ipa-server-trust-ad-4.6.8-5.el7.centos>t  DH`p_H$ƨ3Qߊ?OwGTv <[C1Cg?Y._*jQzoʺ9@1jR &!^=409bfcd4835b3afe655cdfa3fe03a2317bbd8109__H$ƨ.K~' %{4YN9"gޡA:~jpel9 9( D12EYn|"*rnp5}~c3s%lO&Ѓ'0gczE6,Dh5?gc*V_ǦVwB"&ktxol)D mǜUsBIғv&1VA8I*Mb<-TBgut1ds)TD &LUʝQeFgFs䄄 eZ\ n+S#ْD{u;z[]Թ1I ɕJE)`256 WaX?$#]?|.$|WH\4k}N/*5:Zg7s,r=W67akUw9YinDX^ffrqmY_eIfecg=EvLg-:0;.+<\@kC 4>F?d ) r $<@GN zq4 h            ! b  C CtC(8 P9`P:VMP>+?3@;BCG\ H I XYZ [\ ]L ^Q bzd?eDfGlItd u v wH x| y0pCipa-server-trust-ad4.6.85.el7.centosVirtual package to install packages required for Active Directory trustsCross-realm trusts with Active Directory in IPA require working Samba 4 installation. This package is provided for convenience to install all required dependencies at once._{+x86-02.bsys.centos.org,CentOSGPLv3+CentOS BuildSystem System Environment/Basehttp://www.freeipa.org/linuxx86_64/usr/sbin/update-alternatives --install /usr/lib64/krb5/plugins/libkrb5/winbind_krb5_locator.so \ winbind_krb5_locator.so /dev/null 90 /bin/systemctl reload-or-try-restart dbus /bin/systemctl reload-or-try-restart oddjobdif [ $1 -eq 0 ]; then /usr/sbin/update-alternatives --remove winbind_krb5_locator.so /dev/null /bin/systemctl reload-or-try-restart dbus /bin/systemctl reload-or-try-restart oddjobd fi # ONLY_CLIENTif [ "$1" -ge "1" ]; then if [ "`readlink /etc/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then /usr/sbin/alternatives --set winbind_krb5_locator.so /dev/null fi fiy+(($ (  K hA큤A큤_{+_{+_{+_{+_{+_{+_{+^^_{+_{+^_{+3fba2a8da609c2de4df08f22d567b5c1292f0a56e5a0c2636ba6c1040a28b7400ad643bf46af7841cd833430676e6935b2694b67410ec65934e286a5c79d538fe3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b8554ba1c6f804478f341538ddb0a96ae23f587a8c110e258aab3977b8e705d1507d20b1bf59e959f5dc1d6b9bbbe4ce9bbe7fa4be10f44960c04b3e6f1c8d3b7d942120a710a7f24599fc964fa80bb46eebaafcbda6e1f37e70208033bd59154c9dcb848ff4581a0f7b395b359d630d82e4c8866209af8a4a314239c5dcad00366e07123d8e70e8734bf29cdadf9940a96dde99bcc4b29033dec71037aae65f686d8f8c32ff48bae57e2b73c9c795cc211125ab1a65f13a2fb309e58e8ceda9ac918ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903f6340803f3e0fdeab41c14b8ddcfc73601dc5e09056f29e624fd55d6c86f57af@rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootipa-4.6.8-5.el7.centos.src.rpmfreeipa-server-trust-adipa-server-trust-adipa-server-trust-ad(x86-64)  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@   @  /bin/sh/bin/sh/bin/sh/bin/sh/usr/bin/python2/usr/sbin/update-alternatives/usr/sbin/update-alternatives/usr/sbin/update-alternativesipa-commonipa-serverlibc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libc.so.6(GLIBC_2.8)(64bit)libcom_err.so.2()(64bit)libcrypto.so.10()(64bit)libcrypto.so.10(libcrypto.so.10)(64bit)libdl.so.2()(64bit)libk5crypto.so.3()(64bit)libk5crypto.so.3(k5crypto_3_MIT)(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)liblber-2.4.so.2()(64bit)libldap_r-2.4.so.2()(64bit)libndr.so.0()(64bit)libndr.so.0(NDR_0.0.1)(64bit)libnspr4.so()(64bit)libnss3.so()(64bit)libnss3.so(NSS_3.2)(64bit)libnss3.so(NSS_3.4)(64bit)libnssutil3.so()(64bit)libplc4.so()(64bit)libplds4.so()(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libsamba-passdb.so.0()(64bit)libsamba-passdb.so.0(SAMBA_PASSDB_0.2.0)(64bit)libsamba-util.so.0()(64bit)libsamba-util.so.0(SAMBA_UTIL_0.0.1)(64bit)libsmbconf.so.0()(64bit)libsmbconf.so.0(SMBCONF_0)(64bit)libsmbldap.so.2()(64bit)libsmbldap.so.2(SMBLDAP_0)(64bit)libsmbldap.so.2(SMBLDAP_1)(64bit)libsmbldap.so.2(SMBLDAP_2)(64bit)libsmime3.so()(64bit)libssl3.so()(64bit)libsss_idmaplibsss_idmap.so.0()(64bit)libsss_idmap.so.0(SSS_IDMAP_0.4)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtevent.so.0()(64bit)pythonpython-libsss_nss_idmappython-sssrpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rtld(GNU_HASH)sambasamba-pythonsamba-winbindrpmlib(PayloadIsXz)4.6.8-5.el7.centos4.6.8-5.el7.centos3.0.4-14.6.0-14.0-14.10.05.2-1freeipa-server-trust-ad4.11.3_s!^W@^3^^@^^y@]]]{@]@]@]]v>]_@]Z@]S]>]@]^@\]@\\@\8\@\7\@\@\\+@\X)@\@[[\[s[[v[qr[m~@[U@[,[d@ZZ̧@Zz@Z\ZV@Z1@Z%8ZYZ@Y@Y+@Y@YX@YY@Y@Y{'@Yf@YRHYJ_YBvYA%@Y7Y7Y%uYYYY @Y.XXQ@XX@XۡXP@XX,X@X|@X|@XS@XOXOXN@XX2@WW@W@WiWQW@W@WWE@W W@W~Wv[@Wj}Wj}WEWDB@WDB@W>@W@V@VVZV@U@UYU@Uݪ@Uݪ@Uݪ@UoUU(UK@Ub@UJ@UU @U hTE@T T}TTZ@TZ@Tp@T5T@TuTto@TsTl@Td@Ta@T[bTG@TG@TFJT)IT%U@T$TSS:@S2@S1oS!S!S L@S L@Sc@SS @Rb@R@R@RUR@RRx@RR=RʚRƦ@RkRv@RG@RiRz/@RxRsRo@Ro@R^RW@RNR@-@R/ R-@R(r@R7RZ@R R R@R@R@R@R@R6QQQ'@Q@QvwQu&@Qm=@QZ@QVQ(@Q@PPPPPx@Px@PnPj@P\VPG>P@@P4P.2@PP @M6@M.@M.@M.@M-M M@L!LfLNLdLLLzLe3La?@LD>@L#HL#HL@K/KՀ@KK@KKs@Kie@K`*KK@K @JJ@J@J@JJB@J{IIIm@I1Iq@IKIFFI9I1.Ih@IIP@H@HXHO@H-w@H HHH@G߮GGgGs@G@G@G@G}G}G}GG@GC@GkGDG<4G)G(n@G3G@GJF@FS@FFuF@CentOS Sources - 4.6.8-5.el7.centosFlorence Blanc-Renaud - 4.6.8-5.el7Florence Blanc-Renaud - 4.6.8-4.el7Florence Blanc-Renaud - 4.6.8-3.el7Florence Blanc-Renaud - 4.6.8-2.el7Florence Blanc-Renaud - 4.6.8-1.el7Florence Blanc-Renaud - 4.6.6-12.el7Florence Blanc-Renaud - 4.6.6-11.el7Florence Blanc-Renaud - 4.6.6-10.el7Florence Blanc-Renaud - 4.6.6-9.el7Florence Blanc-Renaud - 4.6.6-8.el7Florence Blanc-Renaud - 4.6.6-7.el7Florence Blanc-Renaud - 4.6.6-6.el7Florence Blanc-Renaud - 4.6.6-5.el7Alexander Bokovoy - 4.6.6-4.el7Alexander Bokovoy - 4.6.6-3.el7Rob Crittenden - 4.6.6-2.el7Florence Blanc-Renaud - 4.6.6-1.el7Florence Blanc-Renaud - 4.6.5-11.el7Florence Blanc-Renaud - 4.6.5-10.el7Florence Blanc-Renaud - 4.6.5-9.el7Florence Blanc-Renaud - 4.6.5-8.el7Florence Blanc-Renaud - 4.6.5-7.el7Florence Blanc-Renaud - 4.6.5-6.el7Florence Blanc-Renaud - 4.6.5-5.el7Florence Blanc-Renaud - 4.6.5-4.el7Florence Blanc-Renaud - 4.6.5-3.el7Florence Blanc-Renaud - 4.6.5-2.el7Florence Blanc-Renaud - 4.6.5-1.el7Florence Blanc-Renaud - 4.6.4-12.el7Florence Blanc-Renaud - 4.6.4-11.el7Florence Blanc-Renaud - 4.6.4-10.el7Florence Blanc-Renaud - 4.6.4-9.el7Tibor Dudlák - 4.6.4-8.el7Tibor Dudlák - 4.6.4-7.el7Florence Blanc-Renaud - 4.6.4-6.el7Tibor Dudlák - 4.6.4-5.el7Tibor Dudlák - 4.6.4-4.el7Alexander Bokovoy - 4.6.4-3.el7Florence Blanc-Renaud - 4.6.4-2.el7Florence Blanc-Renaud - 4.6.4-1.el7Florence Blanc-Renaud - 4.5.4-10.el7.2Florence Blanc-Renaud - 4.5.4-11.el7Florence Blanc-Renaud - 4.5.4-10.el7Florence Blanc-Renaud - 4.5.4-9.el7Florence Blanc-Renaud - 4.5.4-8.el7Florence Blanc-Renaud - 4.5.4-7.el7Alexander Bokovoy - 4.5.4-6.el7Alexander Bokovoy - 4.5.4-5.el7Pavel Vomacka - 4.5.4-4.el7Rob Crittenden - 4.5.4-3.el7Felipe Barreto - 4.5.4-2.el7Pavel Vomacka - 4.5.4-1.el7Felipe Barreto - 4.5.0-21.el7.2.2Felipe Barreto - 4.5.0-21.el7.2Pavel Vomacka - 4.5.0-21.el7.1.2Pavel Vomacka - 4.5.0-21.el7.1.1Pavel Vomacka - 4.5.0-21.el7.1Pavel Vomacka - 4.5.0-21.el7Pavel Vomacka - 4.5.0-20.el7Pavel Vomacka - 4.5.0-19.el7Pavel Vomacka - 4.5.0-18.el7Pavel Vomacka - 4.5.0-17.el7Pavel Vomacka - 4.5.0-16.el7Pavel Vomacka - 4.5.0-15.el7Pavel Vomacka - 4.5.0-14.el7Pavel Vomacka - 4.5.0-13.el7Pavel Vomacka - 4.5.0-12.el7Jan Cholasta - 4.5.0-11.el7Jan Cholasta - 4.5.0-10.el7Jan Cholasta - 4.5.0-9.el7Jan Cholasta - 4.5.0-8.el7Jan Cholasta - 4.5.0-7.el7Pavel Vomacka - 4.5.0-6.el7Jan Cholasta - 4.5.0-5.el7Jan Cholasta - 4.5.0-4.el7Jan Cholasta - 4.5.0-3.el7Jan Cholasta - 4.5.0-2.el7Jan Cholasta - 4.5.0-1.el7Jan Cholasta - 4.4.0-14.7Jan Cholasta - 4.4.0-14.6Jan Cholasta - 4.4.0-14.5Jan Cholasta - 4.4.0-14.4Jan Cholasta - 4.4.0-14.3Jan Cholasta - 4.4.0-14.2Jan Cholasta - 4.4.0-14.1Jan Cholasta - 4.4.0-14Jan Cholasta - 4.4.0-13Petr Vobornik - 4.4.0-12Jan Cholasta - 4.4.0-11Jan Cholasta - 4.4.0-10Jan Cholasta - 4.4.0-9Jan Cholasta - 4.4.0-8Jan Cholasta - 4.4.0-7Jan Cholasta - 4.4.0-6Jan Cholasta - 4.4.0-5Jan Cholasta - 4.4.0-4Jan Cholasta - 4.4.0-3Petr Vobornik - 4.4.0-2.1Petr Vobornik - 4.4.0-2Jan Cholasta - 4.4.0-1Jan Cholasta - 4.4.0-0.2.alpha1Jan Cholasta - 4.4.0-0.1.alpha1Jan Cholasta - 4.3.1-0.201605241723GIT1b427d3.1Jan Cholasta - 4.3.1-0.201605241723GIT1b427d3Jan Cholasta - 4.3.1-0.201605191449GITf8edf37.1Jan Cholasta - 4.3.1-0.201605191449GITf8edf37Jan Cholasta - 4.2.0-16Jan Cholasta - 4.2.0-15Jan Cholasta - 4.2.0-14Jan Cholasta - 4.2.0-13Jan Cholasta - 4.2.0-12Jan Cholasta - 4.2.0-11Jan Cholasta - 4.2.0-10Jan Cholasta - 4.2.0-9Jan Cholasta - 4.2.0-8Jan Cholasta - 4.2.0-7Jan Cholasta - 4.2.0-6Jan Cholasta - 4.2.0-5Jan Cholasta - 4.2.0-4Jan Cholasta - 4.2.0-3Jan Cholasta - 4.2.0-2Jan Cholasta - 4.2.0-1Jan Cholasta - 4.2.0-0.2.alpha1Jan Cholasta - 4.2.0-0.1.alpha1Jan Cholasta - 4.1.0-18.3Alexander Bokovoy - 4.1.0-18.2Jan Cholasta - 4.1.0-18.1Martin Kosek - 4.1.0-18Jan Cholasta - 4.1.0-17Jan Cholasta - 4.1.0-16Jan Cholasta - 4.1.0-15Jan Cholasta - 4.1.0-14Jan Cholasta - 4.1.0-13Jan Cholasta - 4.1.0-12Jan Cholasta - 4.1.0-11Jan Cholasta - 4.1.0-10Jan Cholasta - 4.1.0-9Jan Cholasta - 4.1.0-8Jan Cholasta - 4.1.0-7Jan Cholasta - 4.1.0-6Jan Cholasta - 4.1.0-5Jan Cholasta - 4.1.0-4Jan Cholasta - 4.1.0-3Jan Cholasta - 4.1.0-2Jan Cholasta - 4.1.0-1Jan Cholasta - 4.1.0-0.1.alpha1Petr Vobornik - 4.0.3-3Jan Cholasta - 4.0.3-2Jan Cholasta - 4.0.3-1Martin Kosek - 3.3.3-29Martin Kosek - 3.3.3-28Martin Kosek - 3.3.3-27Martin Kosek - 3.3.3-26Martin Kosek - 3.3.3-25Martin Kosek - 3.3.3-24Martin Kosek - 3.3.3-23Martin Kosek - 3.3.3-22Martin Kosek - 3.3.3-21Martin Kosek - 3.3.3-20Martin Kosek - 3.3.3-19Martin Kosek - 3.3.3-18Martin Kosek - 3.3.3-17Martin Kosek - 3.3.3-16Daniel Mach - 3.3.3-15Martin Kosek - 3.3.3-14Martin Kosek - 3.3.3-13Martin Kosek - 3.3.3-12Martin Kosek - 3.3.3-11Martin Kosek - 3.3.3-10Martin Kosek - 3.3.3-9Martin Kosek - 3.3.3-8Daniel Mach - 3.3.3-7Martin Kosek - 3.3.3-6Martin Kosek - 3.3.3-5Martin Kosek - 3.3.3-4Martin Kosek - 3.3.3-3Martin Kosek - 3.3.3-2Martin Kosek - 3.3.3-1Martin Kosek - 3.3.2-5Martin Kosek - 3.3.2-4Martin Kosek - 3.3.2-3Martin Kosek - 3.3.2-2Martin Kosek - 3.3.2-1Martin Kosek - 3.3.1-5Martin Kosek - 3.3.1-4Martin Kosek - 3.3.1-3Martin Kosek - 3.3.1-2Rob Crittenden - 3.3.1-1Rob Crittenden - 3.3.0-7Martin Kosek - 3.3.0-6Martin Kosek - 3.3.0-5Martin Kosek - 3.3.0-4Martin Kosek - 3.3.0-3Martin Kosek - 3.3.0-2Martin Kosek - 3.3.0-1Martin Kosek - 3.3.0-0.2.beta2Martin Kosek - 3.3.0-0.1.beta2Martin Kosek - 3.2.2-1Martin Kosek - 3.2.1-1Rob Crittenden - 3.2.0-2Rob Crittenden - 3.2.0-1Rob Crittenden - 3.2.0-0.4.beta1Rob Crittenden - 3.2.0-0.3.beta1Rob Crittenden - 3.2.0-0.2.beta1Martin Kosek - 3.2.0-0.1.pre1Kevin Fenzi 3.1.2-4Kevin Fenzi - 3.1.2-3Fedora Release Engineering - 3.1.2-2Rob Crittenden - 3.1.2-1Martin Kosek - 3.1.0-2Rob Crittenden - 3.1.0-1Martin Kosek - 3.0.0-3Rob Crittenden - 3.0.0-2Rob Crittenden - 3.0.0-1Rob Crittenden - 3.0.0-0.10Martin Kosek - 3.0.0-0.9Rob Crittenden - 3.0.0-0.8Rob Crittenden - 3.0.0-0.7Rob Crittenden - 3.0.0-0.6Alexander Bokovoy - 3.0.0-0.5Rob Crittenden - 3.0.0-0.4Martin Kosek - 3.0.0-0.3Alexander Bokovoy - 3.0.0-0.2Rob Crittenden - 3.0.0-0.1Rob Crittenden - 2.2.0-1Rob Crittenden - 2.1.90-0.2Rob Crittenden - 2.1.90-0.1Alexander Bokovoy - 2.1.4-5Martin Kosek - 2.1.4-4Alexander Bokovoy - 2.1.4-3Alexander Bokovoy - 2.1.4-2Rob Crittenden - 2.1.4-1Rob Crittenden - 2.1.3-8Alexander Bokovoy - 2.1.3-7Alexander Bokovoy - 2.1.3-6Fedora Release Engineering - 2.1.3-5Alexander Bokovoy - 2.1.3-4Alexander Bokovoy - 2.1.3-3Alexander Bokovoy - 2.1.3-2Alexander Bokovoy - 2.1.3-1Alexander Bokovoy - 2.1.2-1Rob Crittenden - 2.1.0-1Simo Sorce - 2.0.1-2Rob Crittenden - 2.0.1-1Rob Crittenden - 2.0.0-1Rob Crittenden - 2.0.0-0.4.rc2Rob Crittenden - 2.0.0-0.3.rc1Rob Crittenden - 2.0.0-0.1.rc1Fedora Release Engineering - 2.0.0-0.2.beta2Rob Crittenden - 2.0.0-0.1.beta2Rob Crittenden - 2.0.0-0.2.beta.git80e87e7Rob Crittenden - 2.0.0-0.1.beta.git80e87e7Rob Crittenden - 1.99-41Adam Young - 1.99-40Simo Sorce - 1.99-39Simo Sorce - 1.99-38Rob Crittenden - 1.99-37Rob Crittenden - 1.99-36Rob Crittenden - 1.99-35Jr Aquino - 1.99-34Simo Sorce - 1.99-33Rob Crittenden - 1.99-32Rob Crittenden - 1.99-31Rob Crittenden - 1.99-30Rob Crittenden - 1.99-29Rob Crittenden - 1.99-28Rob Crittenden - 1.99-27Rob Crittenden - 1.99-26Rob Crittenden - 1.99-25Adam Young - 1.99-24Rob Crittenden - 1.99-23Rob Crittenden - 1.99-22Rob Crittenden - 1.99-21Rob Crittenden - 1.99-20Rob Crittenden - 1.99-19Jason Gerard DeRose - 1.99-18Jason Gerard DeRose - 1.99-17Jason Gerard DeRose - 1.99-16Rob Crittenden - 1.99-15Jason Gerard DeRose - 1.99-14Rob Crittenden - 1.99-13Rob Crittenden - 1.99-12Rob Crittenden - 1.99-11Rob Crittenden - 1.99-10Rob Crittenden - 1.99-9Jason Gerard DeRose - 1.99-8Rob Crittenden - 1.99-7Rob Crittenden - 1.99-6Rob Crittenden - 1.99-5Rob Crittenden - 1.99-4Rob Crittenden - 1.99-3Rob Crittenden - 1.99-2Rob Crittenden - 1.99-1Tomas Mraz - 1.2.1-3Dan Walsh - 1.2.1-2Simo Sorce - 1.2.1-1Simo Sorce - 1.2.1-0Ignacio Vazquez-Abrams - 1.2.0-4Simo Sorce - 1.2.0-3Simo Sorce - 1.2.0-2Rob Crittenden - 1.2.0-1Simo Sorce - 1.1.0-3Rob Crittenden - 1.1.0-2Rob Crittenden - 1.1.0-1Rob Crittenden - 1.0.0-5Rob Crittenden - 1.0.0-4Rob Crittenden - 1.0.0-3Rob Crittenden - 1.0.0-2Rob Crittenden - 1.0.0-1Rob Crittenden 0.99-12Rob Crittenden 0.99-11Rob Crittenden 0.99-10Rob Crittenden 0.99-9Rob Crittenden 0.99-8Rob Crittenden 0.99-7Rob Crittenden 0.99-6Rob Crittenden 0.99-5Rob Crittenden 0.99-4Rob Crittenden 0.99-3Rob Crittenden 0.99-2Rob Crittenden 0.99-1Rob Crittenden - 0.6.0-2Karl MacMillan - 0.6.0-1Karl MacMillan - 0.5.0-1Rob Crittenden - 0.4.1-2Karl MacMillan - 0.4.1-1Karl MacMillan - 0.4.0-6Rob Crittenden - 0.4.0-5Rob Crittenden - 0.4.0-4Karl MacMillan - 0.4.0-3Karl MacMillan - 0.4.0-2Karl MacMillan - 0.2.0-1Rob Crittenden - 0.1.0-3Rob Crittenden - 0.1.0-2Karl MacMillan - 0.1.0-1- Roll in CentOS Branding- Resolves: #1826659 IPA: Ldap authentication failure due to Kerberos principal expiration UTC timestamp - ipa-pwd-extop: use timegm() instead of mktime() to preserve timezone offset- Resolves: #1842950 ipa-adtrust-install fails when replica is offline - ipa-adtrust-install: avoid failure when replica is offline - Resolves: #1831856 CVE-2020-11022 ipa: jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method - WebUI: Apply jQuery patch to fix htmlPrefilter issue- Resolves: #1834385 Man page syntax issue detected by rpminspect - Man pages: fix syntax issues - Resolves: #1829787 ipa service-del deletes the required principal when specified in lower/upper case - Make check_required_principal() case-insensitive - Resolves: #1825829 ipa-advise on a RHEL7 IdM server generate a configuration script for client having hardcoded python3 - ipa-advise: fallback to /usr/libexec/platform-python if python3 not found - Resolves: #1812020 CVE-2015-9251 ipa: js-jquery: Cross-site scripting via cross-domain ajax requests - Web UI: Upgrade jQuery version 2.0.3 -> 3.4.1 - Resolves: #1713487 CVE-2019-11358 ipa: js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection - Web UI: Upgrade jQuery version 2.0.3 -> 3.4.1- Resolves: #1802408 CVE-2020-1722 ipa: No password length restriction leads to denial of service - Add interactive prompt for the LDAP bind password to ipa-getkeytab - CVE-2020-1722: prevent use of too long passwords- Resolves: #1819725 - Rebase IPA to latest 4.6.x version - Resolves: #1817927 - host-add --password logs cleartext userpassword to Apache error log - Resolves: #1817923 - IPA upgrade is failing with error "Failed to get request: bus, object_path and dbus_interface must not be None." - Resolves: #1817922 - covscan memory leaks report - Resolves: #1817919 - Enable compat tree to provide information about AD users and groups on trust agents - Resolves: #1817918 - Secure tomcat AJP connector - Resolves: #1817886 - ipa group-add-member: prevent adding IPA objects as external members - Resolves: #1788718 - ipa-server-install incorrectly setting slew mode (-x) when setting up ntpd- Resolves: #1754902 - Running ipa-server-install fails when RHEL 7.7 packages are installed on RHEL 7.6 - Resolves: #1404770 - ID Views: do not allow custom Views for the masters - idviews: prevent applying to a master - Resolves: #1801791 - Compatibility Schema difference in functionality for systems following RHEL 7.5 -> 7.6 upgrade path as opposed to new RHEL 7.6 systems - install/updates: move external members past schema compat update - Resolves: #1795890 - ipa-pkinit-manage enable fails on replica if it doesn't host the CA - pkinit setup: fix regression on master install - pkinit enable: use local dogtag only if host has CA - Resolves: #1788907 - Renewed certs are not picked up by IPA CAs - Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit - Resolves: #1780548 - Man page ipa-cacert-manage does not display correctly on RHEL - ipa-cacert-manage man page: fix indentation - Resolves: #1782587 - add "systemctl restart sssd" to warning message when adding trust agents to replicas - adtrust.py: mention restarting sssd when adding trust agents - Resolves: #1771356 - Default client configuration breaks ssh in FIPS mode - Use default ssh host key algorithms - Resolves: #1755535 - ipa-advise on a RHEL7 IdM server is not able to generate a configuration script for a RHEL8 IdM client - smartcard: make the ipa-advise script compatible with authselect/authconfig - Resolves: #1758406 - KRA authentication fails when IPA CA has custom Subject DN - upgrade: fix ipakra people entry 'description' attribute - krainstance: set correct issuer DN in uid=ipakra entry - Resolves: #1756568 - ipa-server-certinstall man page does not match built-in help - ipa-server-certinstall manpage: add missing options - Resolves: #1206690 - UPG not being enforced properly - ipa user_add: do not check group if UPG is disabled - Resolves: #1811982 - CVE-2018-14042 ipa: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip. - Resolves: #1811978 - CVE-2018-14040 ipa: bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute - Resolves: #1811972 - CVE-2016-10735 ipa: bootstrap: XSS in the data-target attribute - Resolves: #1811969 -CVE-2018-20676 ipa: bootstrap: XSS in the tooltip data-viewport attribute - Resolves: #1811966 - CVE-2018-20677 ipa: bootstrap: XSS in the affix configuration target property - Resolves: #1811962 - CVE-2019-8331 ipa: bootstrap: XSS in the tooltip or popover data-template attribute - Web UI: Upgrade Bootstrap version 3.3.7 -> 3.4.1 - Resolves: #1769791 - Invisible part of notification area in Web UI intercepts clicks of some page elements - WebUI: Fix notification area layout - Resolves: #1545755 - ipa-replica-prepare should not update pki admin password - Fix indentation levels - ipa-pwd-extop: use SLAPI_BIND_TARGET_SDN - ipa-pwd-extop: don't check password policy for non-Kerberos account set by DM or a passsync manager - Don't save password history on non-Kerberos accounts- Resolves: #1778777 - After upgrade AD Trust Agents were removed from LDAP - trust upgrade: ensure that host is member of adtrust agents- Resolves: #1728123 - EMBARGOED CVE-2019-10195 ipa: FreeIPA: batch API logging user passwords to /var/log/httpd/error_log [rhel-7] - CVE-2019-10195: Don't log passwords embedded in commands in calls using batch - Resolves: #1773550 - IPA upgrade fails for latest ipa package when adtrust is installed - Do not run trust upgrade code if master lacks Samba bindings - Resolves: #1767302 - EMBARGOED CVE-2019-14867 ipa: Denial of service in IPA server due to wrong use of ber_scanf() [rhel-7.8] - Make sure to have storage space for tag- Resolves: #1762317 - ipa-backup command is failing on rhel-7.8 - ipa-backup: fix python2 issue with os.mkdir- Resolves: #1755223 - Sub-CA key replication failure - Handle missing LWCA certificate or chain - Fix CustodiaClient ccache handling - CustodiaClient: use ldapi when ldap_uri not specified - CustodiaClient: fix IPASecStore config on ipa-4-7 - Bump krb5 min version- Resolves: #1754494 - ipa-replica-install does not enforce --server option - replica install: enforce --server arg - Resolves: #1729638 - ipa_kdb: assertion failure from NULL lcontext pointer to ldap_get_values_len() - Fix segfault in ipadb_parse_ldap_entry() - Log INFO message when LDAP connection fails on startup - Fix NULL pointer dereference in maybe_require_preauth() - Resolves: #1636765 - ipa-restore set wrong file permissions and ownership for /var/log/dirsrv/slapd- directory - ipa-restore: Restore ownership and perms on 389-ds log directory- Resolves: #1752005 - Keyrings should not be used in containerized environment - Don't configure KEYRING ccache in containers - Resolves: #1751951 - When master's IP address does not resolve to its name, ipa-replica-install fails - Add container environment check to replicainstall - Resolves: #1750700 - when migrating trusted domain object structure, add default access control definitions, if they were missing in old trust objects - add default access control when migrating trust objects - adtrust: add default read_keys permission for TDO objects - Disable deprecated-lambda check in adtrust upgrade code- Resolves: #1749788 - ipa host-find --pkey-only includes SSH keys in output - Don't return SSH keys with ipa host-find --pkey-only - Resolves: #1745108 - Bug 1497334 invalidating single-label domains introduces regression of usage for customers - check for single-label domains only during server install - Resolves: #1583950 - IPA: IDM drops all custom attributes when moving account from preserved to stage - user-stage: transfer all attributes from preserved to stage user - xmlrpc test: add test for preserved > stage user- Resolves: 1744926 - rebuild against Samba 4.10 to solve undefined symbol: DEBUGLEVEL_CLASS - Backport patches to compile against Samba 4.10 - Fix Python 2 compatibility in adtrustinstance- Resolves: 1717008 - User incorrectly added to negative cache when backend is reconnecting to IPA service / timed out: error code 32 'No such object'- Rebuild- Resolves: 1733075 - Rebase IPA to latest 4.6.x version - Resolves: 1512952 - cert renewal is failing when ipa ca cert is renewed from self-signed > external ca > self-sign - Resolves: 1544470 - cn=cacert could show expired certificate - Resolves: 1581583 - Error message should be more useful while ipa-backup fails for insufficient space - Resolves: 1632351 - remove "last init status" from ipa-replica-manage list if it's None. - Resolves: 1691939 - False error is shown when options are added to an existing sudo rule using 'sudooption' - Resolves: 1695685 - IPA Web UI is slow to display user details page - Resolves: 1702426 - ipa-server-common expected file permissions in package don't match runtime permissions - Resolves: 1711172 - Removing TLSv1.0, TLSv1.1 from nss.conf - Resolves: 1714076 - Issue with adding multiple RHEL 7 IPA replica to RHEL 6 IPA master - Resolves: 1714921 - x509.Name -> ipapython.dn.DN does not handle multi-valued RDNs - Resolves: 1720952 - Cannot modify TTL with ipa dnsrecord-mod --ttl alone on command line - Resolves: 1721550 - Staged user is not being recognized if the user entry doesn't have an objectClass "posixaccount" - Resolves: 1727304 - Restrict cipher lists used by openssl connections - Resolves: 1733209 - ipa-client-automount needs option to specify domain - Resolves: 1733265 - IPA webgui incorrectly display number of entries in ID views- Resolves: 1723473 - ipa upgrade fails with trust entry already exists - adtrust upgrade: fix wrong primary principal name, part 2 - Resolves: 1686302 - ipa trust fetch-domains, server parameter ignored - trust-fetch-domains: make sure we use right KDC when --server is specified- Resolves: 1723473 - ipa upgrade fails with trust entry already exists - adtrust upgrade: fix wrong primary principal name- Resolves: 1712794 - ERROR: invalid 'PKINIT enabled server': all masters must have IPA master role enabled - Consider configured servers as valid- Resolves: 1702651 - Command ipa conole is broken - ipa console: catch proper exception when history file can not be open - Resolves: 1704796 - Wrong CA replication topology created with two replicas - replica install: acknowledge ca_host override - Resolves: 1708873 - Unable to upgrade ipa data: IPA version error: data needs to be upgraded (expected version '4.7.90.pre1-3.fc30', current version '4.7.2-8.fc30') - upgrade: adtrust - catch empty result when retrieving list of trusts- Resolves: 1704227 - Wrong logic in ipactl restart leads to start instead of restart pki-tomcatd - ipactl restart: fix wrong logic when checking service list- Resolves: 1700804 - Update Red Hat logo in IdM Server- Resolves: 1697242 Communication with oddjob helper fails - Bypass D-BUS interface definition deficiences for trust-fetch-domains- Resolves: 1686302 ipa trust fetch-domains, server parameter ignored - oddjob: allow to pass options to trust-fetch-domains - Resolves: 1695481 ipa trust-add failing with CIFS server communication error - adtrust: define Guests mapping after creating cifs/ principal - net groupmap: force using empty config when mapping Guests- Resolves: 1694623 ipa-kra-install failing with invalid 'role_servrole': must be Unicode text error - ipa-setup-kra: fix python2 parameter - Resolves: 1694596 ipa-server-upgrade fails with ConversionError: invalid 'cn': must be Unicode text - ipa-server-upgrade: fix add_systemd_user_hbac- Resolves: 1691334 New defect found in ipa-4.6.5-1.el7 - Coverity: fix issue in ipa_extdom_extop.c - Resolves: 1666843 ipa-replica-manage force-sync --from keeps prompting "No status yet" - ipa-replica-manage: fix force-sync - Resolves: 1594245 [RFE] sysadm_r should be included in default SELinux user map order - Add sysadm_r to default SELinux user map order - Resolves: 1527215 RFE: ipa client should setup openldap for GSSAPI - RFE: ipa client should setup openldap for GSSAPI - Resolves: 1518939 RFE: Extend IPA to support unadvertised replicas - Unify and simplify LDAP service discovery - Use api.env.container_masters - Consolidate container_masters queries - Add hidden replica feature - ipatests: Exercise hidden replica feature - Simplify and improve tests - Implement server-state --state=enabled/hidden - Consider hidden servers as role provider - Improve config-show to show hidden servers - More test fixes - Don't allow to hide last server for a role - Synchronize hidden state from IPA master role - Test replica installation from hidden replica - Add design draft - Don't fail if config-show does not return servers - Resolves: 1517886 double ca acl provoke console error. - Add uniqueness constraint on CA ACL name - Resolves: 1498110 Using --auto-reverse and --allow-zone-overlap does not skip zone overlap check - Extend CALessBase::installer_server to accept extra_args - Skip zone overlap check with auto-reverse - Resolves: 1496963 [RFE] Provide an option to include FQDN in IDM topology graph - Web UI (topology graph): Show FQDN for nodes if they have no common DNS zone - Resolves: 1345975 [RFE] Support One-Way Trust authenticated by trust secret - Replace hard-coded paths with path constants - Support Samba 4.9 - Add design page for one-way trust to AD with shared secret - trust: allow trust agents to read POSIX identities of trust - trusts: add support for one-way shared secret trust - upgrade: upgrade existing trust agreements to new layout - upgrade: add trust upgrade to actual upgrade code - Resolves: 1690191 [RFE] Offline Certificate Renewal System - Extract ca_renewal cert update subroutine - cainstance: add function to determine ca_renewal nickname - constants: add ca_renewal container - Add ipa-cert-fix tool - ipa-cert-fix: add man page - ipa-cert-fix: use customary exit statuses - Resolves: 1631826 Create a warning that SSSD needs restart after idrange-mod - Show a notification that sssd needs restarting after idrange-mod- Resolves: 1677197 Rebase IPA to latest 4.6.x version - Resolves: 1690037[RFE] Add utility to promote CA replica to CRL master - Resolves: 1689585 Cannot install ipa-server on rhel7.7 - Resolves: 1672184 Fix compile issue with new 389-ds - Resolves: 1672180 pki spawn fails for IPA replica install from RHEL6 IPA master - Resolves: 1669012 host_del and host_disable fails, ra.find() search for every certificates instead of the host's certificate by subject - Resolves: 1658701 ipa-replica-install fails migrating RHEL 6 to 7 - Resolves: 1651834 searching for ipa users by certificate fails - Resolves: 1644874 IPA Upgrade failed with "unable to convert the attribute u'cACertificate;binary'" - Resolves: 1638545 ipa-advise command points to old URL's. - Resolves: 1637717 RFE: Validation and better error messages when novajoin fails because of SSL errors - Resolves: 1599939 'ipa vault-retrieve' is failing with "ipa: ERROR: an internal error has occurred" - Resolves: 1593454 In IPA WebUI, a warning appears in the background(warning message behind the dialog box). - Resolves: 1586268 [RFE] Red Hat Identity Manager IP SANs - Resolves: 1579037 Adding 3rd Party CAs to IPA results in SmartCard preparation script failure - Resolves: 1577967 Users with user creation/modification privileges fail to add the "--radius-username" option when creating users - Resolves: 1572674 ipa-cacert-manage cannot import PKCS#7 files - Resolves: 1562422 [RFE] Allow IPA Services to Start After the IPA Backup Has Completed - Resolves: 1562396 IPA numeric username breaks sudo and getent - Resolves: 1533228 The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records - Resolves: 1497334 ipa-server-install should prevent installations with single label domains - Resolves: 1493541 ipa-pkinit-manage reports a switch from local pkinit to full pkinit configuration was successful although it was not. - Resolves: 1485217 [RFE] Warn or adjust umask if it is too restrictive to break installation - Resolves: 1428690 ipa-backup does not create log file at /var/log/ - Resolves: 1408439 ipa idoverrideuser-find view --anchor fails to return output - Resolves: 1390757 automember-rebuild crashes - Resolves: 1376024 During one step replica install the command accepts both OTP and Admin password simultaneously - Resolves: 1245626 ipa-client-install modifies /etc/openldap/ldap.conf in a way which is unhandy for openldap-clients- Resolves: 1672180 pki spawn fails for IPA replica install from RHEL6 IPA master - Update mod_nss cipher list so there is overlap with a 4.x master - Resolves: 1672184 Fix compile issue with new 389-ds - ipa-sidgen: make internal fetch_attr helper really internal - Resolves: 1669012 host_del and host_disable fails, ra.find() search for every certificates instead of the host's certificate by subject - Add workaround for slow host/service del - Optimize cert remove case - Resolves: 1533228 The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain record - replica installation: add master record only if in managed zone - ipatests: add test for replica in forward zone- Resolves: 1651834 searching for ipa users by certificate fails - ipaldap.py: fix method creating a ldap filter for IPACertificate - ipatests: add xmlrpc test for user|host-find --certificate - Resolves: 1644874 IPA Upgrade failed with "unable to convert the attribute u'cACertificate;binary'" - ipa upgrade: handle double-encoded certificates - ipatests: add upgrade test for double-encoded cacert - ipatests: fix TestUpgrade::test_double_encoded_cacert - Resolves: 1599939 'ipa vault-retrieve' is failing with "ipa: ERROR: an internal error has occurred" - Add a shared-vault-retrieve test - Add a "Find enabled services" ACI in 20-aci.update so that all users can find IPA servers and services. ACI suggested by Christian Heimes. - Resolves: 1493541 ipa-pkinit-manage reports a switch from local pkinit to full pkinit configuration was successful although it was not. - ipatest: add test for ipa-pkinit-manage enable|disable - PKINIT: fix ipa-pkinit-manage enable|disable - Resolves: 1390757 automember-rebuild crashes - Find orphan automember rules - Resolves: 1658701 ipa-replica-install fails migrating RHEL 6 to 7 - replication: check remote ds version before editing attributes- Resolves: 1630361 PKINIT fails in FIPS mode - Ensure that public cert and CA bundle are readable - Always make ipa.p11-kit world-readable - Make /etc/httpd/alias world readable & executable - Fix permission of public files in upgrader- Resolves: #1624755 Re-installing replica on the same system displays 'WARNING: cannot check if port 443 is already configured' - ipa-replica-install: properly use the file store - Resolves: #1623486 PKINIT configuration did not succeed message is received during Replica-install - ipa-replica-install: fix pkinit setup - Related: #1624289 AVC denials noticed during test execution for SUB-CA test-suite in FIPS mode - Update minimum selinux-policy to 3.13.1-224- Resolves #1508498 Authn/TOTP defined users periodically prompt for just password credentials to access resources - Clear next field when returnining list elements in queue.c - Add cmocka unit tests for ipa otpd queue code - Resolves #1622168 ipa-otpd: fix potential double-free and infinite loop in queue code - Clear next field when returnining list elements in queue.c - Add cmocka unit tests for ipa otpd queue code - Resolves #1603444 ipa-server-install script is failing when using the "--no-dnssec-validation" parameter combined with the "--forwarder" - ipa-server-install: do not perform forwarder validation with --no-dnssec-validation- Resolves: #1609882 ipaserver/plugins/cert.py: Add reason to raise of errors.NotFound - ipaserver/plugins/cert.py: Added reason to raise of errors.NotFound - Resolves: #1598662 Replica installation fails with connection refused error - Do not set ca_host when --setup-ca is used - Resolves: #1577108 Improve Custodia client and key distribution handling - Fix KRA replica installation from CA master - Resolves: #1515314 ipa-replica-install fails with PIN error [ CA-less environment ] - Fix ipa-replica-install when key not protected by PIN - Resolves: #1480502 ipa server uninstall with -v option displays "IOError: [Errno 9] Bad file descriptor Logged from file ipautil.py, line 442" - uninstall -v: remove Tracebacks - Resolves: #1368345 Replace ERROR: cannot connect to 'http://localhost:8888/ipa/json': [Errno 111] Connection refused with 'IPA is not configured on this system' - ipa commands: print 'IPA is not configured' when ipa is not setup - Disable message about log in ipa-backup if IPA is not configured - Resolves: #1591824 Installation of replica against a specific master - Do not set ca_host when --setup-ca is used - Resolves: #1594141 Replication races in DogtagInstance.setup_admin - Catch ACIError instead of invalid credentials - Resolves: #1623112 ipa-replica-install defines nsds5replicabinddngroup before the group contains the DN of the replication manager - DS replication settings: fix regression with <3.3 master - Resolves: #1623113 Replica install: certmonger sometimes fails - Wait for client certificates - Auto-retry failed certmonger requests- Resolves: #1590647 ldapmodify userPassword reflects on krblastpwdchange on RHEL6 but not RHEL7 - In IPA 4.4 when updating userpassword with ldapmodify does not update krbPasswordExpiration nor krbLastPwdChange - Resolves: #1600074 ipa-server-upgrade displays 'DN: cn=Schema Compatibility,cn=plugins,cn=config does not exists or haven't been updated' - Re-open the ldif file to prevent error message - Resolves: #1608783 ipa trust-add fails in FIPS mode. - Move fips_enabled to a common library to share across different plugins - ipasam: do not use RC4 in FIPS mode- Resolves: #1607616 Traceback in messages file during ipa-server-install: File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 541, in #012 - Removing filesystem encoding check - Resolves: #1598044 plugable.py:491:bootstrap:SystemEncodingError: System encoding must be UTF-8, 'ANSI_X3.4-1968' is not supported. - Removing filesystem encoding check- Resolves: #1600525 ipa-client-install --uninstall fails to uninstall client. - ipa client uninstall: clean the state store when restoring hostname - Resolves: #1598117 client uninstall fails when installed using non-existing hostname - ipa client uninstall: clean the state store when restoring hostname - Resolves: #1596168 ipa help topics displays 'ipa: ERROR: an internal error has occurred' - Fix regression: Handle unicode where str is expected - Resolves: #1591824 Installation of replica against a specific master - Query for server role IPA master - Only create DNS SRV records for ready server - Delay enabling services until end of installer - replicainstall: DS SSL replica install pick right certmonger host - Fix CA topology warning - Fix race condition in get_locations_records() - Fix DNSSEC install regression - Handle races in replica config - Resolves: #1591647 Increase WSGI worker process count - Use 4 WSGI workers on 64bit systems - Resolves: #1565633 nsds5ReplicaReleaseTimeout should be set by default. - Tune DS replication settings - Resolves: #1607616 Traceback in messages file during ipa-server-install: File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 541, in #012 - Removing filesystem encoding check - Resolves: #1598044 plugable.py:491:bootstrap:SystemEncodingError: System encoding must be UTF-8, 'ANSI_X3.4-1968' is not supported. - Removing filesystem encoding check- Resolves: #1603514 Replica install fails with "Certificate issuance failed (CA_REJECTED)" - ACIError- Resolves: #1594142 SRV lookup doesn't correctly sort results - Sort and shuffle SRV record by priority and weight - Resolves: #1594141 Replication races in DogtagInstance.setup_admin - Fix replication races in Dogtag admin code - Use common replication wait timeout of 5min - Improve and fix timeout bug in wait_for_entry() - Resolves: #1591824 Installation of replica against a specific master - Always set ca_host when installing replica - Resolves: #1591647 Increase WSGI worker process count - Increase WSGI process count to 5 on 64bit - Resolves: #1394034 Custom SELinux User Map order is changed after updating IPA - Use replace instead of add to set new default ipaSELinuxUserMapOrder - Resolves: #1381535 ipa config-mod returns "Configured size limit exceeded" - ipaserver config plugin: Increase search records minimum limit- Resolves: #1561581 Rebase IPA to latest 4.6.x version - Resolves: #1234219 [WebUI] Error message could be better while adding idrange with untrusted domain name. - Resolves: #1274488 ipa-client-install should use previously entered username when performing setup validation - Resolves: #1289487 Priority field missing in Password Policy detail tab - Resolves: #1339129 ipa vault-archive overwrites an existing value without warning - Resolves: #1368345 Replace ERROR: cannot connect to 'http://localhost:8888/ipa/json': [Errno 111] Connection refused with 'IPA is not configured on this system' - Resolves: #1424735 While performing ipa-server-upgrade, sssd goes offline and stalls the upgrade process - Resolves: #1427105 RFE - Option to add custom OID or display name in IPA Cert - Resolves: #1434924 ipa-restore fails when umask is set to 0027 - Resolves: #1441262 ipa group-del gives ipa: ERROR: Insufficient access: but still deletes group - Resolves: #1452081 Suggest user to install libyubikey package instead of traceback - Resolves: #1458183 Users can delete their last active OTP token - Resolves: #1478366 Crash noticed during IPA upgrade process due to ipa package - Resolves: #1480502 ipa server uninstall with -v option displays "IOError: [Errno 9] Bad file descriptor Logged from file ipautil.py, line 442" - Resolves: #1481936 Limit number of times the DNS response for the ipa-server A and AAAA records are done during uninstallation. - Resolves: #1483139 ipa-restore command doesn't exit with failure if wrong directory manager's password is provided - Resolves: #1485429 domain resolution order field in Identity->ID Views->Settings tab missing in WebUI - Resolves: #1485851 ipa param-find: command displays internal error - Resolves: #1494198 ipa-replica-manage re-initialize TypeError: 'NoneType' object does not support item assignment - Resolves: #1504565 API schema generated by server doesn't follow language requested by client. - Resolves: #1505925 kdc segfault in openldap libs when ipa-server is installed and custom pkinit is configured - Resolves: #1506709 ipa trust-add - Filter out overlapping namespace domains automatically - Resolves: #1513041 ipa-restore does not enable/start oddjobd - Resolves: #1515314 ipa-replica-install fails with PIN error [ CA-less environment ] - Resolves: #1515374 Custodia keys are not removed on uninstall - Resolves: #1518932 The Issuer DN field in IPA is not updating properly - Resolves: #1519723 admins group is not including all permissions of Role "User Administrator" - Resolves: #1527020 nsslapd-sasl-max-buffer-size is hardcoded to '2097152' during install even if another value was provided in an LDIF ( --dirsrv-config-file ) - Resolves: #1534726 IPA 'Generate OTP' option in web gui does not show OTP code when no reverse zone is managed - Resolves: #1547641 ipa: Please log something after restarting the KDC - Resolves: #1547995 CRL url on replicas gets incorrectly redirected - Resolves: #1549187 IdM servers:/usr/share/ipa/html/ca.crt does not include the complete chain - Resolves: #1553594 ldappasswd cause the IPA embedded Directory server to SIGSEGV - Resolves: #1568748 Allow hosts to delete their own services - Resolves: #1576133 Radius Proxy OTP Auth in IPA is not failing over to the second server in a radius-proxy - Resolves: #1577108 Improve Custodia client and key distribution handling- Resolves: #1565633 nsds5ReplicaReleaseTimeout should be set by default - Add nsds5ReplicaReleaseTimeout to replica config - Fix upgrade (update_replica_config) in single master mode - Resolves: #1577108 Improve Custodia client and key distribution handling - Use single Custodia instance in installers - Resolves: #1577805 4.5.0 -> 4.5.4 upgrade breaks in ipa-server-upgrade: No such file or directory: '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg' - Don't try to backup CS.cfg during upgrade if CA is not configured- Resolves: #1518157 Clarify the need to restart services in ipa-server-certinstall(1) - Add a notice to restart ipa services after certs are installed - Resolves: #1544679 OTP and Radius Authentication does not work in FIPS mode - Fix OTP validation in FIPS mode - Increase the default token key size - Revert "Don't allow OTP or RADIUS in FIPS mode" - Log errors from NSS during FIPS OTP key import - Resolves: #1470916 ipa client pointing to replica shows KDC has no support for encryption type - ipa-replica-install: make sure that certmonger picks the right master - Resolves: #1542627 DNS records updated with all IPAddresses of an interface when IPA server/replica try to install with Specific IP address of that interface - replica-install: pass --ip-address to client install- Resolves: #1540361 ipa-advise for smartcards is out-of-date - ipa-advise for smartcards updated- Resolves: #1458169 --force-join option is not mentioned in ipa-replica-install man page - Add --force-join into ipa-replica-install manpage - Resolves: #1457876 ipa-backup fails silently - Changed ownership of ldiffile to DS_USER - Resolves: #1409786 Second phase of --external-ca ipa-server-install setup fails when dirsrv is not running - Checks if Dir Server is installed and running before IPA installation - Resolves: #1452086 Pagination Size under Customization in IPA WebUI accepts negative values - WebUI: Add positive number validator - WebUI: change validator of page size settings - WebUI: fix jslint error- Resolves: #1477531 Incorrect attribute level rights (ipaallowedtoperform) of service object - WebUI: make keytab tables on service and host pages writable - Resolves: #1529444 ObjectclassViolation seen while adding idview with domain-resolution-order option - Idviews: fix objectclass violation on idview-add - Resolves: #1451576 ipa cert-request failed to generate certificate from csr - Fixing the cert-request comparing whole email address case-sensitively.- Resolves: #1421869 Unable to re-add broken AD trust - Unexpected Information received - adtrust: filter out subdomains when defining our topology to AD - Resolves: #1486286 IPA failing to authenticate via password+OTP on RHEL7.4 with fips enabled - Don't allow OTP or RADIUS in FIPS mode - Resolves: #1494226 IPA User Details not being displayed in WebUI - Fix cert-find for CA-less installations - Resolves: #1498387 389-ds-base crashed as part of ipa-server-intall in ipa-uuid - 389-ds-base crashed as part of ipa-server-intall in ipa-uuid - Resolves: #1503022 ipa-getkeytab man page should have more details about consequences of krb5 key renewal - ipa-getkeytab man page: add more details about the -r option - Resolves: #1509288 IPA trust-add internal error (expected security.dom_sid got None) - ipaserver/plugins/trust.py; fix some indenting issues - trust: detect and error out when non-AD trust with IPA domain name exists - ipaserver/plugins/trust.py: pep8 compliance - Resolves: #1511019 ipa-restore broken with python2 - Fix ipa-restore (python2) - Resolves: #1511607 ipa-backup does not backup Custodia keys and files - Backup ipa-custodia conf and keys - Resolves: #1512482 kra install fails after ipa cert renewed - Don't use admin cert during KRA installation - Prevent set_directive from clobbering other keys - pep8: reduce line lengths in CAInstance.__enable_crl_publish - installutils: refactor set_directive - Add tests for installutils.set_directive - Add safe DirectiveSetter context manager - Old pylint doesn't support bad python3 option - Resolves: #1514163 CA less IPA install with external certificates fails on RHEL 7 in FIPS mode - Fix ca less IPA install on fips mode- Resolves: #1520279 - rebuild against samba 4.7- Resolves: #1415162 ipa-exdom-extop plugin can exhaust DS worker threads - Resolves: #1378892 host-find slowness caused by missing host attributes in index- Resolves: #1388135 [RFE] limit the retro changelog to dns subtree. - ldap: limit the retro changelog to dns subtree - Resolves: #1427798 Use X509v3 Basic Constraints "CA:TRUE" instead of "CA:FALSE" IPA CA CSR - Include the CA basic constraint in CSRs when renewing a CA - Resolves: #1493145 ipa-replica-install might fail because of an already existing entry cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX - Checks if replica-s4u2proxy.ldif should be applied - Resolves: #1493150 [RFE] set nsslapd-ignore-time-skew: on by default - ds: ignore time skew during initial replication step - ipa-replica-manage: implicitly ignore initial time skew in force-sync - Resolves: #1500218 Replica installation at domain-level 0 fails against upgraded ipa-server - Fix ipa-replica-conncheck when called with --principal - Resolves: #1506188 server-del doesn't remove dns-server configuration from ldap- Drop workaround for building on AArch64 (#1482244) - Temporarily reduce Requires on python-netaddr to 0.7.5-7 (#1506485)- Resolves: #1461177 ipa-otptoken-import - XML file is missing PBKDF2 parameters! - Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s during search in cn=ad, cn=trusts,dc=example,dc=com - Resolves: #1467887 iommu platform support for ipxe - Resolves: #1477178 [ipa-replica-install] - 406 Client Error: Failed to validate message: Incorrect number of results (0) searching forpublic key for host - Resolves: #1478251 IPA WebUI does not work after upgrade from IPA 4.4 to 4.5 - Resolves: #1480102 ipa-server-upgrade failes with "This entry already exists" - Resolves: #1482802 Unable to set ca renewal master on replica - Resolves: #1484428 Updating from RHEL 7.3 fails with Server-Cert not found (ipa-server-upgrade) - Resolves: #1484826 FreeIPA/IdM installations which were upgraded from versions with 389 DS prior to 1.3.3.0 doesn't have whomai plugin enabled and thus startup of Web UI fails - Resolves: #1486283 TypeError in renew_ca_cert prevents from swiching back to self-signed CA - Resolves: #1469246 Replica install fails to configure IPA-specific temporary files/directories - Resolves: #1469480 bind package is not automatically updated during ipa-server upgrade process - Resolves: #1475238 Use CommonNameToSANDefault in default profile (new installs only) - Resolves: #1477703 IPA upgrade fails for latest ipa package- Use OpenJDK 8 to bootstrap on AArch64 until RH1482244 is resolved in buildroot - Resolves: #1470177 - Rebase IPA to latest 4.5.x version - Resolves: #1398594 ipa topologysuffix-verify should only warn about maximum number of replication agreements. - Resolves: #1404236 Web UI: Change "Host Based" and "Role Based" to "Host-Based" and "Role-Based" - Resolves: #1409786 Second phase of --external-ca ipa-server-install setup fails when dirsrv is not running - Resolves: #1451576 ipa cert-request failed to generate certificate from csr - Resolves: #1452086 Pagination Size under Customization in IPA WebUI accepts negative values - Resolves: #1458169 --force-join option is not mentioned in ipa-replica-install man page - Resolves: #1463186 IPA shouldn't allow objectclass if not all in lower case - Resolves: #1478322 user-show command fails when sizelimit is configured to number <= number of entity which is user member of - Resolves: #1496775 Enterprise principals should be able to trigger a refresh of the trusted domain data in the KDC - Resolves: #1502533 Changing cert-find to go through the proxy instead of using the port 8080 - Resolves: #1502663 pkinit-status command fails after an upgrade from a pre-4.5 IPA - Resolves: #1498168 Error when trying to modify a PTR record - Resolves: #1457876 ipa-backup fails silently - Resolves: #1493531 In case full PKINIT configuration is failing during server/replica install the error message should be more meaningful. - Resolves: #1449985 Suggest CA installation command in KRA installation warning- Resolves: #1477367 ipa-server-upgrade timeouts on wait_for_open ports expecting IPA services listening on IPv6 ports - Make sure upgrade also checks for IPv6 stack - control logging of host_port_open from caller - log progress of wait_for_open_ports - Resolves: #1477243 ipa help command returns traceback when no cache is present - Store help in Schema before writing to disk - Disable pylint in get_help function because of type confusion.- Resolves: #1477178 - [ipa-replica-install] - 406 Client Error: Failed to validate message: Incorrect number of results (0) searching forpublic key for host - Always check peer has keys before connecting - Resolves: #1482802 - Unable to set ca renewal master on replica - Fix ipa config-mod --ca-renewal-master - Resolves: #1486283 - TypeError in renew_ca_cert prevents from swiching back to self-signed CA - Backport PR 988 to ipa-4-5 Fix Certificate renewal (with ext ca) - Resolves: #1480102 - ipa-server-upgrade failes with "This entry already exists" - Backport PR 1008 to ipa-4-5 Fix ipa-server-upgrade: This entry already exists - Resolves: #1484826 - FreeIPA/IdM installations which were upgraded from versions with 389 DS prior to 1.3.3.0 doesn't have whomai plugin enabled and thus startup of Web UI fails - Adds whoami DS plugin in case that plugin is missing - Resolves: #1478251 - IPA WebUI does not work after upgrade from IPA 4.4 to 4.5 - Fixing how sssd.conf is updated when promoting a client to replica - Resolves: #1461177 - ipa-otptoken-import - XML file is missing PBKDF2 parameters! - ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace - Resolves: #1484428 - Updating from RHEL 7.3 fails with Server-Cert not found (ipa-server-upgrade) - Backport 4-5: Fix ipa-server-upgrade with server cert tracking- Resolves: #1477703 IPA upgrade fails for latest ipa package - Restore old version of caIPAserviceCert for upgrade only- Resolves: #1475238 Use CommonNameToSANDefault in default profile (new installs only) - Restore old version of caIPAserviceCert for upgrade only- Resolves: #1455946 Provide a tooling automating the configuration of Smart Card authentication on a FreeIPA master - smart-card advises: configure systemwide NSS DB also on master - smart-card advises: add steps to store smart card signing CA cert - Allow to pass in multiple CA cert paths to the smart card advises - add a class that tracks the indentation in the generated advises - delegate the indentation handling in advises to dedicated class - advise: add an infrastructure for formatting Bash compound statements - delegate formatting of compound Bash statements to dedicated classes - Fix indentation of statements in Smart card advises - Use the compound statement formatting API for configuring PKINIT - smart card advises: use a wrapper around Bash `for` loops - smart card advise: use password when changing trust flags on HTTP cert - smart-card-advises: ensure that krb5-pkinit is installed on client - Resolves: #1475238 Use CommonNameToSANDefault in default profile (new installs only) - Add CommonNameToSANDefault to default cert profile - Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s during search in cn=ad,cn=trusts,dc=example,dc=com - NULL LDAP context in call to ldap_search_ext_s during search- Resolves: #1469246 Replica install fails to configure IPA-specific temporary files/directories - replica install: drop-in IPA specific config to tmpfiles.d - Resolves: #1469480 bind package is not automatically updated during ipa-server upgrade process - Bumped Required version of bind-dyndb-ldap and bind package- Resolves: #1452216 Replica installation grants HTTP principal access in WebUI - Make sure we check ccaches in all rpcserver paths- Resolves: #1462112 ipaserver installation fails in FIPS mode: OpenSSL internal error, assertion failed: Digest MD4 forbidden in FIPS mode! - ipa-sam: replace encode_nt_key() with E_md4hash() - ipa_pwd_extop: do not generate NT hashes in FIPS mode - Resolves: #1377973 ipa-server-install fails when the provided or resolved IP address is not found on local interfaces - Fix local IP address validation - ipa-dns-install: remove check for local ip address - refactor CheckedIPAddress class - CheckedIPAddress: remove match_local param - Remove ip_netmask from option parser - replica install: add missing check for non-local IP address - Remove network and broadcast address warnings- Resolves: #1449189 ipa-kra-install timeouts on replica - kra: promote: Get ticket before calling custodia- Resolve: #1455946 Provide a tooling automating the configuration of Smart Card authentication on a FreeIPA master - server certinstall: update KDC master entry - pkinit manage: introduce ipa-pkinit-manage - server upgrade: do not enable PKINIT by default - Extend the advice printing code by some useful abstractions - Prepare advise plugin for smart card auth configuration - Resolve: #1461053 allow to modify list of UPNs of a trusted forest - trust-mod: allow modifying list of UPNs of a trusted forest - WebUI: add support for changing trust UPN suffixes- Resolves: #1377973 ipa-server-install fails when the provided or resolved IP address is not found on local interfaces - Only warn when specified server IP addresses don't match intf - Resolves: #1438016 gssapi errors after IPA server upgrade - Bump version of python-gssapi - Resolves: #1457942 certauth: use canonical principal for lookups - ipa-kdb: use canonical principal in certauth plugin - Resolves: #1459153 Do not send Max-Age in ipa_session cookie to avoid breaking older clients - Add code to be able to set default kinit lifetime - Revert setting sessionMaxAge for old clients- Resolves: #1442233 IPA client commands fail when pointing to replica - httpinstance: wait until the service entry is replicated - Resolves: #1456769 ipaAnchorUUID index incorrectly configured and then not indexed - Fix index definition for ipaAnchorUUID - Resolves: #1438016 gssapi errors after IPA server upgrade - Avoid possible endless recursion in RPC call - rpc: preparations for recursion fix - rpc: avoid possible recursion in create_connection - Resolves: #1446087 services entries missing krbCanonicalName attribute. - Changing cert-find to do not use only primary key to search in LDAP. - Resolves: #1452763 ipa certmaprule change not reflected in krb5kdc workers - ipa-kdb: reload certificate mapping rules periodically - Resolves: #1455541 after upgrade login from web ui breaks - kdc.key should not be visible to all - Resolves: #1435606 Add pkinit_indicator option to KDC configuration - ipa-kdb: add pkinit authentication indicator in case of a successful certauth - Resolves: #1455945 Enabling OCSP checks in mod_nss breaks certificate issuance when ipa-ca records are not resolvable - Turn off OCSP check - Resolves: #1454483 rhel73 ipa ui - cannot del server - IPA Error 903 - server_del - TypeError: 'NoneType' object is not iterable - fix incorrect suffix handling in topology checks- Resolves: #1438731 Extend ipa-server-certinstall and ipa-certupdate to handle PKINIT certificates/anchors - certdb: add named trust flag constants - certdb, certs: make trust flags argument mandatory - certdb: use custom object for trust flags - install: trust IPA CA for PKINIT - client install: fix client PKINIT configuration - install: introduce generic Kerberos Augeas lens - server install: fix KDC PKINIT configuration - ipapython.ipautil.run: Add option to set umask before executing command - certs: do not export keys world-readable in install_key_from_p12 - certs: do not export CA certs in install_pem_from_p12 - server install: fix KDC certificate validation in CA-less - replica install: respect --pkinit-cert-file - cacert manage: support PKINIT - server certinstall: support PKINIT - Resolves: #1444432 CA-less pkinit not installable with --pkinit-cert-file option - certs: do not export CA certs in install_pem_from_p12 - server install: fix KDC certificate validation in CA-less - Resolves: #1451228 ipa-kra-install fails when primary KRA server has been decommissioned - ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname - Resolves: #1451712 KRA installation fails on server that was originally installed as CA-less - ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt - Resolves: #1441499 ipa cert-show does not raise error if no file name specified - ca/cert-show: check certificate_out in options - Resolves: #1449522 Deprecate `ipa pkinit-anonymous` command in FreeIPA 4.5+ - Remove pkinit-anonymous command - Resolves: #1449523 Provide an API command to retrieve PKINIT status in the FreeIPA topology - Allow for multivalued server attributes - Refactor the role/attribute member reporting code - Add an attribute reporting client PKINIT-capable servers - Add the list of PKINIT servers as a virtual attribute to global config - Add `pkinit-status` command - test_serverroles: Get rid of MockLDAP and use ldap2 instead - Resolves: #1452216 Replica installation grants HTTP principal access in WebUI - Fix rare race condition with missing ccache file - Resolves: #1455045 Simple service uninstallers must be able to handle missing service files gracefully - only stop/disable simple service if it is installed - Resolves: #1455541 after upgrade login from web ui breaks - krb5: make sure KDC certificate is readable - Resolves: #1455862 "ipa: ERROR: an internal error has occurred" on executing command "ipa cert-request --add" after upgrade - Change python-cryptography to python2-cryptography- Resolves: #1451804 "AttributeError: 'tuple' object has no attribute 'append'" error observed during ipa upgrade with latest package. - ipa-server-install: fix uninstall - Resolves: #1445390 ipa-[ca|kra]-install with invalid DM password break replica - ca install: merge duplicated code for DM password - installutils: add DM password validator - ca, kra install: validate DM password- Resolves: #1447284 Upgrade from ipa-4.1 fails when enabling KDC proxy - python2-ipalib: add missing python dependency - installer service: fix typo in service entry - upgrade: add missing suffix to http instance - Resolves: #1444791 Update man page of ipa-kra-install - ipa-kra-install manpage: document domain-level 1 - Resolves: #1441493 ipa cert-show raises stack traces when --certificate-out=/tmp - cert-show: writable files does not mean dirs - Resolves: #1441192 Add the name of URL parameter which will be check for username during cert login - Bump version of ipa.conf file - Resolves: #1378797 Web UI must check OCSP and CRL during smartcard login - Turn on NSSOCSP check in mod_nss conf - Resolves: #1322963 Errors from AD when trying to sign ipa.csr, conflicting template on - renew agent: respect CA renewal master setting - server upgrade: always fix certmonger tracking request - cainstance: use correct profile for lightweight CA certificates - renew agent: allow reusing existing certs - renew agent: always export CSR on IPA CA certificate renewal - renew agent: get rid of virtual profiles - ipa-cacert-manage: add --external-ca-type - Resolves: #1441593 error adding authenticator indicators to host - Fixing adding authenticator indicators to host - Resolves: #1449525 Set directory ownership in spec file - Added plugins directory to ipaclient subpackages - ipaclient: fix missing RPM ownership - Resolves: #1451279 otptoken-add-yubikey KeyError: 'ipatokenotpdigits' - otptoken-add-yubikey: When --digits not provided use default value- Resolves: #1449189 ipa-kra-install timeouts on replica - ipa-kra-install: fix check_host_keys- Resolves: #1438833 [ipa-replica-install] - 406 Client Error: Failed to validate message: Incorrect number of results (0) searching forpublic key for host - Make sure remote hosts have our keys - Resolves: #1442815 Replica install fails during migration from older IPA master - Refresh Dogtag RestClient.ca_host property - Remove the cachedproperty class - Resolves: #1444787 Update warning message when KRA installation fails - kra install: update installation failure message - Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode - ipa-server-install with external CA: fix pkinit cert issuance - Resolves: #1445397 GET in KerberosSession.finalize_kerberos_acquisition() must use FreeIPA CA - kerberos session: use CA cert with full cert chain for obtaining cookie - Resolves: #1447375 ipa-client-install: extra space in pkinit_anchors definition - ipa-client-install: remove extra space in pkinit_anchors definition - Resolves: #1447703 Fix SELinux contex of http.keytab during upgrade - Use proper SELinux context with http.keytab- Resolves: #1200767 [RFE] Allow Kerberos authentication for users with certificates on smart cards (pkinit) - spec file: bump krb5 Requires for certauth fixes - Resolves: #1438729 Configure local PKINIT on DL0 or when '--no-pkinit' option is used - separate function to set ipaConfigString values on service entry - Allow for configuration of all three PKINIT variants when deploying KDC - API for retrieval of master's PKINIT status and publishing it in LDAP - Use only anonymous PKINIT to fetch armor ccache - Stop requesting anonymous keytab and purge all references of it - Use local anchor when armoring password requests - Upgrade: configure local/full PKINIT depending on the master status - Do not test anonymous PKINIT after install/upgrade - Resolves: #1442427 ipa.ipaserver.install.plugins.adtrust. update_tdo_gidnumber: ERROR Default SMB Group not found - upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is installed - Resolves: #1442932 ipa restore fails to restore IPA user - restore: restart/reload gssproxy after restore - Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode - Fix CA/server cert validation in FIPS - Resolves: #1444947 Deadlock between topology and schema-compat plugins - compat-manage: behave the same for all users - Move the compat plugin setup at the end of install - compat: ignore cn=topology,cn=ipa,cn=etc subtree - Resolves: #1445358 ipa vault-add raises TypeError - vault: piped input for ipa vault-add fails - Resolves: #1445382 ipa vault-retrieve fails to retrieve data from vault - Vault: Explicitly default to 3DES CBC - Resolves: #1445432 uninstall ipa client automount failed with RuntimeWarning - automount install: fix checking of SSSD functionality on uninstall - Resolves: #1446137 pki_client_database_password is shown in ipaserver-install.log - Hide PKI Client database password in log file- Resolves: #1443869 Command "openssl pkcs12 ..." failed during IPA upgrade - Fix CAInstance.import_ra_cert for empty passwords- Resolves: #1431520 ipa cert-find runs a large number of searches, so IPA WebUI is slow to display user details page - cert: defer cert-find result post-processing - Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit helper when installing replica - server-install: No double Kerberos install - Resolves: #1437502 ipa-replica-install fails with requirement to use --force-join that is a client install option. - Add the force-join option to replica install - replicainstall: better client install exception handling - Resolves: #1437953 Server CA-less impossible option check - server-install: remove broken no-pkinit check - Resolves: #1441160 FreeIPA client <= 4.4 fail to parse 4.5 cookies - Add debug log in case cookie retrieval went wrong - Resolves: #1441548 ipa server install fails with --external-ca option - ext. CA: correctly write the cert chain - Resolves: #1441718 Conversion of CA-less server to CA fails on CA instance spawn - Fix CA-less to CA-full upgrade - Resolves: #1442133 Do not link libkrad, liblber, libldap_r and libsss_nss_idmap to every binary in IPA - configure: fix AC_CHECK_LIB usage - Resolves: #1442815 Replica install fails during migration from older IPA master - Fix RA cert import during DL0 replication - Related: #1442004 Building IdM/FreeIPA internally on all architectures - filtering unsupported packages - Build all subpackages on all architectures- Resolves: #1382053 Need to have validation for idrange names - idrange-add: properly handle empty --dom-name option - Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit helper when installing replica - dsinstance: reconnect ldap2 after DS is restarted by certmonger - httpinstance: avoid httpd restart during certificate request - dsinstance, httpinstance: consolidate certificate request code - install: request service certs after host keytab is set up - renew agent: revert to host keytab authentication - renew agent, restart scripts: connect to LDAP after kinit - Resolves: #1436987 ipasam: gidNumber attribute is not created in the trusted domain entry - ipa-sam: create the gidNumber attribute in the trusted domain entry - Upgrade: add gidnumber to trusted domain entry - Resolves: #1438679 [ipa-replica-install] - IncorrectPasswordException: Incorrect client security database password - Add pki_pin only when needed - Resolves: #1438348 Console output message while adding trust should be mapped with texts changed in Samba. - ipaserver/dcerpc: unify error processing - Resolves: #1438366 ipa trust-fetch-domains: ValidationError: invalid 'Credentials': Missing credentials for cross-forest communication - trust: always use oddjobd helper for fetching trust information - Resolves: #1441192 Add the name of URL parameter which will be check for username during cert login - WebUI: cert login: Configure name of parameter used to pass username - Resolves: #1437879 [copr] Replica install failing - Create system users for FreeIPA services during package installation - Resolves: #1441316 WebUI cert auth fails after ipa-adtrust-install - Fix s4u2self with adtrust- Resolves: #1318186 Misleading error message during external-ca IPA master install - httpinstance: make sure NSS database is backed up - Resolves: #1331443 Re-installing ipa-server after uninstall fails with "ERROR CA certificate chain in ... incomplete" - httpinstance: make sure NSS database is backed up - Resolves: #1393726 Enumerate all available request type options in ipa cert-request help - Hide request_type doc string in cert-request help - Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping - spec file: bump libsss_nss_idmap-devel BuildRequires - server: make sure we test for sss_nss_getlistbycert - Resolves: #1437378 ipa-adtrust-install produced an error and failed on starting smb when hostname is not FQDN - adtrust: make sure that runtime hostname result is consistent with the configuration - Resolves: #1437555 ipa-replica-install with DL0 fails to get annonymous keytab - Always check and create anonymous principal during KDC install - Remove duplicate functionality in upgrade - Resolves: #1437946 Upgrade to FreeIPA 4.5.0 does not configure anonymous principal for PKINIT - Upgrade: configure PKINIT after adding anonymous principal - Remove unused variable from failed anonymous PKINIT handling - Split out anonymous PKINIT test to a separate method - Ensure KDC is propery configured after upgrade - Resolves: #1437951 Remove pkinit-related options from server/replica-install on DL0 - Fix the order of cert-files check - Don't allow setting pkinit-related options on DL0 - replica-prepare man: remove pkinit option refs - Remove redundant option check for cert files - Resolves: #1438490 CA-less installation fails on publishing CA certificate - Get correct CA cert nickname in CA-less - Remove publish_ca_cert() method from NSSDatabase - Resolves: #1438838 Avoid arch-specific path in /etc/krb5.conf.d/ipa-certmap - IPA-KDB: use relative path in ipa-certmap config snippet - Resolves: #1439038 Allow erasing ipaDomainResolutionOrder attribute - Allow erasing ipaDomainResolutionOrder attribute- Resolves: #1434032 Run ipa-custodia with custom SELinux context - Require correct custodia version- Resolves: #800545 [RFE] Support SUDO command rename - Reworked the renaming mechanism - Allow renaming of the sudorule objects - Resolves: #872671 IPA WebUI login for AD Trusted User fails - WebUI: check principals in lowercase - WebUI: add method for disabling item in user dropdown menu - WebUI: Add support for login for AD users - Resolves: #1200767 [RFE] Allow Kerberos authentication for users with certificates on smart cards (pkinit) - ipa-kdb: add ipadb_fetch_principals_with_extra_filter() - IPA certauth plugin - ipa-kdb: do not depend on certauth_plugin.h - spec file: bump krb5-devel BuildRequires for certauth - Resolves: #1264370 RFE: disable last successful authentication by default in ipa. - Set "KDC:Disable Last Success" by default - Resolves: #1318186 Misleading error message during external-ca IPA master install - certs: do not implicitly create DS pin.txt - httpinstance: clean up /etc/httpd/alias on uninstall - Resolves: #1331443 Re-installing ipa-server after uninstall fails with "ERROR CA certificate chain in ... incomplete" - certs: do not implicitly create DS pin.txt - httpinstance: clean up /etc/httpd/alias on uninstall - Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication - configure: fix --disable-server with certauth plugin - rpcserver.login_x509: Actually return reply from __call__ method - spec file: Bump requires to make Certificate Login in WebUI work - Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping - extdom: do reverse search for domain separator - extdom: improve cert request - Resolves: #1430363 [RFE] HBAC rule names command rename - Reworked the renaming mechanism - Allow renaming of the HBAC rule objects - Resolves: #1433082 systemctl daemon-reload needs to be called after httpd.service.d/ipa.conf is manipulated - tasks: run `systemctl daemon-reload` after httpd.service.d updates - Resolves: #1434032 Run ipa-custodia with custom SELinux context - Use Custodia 0.3.1 features - Resolves: #1434384 RPC client should use HTTP persistent connection - Use connection keep-alive - Add debug logging for keep-alive - Increase Apache HTTPD's default keep alive timeout - Resolves: #1434729 man ipa-cacert-manage install needs clarification - man ipa-cacert-manage install needs clarification - Resolves: #1434910 replica install against IPA v3 master fails with ACIError - Fixing replica install: fix ldap connection in domlvl 0 - Resolves: #1435394 Ipa-kra-install fails with weird output when backspace is used during typing Directory Manager password - ipapython.ipautil.nolog_replace: Do not replace empty value - Resolves: #1435397 ipa-replica-install can't install replica file produced by ipa-replica-prepare on 4.5 - replica prepare: fix wrong IPA CA nickname in replica file - Resolves: #1435599 WebUI: in self-service Vault menu item is shown even if KRA is not installed - WebUI: Fix showing vault in selfservice view - Resolves: #1435718 As a ID user I cannot call a command with --rights option - ldap2: use LDAP whoami operation to retrieve bind DN for current connection - Resolves: #1436319 "Truncated search results" pop-up appears in user details in WebUI - WebUI: Add support for suppressing warnings - WebUI: suppress truncation warning in select widget - Resolves: #1436333 Uninstall fails with No such file or directory: '/var/run/ipa/services.list' - Create temporaty directories at the begining of uninstall - Resolves: #1436334 WebUI: Adding certificate mapping data using certificate fails - WebUI: Allow to add certs to certmapping with CERT LINES around - Resolves: #1436338 CLI doesn't work after ipa-restore - Backup ipa-specific httpd unit-file - Backup CA cert from kerberos folder - Resolves: #1436342 Bump samba version, required for FIPS mode and privilege separation - Bump samba version for FIPS and priv. separation - Resolves: #1436642 [ipalib/rpc.py] - "maximum recursion depth exceeded" with ipa vault commands - Avoid growing FILE ccaches unnecessarily - Handle failed authentication via cookie - Work around issues fetching session data - Prevent churn on ccaches - Resolves: #1436657 Add workaround for pki_pin for FIPS - Generate PIN for PKI to help Dogtag in FIPS - Resolves: #1436714 [vault] cache KRA transport cert - Simplify KRA transport cert cache - Resolves: #1436723 cert-find does not find all certificates without sizelimit=0 - cert: do not limit internal searches in cert-find - Resolves: #1436724 Renewal of IPA RA fails on replica - dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function - Resolves: #1436753 Master tree fails to install - httpinstance.disable_system_trust: Don't fail if module 'Root Certs' is not available- Resolves: #1432630 python2-jinja2 needed for python2-ipaclient - Remove csrgen - Resolves: #1432903 Set GssProxy options to enable caching of ldap tickets - Add options to allow ticket caching- Resolves: #828866 [RFE] enhance --subject option for ipa-server-install - Resolves: #1160555 ipa-server-install: Cannot handle double hyphen "--" in hostname - Resolves: #1286288 Insufficient 'write' privilege to the 'ipaExternalMember' attribute - Resolves: #1321652 ipa-server-install fails when using external certificates that encapsulate RDN components in double quotes - Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on revocation reasons - Resolves: #1340880 ipa-server-install: improve prompt on interactive installation - Resolves: #1353841 ipa-replica-install fails to install when resolv.conf incomplete entries - Resolves: #1356104 cert-show command does not display Subject Alternative Names - Resolves: #1357511 Traceback message seen when ipa is provided with invalid configuration file name - Resolves: #1358752 ipa-ca-install fails on replica when IPA server is converted from CA-less to CA-full - Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication - Resolves: #1367572 improve error message in ipa migrate-ds: mention ipa config-mod --enable-migration=TRUE - Resolves: #1367868 Add options to retrieve lightweight CA certificate/chain - Resolves: #1371927 Implement ca-enable/disable commands. - Resolves: #1372202 Add Users into User Group editors fails to show Full names - Resolves: #1373091 Adding an auth indicator from the CLI creates an extra check box in the UI - Resolves: #1375596 Ipa-server WebUI - long user/group name show wrong error message - Resolves: #1375905 "Normal" group type in the UI is confusing - Resolves: #1376040 IPA client ipv6 - invalid --ip-address shows traceback - Resolves: #1376630 IDM admin password gets written to /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf - Resolves: #1376729 ipa-server-install script option --no_hbac_allow should match other options - Resolves: #1378461 IPA Allows Password Reuse with History value defined when admin resets the password. - Resolves: #1379029 conncheck failing intermittently during single step replica installs - Resolves: #1379858 [RFE] better debugging for ipa-replica-conncheck - Resolves: #1384310 ipa dnsrecord-add fails with Keyerror stack trace - Resolves: #1392778 Update man page for ipa-adtrust-install by removing --no-msdcs option - Resolves: #1392858 Rebase to FreeIPA 4.5+ - Rebase to 4.5.0 - Resolves: #1399133 Delete option shouldn't be available for hosts applied to view. - Resolves: #1399190 [RFE] Certificates issued by externally signed IdM CA should contain full trust chain - Resolves: #1400416 RFE: Provide option to take backup of IPA server before uninstalling IPA server - Resolves: #1400529 cert-request is not aware of Kerberos principal aliases - Resolves: #1401526 IPA WebUI certificates are grayed out on overview page but not on details page - Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping - Resolves: #1404750 ipa-client-install fails to get CA cert via LDAP when non-FQDN name of IPA server is first in /etc/hosts - Resolves: #1409628 [RFE] Semi-automatic integration with external DNS using nsupdate - Resolves: #1413742 Backport request for bug/issue Change IP address validation errors to warnings - Resolves: #1415652 IPA replica install log shows password in plain text - Resolves: #1427897 different behavior regarding system wide certs in master and replica. - Resolves: #1430314 The ipa-managed-entries command failed, exception: AttributeError: ldap2- Resolves: #1419735 ipa-replica-install fails promotecustodia.create_replica with cert errors (untrusted) - added ssl verification using IPA trust anchor - Resolves: #1428472 batch param compatibility is incorrect - compat: fix `Any` params in `batch` and `dnsrecord` - Renamed patches 1011 and 1012 to 0159 and 0157, as they were merged upstream- Resolves: #1416454 replication race condition prevents IPA to install - wait_for_entry: use only DN as parameter - Wait until HTTPS principal entry is replicated to replica - Use proper logging for error messages- Resolves: #1365858 ipa-ca-install fails on replica when IPA Master is installed without CA - Set up DS TLS on replica in CA-less topology - Resolves: #1398600 IPA replica install fails with dirsrv errors. - Do not configure PKI ajp redirection to use "::1" - Resolves: #1413137 CVE-2017-2590 ipa: Insufficient permission check for ca-del, ca-disable and ca-enable commands - ca: correctly authorise ca-del, ca-enable and ca-disable- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services by abusing password policy - ipa-kdb: search for password policies globally - Renamed patches 1011 and 1012 to 0151 and 0150, as they were merged upstream- Resolves: #1398670 Check IdM Topology for broken record caused by replication conflict before upgrading it - Check for conflict entries before raising domain level- Resolves: #1382812 Creation of replica for disconnected environment is failing with CA issuance errors; Need good steps. - gracefully handle setting replica bind dn group on old masters - Resolves: #1397439 ipa-ca-install on promoted replica hangs on creating a temporary CA admin - replication: ensure bind DN group check interval is set on replica config - add missing attribute to ipaca replica during CA topology update - Resolves: #1401088 IPA upgrade of replica without DNS fails during restart of named-pkcs11 - bindinstance: use data in named.conf to determine configuration status- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services by abusing password policy - password policy: Add explicit default password policy for hosts and services - Resolves: #1395311 CVE-2016-9575 ipa: Insufficient permission check in certprofile-mod - certprofile-mod: correctly authorise config update- Resolves: #1378353 Replica install fails with old IPA master sometimes during replication process - spec file: bump minimal required version of 389-ds-base - Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1 - Fix missing file that fails DL1 replica installation - Resolves: #1387782 WebUI: Services are not displayed correctly after upgrade - WebUI: services without canonical name are shown correctly - Resolves: #1389709 Traceback seen in error_log when trustdomain-del is run - trustdomain-del: fix the way how subdomain is searched- Resolves: #1318616 CA fails to start after doing ipa-ca-install --external-ca - Keep NSS trust flags of existing certificates - Resolves: #1360813 ipa-server-certinstall does not update all certificate stores and doesn't set proper trust permissions - Add cert checks in ipa-server-certinstall - Resolves: #1371479 cert-find --all does not show information about revocation - cert: add revocation reason back to cert-find output - Resolves: #1375133 WinSync users who have First.Last casing creates users who can have their password set - ipa passwd: use correct normalizer for user principals - Resolves: #1377858 Users with 2FA tokens are not able to login to IPA servers - Properly handle LDAP socket closures in ipa-otpd - Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1 - Make httpd publish its CA certificate on DL1- Resolves: #1373910 IPA server upgrade fails with DNS timed out errors. - Resolves: #1375269 ipa trust-fetch-domains throws internal error- Resolves: #1373359 ipa-certupdate fails with "CA is not configured" - Fix regression introduced in ipa-certupdate- Resolves: #1355753 adding two way non transitive(external) trust displays internal error on the console - Always fetch forest info from root DCs when establishing two-way trust - factor out `populate_remote_domain` method into module-level function - Always fetch forest info from root DCs when establishing one-way trust - Resolves: #1356101 Lightweight sub-CA certs are not tracked by certmonger after `ipa-replica-install` - Track lightweight CAs on replica installation - Resolves: #1357488 ipa command stuck forever on higher versioned client with lower versioned server - compat: Save server's API version in for pre-schema servers - compat: Fix ping command call - schema cache: Store and check info for pre-schema servers - Resolves: #1363905 man page for ipa-replica-manage has a typo in -c flag - Fix man page ipa-replica-manage: remove duplicate -c option from --no-lookup - Resolves: #1367865 webui: cert_revoke should use --cacn to set correct CA when revoking certificate - cert: include CA name in cert command output - WebUI add support for sub-CAs while revoking certificates - Resolves: #1368424 Unable to view certificates issued by Sub CA in Web UI - Add support for additional options taken from table facet - WebUI: Fix showing certificates issued by sub-CA - Resolves: #1368557 dnsrecord-add does not prompt for missing record parts internactively - dns: normalize record type read interactively in dnsrecord_add - dns: prompt for missing record parts in CLI - dns: fix crash in interactive mode against old servers - Resolves: #1370519 Certificate revocation in service-del and host-del isn't aware of Sub CAs - cert: fix cert-find --certificate when the cert is not in LDAP - Make host/service cert revocation aware of lightweight CAs - Resolves: #1371901 Use OAEP padding with custodia - Use RSA-OAEP instead of RSA PKCS#1 v1.5 - Resolves: #1371915 When establishing external two-way trust, forest root Administrator account is used to fetch domain info - do not use trusted forest name to construct domain admin principal - Resolves: #1372597 Incorrect CA ACL evaluation of SAN DNS names in certificate request - Fix CA ACL Check on SubjectAltNames - Resolves: #1373272 CLI always sends default command version - cli: use full name when executing a command - Resolves: #1373359 ipa-certupdate fails with "CA is not configured" - Fix ipa-certupdate for CA-less installation - Resolves: #1373540 client-install with IPv6 address fails on link-local address (always) - Fix parse errors with link-local addresses- Resolves: #1081561 CA not start during ipa server install in pure IPv6 env - Fix ipa-server-install in pure IPv6 environment - Resolves: #1318169 Tree-root domains in a trusted AD forest aren't marked as reachable via the forest root - trust: make sure ID range is created for the child domain even if it exists - ipa-kdb: simplify trusted domain parent search - Resolves: #1335567 Update Warning in IdM Web UI API browser - WebUI: add API browser is tech preview warning - Resolves: #1348560 Mulitple domain Active Directory Trust conflict - ipaserver/dcerpc: reformat to make the code closer to pep8 - trust: automatically resolve DNS trust conflicts for triangle trusts - Resolves: #1351593 CVE-2016-5404 ipa: Insufficient privileges check in certificate revocation - cert-revoke: fix permission check bypass (CVE-2016-5404) - Resolves: #1353936 custodia.conf and server.keys file is world-readable. - Remove Custodia server keys from LDAP - Secure permissions of Custodia server.keys - Resolves: #1358752 ipa-ca-install fails on replica when IPA server is converted from CA-less to CA-full - custodia: include known CA certs in the PKCS#12 file for Dogtag - custodia: force reconnect before retrieving CA certs from LDAP - Resolves: #1362333 ipa vault container owner cannot add vault - Fix: container owner should be able to add vault - Resolves: #1365546 External trust with root domain is transitive - trust: make sure external trust topology is correctly rendered - Resolves: #1365572 IPA server broken after upgrade - Require pki-core-10.3.3-7 - Resolves: #1367864 Server assumes latest version of command instead of version 1 for old / 3rd party clients - rpcserver: assume version 1 for unversioned command calls - rpcserver: fix crash in XML-RPC system commands - Resolves: #1367773 thin client ignores locale change - schema cache: Fallback to 'en_us' when locale is not available - Resolves: #1368754 ipa server uninstall fails with Python "Global Name error" - Fail on topology disconnect/last role removal - Resolves: #1368981 ipa otptoken-add --type=hotp --key creates wrong OTP - otptoken, permission: Convert custom type parameters on server - Resolves: #1369414 ipa server-del fails with Python stack trace - Handled empty hostname in server-del command - Resolves: #1369761 ipa-server must depend on a version of httpd that support mod_proxy with UDS - Require httpd 2.4.6-31 with mod_proxy Unix socket support - Resolves: #1370512 Received ACIError instead of DuplicatedError in stageuser_tests - Raise DuplicatedEnrty error when user exists in delete_container - Resolves: #1371479 cert-find --all does not show information about revocation - cert: add missing param values to cert-find output - Renamed patch 1011 to 0100, as it was merged upstream- Resolves: #1298288 [RFE] Improve performance in large environments. - cert: speed up cert-find - Resolves: #1317379 [EXPERIMENTAL][RFE] Web UI: allow Smart Card authentication - service: add flag to allow S4U2Self - Add 'trusted to auth as user' checkbox - Added new authentication method - Resolves: #1353881 ipa-replica-install suggests about non-existent --force-ntpd option - Don't show --force-ntpd option in replica install - Resolves: #1354441 DNS forwarder check is too strict: unable to add sub-domain to already-broken domain - DNS: allow to add forward zone to already broken sub-domain - Resolves: #1356146 performance regression in CLI help - schema: Speed up schema cache - frontend: Change doc, summary, topic and NO_CLI to class properties - schema: Introduce schema cache format - schema: Generate bits for help load them on request - help: Do not create instances to get information about commands and topics - schema cache: Do not reset ServerInfo dirty flag - schema cache: Do not read fingerprint and format from cache - Access data for help separately - frontent: Add summary class property to CommandOverride - schema cache: Read server info only once - schema cache: Store API schema cache in memory - client: Do not create instance just to check isinstance - schema cache: Read schema instead of rewriting it when SchemaUpToDate - Resolves: #1360769 ipa-server-certinstall couldnt unlock private key file - server install: do not prompt for cert file PIN repeatedly - Resolves: #1364113 ipa-password: ipa: ERROR: RuntimeError: Unable to create cache directory: [Errno 13] Permission denied: '/home/test_user' - schema: Speed up schema cache - Resolves: #1366604 `cert-find` crashes on invalid certificate data - cert: do not crash on invalid data in cert-find - Resolves: #1366612 Middle replica uninstallation in line topology works without '--ignore-topology-disconnect' - Fail on topology disconnect/last role removal - Resolves: #1366626 caacl-add-service: incorrect error message when service does not exists - Fix ipa-caalc-add-service error message - Resolves: #1367022 The ipa-server-upgrade command failed when named-pkcs11 does not happen to run during dnf upgrade - DNS server upgrade: do not fail when DNS server did not respond - Resolves: #1367759 [RFE] [webui] warn admin if there is only one IPA server with CA - Add warning about only one existing CA server - Set servers list as default facet in topology facet group - Resolves: #1367773 thin client ignores locale change - schema check: Check current client language against cached one- Resolves: #1361119 UPN-based search for AD users does not match an entry in slapi-nis map cache - support multiple uid values in schema compatibility tree- Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6 - Revert "spec: add conflict with bind-chroot to freeipa-server-dns" - Resolves: #1341249 Subsequent external CA installation fails - install: fix external CA cert validation - Resolves: #1353831 ipa-server-install fails in container because of hostnamectl set-hostname - server-install: Fix --hostname option to always override api.env values - install: Call hostnamectl set-hostname only if --hostname option is used - Resolves: #1356091 ipa-cacert-manage --help and man differ - Improvements for the ipa-cacert-manage man and help - Resolves: #1360631 ipa-backup is not keeping the /etc/tmpfiles.d/dirsrv-.conf - ipa-backup: backup /etc/tmpfiles.d/dirsrv-.conf - Resolves: #1361047 ipa-replica-install --help usage line suggests the replica file is needed - Update ipa-replica-install documentation - Resolves: #1361545 ipa-client-install starts rhel-domainname.service but does not rpm-require it - client: RPM require initscripts to get *-domainname.service - Resolves: #1364197 caacl: error when instantiating rules with service principals - caacl: fix regression in rule instantiation - Resolves: #1364310 ipa otptoken-add bytes object has no attribute confirm - parameters: move the `confirm` kwarg to Param - Resolves: #1364464 Topology graph: ca and domain adders shows question marks instead of plus icon - Fix unicode characters in ca and domain adders - Resolves: #1365083 Incomplete output returned for command ipa vault-add - client: add missing output params to client-side commands - Resolves: #1365526 build fails during "make check" - ipa-kdb: Fix unit test after packaging changes in krb5- Resolves: #1353829 traceback message seen in ipaserver-uninstall.log file. - Do not initialize API in ipa-client-automount uninstall - Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin client changes - idrange: fix unassigned global variable - Resolves: #1360792 Migrating users doesn't update krbCanonicalName - re-set canonical principal name on migrated users - Resolves: #1362012 ipa hbactest produces error about cannot concatenate 'str' and 'bool' objects - Fix ipa hbactest output - Resolves: #1362260 ipa vault-mod no longer allows defining salt - vault: add missing salt option to vault_mod - Resolves: #1362312 ipa vault-retrieve internal error when using the wrong public key - vault: Catch correct exception in decrypt - Resolves: #1362537 ipa-server-install fails to create symlink from /etc/ipa/kdcproxy/ to /etc/httpd/conf.d/ - Correct path to HTTPD's systemd service directory - Resolves: #1363756 Increase length of passwords generated by installer - Increase default length of auto generated passwords- Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos aliases) - harden the check for trust namespace overlap in new principals - Resolves: #1351142 CLI is not using session cookies for communication with IPA API - Fix session cookies - Resolves: #1353888 Fix the help for ipa otp and other topics - help: Add dnsserver commands to help topic 'dns' - Resolves: #1354406 host-del updatedns options complains about missing ptr record for host - Host-del: fix behavior of --updatedns and PTR records - Resolves: #1355718 ipa-replica-manage man page example output differs actual command output - Minor fix in ipa-replica-manage MAN page - Resolves: #1358229 Traceback message should be fixed, seen while editing winsync migrated user information in Default trust view. - baseldap: Fix MidairCollision instantiation during entry modification - Resolves: #1358849 CA replica install logs to wrong log file - unite log file name of ipa-ca-install - Resolves: #1359130 ipa-server-install command fails to install IPA server. - DNS Locations: fix update-system-records unpacking error - Resolves: #1359237 AVC on dirsrv config caused by IPA installer - Use copy when replacing files to keep SELinux context - Resolves: #1359692 ipa-client-install join fail with traceback against RHEL-6.8 ipa-server - compat: fix ping call - Resolves: #1359738 ipa-replica-install --domain= option does not work - replica-install: Fix --domain - Resolves: #1360778 Vault commands are available in CLI even when the server does not support them - Revert "Enable vault-* commands on client" - client: fix hiding of commands which lack server support - Related: #1281704 Rebase to softhsm 2.1.0 - Remove the workaround for softhsm bug #1293340 - Related: #1298288 [RFE] Improve performance in large environments. - Create indexes for krbCanonicalName attribute- Resolves: #1296140 Remove redhat-access-plugin-ipa support - Obsolete and conflict redhat-access-plugin-ipa - Resolves: #1351119 Multiple issues while uninstalling ipa-server - server uninstall fails to remove krb principals - Resolves: #1351758 ipa commands not showing expected error messages - frontend: copy command arguments to output params on client - Show full error message for selinuxusermap-add-hostgroup - Resolves: #1352883 Traceback on adding default automember group and hostgroup set - allow 'value' output param in commands without primary key - Resolves: #1353888 Fix the help for ipa otp and other topics - schema: Fix subtopic -> topic mapping - Resolves: #1354348 ipa trustconfig-show throws internal error. - allow 'value' output param in commands without primary key - Resolves: #1354381 ipa trust-add with raw option gives internal error. - trust-add: handle `--all/--raw` options properly - Resolves: #1354493 Replica install fails with old IPA master - DNS install: Ensure that DNS servers container exists - Resolves: #1354628 ipa hostgroup-add-member does not return error message when adding itself as member - frontend: copy command arguments to output params on client - Resolves: #1355856 ipa otptoken-add --type=totp gives internal error - messages: specify message type for ResultFormattingError - Resolves: #1356063 "ipa radiusproxy-add" command needs to prompt to enter secret key - expose `--secret` option in radiusproxy-* commands - prevent search for RADIUS proxy servers by secret - Resolves: #1356099 Bug in the ipapwd plugin - Heap corruption in ipapwd plugin - Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin client changes - Use server API in com.redhat.idm.trust-fetch-domains oddjob helper - Resolves: #1356964 Renaming a user removes all of his principal aliases - Preserve user principal aliases during rename operation- Resolves: #1274524 [RFE] Qualify up to 60 IdM replicas - Resolves: #1320838 [RFE] Support IdM Client in a DNS domain controlled by AD - Related: #1356134 'kinit -E' does not work for IPA user- Resolves: #1356102 Server uninstall does not stop tracking lightweight sub-CA with certmonger - uninstall: untrack lightweight CA certs - Resolves: #1351807 ipa-nis-manage config.get_dn missing - ipa-nis-manage: Use server API to retrieve plugin status - Resolves: #1353452 ipa-compat-manage command failed, exception: NotImplementedError: config.get_dn() - ipa-compat-manage: use server API to retrieve plugin status - Resolves: #1353899 ipa-advise: object of type 'type' has no len() - ipa-advise: correct handling of plugin namespace iteration - Resolves: #1356134 'kinit -E' does not work for IPA user - kdb: check for local realm in enterprise principals - Resolves: #1353072 ipa unknown command vault-add - Enable vault-* commands on client - vault-add: set the default vault type on the client side if none was given - Resolves: #1353995 Default CA can be used without a CA ACL - caacl: expand plugin documentation - Resolves: #1356144 host-find should not print SSH keys by default, only SSH fingerprints - host-find: do not show SSH key by default - Resolves: #1353506 ipa migrate-ds command fails for IPA in RHEL 7.3 - Removed unused method parameter from migrate-ds- Resolves: #747612 [RFE] IPA should support and manage DNS sites - Resolves: #826790 Disabling password expiration (--maxlife=0 and --minlife=0) in the default global_policy in IPA sets user's password expiration (krbPasswordExpiration) to be 90 days - Resolves: #896699 ipa-replica-manage -H does not delete DNS SRV records - Resolves: #1084018 [RFE] Add IdM user password change support for legacy client compat tree - Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos aliases) - Fix incorrect check for principal type when evaluating CA ACLs - Resolves: #1146860 [RFE] Offer OTP generation for host enrollment in the UI - Resolves: #1238190 ipasam unable to lookup group in directory yet manual search works - Resolves: #1250110 search by users which don't have read rights for all attrs in search_attributes fails - Resolves: #1263764 Show Certificate displays in useless format - Resolves: #1272491 [WebUI] Certificate action dropdown does not display all the options after adding new certificate - Resolves: #1292141 Rebase to FreeIPA 4.4+ - Rebase to 4.4.0 - Resolves: #1294503 IPA fails to issue 3rd party certs - Resolves: #1298242 [RFE] API compatibility - compatibility of clients - Resolves: #1298848 [RFE] Centralized topology management - Resolves: #1298966 [RFE] Extend Smart Card support - Resolves: #1315146 Multiple clients cannot join domain simultaneously: /var/run/httpd/ipa/clientcaches race condition? - Resolves: #1318903 ipa server install failing when SUBCA signs the cert - Resolves: #1319003 ipa-winsync-migrate: Traceback should be fixed with proper console output - Resolves: #1324055 IPA always qualify requests for admin - Resolves: #1328552 [RFE] Allow users to authenticate with alternative names - Resolves: #1334582 Inconsistent UI and CLI options for removing certificate hold - Resolves: #1346321 Exclude o=ipaca subtree from Retro Changelog (syncrepl) - Resolves: #1349281 Fix `Conflicts` with ipa-python - Resolves: #1350695 execution of copy-schema script fails - Resolves: #1351118 upgrade failed for RHEL-7.3 from RHEL-7.2.z - Resolves: #1351153 AVC seen on Replica during ipa-server upgrade test execution to 7.3 - Resolves: #1351276 ipa-server-install with dns cannot resolve itself to create ipa-ca entry - Related: #1343422 [RFE] Add GssapiImpersonate option- Resolves: #1348948 IPA server install fails with build ipa-server-4.4.0-0.el7.1.alpha1 - Revert "Increased mod_wsgi socket-timeout"- Resolves: #712109 "krbExtraData not allowed" is logged in DS error log while setting password for default sudo binddn. - Resolves: #747612 [RFE] IPA should support and manage DNS sites - Resolves: #768316 [RFE] ipa-getkeytab should auto-detect the ipa server name - Resolves: #825391 [RFE] Replica installation should provide a means for inheriting nssldap security access settings - Resolves: #921497 Incorrect *.py[co] files placement - Resolves: #1029640 RHEL7 IPA to add DNA Plugin config for dnaRemote support - Resolves: #1029905 389 DS cache sizes not replicated to IPA replicas - Resolves: #1196958 IPA replica installation failing with high number of users (160000). - Resolves: #1219402 IPA suggests to uninstall a client when the user needs to uninstall a replica - Resolves: #1224057 [RFE] TGS authorization decisions in KDC based on Authentication Indicator - Resolves: #1234222 [WebUI] UI error message is not appropriate for "Kerberos principal expiration" - Resolves: #1234223 [WebUI] General invalid password error message appearing for "Locked user" - Resolves: #1254267 ipa-server-install failure applying ldap updates with limits exceeded - Resolves: #1258626 realmdomains-mod --add-domain command throwing error when doamin already is in forwardzone. - Resolves: #1259020 ipa-server-adtrust-install doesn't allow NetBIOS-name=EXAMPLE-TEST.COM (dash character) - Resolves: #1260993 DNSSEC signing enablement on dnszone should throw error message when DNSSEC master not installed - Resolves: #1262747 dnssec options missing in ipa-dns-install man page - Resolves: #1265900 Fail installation immediately after dirsrv fails to install using ipa-server-install - Resolves: #1265915 idoverrideuser-find fails if any SID anchor is not resolvable anymore - Resolves: #1268027 ipa-dnskeysync-replica crash with backtrace - LimitsExceeded: limits exceeded for this query - Resolves: #1269089 Certificate of managed-by host/service fails to resubmit - Resolves: #1269200 ipa-server crashing while trying to preserve admin user - Resolves: #1271321 Reduce ioblocktimeout and idletimeout defaults - Resolves: #1271579 Automember rule expressions disappear from tables on single expression delete - Resolves: #1275816 Incomplete ports for IPA ad-trust - Resolves: #1276351 [RFE] Remove /usr/share/ipa/updates/50-lockout-policy.update file from IPA releases - Resolves: #1277109 Add tool tips for Revert, Refresh, Undo, and Undo All in the IPA UI - Resolves: #1278426 Better error message needed for invalid ca-signing-algo option - Resolves: #1279932 ipa-client-install --request-cert needs workaround in anaconda chroot - Resolves: #1282521 Creating a user w/o private group fails when doing so in WebUI - Resolves: #1283879 ipa-winsync-migrate: Traceback message should be replaced by "IPA is not configured on this system" - Resolves: #1285071 ipa-kra-install fails on replica looking for admin cert file - Resolves: #1287194 [RFE] Support of UPN for trusted domains - Resolves: #1288967 Normalize Manager entry in ipa user-add - Resolves: #1289487 Priority field missing in Password Policy detail tab - Resolves: #1291140 ipa client should configure kpasswd_server directive in krb5.conf - Resolves: #1292141 Rebase to FreeIPA 4.4+ - Rebase to 4.4.0.alpha1 - Resolves: #1298848 [RFE] Centralized topology management - Resolves: #1300576 Browser setup page includes instructions for Internet Explorer - Resolves: #1301586 ipa host-del --updatedns should remove related dns entries. - Resolves: #1304618 Residual Files After IPA Server Uninstall - Resolves: #1305144 ipa-python does not require its dependencies - Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6 - Resolves: #1313798 Console output post ipa-winsync-migrate command should be corrected. - Resolves: #1314786 [RFE] External Trust with Active Directory domain - Resolves: #1319023 Include description for 'status' option in man page for ipactl command. - Resolves: #1319912 ipa-server-install does not completely change hostname and named-pkcs11 fails - Resolves: #1320891 IPA Error 3009: Validation error: Invalid 'ptrrecord': Reverse zone in-addr.arpa. requires exactly 4 IP address compnents, 5 given - Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on revocation reasons - Resolves: #1328549 "ipa-kra-install" command reports incorrect message when it is executed on server already installed with KRA. - Resolves: #1329209 ipa-nis-manage enable: change service name from 'portmap' to 'rpcbind' - Resolves: #1329275 ipa-nis-manage command should include status option - Resolves: #1330843 'man ipa' should be updated with latest commands - Resolves: #1333755 ipa cert-request causes internal server error while requesting certificate - Resolves: #1337484 EOF is not handled for ipa-client-install command - Resolves: #1338031 Insufficient 'write' privilege on some attributes for the members of the role which has "User Administrators" privilege. - Resolves: #1343142 IPA DNS should do better verification of DNS zones - Resolves: #1347928 Frontpage exposes runtime error with no cookies enabled in browser- Resolves: #1339483 ipa-server-install fails with ERROR pkinit_cert_files - Fix incorrect rebase of patch 1001- Resolves: #1339233 CA installed on replica is always marked as renewal master - Related: #1292141 Rebase to FreeIPA 4.4+ - Rebase to 4.3.1.201605241723GIT1b427d3- Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install because of missing dependencies - Rebuild with krb5-1.14.1- Resolves: #837369 [RFE] Switch to client promotion to replica model - Resolves: #1199516 [RFE] Move replication topology to the shared tree - Resolves: #1206588 [RFE] Visualize FreeIPA server replication topology - Resolves: #1211602 Hide ipa-server-install KDC master password option (-P) - Resolves: #1212713 ipa-csreplica-manage: it could be nice to have also list-ruv / clean-ruv / abort-clean-ruv for o=ipaca backend - Resolves: #1267206 ipa-server-install uninstall should warn if no installation found - Resolves: #1295865 The Domain option is not correctly set in idmapd.conf when ipa-client-automount is executed. - Resolves: #1327092 URI details missing and OCSP-URI details are incorrectly displayed when certificate generated using IPA on RHEL 7.2up2. - Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install because of missing dependencies - Related: #1292141 Rebase to FreeIPA 4.4+ - Rebase to 4.3.1.201605191449GITf8edf37- Resolves: #1277696 IPA certificate auto renewal fail with "Invalid Credential" - cert renewal: make renewal of ipaCert atomic - Resolves: #1278330 installer options are not validated at the beginning of installation - install: fix command line option validation - Resolves: #1282845 sshd_config change on ipa-client-install can prevent sshd from starting up - client install: do not corrupt OpenSSH config with Match sections - Resolves: #1282935 ipa upgrade causes vault internal error - install: export KRA agent PEM file in ipa-kra-install - Resolves: #1283429 Default CA ACL rule is not created during ipa-replica-install - TLS and Dogtag HTTPS request logging improvements - Avoid race condition caused by profile delete and recreate - Do not erroneously reinit NSS in Dogtag interface - Add profiles and default CA ACL on migration - disconnect ldap2 backend after adding default CA ACL profiles - do not disconnect when using existing connection to check default CA ACLs - Resolves: #1283430 ipa-kra-install: fails to apply updates - suppress errors arising from adding existing LDAP entries during KRA install - Resolves: #1283748 Caching of ipaconfig does not work in framework - fix caching in get_ipa_config - Resolves: #1283943 IPA DNS Zone/DNS Forward Zone details missing after upgrade from RHEL 7.0 to RHEL 7.2 - upgrade: fix migration of old dns forward zones - Fix upgrade of forwardzones when zone is in realmdomains - Resolves: #1284413 ipa-cacert-manage renew fails on nonexistent ldap connection - ipa-cacert-renew: Fix connection to ldap. - Resolves: #1284414 ipa-otptoken-import fails on nonexistent ldap connection - ipa-otptoken-import: Fix connection to ldap. - Resolves: #1286635 IPA server upgrade fails from RHEL 7.0 to RHEL 7.2 using "yum update ipa* sssd" - Set minimal required version for openssl - Resolves: #1286781 ipa-nis-manage does not update ldap with all NIS maps - Upgrade: Fix upgrade of NIS Server configuration - Resolves: #1289311 umask setting causes named-pkcs11 issue with directory permissions on /var/lib/ipa/dnssec - DNS: fix file permissions - Explicitly call chmod on newly created directories - Fix: replace mkdir with chmod - Resolves: #1290142 Broken 7.2.0 to 7.2.z upgrade - flawed version comparison - Fix version comparison - use FFI call to rpmvercmp function for version comparison - Resolves: #1292595 In IPA-AD trust environment some secondary IPA based Posix groups are missing - ipa-kdb: map_groups() consider all results - Resolves: #1293870 User should be notified for wrong password in password reset page - Fixed login error message box in LoginScreen page - Resolves: #1296196 Sysrestore did not restore state if a key is specified in mixed case - Allow to used mixed case for sysrestore - Resolves: #1296214 DNSSEC key purging is not handled properly - DNSSEC: Improve error reporting from ipa-ods-exporter - DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP - DNSSEC: Make sure that current key state in LDAP matches key state in BIND - DNSSEC: remove obsolete TODO note - DNSSEC: add debug mode to ldapkeydb.py - DNSSEC: logging improvements in ipa-ods-exporter - DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP - DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP - DNSSEC: ipa-ods-exporter: add ldap-cleanup command - DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal - DNSSEC: Log debug messages at log level DEBUG - Resolves: #1296216 ipa-server-upgrade fails if certmonger is not running - prevent crash of CA-less server upgrade due to absent certmonger - always start certmonger during IPA server configuration upgrade - Resolves: #1297811 The ipa -e skip_version_check=1 still issues incompatibility error when called against RHEL 6 server - ipalib: assume version 2.0 when skip_version_check is enabled - Resolves: #1298289 install fails when locale is "fr_FR.UTF-8" - Do not decode HTTP reason phrase from Dogtag - Resolves: #1300252 shared certificateProfiles container is missing on a freshly installed RHEL7.2 system - upgrade: unconditional import of certificate profiles into LDAP - Resolves: #1301674 --setup-dns and other options is forgotten for using an external PKI - installer: Propagate option values from components instead of copying them. - installer: Fix logic of reading option values from cache. - Resolves: #1301687 issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup - ipa-ca-install: print more specific errors when CA is already installed - cert renewal: import all external CA certs on IPA CA cert renewal - CA install: explicitly set dogtag_version to 10 - fix standalone installation of externally signed CA on IPA master - replica install: validate DS and HTTP server certificates - replica install: improvements in the handling of CA-related IPA config entries - Resolves: #1301901 [RFE] compat tree: show AD members of IPA groups - slapi-nis: update configuration to allow external members of IPA groups - Resolves: #1305533 ipa trust-add succeded but after that ipa trust-find returns "0 trusts matched" - upgrade: fix config of sidgen and extdom plugins - trusts: use ipaNTTrustPartner attribute to detect trust entries - Warn user if trust is broken - fix upgrade: wait for proper DS socket after DS restart - Insure the admin_conn is disconnected on stop - Fix connections to DS during installation - Fix broken trust warnings - Resolves: #1321092 Installers fail when there are multiple versions of the same certificate - certdb: never use the -r option of certutil - Related: #1317381 Crash during IPA upgrade due to slapd - spec file: update minimum required version of slapi-nis - Related: #1322691 CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2113 CVE-2016-2114 CVE-2016-2115 CVE-2016-2118 samba: various flaws [rhel-7.3] - Rebuild against newer Samba version- Resolves: #1252556 Missing CLI param and ACL for vault service operations - vault: fix private service vault creation- Resolves: #1262996 ipa vault internal error on replica without KRA - upgrade: make sure ldap2 is connected in export_kra_agent_pem - Resolves: #1270608 IPA upgrade fails for server with CA cert signed by external CA - schema: do not derive ipaVaultPublicKey from ipaPublicKey- Resolves: #1217009 OTP sync in UI does not work for TOTP tokens - Fix an integer underflow bug in libotp - Resolves: #1262996 ipa vault internal error on replica without KRA - install: always export KRA agent PEM file - vault: select a server with KRA for vault operations - Resolves: #1269777 IPA restore overwrites /etc/passwd and /etc/group files - do not overwrite files with local users/groups when restoring authconfig - Renamed patch 1011 to 0138, as it was merged upstream- Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to Trusts - winsync-migrate: Convert entity names to posix friendly strings - winsync-migrate: Properly handle collisions in the names of external groups - Resolves: #1261074 Adjust Firefox configuration to new extension signing policy - webui: use manual Firefox configuration for Firefox >= 40 - Resolves: #1263337 IPA Restore failed with installed KRA - ipa-backup: Add mechanism to store empty directory structure - Resolves: #1264793 CVE-2015-5284 ipa: ipa-kra-install includes certificate and private key in world readable file [rhel-7.2] - install: fix KRA agent PEM file permissions - Resolves: #1265086 Mark IdM API Browser as experimental - WebUI: add API browser is experimental warning - Resolves: #1265277 Fix kdcproxy user creation - install: create kdcproxy user during server install - platform: add option to create home directory when adding user - install: fix kdcproxy user home directory - Resolves: #1265559 GSS failure after ipa-restore - destroy httpd ccache after stopping the service- Resolves: #1258965 ipa vault: set owner of vault container - baseldap: make subtree deletion optional in LDAPDelete - vault: add vault container commands - vault: set owner to current user on container creation - vault: update access control - vault: add permissions and administrator privilege - install: support KRA update - Resolves: #1261586 ipa config-mod addattr fails for ipauserobjectclasses - config: allow user/host attributes with tagging options - Resolves: #1262315 Unable to establish winsync replication - winsync: Add inetUser objectclass to the passsync sysaccount- Resolves: #1260663 crash of ipa-dnskeysync-replica component during ipa-restore - IPA Restore: allows to specify files that should be removed - Resolves: #1261806 Installing ipa-server package breaks httpd - Handle timeout error in ipa-httpd-kdcproxy - Resolves: #1262322 Failed to backup CS.cfg message in upgrade. - Server Upgrade: backup CS.cfg when dogtag is turned off- Resolves: #1257074 The KRA agent cert is stored in a PEM file that is not tracked - cert renewal: Include KRA users in Dogtag LDAP update - cert renewal: Automatically update KRA agent PEM file - Resolves: #1257163 renaming certificatte profile with --rename option leads to integrity issues - certprofile: remove 'rename' option - Resolves: #1257968 kinit stop working after ipa-restore - Backup: back up the hosts file - Resolves: #1258926 Remove 'DNSSEC is experimental' warnings - DNSSEC: remove "DNSSEC is experimental" warnings - Resolves: #1258929 Uninstallation of IPA leaves extra entry in /etc/hosts - Installer: do not modify /etc/hosts before user agreement - Resolves: #1258944 DNSSEC daemons may deadlock when processing more than 1 zone - DNSSEC: backup and restore opendnssec zone list file - DNSSEC: remove ccache and keytab of ipa-ods-exporter - DNSSEC: prevent ipa-ods-exporter from looping after service auto-restart - DNSSEC: Fix deadlock in ipa-ods-exporter <-> ods-enforcerd interaction - DNSSEC: Fix HSM synchronization in ipa-dnskeysyncd when running on DNSSEC key master - DNSSEC: Fix key metadata export - DNSSEC: Wrap master key using RSA OAEP instead of old PKCS v1.5. - Resolves: #1258964 revert to use ldapi to add kra agent in KRA install - Using LDAPI to setup CA and KRA agents. - Resolves: #1259848 server closes connection and refuses commands after deleting user that is still logged in - ldap: Make ldap2 connection management thread-safe again - Resolves: #1259996 AttributeError: 'NameSpace' object has no attribute 'ra_certprofile' while ipa-ca-install - load RA backend plugins during standalone CA install on CA-less IPA master- Resolves: #1254689 Storing big file as a secret in vault raises traceback - vault: Limit size of data stored in vault - Resolves: #1255880 ipactl status should distinguish between different pki-tomcat services - ipactl: Do not start/stop/restart single service multiple times- Resolves: #1256840 [webui] majority of required fields is no longer marked as required - fix missing information in object metadata - Resolves: #1256842 [webui] no option to choose trust type when creating a trust - webui: add option to establish bidirectional trust - Resolves: #1256853 Clear text passwords in KRA install log - Removed clear text passwords from KRA install log. - Resolves: #1257072 The "Standard Vault" MUST not be the default and must be discouraged - vault: change default vault type to symmetric - Resolves: #1257163 renaming certificatte profile with --rename option leads to integrity issues - certprofile: prevent rename (modrdn)- Resolves: #1249226 IPA dnssec-validation not working for AD dnsforwardzone - DNSSEC: fix forward zone forwarders checks - Resolves: #1250190 idrange is not added for sub domain - trusts: format Kerberos principal properly when fetching trust topology - Resolves: #1252334 User life cycle: missing ability to provision a stage user from a preserved user - Add user-stage command - Resolves: #1252863 After applying RHBA-2015-1554 errata, IPA service fails to start. - spec file: Add Requires(post) on selinux-policy - Resolves: #1254304 Changing vault encryption attributes - Change internal rsa_(public|private)_key variable names - Added support for changing vault encryption. - Resolves: #1256715 Executing user-del --preserve twice removes the user pernamently - improve the usability of `ipa user-del --preserve` command- Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities - user-undel: Fix error messages. - Resolves: #1200694 [RFE] Support for multiple cert profiles - Prohibit deletion of predefined profiles - Resolves: #1232819 testing ipa-restore on fresh system install fails - Backup/resore authentication control configuration - Resolves: #1243331 pkispawn fails when migrating to 4.2 server from 3.0 server - Require Dogtag PKI >= 10.2.6 - Resolves: #1245225 Asymmetric vault drops traceback when the key is not proper - Asymmetric vault: validate public key in client - Resolves: #1248399 Missing DNSSEC related files in backup - fix typo in BasePathNamespace member pointing to ods exporter config - ipa-backup: archive DNSSEC zone file and kasp.db - Resolves: #1248405 PassSync should be disabled after ipa-winsync-migrate is finished - winsync-migrate: Add warning about passsync - winsync-migrate: Expand the man page - Resolves: #1248524 User can't find any hosts using "ipa host-find $HOSTNAME" - adjust search so that it works for non-admin users - Resolves: #1250093 ipa certprofile-import accepts invalid config - Require Dogtag PKI >= 10.2.6 - Resolves: #1250107 IPA framework should not allow modifying trust on AD trust agents - trusts: Detect missing Samba instance - Resolves: #1250111 User lifecycle - preserved users can be assigned membership - ULC: Prevent preserved users from being assigned membership - Resolves: #1250145 Add permission for user to bypass caacl enforcement - Add permission for bypassing CA ACL enforcement - Resolves: #1250190 idrange is not added for sub domain - idranges: raise an error when local IPA ID range is being modified - trusts: harden trust-fetch-domains oddjobd-based script - Resolves: #1250928 Man page for ipa-server-install is out of sync - install: Fix server and replica install options - Resolves: #1251225 IPA default CAACL does not allow cert-request for services after upgrade - Fix default CA ACL added during upgrade - Resolves: #1251561 ipa vault-add Unknown option: ipavaultpublickey - validate mutually exclusive options in vault-add - Resolves: #1251579 ipa vault-add --user should set container owner equal to user on first run - Fixed vault container ownership. - Resolves: #1252517 cert-request rejects request with correct krb5PrincipalName SAN - Fix KRB5PrincipalName / UPN SAN comparison - Resolves: #1252555 ipa vault-find doesn't work for services - vault: Add container information to vault command results - Add flag to list all service and user vaults - Resolves: #1252556 Missing CLI param and ACL for vault service operations - Added CLI param and ACL for vault service operations. - Resolves: #1252557 certprofile: improve profile format documentation - certprofile-import: improve profile format documentation - certprofile: add profile format explanation - Resolves: #1253443 ipa vault-add creates vault with invalid type - vault: validate vault type - Resolves: #1253480 ipa vault-add-owner does not fail when adding an existing owner - baseldap: Allow overriding member param label in LDAPModMember - vault: Fix param labels in output of vault owner commands - Resolves: #1253511 ipa vault-find does not use criteria - vault: Fix vault-find with criteria - Resolves: #1254038 ipa-replica-install pk12util error returns exit status 10 - install: Fix replica install with custom certificates - Resolves: #1254262 ipa-dnskeysync-replica crash cannot contact kdc - improve the handling of krb5-related errors in dnssec daemons - Resolves: #1254412 when dirsrv is off ,upgrade from 7.1 to 7.2 fails with starting CA and named-pkcs11.service - Server Upgrade: Start DS before CA is started. - Resolves: #1254637 Add ACI and permission for managing user userCertificate attribute - add permission: System: Manage User Certificates - Resolves: #1254641 Remove CSR allowed-extensions restriction - cert-request: remove allowed extensions check - Resolves: #1254693 vault --service does not normalize service principal - vault: normalize service principal in service vault operations - Resolves: #1254785 ipa-client-install does not properly handle dual stacked hosts - client: Add support for multiple IP addresses during installation. - Add dependency to SSSD 1.13.1 - client: Add description of --ip-address and --all-ip-addresses to man page- Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to users in IdM - store certificates issued for user entries as - user-show: add --out option to save certificates to file - Resolves: #1145748 [RFE] IPA running with One Way Trust - Fix upgrade of sidgen and extdom plugins - Resolves: #1195339 ipa-client-install changes the label on various files which causes SELinux denials - Use 'mv -Z' in specfile to restore SELinux context - Resolves: #1198796 Text in UI should describe differing LDAP vs Krb behavior for combinations of "User authentication types" - webui: add LDAP vs Kerberos behavior description to user auth - Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities - ULC: Fix stageused-add --from-delete command - Resolves: #1200694 [RFE] Support for multiple cert profiles - certprofile-import: do not require profileId in profile data - Give more info on virtual command access denial - Allow SAN extension for cert-request self-service - Add profile for DNP3 / IEC 62351-8 certificates - Work around python-nss bug on unrecognised OIDs - Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality - Validate vault's file parameters - Fixed missing KRA agent cert on replica. - Resolves: #1225866 display browser config options that apply to the browser. - webui: add Kerberos configuration instructions for Chrome - Remove ico files from Makefile - Resolves: #1246342 Unapply idview raises internal error - idviews: Check for the Default Trust View only if applying the view - Resolves: #1248102 [webui] regression - incorrect/no failed auth messages - webui: fix regressions failed auth messages - Resolves: #1248396 Internal error in DomainValidator.__search_in_dc - dcerpc: Fix UnboundLocalError for ccache_name - Resolves: #1249455 ipa trust-add failed CIFS server configuration does not allow access to \\pipe\lsarpc - Fix selector of protocol for LSA RPC binding string - dcerpc: Simplify generation of LSA-RPC binding strings - Resolves: #1250192 Error in ipa trust-fecth-domains - Fix incorrect type comparison in trust-fetch-domains - Resolves: #1251553 Winsync setup fails with unexpected error - replication: Fix incorrect exception invocation - Resolves: #1251854 ipa aci plugin is not parsing aci's correctly. - ACI plugin: correctly parse bind rules enclosed in - Resolves: #1252414 Trust agent install does not detect available replicas to add to master - adtrust-install: Correctly determine 4.2 FreeIPA servers- Resolves: #1170770 [AD TRUST]IPA should detect inconsistent realm domains that conflicts with AD DC - trusts: Check for AD root domain among our trusted domains - Resolves: #1195339 ipa-client-install changes the label on various files which causes SELinux denials - sysrestore: copy files instead of moving them to avoind SELinux issues - Resolves: #1196656 [ipa-client][rhel71] enable debugging for spawned commands / ntpd -qgc $tmpfile hangs - enable debugging of ntpd during client installation - Resolves: #1205264 Migration UI Does Not Work When Anonymous Bind is Disabled - migration: Use api.env variables. - Resolves: #1212719 abort-clean-ruv subcommand should allow replica-certifyall: no - Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommand - Resolves: #1216935 ipa trust-add shows ipa: ERROR: an internal error has occurred - dcerpc: Expand explanation for WERR_ACCESS_DENIED - dcerpc: Fix UnboundLocalError for ccache_name - Resolves: #1222778 idoverride group-del can delete user and user-del can delete group - dcerpc: Add get_trusted_domain_object_type method - idviews: Restrict anchor to name and name to anchor conversions - idviews: Enforce objectclass check in idoverride*-del - Resolves: #1234919 Be able to request certificates without certmonger service running - cermonger: Use private unix socket when DBus SystemBus is not available. - ipa-client-install: Do not (re)start certmonger and DBus daemons. - Resolves: #1240939 Please add dependency on bind-pkcs11 - Create server-dns sub-package. - ipaplatform: Add constants submodule - DNS: check if DNS package is installed - Resolves: #1242914 Bump minimal selinux-policy and add booleans to allow calling out oddjobd-activated services - selinux: enable httpd_run_ipa to allow communicating with oddjobd services - Resolves: #1243261 non-admin users cannot search hbac rules - fix hbac rule search for non-admin users - fix selinuxusermap search for non-admin users - Resolves: #1243652 Client has missing dependency on memcache - do not import memcache on client - Resolves: #1243835 [webui] user change password dialog does not work - webui: fix user reset password dialog - Resolves: #1244802 spec: selinux denial during kdcproxy user creation - Fix selinux denial during kdcproxy user creation - Resolves: #1246132 trust-fetch-domains: Do not chown keytab to the sssd user - oddjob: avoid chown keytab to sssd if sssd user does not exist - Resolves: #1246136 Adding a privilege to a permission avoids validation - Validate adding privilege to a permission - Resolves: #1246141 DNS Administrators cannot search in zones - DNS: Consolidate DNS RR types in API and schema - Resolves: #1246143 User plugin - user-find doesn't work properly with manager option - fix broken search for users by their manager- Resolves: #1131907 [ipa-client-install] cannot write certificate file '/etc/ipa/ca.crt.new': must be string or buffer, not None - Resolves: #1195775 unsaved changes dialog internally inconsistent - Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities - Stageusedr-activate: show username instead of DN - Resolves: #1200694 [RFE] Support for multiple cert profiles - Prevent to rename certprofile profile id - Resolves: #1222047 IPA to AD Trust: IPA ERROR 4016: Remote Retrieve Error - Resolves: #1224769 copy-schema-to-ca.py does not overwrites schema files - copy-schema-to-ca: allow to overwrite schema files - Resolves: #1241941 kdc component installation of IPA failed - spec file: Update minimum required version of krb5 - Resolves: #1242036 Replica install fails to update DNS records - Fix DNS records installation for replicas - Resolves: #1242884 Upgrade to 4.2.0 fails when enabling kdc proxy - Start dirsrv for kdcproxy upgrade- Resolves: #846033 [RFE] Documentation for JSONRPC IPA API - Resolves: #989091 Ability to manage IdM/IPA directly from a standard LDAP client - Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to users in IdM - Resolves: #1115294 [RFE] Add support for DNSSEC - Resolves: #1145748 [RFE] IPA running with One Way Trust - Resolves: #1199520 [RFE] Introduce single upgrade tool - ipa-server-upgrade - Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities - Resolves: #1200694 [RFE] Support for multiple cert profiles - Resolves: #1200728 [RFE] Replicate PKI Profile information - Resolves: #1200735 [RFE] Allow issuing certificates for user accounts - Resolves: #1204054 SSSD database is not cleared between installs and uninstalls of ipa - Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to Trusts - Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality - Resolves: #1204504 [RFE] Add access control so hosts can create their own services - Resolves: #1206534 [RFE] Offer Kerberos over HTTP (kdcproxy) by default - Resolves: #1206613 [RFE] Configure IPA to be a trust agent by default - Resolves: #1209476 package ipa-client does not require package dbus-python - Resolves: #1211589 [RFE] Add option to skip the verify_client_version - Resolves: #1211608 [RFE] Generic support for unknown DNS RR types (RFC 3597) - Resolves: #1215735 ipa-replica-prepare automatically adds a DNS zone - Resolves: #1217010 OTP Manager field is not exposed in the UI - Resolves: #1222475 krb5kdc : segfault at 0 ip 00007fa9f64d82bb sp 00007fffd68b2340 error 6 in libc-2.17.so - Related: #1204809 Rebase ipa to 4.2 - Update to upstream 4.2.0 - Move /etc/ipa/kdcproxy to the server subpackage- Resolves: #1228671 pkispawn fails in ipa-ca-install and ipa-kra-install - Related: #1204809 Rebase ipa to 4.2 - Fix minimum version of slapi-nis - Require python-sss and python-sss-murmur (provided by sssd-1.13.0)- Resolves: #805188 [RFE] "ipa migrate-ds" ldapsearches with scope=1 - Resolves: #1019272 With 20000+ users, adding a user to a group intermittently throws Internal server error - Resolves: #1035494 Unable to add Kerberos principal via kadmin.local - Resolves: #1045153 ipa-managed-entries --list -p still requires DM password - Resolves: #1125950 ipa-server-install --uinstall doesn't remove port 7389 from ldap_port_t - Resolves: #1132540 [RFE] Expose service delegation rules in UI and CLI - Resolves: #1145584 ipaserver/install/cainstance.py creates pkiuser not matching uidgid - Resolves: #1176036 IDM client registration failure in a high load environment - Resolves: #1183116 Remove Requires: subscription-manager - Resolves: #1186054 permission-add does not prompt to enter --right option in interactive mode - Resolves: #1187524 Replication agreement with replica not disabled when ipa-restore done without IPA installed - Resolves: #1188195 Fax number not displayed for user-show when kinit'ed as normal user. - Resolves: #1189034 "an internal error has occurred" during ipa host-del --updatedns - Resolves: #1193554 ipa-client-automount: failing with error LDAP server returned UNWILLING_TO_PERFORM. This likely means that minssf is enabled. - Resolves: #1193759 IPA extdom plugin fails when encountering large groups - Resolves: #1194312 [ipa-python] ipalib.errors.LDAPError: failed to decode certificate: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. - Resolves: #1194633 Default trust view can be deleted in lower case - Resolves: #1196455 ipa-server-install step [8/27]: starting certificate server instance - confusing CA staus message on TLS error - Resolves: #1198263 Limit deadlocks between DS plugin DNA and slapi-nis - Resolves: #1199527 [RFE] Use datepicker component for datetime fields - Resolves: #1200867 [RFE] Make OTP validation window configurable - Resolves: #1200883 [RFE] Switch apache to use mod_auth_gssapi - Resolves: #1202998 CVE-2015-1827 ipa: memory corruption when using get_user_grouplist() [rhel-7.2] - Resolves: #1204637 slow group operations - Resolves: #1204642 migrate-ds: slow add o users to default group - Resolves: #1208461 IPA CA master server update stuck on checking getStatus via https - Resolves: #1211602 Hide ipa-server-install KDC master password option (-P) - Resolves: #1211708 ipa-client-install gets stuck during NTP sync - Resolves: #1215197 ipa-client-install ignores --ntp-server option during time sync - Resolves: #1215200 ipa-client-install configures IPA server as NTP source even if IPA server has not ntpd configured - Resolves: #1217009 OTP sync in UI does not work for TOTP tokens - Related: #1204809 Rebase ipa to 4.2 - Update to upstream 4.2.0.alpha1- [ipa-python] ipalib.errors.LDAPError: failed to decode certificate: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. (#1194312)- IPA extdom plugin fails when encountering large groups (#1193759) - CVE-2015-0283 ipa: slapi-nis: infinite loop in getgrnam_r() and getgrgid_r() (#1202998)- "an internal error has occurred" during ipa host-del --updatedns (#1198431) - Renamed patch 1013 to 0114, as it was merged upstream - Fax number not displayed for user-show when kinit'ed as normal user. (#1198430) - Replication agreement with replica not disabled when ipa-restore done without IPA installed (#1199060) - Limit deadlocks between DS plugin DNA and slapi-nis (#1199128)- Fix ipa-pwd-extop global configuration caching (#1187342) - group-detach does not add correct objectclasses (#1187540)- Wrong directories created on full restore (#1186398) - ipa-restore crashes if replica is unreachable (#1186396) - idoverrideuser-add option --sshpubkey does not work (#1185410)- PassSync does not sync passwords due to missing ACIs (#1181093) - ipa-replica-manage list does not list synced domain (#1181010) - Do not assume certmonger is running in httpinstance (#1181767) - ipa-replica-manage disconnect fails without password (#1183279) - Put LDIF files to their original location in ipa-restore (#1175277) - DUA profile not available anonymously (#1184149) - IPA replica missing data after master upgraded (#1176995)- Re-add accidentally removed patches for #1170695 and #1164896- IPA Replicate creation fails with error "Update failed! Status: [10 Total update abortedLDAP error: Referral]" (#1166265) - running ipa-server-install --setup-dns results in a crash (#1072502) - DNS zones are not migrated into forward zones if 4.0+ replica is added (#1175384) - gid is overridden by uid in default trust view (#1168904) - When migrating warn user if compat is enabled (#1177133) - Clean up debug log for trust-add (#1168376) - No error message thrown on restore(full kind) on replica from full backup taken on master (#1175287) - ipa-restore proceed even IPA not configured (#1175326) - Data replication not working as expected after data restore from full backup (#1175277) - IPA externally signed CA cert expiration warning missing from log (#1178128) - ipa-upgradeconfig fails in CA-less installs (#1181767) - IPA certs fail to autorenew simultaneouly (#1173207) - More validation required on ipa-restore's options (#1176034)- Expand the token auth/sync windows (#919228) - Access is not rejected for disabled domain (#1172598) - krb5kdc crash in ldap_pvt_search (#1170695) - RHEL7.1 IPA server httpd avc denials after upgrade (#1164896)- RHEL7.1 ipa-cacert-manage renewed certificate from MS ADCS not compatible (#1169591) - CLI doesn't show SSHFP records with SHA256 added via nsupdate (regression) (#1172578)- Throw zonemgr error message before installation proceeds (#1163849) - Winsync: Setup is broken due to incorrect import of certificate (#1169867) - Enable last token deletion when password auth type is configured (#919228) - ipa-otp-lasttoken loads all user's tokens on every mod/del (#1166641) - add --hosts and --hostgroup options to allow/retrieve keytab methods (#1007367) - Extend host-show to add the view attribute in set of default attributes (#1168916) - Prefer TCP connections to UDP in krb5 clients (#919228) - [WebUI] Not able to unprovisioning service in IPA 4.1 (#1168214) - webui: increase notification duration (#1171089) - RHEL7.1 ipa automatic CA cert renewal stuck in submitting state (#1166931) - RHEL7.1 ipa-cacert-manage cannot change external to self-signed ca cert (#1170003) - Improve validation of --instance and --backend options in ipa-restore (#951581) - RHEL7.1 ipa replica unable to replicate to rhel6 master (#1167964) - Disable TLS 1.2 in nss.conf until mod_nss supports it (#1156466)- Use NSS protocol range API to set available TLS protocols (#1156466)- schema update on RHEL-6.6 using latest copy-schema-to-ca.py from RHEL-7.1 build fails (#1167196) - Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756) - "ipa trust-add ... " cmd says : (Trust status: Established and verified) while in the logs we see "WERR_ACCESS_DENIED" during verification step. (#1144121) - POODLE: force using safe ciphers (non-SSLv3) in IPA client and server (#1156466) - Add support/hooks for a one-time password system like SecureID in IPA (#919228) - Tracebacks with latest build for --zonemgr cli option (#1167270) - ID Views: Support migration from the sync solution to the trust solution (#891984)- Improve otptoken help messages (#919228) - Ensure users exist when assigning tokens to them (#919228) - Enable QR code display by default in otptoken-add (#919228) - Show warning instead of error if CA did not start (#1158410) - CVE-2014-7850 freeipa: XSS flaw can be used to escalate privileges (#1165774) - Traceback when adding zone with long name (#1164859) - Backup & Restore mechanism (#951581) - ignoring user attributes in migrate-ds does not work if uppercase characters are returned by ldap (#1159816) - Allow ipa-getkeytab to optionally fetch existing keys (#1007367) - Failure when installing on dual stacked system with external ca (#1128380) - ipa-server should keep backup of CS.cfg (#1059135) - Tracebacks with latest build for --zonemgr cli option (#1167270) - webui: use domain name instead of domain SID in idrange adder dialog (#891984) - webui: normalize idview tab labels (#891984)- ipa-csreplica-manage connect fails (#1157735) - error message which is not understandable when IDNA2003 characters are present in --zonemgr (#1163849) - Fix warning message should not contain CLI commands (#1114013) - Renewing the CA signing certificate does not extend its validity period end (#1163498) - RHEL7.1 ipa-server-install --uninstall Could not set SELinux booleans for httpd (#1159330)- Fix: DNS installer adds invalid zonemgr email (#1056202) - ipaplatform: Use the dirsrv service, not target (#951581) - Fix: DNS policy upgrade raises asertion error (#1161128) - Fix upgrade referint plugin (#1161128) - Upgrade: fix trusts objectclass violationi (#1161128) - group-add doesn't accept gid parameter (#1149124)- Update slapi-nis dependency to pull 0.54-2 (#891984) - ipa-restore: Don't crash if AD trust is not installed (#951581) - Prohibit setting --rid-base for ranges of ipa-trust-ad-posix type (#1138791) - Trust setting not restored for CA cert with ipa-restore command (#1159011) - ipa-server-install fails when restarting named (#1162340)- Update Requires on pki-ca to 10.1.2-4 (#1129558) - build: increase java stack size for all arches - Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides (#891984) - Fix dns zonemgr validation regression (#1056202) - Handle profile changes in dogtag-ipa-ca-renew-agent (#886645) - Do not wait for new CA certificate to appear in LDAP in ipa-certupdate (#886645) - Add bind-dyndb-ldap working dir to IPA specfile - Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage (#886645) - Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756) - Deadlock in schema compat plugin (#1161131) - ipactl stop should stop dirsrv last (#1161129) - Upgrade 3.3.5 to 4.1 failed (#1161128) - CVE-2014-7828 freeipa: password not required when OTP in use (#1160877)- Do not check if port 8443 is available in step 2 of external CA install (#1129481)- Update Requires on selinux-policy to 3.13.1-4- Update to upstream 4.1.0 (#1109726)- Update to upstream 4.1.0 Alpha 1 (#1109726)- Add redhat-access-plugin-ipa dependency- Re-enable otptoken_yubikey plugin- Update to upstream 4.0.3 (#1109726)- Server installation fails using external signed certificates with "IndexError: list index out of range" (#1111320) - Add rhino to BuildRequires to fix Web UI build error- ipa-client-automount fails with incompatibility error when installed against older IPA server (#1083108)- Proxy PKI URI /ca/ee/ca/profileSubmit to enable replication with future PKI versions (#1080865)- When IdM server trusts multiple AD forests, IPA client returns invalid group membership info (#1079498)- Deletion of active subdomain range should not be allowed (#1075615)- PKI database is ugraded during replica installation (#1075118)- Unable to add trust successfully with --trust-secret (#1075704)- ipa-replica-install never checks for 7389 port (#1075165) - Non-terminated string may be passed to LDAP search (#1075091) - ipa-sam may fail to translate group SID into GID (#1073829) - Excessive LDAP calls by ipa-sam during Samba FS operations (#1075132)- Do not fetch a principal two times, remove potential memory leak (#1070924)- trustdomain-find with pkey-only fails (#1068611) - Invalid credential cache in trust-add (#1069182) - ipa-replica-install prints unexpected error (#1069722) - Too big font in input fields in details facet in Firefox (#1069720) - trust-add for POSIX AD does not fetch trustdomains (#1070925) - Misleading trust-add error message in some cases (#1070926) - Access is not rejected for disabled domain (#1070924)- Remove ipa-backup and ipa-restore functionality from RHEL (#1003933)- Display server name in ipa command's verbose mode (#1061703) - Remove sourcehostcategory from default HBAC rule (#1061187) - dnszone-add cannot add classless PTR zones (#1058688) - Move ipa-otpd socket directory to /var/run/krb5kdc (#1063850)- Lockout plugin crashed during ipa-server-install (#912725)- Fallback to global policy in ipa lockout plugin (#912725) - Migration does not add users to default group (#903232)- Mass rebuild 2014-01-24- Fix NetBIOS name generation in CLDAP plugin (#1030517)- Do not add krbPwdPolicyReference for new accounts, hardcode it (#1045218) - Increase default timeout for IPA services (#1033273) - Error while running trustdomain-find (#1054376) - group-show lists SID instead of name for external groups (#1054391) - Fix IPA server NetBIOS name in samba configuration (#1030517) - dnsrecord-mod produces missing API version warning (#1054869) - Hide trust-resolve command as internal (#1052860) - Add Trust domain Web UI (#1054870) - ipasam cannot delete multiple child trusted domains (#1056120)- Missing objectclasses when empty password passed to host-add (#1052979) - sudoOrder missing in sudoers (#1052983) - Missing examples in sudorule help (#1049464) - Client automount does not uninstall when fstore is empty (#910899) - Error not clear for invalid realm given to trust-fetch-domains (#1052981) - trust-fetch-domains does not add idrange for subdomains found (#1049926) - Add option to show if an AD subdomain is enabled/disabled (#1052973) - ipa-adtrust-install still failed with long NetBIOS names (#1030517) - Error not clear for invalid relam given to trustdomain-find (#1049455) - renewed client cert not recognized during IPA CA renewal (#1033273)- hbactest does not work for external users (#848531)- PKI service restart after CA renewal failed (#1040018)- Move ipa-tests package to separate srpm (#1032668)- Fix status trust-add command status message (#910453) - NetBIOS was not trimmed at 15 characters (#1030517) - Harden CA subsystem certificate renewal on CA clones (#1040018)- Mass rebuild 2013-12-27- Remove "Listen 443 http" hack from deployed nss.conf (#1029046) - Re-adding existing trust fails (#1033216) - IPA uninstall exits with a samba error (#1033075) - Added RELRO hardening on /usr/libexec/ipa-otpd (#1026260) - Fixed ownership of /usr/share/ipa/ui/js (#1026260) - ipa-tests: support external names for hosts (#1032668) - ipa-client-install fail due fail to obtain host TGT (#1029354)- Trust add tries to add same value of --base-id for sub domain, causing an error (#1033068) - Improved error reporting for adding trust case (#1029856)- Winsync agreement cannot be created (#1023085)- Installer did not detect different server and IPA domain (#1026845) - Allow kernel keyring CCACHE when supported (#1026861)- ipa-server-install crashes when AD subpackage is not installed (#1026434)- Update to upstream 3.3.3 (#991064)- Temporarily move ipa-backup and ipa-restore functionality back to make them available in public Beta (#1003933)- Server install failure during client enrollment shouldn't roll back (#1023086) - nsds5ReplicaStripAttrs are not set on agreements (#1023085) - ipa-server conflicts with mod_ssl (#1018172)- Reinstalling ipa server hangs when configuring certificate server (#1018804)- Deprecate --serial-autoincrement option (#1016645) - CA installation always failed on replica (#1005446) - Re-initializing a winsync connection exited with error (#994980)- Update to upstream 3.3.2 (#991064) - Add delegation info to MS-PAC (#915799) - Warn about incompatibility with AD when IPA realm and domain differs (#1009044) - Allow PKCS#12 files with empty password in install tools (#1002639) - Privilege "SELinux User Map Administrators" did not list permissions (#997085) - SSH key upload broken when client joins an older server (#1009024)- Remove dependency on python-paramiko (#1002884) - Broken redirection when deleting last entry of DNS resource record (#1006360)- Remove ipa-backup and ipa-restore functionality from RHEL (#1003933)- Replica installation fails for RHEL 6.4 master (#1004680) - Server uninstallation crashes if DS is not available (#998069)- Unable to remove replica by ipa-replica-manage (#1001662) - Before uninstalling a server, warn about active replicas (#998069)- Update to upstream 3.3.1 (#991064) - Update minimum version of bind-dyndb-ldap to 3.5- Fix replica installation failing on certificate subject (#983075)- Allow ipa-tests to work with older version (1.7.7) of python-paramiko- Prevent multilib failures in *.pyo and *.pyc files- ipa-server-install fails if --subject parameter is other than default realm (#983075) - do not allow configuring bind-dyndb-ldap without persistent search (#967876)- diffstat was missing as a build dependency causing multilib problems- Remove ipa-server-selinux obsoletes as upgrades from version prior to 3.3.0 are not allowed - Wrap server-trust-ad subpackage description better - Add (noreplace) flag for %{_sysconfdir}/tmpfiles.d/ipa.conf - Change permissions on default_encoding_utf8.so to fix ipa-python Provides- Update to upstream 3.3.0 (#991064)- Require slapi-nis 0.47.7 delivering a core feature of 3.3.0 release- Update to upstream 3.3.0 Beta 2 (#991064)- Update to upstream 3.2.2 - Drop ipa-server-selinux subpackage - Drop redundant directory /var/cache/ipa/sessions - Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost - Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency issues when there are still old parts of software (like entitlements plugin)- Update to upstream 3.2.1 - Drop dogtag-pki-server-theme requires, it won't be build for RHEL-7.0- Add OTP patches - Add patch to set KRB5CCNAME for 389-ds-base- Update to upstream 3.2.0 GA - ipa-client-install fails if /etc/ipa does not exist (#961483) - Certificate status is not visible in Service and Host page (#956718) - ipa-client-install removes needed options from ldap.conf (#953991) - Handle socket.gethostbyaddr() exceptions when verifying hostnames (#953957) - Add triggerin scriptlet to support OpenSSH 6.2 (#953617) - Require nss 3.14.3-12.0 to address certutil certificate import errors (#953485) - Require pki-ca 10.0.2-3 to pull in fix for sslget and mixed IPv4/6 environments. (#953464) - ipa-client-install removes 'sss' from /etc/nsswitch.conf (#953453) - ipa-server-install --uninstall doesn't stop dirsrv instances (#953432) - Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON behavior for socket based connections (#960222) - Require libsss_nss_idmap-python - Add Conflicts on nss-pam-ldapd < 0.8.4. The mapping from uniqueMember to member is now done automatically and having it in the config file raises an error. - Add backup and restore tools, directory. - require at least systemd 38 which provides the journal (we no longer need to require syslog.target) - Update Requires on policycoreutils to 2.1.14-37 - Update Requires on selinux-policy to 3.12.1-42 - Update Requires on 389-ds-base to 1.3.1.0 - Remove a Requires for java-atk-wrapper- Remove release from krb5-server in strict sub-package to allow for rebuilds.- Add a Requires for java-atk-wrapper until we can determine which package should be pulling it in, dogtag or tomcat.- Update to upstream 3.2.0 Beta 1- Update to upstream 3.2.0 Prerelease 1 - Use upstream reference spec file as a base for Fedora spec file- Rebuild for broken deps - Fix 389-ds-base strict dep to be 1.3.0.5 and krb5-server 1.11.1- Rebuild for broken deps in rawhide - Fix 389-ds-base strict dep to be 1.3.0.3- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild- Update to upstream 3.1.2 - CVE-2012-4546: Incorrect CRLs publishing - CVE-2012-5484: MITM Attack during Join process - CVE-2013-0199: Cross-Realm Trust key leak - Updated strict dependencies to 389-ds-base = 1.3.0.2 and pki-ca = 10.0.1- Remove redundat Requires versions that are already in Fedora 17 - Replace python-crypto Requires with m2crypto - Add missing Requires(post) for client and server-trust-ad subpackages - Restart httpd service when server-trust-ad subpackage is installed - Bump selinux-policy Requires to pick up PKI/LDAP port labeling fixes- Updated to upstream 3.1.0 GA - Set minimum for sssd to 1.9.2 - Set minimum for pki-ca to 10.0.0-1 - Set minimum for 389-ds-base to 1.3.0 - Set minimum for selinux-policy to 3.11.1-60 - Remove unneeded dogtag package requires- Update Requires on krb5-server to 1.11- Configure CA replication to use TLS instead of SSL- Updated to upstream 3.0.0 GA - Set minimum for samba to 4.0.0-153. - Make sure server-trust-ad subpackage alternates winbind_krb5_locator.so plugin to /dev/null since they cannot be used when trusts are configured - Restrict krb5-server to 1.10. - Update BR for 389-ds-base to 1.3.0 - Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca - Add Requires on zip for generating FF browser extension- Updated to upstream 3.0.0 rc 2 - Include new FF configuration extension - Set minimum Requires of selinux-policy to 3.11.1-33 - Set minimum Requires dogtag to 10.0.0-0.43.b1 - Add new optional strict sub-package to allow users to limit other package upgrades.- Require samba packages instead of obsoleted samba4 packages- Updated to upstream 3.0.0 rc 1 - Update BR for 389-ds-base to 1.2.11.14 - Update BR for krb5 to 1.10 - Update BR for samba4-devel to 4.0.0-139 (rc1) - Add BR for python-polib - Update BR and Requires on sssd to 1.9.0 - Update Requires on policycoreutils to 2.1.12-5 - Update Requires on 389-ds-base to 1.2.11.14 - Update Requires on selinux-policy to 3.11.1-21 - Update Requires on dogtag to 10.0.0-0.33.a1 - Update Requires on certmonger to 0.60 - Update Requires on tomcat to 7.0.29 - Update minimum version of bind to 9.9.1-10.P3 - Update minimum version of bind-dyndb-ldap to 1.1.0-0.16.rc1 - Remove Requires on authconfig from python sub-package- Rebuild against samba4 beta8- Rebuild against samba4 beta7- Adopt to samba4 beta6 (libsecurity -> libsamba-security) - Add dependency to samba4-winbind- Updated to upstream 3.0.0 beta 2- Updated to current upstream state of 3.0.0 beta 2 development- Rebuild against samba4 beta4- Updated to upstream 3.0.0 beta 1- Updated to upstream 2.2.0 GA - Update minimum n-v-r of certmonger to 0.53 - Update minimum n-v-r of slapi-nis to 0.40 - Add Requires in client to oddjob-mkhomedir and python-krbV - Update minimum selinux-policy to 3.10.0-110- Update to upstream 2.2.0 beta 1 (2.1.90.rc1) - Set minimum n-v-r for pki-ca and pki-silent to 9.0.18. - Add Conflicts on mod_ssl - Update minimum n-v-r of 389-ds-base to 1.2.10.4 - Update minimum n-v-r of sssd to 1.8.0 - Update minimum n-v-r of slapi-nis to 0.38 - Update minimum n-v-r of pki-* to 9.0.18 - Update conflicts on bind-dyndb-ldap to < 1.1.0-0.9.b1 - Update conflicts on bind to < 9.9.0-1 - Drop requires on krb5-server-ldap - Add patch to remove escaping arguments to pkisilent- Update to upstream 2.2.0 alpha 1 (2.1.90.pre1)- Force to use 389-ds 1.2.10-0.8.a7 or above - Improve upgrade script to handle systemd 389-ds change - Fix freeipa to work with python-ldap 2.4.6- Fix ipa-replica-install crashes - Fix ipa-server-install and ipa-dns-install logging - Set minimum version of pki-ca to 9.0.17 to fix sslget problem caused by FEDORA-2011-17400 update (#771357)- Allow Web-based migration to work with tightened SE Linux policy (#769440) - Rebuild slapi plugins against re-enterant version of libldap- Allow longer dirsrv startup with systemd: - IPAdmin class will wait until dirsrv instance is available up to 10 seconds - Helps with restarts during upgrade for ipa-ldap-updater - Fix pylint warnings from F16 and Rawhide- Update to upstream 2.1.4 (CVE-2011-3636)- Update SELinux policy to allow ipa_kpasswd to connect ldap and read /dev/urandom. (#759679)- Fix wrong path in packaging freeipa-systemd-upgrade- Introduce upgrade script to recover existing configuration after systemd migration as user has no means to recover FreeIPA from systemd migration - Upgrade script: - recovers symlinks in Dogtag instance install - recovers systemd configuration for FreeIPA's directory server instances - recovers freeipa.service - migrates directory server and KDC configs to use proper keytabs for systemd services- Rebuilt for glibc bug#747377- clean up spec - Depend on sssd >= 1.6.2 for better user experience- Fix Fedora package changelog after merging systemd changes- Fix postin scriplet for F-15/F-16- 2.1.3- Default to systemd for Fedora 16 and onwards- Update to upstream 2.1.0- Fix bug #702633- Update minimum selinux-policy to 3.9.16-18 - Update minimum pki-ca and pki-selinux to 9.0.7 - Update minimum 389-ds-base to 1.2.8.0-1 - Update to upstream 2.0.1- Update to upstream GA release - Automatically apply updates when the package is upgraded- Update to upstream freeipa-2.0.0.rc2 - Set minimum version of python-nss to 0.11 to make sure IPv6 support is in - Set minimum version of sssd to 1.5.1 - Patch to include SuiteSpotGroup when setting up 389-ds instances - Move a lot of BuildRequires so this will build with ONLY_CLIENT enabled- Set the N-V-R so rc1 is an update to beta2.- Set minimum version of sssd to 1.5.1 - Update to upstream freeipa-2.0.0.rc1 - Move server-only binaries from admintools subpackage to server- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Set min version of 389-ds-base to 1.2.8 - Set min version of mod_nss 1.0.8-10 - Set min version of selinux-policy to 3.9.7-27 - Add dogtag themes to Requires - Update to upstream freeipa-2.0.0.pre2- Remove unnecessary moving of v1 CA serial number file in post script - Add Obsoletes for server-selinxu subpackage - Using git snapshot 442d6ad30ce1156914e6245aa7502499e50ec0da- Prepare spec file for release - Using git snapshot 80e87e75bd6ab56e3e20c49ece55bd4d52f1a503- Re-arrange doc and defattr to clean up rpmlint warnings - Remove conditionals on older releases - Move some man pages into admintools subpackage - Remove some explicit Requires in client that aren't needed - Consistent use of buildroot vs RPM_BUILD_ROOT- Moved directory install/static to install/ui- Remove dependency on nss_ldap/nss-pam-ldapd - The official client is sssd and that's what we use by default.- Remove radius subpackages- Set minimum pki-ca and pki-silent versions to 9.0.0- Drop BuildRequires on mozldap-devel- Add Requires on krb5-pkinit-openssl- Add ipa-host-net-manage script- Add ipa init script- Set minimum level of 389-ds-base to 1.2.7 for enhanced memberof plugin- remove ipa-fix-CVE-2008-3274- Remove duplicate %files entries on share/ipa/static - Add python default encoding shared library- Drop requires on python-configobj (not used any more) - Drop ipa-ldap-updater message, upgrades are done differently now- Drop conflicts on mod_nss - Require nss-pam-ldapd on F-14 or higher instead of nss_ldap (#606847) - Drop a slew of conditionals on older Fedora releases (< 12) - Add a few conditionals against RHEL 6 - Add Requires of nss-tools on ipa-client- Set minimum version of certmonger to 0.26 (to pck up #621670) - Set minimum version of pki-silent to 1.3.4 (adds -key_algorithm) - Set minimum version of pki-ca to 1.3.6 - Set minimum version of sssd to 1.2.1- Add BuildRequires for authconfig- Bump up minimum version of python-nss to pick up nss_is_initialize() API- Removed python-asset based webui- Change Requires from fedora-ds-base to 389-ds-base - Set minimum level of 389-ds-base to 1.2.6 for the replication version plugin.- Drop Requires of python-krbV on ipa-client- Load ipa_dogtag.pp in post install- Set minimum level of sssd to 1.1.1 to pull in required hbac fixes.- No need to create /var/log/ipa_error.log since we aren't using TurboGears any more.- Fixed share/ipa/wsgi.py so .pyc, .pyo files are included- Added Require mod_wsgi, added share/ipa/wsgi.py- Require python-wehjit >= 0.2.2- Add sssd and certmonger as a Requires on ipa-client- Require python-wehjit >= 0.2.0- Add ipa-rmkeytab tool- Set minimum of python-pyasn1 to 0.0.9a so we have support for the ASN.1 Any type- Remove v1-style /etc/ipa/ipa.conf, replacing with /etc/ipa/default.conf- Add bash completion script and own /etc/bash_completion.d in case it doesn't already exist- Remove ipa_webgui, its functions rolled into ipa_httpd- Removed python-cherrypy from BuildRequires and Requires - Added Requires python-assets, python-wehjit- Added httpd SELinux policy so CRLs can be read- Move ipalib to ipa-python subpackage - Bump minimum version of slapi-nis to 0.15- Set 0.14 as minimum version for slapi-nis- Add Requires: python-nss to ipa-python sub-package- Remove the IPA DNA plugin, use the DS one- Build radius separately - Fix a few minor issues- Replace TurboGears requirement with python-cherrypy- rebuild with new openssl- Fix SELinux code- Fix breakage caused by python-kerberos update to 1.1- New upstream release 1.2.1- Rebuild for Python 2.6- Respin after the tarball has been re-released upstream New hash is 506c9c92dcaf9f227cba5030e999f177- Conditionally restart also dirsrv and httpd when upgrading- Update to upstream version 1.2.0 - Set fedora-ds-base minimum version to 1.1.3 for winsync header - Set the minimum version for SELinux policy - Remove references to Fedora 7- Fix for CVE-2008-3274 - Fix segfault in ipa-kpasswd in case getifaddrs returns a NULL interface - Add fix for bug #453185 - Rebuild against openldap libraries, mozldap ones do not work properly - TurboGears is currently broken in rawhide. Added patch to not build the UI locales and removed them from the ipa-server files section.- Add call to /usr/sbin/upgradeconfig to post install- Update to upstream version 1.1.0 - Patch for indexing memberof attribute - Patch for indexing uidnumber and gidnumber - Patch to change DNA default values for replicas - Patch to fix uninitialized variable in ipa-getkeytab- Set fedora-ds-base minimum version to 1.1.0.1-4 and mod_nss minimum version to 1.0.7-4 so we pick up the NSS fixes. - Add selinux-policy-base(post) to Requires (446496)- Add missing entry for /var/cache/ipa/kpasswd (444624) - Added patch to fix permissions problems with the Apache NSS database. - Added patch to fix problem with DNS querying where the query could be returned as the answer. - Fix spec error where patch1 was in the wrong section- Added patch to fix problem reported by ldapmodify- Fix Requires for krb5-server that was missing for Fedora versions > 9 - Remove quotes around test for fedora version to package egg-info- Update to upstream version 1.0.0- Pull upstream changelog 722 - Add Conflicts mod_ssl (435360)- Pull upstream changelog 698 - Fix ownership of /var/log/ipa_error.log during install (435119) - Add pwpolicy command and man page- Pull upstream changelog 678 - Add new subpackage, ipa-server-selinux - Add Requires: authconfig to ipa-python (bz #433747) - Package i18n files- Pull upstream changelog 641 - Require minimum version of krb5-server on F-7 and F-8 - Package some new files- Marked with wrong license. IPA is GPLv2.- Ensure that /etc/ipa exists before moving user-modifiable html files there - Put html files into /etc/ipa/html instead of /etc/ipa- Pull upstream changelog 608 which renamed several files- package the sessions dir /var/cache/ipa/sessions - Pull upstream changelog 597- Updated upstream pull (596) to fix bug in ipa_webgui that was causing the UI to not start.- Included LICENSE and README in all packages for documentation - Move user-modifiable content to /etc/ipa and linked back to /usr/share/ipa/html - Changed some references to /usr to the {_usr} macro and /etc to {_sysconfdir} - Added popt-devel to BuildRequires for Fedora 8 and higher and popt for Fedora 7 - Package the egg-info for Fedora 9 and higher for ipa-python- Added auto* BuildRequires- Unified spec file- Fixed License in specfile - Include files from /usr/lib/python*/site-packages/ipaserver- Version bump for release- Preverse mode on ipa-keytab-util - Version bump for relase and rpm name change- Broke invididual Requires and BuildRequires onto separate lines and reordered them - Added python-tgexpandingformwidget as a dependency - Require at least fedora-ds-base 1.1- Version bump for release- Add dep for freeipa-admintools and acl- Add dependency for python-krbV- Require mod_nss-1.0.7-2 for mod_proxy fixes- Convert to autotools-based build* Fri Sep 7 2007 Karl MacMillan - 0.3.0-1 - Added support for libipa-dna-plugin- Added support for ipa_kpasswd and ipa_pwd_extop- Abstracted client class to work directly or over RPC- Add mod_auth_kerb and cyrus-sasl-gssapi to Requires - Remove references to admin server in ipa-server-setupssl - Generate a client certificate for the XML-RPC server to connect to LDAP with - Create a keytab for Apache - Create an ldif with a test user - Provide a certmap.conf for doing SSL client authentication- Initial rpm version/bin/sh/bin/sh/bin/shfreeipa-server-trust-ad 4.6.84.6.8-5.el7.centos4.6.8-5.el7.centos4.6.8 oddjob-ipa-trust.confoddjobd-ipa-trust.confwinbind_krb5_locator.soipasam.socom.redhat.idm.trust-fetch-domainsipa-adtrust-installipa-server-trust-ad-4.6.8Contributors.txtREADME.mdsmb.conf.emptyipa-server-trust-ad-4.6.8COPYINGipa-adtrust-install.1.gz/etc/dbus-1/system.d//etc/oddjobd.conf.d//usr/lib64/krb5/plugins/libkrb5//usr/lib64/samba/pdb//usr/libexec/ipa/oddjob//usr/sbin//usr/share/doc//usr/share/doc/ipa-server-trust-ad-4.6.8//usr/share/ipa//usr/share/licenses//usr/share/licenses/ipa-server-trust-ad-4.6.8//usr/share/man/man1/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericcpioxz2x86_64-redhat-linux-gnuexported SGML document, ASCII textXML 1.0 document, ASCII textemptyELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=a5fc4699e0c18bf1827c155de127aa27762b2112, strippedPython script, ASCII text executabledirectoryUTF-8 Unicode textASCII texttroff or preprocessor input, ASCII text (gzip compressed data, from Unix, max compression)./.RR+R)RR.R/R-RR4RRRR R RR R6R%R RR'RR(R7R5R,R&R*R3RRRRRRR1R0RR!R#R"RR$RR R>RRpython2 -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1 if [ $? -eq 0 ]; then # NOTE: systemd specific section /bin/systemctl try-restart httpd.service >/dev/null 2>&1 || : # END fi/bin/sh?7zXZ !#,5.] b2u Q{Kqajo,ɣԁw7$&ԯt7IH37;i0 k?!eW ^u#.VReb)Q)V)D%fN+4je:Qwf"GL(2cXk3~&CB"h>q9] ،=)J졭n!Y7ՙ$yCAAa/#/&Ϙorg*2lJ栏{kM$C"7BPq#_z%s zMV;3|@ݔFFJ\ <#+@ܸDlib5ӷ8@ox||Mec夕⵷+.RBl0d>mJNQWI.xFNN#m>ˢ8 *8m5qɷ<[M:gj5 Pφ玑xvzi[I1 1jVXF+d$ҵn%|YiAQvAE0&ѧ8nɟ_w&/pʋ!qDGvr٦QNW8{(<,AF*G'gDd{$1|7>{@,םcv+#ISlq]6̢ 聑MnTOT;!`'t. 29]y-Ҩ).<Mܶr7a.]\PxP|J*1ŭ99m[Xۘ2 9V%^*ᓊeE{ųoH͛hgRd. x5J%̝('],9۟rKkUBTBdub&$BqckӄnxJx2Eܶ$#fnh'j$~:.;x) _ZF'W 9N9)fXȇoaɱ_'N9!IK3m%a/kpWG_T!s-a:$d{T0c8xŸa&ggG,CR椝묞4 Lg%'m0<:.R"nugd fY!6ی'oIsC]Qt7kuPj3&bmvkO|rN X~eܢ PK2+⬢W;>"[ ]Z''"á+;&,73^RF<%5Q_G4:9r:trЅb(,(Vj :KZȀagA"Y#-\\I4Uug鍥߸dR{-ǘ0/ |:,N(IւP5H G6(eP <h0>Qa eADӔ8ϮK2PTk4ݖ(^A8vDC`غ{_t7S0$Yn?mܒ2o@d}*:^ׁiq>\~@/>BD+Q0 NgqUk;a_~ZZ!r>:inS(TrO `qNJ0۳&|#ͼjŻeF 3Np՞UG9^2XY^- gӹ=>{@c컦Z,ox!5L>Їȕ%^<`1 K{{t(ڐCtNvEn ) Ҿ&4a1'0"\x=.5'^nz˫S#AE%QAv~Ry +Qv [ڢ) Q:' 2݂ :c<<-"4fq?&~q]b_KL !<&/\Wzl jyCi4!cCgT)*޹{I}45WdYZy$绌\B(~?(ǰ~uݐ_'Ło`HE87Xq{L& )衼f\ªUGƆр[iMʔ\ځYsPk$g/2y@TY6O%fɒ. i]tR)2p[~;ߛvS#>+ ZCKt4Ba%3f9 16=uHZ|a.]hچR%Ti(ՂH WKږbeXeȉQ&9lQijt!X=,,4'jҖs@D/OW~'{9CEK1^&O%A@va5Ogkbʹz?^ŸjF^9l0ѮbƉ>RV**msW"5|9R]"W]@kjdfʯk5ޤ mlu6P]dK+bʆ#( iZ@cE|d|H~Otep%1(@CR]yFj]/|-^s~ e)(ʽF2SSxKwj=U5S=C,<1х=-(bD@_{.-3ɳXmDꕂ8S6uSZTu< Vٍnri`n#d_ro`O#n[=3{^>S4;Ւw3|RgVs(<f1*NUF'is~vBM)]yž b s"2>*X}xŖA0!IIPh:g1 uoAH!5T%k|itòXVq;|u ^_drXdD j/*8$i y0'C>:!̕9 vb8JE4l U ֨m]/Њ1!=elq>Ħ5Ś;&KӇ1vt:Њ W'f%ͭ7hR/{fՕUtrBc ±#rT9%.Y8ä<鬾aL7p7s(A(;7\RԤƕ&Nd6rb~Q\_+l\_z ֧%t=KiGZ*/P:=M0Mkq;^zI!82a=vNb:~vp? Ѻqyt >zMk5I/T~f+YŚvcSYx3cSs2j[Y<ڄ(&ƌS3cSF!6پdZB2 'O5')~-Ū/)[D8eb C7 U K0AV/9B&zZ!20C2<.]!)&[x a D {x֩ 4?^a2]\n] C5, nK="pĕ %߅eoX ߫vj/ڕ \a\;le \'0d9G(!FDvx_DYZ 8'D>?by H~G̗q)8b#\S 5G؅tGL{꾩yj 0S {ߏ~R?|\Z32 yPl<9lXpgP` 1c^umM& 6y/&\ul*4|r| Wx)(-Y>jPjA7V ;DHFե֧ 9Fݞ$"MHQqr䵒@(cBYI_㷅 \ӧ dojF3Ȓ|E`ҚZnX.NO&a"*cHbNBKQ7*SRxaܪQm8v_8RԼ^E_s*ÝIMT: K j7i>d[O+Qb4H|y&_v7q{1$פCKOPzHz҅Ǵ9@ĥA ,C @Y_4>!\QOi0>d[KtCS<8TY ,~|1驨@'5`NXɦB=Hz hGfS+uӛ%l|)z ӏ /CM@^[kGԔs2ZT?0P߇,?:۽L(KU")rcI #;jwҊn*z9c٘Kxz~/@&]nF`!j㴛܆pb'"ލ8I< iSEtL[S_3O67x7'j#p}NWt,m׼.pK3,$GYYUwXRRww#Z73^۬t~u|'^F MUWt.D(琠Y)D3oa'4\jK=?KfDd7J(s,2Im/MH FdS֡g%R)d +'" G}4=Rh^@5Qި9i-WYiNoS" ̜P[lݐ#VWaxp $AHMVld ؞*:XQ*8čYPż>^k)tG5s>? E#, v9nU;_sHGە%G&4gq.Feo.}ǀyn koe3Q:Rw]5k]-2}NDq'4t <& _j~g|0 2iPdt4k.Gߔ֣r z~CJ#:.gqnQ^[㾹t%Z'xԩc0V\_Jj-ϼRޮ#0ȂA+6TiI̦hw}. ÏpUqqmYYu&JLuX)w2B1 }jR Dbm횼԰zf"j +ci-i:Pn$7MK>&,#WdG$Gs"hTfu8kU"."Go a3`3w-bT^kU[:ȾX %{CMZi׭f?jRgٌ@_ & yӑ 4˪W%YEH"ؗKKhj}^9i7/ތyoZM Zz|0Ci}h1lƒeEH`; kU-v_.\¡eR:i14M,n=][{W}L $ռkփE!Y%g3G`i ڻ fʗ1ۨXjH,(e?O#pŴ:-bNȋU:8&lQVD3G_vMLrۊƷfM q֧)ZF_A )qRG KBR94K`!:ifA1>+_[Pi-KnC.\@ 0]?g⤢ܒ KZuؼ^Uыrqδ*Ý~j@j9jIEʂ`(L+s.YgWb2|F%O9fN "cm♨&iDic!—;!+GMv:a$Il9(# \HU} BX9У 2{2ck'8:*&zM8hQB>Rhm4kw=yrCo;9rs>&scX@\ZlK, s1; +ÿ3fxH7agܳ.FHmWImZSB#8m5[ Vmj?f9Ob_H*+c2<N=څwٔfIok{_n&.eն'7ri1ҶQϦZSOKdQd}&MBwq埥Sz ()nԻE=IG'kMVFS5|P:vڥ֒<A+2G;XKM+PeŚHUt^)>HNk^H)5;Dn/4q#*WpzZvD-zfy=Brw!F@:[)34'oOߥtN}& "粟𞇽Fld8Cnj͊Z 'y㫯^Hlg G_ު»d)͔[ ngS#iU ֿ=RHeQQY B$u8|TlMZ`th^pJ_- p&xzD ܾJٽ,.!4UOL{%$_Twl# \`(^sa[Zi|IoS!},Pm l҃^$څq Þ2s3G811t{mpbII|#A9/% p${cp0]BR+6-7~6/,m%7 :PXqPpAHI֋wD?Ai.MΠ*>@z&)őۖYI@Ss.YkH|_ jFMߧɤccktZ?|E)@Y j#g{mu2/"EI)a]I瑻NYK\sLhR\#I|*B˃3LT.)$#3ș@%"E.z}HpȀv'dOp:7*tP諚F4 %*q]3QE5̭{FO<rN^?CmfMuǜ_ЅQ? ȯf<T}E/Qj5R:t.NroP˞z$"0dxrP;~yQQɛ!2A˜y~`$z%$swao]"Y*z(h~k`,-@ٲ[ZuⰛ)&ߪsHf\bz_]Lr) XgzU5(drD -0 ]^~Bi҈^2 ?ҢKLJv#~ZfB73а$gFElH849?Я7͐'AUThp\86,\x Y*oRkSY>n%ΞɇZr8üRV>wn (4p,zdnUed<q31 b{va<'~a8}^i ^26[KcJ'*s6D[pP7Ee J7؀OH%Um`dޏ[!F)c;+1%;b)5[Li[P^6o%9 '͂1yWR%:{}ៈ4B*P k,x/z(Uhi4_r/hMTtJF|:4bx̦Tw0/U>5~JQ\y0w˥w3NtR|YVM"z\QID. ;J-=;b+C>lh_Iǀ2D iiAFI)#TL9R԰A] Wf3^+զ;4!N=goA^iB.W\4yW3qĿɪ}DL /l}$LsvZmVpV[Aд7Ew v0M԰us=s%\.;QS8T/u#E{H)s- +xs"xVct$@fA%e̬WV{LISq+I% J| )1AQ/VҶ&Q[1yp%Jg!(!}(uU3[3zI\JDugp R^n4d"l U̵VݷVZW< :>_AglEggU+Xjhf{튴fl͜D:&Z;h|@ |nvw%ϑ ,0MpS 7{Lb߫2h xAhz%.%0GhWДAWܒߛxXXc8NLB-P]#^)!Σؚשcd5o:4%z]'؀Ui(v9Iʭ1 xK=,dEHwѹh JٿbzaBj#aXWHaM;4V$-9F}rFuS gDD32HH\;.& ̢TPl"'ak^' %jx#룞{ \$M5^ > i jwOASj|s8a@mE&dcl6k\Dmh[<Ųf6ó;Ҁm?c2GlnՁkzƑ\^\{9g/l$ٿ*83|ӹN4VL|Ds˶&F, ߧfĂe[%Rh!u͑N^r^( pIw >$vT̯o6|9G../!vjf/,mA) M`ɆxK|0#gib/sCԆGݽzQ7XfbA ,]15cٚg<W:6LR]?b^s# Sǧf@x_d㊂_ YuJD=gg|DIeWY#0ԇ)|1]C#S z()G+5r2^9;p_ֵ_nݱG -$PE~v1[7龪rwQӌ\8Hp&L9Tܳ\R6]}P<:"| }Prj&,ـpaӐ~U.P\]Yʥ۴GԐ'};ݸ@K1--5}=5w&ԢGF{cm]>/qos O/r|,9:8ueįê=9D@9ͰDuyfo4ک5hF'[V@GF.Fk˺4ʕơeyڝ>N)t16*"Հ>Kڶif^4O!ӑTXɲ|{`yV u^ݸdFᮖ;c >$a5o iz|_ݐY䍫̗] `5]ϑ _Tq=kaw:aSI(f8qmc68]"&޼ɠcI-W}Ƙj[4}P9 °}I1Jk&?B^UggUaҾjeaW0հ-z@Ub]YPo7F_qq&ճK ߡnUUEtrv.揓 $ Lsׇ mݔڍk)zQT=v_;_ρxsh/(ku jkj!Sf^$^(tp]y*]yV댴R-qͬUwYYA{fG?[(D+M Inb'7>0 h6ڒŽ@t|77-Qzx2Y ;,P<@DOziXŧ8n™?Z6 @|ZH&&6F$}E0EJڜS\7z_h\Ig=H6^ܱ,3(QA]S9'rA@k-ѵH!5Q,wa;sd>;÷q\Px$Hƥ|_Ŭ)V i>E4)ʴς+ڏeF׬Vg`Wx#KCJlam%:r;f~ӃYZ y.e?\ Ox_[$iYY>x0de nݪatPEksCSZ  c*le䮙_P=^9l:fF0X@~1 !Ltg8lc9$.#U55bC}dK,`4pz[ Ғ\=kجJʃ>ͬW=5 8#Ҙpmo' %t#u`Nc^oüSU~s">v1Q; UI:H$&_WlR9ʞuLefvs&|äإY$8"'j)< [՞g] z󼂲OxP:$T1!Ќˋi4##[B'f!ͣx vB:X J alڲۜTEBEV1fEk-7g b[aҳ`$<]$ֆ$4.+,AɒiMcZt rv(ޛM#!J!Ԕ?o5Ҭ* g1{ ¯aF^E>ЋߪN@q~ qFuru,P#^ WV9*NLD̽PHG2!G5i&:V46oVk NÙ NA3:ܰCD[ɬr **ZV 5֨a艓p$8Lt;d!0Ȝ!ks:$Xahډ) b+ڻl<_ݥɾ͈Ak0>'yg?K= M2 ,dX;` P2J>H?`JtP| ZPNgZj9ǁ@5:* v΂<DŽHA;`Ci5WcYU*Q>s 8B2pExe,~G>Ja `7PK,Fx>d݂UZM3UJV̷6{r0\'-[Ns+a-鈘x'F`[ =`U}:ǯ[Z"EZ.pg2"!OD 5f4=@z_?@(-5G-P.W8{ճJiZ]鼜WzMߟtT$'OΓZo>m#k RS˲ۃOZn,^%M7Aﴟxn9麞?AID3; e~轭l]g!10IG\ lH.c]UDLĖb bVLsmjm 2[}eJLa{0%0jC_<:qE;z92Wgsxʣ8/4@΢wtxVދKc@4"*9e28E aV+BxDhb1Ɗ*6ʱ@bz'bAwÊl X4 y p޻E!^bׂ[]@ՙ`U/Cϋ+@uj)Q&AWn Ux{cZ<$h^R`ui6O.X98S״β] Oc}2ۥ4*3j ZxJZXז~'BΘ]:7áh;lxF-!LŷYz5TYv@ҙ&K~KȪ"Hm$|܍nQ4QRdVZ0ͻ6heyRž8Ojf_~+qW'W<'D6|^f6x3ֳsz.9%@a{蠱?hhC~d}pތoO\u6 A~ax&ly6YZ6ѡ?| ӱ0Pϳ ;bb2IviZF 18n}IӤa4z'ژ˝~Ξܩ=gjΔCw=ﴐل >C0r]} @^ǐ]h/ &G#g+<4R E)}Kާ<\c/!C{o9MhkQs_PboaxdKjvLեq9AtlaH8D8_P_Grb7(Uga}}hʶphWJuUK%#("”HԿ-%+hCu1GEVr:oNP aQA0S)@h9Vl3CNdo|URkߎ=%Eۺj},5F(D=G=O pb?̜J{b֚Uq̕YGwcѽ+0e< K[^U* %>"E8rJP~/Yg1"U<bǻB܌g,G$ƣ5X9ݴpE!h K -࿩cO _@;c$J!,s:wv/=>렛o4yl%(̌&she'jb3, 1qnȏ 9zӎ Z_'hϪyONlE9KO76F3z-o QB|T$|bEflK?:%k-MySX*a=|ߋtI#J \a%i4ֿ:(^p4%6 ~!9%rlYY/aB[ &q MaPEćyE•8gMI蟁"r6}%;w $9}5Hl/t6]~+tv_Ԉ*wp3+*&|ǠLXɇR3툎xh`J*+S4oXR|pt:4rDb t)3 o+q}>QsdL o^,4.-ǬKN IWNVa ИcK)ZcuVy?gv:]!@N\Eۻg'_Ⰳ0 } rI{3)$U?Tt)[ xKX'%M2Vڢh :cӅy琟4վ.Xu$A\떷<:)+ 6BӞ Z.%#Ǿ -,>U05p2~=*)X\URU`iGoJ<!m |RA+Xo1ЏwF灋ˇfw4g|I-1l xQ> J.fćF6 NAtc-q3*-r NkЇ&w921nb>ۡj%mݰ-})dBwO0H@ bp:h7ٞy$KrŌBVb"F0vGCWӌ?Rj$i{(̙n}n5@G؊̚D`dnW~'CNN&ߍ!XdBN-΢ĻXYʄH@(h! 9&u\߄&RUqNbrWv%Df}4 ^cuQϿeZLe[.tĶxQ3i2[*i. [m͞(1B[|w_\iUliQB>΂i]02' (e}l ~d0{0VziӛNVq=Sg.w%B Gƙ*0}˿|0x1;FrJv9@NY8C JJI|`] .'Ԟ|C"Cq9d}xMݪAڡT€`dYB{tU C zZ1/±0 hPTȠvhx "LΉ; ywM2pLPƆY-o! 3w.=EUw=`21~0M](Иhӓ ,'pL%ǒ>*gtZ+ǼI\ $ua=~=)P xέIZR\ݱby'ЯjPM\~ 0V(#_ڐ'$yzcIa{A%Яp$] %ʉłҸE8mHQ;@}^(g{gH5Yd:ڽ)`SbA~&"Fq/֢I|},W`ᰋ y.22W^WCdTc|ήMҜ(z9'N ޥH0 f2FFt/(úΆd%yk{My PMZ/b:`;szxsi`S"ouVdtv1Oƌ໭Ԧ(+TCD~,rh׹d~¥-$aWb>\{l/ Á:UMOѩ_^؏tBլRyE2{#JF4pl "0(B +Ǭ|XGɦ),K0bW-_{;v*F,7O.F/ûVƻGH-y]Z@:ijǓͨ>W-X-"Uy[6ί}^*yx}bK[sMӚAS EH0wmTϾ-ڮR3p֕M)Oӕ9; =8AcdDOhF3ěNw;fmB\΂"v׋C~U|Je>$8 =lkHSu8vssE޸|R+˪JEb4] =^9l/z$$&^`Gy4yh;$i3` Fx0$ٹT]_=/W9N I`gm=_DLZVY3̶ԕ흥K"GK"⑅Ep}Wpف7 ܂p\Q}5Rr oMC#+ݞЙQ9Wȹ^ﳘ),=j5jL"WlSuD%3vDgX_\X=_', 5q6Q~%F d]b{C@Ӷ#cpn+4g V/#"ь $E#놠 hmblG2CPOK}Y?0P͏= pT\B4Uң&ةxA4b_gG]lRDFC"`\m^X7+L]OPV|II\S𙊅'k>z̭,B˞ ~Qq8n6`.)4.2Dԟv gڕ B_C HMILcxvфր8J'@\[^[ꪚvԁڽ 2Lπk@h5ں'Qt.CL>Eujm O6%HޖWԂ) }rJPA\7(:uOW-+C(7-">g<Ż9_2"iҊr;Ł>ӸMv&g#&Li$4G7E_Xݜ7K1`2a 'V]OsQ 1OUնboH|7%F ccYC뚽)njm!rwq]!UxƁgevʯ8* ( ZD9^a~9`Kp-|ARGp q ѱe#X^R0Aڒ-#o SG"?vj%%G̸MLXBO R$SꝮ-r&Q8B2p;^]ge⣘'X#V c3s19ۦ*Ɠg'Op/pSO/Ӟ^}D 6jΑ ..1|CP[̸Sޤ&v< 'm|(}J k7yL ?M Ӵn`n[ͺZp+}Ϥ8KTp ]۰o:Iif^Ι'đ'%MTJ%PnQ D;f㫹kܟ]D*߇%!Mܴtӌ"-OT޴: 0&,nZQâ([⋁qM#5enַ~hv(N; ('!*]:7 I0q)uОU%L2iB^_bia^HuRNq6bM1\#M2tXyCe7E=Hk߫ZGl}ԑp ޞQQ9"WLΖVm 2pH#6cYמ̨oo^"Y '#?}(c\ . ?2ؿ: &q8 }:hߤ+Jo:Xg9Czq*&SiܛQƎ&sF&@Cz^41&#YQi0E\F4aliDl+cy q{8a^8k3~-4YUUE붃Xj'D0|:;E)ODDMhhIy}9eTWVoUmXjD̲("I ¹5,[' ?Ǹ/@4!+WvWj+~VیjSf9y RTgp &N5JIf6Lq:_Pp楧8Kcb1Lg T"3L^Xܸ@3JHko`ey TxX^b%JdH42Cz&[C'Dy[@,r~[ܡMՅʟ*h>Yx =B"1<2{1я-*|A0k!bݔ s{ !4|fea(x41 ƸVZBj>$ـiP[xțChvgSʧ>4ri!_bZT`;ɮy#{7g{e!Ҫmȥ]@x zF gBPؠhTY@FxW,yKOJswe *HiQscnWb>ҔID>> 4XyYq.B :Lvr{! x{V=BYW$dn'|&ЌX>~4[: fHc<Ŷgj 2VX"\˲ ٺ"dh em}]01CwtK-tD.5^ܚk7lGt ?x+,#QwN-].]yѰ:#ﯾ~0҄>S& O:je=1)z0 ۟ܛHw;Z'ôPƙS{ft& a:fp҆draFZg=_wǹ&EZg8)u&wVq.ɒˌ5$oeϕ)h@.(r9up=wv3:txlzǤA%(#_Ks1&E{ƌZp lIaZKw۾`0Kȧq␌лx1jݴY2dZ)B:mzYkQ_X6F .դ&X?,Sz5;6?leWfls0I^ni]r -b/,{+fy1IAV |gy[Z%(n9t/A4uWoc#7]2DLp#+OZm}K $4q+XV9Y0s ya*ٕ 7ܩ Q)5%UlR!+oܫ ލ֛պbDTMJp;yG?jmBDw&Yp]a{ւvr)6'>xQnٝ`(" ;$&b(Z3/|q(ṟ*.3>GtxKV | n>?-M@89rvMBI8L:Ǟ}AmuNt(^/I|${9P*Cb~o'eS 3=/f(.0Y{Wv[%ෑ/{z7$Y4m*ew?VKx;8#1ZeO9gmgk Hi3ddtiGbmB%jvl+cu0=]ԗPt{:}W r*P@.q=d4~tUW]An'ky߮Cv內#ފM1!ZQE-'ez ` &XL]F0ʮdZ ` α`+eR xi'(<֒OM⭑=ڹ Vaws?/!7 I Tm0]Uce1rkꀻ/BIC ɘ?09ǘ=SFnp0ŷ螴 Ȃip "1]D3-ڢs9) kk_,i^a-ѵI3bܓ,n"1SG01L>|$1E`6K˔v{H`v2xYc4هq+ &[Ĕ+|0G϶䰾쁴!J!+^Ȉ+@΀X ң *RT_##G72E o9;rbT(J-prY`O,ߋ'B?,:Υ)SEqm-fufnihN9eAȚu/[R'eXN$%^ ~Q_{>htsaS׵|Ɖ}>zGa52I9kr'SEԅis])xqU!-L;--a}uɴ$r>[OΎ/X.V:k0pw1;YhMIϴ02z2\* e[eǧB#ɣcQsN(McXY˛9zԌzxH?J+F=bX"Wcݽ8>H0w rQulij䲵R.6.Lġp{tZ<~jV'8 hIkR)FGCh]\6K׍<{\ XyaX"i'ȶl4s %z#|iOi)bH~s.@gcM&Ԍ_ ţNOG[51Hhg:̽rq*V&z=eyuԈ mt0xNjmݡS ~ PVK}#b<=pzㅆѭ-{*$E>wˈ->H|}|aP|J 5yQNlnz ŗA͍J F>ZJEυDb)e]ZR`C "€.VS o+ c؄,ADO&Pr%%yJHW&W0{r'E`Sbdq茶2\oōhQPd~c>6&x]u$Soul̏Dעc~Wpj*03) 1g̑H}f8Cn' s1LzҦDM݃fwL(~ ZY RW敭NdzXegYIM%Bv|1I&erD9t{7g7!y"]+NG0Җכl/_1 D޴VFfT2ơ=/{-}x3j ߵ掔/bZI;rcvʵY:Ч LebiP^JvFֆ7YJ 5SKG3-El\J}8Y ]D 4i!e*ri8HF '䖡T/9.>/&9>F[| vH-wH/\N\LnÏ _v]Qm/3ko~; :9Y^-:ŘXgNȅ+hR,Ϟ@_>: Vj4Nz1I&Z5K\:sȌ Il唧Q>>y@a𳄃ԏă~/yS dej=k:·9ߤTji膠6D•Ƕ\2;Ql5Q *%SDY>2)^쿎N g-L9P EV-lj53l{1PEy֭%n)ɘPkik}q.!D%5rMD9D;L. C/~ BNC:: h 탯4=_:4JdYX6I"]o=/o/]˝ߎ} &B }ңVV& L =t? D4tǠ edqj%ޱNy@,u\ڴxc'K!WcXg*gGTGÉ):q*Ӕ*NcЧfC>*eQP-p!f tX2]@H7>%M-v:DMa}6LtSwo3~χ(菸D:B 04+MW@cQQC:ChRm K{huV?7<*u H'V!} -_+Ҥ¥/x=H-n8gk<~^^Փ'zaRr(9M8TJg^|q[D8~v̋@qeK,5 krFCم n^U ̠CvoO=&>𜝬: ey$BޔdU kxzOZ4ؠVh%m ,Ti:C b#6iV{o?pDcǩ@a.5ϛ2a9xm M-_ /w .Ğ}8jV1r.n 9,bb|w2q`:!gDx?rJ6'eQQ'2dmY\Q:҈AUbvyIF/o wDL-- qw!1a8h&%wy$w Ejt6).@=:8~E\y6{ $X­+{ɐ7`['_9@%8 ۸z=(YBLa]9T]߆_$r݃aigVqu2'N`%c4 [G,LuZZpJHkB2r$ga(z37cT'ɐF__2gĎ}׌M m4& D(1myZ_H4d9׶L=IYgތF"4N(?T-8J -ѯ䮒'PɆdCiƙp@+{_-,!kpÕT=ܹH˳C97ͺ%qZWL1@鶋&펓svPА6_i~=#$^20K3i3)8(B?5q>8q"vQ mjTMF{cյa'yL|*?`mD8L[1oQ«k'еLtL=1sZ` kT=Mu8YH)47ftA$Xpl#bR` Vb1;d ALlod?]ֿ7LXORV${52+VsdƉܬy0*ױo WUʛGPZO- w!+b, q/d+Hʤ9*O-0za:# }lK}^NMd2ΘeM0W\88|tL6*.Bl -gw?t@f [_ ݜ.1NDJ LcGIkVlr8E`d`>mݦ2z^HWn1gR ERxS:,ɯ{Ja%t& JDuTAFP[i>K,# ТHD>6y c݅ȦD18X6u`seb8F*$ga oOwcM֓3wrC18u {4=d499(&4KsؒT ֝%f`GLgE9Mvx:܇5Y?: ,7)2gՙmZ|xPr^nׁNdDؚn \drdңk"N!#`7K[iZG:;:9>3^/K"rGd&Td儡5Hw\~$5 $jrZ"><b : B wd!RmPd "KJlƩ1qJ'\.X"*MkHi#.kmg%`> )LB9bE3+o+*aa-o3Dnv~LELp~?n9n<ȠA[M˟rWcbaSBǚ$@|ӿ+xڸ7ē~4h(^{Ҏ+WI1!(o /?!{`c4A$ݜV-aO17*G@eAs/?a ;v6q2.XxzJX0ղ̹76q+$2e!TN=2Xi'0ãW*)e m>dVig 6@˸k =RwՙאK .yc4M#LL믽ř1%ao|‘.:uV(s6<.8岵 ԯgjp;#襈nKEgm$2d@Q$9VBՉmɓygf$a}e1 HuHmO}!-4+ =}ߓ:_\Ÿʸ}៌Gǒpژ@O^ +y7y\*Ӟ̨tSKWgWQf{d8<㲰&O/S UǒyM1hbH18tƩPY|wPl$&m`eF =EWf"x}NO(Dɞ6`u޺ +,b>M @g-2-Zsp!ru2-l{Y{vͪY L0)˱s~c*;Kh# sH4x镺l`뜤fD;Hhe*%-뿒)/u3ZOFgT0G|V:ʹ1Qwzr9JgPi=`.E@b|87KSJrv9ؽxkLȿB@3 ՍqvZbꚬe^0=$P 030~1"ſDT6vmXCnT}N$^)RKF'XNrF6)w?^_B~u$/Yht?1w'.8Rz0c,vmV+l~r M.9q<ѕ9&A OM7Mr|X55-o؎KWj#2D?F~OS`0-<)CrNزxyw΁r#XTG4OKCsf.fV䨥R!\[ pF.V{VF:䡋`1")c_30 B9tFr%mwl[7$7>V!F Nzn.;_SU/8M݋='F.tz&jrt%}|+BPպ56NԨvpsF6|߲F2[ϣ q+aoץoЭjh o3db ۆ#z{ՌRbo Axy諨?86@`ֿ\nxd Y#6KRoaWp02SMݑۘKT$R$FnJ$Ғ.t$>gIDc\N38j^>ܡ L9q@_Q`3ĹIL5!r] I!`#j`cԈPʬh, w{JG3CNfƙl%n{V8*Nvص;n",yG 'RrZ.D r~^. i`S zD:{̖r!fGga.TvJۨ0J<]#h, Na9{1!e=bӂ>bzuG7*jz1zt/r̒y@DӬ!yLl.NQr z2n#NAaOd@19 P7SI)aTƃ|/l̈́1f RU*@FpȭÑMJր#=AY|KF*w}Ե#;n'HdmO`B8.npTl>*f"i}zg2v-)~ -Z!Ә Y3VzȒQ65- #a 1tY4DzkUԟtt*(q BU#--}^Y}Dw)C& /)#z[#5ED%6r=P0pSn(}p D-fJʛfQ4'm%%ߕnچJ0֔&Qxo*`9z8۸լi_:e]R@ ,ۯ\g.F+so֕Hl_+3xlt1؅q +y6 1 ,oK;jWGQ&ck1a~BBxu"K}Jd (/Cn J[+I &mIN¹0=4gjN5+)ymC6&%2>(4}>G~ss +ʪ >u"*5j?[P[)Om4lrՏX VR_uLq0b+Oݩ`2>ԄƷ )A|x̯*rT<Z6ջG_`8N@<PE);I ޲. re"-Jv㙗05h.#OMR3[d@%LoB/U-#QG>+`˗ P*e۷]lH#Z-#/' >a`'20FNEpҟw,c[_=SfXIحؖdYIBmd{pUeXr2krc-[v[J.LWw}'q:;L!+[b9Q+5Z,F ߍ`bASaZG ktJ5uyÙɨM,R])`oK0::VLL|vZrQ6c3Ϝxlq,Q! ,CJEAP3' 3ҟI\YY }͢ ݭJTbLkxƶf(#$ą<Ǩ u :]~DDHa9wA,H-#F\0huꀃ_YO2S}z:?fm j7aGVk b9B(7&ʹOrZ c1BR% {X緗 퀁4Qފ~50%ju>6笶bb=P,JӦY AN/ɛ!lGYD'H;}.|`Vhf3l9wJ$#pN 0 HW|IFNǺZuB>lƾBKC)EGŽL&ƳF(I{KMIx4dX8bni!32'?$'t'Nw@iĦת#<Lva(frAcVX?p!=sfINԩ}xX/-Vv-VCa[݂^|5|92R@?^뫚&:Uyy ~Za脖iᄆ3?3 " ?jBx%"|l0p|qJؑ:✖c;ض3 tkQ=0[X"K }4F5P8fZ_:>6Wu.ȶX=t0ZrA 5+RK!V!Ia- %h6^06 C)#SHm<U MA\qo>J;{? "u@ݻz%-#:7ϐKF㡡/:O~HR?.HepV* ʃ[JOO,\BAՔKn/ܛ;Զ4QǦwr}&54S1>i# S4֦@ht97ab%=TC1L> N ?iz2t3Z!ᦙ{Uȕ(i M8{p[ ]~&l3'u!+b|72}lC՝ kC Y''avO02Iگ4`cm:q%JzQoGeFSV#S|Xm[FTx`V!nZ}UCl.[T.yٹƉPfϸؖs!3ӑ*ѰK, 8^et(([O(BcHu=dv׸8hYP31~mvܹ)kV 1[Y^bT(qc5[~tL 1S;))!uXF^Jr_ v,MWRÂyjvԛ'Fa4 W!N*gx: \9+7""8PhDQV_:h}ƯlV#vvN6*kX)J#EXv*έō8>`MERV$D4K eH;Ux97mh1_NOVISmf/jw{^V6'؋E%"8xKj&Vk8ƘY[Ed^E33L^l ZX >ͺ x0cl |´*J11 %x!7 n}ZN{`e> 8`vhbG6|rHmyb11)k!03[TH d וF|ㄩl0UeBiP_ wJ-PsS0@I-*i{]+qo}J&݆'W̫I]X>[}M43_?KR|T4:I ~>>/qj{?u2[@kkKw Tl7ͧo]M5* ,bnP )@egy@iHrrS#gJuEne2$07eGS8fMeOy2oՉ $ĸekbϒ:؉dKe Qe>/Am!CFvo\*M Ԃq{=\u^f8D57XخuJŠ?c@cςYRD`\%clRFρ(8T7t@@ aKGІ; ZD}sq49_Vj{ 5O`怟mg68Ks?w1ZfXg1ۡnw1L|~+i$0/2RŜ.XƔ Ʈe1ٜi`±䔽4$(^!\P%WQ1j]F:-S*w v== xU,uۏҴCx&OkjhilBltsv9M#imQ|{?L}绒&LwNe6:M}w?F@%H2`34zO.VnA= k_=ƿ'!Eu N^ݕX7" ?0B8]Zu*az^$NkX]}5:kC*L ~y?8/1ƾ߁J;NH{=,/w`^E3nFH+GwZ[[5WV'Oϕ\KjaBwMGeNf?1m/|[7VVܺ=Ѹ9fG[Mx#/å ∯o)B곌[)xM@ % js9[(KP|&nķՁKw$dAVsО fqO9_'1haMB`x ~{,32 ]~P ?3WPU7ɤ?'sw6[`7qzC7B`A=޳o0}C0e'UӨth',M"rҎ[^hFefMkvKAD]$B(lOŢߴC? !bw7R+Hu$U\13v%JqcfAz3(?D#qkk@26R]9uya&ђsAg4}_RA^Nu5CH*l_Єt駁&/CG1pM)E]r wTCpsH]W2eiX։/՘psOYct3Ǭe`A~rxBۘ8x%AўQܪ^CV󛹇HYIz}ZWMt7u-B㳢6qOHO3VV{GEa6&;» `I;^пBR6u"E[_*4" OUܬM Jj@=0JiAO]\ &y mP eF~[h(jYr&F¦E."8EFS#@dc(QyIn. %~ .a<ݍR|IBp[oaz(i1W\q5VQ@Xo Og݌Lus$ yz3Ӟ7_ j!ƙ-0L|A>q&19')RUˑn*)hF8]SCBp2%{}JyO{rsՐPG{%S5h(HwO0Mm.T?+\"B*>L+J#0In*Eɹ-}9bT oG16jUa i *zkv6OmIp ϓ#Y9kddư5irW1\W'cW J <"zx;P{VD}{͹<-VuVʘ$'2@ UUx݂hSSb4!T#0:}AbhHXRc9^;B uFT=-kP"o']t|j%+o0vdh9JK#:NSڸi[6wcіâu ߑ ipx Ru}+cyGqoD@~b#ʔއ]b \Jo{T{s9yuUY)EziGUMƛ>`GэCIN Zހ> zDk*uAI8?tpJD0BZ`v?j$θq( ĉט)@A)-(slӢ lA%% ;&}o)Ȧ1 S :C0[5˙β6և%y2 m~0Zh)h\9NJJ_$ث,xxG3&{D+%yExyA a®Iu%GޫI`yHkƢ`s#f-!.D 4i5vu}jDSʪ]]$@/z(X:AUi>H;dk%v={{,.QGg{;tp*(GԿfF4Gy 7q$F2Q!uDC T0y͛f=&L!=+s !FH d qN"%N:Mg"sКxj`tgMax͏In2#*QniM_@s +`Eml>Am'wТag)xnJ &o5GQWƨd geEjrs9u?``DeY#wb8BxݮLD `ų$qkQS02lH-ga4$JA(u{ AUĦfjpl]Et^d>Pngj1lð=]Fg @;8"~N TNX6'3psg}vq.E *' ղA?|jT}?B昁Bh.ӓőmC-yw_WNz֫^ `96,: - C8֯KA4i;kA|coj@+-B,#f&QlE ,d@wGe7otk7vyLQuiDeGoVp1' R%hNy0$>S(L&|@| ~wPخndpf s{\S%)L!ȴs`SNk_g쟓T(VYI8oKY/ vr7DzFI\膂`ȋ^0uP3  _cMX Iy\V NQgC=LMi'#MiVw]B*= %ǘ80 yF'.soLqU/Ƒ;%}Sه+ǒsBi.c(=]ٸlFCgEHΐou:!H?TuHddq".#<-Ŕr^Iyj) JI7ZAUi, g‡\ YWx334FyA lkJ~Y7ѻu~Tjr$6Mq^C%ڗ qwf1ƹJG] s,t@Np + c,pjppgYn6`k*tw?t+ MT%*Ɉȟ|cuuQW9=h#N"M/A%5 '1E"7 93v" ߧr(:)'na´="7ZH1Jx%;6R59_vbh/` 8٭$ ΟN{jgbsvIw>A9b\HC SdjF@DdoBCVL40dޱ25n 8:IɒQlj!9yȂ{n=w5nw;+3p~ʭ(EY"pN g33-LceዅnB!ut/>gH^Yg'.4iRے&[0!m"SHZKwU/ E=BЙlͯ; t2![?q2k g ?/(;ɲn5<14M3-Y)k&{)1<߂ذMUbH儱ts>c&DDtIv rP'ՆqliϜFk>et\N"qh-*y~ゥ/q^1KFJNkW">_,0GJlV D^aXed+ ɳ1ytEʴ 60h lKk Pi"?s* (BF!ٷeqDSpf̃W*N)84s ^UQ/5z{IYmY ]F?bO}efv%C5HvlIȊ 99-Mְ_XhR#]ҽ@TtUvb$h`RW( < Uxͱ,WR6^W'"q+ g:0~E[}wG`-SV- xx(U41N3;YA4XL擔6f`fRi^v%Ak:q=:t'%?xZ1={ =;0_ ӁCbÒTsn)\R`noJ)a/2^@NB l_Pcrjs h;ǙΗ&WsP`Ḱl^0<,*)90``&ʐ;fw;~VItfzŮ>9'vQb׸ ;}TwdlN;<5 m[i bg96>_8d u5_+tYSJ}.')x`0Ƨ:RS Cv;Kd|A~6uy389Rpgi`;"T6wPnEn+u :KH[;J̰֓@CeV+f6wgRAfy5=j=#tvt"X%Bka ;[lq0W[[ $sSp e @񸝶b$ (+ :nT?yr8;m}cҴRYÒ.)vsr'N:~C`ĹJ*y/'ުP3^00 Gܠ 'F>͓p5 d@xPO&-˝1%I "nΐn愱u d.3 즻ͅ m9-TCskG~BTXPKz$@hX@Ņ Xؐ .[ aݽ#=W`ayyPx=@?Fo%$&nt\8;L0+}./ÅSS|_ kKAga~$IGiIzVUUMsD8""iXN; z ҅*ѴMH 8uN7ZI&z;8l#6?perh&SQQsF\cQq_ԀF)ʕk7! x'h6bT'Sue2O'u o;7N%eGj=I@θhJ`k޶#];[\dnnfNw KR% >377,^ j HЛ<8o+|-G8,fhgJ-[A@X9)XvÓ<&[ϼD0"M\ 8ZCzF,]a|Qz^oZUI6b'G(ol3cdRj4DUfTm :)D͐!ctO$1;^cc,]C^:_q1v0p_= rhmF ::\'J `_Gpug9/p M ڧM%S5`r3;(q,_` g{\.9i\8VZRZ'b.@lCA|vp^5AXTL{\Kb=RTDjw˸kƵ.… U^VGj۞nT}I- |]Kk94%/zn(c٨4IO+r;|lRϽ΋zv(Mj#TUzqO0^ʷs<]*y%12Nurm}x_H5Y8"NR-]U4iW٢15uxN35΋OOXUSS탂xBd[Rmc*`:Pwi݊{v&'5Νl5ͯD[3 #5TڲA}~#ꫛ)g=fcI4v:ejty/%p5h;=ˢFBkW"J@F&/q7rݢ8Q`ΞvG?*>DݦE#Hm0;T8]cf69|wcATYVxLiKShשcȈ\ۉԦr s-ݵLP52wĢʕi]udvEL/8jƟW6Md) "|hh%>1.GC2?z36&N.Z2PL&u<]\y* >ۨc (:û S$0*P~,v3hV`L{TҪc̳O>X p&_591D|u0I5v?E&>y9-ձ@/Um#DV|bmZ;[!<Rj!뻭ă:;. jC>".[/e sVMw])Z<|<'fB \nqÆ$ D?_- n C U+wcR#X bG"wA' Id$C7 _^TTҩ^_$q&nSVӌbTfF|W%9ިrdWWt,qY=3+H|/:0 q#oKԾ^硓[B :حK6k V];FDX/RbI~68>5Mj=uLѫ1Aĕ戚u\wzxSRoWv^׿n8w_a@8!w,jڏ!/"Gwzٰڹ^>)+n;MtidY6M(M[`䎶GMo8.p%c;kԘ膂p)*BV6YsuuoɥjwbvC@並yf*  D6ظ I-/vPg5{,^:xsBO ԟ2W<;X Q+ҋ@#B {1i&2kJayu(p߸Zܽ\ BLRGy\V\ ,cW>f,?2pDD`jA8f1- ӎhXZKaO@!]%?-`~Ԍ 2#; AϿ@JL5#ca.ҘvIc"ǎx7Ry7o%@MEy ï r@!Hx%; ^X9qlJ@s,oQˀ3@nI| V ٭:D"Djuk3B1fdJ1/"YQ|"^ &}<.s.mj!Co$_D4q{}DKB{l5CxKi~dckUːo~&G`Xu~ _rM+ ;W(GC̿}x4z`/"5Q$4cWE& D&a4qsu/U"gBHHp̣}ĒF]_wƕ〿?e8F\U~8ŗvBkok(5w%mon egFFqfU*f<3`5]1JRazr aG^&N(lNInmmlCO7?٣F!nٖRo^Vͼ[E=ʚmJKe< FowO˨i)aegIL :ٽQq >RDt5@9S@?2cM" Ad#HyH?cv{$ *6𪙃ԆΧ˞]=J³5yb %Vheˌ]JBՏٗE9#LK. IǿыË*bf{_3;T8 ѪpuF$yAEoDJEAYÙF|¾3 hkU+h}ޛ*HL &w+lN.]M Nq)(/s6mp[iE;m2`"oQ]]"֢{JFɶ˃͚c2bi~J4䣘 %k5=+}  JgE];-:*Pk9RGèWZLG3ycbQI9K) Ŀ_KU:;g0YbkIQgIZ Òx(boLzmEX4-zqEfPe~Vov]$; AתZۛJJ;o gXT$7 sEl FJr g؊k]׃n#5D`[dM}F_>3& G& n?dgHd`F c]ZVH-NjGZRIQkvD%;)f5J08=Jz_p1Aq(5a^5xP,`[aJZNĝ+𕽚$ Jh J1pMiGS!k-gC|`F#C2,9F22㨆pCYRg ķ~{_hA0hNeY04vic SHCaWWu\bИ- \)QjD"JIōa[m,Gf`]B.VDENf?ᓠo*NKj,`xfOLnlLLiOpBu6]GZ;Uy$4][#4^B]#JI4E]6(!7@ ɪ9=!'_nbɎ݄G d/3=.Nb/}PRFtMY y5HP eBz볈ǿ!n`;Pيv=W G"vv{AnVZb:MAyANf(B6BVƫ ^PjJeB!΋1S!r?39L'|J9`g0bm {Lc6m:Ksp7ĵ.znmOE=-ੴStkԏ'!(nGS` ([VpLʓkg*BvߛjKT ?6v<38!;֏1'n |oe?WڗN̓WX"ɥ -{~6?c22;&?]XRR,bBOv0^yUJ/o2`)/m'덢Su skgnlp@G{E /奭Gb͖H`ϑs\G`&ΐKov)\F#O9uㇲa,=C &/$|wro!jglY!q6$1OPjD|l-~A٪.Hpd)(GṘusOӕ{ߩE|Aߡ/a|L|ȃ@ Tr"UYQ{tZݠ#ۍ6imB#DpT*T:duѦj™LWhl(P:Y[Fgһ+f*~U4JԀb=(b.r0zbJ5w h*}n|,QP}** TwEMĚ=>tԝ4"Ւr؁ΜAA8ױ\s]hX%Ha|2  u topA%+=SĄ͢eilkw7[_|j7 *s\%`l/=.%|'ҴwvQ\y1ŕZrZ9DSei -.:*9:{w=6 |&ϴt^ulP79,otT@CV3669YSK.zelB@kYs%KaD>|mim'FYZH>Q >?7Avɔj:&+**MYkgZ.{ qa*q/?ڂEwh ӉﯾK? r~;YE<%'oE.Tʋ/~?K;((?2IC=s}0p> AS`=R`+}za:ܰ)_jԍ·R*ldm H5{$I!-0QIvѹN"CTFM4e3=?ΠJ %H 0<9InOqIh7cPg G>N&eVh}LtxhTB# f^`.}/ JMzSq"k~7eUQR^_" "zk29쀥"LZSqYЬ!]c?rVLxA?5-_g!qAxؔw|6Z!&e;}]Di,.j}''o"1{ڵ%8i}(#IQV) ^G?[K;Rɍ3 n&6ņQ6L\Nͅh9M:~P|.N^ze !Rޣx2/kk(G#(u"i׬8EG %GDMH/ӎLWja%J_{)\2BS-F|JDK!Ĕ)ʂCrR8tM ŸF]$^#S:+*3EOH˓$ֶ]Z{7YLqzm"#-S"X7ˆ5& Wi1U"ؾO0\ aFQzoS }BOlX/ jf'F8oc/?s|M[SbQw5;BŴΘf }HHCtk]]f37X Mx*\ϾZG*7t=\[e0lLF/ZeYPaݗԽ'uxl(@IKx(VV^`RٲUaY;@V֌`Ju+8jl,D &㛙nN7K=wïň1t}S9 ]rw;ߩsWmޠ3c] dcfE7r9\YMt)2'"j8CAq^Z%.X3nH;$izXp¤nNmw0)^d2* WbAܟ:aeuU}~rW?:}V-C-!e@7ԫQf䕁(l>B\н|\S #Lzn/ĮPp2K[T4~%/>)oKѳeVg<6+88,r#! 3CT CN͑z{^qa1*+(ְwꔳZ{s.v:SNfRKiEQ#b/_ѺXS73P!nfp;$:2Ce\/2ϳLqZTfHƸhvZ"(wN$'ajw'Ɯ0y#wܒDByv8 *WUꔦ-;I&U7i*Q(H3!+ 15Y4"aD<adCda :ў;/wܭ:| TmIe]Bdo~L?Ҿf-h) s^ˮi'᪒/U:y. õY ?V./&J[]ɍz,p8`d}sj<48kL@˞&"q(<='>of?Y[@qmfpYp X՗2[q1jLU?] J@t$ !_RwQGY# $#w.=4UtEi>}/;+3X{#?k Lr{%Z.~̎ `vhz!0^@M(G;gl j7z7^F&pMջuѰ bD=X@9 &=>\5gj9.:5)4m86E3fb,%8o49ӽj/㉪J^ݛ`b#I8뷀Za {g;z`!P 0G |z}2Hd"{, PQ3b4j:]HBqUY>-+ݣ 7:#.4C~ߝ&OCGY8^45vC]q;,Iz/=`3r-pood`,q4*C>l}\i`6;h W 1ϐCe~}Ms^*/* o}6v< ٤ԡI.a 5.&ҵmB]]27_0zDFܢi@^fji 5? X0ts +a<ѴA OVDH_wUzՊ%;G))Ѯ΍J;\BnKuL{>U7CJfnN`!@'Tdh*\y"ekA6p!/|DN ӳbm|f".@u^)zQeejLPI93%߯o`Gu3Ѓ#iXC!RE~\@AJ=L=[,j ȟwKDMAa%1ȇ;_/q8`Q%?f4q*{HwvĶ/Q)S [Kl.k.?"7`E9+qteeBK^9:S(UjZ"$.2SDicz$ܹ ;exHHC=Eˎrdk!S XJĆdB$KA((-.ahn)DN(6P72-+d BX>'`*bwj%b"pB,N\28GEDq{H_㍨Cvi쇯GknddYt?vӛ G0N3m0Q]rI${_ڰ)LESW>+{&=r #_8 l*L9Cq~VԿ;6@~&|ҹoǠd>.4$)>UU œj[0/l JR+JF$o3*?6(pl,nSTSwj]1fH2,SX?xykO~[7k̸-,C\~'&Y`Tk4Gi<ν3O{[@<S0%KaPJAd*rϜ>Os-FɽÜh!) > $=Q\:5T?^tn]\ycV&7tKJi$/а4bWb7q3{ҋ;-R6_ze gn8ذ̯13иC La."R-|YjC WSB`gĚ0Ӕ<®OtnYQ@"?CbWڎl\4$FgC.!թR-e2%2-U':⦞<5 >Q y`A-,soPG205L-@]ظWzv9S\?ڮ&=: zTf!n /Ь&Dc@=(ظ4 Vz8]w{ }9!IRvwCh89wMx@m*.Lʜ/Yl JިFA*iשXXg`e6FGhy']P<#^+$'^RXѰV!G(:1֐җHsKs*𹡕D1ބ]yACvt!&9$Y? r5ul `ہH?It2Dc$'Eex(Zm: kMHD/7Z.Q OuyŤK7rb+Yy} M"\!-16~mlSgFj;05\dR9tNڊF~ Z,_g*b5㕌wYoAiɍB|!bD@&ÁLdVCaUY ê @ZLf_,g !+B>cAUtj0S˥h@Fl/ZiOh-##4{]ԎV kD-$Ơ)xpkR Y֔5,=.uqB鏖%.r%=D|s2v\_R@Iа,{.ˋf!]ֺ R' _m݊&9(yn7vh޸Km*#$)dQ T=rajOq]{S Br~U@,hDs_8d+[DEt1N #] 'v܋ko66>]C }ht7jXN6L5+XGQu1U[-RW4ʠ jGuqOꮢ_R{7N7+܎PNv()+Z &EB bgKg,YFW.R.U+RM BXrZHhؾ,mJį=tI+Vhkz:^̷9`fyl:P*MX7PĀUȥ6&|遠ή^I$D v㕷?2-VSX~a\3ͣBc/Yh۟Қ'viթi01 Ҥ60A)[Cl<,;8z\M`'NVMIݐhtqR6WI8 ܷVj4 A%ʯRȓRl$Dakr앭 3{}y&)&42aU"UdL4myMSGx@s2#A!܀ͩ?H_v3|vr4O\KAUMѷyFxXR:N M2b QOmx+l]Kuqh΁=S$;GCW{bJEЄ=K^}:J\4 r/hVRj\1T\~:Jv(Z6Usqq]a:ō\yFVQ4锢`ARP;@NW}>+")5eUN| h927N% 1Pً[𴚷=4~Z^bF#rNd"dQË GǘZ}ΰIdZ*z^FΤw.&󀛁PwUV*Oy{jgJwMfTm}O! sR B wb|Rc vYҌ3LDeQ@(XLQ!Oz&;ͬ\Dh.C>*>((`ew:D%m Oog.[s*gRT({>fH&a vJO!nA;4/tI=7+_:Vqaj=D(]@ުtԫ=ӽ/d ^urɡG>|r(UUw)]jHnq=FXF^{o>ۆ&W<H#Ǘ6pct2iNsM-:fO(shH<R:{K-bqKn Jx4;*d'hdӃm?5HW]XwF.SweW]7 ]|<w"#hXczJ*pMl!jӶ s :)Թ6n&#n~ '5j-זuG.?8 Ғ&TgtǓy7բB)B>ɉUJtиكuDW&S옌J2>,n0fN@[ pZk`HW XXR۾j.7!{;ڬpgaY3ج ܸ1܊e_06p^ 8ͧd(|f/<+Rֲ˩DS#2%Y`L7kl A_+ѹ0 '꾳JZHC ĵJ$&P"AFG:?[\`w·I[Iٓ.r0|7y6?rg W0MD'e&3BM}W2w7h oM2w|(_vаlzߍ&Ʌ}͛%a%ӞpyQlxr%Ov lFN>ȾTvY6Mclm\=;GX ui<âQݮ+O*I'Bp4 Q ;aMɁXhXE`j*~캅٥8vE`?褄I[cHWz΍ν )}Fޅǥzc.[3תڣp8;}n'<}{s&כPoʧerm&rrQjd} y04p'rjO@!w$^ʯJ!L:h,<^ʺXʹ b 7k`Zjeg(GZ<L-(tГ*@HF[l[yB]nhDd^rM4ϲnZ",͔=YSbUfr>v-1FPHD( B mX֑^"hYSфc႕[}KZz# ME+` ONڃ#](09dl35.ŷ:Rj_ >@C=u@XF!7?\dz߂{D0VP\֊/,AjKFr䲡f86րpĂa5e)dIǎt#EZqZqh ,.>զg8;t5 n?j Km!/rg@U:֧"O9)r-aKJ \s(W5-QjP,!)brmʱH!w3)*}+ 8t3Ga.͇{;мTc[%qb& uݎF|`,4JV {t;~qw\kоHB9|{i?t8]V8cmO[ =a -t*q5@8e%Cx\NN\HJY'# %=UB?uൈ~FC"F"dMʓK쩑d? mi)kb׷->21h\I'~iMOw-2,. 4э=Bg`pKˏ6bbsH;C]=Z5vtewʭuy=ɽSu fU.[IPVYܠqC#Ka6*~k$e?;1.\a(SDesgҋ?I@dXfm7\_&FAz?^O L/f'G= 癔c~ DL4.Yh!}9p 0El ^gיJ me^g`O;}"} ZAcuVtq9w> )*cosS/iOGXʵC I }TJ,HJ8AD͛؎'9D;;6j0*iՆ"+gQ(M䱕U rD@&ͩs 1d+ _jpPK ꛄq8ž49ājDutT1};`)cCAd9}&MIOzPfs<\]hV<(0S9<>"m!W+iz|Ʌ#Jn,]䥚bLRE_HME"@Iy#$0eMcK#+r@/&dz='GG@*\F܊&~8nN'%fң,8Гk^$>׮ 5J\ű9% I |'R_t @A b2>Q+AkK&jvZҹnYO: 7 #s#%\ W5,l6r@wCtI"K@XL'Q,ߔsw5H<NҩUr|[t&'OAeO:)L-3V\:lwD-1ؓ 7~7uY!PQ ,jA1'fGGGвm۷M; $Sd b MdA~'=59 ŠP`olQp4}=:vAXkAj8 ǔM*OBW.WʽCЦp BUֵ ZyS*- ?SQjOq[Vۈ_.4iMAYh5V%7Ad`0T%?u~lfe%[]ܿy-]ś3,X#ͳuj%}Hi#;l]C1=Hvckɷh{_.W-*T!-cCrhC 6 OtT.?#jԦyUֺ١Mݝv)k^'* <ܻsE ч$?h'qT![Qz,U?Zr$uO=w{ Iʺ1'b6K@ {Lo6#Huxٸ")HpR;ezWG7 _#v+Q+/T*85[LC,YaxMpqf8"W'MԿc% MAAvoeI_EH/]ѰD%seyzI,ֺJge\嘚Ҷnm2B.iaw%3Mxhq2xڨH=cl;WRMWA8SX]')=IOUP7.WޭEPV8aR9ꄾ#˰4j^t I=:,A+vO̝.l*\By#Bv vgȳ5`~N(K_„ MJQћC>{ͣVmW6 1Ocnm%=$zyd\Rn=^So:fr+GGF=o'fE'GӣO;N}浅-NuPZ/15сxDJ4&5>E=,X-(W*+v P_>u˱?&@A'ךoe$@@`a;:Nr[DpZ )> -|;|HzE1aD?Amt8Vt |BQ8"v{]JC|SU&S-'\=X3z2H+q Ip.=(trŚL^4f6w!vN0Teb}ֵV Oó"ªyGNy&fK:8EJ7ʷ>rK\v8Kʊw q^j$-8AaB4[)}ldK 5"@hވcYv-'(NW'.9vXE9HMjdBlAZΈ~ٿSB"53aq ˺6ȈmCJء*v/-!Hз$I{#Tz6Dq VӡQ.3'S"N^ )бW ENҜ*Y> >-H80Z()\^W(7NPVOS+f&%]) pmtJg$f*>W\C TfFEuhXoN/k^ÄnӲ¸y B^0O85@ UL'm'VňX4 ٠bW!.vOm.fr%Z^yoq8ʰ|lݤC Df'_r`G''1Dzq- NuD)v@yQeÄ9b [#/FhG k LZL?AsU~DDadY~Ajz9 DX!VPb ٴh7 <Zyv\bXP'ނxq×Eȸb׼*7xQ#[nK1u`G v3)e<>z NiV޴~NAd-ĖN,P|SHߥn>n}nfS@HK/"IjTUc7^vBs>0a<@`[Od^f/2LlME*V`@)עF@[%HߕFzY $!M ,}RM؝x㹌Y7ԈADq: 0ܲWQᑸB+\ò2vlZѨ;([}k{˩y:~ uD9cv$ړ)*5 7U"mwi؎p[v'dЉ AlC][DO|/Dd8ĸgl.2cbl(=IAtYWBgW=Cԩ}\Z3~3tGqO<#T@!9TRF]UCy>yʌe~02[ŖNVeH ;r9D;>RhDMؖݺ? }E*ęZvRl9mv uvxJ$3@©pcEk>~J;CŬ( ΏkHT˟c@ I1:t[7rpj&9,(j#-w,jS YX:HZbX,-}Ǹm),/YRBcjP 3jƹz.˃z6^ ү0n""!A--܁IWT@"X6C]J^nU77aµ-WLtkg05yV6NKSHw`kV6:(.c˳#_oBcʽ+Ӊi^-E W٩.6'pxCNZZK<$0[IJ}iRގg3x/+)06f[P |v;kj8^VTkxO+ݖ`n\gLԵ"&jj'j&,RD;mZr/Ш:FMh$曟Ey]}W'xр)'6Kw`ޒZ\ce Gy+e苫|}:}{gĕaBT^-5|0Yui@Lym-?m+cS9WkTcF\Qxo3uވ蟞r; !WF1:O&bB`f'1|uFчŭ':=.'^JAc:Q!$By+"mcV.WԲId[KMI-~Qk"iob֪)pDC?MONpLwdY PD_ b^]%|مqA2)S ŌaT/rޢN%ё4_0K Ŋgɹz17 x\?LZ ;"巜SHhFźoGxX(d_EWH*nm%FRTA+V}^ aU`Fq:]%H:5^xJ:sT~IM+=< t*ASO/$ImC͓UMS7U}[ M]$ }t9̇ ;gȠ"#PE !UxxtT5mԉj#ѭjaOzOF hc65< swrӴVwcR1|:H |zmҟe>0j"+ʎwoMtp$?]9ok9@:IrnV+IъBr Lb}ff jQA'c&_`r(|8LdžD`v\x^o[DpGWߺ4J/XGiUYiys',FN*bhQ]U03{r^m8j=Akt񴽒v/jɇ:SJ-TabR]Pشe*fb )"ß̈ F뵔!luIO4IGvS=ZA}WIH+?cϐmhJu}:L'(o~ݰآB'MKo1E^d&_U~.*QUm Hufh}(s,QI~JG\jV_ sU>%حY\,|j45L7fۥ1!=Ҥ1T4p|sU?xXWoﰀQl)Z@|B*OΦ,rKF_'K[w*_Vr!%+*z>HRXl^߈z4Gg#Z)ɩm党jD3)Vt_YSŊO)ڨ.*QacePA::.;trU945hXpr̉g ?ځd=@}~[y<0#V7)AqxV1IޖJ6o3\{hyVrN:Y5j#API)a8Ҷuc@mG>Tu OJO9JϤ)aɋSN%u mjh 0XO:j1OY !v}ybZĨWX}b-n\<=p-Ws9$Dd #~>ml68hRcn(7?-*M+8=c(5]ۉ<5iƌү^~ɏ2G 6كjnE2ޫ?y8Zb-#1A3Gǽ:M_.Nmމ3SPAeN1?LA|r,nǡx}hq݂@#7޶& B\7SיfzSGz73]'DU=B3ES su%?VC;;4oHF/*8Lx 2qʥz@_/{:f_<P%sGg|R?p7246STH*$vIĉXQh"$ 6v4[A}Gh Sp4b KY贜10,b`%Ȕ-?N;3bC6~V,Z†8Eg,} T+Bz $v&@S 6äPf%3D?,;Cвsϣ`F7 .GT.ZYWd^Ck 黭l]y߽a>'+U+kSRK1_Р}kr3"mYmNywfsAEoD|[5f7$ 1IxE wblR\iQ@t no+iS,kANQv.b y?% 4#6Lݲ@!$SݗVI3as{*מ o@]w}(a:XIPUq޿P8ҟQGm=fz{YXf l7IW&Gr%&J{ (Rd׳~ntm4^bd.~ G?{Eg]:zY.{hO}U;3 )+ah.ҲI@~;Tu~եrѲ).[\[ϮyH%D*es G & \ ˬuxYT"Feρ3߸Wi_}fޞB"2R"ñd+EUꁶ#Q` TtV]̞yM18ތb )5)yje:F|P"^V' Y({wu]=]ޤXh2õOM!)zYH!i0|uC<D>6]Lp杅(vΌٜ܅ eky؉Z_0Mz| (֦K%+?8!ۙ9ujΡ,Bp\|V.;xxxs߄<=|/mceEGe#7_Q[pYIW8OO9Z;nC`/Enhj;{;7Vq:tv@d]cF"`Zه~t3L8uiOiq,MEr^HVSCpݺḰF1u37-\`b.9r#m<.%i6EmtA(r~k#ur&23dH,u6Kg1_Is?[5q" ( ' ijf?bNjrhb_zQF 8ַ8[-VS"Vp^;})Cn v:cb?*o ogV,m9 O=l?䅞, ȵIUq^ɮjk8?+yTK]ToO_תB_jDT29 z{&̓6>Uc/FWH쫁_I7Xoa hv&sxn4yY6xK3,d6_K0L3Q/yta戇A~>f ?wTm!ѻڊZ42 5ܣ{\9ޯ~:CP۩? y*a_%_ yI[98<.?lt.Pqc>ԧnUNr f5kNbHم2:V֜0չiNXc ԃ9.$WM՘wi2 Q[Qt.X8-ށ>ͬ/60kRrM7zm?\&`Awƣ7j{ 'dH-8Yԁo%y;>4m쒦Q!y$eSV`f idĤ2!CM~ Z _K*ׅw|T`T] ,SAX#]FHJEܬ9gഫ/( xJQ8=B):|wyaZ\ Sϡh1Dk?2E5Yj45N\ 3uU֣:i|I`܅% ͣx f ?)UÈe ɨʘXf^,=8<,1̊|$b\0ktBUZ~=bm%Ca[COZi HZI[u&dLVnkbd|rW {qE_O]z=,h07 &meKb5v:/&Fǣ3hlU qo/k \IwG^>;ҴC՜{C{%ߧڌt[6Xk 7G ?$ْTHғ\4` 7`z9U8Ь`3FkܬEŇ_ (-ޮӕ1uw2ܦ,x JLLƏaBo/ [Y 2霴{œ,8}{$NhŐI FꙒ㕇ѐUҶ*/oEWS渫ܭ2wtdFޫ?+'dثu-,e,{ˬM$f?F0*Ċ{<3aF)_1՘[>^4Km(xjX45# ֘[=eCbU8vHEyѺ75D@dhE"LvO ssxfvwv碒vh}fk0Ӿ3Ndt^vQٿ3|1bؙ${K^~mp=&8^4]3v:xT;}ZD$Z)D/-at`\MIj.˄c]l4ύw/V.{}i'$HtDV.$/C2yO'J כ llHMgckslU ǃiԃ2Nhmގ|%$4!We;P"є١4:aP_mpT3aq P iրkkڤQnjy%HGN~fv[UTRH&߳CUӳ4 snΫZeG7A*7eɣޱnBM޶wYV ȵgzI&o9~g*NjGJħZ#L';ύ,s9Dݺ*"@P%=af,cxl^O}]6X˕mu]Tr`|tb%pkq"~I㷐t!Y"E|b/Ԕ~8kMvfe[HNHVwcr3N)ԪdZXvy/jaFKjɋ 楉SۻΖ{suJXδ-{޸*p=Ѣ K ~z>7ɫ- 4Imj+ 8dasn|w75۰t=-!f((i3%46.#*x TZeb{"ıfCRh t*Ko .8i2kUVM܆X WwIleL@g}WoTi)2Hu|'0h)l+D:tPt!l^0!Rbϯ`ؑG idnٛ#@QحYb!Xite-I|*̖|Ykjy gRX`Jc(IE)q4dCh\trM ?Oo(B5gËbH'UCd;a#P¶7ћf~xis|r)cRW7oO4KQ!ig'PCy, /];slgaZDTw.M<\ gҢVW Q2zڢګV\t1]eם벧#T~F"筣C6`m[iuW'U,~in(@Mf2D٪4h0i7+ $]&2j`0ܾ𚌔",^e =km-ZCk_ )Zd/>>1igdn㓇 c1-Y]TSp$~Cbz4tE:]c*!kT6?h.(FQTUP1=#ݹ*E{ތP!k<)]-}Dڰx }d'xȉ4:t~lè=֦1((T"a1ϡ[Jd-hr=i:O-Fm0Kp'pk& q0Ѫ9Xrm9^վ} @u3ө):L<|F,ӁTo藘֖p06 oo"0fƝo*i2|zڽAr4*7]H{`Dx!Hx-V]&bZOdu :)aѪXV,PLqDIX&_<7>H;_Uʟ HJMPnhy-`q ж3{=(L F%S%t ܝ?2s`꤮d@;Rԛ&&DxF#}X_)dɆO4mRS-Ґi*bh}&mry탧1:F 'GO#{{):#WitDSyNuU#8}`w7Ѫr0@(WBx%1Q2{sz@caqt٦ " \-5mߚ(м탵0+vt"HXz+2Y pPF#=ZO/yPJ<)Ǣ s@Ƌp^3^ɈTφRG:TnS:}tLjH,LSvQWԍ$X/}˴:Nv],?kړ_2~x#F+2Fގ*(V&IAVwڦwӾ^swyDW)ɖCє1c zC(q #nܭE^i;7n"4!HhCJ";+juoi˂ M%+&MԬ/vɇ5Hjͻ^0"QZ4zb̕?vƨg{0DO0\UXzzdh/8cЈAe* X<xG| K!.PBÐGXe nZ~t1/)PJ(Qe1a T1}W\ ͼH{ѯ[R LT uLԦ#/fIYr4c1x *T t0M'eH}#ڵ9.S ul6cDAM⏇j/omj'][4i_5#l`Tr!:":%;gֱw:{k!;ɋ/RJHئjaOIxTre6L$;`Y? 1_Mΰ 7XD] !lcGjqHBr$0 < A_k<;ic^jrq*9xONNAu{c&^ǫǸ~0Nrr_T Ji7l'2hԭ\Wgˡ2^Tӆ85/b\_E|c whSG$Xཋ/OP!Z$dIGO` u@xTsjK)&"XVOϲHS %qYw 4׻[_R)w6L?l+Ȥhd];87_ dF;v 0*sVfGk.fOv+偉Ha` `G9V鈖s Z+FS778lWfvfٳNm](Lh{u=@ o$OPrv~d]wGC^QQE*uܬ5|yiy쁻hP~B&lFDĄԘ1  Q,<]m%Q˽ɊBACyr(Aa D ,pY2Hck&3ov`a%Zj>V3cLm[5u]G]88dzež)Þؐ$V4\rGm"'Hf"92WhgGcKP_H<1و$qD*aQ',=oHEv«hdMHhӪ,JJA4=#zbQO72眨3|jG`.׀e\O6T6U--usˑB*:2;7Uy '9'7kϚ$icZ`yo|,6S+%9/ . l/b<`P6mo<_z"v{V'M4KDeu+ņ$G!"AyE.q AJtkɅ4ݢTa?!w,z֌o[Œmd(8 pa@'YEۻg$;v~ B(5J l$d__حX܃DQH U7xj4cD3 4M8|xy#_I9asZd۩dgw7:D- i^Je!d?Q{$*zB]+ Yh"3`̉Z_:J*{n2P<%LwX+gA#l ǽuC$hC% {1LB`ϐ\KGQFeme{g>[dn×8?kb[u9/#8: ЏdMI =9q$@QY0I:4N&b'Ht$=S.Iq=soS&g ǎFQ5{U$/4Dȋ2JO|AfF}d^`VHcb%L xH5#0+꘦S .b`YpΕGZDW?pPRB1g '0E]W6Xo0kU9aƷ7!ӓ[Xg4 Qgi۹ʮ5J_`r4G p{)vZg4h37vDZ, =!dvUD$GpWnk L+'هb* /vGX"4WAT] BBx)'r\lHYBzv*֭ǖz`³G 7~/'*Z=@2K]\IJ$Oho@6HrX`ƏtMvƏ(VךjDAmG!S雝;ZohC iM$b[;k /ta`IZ\R. `r#m U`OmyMy &D $v,m>X){m]^`re #Yb>⥢?5Ԏ_~eQf@s}4^R(mE *(?oſSoY*>o.Mj\F\J>m4 ];6]zq{%B_͵<4tf_X[ 'py: x20B=Ocd/d[ur{gPZz ~ۚ 1Dy RxE(ox&P/fk<&Oy{3;(l]^7ܵ'Դd$dD莞$0S+q\kW§>zr*s`mY3K"ڶKT MC{H cT', Tzf[(Z2>)d1}OZ*W~W0P}W1Sp$q+_bBZV冏l!R;ƕ ';?kB HRЯIne[c䛟:ec2쨦UVUBBQ,Bk]Ljy$[3ƠLvHkŒIځSM$fj`]^xsoi4QQM9'mзz?Vpmi  ptDq/hDPtAb0,H},LB-Uj^ә@Ad?O,9vsAad% qt@gq[D}aW\/:p$6<'S${šriV9,8ֽ@@ }ő~IE+bA*rlKm-M)՘75^> 1lT_1WD|1 1x.O+zkU _jh-4OmXvƓԇ۬9;鱃#ƇW2KvƼ>o8*Saԟ㎆iłպ.6@g}*-f˄0>4BLq$TE~UKҢ!'/+}۾IyjWOX>:4Ӏ&ºWfYMEHj)b'jb.[ td2#]F6ƚHϸ˃/oGFrG!?4T$-9}2T[[/ht{ϋS֢3m9nŚy. F#[+&S'*FV2ܹ֥2 + rǗCÀeTE'w_2IJDHU:༁6z ­#u7d;7N \NcS< sA3X L]-P @בZ:v I>c\ŤA &FNMu4uE]Z9ihouq&x:>ӽe'H\b/vbh/?? K+F?] ɫaNgf!8 hb䢛Ų[H\=fc5nqZ#ѩG'zD`pJE-l;v5˃Z-kExn}Df3@Ytz/F NU{~~!V qiKU]Et7+VccaD0Чo܌5Ig.p;kL3?~ :&,aKΉHrW=QId-2a3Tjnήox` +ja@1j37[r%i쿮(},e&˥8b.D?wAv>ḣr~m$ VGhFjQE#F(wY(&Ɖ@̚L*'hotGơQ/zЅ(7Dtu\Qڂbdx\T2i6&.#m|ũW:f,D yy-Ʊ,4%5-5h; n>`rJ SCJGrhV} H͋"RŚG$8V1Ria}N 1:vbuA GjK oߑi+å>b} qi.̛u){Xf(5s la8(6|D>74J]! /lyQ?@P<}#Q+=ދ}tW궭,oTo;#} >z9C%_P>ˆ7A?(&d.2s:Zq`uCMWWϒZ]E{p;sPYdz"i"?l݀@nkntOb6'.@|p} aV㓭cϯfXA⬅!iVT^4mC)/]Cbvb=1$fBF ~]Eh*rZ'ss޻.a)=)E u|SP;UqP7hYes.'(1S+VX8 8[9e8>v!?a9AP3`Ϊ\pRr|q Xػf '_^ bۤ]bMxvtM=Aq޿mنjnBQ$y4p " U:35 wV;]]a`#fL,":TzSf&j7mygp^dܐ[UJyl3rxCM}7Pp:'`R=VR&~%Z-t ٟQZO@_vN#/ q*vKܙX ]s/T-Exԛuz߁əMi2pWRP6:k[NOɓpH|4g=%r]횝i|(D#gp xAgV`~Pmi @̩l M2Y ƷɳA6~o)~RKp&T̨ι'"&0tƟEG9@^Ff`_ ;Lq&fM\.Ʈ'/|QaXҩ`|+:?S#"pM ]Ui]%Z򹡋(T v*t0쥥o f^⍡H 3tDދʗ9\7 j]GIyT[[#UFfGiWu>*ۭ jL8aG%WK3t1 Q/ V'q#'Y.lL=bq I󁒹iVݐE}&nŏR ni O ,xduu/-)=K+؜Z?Ib16x2Q ?Z/"UHtE} ċp(3r5p #$! ҙrEX_ׅy yd0xh^@z4g]IH5߹{"/;~!0u@] q}H8ٸZ0uGVT6+L1#}Y".)9 C C׌*wMsI#'ӱ1랿l/N5 ?;J׮ܟ;Y~_gP@þ^q%mow%Oy&ܧEZp/k&fJ| ]hpe&a:9j27ܟPInş'2CSE-Ww5v&bC6?ghNQ juM+h+XZFbld&TDхVMN?ha~f)/e ,嶿CV Fm a p.Cċ1x~GSVff0 Ap+0_DukLr!Q05h?'"O]Pj㢾˙udil)8Po2^Cf3 cLzrv߈wbVdpi;JԐYwh\ԃfwΜj-V&cK+Dyi@qğ@2 F ]|ӂbf 2ɇ#)!-]?C89& y:]RFwG,^TM'l>fq[-ȰkfOD 0Tpeao`_aV LcET?^nNbMGS0>E0:,S @F ۆ [^s&Vs[{ܶn?$ڴsu/'8%/)/j&{ zpf_ å#WOH۵9yy`M~"s!Х8Dwk}sYO!3']J832Sf!fI'v%Ѩ}˓xs379CiJɘ1<9a9ܱ:ș !BbPnJcIJ.=d24!?>v$1G9)i]^7v=-Uɺx_V̙gn!eR؉IZ7#jw.*E{ tν 3 8>gQI7Νݱ}- v"6 h^YԪ0L`? 2"u$o Gh`bP\`&=]8n1LaDHG"(Lp1ק PsT73_.rUkG5\,og]xD$KX~:ێ˵Ѭ,E #NKl N:=O4z3nݷSU;ZQQڜ|{pdH3pei ʺbtyΑ@g7Y#_(Z@tR㫜&Q)2-{Ar= 4]-^NCd>i<+C{ȅ{=jۮumLߔһ ,cxWO,8׻|8߰ݬEuY&N7F?<IDžlvnn:#eC] 7?J)n#A+:c'hejV(~jKk l=<2U:09WPN\oQڹ"e\~=MDImNc !zsuJR*_@&P%۱wOP g( ܻWGJBǝ~|rBԶ9Cf~ η~d߲˝8~^찉hm X~"Z, _]Z%ԙNੰ\>4;,l~>;^#]KEf]4bri_!M M2Wߐ'@eX&x30Fl(]΍$6 ~%StpH Po#3%*t'HۺK|T׮Uצ&7a/LDIO6წ{N7Tܥ(3Uω=uOîA|F{+Ĩ}T!H}ȝ[OIk80*! |dMd%ϭfM)uꔽm!o/4,D. }Od 0j4dfNn$R{F1g&4q#68ō['.I#7%ş:N{zN$rףq8e VuU&|E cǜX8F;=( ubY*_+]` +[zzkwkEmBT6Sb-&C2Yⶡ5>z"T%g+Nle%֝Po̲RRF~Zh|%slg#!|L8# 'Um2+s;Q8"jv;+*ORKӂU] e<> d(tY]sdu%SwS6Ocjles7yv =gjacOog%679X}_#cUL4Y+&f Z3e ~+ ]流<5]瀡K5i.ieCb^&ڕTt]XiHa͈ɏ0h`6EE|U<;77И, qZ.Q4hnEdA7J۾ ~PV- 0Rh<]/!fssƜ?Tr92]3"RղR?(W!ՏD=8[H[E]UЬ׮;jI̎feq Si11`K'S>4ȡ*Df*8X9[`RLE 1 @R`ЕE".r啾r&!g{|‡엸jIUBFGtc772L=WIO'|=$ BΊ܌|궇tei|9,#zԗeg1=ܨn  Wd?Yt,%mCfB5 )3l|}NcjFCF+Hz%ݐ2i:[ J A pݎR-\ ˥xXB>mxD3W?pL["- *:pm^yA|3^(~FW`1s) +>\=pk E7V)Ki%8e։uf Ob@O|.X fp{~sAq ) #Hw𼜐1Dh+P1#nW9C\BGn<gbԟ`?Fx E&˞~T>7|0ZUQ<'i6]Q0#m{Z:̬ VRTRBvɽ $CHO|aZ҃`ޭ"i#? yCYKߨdM_MVT|tO2V%PTd!?E2iC3[4I Z݂P*(XBEWs]r]FwRFKchĤ77lS`9υW)mܬmbB]R u /_&TYĉxe7>xѰǒ+ ŝFQl5E͸PuT8Vs?\E\狍{t rpquY3V.a~ l9jdXB~؀T޷_}$/S( H=eq&NsЂ]ILw g61q\4HEJWK*~0KA}+9\xx,\ U&y*+u',]3p0^%sj#~*qş, )H>X D !D}?K-BN ʱVjnmz6.M;+Bn{꘦+.Mn _y9&yCa-b<,a6ea IÇb)Vr0cj"<Ǟp$$srI" (e2_+16udzԅ{0DaaRkf)oy fq<yYuՠ: zYAb+T dKaN#DA)%v,mRaPtYU?(!I9 " h f/yj?'g6y) MAxࡾa=?V'"rs2:GD}2raL^@C/B /sabO@Q.)vY`ݤӲ>;OڢCd\BJlEv.ZX:%]WO2z84mL8n"Vׯ&tzҟ>'n)K p'H{%zmEO&!2G+;zܓ[mA[Ԇp@1?NXdI:YCHѮd0S9b51VJ_Fr\g0 _|GoP ŲAڳ1KhrI)=qh8_IA zVUu3/M_t́ N~p#f*sIS~=u-3,|?+ҍ*~ez k+`59*f:ЁL}ǍCԤz3cTy1@ECػ­VfJSNA>rk-[=UтS3_$!j6͹fK^1 h' W6NnWEM=Ѣ= * Ǹ4~2Õå*3&=$L !@v8$c%Zm_Ց)ҫ];BT8 agyh騙ٕZ˦­,^ fq|;k9$͢#o ]Ӹ0 =վ.2D{U ,9Q[%= !׿u 8հp)S9P1̗]Q٥7j4CǾp *c FCgFoZ-~X)n5$YnC1pvfC&JBpt=cWsxgh؄6T0Du2|pt/gG+0LY\4c8f/8"kTV˘;9NwO:6a g  wU策 @1|'gp^8;}1@&gפyj/A.}`)S1UI1"8!i[{Abk^R4ؐ!bG EtXjMZj긫DoD@ܡ :qBPۂt1匈=_W.y'J@и&D~s9Cmdɣo h8<̆Fghl^$2tC?fspqaч 49JܜiXzv3clO.g}AڝA_ӷmr8Qrs:IE~8oFޅYeUZMF3z-&CdlH|)[k傸X{*ZHkCBaΛ |ZUT[un589:0w+)QQ:]&cx;-Ge>gK8 ͟T?r;]i oIYi'm+-U8L w]D8c)KsHt)@@(`#O㭯e]~f:b׃kThڒO}yFz$ ő'l齜+^U-0)>A‡_\2v4]xK¿yF@2]J̈g{z"iy%)l9l;bVUApPXi" P:!LK/W*1)!٣r a`pwvQŠh@U$xE#w>[/%ٞwN9|;'54\B7Ѫfl0/rCvkFoX yYM`Nͤ&1cT2߳㳑:H ˳Nvk,Ji[TmNO]{gG1V`İAGNJ63[fMq` % Ɋr jپ^{siHtl2&-pd r..ْ &*>aXˣbCb ۺAlCcQwWQs; {U|VOwUhgRN)|1W&Pɇ9f!/B ,>%| M}Ase忳^}ngI *d9@hcGK 6xH@IB\d Os +?77!', i# H1ƒX1آMsP#Qcfh3|f22Aң=3\\4<*lj= L &>QN{pW|:TK[ 7M(VoO#I?f-d@n$p5$ƖXNL}&1H#O"8@Z%j2/3IS,OfS,5&楦x޻sd5% 0;WiUNDUbDR 1;vWآ$/ݮ^IԱPWbXlm'Egy{ê/*ymQƆѝfUm;(}# ڒQpl$5IVjΣ^HK,uZft_q(Qe 郁bGx)Xf|Zs"Y܅Yz'rý>_,!lceLNv6(d*{YMhce|7BpR:0V:Spq@lIӣ#g8٫@%3k)!`0"s{w#"3pw kѵe܏y ;L3H&$+T^R6ZZli%Q;O\jW@_VQ,PЪ\<%"q}'8t-^Iޭ:)Ud y4ܝˬМ"ն YZ