sssd-ad-1.13.0-40.el7_2.9$>Pm3i?zǔWD>;Fl?F\d   8 &:X^h    C Lh8ELE 5E   ( 8 z9z:Y\zG?(H?DI?`X?lY?|\?]?^@b@dAaeAffAilAktAuAvAwDxDyDaFXCsssd-ad1.13.040.el7_2.9The AD back end of the SSSDProvides the Active Directory back end that the SSSD can utilize to fetch identity data from and authenticate against an Active Directory server.Wl1[worker1.bsys.centos.orgCentOSGPLv3+CentOS BuildSystem Applications/Systemhttp://fedorahosted.org/sssd/linuxx86_640K%3A큤Wl1IWl1IWl1IWl1ZUӏWl1M>M2@MMzMx@Mj - 1.13.0-40.9Jakub Hrozek - 1.13.0-40.8Jakub Hrozek - 1.13.0-40.7Jakub Hrozek - 1.13.0-40.6Jakub Hrozek - 1.13.0-40.5Jakub Hrozek - 1.13.0-40.4Jakub Hrozek - 1.13.0-40.3Jakub Hrozek - 1.13.0-40.2Jakub Hrozek - 1.13.0-40.1Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 1.12.2-58.3Jakub Hrozek - 1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 1.11.2-52Jakub Hrozek - 1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Resolves: rhbz#1339509 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1339258 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.- Resolves: rhbz#1339207 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups- Resolves: rhbz#1337292 - In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD.- Resolves: rhbz#1336836 - IPA provider crashes if a netgroup from a trusted domain is requested- Resolves: rhbz#1324442 - sssd be memory leak in sssd's memberof plugin - More patches from upstream related to the memory leak- Resolves: rhbz#1324442 - sssd be memory leak in sssd's memberof plugin- Resolves: rhbz#1311569 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17 (File exists)- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.- Resolves: rhbz#1267836 - PAM responder crashed if user was not set- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Fix a Coverity warning in dyndns code - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1263735 - Could not resolve AD user from root domain- Remove -d from sss_override manpage - Related: rhbz#1259512 - sss_override : The local override user is not found- Patches required for better handling of failover with one-way trusts - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users- Resolves: rhbz#1259512 - sss_override : The local override user is not found- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help- Resolves: rhbz#1254518 - Fix crash in nss responder- Support import/export for local overrides - Support FQDNs for local overrides - Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes- Resolves: rhbz#1250415 - sssd: p11_child hardening- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected- Fix wildcard_limit=0 - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Fix race condition in invalidating the memory cache - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled- Bump release number - Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- Fix missing dependency of sssd-tools - Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- More memory cache related fixes - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Remove binary blob from SC patches as patch(1) can't handle those - Related: rhbz#854396 - [RFE] Support for smart cards- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*- Fix memory cache integration tests - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups - Resolves: rhbz#854396 - [RFE] Support for smart cards- Remove OTP from PAM stack correctly - Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Handle sssd-owned keytabs when sssd runs as root - Related: rhbz#1205144 - RFE: Support one-way trusts for IPA- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on individual clients- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support - Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2- Add support for InfoPipe wildcard requests - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Also package the initgr memcache - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Rebase to 1.13.0 upstream - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Don't default to SSSD user - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Related: rhbz#1205554 - Rebase SSSD to 1.13.x - GPO default should be permissve- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x - Relax the libldb requirement - Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21 - Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs - Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust - Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers - Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains - Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups - Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set - Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides - Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution - Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work - Resolves: rhbz#1214337 - Overrides with --login work in second attempt - Resolves: rhbz#1212489 - Disable the cleanup task by default - Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf - Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one - Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected - Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all - Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface - Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain - Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys - Resolves: rhbz#1204203 - sssd crashes intermittently - Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default - Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only - Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries - Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything - Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query - Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects - Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name? - Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error - Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD - Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set - Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires - Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option - Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID- Filter out domain-local groups during AD initgroups operation - Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Initialize variable in the views code in one success and one failure path - Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Handle case where there is no default and no rules - Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u- Set a pointer in ldap_child to NULL to avoid warnings - Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Run the restart in sssd-common posttrans - Explicitly require libwbclient - Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Fix endianess bug in fill_id() - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view- Resolves: rhbz#1184982 - Need to set different umask in selinux_child- Bump the release number - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Add a patch dependency - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Process ghost members only once - Fix processing of universal groups with members from different domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved- Handle GID override in MPG domains - Handle views with mixed-case domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Open socket to the PAC responder in krb5_child before dropping root - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD- Resolves: rhbz#889206 - On clock skew sssd returns system error- Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used - Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Resolves: rhbz#1171215 - Crash in function get_object_from_cache - Resolves: rhbz#1171383 - getent fails for posix group with AD users after login - Resolves: rhbz#1171382 - getent of AD universal group fails after group users login - Resolves: rhbz#1170300 - Access is not rejected for disabled domain - Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode - Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear - Related: rhbz#1113783 - sssd should run under unprivileged user- Rebuild to add several forgotten Patch entries - Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Remove Coverity warnings in krb5_child code - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Don't error out on chpass with OTPs - Related: rhbz#1109756 - Rebase SSSD to 1.12- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users - Enable running unit tests without cmocka - Related: rhbz#1113783 - sssd should run under unprivileged user- krb5_child and ldap_child do not call Kerberos calls as root - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware- Fix typo in libwbclient-devel alternatives invocation - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.- Handle migrating clients between views - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Use alternatives for libwbclient - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression- Add an option that describes where to put generated krb5 files to - Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12- Handle IPA group names returned from the extop plugin - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete- Support views for IPA users - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Update man page to clarify TGs should be disabled with a custom search base - Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Use upstreamed patches for the rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Resolves: rhbz#1162480 - dereferencing failure against openldap server- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1113783 - sssd should run under unprivileged user- Fix two regressions in the new selinux_child process - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1132365 - Remove password from the PAM stack if OTP is used- Include the ldap_child and selinux_child patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Support overriding SSH public keys with views - Support extended attributes via the extop plugin - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving - Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times- Include the responder and packaging patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Amend the sssd-ldap man page with info about lockout setup - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD - Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server - Related: rhbz#1109756 - Rebase SSSD to 1.12- Add the low-level server changes for running as unprivileged user - Package the libsss_semange library needed for SELinux label changes - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Use libsemanage for SELinux label changes - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Rebase SSSD to 1.12.2 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Sync with upstream - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebuild against ding-libs with fixed SONAME - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.1 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Require ldb 2.1.17 - Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer- Fix fully qualified IFP lookups - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.0 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Squash in upstream review comments about the PAC patch - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Backport a patch to allow krb5-utils-test to run as root - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Fix a DEBUG message, backport two related fixes - Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success- Resolves: rhbz#1078840 - Error during password change- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider- Fix idmap documentation - Bump idmap version info - Related: rhbz#1067361 - Check IPA idranges before saving them to the cache- Pull some follow up man page fixes from upstream - Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does. - Use the right domain for AD site resolution - Related: rhbz#743503 - [RFE] sssd should support DNS sites- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin- Mass rebuild 2014-01-24- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed. - Fix a typo in the man page - Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain - Fix return value when searching for AD domain flat names - Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword. - Fix two memory leaks in the PAC responder (Related: rhbz#991065)- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup- Resolves: rhbz#1049533 - Group membership lookup issue- Mass rebuild 2013-12-27- Resolves: rhbz#894068 - sss_cache doesn't support subdomains- Re-initialize subdomains after provider startup - Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- The AD provider is able to resolve group memberships for groups with Global and Universal scope - Related: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog- Resolves: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog - Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"- Resolves: rhbz#1037936 - sssd_be crashes occasionally- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains- Resolves: rhbz#1033084 - sssd_be segfaults if empty grop is resolved using ad_matching_rule- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- Skip netgroups that don't provide well-formed triplets - Related: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 - Resolves: rhbz#991065- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash - Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 - Resolves: rhbz#991065 - Rebase SSSD to 1.11.0- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 - Resolves: rhbz#991065- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 - Related: rhbz#991065- Resolves: #906427 - Do not use lib64 in specfile for the nss and pam libraries- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting- Apply several important fixes from upstream 1.10 branch - Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- Remove libcmocka dependency- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doensn't carry any older krb5-libs version- Enable hardened build for RHEL7- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath insted of mcachepath macro to be consistent with upsteam spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. - Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested tar get is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstreeam spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predicatable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. - Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. - Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. - Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. (Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)uk1.13.0-40.el7_2.91.13.0-40.el7_2.9libsss_ad.solibsss_ad_common.sogpo_childsssd-ad-1.13.0COPYINGsssd-ad.5.gzsssd-ad.5.gz/usr/lib64/sssd//usr/libexec/sssd//usr/share/doc//usr/share/doc/sssd-ad-1.13.0//usr/share/man/man5//usr/share/man/uk/man5/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericdrpmxz2x86_64-redhat-linux-gnuELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=fdc14b49f2dbf6c0cf4a0eedbe169a92ea0edbe4, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=3e55d81be00be98a82b3f80e2a866865f9005253, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=663e05e80f00a72178e4683a27e25a2cfa751ffe, strippeddirectoryPascal source, ASCII texttroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, from Unix, max compression)troff or preprocessor input, UTF-8 Unicode text, with very long lines (gzip compressed data, from Unix, max compression)9J9PRR R;R8R%RRRRRRR2R(RRR'R)R4R5R"RR RRRR&RRRR9RR.R:R-R/R,R+RRR!R RR$R7R0R6R3RR RRR R1R RR@PRR;R8RRRRRRR'R:R7R)R RR@R#RR RRRRRR8R*R0R6R7R"R RRR&RR)R RR@?P7zXZ !PH6ሀ]"k%w+p}zK抯ütkUMAO[RV_uno3| sW&W|g\>HmyvZnןe4tkU b_IoU +?-j\sp'Dh W)cv C[4jSҒ`a[V@D}پSr7P$DL?rkՙ]95Q푇ӗrUlR^jXоQqRt :B9VtWpBJ&ft|,#|G Ks^\8TD ]NEg> λTE\'li;Im^Ѷ @kq;?+ X7Fs0e-Ѱ=U_b: kQ6g.ުtJNXo*-'^[ {od)Cc6IpJOw\%n"=: qQ-v[Tt#=޿&K9(<{fW`_F04 i)pi;WB/F{D@S9dŊGO^~i7T&_]cs3xPrxJ՘渢?@?tN9"B-GV/Zdp U;8*yoSZji|\I0DesuY¡ɿQiYcGVハ௠`|¶`ekd~g~lԯ/rF3K׌\LWƱT T zᘸ]<7,`431ֆX^fQ JvH84pӺpS*DLm{ހcK\{v#7z\QG Pe>QƛClaF}Sٯ΂ҏ,Dv\&&O_:<%? 9t4 #g냙չ蒡B%kg8}eӧǷU AA@UΨ#Al#r HD](+Dp,ءwc\ٛ( *KOM%!e~=D=,GWSL\vfU<7R,\#!T h|zƠW3B >98+?1BIH ޯ>_Dmdթ2T?W*\Λ;E{q"PE`.9:}SQvVB2f_)ہcA+tlYPȾijy"7@X_S[5 3?"x^l0ZnJ'`ʫGkbFu ?]-K4ƙ|#Y\ݪ &x[6?f|uoL5Gcl=jX|"3N|M) @cB 7gnup] yUbFT<7g]øW2]~BQL \tcѺj?OȽcf( 0 k7DG G-(;qI(1vR"\AbN155~d7Ͳf3<-MeBX3VUڑa}@j zHhL#|"v M˯8`9!(1vW_ӐBL;Za{Aoxjm_.BW'HnVہ*5>}ZH卽@qbi5c6`O0*d.s3sѪYj̈ywJ(o\23ρvx#ܟ&Lȑ,؝Lq[p*aV@xq;"1B1d|{0 v VĒA9A j".?!N)7\.ѼX#s6fP- .5̒5Jf,)}LM&'Ri: wڱŁd2̎C;d:I\`: w[-kzHtVeNodC{Y A;Ǜ>\hlC֌G$_76R(d[%LLe"vQNˆb@QYwdPDu#|, o uEm卵KG"K;FSi6O|)Uq,#4yZAk%Bk׼uȬyo)_T%Gmy1[ф}y9 O!7<=:]m8ݸXC ɣ ܍\tjE5Q >̞d @yM~ ^͇DMn]֖bG]DsBqF9y2 I˥*pzߎͷZf5x ShWEj*P )c?udS_# } IOe%qji crb/S3r‰K0a;>_ W{ȟv?,{EZ) ;1QzՔ}xf_;[h!~q (F$-փ5E$.\mT$Ji͵,/eJL_>A'R$Xo Л o9lܠ{d&Դ`4%Bm!|ͼ8efL{L˴d0z5aٕG޸Jn[(U` V$ud luBMfPӬKVqn9@:-xPhqֲhWXK R2b0mhuo 9k?uі;_ҠrcׂӸf-=lޖUz_Ku}Tx|SZ&H;I&ydeN>ofyZ^2j6>Ao,\?4<@eD^0l&#Pi@sK.0z(U4ӜŏIļ{+5Z-BdQӹ֦n,X qn`#"E˹ygɒ7V>TP-6톢 d_3P"*8Ŵ }&523 !x3!lނD&Pzƭ ! 9"sRЏWI3PNysUզ>~~\H@::\쉭tq'}v_! l\(8*ʾt^܂[ðhYIS ;-; R͗9 bf y4-? ~&Fi (kx>FpTR"'_z"]2EbZ$r^{yP@erX |_s?́- q/f%xNt3SAsKI4FO5[JL E8Wz,P6a(#EVL*GηG w.-*yQ޶QMDS%&0>8c֏gDl:O15`2}ցeIjKZI(pĞQEΩa0r9Hˣٛ+.G)watYj6~狠فPݏnFim-> ϡ͟oa*6AJʄF=5#v=7JlbTskE >T8̾Y"6u"J<Lg6m.c&a;I4a|x/Ds=(ւ-괻8[T{g˄5ʤB_|YMμFT>雬[8ᛜ0T3"`,TF&j57 'R=A⏻We>nbmok##]朎>v0;a'MUYuC]]aI{7(~@vi@aر=O)x&:.@Lf@ҽ%̬I\8sލ(Nw9ko='74具GS5gHzG}} Ug۽Vƽ.LS"286 A߸-=5L4;P WWH@/YM~_)j} QCԕ!-ڮ; nx5jU4eg(D%ط`z65puR%EYY @ 2 R:jnP].+5cέ-DK k͝&P@`bW4z آ i0he]=MaVׇ$3 Ԡ>{0k pVɬnp>|5RټKMh?{0κs,tk)_D8z8Gղ:[;Թ`7n )RLS~6t@ꘉ! :J[g:˺D AY5M`lAyC悋5L40MDu:GͯdzulZKxDs9R>W{OicrAo$ Ԑ֤P<1r: lW!P*ϓ@O ԃU{\ӢYgrj }ȼ>MSk8݌I,U_G n1-̔V0p6C)i mwW f s19tOqb_im3>(mC:s~i8l N?\|ur\C4'K O&J&َ-&!ˍ9{8S*€ ֚4[LAIڡĺEE( P0${7DվJ˲6;;6Uems쟯jq*n>i*`Sb#QrO^*amIt%.N<Ĩk/a(nG~fwMֱ/%q bMW^^)3P2=uI:- 'z"*z?i}HRɡLͼݍbj)HIS|dgP;x솨CwHÉ.gBtZvJI\A6W7̲!.c7"ijSk l5+AB098GG/INO>N48M-?ը4 w;̀S@|dZ.oF$*q^TGj zbq(x{;MNSjq|EGNA~fDsٽ:'tK'1"gw5Y%y~ֿН >k tWM-862qR𱴻dTi@-;*lRX|cm 4*d}5Jhv\#kJ)Vs@\m [U|y nS.Y}C! ܸd=++zj + h8Σؐ,ؘ-tymȂf3ha=GL "{{ҲeP+DCcFQ GPs  >54G\\,u{ی ,\K0f:^.Ty 6s,п[SEa626:32/c$rC6=}=[q7 :L JbMt,>i|Rm[0ht4&Ip r+ tpy^{\`i!, 7δ9먁R{Dvҗs7\ nM cB.)!/}%ԳAމ-)Wbp֍hg sXִ V,b=kWo~,'!6TjO''-hXdsY ٜw $wHLkR"^oH~Ab=-;%KM.|k9eN fsoلzONCE4!8m>4~$I7JHh&o~,`"~:7=[hO!KZ whrR G:~)DɎu:f8yG"z4!/kT(H_H"v^ge'1qM_A5>Td=Rw"\-PTvGĢI;]l`Ǣ.SViI$l =%u!Ґ@(7a 0df+{)d]agdk֩-= e?fQER;K)6o0;1e׈8c2?uتfinA QJ.m=}}onl]#f 0*}ohPpG޷jƞ$:'Sm+dx6!fYOa9kfZZ‷2*_TFW_K:?8(&>Q>h?  v7-&MFB p nXV3< "f/SXLpnR@z^x'Gͫ*,+7AEl?0/Lus+qLfAjDwTrFJW4iN{Яnp`}I9NrK arsLdz,w>LJPf!,bؐM<ǤWx`aDSTNnB䓚NU9,GPeK6}>Mk+U1@/`G$04hP;[x! F"N1JJh$(uABUQؿrv <:MQfؾN#t,|]28 a:g܆Nrx1Ph%G bXQ_q?WK6wU8T1NEi-Ó ݋!Aw{NnzN1)`Q^ 讫֣~Sn+HJ$Es&\+`Հl<5S.ҵBL'wn0 &-Pe}IE#Rbd8R8A+xia$T>ǣMˁ/rq^UNUPmKJYI'З>m 7Jx$98ތnE68bOYN? QK$xamx~pt92lJsj6|jOuϜe"5^Wv\0@ dx@8%Y/GΞ]q qfDAG^X":G尼2kz(5T%^=꼒kd "8n(D/s_O7U_2<j ͂ܭ 2J+3Agny VNzWP. ɝ{ LZ*s7>TDаRqp?)!'z^V)m><= 8nY}nM; @o3rR 颿j4/Nؕi eLa'28& g ~7+\9Lk`#Z VϦf?̶d񕫽8s< |W(l 840G|!e -=/ىǢĿ\ɪCk_sHktW5G!y)/>n.ZKm`ϲ7SCGtI*a ,(4tp#≐)kfzuPW,vO/ ` ]B4sC{..j 7 hE*a˂>#{o?_ 32~;ָbY#ƪw`1UPqnYGV-ͭ\@.92,6ْ 5.a:s1ttPg;J]F`N]>T{"͇>|i{ gE9]y"CgRqfKÃFH~UR<KK &5 /0yƓW\4RrMpU?%}"W?w?*W H:w )hfJZi{R\Sv#S N̡[3"l/β?2Q߻Ac@"x%ey^(VhTASb+̞o8twBd!@+$Cwbm ^4~Z4O kMAۇvB|Cfl\q/+5F{龊TGnƫ,v( Ab̤𰨸HASJTkү+ٰeWmȱ8.^B&B]x2Y Y!/8SUoh BMnjB3YtX.Eu6tƎ ^뭈h0H 1 P jxxU6==,d&*T &X_xSyܹSP<\4_MdAڊ]&F#5- ϱgҦr˼8^bVjaMW10/aUj$}S$R.۽hoU sXiu2 c0%P͜/З}`Ljs+[kGQ1'1Rh]-nԟexaYKS 7{X\2 މ-"c>'~ ]6Z⬲nUk%$!/S<^nǭ uRp2LF ﶬ` ^`GL89!A11i u\\="0V;7hHO:$ߑ%KL|2"2xLcPɿojgXJ1v>Ff-%o7/2ZOrjI1>-g5O0i( yvt>BdoƤ ^`iԎB #騃:\>Z8$C)\)<ўY|gA2s\t-mvZ()N>EZ<bm![W1P*䯙1qཛྷ̚i~.8'@.2 SiX gA LLöYiPg;HxpivpN5d[0SOF Jkdy&X zNvUR>/e󇰇y${ś*6끄߽_8ތV=C~^t:y&GzxIg}` oCa *M\t7;Pߋo" C25ѝaRɻ=vծ2=zUg&kPvd>oNj~XiPi >?ml_ [l$Qȁ}l)(ۍ޲RY9*|үCX,x˗ݡVhKy =oRd{"\8.aºdtib#,*2_5x׶~ڴ\Sr* 7fG%V!  E\UV5Js`!O㻴/};h[crz)+J/݅y'v(4;jwHNJ9\~-_Kg+^O4l1{1)W5z,fUjkˏ9UU+Xb=R5焦I(65ñE򦣲iJX/HݦKV *~ !YCzT VQtdȸ>'y9sq)3f(BD)@o 34nfMߞYٜj%A7#5g{Z Yw*F* %P~R9}ޚ݋"ׄÚscɮ< $Lă3͙ݢb7:"ѕc0[:N޻IN6(|I>}W(ߥ7z() =G[vJ*%'o~AF5@q@Xd)ݓ*܆XrN(;z"tᶵ HZ| ʡ&cB.͐⠷E~Nbmsy!UnYؽO0L(VFE|^uaхn0_7׆o%%/sW@LX@ -vDF's{gNRO67bf|#4UL ~EٚclmLjDq ЭX:[  @ 21qg%o*W.]G?@{"mk<[OCzB97htk=%S6ߣݽgPW~W,yD׍E˝MGf!}|VUHI UMS2)yL:DHJqut^ >9@)7aEͧNoy[TjDv^Ԋ]k3) \a9p\Ʈ4˜+H)0zs`cnw $0DsiƤ+g>+q|ٹ]_>I͟SS'T_K=jd ,n@j1mzY˲[#pXZ Qq'&/@a͎w %Ǿg!ku7JtՔdx;5d#%qYfP=l3GO,<+}3Nռ6ȨH `9"P8T(jN3PF\4:'X;EOa_WJ"!4fi!K^iҝIԜ€G4#lw['83R^9~QWuȉz\ px%x#?9.mhY+ MaYޚUh{9([vuQV3Xrx#/+.ؓl|xNzѴN Ӽ^ {؟`} i4)<SN5P%b!K֛"ׯ{ϏLks%">2!ɢaE 1>?-):JjGLCŁ{ {e)]n,x?RNl`ݞjI >), `}wk漮V\uL FH:-?TCM%ęg_]u7BCjzqP?Cģ7.'̡RrWf&[HUs8jPf坌<{xrһ Q)2rE43'[>?~дxUG"q+P$u ҾJWC@.sCᬀ cxa΍G WdoFV8Go" LR.VwܘzA1[ mPǶK=ըujcO ^H/_y+40 )dWѸ[AuQr)^7:m-S @B%z@[7N1׫Os{kcPM'xS;RRtXWxj,asub(\x47ruE哈X6sL)[YVW*eQ1zIΊ!wAQg {% 3;+bMpTr--x >xߝdD'j%9>}EL!gB֋ѩMM,3e^o߻/:WH4޸??Qx[Ӭ`lsJo]JWC[60c ݄}M|n=$x/#Al~1 ]&3#32s#]Dӈ~9s{:c̙A$.̉C|$#;%,hWyǂY/ѕaz-O3Zb[ 2K;29@Mm؂@ S! t?cv ^4<ί5;hǺU<)RQ+ Ù|ZlB4<̳FGBYgute>izea]~,UtR:BRHzHf]fԛVv8q@yO B p݉óVP"G(qTYjHAҧrO;_@V1mؒ BKCQBsX K>^Gi$j'JɩCԆΚwF_d$>ay3$r:x?Kyzf ]*˾wa5Vj5ž|`)4R`0|_:\<|+|mm!&SʕKJ+g 2}O%[۫$dPԭoy=A B#L=~kȖ *4ԳyRqRz8?;X-)jN3JVD=y3iiKqė:҃[T|EPhGHԽ.3}=1bE/"dRlCso[;dja7_p.PJG噒>. R-_8J|g8b6̬w͛wEv=>!rMC Ҿˆ=Q(_{iaQAvY7W ab+م.!_(H@i=(6&b*F> K:.ڞvl깞CSGFq`jgRҰ~l}M /:/`RW % JlsPP$\1kxsHSUnL_:!gO/: V.C%itlBS(i+ڱ9!(I9FSY#A%O!~tj4Vozլnjh ;ZWټ]3D@"m'혒;}\llxr8'H"*G9QY pY #l,UEn5MN|r#--*eߦz87CtQ X.%lP"=[-1aW)pÖ!1^Ond$lvPBQ@7iߩyn| G3wΙuxRhodr0S9֋ *.#8h07.hM/h\i5,r솛H8D_IM6ɺ ~ӷ4)1=Vq`zl$`2o)/hLd>Rt@.y"b0e-kF1X޴SvT^ Iw|vث ͯ馼2 [I^"m9nO6݉2c rTVRX ɶ[FKܰ&C'׾L#Ds=:fIЁ5, $ J|1$vHgǀW{l"sER~txIX'2'Jsůtiap>4Vv}l8@.&]|w2_yiI>w a;taq-s #^\]'O:ehl9zR{{*t"El[?௘zc%z~U$Eڮ֝QPw X:7j;*YonڑtEbWryyĎgԩWQ[>ϟgabэ!~zqx7 ڠQ$BU!2ɔu#Nܗ`Bö妎U;A0f mA> Ѕy[BrH3^Te.|b$ͥWFnT"ٍ/`\pj&1t肤ܩFh.0mFe EIg#)Joܸ:1M^t%b1+%4pPxt&"43r:灡#0B^="cAR<2fV9s>6 Gk4%F Tyd d7|]?r!랰 z=80H~q 9FYng0I9Xc]G ;"`1"třvUord,lғЄ)/yZ UˣA%y5H>XgdJpI1Dr[[nZ3 RHby<D)߶ɹU|>næNvzA4B-@ڋ8Zx텞#l.3i6k/§5@˗esZW"{ƽcnk 7^DVQ9>yR41>k*fbhj`AֲN B-<52'jk=CүFxQ+ &3 FM@"Gˣ7UMûZy9S AqYۺ,1-n+P|]'7N@>&bgVh:ݴס D<2t E ֞WĖ<ßvՃ?L<0lZc=X2}d*iEՠ^6T^`g[qQD2\UMހ\ώƀ !WchQnU0Ju /0OQgy38mc!X"ڱWcN<:8hMx$iq*6oFP<[2'wWrЌwlt8Gڦ~T@&##%E@}59A}Jp,^z7>b]Jt x>}+@]-Vrpڭm6HF "vSS]t &@NL+)5!j53{Ђ_\b-mU3ewl&@KQv!ƾr1E';A)ktu -^EOr#ɏ9ztFqb3^sK Oדw8agyQ|Cܦګ(ͷlϾ3M,yVBQR+Z^ X"m=ÌQkȷJRWcLkKm:-0nf AdUFw;S*lH%{\>S.t:P\wJ%:_WpIDʞuS|E5–Κ (e!5`Yj| [RxABr&Y(7ӽBbv|A~myz+  %ʮ:F1UM͖ _iYMe2-WFi]>)ԁe8tCoFrݹO).|yKc'B g3Z}<&lG&ҍ HSH䍾N Ju2NqJ\7Tա$4/Y](pv:&u!+f{8~p:J:ӳM ZRAnS׷dWTZZ}7ӱ?i3!E}xE# pehw{TlArǝ2SZeͽu̒h/jwb 1&IT|,$x[Hjܶ0 ȹ3v+{[3=ĔQd0^ @){90$$?IOsS'l58Nf:@ZJz{M3?FV"0`ɪWS@un-ꐊ)(oBNJ~JdZjEȣ3R0CcG(byv}7:|Ľ㫍>C3kw+z5&*Y9k]_rf ]V.!@ώdsTD+ވ,gpWFT @/V9%P-4:;m\/pBkHҺ mXj<"u|_}bx dU }l}=+[vxc9V]}\UGbkL걏 c:XOnwT)$_wLc)q1 {kBvM È [᱃ؑ.L$tdUy@%/iYVf1<$XqEPq4aQBi/R&{^zOT2S{"|[; Yުc^ݼ#sKAnNtߘ_? 1n&VsS.!|8Ҥ*`lɎ?dKo!n/q κsd_(7Y7K}USځ^adZ*ql/X}QIP.4H)tX1]( E0[I!M5ؑw~Kl+7 xŴV"Hg@`(*6g%־t) ݌B6ǜ?憉g,.݊͟T6zeЏ_JXJlY'-efCOhjR>$ˑ=4!Jm 4Z{QdX6-kwwT.pk./m~|ڽyLDOm^JgvvZޝj̕NţA#/,PWAM{3wPS-J;߃*T7Biv%?^0}z"=f{r'!dCcA/pQmU7'~a9zUThXtb5ȫ};c"./|4zZ_ L$I@ 'Ir^=;HGͬ w'g!.h dA !&QUEщOXC("c|+gY{@ 4vi @OאUȅ%z$^wSM9'RQTᓺ#wdw^?'J& ̈bs%&%5)Y@`C饇mu =⳹kYsS5=N&6|p|@zÊunLG%GƗM%w8\??W7Tѥz<eW܁N;o2U> GT4<1?6.Hknr_qtᵯ 1j 2L>`V:'Aort7vͤ#|UaxWRDȻO R=~iT">sp A$w]y(2gi25qCv}Qb.U=6!ĸTr0 N2{5_ G%Awz_Y{Z st' AcCAЌ$&gv ]8n%o]66Dkܙ:b4XbOȃO~J.Pr]J 9@dJO3C ӯ<쨩1 tU`\Կ?Cۘ7]Pw. h/R|y{Fܸϡo?]@Hq+28Bf%zi;A4Z2ӻ5eqVBtns1$$ruLԃb.[Mpx1ƷJ9 xkW෱k_gXA箲7y2AπgJP<Ă,X)u*ĈN >6HqIxa8IV;"*">zod-^Oî;5ea)%AAryB^vWْmֹ<63 O>iKN-ZVŢԸO:/)_ǿi0ZڎIY`X[זPă%mS#nK בU7AeLmev (PDmfYxZ*礪w`R2^\4!zpd!ev¶WϺ& ~" 2 5 Y#?V4ͭj]O -% KpFjdJ &%Zwk*xD*~QYkyU֔βmo, lHLuvlgY;MP"W,~FU@FBF#\I<QTkw |)gb[CdpڳP&DZ '7G-ls:(0Pk!XDЭ?6z? 9#/zP8Jr 3$*s" ~@pܲQסYRq6uS[;|M{ r@a*hґ[8Wl!~P0a!B77ǘ#vJ*,Q _dȞ{h_yV}n7<0ȁ_f˓劳=`ؘ,u"qrD@mcp k5!4y/[@'8#l&s0?C|K1 =4T&K:b (&{ObpZSsr gVɋT BZ<:l qѽ qKq+cC˕3ZjU8DPS@$Q(Hw;y gZ#}*LClŘkN̶] LZ2fǗ \ Śe77k FȠ7[=rr\mEV]-in8r 󑀳m@)O>MGL+ـhS]q}T;_JjkxaPĝqeЇ,Dm.!}9-mC>Rc>`V6eyyo; wT˶Q_Iza&7c,1dR BɧPΆ^{W` 2\՘A %5(k ձ `W RAOR$Ik֔c?|\1Y(_d;'5AV*`2.׽?_lǎѼ!!.pA;YlCP!LȎi Pys<`>k<4uX(`3=<݈ 8R<8u=Q`/#NA3fDXb3~tNڐ$ Y΋`ghoXW3+e"łՄ &?ORYB nnil A'aW=T[sny;d[b6֐mj/ BeX?v%- ODuzTܹG_ًNS.6 =^vF>=C(;=7ܱ{'?BQMi_-V Q^sU"yqގ!>#9ҟ&Y#VZ@z/բÖ6hXC#?;y=G F'0u%sdM}P]1Lz+PAffsa:T7W'` 6Vc>+_9=-eW")0-:('zS5@IwқȤ5W.Ps}V} OO`V Ԇۨd& `'dYQWٔz&"`zxK9aVפď1n9鑓ނA׾lCHZ4ܙr~i)Le[eij.$+ܻ6+Lso}I4{Ҧsk/|hGXٔP~*XPdYY4.d#-d5Xey8ᛤ0lPh1Op<RY5t'|;y\Ko|}B΢.9 ArAiLV$gȍgvHchEPO/< c|n~>fFm^QPuй%+w3(>FSm٫66!SxG?Om u2nʯFlO;-TqxVA+nEN5XIaӛ'e䳧Tux\XŖ5Ӱ󃹰 iN!o00Q־X.1y(KdL8ͱ5|q\K2EL;фbBŊzȍQ ˋx\Gnӑ{&<܄&e@-&>-Fm-= Hoh-kCc?;̆~xcNl!RhTzE]oֺv |RRXh3̟*}|Oxg(dcDL0_T5 .'>H2 Q(IpݔJ4"{wk:u %E]l6? )gJ'WM)Gg.!ezsAk\!g¾[]3 qf77IBpI痗w]T5A:*Ƃ4p^}׳4W9;| ꌈx[ RZ@D'U9tm"$#9'HheĒ/gl|iÙx:Bs5&̅P;/e}\c+a<;,x>.&Bd%Űy@:kLjlW.I- ?A[pHDs:}=^BìE{xh=+ rRw))恏-2awђKrTVlLSqڍI$TEB=WɛQH74:)o(cL7ZrV!t'&Y$Ɠ,C9vM?448Gkv+ &-JO)_sPTnpY|Yԝ&gi?dz:'.K@uޢ)m_^`v8m;?+#ENL?Ux"etWLCn$35VU4J-FYa2B-,.j҃wzsHo#ywxq?*n.ޚNN'VOWï^YN˺8f/x`t*Ha;u$@cp:ޓI; 5vg@xyOaڰ?!$/vSz'b'%[JR?ZrJ߼G BS%w1izNMAqz:H[?D(; bɄ>13EF VF *[7vD,jɭݹ Z,_U aw 6e`rߍ9ePVN+^W{}g%X'n R+qg\nɨv: }"0Uf_d*.RDXx/^h@;vv6b!F"BiF-nY9[stPSr0p)]w"f j1"T n_iXDH歽K6ABr lS:$^EŞʌ!3=ߛL$ c~jm>]R* Gы-|u(ËZ~>d+(%ZȰ_S`nY.=A~6U?N-]qsH ;l*/lޥ̿a !}Lu86́&6Ny>?0*GnIGt pvFG+i8_X"5)j2>L닋@wDZkEic dEms!8t^l8]崕A^l\8Wm}`;\tCQRnmNpԪ#Bc)6!fplyO|e l~h(]Bi11)KphOc1T4VmF҇/i^diAUs1i(ћWjQ{Zysrw^̋1ȱng6mX,1d;kg%ù,vXՋBy1:X{PaOߕ^iJP@=xx82DVPޚ2>}hquLůjHOmm[)q3c_(P"Q`AǙځ-NL ;4N3F_sKWD|rY/Kpdeo[04ң#%=f!1iL){崠5DDyֽߦ5%i$ 7e]l \Fm܃%}d(zZm.mN򀿅MZL!t.}'ϋ'ei`{h]_ o sa+}ފ #RuRW _lȿ7ATpW`XZiMx p|$tK^:ͮw*fjC~8cfѧ@#Dn)ޛ+s UVLXη܊ϭb:GC*۞s^IDq*N#։ӊǒ%4`sO=I P@XUzA úB6/cJ ZjWWecH]=XR/6Ƹe%xV+pe3c 2^_A$â[a;yu)gs-b^Zx3EUp{:! /3h =eDoKI>?9*YݗҘ}:*s_ZAبs<5 -W"JWƍ(O&xj~J;÷ժT20gKk4&Oet)' =oH#FUtb ί %TG(pufK]$48r?n~MD-kuV qd =kiie '=xœVX'`c ΃UB&Lckkg},FECsxi#f\;U©1S,%s_ܣm` ֏;̺zh(-RnkPgq(uIa?ĩ/(0tRTi8a*"0k1"X쓼𜎓W `+eB/ reQ˓l_QYP;e; ;X-<#q-邨o|bM8`Ai]QB7~$KP~JF֢7ov!C\;?*kh[{Whu(K {OA5ҰZ<Otf>t'`Duv{df76ÁSB6Iͫ"LMª "UkEv &=TK+fq6Btڤ 6ֵ/߄j$6QX2W'n$-o{~p6XMŮ 'c"l;Ud4!q/I#7v4Vvr[|O$\Óm6̪ UaRA"i Kwj\%,ؑƆBF՝%k䟯ac7moKBBDPhHs ;DHN/sh($hef<f-]|.~?ې cџ:!C&8yYUYK=P9,o@?JՐ5De=|NcՂjgLQnGYQ8ٸlx\bm|i+~NT;rږ: QWx#& F3e!U709i-Ʀ_!,Ł!} 2\90¯ Ls0Ê^rOn=M9j4s% 0bG(s+E84 xI\ّQY;Kf=@XP<}aԙ҇x*Z  QETS?!j qsmpzW:홺/bbEfE:f4bl}_pOMf`(OΒ"6QF48G Bԅj gCA,p6a7ᬆyY)Hu\vĞ&uUs,=N,ڲC1 nokL͚x-mibc}}1WĝJM# *Q) uׇ'oS,Am$­r$DxjGsAO.R9q) y:]@E>>= Ak0V\TQmZ8&'gt=kT8_Q~(>hJSty hd8WA*M xR]هyfKizC<@q̨ޚtt?͜ N쌸=]a G2@7p ٜ>?S.-;}`*'@B $X(7@ᬏgBOgl }<\CNRql6O`IB X+k2, r$]: -HG)jQۜr`C% Wtqn%KNyͫݺ|*F-Jc(%m;Prp5#iCqA][i10L 5j؊W$nMs ECq)u@ak\~k {2nc]Y!! u8L`jG0ĝƗdojeJgP51ȟ/u"^>6Eٚ\~:-K_btak-Fib钡-wݞib4bz*<-Za6)\JaAoJ Lp[KMmCoȱL~JpfKGF<rĬrȟnT=gPfOdĭ6 v>Wjxa<h(URLX8EÂyO)(4c54rUIH!Z I"=-ӷ7]-ԇ׫CYۺ1k1t6Χ:MeI#Ṕۨ7vh)8wߩ]:)Wd/%!fR½Oimܪ-CI=+qMSw\;9] Пxϻ= ~*qE9~f4׮qV$PVNw)5AtXy (?cEE&XЋC2 GFX1Ҳaa g0lm"AЛ HGlLc*WGHω~X2GڵUF^kKK)+m7sHOvT`CA#樨 C@F< TG^rưžr6Xqp?6: F LE=-Moy\ 팑YeS@TR~G_$L7FlX ]ġA0R+̌ϕkF`j5m {ku `DŽ_XG>:f[9NSזN):ѫ9 $f^#PL٣LH̢jZ2=,y6;Ԯr$].@A_43iVy#Y3IcS%T;2SJܶa]GAOajR 9M-YF@Dcok\T#YbURO0,޺> 7gF<%c3s#Gp8E5LJxXb+h[]L09Plt9 d{?gr@; ϓCsy4\?Ux͌TI*4Q)0YUۉ_$ w$Yϥp ?6Bxq06FݾA#t[2<Nr3 XnhHw8LD@PRĪ!ADFx ɠ2$,}8p~Mb?kh[#c,jq$fT[8k)@y):k: iE9ާy#%{1x5ҙrvr>!oupNvgI&])9NHƁzm+Vq x%]'J?i`Y Pq _99-R'mcɿ6rl2;doAg[mV <{2B͙&5,5=*O緑߶"5NwaI;k2Ats'14ss]||lݚY&K/<3!!5Zze}zu"vIqC'^jiilcw̞1nR99>txSʘN@oBG;H?{gJ9,acd;lZ= tŬ<-1>$)SUUXoAǝŢԑ1'!<9vE_Dx¿'olsƥxՓ!(SW.F@5ór=]7w^vG>-* qc@!mf?4MQX(TzTY[Y4.M'3JZDx! AvI3hL| UJSvUL(ꏎn5elB!"^7dDWd4D"$&HUyӢA|-&ZNRxZl#"\^rGF#eNaR oBt)X^mDVڃ.F刡?wi7P("Çd5j&̭H #o{bj5u2*XJ>U wsȄr>Ҷ& ?UR m(i;f,'+- m*+ _GR#|ɝFwKzk}%_^O|-(` 3u;e 䔰, p菻) P;i"S6S^b=O20u{t;.v-u 8dPasgdv\U~=!z@@/M]jr k5hFM$)^xxAAn' ~NEw\E 'cپ;XTҋ{__8 c;mN 23hII+T G缜^&286Ƀϋq>LP чM64akO}Gsy~Hn ql& ʅϜɿ,ࡧQ_D~rZc&?_ <٫ݍZ$eǵ e# ',GКt~T-IұRfJL1FHBPg `$$0v RLK>-ALkϮ}72P +RB@ViW-~9wC!XR#$H o8M~H`vR^d2*:VqWq p$M'Nݭ$A12c]]yʐ=(H3-sh)ɗz/&ъ}lȍK>2Yī **82"~ɩ;{NWK_gM+!ՠ+ :^= :ܯ1dŵU?~?%Ne {`{^ ʦ63d,b)TQo{L%m^7̽tK}#lҸkۆvfe?NC (Q; {6vzUg,3tʺn\;p3s]hk7f.)jQjczc*h bn6NS_&`d ojU;z*[FSndy5{u3*rܩcqk.د'cj:B,1@VZ>jXM0c0-^[B9a8v6wFa YNJTh5lVbp̬fKA.U ن hp>B_]DHs!2뙾bxl/]=t7,hh` W8oIaȘuLM{1;u"LQ1q'xC[Rx:zak;qd^ۑY ?N#h?ƎЗOkб'{J Humw`rq~H{ ?5!YPٱH_s̬h?f^66dzXI{YXOUoG\wOK7夂Dl$i5c:K{F3B1{3|&̙iFY0%{@ߥzZȪD@>AY"D^50Cm`_8WؼC+}K[3OI] . ūϺpRj+ܼ]ہ]YE aYRE3+rxoJODbAZ״z}>0☉lrHҾ5eqҴ0W'/>\_䨚%8q|wֳu噣 $H:^[& 4vk%°>'vFg)oo>履EDI)F#CTyT _35~ U%[l0IT^!v3uͭ-Krt1V ¾B\e(M=d,2i+19W03QZǞI h9\* V]SLp-HM˫h%4w#lNh2ӟ|i$Lv@7 ]Dh4$9k&!%@ɝ-.%Z @SgNza]ސ~Dxj^T܍zHPUN䌛D 'cLxl.xMf>D?C{jbӖ+:ؘ@KT-I3(o%QěT3:8HM8)AٶՆsZZIXI$NF'!9 i[rDv"l x~s{aw- N!R"=<1KGUN 1,W_U71a;&vܑ:M MErj%KǝBSZ{4юE.]OmsaLhH˥Q7ss#caAwf:m'O )n.%3ኮ"oEs'9Z\K# U=22|pZ?\S52-H.GE؂ &Ǥ|meNMfVpb_L:df6Xk3Ѩ)d CXf|8Za%e !$!1 pn)@AzR#|&xoP#{0`.Z,̕+;dm쯳*y4OO Y୲.@ԺyA%tQ}7"qf ̻D UY]B2|d/P(8zYxˋ,3MэJVYB:#A͏z]sOf.3gɠ"m4\*Y!P@>qMhz;$Բ:[Z`#W#K3븎X(eWA7sc1 hzrOKnrSzň5ve $N1@.ܿ-*q˜/ր3HU ԌX,Vgkvkȇ@o}S `i/nh`\\BV;:5IGo1g9t_QopQ+Vm&{/6G86f}˹rAEeQ$.(5JCc]Q~Zq](uaZxg1c@S` g,N|u΅Djr6A]P 9URNᦀ5F i5ڮ actShEzIJg 7G#ǂVRs$Y//h@R R2.>+!&Rli~&{EJ|̿*Gj'¹-s8Ǵ$ÞcGpyH4$h2+QKQ+2;’XS&w˜>矰+dkT& N{7Xt\KYᯩŏ喵h4T0@T8wWޛ>jo0{ /Dr $owջ5s9awG#OwǢ-Xc\<}٨l+9P*djRQ%ݕ"#NqO7YO@f6.;j'd!Y~cU=Q":l"T =Õc+*zWX>Sc@ EŒP KQTj;HgA)D0UeδPpk|v'.AJb#):@7  Z*\pʉJ4" 4-C Q`i#s )J]M6nFEi?ܗzZb8C(TdVjZN@ҴMܖOjcSc?^Ҷ7os4"0Xr.TTML+En'9!jk@*V3 !݁ :#xrqNHxmYW,5W0N/o%y;n:Cc"J.L# jP8*.>F8:$[U|HFXO+#p Iku۟1Z{ ?V)=:u[ ~"bS.&t ?CpB_Z0~4 M|+K`q`=s:B(2.?Kȯb;I.$ }y9526s8עŗ^@ E,'^s:}էu[&#q7o48R7.vNQ4 qKnm.TGp6"K-g{Slfa#=4:SWL銙uݱo,5~(ʞuǪ(ڡU#Z݉]ldF3:)E3mq7 qOcjP{p4W [}8?u|ʨ#xJJյSsz PgC޾) )b 'ͯ!x62M+.YS<@܈2~4Gvzw:l[}QIoiA1& ?J%B/J :c!xK%g0JޤNuZ>_ FA1l]QNC~\ی֏FCyAmT,׉A[׭le@2޺i5bnB=/'jY-d(@dima\$A 8qP8czkC)od^م)JJя9fW"CT=Y`Uj6v^T{$",VEDz1Y I0TޔUT^ǟYcR ϛqO@4+tgPi4)9Dw=:{ 5P p҈"M>ZLSZZN $[ENﵩAi.6 [%1(\ŁZ:?ܧsU5:lh]fpkc1(y#,;0U*%40)fgji3 xUsPyTG8BJetS(6a[x3 ܊1dkԳ}28RisC)8Hoy_ψj/&eE_c`q/{(#jT2wQ,P^J)Q~9y&(o0oWg (X{9@yz?BޮaU ^R1e5",lt"4S[RmpL \mxq̭%la̘?v٥p!wXGI\Dq'7tde @W?Ҝu:#ZRh]VWlj̏@v&R3dst٭I#Pc>/cc7vĂ) ]ʳP![$,Ǝ%V¡Ne6m #@"F վ"ds2./ϜOpp!t0vAw~z& H ?NLmyAlN, LVD#rL@nɹ(TZNUjUAD '{W$U|MNM*M6~LV#v&KPrQN~0&CWys~NU0VպӌgLE(v' D.{Q+g!ogWf<׌hh4M/L`?ElTek vRտjZnuH;9o Rb޴$Zfg*2c٥d]ƫE@ ,yBSAvn> -aMؽ}lT83 #:R9Wo}: bp ;c VJ[rwssbʔ~v F!x>ej58Uԙ9AJ8_ 8#?WtOXTIZ%&i`U^{zCIHTE]Ez` 3S78H_[ F yoXz~HꍚpGs[Ce s?E& A9#RBMp ΂X\[9uD9dɏ[ @+/:a; nyxGm1;s*A4[_FwBo>4o}Z.0WP __l`8:TI,r>&g쇦0g+xx貭 M&/](Fv!4fHRyUroN0~ gQr¿*0NLTW!󕀡ռO9zp]O7qC(ʲt #7*l7=?78SJMF hK/7l'aEZ&NhKMHzTo8Dfku ; lV^2EyUU w#~%= - u+1_k}G䤇 0۰Kzja_[W.0HR܉qVv@䡗M .7KkY'NSSJjQO_\όR޴ Dye?;^_^SuC)[#tLjX'{$q]9kRC|ov =: Ȓ{F9{#uShJ[3-y4־5f$ei$B2igF'lq51ѩIHqטo:[i#~>̯z DT^sRynQ0j._~i\ЈŇP:`tt%\zZ̾+T`ݵ,l -Roӷ:98'c.* 9v7UOdʱ3tsLDCc[V`K(IDsA*uGe6%n"!0\@ZXz6cQKKB2'ۺ~zrvk|g 53BsC”}c.3޹j )'"s2Z6="e'z)}w 6Y~`Ғ׃d8&0 <$Al/Aɾ+ӡ" \'c^%t5Yzr4E;MMQwTKh]&؀^(7;bϕʫ_$uJ$bUqF=M3[DxNc x@fcȼ 9^׀ v~Tjt)6uYD3X1~PwθP\SQ@odAAPr7NHfaI~%E=aJUĒZz>Qa qeO8ߧ-Âϴy6Y Q(':/<$k 8g3ֆB-6NtVO[Sla[\#Wlȡ0ƻtC,6Nm8q .47>ht](of1VF-U}ߊ PmApI'': wiUW` ~lAhXmZ/#Ԓq(xis,fu^ȃ\vnwraIAu _]5t!PvR.jU}40`d| Sbz(F K!ɢG:0avUN#.k1@| OTcQdk;¢]"zp Nʠːms鹓pߔ{1ట2WRy*Xk_o2LL_e/}{lF0#퐛U>ܛ}ĉ5qCZ-,WWo]T]lfa(c5[jpYk =GbRJ]*r V_&C̬ck.sz҇d/z)-ҴB^X!KWsq>ie!˂>R8{q0Q\ծ?љL(->kgM t_~R;.sbwa=: k:ȱ- I$r8^ dkX2Mv c} )FAYP3mB|/2@:}-i,@&k)Z@ opJ7M˿M($+؄YՁjK54=N6_Q_6 E+ML8mS=ZlJ`ȿU\)Wl_l{~cM_sYPKBenj7xB O"`vz܎FwSo3 8"-@o5ZV歧gG >]rn]aݩo zR]-a^v`>Y[$x N83VzlgaS˼hFq[{a,1@$лj$nk:aì\:jGDik=dLE<abĜ CA,,wxć(!(Bj?uYr(nMkA̝c Q !=H=bD9_^Eq5936_P,):s84/*eB" futokO*A-. ݝHrvmK2g)/쀶|,'nAJ*{r4fg+|`C`\M1e-1͌RF&=8suTIl|Vod]]$whBȴh+WHT0%E'Q68o:>3@-!Gi@>ـmMSpjz`}~qfZHb32.Pc'q|9vaI=4F@ J&GS|Vz`K2J4fcZM ѵ,R΢NEd 6ʪZge?j୶ uA#Sk'zKV_7bLfd &a7ѯ|5LjʃD@Z-)1)(H=Q7VEeWPWJ}v1$CJ WgUbpN*m7i}A;ᄂ$n| J46&GB置":cv66)Q24oO&pb3?ti?Jˌ NdPF&pᘍuЩ`G~:DX^ GG SNzx4kȶYu oRO(s#i QV3O_猅ܜwч>5C?M(1(e"Qx1ѲXd'mA/ ԋ 5ر2& _Ȯt_>zt| P2L6H}`Nmzzx0'܄LtM9+MR=W!]k7NZf(J8ݏGLeoKc\n:-QQ‚nOɢ%m>::gTӀmVh|~%㻲_)RAC۷YDFd!,B?w:֙]"aY,T}8}AJ\ H}*u X&mR>fnHÖ{3>X b=v&*#(_Lp "ڷSƘ\Q- v?6%I ~12 k,LA,%'F/IW= SrMz IǐfyVa<)ߋ\#ů E&p.}(PC)2Z@2fH/gq3[BcAFH&39LkP|a2Jgã`z|*]A&&V?pQVfy2£h[B?iEYܖQS`V?.lzI/zC0 S O#/)ebbE6POt+V 㘭v=QuoWeF6A1L$ݳ~Vr^~ ŌLa;ᪧOjP|1R6Vpe^jR!x&OC1!Pߤ ~K䇗h3J?P~F]L_s[A}XH?Rɷ,[{ l0y^{<˥@O1WtQpM xyglY(T`X̶TFkes?j+(WL#o^v=:aᜃ`}~bG#fGB jw;]Auίq}eAZY@1/%I`0R: qR|ȋBfhiH",KcU ߫b=9i>~fֿ4;5L0ծUqPwl<Pxfݝ{Wٛ}aQXL O|ųVv'ѺOi6y9ñjT OPY?n$Ɩԁozr9bW?C2pz9qΖLI#E`C ]-aZ ZΓDzQaHE.k(H H5-^·뒵zI~ _wSd%hĶxzy9TJat!,Y. 'Zy-1;^ HGG~=*ԧpgx>yQr#2s|`#5 )^Z4r58-3- xJ|eP^}i`b=*},//+ICQ9ڹS,]Fڀ9:j'< o.Z+@s$}}N*qtJBBJk.r @ ޲] z׋Q,sRJI]/Q,+e%ڌ±\*y!k:UkH;v|YaD-f]-(PJc Pw_:ޝpPv ?Ex߯tND[=fjkAG@8nP]UZ3>zڿK쬩YO{IǼnUܗ[3+}J/8Y&v5sYNl$ _a cKEXJ=bRs:ʔMs@С!i:pXƪJҘݒ,Ih7|J7yBWr9:`v8K׈nǤW(= LE(&p_Xɢî]]B׎Usp kl ݗ%J MǓ@S xot9l"`p],PFh\Jpќ"-[๐ ޫDȄCZPiNt0 ԅ:j09Th'%4,qʊ} :l8Ń'P,V0/aov%4C|sG5B{^g|t1O ㎿=I]ѩ&#x_ 8\XBOT'"#Z!A7p/@rn:ׯce> BPc<_fEcI3 @[Hc QT㮍3"GcLkv@IqN%S?)Sm.%F$PJ N~3ZB 0SG~8E8O p7vkKRӗM5ol  ?ϔ/.@HJI,i WMCh9r{{D /RI"` :$I?dg ʬV45)+3o{Ĕ֋'wi3\VT 运zrpA8R]M68CUHKg^ZiRwsEXBD5oZdX㰙)#?neT7 c$C;WnE͸T&Q7QMyrBm懅` KX$G0B>F)Z*=|L/'$"_rT=f~-JZ-Wu[ʉ# wcR$fO_n@i RQ:G $_ʈN^=p ;Q`ׇdas7T)yiFo>W)Nu6a.Kpa\nG0%y4F)wo86G$Ccԗm6s%*!HbDŽ+3TaʼX|-Fz/a;6Mw)㽠#K})?H|+/eeCnz~,T(טexwҴf,Kg[ktxHlW.!]^" ./,R@T{XriFZj*S6l1\I8=i#G"e+!.@iOV)e0﵆C,F?'Gu Uw XY7d^HND)>TBpZF-cvI|*z;L% ?NnEq'B\&Љ%T:QBZ24NЛL6:w}[Czj>>gx-IۯwUDItwL3-x쿱K0{;GE y5̢I[=) '2$b}P} :L]_+~#AW->mn`P.%,qjy $TA$JI\>W5i>$99]n+~uip~DwS3OpUաTBUq`?Ԑݬl8}g }\r0ē,<ܟWRxG .%ů6roCrILepwzkfJ- %$/Bgl\?XujW |b^frQw`&bSJ9OB QcypC@Wb>KAY gKg lAq..uDbgJ Y̠*uL {2,n=5|`t`x$bCv(Hf*A]; a\U uNRyl$ U ~2U7q{(L>v$E0VR`7̯57D|seSuTc(DtUX$n:AG~>S@l5DimV5B57 ^c j6L ~7|}7,Ј*؍gW؁hg_,֞a9zkθ0z61ES~f? bARu|-}VHj&)D)b;"wáYzoKzd4,ekoj30>$կ+".[tPkyޜAmBB#PH6ܔu|Ij Z?숦v€RW-L@v>%xvE 栉6m\I#.Ѥ)"X,~XzkPryP Vv\Tq=it6y{bB/,# G~IwO\6fK`*yF6VQأȻ\\- JfnP%RPQ.H:i.Q(&P8YknI E͟`Zs3Xo9(2_Md>Z jʾ~]mzbE{ \E!} Twͳ"ȤM1NSD#o1t I[8HLy`%S4DR[_9UGF)YZB>vi69dijb\A b- "ss 혻.I(dsLZ3O44I3dePA>B8% ^|G~'1:/MB'ARe?M7K$&kԌ} gah j" Q$}vu"4qG8Tbvsk,@w# {I&oZSE6ˎ^u''4E{I|"194 &:qG|3,ZG+J{ Mq:9ͧ[,7_Wp恄#Й[*aDy0;ᄃUP: ?s.bsJ vX-[ULlZLc/YOƲo+2jǛ=p4\#SyD؂a7W+ .,H^;ⷎm~YJ$ /.s=?FP߄{?hXS+ * y0j Kwgg5ɘ6!ӆp=`Lmx4>iQETXw'iX,_V0UQj; ChC>?K^ɬ9t4Hx+kp m2G;/oaK߱~"$TK∛>75hp4*Rőkѥt(WEj/e7.t5R^|V8VՓѸ}1MYȑO؀~/kP (w9o//Ʀ!8Vޒfnl%1gԊ:]w98;hb%GzB [i~ܝL":܆_e0+F`Sp$+C$5V/CvR=Qd$hp4})ORpR]4>;fPɰxK*ܢ W>9/5{KN1tdkܧ1|^cnqC}bRۈx5 J H=yV9a:wlqǶ7Wud\\'fz@fBW.;‡hH?٪tY>>bݡRf`RM${`3L  %o }avnBb{LQA0,%><8c׷jl/]ql70=/c{ Aָncȏ{1kOMT-#T!:0YQ5 K0%gOJhgLM (g2{J MTseQg*EPBLI:0peB1: hUщ:rYГA5:*Td} ͎/2V~3 LB2v *T{8-/4kiX {?0FH i9Y;8}D=ῺmQH{;7)1ӼV5>AM±4qTonOPuUm)[sX 0AX纮v_*;:QYjf/<`H hF{ kߨ6ze(R(O;D0e H!k񫩈T_97%¦8HxR%E( :Ga#XB|T=rz}ɴji 2g{4;Z#4/ )v,_4DIn'smO=O5hJ4t[_͎v'&*)Iqo'Qƣs\s,jDjtK&,G2M;sw_QlV.>vа7~7]j!-5LlSeO{]T?`Vk]*)% "GvzP%Q~gid#8AЯc!%EVCeitGR7Uݿ: u\<8 :GrAԸ3;ɛ#i_qJAk|S#6 HP"_Q*a%\GL=߫>6!-ܤ;}тG)o%s LK( 8eMX ?TGA; F4ʏr!&e@\F j7y%]?@ l@ӄme!m&MFI!2u/vio~ ߘ%I2.Cro[_Ǜ,<ԓ`yͥƄ7CtSsh(r"{&bkb1:3WNƆ'&'1U|-D+5$`ٺX <פѾd_SPb;0Y0+AU?<נ1MᚒJ fS8^a| q;R:_* g3L"}R *+떦}1IB\-"BrqCW-{+v򉊦`7B/6|D- HTzߐБZ5jlQ:ޏ45fNˊ nEAӀS`]vfMGPJw=۴r6x"eZ?EEΫ1$iO ~q[UıP7Y/ׇ}2&wF-:k" :DH3ar];g`eXÛó(mk,B$ Z%te).JA'ۜ[ z٘i]Ki@yH4vY#\`9ӧMZO1BGTXOp &#o3Fb֔:tѨP6Uk#oG}DJָ[iU:Hp+Ѻs[biwd\ALfnh'7H Ƀ8Wl2kqox{ulcwZ@ άGY7[xwlfxCf[Hd횎Ad3,m'_~!(ɏQҚLjg3{&K =s Zܐ]F{@+D_ژ-2/_NtZ;I\D`t)%pB7EZkl d Cd^C9̴AӴ!!B&f#Q&&w/#{|IfZ% xE](:Ui49FH׮7m:5LaEӐrrj\rr"?x\=5+?g?ȃPTFδ6cYnrD'D6L0URn ϛڃ1u /{ljB *0HMw;-q`#DN/G:xѝqUt32kּ/w!bXfr UHi՗u6>!IVwG&ɢT9]mj! GTη<Jv^ԟ|?7:-&\Kxퟟj"爩jo/\&)̂Wx~Inɕ2x iX1D7t"t %| tϦ!8 9'vŰAp1F 4+-`߷+) VΖY*,ȞnyUk&>aG]1FV৘SY6 0cJqӇ @r<ٟQx,̉p*uͯڔ?ΥizÈl۰6J6<쑺0m3pW=mkn Ua 'vSr l7Տ}~hۃn/;4,jO@N L_g➠DBV_pZ p9%;>o)'3bԨxS.oĎc2ڨJ@/E w=Rwn>gҼ R50`j`~<}o uN}_aWp^c5oJ9LR#dy +)pss]¿w7B[ݕKqZL?08-k4톳UE 9#ƪ/gl~&1M'Eb@檃C{UwҐVvv)ބ''K[dv;?2o*s| B-m V`y=QFglM)G[UR1\i@boTDg~Y[UvxMũC襂uuK% }66^K2-.Ժx<\25 &$ia.j>ݛQ)"I (LFx0]Eؔo 8)l+cOLDKlBO90a4[fd Z Ǜ͟- d A7U#4]VM<#tϖ{U=(M5z,B [d.J%]2]<`Z>p'iﯗ ZF$, KK(dLheMeiޅ!Op>~avfD|Y bڱ'CNV.Œ] \^`ed4*ߥb?5qIiH;Nŗ?}ejNk9`~"kylZ ';C1*@ʴ:qe8oƝk{Wu8Ddwֶ)B"w7 lLgyږ]24R9p3X23 ɑUP#܅/+P_ Wd?j:݀$J}ߡNFMik2O:J!^@1mJ=Gh\xm+Þʧ^p]&j n9X@Gz#)^WǺnF<X|ضQTDn0mS*Cy.6@J9cuǑbn;#Lr-ʭRZSByGV8_AJƎnXlHDpd2|,y3Rh}nԲP `.b yϧNǃ_DZd2w+=z]Vy8($7ee)냔|ƃ)}2!r|L] |ra%@;*Cdz}?@=OxեWh#-TYptKe\=!k*ئX%)f*ZxUém8'bqc?Dsl{Q>2(DErh:j=-=q>Bޫִ3Q7:IB}wQ)V'SBCG "R# #A/(kX_gM>ca5rjTH}٦ UJ|\ N?w˦{/}>XcJI$vI3xEh/ťxhd W>ގ7O-S L1 dn­ w+R aiT FƢpۃ IΆo>n¯Eeξ;+ܤc8q,'?9$2h%0C-D#wut]ٵ]DȖ2F|2Eɍ@;#)c6PO oYl-wٍiO\ﱙ]^mCʟ6?= X^hph`|uY0R"A`mKB:Y ΖB8nwO{o+㰮雅1_  }ev.?奎X F;~, _\¡ ;8.).FWdS`7fezUO l=+3 IZl"= G耿uLې$NeD Ba{QƏ:Wd>souZ:@44]pPU3,?W/hib.ivxV`D(c:|X5npm%-&D/-}!5o~dD0#\ 5TQRӜWZAE-4S"y:K|w7fɁD5[mW9n#޵)WKD!#~yx APD"M fd=JNe25uq{|cd/HN2񩣪 |jtbh}x5Pv}GL_^BNiVH5l˪1~.:(09aR$?9~!b|D*,W`B摉b$|T8+hk{>XBl]Ʈ kbLJLnp٥r13ڤHX e Ƚ,{H pW@2ނ )6WReX-E2k_ %O짗~Q%_6 h'U7EzZų6'{]YU5㐲b|1B6ȜYӜzflq>U,LRQGRג:bvhhinvCm̱hfamM\Gp)ݱW#! DZV*L >(X!0zuIP>@(m4iat~&ͬs:HPO eO7BSծoE-τ3\9Y[vjxWȱa+Hꝼ x/ ̵K`Qdމy@s3T;_RDKmx~<+ 9G!@B۸kC~2}rk8క⵵GY,J)`QDܧ$+D"e`zߙ2qEJƀ{@ )8[̢ ^θx%eI|_`>sl08!wQ~bYR>ưAr}D^촴>͇w!]t\Wss O33& TdžUeS=@;MqP g*`B:)z%dT뾆țd=9˓tm2B$6!s`YB|kL&}U ۱I~fWKR^jɆZp.Cg3iM~;^ߘ\$h kНHmTҢFh3ٵ*M`bW3↑^yv 䖧рmXҾ3RYJS`dz@D3>7_(d_MZ ip76eT M|J\b6Ơh#r4-JI19ZRv-Rd V_%uM]69(nlV3?AZ^8b/.0ΪNs8OMM^qWt]lOsOEV~0oki@2 @stVLP}+VR-18,ڧ䙮L W8'RE#X\/ kfA `Icr >H6Z7ߙ[9{% '5aΩc#~g0=ǵIG=W=QnT{k?xe׵+ HèS~q!OBAP 1VX礣Ec0Mr,-=̈$8wBxi$e~2^D?Z(f ( (4CP {ubZ O Lag2W'v/]J& q9 &j]JRaϵv!#7}f=lNO7f{\YVX] Ga)NI񱒒tfg\@Rξ#& U5 K+V=Q "*b 6俊y@mb~Ky2q3]Q^v-cO$.EEm(`fÿۣ?vSb1F/_x0EETR >uL1-FBPIzki#/$\eO5pW]'.$o{؝l~h'}, ~}hOſjK᱉>rB5%щ+&pB29UϜg=eLK|]=}ih8NL%dEŘ#^gJi3ऑΧq({:[jņý6追&'&+(^bRJLZuS.tOfaM#*| 1-"Ϗvb!;TO J:h'V(.Tnݬ wkaRb*1EW.Ǧ^^-;47uYy&̸QitO5!F&r7wͫJ,F*Y#NZ @v$g jF4_TSc<~]:PQ8 e[IF{pNI+fl[îڮYW1lƒQOXژlkLE*oGlŤl|[FCP4(Xz>5D$džҖx`mfViSz&V*'Z9u&η_K *%琢ĖdsᔎQp&T !V۴Z>i#aȻ7 lqԸoŢsphjDfjKk.HS5=d+gơf0P9پΤ3eSt~q6o8?bu߿^L /dY,4}]L)6eGhy /Zɼ4' TLv8$Sv+/=xL‹}?A:Q?9wP7&W@yd7K6ZBҜ}T(蒎D)i:U\ JsiZXAglX=Sh`]ŸA+2c<5+& ps;>DJ#< .V_mM{0m_t!amͼKrU.x(e4zsg:$*E]7OC8I>Ia˦OWOG.VvKwhşAQ긝qkN]33 f$/lҁ)F^H=҇Jlc*b ;%4DP؜4v;yZHH5f|Y8dތ\ƕ"` p\9"&ߋW%ѳ2bNi+E9e2 !]bi)3aˈQ]em`&#Kn;1*[b[0֘YfJ*pݓPm2w$N%l+m~\y(tٝ؄dQcvNKm՗;ÿ0BBYH'UNnBgZk)BZS1iڍaJ % |!&w-Զ2g^q(7t!OPAf^%]F(4ݐ)+C.@/y"#ccCP=K[ QtT3(|hګN[ωwxH=!#X? '-Aa?\7˶OO)8u'ӭӎzt6#%o,K䌙# `ąA!$`ľGb4+ЧC(0mdVLU*ٛ+YwٱǣϽɼ@WBDC:;PhV'DOddEd}. Ғ6Bӫ}t-,NHTrs5yޖٛPOB,ӄєq^3xNױ9עSN1I(F,"^_XP{gz i{8L[A4Sҗؓ"A،"R-ٱG:D[8z{D$utL np(_ҏߙ鹟ZjO/G6njcagAJuY>|yKMB=5?N}Lv8 q7PӪ9UBqGIyI|_.Y$5IIt{&3KWiN.0BXJUtgbׁÔ| -c!YP-FEϠ ~*ʿfKNl!xS/}Wm& 23 PkO7{utB"8ffP<26,f @x۩ÎX[bH@B11X8A`R:bF` +T~e710UBqCW=VR6qQ49(gL;b &vީfOG/MeHjX}gݒӲa!g,N37%*E2r0Qu&W KtebSt&h>sЂWe"Z""H.|'\'L9!Ȭ^{.(s8MDe[Жf!q60~G,h #MZx:ULvWo%6,Kb 0q#T3pAqz:xbUC |l s,] :7ɘi53%Nɓtit#z1l$buG*-5#J}l KA$$\!| Kʴiw{2Zhf:y޾}V[Ok]L_@p'[nF DF 'eQ8m`tto"cї$m@zHjlڷ$TW+N`_AXTP5j®<*ߥs?)̻jwM^]/C|&S܍ZB#KlcSVQ g! aٓr&P ̈́S-{#?^>Ck M+8/9ĊRaL>uy_b/oSWqJSlb+$rVDE3ڃ+ݣDݽ(tR:T;W(a&} "}&@R 8u>_o9Vַ3!*lU)~갣QWbT8I-]MSπ:)mnҺz\knGgx®]zxcGNLV-1iBGbFe YIToPjCå+yOE  39Df~ήmNNA a5,Oi A(_xqfQՍOGWx~7;7"JO4xq9_ ..Q&mrQrNt4Px7Hψy "B9#FU8b j2-'7RCmG KPph| }DbR`v|pm,pEPr:Cam, XEIUz8yr v -d*3AK)(KŽQ0q3K^rKQwk9p&-º4+^%[#n:Ry*>ygocSu 05霎9rsJd(Ϣjat_^1|L l-' ̕AE\gqn\=>bc[[@s?- .㈬ij~W.'0_,7\ר*c"A0ҍ V-t V20_od.Hk-eC$8t}_Bn[B)Ƞ2Q*T}7 k1@㦖]aM-Ia y'xVA?L@.mCST`7B;/C}u<`ToW ?Rm%QOO XH3L<}uj S/Noȇx 1)4}NS?˸q,;S0D;x[*'p7l> Ы0ӫl>B,>7߷gE 'IAØ94Í=X PXEꭀ{$8"kt'^_IR!~|(<1R|mż'l U-%48;S'Ne[|C|P`AFc dY?i`:))">$DB_M:BRbW(SĥXF*_yEL&3xk0cLim hui ]·i, y@.D ~oEH EVz\LNlliMg3AORodҽt 6Bg5B?e,+tT G_guMwhU]R<)d&#R"r`WoTM`yi M`HnL7)bBzi=MDM94p0̸pȕZ'Z}?ϡm=XS%cHum'k8*r-~ u`c(cRx'm}5~aHW[N(2oHaZ(TMO}at^Ijh2+9jG] &4ruc>Imt@RC;Q$14UdIZZ˂̘]R[}z#PjD);RXƪ /e8@ݽ>7HxyAk)YρHxD>)u&.G V6-mFWA EHs:ٹp5s1˟ϐzXgƩ ٌI+a؂1ַH/r/2苂>1 i_rsj3 +QF{CQͨBۛBٲP5艄TbޣKKf1s@j#/և8f2XX8Mج=糠5E:jp𲊫ޫSL!Ҝ "?p}lF?s;o2H =E k$H_=޲ۖ21iSRJ7LZREK)=\˸2IV]R\fkq#,ʊ9.(m :Xs gW7H^ז|)yIx .'IDF*#G]O>,0eKvZ<2aFb.,9Q:K"TR녔jzH[ޭ,gN Ȕ}-ZK#x1(v 49ۤc0, Mf)R7}|*5ZR>nU2)Tzئ+H8WBGGBF4\'yDo/J,o`BOEi;-Y3 BN ABc!]aUI%5_6xyVg=0^Cpa]3$yl\T@qqצ@*޺lNQFG0E`*nMRQ.н kS .E$Y_tV nub|FhqCŞUmP٤h}+.j2nŎR$X.n^=8^r1hco+[L,h)FLfPeu+ရßH 0bI}us:,1t@/CD/ZŨo7>bT$P{;Ŗ5tɎh⋥ZIu5 Gn0*|}n,|QԵ\ yIY]4gq-9tc\J]9_/Q^+G@-.I)`M7'$"2dEWP&g'% S)IѶgBҢvYл \O0p 7({o%ۡGy efj*|T|w|}O )%mV@Ry;EЕ}??NPF0qA,Q-{,L_W"T21 +*?$˅MkS,hS1+CD~ ~Iħ0H0 ՞]MEL5|F +ރab{P9lü f6ZQKtSy0&JmSr&*weX3Wd|Z iVWB<yC=]q_mK*&ti0׎ꁿM-$6UYֆ{k0K2alm׾j͐ry]۸W' vo 5OX}nG~¨WhV8fQ׻DZ*iPZwihA>hף۸ȟ֨#sIָaC!_#e3cu~C)|u!\Ao:j e`@pK`IiYnV11h³wQ`fh8'ZѴ]t9ɒ>7؃ ΜBcbsP4Ll~vaҧto gcJ:Φ1"%a2 TkW3Ν%e%UھQbzX^(mG 8{n"O_DuQ NIq +2By;[\ݽ{6%l K9s( tA{GZ"Ve^*vdP.!Hl\ހ0cS_&M V}+'i5VwTH"W 9!רn+Kp[}/!74m"w1 .M,臯ި DA#"b,xf1hqh88mz<䮻 =s 'Zt{ٓv-`\ukCIΥs)KF"N0i<\ax` pM/2~6]BBO#YkJ&pI:ť7޴ILuwWsffp9$__^QqVgCD8~!C؅\ z# :RԵco&5>*JCP}(Q֧qIbpp)HvVzۿotԮZ2} fWѻl ef3̟nQn$S\#)uַ&ʱu񎁑d5JPH7_ &,}+]/=:\!&,eSP=_l,Il}DAɲUxWy?UX'\>#v X# ŕ̩MUVI|)\Iw:lȰS>َR406,ǵ'Ǫ9Y i*q⻌2SȟVɝI4q(Im|x1:6/JakU\}2 -` 꽹צ>6\4&139zW$wt^vrswH{"c~ğ-;p(.P}q}kUyqF1O>ήcN[=*h୐/&C0]Ieu]{v͐'p-ht~mUV^w%'^M0n{2h]x=/(T{ @&c=,pk5BS4weV7wm~-.A_ L\xrwCQ,#KKH }iYLfE֖oH00"5=ieJK[q13cԘ 2D%]dze9TbSG?s4@C, J@))'.D/'ZۊCR%+5209٢_"կa0zS&,:}Ca9~b?Jl4oa6#mI:ZVARl( s)9'l%\xITx⌥W? 8%,ú9~׎ZzNԯ]gh$i8ZSplJX!Ea‡ L:i2!!]a߼cNQ֑9A<=]0R( H}ȒsNԯ1t)|U毌ʤibNRŅ7ek̔;IDsuGlF-}"@CnO< Em {.Ç=D~ͱkY,YGBəz Ԍ`oJk"-ju԰wܑHQa`ɍ(-Azx L7c{z5dOV=5cD]'"cR1d5'㦿 Fs MĊ.)ze˽}Fj=3T XDڏRt\ de-+原2?Q6!n81@mQ$Zy&hiryAk@֣A76{lB'~ԡytGn{$S$4\ڟ* S52K4k̫@ шWDr=Ȱ-Vŗ+\FQИrE:z9$ m%?NG脤j2\N"W?R&icLAծyrǿM3yLqaZH/ puaפh}]5:4(owϸV F\ƍFH{D|1ii6y1,zCOy >`3xl’& Aρ@$깾|8a2G˜&#F(ebb˄~תuD"R\e  XQH6 6plL\LT{O4\cJ{'YbI^lssM?OGdwmƶҖELv cO+#1X?Eg &v;2 UzsM P^fz uH v9Rj1 ?mN-y$Y]w"H>Cx% -4QY/z`7dv6F q?vlG/ӥўv D#;q^w=,"޴/L!aѢγ mk'@^k|!M8Olw4OcQiB,q|<{@^5SݲZI&m7gS.Eɼ x)~f>GcPw z(;ki+r4ŊZYxyzAy)0y bkG^bg]y1,.Qk;& xHs7vJlyԸ'z̃ЛK:Z?|5^ ]("jmRe-Y;~K'7#4*BiH%lї?J ccSz# "Ԧ5I_JŴJBF@haL1?rʂ%٫BܵVz{X?ef'¾;f RDk;.Q)vVbzy1༧Ϯ 1l?h">ThXQe<U}H{bt 0fW  mnieΊp-;i7>9 ҝ‡ T]L`ڒH<[2 ރ2]~&&B ф<)Y4yfV `Zr)gyAiClB0wS*R tXS}54(GE<0yc:zsJ!`cipatj?釒PMV0ӟ%pύ=d4t"c$( tם"ԛߤ1|!Btd?5p~+23 )ia,1q=uJ曜$3w2;d/Ж79o۸M'];p^ (tkKScH Q>yW;AKx˸LO>C#EϦ%B wk {Tb~@3ԏ:p])^| 74eF$Ӝ}6N* ( KŃݘVwJ&;*إ)Us%1P kqk t4XjȂ(=dzՀ o1 fƘ6/W &\ 2et?F$\AKfڧs¯ oL#3[ESM̉Ar^)?mErv1.>;avfmы4gmu'і|Kf&a{x}FA|Fw[q>}Au3Ѳ$gpȩ/vb!ݶ$$_,iE偺 V_ c,2> .gO@ q8%ph4w(gcCNQݪJDG[Tx&<6Axhb֗>]}^q` obt'MƍP'Y2ee 3QA7:z-_4΁yjA\e6̛0n;"sPc=Ow(NGZ ",m͒C8a+MC$s) =ep:ސ"NG]LrQL2U 59լT /A`)X@8/]'ᇩA ql-Iq,x&lH8H'mCpxŢDHDөe9K|;pv |(<|~Y%#P1[p]ަ0\h#Eo@?/|9ԋQ,ڤ\"\zVΕjU{=R Ш$<JR]o3[+8JG^|0*vP Y3|FJR}2[ F=B:5838uBRt` |\v2z׿_g?c &8I݄/6 $70P"l`SRar]MwR%[LH IN%q'q`Se#VT#>.C5107_C} ݅ R+3 sr)ؒr7wD3Pp#eCF?>ꝈYI.JKQ^rY c*TejjP kыpܬu '-N˶b{r (aǠn$eFծ\99脾ì]ES;hfѱZbq>硲{)§ %B(m zӘCecAEhlX{Lv k5 !|.靲oF"!ǪQd Ɇz\6;>x7N~ C8f٫HNo ~RE?IՇȋ+l"bPmo" LyNye4m V`jUWasTo Q`k_;m޷)3K鱑5xx/ߔo~uw:c8dcIuhJ UODЬBxcѣF-' ì7kc-K?Vl0}?>}7reF)l En0%Qa_?p!9gʬCF2A)*`욝b y8ax8ģ,o$!p1X{\0Fm3݌+/o c6j'/_ޓʣi]W%yXATMdH[tMF=#df3zMʟy`u:u*>| `YAof^Vx;c\ҊE$ a;1_hP[?% #5Ab %=}m9s#='Z aT\مޚ,9©qa. |VdX+Z iSJ\xgߢPNK!r+)6!Cfڅj>S3  Ą: VM{ -vpcaB5<|ux߂9^;spߐ?p>ͪ҇a%W^߻9d}6bGnބs4FB Ff]"2L&F%B5<[N β+{ U%r2(%Ritery @}]c- )pT$ي&8x RI>STe7҄Fpc`64`[eoC:Ljzʚ=(|Rs`_Tdq|VFW톶P|6-ׇj#T>|P$ӧV[Pa6q C Vg*.(Z[ g =3*ߞb 1c9۝DnEOb(Jˇ$i"ף]H:X<6qŇߪ?k:5cuM;?]._޶bߛޯMoU]ݗ rYCj!xvX`ckIPpIeyi]pX.ķ*)l ]fu|n iUr\->E& 1~mWrԡ[j\ѩBgC4'wXtX4`I _+?⮇_]i9_8PdzPӃOڏ\{sSc%1[,h+.mKo=o_⾴ ">otf_3Cٺ67h< bXp|]1:HP Eur*įʧz"gm'[wf>ّ,D'K ٿ$T/)+?foKm45̡PUv;zLmɻvv;H0 8.-X3"ANsZ]>s`L`4ЩD;`ta)kH/ۚETO ƻ $_wp(-m9`GOaPr l?O75Xm8/d0J`v$IO[ n]O6& E OɅ xE%VQwv [܂nZd=+t}$kqkoOlM;*Nf)Vw}0#O]cу! GϣRڊ|%{w"<#Op!\؛=3IG}><0w EK6عEB5Vfh%$Py1zxnxJ?hWcߺ"_TzHс46N62ph\\M=l#iԀe#?]HioC/_SPůZ)bI吣ȹٝ:U؊Z4Qk E/sRX7&cA(RumK{r κ*M kw,цQc51s.R%ހKn Pϟ<tjhyNpD|ʕh)6#l{L7w;}~+[z'ëV+~c5a2ɁLM)fh#g@jԒ8qpo.~H9?j yes2DW9LPxO`R(KK$$1n:V% 5Ӟވ#\nݱ&ŎY(,7s[o&Rb_ kVo lu=|5Z\1SRju}[e !7o5CVkT <sRލ!:B*_զR QA &o=EY s7t1! 7JF٘XB<].n| 8d{T)qM4>>WO Fícƨ@p %a$@b&-g52k +ErL;61xmڣvj8m2 $[ͿpiSDUJ_7@:6q=%q ==@@~D$<}ꠀ.1z6:Js>Q&Gp*׋9vN~&O Z^ީuzJҹ}@9> dҺ(Zf sh{3t<^;s"2 4\%Q5/ xݷy93aP&=ʼnw-uz)Z,lB"RQ|M NxX(ws/ɚ$c/9ؔh>c }>^[à>u41,`/ m;V6#)PCd}ߛ)Y諾O E&[zvVZD+[ @gsӘhd)Wp2z`:9Wʠ,B#`%WX[} {D& YTp \uLٽ ^LOQbfo%)W\j2ߗi2(,)=lĹΊ L?' 2Xj?b1%Wv3CZ CLǃ4& *ZD=fR0zcYŇD47HEA?d!5* #4TZSB\?XXb%R#۠oy >XqF!/'AK0q}L_9{2 }I8`c[K-@O\=c[ewmE@gyV=sbU~!⫁(Պ -+Eyi:4X Ng$NxbW|f_Mߩ7ӎz;Ap3?0 qLo!4 }9E[Z3>.>՚Oz蛋VF3WK_(/jUI^zrJR&/E?\Z~S'9_Ϲ{ :jB,>wi  dV @{ˆHrm,"s Y#2ޙ씜tڭje>{tM"oծ 7mЀ.-h> [i"3f904ojU|tMkgV˲TɈ;5ՏZ]n2=Ԗ;ЊE6 J':Qgѥ[h6aJT;n5z=CQTBŲ0MlE>ٵ9iQ>A |IuK}5(ZM7 ղd4 1(MO#rw ,EnPc(&Z踤ˤpx%n%Ǹ Z} YZ