sssd-ad-1.13.0-40.el7_2.9$>4G^ӕxM>>;Fl?F\d   8 &:X^h    C Lh8ELE 5E   ( 8 z9z:Y\zG?(H?DI?`X?lY?|\?]?^@b@dAaeAffAilAktAuAvAwDxDyDaFXCsssd-ad1.13.040.el7_2.9The AD back end of the SSSDProvides the Active Directory back end that the SSSD can utilize to fetch identity data from and authenticate against an Active Directory server.Wl1[worker1.bsys.centos.orgCentOSGPLv3+CentOS BuildSystem Applications/Systemhttp://fedorahosted.org/sssd/linuxx86_640K%3A큤Wl1IWl1IWl1IWl1ZUӏWl1M>M2@MMzMx@Mj - 1.13.0-40.9Jakub Hrozek - 1.13.0-40.8Jakub Hrozek - 1.13.0-40.7Jakub Hrozek - 1.13.0-40.6Jakub Hrozek - 1.13.0-40.5Jakub Hrozek - 1.13.0-40.4Jakub Hrozek - 1.13.0-40.3Jakub Hrozek - 1.13.0-40.2Jakub Hrozek - 1.13.0-40.1Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 1.12.2-58.3Jakub Hrozek - 1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 1.11.2-52Jakub Hrozek - 1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Resolves: rhbz#1339509 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1339258 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.- Resolves: rhbz#1339207 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups- Resolves: rhbz#1337292 - In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD.- Resolves: rhbz#1336836 - IPA provider crashes if a netgroup from a trusted domain is requested- Resolves: rhbz#1324442 - sssd be memory leak in sssd's memberof plugin - More patches from upstream related to the memory leak- Resolves: rhbz#1324442 - sssd be memory leak in sssd's memberof plugin- Resolves: rhbz#1311569 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17 (File exists)- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.- Resolves: rhbz#1267836 - PAM responder crashed if user was not set- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Fix a Coverity warning in dyndns code - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1263735 - Could not resolve AD user from root domain- Remove -d from sss_override manpage - Related: rhbz#1259512 - sss_override : The local override user is not found- Patches required for better handling of failover with one-way trusts - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users- Resolves: rhbz#1259512 - sss_override : The local override user is not found- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help- Resolves: rhbz#1254518 - Fix crash in nss responder- Support import/export for local overrides - Support FQDNs for local overrides - Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes- Resolves: rhbz#1250415 - sssd: p11_child hardening- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected- Fix wildcard_limit=0 - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Fix race condition in invalidating the memory cache - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled- Bump release number - Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- Fix missing dependency of sssd-tools - Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- More memory cache related fixes - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Remove binary blob from SC patches as patch(1) can't handle those - Related: rhbz#854396 - [RFE] Support for smart cards- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*- Fix memory cache integration tests - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups - Resolves: rhbz#854396 - [RFE] Support for smart cards- Remove OTP from PAM stack correctly - Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Handle sssd-owned keytabs when sssd runs as root - Related: rhbz#1205144 - RFE: Support one-way trusts for IPA- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on individual clients- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support - Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2- Add support for InfoPipe wildcard requests - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Also package the initgr memcache - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Rebase to 1.13.0 upstream - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Don't default to SSSD user - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Related: rhbz#1205554 - Rebase SSSD to 1.13.x - GPO default should be permissve- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x - Relax the libldb requirement - Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21 - Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs - Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust - Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers - Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains - Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups - Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set - Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides - Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution - Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work - Resolves: rhbz#1214337 - Overrides with --login work in second attempt - Resolves: rhbz#1212489 - Disable the cleanup task by default - Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf - Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one - Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected - Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all - Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface - Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain - Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys - Resolves: rhbz#1204203 - sssd crashes intermittently - Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default - Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only - Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries - Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything - Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query - Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects - Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name? - Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error - Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD - Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set - Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires - Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option - Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID- Filter out domain-local groups during AD initgroups operation - Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Initialize variable in the views code in one success and one failure path - Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Handle case where there is no default and no rules - Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u- Set a pointer in ldap_child to NULL to avoid warnings - Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Run the restart in sssd-common posttrans - Explicitly require libwbclient - Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Fix endianess bug in fill_id() - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view- Resolves: rhbz#1184982 - Need to set different umask in selinux_child- Bump the release number - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Add a patch dependency - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Process ghost members only once - Fix processing of universal groups with members from different domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved- Handle GID override in MPG domains - Handle views with mixed-case domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Open socket to the PAC responder in krb5_child before dropping root - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD- Resolves: rhbz#889206 - On clock skew sssd returns system error- Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used - Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Resolves: rhbz#1171215 - Crash in function get_object_from_cache - Resolves: rhbz#1171383 - getent fails for posix group with AD users after login - Resolves: rhbz#1171382 - getent of AD universal group fails after group users login - Resolves: rhbz#1170300 - Access is not rejected for disabled domain - Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode - Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear - Related: rhbz#1113783 - sssd should run under unprivileged user- Rebuild to add several forgotten Patch entries - Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Remove Coverity warnings in krb5_child code - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Don't error out on chpass with OTPs - Related: rhbz#1109756 - Rebase SSSD to 1.12- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users - Enable running unit tests without cmocka - Related: rhbz#1113783 - sssd should run under unprivileged user- krb5_child and ldap_child do not call Kerberos calls as root - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware- Fix typo in libwbclient-devel alternatives invocation - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.- Handle migrating clients between views - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Use alternatives for libwbclient - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression- Add an option that describes where to put generated krb5 files to - Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12- Handle IPA group names returned from the extop plugin - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete- Support views for IPA users - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Update man page to clarify TGs should be disabled with a custom search base - Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Use upstreamed patches for the rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Resolves: rhbz#1162480 - dereferencing failure against openldap server- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1113783 - sssd should run under unprivileged user- Fix two regressions in the new selinux_child process - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1132365 - Remove password from the PAM stack if OTP is used- Include the ldap_child and selinux_child patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Support overriding SSH public keys with views - Support extended attributes via the extop plugin - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving - Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times- Include the responder and packaging patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Amend the sssd-ldap man page with info about lockout setup - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD - Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server - Related: rhbz#1109756 - Rebase SSSD to 1.12- Add the low-level server changes for running as unprivileged user - Package the libsss_semange library needed for SELinux label changes - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Use libsemanage for SELinux label changes - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Rebase SSSD to 1.12.2 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Sync with upstream - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebuild against ding-libs with fixed SONAME - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.1 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Require ldb 2.1.17 - Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer- Fix fully qualified IFP lookups - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.0 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Squash in upstream review comments about the PAC patch - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Backport a patch to allow krb5-utils-test to run as root - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Fix a DEBUG message, backport two related fixes - Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success- Resolves: rhbz#1078840 - Error during password change- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider- Fix idmap documentation - Bump idmap version info - Related: rhbz#1067361 - Check IPA idranges before saving them to the cache- Pull some follow up man page fixes from upstream - Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does. - Use the right domain for AD site resolution - Related: rhbz#743503 - [RFE] sssd should support DNS sites- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin- Mass rebuild 2014-01-24- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed. - Fix a typo in the man page - Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain - Fix return value when searching for AD domain flat names - Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword. - Fix two memory leaks in the PAC responder (Related: rhbz#991065)- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup- Resolves: rhbz#1049533 - Group membership lookup issue- Mass rebuild 2013-12-27- Resolves: rhbz#894068 - sss_cache doesn't support subdomains- Re-initialize subdomains after provider startup - Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- The AD provider is able to resolve group memberships for groups with Global and Universal scope - Related: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog- Resolves: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog - Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"- Resolves: rhbz#1037936 - sssd_be crashes occasionally- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains- Resolves: rhbz#1033084 - sssd_be segfaults if empty grop is resolved using ad_matching_rule- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- Skip netgroups that don't provide well-formed triplets - Related: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 - Resolves: rhbz#991065- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash - Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 - Resolves: rhbz#991065 - Rebase SSSD to 1.11.0- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 - Resolves: rhbz#991065- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 - Related: rhbz#991065- Resolves: #906427 - Do not use lib64 in specfile for the nss and pam libraries- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting- Apply several important fixes from upstream 1.10 branch - Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- Remove libcmocka dependency- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doensn't carry any older krb5-libs version- Enable hardened build for RHEL7- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath insted of mcachepath macro to be consistent with upsteam spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. - Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested tar get is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstreeam spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predicatable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. - Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. - Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. - Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. (Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)uk1.13.0-40.el7_2.91.13.0-40.el7_2.9libsss_ad.solibsss_ad_common.sogpo_childsssd-ad-1.13.0COPYINGsssd-ad.5.gzsssd-ad.5.gz/usr/lib64/sssd//usr/libexec/sssd//usr/share/doc//usr/share/doc/sssd-ad-1.13.0//usr/share/man/man5//usr/share/man/uk/man5/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericdrpmxz2x86_64-redhat-linux-gnuELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=fdc14b49f2dbf6c0cf4a0eedbe169a92ea0edbe4, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=3e55d81be00be98a82b3f80e2a866865f9005253, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=663e05e80f00a72178e4683a27e25a2cfa751ffe, strippeddirectoryPascal source, ASCII texttroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, from Unix, max compression)troff or preprocessor input, UTF-8 Unicode text, with very long lines (gzip compressed data, from Unix, max compression)9J9PRR R;R8R%RRRRRRR2R(RRR'R)R4R5R"RR RRRR&RRRR9RR.R:R-R/R,R+RRR!R RR$R7R0R6R3RR RRR R1R RR@PRR;R8RRRRRRR'R:R7R)R RR@R#RR RRRRRR8R*R0R6R7R"R RRR&RR)R RR@?P7zXZ !PH6ሕ]"k%w+p}zK抯ütkUL ;lGm) ?i?Wsu7#4o kǾP*2nѐ_[O.T 0X07)Hc IY-WREo:$GekکEԜ#qô+ hj5_<I#{g +ۅ U" /Y^1QXq&U?nEcV?^0ߍ:]t( :W`_;ܝg@RYrdfQT0-[5۴J̥Mo;”jqrPݵ`9~{N6z˳u^ʼ3yZp.%QZ\2o"rf<;ȕ+r`w -UQJGJjɗXx ϡqR"0@afJ$.?]ރMF+ w)Hdx$אF2g:Cln٬1wj\#H:Jk9^aup<|уX l ' !;U)Z*y'uS㢳䋪ˣ٢űi(,FمZz} =Õ)&Õϔ@W|Qd_^z?T2z53쥻OJR#Su<#,Vлl#q;Ӆ&QF hKȃ>>(i|2 $ֲo@:W?K.zvk!CćyYy-gjo1f a;$AX<@&dQ*`;6abl4ΡN^@֚ypDSt O_,QKdED0ěOH1a<̰;E'Caƶco)PG>Q@{J2qԛg7a$/0:tQ"O {ČisMζףc83Yc QQ{S`h/~vu?*)[zDQfUZR+13G*K'_6\8*Bj,X)5BC #཈rB/':K(:.~Lj/?ZMۦ1H/Cǰlz*" 1GUpiFD-N2 D^FFj ̖"tDuHx.ɜYx BF_1fK'[R9xw}7&wU|o'%AMtÚg޵1Pre[EJzP5f9cXky'{# cDFz=Fڎ*O NΪ؄zS2~@@CR 9nT徽)@V6efF3FA6*!^jubH$5O%y=,*YO;j\v&msaUgf'1w(&RΨ!\^ 4>O^((PrŢbFmneTyIwaڣ9\C\l[{qñ&.[z5}UXh B MzZ,Va/EY? C4!֬_5Ps$!mLMNZ8_qKlo:I-Ԁ:8ked`4R>W0y;bmH;G/qdADvm镲ݴCҕtW,T*#v۾s;,hA"E[f.{gϬˊ=e2NB7Gvne0uC9ܿ=p +j҉bJn<5䏛gwiU^mq/DX6 }B4dqe6o*'LT]VBͧqK6n:cڲXڵ:vr&ȽOX+_] 3|U%v٣}aC@ QpR¤cflwe.u=%[[Y]<&"0Gf b(3layluV X-(QPBx /]MԠ3p :('ŚnU۔u#aJ4ĉp@:.I Z|*p͂)gwygݢqC\`@H9n֌yKM3F"'uÔEzT;.;h~ '"sCث<ҙ?dcų4kaChE -־8UD!L<[W }bfB@ bmlXDk ύK߾Ua3 :> |> IS7M.^S)Uo Xׇg ju@@JZrʫ{ܤ0SX`hq[g>4A>{9m">dq'k"{~ٶv-Ejp2V/!fz%Д]pPK%0Y#wפ=+xmj{j-(.ȎmWa߮ZI&؅s֎TrdOrn۽z2l9N;ݵ I8е0þ- h߼Ϩ9F!Ck$e);޴Sez. sTyLjxd‚$sw`d||5f)tڤzA Ѧ]Q-K8Gv\50Pßnաy9KP]ZY9svB~.):T#5k%b[9>$Wth+"_7sNp/õfHJF>ouGT3f)̢: 37BaD2џWWͶ~hdY9^ ƄH,_fF\!` f~ +hަ pWufsz0T_B/qL!{-sU[\J AaȓhmftmK2|h'4+ݐ;hцY$am˃UXh/v 3kI-r_Aw:V@IIE˄ӌ̑rR[ ?7`2}Rp ]J_=1w<|D7ܲg@Ò u7EŤ"m.q]g>}^oB ?#g9FFF& KYUbǘQ-Oq }r;8erڸשApr 7Nm+mޓ8Nb3B/N;%]O>:.<(j vi':y֞h6`8Ѿ PA n@?}r$UL.l fE9[Nq_#8 ٌB??8۰Z4Ltه #=HE)UMN 9ost-L%A8۠Azmϙ˚*/EH b7BIfVsF*#Ү`+LcrjS䯪HcsUh4Ӟ/7V%NMyfdz; iتoE&5]Bxή' VfWV^t|gȡoIM !(LQ:;Ʉ>W+L!x% AN M:pHƥvϨq HJXaeɯ/v䕆h_;a|6&?->$8`x7LiDEO g*œ_'.:> aiO&+ȺSV0V] q)oTj- l%V)\n2|ƼcN*S*`_s̏DCZMi JM _< -A%8co8"ťa}QB:(91jLYVYvhH|X/ΜI2~[Pa(3yt=clU*WatF3 cgTt~A(u4 S:D>稆g`֋KQ?>ƃ賉hwi9uU{RFOm˨+;!x-F@zHRݑja(dZLmvs)0XE- 'Nz4hn^)K+&=EsHzLІ.Ў%8:`E^Р. /?Z_ &KVp1-S:WYaЕ;;>//,pga?] _(s6K)PL E߾oyJm}{9ܫFl?׮0 &1iJf̍d| k}x m`Pm|UNQ#%do|/ycJF뽼OW)=*mH!yn c? b&nǗO̴>/d㽕Tг҄ ѵ7_di x4}DAD w>3%^_x,B PT#}rhz *WlL8xBiLBvɟK$3 /g3UTniGG:%pe)*UOxd58ĕeD15S 'ZJ%HeVfF)2BH6]ŌK=jyɾBSɾi@hGlp3v`Z {Q2M7]9 LwBx'b-zނ.̄ӵDžDq-лEH4)[|}[d'nbg) oH$=Q N%6WryO@.PZYekRx^#Kź4&㼡i$.#ƅ=5K> ?*5Iy4-ԾB.jbxcD9КӠ.6 , jGTLmFXasۉIRfѬбepsnuFzAŠ BIrFT`}k MGM$(?Z#lZ팭 =۲qF^y60;%wA Ňbo5:bf>R_ l(Can$ˉ,'%+Scl OMׇ#V=RȻYὔjls1I,= 0vBUև԰Qc[F&|ګ߬лT-/ Br*!I:^S8sE"#x`~~N(=v 9jη7&8]oSRtPS6'?]Rynevr!?^qoa,i T˙吃d?/.XXi`-ELX*IMo[݌>6pş 0zw'קtQbe+AX; ZkOBd. !f\fLP;́ڃZdj)1aبKgei٬ZE+6/G҇8mɰ|J/6A-ӸYڒ /VJ%s$( <ڶTsA Yť\P|}i!dGM gt({u) wVGg;D;jJ~]ap0?L*iFal@'1O}}3 IR[FlTأL9Im8=?O8ͶqLՙ^Yo=:K撚c)e&Z$D ~;cNEz\;*%𞝛3GBT5ܷk?\ fSfRg:~]XUۂ.[@j@j{CV=[V,4q{k)>IFs_'EѵATuii2CQ詹!4Sc3`R+F!' a aˬHvi\e=O".Ic8`]zghfpT E:/Ш}8\OʊPAo;M)0k{ٕSz X ~ʫJ:i fLQߖ~5TywBJP#6N~?Bmȋnr~ 4JOT'cG?dkuR >ADДMk:Л Z3hүR9|Tݫc8P zZǧtQY`\J:m'zC-n/wm~*+<`?%&Ku9*9H,>Ȃ&X r,ҤVЫŨ~b+){.6lth)ЎƽUzD :V%vjȈVЛ̯?1Ѧy]1÷ZiDVY+M$A#/W{}(Ti 0b0@>kIIe3=S,hD)fKUar&,Y4Ѣ1(sXJJoȫRgΫHf(@ˀS=eCCӓ9i#+!Fg&ګe$'(\x/$ E u8$s`ؙ!Jkᱰ1AdwAW9"E.Ī# e· NX~jp6Gri{Qs?I Ӑ D=Y7dV/.LBOO_f7d)ېojIbK겠Gj]={5=vm\䅲broUh}483&C$"SĖf+Aa(Եӝ&L2xXlRKF!obݍljdwBoXfi7Sd,3QB5Y f6}NH'`q\١9nA&szxTɴ'KzH<Qp BaC&CtaT2,<$,֚o'bLΡN߀>mSjLُc(ii |%qlObU]ka|tX i,ZaySa~QqѨ 3҇Y>h,=0t+{=_yZ8I(.V" /TLi&oy`b8%*+zQt|B-}_D+椕w{M1}a_By LJJvx?d"Pi'xr@eUuwf9I/*N?[v톚U9"@P }+C}~XCS9zAIfP%~ot0O鋽$Bhl kNL\ńWvŖpM !LRzSu:z˺n>%w-:,봔wۛe>RTh "h)+z  |d[51%ǫ/從̖zgj,w5z8?7ܧNvdII$S{0- xz1 ;κ.ZKРqu\ByjSp6da;2%ܬd3 JQAX6@ޮO/.\fdҺd]2s@:m2_}^>*P2&oٞXDps6̓潼ͪĐA{,U#c>.a{Y?ģ2K6;;)9}0`Y;a\+BM:ח4ԮLFӨ~T !Wo  eWu,+M3a")ZڔFdqj8կqŠj OT ;=n p=PV q0Q-V9pHv&#?twSc Zn @ ܴMjȬuֲfӱ'N6,fL Kջ/"&2߇o`a%pL+`θ< VWv z !lR Ђ1[TkrbrFV'aG14J0C-j${rӢUm$l'\̲rxGj9< p35><[f&Y ;WUjw, RgR?;\rː?0LxxglvflD  mrn)IU60QCOT4pٶ`p vil^<8c[EUb5>*c@| (s!xk u[@BO]d0Ӈ\HQ ҏ:a DFj[FP;~ %tg]~'B_>g5WK;va*gZQ@s~}u3AN0Ez-C5$PYwJ&J"v *_S7Qs XGFs ٛBKϚ .E-,P-o?&E{FV% a\}yq@]H)-Ҙ%u?+gF5c X$,9C|G!B;gz;ŝePn&5}?4s65ehep¿ rZtdgO%"4xvN{ޝڮ|S wn%4 Z,VQN>| $bXS`b(gwyKw I agTh`b8*|"  bs7*spLAN(۔!Ց=;U ?}CЦ6P۫eBD I|uni}@.u:՝/Žd#2Z L|zLPAj8~1f[K+Jh MPݵSrQ 1a>/FZLv?گ(y;<ڮʨyPIIxykN3T`B ' -CW88=ܸ2D#qZ4%,F*Õ*nb8 bʉ48;R#z[+@hƇ6):=ZBt7Tq}ć]kxrVY:;lǤtg;r vF 3CrIDӣoTU͠Ovvp%'r[Q -֬1 OHsM%MS2~t x먬^#ZVV+=P|Smȸni(O4 H(L39j>51c!h+䮝z; {m۽+؆RFEO-W54[c[-!V9m$4bMh@zL# L__Bp9Uz\dҠ; P^1*QpUG:O.n;\? |d hȴ= TI-k㵞% LNZ=ĩlld=ȟћz; 7IB"_\25T$ ~`Ñ[;3֏5!ͤa}2=f+2|M? e \Ep伷RVE3ן^Me9h*lX1 fA BZ&d̡]ٲ5C+R](/hOgg {_ҡf:ӈ m\pz7M.@ԏPz:&@g PņXߍш:6)3g%xdˍiٚ'L+"vlZ' V6ʀM5gv@GׅgsZz 1jLJM=rG3qkM@aٛs ~Ѩ!00eGx6 2 2i#CӳrO[1o{,N6| $tLEȺNVs!JJK0p > s G(M'*wDL7n{WyS@,eu{2V$b%>`#Gj Fb_ߣ=Ϊ%/_⶝av&>RfxCpj}?SRk<*|6B<`Z̀e!H&*O!ژ۽~@ZKR]—O劒L猹~B$T3^ )]bCMk- +{A9[@&+&\q =!eճ<ҁm$U,pŇx<шqg-nhW:ּOCt3.C#zOvjw?./' #.T3QVJ.B!bMkz=Za_7*->O\`li| }ic0mMbvZ$}c#RO UOﱥP&zv 9lZV$ZB>LÜ? Jb. 9yQ:'P[ک)?Si"%{ Vz ë́JmHد\ek&ehXJ?{O=^ukљ|[*(G cļl1OcU4 :%,3g{+*">n-lV£4b\j D{/1/9X.5kHCɜqC㏯Rj>Q$cp/^ØbǻZ^;:Z2ՂW4b('8Vxɳ>Ynܾ954g|VHؾA& wrlf& o__.,V<[leH#2foQjs ߏ}I!PdQ1нRȳ@p6ž'YɰnQoFBtp. 3b@(D=خ.2#3ju5ke?1h0o}&lE2g40Q?PsflLc R)Tq%{*vXƨ'y}@AfȌ|^Gaߩ[< lh0'{5t{R{%*E!o9Y(oh*N:2Y6Qi^pVvh"dKd|0y;01ƛtvhQ#2ċCTIpsBtjj;9"Xߝ ;@|t.*pX8>p340̇5dpw9;KtQ޵u+}.KˬTЖ5AFm#Z{ܾSSARg F QtK,K;!T*H+="̴S/ ƔCR `+i_?/4[q@o{<ХpdS[ # =ҝ, )rt ;*"bF 2LFM/ʒk+ Zqb]ȍ cn# E:؝QK41 q"h%@\e NQ8:ޭ(t~!qh8SERrCpB A Zhѯ#j ??IlsM#SefzCy )q)նj|36 _Z}H=漈dH x{E1ݰ" T YW KJ배v ptvʓ&p~3{ܝzF"8͚R)YJ[E)3nIIyKP3n ?=XaTOfh=}%~%Vt14>`flLoQcδy=vm"RTC WۓKufg/|+n+hOKAHR<ΦARLYH6Pj؄Q#` {P8/~߈l!Ÿ:~HuC4κؼ;i t7E0/7롍k;ħ,PxHĤBq,/ύ܈!F'LoX6;(>E ooj2 V6)B^=ulOӎ,O i^x]m'gݱq_W 'Hϴ?DbNtVb{yP#O_4QCnu4n N:~r[wByCb2-1&QfӘjwjd(='Ǧk~۾Yޘȃ=_2M^Pи xCjGIªlON/{ VyT}+6a+Ak=m1iT8%T6PmWB%g13UI$HëOyBuE5RS^}j" Jq>:O݄M=MC^J-YÆdg~9?GgWd*04 A]Dbe+B&˝]j?IUPljH÷6BdFU U!:TdP!r:{raȉg~hd~ 2א_|EkeU;\S괻b:0[:k<BݳX+/zo:6L S(|Jmrx"~49͂dw'=XͧL3quF ApEbAYW+ђn:TqL/#+kٵz(bO20z0UDr9KCkֹVQc0{<5ǚ(IlMDTFRH݇Eߡ⭒.ʆǰSK`۶mH:v'<ӤG׊l~$ҚCqDoj7񔆕sq(t )J-+& FG|{{)mkbƻShV?\z7g΀ 0Zġg(spYS'?7w8hQsL~\=Je13嫑4&77.MW tb)u&nrݛݰC 1i$ u0"1|t>i{TVVd 66є{fuKrwc&?Jkֵ)A7byP‹^G@^1Z+ &R] kz'E0>]/RKM[K% ?ʍQmVfOLdmZ ݴ"n*n>h\Yz]ߒ>C{)e܁,QVlKVJ{2wڷ}@ 1>Ɨ1o&d,t4PaL-<4rwsLkW0kJU%rn2ā{~vRӄ˪ɺOv9 "jWILZZaoc RLVɫc+,y| )~ w,up֕_"}>ҡȓy=yȏvLqͽ.FOLx~ťٙ|y<{[VXS%{ըizU`C ұ jECe)dgY8=YtX8o :GG q^Z4+rZqWJ">!c)TɉtsSMEHJݾ][{P@3/J ?jNxƒOQe}W:y"h#S*vn,x w;7jrޓshVhJ[6Xɖle-G)xEÄ" Hpʝ!`L]?I#]^YδQ\ɺH  FHKƖ8D vZKu,*~|bְi؋7Ok;4҅ ;6$)эLHGRU(ɳӑ,߇؄|:O}GL r-nw#ٰ)iLjsl%_Ϯld ?pyӛ#4,^Py`6.\1A)bxkwc` wU<@])E*̋dBC+^̭t]Ep^LVt#5RF]RL_j>0P~}ag6ʲj8 ., #DCFƍ[ 4wVy- α]VkARXoXe3nF=x5RS|Vh!0'G$)K^S٧lFMN)\nE)X Jf&hݪazp(~|"6Tc=]"Ƶ {pSxw7G6zr'ވ"I•-/4^aʝh;jGv< zD[4,5>1z =rK"/G^!Y`T29:$hKd,`3ҸUHdhRg;Ͷ~e%m6q"!x ZFw'?2_OI&Y5:/[V-"?6wQ4kƉI%:+g,VUk %JZ5 \t3J={ 'l2KV47g`OD(/?hwhwsy-<{+!W^ƂBUP=Kr0uȟƛXʐ$2\8b wڊUS[ul􁏏5h"{zv 3DU`=5?X,WyFĮA惌!t&bQT@(S~WX{ExW5&fzbZ43A["9)-zӚ-:s6}S|,*!.BDιKl:eڵ q|r|xa<;(X @q=u[J5Sҭ<=,@)I="t/tt?NOC@,4&d7 ^(<~ 6knLKT1A-E%_~{^ sN g#bo!)>X&*,d,v6u;/y8qUuHNVpT8e1'pv}\{9{s \=nBcs3=m,3P֥n%a ^kdFҒԇV<m .y8G#h}LdK79 -Wtjl7ؠݗ +iA^2cq#5i=jeF42hm`&鱣s{+ ٓG_[;R .BCT.Mmeڣ01Ee>g p(im|&t-U}7 W\\4y;[zsghaByfz:{Q|)k"qj|@`@;HX0F%9x>9wlhQ,>t -F%d\of`WZ)EFM/bej$/ɝ2,vlɛ}Y{LkN )3/o3fWqI:vOB ӱ MGv)lV8LGQNv)]或C֎?'dEˎSTlQ>ȱqØ6QJ/UQMDP`@G7 5hCCl9\&G / q Щy4ogtRH%SfPgP#E8#hDeenyc~J_uA0z]euoXד`[+ y.\=CAɨc'3"RFxV@d"-nn5EEU@P\l^Q(nh%*A8.]ڝ1N:qQ#A"G|$Ofmѕ S{A(kbl0K?ƹ+g̾ N˾/oOFGYxSfB-jvP}hXt"Zdli6}وw6J+l\qM/ڒ˔uX( {M:A6qX#^Vd<@+g^pHq!w?Pc)\[l=pyqg@dXpH:T[@4܎H'AZ+5&&vX@#3xO->;|Yt! "hJ툙}:~95eɦki2TfҸIgդ^I)7 #= ׶mBNBӐcfH)2yFd{ ɻY2|]IWVFE}f[9~Jqvώ6\5ztI0$SyirsùV6-i$ d+bBRxE1,ή0Erh|%اjYWCAֈcW\? }R-̥z‘ZDc(ɵ;7Nը$_8c= ]5Pj푐^$sV{Hj jcBYTWBV8NSH5#]Jӫ25E+닛RƱˆ.e[^|%Ƣi'堭ERU{)YdGl{#mD+N6KNJw߇ :WDPj9nu ;T:Od+Nu4 4lm.K$nʋq~mijo:[ly dWάwhs&Ħpexձ<$3"GḥfDçU:dJ)Mmxi15EO4eR=sk 1dGHˇ;/A+W<&w|)f, ՉKS8ffѺ$b3[dbVhcӬk2t_URFxPBaҜ:gd-h&S'NoKݞBpBY;=WJ4@,”VcR{7}if-xy׮*ϻ!1"c ?+ ,|yZ(VH ۫di0PX~\ b]Dt/58JR|`81DBo)bШ*ۉehY<ǣvY'c)0:5UVYSQ^vy$,MiX2j8cn[TbHE k4*⯈/F=HsCK:aK[g-ѷwRZV#rR_-N`cWL,~1Mqem)vIJɳ[zVUSf5R(}?1;HEk7 |Pt0=פ)Z-V#(#8^4鋦ԓmp1R# XXFW4cgҸv#3e=,RՋet "T(ǼB( n[< fC6X 'nDW{, o|!tueNYdMIdZhD5g3v sv+ϭc[Ȇj4mv5]2,pf5+[ߣΝ /PFDRBJNu57"!W_E_F{˒ˆdt[D cC5A{O>cIuޯ1/?_9qC? QNVX 7^{cW[oU[!g"Xu(3k`÷ͨtb/MTt/N (fz7atiDֽoв;6e p2[ѭRlD ޺!5 ۾~}ڴסeP ?+֥bjD~>K7c'<7_(>bhmf Ň!Mfރ~X뛻EP LyBӋDep!xu 1L8>bZԕWdE=%{o8$R*ߛCGXSG/[  p|,!hjY6权LⳚ͋PUb+ vCyo8P1ஂA}E5&K/Rn fwZ]ShIqg Se&he{olp;.QT"*x1X]y/KQ"wWy ҬdR.@ YcŘ#Q%^Ab5~UX @gɊ1]FBcD؏{1 ecwKZ+^A~%P3ESkΦZ)F5k@{_^ti^ qGY; :8_(Wcfq>ؼ`9QQ>_`bIkL$ʤà٨r]e|/MFnJ]359O_1ߘvG0ᾬB2;M m/V3g}҂zHH./|Y6l#mI L̈́UftJ<[5τO*eJ݃6pI޳\ɚ]z.Iv+˱E]|aƙtvn!Q3]K HKrSMtvg |G@MHw";z==a.cf5#L WMIY(܏t"u5͂ѕV1y1!Wx(u E:2 MZ|$l2p?36~?>ӛ2U;}cVU+QL6( $wR)/x}߀qђQ=tۺ7FؐlHY,U-2'.ma8ȸk:^91CB⽫_s KxLTkw|#ʽxܜ61"w5GD6o;zqlrEQH>ţ0y*qT4|ePˎ8)2>/U/}!]5W (KZE%%Ȃ/v\%JoɈu"dO.>x[3l-0V"PH}8xVoRԂH $I+AzHSHkaX>{im7-XPzOHEzL$X 68vnҚTQ؝$ r> "#WEe`ZD`ZңC^<ƨP|TRk=ZLSD *%,NմHSv '52d=$(EnFߡ뽩aO{ vrI^J(S'=Meb}r(*3>Ю-q\?B0qGֵ=zͨmDh [SIDxb?٥j5 t},AQcsC\+IQܨ\8a\w.T)$R DLk&8.:J6njӵ:} sP0]c_5ژa;x]a%\tS՞ߐ2bj%򩪿(dyЀ¹_bF?o,Dbe?M#ؘZbO0k9nJ{$N:W.R8+%__sWpcS]y{}n7rt%W-Xa*jԩddliVya28YW(>+6cM&"|B#{o+ R] D+LMG@T1SS']>K$ыKnV^@&録8u crKi: xC<bbDoktC+;xk㗈ƻ5Zq9 5͢B/HrN/{S3T0x+MtM(+gA `VDp&;svUzJB/9/b67ŢE6(ƫ^=U/s?\uDݐ_͓|R:6x5>%@\Z klPMk45?x nFMڶ9&ĮٿvĚW񼂗6Q ndTƶ*ь6r߃rI ϦGZ`5_\\gWt>/3P?SMA. IQ>͔ۓft$h0h2amZ67?̾ 8w#*@lbʀ߷$R)npYxot`*]6w`5S>&0E{豗/33ߦ-(|˰%A$ʏ'hJbCzz(qeփ,XϤJ^6__eb(SZoQ~ıifEhC=;zof+4z|~:t[تlu,S) =X)9n#p&kC-f (j/TJcza@cA\\d3gM(k}23&+eϝo‰Z̃&/g,]Hu,a>Wm%4q57לsW'[ߤſ('Hޜdn݄/ ww츩T`F4S`3Qitt.%pXg>c:<,|b^M<stce(&3Ν,ˏQ)H%v?YߍC;\+.*>5,{`F۴SVTQtQ=q 5{f,%48|*zB eXrxK6-]20DzWlWkHyFF>!laVs ,WXlIA0h/6bXkR2TN(e0.Y1]603,# ;/rP䟨=&k{;^ʼnz%\iUzj‰s;R[vU3RдBt/h?#°S}_4de}IH+<ؙbFheT`ֳIE'He<;T'ڊ`3RMȋ_=||T˝(gߗ#РTmR&5#8$rDt5nvj@d(Bو8^=$hKcU z%x:D!uE3v3@꺘j ,A9wZ墵>2Z2֬RYoQ"h繨]Q韝9tmfrDQvS KL5YK6P~VμT PZ21Eٹ O  \V [b+I fJu|_ 2EYFhtDp%+9kЫf 0qp2pm`m-ĤsV4&ҚX_ItNf2PwJz=u:JNJX N4!3{ q 4\w,]Azm#x(~E&mM^mׯ%"Y=%hJX^_-VR]uy/7Ae6u{7<1ʟʑaՆL >z }dI]b0{؆>C)'~4#ΕnI q<, b\h^#dY7g4oKݱk>WI@6UK Ty pMZ={23ߑA> y7E M;wՕ7Χus'9T7uڮߟ- Bj?ɭ'.MLz%=pli.ȶJ*dPн/Qފ?<s\$cft.nJ)/ js'Uԭc TWv:e΄`KD }Nf) ٚKWPt7۠34QIq_ VQ7+rz l9.Ù_.t9:yJsؗ6a< ӉUox_(kE뉖D2;Bu){JYB1f(T !jp>]H a_v>jOaGg.\ D$Uh;*7/C0S">ם*t`WaR'kn$_s!>Zށ`~A [.z9`DEp4D!/*ÜN-l wCAì+?&KqN8??|&CZ_xo1}2AwicUBt__^23GNZy:ZGςH5wI&D/x~ %785f=7j-)Ϭ1u:)W>tx)g~ʳ>=Ym= . ,f<$tU3a@fgel! rq<ϻ*;Й{N+lq>חD~u3'nJXcã̞[cq弩h$$ri" 79ك#~Arkїio9z޸sf qh_&>MV>*VtVƳMH 3Vm\ Ӟhlo+(i?>1{- Hb: Bl>&yd‹K7yse)VHQ r^q'7B`Se/lNbAи8e4;ӀAvl隶'H5qi̖E%XvV:a{z~'2Fb 2yתNw|c X;89.zoExz1 2Нc"hm҈?l];t?R# 'υ+Xϝo8WoGarz ,P]ş[O̘ov_} ΀ǵ\#>v2#%"3#Z,gf ݵOaBbOlm`uJ%_7=]4'+klvj;|o; 4Z_>v;lI)c!ȩ$}z6tPG|"\hc>+)[~9eK=8]0^Xҙ1/S󱪖V7MEXlVE[Iڔb. f D-e4NeFEr/AdĻdMv^otZeD$ ʣff\Ě@BvM|||\E(  @$x3Yrդ¯ޓ'~29{qeK6rO-f{lhΕ8k,">e8;`ܾz?Ԗ\={;.jKgD%[+9;iNGӒK:_Ip!IOZ%h DSUۅ #ǭ f'Y<&7(,d/ :bOY7ݬBn&«:C!^ );C൉m1+ƻY 3e:Z'sṾ]^JxP)r`Y"st_'Q8H#v}VjE)}Bʙ7>܉񰊔ļ6s/‹q 'FrqB1!\}< Ϩ.RNSCqEi[pH#Om u":o ʲvlM~J9* hQ{dcY#օ0u)3[a7)!)u-9)5ۍhvZR6x&. u<꠮E燱g,~U(;/#[4MI{vwOĂA7NXre֘x:5M֡me.15P|"*e"a|*[cp"lOyE-%HST8YVc ?X< &/<ɨW(H &@9ZMM- g()^bMJ:E {È [uc=!:ֲƔV%'+}kz:䓄u厫N[5`wf=_w.(&$-`#&ǪM%#@aRYr! Ug"MR\V룏Tn,p!"{bgG8;4-)i{pL_pL MVHj#]ҭ(޽߈U˞S͝-Iq#m)Y(І Wh]0UO-S;b7cّ7_)0˜l}m |s.T\sÄwݞsϟs<'7BY4`pql=khD wN0?'Hl$iA1IÊȮM}X\0eJ _fDy7!KTҽ/ r͎89(?VJ?)a!$l#<>WdsP`v4z=]hΨ4'.TjWOE< @6G-Ȩ$`+Kf6zćޚIG&E10Lݔ4pRY< &Z>;5Y:nK}8u5z*pF:vkXŲ,=yi=P|WS< ٓIW١8tJs: rcvמY @;$T_^*๙:p/놬ͷyكT"5>;Ne7'0=>)j= t6vIPn€zu?GQJ*h5 rf@W*9rY3 cvHN3_F l-}l8@zQ(D{7N -Д8lg9PaM˙'HfVHs/ڜqmy?>27Ѕ0. 2w\L2kܨ,Jļj.*!RJ}Va Df3 K ˉP"٬czOro #KwAhCS+B"i/tiwxޗqq| WIdURE4 sn r'|Ϟ:5}I>\xFZ2$J#D8.ɼVqW*8W8mIׁ!yP>Cㅀ[y7]/8'uš;Qu'W?忿<}:{>`֤+ON~R & ps2'lr# 9\i-ߏ΅.rv:WrX?~seW=5^+5Jؐ-淔#9i7&zIXRU Lt .~@!Ǻ5MfBZiqo2Wm&jӒ.d_4S/^ $gW[hA 3O6)jƐ3{ʒ&cnNӈNg6DJZBϿL:USXd&e+Sӥ!`O0iB奮w}fLX~wnV[N%>ǬAxyL,0Ϛ':;^kM̼GXm4HXD n=%N9[ym"+"qZ? TVTweNJPfIƕ sM浃JG%+zu_u e2|ŜԺ2k~idNv\xhI M.I49'OAٻu̽E Qw9WCEʒ{3_.4 Vukumx"k>ю҅t-NXr]j&809,[968.@اt] sNsl"Sm!&0dEOM 1N) 2a8o}HxQ!2]"V.`<%̰8vhOJXDKN\롺}A1 m7.U5vz<J`H7u>e8bo }GV5qt*o_ĹLG1GQ墫Mċۥ/ٻ "E2T)=%Ys{g2ƟFDlN±iyt20Z$͇v`ч?dBuoO~n)~ 1 d@ЍDiT3 l?idhqJ=ZC}җ7p3:YYۊ0SSr @1 }A̾"ٗ` .S%50 #K4%BdW+} HI}p8ۚ(1$ϾH0)-4;U~CS;1<)ěq#g|ٕ/)ɣxVMoW$Q+?]! 01(۟ʧ< nNQçs4TQ$WxBHCW+12iϰSIwI00vVa1ELh),uAQ<i%ZW]CLr\kV3ejjE. rSqBIuRug-@+?F>zntQts[̏Kv@5U؃.kܦVOLѣO.K}FK3G\ H!JbP/Gf'9cIL/S'S {ws<1 Jhj}YdRl2 e뫸IrPe< Eo}_rYf HOV0?}fzK6gCm٦-:@g@5pzl;S? V[ *X.1$d>z\Ҵ6P!f x'5y=7YħBwur^XP^!Z :oJU3  mG `Z>' xk" ?VUkt?IVSR$ES5 \BNsXm;ǑQ |t>9x/ R+3tkԮ,HpƬ% B,@]LCc,/:nStle~ݩZڊ<2ZG;58?qNXs.}$IJIh"L$`C e ɡv̫SQb)_{~[ڌ, >vO<G"!,w6ԸH?O :''n nkx إbb]Zq 1sWL-mBd0&];UY@rD?l=U ');)??jK@aώJNۓ J~W.O *ʷjuXF;u' SDUD&vEH'7#dK29{kjq^˕ÙH683<*L.A3(PYL|%F=6qMvK <>rg:^=tX Ep;Hꙣ8To7CαWCWrnV=am=^a%Pq"U* 6!uSZYX5HBtXztf`@"@FJShc^fY Ѝ[vYwzqs~}맕B iv18u*aOK|ܩ EH+U,{(Kv3 ~Fg9Fw]?Q=^xu?cR/Ή/~]nxH6aguG'+;׬;0Q.xnqDǭuB56-20@8xN E]!&MTWa=FnF!Զ<z';OrILF{O-ݜL$zFZ򡭯{~YVq0aBGꠜ>5Vp@ OBA2XzكaO[ P]Y DF5r@D%'= E`_kғh[11k/R}"h_Ԕ)fR%OADyy5œՋ ^<0IMlY*ZZOuh~Z ZazT~U*2oO'I% _Iv)G!5EpZ;HmZ1Aic7zG}=/~$\ީT4e-jbOܰ90Q^(L93|4]%O 3iu>_J vV+ӼOђBGi < Z!4 3fq#[U%^o""4I(";>=q$&U9[go,:nኗD9=<> *44 GKNb~=6.ٲ={W!tR@]%=3B(>'C7 >!*HrrxlL0tyg=ET2 A8y E01 J ,tlv+<맨}oCnūSBƎe@=:_,0ek:XSs9{W9/aTҏ>CE?lGNԬg^4j @DG7Rs[DUI+H,uf)mַj)i+);o ա62L@3_R0Gm̯ %(kR(d{ʄՎB]r%?m`%tڎ:; ?-Wl-'Յ.WuhW:йfXJDb5-0R?T)F[Xԯ6=xh[7`G E^9? 9SZ6:숡ZB } \I#ْQMJZ1u_lQwPb2χ3`0A1Y3fMÜszDH<:]f g{ %0jN܆3H8)~P gK>~xhP2S2+Ƥ{4Yp^ {3p +q*=@xqX qu z\ju-9A}rM_4s?׏_].Fg T c!>{8_tjM.\ms>B2q`Z#K?jF(¢; DZ8~IWyռI%c3;TZ<ƛtHNȡd<./ȧ-G5fϹ8w7yOڸؔ2ESTCZ(GҴ-#.3;($~vZm6Bn2}2 oP#Y kl_tQb @3A^WufMQ\'opy e0Ωڃ7jwUP(S\v?]Hn/-D[\c *$TIDDbRhύ܍/{5uA| ےε'z)y^X@d=řE\B8CRJ8dcԭox'HO4 f'$j%1! d,QRh?b5)jㄮ%7R,2)JHn3E^כ'6#(a'[XD3'X7"LjO&q,vթz:Rӑ@[;ur:hf0-.QU.7LI"u98g̷eLm<@vC`؎ʷg]>Q dI A$ݝu4dvoJQd\X0D]5YMT|i(ѳAQ=?9VMMO6ވa ^gSvJH'Ri{KhoUC? :/xW`=6 r03~+]6mVЩ~Ȇ gOv5=MMR#C?A[H/Dx4K.1 qI6K([=} 9xt^@K^7A8Y*.rbnE1{]vr[!8Qodqvv 00Ԑ?\VIdU7NFSzoh(m0!'"6'|w]ReW>7>7}ޠ:Sn#%\~`F5C_'ԡpnʬ]7bTWmI3.,kQ=TG l C&]V &fΌhRS,QHE/{W洝Nlz4b:b<PgV_~d?ِ2eDb4;dU|:UA .$(. F;8aJoT5H];ms|Fr)3`a= tGZҁJ̈́4,,#,"T!/Xg*!O׳0FobEݧ2|[eJ ]2ic7yGhN>̤5P')LD![+6XYgComi'/ی^P d¬Ί9WJU8=;q {kʄ^ZAԑfuG()( P|lamp1h^+a.,bz]r,B@ƒ0y|s|I٠xŊ9$ST(U_JuJ|ZvWt3,!t>J< Hd[ kxN`s3nnO~|w[W|9\J/6є2i:YNM na)7{XtWѠZRh@3 +hum6ΧRyD z:q?߆!o-V]IOm1W[v!a5K, ѻ^?2unv.$GŭzVi;Ulp`i}. 䴏DFl@$U:i] Q=Z}73Dդ<>x~385 KZVDce CJlZ)Lg\{#5D$)$1i?`1)˺Um|O6VL&&A\}oìV3ycY#z|}VxI͡hW[,b-T5{PG Gf_T+mWvO6@šzVkD‚<+wEb_3ݦΩB)&tw?lj U|A'?'7@\A])D,Zb%i+90 Xjb yoDo'2(6'8$@םbq'!<\2.ЇO?JS8ӌI&iR|%~ja2XD8HnMJny E{20G #.*angww׆wwr2ND|q=] ; {깣:sqJ AX<͕)E%~I63a:u/Gm&v[ bMlu8>8]6K  **NJ.(vkWɇ񌇄hy*L^[ʏ`pkaЂx=MZ>AE Na'6b^3l<3VLXlx!_,+huTJ$AIְ|Ҝ #wLOk/'ᑖG+*' Ze^'١g܆678NID D*pY#6̳tg+P$fe)FBVME^"9eWZs4‡9\ɖߢ/K%*G꩚jjfMc*P}^Xmm=  FK-@PSo$maIEr qɏ厺R ӳ&%\ro(iHeâiO(A}gL rGY$:K-a`Rl5pƏA5URLBzD RU:U|?Fb(LwthhlZգϛ5LȢgv~\E']c[̍ZC27.OtDu]o{SZ`j,E ˗6St U}אA 9;~}͟yCAO"+Oͷ׊C\$ޤ;#.&_R zkۨ'qӭZV`FAOXcԴQ"nlVm3uchjfQ$ewLb&9R|t4X<vΡpK!ԧ}moZ::r+]p'/:% V$gVJ X]~7u%ػ_mc?Ӱ#H msB8QAs.דQtevcƀ=fG"9ɭ[C Ү$K.$_d:FRJ]<7K`6_2/CSv:._z1(\ |p?9}40?EQ5S8ƌј͹RA{Y;54DĠk@_'xF{؂ ֟La}ċ~0rD v_3 Iy:YZʹ dQ4&, ]"ҎݖKH4 ycwN/=6kiڽ#{/_٘!$|$eNGbZ3Y>TP*E#hK< ~Y{lU>ϰS:.̵"Q̟Ntw.aڎ4] +/ڞDpK@fxIwUXelg=`V{Apo"m//!W;gh4X B&Of:}$3+=^^Vy?ɂ\tmR~>t{ X"ZT"m2^d>@A-H ࠏhBFiE㟂t W-;]Xԁ\05T[wkcPkRypD2.ß .VZ25kXReEvK>!j-H:xj]ݜsp>8, wBgOԿM7flh4*G3ܵUBKu՛G AS#(5o\[ԓS ë"1 4~_ZNpL]`;[w|i}J(Yƻ\EsU/۵hԖBvq7d7JIy}&Wf6ߞtnvJ3 }9M KipG9+C4^XJӪĂ,E2'?JKPqD\A)o ՊPΛ{_wZV[Ĺev Lܨ~̬GV|9R^ԇĚp~^mzm%4]V[Syf,?H""Xh! `ߡHm< '>[2ҀlraUɖ/3?՝z8ƆK;Luz+~ZvE5<Ң7%q+մx{*9<5]'U;C_ 9DDZrkd\Wf (D7sͳ/K@]M(ֳV&v(])bo؅]h)d:P ,Sl% 7;4׬0 )jK_S95`\ٺ=e41Z)Ф)e7(ܗ BE t,ZЫH-kԛr;Mtsr Iy=V>Xϋᆪړ\,H.yDمeǭA1IDd=k)vXXL9j+> .=RcC!= 5~aeP#KުY6`Nc%mQ"-*;3 N=DIswJƣ%7NoϦrg4LvE t#V+ȿEd|:}NK>" [wc]Q״(e*Cbߞ~6>e^pXE$Q3"Y+P$&uXa<:#u9(8*cAU2Jې0blDX^R@&ӻ$̼XhWƁ>χ.\zlB6̙~~z_HD?~!0&_Z@(3l7C/blDdlxVZp1 o h?7@k?M&d֩MDC<@'2 7,-b~XTݢBSʞ`n+ie㘚PN-rF_5?:aPcXUg.euַއ*$ "rQAemLކ2sqIٟy-`BuHDYuZQU+C]8B*в1#?<ihυ*uB[xPgge_)}&xY0/bA|zUG>g/x'UMRgf;}V;h \DǡVݮD]nec妌7M*ɷZG`W6im x۴ i6wu_HtrKY% <+c뚳N%nj.J3.%{|`\?MMe| {O%Z..+qHRb2g Y{e^'J21 ŎGpqT<* ܗZw|dFPDW+|$~?XƆ_թܖxW!*?zdK4Hp pS8ա<cY՛C%$yi!ڲ0WS2~zΦn >?K ?9GNLSpR>2uUIjtiŪ%SZn~5M7JM_D6f4{'hfxpSZhtwZ"$f51g(Cl?h>[H*^=(%i\e #^y߭]0\zJ"k=u r2&%hZi@>ۦʷA/XVH~GV[xޢcvQ7*5md \K6rޭ,h-[UqZ pӰOa|WZi$aZٳ,9ڽ1w#*Hpc֠!wB:yw0 "U0~;Y+L` 57>KCN|H!++޵%t`Fxf :n~lީV1#ܯ%bJ&ձِdgKѺ6j}8ݽ 'ɀ^=:jBoK;xw'=^VySEܨM*5.ʋEb6Ol'"2 `ɺ-g@db٫S̼hH&!4}+:]9f'*y1$l۝#zW[F 6cs(&G'8Sd%R_93P^$v71Μe6473&y(K|C _e6Rd᦯#H&oJ-!-Kۼ֨ϧ W3f2fNQ5׬φ0r5nf0T,XgMb.kϨz_<#hKN2$skSg2weo b:em3. LمS!;nĤ2HKo\LU"ߕC$fOo'<:"eR Y5ES:&TPzz:AX.!=L8\4}2$,\4t-<)iݿ3G}5qb+L3yD[态Oٸutf[lW\'z篆ЅC4YCu%iZ\JEaJ- x}iEvgF{R{[*򀱷h"CUK]Kl=z_4ōB7:=9q6^L.-X4Ү c!ܤ'B# ׭J4@wܢBWFC;mѐ„┌ X2YyN՛rty5cY{֞om{”Ӆ{`6[)NQzko`\ѶTӣ3O@si4Av143v Cڱ5Iy}^ΰfd>_\|buuiRKIW؁v${vKe[tp~e9puG 0 g KNiY+ߑ4PJ7wbPM#=1I7G&H]r·ILǃ&?9[Z D|Jd˞l\N&`UOk!jm:542E6;9#E|1̇3Š@R7O* /*U׾kpXkunR""-H䟱2ꧢ;濞!u4@C8L,>1צqClO8f;,IZo:x'c+MNRYZz1ALd:2ʠ+M8SBpsQ&C$9t=V)d:>ʻx8]}CKL%V8)&g6[u(!4:VS`(QB+{Nz H{jw 7?56* \$mѕ,_q-o Ն)xfO޼yaٶ v'|\4ױU߽3((pTIX<EQ>2ն@g`0ReN6>:TUmْk:(L u3h>NL%~ aiW'<IW0*,F8m2;/lr@>Hi&_׾]bBWlN|K0)V[(tbh&? 󰤧=tzҟ0fdSqF;5TmqIQ1h 0D yo{!H~?Dy o˺}A2 dKq-Z}!U^@lbpB(Vh|J%a5eN)QI$Iמx4bv %#8+"2o$HHQ/}Qfq {nr1.d$ Z~7?7m ]z™CGVpM\6?z*hUF.n:/0ĩ?._'H#!^Æz:^fWT* J3;VN{MT: ă5;pCO;,\zE~oa4wGY#>x$ROD M%9չ.% 2%`킃 VQzZ e0hb J?ƿ^kwYHO[x_EAWdCqQh9!]`2xFk*PVnU~Wk迣z>,˃z8 vqp]73٥L:ngjlҔs8;E G'pLoUTJ Jex%+}_ 6/DQVc: &)>wti63UnٸCDw+}Nt]su'Ę +,cYm O4GdE`L[Rth'#F.,KJDy5RLNhBWp1 ]xVBt?X8ylM_2ohs'dAgq x6eA&UiP諱mtzw"Du_d}F];⎡xEF Jb/azŞ&\`?פr@s0 ESuW( u/#9'vYqf : *8mߝYR4S@OAL΋5+a+A61C '׫Eށ{|T+5Ƭ~j"3L?> 紓(dOwcPefxcJԟڵ$]Ty^)߻oZXz,bc|iOl]?cfjĞ`ag$XAbBI/ {uFu_PmT4p!/ R:S H^~daPd>扂 ,4Ay_jUܲ Us+/x %d$|A`&5ѨgEFAq ?3j{k{P7z<8h]ON2-ApAsO~c/.ɂus&x2AI,WX R=U9n[1ƋekQS%Ȩab>!UiK(m%(ߜO|qf:LMsz="^6{™8BK_eY!1R;bg`ai dj6QǠ+=o!49zJA˂hDʎxw>J=z/¶=ˈ0^+R6h5!|d2!-+ ۥP|ɴVջ`QǤ 'b43^2qR:"n쌙i{\E54^tƁ gHRj^q yW}ft{g1`UIa;Ncv|/6Zah 0zm$Lb-7:ԮVI_Z:zf.+;@On&A ,|N:ۏ&|wYjrafSx9fħb6s $afH Iw'r|2OWXo=C:yA&NDZm; T[!L:]"v5Pgp[^2k j5<_E/tN-юD `I?DXZkQ׾M{g;VuR#W#:sw-om%Oi Ԍ \x*jN)1$X>5~|HW/;ׯ%+$(ܥ4iN)Ǭ&ixKO]|:K/ =muԜ{X'4ܛd EqtdMbTpDği-GW"ᒔn~$2e :El[Aa!ҨXrDr?%Y4oNR:GL啚'fP &ӈѭ\S wJGt.B7*'FJy+0CFU"a ($+cRO0*IOhVnX:|;2º0|9BJ\\1Ca<`Vw _tC5F8x`1؄&R` ̚}ۭtw$];2J(|D9.&}(Z؎goaZh*3բ*(k {r]ݣLD̷ [qBrwt H Kma}HOu4Pj N0ZxykWh1jA :~vB*Hh/bIgBBpz,v啱AM6Es]~V V?o8 ~/l/Z>IL[74.B:S#,ySv<87R]LoP1W&骖`{UP*}aDo m<d!#Ŗ+C3Iq[%v‰gtRRV(G}%FUxSEte}*>X'?{6b L*qQ|R6AV~=ܵD_B*cy!|je8%.=a8uNWAw8ɠ9lۗOF:coIT Q?er.ϐnX4㽼!\^}hWXPuZr*gLs"ʞ:a$3VnD᪌2kj.05"qubeBO(2.m 5LwBv'纙Œ+F+-*hwv*gLS%Bd cuΌq`VZh-XM9|U5#+x#/W%֣1(Z`2i)Q/b+@ASg;OAJM|LK?uj'|>-kOPfc 2%:O ~~X c-%] ؅22bŌO}^FPLa͚y^5^*|k]"٣E:S;#v# LzwRz"pu۷Mq"Hlo,4A͊ƴWZ]LuRԺ_I' ԇs!I0l߀G~ ®ڒM!d|Ny|u0Xf|`}%GK~04Ѐӥ$!zD4<ȾU Nَ*#O͂s# 0"Ia4J:$GՌn5U2ff'ŗ<" ԻRÊ[& z4>>!G~fhؓb= >?&2#3%Ao(%[79`JLmnp؟RmNԡb:&]N[jSfS?$7zg4`C`%A^M?n3e;II[)d7<\PMgu )H5w}oTlR|~9 ]RPYKv9% 'yP7qlvpqtoa|j˅;lо?=xqopSpTqaњ򓈄xQ]7YPѼ0lO#,neq,OuAb,&ׇg6OaEQ L4όiPrtY O_Q"C6 *ܑN*Y,oOP8!2Zg# 76WAPTK& \.'i|dT9gW=|D֍./q񘮶SMW2T7:I'm:mIJ V'a?ᷜu`PBbzMv`<5\D-< 4USC kic%mr ?|1V&u-ZܰD(Mxk[cH4X&BxJVjX#BO]^ʅ@'iR%IS<$T˫xy`l ij#vNto]ףOjCm-?S])>5 Qy]x@;/wKM (dYcq+A!a_$=C#\~9 Ėǂھ0 ןqZp{D*IAKą. fr|PdBǷ(ucEE*r.mk6 ?J&R3'ju3gX@ZefsAn%o?oDTw*8׃E^HជCi6bٞ{5}FVEjUM{⯊a@%-wrƱ(?E*~edC:5շrݜE^9ȇn|I  #1"b2_keY)BSQ ϊ8Aa~|yf1Xէ0E'S:!8\A4V'x.!ף.M>e3X)W3VW<|%/> uyqqN륾\Bg=bt EuS"s>A7 F3NۅorRؐT> wQ]~*$"Vsncj\’h,hhOLhAS*KCЂ( j\aI"+NvW9xo5ӈfBA"&L~Uj Ta{[5Lp5)!d- o;/hL^舷i0QW{}UfK@5̱@2%l_Z"v5 2{onO_+5.0DIO&RCKܳ7Kx` ǃA5AM `wW~;A"ΑӊbY0: CbV\, v5DYm@},u?ĒEQ2Mu=\7<F"PÃUBߣH}P3(}@%?/=>_1*kq[T!H/G{ϕl8L?{H6W1?a\@lf >Y3/)Ӷ}/m޶7lF@,@ Lz4M{!~]5ĥ"]!Iz.: ;V擙IE'I4kjܹJj8- ;¥[~Y,;]Y2@ʭ3 Dgp~QsԴjcur#%ets ln6kjeagl 9/+ Fq;"eV&P Áe6n\0zF@Y$]We*H;ڭم)haXjx1sX{PE92 n10ZYqϺM/Cy#t4G 8s i'R3uSӱ$*͞TSLxuu~#!1ws 3 `!'q%n0z@9dQևY@ J"rF0䛀D]v{lntZSW %0EUXSTb7z.y!qq ZA VQy~^c|!`VYѾtl E4\9lq Txgl7 De>_ Ԉ3] ɨ>\$碫ޛbrо:_l5`9kIBfW:J')DU|FoywR|ʋ1WN@ !4õ,OS l%Fג4AOV?Ut][iXRY֨]8utb(7[+:Rre_VQΞA8o&y潈-MLz? ]d mǫ/JR0y|>5~aF(:#ngdS!Li OϐPucE[$j.s]ASO~᫓-֌YU)3ݥG'%UyìcFKY! y-{ZlC iˏ+_ܸ3+B=P!}<[6=>#M*Ye󜡵~\$zٟf^[. ˵V: pclY9}i!PG)YxAjYAQZL_!& #,rrH*GQb¿X#uN:ݞȼpXrH6yhv">`{?x1&$"f"<2:S(DqyP40?L,- gm?ͫ.yL]طE͆,lbM4e ])@W5wZy~C*5B)eNt` Qo*66EϦmx!mSI0ZX ^ 䓄..g"o^¿#?pOJ5"+ƑĊ AAwsp5bMd,%#m e}ԓ4t9cN\,# P?J郤 f<R.WlT5ˤGŭ!;uREk"qQ@*^{G+Ԁ)ɣ5m(:cVg .m(O}NK1)Fzp߂5밃}&7AZaAۄRWF2G4WuX#/P4͔RTa'&:(3YH@18a#p :-?^9oIKaȇ$c|8Xa@s5a`)>W T*}~$+9ZrqeܵUSȁ9&ֵ:q9oGZB8omS&.L3&JY4辡TEvCx}-Y] p:r{AmvsXF~3\<{Vu8h* O{3|,\kޔF`hDGZVl B*e'CrD>#vS,r<49 %m)ΧF1<g)r.>)C -a >uYk,a>ҖPȹqP1#_e0`'ȐB KtMM_Kѥ6(qC BuB-"e^HP0H{zm*ܻ]xn@F E{t!^ȜQif^u6MSĚY4Nb9J8R8'`VqԖ@C4/ gѧԯyFÒNo(@:8:Zk݁^ l2G(TГV:;u;GOf=Hb 3<):AaՃ$pDb@S''Ju}zzJKΩ9pPR߂ {v%=CRz[)meナ N> _Ujp%d8y9 8mJ\dmHߣj9s"ɨ2ɩl+05+yvkveθjCGx~gS&v+"LYRzfN[3=o# QtPLvwG%)䬔y7?[\?G@ϿG uwWM3U2L dN"ݷibv+K*q+N\J߹뛋[0K0p8{F\?@0lO~w?z2}^細|;x<nM{pKxe+kKƏ'.q_gb@ H>wH pJޙ"_tI.BIi'?wͣ9 6oUr\)5,*QmԆ!$]-2&ߪnS@}##yON(Pt#%%yBLP]&n@[Wx{]27CAe!] R&9TOivzGP6T+ Um !UUddӌ2s| 0$B^YGavjSܛCy1@{E .Pb'u/Y3w8WSJ[?@R\ 9n\4Kr97kՓ=*uވ͢zw⿄,3f&2OA)MD5?8uxbceL4CY6pƾ5@mKGqv,&9?+9XE:"`%QkH3ѻ,\!8 g#hK: o' C2=o9͏uBWʖ ̾H1% M+ ލ9hGZ:I[x5:R~Vy b/=pgF \!5˸jYmٳiXĸWm%ۙpS8>~,va2 6~xҗV^̽qA7KNIcm. U.0b *P(kx7%if ޶{6Zf:^G|kb#{1,_ a?P ~|5j rV4Ñ0%\waZ_}C!gQQ3pWo Ayǟ9o]dԼ8<&  ^b[;x75[Vh }/ rGï,K[yKhUtشdza!vt4q {yJd|G6=AO4}tzfTȌ- Kk$C+T_p{BbPZ9J!?wm0T'%]hxGu3GEFvJ7q,BRjLkOϖkC}%lVߕPb|yŽG⢆kMv،&pEr.3FW'@y\jH]KĦPA$Qmhŭ?0=(KgJu946WQԁ`!O@ perԕz(S5{Q@ `q٠r[&6u1nS4isk-QW[T ^E8: #)Lurт ˹E޹%80G44|kvЧ!B%A4kox6pnĨFR}{Lh,/TPJlX. Pb?"K1QZ Eߝѩ:n{$0R |sWP$e~B/bEb>3*ߞ]8?%.V;mST= <1C~H}vg#,7ӺE%/1)7ss@z~F L.r vA+WÄ *RD.lEi,C8ںO):\*ɞx_.ϊ rnD} _U6@D*-OPAlIoY ߆ prhl.tȿvhYqL|}O۩4*eЬRnC2#@+HJY]ǘy1BȢOaw9B*eS Նߝ;Xe (H|%}'@˿,ڹ̌k|9} \o:$緈7keQ; ^L4Km1xβMښr'#==0n'[; )U1gIIZ' \ÚY+qArg-h*Qԏ1RI ) Yg) @"M탻 "V29. a[*C3c;ڂ_]]H82E p";3> L+uz[UYw"EL$t!N\HebM<"]f =E]蛶^ xD+Sy3m+\<&KsAxuv] {i]lb_:%ID&1?_?Mfmj`պAldmѮ.g;~P0HD l:Eّ>co|8WMC=TEX5{L4kDz+Ëұ04C" ⚇w@Uu)cȺSq0m?W < Ka* XsM -W1|~lEds Q))nz}p8$ m7e 2EAs^\ohVz̬ }Y44f#x56`ٯU+hVpK{r| )R+t$|x{'qE6r߼=wC CIMwcve, N9= ֘ya kHtV&z,.T*a//7tD!`z Uw0ـ=zƘrB!G^Ll"MuͲFB0P<$7ak:ZGIǔaMV>\ղcx IX[ $]Ykkڙ3lNLB{ί7C ܄/Qc/nC@fMؙgd#Cjߋ'0?xZD=(M>ޜ#Wk펭ض6mM:~I#L @ /f~b6[AՃ)Afdg*&}B84xEӯW4Z<>QI<IJHT_#k)B &hWy0ݲNZ'2S^Q ܉|5-<ެb,VOeqI77kNxaeSꊯhŚ-eG8_UD3V<߂S}D-2I f!e|`D:z t ېLX^I静뱕-UIˌIcZEisE| jG<{U!\ٛ6^ࡶtD 5a?)| /S5pofFpK݇qodJ}!D qAI8k59gPVդ8wlFIZ[i+E{!4q4?Q`]V[MZ7v7St ޾7CVLT,NJTYSXV[7XĢ^k'062N k"6+\tHH '{U)ޚ$ fp!>W "*G| Ĺ.\m^8{5c>/h1"u9q[-:3zGOw{6KϹ]ҶIN pOƛj`TQ\t}-7KQCZytc9vf1*S &B58koM6h_^sGE;Yo+ v+M{( 襾K?W'0]*D Q!v5zzUL/gfᦳ,ҥm!G@`|Q RLa8I\he=sle&HQԈ 4_pq/.7݈{ lɄX'cLhH[vX彖P$sRyB$UnvOT }h J9cab9^I/{;p>pRp;#$2sVu7Tvr}y+a0t8y [AH%lA 6v>@+mQ{JBȨGT {SוAX`Ϭ(V/r/#cC0~&8}`FSQEҵ͍ͯ0w1`#`KB5HM N} 2lJ> |I"kKx9 @v$ S xu@ kT`KkJ~`pSl%p"H~w3Ov!7=z$VY_8M;1 PJ^_>+z@N0m_eݐoxy"EGjlxj0a+K[z Uw#܃1RH~:ֽ=&zT:1ߘ ZyJi;W.R:nXžqbp^?4šr?@ h18G6bޮ|ꦛ~OxcXV@ gP}&չ(r|==yxfPzxPNVPle¡D}vP;ɫ،8 Oo\~i}Mp|tK-9wS'4CBxNnw%u &/ReuNdfjMi{]} W@d&BTC||؈O+ кQ\ c@-y%߳POzm:w1=vS <{fon^^Z gzBu(-ͷ8j4## CԄ_ch 轟Vpig%YxY{CJ~IzuJ[ _)VFu? Bnu\uA(-&v#4 zb؈}7kK?\SHBٿm h !1]ѼpP}Gu4/!9.,X_`ss ֓a`4".S:s:m즂Z o,ܖI0|ںIKz@f80>X ,ק\ODcH4[}2uyt=Ih V?jg}nōV 9J.lqt'刓",  A (*)lAj ?l K]y`!Aiw 18sny9t6 7(IӴ&{}y=k YO A$G#d-xNAR' )9Q~|SzU?ʼndr}kyVuRSͬzsaji͗m ]Rj~GSkD]^+ 51qO̧,=&Rǐ9Nwyvo&8n/8Vӟ6g+IK_1㇔DL}D Q^lANgZl567lO֖vh]jI@<2(\ g_Hcxn{2ES>օzgKkCѩjB:bRG{U5$A8SURI'ĽCM8\o`OԥH}Z]׬Kl̽NITi+.G~Zp{rtU  STzD5!X9gLSs ic Gbܴ-\v}P4pUo>F6cF4QAOs5LdeIy خ4 'SAī\,\qbw/eNJs %;4|.tng8RkIc”wЭ0AgzϋkMޤ`#%JR8?,358@wv(r'GXӈA1Nx ylsi uێ3sV$KD^J$i2 V{1j#G ēN)n<}яH/3IKR5DӶ(Qu?B=T >c5S ɏn:}"C)4ؓ*-ʳCe%U}ԏBa\7 3'~~=;YP3R, 0kFs` Si]KU$ p|R U\ғr.U],<1኉QBeU=G#C\-tdr:gI,Pz@UI4gdC)e݁4 3YmZpJ<"==4?v"HOAS#AW ώo͍4-!ubhч$TңD[Մ]_ JrPxT>d&,Bm 4 %7=!(0ű8eu<5l7@Wݔ쁚9)<ʌEi؁Pwj32#Ӟ EPPI78ˬ#vئʷrT nRj_";Z0p K=SL\N~/b^`I*n >}#mCOgum"dԬgຉ9" NS]t551HH9xRZ j]mO9.gBIZ Ht[nhs2][ 0s.R VaĤҁj-,U3շ0anJԥ@fƶ{ $.}lL8n/hW_EgXNls;$J7 Y[-<>SOc EEd1?ҫHwO 4frg&zCi k_=u˷Bu;&,"Wa?nujSE2j$Opt{Ӈ[l9V)3.VVAlN.z=ABSA[ļQ]T z"Mܕ Aڅb6 TbŒFD~85I["q8o ،~SW)+ix;\'xL'X !*ViAZ8'!!q⠀ԢRg!=PGFtIYseF^%LEp B k#Y}/a^w[o L=z$HNfHC}*`I\_Ul柦z )b4,e`A.C'LzY)Oo]i14~ES àb 97#H5Cehވd;zRJHwhMI~\$7>򳹆|I4&|_&E, ?*' w1Q*gk^zpzFj[cʐ"i> \ #Er&9Pup'oR>sPw}Hῳ.x}L?,ȯ#s3 <' )׈-pn 0KvLKdlZc ,!|vGw,j)1 YdXX~xU7hbf|NS&w0Y'E 9Ձ3u-ȉN7;g׻Vw[|gw.!/Q(~ęhD$E++Z"%EMf|/(] +ra@l87ב?)v4a[MԲ)( S%U?s;V06ng[*]H%nlaJԡW^IZjJc ܤ*ƥL pBZwJ;VDY! Ri=G>jJ$=C=ׄ&^ezuAF*ڞW{z9'-:瑛N4 Y Ó[FrfMQdbPT'fYSir@O!tSGE*'c\w'4g]TlTĩt[n fĪjd Z$4%>B44JaNd M~ OFTƏSr!YzRc!NzO9ll/h<6 <]K<_j,;AyG?(SoyilGWo8&\p9E %D*<4i -nGh2/oX#v%)b{;Ptj*y:gmŅĹ,hUO^ICjU }q6KjQ;"zs ~dD/bzuF p 4Ʃ-,a'mlAx&[UEa3%H bzHEdD;%OHL^fe׭tL(mWQu 'hw T.Ԓ]'xEUrR2m/ItG!ӵa,-vؠfg͞ԦvopMC4q\;?" /A&TZ//T(໲"[;2ē)\:'~ԛHwarb%K"S~TKyM)+^IL%8&kdf>ȈwLQ_e C5h .m &C߰IDREl9-CRK%nj>\ r9g|gM@^aoEpuNjo>LXãΩ* '[Km|B?]>%R {|kX`kdxDt;4jCn/^Rr  տm sGbEEF:i V*\>R+'^@`gcgQ,3ėA{~dڵ'ѩݲsoklIʃ0q.ez 0][azTZi+ݶ;tjB yɦ̖pY#c&AWSpQeD͊JG&*|ᗝ \%LTƊu |ӿ%+ 4TI1q(AҼpպa➏̊KT e4vCzQ`3y(m;Z?v$J!/?"k۬x#@2īPqљ`%Ed2˗yWwJ? !U\l4T `Q(UVڮcz9p+z@T~|u7Ԣ(ރsdypH#-*eJ_MRӐAP8ձ:HYǡ0qDL*~eZ |eo@[.Ø,թV6fBy4QGU"=C $Y*]*ʯ$vY%|U`i{]SI:=3KtDLX;͉#bm<ĜL=+/T]բ@\9;7[>%"^\bs9Ī]OpC,rAS;1A?eiJmvֿaK;,3%ESe]nAoqX1&SU'۞f3 㑿y{fuyrm-m!kYO|8ƅtCq̌:5vAf\?lpU-/?~PGbbwfm4C:і<;@1hd بp#>D?l'/DNb %Uk$ DnZDž_88^< yeX `L9ߜ=OiY3*aZ\&@ 3Xs x+k+u;*8 FWwQ 4@O6෱39#Vl- @BoވTi:7l{rI^̻Tib{]&{ݫX! G]jأ CeLzp`U[rokBaDe40ޒ$Cy.i.ȷu(vR^=߀S.\O㒮4yec U pWO#g~C ࣵv;XY-Y:Q3锳D68P#a2URFFzo$pԷY4Ayj{KFu(~u_ Y(F{U\pꈪ+{;7 9Ps>: ]q`=ZߋxNJm깥bM\*ILv>dJpLߌAEZ_|c<3^Rw)q`ywDC`XQJ,:SgUxȻn,ʹKlU?3xו{*1J^)!$/XRX}iSy9n;i5-O͞6jps h=mHC ڥ ]'-WM\0:S%<\=26v06πR ^I /isoĪ4 c_-:Z`r\DЈ $/BE\KpmBw_QϤpҶ) 156<{mMױB ;7"21 `wAYk&n-zvI2,{bZJ鐆ɎmirzZ40Kdj@!bGd&W %\ ߻ *' DNDMXbWR 9G _Fky ,Q\] 6'5͟%%ZGZ XWXuP߼KLJcj\3Uܹ ү$ ߅5$aBO Ţݶ,x6u@șwNw]!@AdݛSbDSl&u߻/Ď9K`Eŷq%ދݨJ?AIήFQiucͥ:~Zx$AۣgyS#kPsԼӞ6M=ᓑٚCLw 4Z/]=MFUy1wb3/I܎fDZZ>&BAf!DL% Hfk֥+D#]`bNUR5~:؈LFX*H\U&Yu#: 4:Aoc}u{F`gR, :<} :zDE|I_5j׉%;>+`Eu؛QXNd,D0 s+X ,ڍ#˂le>gUqgbDa,UdQHӇpjDsapk)($IEI~( r^IRLox/Mz;Yc:c$I0j꬛E{@ 3hEvy8ŊBzd X.h}?V9OzӲ 0<:a!qLogC5xmB7 ߞ[`_4ɖzvVQeqӵ'֧'s UM>A.Cx SPCñ"Q3^_}BQXy]YTBJy?),yԁmq{̵Wϔglikqa EM (pd+ne*+m,34֡OO}Nl.(G9^jjcz|үr)g!Kb H^f`.jP+6'u,"?ARB'sB|,ޣl6*(LSDS5̫+ AQ;RLpvBY&,/" k8k^-Kf-k >*Y '3: LA%K7tG/04VmL} ԆZ3 d#.ݓywlVJNG~ְYݔkj~gk\׵YVWj΃\"kabT\kع Fr0z%QT>*VId2Mcu)v xyZ3Mo .wEQPP 7OT~&("šbh<:Gf%Yˮ{ cy f&P8G1~a:<~slG i(?dCQiP|Oj(;J0db[6&*ѵI{Fx/{31ċKEnwXsu-3~[2}4W㹸(ewnzd=刢ꮃ)I>s?56ƪ1IVf!!6dnB˫@?|VcyX]=10aJ32JnsV!MxIvX!xSW~0N'1GJ ^oԘΙҰl,UǮA %RcHOY1_E ȂMA iNp4~o73q}^vVyYWkap ]c]m[KD PG"}Tx2a6_/+X־< ]<tXh51tX0 CrD#p*`4Y빉{?û ,토|—g1}UJR :D~v ƺ xb\PZ2)1h'˛,s:ra&_`7u/ 6jЫJep?R]*YpEdFW} #:Lc}X%: TG4I!`si|4*s qs4~λuYK<Ze'"t1xJ$v3@ن o"De+|vmWE^cq8χr{78͵%ĂAh41ȳ*1D EH+.un4SυM16l3jix~no9#yR'HG$eQ/g'潐1E <"OJҕ-\=|(ɃP+̀ʡA+ 4zݤd?N#j;BwPg\xh{F͗=[ft]w?=z\KF@- >9~8|L -eAm`rX;sDŽ2x€'LJi4r2jT*Y\] Kp7'"YF6Z\A8yt[kJ[ZKz(jⓧO|9&A2q4z[G;quY!@Sh {mZ|0.sՅD eHʛP 4V/iwjbϪy͕i&@?"+b] pͦX$%Pe,? mg>3z_GVm"aM?B '0xc,);.YTϮ{y۠.`s3'[ti5D;o_忮1e{ըZ^»YD#C-Ad_).uQrgD1o<0x:p(d5{[xR+I/s)ٟ^[ ^;ԩJQC駫(}~|7WU{B~)o=onxeqUi\Қ~[oXܝAY7[:Z?yQLxjdoa_@/"iE7 Yr#Vm7Y8%:KW T#G魼 ԏpHDOoBm*,Y#8r)8>^E똊\dY U;żq> =uC1=80٠?9tfx:ĥ޳MAH ؒC`sw8 Od1μ]7:+==Y%SB4R C/̞J,s[d F*?-qX74h3hf9q2-CFD5wO$<G*FQA*%K@("2i܆YY^,\E`d5-ܒ FH_v%nXM'H/Dw{Ōs*ĂrK̷{n PU9S9 eH->N[,ΉXl57&ԣk*:FqiLۨI!1R0X#u2EmZA!"ԾJS) ߓFocx<=k\єkz`ݕrE+;X@ɩQ7]:r(X{ס0N.ʜf XG*>/,y\EWPp.'v:}RoÀP ],:6juyX&Z4 >J~ 6w(qF/I Whlg'"iA 3u81W~)iZ 7RSB-36McD\Bbs2BMzWz2kZB,&4?D QOY,j_*dy˖h=+lIiY¤xNg5rY0u):_-t1!ވ[Kyl!P5 eɯN?\N5m"@ʃK0ʾma,,#Li^ d#j4OcI$sŰX OWY6#\+l5] dDP+a.DQ&KMN\16abtv[D ZW?/0ǻCw+ +Gtk=(pU!kFy zSPm!7,DkRH؋˜;Z8|}oO/a 1O>4pL[68nH݃AK?,y]Ծ% sBiN?>!]Jwny~m߈r~Ux4弇bu\eg?׳,l6}@-~ײRk xPu$7J͛0#Xh!ժ.5bυX2 6#AToc~٬XCZ}iX ]o՞Tw6nr'oWLB!m'mz'n{4p*b7b,L{9/[ 2%^[)?LNOQ%iJoI\㞼s?3A $ :Y!,)8[yYk7x P繥ӿv:$$oL3C'}BE9 4 Ma7 nn.@J0+ i6^M e`KSho _(P9ZR7#M'^Zj7%(v tzn2p~/]EU"\ƄUSƒE;8y[&$>!&:KضreNnk@_rEgSeNhu꺴C*2;Q_ =ȡj rU2gOLey ;SuΖ5n]q P.B8\Yu[<{':uUpw Z\~t+Uyl7㩊LUi'VQ4>:IDM۫ԗh;M$ 7lR+$+6nq.} EGP??bkLh;D@ouF:掉sK.n2daEzf@GL]L jxT+Y~RpNI:e6a%(,b)ݝ?Mhm6XHYmԺ}+)B+{-Qȫ`DG) 7V4n:kX ~%ۺDGy`;0X4]/:qd2M.>c7n@? P1y\#T<0ʰ(cYEYlwBH~[HHNkrޤp&w9ل33m\9<LJ)G&glvE9=(nF8(!]?cY|y#?*v'm%EAJրkkc>sGU:PI\Ԝ H>32VĽ08ph 6^#lQOe=,qo Њ Uc?4i)BBDpm"? >GeGTst G))9# )(&?S\Q@dF1UXT}JfEj6Ē.|>u~^):o1fR#/*&@~JF`ۃ/8kZ򪻞8 ͹!-TfĒ)=BﻵJTSTWsDvrƦbc"/~I=9rN1LYV{R Y#^Ѻs8kF5e-{n˘ˮ]LtuEr5;=f~@-K-۩(BK&vܿρRJN v2bS"VAjSDl?_/7Zxܹ ,ɦ?P_{Gx!}.4Ɨ4ڂ|`!%SɣD 4 tn5Q+ΎPeKOUMNuMWcR?3EiUZ) BǷBe*Y9NrP; FYrV iZ (7Hȇ6\biG 2xa"$Pʻ2/j60R==L^G^~cH&`[uVgDnZy+%Ɗ.{.rփӑxNjnN7$5+5z]闷:Ɓ9Yxv gNak+<06-bbPo"WZ>{s)ZCˠ/v8K )5 ҇^ATO_oϧ^5فȹhRҒA g齍G V 4;~Mceh)-n,v%.#r$yw(Pb[Mԫ9-H Vy+GZ+񶈥2FI'hv^beYacD"8o1Dʉz%hw=xV"vy%Bu'3V8:Ҋ]\V9ڃX}&X8PݘuHOX-%J9Cs4OkNYǫlӬ܋".~QHeȃ}5} zhs6VDDƲM`) $vOr_!L<ڻPؓ:NWm8 *8 pS7\v0dv?֮d/)|Tv[9qUۋ5nݾQ^'u+Z2 E"Hy ߺ@s~7zX>)#ƕr&0  N|P57 6ܡz}xG7.( yp,Qk$ѐmxSAD|{.9>9e[x HbB]5@N5T*X҇DK|o)kɩ-?MZ9HcJ" 뫦2e}t@&B_H\$[w}}C$ :Ux<)l@-xuWb%3w`ݞpWoc'(+v)Vpyf&sDc7)ԔG]"WRi:]$R{*?dm̚w/8&p{4UvQ7ۛAkOa6CA[l{3Q4ù:=A F'zȷ$/AV98e~w+):is22ۼܤP,I 炶Xq-BEsiu,>2npx@6uqQĭ;OoTb4<"vt Pyd#XU/4[͖#UNʭE9V0Z8 6U9ic rSCe^~ƂiTb 4ƹa[Gw68بx!,s62fw/6 f/V?XJ$(AP{=4ंYJb PG~MY*B魌]= YVK$c]M9v$UG8ClO9:gz_~N()?Kfk%?69 +*^EB޵쯅j@l^o\n.A0ɇW jo{}}Limvͧ+5}Iv)56t<.Xel9mG*ZɋXѪ$maTɢ4SQcYQPa5X๙7q bxѻO@I9B0St%>Ht6aoET>Ԫ p?ȔB\:_SJ GMPUz8@I2g#e(x< %-' V ?5$v@* OOوJ"ˀx%2Z!Z#?"♅s`b0xJek=!umѸ5%?k,e[e8iuD3dw0-o)m05ڔ ! gn<% -r@G@]D{YOٝ "icGU$.Tky;`BkC=fTL*jBذvRz(/KAK;jnEnlRS9< '3tr5 es}:_\ql!| V|=߲W~Ù[x 7TȤҳ{k֘+|0_|̡yi ,ρ|^ Q7h.|b%7i㔢\vMM Esx]M5t\f8pz홅10)cP]3Bwv1 9+پW8;>b֟,OgZק=4߹"~gP E0pNFKWIAmDI7v=<'ፐ.E =5ЙP_#vʠa{BOA}L:F{`o'(-LG~0J {vï ۊ?v9v qY=j]/;LX9!2jߺeYu A'}y"kD YeJM]0ֺ۠/O}I0QBA$LkWRKR(W) ]&^V%ǯVrCͺj^L>Ғlu ^tf:zd8%!LS!e76bQkakT*Ͷdb|1-Nđij^4 ~!h| 䟲?NEck1 6-)P֒I]f:,<10sgEd>{XDzg;ɬ1Ҟk+{qXe0.=BSOp?!nBҫ:qh}⺴&3ȭ\Պew)_۹F}b`V2ੱ$8Cy6ދ$Tedc\M\,UNM<