ipa-server-trust-ad-4.5.4-10.sl7_5.1
Scientific Linux Auto Patch Process Florence Blanc-Renaud - 4.5.4-11.el7Florence Blanc-Renaud - 4.5.4-10.el7Florence Blanc-Renaud - 4.5.4-9.el7Florence Blanc-Renaud - 4.5.4-8.el7Florence Blanc-Renaud - 4.5.4-7.el7Alexander Bokovoy - 4.5.4-6.el7Alexander Bokovoy - 4.5.4-5.el7Pavel Vomacka - 4.5.4-4.el7Rob Crittenden - 4.5.4-3.el7Felipe Barreto - 4.5.4-2.el7Pavel Vomacka - 4.5.4-1.el7Felipe Barreto - 4.5.0-21.el7.2.2Felipe Barreto - 4.5.0-21.el7.2Pavel Vomacka - 4.5.0-21.el7.1.2Pavel Vomacka - 4.5.0-21.el7.1.1Pavel Vomacka - 4.5.0-21.el7.1Pavel Vomacka - 4.5.0-21.el7Pavel Vomacka - 4.5.0-20.el7Pavel Vomacka - 4.5.0-19.el7Pavel Vomacka - 4.5.0-18.el7Pavel Vomacka - 4.5.0-17.el7Pavel Vomacka - 4.5.0-16.el7Pavel Vomacka - 4.5.0-15.el7Pavel Vomacka - 4.5.0-14.el7Pavel Vomacka - 4.5.0-13.el7Pavel Vomacka - 4.5.0-12.el7Jan Cholasta - 4.5.0-11.el7Jan Cholasta - 4.5.0-10.el7Jan Cholasta - 4.5.0-9.el7Jan Cholasta - 4.5.0-8.el7Jan Cholasta - 4.5.0-7.el7Pavel Vomacka - 4.5.0-6.el7Jan Cholasta - 4.5.0-5.el7Jan Cholasta - 4.5.0-4.el7Jan Cholasta - 4.5.0-3.el7Jan Cholasta - 4.5.0-2.el7Jan Cholasta - 4.5.0-1.el7Jan Cholasta - 4.4.0-14.7Jan Cholasta - 4.4.0-14.6Jan Cholasta - 4.4.0-14.5Jan Cholasta - 4.4.0-14.4Jan Cholasta - 4.4.0-14.3Jan Cholasta - 
4.4.0-14.2Jan Cholasta - 4.4.0-14.1Jan Cholasta - 4.4.0-14Jan Cholasta - 4.4.0-13Petr Vobornik - 4.4.0-12Jan Cholasta - 4.4.0-11Jan Cholasta - 4.4.0-10Jan Cholasta - 4.4.0-9Jan Cholasta - 4.4.0-8Jan Cholasta - 4.4.0-7Jan Cholasta - 4.4.0-6Jan Cholasta - 4.4.0-5Jan Cholasta - 4.4.0-4Jan Cholasta - 4.4.0-3Petr Vobornik - 4.4.0-2.1Petr Vobornik - 4.4.0-2Jan Cholasta - 4.4.0-1Jan Cholasta - 4.4.0-0.2.alpha1Jan Cholasta - 4.4.0-0.1.alpha1Jan Cholasta - 4.3.1-0.201605241723GIT1b427d3.1Jan Cholasta - 4.3.1-0.201605241723GIT1b427d3Jan Cholasta - 4.3.1-0.201605191449GITf8edf37.1Jan Cholasta - 4.3.1-0.201605191449GITf8edf37Jan Cholasta - 4.2.0-16Jan Cholasta - 4.2.0-15Jan Cholasta - 4.2.0-14Jan Cholasta - 4.2.0-13Jan Cholasta - 4.2.0-12Jan Cholasta - 4.2.0-11Jan Cholasta - 4.2.0-10Jan Cholasta - 4.2.0-9Jan Cholasta - 4.2.0-8Jan Cholasta - 4.2.0-7Jan Cholasta - 4.2.0-6Jan Cholasta - 4.2.0-5Jan Cholasta - 4.2.0-4Jan Cholasta - 4.2.0-3Jan Cholasta - 4.2.0-2Jan Cholasta - 4.2.0-1Jan Cholasta - 4.2.0-0.2.alpha1Jan Cholasta - 4.2.0-0.1.alpha1Jan Cholasta - 4.1.0-18.3Alexander Bokovoy - 4.1.0-18.2Jan Cholasta - 4.1.0-18.1Martin Kosek - 4.1.0-18Jan Cholasta - 4.1.0-17Jan Cholasta - 4.1.0-16Jan Cholasta - 4.1.0-15Jan Cholasta - 4.1.0-14Jan Cholasta - 4.1.0-13Jan Cholasta - 4.1.0-12Jan Cholasta - 4.1.0-11Jan Cholasta - 4.1.0-10Jan Cholasta - 4.1.0-9Jan Cholasta - 4.1.0-8Jan Cholasta - 4.1.0-7Jan Cholasta - 4.1.0-6Jan Cholasta - 4.1.0-5Jan Cholasta - 4.1.0-4Jan Cholasta - 4.1.0-3Jan Cholasta - 4.1.0-2Jan Cholasta - 4.1.0-1Jan Cholasta - 4.1.0-0.1.alpha1Petr Vobornik - 4.0.3-3Jan Cholasta - 4.0.3-2Jan Cholasta - 4.0.3-1Martin Kosek - 3.3.3-29Martin Kosek - 3.3.3-28Martin Kosek - 3.3.3-27Martin Kosek - 3.3.3-26Martin Kosek - 3.3.3-25Martin Kosek - 3.3.3-24Martin Kosek - 3.3.3-23Martin Kosek - 3.3.3-22Martin Kosek - 3.3.3-21Martin Kosek - 3.3.3-20Martin Kosek - 3.3.3-19Martin Kosek - 3.3.3-18Martin Kosek - 3.3.3-17Martin Kosek - 3.3.3-16Daniel Mach - 3.3.3-15Martin Kosek - 3.3.3-14Martin 
Kosek - 3.3.3-13Martin Kosek - 3.3.3-12Martin Kosek - 3.3.3-11Martin Kosek - 3.3.3-10Martin Kosek - 3.3.3-9Martin Kosek - 3.3.3-8Daniel Mach - 3.3.3-7Martin Kosek - 3.3.3-6Martin Kosek - 3.3.3-5Martin Kosek - 3.3.3-4Martin Kosek - 3.3.3-3Martin Kosek - 3.3.3-2Martin Kosek - 3.3.3-1Martin Kosek - 3.3.2-5Martin Kosek - 3.3.2-4Martin Kosek - 3.3.2-3Martin Kosek - 3.3.2-2Martin Kosek - 3.3.2-1Martin Kosek - 3.3.1-5Martin Kosek - 3.3.1-4Martin Kosek - 3.3.1-3Martin Kosek - 3.3.1-2Rob Crittenden - 3.3.1-1Rob Crittenden - 3.3.0-7Martin Kosek - 3.3.0-6Martin Kosek - 3.3.0-5Martin Kosek - 3.3.0-4Martin Kosek - 3.3.0-3Martin Kosek - 3.3.0-2Martin Kosek - 3.3.0-1Martin Kosek - 3.3.0-0.2.beta2Martin Kosek - 3.3.0-0.1.beta2Martin Kosek - 3.2.2-1Martin Kosek - 3.2.1-1Rob Crittenden - 3.2.0-2Rob Crittenden - 3.2.0-1Rob Crittenden - 3.2.0-0.4.beta1Rob Crittenden - 3.2.0-0.3.beta1Rob Crittenden - 3.2.0-0.2.beta1Martin Kosek - 3.2.0-0.1.pre1Kevin Fenzi 3.1.2-4Kevin Fenzi - 3.1.2-3Fedora Release Engineering - 3.1.2-2Rob Crittenden - 3.1.2-1Martin Kosek - 3.1.0-2Rob Crittenden - 3.1.0-1Martin Kosek - 3.0.0-3Rob Crittenden - 3.0.0-2Rob Crittenden - 3.0.0-1Rob Crittenden - 3.0.0-0.10Martin Kosek - 3.0.0-0.9Rob Crittenden - 3.0.0-0.8Rob Crittenden - 3.0.0-0.7Rob Crittenden - 3.0.0-0.6Alexander Bokovoy - 3.0.0-0.5Rob Crittenden - 3.0.0-0.4Martin Kosek - 3.0.0-0.3Alexander Bokovoy - 3.0.0-0.2Rob Crittenden - 3.0.0-0.1Rob Crittenden - 2.2.0-1Rob Crittenden - 2.1.90-0.2Rob Crittenden - 2.1.90-0.1Alexander Bokovoy - 2.1.4-5Martin Kosek - 2.1.4-4Alexander Bokovoy - 2.1.4-3Alexander Bokovoy - 2.1.4-2Rob Crittenden - 2.1.4-1Rob Crittenden - 2.1.3-8Alexander Bokovoy - 2.1.3-7Alexander Bokovoy - 2.1.3-6Fedora Release Engineering - 2.1.3-5Alexander Bokovoy - 2.1.3-4Alexander Bokovoy - 2.1.3-3Alexander Bokovoy - 2.1.3-2Alexander Bokovoy - 2.1.3-1Alexander Bokovoy - 2.1.2-1Rob Crittenden - 2.1.0-1Simo Sorce - 2.0.1-2Rob Crittenden - 2.0.1-1Rob Crittenden - 2.0.0-1Rob Crittenden - 2.0.0-0.4.rc2Rob 
Crittenden - 2.0.0-0.3.rc1Rob Crittenden - 2.0.0-0.1.rc1Fedora Release Engineering - 2.0.0-0.2.beta2Rob Crittenden - 2.0.0-0.1.beta2Rob Crittenden - 2.0.0-0.2.beta.git80e87e7Rob Crittenden - 2.0.0-0.1.beta.git80e87e7Rob Crittenden - 1.99-41Adam Young - 1.99-40Simo Sorce - 1.99-39Simo Sorce - 1.99-38Rob Crittenden - 1.99-37Rob Crittenden - 1.99-36Rob Crittenden - 1.99-35Jr Aquino - 1.99-34Simo Sorce - 1.99-33Rob Crittenden - 1.99-32Rob Crittenden - 1.99-31Rob Crittenden - 1.99-30Rob Crittenden - 1.99-29Rob Crittenden - 1.99-28Rob Crittenden - 1.99-27Rob Crittenden - 1.99-26Rob Crittenden - 1.99-25Adam Young - 1.99-24Rob Crittenden - 1.99-23Rob Crittenden - 1.99-22Rob Crittenden - 1.99-21Rob Crittenden - 1.99-20Rob Crittenden - 1.99-19Jason Gerard DeRose - 1.99-18Jason Gerard DeRose - 1.99-17Jason Gerard DeRose - 1.99-16Rob Crittenden - 1.99-15Jason Gerard DeRose - 1.99-14Rob Crittenden - 1.99-13Rob Crittenden - 1.99-12Rob Crittenden - 1.99-11Rob Crittenden - 1.99-10Rob Crittenden - 1.99-9Jason Gerard DeRose - 1.99-8Rob Crittenden - 1.99-7Rob Crittenden - 1.99-6Rob Crittenden - 1.99-5Rob Crittenden - 1.99-4Rob Crittenden - 1.99-3Rob Crittenden - 1.99-2Rob Crittenden - 1.99-1Tomas Mraz - 1.2.1-3Dan Walsh - 1.2.1-2Simo Sorce - 1.2.1-1Simo Sorce - 1.2.1-0Ignacio Vazquez-Abrams - 1.2.0-4Simo Sorce - 1.2.0-3Simo Sorce - 1.2.0-2Rob Crittenden - 1.2.0-1Simo Sorce - 1.1.0-3Rob Crittenden - 1.1.0-2Rob Crittenden - 1.1.0-1Rob Crittenden - 1.0.0-5Rob Crittenden - 1.0.0-4Rob Crittenden - 1.0.0-3Rob Crittenden - 1.0.0-2Rob Crittenden - 1.0.0-1Rob Crittenden 0.99-12Rob Crittenden 0.99-11Rob Crittenden 0.99-10Rob Crittenden 0.99-9Rob Crittenden 0.99-8Rob Crittenden 0.99-7Rob Crittenden 0.99-6Rob Crittenden 0.99-5Rob Crittenden 0.99-4Rob Crittenden 0.99-3Rob Crittenden 0.99-2Rob Crittenden 0.99-1Rob Crittenden - 0.6.0-2Karl MacMillan - 0.6.0-1Karl MacMillan - 0.5.0-1Rob Crittenden - 0.4.1-2Karl MacMillan - 0.4.1-1Karl MacMillan - 0.4.0-6Rob Crittenden - 0.4.0-5Rob Crittenden - 
0.4.0-4Karl MacMillan - 0.4.0-3Karl MacMillan - 0.4.0-2Karl MacMillan - 0.2.0-1Rob Crittenden - 0.1.0-3Rob Crittenden - 0.1.0-2Karl MacMillan - 0.1.0-1- Added Source: ipa.ini --> Config file for automated patch script- Resolves: #1565519 Clarify the need to restart services in ipa-server-certinstall(1) - Add a notice to restart ipa services after certs are installed - Resolves: #1564390 OTP and Radius Authentication does not work in FIPS mode - Fix OTP validation in FIPS mode - Increase the default token key size - Revert "Don't allow OTP or RADIUS in FIPS mode" - Log errors from NSS during FIPS OTP key import - Resolves: #1565520 ipa client pointing to replica shows KDC has no support for encryption type - ipa-replica-install: make sure that certmonger picks the right master - Resolves: #1565605 DNS records updated with all IPAddresses of an interface when IPA server/replica try to install with Specific IP address of that interface - replica-install: pass --ip-address to client install- Resolves: #1540361 ipa-advise for smartcards is out-of-date - ipa-advise for smartcards updated- Resolves: #1458169 --force-join option is not mentioned in ipa-replica-install man page - Add --force-join into ipa-replica-install manpage - Resolves: #1457876 ipa-backup fails silently - Changed ownership of ldiffile to DS_USER - Resolves: #1409786 Second phase of --external-ca ipa-server-install setup fails when dirsrv is not running - Checks if Dir Server is installed and running before IPA installation - Resolves: #1452086 Pagination Size under Customization in IPA WebUI accepts negative values - WebUI: Add positive number validator - WebUI: change validator of page size settings - WebUI: fix jslint error- Resolves: #1477531 Incorrect attribute level rights (ipaallowedtoperform) of service object - WebUI: make keytab tables on service and host pages writable - Resolves: #1529444 ObjectclassViolation seen while adding idview with domain-resolution-order option - Idviews: fix 
objectclass violation on idview-add - Resolves: #1451576 ipa cert-request failed to generate certificate from csr - Fixing the cert-request comparing whole email address case-sensitively.- Resolves: #1421869 Unable to re-add broken AD trust - Unexpected Information received - adtrust: filter out subdomains when defining our topology to AD - Resolves: #1486286 IPA failing to authenticate via password+OTP on RHEL7.4 with fips enabled - Don't allow OTP or RADIUS in FIPS mode - Resolves: #1494226 IPA User Details not being displayed in WebUI - Fix cert-find for CA-less installations - Resolves: #1498387 389-ds-base crashed as part of ipa-server-intall in ipa-uuid - 389-ds-base crashed as part of ipa-server-intall in ipa-uuid - Resolves: #1503022 ipa-getkeytab man page should have more details about consequences of krb5 key renewal - ipa-getkeytab man page: add more details about the -r option - Resolves: #1509288 IPA trust-add internal error (expected security.dom_sid got None) - ipaserver/plugins/trust.py; fix some indenting issues - trust: detect and error out when non-AD trust with IPA domain name exists - ipaserver/plugins/trust.py: pep8 compliance - Resolves: #1511019 ipa-restore broken with python2 - Fix ipa-restore (python2) - Resolves: #1511607 ipa-backup does not backup Custodia keys and files - Backup ipa-custodia conf and keys - Resolves: #1512482 kra install fails after ipa cert renewed - Don't use admin cert during KRA installation - Prevent set_directive from clobbering other keys - pep8: reduce line lengths in CAInstance.__enable_crl_publish - installutils: refactor set_directive - Add tests for installutils.set_directive - Add safe DirectiveSetter context manager - Old pylint doesn't support bad python3 option - Resolves: #1514163 CA less IPA install with external certificates fails on RHEL 7 in FIPS mode - Fix ca less IPA install on fips mode- Resolves: #1520279 - rebuild against samba 4.7- Resolves: #1415162 ipa-exdom-extop plugin can exhaust DS 
worker threads - Resolves: #1378892 host-find slowness caused by missing host attributes in index- Resolves: #1388135 [RFE] limit the retro changelog to dns subtree. - ldap: limit the retro changelog to dns subtree - Resolves: #1427798 Use X509v3 Basic Constraints "CA:TRUE" instead of "CA:FALSE" IPA CA CSR - Include the CA basic constraint in CSRs when renewing a CA - Resolves: #1493145 ipa-replica-install might fail because of an already existing entry cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX - Checks if replica-s4u2proxy.ldif should be applied - Resolves: #1493150 [RFE] set nsslapd-ignore-time-skew: on by default - ds: ignore time skew during initial replication step - ipa-replica-manage: implicitly ignore initial time skew in force-sync - Resolves: #1500218 Replica installation at domain-level 0 fails against upgraded ipa-server - Fix ipa-replica-conncheck when called with --principal - Resolves: #1506188 server-del doesn't remove dns-server configuration from ldap- Drop workaround for building on AArch64 (#1482244) - Temporarily reduce Requires on python-netaddr to 0.7.5-7 (#1506485)- Resolves: #1461177 ipa-otptoken-import - XML file is missing PBKDF2 parameters! 
- Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s during search in cn=ad, cn=trusts,dc=example,dc=com - Resolves: #1467887 iommu platform support for ipxe - Resolves: #1477178 [ipa-replica-install] - 406 Client Error: Failed to validate message: Incorrect number of results (0) searching forpublic key for host - Resolves: #1478251 IPA WebUI does not work after upgrade from IPA 4.4 to 4.5 - Resolves: #1480102 ipa-server-upgrade failes with "This entry already exists" - Resolves: #1482802 Unable to set ca renewal master on replica - Resolves: #1484428 Updating from RHEL 7.3 fails with Server-Cert not found (ipa-server-upgrade) - Resolves: #1484826 FreeIPA/IdM installations which were upgraded from versions with 389 DS prior to 1.3.3.0 doesn't have whomai plugin enabled and thus startup of Web UI fails - Resolves: #1486283 TypeError in renew_ca_cert prevents from swiching back to self-signed CA - Resolves: #1469246 Replica install fails to configure IPA-specific temporary files/directories - Resolves: #1469480 bind package is not automatically updated during ipa-server upgrade process - Resolves: #1475238 Use CommonNameToSANDefault in default profile (new installs only) - Resolves: #1477703 IPA upgrade fails for latest ipa package- Use OpenJDK 8 to bootstrap on AArch64 until RH1482244 is resolved in buildroot - Resolves: #1470177 - Rebase IPA to latest 4.5.x version - Resolves: #1398594 ipa topologysuffix-verify should only warn about maximum number of replication agreements. 
- Resolves: #1404236 Web UI: Change "Host Based" and "Role Based" to "Host-Based" and "Role-Based" - Resolves: #1409786 Second phase of --external-ca ipa-server-install setup fails when dirsrv is not running - Resolves: #1451576 ipa cert-request failed to generate certificate from csr - Resolves: #1452086 Pagination Size under Customization in IPA WebUI accepts negative values - Resolves: #1458169 --force-join option is not mentioned in ipa-replica-install man page - Resolves: #1463186 IPA shouldn't allow objectclass if not all in lower case - Resolves: #1478322 user-show command fails when sizelimit is configured to number <= number of entity which is user member of - Resolves: #1496775 Enterprise principals should be able to trigger a refresh of the trusted domain data in the KDC - Resolves: #1502533 Changing cert-find to go through the proxy instead of using the port 8080 - Resolves: #1502663 pkinit-status command fails after an upgrade from a pre-4.5 IPA - Resolves: #1498168 Error when trying to modify a PTR record - Resolves: #1457876 ipa-backup fails silently - Resolves: #1493531 In case full PKINIT configuration is failing during server/replica install the error message should be more meaningful. 
- Resolves: #1449985 Suggest CA installation command in KRA installation warning- Resolves: #1477367 ipa-server-upgrade timeouts on wait_for_open ports expecting IPA services listening on IPv6 ports - Make sure upgrade also checks for IPv6 stack - control logging of host_port_open from caller - log progress of wait_for_open_ports - Resolves: #1477243 ipa help command returns traceback when no cache is present - Store help in Schema before writing to disk - Disable pylint in get_help function because of type confusion.- Resolves: #1477178 - [ipa-replica-install] - 406 Client Error: Failed to validate message: Incorrect number of results (0) searching forpublic key for host - Always check peer has keys before connecting - Resolves: #1482802 - Unable to set ca renewal master on replica - Fix ipa config-mod --ca-renewal-master - Resolves: #1486283 - TypeError in renew_ca_cert prevents from swiching back to self-signed CA - Backport PR 988 to ipa-4-5 Fix Certificate renewal (with ext ca) - Resolves: #1480102 - ipa-server-upgrade failes with "This entry already exists" - Backport PR 1008 to ipa-4-5 Fix ipa-server-upgrade: This entry already exists - Resolves: #1484826 - FreeIPA/IdM installations which were upgraded from versions with 389 DS prior to 1.3.3.0 doesn't have whomai plugin enabled and thus startup of Web UI fails - Adds whoami DS plugin in case that plugin is missing - Resolves: #1478251 - IPA WebUI does not work after upgrade from IPA 4.4 to 4.5 - Fixing how sssd.conf is updated when promoting a client to replica - Resolves: #1461177 - ipa-otptoken-import - XML file is missing PBKDF2 parameters! 
- ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace - Resolves: #1484428 - Updating from RHEL 7.3 fails with Server-Cert not found (ipa-server-upgrade) - Backport 4-5: Fix ipa-server-upgrade with server cert tracking- Resolves: #1477703 IPA upgrade fails for latest ipa package - Restore old version of caIPAserviceCert for upgrade only- Resolves: #1475238 Use CommonNameToSANDefault in default profile (new installs only) - Restore old version of caIPAserviceCert for upgrade only- Resolves: #1455946 Provide a tooling automating the configuration of Smart Card authentication on a FreeIPA master - smart-card advises: configure systemwide NSS DB also on master - smart-card advises: add steps to store smart card signing CA cert - Allow to pass in multiple CA cert paths to the smart card advises - add a class that tracks the indentation in the generated advises - delegate the indentation handling in advises to dedicated class - advise: add an infrastructure for formatting Bash compound statements - delegate formatting of compound Bash statements to dedicated classes - Fix indentation of statements in Smart card advises - Use the compound statement formatting API for configuring PKINIT - smart card advises: use a wrapper around Bash `for` loops - smart card advise: use password when changing trust flags on HTTP cert - smart-card-advises: ensure that krb5-pkinit is installed on client - Resolves: #1475238 Use CommonNameToSANDefault in default profile (new installs only) - Add CommonNameToSANDefault to default cert profile - Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s during search in cn=ad,cn=trusts,dc=example,dc=com - NULL LDAP context in call to ldap_search_ext_s during search- Resolves: #1469246 Replica install fails to configure IPA-specific temporary files/directories - replica install: drop-in IPA specific config to tmpfiles.d - Resolves: #1469480 bind package is not automatically updated during ipa-server upgrade process - Bumped 
Required version of bind-dyndb-ldap and bind package- Resolves: #1452216 Replica installation grants HTTP principal access in WebUI - Make sure we check ccaches in all rpcserver paths- Resolves: #1462112 ipaserver installation fails in FIPS mode: OpenSSL internal error, assertion failed: Digest MD4 forbidden in FIPS mode! - ipa-sam: replace encode_nt_key() with E_md4hash() - ipa_pwd_extop: do not generate NT hashes in FIPS mode - Resolves: #1377973 ipa-server-install fails when the provided or resolved IP address is not found on local interfaces - Fix local IP address validation - ipa-dns-install: remove check for local ip address - refactor CheckedIPAddress class - CheckedIPAddress: remove match_local param - Remove ip_netmask from option parser - replica install: add missing check for non-local IP address - Remove network and broadcast address warnings- Resolves: #1449189 ipa-kra-install timeouts on replica - kra: promote: Get ticket before calling custodia- Resolve: #1455946 Provide a tooling automating the configuration of Smart Card authentication on a FreeIPA master - server certinstall: update KDC master entry - pkinit manage: introduce ipa-pkinit-manage - server upgrade: do not enable PKINIT by default - Extend the advice printing code by some useful abstractions - Prepare advise plugin for smart card auth configuration - Resolve: #1461053 allow to modify list of UPNs of a trusted forest - trust-mod: allow modifying list of UPNs of a trusted forest - WebUI: add support for changing trust UPN suffixes- Resolves: #1377973 ipa-server-install fails when the provided or resolved IP address is not found on local interfaces - Only warn when specified server IP addresses don't match intf - Resolves: #1438016 gssapi errors after IPA server upgrade - Bump version of python-gssapi - Resolves: #1457942 certauth: use canonical principal for lookups - ipa-kdb: use canonical principal in certauth plugin - Resolves: #1459153 Do not send Max-Age in ipa_session cookie to 
avoid breaking older clients - Add code to be able to set default kinit lifetime - Revert setting sessionMaxAge for old clients- Resolves: #1442233 IPA client commands fail when pointing to replica - httpinstance: wait until the service entry is replicated - Resolves: #1456769 ipaAnchorUUID index incorrectly configured and then not indexed - Fix index definition for ipaAnchorUUID - Resolves: #1438016 gssapi errors after IPA server upgrade - Avoid possible endless recursion in RPC call - rpc: preparations for recursion fix - rpc: avoid possible recursion in create_connection - Resolves: #1446087 services entries missing krbCanonicalName attribute. - Changing cert-find to do not use only primary key to search in LDAP. - Resolves: #1452763 ipa certmaprule change not reflected in krb5kdc workers - ipa-kdb: reload certificate mapping rules periodically - Resolves: #1455541 after upgrade login from web ui breaks - kdc.key should not be visible to all - Resolves: #1435606 Add pkinit_indicator option to KDC configuration - ipa-kdb: add pkinit authentication indicator in case of a successful certauth - Resolves: #1455945 Enabling OCSP checks in mod_nss breaks certificate issuance when ipa-ca records are not resolvable - Turn off OCSP check - Resolves: #1454483 rhel73 ipa ui - cannot del server - IPA Error 903 - server_del - TypeError: 'NoneType' object is not iterable - fix incorrect suffix handling in topology checks- Resolves: #1438731 Extend ipa-server-certinstall and ipa-certupdate to handle PKINIT certificates/anchors - certdb: add named trust flag constants - certdb, certs: make trust flags argument mandatory - certdb: use custom object for trust flags - install: trust IPA CA for PKINIT - client install: fix client PKINIT configuration - install: introduce generic Kerberos Augeas lens - server install: fix KDC PKINIT configuration - ipapython.ipautil.run: Add option to set umask before executing command - certs: do not export keys world-readable in 
install_key_from_p12 - certs: do not export CA certs in install_pem_from_p12 - server install: fix KDC certificate validation in CA-less - replica install: respect --pkinit-cert-file - cacert manage: support PKINIT - server certinstall: support PKINIT - Resolves: #1444432 CA-less pkinit not installable with --pkinit-cert-file option - certs: do not export CA certs in install_pem_from_p12 - server install: fix KDC certificate validation in CA-less - Resolves: #1451228 ipa-kra-install fails when primary KRA server has been decommissioned - ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname - Resolves: #1451712 KRA installation fails on server that was originally installed as CA-less - ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt - Resolves: #1441499 ipa cert-show does not raise error if no file name specified - ca/cert-show: check certificate_out in options - Resolves: #1449522 Deprecate `ipa pkinit-anonymous` command in FreeIPA 4.5+ - Remove pkinit-anonymous command - Resolves: #1449523 Provide an API command to retrieve PKINIT status in the FreeIPA topology - Allow for multivalued server attributes - Refactor the role/attribute member reporting code - Add an attribute reporting client PKINIT-capable servers - Add the list of PKINIT servers as a virtual attribute to global config - Add `pkinit-status` command - test_serverroles: Get rid of MockLDAP and use ldap2 instead - Resolves: #1452216 Replica installation grants HTTP principal access in WebUI - Fix rare race condition with missing ccache file - Resolves: #1455045 Simple service uninstallers must be able to handle missing service files gracefully - only stop/disable simple service if it is installed - Resolves: #1455541 after upgrade login from web ui breaks - krb5: make sure KDC certificate is readable - Resolves: #1455862 "ipa: ERROR: an internal error has occurred" on executing command "ipa cert-request --add" after upgrade - Change python-cryptography to 
python2-cryptography- Resolves: #1451804 "AttributeError: 'tuple' object has no attribute 'append'" error observed during ipa upgrade with latest package. - ipa-server-install: fix uninstall - Resolves: #1445390 ipa-[ca|kra]-install with invalid DM password break replica - ca install: merge duplicated code for DM password - installutils: add DM password validator - ca, kra install: validate DM password- Resolves: #1447284 Upgrade from ipa-4.1 fails when enabling KDC proxy - python2-ipalib: add missing python dependency - installer service: fix typo in service entry - upgrade: add missing suffix to http instance - Resolves: #1444791 Update man page of ipa-kra-install - ipa-kra-install manpage: document domain-level 1 - Resolves: #1441493 ipa cert-show raises stack traces when --certificate-out=/tmp - cert-show: writable files does not mean dirs - Resolves: #1441192 Add the name of URL parameter which will be check for username during cert login - Bump version of ipa.conf file - Resolves: #1378797 Web UI must check OCSP and CRL during smartcard login - Turn on NSSOCSP check in mod_nss conf - Resolves: #1322963 Errors from AD when trying to sign ipa.csr, conflicting template on - renew agent: respect CA renewal master setting - server upgrade: always fix certmonger tracking request - cainstance: use correct profile for lightweight CA certificates - renew agent: allow reusing existing certs - renew agent: always export CSR on IPA CA certificate renewal - renew agent: get rid of virtual profiles - ipa-cacert-manage: add --external-ca-type - Resolves: #1441593 error adding authenticator indicators to host - Fixing adding authenticator indicators to host - Resolves: #1449525 Set directory ownership in spec file - Added plugins directory to ipaclient subpackages - ipaclient: fix missing RPM ownership - Resolves: #1451279 otptoken-add-yubikey KeyError: 'ipatokenotpdigits' - otptoken-add-yubikey: When --digits not provided use default value- Resolves: #1449189 
ipa-kra-install timeouts on replica - ipa-kra-install: fix check_host_keys- Resolves: #1438833 [ipa-replica-install] - 406 Client Error: Failed to validate message: Incorrect number of results (0) searching forpublic key for host - Make sure remote hosts have our keys - Resolves: #1442815 Replica install fails during migration from older IPA master - Refresh Dogtag RestClient.ca_host property - Remove the cachedproperty class - Resolves: #1444787 Update warning message when KRA installation fails - kra install: update installation failure message - Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode - ipa-server-install with external CA: fix pkinit cert issuance - Resolves: #1445397 GET in KerberosSession.finalize_kerberos_acquisition() must use FreeIPA CA - kerberos session: use CA cert with full cert chain for obtaining cookie - Resolves: #1447375 ipa-client-install: extra space in pkinit_anchors definition - ipa-client-install: remove extra space in pkinit_anchors definition - Resolves: #1447703 Fix SELinux contex of http.keytab during upgrade - Use proper SELinux context with http.keytab- Resolves: #1200767 [RFE] Allow Kerberos authentication for users with certificates on smart cards (pkinit) - spec file: bump krb5 Requires for certauth fixes - Resolves: #1438729 Configure local PKINIT on DL0 or when '--no-pkinit' option is used - separate function to set ipaConfigString values on service entry - Allow for configuration of all three PKINIT variants when deploying KDC - API for retrieval of master's PKINIT status and publishing it in LDAP - Use only anonymous PKINIT to fetch armor ccache - Stop requesting anonymous keytab and purge all references of it - Use local anchor when armoring password requests - Upgrade: configure local/full PKINIT depending on the master status - Do not test anonymous PKINIT after install/upgrade - Resolves: #1442427 ipa.ipaserver.install.plugins.adtrust. 
update_tdo_gidnumber: ERROR Default SMB Group not found - upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is installed - Resolves: #1442932 ipa restore fails to restore IPA user - restore: restart/reload gssproxy after restore - Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode - Fix CA/server cert validation in FIPS - Resolves: #1444947 Deadlock between topology and schema-compat plugins - compat-manage: behave the same for all users - Move the compat plugin setup at the end of install - compat: ignore cn=topology,cn=ipa,cn=etc subtree - Resolves: #1445358 ipa vault-add raises TypeError - vault: piped input for ipa vault-add fails - Resolves: #1445382 ipa vault-retrieve fails to retrieve data from vault - Vault: Explicitly default to 3DES CBC - Resolves: #1445432 uninstall ipa client automount failed with RuntimeWarning - automount install: fix checking of SSSD functionality on uninstall - Resolves: #1446137 pki_client_database_password is shown in ipaserver-install.log - Hide PKI Client database password in log file- Resolves: #1443869 Command "openssl pkcs12 ..." failed during IPA upgrade - Fix CAInstance.import_ra_cert for empty passwords- Resolves: #1431520 ipa cert-find runs a large number of searches, so IPA WebUI is slow to display user details page - cert: defer cert-find result post-processing - Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit helper when installing replica - server-install: No double Kerberos install - Resolves: #1437502 ipa-replica-install fails with requirement to use --force-join that is a client install option. 
  - Add the force-join option to replica install
  - replicainstall: better client install exception handling
- Resolves: #1437953 Server CA-less impossible option check
  - server-install: remove broken no-pkinit check
- Resolves: #1441160 FreeIPA client <= 4.4 fail to parse 4.5 cookies
  - Add debug log in case cookie retrieval went wrong
- Resolves: #1441548 ipa server install fails with --external-ca option
  - ext. CA: correctly write the cert chain
- Resolves: #1441718 Conversion of CA-less server to CA fails on CA instance spawn
  - Fix CA-less to CA-full upgrade
- Resolves: #1442133 Do not link libkrad, liblber, libldap_r and libsss_nss_idmap to every binary in IPA
  - configure: fix AC_CHECK_LIB usage
- Resolves: #1442815 Replica install fails during migration from older IPA master
  - Fix RA cert import during DL0 replication
- Related: #1442004 Building IdM/FreeIPA internally on all architectures - filtering unsupported packages
  - Build all subpackages on all architectures

- Resolves: #1382053 Need to have validation for idrange names
  - idrange-add: properly handle empty --dom-name option
- Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit helper when installing replica
  - dsinstance: reconnect ldap2 after DS is restarted by certmonger
  - httpinstance: avoid httpd restart during certificate request
  - dsinstance, httpinstance: consolidate certificate request code
  - install: request service certs after host keytab is set up
  - renew agent: revert to host keytab authentication
  - renew agent, restart scripts: connect to LDAP after kinit
- Resolves: #1436987 ipasam: gidNumber attribute is not created in the trusted domain entry
  - ipa-sam: create the gidNumber attribute in the trusted domain entry
  - Upgrade: add gidnumber to trusted domain entry
- Resolves: #1438679 [ipa-replica-install] - IncorrectPasswordException: Incorrect client security database password
  - Add pki_pin only when needed
- Resolves: #1438348 Console output message while adding trust should be mapped with texts changed in Samba.
  - ipaserver/dcerpc: unify error processing
- Resolves: #1438366 ipa trust-fetch-domains: ValidationError: invalid 'Credentials': Missing credentials for cross-forest communication
  - trust: always use oddjobd helper for fetching trust information
- Resolves: #1441192 Add the name of URL parameter which will be check for username during cert login
  - WebUI: cert login: Configure name of parameter used to pass username
- Resolves: #1437879 [copr] Replica install failing
  - Create system users for FreeIPA services during package installation
- Resolves: #1441316 WebUI cert auth fails after ipa-adtrust-install
  - Fix s4u2self with adtrust

- Resolves: #1318186 Misleading error message during external-ca IPA master install
  - httpinstance: make sure NSS database is backed up
- Resolves: #1331443 Re-installing ipa-server after uninstall fails with "ERROR CA certificate chain in ... incomplete"
  - httpinstance: make sure NSS database is backed up
- Resolves: #1393726 Enumerate all available request type options in ipa cert-request help
  - Hide request_type doc string in cert-request help
- Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping
  - spec file: bump libsss_nss_idmap-devel BuildRequires
  - server: make sure we test for sss_nss_getlistbycert
- Resolves: #1437378 ipa-adtrust-install produced an error and failed on starting smb when hostname is not FQDN
  - adtrust: make sure that runtime hostname result is consistent with the configuration
- Resolves: #1437555 ipa-replica-install with DL0 fails to get anonymous keytab
  - Always check and create anonymous principal during KDC install
  - Remove duplicate functionality in upgrade
- Resolves: #1437946 Upgrade to FreeIPA 4.5.0 does not configure anonymous principal for PKINIT
  - Upgrade: configure PKINIT after adding anonymous principal
  - Remove unused variable from failed anonymous PKINIT handling
  - Split out anonymous PKINIT test to a separate method
  - Ensure KDC is properly configured after upgrade
- Resolves: #1437951 Remove pkinit-related options from server/replica-install on DL0
  - Fix the order of cert-files check
  - Don't allow setting pkinit-related options on DL0
  - replica-prepare man: remove pkinit option refs
  - Remove redundant option check for cert files
- Resolves: #1438490 CA-less installation fails on publishing CA certificate
  - Get correct CA cert nickname in CA-less
  - Remove publish_ca_cert() method from NSSDatabase
- Resolves: #1438838 Avoid arch-specific path in /etc/krb5.conf.d/ipa-certmap
  - IPA-KDB: use relative path in ipa-certmap config snippet
- Resolves: #1439038 Allow erasing ipaDomainResolutionOrder attribute
  - Allow erasing ipaDomainResolutionOrder attribute

- Resolves: #1434032 Run ipa-custodia with custom SELinux context
  - Require correct custodia version

- Resolves: #800545 [RFE] Support SUDO command rename
  - Reworked the renaming mechanism
  - Allow renaming of the sudorule objects
- Resolves: #872671 IPA WebUI login for AD Trusted User fails
  - WebUI: check principals in lowercase
  - WebUI: add method for disabling item in user dropdown menu
  - WebUI: Add support for login for AD users
- Resolves: #1200767 [RFE] Allow Kerberos authentication for users with certificates on smart cards (pkinit)
  - ipa-kdb: add ipadb_fetch_principals_with_extra_filter()
  - IPA certauth plugin
  - ipa-kdb: do not depend on certauth_plugin.h
  - spec file: bump krb5-devel BuildRequires for certauth
- Resolves: #1264370 RFE: disable last successful authentication by default in ipa.
  - Set "KDC:Disable Last Success" by default
- Resolves: #1318186 Misleading error message during external-ca IPA master install
  - certs: do not implicitly create DS pin.txt
  - httpinstance: clean up /etc/httpd/alias on uninstall
- Resolves: #1331443 Re-installing ipa-server after uninstall fails with "ERROR CA certificate chain in ... incomplete"
  - certs: do not implicitly create DS pin.txt
  - httpinstance: clean up /etc/httpd/alias on uninstall
- Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication
  - configure: fix --disable-server with certauth plugin
  - rpcserver.login_x509: Actually return reply from __call__ method
  - spec file: Bump requires to make Certificate Login in WebUI work
- Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping
  - extdom: do reverse search for domain separator
  - extdom: improve cert request
- Resolves: #1430363 [RFE] HBAC rule names command rename
  - Reworked the renaming mechanism
  - Allow renaming of the HBAC rule objects
- Resolves: #1433082 systemctl daemon-reload needs to be called after httpd.service.d/ipa.conf is manipulated
  - tasks: run `systemctl daemon-reload` after httpd.service.d updates
- Resolves: #1434032 Run ipa-custodia with custom SELinux context
  - Use Custodia 0.3.1 features
- Resolves: #1434384 RPC client should use HTTP persistent connection
  - Use connection keep-alive
  - Add debug logging for keep-alive
  - Increase Apache HTTPD's default keep alive timeout
- Resolves: #1434729 man ipa-cacert-manage install needs clarification
  - man ipa-cacert-manage install needs clarification
- Resolves: #1434910 replica install against IPA v3 master fails with ACIError
  - Fixing replica install: fix ldap connection in domlvl 0
- Resolves: #1435394 Ipa-kra-install fails with weird output when backspace is used during typing Directory Manager password
  - ipapython.ipautil.nolog_replace: Do not replace empty value
- Resolves: #1435397 ipa-replica-install can't install replica file produced by ipa-replica-prepare on 4.5
  - replica prepare: fix wrong IPA CA nickname in replica file
- Resolves: #1435599 WebUI: in self-service Vault menu item is shown even if KRA is not installed
  - WebUI: Fix showing vault in selfservice view
- Resolves: #1435718 As a ID user I cannot call a command with --rights option
  - ldap2: use LDAP whoami operation to retrieve bind DN for current connection
- Resolves: #1436319 "Truncated search results" pop-up appears in user details in WebUI
  - WebUI: Add support for suppressing warnings
  - WebUI: suppress truncation warning in select widget
- Resolves: #1436333 Uninstall fails with No such file or directory: '/var/run/ipa/services.list'
  - Create temporary directories at the beginning of uninstall
- Resolves: #1436334 WebUI: Adding certificate mapping data using certificate fails
  - WebUI: Allow to add certs to certmapping with CERT LINES around
- Resolves: #1436338 CLI doesn't work after ipa-restore
  - Backup ipa-specific httpd unit-file
  - Backup CA cert from kerberos folder
- Resolves: #1436342 Bump samba version, required for FIPS mode and privilege separation
  - Bump samba version for FIPS and priv. separation
- Resolves: #1436642 [ipalib/rpc.py] - "maximum recursion depth exceeded" with ipa vault commands
  - Avoid growing FILE ccaches unnecessarily
  - Handle failed authentication via cookie
  - Work around issues fetching session data
  - Prevent churn on ccaches
- Resolves: #1436657 Add workaround for pki_pin for FIPS
  - Generate PIN for PKI to help Dogtag in FIPS
- Resolves: #1436714 [vault] cache KRA transport cert
  - Simplify KRA transport cert cache
- Resolves: #1436723 cert-find does not find all certificates without sizelimit=0
  - cert: do not limit internal searches in cert-find
- Resolves: #1436724 Renewal of IPA RA fails on replica
  - dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function
- Resolves: #1436753 Master tree fails to install
  - httpinstance.disable_system_trust: Don't fail if module 'Root Certs' is not available

- Resolves: #1432630 python2-jinja2 needed for python2-ipaclient
  - Remove csrgen
- Resolves: #1432903 Set GssProxy options to enable caching of ldap tickets
  - Add options to allow ticket caching

- Resolves: #828866 [RFE] enhance --subject option for ipa-server-install
- Resolves: #1160555 ipa-server-install: Cannot handle double hyphen "--" in hostname
- Resolves: #1286288 Insufficient 'write' privilege to the 'ipaExternalMember' attribute
- Resolves: #1321652 ipa-server-install fails when using external certificates that encapsulate RDN components in double quotes
- Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on revocation reasons
- Resolves: #1340880 ipa-server-install: improve prompt on interactive installation
- Resolves: #1353841 ipa-replica-install fails to install when resolv.conf incomplete entries
- Resolves: #1356104 cert-show command does not display Subject Alternative Names
- Resolves: #1357511 Traceback message seen when ipa is provided with invalid configuration file name
- Resolves: #1358752 ipa-ca-install fails on replica when IPA server is converted from CA-less to CA-full
- Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication
- Resolves: #1367572 improve error message in ipa migrate-ds: mention ipa config-mod --enable-migration=TRUE
- Resolves: #1367868 Add options to retrieve lightweight CA certificate/chain
- Resolves: #1371927 Implement ca-enable/disable commands.
- Resolves: #1372202 Add Users into User Group editors fails to show Full names
- Resolves: #1373091 Adding an auth indicator from the CLI creates an extra check box in the UI
- Resolves: #1375596 Ipa-server WebUI - long user/group name show wrong error message
- Resolves: #1375905 "Normal" group type in the UI is confusing
- Resolves: #1376040 IPA client ipv6 - invalid --ip-address shows traceback
- Resolves: #1376630 IDM admin password gets written to /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
- Resolves: #1376729 ipa-server-install script option --no_hbac_allow should match other options
- Resolves: #1378461 IPA Allows Password Reuse with History value defined when admin resets the password.
- Resolves: #1379029 conncheck failing intermittently during single step replica installs
- Resolves: #1379858 [RFE] better debugging for ipa-replica-conncheck
- Resolves: #1384310 ipa dnsrecord-add fails with Keyerror stack trace
- Resolves: #1392778 Update man page for ipa-adtrust-install by removing --no-msdcs option
- Resolves: #1392858 Rebase to FreeIPA 4.5+
  - Rebase to 4.5.0
- Resolves: #1399133 Delete option shouldn't be available for hosts applied to view.
- Resolves: #1399190 [RFE] Certificates issued by externally signed IdM CA should contain full trust chain
- Resolves: #1400416 RFE: Provide option to take backup of IPA server before uninstalling IPA server
- Resolves: #1400529 cert-request is not aware of Kerberos principal aliases
- Resolves: #1401526 IPA WebUI certificates are grayed out on overview page but not on details page
- Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping
- Resolves: #1404750 ipa-client-install fails to get CA cert via LDAP when non-FQDN name of IPA server is first in /etc/hosts
- Resolves: #1409628 [RFE] Semi-automatic integration with external DNS using nsupdate
- Resolves: #1413742 Backport request for bug/issue Change IP address validation errors to warnings
- Resolves: #1415652 IPA replica install log shows password in plain text
- Resolves: #1427897 different behavior regarding system wide certs in master and replica.
- Resolves: #1430314 The ipa-managed-entries command failed, exception: AttributeError: ldap2

- Resolves: #1419735 ipa-replica-install fails promotecustodia.create_replica with cert errors (untrusted)
  - added ssl verification using IPA trust anchor
- Resolves: #1428472 batch param compatibility is incorrect
  - compat: fix `Any` params in `batch` and `dnsrecord`
- Renamed patches 1011 and 1012 to 0159 and 0157, as they were merged upstream

- Resolves: #1416454 replication race condition prevents IPA to install
  - wait_for_entry: use only DN as parameter
  - Wait until HTTPS principal entry is replicated to replica
  - Use proper logging for error messages

- Resolves: #1365858 ipa-ca-install fails on replica when IPA Master is installed without CA
  - Set up DS TLS on replica in CA-less topology
- Resolves: #1398600 IPA replica install fails with dirsrv errors.
  - Do not configure PKI ajp redirection to use "::1"
- Resolves: #1413137 CVE-2017-2590 ipa: Insufficient permission check for ca-del, ca-disable and ca-enable commands
  - ca: correctly authorise ca-del, ca-enable and ca-disable

- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services by abusing password policy
  - ipa-kdb: search for password policies globally
- Renamed patches 1011 and 1012 to 0151 and 0150, as they were merged upstream

- Resolves: #1398670 Check IdM Topology for broken record caused by replication conflict before upgrading it
  - Check for conflict entries before raising domain level

- Resolves: #1382812 Creation of replica for disconnected environment is failing with CA issuance errors; Need good steps.
  - gracefully handle setting replica bind dn group on old masters
- Resolves: #1397439 ipa-ca-install on promoted replica hangs on creating a temporary CA admin
  - replication: ensure bind DN group check interval is set on replica config
  - add missing attribute to ipaca replica during CA topology update
- Resolves: #1401088 IPA upgrade of replica without DNS fails during restart of named-pkcs11
  - bindinstance: use data in named.conf to determine configuration status

- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services by abusing password policy
  - password policy: Add explicit default password policy for hosts and services
- Resolves: #1395311 CVE-2016-9575 ipa: Insufficient permission check in certprofile-mod
  - certprofile-mod: correctly authorise config update

- Resolves: #1378353 Replica install fails with old IPA master sometimes during replication process
  - spec file: bump minimal required version of 389-ds-base
- Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1
  - Fix missing file that fails DL1 replica installation
- Resolves: #1387782 WebUI: Services are not displayed correctly after upgrade
  - WebUI: services without canonical name are shown correctly
- Resolves: #1389709 Traceback seen in error_log when trustdomain-del is run
  - trustdomain-del: fix the way how subdomain is searched

- Resolves: #1318616 CA fails to start after doing ipa-ca-install --external-ca
  - Keep NSS trust flags of existing certificates
- Resolves: #1360813 ipa-server-certinstall does not update all certificate stores and doesn't set proper trust permissions
  - Add cert checks in ipa-server-certinstall
- Resolves: #1371479 cert-find --all does not show information about revocation
  - cert: add revocation reason back to cert-find output
- Resolves: #1375133 WinSync users who have First.Last casing creates users who can have their password set
  - ipa passwd: use correct normalizer for user principals
- Resolves: #1377858 Users with 2FA tokens are not able to login to IPA servers
  - Properly handle LDAP socket closures in ipa-otpd
- Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1
  - Make httpd publish its CA certificate on DL1

- Resolves: #1373910 IPA server upgrade fails with DNS timed out errors.
- Resolves: #1375269 ipa trust-fetch-domains throws internal error

- Resolves: #1373359 ipa-certupdate fails with "CA is not configured"
  - Fix regression introduced in ipa-certupdate

- Resolves: #1355753 adding two way non transitive(external) trust displays internal error on the console
  - Always fetch forest info from root DCs when establishing two-way trust
  - factor out `populate_remote_domain` method into module-level function
  - Always fetch forest info from root DCs when establishing one-way trust
- Resolves: #1356101 Lightweight sub-CA certs are not tracked by certmonger after `ipa-replica-install`
  - Track lightweight CAs on replica installation
- Resolves: #1357488 ipa command stuck forever on higher versioned client with lower versioned server
  - compat: Save server's API version in for pre-schema servers
  - compat: Fix ping command call
  - schema cache: Store and check info for pre-schema servers
- Resolves: #1363905 man page for ipa-replica-manage has a typo in -c flag
  - Fix man page ipa-replica-manage: remove duplicate -c option from --no-lookup
- Resolves: #1367865 webui: cert_revoke should use --cacn to set correct CA when revoking certificate
  - cert: include CA name in cert command output
  - WebUI add support for sub-CAs while revoking certificates
- Resolves: #1368424 Unable to view certificates issued by Sub CA in Web UI
  - Add support for additional options taken from table facet
  - WebUI: Fix showing certificates issued by sub-CA
- Resolves: #1368557 dnsrecord-add does not prompt for missing record parts interactively
  - dns: normalize record type read interactively in dnsrecord_add
  - dns: prompt for missing record parts in CLI
  - dns: fix crash in interactive mode against old servers
- Resolves: #1370519 Certificate revocation in service-del and host-del isn't aware of Sub CAs
  - cert: fix cert-find --certificate when the cert is not in LDAP
  - Make host/service cert revocation aware of lightweight CAs
- Resolves: #1371901 Use OAEP padding with custodia
  - Use RSA-OAEP instead of RSA PKCS#1 v1.5
- Resolves: #1371915 When establishing external two-way trust, forest root Administrator account is used to fetch domain info
  - do not use trusted forest name to construct domain admin principal
- Resolves: #1372597 Incorrect CA ACL evaluation of SAN DNS names in certificate request
  - Fix CA ACL Check on SubjectAltNames
- Resolves: #1373272 CLI always sends default command version
  - cli: use full name when executing a command
- Resolves: #1373359 ipa-certupdate fails with "CA is not configured"
  - Fix ipa-certupdate for CA-less installation
- Resolves: #1373540 client-install with IPv6 address fails on link-local address (always)
  - Fix parse errors with link-local addresses

- Resolves: #1081561 CA not start during ipa server install in pure IPv6 env
  - Fix ipa-server-install in pure IPv6 environment
- Resolves: #1318169 Tree-root domains in a trusted AD forest aren't marked as reachable via the forest root
  - trust: make sure ID range is created for the child domain even if it exists
  - ipa-kdb: simplify trusted domain parent search
- Resolves: #1335567 Update Warning in IdM Web UI API browser
  - WebUI: add API browser is tech preview warning
- Resolves: #1348560 Multiple domain Active Directory Trust conflict
  - ipaserver/dcerpc: reformat to make the code closer to pep8
  - trust: automatically resolve DNS trust conflicts for triangle trusts
- Resolves: #1351593 CVE-2016-5404 ipa: Insufficient privileges check in certificate revocation
  - cert-revoke: fix permission check bypass (CVE-2016-5404)
- Resolves: #1353936 custodia.conf and server.keys file is world-readable.
  - Remove Custodia server keys from LDAP
  - Secure permissions of Custodia server.keys
- Resolves: #1358752 ipa-ca-install fails on replica when IPA server is converted from CA-less to CA-full
  - custodia: include known CA certs in the PKCS#12 file for Dogtag
  - custodia: force reconnect before retrieving CA certs from LDAP
- Resolves: #1362333 ipa vault container owner cannot add vault
  - Fix: container owner should be able to add vault
- Resolves: #1365546 External trust with root domain is transitive
  - trust: make sure external trust topology is correctly rendered
- Resolves: #1365572 IPA server broken after upgrade
  - Require pki-core-10.3.3-7
- Resolves: #1367864 Server assumes latest version of command instead of version 1 for old / 3rd party clients
  - rpcserver: assume version 1 for unversioned command calls
  - rpcserver: fix crash in XML-RPC system commands
- Resolves: #1367773 thin client ignores locale change
  - schema cache: Fallback to 'en_us' when locale is not available
- Resolves: #1368754 ipa server uninstall fails with Python "Global Name error"
  - Fail on topology disconnect/last role removal
- Resolves: #1368981 ipa otptoken-add --type=hotp --key creates wrong OTP
  - otptoken, permission: Convert custom type parameters on server
- Resolves: #1369414 ipa server-del fails with Python stack trace
  - Handled empty hostname in server-del command
- Resolves: #1369761 ipa-server must depend on a version of httpd that support mod_proxy with UDS
  - Require httpd 2.4.6-31 with mod_proxy Unix socket support
- Resolves: #1370512 Received ACIError instead of DuplicatedError in stageuser_tests
  - Raise DuplicatedEnrty error when user exists in delete_container
- Resolves: #1371479 cert-find --all does not show information about revocation
  - cert: add missing param values to cert-find output
- Renamed patch 1011 to 0100, as it was merged upstream

- Resolves: #1298288 [RFE] Improve performance in large environments.
  - cert: speed up cert-find
- Resolves: #1317379 [EXPERIMENTAL][RFE] Web UI: allow Smart Card authentication
  - service: add flag to allow S4U2Self
  - Add 'trusted to auth as user' checkbox
  - Added new authentication method
- Resolves: #1353881 ipa-replica-install suggests about non-existent --force-ntpd option
  - Don't show --force-ntpd option in replica install
- Resolves: #1354441 DNS forwarder check is too strict: unable to add sub-domain to already-broken domain
  - DNS: allow to add forward zone to already broken sub-domain
- Resolves: #1356146 performance regression in CLI help
  - schema: Speed up schema cache
  - frontend: Change doc, summary, topic and NO_CLI to class properties
  - schema: Introduce schema cache format
  - schema: Generate bits for help load them on request
  - help: Do not create instances to get information about commands and topics
  - schema cache: Do not reset ServerInfo dirty flag
  - schema cache: Do not read fingerprint and format from cache
  - Access data for help separately
  - frontend: Add summary class property to CommandOverride
  - schema cache: Read server info only once
  - schema cache: Store API schema cache in memory
  - client: Do not create instance just to check isinstance
  - schema cache: Read schema instead of rewriting it when SchemaUpToDate
- Resolves: #1360769 ipa-server-certinstall couldn't unlock private key file
  - server install: do not prompt for cert file PIN repeatedly
- Resolves: #1364113 ipa-password: ipa: ERROR: RuntimeError: Unable to create cache directory: [Errno 13] Permission denied: '/home/test_user'
  - schema: Speed up schema cache
- Resolves: #1366604 `cert-find` crashes on invalid certificate data
  - cert: do not crash on invalid data in cert-find
- Resolves: #1366612 Middle replica uninstallation in line topology works without '--ignore-topology-disconnect'
  - Fail on topology disconnect/last role removal
- Resolves: #1366626 caacl-add-service: incorrect error message when service does not exists
  - Fix ipa-caalc-add-service error message
- Resolves: #1367022 The ipa-server-upgrade command failed when named-pkcs11 does not happen to run during dnf upgrade
  - DNS server upgrade: do not fail when DNS server did not respond
- Resolves: #1367759 [RFE] [webui] warn admin if there is only one IPA server with CA
  - Add warning about only one existing CA server
  - Set servers list as default facet in topology facet group
- Resolves: #1367773 thin client ignores locale change
  - schema check: Check current client language against cached one

- Resolves: #1361119 UPN-based search for AD users does not match an entry in slapi-nis map cache
  - support multiple uid values in schema compatibility tree

- Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6
  - Revert "spec: add conflict with bind-chroot to freeipa-server-dns"
- Resolves: #1341249 Subsequent external CA installation fails
  - install: fix external CA cert validation
- Resolves: #1353831 ipa-server-install fails in container because of hostnamectl set-hostname
  - server-install: Fix --hostname option to always override api.env values
  - install: Call hostnamectl set-hostname only if --hostname option is used
- Resolves: #1356091 ipa-cacert-manage --help and man differ
  - Improvements for the ipa-cacert-manage man and help
- Resolves: #1360631 ipa-backup is not keeping the /etc/tmpfiles.d/dirsrv-.conf
  - ipa-backup: backup /etc/tmpfiles.d/dirsrv-.conf
- Resolves: #1361047 ipa-replica-install --help usage line suggests the replica file is needed
  - Update ipa-replica-install documentation
- Resolves: #1361545 ipa-client-install starts rhel-domainname.service but does not rpm-require it
  - client: RPM require initscripts to get *-domainname.service
- Resolves: #1364197 caacl: error when instantiating rules with service principals
  - caacl: fix regression in rule instantiation
- Resolves: #1364310 ipa otptoken-add bytes object has no attribute confirm
  - parameters: move the `confirm` kwarg to Param
- Resolves: #1364464 Topology graph: ca and domain adders shows question marks instead of plus icon
  - Fix unicode characters in ca and domain adders
- Resolves: #1365083 Incomplete output returned for command ipa vault-add
  - client: add missing output params to client-side commands
- Resolves: #1365526 build fails during "make check"
  - ipa-kdb: Fix unit test after packaging changes in krb5

- Resolves: #1353829 traceback message seen in ipaserver-uninstall.log file.
  - Do not initialize API in ipa-client-automount uninstall
- Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin client changes
  - idrange: fix unassigned global variable
- Resolves: #1360792 Migrating users doesn't update krbCanonicalName
  - re-set canonical principal name on migrated users
- Resolves: #1362012 ipa hbactest produces error about cannot concatenate 'str' and 'bool' objects
  - Fix ipa hbactest output
- Resolves: #1362260 ipa vault-mod no longer allows defining salt
  - vault: add missing salt option to vault_mod
- Resolves: #1362312 ipa vault-retrieve internal error when using the wrong public key
  - vault: Catch correct exception in decrypt
- Resolves: #1362537 ipa-server-install fails to create symlink from /etc/ipa/kdcproxy/ to /etc/httpd/conf.d/
  - Correct path to HTTPD's systemd service directory
- Resolves: #1363756 Increase length of passwords generated by installer
  - Increase default length of auto generated passwords

- Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos aliases)
  - harden the check for trust namespace overlap in new principals
- Resolves: #1351142 CLI is not using session cookies for communication with IPA API
  - Fix session cookies
- Resolves: #1353888 Fix the help for ipa otp and other topics
  - help: Add dnsserver commands to help topic 'dns'
- Resolves: #1354406 host-del updatedns options complains about missing ptr record for host
  - Host-del: fix behavior of --updatedns and PTR records
- Resolves: #1355718 ipa-replica-manage man page example output differs actual command output
  - Minor fix in ipa-replica-manage MAN page
- Resolves: #1358229 Traceback message should be fixed, seen while editing winsync migrated user information in Default trust view.
  - baseldap: Fix MidairCollision instantiation during entry modification
- Resolves: #1358849 CA replica install logs to wrong log file
  - unite log file name of ipa-ca-install
- Resolves: #1359130 ipa-server-install command fails to install IPA server.
  - DNS Locations: fix update-system-records unpacking error
- Resolves: #1359237 AVC on dirsrv config caused by IPA installer
  - Use copy when replacing files to keep SELinux context
- Resolves: #1359692 ipa-client-install join fail with traceback against RHEL-6.8 ipa-server
  - compat: fix ping call
- Resolves: #1359738 ipa-replica-install --domain= option does not work
  - replica-install: Fix --domain
- Resolves: #1360778 Vault commands are available in CLI even when the server does not support them
  - Revert "Enable vault-* commands on client"
  - client: fix hiding of commands which lack server support
- Related: #1281704 Rebase to softhsm 2.1.0
  - Remove the workaround for softhsm bug #1293340
- Related: #1298288 [RFE] Improve performance in large environments.
  - Create indexes for krbCanonicalName attribute

- Resolves: #1296140 Remove redhat-access-plugin-ipa support
  - Obsolete and conflict redhat-access-plugin-ipa
- Resolves: #1351119 Multiple issues while uninstalling ipa-server
  - server uninstall fails to remove krb principals
- Resolves: #1351758 ipa commands not showing expected error messages
  - frontend: copy command arguments to output params on client
  - Show full error message for selinuxusermap-add-hostgroup
- Resolves: #1352883 Traceback on adding default automember group and hostgroup set
  - allow 'value' output param in commands without primary key
- Resolves: #1353888 Fix the help for ipa otp and other topics
  - schema: Fix subtopic -> topic mapping
- Resolves: #1354348 ipa trustconfig-show throws internal error.
  - allow 'value' output param in commands without primary key
- Resolves: #1354381 ipa trust-add with raw option gives internal error.
  - trust-add: handle `--all/--raw` options properly
- Resolves: #1354493 Replica install fails with old IPA master
  - DNS install: Ensure that DNS servers container exists
- Resolves: #1354628 ipa hostgroup-add-member does not return error message when adding itself as member
  - frontend: copy command arguments to output params on client
- Resolves: #1355856 ipa otptoken-add --type=totp gives internal error
  - messages: specify message type for ResultFormattingError
- Resolves: #1356063 "ipa radiusproxy-add" command needs to prompt to enter secret key
  - expose `--secret` option in radiusproxy-* commands
  - prevent search for RADIUS proxy servers by secret
- Resolves: #1356099 Bug in the ipapwd plugin
  - Heap corruption in ipapwd plugin
- Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin client changes
  - Use server API in com.redhat.idm.trust-fetch-domains oddjob helper
- Resolves: #1356964 Renaming a user removes all of his principal aliases
  - Preserve user principal aliases during rename operation

- Resolves: #1274524 [RFE] Qualify up to 60 IdM replicas
- Resolves: #1320838 [RFE] Support IdM Client in a DNS domain controlled by AD
- Related: #1356134 'kinit -E' does not work for IPA user

- Resolves: #1356102 Server uninstall does not stop tracking lightweight sub-CA with certmonger
  - uninstall: untrack lightweight CA certs
- Resolves: #1351807 ipa-nis-manage config.get_dn missing
  - ipa-nis-manage: Use server API to retrieve plugin status
- Resolves: #1353452 ipa-compat-manage command failed, exception: NotImplementedError: config.get_dn()
  - ipa-compat-manage: use server API to retrieve plugin status
- Resolves: #1353899 ipa-advise: object of type 'type' has no len()
  - ipa-advise: correct handling of plugin namespace iteration
- Resolves: #1356134 'kinit -E' does not work for IPA user
  - kdb: check for local realm in enterprise principals
- Resolves: #1353072 ipa unknown command vault-add
  - Enable vault-* commands on client
  - vault-add: set the default vault type on the client side if none was given
- Resolves: #1353995 Default CA can be used without a CA ACL
  - caacl: expand plugin documentation
- Resolves: #1356144 host-find should not print SSH keys by default, only SSH fingerprints
  - host-find: do not show SSH key by default
- Resolves: #1353506 ipa migrate-ds command fails for IPA in RHEL 7.3
  - Removed unused method parameter from migrate-ds

- Resolves: #747612 [RFE] IPA should support and manage DNS sites
- Resolves: #826790 Disabling password expiration (--maxlife=0 and --minlife=0) in the default global_policy in IPA sets user's password expiration (krbPasswordExpiration) to be 90 days
- Resolves: #896699 ipa-replica-manage -H does not delete DNS SRV records
- Resolves: #1084018 [RFE] Add IdM user password change support for legacy client compat tree
- Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos aliases)
  - Fix incorrect check for principal type when evaluating CA ACLs
- Resolves: #1146860 [RFE] Offer OTP generation for host enrollment in the UI
- Resolves: #1238190 ipasam unable to lookup group in directory yet manual search works
- Resolves: #1250110 search by users which don't have read rights for all attrs in search_attributes fails
- Resolves: #1263764 Show Certificate displays in useless format
- Resolves: #1272491 [WebUI] Certificate action dropdown does not display all the options after adding new certificate
- Resolves: #1292141 Rebase to FreeIPA 4.4+
  - Rebase to 4.4.0
- Resolves: #1294503 IPA fails to issue 3rd party certs
- Resolves: #1298242 [RFE] API compatibility - compatibility of clients
- Resolves: #1298848 [RFE] Centralized topology management
- Resolves: #1298966 [RFE] Extend Smart Card support
- Resolves: #1315146 Multiple clients cannot join domain simultaneously: /var/run/httpd/ipa/clientcaches race condition?
- Resolves: #1318903 ipa server install failing when SUBCA signs the cert
- Resolves: #1319003 ipa-winsync-migrate: Traceback should be fixed with proper console output
- Resolves: #1324055 IPA always qualify requests for admin
- Resolves: #1328552 [RFE] Allow users to authenticate with alternative names
- Resolves: #1334582 Inconsistent UI and CLI options for removing certificate hold
- Resolves: #1346321 Exclude o=ipaca subtree from Retro Changelog (syncrepl)
- Resolves: #1349281 Fix `Conflicts` with ipa-python
- Resolves: #1350695 execution of copy-schema script fails
- Resolves: #1351118 upgrade failed for RHEL-7.3 from RHEL-7.2.z
- Resolves: #1351153 AVC seen on Replica during ipa-server upgrade test execution to 7.3
- Resolves: #1351276 ipa-server-install with dns cannot resolve itself to create ipa-ca entry
- Related: #1343422 [RFE] Add GssapiImpersonate option

- Resolves: #1348948 IPA server install fails with build ipa-server-4.4.0-0.el7.1.alpha1
- Revert "Increased mod_wsgi socket-timeout"

- Resolves: #712109 "krbExtraData not allowed" is logged in DS error log while setting password for default sudo binddn.
- Resolves: #747612 [RFE] IPA should support and manage DNS sites
- Resolves: #768316 [RFE] ipa-getkeytab should auto-detect the ipa server name
- Resolves: #825391 [RFE] Replica installation should provide a means for inheriting nssldap security access settings
- Resolves: #921497 Incorrect *.py[co] files placement
- Resolves: #1029640 RHEL7 IPA to add DNA Plugin config for dnaRemote support
- Resolves: #1029905 389 DS cache sizes not replicated to IPA replicas
- Resolves: #1196958 IPA replica installation failing with high number of users (160000).
- Resolves: #1219402 IPA suggests to uninstall a client when the user needs to uninstall a replica
- Resolves: #1224057 [RFE] TGS authorization decisions in KDC based on Authentication Indicator
- Resolves: #1234222 [WebUI] UI error message is not appropriate for "Kerberos principal expiration"
- Resolves: #1234223 [WebUI] General invalid password error message appearing for "Locked user"
- Resolves: #1254267 ipa-server-install failure applying ldap updates with limits exceeded
- Resolves: #1258626 realmdomains-mod --add-domain command throwing error when doamin already is in forwardzone.
- Resolves: #1259020 ipa-server-adtrust-install doesn't allow NetBIOS-name=EXAMPLE-TEST.COM (dash character)
- Resolves: #1260993 DNSSEC signing enablement on dnszone should throw error message when DNSSEC master not installed
- Resolves: #1262747 dnssec options missing in ipa-dns-install man page
- Resolves: #1265900 Fail installation immediately after dirsrv fails to install using ipa-server-install
- Resolves: #1265915 idoverrideuser-find fails if any SID anchor is not resolvable anymore
- Resolves: #1268027 ipa-dnskeysync-replica crash with backtrace - LimitsExceeded: limits exceeded for this query
- Resolves: #1269089 Certificate of managed-by host/service fails to resubmit
- Resolves: #1269200 ipa-server crashing while trying to preserve admin user
- Resolves: #1271321 Reduce ioblocktimeout and idletimeout defaults
- Resolves: #1271579 Automember rule expressions disappear from tables on single expression delete
- Resolves: #1275816 Incomplete ports for IPA ad-trust
- Resolves: #1276351 [RFE] Remove /usr/share/ipa/updates/50-lockout-policy.update file from IPA releases
- Resolves: #1277109 Add tool tips for Revert, Refresh, Undo, and Undo All in the IPA UI
- Resolves: #1278426 Better error message needed for invalid ca-signing-algo option
- Resolves: #1279932 ipa-client-install --request-cert needs workaround in anaconda chroot
- Resolves: #1282521 Creating a user w/o private group fails when doing so in WebUI
- Resolves: #1283879 ipa-winsync-migrate: Traceback message should be replaced by "IPA is not configured on this system"
- Resolves: #1285071 ipa-kra-install fails on replica looking for admin cert file
- Resolves: #1287194 [RFE] Support of UPN for trusted domains
- Resolves: #1288967 Normalize Manager entry in ipa user-add
- Resolves: #1289487 Priority field missing in Password Policy detail tab
- Resolves: #1291140 ipa client should configure kpasswd_server directive in krb5.conf
- Resolves: #1292141 Rebase to FreeIPA 4.4+
- Rebase to 4.4.0.alpha1
- Resolves: #1298848 [RFE] Centralized topology management
- Resolves: #1300576 Browser setup page includes instructions for Internet Explorer
- Resolves: #1301586 ipa host-del --updatedns should remove related dns entries.
- Resolves: #1304618 Residual Files After IPA Server Uninstall
- Resolves: #1305144 ipa-python does not require its dependencies
- Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6
- Resolves: #1313798 Console output post ipa-winsync-migrate command should be corrected.
- Resolves: #1314786 [RFE] External Trust with Active Directory domain
- Resolves: #1319023 Include description for 'status' option in man page for ipactl command.
- Resolves: #1319912 ipa-server-install does not completely change hostname and named-pkcs11 fails
- Resolves: #1320891 IPA Error 3009: Validation error: Invalid 'ptrrecord': Reverse zone in-addr.arpa. requires exactly 4 IP address compnents, 5 given
- Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on revocation reasons
- Resolves: #1328549 "ipa-kra-install" command reports incorrect message when it is executed on server already installed with KRA.
- Resolves: #1329209 ipa-nis-manage enable: change service name from 'portmap' to 'rpcbind'
- Resolves: #1329275 ipa-nis-manage command should include status option
- Resolves: #1330843 'man ipa' should be updated with latest commands
- Resolves: #1333755 ipa cert-request causes internal server error while requesting certificate
- Resolves: #1337484 EOF is not handled for ipa-client-install command
- Resolves: #1338031 Insufficient 'write' privilege on some attributes for the members of the role which has "User Administrators" privilege.
- Resolves: #1343142 IPA DNS should do better verification of DNS zones
- Resolves: #1347928 Frontpage exposes runtime error with no cookies enabled in browser

- Resolves: #1339483 ipa-server-install fails with ERROR pkinit_cert_files
- Fix incorrect rebase of patch 1001

- Resolves: #1339233 CA installed on replica is always marked as renewal master
- Related: #1292141 Rebase to FreeIPA 4.4+
- Rebase to 4.3.1.201605241723GIT1b427d3

- Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install because of missing dependencies
- Rebuild with krb5-1.14.1

- Resolves: #837369 [RFE] Switch to client promotion to replica model
- Resolves: #1199516 [RFE] Move replication topology to the shared tree
- Resolves: #1206588 [RFE] Visualize FreeIPA server replication topology
- Resolves: #1211602 Hide ipa-server-install KDC master password option (-P)
- Resolves: #1212713 ipa-csreplica-manage: it could be nice to have also list-ruv / clean-ruv / abort-clean-ruv for o=ipaca backend
- Resolves: #1267206 ipa-server-install uninstall should warn if no installation found
- Resolves: #1295865 The Domain option is not correctly set in idmapd.conf when ipa-client-automount is executed.
- Resolves: #1327092 URI details missing and OCSP-URI details are incorrectly displayed when certificate generated using IPA on RHEL 7.2up2.
- Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install because of missing dependencies
- Related: #1292141 Rebase to FreeIPA 4.4+
- Rebase to 4.3.1.201605191449GITf8edf37

- Resolves: #1277696 IPA certificate auto renewal fail with "Invalid Credential"
- cert renewal: make renewal of ipaCert atomic
- Resolves: #1278330 installer options are not validated at the beginning of installation
- install: fix command line option validation
- Resolves: #1282845 sshd_config change on ipa-client-install can prevent sshd from starting up
- client install: do not corrupt OpenSSH config with Match sections
- Resolves: #1282935 ipa upgrade causes vault internal error
- install: export KRA agent PEM file in ipa-kra-install
- Resolves: #1283429 Default CA ACL rule is not created during ipa-replica-install
- TLS and Dogtag HTTPS request logging improvements
- Avoid race condition caused by profile delete and recreate
- Do not erroneously reinit NSS in Dogtag interface
- Add profiles and default CA ACL on migration
- disconnect ldap2 backend after adding default CA ACL profiles
- do not disconnect when using existing connection to check default CA ACLs
- Resolves: #1283430 ipa-kra-install: fails to apply updates
- suppress errors arising from adding existing LDAP entries during KRA install
- Resolves: #1283748 Caching of ipaconfig does not work in framework
- fix caching in get_ipa_config
- Resolves: #1283943 IPA DNS Zone/DNS Forward Zone details missing after upgrade from RHEL 7.0 to RHEL 7.2
- upgrade: fix migration of old dns forward zones
- Fix upgrade of forwardzones when zone is in realmdomains
- Resolves: #1284413 ipa-cacert-manage renew fails on nonexistent ldap connection
- ipa-cacert-renew: Fix connection to ldap.
- Resolves: #1284414 ipa-otptoken-import fails on nonexistent ldap connection
- ipa-otptoken-import: Fix connection to ldap.
- Resolves: #1286635 IPA server upgrade fails from RHEL 7.0 to RHEL 7.2 using "yum update ipa* sssd"
- Set minimal required version for openssl
- Resolves: #1286781 ipa-nis-manage does not update ldap with all NIS maps
- Upgrade: Fix upgrade of NIS Server configuration
- Resolves: #1289311 umask setting causes named-pkcs11 issue with directory permissions on /var/lib/ipa/dnssec
- DNS: fix file permissions
- Explicitly call chmod on newly created directories
- Fix: replace mkdir with chmod
- Resolves: #1290142 Broken 7.2.0 to 7.2.z upgrade - flawed version comparison
- Fix version comparison
- use FFI call to rpmvercmp function for version comparison
- Resolves: #1292595 In IPA-AD trust environment some secondary IPA based Posix groups are missing
- ipa-kdb: map_groups() consider all results
- Resolves: #1293870 User should be notified for wrong password in password reset page
- Fixed login error message box in LoginScreen page
- Resolves: #1296196 Sysrestore did not restore state if a key is specified in mixed case
- Allow to used mixed case for sysrestore
- Resolves: #1296214 DNSSEC key purging is not handled properly
- DNSSEC: Improve error reporting from ipa-ods-exporter
- DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP
- DNSSEC: Make sure that current key state in LDAP matches key state in BIND
- DNSSEC: remove obsolete TODO note
- DNSSEC: add debug mode to ldapkeydb.py
- DNSSEC: logging improvements in ipa-ods-exporter
- DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP
- DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP
- DNSSEC: ipa-ods-exporter: add ldap-cleanup command
- DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal
- DNSSEC: Log debug messages at log level DEBUG
- Resolves: #1296216 ipa-server-upgrade fails if certmonger is not running
- prevent crash of CA-less server upgrade due to absent certmonger
- always start certmonger during IPA server configuration upgrade
- Resolves: #1297811 The ipa -e skip_version_check=1 still issues incompatibility error when called against RHEL 6 server
- ipalib: assume version 2.0 when skip_version_check is enabled
- Resolves: #1298289 install fails when locale is "fr_FR.UTF-8"
- Do not decode HTTP reason phrase from Dogtag
- Resolves: #1300252 shared certificateProfiles container is missing on a freshly installed RHEL7.2 system
- upgrade: unconditional import of certificate profiles into LDAP
- Resolves: #1301674 --setup-dns and other options is forgotten for using an external PKI
- installer: Propagate option values from components instead of copying them.
- installer: Fix logic of reading option values from cache.
- Resolves: #1301687 issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup
- ipa-ca-install: print more specific errors when CA is already installed
- cert renewal: import all external CA certs on IPA CA cert renewal
- CA install: explicitly set dogtag_version to 10
- fix standalone installation of externally signed CA on IPA master
- replica install: validate DS and HTTP server certificates
- replica install: improvements in the handling of CA-related IPA config entries
- Resolves: #1301901 [RFE] compat tree: show AD members of IPA groups
- slapi-nis: update configuration to allow external members of IPA groups
- Resolves: #1305533 ipa trust-add succeded but after that ipa trust-find returns "0 trusts matched"
- upgrade: fix config of sidgen and extdom plugins
- trusts: use ipaNTTrustPartner attribute to detect trust entries
- Warn user if trust is broken
- fix upgrade: wait for proper DS socket after DS restart
- Insure the admin_conn is disconnected on stop
- Fix connections to DS during installation
- Fix broken trust warnings
- Resolves: #1321092 Installers fail when there are multiple versions of the same certificate
- certdb: never use the -r option of certutil
- Related: #1317381 Crash during IPA upgrade due to slapd
- spec file: update minimum required version of slapi-nis
- Related: #1322691 CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2113 CVE-2016-2114 CVE-2016-2115 CVE-2016-2118 samba: various flaws [rhel-7.3]
- Rebuild against newer Samba version

- Resolves: #1252556 Missing CLI param and ACL for vault service operations
- vault: fix private service vault creation

- Resolves: #1262996 ipa vault internal error on replica without KRA
- upgrade: make sure ldap2 is connected in export_kra_agent_pem
- Resolves: #1270608 IPA upgrade fails for server with CA cert signed by external CA
- schema: do not derive ipaVaultPublicKey from ipaPublicKey

- Resolves: #1217009 OTP sync in UI does not work for TOTP tokens
- Fix an integer underflow bug in libotp
- Resolves: #1262996 ipa vault internal error on replica without KRA
- install: always export KRA agent PEM file
- vault: select a server with KRA for vault operations
- Resolves: #1269777 IPA restore overwrites /etc/passwd and /etc/group files
- do not overwrite files with local users/groups when restoring authconfig
- Renamed patch 1011 to 0138, as it was merged upstream

- Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to Trusts
- winsync-migrate: Convert entity names to posix friendly strings
- winsync-migrate: Properly handle collisions in the names of external groups
- Resolves: #1261074 Adjust Firefox configuration to new extension signing policy
- webui: use manual Firefox configuration for Firefox >= 40
- Resolves: #1263337 IPA Restore failed with installed KRA
- ipa-backup: Add mechanism to store empty directory structure
- Resolves: #1264793 CVE-2015-5284 ipa: ipa-kra-install includes certificate and private key in world readable file [rhel-7.2]
- install: fix KRA agent PEM file permissions
- Resolves: #1265086 Mark IdM API Browser as experimental
- WebUI: add API browser is experimental warning
- Resolves: #1265277 Fix kdcproxy user creation
- install: create kdcproxy user during server install
- platform: add option to create home directory when adding user
- install: fix kdcproxy user home directory
- Resolves: #1265559 GSS failure after ipa-restore
- destroy httpd ccache after stopping the service

- Resolves: #1258965 ipa vault: set owner of vault container
- baseldap: make subtree deletion optional in LDAPDelete
- vault: add vault container commands
- vault: set owner to current user on container creation
- vault: update access control
- vault: add permissions and administrator privilege
- install: support KRA update
- Resolves: #1261586 ipa config-mod addattr fails for ipauserobjectclasses
- config: allow user/host attributes with tagging options
- Resolves: #1262315 Unable to establish winsync replication
- winsync: Add inetUser objectclass to the passsync sysaccount

- Resolves: #1260663 crash of ipa-dnskeysync-replica component during ipa-restore
- IPA Restore: allows to specify files that should be removed
- Resolves: #1261806 Installing ipa-server package breaks httpd
- Handle timeout error in ipa-httpd-kdcproxy
- Resolves: #1262322 Failed to backup CS.cfg message in upgrade.
- Server Upgrade: backup CS.cfg when dogtag is turned off

- Resolves: #1257074 The KRA agent cert is stored in a PEM file that is not tracked
- cert renewal: Include KRA users in Dogtag LDAP update
- cert renewal: Automatically update KRA agent PEM file
- Resolves: #1257163 renaming certificatte profile with --rename option leads to integrity issues
- certprofile: remove 'rename' option
- Resolves: #1257968 kinit stop working after ipa-restore
- Backup: back up the hosts file
- Resolves: #1258926 Remove 'DNSSEC is experimental' warnings
- DNSSEC: remove "DNSSEC is experimental" warnings
- Resolves: #1258929 Uninstallation of IPA leaves extra entry in /etc/hosts
- Installer: do not modify /etc/hosts before user agreement
- Resolves: #1258944 DNSSEC daemons may deadlock when processing more than 1 zone
- DNSSEC: backup and restore opendnssec zone list file
- DNSSEC: remove ccache and keytab of ipa-ods-exporter
- DNSSEC: prevent ipa-ods-exporter from looping after service auto-restart
- DNSSEC: Fix deadlock in ipa-ods-exporter <-> ods-enforcerd interaction
- DNSSEC: Fix HSM synchronization in ipa-dnskeysyncd when running on DNSSEC key master
- DNSSEC: Fix key metadata export
- DNSSEC: Wrap master key using RSA OAEP instead of old PKCS v1.5.
- Resolves: #1258964 revert to use ldapi to add kra agent in KRA install
- Using LDAPI to setup CA and KRA agents.
- Resolves: #1259848 server closes connection and refuses commands after deleting user that is still logged in
- ldap: Make ldap2 connection management thread-safe again
- Resolves: #1259996 AttributeError: 'NameSpace' object has no attribute 'ra_certprofile' while ipa-ca-install
- load RA backend plugins during standalone CA install on CA-less IPA master

- Resolves: #1254689 Storing big file as a secret in vault raises traceback
- vault: Limit size of data stored in vault
- Resolves: #1255880 ipactl status should distinguish between different pki-tomcat services
- ipactl: Do not start/stop/restart single service multiple times

- Resolves: #1256840 [webui] majority of required fields is no longer marked as required
- fix missing information in object metadata
- Resolves: #1256842 [webui] no option to choose trust type when creating a trust
- webui: add option to establish bidirectional trust
- Resolves: #1256853 Clear text passwords in KRA install log
- Removed clear text passwords from KRA install log.
- Resolves: #1257072 The "Standard Vault" MUST not be the default and must be discouraged
- vault: change default vault type to symmetric
- Resolves: #1257163 renaming certificatte profile with --rename option leads to integrity issues
- certprofile: prevent rename (modrdn)

- Resolves: #1249226 IPA dnssec-validation not working for AD dnsforwardzone
- DNSSEC: fix forward zone forwarders checks
- Resolves: #1250190 idrange is not added for sub domain
- trusts: format Kerberos principal properly when fetching trust topology
- Resolves: #1252334 User life cycle: missing ability to provision a stage user from a preserved user
- Add user-stage command
- Resolves: #1252863 After applying RHBA-2015-1554 errata, IPA service fails to start.
- spec file: Add Requires(post) on selinux-policy
- Resolves: #1254304 Changing vault encryption attributes
- Change internal rsa_(public|private)_key variable names
- Added support for changing vault encryption.
- Resolves: #1256715 Executing user-del --preserve twice removes the user pernamently
- improve the usability of `ipa user-del --preserve` command

- Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities
- user-undel: Fix error messages.
- Resolves: #1200694 [RFE] Support for multiple cert profiles
- Prohibit deletion of predefined profiles
- Resolves: #1232819 testing ipa-restore on fresh system install fails
- Backup/resore authentication control configuration
- Resolves: #1243331 pkispawn fails when migrating to 4.2 server from 3.0 server
- Require Dogtag PKI >= 10.2.6
- Resolves: #1245225 Asymmetric vault drops traceback when the key is not proper
- Asymmetric vault: validate public key in client
- Resolves: #1248399 Missing DNSSEC related files in backup
- fix typo in BasePathNamespace member pointing to ods exporter config
- ipa-backup: archive DNSSEC zone file and kasp.db
- Resolves: #1248405 PassSync should be disabled after ipa-winsync-migrate is finished
- winsync-migrate: Add warning about passsync
- winsync-migrate: Expand the man page
- Resolves: #1248524 User can't find any hosts using "ipa host-find $HOSTNAME"
- adjust search so that it works for non-admin users
- Resolves: #1250093 ipa certprofile-import accepts invalid config
- Require Dogtag PKI >= 10.2.6
- Resolves: #1250107 IPA framework should not allow modifying trust on AD trust agents
- trusts: Detect missing Samba instance
- Resolves: #1250111 User lifecycle - preserved users can be assigned membership
- ULC: Prevent preserved users from being assigned membership
- Resolves: #1250145 Add permission for user to bypass caacl enforcement
- Add permission for bypassing CA ACL enforcement
- Resolves: #1250190 idrange is not added for sub domain
- idranges: raise an error when local IPA ID range is being modified
- trusts: harden trust-fetch-domains oddjobd-based script
- Resolves: #1250928 Man page for ipa-server-install is out of sync
- install: Fix server and replica install options
- Resolves: #1251225 IPA default CAACL does not allow cert-request for services after upgrade
- Fix default CA ACL added during upgrade
- Resolves: #1251561 ipa vault-add Unknown option: ipavaultpublickey
- validate mutually exclusive options in vault-add
- Resolves: #1251579 ipa vault-add --user should set container owner equal to user on first run
- Fixed vault container ownership.
- Resolves: #1252517 cert-request rejects request with correct krb5PrincipalName SAN
- Fix KRB5PrincipalName / UPN SAN comparison
- Resolves: #1252555 ipa vault-find doesn't work for services
- vault: Add container information to vault command results
- Add flag to list all service and user vaults
- Resolves: #1252556 Missing CLI param and ACL for vault service operations
- Added CLI param and ACL for vault service operations.
- Resolves: #1252557 certprofile: improve profile format documentation
- certprofile-import: improve profile format documentation
- certprofile: add profile format explanation
- Resolves: #1253443 ipa vault-add creates vault with invalid type
- vault: validate vault type
- Resolves: #1253480 ipa vault-add-owner does not fail when adding an existing owner
- baseldap: Allow overriding member param label in LDAPModMember
- vault: Fix param labels in output of vault owner commands
- Resolves: #1253511 ipa vault-find does not use criteria
- vault: Fix vault-find with criteria
- Resolves: #1254038 ipa-replica-install pk12util error returns exit status 10
- install: Fix replica install with custom certificates
- Resolves: #1254262 ipa-dnskeysync-replica crash cannot contact kdc
- improve the handling of krb5-related errors in dnssec daemons
- Resolves: #1254412 when dirsrv is off ,upgrade from 7.1 to 7.2 fails with starting CA and named-pkcs11.service
- Server Upgrade: Start DS before CA is started.
- Resolves: #1254637 Add ACI and permission for managing user userCertificate attribute
- add permission: System: Manage User Certificates
- Resolves: #1254641 Remove CSR allowed-extensions restriction
- cert-request: remove allowed extensions check
- Resolves: #1254693 vault --service does not normalize service principal
- vault: normalize service principal in service vault operations
- Resolves: #1254785 ipa-client-install does not properly handle dual stacked hosts
- client: Add support for multiple IP addresses during installation.
- Add dependency to SSSD 1.13.1
- client: Add description of --ip-address and --all-ip-addresses to man page

- Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to users in IdM
- store certificates issued for user entries as
- user-show: add --out option to save certificates to file
- Resolves: #1145748 [RFE] IPA running with One Way Trust
- Fix upgrade of sidgen and extdom plugins
- Resolves: #1195339 ipa-client-install changes the label on various files which causes SELinux denials
- Use 'mv -Z' in specfile to restore SELinux context
- Resolves: #1198796 Text in UI should describe differing LDAP vs Krb behavior for combinations of "User authentication types"
- webui: add LDAP vs Kerberos behavior description to user auth
- Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities
- ULC: Fix stageused-add --from-delete command
- Resolves: #1200694 [RFE] Support for multiple cert profiles
- certprofile-import: do not require profileId in profile data
- Give more info on virtual command access denial
- Allow SAN extension for cert-request self-service
- Add profile for DNP3 / IEC 62351-8 certificates
- Work around python-nss bug on unrecognised OIDs
- Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality
- Validate vault's file parameters
- Fixed missing KRA agent cert on replica.
- Resolves: #1225866 display browser config options that apply to the browser.
- webui: add Kerberos configuration instructions for Chrome
- Remove ico files from Makefile
- Resolves: #1246342 Unapply idview raises internal error
- idviews: Check for the Default Trust View only if applying the view
- Resolves: #1248102 [webui] regression - incorrect/no failed auth messages
- webui: fix regressions failed auth messages
- Resolves: #1248396 Internal error in DomainValidator.__search_in_dc
- dcerpc: Fix UnboundLocalError for ccache_name
- Resolves: #1249455 ipa trust-add failed CIFS server configuration does not allow access to \\pipe\lsarpc
- Fix selector of protocol for LSA RPC binding string
- dcerpc: Simplify generation of LSA-RPC binding strings
- Resolves: #1250192 Error in ipa trust-fecth-domains
- Fix incorrect type comparison in trust-fetch-domains
- Resolves: #1251553 Winsync setup fails with unexpected error
- replication: Fix incorrect exception invocation
- Resolves: #1251854 ipa aci plugin is not parsing aci's correctly.
- ACI plugin: correctly parse bind rules enclosed in
- Resolves: #1252414 Trust agent install does not detect available replicas to add to master
- adtrust-install: Correctly determine 4.2 FreeIPA servers

- Resolves: #1170770 [AD TRUST]IPA should detect inconsistent realm domains that conflicts with AD DC
- trusts: Check for AD root domain among our trusted domains
- Resolves: #1195339 ipa-client-install changes the label on various files which causes SELinux denials
- sysrestore: copy files instead of moving them to avoind SELinux issues
- Resolves: #1196656 [ipa-client][rhel71] enable debugging for spawned commands / ntpd -qgc $tmpfile hangs
- enable debugging of ntpd during client installation
- Resolves: #1205264 Migration UI Does Not Work When Anonymous Bind is Disabled
- migration: Use api.env variables.
- Resolves: #1212719 abort-clean-ruv subcommand should allow replica-certifyall: no
- Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommand
- Resolves: #1216935 ipa trust-add shows ipa: ERROR: an internal error has occurred
- dcerpc: Expand explanation for WERR_ACCESS_DENIED
- dcerpc: Fix UnboundLocalError for ccache_name
- Resolves: #1222778 idoverride group-del can delete user and user-del can delete group
- dcerpc: Add get_trusted_domain_object_type method
- idviews: Restrict anchor to name and name to anchor conversions
- idviews: Enforce objectclass check in idoverride*-del
- Resolves: #1234919 Be able to request certificates without certmonger service running
- cermonger: Use private unix socket when DBus SystemBus is not available.
- ipa-client-install: Do not (re)start certmonger and DBus daemons.
- Resolves: #1240939 Please add dependency on bind-pkcs11
- Create server-dns sub-package.
- ipaplatform: Add constants submodule
- DNS: check if DNS package is installed
- Resolves: #1242914 Bump minimal selinux-policy and add booleans to allow calling out oddjobd-activated services
- selinux: enable httpd_run_ipa to allow communicating with oddjobd services
- Resolves: #1243261 non-admin users cannot search hbac rules
- fix hbac rule search for non-admin users
- fix selinuxusermap search for non-admin users
- Resolves: #1243652 Client has missing dependency on memcache
- do not import memcache on client
- Resolves: #1243835 [webui] user change password dialog does not work
- webui: fix user reset password dialog
- Resolves: #1244802 spec: selinux denial during kdcproxy user creation
- Fix selinux denial during kdcproxy user creation
- Resolves: #1246132 trust-fetch-domains: Do not chown keytab to the sssd user
- oddjob: avoid chown keytab to sssd if sssd user does not exist
- Resolves: #1246136 Adding a privilege to a permission avoids validation
- Validate adding privilege to a permission
- Resolves: #1246141 DNS Administrators cannot search in zones
- DNS: Consolidate DNS RR types in API and schema
- Resolves: #1246143 User plugin - user-find doesn't work properly with manager option
- fix broken search for users by their manager

- Resolves: #1131907 [ipa-client-install] cannot write certificate file '/etc/ipa/ca.crt.new': must be string or buffer, not None
- Resolves: #1195775 unsaved changes dialog internally inconsistent
- Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities
- Stageusedr-activate: show username instead of DN
- Resolves: #1200694 [RFE] Support for multiple cert profiles
- Prevent to rename certprofile profile id
- Resolves: #1222047 IPA to AD Trust: IPA ERROR 4016: Remote Retrieve Error
- Resolves: #1224769 copy-schema-to-ca.py does not overwrites schema files
- copy-schema-to-ca: allow to overwrite schema files
- Resolves: #1241941 kdc component installation of IPA failed
- spec file: Update minimum required version of krb5
- Resolves: #1242036 Replica install fails to update DNS records
- Fix DNS records installation for replicas
- Resolves: #1242884 Upgrade to 4.2.0 fails when enabling kdc proxy
- Start dirsrv for kdcproxy upgrade

- Resolves: #846033 [RFE] Documentation for JSONRPC IPA API
- Resolves: #989091 Ability to manage IdM/IPA directly from a standard LDAP client
- Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to users in IdM
- Resolves: #1115294 [RFE] Add support for DNSSEC
- Resolves: #1145748 [RFE] IPA running with One Way Trust
- Resolves: #1199520 [RFE] Introduce single upgrade tool - ipa-server-upgrade
- Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities
- Resolves: #1200694 [RFE] Support for multiple cert profiles
- Resolves: #1200728 [RFE] Replicate PKI Profile information
- Resolves: #1200735 [RFE] Allow issuing certificates for user accounts
- Resolves: #1204054 SSSD database is not cleared between installs and uninstalls of ipa
- Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to Trusts
- Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality
- Resolves: #1204504 [RFE] Add access control so hosts can create their own services
- Resolves: #1206534 [RFE] Offer Kerberos over HTTP (kdcproxy) by default
- Resolves: #1206613 [RFE] Configure IPA to be a trust agent by default
- Resolves: #1209476 package ipa-client does not require package dbus-python
- Resolves: #1211589 [RFE] Add option to skip the verify_client_version
- Resolves: #1211608 [RFE] Generic support for unknown DNS RR types (RFC 3597)
- Resolves: #1215735 ipa-replica-prepare automatically adds a DNS zone
- Resolves: #1217010 OTP Manager field is not exposed in the UI
- Resolves: #1222475 krb5kdc : segfault at 0 ip 00007fa9f64d82bb sp 00007fffd68b2340 error 6 in libc-2.17.so
- Related: #1204809 Rebase ipa to 4.2
- Update to upstream 4.2.0
- Move /etc/ipa/kdcproxy to the server subpackage

- Resolves: #1228671 pkispawn fails in ipa-ca-install and ipa-kra-install
- Related: #1204809 Rebase ipa to 4.2
- Fix minimum version of slapi-nis
- Require python-sss and python-sss-murmur (provided by sssd-1.13.0)

- Resolves: #805188 [RFE] "ipa migrate-ds" ldapsearches with scope=1
- Resolves: #1019272 With 20000+ users, adding a user to a group intermittently throws Internal server error
- Resolves: #1035494 Unable to add Kerberos principal via kadmin.local
- Resolves: #1045153 ipa-managed-entries --list -p still requires DM password
- Resolves: #1125950 ipa-server-install --uinstall doesn't remove port 7389 from ldap_port_t
- Resolves: #1132540 [RFE] Expose service delegation rules in UI and CLI
- Resolves: #1145584 ipaserver/install/cainstance.py creates pkiuser not matching uidgid
- Resolves: #1176036 IDM client registration failure in a high load environment
- Resolves: #1183116 Remove Requires: subscription-manager
- Resolves: #1186054 permission-add does not prompt to enter --right option in interactive mode
- Resolves: #1187524 Replication agreement with replica not disabled when ipa-restore done without IPA installed
- Resolves: #1188195 Fax number not displayed for user-show when kinit'ed as normal user.
- Resolves: #1189034 "an internal error has occurred" during ipa host-del --updatedns
- Resolves: #1193554 ipa-client-automount: failing with error LDAP server returned UNWILLING_TO_PERFORM. This likely means that minssf is enabled.
- Resolves: #1193759 IPA extdom plugin fails when encountering large groups
- Resolves: #1194312 [ipa-python] ipalib.errors.LDAPError: failed to decode certificate: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments.
- Resolves: #1194633 Default trust view can be deleted in lower case
- Resolves: #1196455 ipa-server-install step [8/27]: starting certificate server instance - confusing CA staus message on TLS error
- Resolves: #1198263 Limit deadlocks between DS plugin DNA and slapi-nis
- Resolves: #1199527 [RFE] Use datepicker component for datetime fields
- Resolves: #1200867 [RFE] Make OTP validation window configurable
- Resolves: #1200883 [RFE] Switch apache to use mod_auth_gssapi
- Resolves: #1202998 CVE-2015-1827 ipa: memory corruption when using get_user_grouplist() [rhel-7.2]
- Resolves: #1204637 slow group operations
- Resolves: #1204642 migrate-ds: slow add o users to default group
- Resolves: #1208461 IPA CA master server update stuck on checking getStatus via https
- Resolves: #1211602 Hide ipa-server-install KDC master password option (-P)
- Resolves: #1211708 ipa-client-install gets stuck during NTP sync
- Resolves: #1215197 ipa-client-install ignores --ntp-server option during time sync
- Resolves: #1215200 ipa-client-install configures IPA server as NTP source even if IPA server has not ntpd configured
- Resolves: #1217009 OTP sync in UI does not work for TOTP tokens
- Related: #1204809 Rebase ipa to 4.2
- Update to upstream 4.2.0.alpha1

- [ipa-python] ipalib.errors.LDAPError: failed to decode certificate: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. (#1194312)

- IPA extdom plugin fails when encountering large groups (#1193759)
- CVE-2015-0283 ipa: slapi-nis: infinite loop in getgrnam_r() and getgrgid_r() (#1202998)

- "an internal error has occurred" during ipa host-del --updatedns (#1198431)
- Renamed patch 1013 to 0114, as it was merged upstream
- Fax number not displayed for user-show when kinit'ed as normal user. (#1198430)
- Replication agreement with replica not disabled when ipa-restore done without IPA installed (#1199060)
- Limit deadlocks between DS plugin DNA and slapi-nis (#1199128)

- Fix ipa-pwd-extop global configuration caching (#1187342)
- group-detach does not add correct objectclasses (#1187540)

- Wrong directories created on full restore (#1186398)
- ipa-restore crashes if replica is unreachable (#1186396)
- idoverrideuser-add option --sshpubkey does not work (#1185410)

- PassSync does not sync passwords due to missing ACIs (#1181093)
- ipa-replica-manage list does not list synced domain (#1181010)
- Do not assume certmonger is running in httpinstance (#1181767)
- ipa-replica-manage disconnect fails without password (#1183279)
- Put LDIF files to their original location in ipa-restore (#1175277)
- DUA profile not available anonymously (#1184149)
- IPA replica missing data after master upgraded (#1176995)

- Re-add accidentally removed patches for #1170695 and #1164896

- IPA Replicate creation fails with error "Update failed!
Status: [10 Total update abortedLDAP error: Referral]" (#1166265) - running ipa-server-install --setup-dns results in a crash (#1072502) - DNS zones are not migrated into forward zones if 4.0+ replica is added (#1175384) - gid is overridden by uid in default trust view (#1168904) - When migrating warn user if compat is enabled (#1177133) - Clean up debug log for trust-add (#1168376) - No error message thrown on restore(full kind) on replica from full backup taken on master (#1175287) - ipa-restore proceed even IPA not configured (#1175326) - Data replication not working as expected after data restore from full backup (#1175277) - IPA externally signed CA cert expiration warning missing from log (#1178128) - ipa-upgradeconfig fails in CA-less installs (#1181767) - IPA certs fail to autorenew simultaneouly (#1173207) - More validation required on ipa-restore's options (#1176034)- Expand the token auth/sync windows (#919228) - Access is not rejected for disabled domain (#1172598) - krb5kdc crash in ldap_pvt_search (#1170695) - RHEL7.1 IPA server httpd avc denials after upgrade (#1164896)- RHEL7.1 ipa-cacert-manage renewed certificate from MS ADCS not compatible (#1169591) - CLI doesn't show SSHFP records with SHA256 added via nsupdate (regression) (#1172578)- Throw zonemgr error message before installation proceeds (#1163849) - Winsync: Setup is broken due to incorrect import of certificate (#1169867) - Enable last token deletion when password auth type is configured (#919228) - ipa-otp-lasttoken loads all user's tokens on every mod/del (#1166641) - add --hosts and --hostgroup options to allow/retrieve keytab methods (#1007367) - Extend host-show to add the view attribute in set of default attributes (#1168916) - Prefer TCP connections to UDP in krb5 clients (#919228) - [WebUI] Not able to unprovisioning service in IPA 4.1 (#1168214) - webui: increase notification duration (#1171089) - RHEL7.1 ipa automatic CA cert renewal stuck in submitting state (#1166931) - 
RHEL7.1 ipa-cacert-manage cannot change external to self-signed ca cert (#1170003) - Improve validation of --instance and --backend options in ipa-restore (#951581) - RHEL7.1 ipa replica unable to replicate to rhel6 master (#1167964) - Disable TLS 1.2 in nss.conf until mod_nss supports it (#1156466)- Use NSS protocol range API to set available TLS protocols (#1156466)- schema update on RHEL-6.6 using latest copy-schema-to-ca.py from RHEL-7.1 build fails (#1167196) - Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756) - "ipa trust-add ... " cmd says : (Trust status: Established and verified) while in the logs we see "WERR_ACCESS_DENIED" during verification step. (#1144121) - POODLE: force using safe ciphers (non-SSLv3) in IPA client and server (#1156466) - Add support/hooks for a one-time password system like SecureID in IPA (#919228) - Tracebacks with latest build for --zonemgr cli option (#1167270) - ID Views: Support migration from the sync solution to the trust solution (#891984)- Improve otptoken help messages (#919228) - Ensure users exist when assigning tokens to them (#919228) - Enable QR code display by default in otptoken-add (#919228) - Show warning instead of error if CA did not start (#1158410) - CVE-2014-7850 freeipa: XSS flaw can be used to escalate privileges (#1165774) - Traceback when adding zone with long name (#1164859) - Backup & Restore mechanism (#951581) - ignoring user attributes in migrate-ds does not work if uppercase characters are returned by ldap (#1159816) - Allow ipa-getkeytab to optionally fetch existing keys (#1007367) - Failure when installing on dual stacked system with external ca (#1128380) - ipa-server should keep backup of CS.cfg (#1059135) - Tracebacks with latest build for --zonemgr cli option (#1167270) - webui: use domain name instead of domain SID in idrange adder dialog (#891984) - webui: normalize idview tab labels (#891984)- ipa-csreplica-manage connect fails (#1157735) - error message which is not 
understandable when IDNA2003 characters are present in --zonemgr (#1163849) - Fix warning message should not contain CLI commands (#1114013) - Renewing the CA signing certificate does not extend its validity period end (#1163498) - RHEL7.1 ipa-server-install --uninstall Could not set SELinux booleans for httpd (#1159330)- Fix: DNS installer adds invalid zonemgr email (#1056202) - ipaplatform: Use the dirsrv service, not target (#951581) - Fix: DNS policy upgrade raises asertion error (#1161128) - Fix upgrade referint plugin (#1161128) - Upgrade: fix trusts objectclass violationi (#1161128) - group-add doesn't accept gid parameter (#1149124)- Update slapi-nis dependency to pull 0.54-2 (#891984) - ipa-restore: Don't crash if AD trust is not installed (#951581) - Prohibit setting --rid-base for ranges of ipa-trust-ad-posix type (#1138791) - Trust setting not restored for CA cert with ipa-restore command (#1159011) - ipa-server-install fails when restarting named (#1162340)- Update Requires on pki-ca to 10.1.2-4 (#1129558) - build: increase java stack size for all arches - Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides (#891984) - Fix dns zonemgr validation regression (#1056202) - Handle profile changes in dogtag-ipa-ca-renew-agent (#886645) - Do not wait for new CA certificate to appear in LDAP in ipa-certupdate (#886645) - Add bind-dyndb-ldap working dir to IPA specfile - Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage (#886645) - Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756) - Deadlock in schema compat plugin (#1161131) - ipactl stop should stop dirsrv last (#1161129) - Upgrade 3.3.5 to 4.1 failed (#1161128) - CVE-2014-7828 freeipa: password not required when OTP in use (#1160877)- Do not check if port 8443 is available in step 2 of external CA install (#1129481)- Update Requires on selinux-policy to 3.13.1-4- Update to upstream 4.1.0 (#1109726)- Update to upstream 4.1.0 Alpha 1 (#1109726)- Add 
redhat-access-plugin-ipa dependency- Re-enable otptoken_yubikey plugin- Update to upstream 4.0.3 (#1109726)- Server installation fails using external signed certificates with "IndexError: list index out of range" (#1111320) - Add rhino to BuildRequires to fix Web UI build error- ipa-client-automount fails with incompatibility error when installed against older IPA server (#1083108)- Proxy PKI URI /ca/ee/ca/profileSubmit to enable replication with future PKI versions (#1080865)- When IdM server trusts multiple AD forests, IPA client returns invalid group membership info (#1079498)- Deletion of active subdomain range should not be allowed (#1075615)- PKI database is ugraded during replica installation (#1075118)- Unable to add trust successfully with --trust-secret (#1075704)- ipa-replica-install never checks for 7389 port (#1075165) - Non-terminated string may be passed to LDAP search (#1075091) - ipa-sam may fail to translate group SID into GID (#1073829) - Excessive LDAP calls by ipa-sam during Samba FS operations (#1075132)- Do not fetch a principal two times, remove potential memory leak (#1070924)- trustdomain-find with pkey-only fails (#1068611) - Invalid credential cache in trust-add (#1069182) - ipa-replica-install prints unexpected error (#1069722) - Too big font in input fields in details facet in Firefox (#1069720) - trust-add for POSIX AD does not fetch trustdomains (#1070925) - Misleading trust-add error message in some cases (#1070926) - Access is not rejected for disabled domain (#1070924)- Remove ipa-backup and ipa-restore functionality from RHEL (#1003933)- Display server name in ipa command's verbose mode (#1061703) - Remove sourcehostcategory from default HBAC rule (#1061187) - dnszone-add cannot add classless PTR zones (#1058688) - Move ipa-otpd socket directory to /var/run/krb5kdc (#1063850)- Lockout plugin crashed during ipa-server-install (#912725)- Fallback to global policy in ipa lockout plugin (#912725) - Migration does not add users to 
default group (#903232)- Mass rebuild 2014-01-24- Fix NetBIOS name generation in CLDAP plugin (#1030517)- Do not add krbPwdPolicyReference for new accounts, hardcode it (#1045218) - Increase default timeout for IPA services (#1033273) - Error while running trustdomain-find (#1054376) - group-show lists SID instead of name for external groups (#1054391) - Fix IPA server NetBIOS name in samba configuration (#1030517) - dnsrecord-mod produces missing API version warning (#1054869) - Hide trust-resolve command as internal (#1052860) - Add Trust domain Web UI (#1054870) - ipasam cannot delete multiple child trusted domains (#1056120)- Missing objectclasses when empty password passed to host-add (#1052979) - sudoOrder missing in sudoers (#1052983) - Missing examples in sudorule help (#1049464) - Client automount does not uninstall when fstore is empty (#910899) - Error not clear for invalid realm given to trust-fetch-domains (#1052981) - trust-fetch-domains does not add idrange for subdomains found (#1049926) - Add option to show if an AD subdomain is enabled/disabled (#1052973) - ipa-adtrust-install still failed with long NetBIOS names (#1030517) - Error not clear for invalid relam given to trustdomain-find (#1049455) - renewed client cert not recognized during IPA CA renewal (#1033273)- hbactest does not work for external users (#848531)- PKI service restart after CA renewal failed (#1040018)- Move ipa-tests package to separate srpm (#1032668)- Fix status trust-add command status message (#910453) - NetBIOS was not trimmed at 15 characters (#1030517) - Harden CA subsystem certificate renewal on CA clones (#1040018)- Mass rebuild 2013-12-27- Remove "Listen 443 http" hack from deployed nss.conf (#1029046) - Re-adding existing trust fails (#1033216) - IPA uninstall exits with a samba error (#1033075) - Added RELRO hardening on /usr/libexec/ipa-otpd (#1026260) - Fixed ownership of /usr/share/ipa/ui/js (#1026260) - ipa-tests: support external names for hosts (#1032668) - 
ipa-client-install fail due fail to obtain host TGT (#1029354)- Trust add tries to add same value of --base-id for sub domain, causing an error (#1033068) - Improved error reporting for adding trust case (#1029856)- Winsync agreement cannot be created (#1023085)- Installer did not detect different server and IPA domain (#1026845) - Allow kernel keyring CCACHE when supported (#1026861)- ipa-server-install crashes when AD subpackage is not installed (#1026434)- Update to upstream 3.3.3 (#991064)- Temporarily move ipa-backup and ipa-restore functionality back to make them available in public Beta (#1003933)- Server install failure during client enrollment shouldn't roll back (#1023086) - nsds5ReplicaStripAttrs are not set on agreements (#1023085) - ipa-server conflicts with mod_ssl (#1018172)- Reinstalling ipa server hangs when configuring certificate server (#1018804)- Deprecate --serial-autoincrement option (#1016645) - CA installation always failed on replica (#1005446) - Re-initializing a winsync connection exited with error (#994980)- Update to upstream 3.3.2 (#991064) - Add delegation info to MS-PAC (#915799) - Warn about incompatibility with AD when IPA realm and domain differs (#1009044) - Allow PKCS#12 files with empty password in install tools (#1002639) - Privilege "SELinux User Map Administrators" did not list permissions (#997085) - SSH key upload broken when client joins an older server (#1009024)- Remove dependency on python-paramiko (#1002884) - Broken redirection when deleting last entry of DNS resource record (#1006360)- Remove ipa-backup and ipa-restore functionality from RHEL (#1003933)- Replica installation fails for RHEL 6.4 master (#1004680) - Server uninstallation crashes if DS is not available (#998069)- Unable to remove replica by ipa-replica-manage (#1001662) - Before uninstalling a server, warn about active replicas (#998069)- Update to upstream 3.3.1 (#991064) - Update minimum version of bind-dyndb-ldap to 3.5- Fix replica installation 
failing on certificate subject (#983075)- Allow ipa-tests to work with older version (1.7.7) of python-paramiko- Prevent multilib failures in *.pyo and *.pyc files- ipa-server-install fails if --subject parameter is other than default realm (#983075) - do not allow configuring bind-dyndb-ldap without persistent search (#967876)- diffstat was missing as a build dependency causing multilib problems- Remove ipa-server-selinux obsoletes as upgrades from version prior to 3.3.0 are not allowed - Wrap server-trust-ad subpackage description better - Add (noreplace) flag for %{_sysconfdir}/tmpfiles.d/ipa.conf - Change permissions on default_encoding_utf8.so to fix ipa-python Provides- Update to upstream 3.3.0 (#991064)- Require slapi-nis 0.47.7 delivering a core feature of 3.3.0 release- Update to upstream 3.3.0 Beta 2 (#991064)- Update to upstream 3.2.2 - Drop ipa-server-selinux subpackage - Drop redundant directory /var/cache/ipa/sessions - Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost - Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency issues when there are still old parts of software (like entitlements plugin)- Update to upstream 3.2.1 - Drop dogtag-pki-server-theme requires, it won't be build for RHEL-7.0- Add OTP patches - Add patch to set KRB5CCNAME for 389-ds-base- Update to upstream 3.2.0 GA - ipa-client-install fails if /etc/ipa does not exist (#961483) - Certificate status is not visible in Service and Host page (#956718) - ipa-client-install removes needed options from ldap.conf (#953991) - Handle socket.gethostbyaddr() exceptions when verifying hostnames (#953957) - Add triggerin scriptlet to support OpenSSH 6.2 (#953617) - Require nss 3.14.3-12.0 to address certutil certificate import errors (#953485) - Require pki-ca 10.0.2-3 to pull in fix for sslget and mixed IPv4/6 environments. 
(#953464) - ipa-client-install removes 'sss' from /etc/nsswitch.conf (#953453) - ipa-server-install --uninstall doesn't stop dirsrv instances (#953432) - Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON behavior for socket based connections (#960222) - Require libsss_nss_idmap-python - Add Conflicts on nss-pam-ldapd < 0.8.4. The mapping from uniqueMember to member is now done automatically and having it in the config file raises an error. - Add backup and restore tools, directory. - require at least systemd 38 which provides the journal (we no longer need to require syslog.target) - Update Requires on policycoreutils to 2.1.14-37 - Update Requires on selinux-policy to 3.12.1-42 - Update Requires on 389-ds-base to 1.3.1.0 - Remove a Requires for java-atk-wrapper- Remove release from krb5-server in strict sub-package to allow for rebuilds.- Add a Requires for java-atk-wrapper until we can determine which package should be pulling it in, dogtag or tomcat.- Update to upstream 3.2.0 Beta 1- Update to upstream 3.2.0 Prerelease 1 - Use upstream reference spec file as a base for Fedora spec file- Rebuild for broken deps - Fix 389-ds-base strict dep to be 1.3.0.5 and krb5-server 1.11.1- Rebuild for broken deps in rawhide - Fix 389-ds-base strict dep to be 1.3.0.3- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild- Update to upstream 3.1.2 - CVE-2012-4546: Incorrect CRLs publishing - CVE-2012-5484: MITM Attack during Join process - CVE-2013-0199: Cross-Realm Trust key leak - Updated strict dependencies to 389-ds-base = 1.3.0.2 and pki-ca = 10.0.1- Remove redundat Requires versions that are already in Fedora 17 - Replace python-crypto Requires with m2crypto - Add missing Requires(post) for client and server-trust-ad subpackages - Restart httpd service when server-trust-ad subpackage is installed - Bump selinux-policy Requires to pick up PKI/LDAP port labeling fixes- Updated to upstream 3.1.0 GA - Set minimum for sssd to 1.9.2 - Set minimum for 
pki-ca to 10.0.0-1 - Set minimum for 389-ds-base to 1.3.0 - Set minimum for selinux-policy to 3.11.1-60 - Remove unneeded dogtag package requires- Update Requires on krb5-server to 1.11- Configure CA replication to use TLS instead of SSL- Updated to upstream 3.0.0 GA - Set minimum for samba to 4.0.0-153. - Make sure server-trust-ad subpackage alternates winbind_krb5_locator.so plugin to /dev/null since they cannot be used when trusts are configured - Restrict krb5-server to 1.10. - Update BR for 389-ds-base to 1.3.0 - Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca - Add Requires on zip for generating FF browser extension- Updated to upstream 3.0.0 rc 2 - Include new FF configuration extension - Set minimum Requires of selinux-policy to 3.11.1-33 - Set minimum Requires dogtag to 10.0.0-0.43.b1 - Add new optional strict sub-package to allow users to limit other package upgrades.- Require samba packages instead of obsoleted samba4 packages- Updated to upstream 3.0.0 rc 1 - Update BR for 389-ds-base to 1.2.11.14 - Update BR for krb5 to 1.10 - Update BR for samba4-devel to 4.0.0-139 (rc1) - Add BR for python-polib - Update BR and Requires on sssd to 1.9.0 - Update Requires on policycoreutils to 2.1.12-5 - Update Requires on 389-ds-base to 1.2.11.14 - Update Requires on selinux-policy to 3.11.1-21 - Update Requires on dogtag to 10.0.0-0.33.a1 - Update Requires on certmonger to 0.60 - Update Requires on tomcat to 7.0.29 - Update minimum version of bind to 9.9.1-10.P3 - Update minimum version of bind-dyndb-ldap to 1.1.0-0.16.rc1 - Remove Requires on authconfig from python sub-package- Rebuild against samba4 beta8- Rebuild against samba4 beta7- Adopt to samba4 beta6 (libsecurity -> libsamba-security) - Add dependency to samba4-winbind- Updated to upstream 3.0.0 beta 2- Updated to current upstream state of 3.0.0 beta 2 development- Rebuild against samba4 beta4- Updated to upstream 3.0.0 beta 1- Updated to upstream 2.2.0 GA - Update minimum n-v-r of 
certmonger to 0.53 - Update minimum n-v-r of slapi-nis to 0.40 - Add Requires in client to oddjob-mkhomedir and python-krbV - Update minimum selinux-policy to 3.10.0-110- Update to upstream 2.2.0 beta 1 (2.1.90.rc1) - Set minimum n-v-r for pki-ca and pki-silent to 9.0.18. - Add Conflicts on mod_ssl - Update minimum n-v-r of 389-ds-base to 1.2.10.4 - Update minimum n-v-r of sssd to 1.8.0 - Update minimum n-v-r of slapi-nis to 0.38 - Update minimum n-v-r of pki-* to 9.0.18 - Update conflicts on bind-dyndb-ldap to < 1.1.0-0.9.b1 - Update conflicts on bind to < 9.9.0-1 - Drop requires on krb5-server-ldap - Add patch to remove escaping arguments to pkisilent- Update to upstream 2.2.0 alpha 1 (2.1.90.pre1)- Force to use 389-ds 1.2.10-0.8.a7 or above - Improve upgrade script to handle systemd 389-ds change - Fix freeipa to work with python-ldap 2.4.6- Fix ipa-replica-install crashes - Fix ipa-server-install and ipa-dns-install logging - Set minimum version of pki-ca to 9.0.17 to fix sslget problem caused by FEDORA-2011-17400 update (#771357)- Allow Web-based migration to work with tightened SE Linux policy (#769440) - Rebuild slapi plugins against re-enterant version of libldap- Allow longer dirsrv startup with systemd: - IPAdmin class will wait until dirsrv instance is available up to 10 seconds - Helps with restarts during upgrade for ipa-ldap-updater - Fix pylint warnings from F16 and Rawhide- Update to upstream 2.1.4 (CVE-2011-3636)- Update SELinux policy to allow ipa_kpasswd to connect ldap and read /dev/urandom. 
(#759679)- Fix wrong path in packaging freeipa-systemd-upgrade- Introduce upgrade script to recover existing configuration after systemd migration as user has no means to recover FreeIPA from systemd migration - Upgrade script: - recovers symlinks in Dogtag instance install - recovers systemd configuration for FreeIPA's directory server instances - recovers freeipa.service - migrates directory server and KDC configs to use proper keytabs for systemd services- Rebuilt for glibc bug#747377- clean up spec - Depend on sssd >= 1.6.2 for better user experience- Fix Fedora package changelog after merging systemd changes- Fix postin scriplet for F-15/F-16- 2.1.3- Default to systemd for Fedora 16 and onwards- Update to upstream 2.1.0- Fix bug #702633- Update minimum selinux-policy to 3.9.16-18 - Update minimum pki-ca and pki-selinux to 9.0.7 - Update minimum 389-ds-base to 1.2.8.0-1 - Update to upstream 2.0.1- Update to upstream GA release - Automatically apply updates when the package is upgraded- Update to upstream freeipa-2.0.0.rc2 - Set minimum version of python-nss to 0.11 to make sure IPv6 support is in - Set minimum version of sssd to 1.5.1 - Patch to include SuiteSpotGroup when setting up 389-ds instances - Move a lot of BuildRequires so this will build with ONLY_CLIENT enabled- Set the N-V-R so rc1 is an update to beta2.- Set minimum version of sssd to 1.5.1 - Update to upstream freeipa-2.0.0.rc1 - Move server-only binaries from admintools subpackage to server- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Set min version of 389-ds-base to 1.2.8 - Set min version of mod_nss 1.0.8-10 - Set min version of selinux-policy to 3.9.7-27 - Add dogtag themes to Requires - Update to upstream freeipa-2.0.0.pre2- Remove unnecessary moving of v1 CA serial number file in post script - Add Obsoletes for server-selinxu subpackage - Using git snapshot 442d6ad30ce1156914e6245aa7502499e50ec0da- Prepare spec file for release - Using git snapshot 
80e87e75bd6ab56e3e20c49ece55bd4d52f1a503- Re-arrange doc and defattr to clean up rpmlint warnings - Remove conditionals on older releases - Move some man pages into admintools subpackage - Remove some explicit Requires in client that aren't needed - Consistent use of buildroot vs RPM_BUILD_ROOT- Moved directory install/static to install/ui- Remove dependency on nss_ldap/nss-pam-ldapd - The official client is sssd and that's what we use by default.- Remove radius subpackages- Set minimum pki-ca and pki-silent versions to 9.0.0- Drop BuildRequires on mozldap-devel- Add Requires on krb5-pkinit-openssl- Add ipa-host-net-manage script- Add ipa init script- Set minimum level of 389-ds-base to 1.2.7 for enhanced memberof plugin- remove ipa-fix-CVE-2008-3274- Remove duplicate %files entries on share/ipa/static - Add python default encoding shared library- Drop requires on python-configobj (not used any more) - Drop ipa-ldap-updater message, upgrades are done differently now- Drop conflicts on mod_nss - Require nss-pam-ldapd on F-14 or higher instead of nss_ldap (#606847) - Drop a slew of conditionals on older Fedora releases (< 12) - Add a few conditionals against RHEL 6 - Add Requires of nss-tools on ipa-client- Set minimum version of certmonger to 0.26 (to pck up #621670) - Set minimum version of pki-silent to 1.3.4 (adds -key_algorithm) - Set minimum version of pki-ca to 1.3.6 - Set minimum version of sssd to 1.2.1- Add BuildRequires for authconfig- Bump up minimum version of python-nss to pick up nss_is_initialize() API- Removed python-asset based webui- Change Requires from fedora-ds-base to 389-ds-base - Set minimum level of 389-ds-base to 1.2.6 for the replication version plugin.- Drop Requires of python-krbV on ipa-client- Load ipa_dogtag.pp in post install- Set minimum level of sssd to 1.1.1 to pull in required hbac fixes.- No need to create /var/log/ipa_error.log since we aren't using TurboGears any more.- Fixed share/ipa/wsgi.py so .pyc, .pyo files are included- 
Added Require mod_wsgi, added share/ipa/wsgi.py- Require python-wehjit >= 0.2.2- Add sssd and certmonger as a Requires on ipa-client- Require python-wehjit >= 0.2.0- Add ipa-rmkeytab tool- Set minimum of python-pyasn1 to 0.0.9a so we have support for the ASN.1 Any type- Remove v1-style /etc/ipa/ipa.conf, replacing with /etc/ipa/default.conf- Add bash completion script and own /etc/bash_completion.d in case it doesn't already exist- Remove ipa_webgui, its functions rolled into ipa_httpd- Removed python-cherrypy from BuildRequires and Requires - Added Requires python-assets, python-wehjit- Added httpd SELinux policy so CRLs can be read- Move ipalib to ipa-python subpackage - Bump minimum version of slapi-nis to 0.15- Set 0.14 as minimum version for slapi-nis- Add Requires: python-nss to ipa-python sub-package- Remove the IPA DNA plugin, use the DS one- Build radius separately - Fix a few minor issues- Replace TurboGears requirement with python-cherrypy- rebuild with new openssl- Fix SELinux code- Fix breakage caused by python-kerberos update to 1.1- New upstream release 1.2.1- Rebuild for Python 2.6- Respin after the tarball has been re-released upstream New hash is 506c9c92dcaf9f227cba5030e999f177- Conditionally restart also dirsrv and httpd when upgrading- Update to upstream version 1.2.0 - Set fedora-ds-base minimum version to 1.1.3 for winsync header - Set the minimum version for SELinux policy - Remove references to Fedora 7- Fix for CVE-2008-3274 - Fix segfault in ipa-kpasswd in case getifaddrs returns a NULL interface - Add fix for bug #453185 - Rebuild against openldap libraries, mozldap ones do not work properly - TurboGears is currently broken in rawhide. 
Added patch to not build the UI locales and removed them from the ipa-server files section.- Add call to /usr/sbin/upgradeconfig to post install- Update to upstream version 1.1.0 - Patch for indexing memberof attribute - Patch for indexing uidnumber and gidnumber - Patch to change DNA default values for replicas - Patch to fix uninitialized variable in ipa-getkeytab- Set fedora-ds-base minimum version to 1.1.0.1-4 and mod_nss minimum version to 1.0.7-4 so we pick up the NSS fixes. - Add selinux-policy-base(post) to Requires (446496)- Add missing entry for /var/cache/ipa/kpasswd (444624) - Added patch to fix permissions problems with the Apache NSS database. - Added patch to fix problem with DNS querying where the query could be returned as the answer. - Fix spec error where patch1 was in the wrong section- Added patch to fix problem reported by ldapmodify- Fix Requires for krb5-server that was missing for Fedora versions > 9 - Remove quotes around test for fedora version to package egg-info- Update to upstream version 1.0.0- Pull upstream changelog 722 - Add Conflicts mod_ssl (435360)- Pull upstream changelog 698 - Fix ownership of /var/log/ipa_error.log during install (435119) - Add pwpolicy command and man page- Pull upstream changelog 678 - Add new subpackage, ipa-server-selinux - Add Requires: authconfig to ipa-python (bz #433747) - Package i18n files- Pull upstream changelog 641 - Require minimum version of krb5-server on F-7 and F-8 - Package some new files- Marked with wrong license. 
IPA is GPLv2.- Ensure that /etc/ipa exists before moving user-modifiable html files there - Put html files into /etc/ipa/html instead of /etc/ipa- Pull upstream changelog 608 which renamed several files- package the sessions dir /var/cache/ipa/sessions - Pull upstream changelog 597- Updated upstream pull (596) to fix bug in ipa_webgui that was causing the UI to not start.- Included LICENSE and README in all packages for documentation - Move user-modifiable content to /etc/ipa and linked back to /usr/share/ipa/html - Changed some references to /usr to the {_usr} macro and /etc to {_sysconfdir} - Added popt-devel to BuildRequires for Fedora 8 and higher and popt for Fedora 7 - Package the egg-info for Fedora 9 and higher for ipa-python- Added auto* BuildRequires- Unified spec file- Fixed License in specfile - Include files from /usr/lib/python*/site-packages/ipaserver- Version bump for release- Preverse mode on ipa-keytab-util - Version bump for relase and rpm name change- Broke invididual Requires and BuildRequires onto separate lines and reordered them - Added python-tgexpandingformwidget as a dependency - Require at least fedora-ds-base 1.1- Version bump for release- Add dep for freeipa-admintools and acl- Add dependency for python-krbV- Require mod_nss-1.0.7-2 for mod_proxy fixes- Convert to autotools-based build* Fri Sep 7 2007 Karl MacMillan - 0.3.0-1 - Added support for libipa-dna-plugin- Added support for ipa_kpasswd and ipa_pwd_extop- Abstracted client class to work directly or over RPC- Add mod_auth_kerb and cyrus-sasl-gssapi to Requires - Remove references to admin server in ipa-server-setupssl - Generate a client certificate for the XML-RPC server to connect to LDAP with - Create a keytab for Apache - Create an ldif with a test user - Provide a certmap.conf for doing SSL client authentication- Initial rpm version/bin/sh/bin/sh/bin/shfreeipa-server-trust-ad 4.5.44.5.4-10.sl7_5.14.5.4-10.sl7_5.14.5.4 
oddjob-ipa-trust.confoddjobd-ipa-trust.confwinbind_krb5_locator.soipasam.socom.redhat.idm.trust-fetch-domainsipa-adtrust-installipa-server-trust-ad-4.5.4Contributors.txtREADME.mdsmb.conf.emptyipa-server-trust-ad-4.5.4COPYINGipa-adtrust-install.1.gz/etc/dbus-1/system.d//etc/oddjobd.conf.d//usr/lib64/krb5/plugins/libkrb5//usr/lib64/samba/pdb//usr/libexec/ipa/oddjob//usr/sbin//usr/share/doc//usr/share/doc/ipa-server-trust-ad-4.5.4//usr/share/ipa//usr/share/licenses//usr/share/licenses/ipa-server-trust-ad-4.5.4//usr/share/man/man1/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericcpioxz9x86_64-redhat-linux-gnuexported SGML document, ASCII textXML 1.0 document, ASCII textemptyELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=5fbe445229589e23e4535f25ce3ad026971d47b0, strippedPython script, ASCII text executabledirectoryUTF-8 Unicode textASCII texttroff or preprocessor input, ASCII text (gzip compressed data, from Unix, max compression)./.RR+R)RRR.R/R-R4RRRR R RR R6R%R RR'RR(R7R5R,R&R*R3RRRRRRR1R0RR!R#R"RR$RR R>RRpython2 -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1 if [ $? -eq 0 ]; then # NOTE: systemd specific section /bin/systemctl try-restart httpd.service >/dev/null 2>&1 || : # END fi/bin/sh?7zXZ !XEW] crv(vX0z"nHFY8u@&; $! ( o_#RxL!@1"р4eaz2xJ>1Հ_έr\?7&t.Za a2=A{<0Q6|utYչR97.S 6-y_jT\o=/[ _}љ[J+Xd2Ibt K޼M"w A9G9$sl e&YmV.^^JťLFL=mp|%茄[΃7Ole;~k k;8zzG#PBO.{zh"?M9 |nIb7&1w~o[եCuLRīoywW"$bGo52LT\7o2ʊA&9aWr-UuKk,ZŊNvν Ht% :NCh9kJJu:'! 