh[&Fk`?+`YN-?P< )1չOޙH}/tC?&@h+TO[8URrP[s#\1Ϊ䢰nUVgU?.Z[F荈/#|'\Zk?ZZ<ޖw(lG %' 셶g PRݯ5u=T1ck9ng"{UA,2ا~dw)`0\E8bk8^`:JIͪN/$8SPFgb/S}O=Gg8尭y:}Zl!$f~,WOu5ovZ7baq yC{aRM+Д9/f YeOOvԎi~c:L~#Né- *kf-ig(/- JRSRn ~{ީ{T=HQ'm8*/Ď3yEݵ!MUC{2 d_.mqK+{v)YyGtL_Ic9T7'* i&iaZZ[ /jbT. K`WW;JkA.9 ΋ ^^6{(cu?chգ!߸A>vb,>{pXEG|[sx ,0 eHOHYč-%d,9sIIv=`y6K eNXUEw(T{mHj?\=/bPW'BȽoOfw#4PE=PYxӍ:P5%CbٲOc=Ӄd71.ӍӟԄxyQMZ~}:.p8"Wi 750 |- QQ_10v :`_N29g3;!idrkYMf0Fuwf9ІCv Py"z>R{rL 4LQI犸=n 2SB qٌ {!-_d]#XX\iӮ w/Uy+Cj)a~PnkX~r|yiYiEwZk/5۠<2=\,L'}f*IO,¥oVgo*G^RK/UʝDk _ƞoB>TFB1Bd*IafNؼW[-lN .~+@v0 Og<~YIr]krTSsqA9_ RrO`30OoV7fZWJ8TUޔ@!m^IĸRGI6Y-הGEJó+/PX*Ǐ ];E(hT̚"puPlr$j`uU)=1YԘZԣ繴BoqU1V\Ũow'Y.h[L f  I4S /) G'U7*~G4,N Bj#c,|nN',۔LMw'5 H,4Or|҄+Y9;c.崈ftA!<&,"v`qS #ko.Oo'ܭfnP5\L$Av_)[G\1ї7ip@& _<2= *.sJZCQ` kaL<TNλ!WOe `o[z,1vlr~ i["8a,ELBuJc%jHJiF3_P^GOpE(Zjۡva/UO _%ybu+;C(qu<X#+r4?[Juc_H8IAAV.{!<Ңs7]NR8 ?vP_ɭ%s!ꏦJ>pk\Mb,kyҏǢ+qe1L3C; WgiRhɍk~,>PΞ»&8ُm tMRkii7ڠթ5>:3H#A&i:Wp _"?/EbPM`|̬& :åU*%\ +#-yanBh:CA(=Q)vehzǢNyOl&%?hSc9鐢j(o _^TI!o$~+8_flA^2sS37&sFe8#3 VL$vkTFo =+/#lXfSe+*T@z;s纨s$l=S~3g5U}nc Ysn>d\<եy .m*ϝgNi?`z2n-]\dB/6mpc!U}^ m G)^"}ڲ̿3Nxm^2iOKm"K 2Z#0mujeV <|},?RI^$6D6 uIZ/I8ZLwX"p*IH;QnM{ŞV-t2V():ӈ5{5=PivrTypmv'+g*OI7ڇ?5 *d9S4*4K~X78-ĀƑU{0㲩&۔tjp}ܦ]s v2aT?r`OP1|rAnp$ۿѓhF d2m=ð EWR=hqEYY$(2Sd7u u7p:%Df]2u'Zq^1mV)w*^52c=CF=7%[[JRW&)b,\:"yN1]D&%k(f5y-.Q 260eƊxsU'=lC!?Bw5c\ ZK630sB70/s N~(v ZnoJA*-)hh0e ԴI){k;yX1E[NS&]aN|=s g8]e+1X ]v&ΟP>37m"f '3~sӷ=q!YYE/^: /YruMy mdMptRuJkLu9z>HCuqFϥKuKfkuńiz}bbP@v]ϲlEωޒGh4u]0iP ~md͍U,Bĥ/ MzXwD` b,on@AZV1z6A@(Kk93>,,+yw?r`(XKq;\jxi*) ڦ}/1 : ފyatq7pxXp*LZ6Jo=泶2el8q05AN߼dVAH8ylj4ďZuj?-h3 ٝHl(Dhp 2&Yp܊>]P0G"jo?R V_3VBiԁ"P"r87C[LAoB$,ب` E'i?県6!hz 3*AB:1$+v!pDEۛPwV$/ZVkӾ ۧYSfN3qqD!)FH\ɟLBW5wSI8h5'T~?bD#ʣ%I27 &O(Qp/#;3?AǠ S7Iz+F)))7nP"xG4SH3y&D7/@3hlUBˡa5r>gTҸ݊Z5LV/%~H8f5.}Y_361W툵lx*WGA8pzdePD[{/[7T-n[^ΠXT[s{GQ!d Υq 4mmTpZL.o6,w0UF".^|vϖMN)i ߑ K,tAdu;'##Nī9*x_dR4ڐAЙaD'Fsmʉ5_,¸ 8-Tn".jd'{pW_LFCUi-L^\eB3IB:6 Y bNWuSjR6J'α#I+S="K toA{lߙ ߑӄK"f0o BmC 6"]Dv^nP;/P=8x tݡG.יj(}К}˛S9[S Qh2yu8V^^qikASNjYvnp 8J8?ƪM_ksS劫H(/@`kA !$XWU2&%߸NMIwK:QjliT@%!?3Z;7e3SXRvFѾc PxdSzqO[ fMf6NƢ[V/H)Zl ,} ƑBKxOpzx\@'@oG8@„~4$49(68YqaTj=WV 쬪JM?NEzXd1l^XV8Q=K x fIF7X& ׻4N57KwmT_K/r.q9\vGKd,b E"bu]a%^jkAbrW0;Bc0=M_.16~qyUO,cMJĹ6řu1@¨oI3fNP̓TtSRGޓQOVX0?q*6@# V%خ>Ds0BGPza (q+`wC.ZW ܘ{EQeE-h`ĵzG/=-; K|hti e:5\}:vրOVq/)TlhEU"`b 1w/!J".xPy]f]jO}ۂ=Q~ly*_сY!PbII(5EwXD[D$k֠C~&\N _iΒIB5< NX{J[K{g%XL=#%#߉K~FO[Q떂jONdK\}?|]VD!i2na|5)̓2]q1EZǭ`4|KL zE4Ñ=1kuek"m' kX&_@ڑR/8٬5ff 3{szrp']ӄf*yw\A Oi$hsΟ!gM,{EVy(%ʬww{Jě] %jKp'bA&X/E<#sTj)8Z:8̩VPٳd:"ɰ| ~xJzA>P@FA%޷tp2h]K!;\ex$ژUga@HkȣLSH= |eij /Ckq˒z- 򍷍R--/QP ᕗb(!Bj?4B0>owhesL=YI؜^6IA mU1p#"B4_ 7aJwXx\}|K8_|1 VcOPY23Ey®XKSK23 υ5ura7߆z3jCƒlsFYΊgRh7P*t$$McvVk"j]7m0SD'M8@؈x4ZS!ުAN'-u-ɗdrnWM8- ܬD_\h* fH pT_Uz4~V*5PZ\H;PaLڛ.yfnX͉ia=XC&2dmx\Qᓏ'͞hB=I=A}5=5 ,9nMӼɼFh?2Fjl2FzZ7|(y=>t8Z?[7Fߪ''i~3kAj˘M-wLp.%F75;vqM/r=Qv\21!3d] f[Z3~'{3f<'u!wG m#E/  H&gp&UP{E:\hYg+=YRwFڪճ)+`Z8M_κl yW08Lv K)5[rak]%c<:200 e^ t(N#1T!d!~n3twŃ~\َkL쇦X4-A3w-z@J0hߦnFIWl2A̖6`e^ˇ;iW@ dֱ 6Flqoib/_bʬ{CbQQ|燪8c$n";Ll•竷 Xa%-1Ѣ,2^t5/5D0pO[{é#33^ Ljp+Q|AN&"Ζڍ5@4'1b#} n8O3~2hPf͂ iRjI18Zao(7 kX'fAx(WgIbǒ;S#W,3+ڙaP6Cw-.S ?4h~$Y8p[3bP3o4O{ V^Ƶ}rpޝIc)tKQFC~it+8JSzSpu/v*e(ۣoJ{׈ar Rh%z(:B auô_q̗/ɥo܇,EFʐ%ZkT<Ʈz] ^U$풯%ǟP3l,ޤ`s-]z%.BVuQyan\~0<6H7"9}ÌH4+wbׇO/߃0*/$L" ]wh+B&-PE}(!݂g.xsyAa襓X; cP`6͔Xm?XGf%XhZcS-vI\bK?PֈjoiBhBW=g]r4PꌰhD#,3p3w3|RG[]4 (orzjU [5g|]d<|'+=hUf##rg?n{/OP:Vf)41u2$O-@bc} [V1gԡlnH)}?SM}#?#\s_P%ήs3.s0%?d .X?Vtl_5S-x3=xjKM7Bl-efȵi9LkGUbT *e_Q]{hbDAi6♃A ;$UfkC9R~d?m=g5> >`fL]Btv(F{i&i(>/,xcRbUBmZCRϕzc.'-! D}hKσyPYc!K# tݐB{o,', |rYI-,5Xmemհ`ũqGd*,9@o\'f[7]$3əg=o#$F8[{UHtoբ_^;kB+K!VI}t9|os]2;VIyδlV7'&0zr=+WbGxt,T{g!NBF&Ӆ/S5! '2(lI6EԆG<[Wc6o&| q۵$vRMB 3<SKG¶m'K| k]JC$)ς[c_SV7$/ %.=&l% `5ؐGei(qjpA9RDÄze+dhs2f@F 1JӖڙNhj#ug}~C$f>;|g>F#h/O&.Y:!D{z䊽lQeܩ!ì3s:QFzruz붋 G!-^3z||2v+fՌ؂H#z)1 B=WjXE9[A}CޗJ sv1 돰=DpiwSy{iѓB- + $8]={Dt{lPJnXM)/ cs0Hq˪::O%EZjun"\jT %Ç~+g DR1KB.aѡoL=ղ\s7\<4WpGkd}%FjB8Kk|J25kA a t F2&?nIGŞLʨ^R\)'[6NhI | *ûp粸Z$2v H}D`820&ěpoZ Lg,!*4Qg4' ΌIxs@U< Mm}!γ=L@;qRL􃌒52<6Ja Q/Eds&? vZ#MIF1z^R硶4ćB)0$ rf9 %5[ QObk8}is3PjuՕ Her3 w9廕c.)Dž$-T.&-cUi;%4>Z^QhxPP$ 6媏6,->D܈2C>B4Nߍ~_kC0y$'ކ[k~DC_e#RG w6 !A$s @7HvS (NXS 6AԢ]rCK3H ]f+Gv?>Om79A_Qfbn,%[JX]3s CWZzfS_m4X+%x5zXAU+c뙅 "p*1,]iFIӰqnc#*7V#_x@m[vMޫpUҁ?!X X=Wjk$@q,kTF@YbcH'%TI6n1qƩ-N8QMe0Ŋ6f!0mu& O"=#΋dpX8h%wTU;W Lgn\]8} ^3.J*~Op?nZ05Tgzzww~ OEyZE 밼E~ݺYea'}$ǃJ6Wa5 Yf|wh$زb2%|/GX\8tkދ7)2߈pDYX! M1m4_9Dpco,x÷h`skAᓽS~9azx}G&B.x%/Eg466ymP.R*eM_k a|6rL:)dۥ0A |4ZAx#0RO8=$IM$YDتr^Y=˱$T< HuRp:=lDFΖ4?cpi<@ h.7CJmV{CF9m,@$gy≊Ct5\ċ.G8 >W C6# /9^\oDk_: AoȟK.f.Wn2\Da߼7BRJ5^BWзÄV٩4!.K`4V},Vej2=[v[x?ټIǻH-0<|RG äMwIz㑁+;FxT $y!֎xg$Gf{r`>{~ 8_iںi(n+cQ44\ ‹ʅCS`ZBS"L-Ըsp5+6l q.C('\>TD{RulZIP\$CC 7D;]o/Uԋ3#WO08vţ+LS[0o*H/iN}Y@+ : n^j *:Nzûu৺\ s@o'ס5`sRyM$~E{`ٿYj㗝Sl8V̏RWUpKﺦԪRcr e)}am!GQ+$2mH~6 =s{-ƅrM A!5;iU69 VẀHqr$WHQ܎Jnˤք0-&!kXZv@235U2takPiiSpV4ʞŭùok5l|T qFOmވ``?(tVO_n8HPg_*fY 3qp9"J6SzTh<=]ea\/ Atռ#ɒXtػ*5Y]6IG/UԪxSS?#PʆyyQ#+!/VƮ%C|Zv :|Bpɢ8&C %V,Ky[|Ay\3a1=[8zY Xn3EpAʂ316X A%Od%=@KZ߼+h>}!&'IUe9j6f`lqSB&]st¬ jĠP6Ûk3^ j<܁<nh'VD$'-Qj.P3ym)),N F}gT}.s;ι/tBUwͥ5nnԹWCF278LY-fͲ5ׇ6să$DɦY:7v'>v0.* -"{7$Ni/;سD/{dd4AJHFZI%Y{{b2c:0ìfQ9.-A<{4rk"u+.RG1;C>Mt[uo1Dr6Z2K'DkcYlcٞ(=b^0-5Y V_lF`țtEkpL(!EAy饑R,<8%P_(bvBa4fSKA+.͓;c5V_*#ElVXL)nB@{Eq'|xqzb9=b\}`CDz?OALG:k|e}M"P=j%HxW#I,geHiZ~[ZS&DPx([p0NB"3 JI cTėx3,KUg-S`rZUMULR6M\V6YlQg _X@(=U48jۂ,!D( O%q$ZL|ҪJ*ɶDisKĒ(g7u)8 g-IOJ[uO)\0Uۇ[(x+џ`ɔyqxGt8),X=q! H&א,!3D..Mus@OGSc sd٥Q G#,l,8ȶN=3R&*Pg?GCT)tfTKwN(dϬS3V[>յMͼ]ҙ%561sV'I-"T*_ځA? ^T120|)V0 ֏БiIK!l 6ɕ !r'JQQAoR fHv/)2jMZ z) )CV+B$]7o0Ln.2-TUT5 xUL PM2x.-Ȁv-oY/ ta``:d|ָ_8szKg7e>P"k-"Yg!^PiFoe xK6D|U% nH{)\jN=o4^Ow+PnKFz^êJ kiGe)rv'K;E9佲^aV_- ~s҇!'(jѕ>)7G]XPR9,Y[|݁f性R}L_U^޿yd>.?JT=+#q*d;}[&xVu/PcGڷ>_t_T+$yb_Cyn.akROA.A]bns}$MTVTCJ +Ћ:8snP1jS/ӄibd# <}%HҾgㆪFPȟ{E㏅!z6qiOӺ_Z(>#ZCjryb$nv;-t XDdU>~DzY+D4VSY6\!t/FwDTmޙ3a尙 . @^*슋P4* )Z ygÅG S'#5hz#..ơnsɭO59(ܔ T.+' jlr?2p݊[lGm%̇ ~#jI`0eA95>یJ,xu}ʪONL&`NSucr׭cUoFm3xmBܿwMf"hZPDu.&eTu6 _g,Y/1VUCVZb&:f, 7o8f8b ~Ўeh&at2#)b{6z{UIչ\mfhBr}&Mow'9<; 9 ~ħ `6<,quVzЗh4L>슍9Dm/;qR=> 10y4ag8߶9& G>~lW8](bKy+z&ʁH;bQ nH @D"@8zªn6.rQEL@ 6}ZHp@C< z.|Eonp2ȍР?]z(P.Om?EHbܭMECbFeȾQ@e>]neY/e0tݧÙE,+f9PD^eGu{YH Gqzɠ!#-[^ 5KXSh?d}8;3?hn Խ'? {SSO@H#A +M)JdCa ) gf3Wᚪ}C3Ne6buhX> 'SfޤMR}1ȷ 8c*&\'r-E*3%jiDInFkDLIRXm5wi:!ZOd j^IX KLi\)l=CNY4Y#ڮuG-FwCVVeQOmdq^Ԕ+zU/P/U: 9r"(!y)9u [.x/X }A*acمt 1P$Kkl!}[} Ռ,HTv]ih(y/<+J[?16GH-o4:}M ɠN'F\U/}򕨭O-2aH4xQ va+q1ہپ\Ͼζr#SJca< 'Y3ٴt(Nt O  ñAX73o-=p fyt-CܶM)(O*&&uoѣ #Qy ,jlۢ . ? Ī]c;l%? R-9g7P(UqDҧ:̘{s?c3[aT.R6Y;i=ӊ^3fՐq3..U4)~aYgI>sTV;lB(A_` pˈZnz#Es4`JT݄Ƒyxd>^$m1RN!\Uv7I^b<3|7(8KjE|Xȧq"n`a,3S%Ѧx1 &x$qFU Pr8=<)V5ɯ<"Cz5> ^Gvc⑴ҴS)PaH>wO I^m02)ȅa%V3AQu@j,[79WI0dA΀lUq %4lFi_7M`W6 s*@;[t`+Š+8͌'7Ƈm_T)FjSMBV `- [?[6" NaawyxCD8j.]yz|uSIryԾ<ę6Ռ4k.pN8UPJiPďrOJzDJ>p3$N9-^N=X;a&ܓUabYə(=:w_j'ܒؙˮq ]啬 7hrlc:Ђ|I.i]?/cc"FUb,4lI⠋{zBm΍-NKS@H!1rjΞΰF?d$Ѹ00߄/Us>qx"p] PގHXXpCſ.t՗VWL4E,ۭ/򒂞dxd~wb tAhd5+?b xN+ *ewf𳁒{g=%7iWh4ihpw@{Υ7."4  Nчt \% T=sžӭ1 ! 勱Zm#øBw1!Ey~}/K\D6OjNu,N(R.@JOs;%fGޜv.vdf~qcjVPS)jڰQxiEw)[ g@f3f?+;5W&2Clv&͙D+b։' Q0Aԫ"~bn#F0 Gw3#4hزOR-?A4f\4HTH3ϹCci}:ϔ ;A]g@pNwm5,&XWƶJzm*L>R'-g `Vt uR |2^m/;0Y li!J{ƾce4]cJc-*.4.1A=m.] *8 HVr=9M@~sy69ڥp3S@lȑў.u 33Nngz@U½M{]׷qbDHX_ ԰5y4򐲈n/gNKnL⽻:a4l<##(iϣ@CgՄUg0\;겖(܉R7_A)K;V?@)j?AurW: mY4df!JɈustק8$Dsk7{`&yE͚ 7,=A KIbu+9g&^MxH*)(ilн)ֺ~B.6ZzL]߭E⺀:Qr;e6yg𽼹N1!6\g=ܜ{bHrP!gNZv Gv6v!9׻nx-Q_x[.%B\N_'Idt=(B[O~eUPY;+5UiI5:P*O}5T043;3DQ j*(=:pG 1O?w̒h̹b%FMV *EuG76 %'7/J-K֝ИgHvtwտ>B0 I9 Bȧ>|$u}vtezҡ~V}(HcRn S1\#x~k}I,C1I !)VXrrUJe Xbse>3!y}x+L8K~@4AڽxѸ.w_  댚)GZBүQev#wڂ2wz+DU`s< <$Ǜ)o В1zEau =+Ajf'kvu` ՟.K~|jϻ?ض>(8̜  FqLyadD7H,!`mVLwͦm0GX)V*NKl#ƻ#{TYS8W"^E2 2s}BDNucy1#eDwxpSYCk<>NJlB.ɔc[EnŭRlG&cIGi$u g9>Q5BbiPڰ p?[k0| wҒʨ-fNY&m0kZ%pE?IHo2,=w彊A`Aw)m_;#`a'y\|N}'5.P8ḀEi zkYlqG!x-_,/4~kF%JQc,F31=:[j>J'R^l<<bA~:7> ܤ=֪H6^ؙ9nd+]bķtЭAb\<K A#ݴxRJJ-JwA5`rklDO #mK1>PʦbGy.8 u8$L&_&>N|L}liv8 [<%O2~Q)ɣo, @۝)9VfW5Zbw( ]~ 3:~1Y9#G;5 d;KK@U[K,6A9ƣP8~}r0O< d}8̪ӚHؾT}ZQ;U(@{`Uz?$;ZZsBxIb'ᗊI腈{bk,i\;2K8=(_ "ώ8 ǾB\4K+| E.To(dǏͳ\Zo1'Y5)t22 nzu&/Tiς 8)a?/,sHZ#w$x3weGVFE5Gu+w2MnZ=/d!4Ѭ163s$%@t{[[tbd0̧V:55(RXxnfI;&U37pB7J}z#X'm:y3 fxдy;XYwWfJUS@ Ȭy?:}?dY"v{JBcpxV# .gv"DUh9Zmk"Z.2)|FnL2]ɭ$lɅ.g0(|O#!Z-ci/⟙`JM0$QY/ClƜo]dhON:86q=z rm~F C#0J1R";t5O߁Eu뉥sB+$y,d>kc, bZɐe]35^7SN>Ȑc|v7pBORxd:i;=υӭ +4,Ca[Li |Ձ/AOJw8?ZTCw% 46=7 +.-)4A6 +%\:1^˪& r$~_ۍ|&pH -~ G8ѨOH9O /f#™> n'H[՟%B=П rAu ]z p&$΄u"_A,B0sԪ7tDOѹfqu=/Pe='FݲE>ķBe-{@;faL_R _zO%R!%jyG/0 0>BæOg* ҖFZsg~0Oo3q/[ʼJRzՔ`CSPseqCZQg\l+ 8o=9Ai3Ƨ?G.b5^F32c?UL}9p&?Z.c[v3d &9eYaw!}jđo#CF2 J}8>qᣊϥtqɥ)JNgWxH;2TQi H3AR/3> 'rDqL{.l,99 Ϲ212'G*iOȤ#UnY s.688]"{V5aՠ_0ؤK@QE)+a-Z,. ~_F] g_f73q!w1m,?peA5Ub~ry]p ,ͪOxzIq 5Ky1mwngRxU n4H0*Aɻ{WƛtL}v~ӄ3|NbC+W aW@jٞwD9׊9 "lb'ӽ &E >y='6z}D|-ks']u0Ma{WJ9e{(Ȯ7k|@?,BwЇk)pavu@0K_ ^%K1 RPz[R0uGv5o>lSO̔iƊ꒏)t05DJӁ{%m8V}j+sc66bET܅`Džcxpƣ w?wRbʛt}oL-NGFG'^&.(ș=Z[lH9;=L,UB")[hxᬸMѺڑT]> 7U_K9 kDBD.W;6X^_?孼۹FEQʀnИ?6X }Q{,~8EdJ3Ӈ己^E`K- Lx!|9;0] &jVpzAu/ukY EnF_K4]x%습.jR&KcRXHPoG CywZs =_h#q n#|X˪IZNkxqCy9ԕ뱹^yh@ػzxU]<ڲ=3 ;*gfbF9|"nҴ zn8jo`1ߏgVRN3Cq]`"~2ֆC"f.l:[t w b`Jd/V^-H^IB+L,JgX &阱%iV?IQu%7-ƙΏ7O1 e#`Ixmp Ec`0AY?]oH|(eU O{ٌƤP 8>;m:G.b;4GXV_Ot@]  vrX  % ٵ8ȅT?C꺬}+bciW._h=/T3lz"5~9 ~p ( i%j_g-'pvR=Ml(vMV$+kwl9`ֵuƶvWu;t\貅4slf 6Rkt ؐ>ϡ )ÍS+{`]koI>DvK]KqkPsp6 g?(/Pof׿F>NO;닸ae9$OB+;j]y 3;SA1V\7/}/_I ^f~; 5ާ.NX=宨g J篾~QhǹP O0d No&hQh_.Ar5%hr [D 8"/qּ;LZ'N._~*wU)?Fqr*:?e~:&!:4QItX7K +h͌x:}/N~ohW߶,{ !q)Ic3 DjH*Kvg/v&}pxpw~ttA~>;9\||6:?9hm3+)8c\S= f7W9}Xg$~~J"ðl%&05m]O6R( # Tp4b Pk yp8옡P}Jr 4_V8]Vh[}< f!.Cט"W$V0 hC%MZĔ (8},+J rsCy@͂ZGo_n&H9K'v欈l=ޗ4Y`}B Y*veLF XVAi\~ .8t.ܝӤgt+46Gfv[i!S<ƕڰJbꀸ45cDN`AhSUYL8%P_N!f}q~!dQY"y>SBVAicFG:{dKFQ\UY^ǑhPtddy6]~rzRffIk 6Goj>Ƀ@U[b>|QC~;NkF<[,L+ςVN-I&b0u6åF)0ka9H+WCŸhYd+Ԡ @  CAj.5WK 㑜+B!kPl驴y>S֧ost=ʊCԣ0{'h  ?{=۲yi: 3OoX- de2;3쀢R@/b4 JőF~TSf*LmACO;4@C'tM( yzVH>hi8O2||_˦1L*Kը(mLJΜ@FϮhP#0[/gwZ[)a<UB1rrQ7F4}뇿f$(aRV _]E~^Y!*HE^;Mulq%-+%8b妁Zwt~>z{qȽo ̰9c xI^,=B zk}u&kW˜R,>7M*#: lԏ%(Ǖ<=8$ o1C= gJO.+W{gQfS⍶& NBܶ>l *J$+ٓ|j) ;rG֨&Ň jOTJP,qA505$`XDX`j'&]K:sdEXœnP𯄗c z_A:n㧁Xf+$*V=ܚT\9 .,3LbU֋Z5ō ӎzתk upH0))&ԟVO|S4;\ 7НڦBQ,%.}lzPl M9F\ [ZM+Ga'mhrRpn)n/ȻneAr\bڄOS)G^WdQච7m?A"HOP oؘ;7D*Yr s)zE-Y<*q0jFIX {6~~~Ч+r8߬6Gn۸lt8vzϪ ,50 |L,kV̓Vo+,\K sdObV&՟hcBdn+YWCkA8i )/ט/K &C5T0N476M8u.3X]|nWAV/YU,̆b-MZo^Du\/# f1 Ghl9$`.b"-4Eګf$(U2d;|.Q4UkA͐ 8 +O*1Lu=>>BM8pvpYL!Q\ы Dn9(UZWl7&9LַLsdOΊUֱ?6[3mTLyTVq4ִveNd(fL .@v9 hMVbr.FAYpA$] AM,|E ÕSOUqW =ߴ"?">0x>Y&DuwR֑A1c`;GR<V3X8J)B"ү+J5ӺL; GvΑZjq*1*ր^#M A_Z/KiD9,ގK?juml LEfiِc=vV""O/XXBx&̌(s,<@[]1<1Ayqc| kROݦK&uUSꍾLrY_"0lh¸Qs% 4F؟]@P,n/ߚ}-:g,&(DKs1| x]$M;wҲ4qB-Sn֬7H-5 *64 q60W5lDlpN?s0`Aƽ@*`Sh]9볟G/^ˆ8σw;GgoW'%:R4)@hd,Iq8J|t 1_?l'|3r?8PPRLfcNFwRl=hP5ܽ.Q/ .wEs@x?Lbrt3fD&#IT:\F>sYA찹1]YƲ~AU[hZ֘E'9G9 t3ofkp 'vc$$ā1C]DQbFr P6%E,Vu;Icj7ue_(~F J~{y[1sh`gCG1f3: WPda[|GApir icr=dEr!dZ{Yo.l8} C_Fw(Aظcɋ{U8z{I4ol=?xǂq-Wz S&DܙƏ(ϕ*e+:xQWtot@j$RW#=;;x#6ܨB爙k= ђ 7hyZTd̥) !TY0& GpГ|(ՠ;)an9Dc xfn HgNBi3P}dCI(jܞK?x_92ݨ9gkG\q"KkE `u7qO2"o^묹Gp/ZΤRa_>cΚ4Btʁ}DH\S. \UayIi|Ȍs"9ݩRJE(rd qJpGOg?ǩLW0OfpB~K Q%hɨe3qLW)CB E)h GABmM8)/>6cG"xT?]tZbA:Y)1θVhRWU>^FӁBM0'kJq|DAW((!2GAbrsr;/^_}ۻ;/w_w_^oG? .(rG <5ҞHp.+n=hg#E-0I<ө5s-i,tdAۿ¨Ƙ;AT.֑4F")qݷu6,_bʼnusRﰙ2TM5:¨#(ő1kRUPi[Nb?aݕJܷ 68?uj/uc-vxm(,M tf8NrƆ# iK:"1flm&soQa}\VeVK@2r,qd-/7UyJaN#|>HaEBg@r췠ҩPw(dX.aJM4Qϓ;%{( :_  -lHF| EE%BA8byΠ;}:bA ']X= Mq|rkO 1m%YTn†37%l?e;T벷{;B5}Z;e@lf 4""Hp8. m8ȡ? ?yAr$; Ә}ӽy"#M_-bZe, ۢ Jͨ^+9iw*VTl~9"^d^R<_TSioa֕qdyO~TuPBF{!2V8xZ]rӕqftn ̲ݸ|5>vaJYRA ;gXy e {e@DlÕ\|YA8O8ˣ ^ G};Y.c=C[W(jG npiKeǟG{.>\›/'g~ ~~l'Jm?}:888f,#}bs!;:=|Ḓbd &+um0 Y2kb 1Å Q{GaX^㴚eҿ}Dz˔$45ԛC`BKllW[{I6mVB>Vs[mh2Ӣ#[,V>eTVt2e7VN<ӵ=hu)HxNJQqxxa4kU^W6NP^,[wTIhI|kXH.[tvriF >gE'S:.#q ʹgA; yBx6Hr1ő= Wh$[70

>#3N>-VYQ6}ZXA"piɑ Z!P2Kw8D = << $miin'XBA]zݶ*O=3R'ztPh* OB/jfV>_Ӻjy fkQLnM/^zW+DɞlJuW<3щClv]R/A?=O%itF:j!Vl}1W uԼ#>B>;:>:9LTxtttݕ` Y'P+X416w;]H%4 Ĝfrt$;"Ƃ-W !9c#JGhF߲=;X5KxF2oux;Up>c6.#}sWÌ׃G-gl6֛i2֏21`cz137>^]__\BJJAQQT z\5?GI&˽'_u A@h;{K<^5ً}qzuo<~mE\ ә\8Sp-=?{0.(X'\Qq9MէD=㔪C Woއb`S=iig)H&)/(N[i2Z:M%r4]NzIK.y|k~v8>M<kd"0W4 (SD$eu) ' {6XW",U0MO;׻Q7F۪e߳&+LJQA Ζs8 E,oo+UP,|󡸜E ,;/ 66<.pV]sL W,pT]lV* Y RF#\ћ%A(`hvHrB7o_', pyrvVU77̦ܲO-hgJG GQ%Qv(.|GE?o4"7 вpdr!A DY r cK2" SpdQO|vd.c:_1s44x{DǼ6b~f6ZI;3D[mؿet8o~;;0ѻD,g(umBpaA(=ibŕO*RX֦ҹ2jUvUǟ@b+peRp'4Eiq5X}_hQ׳bC}E% @6 PT Q!q]zuR fij%~Ug ! 'hA,1mC,1gq\6h )r9ܙ5;_%GwRS@6ALõ8qE,#v_6ѨQ+s&&=-t(Jj@:V()vY.|<{~)aZDQmbT*ہ*j"i1u&kYc@h@;n\6F;DU͘w"Y4,36>8[+ags۶Ky G^v-oS>[+{}x7P&}S5,.~A7(Su*ҌP([X0'Y$VF<#2U'͠L]j`snMMw]2(o 2AQjKTnCt[ :xQ0e ]djI $tBXa[HF&QA\ƒkkc@:jZD`PE;gLucF`BKn nniSājsUQLq[nG_qBX@rSIq A&4pcd R#i . Ra-4c!@o @CM9tH Čn{ 'Bk'6)ǨSQt%)z3 f)sm"!>qʗ&++ltf.'G66<^,NAܴs2})gؤ#đaE뒢ح\va+]BqFd C@8@ TtnnpmUpTHazI2L8,sQZwχ.muo),T hIY/WjT\(9-hr%ëe;v_brbA џbOL:\҂n9ıqYvKSt?8ߟ_q"dFZ/Y*L8Cdا䧰k1:um.'$g]1Z] *lC&fS@-zaSEQO8mzBޭq); |G[P`s8:v" +Ov#}|ӿqԃLC^l1Xn:* Cjm#uc-®]/sd`ϱ2dd䄈 ˛e' -T.:BΧT-h 5P,6{B[dK~ƹ_XxKIl%kp/&}2>eLԷ'`A \D -NCOVH vV:wd&IcVJ6XY`eASaTj^T˧`a[ nnK!F] nU@FG&pmD$Sϟ3$0K:fϰ~q4H'v&*uI*x6XF|6gP6p%FNu.2|Gh ;rabMn! =%.#)?st&ݶ~{#H.k: cޞFԑ,;$r'9 frGޥ3)1xh7,Jd !Ċϖ.1JN&؋ZF3*4|ng[#kNPGZ'LxW(^I o܅fcq!䐥FP_05Q!79p:8[U)"#z%—PDK֓ga$؆!p )G꟡زq W8D )ҍ'9RuUAQSy1؆"hGXns ~nh[*i;"IF} &Im[}\,۶"eyihU%! RձYEOaZ TYXXbG{}MKw½;5wU[]00n <q D$=R*r"so|wdq B ؉4 +ǂh9>plOedA=y5LDe>Evh뛖tRmϡ*i;-;K!…ٮr~wS%%& RG QƱ9̨}!>6W`\ИёHaI$O >pHvN |й3elm`jsC+VK4,oڅ֊1%L7){yDҰ=Mhh}/Z6o(V<)~,Ig@yq&|ƾ_q8{Vћdw\>}aV5Gg+}O#3͂{^%<3~/;14KWGw[@bwЙ%IohY: 2*"ASPwznuȿ8ʗ(J-OQ:lF>Ÿp&wgy2Po"=Got%ߦNwCP ,Kg<h 5fZF 4zf*h]V,wmpOgϟ+Dvك̄GF̫}QO2w^gag5<)c[}ў#[MK{^Q?(:?L3R._S||Pf|C'I^ ,#=~;t/WCנf?h<ׁ}{F%>:,J |+ַ֛UsqVJ3l:T{cOHh1l<-mrw5@T<1lm;b=g{8Rp^l7$O/>-,4F>[g/[Yw |^7`KV+ |.x~5z<z晿AH$+ sf0 swXAr]@=>2U5sF2!?y|t2WsB9k^Il2lnl]ѫf0D{7iVqwzl߽>%m4}G5"探RMB*\w>H_u׺)c 3jK| rbat$#3dum)Yy+ |RU$[rfa-vfu=unuwt.ar=EI[7'+ccc(1s^o^~r#yŌf?KZ066[/%\rC֛`ۏ옼\G7>1W 8&d$-p*Mz]_ffģ' 0$xVˊ5kRi~r 1yzKqy~TdM4>Knx`7ܡ0ӝuN|tz|##x$#4ĤQ(FO@ǹiJuifG9ݖjY Y*)IQδXUq.(;>ݜ;W|DIAE g{?ΊkX:-lB8_OK%@Loqs@$ cbSe/ߣӰ hÄ3j+o"'QE;6:\K;V[w$V8JّI\KIM'Y\HULsZR%v*$ӆ&ŋco f0Z2mPs6qC<))>/|Eq3MځK~ꏠSPĤ`â>򉉠@B\ vv5qü>>GtsL1)ro'w.qzEt ic̒Yn67h>DMa1 ZߝOt.xkXotZz-q]uE<8c̝/P!Mu?ݭfaհAdoE3ðSꟷbig0 :$ -2]a3&9^6~.獫;hɎj)пqmK{p=p4|fh*~zLIhWCNXIw])n&){kq+DL%qMgbtӡ?e[M'sI~ ?v~{aYrt5@ǻfTSo$#/gl9{Oڊg;L8o<2=#&tiP#Fuz}/ a1Pzm>\)5~ euWNq(l";VFԛ܍y=jӮ;+2B:R.&|zl=$]#^Ƴϰ\*X|u _*k$>L|sETcPI /G\tiu B2*|QEG;֭تZL+kƾWO3lU^N ؆92 l j;pHR:Ej;1\x #sB ؙ=>"f53o%U_G_}b.Ӹ;BVJ3i4v"^#Tҹ4.;.* Qz)mUeXlׅ@EhdZ@7TNGXɴ ck8+T\fҠ*s$$vs.yb3u;Kpb,K.JZuXj~=;5iҡ,aVf4ҪV Gt4P''iWtJh>ܣ;KE0 Q5CS~^i>6MbţW5뾝=8(ʷsA;"ZՇ.oDe<=;Qsb+8g4%JZ9 Zh{+kTrIt.n./:ٸ+]9gߍeE+lBUC˿Ѯ0e@k<3V5%#LekKZu~WVI*KcToƙH{rj49yqxgʡBDAZ| mXY3 5Չ*كt(wα|Sqު !Fzbb[[Gu?풵B5#Z1Īn:gr,4$4#r?]Uas8; Iv]E+ƕNY]ItBP7qgtӤ >ᛧ*9b_Ur0鷮s^q"vH%ϙֈoNJn.9Oue3J]3E˵t+pVncËx'k1z:ͻЄHHעNCG_ 2MI9+D_vefRoM=4 $4E{]/w!TWl~恾3'æhf uŔ@KSCy7a|XL'|z7qJ\RqmTKyz8*D>. ''{O-j(hόu"6pHj#4#ޛ LYiX"S?K-kQܝяܜh=:1OF? k!A㲪kln?zӗ0+^LLZd,/.43ݶ&)j#J: QfMMFY]ˍO: Kh5Պ.!e$QAV`#Yv!(ov] C\X3>DͶbt.<6$z~>_*!iO,J&iy|-%GU*U͚|\ږF,fRR*M1b2ԃ2!#cv`%^+J 8E^柛H.M;B D"5i:]Zm˓';eRpEcL7r1 5l~٭AJ7wwhG*yt'R F)NgM}J<³#E'VV=؇ԾꁍOq@ɢ]3&eG;{SEE!+w&I,Øѽz|m$1|4X]lnmll(]ij3Mfzōr5ZfHyL~7TDyYyAsx.[2Y)MeѤs[ƢyN7N.#q*>H@i,əwHiHHн#y e M\Wff;wb5S gBBpw"p%Dn ]+)hQs_}tCxD-;|75gLͿp(YC%G$<(+J濒0:jzۅa1$[C| \^romNxӵҹ_prD=H7c7@53t}z$H-%hmE691FyZ,4|?R'A,`]R-eĖ{? @ΪI.ݬzNzEq1a x:Xͽ13Ʈ弽,WnvfWwĮ>~+˰2AO.x! ۛ~% Ip)R]/:O̚fח)]uvDZ"-QqNG;g aıyupYlQLUӆb=/G[cb4[[^?K3sn007070100000007000081a400000000000000000000000163cfbca10000442c000000fd0000000400000000000000000000002500000000./usr/share/man/uk/man5/sssd-ad.5.gz}s[Ǚ+^i2IֳC[,Hy&[$"@pRvK"-ʩRIT&S5(ҤxmGwݯ Il%}~SQshL ]/5hGEx\GϏvuwǣ;6T=؉/D3RlkV=+U8L1Wz \ިVoDM7ob7c6v:o0X-̩ύ5*qs Z3/8sVy'_ij v2ẹFMmtU/ar/g+ Rc];:p*:uN9E?.9]Q~]K8jTV7sry;j4[8(|sX1++cW_yfclzat3_l.yu?83X8}v JKq4S[Ɗh 鏎"q3*VWKfTY8)F~Gkq%,U+CcEݯZfiTpf|KU|3ZJZ);Do^rɩ.F?>iV_|!hTQͣ" M{p(wEB4~W ]~tUр]EP#P]& 4W=8T3ř:E+>Z7԰{54̧OGѣ7`3SïX7GV+ن|/Q38zpawWGB-Yw~>,s֦~[WШ0 2sOmafgUE??~nqk鏻IwzYpNQ < Ӭ[E3tL .Z~hMnlm0Oh  DA^C\fPK| KT;-.=E>Të Qt] zOԤpf8EpUppvԇ`=5}`;tTD O ml>m"FuKꐎdmXb::>p1HKU/^P&No.P:F._<H3B't'[4;9^\\6 .|#AeNTwhjݻq`?\^h*^Z4u&RzF!x1_ThÐxv7⋏÷jxx]5.1h&&X2tc30bb>ɘ뚪jJ.9BR+%Sazi?~R8P z=#Fۉՠ+揑ۏA/,V18}!-d8P rM jb/#pQo>G|#V_F} G@I=̱JwǼEG "=zh ICHqGj8@'"` ΀ajm%CA 7!Qh̰Cc`UбGp65H(⑊2@%"lׇf˿Vg!>^Y_+ %||/՟OۯOڜZ]V,f:$9hwگQ:l̀Ϡl"X]٨ 7ZCҨWլ74s}=da`qZ*V"zEmtXA&< Vk^ի7KŸzW8Db /FDN|h^ywKSdEZbuYI@הR >uoqKu[\mGչ_)= \ISo:pAPPbd#5W +T _"@75# >]W`o(럸@ p MQI3p|ci21i-B4%DA漋B/Jy5}P,Tivu/r,CHޚ]CcXi>D3sfhlj:zyhl U懀*^jBz|E⿡3E֞q_qbڮ ~M\H!g8ce塷".m%jQ;b',8Scfzf}DD\Fm)tFbj Iԩ eudeiE?ġw%9ҚѪZs\58Ko pe,G o!nE?Uzz}B}Z½N t~]jA0"9d1i|8VM`\T=%0`)[{@VRdF2~r+~W򥽯m5OP̚ *q uA [xf=I\>r5#eEև5E <7C#3[jUhvOXSE/648.IuI= `?#:iJ+wM#q{&R|9xhO+Aq7JxL")! `RIO28g£|e$`iE(Cg8[.KhX-~nweu2ҠFoyx!YHJ i}]sLқ"(L,3pGp e { 5" G 2>ekFp6F9Вmo/ܽ#/6awڶC!%`$I+qKW 3HtY= n >56:M^DiɐE/Kjx,1Jjgxw|)3[ybG`:]ח^v&tnd*C},9@d3>:Fj@E.pdDzk/ujy ஃ` Vgje~=j1Z[Z9V?K(,/K kYJ,o\~nj7}P a:Hx#\PPWӭ)-^P{8%4X2 AJ=Hc%VtQ3Sal_*%]lcH2kC.zHM&WV" A*N}MX64l0CocQ2B%eMַ lkVǑO߱Oq{YKO&H8%vf"<YbG+tV6bp5f% HziBfFGnEz)J;p4pj1y][ n1tdLP18IK Q8 /|TG6ei+'-04tؿm3[p޻FmVê\CIxXi6JXճdB'Md˻Ƽx4ޣ7*|(qRk[1:Hr'(/ep$P^e[që-~Dwqx[+24wc-\&Z*ݠA .&$]fP'AphK\<~&,GTy|,߄DJ$1Z qn aH7C,-6;ϓX__;{_ϣu XuϣoxP<5:ȈJH@A_],SAoSd16Bb4V:XSp &Ď[\`>dS}n96 fi0Ws N"l\;ygϹ,k~Zlҗ*ޙLj1C- I`)wӞ6mt&]!oi*A~D2`0IBíh鉂H5& sGyjql -@NC& h 8ZӧϞ; 9OcNiKq_hl.g(bg⽙ii{3řO#5TE]j9 i0R rKd,0]窄2Ϥ0M9d!KhK@ŋR'dKʙw=x'gF>-ú: rCC.ED{sGDL@ˣ/D-hEdy>?/KsqRU[/ԫZ#W, եΜbfqŝ9iϜ|6T"j}&4i;p>Wq}IJhEJ^v<R3+rCSRΣaIDf9s#:R"e[0+jjQ_t! yL+t Go"¬ke/:^켣:a@(g~PjzZi֫fDJ@~/v ;lh)R/kWs :$##ihm{AM&4`sH:VDBc`{-j1fâ-@8A a%uh Ķ7b2|GFX' V1usN7P3_~'wW#6~JvW}jrЪC#TYw#pĩvYiPFMuvofNjmS׎(C]A&M }Q:cg҈2dwM`k\ $Gr^ J8N?ʑwɘd2(!r˄:ȬC$"u5?|y/|gkH#xsuOp{P$6 S8>RN!Nnde܈~sRQq|O?*) Z~l'ҊH$@V4FXE a|`mraP JkjwL1[{^hmHi[;DwΗ `irIL.&ιgHD8uFlqѾKvTb6/,ht ϵԏ?8ٛ2ٟhإk|(:3vs>~7Maٺ)d%Q#q&8ID!'ٿ煩ֽDJTzt[MHk,aka"1iT%N,Z_.-ʥB9[+5>q\r࿠LL`@.3/6Du*z+y<4uzycyN$؛zSXsiNOl|6a4@LIWE3T4st3w%m]x.dn4KKqT(p[kR;AѳP{P60#Z+@CV[ f۾1@ms!dy٢D/ AdO\pm,lC{8"ܳ`(4$ώ/Q㣗s]-AJ3)=TrmARPEp@JO%{ Tia Z%_4%$WM{*p.2caYrMj0-b`D{fr~T.DՊ/o~"049O-D\`7(:4Bmk! |ǸM^lV@OlެRgR 7/_hS*m`mt ]5%R8R$䔰V -yOZLZ/t{VǼR! eR#oy4#/{cףSKŃx @c\0YKmMl]8v[Uuc;aK3B\ |~^<Kz?o2I(ĨJyuO !j3K=;)͐Pju9kcHp2hGNNIYaΑ&nhopp#lp`[[z L}RbZXUظѬ֢i⻍ܓ\Y]`n4y9 b3R8oR3wW"o|ooM'^fbK$} 2 leX[K"W#tV̅3x 9nUge?;ϝo־,W UG5 NU\>囅 }vY՗ R `:)Jm#_U/6MSlPV(}-0c ɵA#;nP݋.*[-ʢf2)1Q/y&d >'xoSR-3u*)0ehan*;;:SKAoɱ4@Ey|T#9JH{\?7(N6~GؿMPR$[tv 5d堦n2|?x핗'&οzn">r HRV#-5sjYc#HBXk|Bykz3:O|ܲ39^Dj%R?)% ~\p,ax+8E?U_l./;/0tRo^Wfj8ZR+qW ۴rv\o+j* mZРф`ӓӗߚv)ͯ3׮\|j4[jgfDZ`9u\R^HJƼ8%uXmU5^Bvdj| ~Ԩ.-) t]NtRLM!xgcwlPX[*x&ק/ qeU#%) cL&XL,p3kGomr!1q=) #"&qMHcGLΐcO)qPϓM*)BG}QG nͩ/^΍8]ӫdV ~iiكB 6˟9E6F1aMx,ߨϝSH|r<}@H_1ښa 2JM8})C *er= g~}eb"ğ MpnuP}.V}JT0@&MaKDŽJg Ag!퐞Vu־WN:0614B:o6m[C63NlEL`0]#_ӹf%n?g|Hlw%ixtm/#*BNA'@Ol>:xEDdWIwY314CZɗR>}b- ʷ<+I=J$J}"a$9؁`U32hҩ Zћ;;k 땉Z[r7连+k":0[kxJzti)bkA u˔,B5P0Hsrҍgqͅ4x9ދ\S4RN2ъ"'>ͲqO#\CM &~y6:F<031csm[nh)MF Y8Q,AE?ϔ;צ sjx)A?#ds " qF5%͉CgX}FUc W's3۩B rPdzJo5s28-&i4؂G>|3SO)K8♢x j˳dp+w74RUnEl6>ޖm-`E',)*$bu).Rm?.C]jPRX&{[಻K|h!=$`=C<`TlԶa-u_ԝbԉc SiNwQEQ }Ѿe༜M{_߽v%U\"V/U 3bOϻ~}X  u L'ȗma`>ѥMfF~O9o..ܚߥ:Ԥ K讴q_4alt=5wN+we3&H880D0GǵP*=].c6q)]^/f,>vToB`$,*H8 />66hCl7K-Tmd$!ͰHPB8G!I .!Eu0wdb#֊nC.Z*J/H0rһW pX}397F4Vs9[JFZR"!WQv@ɅVf'ױbBfx|qOщ{A4i;ó"\7cc鷤x6:唀t%kGQpҹpxyC7?Imzl&w3^D%”[E1֚`f0vtJg]ϕd γ/՟OۯO8]S喔e n 38?{ ܴ m9 ldL"/}WumJ㜚L񀞭-h?~KHdcy%옆UhMsi^z/mV:eG9PWUOS$u?zܩc. f\Bu>Y `+/S^R?֌& g4@B8ӀxFa1^ʫUO~#@Vg yu8_^:9KeZz4RUZ|tBy% 5Ѽ;ytLn|V+K' 'ꍸPjumTT5&ߙviJRΊ鷯N]2uN"ΘW1o͆XQ5n1-P@7um@D6M0m1sȌ`N$b÷{@Z]6 ?)l{ ki10#wn\%cu??^]b*mS'/Ӿ/79l"]сN0nNpjtezy|F2T 4&-7aREF32R8t&[$yFs2Hʲ^DⷼkGD7K?3JV$670A`3/ZQ C~[/ u(r+R.x5$@)FVD|jTD}'ϗݏXԆv؆b*Q8eD@EV$]xaR{DRf(p;Ng]Y(}& `&&[xH$+a]N=H:#|rJCc%w>%yB<Dn5=-hp%-+]%|- ܚO)6D`&giܺI>–)Qr2`)Z΃ٲz}3SCG&1sm^M,k^2lJ ;7Æ~d Nq L<ðL¦g[$(DaM#'ŠA(o'fH\3N.ۭ+#M]N!z5f"n~CLШ"VF|U73O.{q%=c~ߡT4ܱ}A^摓J䌊|~]or>cp$UŽ4P3z<:bx]I 02@'aK sڦ NlFۆ4 9A.8 EEMAKF*udC dA_n`an38YRfCf)M /<V]AoVKC2)-ہ$+}=eI9h[&{ 6Mq 83`jy9'JJ,ҩ\Ej!ArDu27"oh;Q^:%A_SH&W4B;y~Vi";0[UJ$GEUȄB b7ܸzqv+? rpI ʔ;خyC}Y|ٟ(8.8=6(8 G"*V wDN녛d2N9*TP"nMZ[=ugn 8M<#m :LM֛<0Ou>';MUF h ZɆ!YRVs6z0&B_!lu}eꑂ1Hb`@zKLL6<)"X@< ֏F1X3cl\IA\OĦQ$f'B$(m#U2X'@MhJm Xh滆# SF!Yb=~P)e=18$䄬u9mY5vR2YZ,xN !^79[gO:)d\%p0 @f_(XF5Mpvn@i0g2b,Ff槆ύ胢|F|3VkR\m5mJnHiH0\v^K¹`ӮiYb:G.vr֮S wc $:pӋD O-Δf1YqyOJNO֠ve_Wy}Z۔蒊`{h}¹‰U9H8`4I:|%B54[Z_ɳ}P(,u00ZkjGK[엪  BsteSl/8IXBs N/>s |~XєRHneT̃6)p9kr00aw,5ɂ(@$Ö:(_8Q$/z].tpIg%%ZYG冀X(ſ*BgiJIk╁.T҆l#fjn̬svm% @EDqX2b# Lͤ(ڙvPF,@PAITZIn䥣h|\'&:{5q)ϠU9/_[ٶiIa8umRprOAj̅OVcʷ و#CG5*MQG^eGKݞ-V {MՊXY*$GKHP-]`y hP$J3A1 SIS1lq0.tKJ9k+HЪ@`2N®uq׌X@/Z-/U׉ٛљW_;ce0IȐDW\U |>9Ȭc/Ya=AQsMeJJ`E##VE_+_¶$$jićHKƒa&PpK0JK pE!C+YI:'p׹ٵJ+N^0[Kly&α{ :k!T rHq5Ԟ+5I %(`KSt?W3C f8is"6uȠ9LPde5\ iƚ? MDzAש8JK2yl C)Ysi쀄e>-xn~ȳ[3z]\mVrd A(6}3QczZTƘ*$:kdvPD'|U;\=dhO`Drd^f>w$k |a1󵑜p`F'iT6t^cn^bKL3 DM"^RX)uO(a2u*=O` XjQIzs[E2ogB ֋JI3$鴅 [TAIm>ז'?@qC N+о1gUyD}o=: ;Z9fԪ{pόfE"M)t89pV 8"L%Op9 {a:O\3<7b^t{H⥺*68HT zH˦-~+ԥ #މC;Lb=ԘcqA|&RjK"ye6Wڢ bQQkvv{^~L *Bo_Vr8^$>FdzEvp]5eM&73TxVɩ0_/wJwC27jVSCt,,Z׍\ʁ1 '^T۶wg$C0d %=xiUW/gf~OɖuߓgfFgrJ _edWz)j턟mt2ǻd5ĩl̶xaL̬.¡!|[$DD>Q#Gn:c-U%5E}ӎ/G8:k-yOjdv'M#t5Oⶐد$!nػ$>ZP86WEߏG9ն_\Y[Cӄ֦?{[m'GFr4X vjNJ~}җ'" '֎H/؃v0t (-k j̴"6VjF|eYϫ*uRmxt_Ns8<ON a]DW)7H(pR)NW0ĩ^ UH~>r bjP +g'tvB40^(0WpJjb"Itz\=8Qo'\;Z0`A$'s\s(UbufYD{֖IXM@vz@wtT:%ޛ$ D9(fdOhuR. &{NݞNglrPn4 Ę*4NRLr&N$n8 CxSI[C#f4 Ÿ r?Z91\R#1WH2HdEͤDe5W(rF6zse)Ī䉚 ק8+{Ȭf;dVRVG6p:)F0= bL<nm+k2X'"fT^cH")]u#;͡$&kB6\y~eϑ_)KuIjǶ AEh|N80ݩʵ He+R=M-'OeL%{\.UZ#s}mWx8?ikZ \,^͊kr j|gmXYGB/d_eX>*HyS\ŴQʇh\Tl x?lυK^.>q}r?3{l2-}zWɮ~r'iЎh͙RE̴T( ,Lg\QyE~kBh?ް' ln6H>YdۯdBD^5ͤ騗$ȧz顿t,tw8: KPKDPBk.XcRs*8=ItΡOl8>Zj (N0d{RoGw/_&߽թKruЋWߜ ~ͩׯN^OI7o{KWliȥx$px 7/-vXvc' ||+T+xKorHĸ_%\{7)^m HZ`KpҐ:w\|RqV,:A/Q7b-x8/6MXߌs^6R(Kq[t_w/+2.#\T/:y@\Dk53;]S٬N 4r" `>: *+`w 6E՝ PM