ipa-server-trust-ad-4.9.6-4.module_el8.5.0+921+2b5d5825 >  A a7U]< hsL':YN#ect&^V%հd ,"XNz%oi"UO S?[hECpo (WC N4צnH|d&(&XPHl#4XozCv)ӌ9.Wa=*dZ^TqO<POx^A = 7ZZ&'zN=5r"}ܿyLQxML-5Եff*&&3*g aț9:`GyΧQd2df `ܑZe 61]THL\":fcZ椬@ꔿ[{.EهSmy"..]jT]iS뎻x.i`%e'c uJsCczVz[EMm[ceb4e499322edd37cb6b613f0d2090afb16b427092bd3482dd612ec61eb5c43e199f042ddf0946848cb43ec7ae876f1fa99c5093SIa7U]UW00#q[AG$fd>W!;OK7sܼWKr""n(˻9pX7ʇW]k(Uv!(RGzU~|F2+^ ?mFeJ^#XzRZ laQ=)`DakG(pșo'C ^h;65%jlm'j Fwy ݸ%.o\(>ޓD7j)AҞY&JT$1~:* E"IaąR1 NjhX9E'L[tE8,ӳzBPsxI4e#܅Gmy%؜F x]ؔ'֦; 3l݊k/FH,kz+Cp|HS+iȡCĽq2r _/ ],ekG!q<J8>pKx5?x%d : 04PT[bi w<   , @   h   L 9 9A9(8k9k:[k>l;?lC@lKBlSGlHlIm,Xm@YmPZm[m\m]n^obqdr/er4fr7lr9trTurvr wuxuXyu<vwwwwwxCipa-server-trust-ad4.9.64.module_el8.5.0+921+2b5d5825Virtual package to install packages required for Active Directory trustsCross-realm trusts with Active Directory in IPA require working Samba 4 installation. This package is provided for convenience to install all required dependencies at once.a7aarch64-02.mbox.centos.org=CentOSCentOSGPLv3+CentOS Buildsys Unspecifiedhttp://www.freeipa.org/linuxaarch64/usr/sbin/update-alternatives --install /usr/lib64/krb5/plugins/libkrb5/winbind_krb5_locator.so \ winbind_krb5_locator.so /dev/null 90 /bin/systemctl reload-or-try-restart dbus /bin/systemctl reload-or-try-restart oddjobdif [ $1 -eq 0 ]; then /usr/sbin/update-alternatives --remove winbind_krb5_locator.so /dev/null /bin/systemctl reload-or-try-restart dbus /bin/systemctl reload-or-try-restart oddjobd fi # ONLY_CLIENTif [ "$1" -ge "1" ]; then if [ "`readlink /etc/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then /usr/sbin/alternatives --set winbind_krb5_locator.so /dev/null fi fiy)4(%T$ - K hAAA큤A큤A큤`@W@V@VVZV@U@UYU@Uݪ@Uݪ@Uݪ@UoUU(UK@Ub@UJ@UU @U hTE@T T}TTZ@TZ@Tp@T5T@TuTto@TsTl@Td@Ta@T[bTG@TG@TFJT)IT%U@T$TSS:@S2@S1oS!S!S L@S L@Sc@SS @Rb@R@R@RUR@RRx@RR=RʚRƦ@RkRv@RG@RiRz/@RxRsRo@Ro@R^RW@RNR@-@R/ R-@R(r@R7RZ@R R R@R@R@R@R@R6QQQ'@Q@QvwQu&@Qm=@QZ@QVQ(@Q@PPPPPx@Px@PnPj@P\VPG>P@@P4P.2@PP @M6@M.@M.@M.@M-M M@L!LfLNLdLLLzLe3La?@LD>@L#HL#HL@K/KՀ@KK@KKs@Kie@K`*KK@K @JJ@J@J@JJB@J{IIIm@I1Iq@IKIFFI9I1.Ih@IIP@H@HXHO@H-w@H HHH@G߮GGgGs@G@G@G@G}G}G}GG@GC@GkGDG<4G)G(n@G3G@GJF@FS@FFuF@Thomas Woerner - 4.9.6-4Thomas Woerner - 4.9.6-3Thomas Woerner - 4.9.6-2Thomas Woerner - 4.9.6-1Thomas Woerner - 4.9.5-1Thomas Woerner - 4.9.3-1Alexander Bokovoy - 4.9.2-1Alexander Bokovoy - 4.9.1-1Thomas Woerner - 4.9.0-1Thomas Woerner - 4.9.0-0.5.rc3Alexander Bokovoy - 4.9.0-0.3.rc2Thomas Woerner - 4.9.0-0.2.rc2Thomas Woerner - 4.9.0-0.1.rc1Thomas Woerner - 4.9.0-0.rc1Thomas Woerner - 4.8.7-11Thomas Woerner - 4.8.7-10Thomas Woerner - 4.8.7-9Thomas Woerner - 4.8.7-8Thomas Woerner - 4.8.7-7Thomas Woerner - 4.8.7-6Thomas Woerner - 4.8.7-5Thomas Woerner - 4.8.7-4Thomas Woerner - 4.8.7-3Thomas Woerner - 4.8.7-2Thomas Woerner - 4.8.7-1Thomas Woerner - 4.8.6-2Thomas Woerner - 4.8.6-1Thomas Woerner - 4.8.4-6Thomas Woerner - 4.8.4-5Thomas Woerner - 4.8.4-4Alexander Bokovoy - 4.8.4-3Thomas Woerner - 4.8.4-2Thomas Woerner - 4.8.4-1Thomas Woerner - 4.8.3-3Thomas Woerner - 4.8.3-2Alexander Bokovoy - 4.8.3-1Alexander Bokovoy - 4.8.2-4Thomas Woerner - 4.8.2-3Thomas Woerner - 4.8.2-2Thomas Woerner - 4.8.2-1Thomas Woerner - 4.8.0-10Thomas Woerner - 4.8.0-9Thomas Woerner - 4.8.0-8Thomas Woerner - 4.8.0-7Thomas Woerner - 4.8.0-6Thomas Woerner - 4.8.0-5Alexander Bokovoy - 4.8.0-4Alexander Bokovoy - 4.8.0-3Thomas Woerner - 4.8.0-2Thomas Woerner - 4.8.0-1Alexander Bokovoy - 4.7.90-3Alexander Bokovoy - 4.7.90-2Thomas Woerner - 4.7.90-1Alexander Bokovoy - 4.7.1-12Rob Crittenden - 4.7.1-11Christian Heimes - 4.7.1-10Thomas Woerner - 4.7.1-9Christian Heimes - 4.7.1-8Thomas Woerner - 4.7.1-7.el8Lumír Balhar - 4.7.1-6.el8Alexander Bokovoy - 4.7.1-5.el8Alexander Bokovoy - 4.7.1-4.el8Thomas Woerner - 4.7.1-3.el8Alexander Bokovoy - 4.7.1-2.el8Alexander Bokovoy - 4.7.1-1.el8Tomas Orsava - 4.7.0-6.el8Rob Crittenden - 4.7.0-5.el8Rob Crittenden - 4.7.0-4.el8Thomas Woerner - 4.7.0-3.1.el8Thomas Woerner - 4.7.0-3.el8Alexander Bokovoy - 4.7.0-2.el8Rob Crittenden - 4.7.0-1.el8Rob Crittenden - 4.6.90.pre1-2.el8Rob Crittenden - 4.6.90.pre1-1.el8Troy Dawson - 4.5.4-5.el8.1Alexander Bokovoy - 4.5.4-5.el7Pavel Vomacka - 4.5.4-4.el7Rob Crittenden - 4.5.4-3.el7Felipe Barreto - 4.5.4-2.el7Pavel Vomacka - 4.5.4-1.el7Felipe Barreto - 4.5.0-21.el7.2.2Felipe Barreto - 4.5.0-21.el7.2Pavel Vomacka - 4.5.0-21.el7.1.2Pavel Vomacka - 4.5.0-21.el7.1.1Pavel Vomacka - 4.5.0-21.el7.1Pavel Vomacka - 4.5.0-21.el7Pavel Vomacka - 4.5.0-20.el7Pavel Vomacka - 4.5.0-19.el7Pavel Vomacka - 4.5.0-18.el7Pavel Vomacka - 4.5.0-17.el7Pavel Vomacka - 4.5.0-16.el7Pavel Vomacka - 4.5.0-15.el7Pavel Vomacka - 4.5.0-14.el7Pavel Vomacka - 4.5.0-13.el7Pavel Vomacka - 4.5.0-12.el7Jan Cholasta - 4.5.0-11.el7Jan Cholasta - 4.5.0-10.el7Jan Cholasta - 4.5.0-9.el7Jan Cholasta - 4.5.0-8.el7Jan Cholasta - 4.5.0-7.el7Pavel Vomacka - 4.5.0-6.el7Jan Cholasta - 4.5.0-5.el7Jan Cholasta - 4.5.0-4.el7Jan Cholasta - 4.5.0-3.el7Jan Cholasta - 4.5.0-2.el7Jan Cholasta - 4.5.0-1.el7Jan Cholasta - 4.4.0-14.7Jan Cholasta - 4.4.0-14.6Jan Cholasta - 4.4.0-14.5Jan Cholasta - 4.4.0-14.4Jan Cholasta - 4.4.0-14.3Jan Cholasta - 4.4.0-14.2Jan Cholasta - 4.4.0-14.1Jan Cholasta - 4.4.0-14Jan Cholasta - 4.4.0-13Petr Vobornik - 4.4.0-12Jan Cholasta - 4.4.0-11Jan Cholasta - 4.4.0-10Jan Cholasta - 4.4.0-9Jan Cholasta - 4.4.0-8Jan Cholasta - 4.4.0-7Jan Cholasta - 4.4.0-6Jan Cholasta - 4.4.0-5Jan Cholasta - 4.4.0-4Jan Cholasta - 4.4.0-3Petr Vobornik - 4.4.0-2.1Petr Vobornik - 4.4.0-2Jan Cholasta - 4.4.0-1Jan Cholasta - 4.4.0-0.2.alpha1Jan Cholasta - 4.4.0-0.1.alpha1Jan Cholasta - 4.3.1-0.201605241723GIT1b427d3.1Jan Cholasta - 4.3.1-0.201605241723GIT1b427d3Jan Cholasta - 4.3.1-0.201605191449GITf8edf37.1Jan Cholasta - 4.3.1-0.201605191449GITf8edf37Jan Cholasta - 4.2.0-16Jan Cholasta - 4.2.0-15Jan Cholasta - 4.2.0-14Jan Cholasta - 4.2.0-13Jan Cholasta - 4.2.0-12Jan Cholasta - 4.2.0-11Jan Cholasta - 4.2.0-10Jan Cholasta - 4.2.0-9Jan Cholasta - 4.2.0-8Jan Cholasta - 4.2.0-7Jan Cholasta - 4.2.0-6Jan Cholasta - 4.2.0-5Jan Cholasta - 4.2.0-4Jan Cholasta - 4.2.0-3Jan Cholasta - 4.2.0-2Jan Cholasta - 4.2.0-1Jan Cholasta - 4.2.0-0.2.alpha1Jan Cholasta - 4.2.0-0.1.alpha1Jan Cholasta - 4.1.0-18.3Alexander Bokovoy - 4.1.0-18.2Jan Cholasta - 4.1.0-18.1Martin Kosek - 4.1.0-18Jan Cholasta - 4.1.0-17Jan Cholasta - 4.1.0-16Jan Cholasta - 4.1.0-15Jan Cholasta - 4.1.0-14Jan Cholasta - 4.1.0-13Jan Cholasta - 4.1.0-12Jan Cholasta - 4.1.0-11Jan Cholasta - 4.1.0-10Jan Cholasta - 4.1.0-9Jan Cholasta - 4.1.0-8Jan Cholasta - 4.1.0-7Jan Cholasta - 4.1.0-6Jan Cholasta - 4.1.0-5Jan Cholasta - 4.1.0-4Jan Cholasta - 4.1.0-3Jan Cholasta - 4.1.0-2Jan Cholasta - 4.1.0-1Jan Cholasta - 4.1.0-0.1.alpha1Petr Vobornik - 4.0.3-3Jan Cholasta - 4.0.3-2Jan Cholasta - 4.0.3-1Martin Kosek - 3.3.3-29Martin Kosek - 3.3.3-28Martin Kosek - 3.3.3-27Martin Kosek - 3.3.3-26Martin Kosek - 3.3.3-25Martin Kosek - 3.3.3-24Martin Kosek - 3.3.3-23Martin Kosek - 3.3.3-22Martin Kosek - 3.3.3-21Martin Kosek - 3.3.3-20Martin Kosek - 3.3.3-19Martin Kosek - 3.3.3-18Martin Kosek - 3.3.3-17Martin Kosek - 3.3.3-16Daniel Mach - 3.3.3-15Martin Kosek - 3.3.3-14Martin Kosek - 3.3.3-13Martin Kosek - 3.3.3-12Martin Kosek - 3.3.3-11Martin Kosek - 3.3.3-10Martin Kosek - 3.3.3-9Martin Kosek - 3.3.3-8Daniel Mach - 3.3.3-7Martin Kosek - 3.3.3-6Martin Kosek - 3.3.3-5Martin Kosek - 3.3.3-4Martin Kosek - 3.3.3-3Martin Kosek - 3.3.3-2Martin Kosek - 3.3.3-1Martin Kosek - 3.3.2-5Martin Kosek - 3.3.2-4Martin Kosek - 3.3.2-3Martin Kosek - 3.3.2-2Martin Kosek - 3.3.2-1Martin Kosek - 3.3.1-5Martin Kosek - 3.3.1-4Martin Kosek - 3.3.1-3Martin Kosek - 3.3.1-2Rob Crittenden - 3.3.1-1Rob Crittenden - 3.3.0-7Martin Kosek - 3.3.0-6Martin Kosek - 3.3.0-5Martin Kosek - 3.3.0-4Martin Kosek - 3.3.0-3Martin Kosek - 3.3.0-2Martin Kosek - 3.3.0-1Martin Kosek - 3.3.0-0.2.beta2Martin Kosek - 3.3.0-0.1.beta2Martin Kosek - 3.2.2-1Martin Kosek - 3.2.1-1Rob Crittenden - 3.2.0-2Rob Crittenden - 3.2.0-1Rob Crittenden - 3.2.0-0.4.beta1Rob Crittenden - 3.2.0-0.3.beta1Rob Crittenden - 3.2.0-0.2.beta1Martin Kosek - 3.2.0-0.1.pre1Kevin Fenzi 3.1.2-4Kevin Fenzi - 3.1.2-3Fedora Release Engineering - 3.1.2-2Rob Crittenden - 3.1.2-1Martin Kosek - 3.1.0-2Rob Crittenden - 3.1.0-1Martin Kosek - 3.0.0-3Rob Crittenden - 3.0.0-2Rob Crittenden - 3.0.0-1Rob Crittenden - 3.0.0-0.10Martin Kosek - 3.0.0-0.9Rob Crittenden - 3.0.0-0.8Rob Crittenden - 3.0.0-0.7Rob Crittenden - 3.0.0-0.6Alexander Bokovoy - 3.0.0-0.5Rob Crittenden - 3.0.0-0.4Martin Kosek - 3.0.0-0.3Alexander Bokovoy - 3.0.0-0.2Rob Crittenden - 3.0.0-0.1Rob Crittenden - 2.2.0-1Rob Crittenden - 2.1.90-0.2Rob Crittenden - 2.1.90-0.1Alexander Bokovoy - 2.1.4-5Martin Kosek - 2.1.4-4Alexander Bokovoy - 2.1.4-3Alexander Bokovoy - 2.1.4-2Rob Crittenden - 2.1.4-1Rob Crittenden - 2.1.3-8Alexander Bokovoy - 2.1.3-7Alexander Bokovoy - 2.1.3-6Fedora Release Engineering - 2.1.3-5Alexander Bokovoy - 2.1.3-4Alexander Bokovoy - 2.1.3-3Alexander Bokovoy - 2.1.3-2Alexander Bokovoy - 2.1.3-1Alexander Bokovoy - 2.1.2-1Rob Crittenden - 2.1.0-1Simo Sorce - 2.0.1-2Rob Crittenden - 2.0.1-1Rob Crittenden - 2.0.0-1Rob Crittenden - 2.0.0-0.4.rc2Rob Crittenden - 2.0.0-0.3.rc1Rob Crittenden - 2.0.0-0.1.rc1Fedora Release Engineering - 2.0.0-0.2.beta2Rob Crittenden - 2.0.0-0.1.beta2Rob Crittenden - 2.0.0-0.2.beta.git80e87e7Rob Crittenden - 2.0.0-0.1.beta.git80e87e7Rob Crittenden - 1.99-41Adam Young - 1.99-40Simo Sorce - 1.99-39Simo Sorce - 1.99-38Rob Crittenden - 1.99-37Rob Crittenden - 1.99-36Rob Crittenden - 1.99-35Jr Aquino - 1.99-34Simo Sorce - 1.99-33Rob Crittenden - 1.99-32Rob Crittenden - 1.99-31Rob Crittenden - 1.99-30Rob Crittenden - 1.99-29Rob Crittenden - 1.99-28Rob Crittenden - 1.99-27Rob Crittenden - 1.99-26Rob Crittenden - 1.99-25Adam Young - 1.99-24Rob Crittenden - 1.99-23Rob Crittenden - 1.99-22Rob Crittenden - 1.99-21Rob Crittenden - 1.99-20Rob Crittenden - 1.99-19Jason Gerard DeRose - 1.99-18Jason Gerard DeRose - 1.99-17Jason Gerard DeRose - 1.99-16Rob Crittenden - 1.99-15Jason Gerard DeRose - 1.99-14Rob Crittenden - 1.99-13Rob Crittenden - 1.99-12Rob Crittenden - 1.99-11Rob Crittenden - 1.99-10Rob Crittenden - 1.99-9Jason Gerard DeRose - 1.99-8Rob Crittenden - 1.99-7Rob Crittenden - 1.99-6Rob Crittenden - 1.99-5Rob Crittenden - 1.99-4Rob Crittenden - 1.99-3Rob Crittenden - 1.99-2Rob Crittenden - 1.99-1Tomas Mraz - 1.2.1-3Dan Walsh - 1.2.1-2Simo Sorce - 1.2.1-1Simo Sorce - 1.2.1-0Ignacio Vazquez-Abrams - 1.2.0-4Simo Sorce - 1.2.0-3Simo Sorce - 1.2.0-2Rob Crittenden - 1.2.0-1Simo Sorce - 1.1.0-3Rob Crittenden - 1.1.0-2Rob Crittenden - 1.1.0-1Rob Crittenden - 1.0.0-5Rob Crittenden - 1.0.0-4Rob Crittenden - 1.0.0-3Rob Crittenden - 1.0.0-2Rob Crittenden - 1.0.0-1Rob Crittenden 0.99-12Rob Crittenden 0.99-11Rob Crittenden 0.99-10Rob Crittenden 0.99-9Rob Crittenden 0.99-8Rob Crittenden 0.99-7Rob Crittenden 0.99-6Rob Crittenden 0.99-5Rob Crittenden 0.99-4Rob Crittenden 0.99-3Rob Crittenden 0.99-2Rob Crittenden 0.99-1Rob Crittenden - 0.6.0-2Karl MacMillan - 0.6.0-1Karl MacMillan - 0.5.0-1Rob Crittenden - 0.4.1-2Karl MacMillan - 0.4.1-1Karl MacMillan - 0.4.0-6Rob Crittenden - 0.4.0-5Rob Crittenden - 0.4.0-4Karl MacMillan - 0.4.0-3Karl MacMillan - 0.4.0-2Karl MacMillan - 0.2.0-1Rob Crittenden - 0.1.0-3Rob Crittenden - 0.1.0-2Karl MacMillan - 0.1.0-1- ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL Resolves: RHBZ#1982956- man page: update ipa-server-upgrade.1 Resolves: RHBZ#1973273 - Fall back to krbprincipalname when validating host auth indicators Resolves: RHBZ#1979625 - Add dependency for sssd-winbind-idmap to server-trust-ad Resolves: RHBZ#1982211- IPA server in debug mode fails to run because time.perf_counter_ns is Python 3.7+ Resolves: RHBZ#1974822 - Add checks to prevent assigning authentication indicators to internal IPA services Resolves: RHBZ#1979625 - Unable to set ipaUserAuthType with stageuser-add Resolves: RHBZ#1979605- Upstream release FreeIPA 4.9.6 Related: RHBZ#1945038 - Revise PKINIT upgrade code Resolves: RHBZ#1886837 - ipa-cert-fix man page: add note about certmonger renewal Resolves: RHBZ#1780317 - Certificate Serial Number issue Resolves: RHBZ#1919384- Upstream release FreeIPA 4.9.5 Related: RHBZ#1945038 - IPA to allow setting a new range type Resolves: RHBZ#1688267 - ipa-server-install displays debug output when --debug output is not specified. Resolves: RHBZ#1943151 - ACME fails to generate a cert on migrated RHEL8.4 server Resolves: RHBZ#1934991 - Switch ipa-client to use the JSON API Resolves: RHBZ#1937856 - IDM - Allow specifying permanent logging settings for BIND Resolves: RHBZ#1951511 - Cache LDAP data within a request Resolves: RHBZ#1953656 - ipa-server-upgrade is failing while upgrading rhel8.3 to rhel8.4 Resolves: RHBZ#1957768- Upstream release FreeIPA 4.9.3 Resolves: RHBZ#1945038- Upstream release FreeIPA 4.9.2 Related: RHBZ#1891832- Upstream release FreeIPA 4.9.1 Related: RHBZ#1891832- Upstream final release FreeIPA 4.9.0 Related: RHBZ#1891832- Upstream pre release FreeIPA 4.9.0rc3 Related: RHBZ#1891832- Remove ipa-server dependency from ipa-selinux subpackage - Related: RHBZ#1891832- Upstream pre release FreeIPA 4.9.0rc2 Related: RHBZ#1891832 - Synchronize spec file with upstream and Fedora Related: RHBZ#1891832 - Traceback while doing ipa-backup Resolves: RHBZ#1901068 - ipa-client-install changes system wide ssh configuration Resolves: RRBZ#1544379 - ipa-kdb: support subordinate/superior UPN suffixes Resolves: RHBZ#1891056 - KRA Transport and Storage Certificates do not renew Resolves: RHBZ#1872603 - Move where the restore state is marked during IPA server upgrade Resolves: RHBZ#1569011 - Intermittent IdM Client Registration Failures Resolves: RHBZ#1812871 - Nightly test failure in test_acme.py::TestACME::test_third_party_certs (updates-testing) Resolves: RHBZ#1903025 - Add IPA RA Agent to ACME group on the CA Resolves: RHBZ#1902727- Fix requirement for python3-kdcproxy, add no autoreqprov for ipatests sub package Related: RHBZ#1891832- Upstream pre release FreeIPA 4.9.0rc1 Resolves: RHBZ#1891832 - Requirements and design for libpwquality integration Resolves: RHBZ#1340463 - When parsing options require name/value pairs Resolves: RHBZ#1357495 - WebUI: Fix issue with opening links in new tab/window Resolves: RHBZ#1484088 - Use a state to determine if a 389-ds upgrade is in progress Resolves: RHBZ#1569011 - Unlock user accounts after a password reset and replicate that unlock to all IdM servers Resolves: RHBZ#1784657 - Set the certmonger subject with a string, not an object Resolves: RHBZ#1810148 - Implement ACME certificate enrolment Resolves: RHBZ#1851835 - [WebUI] Backport jQuery patches from newer versions of the library (e.g. 3.5.0) Resolves: RHBZ#1859249 - It is not possible to edit KDC database when the FreeIPA server is running Resolves: RHBZ#1875001 - Fix nsslapd-db-lock tuning of BDB backend Resolves: RHBZ#1882340 - ipa-kdb: support subordinate/superior UPN suffixes Resolves: RHBZ#1891056 - wgi/plugins.py: ignore empty plugin directories Resolves: RHBZ#1894800- SELinux Policy: let custodia replicate keys Resolves: RHBZ#1868432- Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations Resolves: RHBZ#1870202- CAless installation: set the perms on KDC cert file Resolves: RHBZ#1863616 - EPN: handle empty attributes Resolves: RHBZ#1866938 - IPA-EPN: enhance input validation Resolves: RHBZ#1866291 - EPN: enhance input validation Resolves: RHBZ#1863079 - Require new samba build 4.12.3-52 Related: RHBZ#1868558 - Require new selinux-policy build 3.14.3-52 Related: RHBZ#1869311- [WebUI] IPA Error 3007: RequirmentError" while adding members in "User ID overrides" tab (updated) Resolves: RHBZ#1757045 - ipa-client-install: use the authselect backup during uninstall Resolves: RHBZ#1810179 - Replace SSLCertVerificationError with CertificateError for py36 Resolves: RHBZ#1858318 - Fix AVC denial during ipa-adtrust-install --add-agents Resolves: RHBZ#1859213- replica install failing with avc denial for custodia component Resolves: RHBZ#1857157- selinux don't audit rules deny fetching trust topology Resolves: RHBZ#1845596 - fix iPAddress cert issuance for >1 host/service Resolves: RHBZ#1846352 - Specify cert_paths when calling PKIConnection Resolves: RHBZ#1849155 - Update crypto policy to allow AD-SUPPORT when installing IPA Resolves: RHBZ#1851139 - Add version to ipa-idoverride-memberof obsoletes Related: RHBZ#1846434- Add missing ipa-selinux package Resolves: RHBZ#1853263- Remove client-epn left over files for ONLY_CLIENT Related: RHBZ#1847999- [WebUI] IPA Error 3007: RequirmentError" while adding members in "User ID overrides" tab Resolves: RHBZ#1757045 - EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in freeipa-client-epn Resolves: RHBZ#1847999 - FreeIPA - Utilize 256-bit AJP connector passwords Resolves: RHBZ#1849914 - ipa: typo issue in ipanthomedirectoryrive deffinition Resolves: RHBZ#1851411- Remove ipa-idoverride-memberof as superceded by ipa-server 4.8.7 Resolves: RHBZ#1846434- Upstream release FreeIPA 4.8.7 - Require new samba build 4.12.3-0 Related: RHBZ#1818765 - New client-epn sub package Resolves: RHBZ#913799- Support krb5 1.18 Resolves: RHBZ#1817579- Upstream release FreeIPA 4.8.6 - New SELinux sub package to provide own module - Depend on selinux-policy-devel 3.14.3-43 for build due to a makefile issue in SELinux external policy support Related: RHBZ#1818765- Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit Resolves: RHBZ#1790663- Fixed weekday in 4.8.4-2 changelog date Related: RHBZ#1784003 - adtrust: print DNS records for external DNS case after role is enabled Resolves: RHBZ#1665051 - AD user without override receive InternalServerError with API Resolves: RHBZ#1782572 - ipa-client-automount fails after repeated installation/uninstallation Resolves: RHBZ#1790886 - install/updates: move external members past schema compat update Resolves: RHBZ#1803165 - kdb: make sure audit_as_req callback signature change is preserved Resolves: RHBZ#1803786- Update dependencies for samba, 389-ds and sssd Resolves: RHBZ#1792848- Depend on krb5-kdb-version-devel for BuildRequires - Update nss dependency to 3.44.0-4 - Reset per-indicator Kebreros policy Resolves: RHBZ#1784761- DNS install check: Fix overlapping DNS zone from the master itself Resolves: RHBZ#1784003- Rebase to upstream release 4.8.4 - Removed upstream patches 0001 to 0008 that are part of version 4.8.3-3 Resolves: RHBZ#1782658 Resolves: RHBZ#1782169 Resolves: RHBZ#1783046 Related: RHBZ#1748987- Fix otptoken_sync plugin Resolves: RHBZ#1777811- Use default crypto policy for TLS and enable TLS 1.3 support Resolves: RHBZ#1777809 - Covscan fixes Resolves: RHBZ#1777920 - Change pki_version to 10.8.0 Related: RHBZ#1748987- Rebase to security release 4.8.3 (CVE-2019-14867, CVE-2019-10195) Resolves: RHBZ#1767304 Resolves: RHBZ#1776939 - Support KDC ticket policies for authentication indicators Resolves: RHBZ#1777564- CVE-2019-14867: Denial of service in IPA server due to wrong use of ber_scanf() Resolves: RHBZ#1767304 - CVE-2019-10195: Don't log passwords embedded in commands in calls using batch Resolves: RHBZ#1776939- Use default ssh host key algorithms Resolves: RHBZ#1756432 - Do not run trust upgrade code if master lacks Samba bindings Resolves: RHBZ#1757064 - Finish group membership management UI Resolves: RHBZ#1773528- Update dependency for bind-dndb-ldap to 11.2-2 Related: RHBZ#1762813- Rebase to upstream release 4.8.2 - Removed upstream patches 0001 to 0010 that are part of version 4.8.2 - Updated branding patch Resolves: RHBZ#1748987- Fix automount behavior with authselect Resolves: RHBZ#1740167- extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT Resolves: RHBZ#1741530- FreeIPA 4.8.0 tarball lacks two update files that are in git Resolves: RHBZ#1741170- Allow insecure binds for migration Resolves: RHBZ#1731963- Fix --external-ca-profile not passed to CSR Resolves: RHBZ#1731813- Remove posixAccount from service_find search filter Resolves: RHBZ#1731437 - Fix repeated uninstallation of ipa-client-samba crashes Resolves: RHBZ#1732529 - WebUI: Add PKINIT status field to 'Configuration' page Resolves: RHBZ#1518153- Fix krb5-kdb-server -> krb5-kdb-version Related: RHBZ#1700121- Make sure ipa-server depends on krb5-kdb-version to pick up right MIT Kerberos KDB ABI Related: RHBZ#1700121 - User field separator uses '$$' within ipaSELInuxUserMapOrder Fixes: RHBZ#1729099- Fixed kdcproxy_version to 0.4-3 - Fixed krb5_version to 1.17-7 Related: RHBZ#1684528- New upstream release 4.8.0 - New subpackage: freeipa-client-samba - Added command ipa-cert-fix with man page - New sysconfdir sysconfig/certmonger - Updated pki_version, certmonger_version, sssd_version and kdcproxy_version Related: RHBZ#1684528- Fix upgrade issue with AD trust when no trust yet established Fixes: RHBZ#1708874 Related: RHBZ#1684528- Require certmonger 0.79.7-1 Related: RHBZ#1708095- Update to 4.7.90-pre1 Related: RHBZ#1684528 - Removed patches 0002 to 0031 as these are upsteram and part of 4.7.90-pre1 - Added new patches 0001-revert-minssf-defaults.patch and 0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch- Remove strict dependencies to krb5-server version in order to allow update of krb5 to 1.17 and change dependency to KDB DAL version. Resolves: RHBZ#1700121- Handle NFS configuration file changes. nfs-utils moved the configuration file from /etc/sysconfig/nfs to /etc/nfs.conf. Resolves: RHBZ#1676981- Fix systemd-user HBAC rule Resolves: RHBZ#1664974- Resolve user/group names in idoverride*-find Resolves: RHBZ#1657745- Create systemd-user HBAC service and rule Resolves: RHBZ#1664974 - ipaserver/dcerpc: fix exclusion entry with a forest trust domain info returned Resolves: RHBZ#1664023- Fix misleading errors during client install rollback Resolves: RHBZ#1658283 - ipa-advise: update url of cacerdir_rehash tool Resolves: RHBZ#1658287 - Handle NTP configuration in a replica server installation Resolves: RHBZ#1651679 - Fix defects found by static analysis Resolves: RHBZ#1658182 - ipa-replica-install --setup-adtrust: check for package ipa-server-trust-ad Resolves: RHBZ#1658294 - ipaldap: invalid modlist when attribute encoding can vary Resolves: RHBZ#1658302 - Allow ipaapi and Apache user to access SSSD IFP Resolves: RHBZ#1639910 - Add sysadm_r to default SELinux user map order Resolves: RHBZ#1658303 - certdb: ensure non-empty Subject Key Identifier and validate server cert sig Resolves: RHBZ#1641988 - ipa-replica-install: password and admin-password options mutually exclusive Resolves: RHBZ#1658309 - ipa upgrade: handle double-encoded certificates Resolves: RHBZ#1658310 - PKINIT: fix ipa-pkinit-manage enable|disable Resolves: RHBZ#1658313 - Enable LDAP debug output in client to display TLS errors in join Resolves: RHBZ#1658316 - rpc: always read response Resolves: RHBZ#1639890 - ipa vault-retrieve: fix internal error Resolves: RHBZ#1658485 - Move ipa's systemd tmpfiles from /var/run to /run Resolves: RHBZ#1658487 - Fix authselect invocations to work with 1.0.2 Resolves: RHBZ#1654291 - ipa-client-automount and NFS unit name changes Resolves: RHBZ#1645501 - Fix compile issue with new 389-ds Resolves: RHBZ#1659448- Require platform-python-setuptools instead of python3-setuptools - Resolves: rhbz#1650139- Fixed: rhbz#1643445 - External CA step 2 fails with pki_client_database_dir is missing - Fixed: rhbz#1642834 - Smart card advise script uses hard-coded Python interpreter- Fix mapping of BUILTIN\Guests to 'nobody' group during upgrade to not use generated Samba config at this point - Related: rhbz#1623895- New command automember-find-orphans to find and remove orphan automemeber rules has been added Resolves: RHBZ#1638373 - Moved ipa/idm logos and background to redhat-logos-ipa-80.4: header-logo.png, login-screen-background.jpg, login-screen-logo.png, product-name.png New requirement to redhat-logos-ipa >= 80.4 in ipa-server-common Resolves: RHBZ#1626507- Move initialization of Guests mapping after cifs/ principal is created - Related: rhbz#1623895- 4.7.1 - Fixes: rhbz#1633105 - rebase to 4.7.1- Require the Python interpreter directly instead of using the package name - Related: rhbz#1619153- sudo rule for "admins" members should be created by default (#1609873)- ipaclient-install: chmod needs octal permissions (#1609880)- Resolves: #1609883 ipaserver/plugins/cert.py: Add reason to raise of errors.NotFound - Resolves: #1615765 do-not-use-RC4-in-FIPS-mode - Move fips_enabled to a common library to share across different plugins - ipasam: do not use RC4 in FIPS mode- Resolves: #1614301 Remove --no-sssd and --noac options - Resolves: #1613879 Disable Domain Level 0 - New patch sets to disable domain level 0 - New adapted patch to disable DL0 specific tests (pytest_ipa vs. pytest_plugins) - Adapted branding patch in ipa-replica-install.1 due to DL0 removal- Require 389-ds-base-legacy-tools for setup tools- Update to upstream 4.7.0 GA- Set krb5 DAL version to 7.0 (#1580711) - Rebuild aclocal and configure during build- Update to upstream 4.6.90.pre1- Use java-1.8.0-openjdk-devel- Resolves: #1415162 ipa-exdom-extop plugin can exhaust DS worker threads- Resolves: #1388135 [RFE] limit the retro changelog to dns subtree. - ldap: limit the retro changelog to dns subtree - Resolves: #1427798 Use X509v3 Basic Constraints "CA:TRUE" instead of "CA:FALSE" IPA CA CSR - Include the CA basic constraint in CSRs when renewing a CA - Resolves: #1493145 ipa-replica-install might fail because of an already existing entry cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX - Checks if replica-s4u2proxy.ldif should be applied - Resolves: #1493150 [RFE] set nsslapd-ignore-time-skew: on by default - ds: ignore time skew during initial replication step - ipa-replica-manage: implicitly ignore initial time skew in force-sync - Resolves: #1500218 Replica installation at domain-level 0 fails against upgraded ipa-server - Fix ipa-replica-conncheck when called with --principal - Resolves: #1506188 server-del doesn't remove dns-server configuration from ldap- Drop workaround for building on AArch64 (#1482244) - Temporarily reduce Requires on python-netaddr to 0.7.5-7 (#1506485)- Resolves: #1461177 ipa-otptoken-import - XML file is missing PBKDF2 parameters! - Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s during search in cn=ad, cn=trusts,dc=example,dc=com - Resolves: #1467887 iommu platform support for ipxe - Resolves: #1477178 [ipa-replica-install] - 406 Client Error: Failed to validate message: Incorrect number of results (0) searching forpublic key for host - Resolves: #1478251 IPA WebUI does not work after upgrade from IPA 4.4 to 4.5 - Resolves: #1480102 ipa-server-upgrade failes with "This entry already exists" - Resolves: #1482802 Unable to set ca renewal master on replica - Resolves: #1484428 Updating from RHEL 7.3 fails with Server-Cert not found (ipa-server-upgrade) - Resolves: #1484826 FreeIPA/IdM installations which were upgraded from versions with 389 DS prior to 1.3.3.0 doesn't have whomai plugin enabled and thus startup of Web UI fails - Resolves: #1486283 TypeError in renew_ca_cert prevents from swiching back to self-signed CA - Resolves: #1469246 Replica install fails to configure IPA-specific temporary files/directories - Resolves: #1469480 bind package is not automatically updated during ipa-server upgrade process - Resolves: #1475238 Use CommonNameToSANDefault in default profile (new installs only) - Resolves: #1477703 IPA upgrade fails for latest ipa package- Use OpenJDK 8 to bootstrap on AArch64 until RH1482244 is resolved in buildroot - Resolves: #1470177 - Rebase IPA to latest 4.5.x version - Resolves: #1398594 ipa topologysuffix-verify should only warn about maximum number of replication agreements. - Resolves: #1404236 Web UI: Change "Host Based" and "Role Based" to "Host-Based" and "Role-Based" - Resolves: #1409786 Second phase of --external-ca ipa-server-install setup fails when dirsrv is not running - Resolves: #1451576 ipa cert-request failed to generate certificate from csr - Resolves: #1452086 Pagination Size under Customization in IPA WebUI accepts negative values - Resolves: #1458169 --force-join option is not mentioned in ipa-replica-install man page - Resolves: #1463186 IPA shouldn't allow objectclass if not all in lower case - Resolves: #1478322 user-show command fails when sizelimit is configured to number <= number of entity which is user member of - Resolves: #1496775 Enterprise principals should be able to trigger a refresh of the trusted domain data in the KDC - Resolves: #1502533 Changing cert-find to go through the proxy instead of using the port 8080 - Resolves: #1502663 pkinit-status command fails after an upgrade from a pre-4.5 IPA - Resolves: #1498168 Error when trying to modify a PTR record - Resolves: #1457876 ipa-backup fails silently - Resolves: #1493531 In case full PKINIT configuration is failing during server/replica install the error message should be more meaningful. - Resolves: #1449985 Suggest CA installation command in KRA installation warning- Resolves: #1477367 ipa-server-upgrade timeouts on wait_for_open ports expecting IPA services listening on IPv6 ports - Make sure upgrade also checks for IPv6 stack - control logging of host_port_open from caller - log progress of wait_for_open_ports - Resolves: #1477243 ipa help command returns traceback when no cache is present - Store help in Schema before writing to disk - Disable pylint in get_help function because of type confusion.- Resolves: #1477178 - [ipa-replica-install] - 406 Client Error: Failed to validate message: Incorrect number of results (0) searching forpublic key for host - Always check peer has keys before connecting - Resolves: #1482802 - Unable to set ca renewal master on replica - Fix ipa config-mod --ca-renewal-master - Resolves: #1486283 - TypeError in renew_ca_cert prevents from swiching back to self-signed CA - Backport PR 988 to ipa-4-5 Fix Certificate renewal (with ext ca) - Resolves: #1480102 - ipa-server-upgrade failes with "This entry already exists" - Backport PR 1008 to ipa-4-5 Fix ipa-server-upgrade: This entry already exists - Resolves: #1484826 - FreeIPA/IdM installations which were upgraded from versions with 389 DS prior to 1.3.3.0 doesn't have whomai plugin enabled and thus startup of Web UI fails - Adds whoami DS plugin in case that plugin is missing - Resolves: #1478251 - IPA WebUI does not work after upgrade from IPA 4.4 to 4.5 - Fixing how sssd.conf is updated when promoting a client to replica - Resolves: #1461177 - ipa-otptoken-import - XML file is missing PBKDF2 parameters! - ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace - Resolves: #1484428 - Updating from RHEL 7.3 fails with Server-Cert not found (ipa-server-upgrade) - Backport 4-5: Fix ipa-server-upgrade with server cert tracking- Resolves: #1477703 IPA upgrade fails for latest ipa package - Restore old version of caIPAserviceCert for upgrade only- Resolves: #1475238 Use CommonNameToSANDefault in default profile (new installs only) - Restore old version of caIPAserviceCert for upgrade only- Resolves: #1455946 Provide a tooling automating the configuration of Smart Card authentication on a FreeIPA master - smart-card advises: configure systemwide NSS DB also on master - smart-card advises: add steps to store smart card signing CA cert - Allow to pass in multiple CA cert paths to the smart card advises - add a class that tracks the indentation in the generated advises - delegate the indentation handling in advises to dedicated class - advise: add an infrastructure for formatting Bash compound statements - delegate formatting of compound Bash statements to dedicated classes - Fix indentation of statements in Smart card advises - Use the compound statement formatting API for configuring PKINIT - smart card advises: use a wrapper around Bash `for` loops - smart card advise: use password when changing trust flags on HTTP cert - smart-card-advises: ensure that krb5-pkinit is installed on client - Resolves: #1475238 Use CommonNameToSANDefault in default profile (new installs only) - Add CommonNameToSANDefault to default cert profile - Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s during search in cn=ad,cn=trusts,dc=example,dc=com - NULL LDAP context in call to ldap_search_ext_s during search- Resolves: #1469246 Replica install fails to configure IPA-specific temporary files/directories - replica install: drop-in IPA specific config to tmpfiles.d - Resolves: #1469480 bind package is not automatically updated during ipa-server upgrade process - Bumped Required version of bind-dyndb-ldap and bind package- Resolves: #1452216 Replica installation grants HTTP principal access in WebUI - Make sure we check ccaches in all rpcserver paths- Resolves: #1462112 ipaserver installation fails in FIPS mode: OpenSSL internal error, assertion failed: Digest MD4 forbidden in FIPS mode! - ipa-sam: replace encode_nt_key() with E_md4hash() - ipa_pwd_extop: do not generate NT hashes in FIPS mode - Resolves: #1377973 ipa-server-install fails when the provided or resolved IP address is not found on local interfaces - Fix local IP address validation - ipa-dns-install: remove check for local ip address - refactor CheckedIPAddress class - CheckedIPAddress: remove match_local param - Remove ip_netmask from option parser - replica install: add missing check for non-local IP address - Remove network and broadcast address warnings- Resolves: #1449189 ipa-kra-install timeouts on replica - kra: promote: Get ticket before calling custodia- Resolve: #1455946 Provide a tooling automating the configuration of Smart Card authentication on a FreeIPA master - server certinstall: update KDC master entry - pkinit manage: introduce ipa-pkinit-manage - server upgrade: do not enable PKINIT by default - Extend the advice printing code by some useful abstractions - Prepare advise plugin for smart card auth configuration - Resolve: #1461053 allow to modify list of UPNs of a trusted forest - trust-mod: allow modifying list of UPNs of a trusted forest - WebUI: add support for changing trust UPN suffixes- Resolves: #1377973 ipa-server-install fails when the provided or resolved IP address is not found on local interfaces - Only warn when specified server IP addresses don't match intf - Resolves: #1438016 gssapi errors after IPA server upgrade - Bump version of python-gssapi - Resolves: #1457942 certauth: use canonical principal for lookups - ipa-kdb: use canonical principal in certauth plugin - Resolves: #1459153 Do not send Max-Age in ipa_session cookie to avoid breaking older clients - Add code to be able to set default kinit lifetime - Revert setting sessionMaxAge for old clients- Resolves: #1442233 IPA client commands fail when pointing to replica - httpinstance: wait until the service entry is replicated - Resolves: #1456769 ipaAnchorUUID index incorrectly configured and then not indexed - Fix index definition for ipaAnchorUUID - Resolves: #1438016 gssapi errors after IPA server upgrade - Avoid possible endless recursion in RPC call - rpc: preparations for recursion fix - rpc: avoid possible recursion in create_connection - Resolves: #1446087 services entries missing krbCanonicalName attribute. - Changing cert-find to do not use only primary key to search in LDAP. - Resolves: #1452763 ipa certmaprule change not reflected in krb5kdc workers - ipa-kdb: reload certificate mapping rules periodically - Resolves: #1455541 after upgrade login from web ui breaks - kdc.key should not be visible to all - Resolves: #1435606 Add pkinit_indicator option to KDC configuration - ipa-kdb: add pkinit authentication indicator in case of a successful certauth - Resolves: #1455945 Enabling OCSP checks in mod_nss breaks certificate issuance when ipa-ca records are not resolvable - Turn off OCSP check - Resolves: #1454483 rhel73 ipa ui - cannot del server - IPA Error 903 - server_del - TypeError: 'NoneType' object is not iterable - fix incorrect suffix handling in topology checks- Resolves: #1438731 Extend ipa-server-certinstall and ipa-certupdate to handle PKINIT certificates/anchors - certdb: add named trust flag constants - certdb, certs: make trust flags argument mandatory - certdb: use custom object for trust flags - install: trust IPA CA for PKINIT - client install: fix client PKINIT configuration - install: introduce generic Kerberos Augeas lens - server install: fix KDC PKINIT configuration - ipapython.ipautil.run: Add option to set umask before executing command - certs: do not export keys world-readable in install_key_from_p12 - certs: do not export CA certs in install_pem_from_p12 - server install: fix KDC certificate validation in CA-less - replica install: respect --pkinit-cert-file - cacert manage: support PKINIT - server certinstall: support PKINIT - Resolves: #1444432 CA-less pkinit not installable with --pkinit-cert-file option - certs: do not export CA certs in install_pem_from_p12 - server install: fix KDC certificate validation in CA-less - Resolves: #1451228 ipa-kra-install fails when primary KRA server has been decommissioned - ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname - Resolves: #1451712 KRA installation fails on server that was originally installed as CA-less - ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt - Resolves: #1441499 ipa cert-show does not raise error if no file name specified - ca/cert-show: check certificate_out in options - Resolves: #1449522 Deprecate `ipa pkinit-anonymous` command in FreeIPA 4.5+ - Remove pkinit-anonymous command - Resolves: #1449523 Provide an API command to retrieve PKINIT status in the FreeIPA topology - Allow for multivalued server attributes - Refactor the role/attribute member reporting code - Add an attribute reporting client PKINIT-capable servers - Add the list of PKINIT servers as a virtual attribute to global config - Add `pkinit-status` command - test_serverroles: Get rid of MockLDAP and use ldap2 instead - Resolves: #1452216 Replica installation grants HTTP principal access in WebUI - Fix rare race condition with missing ccache file - Resolves: #1455045 Simple service uninstallers must be able to handle missing service files gracefully - only stop/disable simple service if it is installed - Resolves: #1455541 after upgrade login from web ui breaks - krb5: make sure KDC certificate is readable - Resolves: #1455862 "ipa: ERROR: an internal error has occurred" on executing command "ipa cert-request --add" after upgrade - Change python-cryptography to python2-cryptography- Resolves: #1451804 "AttributeError: 'tuple' object has no attribute 'append'" error observed during ipa upgrade with latest package. - ipa-server-install: fix uninstall - Resolves: #1445390 ipa-[ca|kra]-install with invalid DM password break replica - ca install: merge duplicated code for DM password - installutils: add DM password validator - ca, kra install: validate DM password- Resolves: #1447284 Upgrade from ipa-4.1 fails when enabling KDC proxy - python2-ipalib: add missing python dependency - installer service: fix typo in service entry - upgrade: add missing suffix to http instance - Resolves: #1444791 Update man page of ipa-kra-install - ipa-kra-install manpage: document domain-level 1 - Resolves: #1441493 ipa cert-show raises stack traces when --certificate-out=/tmp - cert-show: writable files does not mean dirs - Resolves: #1441192 Add the name of URL parameter which will be check for username during cert login - Bump version of ipa.conf file - Resolves: #1378797 Web UI must check OCSP and CRL during smartcard login - Turn on NSSOCSP check in mod_nss conf - Resolves: #1322963 Errors from AD when trying to sign ipa.csr, conflicting template on - renew agent: respect CA renewal master setting - server upgrade: always fix certmonger tracking request - cainstance: use correct profile for lightweight CA certificates - renew agent: allow reusing existing certs - renew agent: always export CSR on IPA CA certificate renewal - renew agent: get rid of virtual profiles - ipa-cacert-manage: add --external-ca-type - Resolves: #1441593 error adding authenticator indicators to host - Fixing adding authenticator indicators to host - Resolves: #1449525 Set directory ownership in spec file - Added plugins directory to ipaclient subpackages - ipaclient: fix missing RPM ownership - Resolves: #1451279 otptoken-add-yubikey KeyError: 'ipatokenotpdigits' - otptoken-add-yubikey: When --digits not provided use default value- Resolves: #1449189 ipa-kra-install timeouts on replica - ipa-kra-install: fix check_host_keys- Resolves: #1438833 [ipa-replica-install] - 406 Client Error: Failed to validate message: Incorrect number of results (0) searching forpublic key for host - Make sure remote hosts have our keys - Resolves: #1442815 Replica install fails during migration from older IPA master - Refresh Dogtag RestClient.ca_host property - Remove the cachedproperty class - Resolves: #1444787 Update warning message when KRA installation fails - kra install: update installation failure message - Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode - ipa-server-install with external CA: fix pkinit cert issuance - Resolves: #1445397 GET in KerberosSession.finalize_kerberos_acquisition() must use FreeIPA CA - kerberos session: use CA cert with full cert chain for obtaining cookie - Resolves: #1447375 ipa-client-install: extra space in pkinit_anchors definition - ipa-client-install: remove extra space in pkinit_anchors definition - Resolves: #1447703 Fix SELinux contex of http.keytab during upgrade - Use proper SELinux context with http.keytab- Resolves: #1200767 [RFE] Allow Kerberos authentication for users with certificates on smart cards (pkinit) - spec file: bump krb5 Requires for certauth fixes - Resolves: #1438729 Configure local PKINIT on DL0 or when '--no-pkinit' option is used - separate function to set ipaConfigString values on service entry - Allow for configuration of all three PKINIT variants when deploying KDC - API for retrieval of master's PKINIT status and publishing it in LDAP - Use only anonymous PKINIT to fetch armor ccache - Stop requesting anonymous keytab and purge all references of it - Use local anchor when armoring password requests - Upgrade: configure local/full PKINIT depending on the master status - Do not test anonymous PKINIT after install/upgrade - Resolves: #1442427 ipa.ipaserver.install.plugins.adtrust. update_tdo_gidnumber: ERROR Default SMB Group not found - upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is installed - Resolves: #1442932 ipa restore fails to restore IPA user - restore: restart/reload gssproxy after restore - Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode - Fix CA/server cert validation in FIPS - Resolves: #1444947 Deadlock between topology and schema-compat plugins - compat-manage: behave the same for all users - Move the compat plugin setup at the end of install - compat: ignore cn=topology,cn=ipa,cn=etc subtree - Resolves: #1445358 ipa vault-add raises TypeError - vault: piped input for ipa vault-add fails - Resolves: #1445382 ipa vault-retrieve fails to retrieve data from vault - Vault: Explicitly default to 3DES CBC - Resolves: #1445432 uninstall ipa client automount failed with RuntimeWarning - automount install: fix checking of SSSD functionality on uninstall - Resolves: #1446137 pki_client_database_password is shown in ipaserver-install.log - Hide PKI Client database password in log file- Resolves: #1443869 Command "openssl pkcs12 ..." failed during IPA upgrade - Fix CAInstance.import_ra_cert for empty passwords- Resolves: #1431520 ipa cert-find runs a large number of searches, so IPA WebUI is slow to display user details page - cert: defer cert-find result post-processing - Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit helper when installing replica - server-install: No double Kerberos install - Resolves: #1437502 ipa-replica-install fails with requirement to use --force-join that is a client install option. - Add the force-join option to replica install - replicainstall: better client install exception handling - Resolves: #1437953 Server CA-less impossible option check - server-install: remove broken no-pkinit check - Resolves: #1441160 FreeIPA client <= 4.4 fail to parse 4.5 cookies - Add debug log in case cookie retrieval went wrong - Resolves: #1441548 ipa server install fails with --external-ca option - ext. CA: correctly write the cert chain - Resolves: #1441718 Conversion of CA-less server to CA fails on CA instance spawn - Fix CA-less to CA-full upgrade - Resolves: #1442133 Do not link libkrad, liblber, libldap_r and libsss_nss_idmap to every binary in IPA - configure: fix AC_CHECK_LIB usage - Resolves: #1442815 Replica install fails during migration from older IPA master - Fix RA cert import during DL0 replication - Related: #1442004 Building IdM/FreeIPA internally on all architectures - filtering unsupported packages - Build all subpackages on all architectures- Resolves: #1382053 Need to have validation for idrange names - idrange-add: properly handle empty --dom-name option - Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit helper when installing replica - dsinstance: reconnect ldap2 after DS is restarted by certmonger - httpinstance: avoid httpd restart during certificate request - dsinstance, httpinstance: consolidate certificate request code - install: request service certs after host keytab is set up - renew agent: revert to host keytab authentication - renew agent, restart scripts: connect to LDAP after kinit - Resolves: #1436987 ipasam: gidNumber attribute is not created in the trusted domain entry - ipa-sam: create the gidNumber attribute in the trusted domain entry - Upgrade: add gidnumber to trusted domain entry - Resolves: #1438679 [ipa-replica-install] - IncorrectPasswordException: Incorrect client security database password - Add pki_pin only when needed - Resolves: #1438348 Console output message while adding trust should be mapped with texts changed in Samba. - ipaserver/dcerpc: unify error processing - Resolves: #1438366 ipa trust-fetch-domains: ValidationError: invalid 'Credentials': Missing credentials for cross-forest communication - trust: always use oddjobd helper for fetching trust information - Resolves: #1441192 Add the name of URL parameter which will be check for username during cert login - WebUI: cert login: Configure name of parameter used to pass username - Resolves: #1437879 [copr] Replica install failing - Create system users for FreeIPA services during package installation - Resolves: #1441316 WebUI cert auth fails after ipa-adtrust-install - Fix s4u2self with adtrust- Resolves: #1318186 Misleading error message during external-ca IPA master install - httpinstance: make sure NSS database is backed up - Resolves: #1331443 Re-installing ipa-server after uninstall fails with "ERROR CA certificate chain in ... incomplete" - httpinstance: make sure NSS database is backed up - Resolves: #1393726 Enumerate all available request type options in ipa cert-request help - Hide request_type doc string in cert-request help - Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping - spec file: bump libsss_nss_idmap-devel BuildRequires - server: make sure we test for sss_nss_getlistbycert - Resolves: #1437378 ipa-adtrust-install produced an error and failed on starting smb when hostname is not FQDN - adtrust: make sure that runtime hostname result is consistent with the configuration - Resolves: #1437555 ipa-replica-install with DL0 fails to get annonymous keytab - Always check and create anonymous principal during KDC install - Remove duplicate functionality in upgrade - Resolves: #1437946 Upgrade to FreeIPA 4.5.0 does not configure anonymous principal for PKINIT - Upgrade: configure PKINIT after adding anonymous principal - Remove unused variable from failed anonymous PKINIT handling - Split out anonymous PKINIT test to a separate method - Ensure KDC is propery configured after upgrade - Resolves: #1437951 Remove pkinit-related options from server/replica-install on DL0 - Fix the order of cert-files check - Don't allow setting pkinit-related options on DL0 - replica-prepare man: remove pkinit option refs - Remove redundant option check for cert files - Resolves: #1438490 CA-less installation fails on publishing CA certificate - Get correct CA cert nickname in CA-less - Remove publish_ca_cert() method from NSSDatabase - Resolves: #1438838 Avoid arch-specific path in /etc/krb5.conf.d/ipa-certmap - IPA-KDB: use relative path in ipa-certmap config snippet - Resolves: #1439038 Allow erasing ipaDomainResolutionOrder attribute - Allow erasing ipaDomainResolutionOrder attribute- Resolves: #1434032 Run ipa-custodia with custom SELinux context - Require correct custodia version- Resolves: #800545 [RFE] Support SUDO command rename - Reworked the renaming mechanism - Allow renaming of the sudorule objects - Resolves: #872671 IPA WebUI login for AD Trusted User fails - WebUI: check principals in lowercase - WebUI: add method for disabling item in user dropdown menu - WebUI: Add support for login for AD users - Resolves: #1200767 [RFE] Allow Kerberos authentication for users with certificates on smart cards (pkinit) - ipa-kdb: add ipadb_fetch_principals_with_extra_filter() - IPA certauth plugin - ipa-kdb: do not depend on certauth_plugin.h - spec file: bump krb5-devel BuildRequires for certauth - Resolves: #1264370 RFE: disable last successful authentication by default in ipa. - Set "KDC:Disable Last Success" by default - Resolves: #1318186 Misleading error message during external-ca IPA master install - certs: do not implicitly create DS pin.txt - httpinstance: clean up /etc/httpd/alias on uninstall - Resolves: #1331443 Re-installing ipa-server after uninstall fails with "ERROR CA certificate chain in ... incomplete" - certs: do not implicitly create DS pin.txt - httpinstance: clean up /etc/httpd/alias on uninstall - Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication - configure: fix --disable-server with certauth plugin - rpcserver.login_x509: Actually return reply from __call__ method - spec file: Bump requires to make Certificate Login in WebUI work - Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping - extdom: do reverse search for domain separator - extdom: improve cert request - Resolves: #1430363 [RFE] HBAC rule names command rename - Reworked the renaming mechanism - Allow renaming of the HBAC rule objects - Resolves: #1433082 systemctl daemon-reload needs to be called after httpd.service.d/ipa.conf is manipulated - tasks: run `systemctl daemon-reload` after httpd.service.d updates - Resolves: #1434032 Run ipa-custodia with custom SELinux context - Use Custodia 0.3.1 features - Resolves: #1434384 RPC client should use HTTP persistent connection - Use connection keep-alive - Add debug logging for keep-alive - Increase Apache HTTPD's default keep alive timeout - Resolves: #1434729 man ipa-cacert-manage install needs clarification - man ipa-cacert-manage install needs clarification - Resolves: #1434910 replica install against IPA v3 master fails with ACIError - Fixing replica install: fix ldap connection in domlvl 0 - Resolves: #1435394 Ipa-kra-install fails with weird output when backspace is used during typing Directory Manager password - ipapython.ipautil.nolog_replace: Do not replace empty value - Resolves: #1435397 ipa-replica-install can't install replica file produced by ipa-replica-prepare on 4.5 - replica prepare: fix wrong IPA CA nickname in replica file - Resolves: #1435599 WebUI: in self-service Vault menu item is shown even if KRA is not installed - WebUI: Fix showing vault in selfservice view - Resolves: #1435718 As a ID user I cannot call a command with --rights option - ldap2: use LDAP whoami operation to retrieve bind DN for current connection - Resolves: #1436319 "Truncated search results" pop-up appears in user details in WebUI - WebUI: Add support for suppressing warnings - WebUI: suppress truncation warning in select widget - Resolves: #1436333 Uninstall fails with No such file or directory: '/var/run/ipa/services.list' - Create temporaty directories at the begining of uninstall - Resolves: #1436334 WebUI: Adding certificate mapping data using certificate fails - WebUI: Allow to add certs to certmapping with CERT LINES around - Resolves: #1436338 CLI doesn't work after ipa-restore - Backup ipa-specific httpd unit-file - Backup CA cert from kerberos folder - Resolves: #1436342 Bump samba version, required for FIPS mode and privilege separation - Bump samba version for FIPS and priv. separation - Resolves: #1436642 [ipalib/rpc.py] - "maximum recursion depth exceeded" with ipa vault commands - Avoid growing FILE ccaches unnecessarily - Handle failed authentication via cookie - Work around issues fetching session data - Prevent churn on ccaches - Resolves: #1436657 Add workaround for pki_pin for FIPS - Generate PIN for PKI to help Dogtag in FIPS - Resolves: #1436714 [vault] cache KRA transport cert - Simplify KRA transport cert cache - Resolves: #1436723 cert-find does not find all certificates without sizelimit=0 - cert: do not limit internal searches in cert-find - Resolves: #1436724 Renewal of IPA RA fails on replica - dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function - Resolves: #1436753 Master tree fails to install - httpinstance.disable_system_trust: Don't fail if module 'Root Certs' is not available- Resolves: #1432630 python2-jinja2 needed for python2-ipaclient - Remove csrgen - Resolves: #1432903 Set GssProxy options to enable caching of ldap tickets - Add options to allow ticket caching- Resolves: #828866 [RFE] enhance --subject option for ipa-server-install - Resolves: #1160555 ipa-server-install: Cannot handle double hyphen "--" in hostname - Resolves: #1286288 Insufficient 'write' privilege to the 'ipaExternalMember' attribute - Resolves: #1321652 ipa-server-install fails when using external certificates that encapsulate RDN components in double quotes - Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on revocation reasons - Resolves: #1340880 ipa-server-install: improve prompt on interactive installation - Resolves: #1353841 ipa-replica-install fails to install when resolv.conf incomplete entries - Resolves: #1356104 cert-show command does not display Subject Alternative Names - Resolves: #1357511 Traceback message seen when ipa is provided with invalid configuration file name - Resolves: #1358752 ipa-ca-install fails on replica when IPA server is converted from CA-less to CA-full - Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication - Resolves: #1367572 improve error message in ipa migrate-ds: mention ipa config-mod --enable-migration=TRUE - Resolves: #1367868 Add options to retrieve lightweight CA certificate/chain - Resolves: #1371927 Implement ca-enable/disable commands. - Resolves: #1372202 Add Users into User Group editors fails to show Full names - Resolves: #1373091 Adding an auth indicator from the CLI creates an extra check box in the UI - Resolves: #1375596 Ipa-server WebUI - long user/group name show wrong error message - Resolves: #1375905 "Normal" group type in the UI is confusing - Resolves: #1376040 IPA client ipv6 - invalid --ip-address shows traceback - Resolves: #1376630 IDM admin password gets written to /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf - Resolves: #1376729 ipa-server-install script option --no_hbac_allow should match other options - Resolves: #1378461 IPA Allows Password Reuse with History value defined when admin resets the password. - Resolves: #1379029 conncheck failing intermittently during single step replica installs - Resolves: #1379858 [RFE] better debugging for ipa-replica-conncheck - Resolves: #1384310 ipa dnsrecord-add fails with Keyerror stack trace - Resolves: #1392778 Update man page for ipa-adtrust-install by removing --no-msdcs option - Resolves: #1392858 Rebase to FreeIPA 4.5+ - Rebase to 4.5.0 - Resolves: #1399133 Delete option shouldn't be available for hosts applied to view. - Resolves: #1399190 [RFE] Certificates issued by externally signed IdM CA should contain full trust chain - Resolves: #1400416 RFE: Provide option to take backup of IPA server before uninstalling IPA server - Resolves: #1400529 cert-request is not aware of Kerberos principal aliases - Resolves: #1401526 IPA WebUI certificates are grayed out on overview page but not on details page - Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping - Resolves: #1404750 ipa-client-install fails to get CA cert via LDAP when non-FQDN name of IPA server is first in /etc/hosts - Resolves: #1409628 [RFE] Semi-automatic integration with external DNS using nsupdate - Resolves: #1413742 Backport request for bug/issue Change IP address validation errors to warnings - Resolves: #1415652 IPA replica install log shows password in plain text - Resolves: #1427897 different behavior regarding system wide certs in master and replica. - Resolves: #1430314 The ipa-managed-entries command failed, exception: AttributeError: ldap2- Resolves: #1419735 ipa-replica-install fails promotecustodia.create_replica with cert errors (untrusted) - added ssl verification using IPA trust anchor - Resolves: #1428472 batch param compatibility is incorrect - compat: fix `Any` params in `batch` and `dnsrecord` - Renamed patches 1011 and 1012 to 0159 and 0157, as they were merged upstream- Resolves: #1416454 replication race condition prevents IPA to install - wait_for_entry: use only DN as parameter - Wait until HTTPS principal entry is replicated to replica - Use proper logging for error messages- Resolves: #1365858 ipa-ca-install fails on replica when IPA Master is installed without CA - Set up DS TLS on replica in CA-less topology - Resolves: #1398600 IPA replica install fails with dirsrv errors. - Do not configure PKI ajp redirection to use "::1" - Resolves: #1413137 CVE-2017-2590 ipa: Insufficient permission check for ca-del, ca-disable and ca-enable commands - ca: correctly authorise ca-del, ca-enable and ca-disable- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services by abusing password policy - ipa-kdb: search for password policies globally - Renamed patches 1011 and 1012 to 0151 and 0150, as they were merged upstream- Resolves: #1398670 Check IdM Topology for broken record caused by replication conflict before upgrading it - Check for conflict entries before raising domain level- Resolves: #1382812 Creation of replica for disconnected environment is failing with CA issuance errors; Need good steps. - gracefully handle setting replica bind dn group on old masters - Resolves: #1397439 ipa-ca-install on promoted replica hangs on creating a temporary CA admin - replication: ensure bind DN group check interval is set on replica config - add missing attribute to ipaca replica during CA topology update - Resolves: #1401088 IPA upgrade of replica without DNS fails during restart of named-pkcs11 - bindinstance: use data in named.conf to determine configuration status- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services by abusing password policy - password policy: Add explicit default password policy for hosts and services - Resolves: #1395311 CVE-2016-9575 ipa: Insufficient permission check in certprofile-mod - certprofile-mod: correctly authorise config update- Resolves: #1378353 Replica install fails with old IPA master sometimes during replication process - spec file: bump minimal required version of 389-ds-base - Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1 - Fix missing file that fails DL1 replica installation - Resolves: #1387782 WebUI: Services are not displayed correctly after upgrade - WebUI: services without canonical name are shown correctly - Resolves: #1389709 Traceback seen in error_log when trustdomain-del is run - trustdomain-del: fix the way how subdomain is searched- Resolves: #1318616 CA fails to start after doing ipa-ca-install --external-ca - Keep NSS trust flags of existing certificates - Resolves: #1360813 ipa-server-certinstall does not update all certificate stores and doesn't set proper trust permissions - Add cert checks in ipa-server-certinstall - Resolves: #1371479 cert-find --all does not show information about revocation - cert: add revocation reason back to cert-find output - Resolves: #1375133 WinSync users who have First.Last casing creates users who can have their password set - ipa passwd: use correct normalizer for user principals - Resolves: #1377858 Users with 2FA tokens are not able to login to IPA servers - Properly handle LDAP socket closures in ipa-otpd - Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1 - Make httpd publish its CA certificate on DL1- Resolves: #1373910 IPA server upgrade fails with DNS timed out errors. - Resolves: #1375269 ipa trust-fetch-domains throws internal error- Resolves: #1373359 ipa-certupdate fails with "CA is not configured" - Fix regression introduced in ipa-certupdate- Resolves: #1355753 adding two way non transitive(external) trust displays internal error on the console - Always fetch forest info from root DCs when establishing two-way trust - factor out `populate_remote_domain` method into module-level function - Always fetch forest info from root DCs when establishing one-way trust - Resolves: #1356101 Lightweight sub-CA certs are not tracked by certmonger after `ipa-replica-install` - Track lightweight CAs on replica installation - Resolves: #1357488 ipa command stuck forever on higher versioned client with lower versioned server - compat: Save server's API version in for pre-schema servers - compat: Fix ping command call - schema cache: Store and check info for pre-schema servers - Resolves: #1363905 man page for ipa-replica-manage has a typo in -c flag - Fix man page ipa-replica-manage: remove duplicate -c option from --no-lookup - Resolves: #1367865 webui: cert_revoke should use --cacn to set correct CA when revoking certificate - cert: include CA name in cert command output - WebUI add support for sub-CAs while revoking certificates - Resolves: #1368424 Unable to view certificates issued by Sub CA in Web UI - Add support for additional options taken from table facet - WebUI: Fix showing certificates issued by sub-CA - Resolves: #1368557 dnsrecord-add does not prompt for missing record parts internactively - dns: normalize record type read interactively in dnsrecord_add - dns: prompt for missing record parts in CLI - dns: fix crash in interactive mode against old servers - Resolves: #1370519 Certificate revocation in service-del and host-del isn't aware of Sub CAs - cert: fix cert-find --certificate when the cert is not in LDAP - Make host/service cert revocation aware of lightweight CAs - Resolves: #1371901 Use OAEP padding with custodia - Use RSA-OAEP instead of RSA PKCS#1 v1.5 - Resolves: #1371915 When establishing external two-way trust, forest root Administrator account is used to fetch domain info - do not use trusted forest name to construct domain admin principal - Resolves: #1372597 Incorrect CA ACL evaluation of SAN DNS names in certificate request - Fix CA ACL Check on SubjectAltNames - Resolves: #1373272 CLI always sends default command version - cli: use full name when executing a command - Resolves: #1373359 ipa-certupdate fails with "CA is not configured" - Fix ipa-certupdate for CA-less installation - Resolves: #1373540 client-install with IPv6 address fails on link-local address (always) - Fix parse errors with link-local addresses- Resolves: #1081561 CA not start during ipa server install in pure IPv6 env - Fix ipa-server-install in pure IPv6 environment - Resolves: #1318169 Tree-root domains in a trusted AD forest aren't marked as reachable via the forest root - trust: make sure ID range is created for the child domain even if it exists - ipa-kdb: simplify trusted domain parent search - Resolves: #1335567 Update Warning in IdM Web UI API browser - WebUI: add API browser is tech preview warning - Resolves: #1348560 Mulitple domain Active Directory Trust conflict - ipaserver/dcerpc: reformat to make the code closer to pep8 - trust: automatically resolve DNS trust conflicts for triangle trusts - Resolves: #1351593 CVE-2016-5404 ipa: Insufficient privileges check in certificate revocation - cert-revoke: fix permission check bypass (CVE-2016-5404) - Resolves: #1353936 custodia.conf and server.keys file is world-readable. - Remove Custodia server keys from LDAP - Secure permissions of Custodia server.keys - Resolves: #1358752 ipa-ca-install fails on replica when IPA server is converted from CA-less to CA-full - custodia: include known CA certs in the PKCS#12 file for Dogtag - custodia: force reconnect before retrieving CA certs from LDAP - Resolves: #1362333 ipa vault container owner cannot add vault - Fix: container owner should be able to add vault - Resolves: #1365546 External trust with root domain is transitive - trust: make sure external trust topology is correctly rendered - Resolves: #1365572 IPA server broken after upgrade - Require pki-core-10.3.3-7 - Resolves: #1367864 Server assumes latest version of command instead of version 1 for old / 3rd party clients - rpcserver: assume version 1 for unversioned command calls - rpcserver: fix crash in XML-RPC system commands - Resolves: #1367773 thin client ignores locale change - schema cache: Fallback to 'en_us' when locale is not available - Resolves: #1368754 ipa server uninstall fails with Python "Global Name error" - Fail on topology disconnect/last role removal - Resolves: #1368981 ipa otptoken-add --type=hotp --key creates wrong OTP - otptoken, permission: Convert custom type parameters on server - Resolves: #1369414 ipa server-del fails with Python stack trace - Handled empty hostname in server-del command - Resolves: #1369761 ipa-server must depend on a version of httpd that support mod_proxy with UDS - Require httpd 2.4.6-31 with mod_proxy Unix socket support - Resolves: #1370512 Received ACIError instead of DuplicatedError in stageuser_tests - Raise DuplicatedEnrty error when user exists in delete_container - Resolves: #1371479 cert-find --all does not show information about revocation - cert: add missing param values to cert-find output - Renamed patch 1011 to 0100, as it was merged upstream- Resolves: #1298288 [RFE] Improve performance in large environments. - cert: speed up cert-find - Resolves: #1317379 [EXPERIMENTAL][RFE] Web UI: allow Smart Card authentication - service: add flag to allow S4U2Self - Add 'trusted to auth as user' checkbox - Added new authentication method - Resolves: #1353881 ipa-replica-install suggests about non-existent --force-ntpd option - Don't show --force-ntpd option in replica install - Resolves: #1354441 DNS forwarder check is too strict: unable to add sub-domain to already-broken domain - DNS: allow to add forward zone to already broken sub-domain - Resolves: #1356146 performance regression in CLI help - schema: Speed up schema cache - frontend: Change doc, summary, topic and NO_CLI to class properties - schema: Introduce schema cache format - schema: Generate bits for help load them on request - help: Do not create instances to get information about commands and topics - schema cache: Do not reset ServerInfo dirty flag - schema cache: Do not read fingerprint and format from cache - Access data for help separately - frontent: Add summary class property to CommandOverride - schema cache: Read server info only once - schema cache: Store API schema cache in memory - client: Do not create instance just to check isinstance - schema cache: Read schema instead of rewriting it when SchemaUpToDate - Resolves: #1360769 ipa-server-certinstall couldnt unlock private key file - server install: do not prompt for cert file PIN repeatedly - Resolves: #1364113 ipa-password: ipa: ERROR: RuntimeError: Unable to create cache directory: [Errno 13] Permission denied: '/home/test_user' - schema: Speed up schema cache - Resolves: #1366604 `cert-find` crashes on invalid certificate data - cert: do not crash on invalid data in cert-find - Resolves: #1366612 Middle replica uninstallation in line topology works without '--ignore-topology-disconnect' - Fail on topology disconnect/last role removal - Resolves: #1366626 caacl-add-service: incorrect error message when service does not exists - Fix ipa-caalc-add-service error message - Resolves: #1367022 The ipa-server-upgrade command failed when named-pkcs11 does not happen to run during dnf upgrade - DNS server upgrade: do not fail when DNS server did not respond - Resolves: #1367759 [RFE] [webui] warn admin if there is only one IPA server with CA - Add warning about only one existing CA server - Set servers list as default facet in topology facet group - Resolves: #1367773 thin client ignores locale change - schema check: Check current client language against cached one- Resolves: #1361119 UPN-based search for AD users does not match an entry in slapi-nis map cache - support multiple uid values in schema compatibility tree- Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6 - Revert "spec: add conflict with bind-chroot to freeipa-server-dns" - Resolves: #1341249 Subsequent external CA installation fails - install: fix external CA cert validation - Resolves: #1353831 ipa-server-install fails in container because of hostnamectl set-hostname - server-install: Fix --hostname option to always override api.env values - install: Call hostnamectl set-hostname only if --hostname option is used - Resolves: #1356091 ipa-cacert-manage --help and man differ - Improvements for the ipa-cacert-manage man and help - Resolves: #1360631 ipa-backup is not keeping the /etc/tmpfiles.d/dirsrv-.conf - ipa-backup: backup /etc/tmpfiles.d/dirsrv-.conf - Resolves: #1361047 ipa-replica-install --help usage line suggests the replica file is needed - Update ipa-replica-install documentation - Resolves: #1361545 ipa-client-install starts rhel-domainname.service but does not rpm-require it - client: RPM require initscripts to get *-domainname.service - Resolves: #1364197 caacl: error when instantiating rules with service principals - caacl: fix regression in rule instantiation - Resolves: #1364310 ipa otptoken-add bytes object has no attribute confirm - parameters: move the `confirm` kwarg to Param - Resolves: #1364464 Topology graph: ca and domain adders shows question marks instead of plus icon - Fix unicode characters in ca and domain adders - Resolves: #1365083 Incomplete output returned for command ipa vault-add - client: add missing output params to client-side commands - Resolves: #1365526 build fails during "make check" - ipa-kdb: Fix unit test after packaging changes in krb5- Resolves: #1353829 traceback message seen in ipaserver-uninstall.log file. - Do not initialize API in ipa-client-automount uninstall - Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin client changes - idrange: fix unassigned global variable - Resolves: #1360792 Migrating users doesn't update krbCanonicalName - re-set canonical principal name on migrated users - Resolves: #1362012 ipa hbactest produces error about cannot concatenate 'str' and 'bool' objects - Fix ipa hbactest output - Resolves: #1362260 ipa vault-mod no longer allows defining salt - vault: add missing salt option to vault_mod - Resolves: #1362312 ipa vault-retrieve internal error when using the wrong public key - vault: Catch correct exception in decrypt - Resolves: #1362537 ipa-server-install fails to create symlink from /etc/ipa/kdcproxy/ to /etc/httpd/conf.d/ - Correct path to HTTPD's systemd service directory - Resolves: #1363756 Increase length of passwords generated by installer - Increase default length of auto generated passwords- Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos aliases) - harden the check for trust namespace overlap in new principals - Resolves: #1351142 CLI is not using session cookies for communication with IPA API - Fix session cookies - Resolves: #1353888 Fix the help for ipa otp and other topics - help: Add dnsserver commands to help topic 'dns' - Resolves: #1354406 host-del updatedns options complains about missing ptr record for host - Host-del: fix behavior of --updatedns and PTR records - Resolves: #1355718 ipa-replica-manage man page example output differs actual command output - Minor fix in ipa-replica-manage MAN page - Resolves: #1358229 Traceback message should be fixed, seen while editing winsync migrated user information in Default trust view. - baseldap: Fix MidairCollision instantiation during entry modification - Resolves: #1358849 CA replica install logs to wrong log file - unite log file name of ipa-ca-install - Resolves: #1359130 ipa-server-install command fails to install IPA server. - DNS Locations: fix update-system-records unpacking error - Resolves: #1359237 AVC on dirsrv config caused by IPA installer - Use copy when replacing files to keep SELinux context - Resolves: #1359692 ipa-client-install join fail with traceback against RHEL-6.8 ipa-server - compat: fix ping call - Resolves: #1359738 ipa-replica-install --domain= option does not work - replica-install: Fix --domain - Resolves: #1360778 Vault commands are available in CLI even when the server does not support them - Revert "Enable vault-* commands on client" - client: fix hiding of commands which lack server support - Related: #1281704 Rebase to softhsm 2.1.0 - Remove the workaround for softhsm bug #1293340 - Related: #1298288 [RFE] Improve performance in large environments. - Create indexes for krbCanonicalName attribute- Resolves: #1296140 Remove redhat-access-plugin-ipa support - Obsolete and conflict redhat-access-plugin-ipa - Resolves: #1351119 Multiple issues while uninstalling ipa-server - server uninstall fails to remove krb principals - Resolves: #1351758 ipa commands not showing expected error messages - frontend: copy command arguments to output params on client - Show full error message for selinuxusermap-add-hostgroup - Resolves: #1352883 Traceback on adding default automember group and hostgroup set - allow 'value' output param in commands without primary key - Resolves: #1353888 Fix the help for ipa otp and other topics - schema: Fix subtopic -> topic mapping - Resolves: #1354348 ipa trustconfig-show throws internal error. - allow 'value' output param in commands without primary key - Resolves: #1354381 ipa trust-add with raw option gives internal error. - trust-add: handle `--all/--raw` options properly - Resolves: #1354493 Replica install fails with old IPA master - DNS install: Ensure that DNS servers container exists - Resolves: #1354628 ipa hostgroup-add-member does not return error message when adding itself as member - frontend: copy command arguments to output params on client - Resolves: #1355856 ipa otptoken-add --type=totp gives internal error - messages: specify message type for ResultFormattingError - Resolves: #1356063 "ipa radiusproxy-add" command needs to prompt to enter secret key - expose `--secret` option in radiusproxy-* commands - prevent search for RADIUS proxy servers by secret - Resolves: #1356099 Bug in the ipapwd plugin - Heap corruption in ipapwd plugin - Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin client changes - Use server API in com.redhat.idm.trust-fetch-domains oddjob helper - Resolves: #1356964 Renaming a user removes all of his principal aliases - Preserve user principal aliases during rename operation- Resolves: #1274524 [RFE] Qualify up to 60 IdM replicas - Resolves: #1320838 [RFE] Support IdM Client in a DNS domain controlled by AD - Related: #1356134 'kinit -E' does not work for IPA user- Resolves: #1356102 Server uninstall does not stop tracking lightweight sub-CA with certmonger - uninstall: untrack lightweight CA certs - Resolves: #1351807 ipa-nis-manage config.get_dn missing - ipa-nis-manage: Use server API to retrieve plugin status - Resolves: #1353452 ipa-compat-manage command failed, exception: NotImplementedError: config.get_dn() - ipa-compat-manage: use server API to retrieve plugin status - Resolves: #1353899 ipa-advise: object of type 'type' has no len() - ipa-advise: correct handling of plugin namespace iteration - Resolves: #1356134 'kinit -E' does not work for IPA user - kdb: check for local realm in enterprise principals - Resolves: #1353072 ipa unknown command vault-add - Enable vault-* commands on client - vault-add: set the default vault type on the client side if none was given - Resolves: #1353995 Default CA can be used without a CA ACL - caacl: expand plugin documentation - Resolves: #1356144 host-find should not print SSH keys by default, only SSH fingerprints - host-find: do not show SSH key by default - Resolves: #1353506 ipa migrate-ds command fails for IPA in RHEL 7.3 - Removed unused method parameter from migrate-ds- Resolves: #747612 [RFE] IPA should support and manage DNS sites - Resolves: #826790 Disabling password expiration (--maxlife=0 and --minlife=0) in the default global_policy in IPA sets user's password expiration (krbPasswordExpiration) to be 90 days - Resolves: #896699 ipa-replica-manage -H does not delete DNS SRV records - Resolves: #1084018 [RFE] Add IdM user password change support for legacy client compat tree - Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos aliases) - Fix incorrect check for principal type when evaluating CA ACLs - Resolves: #1146860 [RFE] Offer OTP generation for host enrollment in the UI - Resolves: #1238190 ipasam unable to lookup group in directory yet manual search works - Resolves: #1250110 search by users which don't have read rights for all attrs in search_attributes fails - Resolves: #1263764 Show Certificate displays in useless format - Resolves: #1272491 [WebUI] Certificate action dropdown does not display all the options after adding new certificate - Resolves: #1292141 Rebase to FreeIPA 4.4+ - Rebase to 4.4.0 - Resolves: #1294503 IPA fails to issue 3rd party certs - Resolves: #1298242 [RFE] API compatibility - compatibility of clients - Resolves: #1298848 [RFE] Centralized topology management - Resolves: #1298966 [RFE] Extend Smart Card support - Resolves: #1315146 Multiple clients cannot join domain simultaneously: /var/run/httpd/ipa/clientcaches race condition? - Resolves: #1318903 ipa server install failing when SUBCA signs the cert - Resolves: #1319003 ipa-winsync-migrate: Traceback should be fixed with proper console output - Resolves: #1324055 IPA always qualify requests for admin - Resolves: #1328552 [RFE] Allow users to authenticate with alternative names - Resolves: #1334582 Inconsistent UI and CLI options for removing certificate hold - Resolves: #1346321 Exclude o=ipaca subtree from Retro Changelog (syncrepl) - Resolves: #1349281 Fix `Conflicts` with ipa-python - Resolves: #1350695 execution of copy-schema script fails - Resolves: #1351118 upgrade failed for RHEL-7.3 from RHEL-7.2.z - Resolves: #1351153 AVC seen on Replica during ipa-server upgrade test execution to 7.3 - Resolves: #1351276 ipa-server-install with dns cannot resolve itself to create ipa-ca entry - Related: #1343422 [RFE] Add GssapiImpersonate option- Resolves: #1348948 IPA server install fails with build ipa-server-4.4.0-0.el7.1.alpha1 - Revert "Increased mod_wsgi socket-timeout"- Resolves: #712109 "krbExtraData not allowed" is logged in DS error log while setting password for default sudo binddn. - Resolves: #747612 [RFE] IPA should support and manage DNS sites - Resolves: #768316 [RFE] ipa-getkeytab should auto-detect the ipa server name - Resolves: #825391 [RFE] Replica installation should provide a means for inheriting nssldap security access settings - Resolves: #921497 Incorrect *.py[co] files placement - Resolves: #1029640 RHEL7 IPA to add DNA Plugin config for dnaRemote support - Resolves: #1029905 389 DS cache sizes not replicated to IPA replicas - Resolves: #1196958 IPA replica installation failing with high number of users (160000). - Resolves: #1219402 IPA suggests to uninstall a client when the user needs to uninstall a replica - Resolves: #1224057 [RFE] TGS authorization decisions in KDC based on Authentication Indicator - Resolves: #1234222 [WebUI] UI error message is not appropriate for "Kerberos principal expiration" - Resolves: #1234223 [WebUI] General invalid password error message appearing for "Locked user" - Resolves: #1254267 ipa-server-install failure applying ldap updates with limits exceeded - Resolves: #1258626 realmdomains-mod --add-domain command throwing error when doamin already is in forwardzone. - Resolves: #1259020 ipa-server-adtrust-install doesn't allow NetBIOS-name=EXAMPLE-TEST.COM (dash character) - Resolves: #1260993 DNSSEC signing enablement on dnszone should throw error message when DNSSEC master not installed - Resolves: #1262747 dnssec options missing in ipa-dns-install man page - Resolves: #1265900 Fail installation immediately after dirsrv fails to install using ipa-server-install - Resolves: #1265915 idoverrideuser-find fails if any SID anchor is not resolvable anymore - Resolves: #1268027 ipa-dnskeysync-replica crash with backtrace - LimitsExceeded: limits exceeded for this query - Resolves: #1269089 Certificate of managed-by host/service fails to resubmit - Resolves: #1269200 ipa-server crashing while trying to preserve admin user - Resolves: #1271321 Reduce ioblocktimeout and idletimeout defaults - Resolves: #1271579 Automember rule expressions disappear from tables on single expression delete - Resolves: #1275816 Incomplete ports for IPA ad-trust - Resolves: #1276351 [RFE] Remove /usr/share/ipa/updates/50-lockout-policy.update file from IPA releases - Resolves: #1277109 Add tool tips for Revert, Refresh, Undo, and Undo All in the IPA UI - Resolves: #1278426 Better error message needed for invalid ca-signing-algo option - Resolves: #1279932 ipa-client-install --request-cert needs workaround in anaconda chroot - Resolves: #1282521 Creating a user w/o private group fails when doing so in WebUI - Resolves: #1283879 ipa-winsync-migrate: Traceback message should be replaced by "IPA is not configured on this system" - Resolves: #1285071 ipa-kra-install fails on replica looking for admin cert file - Resolves: #1287194 [RFE] Support of UPN for trusted domains - Resolves: #1288967 Normalize Manager entry in ipa user-add - Resolves: #1289487 Priority field missing in Password Policy detail tab - Resolves: #1291140 ipa client should configure kpasswd_server directive in krb5.conf - Resolves: #1292141 Rebase to FreeIPA 4.4+ - Rebase to 4.4.0.alpha1 - Resolves: #1298848 [RFE] Centralized topology management - Resolves: #1300576 Browser setup page includes instructions for Internet Explorer - Resolves: #1301586 ipa host-del --updatedns should remove related dns entries. - Resolves: #1304618 Residual Files After IPA Server Uninstall - Resolves: #1305144 ipa-python does not require its dependencies - Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6 - Resolves: #1313798 Console output post ipa-winsync-migrate command should be corrected. - Resolves: #1314786 [RFE] External Trust with Active Directory domain - Resolves: #1319023 Include description for 'status' option in man page for ipactl command. - Resolves: #1319912 ipa-server-install does not completely change hostname and named-pkcs11 fails - Resolves: #1320891 IPA Error 3009: Validation error: Invalid 'ptrrecord': Reverse zone in-addr.arpa. requires exactly 4 IP address compnents, 5 given - Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on revocation reasons - Resolves: #1328549 "ipa-kra-install" command reports incorrect message when it is executed on server already installed with KRA. - Resolves: #1329209 ipa-nis-manage enable: change service name from 'portmap' to 'rpcbind' - Resolves: #1329275 ipa-nis-manage command should include status option - Resolves: #1330843 'man ipa' should be updated with latest commands - Resolves: #1333755 ipa cert-request causes internal server error while requesting certificate - Resolves: #1337484 EOF is not handled for ipa-client-install command - Resolves: #1338031 Insufficient 'write' privilege on some attributes for the members of the role which has "User Administrators" privilege. - Resolves: #1343142 IPA DNS should do better verification of DNS zones - Resolves: #1347928 Frontpage exposes runtime error with no cookies enabled in browser- Resolves: #1339483 ipa-server-install fails with ERROR pkinit_cert_files - Fix incorrect rebase of patch 1001- Resolves: #1339233 CA installed on replica is always marked as renewal master - Related: #1292141 Rebase to FreeIPA 4.4+ - Rebase to 4.3.1.201605241723GIT1b427d3- Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install because of missing dependencies - Rebuild with krb5-1.14.1- Resolves: #837369 [RFE] Switch to client promotion to replica model - Resolves: #1199516 [RFE] Move replication topology to the shared tree - Resolves: #1206588 [RFE] Visualize FreeIPA server replication topology - Resolves: #1211602 Hide ipa-server-install KDC master password option (-P) - Resolves: #1212713 ipa-csreplica-manage: it could be nice to have also list-ruv / clean-ruv / abort-clean-ruv for o=ipaca backend - Resolves: #1267206 ipa-server-install uninstall should warn if no installation found - Resolves: #1295865 The Domain option is not correctly set in idmapd.conf when ipa-client-automount is executed. - Resolves: #1327092 URI details missing and OCSP-URI details are incorrectly displayed when certificate generated using IPA on RHEL 7.2up2. - Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install because of missing dependencies - Related: #1292141 Rebase to FreeIPA 4.4+ - Rebase to 4.3.1.201605191449GITf8edf37- Resolves: #1277696 IPA certificate auto renewal fail with "Invalid Credential" - cert renewal: make renewal of ipaCert atomic - Resolves: #1278330 installer options are not validated at the beginning of installation - install: fix command line option validation - Resolves: #1282845 sshd_config change on ipa-client-install can prevent sshd from starting up - client install: do not corrupt OpenSSH config with Match sections - Resolves: #1282935 ipa upgrade causes vault internal error - install: export KRA agent PEM file in ipa-kra-install - Resolves: #1283429 Default CA ACL rule is not created during ipa-replica-install - TLS and Dogtag HTTPS request logging improvements - Avoid race condition caused by profile delete and recreate - Do not erroneously reinit NSS in Dogtag interface - Add profiles and default CA ACL on migration - disconnect ldap2 backend after adding default CA ACL profiles - do not disconnect when using existing connection to check default CA ACLs - Resolves: #1283430 ipa-kra-install: fails to apply updates - suppress errors arising from adding existing LDAP entries during KRA install - Resolves: #1283748 Caching of ipaconfig does not work in framework - fix caching in get_ipa_config - Resolves: #1283943 IPA DNS Zone/DNS Forward Zone details missing after upgrade from RHEL 7.0 to RHEL 7.2 - upgrade: fix migration of old dns forward zones - Fix upgrade of forwardzones when zone is in realmdomains - Resolves: #1284413 ipa-cacert-manage renew fails on nonexistent ldap connection - ipa-cacert-renew: Fix connection to ldap. - Resolves: #1284414 ipa-otptoken-import fails on nonexistent ldap connection - ipa-otptoken-import: Fix connection to ldap. - Resolves: #1286635 IPA server upgrade fails from RHEL 7.0 to RHEL 7.2 using "yum update ipa* sssd" - Set minimal required version for openssl - Resolves: #1286781 ipa-nis-manage does not update ldap with all NIS maps - Upgrade: Fix upgrade of NIS Server configuration - Resolves: #1289311 umask setting causes named-pkcs11 issue with directory permissions on /var/lib/ipa/dnssec - DNS: fix file permissions - Explicitly call chmod on newly created directories - Fix: replace mkdir with chmod - Resolves: #1290142 Broken 7.2.0 to 7.2.z upgrade - flawed version comparison - Fix version comparison - use FFI call to rpmvercmp function for version comparison - Resolves: #1292595 In IPA-AD trust environment some secondary IPA based Posix groups are missing - ipa-kdb: map_groups() consider all results - Resolves: #1293870 User should be notified for wrong password in password reset page - Fixed login error message box in LoginScreen page - Resolves: #1296196 Sysrestore did not restore state if a key is specified in mixed case - Allow to used mixed case for sysrestore - Resolves: #1296214 DNSSEC key purging is not handled properly - DNSSEC: Improve error reporting from ipa-ods-exporter - DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP - DNSSEC: Make sure that current key state in LDAP matches key state in BIND - DNSSEC: remove obsolete TODO note - DNSSEC: add debug mode to ldapkeydb.py - DNSSEC: logging improvements in ipa-ods-exporter - DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP - DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP - DNSSEC: ipa-ods-exporter: add ldap-cleanup command - DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal - DNSSEC: Log debug messages at log level DEBUG - Resolves: #1296216 ipa-server-upgrade fails if certmonger is not running - prevent crash of CA-less server upgrade due to absent certmonger - always start certmonger during IPA server configuration upgrade - Resolves: #1297811 The ipa -e skip_version_check=1 still issues incompatibility error when called against RHEL 6 server - ipalib: assume version 2.0 when skip_version_check is enabled - Resolves: #1298289 install fails when locale is "fr_FR.UTF-8" - Do not decode HTTP reason phrase from Dogtag - Resolves: #1300252 shared certificateProfiles container is missing on a freshly installed RHEL7.2 system - upgrade: unconditional import of certificate profiles into LDAP - Resolves: #1301674 --setup-dns and other options is forgotten for using an external PKI - installer: Propagate option values from components instead of copying them. - installer: Fix logic of reading option values from cache. - Resolves: #1301687 issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup - ipa-ca-install: print more specific errors when CA is already installed - cert renewal: import all external CA certs on IPA CA cert renewal - CA install: explicitly set dogtag_version to 10 - fix standalone installation of externally signed CA on IPA master - replica install: validate DS and HTTP server certificates - replica install: improvements in the handling of CA-related IPA config entries - Resolves: #1301901 [RFE] compat tree: show AD members of IPA groups - slapi-nis: update configuration to allow external members of IPA groups - Resolves: #1305533 ipa trust-add succeded but after that ipa trust-find returns "0 trusts matched" - upgrade: fix config of sidgen and extdom plugins - trusts: use ipaNTTrustPartner attribute to detect trust entries - Warn user if trust is broken - fix upgrade: wait for proper DS socket after DS restart - Insure the admin_conn is disconnected on stop - Fix connections to DS during installation - Fix broken trust warnings - Resolves: #1321092 Installers fail when there are multiple versions of the same certificate - certdb: never use the -r option of certutil - Related: #1317381 Crash during IPA upgrade due to slapd - spec file: update minimum required version of slapi-nis - Related: #1322691 CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2113 CVE-2016-2114 CVE-2016-2115 CVE-2016-2118 samba: various flaws [rhel-7.3] - Rebuild against newer Samba version- Resolves: #1252556 Missing CLI param and ACL for vault service operations - vault: fix private service vault creation- Resolves: #1262996 ipa vault internal error on replica without KRA - upgrade: make sure ldap2 is connected in export_kra_agent_pem - Resolves: #1270608 IPA upgrade fails for server with CA cert signed by external CA - schema: do not derive ipaVaultPublicKey from ipaPublicKey- Resolves: #1217009 OTP sync in UI does not work for TOTP tokens - Fix an integer underflow bug in libotp - Resolves: #1262996 ipa vault internal error on replica without KRA - install: always export KRA agent PEM file - vault: select a server with KRA for vault operations - Resolves: #1269777 IPA restore overwrites /etc/passwd and /etc/group files - do not overwrite files with local users/groups when restoring authconfig - Renamed patch 1011 to 0138, as it was merged upstream- Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to Trusts - winsync-migrate: Convert entity names to posix friendly strings - winsync-migrate: Properly handle collisions in the names of external groups - Resolves: #1261074 Adjust Firefox configuration to new extension signing policy - webui: use manual Firefox configuration for Firefox >= 40 - Resolves: #1263337 IPA Restore failed with installed KRA - ipa-backup: Add mechanism to store empty directory structure - Resolves: #1264793 CVE-2015-5284 ipa: ipa-kra-install includes certificate and private key in world readable file [rhel-7.2] - install: fix KRA agent PEM file permissions - Resolves: #1265086 Mark IdM API Browser as experimental - WebUI: add API browser is experimental warning - Resolves: #1265277 Fix kdcproxy user creation - install: create kdcproxy user during server install - platform: add option to create home directory when adding user - install: fix kdcproxy user home directory - Resolves: #1265559 GSS failure after ipa-restore - destroy httpd ccache after stopping the service- Resolves: #1258965 ipa vault: set owner of vault container - baseldap: make subtree deletion optional in LDAPDelete - vault: add vault container commands - vault: set owner to current user on container creation - vault: update access control - vault: add permissions and administrator privilege - install: support KRA update - Resolves: #1261586 ipa config-mod addattr fails for ipauserobjectclasses - config: allow user/host attributes with tagging options - Resolves: #1262315 Unable to establish winsync replication - winsync: Add inetUser objectclass to the passsync sysaccount- Resolves: #1260663 crash of ipa-dnskeysync-replica component during ipa-restore - IPA Restore: allows to specify files that should be removed - Resolves: #1261806 Installing ipa-server package breaks httpd - Handle timeout error in ipa-httpd-kdcproxy - Resolves: #1262322 Failed to backup CS.cfg message in upgrade. - Server Upgrade: backup CS.cfg when dogtag is turned off- Resolves: #1257074 The KRA agent cert is stored in a PEM file that is not tracked - cert renewal: Include KRA users in Dogtag LDAP update - cert renewal: Automatically update KRA agent PEM file - Resolves: #1257163 renaming certificatte profile with --rename option leads to integrity issues - certprofile: remove 'rename' option - Resolves: #1257968 kinit stop working after ipa-restore - Backup: back up the hosts file - Resolves: #1258926 Remove 'DNSSEC is experimental' warnings - DNSSEC: remove "DNSSEC is experimental" warnings - Resolves: #1258929 Uninstallation of IPA leaves extra entry in /etc/hosts - Installer: do not modify /etc/hosts before user agreement - Resolves: #1258944 DNSSEC daemons may deadlock when processing more than 1 zone - DNSSEC: backup and restore opendnssec zone list file - DNSSEC: remove ccache and keytab of ipa-ods-exporter - DNSSEC: prevent ipa-ods-exporter from looping after service auto-restart - DNSSEC: Fix deadlock in ipa-ods-exporter <-> ods-enforcerd interaction - DNSSEC: Fix HSM synchronization in ipa-dnskeysyncd when running on DNSSEC key master - DNSSEC: Fix key metadata export - DNSSEC: Wrap master key using RSA OAEP instead of old PKCS v1.5. - Resolves: #1258964 revert to use ldapi to add kra agent in KRA install - Using LDAPI to setup CA and KRA agents. - Resolves: #1259848 server closes connection and refuses commands after deleting user that is still logged in - ldap: Make ldap2 connection management thread-safe again - Resolves: #1259996 AttributeError: 'NameSpace' object has no attribute 'ra_certprofile' while ipa-ca-install - load RA backend plugins during standalone CA install on CA-less IPA master- Resolves: #1254689 Storing big file as a secret in vault raises traceback - vault: Limit size of data stored in vault - Resolves: #1255880 ipactl status should distinguish between different pki-tomcat services - ipactl: Do not start/stop/restart single service multiple times- Resolves: #1256840 [webui] majority of required fields is no longer marked as required - fix missing information in object metadata - Resolves: #1256842 [webui] no option to choose trust type when creating a trust - webui: add option to establish bidirectional trust - Resolves: #1256853 Clear text passwords in KRA install log - Removed clear text passwords from KRA install log. - Resolves: #1257072 The "Standard Vault" MUST not be the default and must be discouraged - vault: change default vault type to symmetric - Resolves: #1257163 renaming certificatte profile with --rename option leads to integrity issues - certprofile: prevent rename (modrdn)- Resolves: #1249226 IPA dnssec-validation not working for AD dnsforwardzone - DNSSEC: fix forward zone forwarders checks - Resolves: #1250190 idrange is not added for sub domain - trusts: format Kerberos principal properly when fetching trust topology - Resolves: #1252334 User life cycle: missing ability to provision a stage user from a preserved user - Add user-stage command - Resolves: #1252863 After applying RHBA-2015-1554 errata, IPA service fails to start. - spec file: Add Requires(post) on selinux-policy - Resolves: #1254304 Changing vault encryption attributes - Change internal rsa_(public|private)_key variable names - Added support for changing vault encryption. - Resolves: #1256715 Executing user-del --preserve twice removes the user pernamently - improve the usability of `ipa user-del --preserve` command- Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities - user-undel: Fix error messages. - Resolves: #1200694 [RFE] Support for multiple cert profiles - Prohibit deletion of predefined profiles - Resolves: #1232819 testing ipa-restore on fresh system install fails - Backup/resore authentication control configuration - Resolves: #1243331 pkispawn fails when migrating to 4.2 server from 3.0 server - Require Dogtag PKI >= 10.2.6 - Resolves: #1245225 Asymmetric vault drops traceback when the key is not proper - Asymmetric vault: validate public key in client - Resolves: #1248399 Missing DNSSEC related files in backup - fix typo in BasePathNamespace member pointing to ods exporter config - ipa-backup: archive DNSSEC zone file and kasp.db - Resolves: #1248405 PassSync should be disabled after ipa-winsync-migrate is finished - winsync-migrate: Add warning about passsync - winsync-migrate: Expand the man page - Resolves: #1248524 User can't find any hosts using "ipa host-find $HOSTNAME" - adjust search so that it works for non-admin users - Resolves: #1250093 ipa certprofile-import accepts invalid config - Require Dogtag PKI >= 10.2.6 - Resolves: #1250107 IPA framework should not allow modifying trust on AD trust agents - trusts: Detect missing Samba instance - Resolves: #1250111 User lifecycle - preserved users can be assigned membership - ULC: Prevent preserved users from being assigned membership - Resolves: #1250145 Add permission for user to bypass caacl enforcement - Add permission for bypassing CA ACL enforcement - Resolves: #1250190 idrange is not added for sub domain - idranges: raise an error when local IPA ID range is being modified - trusts: harden trust-fetch-domains oddjobd-based script - Resolves: #1250928 Man page for ipa-server-install is out of sync - install: Fix server and replica install options - Resolves: #1251225 IPA default CAACL does not allow cert-request for services after upgrade - Fix default CA ACL added during upgrade - Resolves: #1251561 ipa vault-add Unknown option: ipavaultpublickey - validate mutually exclusive options in vault-add - Resolves: #1251579 ipa vault-add --user should set container owner equal to user on first run - Fixed vault container ownership. - Resolves: #1252517 cert-request rejects request with correct krb5PrincipalName SAN - Fix KRB5PrincipalName / UPN SAN comparison - Resolves: #1252555 ipa vault-find doesn't work for services - vault: Add container information to vault command results - Add flag to list all service and user vaults - Resolves: #1252556 Missing CLI param and ACL for vault service operations - Added CLI param and ACL for vault service operations. - Resolves: #1252557 certprofile: improve profile format documentation - certprofile-import: improve profile format documentation - certprofile: add profile format explanation - Resolves: #1253443 ipa vault-add creates vault with invalid type - vault: validate vault type - Resolves: #1253480 ipa vault-add-owner does not fail when adding an existing owner - baseldap: Allow overriding member param label in LDAPModMember - vault: Fix param labels in output of vault owner commands - Resolves: #1253511 ipa vault-find does not use criteria - vault: Fix vault-find with criteria - Resolves: #1254038 ipa-replica-install pk12util error returns exit status 10 - install: Fix replica install with custom certificates - Resolves: #1254262 ipa-dnskeysync-replica crash cannot contact kdc - improve the handling of krb5-related errors in dnssec daemons - Resolves: #1254412 when dirsrv is off ,upgrade from 7.1 to 7.2 fails with starting CA and named-pkcs11.service - Server Upgrade: Start DS before CA is started. - Resolves: #1254637 Add ACI and permission for managing user userCertificate attribute - add permission: System: Manage User Certificates - Resolves: #1254641 Remove CSR allowed-extensions restriction - cert-request: remove allowed extensions check - Resolves: #1254693 vault --service does not normalize service principal - vault: normalize service principal in service vault operations - Resolves: #1254785 ipa-client-install does not properly handle dual stacked hosts - client: Add support for multiple IP addresses during installation. - Add dependency to SSSD 1.13.1 - client: Add description of --ip-address and --all-ip-addresses to man page- Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to users in IdM - store certificates issued for user entries as - user-show: add --out option to save certificates to file - Resolves: #1145748 [RFE] IPA running with One Way Trust - Fix upgrade of sidgen and extdom plugins - Resolves: #1195339 ipa-client-install changes the label on various files which causes SELinux denials - Use 'mv -Z' in specfile to restore SELinux context - Resolves: #1198796 Text in UI should describe differing LDAP vs Krb behavior for combinations of "User authentication types" - webui: add LDAP vs Kerberos behavior description to user auth - Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities - ULC: Fix stageused-add --from-delete command - Resolves: #1200694 [RFE] Support for multiple cert profiles - certprofile-import: do not require profileId in profile data - Give more info on virtual command access denial - Allow SAN extension for cert-request self-service - Add profile for DNP3 / IEC 62351-8 certificates - Work around python-nss bug on unrecognised OIDs - Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality - Validate vault's file parameters - Fixed missing KRA agent cert on replica. - Resolves: #1225866 display browser config options that apply to the browser. - webui: add Kerberos configuration instructions for Chrome - Remove ico files from Makefile - Resolves: #1246342 Unapply idview raises internal error - idviews: Check for the Default Trust View only if applying the view - Resolves: #1248102 [webui] regression - incorrect/no failed auth messages - webui: fix regressions failed auth messages - Resolves: #1248396 Internal error in DomainValidator.__search_in_dc - dcerpc: Fix UnboundLocalError for ccache_name - Resolves: #1249455 ipa trust-add failed CIFS server configuration does not allow access to \\pipe\lsarpc - Fix selector of protocol for LSA RPC binding string - dcerpc: Simplify generation of LSA-RPC binding strings - Resolves: #1250192 Error in ipa trust-fecth-domains - Fix incorrect type comparison in trust-fetch-domains - Resolves: #1251553 Winsync setup fails with unexpected error - replication: Fix incorrect exception invocation - Resolves: #1251854 ipa aci plugin is not parsing aci's correctly. - ACI plugin: correctly parse bind rules enclosed in - Resolves: #1252414 Trust agent install does not detect available replicas to add to master - adtrust-install: Correctly determine 4.2 FreeIPA servers- Resolves: #1170770 [AD TRUST]IPA should detect inconsistent realm domains that conflicts with AD DC - trusts: Check for AD root domain among our trusted domains - Resolves: #1195339 ipa-client-install changes the label on various files which causes SELinux denials - sysrestore: copy files instead of moving them to avoind SELinux issues - Resolves: #1196656 [ipa-client][rhel71] enable debugging for spawned commands / ntpd -qgc $tmpfile hangs - enable debugging of ntpd during client installation - Resolves: #1205264 Migration UI Does Not Work When Anonymous Bind is Disabled - migration: Use api.env variables. - Resolves: #1212719 abort-clean-ruv subcommand should allow replica-certifyall: no - Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommand - Resolves: #1216935 ipa trust-add shows ipa: ERROR: an internal error has occurred - dcerpc: Expand explanation for WERR_ACCESS_DENIED - dcerpc: Fix UnboundLocalError for ccache_name - Resolves: #1222778 idoverride group-del can delete user and user-del can delete group - dcerpc: Add get_trusted_domain_object_type method - idviews: Restrict anchor to name and name to anchor conversions - idviews: Enforce objectclass check in idoverride*-del - Resolves: #1234919 Be able to request certificates without certmonger service running - cermonger: Use private unix socket when DBus SystemBus is not available. - ipa-client-install: Do not (re)start certmonger and DBus daemons. - Resolves: #1240939 Please add dependency on bind-pkcs11 - Create server-dns sub-package. - ipaplatform: Add constants submodule - DNS: check if DNS package is installed - Resolves: #1242914 Bump minimal selinux-policy and add booleans to allow calling out oddjobd-activated services - selinux: enable httpd_run_ipa to allow communicating with oddjobd services - Resolves: #1243261 non-admin users cannot search hbac rules - fix hbac rule search for non-admin users - fix selinuxusermap search for non-admin users - Resolves: #1243652 Client has missing dependency on memcache - do not import memcache on client - Resolves: #1243835 [webui] user change password dialog does not work - webui: fix user reset password dialog - Resolves: #1244802 spec: selinux denial during kdcproxy user creation - Fix selinux denial during kdcproxy user creation - Resolves: #1246132 trust-fetch-domains: Do not chown keytab to the sssd user - oddjob: avoid chown keytab to sssd if sssd user does not exist - Resolves: #1246136 Adding a privilege to a permission avoids validation - Validate adding privilege to a permission - Resolves: #1246141 DNS Administrators cannot search in zones - DNS: Consolidate DNS RR types in API and schema - Resolves: #1246143 User plugin - user-find doesn't work properly with manager option - fix broken search for users by their manager- Resolves: #1131907 [ipa-client-install] cannot write certificate file '/etc/ipa/ca.crt.new': must be string or buffer, not None - Resolves: #1195775 unsaved changes dialog internally inconsistent - Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities - Stageusedr-activate: show username instead of DN - Resolves: #1200694 [RFE] Support for multiple cert profiles - Prevent to rename certprofile profile id - Resolves: #1222047 IPA to AD Trust: IPA ERROR 4016: Remote Retrieve Error - Resolves: #1224769 copy-schema-to-ca.py does not overwrites schema files - copy-schema-to-ca: allow to overwrite schema files - Resolves: #1241941 kdc component installation of IPA failed - spec file: Update minimum required version of krb5 - Resolves: #1242036 Replica install fails to update DNS records - Fix DNS records installation for replicas - Resolves: #1242884 Upgrade to 4.2.0 fails when enabling kdc proxy - Start dirsrv for kdcproxy upgrade- Resolves: #846033 [RFE] Documentation for JSONRPC IPA API - Resolves: #989091 Ability to manage IdM/IPA directly from a standard LDAP client - Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to users in IdM - Resolves: #1115294 [RFE] Add support for DNSSEC - Resolves: #1145748 [RFE] IPA running with One Way Trust - Resolves: #1199520 [RFE] Introduce single upgrade tool - ipa-server-upgrade - Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities - Resolves: #1200694 [RFE] Support for multiple cert profiles - Resolves: #1200728 [RFE] Replicate PKI Profile information - Resolves: #1200735 [RFE] Allow issuing certificates for user accounts - Resolves: #1204054 SSSD database is not cleared between installs and uninstalls of ipa - Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to Trusts - Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality - Resolves: #1204504 [RFE] Add access control so hosts can create their own services - Resolves: #1206534 [RFE] Offer Kerberos over HTTP (kdcproxy) by default - Resolves: #1206613 [RFE] Configure IPA to be a trust agent by default - Resolves: #1209476 package ipa-client does not require package dbus-python - Resolves: #1211589 [RFE] Add option to skip the verify_client_version - Resolves: #1211608 [RFE] Generic support for unknown DNS RR types (RFC 3597) - Resolves: #1215735 ipa-replica-prepare automatically adds a DNS zone - Resolves: #1217010 OTP Manager field is not exposed in the UI - Resolves: #1222475 krb5kdc : segfault at 0 ip 00007fa9f64d82bb sp 00007fffd68b2340 error 6 in libc-2.17.so - Related: #1204809 Rebase ipa to 4.2 - Update to upstream 4.2.0 - Move /etc/ipa/kdcproxy to the server subpackage- Resolves: #1228671 pkispawn fails in ipa-ca-install and ipa-kra-install - Related: #1204809 Rebase ipa to 4.2 - Fix minimum version of slapi-nis - Require python-sss and python-sss-murmur (provided by sssd-1.13.0)- Resolves: #805188 [RFE] "ipa migrate-ds" ldapsearches with scope=1 - Resolves: #1019272 With 20000+ users, adding a user to a group intermittently throws Internal server error - Resolves: #1035494 Unable to add Kerberos principal via kadmin.local - Resolves: #1045153 ipa-managed-entries --list -p still requires DM password - Resolves: #1125950 ipa-server-install --uinstall doesn't remove port 7389 from ldap_port_t - Resolves: #1132540 [RFE] Expose service delegation rules in UI and CLI - Resolves: #1145584 ipaserver/install/cainstance.py creates pkiuser not matching uidgid - Resolves: #1176036 IDM client registration failure in a high load environment - Resolves: #1183116 Remove Requires: subscription-manager - Resolves: #1186054 permission-add does not prompt to enter --right option in interactive mode - Resolves: #1187524 Replication agreement with replica not disabled when ipa-restore done without IPA installed - Resolves: #1188195 Fax number not displayed for user-show when kinit'ed as normal user. - Resolves: #1189034 "an internal error has occurred" during ipa host-del --updatedns - Resolves: #1193554 ipa-client-automount: failing with error LDAP server returned UNWILLING_TO_PERFORM. This likely means that minssf is enabled. - Resolves: #1193759 IPA extdom plugin fails when encountering large groups - Resolves: #1194312 [ipa-python] ipalib.errors.LDAPError: failed to decode certificate: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. - Resolves: #1194633 Default trust view can be deleted in lower case - Resolves: #1196455 ipa-server-install step [8/27]: starting certificate server instance - confusing CA staus message on TLS error - Resolves: #1198263 Limit deadlocks between DS plugin DNA and slapi-nis - Resolves: #1199527 [RFE] Use datepicker component for datetime fields - Resolves: #1200867 [RFE] Make OTP validation window configurable - Resolves: #1200883 [RFE] Switch apache to use mod_auth_gssapi - Resolves: #1202998 CVE-2015-1827 ipa: memory corruption when using get_user_grouplist() [rhel-7.2] - Resolves: #1204637 slow group operations - Resolves: #1204642 migrate-ds: slow add o users to default group - Resolves: #1208461 IPA CA master server update stuck on checking getStatus via https - Resolves: #1211602 Hide ipa-server-install KDC master password option (-P) - Resolves: #1211708 ipa-client-install gets stuck during NTP sync - Resolves: #1215197 ipa-client-install ignores --ntp-server option during time sync - Resolves: #1215200 ipa-client-install configures IPA server as NTP source even if IPA server has not ntpd configured - Resolves: #1217009 OTP sync in UI does not work for TOTP tokens - Related: #1204809 Rebase ipa to 4.2 - Update to upstream 4.2.0.alpha1- [ipa-python] ipalib.errors.LDAPError: failed to decode certificate: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. (#1194312)- IPA extdom plugin fails when encountering large groups (#1193759) - CVE-2015-0283 ipa: slapi-nis: infinite loop in getgrnam_r() and getgrgid_r() (#1202998)- "an internal error has occurred" during ipa host-del --updatedns (#1198431) - Renamed patch 1013 to 0114, as it was merged upstream - Fax number not displayed for user-show when kinit'ed as normal user. (#1198430) - Replication agreement with replica not disabled when ipa-restore done without IPA installed (#1199060) - Limit deadlocks between DS plugin DNA and slapi-nis (#1199128)- Fix ipa-pwd-extop global configuration caching (#1187342) - group-detach does not add correct objectclasses (#1187540)- Wrong directories created on full restore (#1186398) - ipa-restore crashes if replica is unreachable (#1186396) - idoverrideuser-add option --sshpubkey does not work (#1185410)- PassSync does not sync passwords due to missing ACIs (#1181093) - ipa-replica-manage list does not list synced domain (#1181010) - Do not assume certmonger is running in httpinstance (#1181767) - ipa-replica-manage disconnect fails without password (#1183279) - Put LDIF files to their original location in ipa-restore (#1175277) - DUA profile not available anonymously (#1184149) - IPA replica missing data after master upgraded (#1176995)- Re-add accidentally removed patches for #1170695 and #1164896- IPA Replicate creation fails with error "Update failed! Status: [10 Total update abortedLDAP error: Referral]" (#1166265) - running ipa-server-install --setup-dns results in a crash (#1072502) - DNS zones are not migrated into forward zones if 4.0+ replica is added (#1175384) - gid is overridden by uid in default trust view (#1168904) - When migrating warn user if compat is enabled (#1177133) - Clean up debug log for trust-add (#1168376) - No error message thrown on restore(full kind) on replica from full backup taken on master (#1175287) - ipa-restore proceed even IPA not configured (#1175326) - Data replication not working as expected after data restore from full backup (#1175277) - IPA externally signed CA cert expiration warning missing from log (#1178128) - ipa-upgradeconfig fails in CA-less installs (#1181767) - IPA certs fail to autorenew simultaneouly (#1173207) - More validation required on ipa-restore's options (#1176034)- Expand the token auth/sync windows (#919228) - Access is not rejected for disabled domain (#1172598) - krb5kdc crash in ldap_pvt_search (#1170695) - RHEL7.1 IPA server httpd avc denials after upgrade (#1164896)- RHEL7.1 ipa-cacert-manage renewed certificate from MS ADCS not compatible (#1169591) - CLI doesn't show SSHFP records with SHA256 added via nsupdate (regression) (#1172578)- Throw zonemgr error message before installation proceeds (#1163849) - Winsync: Setup is broken due to incorrect import of certificate (#1169867) - Enable last token deletion when password auth type is configured (#919228) - ipa-otp-lasttoken loads all user's tokens on every mod/del (#1166641) - add --hosts and --hostgroup options to allow/retrieve keytab methods (#1007367) - Extend host-show to add the view attribute in set of default attributes (#1168916) - Prefer TCP connections to UDP in krb5 clients (#919228) - [WebUI] Not able to unprovisioning service in IPA 4.1 (#1168214) - webui: increase notification duration (#1171089) - RHEL7.1 ipa automatic CA cert renewal stuck in submitting state (#1166931) - RHEL7.1 ipa-cacert-manage cannot change external to self-signed ca cert (#1170003) - Improve validation of --instance and --backend options in ipa-restore (#951581) - RHEL7.1 ipa replica unable to replicate to rhel6 master (#1167964) - Disable TLS 1.2 in nss.conf until mod_nss supports it (#1156466)- Use NSS protocol range API to set available TLS protocols (#1156466)- schema update on RHEL-6.6 using latest copy-schema-to-ca.py from RHEL-7.1 build fails (#1167196) - Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756) - "ipa trust-add ... " cmd says : (Trust status: Established and verified) while in the logs we see "WERR_ACCESS_DENIED" during verification step. (#1144121) - POODLE: force using safe ciphers (non-SSLv3) in IPA client and server (#1156466) - Add support/hooks for a one-time password system like SecureID in IPA (#919228) - Tracebacks with latest build for --zonemgr cli option (#1167270) - ID Views: Support migration from the sync solution to the trust solution (#891984)- Improve otptoken help messages (#919228) - Ensure users exist when assigning tokens to them (#919228) - Enable QR code display by default in otptoken-add (#919228) - Show warning instead of error if CA did not start (#1158410) - CVE-2014-7850 freeipa: XSS flaw can be used to escalate privileges (#1165774) - Traceback when adding zone with long name (#1164859) - Backup & Restore mechanism (#951581) - ignoring user attributes in migrate-ds does not work if uppercase characters are returned by ldap (#1159816) - Allow ipa-getkeytab to optionally fetch existing keys (#1007367) - Failure when installing on dual stacked system with external ca (#1128380) - ipa-server should keep backup of CS.cfg (#1059135) - Tracebacks with latest build for --zonemgr cli option (#1167270) - webui: use domain name instead of domain SID in idrange adder dialog (#891984) - webui: normalize idview tab labels (#891984)- ipa-csreplica-manage connect fails (#1157735) - error message which is not understandable when IDNA2003 characters are present in --zonemgr (#1163849) - Fix warning message should not contain CLI commands (#1114013) - Renewing the CA signing certificate does not extend its validity period end (#1163498) - RHEL7.1 ipa-server-install --uninstall Could not set SELinux booleans for httpd (#1159330)- Fix: DNS installer adds invalid zonemgr email (#1056202) - ipaplatform: Use the dirsrv service, not target (#951581) - Fix: DNS policy upgrade raises asertion error (#1161128) - Fix upgrade referint plugin (#1161128) - Upgrade: fix trusts objectclass violationi (#1161128) - group-add doesn't accept gid parameter (#1149124)- Update slapi-nis dependency to pull 0.54-2 (#891984) - ipa-restore: Don't crash if AD trust is not installed (#951581) - Prohibit setting --rid-base for ranges of ipa-trust-ad-posix type (#1138791) - Trust setting not restored for CA cert with ipa-restore command (#1159011) - ipa-server-install fails when restarting named (#1162340)- Update Requires on pki-ca to 10.1.2-4 (#1129558) - build: increase java stack size for all arches - Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides (#891984) - Fix dns zonemgr validation regression (#1056202) - Handle profile changes in dogtag-ipa-ca-renew-agent (#886645) - Do not wait for new CA certificate to appear in LDAP in ipa-certupdate (#886645) - Add bind-dyndb-ldap working dir to IPA specfile - Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage (#886645) - Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756) - Deadlock in schema compat plugin (#1161131) - ipactl stop should stop dirsrv last (#1161129) - Upgrade 3.3.5 to 4.1 failed (#1161128) - CVE-2014-7828 freeipa: password not required when OTP in use (#1160877)- Do not check if port 8443 is available in step 2 of external CA install (#1129481)- Update Requires on selinux-policy to 3.13.1-4- Update to upstream 4.1.0 (#1109726)- Update to upstream 4.1.0 Alpha 1 (#1109726)- Add redhat-access-plugin-ipa dependency- Re-enable otptoken_yubikey plugin- Update to upstream 4.0.3 (#1109726)- Server installation fails using external signed certificates with "IndexError: list index out of range" (#1111320) - Add rhino to BuildRequires to fix Web UI build error- ipa-client-automount fails with incompatibility error when installed against older IPA server (#1083108)- Proxy PKI URI /ca/ee/ca/profileSubmit to enable replication with future PKI versions (#1080865)- When IdM server trusts multiple AD forests, IPA client returns invalid group membership info (#1079498)- Deletion of active subdomain range should not be allowed (#1075615)- PKI database is ugraded during replica installation (#1075118)- Unable to add trust successfully with --trust-secret (#1075704)- ipa-replica-install never checks for 7389 port (#1075165) - Non-terminated string may be passed to LDAP search (#1075091) - ipa-sam may fail to translate group SID into GID (#1073829) - Excessive LDAP calls by ipa-sam during Samba FS operations (#1075132)- Do not fetch a principal two times, remove potential memory leak (#1070924)- trustdomain-find with pkey-only fails (#1068611) - Invalid credential cache in trust-add (#1069182) - ipa-replica-install prints unexpected error (#1069722) - Too big font in input fields in details facet in Firefox (#1069720) - trust-add for POSIX AD does not fetch trustdomains (#1070925) - Misleading trust-add error message in some cases (#1070926) - Access is not rejected for disabled domain (#1070924)- Remove ipa-backup and ipa-restore functionality from RHEL (#1003933)- Display server name in ipa command's verbose mode (#1061703) - Remove sourcehostcategory from default HBAC rule (#1061187) - dnszone-add cannot add classless PTR zones (#1058688) - Move ipa-otpd socket directory to /var/run/krb5kdc (#1063850)- Lockout plugin crashed during ipa-server-install (#912725)- Fallback to global policy in ipa lockout plugin (#912725) - Migration does not add users to default group (#903232)- Mass rebuild 2014-01-24- Fix NetBIOS name generation in CLDAP plugin (#1030517)- Do not add krbPwdPolicyReference for new accounts, hardcode it (#1045218) - Increase default timeout for IPA services (#1033273) - Error while running trustdomain-find (#1054376) - group-show lists SID instead of name for external groups (#1054391) - Fix IPA server NetBIOS name in samba configuration (#1030517) - dnsrecord-mod produces missing API version warning (#1054869) - Hide trust-resolve command as internal (#1052860) - Add Trust domain Web UI (#1054870) - ipasam cannot delete multiple child trusted domains (#1056120)- Missing objectclasses when empty password passed to host-add (#1052979) - sudoOrder missing in sudoers (#1052983) - Missing examples in sudorule help (#1049464) - Client automount does not uninstall when fstore is empty (#910899) - Error not clear for invalid realm given to trust-fetch-domains (#1052981) - trust-fetch-domains does not add idrange for subdomains found (#1049926) - Add option to show if an AD subdomain is enabled/disabled (#1052973) - ipa-adtrust-install still failed with long NetBIOS names (#1030517) - Error not clear for invalid relam given to trustdomain-find (#1049455) - renewed client cert not recognized during IPA CA renewal (#1033273)- hbactest does not work for external users (#848531)- PKI service restart after CA renewal failed (#1040018)- Move ipa-tests package to separate srpm (#1032668)- Fix status trust-add command status message (#910453) - NetBIOS was not trimmed at 15 characters (#1030517) - Harden CA subsystem certificate renewal on CA clones (#1040018)- Mass rebuild 2013-12-27- Remove "Listen 443 http" hack from deployed nss.conf (#1029046) - Re-adding existing trust fails (#1033216) - IPA uninstall exits with a samba error (#1033075) - Added RELRO hardening on /usr/libexec/ipa-otpd (#1026260) - Fixed ownership of /usr/share/ipa/ui/js (#1026260) - ipa-tests: support external names for hosts (#1032668) - ipa-client-install fail due fail to obtain host TGT (#1029354)- Trust add tries to add same value of --base-id for sub domain, causing an error (#1033068) - Improved error reporting for adding trust case (#1029856)- Winsync agreement cannot be created (#1023085)- Installer did not detect different server and IPA domain (#1026845) - Allow kernel keyring CCACHE when supported (#1026861)- ipa-server-install crashes when AD subpackage is not installed (#1026434)- Update to upstream 3.3.3 (#991064)- Temporarily move ipa-backup and ipa-restore functionality back to make them available in public Beta (#1003933)- Server install failure during client enrollment shouldn't roll back (#1023086) - nsds5ReplicaStripAttrs are not set on agreements (#1023085) - ipa-server conflicts with mod_ssl (#1018172)- Reinstalling ipa server hangs when configuring certificate server (#1018804)- Deprecate --serial-autoincrement option (#1016645) - CA installation always failed on replica (#1005446) - Re-initializing a winsync connection exited with error (#994980)- Update to upstream 3.3.2 (#991064) - Add delegation info to MS-PAC (#915799) - Warn about incompatibility with AD when IPA realm and domain differs (#1009044) - Allow PKCS#12 files with empty password in install tools (#1002639) - Privilege "SELinux User Map Administrators" did not list permissions (#997085) - SSH key upload broken when client joins an older server (#1009024)- Remove dependency on python-paramiko (#1002884) - Broken redirection when deleting last entry of DNS resource record (#1006360)- Remove ipa-backup and ipa-restore functionality from RHEL (#1003933)- Replica installation fails for RHEL 6.4 master (#1004680) - Server uninstallation crashes if DS is not available (#998069)- Unable to remove replica by ipa-replica-manage (#1001662) - Before uninstalling a server, warn about active replicas (#998069)- Update to upstream 3.3.1 (#991064) - Update minimum version of bind-dyndb-ldap to 3.5- Fix replica installation failing on certificate subject (#983075)- Allow ipa-tests to work with older version (1.7.7) of python-paramiko- Prevent multilib failures in *.pyo and *.pyc files- ipa-server-install fails if --subject parameter is other than default realm (#983075) - do not allow configuring bind-dyndb-ldap without persistent search (#967876)- diffstat was missing as a build dependency causing multilib problems- Remove ipa-server-selinux obsoletes as upgrades from version prior to 3.3.0 are not allowed - Wrap server-trust-ad subpackage description better - Add (noreplace) flag for %{_sysconfdir}/tmpfiles.d/ipa.conf - Change permissions on default_encoding_utf8.so to fix ipa-python Provides- Update to upstream 3.3.0 (#991064)- Require slapi-nis 0.47.7 delivering a core feature of 3.3.0 release- Update to upstream 3.3.0 Beta 2 (#991064)- Update to upstream 3.2.2 - Drop ipa-server-selinux subpackage - Drop redundant directory /var/cache/ipa/sessions - Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost - Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency issues when there are still old parts of software (like entitlements plugin)- Update to upstream 3.2.1 - Drop dogtag-pki-server-theme requires, it won't be build for RHEL-7.0- Add OTP patches - Add patch to set KRB5CCNAME for 389-ds-base- Update to upstream 3.2.0 GA - ipa-client-install fails if /etc/ipa does not exist (#961483) - Certificate status is not visible in Service and Host page (#956718) - ipa-client-install removes needed options from ldap.conf (#953991) - Handle socket.gethostbyaddr() exceptions when verifying hostnames (#953957) - Add triggerin scriptlet to support OpenSSH 6.2 (#953617) - Require nss 3.14.3-12.0 to address certutil certificate import errors (#953485) - Require pki-ca 10.0.2-3 to pull in fix for sslget and mixed IPv4/6 environments. (#953464) - ipa-client-install removes 'sss' from /etc/nsswitch.conf (#953453) - ipa-server-install --uninstall doesn't stop dirsrv instances (#953432) - Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON behavior for socket based connections (#960222) - Require libsss_nss_idmap-python - Add Conflicts on nss-pam-ldapd < 0.8.4. The mapping from uniqueMember to member is now done automatically and having it in the config file raises an error. - Add backup and restore tools, directory. - require at least systemd 38 which provides the journal (we no longer need to require syslog.target) - Update Requires on policycoreutils to 2.1.14-37 - Update Requires on selinux-policy to 3.12.1-42 - Update Requires on 389-ds-base to 1.3.1.0 - Remove a Requires for java-atk-wrapper- Remove release from krb5-server in strict sub-package to allow for rebuilds.- Add a Requires for java-atk-wrapper until we can determine which package should be pulling it in, dogtag or tomcat.- Update to upstream 3.2.0 Beta 1- Update to upstream 3.2.0 Prerelease 1 - Use upstream reference spec file as a base for Fedora spec file- Rebuild for broken deps - Fix 389-ds-base strict dep to be 1.3.0.5 and krb5-server 1.11.1- Rebuild for broken deps in rawhide - Fix 389-ds-base strict dep to be 1.3.0.3- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild- Update to upstream 3.1.2 - CVE-2012-4546: Incorrect CRLs publishing - CVE-2012-5484: MITM Attack during Join process - CVE-2013-0199: Cross-Realm Trust key leak - Updated strict dependencies to 389-ds-base = 1.3.0.2 and pki-ca = 10.0.1- Remove redundat Requires versions that are already in Fedora 17 - Replace python-crypto Requires with m2crypto - Add missing Requires(post) for client and server-trust-ad subpackages - Restart httpd service when server-trust-ad subpackage is installed - Bump selinux-policy Requires to pick up PKI/LDAP port labeling fixes- Updated to upstream 3.1.0 GA - Set minimum for sssd to 1.9.2 - Set minimum for pki-ca to 10.0.0-1 - Set minimum for 389-ds-base to 1.3.0 - Set minimum for selinux-policy to 3.11.1-60 - Remove unneeded dogtag package requires- Update Requires on krb5-server to 1.11- Configure CA replication to use TLS instead of SSL- Updated to upstream 3.0.0 GA - Set minimum for samba to 4.0.0-153. - Make sure server-trust-ad subpackage alternates winbind_krb5_locator.so plugin to /dev/null since they cannot be used when trusts are configured - Restrict krb5-server to 1.10. - Update BR for 389-ds-base to 1.3.0 - Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca - Add Requires on zip for generating FF browser extension- Updated to upstream 3.0.0 rc 2 - Include new FF configuration extension - Set minimum Requires of selinux-policy to 3.11.1-33 - Set minimum Requires dogtag to 10.0.0-0.43.b1 - Add new optional strict sub-package to allow users to limit other package upgrades.- Require samba packages instead of obsoleted samba4 packages- Updated to upstream 3.0.0 rc 1 - Update BR for 389-ds-base to 1.2.11.14 - Update BR for krb5 to 1.10 - Update BR for samba4-devel to 4.0.0-139 (rc1) - Add BR for python-polib - Update BR and Requires on sssd to 1.9.0 - Update Requires on policycoreutils to 2.1.12-5 - Update Requires on 389-ds-base to 1.2.11.14 - Update Requires on selinux-policy to 3.11.1-21 - Update Requires on dogtag to 10.0.0-0.33.a1 - Update Requires on certmonger to 0.60 - Update Requires on tomcat to 7.0.29 - Update minimum version of bind to 9.9.1-10.P3 - Update minimum version of bind-dyndb-ldap to 1.1.0-0.16.rc1 - Remove Requires on authconfig from python sub-package- Rebuild against samba4 beta8- Rebuild against samba4 beta7- Adopt to samba4 beta6 (libsecurity -> libsamba-security) - Add dependency to samba4-winbind- Updated to upstream 3.0.0 beta 2- Updated to current upstream state of 3.0.0 beta 2 development- Rebuild against samba4 beta4- Updated to upstream 3.0.0 beta 1- Updated to upstream 2.2.0 GA - Update minimum n-v-r of certmonger to 0.53 - Update minimum n-v-r of slapi-nis to 0.40 - Add Requires in client to oddjob-mkhomedir and python-krbV - Update minimum selinux-policy to 3.10.0-110- Update to upstream 2.2.0 beta 1 (2.1.90.rc1) - Set minimum n-v-r for pki-ca and pki-silent to 9.0.18. - Add Conflicts on mod_ssl - Update minimum n-v-r of 389-ds-base to 1.2.10.4 - Update minimum n-v-r of sssd to 1.8.0 - Update minimum n-v-r of slapi-nis to 0.38 - Update minimum n-v-r of pki-* to 9.0.18 - Update conflicts on bind-dyndb-ldap to < 1.1.0-0.9.b1 - Update conflicts on bind to < 9.9.0-1 - Drop requires on krb5-server-ldap - Add patch to remove escaping arguments to pkisilent- Update to upstream 2.2.0 alpha 1 (2.1.90.pre1)- Force to use 389-ds 1.2.10-0.8.a7 or above - Improve upgrade script to handle systemd 389-ds change - Fix freeipa to work with python-ldap 2.4.6- Fix ipa-replica-install crashes - Fix ipa-server-install and ipa-dns-install logging - Set minimum version of pki-ca to 9.0.17 to fix sslget problem caused by FEDORA-2011-17400 update (#771357)- Allow Web-based migration to work with tightened SE Linux policy (#769440) - Rebuild slapi plugins against re-enterant version of libldap- Allow longer dirsrv startup with systemd: - IPAdmin class will wait until dirsrv instance is available up to 10 seconds - Helps with restarts during upgrade for ipa-ldap-updater - Fix pylint warnings from F16 and Rawhide- Update to upstream 2.1.4 (CVE-2011-3636)- Update SELinux policy to allow ipa_kpasswd to connect ldap and read /dev/urandom. (#759679)- Fix wrong path in packaging freeipa-systemd-upgrade- Introduce upgrade script to recover existing configuration after systemd migration as user has no means to recover FreeIPA from systemd migration - Upgrade script: - recovers symlinks in Dogtag instance install - recovers systemd configuration for FreeIPA's directory server instances - recovers freeipa.service - migrates directory server and KDC configs to use proper keytabs for systemd services- Rebuilt for glibc bug#747377- clean up spec - Depend on sssd >= 1.6.2 for better user experience- Fix Fedora package changelog after merging systemd changes- Fix postin scriplet for F-15/F-16- 2.1.3- Default to systemd for Fedora 16 and onwards- Update to upstream 2.1.0- Fix bug #702633- Update minimum selinux-policy to 3.9.16-18 - Update minimum pki-ca and pki-selinux to 9.0.7 - Update minimum 389-ds-base to 1.2.8.0-1 - Update to upstream 2.0.1- Update to upstream GA release - Automatically apply updates when the package is upgraded- Update to upstream freeipa-2.0.0.rc2 - Set minimum version of python-nss to 0.11 to make sure IPv6 support is in - Set minimum version of sssd to 1.5.1 - Patch to include SuiteSpotGroup when setting up 389-ds instances - Move a lot of BuildRequires so this will build with ONLY_CLIENT enabled- Set the N-V-R so rc1 is an update to beta2.- Set minimum version of sssd to 1.5.1 - Update to upstream freeipa-2.0.0.rc1 - Move server-only binaries from admintools subpackage to server- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Set min version of 389-ds-base to 1.2.8 - Set min version of mod_nss 1.0.8-10 - Set min version of selinux-policy to 3.9.7-27 - Add dogtag themes to Requires - Update to upstream freeipa-2.0.0.pre2- Remove unnecessary moving of v1 CA serial number file in post script - Add Obsoletes for server-selinxu subpackage - Using git snapshot 442d6ad30ce1156914e6245aa7502499e50ec0da- Prepare spec file for release - Using git snapshot 80e87e75bd6ab56e3e20c49ece55bd4d52f1a503- Re-arrange doc and defattr to clean up rpmlint warnings - Remove conditionals on older releases - Move some man pages into admintools subpackage - Remove some explicit Requires in client that aren't needed - Consistent use of buildroot vs RPM_BUILD_ROOT- Moved directory install/static to install/ui- Remove dependency on nss_ldap/nss-pam-ldapd - The official client is sssd and that's what we use by default.- Remove radius subpackages- Set minimum pki-ca and pki-silent versions to 9.0.0- Drop BuildRequires on mozldap-devel- Add Requires on krb5-pkinit-openssl- Add ipa-host-net-manage script- Add ipa init script- Set minimum level of 389-ds-base to 1.2.7 for enhanced memberof plugin- remove ipa-fix-CVE-2008-3274- Remove duplicate %files entries on share/ipa/static - Add python default encoding shared library- Drop requires on python-configobj (not used any more) - Drop ipa-ldap-updater message, upgrades are done differently now- Drop conflicts on mod_nss - Require nss-pam-ldapd on F-14 or higher instead of nss_ldap (#606847) - Drop a slew of conditionals on older Fedora releases (< 12) - Add a few conditionals against RHEL 6 - Add Requires of nss-tools on ipa-client- Set minimum version of certmonger to 0.26 (to pck up #621670) - Set minimum version of pki-silent to 1.3.4 (adds -key_algorithm) - Set minimum version of pki-ca to 1.3.6 - Set minimum version of sssd to 1.2.1- Add BuildRequires for authconfig- Bump up minimum version of python-nss to pick up nss_is_initialize() API- Removed python-asset based webui- Change Requires from fedora-ds-base to 389-ds-base - Set minimum level of 389-ds-base to 1.2.6 for the replication version plugin.- Drop Requires of python-krbV on ipa-client- Load ipa_dogtag.pp in post install- Set minimum level of sssd to 1.1.1 to pull in required hbac fixes.- No need to create /var/log/ipa_error.log since we aren't using TurboGears any more.- Fixed share/ipa/wsgi.py so .pyc, .pyo files are included- Added Require mod_wsgi, added share/ipa/wsgi.py- Require python-wehjit >= 0.2.2- Add sssd and certmonger as a Requires on ipa-client- Require python-wehjit >= 0.2.0- Add ipa-rmkeytab tool- Set minimum of python-pyasn1 to 0.0.9a so we have support for the ASN.1 Any type- Remove v1-style /etc/ipa/ipa.conf, replacing with /etc/ipa/default.conf- Add bash completion script and own /etc/bash_completion.d in case it doesn't already exist- Remove ipa_webgui, its functions rolled into ipa_httpd- Removed python-cherrypy from BuildRequires and Requires - Added Requires python-assets, python-wehjit- Added httpd SELinux policy so CRLs can be read- Move ipalib to ipa-python subpackage - Bump minimum version of slapi-nis to 0.15- Set 0.14 as minimum version for slapi-nis- Add Requires: python-nss to ipa-python sub-package- Remove the IPA DNA plugin, use the DS one- Build radius separately - Fix a few minor issues- Replace TurboGears requirement with python-cherrypy- rebuild with new openssl- Fix SELinux code- Fix breakage caused by python-kerberos update to 1.1- New upstream release 1.2.1- Rebuild for Python 2.6- Respin after the tarball has been re-released upstream New hash is 506c9c92dcaf9f227cba5030e999f177- Conditionally restart also dirsrv and httpd when upgrading- Update to upstream version 1.2.0 - Set fedora-ds-base minimum version to 1.1.3 for winsync header - Set the minimum version for SELinux policy - Remove references to Fedora 7- Fix for CVE-2008-3274 - Fix segfault in ipa-kpasswd in case getifaddrs returns a NULL interface - Add fix for bug #453185 - Rebuild against openldap libraries, mozldap ones do not work properly - TurboGears is currently broken in rawhide. Added patch to not build the UI locales and removed them from the ipa-server files section.- Add call to /usr/sbin/upgradeconfig to post install- Update to upstream version 1.1.0 - Patch for indexing memberof attribute - Patch for indexing uidnumber and gidnumber - Patch to change DNA default values for replicas - Patch to fix uninitialized variable in ipa-getkeytab- Set fedora-ds-base minimum version to 1.1.0.1-4 and mod_nss minimum version to 1.0.7-4 so we pick up the NSS fixes. - Add selinux-policy-base(post) to Requires (446496)- Add missing entry for /var/cache/ipa/kpasswd (444624) - Added patch to fix permissions problems with the Apache NSS database. - Added patch to fix problem with DNS querying where the query could be returned as the answer. - Fix spec error where patch1 was in the wrong section- Added patch to fix problem reported by ldapmodify- Fix Requires for krb5-server that was missing for Fedora versions > 9 - Remove quotes around test for fedora version to package egg-info- Update to upstream version 1.0.0- Pull upstream changelog 722 - Add Conflicts mod_ssl (435360)- Pull upstream changelog 698 - Fix ownership of /var/log/ipa_error.log during install (435119) - Add pwpolicy command and man page- Pull upstream changelog 678 - Add new subpackage, ipa-server-selinux - Add Requires: authconfig to ipa-python (bz #433747) - Package i18n files- Pull upstream changelog 641 - Require minimum version of krb5-server on F-7 and F-8 - Package some new files- Marked with wrong license. IPA is GPLv2.- Ensure that /etc/ipa exists before moving user-modifiable html files there - Put html files into /etc/ipa/html instead of /etc/ipa- Pull upstream changelog 608 which renamed several files- package the sessions dir /var/cache/ipa/sessions - Pull upstream changelog 597- Updated upstream pull (596) to fix bug in ipa_webgui that was causing the UI to not start.- Included LICENSE and README in all packages for documentation - Move user-modifiable content to /etc/ipa and linked back to /usr/share/ipa/html - Changed some references to /usr to the {_usr} macro and /etc to {_sysconfdir} - Added popt-devel to BuildRequires for Fedora 8 and higher and popt for Fedora 7 - Package the egg-info for Fedora 9 and higher for ipa-python- Added auto* BuildRequires- Unified spec file- Fixed License in specfile - Include files from /usr/lib/python*/site-packages/ipaserver- Version bump for release- Preverse mode on ipa-keytab-util - Version bump for relase and rpm name change- Broke invididual Requires and BuildRequires onto separate lines and reordered them - Added python-tgexpandingformwidget as a dependency - Require at least fedora-ds-base 1.1- Version bump for release- Add dep for freeipa-admintools and acl- Add dependency for python-krbV- Require mod_nss-1.0.7-2 for mod_proxy fixes- Convert to autotools-based build* Fri Sep 7 2007 Karl MacMillan - 0.3.0-1 - Added support for libipa-dna-plugin- Added support for ipa_kpasswd and ipa_pwd_extop- Abstracted client class to work directly or over RPC- Add mod_auth_kerb and cyrus-sasl-gssapi to Requires - Remove references to admin server in ipa-server-setupssl - Generate a client certificate for the XML-RPC server to connect to LDAP with - Create a keytab for Apache - Create an ldif with a test user - Provide a certmap.conf for doing SSL client authentication- Initial rpm version/bin/sh/bin/sh/bin/shfreeipa-server-trust-adipa-idoverride-memberof-plugin 4.9.64.9.6-4.module_el8.5.0+921+2b5d58254.9.6-4.module_el8.5.0+921+2b5d5825 4.9.60.1 oddjob-ipa-trust.confoddjobd-ipa-trust.conf.build-id6ccd9a739b8be8a7e1d45e558b7e991ae245e14ed4e33801efa41887fdce334bfbec663cc2c7a15alibipa_cldap.sowinbind_krb5_locator.soipasam.socom.redhat.idm.trust-fetch-domainsipa-adtrust-installipa-server-trust-adContributors.txtREADME.mdipa-cldap-conf.ldifsmb.conf.emptyipa-server-trust-adCOPYINGipa-adtrust-install.1.gz/etc/dbus-1/system.d//etc/oddjobd.conf.d//usr/lib//usr/lib/.build-id//usr/lib/.build-id/6c//usr/lib/.build-id/d4//usr/lib64/dirsrv/plugins//usr/lib64/krb5/plugins/libkrb5//usr/lib64/samba/pdb//usr/libexec/ipa/oddjob//usr/sbin//usr/share/doc//usr/share/doc/ipa-server-trust-ad//usr/share/ipa//usr/share/licenses//usr/share/licenses/ipa-server-trust-ad//usr/share/man/man1/-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -fasynchronous-unwind-tables -fstack-clash-protectioncpioxz2aarch64-redhat-linux-gnu  exported SGML document, ASCII textXML 1.0 document, ASCII textdirectoryELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=d4e33801efa41887fdce334bfbec663cc2c7a15a, strippedemptyELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, BuildID[sha1]=6ccd9a739b8be8a7e1d45e558b7e991ae245e14e, strippedPython script, ASCII text executableUTF-8 Unicode textASCII texttroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix):;!PRRRR+R RRRR RRRRRRRRRRR,R*R R R4RRR"R R RR%R&R$RR)RR+R RRRR,R*R#RR!R(RRRRRRRR R R4RR/usr/libexec/platform-python -c "import sys; from ipalib import facts; sys.exit(0 if facts.is_ipa_configured() else 1);" > /dev/null 2>&1 if [ $? -eq 0 ]; then # NOTE: systemd specific section /bin/systemctl try-restart httpd.service >/dev/null 2>&1 || : # END fi/bin/shutf-89f9c83740d2a16e77583f012da66a0c50ab2a9191b0ec4554acce36d0486648fidm:DL1:8050020210907152554:3d2c466f?P7zXZ !#,] b2u Q{LQPj3+p}N:ǰ'.?5uMeMFyUCnxI C ANt 827fTVW[\F'O-]!AC=}KrC~x/3VTxSZ~L/^1m7'4}Vzo,T}S8V`,qq)O?N-BywPpw%Lݞ-# k 2 V"=L&+!h "ґC1D&V3ت-Q6s n)t P$ u5ȆɘR1eyC.zJXAfb1>n.;8OX 1ށ!lA*nC#1fm. D<]x&n$} A*\/7وoWeYJuntl)ɷ`ꎋ!O#S-#ŷ:u|SH OZnu_unpsQ"e:C>M3 Հojg`zG H ~TFtO=$tUk^]n\~?՛d*OH"<+Fswa "v(  K+CU!Qp>ε:N4A&+(Z %vJ=>y@4<.#c7`^Б{uoǜv&75ǫAg4zH{^ J}o5v%cxHtVyY%?r^罯cB2?t `bx Ş(`3we7^6tLHg5Lp<VB~̔Np 68T"눖SȺAi`z╈\˴Ku+֑ͷԴ"d 0cꛓ;*7t ԣVmyJz/O+*]DEb87qlD^ĮȹG(%+b0gN|"GbƯ@~EL["L47Iub00A<`|Mװ3?^k^^G̺FPlU&YКҜUZ'{ E9Kͳj4B oж@~f1Ғ1;g]km#<͹rc <$b2{651FDBStϑr'M [8LEh"5W\X+:niqS$U{TآUCD{cVOy=>~v:u7X[<H:m)5)Qn'Ydf4vek^uQbPLI EZ(w7SF Y柕]."-I|ow~OǛ'iOw!̳$Tp%H|]I9ǭkCjJ 9F8'vi LA j#iE6gq; Wpy҄!ӹbPF1sv .Qeh*FȐU*!K ) 2:kY$aH)Yl5H8KyɆ7ZgeO[Űo .PvpA7aK 3?O2cל`D0vKp%eޏ|Ug7iTJTqMs-.]ц׀اՈ˥1eN EmZr.ACƸ/-_[-Y88vJ(o/u2CV4>vqNaKVI[]vo6dt*Ȑ"ep^WO=tMѡ}&sŞ: X|u2r RYT_aRǯ\X!P D~RȪHv,F:MfW]{T*fsAG}4bK F?&~ꓤi9Y8*; u41!9e>#ȀN30nDE'qNaLr"%v G6NbX$\~P@c)aP61Aq^J츆ڜB4egf1ksNY9LsD: I y`ufZ>&|1ցf:c1ѿF#CZe;C|,ЏWyh F 16[To Uɐ^u2lKfEvϖezu]6) (&հ%,u] %~rY-YUW.C2u!F-W(NIɃ urΞCEISB;8ܕ-_A옂(SO#a)vpj6W 3K1 7{*<-E@EX]?# g?d,!>#3:=O;erO? %:3{hBΫ#UPT;E9V%M[)R GaICa/"-vđƃ2hۍ߬[XYn/zM!qWxDsi\⳽+hq] < Hwa`tU0}v/MZ5c&ǽЮ39L˔ptfΏ 0 |.y`y? g{0?F-2aޏ͛8z" Q-REoWuh^kS%: ߜ'35A[.vkԷ3̮:$͖x۰u,UoFn D`8 ]njtI>fϞdI1§$ނr2ht 4]J6S4N7}mzPRRe[:J&#!cL<tiAC;5fﴄG -gip A,iJ^X2mngțh^@"k-h6..]wŁXg-tX PaL88Tk7nq \wK D y`×>igf=L8 vrr[ځY oNҬs2} ϛvSXId^_v.}j %P-nr(H[ap0Z%AĞ8V(#Q_JYå.z?pnZEUwd pdb5%j4D^Cmk3zz3Keݴ@uWm6 z8 HE7 4dx)q&}U<1[si LNb _I2oŝY:Ji S^&\(4Шߏ0C_6; Q#&3i&.M:ZG !ӓtZڊ{Khe`OVvsg- %VIAQ56P2BSŸ* Ɓ.6{R^nq\IdERʭ45]`,TBywM6eok7I:kAcyg~>YDAgkpShwq7xjfϟG 2&ލX̧hL ى?Cs23}[K kxdxfPL(,ksp>݉#6cgg KӦ0)Gu8jEvrd><)(D}X&6llJ8%1ci,tv)此Sil` eݺ Ml,2{-e*罇I~]&r$xE\!r Vz8ٴ<@BOI8h%g뉾֥\d7+ gUs+2{NݥIy-}VO_liJ4=!69X=a?3QȁuU y'9e}Ub`Je C*V&az<=0fpi14@PXN6֒rT 1ޚ(hh4~-x5BS7si :tExcoLQ$3{=>1!熤O1Ywf'RK (+ۄ];>΅#&w7LCy~w߃U X"y^ > -uRkRi:(roـ9ny.Og>4G-r. z;J//W~Nh6oSWgd+?o;dWC|Ok_͈CG{W{n?tHg뵵ݴhFiCb%_3tڍp΋$j {7uuE +Ov8a7L7jΓb-*2(c۷hfk~>6ynFHR4$:@;ϐCC=FjN:]YaTꮷ?( GհkܑW+0ޙVgNdև0p-uAMv,+&xO7,̙W1",J/ E|}4kNHvc20/B.D"/3QEem'"&3ʅCǸB$mpj8kXl׭C趗ybC m;(өFOÛm,^u0gw]0R(0]E BN/z^0u |)|H$ lh80"' `WMj$M8UT5OtqCXѪ `90eo aLp;}Y^q-pK۔AJVEs4:M-{-ខ0FK54c!+ŸU.Hqе q:xN$BTqŬ|ZZk8cÅ>rf:蟱V~ŷɶVl ]y䃬jz"Mh' r' DSXTL՗ܖS`@~"YZQM!(Hή#mVlP94X=wwIHOR~ީ.X"= xc,ȵ@0+Tܔ.I>4M&z9",`ryzxңSUeV;_՗?핰r+MSZd>Qcna%o*N4ᡕӢqݡ) E@+LU$؛/ʸpnn(󼠄gG](@~ *o  ng>uP)]&pw6eu"ُ@p 2! $3|P׊Д; Oxm5`'EəeVo8ċXs܍z^৉`{QEKX.I'<~$}*Z !x>5JfxVCDd8,8,ưV%T/Șm>h 9g~cZYTŇ'U 9:d}bKT*D&;OG tkEY8xɘC;n0@8hZ%4U=\ gnm[m@at@0ц7Q*olj MX[˝j/u{6=W[ejXg%+9fQ]6N]JcbnbSUi~ Kn`Xa;ъXs~U|flͯ2@f\Y0'{cJOZ.^x!r11A<\URr/ e* `d/._s.:[|"{sۅ( GȽKrkխZbPVgpn&d p$OKND*"s~0҃t$ )a-o .O7t59L#i'Uz'9>NX6Ec#WT}k>5?~yY"#C ƱY";3 SD ZˢmlWW/w=dfi5 X00kUL g {Xt]f []և@=rav,ʟ0YbQ=6}}}WAt!G.. J9񬐒;I4:H? n@Wo\`i Tp}b,9Xp3wey1s/Kq b3>o# Ƿ/t'H ǿđ̭07еY "Ǚ .KsO1i ^rI'n/C\uDd{,U-#jj^J/Y1Hkoq.xYRBH?z:*t]PDs [Pq FTm3}ХyP*&xҮ#S*:nQ\yAowCZ -vQ@\B"L]yv,l?zLϱEF ߤKd*j;ΰk8~ή\1L g?uNmaUנ//Vy5`Dn{(7bFp[(2hlD:bv3 H`!RM[ft▫l0NeI7s. %}$tޡUOl_4L7dd+[̶O@Y잻~Qw?:~sbJ"njLuq7O״b+" 34rWb܁t$ ,sz:DHKڟg/xp*oc2Zi~^2֢-ӠD>Ո{ kٝ6TVj$-CT_L2COуv>Z<g@7]=t%rv?@ F"J_y%=0ƇEy'ÕB -!4J\:}/[dsцh".{~PNa6,E_ɟPt|Fb-}L/Ykˆ%Ai1`Eh^qc?2C@E1[F!W=j8:Wv eS.W6lc=xa{<~o9:l^tHζP@Td` &n@0GXʙԵ^b3j !XR9uNfi~5nf6WSb2+QERSzsۭJƚ?gJV]QZ m ^Ԓ^xxj8+)+0jG8l1"`? +d8`2%q;ֽFBAd9 ,6U]{u9pz=Pgd ƨ ݁ np~B*h6N Vyׄ;տ/[itp5~Uh*{ rmݡ{@ũXE4v̬!Kף9b0 \H s\Y.gaXX )iuƽe̙o}2 ڣTG+ހ%J#n+Z~ix΁LHq[47m7"k/90O?ɈXV⵻BQ,3/7ry-LtuO͞m:s!"6>nv%X1Z[*:h铢uָC?Q56t# Rl]2t$YJg?Z7GB+ 9ϑz^`"_D/JwTcֻPwܹ#Pods_ҰP61"&{ՠ{+a?"h}ze  _V? Fr8'! m_Y<@ӡFgD'i l;n!Ro@0pC#6S҄A(w rf_wp˓-䜨="@yK&5L=Aeϖ҂.aUq AHyXCq&6 N@]ކCI^@a5+ZFPYq!L$T]:h[XImbIod{ȥEc9O8a-N2yxLke6xl Mӧ&e8T?hYS{.[E`yO/-pTWa]db=6G[L`2GJl5 >y{gMZa f8os:qQw@=-7ծJp*bd:8M8^,1QmnrR [Pjo2ܔr'e~|$X1P6--}S-R>a+1P2 ڤֱMCWU۸5O!6"N A=rhNpnCġ5=3NI>6Pś!Rmkc_j̃җ:0^/PWjLIA#b1nvgಉ,9yQ\Ԙu_$ wv5%S,%Y/s?arjaDzwv׹t2Ha ۴fp`ytpso }N]H^e^>g0hl lyCkU9 dBD˯ ꯇq((CH9f"kgͱx*!k,K1Ip`4D@c3zdƆ5|#שҫ~ 51!)RD+tIQĞZŎrt"²@Nn{XqoZR2'BZ&ue;|My-_:NZYL`wdS;,|Nۜ LjEb'&TO(7a9\d>lƲmG,ݥ>i>f"y_#-Dە\hnfd1Q-אLqd0t<5*{:ƭ9Xۧř ;[TdF[r/v{D~yD'Rc3N !(H%!hv~m_?E0彠#Supx<:Gr_Ip\P>tI7,LCPˀz7 N;lݯӧ5g2++  1&tHH!ΜKKLJ#&ċ_Zp]F}W1U'Y 0xt(̾ oڗ|&鍤2U!J&v=1" iEy֟b%~Z0A=˛٦d0fS< \ԻZNK'F𪮏2H|5>˦ͰU+uS[B'*s/b0\74jvPT4T_Đ+bL4 ldڋpjEnW!7&NQWKqΓB; ΧK5+5MsgldyoRu@@ñ5ԥ(0!EҸKw 2χcIeE7qd ŸYa ~\sIN%gj S4r\ ؀~~w֎|FGs'pָ;P["rҤ6$cYM 7 < G2H xFK: N{,zhT8;G7Y*#.}x6 +gW:аvټ|/|aF(w}bgȨV E8 ~^^[ekZ EG |e|cg%TAZ݇C?Ҥ:'$-SoNRA,Ir"57Q\9]r2t}e.@v,0H-iM>2 )ez*Z Aիp땠vٱ#c4sL'Wr?S?5T:@|T&PUTlLڼE_B *;ݞ">wa.6pH s 3 sD)`ы7ta`!oHzҦW3eуB4 iV>\8 [TZJz/K'h\L鈡xj>vͨO4N=WKǘ߀ /1UR'a>#/8'd_Q8.awH%6YO7뉟'Togi]7t8l;Vr*k "K幪9꾇j!!1$wBEܮ+/ &|CEz0uVѡa+K$m]tuG]RDq  ^›`ܴwH?lm+/5ֆ}] xV8dHjWrT}EkiŹ.ǮZh,R6yBȂ l?$ |y(AwfK0}Bd'N~DM{L¡FYۀ+-DF-|Fe|rDCAz٤Sl"N QxDN,CHOtn\<%:ֶBӝJDhdE*kU\^P8ƍUDcYxӉ = (/2Pz^x',dGZE 9ŕgc.L9YQʨHrtᦥ6MI+!+'BEgSoH؟c) ${q$Z8@+nɧ.'ILnR*=Z؆J㨞G4X29&O< NƊފJp-J 4Pz$E!h37BmYt%5z~ 4hG&IZx2; Gl/̓8%b@x${gn˜+{^;́w+"cV[4p*ν*2= $~ KU,\-i1K6I`j | bfu32S3R%}"-Veݔ_ܜX=o*53BYo"Q뫍|òsЦ|ZQ[*w=c{A]=nfylD-&[ UtjMR e_wAe1cny[X?cxhQH|WbdM_眜 t S/_)m8 Ew{bXҁ,/Dl(O㥘Bϴ=<<2PBĐe|;L5Ϛ^bJ2 !ngmgQVʂ\ɩ湄*.ZSXHЊk<5`!bhyV\*-ŇCDxY@FMlQ~ bRF<ܛDuyWWW.yw ֪uᜎ @zP%.W$p$p zb7clpEо^À[#UDjcDRQ{l uuN_ pγ(6ps_KGm;98#, 653>»B${/Io}.?'[űĻ +H\: \T-*^ٓ`ع{Z+9^* q0b2*zn[kVB >y-#_<[1cu*5t򟡽*AYJd O۴]Ğ!R d<$zeպX'eOMޅlGͦ}9nϡe;5>ش| <َA`E~W)hdoQ79E}wPI8qbg4?L8Pf ,/_kKBmëU=r nڞ\VzE΃sw͠tUjJg 'T3z?O?Qa Nbs6yKSNEgU|NK'Ĵ7@KΙ|Ƹmbm7M!bj?RQ~KH^=+ofKt'~TFwbm2:xy&XA#JPIrIjob/MAea+ uB1a8g?y`@?;5daC[&w<9`pnc (cdMng2;R2qnb6!;ϳ9܄not*B23ք6)E) JUQvGdGSpX3zn~@k-/MdL8au>ɎIt.c7`mr0\Y x )a | V-(ڙe Zɖ Rnl1'^ŢPܤWB`|=ah"ktWGЃ J{ablw ^m(-GT^k5&u]5*6/ְVOQn2\8QEH9T-t6: T9"{C7]t9-86Zz -4mVB)s8Q4oLވC1Sc}{[ڤ`7O}3@uRuE TYŇbW%.I1!j`̰82$_ KI_B \kq:ir"2d{ ]=L\ @9&G+#4],?~; <kAď`E22|PoBWI'!k""QmY*0.rnɿO?}HˎEّ4v6)"LJag"X8?0cij3Dl'-R ]DOQLy~ml+a2`S-ruab멽&PpLrS,r!nJSPTCQI 7͇4&$bqy&-GYP"ޑSY.U' Ӧd$[wB+,*6Axrlf吡P[}q)I)~!^@:QӉaق j\$g-[[ kv ؤ4dO0ŷtT3w{J[g2؅ )ZHYζr 9߫<8c+H~ݕ7æ~˖N|;A }kl]od.Ôòs!ٺZW@Q vxp*-r980PB;c Lz/0A/TIk֊vGn{Z"3s +Op}KvXkb13GvG" Z+W֕&ow^i=? &04]rH YA( M~KWLҦ۸V~O%(ۇH}4zJ+>3Lafx5x8(>g EhIލ2fBkH)m{ss\\]&?8KQcuT;qX[h4pUq1uOh-4̉s5Wfr r:H0bMCD'ӭ/Ag*5Л 0T7|gLo5dU:\+MA:`ޑkܻF[tF Ķyr$C{E!Aq|*0~Pr"S9@#}j(lq: geͧI}rKn3d1&$% % ߁ AůBK&wKNdt˨dU㔩D} h3*˽#p*aa0 .PS_M.ɸPbn|0,.f-C/Y~P(H-}^U;'=."K2 DrK3engDNgEitt`ay3ճDs4AXi`U-=:w 6$ E´{ q]]7Br; 2ԬE"|% Bc2,}2j- U~Ҹ9܄nEY:C fハ$$*,kMd_B5oʉ)2L10Z. }K_J .?5J ]f|NDV p/_(QqEaI&nKg)_s=b4@z}npIW#%hղ[sg3 2gldOޥ+|5/6: й߁W .ۭeq%EM͆hHܦ;by/\T*6/r:zTxjKO&J񂠵 ] 3Բs]yF.*o 3xD<'7JFi@PKl@6|Ifj 6C;Ӓ?>AT=}?i,f7^jq4d NJE.?JXԈtn̸RC=g"ؘ8.؜vZAyδ}07yI >7G_sP%~4ưaLo\=K5(p q^Y, `~%{ᬸK^ż,sJ~JQrii4znTS|yOOz- D!%Y3%>ʼnYf,%e@cjի^+Cx#Cec)O_nEJ yVG5an.9{Fey jdHifJ϶ugU=̿7ٺG :{D&hKGJU6$0XcRpΉ x/:|Jʤ،ǹ!c} M+/ jn'0aF֕襈]c0`lY?I9oddk:SKψqe;dDvN[ٲߍadc7zuXm;Ȥ-j/v UXzv Dy>JyS"6tL oUM~gM>|W )NJ/]Օ/ Q({jYW;W/gh]3Yk,{M2FB_S;atktfO:'G5 .Jb3=O'hO=GA_w\ /]/b6TTG^o=g`nF_V:Fٙ<͙tY`zb֓ϼ2E5rzcŇ]Y9 vE(j$ߨU851;JeϤY)}5ܜF1^ܰ8d; 4=:E;vQG PwLz;HQ#>Tԉd3&ƲߖıTF Ot٥Cv,]Q#A+uJKC~ _AAw28\wBU?#k_KC,(LqU &-KZ9Vvx-E+](?FF[22 Mm*^⡗4Lei'&$5L]d?Q~;֝j@&s#~+K6WaK8V:Į $aLa$U7>%ݵ8uY9j'|YP ;8S'i$,ϥ0 z<d &뿞D=vԕDBR^Ψ>?#ف7g{墧o0~ s,ljաcޗ9KtF2dP*PU!@wd3s]Fgމ؈l _-]o!#LCUC]mTF=O5v7Ս}5ɴ$HGڳ 73}pS^ª2g{ӎy"EcCyoV'670 NKLnNI^)%(4AL`BtX iߕq#5t,̔2={{Ź.V!M;TmնXtC~6}nBbiCg JZ/9xay(H1`1B&/-.V~U3˦xri?/nqLcA_TqYU4I$bR~ oϹ]7`EKE:Ac4NEtٛn#ޕuq m!@}!wD㊡qՔGq|@Q0uD Olkj@x 6>%ʹ5AHǎa7rU:`ǣ r,$[=:BPf*laG.lyn(Xr(9669˗  4RM)Z8iI,ÃY6X|˼H/A81WDyh( i*wB= ; s'v'һw!Y S4ȢkjXC:_:U ۪#Og/sM9KI{+Ѕpag\$Ņ?VQOH͛OS_*Osxn.tG|pq+AEYN{>wSX>j|x?[%KIQA ,\$׉4R,R{֡[Gʒ,9QժuſcVܡhE/ 9ÛZ\9Sļ(" wKX ([ R܃]X_5Ex.\[9o݉+*EEWT(mhDkqsySvEl.oRSX 5jhAɌ;۸\:g9|(<"cCIE%?F+2w/Q)GMdaKpM>p%ZN^Zz}\|")͎)H*-9g$]D;-5q6$ŐraHz m{%Iah8Y] 8 ^I-Ԓ͈*Bt68L | JT`ƜZx Z'+b> PArNd:ĎGzsjT#/-./kl{艇V–ؔkq8aHSrkgʽ$kѣoU{$ 014WFnC4M;DsjLVK6%!܁ӯ 2GKk'9p/,ѽm6,.waE<-sU93 .?Ffx/ Tu<9G$sE%ݵ(_'%)*$E[bA&{.H[1Cn7""Wcs)_5p+K!ǘޒ2DC& oj%wE1 X _<]0\b5KBpۭ|o&C06.! %u޲VKq,5T0kd}-g$8 ӟ Dv͉)M%CJJ[I1gZӖFs{QsGQTxNsZr7iJ[Oj>d-oX?3F%Ҙ3J*'򊴢9KK|BGfoō~1'io\9"ܖD2 8pwK`űqnF*?nSt)~^R--\U¡tUYH8aYl6H澢:|8ΦTKUXIzUK)MvD~ 0,~w߸W=8p(WzS\kz*{@"SƫOlL\8ozR1%jز'yOQeF$,&yQv`33%C=c;"F0%|dTYfv }<} Zbf܌]do}9`^9@2rbA71m=WwԂ ?[87ݰD6=+d d 3>T;@n6Zht/'=6JqIؒba2 ۑy)m~O16#ժHmo)!LPM7W\fJNR̄KuQAb^-)(f1i!Қ>Z|td>5_ ţ,~K J.f!m8mj9C9ڜ^tFCO}(ϟrV3mi1E88UdІ#'=qpõv$9#* Uuw+-4Lv5 ^h5)gt i{s^ ﱓ ;'QnCj5f \?"E T gg`rD&@lgE;By^E.x3+Ro>nAyv<1CJTP{wpV۸5 HVsm՛b(əB"!Krd(W,N;PȽ*ZTL. m}/">L)2_@dt̴*DUYXt'VŢIrMy=b$PWmX9{Us\W {[b` =!cog>{_{p%]ku S2ʞqRd)umU |{ sDEkJFq-k'dA@c;5nxVt*ao #Ga>z* 530[]rI""{pYg/ϜjE 9.j{bh*FbwrJjʏg>P-K|[_<͚ _hҕW Kbi c;;7;n_} T4eA+~C hq,qRrxo~͸ l:1pf3J(t4*06RK_ L9:T@j3\[!E٘l)%\ 7|&~KǢ<@Dܹ{ $i9\IBv $ClM)cJ Gٻӓ_\?\@&EMg-/#K<7݌8x}L{ mJvӂ02-7q[aҒ~ Q =]FڵPL,?q{SZ'`ˠ Txba9ZTa)bVe| IPLHӎ-_ՎRhCqq?Sϫ XiXĕ<Zs|ۚchhN;BJ8R  "kTF >%GʧM*g3 xFNee8%SI+,@qCJskįlW[{QwX.V!P {v>' c?: =sHEܺ"߂8u.:qYM;(~㻝!hzsѤkM k[R &w*Q<*]za]^;nM~\Ur08n%HGENj; '/9%}TH4@avpνԸ([}g ӍSל}AAlws& ެh`Z2Eh}RJpjC~9?]G 4Jjyt/XII5m`ʈFGNFqpL ;_{W), \Y'-E ~n9!ԃ폜g Vw@|LJgA]NV)C?IV%݅r&}}Ǡnr5- q>ӲO=MBP sCanŹiWv5WSK"3T%%kWpHƙ8ilt9۩/KHeېSU,V,4m1> Cc#%SS1`|=,`kB-F!;Cg΃3DC@oX ɛ++oXiojj*щL[RMC~bdE dJYU=&.=|EL$Ք<|.oU l}.GM6/eᯇ+[F5oG^ Hq=ZL՟%kS-|v@{w cu"jLDp#sed<č K&ar2^cLd1ј%UY9.]B>l d}[g(b+57fY#褞a PT/R{HoQдJ[V>e$VPpjeC26T}zJJ{u& 93D<,W~Z,]qlQw]f&wS2[Ρg5,1\/J7A1Hy%2 .{׶$|eܛ|,$Oj7Ō-= X I\[T02b6˂^+cQSC&_XN _8~l82M|R=L4n(=䶛$ eFT (ʓN¤[Ǿ23k_X{E˟Hu&I$):sY]L&=QTNrHko;>\rn 7n7H P䁴Y}֤\0E"F\.*Ҫ5<,!&jRir*%?G26 ,QMPVzzCAcS!ݒ_,:/gNIGKqUe$[G'UTaHX䎫E@(Z.(F@wXY>1v5NwŦb@!3p^ϻ1=>!^p鶌$;}X=7$g{&6P>F֝ }?ƙ.p@ xmgx]P#0=4sMځJ*D^nF}ϪQs[/ɳx.}GEqbl$*f Jƾ?Cc׶5m.\=!6l K]<0bnAU :~ cj_k=/ S[ᴸgA}ܕ%~/0<FaliXc+ `@]qRlܽ:䅿 vIEj ,C爡j:yrb,z eƥ7&5 -]֣<5;W;ߨQR׼GA!UJG ig(~#RCWFkWA[ @odEaWo-p8%gRˍCatL> G>0wno=h`@+䎣j81Q3k 7i?{^G2.Cwe ~㽐ؑۀ'/[${f"J ĪTUu L|(uä=߀$#xq8ciP6f9:S%6C(MJeʗZ 3KTR͞TY=oNf]uCiu6}xN]HAZk+?`dHcUi'*ʳb0CJaVzPcX'7Wt׃Mn#pGI㥹nC 5S{ܨ=~>}{37-"ޑEto Wŀ7w mЌ]qO4Y)Շ珂k C)fqK;&+Ǎ0a@tiUz 6^bwzI =8דċބ H:oa 7a2Үeߛ%-"T۽]Í5(BvmNL j $\wJ Fg|o) kyA~3z}mV=yyDiZK?h fxz^hN%=sLO}ӸPVj N. 5or%ozH=׿=LjfНi\.ޔi-MO;9~GǓL_ۗ[f˨Vaj0hJP^OSDkNC{ySMOjze6-:;2]zhSez8)j+ $mN8ֿh!3,3`aZd Lܲ={W-)>e&xm[20o{- t]D ^d #a2F)Z:YOP,w؄Ӭ H(Y/NxG{ f|N 0ÚQ:wૼ2Ϛ 4T\b/Ck#oۃe@IU<`Q*RObhjE_-ZB:2xrL8%Lţ~+h"{ !LtIHo(&/￲%ҋGϲo^"cuNԳαK}B\ͤ0'`)pt^^uJ(I f`M mJdd@z?FSE`uG'3F;aq3ݝ5`GlYG:O9Lˢ{*tD.`",ʐ'n;;恜pdf\Lُbbyѯ“;uyD '` Y$&oR9h#a PW vck~]m]kĐ6˼|C^iuST9K>K9;0$%ReX;).4ϸ0a[5,ShzD/s=b[\'vx:*%X4R֝9ɷ@{%`"ئ[{ -ŕ.ω: T0䦃[c^A~:PRe@-Ǹ)OPh0ڲЂ^"vAw7kTNEngy$dW5X6S* ˰K6f/Χ X)Y-/^6nʐJ􅀍94WRG$6OXqCuP*fЃ膤!28u~G U7%ZX?x'c*A ȸ[ֿ` 3!C2V׳)x40%'Mԙ0OTu|)yeL3uzFPGv*͈>ˈ |(OEo9R<#F (Bte6g{d :߫/ǎ{RgOg>+|#_&9x(`rjn蹅JJZEHs:aiv]~~J-s3\U5J;}O#j фw@|v ecLRבx={ $|zftρwn CPCf a?R,% 2 8\#נe2>c9 /DЯz&=^ȶ?|m^e[*hLUUg@Xv8&!8XА[L:!ܷ6Eh)Uw4ȥΈ) j +c(Y.3HYp'0Ʋ7X# 7o'gK8B4B]"5$BG\!Z,ݣڶIrn>fߑwBOzy9^ 2j'֩a'͌v{u5k;I-By^2FM6_*/i)OvenhNkdZmvA툡&]J ̂1̀xEvzp`|ݑ!jFE%jbF/2Tg;{4tĩGEimPCF_6.~Xe,YF-9kԟc`AMLR|ZU6+,ޗRRskD^զ w]SP`? vFUUkxa"<=N(tS-sWB-X-&qp৓hsŧNWT!ߤ +HWqHC 1V NH)+څo9v^"p?%yI`)r{}ܛ"ݶdV7>Pn(ZgLce,]֯^=#fjp nwԧVwP9Hµqa= W?1nSڻ?>(gA]65i+_ NZR_kFԐh4cw=ZX/E$XWS8ά=;CcYt&,ձU uN1WRAeѦS^% .8tn0w['Y9 H,c^g; rI4N w$^ |/Fw^&%`|@/x|ouf-ܦE rRJSS څˑg,0ʘr;TgC0 | 7jJ}ND7g |,E,_0bۋQnjzlT/9 ,oJ )DzuMM3#)%fy]w}۫VFK{65JӅ6Hah}gF~(*4UWWv~ܱk̏06qknNKB|aAěزK|=ٟh [޸ aMuA#zoN*uG72Olo׾!xQ#^m\ia;t/OR}2&w&7B˭/&WUSڻW}yiwiKun1ۂK$sjz4 cQ5)L]Ñ㊍.;a^hEK'y-LhG(ӌTURofB[ZWbDQ#Gؼ]w]rG%ҟ`pjjnez(Dz 3;,?Z)FeN'_ބ r[KYމD|bNiǐXӪԉ؍D@Cx ݕ;"k 9݈bUxXs>*p`8<;AwI8*C.[p o b,O.֭D΄ǩH +#41v\pP$nPg!)S"];Z{֭q ^L=Ւt qjukXK*SKj0 J9WySWf^Hqb7> YV[6K&Ճŝϖd w"A7](-l{XPU>Hh--8Y8q(Ih36#&@#l뺻MwmIh \)XxбseS2ݤ\ Hڴ +n=4hYB;nR9 { h lL(c=+5i-jh"iK<_9#Cz:U"Qi&IwdS6!#8M[ "f 4? jC`i|wYR~2[YHܣF+)17t3(4{o<WNqY+\7fဘWBH;n:>O\~q-ןTHk9()VX뼎Eu4 '7G\.wl [~X%"HCcHt1 BFY2/E}K*3?$P#@0JwVkiST+Ԑc{!; K5hɂѱ&gG{ ?/BXnK|.z1.e^9p('lV-o/2y bIjpЇQ*rF{kX%1'CFJfZTS b}_%*`H#N 9#\B ZOiE!*!.iW3: %qM{ 'P̸&1<׽GQRz.lH04M}%e8oh4,WuͻFojnO[qQ}Q6$SDIwBj"PY7±:'Ұ)ϛZ.OeJlܭEmS_r65EV"/ۼ=ﺱ"Sj܇E8ɋg4 A2  ȳ|lK3J8 3q^w#Ma@u 7ǚfܧ)$3sS7M|^FiC>,FZ2#(67 DYvH1``]7XaqZ0G ٖ(OəG 4p*HE'T33|\W,Q* }(;ȍeOkj:_5o$7X (l+UjX=1PvzxNjPU˜MuD{6Is1Dϟ($n  i#}&:T, 2+0rEI s^mAfR`^ZȜ>ʶޯTtRG&#/p~s魘0Vy@ۺ^6Cx xny[z[k0-a_iZ-+)sP.UYJhce$l<5~T$T I$ق B~4Ms;~giь= Fl}Ԧ$*~bM+0O:B <_I`!9嵽M9Gd{G(Sd[WD 'T*t{Cpʔ453̆ Yу](uDx${]vn*Ĩ(-OYV qmU$[ua?ި2. :|\tX<6+!*Ky>EHO:j>$AtZE[J@C{3a8ENN7ICpe._-[P5ΧSJ.gG{5dN pse'o\ƈJoҨ]qZU15qrKѐ Z8n an N>?; 8zՊY*kNO#$_xBDk ZD[ڛsny s:9yT"u܇Z=)O֔7aeG Wׁ&/[Y%řԫ\&d:DkKPoD'8^DH:/Ħ<6ueQ@@jH :7 a7P,Oٶ>^La#s)(@wguBW7 -osF] J m o`iDdL5&V Oyk<oR2&Y C8&&POfU[CtiׯW(ii5NsT7HS0 Dӟ*\O֟ &sD Q fQ wo؟Fh@fִeQݱt}0UCsbzk?jjPi :b (ŴT=U,'c5y]b__S=3 .rﮤ4UäUTW&CChX\Aԙ7ӬY)S㣤%P$HEH0emcy4F䀞S"?!A)}":.E,|D -$t %b6z"/=1P\mi22ceУuI,g]t_ܩs9xgBCDDg Jㇳle P} \ZDOdO_O!dMD6C5Vj^ *_6q z Jwi>mS)U=0s'D1+an;[ oR ? w#<71KFo>j+«=I,bPQ"N<%k\I/+W\%pr#7 e< -'PiUpcjf$ĤN,\(HpJl4tĕԝ[&Zy }4%iQ{`Ĥ@FeY T& ZA"usG?BPe`tJo{):v L\&/s !UFG it Yw ce  uF8J]9kJY;Q{n;p"p @Z=0e$>B/Ox'Ϧy|rPCK6}6P `LAN*$M@00A wbq.!|-1f&)Lasve q{y-PF`DѸqM< d%sGƪm`2HdA Qᡖ?P-bmdk\v 査VjCxBJ?ۘ%#R/@9%[ݱTha|3mV;riXձ=mq nA:]&mP1nulC sWZE`LMLF;T_Yz&'[f(o{3"Q.r<|DA2m!P౩*f. ܬ՘q֗PzԬOuth b $%3-#vGnf\,m@wZidbk]fg%D&3GRGٹyO3Ɏ0sPD;94UqOa9y箹Dvm GqM;'ِFd8LChBZ|AbZ|{H{RQo_a`g=Pɽ<"V#Ecx(8Z̠i-^ϝo}i.LD*C|̷Z%7r6ҹm ~oTwM:VS_SԵx{[vë`eV 2!YJKHݜ><~.c8?&\t6{/n;HJD*̮|=}IEVpAt'GU?_"ydՃATC3t@>ŻHFg+uU>evv:b7}eDhdљۙ >tfܤk0 >\L#4Ψy\c-JsIi+X 7*T?1=2 ]n]tiPr4^H]/̄4 )px`[*fktMP>^9'xw1NϞp7{3c0">6䉮u+'MDk5ݜ ՠ*87Y{UXpsq\'=}؄ ڎ`g_A gU_1Ȁ~YD tAuۜoa!6vAa*aX,׭.+z-{$).#Nr$ΗPzR92sn%zYz7QlrId:tQBڌjj]]77 Md޵ ؞+"-:B[w̔M:$/HM.y2o*`"!e_NvEO~@r Mm}\x2۸@-_Osip F] #Η8*p+˗*%/&NI\26OOv¦e5桵SQ]i?oTϥfte+LFfiF$)N=T.hШ] x' ^ݝ8mo_EoTNiAݢ+ `׬q•MJ7Hꅙ,_JkGu^k ,sYFd }]a[7 k!IGfug,D!K`p,*ƲA/k偖f{>RURX(M:_iI*j-E,`[:R*1Sՙ$`mw| Yv 4CUY-zc`e`)Vg]=@r|dǥJ(XRMJR_|MRU2"<jA|`Ym+I F݂j}+7Ւrg[S6МlZ`$ >Ђ/"4ɅLCLC4~]e, 7|K7+A!hZmֳɄȅ,t@JjTCNň=8/K2qdZ_a/{ Ġ]N8!@Ffd[ו+Ԥ|X-b.GwYK mF9ysG(uˡD"{JB%ɻ+ȸ%2xQk,,bt "߉_WJ䬑)`|_֖-۽jҜ"|w n: zQK;.y* bm'[ 3W*T'ձT9M1,<۰ o}VB=ʵr 2=}A(U0u\=zj1 ɂ^I!m V`: LوO d26!>:7%XkRvk#v鬹^Y:#6GV״<< >.m}e_ ]ir϶fY>LQՆt&*['] qʊ.WpP.X~jP @Ecl9ֱ ^i|kn ?*vPs5 n)\6Lruz9/s)h(\ 􎭴K"yiΉ!XeJo`3@ WUM:c$/pk:] llpO-0B܉Ga5\[;-KTҋCA ]GNœCFf"Cvv}]޺!8gF 0u\̑9JQ=<Ċ%Ĺ&1c4kʹ7HBM1}ʉFr}0KX]L{?i4XUC^ b\!"|ĵ-E)H]1_O}4(z}6fj8#yZ?u@g0gU+ |Ƽ-RV ՜V^N%bd($[3N;%B_Cl+{Xrm2M МZm\ˎEzO` +ZծyHĚMD3w "0+^mQљlQwc_@[vA]U]2(4dI{d mFAJyNbJ=UxPwX k@'{&dTs Qxa5'2y?Jү MlCʑcKc' =%A~vˢN`<xx {VF `EXpH#֏(rޙUCً W[cO9,1Fݓ讱k3Q$Rn +w6|]yqhP}9YEJvy{T^4]\!G+c)>i#r]؄ij rhJbmMN᱋اSШ1l{@Ij GW։hGw0L>}&.Eډ5g+1#GS:e5Xne <y$eyR0#ĥAO3Q6R۫pzסM{C.vgO"Ǖ! |!@ .(&PrbHҋ-Ĉ~P&5ҜKw܎4L<0| 4ݛMw1Qg{SqW@Ar?"d$Z#\ (sHx(< 8 dE#! уי?y/&٩4t:6Ut&/CYTpba§Fn z[&ȳ, N"iD}Qm+˕BPCmY{G^kjbX ⺺Nq}7UcPUݝ)hdi ǽ}z.guBBp5}:8;0e igt waDt7rW܋Mi6O>B1޷=Ȁ3߰+@qej :uRBK{XЀcU@+iEn"C0g4w1#, k&'?u-JN֥ơ]:MEx`9En0/ uSL[3[ 4+ͦ#dCwiswQ=EΆ5(3tGA1Fc[ @n~Mz{󁅝׻Bf9A@-&+\.',8DEq_]0:_V.ͨ>*ȣncM2@]lUue\D2RF$;fщK,VWRkVq @ۿm`AJ9ܫD`0ui*nxB#ujC D$|{q/ cߛgk`Pgu\4;jK;wdƱ,R:1PSTB:[eY j Z(}S _Bͷ\+`>.8$ސ˱p1D8]ǚOSe!l*;-`kZಾx!rF>Dd?4+CV*@?'ZPVky@Dk~Tw1BpK-L^sիTh4Sl%A;F2k@n~ 跏?%hYaGG9%naTL;˔[Ŀ<;̗wr7nkbA :(_,H߶\YZ|EJ8AE"ǒX $>1L16Oeo:xu!Uvd]" vL]XG^Ag$P$\%*בr>'h,T(|yIŤ9uM~0XO~1hX`88uAL,|WdzY}2EG3'S;5 =/R!O%T퟇G?hos3oLBt<9(oBfwPk԰T`Rrϥn Ud|J?-44'`ʐ [_@J&娇†%Ъ a?׌R0)He /4ыH xzГtշb;q~z ʃ,I`+,Lo3l" ܷǏqgEϴtm󉅊〡)PY֔c;.L`q= ܊lw7~~.瑱u ѳБal'ocDnuR|65uvAN/[5 y!OIz}nwF|m8tjjoF7Y,ϫDI h[4QhM62r}7dw@tl<4ܟRf LDGԵYgI|$*}Xlځ9J(v[bƄ^ ̻|e8&$ka@Dl>/Q++04V۷\t䮎;ae(osr Saz9zQ%a@|XX7ؑNJ\Am伥JF!!swdLu"ovW5g~JO$%U5.$Te!LE x;=' A!`!]5"ٳA]W,3g59te xn8K[ɐxrj]kg#,d S;uQg(45N%EmIj]b\ {Ll dJb;M7:) l]+H-BՒaLd5e ^eK,ς1Z# >"g} >X6. 623hfì>wJśs`kpM -r Ol#%gƥ랒޲<= ۥFTE5V=sUW0tÌi=ę>ob\-⌆se ^DU)"ho+ ôH]]P%ba[09 GZVVء˗w%Bd';ŭy \ts:WzZq]غ-n +d$  NM ? H.4JCZQkeH LMZ&ݧn˘u^t Xb^nHhƲK2Lac'ޖ@RuĀ`S20GE Q+4TL?5-b{r'9f^[͔Yk(N*x9BV!n/m,jϑ'?ZvR˧l䀵NGL~GJW# \*3O}gLFGeUr6'F,8 +C^0#P olۥ{5V"Hn7p|*z6+K=2ub,*\ 5f4e v .95W`/SzPPxO%Լ2Ӿi1uu:c?<.5ܥK*ϟrlՃDppتTp~`d}D2^2e/26q%6ӒYF|d&+dOc 轠(2o*)u> me2ף⁆^YAA tNt.ǬΕʕxrʕl\VwgrSK|Bؘ>z2w1\z˻/]ܟwrj>zUw"Z S9 oÈ@'iޘ&I>h:M %,=b {tE}4~݇;}#+`4RYzuj2t1Ce)`{D -q :Wm 1g s N#hmJTԴ(KPaVd_Ĝl aۓ5A`M-Yfϝ2@[&2Bi1%;;}/]{_3.RUĴ߀SD$%@>JP/hdu"|Xy+3LAyg,%Ȟ$r8-vNĎbF!Lej)3x/s ^vk(] Z<sQH&/M>{qXdzWz :KM_9N=kqc'dU\df/SĥisSec5 9M|bh*cXD9Ed&,njWoյ~Pl /57>{el-S6M>SQ>5^4l'}DW?[:a4{$ޫ<V7 q^mt [ }`}[1;c Y~ x59o{WߒHSUք1j1t2ܑ2W3_A LkK Җo18.% ɬWwtѰЃO ,UyLtݾ0T1^f#Jn5t''`Ɛ VUydmn(;lurUj:|G7Iez DeL1o:groVVwQÂbd񁼆;o5Bә$G6qPK!!CM)떲LB$=3T,o}.ە9.3]$NJe*ݴfnK jOMUF}BZ|d3[ Jh(i~b&YY[~=拫;Y+gCri `NYRA ̙{ȗ6(O(?rE> -KOvˬޭꍆ[yͧS~WBtT{ {E&B&T-f+P5^-Ht>$nY қ`| &}1 "LaӁC&f#q9G/S .LrU ozޙ gfkK?#Y^ c|Ws(xN99J}yn4<υhToKjYE[EfPI>dgKus곢L8G\\X:J;O?][ivF^`6|9H/E.j*rljc,]їB$B1o[#xN:jZ$W,J/f~ z-$XE|2;h'-q_F}ٔ%~d .ZKa8 rl߀mNGE7_{ox C0.+hbWjsMA\@/0,%$b{Y ޚp[m!˭pCJPKpRJP.\NVB%ڛ^}nҝ6ʚIT?Q@cjc/F/:b~23 SU`g6̂fˀX,Ki}Nosص j9NT,JR`bG`o'TAfd0ԩ֚JDCN3tFN, $;wp<1rp5}9iZr;ԕ+ڪKݳ}sB6DeUw 宑>~o-V_]ȽZ쭷R:|ߖz'2PSߌ4B7a 4y#7r+IBp{Ij!B?P/ RX~x' lUb ~cOj2;"!1g0s3<<#g[jgjҤxQwk1GEsO$bMaÄSQK]=O|nI)&}.C[,q|/(ΐb+ܯ-=ds FPcpocΫǜ*ΟV93 ij@x6"XL3` ?P S)W5rp<]K-XxXy aSpRS%-8<>2LbYg 7EGa{9)4LU%u h(hV ޥw_.-% ԑ%65VQ.PHR.OH2ϝ?&g`_VYz#ym⚘k8F% 0D1P~h?Ngާ Bt4G1-J-n/NAU BF)=h"[?\'l4ƺM=vU7wE5²UqG@!=<-#0n[)ήt:Q]AppuTpEmnQj n$'重A;"8TxPg,~MMֱvHdU6*yF~1Hzd[ue,|8v˳-/YkWSmRc.ϙ6yK'_Pdg44"V %W c/cm #|Kdg+s/KLT3#-]ɶ B4mօNw}C>/Nⅎubo-#o0%MjAm^?#!fNUDIcL)~]E2O?/xPY"-(5#\1eU6'O+'ߵL7kLRmoǹqiݡ$UpcYF2kQvF,w O'GHT_e7E:W e oR -f3GK*]楮{ܠUJtzC |kv~uF%&H܉8 J:motoW;=Y5lPR2(r]Bf1j} Uyŝ@O9Nց4SĘ8_mH{[gzWdOsl+Yu],ĸJ:JDvޅ)EH&\ .g3֔|Dzej8{Hr?v³p]95j-84lDO|AwB5wmVݍyb#/1*>2Ap-ׂ>)7S3 YM=y?b箓dV UDom@ L'w (7N%=tE%-_hye؝rae4Wx|NТqLc^,zͮ6bGԈq3ߓS -:ɴ4gE]w[I@)͊ɆN$&3K!mL Wn0]䬵@ [:Jd,{ 2H8˾+EN09su傠4‚>M|( PH4%ZpEXFl&:I\Y=8񻠸IiN]tY0G+gTua]Q!vM+Ա$$'ƂN;u\N=EhtSGq\@Xo" c>{.!.V>dlyrꢴ'=xo|-^`vdYrmFDhX*hW?SneR }Lsy1JBgc&B}+n\S j؎b4]M&O-V_o|f {u-;w lM&[҅u5\7hFF4KrOJUhB~&0]-`ZORdd@U jUF&ղrO'?q}2J՛z/9Muq>%Zl9XW;DͽvE\+)0F|F: 1l0R?HP>`%%| \0gݤ+5i&5/̯˞L+ DdD!H7ʸ1$ U*U2Vc#c3S'ro[SJPד׍;AD?d:h!]G:w*4.Fv>:Qlk%S1X{\{ݒ .BHT۔ĝ3WO}$.R_o^ܧ ?SM%ЮF]QŵWP&'RnH FT{&^%Li޶H閲 11$E ;ِzz`_2 JD '6i9df0sc6XZt ;z Zf7t '&鿟mmz7d"jt:. (ż[ y xk90pQ{REmG8B_T:_ɺ67<*&*iMY1*18Q\ K'8YNկTNE*2: XU673 =x`=9%\9C;קx%^{Awzf\(>/\u7T IkV+Vg$ijhJ3xr#sE夎)u9q@ծTr''穀TҋtȦR,qEE.)kvVlȋu,i-/L] Pb33 ?JQܻuFgɹpO_ օsk`w#c=s93h@9KY*B勥^N6c"W_;W]$ً:mZ ̄'LJXmspFhKoxŃk|DqNx3jրRk)'cGyK;UgIw>#Ӗƴ<96*Z% !YD9hQbMX9[8q +ri/\xB"ejcr[Rj`Gt6b:oKޝBkr:u0ӄASu"0M7lZawt-gvbNEs8C0=3;/1{x>/AvJ I? sUlMI#Kxamp-=ZOd]+a.g}nIlƃM anlz( ý笖hb)##A>*"X%2\ml(KTji>pSB=mNGv1SkY u1ta#?4Ml&H*QKpٷ*F)(_x~ sb֓H1)v%XmB3[GnMWMN-~2 0*?پ^6MFdmc, [a!DԺZLi#4to&(X J INzx y_#+f=SᦒG4:*-t2"Stb=nL q6䝋*@U|(e$PÚ>4Jr˅&1(&Vjq|aH$ aʰtı]_v'Xl #@ $;u_1U˃[b;|K\⚆:gF"GpLs> Cx㾞T9DY;:S[ {82 tX8J}r/ {5 #0MM%dSb<|1rpf9i+5bB(Sz%v)n@ʃoUg"8\xXUX6R3 U>>m(WԚ~I~xTW3ؽԖ* M+6M4 ??b6*8 \Tf8-խK\a%zMx ~ 'x'5N-o򝉇AI{SoxPմ7?ڟ8$34R@gA# Օc$ dFHv"f.{A xϵn<X:jDH1hS G,I|UcXm bBi]>]g}"څ ;q ? ber5A/޶Ej -\<=y# RVUKgHOSMe:x8>A)T+[x;ޜoȋ e묐hOB+A$TG\ŸSlY5nrnzq}VӪilv$Ҽ$eI֫ D bai#ݺ*.<`G XUݭ0Rl.3}죗~-:aQM5[ч7dar 'KV}g^ooWhQ-Qҟ0tPNtTb|3 h$_ y f,&vQ8U}G+ VM>ʾ:8**D18騫BZPT"L'x `pRPx2%_sn}#v9]ڤ`# -K*Pނ /dbK[ˀnEDžƳk& 2Fv ?,czN%Pc|R9qľ0'[5  ),n|xZB|"I(3¼MhrҲ9֩Wid˗2 G *[Q e)!稂S-b b=HqVr99rj!ɗU㢎,No(CkC \w,UO3?s`؍R VŨ{;T+W īUCϠoך$&Q%?N :ξrw#c}3: t3 a(KqPPrMHޏZB`\ *y]nvӐS1 DY^R3bgxT Ѻ/%byDfgŤfR/>S,(ӭ2;>ԐXV42Ir$6몕&@3tN D*: \nt$@&ݟ!S4;ي|Ãd‹҅8To`b200rTLqjvgS0UEH_qG!abuʳN;`m-&Tp?EXFm6po&Q)-b1/c8MeCKoTRT\ ]m  cuƒ|z-DezASbB_zJxg]*L .Yg gJ~ǃ&u\vy6]C21gnܗ1ךuYe,I)J[ 2]ߺ6I{upa=G(~bO3c|CjD_8(Y_loy3aS9|ۦQWg_yWaXErRi_GŨ\ dʲ!Cx-ϓPطQWzhtx,As9alB]_KT8h[3[c@i*lYu[\PQr.o.A֠|~Mhtu =X0cTחG33>"q֪3ʑPoM:=+~O<ڰ \N0Db{ Q/FiHESc7g! sCA QmRoR='$˒*f<B/YK])Hrϥڿ/ʬ3m/8G dF"!q`MĸNЍ2DMWO5+.D|GRv;4uoRN_> dp$eeX\_э?S.|[c$1S;ٸ󠯔8΄;K hIvݱԨws7c>axCUV0Mh}lo~a BѽU|Udž.0u: 2:Wfx(^9~T, 1gr#iRk7SyD6mm4w T=w9·k= ''-oÃ2)og<# &[ ߌFt¥4IItI-jA&ʺ'A6\Ek[9\{{ HJ3l 1IGKw$ #-Fn^ EƯy(nN]MIڧ0J*+;Ey5NK!R3g"f`Խܴyاh3 &eU_U\~h6؟п$(|Z0ov'4qO2wVޘĥU1HkQ2J4]r4Yo#CE]Fq/jK41t5FmO4)EIQfB$Ãpzċg׎0Mb i iٙ ׵Mj6_0p& (9\0W!N9cIxՙxL: + -O,(/@3ޏq%-kNԂ=9Ut9b䑡=,os_ [&va5*1|F:(.&Dq5\9DPJD( b|ݭ\K'@fJ&M"IVrdž*OI2,^"AƗ"ƒȠ ̔j7rj}/lP#weT4fcPɦ[GR"!KB]pBYroY~>X-<|}(V'`Np5PIg)$Pc@vVS0> 0 f-([B ))NEo/P2z)*)~OW3㧳r y(4b4(=)[?̙[Xl1Nh~p뽋, \Hόa^̕>k=F$~(zc4c,oDa~,hblFsTI)67}B0B/nLd砑r-`lf*NֱH@:lutfF+J {Etwcؗ0ЦiE! /r4F=h$W97fxQ${i2\69O! O-OLe1rLoniNU` 4ZIQ0N'W$,[,$J=)XAFfPW4qZ< o~؆^z&F0㱕ВrQ>pJXHeob)XM[}Iܡ\7?@~DkrG1y Ҹ;ƇqQry1$"K^1I1 dܢwͱq`\{(Q;>I:d갤uEZth:3iۧt:S:fUq9ʥQ똆s&0 tTC{@"K|Zdvu]FC*;+ƃvg}-G<Q)Olxm+} 9#&ZF:inPQ/e86D-qpE*4la]]b\0뚏SI".Dw8E_|1+uW\QxC)#13F"mipHE@ 48t{1AsFeo,HS jTvc^F;'\e8 GYzJG)\bK͛(s e897i/dǫvSOr@àh^1٭r"u;Ө_t^*6=Q"Fq2栐NgՊ(ݢY6$#0AS^ ]c4$) [Twß5*Ǝr2 {EZ rٿA!M-<0( ~nΝ`dGb[ KtEH.R9Kգ95 &zR=^-JSVQZPFbxy 5,?~׳&2+en(&Z3 ;i" tv?1O 0<6"¹CU_Kl%wVb%&i*C{dp?%;hnC+\e=v.&]&2{%8Dpa}Vvw0€خbQ{]}KUJ7JxȎH[Xg+ 4 V3%N~j!WK70sFdR$peplN~fޠws6~|[4OyyJKu-(=!:#iFX@u+,4[^mi1u6{9["$BƇ?q`K[;L]ԩ{[nE0yYH{ E5zl)^Wj>GS,{2<yAVih@VzǖݎgH_%dY?U_7HE / nVAPl'_2ZMWf3H"U ju Ik]!k^HPjR qXK F}Kg:IBg/uJ;l zWBrCHZC0П#qNUv?4Z^^J>q+nd{@sIo4o),Oz tBS=N3=W3@2T o^k τ[QM>U=՟@i ]EyZ]J)Av +s,Aee#p3rFh< e  ?~,HpZA~[MQ+K*@+t w '!)hL%xxCX(\LXOwwŘ?Guq̮EC0Hnn~CNt/K9͚jFvbH$WY~LaLnR9*v걾I]@ 8گʘq4o^3,m)s~.)BW!cD`M%$/Ѡ<(€7Ϊ=̑YEwo" I}c@_:qmV.җ^(eRJg>z勪6kPp)Z|JBy_?2 Aޖ`jL.me=άwM~M鍧<>DWY\w7Nt6H0IJgZ>C4Eh}~0,]8?bTUOychLxqYuV2L> M(~ł]? bc⮜hA5n`rȑ*PN,%He2=& jˡzMթPG蔺 SKUeiG ugf#怜XロD&Lc=snDWjI&J  1xΰPD4x%fo2.?lU^z#((x̪9D" \o~6ɈtMDfxT#+Ԉ|EфphUsi`\r6ʈTtn$x{Ȕv٤eU_vs?\J#14 .S8Xzl -<w#sx z PcBQ{s6R̩cN4al3\4A/mrSx>T|dh:;`~rUUhHąDv߉QxL@A9UEJ5ELDi@^r*CB]|Y q0}^C(^:g/92j$2xPȵ?rY0$W<"%{כ#0oߨ(>Rᑃ%, ^/Ehy*WeE"Re5a{;NӖt\]6{6_H˸pй{Y IP 3-hk"MupGhx]]^\\ p ˆ6xU]-dC;RRM0!Nw=$`;Y~i: G{(WǨ8dHQ9#A ֖u8`5d._&tc&B[ }Y[%+b#Qu܄-gET4Á25AW _\d˪3s B?՜.=aQӾdXkv9K g(qH~ʢg^ÄkGsCQD^|L#q ^Nc+e8:47nƀҽKoxd`5*WލֶMQGK Rri=:vڈMi9.M~#pq*dI1ui{h} D`˃ ƣA,5KV"ugΰM)_ł~~sIlĜL7 rnFk)l"v])`.SǍCxO9ċԾ]i1gM- mi#;9.wzq9|\i- Ff8Z. GjkޓϹ*B1#'~5uSZABjfLpKOQկ>OŮZ=O8ge]i1h'ecAخC')3]cGb O8/U2Uy_4[@ʞdza.ͽdt(Ap6kPzM}YXn^ْpqkxSNwss6l3pKxj5%fQ|522tʤoba.g[1cٍSo@K7 /U[/sI !,_hP/F`$H&ٞP?ŬUM&ti<Aߔ RH%^W zyt -G'oMvîhfL 2 ~pj[ b[`qUH@D<~ Mn?N>psI7;o"#,*y@?N:OI InP7s6#Ҵ,+(4(fnڵR"Oh;=|tMLG~ 9W?o:"c[ܹ ś4?D%NeGX*|܄"o~~Pq5sRfoVɰKQno.7'MF|&9֨d+6 S9kOVN E,%Nf}U2'yyf? Լ1Q7<37#ߠ!{,Ya:MqQj(*'“x̏{o@mV7M*G]D u;Ss92%׮(.I}g/qP]F8.IJmr|I| g X[s|MH R# NcK3KaFVKb6QgƸ(?Ϡ>wʩmQ~{K]T# i˪j3nĘsT쩙βGcET jeas:rg߫q05MEH,Y/lFg?3biלϧwd;Vȷt/#];9A#.2"~o8_Ld#O=J>?Vh 5UFp H(v8a48R!(ҭ +`${Pn _Ŝf ȜQm3$OVq $cW/?x0Q `q_N@q. :30++Hig( R#1Rp?e :8Ae@޴n։{ghk趀`mq4)-资n^݂U?'1N d؆w4D;sCnY|T^/EMzi,>W4HD{ab51?w*Ḑp)4 ʉ\F5#-j/]ALΆmFğ ct`~hƎ܁"tpdRյ4<< (˛͏Ѷ@N{OSok-$}a#3ޡ kA`1sC=:<ِ'_+ A|"k2)-aSGo(] DdKluI$OWR4x2Mp ;]ZsŎ8]NpfP1Jm:ꅀ7+mfrLW"]-ZF,axw>vuƆ4Z i b9џCm]CEvԭcP ;A m:źbB{r TJf/jN 6y5ۣ YW\p ],] G /|w3ߴ'+h?綩Y 39%7R7Ce\=p,@Fk06[(oyϙJvrkxU $6=L[F THLmjJ)X7+v>Nm߾ޣOVNo>)20paPރGJ![vZVeѱj__5ߍ;MņOm:3dӞ1Oro_ё }g!wksF1+ Q3ur!k2HV4" \"N11b` t0i!߆Q#0'U_qkUN#'!*p8{t{Xv-WŨo~>lbERiV:r^r-$*z(C4E&Nl][w3%A !γ;A8q##́r-,j@`7;Qa o 7B'?'U*l!8!LĆS+3Ә½~J?i6_n摱շ@~"8To؟i_dӃBNm 9|J  !hN4⃡}Db7To^oV9L;K)CvtkYE`^Pq߫I8 INW,;QhTan, q۳e!LPޯ~DFDwY~b͠X-7|Zx6/As",M\jjW6q 8QʿO7}QUTt8ބ{ֽ%!c-3KyF0]THf M, ,PM2m5fWT2j OE.Ǖ;ĐM)D )KBh~=)j޸CjQddW36~ԠݑZrŞ!쒿%y#%?+*;"}х#s3Vù:ND ^ ^Tԗu%w8G?d,u?M^df>LJl;2WŢsb61ܳrsF'hWfǩNn~aG޻ KjBOuW~ CRu֟uԳbh|+V|w޴n0HMzɧ(6d–k4ܽ7fke]4↜Ҳ9CAvBi@ * R=AK*!`Φ< C3"э27kq)pEPU+/}4ߊ"NME{Q.Y8c18PJ~ 8άS 72>9tlp*B>FNbF_3G48㱣c/C<*B>+Qg s&îAMUkӋ~#Y/+GYvPFP>;#g7鶋!2\&e^܍ @ ЈmօQn=_';yn拥Bd__w\&$"W ?up /sbNL]91>CK=By$W+>,kF6ϼYx<@;-Ύ\ CDfK| =a,kR,=)96 Q#Y.=)PU LqND4I/?.J 58ڿAC&}+!JOQ6e$]8r=J izyJ0eX *+m'd6}E`tn&{T&auχpZem-ar[~%Qd0~,ooA2eZǸ ,>$Z / 5ut|=A΄eT.SANq;b9eX~5@ON7~΢bĀSo 1ZwG|Cz*_|ĪĎ1ק͠ݍñCXK˴M^-,gxDph6! /Υh+dI*EӉcZߕd/ [p&\8HcSwUO 9}+u}4bڣwe*Yqw]t7U]~TqVNFnGi4HLՀ1Eɼ۩cWW^ڠ٧DZ?%+#~>N^nӭ:OŰP8] 7h/+9US(кd*<3;MĢ?C?1ĵotޤjk;qx2ףzH~AWQOZK'`&bЗ:]s`}U**7Ȥ86:㽘&ڱvLSXV 4'UH8p%M sQ}{Wi\9sL?Z- "x$>|5qn(s@܊(9pWn6ិA/y$fYꫜIS\*s̊Ǘ SMvD CjOR Iڱ&$U[*B^ԭkQ,eZ\ 7Z?mqXg踼0h7o<:ρ(jTPCH&c晾wt?P0  k}\¬ Us(rܱ-Zգ[2H?z`uK8N+L;3HKlSAз{¤(ŹXEZƶ{s]a|y98er\& 1'0@Kly޸¦ U!7;Ex%,]9XW{zK=M&I1 -RkUT,NqHE)tth`K9o0xCVzYlFxMv gk'\:p7]/N( e57xq' .0Х#DZ{FOuVn*ԭEi\D:e!gJ$[yϢG+Cv5mTj~MaIݑpIzXH`C[KPiͽ;Ů6JE28nI\qD(;:@^8ؕăyw\9vz^Y>σ8ӑ6ʷegJFRʾ7\Pd? tJG#sT.P8Myq$x#-g6 \jP6ЬL. z(ᴵ* %n_";p̼_H+G~]tɤM=Mv/)&PJT#ap*[&(gW#Qܙ];~ #W%LTħp*()!$fە7W]o~nR2kM{sNeA$}Yzǡ~w~w:nMFE|!rlU?ݿOtɃaC D#ҥ.^ԼR0AWw) ])9mwW#!ν P𛤞'u"'6+z`_J~RL1vB0I oYU#i?P4ƞG;"~:3!E-=-mŇ$Zߞԃx$s|bʸ48~I5v9rL\yp4ʼn}~to! pg&O䨌:K/߉,:v];ǣz^H@ Ia <fnqzFp9FҒ {W,FzܫtR8T7d)/4*_ͧ!S}Rd -M;<3NT8Tح?w?ͤh7gyβtR"f9SU~I-SLy`5P5@ Z'*P68ŠYW::"_ҫu T!K,}:IP ɐ Dy8h9n}^P1b=j% 8s˸KH&clZz4嫕2L&lbIObňAc$Qp:_.35!V=EĽQ>db9bvk3 "`1eS_%-~>X+8.n'Dy OSzѠ~F°۸V*tacW]%4G׀&G2>%Rcm* +s,g礱}DmfZ/W8Fr(=meȤ(q2ϫ,`,EL>'mrp$+r (&]k_j]J `}@*Cɓќ1?^;)g` 4^h.vc9DLKU j.m8>?MBdY*x>*S>Aq2x>@> @_d@TJTԚɒ# ]78gX%|#[K-P lS("VcUHu#,LW(I=E}4&/;v7-Q  K ?3L[ *:kFU<&OhIxF$gf0邬׽d^Ά!{Y Ϭ-@ :,י4" cIVTGM$S៻1M& A6/§yZ 4gD:0> 7C4Eumv"u?ǡl)sIxҬjBP3#,eF St,~_n?CF_(ղFB[O{s.lS!bbCX.-F\WWʧ7^VVqNXwALt>̫'uňp-p{31Js'{q PD 8r?&b LHQ+*qt4Y_ˣ,,G*^)p }]I(+O&ȅf!r^Kwv T;;ttc:zgǜT0d >,j7ۏb@>kpH<6د3 (ڠg. DL6QlGs0`O~*8O@]s ne081"Ϋ>̓ǟVe4*t4I]4[q2vXtWa5Eҭ 3Ԋߪz>\Vlprk$: b{S*Uw٠q6$ 4!K FzĪ/?VZ1URQ/Aq}gF)U%d]d}ffmzQ^|8*Z01A3M巧U+Rg.ڇ].Eqސ@ϛ+& MU$ U7^CjG~W2+zkԲ񠵝 ,<5 X5j4*M: -6J.hV-~LƄF&ZyP_S*\WsCCw;P Rh/87 ibvdhpKk#t&ñ9{дW{cӺg>N4TwL#%H\vm`?UF>]a}-)}rj<˪ \T#aΝx zgR=" c̐N|o6@걪5]˸`m,Uy]Iw Gos*wE{5J9+7 '1 ^2ÄK;YL ( lvm7O_"F34-}k,Kl:PF?$KAMmj3krLYe@Бoݥ {TÞ D7t.~F4mtkq^adłK]  ȃY&G6QM:as=<`5^v$F/B]|2ҜkrL6h9(޼} 'pG+z(WC $ImE8͐şρhY&o)t_e''phbU~5Qk&.<|XpQպm6gۆ*:n&՞aP -^cpr)#ks2&u5SH3J2G,=QT u&j!T{PAֽqF?`!O v`BCjO4u7D%`ȩ KZ+@\!1^i;9h :]ԓ&Z}`GzM9!goӭ}nF(FvgNcx0+h6OKAK{][ a>REaH4}rҮ tzc!qQd[j\Z[iD7 H̪q:'XX8] 2^ u@buYOJ/F[m(Ojv@N.FO+6Z> ^͞軜*xZ:xpn]Rޘ]=>P9o]\Cq1^ W=g` @Jg;{T`g"'D**둙/wۮ?ՁjEKvc=\`dErO/= r e4N ʝ%ȍJ C9iGl?gI;YQh|qmm]?S{8\,iz+X>n-!`暫ٛ P?&(5pZcZPQ } My9}$WjWa񶒇ߴopFVbq*]d-|<b3#'{^\G#p[Wb2e[wbNfOC0)_QvɅDvuڙA $:$QZ' SQP>g&^!IWc`<y5_M ^0 lTh[,eZw CW\8ϧc)5Ai'f mLV-y g:ͨo u4L^1:qqoLS0c> I1hCrXl9Ě6X-nMh ex |2"XW(J:*- 5JR\Ԇҕ+V>@6p:\)a=.< U@jYgxsRkgpd=D%.*Â}3Y2=BVɫ6ʇt"B0֬|fJ%&QTE I(5U [.-lLXo/RJhԳ<Ѯ%%v#̈P8S}JUb,c)Á8hf U"ؗ>m3[msB鎡Rtz5zBٞ{]$տi*57 %p^^H1+(Z劣MZSu]>oBSץ: ﺰOǨm> C!MP )(%5 65Yd4 )K,pyhDI=?|&&Yʟc<K`y / duAt'?P 2tx1uz"9Jia6@|)95$!=4x F TtY%z~HVN NN,[w6`H=s7u^b A̳C-֏?NjP_DWCm{y~Y ;  |h;> o/wyXa$(!:, }w]EJЯLò*b9ÄWl0=qbAD J q/e?ocv 7)R\cmzw=Dj==_'Bc*8 d^FU zoHW$sW@Wnz[X5ʏQ+t+>W* Bh~.pTfwDz l |6ߦ NaAHF7+22v5+qIJ ?IR_쐠94k)oY ov9NU.`@|x7 Y `2%`eac(vZAnS7hݚؓGVƜq1UQ_ʮ1c`$%z,}D11|)< !2ܱTŘ(^5˫-|vVY,^GpzQWx 72-T# S:0$/2^|RoDd_oxZG.Ac6i"f`z;nx(p;et&&gb: zxuN%{5Mkr!x7z{-C]"=W#u}?f'L!p: s}0Nؐ.Z85rzy݆qu!\#hk@[\N&\<4Nl~Uj+P|_ BI ĶF$#7f<חE&x:+j]c'r\E=@;PaD(L E Xw9/2WKTtpSVyϒ~yu؂Cqt_I"F%HGP:C4ƴ@W{FQv Z1'@sX&=d}<* S!ٴc崹#P[mu+_9Tl;Z)y;̘6WdV+`?Kpcgl߄u&{rP#e.yӦJ!hXilSRʕ"|Qt]|ɧW:FC%MbxMJ##?z7Dk ㈄DK 9Qw@)[Wen3eu BCu"W R 7G//p(AILˇ/tP҂}{ͶOrEБ6 i? 2FxGTouV4р'O_.Y6ZQ(X['g .Uz)ʕ~ImA^x]߅.]&D.g?]"o= 6{TAQHfROhhbҸ2ir+,N3Y>̡żVK@XP~7&[2~5_]ed j|$SS-p;^!afg,#ZIrM] RixrD[7lV8RYnfzvgiVx{Pk49nRYotXekw1)ڃ'ą>)rF1A C.wAs[xD棬Z>F[9B _(ltݱ-F)ĒOfTK/v2Kq4D6r^{(T&6}L/J[} bq N+^c%#;yeuvCshҐ`kȾ??e1.w0nue-_p^CK7mnbUZ hL[lĴ#umƠ4 "kNx#UE)&86۬,R`-ݜY=E+/_:P髬PEp&T5;[G5U_TZs)4S(C 1dĐ3|,<'UY, ۀm( g9)A]-Zskhf,~5ϲ>L[\ ݽlюن/j>%hhPW^n0ll¯G?]e&;KطKIS!R0(#,AL'\JOd~z2m9XkH 6[!-EDKj4K1CT*W!O[҇IRYT <^ٌxSu  }ㄎm[S7afCȹrΏBdnAfZBBQoLjÏ>%Bl0q~eD``،{RH8qQ3ۡ6(j8u3Yu$-6BL%o pۮD:@xp;+}-zGnzֿq2sq@ay!M3?p&nQ oB+s.Z-fVhUZu%أ^>\qVy}C ~Ulc8a#"i/`od$=iE*Nlћ9ym3kzOCl/HL/ 4Ӓn*sC ֳvnDŽ{dm>˾t2X=Ä W ]g=E2@!fͳ^Mz$Ȱi"l_? UWNqZAsf+Ma6_%'3t0VR#~_S]Y{>xeI - NhJ0Y&gzwC.= '!04BUT b&ay5.]Z&k.cj & 5LD!^`d6݋9bX"xg %RAV]Jbֵ)s>82<#ʼn#6A =Yoxnr`hdqiι-蘷@0˿jenQa7Ӆ0`{ҜF-gtD3"oOɗY4bdW]qpO@rnINFE.UDeM#@96(,UgV&=L]%<ɭZ0N-)2 I_8=w _$O, ,N/TQӔJ@:jc:v1KRY~R1`O2Q *;ҷ*U~i׬_>0d{7|h?ݑR*l<Tu^YNf=?rV `< 8[Ħȱ\w钌1iYo##?ᦟs@]hYXQIE,T⹕ȓ}; T eDN౼~«wPfIUcm$ŅKlBBi5|'N31dp"}(AFQ^t;&((ŽzwJ`+Qk=p* XZ"!xF!g5|"M8eO õɷݱcW+*ejHf}*oPOt_YWAC"GZ&*dǂ( p?Xc@wZ  ?PeXޔ= nޜ!F$Glɺk"1X>Mp`t #W ̄,RNb>DlRh/q_VJ$<'lѳC )-}#ܘ]ҶV]a d\ptnieq QqS-Zjw6/ǭ'dԋy\[c!yzA)nl;Lӭ%7Ƹ NzѷjVkEKZB0uG?)s2E^9cݎΐٜ6ݣ5g /H -jZS89N| =@J8􀌔Ԙ"S>,)uXzӖ1 " fd ߒQ֣eVV1+#+p/OsS6L\bV2ou1b@uE3o| Rk lX*dL\hpBͣJ$P&6[oD>9:irt5Un9 4? /B ī]f-k%.{>C/Xٲ r*PlQ%홝53*|`{-C>gǘ >]9f ,M C|{2(`7Kz(OG܁Ў SMR$VIpũD6;+~@ 8#I]}ɲHfP~@(s8.ENAzEsJTKt m |pzE6Onf\ r3b;-S$t9WЇnm^. Oe?U?a݃7xݶJYay6DcA7ED{E[ s=OZ+)RL0  !PE(q5fbwS[2a$M%\?fbߧi[}bdp][sݿ|#գĜτoo4ܐ3}Q{xrbmeٌI۔ә\6h Z v"f}}W(*5 0Y1)wbuM4\mpwyrsNXU9+gf ƵvC#>/ Z?ga*\լ*ށg!͑̚E]y{@*97a{,]qy@ 8EhBWiЇ2LAqab`'a+宓lcd<0c2YƔ2~ljy׾#5%`fӨ ,pNPMB*-&:מT@0xt@,2vGyYuw&%(Ag紴ȽE Ӡ:Rx:Q㹆Jg#QURcI7y٤q;RST^k2kg2eJi# 533ԩ0-;]S}Z39R'TvQq0iN ='J7yw j'5i*$i_Jfk}ٔ'Cw3 05V9/Z)$NŬ YTylOl{<uc&3jKqWÓFH&6i BZJ\n]@hWv9NVU3` R:U8StG}`܊O ~Ը4Hr ߜ c'?jiαX475/m^+!K|$v1䍮y䀰G) vO>04XQ*'0agڮ%IӦ{؀UO{J4ɪcb]l>\D Vu1ʩT;.fNhK9̩|WE 3_0ֆ l_!㷅h0n,r8MqeZp߲ډ T{X;.01pSi&6 l)Ks]77(uߙIwQ]91-U*4zm9ӜIA\צ֕kq\ÓH,(iܛЬ Y.4)-̴6qBf^lmOy-mWi}\ػWR툗gN~ټPc/V]b@Tsȹ0s. &Նu HMRT;uX#H=/BƋ=<8tI_e4і̋7(O=eIj~ 0P.,d}> /~ BYÁY$$ʛ~P؁&zGQ0b6-8+{Jl 7A Ҁ&o Ƭ%i6O$ C硘I;L3e @,R `Zi)sfb\F{UGkVN며XU _I{7:[OPx+¦Boݽ2$)Y3T&훃a=^.{cH> XCdeT (-6Ќbagv}= Gɘ2??(TgL ]d"q}l* %ȱ]#|C:h24?Epc 7S7=ٷ~&B*XR+b1DlFNm 1]D !}nXX1oTTf;LwU筌86UÐ3Ad,JI^P>3,NiEV<^}2'Q/,rq |f"#hZcS8weLW X7擂s\>9,Y(FNY-GrF.ou1̥eeز(iu~HG`Ѱli %?z֡XqpXDu[ԇu YW:BTmЀYqF@WtW~]G 9aA I'4Nc(QVRqjC{.\H U H71% W؇Lu:A,4KNܗ%UԃDr50 ~nȤoYrЏ4Fz,lS1zݵ)-85E2`)ooqNBVg,ِI_UjQX|*ww]5t9uM{{ꫡa#.ud^D\1V[Y'3 ̅bkP&Hǝdg -UgFl QȀ̂N r:[hu3^64?^$~?E;oʼn '=ԬG˛%]"|*[6-I+p,u3M=S44 ՛GLxH/=vB)hMd`4MQpKI E1-5j($I.xP2b8I/NHZ>Ս {/:$8QDue#O $1PNRZؾ2nlIA#1z+8{/ \ <ҥ*{2Rv?|`~qL "k]z%jz@Onp˓KoOp3KN^U/x)KΌsքe<{a(2h#򅖏{Gw /3@|#c7o2< %u0$Wjj49Ic$46Bg/+W7. W`IKOSenR>/CG٤^G1JfÅ&x,/[oT7rz#!p! ݚWcQ`KXl%OigmCѥa2r4!}$BGN { [7 s tcPq]mTG|,?~6zvb\$Rh-Ϫدh],IT5yP*Ȳv:+]^>k06=?zW9aw_.m`>'|obp7zSJܦ5FGr5ă!— b1!1bSk:<yBsjSV6OatxOO;05*YpZei( :Ux%x\ܻ"0ԒOp_ftt8 Bj&rZ*̶CT=JIГ qRps.a#h<bw pv˳)w)u"pVT,0Lʰ l:ףs-c].ezHYr  58^zMghM:)kq{qlV9 z m?Ke?ne \d\-%QMptO7f_ϧeUB{.6a:@obsr#.|xZQj;.-(4=癇aӲy|d$!:t 9 YJ(d)C^Яg~iU$iפL}ͻ3nf`N6Y<,!mUs}Jcji琢8!A(埭Ѭ7@H;E a+ĎT]73弛CEnhYGU}#5%H?G+с"#(T7T4$ku -j󐦡fhe2h'mF %,B;=2z0&GcO?,.(6gb`aT{lٟu` vhĮ*7^ *v(w# /mE ::^%(ñM rG/. @|IE4cݞ+rzTcP2':Λ4- QH`]0&W6SVtB#zqX ̕w33UNxw<Y-*7 7]/H =6nsH'Gd}XR:tGor:R~$E %w^sHjbcMw\֊=WRȀ26]D98L\~u ֵ2S.(6ҋ-k8%7]KIk1%@xy"E'9ǃ*A%FЀP-tQmFz +]Ra6Ț]W`( p褳4p@7?w'tqQ<=/n4#+|=w%k#u9>nzgrz3"u8d_1g3̘okF9sBc/SITf=ZU{<|0[\[ C{Ak>EHqu`N"MG_jk`Q|ۃOm`= F~W4_WZF,n2$nS0G.OUJ~UOh7mڱڏ t ױnC%\O (wI%bSG.xq@+o7E-ݿ2C1*6s%x&$X/b5"υy?C3^9Z>RI\l҈-w¤d+^nTc%'ր\2 kxS]* L^(KZ^XkvoQ1TLjs@LJ4K `˪h!Zo3"Fǧ"U/Qԓmlar!N1g#">Qlh]6ӄZߔ1aJ X2U|l:sr G-QgzMfIfgWM&ԦU& [{T(̿'E n%-aIkĠ(|Dw$jtMO2-D0I&N:5]{1NJm7 de-?N=-oF%B E Vl'wR/ /W2j5*]Ir tU\]# ԄDv=۔[xgyg76/\ tUlHTxGDwN5]OGyvU8:A/^,L)h@!Di6W밧6P tJv+qW+q#n~X8brG/PMF{͋}jtӤpQYEVUg$$XȎl`\c$e*WՁY/ ŕfkx kYDnzd=,?AQ^uG~2 $J+]G~ Ej९5J#|ST3ۇ}4$?AsNCtgb3$r|ˎ ֮)j^zMm Lܑ.@ [D^HXplK{LZwv1Q`SXQ ꬵ9#RŽ heHhە>Yzȥ]C@Kƕ5QxWIC~O="dH刵_X n %/oL"|I(SK%3p#QV&r+20Y,W['~piF{YR4վ[[B:g-R%f0&0mQʀ/o:9z&6M3!&uQKG-`8U\ _$W?#;o3|kk_)Ԭ g[:GNoWV8LK0?>MUh]w|ڰ8ؘNF+3/"3`K[NkD[L `iK F%J}D#Y-'>+H|f |RВo9,=%#9..͛=`u8(HV,Gt֑R8 `YKDETGeV3OEDzZ,P|lHWבLɔoQ4j?-l`:F'TĹ?t#@=W p89 k1 rܴAsǗѴf;C1 -p Ud7VƊ|@`Qc﫠f~c= Rs5ՏltcxsN1lZ@ "ixwQrW"= ⃲B@K#2%tIRm̻֭p_"Urvp"8efIqP* p/D >M4@ i9HMÏ(FB`eA*nzODIm+Oom{7CH jw7~It޳Now'Fr(f]!Ӳ^V-a}հmĘh(a2萰}bx=rҡ r/M,(nHGe:߬YE%LŖj9UEk} 5 8 $E/h 7ԩ<VhǾZn8ZsՖxOua.?ʆ B`ba5a=,JfU*.m`&A#D(S̈́.NZAhjC~58~/'|/'OgtrS.h5 go,w#a_gz1B_r/GKb$xϢ#)f/+3Iw*.ye%~ X[0vNǯ |kJ\W%F#ZxD'@mv;2W)!Iwkgա}f9wRMi=06?$`xh s٠I=;_p4ff+v,%%+u\Ht [>mzRO jC._ ˩`a$\&ϙnpa|C` BV:)'țQl!>uQEsXDDwgzU6s(8saW9YtድEw_+g n1>SJ(`Q:}gefvb.ׄ`"x-wzm]礪rpˑZƤ( MZkp \ۄ*.UoQY7N(vcW2LzVAuz,?nH,ͰI*Oݩh7/5w8CҟL6X?28>Dv"]@ʠrӔٷԦYԮ$*m2 16oRfn]`c}E'!҇sID>w P =L B&uO{+mI{̃pJ^[wctZ;MP449,= Μ,ةՅiNv%K ߚ iub^g=}#^ڜ<]W2 (k|1M=Y> D+ #./q&WyQHoES+Y6NKIU0hǞA or1j"99VaMG_0uR)e:l;,8v|ἣ4>a3lGc&%NH|C k3u8W+ ea@%$i⒱]Hpk96o[t\xY$7h9< bMM5F{W@K:S1;73L"`96ZFܥlDq U'yt{+wf0 ~gQ>w H2yp%e!?Lx[$_z( Ӥȩ2 /j0։rg\Xp`ђF#z D=b&6lVR/Cp"/Sb]{QD+wG^#.:B^z͛62}ۍ}tgZA76E TfnAq1F9Pp ЮݾMխ"}[%Z}5W{fߙ'vy!g_QSg\(Ds?mPNzvktDJbűUͶ/Ӥ: $y ~)IXR^ _+f_ ʼnNTno]dms PƨH+gbѝ˞a=Ud;9HjB5DYN;n9jP WN)މstO5-Xr4JDwq -Rߎ8@N+x B?_$' [^ݜ fLR G+OeHI~լ)Sw@Ηx1Rc5x|Ԟx:U0]AlgmURUo[JB6VJ%G`YVt\ա)9\cA Bk*5dxAg*Ok\9U,ӱΛI,PGcӳ#y!?9ra~X; fP@<;ld8h SKl׵-7ZՊOB!#Y Zym:عrg v*VUBu A˞c /۔/L ہ s9ܴDNj9/xFu'azHE]7]k^gf `<=[ƌ.Q^<M7Zt6A-M?z5.Tjx ʯ %u;: =1őF[Wf-ܾ}@ψl``j1-n# c'ɪ޲ t:- 2e)ԁ8 e@?th.-"g$͂vjq ; -P7)K^y.$gŗq:@5} XD7/gH5hQYDtvr` pw4¹a-)7o1(H2 n^3LxIdʢNezM2PL5?CeHjTy> =~G.dJ"24-Qn2E#,+8Otũ6}ԱBlH~{*UUPRl)cLN`[eȡYnR{ī^$Hײ]R #[NKr}$ ͋,~@t:Y6GL9SqN$9 q}BH2&>,_S2._S6ճ ՛.ǀ{ղ \tI&ou&ltPXBo'ca/>xyziMwY=wρfk!1;?+؟ґXHGM]h9RoaF7ƚG@mζA[v9U0T "E.%RvUZ;14z.v*vyR|!Qc{z9I_giO*m#:qØ.Ӽb}}QLZLMΒCŜοnڵ3!W] Ԟ /Y cWt[hm{e n|Qm E~ϥӨ4.L |{n1>UNܘr ?TW%'!N8$JH~[Wkn9$x=MH"wfO*FᝇMJ=dl!v tGG0)O^uqF$h9,#^q*PV4B@Tv0]n9ț̰G@+`[/ɃTvx!ҍO@#e&MUY7&`[ɖb'!8v)M6R-81 Z<-IgqmwΜQQ/MZ]4J.O: QBzw6.d?r5n'4&@6 f O =c4. 5}z͉HT؞rrcu C <ػə0JcV[ϑ?lo!S5KLxyBmyhu{6>;?`64펒%\F7=isGrby1 %̵pAph`W ?;8p2`~HLJg >Nr\o@I+Mgq).24gDPƹ!'9o{ڼQf}}GzukD5dN?o~^rY)BɁ%%bt6Ӕj͸pNPjd5dvf>ZYa FI~AE 3`v2 &G^ ^(Zкk,y E~>$NGo]ԘR;[Fj /յ\=U⨂& r6i}*%j&LU?,zj挬=3%_w aua}YaNn_lKz|5S70fF*3@,de1dm%8)ϫWTmgn۴cbt:_lu"mƏ6S3} }C (9w/N|FC7ǽg0_K ]s~V~yB #Ch[Rz15:J" ߐEdU#I9Zb76*E lif68H!j|YCϏe&=U` 5F7}l8$g>Mjˤ*ɺTp,V>7 r4钫]=$FIb!`YWoOoLQ%P@$%^ќѸ^x4܃U5sWWұf$6Af}rqYo@^{?2!Qj]Z`\"6or ?|Z#\F,-3Q6<' H Vj5HUӅª|q/W qK"25˶ Ȍhqb͏p]W2Tm]՘dCROgL;xWbJo?:Db3Jj~?|.vIrR|2|4XFm5ڬKթɖ.T}Wkeh,h`'q|̵b+ P9nJ}Ԙ9PD*okX]qEEyཊ]g'9E[lتK`64su1V b\.L5dTWE({cu$*c{ M=f ADfӟwLj;.Utip*{r᨞0U*Nʞ蟊9O VqOw:^j~ܰ y_ i?z-wSF^z9T7}@01-GԠ~3& ^29 ZW6r1>:h깺{)fVefVT'ʺbZOG>W\:"-ؚf5&XRov ỔZkg6R-/3ɏ#&) Uwty(M8UahWS6t_(s9jzn3^Va}+37mk™|uh ΔcOsT='gXcmcpfD1eK$ys|.?!wX~DFvfƅbչ~ۚ᥺ &N$;6g!!˗r,L?o6,:FcG)\I֊6ENXn˻"7'C$qd >7_ A?sOw)\Pj#򻎈D.m/gy<9 Lyr>ƟBFLJ험;gwfk.쯨 m➱F˕){P\X5g?2đ*"DXJ+׀_Ij|ƜI|yvRb`zcN?:LmCݭ.X(@Ժ zR$$_HV j4*C) ֎<$ALz;+˔f=ۀ'lh;͸F$Y MTǪǎ# 7LՌ6|f[{rn!PV|=y@W">,&1bkzDз`,f_k@:f4b18_wE(/`ݍA40Mv%m1:@8g\6~),@M;AKN&w`u~ mlE2VYbI~^8ld#/JBJ=cTvzE.-)jJ{9o5D\1Y9OM4"?^m|c$uxp#[Ld“`jVnጮֻ7&[xCCKKv+8,>S.I ys2 :۾{kcE6QUKoWA4,'}Y<c2)pPlm17Ӳ@)%Ul~y OWa\{ Yy0?a0yxT%j箪hJ] N[)采0rlVJ? <}zVU~Q&V&.( 7AcD_I>.׻2NiOmu',8YǶ ZEb wrcR9wNmZ6pfZy'<^Bĕ7E&knWD,6:*5rհɢL5i@YHAN!(rfurlR3adb+pΎ P龨TIӛDy)dɚp1MY{AyA+:N`}kUna5LY5ɇ7q_N&O Iq5hYzڻ_F[iْ)1B1׳s[lܥ ]T400Я@e3Jr .NytVZ6KJT-swaT$Pt O"Ir1YITї=tzþlvwc6HG}NL.P%2k$h:2|uV3 *#J72<&/5aj5dU@Q@l;a85̰WJ635tnPZ%>= 4]<f9F}UJ#?y :9S[..''+;7&_Y&won𝘻1,Ȣoz24| ڨaC= +FF~ uzZ1&Pi?3/-1Yv;Gd%&((?~w _n?2:QU kM,SqA S,T|Tq!)V~T%]P5h*ܔw`W(D* 9.22i} |5Y^7;G\T)nAghq 6%N9<- ypUr^ o~ 퍮OyNo.U@"CUD_)OuUSA榃#|N?m\"l껗@F0c;̥ QBK|AXB Y,ʒnrs(sKy4w֮؜KEHlE(8N5 M9:m(owD}x*mtelc)c~Y,p!󐂳 ZQ Qs C iL@zLי `ZR6(kz:m;`閄ƪw"fG@Y<56g/u0+$"gӗA݅WCwhۑ ñu*s2Og+yi{+Oʘ%@ |3bF<218 귿gUW52JBo'1erG^HHg {aw%0:!oI;O5k]]eBjLG"UP%Jakb[m96X] 4SidYmyx=%Zۣ+5PCŌMjbC5z*ZMtYpu;x`gOsoE*D_sFcφJcXʖl) W˷9Cjok%IQh iEݵ0ni2`GsBr!p0 1j!L7z`wH>>&]nsvN>A g`!粚I͗Sm]NJHXsÀQ)@&疱8t7ߴ zO];~jwlP_sQMi]\PaB {b1D0ɩ j9c/s_L ÷'!ㅐe7$[|u9H2 05REH5wbzd#r<ChRNry6(պcU Hipi,"ٗ`[_tuO WP;7PRdpr )vy޳(jQb}wY@FiL -0 &6 Ϭڳo_^w"YsSN/,pE]˦4.w7⌈z{Ե3Ӿe_@ޣнF}\-{rj;1W_>?xBE6S+ʓ9ax@3p? Ъ<~@IJ#v nQ]\"uz-8oom;fsQ䞝U֔U=#Wea΀֒at4-m] u ›LcbŽ xAR},U%,.jKwqQ(48^BZ<…)>Xph#%zT -IDu n_-mﳤ=Zѩkj-Q!U Rz $\F}RD.b$6l_.Vb6'BT" mwys!ZPRGQħ;phwa)"QgCkT"z\ǵk'P̽kg o4yg U^R0I|=hʌ]_1Ƈ[yd+MdOI=yDo9GԀE5rŎ<6F@nuOPڣI5*4[Ѧ—C 5_kSG,1k(cڍ)JHPz e05cR} wcp//t^ N4mAP祛fmwɳHjnI/tyF;uXcc 1=O^'eiIV~eȴaA,ga8)TGt Z%Eh}aLNXƣ--QezW&0gى27Ex^䝇b%}Y^7}0ȇu-a =u}Ko}Gx=.FMp6m gA H{J${z]]l*=8D+1sDR0֐W¶HBZѷ9+UjFcie~j_@"XQ-:k-8F_O:XL,Uଔi3m^@O{ 50*/=$ēݚk?.q*$KGlwBla36ݠR  #1!񝊭7szVH,hӑj.;YuU7ivgwјz$hJ_l+=ϿT߬T[d&p|H[X(_Eڕ7H&5a)5b\'3;F-%4Wjn5Ptiu^7 *h*S8-+{ȚIB<*US~\@?\hG)1B5J368]Θ0H0xd?O2 mJBALSH7D8k%sS(\ ۥ"abw:$ G_VC[Xe,Tz9A,lN̸cVQ*Z?b#kɖ^t,A͏7۾v8n54iaMd \/ak Rq9rJ!bL$SYUh]L5}x8^y\;s17f-rW,rGCaxhPB/4\IPdKV+#? aa\0*dgG:txJ-cBJ(Vp\^9 zhO,k<2wق LԭV>,kO e2YN`C2i2R\.[TPPxyUȤaY.Cvbx'窎5tJ,_bLK#s, B7Ha ĕڻmI4Uqim&U'7,SqCmb?ĵ[= Nq'ԭc ΁Lڦ ;pFWw.R0Aֿ5jRgl"5^LΦO\(P.LS +',-OK4Ѿ4fSu/̛(+ܸ㊭Ц Pe%c;Ïb˼lE*Fn1X]11ͪ7)LB4s9vMu9nAz\(@m xi/rfl Eʺ L<ӻ3%+d?ͺ;Η/,ƺMh@J4n`' }15:"3ߦ2(hG]X'BPG^leHQO,V Xw <B>SW0a Ap\#S\e9kZ3hg$J,gj`f! N ),{ߨ@vP NrGZz"4?Ac~% ୞N, qՙkI!P` ލ IpzdEE 80}4C1r_8i2d̹Yu>?c8՚Gǝ`|3R>*_eFLzr7;8w){G(V *qI1m.2*yry}QϭH ˛a/aO\Z{ -R%ܳ,E>·#;~$^󖙇?q=mzǑ;t3 +^K81LcG7-(oD#Ɩ eY` -rfu~OU=@mzAƂe h-VthP68'gl>oC%eaıbJl'UycؼPt{ FKQ8ՂQ; |l~v]7*/9r:GcGWɆإ[$,?;߭b 6YNF׏ՙiస'/xB,yw 骖7R䆆TJh/M. UmQ_@1Et RBb%̔2>ni;IU2M ptTzͧԁiw,8'_s:. ۝ *0IcnUqoUUκ *$ժPÃE{G6TzmjFIդ axCO1C>acM洑>Z\-eѲۣ'JoZGHV ׉֝~wdO iP?=|P)@4SI?;PG A~2lY#L ǭKykQji= 藺n'퍝H.EN4 SPO7QSI Yo}Ct N R²V@<ot(dDvxs‹d SVh$!X!`K|!U"l =9ON;y5D6O'>o-pu6ga@z{cO'̐ e1y"h+I&OPcvysCŻRxc6du١|Yr̻xuCYf.}~!SMQru1h(@U/^9隆qt CMFE0sqWZZcHpz''.L2S'A#8^Ei(\E)Aɖ^Lq W@z%ɏ~ǼlM2ǂ,&wG*J^~bּĂ֓S4Yn^Q#y:̞uŅ~H'{~寤&GZw:y Z鱢wuZW:uTRB$pHaUCZPQG94%5 v(+d  ;Ηyp\gL/>A4}'v}籾~ e_ !=y~ &3_fr)72;`O2^}y,:cJ^Gq}#JݢSHkdrL,Gřon^Zե"OPoa5<`䠁Q5 jV$ _𤿚^4924"̱xHeT,;NhOkO{yː[CN--}l-B>\\Eefn%}yj91@pgoظƉ$^!i\?9j'6cj:; E,Ŕ(%ęh4ng@f |3)p|Ł镊Yr;5BIP}<߸'ORHY8%=h\¨ewGj9lE.xL{JÒ55}_$5罝`.K<=` :rXqFg(~6P뭼"DeZz|4|xl[$zaX'6!D "l0Y'<_mEaAr>׹{rӦjT"yW,^˻.84J@' ڱӝOyeuEvc]kMϏʩH# 8oǃ7io \D9h|pĒl׫F)MiI0 J =:xC5~ԝ⼓fE0h&C&W%Z&XKY΍#zPӥ&u{|^ `ٰϩCP!3xtiV?kEe;Bٚ(V40C Y.g->U}whQf'd`2u#2lK*(` >` Nlmcz_jqǗ6-IS.>Dri9f7笤i% 0Qm.{7`k q3%'j!mM h]nd crQ'ه,#VLɋ[V|r hܻhZ~lB|d|:N.:P“Fw(|.q^(ǞCyJVĩm ɝ!KH NIY/@cA <e %9Xwb]̠J4'jLD3iV+ܩeV`x)0eKntA[UT8@sɡGKk+GXLQШpPH'!S_~ ֋@ #"/ګfYK;42[|ΣIL'l׉ m]ݒِY:&E<)]<_w11-8U6} >i^b] VCۧΆo d4 rc~7 {Įw 1 0Eu/  -+C7~ Ӝb 5⭭As >%KsvPVGr*\]$9w블")׋e8G)2w"&Ew.3fSyYAQYzuGw}EM% j!Vm;[n>!E.cex{8܋IF^u{E AFL _yS}dwP.`xs XkԆ B , IߥxAX4ZWƒ8|-'=R4ҝt$ /ۡUqiR7:xGn߄[A 83AcIqmr/qV ֍'(zS,*$ϷM0i3;Gp +l&l "3/oO 29hv (X&YIq8g(?h$#@bU뚚'i\xE{#Q:xwkР>f!e4\iqΔoj "h,' (9Bh1O T>0[O{^\6IJV41%4aǭ Zn^^Bi-^Zq/=˯UJwHij=C kN`jѡEEq%ڡMx2n_G0cJNh\U+֋C$ R8 IWbh&D%G=q<|?1i;ҠTݏNAtLoSxC [f.g2N}-16k*9¶KЭy28܀.w!V/GS*!Lgf*˽ ,$ :'@}ϋIXP\- $5yɮSFp/mn =D{E9?cgţz ~m b-y2=+řRD+ʭ#Bl~Vx+S R42[2lUop@BJ58;{LFA[ċ:OmȖ_a!'N &6MoL }HG2zz)<>"[jE]{u,.,7Н0mi;.^Z `YlgtR/4{UUdclOh-tȺ1#H,ы\+)0Mm 3yoDdkQmdK]J /ǒXc֗|).ZX]A]`oV VUvԤ~f"ih]bK+58ub3\ WNTr$khx(hاC4/_YW46ϸ]-׽*F" Gm>$T;0J6h_cb?[乐ދ|]jهbc.f5K@Cîc˘|tk@>kr~@2\ɘ#D*)Gn&ߠdWf$<PэiM.-H5C ض}F @#0fQ:)+rzSz>5|rZ:fhBąz.tFt< (n6˪|*4 ;yxݍ >?[67lK;i[O2ǂdpV__גyfY-]N|sD 2FUO EIyoL{FGHt^G闑:-l RQ٤=?5O { l'J2esu"t?\N5($K;W[U] }ZfM3-N[2gIFO%9E0LBȫ,q~'گKj 6#bh(%.\pkGgC-Sb1땃{v]徣Q.(k \ ʯayĥ[OK)\ьQMzۨUX&_&7oUБ15>8gg5LGb+ gld+!2qoq/ĐUj#X8 }Tg_2Hcvc5dG\D{~R<̟"U1y"ok*@q[hZ,C #[J4 {< n60uO)f)d.:!hATŅ(qdhLO5: fG 6pU CpoXF/d9:u*@/'̮ZqhA}Z:2O̢QVWHrqcb@12qyhg5Us޼b!O'|y WRmJD )ń4q_\sil8_g1jY>>`TtW~uHZɺU?u]l i矜P[CydSE ^o ̽d5كhׁVDM~vИCحlkg.9Uf#~%uR;l3b=L>azͨ`7dQɌi**{0 ]w{(mm]aњb#N&zȉzduBoC_Dj EE[@[+clă3|0wpORֆd\W7r:*&^*ܭ#^=X=YqmJ)P~|𪗿|RѼˬG (9rFlp34k W( nJ˒ڕ4["&2yFAČ&9xJ GmYX>߱&h$^cxRx6"WJrEw1ߥFceOx