sssd-ad-1.16.4-21.el7_7.3> H HtxHF^p ?*}}~hkBdLL73`C8/WHmhKDž<$257dc0a10941fa688560d1d2abecea40c6cd5d1e d*R$Q:~Lɛ謆ٸF^p ?*}}R2-RZb14'$r]_*5l(Fl7><?d   8  2OU\t     &Dd|KK K   !( 08 8"9":{ "GhHIXY\]^4bdefltuvwx4yLYCsssd-ad1.16.421.el7_7.3The AD back end of the SSSDProvides the Active Directory back end that the SSSD can utilize to fetch identity data from and authenticate against an Active Directory server.^pasl7.fnal.govScientific LinuxScientific LinuxGPLv3+Scientific LinuxApplications/Systemhttps://pagure.io/SSSD/sssd/linuxx86_648xK0?BA큤^pI^pI^p^\/^p6^p602e0bb26f9060a3f039e206960a36e73e538af3b5486e01931692c2c4ff0de7c0ee0f0c4cc20785dd5e8dc88fbfecaadecd8f9372364f97c1ea0efa88971daad8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903d7bb7d2d20dbafc4616eb00d4d1dfd85afe2a5221a25225e51ae991d20554004dd755dbe905458b037057f9b8704ed4b323d88068ca8c804981169d85ce68fc4rootrootrootrootrootrootrootrootrootrootrootrootsssd-1.16.4-21.el7_7.3.src.rpmlibsss_ad.so()(64bit)sssd-adsssd-ad(x86-64)@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@   @ bind-utilslibbasicobjects.so.0()(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcollection.so.2()(64bit)libcom_err.so.2()(64bit)libcrypto.so.10()(64bit)libdbus-1.so.3()(64bit)libdhash.so.1()(64bit)libdhash.so.1(DHASH_0.4.3)(64bit)libdl.so.2()(64bit)libglib-2.0.so.0()(64bit)libini_config.so.3()(64bit)libini_config.so.3(INI_CONFIG_1.1.0)(64bit)libk5crypto.so.3()(64bit)libkeyutils.so.1()(64bit)libkrb5.so.3()(64bit)liblber-2.4.so.2()(64bit)libldap-2.4.so.2()(64bit)libldb.so.1()(64bit)libldb.so.1(LDB_0.9.10)(64bit)libndr-krb5pac.so.0()(64bit)libndr-krb5pac.so.0(NDR_KRB5PAC_0.0.1)(64bit)libndr-nbt.so.0()(64bit)libndr-nbt.so.0(NDR_NBT_0.0.1)(64bit)libndr-standard.so.0()(64bit)libndr.so.0()(64bit)libndr.so.0(NDR_0.0.1)(64bit)libnspr4.so()(64bit)libnss3.so()(64bit)libnssutil3.so()(64bit)libpcre.so.1()(64bit)libplc4.so()(64bit)libplds4.so()(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libref_array.so.1()(64bit)librt.so.1()(64bit)libsamba-util.so.0()(64bit)libsasl2.so.3()(64bit)libselinux.so.1()(64bit)libsmbclient.so.0()(64bit)libsmbclient.so.0(SMBCLIENT_0.1.0)(64bit)libsmime3.so()(64bit)libssl3.so()(64bit)libsss_cert.so()(64bit)libsss_certmap.so.0()(64bit)libsss_child.so()(64bit)libsss_crypt.so()(64bit)libsss_debug.so()(64bit)libsss_idmap.so.0()(64bit)libsss_idmap.so.0(SSS_IDMAP_0.4)(64bit)libsss_krb5_common.so()(64bit)libsss_ldap_common.so()(64bit)libsss_util.so()(64bit)libsystemd.so.0()(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb.so.1()(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rtld(GNU_HASH)sssd-commonsssd-common-pacsssd-krb5-commonrpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-11.16.4-21.el7_7.31.16.4-21.el7_7.31.16.4-21.el7_7.35.2-1sssd1.10.0-8.beta24.11.3^[^E:@]\Q\Q\"\"\"\\\r@\r@\r@\\\\\\\\\\\|\+@[@[_[@[@[l,[b@[a[Y[Y[H@[E@[6@[0@[,[,[d@[[Z@Z@ZmZ@Z_@Z_@Z@ZyZhu@Z3@Z2gZ.s@Z*~Z'Z!D@ZZ@Z Z @Z7ZNYZ@Y@YYJ_YJ_YC@YBvYBvY9<@Y9<@Y5GY5GY5GY5GY0Y0Y(Y(Y%uY%uY$$@Y$$@Y"Y;@YR@YR@Y Y @Y @YtYtYtYtYtYXXh@XXX@X@X@XsX@X@X@XۡXۡXXӸX,XCX@XX*X lX lX lW$WW;W;W;W֘W֘W@W^@WiWiWiW/@W/@W/@W/@WWWWQWQWQW@W@W@WhW@W@Wt@WE@WE@W@W@W@W@WW~W-@W-@W-@WW@WWu WgWDB@WDB@WDB@WBW;W;W@VbV͛@VTQ@VCV @V @V @V V@VBVBVBVBVBUUUU@UXU@U@U@UUUUUUUUL@UL@UU@U@U@UnU@U(U@U@UUmUmU@UJ@UU7@U7@U7@U @U@U@TE@TE@TE@Tи@Tr@Tr@Tr@Tr@T}T}T}T}T}T7T7TTC@TTZ@TZ@TT@Tp@Tp@T@T{T*@T*@TTT~@T~@TuTuTto@Tto@Tto@Tto@Tto@Tto@TmTmTmTmTl@Tl@Tl@Tl@TcKTa@T\@TZ@TZ@TR(@TG@TG@TG@TG@TG@TD@T6xTTT SS@S|@Sr @Sr @Sr @Sr @S;S;S2@S2@S,)S!S L@SSS@S@S@S@S@S @S @S @S @S @S @S @S @SSSRb@Rb@Rb@R@R@R@R@RURURUR߲RRRx@Rx@Rx@RΏ@RΏ@RΏ@R=R=RkRRRR@R@R@R@R@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@RpREs@REs@R7Q@Q@Q@Q@Q@QQLQکQQQo@Q)@Q@QQ@Q@QbQyQV@Q'@QQQnQZ@Q0@QQQ@Q@QQ @QQh@PP@P@P@Pz@Pz@PqnPl(PaPaPS@PH@PDPM>M2@MMzMx@Mj - 1.16.4-21.3Michal Židek - 1.16.4-21.2Michal Židek - 1.16.4-21.1Michal Židek - 1.16.4-21Michal Židek - 1.16.4-20Jakub Hrozek - 1.16.4-19Jakub Hrozek - 1.16.4-18Jakub Hrozek - 1.16.4-17Michal Židek - 1.16.4-16Jakub Hrozek - 1.16.4-15Michal Židek - 1.16.4-14Michal Židek - 1.16.4-12Michal Židek - 1.16.4-12Michal Židek - 1.16.4-11Michal Židek - 1.16.4-10Michal Židek - 1.16.4-9Michal Židek - 1.16.4-8Michal Židek - 1.16.4-7Michal Židek - 1.16.4-6Michal Židek - 1.16.4-5Michal Židek - 1.16.4-4Michal Židek - 1.16.4-3Michal Židek - 1.16.4-2Michal Židek - 1.16.4-1Jakub Hrozek - 1.16.2-17Michal Židek - 1.16.2-16Michal Židek - 1.16.2-15Michal Židek - 1.16.2-14Jakub Hrozek - 1.16.2-13Fabiano Fidêncio - 1.16.2-12Jakub Hrozek - 1.16.2-11Jakub Hrozek - 1.16.2-10Jakub Hrozek - 1.16.2-9Jakub Hrozek - 1.16.2-8Fabiano Fidêncio - 1.16.2-7Fabiano Fidêncio - 1.16.2-6Fabiano Fidêncio - 1.16.2-5Fabiano Fidêncio - 1.16.2-4Fabiano Fidêncio - 1.16.2-3Fabiano Fidêncio - 1.16.2-2Fabiano Fidêncio - 1.16.2-1Fabiano Fidêncio - 1.16.0-25Fabiano Fidêncio - 1.16.0-24Fabiano Fidêncio - 1.16.0-23Fabiano Fidêncio - 1.16.0-22Jakub Hrozek - 1.16.0-21Fabiano Fidêncio - 1.16.0-20Fabiano Fidêncio - 1.16.0-19Fabiano Fidêncio - 1.16.0-18Fabiano Fidêncio - 1.16.0-17Fabiano Fidêncio - 1.16.0-16Fabiano Fidêncio - 1.16.0-15Fabiano Fidêncio - 1.16.0-14Fabiano Fidêncio - 1.16.0-13Fabiano Fidêncio - 1.16.0-12Fabiano Fidêncio - 1.16.0-11Fabiano Fidêncio - 1.16.0-10Fabiano Fidêncio - 1.16.0-9Fabiano Fidêncio - 1.16.0-8Fabiano Fidêncio - 1.16.0-7Fabiano Fidêncio - 1.16.0-6Fabiano Fidêncio - 1.16.0-5Fabiano Fidêncio - 1.16.0-4Fabiano Fidêncio - 1.16.0-3Fabiano Fidêncio - 1.16.0-2Fabiano Fidêncio - 1.16.0-1Jakub Hrozek - 1.15.2-51Jakub Hrozek - 1.15.2-50Jakub Hrozek - 1.15.2-49Jakub Hrozek - 1.15.2-48Jakub Hrozek - 1.15.2-47Jakub Hrozek - 1.15.2-46Jakub Hrozek - 1.15.2-45Jakub Hrozek - 1.15.2-44Jakub Hrozek - 1.15.2-43Jakub Hrozek - 1.15.2-42Jakub Hrozek - 1.15.2-41Jakub Hrozek - 1.15.2-40Jakub Hrozek - 1.15.2-39Jakub Hrozek - 1.15.2-38Jakub Hrozek - 1.15.2-37Jakub Hrozek - 1.15.2-36Jakub Hrozek - 1.15.2-35Jakub Hrozek - 1.15.2-34Jakub Hrozek - 1.15.2-33Jakub Hrozek - 1.15.2-32Jakub Hrozek - 1.15.2-31Sumit Bose - 1.15.2-30Jakub Hrozek - 1.15.2-29Jakub Hrozek - 1.15.2-28Jakub Hrozek - 1.15.2-25Jakub Hrozek - 1.15.2-24Lukas Slebodnik - 1.15.2-23Jakub Hrozek - 1.15.2-22Jakub Hrozek - 1.15.2-21Jakub Hrozek - 1.15.2-20Jakub Hrozek - 1.15.2-19Jakub Hrozek - 1.15.2-18Jakub Hrozek - 1.15.2-17Jakub Hrozek - 1.15.2-16Jakub Hrozek - 1.15.2-15Jakub Hrozek - 1.15.2-14Jakub Hrozek - 1.15.2-13Jakub Hrozek - 1.15.2-12Jakub Hrozek - 1.15.2-11Jakub Hrozek - 1.15.2-10Jakub Hrozek - 1.15.2-9Jakub Hrozek - 1.15.2-8Jakub Hrozek - 1.15.2-7Jakub Hrozek - 1.15.2-6Jakub Hrozek - 1.15.2-5Jakub Hrozek - 1.15.2-4Jakub Hrozek - 1.15.2-3Jakub Hrozek - 1.15.2-2Jakub Hrozek - 1.15.2-1Fabiano Fidêncio - 1.15.1-2Jakub Hrozek - 1.15.1-1Jakub Hrozek - 1.15.0-2Jakub Hrozek - 1.15.0-1Jakub Hrozek - 1.14.0-46Jakub Hrozek - 1.14.0-45Jakub Hrozek - 1.14.0-44Jakub Hrozek - 1.14.0-43Jakub Hrozek - 1.14.0-42Jakub Hrozek - 1.14.0-41Jakub Hrozek - 1.14.0-40Jakub Hrozek - 1.14.0-39Jakub Hrozek - 1.14.0-38Jakub Hrozek - 1.14.0-37Jakub Hrozek - 1.14.0-36Jakub Hrozek - 1.14.0-35Jakub Hrozek - 1.14.0-34Jakub Hrozek - 1.14.0-33Jakub Hrozek - 1.14.0-32Jakub Hrozek - 1.14.0-31Jakub Hrozek - 1.14.0-30Jakub Hrozek - 1.14.0-29Jakub Hrozek - 1.14.0-28Jakub Hrozek - 1.14.0-27Jakub Hrozek - 1.14.0-26Jakub Hrozek - 1.14.0-25Jakub Hrozek - 1.14.0-24Jakub Hrozek - 1.14.0-23Jakub Hrozek - 1.14.0-22Jakub Hrozek - 1.14.0-21Jakub Hrozek - 1.14.0-20Jakub Hrozek - 1.14.0-19Jakub Hrozek - 1.14.0-18Jakub Hrozek - 1.14.0-17Jakub Hrozek - 1.14.0-16Jakub Hrozek - 1.14.0-15Jakub Hrozek - 1.14.0-14Jakub Hrozek - 1.14.0-13Jakub Hrozek - 1.14.0-12Jakub Hrozek - 1.14.0-11Jakub Hrozek - 1.14.0-10Jakub Hrozek - 1.14.0-9Jakub Hrozek - 1.14.0-8Jakub Hrozek - 1.14.0-7Jakub Hrozek - 1.14.0-6Jakub Hrozek - 1.14.0-5Jakub Hrozek - 1.14.0-4Jakub Hrozek - 1.14.0-3Jakub Hrozek - 1.14.0-2Jakub Hrozek - 1.14.0-1Jakub Hrozek - 1.14.0beta1-2Jakub Hrozek - 1.14.0alpha-1Jakub Hrozek - 1.13.0-50Jakub Hrozek - 1.13.0-49Jakub Hrozek - 1.13.0-48Jakub Hrozek - 1.13.0-47Jakub Hrozek - 1.13.0-46Jakub Hrozek - 1.13.0-45Jakub Hrozek - 1.13.0-44Jakub Hrozek - 1.13.0-43Jakub Hrozek - 1.13.0-42Jakub Hrozek - 1.13.0-41Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 1.12.2-58.3Jakub Hrozek - 1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 1.11.2-52Jakub Hrozek - 1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Resolves: rhbz#1807934 - sssd failover leads to delayed and failed logins [rhel-7.7.z]- Resolves: rhbz#1801207 - id command taking 1+ minute for returning user information [rhel-7.7.z] (- Resolves: rhbz#1758566 - negative cache does not use values from 'filter_users' config option for known domains [rhel-7.7.z]- Resolves: rhbz#1714952 - [sssd] RHEL 7.7 Tier 0 Localization - Rebuild japanese gmo file explicitly- Resolves: rhbz#1714952 - [sssd] RHEL 7.7 Tier 0 Localization- Resolves: rhbz#1707959 - sssd does not properly check GSS-SPNEGO- Resolves: rhbz#1710286 - The server error message is not returned if password change fails- Resolves: rhbz#1711832 - The files provider does not handle resetOffline properly- Resolves: rhbz#1707759 - Error accessing files on samba share randomly- Resolves: rhbz#1685581 - Extend cached_auth_timeout to cover subdomains /trusts- Resolves: rhbz#1684979 - The HBAC code requires dereference to be enabled and fails otherwise- Resolves: rhbz#1576524 - RHEL STIG pointing sssd Packaging issue - This was partially fixed by the rebase, but one spec file change was missing.- Resolves: rhbz#1524566 - FIPS mode breaks using pysss.so (sss_obfuscate)- Resolves: rhbz#1350012 - kinit / sssd kerberos fail over - Resolves: rhbz#720688 - [RFE] return multiple server addresses to the Kerberos locator plugin- Resolves: rhbz#1402056 - [RFE] Make 2FA prompting configurable- Resolves: rhbz#1666819 - SSSD can trigger a NSS lookup when parsing the filter_users/groups lists on startup, this can block the startup- Resolves: rhbz#1645461 - Slow ldb search causes blocking during startup which might cause the registration to time out- Resolves: rhbz#1685581 - Extend cached_auth_timeout to cover subdomains / trusts- Resolves: rhbz#1671138 - User is unable to perform sudo as a user on IPA Server, even though `sudo -l` shows permissions to do so- Resolves: rhbz#1657806 - [RFE]: Optionally disable generating auto private groups for subdomains of an AD provider- Resolves: rhbz#1641131 - [RFE] Need an option in SSSD so that it will skip GPOs that have groupPolicyContainers, unreadable by SSSD. - Resolves: rhbz#1660874 - CVE-2018-16838 sssd: improper implementation of GPOs due to too restrictive permissions [rhel-7]- Resolves: rhbz#1631656 - KCM: kinit: Matching credential not found while getting default ccache- Resolves: rhbz#1406678 - sssd service is starting before network service - Resolves: rhbz#1616853 - SSSD always boots in Offline mode- Resolves: rhbz#1658994 - Rebase SSSD to 1.16.x- Resolves: rhbz#1603311 - Enable generating user private groups only for users with uid == gid where gid does not correspond to a real LDAP group- Resolves: rhbz#1602172 - SSSD's LDAP authentication provider does not work if ID provider is authenticated with GSSAPI- Resolves: rhbz#1622109 - SSSD not fetching all sudo rules from AD- Resolves: rhbz#1619706 - sssd only sets the SELinux login context if it differs from the default- Resolves: rhbz#1593756 - sssd needs to require a newer version of libtalloc and libtevent to avoid an issue in GPO processing- Resolves: rhbz#1610667 - sssd_ssh leaks file descriptors when more than one certificate is converted into an SSH key - Resolves: rhbz#1583360 - The IPA selinux provider can return an error if SELinux is completely disabled- Resolves: rhbz#1602781 - Local users failed to login with same password- Resolves: rhbz#1586127 - Spurious check in the sssd nss memcache can cause the memory cache to be skipped- Resolves: rhbz#1522928 - sssd doesn't allow user with expired password- Resolves: rhbz#1607313 - When sssd is running as non-root user, the sudo pipe is created as sssd:sssd but then the private pipe ownership fails- Resolves: rhbz#1600822 - SSSD bails out saving desktop profiles in case an invalid profile is found- Resolves: rhbz#1582975 - The search filter for detecting POSIX attributes in global catalog is too broad and can cause a high load on the servers- Resolves: rhbz#1583725 - SSSD AD uses LDAP filter to detect POSIX attributes stored in AD GC also for regular AD DC queries - Resolves: rhbz#1416528 - sssd in cross realm trust configuration should be able to use AD KDCs from a client site defined in sssd.conf or a snippet - Resolves: rhbz#1592964 - Groups go missing with PAC enabled in sssd- Resolves: rhbz#1590603 - EMBARGOED CVE-2018-10852 sssd: information leak from the sssd-sudo responder [rhel-7] - Resolves: rhbz#1450778 - Full information regarding priority of lookup of principal in keytab not in man page- Resolves: rhbz#1494690 - kdcinfo files are not created for subdomains of a directly joined AD client - Resolves: rhbz#1583343 - Login with sshkeys stored in ipa not working after update to RHEL-7.5 - Resolves: rhbz#1527662 - Handle conflicting e-mail addresses more gracefully - Resolves: rhbz#1509691 - Document how to change the regular expression for SSSD so that group names with an @-sign can be parsed- Related: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch- Resolves: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch - Resolves: rhbz#1523019 - Reset password with two factor authentication fails - Resolves: rhbz#1534749 - Requesting an AD user's private group and then the user itself returns an emty homedir - Resolves: rhbz#1537272 - SSH public key authentication keeps working after keys are removed from ID view - Resolves: rhbz#1537279 - Certificate is not removed from cache when it's removed from the override - Resolves: rhbz#1562025 - externalUser sudo attribute must be fully-qualified - Resolves: rhbz#1577335 - /usr/libexec/sssd/sssd_autofs SIGABRT crash daily - Resolves: rhbz#1508530 - How should sudo behave without sudoHost attribute? - Resolves: rhbz#1546754 - The man page of sss_ssh_authorizedkeys can be enhanced to better explain how the keys are retrieved and how X.509 certificates can be used - Resolves: rhbz#1572790 - getgrgid/getpwuid fails in setups with multiple domains if the first domain uses mid_id/max_id - Resolves: rhbz#1561562 - sssd not honoring dyndns_server if the DNS update process is terminated with a signal - Resolves: rhbz#1583251 - home dir disappear in sssd cache on the IPA master for AD users - Resolves: rhbz#1514061 - ID override GID from Default Trust View is not properly resolved in case domain resolution order is set - Resolves: rhbz#1571466 - Utilizing domain_resolution_order in sssd.conf breaks SELinux user map - Resolves: rhbz#1571526 - SSSD with ID provider 'ad' should give a warning in case the ldap schema is manually changed to something different than 'ad'.- Resolves: rhbz#1547782 - The SSSD IPA provider allocates information about external groups on a long lived memory context, causing memory growth of the sssd_be process- Related: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1516266 - Give a more detailed debug and system-log message if krb5_init_context() failed - Resolves: rhbz#1503802 - Smartcard authentication fails if SSSD is offline and 'krb5_store_password_if_offline = True' - Resolves: rhbz#1385665 - Incorrect error code returned from krb5_child (updated) - Resolves: rhbz#1547234 - SSSD's GPO code ignores ad_site option - Resolves: rhbz#1459348 - extend sss-certmap man page regarding priority processing - Resolves: rhbz#1220767 - Group renaming issue when "id_provider = ldap" is set - Resolves: rhbz#1538555 - crash in nss_protocol_fill_netgrent. sssd_nss[19234]: segfault at 80 ip 000055612688c2a0 sp 00007ffddf9b9cd0 error 4 in sssd_nss[55612687e000+39000]- Resolves: rhbz#1565774 - After updating to RHEL 7.5 failing to clear the sssd cache- Resolves: rhbz#1566782 - memory management issue in the sssd_nss_ex interface can cause the ns-slapd process on IPA server to crash- Related: rhbzrhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1543348 - sssd_be consumes more memory on RHEL 7.4 systems. - Resolves: rhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1523282 - sssd used wrong search base with wrong AD server- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set - Related: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7]- Resolves: rhbz#1517971 - AD Domain goes offline immediately during subdomain initialization - IPA AD Trust - Related: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1527149 - AD provider - AD BUILTIN groups are cached with gidNumber = 0 - Related: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1525644 - dbus-send unable to find user by CAC cert- Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card- Resolves: rhbz#1512027 - NSS by-id requests are not checked against max_id/min_id ranges before triggering the backend- Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card - Resolves: rhbz#1520984 - getent output is not showing home directory for IPA AD trusted user - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1421194 - SSSD doesn't use AD global catalog for gidnumber lookup, resulting in unacceptable delay for large forests- Resolves: rhbz#1482231 - sssd_nss consumes more memory until restarted or machine swaps - Resolves: rhbz#1512508 - SSSD fails to fetch group information after switching IPA client to a non-default view- Resolves: rhbz#1490120 - SSSD complaining about corrupted mmap cache and logging error in /var/log/messages and /var/log/sssd/sssd_nss.log- Resolves: rhbz#1272214 - [RFE] Create a local per system report about who can access that IDM client (attestation) - Resolves: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Resolves: rhbz#888739 - Enumerating large number of users makes sssd_be hog the cpu for a long time. - Resolves: rhbz#1373547 - SSSD performance issue with malloc and brk calls - Resolves: rhbz#1472255 - Improve SSSD performance in the 7.5 release- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1432010 - SSSD ships a drop-in configuration snippet in /etc/systemd/system - Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available- Resolves: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Related: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1408294 - SSSD authentication fails when two IPA accounts share an email address without a clear way to debug the problem - Resolves: rhbz#1502686 - crash - /usr/libexec/sssd/sssd_nss in nss_setnetgrent_timeout- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1484376 - [RFE] Add a configuration option to SSSD to disable the memory cache - Resolves: rhbz#1327705 - Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1505277 - Race condition between refreshing the cr_domain list and a request that is using the list can cause a segfault is sssd_nss - Resolves: rhbz#1462343 - document information on why SSSD does not use host-based security filtering when processing AD GPOs - Resolves: rhbz#1498734 - sssd_be stuck in an infinite loop after completing full refresh of sudo rules - Resolves: rhbz#1400614 - [RFE] sssd should remember DNS sites from first search - Resolves: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Resolves: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1469791 - Rebase SSSD to version 1.16+ - Resolves: rhbz#1132264 - Allow sssd to retrieve sudo rules of local users whose sudo rules stored in ldap server - Resolves: rhbz#1301740 - sssd can be marked offline if a trusted domain is not reachable - Resolves: rhbz#1399262 - Use TCP for kerberos with AD by default - Resolves: rhbz#1416150 - RFE: Log to syslog when sssd cannot contact servers, goes offline - Resolves: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Resolves: rhbz#1454559 - python-sssdconfig doesn't parse hexadecimal debug _level, resulting in set_option(): /usr/lib/python2.7/site-packages/SSSDConfig/__init__.py killed by TypeError - Resolves: rhbz#1456968 - MAN: document that attribute 'provider' is not allowed in section 'secrets' - Resolves: rhbz#1460689 - KCM/secrets: Storing many secrets in a rapid succession segfaults the secrets responder - Resolves: rhbz#1464049 - Idle nss file descriptors should be closed - Resolves: rhbz#1468610 - sssd_be is utilizing more CPU during sudo rules refresh - Resolves: rhbz#1474711 - Querying the AD domain for external domain's ID can mark the AD domain offline - Resolves: rhbz#1479398 - samba shares with sssd authentication broken on 7.4 - Resolves: rhbz#1479983 - id root triggers an LDAP lookup - Resolves: rhbz#1489895 - Issues with certificate mapping rules - Resolves: rhbz#1490501 - sssd incorrectly checks 'try_inotify' thinking it is the wrong section - Resolves: rhbz#1490913 - MAN: Document that full_name_format must be set if the output of trusted domains user resolution should be shortnames only - Resolves: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Resolves: rhbz#1482674 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server - Resolves: rhbz#1486053 - Accessing IdM kerberos ticket fails while id mapping is applied - Resolves: rhbz#1486786 - sssd going in offline mode due to sudo search filter. - Resolves: rhbz#1500087 - SSSD creates bad override search filter due to AD Trust object with parenthesis - Resolves: rhbz#1502713 - SSSD can crash due to ABI changes in libldb >= 1.2.0 (1.1.30) - Resolves: rhbz#1461462 - sssd_client: add mutex protected call to the PAC responder - Resolves: rhbz#1489666 - Combination sssd-ad and postfix recieve incorrect mail with asterisks or spaces - Resolves: rhbz#1525052 - sssd_krb5_localauth_plugin fails to fallback to otheri localname rules- Require the 7.5 libldb version which broke ABI - Related: rhbz#1469791 - Rebase SSSD to version 1.16+- Resolves: rhbz#1457926 - Wrong search base used when SSSD is directly connected to AD child domain- Resolves: rhbz#1450107 - SSSD doesn't handle conflicts between users from trusted domains with the same name when shortname user resolution is enabled- Resolves: rhbz#1459846 - krb5: properly handle 'password expired' information retured by the KDC during PKINIT/Smartcard authentication- Resolves: rhbz#1430415 - ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in- Resolves: rhbz#1455254 - Make domain available as user attribute- Resolves: rhbz#1449731 - IPA client cannot change AD Trusted User password- Resolves: rhbz#1457927 - getent failed to fetch netgroup information after changing default_domain_suffix to ADdomin in /etc/sssd/sssd.conf- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15- Resolves: rhbz#1449728 - LDAP to IPA migration doesn't work in master- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1449729 - org.freedesktop.sssd.infopipe.GetUserGroups does not resolve groups into names with AD- Resolves: rhbz#1450094 - Properly support IPA's promptusername config option- Resolves: rhbz#1457644 - Segfault in access_provider = krb5 is set in sssd.conf due to an off-by-one error when constructing the child send buffer - Resolves: rhbz#1456531 - Option name typos are not detected with validator function of sssctl config-check command in domain sections- Resolves: rhbz#1428906 - sssd intermittently failing to resolve groups for an AD user in IPA-AD trust environment.- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail - Fix Coverity issues in patches for rhbz#1445445- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1446302 - crash in sssd-kcm due to a race-condition between two concurrent requests- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail- Resolves: rhbz#1306707 - Need better debug message when krb5_child returns an unhandled error, leading to a System Error PAM code- Resolves: rhbz#1446535 - Group resolution does not work in subdomain without ad_server option- Resolves: rhbz#1449726 - sss_nss_getlistbycert() does not return results from multiple domains - Resolves: rhbz#1447098 - sssd unable to search dbus for ipa user by certificate - Additional patch for rhbz#1440132- Reapply patch by Lukas Slebodnik to fix upgrade issues with libwbclient - Resolves: rhbz#1439457 - SSSD does not start after upgrade from 7.3 to 7.4 - Resolves: rhbz#1449107 - error: %pre(sssd-common-1.15.2-26.el7.x86_64) scriptlet failed, exit status 3- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15 - Also apply an additional patch for rhbz#1441545- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1434992 - Wrong pam return code for user from subdomain with ad_access_filter- Resolves: rhbz#1430494 - expect sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy manuals to be packaged into sssd-common package- Resolves: rhbz#1427749 - SSSD in server mode iterates over all domains for group-by-GID requests, causing unnecessary searches- Resolves: rhbz#1446139 - Infopipe method ListByCertificate does not return the users with overrides- Resolves: rhbz#1441545 - With multiple subdomain sections id command output for user is not displayed for both domains- Resolves: rhbz#1428866 - Using ad_enabled_domains configuration option in sssd.conf causes nameservice lookups to fail.- Remove an unused variable from the sssd-secrets responder - Related: rhbz#1398701 - [sssd-secrets] https proxy talks plain http - Improve two DEBUG messages in the client trust code to aid troubleshooting - Fix standalone application domains - Related: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Allow completely server-side unqualified name resolution if the domain order is set, do not require any client-side changes - Related: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users- Resolves: rhbz#1402532 - D-Bus interface of sssd is giving inappropriate group information for trusted AD users- Resolves: rhbz#1431858 - Wrong principal found with ad provider and long host name- Resolves: rhbz#1415167 - pam_acct_mgmt with pam_sss.so fails in unprivileged container unless selinux_provider = none is used- Resolves: rhbz#1438388 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_pam killed by 6- Resolves: rhbz#1432112 - sssctl config-check does not give any error when default configuration file is not present- Resolves: rhbz#1438374 - [abrt] [faf] sssd: vfprintf(): /usr/libexec/sssd/sssd_be killed by 11- Resolves: rhbz#1427195 - sssd_nss consumes more memory until restarted or machine swaps- Resolves: rhbz#1414023 - Create troubleshooting tool to determine if a failure is in SSSD or not when using layered products like RH-SSO/CFME etc- Resolves: rhbz#1398701 - [sssd-secrets] https proxy talks plain http- Fix off-by-one error in the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Resolves: rhbz#1434991 - Issue processing ssh keys from certificates in ssh respoder- Resolves: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users - Also backport some buildtime fixes for the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1340711 - [RFE] Use one smartcard and certificate for authentication to distinct logon accounts- Update to upstream 1.15.2 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html - Resolves: rhbz#1418728 - IPA - sudo does not handle associated conflict entries - Resolves: rhbz#1386748 - sssd doesn't update PTR records if A/PTR zones are configured as non-secure and secure - Resolves: rhbz#1214491 - [RFE] Make it possible to configure AD subdomain in the SSSD server mode- Drop "NOUPSTREAM: Bundle http-parser" patch Related: rhbz#1393819 - New package: http-parser- Update to upstream 1.15.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html - Resolves: rhbz#1327085 - Don't prompt for password if there is already one on the stack - Resolves: rhbz#1378722 - [RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases - Resolves: rhbz#1405075 - [RFE] Add PKINIT support to SSSD Kerberos provider - Resolves: rhbz#1416526 - Need correction in sssd-krb5 man page - Resolves: rhbz#1418752 - pam_sss crashes in do_pam_conversation if no conversation function is provided by the client app - Resolves: rhbz#1419356 - Fails to accept any sudo rules if there are two user entries in an ldap role with the same sudo user - Resolves: rhbz#1421622 - SSSD - Users/Groups are cached as mixed-case resulting in users unable to sign in- Fix several packaging issues, notably the p11_child is no longer setuid and the libwbclient used a wrong version number in the symlink- Update to upstream 1.15.0 - Resolves: rhbz#1393824 - Rebase SSSD to version 1.15 - Resolves: rhbz#1407960 - wbcLookupSid() fails in pdomain is NULL - Resolves: rhbz#1406437 - sssctl netgroup-show Cannot allocate memory - Resolves: rhbz#1400422 - Use-after free in resolver in case the fd is writeable and readable at the same time - Resolves: rhbz#1393085 - bz - ldap group names don't resolve after upgrading sssd to 1.14.0 if ldap_nesting_level is set to 0 - Resolves: rhbz#1392444 - sssd_be keeps crashing - Resolves: rhbz#1392441 - sssd fails to start after upgrading to RHEL 7.3 - Resolves: rhbz#1382602 - autofs map resolution doesn't work offline - Resolves: rhbz#1380436 - sudo: ignore case on case insensitive domains - Resolves: rhbz#1378251 - Typo In SSSD-AD Man Page - Resolves: rhbz#1373427 - Clock skew makes SSSD return System Error - Resolves: rhbz#1306707 - Need better handling of "Server not found in Kerberos database" - Resolves: rhbz#1297462 - Don't include 'enable_only=sssd' in the localauth plugin config- Resolves: rhbz#1382598 - IPA: Uninitialized variable during subdomain check- Resolves: rhbz#1378911 - No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain- Resolves: rhbz#1372075 - AD provider: SSSD does not retrieve a domain-local group with the AD provider when following AGGUDLP group structure across domains- Resolves: rhbz#1376831 - sssd-common is missing dependency on sssd-sudo- Resolves: rhbz#1371631 - login using gdm calls for gdm-smartcard when smartcard authentication is not enabled- Resolves: rhbz#1373420 - sss_override fails to export- Resolves: rhbz#1375299 - sss_groupshow fails with error "No such group in local domain. Printing groups only allowed in local domain"- Resolves: rhbz#1375182 - SSSD goes offline when the LDAP server returns sizelimit exceeded- Resolves: rhbz#1372753 - Access denied for user when access_provider = krb5 is set in sssd.conf- Resolves: rhbz#1373444 - unable to create group in sssd cache - Resolves: rhbz#1373577 - unable to add local user in sssd to a group in sssd- Resolves: rhbz#1369118 - Don't enable the default shadowtils domain in RHEL- Fix permissions for the private pipe directory - Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1371977 - resolving IPA nested user groups is broken in 1.14- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1371152 - SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side- Apply forgotten patch - Resolves: rhbz#1368496 - sssd is not able to authenticate with alias - Resolves: rhbz#1366470 - sssd: throw away the timestamp cache if re-initializing the persistent cache - Fix deleting non-existent secret - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1364033 - sssd exits if clock is adjusted backwards after boot- Resolves: rhbz#1362023 - SSSD fails to start when ldap_user_extra_attrs contains mail- Resolves: rhbz#1368324 - libsss_autofs.so is packaged in two packages sssd-common and libsss_autofs- Fix RPM scriptlet plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Add socket-activation plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Own the secrets directory - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1268874 - Add an option to disable checking for trusted domains in the subdomains provider- Resolves: rhbz#1271280 - sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)- Resolves: rhbz#1290500 - [feat] command to manually list fo_add_server_to_list information- Add several small fixes related to the config API - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Resolves: rhbz#1349900 - gpo search errors out and gpo_cache file is never created- Fix regressions in the simple access provider - Resolves: rhbz#1360806 - sssd does not start if sub-domain user is used with simple access provider - Apply a number of specfile patches to better match the upstream spefile - Related: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3- Cherry-pick patches from upstream that fix several regressions - Avoid checking local users in all cases - Resolves: rhbz#1353951 - sssd_pam leaks file descriptors- Resolves: rhbz#1364118 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11 - Resolves: rhbz#1361563 - Wrong pam error code returned for password change in offline mode- Resolves: rhbz#1309745 - Support multiple principals for IPA users- Resolves: rhbz#1304992 - Handle overriden name of members in the memberUid attribute- handle unresolvable sites more gracefully - Resolves: rhbz#1346011 - sssd is looking at a server in the GC of a subdomain, not the root domain. - fix compilation warnings in unit tests- fix capaths output - Resolves: rhbz#1344940 - GSSAPI error causes failures for child domain user logins across IPA - AD trust - also fix Coverity issues in the secrets responder and suppress noisy debug messages when setting the timestamp cache- Resolves: rhbz#1356577 - sssctl: Time stamps without time zone information- Resolves: rhbz#1354414 - New or modified ID-View User overrides are not visible unless rm -f /var/lib/sss/db/*cache*- Resolves: rhbz#1211631 - [RFE] Support of UPN for IdM trusted domains- Resolves: rhbz#1350520 - [abrt] sssd-common: ipa_dyndns_update_send(): sssd_be killed by SIGSEGV- Resolves: rhbz#1349882 - sssd does not work under non-root user - Also cherry-pick a few patches from upstream to fix config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Sync a few minor patches from upstream - Fix sssctl manpage - Fix nss-tests unit test on big-endian machines - Fix several issues in the config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Bundle http-parser - Resolves: rhbz#1311056 - Add a Secrets as a Service component- Sync a few minor patches from upstream - Fix a failover issue - Resolves: rhbz#1334749 - sssd fails to mark a connection as bad on searches that time out- Explicitly BuildRequire newer ding-libs - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- New upstream release 1.14.0 - Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#835492 - [RFE] SSSD admin tool request - force reload - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check) - Resolves: rhbz#1278691 - Please fix rfc2307 autofs schema defaults - Resolves: rhbz#1287209 - default_domain_suffix Appended to User Name - Resolves: rhbz#1300663 - Improve sudo protocol to support configurations with default_domain_suffix - Resolves: rhbz#1312275 - Support authentication indicators from IPA- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#790113 - [RFE] "include" directive in sssd.conf - Resolves: rhbz#874985 - [RFE] AD provider support for automount lookups - Resolves: rhbz#879333 - [RFE] SSSD admin tool request - status overview - Resolves: rhbz#1140022 - [RFE]Allow sssd to add a new option that would specify which server to update DNS with - Resolves: rhbz#1290380 - RFE: Improve SSSD performance in large environments - Resolves: rhbz#883886 - sssd: incorrect checks on length values during packet decoding - Resolves: rhbz#988207 - sssd does not detail which line in configuration is invalid - Resolves: rhbz#1007969 - sssd_cache does not remove have an option to remove the sssd database - Resolves: rhbz#1103249 - PAC responder needs much time to process large group lists - Resolves: rhbz#1118257 - Users in ipa groups, added to netgroups are not resovable - Resolves: rhbz#1269018 - Too much logging from sssd_be - Resolves: rhbz#1293695 - sssd mixup nested group from AD trusted domains - Resolves: rhbz#1308935 - After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user - Resolves: rhbz#1315766 - SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo - Resolves: rhbz#1316164 - SSSD fails to process GPO from Active Directory - Resolves: rhbz#1322458 - sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - The rebase includes fixes for the following bugzillas: - Resolves: rhbz#789477 - [RFE] SUDO: Support the IPA schema - Resolves: rhbz#1059972 - RFE: SSSD: Automatically assign new slices for any AD domain - Resolves: rhbz#1233200 - man sssd.conf should clarify details about subdomain_inherit option. - Resolves: rhbz#1238144 - Need better libhbac debuging added to sssd - Resolves: rhbz#1265366 - sss_override segfaults when accidentally adding --help flag to some commands - Resolves: rhbz#1269512 - sss_override: memory violation - Resolves: rhbz#1278566 - crash in sssd when non-Englsh locale is used and pam_strerror prints non-ASCII characters - Resolves: rhbz#1283686 - groups get deleted from the cache - Resolves: rhbz#1290378 - Smart Cards: Certificate in the ID View - Resolves: rhbz#1292238 - extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members - Resolves: rhbz#1292456 - sssd_be AD segfaults on missing A record - Resolves: rhbz#1294670 - Local users with local sudo rules causes LDAP queries - Resolves: rhbz#1296618 - Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore - Resolves: rhbz#1299553 - Cannot retrieve users after upgrade from 1.12 to 1.13 - Resolves: rhbz#1302821 - Cannot start sssd after switching to non-root - Resolves: rhbz#1310877 - [RFE] Support Automatic Renewing of Kerberos Host Keytabs - Resolves: rhbz#1313014 - sssd is not closing sockets properly - Resolves: rhbz#1318996 - SSSD does not fail over to next GC - Resolves: rhbz#1327270 - local overrides: issues with sub-domain users and mixed case names - Resolves: rhbz#1342547 - sssd-libwbclient: wbcSidsToUnixIds should not fail on lookup errors- Build the PAC plugin with krb5-1.14 - Related: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1290853 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.- Resolves: rhbz#1336706 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups- Resolves: rhbz#1296902 - In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD.- Resolves: rhbz#1334159 - IPA provider crashes if a netgroup from a trusted domain is requested- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin - More patches from upstream related to the memory leak- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin- Resolves: rhbz#1300740 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.- Resolves: rhbz#1267836 - PAM responder crashed if user was not set- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Fix a Coverity warning in dyndns code - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1263735 - Could not resolve AD user from root domain- Remove -d from sss_override manpage - Related: rhbz#1259512 - sss_override : The local override user is not found- Patches required for better handling of failover with one-way trusts - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users- Resolves: rhbz#1259512 - sss_override : The local override user is not found- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help- Resolves: rhbz#1254518 - Fix crash in nss responder- Support import/export for local overrides - Support FQDNs for local overrides - Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes- Resolves: rhbz#1250415 - sssd: p11_child hardening- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected- Fix wildcard_limit=0 - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Fix race condition in invalidating the memory cache - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled- Bump release number - Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- Fix missing dependency of sssd-tools - Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- More memory cache related fixes - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Remove binary blob from SC patches as patch(1) can't handle those - Related: rhbz#854396 - [RFE] Support for smart cards- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*- Fix memory cache integration tests - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups - Resolves: rhbz#854396 - [RFE] Support for smart cards- Remove OTP from PAM stack correctly - Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Handle sssd-owned keytabs when sssd runs as root - Related: rhbz#1205144 - RFE: Support one-way trusts for IPA- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on individual clients- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support - Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2- Add support for InfoPipe wildcard requests - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Also package the initgr memcache - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Rebase to 1.13.0 upstream - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Don't default to SSSD user - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Related: rhbz#1205554 - Rebase SSSD to 1.13.x - GPO default should be permissve- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x - Relax the libldb requirement - Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21 - Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs - Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust - Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers - Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains - Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups - Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set - Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides - Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution - Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work - Resolves: rhbz#1214337 - Overrides with --login work in second attempt - Resolves: rhbz#1212489 - Disable the cleanup task by default - Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf - Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one - Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected - Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all - Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface - Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain - Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys - Resolves: rhbz#1204203 - sssd crashes intermittently - Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default - Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only - Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries - Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything - Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query - Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects - Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name? - Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error - Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD - Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set - Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires - Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option - Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID- Filter out domain-local groups during AD initgroups operation - Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Initialize variable in the views code in one success and one failure path - Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Handle case where there is no default and no rules - Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u- Set a pointer in ldap_child to NULL to avoid warnings - Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Run the restart in sssd-common posttrans - Explicitly require libwbclient - Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Fix endianess bug in fill_id() - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view- Resolves: rhbz#1184982 - Need to set different umask in selinux_child- Bump the release number - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Add a patch dependency - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Process ghost members only once - Fix processing of universal groups with members from different domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved- Handle GID override in MPG domains - Handle views with mixed-case domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Open socket to the PAC responder in krb5_child before dropping root - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD- Resolves: rhbz#889206 - On clock skew sssd returns system error- Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used - Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Resolves: rhbz#1171215 - Crash in function get_object_from_cache - Resolves: rhbz#1171383 - getent fails for posix group with AD users after login - Resolves: rhbz#1171382 - getent of AD universal group fails after group users login - Resolves: rhbz#1170300 - Access is not rejected for disabled domain - Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode - Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear - Related: rhbz#1113783 - sssd should run under unprivileged user- Rebuild to add several forgotten Patch entries - Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Remove Coverity warnings in krb5_child code - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Don't error out on chpass with OTPs - Related: rhbz#1109756 - Rebase SSSD to 1.12- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users - Enable running unit tests without cmocka - Related: rhbz#1113783 - sssd should run under unprivileged user- krb5_child and ldap_child do not call Kerberos calls as root - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware- Fix typo in libwbclient-devel alternatives invocation - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.- Handle migrating clients between views - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Use alternatives for libwbclient - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression- Add an option that describes where to put generated krb5 files to - Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12- Handle IPA group names returned from the extop plugin - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete- Support views for IPA users - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Update man page to clarify TGs should be disabled with a custom search base - Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Use upstreamed patches for the rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Resolves: rhbz#1162480 - dereferencing failure against openldap server- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1113783 - sssd should run under unprivileged user- Fix two regressions in the new selinux_child process - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1132365 - Remove password from the PAM stack if OTP is used- Include the ldap_child and selinux_child patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Support overriding SSH public keys with views - Support extended attributes via the extop plugin - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving - Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times- Include the responder and packaging patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Amend the sssd-ldap man page with info about lockout setup - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD - Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server - Related: rhbz#1109756 - Rebase SSSD to 1.12- Add the low-level server changes for running as unprivileged user - Package the libsss_semange library needed for SELinux label changes - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Use libsemanage for SELinux label changes - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Rebase SSSD to 1.12.2 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Sync with upstream - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebuild against ding-libs with fixed SONAME - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.1 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Require ldb 2.1.17 - Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer- Fix fully qualified IFP lookups - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.0 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Squash in upstream review comments about the PAC patch - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Backport a patch to allow krb5-utils-test to run as root - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Fix a DEBUG message, backport two related fixes - Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success- Resolves: rhbz#1078840 - Error during password change- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider- Fix idmap documentation - Bump idmap version info - Related: rhbz#1067361 - Check IPA idranges before saving them to the cache- Pull some follow up man page fixes from upstream - Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does. - Use the right domain for AD site resolution - Related: rhbz#743503 - [RFE] sssd should support DNS sites- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin- Mass rebuild 2014-01-24- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed. - Fix a typo in the man page - Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain - Fix return value when searching for AD domain flat names - Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword. - Fix two memory leaks in the PAC responder (Related: rhbz#991065)- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup- Resolves: rhbz#1049533 - Group membership lookup issue- Mass rebuild 2013-12-27- Resolves: rhbz#894068 - sss_cache doesn't support subdomains- Re-initialize subdomains after provider startup - Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- The AD provider is able to resolve group memberships for groups with Global and Universal scope - Related: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog- Resolves: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog - Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"- Resolves: rhbz#1037936 - sssd_be crashes occasionally- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains- Resolves: rhbz#1033084 - sssd_be segfaults if empty grop is resolved using ad_matching_rule- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- Skip netgroups that don't provide well-formed triplets - Related: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 - Resolves: rhbz#991065- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash - Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 - Resolves: rhbz#991065 - Rebase SSSD to 1.11.0- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 - Resolves: rhbz#991065- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 - Related: rhbz#991065- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting- Apply several important fixes from upstream 1.10 branch - Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- Remove libcmocka dependency- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doensn't carry any older krb5-libs version- Enable hardened build for RHEL7- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath insted of mcachepath macro to be consistent with upsteam spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. - Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested tar get is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstreeam spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predicatable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. - Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. - Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. - Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. (Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)uk1.16.4-21.el7_7.31.16.4-21.el7_7.3libsss_ad.sogpo_childsssd-ad-1.16.4COPYINGsssd-ad.5.gzsssd-ad.5.gz/usr/lib64/sssd//usr/libexec/sssd//usr/share/licenses//usr/share/licenses/sssd-ad-1.16.4//usr/share/man/man5//usr/share/man/uk/man5/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericcpioxz9x86_64-redhat-linux-gnuELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=1091a8ec0c86c28611c26deb009c06cb8ec5d8bd, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=b89770ab7f37380e44c68ac337c07a86f0207b73, strippeddirectoryASCII texttroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, from Unix, max compression)troff or preprocessor input, UTF-8 Unicode text, with very long lines (gzip compressed data, from Unix, max compression)BBPRRRBRRRRRRRR RR?R)R9R-RRRRR,R/R;RRR:RRRR RR R7R=R8RRRFR'R RRRRRRR?R0R7R=R>R&R RRR*RR/RRRF?@7zXZ !Xz] crv9uz(` .s|JП^ǪbNn Qr$p«'HEIon]I~<AVU J+$Rgʿu[r\P-J^Lx=BA4}doB崾fQt6;AY[8sAEa:uXjCp ^ d035c3gvFX*RG)_pg8CT([K**g?PQu|ݿ8J,=҉.WճV;ɠdF7LK83N(RDMwHhnG$jjgr7BsݾpZ^+: rKJS u[D6"[H 룱PuC T"ɂ4WJSh7 y;3NȥGֻȬQ] /Qe5ͅ'JmĶr.]IDp)WJxY& ˎyhe!Lj( ]9NJr҃KK|P^Cyب9ĭj_z*%wyW>f鯠 0S@_ RI X"f~4Pq_W3*R:Uy\#m?fTW$m&H+Tf[5(y'p&{ۈ7 Q z-`kҗ 2AƀK^mkKkN]{41߬51J(bg 믖,W䈖Sq_|L콼809=Ё EBiro9MbmWw_B l.ȁKI™|-C((Ίv9S%aOY{{7*7-㜓΍_{|פô[gNJwkZ~]r|$cRrK}"_R҈x;1nw:(#JIiw{*'݋7Mכ)ūۘ Lߺv,ŨL0.jhovVF܈`Dj`.]|qDP+*MwZHIiKvZ.!r!v2{1'D'%GUj}>JƮތ j[0hί몧1""Mno9im|obGTjsfWEk*ϔUT ".Ă sdl@A#tV$ n,VL=QĄ^EszoPT,:mb7w=BbROH4?)7G5F}SzIƌBA6ABe}3?^Mrc?J,|&iSMBdU|<\#UԂ,43Jh~sɅjNמW6X`{| L稾: (uxJHOFPIn<i.dGߌeOqmX[@CdZ"LŨhd<Egb\ իQ_8R.AOcyaD3|KVFp5|?r.kb;AأA;nICg' yY{ Bv\ZG5C,v;r!HJO[zv0#NwIem|8SO`_~G+d+L D1 oLNB0.ۦAINb" &l $ι-[o@'ږPCiN5\d*}F32RR5i-w[&Y.ifȭ6F`^IT(7RcN%{-*B6,K,Ig~g~N+OPBJxF{$2 L >w{t;ţ n*`^l7]a:O5R vZ1-Ysc Ykh\ /~zܽOӋIKNVps;h^csd{37B`wQhς5~ќ"mjK{C/KV؜ՕIFQ!55*΄nSWqu=dM>pR3ln:ud6v+P1$ p]VH|F9 Ő?o_y{v^f瀇ضnU d.o˧4~߃* <1bKUx;:(N~LEV c>K}:.Z|?8OJPu_q cE}(5v+36gi7+465%Aޖ7^u Ϝ2e< !wtEu0="8jES1~ؐNUJL++v*2SHr=x2m {Rne4}5~k.VuS,ӚC;;qB~0Cyڋm;/dH^6ɇ/P|gg`QF*{P[݆M½ EbW0HwJم:_{QDD_1vuqٲ?TwN¹;#veQ}qouMu}? BpwH ߏD+I;T=gD(O^z셦+$!JJD]*o~Cg16T* SfR#E9LJNrv6H@ͰUA=HIgUAwiO9sʋ= b3@Y*xzys  }IP7"ꉆ!dq(2u8 Xv Z&HC$uBûlT6^yGwi{~%. U:QpNfOoJ C|zQI7y 582}Hag*xnf-Qeف8 3WwnA7g[ C "ZlGa{9Q]vwXiiY|bsdK (gFqķ{؍Vjg^tTXt[fE1MB1?wӷ+6˛b^ngαWC =2\[2MR7v{*6H 9ͷ}Hq6tn.OjYlopm9Vƀ0I']'XEd6)px/K˄3Lat?N#ɞ^.He9hT6dttC,XvnujyB' vyG*C`D[L]M 1NX<^ewф]upe+[[xFlDvcf ^y=G+ = שĤ ~qY+kg[̗_̕E|]ywk&lOWaJ"BdEғ[r1 _?Y,<̄:]`mu+J;>UbME`..N1Sd7X*X˫J) E!o8`_{J|;&IO584M౪58~H0 ;XO&x^tfi[f@]!bIEqJ4S83+BF9Hh3M_ a*msincs(F3(mXCXitޏ:0yjK.JjҠdgj&JgʳP҅u؈[IirێVnc4[<#oXp+;y60W.9|Vs}bĵ@NBQ5>tRCVY.[\Bd뗁O!3<{ߟ*|/ykp3Xbj;*r%8&\ hpÙӃ\_ ͉w9p9G_}r2 E \aN49 SÁ/غ!'3[R$x3܂5QJ-i؁Jc .GCbm!M$`U7urZq}_!Q*uo'w{MS'J3lo?MLc}8uVa:٪. U4 ,E%PցBam3XeiԹ ͏\./H4-VܨdINOt ҡ3(,Ew h3-#!S bY1ƆUN~l.z/l x&$aVT ⠁ٿ>VEh[ʊ:IO!:敇@brSz ׌H"VF%z(߻bF$2Nte խl+!V$±Gxtu O}Y~c~x#% Q'[+jrD`+9.fUOOQnj7q%"f?*J*ʴјKhXe]sAnM<=ofk$gf! LtbCMQ&} y޻i=)졛ㅛE,ҩE$)E.hkT4Hb{"5&

>Yw{`Q1L{فlk̅ B,s:q)U[q<ǟ Q'g&m?8Ko}&YJVԕ!E+yR>A|L:jA"YQɅ1Ǵ"5O>؟~>,z?h6L.k iHCnD'.$&L.Uz ,kXЈA17~r/=!(ń]JXȃyN%Txt}UKdoޞu%s|jG5s:("S\w_aF^Y/ꉖ [1_[b9߿JˀyœGBAmrt5LaR=sm#̸?g A#eu$W.= ;LMyᅕLT6*Ec\th}ϢbqC} ΎF67nSYͻ[l􈺓LTvǶOrT[ Z+g#l*Xh\%}޲v: ^ IAVKXJ)V%UPLN=R,a͓널\~x'ƞ@'wF:IB⫠6|? aږdW1|դn#5&[:^A/$tG{-ɾn"BD8#!$gcId = $A:~Y٨[t+Æ a.v_#l'ZfҲLc]z ce2*Z.vc tm/ԡۂxg!{ Llg?4 6 ^ޓe(Sgj!STWsTͪ=Pҏb]h+hmH+2 MlIFr"κy,Qe?Nb5\ޞ%l恲pe_iPkڶ!v>15j3]#{EplݮHCH[zb<3chgWm78.^Mdȭj{ RI@((Jo$p(P%/BZ+h]݁5HJU}Y܁8cC9dQ25AU ZyAf+jJGHe\Q x\O-4G~0z3r֤S`*tx_SI.b?#b'O߾V VJJЅl\ !=:^n.mޞQY 5{,;%;J!"ފ{AƓ_l͹i#LT E A7=24_a7Y[lDG nnI%/?R%SCmb][ʓũ&rjc`=V4V%Ɩ1, u2Np$A Za?Zj<~ݑC 0,i -?RyJbgsZ @?NLxɖ&3 Sn]LT)!T+Pڎb9bLYU;v˦6TC5x4꘺P&얭5TTiJ6((,|=|")\o5v#ۃS&bҕǩ)^k1=8hZ/1Acv\#$0iI CBZ:K=eNDAH(t蚲m*G8}0x UUJۛw@{:{y㑶OUnaDV;J|YEay>,`B 1MnG;AYbA~y21(:~a|RO<]'ihyYJ{ aJN aP+( HhRc2 95'd зq*n3y6ubB+[n8 z䀻V~5wjܗc2z|?6<@dhsB! Q)jRٗ ;CP~qcR*h5⸎HG@t⅍DLĹ 1K6>sDc^bn[=>#(]d6!=-# 1t^~C6lT: ́PuZ֗ʚb&Z~bk&iQ*qe؋ir3c Iە1qn'P#`Yvcs'G9as[g_Pd ^7ʬm0wR;ġVp;=8Dw?2d|#ܿ Fl]pug62ũ8CߍH- _lUXYEpJ ^Px x?!oFgE B!PD}2y=0!951-YZ5ʸd2 !o> }s[In~B7F0Uq*5Mlgvͦ,πL4`<="NPDM?*!q6 5_đ4nEB, ̭[\! 曫n/.f奧Gv)x`|ue(9/ݻXT7e~g KKGu/L)]2(u'\gl+Byev Gd"ƜTQԟ,LY`2(}H@-V!&ToY,r@T~kd⎊W9Z/Eyvlw{wmI%l@Ij|9Ac3-<s)u@E^!%'AyN4,r5MCNqn,cڊY 9u)bF?"T?q(:c˳,)zY{ϓVFCg=Uo!K2u h5DΔ<3[)IBEv*`r"> _z CHNг/7Y[[_u6 ژ=)cX,H({#@}Y=Aë.LM=:}Ӷ#)G"DSHq[%Q]i⢻Dt_2?}ZuڮJ%Dr3IS.()yxޕXТTh6Yʸ::w@Ð*,2dF SeͿS޺^wQ5[HWTqWEpv҅b1x`@ιs#Oդw}gI~PgⓂuNy~\xLڬ 倗SL@C*@o]a;#/3/Ԏ Ybߵ0{W}֞Դ&/.<Q,  'V}P\idTn:t^m,(?~҉WwiE"9 zf6Ɔ;,D"`Y=bW ]! )9H6MwBM9BX 1ޤf!E"t@> JɄE []KТW|ּYSIKq֭5:@*N>횾8"_!a4)4Y=cd َ`ңaْʕORY Xsޛ])L}Zx̟CXu \>.øW\)qKds+Z#FCm{J Mр΁,e&&Jy}kfHbyeHߜB:ubȐ~s7>YO֮E38/S'y7 l2 0zQNCv^g3j^y6㫀P}w 1iӡ$tW09:P%/9K6xHh>amtT$'lτ3|aw=ϥ;fq>X9=:wxV+T#kxN`h ՛/ӑzh"߰s aJ =LԌZdľo0lM:VhAtK QMF˸Fs$j"Mq eYʷ:##s )Ug;Tf=J=$Csq7ȚXʄj7  87ǚ&^) "N*c)}{/ZԗJKt#`GzIrtJ1̮ZS @Fت7@C'֊f^ K1&ł{Ubq 'n/?djjG褪V :˂7uaIats7+ۋje\RRCWvw% GeUmS3h,K]˚]$p2_P?h#GK_iJ[V"{Ahoi%Fn.|[j<2,yy(hD}t.38?RAL7"4g $~c=lR߿13aA)Gv>-{A+o7`$IQd!XQaL$Fs}' {1+ "e$$`$ܠ's8^, :39skeBo;I/m4_ q`aWC ?N0>Q߯CJ'>MLth4 4M󠲙DΡ Ad=I O|9/fбFMG?o> iV3U+/rvƌ ^ĤdNp|qo[WwXr@䅓a`kQOb/CC4<\l0 M{+1O`D䞸 qUV&4z":BħXą(N43G+'z ߽O`jyDIKoG4 PaFL Wuu{;RTFܜ28>oޢp#xjyYK}8- "PS <eˆ|UkG^׼R~ 'X=\ 0TELJg\Ih; N0!ŏ%a&DR@ !FتgHn3Ոis_Myį?XW*?TqprqXr.#4'}Q1sq4TZ[k /wU%Y0 @k^RK pƤc 'XZǖr".SDտưs^gu&Onɜ:2l$+>TtP^(J {П HˀuD,Buv.t 8 5V/Q+@n;c@8(CYk5ZULH%ؽPRӝpOFق{33{.KM ǭQfFG{wP6BM!O38K&>ËrfNJsFRN]0_fQitf7)b~TDU&癌xAA$p@.$ bok]bmD !W!:%Vf$`ݱ)ѹxlkFXӧj6)|S6!̘M^N=M gʪ~k`.PDr ~8+=L7jӻ{I >}qyw1|//E[%'-YKmR ΐ{mSWu䛅- "{pw433D_9BԾS&ؾi6\yZy7#(JR@L w3ƬFOH H " NkMm<_A"[V&^FSICn\!~Q}bi oMsCRBOs׬Wԭ68ZA!]ylIѫco13 sEu0.N{q[WF/|3ժ貗Yos*p4ǥ&|4H/B?vo/zȬnW* }f% 8%B5RpHӕ6:ud`/l%PJW|a[xҩiNJeػo>[Ѵd'ز}(Gx賟 :a^3 s!n>VdQ49 L$+zl#\f{7>~zӧ8q<@(ë㰘y"jJ'RIC-2IpDsk]zu;ٌ4ASۿY:Zٕn,qfA^ִxi˨+ywa$JI!JU-30X?^ȔCw2B/f$n,> ^3 L>]ꀖjs &% U_{@v{_h,hfau>R;;&D Ī%@bYO]MΕmŎCBB0bU+=HhTgm7&b:1M:z\2H z3oil@P*Z"~( PݮFA1pU:|7'4C7O I?byA+JJڌ>_(֜1g "%E _Ma5]LҜllJ@%0AuDeNN;Wn&3\N%psv*,]+m!,y;U_wbP,-}P=\M}-X WQb!nF(|f, W>]s'哟%I[<Τ.o:Bٖ;]ں2"!VF;"^ݹ{t!ܼ1b5lxf{HJl$%+:ύt7KT󍴥5Q`\uzPVz|VJvJs}hi3mGD96[ѽKEoU:>Dlv^>/uW7brV *7>*r~w0ۙq5RK;*5.MtJ]lB4d+G_+.*8UgJJw)Ui 5dL_UlA~ձE ce[R4[8vSZz814/s?ix{H*X.!eF\F~sŤku4@[SPFVNW{ sjiik{ @v兀3Tzv%B3I Sigm(l~gPc0~p %!w{ o2H!J1iE4yTDv#c?r,T c|Dj6o# {3},Tgs[ \b7vg(Mhx}k~UL@2tS.%:lDzJr5VbKdL{ Kv8n̺;GQ}nLA,jd0-ssۿ'y Jdm2mlZs,^|]*ȖTvKBVA.w\{]7&+݀?~lt yTEA"Zʑbb=8pzga)r.Og:Bd/zғaAzSZD =\QW1Qeϼv1D_Q e&|l/EnгPa$X@!)]Ho#tO")e3i`р`{5w?*6&]GIA oC Cc1c!b8#ҁ"3xdHIfRzǬiO:~S0&:?=L:@KaneFW;&Ңj&p$3J^A~{Nph"v{L6s@zec9+ ڗ-֬E-poa,f+#P 6.рׁx0sFc.|1v(郎Bɒu{Rf6 'gY>tӵԁO)c,l>yFKqkQ).naLjYWY8r}oXuqY>Tαm cFk @9y]0$8o,]U; )C]=`[TO D)|Z.s;+$h[C\" BPt=`4K29m+YPMWg4c=e-}H}}P"zUI1?Sp)S1j hک# Jy r@vU\A.+^ cPԆ3l'(t[pөyc1 &Fv mW~yDjփky_C9bhǸrJ>fn<b&tott(>1/)v?]ƗW䝝+[Bb{b%ܴ4+ qOۨ:pu㥒 }:5-sr`P*L-prvw QVֹ:_ G^P{nOb)0$$,VP7`'a1p_T?H.Bfbƒ >9ٖj8޽@(!J^;D2#L_QٯFmQumɔQ>‹p$x&GɹȞ̕ES4 1+m6?ozyKK>WiBd(yFAUL7&Pzk2XU#pxg,|F翮; Y.̀gg鍼 Y2&LkͨB|vS+D)(33qZOfB4$KLy ?q9M!2⏡ܥߓ)nV"δ VKe:)laWx'Is$C ;!zlu"3OxA\Bx[QWCnK,;5u/O2 Ѵf"qEUQ.Ϗt}S]S"wIKWP]Zxd9MLwx$D3gQ,:]# = JH;aI3nX{!WpJP b,Q+ 3pn <6XtTqDϒ K oX>qn=\܁'ک."yyG!~&-oPKXJJK#.j@ `3'`h(y@t4W>2ڜ*#- cӔӘ{?C<ϋ| 9. %,jvL>EF^Э2YBLC+Q]v$-TK8ku0mWtGU͐E1"zV3s(р s8&pFSۢ$;8w<ᲵF/Gdk6\ ΧSC)PXch97]69K]sTzùdO%4$DbaEUė3_&k ąԁLW"u9. d߂HL| џC܉U8"{<7f:(|t|BW(3{A;K%lknսN)-9q LVNu0]dMgQ78Tb EkTeٯk 1-2hИ96aBM~VS/.(it!(#'|_][_RʞtdQ%t`,kX)3e[ݕpU議Q^C'nyd)8K 7eyt9Iη`T?? j?t$ sZV(*hiLEqR՞`[Dd;#wZjdr%iMռizqNZ#l_{"qw!cOg3w!œ T@ )+zjoGτ5ijY(aBOdY#y*t.:hnFeXwߎ˂mD-Ղ?Bn<#F-a/ Hx>i]*ST1gŎf zO RnN6|:Es1J< %^L.qָ61`ξiK.Np(ups>o &a Ç^9 R^NROpC(Ai]'w¾Je]'ׅЅ3\jk 8ZJ^jVT ѕiS"hUm}`ڡ CBk7U ғf HCmg W8! >quj["eL]H4g񾣃a5}gwv-܁?̿om"i.V‰U lsKDW+3)_2ՙ@vC8 Vs@z:TJ* RX`xB/THCcIfrEQ#=//?V@z5'cD ^7͊#.t-JyE P@8]xnV$P51Azo]s7%A<EDh) 3ޥ9%v-]5uYCiFj9x/^-mfPco5vYb mqT('zCwx&Ylh罃wskȰɓaȌKk+W['=e#ye,?H!!C`M/wJeܬS۞_B']^YyӗXӫhTI\X$ fD#zQ4<Eu1 I-~oK߳<P ,sZDK78^#22Aj,]/um qK A)c49357$ٸ _k"ڗeOW$*7-Hh8Ąw 7SΚ%qg߰gv}z#~wNp G OQ,VDg5HVIUZVƉrw yuw LOPVSuw+^(֑Ao1yN߶u7\Ks鋈睩(uxzm9$Mp/X]+|Y!ʦ09ye?Q|:7J;Hw(f}\ܶPW? @CC4V .П x æ6-$aX1:E!кՇaF2Q2:.?z \p+f?d+{s6[TG,W6!RoC`(QxxZM$&@Er2j@(N>C A[=O[wg g:C*Y-&{OhK/z$V%HTsL?j[7zZ+,,uSg?p.Ļ^}|F:y wg|*u;i:U"6;C x(Qs`!g&g?G?t]9ze7yT(LiRI2sq|[h@ehv8mTAkhД/4(<+FPtm߇iDhHGCKK]r~]L@SoBY m \ԡ ٥"B4Zo ܇W`ᶢA$yd;eR:M`1z1N@[@H6mrd瓸NJ8l4&_sx?C "A/EMB1gE[|wJR-8au|'TAn">^꫻CHh;cyMvR>SZ痴RpG}޺jt"(;G)b[#5yz@<6TAWd.UTKzz 蓓Kl.5opJ^T@ca(v2WyAfq]hV4xǤ.Pj4may9LMk88 zmN6SyjM_ojtCW"1a8ϋp:?MZPd/5KcI8ߴJY! 8N t`PTۀ CL\L z<4EqAd. 8lw," m"Z/LO,;n yOŞ_aSҏP8{*,]{(~V Z. uul[(5J4B(eMB{`d~~uï%ɾNr#7Π`d}#HRUPBX >Mz޹rE7MQd6LPV"SO<8v63'8 DW/Omkǂ}b,Kݎ{g AȖwٍ[SO9 6d,R4GcQꏦzZ#M⎪ 6|PmI߳YS}?~ XFE/%W_ : y85| O']|?ֽp  mmYgd/;8L5ƦK4?i4,Q cu5_44Yz&Sf,*wv4pŏ0kՄSVx7\C V+"l_*0$;A!MU%~0-Qgp`z`tSW~)p.{Lc,8Gh21!-0\u\IXa[M"S1gz*ԍsl ޑJ|UJ$d V_?פ|"ھk{yNB୿v%N!8 G"ªO+f޻H2RA`qeXfv1$P-mfELA?Xۗߏ(."n8u`(qhQ|[ ݯĝؗaCކjȿ" =Nc:L`Gͫ2]Fs2J=VOq2\* yꌫSC:Ε @9KVw8 }]{[zYO3Pm)U?GUv.GC0mDSwD񺿙 Kfa(1ƽ0 KS  coֈ`YEzDRzZڨ!.'85 ɵ=Z2I 6^d7¢9'aG [d 9؎7D?%*=7K!eH3&@q|TjG~|_L>(1]%5v<5[3k -]oD%.+'j&N"\jEC3wFGm^f3g= b-T(J 8KT?,D.^LMV9u ~~JtZ{5KM4VSd|qD>eYk,,js~zf ؒyYG@<5 EQmw.b;"(-{5d? i(OC5S\*]=hw)17ـu=G>\Y%?5W[4"i;!Cm>[8%Po#fkА691oD0Xl.gO' KW(8 .WdZ& ް:|Ql g> ]SՇ@帲||'tۃp0y$y\(~5",$ӆofZcsKYnvs H^8RvJ]K 'ĸ[6c>Мb_ Ј,2s", Q͂,1,ջ|Ha % U&4mX1O[6DRv7uzI@\'Gng9M0MvݮE~DCޞJOg,,G$-ӂH`|i[5ZrNI&LjKOeFSl(ɉpœ5N}:|Y_^>zF68݆o$ų^nCŮ )Dv0NXb I= U5CavQ4!}LpVo࿋*}+y"3ݧʍAs<|kC~J4%b͡@aoF%H;} mDX8Kj`L̊.ͱ(3ST鋱cu72qPhL2,c%q8@#S]WvZ|_5>D\CZZ7>oφ48#Y,O,d&]aAK+  G&u8 iL *3 W/^mj3'Lf_AiR5xˎaOmo2T6sb\kb&2 ;๚'NFk'`+jZ 4u0a~"tSe.h'8wҗ'yrjH5_?JP6'цq6"%vQp5 5X/7ԫToPKl*˥|;vnUTm3Hǝ>=\}RCh<-E5 k4j0q='Hxzٻng2&=fR!#Her~!;~m`8:+o t:䒌r0_lσCOeki8JHW.6O'J=N*L5XK.C(xH#:ڌhut+CbØDh1L/*ͧ#wᒵH*DhMArgb{mJKP ,-e@>aBK okT uq,_lQ3:&;Rx/T~ɤ- Uol:x1aH5:}8ȏ,$3eDkz5B,E"߆̟ aۺ&WŘndOY{wC#A2tt7Nq?-K:=SWv y򣊺^j{wgH-҆~=I6kbMUi#:Sw{SMgh0h{7+øqZS[yc0Ҟ=T+t* {$3! * `8C/ƶzxsQ@:SOv/S\:.@^;W/g3'lFغŠM]撚 =2afU6lyw${!m3KUl4 FƝsa4ǓJ~R_̃4Rk[>2:/c;g|2O 1K[9[p!ЀEy{i-"`QeBW4k#c૧*te*)v""T?)U7j64>RgrԩP$|8~[];Y̵`4_a# 2Rs-'\HܟAvAQJҬIgjv-l=,50o? TUWD˥TnV7x;c'Q;Xx\~u*pyv-y(t2¼6G z<`S.e ^aSd$F'~PP(1yY';KWrOP/}PEbA>&ܝ=Q8?.aRLֻi#]K3)\9'^]ktßYȮ lKuZ:$( UM )?ђ9CF0&'g1_4:Gܴt#㨆 nh}@'|5OZPjY4S9+ pa8^YiD覈6V>OޏGwAsS8hwE: ޤu߂ˇXđ`oIJHSy_wrdlOKMnV(ǧh^^ kPeNdku 0 LgL/V3zmX&~`Jv:C{J{3wZp3wIZPg$qYbtrX 1n'϶$׃Z1هH}OQ tSrT:MF̔R9z'b 'jN#6qwZci Hꀭ,R!xOcYsxOl)1փ$g #ƛNw Y|2@.E= P'1RUȟҜL?OLA+TGMўOnOc%a͕?l9ȫbaqGb /KȑېkoswR-'uL/sMJp٪hhdlmLV6fFOHlfSovД8MD|mݼeUy5>mWrvhW> CglR|*4TDOP1Հ݊zHnn rn$0RWCAv8:nׁaǴlAۊ  %hنQvh [0GK qr+XLLG@-@(HvW!v;i?P-/ƪ[=cA|TW;Tf;(8J` A|/:&Ncx`:VX5a/Az}3v;Wk x[c121 sSUs37Rh+%- EAX>HOZ}>Z#bP8) !i,^'˟'+ʌg퇀RG#\mOXZbZ"pg>Vuj!D61])8fas7ofa~eYp!OEARDDZÔ16zz\`L =wϤx`i4Wp 6D|KxIJ޽4Fg'EDS \γVXь؛Jc=綆 (;7PK>܄> UpCB3L3i$iėa>L"xV Z9i5"P#'=؟wYF!kiI'3WAz5_Ҍҟ&0{]EQU)HHqOaf):5J04l^% JFdTxBfߋ_Onmz`_F?t?Czmswc &i%\r)jpS:FbA{X韹ѩà s^|}6z<##@^A" wFpڃE"[&i[y"oՊAJ|Y”a:+Ps| ˦BQ՗oԪB>ٍM#1bh*^F/!Kڰ$-.JSr8.ECK}r^auB #HGҚV|ώwAKn[:A۷ʺnD\Ca@]w+Őhª|90ACb/WY?,ϑЋ3%+ <˚LY|dQ]JE ? ׶%ImAMkwD9xiw nR#է|nŮ.k)3f#Was9-Nϝi6:dQU'Zb mM\(ҹ4#RAѶɥaeFGUJ:a}OBj4w9b/s<Q6ฬ=| GeZFk​O: ݸ vo8G]S C9%ǓԌyNwI[X'[vw6}>]שd@MHN %yv$d?}ƒ *"Q'?&P!a_hȬ*=y/(kƋUweD4=sos+C*eDJ6Ebk67 _E.쨕! Bikped/>L!b:;:1r+l8;IxTk88R@J xxJ}xp0=T< jjײ[#UQtp#axRv9[߈S _8e&.mSa_-UCl&\ZIN|$q'ơ Wju8TֱSP 1h% Y>DaNk $Ȏ%m$X UxM& -̀D<4("Bɤ.[H ~n=L=C$QT挲?1wɹȯܖRwӣiOm{Gkrbj4MۂXNctwf"0ݜʪSeqPS$~e"]<8CLEGP۹] $sU[KiA~P 8ҍFU:bkt; 34sZ=6Bh3ץaɲ@XJrZgYjD?1~4ꎴ#,b 9wZ~ej_뼶r_6VcK'ZK:%p`wdK ~XջD'L3I, EbO]1zܹۼUi G_%ҾN&|A"~fi穰4^]۠[uynu RPy͛]OkυКA@8<l6EzT ږ駅"eƈVR|[DL`UV@ֆ~ZѮ8O;4D3"E]oM}/$;"sm} z)pp43uF@oQbML9g'yMR4` 1In:ߒyun/ݼQ:jRί怟Q̠3 ֖/z ,9}եY^]; c(g_nXn.ꞳAt`tWE% 9V |桴axGmzw0vwA ·9]yM230 P=zeQO|ןWNYՔR@ p+Y0,7{ܕ ]% TJDc)\Q{׾S˸{;vuW0FĢS3|OQ'j(lèntquIƖaM%f/Q!;no)ZFFu> !-myo|YX ȧx%Bp=9hnBL<;=j暗Dx>?2}2)(e[k-4B)GMAzsb2  -taLO]۲W;S\9;F<9Z/y3K<&$yӚd$[EcsE1rCeFJL)BiF 3hUg·g73kocDDLqE [S]6D@CdKU][ )x̖3הQ G5a>U>:DFQ&J`SPb&4&vQt+[[,7k8oo-wVzH k`; .3 `˪Ϻ0eV Fm|:}eh>ݹђ`9\:fkLs-F\&E1{a%` =1]jCt`=.Js}sL`yC1t^&b)GW'3Ҫ 9vU@tYR?0&$ p?\{_A}DFk7 `%raq3yl\I.OoNULxGlaD̚㣄y/Rs98gDB)*yБ/ `"4iN8SNts`$:Y-SAG V!7Gl#?*b L5.! QÑvɰ}CS-}3kAT`2J4%-H#Veb&Ez.|&q6W)A"V]`ꎽ;W\- h=8ʵˎ54rވ_gD[&ٗStq:i%&[$,(άdmr#`߅kHu{{Hír_MPb^o|?o~guq*6gK%|o(?v$w,GwHŒ|$c2x^br 6N_}Pp7w㊩"<)p'e(XEbLa"ťvֶM-ⱒߒ! ;5=t~MSLL˭ *k^DN%pq6ip}R L7.:hʣ|&ɬ<]±PِITrL"R z|'WKT`E[xb7!WC_Yͱ;T %OK+F"6 _N+YUlpt}(dѻbC9,7HtKIjKԉ O"]Pg&T;?8p?ROQoֱm%N1jfEꜧo5w想Xinb'af!Z9pzH:Z,(/g*=2LBTLryPJk<&P+>g!=8<>Չõ5;cLZv$7"L=B1|GDTKԫT mkekN.9d@lU`Ndy7ZG_єkw\|͍#mmfmOiB ϓEBL6LЋN]-!ʤHnF\+ᶏ4DdYG|*R":Ӝ&w%HlӥeklޡbwR@fk{-Mr6ۻ89|/r&*£mY'-raiyuVy=r۷rt~s )Y6:[B7 (Ɍ?PE_HBO>0K0E#؇AzPU2¨v cjobGeoawRuҔD^vԠumf{$D}kS@Ҙ(ezN)țO:[?~ *k6R1$ҁjd`}PkYeehi *o ٻ4?NiFD 6"#H:Qqܵ^]hfـWrA| PK!-W=(>[(p>Py[ԅ?zT,^%0L/L$~_P~;&* dljv@vt;Tj۵P:3v{!Ԋw뀧a!ηړdgz yϕH B\”Ű>C c.Ybz*F-dmf@)n49b]P QbL. >9UPF\[WKot_WDii_Sm`/Khz*F#N(>#o|ԫX10'+YJ월R:9`.7?;9ЌBÃҟ "4Tլf8AKgHvbV.Ps"{vR 瑜$mѰk]8nJħ?9YvW^V/'3{*;FY"B,J=R?ڌ5?T(f` ?͏G-]hb8.y!JYEgC#F'C7p@w ;+h ɒΤ%-;r<5>~|g;?McfC9;E&)YZS9'ܯ":/7q4}\\ K(ػ`Ђ/ŴS~7mյ~o0d>dNgޞ|Q~Jg]56}0lcϲb>j4MK^jҲ>N; ~EYTl+N?e7jT 0>t/W3o?v(OD@lMvW ܓ=HQP,}JW *@\f=+U&SQn|QO~7h nAfjMOF,RE۟ǎ{l|(ζPV>?a9I!]r+)<96[~C|NMSf#LD٬s8`eS* $ $ϑpZ=$,FÔf1Y2"s$vs(RXך_~܃ob{X%@(ZI]*t쪄GO:ܑԇ̈́xqyh@S_瀌}tv^No]qu耭<8D C*Hbۙ_@_J齕0ögGsUM`q-/spsw4e>3Mzi9 DSq'~}=:g|Y y56ORk,{[W[Ji{,HxPW;h|$$/cGe%˹1,X)idHNS3=p?cY We/[r\\v<=:o@.DEV}mQho3C!(zTZm5X#D+&"dD{A#3]i+(h܈sVc(YeX͝OR)>젅06S.jk pX= h acoKxFo..}$fQ|H:%.H)VERfXx 93yLSj & KOn7'CG4rj8nZW N5NV魗Vjx$8DX, + 2/|_ϬtxPAQc!˛-G 19d#)e5Ua|Q:~ʮf(YY3F8e:/r"GbsA݁$7bVh^f&9qw27P# 1 @P*4Iطk`{~TTJM1a\0@ (|4gp-4鰔,(P㪳Wfi5L ]Sښ>xy4w͹?:C#g+x/#3cdmOuN9/ c6Yt۶%?Qӱ?(=EEi.nbyQcԈ{k #i5T!QT}o ZJ''3y~i'{<sS pJ4! BFxJ3y5L"ܕ6uC}$=بf .+'5SCMuj#aj^)7!A߮1fḧ́k9*1 &d RQ ׵@;~+*,2SM*Q:ܱw<%)sSD| شq3!RČluz 0k'SqT3-h^:@9_Qk*JD Pܹ ߮=5a,:%ZdZmDC\t,zĽ ]0q5lp0{BTTGBօITh>E7uЦ3e^Seʩ/+,jg]We-4nRR8tkRNc{zjNXɽmD9ޯY^ ߊ|OrA#Z|Ƶ'UmH,@ bPcjn!4{ɦ͚6=c8͙( (MEQE-3]))o0\ ([Bǜث:V8|& #8 cQ<7QGwWlYкI%C f|g@BauN{dԺÔzG|;8}j41tTƝL^3kN]R&@Sޫy@ $LWHOGd֌&+֭>-ZJ}/UFo ;Ӟp JOVl+P ]th߬9=‡AJLy YI=:;F#DHՔ ɶ* (}[VA065?#Υ\8&@=kēN W$_DS+ E8bglXgM# \vmKKSM WPY6Melx/lyX[BsWB"ܢb@4ғ;/]!1d*QtըPϬl_EC(rhZќtNi),񕻨`IJ6¬AcQzNW,5MB5ܼ+V6`YBj:tqBv 9q9nմ >ۗ 鴖j(Yc&Z*WTw"ix"$>:f2L Aj8B1JpʫC?⩦:ЈqU3}&ʺA<iSIX}Ѐ!d˷;8+Ę Pn[k ]4˭ ӞI SoG-^I+boNgЊqtlt6ٟb}p7, )KeJfWc"fѧM%T%k.pˡx`#I84 "|6/Si%'`svhdU- hu@_#jlT5`1 ÃM$wx][:dz^Tnn| y٬ j!xƹH$bXؾ]*}0d'1 Ek!Vҧ:qZ^C*8%(`EAa^]LV>'_+)0LpANg]6=ʗQ}*9* h.jp))ET d_W9KSZK'n ږ.M%-P!Ih;J$l҅vDٓ7lSY]3Pq/_.#Y`?t*9>JXa;IJ?eB,lYVE1@Iebkw20&'1_loIi>ؿ%[1 D| "Q/O+ᬉ=|_MnpVԁ]f,G ytpWh.J|b0|n3<[TF L?.EiR9x-+$ݙ2[ TO;i)imٚz%$e1I;kt .x…8Gц Q6-ؤ0/N9a5i iIynYeUI 9sj ް ]`\g1oFb1<()˷ [vk ֚vg6orÀmeS& 6o! :DT JgE.&032sOq.y.G@t8, NNw/D'qzYKRYw<6̪oCi o:`Y٪E·mYyD@81hhh4WH& @hE4 =O;"㞌dڥ .MSQi+wC!Ob߼s9vNECTV-[5Ԗ#gcQH@[žPY6ޮ{@csBzgyh6Xn\\eJq{b!X;VMIAow~$s{۬;~-[jF\m ғ8;eVzD1^Z?Sd , :*ojn+Չ#vx~oP=k`;G3\  1%e >`@GHH4ˆɐG󕱛` i+5_dbtOkyEяa 00^"ɩ'MvmʜށAq77)Wm 8CWxS̞#\e w]i !LG@R 3)q !#ȨEd)Vh⟊gE,C` Yaul{DIaU+AK#TN=~ *WCâA`Mc#o1CwK)|%!"i*in&ɝRWێR;]Pw-*OYKN=RV}?M:*IP.%4/Px SF:8~S앱P:w¹Yt'яq}L[klF4QlJ)uXHr44O זR) +K$BBc1؏aHm=M Pxpg|m]PJz=M~cuS1|"H{'yԑ$/Lsۤ6'8 U0.V2!33H|b8KF\xz#cSb5@@~`v ɏUnB@t.LV/R2=G;GQS$z$.l- OiVfR5~O2dj uM8҂7[5ա{ h~wVy/`x?xmn%qTCӕau[!A=h^q\aTw`|*{# OaԸϯV/4t׬U˱  ҄s-rtgi$~M+J1g鋿^bxϊF&9kA35ZK(bJMI)rRGqS"L hnc\m@qr^[ڄ2.,6 Gˆos~j/ )dJN9F=wpjX%,#qg}zQZ/VśC~ fsE$^'*{rcnTK곎FAFl>.M& zU`{ґs OΨX9[aWwTx(v^wUIM2!*݀<=AM2V`|ne0P^pO[bQn5$DU:ZZAH {.u ,y/J4x~Jo&#FBdJlf==Gz aOM? vHsxfvDO?q*R‡|MԺ"?S\1jӊ ЅL JZgt%6G~vgۧգ}L.:nosө߿!y+^X΀YIR/%G۞BoH OgVfYxiH"*pxp(4 7\p9jc{0]v|'ӆ1s̆h#ٍSyBuiyz1(]o)p5 NHѻv0E,}>9((s,HS\ِxDla^G.7-#k}pPZ18'lKM kL)_wl~Beq'1 Q++Lpq'j qTp< !y:86 Rȁ阘>d l""UcVRѕxb"k{t`Yf@W2v#h{5K.~緫ЁVEjׅM^L*2ݶ}/)0Thz-00:Aa0U $v`Y^7hYFa˱ޟ6 a`FuX|- (eI8##dՇxw=u脹Ғ:}|,$HU$#{dXޮcC]qf,;^QJ6 pVa_A>Jɫ@G"6 uQKQ6Tk٠aXRZX-,eh#D6 )/b|骝5;;&C*Q/ˀz7LͱZaJb\ >q;~"YI`f` x%]lnt`xDZ~e-ծ{mBJģwGvاvoW*:(\dX8bDZqZ,v`d7΁~mY>A ,;mnƀmC^h$+=.NڻApK bӹ} 4H/2]$s໿/y=P5q5ywz25 m1?nI;/߫G2lzCLҼ;K.MdSlЏ6I82H4T0@$5P^lgpy@*7#D,j:s:iRz<|BF*J ;6[RYN_Kv-7f~ĵ %js/k>V4 eN;#稜RIHt˴K} { WA'ƥf8@#T疲l-3GV~׎9s0ߠYޝ(@Guj.*ZC \[៓2$LNai&4P+SK30Y>I'ʢU63C`s^kRe)sY(~l3C61}QA9Fsa }@w:w ? ^r1U`A<pq[|Q#vKe0.)]((f $1 ^ClWHJ >A!ѻ`GIp@BS)f_O,D|ϲ?=~E 1KgLR#u&ɂ6ل*>eI;ݙKk}0z',k~?CħOO*`ry@{"%}a?y4~]3x08f0L#`FD y6/ok*=~J94W&aʽyLӼt<d*U롬Ni}rVj'{7vGFAm5X˪:Zg3UtF'`M#p!ۋUJ8bH=W_4 JF@KS5zoңP 03: gYEN}8P͖f:^3b*i Jak`"ڪ+)#Y> YFq8ٜ幍 8qOwY|Sf_S;E 4r1)Z%΃j(AH8a{}Cp[z  J:h80hjx(8\wJԌB?ۗ)Mq++7!sx{e|zxIE&M,ű8=ڲ{/ntalU,k1v<\)gOM( "Eu))GR3]0ACoDk<+ WC8 qP"+Ƈ]h]`0&<i逖 vVTp$hݭInÐ3ܮ Qz mݿG6JShyTE3e^`O@#ʚjr:eKV#""(.Ct``9Cp(JuMdW/JkջT~qB?N/ZZΙZ^-w#)T1+O%.zG "IޛMy/`Q$ b&\>`omm^-vpjoaS= ˁ:c͈L4G i+,woH#@#>t!MezE6̌"4@)N3 pa4v \mv7Z<A!.]PP[RPƆGh6|z6ٰf^pIcwWf-Zȩ6[>Y\J Y9gjKXlp=T] _d؊ $bUJ./z~wVX o{N.SWH\ڜU/~I`;P7y^g=^%!]Ԭmgs㺭M5?цBFп5;k0^PqzMIm ǖz]K*^;I<.aCjV+}lT8ySً> Y>}vk*gB{(vPՎjyv)!+e͐kAuG K1.uZ>T6|µN4cԻ^9.5υc2:l$p&4 0R+/ QkAqmSs )wiOc.zXݙX 7D i{*tYm@)uKD0B<^ ;yK]jm ^P'mScdڜXW3Hk6W%;L5?.p JQ]|W"{I4d'3DQ#%>ک?R:hhُ'F@ԇeg@~\ ߧ7x 6&& :Ew/RXifT l}9<¦/ HלG"@~ߥ^aސzk; }y]so*I;TcN:-P`L1UjZ.7`WYW@s7ȱ܀X0'}RZIu jѽK!sMO9K5]|[jAR$/9"fYD Px x0 -h~ 8/ I.,b?`]`;tEқ- 7YϦZ9tpOV9=wªհZ(F\\ڜ4~V{=eH(bdھ ' 0zؼHuy|nBFE m̂uO3u1>f.{™߷%H[ţІ(cC{= ϭxLɢ<|?q|ǖuF5= |vQ$83Kk+:`2IyD")߯6߸/,Ra2kvz L ceܑ3 6wӖ,榢ӰBqIJrGx#̩Mnf}XY&$L;hKYeش:kĴ;$ΆSG]lp53 ( %u#ͅ?t1phZCr>$I߃(L;L'/*vBjª褗^j&&!c9A}[}/!P?쇶ZsYS-y9AO mlp7T"3MΦ1 c#`=fg9 K|?[$T5zbK|V)k9V FcրB\")IJO%ODx'p,"H5y%wOTd^XBb t5CK\:(P^ǿ}i( 2i8 k(LSp @c0J =R.?g[:NgFx)]gGrۂ * z tX#`YOPk0N~*S@VdD.C6 #4+Lji>sWm ]*)[+_uHYOx EH,yuczͣvSqFҀFDUI)nzj!?&bzB:y+%f7X6]ɪ7`K"x!#ؗ7&2_GDK{pyd LP?.5YHdlFlk{gэFxwpDL}WL$=e$JSilj!kJlo99 Oh>m^(] seXj L̍[Fz IىSKUPj]02~'u")4͋53{.JPw XĦZ7L;hᝌO)\67|ctx&Vornˉx$oQ@s i36#A[} "| wO{EFk^ʴP*r28;ؽIx:Zݳan=3u # D3P͔/hPX ϢJ);%ǖ1=rnX@Rـzī);3+נּ]i {x3~Sx"%_銬>EA8)"G<>t}ղ:bI㏤:t:lsiuz;IgôAIJ+Ao tV9$SRKb&rJZ۽˔uẍD:>!F V 6#+a\*O~r/E9rE49D_$HC@@J[Oj- "*܁8Sbbh}RY7]T50`VH%<;q)zL0pZeP@ԨòX[a=;ˏ#.+E{o#- Ju 8 uӨDp.۷nf Gi(G{gS]ߥP>x/J@d<՚Lv|Ypm@Ri/ʀK6Kwswr~`ԟIF(-ryd#qlQ,(đW`.DӬ7ߌe39Jپ#(-'o"mTJ,_%^peOjsYmfq-dr{R:7G+IXw&+Z 3wڞ9A8Dr`pɗf^p:{Pun'B/}󻿇[GqRTVΏk8!uL~b*5ZkGWiN%C;Ǹ)ufKRtaplH6lFEM"okw%xr5FUcyH(B`ړ'< yIŠ,L6pT v`Pz_)R.6'[^3yWN*,Mi$ź&6K7!h|J6 vУE-jꃚ rL %:OY܀yI%X-eDAg~I a؟]dg.}E[Z/Lrc&:2=5G͝nSdԤOTb%&{ |1 ׮z{<ʡcE[Z'>^[{ޓ003i;ՠ+3vR !F2UBɽ?O?V˝YHJ'K{ ¯k=Zׂd >|͒qiH):H(7gxCRsʞIMZ:xЄEU 1Y\4VJƍU6s;|9Lz?B&foΠ}v=)>EUšj*KDW?BZ 9}0j-oʢy%4:J'/dg#|qj]!ն\M{֡DZ#2IIP)Fa!C(Tq \ѥyR q{˨kQz6E Oz\n*Rr&bkߗK1W fL8R0Oi=,:f7%_~B!<-\ I8x`k~ZfDgFG@>oGHgQ`'Ru7/'GD9tU<L4> y]G^SU:*⒏kA:|,Kڧ#v4A"V',w۲k0-+F=9y QA .lzBQˌi`_uS0V,;Rx{Z] zdݟo#8d!Z-,{>!_Š?"?,7qC QaBLpLδO>e<`3Ԏom3/Gszm>6uv\c*BW`C̏)⾸;'`ԏN8}Uixr b`Cժg]cQ?d]]Lֽ~ĥ+`: eyyй9+)4}؅\o|5:?m~.TݾA+`$",aw2#sd W%dkPLwU8%7=:Ϋ2|@d+^#=l#ð_ouصKC[֓e+< fX!V= npt5+-_rOU SzCUE0IU` 3xg}mGoрخҼѪq21򾫰>_ X&Ȗ;¡6lwYQ^pͺ1<`m iE28I ,~~4EՑU+9( :$ f:T\YŸ "SkKVr ~ e?HcV-%eJs-ɤ # 9+dR*DŽy \.GI.詵Qۙ)q fZ :XB),N8.%TȌD 彶Z:F_u?e܉oW6"搳* hkcM.ۥXȎZ>4FOZu佄S,xU/Lqk9 GaP̂i5ŷ>)mֹ9ӷwnW^ms+HmIpOMj>:3@ZWIbME?#1'xAu1We(:r-3iC^c?2c% 0bSrH }H_[OS,.:f8SSk77 =*:$ns]ui=0=Baה矋 uwŴ{5spQg朶T\ ΥA]~1b4^=l4ɓ=ysiГ:P AW$oS!VxA{]۷{6c~R\Q$/DlҾN0H>OR6رVz͢%snM: kg'̈́{; gѦӚS ^v~=x G <|h„ϙ#g63s&zUJVo /6q8!$rw4&Ve.HV){폭b;Q gKS76(zltwX97H# 6|Ôo&U\(RipcLmF+1 FT['it8?]h2W*@g/ 1vƹ bn=#u[vq] bRw9 'Lƃi&U+[-܁iEvۄ*-z7rI|${wh<-sgM'P$FL.v`SIG/.0DL3it5]e5UFUu Cr "Ȣ86e)"ÆYm덩:|LF vm6".Tk~B#@TZԄeEezs=pEc_/NiYۙ:1D_h|^CvPT"[Nװa"ǓL%u1kydOw(bAUUG-KH RR̺3 ;@:z[zR$4ca(:z=BK6\pi+zK.yjvw4G>Pz 3@ U%/ΞM8q8U``ǹ=ċ J{VQyIz$9}TCF.Rr Xa~Ga_ۀ.p @v^)9m0C vG[U3V~$)ߴslZ@Or?TJ-JvkPW!JGHR7]~/ik+xCU=׭;zy@m *~c5֒GOdxc+';RL}H689+ g{/ӍcL7*f>]CT26Ű1Bq/ Z[Q"JR teLMWx >$,t -:P[EVKrUʩCzD d$k<0 GEcee3W0X@c!U{{WbaŬvĭՎx IҶ` >dR/LǴ̠pȘyjݿT>&y)"sa M^wf~Cau8&@,sz50||NXAxhcQ='"h;B̾ui3<TLJ>;\ݢ{:>ʬ 3@L_/A.P*~[ziC]Q܀QAgtnm2;JR bEo}p}۷$|Cgu:)T_6>C],2݉CiͲZI$2#p>@s%Bv̺h[ J/"%6[AO/Ӿ.J=gURwAT.˪;..~v>TړpN3e|ڧo&)!9j xMyڗtƫ5MЙI];[miVqnƌ. :H48]pPO> URN&bO=&ذjS@u)1!FddylDpg6=@@ ȖvYMKr26X+Tì0[5,De ^ /4$,v;|/ؔ 4G#M)A&b\ #_2/Vt˦Y %3{材7B 4 *daUfJ]w*|_"JyסMm~iN4asSN_˄m;`mܪ Uh 5d;Kuc̨\=@`<a9 _վ,gBBhe 48FhkULX(es*Ld = oU#jU修Ayy^ЌA%3 %K*mS2s"Le}`񲓑WnP&S|7/IHdÝh* LX{b7Lai^18ށCfa'-z|x`ƁD+m$W2؆GlQQ+YGguA^ ?@4MЯ-W.]B˜R"$$/NIĭx&*dͳ[ Al]W׋aoe5s8g~:ɂy63p'k$AJ#rX]{HCe;Q5,+姰s#9G+Ԁ4ʧS~&W2/y4V VEuCz*5m| /O˘(9-%*ς(=3{WV^BMBM>37|WɎ%(C]|͜U$IrmsEUŵ%ʄBt@^Du?τIVLa"6S E-.Gq.rVtY[Ղ.SlQ>vɌU`@#E5CP⩝Q*R g*s3M67qG3 LUk|쀿2O<}z3_Oז4,Vz,P wWi-sM hj{{1SѝC`ƺ-5hNP:9T%ܨ/ BFdZ1A qVngj+ 8ٚ~y[1t%Hhs0K76_M-%UFC'ngp+ gBۤc2i@5[YUnYI`~NV@W¾4Ξ`JG 8 N}V *2gM/X(`"xˉwfRm*dq+}1o2ih7Lz&< ah:yDS~Hk2[ Z<, _Y9L8F$ ۛ8"DtoWDcY5Z&i۪3pΜ%q ×VUwwKgϜ/3,Z;XDO{p1ixw\O>i5mn_Yar2#mpk6P吪( s$oqJHD KWtƪ˥HaXǫySF<7n{Z{ChT?#SW!pGl/w;@ַV."i k3} 0K=&{k"5$B#^9~͓/I@r)a ejZL#])ޞMN\+r߾U߇oMheu:_4);XGOqO巬 3y<-l8|3rx"YDؕ`ODS/޻ӟ*Aha zu]$Ak^nefϓ-#`loe+ {`M^|>8>"'YyZ%cW,'I֥~*zGsi z eΧ3Nl#^U+`)%b**k»?cT:47]2;OXPn_rF܎#J{kS|uXMT&I \e&׎L q MqQfR,x1|%Xb2bv؍?g#WzI E[zf7JoPgT̏;q9O:}vHs B8 /Jq  1IuSt^ɎY a悐{VM׌œpPG+䑀 m;'TaR~ DCfHx3@c!9NdPLl.& qpj9"A^-#N,YؤB:8/͡Q 4fz3:Rܮ۽qL+P"QZ.⛀ FɝP,&V0{P*K~dCg2en\,v76ݩv_X5/RX64~^̃Uv[2e94A2*LR*= ҽq.1!Tno<2Fj4|(ZNS~뒢 StMԘK\N]~+ }6f#Apo\Ӗ9bKMN%$p3p^jlfWϕR2򛙾v[au; v,dD:C$[! }>oޘ5!}L\Uӊy3dQq.8?)Tsޭ(V@R.Qg\H l&l)QfQ_$9:k2b=+dP X:=~.]l{uA`ݷ&5>%~f=!.JZl ,1ۀ &]f"D]>0|’UHһ؛Aq5AD)Jl})b&rAh&"$;6f`dZ):|A7lVlk/r>5GS\>h1`1ūCۇ@Hc=$@O\v%eY^n%3\}l״<%G"'Rkf|)؅'5҆q,UJP˙u l}6[bTJt=$Z`cF15ǵ9\Ԙހ7m`hi ;ʚ-ѥ+@`hY!Ozn:Adq5gO]Ys.,h~,_ ^l‘\#Xۅ IɸJ62vZ }%]ךU4ӌ@ZAa4MҥQMżjƣ *#7<. JeVfOp>)%ؿ+  ;\][n+kmlzstQ3.BDr]rr&t&}(gmE5Elyw\6c@ni9Q_4P:+ <02Əf7㈭IjtqRbE #fq&FC3p[n' P #;cvZ(B"C_HiwjZ׍b{,~ETf*B uA4r{tq->0^1 g"XeUNK*eRt'v:)}U7P`{i%#201r)hi`u἟Ut8vf{ry7x:C0c_*PmeO1Th I rQ_j7W:\m rT.Jh f@*{K(tڬ$t`^wbQd!&Ә2zt T)U[b%N ֠k}2_1 .(mo Rx:Fz\TUjtyoC܂JݭsK$l~OHܾ s ."buеk؅AYRzjS0?C-`J~mI )v'u5ODOX?鮪O:V_&_bc0*$wg:QZyXl#D3S[|Rznm?6E͊{ D``֪*=7ғ#C#hU-v5ةn 0*fb%`eqES=i>(9"lvvU1acLJDչ+٥ `u ~8b@I07{ZY9SFxiVf~Nc ^4UdXIJ̮r:C{}wk#٤u\5v KUĨ77L3[2wl539jBSɣ[iԅ󒛨eCDӢ)r<󑩻 UѬPEB"ҍ|us h204'pYLÖvťO\"K&ہOU !lm}s3 ө˻”MoE<|R]R!\D"N F K43ca=ǎzd38V#qR~x(l H$ξٕؒ4j!(=Kib"V'X"gvD*x*$~+ 6 ky&-Gb"UU.=ukoH,a,uѯ]gϊµ +Y .$6JY-sw Ρ'pae#Cfp~FYdݎ )^HUr']q¦xn,]o[WeGGhBs;=H57P-,NIiU=, ? 2QuܰYԹ>JNTO2]1Y6|]͊ԭ ˡ-xfgF_p p#c(v ^@q@Z-< ^U'ب=۸"ILEg( 4o3%bb[lcft#C6y  jU )"GYaƸn/-:]r([|S\ }\}a6"ݍeԕ(O jT 5s4| 1*K4P5s"N0] UtFC,Ra0?u';6B+WFr$,bT(Ĭ,}܉xPUd`%1q}Ջ\VUEpc6 6Slfkɢ  (eP{h7M~"t gT@Eᙉn4oLL3~r C랑;S/IZzڀ%) 5їa˓<ә $C)\N #O'Y{oD*„=ϲ`[Tսڀ h:/]>'Ń۵{^ h &v AgXcOb_gI@+:\qy=PvgPl`D L6c:_a) e-;puPR^p3&a>vFwyo-ş:ݖ|AY0S` K0%@&)v:g+W@QX_(k-4'y6Ad=W<!&OA!vT*jcK& ߱TɺN¶Atp$M${WT=:pYЕ&9ރ3~_GBh֘#ڹ k߹nq6)*&!f2gJ»62銡e1"I\0sKk?4,p/{V1z=XK#]aOv=^«a1 -⁃It'Meb#[=U!!& {fDЏ a B+gᡃ@F)\ ZOy}%/ _F,dד|{V$ T;oc$ !$]s[m1,B$hYU˕HUMW< -aõV<c.NΙ6(\5J޺4i$$F>@yT$5#hAXT$oJyk+UJY:2lo}ں!N8 "n37gQm} 6`(;ٮq|1󽸜5q`l9G "l1>9L \5:`ZW6v!ceE}lSaj@?\\[EaB+Ox ,Et-n|3S`6K  /CП]Z~UC=wZrQl05hwP46nr'=8Xį؄xѿL=xnx5DJ I)$Yjȩ[2!}!"Ŕ6\@px߰sItCNzrD:U Od':4%% O": *dj|ܜ'\|<>"*54/+S =vqOS.߾99VPv@%XtsU.-!]&>.cpa\;o]1y#y^2r`0yLlwx;ҚCUmS%w HYzpOX*gB0 ? *޳2DX @Xcor>AeRg}.CJ;%#qj>Uޛ'S.G>NA&Z6vj*:U< -%-W_&n8JlV'ܫ_9S:LgMG98YͪF5}ZF "),`%vgK(wV<-Sq$u5*h)<d#==|xH'0ns|4z[x3VίjT]Uɤ`WM^܍oD̽ AZ>倲ϋE}[9k'e9cA]W;k :$VSU~2@z5"6aBVcn'%z1޾`b^4&7t,lKvqg3P;<%)oАNX. NίN1] 9N*S@RYdcSRij%#͘xhO'oU ݑ#!0W+l`#uO%rjIv9RU )aZ8Є y-Ck=HM(;-5Υ8rBd"K= |%v Vz Hd~ѷs#@'g+[}QD՜o2q"/5ѯЖo[ȌϗZ=dMhnwSm秧(d񒘏KrTlLPi}&_ Q]ܸ]ˇWR滱_yiǮ#&=HZ1X$l6ܮ&˪!UR'{1+;_vJ*My$̫zh:Rj:ӭ7F0% ;5kM[Y'.V\Gnmˡ"omZ}GYxn &j` ?0+a͛Kn䁜=c`ht4t;]%c\K;d.!WؔXIl,O L'o'q ͈awڃQEJo%] 2\Yuwm\Zy,;}lD%EZP?ٚ,N-yӭF˱{);Xi/;ONBC5 rksT>J]U.z2cM wLUMMt2ȾM& HHt.)8v3]LdfFyP2H٪7b$ո<Af ,D 9l ZE0|⋰F;E!,-(*``rM&*{e?Ğ }s>[KlGXE=7qoe0a?JX!MLE͘Jϡr2|`3W4]roδAw($vSo +lhGZP'#e-b8$jh1Me=ӟ$zE(0)fKg3<Ƈ 'B(IlS#&~"?=ػB*`(Ifx\A4LA7!$p,ʝ.@Mz}ȑnspbac ec*)bSb7|B{+_Ej&BhOztPu{]UxSJ:1Yq'\)h#SpKY *G|O*%bU'%SC*u9GuKi꤃\lQ<{cHjSjS93R8ظ<W?; jGW?v9=]InnLϜV| 2y63"̟6TA΁ydm@tErTSc_D&f[XIN2u u@Ӕh^0Ezbr[AԽ%^1W8;Oofѡ!I0yy=fk^rEwНCk/_,j-F& :0gF/[G&hASם8vBM"QWp2ISs{zY;ʴ2:(ǩ0CD,axlUHcsk(R6}E LRBꪨв;9As?x>YxϚ;W7]֑\V]xjW')x0_b!}gzڢc>EZzOJ$zJ?yiim-{_ˡPi^y-qG$}bd8&G!*~iGHoºV^O(҅_VRkJ04̵?*~,6-4(*5 ~Z4 㯙@"2. o9w Ǝ ~=nUxb>"z71}V/=H>l>⭬i?ڹc3Oήרh#0>t挒k8X k1ܢpm35+ p[OK/ZLtODZ`ޮ t0G}tq޸E0z:}B}}QF#}Kڮ 9r/z}Z_Q{?ϡ5@^8VgT EF a\C+*TbM%'{1[A#֚o}̕xƟ\ u\NHg)puXJ}R yX3К#7mM 81Y?$M'+/3߅ >3g))!5w{B6A0sn/χ3V J$~t~0 icKM qr;fmx8oq,AWWݸ ]6tiՐ]>S ¥9YX/Ghc=n[/0 1<`o$q"3XuGY {OZg<5A 0ׂE7|:^cj`5iC߈`a8 zr ^;7P Emiiw+>CҵK(LĖ+J$Ms̽C¼/+;X&AeBDC_.}bEq(,%C̦ەa6E7B#iW%c:P zm]g% ezd D X$ֿ<[SE/P ;ڀ̑Qs ڷۏY(ĒvH"t0.ܰ?j5Ñu%$iӯsj-(U(v7ZpfljG6@#0,ikPz AZ73i-ԎSy'IdH f~x#.ltZB)S6VU Ji>`YB/nEٔL2~ێ`C- jNHҦl8Eҏ3DuPYXT..ӿ/ 1/01 1_ޱueF)\=;oJ#>oz:j>"q[m'Wx7f E Z!Sm‰4wڊ-o}6hvʚ_FkP\DFړOY]A)Th+[bVL,^C{i/((4iGWIqV^4Q|DjOOp4Ϟ)AmGq|~MؤYq(n5YŘЗ2W:5}n .B فJufk`@Q[/LۯN;Y]谏KiZST%_l.Rvᝍ>x<Ǻf^tŐ(^N}:+%ܑdPqnx<=g}ny^ M ZE  )~?N5cev/`HJV'V.tIpn6c0@9HϤ&Ų> L?ש$'= <G᠑Wm2-lv!CnZulh``W#9n"H1x38xxZ`Jgepmy.RQ(Ѧ0DG#Fl]7EkɡЫ"#RmTNdmFcdhbcj7hjmn릥ۏ4kDf0І6U&ϚEkw*x;kgKGn@4ZZu#Ya$VW!)aAjݣ-isyJ#N2͐ 6 Ѵ2BXtfϣm{5T?#*;+nttr1dP7knMC-Z3ޱm=&C.޿'JUC?hHQUچ Q8\_{& xۤNǛٷ %a^$k;˒yݳlF3a9AKd'DįĊ1¶?tE`w?q"~x?cCא"\ϔfM)8䩩HGʦ& @N4Nf6o!Z,Sg&>xZS"Ԝ4+V(}s &Ϟxskla#άSvF9+`φC[PjAƌ8"/twEFId,H' sM=d2kd‘EW0iUfMXٝtI&2Qw1Bb BqgǺ@" fGPkpX5^.㻱"04EUΐBϾ:\ށ"M*{ ۔Rb3WB8qnkUkУRvJ54ǍewmOL@]uv[p9WOӫccZ$)3|MPS{㓆x@x<;75^&<7=B$G{E7,zL[G͞˃˅ k65g2XNq=*R$!1阊fC)tOlNҜB_qG;*"J[۶u#^onSEYb$l(۾ɐ%#Oȗ Nq ϗ5:L74R돯c9'=Ut2$u)Hϸ}ʛJ1rT?[+OIz㿆6y2&*iZ[ہ9zح^9 ׈/۪&Iҧˇy0Ow{lD7Ozwfz2/ZcA}{AOnTQʜlM$ݴع]sܲ.L콊+bVQGN<q308[᳽rAvr3ey0` K]ft%?[uI`P|DtPT(Rv0ݼ,!هZ^Be&KvI Hj2K`wߥe֓/!ޅ PJU(ZNAC)5ܰS8*,?,+!mMZs `9P}c<__^m1]>Y@odgIy^oHZ'{M;$:#+@5ȸ2G%q ߴD7EIrqJ): ĉ_SA6հY?6MYR3R+ <'jF"ۻ묛5cv'M*?׳_;(AN/@s4SO(05WaFu,\Y %`y ̵_wk ?-_D*n$XMɢ;„::Y4MuW >mC:}0w=d0nq &4diK x <꠆Q Lp-sb]:gχRY3~n"PdH~##)G^rS1?cF;>Ɔ D!!JtDZRښ:W4[i:W4,G 3]p)L~o6iζs_M X2m_P0R-,l~+J w 8 eH'cs-pbG;KzS`'t_IjBy g"ó ٸ|'~饙Fӻ[Zo|λO` БUim&ף1v% ۧ{ oUγ'(̄@AQwuc $ܠ{Doԉ9pi:{ۅh[>F8k(Wi Fsc$OҒ^4Iz^*3|KF=R*՞P?dE:O]E4"N{N7ŹJ_L$ph<uL噔GݣVUy+-OЛ0 矠ۉt! |)v ƚʑũH{~>pfl2h}8&t{_=_Uep*`ŇZU8UOZ]]9q룷 [7 T:}*Gq5mc2?؛sƫy}^_Mg?@0qe;\xX?ҫ jE.ޠ.Ag Sf8bXތ=Cz²Fh{op:9ż.׸ t<#ɓXp{,x^g*_ DP&/ѡf ť$g ev} OQu{-@Ů17!9n/O7+"mH K, jXc^N |<HcmpEX1DtTd=5VIUjxҎ4;E_ =T{ʙ-p?}jY\4&oEl;E1+EgsƋ/e_LfYYBrq)P %yN9ks~Pf't"aȂҚ`p 1>Nb჈̡X <̏(TeȚ{y)^}KeR ʼns:`m#H%=<?U+?Qm+G-'CaPeC 0=qK4oIX߫2h%T\L9<"ّ{ ^0l[S#r .)("7z Z*3䜴Ԡd>ir\9Aw^ m\KX1pR8Sm_RewUGV]mG, |Bʻ&0X*ycu[!peևzS#nl\c$[vw2v/\j;zʹ ~hY- z8g[03G(dֹh#A#a[өJS szx|:pD/"M0s;ig^&+BFgԹsTY"38wrj,3:j *2PCj%| ň_ {}sFxOH1tX"$FKOclFhW^?9Ž3t֫)mZʇD_?)($㯜 P8.pOT(M.cD5`=J1Kazf]~ ,ԍ%TR"("Gn^{wr&^wxlkȻ 2x*]Vs:-}ߊ௒Fp(*s|pH۫_ڐLj2FCƖ&.g[6dJU#4"_x9uK_*zF"$% shVu,!]N /~;_|Tv(6)59>‰M{uk1R ro4dE3 U3;klVxmި R+\])O9KD-15,b5͇y˝OB/E- Bfv!ύЯDgˎGI]OIMP_ Ոw *2X:c Ima8uROOKpM4 㲙 i^vqK|/yP1hP݁&{~*6WyGL*NKNwS>pwӐYvKZ=cLtf`\  ,6TEhJge1$iK(j[(9ۤɜ9.$H^$X\[EɎ[fNEn|ġN5v8c< ]$j`Y~APJ<]`M_rQ\:psUjWYi^P. }H2QyVL7oVW'†ߑK_5ק()̕^0˼Q_@SFWt%S5g+2Wqeq܍FL[+($9B}GWe dA|H`+o9Vu} x+ ESkÀa]/-$`̝^z*4r/q'Zfiv Գz῝]ON7N" 7 E=ɗx{ӯL m@ 6HFG]i$/j[ku ~4@2B]UKPOaB#%Ч~[o̺ %tDU=VI2RM5|f@@e*x0^n .(:2;R`ourq`⋌W_mURpa0_UCS^$. ${zֈ |8g:8M7fp2jϡs,|G˛4cOi~&FR*"4P~>o.gN%;# , .>yFɩ㾪8+iLĿyafLY Btj>Xw}dSGaڿ+& Ĩ@(pWK]E6LŞQEPE_"Q%n f~^|Zә^ĝ_NJѪ%w>>-990+4%y⡋F ǞU7{!aG)P,DF,4S SMn]~!6bzwPI;#!;CNI:0`.uh st 0#F ⺘6 oGl Q<[ DIGs#{b;\Q%(=Ϯ9a8ќE޳7wG-뉩FZႣM"ivˌ`y]|@VP"3>!Sg$G4Ewy V'Pl;`{DZ 䶼 j-xg2D$vr~K]tSԹ\`Fqtn>T,@ \d7҉ Fh?N;i#Ml\n#5\V #ԮDs,lLYC@M7>v;xԘ` 8_W <ُ}FGZŤdg΄} TM8Weƍ\ AdO@[}gD xS/2 Ԯ ]BP\MSXTl)g@fu[NaoKY yJ*e̓$|kd,j#%j6Z3+TUYy3[/ZUw:o`ly3bRQwdZ H+3TaLpS΄wsp()Y^nV\3j6U 7QPE'n/eNL7pÐmn+ d׋O *B*3 +XZylu5~6E˰` 7uV(_Iy9\~^+ݖHy2pg["!mlJAӓ+>R';ǪUp{23 RlR+7(itfE`|ï|KS&YcuDWgu rC7sb!Uw*&\5bg)py5 ck*r!щIŹJvr8 }$5V ּuȇ>t%5-jx*R;DߪaUb1#ru&ݨfpWAӊ3SuRlay]Der R0bEeEar5@ sE؇9T^~g/ARG1i0,22KC3{U^܃m8q{*imnS>9- #;漱DF3Cp#[%A)_Nm)dA(l)H34:co"褂g?CӇqGbّ s5ջVKl + Bae9vzcK$(#CÈʀt".9-IZ×6j# vf (*."-Z%Wա+Z ArY$&Ȏ(Ŀ?TujgJg.ZcoB b$>%?,t_ iQyx5T?͐O:b$ntmCⱥv`DM䕙dXB{*0e@~S;#Ո^Np蟿(t3TֶI\i א'L7 $F^o{*PSr@f {(aKs=f^\`@ w~U#1N>>8+SQMVgs2X0F𱤅7_彝w}窄}{==H8HnEuc.۶;7l('%-zwCL3\]~ Mv76[R=w"f#l1$7_\@7@Oy*OĮ4 |qf%AD7Il }ڗY2itGI88lv5|pҦqYr,:OtL>/zýG6^$`JLKc8~!jQ| R"$xx9cL/w\9_qE f = E ݓXh \}HFmY^)K34xfPR1(m3hGR ?);0 Qn&:oBWS8ϓ4ZF ?נ:+'TkZE7ҊɱLG&/NuJfROۻbQ(-A3ĜX^W_mA)qdGb!t+[-(L#w` qq׍vb|gk^b8U"UО 1%$ZAzf'"V$@ǀ4p̬*b sOS _k'~eDz]8-ar['$1;ѧ&+3m 3Ɲ*38?& #O瘟 dcu ¹٩.zYg|؂ݷErzhߨʶ҄bUTzBqYV|Ҿpyk^dhLTj>:]V'th "f͉+=}N'v?DY&t!َnlWbLe*\B+Җn.>1ZP=gC3\aot]sgé/H[WoZ}f ]GV["9r&?ql\Y6Z`.2AE;6TkhQ`vL`A=,j%j=rE?Kx Gk8.e9$| 8ng9UpSIl,r< J_kn' _njJX ; I  .K? a;m%HS4ζ2\-}jb)`T/hij&XoRMO_k{%~8q( 2Fb=D"Ou(! 86Ql|-fTk:e .#!*mX{ ^97R2btHɞ0>^k }V.hғ=>uqt)b۴zqGbФgב8:U=!)MϹ!_i`ff "&_宆߉Z;SXqh6x N(;ɲZS"8&A/XWR:r f ,BM6G Mh!.bzЭ-mDpMj(] yN J>dh D/(]Tu,xg96(D:[ʉzpv֍C`{6)1侀ɵ2#Z,OMv#<5]l`1iwqpӶeNƈe.,͎r_DZ~5 U٨}<'&qO2Wkŧq;좡:TxƉǮ%owvI`i D[=/#bwmdwpj WVWOf$}r`ѐIR K=aؕO3eSс $f6K۶I+Ho_<-d_"h$ia7Ȃ" 1'_ˣPӛ9^,lΆMD7#lHK_p, c(HI>چOϷg |Y Hq&7?K#NhGi֩l!r&\L1?$dԖ>Q5n;u/h n/LV;sg,XNk\]+XP`v"d2R)EcUBɐ{Zq~R_ŷ1~|񉷧ᦦ(Un Q#7`ƆU &k4D{-WE덮pD +j򹲾6v/$(Q_<0\+H%̠h$Rs*q{ yFvLK~a )T&N0/|h\EWL΃8*ÓJ] [l&]G0Iib EwXՊ?y8q/Y}^- mǛODM2!̮TH"HCU9k#Ra-Iѧ06HInX~ pᙉyN?z8Tŗ򇝻 L$CE2)q4)>ك70)&5hS$E{U /sowvdŇE''@a߱ZL>3F[V ˹T/RN s4OcxN=&bl֌mu4lh·KJWTkJ h_#Hw6,PK/gXHHȮ`!Gj%_`R8](n?=ƚ@siӹD2ˋ`Wy}BCT+.lCx{$Hh3ډAϞ>4}N oA_ o/!:5 ':Fޒnގ!YeK15v觽M҈JBV壕<#)J: 褐ݛ>t\H*ɕ̨}4B'_N2ʠcQyOa#נ5U_Yx [&սzly)2 nlEaotu?i@vg2@XoxzsII f57?s.>uߥBhi ?ZXjb&ye?ƴZY6}t Jų3MN j)M%sVI2'dl\jHH.,v#i'BL]'WpnBjep~\W`ca:Rz"sQ"W6\310˵1T"Rg(@0a0[3 {tal2G^` ?e2h]?F]:T'l ;s:c)a6I P2Xٳ/Խ:No0(릞$GPa*kRp:!tgpuq)s^SfCs%D<1% ۊ3-}Z@0+:}l}!Qx>ڗf@#3y`ˌ։0&Rҹ HBDTve¦֒<$XrѢ1s(7UQIPPr:F롢l-);o3ڛLw2,G=^7 =r)]Mv: t2[Ƽ‚n]-?[Z,Ο4hS7RتHM$(FPIݘh%(Q;n~Gކ?HqwdZ0oy(JWy: /=ĶnF#0]J`<: w?t34 *qϖIx/h.lՃodǩ{CV+fv8>" Gˮ>ֿ޸ɓ~>p&y؛zYB>ajaIMd4!_Dx@"X8h#=ā =mܯЎsAܧή=JxoLn}AF"7&B!d%s5ȸAhdüZ j_>F.J4ZбNή>ݐK(+)2wqʚF71QF)&*.WDZv^1S]^nn:/#B-lځ(>@Q\ aPU2hF&e.u(U*:{䌕[4Ր I aü@J)m-d+!7(Ϻ{P}۟39:4=qթjp3"O}bx&}(z1y ڐM 5VԜoDV(c-pQJޖ/3. 5{ =AhOH8OxNHL*Uz?W-2 Wp[V(e>ޏ$B$hENr{R3Ygscxno aC< IgW'XGٍT5W91}GؙWH{*'(?SC>zHjn8FyFNxXw 4TήCɾE $Y&`D^Vjtb*Uk@Χm^8a(FjShOKeTB`8b+ۑHM!Rb:-xJ !b]+L:[> _[E=QU1wX## ^IZwDlǫQ5>=0 T/v$!`wrbŦ.S(i ~H9ӔJܥװ:=s+*kX">Ecx#zUh /~g|!TrR G\_ 5n-\mv܎DhK`M|ÅR!҃Z+> k^%P^ݷw: 5(YECW+GuѠ[L~WBru&-0GD'~ԍ eb(%5 `9;#9|C5>M!ނhoJ >'b\OAk/n.>޻4ƌv횘nqzI70)b|qҊ$*B[ KiJcK[t&=hͪaEBܕ*#[վ@"R,`LyԽ*t#jCJE$s!x:)}g Q=Sq cɆQ;cx8i]y8&#M4sP{D>&YcBڠVڐn\7NSR&MVƀU_i]Q7{#L#a|a2'!&6P,Ƶwk{D71F[hCqDzIh*D/B=k%,ot$E}r8۠nO# Q eS0V&62:W_4KKk?7KKP6x1Mwjnb-bȕ L4J ׈@L돛vYI]!`PxXR$j?*^pz}Pr4׎*T Ά&Zqؿ,&qL kKhh* -oAy-SeK QpSh }^6򚥀2@cHh~~KI:E9$fTaU\)"?aYQigk$:VB6rY4?(p!bN3+|nn/D@؝%d1xy(if/.]kc)eF](;AwϾXky9tAePe,®,kN|Q*˿Εh?Gq5MQ}.a__6HǗ^0=*#YǭrfrnDϨy~D FDd|fvUv'_).֪a[^$jUǓ}p߀d7r.$JOlSVT͓_|.J5<規G_Uw7͂uMQD ,3Z9H>g)`݀NdQkgsBVhk |~J5Bw3)Sʈ,>RWΌyPr\]?;eM`3JjX' qe'Ǜ8g ]$wWCW3ӹ=n n& BuG )Cl> awv)b›YL-?r\i"w3hMdhq<''φ`6NahQj>8ChE4x(j]C]Q-Ư߂Dz*/e3*ir|V]53%(Tܚ ,yEKTXQa8rB{u$!7[z\Z2\z^I7;y?{_IOJF ?~eCL ֹ0FBA (egv ~5& Hwl(iOjK}B,7^G\Z0Kӭ,dV'g˲Jf pN1:oIJŞ;-+0AH0@;)3E_=9['wf2)`,Bk3! %У]Yػc'TS4͗DĎ)Q`s7l.m⼙[S(2|̵byHbaYZRv2?ݭf,o)%~w0Bhb >%gڣ~mHˣ*L,S@GgUE%G˧lW<ZΫ\rjSȤ ~FѓmlmOgk,"_Ɯ6 ο/J]*U T ^ӟ+];S4nΩhPgŬnwPP "3>HցOXvM+QaX& _N:F_DOB5vg-o۹ /3]_HgMf? !薈!(2!O$Q%M-qޫ+2A׫_u01g-/s1iDD85˽Ig@*/uV}@: 58kT}a (5aj|GA1&h0mw^.1O[̔nQanëcd?GT#^y0aN4S~8@NLp:SKKrDe&HYRyNrר l#g=5ȡfG vc4if,B1Zw_H:P{dO%y^uN~a;M$&FCTETEb1{d$MI񪗔)hmIh&s(L&ȵ^50J8kDC=ճvpTI<%xm!FA}*$i],p➝؉jҍ tyc5];xՍ mkϯnk:b8h_jmAfP}v25?Ǒ쵩QZj>smI^MECfB5 6 \]~&Y*wW*$Xeze 4 =2\;%Eٱ`( FY”B$$Pz An Q1G al'c7ID,'vK$߹68BNcrn:nkP)ǽJ*q B?eB׾L j3( qLXaAfij+4(ZCWHl[\U[; Qrɯh.ʋR@!$ŽkvrkmqïK -{A4jd!Q2L7zuq`9;LM?p&Qwj. K+V:vӛ 6nb1L}ڸIzn8n~4$|ȣPnzjX.CB>_N1"zowjaU{rB<HDjAW&~*q^;a1Op5eELnk <{:دlJ䙆^<2X^= _йq6Sx)j?0A#D p )vߢJMh}$fz,D*݌]{'AJsK2_I9h['(FAc)f.vxD΀NWTkdΙa̴Qu!frFx}"l[Ɗ9X8}䵩Kы~BcsԑQ ޛ6<ͥ՝* (sDcxBYBF?' 4b)$cZӉY1[HD׋ѫJM -3Ҩ# JYw/x uKD$\pQvI kpݶn%dy79;:q-Oj5ѠIt@@1Y`Ns5{k ?^-TSƜ9ndw8^C~] r#bbhYLn%ƃ+8O\/Dzm*cYjDt2kuwQ_;DQ8%C2л'tmɱ2ħGp,zeLNJgMkHmL7OJr4AȔ_'<ѫG>}hǗa 14:O >pO EK'da|qߺt pLw>Hc$[{}< xKW|زrl/ <>{QxDSט  }?څ4ⰵ8+?Gꦎ};+Ew""4ws R'q/:@M疥8PzU)StcV #ѴKߪq)ӒI&HkxV8 X*]/k1B[r9;E!'@n&+t?Qf mQq ?=ӆ[:L\(zbAT7m+.ɛLW#ɄsSD!迫S6&k)E nT-OkrQ\(7A^X>F)Dql,PsJjBN{pax;y'73rbeZ ?akeq2lq9c56v<0LuFslHA[>exSr婳hLj|ROm 1uF̽\&(hP,Z_ o#%/HRYPsu4WeB?D& d?_M j\NR'6+~_jɆflHU >防~R+ǧYꅟϏz9:eKb]@+K`oIߌ9G?ڛ)r  nׇ'j&E_ :rlfTޮ$ؾoDc&-B~vDFQH4f)uTNؤ*S`fBaT1t = I (Y!D]؍7XSB3PX+'>Fʫu|$aBc_ s]g^sWޯL֐o'j/c\-&z={oklz$7s[Y5l KX3lx OX4P_5omh|q&@_ ܹ6m꼵I{.2Z3mrU`ꓭ5Lo!zjc,fV踽$E^mA2&J~&0Htĩe⸛ ]7raVoJ! 4%Kp\^cb#9JsIX! /t ҲnK_+{,Wbdž[pc)-t{I.,7G}oUY[W'.*soiW!̉YDwợĕNw |rg {RBQճ Ȯ~+)Ex4D{ $y;LC[04&`qSlč%ﴟ9}ԘcK\Ha#l0)C\ǔdĈnh+*"h7ݘ'iB2b+׍SM~wXS@Ir^܇ܚM./gS(uM,{>"t->|,ө@|e Yq#S[[i0Zւ[}Ǡ5YJܬG7}ۗYG0kKͯx>=o(KZwfld:Wh4w {vF m2`phF !Ï;.oEۛ0rLT4HZ)kk~#CLnzu5?.PݞXZK`Hi{1kx#H--ma"4Gi oȸ37 BҞ3XQ2LbJO u [30!?pl[ձyNg^(typiZA 0lSv{?y vmny HΟ6rM,|>LrkwhaIm qHҪÉ;(žBF͏ KZj-ρl?T:JZU1:r FC$Y)ۆ!R< {ar9$_81 X鳘:H˜$yfΧ3`VK*)><#|-_&a[$m]hZmH9:mJQb7MX7~ϗMv=3lrW41SB7QWݎNΞiH?Ue fZO!%P HPoVdD 4#U]HZb C>Y>>C%I>Xc <%7'a})㨑x=38x?;)iVƗ7ʱ3V Oܵu-ñX7mtO"uЕsR0W|A7m[ ҈9mnKD'࿂-SNͪĮ d?fJ<t'Ef)A9]).xu  N8t +x}L{>}3!;(H01k(Un y/sφNB\ ő4o~Weǀ % E 3a2L]AZSxWǹ,>wBd>RkB~^UqlG<=;v#a^3/,]ֿFipZ{SƗHu'W֨cAwؘrzYj#_}:E0)8m }dBu$}z)V&}c0vb;*nw1k'},A'LfwFsjQAvr]>;tfnS6_HLEtC>C,2Rx,rP#U@pEAd,6' nr2$:x2Ż${eAIŰHS_WsCe˰Ь<>foܠ GpspFZ4G\S#p:@'$mY7R:\P秄iwHl0b }ne f" 3D{C~>t= .~m2=aIncϮ-N!~; mu. AϬ͹(B+02 ̲55"0qv7co29OdgBlIY'}#Ǭ@ {‚;@P;*dD \ spv7 CryJLGL&7@wzK>ޗsv@f:sE"gV $T],> c27[bMwUd *QHZ/?IM(*&m-ӳ)Yӑ m-;,AԈ|b\gil%Ehl *a0jfru*iOYRn 7 pe&uɧLER;E{ Ք#Epy禢I7=7$W~`0<)AZ6wM%E0Z!Y붳jfC氭mț XoH3 1 168`-- i vCzpLA Y06:AyۻFc61M܎u4ZE&wc +.9b_˜(H& ELE8k6‡h]H{K!z zc/Mr9LIUF9IIGV׋92aF ##E@ХMpLa I+z1fhD#6:V؉p0~K)tiBr* nFd}#ĸ#v61>NwA(dtnj(!**87:0mjU2{+Lz~*zԐec׏g. h$R6 >oAgo ] b{:y:)_P=)5_"|FX6R]NK BNH\:M ]ujW=(X`m*)_iZ<3bi5z,REvѽ$1oVz* زׁRE^N~ RV{zypܪrX+Fp/tW 1NCCϕ%-?o1U))re佝yFTU"]7i3K ^@rdi _1=u!QX/i4T| dn6Z+hLpkcr],+]%3k`kwB R2w\c"-%Sf2v1\:ĝ $^D૮#:\UDJ< Iuk+:0dӣWԅOZ|mkʏyd: $qf1oEc嘭 骪ۜfp2VB*$0C7O  xCS6|YܦW?@ ES'c>*QZD͸kYCQZ }[R,VYCnjB,}!д8@zRVM_ʣ&^@igse-s'ھ/IwP=\›#Vk 0e$O sb^*$^0I z ] |ﳅfq=K7Z+U3:,mBZ2C:tR@"uMȠ_x@ o͎BO8/m+VqXڵߐ.vS:T^VMZE$i*t%ʘ(٧,MM*S" ҷtm.&5n `;CXKt=OI utI,.hS\=|}KVޔ#-tTsK\` bп8t|(l:ʰ׮F;'W-WuJcgpt]䬅Otߚ%uJ8  _ZlmEaym⯪֘S44(%"֌,{ȟMT;--F42`e[N0LHdF5m7rb[X((@W͛gvS!"un:H ҄Dg8fƪjs0uSl,pZ peaJdxWCk&TXT.BJ8k@>.}hylZJ>h~D! Suulۦ6TwG|qAN@ =rFxDG Y (m5ɯF@ItRPϽouRMjJ!oza$1^iz!(a`V4RFQ ,I&?HT`%q_.P& 2j FZ嵩(& MGIJ+D2PPɧx&>L٫k"r1鎓$Ywf(l1Z;Q&9[`z:Y8@iv XtG%M~g Tq4Wiқ; XH{籠PHV,w\0Ly>붯X|BpY2-J.#MGxSO U١j5pC3xΘE/$vRh$p1gZ vz3Pܜ7bw U]\N9xpQm1L6!+)YmӣHT4A+SP,赥Η%n"bґfO81:wBqNyV1Z0Y)Ç[(*6j %Z,LBNPxs۶*D xqׁﻨI Ln9Qe~64s~D pSB "M_yރvmZ?42굶J9Q1#߱.H`_[w +hG?$g#ؑ䲬҈iYE;@{cޅh`X9hsҮ\Bybɭcfm`vRC&& `zwN5Ki-خ}?N|ԸY`'\ |2{ĄD\oc*)].knqfXy7n/mgn$J=mOyE$1y$?PLfk:XExhU5OH?we>AJynGRa|5d̙S#-kW̏zLPs%e2gYwyKjy]$7׀nt&`52L$ @QK]5v%2.gk! #5I^: f|pg1\q`"pd9R n|melK&5BU U"9O~lGl|sNT<͠=h3 *l23'("fGq{(1 K:JcE` =ZCrC}0 C좗)EeѮq9d=" (Jj!6 X q19&j P4jNU\SҖ(`k#tj3=/) vo9GWq[ʗaoE,eNO}0wa\@tf?F="El,~˝62 2͏E^]_fFi7StW$ J_8" ĥu~b\23ԏ&ƭtK1#O,UILdexؤ_HH$n3ˆ"Q@2#k~NX1r\cu"}uC$QtpF&ʻh;g4qE6ٟy^ wXۮaIU&՚22 Bƞ_h"hxtj)@[b{] f* kem}%9I.pDx0_ 7 "ռlpχz @U"Nا )pi': YnuKGI9wy(x"VM== J1r?wpVPB0O.(zmǷsZN8SiEݲcv㸩>5",ohBIvDmR mj3vaˋǐV6|uKTxmO8O@h Ǯm |J6;qWxCd@[ɭ5B LcOݐ_s}oGGQ?-˳E7/EGR<ˠ R2YaPxHݨdqyFw$JSMd!ާlΨoJaNep1 ZR9m4e-VgC 3(Z6Ī0ePN*E,0,~y{<2wk`Āù4[֭/ܸ!axP4~-@? 0o(|k!>qS`dHYh)1Pvۊ#H5H▝g]7>D?!8̵.ΏDl&4@R{q0OeɤUc x’t9YE5<ɦd}{':ba=k};6}5RJ#% Ev9QYbˌL*[A>VR*nByG\F/-G[%X!rk PUY-OQ5d&;46;C ^uI_:`v',Y꟪Zy0>sBzĺ<'^h. kP Q A l̤n7m hx!l M L01,4 Qރb|#; ;H(eg"Nt|4qg+'f&T=Lݩ^i'T omP*+wh㮺VqzN@ςb_I(/]fԐ>g@$}\cu?П LN=n|xFA&noH$cNq^*!>pG:Vr@ K\N"u}"DZf\h9WJw =׍řmu4rZu!$|*nđ a^, $4Q6ʉüsr|#)mC5C%J&MM6U: |Mm@gZtSR$RDM}n ViD٫\S~ܺѺդqwfcy/˛;_ l~/C+.{ 6*Xye9Cat ~+&yH8|; -v:C6Nڠ(I ublEnك&s&rgHb.-bcPk{3<{/YG!8O. ub F޶oұ!4JAI K-a=1s`ūWv[7gT7'! 0:ņmt撀>ޘ 3!hŞ| ?#4dQGQ* 9.H:CZo˞ܴqNFz$*T޹Z A eA>x=FEB@ wL|ʀPw,|^Z乂[P蜓2T;T䷄cR;3lz j!X/)EuFS$QżƳQt6+3S8꼁(#զNWQN0B9׺4Yɑ 2|~m^K霤HV瑘 aJ2SÍ{oͫ ?ZoǴ."05z[lK/Ȼl{ИU(9` Rݞ+rDjeBdq7&l:8(~]*)},7hUU? Y}_0M/ r11Ej?sI ~ #0v  N`|`p^ۤTɵN/鰰Vb*v PƚSBW T-S:tc}=Q`7AF>P7\s_g6C]&ͱ}n:4'["&KeǤ@MJ<5`bK aZ"><ɾħK %X`$k?oK]AoEj ]K(L`p8Ž1pXdt<#Zm܊㮮"$rʼ sT4=$Mv,52-q5B({͜|SPxri.7yʏ}ƌi/@kfi&ؕd,̕\>8wvk+y9z߾ *l1%Xc+'Mf{H _ʘ]5ln`Qn/μ'U٥w\E`jl2ٹ,N]hnS CLqV6PvӋ(L6\)rGǯ; miac&> ԇ~~}JR'b@ kmgCo]MR0RZC~3BuQb겼Obפ"IRj*)! le[ݓKu0}l=n* |Z&&{g_m@bSY?. хkxMΥo 2D%a#j3vf{})#))˕5 5k'UvTׅ{Z}M<]E̞m{a'KiҡP^yk-O1qIde#4Boe{1kghd܉PDjspf* !}u)nz[O(kHG!u-ys=>$_^̴=F^B!QeؘP_@C%P/#OJ"? jHYxlZ XhzP+O I[7~q"[c~dg"h8aGn+tI2 `Ѷ4^m:\>BNOu:g"twKqW /\Ͻ'Isg]@{;F9R R.`s{HVS}<)0=WxBhtԞ9v[W\ZJ;ѿ$-j%#~4GtƞV9PwaFs:.SRcw. 6#jd9I/`{GDX2G+g`eAV\k /«8Ym ISD<M>Wlb\: U>"{m$eLM?V|fͼ¢DQ Ҟ_ᛔ8 !rg]<i=sDJ\UiJtF:V`-yS4repMMpEbe_{A0=j#WP d3^D ÒEyؕЇG%t r,bUT^T]ٰ5=JB"_. 8RЩj4fU!1T7ss7qs  f7CD!Ά5?")4 G \Klw21#@ VK _u@N͕K8.\ M IhhFbmMfXtGIȝTDƢcyJD3W|tFnj-R+^ j*k!``0qȷVO$ğzH-;!pTJΦWtQ;fL6GCx :}c)ib0 ⊁HA#fzX[;u8~:O;eQ;kYjY ʄA/jýTD͠n ,_6Đ+Xl\/zY؁F6ne8m8SGC)^zH/sRaZ/sịt-|%uxfen{gnWA*Go㡞M# 8 W^9yCŲQZFn%9&ŏfO6! fveF- i< $g0/=;EK 1-'h 8\$eQ:mV~]XhfDQ8'<7a{*-l,Y†c۴"RNblx::| !0/UhcF<7Z OFg|5ΐNņ?wviU! ~Ȯ|p "_ʛG)8?[ÖB{蛮72jL־h' wmOfB#I$H]{rOtV΅{Fhs i; XylckEghqB>쬪T :oڴ[A^C?ѯf GOJS6Os1i 2iO;]/J gs%ycY%5Nń' 6]eV_!]ի1tD]t\Ց\IȎ9oFYIvhڴ^x9;~.P K'FTŷ{RiDžHG_ED a#!J<ڷ |ٶ,Hy3s(!]AYlC6gQ'Uz\?~ f*7~CmY/xFs"  vK;|1`N-u7zw4?6S63ȊIocAw؇6r4Oi5Lgѥ_I Im9ː}`u.(b p^7cN( _W1w2,] or& 'D!%(Sm~5鐡&Gc#PS߇b z7!9>?\ ~Qrhx덻4٥nG/v+OE@HwĎĴN،!K*m Ggd: ԛe2O+yƧ<2®Tp|u!;5H!/d]ֽ=r Xzڱ}[,!^32K*8G`~`n-yE4K%9h S%]ʵY=zs~̼nȱT"ia2+cm {)Ck6w[} jHIa<H16tߟjJ,:h1I)EMG4jX#f̎`=ʘ[+laM|vW[n;[|[8 |! b5#ZN sMK27`^ZgbT ŒK|ȄͫriEWkG=8[*$ LTj-VڹPys?.D;m5P-AIXfr1`|ԩx'w[w'xh;zDaf`pAJ< yUk\4u…Wha&Etu&:/ߐݔg':.kUsAGM+&Tc4xZeMIҮ{<gf>Tmdk J}+ x,[bb/1J(T|Pdmfd ]83T36A۸ WU5Vxǔ픽b7n%Ğz'{FV[· 7ݏ.m`xNE=oA!Èk0%82OtԢu0 +SФT|RQV#5#֬Q#϶V@r)=}mczS,0M̪?Ia9 0y$0.NDVD n@+C$"ĩMÞCFEgYz;!VċQH:L P<sE~(Plzf`_v GJLLFv#u~5N`ZUrjQrt Sbc(|月^DϢg0,q2)zYM_ HEP?yQ'C2;*`RvpVG]ڴ~&ZZAݶ?ZOĝFg wl4%U*8.Hwh‡U< 2Rm$?jZo p s~.b0e11&婺WQ{)Q %$ٮQIQWCC=׳0ܩ.1*V}U>04U6hҡ/=Na`PxϞ=]U6}KpLгĨ{Hğ0%ξwvܩu_`.igca+Ѥ +r݌e)AxWN;GBgm)=ZTP_@mnRp՘0/$ \Ov]/h'~~ n럇Ќp*PME7_]a/MaSVPd{+'7ݸ(p B*)c& jT]{*$#/J~{$^EC(PnR@A HrA΃d{q(pǼ$:D~c6NZ<ʰ:8 ,b# q~$ iFA\3?|"[Qr]IWI35c+'cZLP00A$uf9-$%8-en"&1{.1&ID4rRo EK@ն:C7efp0$M#e~>-DaUd]5l`EQUV`Ozzr/!GSC+Cĕu [%SҕjVN >;}d90uɅR)Ol{+a{w8$7:sM>á/cO6h#$fݙ6bv{@$GZg}6E$:?%D`Y[<Ӣ pZto,9~-z44IĖ Z@y' )FDYbKzڍC 7 @ d"^HX)ǵurcUMbjUKBV\Ҧ߻*1-Nq7k#ꗢ]g|3C7I,@N|'uhiGD[kL[ A0q]6)aJ&sG5FZV·9/ '҇@=CYLRI3oB Ҟƺ8^龤p7*`iy!T]6:TtYt'>5eT.;9n ?&+bUǶ~twzٲKXoYxæzyϷɣ,E]r I~ [x{c$ B>צ2??H g+L]HćκE0'RĖ3uUj0 uҬQ.P8A0He_4L:538 LU#]o1$΍FZcmE, %`%S0@2:*ҡohQ7ي ܬp tʗk)Hl'Z'|8g9`Nn(e*q#BL&"|S$Ԧ*&}"@'\@|I 7]7xу߸~!*G>DKHӀvXZgrF|$ٞ;SG= 𛢶F A6{ŤckW2z&Ǧ Ͼ73rfu`yrtE׿ߨ~pd|:+jaᖹneJs姍2ݑt9$AS)ڹ\kt \\pL=7Zj S*`W-SXK _b 9**i䩑?8$LdQ{],&C5ߦxKT.K.>&DQ.c|QO{fY6MGDme6{L(iic;E; bWeG%-`=-kV ,_1P'qKsH&A8h=pA%'LjH'<"8^,Fr~tbĤ_&I">Ppcb8ղ8,ux7\;P K0 +G>LhoFA0xuWv=S}_R_59^N ػ=VݲV3(.'M8Oق<2}-$eQ0!Éf/ cVVRTZtzϝ @GrU#eEևUE <7C#3[jUhvOXSE?48.IuI:] `?!:jJ+E#wp{&R|9xhO+AqO7JxL" ! aRIOSdqφ1G|u,`iE(Cg8_Uj4?32:iPY.K9G& z&R8kZVaXW φỌA_5#8tFUZh׶7Hqޑ—A;!:a3ƅ+|p|l@j,Ȟq|~As]Xb/R4dH ړ%yc ] FIW l#5"h82"{~pAq0}+g3x5 -|^OZ%%eis$6b-+ x94q#:?Ojx_h"Cؖ-":&39tr'{EKpIg XBn!k}AÒpW+Z)0xK6/D.$!p=$d&R]A+v v&F,{6(E!D&?) H'ꇵozF'8=,I1x$ptk ,G ZI P18˵fA,P-:z]d^c5Mj8)ZL^"c􅆂[/}-Y2?D NwCT!5Nǻ}r Ǒ,Euv86@;ȴvɁ {^?:_-8 G]6zk~aU.㡿H<_6盥Vdb 2B& mc^QPmsa8)͵͉g@tr$U2 (G/[ q ë-~Lqx<VIO, I^Lq/lQdaw\l#l4`-3< в-0{Cd,aV߲╔fR\)`DkvG.ʭa/eM8Z LTAЍ]&M:H̬=NΗx`ޙMY4@(:` X *[̿1(Hcbn$oJK;6ZCXZ'lswy%c%޿ww$EE'?xP<5:ȈJH@Nr.~ٕ )T!1@XxLV)bG_xh0H)>7˅Dܴ +9'hkr޼={y5?-6nKA&! sצF$ FF0;LiψG6a4 ?" RhGVDA xlh|4RD'=7qDd$ jNafqjŝ:iϜ󿘾tyuoō|u}wӂYDHy 4wA]8$N5n"n%{O/j;U!)i0Q$")2UdەH5N+-KAMNh+6I1LbKvM؆Z U"}\[ȗ7|4ķΦ}N7H RyCe%!R yY9uHphɄ1u\4t-KB!6 0G[gD'7*i_[BLfZKG<&jg#ѷbiaRwٌRG/IpvQQ_fp(^Ea do?_״ Pw3X%RD\^do6GQҗ+gJ xPm4۽wXqBm9M$+"^0=HoBivaі~k 撊F4@b1H#sz Yum 9n@@(CˈQIǻENFuq1aT?%MA>5Ql\h7HX.1BT4n(T:7ŶyZDN. &ą>5 xVZ3iDOR&05.uc9%ʻds2Y]iKdbVU@TG뺚y>P5xݳGH\BuH#xsuOpûP$6 S8>RN!Nnde܈~sǍJ,q|Ou0*) Z~l'ҊH$@V4FXE a|`mraP JkjL1[{^hKi[;DwΗ `irIH.&ιgHD8uFlqѾKvTb6/-x|ύ.Տ?:ٛ2ٟhą|(:5qs~7Maٺ)d%Q#q&(qD!'ٿgֽDJTzt[>MHk,aka"1iT%N,>Z_.URԚ/՛L] z.Mf_h&AN0 evR}Z<N<'Y=׌)9p"g:!̷ 1!T'3!6B7ǒb8% ez@24gX}جu&"d|.׳ C̛H,t]z"<+5[X!9dU_jِ䜣JgI4ڌ j9S*9*UZ4{ )`BB7yR W"z*Ѱm2ouFk Ae&9#*0leSkX:x ͕{#mF;~N^%Av%FL)~w F Aaw~jA?^?) TzM7>xf :}i1K-Ff_cY7ZqX9Aڏe1jxͣ=<ڈ+V+zVLPeu1_FG3L4#'Zͤ,J&HH׵/,E)%6(+RDAܨ|96jhns 8+A}@^ l8#ۅZzո}dӉ3UhI%vL"bf1*VjFZކB ZE=R`Ig\x-ݪyYAVV{r5 Yu?Y4^WY΢@6-19gR-[bQq,7H+\ŚM(6TaJޑͺ dn4wf)k`FNڋi*^Эʜ)ڜm1tߜ*~e6j|yVo5*Kf1l )"Ȱ6d] c,\sE1dĵߵVF p2GĜ@E$]f};D,m7_="xԪgjh.k5Ųi;d-Y-E9貓 _ %^{婩FOa7t@d>y&R5#:]Yqz1գ+ѿi*BJo6ؔ.1pUIYi.زu=q֫[vޚ6{-]hW%{'UڊPњXFڏނTmы}Lw%?GGB⚂uSÀ:_4Ev})5>Jy2Kd"4U8oYRXbm97љ1G~] U={? [mV? qLvͶ:  gtuq |V9Svbu0IbVh J+aگ ߸tR-B 0]&>Q qQ"13 ɠu8N25VCOPy8bj`g* >%*OUq\; щQ[j'R16jUj~4z c@9o-6e{e> CNlE86 `05g#_\S>7F\&[li8tYkn{2!Td!M%y6Gr㉁r*z;,0!zC؃!ޤ̨fQE]-E=OduR= EZwN-F~MLL9Tj^Na@zejQV6ݍ$i0*Sz1xSlWy`#\6cB@v~PG LlʀI( T - A%xUAf\9Yѱj-x̵7E$Fl#p \*qA΃֙p-}],W[jj%ٺTe<vkyNO1DB{M@< ˺E65d<F(X6tt `^Zc6t/l)uLt6 (M,E@lfijW6mϰm"ѝZ*\GR/igSEߺmdp nE$h?G>|3S;)Kݼ♢xk$˳qI8$kFj- k:H;Rpd.A[,Xޓ%5R1_Ub)!Ef>ԵVM)Zk"hh/6!Cs?`}FuvOf;6R+5J! GKm>pOs/r(w.05(ԧmIb_,X t}$1dB#O /=6Ƀ\L96/07 6Yq&{Iߴhm*uK]zk+: cc멹[+lN|Ov<[$M i4ʍ .2n7cjR3I`Q&JJ\_ojMcKo>L~CDZL :5\Bǡ> ]wHҔi ,zX=F/;Qs3V쒘Rjf,]+xp/S]ɱ$\ :6 CGH-J\Iyz'TzjܓͺLCS|c-G)cWdQ1b=ٓgˆlmB-մ'XJ4}.yh8`ʼ^vM4/=ٗ6uL *hvVǧ)ϼqj~\Bu>Yx>/SQR?֍& g4@B8(!kWjUc(3]ǍB^E#Η+v8g  uCufYXcK4Q#^TkTa 1ͣ2RCm\*E9u\r!q;Mn2R Saxdt!s"&| {Z\1J˸ah: g-ΌDϵhdem{WrF $@s3lĈ.1@lH Ǹ$`c0 3M;sH"L$v0{"Z ~rn~ⲜqrAn_yNRNt"ѫ0!lwezNF2UH,apw*5wa}ϋ /AS?j9O<ᶽ 2W"gT4Su+1#:v 2f~y툰ؖdJ\:x [e;! c;|B2`H,0յ :5t@=wR }@al\dUuY`4]조b_Nj}slҡ@ZX\Ԗ@> 2Ĥ|NMh ]tb R)bjFɀ3LJ;Td1+]gߩ5<F* 7sԩ:?-ʅ ܈_d9$G$\'sSp 6-RS=edrE#t\ju}#uT8OrmTL(?Ȫ"!j{{Í tNKhhUgרŠXwc~Dq5GAIT 8 8o%[5iUm8n}Z: ;PAQƋ5ialtvHֵW(86%06Yov?5rW6UQ)|5h&hdJY)>@ ̎α#@.˜}MgV)I <"uk=-U21قdbb2RSZ?Q` ӧ؎Wb8 NRZ: 6͌r?14t8&!Fi࢖jBSlW@{06Iط0b5jJN (TԾ6NprBֺܑ5S2YZ,xN !^C1[eW:))f\%p0 @f_(XF5uLpvOi0g2`,fgFό郢|f~ܘ[J\klJnHiH0\y^K¹fώi{Yb:G.vr֎S e?wc $:pӋD O-Δf1YqyOJ֠v;ȿLwU80&sͅ rpiu:6Knᅤki`g7 VQY$ ``DPT -دV<P b+Zp& ^}7AD-ˣ) :.%m BSЩ9'9o6Ks:;@„Iܱ &kzTHDX [L(D!AF-~p3SORN?+-)RjO*F) 24v8+@SJR XM t`6g]1SugfE3c+M8?("G"E3i`h&ETW7s t|AUe&yI^:jƗÕzm\_ Z^% _&[f_S/K2Q ?8,e G!D)|\d3l50|X"P?9=t_SЄ>UzJZxT,@b/U)fk"VR!q<ciB9n tDR@i(*=@B$L5'"BNŰ: ,)渷 A[qӘ FVč^3bhVT]'ngoF^}픕M>P &!C]NZ.'N{ ̊?>VZR֓.\ŽCI te!|xʻȵyu9KؖZ-i`ɿ%=XFdڶEvp]5eM&73TxVɩ0u/wJ75C2VSCt,,Z׍\ʾ/ '^T۶}c$C0d %mkxn 3 d:J}ESsضNJ _-FdW)jᝄmt2ǻd5ĩl̶xaL̬.¡!|қ$DuD>Q#Gn:c->U%5E}ӎ/G8:k]YOjgv'M#tNⶐد$!Ȯۻ$>ZP86WEߏG9նF^\Y+oӟ=-xnU$w;_@xTy}i lv_-h҄Ř t(̤MZOA6 ӓ##N9MM%ݤϫ]}>}DsLNEٓxE uk84Y洹ʺ)Cr:67-=4*K8ΗO婈 # ?#L;:J`3m{kMZ(_o5j~ƛ|!_,痢B#_7#fӓ`BXZ^u G.Ru%\z{.J;H錮1tIJABWHzm_]#迳NNgb v.M",JFHѭI7G#{٤aus:IJ 2Kou pKS)8E_D$*cBHCo z o#}St8`8T b1Ǝ-}.h|Rj' ~~/>ks_zyɗO>}rU  Ԫp- qjB!X}5 I<2y;: 7 Uj"~3W&= % X:}J9t]}YѾ;%q,2O^qc #/H) az0kubo[A8H1,Y2!MOeIG€YW#m^%~wcRfӒ'@qYג4[̢Us u[ZQ3n+v7;.-VT/*|kЮOt"'e*8U) *8z'. 1[K]!n 8z[j{B9B].Es/n%'ч-ƥ΂lQZXa,vP֫!-~Mmߧ:b靱A+lCMvz@uT%ޛ$ D9(fdGhuR. &{NݞNgmrPn4 Ę*4nRLr&N$nv9 CxSI[C#g4  [ Z91\R#1WH2LdEͤDe5;) rF6zse)Ī;䉚 ק8+{Ȭfo;dVRVGq:)F0= bL<nm+k2X2 "dT^eH" ]u#;͡$&kB6\y̟#S$(Gj6#V+mT+ 'np`SW?kAV{ "N:Qaw2pTmߘ d䶭^uDi j˯iir}x5+^-Jaf aXF}Y"Klc- vPd#MqӎsD+.vkYIcL/Fx+1 B챩w˴ 7q^)#ǻYk B>b C'}]*KUb3vSDXN 43 ]7E3du-^B[Ͻ N] mՋ Ou\#ffcaשV\Z &:EZsð :[VHsEALg&PS@qۓ|,/sb4ε\?<+3υ^\toΜve& |JOF.Mt#SwsTxILl!5Y=LJV"nk7q[.\{7)^l HZ`K pڐ:wӗ^Q(j+!^VFgO3e'pQH9/ 1rAFwLezC'z,;1Tȉ2dp~5 rIPYlSд7)Zv$lbmZ^P c:?Bzs]HJ LC/s[ <37}#Q)L~;ڴInya2dN&{v|jx<)Zڨ)ea%BpE1DpaL.TrmH #b ~go:=j4Z-5/H{?rΣx(TbaK^vj]qfbKdaeY{ZGbbGqfVW;WtT]rGrb^*e6˵_Wj(mxc49Bma,[~q8滗fǧ]}+Q>^$̏^˪4ՉJШ5k-&x9Y.-4򍛓©SODY e+;707070100000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000b00000000TRAILER!!!G?]$s2o