ipa-server-trust-ad-4.5.4-10.el7.centos.3>t  DH`p[;$ƨ:8݃|r?\p *!!9GUTRfO 4+ߠ)_F6ORkYL<ݖ7v[F&p7]I a4\5MΎk z(Wl|؍D7(8vOk#HzҁʥEfj2pb06C$orJ]}i#ND~&d' . =/I![ p`lzmbGLTtYSH %<W aGYd{ y]T IQ;GpO]?&d1RHE>ΤY`mB֋Rwg"Ϫ|d,] }(q覨nrg|JfWGIL Vw m} UЧ_̺vZw,-D 5- Q9 R{h=ʕKW@r!]平a ,OcKDT>v$3b2ddb9919f73e169de23f554cfbd4b7a982406d[;$ƨ.g/ӇkP=Pi0֬@jʓ``I(LӚHc .kʖmGėkQAd KbԤgq¢88D1 ʾ,l-tY<_mddOjGdj:05K3QG XLfT~E2Z:}MJ[d 8SBjj&㍙ڛ-yQadb֥ '>Jg!IZJ`3.bXȒ8o>7gqܹФGW5͹⊠Mk 8r&U.~ϖT3~|dyixF@p?@`d , u$(@DKR ~f( \  v           Vx C ChC(8)9):M#)>7?7@8B8 G8$ H8X I8 X8Y8Z8[8\8 ]9 ^:! b;Jd<e<f<l<t<4 u x>L y>0?@@Q@\Cipa-server-trust-ad4.5.410.el7.centos.3Virtual package to install packages required for Active Directory trustsCross-realm trusts with Active Directory in IPA require working Samba 4 installation. This package is provided for convenience to install all required dependencies at once.[3)x86-01.bsys.centos.orgCentOSGPLv3+CentOS BuildSystem System Environment/Basehttp://www.freeipa.org/linuxx86_64/usr/sbin/update-alternatives --install /usr/lib64/krb5/plugins/libkrb5/winbind_krb5_locator.so \ winbind_krb5_locator.so /dev/null 90 /bin/systemctl reload-or-try-restart dbus /bin/systemctl reload-or-try-restart oddjobdif [ $1 -eq 0 ]; then /usr/sbin/update-alternatives --remove winbind_krb5_locator.so /dev/null /bin/systemctl reload-or-try-restart dbus /bin/systemctl reload-or-try-restart oddjobd fiif [ "$1" -ge "1" ]; then if [ "`readlink /etc/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then /usr/sbin/alternatives --set winbind_krb5_locator.so /dev/null fi fiy"[#Y : { K lA큤A큤[3[3[3[3[3[3[3!YYYY[3[3!YY[33fba2a8da609c2de4df08f22d567b5c1292f0a56e5a0c2636ba6c1040a28b74014dadc1d0cfb7ae4413b1689621170e5008245d8b75a12891cb5bb30e2b52b28e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855c06a2442215fbc0102989fcd97ca9665ce5b805c05247af87633b946ee52833bb6391686e3eead73fdfadda1429c2483c7c9f0d450facc410f48f229132d055b2c0c2ee095be1881a027db90108d4ff9d1d613dd7efeedfa0e8f7706f2cbeade0f4438da3b536bfd3d256c9223dac53c095f100ab00d22322d730d388ae2722ed4bbe35f3027ac4563e004e73e1182839c7af1196701684d6950fce59a06d3938f8c32ff48bae57e2b73c9c795cc211125ab1a65f13a2fb309e58e8ceda9ac918ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b9034c3189f953ec274b9f433fc6309cc2c5b5aec8b7eded36cd9525a5d3f4e8b2ed@rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootipa-4.5.4-10.el7.centos.3.src.rpmfreeipa-server-trust-adipa-server-trust-adipa-server-trust-ad(x86-64)  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@   @  /bin/sh/bin/sh/bin/sh/bin/sh/usr/bin/python2/usr/sbin/update-alternatives/usr/sbin/update-alternatives/usr/sbin/update-alternativesipa-commonipa-serverlibc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libc.so.6(GLIBC_2.8)(64bit)libcom_err.so.2()(64bit)libcrypto.so.10()(64bit)libcrypto.so.10(libcrypto.so.10)(64bit)libdl.so.2()(64bit)libk5crypto.so.3()(64bit)libk5crypto.so.3(k5crypto_3_MIT)(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)liblber-2.4.so.2()(64bit)libldap_r-2.4.so.2()(64bit)libndr.so.0()(64bit)libndr.so.0(NDR_0.0.1)(64bit)libnspr4.so()(64bit)libnss3.so()(64bit)libnss3.so(NSS_3.2)(64bit)libnss3.so(NSS_3.4)(64bit)libnssutil3.so()(64bit)libplc4.so()(64bit)libplds4.so()(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libsamba-passdb.so.0()(64bit)libsamba-passdb.so.0(SAMBA_PASSDB_0.2.0)(64bit)libsamba-util.so.0()(64bit)libsamba-util.so.0(SAMBA_UTIL_0.0.1)(64bit)libsmbconf.so.0()(64bit)libsmbconf.so.0(SMBCONF_0)(64bit)libsmbldap.so.2()(64bit)libsmbldap.so.2(SMBLDAP_0)(64bit)libsmbldap.so.2(SMBLDAP_1)(64bit)libsmbldap.so.2(SMBLDAP_2)(64bit)libsmime3.so()(64bit)libssl3.so()(64bit)libsss_idmaplibsss_idmap.so.0()(64bit)libsss_idmap.so.0(SSS_IDMAP_0.4)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtevent.so.0()(64bit)pythonpython-libsss_nss_idmappython-sssrpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rtld(GNU_HASH)sambasamba-pythonsamba-winbindrpmlib(PayloadIsXz)4.5.4-10.el7.centos.34.5.4-10.el7.centos.33.0.4-14.6.0-14.0-14.7.05.2-1freeipa-server-trust-ad4.11.3[2*[d@ZZ̧@Zz@Z\ZV@Z1@Z%8ZYZ@Y@Y+@Y@YX@YY@Y@Y{'@Yf@YRHYJ_YBvYA%@Y7Y7Y%uYYYY @Y.XXQ@XX@XۡXP@XX,X@X|@X|@XS@XOXOXN@XX2@WW@W@WiWQW@W@WWE@W W@W~Wv[@Wj}Wj}WEWDB@WDB@W>@W@V@VVZV@U@UYU@Uݪ@Uݪ@Uݪ@UoUU(UK@Ub@UJ@UU @U hTE@T T}TTZ@TZ@Tp@T5T@TuTto@TsTl@Td@Ta@T[bTG@TG@TFJT)IT%U@T$TSS:@S2@S1oS!S!S L@S L@Sc@SS @Rb@R@R@RUR@RRx@RR=RʚRƦ@RkRv@RG@RiRz/@RxRsRo@Ro@R^RW@RNR@-@R/ R-@R(r@R7RZ@R R R@R@R@R@R@R6QQQ'@Q@QvwQu&@Qm=@QZ@QVQ(@Q@PPPPPx@Px@PnPj@P\VPG>P@@P4P.2@PP @M6@M.@M.@M.@M-M M@L!LfLNLdLLLzLe3La?@LD>@L#HL#HL@K/KՀ@KK@KKs@Kie@K`*KK@K @JJ@J@J@JJB@J{IIIm@I1Iq@IKIFFI9I1.Ih@IIP@H@HXHO@H-w@H HHH@G߮GGgGs@G@G@G@G}G}G}GG@GC@GkGDG<4G)G(n@G3G@GJF@FS@FFuF@CentOS Sources - 4.5.4-10.el7.centos.3Rob Crittenden - 4.5.4-10.el7.3Florence Blanc-Renaud - 4.5.4-10.el7.2Florence Blanc-Renaud - 4.5.4-10.el7.1Florence Blanc-Renaud - 4.5.4-10.el7Florence Blanc-Renaud - 4.5.4-9.el7Florence Blanc-Renaud - 4.5.4-8.el7Florence Blanc-Renaud - 4.5.4-7.el7Alexander Bokovoy - 4.5.4-6.el7Alexander Bokovoy - 4.5.4-5.el7Pavel Vomacka - 4.5.4-4.el7Rob Crittenden - 4.5.4-3.el7Felipe Barreto - 4.5.4-2.el7Pavel Vomacka - 4.5.4-1.el7Felipe Barreto - 4.5.0-21.el7.2.2Felipe Barreto - 4.5.0-21.el7.2Pavel Vomacka - 4.5.0-21.el7.1.2Pavel Vomacka - 4.5.0-21.el7.1.1Pavel Vomacka - 4.5.0-21.el7.1Pavel Vomacka - 4.5.0-21.el7Pavel Vomacka - 4.5.0-20.el7Pavel Vomacka - 4.5.0-19.el7Pavel Vomacka - 4.5.0-18.el7Pavel Vomacka - 4.5.0-17.el7Pavel Vomacka - 4.5.0-16.el7Pavel Vomacka - 4.5.0-15.el7Pavel Vomacka - 4.5.0-14.el7Pavel Vomacka - 4.5.0-13.el7Pavel Vomacka - 4.5.0-12.el7Jan Cholasta - 4.5.0-11.el7Jan Cholasta - 4.5.0-10.el7Jan Cholasta - 4.5.0-9.el7Jan Cholasta - 4.5.0-8.el7Jan Cholasta - 4.5.0-7.el7Pavel Vomacka - 4.5.0-6.el7Jan Cholasta - 4.5.0-5.el7Jan Cholasta - 4.5.0-4.el7Jan Cholasta - 4.5.0-3.el7Jan Cholasta - 4.5.0-2.el7Jan Cholasta - 4.5.0-1.el7Jan Cholasta - 4.4.0-14.7Jan Cholasta - 4.4.0-14.6Jan Cholasta - 4.4.0-14.5Jan Cholasta - 4.4.0-14.4Jan Cholasta - 4.4.0-14.3Jan Cholasta - 4.4.0-14.2Jan Cholasta - 4.4.0-14.1Jan Cholasta - 4.4.0-14Jan Cholasta - 4.4.0-13Petr Vobornik - 4.4.0-12Jan Cholasta - 4.4.0-11Jan Cholasta - 4.4.0-10Jan Cholasta - 4.4.0-9Jan Cholasta - 4.4.0-8Jan Cholasta - 4.4.0-7Jan Cholasta - 4.4.0-6Jan Cholasta - 4.4.0-5Jan Cholasta - 4.4.0-4Jan Cholasta - 4.4.0-3Petr Vobornik - 4.4.0-2.1Petr Vobornik - 4.4.0-2Jan Cholasta - 4.4.0-1Jan Cholasta - 4.4.0-0.2.alpha1Jan Cholasta - 4.4.0-0.1.alpha1Jan Cholasta - 4.3.1-0.201605241723GIT1b427d3.1Jan Cholasta - 4.3.1-0.201605241723GIT1b427d3Jan Cholasta - 4.3.1-0.201605191449GITf8edf37.1Jan Cholasta - 4.3.1-0.201605191449GITf8edf37Jan Cholasta - 4.2.0-16Jan Cholasta - 4.2.0-15Jan Cholasta - 4.2.0-14Jan Cholasta - 4.2.0-13Jan Cholasta - 4.2.0-12Jan Cholasta - 4.2.0-11Jan Cholasta - 4.2.0-10Jan Cholasta - 4.2.0-9Jan Cholasta - 4.2.0-8Jan Cholasta - 4.2.0-7Jan Cholasta - 4.2.0-6Jan Cholasta - 4.2.0-5Jan Cholasta - 4.2.0-4Jan Cholasta - 4.2.0-3Jan Cholasta - 4.2.0-2Jan Cholasta - 4.2.0-1Jan Cholasta - 4.2.0-0.2.alpha1Jan Cholasta - 4.2.0-0.1.alpha1Jan Cholasta - 4.1.0-18.3Alexander Bokovoy - 4.1.0-18.2Jan Cholasta - 4.1.0-18.1Martin Kosek - 4.1.0-18Jan Cholasta - 4.1.0-17Jan Cholasta - 4.1.0-16Jan Cholasta - 4.1.0-15Jan Cholasta - 4.1.0-14Jan Cholasta - 4.1.0-13Jan Cholasta - 4.1.0-12Jan Cholasta - 4.1.0-11Jan Cholasta - 4.1.0-10Jan Cholasta - 4.1.0-9Jan Cholasta - 4.1.0-8Jan Cholasta - 4.1.0-7Jan Cholasta - 4.1.0-6Jan Cholasta - 4.1.0-5Jan Cholasta - 4.1.0-4Jan Cholasta - 4.1.0-3Jan Cholasta - 4.1.0-2Jan Cholasta - 4.1.0-1Jan Cholasta - 4.1.0-0.1.alpha1Petr Vobornik - 4.0.3-3Jan Cholasta - 4.0.3-2Jan Cholasta - 4.0.3-1Martin Kosek - 3.3.3-29Martin Kosek - 3.3.3-28Martin Kosek - 3.3.3-27Martin Kosek - 3.3.3-26Martin Kosek - 3.3.3-25Martin Kosek - 3.3.3-24Martin Kosek - 3.3.3-23Martin Kosek - 3.3.3-22Martin Kosek - 3.3.3-21Martin Kosek - 3.3.3-20Martin Kosek - 3.3.3-19Martin Kosek - 3.3.3-18Martin Kosek - 3.3.3-17Martin Kosek - 3.3.3-16Daniel Mach - 3.3.3-15Martin Kosek - 3.3.3-14Martin Kosek - 3.3.3-13Martin Kosek - 3.3.3-12Martin Kosek - 3.3.3-11Martin Kosek - 3.3.3-10Martin Kosek - 3.3.3-9Martin Kosek - 3.3.3-8Daniel Mach - 3.3.3-7Martin Kosek - 3.3.3-6Martin Kosek - 3.3.3-5Martin Kosek - 3.3.3-4Martin Kosek - 3.3.3-3Martin Kosek - 3.3.3-2Martin Kosek - 3.3.3-1Martin Kosek - 3.3.2-5Martin Kosek - 3.3.2-4Martin Kosek - 3.3.2-3Martin Kosek - 3.3.2-2Martin Kosek - 3.3.2-1Martin Kosek - 3.3.1-5Martin Kosek - 3.3.1-4Martin Kosek - 3.3.1-3Martin Kosek - 3.3.1-2Rob Crittenden - 3.3.1-1Rob Crittenden - 3.3.0-7Martin Kosek - 3.3.0-6Martin Kosek - 3.3.0-5Martin Kosek - 3.3.0-4Martin Kosek - 3.3.0-3Martin Kosek - 3.3.0-2Martin Kosek - 3.3.0-1Martin Kosek - 3.3.0-0.2.beta2Martin Kosek - 3.3.0-0.1.beta2Martin Kosek - 3.2.2-1Martin Kosek - 3.2.1-1Rob Crittenden - 3.2.0-2Rob Crittenden - 3.2.0-1Rob Crittenden - 3.2.0-0.4.beta1Rob Crittenden - 3.2.0-0.3.beta1Rob Crittenden - 3.2.0-0.2.beta1Martin Kosek - 3.2.0-0.1.pre1Kevin Fenzi 3.1.2-4Kevin Fenzi - 3.1.2-3Fedora Release Engineering - 3.1.2-2Rob Crittenden - 3.1.2-1Martin Kosek - 3.1.0-2Rob Crittenden - 3.1.0-1Martin Kosek - 3.0.0-3Rob Crittenden - 3.0.0-2Rob Crittenden - 3.0.0-1Rob Crittenden - 3.0.0-0.10Martin Kosek - 3.0.0-0.9Rob Crittenden - 3.0.0-0.8Rob Crittenden - 3.0.0-0.7Rob Crittenden - 3.0.0-0.6Alexander Bokovoy - 3.0.0-0.5Rob Crittenden - 3.0.0-0.4Martin Kosek - 3.0.0-0.3Alexander Bokovoy - 3.0.0-0.2Rob Crittenden - 3.0.0-0.1Rob Crittenden - 2.2.0-1Rob Crittenden - 2.1.90-0.2Rob Crittenden - 2.1.90-0.1Alexander Bokovoy - 2.1.4-5Martin Kosek - 2.1.4-4Alexander Bokovoy - 2.1.4-3Alexander Bokovoy - 2.1.4-2Rob Crittenden - 2.1.4-1Rob Crittenden - 2.1.3-8Alexander Bokovoy - 2.1.3-7Alexander Bokovoy - 2.1.3-6Fedora Release Engineering - 2.1.3-5Alexander Bokovoy - 2.1.3-4Alexander Bokovoy - 2.1.3-3Alexander Bokovoy - 2.1.3-2Alexander Bokovoy - 2.1.3-1Alexander Bokovoy - 2.1.2-1Rob Crittenden - 2.1.0-1Simo Sorce - 2.0.1-2Rob Crittenden - 2.0.1-1Rob Crittenden - 2.0.0-1Rob Crittenden - 2.0.0-0.4.rc2Rob Crittenden - 2.0.0-0.3.rc1Rob Crittenden - 2.0.0-0.1.rc1Fedora Release Engineering - 2.0.0-0.2.beta2Rob Crittenden - 2.0.0-0.1.beta2Rob Crittenden - 2.0.0-0.2.beta.git80e87e7Rob Crittenden - 2.0.0-0.1.beta.git80e87e7Rob Crittenden - 1.99-41Adam Young - 1.99-40Simo Sorce - 1.99-39Simo Sorce - 1.99-38Rob Crittenden - 1.99-37Rob Crittenden - 1.99-36Rob Crittenden - 1.99-35Jr Aquino - 1.99-34Simo Sorce - 1.99-33Rob Crittenden - 1.99-32Rob Crittenden - 1.99-31Rob Crittenden - 1.99-30Rob Crittenden - 1.99-29Rob Crittenden - 1.99-28Rob Crittenden - 1.99-27Rob Crittenden - 1.99-26Rob Crittenden - 1.99-25Adam Young - 1.99-24Rob Crittenden - 1.99-23Rob Crittenden - 1.99-22Rob Crittenden - 1.99-21Rob Crittenden - 1.99-20Rob Crittenden - 1.99-19Jason Gerard DeRose - 1.99-18Jason Gerard DeRose - 1.99-17Jason Gerard DeRose - 1.99-16Rob Crittenden - 1.99-15Jason Gerard DeRose - 1.99-14Rob Crittenden - 1.99-13Rob Crittenden - 1.99-12Rob Crittenden - 1.99-11Rob Crittenden - 1.99-10Rob Crittenden - 1.99-9Jason Gerard DeRose - 1.99-8Rob Crittenden - 1.99-7Rob Crittenden - 1.99-6Rob Crittenden - 1.99-5Rob Crittenden - 1.99-4Rob Crittenden - 1.99-3Rob Crittenden - 1.99-2Rob Crittenden - 1.99-1Tomas Mraz - 1.2.1-3Dan Walsh - 1.2.1-2Simo Sorce - 1.2.1-1Simo Sorce - 1.2.1-0Ignacio Vazquez-Abrams - 1.2.0-4Simo Sorce - 1.2.0-3Simo Sorce - 1.2.0-2Rob Crittenden - 1.2.0-1Simo Sorce - 1.1.0-3Rob Crittenden - 1.1.0-2Rob Crittenden - 1.1.0-1Rob Crittenden - 1.0.0-5Rob Crittenden - 1.0.0-4Rob Crittenden - 1.0.0-3Rob Crittenden - 1.0.0-2Rob Crittenden - 1.0.0-1Rob Crittenden 0.99-12Rob Crittenden 0.99-11Rob Crittenden 0.99-10Rob Crittenden 0.99-9Rob Crittenden 0.99-8Rob Crittenden 0.99-7Rob Crittenden 0.99-6Rob Crittenden 0.99-5Rob Crittenden 0.99-4Rob Crittenden 0.99-3Rob Crittenden 0.99-2Rob Crittenden 0.99-1Rob Crittenden - 0.6.0-2Karl MacMillan - 0.6.0-1Karl MacMillan - 0.5.0-1Rob Crittenden - 0.4.1-2Karl MacMillan - 0.4.1-1Karl MacMillan - 0.4.0-6Rob Crittenden - 0.4.0-5Rob Crittenden - 0.4.0-4Karl MacMillan - 0.4.0-3Karl MacMillan - 0.4.0-2Karl MacMillan - 0.2.0-1Rob Crittenden - 0.1.0-3Rob Crittenden - 0.1.0-2Karl MacMillan - 0.1.0-1- Roll in CentOS Branding- Resolves: #1579190 Improve Custodia client and key distribution handling - Use single Custodia instance in installers- Resolves: #1579189 nsds5ReplicaReleaseTimeout should be set by default - Add nsds5ReplicaReleaseTimeout to replica config - Fix upgrade (update_replica_config) in single master mode - Resolves: #1579190 Improve Custodia client and key distribution handling - Use single Custodia instance in installers - Resolves: #1579203 4.5.0 -> 4.5.4 upgrade breaks in ipa-server-upgrade: No such file or directory: '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg' - Don't try to backup CS.cfg during upgrade if CA is not configured- Resolves: #1565519 Clarify the need to restart services in ipa-server-certinstall(1) - Add a notice to restart ipa services after certs are installed - Resolves: #1564390 OTP and Radius Authentication does not work in FIPS mode - Fix OTP validation in FIPS mode - Increase the default token key size - Revert "Don't allow OTP or RADIUS in FIPS mode" - Log errors from NSS during FIPS OTP key import - Resolves: #1565520 ipa client pointing to replica shows KDC has no support for encryption type - ipa-replica-install: make sure that certmonger picks the right master - Resolves: #1565605 DNS records updated with all IPAddresses of an interface when IPA server/replica try to install with Specific IP address of that interface - replica-install: pass --ip-address to client install- Resolves: #1540361 ipa-advise for smartcards is out-of-date - ipa-advise for smartcards updated- Resolves: #1458169 --force-join option is not mentioned in ipa-replica-install man page - Add --force-join into ipa-replica-install manpage - Resolves: #1457876 ipa-backup fails silently - Changed ownership of ldiffile to DS_USER - Resolves: #1409786 Second phase of --external-ca ipa-server-install setup fails when dirsrv is not running - Checks if Dir Server is installed and running before IPA installation - Resolves: #1452086 Pagination Size under Customization in IPA WebUI accepts negative values - WebUI: Add positive number validator - WebUI: change validator of page size settings - WebUI: fix jslint error- Resolves: #1477531 Incorrect attribute level rights (ipaallowedtoperform) of service object - WebUI: make keytab tables on service and host pages writable - Resolves: #1529444 ObjectclassViolation seen while adding idview with domain-resolution-order option - Idviews: fix objectclass violation on idview-add - Resolves: #1451576 ipa cert-request failed to generate certificate from csr - Fixing the cert-request comparing whole email address case-sensitively.- Resolves: #1421869 Unable to re-add broken AD trust - Unexpected Information received - adtrust: filter out subdomains when defining our topology to AD - Resolves: #1486286 IPA failing to authenticate via password+OTP on RHEL7.4 with fips enabled - Don't allow OTP or RADIUS in FIPS mode - Resolves: #1494226 IPA User Details not being displayed in WebUI - Fix cert-find for CA-less installations - Resolves: #1498387 389-ds-base crashed as part of ipa-server-intall in ipa-uuid - 389-ds-base crashed as part of ipa-server-intall in ipa-uuid - Resolves: #1503022 ipa-getkeytab man page should have more details about consequences of krb5 key renewal - ipa-getkeytab man page: add more details about the -r option - Resolves: #1509288 IPA trust-add internal error (expected security.dom_sid got None) - ipaserver/plugins/trust.py; fix some indenting issues - trust: detect and error out when non-AD trust with IPA domain name exists - ipaserver/plugins/trust.py: pep8 compliance - Resolves: #1511019 ipa-restore broken with python2 - Fix ipa-restore (python2) - Resolves: #1511607 ipa-backup does not backup Custodia keys and files - Backup ipa-custodia conf and keys - Resolves: #1512482 kra install fails after ipa cert renewed - Don't use admin cert during KRA installation - Prevent set_directive from clobbering other keys - pep8: reduce line lengths in CAInstance.__enable_crl_publish - installutils: refactor set_directive - Add tests for installutils.set_directive - Add safe DirectiveSetter context manager - Old pylint doesn't support bad python3 option - Resolves: #1514163 CA less IPA install with external certificates fails on RHEL 7 in FIPS mode - Fix ca less IPA install on fips mode- Resolves: #1520279 - rebuild against samba 4.7- Resolves: #1415162 ipa-exdom-extop plugin can exhaust DS worker threads - Resolves: #1378892 host-find slowness caused by missing host attributes in index- Resolves: #1388135 [RFE] limit the retro changelog to dns subtree. - ldap: limit the retro changelog to dns subtree - Resolves: #1427798 Use X509v3 Basic Constraints "CA:TRUE" instead of "CA:FALSE" IPA CA CSR - Include the CA basic constraint in CSRs when renewing a CA - Resolves: #1493145 ipa-replica-install might fail because of an already existing entry cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX - Checks if replica-s4u2proxy.ldif should be applied - Resolves: #1493150 [RFE] set nsslapd-ignore-time-skew: on by default - ds: ignore time skew during initial replication step - ipa-replica-manage: implicitly ignore initial time skew in force-sync - Resolves: #1500218 Replica installation at domain-level 0 fails against upgraded ipa-server - Fix ipa-replica-conncheck when called with --principal - Resolves: #1506188 server-del doesn't remove dns-server configuration from ldap- Drop workaround for building on AArch64 (#1482244) - Temporarily reduce Requires on python-netaddr to 0.7.5-7 (#1506485)- Resolves: #1461177 ipa-otptoken-import - XML file is missing PBKDF2 parameters! - Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s during search in cn=ad, cn=trusts,dc=example,dc=com - Resolves: #1467887 iommu platform support for ipxe - Resolves: #1477178 [ipa-replica-install] - 406 Client Error: Failed to validate message: Incorrect number of results (0) searching forpublic key for host - Resolves: #1478251 IPA WebUI does not work after upgrade from IPA 4.4 to 4.5 - Resolves: #1480102 ipa-server-upgrade failes with "This entry already exists" - Resolves: #1482802 Unable to set ca renewal master on replica - Resolves: #1484428 Updating from RHEL 7.3 fails with Server-Cert not found (ipa-server-upgrade) - Resolves: #1484826 FreeIPA/IdM installations which were upgraded from versions with 389 DS prior to 1.3.3.0 doesn't have whomai plugin enabled and thus startup of Web UI fails - Resolves: #1486283 TypeError in renew_ca_cert prevents from swiching back to self-signed CA - Resolves: #1469246 Replica install fails to configure IPA-specific temporary files/directories - Resolves: #1469480 bind package is not automatically updated during ipa-server upgrade process - Resolves: #1475238 Use CommonNameToSANDefault in default profile (new installs only) - Resolves: #1477703 IPA upgrade fails for latest ipa package- Use OpenJDK 8 to bootstrap on AArch64 until RH1482244 is resolved in buildroot - Resolves: #1470177 - Rebase IPA to latest 4.5.x version - Resolves: #1398594 ipa topologysuffix-verify should only warn about maximum number of replication agreements. - Resolves: #1404236 Web UI: Change "Host Based" and "Role Based" to "Host-Based" and "Role-Based" - Resolves: #1409786 Second phase of --external-ca ipa-server-install setup fails when dirsrv is not running - Resolves: #1451576 ipa cert-request failed to generate certificate from csr - Resolves: #1452086 Pagination Size under Customization in IPA WebUI accepts negative values - Resolves: #1458169 --force-join option is not mentioned in ipa-replica-install man page - Resolves: #1463186 IPA shouldn't allow objectclass if not all in lower case - Resolves: #1478322 user-show command fails when sizelimit is configured to number <= number of entity which is user member of - Resolves: #1496775 Enterprise principals should be able to trigger a refresh of the trusted domain data in the KDC - Resolves: #1502533 Changing cert-find to go through the proxy instead of using the port 8080 - Resolves: #1502663 pkinit-status command fails after an upgrade from a pre-4.5 IPA - Resolves: #1498168 Error when trying to modify a PTR record - Resolves: #1457876 ipa-backup fails silently - Resolves: #1493531 In case full PKINIT configuration is failing during server/replica install the error message should be more meaningful. - Resolves: #1449985 Suggest CA installation command in KRA installation warning- Resolves: #1477367 ipa-server-upgrade timeouts on wait_for_open ports expecting IPA services listening on IPv6 ports - Make sure upgrade also checks for IPv6 stack - control logging of host_port_open from caller - log progress of wait_for_open_ports - Resolves: #1477243 ipa help command returns traceback when no cache is present - Store help in Schema before writing to disk - Disable pylint in get_help function because of type confusion.- Resolves: #1477178 - [ipa-replica-install] - 406 Client Error: Failed to validate message: Incorrect number of results (0) searching forpublic key for host - Always check peer has keys before connecting - Resolves: #1482802 - Unable to set ca renewal master on replica - Fix ipa config-mod --ca-renewal-master - Resolves: #1486283 - TypeError in renew_ca_cert prevents from swiching back to self-signed CA - Backport PR 988 to ipa-4-5 Fix Certificate renewal (with ext ca) - Resolves: #1480102 - ipa-server-upgrade failes with "This entry already exists" - Backport PR 1008 to ipa-4-5 Fix ipa-server-upgrade: This entry already exists - Resolves: #1484826 - FreeIPA/IdM installations which were upgraded from versions with 389 DS prior to 1.3.3.0 doesn't have whomai plugin enabled and thus startup of Web UI fails - Adds whoami DS plugin in case that plugin is missing - Resolves: #1478251 - IPA WebUI does not work after upgrade from IPA 4.4 to 4.5 - Fixing how sssd.conf is updated when promoting a client to replica - Resolves: #1461177 - ipa-otptoken-import - XML file is missing PBKDF2 parameters! - ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace - Resolves: #1484428 - Updating from RHEL 7.3 fails with Server-Cert not found (ipa-server-upgrade) - Backport 4-5: Fix ipa-server-upgrade with server cert tracking- Resolves: #1477703 IPA upgrade fails for latest ipa package - Restore old version of caIPAserviceCert for upgrade only- Resolves: #1475238 Use CommonNameToSANDefault in default profile (new installs only) - Restore old version of caIPAserviceCert for upgrade only- Resolves: #1455946 Provide a tooling automating the configuration of Smart Card authentication on a FreeIPA master - smart-card advises: configure systemwide NSS DB also on master - smart-card advises: add steps to store smart card signing CA cert - Allow to pass in multiple CA cert paths to the smart card advises - add a class that tracks the indentation in the generated advises - delegate the indentation handling in advises to dedicated class - advise: add an infrastructure for formatting Bash compound statements - delegate formatting of compound Bash statements to dedicated classes - Fix indentation of statements in Smart card advises - Use the compound statement formatting API for configuring PKINIT - smart card advises: use a wrapper around Bash `for` loops - smart card advise: use password when changing trust flags on HTTP cert - smart-card-advises: ensure that krb5-pkinit is installed on client - Resolves: #1475238 Use CommonNameToSANDefault in default profile (new installs only) - Add CommonNameToSANDefault to default cert profile - Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s during search in cn=ad,cn=trusts,dc=example,dc=com - NULL LDAP context in call to ldap_search_ext_s during search- Resolves: #1469246 Replica install fails to configure IPA-specific temporary files/directories - replica install: drop-in IPA specific config to tmpfiles.d - Resolves: #1469480 bind package is not automatically updated during ipa-server upgrade process - Bumped Required version of bind-dyndb-ldap and bind package- Resolves: #1452216 Replica installation grants HTTP principal access in WebUI - Make sure we check ccaches in all rpcserver paths- Resolves: #1462112 ipaserver installation fails in FIPS mode: OpenSSL internal error, assertion failed: Digest MD4 forbidden in FIPS mode! - ipa-sam: replace encode_nt_key() with E_md4hash() - ipa_pwd_extop: do not generate NT hashes in FIPS mode - Resolves: #1377973 ipa-server-install fails when the provided or resolved IP address is not found on local interfaces - Fix local IP address validation - ipa-dns-install: remove check for local ip address - refactor CheckedIPAddress class - CheckedIPAddress: remove match_local param - Remove ip_netmask from option parser - replica install: add missing check for non-local IP address - Remove network and broadcast address warnings- Resolves: #1449189 ipa-kra-install timeouts on replica - kra: promote: Get ticket before calling custodia- Resolve: #1455946 Provide a tooling automating the configuration of Smart Card authentication on a FreeIPA master - server certinstall: update KDC master entry - pkinit manage: introduce ipa-pkinit-manage - server upgrade: do not enable PKINIT by default - Extend the advice printing code by some useful abstractions - Prepare advise plugin for smart card auth configuration - Resolve: #1461053 allow to modify list of UPNs of a trusted forest - trust-mod: allow modifying list of UPNs of a trusted forest - WebUI: add support for changing trust UPN suffixes- Resolves: #1377973 ipa-server-install fails when the provided or resolved IP address is not found on local interfaces - Only warn when specified server IP addresses don't match intf - Resolves: #1438016 gssapi errors after IPA server upgrade - Bump version of python-gssapi - Resolves: #1457942 certauth: use canonical principal for lookups - ipa-kdb: use canonical principal in certauth plugin - Resolves: #1459153 Do not send Max-Age in ipa_session cookie to avoid breaking older clients - Add code to be able to set default kinit lifetime - Revert setting sessionMaxAge for old clients- Resolves: #1442233 IPA client commands fail when pointing to replica - httpinstance: wait until the service entry is replicated - Resolves: #1456769 ipaAnchorUUID index incorrectly configured and then not indexed - Fix index definition for ipaAnchorUUID - Resolves: #1438016 gssapi errors after IPA server upgrade - Avoid possible endless recursion in RPC call - rpc: preparations for recursion fix - rpc: avoid possible recursion in create_connection - Resolves: #1446087 services entries missing krbCanonicalName attribute. - Changing cert-find to do not use only primary key to search in LDAP. - Resolves: #1452763 ipa certmaprule change not reflected in krb5kdc workers - ipa-kdb: reload certificate mapping rules periodically - Resolves: #1455541 after upgrade login from web ui breaks - kdc.key should not be visible to all - Resolves: #1435606 Add pkinit_indicator option to KDC configuration - ipa-kdb: add pkinit authentication indicator in case of a successful certauth - Resolves: #1455945 Enabling OCSP checks in mod_nss breaks certificate issuance when ipa-ca records are not resolvable - Turn off OCSP check - Resolves: #1454483 rhel73 ipa ui - cannot del server - IPA Error 903 - server_del - TypeError: 'NoneType' object is not iterable - fix incorrect suffix handling in topology checks- Resolves: #1438731 Extend ipa-server-certinstall and ipa-certupdate to handle PKINIT certificates/anchors - certdb: add named trust flag constants - certdb, certs: make trust flags argument mandatory - certdb: use custom object for trust flags - install: trust IPA CA for PKINIT - client install: fix client PKINIT configuration - install: introduce generic Kerberos Augeas lens - server install: fix KDC PKINIT configuration - ipapython.ipautil.run: Add option to set umask before executing command - certs: do not export keys world-readable in install_key_from_p12 - certs: do not export CA certs in install_pem_from_p12 - server install: fix KDC certificate validation in CA-less - replica install: respect --pkinit-cert-file - cacert manage: support PKINIT - server certinstall: support PKINIT - Resolves: #1444432 CA-less pkinit not installable with --pkinit-cert-file option - certs: do not export CA certs in install_pem_from_p12 - server install: fix KDC certificate validation in CA-less - Resolves: #1451228 ipa-kra-install fails when primary KRA server has been decommissioned - ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname - Resolves: #1451712 KRA installation fails on server that was originally installed as CA-less - ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt - Resolves: #1441499 ipa cert-show does not raise error if no file name specified - ca/cert-show: check certificate_out in options - Resolves: #1449522 Deprecate `ipa pkinit-anonymous` command in FreeIPA 4.5+ - Remove pkinit-anonymous command - Resolves: #1449523 Provide an API command to retrieve PKINIT status in the FreeIPA topology - Allow for multivalued server attributes - Refactor the role/attribute member reporting code - Add an attribute reporting client PKINIT-capable servers - Add the list of PKINIT servers as a virtual attribute to global config - Add `pkinit-status` command - test_serverroles: Get rid of MockLDAP and use ldap2 instead - Resolves: #1452216 Replica installation grants HTTP principal access in WebUI - Fix rare race condition with missing ccache file - Resolves: #1455045 Simple service uninstallers must be able to handle missing service files gracefully - only stop/disable simple service if it is installed - Resolves: #1455541 after upgrade login from web ui breaks - krb5: make sure KDC certificate is readable - Resolves: #1455862 "ipa: ERROR: an internal error has occurred" on executing command "ipa cert-request --add" after upgrade - Change python-cryptography to python2-cryptography- Resolves: #1451804 "AttributeError: 'tuple' object has no attribute 'append'" error observed during ipa upgrade with latest package. - ipa-server-install: fix uninstall - Resolves: #1445390 ipa-[ca|kra]-install with invalid DM password break replica - ca install: merge duplicated code for DM password - installutils: add DM password validator - ca, kra install: validate DM password- Resolves: #1447284 Upgrade from ipa-4.1 fails when enabling KDC proxy - python2-ipalib: add missing python dependency - installer service: fix typo in service entry - upgrade: add missing suffix to http instance - Resolves: #1444791 Update man page of ipa-kra-install - ipa-kra-install manpage: document domain-level 1 - Resolves: #1441493 ipa cert-show raises stack traces when --certificate-out=/tmp - cert-show: writable files does not mean dirs - Resolves: #1441192 Add the name of URL parameter which will be check for username during cert login - Bump version of ipa.conf file - Resolves: #1378797 Web UI must check OCSP and CRL during smartcard login - Turn on NSSOCSP check in mod_nss conf - Resolves: #1322963 Errors from AD when trying to sign ipa.csr, conflicting template on - renew agent: respect CA renewal master setting - server upgrade: always fix certmonger tracking request - cainstance: use correct profile for lightweight CA certificates - renew agent: allow reusing existing certs - renew agent: always export CSR on IPA CA certificate renewal - renew agent: get rid of virtual profiles - ipa-cacert-manage: add --external-ca-type - Resolves: #1441593 error adding authenticator indicators to host - Fixing adding authenticator indicators to host - Resolves: #1449525 Set directory ownership in spec file - Added plugins directory to ipaclient subpackages - ipaclient: fix missing RPM ownership - Resolves: #1451279 otptoken-add-yubikey KeyError: 'ipatokenotpdigits' - otptoken-add-yubikey: When --digits not provided use default value- Resolves: #1449189 ipa-kra-install timeouts on replica - ipa-kra-install: fix check_host_keys- Resolves: #1438833 [ipa-replica-install] - 406 Client Error: Failed to validate message: Incorrect number of results (0) searching forpublic key for host - Make sure remote hosts have our keys - Resolves: #1442815 Replica install fails during migration from older IPA master - Refresh Dogtag RestClient.ca_host property - Remove the cachedproperty class - Resolves: #1444787 Update warning message when KRA installation fails - kra install: update installation failure message - Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode - ipa-server-install with external CA: fix pkinit cert issuance - Resolves: #1445397 GET in KerberosSession.finalize_kerberos_acquisition() must use FreeIPA CA - kerberos session: use CA cert with full cert chain for obtaining cookie - Resolves: #1447375 ipa-client-install: extra space in pkinit_anchors definition - ipa-client-install: remove extra space in pkinit_anchors definition - Resolves: #1447703 Fix SELinux contex of http.keytab during upgrade - Use proper SELinux context with http.keytab- Resolves: #1200767 [RFE] Allow Kerberos authentication for users with certificates on smart cards (pkinit) - spec file: bump krb5 Requires for certauth fixes - Resolves: #1438729 Configure local PKINIT on DL0 or when '--no-pkinit' option is used - separate function to set ipaConfigString values on service entry - Allow for configuration of all three PKINIT variants when deploying KDC - API for retrieval of master's PKINIT status and publishing it in LDAP - Use only anonymous PKINIT to fetch armor ccache - Stop requesting anonymous keytab and purge all references of it - Use local anchor when armoring password requests - Upgrade: configure local/full PKINIT depending on the master status - Do not test anonymous PKINIT after install/upgrade - Resolves: #1442427 ipa.ipaserver.install.plugins.adtrust. update_tdo_gidnumber: ERROR Default SMB Group not found - upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is installed - Resolves: #1442932 ipa restore fails to restore IPA user - restore: restart/reload gssproxy after restore - Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode - Fix CA/server cert validation in FIPS - Resolves: #1444947 Deadlock between topology and schema-compat plugins - compat-manage: behave the same for all users - Move the compat plugin setup at the end of install - compat: ignore cn=topology,cn=ipa,cn=etc subtree - Resolves: #1445358 ipa vault-add raises TypeError - vault: piped input for ipa vault-add fails - Resolves: #1445382 ipa vault-retrieve fails to retrieve data from vault - Vault: Explicitly default to 3DES CBC - Resolves: #1445432 uninstall ipa client automount failed with RuntimeWarning - automount install: fix checking of SSSD functionality on uninstall - Resolves: #1446137 pki_client_database_password is shown in ipaserver-install.log - Hide PKI Client database password in log file- Resolves: #1443869 Command "openssl pkcs12 ..." failed during IPA upgrade - Fix CAInstance.import_ra_cert for empty passwords- Resolves: #1431520 ipa cert-find runs a large number of searches, so IPA WebUI is slow to display user details page - cert: defer cert-find result post-processing - Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit helper when installing replica - server-install: No double Kerberos install - Resolves: #1437502 ipa-replica-install fails with requirement to use --force-join that is a client install option. - Add the force-join option to replica install - replicainstall: better client install exception handling - Resolves: #1437953 Server CA-less impossible option check - server-install: remove broken no-pkinit check - Resolves: #1441160 FreeIPA client <= 4.4 fail to parse 4.5 cookies - Add debug log in case cookie retrieval went wrong - Resolves: #1441548 ipa server install fails with --external-ca option - ext. CA: correctly write the cert chain - Resolves: #1441718 Conversion of CA-less server to CA fails on CA instance spawn - Fix CA-less to CA-full upgrade - Resolves: #1442133 Do not link libkrad, liblber, libldap_r and libsss_nss_idmap to every binary in IPA - configure: fix AC_CHECK_LIB usage - Resolves: #1442815 Replica install fails during migration from older IPA master - Fix RA cert import during DL0 replication - Related: #1442004 Building IdM/FreeIPA internally on all architectures - filtering unsupported packages - Build all subpackages on all architectures- Resolves: #1382053 Need to have validation for idrange names - idrange-add: properly handle empty --dom-name option - Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit helper when installing replica - dsinstance: reconnect ldap2 after DS is restarted by certmonger - httpinstance: avoid httpd restart during certificate request - dsinstance, httpinstance: consolidate certificate request code - install: request service certs after host keytab is set up - renew agent: revert to host keytab authentication - renew agent, restart scripts: connect to LDAP after kinit - Resolves: #1436987 ipasam: gidNumber attribute is not created in the trusted domain entry - ipa-sam: create the gidNumber attribute in the trusted domain entry - Upgrade: add gidnumber to trusted domain entry - Resolves: #1438679 [ipa-replica-install] - IncorrectPasswordException: Incorrect client security database password - Add pki_pin only when needed - Resolves: #1438348 Console output message while adding trust should be mapped with texts changed in Samba. - ipaserver/dcerpc: unify error processing - Resolves: #1438366 ipa trust-fetch-domains: ValidationError: invalid 'Credentials': Missing credentials for cross-forest communication - trust: always use oddjobd helper for fetching trust information - Resolves: #1441192 Add the name of URL parameter which will be check for username during cert login - WebUI: cert login: Configure name of parameter used to pass username - Resolves: #1437879 [copr] Replica install failing - Create system users for FreeIPA services during package installation - Resolves: #1441316 WebUI cert auth fails after ipa-adtrust-install - Fix s4u2self with adtrust- Resolves: #1318186 Misleading error message during external-ca IPA master install - httpinstance: make sure NSS database is backed up - Resolves: #1331443 Re-installing ipa-server after uninstall fails with "ERROR CA certificate chain in ... incomplete" - httpinstance: make sure NSS database is backed up - Resolves: #1393726 Enumerate all available request type options in ipa cert-request help - Hide request_type doc string in cert-request help - Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping - spec file: bump libsss_nss_idmap-devel BuildRequires - server: make sure we test for sss_nss_getlistbycert - Resolves: #1437378 ipa-adtrust-install produced an error and failed on starting smb when hostname is not FQDN - adtrust: make sure that runtime hostname result is consistent with the configuration - Resolves: #1437555 ipa-replica-install with DL0 fails to get annonymous keytab - Always check and create anonymous principal during KDC install - Remove duplicate functionality in upgrade - Resolves: #1437946 Upgrade to FreeIPA 4.5.0 does not configure anonymous principal for PKINIT - Upgrade: configure PKINIT after adding anonymous principal - Remove unused variable from failed anonymous PKINIT handling - Split out anonymous PKINIT test to a separate method - Ensure KDC is propery configured after upgrade - Resolves: #1437951 Remove pkinit-related options from server/replica-install on DL0 - Fix the order of cert-files check - Don't allow setting pkinit-related options on DL0 - replica-prepare man: remove pkinit option refs - Remove redundant option check for cert files - Resolves: #1438490 CA-less installation fails on publishing CA certificate - Get correct CA cert nickname in CA-less - Remove publish_ca_cert() method from NSSDatabase - Resolves: #1438838 Avoid arch-specific path in /etc/krb5.conf.d/ipa-certmap - IPA-KDB: use relative path in ipa-certmap config snippet - Resolves: #1439038 Allow erasing ipaDomainResolutionOrder attribute - Allow erasing ipaDomainResolutionOrder attribute- Resolves: #1434032 Run ipa-custodia with custom SELinux context - Require correct custodia version- Resolves: #800545 [RFE] Support SUDO command rename - Reworked the renaming mechanism - Allow renaming of the sudorule objects - Resolves: #872671 IPA WebUI login for AD Trusted User fails - WebUI: check principals in lowercase - WebUI: add method for disabling item in user dropdown menu - WebUI: Add support for login for AD users - Resolves: #1200767 [RFE] Allow Kerberos authentication for users with certificates on smart cards (pkinit) - ipa-kdb: add ipadb_fetch_principals_with_extra_filter() - IPA certauth plugin - ipa-kdb: do not depend on certauth_plugin.h - spec file: bump krb5-devel BuildRequires for certauth - Resolves: #1264370 RFE: disable last successful authentication by default in ipa. - Set "KDC:Disable Last Success" by default - Resolves: #1318186 Misleading error message during external-ca IPA master install - certs: do not implicitly create DS pin.txt - httpinstance: clean up /etc/httpd/alias on uninstall - Resolves: #1331443 Re-installing ipa-server after uninstall fails with "ERROR CA certificate chain in ... incomplete" - certs: do not implicitly create DS pin.txt - httpinstance: clean up /etc/httpd/alias on uninstall - Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication - configure: fix --disable-server with certauth plugin - rpcserver.login_x509: Actually return reply from __call__ method - spec file: Bump requires to make Certificate Login in WebUI work - Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping - extdom: do reverse search for domain separator - extdom: improve cert request - Resolves: #1430363 [RFE] HBAC rule names command rename - Reworked the renaming mechanism - Allow renaming of the HBAC rule objects - Resolves: #1433082 systemctl daemon-reload needs to be called after httpd.service.d/ipa.conf is manipulated - tasks: run `systemctl daemon-reload` after httpd.service.d updates - Resolves: #1434032 Run ipa-custodia with custom SELinux context - Use Custodia 0.3.1 features - Resolves: #1434384 RPC client should use HTTP persistent connection - Use connection keep-alive - Add debug logging for keep-alive - Increase Apache HTTPD's default keep alive timeout - Resolves: #1434729 man ipa-cacert-manage install needs clarification - man ipa-cacert-manage install needs clarification - Resolves: #1434910 replica install against IPA v3 master fails with ACIError - Fixing replica install: fix ldap connection in domlvl 0 - Resolves: #1435394 Ipa-kra-install fails with weird output when backspace is used during typing Directory Manager password - ipapython.ipautil.nolog_replace: Do not replace empty value - Resolves: #1435397 ipa-replica-install can't install replica file produced by ipa-replica-prepare on 4.5 - replica prepare: fix wrong IPA CA nickname in replica file - Resolves: #1435599 WebUI: in self-service Vault menu item is shown even if KRA is not installed - WebUI: Fix showing vault in selfservice view - Resolves: #1435718 As a ID user I cannot call a command with --rights option - ldap2: use LDAP whoami operation to retrieve bind DN for current connection - Resolves: #1436319 "Truncated search results" pop-up appears in user details in WebUI - WebUI: Add support for suppressing warnings - WebUI: suppress truncation warning in select widget - Resolves: #1436333 Uninstall fails with No such file or directory: '/var/run/ipa/services.list' - Create temporaty directories at the begining of uninstall - Resolves: #1436334 WebUI: Adding certificate mapping data using certificate fails - WebUI: Allow to add certs to certmapping with CERT LINES around - Resolves: #1436338 CLI doesn't work after ipa-restore - Backup ipa-specific httpd unit-file - Backup CA cert from kerberos folder - Resolves: #1436342 Bump samba version, required for FIPS mode and privilege separation - Bump samba version for FIPS and priv. separation - Resolves: #1436642 [ipalib/rpc.py] - "maximum recursion depth exceeded" with ipa vault commands - Avoid growing FILE ccaches unnecessarily - Handle failed authentication via cookie - Work around issues fetching session data - Prevent churn on ccaches - Resolves: #1436657 Add workaround for pki_pin for FIPS - Generate PIN for PKI to help Dogtag in FIPS - Resolves: #1436714 [vault] cache KRA transport cert - Simplify KRA transport cert cache - Resolves: #1436723 cert-find does not find all certificates without sizelimit=0 - cert: do not limit internal searches in cert-find - Resolves: #1436724 Renewal of IPA RA fails on replica - dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function - Resolves: #1436753 Master tree fails to install - httpinstance.disable_system_trust: Don't fail if module 'Root Certs' is not available- Resolves: #1432630 python2-jinja2 needed for python2-ipaclient - Remove csrgen - Resolves: #1432903 Set GssProxy options to enable caching of ldap tickets - Add options to allow ticket caching- Resolves: #828866 [RFE] enhance --subject option for ipa-server-install - Resolves: #1160555 ipa-server-install: Cannot handle double hyphen "--" in hostname - Resolves: #1286288 Insufficient 'write' privilege to the 'ipaExternalMember' attribute - Resolves: #1321652 ipa-server-install fails when using external certificates that encapsulate RDN components in double quotes - Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on revocation reasons - Resolves: #1340880 ipa-server-install: improve prompt on interactive installation - Resolves: #1353841 ipa-replica-install fails to install when resolv.conf incomplete entries - Resolves: #1356104 cert-show command does not display Subject Alternative Names - Resolves: #1357511 Traceback message seen when ipa is provided with invalid configuration file name - Resolves: #1358752 ipa-ca-install fails on replica when IPA server is converted from CA-less to CA-full - Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication - Resolves: #1367572 improve error message in ipa migrate-ds: mention ipa config-mod --enable-migration=TRUE - Resolves: #1367868 Add options to retrieve lightweight CA certificate/chain - Resolves: #1371927 Implement ca-enable/disable commands. - Resolves: #1372202 Add Users into User Group editors fails to show Full names - Resolves: #1373091 Adding an auth indicator from the CLI creates an extra check box in the UI - Resolves: #1375596 Ipa-server WebUI - long user/group name show wrong error message - Resolves: #1375905 "Normal" group type in the UI is confusing - Resolves: #1376040 IPA client ipv6 - invalid --ip-address shows traceback - Resolves: #1376630 IDM admin password gets written to /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf - Resolves: #1376729 ipa-server-install script option --no_hbac_allow should match other options - Resolves: #1378461 IPA Allows Password Reuse with History value defined when admin resets the password. - Resolves: #1379029 conncheck failing intermittently during single step replica installs - Resolves: #1379858 [RFE] better debugging for ipa-replica-conncheck - Resolves: #1384310 ipa dnsrecord-add fails with Keyerror stack trace - Resolves: #1392778 Update man page for ipa-adtrust-install by removing --no-msdcs option - Resolves: #1392858 Rebase to FreeIPA 4.5+ - Rebase to 4.5.0 - Resolves: #1399133 Delete option shouldn't be available for hosts applied to view. - Resolves: #1399190 [RFE] Certificates issued by externally signed IdM CA should contain full trust chain - Resolves: #1400416 RFE: Provide option to take backup of IPA server before uninstalling IPA server - Resolves: #1400529 cert-request is not aware of Kerberos principal aliases - Resolves: #1401526 IPA WebUI certificates are grayed out on overview page but not on details page - Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping - Resolves: #1404750 ipa-client-install fails to get CA cert via LDAP when non-FQDN name of IPA server is first in /etc/hosts - Resolves: #1409628 [RFE] Semi-automatic integration with external DNS using nsupdate - Resolves: #1413742 Backport request for bug/issue Change IP address validation errors to warnings - Resolves: #1415652 IPA replica install log shows password in plain text - Resolves: #1427897 different behavior regarding system wide certs in master and replica. - Resolves: #1430314 The ipa-managed-entries command failed, exception: AttributeError: ldap2- Resolves: #1419735 ipa-replica-install fails promotecustodia.create_replica with cert errors (untrusted) - added ssl verification using IPA trust anchor - Resolves: #1428472 batch param compatibility is incorrect - compat: fix `Any` params in `batch` and `dnsrecord` - Renamed patches 1011 and 1012 to 0159 and 0157, as they were merged upstream- Resolves: #1416454 replication race condition prevents IPA to install - wait_for_entry: use only DN as parameter - Wait until HTTPS principal entry is replicated to replica - Use proper logging for error messages- Resolves: #1365858 ipa-ca-install fails on replica when IPA Master is installed without CA - Set up DS TLS on replica in CA-less topology - Resolves: #1398600 IPA replica install fails with dirsrv errors. - Do not configure PKI ajp redirection to use "::1" - Resolves: #1413137 CVE-2017-2590 ipa: Insufficient permission check for ca-del, ca-disable and ca-enable commands - ca: correctly authorise ca-del, ca-enable and ca-disable- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services by abusing password policy - ipa-kdb: search for password policies globally - Renamed patches 1011 and 1012 to 0151 and 0150, as they were merged upstream- Resolves: #1398670 Check IdM Topology for broken record caused by replication conflict before upgrading it - Check for conflict entries before raising domain level- Resolves: #1382812 Creation of replica for disconnected environment is failing with CA issuance errors; Need good steps. - gracefully handle setting replica bind dn group on old masters - Resolves: #1397439 ipa-ca-install on promoted replica hangs on creating a temporary CA admin - replication: ensure bind DN group check interval is set on replica config - add missing attribute to ipaca replica during CA topology update - Resolves: #1401088 IPA upgrade of replica without DNS fails during restart of named-pkcs11 - bindinstance: use data in named.conf to determine configuration status- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services by abusing password policy - password policy: Add explicit default password policy for hosts and services - Resolves: #1395311 CVE-2016-9575 ipa: Insufficient permission check in certprofile-mod - certprofile-mod: correctly authorise config update- Resolves: #1378353 Replica install fails with old IPA master sometimes during replication process - spec file: bump minimal required version of 389-ds-base - Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1 - Fix missing file that fails DL1 replica installation - Resolves: #1387782 WebUI: Services are not displayed correctly after upgrade - WebUI: services without canonical name are shown correctly - Resolves: #1389709 Traceback seen in error_log when trustdomain-del is run - trustdomain-del: fix the way how subdomain is searched- Resolves: #1318616 CA fails to start after doing ipa-ca-install --external-ca - Keep NSS trust flags of existing certificates - Resolves: #1360813 ipa-server-certinstall does not update all certificate stores and doesn't set proper trust permissions - Add cert checks in ipa-server-certinstall - Resolves: #1371479 cert-find --all does not show information about revocation - cert: add revocation reason back to cert-find output - Resolves: #1375133 WinSync users who have First.Last casing creates users who can have their password set - ipa passwd: use correct normalizer for user principals - Resolves: #1377858 Users with 2FA tokens are not able to login to IPA servers - Properly handle LDAP socket closures in ipa-otpd - Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1 - Make httpd publish its CA certificate on DL1- Resolves: #1373910 IPA server upgrade fails with DNS timed out errors. - Resolves: #1375269 ipa trust-fetch-domains throws internal error- Resolves: #1373359 ipa-certupdate fails with "CA is not configured" - Fix regression introduced in ipa-certupdate- Resolves: #1355753 adding two way non transitive(external) trust displays internal error on the console - Always fetch forest info from root DCs when establishing two-way trust - factor out `populate_remote_domain` method into module-level function - Always fetch forest info from root DCs when establishing one-way trust - Resolves: #1356101 Lightweight sub-CA certs are not tracked by certmonger after `ipa-replica-install` - Track lightweight CAs on replica installation - Resolves: #1357488 ipa command stuck forever on higher versioned client with lower versioned server - compat: Save server's API version in for pre-schema servers - compat: Fix ping command call - schema cache: Store and check info for pre-schema servers - Resolves: #1363905 man page for ipa-replica-manage has a typo in -c flag - Fix man page ipa-replica-manage: remove duplicate -c option from --no-lookup - Resolves: #1367865 webui: cert_revoke should use --cacn to set correct CA when revoking certificate - cert: include CA name in cert command output - WebUI add support for sub-CAs while revoking certificates - Resolves: #1368424 Unable to view certificates issued by Sub CA in Web UI - Add support for additional options taken from table facet - WebUI: Fix showing certificates issued by sub-CA - Resolves: #1368557 dnsrecord-add does not prompt for missing record parts internactively - dns: normalize record type read interactively in dnsrecord_add - dns: prompt for missing record parts in CLI - dns: fix crash in interactive mode against old servers - Resolves: #1370519 Certificate revocation in service-del and host-del isn't aware of Sub CAs - cert: fix cert-find --certificate when the cert is not in LDAP - Make host/service cert revocation aware of lightweight CAs - Resolves: #1371901 Use OAEP padding with custodia - Use RSA-OAEP instead of RSA PKCS#1 v1.5 - Resolves: #1371915 When establishing external two-way trust, forest root Administrator account is used to fetch domain info - do not use trusted forest name to construct domain admin principal - Resolves: #1372597 Incorrect CA ACL evaluation of SAN DNS names in certificate request - Fix CA ACL Check on SubjectAltNames - Resolves: #1373272 CLI always sends default command version - cli: use full name when executing a command - Resolves: #1373359 ipa-certupdate fails with "CA is not configured" - Fix ipa-certupdate for CA-less installation - Resolves: #1373540 client-install with IPv6 address fails on link-local address (always) - Fix parse errors with link-local addresses- Resolves: #1081561 CA not start during ipa server install in pure IPv6 env - Fix ipa-server-install in pure IPv6 environment - Resolves: #1318169 Tree-root domains in a trusted AD forest aren't marked as reachable via the forest root - trust: make sure ID range is created for the child domain even if it exists - ipa-kdb: simplify trusted domain parent search - Resolves: #1335567 Update Warning in IdM Web UI API browser - WebUI: add API browser is tech preview warning - Resolves: #1348560 Mulitple domain Active Directory Trust conflict - ipaserver/dcerpc: reformat to make the code closer to pep8 - trust: automatically resolve DNS trust conflicts for triangle trusts - Resolves: #1351593 CVE-2016-5404 ipa: Insufficient privileges check in certificate revocation - cert-revoke: fix permission check bypass (CVE-2016-5404) - Resolves: #1353936 custodia.conf and server.keys file is world-readable. - Remove Custodia server keys from LDAP - Secure permissions of Custodia server.keys - Resolves: #1358752 ipa-ca-install fails on replica when IPA server is converted from CA-less to CA-full - custodia: include known CA certs in the PKCS#12 file for Dogtag - custodia: force reconnect before retrieving CA certs from LDAP - Resolves: #1362333 ipa vault container owner cannot add vault - Fix: container owner should be able to add vault - Resolves: #1365546 External trust with root domain is transitive - trust: make sure external trust topology is correctly rendered - Resolves: #1365572 IPA server broken after upgrade - Require pki-core-10.3.3-7 - Resolves: #1367864 Server assumes latest version of command instead of version 1 for old / 3rd party clients - rpcserver: assume version 1 for unversioned command calls - rpcserver: fix crash in XML-RPC system commands - Resolves: #1367773 thin client ignores locale change - schema cache: Fallback to 'en_us' when locale is not available - Resolves: #1368754 ipa server uninstall fails with Python "Global Name error" - Fail on topology disconnect/last role removal - Resolves: #1368981 ipa otptoken-add --type=hotp --key creates wrong OTP - otptoken, permission: Convert custom type parameters on server - Resolves: #1369414 ipa server-del fails with Python stack trace - Handled empty hostname in server-del command - Resolves: #1369761 ipa-server must depend on a version of httpd that support mod_proxy with UDS - Require httpd 2.4.6-31 with mod_proxy Unix socket support - Resolves: #1370512 Received ACIError instead of DuplicatedError in stageuser_tests - Raise DuplicatedEnrty error when user exists in delete_container - Resolves: #1371479 cert-find --all does not show information about revocation - cert: add missing param values to cert-find output - Renamed patch 1011 to 0100, as it was merged upstream- Resolves: #1298288 [RFE] Improve performance in large environments. - cert: speed up cert-find - Resolves: #1317379 [EXPERIMENTAL][RFE] Web UI: allow Smart Card authentication - service: add flag to allow S4U2Self - Add 'trusted to auth as user' checkbox - Added new authentication method - Resolves: #1353881 ipa-replica-install suggests about non-existent --force-ntpd option - Don't show --force-ntpd option in replica install - Resolves: #1354441 DNS forwarder check is too strict: unable to add sub-domain to already-broken domain - DNS: allow to add forward zone to already broken sub-domain - Resolves: #1356146 performance regression in CLI help - schema: Speed up schema cache - frontend: Change doc, summary, topic and NO_CLI to class properties - schema: Introduce schema cache format - schema: Generate bits for help load them on request - help: Do not create instances to get information about commands and topics - schema cache: Do not reset ServerInfo dirty flag - schema cache: Do not read fingerprint and format from cache - Access data for help separately - frontent: Add summary class property to CommandOverride - schema cache: Read server info only once - schema cache: Store API schema cache in memory - client: Do not create instance just to check isinstance - schema cache: Read schema instead of rewriting it when SchemaUpToDate - Resolves: #1360769 ipa-server-certinstall couldnt unlock private key file - server install: do not prompt for cert file PIN repeatedly - Resolves: #1364113 ipa-password: ipa: ERROR: RuntimeError: Unable to create cache directory: [Errno 13] Permission denied: '/home/test_user' - schema: Speed up schema cache - Resolves: #1366604 `cert-find` crashes on invalid certificate data - cert: do not crash on invalid data in cert-find - Resolves: #1366612 Middle replica uninstallation in line topology works without '--ignore-topology-disconnect' - Fail on topology disconnect/last role removal - Resolves: #1366626 caacl-add-service: incorrect error message when service does not exists - Fix ipa-caalc-add-service error message - Resolves: #1367022 The ipa-server-upgrade command failed when named-pkcs11 does not happen to run during dnf upgrade - DNS server upgrade: do not fail when DNS server did not respond - Resolves: #1367759 [RFE] [webui] warn admin if there is only one IPA server with CA - Add warning about only one existing CA server - Set servers list as default facet in topology facet group - Resolves: #1367773 thin client ignores locale change - schema check: Check current client language against cached one- Resolves: #1361119 UPN-based search for AD users does not match an entry in slapi-nis map cache - support multiple uid values in schema compatibility tree- Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6 - Revert "spec: add conflict with bind-chroot to freeipa-server-dns" - Resolves: #1341249 Subsequent external CA installation fails - install: fix external CA cert validation - Resolves: #1353831 ipa-server-install fails in container because of hostnamectl set-hostname - server-install: Fix --hostname option to always override api.env values - install: Call hostnamectl set-hostname only if --hostname option is used - Resolves: #1356091 ipa-cacert-manage --help and man differ - Improvements for the ipa-cacert-manage man and help - Resolves: #1360631 ipa-backup is not keeping the /etc/tmpfiles.d/dirsrv-.conf - ipa-backup: backup /etc/tmpfiles.d/dirsrv-.conf - Resolves: #1361047 ipa-replica-install --help usage line suggests the replica file is needed - Update ipa-replica-install documentation - Resolves: #1361545 ipa-client-install starts rhel-domainname.service but does not rpm-require it - client: RPM require initscripts to get *-domainname.service - Resolves: #1364197 caacl: error when instantiating rules with service principals - caacl: fix regression in rule instantiation - Resolves: #1364310 ipa otptoken-add bytes object has no attribute confirm - parameters: move the `confirm` kwarg to Param - Resolves: #1364464 Topology graph: ca and domain adders shows question marks instead of plus icon - Fix unicode characters in ca and domain adders - Resolves: #1365083 Incomplete output returned for command ipa vault-add - client: add missing output params to client-side commands - Resolves: #1365526 build fails during "make check" - ipa-kdb: Fix unit test after packaging changes in krb5- Resolves: #1353829 traceback message seen in ipaserver-uninstall.log file. - Do not initialize API in ipa-client-automount uninstall - Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin client changes - idrange: fix unassigned global variable - Resolves: #1360792 Migrating users doesn't update krbCanonicalName - re-set canonical principal name on migrated users - Resolves: #1362012 ipa hbactest produces error about cannot concatenate 'str' and 'bool' objects - Fix ipa hbactest output - Resolves: #1362260 ipa vault-mod no longer allows defining salt - vault: add missing salt option to vault_mod - Resolves: #1362312 ipa vault-retrieve internal error when using the wrong public key - vault: Catch correct exception in decrypt - Resolves: #1362537 ipa-server-install fails to create symlink from /etc/ipa/kdcproxy/ to /etc/httpd/conf.d/ - Correct path to HTTPD's systemd service directory - Resolves: #1363756 Increase length of passwords generated by installer - Increase default length of auto generated passwords- Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos aliases) - harden the check for trust namespace overlap in new principals - Resolves: #1351142 CLI is not using session cookies for communication with IPA API - Fix session cookies - Resolves: #1353888 Fix the help for ipa otp and other topics - help: Add dnsserver commands to help topic 'dns' - Resolves: #1354406 host-del updatedns options complains about missing ptr record for host - Host-del: fix behavior of --updatedns and PTR records - Resolves: #1355718 ipa-replica-manage man page example output differs actual command output - Minor fix in ipa-replica-manage MAN page - Resolves: #1358229 Traceback message should be fixed, seen while editing winsync migrated user information in Default trust view. - baseldap: Fix MidairCollision instantiation during entry modification - Resolves: #1358849 CA replica install logs to wrong log file - unite log file name of ipa-ca-install - Resolves: #1359130 ipa-server-install command fails to install IPA server. - DNS Locations: fix update-system-records unpacking error - Resolves: #1359237 AVC on dirsrv config caused by IPA installer - Use copy when replacing files to keep SELinux context - Resolves: #1359692 ipa-client-install join fail with traceback against RHEL-6.8 ipa-server - compat: fix ping call - Resolves: #1359738 ipa-replica-install --domain= option does not work - replica-install: Fix --domain - Resolves: #1360778 Vault commands are available in CLI even when the server does not support them - Revert "Enable vault-* commands on client" - client: fix hiding of commands which lack server support - Related: #1281704 Rebase to softhsm 2.1.0 - Remove the workaround for softhsm bug #1293340 - Related: #1298288 [RFE] Improve performance in large environments. - Create indexes for krbCanonicalName attribute- Resolves: #1296140 Remove redhat-access-plugin-ipa support - Obsolete and conflict redhat-access-plugin-ipa - Resolves: #1351119 Multiple issues while uninstalling ipa-server - server uninstall fails to remove krb principals - Resolves: #1351758 ipa commands not showing expected error messages - frontend: copy command arguments to output params on client - Show full error message for selinuxusermap-add-hostgroup - Resolves: #1352883 Traceback on adding default automember group and hostgroup set - allow 'value' output param in commands without primary key - Resolves: #1353888 Fix the help for ipa otp and other topics - schema: Fix subtopic -> topic mapping - Resolves: #1354348 ipa trustconfig-show throws internal error. - allow 'value' output param in commands without primary key - Resolves: #1354381 ipa trust-add with raw option gives internal error. - trust-add: handle `--all/--raw` options properly - Resolves: #1354493 Replica install fails with old IPA master - DNS install: Ensure that DNS servers container exists - Resolves: #1354628 ipa hostgroup-add-member does not return error message when adding itself as member - frontend: copy command arguments to output params on client - Resolves: #1355856 ipa otptoken-add --type=totp gives internal error - messages: specify message type for ResultFormattingError - Resolves: #1356063 "ipa radiusproxy-add" command needs to prompt to enter secret key - expose `--secret` option in radiusproxy-* commands - prevent search for RADIUS proxy servers by secret - Resolves: #1356099 Bug in the ipapwd plugin - Heap corruption in ipapwd plugin - Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin client changes - Use server API in com.redhat.idm.trust-fetch-domains oddjob helper - Resolves: #1356964 Renaming a user removes all of his principal aliases - Preserve user principal aliases during rename operation- Resolves: #1274524 [RFE] Qualify up to 60 IdM replicas - Resolves: #1320838 [RFE] Support IdM Client in a DNS domain controlled by AD - Related: #1356134 'kinit -E' does not work for IPA user- Resolves: #1356102 Server uninstall does not stop tracking lightweight sub-CA with certmonger - uninstall: untrack lightweight CA certs - Resolves: #1351807 ipa-nis-manage config.get_dn missing - ipa-nis-manage: Use server API to retrieve plugin status - Resolves: #1353452 ipa-compat-manage command failed, exception: NotImplementedError: config.get_dn() - ipa-compat-manage: use server API to retrieve plugin status - Resolves: #1353899 ipa-advise: object of type 'type' has no len() - ipa-advise: correct handling of plugin namespace iteration - Resolves: #1356134 'kinit -E' does not work for IPA user - kdb: check for local realm in enterprise principals - Resolves: #1353072 ipa unknown command vault-add - Enable vault-* commands on client - vault-add: set the default vault type on the client side if none was given - Resolves: #1353995 Default CA can be used without a CA ACL - caacl: expand plugin documentation - Resolves: #1356144 host-find should not print SSH keys by default, only SSH fingerprints - host-find: do not show SSH key by default - Resolves: #1353506 ipa migrate-ds command fails for IPA in RHEL 7.3 - Removed unused method parameter from migrate-ds- Resolves: #747612 [RFE] IPA should support and manage DNS sites - Resolves: #826790 Disabling password expiration (--maxlife=0 and --minlife=0) in the default global_policy in IPA sets user's password expiration (krbPasswordExpiration) to be 90 days - Resolves: #896699 ipa-replica-manage -H does not delete DNS SRV records - Resolves: #1084018 [RFE] Add IdM user password change support for legacy client compat tree - Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos aliases) - Fix incorrect check for principal type when evaluating CA ACLs - Resolves: #1146860 [RFE] Offer OTP generation for host enrollment in the UI - Resolves: #1238190 ipasam unable to lookup group in directory yet manual search works - Resolves: #1250110 search by users which don't have read rights for all attrs in search_attributes fails - Resolves: #1263764 Show Certificate displays in useless format - Resolves: #1272491 [WebUI] Certificate action dropdown does not display all the options after adding new certificate - Resolves: #1292141 Rebase to FreeIPA 4.4+ - Rebase to 4.4.0 - Resolves: #1294503 IPA fails to issue 3rd party certs - Resolves: #1298242 [RFE] API compatibility - compatibility of clients - Resolves: #1298848 [RFE] Centralized topology management - Resolves: #1298966 [RFE] Extend Smart Card support - Resolves: #1315146 Multiple clients cannot join domain simultaneously: /var/run/httpd/ipa/clientcaches race condition? - Resolves: #1318903 ipa server install failing when SUBCA signs the cert - Resolves: #1319003 ipa-winsync-migrate: Traceback should be fixed with proper console output - Resolves: #1324055 IPA always qualify requests for admin - Resolves: #1328552 [RFE] Allow users to authenticate with alternative names - Resolves: #1334582 Inconsistent UI and CLI options for removing certificate hold - Resolves: #1346321 Exclude o=ipaca subtree from Retro Changelog (syncrepl) - Resolves: #1349281 Fix `Conflicts` with ipa-python - Resolves: #1350695 execution of copy-schema script fails - Resolves: #1351118 upgrade failed for RHEL-7.3 from RHEL-7.2.z - Resolves: #1351153 AVC seen on Replica during ipa-server upgrade test execution to 7.3 - Resolves: #1351276 ipa-server-install with dns cannot resolve itself to create ipa-ca entry - Related: #1343422 [RFE] Add GssapiImpersonate option- Resolves: #1348948 IPA server install fails with build ipa-server-4.4.0-0.el7.1.alpha1 - Revert "Increased mod_wsgi socket-timeout"- Resolves: #712109 "krbExtraData not allowed" is logged in DS error log while setting password for default sudo binddn. - Resolves: #747612 [RFE] IPA should support and manage DNS sites - Resolves: #768316 [RFE] ipa-getkeytab should auto-detect the ipa server name - Resolves: #825391 [RFE] Replica installation should provide a means for inheriting nssldap security access settings - Resolves: #921497 Incorrect *.py[co] files placement - Resolves: #1029640 RHEL7 IPA to add DNA Plugin config for dnaRemote support - Resolves: #1029905 389 DS cache sizes not replicated to IPA replicas - Resolves: #1196958 IPA replica installation failing with high number of users (160000). - Resolves: #1219402 IPA suggests to uninstall a client when the user needs to uninstall a replica - Resolves: #1224057 [RFE] TGS authorization decisions in KDC based on Authentication Indicator - Resolves: #1234222 [WebUI] UI error message is not appropriate for "Kerberos principal expiration" - Resolves: #1234223 [WebUI] General invalid password error message appearing for "Locked user" - Resolves: #1254267 ipa-server-install failure applying ldap updates with limits exceeded - Resolves: #1258626 realmdomains-mod --add-domain command throwing error when doamin already is in forwardzone. - Resolves: #1259020 ipa-server-adtrust-install doesn't allow NetBIOS-name=EXAMPLE-TEST.COM (dash character) - Resolves: #1260993 DNSSEC signing enablement on dnszone should throw error message when DNSSEC master not installed - Resolves: #1262747 dnssec options missing in ipa-dns-install man page - Resolves: #1265900 Fail installation immediately after dirsrv fails to install using ipa-server-install - Resolves: #1265915 idoverrideuser-find fails if any SID anchor is not resolvable anymore - Resolves: #1268027 ipa-dnskeysync-replica crash with backtrace - LimitsExceeded: limits exceeded for this query - Resolves: #1269089 Certificate of managed-by host/service fails to resubmit - Resolves: #1269200 ipa-server crashing while trying to preserve admin user - Resolves: #1271321 Reduce ioblocktimeout and idletimeout defaults - Resolves: #1271579 Automember rule expressions disappear from tables on single expression delete - Resolves: #1275816 Incomplete ports for IPA ad-trust - Resolves: #1276351 [RFE] Remove /usr/share/ipa/updates/50-lockout-policy.update file from IPA releases - Resolves: #1277109 Add tool tips for Revert, Refresh, Undo, and Undo All in the IPA UI - Resolves: #1278426 Better error message needed for invalid ca-signing-algo option - Resolves: #1279932 ipa-client-install --request-cert needs workaround in anaconda chroot - Resolves: #1282521 Creating a user w/o private group fails when doing so in WebUI - Resolves: #1283879 ipa-winsync-migrate: Traceback message should be replaced by "IPA is not configured on this system" - Resolves: #1285071 ipa-kra-install fails on replica looking for admin cert file - Resolves: #1287194 [RFE] Support of UPN for trusted domains - Resolves: #1288967 Normalize Manager entry in ipa user-add - Resolves: #1289487 Priority field missing in Password Policy detail tab - Resolves: #1291140 ipa client should configure kpasswd_server directive in krb5.conf - Resolves: #1292141 Rebase to FreeIPA 4.4+ - Rebase to 4.4.0.alpha1 - Resolves: #1298848 [RFE] Centralized topology management - Resolves: #1300576 Browser setup page includes instructions for Internet Explorer - Resolves: #1301586 ipa host-del --updatedns should remove related dns entries. - Resolves: #1304618 Residual Files After IPA Server Uninstall - Resolves: #1305144 ipa-python does not require its dependencies - Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6 - Resolves: #1313798 Console output post ipa-winsync-migrate command should be corrected. - Resolves: #1314786 [RFE] External Trust with Active Directory domain - Resolves: #1319023 Include description for 'status' option in man page for ipactl command. - Resolves: #1319912 ipa-server-install does not completely change hostname and named-pkcs11 fails - Resolves: #1320891 IPA Error 3009: Validation error: Invalid 'ptrrecord': Reverse zone in-addr.arpa. requires exactly 4 IP address compnents, 5 given - Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on revocation reasons - Resolves: #1328549 "ipa-kra-install" command reports incorrect message when it is executed on server already installed with KRA. - Resolves: #1329209 ipa-nis-manage enable: change service name from 'portmap' to 'rpcbind' - Resolves: #1329275 ipa-nis-manage command should include status option - Resolves: #1330843 'man ipa' should be updated with latest commands - Resolves: #1333755 ipa cert-request causes internal server error while requesting certificate - Resolves: #1337484 EOF is not handled for ipa-client-install command - Resolves: #1338031 Insufficient 'write' privilege on some attributes for the members of the role which has "User Administrators" privilege. - Resolves: #1343142 IPA DNS should do better verification of DNS zones - Resolves: #1347928 Frontpage exposes runtime error with no cookies enabled in browser- Resolves: #1339483 ipa-server-install fails with ERROR pkinit_cert_files - Fix incorrect rebase of patch 1001- Resolves: #1339233 CA installed on replica is always marked as renewal master - Related: #1292141 Rebase to FreeIPA 4.4+ - Rebase to 4.3.1.201605241723GIT1b427d3- Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install because of missing dependencies - Rebuild with krb5-1.14.1- Resolves: #837369 [RFE] Switch to client promotion to replica model - Resolves: #1199516 [RFE] Move replication topology to the shared tree - Resolves: #1206588 [RFE] Visualize FreeIPA server replication topology - Resolves: #1211602 Hide ipa-server-install KDC master password option (-P) - Resolves: #1212713 ipa-csreplica-manage: it could be nice to have also list-ruv / clean-ruv / abort-clean-ruv for o=ipaca backend - Resolves: #1267206 ipa-server-install uninstall should warn if no installation found - Resolves: #1295865 The Domain option is not correctly set in idmapd.conf when ipa-client-automount is executed. - Resolves: #1327092 URI details missing and OCSP-URI details are incorrectly displayed when certificate generated using IPA on RHEL 7.2up2. - Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install because of missing dependencies - Related: #1292141 Rebase to FreeIPA 4.4+ - Rebase to 4.3.1.201605191449GITf8edf37- Resolves: #1277696 IPA certificate auto renewal fail with "Invalid Credential" - cert renewal: make renewal of ipaCert atomic - Resolves: #1278330 installer options are not validated at the beginning of installation - install: fix command line option validation - Resolves: #1282845 sshd_config change on ipa-client-install can prevent sshd from starting up - client install: do not corrupt OpenSSH config with Match sections - Resolves: #1282935 ipa upgrade causes vault internal error - install: export KRA agent PEM file in ipa-kra-install - Resolves: #1283429 Default CA ACL rule is not created during ipa-replica-install - TLS and Dogtag HTTPS request logging improvements - Avoid race condition caused by profile delete and recreate - Do not erroneously reinit NSS in Dogtag interface - Add profiles and default CA ACL on migration - disconnect ldap2 backend after adding default CA ACL profiles - do not disconnect when using existing connection to check default CA ACLs - Resolves: #1283430 ipa-kra-install: fails to apply updates - suppress errors arising from adding existing LDAP entries during KRA install - Resolves: #1283748 Caching of ipaconfig does not work in framework - fix caching in get_ipa_config - Resolves: #1283943 IPA DNS Zone/DNS Forward Zone details missing after upgrade from RHEL 7.0 to RHEL 7.2 - upgrade: fix migration of old dns forward zones - Fix upgrade of forwardzones when zone is in realmdomains - Resolves: #1284413 ipa-cacert-manage renew fails on nonexistent ldap connection - ipa-cacert-renew: Fix connection to ldap. - Resolves: #1284414 ipa-otptoken-import fails on nonexistent ldap connection - ipa-otptoken-import: Fix connection to ldap. - Resolves: #1286635 IPA server upgrade fails from RHEL 7.0 to RHEL 7.2 using "yum update ipa* sssd" - Set minimal required version for openssl - Resolves: #1286781 ipa-nis-manage does not update ldap with all NIS maps - Upgrade: Fix upgrade of NIS Server configuration - Resolves: #1289311 umask setting causes named-pkcs11 issue with directory permissions on /var/lib/ipa/dnssec - DNS: fix file permissions - Explicitly call chmod on newly created directories - Fix: replace mkdir with chmod - Resolves: #1290142 Broken 7.2.0 to 7.2.z upgrade - flawed version comparison - Fix version comparison - use FFI call to rpmvercmp function for version comparison - Resolves: #1292595 In IPA-AD trust environment some secondary IPA based Posix groups are missing - ipa-kdb: map_groups() consider all results - Resolves: #1293870 User should be notified for wrong password in password reset page - Fixed login error message box in LoginScreen page - Resolves: #1296196 Sysrestore did not restore state if a key is specified in mixed case - Allow to used mixed case for sysrestore - Resolves: #1296214 DNSSEC key purging is not handled properly - DNSSEC: Improve error reporting from ipa-ods-exporter - DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP - DNSSEC: Make sure that current key state in LDAP matches key state in BIND - DNSSEC: remove obsolete TODO note - DNSSEC: add debug mode to ldapkeydb.py - DNSSEC: logging improvements in ipa-ods-exporter - DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP - DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP - DNSSEC: ipa-ods-exporter: add ldap-cleanup command - DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal - DNSSEC: Log debug messages at log level DEBUG - Resolves: #1296216 ipa-server-upgrade fails if certmonger is not running - prevent crash of CA-less server upgrade due to absent certmonger - always start certmonger during IPA server configuration upgrade - Resolves: #1297811 The ipa -e skip_version_check=1 still issues incompatibility error when called against RHEL 6 server - ipalib: assume version 2.0 when skip_version_check is enabled - Resolves: #1298289 install fails when locale is "fr_FR.UTF-8" - Do not decode HTTP reason phrase from Dogtag - Resolves: #1300252 shared certificateProfiles container is missing on a freshly installed RHEL7.2 system - upgrade: unconditional import of certificate profiles into LDAP - Resolves: #1301674 --setup-dns and other options is forgotten for using an external PKI - installer: Propagate option values from components instead of copying them. - installer: Fix logic of reading option values from cache. - Resolves: #1301687 issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup - ipa-ca-install: print more specific errors when CA is already installed - cert renewal: import all external CA certs on IPA CA cert renewal - CA install: explicitly set dogtag_version to 10 - fix standalone installation of externally signed CA on IPA master - replica install: validate DS and HTTP server certificates - replica install: improvements in the handling of CA-related IPA config entries - Resolves: #1301901 [RFE] compat tree: show AD members of IPA groups - slapi-nis: update configuration to allow external members of IPA groups - Resolves: #1305533 ipa trust-add succeded but after that ipa trust-find returns "0 trusts matched" - upgrade: fix config of sidgen and extdom plugins - trusts: use ipaNTTrustPartner attribute to detect trust entries - Warn user if trust is broken - fix upgrade: wait for proper DS socket after DS restart - Insure the admin_conn is disconnected on stop - Fix connections to DS during installation - Fix broken trust warnings - Resolves: #1321092 Installers fail when there are multiple versions of the same certificate - certdb: never use the -r option of certutil - Related: #1317381 Crash during IPA upgrade due to slapd - spec file: update minimum required version of slapi-nis - Related: #1322691 CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2113 CVE-2016-2114 CVE-2016-2115 CVE-2016-2118 samba: various flaws [rhel-7.3] - Rebuild against newer Samba version- Resolves: #1252556 Missing CLI param and ACL for vault service operations - vault: fix private service vault creation- Resolves: #1262996 ipa vault internal error on replica without KRA - upgrade: make sure ldap2 is connected in export_kra_agent_pem - Resolves: #1270608 IPA upgrade fails for server with CA cert signed by external CA - schema: do not derive ipaVaultPublicKey from ipaPublicKey- Resolves: #1217009 OTP sync in UI does not work for TOTP tokens - Fix an integer underflow bug in libotp - Resolves: #1262996 ipa vault internal error on replica without KRA - install: always export KRA agent PEM file - vault: select a server with KRA for vault operations - Resolves: #1269777 IPA restore overwrites /etc/passwd and /etc/group files - do not overwrite files with local users/groups when restoring authconfig - Renamed patch 1011 to 0138, as it was merged upstream- Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to Trusts - winsync-migrate: Convert entity names to posix friendly strings - winsync-migrate: Properly handle collisions in the names of external groups - Resolves: #1261074 Adjust Firefox configuration to new extension signing policy - webui: use manual Firefox configuration for Firefox >= 40 - Resolves: #1263337 IPA Restore failed with installed KRA - ipa-backup: Add mechanism to store empty directory structure - Resolves: #1264793 CVE-2015-5284 ipa: ipa-kra-install includes certificate and private key in world readable file [rhel-7.2] - install: fix KRA agent PEM file permissions - Resolves: #1265086 Mark IdM API Browser as experimental - WebUI: add API browser is experimental warning - Resolves: #1265277 Fix kdcproxy user creation - install: create kdcproxy user during server install - platform: add option to create home directory when adding user - install: fix kdcproxy user home directory - Resolves: #1265559 GSS failure after ipa-restore - destroy httpd ccache after stopping the service- Resolves: #1258965 ipa vault: set owner of vault container - baseldap: make subtree deletion optional in LDAPDelete - vault: add vault container commands - vault: set owner to current user on container creation - vault: update access control - vault: add permissions and administrator privilege - install: support KRA update - Resolves: #1261586 ipa config-mod addattr fails for ipauserobjectclasses - config: allow user/host attributes with tagging options - Resolves: #1262315 Unable to establish winsync replication - winsync: Add inetUser objectclass to the passsync sysaccount- Resolves: #1260663 crash of ipa-dnskeysync-replica component during ipa-restore - IPA Restore: allows to specify files that should be removed - Resolves: #1261806 Installing ipa-server package breaks httpd - Handle timeout error in ipa-httpd-kdcproxy - Resolves: #1262322 Failed to backup CS.cfg message in upgrade. - Server Upgrade: backup CS.cfg when dogtag is turned off- Resolves: #1257074 The KRA agent cert is stored in a PEM file that is not tracked - cert renewal: Include KRA users in Dogtag LDAP update - cert renewal: Automatically update KRA agent PEM file - Resolves: #1257163 renaming certificatte profile with --rename option leads to integrity issues - certprofile: remove 'rename' option - Resolves: #1257968 kinit stop working after ipa-restore - Backup: back up the hosts file - Resolves: #1258926 Remove 'DNSSEC is experimental' warnings - DNSSEC: remove "DNSSEC is experimental" warnings - Resolves: #1258929 Uninstallation of IPA leaves extra entry in /etc/hosts - Installer: do not modify /etc/hosts before user agreement - Resolves: #1258944 DNSSEC daemons may deadlock when processing more than 1 zone - DNSSEC: backup and restore opendnssec zone list file - DNSSEC: remove ccache and keytab of ipa-ods-exporter - DNSSEC: prevent ipa-ods-exporter from looping after service auto-restart - DNSSEC: Fix deadlock in ipa-ods-exporter <-> ods-enforcerd interaction - DNSSEC: Fix HSM synchronization in ipa-dnskeysyncd when running on DNSSEC key master - DNSSEC: Fix key metadata export - DNSSEC: Wrap master key using RSA OAEP instead of old PKCS v1.5. - Resolves: #1258964 revert to use ldapi to add kra agent in KRA install - Using LDAPI to setup CA and KRA agents. - Resolves: #1259848 server closes connection and refuses commands after deleting user that is still logged in - ldap: Make ldap2 connection management thread-safe again - Resolves: #1259996 AttributeError: 'NameSpace' object has no attribute 'ra_certprofile' while ipa-ca-install - load RA backend plugins during standalone CA install on CA-less IPA master- Resolves: #1254689 Storing big file as a secret in vault raises traceback - vault: Limit size of data stored in vault - Resolves: #1255880 ipactl status should distinguish between different pki-tomcat services - ipactl: Do not start/stop/restart single service multiple times- Resolves: #1256840 [webui] majority of required fields is no longer marked as required - fix missing information in object metadata - Resolves: #1256842 [webui] no option to choose trust type when creating a trust - webui: add option to establish bidirectional trust - Resolves: #1256853 Clear text passwords in KRA install log - Removed clear text passwords from KRA install log. - Resolves: #1257072 The "Standard Vault" MUST not be the default and must be discouraged - vault: change default vault type to symmetric - Resolves: #1257163 renaming certificatte profile with --rename option leads to integrity issues - certprofile: prevent rename (modrdn)- Resolves: #1249226 IPA dnssec-validation not working for AD dnsforwardzone - DNSSEC: fix forward zone forwarders checks - Resolves: #1250190 idrange is not added for sub domain - trusts: format Kerberos principal properly when fetching trust topology - Resolves: #1252334 User life cycle: missing ability to provision a stage user from a preserved user - Add user-stage command - Resolves: #1252863 After applying RHBA-2015-1554 errata, IPA service fails to start. - spec file: Add Requires(post) on selinux-policy - Resolves: #1254304 Changing vault encryption attributes - Change internal rsa_(public|private)_key variable names - Added support for changing vault encryption. - Resolves: #1256715 Executing user-del --preserve twice removes the user pernamently - improve the usability of `ipa user-del --preserve` command- Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities - user-undel: Fix error messages. - Resolves: #1200694 [RFE] Support for multiple cert profiles - Prohibit deletion of predefined profiles - Resolves: #1232819 testing ipa-restore on fresh system install fails - Backup/resore authentication control configuration - Resolves: #1243331 pkispawn fails when migrating to 4.2 server from 3.0 server - Require Dogtag PKI >= 10.2.6 - Resolves: #1245225 Asymmetric vault drops traceback when the key is not proper - Asymmetric vault: validate public key in client - Resolves: #1248399 Missing DNSSEC related files in backup - fix typo in BasePathNamespace member pointing to ods exporter config - ipa-backup: archive DNSSEC zone file and kasp.db - Resolves: #1248405 PassSync should be disabled after ipa-winsync-migrate is finished - winsync-migrate: Add warning about passsync - winsync-migrate: Expand the man page - Resolves: #1248524 User can't find any hosts using "ipa host-find $HOSTNAME" - adjust search so that it works for non-admin users - Resolves: #1250093 ipa certprofile-import accepts invalid config - Require Dogtag PKI >= 10.2.6 - Resolves: #1250107 IPA framework should not allow modifying trust on AD trust agents - trusts: Detect missing Samba instance - Resolves: #1250111 User lifecycle - preserved users can be assigned membership - ULC: Prevent preserved users from being assigned membership - Resolves: #1250145 Add permission for user to bypass caacl enforcement - Add permission for bypassing CA ACL enforcement - Resolves: #1250190 idrange is not added for sub domain - idranges: raise an error when local IPA ID range is being modified - trusts: harden trust-fetch-domains oddjobd-based script - Resolves: #1250928 Man page for ipa-server-install is out of sync - install: Fix server and replica install options - Resolves: #1251225 IPA default CAACL does not allow cert-request for services after upgrade - Fix default CA ACL added during upgrade - Resolves: #1251561 ipa vault-add Unknown option: ipavaultpublickey - validate mutually exclusive options in vault-add - Resolves: #1251579 ipa vault-add --user should set container owner equal to user on first run - Fixed vault container ownership. - Resolves: #1252517 cert-request rejects request with correct krb5PrincipalName SAN - Fix KRB5PrincipalName / UPN SAN comparison - Resolves: #1252555 ipa vault-find doesn't work for services - vault: Add container information to vault command results - Add flag to list all service and user vaults - Resolves: #1252556 Missing CLI param and ACL for vault service operations - Added CLI param and ACL for vault service operations. - Resolves: #1252557 certprofile: improve profile format documentation - certprofile-import: improve profile format documentation - certprofile: add profile format explanation - Resolves: #1253443 ipa vault-add creates vault with invalid type - vault: validate vault type - Resolves: #1253480 ipa vault-add-owner does not fail when adding an existing owner - baseldap: Allow overriding member param label in LDAPModMember - vault: Fix param labels in output of vault owner commands - Resolves: #1253511 ipa vault-find does not use criteria - vault: Fix vault-find with criteria - Resolves: #1254038 ipa-replica-install pk12util error returns exit status 10 - install: Fix replica install with custom certificates - Resolves: #1254262 ipa-dnskeysync-replica crash cannot contact kdc - improve the handling of krb5-related errors in dnssec daemons - Resolves: #1254412 when dirsrv is off ,upgrade from 7.1 to 7.2 fails with starting CA and named-pkcs11.service - Server Upgrade: Start DS before CA is started. - Resolves: #1254637 Add ACI and permission for managing user userCertificate attribute - add permission: System: Manage User Certificates - Resolves: #1254641 Remove CSR allowed-extensions restriction - cert-request: remove allowed extensions check - Resolves: #1254693 vault --service does not normalize service principal - vault: normalize service principal in service vault operations - Resolves: #1254785 ipa-client-install does not properly handle dual stacked hosts - client: Add support for multiple IP addresses during installation. - Add dependency to SSSD 1.13.1 - client: Add description of --ip-address and --all-ip-addresses to man page- Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to users in IdM - store certificates issued for user entries as - user-show: add --out option to save certificates to file - Resolves: #1145748 [RFE] IPA running with One Way Trust - Fix upgrade of sidgen and extdom plugins - Resolves: #1195339 ipa-client-install changes the label on various files which causes SELinux denials - Use 'mv -Z' in specfile to restore SELinux context - Resolves: #1198796 Text in UI should describe differing LDAP vs Krb behavior for combinations of "User authentication types" - webui: add LDAP vs Kerberos behavior description to user auth - Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities - ULC: Fix stageused-add --from-delete command - Resolves: #1200694 [RFE] Support for multiple cert profiles - certprofile-import: do not require profileId in profile data - Give more info on virtual command access denial - Allow SAN extension for cert-request self-service - Add profile for DNP3 / IEC 62351-8 certificates - Work around python-nss bug on unrecognised OIDs - Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality - Validate vault's file parameters - Fixed missing KRA agent cert on replica. - Resolves: #1225866 display browser config options that apply to the browser. - webui: add Kerberos configuration instructions for Chrome - Remove ico files from Makefile - Resolves: #1246342 Unapply idview raises internal error - idviews: Check for the Default Trust View only if applying the view - Resolves: #1248102 [webui] regression - incorrect/no failed auth messages - webui: fix regressions failed auth messages - Resolves: #1248396 Internal error in DomainValidator.__search_in_dc - dcerpc: Fix UnboundLocalError for ccache_name - Resolves: #1249455 ipa trust-add failed CIFS server configuration does not allow access to \\pipe\lsarpc - Fix selector of protocol for LSA RPC binding string - dcerpc: Simplify generation of LSA-RPC binding strings - Resolves: #1250192 Error in ipa trust-fecth-domains - Fix incorrect type comparison in trust-fetch-domains - Resolves: #1251553 Winsync setup fails with unexpected error - replication: Fix incorrect exception invocation - Resolves: #1251854 ipa aci plugin is not parsing aci's correctly. - ACI plugin: correctly parse bind rules enclosed in - Resolves: #1252414 Trust agent install does not detect available replicas to add to master - adtrust-install: Correctly determine 4.2 FreeIPA servers- Resolves: #1170770 [AD TRUST]IPA should detect inconsistent realm domains that conflicts with AD DC - trusts: Check for AD root domain among our trusted domains - Resolves: #1195339 ipa-client-install changes the label on various files which causes SELinux denials - sysrestore: copy files instead of moving them to avoind SELinux issues - Resolves: #1196656 [ipa-client][rhel71] enable debugging for spawned commands / ntpd -qgc $tmpfile hangs - enable debugging of ntpd during client installation - Resolves: #1205264 Migration UI Does Not Work When Anonymous Bind is Disabled - migration: Use api.env variables. - Resolves: #1212719 abort-clean-ruv subcommand should allow replica-certifyall: no - Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommand - Resolves: #1216935 ipa trust-add shows ipa: ERROR: an internal error has occurred - dcerpc: Expand explanation for WERR_ACCESS_DENIED - dcerpc: Fix UnboundLocalError for ccache_name - Resolves: #1222778 idoverride group-del can delete user and user-del can delete group - dcerpc: Add get_trusted_domain_object_type method - idviews: Restrict anchor to name and name to anchor conversions - idviews: Enforce objectclass check in idoverride*-del - Resolves: #1234919 Be able to request certificates without certmonger service running - cermonger: Use private unix socket when DBus SystemBus is not available. - ipa-client-install: Do not (re)start certmonger and DBus daemons. - Resolves: #1240939 Please add dependency on bind-pkcs11 - Create server-dns sub-package. - ipaplatform: Add constants submodule - DNS: check if DNS package is installed - Resolves: #1242914 Bump minimal selinux-policy and add booleans to allow calling out oddjobd-activated services - selinux: enable httpd_run_ipa to allow communicating with oddjobd services - Resolves: #1243261 non-admin users cannot search hbac rules - fix hbac rule search for non-admin users - fix selinuxusermap search for non-admin users - Resolves: #1243652 Client has missing dependency on memcache - do not import memcache on client - Resolves: #1243835 [webui] user change password dialog does not work - webui: fix user reset password dialog - Resolves: #1244802 spec: selinux denial during kdcproxy user creation - Fix selinux denial during kdcproxy user creation - Resolves: #1246132 trust-fetch-domains: Do not chown keytab to the sssd user - oddjob: avoid chown keytab to sssd if sssd user does not exist - Resolves: #1246136 Adding a privilege to a permission avoids validation - Validate adding privilege to a permission - Resolves: #1246141 DNS Administrators cannot search in zones - DNS: Consolidate DNS RR types in API and schema - Resolves: #1246143 User plugin - user-find doesn't work properly with manager option - fix broken search for users by their manager- Resolves: #1131907 [ipa-client-install] cannot write certificate file '/etc/ipa/ca.crt.new': must be string or buffer, not None - Resolves: #1195775 unsaved changes dialog internally inconsistent - Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities - Stageusedr-activate: show username instead of DN - Resolves: #1200694 [RFE] Support for multiple cert profiles - Prevent to rename certprofile profile id - Resolves: #1222047 IPA to AD Trust: IPA ERROR 4016: Remote Retrieve Error - Resolves: #1224769 copy-schema-to-ca.py does not overwrites schema files - copy-schema-to-ca: allow to overwrite schema files - Resolves: #1241941 kdc component installation of IPA failed - spec file: Update minimum required version of krb5 - Resolves: #1242036 Replica install fails to update DNS records - Fix DNS records installation for replicas - Resolves: #1242884 Upgrade to 4.2.0 fails when enabling kdc proxy - Start dirsrv for kdcproxy upgrade- Resolves: #846033 [RFE] Documentation for JSONRPC IPA API - Resolves: #989091 Ability to manage IdM/IPA directly from a standard LDAP client - Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to users in IdM - Resolves: #1115294 [RFE] Add support for DNSSEC - Resolves: #1145748 [RFE] IPA running with One Way Trust - Resolves: #1199520 [RFE] Introduce single upgrade tool - ipa-server-upgrade - Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities - Resolves: #1200694 [RFE] Support for multiple cert profiles - Resolves: #1200728 [RFE] Replicate PKI Profile information - Resolves: #1200735 [RFE] Allow issuing certificates for user accounts - Resolves: #1204054 SSSD database is not cleared between installs and uninstalls of ipa - Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to Trusts - Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality - Resolves: #1204504 [RFE] Add access control so hosts can create their own services - Resolves: #1206534 [RFE] Offer Kerberos over HTTP (kdcproxy) by default - Resolves: #1206613 [RFE] Configure IPA to be a trust agent by default - Resolves: #1209476 package ipa-client does not require package dbus-python - Resolves: #1211589 [RFE] Add option to skip the verify_client_version - Resolves: #1211608 [RFE] Generic support for unknown DNS RR types (RFC 3597) - Resolves: #1215735 ipa-replica-prepare automatically adds a DNS zone - Resolves: #1217010 OTP Manager field is not exposed in the UI - Resolves: #1222475 krb5kdc : segfault at 0 ip 00007fa9f64d82bb sp 00007fffd68b2340 error 6 in libc-2.17.so - Related: #1204809 Rebase ipa to 4.2 - Update to upstream 4.2.0 - Move /etc/ipa/kdcproxy to the server subpackage- Resolves: #1228671 pkispawn fails in ipa-ca-install and ipa-kra-install - Related: #1204809 Rebase ipa to 4.2 - Fix minimum version of slapi-nis - Require python-sss and python-sss-murmur (provided by sssd-1.13.0)- Resolves: #805188 [RFE] "ipa migrate-ds" ldapsearches with scope=1 - Resolves: #1019272 With 20000+ users, adding a user to a group intermittently throws Internal server error - Resolves: #1035494 Unable to add Kerberos principal via kadmin.local - Resolves: #1045153 ipa-managed-entries --list -p still requires DM password - Resolves: #1125950 ipa-server-install --uinstall doesn't remove port 7389 from ldap_port_t - Resolves: #1132540 [RFE] Expose service delegation rules in UI and CLI - Resolves: #1145584 ipaserver/install/cainstance.py creates pkiuser not matching uidgid - Resolves: #1176036 IDM client registration failure in a high load environment - Resolves: #1183116 Remove Requires: subscription-manager - Resolves: #1186054 permission-add does not prompt to enter --right option in interactive mode - Resolves: #1187524 Replication agreement with replica not disabled when ipa-restore done without IPA installed - Resolves: #1188195 Fax number not displayed for user-show when kinit'ed as normal user. - Resolves: #1189034 "an internal error has occurred" during ipa host-del --updatedns - Resolves: #1193554 ipa-client-automount: failing with error LDAP server returned UNWILLING_TO_PERFORM. This likely means that minssf is enabled. - Resolves: #1193759 IPA extdom plugin fails when encountering large groups - Resolves: #1194312 [ipa-python] ipalib.errors.LDAPError: failed to decode certificate: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. - Resolves: #1194633 Default trust view can be deleted in lower case - Resolves: #1196455 ipa-server-install step [8/27]: starting certificate server instance - confusing CA staus message on TLS error - Resolves: #1198263 Limit deadlocks between DS plugin DNA and slapi-nis - Resolves: #1199527 [RFE] Use datepicker component for datetime fields - Resolves: #1200867 [RFE] Make OTP validation window configurable - Resolves: #1200883 [RFE] Switch apache to use mod_auth_gssapi - Resolves: #1202998 CVE-2015-1827 ipa: memory corruption when using get_user_grouplist() [rhel-7.2] - Resolves: #1204637 slow group operations - Resolves: #1204642 migrate-ds: slow add o users to default group - Resolves: #1208461 IPA CA master server update stuck on checking getStatus via https - Resolves: #1211602 Hide ipa-server-install KDC master password option (-P) - Resolves: #1211708 ipa-client-install gets stuck during NTP sync - Resolves: #1215197 ipa-client-install ignores --ntp-server option during time sync - Resolves: #1215200 ipa-client-install configures IPA server as NTP source even if IPA server has not ntpd configured - Resolves: #1217009 OTP sync in UI does not work for TOTP tokens - Related: #1204809 Rebase ipa to 4.2 - Update to upstream 4.2.0.alpha1- [ipa-python] ipalib.errors.LDAPError: failed to decode certificate: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. (#1194312)- IPA extdom plugin fails when encountering large groups (#1193759) - CVE-2015-0283 ipa: slapi-nis: infinite loop in getgrnam_r() and getgrgid_r() (#1202998)- "an internal error has occurred" during ipa host-del --updatedns (#1198431) - Renamed patch 1013 to 0114, as it was merged upstream - Fax number not displayed for user-show when kinit'ed as normal user. (#1198430) - Replication agreement with replica not disabled when ipa-restore done without IPA installed (#1199060) - Limit deadlocks between DS plugin DNA and slapi-nis (#1199128)- Fix ipa-pwd-extop global configuration caching (#1187342) - group-detach does not add correct objectclasses (#1187540)- Wrong directories created on full restore (#1186398) - ipa-restore crashes if replica is unreachable (#1186396) - idoverrideuser-add option --sshpubkey does not work (#1185410)- PassSync does not sync passwords due to missing ACIs (#1181093) - ipa-replica-manage list does not list synced domain (#1181010) - Do not assume certmonger is running in httpinstance (#1181767) - ipa-replica-manage disconnect fails without password (#1183279) - Put LDIF files to their original location in ipa-restore (#1175277) - DUA profile not available anonymously (#1184149) - IPA replica missing data after master upgraded (#1176995)- Re-add accidentally removed patches for #1170695 and #1164896- IPA Replicate creation fails with error "Update failed! Status: [10 Total update abortedLDAP error: Referral]" (#1166265) - running ipa-server-install --setup-dns results in a crash (#1072502) - DNS zones are not migrated into forward zones if 4.0+ replica is added (#1175384) - gid is overridden by uid in default trust view (#1168904) - When migrating warn user if compat is enabled (#1177133) - Clean up debug log for trust-add (#1168376) - No error message thrown on restore(full kind) on replica from full backup taken on master (#1175287) - ipa-restore proceed even IPA not configured (#1175326) - Data replication not working as expected after data restore from full backup (#1175277) - IPA externally signed CA cert expiration warning missing from log (#1178128) - ipa-upgradeconfig fails in CA-less installs (#1181767) - IPA certs fail to autorenew simultaneouly (#1173207) - More validation required on ipa-restore's options (#1176034)- Expand the token auth/sync windows (#919228) - Access is not rejected for disabled domain (#1172598) - krb5kdc crash in ldap_pvt_search (#1170695) - RHEL7.1 IPA server httpd avc denials after upgrade (#1164896)- RHEL7.1 ipa-cacert-manage renewed certificate from MS ADCS not compatible (#1169591) - CLI doesn't show SSHFP records with SHA256 added via nsupdate (regression) (#1172578)- Throw zonemgr error message before installation proceeds (#1163849) - Winsync: Setup is broken due to incorrect import of certificate (#1169867) - Enable last token deletion when password auth type is configured (#919228) - ipa-otp-lasttoken loads all user's tokens on every mod/del (#1166641) - add --hosts and --hostgroup options to allow/retrieve keytab methods (#1007367) - Extend host-show to add the view attribute in set of default attributes (#1168916) - Prefer TCP connections to UDP in krb5 clients (#919228) - [WebUI] Not able to unprovisioning service in IPA 4.1 (#1168214) - webui: increase notification duration (#1171089) - RHEL7.1 ipa automatic CA cert renewal stuck in submitting state (#1166931) - RHEL7.1 ipa-cacert-manage cannot change external to self-signed ca cert (#1170003) - Improve validation of --instance and --backend options in ipa-restore (#951581) - RHEL7.1 ipa replica unable to replicate to rhel6 master (#1167964) - Disable TLS 1.2 in nss.conf until mod_nss supports it (#1156466)- Use NSS protocol range API to set available TLS protocols (#1156466)- schema update on RHEL-6.6 using latest copy-schema-to-ca.py from RHEL-7.1 build fails (#1167196) - Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756) - "ipa trust-add ... " cmd says : (Trust status: Established and verified) while in the logs we see "WERR_ACCESS_DENIED" during verification step. (#1144121) - POODLE: force using safe ciphers (non-SSLv3) in IPA client and server (#1156466) - Add support/hooks for a one-time password system like SecureID in IPA (#919228) - Tracebacks with latest build for --zonemgr cli option (#1167270) - ID Views: Support migration from the sync solution to the trust solution (#891984)- Improve otptoken help messages (#919228) - Ensure users exist when assigning tokens to them (#919228) - Enable QR code display by default in otptoken-add (#919228) - Show warning instead of error if CA did not start (#1158410) - CVE-2014-7850 freeipa: XSS flaw can be used to escalate privileges (#1165774) - Traceback when adding zone with long name (#1164859) - Backup & Restore mechanism (#951581) - ignoring user attributes in migrate-ds does not work if uppercase characters are returned by ldap (#1159816) - Allow ipa-getkeytab to optionally fetch existing keys (#1007367) - Failure when installing on dual stacked system with external ca (#1128380) - ipa-server should keep backup of CS.cfg (#1059135) - Tracebacks with latest build for --zonemgr cli option (#1167270) - webui: use domain name instead of domain SID in idrange adder dialog (#891984) - webui: normalize idview tab labels (#891984)- ipa-csreplica-manage connect fails (#1157735) - error message which is not understandable when IDNA2003 characters are present in --zonemgr (#1163849) - Fix warning message should not contain CLI commands (#1114013) - Renewing the CA signing certificate does not extend its validity period end (#1163498) - RHEL7.1 ipa-server-install --uninstall Could not set SELinux booleans for httpd (#1159330)- Fix: DNS installer adds invalid zonemgr email (#1056202) - ipaplatform: Use the dirsrv service, not target (#951581) - Fix: DNS policy upgrade raises asertion error (#1161128) - Fix upgrade referint plugin (#1161128) - Upgrade: fix trusts objectclass violationi (#1161128) - group-add doesn't accept gid parameter (#1149124)- Update slapi-nis dependency to pull 0.54-2 (#891984) - ipa-restore: Don't crash if AD trust is not installed (#951581) - Prohibit setting --rid-base for ranges of ipa-trust-ad-posix type (#1138791) - Trust setting not restored for CA cert with ipa-restore command (#1159011) - ipa-server-install fails when restarting named (#1162340)- Update Requires on pki-ca to 10.1.2-4 (#1129558) - build: increase java stack size for all arches - Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides (#891984) - Fix dns zonemgr validation regression (#1056202) - Handle profile changes in dogtag-ipa-ca-renew-agent (#886645) - Do not wait for new CA certificate to appear in LDAP in ipa-certupdate (#886645) - Add bind-dyndb-ldap working dir to IPA specfile - Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage (#886645) - Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756) - Deadlock in schema compat plugin (#1161131) - ipactl stop should stop dirsrv last (#1161129) - Upgrade 3.3.5 to 4.1 failed (#1161128) - CVE-2014-7828 freeipa: password not required when OTP in use (#1160877)- Do not check if port 8443 is available in step 2 of external CA install (#1129481)- Update Requires on selinux-policy to 3.13.1-4- Update to upstream 4.1.0 (#1109726)- Update to upstream 4.1.0 Alpha 1 (#1109726)- Add redhat-access-plugin-ipa dependency- Re-enable otptoken_yubikey plugin- Update to upstream 4.0.3 (#1109726)- Server installation fails using external signed certificates with "IndexError: list index out of range" (#1111320) - Add rhino to BuildRequires to fix Web UI build error- ipa-client-automount fails with incompatibility error when installed against older IPA server (#1083108)- Proxy PKI URI /ca/ee/ca/profileSubmit to enable replication with future PKI versions (#1080865)- When IdM server trusts multiple AD forests, IPA client returns invalid group membership info (#1079498)- Deletion of active subdomain range should not be allowed (#1075615)- PKI database is ugraded during replica installation (#1075118)- Unable to add trust successfully with --trust-secret (#1075704)- ipa-replica-install never checks for 7389 port (#1075165) - Non-terminated string may be passed to LDAP search (#1075091) - ipa-sam may fail to translate group SID into GID (#1073829) - Excessive LDAP calls by ipa-sam during Samba FS operations (#1075132)- Do not fetch a principal two times, remove potential memory leak (#1070924)- trustdomain-find with pkey-only fails (#1068611) - Invalid credential cache in trust-add (#1069182) - ipa-replica-install prints unexpected error (#1069722) - Too big font in input fields in details facet in Firefox (#1069720) - trust-add for POSIX AD does not fetch trustdomains (#1070925) - Misleading trust-add error message in some cases (#1070926) - Access is not rejected for disabled domain (#1070924)- Remove ipa-backup and ipa-restore functionality from RHEL (#1003933)- Display server name in ipa command's verbose mode (#1061703) - Remove sourcehostcategory from default HBAC rule (#1061187) - dnszone-add cannot add classless PTR zones (#1058688) - Move ipa-otpd socket directory to /var/run/krb5kdc (#1063850)- Lockout plugin crashed during ipa-server-install (#912725)- Fallback to global policy in ipa lockout plugin (#912725) - Migration does not add users to default group (#903232)- Mass rebuild 2014-01-24- Fix NetBIOS name generation in CLDAP plugin (#1030517)- Do not add krbPwdPolicyReference for new accounts, hardcode it (#1045218) - Increase default timeout for IPA services (#1033273) - Error while running trustdomain-find (#1054376) - group-show lists SID instead of name for external groups (#1054391) - Fix IPA server NetBIOS name in samba configuration (#1030517) - dnsrecord-mod produces missing API version warning (#1054869) - Hide trust-resolve command as internal (#1052860) - Add Trust domain Web UI (#1054870) - ipasam cannot delete multiple child trusted domains (#1056120)- Missing objectclasses when empty password passed to host-add (#1052979) - sudoOrder missing in sudoers (#1052983) - Missing examples in sudorule help (#1049464) - Client automount does not uninstall when fstore is empty (#910899) - Error not clear for invalid realm given to trust-fetch-domains (#1052981) - trust-fetch-domains does not add idrange for subdomains found (#1049926) - Add option to show if an AD subdomain is enabled/disabled (#1052973) - ipa-adtrust-install still failed with long NetBIOS names (#1030517) - Error not clear for invalid relam given to trustdomain-find (#1049455) - renewed client cert not recognized during IPA CA renewal (#1033273)- hbactest does not work for external users (#848531)- PKI service restart after CA renewal failed (#1040018)- Move ipa-tests package to separate srpm (#1032668)- Fix status trust-add command status message (#910453) - NetBIOS was not trimmed at 15 characters (#1030517) - Harden CA subsystem certificate renewal on CA clones (#1040018)- Mass rebuild 2013-12-27- Remove "Listen 443 http" hack from deployed nss.conf (#1029046) - Re-adding existing trust fails (#1033216) - IPA uninstall exits with a samba error (#1033075) - Added RELRO hardening on /usr/libexec/ipa-otpd (#1026260) - Fixed ownership of /usr/share/ipa/ui/js (#1026260) - ipa-tests: support external names for hosts (#1032668) - ipa-client-install fail due fail to obtain host TGT (#1029354)- Trust add tries to add same value of --base-id for sub domain, causing an error (#1033068) - Improved error reporting for adding trust case (#1029856)- Winsync agreement cannot be created (#1023085)- Installer did not detect different server and IPA domain (#1026845) - Allow kernel keyring CCACHE when supported (#1026861)- ipa-server-install crashes when AD subpackage is not installed (#1026434)- Update to upstream 3.3.3 (#991064)- Temporarily move ipa-backup and ipa-restore functionality back to make them available in public Beta (#1003933)- Server install failure during client enrollment shouldn't roll back (#1023086) - nsds5ReplicaStripAttrs are not set on agreements (#1023085) - ipa-server conflicts with mod_ssl (#1018172)- Reinstalling ipa server hangs when configuring certificate server (#1018804)- Deprecate --serial-autoincrement option (#1016645) - CA installation always failed on replica (#1005446) - Re-initializing a winsync connection exited with error (#994980)- Update to upstream 3.3.2 (#991064) - Add delegation info to MS-PAC (#915799) - Warn about incompatibility with AD when IPA realm and domain differs (#1009044) - Allow PKCS#12 files with empty password in install tools (#1002639) - Privilege "SELinux User Map Administrators" did not list permissions (#997085) - SSH key upload broken when client joins an older server (#1009024)- Remove dependency on python-paramiko (#1002884) - Broken redirection when deleting last entry of DNS resource record (#1006360)- Remove ipa-backup and ipa-restore functionality from RHEL (#1003933)- Replica installation fails for RHEL 6.4 master (#1004680) - Server uninstallation crashes if DS is not available (#998069)- Unable to remove replica by ipa-replica-manage (#1001662) - Before uninstalling a server, warn about active replicas (#998069)- Update to upstream 3.3.1 (#991064) - Update minimum version of bind-dyndb-ldap to 3.5- Fix replica installation failing on certificate subject (#983075)- Allow ipa-tests to work with older version (1.7.7) of python-paramiko- Prevent multilib failures in *.pyo and *.pyc files- ipa-server-install fails if --subject parameter is other than default realm (#983075) - do not allow configuring bind-dyndb-ldap without persistent search (#967876)- diffstat was missing as a build dependency causing multilib problems- Remove ipa-server-selinux obsoletes as upgrades from version prior to 3.3.0 are not allowed - Wrap server-trust-ad subpackage description better - Add (noreplace) flag for %{_sysconfdir}/tmpfiles.d/ipa.conf - Change permissions on default_encoding_utf8.so to fix ipa-python Provides- Update to upstream 3.3.0 (#991064)- Require slapi-nis 0.47.7 delivering a core feature of 3.3.0 release- Update to upstream 3.3.0 Beta 2 (#991064)- Update to upstream 3.2.2 - Drop ipa-server-selinux subpackage - Drop redundant directory /var/cache/ipa/sessions - Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost - Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency issues when there are still old parts of software (like entitlements plugin)- Update to upstream 3.2.1 - Drop dogtag-pki-server-theme requires, it won't be build for RHEL-7.0- Add OTP patches - Add patch to set KRB5CCNAME for 389-ds-base- Update to upstream 3.2.0 GA - ipa-client-install fails if /etc/ipa does not exist (#961483) - Certificate status is not visible in Service and Host page (#956718) - ipa-client-install removes needed options from ldap.conf (#953991) - Handle socket.gethostbyaddr() exceptions when verifying hostnames (#953957) - Add triggerin scriptlet to support OpenSSH 6.2 (#953617) - Require nss 3.14.3-12.0 to address certutil certificate import errors (#953485) - Require pki-ca 10.0.2-3 to pull in fix for sslget and mixed IPv4/6 environments. (#953464) - ipa-client-install removes 'sss' from /etc/nsswitch.conf (#953453) - ipa-server-install --uninstall doesn't stop dirsrv instances (#953432) - Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON behavior for socket based connections (#960222) - Require libsss_nss_idmap-python - Add Conflicts on nss-pam-ldapd < 0.8.4. The mapping from uniqueMember to member is now done automatically and having it in the config file raises an error. - Add backup and restore tools, directory. - require at least systemd 38 which provides the journal (we no longer need to require syslog.target) - Update Requires on policycoreutils to 2.1.14-37 - Update Requires on selinux-policy to 3.12.1-42 - Update Requires on 389-ds-base to 1.3.1.0 - Remove a Requires for java-atk-wrapper- Remove release from krb5-server in strict sub-package to allow for rebuilds.- Add a Requires for java-atk-wrapper until we can determine which package should be pulling it in, dogtag or tomcat.- Update to upstream 3.2.0 Beta 1- Update to upstream 3.2.0 Prerelease 1 - Use upstream reference spec file as a base for Fedora spec file- Rebuild for broken deps - Fix 389-ds-base strict dep to be 1.3.0.5 and krb5-server 1.11.1- Rebuild for broken deps in rawhide - Fix 389-ds-base strict dep to be 1.3.0.3- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild- Update to upstream 3.1.2 - CVE-2012-4546: Incorrect CRLs publishing - CVE-2012-5484: MITM Attack during Join process - CVE-2013-0199: Cross-Realm Trust key leak - Updated strict dependencies to 389-ds-base = 1.3.0.2 and pki-ca = 10.0.1- Remove redundat Requires versions that are already in Fedora 17 - Replace python-crypto Requires with m2crypto - Add missing Requires(post) for client and server-trust-ad subpackages - Restart httpd service when server-trust-ad subpackage is installed - Bump selinux-policy Requires to pick up PKI/LDAP port labeling fixes- Updated to upstream 3.1.0 GA - Set minimum for sssd to 1.9.2 - Set minimum for pki-ca to 10.0.0-1 - Set minimum for 389-ds-base to 1.3.0 - Set minimum for selinux-policy to 3.11.1-60 - Remove unneeded dogtag package requires- Update Requires on krb5-server to 1.11- Configure CA replication to use TLS instead of SSL- Updated to upstream 3.0.0 GA - Set minimum for samba to 4.0.0-153. - Make sure server-trust-ad subpackage alternates winbind_krb5_locator.so plugin to /dev/null since they cannot be used when trusts are configured - Restrict krb5-server to 1.10. - Update BR for 389-ds-base to 1.3.0 - Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca - Add Requires on zip for generating FF browser extension- Updated to upstream 3.0.0 rc 2 - Include new FF configuration extension - Set minimum Requires of selinux-policy to 3.11.1-33 - Set minimum Requires dogtag to 10.0.0-0.43.b1 - Add new optional strict sub-package to allow users to limit other package upgrades.- Require samba packages instead of obsoleted samba4 packages- Updated to upstream 3.0.0 rc 1 - Update BR for 389-ds-base to 1.2.11.14 - Update BR for krb5 to 1.10 - Update BR for samba4-devel to 4.0.0-139 (rc1) - Add BR for python-polib - Update BR and Requires on sssd to 1.9.0 - Update Requires on policycoreutils to 2.1.12-5 - Update Requires on 389-ds-base to 1.2.11.14 - Update Requires on selinux-policy to 3.11.1-21 - Update Requires on dogtag to 10.0.0-0.33.a1 - Update Requires on certmonger to 0.60 - Update Requires on tomcat to 7.0.29 - Update minimum version of bind to 9.9.1-10.P3 - Update minimum version of bind-dyndb-ldap to 1.1.0-0.16.rc1 - Remove Requires on authconfig from python sub-package- Rebuild against samba4 beta8- Rebuild against samba4 beta7- Adopt to samba4 beta6 (libsecurity -> libsamba-security) - Add dependency to samba4-winbind- Updated to upstream 3.0.0 beta 2- Updated to current upstream state of 3.0.0 beta 2 development- Rebuild against samba4 beta4- Updated to upstream 3.0.0 beta 1- Updated to upstream 2.2.0 GA - Update minimum n-v-r of certmonger to 0.53 - Update minimum n-v-r of slapi-nis to 0.40 - Add Requires in client to oddjob-mkhomedir and python-krbV - Update minimum selinux-policy to 3.10.0-110- Update to upstream 2.2.0 beta 1 (2.1.90.rc1) - Set minimum n-v-r for pki-ca and pki-silent to 9.0.18. - Add Conflicts on mod_ssl - Update minimum n-v-r of 389-ds-base to 1.2.10.4 - Update minimum n-v-r of sssd to 1.8.0 - Update minimum n-v-r of slapi-nis to 0.38 - Update minimum n-v-r of pki-* to 9.0.18 - Update conflicts on bind-dyndb-ldap to < 1.1.0-0.9.b1 - Update conflicts on bind to < 9.9.0-1 - Drop requires on krb5-server-ldap - Add patch to remove escaping arguments to pkisilent- Update to upstream 2.2.0 alpha 1 (2.1.90.pre1)- Force to use 389-ds 1.2.10-0.8.a7 or above - Improve upgrade script to handle systemd 389-ds change - Fix freeipa to work with python-ldap 2.4.6- Fix ipa-replica-install crashes - Fix ipa-server-install and ipa-dns-install logging - Set minimum version of pki-ca to 9.0.17 to fix sslget problem caused by FEDORA-2011-17400 update (#771357)- Allow Web-based migration to work with tightened SE Linux policy (#769440) - Rebuild slapi plugins against re-enterant version of libldap- Allow longer dirsrv startup with systemd: - IPAdmin class will wait until dirsrv instance is available up to 10 seconds - Helps with restarts during upgrade for ipa-ldap-updater - Fix pylint warnings from F16 and Rawhide- Update to upstream 2.1.4 (CVE-2011-3636)- Update SELinux policy to allow ipa_kpasswd to connect ldap and read /dev/urandom. (#759679)- Fix wrong path in packaging freeipa-systemd-upgrade- Introduce upgrade script to recover existing configuration after systemd migration as user has no means to recover FreeIPA from systemd migration - Upgrade script: - recovers symlinks in Dogtag instance install - recovers systemd configuration for FreeIPA's directory server instances - recovers freeipa.service - migrates directory server and KDC configs to use proper keytabs for systemd services- Rebuilt for glibc bug#747377- clean up spec - Depend on sssd >= 1.6.2 for better user experience- Fix Fedora package changelog after merging systemd changes- Fix postin scriplet for F-15/F-16- 2.1.3- Default to systemd for Fedora 16 and onwards- Update to upstream 2.1.0- Fix bug #702633- Update minimum selinux-policy to 3.9.16-18 - Update minimum pki-ca and pki-selinux to 9.0.7 - Update minimum 389-ds-base to 1.2.8.0-1 - Update to upstream 2.0.1- Update to upstream GA release - Automatically apply updates when the package is upgraded- Update to upstream freeipa-2.0.0.rc2 - Set minimum version of python-nss to 0.11 to make sure IPv6 support is in - Set minimum version of sssd to 1.5.1 - Patch to include SuiteSpotGroup when setting up 389-ds instances - Move a lot of BuildRequires so this will build with ONLY_CLIENT enabled- Set the N-V-R so rc1 is an update to beta2.- Set minimum version of sssd to 1.5.1 - Update to upstream freeipa-2.0.0.rc1 - Move server-only binaries from admintools subpackage to server- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Set min version of 389-ds-base to 1.2.8 - Set min version of mod_nss 1.0.8-10 - Set min version of selinux-policy to 3.9.7-27 - Add dogtag themes to Requires - Update to upstream freeipa-2.0.0.pre2- Remove unnecessary moving of v1 CA serial number file in post script - Add Obsoletes for server-selinxu subpackage - Using git snapshot 442d6ad30ce1156914e6245aa7502499e50ec0da- Prepare spec file for release - Using git snapshot 80e87e75bd6ab56e3e20c49ece55bd4d52f1a503- Re-arrange doc and defattr to clean up rpmlint warnings - Remove conditionals on older releases - Move some man pages into admintools subpackage - Remove some explicit Requires in client that aren't needed - Consistent use of buildroot vs RPM_BUILD_ROOT- Moved directory install/static to install/ui- Remove dependency on nss_ldap/nss-pam-ldapd - The official client is sssd and that's what we use by default.- Remove radius subpackages- Set minimum pki-ca and pki-silent versions to 9.0.0- Drop BuildRequires on mozldap-devel- Add Requires on krb5-pkinit-openssl- Add ipa-host-net-manage script- Add ipa init script- Set minimum level of 389-ds-base to 1.2.7 for enhanced memberof plugin- remove ipa-fix-CVE-2008-3274- Remove duplicate %files entries on share/ipa/static - Add python default encoding shared library- Drop requires on python-configobj (not used any more) - Drop ipa-ldap-updater message, upgrades are done differently now- Drop conflicts on mod_nss - Require nss-pam-ldapd on F-14 or higher instead of nss_ldap (#606847) - Drop a slew of conditionals on older Fedora releases (< 12) - Add a few conditionals against RHEL 6 - Add Requires of nss-tools on ipa-client- Set minimum version of certmonger to 0.26 (to pck up #621670) - Set minimum version of pki-silent to 1.3.4 (adds -key_algorithm) - Set minimum version of pki-ca to 1.3.6 - Set minimum version of sssd to 1.2.1- Add BuildRequires for authconfig- Bump up minimum version of python-nss to pick up nss_is_initialize() API- Removed python-asset based webui- Change Requires from fedora-ds-base to 389-ds-base - Set minimum level of 389-ds-base to 1.2.6 for the replication version plugin.- Drop Requires of python-krbV on ipa-client- Load ipa_dogtag.pp in post install- Set minimum level of sssd to 1.1.1 to pull in required hbac fixes.- No need to create /var/log/ipa_error.log since we aren't using TurboGears any more.- Fixed share/ipa/wsgi.py so .pyc, .pyo files are included- Added Require mod_wsgi, added share/ipa/wsgi.py- Require python-wehjit >= 0.2.2- Add sssd and certmonger as a Requires on ipa-client- Require python-wehjit >= 0.2.0- Add ipa-rmkeytab tool- Set minimum of python-pyasn1 to 0.0.9a so we have support for the ASN.1 Any type- Remove v1-style /etc/ipa/ipa.conf, replacing with /etc/ipa/default.conf- Add bash completion script and own /etc/bash_completion.d in case it doesn't already exist- Remove ipa_webgui, its functions rolled into ipa_httpd- Removed python-cherrypy from BuildRequires and Requires - Added Requires python-assets, python-wehjit- Added httpd SELinux policy so CRLs can be read- Move ipalib to ipa-python subpackage - Bump minimum version of slapi-nis to 0.15- Set 0.14 as minimum version for slapi-nis- Add Requires: python-nss to ipa-python sub-package- Remove the IPA DNA plugin, use the DS one- Build radius separately - Fix a few minor issues- Replace TurboGears requirement with python-cherrypy- rebuild with new openssl- Fix SELinux code- Fix breakage caused by python-kerberos update to 1.1- New upstream release 1.2.1- Rebuild for Python 2.6- Respin after the tarball has been re-released upstream New hash is 506c9c92dcaf9f227cba5030e999f177- Conditionally restart also dirsrv and httpd when upgrading- Update to upstream version 1.2.0 - Set fedora-ds-base minimum version to 1.1.3 for winsync header - Set the minimum version for SELinux policy - Remove references to Fedora 7- Fix for CVE-2008-3274 - Fix segfault in ipa-kpasswd in case getifaddrs returns a NULL interface - Add fix for bug #453185 - Rebuild against openldap libraries, mozldap ones do not work properly - TurboGears is currently broken in rawhide. Added patch to not build the UI locales and removed them from the ipa-server files section.- Add call to /usr/sbin/upgradeconfig to post install- Update to upstream version 1.1.0 - Patch for indexing memberof attribute - Patch for indexing uidnumber and gidnumber - Patch to change DNA default values for replicas - Patch to fix uninitialized variable in ipa-getkeytab- Set fedora-ds-base minimum version to 1.1.0.1-4 and mod_nss minimum version to 1.0.7-4 so we pick up the NSS fixes. - Add selinux-policy-base(post) to Requires (446496)- Add missing entry for /var/cache/ipa/kpasswd (444624) - Added patch to fix permissions problems with the Apache NSS database. - Added patch to fix problem with DNS querying where the query could be returned as the answer. - Fix spec error where patch1 was in the wrong section- Added patch to fix problem reported by ldapmodify- Fix Requires for krb5-server that was missing for Fedora versions > 9 - Remove quotes around test for fedora version to package egg-info- Update to upstream version 1.0.0- Pull upstream changelog 722 - Add Conflicts mod_ssl (435360)- Pull upstream changelog 698 - Fix ownership of /var/log/ipa_error.log during install (435119) - Add pwpolicy command and man page- Pull upstream changelog 678 - Add new subpackage, ipa-server-selinux - Add Requires: authconfig to ipa-python (bz #433747) - Package i18n files- Pull upstream changelog 641 - Require minimum version of krb5-server on F-7 and F-8 - Package some new files- Marked with wrong license. IPA is GPLv2.- Ensure that /etc/ipa exists before moving user-modifiable html files there - Put html files into /etc/ipa/html instead of /etc/ipa- Pull upstream changelog 608 which renamed several files- package the sessions dir /var/cache/ipa/sessions - Pull upstream changelog 597- Updated upstream pull (596) to fix bug in ipa_webgui that was causing the UI to not start.- Included LICENSE and README in all packages for documentation - Move user-modifiable content to /etc/ipa and linked back to /usr/share/ipa/html - Changed some references to /usr to the {_usr} macro and /etc to {_sysconfdir} - Added popt-devel to BuildRequires for Fedora 8 and higher and popt for Fedora 7 - Package the egg-info for Fedora 9 and higher for ipa-python- Added auto* BuildRequires- Unified spec file- Fixed License in specfile - Include files from /usr/lib/python*/site-packages/ipaserver- Version bump for release- Preverse mode on ipa-keytab-util - Version bump for relase and rpm name change- Broke invididual Requires and BuildRequires onto separate lines and reordered them - Added python-tgexpandingformwidget as a dependency - Require at least fedora-ds-base 1.1- Version bump for release- Add dep for freeipa-admintools and acl- Add dependency for python-krbV- Require mod_nss-1.0.7-2 for mod_proxy fixes- Convert to autotools-based build* Fri Sep 7 2007 Karl MacMillan - 0.3.0-1 - Added support for libipa-dna-plugin- Added support for ipa_kpasswd and ipa_pwd_extop- Abstracted client class to work directly or over RPC- Add mod_auth_kerb and cyrus-sasl-gssapi to Requires - Remove references to admin server in ipa-server-setupssl - Generate a client certificate for the XML-RPC server to connect to LDAP with - Create a keytab for Apache - Create an ldif with a test user - Provide a certmap.conf for doing SSL client authentication- Initial rpm version/bin/sh/bin/sh/bin/shfreeipa-server-trust-ad 4.5.44.5.4-10.el7.centos.34.5.4-10.el7.centos.34.5.4 oddjob-ipa-trust.confoddjobd-ipa-trust.confwinbind_krb5_locator.soipasam.socom.redhat.idm.trust-fetch-domainsipa-adtrust-installipa-server-trust-ad-4.5.4Contributors.txtREADME.mdsmb.conf.emptyipa-server-trust-ad-4.5.4COPYINGipa-adtrust-install.1.gz/etc/dbus-1/system.d//etc/oddjobd.conf.d//usr/lib64/krb5/plugins/libkrb5//usr/lib64/samba/pdb//usr/libexec/ipa/oddjob//usr/sbin//usr/share/doc//usr/share/doc/ipa-server-trust-ad-4.5.4//usr/share/ipa//usr/share/licenses//usr/share/licenses/ipa-server-trust-ad-4.5.4//usr/share/man/man1/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericcpioxz2x86_64-redhat-linux-gnuexported SGML document, ASCII textXML 1.0 document, ASCII textemptyELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=5fbe445229589e23e4535f25ce3ad026971d47b0, strippedPython script, ASCII text executabledirectoryUTF-8 Unicode textASCII texttroff or preprocessor input, ASCII text (gzip compressed data, from Unix, max compression)./.RR+R)RRR.R/R-R4RRRR R RR R6R%R RR'RR(R7R5R,R&R*R3RRRRRRR1R0RR!R#R"RR$RR R>RRpython2 -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1 if [ $? -eq 0 ]; then # NOTE: systemd specific section /bin/systemctl try-restart httpd.service >/dev/null 2>&1 || : # END fi/bin/sh?7zXZ !#,2] b2u Q{Kf>@l q[ V!} mM̀U֥ɃJ(Ƞ:1^Ɔ*WpomVL4kNl4s!^oCHR۲RzNuѯNDni[VY!h + K`~qo.TEuh~=I{ ?닾Ku oQC4| /N`%' %g<GM nyAgWf.>nɪ "SuK+}( {ĹNb>aƵmT{7Eu +$D-A &A#"<,DĻXd*C:IQ)e{2\td@).,He>OAIԬn\kŪ鏯R/<5 '+ JS|W]uwHa VXa&)hk۶CeAd}:imڞ0}t4(AY} ~NG|ztRԎz"VL/(._dŋ)3@Kz$1"/hR!6-J'"(Z~ꨚhJ[7kMkٽ`ihl%(Nڧc.R{xnoe}U\E+# _qი/L-an r V!m'VhGo\v=>_>EUA0lA˭M(cV\/Wz Ou>h42rŠ=<h)5rv#¥*۹|` *|s6[= &'o/8gRW%JW,O:濧nNܒ4V[vJ4w*|i\b , .7o@z2hG:*9(ՠY̒ w8-%+0\EF%䥼DF&=4;)Ox!n-;նa=F!<#2A]FO3"n}0+-E@Le\M+C !-m޳)@b2* {1(>|ntacG5 sMC2-ꃨE#RSK&b5h. w Zʅ9tu(^f֢^Dwuvo7ߤKNvyZEpIII S+g!2"(f[a|OP`M8N3Fj5NҢ,!yU~7%Kg+Lesj]I ~$枅.,X?~u>c$wyXnZʽi\ ܸ9yƻwt}* X"3v+?'jxH)0/W"pXs `o8v DΤ޺¬f53'I$xoEXfJCsD|܄Љ _ l AI=SX>L2CYZqWs}NV\)M3<Ȓu"ķnWZT EW|'x\4F7<;>)|GoºBƅ^o$z[k)qH*l!TGh]')mk@h()zE^}AY'0x;r 'TK+,*8);Bg<eaK S3V$MJ{-(Έ(4VI}[Ꟍ3z8QمmY3I @od_:[,{,e#Uu'M.K.[xN)%6:%$3eԏw;%x&'ΉXmF0<æߩsT,˩6"4H_}B) @YHc'oJ?Y{q4ir˹= 08|^rna"b*!o:BQi9#F ItoY@D'Gb-2$¶7|%6b焃EюgED1Smá?,Wơ@72#@`(9anˮnđ6ص~vwMOyv3G*Hkzrb5|g#@j_kx}BZa#.Dbo7R:szZfQo48TerʸY2n%Z `C!־ID*U=so<c2@0ki6d]H" +\ZO BOrDe>X˗3N&t% ${ o頎w{) B4fǽzsKH$,퓍>cs`81{kP?1Tj _}[.Lp;sZD-Ial/q9\ۈ܃'"h1TX`U#;▍ta?Rܟp Z ,dUAwZ?j 8.rtDO#4w)h'ƕQc9:Xn0w c?-"L vI"mFx':!a LV\ilԵBY~c 8 D*癍5x^XL^B14=ګ4$7ڛX8=k94J`yڬ  ;R{,GvVa|ICL)s_$M|vr,.tlwJw#5wR5v>={$Q8n) vKbo76Fa,(@+No9㻰QRϰQ|yŘ2U"kL^fYGHn ԷͪV(cmQNY6N^3D#P(׉ݓ8I~>n(12(a͇&/Uл2E.{4$-H3SV/M:~$`Z~V&/A>h[1U7LыKG!ր5ږr/{Uq32ϓGt߃W0uyVT!s$n%!ކ6h&lprsƣW1(qsUށQ^M&|./#;ƙǓ?:psi s$匜7U%|t菋R*v2 ;#g~bD=WE,AYĉJɬP> c"#VAĦôXhs.燉z\;V|eOmԨWL5pt~)(#9\ txɰ 3 ?g ^;PKšw(GtƱ͂Bݣ"MmVik)C-4|Y]iX&6,hX(ٺ`7DVMJulD*eHb=-ĮP#8œR_Nr QWvqDl3le =3E2Ad ) ]Pc_}u`K]I3|}؊ktosU6HQhrقYTD[6VO R!]R,(fV)cJEKO0y 9wW{9TSP0n;J"{,MIBZx$!?ljy\Y G gduNp(v,']3yT࠶1OBȦ&=S:6X Z#k>V&~pa>Lk6<>o%X}Tc\Cnoxeݤ *xKn׏8! DЈe|F~(/xM9жX6 -zHO/HCo'`Q M*&Q}s?9AEAWqK,$%B>$eM)ԟ(EcQm#):L+bń>~_kR.lu5x>8 y{ˋItIg~2׀}z]'B+kw{qfWal]I)XQWoGnXuZ3((?!ITjdeX3\$(^L `Z\Uk aC7Wt:N!c7nL])l[+EES 8?U42+r1S_?z"?dyqõ䵗"w-)o ꖇ Yb3q,,QkuSݙ U `ݷ9z4~e:ގ8D,^h6外WpSkn?$ypnM8[5N"b`2k-GՏ"#y|@6pSAuvL$z8ʃ %׺MP1`ԋjyW5ޢ`!].Fi9B@R2WҜf# kbUos$X{r ohV);ľ&+gb3.F&q֪3_lM9kȸ$S)J@)Aج fࣛŶQs—Ji:2چW@Y@h'V* :{xJAl5"͟v^4 @DqH8@΄݂˕^lН }k5c5W*0? UH+a;YcF´7\5qt].lѫ*B$q44caU]ԈXw m;!lJ ^14!Ɔ2 ' c3i : rEёZ~/PД#,Pl+؈A)#GˠO{u:"|uxމ_{: 9T[w p"#D"'VpHKhG cRP}i@őB~lFR֫LI"=Ԉ&FmNi\;1p!r6q@;rkҡxw!{iԋy uězܖ "=C-uٵq^c}Qajw5s}*m%ɇobj́ =g',>V{w_P KN(G OEЏŸYdO&M-Rav@V/X=`饻vHK,,k{bt BIEib'a]Gb-JWz)CM"Ƕn^+NFɚ$ - Y؀냶[:2nf%y ᅴ h<voBj@"Wj/zlUEmLm/ "Py*ৠt`Y VAS~d䠶T5#ĪnDh}ݺBYw N7°m 0,">8""}d1,H=fIհ7g{Wj[Gl|;8Y1dU R'{(tv*:..+8Se~`5FI-xÇҨ-["Юtl*BG>+/]*hzW6~&kN[&_F1†+x#闣TF]\={{*]q# leC5jUTYKj&CQL/pyY90SF.Dr2\3^ 8i!IXWu34#n#k,X"wzbur4.2:z QEJʓ용; %~ܧKEB}~XG?70Tgc{sDyYgUF%zG>y hrMaOJp9YKh&ntcʪ2. yº^|tXE&?0c#7XBn5j\ZœRla{4xhH%.QGM=kljqR=HP}2m =âOs$Tdާ]‘ER~մgUEx@Kr]֒OM\tKR74F'gv\Oո\ V`~x*L$@ u:\Ĉ4Fյ2C>mԽȱ0뵭აp^`u "z5+Ic'g O^4!HE;:'׿Ӓj"]oܖ+'w8;, Ls3Nj:%w%i$p2;r\0L6BrcPJQ%|-~ Eq?P}׿^_`ܛeM)VO^6 }=代cl;[~7' x%{+h7# ut?I)[k}Ff{ a4 $/]_|O5ava -S7o7h/爐^mŐBM5]2T|7iZ%4H,T,qE>vDSCx*DgVܰkxȡ1z\g: -^".TS،s:X7o7W/$DH/i}Gjٚzk7$` VMfLf $OX]2Ь/8F{ ɺU!,D<[LHQoH3G{^y<Ӳt+8,0@HԊ/!K5 ez_= ) {3ōm^\] h2Q ҝt^B3{x1?c~a,OR4%-] %8那7|hq?DJ6k̋wq/Y?e_|P)3Vg> l8J( GUdp6s,Ƀ<ԊNtIhp5s _%:zʛ鮎oP~CfupN)ƍ1:)Ut|0GAHY3II(V bttTd/ (tFTØTi Uk$Ӣ>/ R[Po5~gܢ<g'ڨ3Vsoi(AϨbT=x5}Ss&8KH>%zI;k}oӖi²g0?Pø1h>Ce6x, Мh4ieqT` u}t~ŕ2֨vt]?"%FW'C+r@a"Lj lXr U8@*CPn zKhO-]ʩU؄ 9/rP(S!IhS˼\*7%H1ߣWa@)aI<gu59\pB)LϢgul-oskvx@6FxDJ|:mօ7f޳[X's:k(Nط>-x¨¡ ,RޏF0Ove~x7 ]8Ү_1z +aRu`w6\l=J&ul8A/A^v]ADYWɘ{| E$6Nh=):cP;h*LS J@2p]آh^\'5U^<Fqz7 {W?}nhy/6=X0Dg z8/S.P<>*(JCzw@yڙj*[%HKjZS‹Yx$a93/\.S3.%zCe7?1_mvAOT TbюG$h[͈ 4[ƃ`n ԛ(yJD 0[|h?qyFwѬg i熭\ԷQ"ߥH_6U2w_uLaSCڱ^8+‚9:nPVB~'AL51^^mut^U^1 Fњ@^.r󶔇hz e#gzK7q c%[_V!O>,sơ ic`ۑ`Imu0A*9](!+prW$տvzi؇R?-PC4m7e0rcjYi+T!qDDk}m_OV"?Ӱp}Ͻ($.15ԉjT|WVxqfZO!xoN4yXI\Q2-Ľ2pjFS'S8z>Ӱlzh.N-ZDTH,Tif?<%ަe.5Rz+SyQ6a1dL 讜bazG zrW |||:jnz~'ȸQƏ^iufOo~Z׈OZK.k.Yv-I5FNw"O$p#ƐߛV츠;%%v4(ɩõ"gቆ¦)F.[!)iruve8%j|_EE@0.xN̟DNl#+HTح,f|#8I;FWߏ=pd&-)EE5GbTC;P0Wl>s[3H)X|솚ʌ_H+[}a߂%,FR],^:JcH }ɶc'duETyYhyt6ew"W`f{eٳ7@QI6͹1ͺ&"NFl X}րL!D Cz{,|,~wz2fXXIL 3':wm_F%!hv6J-=Ʊk1ūW{w=̝Y葪 sbZ1&{U r![a$_ɍ BŬ;}l7aP e76mg%~ 3A5۬f5DhȜQ% .猭-/(_N]e7N>u}"p&[sU+dyCǤƓ'fJǗl.xNm"SxqD, Kf<RB*D  £fR[ukĹv5\e[,:A~i:J`d*:c1+۾x+[%2B;L 3}GRZ>bIU52u6@]y;]|9pk..p?:7p {i8hi^4⹷XN@&G6W- ci}%bPEu_'Z˼|Ze{@4[GCi-+bR~|$InG4=͗4&Nۼ֑$j$>j~on&E`E4jlI1jud7ވpP["Ya=M iU[: !q|ܠ- 5 !3d?56QP0-'uv:[*^>5:p%5 pbp$E/H4aK g\pu~DH̼f>&ei#f [DRLp%X5/BQLj*X߅(J ;BsNG$:{]=#uij/9xV3.KzV'v괌dLRe^LqthHPXjzgڄ>jegt:hU bx}ޅaq =~Jڕu=5n0ǫ:03p餤I |0s~`O]};QEE:]Zs;'Ӕ tv%=cKEުw Ч:ꂘ |I[c%-}')K[(p ZOm<TCp<{pxfb <˝frߨ~4?D{S)_[sBebitDge.bT%܂FX0]2r瞕UN9(~P*7̰>p<`Fac˥@c[,AŽ2q"+`ГR_u&cf"T J m]|"J||R(u@'lF{KP_%x,Lby<0 lI1LOKG*kA,ݫ>㔾CĖܞ ʮ<&YAAcn+l"Ql{T(t來N}?{epEoW'WMM$(ox9fס̭yh%9sC˃氀"GCS8p-`= Xhϴ ?`ɵlp_osqAU~Q7gxF9g$lXIq2[fHjG _b=J4%¿?oP{b#L ݟ[d؛)> Imȣ nC(v_[A Arf=j~*R֍0j1{j0pEu`5]%|TπaBH"mDzO z+y9R蚲_00BJ(Ym9e}z,MIC3€e]]}X3dѓId'*1.a}^7XQ=S*" atgJ: Џ&ѷQ)bfg@Rٸ9gf6  <0 tgd@Q/v;##: \t1^&.3 OPq5$ O rMlb( zn xN,OTxRa!7wF2 UVJ+rs, 3;ĩ9__€Jxeh!)b O7o14/A,7tNzyS4Q,УiqxSMo}c?x&gU^NV,rH"~(OZeK;X#)ݧ CPF񰨪 .v٨ `㖩J_L}G:~/UY*pW[E>7JdwKl t6}A+"kp#p\puNw̚3^p̃Yj(Q">bm U(eJ㬜%S 6LCF: _z|NPBQOw2BuT.,߬_=0k"䮜 $8<N A~d-qNR2oao6kbEψQ %Fy YxCH K6HWm4ZdKm@^mWu_Q5?6%J*Hώ n݀뇩Z{Gt@& YF:h QoWiMcVBh D\S~j?T$ a*!d g{f.L E=%BT33ke0)n"E#y0Ed~FmMb @yADm"3Մn<JuvdG k, 㣅tVρX^pqGG̈́\y?џz F\n2ota;r*hM*';?:+z?*8}6im>:AHUKXc"q-% X{EtHYk.$J79Ix|o>FT 8 YNC"zbW6AP9]˔V$fwGw//4PјFzY}gPȄ(_ sSfFRXQ T `x҇ERp(far"1X_stLҙ%3sX]rb4P3pya0Oμ=]."ZF>XC*ժwNܵ{>^;'/:X0|xA ihn"Hsk`CY}h" Q RE^JɊFsn{~f7}kB?#x|$:7{+rPB>Tݛ:=@-Rl=B ilղ;YQtӟUnSM\͠:k*fckqZȎifE68R6MB2))M ӈNDcY~ԽϥQ>PE@J81`rE$$ߔ֋ ~EGq,]D$}YeZoZLj!-n w~xpU읇{pKiK=&< SxZU)Xcm9dp-[A!KYG+zLZZ.Ganj`ß5[9){M,ЌKZHb-jJDaRL %X5J)-ZwbؓN_]vHW7Ɯ z&b%\@YNu'yIkĞ<c\yeE̻d;9(%V"{\[-d:,.2[ 8-`S7t?`M7k,@W`-v{Be#7v{a2/Z9 jf/awT2Πu8 `zgIYLPTJ`* ueWDڭy_eѓ - M*qdoW@Ā'YkUq'[?T`RNtg ܈@Kx5?Gc%dz,+s>gD^i>.| LgG )F7d$,t,T>VXmt2Jm#gS\Op:WH661;z" R+xNǔG5)\E5"*^U(A? 1MY`@)VaFH]bjqiݓuG򑃈c"Č$g_=ǍLP$@W/Q'>ZmwѳEi E'O[x[$nP.-\i9-a^'" ?Tf\xMeL)lueāxZY}FUMSk-,0#n,<Qk}5𪔇yU$!c3 YАPa͚R5W*(+} pQ4=KF8Soǹ콝W؅l5,b.-#ڛ R~"pvx+g20zl1al e98 Ǣ:7'#Ƀ-V8Bi_Q`}^ n{(XC('q Cyޕ/;V\^hJ K /Dժ}k Rv 2_0shQI$ceDFn(`Az|g0;tREھ7TB8gwî;8޾gzO:cC8=/lF" s "HLX)??9ݙp~OQg%d ky )c",6 o*yp:DŽZ.I\n1D€,bNE;H#w)!h)&·l#@0Myg?! Mݵ QL@S+ oDCAҿpd.+ ,4>>A%Ik{wnh^0 ,$:w^GV <Z0rL}v>+CeoM BK8V02ZEL̑QCa$ }<E&%,gi˝s+QƎݖ(ip;̔EjL6JuOHvW/iFs.Ck>_k y=SS%#Ć'mH5jy4,k)Ȇcq*O~6*|)Ax<g(/0{-$t~D L)SsFWn&D 6阏ote=;rHRuPw{4dlyY{#5,!vC'1&̼ӒR`Nڬu%2 v^Pw@_dܦV].  8PIHgU D׷bi 'f~˼#tꌻiދ7W`͝*)~}6eнwХ.d\Dy,O.Gź:eΦُds'1'h $E}I Ķ6O+(i}=39 K=Cn1oNU-o8.훩RY4yO^HA?/k[kf"Ƒh,=X%~"Z rIgF,FgP"ybDJ n|zm1S<| _AFR=ӾעʬjW?e܍K$wi QZ½ռ-/%R yxtFgTe{ӆHx%{'nLo)ds:yHĆAgS?P­ء..h*[oJ7eG_X'E Td0y3ytl[ukJ* &vGPQ KdW+/v;6Snw`~CN=sM=86l ػ+m? RB Zv,c̢ L$E ]ўiq#X1ӽ&R<2> b@t c4װn(s !YEx}%bFkfͭ/ dEz58DOUoeFW%r`j@i#;b su}4{>GuO $TJuaޖ/q5āJ6H!zbSg 4OUAQoe!sG`L~WoQJon,rB7 vPONQywҕqX~Y&7z$Z/M.S qȇj23 $;G'?*1 XI8~V d8!>Ox ]UEjZ3dK8_'`+9s|e%kX(V B aGf#pʔZ(!W_6-p6N \֟_{X#d?4'Ć_- 2zܮoKФXY-`"3Kw Ǡ{R}x 2gq5@TR3qaZkWFA<-MُGtꕮM/ uZڡ@' LmYZc+cȫDV|rFxPt4˲4 Ow?X^SFG|G"Q3'ں#[cʜH9L)j@VOL\e%,G.B,VeLvaiػ M( 5GfjjH̐+!%ԪM;!]_5X0S#oTrNѓ"$Yא~a,J7N6ޜZJeA!;mFvy-*U^>ӹd&Yd(@?ř%. $P6kO჆̒}vm7ufGRϤ:It$-sXS(ոID<+0mBЊ2` <,gL1GW@m?AgopV52 i$HXcd1IVy/3 +w &2v<;r(YC6wSd0K?uXBR"x;g֚}=eMѾRR dٲvjaqlKR?E@g(yytNDܶ[m0٦FxkXeb},-L@a(|% ݘvn[. |?D*v*ݶu5.q:APfy4Y mx/ɾU  KÈiڶxOyO+ek^ @9w |yt P>L:^HԿDV3m^Cl<. 'ꙣ'ck2aPhHh(5l4CW H^Fn-|gyzG0o8hE+X"Klׂ"iwM㻵At%W԰N9&_vƅxy "KM͊Ƙ"ԀsivlV޼4mx #rе2c>OFgZPTaq%ޔ%/ol\-FJN qBS? h]07µM.y\4m5|U(6col!6X Yn rs4Oq]\,å@"viJKHn ?`w #:ƺ *4|V3WFpl/@!`v7/,[ A@bD,n-HY{8޹Hd"R׽5NHVԏuv|-Ff|y" W|^-s Bs,Rz#UA!YFo!YƫX7amݶZQBm w Zhv o 'ORJYY2'%?P0*9QV5#<}r=8Oi>kVEDro康 [>P?w0ڙT8Z:_6>/&o뉑DN a;fQ 7PN8_UfȒ|pP}aUpDzYmi֒z5zɴoYx bj°@CmZ'jANI8 _Ou_k} װv4=rRTvz> %sȥ0E厯"5vow6 UkI.hWxx4$84y$2ELm d3~)#+/a 6<ܧuC)օ{ zpAj@ l٧+g{޼HLJ3vJ󫒾'LeG/eVgw"w/NڶrV>1n=IK(].tdž|8^}ų\(EjUWZ0v a8הjdn"khug óO[u* N Bc #%KpDP*LnWK!W W=F|\.+|5 ~ d!Iʫ|!W#^V0bؖ\v[Ζhfn*WBfGdz˂\csf# 3s4Rd4 K&\dqdR5Ds˃eGI1Ji` | \ 1ch10EdK ]`,Ra6<'JݸV":F˺%*q^>kZK!ȈlXPzЩu6-04}dUD **x-|;6h?Tfh&pS2.?Q;jku~sɩ+MkۓLNʅMQe;+Zʰ򘀒m-?֩xO(3sA1ƠEfenLDaIwi'HǼf4mrSƏ Jqg#ӓbhB\L_w}?2O<\Ͻh:C+-U,hKcŧE fݜu^OTɕ4'N!״tD9^<y=%мEIe;$AN'4 WwO{hip?"~ߟ"/hp5<v6l`m-Ck$3{HlQ zD551: 7jkꞳZH^OI\n^7~8$wFT9ͫZSO(CR|yP b̭\`(go? r@i`뒏)?NmdrY[iI2ʛ쨾BMѿ-^;RҀ~A}\5E !Cʱ(F=حFu" 8): . kNaݲT3vVJ8V*݈EQ`UƮ+v!*RM#ڰvjGl1GqLܔJmsbU_iXdK!E6r`yJ^0_euo 3p( &3 #?G; TXVjP^CEw72X,{4&DM-I3ͺ. %J_#sddBm,T)EܠXj)CμOeq`!8SDBNqieH 6advIWX8b4+A~D>遜璽 `:XplH kjY eoƾ^otL}jbɃk'B@'JaGQ4le ^Th@vP:fl'S,czVd]5'PS"ev ~.T pD܏k2j@DZ.t]) 2!k8rSI',  ^Y1xDA@+4bQMi=z}Q5@e)1fpmu\n^FJCkCXS/hy0mTJIMFN/ETrjW3р[62ojguBjB@Vr l>~0[B? iHl-bxt3Q `*i>c D *쎫ͻ%S+ 1 aRFjrqy&ͧuqR=@i{^Q P;c (^R_ןJ\<v)iv/ڜp/jR_G!kPF  55̨¡yɱ^>Nx(wKs]^}H*K2!`LЄ_9B wbd#NA2(t|VM -jlPG%4о'${xKpa(77Qj ΧHA9:=۷fEtڥCX3'(=eJo4% uJwMWt*qYRmaڹA +8zG`YIVWÜ!tF 6q {}ktȋV8ƢQ|@ϓenRfl:irn:ݠeZ+<q)KK!*rDB[й钜ȋNPg:fqUª*?2}1N ]tI!k:B57BR;fRW0fH!>gHgYkTsnl&f"{9pGDѰ;O4!8rƃߦ1']RSt6I0Înq9!3p‹$Epiڧ)MG68&7frc̏[Fat)D|U64!] J@iKMԬ`_?;]0G8F M8 kHl8%ee(@xZHZT e6n5C4dyx aur.qwÈ+_`$L귅LNO`GsIS^IJi/np]Pvs8{HO3J2k' T*3Wߪg1QB 9u%&a ZS:NSrT$aƬ⎩!uh+nBw6akr9B'mä76qPHLC6q"Pe_otZ .HLIqΣK\s니)wרy~U0l |&ndg?^G]%qͯ}͝JU}J[fDSjU &DŽ$U #iX;hxLzo~cAvE!3 OA@<$wYfoY.SU[%1jU,Kѷv@AI )͢8)qh%ɒMI`o4nGritpp.akc1޳IkPh *zV)Ӯ2Xj3~J$p)oO1roXc2ibsfKZˉ& "KcvX4|#qF-P4cL Բ3(nS  %Rp A 7>+|lYl 6DTN.CS.%"M;ӔC͒?+HZkx ksmUvxrq^C)!E2Agol1v> 8eckT萣~XeLPr_GytSP[3 , sLƁmHIPf۶QB~.4r9-^22 51kĐЌ " a8)a9Ex<DȢ J*٧ho0vɖ =_D Ĺ,%uQЪg{&&6v"O8+ǽH墻{ Bʬ k;gi [بL#OV-&k=N< BI ľ̤v$ Ws5>E1{L<ܱ39\ce )w aAT$!N"B 0 _Y QF5w_ -d=:k,@hÂw=kx( Zd5l\l2ꦙccHE(4VŷAOlta oi__'ǂ]`tc7J`1p Zb'""c鍰/:F[8rG[++.o/r\+YF7Rj%`󽎟c(1XΦEbv*1FZnuE%SU:%;-O(馀~ǿ1Bb.5%kEr c;_æUvtN LnщU1X@v< (3 [4Z<X#F}6̸{髧߈ᑘ)K9amyɴ~^u3~%G#08xtdLͮ̉e!n2R.Ìph :lXxB.~ ]`dOr}O}8|?͔٢-I^La?ʀ)M=!3|z]g)џL4O,Tޙq8_,&yb`EHyvl#.jb%H>?ѼC ?3)E>d()_mǓ.7=6G-f"-ZIA,9`5KWcBڪ4}zxYDxlݸx>CBq5<лRr9],|& 7O9 +?%+)O0r|?.:g& K^_}Ínj{vcQ=XD`FAЗAǐQ2i.HF޶+bAgRfzoqҵ\ɑQg￾X9Ҥb=KXX[KvMq.ڱ2pV$)y5K0L2@s6c8ojA{o|0˔ :ƤsVŤz? sx~8 髍{ DxN_4G#yia({hNxur d8Kjgg}nKx;]W9uh=aA(Q2[T?Bޤ>ox;3ـ[V}9Q}$H|f9ou;= ^" 2ۗK2DE7b|{;-I`RB> ?MSpk4m!ϛg_QXPRPVku9pJ{ό/eu6A?6N`JW'`P/R-XEik^ -C5Ǐد?:$*$lke w:6ΚbzQZ!Lq5R,3)ַawlEnwgXM激?v ={4.;K 1MeFNuJl/c'j"!T4MW.~1̊ƿt.kpy;|gb$X7c'bO44Ž&gJ>rqu"FZGCؘ/rH79NUE T`,'-o՜Kb{Sub]Hn(vi;2ixxHQ70Ų p8dPg%2^Ęo)\(hOzwִx} T7bsy:ɥr&?'+:t# %?2;DSu/ ?wܐ0b [LK$eИJgNp`_ 2;>mI>םq `4Q&X:{ @} ~d>+ЗD§C Ќ(XCҮ<<@Ѧ|ݾZVnOal qJ4W+p v]~>jf SJ~F}Ɖ hCF{_?-V~V/f f#1D|Өt%~w]=Fa/&>ǞxyŚ\Nv}EE]Q-I8g`^q4qX¤>+`6Cٯ rq; %?]B~F[=GЦ,}y"X?4t_A8q0 aq~0q2#N=$ =z`=y55n$A;J!ȝL !;~,*Eƒ\#+Qhd7`![u),Kņvf[YNsBtT&HGV 7*fv=kPB+G_ouC)tdM8eJKykU.t&y&CoÝZbK*OԀiޢBzCx>dꭘeuIފBK"gt@adV轳ͬ~RN3c2Qfg}fȜ>Ux& VȍI7.XqK$>‘YW#rK r ,z6c/{`q!`zߪkM<)Vo&d)됥n>$by :0){GnG#BUhUP6kFJQ4pk i}@vsXfWZBDU~YMxա.|< IK5nSVx0>=!HU T!NJA+^N7Ef$R88uR  KrH&ypSxfv`F3jKnb[y wa-=M߁ZO[ډ-[E|@c:רb)DNB37e';8$(etnAG|g$gGe,YK\U-rI/d+fbW]t/jYD+`1> 3/8ˌTf'{CLJ,\ nƁu*\Pۦ1<8r@ׂZ%txt]7+6gٝH'2:be6őO06dq :MjO ؔ`\` p{:>Șr do pM`{XW*̼զ~ ')\ޚ8-ʊeF@;EX{h_5WV[O$u}da9ӺAk{TF kDt9һ tX` :K\#J$UsBQn?x7j x$hb^\,'OI71إ} > cJً˨@JC{-UɊf?kY,]IV3AR2L&iKE ?VA]q4~Kb9ZrL~,ez?Xi41z %[?jA0ɂ" gG;!tt tIToV7ћuQENi9r7S۩7([#au SC[˙hi0d(h{zYKm]zHdm%Qc_$*J˥f-yRDLkZ"5Gs_8j &]3?w#( &ini/ $.5~И dWU K瓋ڨٞ\n~uMdVI\9DS6%NIBGpZ/Wq7KN)exk;4&h{s)1}o~j F~Y7lv6ģ9vF|mv.Q*Pq#J;c 7 E6E", yb #@xuڈ|0&$g^䦪%Zv3@ujkƾr> X9`{JLЊ)ηIi9EYΐIܝ'dPIT#0"0z'#/Q,څI6 lpN+<6ZTܥ>yz@ riОEDsfJ~VJ.Tb%Yu)ugj qX)أ̚?UHpIu u8tf8xD6L%17|T5^n_$r7C: yGȃ`u_YXp>E Du0?z~ߓvnHJ&Le?@ O8 1i':R])~MA輚tt|G|Ƴ2jgDx k3Bi~J,|FHEtw iW^d>kNs~@y맰+6:[UW21) fr ]}Kd%4v?ж<@Ɵ ڵw`ΕJ<7N XZm8nU XNV۝27O!~0 ḣqt/`w j|yy&?e&o??\04t5"C\H#wf@.h`ֺj/o݊ljK߲Nzu>o R BE%?DyCb;}`Ck)4/@  U! 7J|m\^Ij9PmӅФUO z'N0c)K}l&-v9O:q|؟uV>I2AfZJ6tZZ3vCP+[,_Wyݼx\bC5}Pjzup4~ %aᲒ}vd?*F-o?Rܚ!B85Z0;fD>ʎ!\;Q \,_|Csas81v]prFk;\zG=|cI!O3<Ծ?VC/EAL|baPc8 庒Ȯ+_G('BX&z^ާw__ؐۻ{-A +>ĵ䊾}U8rǨ.BO>#p}F+ζzkGbvY-nF%R9 Kv͹\K"XDdrq-x/*rpUc%yn,e#/:ub&ucPj);YO}od" b_1`n=B#&4ncF&BlGt>lZEspZUTI "?LX_m`#܌j6ҩ{U)ybFt˳qR*@hMh U\sLp3˕uV6{ hGoEq0.Hi|Jv]U@dX#N<6+mpeCy0#8DIH`yskQ̓ӽySApJ@@y&'8Xi ўbDVf9[hh 5%0DKj8)abGـ>B5w|zUߎ,\ >[#1/mɵHvP#aGX J]}dCSA }gy KŜK+Lvȃ[2 #tf u 9r@!fً!T6@;o9h_F}cD9EA,AcEm`g1?6{]hRFCi^{]@uX^R"2KY`:>Sq@JWnPY<2\>pmAq UME5ah-`[6O/Kgf1طYcO>yvD lKߪco^g0YE}+U]a>k9(#{hE CJA:xݯ4}]kqT峼j{ѫ 7 _-xTO6AN' ηvɝ52[R0I-mđ 0] ygRU.U`+sфf9Edg:(n~L߲UN8s@ze/h,^b-z d [LBA΁U눸K##W15t@h1sFS,4fO.%}E#){}޻!9!t\R#eJwʘfSFI&[N.,FFE*|QI{Ҽf pj/\׵ZNdVh)yڗ"yD+WI}!\֣ɔp JmwD1w1άn(7.8,K&[VO\\Hm-|e{ bq$QEU jG_^٘ ;?k.ѷ՟P5$+ݸ1(FA֒K0|l~ZgGT(SV?[*fT 5qd7~['iEiv#ěC}6awx=siAU-GX2Fw5p4y:lg# -W'I}+ F[}yBˎ|^F@ tXgrk)4Ooft#AvOCFM ]g(ЊMx\MI9^F-]-d,oa.KA+2dp䭿0ӑN81-/<8`Dr^~aNH*L>KE#.MYZ [(3d1Mռj(.< 2.?:5qh@JӻWߣ`KGPrʯyNj *"Rg]v+Шs?tF\{K-\=Nqf${|IG> dlRdk<ˊu7g -@:U$[mU=al3|*Je7ppn8 ocU&֗O+7Tq<tS\~ arj)O,ͩ3ZIll#f#D7Lef{/5dLQ:t ~B}OSʳ²z>ٺ@Ds:]`1q(Jppip!38q 腽ZG]HmN}G_pJ0QӋqd ѓ&}wYO SBեt9`򰊵@l 81Ǡ*Pw%4U-Xȏs꼍0Q;d$Z7Ke|ln𦔃 ˰D `V묣{%`ǀȋo|ʗv;/b WF=N .Yba/FN*=CZS`^ۄ]~U*AX?W <`^ b0VEWɌS;\\_|x?^ð!DzE3MkH f +*"5Q L8a7r$iqD>\36Y==pA&gbؒ7a}31X ङEZ@G }cX#J?RJ{!rW$vBEB0b4@ϝ.Џ` jqk乩Lp //!UNG#FS9 V[Lj 4%֙ hWŞd Zu'<ܩդÞܥ$Y<ŻڂthBcE2;rҘ]\ .kYܥq/nݛdC ~BZ\T44hku2%*-.bD7lR)9pD8oj2$9TRi߻q50ϋYgCmPxb_|YANB[ޔx}Zn̋!&)]6ls"4L$RW*U2sim!pQOCF> LkNϹ3hq, Lş=Is7Rj.¿BXu^NSr>VT.ˈF"lӸ0$qh2G481Ķ٠쎤Z$|dLN5 s-\Nk9#ox/GlPaABX)śFRKjG{9j6-T*^2WRrke3jWR.}u6 ñ٩f_+'er@= JlEo $T|O}JU){-mcm n5ʥT,ѓЗC9{1%t0*TC VjRIŗH oY堥͒!^Xɰn~5UJ×k8A?iGt!MIZHSThPU`Jk/[G/G}@dG v65"y퉸KF)ٷuY">$0dpso pS?IAoAV <3>cf=딲m!vzN1_}N~@$Cnuk]N\{ '.jyͺ00y~ۗS)'Pr;:rnY!]cE4>[5Ht?a֜vGd."^$gfL \ʀ ѕϢ`jcR[7BDH6l0֋=֣XF(FRL%ߜ5H,C73tZqaq((feLuȿġC -Q0dXP^/j&ݣ-nL[Jɣ=6Դ/Np#9+U7EJ~Ax\Vo&>Hb[fI!*$Ky)Cݹ띅Dـ3&_H Z,,wGAbfڄZ\ΰ!ĪoV(GF3}dC 9td֛d3kŽz}"09؀†DȬmw^;ym(+cjHH7k+tIR\ߺcC0NGjsC:̪_*]/ {˻/%adr@*"0ܿGbNwP_[K^#S+žn'vi3ñ#=N13[x{&Dre;I\eA4#m) \ KHX5o- ;eTuuhtA]T؞ވM\T5Ne +3LrݨU+nb(5-Nl1A_1xTfŴyEyiC=,7yrkmJ^DPЯ- ul!KIn"ߢs!U%>' rVЯSw]»~B`-gD&*`pDBrAZC DttE '/ݗIМY~t{ñ!8w6n+Ct@!fL S4MJԠc2-|ll~AsJhn'i}}eO'xddAs:EEM袮q]ݚ7q$JJavw!aNx`ٳ%S_=l7Qp+ bfi$1T9Vڣ3.Mbő 7 I~lhDE㓤4n38l*`v`k9򦂷'-z0U AeḼ00Z@ɕ0LB@14'?ܜ\Dw7)7$i]Tl% C 1㲽}~,s!g2wd0kU:fW!V]T*"!16'" #0T0Z)Y>kʦg1a1|0)-bKLYƯ];;"'?;1 _PL RbS?qfJkъ{-}5WXɛb : zbDNU@9}VRq"Gsyp8ʔ8R1 +?_ f#A閼׿ʜص3[hC8xoH.FMmdfa ,aYdW}CwAqP>:ry7ϭ<ԻbP[Ab `H?x vr'![o˝ɓm4 t1gW6VsQ,muS׫8A&!k ''>}uR+Ub rU' ,rY'+ Ih1O)pKe7ͫVڂ0MZt ElZ&ƙ퍞 X+e n~>"nK\ںG8w8eRÓF+[M+}zx7]5C:j DEE|3AvZjbi I\ HFo Z&M)Shc (,VVOc8"x p?6#ekwzcjH -f^n̲+`~e( fFN1tTe~ybbvO 1cpW596D` }7'6+%aѮŠ=X#vMt@v4.3=Nv!VE72y$^:2fU5MK.dmWt|/`C75doLND971]6_O $")KľA×CIP]Aw'.S7gnrI B蝺dG0ci[8ߝDќdE}l Iu1LȸLsa|[mv_a;g[ux*qzvy_%U3FإY'IJQk.a_& _.uS f +Ij+7')у\Sd*d5_s&*/{'˚ `-[;;P]œQLbɺP?_Hzƌ?X|bwQ6|d1<1tV'P㩝eޭ*1Qu(hQIZ,:Ȥ:j'oڧ/8] j6/Hu ^$Eb祢_M2dR-^5ֳ5|QLF ;j6xߞ xs<@!\6\SЉ:{E'5,ߍ"K"E'U檒^N}ɱDHyLj0k ˬ`LPt 餰3UX׾&DܺnBX-7KhcpHLsZ&s dZjm Num֜]G`5H#gH/N$pfy8x)>HS <Bn%Vèe2o` \Z(7/\<s?DǙHAY}}iyF}b'$ ĺ#M`aSKK[t( e߿PsRLCmk"2wj'v7CPxBf"y xO̕PݝG_fMm h. %52d'>nR._Aާ\dX籥3O'w v/#8 B7:v\g0;xlFӺض{SynPP" T77lF'))$I&_zvԄtos(^7L`IA%>"^K|I8nWtE(N9GTTkȃZ7C)GwCB<=gb>utv&ɶ畘:~gm4NGh(ཚy0ӌ<uvtLҋ6owy<)ѯj~xX&g 2 3-qg΢n͢wڝgwL໥}@ixs(.ܡj3G\8fÞţ/BjdTK{uB‚^Wz{  sC#{/Fh6" m7x wƵ9IUP;G0֧PɧQIN$YEnNŤ˕Ng?Y^  UL @VDE` fKG8uԋyú;j$; %vBfo nxErpF9DHQKUT5&Wg0R1ik@xyS=x.~y|FmI/UQ_T[gZmP޴xݐ)ǜF]_'B.\hWw>LmUN *4M0)5R#] VpCc dRd~'ה7Ɠ!ry=%+tկ]apҪm%0^}mӔ3~nAW-3Q :)JpR*u+VoEB`"YTok,lbb ׍Ut$Ʃ{$1 ۆb ˜/[P~a:AK]َtmDj\.9 ]Cw7d _1B9޹Imf:۵9l4L45 rH{QuLϕUK4jm֠ %tY[׃JCJ[MTl;!66rگ tFLgGGm)ҝSTő+pſMcz]j`fɛ]C_S XʆftiAPjC!lE ]dl`}Q:ihk*ZYGr/!'45p*9X/v5j5 Ӂ]T`9O׀0SŹݖ43 Z\HAB@0aNFAϿ큹(k$M#_i:vĜTwEkd dCIU#ZT'1: {2%iA)B(ckK)U`?>x 0{}\xg~9S0=Д1{Mrk vT@/ :kL+EP*ԭwlãRy_! $ΰH5=ƃ k:dg&;2.g6b~M೘)e ve_㛀߯D l ȆMl&QBwWF Bހ(4"ec1B 쌴HS` oYB|$: 2(37 O*xՋ;1&=`--%| ?HmY2hU34*jTUCSj(^ M~0) ~ L~C(ҳljrX&xcZP@je ZGYảO3FG{*_V6O2$jퟦ4@˒40u Ye[A-25! $ng0"/j"EC_&.YԩbSGzP0;w#+MnR?/uؾ5U>ȍ&x/M OİNOF*0%]raVuw`̩1C]3lfF.u]^CatBeY. q=ӆW#=dd wbIJQ7w8K!΅8w!wۓEW%fPd_d0߳oV:=f>8Wӷ2CK(X鶵hpunO9m8X|;ZWU/<483>D{єn4=@Xy>M-d|+1c#0_Ib3xe}xwxmc4F҉ϒI&{ˣ~}l)҇G#2xv9Yc9XX=HNuZաΠya^uۡB*i}-@(vUQpez~<%LfڦLŊ[9qCՄX2#iǮrJGGtDκw^^BfV֝5sj%$5 LSe_W<2E ʾ٬ ,|ې 3>>RC_r4hy͋=(`lo AsHߙUo5 5 IVIБՇ*k8Bz:,/ʭf z=ή+ٶs&)Zk i5dfo˃8u?^!b|zy/0L%+䎆cIth {mnF wÔ׮k혥XaF>V#6AԜyu%NC r;um鸫?R~+ijMX]S3Tr0?4L!ӑ_w]5KP1@-&40}{'iZa?|B%03f;nXdyrU$#T:BQuߙN4=gChIXUZ1CoS:AM 7@% 66#'` C37.P~By@ʚI$ѻ62N6ssgD':ʨ2bK J h "鯼;|/Qا;X#>0`N6sص W+CCZث7_@O,1 FRFpTu{hE,ecK9y'!0יhf+i Xa=I!/(!R0\wڃ"G 0ܹWHG_F@?_j?!YXr6ɦLuOզ ھ-јUքsHpϊC]O|"O1R^ocSqXEBQ,Z]AK[<W"@*E҃9Gk% ԡ! ^I2Tu0bFd:ُa++`&Kj0_>ŗM5s_MYܔ.$Fw#U~٨"$ZSTayem UZoV|?$j>?V 4;9]ē@ksM"GD黖eڎ7[,Q sNP>NSK5Qnk Q /pppQg!R f]ًoeW/[|s.{Z"I9*VTw$Д_Ҷ1L_>0`0n_e71idC 'Kڎ!G. ',<ۭ2Ѷk;KV׉"`Uǥ?[%nE@ήzSFCXHr[ gl<ǂ{RP롂*;[H75k 6S̏1ѻWڻ̺@w!SvD /{Ž5=v]t$%1Ȏ(ќ]9k”,yi7x熲 ;>VKd1V F+\) ^w@w'H eۙ 9UIl"%HSD.;&!K޿`3x1=\n &~!ǪKנ@|d􆸋 @SFHu>ҾBX$}'>YDk Eg;W~?j֑>XgZ߫b8#5ldޅm}pasx^P)qؒA<5b՘6 UE֚HU֭]eZ`uaT+} En*|0䂳qYU9 qeZ/;4RL HӍN]JTq'zLl{? oa2/A5 &|!̐sl'n2YD\4c _>M-tLH"ɉZB&TɄpݙVFa\(H >}%Oao~^ BhEe#>ԃ^h~*r 5˞1|/?F{]eX>JfNӆA"_}i52ޟ@ i'[ŏR;!u{ ѵ_G]_~K{pAMDȦR;hK I ߤjo(op/Cg;րg \hX:5aTYT}QYdl'@ Lh'G!1ڄ`FՏ85_ZּmD RtW0ʆȝ8P>ae0a>@=}+q7Je¿AnrI7@wLpmib4(fO]yU(c!sbo9n}dƉ2jy{mb1=%؇Bw#;KKNܧ*$8Zwf ş̦JNJAϵ@x,/'?s:c"8QYߚ]cϱ1lm!$1p,3/fF$e,9oaDuK$UmWP7G0Cpӣ Y]-Sɷ% u̳Xy)A܅.{v|ޓZ|l?>͌g( a:@+$yaۍ+391΅~I< V28*?~ϫyR`߹.yB ®j^فFW ɊmFpC]WOY]@HA.]TYXbR| S` Xpk)0"jbR/ɥP%K¯BuYD7rJmȦϦ'ʂ Cg Nn^Nn` |Fp0T}U~imq6T /F5"! ^etG5I LwZԛ݁Ft$þ]0dGﭺ \rB54M%Õ9) vꝠ<jBXMVb/{/-dγdb-CX"THƛ"ig)*C,Z+rQQ>7[`2;Eफ़!1O ip76`jCIs6؈ BsúMPnt}(hƐ{5[zqw` MKLۖso}`᧥<YZKKz SK[Fjc4K|cjI{7@c+hG*JKfa5keSٻf $ B >tC|lOL+ta-JtN8WWm`H "\5>S|tM<\ԕg_,vq" :T1x~Vxx7naOPEHwYwZ:f[|TKψaz'ԡĉdȩ't x 旾#wO8M&;BwYX$/f."~<򑓻2JdeiИq o.ulӟXwQ$g|b&'0]ebQ ;dʚzëO\_&Ս__kyՊ C7Ѭ #bm]Kq7mazu~m5xz4,a0Nq߹6-'6+=sJ-2t̙:a5О .u\",HfKpAKl_tԫt=YDJ|:s @sP؞%3Y$IofG Ϭ)__k\bPDm3 eOH>KcSeXóJ]7_Vh pnnofL Py$+3!h_S6C$2}tܰP8OfT*@KgOt/O0-`Tsswp!9jF G>;;s@KakrD%n >NL1Ur) M"70@Z_IhC:^OHm+y|l[ZZ ĉݒdZ3h,|whllP\KWQ 1Wf(}6yDG/(5ru!b!4N:,`re2aß_3{=&0!oY&_C=C6:rŸA~lt$T@[ ouRE٭DEGժ\Otlch / u]"es #L,o⭛!\BP ϶$<&5bBEtVRf^eUYp 죉ɤ8XSJMlm}YY: 8`2S%DTDv 3`e]a%_p`Q.Z5$*}U b@+t`AlF%K > wgP>psQsl/uƨ,Sn@PeԌ.EAj9Sovye"0+pF ]s-2.q+ѷ5n%ԫS`@|w<6>GvR‰N@7P1\"t Y7[ ZW9ѣ}PA2YRIZ+ދ _=&$ 5j [@p 5"PY떼hG~%jݡK ָEJS2OwHz9$a` c  o@wNᇢG$f%^[?$dCf\/V%1mlE#h3ZKt$cJQQfaQjY& QZYঀK8ࡁJcxn,C  ɋp>Ɨ/>ȚaCJԮ3H ꮻet`)ZBӏQȲr^Ȇ~z:xڕ^Ez>wpkt D `akkSk3Hqs_%ŘD㚪LwmZdʄw~.gr砩P!,r>7T~=A3)2 yj=>OAm_ҵ{἗a<q&Jtk̟W'4IRzi.3$NKd([J~$ |cexZFZaPjm!Lzc4u?hPBlږlBT|Vqa$CJG؈'HA,tut?ѾڏփNMIaZ>)h1zGMsn%q0"T89T_Abd {3e[NDU>-N`=D/4)~|qh@_>3lz7 )yqE瀓dO^4Og'.C!VvKðR[I[WBhH^C2sdyTP,'%6~i~nZ`8GD>s8|crg'炠3mry6轢B2EE,`cM`. Η$:K|LK~= YӦф?Gֽ3dňH$`r Z'upJS]5 y]g{`1n RZYl&u5WGM;I2x겲ʎrkl!!) iTe41SH,'U,:}`?dj.]AEj!|1d`Jȟ$]`-3$f7hk÷lRp_MJЀ(6rty鍕wpu+(u #Y2z8D w9 mMVLc~\дZGGvimwdW"c3ZH#tZF1DXZpmeOD*y8EsBy+f'i%C^^`͗L1IG'"f7+2zY+ᛛ[fEc4 w@v^oh3ѳ;&Du-^A/"ԞZODpᜩ&ӶFQgВ鯳EL92Y+y5AZ0uZ/'8"t,r/!=M"zH %྆.[T/GѪSU܏#Ro"0'ɇ8>jTEZƉȤnAf Ӛq5z]P0c}ſ<W24HG-e'qerH=y3"H *f!bjىJfj:I64Ίe@4+Xja( .iGM4q'n6R:r&pV@it8dxޱK5m+tOܓv7ig{c7z}lC kĘ?KӼ[ͨuJR,1ڑC1ux+;']柞–ؿe c#ҖX FwSL(|SI#A\ [|DUOko=LwEF\/yL.$y-s0c_x_=HN), Z{Tuֺ_)gICI/ b=)\U}$? qו! `>FLsKSSEт^D-l4gm-0~[h<ʒ6qduo'H9Xj"gM` "]O >siO?zix ˍg2g5($$>2Uv7N2@DI}N7MK^bVi~b 9Y/ȕhMä\Hx0mu!$ol8Zgn]ot9.:x+lZԇTuiG) E6GWwȹAxDƫW?؄ŐV&Tf}:տ1_rBlIDSR}MxP+lXRoʙ%Q5x4 uuh&"k=i"_IDe畑r*\&f8S쭾gjJڌ8>nxl\.<CF 3*&H) ƭsӌ弶N1fj1vל^CV7J$V|]ճ|1N&4c㰺:owLIKx>ʥhХeG|TE,a]'ҏcK Šg0jw`)Ɵ+N+2hͫ[5SOkl"ګ2?5҄alxWL\ӣU*4vEJ+\%NΪGpϿ#|Dw[y|i͏cY׌+)HCuߨ|weϜI{sqeǐ!+z$>ME'R7.LdJlˎwhcb# P.^}@ '%Eq40Py~+,]^$%:A{  @F6]=s!֬R٣| Μ16*!bcT1VkD>6 jHȝKK%4M̼8Ld:!rM _ŏwF+gؖw&Ȍ@Kj&V~rE묆@tcs0j 5;c,T e>AodOיz|zlm5(e$X3l|?4{C<^*UnЃF?]r]+k'jis㼐Co. |ñ({*’MU9:Mtjaŝs aO6֖6!>9/Ny(pBm'ݨZ䏹yId3n=f4+o!*2SO}x*l^ ¨5hsfF~q5'x;pM+IT=Q:*m1@EXqؙ\l~acG7ֈ,gO S/0+♐ao\v?@qFH*JָzE Pon/vyŠY,eCkGn[u2xΜ74NT,In%\zU3@"#|.+Ɓ MG:)M "@A>gÑծո82k2[ٶ~qDNQm$(]7 Yhǁ?uz`Q u6Z Ie C Q4R& Ydٺ`C0ݾ@Ԑ"/)wBlFot2kP3"/%r*z4+րZv:[i63#ә0pO>2njk7!OK3wRzͮhcIK$6! t<'ªҁ\ْ5H6)ipIRwRU-ǿ]ɂje N{6;# zH$ZPR~OfLJ&.z[~Cd4am.DY*6:ӁYd4C-ʼn>R@"D6_¡F[Z鍋*zL-h+A^؍ P7,χIzg ) _0OBgD`n{SYG k2I:̌sIWo%Z COHYI%,nx"WO ܖ /q@/ No8ͭSxef@0ă^W$p-rn}*7k~|:C.X9ޗL46DEĪd40H\$WΩ8j`PUsUڗJRfs:;QNd5Py" # >W6%,hul2xZ@B_Ϡ-Dz!ƪܷގG z)`ن~yZ1tr؆?gs;GW)bJ EsV47\։spQTV>Նcw#uAV܄Gyr#"mIg v7# T5*y{`TD4>7I2{qdS 2e#[je'EY28:cK*ʇgކyH( SFB~10lծB4L8/P$?Av_t%mh !|NI1܉T ?&ңvϸzA2U|'KOW@pDnapx!2bmi$dOu@ɞ +qkb6\wS@f\fdP2Re~*S.F=8KQ0TqnWvH=[vm=> %7U8id>ùU^#wz@VER*ơ7V(xbP |VN)`2ܭQ`7jK|.62eTcPӠ"ojxP= E #V Q& gdH5FqMtrn⃷.gb+ $0cK(2}?7B/qn af~^Љ ȩrzJ胗ϦrG#x6lJClVE'}hjЧ,H1@kEv^Op6z 5.(.6MfDs1E5U1Qv#H> K"-t*L7۷5q{ⲖXjw]}Hnd,?_YEU:^d=v;͓QbYQ+ԭr(~=b˨b(*rV EST51\dn!{yɈb) rW}.p7iIj#f.qKn>Z# \!N0=t΋ȒCsfQ)K!v>ړ)T^! NFK3`1iD, /J3z4e1#jTTSmN2 ~P>k;{,Q4v8 _}I]}Z__sêA {NrkSVx&duXw`:ml9t8B֣q;1C0mRh (c/ 0ZcF=ńX+Ru&o"">eQ~I/s{j> 3&ĢYzV D#q[xv^W;{#tɑ*Fdw~^H5R9FR*e˲o$~m}*"Y 9(1'G1< ?ZjRחŚ̵*Ϳ Q跨\޾nrc{XIƒ:"ͷ"as0GDkJXzYv^iAzq1m_qr'k *-4s5 ;0,^ZxO򨮒u|!={]3;\;3=n*txL0mVW+F?6E;m%=Uno1Ků-((<'K7Cfqv)i|P{.Ҕ1`9n>ȾfvWx~x?2V\\A@2XSR&(AGpgؾ/Dç1K |B^Qf{G~h#a kK~qɏV5K]Lrl~ϵ[mZ$HЅ|KoQp  k%+Xg9NIoNր丫 %> $iSӢΦ15W\%~&YK޼*17R]@pDWr\l3裶-$9 Og8kO`r_z ρBaPY^JFdoSarSF ۂdP;8qs&YiV-WuDMhwEjGVjvyBOk<ᕮu1q&3!%͆2B 0k5eAs8yFo^d, #{eq;DWU{˲CQ46uP55W11H+Mp]x}2[xqRD;+cMd]^[*\3]CٛW{vI1?lRނH'a& V/n7*\KjQ2XoҽO`R$܃>b"awU990@%`B\W`e 0nf?C 5S!"r2&dSq' od\^ߌOn6EtNJAW -_`>J֬"GsZFgwÖ=V-Zt^zS4+U&{EUH,LڇgU$W4hMJ)5]ͼYʓjjKtXH Kvq_Yg xV. Z_߳_]USֽ.[qm7Hu|=$䂈C-uK'X~Moț9ѱ_ϥy7|wE̹-1)nA& Q%9|փ' =̾Ij1aZ~;x;jBeG6hu!kVޥ$l+ZH19Ph`f 1^?RiZn͝ Y9 2GeK^u Mf)"Brr /^Q*.^` x-YiZ'>[p*)|6KhX]5ѝ@Ŵ->BP`yXMT=zSÛ !9MK~9MVarS1\A lt B|Jw@p>* 1fcN !wu1D+Fņٙaa ǘ(~&(40?jN )J/2uR9j!K@Ź)hJr;ټ=DHRNG>aΡM4{p U9?M}@3ǞǍVG)56)pسq.ZK1#;gN 9ȡqyn:dָ$<)Id d;I[!\(Ia|ռJu T " `ĸXBQ-Ū| lېav]C޶8(ZѕW(n|n(.xSUQfT,as[&vm*M7*V, pAGvg_kqJ]f?Tb+/ 碐V,)&bx`bjLo% UKrWkLHu7vr7*܏S['#gV% o%>aגqy˯m30/2Edf`ݢýەj}E5ѹ2P݌zMx{>vd>Re6iFp-1Պ2lf[,\s\W%!Dc=/2CRڣϑ +{ӥ)%?L~1(bs  Ɛ b7})!=t{TIH:\ qfp&lQZ [HTYֈz%l1iks;];(kE(CA:^tI:¦a.oBsbf 'nYv8oͭaMHo Jf&_?Ȭh+)1T3Bv]ω[F ^8X'n΍ѰbPwƣLl4> ǫNVNGj::f2q5{wPHQ+6Ep:\GjNă{<"\`VM{sH L-m(@_ ܬfBlfD1S+)`L:^QMDze9'ђ{VPG{)Zjw˼pY=q(ͭhwȔ$N Ps"ZmH%a⢱ޡ]mmN D,˨4ǍvFc,i{r<&`z>Γ'CIv"3oeOUT>w!/;SYfAFay,.2:D!5X/?#jO@".t }+ p;4$fNtN"J5XOï'D):+nL1#o3'h;fq]rA\mXX#D7Ww4"=tϱjrOMꝼ]_]ClVjoiǶ\ղ-; J8,7FbD-pm@Yw< `6ŹW|LHm×!oNjIvȖ s:G,%}ڨA˨ɭw*cہ<帶=ӽ"+5"c-J2~<W&<`,eޏEw3pb(FK׏z=d(1"x٢2T{=H3MĥNk6FN-dv0z:T[ ~59r9p/P7'vK,֐t.ó:]a]Y2N ~oj P&¯tAUEe@g _IV:ϸEr9Rkߘ  R}m‡6GlNjI`6 54>g]adIo6hgvHL?xOd?M=榯0ljȕÙ΅"ܵ}3ʠD%H4ܔrɼs\}" <3vVƇ-P;k ݬ6}h2Cr•^O̐^W3!*m7f.]j6P0a'cqf}v,dUeTUJp~/׵ f&P\[PR}y؀weP%bX B xlyj'YwL߆͊A ,q)e1I"7Zo ' 9kvǗ2Re;q# >eLnd͘<~7&.*R"2AiBh{F77tߛAdU@zȌme\Nn2Ӹ+áR^ӝ @8x98VYxEGSڬ9Xub@̂"ƹUA2Y146ǻ|@Q HLd2}z:r'zFyQe^ ˍR݊OijɔqRWfH(!!C;փ٨7?B_/&{` gs2ҏNX^Q_*kX`=L p Rb#Mߟ‹b<`iz:!HDr 6 }V%|<0VymfZ.[檻hQrQheg9D|=S;ZN;L] YE}363HWG4IdO;(~ڛ+NlBa5ߢahgD?ryq?JNvw_`". F9c1qPHbew$Vh&5RTW{ D\uC瞍!Hy/L sW*AZ(#S%Í0܁dnL:E&֨v ;(.I=;DӋ^ә#ƒ8aQMnt8;/a/ˬ킷Ӑ/,aRloU,qwh?G%m;<]a,uCu(J#6v d+ c/L_Fz@Jͫ>@t[(;um12$ɝ=vIj¼eiU> pԼn;FYy A@ܒ >IrT|h.JWCPMB0BɔBc{O8uLla&]oW '{OFlAgA ];)]QgDz%"Qln^!RӝdgƷD0>33okعex , [^_.w;|f㥴-s8~md=˖tBYż~,C{䖶u% ͸bN(n)njWada*Lm.i:)Ba$kzb ]ޙcP#@pw[-$ 㓠bp"[^z`or֑JrSU~#V"7y,njbcD `sܖYa)Ì!NZi&#hf\*ܱ=>&WV9_7Js!i8l\d85CBzհFؓ)P0f[,;>ZDաyu@+ M:р}3 S [^@1ۣ[ao9ׂ$~ ߹sD&Ԯ& $㼹s*! y1?oEEF:9A^C׉hհ4tO6 y4+Yj&7U&AZ'/A]bd"7335;a;_!,FXQXFj'_I_GGՠMx8-gA HynEV#Gvzm4j@ty{0%gQg oUdH;ˎ/[MID!qiQp\Ͻ,KcklN||RδqRW$Ra:[zD~mq%cv K,GX^0~MEhhc) vdїY[KWIτP{j+2(Xxxݥql-kp& TRuB複Ĺ@Lu EHd#'6g31ɓ 53h1\ߍԙVh?+k]eVlF>ۯaSn6? }LU\,e[RpX HB eO;?iWv_ƚejOz4yE5w3*/.]]y[FGȲkԐV,fԶݨFO}/ds oIK+> /rݴ_|Tف+;D7Z7%)9|3_;U'_9_se@/mzwȺ*ʙ­ɠ7փp%逞 s]. ~S$D|3≉y|7ڧy&4m ŁGwʞ.Qg}H^Gz(_ǘ/4v_~nRXS MOpA3" 8ත8K2` |CXqB06 F8VLlgS̛7^-vVVfaO:;(܇3O/h(aH_̖-v4͓eQp߱Wpx^H|P{EIiz N ^O$NN|ٝ'.GM,p.aǀ:WЕ<\< Hm8+h9n8oz4j4~`#g`۹=(Y׋HLt$beO`(>ѩx ~OG}V2c}z.1VX9 :"&^řZ$:_^#++] :RxѝT}=ժ7R_J.2q?(uZU ÈGß9\x) #ZMˍ%YLhEX uJ9CNd28A&?/KG.ő/JLi+[K6h?X嵲;ߩS܊A\_$Ĵ5>̰*zNvQn$9q6 ӉroLhAG|~^JlRtEB~PȰtٴW|{lG%f?Y:"4SmG_7| iyb*+II:c,2XGzyvt%1y\Y_@*HhuZ(~/[?&蝇_ lMpBf+\ /<})n~=m2AqWpwG^ϵo &Cc_-3 [ی?IUDTk7ڮ?J(0|F&~ .}@ [O~;KX&8VrKwe/aM b1D^$ivr6Ǫ.:۵:fȑz~ '3N~i?n_AϞSm FM BEyLy.s2oJ>uq$&Y?A65A.lUmqtYit,.U إ]DT̉L3aI1`N~0wo[>bƸܒFLmt`1Hz*N [WYrlm)mU"I-}6bi^83BGNkO0csf#>E=bCx֡g֝Ν笁0?Ѻ:,8b)œ9[:4>tl0rsٓi$mb`Iv/7ekbPxVl83xȿoEI@ 3v&qI uo欽+)0Y'?\us}nHZ6omI%j2^n#8#W F"O/Kw{>{CNBIX=vx\SUtk^~s"Ϸ}{[,;= _-ع?"J/CCK/=]5٢ߺYz1eYy oM2T)1 OSsnwtOw7ǩܨ$eӯIsQ4r2(c[ mYeO2JEQ&eQ5*$A (n^rW%D~#*9$n7~+)P]ZTBuDU:SL)a 6#Tit "X@ibX,5K. <_FxuKY-'Ԫ(orܓ.jlC8d mlG,Nho s:J>dg Ĭ ar,$ inxp5a7>.fɸeX%F"[Ѽ!RZF~_.,޽5Xprž7xtՉE7G _h0 343i~^lHEkSLQr4[|$nqV( 3~6[>C'# Ш:-#H6g'殥b?xɴ4N%%9kC~@/dyn[iS+H6'A7aԖǑ0]ZBŕ?Srm5FqhX`Kpt_#UŬJqr= kNN2.&@+J*}y&P,>\tz#}"7IIv$An HSCuBmn-!iy/)O c@v+QIh`G("(^/,PW Slu|MRzk2qS|f E^W"{B-ɱ_DQ\hH~ %0O޺q$3Z_Kvd@2{u*r.KdXwx yO`lմt:Gs<1 R15N* O5ܳ.>4cici\1 &ei` i$:ृYPbl4[HxVw'fm#]OZ' :qe іG݅o7t?Kr2g+SEK-567E TnˌY&y۞0+-Wտ^YՀl?%nDzoyږ)B&sں^GWمN=;C5ʝyGB8 o!UPzRsg_'T&^OBAoH#@N6d~6[uoBBGEFo'3#O4-.s. O&Q Ds`)fcY܂/LMXnQd .!?)nX.s{k*eoR(M׊O᫼Jd =i3}=@3>2r0t6F} * ip"t?Y\u__S{!6A6["NW2.tq/U7j~> -%Gr)IH^ʸYj)h 0=5ȷl%N ?ʄ5ĕMZ"{6tS8xZ aT#{L@UQ'2Wb@= /o^]R]>NRDwaV͉H8B'MosFe]94']Fz$;b]܆DlÑ D3lߍVe´F9cTƤPi"g4(ga].DaF צ%2˫ɍ(I(tj7%Gnq۲oApP¾uZ;mMv1k(V`LzH~Lnm/!G_| .jvF D C}x tXoB@"YJfB{PT@Vy7r9[ ֱm͋˩{/ᶌ#3d=|#2!{t7Kc$^~'X8s@ȐDbsD>Ӣ* D3I?qF;ՇӦG`@ؼ֨2}$j֯~9/ 'h-ơ`p)5 ;")P==-ǦػH6%77=yU~"Rr#KFX'DWxݙ| |CfY/:@&(E4WPx؜>ӦDv0 UPy/FX'ֻBGmU+[N1uN)wNf 7 P=$z04*M9<WټM ur{9}`۫PI]iUpY}9Md!X` *|N挪P]@0jٵƜ9b4 {I}Rz!QLJWz`s[8A/NR˓ceT66~?F:-Y>@t[šRo')UZiJ*W88H09P?3 qg@Vb$`u4b/zFHm$ޓBVH@=ܘ<>bY'7Ki;ԁV6~pjGCuJrp\۟]"9(C!S0NqV7lZ+˔=5ˏU󯦲'5,*.̝B֎5o 0ۻGfr73X.]Zc'@DalbP!$P!^h啉RP+݋Fm.4V]hmdWH5SqۓԼMK NA UQrΧy m!|W* 2r f.d}͛S~_Lݼka9\0PBASn4ԒVL*hq<.Ґ]Mݙ6#+/PVyFGdy-3(HU/KC=avO6JZ!`k=70뗙 }-"Z~B$^ac&=E5A[Ss-1ߐ%#k xȔ g&>J3!໙dK2eu\aH1@8aq'j8;8Ya8b< Feؓ lbј:1y`{9DCR|FDآS6b\©ۙ/ םV~?ƨ09 QA4N/cFj"_? %KWo}4%[&4 SM̼R1 =q@Q{ 8G 1*a^=PДup8蠜X('2fidisOQ;l\|z%ʉxMQOhg{0Rm|2$cg 02ȟ#v|]2=0[ `hޕ=֔4V&HWn| Q CAL[#5H|[8ErtdQsB@/@Er-}5ɼҦ@pT4A]<$rP||jbE+,%f EMeqL X۳c['_DJb8R'OT Sr@ bK5&cLـsp>kX\WanA疹 ORQMwYN&:|7[RZ^".fuj!(xCnè+F]dn]u4(}!$>%DEb) d>SJI`}-WWW$jU.IydwB6e0R:bIr*S8}f>Ь/=\Ca%XIC`Cd 'C0x^d }>` Nxl[]Гgc@v/qɁc{xM>'6/M5<1H=̵eM-n '^ 9 ?[p&G5qM{!}:azyFc))jM&-O<6f9ܥtg"Coʒ4=uiSFʧMWX:Yu&cBQo"ƥ|N~И`ZTΪ$g Z.9\rSZ\F'π:m|)|PK̩|{NU(@xxϕ_nX49bhլ/-99s y6h n d1Va0"-gӥ/X\}[r`?,`SLY0^'xr5YM:{ѓeL'~}UpN|ܯ `:'#|@-jNCT#57Q+9nЙFڧ` ŃkY 7qRPҞKRJN]d";0w=ǥ/뻻ѕ-cuAMiq2xq%2~?qÍnzҝCKV =.,ˑ!|r9ߪz⅑فk/Ҟ]b^DgÇ[b75!A"_pAݺgL̔OWvlp.7gzhzT l?jp/۶ٷK?Wni5[<Ц* Zg`52 u δMl 9+p5ܶh+mn=S5Jp`^({d\ғxI~''ٷDs(kvIs"En "uI0DBɁ8$-x 9W0VBk hWhvx6+< f5]K.̼!ZOY \G:+K8ҧ`U>p Gɱ =fs$:Q8"n{cy %MmGgoN[ji(?'<5jE,'g!^%WlbuUƣfk^6)K^aw%m!r<~tzњ\z1΂WYxՂ!q-uQ$7wrvXk *["fo;m WR>ViX ȅJzj#eXwx?,m0a_orFb1^8kPBui,=ğVRޟy/H8RTe? Q]օ?Ui;mYw>8MTJg r%mPոD!-*ds-C~v`ܘp )odCxG֟F+姑w]r9 ta/ԧ~&!%wi سkmxF-KIz=щ`_[ ]-m[2?OpwMʁN t˕`+CPJ46^s*!մǓ2|z5|o3LT-v +CƜ% ҧjtU"y9l((VscaWK/:[qjRv7! H\N"CV`2̺o ;j$^5!U<ۏ.aGH å+LV ~ Wd֌-xq;uC2jZYO yx:_\8|RTaBT8I.ym٣)hwkץLhSpK[)`r#ܟJjAyͭ-;[W,.p?y K{J/-A>ڇ@kĈtjqD!7Dw{U1c8Pk#4.om5W~WW+D ՛r%Oz/ɩ<9 xꚍ ֟;&BXУY͌-u>{IQf +޿Zj5=O_3Y(d7"5}n=[:hjEKy=UzH,r=m߮*$-;P?3/& 5s#g ـJRҁ@sMppHDYs977PAQ ZWm%ZmՙL=62??6v5A=Nٛ:-%U#RXe A:_-qSj7G,@0.A3fsj8Th| y $g¯<($ΠƉaUUoDO[?Y7Tkp/=ZC8뺞&78z'" pF#iwwX)W7Ѥ rhO>bZ^ hp8o|53`xD8g]T;dBq1Fw*;P:;J?q'*RR ~Cn sdŲbozrOTXZvG=%1vv@A}璔m.=$JIL0kŃ(Nw_'!UyʒRwicm-(XN+ ~sotԙ'8:%sm(4pfPfYf?B&>rN’AWk8ZE&"m@u xl=in/) <4W A€$WFg|i%|UhI]=I'd#s|ޚ>qdJ T6r-Čm,;RZG8J8Ga8sLUi$2_i \cRQjB_|%QɎe0b{99xg8 ^tg_ /]ڟY6(|z uuO tɪUo]dl~VH,_W=E0ZGīy˂j'M,J7!6Z1I&PW C.̞_$;=KL>?8 0x~2lh)Q1eX&Ty..S S ꩲ `@NZ0XЍ;hnjcx brp>ʏ (x>MS̀X zk9(o!( f> M\ 7h_K+" d֨N59$fB<8Q-ha_acd ,Rkƾ/ŅoNe3v90Ś\Wdg jcMx%^ s[,.>XOȃ0kby^<@%.e W.˺L/(|4*t[םvYmT,@V0UYz9V/?w:>nZOPnYC,8UvНxV.pG!]e\cH-ēl!*M[c5ėb3]Kd* \ZuS5 (&,x˯OsU.2x!^D}.FLxzr@)Rlφ,]Ȕ]W=Q+6{D3CgluK>Y?Urh$igY=1VjEkc`t+Oٹ%*qu&b? E~>3.b eH7kЌ*`S*;A/Q\Ks|OsH'i>_Yɠ_9;]ʪ) F~~& 5&Ѓ=tXv]>lscI';/QY8Mǃ+4 *w5"@{aSK-+U3ċz#_)m0vL:Abg{xVln< .hy6frjKu[֤AF^xuF"P*3D6m:F+Њu)js] 0m>𱛦 < u5[G:`;+r~e}_*L{ruuMccJbQ=_&}X %?!/W]&e|p?$GC_8$jɯZpI<}z \B 1Jo]%5 K3O;kZ/h|X SX z2Ml9G52 (jӅSR~jxC*&/]>[9Uqv(/fWj,m׫f'̌${({l8T^^;!59`),smnf+FR@-rg6(]K@*zd`BHĩS^f[̀=d&ϓU˱mnUCGLeo{P&W7Ǣc {ۧ ч?Gڱv/0k@YhϤ+V2gE0ՁnB뚼n^ё\]u$L% o-ų'yR4"IYK!]K~XE8!du@#K۪jD$cɁ^]H:`<@#ֆݜwO>НGb΃dsD˕=CU“iB_KLs_IT1&pf8 RƼLI)YYjn09Dث6XOͣAO;KxFY'B&8{wA|8@`%!VE^E9ŕ 9)KR[:A !q!gaثlv{B Oq&XWQo}a[~O?FKov|8A%;ޟCz@=+(L7m?J`v9]a,. v}z1oXBƟ(K1Vos]k-^_H%fsϬyXT4qqvӹjZ+'54 ˇ0HN>D&p3.AK'RVװӧSN+*5֡ 4lp<ۀ$L&V{.?0A'aHSQ2r h&FnB"BXD63OeM FR/}61 'R 6n`C$3g1Ç4gzx: k#(ƮGN#W3fE3PC& y0pY^jOFɽ4Ƨ30>rajxRSv+/X֣ysAcY'ff۶*O’Zjҿn=oM K'\pim^IU+ÇA##=ʹ~Dՠ"s"aĊ@,q@4"҇[s/8߽AmF,|OWŸ-~,,5U2b!q()hhȚ ʓfaQ!ưIIn|Y)[hS2gd$FAz2h`sշVpHVl}.UKk{R,Jgя^tMvjЯrƜoP./!S13T2`-#W⚜D=除ѼW?VʯEƈo 1NBVX))Vq֖,.|xS -iЭ!Ư"3@TH5n_?FuĨKY}Ʋg9Kta ӛ~ It0bYl}YcL9cDpo2QԹ[ӛ9 .w%#+3ӏ T^>Ȼ(L3F}TQ+k1󀫳Hz" ZrZト 5}E™-;]S\Qtkh2-IoQ\/$l0ߑ8fyΈ,,Lo9Â_-׉IWaf|2}(Q\=!,Sϒiodb\(Y::zW?ot^tm&Aĝ ۙQ1?P?QU,G mM F]5}?EZeC||0hv6:s`>çQ=._XMy1H_پSPXhݾCɂVQqE,N9b 1̉Y}O'@b:X^7ZN ^9vz$HGFQ2Ź ?`rm!qf=G-czՂ&WĜm5~ ./A1d3M=cGmN!mcO,yfnN,/7oǰw:-M |c-ēT0: ΀LZ`+5;-Aqt=sl4@”o/L$6xK;Eq*i8 Yb?)쓆"ӚsQǚvu IP$ijvǽ0^ԊPP>CвLZs~wR.@]oefkѦ#,DE666rVb) "8LC_CA:i~_u]CF.6֫֏.Yr\WX7Ӌt[a]c<7-Ž܍~#k2 Z* 7t n7LyC4H3Z/{U@qv+u>hkĥݝl %_sP(vrs4!ݬE9:~`*q%5HV}=B;w׏zt$ûhE="rAFsTp"Wq@C3}/v5'XnQBqVVa[3삞y8!cq5ɋ1Kx ̠*ΌPfyP5ʥY A+F'J@`P㉓񧷌% ~1B"?usn%4z^xW[Iռ JZÈI$/t" ڰ}0拁X)8TUna0;ڀVW*̤BN`(W !M-}AbfD0Kz`<²cpޔvI?Ub *GTLz02jz½xp*'jXXvgJN]4E;9}M'rB{ƻ5Pi::)9͡gMxc TI^Fp0C2r:kU%vt4c5le/evus(ԍGT\ܺ?3mܖ]= ء\ot B/]7xrMs Aw#hch₸ .gmi}Fe$.oOm)1xbIs).r.P;e?? tcKVqGt:J!kbVac0l'Rʵt^ ¹wSlI2#=:w!nLv|=ʜt)OBk1b'ȱvvTIqhEllfiJkfɪ$mv? qdjC@kǼXX O#[# L_#´".`문 7( m\iJJL,ΤTU BUj_<@ԿJƻP+( L.2D4֟uzـ&Q<|.ШWOY }N($ub`8(2Ns8TdяfkԻkHL?-of%fk&.h)F)Ao6n}'lmnn.nKmKUd&q'zDN`i,^jy~t}zkKGK3t!hu)[vª'U{4 d~=܅H}P,C"RY[oQ⁎R6ƺKnx 둳 eh'z)7LqxA{}F P #y,bޛ(j:ظ0lfB N:=YnFA}ɕGT'Pĝs-6z)%;}=4K3 Ï fG83zd_׃%YR lo.\dTT~=Ulq ^_jLl .m {5SH~ObJTCYK˦&9 6KJhɇη,XXKY 1 jt/.5•bJv %4dFQXN)9V LǍgwmm֠Tޒ$o>-Q{ל9:)tO2[^G;~C% NHJ]O8Buٳ^Unv5j^1;o\ll+rL,-Jl")f֪;ҠW!yݧ{/@Ux ($Y?نJEh>s\2xӤ(  6E(|q'u9_xok9jV @~t=Bl@{kyH;_u_TG;6*")'fMlԧu,WǕk@)SjxhGS=DcؘArޑԩ\9i>jAlX/!2V7T(Bp6ڕH/f]E"W'PTIJq۱PkS W?iqL7d 4x4LA&bC,K F;/s0i!G t쉢*msfy\k,pBT,Vt"hQ 3Ne?.gh0'MvVipN`>Y=FI>G`J"R\}?5G"9}53$')Ym$p,ftH6V 33YYdp==iL@2Ī-qm^TmvP(N~՘}x؇JY5̰RrjbbTdD"*{$VVJ[R @̯3Plϱs'rY  p1|̖jW^ӕث+2Dotʸ`:pi,AʾNj'H4 0:)VD'sczEs7{$T"V]g) ң2502dtCbi;_>ߥSj l 4w"#+;cŋp(! Rp+$٠EAyxopIyF!"q;8Ne#U椨,6~nzWYI{}_яB:k>6zדuo<çj,pH_fyQ#{a=N~MadvXRxU%byLSO34[ }-< ܖbJǴtKp79z 뙕#7 }#YUBNB[USQsOxvLeWzps]|+"^흂 Ǯ+IεZM|(o.wG((DB8|{NG 9f0Z9laգerXrtFu5u(y@*.!T?'vm|Jp.찒vcWy泗8`_>Bpxh CQ..<,!]rوV]ҹREfFw8 5t*NTF־^~FCҷUDN@P90y{b{ߍKDc]?A Y$AX^q{PA؏NkQ5PqR%Egi-:)!vGC`w7 \3 bd`jpu/,Гڟ^Β7~<0s / =ri*aDħmm߱7B %{r$Jl` ,Y4mQD5=Co4uO0rp~%2fD8&#{ie@u j ?-gY񻁑ǖkv[Fc WQU N]v0 ΔOR7hi(pxwH'^ܚ[Wr3r 2R+Rv6M . (073}A՛ P#Prb»OW&_{ W`D&:Mzfu ۸47OEkj{+?N ($Y$i+Z6fGBY59 W1%^c b.<9y<LV"b&j,s$Zԏi<ۄqU5`|j@nKy m9#7ݣE蛚PIFK0)ڡoGyO'#U\qӑAx}%/v)lkL{k;{i0Po~*h|U*YQ6ԙA)u_/iHRTm͞o|Avf_[tHr(>ꃮɏHP#Xx\dcrw |q--oO9ޕfAƧi$Ohc#ųn-oMԦ@Ч3` 낐3q)JG:#ˤ$Rh/oXir4pƔ0cIH5e gp'jȀO\-CFbr"2ƧYݿ8?;gXzUp#'Gz鉳W)*ϡH!y>Yq.d: cěAVBEp} xb杌&SOb8edʧ&]C wKb?OyP,ɔ4F$%VMA.ɵx xCGySp-gt]߷pR2[$}ltl ]͝QXbvb)ZxN{D)c߬fE-z_p;Ċwyw&i\a}XMXC Zj%=r&Ica(A<^EJB֋B'am'.@n=y+?tJh5ɩY>pDĢQ)T.@렪@~jHyc֐4TTӫmQE9x$A8L=$K`dhwﱓD}2y8kC]@2/%L0l|ۗ@h$ 1`Xu)=Qi Cx'! d0Wk"~vj6E<&l^U5*HBt&3ת!clA Ow?GcO coucH)]%u,GI43iߚ;<%"RKnLy_0з4%-EͲ_4o2mE`8fBg0B5,DbfBN,4\Anm|PWmnM"Wo~كu9.z=싿peH.s^%o"DŋAyL=].@s8&N&+#fhaF#m4V!dxk}OqQ2 p?w#`Ar RPshuu>{g!~T.q?=[!^ ,v6Z<$N-zNqHDHj~bwŏ7 9#g[+ pyD2W֙d'1(?MlAݽ$Tl& ;{q ]~\rb7кΜ  KC_-;#FW{1F<=~S` `0hjoz5޴E*Y>GGkÜ(M(F@Hj;j}4*fM>[(Q8uWkiw0ߧ RF:' LN$E"w[w)+2bX̜-|,Z}-pPx85k!*.cRذYe;uj[?҆卞S+ %KXt>zwd"l^_ރǡticxisWQVFvX8tvA[K-_/x(leҬd) pǥ9C1Xao/e?>R',)MX{Og^W ژ {a*6y5He!LP1Q%:7uGK*6y$=W+usT\&|nV}j]˹#L]Z2<'90>{it>hf'22W'*G.Q!Qbqt_tӫx"2g1VXejVIT ;9˭8R7T@"{wi'%C!kSY`:2%RP2$K9$2 v72 cSQ8Hz?M_W4I1فPj=(C Hr2bqy,_zJZPh3@k|^Q8Qx,}Ʉrsdfbqr lPq%Cg;Jߋil9sوϰ%k%9Nc{P!L8wȑ>u8xL褚3KqAXg :>)cx]6|%^)xrI;K_Owe/ٴ5[*$3Dbuv[FT`k<1Zj3/Z?hko0]+xyF_)v5s \l.ۣׄ i 0li%WhhK7, % /{ǜ{ګ}ΒE/>XG\׌Gx{wHW\__DOCHűj`eYcMVkzwߧj᪲Yl=|Q>]Qq`5NPH Eׁ:R!t*':Ku2=OY"+2 pS' B(LAրdt K{4FNN/,F:}B^n(U= 7:8fO2tizi`(f,WgTzJ[=~yK'Ѐ1ꮻ=Dؼ]ԋ|\VED6;͵EJk䄾 ,Es/M QsziI} GGj֧i`l*?̷;{{20KMypH+0t0T@ؼ"m> rCP7km[ %aw=C"&9_M%*#?;O8%2ݔ{E0~.*e]:% :ҟ # ּu4m '0lt,+ Va cOa"8=%LXï"?jcߴ~zU[@>kՀCAZj;SO %*Y -+2|8ޜ? xFDmuUΧrA5!|&hb i@Ԉ R׽⏏_j><}_s9j #4e9H1E%? ~o/1hpM!gM%;77MQ~SJ%z f!zTdG@]o tb/X7Ӵ+_sh| .uF`SwG>w A]*@=bi" fkIaݮ#Cm=DO-cj$Y=cƆAXj +U̩-EneJKPJn_V:c\c#h/ao10K} k3L͏ F'䪯;![d ]tTRlhFfTBU7Gn{5l4SCtT (ٚpd[W#2o^. . k0-NqEQK@,]^ۘWvw~r(x :J^xN杩[0J؁[9 #:&bǷH%Aހ-wU)}}fflhˡK60[Y7a2:.z4,K:d@}g]L(@2 iH}nXDn?@(CMÏ%"ѓI9}(zt$.V!S7&I Ca[ys833CGSt nw 4 Dbϩ^Z:$O_dPzzGPXZͭhN{NtX^Q:;_cҜ8TdܙV0b?a*cA0ҿNYkl@Bs.ؘz(Lib k9daUcv i=hFqdw/Vu`?~ɋS"KrF8C֝!c8o#]aڌo !W:e~;My='nޘε|dǭ'\Q1z"^ Po<ǥD(ݿMߣ}ރ$4lE'4d{Dߤ"&tȥM!ig_m |a4곅P]v hjbCv ,%OC5aGȜB3F$x@WKFW q(A- `g~ZXv}45]M/6͸\ҟpDpI:}c5Y7|[KZ1S ^Z}$I]'V\,<t$D<'DjGzieq_· +&Cﬥ '67Ӎ2%G W`G9AN_@dK x]MQlӣݕZa$Ocf1{>֟YfO2nmJX^H^/b8mՎ7Hd+_)x-]aLWTU5L)UJ0S)ڗUhbDe|Vy-ԭ("G * FӦ/$ݽpji@ň"`A1/$/iAUPj+JP?:v⺐яªBt^tyEI`'pNHe /^8zTQ9Vh6}]i DxNFDI4˂[f{|=`3gJ1O|;ʟ?zj`D˞)5|1!+@L$c6$,=~|Yy'Ew̱n'-RNU[0+X-s&cۯ}xHR+ }CG4(݁ZQrAGJ1:B (,gNdVQ{_RBL-c7FQ>MB;xhnXv l@d}ctGt˔" rdA_E[ K <- B"ӵ,x3I`PX,;sdNR9-N}vvјTj .œ Pc90YdC'Z^ދQ^)5ޛTnSћ Pe 2VN}sgbE\-&F.]fg@SfЈ@Wk~==בiz.ao.߾+q蛛H+hUsܔܠԻe C:>_td[9q7q67ꐅxˆ=ߚ&3L]t`@ Y3$B%vvl U>u=L/!v.B hv@x,^O$$gM W`WJL} NO)H\`+*52+‹(5 ?0*,`BL*To͵rݱԙ0hr&W!QvLE) x7PhD Bd˩E#Xyr^~F۱u )]89Oo_J̈!&ϺH=Icb위CM޾?L8Pf#TmhM8 6mNˢ A+._+/]ʸ|7g[ #a ed_S/n{+;][<ؠsIms-[5];]BѿY!m.je9S]/}nAM 4dx:Tt[cE-b kPh wCR}A4&>һ.!Wŋ˜9+P@x;#̫\} Xz} :N[D6lщ$q48UK7Pv?kO5 a2g)Z7ſb厯]wL-,3KIu\Ou$7(q E/HǼ՗zd̫jCoԿ gԎ/ nVyb#w2.R/f֬iTMTbĽN]Y G. JqI1wg(Ũ:Cze+c'x0Lhp:7$M*$zaJhz.b/Ė~ Lf:!?>,Xب.e,5}r٤1 X"ۤ.JKl Mnqur5 mfKޤnKjkMT bP-@RHDY=CB*lu%k1ݲ^H$6^[jɤ&HPD}(6Џjl@~ٜY"\3.VK߉Gs2G!5߸Vwڪj{MJhhWSiS22NPYPCPG/1OoMBP XW=g{י36-P{+qݗOHL V:ES98Zᮗ ܽSD0^ohw_*2ywK&euDan}9?7?jotŬfhՕqϬZAvZoi72|xi6d9D7i1.Rt%b42N"/C>x!a-OZ<(x)(6јv}`s<ʀW7Ybl~ &WK@N7?@ͻP4qc )CQ WGT&Gq9ȳ0Ω_)tDxQM4t4o5_|NfW 6V$_LC@]f#ٵ)"{m0KA+2l{H,Z=b1ޏOV^0ʓS @SXe2vt=ͲE# (xY˻6-M>?z^9f32 W: ie„0#$lY~@,=`ߒ qٔ G\ǪvZ{P~x:b6jjrOQd@V9*( ܑ:B]pd] 6Hl &Ξ&w7sGwn gl?k^#B" CpbeRMF/ Qa3Ab$yUq :MƑb0R,?B ҙĊ\OY`m}蘛HUdjy׉vIcu3j Pr.gz:4A)´\~__F9K86Foauj]<{vy>-DU@٬ޣ? ~Y NTwn:3˭P ! V"IA`V[J具D;1o9JF=@o , s;3]5Ew"HZK>zv U)$TQ|P.M)]!\Iri]ȅɫQ`âUX@ {U/y%ڬ^1IdӦ[mʢHL;R34n ԼJc'!ߓ3L$m9lP$FBE-B}p,gB=G?7Of&]xj6t%b>twTiU3TQ=kGNC|ɗ -qPkǟ.ݹ|Ӷ YZ