ipa-server-trust-ad-4.9.2-3.module_el8.5.0+750+c59b186b >  A `eFU]RP;w*/8WAZh=(kgk# 6A d_I:2aFjj S+9n^U$&!wGrSJ #~y+*+|LU5dl=oZ'g"KJ ?x)?Ț)GՠVCY ݦbt nc͆\T qEgY a any땦a93wbdنNB4l.l4cN:j" d]J+$,ȝ*K&+LL ֟Yեn_J_\u #ف52䙑MHV1 Ff`K'*EPӴ/z٪24sB\Ña;z{Tz77i]'n##c֖bPmLnsթu2&W!@$,8eM Q,ܳ U70Ʀ`Gw+G髖en7f+&Fo&oƬ2857381343992672e43d781bccde5cc7c28d3a7b3ac5403cf96f716b898ac1c17b24876f570ac645191324a86f51d6703b374c08c`eFU]v6Z?ץu83[uw_ҵjBBdރDC 72W F%3Ufߣ N ^F13@ hWb2Z1%>qmD*y egڅ'U@.mQ/{lԉ)1Dc\l>pKr?rd : 04LPW^e r4   $ 8  `   D ; ;v;4(58<g9g:Zg>f?f@fBfGgHg`IgXgYgZh$[h,\h8]h^jbkdlelfllltlumLvm woxoypHBqPr]rhrlrrrrCipa-server-trust-ad4.9.23.module_el8.5.0+750+c59b186bVirtual package to install packages required for Active Directory trustsCross-realm trusts with Active Directory in IPA require working Samba 4 installation. This package is provided for convenience to install all required dependencies at once.`ex86-01.mbox.centos.orgP%CentOSCentOSGPLv3+CentOS Buildsys Unspecifiedhttp://www.freeipa.org/linuxx86_64/usr/sbin/update-alternatives --install /usr/lib64/krb5/plugins/libkrb5/winbind_krb5_locator.so \ winbind_krb5_locator.so /dev/null 90 /bin/systemctl reload-or-try-restart dbus /bin/systemctl reload-or-try-restart oddjobdif [ $1 -eq 0 ]; then /usr/sbin/update-alternatives --remove winbind_krb5_locator.so /dev/null /bin/systemctl reload-or-try-restart dbus /bin/systemctl reload-or-try-restart oddjobd fi # ONLY_CLIENTif [ "$1" -ge "1" ]; then if [ "`readlink /etc/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then /usr/sbin/alternatives --set winbind_krb5_locator.so /dev/null fi fiy4)ˆ%T$ . K hAAA큤A큤A큤`*`eK`e{`e{`e{`e{`e{`eW`eV`eW`eK`eK`e{`*`*`*`*`e{`*`*3fba2a8da609c2de4df08f22d567b5c1292f0a56e5a0c2636ba6c1040a28b7400ad643bf46af7841cd833430676e6935b2694b67410ec65934e286a5c79d538f5a23e6290af09c185e36cdd781e5d8d261165fcabe4d062f980b692e92ae10696d345c7fd34741ca33c77fc854ed805d57d803786c1450508163c19d8259361d5e1c7047a4b0ffae93bf4243df30996d90a21b9d4db6dd27298b12f53b3d134161ac691c92409e9452098f0e9c07d05d0937a42e677060818fce240d300cda791d31a60f88986b989177c2794986c76f03cd9498e9ced0f1c0b021f9965cb96612f4c8a0bcff7a1a403557f636e75450d2731d4e879606acca2ee1f77c020e37b5690db4bf4b4d858259489f133a17764d2073ff8c73402ed1aacfd1788f16b28f8c32ff48bae57e2b73c9c795cc211125ab1a65f13a2fb309e58e8ceda9ac918ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903f6340803f3e0fdeab41c14b8ddcfc73601dc5e09056f29e624fd55d6c86f57af../../../../usr/lib64/dirsrv/plugins/libipa_cldap.so../../../../usr/lib64/samba/pdb/ipasam.so@rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootipa-4.9.2-3.module_el8.5.0+750+c59b186b.src.rpmfreeipa-server-trust-adipa-server-trust-adipa-server-trust-ad(x86-64)libipa_cldap.so()(64bit)  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    @ /bin/sh/bin/sh/bin/sh/bin/sh/usr/libexec/platform-python/usr/sbin/update-alternatives/usr/sbin/update-alternatives/usr/sbin/update-alternativesipa-commonipa-serverlibc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libc.so.6(GLIBC_2.8)(64bit)libcom_err.so.2()(64bit)libcrypto.so.1.1()(64bit)libcrypto.so.1.1(OPENSSL_1_1_0)(64bit)libk5crypto.so.3()(64bit)libk5crypto.so.3(k5crypto_3_MIT)(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)liblber-2.4.so.2()(64bit)libldap_r-2.4.so.2()(64bit)libndr-nbt.so.0()(64bit)libndr-nbt.so.0(NDR_NBT_0.0.1)(64bit)libndr.so.1()(64bit)libndr.so.1(NDR_0.0.1)(64bit)libpwquality.so.1()(64bit)libpwquality.so.1(LIBPWQUALITY_1.0)(64bit)libsamba-passdb.so.0()(64bit)libsamba-passdb.so.0(SAMBA_PASSDB_0.2.0)(64bit)libsamba-util.so.0()(64bit)libsamba-util.so.0(SAMBA_UTIL_0.0.1)(64bit)libsmbconf.so.0()(64bit)libsmbconf.so.0(SMBCONF_0)(64bit)libsmbldap.so.2()(64bit)libsmbldap.so.2(SMBLDAP_0)(64bit)libsmbldap.so.2(SMBLDAP_1)(64bit)libsmbldap.so.2(SMBLDAP_2)(64bit)libsss_idmaplibsss_idmap.so.0()(64bit)libsss_idmap.so.0(SSS_IDMAP_0.4)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtevent.so.0()(64bit)python3python3-libsss_nss_idmappython3-sambapython3-sssrpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)rtld(GNU_HASH)sambasamba-winbind4.9.2-3.module_el8.5.0+750+c59b186b4.9.2-3.module_el8.5.0+750+c59b186b3.0.4-14.6.0-14.0-15.2-14.12.3-12freeipa-server-trust-ad4.14.3`T@`@`*b@`U_@__@_$_$_@_@_Z@_=@_:q@_$__ @^@^^^^^?@^^J@^J@^1s^!]]]]]߶]]]҇]A]g@]Z@]UI@]R@]D%]@1@]-@],j]]\@\@\!\\v{\=@\@W@V@VVZV@U@UYU@Uݪ@Uݪ@Uݪ@UoUU(UK@Ub@UJ@UU @U hTE@T T}TTZ@TZ@Tp@T5T@TuTto@TsTl@Td@Ta@T[bTG@TG@TFJT)IT%U@T$TSS:@S2@S1oS!S!S L@S L@Sc@SS @Rb@R@R@RUR@RRx@RR=RʚRƦ@RkRv@RG@RiRz/@RxRsRo@Ro@R^RW@RNR@-@R/ R-@R(r@R7RZ@R R R@R@R@R@R@R6QQQ'@Q@QvwQu&@Qm=@QZ@QVQ(@Q@PPPPPx@Px@PnPj@P\VPG>P@@P4P.2@PP @M6@M.@M.@M.@M-M M@L!LfLNLdLLLzLe3La?@LD>@L#HL#HL@K/KՀ@KK@KKs@Kie@K`*KK@K @JJ@J@J@JJB@J{IIIm@I1Iq@IKIFFI9I1.Ih@IIP@H@HXHO@H-w@H HHH@G߮GGgGs@G@G@G@G}G}G}GG@GC@GkGDG<4G)G(n@G3G@GJF@FS@FFuF@Thomas Woerner - 4.9.2-3Thomas Woerner - 4.9.2-2Alexander Bokovoy - 4.9.2-1Alexander Bokovoy - 4.9.1-1Thomas Woerner - 4.9.0-1Thomas Woerner - 4.9.0-0.5.rc3Alexander Bokovoy - 4.9.0-0.3.rc2Thomas Woerner - 4.9.0-0.2.rc2Thomas Woerner - 4.9.0-0.1.rc1Thomas Woerner - 4.9.0-0.rc1Thomas Woerner - 4.8.7-11Thomas Woerner - 4.8.7-10Thomas Woerner - 4.8.7-9Thomas Woerner - 4.8.7-8Thomas Woerner - 4.8.7-7Thomas Woerner - 4.8.7-6Thomas Woerner - 4.8.7-5Thomas Woerner - 4.8.7-4Thomas Woerner - 4.8.7-3Thomas Woerner - 4.8.7-2Thomas Woerner - 4.8.7-1Thomas Woerner - 4.8.6-2Thomas Woerner - 4.8.6-1Thomas Woerner - 4.8.4-6Thomas Woerner - 4.8.4-5Thomas Woerner - 4.8.4-4Alexander Bokovoy - 4.8.4-3Thomas Woerner - 4.8.4-2Thomas Woerner - 4.8.4-1Thomas Woerner - 4.8.3-3Thomas Woerner - 4.8.3-2Alexander Bokovoy - 4.8.3-1Alexander Bokovoy - 4.8.2-4Thomas Woerner - 4.8.2-3Thomas Woerner - 4.8.2-2Thomas Woerner - 4.8.2-1Thomas Woerner - 4.8.0-10Thomas Woerner - 4.8.0-9Thomas Woerner - 4.8.0-8Thomas Woerner - 4.8.0-7Thomas Woerner - 4.8.0-6Thomas Woerner - 4.8.0-5Alexander Bokovoy - 4.8.0-4Alexander Bokovoy - 4.8.0-3Thomas Woerner - 4.8.0-2Thomas Woerner - 4.8.0-1Alexander Bokovoy - 4.7.90-3Alexander Bokovoy - 4.7.90-2Thomas Woerner - 4.7.90-1Alexander Bokovoy - 4.7.1-12Rob Crittenden - 4.7.1-11Christian Heimes - 4.7.1-10Thomas Woerner - 4.7.1-9Christian Heimes - 4.7.1-8Thomas Woerner - 4.7.1-7.el8Lumír Balhar - 4.7.1-6.el8Alexander Bokovoy - 4.7.1-5.el8Alexander Bokovoy - 4.7.1-4.el8Thomas Woerner - 4.7.1-3.el8Alexander Bokovoy - 4.7.1-2.el8Alexander Bokovoy - 4.7.1-1.el8Tomas Orsava - 4.7.0-6.el8Rob Crittenden - 4.7.0-5.el8Rob Crittenden - 4.7.0-4.el8Thomas Woerner - 4.7.0-3.1.el8Thomas Woerner - 4.7.0-3.el8Alexander Bokovoy - 4.7.0-2.el8Rob Crittenden - 4.7.0-1.el8Rob Crittenden - 4.6.90.pre1-2.el8Rob Crittenden - 4.6.90.pre1-1.el8Troy Dawson - 4.5.4-5.el8.1Alexander Bokovoy - 4.5.4-5.el7Pavel Vomacka - 4.5.4-4.el7Rob Crittenden - 4.5.4-3.el7Felipe Barreto - 4.5.4-2.el7Pavel Vomacka - 4.5.4-1.el7Felipe Barreto - 4.5.0-21.el7.2.2Felipe Barreto - 4.5.0-21.el7.2Pavel Vomacka - 4.5.0-21.el7.1.2Pavel Vomacka - 4.5.0-21.el7.1.1Pavel Vomacka - 4.5.0-21.el7.1Pavel Vomacka - 4.5.0-21.el7Pavel Vomacka - 4.5.0-20.el7Pavel Vomacka - 4.5.0-19.el7Pavel Vomacka - 4.5.0-18.el7Pavel Vomacka - 4.5.0-17.el7Pavel Vomacka - 4.5.0-16.el7Pavel Vomacka - 4.5.0-15.el7Pavel Vomacka - 4.5.0-14.el7Pavel Vomacka - 4.5.0-13.el7Pavel Vomacka - 4.5.0-12.el7Jan Cholasta - 4.5.0-11.el7Jan Cholasta - 4.5.0-10.el7Jan Cholasta - 4.5.0-9.el7Jan Cholasta - 4.5.0-8.el7Jan Cholasta - 4.5.0-7.el7Pavel Vomacka - 4.5.0-6.el7Jan Cholasta - 4.5.0-5.el7Jan Cholasta - 4.5.0-4.el7Jan Cholasta - 4.5.0-3.el7Jan Cholasta - 4.5.0-2.el7Jan Cholasta - 4.5.0-1.el7Jan Cholasta - 4.4.0-14.7Jan Cholasta - 4.4.0-14.6Jan Cholasta - 4.4.0-14.5Jan Cholasta - 4.4.0-14.4Jan Cholasta - 4.4.0-14.3Jan Cholasta - 4.4.0-14.2Jan Cholasta - 4.4.0-14.1Jan Cholasta - 4.4.0-14Jan Cholasta - 4.4.0-13Petr Vobornik - 4.4.0-12Jan Cholasta - 4.4.0-11Jan Cholasta - 4.4.0-10Jan Cholasta - 4.4.0-9Jan Cholasta - 4.4.0-8Jan Cholasta - 4.4.0-7Jan Cholasta - 4.4.0-6Jan Cholasta - 4.4.0-5Jan Cholasta - 4.4.0-4Jan Cholasta - 4.4.0-3Petr Vobornik - 4.4.0-2.1Petr Vobornik - 4.4.0-2Jan Cholasta - 4.4.0-1Jan Cholasta - 4.4.0-0.2.alpha1Jan Cholasta - 4.4.0-0.1.alpha1Jan Cholasta - 4.3.1-0.201605241723GIT1b427d3.1Jan Cholasta - 4.3.1-0.201605241723GIT1b427d3Jan Cholasta - 4.3.1-0.201605191449GITf8edf37.1Jan Cholasta - 4.3.1-0.201605191449GITf8edf37Jan Cholasta - 4.2.0-16Jan Cholasta - 4.2.0-15Jan Cholasta - 4.2.0-14Jan Cholasta - 4.2.0-13Jan Cholasta - 4.2.0-12Jan Cholasta - 4.2.0-11Jan Cholasta - 4.2.0-10Jan Cholasta - 4.2.0-9Jan Cholasta - 4.2.0-8Jan Cholasta - 4.2.0-7Jan Cholasta - 4.2.0-6Jan Cholasta - 4.2.0-5Jan Cholasta - 4.2.0-4Jan Cholasta - 4.2.0-3Jan Cholasta - 4.2.0-2Jan Cholasta - 4.2.0-1Jan Cholasta - 4.2.0-0.2.alpha1Jan Cholasta - 4.2.0-0.1.alpha1Jan Cholasta - 4.1.0-18.3Alexander Bokovoy - 4.1.0-18.2Jan Cholasta - 4.1.0-18.1Martin Kosek - 4.1.0-18Jan Cholasta - 4.1.0-17Jan Cholasta - 4.1.0-16Jan Cholasta - 4.1.0-15Jan Cholasta - 4.1.0-14Jan Cholasta - 4.1.0-13Jan Cholasta - 4.1.0-12Jan Cholasta - 4.1.0-11Jan Cholasta - 4.1.0-10Jan Cholasta - 4.1.0-9Jan Cholasta - 4.1.0-8Jan Cholasta - 4.1.0-7Jan Cholasta - 4.1.0-6Jan Cholasta - 4.1.0-5Jan Cholasta - 4.1.0-4Jan Cholasta - 4.1.0-3Jan Cholasta - 4.1.0-2Jan Cholasta - 4.1.0-1Jan Cholasta - 4.1.0-0.1.alpha1Petr Vobornik - 4.0.3-3Jan Cholasta - 4.0.3-2Jan Cholasta - 4.0.3-1Martin Kosek - 3.3.3-29Martin Kosek - 3.3.3-28Martin Kosek - 3.3.3-27Martin Kosek - 3.3.3-26Martin Kosek - 3.3.3-25Martin Kosek - 3.3.3-24Martin Kosek - 3.3.3-23Martin Kosek - 3.3.3-22Martin Kosek - 3.3.3-21Martin Kosek - 3.3.3-20Martin Kosek - 3.3.3-19Martin Kosek - 3.3.3-18Martin Kosek - 3.3.3-17Martin Kosek - 3.3.3-16Daniel Mach - 3.3.3-15Martin Kosek - 3.3.3-14Martin Kosek - 3.3.3-13Martin Kosek - 3.3.3-12Martin Kosek - 3.3.3-11Martin Kosek - 3.3.3-10Martin Kosek - 3.3.3-9Martin Kosek - 3.3.3-8Daniel Mach - 3.3.3-7Martin Kosek - 3.3.3-6Martin Kosek - 3.3.3-5Martin Kosek - 3.3.3-4Martin Kosek - 3.3.3-3Martin Kosek - 3.3.3-2Martin Kosek - 3.3.3-1Martin Kosek - 3.3.2-5Martin Kosek - 3.3.2-4Martin Kosek - 3.3.2-3Martin Kosek - 3.3.2-2Martin Kosek - 3.3.2-1Martin Kosek - 3.3.1-5Martin Kosek - 3.3.1-4Martin Kosek - 3.3.1-3Martin Kosek - 3.3.1-2Rob Crittenden - 3.3.1-1Rob Crittenden - 3.3.0-7Martin Kosek - 3.3.0-6Martin Kosek - 3.3.0-5Martin Kosek - 3.3.0-4Martin Kosek - 3.3.0-3Martin Kosek - 3.3.0-2Martin Kosek - 3.3.0-1Martin Kosek - 3.3.0-0.2.beta2Martin Kosek - 3.3.0-0.1.beta2Martin Kosek - 3.2.2-1Martin Kosek - 3.2.1-1Rob Crittenden - 3.2.0-2Rob Crittenden - 3.2.0-1Rob Crittenden - 3.2.0-0.4.beta1Rob Crittenden - 3.2.0-0.3.beta1Rob Crittenden - 3.2.0-0.2.beta1Martin Kosek - 3.2.0-0.1.pre1Kevin Fenzi 3.1.2-4Kevin Fenzi - 3.1.2-3Fedora Release Engineering - 3.1.2-2Rob Crittenden - 3.1.2-1Martin Kosek - 3.1.0-2Rob Crittenden - 3.1.0-1Martin Kosek - 3.0.0-3Rob Crittenden - 3.0.0-2Rob Crittenden - 3.0.0-1Rob Crittenden - 3.0.0-0.10Martin Kosek - 3.0.0-0.9Rob Crittenden - 3.0.0-0.8Rob Crittenden - 3.0.0-0.7Rob Crittenden - 3.0.0-0.6Alexander Bokovoy - 3.0.0-0.5Rob Crittenden - 3.0.0-0.4Martin Kosek - 3.0.0-0.3Alexander Bokovoy - 3.0.0-0.2Rob Crittenden - 3.0.0-0.1Rob Crittenden - 2.2.0-1Rob Crittenden - 2.1.90-0.2Rob Crittenden - 2.1.90-0.1Alexander Bokovoy - 2.1.4-5Martin Kosek - 2.1.4-4Alexander Bokovoy - 2.1.4-3Alexander Bokovoy - 2.1.4-2Rob Crittenden - 2.1.4-1Rob Crittenden - 2.1.3-8Alexander Bokovoy - 2.1.3-7Alexander Bokovoy - 2.1.3-6Fedora Release Engineering - 2.1.3-5Alexander Bokovoy - 2.1.3-4Alexander Bokovoy - 2.1.3-3Alexander Bokovoy - 2.1.3-2Alexander Bokovoy - 2.1.3-1Alexander Bokovoy - 2.1.2-1Rob Crittenden - 2.1.0-1Simo Sorce - 2.0.1-2Rob Crittenden - 2.0.1-1Rob Crittenden - 2.0.0-1Rob Crittenden - 2.0.0-0.4.rc2Rob Crittenden - 2.0.0-0.3.rc1Rob Crittenden - 2.0.0-0.1.rc1Fedora Release Engineering - 2.0.0-0.2.beta2Rob Crittenden - 2.0.0-0.1.beta2Rob Crittenden - 2.0.0-0.2.beta.git80e87e7Rob Crittenden - 2.0.0-0.1.beta.git80e87e7Rob Crittenden - 1.99-41Adam Young - 1.99-40Simo Sorce - 1.99-39Simo Sorce - 1.99-38Rob Crittenden - 1.99-37Rob Crittenden - 1.99-36Rob Crittenden - 1.99-35Jr Aquino - 1.99-34Simo Sorce - 1.99-33Rob Crittenden - 1.99-32Rob Crittenden - 1.99-31Rob Crittenden - 1.99-30Rob Crittenden - 1.99-29Rob Crittenden - 1.99-28Rob Crittenden - 1.99-27Rob Crittenden - 1.99-26Rob Crittenden - 1.99-25Adam Young - 1.99-24Rob Crittenden - 1.99-23Rob Crittenden - 1.99-22Rob Crittenden - 1.99-21Rob Crittenden - 1.99-20Rob Crittenden - 1.99-19Jason Gerard DeRose - 1.99-18Jason Gerard DeRose - 1.99-17Jason Gerard DeRose - 1.99-16Rob Crittenden - 1.99-15Jason Gerard DeRose - 1.99-14Rob Crittenden - 1.99-13Rob Crittenden - 1.99-12Rob Crittenden - 1.99-11Rob Crittenden - 1.99-10Rob Crittenden - 1.99-9Jason Gerard DeRose - 1.99-8Rob Crittenden - 1.99-7Rob Crittenden - 1.99-6Rob Crittenden - 1.99-5Rob Crittenden - 1.99-4Rob Crittenden - 1.99-3Rob Crittenden - 1.99-2Rob Crittenden - 1.99-1Tomas Mraz - 1.2.1-3Dan Walsh - 1.2.1-2Simo Sorce - 1.2.1-1Simo Sorce - 1.2.1-0Ignacio Vazquez-Abrams - 1.2.0-4Simo Sorce - 1.2.0-3Simo Sorce - 1.2.0-2Rob Crittenden - 1.2.0-1Simo Sorce - 1.1.0-3Rob Crittenden - 1.1.0-2Rob Crittenden - 1.1.0-1Rob Crittenden - 1.0.0-5Rob Crittenden - 1.0.0-4Rob Crittenden - 1.0.0-3Rob Crittenden - 1.0.0-2Rob Crittenden - 1.0.0-1Rob Crittenden 0.99-12Rob Crittenden 0.99-11Rob Crittenden 0.99-10Rob Crittenden 0.99-9Rob Crittenden 0.99-8Rob Crittenden 0.99-7Rob Crittenden 0.99-6Rob Crittenden 0.99-5Rob Crittenden 0.99-4Rob Crittenden 0.99-3Rob Crittenden 0.99-2Rob Crittenden 0.99-1Rob Crittenden - 0.6.0-2Karl MacMillan - 0.6.0-1Karl MacMillan - 0.5.0-1Rob Crittenden - 0.4.1-2Karl MacMillan - 0.4.1-1Karl MacMillan - 0.4.0-6Rob Crittenden - 0.4.0-5Rob Crittenden - 0.4.0-4Karl MacMillan - 0.4.0-3Karl MacMillan - 0.4.0-2Karl MacMillan - 0.2.0-1Rob Crittenden - 0.1.0-3Rob Crittenden - 0.1.0-2Karl MacMillan - 0.1.0-1- ipa-client-install displays false message 'sudo binary does not seem to be present on this system' Resolves: RHBZ#1939371- Sync ipatests from upstream to RHEL packages for FreeIPA 4.9 branch Resolves: RHBZ#1932289 - Fix krb5kdc is crashing intermittently on IPA server Resolves: RHBZ#1932784- Upstream release FreeIPA 4.9.2 Related: RHBZ#1891832- Upstream release FreeIPA 4.9.1 Related: RHBZ#1891832- Upstream final release FreeIPA 4.9.0 Related: RHBZ#1891832- Upstream pre release FreeIPA 4.9.0rc3 Related: RHBZ#1891832- Remove ipa-server dependency from ipa-selinux subpackage - Related: RHBZ#1891832- Upstream pre release FreeIPA 4.9.0rc2 Related: RHBZ#1891832 - Synchronize spec file with upstream and Fedora Related: RHBZ#1891832 - Traceback while doing ipa-backup Resolves: RHBZ#1901068 - ipa-client-install changes system wide ssh configuration Resolves: RRBZ#1544379 - ipa-kdb: support subordinate/superior UPN suffixes Resolves: RHBZ#1891056 - KRA Transport and Storage Certificates do not renew Resolves: RHBZ#1872603 - Move where the restore state is marked during IPA server upgrade Resolves: RHBZ#1569011 - Intermittent IdM Client Registration Failures Resolves: RHBZ#1812871 - Nightly test failure in test_acme.py::TestACME::test_third_party_certs (updates-testing) Resolves: RHBZ#1903025 - Add IPA RA Agent to ACME group on the CA Resolves: RHBZ#1902727- Fix requirement for python3-kdcproxy, add no autoreqprov for ipatests sub package Related: RHBZ#1891832- Upstream pre release FreeIPA 4.9.0rc1 Resolves: RHBZ#1891832 - Requirements and design for libpwquality integration Resolves: RHBZ#1340463 - When parsing options require name/value pairs Resolves: RHBZ#1357495 - WebUI: Fix issue with opening links in new tab/window Resolves: RHBZ#1484088 - Use a state to determine if a 389-ds upgrade is in progress Resolves: RHBZ#1569011 - Unlock user accounts after a password reset and replicate that unlock to all IdM servers Resolves: RHBZ#1784657 - Set the certmonger subject with a string, not an object Resolves: RHBZ#1810148 - Implement ACME certificate enrolment Resolves: RHBZ#1851835 - [WebUI] Backport jQuery patches from newer versions of the library (e.g. 3.5.0) Resolves: RHBZ#1859249 - It is not possible to edit KDC database when the FreeIPA server is running Resolves: RHBZ#1875001 - Fix nsslapd-db-lock tuning of BDB backend Resolves: RHBZ#1882340 - ipa-kdb: support subordinate/superior UPN suffixes Resolves: RHBZ#1891056 - wgi/plugins.py: ignore empty plugin directories Resolves: RHBZ#1894800- SELinux Policy: let custodia replicate keys Resolves: RHBZ#1868432- Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations Resolves: RHBZ#1870202- CAless installation: set the perms on KDC cert file Resolves: RHBZ#1863616 - EPN: handle empty attributes Resolves: RHBZ#1866938 - IPA-EPN: enhance input validation Resolves: RHBZ#1866291 - EPN: enhance input validation Resolves: RHBZ#1863079 - Require new samba build 4.12.3-52 Related: RHBZ#1868558 - Require new selinux-policy build 3.14.3-52 Related: RHBZ#1869311- [WebUI] IPA Error 3007: RequirmentError" while adding members in "User ID overrides" tab (updated) Resolves: RHBZ#1757045 - ipa-client-install: use the authselect backup during uninstall Resolves: RHBZ#1810179 - Replace SSLCertVerificationError with CertificateError for py36 Resolves: RHBZ#1858318 - Fix AVC denial during ipa-adtrust-install --add-agents Resolves: RHBZ#1859213- replica install failing with avc denial for custodia component Resolves: RHBZ#1857157- selinux don't audit rules deny fetching trust topology Resolves: RHBZ#1845596 - fix iPAddress cert issuance for >1 host/service Resolves: RHBZ#1846352 - Specify cert_paths when calling PKIConnection Resolves: RHBZ#1849155 - Update crypto policy to allow AD-SUPPORT when installing IPA Resolves: RHBZ#1851139 - Add version to ipa-idoverride-memberof obsoletes Related: RHBZ#1846434- Add missing ipa-selinux package Resolves: RHBZ#1853263- Remove client-epn left over files for ONLY_CLIENT Related: RHBZ#1847999- [WebUI] IPA Error 3007: RequirmentError" while adding members in "User ID overrides" tab Resolves: RHBZ#1757045 - EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in freeipa-client-epn Resolves: RHBZ#1847999 - FreeIPA - Utilize 256-bit AJP connector passwords Resolves: RHBZ#1849914 - ipa: typo issue in ipanthomedirectoryrive deffinition Resolves: RHBZ#1851411- Remove ipa-idoverride-memberof as superceded by ipa-server 4.8.7 Resolves: RHBZ#1846434- Upstream release FreeIPA 4.8.7 - Require new samba build 4.12.3-0 Related: RHBZ#1818765 - New client-epn sub package Resolves: RHBZ#913799- Support krb5 1.18 Resolves: RHBZ#1817579- Upstream release FreeIPA 4.8.6 - New SELinux sub package to provide own module - Depend on selinux-policy-devel 3.14.3-43 for build due to a makefile issue in SELinux external policy support Related: RHBZ#1818765- Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit Resolves: RHBZ#1790663- Fixed weekday in 4.8.4-2 changelog date Related: RHBZ#1784003 - adtrust: print DNS records for external DNS case after role is enabled Resolves: RHBZ#1665051 - AD user without override receive InternalServerError with API Resolves: RHBZ#1782572 - ipa-client-automount fails after repeated installation/uninstallation Resolves: RHBZ#1790886 - install/updates: move external members past schema compat update Resolves: RHBZ#1803165 - kdb: make sure audit_as_req callback signature change is preserved Resolves: RHBZ#1803786- Update dependencies for samba, 389-ds and sssd Resolves: RHBZ#1792848- Depend on krb5-kdb-version-devel for BuildRequires - Update nss dependency to 3.44.0-4 - Reset per-indicator Kebreros policy Resolves: RHBZ#1784761- DNS install check: Fix overlapping DNS zone from the master itself Resolves: RHBZ#1784003- Rebase to upstream release 4.8.4 - Removed upstream patches 0001 to 0008 that are part of version 4.8.3-3 Resolves: RHBZ#1782658 Resolves: RHBZ#1782169 Resolves: RHBZ#1783046 Related: RHBZ#1748987- Fix otptoken_sync plugin Resolves: RHBZ#1777811- Use default crypto policy for TLS and enable TLS 1.3 support Resolves: RHBZ#1777809 - Covscan fixes Resolves: RHBZ#1777920 - Change pki_version to 10.8.0 Related: RHBZ#1748987- Rebase to security release 4.8.3 (CVE-2019-14867, CVE-2019-10195) Resolves: RHBZ#1767304 Resolves: RHBZ#1776939 - Support KDC ticket policies for authentication indicators Resolves: RHBZ#1777564- CVE-2019-14867: Denial of service in IPA server due to wrong use of ber_scanf() Resolves: RHBZ#1767304 - CVE-2019-10195: Don't log passwords embedded in commands in calls using batch Resolves: RHBZ#1776939- Use default ssh host key algorithms Resolves: RHBZ#1756432 - Do not run trust upgrade code if master lacks Samba bindings Resolves: RHBZ#1757064 - Finish group membership management UI Resolves: RHBZ#1773528- Update dependency for bind-dndb-ldap to 11.2-2 Related: RHBZ#1762813- Rebase to upstream release 4.8.2 - Removed upstream patches 0001 to 0010 that are part of version 4.8.2 - Updated branding patch Resolves: RHBZ#1748987- Fix automount behavior with authselect Resolves: RHBZ#1740167- extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT Resolves: RHBZ#1741530- FreeIPA 4.8.0 tarball lacks two update files that are in git Resolves: RHBZ#1741170- Allow insecure binds for migration Resolves: RHBZ#1731963- Fix --external-ca-profile not passed to CSR Resolves: RHBZ#1731813- Remove posixAccount from service_find search filter Resolves: RHBZ#1731437 - Fix repeated uninstallation of ipa-client-samba crashes Resolves: RHBZ#1732529 - WebUI: Add PKINIT status field to 'Configuration' page Resolves: RHBZ#1518153- Fix krb5-kdb-server -> krb5-kdb-version Related: RHBZ#1700121- Make sure ipa-server depends on krb5-kdb-version to pick up right MIT Kerberos KDB ABI Related: RHBZ#1700121 - User field separator uses '$$' within ipaSELInuxUserMapOrder Fixes: RHBZ#1729099- Fixed kdcproxy_version to 0.4-3 - Fixed krb5_version to 1.17-7 Related: RHBZ#1684528- New upstream release 4.8.0 - New subpackage: freeipa-client-samba - Added command ipa-cert-fix with man page - New sysconfdir sysconfig/certmonger - Updated pki_version, certmonger_version, sssd_version and kdcproxy_version Related: RHBZ#1684528- Fix upgrade issue with AD trust when no trust yet established Fixes: RHBZ#1708874 Related: RHBZ#1684528- Require certmonger 0.79.7-1 Related: RHBZ#1708095- Update to 4.7.90-pre1 Related: RHBZ#1684528 - Removed patches 0002 to 0031 as these are upsteram and part of 4.7.90-pre1 - Added new patches 0001-revert-minssf-defaults.patch and 0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch- Remove strict dependencies to krb5-server version in order to allow update of krb5 to 1.17 and change dependency to KDB DAL version. Resolves: RHBZ#1700121- Handle NFS configuration file changes. nfs-utils moved the configuration file from /etc/sysconfig/nfs to /etc/nfs.conf. Resolves: RHBZ#1676981- Fix systemd-user HBAC rule Resolves: RHBZ#1664974- Resolve user/group names in idoverride*-find Resolves: RHBZ#1657745- Create systemd-user HBAC service and rule Resolves: RHBZ#1664974 - ipaserver/dcerpc: fix exclusion entry with a forest trust domain info returned Resolves: RHBZ#1664023- Fix misleading errors during client install rollback Resolves: RHBZ#1658283 - ipa-advise: update url of cacerdir_rehash tool Resolves: RHBZ#1658287 - Handle NTP configuration in a replica server installation Resolves: RHBZ#1651679 - Fix defects found by static analysis Resolves: RHBZ#1658182 - ipa-replica-install --setup-adtrust: check for package ipa-server-trust-ad Resolves: RHBZ#1658294 - ipaldap: invalid modlist when attribute encoding can vary Resolves: RHBZ#1658302 - Allow ipaapi and Apache user to access SSSD IFP Resolves: RHBZ#1639910 - Add sysadm_r to default SELinux user map order Resolves: RHBZ#1658303 - certdb: ensure non-empty Subject Key Identifier and validate server cert sig Resolves: RHBZ#1641988 - ipa-replica-install: password and admin-password options mutually exclusive Resolves: RHBZ#1658309 - ipa upgrade: handle double-encoded certificates Resolves: RHBZ#1658310 - PKINIT: fix ipa-pkinit-manage enable|disable Resolves: RHBZ#1658313 - Enable LDAP debug output in client to display TLS errors in join Resolves: RHBZ#1658316 - rpc: always read response Resolves: RHBZ#1639890 - ipa vault-retrieve: fix internal error Resolves: RHBZ#1658485 - Move ipa's systemd tmpfiles from /var/run to /run Resolves: RHBZ#1658487 - Fix authselect invocations to work with 1.0.2 Resolves: RHBZ#1654291 - ipa-client-automount and NFS unit name changes Resolves: RHBZ#1645501 - Fix compile issue with new 389-ds Resolves: RHBZ#1659448- Require platform-python-setuptools instead of python3-setuptools - Resolves: rhbz#1650139- Fixed: rhbz#1643445 - External CA step 2 fails with pki_client_database_dir is missing - Fixed: rhbz#1642834 - Smart card advise script uses hard-coded Python interpreter- Fix mapping of BUILTIN\Guests to 'nobody' group during upgrade to not use generated Samba config at this point - Related: rhbz#1623895- New command automember-find-orphans to find and remove orphan automemeber rules has been added Resolves: RHBZ#1638373 - Moved ipa/idm logos and background to redhat-logos-ipa-80.4: header-logo.png, login-screen-background.jpg, login-screen-logo.png, product-name.png New requirement to redhat-logos-ipa >= 80.4 in ipa-server-common Resolves: RHBZ#1626507- Move initialization of Guests mapping after cifs/ principal is created - Related: rhbz#1623895- 4.7.1 - Fixes: rhbz#1633105 - rebase to 4.7.1- Require the Python interpreter directly instead of using the package name - Related: rhbz#1619153- sudo rule for "admins" members should be created by default (#1609873)- ipaclient-install: chmod needs octal permissions (#1609880)- Resolves: #1609883 ipaserver/plugins/cert.py: Add reason to raise of errors.NotFound - Resolves: #1615765 do-not-use-RC4-in-FIPS-mode - Move fips_enabled to a common library to share across different plugins - ipasam: do not use RC4 in FIPS mode- Resolves: #1614301 Remove --no-sssd and --noac options - Resolves: #1613879 Disable Domain Level 0 - New patch sets to disable domain level 0 - New adapted patch to disable DL0 specific tests (pytest_ipa vs. pytest_plugins) - Adapted branding patch in ipa-replica-install.1 due to DL0 removal- Require 389-ds-base-legacy-tools for setup tools- Update to upstream 4.7.0 GA- Set krb5 DAL version to 7.0 (#1580711) - Rebuild aclocal and configure during build- Update to upstream 4.6.90.pre1- Use java-1.8.0-openjdk-devel- Resolves: #1415162 ipa-exdom-extop plugin can exhaust DS worker threads- Resolves: #1388135 [RFE] limit the retro changelog to dns subtree. - ldap: limit the retro changelog to dns subtree - Resolves: #1427798 Use X509v3 Basic Constraints "CA:TRUE" instead of "CA:FALSE" IPA CA CSR - Include the CA basic constraint in CSRs when renewing a CA - Resolves: #1493145 ipa-replica-install might fail because of an already existing entry cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX - Checks if replica-s4u2proxy.ldif should be applied - Resolves: #1493150 [RFE] set nsslapd-ignore-time-skew: on by default - ds: ignore time skew during initial replication step - ipa-replica-manage: implicitly ignore initial time skew in force-sync - Resolves: #1500218 Replica installation at domain-level 0 fails against upgraded ipa-server - Fix ipa-replica-conncheck when called with --principal - Resolves: #1506188 server-del doesn't remove dns-server configuration from ldap- Drop workaround for building on AArch64 (#1482244) - Temporarily reduce Requires on python-netaddr to 0.7.5-7 (#1506485)- Resolves: #1461177 ipa-otptoken-import - XML file is missing PBKDF2 parameters! - Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s during search in cn=ad, cn=trusts,dc=example,dc=com - Resolves: #1467887 iommu platform support for ipxe - Resolves: #1477178 [ipa-replica-install] - 406 Client Error: Failed to validate message: Incorrect number of results (0) searching forpublic key for host - Resolves: #1478251 IPA WebUI does not work after upgrade from IPA 4.4 to 4.5 - Resolves: #1480102 ipa-server-upgrade failes with "This entry already exists" - Resolves: #1482802 Unable to set ca renewal master on replica - Resolves: #1484428 Updating from RHEL 7.3 fails with Server-Cert not found (ipa-server-upgrade) - Resolves: #1484826 FreeIPA/IdM installations which were upgraded from versions with 389 DS prior to 1.3.3.0 doesn't have whomai plugin enabled and thus startup of Web UI fails - Resolves: #1486283 TypeError in renew_ca_cert prevents from swiching back to self-signed CA - Resolves: #1469246 Replica install fails to configure IPA-specific temporary files/directories - Resolves: #1469480 bind package is not automatically updated during ipa-server upgrade process - Resolves: #1475238 Use CommonNameToSANDefault in default profile (new installs only) - Resolves: #1477703 IPA upgrade fails for latest ipa package- Use OpenJDK 8 to bootstrap on AArch64 until RH1482244 is resolved in buildroot - Resolves: #1470177 - Rebase IPA to latest 4.5.x version - Resolves: #1398594 ipa topologysuffix-verify should only warn about maximum number of replication agreements. - Resolves: #1404236 Web UI: Change "Host Based" and "Role Based" to "Host-Based" and "Role-Based" - Resolves: #1409786 Second phase of --external-ca ipa-server-install setup fails when dirsrv is not running - Resolves: #1451576 ipa cert-request failed to generate certificate from csr - Resolves: #1452086 Pagination Size under Customization in IPA WebUI accepts negative values - Resolves: #1458169 --force-join option is not mentioned in ipa-replica-install man page - Resolves: #1463186 IPA shouldn't allow objectclass if not all in lower case - Resolves: #1478322 user-show command fails when sizelimit is configured to number <= number of entity which is user member of - Resolves: #1496775 Enterprise principals should be able to trigger a refresh of the trusted domain data in the KDC - Resolves: #1502533 Changing cert-find to go through the proxy instead of using the port 8080 - Resolves: #1502663 pkinit-status command fails after an upgrade from a pre-4.5 IPA - Resolves: #1498168 Error when trying to modify a PTR record - Resolves: #1457876 ipa-backup fails silently - Resolves: #1493531 In case full PKINIT configuration is failing during server/replica install the error message should be more meaningful. - Resolves: #1449985 Suggest CA installation command in KRA installation warning- Resolves: #1477367 ipa-server-upgrade timeouts on wait_for_open ports expecting IPA services listening on IPv6 ports - Make sure upgrade also checks for IPv6 stack - control logging of host_port_open from caller - log progress of wait_for_open_ports - Resolves: #1477243 ipa help command returns traceback when no cache is present - Store help in Schema before writing to disk - Disable pylint in get_help function because of type confusion.- Resolves: #1477178 - [ipa-replica-install] - 406 Client Error: Failed to validate message: Incorrect number of results (0) searching forpublic key for host - Always check peer has keys before connecting - Resolves: #1482802 - Unable to set ca renewal master on replica - Fix ipa config-mod --ca-renewal-master - Resolves: #1486283 - TypeError in renew_ca_cert prevents from swiching back to self-signed CA - Backport PR 988 to ipa-4-5 Fix Certificate renewal (with ext ca) - Resolves: #1480102 - ipa-server-upgrade failes with "This entry already exists" - Backport PR 1008 to ipa-4-5 Fix ipa-server-upgrade: This entry already exists - Resolves: #1484826 - FreeIPA/IdM installations which were upgraded from versions with 389 DS prior to 1.3.3.0 doesn't have whomai plugin enabled and thus startup of Web UI fails - Adds whoami DS plugin in case that plugin is missing - Resolves: #1478251 - IPA WebUI does not work after upgrade from IPA 4.4 to 4.5 - Fixing how sssd.conf is updated when promoting a client to replica - Resolves: #1461177 - ipa-otptoken-import - XML file is missing PBKDF2 parameters! - ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace - Resolves: #1484428 - Updating from RHEL 7.3 fails with Server-Cert not found (ipa-server-upgrade) - Backport 4-5: Fix ipa-server-upgrade with server cert tracking- Resolves: #1477703 IPA upgrade fails for latest ipa package - Restore old version of caIPAserviceCert for upgrade only- Resolves: #1475238 Use CommonNameToSANDefault in default profile (new installs only) - Restore old version of caIPAserviceCert for upgrade only- Resolves: #1455946 Provide a tooling automating the configuration of Smart Card authentication on a FreeIPA master - smart-card advises: configure systemwide NSS DB also on master - smart-card advises: add steps to store smart card signing CA cert - Allow to pass in multiple CA cert paths to the smart card advises - add a class that tracks the indentation in the generated advises - delegate the indentation handling in advises to dedicated class - advise: add an infrastructure for formatting Bash compound statements - delegate formatting of compound Bash statements to dedicated classes - Fix indentation of statements in Smart card advises - Use the compound statement formatting API for configuring PKINIT - smart card advises: use a wrapper around Bash `for` loops - smart card advise: use password when changing trust flags on HTTP cert - smart-card-advises: ensure that krb5-pkinit is installed on client - Resolves: #1475238 Use CommonNameToSANDefault in default profile (new installs only) - Add CommonNameToSANDefault to default cert profile - Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s during search in cn=ad,cn=trusts,dc=example,dc=com - NULL LDAP context in call to ldap_search_ext_s during search- Resolves: #1469246 Replica install fails to configure IPA-specific temporary files/directories - replica install: drop-in IPA specific config to tmpfiles.d - Resolves: #1469480 bind package is not automatically updated during ipa-server upgrade process - Bumped Required version of bind-dyndb-ldap and bind package- Resolves: #1452216 Replica installation grants HTTP principal access in WebUI - Make sure we check ccaches in all rpcserver paths- Resolves: #1462112 ipaserver installation fails in FIPS mode: OpenSSL internal error, assertion failed: Digest MD4 forbidden in FIPS mode! - ipa-sam: replace encode_nt_key() with E_md4hash() - ipa_pwd_extop: do not generate NT hashes in FIPS mode - Resolves: #1377973 ipa-server-install fails when the provided or resolved IP address is not found on local interfaces - Fix local IP address validation - ipa-dns-install: remove check for local ip address - refactor CheckedIPAddress class - CheckedIPAddress: remove match_local param - Remove ip_netmask from option parser - replica install: add missing check for non-local IP address - Remove network and broadcast address warnings- Resolves: #1449189 ipa-kra-install timeouts on replica - kra: promote: Get ticket before calling custodia- Resolve: #1455946 Provide a tooling automating the configuration of Smart Card authentication on a FreeIPA master - server certinstall: update KDC master entry - pkinit manage: introduce ipa-pkinit-manage - server upgrade: do not enable PKINIT by default - Extend the advice printing code by some useful abstractions - Prepare advise plugin for smart card auth configuration - Resolve: #1461053 allow to modify list of UPNs of a trusted forest - trust-mod: allow modifying list of UPNs of a trusted forest - WebUI: add support for changing trust UPN suffixes- Resolves: #1377973 ipa-server-install fails when the provided or resolved IP address is not found on local interfaces - Only warn when specified server IP addresses don't match intf - Resolves: #1438016 gssapi errors after IPA server upgrade - Bump version of python-gssapi - Resolves: #1457942 certauth: use canonical principal for lookups - ipa-kdb: use canonical principal in certauth plugin - Resolves: #1459153 Do not send Max-Age in ipa_session cookie to avoid breaking older clients - Add code to be able to set default kinit lifetime - Revert setting sessionMaxAge for old clients- Resolves: #1442233 IPA client commands fail when pointing to replica - httpinstance: wait until the service entry is replicated - Resolves: #1456769 ipaAnchorUUID index incorrectly configured and then not indexed - Fix index definition for ipaAnchorUUID - Resolves: #1438016 gssapi errors after IPA server upgrade - Avoid possible endless recursion in RPC call - rpc: preparations for recursion fix - rpc: avoid possible recursion in create_connection - Resolves: #1446087 services entries missing krbCanonicalName attribute. - Changing cert-find to do not use only primary key to search in LDAP. - Resolves: #1452763 ipa certmaprule change not reflected in krb5kdc workers - ipa-kdb: reload certificate mapping rules periodically - Resolves: #1455541 after upgrade login from web ui breaks - kdc.key should not be visible to all - Resolves: #1435606 Add pkinit_indicator option to KDC configuration - ipa-kdb: add pkinit authentication indicator in case of a successful certauth - Resolves: #1455945 Enabling OCSP checks in mod_nss breaks certificate issuance when ipa-ca records are not resolvable - Turn off OCSP check - Resolves: #1454483 rhel73 ipa ui - cannot del server - IPA Error 903 - server_del - TypeError: 'NoneType' object is not iterable - fix incorrect suffix handling in topology checks- Resolves: #1438731 Extend ipa-server-certinstall and ipa-certupdate to handle PKINIT certificates/anchors - certdb: add named trust flag constants - certdb, certs: make trust flags argument mandatory - certdb: use custom object for trust flags - install: trust IPA CA for PKINIT - client install: fix client PKINIT configuration - install: introduce generic Kerberos Augeas lens - server install: fix KDC PKINIT configuration - ipapython.ipautil.run: Add option to set umask before executing command - certs: do not export keys world-readable in install_key_from_p12 - certs: do not export CA certs in install_pem_from_p12 - server install: fix KDC certificate validation in CA-less - replica install: respect --pkinit-cert-file - cacert manage: support PKINIT - server certinstall: support PKINIT - Resolves: #1444432 CA-less pkinit not installable with --pkinit-cert-file option - certs: do not export CA certs in install_pem_from_p12 - server install: fix KDC certificate validation in CA-less - Resolves: #1451228 ipa-kra-install fails when primary KRA server has been decommissioned - ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname - Resolves: #1451712 KRA installation fails on server that was originally installed as CA-less - ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt - Resolves: #1441499 ipa cert-show does not raise error if no file name specified - ca/cert-show: check certificate_out in options - Resolves: #1449522 Deprecate `ipa pkinit-anonymous` command in FreeIPA 4.5+ - Remove pkinit-anonymous command - Resolves: #1449523 Provide an API command to retrieve PKINIT status in the FreeIPA topology - Allow for multivalued server attributes - Refactor the role/attribute member reporting code - Add an attribute reporting client PKINIT-capable servers - Add the list of PKINIT servers as a virtual attribute to global config - Add `pkinit-status` command - test_serverroles: Get rid of MockLDAP and use ldap2 instead - Resolves: #1452216 Replica installation grants HTTP principal access in WebUI - Fix rare race condition with missing ccache file - Resolves: #1455045 Simple service uninstallers must be able to handle missing service files gracefully - only stop/disable simple service if it is installed - Resolves: #1455541 after upgrade login from web ui breaks - krb5: make sure KDC certificate is readable - Resolves: #1455862 "ipa: ERROR: an internal error has occurred" on executing command "ipa cert-request --add" after upgrade - Change python-cryptography to python2-cryptography- Resolves: #1451804 "AttributeError: 'tuple' object has no attribute 'append'" error observed during ipa upgrade with latest package. - ipa-server-install: fix uninstall - Resolves: #1445390 ipa-[ca|kra]-install with invalid DM password break replica - ca install: merge duplicated code for DM password - installutils: add DM password validator - ca, kra install: validate DM password- Resolves: #1447284 Upgrade from ipa-4.1 fails when enabling KDC proxy - python2-ipalib: add missing python dependency - installer service: fix typo in service entry - upgrade: add missing suffix to http instance - Resolves: #1444791 Update man page of ipa-kra-install - ipa-kra-install manpage: document domain-level 1 - Resolves: #1441493 ipa cert-show raises stack traces when --certificate-out=/tmp - cert-show: writable files does not mean dirs - Resolves: #1441192 Add the name of URL parameter which will be check for username during cert login - Bump version of ipa.conf file - Resolves: #1378797 Web UI must check OCSP and CRL during smartcard login - Turn on NSSOCSP check in mod_nss conf - Resolves: #1322963 Errors from AD when trying to sign ipa.csr, conflicting template on - renew agent: respect CA renewal master setting - server upgrade: always fix certmonger tracking request - cainstance: use correct profile for lightweight CA certificates - renew agent: allow reusing existing certs - renew agent: always export CSR on IPA CA certificate renewal - renew agent: get rid of virtual profiles - ipa-cacert-manage: add --external-ca-type - Resolves: #1441593 error adding authenticator indicators to host - Fixing adding authenticator indicators to host - Resolves: #1449525 Set directory ownership in spec file - Added plugins directory to ipaclient subpackages - ipaclient: fix missing RPM ownership - Resolves: #1451279 otptoken-add-yubikey KeyError: 'ipatokenotpdigits' - otptoken-add-yubikey: When --digits not provided use default value- Resolves: #1449189 ipa-kra-install timeouts on replica - ipa-kra-install: fix check_host_keys- Resolves: #1438833 [ipa-replica-install] - 406 Client Error: Failed to validate message: Incorrect number of results (0) searching forpublic key for host - Make sure remote hosts have our keys - Resolves: #1442815 Replica install fails during migration from older IPA master - Refresh Dogtag RestClient.ca_host property - Remove the cachedproperty class - Resolves: #1444787 Update warning message when KRA installation fails - kra install: update installation failure message - Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode - ipa-server-install with external CA: fix pkinit cert issuance - Resolves: #1445397 GET in KerberosSession.finalize_kerberos_acquisition() must use FreeIPA CA - kerberos session: use CA cert with full cert chain for obtaining cookie - Resolves: #1447375 ipa-client-install: extra space in pkinit_anchors definition - ipa-client-install: remove extra space in pkinit_anchors definition - Resolves: #1447703 Fix SELinux contex of http.keytab during upgrade - Use proper SELinux context with http.keytab- Resolves: #1200767 [RFE] Allow Kerberos authentication for users with certificates on smart cards (pkinit) - spec file: bump krb5 Requires for certauth fixes - Resolves: #1438729 Configure local PKINIT on DL0 or when '--no-pkinit' option is used - separate function to set ipaConfigString values on service entry - Allow for configuration of all three PKINIT variants when deploying KDC - API for retrieval of master's PKINIT status and publishing it in LDAP - Use only anonymous PKINIT to fetch armor ccache - Stop requesting anonymous keytab and purge all references of it - Use local anchor when armoring password requests - Upgrade: configure local/full PKINIT depending on the master status - Do not test anonymous PKINIT after install/upgrade - Resolves: #1442427 ipa.ipaserver.install.plugins.adtrust. update_tdo_gidnumber: ERROR Default SMB Group not found - upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is installed - Resolves: #1442932 ipa restore fails to restore IPA user - restore: restart/reload gssproxy after restore - Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode - Fix CA/server cert validation in FIPS - Resolves: #1444947 Deadlock between topology and schema-compat plugins - compat-manage: behave the same for all users - Move the compat plugin setup at the end of install - compat: ignore cn=topology,cn=ipa,cn=etc subtree - Resolves: #1445358 ipa vault-add raises TypeError - vault: piped input for ipa vault-add fails - Resolves: #1445382 ipa vault-retrieve fails to retrieve data from vault - Vault: Explicitly default to 3DES CBC - Resolves: #1445432 uninstall ipa client automount failed with RuntimeWarning - automount install: fix checking of SSSD functionality on uninstall - Resolves: #1446137 pki_client_database_password is shown in ipaserver-install.log - Hide PKI Client database password in log file- Resolves: #1443869 Command "openssl pkcs12 ..." failed during IPA upgrade - Fix CAInstance.import_ra_cert for empty passwords- Resolves: #1431520 ipa cert-find runs a large number of searches, so IPA WebUI is slow to display user details page - cert: defer cert-find result post-processing - Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit helper when installing replica - server-install: No double Kerberos install - Resolves: #1437502 ipa-replica-install fails with requirement to use --force-join that is a client install option. - Add the force-join option to replica install - replicainstall: better client install exception handling - Resolves: #1437953 Server CA-less impossible option check - server-install: remove broken no-pkinit check - Resolves: #1441160 FreeIPA client <= 4.4 fail to parse 4.5 cookies - Add debug log in case cookie retrieval went wrong - Resolves: #1441548 ipa server install fails with --external-ca option - ext. CA: correctly write the cert chain - Resolves: #1441718 Conversion of CA-less server to CA fails on CA instance spawn - Fix CA-less to CA-full upgrade - Resolves: #1442133 Do not link libkrad, liblber, libldap_r and libsss_nss_idmap to every binary in IPA - configure: fix AC_CHECK_LIB usage - Resolves: #1442815 Replica install fails during migration from older IPA master - Fix RA cert import during DL0 replication - Related: #1442004 Building IdM/FreeIPA internally on all architectures - filtering unsupported packages - Build all subpackages on all architectures- Resolves: #1382053 Need to have validation for idrange names - idrange-add: properly handle empty --dom-name option - Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit helper when installing replica - dsinstance: reconnect ldap2 after DS is restarted by certmonger - httpinstance: avoid httpd restart during certificate request - dsinstance, httpinstance: consolidate certificate request code - install: request service certs after host keytab is set up - renew agent: revert to host keytab authentication - renew agent, restart scripts: connect to LDAP after kinit - Resolves: #1436987 ipasam: gidNumber attribute is not created in the trusted domain entry - ipa-sam: create the gidNumber attribute in the trusted domain entry - Upgrade: add gidnumber to trusted domain entry - Resolves: #1438679 [ipa-replica-install] - IncorrectPasswordException: Incorrect client security database password - Add pki_pin only when needed - Resolves: #1438348 Console output message while adding trust should be mapped with texts changed in Samba. - ipaserver/dcerpc: unify error processing - Resolves: #1438366 ipa trust-fetch-domains: ValidationError: invalid 'Credentials': Missing credentials for cross-forest communication - trust: always use oddjobd helper for fetching trust information - Resolves: #1441192 Add the name of URL parameter which will be check for username during cert login - WebUI: cert login: Configure name of parameter used to pass username - Resolves: #1437879 [copr] Replica install failing - Create system users for FreeIPA services during package installation - Resolves: #1441316 WebUI cert auth fails after ipa-adtrust-install - Fix s4u2self with adtrust- Resolves: #1318186 Misleading error message during external-ca IPA master install - httpinstance: make sure NSS database is backed up - Resolves: #1331443 Re-installing ipa-server after uninstall fails with "ERROR CA certificate chain in ... incomplete" - httpinstance: make sure NSS database is backed up - Resolves: #1393726 Enumerate all available request type options in ipa cert-request help - Hide request_type doc string in cert-request help - Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping - spec file: bump libsss_nss_idmap-devel BuildRequires - server: make sure we test for sss_nss_getlistbycert - Resolves: #1437378 ipa-adtrust-install produced an error and failed on starting smb when hostname is not FQDN - adtrust: make sure that runtime hostname result is consistent with the configuration - Resolves: #1437555 ipa-replica-install with DL0 fails to get annonymous keytab - Always check and create anonymous principal during KDC install - Remove duplicate functionality in upgrade - Resolves: #1437946 Upgrade to FreeIPA 4.5.0 does not configure anonymous principal for PKINIT - Upgrade: configure PKINIT after adding anonymous principal - Remove unused variable from failed anonymous PKINIT handling - Split out anonymous PKINIT test to a separate method - Ensure KDC is propery configured after upgrade - Resolves: #1437951 Remove pkinit-related options from server/replica-install on DL0 - Fix the order of cert-files check - Don't allow setting pkinit-related options on DL0 - replica-prepare man: remove pkinit option refs - Remove redundant option check for cert files - Resolves: #1438490 CA-less installation fails on publishing CA certificate - Get correct CA cert nickname in CA-less - Remove publish_ca_cert() method from NSSDatabase - Resolves: #1438838 Avoid arch-specific path in /etc/krb5.conf.d/ipa-certmap - IPA-KDB: use relative path in ipa-certmap config snippet - Resolves: #1439038 Allow erasing ipaDomainResolutionOrder attribute - Allow erasing ipaDomainResolutionOrder attribute- Resolves: #1434032 Run ipa-custodia with custom SELinux context - Require correct custodia version- Resolves: #800545 [RFE] Support SUDO command rename - Reworked the renaming mechanism - Allow renaming of the sudorule objects - Resolves: #872671 IPA WebUI login for AD Trusted User fails - WebUI: check principals in lowercase - WebUI: add method for disabling item in user dropdown menu - WebUI: Add support for login for AD users - Resolves: #1200767 [RFE] Allow Kerberos authentication for users with certificates on smart cards (pkinit) - ipa-kdb: add ipadb_fetch_principals_with_extra_filter() - IPA certauth plugin - ipa-kdb: do not depend on certauth_plugin.h - spec file: bump krb5-devel BuildRequires for certauth - Resolves: #1264370 RFE: disable last successful authentication by default in ipa. - Set "KDC:Disable Last Success" by default - Resolves: #1318186 Misleading error message during external-ca IPA master install - certs: do not implicitly create DS pin.txt - httpinstance: clean up /etc/httpd/alias on uninstall - Resolves: #1331443 Re-installing ipa-server after uninstall fails with "ERROR CA certificate chain in ... incomplete" - certs: do not implicitly create DS pin.txt - httpinstance: clean up /etc/httpd/alias on uninstall - Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication - configure: fix --disable-server with certauth plugin - rpcserver.login_x509: Actually return reply from __call__ method - spec file: Bump requires to make Certificate Login in WebUI work - Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping - extdom: do reverse search for domain separator - extdom: improve cert request - Resolves: #1430363 [RFE] HBAC rule names command rename - Reworked the renaming mechanism - Allow renaming of the HBAC rule objects - Resolves: #1433082 systemctl daemon-reload needs to be called after httpd.service.d/ipa.conf is manipulated - tasks: run `systemctl daemon-reload` after httpd.service.d updates - Resolves: #1434032 Run ipa-custodia with custom SELinux context - Use Custodia 0.3.1 features - Resolves: #1434384 RPC client should use HTTP persistent connection - Use connection keep-alive - Add debug logging for keep-alive - Increase Apache HTTPD's default keep alive timeout - Resolves: #1434729 man ipa-cacert-manage install needs clarification - man ipa-cacert-manage install needs clarification - Resolves: #1434910 replica install against IPA v3 master fails with ACIError - Fixing replica install: fix ldap connection in domlvl 0 - Resolves: #1435394 Ipa-kra-install fails with weird output when backspace is used during typing Directory Manager password - ipapython.ipautil.nolog_replace: Do not replace empty value - Resolves: #1435397 ipa-replica-install can't install replica file produced by ipa-replica-prepare on 4.5 - replica prepare: fix wrong IPA CA nickname in replica file - Resolves: #1435599 WebUI: in self-service Vault menu item is shown even if KRA is not installed - WebUI: Fix showing vault in selfservice view - Resolves: #1435718 As a ID user I cannot call a command with --rights option - ldap2: use LDAP whoami operation to retrieve bind DN for current connection - Resolves: #1436319 "Truncated search results" pop-up appears in user details in WebUI - WebUI: Add support for suppressing warnings - WebUI: suppress truncation warning in select widget - Resolves: #1436333 Uninstall fails with No such file or directory: '/var/run/ipa/services.list' - Create temporaty directories at the begining of uninstall - Resolves: #1436334 WebUI: Adding certificate mapping data using certificate fails - WebUI: Allow to add certs to certmapping with CERT LINES around - Resolves: #1436338 CLI doesn't work after ipa-restore - Backup ipa-specific httpd unit-file - Backup CA cert from kerberos folder - Resolves: #1436342 Bump samba version, required for FIPS mode and privilege separation - Bump samba version for FIPS and priv. separation - Resolves: #1436642 [ipalib/rpc.py] - "maximum recursion depth exceeded" with ipa vault commands - Avoid growing FILE ccaches unnecessarily - Handle failed authentication via cookie - Work around issues fetching session data - Prevent churn on ccaches - Resolves: #1436657 Add workaround for pki_pin for FIPS - Generate PIN for PKI to help Dogtag in FIPS - Resolves: #1436714 [vault] cache KRA transport cert - Simplify KRA transport cert cache - Resolves: #1436723 cert-find does not find all certificates without sizelimit=0 - cert: do not limit internal searches in cert-find - Resolves: #1436724 Renewal of IPA RA fails on replica - dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function - Resolves: #1436753 Master tree fails to install - httpinstance.disable_system_trust: Don't fail if module 'Root Certs' is not available- Resolves: #1432630 python2-jinja2 needed for python2-ipaclient - Remove csrgen - Resolves: #1432903 Set GssProxy options to enable caching of ldap tickets - Add options to allow ticket caching- Resolves: #828866 [RFE] enhance --subject option for ipa-server-install - Resolves: #1160555 ipa-server-install: Cannot handle double hyphen "--" in hostname - Resolves: #1286288 Insufficient 'write' privilege to the 'ipaExternalMember' attribute - Resolves: #1321652 ipa-server-install fails when using external certificates that encapsulate RDN components in double quotes - Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on revocation reasons - Resolves: #1340880 ipa-server-install: improve prompt on interactive installation - Resolves: #1353841 ipa-replica-install fails to install when resolv.conf incomplete entries - Resolves: #1356104 cert-show command does not display Subject Alternative Names - Resolves: #1357511 Traceback message seen when ipa is provided with invalid configuration file name - Resolves: #1358752 ipa-ca-install fails on replica when IPA server is converted from CA-less to CA-full - Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication - Resolves: #1367572 improve error message in ipa migrate-ds: mention ipa config-mod --enable-migration=TRUE - Resolves: #1367868 Add options to retrieve lightweight CA certificate/chain - Resolves: #1371927 Implement ca-enable/disable commands. - Resolves: #1372202 Add Users into User Group editors fails to show Full names - Resolves: #1373091 Adding an auth indicator from the CLI creates an extra check box in the UI - Resolves: #1375596 Ipa-server WebUI - long user/group name show wrong error message - Resolves: #1375905 "Normal" group type in the UI is confusing - Resolves: #1376040 IPA client ipv6 - invalid --ip-address shows traceback - Resolves: #1376630 IDM admin password gets written to /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf - Resolves: #1376729 ipa-server-install script option --no_hbac_allow should match other options - Resolves: #1378461 IPA Allows Password Reuse with History value defined when admin resets the password. - Resolves: #1379029 conncheck failing intermittently during single step replica installs - Resolves: #1379858 [RFE] better debugging for ipa-replica-conncheck - Resolves: #1384310 ipa dnsrecord-add fails with Keyerror stack trace - Resolves: #1392778 Update man page for ipa-adtrust-install by removing --no-msdcs option - Resolves: #1392858 Rebase to FreeIPA 4.5+ - Rebase to 4.5.0 - Resolves: #1399133 Delete option shouldn't be available for hosts applied to view. - Resolves: #1399190 [RFE] Certificates issued by externally signed IdM CA should contain full trust chain - Resolves: #1400416 RFE: Provide option to take backup of IPA server before uninstalling IPA server - Resolves: #1400529 cert-request is not aware of Kerberos principal aliases - Resolves: #1401526 IPA WebUI certificates are grayed out on overview page but not on details page - Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping - Resolves: #1404750 ipa-client-install fails to get CA cert via LDAP when non-FQDN name of IPA server is first in /etc/hosts - Resolves: #1409628 [RFE] Semi-automatic integration with external DNS using nsupdate - Resolves: #1413742 Backport request for bug/issue Change IP address validation errors to warnings - Resolves: #1415652 IPA replica install log shows password in plain text - Resolves: #1427897 different behavior regarding system wide certs in master and replica. - Resolves: #1430314 The ipa-managed-entries command failed, exception: AttributeError: ldap2- Resolves: #1419735 ipa-replica-install fails promotecustodia.create_replica with cert errors (untrusted) - added ssl verification using IPA trust anchor - Resolves: #1428472 batch param compatibility is incorrect - compat: fix `Any` params in `batch` and `dnsrecord` - Renamed patches 1011 and 1012 to 0159 and 0157, as they were merged upstream- Resolves: #1416454 replication race condition prevents IPA to install - wait_for_entry: use only DN as parameter - Wait until HTTPS principal entry is replicated to replica - Use proper logging for error messages- Resolves: #1365858 ipa-ca-install fails on replica when IPA Master is installed without CA - Set up DS TLS on replica in CA-less topology - Resolves: #1398600 IPA replica install fails with dirsrv errors. - Do not configure PKI ajp redirection to use "::1" - Resolves: #1413137 CVE-2017-2590 ipa: Insufficient permission check for ca-del, ca-disable and ca-enable commands - ca: correctly authorise ca-del, ca-enable and ca-disable- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services by abusing password policy - ipa-kdb: search for password policies globally - Renamed patches 1011 and 1012 to 0151 and 0150, as they were merged upstream- Resolves: #1398670 Check IdM Topology for broken record caused by replication conflict before upgrading it - Check for conflict entries before raising domain level- Resolves: #1382812 Creation of replica for disconnected environment is failing with CA issuance errors; Need good steps. - gracefully handle setting replica bind dn group on old masters - Resolves: #1397439 ipa-ca-install on promoted replica hangs on creating a temporary CA admin - replication: ensure bind DN group check interval is set on replica config - add missing attribute to ipaca replica during CA topology update - Resolves: #1401088 IPA upgrade of replica without DNS fails during restart of named-pkcs11 - bindinstance: use data in named.conf to determine configuration status- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services by abusing password policy - password policy: Add explicit default password policy for hosts and services - Resolves: #1395311 CVE-2016-9575 ipa: Insufficient permission check in certprofile-mod - certprofile-mod: correctly authorise config update- Resolves: #1378353 Replica install fails with old IPA master sometimes during replication process - spec file: bump minimal required version of 389-ds-base - Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1 - Fix missing file that fails DL1 replica installation - Resolves: #1387782 WebUI: Services are not displayed correctly after upgrade - WebUI: services without canonical name are shown correctly - Resolves: #1389709 Traceback seen in error_log when trustdomain-del is run - trustdomain-del: fix the way how subdomain is searched- Resolves: #1318616 CA fails to start after doing ipa-ca-install --external-ca - Keep NSS trust flags of existing certificates - Resolves: #1360813 ipa-server-certinstall does not update all certificate stores and doesn't set proper trust permissions - Add cert checks in ipa-server-certinstall - Resolves: #1371479 cert-find --all does not show information about revocation - cert: add revocation reason back to cert-find output - Resolves: #1375133 WinSync users who have First.Last casing creates users who can have their password set - ipa passwd: use correct normalizer for user principals - Resolves: #1377858 Users with 2FA tokens are not able to login to IPA servers - Properly handle LDAP socket closures in ipa-otpd - Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1 - Make httpd publish its CA certificate on DL1- Resolves: #1373910 IPA server upgrade fails with DNS timed out errors. - Resolves: #1375269 ipa trust-fetch-domains throws internal error- Resolves: #1373359 ipa-certupdate fails with "CA is not configured" - Fix regression introduced in ipa-certupdate- Resolves: #1355753 adding two way non transitive(external) trust displays internal error on the console - Always fetch forest info from root DCs when establishing two-way trust - factor out `populate_remote_domain` method into module-level function - Always fetch forest info from root DCs when establishing one-way trust - Resolves: #1356101 Lightweight sub-CA certs are not tracked by certmonger after `ipa-replica-install` - Track lightweight CAs on replica installation - Resolves: #1357488 ipa command stuck forever on higher versioned client with lower versioned server - compat: Save server's API version in for pre-schema servers - compat: Fix ping command call - schema cache: Store and check info for pre-schema servers - Resolves: #1363905 man page for ipa-replica-manage has a typo in -c flag - Fix man page ipa-replica-manage: remove duplicate -c option from --no-lookup - Resolves: #1367865 webui: cert_revoke should use --cacn to set correct CA when revoking certificate - cert: include CA name in cert command output - WebUI add support for sub-CAs while revoking certificates - Resolves: #1368424 Unable to view certificates issued by Sub CA in Web UI - Add support for additional options taken from table facet - WebUI: Fix showing certificates issued by sub-CA - Resolves: #1368557 dnsrecord-add does not prompt for missing record parts internactively - dns: normalize record type read interactively in dnsrecord_add - dns: prompt for missing record parts in CLI - dns: fix crash in interactive mode against old servers - Resolves: #1370519 Certificate revocation in service-del and host-del isn't aware of Sub CAs - cert: fix cert-find --certificate when the cert is not in LDAP - Make host/service cert revocation aware of lightweight CAs - Resolves: #1371901 Use OAEP padding with custodia - Use RSA-OAEP instead of RSA PKCS#1 v1.5 - Resolves: #1371915 When establishing external two-way trust, forest root Administrator account is used to fetch domain info - do not use trusted forest name to construct domain admin principal - Resolves: #1372597 Incorrect CA ACL evaluation of SAN DNS names in certificate request - Fix CA ACL Check on SubjectAltNames - Resolves: #1373272 CLI always sends default command version - cli: use full name when executing a command - Resolves: #1373359 ipa-certupdate fails with "CA is not configured" - Fix ipa-certupdate for CA-less installation - Resolves: #1373540 client-install with IPv6 address fails on link-local address (always) - Fix parse errors with link-local addresses- Resolves: #1081561 CA not start during ipa server install in pure IPv6 env - Fix ipa-server-install in pure IPv6 environment - Resolves: #1318169 Tree-root domains in a trusted AD forest aren't marked as reachable via the forest root - trust: make sure ID range is created for the child domain even if it exists - ipa-kdb: simplify trusted domain parent search - Resolves: #1335567 Update Warning in IdM Web UI API browser - WebUI: add API browser is tech preview warning - Resolves: #1348560 Mulitple domain Active Directory Trust conflict - ipaserver/dcerpc: reformat to make the code closer to pep8 - trust: automatically resolve DNS trust conflicts for triangle trusts - Resolves: #1351593 CVE-2016-5404 ipa: Insufficient privileges check in certificate revocation - cert-revoke: fix permission check bypass (CVE-2016-5404) - Resolves: #1353936 custodia.conf and server.keys file is world-readable. - Remove Custodia server keys from LDAP - Secure permissions of Custodia server.keys - Resolves: #1358752 ipa-ca-install fails on replica when IPA server is converted from CA-less to CA-full - custodia: include known CA certs in the PKCS#12 file for Dogtag - custodia: force reconnect before retrieving CA certs from LDAP - Resolves: #1362333 ipa vault container owner cannot add vault - Fix: container owner should be able to add vault - Resolves: #1365546 External trust with root domain is transitive - trust: make sure external trust topology is correctly rendered - Resolves: #1365572 IPA server broken after upgrade - Require pki-core-10.3.3-7 - Resolves: #1367864 Server assumes latest version of command instead of version 1 for old / 3rd party clients - rpcserver: assume version 1 for unversioned command calls - rpcserver: fix crash in XML-RPC system commands - Resolves: #1367773 thin client ignores locale change - schema cache: Fallback to 'en_us' when locale is not available - Resolves: #1368754 ipa server uninstall fails with Python "Global Name error" - Fail on topology disconnect/last role removal - Resolves: #1368981 ipa otptoken-add --type=hotp --key creates wrong OTP - otptoken, permission: Convert custom type parameters on server - Resolves: #1369414 ipa server-del fails with Python stack trace - Handled empty hostname in server-del command - Resolves: #1369761 ipa-server must depend on a version of httpd that support mod_proxy with UDS - Require httpd 2.4.6-31 with mod_proxy Unix socket support - Resolves: #1370512 Received ACIError instead of DuplicatedError in stageuser_tests - Raise DuplicatedEnrty error when user exists in delete_container - Resolves: #1371479 cert-find --all does not show information about revocation - cert: add missing param values to cert-find output - Renamed patch 1011 to 0100, as it was merged upstream- Resolves: #1298288 [RFE] Improve performance in large environments. - cert: speed up cert-find - Resolves: #1317379 [EXPERIMENTAL][RFE] Web UI: allow Smart Card authentication - service: add flag to allow S4U2Self - Add 'trusted to auth as user' checkbox - Added new authentication method - Resolves: #1353881 ipa-replica-install suggests about non-existent --force-ntpd option - Don't show --force-ntpd option in replica install - Resolves: #1354441 DNS forwarder check is too strict: unable to add sub-domain to already-broken domain - DNS: allow to add forward zone to already broken sub-domain - Resolves: #1356146 performance regression in CLI help - schema: Speed up schema cache - frontend: Change doc, summary, topic and NO_CLI to class properties - schema: Introduce schema cache format - schema: Generate bits for help load them on request - help: Do not create instances to get information about commands and topics - schema cache: Do not reset ServerInfo dirty flag - schema cache: Do not read fingerprint and format from cache - Access data for help separately - frontent: Add summary class property to CommandOverride - schema cache: Read server info only once - schema cache: Store API schema cache in memory - client: Do not create instance just to check isinstance - schema cache: Read schema instead of rewriting it when SchemaUpToDate - Resolves: #1360769 ipa-server-certinstall couldnt unlock private key file - server install: do not prompt for cert file PIN repeatedly - Resolves: #1364113 ipa-password: ipa: ERROR: RuntimeError: Unable to create cache directory: [Errno 13] Permission denied: '/home/test_user' - schema: Speed up schema cache - Resolves: #1366604 `cert-find` crashes on invalid certificate data - cert: do not crash on invalid data in cert-find - Resolves: #1366612 Middle replica uninstallation in line topology works without '--ignore-topology-disconnect' - Fail on topology disconnect/last role removal - Resolves: #1366626 caacl-add-service: incorrect error message when service does not exists - Fix ipa-caalc-add-service error message - Resolves: #1367022 The ipa-server-upgrade command failed when named-pkcs11 does not happen to run during dnf upgrade - DNS server upgrade: do not fail when DNS server did not respond - Resolves: #1367759 [RFE] [webui] warn admin if there is only one IPA server with CA - Add warning about only one existing CA server - Set servers list as default facet in topology facet group - Resolves: #1367773 thin client ignores locale change - schema check: Check current client language against cached one- Resolves: #1361119 UPN-based search for AD users does not match an entry in slapi-nis map cache - support multiple uid values in schema compatibility tree- Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6 - Revert "spec: add conflict with bind-chroot to freeipa-server-dns" - Resolves: #1341249 Subsequent external CA installation fails - install: fix external CA cert validation - Resolves: #1353831 ipa-server-install fails in container because of hostnamectl set-hostname - server-install: Fix --hostname option to always override api.env values - install: Call hostnamectl set-hostname only if --hostname option is used - Resolves: #1356091 ipa-cacert-manage --help and man differ - Improvements for the ipa-cacert-manage man and help - Resolves: #1360631 ipa-backup is not keeping the /etc/tmpfiles.d/dirsrv-.conf - ipa-backup: backup /etc/tmpfiles.d/dirsrv-.conf - Resolves: #1361047 ipa-replica-install --help usage line suggests the replica file is needed - Update ipa-replica-install documentation - Resolves: #1361545 ipa-client-install starts rhel-domainname.service but does not rpm-require it - client: RPM require initscripts to get *-domainname.service - Resolves: #1364197 caacl: error when instantiating rules with service principals - caacl: fix regression in rule instantiation - Resolves: #1364310 ipa otptoken-add bytes object has no attribute confirm - parameters: move the `confirm` kwarg to Param - Resolves: #1364464 Topology graph: ca and domain adders shows question marks instead of plus icon - Fix unicode characters in ca and domain adders - Resolves: #1365083 Incomplete output returned for command ipa vault-add - client: add missing output params to client-side commands - Resolves: #1365526 build fails during "make check" - ipa-kdb: Fix unit test after packaging changes in krb5- Resolves: #1353829 traceback message seen in ipaserver-uninstall.log file. - Do not initialize API in ipa-client-automount uninstall - Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin client changes - idrange: fix unassigned global variable - Resolves: #1360792 Migrating users doesn't update krbCanonicalName - re-set canonical principal name on migrated users - Resolves: #1362012 ipa hbactest produces error about cannot concatenate 'str' and 'bool' objects - Fix ipa hbactest output - Resolves: #1362260 ipa vault-mod no longer allows defining salt - vault: add missing salt option to vault_mod - Resolves: #1362312 ipa vault-retrieve internal error when using the wrong public key - vault: Catch correct exception in decrypt - Resolves: #1362537 ipa-server-install fails to create symlink from /etc/ipa/kdcproxy/ to /etc/httpd/conf.d/ - Correct path to HTTPD's systemd service directory - Resolves: #1363756 Increase length of passwords generated by installer - Increase default length of auto generated passwords- Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos aliases) - harden the check for trust namespace overlap in new principals - Resolves: #1351142 CLI is not using session cookies for communication with IPA API - Fix session cookies - Resolves: #1353888 Fix the help for ipa otp and other topics - help: Add dnsserver commands to help topic 'dns' - Resolves: #1354406 host-del updatedns options complains about missing ptr record for host - Host-del: fix behavior of --updatedns and PTR records - Resolves: #1355718 ipa-replica-manage man page example output differs actual command output - Minor fix in ipa-replica-manage MAN page - Resolves: #1358229 Traceback message should be fixed, seen while editing winsync migrated user information in Default trust view. - baseldap: Fix MidairCollision instantiation during entry modification - Resolves: #1358849 CA replica install logs to wrong log file - unite log file name of ipa-ca-install - Resolves: #1359130 ipa-server-install command fails to install IPA server. - DNS Locations: fix update-system-records unpacking error - Resolves: #1359237 AVC on dirsrv config caused by IPA installer - Use copy when replacing files to keep SELinux context - Resolves: #1359692 ipa-client-install join fail with traceback against RHEL-6.8 ipa-server - compat: fix ping call - Resolves: #1359738 ipa-replica-install --domain= option does not work - replica-install: Fix --domain - Resolves: #1360778 Vault commands are available in CLI even when the server does not support them - Revert "Enable vault-* commands on client" - client: fix hiding of commands which lack server support - Related: #1281704 Rebase to softhsm 2.1.0 - Remove the workaround for softhsm bug #1293340 - Related: #1298288 [RFE] Improve performance in large environments. - Create indexes for krbCanonicalName attribute- Resolves: #1296140 Remove redhat-access-plugin-ipa support - Obsolete and conflict redhat-access-plugin-ipa - Resolves: #1351119 Multiple issues while uninstalling ipa-server - server uninstall fails to remove krb principals - Resolves: #1351758 ipa commands not showing expected error messages - frontend: copy command arguments to output params on client - Show full error message for selinuxusermap-add-hostgroup - Resolves: #1352883 Traceback on adding default automember group and hostgroup set - allow 'value' output param in commands without primary key - Resolves: #1353888 Fix the help for ipa otp and other topics - schema: Fix subtopic -> topic mapping - Resolves: #1354348 ipa trustconfig-show throws internal error. - allow 'value' output param in commands without primary key - Resolves: #1354381 ipa trust-add with raw option gives internal error. - trust-add: handle `--all/--raw` options properly - Resolves: #1354493 Replica install fails with old IPA master - DNS install: Ensure that DNS servers container exists - Resolves: #1354628 ipa hostgroup-add-member does not return error message when adding itself as member - frontend: copy command arguments to output params on client - Resolves: #1355856 ipa otptoken-add --type=totp gives internal error - messages: specify message type for ResultFormattingError - Resolves: #1356063 "ipa radiusproxy-add" command needs to prompt to enter secret key - expose `--secret` option in radiusproxy-* commands - prevent search for RADIUS proxy servers by secret - Resolves: #1356099 Bug in the ipapwd plugin - Heap corruption in ipapwd plugin - Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin client changes - Use server API in com.redhat.idm.trust-fetch-domains oddjob helper - Resolves: #1356964 Renaming a user removes all of his principal aliases - Preserve user principal aliases during rename operation- Resolves: #1274524 [RFE] Qualify up to 60 IdM replicas - Resolves: #1320838 [RFE] Support IdM Client in a DNS domain controlled by AD - Related: #1356134 'kinit -E' does not work for IPA user- Resolves: #1356102 Server uninstall does not stop tracking lightweight sub-CA with certmonger - uninstall: untrack lightweight CA certs - Resolves: #1351807 ipa-nis-manage config.get_dn missing - ipa-nis-manage: Use server API to retrieve plugin status - Resolves: #1353452 ipa-compat-manage command failed, exception: NotImplementedError: config.get_dn() - ipa-compat-manage: use server API to retrieve plugin status - Resolves: #1353899 ipa-advise: object of type 'type' has no len() - ipa-advise: correct handling of plugin namespace iteration - Resolves: #1356134 'kinit -E' does not work for IPA user - kdb: check for local realm in enterprise principals - Resolves: #1353072 ipa unknown command vault-add - Enable vault-* commands on client - vault-add: set the default vault type on the client side if none was given - Resolves: #1353995 Default CA can be used without a CA ACL - caacl: expand plugin documentation - Resolves: #1356144 host-find should not print SSH keys by default, only SSH fingerprints - host-find: do not show SSH key by default - Resolves: #1353506 ipa migrate-ds command fails for IPA in RHEL 7.3 - Removed unused method parameter from migrate-ds- Resolves: #747612 [RFE] IPA should support and manage DNS sites - Resolves: #826790 Disabling password expiration (--maxlife=0 and --minlife=0) in the default global_policy in IPA sets user's password expiration (krbPasswordExpiration) to be 90 days - Resolves: #896699 ipa-replica-manage -H does not delete DNS SRV records - Resolves: #1084018 [RFE] Add IdM user password change support for legacy client compat tree - Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos aliases) - Fix incorrect check for principal type when evaluating CA ACLs - Resolves: #1146860 [RFE] Offer OTP generation for host enrollment in the UI - Resolves: #1238190 ipasam unable to lookup group in directory yet manual search works - Resolves: #1250110 search by users which don't have read rights for all attrs in search_attributes fails - Resolves: #1263764 Show Certificate displays in useless format - Resolves: #1272491 [WebUI] Certificate action dropdown does not display all the options after adding new certificate - Resolves: #1292141 Rebase to FreeIPA 4.4+ - Rebase to 4.4.0 - Resolves: #1294503 IPA fails to issue 3rd party certs - Resolves: #1298242 [RFE] API compatibility - compatibility of clients - Resolves: #1298848 [RFE] Centralized topology management - Resolves: #1298966 [RFE] Extend Smart Card support - Resolves: #1315146 Multiple clients cannot join domain simultaneously: /var/run/httpd/ipa/clientcaches race condition? - Resolves: #1318903 ipa server install failing when SUBCA signs the cert - Resolves: #1319003 ipa-winsync-migrate: Traceback should be fixed with proper console output - Resolves: #1324055 IPA always qualify requests for admin - Resolves: #1328552 [RFE] Allow users to authenticate with alternative names - Resolves: #1334582 Inconsistent UI and CLI options for removing certificate hold - Resolves: #1346321 Exclude o=ipaca subtree from Retro Changelog (syncrepl) - Resolves: #1349281 Fix `Conflicts` with ipa-python - Resolves: #1350695 execution of copy-schema script fails - Resolves: #1351118 upgrade failed for RHEL-7.3 from RHEL-7.2.z - Resolves: #1351153 AVC seen on Replica during ipa-server upgrade test execution to 7.3 - Resolves: #1351276 ipa-server-install with dns cannot resolve itself to create ipa-ca entry - Related: #1343422 [RFE] Add GssapiImpersonate option- Resolves: #1348948 IPA server install fails with build ipa-server-4.4.0-0.el7.1.alpha1 - Revert "Increased mod_wsgi socket-timeout"- Resolves: #712109 "krbExtraData not allowed" is logged in DS error log while setting password for default sudo binddn. - Resolves: #747612 [RFE] IPA should support and manage DNS sites - Resolves: #768316 [RFE] ipa-getkeytab should auto-detect the ipa server name - Resolves: #825391 [RFE] Replica installation should provide a means for inheriting nssldap security access settings - Resolves: #921497 Incorrect *.py[co] files placement - Resolves: #1029640 RHEL7 IPA to add DNA Plugin config for dnaRemote support - Resolves: #1029905 389 DS cache sizes not replicated to IPA replicas - Resolves: #1196958 IPA replica installation failing with high number of users (160000). - Resolves: #1219402 IPA suggests to uninstall a client when the user needs to uninstall a replica - Resolves: #1224057 [RFE] TGS authorization decisions in KDC based on Authentication Indicator - Resolves: #1234222 [WebUI] UI error message is not appropriate for "Kerberos principal expiration" - Resolves: #1234223 [WebUI] General invalid password error message appearing for "Locked user" - Resolves: #1254267 ipa-server-install failure applying ldap updates with limits exceeded - Resolves: #1258626 realmdomains-mod --add-domain command throwing error when doamin already is in forwardzone. - Resolves: #1259020 ipa-server-adtrust-install doesn't allow NetBIOS-name=EXAMPLE-TEST.COM (dash character) - Resolves: #1260993 DNSSEC signing enablement on dnszone should throw error message when DNSSEC master not installed - Resolves: #1262747 dnssec options missing in ipa-dns-install man page - Resolves: #1265900 Fail installation immediately after dirsrv fails to install using ipa-server-install - Resolves: #1265915 idoverrideuser-find fails if any SID anchor is not resolvable anymore - Resolves: #1268027 ipa-dnskeysync-replica crash with backtrace - LimitsExceeded: limits exceeded for this query - Resolves: #1269089 Certificate of managed-by host/service fails to resubmit - Resolves: #1269200 ipa-server crashing while trying to preserve admin user - Resolves: #1271321 Reduce ioblocktimeout and idletimeout defaults - Resolves: #1271579 Automember rule expressions disappear from tables on single expression delete - Resolves: #1275816 Incomplete ports for IPA ad-trust - Resolves: #1276351 [RFE] Remove /usr/share/ipa/updates/50-lockout-policy.update file from IPA releases - Resolves: #1277109 Add tool tips for Revert, Refresh, Undo, and Undo All in the IPA UI - Resolves: #1278426 Better error message needed for invalid ca-signing-algo option - Resolves: #1279932 ipa-client-install --request-cert needs workaround in anaconda chroot - Resolves: #1282521 Creating a user w/o private group fails when doing so in WebUI - Resolves: #1283879 ipa-winsync-migrate: Traceback message should be replaced by "IPA is not configured on this system" - Resolves: #1285071 ipa-kra-install fails on replica looking for admin cert file - Resolves: #1287194 [RFE] Support of UPN for trusted domains - Resolves: #1288967 Normalize Manager entry in ipa user-add - Resolves: #1289487 Priority field missing in Password Policy detail tab - Resolves: #1291140 ipa client should configure kpasswd_server directive in krb5.conf - Resolves: #1292141 Rebase to FreeIPA 4.4+ - Rebase to 4.4.0.alpha1 - Resolves: #1298848 [RFE] Centralized topology management - Resolves: #1300576 Browser setup page includes instructions for Internet Explorer - Resolves: #1301586 ipa host-del --updatedns should remove related dns entries. - Resolves: #1304618 Residual Files After IPA Server Uninstall - Resolves: #1305144 ipa-python does not require its dependencies - Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6 - Resolves: #1313798 Console output post ipa-winsync-migrate command should be corrected. - Resolves: #1314786 [RFE] External Trust with Active Directory domain - Resolves: #1319023 Include description for 'status' option in man page for ipactl command. - Resolves: #1319912 ipa-server-install does not completely change hostname and named-pkcs11 fails - Resolves: #1320891 IPA Error 3009: Validation error: Invalid 'ptrrecord': Reverse zone in-addr.arpa. requires exactly 4 IP address compnents, 5 given - Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on revocation reasons - Resolves: #1328549 "ipa-kra-install" command reports incorrect message when it is executed on server already installed with KRA. - Resolves: #1329209 ipa-nis-manage enable: change service name from 'portmap' to 'rpcbind' - Resolves: #1329275 ipa-nis-manage command should include status option - Resolves: #1330843 'man ipa' should be updated with latest commands - Resolves: #1333755 ipa cert-request causes internal server error while requesting certificate - Resolves: #1337484 EOF is not handled for ipa-client-install command - Resolves: #1338031 Insufficient 'write' privilege on some attributes for the members of the role which has "User Administrators" privilege. - Resolves: #1343142 IPA DNS should do better verification of DNS zones - Resolves: #1347928 Frontpage exposes runtime error with no cookies enabled in browser- Resolves: #1339483 ipa-server-install fails with ERROR pkinit_cert_files - Fix incorrect rebase of patch 1001- Resolves: #1339233 CA installed on replica is always marked as renewal master - Related: #1292141 Rebase to FreeIPA 4.4+ - Rebase to 4.3.1.201605241723GIT1b427d3- Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install because of missing dependencies - Rebuild with krb5-1.14.1- Resolves: #837369 [RFE] Switch to client promotion to replica model - Resolves: #1199516 [RFE] Move replication topology to the shared tree - Resolves: #1206588 [RFE] Visualize FreeIPA server replication topology - Resolves: #1211602 Hide ipa-server-install KDC master password option (-P) - Resolves: #1212713 ipa-csreplica-manage: it could be nice to have also list-ruv / clean-ruv / abort-clean-ruv for o=ipaca backend - Resolves: #1267206 ipa-server-install uninstall should warn if no installation found - Resolves: #1295865 The Domain option is not correctly set in idmapd.conf when ipa-client-automount is executed. - Resolves: #1327092 URI details missing and OCSP-URI details are incorrectly displayed when certificate generated using IPA on RHEL 7.2up2. - Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install because of missing dependencies - Related: #1292141 Rebase to FreeIPA 4.4+ - Rebase to 4.3.1.201605191449GITf8edf37- Resolves: #1277696 IPA certificate auto renewal fail with "Invalid Credential" - cert renewal: make renewal of ipaCert atomic - Resolves: #1278330 installer options are not validated at the beginning of installation - install: fix command line option validation - Resolves: #1282845 sshd_config change on ipa-client-install can prevent sshd from starting up - client install: do not corrupt OpenSSH config with Match sections - Resolves: #1282935 ipa upgrade causes vault internal error - install: export KRA agent PEM file in ipa-kra-install - Resolves: #1283429 Default CA ACL rule is not created during ipa-replica-install - TLS and Dogtag HTTPS request logging improvements - Avoid race condition caused by profile delete and recreate - Do not erroneously reinit NSS in Dogtag interface - Add profiles and default CA ACL on migration - disconnect ldap2 backend after adding default CA ACL profiles - do not disconnect when using existing connection to check default CA ACLs - Resolves: #1283430 ipa-kra-install: fails to apply updates - suppress errors arising from adding existing LDAP entries during KRA install - Resolves: #1283748 Caching of ipaconfig does not work in framework - fix caching in get_ipa_config - Resolves: #1283943 IPA DNS Zone/DNS Forward Zone details missing after upgrade from RHEL 7.0 to RHEL 7.2 - upgrade: fix migration of old dns forward zones - Fix upgrade of forwardzones when zone is in realmdomains - Resolves: #1284413 ipa-cacert-manage renew fails on nonexistent ldap connection - ipa-cacert-renew: Fix connection to ldap. - Resolves: #1284414 ipa-otptoken-import fails on nonexistent ldap connection - ipa-otptoken-import: Fix connection to ldap. - Resolves: #1286635 IPA server upgrade fails from RHEL 7.0 to RHEL 7.2 using "yum update ipa* sssd" - Set minimal required version for openssl - Resolves: #1286781 ipa-nis-manage does not update ldap with all NIS maps - Upgrade: Fix upgrade of NIS Server configuration - Resolves: #1289311 umask setting causes named-pkcs11 issue with directory permissions on /var/lib/ipa/dnssec - DNS: fix file permissions - Explicitly call chmod on newly created directories - Fix: replace mkdir with chmod - Resolves: #1290142 Broken 7.2.0 to 7.2.z upgrade - flawed version comparison - Fix version comparison - use FFI call to rpmvercmp function for version comparison - Resolves: #1292595 In IPA-AD trust environment some secondary IPA based Posix groups are missing - ipa-kdb: map_groups() consider all results - Resolves: #1293870 User should be notified for wrong password in password reset page - Fixed login error message box in LoginScreen page - Resolves: #1296196 Sysrestore did not restore state if a key is specified in mixed case - Allow to used mixed case for sysrestore - Resolves: #1296214 DNSSEC key purging is not handled properly - DNSSEC: Improve error reporting from ipa-ods-exporter - DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP - DNSSEC: Make sure that current key state in LDAP matches key state in BIND - DNSSEC: remove obsolete TODO note - DNSSEC: add debug mode to ldapkeydb.py - DNSSEC: logging improvements in ipa-ods-exporter - DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP - DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP - DNSSEC: ipa-ods-exporter: add ldap-cleanup command - DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal - DNSSEC: Log debug messages at log level DEBUG - Resolves: #1296216 ipa-server-upgrade fails if certmonger is not running - prevent crash of CA-less server upgrade due to absent certmonger - always start certmonger during IPA server configuration upgrade - Resolves: #1297811 The ipa -e skip_version_check=1 still issues incompatibility error when called against RHEL 6 server - ipalib: assume version 2.0 when skip_version_check is enabled - Resolves: #1298289 install fails when locale is "fr_FR.UTF-8" - Do not decode HTTP reason phrase from Dogtag - Resolves: #1300252 shared certificateProfiles container is missing on a freshly installed RHEL7.2 system - upgrade: unconditional import of certificate profiles into LDAP - Resolves: #1301674 --setup-dns and other options is forgotten for using an external PKI - installer: Propagate option values from components instead of copying them. - installer: Fix logic of reading option values from cache. - Resolves: #1301687 issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup - ipa-ca-install: print more specific errors when CA is already installed - cert renewal: import all external CA certs on IPA CA cert renewal - CA install: explicitly set dogtag_version to 10 - fix standalone installation of externally signed CA on IPA master - replica install: validate DS and HTTP server certificates - replica install: improvements in the handling of CA-related IPA config entries - Resolves: #1301901 [RFE] compat tree: show AD members of IPA groups - slapi-nis: update configuration to allow external members of IPA groups - Resolves: #1305533 ipa trust-add succeded but after that ipa trust-find returns "0 trusts matched" - upgrade: fix config of sidgen and extdom plugins - trusts: use ipaNTTrustPartner attribute to detect trust entries - Warn user if trust is broken - fix upgrade: wait for proper DS socket after DS restart - Insure the admin_conn is disconnected on stop - Fix connections to DS during installation - Fix broken trust warnings - Resolves: #1321092 Installers fail when there are multiple versions of the same certificate - certdb: never use the -r option of certutil - Related: #1317381 Crash during IPA upgrade due to slapd - spec file: update minimum required version of slapi-nis - Related: #1322691 CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2113 CVE-2016-2114 CVE-2016-2115 CVE-2016-2118 samba: various flaws [rhel-7.3] - Rebuild against newer Samba version- Resolves: #1252556 Missing CLI param and ACL for vault service operations - vault: fix private service vault creation- Resolves: #1262996 ipa vault internal error on replica without KRA - upgrade: make sure ldap2 is connected in export_kra_agent_pem - Resolves: #1270608 IPA upgrade fails for server with CA cert signed by external CA - schema: do not derive ipaVaultPublicKey from ipaPublicKey- Resolves: #1217009 OTP sync in UI does not work for TOTP tokens - Fix an integer underflow bug in libotp - Resolves: #1262996 ipa vault internal error on replica without KRA - install: always export KRA agent PEM file - vault: select a server with KRA for vault operations - Resolves: #1269777 IPA restore overwrites /etc/passwd and /etc/group files - do not overwrite files with local users/groups when restoring authconfig - Renamed patch 1011 to 0138, as it was merged upstream- Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to Trusts - winsync-migrate: Convert entity names to posix friendly strings - winsync-migrate: Properly handle collisions in the names of external groups - Resolves: #1261074 Adjust Firefox configuration to new extension signing policy - webui: use manual Firefox configuration for Firefox >= 40 - Resolves: #1263337 IPA Restore failed with installed KRA - ipa-backup: Add mechanism to store empty directory structure - Resolves: #1264793 CVE-2015-5284 ipa: ipa-kra-install includes certificate and private key in world readable file [rhel-7.2] - install: fix KRA agent PEM file permissions - Resolves: #1265086 Mark IdM API Browser as experimental - WebUI: add API browser is experimental warning - Resolves: #1265277 Fix kdcproxy user creation - install: create kdcproxy user during server install - platform: add option to create home directory when adding user - install: fix kdcproxy user home directory - Resolves: #1265559 GSS failure after ipa-restore - destroy httpd ccache after stopping the service- Resolves: #1258965 ipa vault: set owner of vault container - baseldap: make subtree deletion optional in LDAPDelete - vault: add vault container commands - vault: set owner to current user on container creation - vault: update access control - vault: add permissions and administrator privilege - install: support KRA update - Resolves: #1261586 ipa config-mod addattr fails for ipauserobjectclasses - config: allow user/host attributes with tagging options - Resolves: #1262315 Unable to establish winsync replication - winsync: Add inetUser objectclass to the passsync sysaccount- Resolves: #1260663 crash of ipa-dnskeysync-replica component during ipa-restore - IPA Restore: allows to specify files that should be removed - Resolves: #1261806 Installing ipa-server package breaks httpd - Handle timeout error in ipa-httpd-kdcproxy - Resolves: #1262322 Failed to backup CS.cfg message in upgrade. - Server Upgrade: backup CS.cfg when dogtag is turned off- Resolves: #1257074 The KRA agent cert is stored in a PEM file that is not tracked - cert renewal: Include KRA users in Dogtag LDAP update - cert renewal: Automatically update KRA agent PEM file - Resolves: #1257163 renaming certificatte profile with --rename option leads to integrity issues - certprofile: remove 'rename' option - Resolves: #1257968 kinit stop working after ipa-restore - Backup: back up the hosts file - Resolves: #1258926 Remove 'DNSSEC is experimental' warnings - DNSSEC: remove "DNSSEC is experimental" warnings - Resolves: #1258929 Uninstallation of IPA leaves extra entry in /etc/hosts - Installer: do not modify /etc/hosts before user agreement - Resolves: #1258944 DNSSEC daemons may deadlock when processing more than 1 zone - DNSSEC: backup and restore opendnssec zone list file - DNSSEC: remove ccache and keytab of ipa-ods-exporter - DNSSEC: prevent ipa-ods-exporter from looping after service auto-restart - DNSSEC: Fix deadlock in ipa-ods-exporter <-> ods-enforcerd interaction - DNSSEC: Fix HSM synchronization in ipa-dnskeysyncd when running on DNSSEC key master - DNSSEC: Fix key metadata export - DNSSEC: Wrap master key using RSA OAEP instead of old PKCS v1.5. - Resolves: #1258964 revert to use ldapi to add kra agent in KRA install - Using LDAPI to setup CA and KRA agents. - Resolves: #1259848 server closes connection and refuses commands after deleting user that is still logged in - ldap: Make ldap2 connection management thread-safe again - Resolves: #1259996 AttributeError: 'NameSpace' object has no attribute 'ra_certprofile' while ipa-ca-install - load RA backend plugins during standalone CA install on CA-less IPA master- Resolves: #1254689 Storing big file as a secret in vault raises traceback - vault: Limit size of data stored in vault - Resolves: #1255880 ipactl status should distinguish between different pki-tomcat services - ipactl: Do not start/stop/restart single service multiple times- Resolves: #1256840 [webui] majority of required fields is no longer marked as required - fix missing information in object metadata - Resolves: #1256842 [webui] no option to choose trust type when creating a trust - webui: add option to establish bidirectional trust - Resolves: #1256853 Clear text passwords in KRA install log - Removed clear text passwords from KRA install log. - Resolves: #1257072 The "Standard Vault" MUST not be the default and must be discouraged - vault: change default vault type to symmetric - Resolves: #1257163 renaming certificatte profile with --rename option leads to integrity issues - certprofile: prevent rename (modrdn)- Resolves: #1249226 IPA dnssec-validation not working for AD dnsforwardzone - DNSSEC: fix forward zone forwarders checks - Resolves: #1250190 idrange is not added for sub domain - trusts: format Kerberos principal properly when fetching trust topology - Resolves: #1252334 User life cycle: missing ability to provision a stage user from a preserved user - Add user-stage command - Resolves: #1252863 After applying RHBA-2015-1554 errata, IPA service fails to start. - spec file: Add Requires(post) on selinux-policy - Resolves: #1254304 Changing vault encryption attributes - Change internal rsa_(public|private)_key variable names - Added support for changing vault encryption. - Resolves: #1256715 Executing user-del --preserve twice removes the user pernamently - improve the usability of `ipa user-del --preserve` command- Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities - user-undel: Fix error messages. - Resolves: #1200694 [RFE] Support for multiple cert profiles - Prohibit deletion of predefined profiles - Resolves: #1232819 testing ipa-restore on fresh system install fails - Backup/resore authentication control configuration - Resolves: #1243331 pkispawn fails when migrating to 4.2 server from 3.0 server - Require Dogtag PKI >= 10.2.6 - Resolves: #1245225 Asymmetric vault drops traceback when the key is not proper - Asymmetric vault: validate public key in client - Resolves: #1248399 Missing DNSSEC related files in backup - fix typo in BasePathNamespace member pointing to ods exporter config - ipa-backup: archive DNSSEC zone file and kasp.db - Resolves: #1248405 PassSync should be disabled after ipa-winsync-migrate is finished - winsync-migrate: Add warning about passsync - winsync-migrate: Expand the man page - Resolves: #1248524 User can't find any hosts using "ipa host-find $HOSTNAME" - adjust search so that it works for non-admin users - Resolves: #1250093 ipa certprofile-import accepts invalid config - Require Dogtag PKI >= 10.2.6 - Resolves: #1250107 IPA framework should not allow modifying trust on AD trust agents - trusts: Detect missing Samba instance - Resolves: #1250111 User lifecycle - preserved users can be assigned membership - ULC: Prevent preserved users from being assigned membership - Resolves: #1250145 Add permission for user to bypass caacl enforcement - Add permission for bypassing CA ACL enforcement - Resolves: #1250190 idrange is not added for sub domain - idranges: raise an error when local IPA ID range is being modified - trusts: harden trust-fetch-domains oddjobd-based script - Resolves: #1250928 Man page for ipa-server-install is out of sync - install: Fix server and replica install options - Resolves: #1251225 IPA default CAACL does not allow cert-request for services after upgrade - Fix default CA ACL added during upgrade - Resolves: #1251561 ipa vault-add Unknown option: ipavaultpublickey - validate mutually exclusive options in vault-add - Resolves: #1251579 ipa vault-add --user should set container owner equal to user on first run - Fixed vault container ownership. - Resolves: #1252517 cert-request rejects request with correct krb5PrincipalName SAN - Fix KRB5PrincipalName / UPN SAN comparison - Resolves: #1252555 ipa vault-find doesn't work for services - vault: Add container information to vault command results - Add flag to list all service and user vaults - Resolves: #1252556 Missing CLI param and ACL for vault service operations - Added CLI param and ACL for vault service operations. - Resolves: #1252557 certprofile: improve profile format documentation - certprofile-import: improve profile format documentation - certprofile: add profile format explanation - Resolves: #1253443 ipa vault-add creates vault with invalid type - vault: validate vault type - Resolves: #1253480 ipa vault-add-owner does not fail when adding an existing owner - baseldap: Allow overriding member param label in LDAPModMember - vault: Fix param labels in output of vault owner commands - Resolves: #1253511 ipa vault-find does not use criteria - vault: Fix vault-find with criteria - Resolves: #1254038 ipa-replica-install pk12util error returns exit status 10 - install: Fix replica install with custom certificates - Resolves: #1254262 ipa-dnskeysync-replica crash cannot contact kdc - improve the handling of krb5-related errors in dnssec daemons - Resolves: #1254412 when dirsrv is off ,upgrade from 7.1 to 7.2 fails with starting CA and named-pkcs11.service - Server Upgrade: Start DS before CA is started. - Resolves: #1254637 Add ACI and permission for managing user userCertificate attribute - add permission: System: Manage User Certificates - Resolves: #1254641 Remove CSR allowed-extensions restriction - cert-request: remove allowed extensions check - Resolves: #1254693 vault --service does not normalize service principal - vault: normalize service principal in service vault operations - Resolves: #1254785 ipa-client-install does not properly handle dual stacked hosts - client: Add support for multiple IP addresses during installation. - Add dependency to SSSD 1.13.1 - client: Add description of --ip-address and --all-ip-addresses to man page- Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to users in IdM - store certificates issued for user entries as - user-show: add --out option to save certificates to file - Resolves: #1145748 [RFE] IPA running with One Way Trust - Fix upgrade of sidgen and extdom plugins - Resolves: #1195339 ipa-client-install changes the label on various files which causes SELinux denials - Use 'mv -Z' in specfile to restore SELinux context - Resolves: #1198796 Text in UI should describe differing LDAP vs Krb behavior for combinations of "User authentication types" - webui: add LDAP vs Kerberos behavior description to user auth - Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities - ULC: Fix stageused-add --from-delete command - Resolves: #1200694 [RFE] Support for multiple cert profiles - certprofile-import: do not require profileId in profile data - Give more info on virtual command access denial - Allow SAN extension for cert-request self-service - Add profile for DNP3 / IEC 62351-8 certificates - Work around python-nss bug on unrecognised OIDs - Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality - Validate vault's file parameters - Fixed missing KRA agent cert on replica. - Resolves: #1225866 display browser config options that apply to the browser. - webui: add Kerberos configuration instructions for Chrome - Remove ico files from Makefile - Resolves: #1246342 Unapply idview raises internal error - idviews: Check for the Default Trust View only if applying the view - Resolves: #1248102 [webui] regression - incorrect/no failed auth messages - webui: fix regressions failed auth messages - Resolves: #1248396 Internal error in DomainValidator.__search_in_dc - dcerpc: Fix UnboundLocalError for ccache_name - Resolves: #1249455 ipa trust-add failed CIFS server configuration does not allow access to \\pipe\lsarpc - Fix selector of protocol for LSA RPC binding string - dcerpc: Simplify generation of LSA-RPC binding strings - Resolves: #1250192 Error in ipa trust-fecth-domains - Fix incorrect type comparison in trust-fetch-domains - Resolves: #1251553 Winsync setup fails with unexpected error - replication: Fix incorrect exception invocation - Resolves: #1251854 ipa aci plugin is not parsing aci's correctly. - ACI plugin: correctly parse bind rules enclosed in - Resolves: #1252414 Trust agent install does not detect available replicas to add to master - adtrust-install: Correctly determine 4.2 FreeIPA servers- Resolves: #1170770 [AD TRUST]IPA should detect inconsistent realm domains that conflicts with AD DC - trusts: Check for AD root domain among our trusted domains - Resolves: #1195339 ipa-client-install changes the label on various files which causes SELinux denials - sysrestore: copy files instead of moving them to avoind SELinux issues - Resolves: #1196656 [ipa-client][rhel71] enable debugging for spawned commands / ntpd -qgc $tmpfile hangs - enable debugging of ntpd during client installation - Resolves: #1205264 Migration UI Does Not Work When Anonymous Bind is Disabled - migration: Use api.env variables. - Resolves: #1212719 abort-clean-ruv subcommand should allow replica-certifyall: no - Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommand - Resolves: #1216935 ipa trust-add shows ipa: ERROR: an internal error has occurred - dcerpc: Expand explanation for WERR_ACCESS_DENIED - dcerpc: Fix UnboundLocalError for ccache_name - Resolves: #1222778 idoverride group-del can delete user and user-del can delete group - dcerpc: Add get_trusted_domain_object_type method - idviews: Restrict anchor to name and name to anchor conversions - idviews: Enforce objectclass check in idoverride*-del - Resolves: #1234919 Be able to request certificates without certmonger service running - cermonger: Use private unix socket when DBus SystemBus is not available. - ipa-client-install: Do not (re)start certmonger and DBus daemons. - Resolves: #1240939 Please add dependency on bind-pkcs11 - Create server-dns sub-package. - ipaplatform: Add constants submodule - DNS: check if DNS package is installed - Resolves: #1242914 Bump minimal selinux-policy and add booleans to allow calling out oddjobd-activated services - selinux: enable httpd_run_ipa to allow communicating with oddjobd services - Resolves: #1243261 non-admin users cannot search hbac rules - fix hbac rule search for non-admin users - fix selinuxusermap search for non-admin users - Resolves: #1243652 Client has missing dependency on memcache - do not import memcache on client - Resolves: #1243835 [webui] user change password dialog does not work - webui: fix user reset password dialog - Resolves: #1244802 spec: selinux denial during kdcproxy user creation - Fix selinux denial during kdcproxy user creation - Resolves: #1246132 trust-fetch-domains: Do not chown keytab to the sssd user - oddjob: avoid chown keytab to sssd if sssd user does not exist - Resolves: #1246136 Adding a privilege to a permission avoids validation - Validate adding privilege to a permission - Resolves: #1246141 DNS Administrators cannot search in zones - DNS: Consolidate DNS RR types in API and schema - Resolves: #1246143 User plugin - user-find doesn't work properly with manager option - fix broken search for users by their manager- Resolves: #1131907 [ipa-client-install] cannot write certificate file '/etc/ipa/ca.crt.new': must be string or buffer, not None - Resolves: #1195775 unsaved changes dialog internally inconsistent - Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities - Stageusedr-activate: show username instead of DN - Resolves: #1200694 [RFE] Support for multiple cert profiles - Prevent to rename certprofile profile id - Resolves: #1222047 IPA to AD Trust: IPA ERROR 4016: Remote Retrieve Error - Resolves: #1224769 copy-schema-to-ca.py does not overwrites schema files - copy-schema-to-ca: allow to overwrite schema files - Resolves: #1241941 kdc component installation of IPA failed - spec file: Update minimum required version of krb5 - Resolves: #1242036 Replica install fails to update DNS records - Fix DNS records installation for replicas - Resolves: #1242884 Upgrade to 4.2.0 fails when enabling kdc proxy - Start dirsrv for kdcproxy upgrade- Resolves: #846033 [RFE] Documentation for JSONRPC IPA API - Resolves: #989091 Ability to manage IdM/IPA directly from a standard LDAP client - Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to users in IdM - Resolves: #1115294 [RFE] Add support for DNSSEC - Resolves: #1145748 [RFE] IPA running with One Way Trust - Resolves: #1199520 [RFE] Introduce single upgrade tool - ipa-server-upgrade - Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities - Resolves: #1200694 [RFE] Support for multiple cert profiles - Resolves: #1200728 [RFE] Replicate PKI Profile information - Resolves: #1200735 [RFE] Allow issuing certificates for user accounts - Resolves: #1204054 SSSD database is not cleared between installs and uninstalls of ipa - Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to Trusts - Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality - Resolves: #1204504 [RFE] Add access control so hosts can create their own services - Resolves: #1206534 [RFE] Offer Kerberos over HTTP (kdcproxy) by default - Resolves: #1206613 [RFE] Configure IPA to be a trust agent by default - Resolves: #1209476 package ipa-client does not require package dbus-python - Resolves: #1211589 [RFE] Add option to skip the verify_client_version - Resolves: #1211608 [RFE] Generic support for unknown DNS RR types (RFC 3597) - Resolves: #1215735 ipa-replica-prepare automatically adds a DNS zone - Resolves: #1217010 OTP Manager field is not exposed in the UI - Resolves: #1222475 krb5kdc : segfault at 0 ip 00007fa9f64d82bb sp 00007fffd68b2340 error 6 in libc-2.17.so - Related: #1204809 Rebase ipa to 4.2 - Update to upstream 4.2.0 - Move /etc/ipa/kdcproxy to the server subpackage- Resolves: #1228671 pkispawn fails in ipa-ca-install and ipa-kra-install - Related: #1204809 Rebase ipa to 4.2 - Fix minimum version of slapi-nis - Require python-sss and python-sss-murmur (provided by sssd-1.13.0)- Resolves: #805188 [RFE] "ipa migrate-ds" ldapsearches with scope=1 - Resolves: #1019272 With 20000+ users, adding a user to a group intermittently throws Internal server error - Resolves: #1035494 Unable to add Kerberos principal via kadmin.local - Resolves: #1045153 ipa-managed-entries --list -p still requires DM password - Resolves: #1125950 ipa-server-install --uinstall doesn't remove port 7389 from ldap_port_t - Resolves: #1132540 [RFE] Expose service delegation rules in UI and CLI - Resolves: #1145584 ipaserver/install/cainstance.py creates pkiuser not matching uidgid - Resolves: #1176036 IDM client registration failure in a high load environment - Resolves: #1183116 Remove Requires: subscription-manager - Resolves: #1186054 permission-add does not prompt to enter --right option in interactive mode - Resolves: #1187524 Replication agreement with replica not disabled when ipa-restore done without IPA installed - Resolves: #1188195 Fax number not displayed for user-show when kinit'ed as normal user. - Resolves: #1189034 "an internal error has occurred" during ipa host-del --updatedns - Resolves: #1193554 ipa-client-automount: failing with error LDAP server returned UNWILLING_TO_PERFORM. This likely means that minssf is enabled. - Resolves: #1193759 IPA extdom plugin fails when encountering large groups - Resolves: #1194312 [ipa-python] ipalib.errors.LDAPError: failed to decode certificate: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. - Resolves: #1194633 Default trust view can be deleted in lower case - Resolves: #1196455 ipa-server-install step [8/27]: starting certificate server instance - confusing CA staus message on TLS error - Resolves: #1198263 Limit deadlocks between DS plugin DNA and slapi-nis - Resolves: #1199527 [RFE] Use datepicker component for datetime fields - Resolves: #1200867 [RFE] Make OTP validation window configurable - Resolves: #1200883 [RFE] Switch apache to use mod_auth_gssapi - Resolves: #1202998 CVE-2015-1827 ipa: memory corruption when using get_user_grouplist() [rhel-7.2] - Resolves: #1204637 slow group operations - Resolves: #1204642 migrate-ds: slow add o users to default group - Resolves: #1208461 IPA CA master server update stuck on checking getStatus via https - Resolves: #1211602 Hide ipa-server-install KDC master password option (-P) - Resolves: #1211708 ipa-client-install gets stuck during NTP sync - Resolves: #1215197 ipa-client-install ignores --ntp-server option during time sync - Resolves: #1215200 ipa-client-install configures IPA server as NTP source even if IPA server has not ntpd configured - Resolves: #1217009 OTP sync in UI does not work for TOTP tokens - Related: #1204809 Rebase ipa to 4.2 - Update to upstream 4.2.0.alpha1- [ipa-python] ipalib.errors.LDAPError: failed to decode certificate: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. (#1194312)- IPA extdom plugin fails when encountering large groups (#1193759) - CVE-2015-0283 ipa: slapi-nis: infinite loop in getgrnam_r() and getgrgid_r() (#1202998)- "an internal error has occurred" during ipa host-del --updatedns (#1198431) - Renamed patch 1013 to 0114, as it was merged upstream - Fax number not displayed for user-show when kinit'ed as normal user. (#1198430) - Replication agreement with replica not disabled when ipa-restore done without IPA installed (#1199060) - Limit deadlocks between DS plugin DNA and slapi-nis (#1199128)- Fix ipa-pwd-extop global configuration caching (#1187342) - group-detach does not add correct objectclasses (#1187540)- Wrong directories created on full restore (#1186398) - ipa-restore crashes if replica is unreachable (#1186396) - idoverrideuser-add option --sshpubkey does not work (#1185410)- PassSync does not sync passwords due to missing ACIs (#1181093) - ipa-replica-manage list does not list synced domain (#1181010) - Do not assume certmonger is running in httpinstance (#1181767) - ipa-replica-manage disconnect fails without password (#1183279) - Put LDIF files to their original location in ipa-restore (#1175277) - DUA profile not available anonymously (#1184149) - IPA replica missing data after master upgraded (#1176995)- Re-add accidentally removed patches for #1170695 and #1164896- IPA Replicate creation fails with error "Update failed! Status: [10 Total update abortedLDAP error: Referral]" (#1166265) - running ipa-server-install --setup-dns results in a crash (#1072502) - DNS zones are not migrated into forward zones if 4.0+ replica is added (#1175384) - gid is overridden by uid in default trust view (#1168904) - When migrating warn user if compat is enabled (#1177133) - Clean up debug log for trust-add (#1168376) - No error message thrown on restore(full kind) on replica from full backup taken on master (#1175287) - ipa-restore proceed even IPA not configured (#1175326) - Data replication not working as expected after data restore from full backup (#1175277) - IPA externally signed CA cert expiration warning missing from log (#1178128) - ipa-upgradeconfig fails in CA-less installs (#1181767) - IPA certs fail to autorenew simultaneouly (#1173207) - More validation required on ipa-restore's options (#1176034)- Expand the token auth/sync windows (#919228) - Access is not rejected for disabled domain (#1172598) - krb5kdc crash in ldap_pvt_search (#1170695) - RHEL7.1 IPA server httpd avc denials after upgrade (#1164896)- RHEL7.1 ipa-cacert-manage renewed certificate from MS ADCS not compatible (#1169591) - CLI doesn't show SSHFP records with SHA256 added via nsupdate (regression) (#1172578)- Throw zonemgr error message before installation proceeds (#1163849) - Winsync: Setup is broken due to incorrect import of certificate (#1169867) - Enable last token deletion when password auth type is configured (#919228) - ipa-otp-lasttoken loads all user's tokens on every mod/del (#1166641) - add --hosts and --hostgroup options to allow/retrieve keytab methods (#1007367) - Extend host-show to add the view attribute in set of default attributes (#1168916) - Prefer TCP connections to UDP in krb5 clients (#919228) - [WebUI] Not able to unprovisioning service in IPA 4.1 (#1168214) - webui: increase notification duration (#1171089) - RHEL7.1 ipa automatic CA cert renewal stuck in submitting state (#1166931) - RHEL7.1 ipa-cacert-manage cannot change external to self-signed ca cert (#1170003) - Improve validation of --instance and --backend options in ipa-restore (#951581) - RHEL7.1 ipa replica unable to replicate to rhel6 master (#1167964) - Disable TLS 1.2 in nss.conf until mod_nss supports it (#1156466)- Use NSS protocol range API to set available TLS protocols (#1156466)- schema update on RHEL-6.6 using latest copy-schema-to-ca.py from RHEL-7.1 build fails (#1167196) - Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756) - "ipa trust-add ... " cmd says : (Trust status: Established and verified) while in the logs we see "WERR_ACCESS_DENIED" during verification step. (#1144121) - POODLE: force using safe ciphers (non-SSLv3) in IPA client and server (#1156466) - Add support/hooks for a one-time password system like SecureID in IPA (#919228) - Tracebacks with latest build for --zonemgr cli option (#1167270) - ID Views: Support migration from the sync solution to the trust solution (#891984)- Improve otptoken help messages (#919228) - Ensure users exist when assigning tokens to them (#919228) - Enable QR code display by default in otptoken-add (#919228) - Show warning instead of error if CA did not start (#1158410) - CVE-2014-7850 freeipa: XSS flaw can be used to escalate privileges (#1165774) - Traceback when adding zone with long name (#1164859) - Backup & Restore mechanism (#951581) - ignoring user attributes in migrate-ds does not work if uppercase characters are returned by ldap (#1159816) - Allow ipa-getkeytab to optionally fetch existing keys (#1007367) - Failure when installing on dual stacked system with external ca (#1128380) - ipa-server should keep backup of CS.cfg (#1059135) - Tracebacks with latest build for --zonemgr cli option (#1167270) - webui: use domain name instead of domain SID in idrange adder dialog (#891984) - webui: normalize idview tab labels (#891984)- ipa-csreplica-manage connect fails (#1157735) - error message which is not understandable when IDNA2003 characters are present in --zonemgr (#1163849) - Fix warning message should not contain CLI commands (#1114013) - Renewing the CA signing certificate does not extend its validity period end (#1163498) - RHEL7.1 ipa-server-install --uninstall Could not set SELinux booleans for httpd (#1159330)- Fix: DNS installer adds invalid zonemgr email (#1056202) - ipaplatform: Use the dirsrv service, not target (#951581) - Fix: DNS policy upgrade raises asertion error (#1161128) - Fix upgrade referint plugin (#1161128) - Upgrade: fix trusts objectclass violationi (#1161128) - group-add doesn't accept gid parameter (#1149124)- Update slapi-nis dependency to pull 0.54-2 (#891984) - ipa-restore: Don't crash if AD trust is not installed (#951581) - Prohibit setting --rid-base for ranges of ipa-trust-ad-posix type (#1138791) - Trust setting not restored for CA cert with ipa-restore command (#1159011) - ipa-server-install fails when restarting named (#1162340)- Update Requires on pki-ca to 10.1.2-4 (#1129558) - build: increase java stack size for all arches - Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides (#891984) - Fix dns zonemgr validation regression (#1056202) - Handle profile changes in dogtag-ipa-ca-renew-agent (#886645) - Do not wait for new CA certificate to appear in LDAP in ipa-certupdate (#886645) - Add bind-dyndb-ldap working dir to IPA specfile - Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage (#886645) - Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756) - Deadlock in schema compat plugin (#1161131) - ipactl stop should stop dirsrv last (#1161129) - Upgrade 3.3.5 to 4.1 failed (#1161128) - CVE-2014-7828 freeipa: password not required when OTP in use (#1160877)- Do not check if port 8443 is available in step 2 of external CA install (#1129481)- Update Requires on selinux-policy to 3.13.1-4- Update to upstream 4.1.0 (#1109726)- Update to upstream 4.1.0 Alpha 1 (#1109726)- Add redhat-access-plugin-ipa dependency- Re-enable otptoken_yubikey plugin- Update to upstream 4.0.3 (#1109726)- Server installation fails using external signed certificates with "IndexError: list index out of range" (#1111320) - Add rhino to BuildRequires to fix Web UI build error- ipa-client-automount fails with incompatibility error when installed against older IPA server (#1083108)- Proxy PKI URI /ca/ee/ca/profileSubmit to enable replication with future PKI versions (#1080865)- When IdM server trusts multiple AD forests, IPA client returns invalid group membership info (#1079498)- Deletion of active subdomain range should not be allowed (#1075615)- PKI database is ugraded during replica installation (#1075118)- Unable to add trust successfully with --trust-secret (#1075704)- ipa-replica-install never checks for 7389 port (#1075165) - Non-terminated string may be passed to LDAP search (#1075091) - ipa-sam may fail to translate group SID into GID (#1073829) - Excessive LDAP calls by ipa-sam during Samba FS operations (#1075132)- Do not fetch a principal two times, remove potential memory leak (#1070924)- trustdomain-find with pkey-only fails (#1068611) - Invalid credential cache in trust-add (#1069182) - ipa-replica-install prints unexpected error (#1069722) - Too big font in input fields in details facet in Firefox (#1069720) - trust-add for POSIX AD does not fetch trustdomains (#1070925) - Misleading trust-add error message in some cases (#1070926) - Access is not rejected for disabled domain (#1070924)- Remove ipa-backup and ipa-restore functionality from RHEL (#1003933)- Display server name in ipa command's verbose mode (#1061703) - Remove sourcehostcategory from default HBAC rule (#1061187) - dnszone-add cannot add classless PTR zones (#1058688) - Move ipa-otpd socket directory to /var/run/krb5kdc (#1063850)- Lockout plugin crashed during ipa-server-install (#912725)- Fallback to global policy in ipa lockout plugin (#912725) - Migration does not add users to default group (#903232)- Mass rebuild 2014-01-24- Fix NetBIOS name generation in CLDAP plugin (#1030517)- Do not add krbPwdPolicyReference for new accounts, hardcode it (#1045218) - Increase default timeout for IPA services (#1033273) - Error while running trustdomain-find (#1054376) - group-show lists SID instead of name for external groups (#1054391) - Fix IPA server NetBIOS name in samba configuration (#1030517) - dnsrecord-mod produces missing API version warning (#1054869) - Hide trust-resolve command as internal (#1052860) - Add Trust domain Web UI (#1054870) - ipasam cannot delete multiple child trusted domains (#1056120)- Missing objectclasses when empty password passed to host-add (#1052979) - sudoOrder missing in sudoers (#1052983) - Missing examples in sudorule help (#1049464) - Client automount does not uninstall when fstore is empty (#910899) - Error not clear for invalid realm given to trust-fetch-domains (#1052981) - trust-fetch-domains does not add idrange for subdomains found (#1049926) - Add option to show if an AD subdomain is enabled/disabled (#1052973) - ipa-adtrust-install still failed with long NetBIOS names (#1030517) - Error not clear for invalid relam given to trustdomain-find (#1049455) - renewed client cert not recognized during IPA CA renewal (#1033273)- hbactest does not work for external users (#848531)- PKI service restart after CA renewal failed (#1040018)- Move ipa-tests package to separate srpm (#1032668)- Fix status trust-add command status message (#910453) - NetBIOS was not trimmed at 15 characters (#1030517) - Harden CA subsystem certificate renewal on CA clones (#1040018)- Mass rebuild 2013-12-27- Remove "Listen 443 http" hack from deployed nss.conf (#1029046) - Re-adding existing trust fails (#1033216) - IPA uninstall exits with a samba error (#1033075) - Added RELRO hardening on /usr/libexec/ipa-otpd (#1026260) - Fixed ownership of /usr/share/ipa/ui/js (#1026260) - ipa-tests: support external names for hosts (#1032668) - ipa-client-install fail due fail to obtain host TGT (#1029354)- Trust add tries to add same value of --base-id for sub domain, causing an error (#1033068) - Improved error reporting for adding trust case (#1029856)- Winsync agreement cannot be created (#1023085)- Installer did not detect different server and IPA domain (#1026845) - Allow kernel keyring CCACHE when supported (#1026861)- ipa-server-install crashes when AD subpackage is not installed (#1026434)- Update to upstream 3.3.3 (#991064)- Temporarily move ipa-backup and ipa-restore functionality back to make them available in public Beta (#1003933)- Server install failure during client enrollment shouldn't roll back (#1023086) - nsds5ReplicaStripAttrs are not set on agreements (#1023085) - ipa-server conflicts with mod_ssl (#1018172)- Reinstalling ipa server hangs when configuring certificate server (#1018804)- Deprecate --serial-autoincrement option (#1016645) - CA installation always failed on replica (#1005446) - Re-initializing a winsync connection exited with error (#994980)- Update to upstream 3.3.2 (#991064) - Add delegation info to MS-PAC (#915799) - Warn about incompatibility with AD when IPA realm and domain differs (#1009044) - Allow PKCS#12 files with empty password in install tools (#1002639) - Privilege "SELinux User Map Administrators" did not list permissions (#997085) - SSH key upload broken when client joins an older server (#1009024)- Remove dependency on python-paramiko (#1002884) - Broken redirection when deleting last entry of DNS resource record (#1006360)- Remove ipa-backup and ipa-restore functionality from RHEL (#1003933)- Replica installation fails for RHEL 6.4 master (#1004680) - Server uninstallation crashes if DS is not available (#998069)- Unable to remove replica by ipa-replica-manage (#1001662) - Before uninstalling a server, warn about active replicas (#998069)- Update to upstream 3.3.1 (#991064) - Update minimum version of bind-dyndb-ldap to 3.5- Fix replica installation failing on certificate subject (#983075)- Allow ipa-tests to work with older version (1.7.7) of python-paramiko- Prevent multilib failures in *.pyo and *.pyc files- ipa-server-install fails if --subject parameter is other than default realm (#983075) - do not allow configuring bind-dyndb-ldap without persistent search (#967876)- diffstat was missing as a build dependency causing multilib problems- Remove ipa-server-selinux obsoletes as upgrades from version prior to 3.3.0 are not allowed - Wrap server-trust-ad subpackage description better - Add (noreplace) flag for %{_sysconfdir}/tmpfiles.d/ipa.conf - Change permissions on default_encoding_utf8.so to fix ipa-python Provides- Update to upstream 3.3.0 (#991064)- Require slapi-nis 0.47.7 delivering a core feature of 3.3.0 release- Update to upstream 3.3.0 Beta 2 (#991064)- Update to upstream 3.2.2 - Drop ipa-server-selinux subpackage - Drop redundant directory /var/cache/ipa/sessions - Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost - Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency issues when there are still old parts of software (like entitlements plugin)- Update to upstream 3.2.1 - Drop dogtag-pki-server-theme requires, it won't be build for RHEL-7.0- Add OTP patches - Add patch to set KRB5CCNAME for 389-ds-base- Update to upstream 3.2.0 GA - ipa-client-install fails if /etc/ipa does not exist (#961483) - Certificate status is not visible in Service and Host page (#956718) - ipa-client-install removes needed options from ldap.conf (#953991) - Handle socket.gethostbyaddr() exceptions when verifying hostnames (#953957) - Add triggerin scriptlet to support OpenSSH 6.2 (#953617) - Require nss 3.14.3-12.0 to address certutil certificate import errors (#953485) - Require pki-ca 10.0.2-3 to pull in fix for sslget and mixed IPv4/6 environments. (#953464) - ipa-client-install removes 'sss' from /etc/nsswitch.conf (#953453) - ipa-server-install --uninstall doesn't stop dirsrv instances (#953432) - Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON behavior for socket based connections (#960222) - Require libsss_nss_idmap-python - Add Conflicts on nss-pam-ldapd < 0.8.4. The mapping from uniqueMember to member is now done automatically and having it in the config file raises an error. - Add backup and restore tools, directory. - require at least systemd 38 which provides the journal (we no longer need to require syslog.target) - Update Requires on policycoreutils to 2.1.14-37 - Update Requires on selinux-policy to 3.12.1-42 - Update Requires on 389-ds-base to 1.3.1.0 - Remove a Requires for java-atk-wrapper- Remove release from krb5-server in strict sub-package to allow for rebuilds.- Add a Requires for java-atk-wrapper until we can determine which package should be pulling it in, dogtag or tomcat.- Update to upstream 3.2.0 Beta 1- Update to upstream 3.2.0 Prerelease 1 - Use upstream reference spec file as a base for Fedora spec file- Rebuild for broken deps - Fix 389-ds-base strict dep to be 1.3.0.5 and krb5-server 1.11.1- Rebuild for broken deps in rawhide - Fix 389-ds-base strict dep to be 1.3.0.3- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild- Update to upstream 3.1.2 - CVE-2012-4546: Incorrect CRLs publishing - CVE-2012-5484: MITM Attack during Join process - CVE-2013-0199: Cross-Realm Trust key leak - Updated strict dependencies to 389-ds-base = 1.3.0.2 and pki-ca = 10.0.1- Remove redundat Requires versions that are already in Fedora 17 - Replace python-crypto Requires with m2crypto - Add missing Requires(post) for client and server-trust-ad subpackages - Restart httpd service when server-trust-ad subpackage is installed - Bump selinux-policy Requires to pick up PKI/LDAP port labeling fixes- Updated to upstream 3.1.0 GA - Set minimum for sssd to 1.9.2 - Set minimum for pki-ca to 10.0.0-1 - Set minimum for 389-ds-base to 1.3.0 - Set minimum for selinux-policy to 3.11.1-60 - Remove unneeded dogtag package requires- Update Requires on krb5-server to 1.11- Configure CA replication to use TLS instead of SSL- Updated to upstream 3.0.0 GA - Set minimum for samba to 4.0.0-153. - Make sure server-trust-ad subpackage alternates winbind_krb5_locator.so plugin to /dev/null since they cannot be used when trusts are configured - Restrict krb5-server to 1.10. - Update BR for 389-ds-base to 1.3.0 - Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca - Add Requires on zip for generating FF browser extension- Updated to upstream 3.0.0 rc 2 - Include new FF configuration extension - Set minimum Requires of selinux-policy to 3.11.1-33 - Set minimum Requires dogtag to 10.0.0-0.43.b1 - Add new optional strict sub-package to allow users to limit other package upgrades.- Require samba packages instead of obsoleted samba4 packages- Updated to upstream 3.0.0 rc 1 - Update BR for 389-ds-base to 1.2.11.14 - Update BR for krb5 to 1.10 - Update BR for samba4-devel to 4.0.0-139 (rc1) - Add BR for python-polib - Update BR and Requires on sssd to 1.9.0 - Update Requires on policycoreutils to 2.1.12-5 - Update Requires on 389-ds-base to 1.2.11.14 - Update Requires on selinux-policy to 3.11.1-21 - Update Requires on dogtag to 10.0.0-0.33.a1 - Update Requires on certmonger to 0.60 - Update Requires on tomcat to 7.0.29 - Update minimum version of bind to 9.9.1-10.P3 - Update minimum version of bind-dyndb-ldap to 1.1.0-0.16.rc1 - Remove Requires on authconfig from python sub-package- Rebuild against samba4 beta8- Rebuild against samba4 beta7- Adopt to samba4 beta6 (libsecurity -> libsamba-security) - Add dependency to samba4-winbind- Updated to upstream 3.0.0 beta 2- Updated to current upstream state of 3.0.0 beta 2 development- Rebuild against samba4 beta4- Updated to upstream 3.0.0 beta 1- Updated to upstream 2.2.0 GA - Update minimum n-v-r of certmonger to 0.53 - Update minimum n-v-r of slapi-nis to 0.40 - Add Requires in client to oddjob-mkhomedir and python-krbV - Update minimum selinux-policy to 3.10.0-110- Update to upstream 2.2.0 beta 1 (2.1.90.rc1) - Set minimum n-v-r for pki-ca and pki-silent to 9.0.18. - Add Conflicts on mod_ssl - Update minimum n-v-r of 389-ds-base to 1.2.10.4 - Update minimum n-v-r of sssd to 1.8.0 - Update minimum n-v-r of slapi-nis to 0.38 - Update minimum n-v-r of pki-* to 9.0.18 - Update conflicts on bind-dyndb-ldap to < 1.1.0-0.9.b1 - Update conflicts on bind to < 9.9.0-1 - Drop requires on krb5-server-ldap - Add patch to remove escaping arguments to pkisilent- Update to upstream 2.2.0 alpha 1 (2.1.90.pre1)- Force to use 389-ds 1.2.10-0.8.a7 or above - Improve upgrade script to handle systemd 389-ds change - Fix freeipa to work with python-ldap 2.4.6- Fix ipa-replica-install crashes - Fix ipa-server-install and ipa-dns-install logging - Set minimum version of pki-ca to 9.0.17 to fix sslget problem caused by FEDORA-2011-17400 update (#771357)- Allow Web-based migration to work with tightened SE Linux policy (#769440) - Rebuild slapi plugins against re-enterant version of libldap- Allow longer dirsrv startup with systemd: - IPAdmin class will wait until dirsrv instance is available up to 10 seconds - Helps with restarts during upgrade for ipa-ldap-updater - Fix pylint warnings from F16 and Rawhide- Update to upstream 2.1.4 (CVE-2011-3636)- Update SELinux policy to allow ipa_kpasswd to connect ldap and read /dev/urandom. (#759679)- Fix wrong path in packaging freeipa-systemd-upgrade- Introduce upgrade script to recover existing configuration after systemd migration as user has no means to recover FreeIPA from systemd migration - Upgrade script: - recovers symlinks in Dogtag instance install - recovers systemd configuration for FreeIPA's directory server instances - recovers freeipa.service - migrates directory server and KDC configs to use proper keytabs for systemd services- Rebuilt for glibc bug#747377- clean up spec - Depend on sssd >= 1.6.2 for better user experience- Fix Fedora package changelog after merging systemd changes- Fix postin scriplet for F-15/F-16- 2.1.3- Default to systemd for Fedora 16 and onwards- Update to upstream 2.1.0- Fix bug #702633- Update minimum selinux-policy to 3.9.16-18 - Update minimum pki-ca and pki-selinux to 9.0.7 - Update minimum 389-ds-base to 1.2.8.0-1 - Update to upstream 2.0.1- Update to upstream GA release - Automatically apply updates when the package is upgraded- Update to upstream freeipa-2.0.0.rc2 - Set minimum version of python-nss to 0.11 to make sure IPv6 support is in - Set minimum version of sssd to 1.5.1 - Patch to include SuiteSpotGroup when setting up 389-ds instances - Move a lot of BuildRequires so this will build with ONLY_CLIENT enabled- Set the N-V-R so rc1 is an update to beta2.- Set minimum version of sssd to 1.5.1 - Update to upstream freeipa-2.0.0.rc1 - Move server-only binaries from admintools subpackage to server- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Set min version of 389-ds-base to 1.2.8 - Set min version of mod_nss 1.0.8-10 - Set min version of selinux-policy to 3.9.7-27 - Add dogtag themes to Requires - Update to upstream freeipa-2.0.0.pre2- Remove unnecessary moving of v1 CA serial number file in post script - Add Obsoletes for server-selinxu subpackage - Using git snapshot 442d6ad30ce1156914e6245aa7502499e50ec0da- Prepare spec file for release - Using git snapshot 80e87e75bd6ab56e3e20c49ece55bd4d52f1a503- Re-arrange doc and defattr to clean up rpmlint warnings - Remove conditionals on older releases - Move some man pages into admintools subpackage - Remove some explicit Requires in client that aren't needed - Consistent use of buildroot vs RPM_BUILD_ROOT- Moved directory install/static to install/ui- Remove dependency on nss_ldap/nss-pam-ldapd - The official client is sssd and that's what we use by default.- Remove radius subpackages- Set minimum pki-ca and pki-silent versions to 9.0.0- Drop BuildRequires on mozldap-devel- Add Requires on krb5-pkinit-openssl- Add ipa-host-net-manage script- Add ipa init script- Set minimum level of 389-ds-base to 1.2.7 for enhanced memberof plugin- remove ipa-fix-CVE-2008-3274- Remove duplicate %files entries on share/ipa/static - Add python default encoding shared library- Drop requires on python-configobj (not used any more) - Drop ipa-ldap-updater message, upgrades are done differently now- Drop conflicts on mod_nss - Require nss-pam-ldapd on F-14 or higher instead of nss_ldap (#606847) - Drop a slew of conditionals on older Fedora releases (< 12) - Add a few conditionals against RHEL 6 - Add Requires of nss-tools on ipa-client- Set minimum version of certmonger to 0.26 (to pck up #621670) - Set minimum version of pki-silent to 1.3.4 (adds -key_algorithm) - Set minimum version of pki-ca to 1.3.6 - Set minimum version of sssd to 1.2.1- Add BuildRequires for authconfig- Bump up minimum version of python-nss to pick up nss_is_initialize() API- Removed python-asset based webui- Change Requires from fedora-ds-base to 389-ds-base - Set minimum level of 389-ds-base to 1.2.6 for the replication version plugin.- Drop Requires of python-krbV on ipa-client- Load ipa_dogtag.pp in post install- Set minimum level of sssd to 1.1.1 to pull in required hbac fixes.- No need to create /var/log/ipa_error.log since we aren't using TurboGears any more.- Fixed share/ipa/wsgi.py so .pyc, .pyo files are included- Added Require mod_wsgi, added share/ipa/wsgi.py- Require python-wehjit >= 0.2.2- Add sssd and certmonger as a Requires on ipa-client- Require python-wehjit >= 0.2.0- Add ipa-rmkeytab tool- Set minimum of python-pyasn1 to 0.0.9a so we have support for the ASN.1 Any type- Remove v1-style /etc/ipa/ipa.conf, replacing with /etc/ipa/default.conf- Add bash completion script and own /etc/bash_completion.d in case it doesn't already exist- Remove ipa_webgui, its functions rolled into ipa_httpd- Removed python-cherrypy from BuildRequires and Requires - Added Requires python-assets, python-wehjit- Added httpd SELinux policy so CRLs can be read- Move ipalib to ipa-python subpackage - Bump minimum version of slapi-nis to 0.15- Set 0.14 as minimum version for slapi-nis- Add Requires: python-nss to ipa-python sub-package- Remove the IPA DNA plugin, use the DS one- Build radius separately - Fix a few minor issues- Replace TurboGears requirement with python-cherrypy- rebuild with new openssl- Fix SELinux code- Fix breakage caused by python-kerberos update to 1.1- New upstream release 1.2.1- Rebuild for Python 2.6- Respin after the tarball has been re-released upstream New hash is 506c9c92dcaf9f227cba5030e999f177- Conditionally restart also dirsrv and httpd when upgrading- Update to upstream version 1.2.0 - Set fedora-ds-base minimum version to 1.1.3 for winsync header - Set the minimum version for SELinux policy - Remove references to Fedora 7- Fix for CVE-2008-3274 - Fix segfault in ipa-kpasswd in case getifaddrs returns a NULL interface - Add fix for bug #453185 - Rebuild against openldap libraries, mozldap ones do not work properly - TurboGears is currently broken in rawhide. Added patch to not build the UI locales and removed them from the ipa-server files section.- Add call to /usr/sbin/upgradeconfig to post install- Update to upstream version 1.1.0 - Patch for indexing memberof attribute - Patch for indexing uidnumber and gidnumber - Patch to change DNA default values for replicas - Patch to fix uninitialized variable in ipa-getkeytab- Set fedora-ds-base minimum version to 1.1.0.1-4 and mod_nss minimum version to 1.0.7-4 so we pick up the NSS fixes. - Add selinux-policy-base(post) to Requires (446496)- Add missing entry for /var/cache/ipa/kpasswd (444624) - Added patch to fix permissions problems with the Apache NSS database. - Added patch to fix problem with DNS querying where the query could be returned as the answer. - Fix spec error where patch1 was in the wrong section- Added patch to fix problem reported by ldapmodify- Fix Requires for krb5-server that was missing for Fedora versions > 9 - Remove quotes around test for fedora version to package egg-info- Update to upstream version 1.0.0- Pull upstream changelog 722 - Add Conflicts mod_ssl (435360)- Pull upstream changelog 698 - Fix ownership of /var/log/ipa_error.log during install (435119) - Add pwpolicy command and man page- Pull upstream changelog 678 - Add new subpackage, ipa-server-selinux - Add Requires: authconfig to ipa-python (bz #433747) - Package i18n files- Pull upstream changelog 641 - Require minimum version of krb5-server on F-7 and F-8 - Package some new files- Marked with wrong license. IPA is GPLv2.- Ensure that /etc/ipa exists before moving user-modifiable html files there - Put html files into /etc/ipa/html instead of /etc/ipa- Pull upstream changelog 608 which renamed several files- package the sessions dir /var/cache/ipa/sessions - Pull upstream changelog 597- Updated upstream pull (596) to fix bug in ipa_webgui that was causing the UI to not start.- Included LICENSE and README in all packages for documentation - Move user-modifiable content to /etc/ipa and linked back to /usr/share/ipa/html - Changed some references to /usr to the {_usr} macro and /etc to {_sysconfdir} - Added popt-devel to BuildRequires for Fedora 8 and higher and popt for Fedora 7 - Package the egg-info for Fedora 9 and higher for ipa-python- Added auto* BuildRequires- Unified spec file- Fixed License in specfile - Include files from /usr/lib/python*/site-packages/ipaserver- Version bump for release- Preverse mode on ipa-keytab-util - Version bump for relase and rpm name change- Broke invididual Requires and BuildRequires onto separate lines and reordered them - Added python-tgexpandingformwidget as a dependency - Require at least fedora-ds-base 1.1- Version bump for release- Add dep for freeipa-admintools and acl- Add dependency for python-krbV- Require mod_nss-1.0.7-2 for mod_proxy fixes- Convert to autotools-based build* Fri Sep 7 2007 Karl MacMillan - 0.3.0-1 - Added support for libipa-dna-plugin- Added support for ipa_kpasswd and ipa_pwd_extop- Abstracted client class to work directly or over RPC- Add mod_auth_kerb and cyrus-sasl-gssapi to Requires - Remove references to admin server in ipa-server-setupssl - Generate a client certificate for the XML-RPC server to connect to LDAP with - Create a keytab for Apache - Create an ldif with a test user - Provide a certmap.conf for doing SSL client authentication- Initial rpm version/bin/sh/bin/sh/bin/shfreeipa-server-trust-adipa-idoverride-memberof-plugin 4.9.24.9.2-3.module_el8.5.0+750+c59b186b4.9.2-3.module_el8.5.0+750+c59b186b 4.9.20.1 oddjob-ipa-trust.confoddjobd-ipa-trust.conf.build-id443056ee738a1dbe65671366ff084db12ae12f35ef6de10f20f94e4aa62a9c8d8cd775afee1a124flibipa_cldap.sowinbind_krb5_locator.soipasam.socom.redhat.idm.trust-fetch-domainsipa-adtrust-installipa-server-trust-adContributors.txtREADME.mdipa-cldap-conf.ldifsmb.conf.emptyipa-server-trust-adCOPYINGipa-adtrust-install.1.gz/etc/dbus-1/system.d//etc/oddjobd.conf.d//usr/lib//usr/lib/.build-id//usr/lib/.build-id/44//usr/lib/.build-id/ef//usr/lib64/dirsrv/plugins//usr/lib64/krb5/plugins/libkrb5//usr/lib64/samba/pdb//usr/libexec/ipa/oddjob//usr/sbin//usr/share/doc//usr/share/doc/ipa-server-trust-ad//usr/share/ipa//usr/share/licenses//usr/share/licenses/ipa-server-trust-ad//usr/share/man/man1/-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protectioncpioxz2x86_64-redhat-linux-gnu  exported SGML document, ASCII textXML 1.0 document, ASCII textdirectoryELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=443056ee738a1dbe65671366ff084db12ae12f35, strippedemptyELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=ef6de10f20f94e4aa62a9c8d8cd775afee1a124f, strippedPython script, ASCII text executableUTF-8 Unicode textASCII texttroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)@A$PRRRR.RRRRRRR R R RRRRRRRRRR"R/R-R R7RRR%R#RR(R)R'RR,RR.RRR R RR R!RR"R/R-R&R R$R+RRRRRRRR R7RR/usr/libexec/platform-python -c "import sys; from ipalib import facts; sys.exit(0 if facts.is_ipa_configured() else 1);" > /dev/null 2>&1 if [ $? -eq 0 ]; then # NOTE: systemd specific section /bin/systemctl try-restart httpd.service >/dev/null 2>&1 || : # END fi/bin/shutf-8d0893ac3aaf5d935d0cc3bbbac8b84513baf2e3a907a02cd43df6a1ffda9b44eidm:DL1:8050020210331231356:3d2c466f?P7zXZ !#,r] b2u Q{LPԞ|[np|70&dṲ/j7?<4R*x\|Q&#O!r)#0ϏF\̦B*ltŦs OY`gĕ߻a]yɧ$6jV\qe:,oԣۣ&xF>kC!=Tq:@|Æ3*S]qP랋a\.馎/3 7<|+®,kihc~(:鋩m@&mq/;q7=)<\C14Kj5 !3xae2f:^ܒl"']e:w %WMLD_vYm*fX(E1VpF{C՝e|.oMOQ^ -˶Z!`Lv!nn@m.;ډ  {o@x<+˟UvTBYܮ^LR[E8,\}zBe{$dDxK!Oà*߮7h\@-f@/:D@r,go {d-P]I6JMfҕO7j1Gz}Q}" n㫁9TzpnX;ʤMSs C@2.,Oϯ`N}3Cp0 C13rr5rK#<]yx^602)KS&Ř&9Lj Ek/#^,7)R6oW \Kh+vI^Wɫ;3(VN8fjs3svil@闼ǿhfAzE,|x_34,Д^4+:lmZ l Awq (E}@} C+:1y{?Ey hM.aE!y˲EHnD70+3 Mg3p1nВHw0wEdGia&C|4-nzڿ"Mz081{R7>mbx)> zL{=i{}|Ɛ)JC Xm?.#1͚!Mr I>|ruhyz_*:rKtEt3I>.n*5b2`ID~Pa?d<,xij0F>--%+ivWqAmk־)[?Cgh4㷪8Q˚lQa`W*`c :Q^Fzeo䟤rN@ UOA)x6ŤȐ97WWx5#baO)qwWc tIq60u2E$сଦTGn6mHǩ jwʳ6O3E)'OYjGN7Í|a+%<Ef8ͺxe1K= ;kDA a8߷Hwkմ259m~CHlɘ$Kuihqk;ƲrKNksXcY{^D! o4q@ᛁ*HeniX;0,ՋC) \Jߐʳ/"O;|r[ {Jי cٮx;NKlU,OS\: <[1~g3[NMzA7o< 餯iF(vE%=TįP?Î:7;0\%F]_&%S=X koRX%iZZEEM|Ƭi L^c1@ UGdPd+ȢЧ&J0YD[w2,sO8!Pu,Rg8'`Q^?:5Ļxi^Z'nCPkBߦCC@SB.Cv45`.PLF x,Y&?hE.- 5 @v?D~,! b}9o cOmƔ sܜa͓f[[I1؆h~x/.1P3h#R/X] )( qa|=1y:-2}AE9&'h5P;ܷ i#&e(bT;G(Gl!D}/F lnk'X 8mL ?_d.lEryt# FSG"# Ef9_Wƾ&Ph%B`XCIYԞB0Ȇ@P.BݴP[PV{^x P #⡠ M'{Hͨ6Y婣^b[#g`\w ڐUJB55:fȢqd8f-{iHm0aX%MKIOZAG{ ߡ!{!;J4˝}J1=YImY ;?!T yGu _"["h+H^ պ9.vuwcQPh9 ߤN3t" tI<&p.3Y+LQ%w60n %2FZ"3p M2v>!JcP8~ݑB#sNr>&>A:q kݷ8[穕b id]5RDSmr+v/"i[0g3zw AP"_p4S;&Ţ3\IEsv:c~q!y8=M c1u 3B rjK1cb*MvYs}ȪQr2>=2l}Il 1_1n!3zg2/EM*ndx@YDW0KB$/qV&9:."2ِ6tEdYA样N E)&ЍTildԠ9|p]H:yљD/bEEU=i "$'q`]cJ<"a?qYa);Tv qVCGn' 3^,>B;z2~yE9~rЙNT8c]I + .D޵W.-W#"z( U5HpEOfK"3+e׎3=auIX$ 뷝u]+&hG}D AZQ<H.WQ$lxHL:㆘yn5 p ]lR Lxč5`F!ʤu9! AdM8Bet2ua7X~Z@>FTP^jK.} _/ Az tc=z&~.NqD6-bͣ<OpK9lE Ժǰ6d]K`T ÷?0%Ǩx~eJbT/I spG7t`Xt*LyS9:z Q}v,],6VREb ') ܺM9{epxݨQ{8"޲' ;Ьۯ=(m}[KHim4d)dUr)|`Gn..퀎2,JANCry^V0FU-򀸥7zj.t~ӸXV.䋤cDŨyk2;*[ /JCp9Y02I?N%/0Vג sQ|\0HQ>2b g Oy54 kFHG3s񦬊v:0Hm3}m`hWgoXkIsf68Nha/Q`\E@2wibf3_弋/}hjH }UhC"Y7U73_%"tNT*#L FQN=i! {I2qhFQEͳA3 Ţsq+jBZ%!_og0zpmrݫ %9 }8+l]uiPua)PZsY&*P]WWu)*(v^'Z\`{;hh Mylx`dQY[tZ. ֒|3w|9.EK|iXq^bћʧ&SՃ)49o.#GS&O<ظe %]@Kj1 :[/q,Q\+&Pܞ\S?UtVi"Uܻ4JgQ|xI͵R1,=6E5ڶlL*c/6mO+b- Mp"zi%{b:-l{3Bmpiׯ>w<?@!CRtg=[DM Qi}-ԬÍeEě4wyTSwSp@ϊڅa֬l-$?Gm[:po><;;c-3_S;b^fEr- \j?$3OW;w'w'ݔo@.pv8K&;3k,;W_!/MZq/@;(?:[bOEe>WG@.wloߨj[U9aY] C(m]O=BbivpyWIb"n{2ݐ LoːVE֔iEֻ)<(zSug]n f@L=]S5N._oC hU g5U#LzmmIo2fAoQgZuKAj>wxb>'9IvSl- zݘѕf!/Pu1l's|j<NM@ E +p&^l;dw[! ӢPΩVhڣW܊VY,ې%U0\Ψn}"3#.?؏ e@OQyqÜ=d,)=*[/-&#w?$QeN]d*I L6d'gSZ!ݫ8{Ɣ;eu8U@CTٖ,O7,,r|"#6,`[k ";8> Resf?p;EjcL*isiu|Oizj& >}Љֱ=$S*Vyɪ&h!-ҩz*; ovPyD \>]\yO#vY4Z(U꼉FYOaL c9QMb7!JĨֶ~5XlɹptG:&H)RUCCyw2Lsmz/)CN3 o'njkJ(hAyìļ~yileJ@7I ZIw[ pmHۮѦO{^cktj6dBۑvz_A.ïaEיK0'_m\cCBGhEס,V>8meN-a@ETs6X{zHd"rpȜӂ\Ăn*"3[~+A{}e [b(LasbK1 oAدܧ!9YNcitxHse'q1_K$AҮ8*%;&\m7_ D|*N<򣩎bX]ze}X`${)jR=ȭu rb:4\E6-v=̓ TbY=}Tpe7٬ 9Qrr9歎WrAp|,"0}\x;,v dϽcV)Oect뿴j G7}2OF/d8 DNi$cut]_ Jtq8>j#%k*tWrA2sovLn aX$KTjyѣocRԮ$~~>3Մ=SωxEr%3J꧆+E+B0zPc,D ޤutނ6dW˒AOħOb3`U8.Ss{t,9?p˪''OR"ekHHtܐۋ|7AhO蟚bLojNUndW, t +_s, >s4#iqio_;VNn-vaDvHo?Qm @ip^U_e %AKW6jU02w-;*u;}O(ƞT<3 ÖwK;=׊,je1:Nk^9|y{q;t[3zC'&vɯ|? e&2TIW XqKvqy3hv<K3vOFPUjLJ?~H,zr"6KrE7p:#ٷ"" S=C*soێ@40&ܱ1bpEzx5ƾpx!eTƝ#0{DZDt>2V4q:̶yߦ4Ef3>ƍ4v&n/`rԏzGl. Q )eS$m0#}*,9-+>ll˖:KU#+!F-xN9x (*j1̀Tؼo i \h)bKä EG"^\O Q oյ9eT 4\n j38-K}#:+<&PمB e?HEY>jZӱkk`_*DY(¤`irP"g].yP5\{HUY8%"m:`{kҦ%@IMT<-KT檶ڮǚts7*A5~ $P !։。l4 ؜֗دi,0IǗ#[]j9wL,q"jU"W$Gزu([ZJU& 0\aV۽n4fuMГN7gw&k6;U462Ut;ٱul'S[8{36{*\NssúiΡI'% ; R3~B`ۈ\#&h{vItl"H{:lJI";1T<ҎC|M: :ZT#Ow(sOR~%׻ 9 hD@SZ8JZo@  3hwW!-ANg%Pʝe;Q YɾJKF;>dv{\SLc2.(LˏJ> u0u#}{#&Q:u+l9DSx&/ye͍B.|FSV/D@tf(P]aUDm,- ~q-u" -qELD>^^@wemke85:;A"E)itC1jON U sD՜D-g.%,4 p relwWO۴c0`;Kqk>Ӛ,׆*_%SIbjՁ|^%  l?s#H}%' +iʤ^|sL?᜗]wLFt8:G ›;5YkqF# 1Py@3L-]]w|m%J T m)rR@KxqzAp4HDb`Ypoew²^sѪ@554 G3#aa\"O7o?:ߤak.HrD{0X0H#]u>8kj間.&hV0GF)nfEeF8֭VoFuFY_Bd,\c)eH\et y1<1yۊ3 kUhBo 鑧qĥ*1L7m&'+<5*%聃jZ8I 4e% >yM$%áJH{8Djywݗ3^髎D]zH#0-ZV AN,~L3F+6nKţeڻazzL4)): vV.GA_ZLe5t[-/A%.oC`k[/ KBW|R.n\]]׵wiji$MQ.Ʈ==Q;7sU?7nk a.;{S]9GulSxn ?Mݚ|3c/{҅PmZC~1g!n:´$p`J E~mZJsV0D\K(s W+ لqF]_ $y'OܦM$phJU u;TTjjR5u}%Җ_Ls?L1lTtXBxpJJ^UwiS0!)m~_H^D~팡$).]jr4F eyiU+N!I/YJkV۹jz~9ՙdU޴]GAFcthUwNwS] \$݀;[ ΃?v3$y lSl̾$o&eGt|igv<)R vt e}^c\wrYGBѤz(hNM/9Ų]3 E7h v&{[<$ı~MMo œ~ $N}3`ɋ#9GrNj'MNY), !_~%gWk'2?Yν5.aLjo_s1sI'L K d_"T(Hؼp9[oM*j8roZ+"q*`?.kB&R 5"vVz|ueӒ]Gɩ7N\.w"TVH%qx=\õ$&wHL=s EoHNH|JږX@Hj&!#2ϮՐ`ƋjҌI8<][`.Hkv?YTL`NEZɏZ?Ў=4uA'q#Z0ax!>d/` 5D Me3Q?:vm37$:l;T.~w6s)0\pzd.?AݜgCMc* Ufq%B>Cz2ԁ'#<(u| w(b7RX&vRUBf59py,E1t0u5'{fu+4f^*7ڮ ڎsfr~kqR5c,y7]ljYgSl{ L?bȇA6ٛg-VYͺyFcCѶ-M,}s;w[ 'M4~]eYix cdf,*"M*4;~3<ә% |ͺ߷k YI뽥,Cxue=}VctvU )!K&jYk0 L!#ƚȃƁB@u.-7HaHFgh" @o1F{#{68T ;%x(يa ^eaW=/ZړƵƕNec6(< ^49lH W[#Љt~=S y{t}D2u\3fq{ 08nLh>(f1ip˩+|҈Ag(j$SKMY|m9 jCd?_6F{o#`S"S?v~I)ۤ[g5s&=QRT~SM*B>T0VIYCfJ|ۊE=E &I—.t7vb`uZX.OBMɪ :ՁxMO/HN(QUk[ v6_9b?Q?IUN.:S.M[ܸ8z;B:-  %>bLzu} [O#x- #.fV\;Qx`DgM)Eo[Dv܂x jn gXUi.tVOkDV/VNqJUO* ^K$hٳ2$+ DdyΟ!"}fn2VkVL3Ut"x;٤:/p(BģB2p:v Y'㽓D0{$K#muƇßG_++]]- f`g:al'n:y{p1/' Y\~/΄"M093 Y) FjL=s6\Qc)~%gF߫Dlh 6}k1:›#N.Fę{uQ!Q`# L.0h +k8GN?cV"G^ʊ,cb(/F:ZQch7)Gplsr?elwpD~g{łCM.[m&3_*4r4zubOdqCZ`,tQ7%#Lz&!0K0vcfiO} a{ K v,xҞ3WUA| T(Y,o32J%}{IS1:/|r)+g]Կz;slފ+'m7Kx2 `wC#_mR{Xnju01' J*vTWV\>AA_ӵ a"MinTT COˈ9ԄG+FR+ׄfV$t'jM ά{dLYPk7,D`9&O-H|TkS`!CCG|2XS m}K$mdzoNx;T+h9 Ag?hrJrB!tр32o1.YyI(_Zè'AF$S}0|8|Xyr貮k"h`gz+8+c®b!`9E`5i0Ufbe3]*ӄO50d>ɶ|-hڥ1v~€!z}Ӝa(@qݘE _ iv^fD jMT c7zv & [N/̂FAB^#frΓt|x簪E@q !ʆ adB݂hf[L?>^z@Q"8 حqqjee'$u uB 1=yk J Ze܃%7C3 ֕/o7Z,t$TgKB;IQԭ.n9*j *Ba3QiFoipVEF^LsO_[æ"/"ǽ"}#²K&FQE᥋+FL=VqtV$7Z'jZe03Aq. C'Wz Khhp%Q0U S`K1CJPّJID3 ~k+{jۋۡ! dܼ$@`)8b((5h(Ȫ`p ܸ>EY[jԟ԰|w,󾖁(uF+jvR U\y H"?:Ҏgۆ?E:cYY>k+[{qg`eci'5"7!נ?ȰL9z&d*Sp i:-%(z4<*K+iÌ64z<=E3Z|m?n/piFZ k~fG2_)éһ@u1I#5Wv#X&[ Ea3Pj5(,)8w1]\7ـLBβ]:B5C6}8WhFOo,ࣳ=l/-KaZSZ[=f7|R9¦V:>Pcs&?nzB?YY<k4d6֡ؑSTXHgK7  ;9[/ENRǨ5 {o+(x'\ꄌii1FĚ/_s)so,bcI_yѪ*.ڛ~T)y4?~3o``D;YQAq&=_C3.q4~ iE4 ZU8PYѫñö$LE{Kp` n(|m2OEeOD1gM41-4I %(#z&RL$e$/NX.Ms)sh >L frHuI#HƯe{StQ)^ɧlB;_:ۓ |fAtPNk1q ,Q4B"V尌]ml'd1s30lHcЁe]Fp3Q}aN0QW.HuW( t- %4[}xW2aF0"Q$NiQY͟#3*adLm7'VGqZO~}(_7޸DQxMy(!)NWvR; tI[wryƶTn3*`Ĺlub{.5^ IڸΓIj1c|Aؐ@jԚNuHi\luS}@#5{k$vl;*5$B>ehk:9|&7sͽuthJQK|M X=ov<Mr({wݑtx3{$]${LnCN4cU4,38zW<3)gY&N J/(NQ f9_;0%"T'C&hMeOkO4_TN\#w4 DN5tU/]$埑`G2o!h^Ѥ^q0=N*'@9"05+=#vT6A 6{…@h|*է52gw\rВrtk3"xxD_68R`DP81NSYae`֕}-QFIk=tv ;> OE]20x +HyK% PT9b€44D(m#P/,;u5nXBn3E*M^W+]zUPT4Pq;UDzbڍtX`r-ǎf {9Hl<4³]TϱtV\T1}'|pya:ڙruZ$):a/df:s2Y+Z฀ǟPX4K8j;s,OOp!4?,h4ȗk}]c+ {Gi\P?b_(䎭 HEzRo_~Rd ҭuHv<`5M 4!`MAj{%_`q pC).HZJt,Oh_d`$ZPk0 foW—2 xAc۠~X Z~WO~! E+0DXA(q VmVt;y"6n.T)Z.&x8H xU fg9cH6`ĿQ_yYŗbfiıjjAFHYS>'*B} euL-sɴ ?@cn\ka G.Np苘BGp[VR1}`Lۇ-op]=G܏Hm* ,jyZ6GR%Hג&DF91)9)klzR %R?q4X 5+f1ۍGUF9zӡ!2)(r !@`DZ.[GHĩX aNc׭0ʰYJ} T_xc7(f^DB/WJ6H]M߂)y62hYd2pi>AuQvʼKB8w_5%Z\86[8aNU";~mXIQ\Td,^& ~LG#rJ8'q.^ E=s~Q@H{u=xwF>r̻ (ƻC6 6qIV0؎lJISߍqx"ո)V;V W( Q>p O0Z[qzFp@.`B񢽹 *zVq_k"Lhf Xgi4JtZJ5\z~v@)+[B#@>X)! ɚvImFX\ ugQpx5%f}[SF{.]Q ΀]ylw-fgkD x_ӔcHY5dGqִsE#ű%s{IR'3u'-Fgj XgjS'V`1Vx/;A~X"(}}?֭{W;*%QyUclz*5vU0ŭ)W\Zj~]l+ssN) {zTkEF&D8^0}pD{N[,pފ8{,JKа(?^Ruj@lQm%'_`97p3 T k?Pл 04'h_Sp z 31rlA'k9#hxXɝٔM>O]Vj*-*5r Go=47?{|ڴ-Ϊ`{ ;}5݄ }\80v-?:> >ne i8B$M<3~'2ɋVXK^; |ڧjBYt'*\#PX ֚Q'ۭey.4D81nٽퟪq*\]y" z e[FC MႪq(\6WJV'.xǝo_/V#lecfZC"T9_+T:`03l,_{ <[•q=NZt(zD!qy(Y9SLtlh&XEb줺CWA;O<~YBf#|fL9^b=W↶[YJuS!7atq{́IFpIѕ5e3x=^BA+?\vedJ<;\\mSxQƷ[TbԔrC=U)-D8.%ߺBf„ zpLBw ݅cYԲԶ5w@$ntX)LOlB gy'nPgvy.\0UFBZ׊Yl(v^P*l{3U{7ZyT/l0cY^l.7M[,L&`p[e-k#Z^|F 7 v Xý2M5XDR\!)$I/4p#!ܬ&m0ƩCO :wE-xCwgb&ú0L٦0{tIP_NYx[VmPS]PISx!<0*H(5|dK-uW șmIg-Wݗnv_5OFvX0AUkMJ]RNۼ|kX|2z _>`cc"ݴ`\]AeCC/Y'kش2iM 1~XY)]deoF*UK2)\`\dxbI&iQ8 (M㬊̹|HŽXU w<'"pK?ߝZC*vyfn&%UwyС"h+1:|dY1%5>{D6C!rnZ=!oZEzDF*Is&Ol1Ǩƕ% K ="l 8w4q.NxH9.lwXˀU{"Mu: y{^XM:Na4L>eyzR;gס?/olEmǁ/k}жsxOeyoG>0k1A{S H[mVE[ +0xt֯`On!C[;W䅑C")?{ 7ۺ-<*S`0l֋@PZH.K)M>vxr ,OmY%aC)ԛm>%qY&eItlO.w|s]ܞ} |{t9OЩ^apՃ.p8.kBgM'8Nĕ#JkQxAЫ*#pgCk}< -*.E9*$IsuDX?5ɽZ^CKo"QO0L-oΨ .=S9!c#hI0HND!HXQ{0m=f_dPQֶء,9\?JkxQ٧5<ǧFFK #|ЁмI8e^;X;5qݥ.` }兰]S&qHWv?榆!nZ%Q(ˇ_Y2ڊ"IBMb8^ж+ڕM|ۚt%#tN;k4fޚx'6%ϣx%f,?aH13։U[bjgQ]y":$ ]+A'1Սfs`&Na')XrWkdS%jǣEm>ZAXo2 y߾gOʼns@׏ofV,[j|)wzReC Ff{{:"(աc1 3ZTK:BۭO3='uj}~L_͑>{81 *#znZ{ } ^6a6{ܩ!tamUBߵWWc6C}rkx5:mPSgw+Ҽ^b*lE`4UjRjtw7/!lܡ_9:ђ9 pFm3 IGȒÓʎ 2L֫E+*K:΢S{3ʗ듭Y~>✝llBv?>W[8,%TᐥQS72u00JR.NO3 oAAЊWvNc+z|9C'Wvs hYU ?-vTNYSM㭋lekc:˩qCo]Z@|#yh/VĻOw=6?5e!#WKr܈oHmF"$:r|]OmRP3^e .zH`Ir(A`JBğ;4͟reK[-`~^O"?8no%WNI )uƖN BG2*GhZ?:8,ajG(@JV'ܭ.[Ma]#L%$Ćh[33@Y -Vq~u5pj hit܃#"и^(F(V'Z]gLv( dS= 3YBE+4}):1'2}n.%L:^w7lmCv3fԬUiL4/MxK (vg4psE!hC73s"Y«3-lAȓ;5L "Iu`ړy;N,1!3r,νKgmW<2޳OYAn#d끠/oK>Z&0O՞P[TTk\uN(B0S NoZN9ΤDn$GV!#~ rn&M+hP]gH,&Q!twzH^6)b5fKV={+~9KJ UȺUBA1+R8G&6S?k)C <tilQVj֚kZ o D"9c~3OU*0ϕ_,0LE 2h f8iEg,čJ:8?"MKr̦tY@G}+%LkCׂ <{сϥ=A*=4){n̠mu#Idb 8LMݎ?>`GE.kQOy8~a\)JrпN@~ďp`l'պhC0cH䳶=rj5-YJ7zzPaaF+;ef]6>V9t &пC d{'$aRUʶi`EZYG{T̓x?GOu: nֽ Vz;Y>bh}b\$:rrS4o}+O${Sdv|ˋ=qF,Ih.3"өǼHjfo[.`kf ~$N*sm&>BU=CIz"Lg/>%Y3Xö/ -Ln~?iV&g g7ˋ1i] ,ނ*^LC*7ǏdTaw7ԟSZ6Mڂ(rӠA56#ÂR6tFCS#_y{jÈSiqa͢𿍸h4@y+bW e(!}m&q=fsNv"R^V?~v{C>"Jn`]fR}ƒ2n q_gpj|+rDRLY5#42Dxer/n_}aV!}DrC:억>TgD㺜a?417Y'Wݮ-)mV5qa@J}N~݊pھޗE_QVP8 |rMfhPpi{6ɗ6.HLk 2{+f#Bkn@0 C94I~% gk@QG@QSrM^2M/A\(I%= oA82)ݸ|y$I^gNtɃX{֕Tt#**-` o3ܠ i^V*ƩY)|FqUd8Dz6'LT.݇ǃH[#Xg3ʝ^Kv,vpS@{m5Cq'E<0F?{[&춷5}V\hq1mV 2d'Kx, K\|R9_^BFABb7EҸ?CA7ԸY<"Ƀ:oE.ub偉119 NQ^-zi9PHlI2'T_p2Z<_IAb7󥨴N^yQ~L*uDO܌v3qEw ZQ[xˇ=~&Jޥ4=2W]WDsP r 9e[CB@ڽ.TTr9P-IbsoDΰ"aXS꭭3&۾+HVF=Σ5TwMw *Fcas&-25o˔YETRDwbvʩnH!dsȗ1}`gY Xs -y`ɸ?U.n+),]"m_Ԭ6$ ^9<.qRPR^Ĝ 1ԧFX0xf3)_8/vj]N̟T@S#LzB%x2seߣ'efE^ӚȠ~%) 4^b^=Shߡؘ& 1W~XwqL{PHƽVПXB&E !ꅻyDٞߎ0!cUO{IC\l_q*pd}5Ƹ~84#$Z0UvJl`Vޥ]f~7?<&04Eu7-BBd5嫉Y)aMSz9ayQҽG$b6;W{rG\75VDB(Mxm \\R<)˾P ;տ"en/m(/q ػ:Fk ILl((LP^UI#("- W2;Jn`}`>8X|+y.tb*,xg yR%W'g肻hGn`3`Y4jBuXuݏ~f%2ŹD1[ ψi\Y 2_ԛJ4y@;Qj挚+/Zݏ}M|Tw"3*EuY:m:W MNB᫠j9: IHL$!.ޚ0ֻ_wcRܿ'+ vQUWc [T_duذ-wbYxo778/\ԯQy~JPN(z|*kDڢKq͛Cy- 7k9z:zik7цa~5<ɀv\PV8ę71M]<>aj<) G78 Xܯ^o>[]uVR[iQ{@1q~gHQT ȯ]92ȇ?-{`S@o21j1J!icn0G*Uk 3.&22eWH *wO(r{q!ooܻf>CU ǁ\HJ@vb$$}L7Ge}Q^Cf\b EbAS ᖩD*/6=@`R*?X(]H Q{ AU\Kt}yԤ޿"8aÅY{Ѷ.b(Y}d5 Na<0RXp/}p'ŗsqEo$o@EDMė=ZpΓod9A҈vB~xrKIa.~n0//wۥbq/UX+AE҂V9bSz5e: .фC\iz W0|W^La#d(ͬc[@\ڹn_ TB.OK.WɐL5THh&wֿ=,9["eM lpiQ#nnSNG4bE^0QloQA&g2GY&'vI blwLrj̧;ډ?Az_:rT霸Sk}{צšr)H=sg"Ef-gG;_#${( qS+HT(qggP7XL'[eNzrkG@B'v ['-4?XtFx?_N#Ճ #y]rydB<5<8jaDsUhUa?a Ic,#7@"0(Lа\ $[~&m\!*գCWYE>A\*-+s7LaQ|ATZvJ V,sjJ4uWl^Jseb>3M_Y؉\熀V\0M=٤мjD@}LX_D?GW;x54ЧfmS6bmCjY^{|ևɋ:]2 ƷÔ*yV!$2mr\{ď*Q'2u0'ȎZPk~8# Wveˉ$[nj9Oyivnk><̅_nr.q3c16nd+U4i%: lf}t1d\0.}96QDz(YwM4Sm[UU(ӿdw@ep?Tr.lvV,&g,kLid؃ L|3m:fw]8 *(^Զ Or\1ZD$xiGJo ?cyFu`1u-DEKH80nq9^4A=*BXVmk`)ηC7[^uM+xŢ坍6Wؽitv+R$ g؄ѭ,ǐEϏl+ אj Q `zee(QF L@}!s]js+8T%g: KR*s(ׇG%^ e&4>6|x9"5[}Kz6%AJK+w ܽi!^lʷY# [4O7RQp =.&12PP gC-*SV`E39\o8QyaX 1<zs=7V?$rSzC)V}j .O|{fSPX>E|¹x^\EO9GDM#;dA6 k5>  $ w-ZPO5P¢udQwnNYFy*TR=dZ QMxJwWB+_z=yUin~Ξ:Xjibs5Q1R~C "-H,s0eCW }/#XxF,pG)=kJ~)3̈ȣG߀:Q}d6R`gˎPlEy"ox3HYo,eDkx[U .),(a T\M^ܩmj2>!nP8c2pt[SH jγGHݵ 'tdmJ"_Y}v>8I'OTJ񯾎 ԷC.Ǡ[<X "U. 17jdb|3 #Yfdi ~j h^1 7`up">E$ yrI<cصYqOSY)\wtԑ d%o[\Ds&. <8ψ ;S ;0m!UTS]pI//ۓL;Sꪺ#jiN'(SFYD,`y{Ľ-B8 7'g^s`H/NWaͣ_zM~W,Dω\]`r3P"WpaΉQD~@+ePmmlJ,T'3nsJ(dp $FDI8>ӸBH*meǕSR Ԯ .9v_Q.,zSx@i7GWC], s4lH &>'t&VCu=I Į.FdPA2[l9_x"UMW}~wc4q&9}2)0IdQX&4$(.]rź?F~ZB>bwT(pDGVxt@k բ!7jX8xYR") 4&ԴN7f̹'/іRt5eH\γLvݬTQN`9W~=, zllV.*О a>oQ͒3fU+'ǥZ`XXESZ!&]˝e1Vd#x6?/轂+qU&9 e{1n!'@PK>Hkmx_xqɣ, NLʳ:#1 Ps IҫDMsB2ł "1Xtp>w(f>ˈ D7.bgdo|[*=aBV5? mU/ B.x)' +Wf@`gSUE>af @j ވη)ћlɸ' so~"NZ'I0_01ǜfZ%pOXm%!"ӏ=7ߌùlul5|HU]pԛ$N+R]%xe*۵VfuǸt9ԶOۤEj#c=R>~ldt+Rki9>\=o9 eb]CKB=5f;@g&zE>.BuV׹&H7ȱ^/BfirJ.m6Z#hYɣ̴ !Z껚B$4ݪj gL2}f:uH^.d}M ¾ vɒK,f0nO on5fgZ2=#K mCRw^4:$;jK2^M;_ԥ&G`֢+@91O=qY. Fl>i<.YM;v4EyyJnērj~&A`wM~ C#K޼ z5}@x L>[Fz$%hqIzO==y I!_lC!cs?ʅ##R1Y˜6O\AԦGJR3nb{x4·z3˭&vXOEvs^ԂZj_քJeuɿǔ;=%N3?K }X:p+8B3ir lB'z)恼>ב\'%`o^v:p<2k`xYN7UxL:ʮA<Pd?~q+ IOq0ZP(=UhІHwWw;ԻRf?bOXԇ[ s/Pnȉ/ItpT x< v1*ƥ OyJQΙy&jуƔ*rf.b1hmР DGbؽS3USsx3x+?*3>obv`lFQ&T5 ̄ch|p#_ǩF KO8uAGlmԊvWX[5oGA!T *b0 ;ݘd ԥtETvuF0H"Pv2[R U2 6x~WP\^]ׅ%6Fm,fXnkZmnS VsPmgN;a(M8m!+J&>MzN?d aL3D=8R6{g++٘O8b8l2!lrxuG!eVrFG)[7[l Eи7Q)dͬ*]C_#B5`c(ʊ&Z-DA͋揮ܔrsaF/2'M+P`T8#8M~̍'ڟ<6h!`I9aR `= {n I-e9 2/R+ƇBj *_?eiby#!aD>yz3鷷Xfa"VC ;DO91̥|p^UR8HޒGü8$>VDn2(nIr,Ңĥ@l6Y\eL%ʀ|8ɿ|zx׳}Y e[}/ZAJԐpX4>lSBwZ؋tRWrXw&&/)ROeRuBS|(WZs&6 1%RU}ik >#X? 3"Gc:B)*dvMX1g;uAgבL{E^B,:0M51-  8ʴ;T`SR$Ҕ;v=ׅ%|<h6F5Ku~9ؤNei⵿kˇCZ %{Z Lk8[ǻg@劈[5rY/4!wt$m1u!#-WzX}7wdv8U^V 1 u-peCi="G~ZYbB#mϧx܊N@:`9#Oqbyܹ xU|vy|?'glds'}Jw-1mV./0 vOU,wuS(PZ)N҈fXoű40xtqq(W eZښiԥT;_[8KsN_L|[cZS ׷K ?QrhX,x; C#zK2ɿ^GrX? R aܬ4k=eٺhh\XRpTfԇ1le\&E=Tw a)ZnYMqG2nrN!f 1( ?N )zc ) ܿ^tuHz2d%r֔$-]~4H@c oitWcyBc- 6xFt |ebb/j{t^r|Ñ,E%5n5J(`JWoD8jpOiJ[Hz5s ~,JpM PH_:Pg?R_ ~Wl8Jm %flVa+g&_~+5Եk+Ck ͌şśK|mf䮋:64ѰѓݻʎVӆzr.MDF,:[V5p{پ@h{yE&ȣ{ wR!n9]"=91Y|{[9}Q?-P3uCF%Tg$eiKGTuu=UYpG[M?'83SiBM(ڶOm.+ĀQBPmc9A!k rh,U~1숯Ϳx?),o6K3}D}>qaE<楮A۷nњFnrqZ(0Ӕ_)EI q (k%Vju Og1fť7Wn:=Sp^>q48''7R܃?J#τO6"ᚶ-KURXWdeZ`%sbbH;b ?ǣUdhv|<젏[k~T]#SԬ@'k%]@vk@}'pn̒LBK9s^+&kf+MC1o^eZ-|$vd{fHLnЌ .jV{54tH@,v\l(M/5 :I; 汽1rCd4^: .M'٫( nAbYb.n\sxvv_;*jGGvQYO!@uj1\Ul$m8Jіpu%#R!Xz+z(S N*H G}tCfwFmRUH Πr_#YRK3DT]Wycؔ^j}"ףx'I䜕Vr[ ?^h6bclD%Vx.?~v0u{;:%`JR9#+ 蝨Fn8pn1jB~@cE~a&z} $1z=Fj**e)yRuچjgc7"5%^BxA3r܀j%k?QUi>[Ƙ!=~o1$9bQC`Sǎ\rN!ֵK7[G=2*(~Cυ\jF:cxQ=@2h"[c]N\c=]ԁdsw&4f0 n-,e \w7Ql,|粻-{ӈ=OѭH{l[kۼ%neնk"~d赭dhôaL+nAEAU!^J3fb'ŰzeAQDG? *h9B^&W9&:[ 7^-q!.JRdĈ sX ёƼubLHF"64bdOaawiӯmO$m @ċT"e̬J~8a %5;tj]z7$||#Qt>b} ,wI )upRScA:"d" C_V /tx[R2a+^C,0vidT )3WVx6ٿXLb6ʲ r@ii;/wI%#gSBS~߁#T FX$E$3V>㲻z e0νirΡrɽ1btOċyMM duEŒC߇Zq Yo3K폈 `#5C[m|!7DWL6I)th~G#Sܿav/j;+u`_FCT+^Pԧ^EW֏nGukM^,軣WKx$#cu2ZM/U'0-Taod 'fsnXؐƬ7X|RUy+fk:Aj/~n ](h‚WyV$/)H N8+oB6h)D/m;ACЋ &1͹=O~G~ jtKCBˤPIM:[VKRRl×,ĭ% ٪ZRL2.&sj K:?Ԅi#8 [0HHEAOSz|Jot$/hRvDrH68nYi.6 %Y.(_޸Dוi# /آLiBJ׆*3KFpx\f1ΥiZaS~MZp…xAsxGJ^g+<QSq֣HQ[9E_XYNG? G)΋ܽNuE_zx@#?:0֌mby?B]*Pp qޭs Ο3Vj[=6^93@vx/_Yݢ[+iW4>?l&A o@A?&O Թ]A@߰aL};FwS_12T+.(WnA /.$U : ?=q6E$p 錜u~T8|Rݢ[SPݬ.is )4ЪXڮg)aηU?q;K5]y3Ļv[C7ڐkr&n)$0})teD@-u{}{ eÅ0^80g.ݓ?i+EvOO0{5tѱ.t۞(R+=xhq*kAKق7oH" tZ.y4btNB18Npu>n jY*#+~wXe%!(b- VA~F #{ &霽UIByr?7]72:Hζ 8TNi ޲{հE |eԷ_4BI*,}n+rFbΔ K0y<{9DjwkZŽ:SYL atE|ºvG%._CP7?37<+alF* [1hP8`KcO.tGyM*jQ<ޔa)X!lfj5"M<%*]e4Xĥ_s@?7L3=JCs ߟͪuz˅)&Ŝ*|%r ƿK0_wnlm2d-0֪^--MgƩjb#V6NVM|f5[n13ޣo"dMD|ӀEi7ͬPwkj9 ]=+ 2t͆*k&Q5fnA {hbj;k=% ..^YrF~&u[PtC Q+cs%hVɟ b U\2X*g7¨HJPLyl1V0*ELm6q6s^;NlW.ǜq|34"ĭ7J @pz2xd2L8ǜPv KYԜg/̤p 05,4d0p71M IjvMMO.25^Y؇j3khOvɔ(CqRB)қ냘;&)QRq?%`R(&F{J#P[)>fğz-.Ie*:9*llgV]iU$vDy`i](y[TuonX*w |kffpU[nv7j ѥ`dU .L,2)0I(r=P+!t7J"efEp㠮 j}>ObEɺq t`M?.?7ҏr{ byU1J IR9:$_Ύn|֩%󲣩d:v= x !JeC2(*{;쭠}B6Y5H)J8Z ʃH%l6&%~j#4I|f7 |939XM]_&|jb. J-,B]“Q\!Er iw&I=|1% z3(:fi)޽DVuΞsBR)UÇy`Esa?S:ՆxuAs%f {XL2k*)~g^;/.B"/{;j y2J jLsRedZSh:kl n; ~5_|h|PT¨C iR;0ݵh/ߠz_pG/枅']$|RЮ+ wMW 9ܿ&,WV̒"̜Z|tƜ'mԴʚHf[Ҏ2/"G|Ba3wi*wR3Q$hJI1Kb_ m qJ7\Z%83o0Cf:ACA8x*ƷD:`E@9X^l#&)@Uz8=E[l8 7(EݠV>')C;.E'՞Gڇz wrJ< )Wlӓ$GWMoSX:oߞRNg-OmHy}C%ŢJgcu@AZ) L^ V9y^Uk*()z1a2s#TV,)F.AyU0Υ.CJdQ\#({v!K&ĺZDzR)jMqՆhqJĚvԹ3a6mA[f ԡjDY^F5|NuTH9IӅlPP.{"8y:MB;~3 2( 9cMB4dMqWV6#[CI pE 4Z g+tĖi3}a߻t~3BYFAzphfIxGRFb١s DTP~jZC괤4 hT ?+qS~淪 YkR{/cِl{bc\Bg[37cG{]65YFL!?mOPZ⸭TRH'gxS^<H21%?xby$ǎ6A^_ ɕ)spItO |k, ,G@$@ۼE/W`ohah)I)k5QmJ)Vŷ K9 |zՍnorgsʧSmBT@餘A$1y[Z]Xoa0NutSGb&6siѢiՙ_>?E\a rrJԕ fĉ"rdp ;5`41mb>{e]0G{zTu ߸M$뙓0)&9dhSv`+o.ei̟qឺ%`Wq j7\?0J ݛßQZ7F-}IX"ɫ>;}vĬQd7@L)$?3!|Ҕ ϑ2@C8t8a?1:&$;.;eĢ!qeh3V ɶoC,Gzv=7DLAIe Z"" g-A>[گAh1qٹK d- :V}G$l$ >}6s]Nŋ}/!-Y9Io`)4k` +/TybABᗍv·> NgЇ(ˢ@+т!H hvE݈DC8y}>L)sOZ7/,_c(ٴZ dܰLw2S5oKka[(Z4q{Z5 hҮMck|ڏV lϰbۈFq~v6|0BK,Lg'A:^\ 7X '-񫀬$8ek9[7x5d5ˎWQ)+b$ɑ)JVS{i+@]Mbf\Ai 0d?{etf9ugx0FS`(gZ[[f:tswDͅu;LjChބka0?ґ48D½ik0 ('OP))qk,@e COQV1l4t H"!x)X9,;_wtV{p;^ e/@FMRкêK"I&ZO$/H64<=>⩬,gsȰ?/,M-k<țE30~( m3)+:p{8{SO|IWI3b;*(׊h7.wsLu,Zp}##9;3;gVŦ , n&2[ʇn꫋} 9"lY)aK4aHg{jnU|ÐSn)W\Ifؚgi/Ьs;ywWpĩ6$Te")%yc0TW$􄽓pDl+'Pv6fea Bdl[ 6dLgS +$ej t[br|*Z1a-O~/)$S0N2ܐ2*?|w.3,q{]Vл!oOj٢% 0܉:d+@'I=zn4|Y_S4iodu [vFYҟ&5O _- 7 `,;X2"xjެJw k!miPW$=4" ,3oyo͚G0[4sȠ ߒ?-coV ;#CX+N!4ŋʀ1v#ŐgPxF́. ŹiG_Ê4dрțR!*o`@p-7I}o(?ű ٚϰ!f5ۅ$w;BjOC=Z_C.m*1lE'^T-*Wkb3i?k%?ts=tIdI'\W il7>|RW!+ɒ>U^eIiZQ!S!bΦS1_ lrq Z4%:FUC\仸lS*K1/tL@e[3&w^pupBvj7~9SdK(Rs˜4x3A,wA>4/ -=GnLLmhD/O{7M8?Y*,KE2}U$ŪI㑃.T'B|}'0jfaW|pPHف듛eSk5&t)U EkZeIS1/$uGDٲcs_#,&MlPI [dUDIӹ*bt-._%..Dԫ #uBۤtɾXFu PG]ybjK՜h/t8ElhܭP/PMX`L, j҉ MdyZ| [Cw3rS!5#ΐ"z7}H;v}౿OO 43S .5j- bP,݄hq!x (#nAe <2hm^-uQMK&K5yj(z2=|rDT %o*JJԪ~: W&&eNdY\ZR=;7xDϜ|2DB8bo?c0s_SN6 &Sp,xx*Q\>zSUg ;bzoʍ@gM;r ^\p8`|m.k.XS?pd"yn"ȭj̎/z(Q\%:bTn6zɖ:\uc{D[f}0>+qɘyESZ^AUMkZ۴׭;=ɽQfŤ.vٸ-6(M1gAN$+U2@9 E<|9L˄^*Q>e9J9b;5Ao`".#\ǗHܞ(hŋɑ/2eNkn.OUGM'1Ӈ[x!05-: /䡻&[0@屪ˊPT;"-)Է z^08fC^UZWh( 3UZQvsmI{ J :`} 'b)E:PjMů.PDt3 O |Nڵ\2ëBF4 !=t8m$xgIZDhY `ľ),,XЧ1ˡiTU[@F,=˞;`3 PV9{Yhwe Ηye|Waci8tzRiPȰ,UeNKd2~t&+ٰj!. k7v296{M$Zi &j2T3W9n;2RML4$i!9Fwꖞ7SsG}E<3TWͤ @b%+?lIjpS$6soUo!,t?'7O6cUBGz|x@Lu9dǵxǩf,Cg3{LJG.]Z9}۵|ҼjTO\8=lEXbtspdŨ'ٱw'*c砱< 1o]S~Tf/q?|;&3{UT$Bp.|a[ noc3.UOotΑo~Y-mvP4h$)k;%h]g(Uv6-ri|![(E5p)_ڤ+LoV17Tqk_.$D[vN eUF,p@<%z3vA *WH9l 3TU90f?p&!/&i\\$ ~*dG{ 0|7t:V]/ TIu-d;%hzČ%\RTkҠDMFd tX>>$.\adcXӝ`欞zRC[{ i32(6ۓqu uD5}J.m$5K/-~hM4(3/!6 7DVC&@{F4$d5A| H>aS]M:8,hҪB .|"ٯ金LJAkWZU\uQ5kFu/lO:d2g=,%&Tðo}xlcb@rh<4t&jAFK uށ@h 0  ڮ939E@~[V|H2!=Bae?۾:ꂴ17\(C^cxJ$ Wm˹c?4*YCwԸPSmmxMKq~}t0MFZuHXިy G}Bߩ&%)xxaLz8=By9 & _:޿.%t !uNFԎM,ݚ [Pϧ9cfm0XsRbeJ?uNEȀPs[DawpA=I= `YM, _}IB|fxÍK8m+Ė| N'㨡cO ,ȃt oe?RƁb@xr ";RTIB !Kɨ?rPV'$grJ+W +t 3h9N_i0Wh\Rҩm k;'.tގ8'8cE#%jح%c 7qڤ@EXVA+x[ʶQ0j2}C Ϸe7nJ uqh4fJ^Mk35=K;Gdh"g>lDKN7YT E~0|A+?1Ҳn6GjbOsEt+RHtbŏIt?팥K^k<|OmɎԓ4ILCE*I'vRRw7[PٮϨK:#/.hǂ6`nndDqW*) gdp*~#nZdnǬNsB;ҹ^!;?_TD w(3"K!1?Z:%o? -o~+cM$K(V7(n9aZfJ+GX`)i̴+FӀX3ִft(~H|/{#_;UhźO,1_Jo]7֡X;Ex9qz> q~v101i90\f%{jV[)rk-Z*?־ӣv!~6UT@g.qdz8%c\_ 29TUՔ\vr^@Vh~J2> dQCL˶xS=ǖ2S0fTaYy ґm M5 kH{Hp,p}5Lp[AiUb3i^e1gZ>v/iNsjEwy#;C?6/v6ɕ<8t,:@EE՝8X T@+h|RU+z htv8]&w!ŵ3'q =s.xyuupox3#VqgI ֛UO'RyBi5_o` 9_aMQ5 z=bM^׺*g=\{@xL/C.=vC*γ.j+!'j+Jp԰98SjZE{n"JZn8.W*P4":"F*Z}x1[FcMnA8'%C;ܨhsO%`/;LA}ini5,2Vq!c9 Kg "Ko<*ֺ:s+|뙹\\Utݷw@K7?{NZGhG' 5Eª R"\Z0K#F'iGC%w(N[ޓr)Hl30@`>yd+nE 0}ANx{bljbJguؔ-L16zVwSU ʝĠp{W!yrrNq?p1'Qì^GlӤK43;e4"VC -~ @j:B97W=ԵwQRzRdJ/ۤт+ƱJ@lj>MP~F^J,rcE˪xǹ܁^qVdπO x/ufz")~d.x尖Aˢ]6=KuqO0H\1Mwj1}zd(; 9jIST7CJV8Z?0y50|3iյ"!o<"yc4EEKdENi°'Q]҄سOK&d`=7zdb ʚN\,|s@;C.x@vGд0 yL(fՍrl lz$~&D6mC;K.t&i+ w] ?dKo}l)Ia.a^K>i0J7rz`[ݻ{5L 'cHX*ƒUKvg8m)_gePsym+`5qd\x$PV#1;Rc ;1Sc-` C]%]!%Bё!.[f7lKSf~ .qrcyI'jiY1^[GH6+W33V\K'vrDW Q2l k& 9O7.ԝaD~B3ٶh8.NJJÅ/(܄Qf7% >Ixdeϻ)֎r[;:5uqIn*S;1H)fv!wt-Itmc PFM@2! 8e8ah7WxNHqQ6U)ke&B1Yh 21Dʮ ;Wb^mi h*lW;/]ilerw`RDf7,-,v|{'gt(C8M‰(YQW qjSX0[T@J]c hדQNQִh^wոȩXɛłc> *[ϋMmu~BeD[ F߫,WyZ.\mfPɹf/#~}oPuqQAL}OC(^o6W*.F\AQ-S4j02꤈vW>2U݋t<\ gˏUmB%R5ZƺD$9Vmn^ūRP@`I [GOUsg}o3`sClFWH6+R&B.-Z}'տ(A s]4nd6p?#1ht6r8fг~{2Yo=Y0O\s;sOT" KϴI[GhxosFpsմw=ͥ :bx.5cIy&7ϜMcgYqW4h&Buîpj"$v'ɾwH'b)U.5 Gx99] , HJň5G=9W]]L"y$_2? ֣=86y t[ 6 ]h% &!K_bNUT(vBX ˥bVvR禇4Zʤ4ZusP?+,1UqbP":{Rw4V W%gWN'(/Σrβ19HLRZER0J"_^u|ڲyt< 6nÛc9vܼT1*g"d!_ 匼3Ñ5CDOh-9?bF{ږ{TkKO) L` A:_uLSF!>NN٤P&V)7-rW@ml"m~@\fX -M'-`wubDiӏgyr:S2H' ԨaqNȖs\P )2?/6$QTRR\ r46%*>sXG_TR^pxVS$f蜞|cIxQ됷\Zjeӝך"|XI;H"^qS F $R= v;TqX40B5|e"z- ^]@\osEKYU6l CoZ7I@)瞧UDK *mkc^)hYݥF(Ytީ[e3&&Fʾ*~X(!617z}iJ\4HQ"Dn7f0ȥƽiژ϶H3zm#`FfrP_-jT;Ш;54T'YY޳KC;M[&Լ\YB]IAzF+J/!EѥiJo)+m6ֺL`;y3Л:|=r"13HaY)!OΠ.Z˧=JZ3 q> cnd<ƚHA=`ǻnZaMޖMgQb^wT;in13IeHLS,i։,䌝 l |uد%0=*Sl+:"kUf"d.)h(V'J2#P j{X*Pn_r ?~<ڄ:cW2{  :sA=PNywj:A6* :WaxNQB_[TϓFB7:hW o)I{@e2^dWRhjL5v`TI )D6jrSB.݅/?kP+~.b .2D #XN5;Vr00[Kslj']4Nʖx؆ |aL}JMBzTh&)erw{ <R .!(5J֎gχjw䐘Xœ龡Nn{hLOܦDgsD ( R0vw[||i\_O$Kzr-%L+jއ{`HO@ *fIopXO~n*bxg W7ׅZվ?rbpwfx;gnn?GWbL\#i[YcӗCdj~[T` f.&3/Kp{/z70x؂ZҾ`Ao?bs12fPkU3D"0dBbA;P4hk eH@[ &'Χ`-wCI nWe9Wn:Ivق<`[_`wŊREj;ٽIoSsub,J0s)yZn}ED{Xr&8YߌV/4"փ7w+w@n.{ ~G(jw*yWBǒC d*"y$LQ_Qn *r_kIyDFk[͚8qi{z@7SҢBU#a&l_zYQ#qw]I437y:p1,NjLv4>F݅G EM{s$aLE@Ɗw3x" %@~_a3%b7gbKo5fيE #P k_/}5 Ɔ0*#^9K9*=f0wl^k 쏷=Zޭ9=ZYYai)]?xT`y TIzk86cΎ%k8}˶W5&7M5+.yZk #LX2A::Qa^5!Tb^6} S}k@oWKoVl{DE#zf-;iNv[/_#Τk <;-.į־{&Zn UX! 8 ഌQjtXHNjj Tm#jPrW()mz&rTkhx#c͙+8e:VNz7 ;%餢"Vj}#K$oNjaG_X@`XUr z; o˭T_@gD& $q [KSf68A!뷥^8mcMIu꿗kG#/;w3X,|"߫k1Nܺ*0<5Y.s3*f c9Jb'/.p/2CXuCV!bzyACbq<< MlٍxZ0GOJʥ>a,f(ӧH_:ԬKV&ZV ڿH:¥7zL^Zr- ;( \<*A,HЄzM2/C|ƶ$vk0x@DUͫ 91QC+M+4TaSazD!rW|il",Bϲ vM+ihv= _L2Bq5@ .HĈ:“ʾ]oy2Yuۃ,Mu+8}*BPrEivYrZ~=g=M|=z'Smy]W{"验#N$]EҖ_:b0!Zm'+AMMJ a0XdX)k:ؠߒN5qb)3AXKYdfj kCc\nN~ վ%n/~TI(Z]VlxME Q%t?A&4`V^." W,Q~.g?do-',;/xAk6V$1'ꈔnS?!O{CB[L%6VxF-d CrhFN Sry| fd`eI:y$c0&Pگ.o+= }hMFa@ZOgv8Bdqn4Wh*|2 @Z%[-/)y0[ҽ0$ 8 …n:k, UGyqj(f__9iI^ x7J"J/g$K',~$ię\s!hڢE9/kX枚Á1 PA$k5)gh[7^F7yN~1_&6JޣuǎV.,<cBtU\fU\;r;QHAAUg'1m7i¼@Be=r.Φ 222zSx^'Oh^s,{a3c2\C2kG@FnIvOnaYd[7 {SWQeڪ ڵ HWGlrjl֘ c;Cc$}.|G՞6r{Vn{, x$Q./ P蛐 fƌ]V<˓4R]lsGYl&V & +'!CL/c; MA9+(I{7Goj36܁D:UZKGTRY#jV>u7xҿ]p/[76U >m?p0a:{PD%ɪfs52'1LpYbZl7޽V/w6Vө0 qZhB&:9zi% މB]&KzAq{?mL1E$sh̫v`.q]iJ+|tguG1grqK ŋT?˴ujtf7U\˞^1T[!0cBݼ!2yWm$nۂ̓Ag Æ}D.O󽮺n4?j:5lV&QbM 0pvY&eZhePXdb8N*t}~\pp _̴ߞWeFO!sCV@ɣ\ Y(xG㷔Af !0R)yݠ#+LrPб/P p}pRi q>alL.`rcC^{s@) ݅LcӥDO gt 0{r7_FFX<`Hc⇌[#P7a>qMj"NR ( Y@qw) Zua-`(WRo6HDY ]?Є7F٢l[ ̑r2au lcH ֠lV-j81s 5)p{;xbKlTYcԬ09cVvw0.,_9b7m@ܕ/;J!H}Hh?m :2MGx8􃎞1Q vR*"،%v[Xp@2quDs#iPWtWMս,X=q"9׫O_Ǡr^( 8^v1g1 zEz[V Ԕ2%2.t6~x"h{*rD;<{FDI,`dF=7|SWίA_)1b`5?N1(_%GQPbw)DwYG#iL{ԓk{>gu4kͅ\BB ~d, .ЪIX7 [}-H q沝yjs/AʒYk=?UL3G} Aj^ڻ |vSb@͐{9[)CkaU8 طB"),qM$iZ_~Jab<$Lg1(s>,٧<أ,`Dh<&I]Pt`$)r;ݮC0pOßl ς2SmxFV;vz6}qUYE F޳,OYw~B>˝Pr9~]4̜D?E"0xQ-3W A[WWO ŤLV%ɅNG%IYg֥S+w4s;ڐAne\b$ȚPBFc7Y4}ZS 't|g?Y< qo ޺SaWF|j~k_d3;O;AΛYcˬ "`GՌr]D`eHQ\[3piIkty=x9;;Kjˆ֎}( n&+IZRK MF9쭜?5yuϜ%OW$V!͑3< ݂zQOL8 A .}# xJvx2>a]zxMqf٤V:) fЄ0olggIGR,%]ȿ8]1r3 sKOЩktRQmĨH#RH\gI$HDb\(#@blX(Vs:%1 AY~Kehs֛E_hFx@H@6{$Xmε\G׶_sY: 3i*ku+ P}dyuu|]C;z}8ִOwO W{L\4u(`,FyL.h| G^Wi,}o9VP p ."qH~jϤaDEHqsy@qSQt8\JƔ 3h:Y(DrĈ)2X/`Mp6 &Y׊՟5, Œ pPv;6IL?O:*D"ߘrhc;GA{#c@F+'i81z|13E]bHf:XʗV;4U*dz7ρpXO@oR/Oyx[l*_ENQ.^3~R}7[|G[jWOs+zUzoC Nt#61?m[ kwQygaSw(P" l~d2eB4~zMQTclE,T y)\T)ḫ~1l7M27@{|xo72¸9CMQR;׻*g@UAy 7/X %FQ˘-@aªW} sXԞxrB+{! yZa =(ȗs*==nkAD/=, 3z=j.v,Y :7%22jNUO'aFGɜg\:޲:i6NA GD5E'j3mL/ &V wF"NCDyKb6!Ahu:K}:@ ZM>ŭ>9-hRU8޽ZmΥW\.Kߏ!w~5nAu]\OgbY^ͷzʥJ Y ˕@IlC$NriMe?\qO02A~?'[ CnT 7y}eM*/qz&Ap6$>K׻lQ :JE:&2rjAұ}CGb*2gi\jȣ)`>oD1m<~PN 8@K:dBa]3ۤK񤄒@!T5g| Q?Up}5^6_r^x2*N\ lW~J.B-nvլc`0 pᏓm **박eU21ɮCeL{:ܓJ?kA-atMNRˉۥ(%j;#`֫1R(yly~,f]ԡi#f,MIM-R"BHܧU;IQc5sMQvK4S 'EUȟ|WQ2֢ۦ8= \[+qy- Zײ'0&^t \JC"-ڿ)^OS*!,u䶌JN:e?WR-ĚZ{>"rR!mpnhMGc@CY<9:yO 70ytz^pf[[iuWTovB rv2~R?i WW *p.R6mtmmz2^Up-lUi؊!7+K~^yY%D/aػJ"I+HSr>H{A)jSeacby¡3+t8lVCp/Š7Npspǯ ÎEVXޖFQ|j̚t\4PR,iK,^av#Z8a]yW+St[){`{RY.2v ;V7X{-XqEUUԹx/ b(4xe#wȲ3 Gh܅B@U qTޟթu6 z AKpQOEMEdYxP6Vh6)iR{pmk 5TԞzwnI;aKD_$"i$J%2dpN6j@9aߑaԥ5(cY&EβLCj֔дͤx7m2J^࢓l5<厊.fupc9Ӗ >O!ZpmEhەP\btpۼNG{eHR=&DYͺfBt,_kɻC`׍{XeU63K5 xˑf%*K6.1T? +Ι;2FArM[@1$OYP-'T/9D5O"HcWm#)4޲Z:VŦj-[!jTଁ6Էѽ%[בM)#C;~X|R^A3F kG ~OXqr0E46vƯ1}=p"~M찚Hoexb6Y- {òT|%qOK,6/t6,AYA;/הcPAZ˛`9ɘ/jnA xu=5%9"G/QYB.Reϝ<}̦nR A h)= 뻦iUq;o}g,qu> }ŀl o^YLW@0iɚ`=IOϙRyi+lD=0My]MҞQ}+KGAqO5 g"IZ5 OtU8TkK%E Mp]_t%&ӵl{>IQ/Ba|+Ӄj A<4b>`$D '!2/i-'1~ w i~9N_(BcAZNٖƚ>9 2~d@P:h;B86 y?hԻ+$B%o'F[fi#%=i"N1(sUd<g $>ҦNW2+bq!KX,g"jJt߼aD> \EJhΖ=_Roz֥ hH99;"5ez00'k(#}1a{q)cW :D$Cl t%[ćk!cʶB ZsDFBL /->.=(ޮ/өXOtR=4)%z6Ieu!)3~9IbXcА eh/{ L K[-}OFc&vc mX[ j.vt=8704cwBCvdl$KeY$b6uúcJ $P2O>݈ΊU~yN:ې*(6Q~;k-YOk x2d#7ڤ+^W0o}7dc J=j+Lʱ˛}8@,Nӟm["\z][kJ :EJW 0cQ6p4qf# _=ÖPFXy2@Y{a!Xmlt?i,ELew1kN4@Z,~9ˁAA} bOOwO[811z WZs=%Sh455ƃ#w3,?"ӒL zRr_ˢq[٭[tڹ.J7wXe6mNFw hy( ,- 11VSe))pxh=}&|X[y֫Sz3Xw^(dԎ(  F;ƷC}Y8gE}t!>YHtp^'#М1C\84qGIIPe6afsݨK'~*N2){b%9 &뾧83眿a^ .#S 3eawbC%id"ig&MU5*JJ.KG>]/]߄ >ŀgv;Y%7!CHtR\zSkvj܇C$z߆ f`6b'^ֱY#s:ܲ4$K΍xFA۟`9Jgߔ̘;@L8 ,QY@ yᖑu˩tOk#`ޜ;&}=~,V 529$rQ Q|ۭRZCPA\(TS7nRD .ftO16WC>8h 6>Ek Xzr(w68Zk8LmyBxD[Y^P@4g/؄e> N;`6Ö9j &ÙD%v;]_\Q `N"&mhjvײr=9 NM5|cl1!C,2ʄ9BpKa1ʓ%LuX{n3 ʐ^,+hi:A`plF}]\k|[B/CdXYc&@A LT֟P[a?E/ /="`2Lu//w g$KR%jlX_Eʠu"GGI4RSm2B}Qk:*Q ?ds4͌ݪȣh<[vfBT# 3~-% V)jWn1vf%ȳYo1K)BjΔ|_;CwiҪri~ +jO8 t֭]Vh:`lYKWInxXy)1/-ZV\nB˄BoNWhQB 5ucᲆzErU w' Yp' |T;-0Ypg~h4Iwg!1myͺ:FoZ!]P]˝ е;;A`@}>-w9)g0ꃩR\Fw<>sĂ$1 &[ ;XGhF}׏z!f~0}ʞŧĞ᨝,CG(lr-k-Gؕ/{r{ս(˿6}(Y BKJg8~*-$d+)[lth`Y?7ˤ]!!~T)f|&ɁG2>c܏7#gp̡ 9"ۖ-T{W_\&(d"M<`qӈORlOp?كM"~>ҰuX(i"l#(H#S4hxmҒ@ YC~Ku CXL`*̖!@AgǻD%L)+S=kT8 $kL.]UԜܣW&S4#24h-(qϸH]Y_[7[6prYT#DmqDI=EWf kDgsuȾ6%`+ fCAm #|ZtsHxdqmp`\g s.}N CS^1h?%N |)9݄>Q BK\}c8!Kz^H8!%Zd.<:rdž&պETOr݄0 [ mD*#T yg֟lBk2P|"d]vlB52U4U=Ȅ15=$WvUtDQ B)\^(J\i瘞xo~ϟ_s[w ེ+ToYD5LkqH b|T9t;(5^ @oxѠmC7NQ}E~9/]䶱ٙXEͣJ"s.b[]*%xk9x Q%wB/R?Cx`3`tDsߏ7^[Vα=dKT5S^K%a M¢WDrQ4z;V寃fl}Kנp'ۭ\ߩT^GQY=kL,AJϣhm(3$=j/$*]$o13QbpIM[zep" اM9e+#Jr1s6 )xT?Dz#P-sEras~U(`9GY6vAv%)LQ)YPt@^zR4U3} 5eWg-hAGzx?Os SC@^ȱW $i)\fF3an>_s_BB~æO}SrIyRy@سލl52,&7 Q?1I7c H{?2YMnA{dЅ{*c[FhgJ$C任 6bv%J'nJO~2pATwA [c`m@109ݫN6)CZ8Xm{V5xPiդh95H͌j(f q3.n9@-Ʈ3NRxaSM' ҋ\W-bmqυZ:u-iٞnR<5ҕrjJ]'r?0ସЬu^g L5p7<@ mnagv]>T,.Gd66#6gi\<;'2!HSIƲ_5+lޟwnF1\hP1aNF&7M 9yj,܎ 6bHW{D;O4F[؁ŀ)F2;ά)PiQ95CM"  2>HQֺam)KLw֤;Ahq{FC$2BK 4R?Z|Hs55$xHZ|B?" IiH:enśr3'qDF ؠo 9id;-ͅ48tk/SzA)xZ};Tc8(jBfR@A2l gw:!ǷR|N6a|I̝(b0e1vmEͿ~]㜲';wS *X+][T 9nN[%b7NstJ!IzL` J)^ ~u m;PGm*3"ڢإC1J?Հ O\F_gs*ig`<UyL0{W )TEO{xpqrM/*r;pVWx3^I.^ѱc4哂;}(\cZ*+Z/&^L"Ԃ@̼v=pS5D%J0Ț++ xpT6i^ O'־LĘ0Q;zpSocld&2c LSUt΁s+=.[;qć"̗c(STPf骳`g|a ScAz=rŇH O]gE:*eI*e]v/Œ2Rbu7VaÚ Й8b! ^;w8ܘWacQ9ӏJY=^[L9p[9ۚL^QOD=dRz]iK4 vWp&?=uG[~jàPq>S0ƤޑHHrJm kL#%d;> |}BиNOw1e Z\T 'kBB3lEՖ!s"Kz.Rx%p+ED1DX"ÙuyٕT/?$@ »;?[#ryibS9$aZk޲Q[!Qfw,xZU)/R/jOTɀ.8޹dgk9:ނfp {nMƸmj}V@Gf<+揚즍)}T(DO5s% &%ⲉ:b̟~u87qN"0Y? %2]H'꣏n*33bZսE_-.N|Nkh"oiai$hrV]EC3'My5g:h`-rhnZrk/Qul@ݣ(CXv:Tfqс魈(0Z?i)-/*Puh!b%.$IeJgOғ!3lWJTc/t! LO>g4] ^VZ(Tι&# څ3G7isb6De2zQqԩefB|14,AQ"v k(ls*$*l'ҌtRAEkq[ @Q]Ns$膛9g%ʒcJ$=r1ЭXA?7z'sDk|k,^(p<ŠYMFi+B1 ha7.;]:H.>E<TPW_zMFhr#6jeOHHoJ\6K3<ފ#XΜ()LNG+'졫g2{Id r+Z`uW۰ϜrM Ϊ})CBU̧6s6D͡?VivPJ`DY|;R^3A #^ O #Ҫ΅bذ-=\\NOxm_t7ݝq;ǦiSuuguPH)*ѻnfgK4A\*U"x)x xZ(B_8Y8R5{#fb,Ҁ>qA4e}zJ>=OFJœcǵBQHgf(-ŜNhgB%8|%5GS-8YtZPutlpg ǴSMC'VYQ?F^cUfFa!a͢1!-ker>"av+=hyZC*X٥ޕF|w Ri0G_|aU$drOq5qH a-+faOj"UF4znaj@bv--k<8AKX%Hu(cv{d?wc;l[V}~ KvhȾN{.^9-y[B?uO؁pNv''peB1'|N/D*~GqC7xڌtuІAϚG| AR^J,X 9ɽs@Bfj {57s/zL#MX0ֶ!E C0K$鎆-iliooPkegEBg|yaitBEϤ6{'`yyy(>8[.慣[f;5ckI)]@)FS d=̞3eJ\vڈP"I[umzoXS\,T1(@Zkni*nM|´e?ʇC,? jg /%[F́:^ HE@?t$oq1p:$DA@CrP`9Z-LWP[.3`]eI Mj*F82'2 G$U `]pUw<7Umv)18C y6)$GRRՙ M\:`/pmN.SH {M[-Oo[o{ L*+N8Dw} (QQ13W7c9\|PWnl!n'H4tG$ FQݲP͙.DЧ *O^l ٺ,T LSIweN4&#.eO):uouS×+T6D% g9.7m5;Ug|l^we^VndHCXC4 x,_} +a+/`l\6b<ƒ_v8%0DVvvR'|\B? Sb#d |5Չ}{3Gj#0uBgk ?pi3m$#Qbt&PBs&BbvC]̼h#"*x]Y "M?[e{RC 4~P&py3Ƥ EĸevBKp1qz#xbh\}S7{"JMkFUSuxR*\NNLx8)` 4<G_ngS]ɍ$AqmD6zn=.зUᎠ!y*wOX.={ܗdw_nG$OC2qs~_#E(soh"b̰iC$q9_|GTL0~v2LS 5 +642ԋ2Ph;7CS~R\h {(d7>vBE ~p2{= z%U72NELm1Õ|$sw^&Vb$a7;Ȭk@h 컂Ora'}]%mUMiWѶ[K^&_ ctk Q0 F'_?l&[\ -YeOׂʊ*!ӵ0 ^[]c@ƨ4I4pUrH3 ]﨔|<57ToFVN҄8zps,Kw۴&B@ xaϮW^\TfDhOD$bKNyF Hf\=${4Bzvܹg/rJsd.o X [PC M%Λ|0>s,gt5YΘ~2b |qkh4h@olx]c.} >R#BԘ#&Q [ )5YdAGZ㦩yz5xΓQx̜okz9dr*$E)C^cy{+7h]yMX׼ж~¸rv@> AZk 09N<\ +#`cTiv~ҤzYZajS؊ՠq† Z`b 22fQ4M'FBSIHZ HoyZR*sCi|-E+ڢ>L|plSyUaP r?^(F,?Voa_f ufK/'Z#=$N؛rb7j~mv-q_ry8zNIzD] 32[|! A$R$`%Sy.!2UN 1,u@gn¹QNZ^I5A&uYbn %f.bK"p x8943c]`x2Y#[1nfT"nv$Y:Z;̝nzy[& 8m.JҚRo]i$˷nEт 9b^B YXĹ ; Nۥӓ^iZgfFRvGϘl;1 {ҬI_{NX-xM?\j3(^̧ G]B}wȀ! OǦU*Ku.Ɯ>GwR=aCln[;( qqWV#1\$p ޣJ-L.> zGMb#?. @qzڎh ')tA"}3wWV=!uopKEl,W?F޷+ V Ę,PT{:BuM-0>+x^EyF(6 @DUk~f%Nu4&a\=G2qM5SaIVDu<=22)0(S3b#x),AZ)xv6 NUsf[ ryq  PT͆tmE`+U=uӱ5_*Al1)jdw*5purzWBl]^-N:I`!F.U)T<)+ "*r(m0{3ߋWJ~3Iu Wj@q4b_-/}lh}j{XȀ>QXԮn^I68HתuXfY Q'}ySQۼ#ruP9@l W,{~p $=yEo`p9Hg.\*btm^ou,T56cK'\#Z39Kn`&H|4jє# *P,d &ϡ(P` *`B+?́:;I}捷Qe 5|y`k: *+N2 ,+FEekvɏ_p!.|75\2ŕ)a֐k!*j"\']`ߏkKPOQ,Rgw5qfz3b}ka"7 ZtР/%׫;cʣjh+XfwXe *6[ +w 屛q@y% I2:w-k+R[˕a:m'`=P똚77vp7LAQ5&3js(Ruu{cM&+tA09.VmWf4W8\n`POhP!~1d<>3[=mPwҾBGب ۢD=8GARi^Q]G-taK)޶o2]Mɮ Qǵ d/s`ߞIȺ1$XrYa,`?UxYtg*R4u@+%;+FV1R>G20R;4W|ЁMd@L$\svXP*Ĩ B[ʺ0!d v-r@}n -{  nV'V~˺ж[^I:mHV Soa,WIA4uŽ ^ QN0 ;Qw8UM] 47Bg Bj2I0J1Bb0vRҧ/)aKQk0F,ͦ,t3)H_V/;\8^r V;(pCz K^jUՏ3(s^ǷncL2e2D+7NOƿ44u)U2Um~ɝޫG#IĆB-WH[#ɲ YD=9jT|D29$8=`g@5A_阞ς_?YC,~?JX٘ul)5`Tlj%rժ7{ JXplj$8Bb/d;JWe݉C.وZ1}#`!Đ g[9ҹQ^\ @6IYķc/@f ARLZ''yVX`'r-H jFaYHQ*pxefĦfzx3=]{;k*gPl4v;uOkšT6.,q@`A萉J/3.&f&5ڊl<%yWP~KtY$8$`膌g$s5Kv3gȻ{=j;tJ.C+c 7k|'ˡJs<0w+9j9d HS&gk:-&2vxR77Ad6GcbUbp'& 9p@<^jSX&{܃TS.uا# I8{¢&u'Ԩ9hdClnش6LH=%vSҳ_XQȓ֞0VMA x4h.@(C8]A8~ͯ™&q5'r <ix'ֲx+l]Ѵ)Zh0O](Tml> SzGJ>5yK$1*n?D}Suo,6!0-tHw.0„6 w}>`?7ƋRMi^iQm=R:'nd=f'|oOȑL5׵iJ=-\'%O|Ib:NFehZT .:(ADaBn=-ߣ9tBX,ߛu({GzL&%9 a_IsdmaSHjf'wZ^e`2 EM$ t0%M<q|- fO`X(cClo mpQBU9 m1!ft`n_4;T ʷ[dbEc45LۙQU';*.U+{txzXq4s;%ߦ\ܛeEyu'*1gK~ $Q,X2BhmK Q 0(nj8km OȇF Cm\i}k(ᔓH-$KpDaCh΁O8\h".7 PR@;(K9RW=ks B,o$C|pX0}p͸xԍ U"_;G (Iuhra|#)(1&1ca+!eboVA]6=;ȍe9Ywbryu[n)" _^Xr]Lk%K_HѵtneIMCbUȸە~@MGNϮe*PXn5 0i$uvjjzcP:pENL\0{IBY7_P(W9}#a~Pv,?MCPˊC/U"J^q3:|Z?oy+>F>kъ}o?w oqVT {N @wbYI{A)uMuMl%#VQ%]"e)@YƶU8go9jN~Rd2,TȰ1ݳ#EV\-Y[eǒ^2ݚ " )%-mp_XM8KV)XUs{7x<`kDU+_!%&t9:ƍvɁk_l6RXUt5u~gq2=6|ŒPqQz =ax@< _2 $$#uveIŵ?ʁ ~NdLևe-_}€d+0ra5?jv:C 4a,=sfZn^ kGZT(vvJ6"ǐ62o7z$qZo8 Loj^Q&͋$ p dDx$8ı{pana[!!3tgnK8fU ?q=\#|(׮ ğYhUT74nʹ EV?b UÁxj'#| z]-~<y(: |1zs9iI;U)%>):bʨ"rqut {+|Ƃ M ^ŏ6}E$0zd[Өܽ'lJTQcryOK"%phJemv\w{G7F&˲I}fq\?_{ƺ=4wE5]4ӽUZQ 纲u1iVDŽjisIG{$2 @+޿ȅF,AԘ؎*5BeA &vJr=)Vf$) 2h N(㢗U{O.7w{{Ul&jįŏYofD_j3(-@wDʘsF!>&_z@OE,q/ L#Hd ϫr'&}#ڜ꥽ݺX[iz-&=g'8o5#35AA '@xs*,$@t7{ 6oL$?DZУ[O"*|Ƭ[~*pUES JXOI P@~+G@ݾZ[UhuKS:Z+ P&noaGɿa嵬j˔б1HEi}lMZw|90kZ7S`b,?-br=a gY!| ӊdd\!'0FisRJ+d}yx.â I"l]Ytaǡ#B%A8_r7]zNvh'D#L1,ﴑ(nB;XK$6'+̼wJ!HR`٘`9:{A,c'J%]srR^ t(XNR*BUcwT4͇7q'LiY39 -ގ[ZcBlRKj[\GuZF6 8ml\ R2s;u[ZAXUYTvCGosix !v:'5@|+P Xz[ m9s+߅ز;꾛092=0epc. Z6w^.{ k;{Y[=I>, ̔w:H FsCLnN n싿BC3g(Uԃo%aFu̢YULA3x ^`@Јz yz51˩怯@4 X+voXaK᠀3{SQZ圀p{&NI,ĤM̢?X$sVqkV7jFZܽFYavȶXDttH,׸-&^~сB=>{$,_P](x, *`ZhatDO~մ'D} ƚ$G-B#{=KW /R]c8b\숝 zH-GGjYȢE js㵤Qrڄ#hgXO(ȡRh$gy"Z%YFkl͎H bL#KpP uŎ6p9L0j }7_@='>ZUu7!YUeqk! Y!t/rWGU]F+n۰UǝOA- =ʢ&[J8HX4w* e}b"z같!0!mґG8m'uEo a6'Nrqi 0) z+@+tQ/,̵4`'* +:hl3q v(' λO5h|{DnRׁFRF6Fe~+3mHx +& Ŕnȴ\Qǐ^ .VLGlFWT*DGu|\anN1_oɿr2(Gӫ?+ϖlE +5l5[зo<_V(g֖XIz[GQK,]:7m4HzzI?[)Eby{Ζ\${euhg?9wц1<ږ^AzϗH+vz^ ;gK*Z:?P_yT;p({O:4\bSѪ`FgujS3 "1ϾsܡҕI 4&@g,k͆~}h]rW 7VQ;NMF,71ɺyB5;=^@Xw_kuۦ"R! p ,;h0XR r"Wٳ!%g{e`(m^We(0VRRp.vqyW$B#aEfx022-inC2JNpS? k!ҡU1fL CǧްB̄#q3.A֞J4]ϋ ={יqErڡ<ʳPRu0:Gxf$#0B\4 ԩYQ>K~|>Izh2v ݂L ,B3o#i Ok+9n8\۔En*݀r,z~opaȒX_qtO&ѰuZ̠m  N:j$,Zcn:+miq1am޷jC)Pi,Tl_ݡot>}C2j,}S4˗Cj4]Wߣ/A˟rL!E.,:A&AE_+0[؃cΟL;XHƞaX}9h+vS9LiB-I<%K>ctǎy=^Rtz~A 3* Nҟ>y+0#JN502U][*mjvi,1|K:>8*a[BKG3Ķǟ,E΄_z 0>aFmeo36\9ַ: @H +KS|6ΔztO;Lrі&h2, m9_F[;Lφ؟Ђvp}]qMe`Ö6%vS с( D>/ {Oe̮7wM#m)Xbs'fm>4N&xhyMk} 1FGĜ4`H@aI8HŻN9 ֕^5Li^hJYk+Lbeat4(_x󚆃1xIqIB @~s.K_# ׀X,o"K6T$yR`նj7=)6jgݦsžH%ʧ{M "{}>j:"Zd`|οm`wTfWF/{^D]^8tu\XJBݗ_̃zQu.\ ̄kq5Vlo J!v`s`'V.oMz+, +m0U$LG72S*!xؤjeUuԫ_ڭGB.pcgܱx Zb$fį? O BJ/R~fλ0kw.EM,sOvCքKyߎg#oTPDp]qAՇZVjcs@ϫVdž_k5bwoC f3e]meސXs 5fE0 FsMcv\fڏjY@P۾1ⲙ:23XELTN8[D@~k!uxNu${ 9t7l\ Pmœ9N;kyj]©{|خ w? )~+dޓIմ4|5)M5dbi?Mx߮~. ~ڪϧ 0quBZ[a~~WcgZ,sJ]*MbPKD7uO=R (m|eeFJ(Tޠ¹[[i!rlX:wf3Dr[yKK1;QSo'^G37n+_lFx|lW4,=aƀ߫p;F:3 mibͪ[&No<.m\0DEQp4v8$nDZ.D[e  P #Zޤ ĭd@Mlj.bm(.;1!"ɾD K`\vrAt`?F5kt|ȝpAccw>~2li<$4w8sG85F{8Y~p8!"! κ?}R= ۔!~̙m|^E$䒑6p_ hRH3e4Q֥\)œp-!BЙrm|A2%6_"ίb0"u&A9Y):里v ilv~}W6fbu'OHݩj 4Kἲ47p&?k &Sx0IzzЮS:wI"P Y D/b"OX<73y1SP#3ai>%?J_ocxC;233 fٮ^B@p4tu~dS䤁'f_u$!LZ烺"ҍ^ɖm(r0ă: )k-Gє{ \!8{SI{ri;:ie@zq'A?xʅ}grf_CY֑acDe1E4I uҝƪ_L@l h rtt\[_5<սVoŅS#tOUIغJ߉$2B+Y`=F=$v 26K6LmsY:l)e fATlO!CFvQX[C(n4yla^4o̤c ˹M4&QU̲ϝ,4ru["^щ1v~^}`MCb\>'N"do>duLI=QA! f1++$x>NuWڽG|B3ըn{:`ż)RqǡhQlY{@4nYvZlC=>^G#7}z'¼,A;GI+ @g4ЦLm_P4{UWD0K=۽g vt~U0II1?REbbO`0Op׊b}͍F94nY(3ÖF -x?}Z`pa򟒡:K` ӷy]t:N8 ^\z/bkIA,`-|R&]{u҄`n#~)@ðmB-HueR9`>-[B5ѿ8v OzBz@br׆s|Jr1DN; `֕-խ0a$z1C1E?U@R)wG +pP2_22L#\ l9M @M_Sa:S/G|j? HqcO ÏMtl|:l-R}F>f: au?+]| WhegEJ GfTwlδ>Ǫ(Bg^R܊J.SY>_,l4n<5 4Rࠨz 7{5ш4P=ϲ k3J\޻ '*UgvŒ\mFLe0 BN[laX0l?g6*ifR][~ܝhSqǓS;wQJ/+Gn㻀q׈<眯LV9JjL91΋q,/F=ehCNi:rS1P퉖 =\JNgjA7 uFa&RnY r.Іb`{('DڦC6 95\A}<`bO bvTB!_=fKܞ_>UJp&c:!TeceüVѽV!A SycU2d/xcXwYE BcY6ޝS9ЍbUkFu'M7]Q>𻕷/g&; Vc X=au6 i˹ s^\k!hk֯!-Mο2P*ȈX@\xۖؓxف1"B'&C n/O}q<;t_a)!_ sm+0pnM1})fFD*5NNIF JUs۴Q},J HIkf u=)c" }7F[T{Y5Yz>wQLW3eJ[/)Ew\!{ߤy\: -!¾ C6͢Ch5+P$*,+R K8M65pLfo=e9nF/0A9iyuqw ^$o]1oW E[I-/8<⹇,c?2*6>_7-u偻vy_/7_}X4N\jBMmpEZ1:pJ']b-u(ܬ^TGaAm ]cͣ7>Ai]aTykeFfOSX6Ц c'K@Cm**lO4z(>;4."+"mDێN*8Nz3;AWtlţ[QE8t`vs#/XHD _$+Ԩ|i$ۅiwO\+y "-3JwRq|l"T(m=Q5Yם^FFs1{/ #{%k֑+ iu>U3l;~`~s{mz˅N3`Z"d"oխ,0Њ%> e{ T"3HG 77<Iԕ,x3;a# ˋL yhOj?EMKcGn gc'7NtE{DN̽R5,Havh͵z4&t`Hwcg Ӌ^א J:*\lE>VBt&LD>k!_15I*cΘ,-j 0Uq|f 1fÚbY=(UKjOKpUf~q\9fg jZ*5YWRrIpƕr zܽP1Wڊ@G 9ogXXĆ$(o ]}m*]R$SSW=:ǝ}P젣P Js㠡`#83Ɉh$~(+*”}wXvAREwDҚeAjw@`#P Z,U}IOeuAOvp~Be^2~nme";C;yʞR0ӊkK=ㅸRXj$mtVG"=н9# {܆%э꫊z$Y>{^~F84n4;k!1{IJpjwVipٍr})#LG|Vİw> z=2y5mP.Оeb?s39s%XT ꥵXP#'V4p "C,QeBzxюИ̋aЗ?`qgmIϷ|"=9w-i1~+t(`|C+Gk_|"RA,.jdzTfҲ 6 ")ހf%11/:EK1:YC\Ew_Ig0L ˧BA٦YcoQb5n(dnEd0m; 4?d[<9<紶&-B({̆"Rvu~q+342)U%KsdNI;k?iNOFe3Mȗٱݕ+q^&P6X=όl{>[nNpYP< %mM_h>&q*}6^7%LO~.q p( "lJq󈚙)F#Ip ޣl+R}3fTNuLG)aqVN \K^̊MNz+J^7ʗi;myE.E&4w9,w1>GN8Wd^1Z[/г؆MkYOM$q)=`9 {QFbQisi@>AF5砛lP.H*S`J~$\ E0lBBXIU Kr~N(haTf횲jٜMh5b[~"Z5*TTDҪ4ЊAHx|V~ Fw&:]{#"/8s D~ƳdBv\.Dl*_V" ;7BX+Iɽ;3 aK-{X#KkM}XOB N 5(,VguVM1:4yfB+@ څ5oA :ĸ5D3m%JX;C\RU@_fqE&cfV‘eMd 1XX}gU!Qa4 ;3NrX51Clvfdx;.N1X+yz^] fLOB,ȧi-`zC% )&RZO=z!\ׁ$&xB k[ Z qj<ǝ)}yŦI@,}2Ӓ%L$ ܤx~@O5`u.bM`j "c_,lR4Vª4+!qfh>en0fۑn~qKp?|2vOxRӃQtOj)RIFsG %m&ﭟz`J#3c;P*R>ߙ 2+1}K>X9z2GbQ ~7w@VJ?% esvU_C._̦y \ CwVLH.P$}m}C ?[޵nO8AJF; PfP ?ݩ'ǛPr/5Mgy - W _W3ɋNs@ 4dԱ(!t |WRpe=8ӛ=gv959WXn˸ɠ3SNX*'n0yn1Lv T9mvfxNjҦ˱I-\/G}5Rʓ&yˋ5+d2CR@ARJNۓC*֮Q s!Pܘ~=QfH{15טB=ĉ{ճ O8:k"ia~e?vH*^$m:Lg 8',Do xr%j?B7Jg+ُPz͒oCouPZt:Ѷ/hbJV[]Kć9.xNhOظ8i7@BrǩӍ;}}j٪f$`+q YiX=%s5FC~؂zv %GENVb'iL`Iy`NRALYZ'/,N lYC&`/' f!lu6GajLv7صe5 L`ⵞz5Bvvq#5f"n_GGE{0W o@v`2_{Y/ȋAK CDHǵ1]:WQ63_#65-QjR9&=C# 佶U24Jѝ+7Ë3SYF3Q뚘=0ڹp"sRC/N#`!}#{ Wr 1 ƿ0u?M:KǹAAGH؋12LRϯO-)ٍfT0RlCJ5)Tcp "%km}l,A'Zн]V8xՒ@ kZTXi]nnegPbA,6j"疏I^5觱9Նpb"xK-$dh-E= wn%~։Ν>%uB$M'9 ȫG Vx`f?za=Y6׎@WD 9t4Psɋe= WF|KGEߐ'~p9+v>LW51(\n)fRs9* c(@LܐFP =5# J0խ@(5)w|/C2L\@ް$ CX|Mh8VOt&G)q$Νde9ք2Ul* y[Y=>:ɯiv|1΋i,m^@)uo3]o)%JQ@-0YL.I뇣u;?O? uAS ˓b^nMe_ߨZr5<'UJ2C'Ar}81n#a. vQOe? ojh#.(& B8:#G.WpNQ2[EggۤhtniLLhHpc xw(^RS4a$Q G6odI nKbC(tudqKVzI*#*!)8vx%iWw[L:c\tJ$)(.  MńDs3\ D野ij#-E'Rƹ1a]i1C¿i X;յSsY*# "Wƃ+_bmNj3 wMqomyVQqO ңspi$8z<0]D_Y6&d@7KI%[7&#Rɋ)ufAFQ$[OyGuujTDbõ™ >qv+e*y"ߕ6Ϟ9{ CwbsAR#zsשt/4 p\ Kۿ?z}-F ~N0?4+uz$}V`;߫A6^*%'G4 k IeKv4U*?nUVb`NPjQ sHaPVa e~ e~Qy+. k/@>ni w XwH3F%[P/ӲG.y.S{ZSA4 .ε'-UJcl\1RJ$.D9l݌Ciu84J2 ۮ}A?ݑgrZT6&Bbq(o߷ w9~hrCCX9wPW  cb>4weFBrgK$k2tTBg̻cLSAN:)א`{VEAo-mou𧔎hmp*HL<@%WDo&f!G/vZ }?B:}jʖڷhrE ׎srrDbֹyj'mx>͍֓s- TmdWعBN_[ް>~ц .Yߝ;&s9X'>CNVIol`DR<{߳'ч 7L.0>4z1=/ %gq;ciI&jnOٛԅCUz]|x\UL _6~>UP|)y?\lCL]i b;S2?3řܺqr#Qa@taK 4=IߢUI-pMoxۢLx(8y  B"%`]AH.'\(JG:F;ESw]@!S3#<1W`g8dX.%_P*RB2I,r|R<2dYga&QE̤ī5#Խo~ޜ)tμgՒ^FeCmk1R7?[x3`|x*y{PbvsJ;{Kg 54`L .rftG11 #1f%<&bAS'=(S8S+1ے%UG}'3иcJ߉{Pۆ%Ds%卜k4l*b=TSةb%7yJu|"lN'ᩎ%qale5ղ.$dRr ZxE9#C|@ 5ݫ(g6ٍz,b&sWWbGbwA|H;̶Ȼ{$c藏@8wӌNowX&/I٩2ύipjicA;c|ɜ=.L;YȄjTɭـ Eb@Q!M$vA$!>cJ=vq~]JqR'ߌ)EL {c8 /q@]ZsM˦U:1m?HdehUds m\&iY[mpX&LkfQ{b+, |>dj! ,D^O5u %+m*^mN#bYܫq1'| ;xV,e]{o` DNI%тh{$8j'L42ߛ uJ j;T}gIZ`t3&B 25/i&nلZG>,X1Uv_Lsq$Y^͜ ; ]Kɻۧy֥+n&bfQ/?&&ݺ3iaTHv ͅȌ\[a| 4?Ɛͦ _= ^BZoT&n Jz!NR~o?K({KӯL?=M vͧrlyI&>KQY-8=kdMF~E=_E[AC(P$ZۺY,lSCm˨Ȭv+wHډ =K2O/ڱPԋN5E?}#G f:v7_ůx&Q$$׷P7É/Sz BuiGCh3}4_Z(^UF!:Vj%/LEik;$1{N0 ;q::@Xm"Uq?4N+8]D!B mOaQfLO8!^ 3W5Zň֬<NS/c?1Bi[4нNnH#'vѭAmc%R.0MN'vzՑR9e 66#F`M<9"Co鯝Zq8,T=pӗ&18a?!"e/y^'Ւ\> ʉnRC4SPp#8Gk%e_̐œìt)t aUz E,uPfT= KOfCȂ"C "8zɭSPT 3⯇ka7Ff\H1.#=:Ho혶6N->'#)5*Gr o⭯ >)LPg\[Q;ahC `{P_ubUAnQR n 8Ckm1>~}Yah ivveY*n;: %1CGk&[m6{&{!yi晩;D=2;)˜EXzk2ZD0OR^$' @ OijvB|ŕIOX43mF=\KMϵ.O"wc2+1C@̊kÇR-2e{EØă`^roΡF9O|zMKcNa(˨bD*Wc'~q"diK\~r^l"sy(2mi`3MZ#X4>װGZzѝ>SGȗG`o cx">dSVK8N[_@]HglG5 wA\p3_JQcd" 1(*8c܊CZ`S|&CG'ا3;Wr#PV#4o{ؖEpt!H8~5u@3ȩiC7 {ݷ/6: Dy C!d}p_VbФm"EPQƧkr9ܰo+˘x.,I[`%bG03x_O.4ɏ,u|\5UVt @ 5( K65ɂ͎%5M6%,Jz"c[^lY*?4|tsLn2/iLWa096QEuns8 rrX^|=k-v pܑʯ^ 3ֽ7j-MkS'Q MEv 6O  8(eC܄8ej_A'~7m4]J<~[Cַ28'6""q#U:pytOt=sQ[Dݛ} l/;)CE-SKn[$>g2MF2~%L^q${FO[s?И&Y2ڔ$ f Eej8 ͻOBu-NNjvItCԊBS$b`cQ_*QDp)&俌{P)!gUy@wgih}+q*OI8=iPc7[&n;U^yq3QqL+i>M9j3"!ݯ4\*o%rF%\9z9Pz;:3%{b)Vz׌zyBkIg%N"EeYw^ٱN5Ѯ~Hx#/P/ڤTs{u!^L ,ecqE/hIKpb:4]]b:~,ke}y:4Э0L<*Ϫ0 XՄ#Af\C9 +}5.cߒ^ +9~\sa`-Q_lj/Vk!=Y~<1f$!ax@?UΕ)_?n.PGХ?|{kTNzKb٧AD *'ED C+j /^O"oa.fTEy%Mn:^UpS[m5*z w=+5=utovteQ'I3cbdA-cдKoܸ)ko(δΓe9F,[ ևiO z|})z@S?vρ1}Tgfbt#+g#\|C| G12}aNh!+ֻ\- ֭VAC&tOnVvJ &^PB9"cZV-hY.^A\thXn1,0{x-,˿䘕WN ӯYOP>=aNHvA4ҦV CV5&PjA,i6_gȎjNYuP8>l<ؒ8hvhOF>NKswojƚ08|$]Xl,g͒yAu[̪W ;Md7> V#ϸ9sTi?P c*@&x50od Füs8sKmu߻~e< k9m* X*fB>H-3Pف"`rg DW9x^eҭ]9Yy1 t]4h"Z pPL,[O]$0.V*0YxmBuɠ% #dHTR2.jꑾ4171)2@̟; IvL3T{u4BN5␌ǝqҾŚ:2F]-paѡ[14^w)ln@+ȼ \"HоC١ XZcL]96 fm%b|mXT~E ؠ eR:{!BH?0 =3% )ڤa*N}^F4.ז!NUOH,At ,nqB ݔo%J\\J.0Iөer r3Bznž?k胚H,6 n}f4is.eCv@+_u͆K{YÕQO fTv97mX !6ți@\ 0GY% K ,8T YqR^s ӫqԁÒC]pJ 1Uq!&0 耙 i2>:P)`e+?Bc2xvrtvL1LJQIlK/:-q;!-/\8cM !LJ$ss8v x{XNJY ,wʊ zoɴr`6nUU.]9wgQgw'{[AQV jX3uos"GFB Ǻo{7(!ıWsoE{+es ) fHg]6au5Ծv hyV. s!\-_?z8<×,58FsBPXh4R)* ķ6  J=EGܾ6rmHbg M}d >DaKv㼬RAZdoA=FEw9f" DѡY5aՁz)etniv3AsYe{Aϧ AGu)j[i7OA.byNyIhf߿vb ;'VF0S4 }Л!OʒH;lywE98gCV>~oC"ٵY: / u?^]#|&CFwUĪ9 Nv>{1*P^rD9σv^gK][c{uFGt5L<+vمV?RmCT[MkH-. @6AswֺFAy2 m3KHƲ$uLsaA )`JP.a@5/6)EV\*^>Om{N'@Tf0C 4~7^Pv3,A=UX7WQY8s_- 7ܸUiggA '8~.qqnf; R֒S1|RQV6<)sDd4jP'_w>4171#ӹvA`KdҠ?4Qؿ)E3 ]'u2;Dj +$Cc8tH bg]dkhcF׻'dbWXX.(sV HGt}Q/M.K ˡWbM{IoݬԥLm` MI@rѥbH,@ e57cuҞ/[Ju-Pp?-a1 ==I9v - $x0ǣ{ C*s<6kHv׽áuD鯎<4 *U޸q)ѯ-CD@\y(-Ͱ2y Eh^:[4HDm7NЈ٧ޅ> IEnOk`ۀthkoߍ_EB0{GaTZ'H{4Bdc|T%A#oU?M4ϖ{d! .}^Zuj(e+@k9?D#˯ǥ J[qOWn)(3ۛx/&!)ӍQ?S&{vq-&Z)C16c"\"%E%M]TIG_ёң>A`ft}֛F$E!̈$DeNJ2W RS % wHa瞙Pr*JӲdJWIekWM*AeEfKz:Ϫ(C^$ gk㨴ʪsi&W,g5Phub\e͢4TA}V$fAxY牶T5Uf<|'kRԋtmb;M [ø[؊ HV)iux7Fb +R^T%,Rcw5!uQ«5ύISZh^iR|>h0F_`<3VW뢮H?h/dej YW[ o.gqt=}'t5/nd0.SM'eHiFY<d LtLC,LZT<>E1gQW+V GK |vlU^]^;uoӠF{ X_BD¸~gH9 JkRBd :AL1IaVڼG>M.,i^p)Ejgf*֦t>nMOhxcb[LWjmzW;VξP{x0B grϱ㐢{ý7].xhޝbx7!bӃitҪ(ă^+~ 3:bbw6k_)'a\m'wu0 ~/glw7gZkl0ųl`~2aLL{0(<&l4RQ9 8:;٠Þ^V`JhU˂`|:2-dW=@@UG&*jуH3RTI0") eN$`B@jô49`]d%EbT@ޚXAw6u`l3TtJA#|>$\`d=Nnxx(L`BZ j"|&>Lx lrI N44t+6WմP 0CaUw9)*e:HU2a} Vb^jC)Ԅua-)EhA%Tj|-,mz+X }hV6|C1Tَ߀AUEѐb3r56?xd.*XFN`8! *~3hoY 3C>1AFٚXh 10ܖCiFѼs8m0ionHiZ{= 䣳E˜Kiv*;\UW"ˤ}\8ukL9BXw$}4D?"f i0 oA>d+/)v:?G8ΙU"=YΤ_t#1r;N<9/gnF`{aCgw$5ӔV 1E%m]G7)N݅=E&HCҢ&'`zvA;6o8 {M%}b~t|UevM."pjIM 70G>8q[m dUbJ&y̚aaU!PO+$67:P`BjǶ-;6ɇ7^dq5l(y4&: n G2;@i@n[(G!B\I& /.֖*k;IޅYWm%W\B{CGsw}<9TgC-yDظ><lIrQk%cn9-e qU֤f0|Gbc*woI-u LzD9qX\{H˯E.: ^5l#NWZF8-*j07070100000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000b00000000TRAILER!!!e#sg9~6I1