sssd-ipa-1.16.2-13.el7_6.8

Name: sssd-ipa
Version: 1.16.2
Release: 13.el7_6.8
Summary: The IPA back end of the SSSD
Description: Provides the IPA back end that the SSSD can utilize to fetch identity data from and authenticate against an IPA server.
Build host: x86-02.bsys.centos.org
Vendor: CentOS
License: GPLv3+
Packager: CentOS BuildSystem
Group: Applications/System
URL: https://pagure.io/SSSD/sssd/
OS: linux
Architecture: x86_64
Source RPM: sssd-1.16.2-13.el7_6.8.src.rpm

Scriptlet:
getent group sssd >/dev/null || groupadd -r sssd
getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd

Provides:
libsss_ipa.so()(64bit)
sssd-ipa
sssd-ipa(x86-64)

Requires:
/bin/sh
bind-utils
libbasicobjects.so.0()(64bit)
libc.so.6()(64bit)
libc.so.6(GLIBC_2.14)(64bit)
libc.so.6(GLIBC_2.2.5)(64bit)
libc.so.6(GLIBC_2.3)(64bit)
libc.so.6(GLIBC_2.3.4)(64bit)
libc.so.6(GLIBC_2.4)(64bit)
libc.so.6(GLIBC_2.8)(64bit)
libcollection.so.2()(64bit)
libcom_err.so.2()(64bit)
libdbus-1.so.3()(64bit)
libdbus-1.so.3(LIBDBUS_1_3)(64bit)
libdhash.so.1()(64bit)
libdhash.so.1(DHASH_0.4.3)(64bit)
libdl.so.2()(64bit)
libglib-2.0.so.0()(64bit)
libini_config.so.3()(64bit)
libipa_hbac(x86-64)
libipa_hbac.so.0()(64bit)
libipa_hbac.so.0(IPA_HBAC_0.0.1)(64bit)
libipa_hbac.so.0(IPA_HBAC_0.1.0)(64bit)
libk5crypto.so.3()(64bit)
libkeyutils.so.1()(64bit)
libkrb5.so.3()(64bit)
liblber-2.4.so.2()(64bit)
libldap-2.4.so.2()(64bit)
libldb.so.1()(64bit)
libldb.so.1(LDB_0.9.10)(64bit)
libndr-krb5pac.so.0()(64bit)
libndr-krb5pac.so.0(NDR_KRB5PAC_0.0.1)(64bit)
libndr-nbt.so.0()(64bit)
libndr-nbt.so.0(NDR_NBT_0.0.1)(64bit)
libndr-standard.so.0()(64bit)
libndr.so.0()(64bit)
libndr.so.0(NDR_0.0.1)(64bit)
libnspr4.so()(64bit)
libnss3.so()(64bit)
libnssutil3.so()(64bit)
libpcre.so.1()(64bit)
libplc4.so()(64bit)
libplds4.so()(64bit)
libpopt.so.0()(64bit)
libpopt.so.0(LIBPOPT_0)(64bit)
libpthread.so.0()(64bit)
libpthread.so.0(GLIBC_2.2.5)(64bit)
libref_array.so.1()(64bit)
librt.so.1()(64bit)
libsamba-util.so.0()(64bit)
libselinux.so.1()(64bit)
libsemanage.so.1()(64bit)
libsemanage.so.1(LIBSEMANAGE_1.0)(64bit)
libsmime3.so()(64bit)
libssl3.so()(64bit)
libsss_cert.so()(64bit)
libsss_certmap.so.0()(64bit)
libsss_child.so()(64bit)
libsss_crypt.so()(64bit)
libsss_debug.so()(64bit)
libsss_idmap.so.0()(64bit)
libsss_idmap.so.0(SSS_IDMAP_0.4)(64bit)
libsss_krb5_common.so()(64bit)
libsss_ldap_common.so()(64bit)
libsss_semanage.so()(64bit)
libsss_util.so()(64bit)
libsystemd.so.0()(64bit)
libtalloc.so.2()(64bit)
libtalloc.so.2(TALLOC_2.0.2)(64bit)
libtdb.so.1()(64bit)
libtevent.so.0()(64bit)
libtevent.so.0(TEVENT_0.9.9)(64bit)
rpmlib(CompressedFileNames)
rpmlib(FileDigests)
rpmlib(PayloadFilesHavePrefix)
rtld(GNU_HASH)
shadow-utils
sssd-common
sssd-common-pac
sssd-krb5-common
rpmlib(PayloadIsXz)

Changelog:
- 1.16.2-13.8Michal Židek - 1.16.2-13.7Michal Židek - 1.16.2-13.6Michal Židek - 1.16.2-13.5Michal Židek - 1.16.2-13.4Michal Židek - 1.16.2-13.3Michal Židek - 1.16.2-13.2Michal Židek - 1.16.2-13.1Jakub Hrozek - 1.16.2-13Fabiano Fidêncio - 1.16.2-12Jakub Hrozek - 1.16.2-11Jakub Hrozek - 1.16.2-10Jakub Hrozek - 1.16.2-9Jakub Hrozek - 1.16.2-8Fabiano Fidêncio - 1.16.2-7Fabiano Fidêncio - 1.16.2-6Fabiano Fidêncio - 1.16.2-5Fabiano Fidêncio - 1.16.2-4Fabiano Fidêncio - 1.16.2-3Fabiano Fidêncio - 1.16.2-2Fabiano Fidêncio - 1.16.2-1Fabiano Fidêncio - 1.16.0-25Fabiano Fidêncio - 1.16.0-24Fabiano Fidêncio - 1.16.0-23Fabiano Fidêncio - 1.16.0-22Jakub Hrozek - 1.16.0-21Fabiano Fidêncio - 1.16.0-20Fabiano Fidêncio - 1.16.0-19Fabiano Fidêncio - 1.16.0-18Fabiano Fidêncio - 1.16.0-17Fabiano Fidêncio - 1.16.0-16Fabiano Fidêncio - 1.16.0-15Fabiano Fidêncio - 1.16.0-14Fabiano Fidêncio - 1.16.0-13Fabiano Fidêncio - 1.16.0-12Fabiano Fidêncio - 
1.16.0-11Fabiano Fidêncio - 1.16.0-10Fabiano Fidêncio - 1.16.0-9Fabiano Fidêncio - 1.16.0-8Fabiano Fidêncio - 1.16.0-7Fabiano Fidêncio - 1.16.0-6Fabiano Fidêncio - 1.16.0-5Fabiano Fidêncio - 1.16.0-4Fabiano Fidêncio - 1.16.0-3Fabiano Fidêncio - 1.16.0-2Fabiano Fidêncio - 1.16.0-1Jakub Hrozek - 1.15.2-51Jakub Hrozek - 1.15.2-50Jakub Hrozek - 1.15.2-49Jakub Hrozek - 1.15.2-48Jakub Hrozek - 1.15.2-47Jakub Hrozek - 1.15.2-46Jakub Hrozek - 1.15.2-45Jakub Hrozek - 1.15.2-44Jakub Hrozek - 1.15.2-43Jakub Hrozek - 1.15.2-42Jakub Hrozek - 1.15.2-41Jakub Hrozek - 1.15.2-40Jakub Hrozek - 1.15.2-39Jakub Hrozek - 1.15.2-38Jakub Hrozek - 1.15.2-37Jakub Hrozek - 1.15.2-36Jakub Hrozek - 1.15.2-35Jakub Hrozek - 1.15.2-34Jakub Hrozek - 1.15.2-33Jakub Hrozek - 1.15.2-32Jakub Hrozek - 1.15.2-31Sumit Bose - 1.15.2-30Jakub Hrozek - 1.15.2-29Jakub Hrozek - 1.15.2-28Jakub Hrozek - 1.15.2-25Jakub Hrozek - 1.15.2-24Lukas Slebodnik - 1.15.2-23Jakub Hrozek - 1.15.2-22Jakub Hrozek - 1.15.2-21Jakub Hrozek - 1.15.2-20Jakub Hrozek - 1.15.2-19Jakub Hrozek - 1.15.2-18Jakub Hrozek - 1.15.2-17Jakub Hrozek - 1.15.2-16Jakub Hrozek - 1.15.2-15Jakub Hrozek - 1.15.2-14Jakub Hrozek - 1.15.2-13Jakub Hrozek - 1.15.2-12Jakub Hrozek - 1.15.2-11Jakub Hrozek - 1.15.2-10Jakub Hrozek - 1.15.2-9Jakub Hrozek - 1.15.2-8Jakub Hrozek - 1.15.2-7Jakub Hrozek - 1.15.2-6Jakub Hrozek - 1.15.2-5Jakub Hrozek - 1.15.2-4Jakub Hrozek - 1.15.2-3Jakub Hrozek - 1.15.2-2Jakub Hrozek - 1.15.2-1Fabiano Fidêncio - 1.15.1-2Jakub Hrozek - 1.15.1-1Jakub Hrozek - 1.15.0-2Jakub Hrozek - 1.15.0-1Jakub Hrozek - 1.14.0-46Jakub Hrozek - 1.14.0-45Jakub Hrozek - 1.14.0-44Jakub Hrozek - 1.14.0-43Jakub Hrozek - 1.14.0-42Jakub Hrozek - 1.14.0-41Jakub Hrozek - 1.14.0-40Jakub Hrozek - 1.14.0-39Jakub Hrozek - 1.14.0-38Jakub Hrozek - 1.14.0-37Jakub Hrozek - 1.14.0-36Jakub Hrozek - 1.14.0-35Jakub Hrozek - 1.14.0-34Jakub Hrozek - 1.14.0-33Jakub Hrozek - 1.14.0-32Jakub Hrozek - 1.14.0-31Jakub Hrozek - 1.14.0-30Jakub Hrozek - 1.14.0-29Jakub Hrozek - 
1.14.0-28Jakub Hrozek - 1.14.0-27Jakub Hrozek - 1.14.0-26Jakub Hrozek - 1.14.0-25Jakub Hrozek - 1.14.0-24Jakub Hrozek - 1.14.0-23Jakub Hrozek - 1.14.0-22Jakub Hrozek - 1.14.0-21Jakub Hrozek - 1.14.0-20Jakub Hrozek - 1.14.0-19Jakub Hrozek - 1.14.0-18Jakub Hrozek - 1.14.0-17Jakub Hrozek - 1.14.0-16Jakub Hrozek - 1.14.0-15Jakub Hrozek - 1.14.0-14Jakub Hrozek - 1.14.0-13Jakub Hrozek - 1.14.0-12Jakub Hrozek - 1.14.0-11Jakub Hrozek - 1.14.0-10Jakub Hrozek - 1.14.0-9Jakub Hrozek - 1.14.0-8Jakub Hrozek - 1.14.0-7Jakub Hrozek - 1.14.0-6Jakub Hrozek - 1.14.0-5Jakub Hrozek - 1.14.0-4Jakub Hrozek - 1.14.0-3Jakub Hrozek - 1.14.0-2Jakub Hrozek - 1.14.0-1Jakub Hrozek - 1.14.0beta1-2Jakub Hrozek - 1.14.0alpha-1Jakub Hrozek - 1.13.0-50Jakub Hrozek - 1.13.0-49Jakub Hrozek - 1.13.0-48Jakub Hrozek - 1.13.0-47Jakub Hrozek - 1.13.0-46Jakub Hrozek - 1.13.0-45Jakub Hrozek - 1.13.0-44Jakub Hrozek - 1.13.0-43Jakub Hrozek - 1.13.0-42Jakub Hrozek - 1.13.0-41Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 
1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 1.12.2-58.3Jakub Hrozek - 1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub 
Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 1.11.2-52Jakub Hrozek - 1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 
1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher 
- 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 
0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Resolves: rhbz#1690759 - RHEL STIG pointing sssd Packaging issue [rhel-7.6.z] - Part 2.- Resolves: rhbz#1690759 - RHEL STIG pointing sssd Packaging issue [rhel-7.6.z]- Resolves: rhbz#1683578 - sssd_krb5_locator_plugin introduces delay in cifs.upcall krb5 calls [rhel-7.6.z]- Resolves: rhbz#1659507 - SSSD's LDAP authentication provider does not work if ID provider is authenticated with GSSAPI [rhel-7.6.z]- Resolves: rhbz#1659083 - SSSD must be cleared/restarted periodically in order to retrieve AD users through IPA Trust [rhel-7.6.z]- Resolves: rhbz#1656833 - sssd_nss memory leak [rhel-7.6.z]- Resolves: Bug 1649784 - SSSD not fetching all sudo rules from AD [rhel-7.6.z]- Resolves: rhbz#1645047 - sssd only sets the SELinux login context if it differs from the default [rhel-7.6.z]- Resolves: rhbz#1593756 - sssd needs to require a newer version of libtalloc and libtevent to avoid an issue in GPO processing- Resolves: rhbz#1610667 - sssd_ssh leaks file descriptors when more than one certificate is converted into an SSH key - Resolves: rhbz#1583360 - The IPA selinux provider can return an error if SELinux is completely disabled- Resolves: rhbz#1602781 - Local users failed to login with same password- Resolves: rhbz#1586127 - Spurious check in the sssd nss memcache can cause the memory cache to be skipped- Resolves: rhbz#1522928 - sssd doesn't allow user with expired password- Resolves: rhbz#1607313 - When sssd is running as non-root user, the sudo pipe is created as sssd:sssd but then the private pipe ownership fails- Resolves: rhbz#1600822 - SSSD bails out saving desktop profiles in case an invalid profile is found- Resolves: 
rhbz#1582975 - The search filter for detecting POSIX attributes in global catalog is too broad and can cause a high load on the servers- Resolves: rhbz#1583725 - SSSD AD uses LDAP filter to detect POSIX attributes stored in AD GC also for regular AD DC queries - Resolves: rhbz#1416528 - sssd in cross realm trust configuration should be able to use AD KDCs from a client site defined in sssd.conf or a snippet - Resolves: rhbz#1592964 - Groups go missing with PAC enabled in sssd- Resolves: rhbz#1590603 - EMBARGOED CVE-2018-10852 sssd: information leak from the sssd-sudo responder [rhel-7] - Resolves: rhbz#1450778 - Full information regarding priority of lookup of principal in keytab not in man page- Resolves: rhbz#1494690 - kdcinfo files are not created for subdomains of a directly joined AD client - Resolves: rhbz#1583343 - Login with sshkeys stored in ipa not working after update to RHEL-7.5 - Resolves: rhbz#1527662 - Handle conflicting e-mail addresses more gracefully - Resolves: rhbz#1509691 - Document how to change the regular expression for SSSD so that group names with an @-sign can be parsed- Related: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch- Resolves: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch - Resolves: rhbz#1523019 - Reset password with two factor authentication fails - Resolves: rhbz#1534749 - Requesting an AD user's private group and then the user itself returns an emty homedir - Resolves: rhbz#1537272 - SSH public key authentication keeps working after keys are removed from ID view - Resolves: rhbz#1537279 - Certificate is not removed from cache when it's removed from the override - Resolves: rhbz#1562025 - externalUser sudo attribute must be fully-qualified - Resolves: rhbz#1577335 - /usr/libexec/sssd/sssd_autofs SIGABRT crash daily - Resolves: rhbz#1508530 - How should sudo behave without sudoHost attribute? 
- Resolves: rhbz#1546754 - The man page of sss_ssh_authorizedkeys can be enhanced to better explain how the keys are retrieved and how X.509 certificates can be used - Resolves: rhbz#1572790 - getgrgid/getpwuid fails in setups with multiple domains if the first domain uses mid_id/max_id - Resolves: rhbz#1561562 - sssd not honoring dyndns_server if the DNS update process is terminated with a signal - Resolves: rhbz#1583251 - home dir disappear in sssd cache on the IPA master for AD users - Resolves: rhbz#1514061 - ID override GID from Default Trust View is not properly resolved in case domain resolution order is set - Resolves: rhbz#1571466 - Utilizing domain_resolution_order in sssd.conf breaks SELinux user map - Resolves: rhbz#1571526 - SSSD with ID provider 'ad' should give a warning in case the ldap schema is manually changed to something different than 'ad'.- Resolves: rhbz#1547782 - The SSSD IPA provider allocates information about external groups on a long lived memory context, causing memory growth of the sssd_be process- Related: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1516266 - Give a more detailed debug and system-log message if krb5_init_context() failed - Resolves: rhbz#1503802 - Smartcard authentication fails if SSSD is offline and 'krb5_store_password_if_offline = True' - Resolves: rhbz#1385665 - Incorrect error code returned from krb5_child (updated) - Resolves: rhbz#1547234 - SSSD's GPO code ignores ad_site option - Resolves: rhbz#1459348 - extend sss-certmap man page regarding priority processing - Resolves: rhbz#1220767 - Group renaming issue when "id_provider = ldap" is set - Resolves: rhbz#1538555 - crash in nss_protocol_fill_netgrent. 
sssd_nss[19234]: segfault at 80 ip 000055612688c2a0 sp 00007ffddf9b9cd0 error 4 in sssd_nss[55612687e000+39000]- Resolves: rhbz#1565774 - After updating to RHEL 7.5 failing to clear the sssd cache- Resolves: rhbz#1566782 - memory management issue in the sssd_nss_ex interface can cause the ns-slapd process on IPA server to crash- Related: rhbzrhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1543348 - sssd_be consumes more memory on RHEL 7.4 systems. - Resolves: rhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1523282 - sssd used wrong search base with wrong AD server- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set - Related: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7]- Resolves: rhbz#1517971 - AD Domain goes offline immediately during subdomain initialization - IPA AD Trust - Related: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. 
- Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1527149 - AD provider - AD BUILTIN groups are cached with gidNumber = 0 - Related: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1525644 - dbus-send unable to find user by CAC cert- Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card- Resolves: rhbz#1512027 - NSS by-id requests are not checked against max_id/min_id ranges before triggering the backend- Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card - Resolves: rhbz#1520984 - getent output is not showing home directory for IPA AD trusted user - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1421194 - SSSD doesn't use AD global catalog for gidnumber lookup, resulting in unacceptable delay for large forests- Resolves: rhbz#1482231 - sssd_nss consumes more memory until restarted or machine swaps - Resolves: rhbz#1512508 - SSSD fails to fetch group information after switching IPA client to a non-default view- Resolves: rhbz#1490120 - SSSD complaining about corrupted mmap cache and logging error in /var/log/messages and /var/log/sssd/sssd_nss.log- Resolves: rhbz#1272214 - [RFE] Create a local per system report about who can access that IDM client (attestation) - Resolves: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Resolves: rhbz#888739 - Enumerating large number of users makes sssd_be hog the cpu for a long time. 
- Resolves: rhbz#1373547 - SSSD performance issue with malloc and brk calls - Resolves: rhbz#1472255 - Improve SSSD performance in the 7.5 release- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1432010 - SSSD ships a drop-in configuration snippet in /etc/systemd/system - Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available- Resolves: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Related: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1408294 - SSSD authentication fails when two IPA accounts share an email address without a clear way to debug the problem - Resolves: rhbz#1502686 - crash - /usr/libexec/sssd/sssd_nss in nss_setnetgrent_timeout- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1484376 - [RFE] Add a configuration option to SSSD to disable the memory cache - Resolves: rhbz#1327705 - Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1505277 - Race condition between refreshing the cr_domain list and a request that is using the list can cause a segfault is sssd_nss - Resolves: rhbz#1462343 - document information on why SSSD does not use host-based security filtering when processing AD GPOs - Resolves: rhbz#1498734 - sssd_be stuck in an infinite loop after completing full refresh of sudo rules - Resolves: rhbz#1400614 - [RFE] sssd should remember DNS sites from first search - Resolves: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Resolves: rhbz#1459609 - When sssd is configured with id_provider proxy and 
auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1469791 - Rebase SSSD to version 1.16+ - Resolves: rhbz#1132264 - Allow sssd to retrieve sudo rules of local users whose sudo rules stored in ldap server - Resolves: rhbz#1301740 - sssd can be marked offline if a trusted domain is not reachable - Resolves: rhbz#1399262 - Use TCP for kerberos with AD by default - Resolves: rhbz#1416150 - RFE: Log to syslog when sssd cannot contact servers, goes offline - Resolves: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Resolves: rhbz#1454559 - python-sssdconfig doesn't parse hexadecimal debug _level, resulting in set_option(): /usr/lib/python2.7/site-packages/SSSDConfig/__init__.py killed by TypeError - Resolves: rhbz#1456968 - MAN: document that attribute 'provider' is not allowed in section 'secrets' - Resolves: rhbz#1460689 - KCM/secrets: Storing many secrets in a rapid succession segfaults the secrets responder - Resolves: rhbz#1464049 - Idle nss file descriptors should be closed - Resolves: rhbz#1468610 - sssd_be is utilizing more CPU during sudo rules refresh - Resolves: rhbz#1474711 - Querying the AD domain for external domain's ID can mark the AD domain offline - Resolves: rhbz#1479398 - samba shares with sssd authentication broken on 7.4 - Resolves: rhbz#1479983 - id root triggers an LDAP lookup - Resolves: rhbz#1489895 - Issues with certificate mapping rules - Resolves: rhbz#1490501 - sssd incorrectly checks 'try_inotify' thinking it is the wrong section - Resolves: rhbz#1490913 - MAN: Document that full_name_format must be set if the output of trusted domains user resolution should be shortnames only - Resolves: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Resolves: rhbz#1482674 - SUDO doesn't work for IPA users on IPA clients after applying ID Views 
for them in IPA server - Resolves: rhbz#1486053 - Accessing IdM kerberos ticket fails while id mapping is applied - Resolves: rhbz#1486786 - sssd going in offline mode due to sudo search filter. - Resolves: rhbz#1500087 - SSSD creates bad override search filter due to AD Trust object with parenthesis - Resolves: rhbz#1502713 - SSSD can crash due to ABI changes in libldb >= 1.2.0 (1.1.30) - Resolves: rhbz#1461462 - sssd_client: add mutex protected call to the PAC responder - Resolves: rhbz#1489666 - Combination sssd-ad and postfix recieve incorrect mail with asterisks or spaces - Resolves: rhbz#1525052 - sssd_krb5_localauth_plugin fails to fallback to otheri localname rules- Require the 7.5 libldb version which broke ABI - Related: rhbz#1469791 - Rebase SSSD to version 1.16+- Resolves: rhbz#1457926 - Wrong search base used when SSSD is directly connected to AD child domain- Resolves: rhbz#1450107 - SSSD doesn't handle conflicts between users from trusted domains with the same name when shortname user resolution is enabled- Resolves: rhbz#1459846 - krb5: properly handle 'password expired' information retured by the KDC during PKINIT/Smartcard authentication- Resolves: rhbz#1430415 - ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in- Resolves: rhbz#1455254 - Make domain available as user attribute- Resolves: rhbz#1449731 - IPA client cannot change AD Trusted User password- Resolves: rhbz#1457927 - getent failed to fetch netgroup information after changing default_domain_suffix to ADdomin in /etc/sssd/sssd.conf- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15- Resolves: rhbz#1449728 - LDAP to IPA migration doesn't work in master- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1449729 - org.freedesktop.sssd.infopipe.GetUserGroups does not resolve groups into names with AD- Resolves: rhbz#1450094 - Properly support IPA's 
promptusername config option

- Resolves: rhbz#1457644 - Segfault in access_provider = krb5 is set in sssd.conf due to an off-by-one error when constructing the child send buffer
- Resolves: rhbz#1456531 - Option name typos are not detected with validator function of sssctl config-check command in domain sections

- Resolves: rhbz#1428906 - sssd intermittently failing to resolve groups for an AD user in IPA-AD trust environment.

- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail
- Fix Coverity issues in patches for rhbz#1445445

- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user

- Resolves: rhbz#1446302 - crash in sssd-kcm due to a race-condition between two concurrent requests

- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail

- Resolves: rhbz#1306707 - Need better debug message when krb5_child returns an unhandled error, leading to a System Error PAM code

- Resolves: rhbz#1446535 - Group resolution does not work in subdomain without ad_server option

- Resolves: rhbz#1449726 - sss_nss_getlistbycert() does not return results from multiple domains
- Resolves: rhbz#1447098 - sssd unable to search dbus for ipa user by certificate
- Additional patch for rhbz#1440132

- Reapply patch by Lukas Slebodnik to fix upgrade issues with libwbclient
- Resolves: rhbz#1439457 - SSSD does not start after upgrade from 7.3 to 7.4
- Resolves: rhbz#1449107 - error: %pre(sssd-common-1.15.2-26.el7.x86_64) scriptlet failed, exit status 3

- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15
- Also apply an additional patch for rhbz#1441545

- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user

- Resolves: rhbz#1434992 - Wrong pam return code for user from subdomain with ad_access_filter

- Resolves: rhbz#1430494 - expect sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy manuals to be packaged into sssd-common package

- Resolves: rhbz#1427749 - SSSD in server mode iterates over all domains for group-by-GID requests, causing unnecessary searches

- Resolves: rhbz#1446139 - Infopipe method ListByCertificate does not return the users with overrides

- Resolves: rhbz#1441545 - With multiple subdomain sections id command output for user is not displayed for both domains

- Resolves: rhbz#1428866 - Using ad_enabled_domains configuration option in sssd.conf causes nameservice lookups to fail.

- Remove an unused variable from the sssd-secrets responder
- Related: rhbz#1398701 - [sssd-secrets] https proxy talks plain http
- Improve two DEBUG messages in the client trust code to aid troubleshooting
- Fix standalone application domains
- Related: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces

- Allow completely server-side unqualified name resolution if the domain order is set, do not require any client-side changes
- Related: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users

- Resolves: rhbz#1402532 - D-Bus interface of sssd is giving inappropriate group information for trusted AD users

- Resolves: rhbz#1431858 - Wrong principal found with ad provider and long host name

- Resolves: rhbz#1415167 - pam_acct_mgmt with pam_sss.so fails in unprivileged container unless selinux_provider = none is used

- Resolves: rhbz#1438388 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_pam killed by 6

- Resolves: rhbz#1432112 - sssctl config-check does not give any error when default configuration file is not present

- Resolves: rhbz#1438374 - [abrt] [faf] sssd: vfprintf(): /usr/libexec/sssd/sssd_be killed by 11

- Resolves: rhbz#1427195 - sssd_nss consumes more memory until restarted or machine swaps

- Resolves: rhbz#1414023 - Create troubleshooting tool to determine if a failure is in SSSD or not when using layered products like RH-SSO/CFME
etc

- Resolves: rhbz#1398701 - [sssd-secrets] https proxy talks plain http

- Fix off-by-one error in the KCM responder
- Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD

- Resolves: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces

- Resolves: rhbz#1434991 - Issue processing ssh keys from certificates in ssh respoder

- Resolves: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users
- Also backport some buildtime fixes for the KCM responder
- Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD

- Resolves: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD

- Resolves: rhbz#1340711 - [RFE] Use one smartcard and certificate for authentication to distinct logon accounts

- Update to upstream 1.15.2
- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html
- Resolves: rhbz#1418728 - IPA - sudo does not handle associated conflict entries
- Resolves: rhbz#1386748 - sssd doesn't update PTR records if A/PTR zones are configured as non-secure and secure
- Resolves: rhbz#1214491 - [RFE] Make it possible to configure AD subdomain in the SSSD server mode

- Drop "NOUPSTREAM: Bundle http-parser" patch Related: rhbz#1393819 - New package: http-parser

- Update to upstream 1.15.1
- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html
- Resolves: rhbz#1327085 - Don't prompt for password if there is already one on the stack
- Resolves: rhbz#1378722 - [RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases
- Resolves: rhbz#1405075 - [RFE] Add PKINIT support to SSSD Kerberos provider
- Resolves: rhbz#1416526 - Need correction in sssd-krb5 man page
- Resolves: rhbz#1418752 - pam_sss crashes in do_pam_conversation if no conversation function is provided by the client app
- Resolves: rhbz#1419356 - Fails to accept any sudo rules if there are two user entries in an ldap role with the same sudo
user
- Resolves: rhbz#1421622 - SSSD - Users/Groups are cached as mixed-case resulting in users unable to sign in

- Fix several packaging issues, notably the p11_child is no longer setuid and the libwbclient used a wrong version number in the symlink

- Update to upstream 1.15.0
- Resolves: rhbz#1393824 - Rebase SSSD to version 1.15
- Resolves: rhbz#1407960 - wbcLookupSid() fails in pdomain is NULL
- Resolves: rhbz#1406437 - sssctl netgroup-show Cannot allocate memory
- Resolves: rhbz#1400422 - Use-after free in resolver in case the fd is writeable and readable at the same time
- Resolves: rhbz#1393085 - bz - ldap group names don't resolve after upgrading sssd to 1.14.0 if ldap_nesting_level is set to 0
- Resolves: rhbz#1392444 - sssd_be keeps crashing
- Resolves: rhbz#1392441 - sssd fails to start after upgrading to RHEL 7.3
- Resolves: rhbz#1382602 - autofs map resolution doesn't work offline
- Resolves: rhbz#1380436 - sudo: ignore case on case insensitive domains
- Resolves: rhbz#1378251 - Typo In SSSD-AD Man Page
- Resolves: rhbz#1373427 - Clock skew makes SSSD return System Error
- Resolves: rhbz#1306707 - Need better handling of "Server not found in Kerberos database"
- Resolves: rhbz#1297462 - Don't include 'enable_only=sssd' in the localauth plugin config

- Resolves: rhbz#1382598 - IPA: Uninitialized variable during subdomain check

- Resolves: rhbz#1378911 - No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain

- Resolves: rhbz#1372075 - AD provider: SSSD does not retrieve a domain-local group with the AD provider when following AGGUDLP group structure across domains

- Resolves: rhbz#1376831 - sssd-common is missing dependency on sssd-sudo

- Resolves: rhbz#1371631 - login using gdm calls for gdm-smartcard when smartcard authentication is not enabled

- Resolves: rhbz#1373420 - sss_override fails to export

- Resolves: rhbz#1375299 - sss_groupshow fails with error "No such group in local domain.
Printing groups only allowed in local domain"

- Resolves: rhbz#1375182 - SSSD goes offline when the LDAP server returns sizelimit exceeded

- Resolves: rhbz#1372753 - Access denied for user when access_provider = krb5 is set in sssd.conf

- Resolves: rhbz#1373444 - unable to create group in sssd cache
- Resolves: rhbz#1373577 - unable to add local user in sssd to a group in sssd

- Resolves: rhbz#1369118 - Don't enable the default shadowtils domain in RHEL

- Fix permissions for the private pipe directory
- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user

- Resolves: rhbz#1371977 - resolving IPA nested user groups is broken in 1.14

- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias

- Resolves: rhbz#1371152 - SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side

- Apply forgotten patch
- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias
- Resolves: rhbz#1366470 - sssd: throw away the timestamp cache if re-initializing the persistent cache
- Fix deleting non-existent secret
- Related: rhbz#1311056 - Add a Secrets as a Service component

- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user

- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias

- Resolves: rhbz#1364033 - sssd exits if clock is adjusted backwards after boot

- Resolves: rhbz#1362023 - SSSD fails to start when ldap_user_extra_attrs contains mail

- Resolves: rhbz#1368324 - libsss_autofs.so is packaged in two packages sssd-common and libsss_autofs

- Fix RPM scriptlet plumbing for the sssd-secrets responder
- Related: rhbz#1311056 - Add a Secrets as a Service component

- Add socket-activation plumbing for the sssd-secrets responder
- Related: rhbz#1311056 - Add a Secrets as a Service component

- Own the secrets directory
- Related: rhbz#1311056 - Add a Secrets as a Service component

- Resolves: rhbz#1268874 - Add an option to disable checking for trusted domains in the subdomains
provider

- Resolves: rhbz#1271280 - sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)

- Resolves: rhbz#1290500 - [feat] command to manually list fo_add_server_to_list information

- Add several small fixes related to the config API
- Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)

- Resolves: rhbz#1349900 - gpo search errors out and gpo_cache file is never created

- Fix regressions in the simple access provider
- Resolves: rhbz#1360806 - sssd does not start if sub-domain user is used with simple access provider
- Apply a number of specfile patches to better match the upstream specfile
- Related: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3

- Cherry-pick patches from upstream that fix several regressions
- Avoid checking local users in all cases
- Resolves: rhbz#1353951 - sssd_pam leaks file descriptors

- Resolves: rhbz#1364118 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11
- Resolves: rhbz#1361563 - Wrong pam error code returned for password change in offline mode

- Resolves: rhbz#1309745 - Support multiple principals for IPA users

- Resolves: rhbz#1304992 - Handle overriden name of members in the memberUid attribute

- handle unresolvable sites more gracefully
- Resolves: rhbz#1346011 - sssd is looking at a server in the GC of a subdomain, not the root domain.
- fix compilation warnings in unit tests

- fix capaths output
- Resolves: rhbz#1344940 - GSSAPI error causes failures for child domain user logins across IPA - AD trust
- also fix Coverity issues in the secrets responder and suppress noisy debug messages when setting the timestamp cache

- Resolves: rhbz#1356577 - sssctl: Time stamps without time zone information

- Resolves: rhbz#1354414 - New or modified ID-View User overrides are not visible unless rm -f /var/lib/sss/db/*cache*

- Resolves: rhbz#1211631 - [RFE] Support of UPN for IdM trusted domains

- Resolves: rhbz#1350520 - [abrt] sssd-common: ipa_dyndns_update_send(): sssd_be killed by SIGSEGV

- Resolves: rhbz#1349882 - sssd does not work under non-root user
- Also cherry-pick a few patches from upstream to fix config schema
- Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)

- Sync a few minor patches from upstream
- Fix sssctl manpage
- Fix nss-tests unit test on big-endian machines
- Fix several issues in the config schema
- Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)

- Bundle http-parser
- Resolves: rhbz#1311056 - Add a Secrets as a Service component

- Sync a few minor patches from upstream
- Fix a failover issue
- Resolves: rhbz#1334749 - sssd fails to mark a connection as bad on searches that time out

- Explicitly BuildRequire newer ding-libs
- Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)

- New upstream release 1.14.0
- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3
- Resolves: rhbz#835492 - [RFE] SSSD admin tool request - force reload
- Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)
- Resolves: rhbz#1278691 - Please fix rfc2307 autofs schema defaults
- Resolves: rhbz#1287209 - default_domain_suffix Appended to User Name
- Resolves: rhbz#1300663 - Improve sudo protocol to support configurations with default_domain_suffix
- Resolves: rhbz#1312275 - Support authentication indicators
from IPA

- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3
- Resolves: rhbz#790113 - [RFE] "include" directive in sssd.conf
- Resolves: rhbz#874985 - [RFE] AD provider support for automount lookups
- Resolves: rhbz#879333 - [RFE] SSSD admin tool request - status overview
- Resolves: rhbz#1140022 - [RFE]Allow sssd to add a new option that would specify which server to update DNS with
- Resolves: rhbz#1290380 - RFE: Improve SSSD performance in large environments
- Resolves: rhbz#883886 - sssd: incorrect checks on length values during packet decoding
- Resolves: rhbz#988207 - sssd does not detail which line in configuration is invalid
- Resolves: rhbz#1007969 - sssd_cache does not remove have an option to remove the sssd database
- Resolves: rhbz#1103249 - PAC responder needs much time to process large group lists
- Resolves: rhbz#1118257 - Users in ipa groups, added to netgroups are not resovable
- Resolves: rhbz#1269018 - Too much logging from sssd_be
- Resolves: rhbz#1293695 - sssd mixup nested group from AD trusted domains
- Resolves: rhbz#1308935 - After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user
- Resolves: rhbz#1315766 - SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo
- Resolves: rhbz#1316164 - SSSD fails to process GPO from Active Directory
- Resolves: rhbz#1322458 - sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]

- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3
- The rebase includes fixes for the following bugzillas:
- Resolves: rhbz#789477 - [RFE] SUDO: Support the IPA schema
- Resolves: rhbz#1059972 - RFE: SSSD: Automatically assign new slices for any AD domain
- Resolves: rhbz#1233200 - man sssd.conf should clarify details about subdomain_inherit option.
- Resolves: rhbz#1238144 - Need better libhbac debuging added to sssd
- Resolves: rhbz#1265366 - sss_override segfaults when accidentally adding --help flag to some commands
- Resolves: rhbz#1269512 - sss_override: memory violation
- Resolves: rhbz#1278566 - crash in sssd when non-Englsh locale is used and pam_strerror prints non-ASCII characters
- Resolves: rhbz#1283686 - groups get deleted from the cache
- Resolves: rhbz#1290378 - Smart Cards: Certificate in the ID View
- Resolves: rhbz#1292238 - extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members
- Resolves: rhbz#1292456 - sssd_be AD segfaults on missing A record
- Resolves: rhbz#1294670 - Local users with local sudo rules causes LDAP queries
- Resolves: rhbz#1296618 - Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore
- Resolves: rhbz#1299553 - Cannot retrieve users after upgrade from 1.12 to 1.13
- Resolves: rhbz#1302821 - Cannot start sssd after switching to non-root
- Resolves: rhbz#1310877 - [RFE] Support Automatic Renewing of Kerberos Host Keytabs
- Resolves: rhbz#1313014 - sssd is not closing sockets properly
- Resolves: rhbz#1318996 - SSSD does not fail over to next GC
- Resolves: rhbz#1327270 - local overrides: issues with sub-domain users and mixed case names
- Resolves: rhbz#1342547 - sssd-libwbclient: wbcSidsToUnixIds should not fail on lookup errors

- Build the PAC plugin with krb5-1.14
- Related: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup

- Resolves: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup

- Resolves: rhbz#1290853 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.

- Resolves: rhbz#1336706 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups

- Resolves: rhbz#1296902 - In IPA-AD trust environment access is granted to AD user
even if the user is disabled on AD.

- Resolves: rhbz#1334159 - IPA provider crashes if a netgroup from a trusted domain is requested

- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin
- More patches from upstream related to the memory leak

- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin

- Resolves: rhbz#1300740 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid

- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17

- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id

- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step

- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.

- Resolves: rhbz#1267836 - PAM responder crashed if user was not set

- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value

- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code

- Fix a Coverity warning in dyndns code
- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands

- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands

- Resolves: rhbz#1263735 - Could not resolve AD user from root domain

- Remove -d from sss_override manpage
- Related: rhbz#1259512 - sss_override : The local override user is not found

- Patches required for better handling of failover with one-way trusts
- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code

- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users

- Resolves: rhbz#1259512 - sss_override : The local override user is not found

- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code

- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider

- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page
or in the arguments help

- Resolves: rhbz#1254518 - Fix crash in nss responder

- Support import/export for local overrides
- Support FQDNs for local overrides
- Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'

- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes

- Resolves: rhbz#1250415 - sssd: p11_child hardening

- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code

- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates

- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected

- Fix wildcard_limit=0
- Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface

- Fix race condition in invalidating the memory cache
- Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups

- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled

- Bump release number
- Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"

- Fix missing dependency of sssd-tools
- Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"

- More memory cache related fixes
- Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups

- Remove binary blob from SC patches as patch(1) can't handle those
- Related: rhbz#854396 - [RFE] Support for smart cards

- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*

- Fix memory cache integration tests
- Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups
- Resolves: rhbz#854396 - [RFE] Support for smart cards

- Remove OTP from PAM stack correctly
- Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA
- Handle sssd-owned keytabs when sssd runs as root
- Related: rhbz#1205144 - RFE: Support one-way trusts for IPA

- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on
individual clients

- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support
- Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain

- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes

- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2

- Add support for InfoPipe wildcard requests
- Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface

- Also package the initgr memcache
- Related: rhbz#1205554 - Rebase SSSD to 1.13.x

- Rebase to 1.13.0 upstream
- Related: rhbz#1205554 - Rebase SSSD to 1.13.x
- Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD
- Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups

- Don't default to SSSD user
- Related: rhbz#1205554 - Rebase SSSD to 1.13.x

- Related: rhbz#1205554 - Rebase SSSD to 1.13.x
- GPO default should be permissive

- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x
- Relax the libldb requirement
- Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21
- Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs
- Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust
- Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers
- Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains
- Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups
- Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set
- Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides
- Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution
- Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work
- Resolves: rhbz#1214337 - Overrides with
--login work in second attempt
- Resolves: rhbz#1212489 - Disable the cleanup task by default
- Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf
- Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one
- Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected
- Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all
- Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters
- Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface
- Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain
- Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys
- Resolves: rhbz#1204203 - sssd crashes intermittently
- Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default
- Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only
- Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries
- Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything
- Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA
- Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query
- Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects
- Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name?
- Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error
- Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD
- Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set
- Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires
- Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option
- Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab

- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID

- Filter out domain-local groups during AD initgroups operation
- Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups

- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups

- Initialize variable in the views code in one success and one failure path
- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605

- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605

- Handle case where there is no default and no rules
- Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u

- Set a pointer in ldap_child to NULL to avoid warnings
- Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error

- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u

- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error

- Run the restart in sssd-common posttrans
- Explicitly require libwbclient
- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade

- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1
upgrade

- Fix endianness bug in fill_id()
- Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares

- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view

- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view

- Resolves: rhbz#1184982 - Need to set different umask in selinux_child

- Bump the release number
- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute

- Add a patch dependency
- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute

- Process ghost members only once
- Fix processing of universal groups with members from different domains
- Related: rhbz#1168904 - gid is overridden by uid in default trust view

- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute

- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved

- Handle GID override in MPG domains
- Handle views with mixed-case domains
- Related: rhbz#1168904 - gid is overridden by uid in default trust view

- Open socket to the PAC responder in krb5_child before dropping root
- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute

- Resolves: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute

- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD

- Resolves: rhbz#889206 - On clock skew sssd returns system error

- Related: rhbz#1168904 - gid is overridden by uid in default trust view

- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf
- Related: rhbz#1168904 - gid is overridden by uid in default trust view

- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used
- Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo
- in addition to the patch libwbclient.so is filtered out of the Provides list of the package

- Resolves: rhbz#1171215 - Crash in
function get_object_from_cache
- Resolves: rhbz#1171383 - getent fails for posix group with AD users after login
- Resolves: rhbz#1171382 - getent of AD universal group fails after group users login
- Resolves: rhbz#1170300 - Access is not rejected for disabled domain
- Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode
- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view

- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear
- Related: rhbz#1113783 - sssd should run under unprivileged user

- Rebuild to add several forgotten Patch entries
- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users
- Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=

- Remove Coverity warnings in krb5_child code
- Related: rhbz#1113783 - sssd should run under unprivileged user

- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users
- Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=

- Don't error out on chpass with OTPs
- Related: rhbz#1109756 - Rebase SSSD to 1.12

- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.

- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users
- Enable running unit tests without cmocka
- Related: rhbz#1113783 - sssd should run under unprivileged user

- krb5_child and ldap_child do not call Kerberos calls as root
- Related: rhbz#1113783 - sssd should run under unprivileged user

- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware

- Fix typo in libwbclient-devel alternatives invocation
- Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares

- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.

- Handle migrating clients between views
- Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution

- Use alternatives for libwbclient
- Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares

- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression

- Add an option that describes where to put generated krb5 files to
- Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12

- Handle IPA group names returned from the extop plugin
- Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution

- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header

- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.

- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete

- Support views for IPA users
- Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution

- Update man page to clarify TGs should be disabled with a custom search base
- Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases

- Use upstreamed patches for the rootless sssd
- Related: rhbz#1113783 - sssd should run under unprivileged user

- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving

- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases

- Resolves: rhbz#1162480 - dereferencing failure against openldap server

- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue
- Related: rhbz#1113783 - sssd should run under unprivileged user

- Resolves: rhbz#1113783 - sssd should run under unprivileged user

- Fix two regressions in the new selinux_child process
- Related: rhbz#1113783 - sssd should run under unprivileged user
- Resolves: rhbz#1132365 - Remove
password from the PAM stack if OTP is used

- Include the ldap_child and selinux_child patches for rootless sssd
- Related: rhbz#1113783 - sssd should run under unprivileged user

- Support overriding SSH public keys with views
- Support extended attributes via the extop plugin
- Related: rhbz#1109756 - Rebase SSSD to 1.12
- Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled

- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving
- Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times

- Include the responder and packaging patches for rootless sssd
- Related: rhbz#1113783 - sssd should run under unprivileged user

- Amend the sssd-ldap man page with info about lockout setup
- Related: rhbz#1109756 - Rebase SSSD to 1.12
- Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD
- Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)

- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server
- Related: rhbz#1109756 - Rebase SSSD to 1.12

- Add the low-level server changes for running as unprivileged user
- Package the libsss_semange library needed for SELinux label changes
- Related: rhbz#1113783 - sssd should run under unprivileged user
- Resolves: rhbz#1113784 - sssd should audit selinux user map changes

- Use libsemanage for SELinux label changes
- Resolves: rhbz#1113784 - sssd should audit selinux user map changes

- Rebase SSSD to 1.12.2
- Related: rhbz#1109756 - Rebase SSSD to 1.12

- Sync with upstream
- Related: rhbz#1109756 - Rebase SSSD to 1.12

- Rebuild against ding-libs with fixed SONAME
- Related: rhbz#1109756 - Rebase SSSD to 1.12

- Rebase SSSD to 1.12.1
- Related: rhbz#1109756 - Rebase SSSD to 1.12

- Require ldb 2.1.17
- Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer

- Fix fully qualified IFP lookups
- Related: rhbz#1109756 - Rebase SSSD to 1.12

- Rebase SSSD to 1.12.0
- Related:
rhbz#1109756 - Rebase SSSD to 1.12
- Squash in upstream review comments about the PAC patch - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder
- Backport a patch to allow krb5-utils-test to run as root - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder
- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder
- Fix a DEBUG message, backport two related fixes - Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain
- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain
- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching
- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest
- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup
- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success
- Resolves: rhbz#1078840 - Error during password change
- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux
- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration
- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in
- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes
- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40
- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used
- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly
- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path
- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider
- Fix idmap documentation -
Bump idmap version info - Related: rhbz#1067361 - Check IPA idranges before saving them to the cache
- Pull some follow up man page fixes from upstream - Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example
- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes
- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example
- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value
- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache
- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces
- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks
- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7
- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default
- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users
- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not
- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default
- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect
- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter
- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does.
- Use the right domain for AD site resolution - Related: rhbz#743503 - [RFE] sssd should support DNS sites
- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC
- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin
- Mass rebuild 2014-01-24
- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain
- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out
- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter
- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed. - Fix a typo in the man page - Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir
- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain - Fix return value when searching for AD domain flat names - Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user
- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir
- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user
- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings
- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20
- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used
- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword.
- Fix two memory leaks in the PAC responder (Related: rhbz#991065)
- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup
- Resolves: rhbz#1049533 - Group membership lookup issue
- Mass rebuild 2013-12-27
- Resolves: rhbz#894068 - sss_cache doesn't support subdomains
- Re-initialize subdomains after provider startup - Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read
- The AD provider is able to resolve group memberships for groups with Global and Universal scope - Related: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog
- Resolves: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog - Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups
- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested
- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"
- Resolves: rhbz#1037936 - sssd_be crashes occasionally
- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read
- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok
- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy
- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb
- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in
- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains
- Resolves: rhbz#1033084 - sssd_be segfaults if empty group is resolved using ad_matching_rule
- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage
- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes
- Skip netgroups that don't provide well-formed triplets - Related: rhbz#991549 - sssd fails to retrieve netgroups with
multiple CN attributes
- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 - Resolves: rhbz#991065
- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash - Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group
- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 - Resolves: rhbz#991065 - Rebase SSSD to 1.11.0
- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 - Resolves: rhbz#991065
- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 - Related: rhbz#991065
- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries
- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log
- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting
- Apply several important fixes from upstream 1.10 branch - Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable
- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1
- Remove libcmocka dependency
- sssd-tools should require sssd-common, not sssd
- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year
- Move sssd_pac to the sssd-krb5 subpackage
- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV
- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0
- the cmocka toolkit exists only on selected arches
- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA
password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)
- Only BuildRequire libcmocka on Fedora
- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current
- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doesn't carry any older krb5-libs version
- Enable hardened build for RHEL7
- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later
- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in
- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name
- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1
- Add a patch to fix krb5 ccache creation issue with krb5 1.11
- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1
- Split internal helper libraries into a shared object - Significantly reduce disk-space usage
- Fix the Kerberos password expiration warning (#912223)
- Do not write out dots in the domain-realm mapping file (#905650)
- Include upstream patch to build with krb5-1.11
- Rebuild against new libldb
- Fix build with new automake versions
- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]:
Credential cache directory /run/user/UID/ccdir does not exist
- Fix changelog dates to make F19 rpmbuild happy
- New upstream release 1.9.4
- New upstream release 1.9.3
- Resolve groups from AD correctly
- Check the validity of naming context
- Move the sss_cache tool to the main package
- Include the 1.9.2 tarball
- New upstream release 1.9.2
- New upstream release 1.9.1
- require the latest libldb
- Use mcpath instead of mcachepath macro to be consistent with upstream spec file
- New upstream release 1.9.0
- New upstream release 1.9.0 rc1
- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3
- Rebuild against libldb 1.12
- Rebuild against libldb 1.11
- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304
- Rebuild against libldb 1.10
- Only create the SELinux login file if there are SELinux mappings on the IPA server
- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)
- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server.
- Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds
- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options
- Own several directories created during make install (#839782)
- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten.
The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.
- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders
- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture
- Fix accidental disabling of the DIR cache support
- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging
- Fix regression in endianness patch
- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol
- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6
- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests
- New upstream release 1.8.3 -
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information
- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools
- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing
- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup
- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work
- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the
IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested target is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Caches to /run/usr/USERNAME/krb5cc
- Change default kerberos credential cache location to /run/user/
- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider
- Rebuild against PCRE 8.30
- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider
- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)
- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well
- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.
- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider
- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.
- Rebuild against libldb 1.1.4
- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections
- Rebuild for libldb 1.1.3
- Resolves: rhbz#752495 - Crash when apply settings
- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts
- Rebuilt for glibc bug#747377
- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.
- Add explicit requirement on selinux-policy version to address new SBUS symlinks.
- Remove %files reference to sss_debuglevel copied from wrong upstream spec file.
- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on
commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly
- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code
- Build with _hardened_build macro
- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python
- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record
- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP
- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally -
Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)
- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs
- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14
- Fix segfault in TGT renewal
- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predictable filename
- Re-add manpage translations
- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd
- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status
- Fix %postun
- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service.
- Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache
- Install systemd unit file instead of sysv init script
- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist
- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider
- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication
- New upstream release 1.5.3 - Support for libldb >= 1.0.0
- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes
- Rebuild sssd against libldb 1.0.2 so the memberof module loads again.
- Related: rhbz#677425
- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users
- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf
- Fix memberOf install path
- Add support for libldb 1.0.0
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage
- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild
- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain.
- Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options - Assorted bugfixes
- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins
- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations
- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade
- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf
- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base
- Fix incorrect tarball URL
- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system
improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated
- Fix pre and post script requirements
- Resolves: rhbz#606887 - sssd stops on upgrade
- Resolves: rhbz#626205 - Unable to unlock screen
- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it
- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib
- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP
- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild
- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection
- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide
- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP
- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos
- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover
- Bump up release number to avoid library sub-packages version issues with previous releases.
- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that
SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. 
(Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)/bin/shuk1.16.2-13.el7_6.81.16.2-13.el7_6.8libsss_ipa.soselinux_childsssd-ipa-1.16.2COPYINGsssd-ipa.5.gzsssd-ipa.5.gzkeytabs/usr/lib64/sssd//usr/libexec/sssd//usr/share/licenses//usr/share/licenses/sssd-ipa-1.16.2//usr/share/man/man5//usr/share/man/uk/man5//var/lib/sss/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericdrpmxz2x86_64-redhat-linux-gnuELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=5dc3af1e1c89ab9a44fc64121f06add9e036acd3, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=348dc2cfb8d268dbb14d69248fe47d71b85f61e8, strippeddirectoryASCII texttroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, from Unix, max compression)troff or 
preprocessor input, UTF-8 Unicode text, with very long lines (gzip compressed data, from Unix, max compression)EEPR!RRRR$R RRGRRDR.R RRRRRR=R RR"R#R1R?RRR>RRRR RAR0R+RR R2RER(RRR/R R7R8R:R6R5R&R'R*R)R%R-R9RFRRRR%b6c\ , oL~bSP-,mԪuFy<+ hV{^v/{ȥkVO_55 u&-c&i흭F lb:jHb:]-/<4{c&kB>#fYv1Px^DɓNH2@+[;%yZҪ1PTwGVEܑJ'-\e}JjA@ϖGH%޶Fh`S;eդ3i,HI)"ޠ!B1qs}RAjj0оKȗ?Ȉ5N6i^RվvU'9+9zMĥEP$ mPm1B+$݆%jmZieq56Aجn|U۴+y&\ ɣ^\cr?t1pe_}!):<< FiƸ%W*"0zWx *YzM))58MtR:fG<3G(e 91{)&9C+ts2S<2pv`3fEUd+EQY*hJX~ zlG:[u^bGjeEg3PLP U-BOO!m%z~vDظt+1垗2] 1O; 4ΟZ{;z)@W:T\\HZ&rt%$ßt!vY&W+ˑȎ*(,9vѤ/>s hvWw( }&tP=Ɔ?Ŕ A84+:==8t4+I^.|.ϥwH$U^Qtgĭbb ^hf"i-z!+"qPҺb ,4/ Rm[)ͺC&-suPN$臙*l9x"#_֡;'M2Zxl~FYJ`/tF=6m oݩ[?6xld"Uz1zjkXvWakm@p>D)q.ADK3L1 d/Ox҄.ʥ3JIL]q5U6s; ͟UWCfF]TF> ;ׇat9/_zD.1´M* @O-v"RrX2T_Z9b6 r\Oki c[uCVZ^4W"+,5bۨx3

9ggg4~lfGHJM& QJZAlz5s]`E7nG<=!1K݃uIBdlfzugjooۚJ$yÍד@b(mbCrE6l/^44!Wr5V?2Br0K`4W7j"*8OloYO6=f4/QS``}-46BL/W(X10₈Ԃ$5@T7]!JkcD@ɱ{H-WA|f{Z^_E3쿛B[3'nav~bK'LU+.m?~ nÀ4T4/">^+Ig&(lf5+H޵et_pR?J*ҍGEԝ.rk Hvؒ7^1mb̈́G>H!?-<$M]9s2,g7 5,SZ@c^m22cl[~K+ɇḵlHOf|@Kht4c!kQÎxsn#TB:8d(DFj;Pd4l62^3X2'%ư hZJYb㧉ȋbr?0|ĩZ+[*"&J/]=p-?"Z9KW<:^2Tju)bzc{ \'FޕHm->˖h3 D(Eo>r¡\q-@z ab_U;vtû.w3jsƍ"JgW4I*$2IDGfVbv`/%) -[wKg+7чA5TRUk,?y}m5;Ki# [Bk]%PWy4rMT5DY_K&)4 >I𲟂~Y1#}]\z !tzJJf1N):jyʜ#B8s>wFly:ݼb5d=|MSp~O_cHz"Iohد,9~U"ad Ug]w'6~k'YaXp,?S$byk[ M$EL1"XHBzq}_sl߻quQAbp1пT*rs`'\<2 p /tBS Õ-&!;68"J'%]vik3!xz t*98!4Kļ%(,44o࠳H F79 6wFHqMM"!kitSuT節Vqj`(tzrG 5<ܖ"҈m5ԖI-8P;6Ȣ {iv0X+C"_%}.?rLö=yWmⶺ "/B1|~c8%A4qp>Ƹa渟cW\\=[(5P^!Zp>!J/ʪl7gS3l3QKTxԜ *&>h}XŵKWq zȱJQ(sq B[ݹU\UDpGaRYpMCeUvXϰ}z.DX`u~jA6:_cClҌލЅ!G7\#3!Uþ xb|K,dZLe;yLYvQKw0t)1Ce9*%H4h~^l7/g 2?hp0V|uB0뉊cIkIvDfmKa&t%3xh8Vz\eOyTu62ԭ;?u@ #O{PWucEs39 8ZAܺ*BPAP[;v=sr;?AYәn2<;?9[ִkjգd}M'k,˭ Km_!;6ԩH0Ep%3%>%uKzLo9pPT]JnM|-CBwZhz 7mt_W*\vb#%)J jou XEUu{ĘE_-QXw4P[9ר%!\.6.}q^N&Ek⽑{};"3 /ֺ}Tb@iȁp>7E[YO7f/G]tUZ=6Јl }Y {cmu͞Af `~DGJ!Y H?$8(jOuߏg{˘EOBh8h,;f @ZB a^☇Fe(W:rۉ1ɮ9 s5()±j1~Uc8^Ċd찉T*#r{~=^Ԝ,mьd4=aS{IKKHvO)H/h~g8+!(RvHDX¸mzӨƘsNgC%k@)e~g UQ6bjՉ{.ɖi Io5*tYH~Uw`1x ?z]ڵ>$RTN[^?M'vj ̼dtOH_v4$2Qw@DfՆx)'4y-9\PpgΟz߻6˽j'"ov4<#lkKDq+2pt"qm& f?T$1-TNk`HETh(*|:ɃwX ;wIZ$|x!R~"4X79 hW)?F=/l|)NU_R2/uspڑD;kak[WVR&[XaH%RKuVΈ@RF1g>VwXa#iVu##G᯲ue]n)hܘĜ&'=b۞m u%7mpx)g ,!('L$=O Eu!|kKEt,r;X Wv%ܶ(g{OsS'LUxP 4(l $\jYO~{ֹ ԦNz9aTk/ilcb:W{VaGSE"_]>>yb_Kxʘ98Jwo*d|&:0*xwV %mqψɵA'G` Qv$Ժ~LlؕVfE*F2o{GtjnZ.eZ=YJ2ܷE=,a4+SI}\X?+uoa/O"3v&o߷U&z ۓ|>"]6ͭ^\>!&Vv#+@(XNb9e<&Q>O F T -s_24:W- LkvХgd0}:KFEL%K:U媰ٴLQQzjM1P9 SdSVV~[gP[a?O>OTd+ i{8 2]G]&ǿvɦZ3G?  Xt WW>BO,Uۓ0a+x5M ѠOFzBTTjuAC\n3S@ Yn)E~M;_PfakV9T "a%̨!TRۺ[~Vw{u.=9)*9 2Խq}Ŕ6ThyekǜZT"0s|zCf):j'ӛ/GNhz~X*ų geS]vr-8qy|򖄒fDɊ0KAܮ6E? 
ю!ڱ*X0kkY!7^}ambN0[|(yxb9aڦl Iu|wշdd 6q]nV@J.T3uiAI[/$љh0E;|3/W2ԛ|nm1!(2V T +$ݫ,q+ѓH?`nqG_ 7S}E"][2p1]62Wb&hH6CUW|.5uFrX)??9^S[\"0"(24uFCom4F~xS<D/m+͋}ӱS^٦~j}YUH_mӊU1ؙF-@xX9Y%,cސZw.ZHq9Eza`4|>DQKLS@봽\ O) ~~@j%<ۙ[`YL"Ysp2f&^0JɝǪvXlc>$/. }rr`EϗQ5Jmh1٤/ݵ=ƕaN\NJ=s$fhS\LrIU:{w]J&8Tc:_lCXiiuIʨXcG^<㚄6D8f%WྰgȒx.sLopB.2ޭcY  H1BNAw}đ;T Ҵ#^ƵTPP-0Tx'QghPtzYz WUь' [ޖfY j.8gcui"Z3sʎ`HE?DY+n Zl"vN[azj~޶-#P;qv_*mj RUm4ekE+;1^UN3uSV}['!om<R:\8*mk\A,K0ũ$nUCܔZVSc~Sjڱ|Cs|U^<Jd,I|?쓛w]j:+xf;' tA1/]Q+͓Cq3[ H#k]t(aqw9(L9R)#` MpKμ lCp\ *yLk{ߊNo]VxWH}-ER?+nPnTZu.r*/to4¢M65t)plj97ϲ% b.0xVA°Ktg3.%,pnhKx40nHg"Q &#wj.<5mO'4㶸ɦqŨ3wVQv+:f >c1=-A?/HW+hThf, X&ej(JMk [ xWH;3"4.7+SdWzh-<\#1ŋc [Y6ؕ444BLcsb߁8*Gp*, Z:"-S—GUBGAM#|imy1C`WLqiS~;&Мxu-$nоzf9{65! D+q7Q`Gݕa+PٶJJp~b  2r[$Tɧ b6?~hPsv`SFA,N!ZJ;I*JtbW!趖 P %& n-_jg-3>?8, sWjv(+ -I@j9ǝV$0 9sIEG;h<+WJZĺvN]XH"YK{fiS"`$l2-;b?N)"zpOrX`Z >xbJv++F' )> q1J`eP9 XjogYC17=IRrp|QwFffh#yjK ~!{ ?s;o(Kڀ?4) Ѕj,&kcA Y#/re+_ZVeA0om#^YO/T I4.=Ҵu"G/+b끱&W A|u ,ߔfKihr'zVզX' n {yNRm,N"JF+]EVʁTbw04EklLO(6 9J*>M;\:cR`=LvF&Wtpn;5'?lG::BArRr鄄(QȘbF#6'|O`xtaZœѫ!G[PY`gX׈xRFU4|D[{If|öԬ|jtydfQ'_wX)-ſsHIT#Le"pDEV{4ViXGDŖ@4tY׉pN n]o͵ogv$)LzG0("{SԾ]ڣGE.h5(gn"F KNz 8R3מ?aZD. 
x|fa/fW ?N :9tqF ;&YDf2GDCʆѢƵx*e瞫ڔt5-M;d7ᠮw֮K$ >{s[M?]DRT`;cKB!1yGʟI N4T(jmpF҇u9 XHx oCn44WFC A-\Zw b3o-RNe ˾ŀhJ[xQSu~x+sX8Fnf-}V-r!6iwҫx4*Y6dD%b fv7^a:l[(0{%<_?bAiLs`xuC] wuCz)xYu1 ^8"`2D#<HҴXV$.+ /rv1 c#emR篜]@\b4 G0 IIi'5b3; lf{-%h48P~^I4Dp=KGKޠw'SV:Ϙd'@xW]rbeG6jǙfWkOQ: C %8{wODsJQǐ̭Ǝc~$!Z=n4Bd ZҮ<} ﬣ-PZ1W9^BL/ K *CP3'wo]vR VDg/er(v([ ;%u|XK 2ܺ_CIr=6ħaSJ` t"*\17V =Y +\m G7ԔHãZy ,jڣ16&^wB]:CS(jMUz*ˇr㗀Ou&)+uq!לNKCߒ5*At&2߰ `!a3RDF_9v*?Ћݗ;C"6SS(aB qü͇|wJyd&XSߤC~N%,|JgF`m/9z;+>l[c -W>7)[%z[C6w& g*Qb /;usM"b5`/&(/Q!syYkc*Ӑwm= 48-_КēH&B [הkT^- `M(R8:iٱ@?(®lW ]%Mw0'n,|O7@=œ]nu2@"Ni$ ؒ_Q&w=n~2MZG\}Ȉ88(]ߴT2K@5ΦXH[`.C\$埥`s̰U~hl[ FHkj{^ F^=ebRDad1vߔB`n_Զ`/ >y~'#T=x>_eH+ NՅ Жr.!K5Hn'7J;|81WI.i pF0.|a#s*%Pcg)ڝ̤EN*&q3 &o•}=lqGcb価T5RKfv*S16 ` 4{iUw@^hQ.f] AlN ckWFzM5ݢ0S3Z4ka9^{ܛD)" |CoW*c[CTQ׈ecv{U_D.7d2[}=rVH"\߭s\GװA~'Fl JfT&O~+ cĕX3/ J_/UggvBI5KvMetlC;9j[K0 ; !; (M5÷S@ <X۶xͨX>CAQcgN uWď,g oGf[DO5:es"SjIeܓ>DAxczb]P o2rƋqףD|zۂo@ UCkĥB).@{ I{򛈵JC}'4H\բt8[퉗XfY M{mk e_wtabEЫ'Eտŵ =-CIiXE&BŚ:G)!r'`s#Z<vk8fsEŇsVn)G.pXK>n 8՞] ,S~# ^PɞP̺! 
>G ܊(.:'I\/)Ѿ^9p48oQY .;:)?A:DfK#ypҕ^(}K"LqQH;v^5g8(4  +;sPKKNB}+Q"?+f\nJ WіyWXngS{<:Y[|7]E1}xKc(`_,߽܋od9=]{(!di{¢y3@R~v D  /5 ~2`DH?(>i ;[Ex_5(%ǝY<, YA'nEě(O7 _!k{fI ~g(낞!4'ܑZ} ]K?~318Z@+%GP7\Յ@ta#<>l-+`nJC0(ojҡEwJϔ|A͞KXcbfxi䝱<:sЫoT-򫺲4Y>`cEB}!ƑHQ^A?=0UqvkUJ3bllj׾1(>dy(dN'X8q;tD G4AA&`T=/oE @zOo,E?õ~|e֣MDGp-/\q0\h%1[in$\)sM"ڶcLT!dc'5W:(<1=^ih,o"TNΪ?фq*Нn\'t7>׵|`Z5̴s8Ѿ x|JHG?xp@/SmNQX: MI0D~'_Q(d= 9 QBEZ\6$@ HdH (z4\"z%x6VqF!]#t_ۄCF:u $;sFMIЭmӝ8e&TL_ƕ.,}͗,ndʴ'.cTDt \x8KWwq4*%5ěK :YaG'pʙ4E_ r8q![P?QHˉ;P o9e0WCz]^[|Ұ kUUl~_l8'Ky,m;ՎxT`0ױԨJ BA}CٯGhR{LywST+UwѪ( *IP/(96u VO \6*O| ѳ-M.:5̢5,A%1{ HRLUs⦤DEެq",w hT}uvcU/2mhP'Y7p5ciڲ&_nEy4tKG;cfdPSDv2бeh9hʠTrs'¨6m7m)'"Դhwu7?Q7ݠ.[}wsN5jEcMy)efPX>FO 1V7Mr AvtGkJ awҽ.Y]wdt cJ L#~:)S!$n' o밥Sexv7 0%ױ?٬?+]-oLyI?3kJdC)M<6*]v',P?V؅jSRf<%mOV=N{ (APy?zpjSw<:zFuEe9[WY<!; L\ԬˢcQ|_XXdj"+pa= u_-S6pnmɭ;sxܩ1ztru1<jx6j_$q>qc&5&X@&?ܝ&!.qm,~wf|)cy G\@fYx%# EvPš u|)lUQs;=?dްd` QfQ31iOW/FV Dͅt#Rܻ"8ꓲ9"W=̐b3oOGFh8tÁ24v\Q.9P&)YAn[mi6.r)jXJ.c!֤+JTU"߁͜7!q|#;JPU3o\$17"cƾXJ0(3W8d̊Q5,tAtAa S,VRV\ۜGݬ}9+1\z]B."IC!mp?`HXdk"]R(I ]UR[i_"9,C'o23YqĚ`8|iR> !>+MlT=7$Lf2-©\wCo+_l^H7{$~,L7\.6K+j)$9J[y$/pqha.z 6կX+K`W~ n(;7t?&Pp*ry47Aa-<;K6Kt*I֋[kQh G6{sQOZl{N(%-gV0 )CVuv"ǸS ~&FzsmEB@u)Fs^)!i 6k_@WFܑӑu!.W#k i:0e(dEHD8Q0+e>Fp>Pc XAxL#g(l>jR:SQov|%Y1m&^/ul#Xǿ8(IB>дR`6AM ER.jnG+c?G;K\ZVݡdoU"yHd"(6Tbn!e>ĴHw!FC>3aMtvHvXHa0>> ]'WBH?AFHSɮ<[(`Qڟq.lƕę1nͦgbb*/IP^iVPӨASd#⏗1rJK$Bh2?}xA+oD~KΨ:s~h`vt§%!)k?} UK(=XG'wm٧-dQ_xirVIUy=bF=#}]!qPgfd tgIT:+;mO%[ ͸syGw)ٹaʦd7u1-|jGWRa?06WԻKBgr>AT3oc(PaP7 QE>kN,UC[6c-۫ՐU2ԇɮRkB|"Yo"Ye!\zՔ 4r+=סP{f6n!F,gW|wjU[EG$R9EW)ߴh4;_u ]'eS?y[snyKzcaMzgݢZ8Ww: g3z@/7 WMz.jYbah^gkPȬ6 [X.%wo.rk{^,/o9 hso%v@8ܣ?`OcUOH՗Ơ [c}ўb  ҥL'+;"@A R*E+.}&ٲ IOW%-[> U^+z2'r#^r/#% QUWj U#2 dۛ! _+N3 Ӏ̇XIЁHym b Ry . 
-BځLݟW5zS")3 DK0< 4 "Qc N^[iڤ y]1ruwuë_k"tAm .~NA( w)c8aoiXuɷѢ!x)'>*nCRIcب^Oaz$?3?Ih)<,Z]q1KoS{)Tx10 p/6"WP+긓G4\Tu^V'W=&$@ U*aPO^W6FF_Fj C3- Q;[&6w:C?8J>hcbbmCInPi | 24wJNr]0-_!JM!U $hL7%Q/$ce=P(Jn(&088O#}WR - VE4&|yD~s1O/|]`?.ZT9мZi¸N`((`ڸl2cNDN2&j AӮ#;JLBRʽ9JfѬ boŨ~Yи^;$(1/ ^8%TY2Gt2fVu`En)aw[lXf"P:d\9jH$@Q<Śz-%\dԯ_Y+]t(X;S.Efnw'.hN.եr]Jh3u O0BXδj|pa;»O̙GWH.sĎ0lu0)`Z׮ZH 04Z 0eqOd32݌l`%ձ2ۘO6*Z$‰U$ }SzgdH@zd*5aT)LNz`y!bWP $h8^t^T#+m.[{a@yE`g%.49TCvXD'hfsC&Pq?Ik͸fT"7R>LpT>%)rHx,5<{r'p!y1"YarhIkNe<3 ;1*&|NC<'2I_ WE[;:Ylq&7y~Yd{stډgjqX̔-dV}Su쿯1M"H#dw_8jhRySэ?y$0# j0(9;]B:%[0eDiDZlʽWy/1>PG` P3 k›H'}j{&Ig9sqݎ$U6*\tTQZ9DqltiŚ\i:xJ;>a_4 NdcEli"ok.$#!>Jԣ_i&cF`3u{o/vl^45 6MmHyLz@0b7])UU,DJ)?}m.-{@9Vƚ&)iȤ }^Ot9;x ؗ3ICbIë:hkx0ZVDh|s8&qv~n4ۗawShOB> >Axȑ{;@9Jr1\̨ZpĶ,;Y"ϵ:#NWКS^|yI,<6 j#Յ`g얣ЏEݿTحQXĮ .A0'*,3 fz6NfH1DF0s_ryWɡUӻA6'aH\f`_i $HMIՓ PO+vc֠Ĉ^UH1AZ`>^/ň|!-a/Y378XlFMp,~\.K՜Ry%f#+U A@ZMQbL"5$pjXoP7r궒vE%Cio.)2![|rCg b`Br A' '`ת ;03ɽk';EDU]M.yQJq2]XO3h5Rb̵z7b`WYLo4E(H)>zCi+RMIL$ <1Ey8[ّlVW]-7 itNgJ <%M=|tBpwl9jN+ޱj~w)\zER[&oTjGb@ϓ ,#DFv/*JfYvWfeuD):)A減}mܚ~C],m}RYTBdx{z{xJoYԜMe\Ѣof1vMj+f%p=ufSUQ6ɌÏxkX55 1Q_axBc(ֻnɳr `{g~ucI䌯qvLQbkcr"Z2EϪa$<_spJtޚ/hژc(WjPL #ME :}=Wfd}>B"ip44YA~/^٣`>a^.|ÇP`%O:`/9a-<\OA%ETrɛ0aLOJRG50urdQqm ܠK|i/92-!NH8ĕĮT/ }q;V)νatU-"M}OZBv>E?1T̛YY0\Zk-!O4U\0lȤ?odCO~<"B1= =si p*FnZL"a. 
]uCbC4k<͒rR`o`NH k숇?@kK)zؙueA0JAU$I34#cK̐"7]^cLmi.3Xȑ< I2!wb[oaU"$_!P׽N!PRz"B˔A fQa][]7"Ot @PUkeiG2㮩1@Qn\aBi$2;J8w]ثb=аh~Ry͂zuoH};QlrM$,h󲩤 mH?&V)Y?E:xO :85r Y44A EiHɢqcJ_9ˆa\%Q7q&} y hZ@|v^vde7錨SK}}S6"DW ᢶmUUW,#iU降;YHC$Hta $~Y6s-J|<[2Bvu}\Fq ó\Sjw \nLAAvax'Ʀw+%0:x[+]g]M/Pj )fV?r[ͻ,v/XjQ=q:.6R[ث)'w>:}jMP}80W2 8PϑDz* ҭvxiq[Xm!E}Ӕ`΢xh7*~e`OsU&:I)pfG^0P|]½nC%|,|ofJ{E3U6\SY`ӥCGvH*<.!-bU3>lggK2h='#T1LX*6!F [   |h S9FzhC_U|*Xi`?+ƌߔoԳ[L'@1?B* bfo09PꂥpCi JZZp@Ĉ^H@.x.k:m9G3'eIXa b?IJjݽ-TlC!GP?@v̐igI5O.Imf`ύEoo ;ouqsm)R/Ý[p}sP nx;{a9a' vϥlFZkٳ})݃գ8͙CuG+Hy:[-PT@g:ʣn>؍u&S',yT+xBOW+zhf3.~zh8>So"MxW2ڽ̰ OtUK4P90"#ŶfAЏ@ v4LS`hmxF؇ ijf }x`v:ׄ lyݏZ̓E",L_-9xrC+GJ' ߖaca?CήQ>h5h7߇6>~ )n^yZl a|O9O-LW(uIxN q,/ i/2Jv):FR) .CD?bE_{Q+@tJKZk*8irmDC808ӬS03LYhw'HC7&!Gr!ssרȞt?pxКIԝ;r鐛MD}-2ix$dBKWUM[!Y_49uvKh94"ǥ-Ġ "vs_g>Wo-ES ǦhI%4} ,)me]_U+7?yXͥ .9L˳s$|mQ-AS1S̤t_!buFg wl.#{Tn&ē0\ A~ F|UچWj^8vxX[+o"]96eL%[+'y$ E/FAQ!}ֲ.{?֚py.kF_u_Dxk&V}-0#Z&s\#b6 E+2n('vO`‰ɹ&>~h8|F>?&3%fbSQS*f⿂ ʻσYJXrHJM MR}tem5r\X%ejk!qk2,ujdMG 0*S*A9N6sP]d 3 ӅחΣ8Y̦5Sd?HB[vQlJt[qҦ'00vfyU )Kz0)WlZ$ ONϺ/&UadLPHk M{kuQ#3!K`QĬІMLq:ǰWʟ`fZЯ<$Ӵ/B™O*;SZA&+ :Kux1"$CQlK55|,̨i{3+ˍQnZ 6|:(P*D&Osy-1H5Ys ߼|oI"{x1uM`W-Ѩ B&eAK͇i#⢖P ݬ# 9/zҢoY,U~7i<]60qDdCt/Qn/`gպ$DDF9HF*o?խ0ީTsΤT@F_t^am&{z3OAeٜ i-e7 A{ /_FGdL OM HKiZlzG~R_Rwc;$ּo`#^ِ2' ^鹚(?C&;SXY%Ka@ƕe# tt NJ͑D7j#hf8 4٩bEm|O!U*pbefR-nl#2D.8X0fuZ3ӺaownvO2+^q<]g<#Dgdؔ!,b!s~!ZUD'޸0]~yY7T&c cax5Ғ 2RT"eWa*O Xw|ˉE`5h%X.F@ ߂=MVv[?,z(`TƢ ꇲty]]m/5&;$eJFeL 0UyW+os8z\4Dq<0dy6 >uii\Q*L!T2m}vON1|\6Þ6fj(HBkxF*? 
Ǜł#=Ѳ+*}*7E|esY-:TA)>b1Vq;X)pK3rAq,ׂ뢤DB) 3 v]u-ZD3">Z 8fSv ]*C &,Ų9 ,>$wh,.Y:n vrE*lM 5W81KA4/ibE5#5;K*L@%,q拰|%;ާ>fZxT YIƈpA9J<&AWmA%f!!/yںҖ)t%?A!ݔ?9L3"'K M|"̝S7[M%9K6 rr~Ysuνא}~s 3P6?++єr 󡸦e/)iG-Ì\~F!h¦~S^KF0"Әߦ?}ج{6+gAZQVP(r 5.9!"މ2Nh`N9sjC[K!b5&f >-8"1yޥG7`gޫjdsĤ :jHebDd ꙰|+Boڣ߿~a >ڊ[l|ɧ0tge?ʼwCE =XǙQ r{ڠ}p@0aݟ́ ,)YKtfk1RaL \^U 9eʢ9ؕ-;0'SiJĺ{'+=[h66j;nq *YZj?dQ?Bxd N4'֕4`P~?%*fB+{^#T[PF\O2U0ׂ1*qw Q0 Huw N}&a9}=)*CnfFn\w'phFKtC(29Jf.p|4+ !#$E!%rQ zqJ)ľ:)ɸ7@G4 n ֵ$Ga:p60#irELLwy*tR#K2+k C(lӢ%^NPkڳ8)"Z6&MڽO㭠嘨#u56 %^pK͐n,r'lO7dn ]֞X*!z%AAOǸ7ll<"ԀE헨 J]@)C(xzP=8Ҹbķ:~G-@3AlHa^b9<ӓfQ{oh ڇ#[ -yi;LL4e KlO$=UЌc%I؁BWyvw7I[׸?~3IWjPsFn,[:$EzTz\[V\PSSҡ5^:\azMO=Ce r>`O1Q ЍnQ6-3%`累3Po'M.3yY-@=.VN%27/7jO΋fbt דi^S|yᝋfȅ$Zϳ~|"U-{g%j֪G 2DSUZHfaq +=^>_T/!.C2BqDK(}N]+攃ϒĮ#b|e,*Ө%g7{Lu"pMɖP:b& %8H}=>i.@5=\5{E׺xWb\$JDž b= L p7zKvF @/fQ )[v-Z5?'2Ng^B>-U])enjWRI֕ȸYOtwZ+U,)`s+\R0'Ή΄c>و1ws=bđRgωwi/}};bv kLp{ZY_D6H0`< P㴌SJm,|>8i\L2ŻKwPfrzc=!) Gzf}B b?NPTt+5{Xq8uem{LOE`B1?O1R[_G^#ڦZ"5fas܍NWx/cp i9,וUDH SU$+Hr?;6`;X+c-l#u3HdKr3y` \$ 1BBD/ wswj8r=u+웋8*+HCd$ۅm;?t&~ aQ2Qr@ֽ@iD~?V)+櫥h_|Ak|vZTF̔scY d/eqw~#"[z:&f:(yRmg{0*x֪Bf=G7T:qlsYtށ=H fFS&{|P$:MyhF;+(aT7?XmH/Yk3`kUҪj`E,zw >e@V N }{W b`p3ngPc!c!Rar-+>_$ڈ&KS,,|e @A ;ʗyJS:kk߻;!H#.-Sd,e0֬? Sx["M`e9 |VXRUJǓ DF 9BٚOdD- /u2rwf ef>66Vaȶ=yM8SaQE{Nc iOrHq;~@*{»#܃Vu4I⡃03fi! w9WL7b*2( N ZyB \*%0=3 {w%`> \w݂cyoVwJ4ˁ%zT%-t?s.bQŷ/YDzۨhl8u:{R9ɟAGU8-e&裒H&2XQu?4N&agLԶh6/11g݉V ?rDge"DvӋ߭>d ˆd-˴YX:d,*O&k<{[}6B[Z ޮrҹ +MBT-V)`)wױ;o!gdi:BnZgFR얈a;q.^_?GQSOkC \jHZכˆhR)8F`9=1ODy0=d&uy8BuQuWeV<7hX&1c Qfs;.;Uaj4N6,9N7uBC6IMLaj򲆫ƟW86L_2ٍ8P:&Q:4}XpbG\X<}Dgm޸)f׬Vhx;/` ]'w&AK๗X>xxכҫL] k4V]40ysr< pʿj;"GZGf (=I |+]Ҧ6w*Ntxl%3Ƚ9͜1ƬK)I7(8[`Zq 'Y+fQ3*¬mAwEU%SӮ` $LgtP}hę/)D"S ;+o2ov). 
Fh$Ga (|RMoM g/]PNsY4`}H_S LϷ7K ԡg5:=W[9/Ci-§w,E=Nzs3ջňƁ\Emi'$S^+J5նK.G!}d9.{cIN{Tċیر=?0 ~-ꚠd4ު>v7rE򝑚BKy[jaC}ZVxf\A% '=0PȀ!1=w 2צ,33ꫯ\yS9݆= e5jREuAԗ+]"F[!ϰx'ͺkj7ؒ6(7qf N`͈Jcf'!l^HNQ/AywgZ RH\Z܅cna0qˀA]VU'tf1d:q0 {"=i q;ry$* W~y{`$n5x˒lbUQ,GZbRL *g2ݫ M|5N!w1cIHĄ0X> &]J(R(&{cX~c?ʉeKOYJүhɛT՜-W5bck'Lj˺)Gn~6 _j"cmIz}Km {hb#+O暢hB QD W u- $1;xM3X7Ub$4ξPCS wpe0"9.R(3xj;Id^kbI0vGcr4uyp+Z.4=K" "e7}O> 2AɃ|)bKziQSadu2 Fpw{Z.F凳mlcGEhA!S2!Uj3X3+>}.vPQieXU}kCW&▸y m\Яj{E] ?v>|$ WrBvUFrֿ>q-tÅJ*KTJ';Q#;WvGY#qNƖG5\CYUAK6o*q|9QŏwṾ!Z HN ?̹"2)/.'U+c ڬqg 2p&}u/d @jdw2>3:PQ1+0df}_xJ2^ABUZNgș=o4{D2pbzc!FE߹ İXz&Kw-^ctؖAnp'J {{=KR/b(_' R.myA^C[Dz&"#LX!K\k+!JVWٲڕ{ 05U5WKGX`I&W^ّFG?o0sDF##F? EAX!m D_o S+,J 2xIt*g2I&t`t/ >H8uPBB/B(0Y׮jPa/v v7V!=E(;^'Œ|_6QS߫ʝo 'UcэU|r5*dZ&/Sx/dcI@}bbS!b7qT Y8\bo&NdƘC:*AK& !_l.-96Qg@)ӆtXtS^07hm ٚp(ПXG2&>J}ߝY:';"ENduL}O2ģٗ(U %&F3A߸ abp!i665VuD1fGtB䢧anAFgt#ə=._:z1^ކ;O4xrO3'К|[f@}@ vpe+T$Ȟdc#6uGx@xW#'0шDa۹0 J]ga7lF(Z3Vmhshĝ0HyHZb-gDg1I&8\c[ͱ@0+8@#R,.\-bFiX@^q' !;):GP IT  `՛(dNS"~|:u-/c:rWprj2*SkSyX:SЎv4)Q.](v"¬lUr\ZJ #&Zttd-P슊ALs Mށ#BpEaj=pߕ,BVL,;10x)Q%&_(,y`sU1 K{}/²7.>Qӛuq{r/ /"+Cg%M>Vb;i&Z1d:A)P O/ 5[/n[m $4N97դ\RM \wKR~g78juZܪ֝.sizʦ+u3jk*,մfh^w'4#9F`砰rQAz:B߄^LgNCv% z(OI9S>"I\~M z; VU)JK)[m!fN>XLW$RX+$OT{J)xVEs[/2[g:ܩVS%6o9K[h;[jHR}Z_sf ;Ba퐙ЭƗ! 
h|;@ 0j`K "i~BhF< ݽD"@fVgX 4Ӥ3=u7w2keneS?tJ) 9tNmbvdZ/=zvaRK0ϟlدI;pE RryuZxR|kLms'M8G/_M(hR$C}v].&Pi}8͆3|U"E~P5m$Z; ԄCAxv^i2z'Pe)"cA#z`wG<8{N)Ollt >g?dlR{DxCd/sca&@g5F(}S*MPscmUr5!Ȥց4d*CM4BP\!pJc"'^} &R 3ynk n fA tMۗ0ϼROc=[ VDwmZG4-d©(4K>&X{Ѫ[RE .զ\-LbfQw:qӓ#Va&VYl5׻g0Ыc[kJ>YtpqeN1X<@oj5q h"T"h\I x/b-s-e!U:^.3{2FgVL`@oU+q΍b0]6s~C&Oz!3%gů5;KHkvIi,o1t_sn06d#A‡FdIpɖJ]] ƃ9ˎ#%_D!&jq1eGޑk/3Ͽ΃zfo4*|`>ڋ{^ ~Sit^$&Z!aNj&4|T 7 IͰ>֢y(tSʑBTI5T{X q AbW7,Zrd,e+]Qތ{Vmfw]'-y3yv0,1{ktwj8i,k2m֪uD{=ɀZx)|4G:)hGF(;RJ($bT"b-b.uqkSp׷M"qo×!J"³ Agozl\ m~5m=zIz8BcFIeJ9"ޔ"JXL=6eW`xQ^o9#YjxK 9Ϸk%jCCJ/ *=]iJdpwiPc,"#(,B6^ftţIݴD A;=c(H>1SPTTe@#uCz~\_8Ǎ0=B44; 2 Fh%D> xiyL.Rb W⫥3ת a^Xc2#Ѕ6@Bmxjqr;@YDhI=qԺiϸ3V#`6K$"FNZ[NaFKЯ]RЦ.@xԲoFr|u]LoL#}$i].%ݗȤxYRCGi/l{W%ګP a SJv',(u8b{a| ßDz]J(6>?Un  '׀ m6 Ne~Rv8去t X,BÎOզD|S\l )h]I<wCrНpq'+v}4+L)v :E߷?b*a QF6X}O/+͉-XO2N{xD^@xե' 7hJ߈*' {8 '#xSE ̦_YAbq4Zi>-f {?M[{gve2tF-ψ/M'Jq#@ ݏ3r9)D{9֘8PPUC _F2!ϙ$o-T|#WeH, ,O[PaAQ\n};V},ܩXÈ:#b. _V@ޘ݅2->2Ut#^3ah&(`j6’*8/$JGٚ2=3#cr&*xshf5tcc]jls 1us?d=isvaڔIV{[lE <\ Ƶ̤o!`_G:Z^>]2}z4- j.<~ $B&`L$BX)(#34's1/nybv믐@˿L:_b.vҗyiXfVuqXD@wfN7PNjU$|Xr# bKu)癫{%cʄzt\|st - 3vH1oߗKa"eVMPgWn.<̨w/r7e>MjZײ/JUJm®A;pazg "t8C<8}BMt1R^}Q<:oeyy~WbR$FA`=ԀZ >#d,x(Op(_KџttV9 ҊQޜƾ@M @ІbNuDNjP~t)`-s[`>g2v^3ZZ݄6:ꭹ>o]Ko5.VѯF9h [!VHnzLk6-q:y(|Ye7~9Ơ3㿋7"p`>Mu)хF?&XV"p*GumC@3:kYzUgb,f!u>!8 @Y|2n%-/Z' Bnhgb r ~A2۠PEO?ѯNJW)vet%7݈eNIh(^Y "釷إ`[F# }#BQ|k_Ow&ݜ!D_S^x#zE{+_FV.GzoBƎoK^P$cTKdưd|0a=m &+:3; p0UAnͤ*69LmltS'd9P'wOE#B%-,S(r]Ke2^tr,=~a D2AX[=17-?ZHJ^4Upn+xi~j9e ^ЫvyC$k'fi,)ڼ׷\GYXmb4Py`o̧Qgdo> f?~Ēۿϲ?:ftVJGo~N&u) zOqb#_ <1m##0ѮOQdҫѴϽڛ4uAS(c.4+W]s8h oV>2԰ԨXDPr`@! ;.ش9"a63*Ԯ! 
220:`> pK\9V^ͼE è`lZk播~pp ^eq7"sMp)/"Y O ydۉ 7jΒ=k =FMZ6F=X(\PcozI\S5ׄ iTYڏtУMJo."ws#63gy btu0ݍQiP;4AZⱏf;5w{c"Q{~U,uDLw=5H؊I]}Tʱt ,)ߌz-Seψ7ѵUy!1<{/: ak[3}Iv ]^VʧDQѤ0 o,o_򋵒G-_ v:N7֜%`:,_?3T즿ɝ">* ;9.4*u^ t2ZӮT'AJi@?U`'^">krC7% p`5^"6Zd#69q!;p9 X}gӼ[|0BK20YqJhO/"MB`~Pr,\w^FrC-tѬ7~&ħhx<'AVqД,@zrYDnQYœ[1١ǬMA-D LsPe\B{)07MI"{XϤuKfQl|1s-(ALH&B~c$ BҭhU' WcXx~4,H X9aK2s9;.L1rJ%gѐ$ ݿ0'6>%-J$HaBGs9y!.~9 ~ShIbMDyЈD[68ɍml.)dTO{ 01j28}=(e. ((Jlk؄ ?;R wXBaC텁M!U]Xt"z:_I up}}Wk. ]/=$#֥)~K}~^oRU.Y9I: Eŀ^ђsqL{NJJϫgF\ v3Sh02o~J=I[x6½ɠ)j#-c $QwlRm90 `uU8+0wv[vzDK_3 !GJF? a?s#vQ:kzq ՜dkՉ֢50ynp%g cƼy?YXgIkayނZ˒-J"5~N5DFfMAKgt,&@r݇;crE*;1=l}lIDb/w:QtOXꥻd-_"9$3g3c_Zr\Aѝ1uS\Q8=8-;[c I|SA^-/2kc0ct曋xbB2"(\A℉5|vi_A6zrMA^oO uVnmLװ~Nepj5'yb88L]<?2  3 $s枆 =dDzp/5RIHBywcɌ}yJ j\6Ys'|*x81^M#p+3 /ED88[6?HpY*GFuV7-^}TZ8P#R_t*bY t Mf)TUY宍.Ckhł 0{0,G%UL n'Z>yKе-V;Bi^'jgbDab7RYeo&=VbΕ^|*LΘT@JDK!R>!KD:uq?$:OYڲe=,'%UKu Ze7PϘr>B0PI /q"YO%0kUh&/;J+_F T:5R#}cbŸd4NuQJPlWCF /ۚ/Gi#V Jk2=6o1V3g Q9ikՊ2GmjC2ji)Íh/VC>.v wŇK8 *x_aY-=C@z   Yx?$4$Qk r R&H&|NED10ל+njq=(ؓi$hjη(bFl_oigGQHļ!;\"M)\̃tXT2<ã KOG;b8,῟Ox29T;8T7Ŗ9.2 dϝPY'N_G)gm ^M*%Y:S1dlȞmJC1Hf:123If32{}6Yflߏw N3OwZ=u4+п?Pu&mj=瑱 AC!H}˕'Dgϸ&xYSO#TA ^ܳ hx 0b%*qV)4FMb2o$ ~ z#4dq  V ӱ) DWN7^[H*KwӑD皿W0XS`ޖe^ C>̨i3%Y' 9p%8Eqy!J+\>R\gm0HqHS8 P;duKC9&/`g%>mE9ל bI<袨~tW7${-7'ᑍ]kCLCuT~TX}:+j4EIa'@BnjUR:u6GXֳ`A§苂rMj8AdsԀ Nq"=p};jw>4Z|k%{o4a)vbԮ1t6`&B"UXXRFGpW_/IhC{غE^SO A98 _v0HR©_ O#e}_?"FUSTxxrTL׏hobe3]96J-} hwX&A;iM_?VAڵZs{ĥCLEBn&^+U [N@ Qˆ[q/x8o>; ([PKBѮBvCޘmEZvMecVvѰX@*4yHe?xy"7\=wjt}\A3i 0'S`n3/AFA]-3k"=:Zr3CJ0Ṁp`AV4T;rF1mkEqP[!>y EύdGp:Td|=F_ qҌ*i2DqO6aB͜*Cd[7*H%ƽeBhBE9Yͱ7L}ӤNp|b/v51wԓܜrra^i"(j&zh 놟&r̜Ju˜ of7hXՕhw{0BG5a#XCe^ S\S<'m7tuE@?ZﵑM@֫<7>-y?U%zw}S  a쯶XbW!3CS* .н44Hbl;սkLffbY⬚ NGsKJ2N #풣aVȤk2ˊs@]'LbkeC0NĆ:$c(`@Iѽc|&*̫~( _jK<^;R>M&thq%97IMÍfhhr$a]p%bqN|噛 e3"sRkfwlaտ/)2@ (L89'i dz6ņ#6Ɨrav&agla4Ä-6:Vͱ`30} ~!#ة}KGR8©/͚f-Y ZRA} ClByCR B.`QғR/. 
,_?% 2}P|n`pIs5(5_\o_A`"qt 4GlYLlknmJE)!5qnd&W:;gUe)7_E}ZeJ iS 0 HnZjd2FVlyV {{ Ԉ..rƙ_MNJ+.d߱Cs.YXu%<#|[3bNPZuxg??\ӌ2S7pV{ĵG=P] w1_u"amK[y'sq⧀V̇+9"6Jb4܃I&aJn=7kN2&Zdw9"L2Qfs 9x^Vc4Kis duR`G }(Y9hнoƽv 8X\M!ED8v+V6#䜪C5y7SsNCkb {iP̣Dr+7_%;aa"OrO=hj!5eᡷQхH0 ]%)EU3r@ãavR}J[vW@c?Wk{9\\iTջ[ F=ӜtҞMS^F:Y'3`WaR=QA^N>6n3ӗAvk3͸!dgž@k+XBel6TqN?$2v(im&,,2ZtOd$D ưA. Fnl%m gO ` ٝ;o=YZL9q$` T4,kAAZMvg?F>վiY?t\3j#/oD i{8A5t_4ӟ>,WELks8K0\3iv^ᙛ?߸2nq+ 7BQ Iux2#:0ajbd<ٟmo~;Ь4/ %d~ L^QBIⱑ?Nxm|-\Ѥ@X]C[Ǣ'<5EJv298eV U! ϜJ^{i'(=FfLw| "cU"x[7 qDY 3"H!J0&5nF̓[>)*U_ųOdr)ȤW7.} `֍Wa 69-U}CZc{ t>Æ ?Y{5mYapq(E~uUܒbuU54@Z¦ N񋌥xbu[yx?VJ}@+y$׭|?4uQ XLi÷~XQ+7o8WŌ21rwn|Pp<߫w3jTJ}( -'b_dymr$7_ wk) ɮσ>w_sR mI*C&F?1:+b"8Wko^@),Cc0fQL/ t#A̺D^ΤMfavxw ,h.*C|& \8M%Ui{(K&v@U.Ki ~G3}ek y#Jݮf | -Ү7cRKvAL;4V,-v[x5%͆Eevo9v78R5%$lL2*1Xf#27hrx8Nȷӎ߄7^iD8[v^ 3< wfq* ETC,eɩnl.Ar8IF50 @6kg.{F^a^Y{nՍn(ŌDhx_6,axb8/2:}k+@ q"ֺ 40)s֋T鴺NSt 0ֹ/wwP{)/4LU߆"{ŮVYR:kDP 8l>4ՈEVWq ^&~@S 56m!o2aGҬ߁gzH$" ~EzyRy;OJ !lң(}8W 춱fSS*g#gUC}pp+}sQ:ygv/$ q&㞚oNJ+v6ZZȏ~,sGCGW'\tdjc8a"h*"t&-]JY^8'3=D I u:C@O*;([pUۊ-?D0Ϫv:lϻԝz(vƠ /etRRVK &>LNe<nG?6†e2)OLO¹.-VQ1 y+#}gnOPW3ߘ,EVAdgjNqeBzVng"Ja .y BoiiQ+BJY^(0W$C:bZٲV+n7F7Q++7I [}0 ѧ28tVqv5g4˿iժEK3m'KrTP]:a%kmfa>MjV_h7'RJ(-@xkV\UU,PJWK<⬫@7ˎY0zfZoD=AY`a3/S"+>llM #71 i|p_.bH9ocnN!8`&tD-\3Oz&wKTr(4CĐn'IJ)ǡbѺ(?N&ihap'G1d`+ ņu?CcluyX5<چd!tEWu1{yCbr;2ksT>_2!*惊( پ,"<}0\FȜ/"D !IP"E\$ߞ+<1q*afAo|bO\]=UAp}$p(Z4J=`]ྲྀ-7+ޙ6ɒK'2ğЪZw HA.PT"Kvk\F܃&4<tb#k&tg\m0Qy_r3bNT~:11Y[R:, glNT'`0VP{4n8uBz[kNx YUB9"µ˷9s(␱cet~ljy@/!iRC?nz.|_2Z$=Kf7 Ht$4&%%) %h"d,pq2}~W70S \c$k.P7@>5dX3e*P*kruJ/ 򝎤7E7^Pg2w"Zq+n{З+9o'62[$"A\}PJVHBq54+Z%n9LB,/='mIc(Y/'0~2:Wra+Iz7 ]*f)cdOTC:>]kk~wqԹN%R3 @K YBV?v= A'T04@?7l#TZ8"p4B紂XEv`Kn&B ~N!pl" H+Ԋ|(aRG'ٓ4< ,˵v004]:_Z`fJl"jqy>Q7Aؔ!dqy z1hEYغ>դt<s^$?ibt z(:ɩtk ]P.噹vx~9jni6ˇjҚ_9xƣ;`tsYTvN8BD\i[!VR+8.<6ۡusTdjTpȘa}7hݪx3Czod 8T8L:8im=]T E3H&@Z>N!AIT3dClLgn7P?dw oǮrOTX65Q(xܼ ts]?B6X݋bۥ cQu~ǵs;_<}yD1|gRJwⵒHdzB ,*WOyQi|9"N<߆"\>_yŹ-EV.׍}e~Ykj89?e;.;Џ:|]JG+䚸c)E|H"NyB܇;qF@:FI"*~Y# KeV%(g! 
*^w(^!9S=/}vT_2B 1/ ޴k@w\=D?'-4 ߬i5~D}KQI)ڜKxxKR/ѿY'z76|'MbsA@\jy'$NySl*Rj WdYVNĆaORɡQHҟENmj [[m #}*)y%0_ml$㨽# ZQY%tL47!$e7?g52x2?**_}C ?/'\{PRpЧ'ZN*َt.uF_d8|TTv٤Ͳ6 ɃcQiWp%<^LjLV*S {Sk,ߕ!IA_6jGKa 'ᨦBθ )ڬE, إ%y CxLvRVpX7h?#[]ZQZ>WOz.ŚuEϥK;P:DP)E/}O@Z+Pq'M7Ly}ּD`+*ʕ]3zLZ;ӄ&QSh]5èHpѢZ:vAOOvP<4 Qk C=ƾ̳&%Nif8 8@@S+<> 5b\;Y0@f0l0 V/%n%{e 2T^"i; XòQ+`f4^bk(ԐE>0$g>z4şNj Z@(j| yÝZKoA2JxT|Ҧ<n_ï4JR3du|_Kx4)cE˝f1̏07^V=EoX}רup#BeL3ub_K/]k+L \IgmN\sn)vNl(㮻 k>߽ac`y" O>I$` KH \UިnV]]ѵ~Y3ۡa$nlL E$R8,gBfR#Z*hII{-Jͷ$}_V RV]bo},;DwC,E'cp-5Es ufZ{~*G "RŤ1W4~9uc}ޚ8W[Ce /jxZja]B]X}t2̆hL%\L\Cx5 HI, j yxoi"XIWdoW&;?C(8 'CpAŭG4Uvz\=U]Xނ>eh9G.B?r5qWsle6-A:D@ k29N-9.ƃݓWkqE|{cрC]G)bׇfT2Ȭx*7jyj/2GW68{svM />쬰8nR~T] (S왚G%c"_0U=Mx5Cԟ^|{xdgkuY,1MLdeN`YTv(V(znE[aXs\#3InO)$JĚٺBGt&PM M@x[Gx:кUZe"1Iѽ9zs#nx05H"5W[f nN|rK,c~h{~B|ՖIq]~9e3' Hu9wwwUGfGe们y])\>k%TORdeVݖqDbշI#i\ȡ巚*"3&LR-RW Ӭ.-ND#d8q4J[ ?đ ҅G?BpRZ< tETq_iVXKCɰ)ߥrcAp)5$ȓ 9GWAѦY?@@wÍ<>S_^)Pd>}*[G+3-͚j T("o6y(9'pu}=(.ߤfAl'*WVc8gfTDKYj.\+"fPpJ~禿 #eFtuݩM #HǡeTlTbXo-nKc< Lj'rInRw{8'C`d|u{2SݙůQRc>mKjw4iOyqj~ I֒#fL_4 W\ZpOU`UC'ā/qf3c(ݬy㛬\*Y۝p񋱇OCsBxXS321 ڽ޿|鍢mj0eY,^x̄[O2\OvqV_UNޱ[1?i٤w~\;RT\al)Ud#P\c]OZBo`ҙom C3EpA[|jLO]<~ )f&K4ByNTA:A|{297 ?S=i,kdd?V'cDj,Vlf\wNaYBl\×;XZ(ȯN vB^W'3'|NV|mz=O=+ <։ [څ\=^(0pȨŸE1Hh>춠xԍĔެ!F`nsWG$Psll dޜEz{β3~#@#{ MJhg&٪90#^|+@t&0ˁUEQUp1>)A-d6v-ۯ/P:qOjo[^'LSVߓpp}O-Iu 5tJK"={{ ))o/J _GX*Ll]u'^W^ ➇=!+']fdY0~e9(YNtD}yp0Lå|n|u!jx>(3)۸&BNNo3ż?c/-;q,_7߁)U|P0^qpS#wLMC2 Ò]͊0&_vJ詇ZԫOG?/XN]-y?esQ+dn` lER\}Pcou:9b=%cRJ4萜Bk^0,u)\$8[*JBVpb;W6̔ͺciQ"7]Y+{oIPmN 2yJNR.UCIx#?oUKfTA&(j)VY6p,`;$ŋ/u8Z@l؏~%#spPѿpJ*YbTDqq8)Xv]+ SI_hW]oK>S2A m!åT${s:SoC2q:gB c^hޘ3Rу_aN$ܾ[ zly,%8i0V& 4n1QP'H)V,NFQ41V.39Ԕa#MՋew1nU!O4P׌Kk*MTE% >;Jۚjzvj7O8vYۧ _;/?:2-YNj wDɬj -rڔɁ:V!8 ^$uFfaړ6 7Tg nG z[巐$/zߌ`ȹ&D;'T=n|P4dqFϥ["GkBV9 iIvVBHQ Zh0aO :X$ +Ťz`A &xU8S{޲ʜ2\ҳ!w]4FvO jXGZ8LW28#@$qbB+/`}mDdb*2#|d#*wߊ_yu|0Vwk|xb֭`nD`DP[S퀹] B΀:-FSg'k7Xot6&CҖ;Zʌӯ7a͵#?L*@Mᄟ*_ Qr)^lʔ/hxWp1э qdM<">ܥԸ׶DT"i ]h6ޡ6yN"K$:F7Wse6HTOS0Nb^a@3@\(0;MW>]n!( bH:FF{TȂʣ٢,@ocߵY9 :X-%ӥ+i u 
ĘL9C^*n}En8+k~w),a =RY׋'"XR!Xl$;`<9H3ݖX)Ja;uJI(q-ZCMK J= 9WRi_]JL'<T8rU[ Wo\%i&.+ހ4zwrE)־vD$e[uy ZLU!1<4[:&ww6g Ou{ o)ヲ3oQpd??@эm$/mHz٫Kj htR\O1)\P6KW@Iz9@S'OJ&fH 3 l M8_#.  n:t;)+T..'{{2x:F6ڸW9c dVZK"h/y=Zz\ᲢNZ-L\(FSϬ9ԴB[1M>!h|>jbA.^GMJ-\;1h8w.VJȔ5%Z]]ԍCaaoךFXr)CS̚X B$)uoQU;]8IzZn%mZ FNJ,O ©9|yö5 ~_'I0&f4SH 6OZT վ i)sAQM+Gз*}legԷk#;ml-m-r[go<(¦1_ǁ&y'Vا˝]ihXTթ9ṇYQMl$rgyaip*OU2f;h 2=~<NkKq[ ?ȥXctwz~PjUD{|=luHb3̑~xLGDPP%iBL B+Y$j2O6 o]gs\RқqG^iHb 3I^7FtT"A;yM cpd&'ʝoy?G@lcDp-`mnZ #qD"r BbV2FYobsP m<\D**u__Zp^G=u΢Sߠ|_6`{9K8^Rixraݴ2pdȆM2TK4'&鉧?_ᾃq 2FM'ʄ1Y&eaS+ٍ(Q|y\zg~`ٛt aXNߖ uI1hc*,BY" AkmFq1uU}]h"D? 5m C6c%)mzlrO< w#ɂQXv%J6bBncm0 ~|E <._ HR\2@qrUh0EpM+^zg]h;Z jc-3>sǁvFL'jpbJH2dDMӇL ZeVRKj$;]'lO-R{}N !,NUw0yK~r.3氝mn 31MjjPD/HSܪ;ۗ%Dz3/7aBU%CJlEUg 8d/ro=08 V;b& ^%dzv BdY Ǘ8fZuS]#"dwtZ @[݋O&sFzc/הw⯡ ' qt-S@ka,&p}^|_6fߖҘ7~~x['&w!;nJ6-[i&sLoB a+ oHM/? r|Ǧ?ۤ?HDHGfE _TiV&Kc-ޑ+N6Ite(n{5VHo~Qui?v4hԠz+5l$QXsn4-(}y/f؍G m2fqF^H\|_BS'򧓅` [`917 MC)prɁv"ϐT`dd}e/᷇Fיgv:N9  ᇅPfU ņEǭt)${/lg*qnFCuհ:"" yFI6{[9>\*eD4=oFP%~D|t޲XIkx3v@'۽SX֖wK ;2M)pӢ ղ߇]%s&gV(_cppo!2Mr *~klPYlGK7BfMhxS,h.UNxhXnE\C°AZ@X'{o|s eSndu )n -O(t[ϫ06Cs.$\eu\}ܦWq)*ſPQ*ʰ 4a8Gac`#XLÃb0=?eq.p1kK<&s%GY 0S+c)frL]GPQb; F}Pd(zwkt^.W{11?sT>.&fh]ԍsC_ =Nep|& j3ֶ-P[!N9WI34k'B͠MHs̢GxX6KRɝ>Xo,93AG魚YBhٻΒeHQjbv. |wA6>8E?uRK@&qŐ/t cIGEܩr߉cj78&Iv*(%KM ZCaЧ# Pza}.W,j""OF]p:a%Pe n k$waDZ巅VL)蹔[[L6h\ U ?;ęf(F*[BhJĠ::g|fs7RȔ|G :iI6%a2#и_*7n4]&?lbc >ڍ,/u J?[+}-ubX/AЧNxLß:RJ^EtYlψ}1>ITmS9KoJABBr7y!f&6s[FbV 77n'LI 166qmLJW'"AGoˣc]#ʖuP:3UOSS rFyZ9M adXEBqPt۽Kv9`[S j\6q Tw)+dS}MӨIP2;C0A/< v`s< \"m-& sʣ͕R+׏yF/m@^W$N@G֥K럲]C".ZP9tF&-Io%o,K1]=Lʟ;OL:f#7Ϳh#PڂqaBPos){=vX܍Z#9t^'q^vGh#6UTO. 
ĦwJDa[ c$ԐHd込$)W`HWuƮ/}})ΝGio!<9g :W'dž,dH"rV0T1$T-e]:PdK2{,_~ݜ|ȵ>lɑIyd%]1[Ϛ՚_seP"nDd?x4cXK%għhF#}< (Qۀnz ɳӣ yaYVVvr։6+I %*)+5,IxTҊ6=9}qpͪJO5%5 ޏ51O2E =/>RHdz PVFx]~#l:> τ!K"J]ѡu&sZZTxyb EũCa!?ei+iRQƷ_UD'f)n"ď?*#fD-`|GOJe%N_Wq_a12#$m[ji$1=Nl,bsos9\L#o݆Aux _|_b\L`P6hFsh?T\muǩ.>O|e5AG#gy0f3֋(lvLPvDPdz/>V?YN \= H BP4_Gd&mȘ vvH#ԗS[oxX[ꈈjӅnX-VxKG,-ۗ{(⊘ff}{YӔ@<ė|9yi{Z8#L }3D= ;%ǖjӁ" #OaXHGIـwU&%+Qfi` '-Px|{vxƗrjWy_skmXyȻFlʩ6@kE8u J,]x 0:>*33zaq,+ɣ E*NE3|y4!};[Hs[09hݙw!#,QŘˆf`N_ ҁEe3VIkaE_~o eha@Tr֢>2(qUR9웋">}F&&:Q[9|ᤑi[]g8mVAM-Y"lAw "t2_sg7\ι$hώ3Y:&ׯ7ЦVxJFqk;FP 8o'Pے+v =Eumsw҈ak`՚ß*v.4T%ͻQ]nFoV!(Ѣy~ L2c& r_e<\#8kLv&:pDAgS@s?z,zҘj1 P#{e5=WW.ӎg!R5LƷ`MuT?o|hуnExr6] } qX] }1~ӕ\Sz(dXlui|">8ݔ|Z`1k8 I51&y+!LxUbUT:.sRRAw^Fkq9;Sl$.J .)VBιN昂r %if3U8[ F:ߔ"bA;$/[SRF\ O%@"'B^o I^O\z9 2~v⅒=%7w2f 0TwH@dӟw1#M߇ۮjU@Id\ ].6\h#::I:d-CugS# = Gy믆x5~jg =@dz~Aati,}d xqN$xp#E6(0`a}ǀW>ӧXuReH9rNBE#UxVt-| 1{oRy_5v1~Cexf:E07wzv<6>wAP1,rڊcl6aAR"aR8q#K^X/ bKC ҋۛNjdվU1CNQhVׂ֗%֥^]Fռ,} *oK%_^P_W. Ȯ㘼TA;Ɲ4꾲`! l;Ő]A5cB١/E.W/J.EӜص(цjjzh$_}3r^oi˯Iܦc&i|vyRzʛB:"M@+N/LWQ4w+21 Gqzav`J\C TT3ꊯ _w@S@QS>WO&B!] H:{c 7Bo.TD]X詻&$#4p9Ώ̧{ KɯjH (tf'n58Aِ1ŢgcQMD9aU7 X7莇cwh4Y#;!R-&-{{CS3/*jGc $p0=P5_YTN aؖodE;%THiAuRs`ǎP;0" AQ;|d!_ lӻgjP>v"C1*7Y\>g^?MUԼйP F]b [Ծ5( ?s"3QncsޮAۘP;j#I~;wqb'p=-SŶ݅L,RD &G ;@W ^ɯ5%] jUt=qs~o?A{oUwC k[ N*pݼ&DVsCZƌ? 
_PZϫH^rDp)_@3G2?ݝ*B\_iooE/'n6)8N(VM0m<޹YjWW R{{h)2"NEJP\OI!:356QZxȄ~gƤ9 *uv; W0EYz$ PF\3T!`7Ho K#ZIV$G,PyC+j݊w#kPyԓG%2p<9R%Kx iPF\+OFe~$@  N9J_Zfć HG^9!sJ™GaBpR,;>量EuLk!g-B ;tg@j5]E]8YN7 պ9b~ko^aDN,Xw^4I]ĞXƝ :Ug4f^Q15If&}xOS;~^k:Frz4G"B.ĿO({0Q)a9bL ^ pds{u/EsO,Ij"/Ӂi0BJ}_r:yGyrpMqT61-m1moGQ~%z&댖C}^ؑxs;fQQjqO̗pvK#܁awmU6t);aq lA{zxwr.$wP ܂ qcKgcr(9j4"W.2&!%.Lu}W_.hۓ{EsJ,8\Oκ5[TO`@ZL q!s($[KN %傴zbRu 8e#C[M^'bT-yh;yksh+DXhdfW_p,gD\y0|e"VN)9@ &-4Um7&P.xƻصfIZ.Xt/t^T̞'ӧJ(؟YIw4mѕϕ#^67 G .WL18ihNo'4;31ܵrЏ25dRC ;:@@0Eitfg|ze3]e hoG'ni{ڨXƤkg86{mK?G\JE֍mnǓ5i=GRzeS8EˁA t4$<5l̈Z[ `ww3=X>E^w5}ZHkJN LTXHh=Z^j2b9||D8ꪗupbPO: HS97@A,/XWЌ;gּ=L3RO@Ge|8$"YCsv)UAf%A@x*MFAʫ-g[mw}-jdPhKM~Km]C(ӧ&<)ޢB @O[ =f"G6ޟ≁^{F\tÍ1ZbxO@U%\.! ChX\9^A%,:8 y1&VP:g(MbA~"/;7:c _h=0'fM3V_v#9_Rkvl n fb')67Jo+˕ւ0؏V59V :@]üBNWAKK WD*e6/ʶ"FzZ#@v(5Ak[t5,?|?Y!R㎽ ]>ڠv8 phye5+ 6h֫-IJΎSG4cp81 iN,_ {TN!;0j o).hݯJLdֻIPaS^An|CF1CjΞZ xw8/ M49ʹۃpP?sx|/EĬհ@fea7ң{:R~p'^݃hwj4GJ#QF#CVLt)Us?㳫f@Yͭ-}dG7Mhxs!B~6p^>! TN7ٺfjA?Up!_~N~̃}`vXܦ0jKY;*O2-^{}YQiH{7Qhvg; P l!\))|3oU܁l-Kʃz)gq6-Xe٣[Lsi}1b!d}NЛBOˋD@4\H'eZP#{'hnG$h %0 .~-mɬg!$X}X͗RҔ&隨4 Ubj| pjA')Px]R'J/dD~|52`!?xɆ)JQBt[g{UF "wQ75O Gfz ՑUv_Eu, WJ,zn9ݐt KMPBf5 $ܱwTܝR.d5x\=J9X,0:G|5ȐbxDD֙=LLg5p)㷿jTӆ]3kA|2 ~yMA;>EwahMz#q1= SlA.[Hgm U M 6pȪ !#) h8b:'vn!BäeG9lR5śT1i!@M/KT\ NC(}ڪcAJ, N)rHǾdԋ?{GбQpNԯ`%TiՒ^*  \0%Nד6;ٶH=CY2+Nc!̙+ٙ!7 "X9LbU#qВϊ M}OkS L0W~ KJ"ɕ2IwIvI*AS$gq=؆MJİK*mvNo溩df((ń@b"h}9Nl4^Ɇ Pr@l~_QpA >'V $/>g8iB~o\ }IIg5_{ld~WÎ}}KJpbApVkFi>rÖ;pmT*/F :!1_׉ݲAe'}. 
ˆxo 11ޗ!y ~:.ض@R'9in5Lqyk ?PSU}fD]GôY f?p96bkJw3Skvt1k g .8J0/z,,}NHe5bկ0<ޏ.L# Ң}2wmKђA9birCJǩe:KA<0iFMKI'͌~haΓ6a#cm _P XKCҊ램Cz PYV`!ȣ#!D hr)Qh$OJuݡy 3HLM@c@5}|?50Q7y{WQ|Z>xu|#ueJ#e?sz)l6R"ʏ~JAVʴ( 86@׮A,Yӊ/d2J(S*oWw{;`^+: 4e$vGol7UNX62rvWqL#st+ Y,&ޯB_s@ձYyxc>CbtT#:6k^Ǜv+ 3&bBwgGJ_2Z,ӏ=:3sZTf̞͝PFg~GPAF "Md11Svֽ BfB:}Ya*vvo%(Ɓd܁ͺBCŪk4x47Sw5@ G?:aG'EKc:eG2%(W:n+A _/SXHj-m1ia&+)p#ag1- @5# n\j ؔ]^L2~L&ylOwh86LƇߩм(?UiI<z&Co,xWsSg#>ֆ|K[SMjt܏~ev$+%{$ Jtw|$~~ыEqUVZLÂ֪*#_ih0inZ`Tuc9o&"t@\YzӍ%oxI%!٣@[Ug Q˰XK[X}7 eR8JL}w[t:oK,},}+D0 x 糖I湢wUhViG B8/F,dvJ>߬R.t_)Y!ݢ[;{jQ:nlߍS9gSᩌ>ФA%i3  [.q]}*ּio +wSduc0l J;IVLj.<=M=~0:JTL~)8v'ª| v'Wv^9MblX%19E:W+kg/,CfqH-ũ%є8Էpw#D?cwb u%i^2{w8sg3K1y Az gQaܛA q Xz&*Ȃ1"$ /G^Ԃ >}MI9T!{|~*?*]4B`*!FH\ʘei א EHgd9k!<;9kv:5U_!=VAZpMXً#݁.XIb72^ħ.ͰǙ:LJُ{ WzuιQ'p ~$d6 ksi#w ƿ,uҨQ Q気_g]w9SYm,|M*e]ۚEI`z+/x<0kU"!iʲ@i䪠Er4QXت`-R>CTZ߹g]fp8_Cqin!b4/[?("sXRD&^f1w2mҤwFu2_3I\bil(\$k\̆uµ=b1:p8ط재iw[aw?Q':Gc߫-x2q yu㟯6‰T~$g# iP=Eo1M|BE:6D_< >m5ڗȬ"*KbYv?Éo!-ލ!C5se!3n&Wn.?"w#gjcלcaˇv,z/;SOn5}@Lȸ#ĆYz:8.@Jk)Ϥ尒LꭹT"$kX@ї-nXՖv}Э?Y/:3njcxF)t22J>}]5#*K eQ8h r=Uǒq>v7cٔ.5 rC'<ǂD904"_\X%{H2-@`4FB6Th!"cKx(}F%nڝ]U`f]rYs5Q&“QA$w8Fl+> ߅$~5Z_[4Y"|-lTx47i(l{{24=ncj1QIǭ=1RTcQ>;0ՈxeG.AޱO~%nuo&+[b  nyor>2dof5K ~s*|Xۯ(m:7+nolLt.^t-VuuLπ>9pϥ;5f`"eb\ FB FݱÊ B[;J:#@llt3om+xVkĉK'b\'+;Wb>M` $Z֓KeJT/`n#x;בQS25E8W$~>N4:J HlWc%i̋ 9*~J$cQWC;t{;qy6s}8^(Ƅ-u:-Y0jѕ,xdk>1%,cQU*(@U?nH㻼èGxk$Y#3JcaJ8uf1b#yd;||IJ(\¤j±-N\yZ!Y#*ut=F)1@˵dʡ]5df _'׋5&~>D;'y2- Ԉ[!)WrtN.o : q=2a~>F"KL>Ůu1qubH-#S,N, IεBl ra?ȧبB;\j`̝SGJ¡AguBcUߨu^t:y.KIX!u)e{Z=- vxZTl)+|n$Uh (1GZKꦩj\Gk*^\yc -p@"e?e<:yDs~y8MqEY1ֺl Pve8?Yc$?6!TSz`yXS)KT RJj^?ƺlPUQ vN].7.V~nWKYetOThg]Z,eӻpȵ^.bJxaDHw\q=KRJS?r`c^jcAfRxQN-TKa vg~)ҾqQ#|ٳ1ך6 @?@5MTF}nXMظå"+P!|]T4VKͮ)/bͬL *Np2_:ګ^[-nBWKϞEF2W^.}M5ۄlu9RF`}u-ї$@; ﹲL4ƞj1}vͧ36\6薁 oݗ̬^/B*?zҲ,"Ԟ@@IP_. 
5dB.#H GGς v1hk䫲&Q=`ɛN1'[mlORKyڼp|iz)}'9ő60Npt.6QRɔ!*荢t*|mԖ~+P"~2ػs S?e~ MSI G_rPߠx){kԣ_e|tG6b/ֽY^p"*EG Àlq&Sѩ/WPx?&WYoOrcK &k1`cvvΦ~ >J+sj;*-47Uތ)i)-5@䩑xUARD\ o/z,v5UkBՉ=pJ)9 BıK/Mرru۷ZlF]9ucVj㶉Io,ܑH_[',{rKf"['ZL@nK?|8ItժX%`*BfY}.:C6Q^}Q<9c5FhnpT /gO9b8ھ}(og^r =QF &`=L@UaKvK?!#ww<@7+9c-J|\d3(6/AoIm}P:`f; N"coaת+Rfw,%ZN$PU+S]jrV4Yw7gA%SSt &E|W.MϜᘪl 0|^5)#ǽ Րt: w܆xo[EҜYML[SLW };Ezǀb'Oqq._[aiL{{gCfw`c꒕s5eR:NvO-A(YW`f # (t>bZR f|{%5Zb t;RVn! ]ʿ @.olH%ese9U3v vO ɨ~|UZ4L5"XS 5SL8n 97sl5|rMҋU3=&"nyW 9wv#O(REX|4ۧugfjp3C;rZH3'J Vfo^QހA([/66RL΄B`LwVkiHՋв Es5 n??ꐉEnm5$z 6DX]*hZ7 "o'sO|Юl4{4F韈ru$T8q,ۑ9k3%ֆޑO+ %¬qݶ<s=KqӜ{f@N:Si7n?B%]ՕϨx7Fkm׶ GeT=&@iVJCpvs: r?75Gr C&X* a`Je} PCKPjoNX?Xvjw?ECDaסAˬ?6x}{'e$c1p-\o<`gz3T+f?hk0lE䘺K缞U;B0Wq%[^kɜYϮ\"ˮIA>Xo:DQ/H0.LĄ)͟kSz9-ĪQFr%tc9n"܊T}9W-0&%C4/\!'ky Je}ݾ T:Ehv}!4$hR6,c"b fgA6~5tޟrc+QpDR2$3 R'ieh Y").;z_Z-M$q@+O(ְ5mʈjBj #diH4z9&ynK614JYN6v,= r) f٩2K~& &d\Q[c4Qb ّO?ddE.hVP og7;N_/rnG֗UqUԆq0։z7f_Hz[VQnMɟ;u&M_FöE:u=x57]#R|(Ac5/0xFfڭłBYm#¦nڬ'~0|?Rkd LdDy<37o .z;(NE7Xk:s!GƲנQEBF o!PfxϽJ^=s'6x'=Xu}q[ )/ܿ[vrfTS TbX6-zVW-k=7PHDN9} k(h5wFڐoH|ꡰ;I1"mAA ܆y:P3v`Cl ~^ÀL1S.I?bO:쓍 'RO=ho(rvRJBBGQќ (  J!)Oyi\J=YCA]o!([g E]_O#>zGaG{n9c 0asu+}wʿ{"Pݷzu7] Q=ĥCgFQՖm`-r. B;ܽNp=58,] p*biu]G„ۭK CǁgAgEz0?̚ܢ*9eJkh>k/"P үJdvxS4,U'rfT[p:.Nn!m~Տ#p >}sUR]fQ#c8C^H:ژ$Vo^[KiEnK(Z`"!l@'9l)%#}ZJn^i1(rbydsP`g.kq c#~)%f}^EYWYTM\(mAi PW2v^%Fhμ[g뫙<_@E+Գ Q]Nl՟`*>!eJk-qB<$tKk#æ j4Ws_.gzlZ77]L`oQ>^4蠇S v~Iuw*eeB/\XX>MVL ld6SdTZFuURh v@5`iqi<45A_wwDqhfIH"ء5Q3ڧȲhȵdVRLJSMѭALxu\Um&O%32)6sT }$^X:$|#ؿye`۵ Y$>3_%x5cj| qN?}=dhN<闷սyrp3?{2"$MS'cC? 
zAzq(xTҊb&.;穕qOB@qd<Uh[RL@j={.So*2D_Shۼޞ#aHEu$Yl͌Mpv,rdsNuG"xfw9K 'ٞ=Xϴ ikظ4O}nb[3Od\DQE9 `ݳmWLXYfu2i d$3혁j4#Up'.=KꯃvM0K}Z,î%P: 'HP7q~cJ .JH_u i*B-a_r|`]l-Jll|vH#55K# 5z !y!!?`j~ `_`备<Cht"- 2  ^8܀(@2a?g$'.^P4TKͷh\gpZ- I'`fj JPEn]5,Qǡ@A謩V%N䏊CdjkJdj 2.xK ^S Ӂ^%VSD#vW%}lwFAV; whhHp8q)sKYh5-Q(Cg6rH(bZ7Ĉ>nj݌<^-t24mG}c};ޞֽ8:^;Qfd==L^&] 2l+iC>2q~d5>^4lhIs b>w+\$qɦs=jrp9||~Q=o">1}ߎ%I0שѨx4E0ˍx CXc,3YV.<:m&I͎:M{SJfoݗ,?C+{uL tcFI-㨸/\½3RXJ%>(2rYq,F0b?,t7`H zphIq>7TsFg`4BH: X1xwt&Deㅫ ^̂pL%O4- c.b5V@;C5aIѲ2ww0b]sՊvJzmZ^ 7Ĝ>; |a8X [ @ZZ{־1Nv CQHERIsv5W-8pA={Z |umlj Cf~hkS6xI^]RxB*GI"ua]g . ɂTW#8?N4VЂB+Br̫bJIn giwK}6҂^gjՠ*}=q9~fRHG)l:..,kߥ-n:*`Rp|?5壟qTz=+p24pjz±µ"#:B'"0h3>hXhP1RC _)`~@Lp{QJw[lf$}BG|]UėbȨ,:X%\ȶчvϚ7'QWj0wʰRJɄ}.%øsX5GYts&~+MئwY4gaցoʪ-Kh}vcnpqZQUOZX e#7'݋r)jLa0=^Qly1q՟ńvGđ432  t&!XpDD1jRgӤoR-_?A|<0;OgČl,݃a|Htg/(ZЗajP䒸+jDIH<+?쐿!XAhSyېG$N'nl.GG`zt$Laе]-*,2KM2{l*$8ʳw Vu5F¬nTFH2G v<Mk'3U'l vD8Xtt> jpD(\vb"ǒ@CrU{7󫰅-hT;oA$Lڦ4X5ݱ v82aY&0\ vq(,|8dr\ңpBu 1El Nj!DkIb&y p!I^1.$+)[DAuz`ug8W32<$!3FjhUA4 ݌AŘ6Wԗ sq]c+T H ˷Lxbl|ȼ D2%-&ا$M,@#[p4n۪s̠dέY9Mcض2ɨPwc(v>;Y;&D9lF:] | YJw:$(v~XņZͲYi%ͬZ. ]_>Uys_#ܼ|3 .|'W4ݾd.wGUg^hLw+?5ob-2%[j5sGy's+j}\@XÏd9kv5˝}ԹD/QU ?`䊹5|4HjUi <J.ݟyw!t/m-{7hV8\ےr#-x_*U,~˝`DK*!eIfa#|KLyt2pά˕9GW @XD3eY^ݣ/O &_#blͭ O G@zv;k3wƚL|&ң\$I$f|SŜ:0=ZQA@jmuغʉ am"ӅUqTVS{ `M0{% {Ӛ,:v`jVR(u1uDxRr~>6tiS=:o-PzT<0tv3}ܛ;,7YUx,^-€|)Q#ucz5qn@Ćs|[2f kEkԭ#'QGvA[DQ xᗗq n! OV0| F4{lrw壱 ֦u9dq{on cn)A)M?bt@}vEr90tRG mdҒʶL𫽃şdjq܍f !qL\a"= x,LWC)S sYVM.yhN`Xb8N鈈P<9$}9(nKt@!io_OK]6ƻK /T&(Q,oX}2(Q9H()F/_KC=@Ǯwd7Iw{߼BL1A1r- ʪçHrwmn-hT!pc„"YӷU1ҝꬩĨ%BM Zk׼7{ viR0bKo0gt&xpѷ' ,okO]>CN.5)zcA"|At9ܙfdvBNGn cf cYVƬJȉԩ_V-{N a7Ɉv؟ԯxb/0M$R4v~;<*@QC* HUAHEïI7G;m$zQ4AVK׶0Ei#4qB+"*Vˎ%t' M>WH:oԆh=j Or.ߢyI\fb+ VZiź [10ک+I`\Y#ڼ_v(٪!#B~0h߯g0|OS+WOIcb L Zq\'@|"EWA5U7,2dpAy)5s1o)50VA6d?h:ЕY+W]URideGT=@U>5Gkh+3FV4ahF(A/d0CxWnPz㶥x5T b̆zR9w@U,y C;$8!Ul̑LʻXdʻj5e'ɐd!K7Cyk0>o2azQsIbo&$KH/Ueѯyb FݟV. 