ipa-server-trust-ad-4.9.8-7.module_el8.6.0+1103+a004f6a8

Name: ipa-server-trust-ad
Version: 4.9.8
Release: 7.module_el8.6.0+1103+a004f6a8
Summary: Virtual package to install packages required for Active Directory trusts
Description: Cross-realm trusts with Active Directory in IPA require working Samba 4 installation. This package is provided for convenience to install all required dependencies at once.
Build host: x86-01.mbox.centos.org
Distribution: CentOS
Vendor: CentOS
License: GPLv3+
Packager: CentOS Buildsys
Group: Unspecified
URL: http://www.freeipa.org/
OS: linux
Architecture: x86_64

Scriptlets:

/usr/sbin/update-alternatives --install /usr/lib64/krb5/plugins/libkrb5/winbind_krb5_locator.so \
        winbind_krb5_locator.so /dev/null 90
/bin/systemctl reload-or-try-restart dbus
/bin/systemctl reload-or-try-restart oddjobd

if [ $1 -eq 0 ]; then
    /usr/sbin/update-alternatives --remove winbind_krb5_locator.so /dev/null
    /bin/systemctl reload-or-try-restart dbus
    /bin/systemctl reload-or-try-restart oddjobd
fi

# ONLY_CLIENT
if [ "$1" -ge "1" ]; then
    if [ "`readlink /etc/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then
        /usr/sbin/alternatives --set winbind_krb5_locator.so /dev/null
    fi
fi

Changelog entries (author - version):

Rafael Jeffman - 4.9.8-7
Rafael Jeffman - 4.9.8-6
Rafael Jeffman - 4.9.8-5
Rafael Jeffman - 4.9.8-4
Rafael Jeffman - 4.9.8-3
Rafael Jeffman - 4.9.8-2
Rafael Jeffman - 4.9.8-1
Alexander Bokovoy - 4.9.6-9.1
Alexander Bokovoy - 4.9.6-9
Alexander Bokovoy - 4.9.6-8
Alexander Bokovoy - 4.9.6-7
Alexander Bokovoy - 4.9.6-6
Alexander Bokovoy - 4.9.6-5
Thomas Woerner - 4.9.6-4
Thomas Woerner - 4.9.6-3
Thomas Woerner - 4.9.6-2
Thomas Woerner - 4.9.6-1
Thomas Woerner - 4.9.5-1
Thomas Woerner - 4.9.3-1
Alexander Bokovoy - 4.9.2-1
Alexander Bokovoy - 4.9.1-1
Thomas Woerner - 4.9.0-1
Thomas Woerner - 4.9.0-0.5.rc3
Alexander Bokovoy - 4.9.0-0.3.rc2
Thomas Woerner - 4.9.0-0.2.rc2
Thomas Woerner - 4.9.0-0.1.rc1
Thomas Woerner - 4.9.0-0.rc1
Thomas Woerner - 4.8.7-11
Thomas Woerner - 4.8.7-10
Thomas Woerner - 4.8.7-9
Thomas Woerner - 4.8.7-8
Thomas Woerner - 4.8.7-7
Thomas Woerner - 4.8.7-6
Thomas Woerner - 4.8.7-5
Thomas Woerner - 4.8.7-4
Thomas Woerner - 4.8.7-3
Thomas Woerner - 4.8.7-2
Thomas Woerner - 4.8.7-1
Thomas Woerner - 4.8.6-2
Thomas Woerner - 4.8.6-1
Thomas Woerner - 4.8.4-6
Thomas Woerner - 4.8.4-5
Thomas Woerner - 4.8.4-4
Alexander Bokovoy - 4.8.4-3
Thomas Woerner - 4.8.4-2
Thomas Woerner - 4.8.4-1
Thomas Woerner - 4.8.3-3
Thomas Woerner - 4.8.3-2
Alexander Bokovoy - 4.8.3-1
Alexander Bokovoy - 4.8.2-4
Thomas Woerner - 4.8.2-3
Thomas Woerner - 4.8.2-2
Thomas Woerner - 4.8.2-1
Thomas Woerner - 4.8.0-10
Thomas Woerner - 4.8.0-9
Thomas Woerner - 4.8.0-8
Thomas Woerner - 4.8.0-7
Thomas Woerner - 4.8.0-6
Thomas Woerner - 4.8.0-5
Alexander Bokovoy - 4.8.0-4
Alexander Bokovoy - 4.8.0-3
Thomas Woerner - 4.8.0-2
Thomas Woerner - 4.8.0-1
Alexander Bokovoy - 4.7.90-3
Alexander Bokovoy - 4.7.90-2
Thomas Woerner - 4.7.90-1
Alexander Bokovoy - 4.7.1-12
Rob Crittenden - 4.7.1-11
Christian Heimes - 4.7.1-10
Thomas Woerner - 4.7.1-9
Christian Heimes - 4.7.1-8
Thomas Woerner - 4.7.1-7.el8
Lumír Balhar - 4.7.1-6.el8
Alexander Bokovoy - 4.7.1-5.el8
Alexander Bokovoy - 4.7.1-4.el8
Thomas Woerner - 4.7.1-3.el8
Alexander Bokovoy - 4.7.1-2.el8
Alexander Bokovoy - 4.7.1-1.el8
Tomas Orsava - 4.7.0-6.el8
Rob Crittenden - 4.7.0-5.el8
Rob Crittenden - 4.7.0-4.el8
Thomas Woerner - 4.7.0-3.1.el8
Thomas Woerner - 4.7.0-3.el8
Alexander Bokovoy - 4.7.0-2.el8
Rob Crittenden - 4.7.0-1.el8
Rob Crittenden - 4.6.90.pre1-2.el8
Rob Crittenden - 4.6.90.pre1-1.el8
Troy Dawson - 4.5.4-5.el8.1
Alexander Bokovoy - 4.5.4-5.el7
Pavel Vomacka - 4.5.4-4.el7
Rob Crittenden - 4.5.4-3.el7
Felipe Barreto - 4.5.4-2.el7
Pavel Vomacka - 4.5.4-1.el7
Felipe Barreto - 4.5.0-21.el7.2.2
Felipe Barreto - 4.5.0-21.el7.2
Pavel Vomacka - 4.5.0-21.el7.1.2
Pavel Vomacka - 4.5.0-21.el7.1.1
Pavel Vomacka - 4.5.0-21.el7.1
Pavel Vomacka - 4.5.0-21.el7
Pavel Vomacka - 4.5.0-20.el7
Pavel Vomacka - 4.5.0-19.el7
Pavel Vomacka - 4.5.0-18.el7
Pavel Vomacka - 4.5.0-17.el7
Pavel Vomacka - 4.5.0-16.el7
Pavel Vomacka - 4.5.0-15.el7
Pavel Vomacka - 4.5.0-14.el7
Pavel Vomacka - 4.5.0-13.el7
Pavel Vomacka - 4.5.0-12.el7
Jan Cholasta - 4.5.0-11.el7
Jan Cholasta - 4.5.0-10.el7
Jan Cholasta - 4.5.0-9.el7
Jan Cholasta - 4.5.0-8.el7
Jan Cholasta - 4.5.0-7.el7
Pavel Vomacka - 4.5.0-6.el7
Jan Cholasta - 4.5.0-5.el7
Jan Cholasta - 4.5.0-4.el7
Jan Cholasta - 4.5.0-3.el7
Jan Cholasta - 4.5.0-2.el7
Jan Cholasta - 4.5.0-1.el7
Jan Cholasta - 4.4.0-14.7
Jan Cholasta - 4.4.0-14.6
Jan Cholasta - 4.4.0-14.5
Jan Cholasta - 4.4.0-14.4
Jan Cholasta - 4.4.0-14.3
Jan Cholasta - 4.4.0-14.2
Jan Cholasta - 4.4.0-14.1
Jan Cholasta - 4.4.0-14
Jan Cholasta - 4.4.0-13
Petr Vobornik - 4.4.0-12
Jan Cholasta - 4.4.0-11
Jan Cholasta - 4.4.0-10
Jan Cholasta - 4.4.0-9
Jan Cholasta - 4.4.0-8
Jan Cholasta - 4.4.0-7
Jan Cholasta - 4.4.0-6
Jan Cholasta - 4.4.0-5
Jan Cholasta - 4.4.0-4
Jan Cholasta - 4.4.0-3
Petr Vobornik - 4.4.0-2.1
Petr Vobornik - 4.4.0-2
Jan Cholasta - 4.4.0-1
Jan Cholasta - 4.4.0-0.2.alpha1
Jan Cholasta - 4.4.0-0.1.alpha1
Jan Cholasta - 4.3.1-0.201605241723GIT1b427d3.1
Jan Cholasta - 4.3.1-0.201605241723GIT1b427d3
Jan Cholasta - 4.3.1-0.201605191449GITf8edf37.1
Jan Cholasta - 4.3.1-0.201605191449GITf8edf37
Jan Cholasta - 4.2.0-16
Jan Cholasta - 4.2.0-15
Jan Cholasta - 4.2.0-14
Jan Cholasta - 4.2.0-13
Jan Cholasta - 4.2.0-12
Jan Cholasta - 4.2.0-11
Jan Cholasta - 4.2.0-10
Jan Cholasta - 4.2.0-9
Jan Cholasta - 4.2.0-8
Jan Cholasta - 4.2.0-7
Jan Cholasta - 4.2.0-6
Jan Cholasta - 4.2.0-5
Jan Cholasta - 4.2.0-4
Jan Cholasta - 4.2.0-3
Jan Cholasta - 4.2.0-2
Jan Cholasta - 4.2.0-1
Jan Cholasta - 4.2.0-0.2.alpha1
Jan Cholasta - 4.2.0-0.1.alpha1
Jan Cholasta - 4.1.0-18.3
Alexander Bokovoy - 4.1.0-18.2
Jan Cholasta - 4.1.0-18.1
Martin Kosek - 4.1.0-18
Jan Cholasta - 4.1.0-17
Jan Cholasta - 4.1.0-16
Jan Cholasta - 4.1.0-15
Jan Cholasta - 4.1.0-14
Jan Cholasta - 4.1.0-13
Jan Cholasta - 4.1.0-12
Jan Cholasta - 4.1.0-11
Jan Cholasta - 4.1.0-10
Jan Cholasta - 4.1.0-9
Jan Cholasta - 4.1.0-8
Jan Cholasta - 4.1.0-7
Jan Cholasta - 4.1.0-6
Jan Cholasta - 4.1.0-5
Jan Cholasta - 4.1.0-4
Jan Cholasta - 4.1.0-3
Jan Cholasta - 4.1.0-2
Jan Cholasta - 4.1.0-1
Jan Cholasta - 4.1.0-0.1.alpha1
Petr Vobornik - 4.0.3-3
Jan Cholasta - 4.0.3-2
Jan Cholasta - 4.0.3-1
Martin Kosek - 3.3.3-29
Martin Kosek - 3.3.3-28
Martin Kosek - 3.3.3-27
Martin Kosek - 3.3.3-26
Martin Kosek - 3.3.3-25
Martin Kosek - 3.3.3-24
Martin Kosek - 3.3.3-23
Martin Kosek - 3.3.3-22
Martin Kosek - 3.3.3-21
Martin Kosek - 3.3.3-20
Martin Kosek - 3.3.3-19
Martin Kosek - 3.3.3-18
Martin Kosek - 3.3.3-17
Martin Kosek - 3.3.3-16
Daniel Mach - 3.3.3-15
Martin Kosek - 3.3.3-14
Martin Kosek - 3.3.3-13
Martin Kosek - 3.3.3-12
Martin Kosek - 3.3.3-11
Martin Kosek - 3.3.3-10
Martin Kosek - 3.3.3-9
Martin Kosek - 3.3.3-8
Daniel Mach - 3.3.3-7
Martin Kosek - 3.3.3-6
Martin Kosek - 3.3.3-5
Martin Kosek - 3.3.3-4
Martin Kosek - 3.3.3-3
Martin Kosek - 3.3.3-2
Martin Kosek - 3.3.3-1
Martin Kosek - 3.3.2-5
Martin Kosek - 3.3.2-4
Martin Kosek - 3.3.2-3
Martin Kosek - 3.3.2-2
Martin Kosek - 3.3.2-1
Martin Kosek - 3.3.1-5
Martin Kosek - 3.3.1-4
Martin Kosek - 3.3.1-3
Martin Kosek - 3.3.1-2
Rob Crittenden - 3.3.1-1
Rob Crittenden - 3.3.0-7
Martin Kosek - 3.3.0-6
Martin Kosek - 3.3.0-5
Martin Kosek - 3.3.0-4
Martin Kosek - 3.3.0-3
Martin Kosek - 3.3.0-2
Martin Kosek - 3.3.0-1
Martin Kosek - 3.3.0-0.2.beta2
Martin Kosek - 3.3.0-0.1.beta2
Martin Kosek - 3.2.2-1
Martin Kosek - 3.2.1-1
Rob Crittenden - 3.2.0-2
Rob Crittenden - 3.2.0-1
Rob Crittenden - 3.2.0-0.4.beta1
Rob Crittenden - 3.2.0-0.3.beta1
Rob Crittenden - 3.2.0-0.2.beta1
Martin Kosek - 3.2.0-0.1.pre1
Kevin Fenzi 3.1.2-4
Kevin Fenzi - 3.1.2-3
Fedora Release Engineering - 3.1.2-2
Rob Crittenden - 3.1.2-1
Martin Kosek - 3.1.0-2
Rob Crittenden - 3.1.0-1
Martin Kosek - 3.0.0-3
Rob Crittenden - 3.0.0-2
Rob Crittenden - 3.0.0-1
Rob Crittenden - 3.0.0-0.10
Martin Kosek - 3.0.0-0.9
Rob Crittenden - 3.0.0-0.8
Rob Crittenden - 3.0.0-0.7
Rob Crittenden - 3.0.0-0.6
Alexander Bokovoy - 3.0.0-0.5
Rob Crittenden - 3.0.0-0.4
Martin Kosek - 3.0.0-0.3
Alexander Bokovoy - 3.0.0-0.2
Rob Crittenden - 3.0.0-0.1
Rob Crittenden - 2.2.0-1
Rob Crittenden - 2.1.90-0.2
Rob Crittenden - 2.1.90-0.1
Alexander Bokovoy - 2.1.4-5
Martin Kosek - 2.1.4-4
Alexander Bokovoy - 2.1.4-3
Alexander Bokovoy - 2.1.4-2
Rob Crittenden - 2.1.4-1
Rob Crittenden - 2.1.3-8
Alexander Bokovoy - 2.1.3-7
Alexander Bokovoy - 2.1.3-6
Fedora Release Engineering - 2.1.3-5
Alexander Bokovoy - 2.1.3-4
Alexander Bokovoy - 2.1.3-3
Alexander Bokovoy - 2.1.3-2
Alexander Bokovoy - 2.1.3-1
Alexander Bokovoy - 2.1.2-1
Rob Crittenden - 2.1.0-1
Simo Sorce - 2.0.1-2
Rob Crittenden - 2.0.1-1
Rob Crittenden - 2.0.0-1
Rob Crittenden - 2.0.0-0.4.rc2
Rob Crittenden - 2.0.0-0.3.rc1
Rob Crittenden - 2.0.0-0.1.rc1
Fedora Release Engineering - 2.0.0-0.2.beta2
Rob Crittenden - 2.0.0-0.1.beta2
Rob Crittenden - 2.0.0-0.2.beta.git80e87e7
Rob Crittenden - 2.0.0-0.1.beta.git80e87e7
Rob Crittenden - 1.99-41
Adam Young - 1.99-40
Simo Sorce - 1.99-39
Simo Sorce - 1.99-38
Rob Crittenden - 1.99-37
Rob Crittenden - 1.99-36
Rob Crittenden - 1.99-35
Jr Aquino - 1.99-34
Simo Sorce - 1.99-33
Rob Crittenden - 1.99-32
Rob Crittenden - 1.99-31
Rob Crittenden - 1.99-30
Rob Crittenden - 1.99-29
Rob Crittenden - 1.99-28
Rob Crittenden - 1.99-27
Rob Crittenden - 1.99-26
Rob Crittenden - 1.99-25
Adam Young - 1.99-24
Rob Crittenden - 1.99-23
Rob Crittenden - 1.99-22
Rob Crittenden - 1.99-21
Rob Crittenden - 1.99-20
Rob Crittenden - 1.99-19
Jason Gerard DeRose - 1.99-18
Jason Gerard DeRose - 1.99-17
Jason Gerard DeRose - 1.99-16
Rob Crittenden - 1.99-15
Jason Gerard DeRose - 1.99-14
Rob Crittenden - 1.99-13
Rob Crittenden - 1.99-12
Rob Crittenden - 1.99-11
Rob Crittenden - 1.99-10
Rob Crittenden - 1.99-9
Jason Gerard DeRose - 1.99-8
Rob Crittenden - 1.99-7
Rob Crittenden - 1.99-6
Rob Crittenden - 1.99-5
Rob Crittenden - 1.99-4
Rob Crittenden - 1.99-3
Rob Crittenden - 1.99-2
Rob Crittenden - 1.99-1
Tomas Mraz - 1.2.1-3
Dan Walsh - 1.2.1-2
Simo Sorce - 1.2.1-1
Simo Sorce - 1.2.1-0
Ignacio Vazquez-Abrams - 1.2.0-4
Simo Sorce - 1.2.0-3
Simo Sorce - 1.2.0-2
Rob Crittenden - 1.2.0-1
Simo Sorce - 1.1.0-3
Rob Crittenden - 1.1.0-2
Rob Crittenden - 1.1.0-1
Rob Crittenden - 1.0.0-5
Rob Crittenden - 1.0.0-4
Rob Crittenden - 1.0.0-3
Rob Crittenden - 1.0.0-2
Rob Crittenden - 1.0.0-1
Rob Crittenden 0.99-12
Rob Crittenden 0.99-11
Rob Crittenden 0.99-10
Rob Crittenden 0.99-9
Rob Crittenden 0.99-8
Rob Crittenden 0.99-7
Rob Crittenden 0.99-6
Rob Crittenden 0.99-5
Rob Crittenden 0.99-4
Rob Crittenden 0.99-3
Rob Crittenden 0.99-2
Rob Crittenden 0.99-1
Rob Crittenden - 0.6.0-2
Karl MacMillan - 0.6.0-1
Karl MacMillan - 0.5.0-1
Rob Crittenden - 0.4.1-2
Karl MacMillan - 0.4.1-1
Karl MacMillan - 0.4.0-6
Rob Crittenden - 0.4.0-5
Rob Crittenden - 0.4.0-4
Karl MacMillan - 0.4.0-3
Karl MacMillan - 0.4.0-2
Karl MacMillan - 0.2.0-1
Rob Crittenden - 0.1.0-3
Rob Crittenden - 0.1.0-2
Karl MacMillan - 0.1.0-1

Changelog text:

- ipatests: Backport test fixes in python3-ipatests.
  Resolves: RHBZ#2057505

- ipatests: fix TestOTPToken::test_check_otpd_after_idle_timeout
  Related: RHBZ#2053024

- ipatests: remove additional check for failed units.
  Resolves: RHBZ#2053024
- ipa-cldap: fix memory leak.
  Resolves: RHBZ#2032738

- Don't always override the port in import_included_profiles
  Fixes: RHBZ#2022483
- Remove ipa-join errors from behind the debug option
  Fixes: RHBZ#2048558
- Enable the ccache sweep timer during installation
  Fixes: RHBZ#2051575

- Config plugin: return EmptyModlist when no change is applied.
  Resolves: RHBZ#2031825
- Custodia: use a stronger encryption algo when exporting keys.
  Resolves: RHBZ#2032806
- ipa-kdb: do not remove keys for hardened auth-enabled users.
  Resolves: RHBZ#2033342
- ipa-pki-proxy.conf: provide access to /kra/admin/kra/getStatus
  Resolves: RHBZ#2049167
- Backport latest test fixes in python3 ipatests.
  Resolves: RHBZ#2048509
- Removed unused patch files that were part of 4.9.8 rebase.

- Revert bind-pkcs11-utils configuration in freeipa.spec.
  Resolves: RHBZ#2026732

- Upstream release FreeIPA 4.9.8
  Related: RHBZ#2015607
- Hardening for CVE-2020-25717

- Fix S4U2Self regression for cross-realm requester SID buffer
- Related: RHBZ#2021443

- Require samba 4.14.5-13 with IPA DC server role fixes
- Related: RHBZ#2021443

- Add versioned dependency of samba-client-libs to ipa-server
- Related: RHBZ#2021443

- Hardening for CVE-2020-25717
- Harden processing of trusted domains' users in S4U operations
- Resolves: RHBZ#2021443

- Hardening for CVE-2020-25717
- Rebuild against samba-4.14.5-11.el8
- Resolves: RHBZ#2021443

- Hardening for CVE-2020-25717
- Related: RHBZ#2019668

- ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL
  Resolves: RHBZ#1982956

- man page: update ipa-server-upgrade.1
  Resolves: RHBZ#1973273
- Fall back to krbprincipalname when validating host auth indicators
  Resolves: RHBZ#1979625
- Add dependency for sssd-winbind-idmap to server-trust-ad
  Resolves: RHBZ#1982211

- IPA server in debug mode fails to run because time.perf_counter_ns is Python 3.7+
  Resolves: RHBZ#1974822
- Add checks to prevent assigning authentication indicators to internal IPA services
  Resolves: RHBZ#1979625
- Unable to set ipaUserAuthType with stageuser-add
  Resolves: RHBZ#1979605

- Upstream release FreeIPA 4.9.6
  Related: RHBZ#1945038
- Revise PKINIT upgrade code
  Resolves: RHBZ#1886837
- ipa-cert-fix man page: add note about certmonger renewal
  Resolves: RHBZ#1780317
- Certificate Serial Number issue
  Resolves: RHBZ#1919384

- Upstream release FreeIPA 4.9.5
  Related: RHBZ#1945038
- IPA to allow setting a new range type
  Resolves: RHBZ#1688267
- ipa-server-install displays debug output when --debug output is not specified.
  Resolves: RHBZ#1943151
- ACME fails to generate a cert on migrated RHEL8.4 server
  Resolves: RHBZ#1934991
- Switch ipa-client to use the JSON API
  Resolves: RHBZ#1937856
- IDM - Allow specifying permanent logging settings for BIND
  Resolves: RHBZ#1951511
- Cache LDAP data within a request
  Resolves: RHBZ#1953656
- ipa-server-upgrade is failing while upgrading rhel8.3 to rhel8.4
  Resolves: RHBZ#1957768

- Upstream release FreeIPA 4.9.3
  Resolves: RHBZ#1945038

- Upstream release FreeIPA 4.9.2
  Related: RHBZ#1891832

- Upstream release FreeIPA 4.9.1
  Related: RHBZ#1891832

- Upstream final release FreeIPA 4.9.0
  Related: RHBZ#1891832

- Upstream pre release FreeIPA 4.9.0rc3
  Related: RHBZ#1891832

- Remove ipa-server dependency from ipa-selinux subpackage
- Related: RHBZ#1891832

- Upstream pre release FreeIPA 4.9.0rc2
  Related: RHBZ#1891832
- Synchronize spec file with upstream and Fedora
  Related: RHBZ#1891832
- Traceback while doing ipa-backup
  Resolves: RHBZ#1901068
- ipa-client-install changes system wide ssh configuration
  Resolves: RRBZ#1544379
- ipa-kdb: support subordinate/superior UPN suffixes
  Resolves: RHBZ#1891056
- KRA Transport and Storage Certificates do not renew
  Resolves: RHBZ#1872603
- Move where the restore state is marked during IPA server upgrade
  Resolves: RHBZ#1569011
- Intermittent IdM Client Registration Failures
  Resolves: RHBZ#1812871
- Nightly test failure in test_acme.py::TestACME::test_third_party_certs (updates-testing)
  Resolves: RHBZ#1903025
- Add IPA RA Agent to ACME group on the CA
  Resolves: RHBZ#1902727

- Fix requirement for python3-kdcproxy, add no autoreqprov for ipatests sub package
  Related: RHBZ#1891832

- Upstream pre release FreeIPA 4.9.0rc1
  Resolves: RHBZ#1891832
- Requirements and design for libpwquality integration
  Resolves: RHBZ#1340463
- When parsing options require name/value pairs
  Resolves: RHBZ#1357495
- WebUI: Fix issue with opening links in new tab/window
  Resolves: RHBZ#1484088
- Use a state to determine if a 389-ds upgrade is in progress
  Resolves: RHBZ#1569011
- Unlock user accounts after a password reset and replicate that unlock to all IdM servers
  Resolves: RHBZ#1784657
- Set the certmonger subject with a string, not an object
  Resolves: RHBZ#1810148
- Implement ACME certificate enrolment
  Resolves: RHBZ#1851835
- [WebUI] Backport jQuery patches from newer versions of the library (e.g. 3.5.0)
  Resolves: RHBZ#1859249
- It is not possible to edit KDC database when the FreeIPA server is running
  Resolves: RHBZ#1875001
- Fix nsslapd-db-lock tuning of BDB backend
  Resolves: RHBZ#1882340
- ipa-kdb: support subordinate/superior UPN suffixes
  Resolves: RHBZ#1891056
- wgi/plugins.py: ignore empty plugin directories
  Resolves: RHBZ#1894800

- SELinux Policy: let custodia replicate keys
  Resolves: RHBZ#1868432

- Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations
  Resolves: RHBZ#1870202

- CAless installation: set the perms on KDC cert file
  Resolves: RHBZ#1863616
- EPN: handle empty attributes
  Resolves: RHBZ#1866938
- IPA-EPN: enhance input validation
  Resolves: RHBZ#1866291
- EPN: enhance input validation
  Resolves: RHBZ#1863079
- Require new samba build 4.12.3-52
  Related: RHBZ#1868558
- Require new selinux-policy build 3.14.3-52
  Related: RHBZ#1869311

- [WebUI] IPA Error 3007: RequirmentError" while adding members in "User ID overrides" tab (updated)
  Resolves: RHBZ#1757045
- ipa-client-install: use the authselect backup during uninstall
  Resolves: RHBZ#1810179
- Replace SSLCertVerificationError with CertificateError for py36
  Resolves: RHBZ#1858318
- Fix AVC denial
  during ipa-adtrust-install --add-agents
  Resolves: RHBZ#1859213

- replica install failing with avc denial for custodia component
  Resolves: RHBZ#1857157

- selinux don't audit rules deny fetching trust topology
  Resolves: RHBZ#1845596
- fix iPAddress cert issuance for >1 host/service
  Resolves: RHBZ#1846352
- Specify cert_paths when calling PKIConnection
  Resolves: RHBZ#1849155
- Update crypto policy to allow AD-SUPPORT when installing IPA
  Resolves: RHBZ#1851139
- Add version to ipa-idoverride-memberof obsoletes
  Related: RHBZ#1846434

- Add missing ipa-selinux package
  Resolves: RHBZ#1853263

- Remove client-epn left over files for ONLY_CLIENT
  Related: RHBZ#1847999

- [WebUI] IPA Error 3007: RequirmentError" while adding members in "User ID overrides" tab
  Resolves: RHBZ#1757045
- EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in freeipa-client-epn
  Resolves: RHBZ#1847999
- FreeIPA - Utilize 256-bit AJP connector passwords
  Resolves: RHBZ#1849914
- ipa: typo issue in ipanthomedirectoryrive deffinition
  Resolves: RHBZ#1851411

- Remove ipa-idoverride-memberof as superseded by ipa-server 4.8.7
  Resolves: RHBZ#1846434

- Upstream release FreeIPA 4.8.7
- Require new samba build 4.12.3-0
  Related: RHBZ#1818765
- New client-epn sub package
  Resolves: RHBZ#913799

- Support krb5 1.18
  Resolves: RHBZ#1817579

- Upstream release FreeIPA 4.8.6
- New SELinux sub package to provide own module
- Depend on selinux-policy-devel 3.14.3-43 for build due to a makefile issue in SELinux external policy support
  Related: RHBZ#1818765

- Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit
  Resolves: RHBZ#1790663

- Fixed weekday in 4.8.4-2 changelog date
  Related: RHBZ#1784003
- adtrust: print DNS records for external DNS case after role is enabled
  Resolves: RHBZ#1665051
- AD user without override receive InternalServerError with API
  Resolves: RHBZ#1782572
- ipa-client-automount fails after repeated installation/uninstallation
  Resolves: RHBZ#1790886
- install/updates: move external members past
  schema compat update
  Resolves: RHBZ#1803165
- kdb: make sure audit_as_req callback signature change is preserved
  Resolves: RHBZ#1803786

- Update dependencies for samba, 389-ds and sssd
  Resolves: RHBZ#1792848

- Depend on krb5-kdb-version-devel for BuildRequires
- Update nss dependency to 3.44.0-4
- Reset per-indicator Kerberos policy
  Resolves: RHBZ#1784761

- DNS install check: Fix overlapping DNS zone from the master itself
  Resolves: RHBZ#1784003

- Rebase to upstream release 4.8.4
- Removed upstream patches 0001 to 0008 that are part of version 4.8.3-3
  Resolves: RHBZ#1782658
  Resolves: RHBZ#1782169
  Resolves: RHBZ#1783046
  Related: RHBZ#1748987

- Fix otptoken_sync plugin
  Resolves: RHBZ#1777811

- Use default crypto policy for TLS and enable TLS 1.3 support
  Resolves: RHBZ#1777809
- Covscan fixes
  Resolves: RHBZ#1777920
- Change pki_version to 10.8.0
  Related: RHBZ#1748987

- Rebase to security release 4.8.3 (CVE-2019-14867, CVE-2019-10195)
  Resolves: RHBZ#1767304
  Resolves: RHBZ#1776939
- Support KDC ticket policies for authentication indicators
  Resolves: RHBZ#1777564

- CVE-2019-14867: Denial of service in IPA server due to wrong use of ber_scanf()
  Resolves: RHBZ#1767304
- CVE-2019-10195: Don't log passwords embedded in commands in calls using batch
  Resolves: RHBZ#1776939

- Use default ssh host key algorithms
  Resolves: RHBZ#1756432
- Do not run trust upgrade code if master lacks Samba bindings
  Resolves: RHBZ#1757064
- Finish group membership management UI
  Resolves: RHBZ#1773528

- Update dependency for bind-dndb-ldap to 11.2-2
  Related: RHBZ#1762813

- Rebase to upstream release 4.8.2
- Removed upstream patches 0001 to 0010 that are part of version 4.8.2
- Updated branding patch
  Resolves: RHBZ#1748987

- Fix automount behavior with authselect
  Resolves: RHBZ#1740167

- extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT
  Resolves: RHBZ#1741530

- FreeIPA 4.8.0 tarball lacks two update files that are in git
  Resolves: RHBZ#1741170

- Allow insecure binds for migration
  Resolves: RHBZ#1731963

- Fix --external-ca-profile not passed to CSR
  Resolves: RHBZ#1731813

- Remove posixAccount from service_find search filter
  Resolves: RHBZ#1731437
- Fix repeated uninstallation of ipa-client-samba crashes
  Resolves: RHBZ#1732529
- WebUI: Add PKINIT status field to 'Configuration' page
  Resolves: RHBZ#1518153

- Fix krb5-kdb-server -> krb5-kdb-version
  Related: RHBZ#1700121

- Make sure ipa-server depends on krb5-kdb-version to pick up right MIT Kerberos KDB ABI
  Related: RHBZ#1700121
- User field separator uses '$$' within ipaSELInuxUserMapOrder
  Fixes: RHBZ#1729099

- Fixed kdcproxy_version to 0.4-3
- Fixed krb5_version to 1.17-7
  Related: RHBZ#1684528

- New upstream release 4.8.0
- New subpackage: freeipa-client-samba
- Added command ipa-cert-fix with man page
- New sysconfdir sysconfig/certmonger
- Updated pki_version, certmonger_version, sssd_version and kdcproxy_version
  Related: RHBZ#1684528

- Fix upgrade issue with AD trust when no trust yet established
  Fixes: RHBZ#1708874
  Related: RHBZ#1684528

- Require certmonger 0.79.7-1
  Related: RHBZ#1708095

- Update to 4.7.90-pre1
  Related: RHBZ#1684528
- Removed patches 0002 to 0031 as these are upstream and part of 4.7.90-pre1
- Added new patches 0001-revert-minssf-defaults.patch and 0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch

- Remove strict dependencies to krb5-server version in order to allow update of krb5 to 1.17 and change dependency to KDB DAL version.
  Resolves: RHBZ#1700121

- Handle NFS configuration file changes. nfs-utils moved the configuration file from /etc/sysconfig/nfs to /etc/nfs.conf.
  Resolves: RHBZ#1676981

- Fix systemd-user HBAC rule
  Resolves: RHBZ#1664974

- Resolve user/group names in idoverride*-find
  Resolves: RHBZ#1657745

- Create systemd-user HBAC service and rule
  Resolves: RHBZ#1664974
- ipaserver/dcerpc: fix exclusion entry with a forest trust domain info returned
  Resolves: RHBZ#1664023

- Fix misleading errors during client install rollback
  Resolves: RHBZ#1658283
- ipa-advise: update url of cacerdir_rehash tool
  Resolves: RHBZ#1658287
- Handle NTP configuration in a replica server installation
  Resolves: RHBZ#1651679
- Fix defects found by static analysis
  Resolves: RHBZ#1658182
- ipa-replica-install --setup-adtrust: check for package ipa-server-trust-ad
  Resolves: RHBZ#1658294
- ipaldap: invalid modlist when attribute encoding can vary
  Resolves: RHBZ#1658302
- Allow ipaapi and Apache user to access SSSD IFP
  Resolves: RHBZ#1639910
- Add sysadm_r to default SELinux user map order
  Resolves: RHBZ#1658303
- certdb: ensure non-empty Subject Key Identifier and validate server cert sig
  Resolves: RHBZ#1641988
- ipa-replica-install: password and admin-password options mutually exclusive
  Resolves: RHBZ#1658309
- ipa upgrade: handle double-encoded certificates
  Resolves: RHBZ#1658310
- PKINIT: fix ipa-pkinit-manage enable|disable
  Resolves: RHBZ#1658313
- Enable LDAP debug output in client to display TLS errors in join
  Resolves: RHBZ#1658316
- rpc: always read response
  Resolves: RHBZ#1639890
- ipa vault-retrieve: fix internal error
  Resolves: RHBZ#1658485
- Move ipa's systemd tmpfiles from /var/run to /run
  Resolves: RHBZ#1658487
- Fix authselect invocations to work with 1.0.2
  Resolves: RHBZ#1654291
- ipa-client-automount and NFS unit name changes
  Resolves: RHBZ#1645501
- Fix compile issue with new 389-ds
  Resolves: RHBZ#1659448

- Require platform-python-setuptools instead of python3-setuptools
- Resolves: rhbz#1650139

- Fixed: rhbz#1643445 - External CA step 2 fails with pki_client_database_dir is missing
- Fixed: rhbz#1642834 - Smart card advise script uses
  hard-coded Python interpreter

- Fix mapping of BUILTIN\Guests to 'nobody' group during upgrade to not use generated Samba config at this point
- Related: rhbz#1623895

- New command automember-find-orphans to find and remove orphan automember rules has been added
  Resolves: RHBZ#1638373
- Moved ipa/idm logos and background to redhat-logos-ipa-80.4: header-logo.png, login-screen-background.jpg, login-screen-logo.png, product-name.png
  New requirement to redhat-logos-ipa >= 80.4 in ipa-server-common
  Resolves: RHBZ#1626507

- Move initialization of Guests mapping after cifs/ principal is created
- Related: rhbz#1623895

- 4.7.1
- Fixes: rhbz#1633105 - rebase to 4.7.1

- Require the Python interpreter directly instead of using the package name
- Related: rhbz#1619153

- sudo rule for "admins" members should be created by default (#1609873)

- ipaclient-install: chmod needs octal permissions (#1609880)

- Resolves: #1609883 ipaserver/plugins/cert.py: Add reason to raise of errors.NotFound
- Resolves: #1615765 do-not-use-RC4-in-FIPS-mode
- Move fips_enabled to a common library to share across different plugins
- ipasam: do not use RC4 in FIPS mode

- Resolves: #1614301 Remove --no-sssd and --noac options
- Resolves: #1613879 Disable Domain Level 0
- New patch sets to disable domain level 0
- New adapted patch to disable DL0 specific tests (pytest_ipa vs. pytest_plugins)
- Adapted branding patch in ipa-replica-install.1 due to DL0 removal

- Require 389-ds-base-legacy-tools for setup tools

- Update to upstream 4.7.0 GA

- Set krb5 DAL version to 7.0 (#1580711)
- Rebuild aclocal and configure during build

- Update to upstream 4.6.90.pre1

- Use java-1.8.0-openjdk-devel

- Resolves: #1415162 ipa-exdom-extop plugin can exhaust DS worker threads

- Resolves: #1388135 [RFE] limit the retro changelog to dns subtree.
- ldap: limit the retro changelog to dns subtree
- Resolves: #1427798 Use X509v3 Basic Constraints "CA:TRUE" instead of "CA:FALSE" IPA CA CSR
- Include the CA basic constraint in CSRs when renewing a CA
- Resolves: #1493145 ipa-replica-install might fail because of an already existing entry cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
- Checks if replica-s4u2proxy.ldif should be applied
- Resolves: #1493150 [RFE] set nsslapd-ignore-time-skew: on by default
- ds: ignore time skew during initial replication step
- ipa-replica-manage: implicitly ignore initial time skew in force-sync
- Resolves: #1500218 Replica installation at domain-level 0 fails against upgraded ipa-server
- Fix ipa-replica-conncheck when called with --principal
- Resolves: #1506188 server-del doesn't remove dns-server configuration from ldap

- Drop workaround for building on AArch64 (#1482244)
- Temporarily reduce Requires on python-netaddr to 0.7.5-7 (#1506485)

- Resolves: #1461177 ipa-otptoken-import - XML file is missing PBKDF2 parameters!
- Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s during search in cn=ad, cn=trusts,dc=example,dc=com
- Resolves: #1467887 iommu platform support for ipxe
- Resolves: #1477178 [ipa-replica-install] - 406 Client Error: Failed to validate message: Incorrect number of results (0) searching forpublic key for host
- Resolves: #1478251 IPA WebUI does not work after upgrade from IPA 4.4 to 4.5
- Resolves: #1480102 ipa-server-upgrade failes with "This entry already exists"
- Resolves: #1482802 Unable to set ca renewal master on replica
- Resolves: #1484428 Updating from RHEL 7.3 fails with Server-Cert not found (ipa-server-upgrade)
- Resolves: #1484826 FreeIPA/IdM installations which were upgraded from versions with 389 DS prior to 1.3.3.0 doesn't have whomai plugin enabled and thus startup of Web UI fails
- Resolves: #1486283 TypeError in renew_ca_cert prevents from swiching back to self-signed CA
- Resolves: #1469246 Replica install fails to configure IPA-specific temporary files/directories
- Resolves: #1469480 bind package is not automatically updated during ipa-server upgrade process
- Resolves: #1475238 Use CommonNameToSANDefault in default profile (new installs only)
- Resolves: #1477703 IPA upgrade fails for latest ipa package

- Use OpenJDK 8 to bootstrap on AArch64 until RH1482244 is resolved in buildroot
- Resolves: #1470177 - Rebase IPA to latest 4.5.x version
- Resolves: #1398594 ipa topologysuffix-verify should only warn about maximum number of replication agreements.
- Resolves: #1404236 Web UI: Change "Host Based" and "Role Based" to "Host-Based" and "Role-Based"
- Resolves: #1409786 Second phase of --external-ca ipa-server-install setup fails when dirsrv is not running
- Resolves: #1451576 ipa cert-request failed to generate certificate from csr
- Resolves: #1452086 Pagination Size under Customization in IPA WebUI accepts negative values
- Resolves: #1458169 --force-join option is not mentioned in ipa-replica-install man page
- Resolves: #1463186 IPA shouldn't allow objectclass if not all in lower case
- Resolves: #1478322 user-show command fails when sizelimit is configured to number <= number of entity which is user member of
- Resolves: #1496775 Enterprise principals should be able to trigger a refresh of the trusted domain data in the KDC
- Resolves: #1502533 Changing cert-find to go through the proxy instead of using the port 8080
- Resolves: #1502663 pkinit-status command fails after an upgrade from a pre-4.5 IPA
- Resolves: #1498168 Error when trying to modify a PTR record
- Resolves: #1457876 ipa-backup fails silently
- Resolves: #1493531 In case full PKINIT configuration is failing during server/replica install the error message should be more meaningful.
- Resolves: #1449985 Suggest CA installation command in KRA installation warning

- Resolves: #1477367 ipa-server-upgrade timeouts on wait_for_open ports expecting IPA services listening on IPv6 ports
- Make sure upgrade also checks for IPv6 stack
- control logging of host_port_open from caller
- log progress of wait_for_open_ports
- Resolves: #1477243 ipa help command returns traceback when no cache is present
- Store help in Schema before writing to disk
- Disable pylint in get_help function because of type confusion.

- Resolves: #1477178 - [ipa-replica-install] - 406 Client Error: Failed to validate message: Incorrect number of results (0) searching forpublic key for host
- Always check peer has keys before connecting
- Resolves: #1482802 - Unable to set ca renewal master on replica
- Fix ipa config-mod --ca-renewal-master
- Resolves: #1486283 - TypeError in renew_ca_cert prevents from swiching back to self-signed CA
- Backport PR 988 to ipa-4-5 Fix Certificate renewal (with ext ca)
- Resolves: #1480102 - ipa-server-upgrade failes with "This entry already exists"
- Backport PR 1008 to ipa-4-5 Fix ipa-server-upgrade: This entry already exists
- Resolves: #1484826 - FreeIPA/IdM installations which were upgraded from versions with 389 DS prior to 1.3.3.0 doesn't have whomai plugin enabled and thus startup of Web UI fails
- Adds whoami DS plugin in case that plugin is missing
- Resolves: #1478251 - IPA WebUI does not work after upgrade from IPA 4.4 to 4.5
- Fixing how sssd.conf is updated when promoting a client to replica
- Resolves: #1461177 - ipa-otptoken-import - XML file is missing PBKDF2 parameters!
  - ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace
- Resolves: #1484428 - Updating from RHEL 7.3 fails with Server-Cert not found (ipa-server-upgrade)
  - Backport 4-5: Fix ipa-server-upgrade with server cert tracking

- Resolves: #1477703 IPA upgrade fails for latest ipa package
  - Restore old version of caIPAserviceCert for upgrade only

- Resolves: #1475238 Use CommonNameToSANDefault in default profile (new installs only)
  - Restore old version of caIPAserviceCert for upgrade only

- Resolves: #1455946 Provide a tooling automating the configuration of Smart Card authentication on a FreeIPA master
  - smart-card advises: configure systemwide NSS DB also on master
  - smart-card advises: add steps to store smart card signing CA cert
  - Allow to pass in multiple CA cert paths to the smart card advises
  - add a class that tracks the indentation in the generated advises
  - delegate the indentation handling in advises to dedicated class
  - advise: add an infrastructure for formatting Bash compound statements
  - delegate formatting of compound Bash statements to dedicated classes
  - Fix indentation of statements in Smart card advises
  - Use the compound statement formatting API for configuring PKINIT
  - smart card advises: use a wrapper around Bash `for` loops
  - smart card advise: use password when changing trust flags on HTTP cert
  - smart-card-advises: ensure that krb5-pkinit is installed on client
- Resolves: #1475238 Use CommonNameToSANDefault in default profile (new installs only)
  - Add CommonNameToSANDefault to default cert profile
- Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s during search in cn=ad,cn=trusts,dc=example,dc=com
  - NULL LDAP context in call to ldap_search_ext_s during search

- Resolves: #1469246 Replica install fails to configure IPA-specific temporary files/directories
  - replica install: drop-in IPA specific config to tmpfiles.d
- Resolves: #1469480 bind package is not automatically updated during ipa-server upgrade process
  - Bumped Required version of bind-dyndb-ldap and bind package

- Resolves: #1452216 Replica installation grants HTTP principal access in WebUI
  - Make sure we check ccaches in all rpcserver paths

- Resolves: #1462112 ipaserver installation fails in FIPS mode: OpenSSL internal error, assertion failed: Digest MD4 forbidden in FIPS mode!
  - ipa-sam: replace encode_nt_key() with E_md4hash()
  - ipa_pwd_extop: do not generate NT hashes in FIPS mode
- Resolves: #1377973 ipa-server-install fails when the provided or resolved IP address is not found on local interfaces
  - Fix local IP address validation
  - ipa-dns-install: remove check for local ip address
  - refactor CheckedIPAddress class
  - CheckedIPAddress: remove match_local param
  - Remove ip_netmask from option parser
  - replica install: add missing check for non-local IP address
  - Remove network and broadcast address warnings

- Resolves: #1449189 ipa-kra-install timeouts on replica
  - kra: promote: Get ticket before calling custodia

- Resolve: #1455946 Provide a tooling automating the configuration of Smart Card authentication on a FreeIPA master
  - server certinstall: update KDC master entry
  - pkinit manage: introduce ipa-pkinit-manage
  - server upgrade: do not enable PKINIT by default
  - Extend the advice printing code by some useful abstractions
  - Prepare advise plugin for smart card auth configuration
- Resolve: #1461053 allow to modify list of UPNs of a trusted forest
  - trust-mod: allow modifying list of UPNs of a trusted forest
  - WebUI: add support for changing trust UPN suffixes

- Resolves: #1377973 ipa-server-install fails when the provided or resolved IP address is not found on local interfaces
  - Only warn when specified server IP addresses don't match intf
- Resolves: #1438016 gssapi errors after IPA server upgrade
  - Bump version of python-gssapi
- Resolves: #1457942 certauth: use canonical principal for lookups
  - ipa-kdb: use canonical principal in certauth plugin
- Resolves: #1459153 Do not send Max-Age in ipa_session cookie to avoid breaking older clients
  - Add code to be able to set default kinit lifetime
  - Revert setting sessionMaxAge for old clients

- Resolves: #1442233 IPA client commands fail when pointing to replica
  - httpinstance: wait until the service entry is replicated
- Resolves: #1456769 ipaAnchorUUID index incorrectly configured and then not indexed
  - Fix index definition for ipaAnchorUUID
- Resolves: #1438016 gssapi errors after IPA server upgrade
  - Avoid possible endless recursion in RPC call
  - rpc: preparations for recursion fix
  - rpc: avoid possible recursion in create_connection
- Resolves: #1446087 services entries missing krbCanonicalName attribute.
  - Changing cert-find to do not use only primary key to search in LDAP.
- Resolves: #1452763 ipa certmaprule change not reflected in krb5kdc workers
  - ipa-kdb: reload certificate mapping rules periodically
- Resolves: #1455541 after upgrade login from web ui breaks
  - kdc.key should not be visible to all
- Resolves: #1435606 Add pkinit_indicator option to KDC configuration
  - ipa-kdb: add pkinit authentication indicator in case of a successful certauth
- Resolves: #1455945 Enabling OCSP checks in mod_nss breaks certificate issuance when ipa-ca records are not resolvable
  - Turn off OCSP check
- Resolves: #1454483 rhel73 ipa ui - cannot del server - IPA Error 903 - server_del - TypeError: 'NoneType' object is not iterable
  - fix incorrect suffix handling in topology checks

- Resolves: #1438731 Extend ipa-server-certinstall and ipa-certupdate to handle PKINIT certificates/anchors
  - certdb: add named trust flag constants
  - certdb, certs: make trust flags argument mandatory
  - certdb: use custom object for trust flags
  - install: trust IPA CA for PKINIT
  - client install: fix client PKINIT configuration
  - install: introduce generic Kerberos Augeas lens
  - server install: fix KDC PKINIT configuration
  - ipapython.ipautil.run: Add option to set umask before executing command
  - certs: do not export keys world-readable in install_key_from_p12
  - certs: do not export CA certs in install_pem_from_p12
  - server install: fix KDC certificate validation in CA-less
  - replica install: respect --pkinit-cert-file
  - cacert manage: support PKINIT
  - server certinstall: support PKINIT
- Resolves: #1444432 CA-less pkinit not installable with --pkinit-cert-file option
  - certs: do not export CA certs in install_pem_from_p12
  - server install: fix KDC certificate validation in CA-less
- Resolves: #1451228 ipa-kra-install fails when primary KRA server has been decommissioned
  - ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname
- Resolves: #1451712 KRA installation fails on server that was originally installed as CA-less
  - ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt
- Resolves: #1441499 ipa cert-show does not raise error if no file name specified
  - ca/cert-show: check certificate_out in options
- Resolves: #1449522 Deprecate `ipa pkinit-anonymous` command in FreeIPA 4.5+
  - Remove pkinit-anonymous command
- Resolves: #1449523 Provide an API command to retrieve PKINIT status in the FreeIPA topology
  - Allow for multivalued server attributes
  - Refactor the role/attribute member reporting code
  - Add an attribute reporting client PKINIT-capable servers
  - Add the list of PKINIT servers as a virtual attribute to global config
  - Add `pkinit-status` command
  - test_serverroles: Get rid of MockLDAP and use ldap2 instead
- Resolves: #1452216 Replica installation grants HTTP principal access in WebUI
  - Fix rare race condition with missing ccache file
- Resolves: #1455045 Simple service uninstallers must be able to handle missing service files gracefully
  - only stop/disable simple service if it is installed
- Resolves: #1455541 after upgrade login from web ui breaks
  - krb5: make sure KDC certificate is readable
- Resolves: #1455862 "ipa: ERROR: an internal error has occurred" on executing command "ipa cert-request --add" after upgrade
  - Change python-cryptography to python2-cryptography

- Resolves: #1451804 "AttributeError: 'tuple' object has no attribute 'append'" error observed during ipa upgrade with latest package.
  - ipa-server-install: fix uninstall
- Resolves: #1445390 ipa-[ca|kra]-install with invalid DM password break replica
  - ca install: merge duplicated code for DM password
  - installutils: add DM password validator
  - ca, kra install: validate DM password

- Resolves: #1447284 Upgrade from ipa-4.1 fails when enabling KDC proxy
  - python2-ipalib: add missing python dependency
  - installer service: fix typo in service entry
  - upgrade: add missing suffix to http instance
- Resolves: #1444791 Update man page of ipa-kra-install
  - ipa-kra-install manpage: document domain-level 1
- Resolves: #1441493 ipa cert-show raises stack traces when --certificate-out=/tmp
  - cert-show: writable files does not mean dirs
- Resolves: #1441192 Add the name of URL parameter which will be check for username during cert login
  - Bump version of ipa.conf file
- Resolves: #1378797 Web UI must check OCSP and CRL during smartcard login
  - Turn on NSSOCSP check in mod_nss conf
- Resolves: #1322963 Errors from AD when trying to sign ipa.csr, conflicting template on
  - renew agent: respect CA renewal master setting
  - server upgrade: always fix certmonger tracking request
  - cainstance: use correct profile for lightweight CA certificates
  - renew agent: allow reusing existing certs
  - renew agent: always export CSR on IPA CA certificate renewal
  - renew agent: get rid of virtual profiles
  - ipa-cacert-manage: add --external-ca-type
- Resolves: #1441593 error adding authenticator indicators to host
  - Fixing adding authenticator indicators to host
- Resolves: #1449525 Set directory ownership in spec file
  - Added plugins directory to ipaclient subpackages
  - ipaclient: fix missing RPM ownership
- Resolves: #1451279 otptoken-add-yubikey KeyError: 'ipatokenotpdigits'
  - otptoken-add-yubikey: When --digits not provided use default value

- Resolves: #1449189 ipa-kra-install timeouts on replica
  - ipa-kra-install: fix check_host_keys

- Resolves: #1438833 [ipa-replica-install] - 406 Client Error: Failed to validate message: Incorrect number of results (0) searching for public key for host
  - Make sure remote hosts have our keys
- Resolves: #1442815 Replica install fails during migration from older IPA master
  - Refresh Dogtag RestClient.ca_host property
  - Remove the cachedproperty class
- Resolves: #1444787 Update warning message when KRA installation fails
  - kra install: update installation failure message
- Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode
  - ipa-server-install with external CA: fix pkinit cert issuance
- Resolves: #1445397 GET in KerberosSession.finalize_kerberos_acquisition() must use FreeIPA CA
  - kerberos session: use CA cert with full cert chain for obtaining cookie
- Resolves: #1447375 ipa-client-install: extra space in pkinit_anchors definition
  - ipa-client-install: remove extra space in pkinit_anchors definition
- Resolves: #1447703 Fix SELinux context of http.keytab during upgrade
  - Use proper SELinux context with http.keytab

- Resolves: #1200767 [RFE] Allow Kerberos authentication for users with certificates on smart cards (pkinit)
  - spec file: bump krb5 Requires for certauth fixes
- Resolves: #1438729 Configure local PKINIT on DL0 or when '--no-pkinit' option is used
  - separate function to set ipaConfigString values on service entry
  - Allow for configuration of all three PKINIT variants when deploying KDC
  - API for retrieval of master's PKINIT status and publishing it in LDAP
  - Use only anonymous PKINIT to fetch armor ccache
  - Stop requesting anonymous keytab and purge all references of it
  - Use local anchor when armoring password requests
  - Upgrade: configure local/full PKINIT depending on the master status
  - Do not test anonymous PKINIT after install/upgrade
- Resolves: #1442427 ipa.ipaserver.install.plugins.adtrust.update_tdo_gidnumber: ERROR Default SMB Group not found
  - upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is installed
- Resolves: #1442932 ipa restore fails to restore IPA user
  - restore: restart/reload gssproxy after restore
- Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode
  - Fix CA/server cert validation in FIPS
- Resolves: #1444947 Deadlock between topology and schema-compat plugins
  - compat-manage: behave the same for all users
  - Move the compat plugin setup at the end of install
  - compat: ignore cn=topology,cn=ipa,cn=etc subtree
- Resolves: #1445358 ipa vault-add raises TypeError
  - vault: piped input for ipa vault-add fails
- Resolves: #1445382 ipa vault-retrieve fails to retrieve data from vault
  - Vault: Explicitly default to 3DES CBC
- Resolves: #1445432 uninstall ipa client automount failed with RuntimeWarning
  - automount install: fix checking of SSSD functionality on uninstall
- Resolves: #1446137 pki_client_database_password is shown in ipaserver-install.log
  - Hide PKI Client database password in log file

- Resolves: #1443869 Command "openssl pkcs12 ..." failed during IPA upgrade
  - Fix CAInstance.import_ra_cert for empty passwords

- Resolves: #1431520 ipa cert-find runs a large number of searches, so IPA WebUI is slow to display user details page
  - cert: defer cert-find result post-processing
- Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit helper when installing replica
  - server-install: No double Kerberos install
- Resolves: #1437502 ipa-replica-install fails with requirement to use --force-join that is a client install option.
  - Add the force-join option to replica install
  - replicainstall: better client install exception handling
- Resolves: #1437953 Server CA-less impossible option check
  - server-install: remove broken no-pkinit check
- Resolves: #1441160 FreeIPA client <= 4.4 fail to parse 4.5 cookies
  - Add debug log in case cookie retrieval went wrong
- Resolves: #1441548 ipa server install fails with --external-ca option
  - ext. CA: correctly write the cert chain
- Resolves: #1441718 Conversion of CA-less server to CA fails on CA instance spawn
  - Fix CA-less to CA-full upgrade
- Resolves: #1442133 Do not link libkrad, liblber, libldap_r and libsss_nss_idmap to every binary in IPA
  - configure: fix AC_CHECK_LIB usage
- Resolves: #1442815 Replica install fails during migration from older IPA master
  - Fix RA cert import during DL0 replication
- Related: #1442004 Building IdM/FreeIPA internally on all architectures - filtering unsupported packages
  - Build all subpackages on all architectures

- Resolves: #1382053 Need to have validation for idrange names
  - idrange-add: properly handle empty --dom-name option
- Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit helper when installing replica
  - dsinstance: reconnect ldap2 after DS is restarted by certmonger
  - httpinstance: avoid httpd restart during certificate request
  - dsinstance, httpinstance: consolidate certificate request code
  - install: request service certs after host keytab is set up
  - renew agent: revert to host keytab authentication
  - renew agent, restart scripts: connect to LDAP after kinit
- Resolves: #1436987 ipasam: gidNumber attribute is not created in the trusted domain entry
  - ipa-sam: create the gidNumber attribute in the trusted domain entry
  - Upgrade: add gidnumber to trusted domain entry
- Resolves: #1438679 [ipa-replica-install] - IncorrectPasswordException: Incorrect client security database password
  - Add pki_pin only when needed
- Resolves: #1438348 Console output message while adding trust should be mapped with texts changed in Samba.
  - ipaserver/dcerpc: unify error processing
- Resolves: #1438366 ipa trust-fetch-domains: ValidationError: invalid 'Credentials': Missing credentials for cross-forest communication
  - trust: always use oddjobd helper for fetching trust information
- Resolves: #1441192 Add the name of URL parameter which will be check for username during cert login
  - WebUI: cert login: Configure name of parameter used to pass username
- Resolves: #1437879 [copr] Replica install failing
  - Create system users for FreeIPA services during package installation
- Resolves: #1441316 WebUI cert auth fails after ipa-adtrust-install
  - Fix s4u2self with adtrust

- Resolves: #1318186 Misleading error message during external-ca IPA master install
  - httpinstance: make sure NSS database is backed up
- Resolves: #1331443 Re-installing ipa-server after uninstall fails with "ERROR CA certificate chain in ... incomplete"
  - httpinstance: make sure NSS database is backed up
- Resolves: #1393726 Enumerate all available request type options in ipa cert-request help
  - Hide request_type doc string in cert-request help
- Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping
  - spec file: bump libsss_nss_idmap-devel BuildRequires
  - server: make sure we test for sss_nss_getlistbycert
- Resolves: #1437378 ipa-adtrust-install produced an error and failed on starting smb when hostname is not FQDN
  - adtrust: make sure that runtime hostname result is consistent with the configuration
- Resolves: #1437555 ipa-replica-install with DL0 fails to get anonymous keytab
  - Always check and create anonymous principal during KDC install
  - Remove duplicate functionality in upgrade
- Resolves: #1437946 Upgrade to FreeIPA 4.5.0 does not configure anonymous principal for PKINIT
  - Upgrade: configure PKINIT after adding anonymous principal
  - Remove unused variable from failed anonymous PKINIT handling
  - Split out anonymous PKINIT test to a separate method
  - Ensure KDC is properly configured after upgrade
- Resolves: #1437951 Remove pkinit-related options from server/replica-install on DL0
  - Fix the order of cert-files check
  - Don't allow setting pkinit-related options on DL0
  - replica-prepare man: remove pkinit option refs
  - Remove redundant option check for cert files
- Resolves: #1438490 CA-less installation fails on publishing CA certificate
  - Get correct CA cert nickname in CA-less
  - Remove publish_ca_cert() method from NSSDatabase
- Resolves: #1438838 Avoid arch-specific path in /etc/krb5.conf.d/ipa-certmap
  - IPA-KDB: use relative path in ipa-certmap config snippet
- Resolves: #1439038 Allow erasing ipaDomainResolutionOrder attribute
  - Allow erasing ipaDomainResolutionOrder attribute

- Resolves: #1434032 Run ipa-custodia with custom SELinux context
  - Require correct custodia version

- Resolves: #800545 [RFE] Support SUDO command rename
  - Reworked the renaming mechanism
  - Allow renaming of the sudorule objects
- Resolves: #872671 IPA WebUI login for AD Trusted User fails
  - WebUI: check principals in lowercase
  - WebUI: add method for disabling item in user dropdown menu
  - WebUI: Add support for login for AD users
- Resolves: #1200767 [RFE] Allow Kerberos authentication for users with certificates on smart cards (pkinit)
  - ipa-kdb: add ipadb_fetch_principals_with_extra_filter()
  - IPA certauth plugin
  - ipa-kdb: do not depend on certauth_plugin.h
  - spec file: bump krb5-devel BuildRequires for certauth
- Resolves: #1264370 RFE: disable last successful authentication by default in ipa.
  - Set "KDC:Disable Last Success" by default
- Resolves: #1318186 Misleading error message during external-ca IPA master install
  - certs: do not implicitly create DS pin.txt
  - httpinstance: clean up /etc/httpd/alias on uninstall
- Resolves: #1331443 Re-installing ipa-server after uninstall fails with "ERROR CA certificate chain in ... incomplete"
  - certs: do not implicitly create DS pin.txt
  - httpinstance: clean up /etc/httpd/alias on uninstall
- Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication
  - configure: fix --disable-server with certauth plugin
  - rpcserver.login_x509: Actually return reply from __call__ method
  - spec file: Bump requires to make Certificate Login in WebUI work
- Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping
  - extdom: do reverse search for domain separator
  - extdom: improve cert request
- Resolves: #1430363 [RFE] HBAC rule names command rename
  - Reworked the renaming mechanism
  - Allow renaming of the HBAC rule objects
- Resolves: #1433082 systemctl daemon-reload needs to be called after httpd.service.d/ipa.conf is manipulated
  - tasks: run `systemctl daemon-reload` after httpd.service.d updates
- Resolves: #1434032 Run ipa-custodia with custom SELinux context
  - Use Custodia 0.3.1 features
- Resolves: #1434384 RPC client should use HTTP persistent connection
  - Use connection keep-alive
  - Add debug logging for keep-alive
  - Increase Apache HTTPD's default keep alive timeout
- Resolves: #1434729 man ipa-cacert-manage install needs clarification
  - man ipa-cacert-manage install needs clarification
- Resolves: #1434910 replica install against IPA v3 master fails with ACIError
  - Fixing replica install: fix ldap connection in domlvl 0
- Resolves: #1435394 Ipa-kra-install fails with weird output when backspace is used during typing Directory Manager password
  - ipapython.ipautil.nolog_replace: Do not replace empty value
- Resolves: #1435397 ipa-replica-install can't install replica file produced by ipa-replica-prepare on 4.5
  - replica prepare: fix wrong IPA CA nickname in replica file
- Resolves: #1435599 WebUI: in self-service Vault menu item is shown even if KRA is not installed
  - WebUI: Fix showing vault in selfservice view
- Resolves: #1435718 As a ID user I cannot call a command with --rights option
  - ldap2: use LDAP whoami operation to retrieve bind DN for current connection
- Resolves: #1436319 "Truncated search results" pop-up appears in user details in WebUI
  - WebUI: Add support for suppressing warnings
  - WebUI: suppress truncation warning in select widget
- Resolves: #1436333 Uninstall fails with No such file or directory: '/var/run/ipa/services.list'
  - Create temporary directories at the beginning of uninstall
- Resolves: #1436334 WebUI: Adding certificate mapping data using certificate fails
  - WebUI: Allow to add certs to certmapping with CERT LINES around
- Resolves: #1436338 CLI doesn't work after ipa-restore
  - Backup ipa-specific httpd unit-file
  - Backup CA cert from kerberos folder
- Resolves: #1436342 Bump samba version, required for FIPS mode and privilege separation
  - Bump samba version for FIPS and priv. separation
- Resolves: #1436642 [ipalib/rpc.py] - "maximum recursion depth exceeded" with ipa vault commands
  - Avoid growing FILE ccaches unnecessarily
  - Handle failed authentication via cookie
  - Work around issues fetching session data
  - Prevent churn on ccaches
- Resolves: #1436657 Add workaround for pki_pin for FIPS
  - Generate PIN for PKI to help Dogtag in FIPS
- Resolves: #1436714 [vault] cache KRA transport cert
  - Simplify KRA transport cert cache
- Resolves: #1436723 cert-find does not find all certificates without sizelimit=0
  - cert: do not limit internal searches in cert-find
- Resolves: #1436724 Renewal of IPA RA fails on replica
  - dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function
- Resolves: #1436753 Master tree fails to install
  - httpinstance.disable_system_trust: Don't fail if module 'Root Certs' is not available

- Resolves: #1432630 python2-jinja2 needed for python2-ipaclient
  - Remove csrgen
- Resolves: #1432903 Set GssProxy options to enable caching of ldap tickets
  - Add options to allow ticket caching

- Resolves: #828866 [RFE] enhance --subject option for ipa-server-install
- Resolves: #1160555 ipa-server-install: Cannot handle double hyphen "--" in hostname
- Resolves: #1286288 Insufficient 'write' privilege to the 'ipaExternalMember' attribute
- Resolves: #1321652 ipa-server-install fails when using external certificates that encapsulate RDN components in double quotes
- Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on revocation reasons
- Resolves: #1340880 ipa-server-install: improve prompt on interactive installation
- Resolves: #1353841 ipa-replica-install fails to install when resolv.conf incomplete entries
- Resolves: #1356104 cert-show command does not display Subject Alternative Names
- Resolves: #1357511 Traceback message seen when ipa is provided with invalid configuration file name
- Resolves: #1358752 ipa-ca-install fails on replica when IPA server is converted from CA-less to CA-full
- Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication
- Resolves: #1367572 improve error message in ipa migrate-ds: mention ipa config-mod --enable-migration=TRUE
- Resolves: #1367868 Add options to retrieve lightweight CA certificate/chain
- Resolves: #1371927 Implement ca-enable/disable commands.
- Resolves: #1372202 Add Users into User Group editors fails to show Full names
- Resolves: #1373091 Adding an auth indicator from the CLI creates an extra check box in the UI
- Resolves: #1375596 Ipa-server WebUI - long user/group name show wrong error message
- Resolves: #1375905 "Normal" group type in the UI is confusing
- Resolves: #1376040 IPA client ipv6 - invalid --ip-address shows traceback
- Resolves: #1376630 IDM admin password gets written to /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
- Resolves: #1376729 ipa-server-install script option --no_hbac_allow should match other options
- Resolves: #1378461 IPA Allows Password Reuse with History value defined when admin resets the password.
- Resolves: #1379029 conncheck failing intermittently during single step replica installs
- Resolves: #1379858 [RFE] better debugging for ipa-replica-conncheck
- Resolves: #1384310 ipa dnsrecord-add fails with Keyerror stack trace
- Resolves: #1392778 Update man page for ipa-adtrust-install by removing --no-msdcs option
- Resolves: #1392858 Rebase to FreeIPA 4.5+
  - Rebase to 4.5.0
- Resolves: #1399133 Delete option shouldn't be available for hosts applied to view.
- Resolves: #1399190 [RFE] Certificates issued by externally signed IdM CA should contain full trust chain
- Resolves: #1400416 RFE: Provide option to take backup of IPA server before uninstalling IPA server
- Resolves: #1400529 cert-request is not aware of Kerberos principal aliases
- Resolves: #1401526 IPA WebUI certificates are grayed out on overview page but not on details page
- Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping
- Resolves: #1404750 ipa-client-install fails to get CA cert via LDAP when non-FQDN name of IPA server is first in /etc/hosts
- Resolves: #1409628 [RFE] Semi-automatic integration with external DNS using nsupdate
- Resolves: #1413742 Backport request for bug/issue Change IP address validation errors to warnings
- Resolves: #1415652 IPA replica install log shows password in plain text
- Resolves: #1427897 different behavior regarding system wide certs in master and replica.
- Resolves: #1430314 The ipa-managed-entries command failed, exception: AttributeError: ldap2

- Resolves: #1419735 ipa-replica-install fails promotecustodia.create_replica with cert errors (untrusted)
  - added ssl verification using IPA trust anchor
- Resolves: #1428472 batch param compatibility is incorrect
  - compat: fix `Any` params in `batch` and `dnsrecord`
- Renamed patches 1011 and 1012 to 0159 and 0157, as they were merged upstream

- Resolves: #1416454 replication race condition prevents IPA to install
  - wait_for_entry: use only DN as parameter
  - Wait until HTTPS principal entry is replicated to replica
  - Use proper logging for error messages

- Resolves: #1365858 ipa-ca-install fails on replica when IPA Master is installed without CA
  - Set up DS TLS on replica in CA-less topology
- Resolves: #1398600 IPA replica install fails with dirsrv errors.
  - Do not configure PKI ajp redirection to use "::1"
- Resolves: #1413137 CVE-2017-2590 ipa: Insufficient permission check for ca-del, ca-disable and ca-enable commands
  - ca: correctly authorise ca-del, ca-enable and ca-disable

- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services by abusing password policy
  - ipa-kdb: search for password policies globally
- Renamed patches 1011 and 1012 to 0151 and 0150, as they were merged upstream

- Resolves: #1398670 Check IdM Topology for broken record caused by replication conflict before upgrading it
  - Check for conflict entries before raising domain level

- Resolves: #1382812 Creation of replica for disconnected environment is failing with CA issuance errors; Need good steps.
  - gracefully handle setting replica bind dn group on old masters
- Resolves: #1397439 ipa-ca-install on promoted replica hangs on creating a temporary CA admin
  - replication: ensure bind DN group check interval is set on replica config
  - add missing attribute to ipaca replica during CA topology update
- Resolves: #1401088 IPA upgrade of replica without DNS fails during restart of named-pkcs11
  - bindinstance: use data in named.conf to determine configuration status

- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services by abusing password policy
  - password policy: Add explicit default password policy for hosts and services
- Resolves: #1395311 CVE-2016-9575 ipa: Insufficient permission check in certprofile-mod
  - certprofile-mod: correctly authorise config update

- Resolves: #1378353 Replica install fails with old IPA master sometimes during replication process
  - spec file: bump minimal required version of 389-ds-base
- Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1
  - Fix missing file that fails DL1 replica installation
- Resolves: #1387782 WebUI: Services are not displayed correctly after upgrade
  - WebUI: services without canonical name are shown correctly
- Resolves: #1389709 Traceback seen in error_log when trustdomain-del is run
  - trustdomain-del: fix the way how subdomain is searched

- Resolves: #1318616 CA fails to start after doing ipa-ca-install --external-ca
  - Keep NSS trust flags of existing certificates
- Resolves: #1360813 ipa-server-certinstall does not update all certificate stores and doesn't set proper trust permissions
  - Add cert checks in ipa-server-certinstall
- Resolves: #1371479 cert-find --all does not show information about revocation
  - cert: add revocation reason back to cert-find output
- Resolves: #1375133 WinSync users who have First.Last casing creates users who can have their password set
  - ipa passwd: use correct normalizer for user principals
- Resolves: #1377858 Users with 2FA tokens are not able to login to IPA servers
  - Properly handle LDAP socket closures in ipa-otpd
- Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1
  - Make httpd publish its CA certificate on DL1

- Resolves: #1373910 IPA server upgrade fails with DNS timed out errors.
- Resolves: #1375269 ipa trust-fetch-domains throws internal error

- Resolves: #1373359 ipa-certupdate fails with "CA is not configured"
  - Fix regression introduced in ipa-certupdate

- Resolves: #1355753 adding two way non transitive(external) trust displays internal error on the console
  - Always fetch forest info from root DCs when establishing two-way trust
  - factor out `populate_remote_domain` method into module-level function
  - Always fetch forest info from root DCs when establishing one-way trust
- Resolves: #1356101 Lightweight sub-CA certs are not tracked by certmonger after `ipa-replica-install`
  - Track lightweight CAs on replica installation
- Resolves: #1357488 ipa command stuck forever on higher versioned client with lower versioned server
  - compat: Save server's API version in for pre-schema servers
  - compat: Fix ping command call
  - schema cache: Store and check info for pre-schema servers
- Resolves: #1363905 man page for ipa-replica-manage has a typo in -c flag
  - Fix man page ipa-replica-manage: remove duplicate -c option from --no-lookup
- Resolves: #1367865 webui: cert_revoke should use --cacn to set correct CA when revoking certificate
  - cert: include CA name in cert command output
  - WebUI add support for sub-CAs while revoking certificates
- Resolves: #1368424 Unable to view certificates issued by Sub CA in Web UI
  - Add support for additional options taken from table facet
  - WebUI: Fix showing certificates issued by sub-CA
- Resolves: #1368557 dnsrecord-add does not prompt for missing record parts interactively
  - dns: normalize record type read interactively in dnsrecord_add
  - dns: prompt for missing record parts in CLI
  - dns: fix crash in interactive mode against old servers
- Resolves: #1370519 Certificate revocation in service-del and host-del isn't aware of Sub CAs
  - cert: fix cert-find --certificate when the cert is not in LDAP
  - Make host/service cert revocation aware of lightweight CAs
- Resolves: #1371901 Use OAEP padding with custodia
  - Use RSA-OAEP instead of RSA PKCS#1 v1.5
- Resolves: #1371915 When establishing external two-way trust, forest root Administrator account is used to fetch domain info
  - do not use trusted forest name to construct domain admin principal
- Resolves: #1372597 Incorrect CA ACL evaluation of SAN DNS names in certificate request
  - Fix CA ACL Check on SubjectAltNames
- Resolves: #1373272 CLI always sends default command version
  - cli: use full name when executing a command
- Resolves: #1373359 ipa-certupdate fails with "CA is not configured"
  - Fix ipa-certupdate for CA-less installation
- Resolves: #1373540 client-install with IPv6 address fails on link-local address (always)
  - Fix parse errors with link-local addresses

- Resolves: #1081561 CA not start during ipa server install in pure IPv6 env
  - Fix ipa-server-install in pure IPv6 environment
- Resolves: #1318169 Tree-root domains in a trusted AD forest aren't marked as reachable via the forest root
  - trust: make sure ID range is created for the child domain even if it exists
  - ipa-kdb: simplify trusted domain parent search
- Resolves: #1335567 Update Warning in IdM Web UI API browser
  - WebUI: add API browser is tech preview warning
- Resolves: #1348560 Multiple domain Active Directory Trust conflict
  - ipaserver/dcerpc: reformat to make the code closer to pep8
  - trust: automatically resolve DNS trust conflicts for triangle trusts
- Resolves: #1351593 CVE-2016-5404 ipa: Insufficient privileges check in certificate revocation
  - cert-revoke: fix permission check bypass (CVE-2016-5404)
- Resolves: #1353936 custodia.conf and server.keys file is world-readable.
  - Remove Custodia server keys from LDAP
  - Secure permissions of Custodia server.keys
- Resolves: #1358752 ipa-ca-install fails on replica when IPA server is converted from CA-less to CA-full
  - custodia: include known CA certs in the PKCS#12 file for Dogtag
  - custodia: force reconnect before retrieving CA certs from LDAP
- Resolves: #1362333 ipa vault container owner cannot add vault
  - Fix: container owner should be able to add vault
- Resolves: #1365546 External trust with root domain is transitive
  - trust: make sure external trust topology is correctly rendered
- Resolves: #1365572 IPA server broken after upgrade
  - Require pki-core-10.3.3-7
- Resolves: #1367864 Server assumes latest version of command instead of version 1 for old / 3rd party clients
  - rpcserver: assume version 1 for unversioned command calls
  - rpcserver: fix crash in XML-RPC system commands
- Resolves: #1367773 thin client ignores locale change
  - schema cache: Fallback to 'en_us' when locale is not available
- Resolves: #1368754 ipa server uninstall fails with Python "Global Name error"
  - Fail on topology disconnect/last role removal
- Resolves: #1368981 ipa otptoken-add --type=hotp --key creates wrong OTP
  - otptoken, permission: Convert custom type parameters on server
- Resolves: #1369414 ipa server-del fails with Python stack trace
  - Handled empty hostname in server-del command
- Resolves: #1369761 ipa-server must depend on a version of httpd that support mod_proxy with UDS
  - Require httpd 2.4.6-31 with mod_proxy Unix socket support
- Resolves: #1370512 Received ACIError instead of DuplicatedError in stageuser_tests
  - Raise DuplicatedEnrty error when user exists in delete_container
- Resolves: #1371479 cert-find --all does not show information about revocation
  - cert: add missing param values to cert-find output
- Renamed patch 1011 to 0100, as it was merged upstream

- Resolves: #1298288 [RFE] Improve performance in large environments.
  - cert: speed up cert-find
- Resolves: #1317379 [EXPERIMENTAL][RFE] Web UI: allow Smart Card authentication
  - service: add flag to allow S4U2Self
  - Add 'trusted to auth as user' checkbox
  - Added new authentication method
- Resolves: #1353881 ipa-replica-install suggests about non-existent --force-ntpd option
  - Don't show --force-ntpd option in replica install
- Resolves: #1354441 DNS forwarder check is too strict: unable to add sub-domain to already-broken domain
  - DNS: allow to add forward zone to already broken sub-domain
- Resolves: #1356146 performance regression in CLI help
  - schema: Speed up schema cache
  - frontend: Change doc, summary, topic and NO_CLI to class properties
  - schema: Introduce schema cache format
  - schema: Generate bits for help load them on request
  - help: Do not create instances to get information about commands and topics
  - schema cache: Do not reset ServerInfo dirty flag
  - schema cache: Do not read fingerprint and format from cache
  - Access data for help separately
  - frontend: Add summary class property to CommandOverride
  - schema cache: Read server info only once
  - schema cache: Store API schema cache in memory
  - client: Do not create instance just to check isinstance
  - schema cache: Read schema instead of rewriting it when SchemaUpToDate
- Resolves: #1360769 ipa-server-certinstall couldn't unlock private key file
  - server install: do not prompt for cert file PIN repeatedly
- Resolves: #1364113 ipa-password: ipa: ERROR: RuntimeError: Unable to create cache directory: [Errno 13] Permission denied: '/home/test_user'
  - schema: Speed up schema cache
- Resolves: #1366604 `cert-find` crashes on invalid certificate data
  - cert: do not crash on invalid data in cert-find
- Resolves: #1366612 Middle replica uninstallation in line topology works without '--ignore-topology-disconnect'
  - Fail on topology disconnect/last role removal
- Resolves: #1366626 caacl-add-service: incorrect error message when service does not exists
  - Fix ipa-caalc-add-service error message
- Resolves: #1367022 The ipa-server-upgrade command failed when named-pkcs11 does not happen to run during dnf upgrade
  - DNS server upgrade: do not fail when DNS server did not respond
- Resolves: #1367759 [RFE] [webui] warn admin if there is only one IPA server with CA
  - Add warning about only one existing CA server
  - Set servers list as default facet in topology facet group
- Resolves: #1367773 thin client ignores locale change
  - schema check: Check current client language against cached one

- Resolves: #1361119 UPN-based search for AD users does not match an entry in slapi-nis map cache
  - support multiple uid values in schema compatibility tree

- Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6
  - Revert "spec: add conflict with bind-chroot to freeipa-server-dns"
- Resolves: #1341249 Subsequent external CA installation fails
  - install: fix external CA cert validation
- Resolves: #1353831 ipa-server-install fails in container because of hostnamectl set-hostname
  - server-install: Fix --hostname option to always override api.env values
  - install: Call hostnamectl set-hostname only if --hostname option is used
- Resolves: #1356091 ipa-cacert-manage --help and man differ
  - Improvements for the ipa-cacert-manage man and help
- Resolves: #1360631 ipa-backup is not keeping the /etc/tmpfiles.d/dirsrv-.conf
  - ipa-backup: backup /etc/tmpfiles.d/dirsrv-.conf
- Resolves: #1361047 ipa-replica-install --help usage line suggests the replica file is needed
  - Update ipa-replica-install documentation
- Resolves: #1361545 ipa-client-install starts rhel-domainname.service but does not rpm-require it
  - client: RPM require initscripts to get *-domainname.service
- Resolves: #1364197 caacl: error when instantiating rules with service principals
  - caacl: fix regression in rule instantiation
- Resolves: #1364310 ipa otptoken-add bytes object has no attribute confirm
  - parameters: move the `confirm` kwarg to Param
- Resolves: #1364464 Topology graph: ca and domain adders shows question marks instead of plus icon
  - Fix unicode characters in ca and domain adders
- Resolves: #1365083 Incomplete output returned for command ipa vault-add
  - client: add missing output params to client-side commands
- Resolves: #1365526 build fails during "make check"
  - ipa-kdb: Fix unit test after packaging changes in krb5

- Resolves: #1353829 traceback message seen in ipaserver-uninstall.log file.
  - Do not initialize API in ipa-client-automount uninstall
- Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin client changes
  - idrange: fix unassigned global variable
- Resolves: #1360792 Migrating users doesn't update krbCanonicalName
  - re-set canonical principal name on migrated users
- Resolves: #1362012 ipa hbactest produces error about cannot concatenate 'str' and 'bool' objects
  - Fix ipa hbactest output
- Resolves: #1362260 ipa vault-mod no longer allows defining salt
  - vault: add missing salt option to vault_mod
- Resolves: #1362312 ipa vault-retrieve internal error when using the wrong public key
  - vault: Catch correct exception in decrypt
- Resolves: #1362537 ipa-server-install fails to create symlink from /etc/ipa/kdcproxy/ to /etc/httpd/conf.d/
  - Correct path to HTTPD's systemd service directory
- Resolves: #1363756 Increase length of passwords generated by installer
  - Increase default length of auto generated passwords

- Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos aliases)
  - harden the check for trust namespace overlap in new principals
- Resolves: #1351142 CLI is not using session cookies for communication with IPA API
  - Fix session cookies
- Resolves: #1353888 Fix the help for ipa otp and other topics
  - help: Add dnsserver commands to help topic 'dns'
- Resolves: #1354406 host-del updatedns options complains about missing ptr record for host
  - Host-del: fix behavior of --updatedns and PTR records
- Resolves: #1355718 ipa-replica-manage man page example output differs actual command output
  - Minor fix in ipa-replica-manage MAN page
- Resolves: #1358229 Traceback message should be fixed, seen while editing winsync migrated user information in Default trust view.
  - baseldap: Fix MidairCollision instantiation during entry modification
- Resolves: #1358849 CA replica install logs to wrong log file
  - unite log file name of ipa-ca-install
- Resolves: #1359130 ipa-server-install command fails to install IPA server.
  - DNS Locations: fix update-system-records unpacking error
- Resolves: #1359237 AVC on dirsrv config caused by IPA installer
  - Use copy when replacing files to keep SELinux context
- Resolves: #1359692 ipa-client-install join fail with traceback against RHEL-6.8 ipa-server
  - compat: fix ping call
- Resolves: #1359738 ipa-replica-install --domain= option does not work
  - replica-install: Fix --domain
- Resolves: #1360778 Vault commands are available in CLI even when the server does not support them
  - Revert "Enable vault-* commands on client"
  - client: fix hiding of commands which lack server support
- Related: #1281704 Rebase to softhsm 2.1.0
  - Remove the workaround for softhsm bug #1293340
- Related: #1298288 [RFE] Improve performance in large environments.
  - Create indexes for krbCanonicalName attribute

- Resolves: #1296140 Remove redhat-access-plugin-ipa support
  - Obsolete and conflict redhat-access-plugin-ipa
- Resolves: #1351119 Multiple issues while uninstalling ipa-server
  - server uninstall fails to remove krb principals
- Resolves: #1351758 ipa commands not showing expected error messages
  - frontend: copy command arguments to output params on client
  - Show full error message for selinuxusermap-add-hostgroup
- Resolves: #1352883 Traceback on adding default automember group and hostgroup set
  - allow 'value' output param in commands without primary key
- Resolves: #1353888 Fix the help for ipa otp and other topics
  - schema: Fix subtopic -> topic mapping
- Resolves: #1354348 ipa trustconfig-show throws internal error.
  - allow 'value' output param in commands without primary key
- Resolves: #1354381 ipa trust-add with raw option gives internal error.
  - trust-add: handle `--all/--raw` options properly
- Resolves: #1354493 Replica install fails with old IPA master
  - DNS install: Ensure that DNS servers container exists
- Resolves: #1354628 ipa hostgroup-add-member does not return error message when adding itself as member
  - frontend: copy command arguments to output params on client
- Resolves: #1355856 ipa otptoken-add --type=totp gives internal error
  - messages: specify message type for ResultFormattingError
- Resolves: #1356063 "ipa radiusproxy-add" command needs to prompt to enter secret key
  - expose `--secret` option in radiusproxy-* commands
  - prevent search for RADIUS proxy servers by secret
- Resolves: #1356099 Bug in the ipapwd plugin
  - Heap corruption in ipapwd plugin
- Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin client changes
  - Use server API in com.redhat.idm.trust-fetch-domains oddjob helper
- Resolves: #1356964 Renaming a user removes all of his principal aliases
  - Preserve user principal aliases during rename operation

- Resolves: #1274524 [RFE] Qualify up to 60 IdM replicas
- Resolves: #1320838 [RFE] Support IdM Client in a DNS domain controlled by AD
- Related: #1356134 'kinit -E' does not work for IPA user

- Resolves: #1356102 Server uninstall does not stop tracking lightweight sub-CA with certmonger
  - uninstall: untrack lightweight CA certs
- Resolves: #1351807 ipa-nis-manage config.get_dn missing
  - ipa-nis-manage: Use server API to retrieve plugin status
- Resolves: #1353452 ipa-compat-manage command failed, exception: NotImplementedError: config.get_dn()
  - ipa-compat-manage: use server API to retrieve plugin status
- Resolves: #1353899 ipa-advise: object of type 'type' has no len()
  - ipa-advise: correct handling of plugin namespace iteration
- Resolves: #1356134 'kinit -E' does not work for IPA user
  - kdb: check for local realm in enterprise principals
- Resolves: #1353072 ipa unknown command vault-add
  - Enable vault-* commands on client
  - vault-add: set the default vault type on the client side if none was given
- Resolves: #1353995 Default CA can be used without a CA ACL
  - caacl: expand plugin documentation
- Resolves: #1356144 host-find should not print SSH keys by default, only SSH fingerprints
  - host-find: do not show SSH key by default
- Resolves: #1353506 ipa migrate-ds command fails for IPA in RHEL 7.3
  - Removed unused method parameter from migrate-ds

- Resolves: #747612 [RFE] IPA should support and manage DNS sites
- Resolves: #826790 Disabling password expiration (--maxlife=0 and --minlife=0) in the default global_policy in IPA sets user's password expiration (krbPasswordExpiration) to be 90 days
- Resolves: #896699 ipa-replica-manage -H does not delete DNS SRV records
- Resolves: #1084018 [RFE] Add IdM user password change support for legacy client compat tree
- Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos aliases)
  - Fix incorrect check for principal type when evaluating CA ACLs
- Resolves: #1146860 [RFE] Offer OTP generation for host enrollment in the UI
- Resolves: #1238190 ipasam unable to lookup group in directory yet manual search works
- Resolves: #1250110 search by users which don't have read rights for all attrs in search_attributes fails
- Resolves: #1263764 Show Certificate displays in useless format
- Resolves: #1272491 [WebUI] Certificate action dropdown does not display all the options after adding new certificate
- Resolves: #1292141 Rebase to FreeIPA 4.4+
  - Rebase to 4.4.0
- Resolves: #1294503 IPA fails to issue 3rd party certs
- Resolves: #1298242 [RFE] API compatibility - compatibility of clients
- Resolves: #1298848 [RFE] Centralized topology management
- Resolves: #1298966 [RFE] Extend Smart Card support
- Resolves: #1315146 Multiple clients cannot join domain simultaneously: /var/run/httpd/ipa/clientcaches race condition?
- Resolves: #1318903 ipa server install failing when SUBCA signs the cert
- Resolves: #1319003 ipa-winsync-migrate: Traceback should be fixed with proper console output
- Resolves: #1324055 IPA always qualify requests for admin
- Resolves: #1328552 [RFE] Allow users to authenticate with alternative names
- Resolves: #1334582 Inconsistent UI and CLI options for removing certificate hold
- Resolves: #1346321 Exclude o=ipaca subtree from Retro Changelog (syncrepl)
- Resolves: #1349281 Fix `Conflicts` with ipa-python
- Resolves: #1350695 execution of copy-schema script fails
- Resolves: #1351118 upgrade failed for RHEL-7.3 from RHEL-7.2.z
- Resolves: #1351153 AVC seen on Replica during ipa-server upgrade test execution to 7.3
- Resolves: #1351276 ipa-server-install with dns cannot resolve itself to create ipa-ca entry
- Related: #1343422 [RFE] Add GssapiImpersonate option

- Resolves: #1348948 IPA server install fails with build ipa-server-4.4.0-0.el7.1.alpha1
  - Revert "Increased mod_wsgi socket-timeout"

- Resolves: #712109 "krbExtraData not allowed" is logged in DS error log while setting password for default sudo binddn.
- Resolves: #747612 [RFE] IPA should support and manage DNS sites
- Resolves: #768316 [RFE] ipa-getkeytab should auto-detect the ipa server name
- Resolves: #825391 [RFE] Replica installation should provide a means for inheriting nssldap security access settings
- Resolves: #921497 Incorrect *.py[co] files placement
- Resolves: #1029640 RHEL7 IPA to add DNA Plugin config for dnaRemote support
- Resolves: #1029905 389 DS cache sizes not replicated to IPA replicas
- Resolves: #1196958 IPA replica installation failing with high number of users (160000).
- Resolves: #1219402 IPA suggests to uninstall a client when the user needs to uninstall a replica
- Resolves: #1224057 [RFE] TGS authorization decisions in KDC based on Authentication Indicator
- Resolves: #1234222 [WebUI] UI error message is not appropriate for "Kerberos principal expiration"
- Resolves: #1234223 [WebUI] General invalid password error message appearing for "Locked user"
- Resolves: #1254267 ipa-server-install failure applying ldap updates with limits exceeded
- Resolves: #1258626 realmdomains-mod --add-domain command throwing error when domain already is in forwardzone.
- Resolves: #1259020 ipa-server-adtrust-install doesn't allow NetBIOS-name=EXAMPLE-TEST.COM (dash character)
- Resolves: #1260993 DNSSEC signing enablement on dnszone should throw error message when DNSSEC master not installed
- Resolves: #1262747 dnssec options missing in ipa-dns-install man page
- Resolves: #1265900 Fail installation immediately after dirsrv fails to install using ipa-server-install
- Resolves: #1265915 idoverrideuser-find fails if any SID anchor is not resolvable anymore
- Resolves: #1268027 ipa-dnskeysync-replica crash with backtrace - LimitsExceeded: limits exceeded for this query
- Resolves: #1269089 Certificate of managed-by host/service fails to resubmit
- Resolves: #1269200 ipa-server crashing while trying to preserve admin user
- Resolves: #1271321 Reduce ioblocktimeout and idletimeout defaults
- Resolves: #1271579 Automember rule expressions disappear from tables on single expression delete
- Resolves: #1275816 Incomplete ports for IPA ad-trust
- Resolves: #1276351 [RFE] Remove /usr/share/ipa/updates/50-lockout-policy.update file from IPA releases
- Resolves: #1277109 Add tool tips for Revert, Refresh, Undo, and Undo All in the IPA UI
- Resolves: #1278426 Better error message needed for invalid ca-signing-algo option
- Resolves: #1279932 ipa-client-install --request-cert needs workaround in anaconda chroot
- Resolves: #1282521 Creating a user w/o private group fails when doing so in WebUI
- Resolves: #1283879 ipa-winsync-migrate: Traceback message should be replaced by "IPA is not configured on this system"
- Resolves: #1285071 ipa-kra-install fails on replica looking for admin cert file
- Resolves: #1287194 [RFE] Support of UPN for trusted domains
- Resolves: #1288967 Normalize Manager entry in ipa user-add
- Resolves: #1289487 Priority field missing in Password Policy detail tab
- Resolves: #1291140 ipa client should configure kpasswd_server directive in krb5.conf
- Resolves: #1292141 Rebase to FreeIPA 4.4+
  - Rebase to 4.4.0.alpha1
- Resolves: #1298848 [RFE] Centralized topology management
- Resolves: #1300576 Browser setup page includes instructions for Internet Explorer
- Resolves: #1301586 ipa host-del --updatedns should remove related dns entries.
- Resolves: #1304618 Residual Files After IPA Server Uninstall
- Resolves: #1305144 ipa-python does not require its dependencies
- Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6
- Resolves: #1313798 Console output post ipa-winsync-migrate command should be corrected.
- Resolves: #1314786 [RFE] External Trust with Active Directory domain
- Resolves: #1319023 Include description for 'status' option in man page for ipactl command.
- Resolves: #1319912 ipa-server-install does not completely change hostname and named-pkcs11 fails
- Resolves: #1320891 IPA Error 3009: Validation error: Invalid 'ptrrecord': Reverse zone in-addr.arpa. requires exactly 4 IP address components, 5 given
- Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on revocation reasons
- Resolves: #1328549 "ipa-kra-install" command reports incorrect message when it is executed on server already installed with KRA.
- Resolves: #1329209 ipa-nis-manage enable: change service name from 'portmap' to 'rpcbind'
- Resolves: #1329275 ipa-nis-manage command should include status option
- Resolves: #1330843 'man ipa' should be updated with latest commands
- Resolves: #1333755 ipa cert-request causes internal server error while requesting certificate
- Resolves: #1337484 EOF is not handled for ipa-client-install command
- Resolves: #1338031 Insufficient 'write' privilege on some attributes for the members of the role which has "User Administrators" privilege.
- Resolves: #1343142 IPA DNS should do better verification of DNS zones
- Resolves: #1347928 Frontpage exposes runtime error with no cookies enabled in browser

- Resolves: #1339483 ipa-server-install fails with ERROR pkinit_cert_files
  - Fix incorrect rebase of patch 1001

- Resolves: #1339233 CA installed on replica is always marked as renewal master
- Related: #1292141 Rebase to FreeIPA 4.4+
  - Rebase to 4.3.1.201605241723GIT1b427d3

- Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install because of missing dependencies
  - Rebuild with krb5-1.14.1

- Resolves: #837369 [RFE] Switch to client promotion to replica model
- Resolves: #1199516 [RFE] Move replication topology to the shared tree
- Resolves: #1206588 [RFE] Visualize FreeIPA server replication topology
- Resolves: #1211602 Hide ipa-server-install KDC master password option (-P)
- Resolves: #1212713 ipa-csreplica-manage: it could be nice to have also list-ruv / clean-ruv / abort-clean-ruv for o=ipaca backend
- Resolves: #1267206 ipa-server-install uninstall should warn if no installation found
- Resolves: #1295865 The Domain option is not correctly set in idmapd.conf when ipa-client-automount is executed.
- Resolves: #1327092 URI details missing and OCSP-URI details are incorrectly displayed when certificate generated using IPA on RHEL 7.2up2.
- Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install because of missing dependencies
- Related: #1292141 Rebase to FreeIPA 4.4+
  - Rebase to 4.3.1.201605191449GITf8edf37

- Resolves: #1277696 IPA certificate auto renewal fail with "Invalid Credential"
  - cert renewal: make renewal of ipaCert atomic
- Resolves: #1278330 installer options are not validated at the beginning of installation
  - install: fix command line option validation
- Resolves: #1282845 sshd_config change on ipa-client-install can prevent sshd from starting up
  - client install: do not corrupt OpenSSH config with Match sections
- Resolves: #1282935 ipa upgrade causes vault internal error
  - install: export KRA agent PEM file in ipa-kra-install
- Resolves: #1283429 Default CA ACL rule is not created during ipa-replica-install
  - TLS and Dogtag HTTPS request logging improvements
  - Avoid race condition caused by profile delete and recreate
  - Do not erroneously reinit NSS in Dogtag interface
  - Add profiles and default CA ACL on migration
  - disconnect ldap2 backend after adding default CA ACL profiles
  - do not disconnect when using existing connection to check default CA ACLs
- Resolves: #1283430 ipa-kra-install: fails to apply updates
  - suppress errors arising from adding existing LDAP entries during KRA install
- Resolves: #1283748 Caching of ipaconfig does not work in framework
  - fix caching in get_ipa_config
- Resolves: #1283943 IPA DNS Zone/DNS Forward Zone details missing after upgrade from RHEL 7.0 to RHEL 7.2
  - upgrade: fix migration of old dns forward zones
  - Fix upgrade of forwardzones when zone is in realmdomains
- Resolves: #1284413 ipa-cacert-manage renew fails on nonexistent ldap connection
  - ipa-cacert-renew: Fix connection to ldap.
- Resolves: #1284414 ipa-otptoken-import fails on nonexistent ldap connection
  - ipa-otptoken-import: Fix connection to ldap.
- Resolves: #1286635 IPA server upgrade fails from RHEL 7.0 to RHEL 7.2 using "yum update ipa* sssd"
  - Set minimal required version for openssl
- Resolves: #1286781 ipa-nis-manage does not update ldap with all NIS maps
  - Upgrade: Fix upgrade of NIS Server configuration
- Resolves: #1289311 umask setting causes named-pkcs11 issue with directory permissions on /var/lib/ipa/dnssec
  - DNS: fix file permissions
  - Explicitly call chmod on newly created directories
  - Fix: replace mkdir with chmod
- Resolves: #1290142 Broken 7.2.0 to 7.2.z upgrade - flawed version comparison
  - Fix version comparison
  - use FFI call to rpmvercmp function for version comparison
- Resolves: #1292595 In IPA-AD trust environment some secondary IPA based Posix groups are missing
  - ipa-kdb: map_groups() consider all results
- Resolves: #1293870 User should be notified for wrong password in password reset page
  - Fixed login error message box in LoginScreen page
- Resolves: #1296196 Sysrestore did not restore state if a key is specified in mixed case
  - Allow to use mixed case for sysrestore
- Resolves: #1296214 DNSSEC key purging is not handled properly
  - DNSSEC: Improve error reporting from ipa-ods-exporter
  - DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP
  - DNSSEC: Make sure that current key state in LDAP matches key state in BIND
  - DNSSEC: remove obsolete TODO note
  - DNSSEC: add debug mode to ldapkeydb.py
  - DNSSEC: logging improvements in ipa-ods-exporter
  - DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP
  - DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP
  - DNSSEC: ipa-ods-exporter: add ldap-cleanup command
  - DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal
  - DNSSEC: Log debug messages at log level DEBUG
- Resolves: #1296216 ipa-server-upgrade fails if certmonger is not running
  - prevent crash of CA-less server upgrade due to absent certmonger
  - always start certmonger during IPA server configuration upgrade
- Resolves: #1297811 The ipa -e skip_version_check=1 still issues incompatibility error when called against RHEL 6 server
  - ipalib: assume version 2.0 when skip_version_check is enabled
- Resolves: #1298289 install fails when locale is "fr_FR.UTF-8"
  - Do not decode HTTP reason phrase from Dogtag
- Resolves: #1300252 shared certificateProfiles container is missing on a freshly installed RHEL7.2 system
  - upgrade: unconditional import of certificate profiles into LDAP
- Resolves: #1301674 --setup-dns and other options is forgotten for using an external PKI
  - installer: Propagate option values from components instead of copying them.
  - installer: Fix logic of reading option values from cache.
- Resolves: #1301687 issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup
  - ipa-ca-install: print more specific errors when CA is already installed
  - cert renewal: import all external CA certs on IPA CA cert renewal
  - CA install: explicitly set dogtag_version to 10
  - fix standalone installation of externally signed CA on IPA master
  - replica install: validate DS and HTTP server certificates
  - replica install: improvements in the handling of CA-related IPA config entries
- Resolves: #1301901 [RFE] compat tree: show AD members of IPA groups
  - slapi-nis: update configuration to allow external members of IPA groups
- Resolves: #1305533 ipa trust-add succeeded but after that ipa trust-find returns "0 trusts matched"
  - upgrade: fix config of sidgen and extdom plugins
  - trusts: use ipaNTTrustPartner attribute to detect trust entries
  - Warn user if trust is broken
  - fix upgrade: wait for proper DS socket after DS restart
  - Insure the admin_conn is disconnected on stop
  - Fix connections to DS during installation
  - Fix broken trust warnings
- Resolves: #1321092 Installers fail when there are multiple versions of the same certificate
  - certdb: never use the -r option of certutil
- Related: #1317381 Crash during IPA upgrade due to slapd
  - spec file: update minimum required version of slapi-nis
- Related: #1322691 CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2113 CVE-2016-2114 CVE-2016-2115 CVE-2016-2118 samba: various flaws [rhel-7.3]
  - Rebuild against newer Samba version

- Resolves: #1252556 Missing CLI param and ACL for vault service operations
  - vault: fix private service vault creation

- Resolves: #1262996 ipa vault internal error on replica without KRA
  - upgrade: make sure ldap2 is connected in export_kra_agent_pem
- Resolves: #1270608 IPA upgrade fails for server with CA cert signed by external CA
  - schema: do not derive ipaVaultPublicKey from ipaPublicKey

- Resolves: #1217009 OTP sync in UI does not work for TOTP tokens
  - Fix an integer underflow bug in libotp
- Resolves: #1262996 ipa vault internal error on replica without KRA
  - install: always export KRA agent PEM file
  - vault: select a server with KRA for vault operations
- Resolves: #1269777 IPA restore overwrites /etc/passwd and /etc/group files
  - do not overwrite files with local users/groups when restoring authconfig
- Renamed patch 1011 to 0138, as it was merged upstream

- Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to Trusts
  - winsync-migrate: Convert entity names to posix friendly strings
  - winsync-migrate: Properly handle collisions in the names of external groups
- Resolves: #1261074 Adjust Firefox configuration to new extension signing policy
  - webui: use manual Firefox configuration for Firefox >= 40
- Resolves: #1263337 IPA Restore failed with installed KRA
  - ipa-backup: Add mechanism to store empty directory structure
- Resolves: #1264793 CVE-2015-5284 ipa: ipa-kra-install includes certificate and private key in world readable file [rhel-7.2]
  - install: fix KRA agent PEM file permissions
- Resolves: #1265086 Mark IdM API Browser as experimental
  - WebUI: add API browser is experimental warning
- Resolves: #1265277 Fix kdcproxy user creation
  - install: create kdcproxy user during server install
  - platform: add option to create home directory when adding user
  - install: fix kdcproxy user home directory
- Resolves: #1265559 GSS failure after ipa-restore
  - destroy httpd ccache after stopping the service

- Resolves: #1258965 ipa vault: set owner of vault container
  - baseldap: make subtree deletion optional in LDAPDelete
  - vault: add vault container commands
  - vault: set owner to current user on container creation
  - vault: update access control
  - vault: add permissions and administrator privilege
  - install: support KRA update
- Resolves: #1261586 ipa config-mod addattr fails for ipauserobjectclasses
  - config: allow user/host attributes with tagging options
- Resolves: #1262315 Unable to establish winsync replication
  - winsync: Add inetUser objectclass to the passsync sysaccount

- Resolves: #1260663 crash of ipa-dnskeysync-replica component during ipa-restore
  - IPA Restore: allows to specify files that should be removed
- Resolves: #1261806 Installing ipa-server package breaks httpd
  - Handle timeout error in ipa-httpd-kdcproxy
- Resolves: #1262322 Failed to backup CS.cfg message in upgrade.
- Server Upgrade: backup CS.cfg when dogtag is turned off

- Resolves: #1257074 The KRA agent cert is stored in a PEM file that is not tracked
- cert renewal: Include KRA users in Dogtag LDAP update
- cert renewal: Automatically update KRA agent PEM file
- Resolves: #1257163 renaming certificate profile with --rename option leads to integrity issues
- certprofile: remove 'rename' option
- Resolves: #1257968 kinit stop working after ipa-restore
- Backup: back up the hosts file
- Resolves: #1258926 Remove 'DNSSEC is experimental' warnings
- DNSSEC: remove "DNSSEC is experimental" warnings
- Resolves: #1258929 Uninstallation of IPA leaves extra entry in /etc/hosts
- Installer: do not modify /etc/hosts before user agreement
- Resolves: #1258944 DNSSEC daemons may deadlock when processing more than 1 zone
- DNSSEC: backup and restore opendnssec zone list file
- DNSSEC: remove ccache and keytab of ipa-ods-exporter
- DNSSEC: prevent ipa-ods-exporter from looping after service auto-restart
- DNSSEC: Fix deadlock in ipa-ods-exporter <-> ods-enforcerd interaction
- DNSSEC: Fix HSM synchronization in ipa-dnskeysyncd when running on DNSSEC key master
- DNSSEC: Fix key metadata export
- DNSSEC: Wrap master key using RSA OAEP instead of old PKCS v1.5.
- Resolves: #1258964 revert to use ldapi to add kra agent in KRA install
- Using LDAPI to setup CA and KRA agents.
- Resolves: #1259848 server closes connection and refuses commands after deleting user that is still logged in
- ldap: Make ldap2 connection management thread-safe again
- Resolves: #1259996 AttributeError: 'NameSpace' object has no attribute 'ra_certprofile' while ipa-ca-install
- load RA backend plugins during standalone CA install on CA-less IPA master

- Resolves: #1254689 Storing big file as a secret in vault raises traceback
- vault: Limit size of data stored in vault
- Resolves: #1255880 ipactl status should distinguish between different pki-tomcat services
- ipactl: Do not start/stop/restart single service multiple times

- Resolves: #1256840 [webui] majority of required fields is no longer marked as required
- fix missing information in object metadata
- Resolves: #1256842 [webui] no option to choose trust type when creating a trust
- webui: add option to establish bidirectional trust
- Resolves: #1256853 Clear text passwords in KRA install log
- Removed clear text passwords from KRA install log.
- Resolves: #1257072 The "Standard Vault" MUST not be the default and must be discouraged
- vault: change default vault type to symmetric
- Resolves: #1257163 renaming certificate profile with --rename option leads to integrity issues
- certprofile: prevent rename (modrdn)

- Resolves: #1249226 IPA dnssec-validation not working for AD dnsforwardzone
- DNSSEC: fix forward zone forwarders checks
- Resolves: #1250190 idrange is not added for sub domain
- trusts: format Kerberos principal properly when fetching trust topology
- Resolves: #1252334 User life cycle: missing ability to provision a stage user from a preserved user
- Add user-stage command
- Resolves: #1252863 After applying RHBA-2015-1554 errata, IPA service fails to start.
- spec file: Add Requires(post) on selinux-policy
- Resolves: #1254304 Changing vault encryption attributes
- Change internal rsa_(public|private)_key variable names
- Added support for changing vault encryption.
- Resolves: #1256715 Executing user-del --preserve twice removes the user permanently
- improve the usability of `ipa user-del --preserve` command

- Resolves: #1199530 [RFE] Provide user lifecycle management capabilities
- user-undel: Fix error messages.
- Resolves: #1200694 [RFE] Support for multiple cert profiles
- Prohibit deletion of predefined profiles
- Resolves: #1232819 testing ipa-restore on fresh system install fails
- Backup/restore authentication control configuration
- Resolves: #1243331 pkispawn fails when migrating to 4.2 server from 3.0 server
- Require Dogtag PKI >= 10.2.6
- Resolves: #1245225 Asymmetric vault drops traceback when the key is not proper
- Asymmetric vault: validate public key in client
- Resolves: #1248399 Missing DNSSEC related files in backup
- fix typo in BasePathNamespace member pointing to ods exporter config
- ipa-backup: archive DNSSEC zone file and kasp.db
- Resolves: #1248405 PassSync should be disabled after ipa-winsync-migrate is finished
- winsync-migrate: Add warning about passsync
- winsync-migrate: Expand the man page
- Resolves: #1248524 User can't find any hosts using "ipa host-find $HOSTNAME"
- adjust search so that it works for non-admin users
- Resolves: #1250093 ipa certprofile-import accepts invalid config
- Require Dogtag PKI >= 10.2.6
- Resolves: #1250107 IPA framework should not allow modifying trust on AD trust agents
- trusts: Detect missing Samba instance
- Resolves: #1250111 User lifecycle - preserved users can be assigned membership
- ULC: Prevent preserved users from being assigned membership
- Resolves: #1250145 Add permission for user to bypass caacl enforcement
- Add permission for bypassing CA ACL enforcement
- Resolves: #1250190 idrange is not added for sub domain
- idranges: raise an error when local IPA ID range is being modified
- trusts: harden trust-fetch-domains oddjobd-based script
- Resolves: #1250928 Man page for ipa-server-install is out of sync
- install: Fix server and replica install options
- Resolves: #1251225 IPA default CAACL does not allow cert-request for services after upgrade
- Fix default CA ACL added during upgrade
- Resolves: #1251561 ipa vault-add Unknown option: ipavaultpublickey
- validate mutually exclusive options in vault-add
- Resolves: #1251579 ipa vault-add --user should set container owner equal to user on first run
- Fixed vault container ownership.
- Resolves: #1252517 cert-request rejects request with correct krb5PrincipalName SAN
- Fix KRB5PrincipalName / UPN SAN comparison
- Resolves: #1252555 ipa vault-find doesn't work for services
- vault: Add container information to vault command results
- Add flag to list all service and user vaults
- Resolves: #1252556 Missing CLI param and ACL for vault service operations
- Added CLI param and ACL for vault service operations.
- Resolves: #1252557 certprofile: improve profile format documentation
- certprofile-import: improve profile format documentation
- certprofile: add profile format explanation
- Resolves: #1253443 ipa vault-add creates vault with invalid type
- vault: validate vault type
- Resolves: #1253480 ipa vault-add-owner does not fail when adding an existing owner
- baseldap: Allow overriding member param label in LDAPModMember
- vault: Fix param labels in output of vault owner commands
- Resolves: #1253511 ipa vault-find does not use criteria
- vault: Fix vault-find with criteria
- Resolves: #1254038 ipa-replica-install pk12util error returns exit status 10
- install: Fix replica install with custom certificates
- Resolves: #1254262 ipa-dnskeysync-replica crash cannot contact kdc
- improve the handling of krb5-related errors in dnssec daemons
- Resolves: #1254412 when dirsrv is off ,upgrade from 7.1 to 7.2 fails with starting CA and named-pkcs11.service
- Server Upgrade: Start DS before CA is started.
- Resolves: #1254637 Add ACI and permission for managing user userCertificate attribute
- add permission: System: Manage User Certificates
- Resolves: #1254641 Remove CSR allowed-extensions restriction
- cert-request: remove allowed extensions check
- Resolves: #1254693 vault --service does not normalize service principal
- vault: normalize service principal in service vault operations
- Resolves: #1254785 ipa-client-install does not properly handle dual stacked hosts
- client: Add support for multiple IP addresses during installation.
- Add dependency to SSSD 1.13.1
- client: Add description of --ip-address and --all-ip-addresses to man page

- Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to users in IdM
- store certificates issued for user entries as
- user-show: add --out option to save certificates to file
- Resolves: #1145748 [RFE] IPA running with One Way Trust
- Fix upgrade of sidgen and extdom plugins
- Resolves: #1195339 ipa-client-install changes the label on various files which causes SELinux denials
- Use 'mv -Z' in specfile to restore SELinux context
- Resolves: #1198796 Text in UI should describe differing LDAP vs Krb behavior for combinations of "User authentication types"
- webui: add LDAP vs Kerberos behavior description to user auth
- Resolves: #1199530 [RFE] Provide user lifecycle management capabilities
- ULC: Fix stageused-add --from-delete command
- Resolves: #1200694 [RFE] Support for multiple cert profiles
- certprofile-import: do not require profileId in profile data
- Give more info on virtual command access denial
- Allow SAN extension for cert-request self-service
- Add profile for DNP3 / IEC 62351-8 certificates
- Work around python-nss bug on unrecognised OIDs
- Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality
- Validate vault's file parameters
- Fixed missing KRA agent cert on replica.
- Resolves: #1225866 display browser config options that apply to the browser.
- webui: add Kerberos configuration instructions for Chrome
- Remove ico files from Makefile
- Resolves: #1246342 Unapply idview raises internal error
- idviews: Check for the Default Trust View only if applying the view
- Resolves: #1248102 [webui] regression - incorrect/no failed auth messages
- webui: fix regressions failed auth messages
- Resolves: #1248396 Internal error in DomainValidator.__search_in_dc
- dcerpc: Fix UnboundLocalError for ccache_name
- Resolves: #1249455 ipa trust-add failed CIFS server configuration does not allow access to \\pipe\lsarpc
- Fix selector of protocol for LSA RPC binding string
- dcerpc: Simplify generation of LSA-RPC binding strings
- Resolves: #1250192 Error in ipa trust-fecth-domains
- Fix incorrect type comparison in trust-fetch-domains
- Resolves: #1251553 Winsync setup fails with unexpected error
- replication: Fix incorrect exception invocation
- Resolves: #1251854 ipa aci plugin is not parsing aci's correctly.
- ACI plugin: correctly parse bind rules enclosed in
- Resolves: #1252414 Trust agent install does not detect available replicas to add to master
- adtrust-install: Correctly determine 4.2 FreeIPA servers

- Resolves: #1170770 [AD TRUST]IPA should detect inconsistent realm domains that conflicts with AD DC
- trusts: Check for AD root domain among our trusted domains
- Resolves: #1195339 ipa-client-install changes the label on various files which causes SELinux denials
- sysrestore: copy files instead of moving them to avoid SELinux issues
- Resolves: #1196656 [ipa-client][rhel71] enable debugging for spawned commands / ntpd -qgc $tmpfile hangs
- enable debugging of ntpd during client installation
- Resolves: #1205264 Migration UI Does Not Work When Anonymous Bind is Disabled
- migration: Use api.env variables.
- Resolves: #1212719 abort-clean-ruv subcommand should allow replica-certifyall: no
- Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommand
- Resolves: #1216935 ipa trust-add shows ipa: ERROR: an internal error has occurred
- dcerpc: Expand explanation for WERR_ACCESS_DENIED
- dcerpc: Fix UnboundLocalError for ccache_name
- Resolves: #1222778 idoverride group-del can delete user and user-del can delete group
- dcerpc: Add get_trusted_domain_object_type method
- idviews: Restrict anchor to name and name to anchor conversions
- idviews: Enforce objectclass check in idoverride*-del
- Resolves: #1234919 Be able to request certificates without certmonger service running
- cermonger: Use private unix socket when DBus SystemBus is not available.
- ipa-client-install: Do not (re)start certmonger and DBus daemons.
- Resolves: #1240939 Please add dependency on bind-pkcs11
- Create server-dns sub-package.
- ipaplatform: Add constants submodule
- DNS: check if DNS package is installed
- Resolves: #1242914 Bump minimal selinux-policy and add booleans to allow calling out oddjobd-activated services
- selinux: enable httpd_run_ipa to allow communicating with oddjobd services
- Resolves: #1243261 non-admin users cannot search hbac rules
- fix hbac rule search for non-admin users
- fix selinuxusermap search for non-admin users
- Resolves: #1243652 Client has missing dependency on memcache
- do not import memcache on client
- Resolves: #1243835 [webui] user change password dialog does not work
- webui: fix user reset password dialog
- Resolves: #1244802 spec: selinux denial during kdcproxy user creation
- Fix selinux denial during kdcproxy user creation
- Resolves: #1246132 trust-fetch-domains: Do not chown keytab to the sssd user
- oddjob: avoid chown keytab to sssd if sssd user does not exist
- Resolves: #1246136 Adding a privilege to a permission avoids validation
- Validate adding privilege to a permission
- Resolves: #1246141 DNS Administrators cannot search in zones
- DNS: Consolidate DNS RR types in API and schema
- Resolves: #1246143 User plugin - user-find doesn't work properly with manager option
- fix broken search for users by their manager

- Resolves: #1131907 [ipa-client-install] cannot write certificate file '/etc/ipa/ca.crt.new': must be string or buffer, not None
- Resolves: #1195775 unsaved changes dialog internally inconsistent
- Resolves: #1199530 [RFE] Provide user lifecycle management capabilities
- Stageusedr-activate: show username instead of DN
- Resolves: #1200694 [RFE] Support for multiple cert profiles
- Prevent to rename certprofile profile id
- Resolves: #1222047 IPA to AD Trust: IPA ERROR 4016: Remote Retrieve Error
- Resolves: #1224769 copy-schema-to-ca.py does not overwrites schema files
- copy-schema-to-ca: allow to overwrite schema files
- Resolves: #1241941 kdc component installation of IPA failed
- spec file: Update minimum required version of krb5
- Resolves: #1242036 Replica install fails to update DNS records
- Fix DNS records installation for replicas
- Resolves: #1242884 Upgrade to 4.2.0 fails when enabling kdc proxy
- Start dirsrv for kdcproxy upgrade

- Resolves: #846033 [RFE] Documentation for JSONRPC IPA API
- Resolves: #989091 Ability to manage IdM/IPA directly from a standard LDAP client
- Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to users in IdM
- Resolves: #1115294 [RFE] Add support for DNSSEC
- Resolves: #1145748 [RFE] IPA running with One Way Trust
- Resolves: #1199520 [RFE] Introduce single upgrade tool - ipa-server-upgrade
- Resolves: #1199530 [RFE] Provide user lifecycle management capabilities
- Resolves: #1200694 [RFE] Support for multiple cert profiles
- Resolves: #1200728 [RFE] Replicate PKI Profile information
- Resolves: #1200735 [RFE] Allow issuing certificates for user accounts
- Resolves: #1204054 SSSD database is not cleared between installs and uninstalls of ipa
- Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to Trusts
- Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality
- Resolves: #1204504 [RFE] Add access control so hosts can create their own services
- Resolves: #1206534 [RFE] Offer Kerberos over HTTP (kdcproxy) by default
- Resolves: #1206613 [RFE] Configure IPA to be a trust agent by default
- Resolves: #1209476 package ipa-client does not require package dbus-python
- Resolves: #1211589 [RFE] Add option to skip the verify_client_version
- Resolves: #1211608 [RFE] Generic support for unknown DNS RR types (RFC 3597)
- Resolves: #1215735 ipa-replica-prepare automatically adds a DNS zone
- Resolves: #1217010 OTP Manager field is not exposed in the UI
- Resolves: #1222475 krb5kdc : segfault at 0 ip 00007fa9f64d82bb sp 00007fffd68b2340 error 6 in libc-2.17.so
- Related: #1204809 Rebase ipa to 4.2
- Update to upstream 4.2.0
- Move /etc/ipa/kdcproxy to the server subpackage

- Resolves: #1228671 pkispawn fails in ipa-ca-install and ipa-kra-install
- Related: #1204809 Rebase ipa to 4.2
- Fix minimum version of slapi-nis
- Require python-sss and python-sss-murmur (provided by sssd-1.13.0)

- Resolves: #805188 [RFE] "ipa migrate-ds" ldapsearches with scope=1
- Resolves: #1019272 With 20000+ users, adding a user to a group intermittently throws Internal server error
- Resolves: #1035494 Unable to add Kerberos principal via kadmin.local
- Resolves: #1045153 ipa-managed-entries --list -p still requires DM password
- Resolves: #1125950 ipa-server-install --uinstall doesn't remove port 7389 from ldap_port_t
- Resolves: #1132540 [RFE] Expose service delegation rules in UI and CLI
- Resolves: #1145584 ipaserver/install/cainstance.py creates pkiuser not matching uidgid
- Resolves: #1176036 IDM client registration failure in a high load environment
- Resolves: #1183116 Remove Requires: subscription-manager
- Resolves: #1186054 permission-add does not prompt to enter --right option in interactive mode
- Resolves: #1187524 Replication agreement with replica not disabled when ipa-restore done without IPA installed
- Resolves: #1188195 Fax number not displayed for user-show when kinit'ed as normal user.
- Resolves: #1189034 "an internal error has occurred" during ipa host-del --updatedns
- Resolves: #1193554 ipa-client-automount: failing with error LDAP server returned UNWILLING_TO_PERFORM. This likely means that minssf is enabled.
- Resolves: #1193759 IPA extdom plugin fails when encountering large groups
- Resolves: #1194312 [ipa-python] ipalib.errors.LDAPError: failed to decode certificate: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments.
- Resolves: #1194633 Default trust view can be deleted in lower case
- Resolves: #1196455 ipa-server-install step [8/27]: starting certificate server instance - confusing CA status message on TLS error
- Resolves: #1198263 Limit deadlocks between DS plugin DNA and slapi-nis
- Resolves: #1199527 [RFE] Use datepicker component for datetime fields
- Resolves: #1200867 [RFE] Make OTP validation window configurable
- Resolves: #1200883 [RFE] Switch apache to use mod_auth_gssapi
- Resolves: #1202998 CVE-2015-1827 ipa: memory corruption when using get_user_grouplist() [rhel-7.2]
- Resolves: #1204637 slow group operations
- Resolves: #1204642 migrate-ds: slow add o users to default group
- Resolves: #1208461 IPA CA master server update stuck on checking getStatus via https
- Resolves: #1211602 Hide ipa-server-install KDC master password option (-P)
- Resolves: #1211708 ipa-client-install gets stuck during NTP sync
- Resolves: #1215197 ipa-client-install ignores --ntp-server option during time sync
- Resolves: #1215200 ipa-client-install configures IPA server as NTP source even if IPA server has not ntpd configured
- Resolves: #1217009 OTP sync in UI does not work for TOTP tokens
- Related: #1204809 Rebase ipa to 4.2
- Update to upstream 4.2.0.alpha1

- [ipa-python] ipalib.errors.LDAPError: failed to decode certificate: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. (#1194312)

- IPA extdom plugin fails when encountering large groups (#1193759)
- CVE-2015-0283 ipa: slapi-nis: infinite loop in getgrnam_r() and getgrgid_r() (#1202998)

- "an internal error has occurred" during ipa host-del --updatedns (#1198431)
- Renamed patch 1013 to 0114, as it was merged upstream
- Fax number not displayed for user-show when kinit'ed as normal user. (#1198430)
- Replication agreement with replica not disabled when ipa-restore done without IPA installed (#1199060)
- Limit deadlocks between DS plugin DNA and slapi-nis (#1199128)

- Fix ipa-pwd-extop global configuration caching (#1187342)
- group-detach does not add correct objectclasses (#1187540)

- Wrong directories created on full restore (#1186398)
- ipa-restore crashes if replica is unreachable (#1186396)
- idoverrideuser-add option --sshpubkey does not work (#1185410)

- PassSync does not sync passwords due to missing ACIs (#1181093)
- ipa-replica-manage list does not list synced domain (#1181010)
- Do not assume certmonger is running in httpinstance (#1181767)
- ipa-replica-manage disconnect fails without password (#1183279)
- Put LDIF files to their original location in ipa-restore (#1175277)
- DUA profile not available anonymously (#1184149)
- IPA replica missing data after master upgraded (#1176995)

- Re-add accidentally removed patches for #1170695 and #1164896

- IPA Replicate creation fails with error "Update failed! Status: [10 Total update abortedLDAP error: Referral]" (#1166265)
- running ipa-server-install --setup-dns results in a crash (#1072502)
- DNS zones are not migrated into forward zones if 4.0+ replica is added (#1175384)
- gid is overridden by uid in default trust view (#1168904)
- When migrating warn user if compat is enabled (#1177133)
- Clean up debug log for trust-add (#1168376)
- No error message thrown on restore(full kind) on replica from full backup taken on master (#1175287)
- ipa-restore proceed even IPA not configured (#1175326)
- Data replication not working as expected after data restore from full backup (#1175277)
- IPA externally signed CA cert expiration warning missing from log (#1178128)
- ipa-upgradeconfig fails in CA-less installs (#1181767)
- IPA certs fail to autorenew simultaneously (#1173207)
- More validation required on ipa-restore's options (#1176034)

- Expand the token auth/sync windows (#919228)
- Access is not rejected for disabled domain (#1172598)
- krb5kdc crash in ldap_pvt_search (#1170695)
- RHEL7.1 IPA server httpd avc denials after upgrade (#1164896)

- RHEL7.1 ipa-cacert-manage renewed certificate from MS ADCS not compatible (#1169591)
- CLI doesn't show SSHFP records with SHA256 added via nsupdate (regression) (#1172578)

- Throw zonemgr error message before installation proceeds (#1163849)
- Winsync: Setup is broken due to incorrect import of certificate (#1169867)
- Enable last token deletion when password auth type is configured (#919228)
- ipa-otp-lasttoken loads all user's tokens on every mod/del (#1166641)
- add --hosts and --hostgroup options to allow/retrieve keytab methods (#1007367)
- Extend host-show to add the view attribute in set of default attributes (#1168916)
- Prefer TCP connections to UDP in krb5 clients (#919228)
- [WebUI] Not able to unprovisioning service in IPA 4.1 (#1168214)
- webui: increase notification duration (#1171089)
- RHEL7.1 ipa automatic CA cert renewal stuck in submitting state (#1166931)
- RHEL7.1 ipa-cacert-manage cannot change external to self-signed ca cert (#1170003)
- Improve validation of --instance and --backend options in ipa-restore (#951581)
- RHEL7.1 ipa replica unable to replicate to rhel6 master (#1167964)
- Disable TLS 1.2 in nss.conf until mod_nss supports it (#1156466)

- Use NSS protocol range API to set available TLS protocols (#1156466)

- schema update on RHEL-6.6 using latest copy-schema-to-ca.py from RHEL-7.1 build fails (#1167196)
- Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756)
- "ipa trust-add ... " cmd says : (Trust status: Established and verified) while in the logs we see "WERR_ACCESS_DENIED" during verification step. (#1144121)
- POODLE: force using safe ciphers (non-SSLv3) in IPA client and server (#1156466)
- Add support/hooks for a one-time password system like SecureID in IPA (#919228)
- Tracebacks with latest build for --zonemgr cli option (#1167270)
- ID Views: Support migration from the sync solution to the trust solution (#891984)

- Improve otptoken help messages (#919228)
- Ensure users exist when assigning tokens to them (#919228)
- Enable QR code display by default in otptoken-add (#919228)
- Show warning instead of error if CA did not start (#1158410)
- CVE-2014-7850 freeipa: XSS flaw can be used to escalate privileges (#1165774)
- Traceback when adding zone with long name (#1164859)
- Backup & Restore mechanism (#951581)
- ignoring user attributes in migrate-ds does not work if uppercase characters are returned by ldap (#1159816)
- Allow ipa-getkeytab to optionally fetch existing keys (#1007367)
- Failure when installing on dual stacked system with external ca (#1128380)
- ipa-server should keep backup of CS.cfg (#1059135)
- Tracebacks with latest build for --zonemgr cli option (#1167270)
- webui: use domain name instead of domain SID in idrange adder dialog (#891984)
- webui: normalize idview tab labels (#891984)

- ipa-csreplica-manage connect fails (#1157735)
- error message which is not understandable when IDNA2003 characters are present in --zonemgr (#1163849)
- Fix warning message should not contain CLI commands (#1114013)
- Renewing the CA signing certificate does not extend its validity period end (#1163498)
- RHEL7.1 ipa-server-install --uninstall Could not set SELinux booleans for httpd (#1159330)

- Fix: DNS installer adds invalid zonemgr email (#1056202)
- ipaplatform: Use the dirsrv service, not target (#951581)
- Fix: DNS policy upgrade raises assertion error (#1161128)
- Fix upgrade referint plugin (#1161128)
- Upgrade: fix trusts objectclass violation (#1161128)
- group-add doesn't accept gid parameter (#1149124)

- Update slapi-nis dependency to pull 0.54-2 (#891984)
- ipa-restore: Don't crash if AD trust is not installed (#951581)
- Prohibit setting --rid-base for ranges of ipa-trust-ad-posix type (#1138791)
- Trust setting not restored for CA cert with ipa-restore command (#1159011)
- ipa-server-install fails when restarting named (#1162340)

- Update Requires on pki-ca to 10.1.2-4 (#1129558)
- build: increase java stack size for all arches
- Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides (#891984)
- Fix dns zonemgr validation regression (#1056202)
- Handle profile changes in dogtag-ipa-ca-renew-agent (#886645)
- Do not wait for new CA certificate to appear in LDAP in ipa-certupdate (#886645)
- Add bind-dyndb-ldap working dir to IPA specfile
- Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage (#886645)
- Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756)
- Deadlock in schema compat plugin (#1161131)
- ipactl stop should stop dirsrv last (#1161129)
- Upgrade 3.3.5 to 4.1 failed (#1161128)
- CVE-2014-7828 freeipa: password not required when OTP in use (#1160877)

- Do not check if port 8443 is available in step 2 of external CA install (#1129481)

- Update Requires on selinux-policy to 3.13.1-4

- Update to upstream 4.1.0 (#1109726)

- Update to upstream 4.1.0 Alpha 1 (#1109726)

- Add redhat-access-plugin-ipa dependency

- Re-enable otptoken_yubikey plugin

- Update to upstream 4.0.3 (#1109726)

- Server installation fails using external signed certificates with "IndexError: list index out of range" (#1111320)
- Add rhino to BuildRequires to fix Web UI build error

- ipa-client-automount fails with incompatibility error when installed against older IPA server (#1083108)

- Proxy PKI URI /ca/ee/ca/profileSubmit to enable replication with future PKI versions (#1080865)

- When IdM server trusts multiple AD forests, IPA client returns invalid group membership info (#1079498)

- Deletion of active subdomain range should not be allowed (#1075615)

- PKI database is upgraded during replica installation (#1075118)

- Unable to add trust successfully with --trust-secret (#1075704)

- ipa-replica-install never checks for 7389 port (#1075165)
- Non-terminated string may be passed to LDAP search (#1075091)
- ipa-sam may fail to translate group SID into GID (#1073829)
- Excessive LDAP calls by ipa-sam during Samba FS operations (#1075132)

- Do not fetch a principal two times, remove potential memory leak (#1070924)

- trustdomain-find with pkey-only fails (#1068611)
- Invalid credential cache in trust-add (#1069182)
- ipa-replica-install prints unexpected error (#1069722)
- Too big font in input fields in details facet in Firefox (#1069720)
- trust-add for POSIX AD does not fetch trustdomains (#1070925)
- Misleading trust-add error message in some cases (#1070926)
- Access is not rejected for disabled domain (#1070924)

- Remove ipa-backup and ipa-restore functionality from RHEL (#1003933)

- Display server name in ipa command's verbose mode (#1061703)
- Remove sourcehostcategory from default HBAC rule (#1061187)
- dnszone-add cannot add classless PTR zones (#1058688)
- Move ipa-otpd socket directory to /var/run/krb5kdc (#1063850)

- Lockout plugin crashed during ipa-server-install (#912725)

- Fallback to global policy in ipa lockout plugin (#912725)
- Migration does not add users to default group (#903232)

- Mass rebuild 2014-01-24

- Fix NetBIOS name generation in CLDAP plugin (#1030517)

- Do not add krbPwdPolicyReference for new accounts, hardcode it (#1045218)
- Increase default timeout for IPA services (#1033273)
- Error while running trustdomain-find (#1054376)
- group-show lists SID instead of name for external groups (#1054391)
- Fix IPA server NetBIOS name in samba configuration (#1030517)
- dnsrecord-mod produces missing API version warning (#1054869)
- Hide trust-resolve command as internal (#1052860)
- Add Trust domain Web UI (#1054870)
- ipasam cannot delete multiple child trusted domains (#1056120)

- Missing objectclasses when empty password passed to host-add (#1052979)
- sudoOrder missing in sudoers (#1052983)
- Missing examples in sudorule help (#1049464)
- Client automount does not uninstall when fstore is empty (#910899)
- Error not clear for invalid realm given to trust-fetch-domains (#1052981)
- trust-fetch-domains does not add idrange for subdomains found (#1049926)
- Add option to show if an AD subdomain is enabled/disabled (#1052973)
- ipa-adtrust-install still failed with long NetBIOS names (#1030517)
- Error not clear for invalid realm given to trustdomain-find (#1049455)
- renewed client cert not recognized during IPA CA renewal (#1033273)

- hbactest does not work for external users (#848531)

- PKI service restart after CA renewal failed (#1040018)

- Move ipa-tests package to separate srpm (#1032668)

- Fix status trust-add command status message (#910453)
- NetBIOS was not trimmed at 15 characters (#1030517)
- Harden CA subsystem certificate renewal on CA clones (#1040018)

- Mass rebuild 2013-12-27

- Remove "Listen 443 http" hack from deployed nss.conf (#1029046)
- Re-adding existing trust fails (#1033216)
- IPA uninstall exits with a samba error (#1033075)
- Added RELRO hardening on /usr/libexec/ipa-otpd (#1026260)
- Fixed ownership of /usr/share/ipa/ui/js (#1026260)
- ipa-tests: support external names for hosts (#1032668)
- ipa-client-install fail due fail to obtain host TGT (#1029354)

- Trust add tries to add same value of --base-id for sub domain, causing an error (#1033068)
- Improved error reporting for adding trust case (#1029856)

- Winsync agreement cannot be created (#1023085)

- Installer did not detect different server and IPA domain (#1026845)
- Allow kernel keyring CCACHE when supported (#1026861)

- ipa-server-install crashes when AD subpackage is not installed (#1026434)

- Update to upstream 3.3.3 (#991064)

- Temporarily move ipa-backup and ipa-restore functionality back to make them available in public Beta (#1003933)

- Server install failure during client enrollment shouldn't roll back (#1023086)
- nsds5ReplicaStripAttrs are not set on agreements (#1023085)
- ipa-server conflicts with mod_ssl (#1018172)

- Reinstalling ipa server hangs when configuring certificate server (#1018804)

- Deprecate --serial-autoincrement option (#1016645)
- CA installation always failed on replica (#1005446)
- Re-initializing a winsync connection exited with error (#994980)

- Update to upstream 3.3.2 (#991064)
- Add delegation info to MS-PAC (#915799)
- Warn about incompatibility with AD when IPA realm and domain differs (#1009044)
- Allow PKCS#12 files with empty password in install tools (#1002639)
- Privilege "SELinux User Map Administrators" did not list permissions (#997085)
- SSH key upload broken when client joins an older server (#1009024)

- Remove dependency on python-paramiko (#1002884)
- Broken redirection when deleting last entry of DNS resource record (#1006360)

- Remove ipa-backup and ipa-restore functionality from RHEL (#1003933)

- Replica installation fails for RHEL 6.4 master (#1004680)
- Server uninstallation crashes if DS is not available (#998069)

- Unable to remove replica by ipa-replica-manage (#1001662)
- Before uninstalling a server, warn about active replicas (#998069)

- Update to upstream 3.3.1 (#991064)
- Update minimum version of bind-dyndb-ldap to 3.5

- Fix replica installation failing on certificate subject (#983075)

- Allow ipa-tests to work with older version (1.7.7) of python-paramiko

- Prevent multilib failures in *.pyo and *.pyc files

- ipa-server-install fails if --subject parameter is other than default realm (#983075)
- do not allow configuring bind-dyndb-ldap without persistent search (#967876)

- diffstat was missing as a build dependency causing multilib problems

- Remove ipa-server-selinux obsoletes as upgrades from version prior to 3.3.0 are not allowed
- Wrap server-trust-ad subpackage description better
- Add (noreplace) flag for %{_sysconfdir}/tmpfiles.d/ipa.conf
- Change permissions on default_encoding_utf8.so to fix ipa-python Provides

- Update to upstream 3.3.0 (#991064)

- Require slapi-nis 0.47.7 delivering a core feature of 3.3.0 release

- Update to upstream 3.3.0 Beta 2 (#991064)

- Update to upstream 3.2.2
- Drop ipa-server-selinux subpackage
- Drop redundant directory /var/cache/ipa/sessions
- Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost
- Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency issues when there are still old parts of software (like entitlements plugin)

- Update to upstream 3.2.1
- Drop dogtag-pki-server-theme requires, it won't be build for RHEL-7.0

- Add OTP patches
- Add patch to set KRB5CCNAME for 389-ds-base

- Update to upstream 3.2.0 GA
- ipa-client-install fails if /etc/ipa does not exist (#961483)
- Certificate status is not visible in Service and Host page (#956718)
- ipa-client-install removes needed options from ldap.conf (#953991)
- Handle socket.gethostbyaddr() exceptions when verifying hostnames (#953957)
- Add triggerin scriptlet to support OpenSSH 6.2 (#953617)
- Require nss 3.14.3-12.0 to address certutil certificate import errors (#953485)
- Require pki-ca 10.0.2-3 to pull in fix for sslget and mixed IPv4/6 environments. (#953464)
- ipa-client-install removes 'sss' from /etc/nsswitch.conf (#953453)
- ipa-server-install --uninstall doesn't stop dirsrv instances (#953432)
- Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON behavior for socket based connections (#960222)
- Require libsss_nss_idmap-python
- Add Conflicts on nss-pam-ldapd < 0.8.4. The mapping from uniqueMember to member is now done automatically and having it in the config file raises an error.
- Add backup and restore tools, directory.
- require at least systemd 38 which provides the journal (we no longer need to require syslog.target)
- Update Requires on policycoreutils to 2.1.14-37
- Update Requires on selinux-policy to 3.12.1-42
- Update Requires on 389-ds-base to 1.3.1.0
- Remove a Requires for java-atk-wrapper

- Remove release from krb5-server in strict sub-package to allow for rebuilds.

- Add a Requires for java-atk-wrapper until we can determine which package should be pulling it in, dogtag or tomcat.

- Update to upstream 3.2.0 Beta 1

- Update to upstream 3.2.0 Prerelease 1
- Use upstream reference spec file as a base for Fedora spec file

- Rebuild for broken deps
- Fix 389-ds-base strict dep to be 1.3.0.5 and krb5-server 1.11.1

- Rebuild for broken deps in rawhide
- Fix 389-ds-base strict dep to be 1.3.0.3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild

- Update to upstream 3.1.2
- CVE-2012-4546: Incorrect CRLs publishing
- CVE-2012-5484: MITM Attack during Join process
- CVE-2013-0199: Cross-Realm Trust key leak
- Updated strict dependencies to 389-ds-base = 1.3.0.2 and pki-ca = 10.0.1

- Remove redundant Requires versions that are already in Fedora 17
- Replace python-crypto Requires with m2crypto
- Add missing Requires(post) for client and server-trust-ad subpackages
- Restart httpd service when server-trust-ad subpackage is installed
- Bump selinux-policy Requires to pick up PKI/LDAP port labeling fixes

- Updated to upstream 3.1.0 GA
- Set minimum for sssd to 1.9.2
- Set minimum for
pki-ca to 10.0.0-1 - Set minimum for 389-ds-base to 1.3.0 - Set minimum for selinux-policy to 3.11.1-60 - Remove unneeded dogtag package requires- Update Requires on krb5-server to 1.11- Configure CA replication to use TLS instead of SSL- Updated to upstream 3.0.0 GA - Set minimum for samba to 4.0.0-153. - Make sure server-trust-ad subpackage alternates winbind_krb5_locator.so plugin to /dev/null since they cannot be used when trusts are configured - Restrict krb5-server to 1.10. - Update BR for 389-ds-base to 1.3.0 - Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca - Add Requires on zip for generating FF browser extension- Updated to upstream 3.0.0 rc 2 - Include new FF configuration extension - Set minimum Requires of selinux-policy to 3.11.1-33 - Set minimum Requires dogtag to 10.0.0-0.43.b1 - Add new optional strict sub-package to allow users to limit other package upgrades.- Require samba packages instead of obsoleted samba4 packages- Updated to upstream 3.0.0 rc 1 - Update BR for 389-ds-base to 1.2.11.14 - Update BR for krb5 to 1.10 - Update BR for samba4-devel to 4.0.0-139 (rc1) - Add BR for python-polib - Update BR and Requires on sssd to 1.9.0 - Update Requires on policycoreutils to 2.1.12-5 - Update Requires on 389-ds-base to 1.2.11.14 - Update Requires on selinux-policy to 3.11.1-21 - Update Requires on dogtag to 10.0.0-0.33.a1 - Update Requires on certmonger to 0.60 - Update Requires on tomcat to 7.0.29 - Update minimum version of bind to 9.9.1-10.P3 - Update minimum version of bind-dyndb-ldap to 1.1.0-0.16.rc1 - Remove Requires on authconfig from python sub-package- Rebuild against samba4 beta8- Rebuild against samba4 beta7- Adopt to samba4 beta6 (libsecurity -> libsamba-security) - Add dependency to samba4-winbind- Updated to upstream 3.0.0 beta 2- Updated to current upstream state of 3.0.0 beta 2 development- Rebuild against samba4 beta4- Updated to upstream 3.0.0 beta 1- Updated to upstream 2.2.0 GA - Update minimum n-v-r of 
certmonger to 0.53 - Update minimum n-v-r of slapi-nis to 0.40 - Add Requires in client to oddjob-mkhomedir and python-krbV - Update minimum selinux-policy to 3.10.0-110- Update to upstream 2.2.0 beta 1 (2.1.90.rc1) - Set minimum n-v-r for pki-ca and pki-silent to 9.0.18. - Add Conflicts on mod_ssl - Update minimum n-v-r of 389-ds-base to 1.2.10.4 - Update minimum n-v-r of sssd to 1.8.0 - Update minimum n-v-r of slapi-nis to 0.38 - Update minimum n-v-r of pki-* to 9.0.18 - Update conflicts on bind-dyndb-ldap to < 1.1.0-0.9.b1 - Update conflicts on bind to < 9.9.0-1 - Drop requires on krb5-server-ldap - Add patch to remove escaping arguments to pkisilent- Update to upstream 2.2.0 alpha 1 (2.1.90.pre1)- Force to use 389-ds 1.2.10-0.8.a7 or above - Improve upgrade script to handle systemd 389-ds change - Fix freeipa to work with python-ldap 2.4.6- Fix ipa-replica-install crashes - Fix ipa-server-install and ipa-dns-install logging - Set minimum version of pki-ca to 9.0.17 to fix sslget problem caused by FEDORA-2011-17400 update (#771357)- Allow Web-based migration to work with tightened SE Linux policy (#769440) - Rebuild slapi plugins against re-enterant version of libldap- Allow longer dirsrv startup with systemd: - IPAdmin class will wait until dirsrv instance is available up to 10 seconds - Helps with restarts during upgrade for ipa-ldap-updater - Fix pylint warnings from F16 and Rawhide- Update to upstream 2.1.4 (CVE-2011-3636)- Update SELinux policy to allow ipa_kpasswd to connect ldap and read /dev/urandom. 
(#759679)- Fix wrong path in packaging freeipa-systemd-upgrade- Introduce upgrade script to recover existing configuration after systemd migration as user has no means to recover FreeIPA from systemd migration - Upgrade script: - recovers symlinks in Dogtag instance install - recovers systemd configuration for FreeIPA's directory server instances - recovers freeipa.service - migrates directory server and KDC configs to use proper keytabs for systemd services- Rebuilt for glibc bug#747377- clean up spec - Depend on sssd >= 1.6.2 for better user experience- Fix Fedora package changelog after merging systemd changes- Fix postin scriplet for F-15/F-16- 2.1.3- Default to systemd for Fedora 16 and onwards- Update to upstream 2.1.0- Fix bug #702633- Update minimum selinux-policy to 3.9.16-18 - Update minimum pki-ca and pki-selinux to 9.0.7 - Update minimum 389-ds-base to 1.2.8.0-1 - Update to upstream 2.0.1- Update to upstream GA release - Automatically apply updates when the package is upgraded- Update to upstream freeipa-2.0.0.rc2 - Set minimum version of python-nss to 0.11 to make sure IPv6 support is in - Set minimum version of sssd to 1.5.1 - Patch to include SuiteSpotGroup when setting up 389-ds instances - Move a lot of BuildRequires so this will build with ONLY_CLIENT enabled- Set the N-V-R so rc1 is an update to beta2.- Set minimum version of sssd to 1.5.1 - Update to upstream freeipa-2.0.0.rc1 - Move server-only binaries from admintools subpackage to server- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Set min version of 389-ds-base to 1.2.8 - Set min version of mod_nss 1.0.8-10 - Set min version of selinux-policy to 3.9.7-27 - Add dogtag themes to Requires - Update to upstream freeipa-2.0.0.pre2- Remove unnecessary moving of v1 CA serial number file in post script - Add Obsoletes for server-selinxu subpackage - Using git snapshot 442d6ad30ce1156914e6245aa7502499e50ec0da- Prepare spec file for release - Using git snapshot 
80e87e75bd6ab56e3e20c49ece55bd4d52f1a503- Re-arrange doc and defattr to clean up rpmlint warnings - Remove conditionals on older releases - Move some man pages into admintools subpackage - Remove some explicit Requires in client that aren't needed - Consistent use of buildroot vs RPM_BUILD_ROOT- Moved directory install/static to install/ui- Remove dependency on nss_ldap/nss-pam-ldapd - The official client is sssd and that's what we use by default.- Remove radius subpackages- Set minimum pki-ca and pki-silent versions to 9.0.0- Drop BuildRequires on mozldap-devel- Add Requires on krb5-pkinit-openssl- Add ipa-host-net-manage script- Add ipa init script- Set minimum level of 389-ds-base to 1.2.7 for enhanced memberof plugin- remove ipa-fix-CVE-2008-3274- Remove duplicate %files entries on share/ipa/static - Add python default encoding shared library- Drop requires on python-configobj (not used any more) - Drop ipa-ldap-updater message, upgrades are done differently now- Drop conflicts on mod_nss - Require nss-pam-ldapd on F-14 or higher instead of nss_ldap (#606847) - Drop a slew of conditionals on older Fedora releases (< 12) - Add a few conditionals against RHEL 6 - Add Requires of nss-tools on ipa-client- Set minimum version of certmonger to 0.26 (to pck up #621670) - Set minimum version of pki-silent to 1.3.4 (adds -key_algorithm) - Set minimum version of pki-ca to 1.3.6 - Set minimum version of sssd to 1.2.1- Add BuildRequires for authconfig- Bump up minimum version of python-nss to pick up nss_is_initialize() API- Removed python-asset based webui- Change Requires from fedora-ds-base to 389-ds-base - Set minimum level of 389-ds-base to 1.2.6 for the replication version plugin.- Drop Requires of python-krbV on ipa-client- Load ipa_dogtag.pp in post install- Set minimum level of sssd to 1.1.1 to pull in required hbac fixes.- No need to create /var/log/ipa_error.log since we aren't using TurboGears any more.- Fixed share/ipa/wsgi.py so .pyc, .pyo files are included- 
Added Require mod_wsgi, added share/ipa/wsgi.py- Require python-wehjit >= 0.2.2- Add sssd and certmonger as a Requires on ipa-client- Require python-wehjit >= 0.2.0- Add ipa-rmkeytab tool- Set minimum of python-pyasn1 to 0.0.9a so we have support for the ASN.1 Any type- Remove v1-style /etc/ipa/ipa.conf, replacing with /etc/ipa/default.conf- Add bash completion script and own /etc/bash_completion.d in case it doesn't already exist- Remove ipa_webgui, its functions rolled into ipa_httpd- Removed python-cherrypy from BuildRequires and Requires - Added Requires python-assets, python-wehjit- Added httpd SELinux policy so CRLs can be read- Move ipalib to ipa-python subpackage - Bump minimum version of slapi-nis to 0.15- Set 0.14 as minimum version for slapi-nis- Add Requires: python-nss to ipa-python sub-package- Remove the IPA DNA plugin, use the DS one- Build radius separately - Fix a few minor issues- Replace TurboGears requirement with python-cherrypy- rebuild with new openssl- Fix SELinux code- Fix breakage caused by python-kerberos update to 1.1- New upstream release 1.2.1- Rebuild for Python 2.6- Respin after the tarball has been re-released upstream New hash is 506c9c92dcaf9f227cba5030e999f177- Conditionally restart also dirsrv and httpd when upgrading- Update to upstream version 1.2.0 - Set fedora-ds-base minimum version to 1.1.3 for winsync header - Set the minimum version for SELinux policy - Remove references to Fedora 7- Fix for CVE-2008-3274 - Fix segfault in ipa-kpasswd in case getifaddrs returns a NULL interface - Add fix for bug #453185 - Rebuild against openldap libraries, mozldap ones do not work properly - TurboGears is currently broken in rawhide. 
Added patch to not build the UI locales and removed them from the ipa-server files section.- Add call to /usr/sbin/upgradeconfig to post install- Update to upstream version 1.1.0 - Patch for indexing memberof attribute - Patch for indexing uidnumber and gidnumber - Patch to change DNA default values for replicas - Patch to fix uninitialized variable in ipa-getkeytab- Set fedora-ds-base minimum version to 1.1.0.1-4 and mod_nss minimum version to 1.0.7-4 so we pick up the NSS fixes. - Add selinux-policy-base(post) to Requires (446496)- Add missing entry for /var/cache/ipa/kpasswd (444624) - Added patch to fix permissions problems with the Apache NSS database. - Added patch to fix problem with DNS querying where the query could be returned as the answer. - Fix spec error where patch1 was in the wrong section- Added patch to fix problem reported by ldapmodify- Fix Requires for krb5-server that was missing for Fedora versions > 9 - Remove quotes around test for fedora version to package egg-info- Update to upstream version 1.0.0- Pull upstream changelog 722 - Add Conflicts mod_ssl (435360)- Pull upstream changelog 698 - Fix ownership of /var/log/ipa_error.log during install (435119) - Add pwpolicy command and man page- Pull upstream changelog 678 - Add new subpackage, ipa-server-selinux - Add Requires: authconfig to ipa-python (bz #433747) - Package i18n files- Pull upstream changelog 641 - Require minimum version of krb5-server on F-7 and F-8 - Package some new files- Marked with wrong license. 
IPA is GPLv2.- Ensure that /etc/ipa exists before moving user-modifiable html files there - Put html files into /etc/ipa/html instead of /etc/ipa- Pull upstream changelog 608 which renamed several files- package the sessions dir /var/cache/ipa/sessions - Pull upstream changelog 597- Updated upstream pull (596) to fix bug in ipa_webgui that was causing the UI to not start.- Included LICENSE and README in all packages for documentation - Move user-modifiable content to /etc/ipa and linked back to /usr/share/ipa/html - Changed some references to /usr to the {_usr} macro and /etc to {_sysconfdir} - Added popt-devel to BuildRequires for Fedora 8 and higher and popt for Fedora 7 - Package the egg-info for Fedora 9 and higher for ipa-python- Added auto* BuildRequires- Unified spec file- Fixed License in specfile - Include files from /usr/lib/python*/site-packages/ipaserver- Version bump for release- Preverse mode on ipa-keytab-util - Version bump for relase and rpm name change- Broke invididual Requires and BuildRequires onto separate lines and reordered them - Added python-tgexpandingformwidget as a dependency - Require at least fedora-ds-base 1.1- Version bump for release- Add dep for freeipa-admintools and acl- Add dependency for python-krbV- Require mod_nss-1.0.7-2 for mod_proxy fixes- Convert to autotools-based build* Fri Sep 7 2007 Karl MacMillan - 0.3.0-1 - Added support for libipa-dna-plugin- Added support for ipa_kpasswd and ipa_pwd_extop- Abstracted client class to work directly or over RPC- Add mod_auth_kerb and cyrus-sasl-gssapi to Requires - Remove references to admin server in ipa-server-setupssl - Generate a client certificate for the XML-RPC server to connect to LDAP with - Create a keytab for Apache - Create an ldif with a test user - Provide a certmap.conf for doing SSL client authentication- Initial rpm version/bin/sh/bin/sh/bin/shfreeipa-server-trust-adipa-idoverride-memberof-plugin 
4.9.8 4.9.8-7.module_el8.6.0+1103+a004f6a8 4.9.8-7.module_el8.6.0+1103+a004f6a8 4.9.80.1

oddjob-ipa-trust.conf
oddjobd-ipa-trust.conf
.build-id
54
9f355a4f1dfe54b619b68e9e857854f57e35be
970cfcccb7e3648ec8febea82cdc784e78817c
libipa_cldap.so
winbind_krb5_locator.so
ipasam.so
com.redhat.idm.trust-fetch-domains
ipa-adtrust-install
ipa-server-trust-ad
Contributors.txt
README.md
ipa-cldap-conf.ldif
smb.conf.empty
ipa-server-trust-ad
COPYING
ipa-adtrust-install.1.gz

/etc/dbus-1/system.d/
/etc/oddjobd.conf.d/
/usr/lib/
/usr/lib/.build-id/
/usr/lib/.build-id/54/
/usr/lib/.build-id/8c/
/usr/lib64/dirsrv/plugins/
/usr/lib64/krb5/plugins/libkrb5/
/usr/lib64/samba/pdb/
/usr/libexec/ipa/oddjob/
/usr/sbin/
/usr/share/doc/
/usr/share/doc/ipa-server-trust-ad/
/usr/share/ipa/
/usr/share/licenses/
/usr/share/licenses/ipa-server-trust-ad/
/usr/share/man/man1/

-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection

cpio xz 2 x86_64-redhat-linux-gnu

exported SGML document, ASCII text
XML 1.0 document, ASCII text
directory
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=8c970cfcccb7e3648ec8febea82cdc784e78817c, stripped
empty
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=549f355a4f1dfe54b619b68e9e857854f57e35be, stripped
Python script, ASCII text executable
UTF-8 Unicode text
ASCII text
troff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)

/usr/libexec/platform-python -c "import sys; from ipalib import facts; sys.exit(0 if facts.is_ipa_configured() else 1);" > /dev/null 2>&1
if [ $? -eq 0 ]; then
    # NOTE: systemd specific section
    /bin/systemctl try-restart httpd.service >/dev/null 2>&1 || :
    # END
fi

/bin/sh
utf-8
09982804aedf724f3ec01ff9b1aedc5764f7e353312ef9c096288b29605e3e6e
idm:DL1:8060020220315134656:92098735
p1<0k) HoZ78oC.x$= KoHXh=9>*ER&4sL 8v ʵKfߠr x1O9 ؾ"x㔯ƨ@k !F e.u*ք\, `Aǹ9*S3* C=,s2 wy1)#4V[R6?v)2QɮM @_삻@mÃ%jByz(" |dQJi$t~mU|M%H'б}9LaCl وq=#k)v+ys6Vk/HI4tup1166BHRMn%0+5" 7zν 2Z~Gr T`z̾`yeY6|TxOh]>$dQT EUc(ڍ0b׍7d//\ r^Gѓ2=m;H#= -ƥF_,\]Pg2xȧ}Fֻ;[ 8Q 23CיWX]LT[ ^g_سE!S_+p|{mm}¨p ps-h(ڿ\qi؟ÙhT4i}uCo} r@[,`XD/9^vBsË5\nD[pht!F엄~P`k'ؖE뜣qo^w}&{^2_ɩjy8Heq~?(sJ$A+頋N 8haWt5( ٪l dZNF"A88S'ruY',A~cˎB$Mt<;T ]Aঢ়Xw qͲT &Pnpg*t;`!)3)쌻=n^1.>!k^r$ǽ傷}`6vj]e>V=^,H2Y$p?"ϖeI;U&+jj޺d ']Y!{i:]D8VUm^hO>ӑ^R { NMp*s񱛘 3_~mRCґ`4 a,=ns \zSX ;XsϼP3TL=o"d+M( 2#\֧Bhs=BPi&xK^t>ay,MmUW^ 1Ũ񞲏ؒU>Q=4ƀN!zL&ώwj"^zx Xݲu K3nySUɉxoq|0{ 0o㑩 "I{5 %7Βɶ50҈Zr0<pn]C5/er,d3Q_?ε_y ,D` ~rT 7+= +u>V !bF<(8R( SeVnlS6_7-dL;UQK Tj^JtNpZu}XQq@9gehVkmS"> &{R\1jNGOHBoBFNĩy: uM0ٌd22Y*xY;Z֢.-;n8lcoO ]jʡK!Vҭ7@[ɢ7z`Dz #2S9MZFoKk2[Nlm.JwQE([R(@IGIfkfO\i iEs4DLR[~^0$H"|AeGB NN>Jc {|)& Dn'n!lx J!=L, BCv1q Ōb. ?N,};1rۍjڴ/&3t7+ذj:i΁Vr* W=(tՄÌ& Cb jY\fu ~f)))vgX{u,SÃl_ 2&1vva뤘\N#GKtBݴt]+cYP7׻ y"h.eq<ʿ$ke d0p> [`8VL)bg@#WQ9ev/]۰[ .gMSO:5<JzkFY'|fR usWfBBbtW ` גE5̣V Hv2&}F g1jˁ!"j+׷Z:tEuq[(K<Ղ-Q8'oWpw♕[L.Q5$F>z4 vEQUY6}`qVWv0CrvE~ NN/Y}?O>`ȣtJ WP,޲d <#^l@ϕ́e*n}:\{>nB갡#L;D[`Q2"%+BT1n( 4P?ŷ8P. <Fy垩f#䳥KV)[x*d4 _BX<.%դ&5xtpKs3\(|I;EO)ğ 鷋8@>%T<gW;eʊwqv]7ſݾҸ٨*hF`?knۆD%eM/DhI*[dCwP1sI o|G 5'H#K$V8N [A*w,!Lh괐8NUV_.߶zE~jv9&uj7WxD~٪LYΙ| 8sXEF%R.t .u!*[\zIS+:,Hm"{0& `'zc+)[Ѹ ^nlXsçC:ZZR +YgO'khG1zC1<%Ҽ2?Rsrad'ڡuuHp$4u۱Zz7cQb09멭+ZL1G(nS9eȬ /:F,NNjHE:Y?Z!|s3JNN/,bF< +&\1\*xk+,@_Um檍SI ~SB;vn[*=S4OO֦UFi>|ԛ Y۩#;#Au)i@+䄒|mE\2mUef {o0Y#}ت7C]$tooD'nN̙3k5!ᖚc1DKLt6ж%sKi^4K.*ߊxͦ?`p$S'UkI>DD[d8@TeWR1Eq6uiJc(csZ0r;@>zxE57ziO;Ӳby0]0߷&`rtbU+)On/mx9*FK!|ӐƉ jt4q8Z3+Hf9:&'zTRh |C|:NnWg[pctSHTAe,QKPcOVXaI`cMꌓca8e E.]J__KWK0W3Ѝv`@8 ,ץvW e _Oi_Kc_L '-SlIuCuNGK)0o=2NZuт3Ux6+oX/e€ Dv@p,g:rT_ͅ%wOq <+dxkq,!*Q$i^PmG:dĵ~e"*REFxfÙ|A-j֌N6`CuV{ .Erk#Qm#L8Ų ~SVp b3CLou06 M K9"cԥ6cH22cv1Aȇ=C쪶. 
{WZˊT!k]eJTu4M4{2:t!N"(qrXO\^^0W ڶU,T)p記0wp_256d~p_exTwI(W]H__,M45jNJ`h,@:zHu8 h4@rDJճؕ 3 O?CWfn CڈSN #Hp*qn%65yhcaD[j{s]reCsGp9=MP 'Um;IWȣrPƭ6jOpd䄞I9uLWz4l!Zf].Xcϧz cmuGN5溏1)@xϡҌrD6V|;7 !wN?Ij6РOת qV J>mv EJ7Pl<F 4[yz>\7Ǥ\=\ ﬛o3(Ǣ=mb㲵 M^Ϥd/2tQ7g:?pB&W [otlUc8vrLH,Idh;@~l>S$1e/D_ +=eCzj6Xr>@v=-ɩ@m/:iyJ`ɊZ֠Wq{TRBi!lѰ!T[XWic%wlɗ>VVO}ZՐ]`_(?;g8Y8n2=τ,_2 "r @JBĽ`fBl \L_Ԡq i'K禢&\#1{r & xT%j|$NQ8*- CpMwv]+KEZ{(HU.ߚ-u+/)y#lv/0`ːs\ŋJzldIzM0vA BidrO{ݭ>>;!.dXȦѾ&& f1lc~bEo6/oZ8$jvƛ;Ъ'M(͜Ǿϗ _lG:DIdk\,q 6 wF:GaM2i=מ.ql#MzM%,CJh2ֳN<Ը>8k>:KKΌ(z}5yf%C-eAbIcj~u@U]γe(j:!V}xe4Qy9agpKYZ[@T^_d}5LJj{U{`Nުp7+FT5.YF59qH?bzLl6V =@0]"ȯz[7vdż-M-鑏Z4,14&<?;#Vl+T xiy\pӿN#;˺ڇ"BFpNYAwgܰ=O?۬h]yA"e?M܅8`pBPpBE_fZ4RL.\iPZ>Պox%dLqEI',WEU- Д>k=0 mԽ/sLjGѬ$F̑t?Lm." Q5ogP>LeC,5 =9Kr Ա%* xTk:a<&m^%f:M &1+D8ks=6h;zX$ByB_xFH#CTM|T-+@gJew>,Pķs#C♚-yNTXTaISVhkzv v xiG7^0d]^A^>wl5z|jM+܂S)}2CimZF-[C5|lVt _~70 UTEJUt* f`׈P+CPDh Wy|c#5g-~(@7]I]^*"IX3@J*Щr ?S2c^d8' iQ\lr`.y;+MkEyDk CKitJb}0Ɠ:tn>k}]h?*Ԗؿ`*g ڕ͢(_ȖiP_y?ُa{{_g6p[0Jy]ZXm]{FaT>_od(-nh&v2~5jD;L nV#¨lɿWߺ*]d 5wkH3f3GdXhKX)PgQ :pR0KxZ?b't!2`m~敕!8;{0eI"2hfyN4RWvI^>BOXacW54Y փhPvK5$7Ŋ i㩨b;A*7 $ \MI22E4zuUWiM=Oa1T^| j5if볠tA|(pθR3ы,AR~(_K?Yl7+UۡZO]T_)gϓX1L!įG%BѻB0:یE "|`>#ÔB{|7vhZc[v tX$+ى/L&ɢk9jvdR& ުNs8G *kנN@C $25-Ƞ + ;Sv8r_7d{rO0 oh1B l".ɐKTB6]XdeL0p7u (P,`acL|Yb 45`D "8P(+Ua$D{:]/ήS@K#anpO >@qN]uOfFgԃ^|ǧ&B7c6JUt)%ٽ\ZXC/)Z3e!BP5Ѐ>pG}5 K; pVn,:m@U.&/XŻ T5^hkCLCuj uZKD(=oe0k7&\<&$~)}Ѓ#Pl#먕q2-C=flTm ;oJ;@HK`ʝ#}Y*ߢTD-2`Zc_Ӡ01FH0 :?װ 0E1# ¤[yP;?g\:"d>lʓq[¼,FsO~5 1'KWU';X׎e[uli>ȃ/|都=k_XeSL=faMUA#]!vi4lUj[;#s[]QU(A<ȁ'O*FC+Ye<8~`#Ͽl,#7&[* w 3-E@0~`_1|pC0=NTO܊:y}g x4@)"QOyX84ubil<<0|LHxwF_k A7"'fQ&!A*eS:mNK4øYc4)VxĖ(Ι H4aOKQsXM$^Fb=N-әV4%}aXԙ ?xwA=eh4x8&Qmtw5S#@ZOC~031Oq ~֜"NG~2ytYTUB y?cM-4i 4 ёJ7b2\|2G"I KJO4$^M!"_?]ws2Z{='%mvuIU_38ى Be7 1u CV׾cA%Z`}DX)_lGv5gL brPHB2b9+;s/>}<]#Z$^=2 -g`kEځn9.8]Y<H+ --n 1bP|d{ʸ 0W%:4ZS"ۥOl`ѽ)jJ<6/Dz\׭&_*% BY%05* #v.k`J"GK,[C'/nMrz}:DiEIű `n?HQ"8F6[e+.Ԕu^Xsi/c玐{}z$t{_ӞMgE1Qybjd$"$46wS&D귓ѕ$#!zV.ݯ3!;t"djxS1ͦOQLadHr"q +ε3b 
Ӯļ3MN&@LZi3.ya&\GAN}Ew*N~}/!#4:]˳RX>O9lR=F}mdU"aΔ:gG\Ep{J:`󕨓Ck"I{U^qqnkc2P]=͗>s8,cf4Y%dRwT JwEz ;Y)V/ }PƖN}rGj Ggk6sLk8GB%uOU;&$~Nش"k+:>aT5-Oʀ. Lr5EI{;3MCt3d J=|(vl2 J(@c[蝳 b D>fQҭϦh4>| ꢍc: &Ռ˻w|>)\-6s`ǜyNG9 hظ&.kh_هp?!߻ڞowd!S䣬ORwԅ}.PH#^eR4kEFpisYj`$?g|7la sK&h̓DT)Mvr[9⩙a4a~;Ҕqk7:ĊI!2eٻpk{3Fښa8u][R,*lrߊxcr" 1P;9A yVI>g{H#:Z8CR!C;4SYVx;'1TMɂkfd*o6?`]*Ou79t 2  ,?D<d\q ⶇS @VZNg9izg5fW?US VLZ}QG:RZawʡy๋Cf.Rޒr$W* g3mk}ULRA5s*ED+V)8\PY7 -Iy2E84 L+:ZnP5z 4.%iv{亏b "' -QeXetnJU},,3\f5Z( 8G)ɟ@<㟷.NYpY=4Ӈd5C;2u+}39V0h:gPM5D{n`7!>׿17j7ݬa%ך*L_=C}Xk(s <w8P>~4Tzl01F48k/O iTub- ap9^LS8ގj(mLXX ]y^e{]Ybɟޛ. 0u*&q!L?YqqȘ[xY5*o8QC:Lf̸oy*2'"$B6aF|z)ݩo xp{L0j{9p>jfHil|#!:%(M :%_u[s(PjEY te6Ndw0N ?tpka-kW$ӝcō}6Fh߀4['Z(tpw#\?w*=ׅ{"&K pyX NvQVQEaHrrXX K6|xh, pzE.o_%Oi gcY܂,gNXƐKNN{rM `2R|wT`cK7m-Hww>¶J^Řipƿ~+\ & NHZ7[u>Y ŎZPw^Bd5zVfna#&ߋB^N(8٭X1_L]1?O5KZr:?WioSN\(d/ѫ:~S˰ULoj|`DG׫$i52 (*‰#O-!wK񡮛|q9.`[cGKz檴,3ѡl^8'$ U24CFXؗoڀ5(}sUE]B"m €Wl+~'nՓxm[2H`IٔWwp[|R{%gsUa{}*9g8^).u c1p{ZAEB>S@[ q=; l]ԸDthSnko;~}x8vu_+3/F֒1~ RFstI~Fs"%dz fH $CQWb$\PxөK;J8Ŝ{!f v?F› 7ZJ}9_Fkj\Db]Ϧ%nkc~bHbg }xsڇ5 .PZCq+O-r|8'ՊA) t8(B$fKE-XlÓ*<ۂ3B]% aP ow^}D $!S=5m"߅-Hyp ׵4NrhEDz#*HxnEZN|Zkt:UAe_Jߺ ٧miyq~CZɃℊd=);Ȣ'蘚x"ę%_ 9LQ "Bͩ<()1{?6 Z-'{ չ"]P& ,S Hwuh3{)nl t\>$ a$@2MX6K0lFk[Q-3f`S(A w`-6ZR}G0+%7hDY\<3u-t$M$8@0íu-SAolEqPbgAITEakIoI T͍|."@H842 T CgEM* Ɖ0Ґ'q9I@a'zv?9P%LsGV&h؅е?- IO{A RT4CBc[@ J"  .~.irљɬ| pI]Bz~(0j-;|}|mw%<"H7> ӹniT{6^ﲲC)P"j1,xީ8 l8CyWQ0lbn Sct[rC:/+-z PiKQxXN.[ Ev -))hz1ʰ _`3@m{F|sݼqռ(ϟl,8|"Fzz<n81sx p xukfwO}81Div-?G\ ˢbFŭmmu.-9]L:J@HY~2\jmA ^k|>dΰ.E%m(HG}P Y˭FNxoL]?7+N.4#7H'֨gU .Z'@q_Fdyc!p.BF'O瓙1EO"p#Wzkϕ5̦sϷ M~+.#fE{mjIڣoXdVpoZr A.OӛYX"nQ+"%,Hdze{qF~ hLA>~MqDJ)BMTw8 ?qt[ 2,|%Gq Q[Mj׼UB6 U@ţFHZY8 "GMe} B$].]Xhق~\ߥ8!_wbΫ-?[/ư*{7-+_Er\dTGe>!C 薄Ff4Ft[_W=x1 })i>z*9!- t2fIoU/G`A˖[z&]PJQg.ECT3XYdC._hzދ2.~* Ƽ \k([W09%Q Af>~Yua\2Bba 4i5 & b@<}k\撍ogg\Fa4Ԇ?.Y'7ɺ|l ĺ$C'T.AqnƫJŌ 1=ҡyvzsA+M} &fɇF5\ABTtyoUZ6PgBtpWuNfPOX~W"%HŻTp6y6/%~5,bGOOYf ҒMƻ5ӚW#JzC.Y0&OZ.VďCvX VQI+ 
bғ;i4:/zCr.Yn;-[WJhXSbUvݍ{Ѱ[#6ʁ#}2FhCy&W,[~؛?=6Ƀz0Wbs'({,=a!t!pn) HPA|7 I8+ɵ& BO/b ̠4SvhdfC$ " m{%3ՋZ%6~.yd=ש^GF>_*-966Gkƫ$U).t@v8']evv`0.g% Ƽ^pkp`"FzH:<}σMt_P$b/ts"8_5{]~lm$ 稹yķJaj4M \`͢~f;&a w 0>md'!U );N*%#uFD6W::ij偕EkJh3,@P E? {%{O+x->U *YJ?^x8F,V6ٞ52Oɦ:ab}Ox2aQ/_zd0]cʊz|xk.j&׋nRHiʃ[^s) V 0xeNE{UpŠ]} zleo8qmz ' ԾxUB\1, p?H8/J2|QGVH,:\bRqC_W6=q$-s2]b<3ݲk dXXV.(H|sP,`nt6:xNa ThvZTCO>ח1d Pu:9w~+>lXX;rZ[bq[gPpy~ecHB͛>ЉEw_di_{Rikǽ4n8{$ϩl*q/kQ3ԖC28ZsG(.j$l݇2Wl`c~9K!Qslj7,ܿQ/*<('x^88O%4h O;+XMG#Ac#l=jU 7TT(;*H?Il@-`"Tdξd2Ŏmj5$ɯHxXT)/2~MydL`4=I6qݭ}kճCɅf| Pܳ{un/hVZ9^Zc2(ASp7P&?^5o@:u^]/AA9,X^"Kh,Ay ,F^1\ {}>( AmC .aXZU|"[5BG@H+8DDl7ľ 7 |r2v;[=81&y^KIyXVp`g)olߖgobL2C%+FECgq]uݠFW֦1!+P'laJnؙ,`'乍2W!&yR@~43iQYǐs˅\ϛ6e%[QH;@ZĮ)ڗߦnb 4Ń#+J CvʳyfnF1y :XɊt'ړ ܔci©HCP9\,0\fDiPIyBL0f>/WE6#Vó^0D? Qϛ}Q` 9LRzd([L)]ƵW;EzNH' Ϧ죖$Ej9b6}ŵɵ뎘.n\iʻ:5`3F ; tO)E;&f> F/c&!A<[lҢQHvWzxYeD GYN-I9zC JT[fjc~c :)xhtƚ%UMڵ[m*92fBz3yS2MPZ˹=1ܒb`NhM܎ugS- ׈&/VŰnAhZ5ͿGޗNu'8^#tŠДe|Q㌎a=ٟQу宐v|1N.`4՜@}͢@SW ᎇJTv}`#& 8pW; RurZq;aFR%Ok+|L5ꥂfj{wn*6+-݀<ةkўYj2M҂xb Qsgĉ 2nxg糥8zg5ۄ!VBU1ABD#$5d yc/[CˁvXدtHqq!^J83vw5fVՔ#}=Yp$$)Q Oх'jFQj2Hg%C@4*o}O)6ל嵣f&h}HuיV&QgsVDg']wtr&_%e?YG:Enyx -]o|09һq'WR*pS.bLvY' y*mыph l(޹4BFVx\bh=ȬqC_xqkzS*[ъ>h%IB/銿9AeTA=2)7HϫYxIP5im:>\ģ}@rqVz`Zb*Y1RWyA+奴7wSidƏZ+S_h3&jQ:@}|`pۆ{t꺼[U:l2ߦ!;T# 8m ?^-X.}uXA:z8Q?/G( .,FwD$/! nUcRdZ Fp1YuݰPq~b-dNË0B[ "5/Qn ( K By'p  uu1QyW믰%Ŕ4m[$nڄTi+ sSthq/B3>< 2ˇwjAʔ+d00Jsؐd)@)R_fv9%JЁClgl2E2B \O#bH6xrgHs*\"Z|Z2UKuz='mMn[ȷUZ%F40HGپV|I/+CŸp󤫗JGtطrSh OʶB):̦a] Vt4UePQg.v!>7G1FoV_S2G<>CMߩwC_lM ĬsV% ;UCݜI<̹zmȸYz17$;@PrRwjfm) K=Jòyݩ}i {B@>JJIc !܃ԑt5U ee!HKHN+Wֆ0ͅ3Pyvr*Id1 ?Dq]/#qC텯HÇ &Ŭ8q+gzENrE{dDV/~IRɸE<{H{Gn />Щu_ktUoRmvF?{+OnOC}3 eXV?0i noPMl?[@^?zP+4@WUk8G8obC%S/"NDQbJx'G>f5L"M6>{|a6+2O%rj{z@L P{kd0> {ܽ$x %"-Or7/VRXJR5 `ȭjc6Zq? a?qE3 {L? 
8 \뉖\d~wz6bP+ yuϜlÖa>ZY1TcYq6Qt+$X[ ^|毈;q=\,@Y6 tdSW{XKO1p-|f6ǩMϡX\ӁW7}YWk\J;5FV@dسf#Uh֎ ~"uFҪmӍIAE1(xA P+IA[#ᑮHwQ}ÿ]*6.`E\wSoJ<>.k jSa3wxv_pt^^zk}d~@A׷ҧ־2X -d% zҊca]K&v#;ŤHhRg2mm!>a PT!w1!~pG4P bh_lÌpfx˅]W`ۅ2ZL,=,hP:+ֹQK:lPv/m-M wqD+<`nczhYKO/ s)&~z6ִIl(UdR,$ l{{mFم|?VO3ٯWp{:lDY`:h?ʯTCTMR,!rڧ=N_0U_8i{Z0>oOV =_OoD:6ใPމRNzߩJ&wEKKpKb.Tfi3eHseN`wG32',W𨺋j#\F_Rg8 ;LcR"KQEB!]y$/Đ (/b޳&"|2oxj@Gԕi=Y+p{+.C|K~;q?f(Ayϙ/7L㊫TyDЅb=Z\P7T 2qvMk=+-1LiVW{J/Ķb8׽AŒ*v-aAq n UT};D&t: WW~|*.1 >oSˢVM|Cg?#9b{,]yhpEȲнR<2, G5,%D&^Xpf[- 9 (c$^H| Z1[!-n3Nevyx{\6 rlwX`m*Z.03Y"Z[Ro KJA: / zX q)$@p ܮ+E˙-N8 WfƜ i`SKA^qƓҔu"ּfFeL?[v?'/R~A:w70+8A{cWİdGV 531͐G\ =(س ٘ ;=_e7Sz]=Co__AȬËF2®$X?P+"4EvvRc5X<W B:5![^7 h wњoHb'DN؏@Uׁ*8WC-8c}?^yadLE.3ƭ!dpۓҫ96-[C.'<`O]Qn꽟ȇ ϼ$9܉h`(DŽ):KP?+wI2YhC!R.#(srqM?ԏ /kVjҬPx|k9Ol,#.x׆H;;Y>-eŠT ,nS}bO@JtTy;;`dIdX񏳿 _DBχeufM jxZݜ(Uዳ)t[ɟvypdvCKF%$ċ p_3ECX߇U]ɥpY4=Zȟf31hPF׍IW~f/)=y|iWqrc+*οRߤI>bl{7urr*;3{JtPd0c4|YCZKʁiN1X5Jj]hPB%/9#ēs6S{z  & l0YƘ.Jm\Y}0X?sX 4 oJ(΀<<V4A5 Y}/ X&ܽQN}RXG KRX<_eНJZNjQ nנBDen1G^j_LFJ%Mdا҂t]b-8DZ^j|Ƀ?#Cmd{2H1ja1~-ˇ0OfVhte+uMmG '0;L6} rK2B֠87V*7t{o~EkKP|#WzmI+Swȑ&ӊB Ys܎.ad^k!~Fy#B֦zȷ(o߂܊j|Ei>S)3J+{R,$^e2[RE~zN;/x馴q5!TʸZV"O)2dѹ "[}5KC7jiѓe#߂^~R]kmn6bUH(n͵zKr'ue& /[C8k5WucGQ Qi&ΪV|Vo*@5OF6 u))]^>jmkLue-b-͏ t/X?Z2sWZFK{hEmm' UE._{:V@:,Cľx6{T8'/ͰQ{Z>`F%'.ȁa/.9 9~;< 4@ an$JՇ;q^|T\&*` Y Դ7ު$xv/،Ҷ>y-#M 6$ }XąMŏ)ۥ@ EDL!&]p%,6&U_жZTj8 -,W'R00۵1\Rq?x=@ zQ$W2CwlV|vTݤ<˚`eގPP֝] гAEs2~/ 0|YzRRm1x;+6ᶛ`;`e(R-TMMM\{e9bR<-#O&9Ÿ(SNSfq֧,BM(PUFVpW>]w?: 'nrHC`=:Sڒt{4TR%:JȄY҆M-6>nS bS#z^6#R)JɊc\t A l᛬t?+XX>rIӇb![Yr+Vo8 2V[%#uZR3o撀s1<*&4QY:{K-:dCC0`32X.9IɅ.)FEX?#o}0ڣQ>Qt&H^2J\߂BNX%.apD3IX{؋1T1ƨD/g쾑NFKV@Y$s;Z_5d>i։;JTt Ip?(/_g?ܣ~B>Gpar2Sķ apb5H%r) aoZ@ Mph^fߩ@U;(e08y_FTdq#UOSjvY۵}>CޟGt?Ш͸gQyL*[(@.a ZT+ܨvSoJꞧ]Kn#IKJ %GYDk-BC| |oA,Ll0Q;vŚdKyn\=v@"Ls;,qEFRpN7Ovb6"xq_d$ h0mF^ܓH1v xDQ ōow9=-RUiƷ1At"v9`^ X/2S^p bf A^2*;_PYat\PL#a L6Xwg$9E4"K!v j| IPg\"} |9 A͗wd>C}aצLTJ9J.;5>JDy CM4ض`'$tEQ* x*NjPJ٬t7 hչk po *99dkI][^EN5qQ+0k ;ΚݑGX:KDm)F"hhDn'fźقZV.Uxbę?rXGɡ+En2]|5yԻdUgG!ig<ءKdmT7@l4 
[.ɇbGuxEpSn8dPDܫ ~R>U ^[+C5u,kEEf=S<۫j8/&Q酹O A,^DH1;*i$[חsB}xH,|8*O4$ *uc3O5OL~Z2lŞk;0p8Yu.[\߲[]'8khCc%y}&c~VkbRE*9%'rK5RgG¶PE0On&ÿt-p(;H)~şRQ~Qt@tUR\;# yM4;0(KiVx\ ʓ!TlOFXv98ї]ir*%[b-Zy6b[vSO^ܖؗژ5.qңk;4#VCq׳CqX 5 ,h]mbc9cY9o4ʾLOSOFʔ;v{@CxLz~Kt:!NZ]Đ%xǝ)t[xd ay4:6fR E !L1ո -( D`^g{GΨ<CkZ5I ^cMr3>nYV>Ι]|z&m+cIl!~ _#?0%|g]Fr0u˼侫:V0 n=jc d@ u $i#41/7Ofҙqb[U_sX82#;%sԎokNub+[/',e!/N/P`@:ƥ6TW-ޖؤU\Ѡ@YIMٛ0 m8U"*jsa/h*_qP\@~2E V5 #u`רL+9 KWeˈ5(K.vfm:׫-&V}ɀD\u;=RG7˰1ڡ<NCe /Qu~r<0 PSʀ@9ќ8%j҈Ƙ.v?km) H߄m>KBml̮D-CB ȴ EfbH/zqv)\m.5L9'>ɛ 5 %]YUg#S?y҃9zLCOiK4fD1= ֓h:*%Fmo, #r+jsRfzW}9]V4_*<$Мh-i#MaMu!tiM5p@7${fΤz#8`V\x]_p.34:=Jmiҥ `uuO}' Û4 ѐ$;JedZXQᡎ DjY1a߉^`\zg%~׶V@RiI(1@ZMUu ~,Z:/ eSׯJX'<6dg\oyH?]![ErT~O_RMavћT#-b)A1dۺY"}Yo~ϥ\2jW8+Z#Ι𶪿A#-Fq R?;HfLJ+ovO*grмOʻG^!u p{+gfp[A?11fWWc3o52|>̿ v #%I {iYQ뤘Z6yFOfBN7P<ݠ] )iRg )$TJm}ӛr72l l>3>TIS/MC؊VSҚDC(Z1 < r(! 95P=lփ)*كlm%e6؏rx gA®amO/[jv-Q# $Ydz~Q }=6;VkȐJev"/Tʾ)u ;rK Qjр[9B4;Z&|֒@3yPВ@47mҶ=G0?XQ8: ޢ.]br!&$ ')0<1/gTb bQ$suUev܎Fmn]̝e?Gn`"ϳ נoo7_;}v-1n.ݓ3A/EUf CpxA\)9] -OE#ݐ:*~z"t%@ 6~ޞE w"ub6 (+D&_I8)*GvcZ@/iʈL=vg!v(PP[ľf"jNz+C!OZFUzsck|bTp΂RX{C]0.IQQ-)fh6!QQѥ ?EjA?$n?~C3HI8fc\nXc$M<|$mʘkRe9,^Iu#. EXFFPTCqmLgH3gNXҰe)$ a]js'D=Ơ< kP%*42`+ ̳aZ;Azs4$d0 ;])usבKJr#bNvQg/q NkYV>š4btk\p.tafFI(vlG8/Al!ĂM;!@w8v/̉T,I+Ng΋2rI%CȎY3t;^tUUL yJ-.,CN?n-{b0K6C0U@\ f[x1Dz3<|yƛNHaѾ߬Ŧsy,+v®4Ν/x:򇶸H.G9bA8+9ڗKdMV>(r{`jV#A0 {0Ru8v T)k0`7Dy$04 M- ,~sy*\9/d)a7#IL.'`%j$Sc:,Fbƒp2V)7pfB爓m*CIP!y+#Gbžk\4%^_xCZx)ɍPP]3|t3?[`,$*ɟgS2' >- x?bʠXR&ov0s+n ˈču InnF2Ee1֮KNR4eGǩr|(άMtgȺkĞCSYKwi$Z9yG"! .q}9m&leYf ]CMZgCktx,?@i;)E!2n`g( h ;&moXlg#g(iM*[Y}]h/Ҫ*kV^cg)6yp_WV^˾#zv/`23,^ t ߻^wܻ)2[:+ʘjT|UkUd`7zodWo4NUlkanHa[& D~g? 
;ߤ]* I{!r@ΡKyG7͡%ÖUXjikbC}ZJ80YQ2b&F.k , &m ;keo"7/g#q"j6EJ0}o;An]L<.Ȥ4;@: 4VKfo{N!g9>Ҵmn%&դ+5F~zZ˜.zͦj->* .ȓ8avfnHDX0uhFY8sNP5sN]|Ӝ-& D7.]Kֲ1TF/QTg!Md-k'rPf鬾/#TZ 5,GAgLmɉܟŏdj*f\1C?=_œ^oN ȥBeR2Tp\GkFm~R5z#G.渃EҏzNDϱRË&H(4l$>a FN9b ˄wa`oK182UA -YQ`Vjcb1~{LS_W^w8t;gp[+6g ׿ ,1{Uk$=_F7 #K*HeUT^rT&>633Lv;IHR>coelwd/f_AmY j7jzĤ6-@m_|1֣Ҳg1םQ\2HT{27RӬTV.Ѵ G*qݳth`au)Zi8nB`-u#ws3mW۸kWNzzYnD5A'赑<$19zOT?bЋ_*Fn0jQb,pE&@bERrvibqJi aFO&>a,O3ze%sNgY*e\kdth > wm!o5$w-%xT{&]V Ar,&F> O)\qNDix0/9A:;j{QaV]O18@~ҙzXQ@ Td)"Ðؒ.UGyif2J$,He0$|`є&F\ֽʆ/}l}il}ZlEj$E˄h_{/վ<hXieZi~a#p9\L/YRPV /M 0D8%^wa1Ajl{1";2ңNj$ C)0vdB4#E}P۷Y" B#7Eow~AU"]߷@c I`-ɋ_[għE R9l_ksZ?tKCRӤuG9u¬CGYjwVMʞe'"I@ =K'+`YC|iIǧkŁ+i׆]d ; 8':i3-G'ҼZ7_]vX JWӣ,,pW,[`SbE5>91a@Lʑ\S%ZԜ@Pgj}xr9ĕ84tfK\N,9iCmjCXOLpy+l?x<51+jqSU -oNJ[O$@t?s45K偣'u^{?0y%CXf@mPu{]Pq<+ߢ}tg4v#rj>2 ihz@OdFBݠTr&z=Pގܹ?ΡS-362Ðmzer/\SyV<5bd<^:e/HawC?V~_d3{KqGU?̓ U06|Z7_lU.W XEWi&>7I*,Ogf4.T/,%?'WO]2NAx>8ib!l'?6+So>N疨-^&\gKZF.ԕ:r@NU!j!GP.5IBTR)2 $dGT<6[K2Y8_ #` #ubIpE8{bMZ5mn㔔gp.| cN5t-w(m8XeKq: Ԡ QS)bnx-n'χ[ &4m͛EWe}Yt\r/n]fǸ1'9te{!uo횦 *$=B` V;r DUe!f:*slzjt ~$R߲-th NغӷESNuf%E2]zAjgg#kN‚6 >s~3NLpXrJ${Ы_q-ZPjp"҇YHZ.PvY*SFFj<"|eG`X"Wn,}Sf؋5n~,~,mͽBe4SNDG?*ɶkc U.@(](1J E,MU@@sis1Rf{iqJ-o *Tm;lݕX4L# "IO{jl7Mi{XV:9qPOķ+/Ӷ 9obkDS ?(Sy#P¡,hT9 R6KAHazz3-S1v6nzOHNw3ΠɀKN584J+yhhjJO}a6'jq[wiVb`W/loik+;$68A/tP3 Jt-DD+O4cvݔ@#OJ-;}Qel+4og=qBw4ca,0l{y\7ed{׵N.oN^ 7* |JK߽f85XÒOu1wTgu%A)/ nB@>D"?(c*N9POPXȮ@wYkqcb:YT4/8 Q*.ѹS,^r`pV@k5oB RV `6ռ(; X ܳZx## &) IĞlC© 4vkʺl}RC(AX5Z5>rOĔNǥ],S1? ijp_&NL$3j˵;QUMfؾ,rU $,XL:=*jّW~uI*' D;Лx[, f3 0']7 q #Ij??{4(К87JEs1K`MHO'K^EWlak1]0ǗeW͙4p~Ke|rl%j'"8{Bw|.fƨ&: +>$H+{X!hƀ.VQDYaHf#`%L zP)asxe)(S6jz4cPW}5j#!&qqKsg6Ɠix&& v#7*Pe){~H4 bCG)M]*'T(C)n2{:^Q sd t1KuU<,OK7MIxMco<pegBc}A\̉UV!jQUK .$⤄N~#~,㒡mǍm:j,S{~-=d }ay 2$54*;z3Q?P/Pnt))Ki/(_C_FA"eM#DZ,G+80Ԡ%cP* &"͛*&{7/iᯄ 1k#+L>ftMߟ:n̼04@($X:.`:o7}U.#J>$ёErI1W. ` R6 r0%S[3LO1 V*QT~*. 
b@@d-ix;aF~p᎘骤x=7iD\tZ>SAwY)UNS)ڢN77Ǡ#7τOHҁ49߈ f[p]r3N:" Ƒ-S+@.IJ?!L_ֺ:iDܐ(aލ]&;%.7r p C) I.@ Ic_Μ83|Iv,7Ow"i*^DZ_w 1!p)6Աx7I G_(\\r%|F8zY?J⏏QKeb= gS|-[dq##̳j~]1h1gY6<|YVmkX 0y(!LMUF${ P?lMhԸ۟JO].Z"R&fk~MYf,d{XiRUW&d6gՆP[V`sn$Ÿdiqe3 NY)ji_vKzz)|^S/(# :#0wKXH}&xSu=.`^$C)'IRG} { =rrLO 'kU;yD`H'I^;R.Bn,8&>J!3$jb.4IH g+~Pj,j2fǙ]oc>9-&!q k!Wx! |"SǗ 5œp.ע7v{|ϓ(H!Yϗ@b*X2{傌d  u?(xxucΉB85d|!Iws=ՠjs4!de.򫆉3֟Y^E-J3ASpŭ?{ !ZBg_ֺNNI$ʻ[ؚ)nۂ 1 o8¼e[ >&n,=ԕP* -#h'%*ryB4RUx!}mৼ\$2_LBc9`31.ĝb~Q_=Vف#g.{Mg᥈/c6Z"^9C*G\k.AK R<􋘍(C Kf{9?QObζ#&9^#)>ˌJSy_m:@YjЦ rw1T!Sʎ׈ޫ/%ݫF&áCYYܲgR\q7ᏹLɣ_ǴT2x҉҉ P_w &t[1u $4m;ݎ(b=ghv\MtKyu.&r1~ ci~2>b!QP n_[_t<"RKF׏,ĸ>X~Q8[α8{٭2_ U.77g+/!?f|QXpi!yr{ J6߂5`2RAXrC]T*mStڰ ~~hlJiyE{qJh1HkP\_mG*Ol~}ہyv7֛xbL;76vBcNᨣhhczU~ˊп+$y:}:U%\`5Dc714y %8N:&Z‹m)uK[Ȧnrxh> b./AJz3|X#(e :W>xLNu49&.)@gتګc.椣D(gL\-VcSd]wQcz/9|, D7yi̤+=hM7 d׈mzy[e {V7uAEۿؚi&5TEP5C*xô;z}vEWkW0{dBQ5NggH {bo)g!dj<:̈́(ޞ^q2by=ߕ?hduVcXqyt Y mgX4>^G@Ƹzu"i*k?mUTwi`Đ|lLfzgX IfV001[YUʇZM*g#b>+1 X?NѱqF(9-*Huk&n*l_Coj+i5 bMk)bO%aF@ZX(V bZjj;סu+NT6sbE:)C!u9}$Ƽg 2״k4AseG*"Rc(!zZdɟzpeB+jߖ݁A9W/H,AzzMLk\[n+yn? |(@N#_4RfU't8d6g9M08́pưË J6C'[N>y LRs;YdEA 0~Sd%yzB4y7mdbJE?lEdbDH\i*v9; 3WuYJ]@AuLÁh\<MIlCB9776"4?M(v C|lf+E+M{XJ O1e tl5\*xƩ)\A6KL2{ ?EEjum]z|S#G^@fET;Tτg' aebNm+Qae2 ~%&} = P &bMsVtY'*yBl%Kmsdg \OX5qW$BFHK.(K 2[agDrMKgV(b;p0neѕî|N1rV}#Dsͅkɱ%i b`Z7\okT#pˆdaH_}7/Ss٠ӌPfWS}W Չ;f,br~u?#z[pS7~]9R'Z]jWY}FSSK[7ϾH刼}vog<$W̌6Y4 '|&eiNet7^iPn_p%24].# ަdyZ kzP ͉`,Wv.Mc!S#>&4d]Ci&]Cy>"#E}֎˯TB%Di;GOfX5]׌|D\\%/h|[s Xh{gi$ D5#ҧxL iMnDe?xV.,#2@bM>?7kIn Jsx⺮< 8yAG9e >O#=O*~ FiӨ>' >{0\.Еw݈yi~,ꝶep1nLa7˦ DDzot~HdQvΦJ dd6+NvnǪ*ZOmBI eto;Ubh fR[QjI 6QNd_*UDX7Mo V.y9%eYdS2˅쇢?~Xd>d[ X.4d13@JOQOݔh e>&fxMiƛ+#i2:)P1MĐ{izITf92_ N2-"i{޽g$L 8ޏXEacƪEK- +VYp4mT L $>z9nr0wN5s`>cjʮdx(`G[a$[Bm R<^Q sW;C.W+<.u Z[S]΁s? ;SML9PaE]ٳ#m=.1t$k C<Z&ƺP g%AwC-Jwsr Ħi.s nuL zπY((pֺ悢1;F#vd|*iak-5vd!{^ Xr=q))QC-Wo T0RQЮ. ( J%9ʩ9aQ˕v$hlA' V QD P0DDOx!h>K6=y‘iV,=凫wʊ%PZҢT:⺥S f[KAl) 7kqjJ-/.h*"XV϶PK7gjd) E(ᯧpRa@rgE7C6?3  .sV|'ua=5+R@{MjʆQk. 
<6lTP>@Ѓ/JwLT';aWVh|.K$9'}8פF }|Vi5qm { \Jpj$_=t}`#2*KDq^F)>_N 'Zt2>ˍG MOLJ4qJ+ ^='֔B" Zș]QSJL%Id9X3ܽH:nGn夒.K\D1Kvq%p_"Tx& ' tǵb{$̯80o=О?MvzB65Yrwa4+%S#f+/aULfXF^!RN$Ig؏HBO,=<ڵ)1t7>K.a} U/l%=p;yGV{&Ҹ.p1danr_`H/DG eXd-nw** ̢j:g#kĪ4E (㢖X8E% o59%` H8[g,˻[(.& 7vX XԦ6HTSdlMyk{7sc\K^Q7aN1.cP\O,t1'Hob ~aǛ/KgBmzaEի(D!H6`yXzn*&2'A1VZ\sQF[<^r&aW/rܷ0T6'E\28Q<C)k95}N݇/f\iʦF(Jn0ۏ ~OaLPkd6ZAV[koW"qk_'kGV 9BLo;Vur-$!SÁdf}73t 3ӊJ- 9z , RUѥpC6lXG~Ԁ߼ÏRcRؕ+9&|_[kY=:IaƵDߐVqauY =^x0ZtFAA 4֊ wTg[oby=څ49WRXV R,m]q [Arϸ-EEӃٳQOjJ Yce}ET]z&Iy.K|%"#E@4~:uXԺu۝ =Q$k 5%DO BVT; Y G=n,ջmk\pr Q$$P<|5iOu~V`.ɚF*pȱdfnD9K\_Q vȦ-@VP(xJ0~&/QN^y'V jDVtjzvݶbmuKZs.aoH|+FÏwQhx>92 GߑaDO1,b",f]ug#'(ϧ_uʹ/&/=A6m)@3 җMdUI]# 2vZfxI|E׾~<)F&.&L2+hҽ)g%"z 'f'GWZ^Ρ圠v<=>ȁ-Y$YMI}I쁸.BӲ".  lޥ MS‡3S>8!uZ5ȶ݇gaLSdi`c@%u =S$ \w_XZtcրT(s@2&(.@:꽩ʊ\Cs /f]+g6=b( /9B9G K/iP^8hN/_;;OP<m&`T[ɓ*~ "i IO aN<Sm&H,ujwWJ|Q"9nOljinIM1Gأu~s5nEKaiW).z' 1HZ11\_|KfÔ>o63M-m B$\5R5W6/9Svg:'\x 8w 2Nx[.Is{~[5bRסI&夶2(uf"g["7KZ o{b^߂ZX(@f0OsK\] GMznnj]u&q;@'Szhm zlqEXnwqGeB,~`$,͒gg:]9 c ff}eϮ^.͆k3-0#*p62rXhIP+"?D2c@~h{ӟސgCxM\šsygJh-~=trGdykSRO'Uk1 L#2sIG-eq,H^/VT(2 x_k> .SL l7{ܵЀtJRy g>H$'*Ldrm7vlm);<'K8RjT1'L !}8Lyu0BS۾Z0IqdƍADyl#*\+38l1=#%vnNI;Vaq_Xb,3UƋb E?Oo79 %">ڇ!g~$*yPҐw "]sKMW@M_cuA>#%!? Ȗ!7:[ۇ4,פo݆IZ^oΏ&ҭAڰ,wee&2 ?s{ͦ͋"s~Ɂ,J3Na/.I,ZT&W8N᫄c_8İY}ڊ XrWIXo.߁d]Av&R9PdbzFN pp$}Ojͽj]C P3 JW ?0p6kŽ%vASwx&ȟH-#ru6S qGkѯH; ۺ<4@zXicwX3m`C,U6u%hۆ(ZQe QNBܖ"SA}N/Fb#T6" [C,p ]`0՜t?7uALNxh3>Q8 .GG HƗӀˠi3eza/4T1r>Ktn24d1iR/>Qw#yџWP. 
?Z5OWe',:9AY4s:2[Rُ89S ]&F) '^+*+o+K.w& KPc(D ]{;qQ0O"Nq楸 *J&2l7"A-RN2zx|" ŝ׺[SY96,ۅ`\W.VT[ġNmaWiPk7]fO6T {+A!*q'*+P̎ULIP/6Yy'FB,cc"'Jm֙ʿDLQHߤHmTrLӿUYf;Gf .m&= nJAR[?.'VQ?5Iݕ;m^{ c`Reb.2u)β2&KԿ3~N$ 337|y.\#BO E|>@0bIqvR!bd~$ӐN\Fxi2 ʼFI<+T CS똵TidWR'aˤ.W9ΘO*X3ZPlC迮t6Wآ;\G֯T ŀ㍟rS3@ k Lj+P"է :ϝLrp>Z-߰0H20d.b:~2ܟ4r +O|8*D6I$Tqed:?XF$!̜F<,7Šb9woEuk4%I% @i Y!?*fpvRršc` 9d],N]G!V^vwSgKQ* JjFʍO"ÈkM֗&ol $B\HS#?gV0F,9!|11G -Ӕ_x7WnԝdTcU}.ѣ]RjbdM=o(PCkWXgp#G:qB+L( I3 \\ۃv^FWɕV#03IRadP|C#jA֬J 'LJ}H`EN,g\eRh5e/@`+rQT>?T4п#B2T =ںhGr ٨Ğ&b#}Kt7Yg7QpKen{)}A xyCPc"dQ0_/ڥ&ONP$vItQˌbCp׹Jfy3tIP}$l`BK/l|׫T)gxx1J%W[ ]{ .z` ެ2U6W꒣!SWLpjÖ8˼n0ud!*Q yX2&W[5FkZ2c`&g LWW%qDzkBɃt/<: AsQoLހ*o>£R,TB,{_&eMg w \Rsc,? m {N{m/v1HXJ*pݍ//ǹxfKZ)^ևd Ïh9JYD0bù$>Jj3 ' r\ %27?@mf]rI wufz n1" X {d"~#8-1'(\޻Cz 35H87YxAmZ^\^uvnx7_r7):҃+BU :6ӊR 2S ďNQZ"Pw}4&cKvT v;/j~&\ j>,*p!  wB@/"o^^Nчn2nDThb~Kβ|O1X;7yL8/^||\Ui k6^;mH(;zvūf]uz@ȿ. P]T zjC¤u~NC`b!` Obrk`':nZ=PO*(R#'!H2'-pal)R8@ O~[cr8۵A|D܌_#]{Ns>Uߖcݎa^S!َt;x i=*9ڸgpb|3Ӫ\E!v^cK =Jc5X¦TE~ u," q(녮kc+g=~}7,,Phf 7NΕ"l"%}i{r{ evT>ԚB爋S𔅨@0vЬi1DŭtydһEy-u|5&ime)wtjĵDSMO ysRBS^C!OQQ=frFʰmGmo&lTWDv'T2hkm*MR٪ ӷEVBbmtЪFM<6i ,Zy][@\ wQp֍a?JsnoK1=;#dtp9qשrrBM9p`rssh ''(^Vk]}7dbN鏌Zf.vįCAeq8MwͳgYQ>˫s9@cH'SZ=^8͙tE+[H뎙`t<昢}~?B4/)LQp F衂Έ}^FrK/LI2W`/oNHf=.Td?^z)[!nO{;PK Ax7vM=}`[wӌE- f%u2U2tt)Ay?~f7Hy8]4-4$Bc P\$>ñCe+ ) o|6p@) eѽ%XnV!^T{_21\̇$=b:0u~FKOy۟@8q](RpUG0%qa Ek-LTW5dR;ɕƮ~X ϱrv`I>uw/5nި/ѸmˌdݵfmxjI'91 !밲RxYMj~q/=f ^[޼6dfnqanchF+[ Y𕘴 Pj! 
"cGҡ⤲[.Jb5A6K0Wl 'Qmq=2P.!D°io> NUFup;ގۊ͐yeպrmSوVlK Bވ3;?Tb\vl?gw&Jrc1Āh| [:D6PU5ѲޛGoj+s< 4<W 0W"!9#H5H/=D[6ǯb$(lq[{$mh%p%='ҟ[nu B]ϣs7Oѽ zB̸Ž҉·YbfL󁤵/0ɮJ>$voLY Tꬖ¶Q#ŒlVQ=|l?E.NH m7>eG@'Chyi@ժȋ̔%`[` ( g~Eq;m;\x#YT+Op8; fcSo݂v+TɘҤn_]TaYT'F*լ!%U;5(>3o97N7vQ[yVаBL@H_)'{bÊ>?3y"QH<fAN!:nvؒ+\X [N_9u|,p/_T^8SѧDtnȪЦ-9?oІԲ hO>d sϽ?Ћ~d !OM XA ALpՅ7 up\,\<~Dޙ 3-j(ki  uJ4_¬j4+GB?w/Y {jmt G$Up:D=tYEdWf,ݨ(Vd1 lhsjXh ]Ca_,lPZG2hŇz׿JEoYˁ}.iZ2Hz cte4`;qIߤjFRF#(:zҷA8>>'ƈnڍs `u^K^0GQએؚ''8WoHp-8#v@FHG!*=Tm6P3I ^ި2TbGy(i8hKiu:h%ӽ:JPk#Bfa58U-Թ{gMY0PӺEaׄ|IL'R8g;XW UL&-fr(S6ZkB?G 02iۭ*SiWgj}%d;w!熙 <)VT¶!ەf?̝wcrc]M&(@s!1mP#PTB">|`cD>p9n3 X5t;Tz?v_[7/xs}/Ld_wD%+*יX͏n:DP N{iYΫn|-`npHZJLEQgX} Lⓞ>j\Bp"/K=R>b Ϳؒr I sICs@qELSqeC Ds5ݴ݃k NYLCݱVi =P +iu_m}y;\İMvwCޣ1WRGǧ?~K)bÒ ܟn2lmLzC%QEg Nwj71¼ }QPجo?lm'v6ꡔ$"~wTciK&-p']iJm?!m?}0WFn?;W {>4mDO軍;3Uuη k%:oGQ<:.x8 6[$/6Jl29’IM{` R$Ʒ [pvϢR?!$%W3U C9dlĘ$0D'[-Q:](ЯcFFbl Fc=]6ygl3SW-,]Es.5[5ѽXlGW^b@'( wMk_+ZsF Q nф`5FdP+`\+r͑G9y `Q+~baQlSzm(ğ11p?-WeiDw 2XeѹZ{9x*kdN߫&_DiݴǪ:E%k {e\Sq7>Oͪ=[b/C`P}5Qs/!Fo|wDD*Nb~A}@kc7p0q>t#r5L犠ktptQw|80c%pЄ:((誑RW'Їϳ[o)݅UfT'O&`DȀ-q }3oz#ۥSa)v?1il!` l.߼4# y>}M'$q KY@h:RJS{K|Zk=#8ZT}ʼ1-R);狑PwGS2f20LSmSG I2Lg)%?8gɎ ]sN9Y,e`eK͇%];J-r"_V  [b)=r^DUX.߹PexX8$NHd!VT*ú;2%RRvڙ㨯8RDL)5hRdZN2g"4zga7*K!B#'ؗ`Y:PvV4guB(u0AZO Y(5~ydb/$)J/wRƠAFxX"`(yz/rZy Kp9ЪWM}%3@P2Ioc :l4+gգ5,K&ɊqVh 0P_/!Ga٬8v1L j9kX۽xTOD5zxY"d͙J; %3x^"n-?ι2*< 9M'ԡ(Z+[dD_#yĖ~.!΀%!!vcHͫmTT͑3w(Gn~aVJB2/zU_]!cwV=QMAТ)8\L^FTp^X +yy>,k7`nnaQzjBꕘN(LqT7x蟏"eC%&E Щlf#Q6+_ 5NglӀ5̬=vM;6GZC|N'ɰ]hˍӫ<⻂:Jw^7]pe\xx%mQɝUR 2KmARѮf`Xg!Kxdy0::ģ?Qp8tQ֩*".2ZaEá|iK x'b| Z^&Gd+{ǣvtˇ'˵܇"GRo,AS N-Ui%l| %Fs2k)$x%[tٌ\sXi3g#{`?u[ O]u=u jCoޕGIK||<G>g6 A?B8::A} .;ᑸӽ+SJի͑[]v5ɥ63Mh'KB#"ճR: yЖ,k'"Je~[Y vAhzUx Ai)pbv„ 9/v~sXˤi?Xgr$L:)\/-MU $Y"רB*{.#nWܥxal_h|P{d 23k"W,>E8&bV.6]s&v-BE3Ƌ!!qڢ$J«z9r^ I\S~η>Ysʝl Yײ5[RӔfDkH׺n0DeZ'&<pT@F`ܭ~3 97]=:KN²q)[%Tg|PNb07I|t/l/,˰8J޷*=4n#'`eH˳ց, G UPD@wO_T4(sf`Mow5\YF过$. 
v^=sO,Guw B0`.'"mɽGS0:vI)`U7"?Ml(: ln\`m ħLso]Zͩ@3'X"@v>` /=94'1R6)09i_AqSK?Sv {- Za0;Aj_4]ZQm{Hɱ=}%~xd 6] BG@P͓]S03Pkc<\_b(N&:<,x$ #f)d4; qs=+}Gq" Tw},}TӻE]ܮqfڞH: hKJ:GEp-a^rZg/VU2#7g<}Æ6`d.=xLj6YnClP*0hzzv$ah*Vn8/28ݖ9օ(3>9%I,FKBoLfX0?BI֍ <"+AjTಢԹ YZ