From 87891048c7dbeeb0643f688c8fe7c868f5246746 Mon Sep 17 00:00:00 2001
From: Tanja Roth
Date: Tue, 28 Jan 2020 11:34:31 +0100
Subject: [PATCH] YaST-related parts for 389-ds (#545)

- fixes bsc#1137657, bsc#1157688 and Fate#323362
- updated related chapters of the Security Guide:
  - chapter 4:
    * removed first section completely (related yast module for configuring
      authentication servers no longer exists)
    * adjusted chapter title: configuration of authentication *clients* only
  - chapter 5:
    * added section about setting up 389-ds with yast
    * moved related sections to new sect1
    * updated screenshots
    * add section about using CA certificates, move some info from
      Admin Credentials session here
    * disable YaST User Management for LDAP users for now
- adjusted related xrefs and profiling
- integrated feedback and lots of input by firstyear - many thanks!
---
 images/src/png/yast2-ldap-server.png   | Bin 0 -> 67797 bytes
 xml/security_auth.xml                  | 663 +------------------------
 xml/security_ldap.xml                  | 286 +++++++++--
 xml/security_ldap_kerberos_ad_yast.xml |   2 +-
 xml/yast2_gui.xml                      |   2 +-
 xml/yast2_userman.xml                  |   2 +-
 6 files changed, 238 insertions(+), 717 deletions(-)
 create mode 100644 images/src/png/yast2-ldap-server.png
diff --git a/images/src/png/yast2-ldap-server.png b/images/src/png/yast2-ldap-server.png new file mode 100644 index 0000000000000000000000000000000000000000..323fad112d3790a09f62019ff7f3cc8fd5cc9f89 GIT binary patch literal 67797
z0sWkVhEZu_;(Fm*EvF6yG7CjXrQ{#ZO??Ntp>p(_w@WVv?oDsvQ_38#CF&R~7XtQ} zkK@JZbR1jL$%qp*)6e6zqnYQ{oQ4MGYh`hY%zB%tUtP< z(w?2weowG&V>+_S)Ag;-EG%0ZVN;as?r@b=y3OTovfGLfp|N*#rMvKHKg+Qon2=mT z%H#^-^tsu7;o0R@pQNwxGG9|S#D)?7QoZ78v*1)NA5sgFot$xPeLi%nOl8mRvWTQ75G{(%^(m+ zBv71Xux$<|b{Mf*;qMQ{cV>4i>7T&5DNEdXe;>|+-#Cy!fdYT8(7WEWp5K4AP@w*; zNB^}K3@QD88-B*ZWRa6{7du$X6AX1({tiF-%cNx7a@*4kmfr1n3z;p?<}LBiHcAM3KK#A$R+Qh5_uGeizXlCeck2G32w9jiYM#L3|FIn&Qu^(v-!`4!d#W$f z9@H6Fh+wU;VWsEnZkm^WVcGd{@=H0{-Nxi{glV9VP^XK`R>vaG)V=bfEhyZ= zbL}d1Nng)zrYWV8p$nyO4&fi7_?my2ZVR7w&g@nn#vOvfx{zW<)^C&U$mRKW7OsXG zEDD=QI${w2d3Y7117n}0f4Afyv-)A(cXj(KwN}0vo5wOWT5>p{IN4yU?k;;gz%jv) zGp=Tw>frYI(+mf+YW-pFNzzo?oQcJ;11Rphv^{M$wsnJ*b1OZ#&yBg>NGnUBlvCa{ z`R{wWcv)>N0|SGtm6h-i=DLum`D= zbQSX@Q`JB0Ev+*{Y`vg7Q9@ar#;{p6_Vj1k{{S5 z#GA(S$C?)N5ih1+QB!Chg~u)D!+c0<@{y}9pGf(VFrzI9IZ-3k>16#Nc)p6dq{MWo z4uV*nd0P3tzAW)k$)96TXa_Os^wN|C1H_W|y!pT~Vcd&9|OC+ox6N z-b@#wtcKW$Tt^B2&CIVbYH%90gA{xdbasi;O)hX>5bD&5Ag`INUUt_ff6j)$Nhw4@ zN3#3vba6+4RVieA(pCD{+z>7Z&&&Sy3xeUh{=>r`0@8yQ$wwIYdRRT(J9gSedE(rL zYJ(|d&hFpLmZY)WuP?C9Z!$te*|e6X#5TO*uR}{rE0+Jj7RN4@`#5n?vjYv);V88@ zAMux$^fRa{Xhs;UUt5vV>oakg@0ugK?jK9c2Ka_+ew=cG!XEGE_rS)(h3)HEN;4dZ zc_}PS1ir$3ortZq3{$v0pa?*&EIhy941TkrNEy4@uZFC}h^&!;&0bu8QBgVu1~%~D zHX%XGToXJc?GFtP4`*g(nwy%wn+QYyS=J^GP1boPb1j;b;HZPf33F%lhW37F!O+ks zRx3SEZ+eqk68bt97=Dx7V13k`+iVBsQnDUo>#;tznadTyI!D)uK*R}dhO7T{(_arqfy}3v#TFL$`^p*?eU-a2}?qx zNYl0{ZtfL*d`P903s-0Pou6;w9@34S;XLgoju(Y$LG52~QkZ?mHm%tad=74=?Bh^j z=)>z$`f2JT&-QI0VLci|)#4Zk^cvx}I>|NhV2P}Ox>5)iXq>B2v=IW`-aElPta>2m zN8F>0bkFPQda^<`yzjD_03zyWzLaf3OxAUgr(Iw|bpwLVA}z4srB_Ibou9ASL@9Kn zZu&Q0IokpeP%QkT435VYbk%|lvKsoA_y57TlQ|WCr{0{fEsk~fDTN@@v|0_77 z%R?-elZ&bL|0r+CtzX_nudfgTTwSBclnnJht7MZp0EqNObHbBOnwopEaH0RKhpTw` z&s;=*<}p{AJ#k*xWJwFvabN`0xq&MbO)0JDy3%qA3VASq!a$uNdqS@o%to!Os2m+5t1@%Dzd-{esW2?FZ`8FU6cj!|5>@h~7F)X!@>7yI zJ@(4TWiRVQem#S9(Yl0|pE<+I$iJYL0K-)Jo6j~XE}jg9sP?E+`nD%b=2q!kc#w7T zfq(Dl3|3%82j0rY^7L}^oG+$*Q;2oM9~A#W0BqJ470;Wmj9M5lhW-~wOI+1x^n+JyIr>?Xmw`Po`2^=TZbwFd3Y*YF 
zo$(06r@t<2|BZ&Vbe*Uzu-wRNoei~X}{|jYqR2UISKJQ|Y&L5VvkkZqQ zJhPtepzhjqRwGnZ<)^3pw$^>ryR3Qt@`-pxIXgohJ66No|Daub9^EXJS?+$#d%?kz z1dnfKB+yC8TG&)NoM}~~)OrnMk<;~lWvYPGW*+gVWtTvH8S~no4)aZj`__Fj8%(R8 zSezZ56%`45vCd4YnK2d>y=m;qvdk&1x}VAK`S3T9F%AOk)!`Ue!=r9@k?P&>B1Ctw ztr^jWs!$rpaGJ=B+{!XOytsJox&o6plvCSpw$S3kGt)fP-&;PeSz{P?Uv|a=>?J9ct;kwi*zq zqWvL0e<%?dXSF_iQqL%lyu>W}mKg%Y7G@(#9T-;chwaY|PH$|*AGcOvcv_I+0ZJk0ff2@xPp5 zpHQ~U#CURGuSK)lnFp*BMn0&>!CbsKT=@s2NvXW4fZ;@a^LGpkwX{k4UM2IuOeat| zNU0H6>MM&wOpS*}K*ZmNWOyQu0S>0@P&MlA>-ZdQX5msu$>N$;^W=e|2Nl>n;FlL? z*;K9;ir{?|Khm}gKlHsYpi1dgfT4?QCt4XK5 z(I`ziP)L$VZU=)M(oZ4@dH%?Nz|JUd)Zjt!Oeb9{zA4&3*{krW-a z{0CnoO4_bAcb&}lVXz$C=Y9Cn^9|pjAE{wR5)H~G$&K4WmKYGs$qek!Icc7>%*>f= zF8B4hnbea)HKiJMI#lX-7Q|!zj*ps72p$js6nkJzdMDSA;bH3UOKwgG4Ocifu7=aO z112~bdx7E*5Qi^Mr|*Ar0SJpiz#_RGrd$|KKz;IEY!UUb) ze)%A}GTPyI8+q17wkWNG&3T0f!4NkTP)GM^J|+>8`^kF!ws>1(1b}1 zS2j?8BQ4TI+jZeGCa}a0ubBNl{X4ZF-x=(L4o;^RgQe#;H<%ykLudL;)R3z2h0_q7 z+2h|sA^fn1IBl+-R>}~rLFxoG#^sqVH}m^RfAT54<+Xq2@cHf?*U#}%$^Dw-5B-Fi z9{Mvu#M+HOr%AVBZo8aYFQu!5;a3iq_wCc-SZiimUw(0KjdnCch>`60@L(j)(yl4! zx=UMmI9_R6ufyY5RfW>zqWJ@qSe*Tnl$Ye&Do5f6qF)5xkZ5sf`vUOn}rH zk`BMzp{UJx$y!lGc|<$z0aC0X09!;^PozsM17vu_NNy`&^xWu7VPwp{(aTny-Pv(Q zfYr<%YWd;W&}vRUVAJ*-T4G`W#Q**j+C^r{<8-3C;H*(|uB+dlG|hBzZrx84x79$AU}dY_(HkRuaUQ>@Va_|#{L*aS5a#xA~d znyN=m2k#W$3jxqLL7f5Zqy{0#e8Qx^wB06bOT}{rK8!3-R8mEH<>*3&kOD@$b)rV3 z!O`QN{&CQR-Z-Bxa5cAy4*pQShOb(o%W5K-8^RfDRw1{i$#;cGS$=JNa_Yex*r9^H zPC;+17v1gUr=yBPTx$*X6^{VqN3PvveQoyM${mOp&Fw3-kdhG*Q!=X#{++r`_@ZrC zzXR-)hxF7Tti4Wrebxt8bh>{kVC>bG_t>I=IbFj&i0WW28(}*=JO3(|o#$SiuS(84 z8&-AdI7yN@AM*O|Wu0f(*~q%9`T2}TzQr0OMbOm!U<5NVa?Ci=R@bo32}mcjN=B2< zruIBgPektIqdQK#GcpG(ZfkLn>L-3Du*;j6`BLZY-sAp(S!C~YFO%c+A;_?hH+3w! zGs9TwYqwMz$6oMWBKMDP_JNwlV9?kMgsO%FeDFXt0k2~^gw3&>Bm9-};6=6;Bsf4f z7oDm0u`660lX^XmlzS&h5=(KwI4hSguIgeOQ3A0o2MqNm>?OD#qZ%X4`x|Z9l}Afr zaqnS3fmG6**X)ua*#BkC}RTW|Ya}yd7cc3=TjvIu$pKu!ZXEbg-Q3My_ui zSL2|1wf@l91run_(>X63hZzYFWy3MoP(XBUsK3Q)zBBPkK>-Z6xSO4|)pFuBSUM4! 
zqYXj3TWx-%V3t%j+-v*X)nXWXw`s0GM{9c0S9bgQMNFl@h(14mCGTVZw!zp`o0jr3 z*@GxUK zYIQ>6Sog?5tmJ8GwG?3=T1BuR7O{GFD3(!VUH0p{`iFzBMUQAH*rGK2{B*ZBEQB>UT;fb$?hg zA^E#ZPbOSEJFu0q+@7g_4XcRuGx%rUP<6kPz_wd4joRBs=(={TSZ!yI^r}0(p0kXZ z54dyrT4!XTzxaV$ck_z&=mjvE1_ZAEPhoEz6-U>63lD)H2>}u;xVyV+aCdiig1ZEF zg1fuh06_+KcbDMq?ss^e_x*kMyX&rX`3I)y={eo!Ow~SByK3|Jjv3{u-24BPLVFp1 zxz6pnUcS-p``!Q&fFRE>JzL{i7J!EY=-;l@2k-2zsxc1uLIY@bH*K*=Pui!~m!h3* z--gIQjq7Qf1c4Bac5-`9j=Fd(rTs#ZJYFntVaZ{cq3ZqYGk2^6?g==$C2T#*!;A57 zfZGb)uR}H`OH=HR&k=HxV1;QamGv8L4Am8;bT~jMkqfrg4oxH^0Cs;PBQYy<9LK~! z3VFLP%V*8Y5goPs^fYJIJg4RM`iw9N!g0#RO|N}dWQ-q@1|WA>|M0hu_b`jkLE<{O zj+#*l5@!D}d+xG)dDj7hK+*Bkr-AtgG5`?R7H5i3T?F}i?%GsTK}RN)hgJv`=I2y- zyNA7w=bR^-sN*R(H96iIpZlJoL?;}|B;8GAPjPmnQ(&L^Hqy}Osccfjy}_AmSs#g4 zNUqt!aeijfh7uY!RmHZjgb9o!=w~ODIbC_aewNs@Wfhpb%iLGxrX&A3Qw!SLtfh1% z282k|Zc&~}Hy9Xv57PfGZ9CD_7|HE@B<+wI5uoO=YUYlsAC)qBcNu^`5Xq&AG%+m> zK_=m#IBcKTY;OnOO&^gvcJncUzGR4I!`O4gf^cEF%+u~|dJ#5tX!rLxyM zNd|)fME9K}Mj@BG5zn7FUTQgN?S^xEA$au^pJ0Yjhll0#@197-c5<>Wx_y<5AS9K9 z*l_WB>ZbrWVxqPwEs;%}c!GCocVoH5aNtadlg1_P>W6U|_lWUKTci3>7RxhYQShY$7D2SvJ%6s*tT7UF&$qq(l})>ERp&ri7JQ3P!dkOkG)CKgkfx0u zMb?q-O2L+Du0yB=s2AI_OC^-{d|Vfhm7AEG8BVWrfmnOG!S_yyJpgjb!YIz0XnRW% zWv)4uL<4VD{#cqw=`%m7_U2pbWvq~ofwGF2G*;KfX6y2pVE-^R>HjMgAn;pPnDm;v=Kv1STarj<3s{62 zh~a6T?h%&yIgI;KfF4&^wVbC#z%_Y#8UeyVIGCJv&G#z;GMMFsn`GnaxG&lXyrD(X z=4t+(Y@tb^H))j?{GiU zA>6VV82~!!(;V3~Z1#R3JM^i5N$*Dv*Ft~dun_>s`NIJ`;Ylh^c=Zi}kTsiEZY@lmx(Vq|2bAU|LJ{g$PqrJY1Xn#01D zq624c7Yhd-m+Pzx#c?G=fG^sz*>8|(_Y7S?C)T!TQ!>26ydY><0VryTqC78wok0-44S-lxC1e4`XV`W{pX2YZN?DI?7 zeWydo?98=-Yh1wq3ih8A^IOdoY*ZYv`_otOkxNCf*d9CV_tc^H7uGbe zvS;AZKM6|=W#t4b)}os;vp#Ts(K|6W*B<-`N=i7~GrzqjH2*iMr!ZVXQuPFTxxK?7 z8eh}fB239Z>2MsisKc9k!=KN4FuYLm_o{!U(fXqoG*XBtIM;?A6~^>L%=$Z+l(lX<^a%fwz3kY;`VJLi7aEqW4mki4>kSIBMyrt zC|Re}>Sp}9KO1>_o(zexZJFH2kbqcKY!{>Xjs2sN$kfvuA~JYKMayQUak^uDv*VOO z*3Iw0ZCs4QdJPN3WBa2`NirGTR);tFucI9WqHh;@{!+wt?{Mn!j~VxHK0E8}T%Lq+ zGz4-Vj97jquk(h5C+{?=(e@0(FA*(xp(YqX!rBjo6nv4*u58g3b9rw8a9-ucyw)G& 
zrTZRuJY;pFsJ0jG!3`TYdp6?&2MW8=f}L?9+g|r8g5p@}d=aB?DijmEz2ANn4>wMy zF{eKVOJ!i2bp$=4%YL@x%e0K8EwU^g=?uBN%HyU@8DXVq!uFs7$xqj<2T=I86no{^ zF{{lck*Pn~QbGLG8-uLaq2Q>ql2>K_=V87Ptgi=4u<~)yQ<}LYx@UdlVwG|xsf|km zr!-0RrPr%}uq3`D9WSubjVQ&66ajwQDmFf8c#l{vu1b6Z_?G_x<&WpP9{3K>aG?hc zt>EG`Z#&n6>tm=yXDU*C@If(FgIplj&Z~)fhZp6N*}x{pBOPRwG~=wdH!Q8dPC9Aq^pUez-x%^kg?aKv;b7 zpR+!%m)q`7dr~V`BTPP-CDKfO`IQkzjnD1^(w8q_edH8{7J(~Pn~a@Q5JAtP;iI-r z%U4NOYJ`mp90tAKNW|H!JY6gGHoA3I$J5mFSB>aBXoTgjbj5EG=|kHfLyr^kpP0Bc zUaL@zcWEt=YjIjP52D3)s^~Wu&RUx+<|lL;kk@N`GAQ$N+1%cH12!=SBA`9%#kONI zmyZbH(f~091V>9be`m$9w#qLRcnHVr%0@hTw?UEmm1nHC7!R6)#>l;cFl|TqkZDh) z7P1R>?7Xid_)O5OhTtwrurFnvH-E9T9c^v5uQIXDp0Trq0Ir`ykt?h1e-i&2wb&h7q zw~t)RAMoe~uv@es~r!{EV|c>$ZLGuWSrKaS>HYb_^mr;)csc%06?Or2RuYw z*%YRnB38J+CA#)k=g-UHpFO$N03FV7;cCn?VQ>KJ(PX-nMC>qJqv^KON7VK8I?BrN z+l-twuykLY{wz@=SnMh|dD)XPf&JwA(aYkhk_N{HygPPTy%d#iR}!6fnQy2Z!>#uj zhjLN>09bmQi*Fh|hIe;%a8kxXV)Y2Y!UAY*>t-A~vOdm!$J&Y@4Kp+Y_h~aJ!BAgZ z`0Mmf>+{F?heHOX!J`1I0vX!GPqS<>$nd0f?wCpf2G>N1;Tel{EpN%tA5Hy69H-0^C9ay^tA*CIkT&4iPjf5fW-KjY7x>$z znf>49P;z|X#kmrp#rpJ6NGkDgIUC`igWR%dr;x{)AZ)K65P)!+UWLQj3!UAgXk6Mm zRU!yLzEb@R2X_##TT4KhVJV4Arm<3eeI-|fgcw%@$BQff3s-?_ z>JSuw!1#DUz~XM&s!z@3WIQpDHvG+cH+Cu}9A+Ih>!oZtM;u{lN4!xM75W%^+mucg zkU`e{5cHXzq@cGz5HlGHkdXFFuiZbZ5C`EWi>GI%?(sb#U7RZRY)z!$qF9phKocu5 zJwoPru{%^00PrmT6;T)?-g`=BZk(aa`^4Ct|8~(2aYIPcsWNL$Yt5>NjSt`#+%Ws6 zbvk{{2SCY`%>dL^cC{Vm&erqIfT}9%i5pBOfd3p@kkrjqo0UoHbPreMvTJ3JF5e3V zs7$6V(T5=2W*Rhej>R?Fa8(Y+xmluJj&k5P(;sN!@1ds5v&6}hYcZ6PqWFa?!R3I% zqh&9K-UG)$RJ^BheM!9OD*T&FIfn+UVH;--sfbJ#1z%ZJ#dXUv7n%?ZwU!axNB+Sf z2ddbtUY_~7+L^i|wz~DqjX0mg47M3XS&84MS%f=SOESo{2#9u>*3OjXnOObJPusL< z{ZWX9Js_)3P?V{kYe7YFvdPn!yjU5b*yci7BcTQ?uzXa?Fr z-bX@apftMgo^e)T-wjPVdZV^W{uVr$n?%z|9GZ`$gy84t@+^Vu!>{ zub3L#2d_|Pd?0SwgWk40liO)F)Wtd|x~?qrQ3{k9)87akN+@|Z{i~VSSKf>u<`@tvJWfh17whpR0NBX_} zuHe3O;G>2c!yy`}avX*J4V*y5elc*9QSfKM)z8vP1!WB3-c|%o*`HJfo_x#^5to=c zP3Q6;qGdRdrjT9j7+LGCQY7P2p3{9YHM$M_nAgCK%(`+@4{f!wl;-rf2WOfwcl>?g 
zFN;;~^PapZ?OLRycM47XEF-h+*6IA>xM0ofD>kZXyo#Kaxw*`ZVMf`MOqCj*A(Ocb zA```j;#i=i=o`BiTfM@x?Y7?0{i-OXpGnl+b92#IaQo z6=!S6mXDmpcCY}-v%^|D&G_9J+6rPm_x@wlX!w3QxU1=1CEM86{AJZjVd4IwU8Nzj z!!!*}C)mU7++LDY^My^s&?INu1=U&GVJSReaHT>ZMI)`Q&p9yxLE1#E1@b~!QFM&d zi^R<8N?zgXjK~2U#&xzZs&N9dYHI&u(7ae;AD-H!X5ty}Aj2``Mgube50%$F_^}I= zXPvezRc)xmjf0eLQl3p!cg@t0j4-p7i_ zeXy35yycnNPeq=$M12KROB^9!q z?9c)_&p%gt3FGiTn(r)@1AoBrZnwH-lIa0AcerCC_=-ln)+`N$^sMdk%rUbc>&HLd zIgc%q9dOxc=&F#E480){p@b3Zdbp4zcsWgOU&&Ch-Lk#jwL+y79#nZ|;|@2^ZwuTq zeiPUTe=2gJ@lNJ76izN;RHw5g0SkM(iMpL{4z{se0NFRrFGJ!!CPHMiAbd$A2rPK0 zQe?a;{Vo*uC9QJA+tG2E4#wa!3HIHR^=}WS)voT5C~dE&#yu1=E%t95d`TGaWy3GZd)uX(E|D69$<;2YMc5b8X}PyevFlS)0d!HKJ*Wsb-d0+TpD%yvZ6E`XOD)D60?v#j%KWn{(01&Q+i#sE*o=rqFYC@ z>Ug>rZ$IodcSQc8sc^on;pe>1c(>5o9%dOGW08r>>RMJT4pxIY-A!*aY!u}gwcIPx zFfGbGv_16^42iABL224pZkJ6kDrhrSi@XHZ8F-qz+@I;!a^#}~3s)~-Lr0H3VmTFo z^(d!`o``M}9Y5(VugA)IH{^LD#*XSETcO42)i%M?rU`p$3hrFE1_pkVkQiEUAiS

c(eR&?;#sL1EOq|eeodj{% zCE4`vE+ZWOuGz{}zi;@8zzx=SPY-t>&8*RB@cxZa_dL6b+)uae_6Y5m{=xkQu2xas zpV;m!Bv2ScX5PwKBuhUSS|O89qFwijO_uMNsQ&r+c(vWX zh8j-ETj_qgB?uCJeKp!UR=vPtJ!iec#+n%{4DP%C5_cs!w&I?wFv7;5>PiNEWU?gW zHk38Imu`fp&Y2euAv&Q)G&T4{Hqy3L@7b;AzzXoa@7<{8Kzt!mbt>T@lLWQ5x<1Ri z2*U)c$Bfb_E5h)SNQx?oNXTq*!;Uz}F^JQ3P!p&t$ovwAjLy zBg?k0RAXpln9!2Jb^1en=)ucF)0IA%e%?`L{_a>Pr)6r78qGStyb`xsFg#_O&iVD` z+#D^(@Mwu5zon5k+Si>cG1wp4k|T(ytr;3{bgggHXURQEj9JWDn!o zV&cTiIgCCcc|ijbyv!%l{e?63Dh~|1K4gcVR$@PtJ-1eLV+23ajbPpkd-7fMy35aG zn;|!{l66`Vb<^D_p8S@dPYbM!v#Y}eO~|sEwA$zvIu7*$aif{EKB!(Nn~^YfgX+E9 z)|%1TzX&p$x&4NsKV^CLXSa8@JRxo|N}yVMKHXT7#X0VDW%Q5RFOpifz#kkbI&8Kq zt|9?o(bBsAR;xqB_3Dc`sP&*XPm7R=?T7}>Qm0IOewBLvvl7 z!+stNf{i)|G2t<0E9~>W-6bk|W z|30zZFX7~c=RVp+q@2_9YB9|~e|6ePnNGGs%`tbO{Ar=O1XRw8t^3{kv7q{PqW)qZ z%V}Jv8^*Q8&8eEY9X&%u-HVXn?qHRe2G4~kk(kV4bj2%W={2uV8e>yJ_ls`rTT}Mq zw(DSmu8$Y(YT?u0PKe!gCknih6HGJFwH2V=RY}WWQ-MMA#g%4BKiW7~Y{BeC5rtx( zW6f?|ij^O&=l#*~sO-aXvxkup0_fV{XubNz zG12prYE1i@i&vV*rAZ~$j2LJ*uW{L&1dCy~OeF8ef_qskbub)mRZ8so1r*6{8XkX| z3|_{W3j(qwx9-Lf`JOu2T|F0)k>ZAuY$hnvPrtm!&N3avH|yPbyxYUM8^T9` zqrg<&pJ&7amn={W0HB?TiPe4elV!)-swNT$E@6;A3}?)f$(hDnX3j6|&u{XwR#O10 z2d}i+?2NBrf>T79CoenpF#^F8`d(T1$psMU#$V!3UrDB_^_mLM;?6Jcb+{=%WS)rYO7wb^4Zv?Zf>=g54-MgTGoOzw@V z|MH#Nd#VR1t<>@e4X5(JH~aFUiR;6(jDI)jT^%Jm7O&f3P?3U+c5v{^cCS~p@mi&5 zFSDl`8x+0~wfi{6X{nS%ijz8hpLV2K!z>F^Cnw3xPurua7zZj=MWxkC-QLw9mOF>J z0MeG}pva2OQ>DvI@o)O3<{j48XI+I)56z$F<~%x{1?H?O_j;6L(vnzx<{nUo=a>eM&*FJT>~=m^M!t8V~eICJtl2j%4H0=bQ=24k?&tI|RD z{pns<3+^&t^yqk1FTcfqFkJ`3#A7=4**TFEQ0^o&NQ59{>O4CS4TyUA^Dxb2skHtx zXVVgN6fJ80!^*l~|4#O_5X13%$v8@(76-N^!{5eC9SLIJdWNl?kl9AXN6p0#fZ^h| zRt}K#LdDNiX)?WCw3FpMI;|CMOVyf)9990GcldOldpUhZ6+a?IWs<`u*8|%#m>~dB zrvQFXv)z88Le+pA9uBl`MWEyDORxMmbW_7efFQ_nA@{2@OSk%$0Mgd{qGRSbv|;+nb#*bjN0RJDkL! 
z8^2~sxVu|S5vvN%FU%xE0F-pDvrJ2ygAh-Q#y$Y3b~YEx=MC&V{ptsns*RS6AOq&JzL(fsal01P-`9aO11U7*rdi5DGQs2QxXT+nS^iX3Y3 zI3Ce#`PJ6v)E{tYYtww+Io4eTBDKZc>>~rDThI0?qT&8Y-Q^j8KRm(5cSG!GIOZ&` zs)C05o2`O<<=U>kzi%@~4XEBU5upi{@m$x|Rh;$uJFxV?F|a2@6CycwWK*nPoW~#g z;fo=1+<4^=5?3@ET*i4^vR$V+6&mqSNe0U^<=elLb?K+j8p`H&(TkaiBZorY{HC)D z5+Hq*`g4eWq%JT+sj9E@`^z%MJ4s1Ne+TgIKmz7nF8%1o4~Ku2M94aMtX}g9A3_Bo zoLKb$vPabq*i?kbP#xzK+)JBkwZbX8ICj zP5W2G*lzI3`mMwvk0? z+3AI3im?b#oZ@J)g;ekn}DI^b-tMVuK@bZ+R#2afEh50jXuczvk1DyIYz!; zRA?wg8EdYk`Vs`dw=mF}2;?x#WzU=S773Q4oM^{V>;!6ORXc5<4|!dBTMb;Yv-_-UJwERD&MDiWR&~b%cBHQXl zg?Y!urX;8;DZyFyMn)J**fSwh)}2Y8)t^m6Gg?qR9%n10TwOobFC%VE>zM4JCx#`L z#s-}g8V(Fm#rRQvl~x6bi$h8JyrdE!_!-e-B06;ywe0d1Il0qd?G$!F0ST({Tek9{lK^n2n5byr zw-Q{h<7emYszVtNYHBKek&bwZdu3Z8OjU2&sebv>;Y9`aJn!w$`Gy_xDusG`&7|L5 zmA!=J={&KRx|5eO1%hl){$;p?x!IqzDYwzyv_tY8=c%2sWG8i=nUN0eVLCy#f%E_{u&D)E-hEKw=M+w?VQE?nV3cTrOj}F0J z-QDUy>`X{{)o-+9G-fVueM&L=t?13`O=kQ%PV%H&NI3yz;wCCi3N6?u6;X}8th+y4 z4~|tgG=Qz5h8kF1>sNTR`d2Ec?OzqK3f2-stiaE{zg%6vrwG!LmB?h5nnhjB_m2ao0PV?P$)%32noU*0m27+75#&z`n`Ug7Vif; z(YOZ62oqMqobCOy*Q2@pnM@>?AIB_1hoGz_NxOm}yj9CwlKi~2rioXkyjq_j{wLl>_wG_o3w zj++)+^&2~HdrDZeedx!5oRod$=`zf>Mh26Ws+HxoGn2!rwIbqgaKe(ry6zWj1coO& zRQ1m?f;sM|k!)iGW0XSSbAp$<&qL}yL$^45W|w-xC4NU#CR)#_8lL8C&qJp(WnPNN z)D}p!EEzAau1S+4PRhBmW zCqwaCmsul<%Sj&}RQBU8vcr%b$JlQk9C%?#;{@pQ-K-R52Q<|0|0=_+&+pb+_uFji2;7IRZkQ|gQ$OhVtqPR?vBN4xrQh8{~eq7$o&0>SeaQ# z7+roVnk$881Ot@ld{?R)3s3a1Wswe>qFf~2MRApf{kM|*oMCD)&xX9hF03{siW|y1d~c4ti$kbXPKkx-yj2FPJR|ew72R-)O3{zHXazlKH;kzZ4W1 zeN#AuevJJgJ1x$+P8lZRU~cDI6Jt zcbdj+{Vl1#$m1bRtQr%i?=`*7tg|rTNvSKCb0`jg?a+?Py63&_*1_PJ9LHD}_@$); zLoQJEHc(W=GFpp!N%~$lP5kQRhC*LkN006f-U_$iAq|(}r3NL*#|7xYsf=MmjKe+2)e_FzJcojO0jko$a z!MbTD=G5}GaKA;)P5$dumEG#H+F>cV zn84yP+1{HJ^KsjPOyb{Un1E(&%{qNZTQRVPX(J&UOWf8{y|iI86hVFkXh~w%c9nM4 z<`sAtyu)<8boZIP-C!EiO+Z$aCzG6yNZD$3RC13iv7V8Ofwcj6`)5>vp=Oqnn}P4L zCddPei3XJ;D*yiGg{j}(3R;#4tanuNWyz`W=_<)OEgl9&ow6%f)f}kI<|2Kkqb)o3 z;?*lN$Zt!;K|Ul!&9Fb!889nmF+E|59o~j+X*IfIp>Z$>+}5Kp#X~Bu*}scyQTJML 
zDxh>wxKiT0FWFCKl-1?*Rv!G(#CUaDLxswcRP@chv{}I|`jpo(-)NCCQ6%hk^)WU0 zM7uGDBRj5uG4I-XlZ)g{X0G04|C^Q*59H(dL0lty17pE~{8L_8_5%!8%#sd)jt`if zFIZTdmQi~?I|?c76PPn&azD~(YkH#n+Ok_(V&e3BXe|XSph7epAn4ZGtsfyP=A?O{bwl^djYg`#kqxdw zQ^Awc39i)?LC?YQt+J)MKUeBtVv!DaCLyU+>GGcl?2NRS)K>`!RaNycJuJ6-bG$_- z@toyPM~Rt11P_?dlnJUbS+()W)t|nN;YogtW7Vx;F-lwi(%#HP64FPupcX7h&gI%- z6RzbUS2M35X`Y*M3Jm;_ksmfcpiW2FH7`9J0f*qoppuXag=asdh=EJgqQ<;7UdB8% zTxLcQio4R3F`#HVn3i1ZMbTs^C=BbhF0Z>(+TT&zf@nay=5?cjUtwvr!A+VQo)p6j z(IIz4@0K#NsF);U!;$%;1arCJWOJp*7q+wR{93u?=UPLB_K7;VV9w}%!4*(etMv~J zVV%O*z!J%Tpip;XyG9^o+sp9gGG1Q%ZASvvlf|FwFJIR^ex9w2CY=R@xs$S<6jgq9 zoYnW?#oS~w=CC{7pY3cC~UKJ-=4RJYv0ki}JN}jc9M@WYNRy#kw-8 z!t%)`O0>>0Do_T}^m_SXd5q+a`9&lMgPao6F$H6g&x`QzytF$I-U)fnd9?>mmK2iS z@k60B)$7SbChGh{-)&{a2Wf=R_IR%q5n(AlyZz^bFKl97Fyp@basHcy!CGJZivmFz zH3nN6IQ0+OSgRrM9{}tkQI(AS3SK|}YC}qs4Au7bb-!boSE~=6@BQoMgjD%L^n7|+U$B!>mPMwDWXV({@J}aV z|171<@+uUSSX*(Ky(&By7F9lDs+XFbZZr9qXXkymIFYR)Gs=J&{SLZ|MoydihPhj* zld){tugWH{8im}o_R>ISPcojXy5K0?-CPk5ZbVz*_?#H-5Ahk`YrTC;@Mfxn)!3(V zp;T3HfB|&Yo$B&BH1wOi&T5P2zTBJjN~;vZ;%q!y*-*ae{hgn9m%YZ2=1k{4?IbT` z%fw3WWVOPgZj6hIM&sjv+TXetVdtma&sNozZ*ll{c5!cXr%D6I`Ko0@)ul*Ux_a_p zVEF-<0D33~nVyKbBCnclp|5T~(WlSm?SxVaKGU`3I|kSvNi``iE^4S6MFV?bLGqJr>z`;+MNC<}Oi38~WEA$SB3Qk0W=|NW;(}hTa71{au#B6Mu_(*yb;G&pkaC5%iSL@DgrVNe}{pubPck1sI#`RN{ElI zdDj(di;Rt}t*^IMP%v;3>^+kED!49*k3>#MsgLu1byG1^*rBpFymt@iA&(-Abbl%V z9?W_mK5SU-`v^7K9Xbi$pO1Gk_`UBpLaOvWTCnWjf5tCW3|1JUY`)&*W_meL4cnhf zPR*~)FBZaojj6kz6mqkBDtbzZV4dh zp-h=t=s<_Mzm0ufiZe%iqH4~|afGjSb@w^u+UJxO-62uD{&QMXFMlM|`-_}3F{pMH zO#2Q)vX0lzaF!fSo2*8_yrFA2-WoiDnW18~@lzA^2lbM;w{3Ocx4|cmV7z2%c9(OL zc6#}f0bghSo{X{7C9wXnZ|-5%7PZ3S0x3^fSbd={EZWN9Bh5+b+8Y?Qz|6bUv%J}#Z*Cp9FT1fF8n-bKe*mN-D+vkco03+Jk8l{B*}4x6B_rqm_MjH zD}ds^+*qtpj(d7w{{tPZ=6-Mf>pNh-7Ry13lbX-jy?dt3x`G>R?OyKg6QtcrD(kD{ z?TIdLTT+t0<-9zV3~_=SpkwB&#p$i}l$8>@uLu$Oa*5>v1t3Nu?NuoxN77a3k0kg$ z{e0xvD*3!^GLIZ-_N8yywN6tbpMgi!51&Pw50Kp0x}M-U6%KeA4OUw#!zLa4gRCMb 
z3Ly4}ws{O&sJ%-Uz2=q@^04`iaVAdo;?xZUM_ne@LZV8?9Avpe+v{q=Y1M7f9M^V8 zKwY>NU$lT*e=`RL1sYO6VSm_Qw-;JTs#;LnGsha7m*K>C?4EQGc=28dt-7)Q6&tugmk&KRw!;miKuEm1na; zH8^d&QfNSORacMi4n@mm|6cRrqDW3)MY)1P%EXTt?E3IX_INAK#o&@T{&Mps`U zwmQK}Y`(MZ8N575+#Z-qdpy$JPEd25P)xR z=Mr^)<-7z-C7DQmayuB`QM0BYbTP_Pw)tqaj&VpM31G)k;j!2BVsQ#d0W;#Rm;QKo z>8|#9$TW>PB#j;yiGBdO%$K;Y*=>cI@)U8{r_!n3?wq8>`R%?L^maCYR{`Dz-U)2Z zoX`&Oie%j-@Rgl#;I~TrmP(N_CEtTS_xkFbuksa@v?!j-#%Ry{H}TzRssih!bM-T zp&_ckS+X5<346x+;XcNTlf4+%Lz(99LgtM!Mvf<^B_axo<~1B8lFJw3@66YnNiR_y zyTEFbn1pR(4CzX4|KbeB`I!=$x0|b^htah+A=N^hRKAne>8YkwN4q}&f`G#gnXd#h zVIiB_!7d5QvQxG|+ZeHcZ#8O{6!i@1*wAT%_+~Z53WR7rk01R9O(5bX)xPH+jrsjm zhhMTQ@)DG~_SYmcd5}>~_WT=-L2E^;J7hdq(*0x9f{edbz0%D@od%mb*<$f z=jYRQ8t(LJ0$lb2ws}dr`b)^N=d&FHxE)YYEJl)g zNvWcwX2!UMV+?TV240NQ?PX*(?#vy!WdIofPh*Lg7u#pFr zNN$$16O-|WiBC&~5+$m1BJ~B^9GFpP5>F$5 zFkN)}!E=)jrG7!7(3W$;jM<|ou+oPsfMt}V%g)>b56Ir^o2q_TDbbD?R83+P*@j=4 z8;uuN1xd=dYOAEC62-$#WpTUb6PFnpcSS7I*V+oD%HF%a_}%Y=Q)5B3DRng;ep&y= zcWR)Pn1H3%CgwCMN@9M1Ic@c1i(HL(8f?Ze-K9VFgiV8;7{L1P9WEKQckx3F+QGX~ z3oh$9ubGs@0HjNuIA>aQG+xUA^Jxf4w$x;9pWj9oc4*%cYgyfH&WCVh8GD;6 zfB7T6F-}B$>|p%7>Mo;yXWKs)se6%Xe7HMrm|q;)DEn37boKG@v~88IL#LS(kFma` zlG|xNdL7{eb~#z_papn#spuh2v~F}+Pm_LPJYy^d_ykbfUj>Vs!$(I) zJ1Ox4+C;6ar1bRY0W|aa1r`i;e@{nPSMZprnu#r_ zFHpd+rR+2M7$+wuWYjxCi5?i}EQ*)6xP-KQ`U(mO|FB*_>S_uGD=%gG;Jr;fno1Yz zo1dTHBAzP)$*}uKf|`N^TGc#QuoVnl2xdM6h{;h7zvO^Eb#4yUz9xE=bOVbP7od;? 
 - Setting Up Authentication Servers and Clients Using &yast; + Setting Up Authentication Clients Using &yast; Whereas Kerberos is used for authentication, LDAP is used for authorization - and identification.
Both can work together. The Authentication Server you can - set up with &yast; is based on LDAP and optionally Kerberos. On - &productname;, you can configure it with a &yast; wizard. - - - - For more information about LDAP, see + and identification. Both can work together. For more information about LDAP, see , and about Kerberos, see . - - - - - - Configuring an Authentication Server - - - For information about configuring an Authentication Server, see the &sls; - Security Guide, chapter Setting Up - Authentication Servers and Clients Using &yast;. It is available - from . - - - - - - Configuring an Authentication Server with &yast; - - - - - Initial Configuration of an Authentication Server - - To set up an authentication server for user account data, make sure the - yast2-auth-server, - 389-ds, - krb5-server, and - krb5-client packages are installed; &yast; will - remind you and install them if one of these packages is missing. For - Kerberos support, the krb5-plugin-kdb-ldap - package is required. - - - The first part of the Authentication Server configuration with &yast; is - setting up an LDAP server, then you can enable Kerberos. - - - Authentication Server Configuration with &yast; - - - Start &yast; as &rootuser; and select Network - Services Authentication Server - to invoke the configuration wizard. - - - - - Configure the Global Settings of your LDAP server - (you can change these settings later)—see - : - -

- &yast; Authentication Server Configuration - - - - - - - - -
- - - - Set LDAP to be started. - - - - - If the LDAP server should announce its services via SLP, check - Register at an SLP Daemon. - - - - - Configure Firewall Settings. - - - - - Click Next. - - - - - - - Select the server type: Stand-alone server, - Master server in a replication setup, or - Replica (slave) server. - - - - - Select security options (TLS Settings). - - - It is strongly recommended to Enable TLS. For more - information, see , - . - - - Authentication Without Encryption - - When using authentication without enabling transport encryption - using TLS, the password will be transmitted in the clear. - - - - Also consider using LDAP over SSL with certificates. - - - - - Confirm Basic Database Settings with entering an - LDAP Administrator Password and then clicking - Next—see - . - -
- &yast; LDAP Server—New Database - - - - - - - - -
-
- - - In the Kerberos Authentication dialog, decide - whether to enable Kerberos authentication or not (you can change these - settings later)—see - . - -
- &yast; Kerberos Authentication - - - - - - - - -
-
- - - Choose whether Kerberos support is needed or not. If you enable it, - also specify your Realm. Then confirm with - Next. - - - - - The Advanced Configuration allows you to specify - various aspects such as Maximum ticket life time - or ports to use. - - - - - - - Finally, check the Authentication Server Configuration - Summary and click Finish to exit the - configuration wizard. - - - - - - - - - Editing an Authentication Server Configuration with &yast; - - For changes or additional configuration start the Authentication Server - module again and in the left pane expand Global - Settings to make subentries visible—see - : - -
- &yast; Editing Authentication Server Configuration - - - - - - - - -
- - Editing Authentication Server Configuration - - - With Log Level Settings, configure the degree of - logging activity (verbosity) of the LDAP server. From the predefined - list, select or deselect logging options according to your needs. The - more options are enabled, the larger your log files grow. - - - - - Configure which connection types the server should offer under - Allow/Disallow Features. Choose from: - - - - LDAPv2 Bind Requests - - - This option enables connection requests (bind requests) from - clients using the previous version of the protocol (LDAPv2). - - - - - Anonymous Bind When Credentials Not Empty - - - Normally, the LDAP server denies any authentication attempts with - empty credentials, that is, a distinguished name (DN) or a password. - However, enabling this option - makes it possible to connect with a password and no DN to establish - an anonymous connection. - - - - - Unauthenticated Bind When DN Not Empty - - - Enabling this option makes it possible to connect without - authentication (anonymously) using a distinguished name (DN) but no - password. - - - - - Unauthenticated Update Options to Process - - - Enabling this option allows non-authenticated (anonymous) update - operations. Access is restricted according to ACLs and other rules. - - - - - - - - Allow/Disallow Features also lets you configure the - server flags. Choose from: - - - - Disable Acceptance of Anonymous Bind Requests - - - The server will no longer accept anonymous bind requests. Note, - that this does not generally prohibit anonymous directory access. - - - - - Disable Simple Bind Authentication - - - Completely disable Simple Bind authentication. - - - - - Disable Forcing Session to Anonymous Status upon StartTLS Operation Receipt - - - The server will no longer force an authenticated connection back to - the anonymous state when receiving the StartTLS operation. 
- - - - - Disallow the StartTLS Operation if Authenticated - - - The server will disallow the StartTLS operation on already - authenticated connections. - - - - - - - - To configure secure communication between client and server, proceed - with TLS Settings: - - - - - Activate Enable TLS to enable TLS and SSL - encryption of the client/server communication. - - - - - Either Import Certificate by specifying the exact - path to its location or enable the Use Common Server - Certificate. - - - - - - - - - - Add Schema files to be included in the server's configuration by - selecting Schema Files in the left part of the - dialog. The default selection of schema files applies to the server - providing a source of &yast; user account data. - - - &yast; allows to add traditional Schema files (usually with a name - ending in .schema) or LDIF files containing Schema - definitions in OpenLDAP's LDIF Schema format. - -
- &yast; Authentication Server Database Configuration - - - - - - - - -
- - To configure the databases managed by your LDAP server, proceed as - follows: - - - - - Select the Databases item in the left part of the - dialog. - - - - - Click Add Database to add a new database. - - - - - Specify the requested data: - - - - Base DN - - - - Enter the base DN (distinguished name) of your LDAP server. - - - - - Administrator DN - - - - Enter the DN of the administrator in charge of the server. If you - check Append Base DN, only provide the - cn of the administrator and the system fills in - the rest automatically. - - - - - LDAP Administrator Password - - - Enter the password for the database administrator. - - - - - Use This Database as the Default for OpenLDAP Clients - - - For convenience, check this option if wanted. - - - - - - - - In the next dialog, configure replication settings. - - - - - - In the next dialog, enable enforcement of password policies to provide - extra security to your LDAP server: - - - - - Check Enable Password Policies to be able to - specify a password policy. - - - - - Activate Hash Clear Text Passwords to have clear - text passwords be hashed before they are written to the database - whenever they are added or modified. - - - - - Disclose "Account Locked" Status provides a - relevant error message for bind requests to locked accounts. - - - Locked Accounts in Security Sensitive Environments - - Do not use the Disclose "Account Locked" Status - option if your environment is sensitive to security issues, because - the Locked Account error message provides - security-sensitive information that can be exploited by a potential - attacker. - - - - - - Enter the DN of the default policy object. To use a DN other than - the one suggested by &yast;, enter your choice. Otherwise, accept - the default settings. - - - - - - - Complete the database configuration by clicking - Finish. - - - - - If you have not opted for password policies, your server is ready to run - at this point. 
If you have chosen to enable password policies, proceed - with the configuration of the password policy in detail. If you have - chosen a password policy object that does not yet exist, &yast; creates - one: - - - - - Enter the LDAP server password. In the navigation tree below - Databases expand your database object and activate - the Password Policy Configuration item. - - - - - Make sure Enable Password Policies is activated. - Then click Edit Policy. - - - - - Configure the password change policies: - - - - - Determine the number of passwords stored in the password history. - Saved passwords may not be reused by the user. - - - - - Determine if users can change their passwords and if - they will need to change their passwords after a reset by the - administrator. Require the old password for password changes - (optional). - - - - - Determine whether and to what extent passwords should be subject to - quality checking. Set the minimum password length that must be met - before a password is valid. If you select Accept - Uncheckable Passwords, users are allowed to use encrypted - passwords, even though the quality checks cannot be performed. If - you opt for Only Accept Checked Passwords only - those passwords that pass the quality tests are accepted as valid. - - - - - - - Configure the password time-limit policies: - - - - - Determine the minimum password time-limit (the time that needs to - pass between two valid password changes) and the maximum password - time limit. - - - - - Determine the time between a password expiration warning and the - actual password expiration. - - - - - Set the number of postponement uses of an expired password before - the password expires permanently. - - - - - - - Configure the lockout policies: - - - - - Enable password locking. - - - - - Determine the number of bind failures that trigger a password lock. - - - - - Determine the duration of the password lock. 
- - - - - Determine the length of time that password failures are kept in the - cache before they are purged. - - - - - - - Apply your password policy settings with OK. - - - - - To edit a previously created database, select its base DN in the tree to - the left. In the right part of the window, &yast; displays a dialog - similar to the one used for the creation of a new database (with the - main difference that the base DN entry is grayed out and cannot be - changed). - - - After leaving the Authentication Server configuration by selecting - Finish, you are ready to go with a basic working - configuration for your Authentication Server. To fine-tune this setup, - use OpenLDAP's dynamic configuration back-end. - - - - The OpenLDAP's dynamic configuration back-end stores the configuration - in an LDAP database. That database consists of a set of - .ldif files in - /etc/openldap/slapd.d. There is no need to access - these files directly. To access the settings you can either use the - &yast; Authentication Server module (the - yast2-auth-server package) or an LDAP client - such as ldapmodify or ldapsearch. - For more information on the dynamic configuration of OpenLDAP, see the - OpenLDAP Administration Guide. - -
- - - Editing LDAP Users and Groups - - For editing LDAP users and groups with &yast;, see - . - - - - Configuring an Authentication Client with &yast; @@ -733,12 +81,5 @@ sssd.service - System Security Services Daemon &prompt.sudo;rm -f /var/lib/sss/db/* &prompt.sudo;systemctl start sssd - - - For More Information - - For more information, see . - - diff --git a/xml/security_ldap.xml b/xml/security_ldap.xml index bddbb86979..7a2a98f7f6 100644 --- a/xml/security_ldap.xml +++ b/xml/security_ldap.xml @@ -307,32 +307,13 @@ objectclass (2.16.840.1.113730.3.2.333 NAME 'nsPerson' (as described in ) or create a + very basic setup with &yast; (as described in + ). - - - - - - - - - - - - - - - - - - - - - - @@ -341,12 +322,18 @@ objectclass (2.16.840.1.113730.3.2.333 NAME 'nsPerson' + + + + + + 
@@ -499,6 +486,85 @@ instance 'Localhost' is running + + Using CA Certificates for TSL + + You can manage the CA certificates for &ds389; with the following command + line tools: certutil, openssl, and + pk12util. + + + For testing purposes, you can create a self-signed certificate with + dscreate. Find the certificate at + /etc/dirsrv/slapd-localhost/ca.crt. For remote administration, + copy the certificate to a readable location. For production environments, + contact a CA authority of your organization's choice and request a server + certificate, a client certificate, and a root certificate. + + + Make sure to meet the following requirements before executing the procedure below: + + + + + You have a server certificate and a private key to use for the TSL connection. + + + + + You have set up an NSS (Network Security Services) database (for example, + with the certutil command). + + + + + + + Before you can import an existing private key and certificate into the NSS + (Network Security Services) database, you need to create a bundle of the + private key and the server certificate. This results in a *.p12 + file. + + + <filename>*.p12</filename> File and Friendly Name + + When creating the PKCS12 bundle, you must encode a friendly name + in the *.p12 file. + + + Make sure to use Server-Cert as friendly name. Otherwise + the TLS connection will fail, because the &ds389; searches for this exact string. + + + As soon as you have imported the *.p12 file in the NSS + database, the friendly name cannot be changed any more. + + + + + To create the PKCS12 bundle with the required friendly name: + + &prompt.root;openssl pkcs12 -export -in SERVER.crt \ + -inkey SERVER.key -out SERVER.p12 \ + -name Server-Cert + + Replace SERVER.crt with the server certificate + and SERVER.key with the private key to be bundled. + With , specify the name of the *.p12 + file. Use to set the friendly name to use, + Server-Cert. 
+ + + + + After you have created the required SERVER.p12 file, + import the file into your NSS database: + + pk12util -i SERVER.p12 -d PATH_TO_NSS_DB + + + + Configuring Admin Credentials for Remote/Local Access @@ -517,7 +583,7 @@ instance 'Localhost' is running uri = ldaps://localhost basedn = dc=example,dc=com binddn = cn=Directory Manager -tls_cacertdir = /etc/dirsrv/slapd-localhost/ +tls_cacertdir = PATH_TO_CERTDIR @@ -527,19 +593,8 @@ tls_cacertdir = /etc/dirsrv/slapd-localhost/ - For test purposes, you can use dscreate to generate - a self-signed certificate which you can trust. Find the certificate at - /etc/dirsrv/slapd-localhost/ca.crt. Copy it to a - readable location or to the client machine from which you use the - ds* commands. - - - For production environments, contact the CA authority of your organization's - choice to receive a server, a client and a root certificate. - taroth 2020-01-17: @firstyear: after receiving them, where to put - them? how to adjust the example above for a production environment? and - last but not least: is there more to add on how to create a request for - and how to use a certificate from a trusted CA? + Path to the certificate at a readable location or on the client machine from + which you use the ds* commands. 
@@ -564,12 +619,12 @@ binddn = cn=Directory Manager When using ldapi on the server where the &ds389; instance is running, your UID/GID will be - detected. If it is 0/0 (which means you are logged + detected. If it is 0/0 (which means you are logged in as &rootuser; user), the ldapi binds the local &rootuser; as the directory server root dn (cn=Directory Manager) of the instance. This allows local administration of the server, but also allows you to set a machine-generated password for cn=Directory - Manager) that no human knows. Whoever has administrator rights + Manager that no human knows. Whoever has administrator rights on the server hosting the &ds389; instance, can access the instance as cn=Directory Manager. 
@@ -782,9 +837,131 @@ systemctl start sssd - + + + + Setting Up a &ds389; with &yast; + + You can use &yast; to quickly create a very basic setup of the &ds389;. + + + Creating an &ds389; Instance with &yast; + + + + In &yast;, click + Network Services + Create New Directory Server + . Alternatively, start the module from command line with + yast2 ldap-server. + + + In the window that opens, you need to fill in all mandatory text fields. + + + + + Enter the Fully qualified domain name of the &ds389;. + It must be resolvable from the host. + + + + + In Directory server instance name, enter a local name for + the LDAP server instance. + + Instance Name + + The instance name cannot be changed after the instance + has been created. If you plan for only one LDAP server, use the default + instance name localhost. However, if you plan to host + multiple LDAP servers, use meaningful names for the individual instances. + + + + + + In Directory suffix, enter the base domain name of the LDAP + tree. It is your domain name split by component. For example, + example.com becomes dc=example,dc=com. + + + + + In the mandatory security options, enter the password for the directory manager + (LDAP's root/admin account) and repeat the password in the next step. The + password must be at least 8 characters long. + + + + + To run &ds389; with a CA certificate, specify both of the following options: + + + + + Enter the path to the Server TLS certificate authority in PEM + format, with which the server certificates have been signed. + taroth 2020-01-22: string may be simplified in the future, see + https://github.com/yast/yast-auth-server/issues/55 + + + + + Enter the path to the Server TLS certificate and key in PKCS12 + format with friendly name "Server-Cert". The + *.p12 file contains the server's private key and + certificate. These must have been signed by the CA in PEM format that you + have specified above. The friendly name must be + Server-Cert, see + for details. 
+ taroth 2020-01-22: string may be simplified in the future, see + https://github.com/yast/yast-auth-server/issues/55 + + + If you do not specify a CA certificate here, a self-signed certificate + will be created automatically. After the instance has been created, + find the related files in + /etc/dirsrv/slapd-INSTANCENAME. + + + + + + + If you are ready to create the instance, click OK. + + + + + + + + + + + + &yast; displays a message whether the creation was successful and where + to find the log files. + + + + + + + + The setup with &yast; provides only a very basic configuration of the &ds389;. + To fine-tune more settings, see + or the documentation mentioned in . + + - + + + .-\-> @@ -839,8 +1018,8 @@ systemctl start sssd Enter the Plug-Ins tab, select the LDAP plug-in, and click Launch to configure additional LDAP attributes assigned to the new user. - +).-\-> @@ -857,7 +1036,7 @@ systemctl start sssd You can administer groups in a similar way on the Groups tab. - + -\-> The initial input form of user administration offers LDAP @@ -878,9 +1057,9 @@ systemctl start sssd LDAP users and groups by selecting LDAP User and Group Configuration. - - - + +--> + Configuring an LDAP Client with &yast; &yast; includes the module LDAP and Kerberos Client @@ -1066,6 +1245,7 @@ systemctl start sssd + diff --git a/xml/security_ldap_kerberos_ad_yast.xml b/xml/security_ldap_kerberos_ad_yast.xml index c099b4aa07..be8f346f30 100644 --- a/xml/security_ldap_kerberos_ad_yast.xml +++ b/xml/security_ldap_kerberos_ad_yast.xml @@ -49,7 +49,7 @@ - LDAP: + LDAP: diff --git a/xml/yast2_gui.xml b/xml/yast2_gui.xml index db2320c942..a0fa1a73fc 100644 --- a/xml/yast2_gui.xml +++ b/xml/yast2_gui.xml @@ -133,7 +133,7 @@ - + diff --git a/xml/yast2_userman.xml b/xml/yast2_userman.xml index 620aa4e5fe..8fb960411e 100644 --- a/xml/yast2_userman.xml +++ b/xml/yast2_userman.xml @@ -908,7 +908,7 @@ LDAP: - +
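Review bot: In xml/security_ldap.xml, hunk @@ -499,6 +486,85 @@, the procedure writes the server's private key into SERVER.p12 and imports it with pk12util, but never says what to do with the bundle afterwards or that openssl asks for an export password which pk12util then needs. Please add a sentence on protecting or removing SERVER.p12 (and SERVER.key) once the import has succeeded. In the same hunk, "TSL" in the title "Using CA Certificates for TSL" and in "to use for the TSL connection" should be "TLS", which the friendly-name note already uses. "contact a CA authority" repeats "authority". The "pk12util -i SERVER.p12 -d PATH_TO_NSS_DB" line has no &prompt.root; while the openssl command before it does.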
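Review bot: In xml/security_ldap.xml, hunk @@ -527,19 +593,8 @@, the new description "Path to the certificate at a readable location" does not match the key it explains: the preceding hunk sets "tls_cacertdir = PATH_TO_CERTDIR", which is a directory, not a certificate file. Suggest wording such as "Path to the directory that contains the CA certificate, at a readable location or on the client machine from which you use the ds* commands". The removed paragraph was the only place in this section that named /etc/dirsrv/slapd-localhost/ca.crt, so a reference to the new "Using CA Certificates" section would help readers find it again.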
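Review bot: In xml/security_ldap.xml, hunk @@ -782,9 +837,131 @@, the step "If you do not specify a CA certificate here, a self-signed certificate will be created automatically" presents the fallback without the restriction given in the new CA section, where self-signed certificates are described as being for testing purposes. Please repeat that restriction here or link to that section, otherwise the YaST path reads as acceptable for production. Smaller points in the same hunk: the editor remark "taroth 2020-01-22: string may be simplified in the future" appears twice, once would do. "Creating an &ds389; Instance" and "Setting Up a &ds389;" disagree on the article. "displays a message whether the creation was successful" needs a verb such as "stating".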
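Review bot: In xml/security_ldap.xml, hunks @@ -839,8 +1018,8 @@ through @@ -878,9 +1057,9 @@, the user management text appears to be disabled by commenting it out, with the inner comment terminators rewritten to "-\->". Whoever re-enables the section has to find and revert each of these by hand, and nothing in the hunks says why it is disabled or when it can come back. Suggest adding a short remark with the tracking reference at the start of the commented block, or using a profiling attribute instead of a comment, since the commit message says the section is disabled only "for now".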