From 452bda762a55de3acd1bfc759fe893d633fdf203 Mon Sep 17 00:00:00 2001 From: Roland Gruber Date: Thu, 13 Mar 2003 19:29:17 +0000 Subject: [PATCH] Some HowTos for LDAP and Samba --- lam/docs/LDAPv3-HOWTO.html | 4235 +++++++++++++++++++++++++++++++++ lam/docs/ldap-linux.htm | 280 +++ lam/docs/samba-ldap-howto.pdf | Bin 0 -> 306159 bytes 3 files changed, 4515 insertions(+) create mode 100644 lam/docs/LDAPv3-HOWTO.html create mode 100644 lam/docs/ldap-linux.htm create mode 100644 lam/docs/samba-ldap-howto.pdf diff --git a/lam/docs/LDAPv3-HOWTO.html b/lam/docs/LDAPv3-HOWTO.html new file mode 100644 index 00000000..8cd717ab --- /dev/null +++ b/lam/docs/LDAPv3-HOWTO.html @@ -0,0 +1,4235 @@ + + OpenLDAP, OpenSSL, SASL and KerberosV HOWTO + + + + + + + + + + + +
+ + + + + + + + + + + + + + +
+

Author

+
+

+ LDAPv3

+
+

Last + updated

+
+

Turbo Fredriksson

+
+


+

+
+

1 november 2002

+
+
+

+

+

Over the last year (around May, 2001) I have tried to rewrite this +HOWTO into a book, and get it published. So far my attempts have not +been that successful. No one want's to publish it. My language seems +to be lacking. The major concerns (it seems) is that it's not +"professional" enough. Maybe so, but this is the way I +want to read about something that's difficult.

+

Is +there any need for a book about this? Have a look at Implementing +LDAPv3 for the parts I have decided to show in public. It +contains the the Contents at A glance, Table of contents, and chapter +one and three. It is color encoded, to show what's done and what's +not... I'd appreciate +comments. This example is a little old now, I can't be bothered +to update it (it is after all an EXAMPLE :). However, I also managed +to create a +PDF of the first seventeen (17) pages, which includes the title +page, Contents at a glance and Table of contents as it would look +like if it was printed. This I'll try to update every now and then. +Watch the bottom on the title page for date of PDF creation. It's +updated automatically.

+

+

+

Quite a number of people (4000 unique web accesses in the first +three months it was up) have had help from this book. There's a +number of companies that got helped with this HOWTO. A lot of them +software companies. How about thanking me (if it actually helped and +saved time/money that is) by sending me something you/your company +makes? One successful company makes a Linux desktop distribution. I +would have liked a copy of that, it would have been nice :). No +requirenments though!

+

+

+

Preface

+

These +are my notes about how I got OpenLDAP (v2.0.7), OpenSSL +(v0.9.5a), SASL (v1.5.24) and MIT KerberosV (v1.2.2) to +work together. This combination (according to some RFC I can't +remember the number of) is what's called LDAPv3.

+

I +have since I initially wrote this HOWTO, upgraded some packages. The +information about this can be found in the Updates +section. At the time of this writing (Sunday, August 19, 2001) I have +not successfully compiled and installed OpenLDAP v2.0.11! I'm still +working heavily on this, it is at the top of my todo list, since I +really (!!) need to upgrade because of a resent security alert.

+

You +might want to read the section LDAPv3, +why bother to see the reasoning for this quite complicated issue. +It deals with all the discussed systems, such as SSL/TLS, SASL, LDAP +and Kerberos, and why we should run such a complicated system in the +first place.

+

Required knowledge

+

Reading +and following this documentation will require a knowledge of LDAP in +general, knowing how to create and install software 'from scratch' +(i.e. building from source/tar balls) and also how to configure +OpenLDAP and also how to administer it... This issue (LDAPv3) is not +for the beginner, and I will usually not +answer any questions in the format of 'I get this when i try to +configure/make/install this-or-that-software'! In short, you will be +required to 'read between the lines' of this document, and draw you +own (correct! :) conclutions. That being said, it's not as difficult +as it might seem. If you belong to the group of people that I here +call 'beginner', I recommend installing the software while reading +the OpenLDAP web page on OpenLDAP administration.

+

Note about +building software

+

I'm +running Debian +GNU/Linux on all my machines, both on the +Intel platform and the Sun SPARC, +and prefer to use the Debian package system as much as I can. Since +I'm also a Debian developer, I have a fairly good know-how about +making a Debian package. In my pursuit of getting this to work, I had +to modify some of the default packages since they lacked some +features that is necessary. I will try to guide you through the +process of rebuilding you package, if you to are running Debian +GNU/Linux. If you are not, I will at least tell you which parameters +to configure etc. the Debian package are using, giving you at least +SOME hint on getting all this software compiled and installed :). +Also, the progress and fast moving target that the Internet and the +OpenSource movement are, the versions I have described here are most +likely already out of date. Two weeks after I started with this +HOWTO, Cyrus-SASL had released version 1.5.26, that fixed the problem +described in the section Bugs +in Cyrus SASL, v1.5.24. But I'm deploying this any day now +on a live server, so I won't be able to test if it indeed fixes the +problem.

+

Note about text +notation:

+

Wherever you see +the <> (in bold) part, +it means that that's where you input your own information. So for +example, when you see +

+
<YOUR KERBEROS REALM>

+It means that you should put your realm in there, like this:

+
BAYOUR.COM

+Note, that you should NOT +include the characters < and >!.

+

Also, I assume +in this document that the configuration for OpenLDAP2 is installed +into /etc./ldap. If you +haven't installed it there, please remember to exchange that path to +your path.

+

Disclamer

+

Please +don't send any 'please help me' mails directly to me. Direct it to +the appropriate mailing +lists for help instead, you stand a much better chance of getting +a reply if you do. I just don't have the time (or knowledge) to help +anyone/everyone in private.

+

+Any mails sent to +me about any of this will +be replied to on a public list.

+

Table of Contents – Core software

+

BerkeleyDB

+

+BerkeleyDB from +SleepyCAT is, from what I have read/tried a better database back-end +than gdbm, ndbm and db. It is used by OpenLDAP to store the database +on disk. Your call, you don't have to use it, but I like it and have +been using it all the time.

+

Building +and installing Berkeley DB

+

OpenSSL

+

+This is the software +that will give us TLS and SSL enabled LDAP (secure and encrypted +communication). It have nothing to do with AUTHENTICATING a user, it +just gives us a way to encrypt traffic to/from the LDAP server.

+

Build +OpenSSL

+

Creating +SSL certificate

+

MIT +Kerberos V

+

+This +is what we will use to store password in. It will, as a bonus, also +give us a 'single-sign-on' system (that is, you enter your +passphrase/password once, and the 'ticket' that is returned, will be +used for login authentication).

+

Building +MIT Kerberos V

+

Bugs +in MIT Kerberos V, v1.2.1

+

Bugs +in MIT Kerberos V, v1.2.2

+

Installing +MIT Kerberos V

+

Configure +Kerberos

+

Preparing +the DNS for KerberosV

+

Kerberos +config file

+

Create +KerberosV realm

+

Setting +up KerberosV access rights

+

Testing +MIT Kerberos V

+

Cyrus +SASL

+

+This is the layer +between OpenLDAP and +Kerberos. It gives you a secure way of AUTHENTICATING access to the +LDAP server. It will not encrypt the actual traffic (even though the +authentication session is encrypted).

+

Building +Cyrus SASL

+

Bugs +in Cyrus SASL, v1.5.24

+

Build +the Cyrus SASL packages

+

Installing +Cyrus SASL

+

Testing +Cyrus SASL

+

OpenLDAP

+

+Well, we all know +what this is, don't we? It's a free LDAP server. A very (VERY) +good one to, in my opinion (even though I don't have much experience +in other LDAP server :).

+

Building +OpenLDAP v2

+

Bugs +in OpenLDAP, v2.0.7

+

Installing +OpenLDAP v2

+

Configuring +OpenLDAP v2

+

Configure +OpenLDAP to use the new SSL certificate

+

Changes +to the OpenLDAP config file

+

Changes +to the OpenLDAP startup script

+

The +OpenLDAP config file

+

The +OpenLDAP access file

+

Creating +a LDAP service key

+

Populate +the database to allow simple bind as user

+

Modify +the LDAP database to allow simple bind as user.

+

Notes +about 'userPassword: {KERBEROS}'

+

Testing +OpenLDAP v2

+

Testing +OpenLDAP, simple/anonymous bind

+

Testing +OpenLDAP, simple/anonymous bind, with SSL/TLS

+

Testing +OpenLDAP, using your Kerberos ticket

+

Testing +OpenLDAP, using your Kerberos ticket, with SSL/TLS

+

Testing +OpenLDAP, simple user bind, with SSL/TLS

+

Setting +up secure replication

+

Replication +configuration, slave server

+

Replication +configuration, master server

+

Creating +a replication principal

+

Automatically +getting a ticket before starting slurpd

+

Keeping +replication ticket updated

+

Give +the replicator access to the database

+

Table of Contents – Miscellaneous software

+

+Some +software to ease administration and migration to LDAP/Kerberos are +these softwares. I'm not going to go +in to how to get this configured and installed. That's an exercise +for the reader :). They have no real +relevance for getting LDAPv3 to work, but I thought I'd plug for them +anyway, because I have found them invaluable in using and +administrating LDAP in general.

+

LibNSS-LDAP/LibPAM-LDAP

+

The LDAP name service +switch (NSS) module is an Open Source project to integrate +LDAP as a native name service under Linux, Solaris, and other +operating systems. The LDAP pluggable authentication +module (PAM) is an Open Source project to integrate LDAP +authentication into operating systems supporting the PAM API, such as +Linux, Solaris, and HP-UX.

+

Building +and installation

+

Downloading +source

+

Building +packages

+

Install +the newly made packages

+

Concurrent +Version System

+

Not related with OpenLDAP really, but I'm +going to show you a little how to get CVS linked and compiled with +GSSAPI so that we can use our Kerberos key for authentication to the +cvs server.

+

Building +CVS

+

Configure +options

+

With +Krb4 option

+

Creating +a CVS service key

+

Cyrus +IMAP/POP3

+

Quite naturally we would like the IMAP +and POP3 server to authenticate directly with SASL to the Kerberos +database as well.

+

Building +Cyrus IMAP and POP3 server

+

Configure +Cyrus IMAP and POP3 server

+

Creating +a IMAP/POP3 service key

+

OpenAFS

+

From the project page:

+

AFS is a distributed filesystem product, +pioneered at Carnegie Mellon University and supported and developed +as a product by Transarc Corporation (now IBM Pittsburgh Labs). It +offers a client-server architecture for file sharing, providing +location independence, scalability and transparent migration +capabilities for data.

+

Kind'a like NFS with Kerberos +authentication. Although AFS is a (network) file system and have +don't have anything to do with LDAPv3, it is 'essential' for a +distributed (and load balanced) server cluster.

+

OpenAFS

+

Building +OpenAFS

+

Build +OpenAFS kernel module

+

Installing +OpenAFS

+

OpenAFS +KerberosV support software

+

Building +OpenAFS KerberosV support software

+

Installing +OpenAFS KerberosV support software

+

Configure +OpenAFS KerberosV support software

+

OpenAFS +PAM module

+

Building +and Installing the OpenAFS PAM module

+

Configure +OpenAFS PAM module

+

Configure +OpenAFS

+

Creating +a AFS service key

+

Putting +the AFS service key into the AFS KeyFile

+

Mount +the AFS volume

+

Create +the new cell

+

Setup +the cell configuration files

+

Getting +a Kerberos ticket and a AFS token

+

Setting +up root volumes

+

Testing +the OpenAFS softwares

+

Testing +OpenAFS KerberosV support software

+

Testing +OpenAFS PAM module

+

Samba

+

The idea here is to make a Windows 2000 +server out of our Linux/UNIX box. In theory (at least from what I +have understood from mails on the openldap-software list) this should +be possible if using Krb5, SASL, LDAP and Samba. I'm currently +investigating this issue.

+

Check back every now and then to see how +far I have got with this.

+

Building +Samba/Samba-TNG

+

Compile +options

+

Make +string

+

Directory +Administrator

+

From the project page:

+

Designed with the only focus of being a +tool to easily manage UNIX users and groups in an LDAP directory, +corporate information, access controls, and LDAP mail routing.

+

I'm currently writing a patch for this, +to allow it to add the principal to the KDC as well as adding the +user stuff in the LDAP server. Also in progress are SASL and SSL/TLS +binds to the LDAP server.

+

PAM/Kerberos +migration module

+

I haven't gotten this to work yet, but +I'm working on it. From the source code README:

+

pam_krb5_migrate is a stackable +authentication module (for PAM) that takes a user name and password +from an earlier module (such as pam_ldap or pam_unix) in the stack, +and attempts to transparently add them to a Kerberos realm using the +Kerberos 5 kadmin service. The module can be used to ease the +administrative burdens of migrating a large installed user base from +pre-existing authentication methods to a Kerberos based setup.

+

Looks nice to me, if I just could get it +to work!

+

Have a look at Migrating +existing users for more information about migrating existing +users.

+

QMAIL +with LDAP patches

+

It is possible to have QMAIL look in a +LDAP database for it's email addresses, and to have QMAIL's pop/imap +server authenticate the users from a LDAP database.

+

Sendmail +and LDAP

+

I'm not using Sendmail, in fact, I +dislike sendmail quite heavily. In my opinion it's the most insecure +piece of software you can install on a UNIX (like) platform. But, +granted, it's the only (mail) server that can cope with hundred of +thousands (and above) of mails. I'll see if I can dig up some +information about this, and add this to this HOWTO/FAQ.

+

In the mean time, have a look at the URL: +http://www.stanford.edu/~bbense/Inst.html.

+

Miscellaneous +information

+

Here you can find some reference +material, and copies of my configurations discussed in this document

+

+Updates

+

Most things in the Open Source movement +change quite fast, and software naturally gets updated. Instead of +adding a 'updates' section under each software product, I have +gathered them here instead, sorted by the latest version at the time +of writing.

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

BerkeleyDB

+
+

v3.3.11

+
+


+

+
+


+

+
+


+

+
+


+

+
+


+

+
+


+

+
+

OpenSSL

+
+

v0.9.6a

+
+

v0.9.6b

+
+


+

+
+


+

+
+


+

+
+


+

+
+


+

+
+

OpenLDAP

+
+

v2.0.10

+
+

v2.0.11

+
+

v2.0.14

+
+

v2.0.18

+
+

v2.0.21

+
+

v2.0.22

+
+

v2.0.23

+
+

CyrusSASL

+
+

v1.5.27

+
+


+

+
+


+

+
+


+

+
+


+

+
+


+

+
+


+

+
+

MIT KerberosV

+
+

v1.2.4

+
+


+

+
+


+

+
+


+

+
+


+

+
+


+

+
+


+

+
+
+

My +configuration files

+

These are copies on all my configuration +files. They are documented here in the document, but just a +preventive measure, I thought that I'd include the actual files as +well.

+

Master +LDAP server

+

Slave +LDAP server

+

PAM/LDAP +files

+

Misc +files

+

Reference +material

+

This are some misc information about +where to find more information about RFC's and Internet drafts etc.

+

Patches

+

LDAP

+

LDAPv2

+

LDAPv3

+

Authentication

+

SASL

+

Kerberos

+

Other

+

Problems +that can occur

+

After getting all this software +configured, compiled and installed, it will need to work independent +of the other. That is, each piece needs to work before we can start +gluing them together. There's always something that can go wrong. +Here's examples and solutions for some of (the most common?) ones.

+

Problems +when the KVNO don't match up.

+

No +such attribute error

+

No +such object error

+

Local +error

+

Problems +with ACL's

+

SLAPADD +problems/messages

+

Attribute +type undefined

+

Attribute +not allowed

+

Missing +required attribute

+

+Shortcuts

+

For the lazy ones, why not take a look at +this section.

+

No guaranties though!

+

APT +configuration

+

These +are the packages that are available for installations

+

KerberosV +server

+

KerberosV +client

+

KerberosV +services

+

PAM/NSS

+

Miscellaneous

+

OpenSSL

+

Cyrus +SASL

+

OpenLDAP2

+

OpenAFS

+

PostgreSQL

+

Migrating +existing users

+

+Some notes about migrating an existing user database, be it the old +fashioned /etc/passwd +approach, NIS/NIS++ etc.

+

Thanx to

+

+I would like to thank the following people, in no special +order(!), for giving +me input on this document. I apologize if I forgot someone (I started +this thank you part quite late in the development :).

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

Johann + Botha

+
+

For + noting that we have to start the SLAPD server on port 636 aswell

+
+

Allan + Streib

+
+

For + the patch to Cyrus SASL, v1.5.27

+
+

Jorge + Santos

+
+

For + pointing out that Berkeley DB 3.2.9 is in Debian GNU/Linux under + the name libdb3/libdb3-dev. + Also found a missing '-exec' in a find command (in the Building + Packages subsection of the libpam-ldap and libnss-ldap section).

+
+

John + Green

+
+

Which + had a one month newer version than the file I had in my backup + when I lost the whole page because of user error :)

+
+

Keith + R Lally

+
+

For + finding the latest version of the lost document.

+
+

Jasper + Möller

+
+

For + some question and remarks about the DNS setup, migration of + existing users, SSL certificates etc.

+
+
+

A couple of days ago (around December 12, +2001) I lost this document. I managed to rescue a version from +August, but quite a number of things where missing.

+

For those other of you that mailed me +about different versions etc, THANX! I wasn't quite sure if this +document made any difference, but it seems like it does... It's +always nice to hear from users (just not TO much :).

+

+Thanx +again for all the support

+

Building required software

+

+OpenSSL

+

Installing the +Debian GNU/Linux package

+

This package I just installed right of the Debian +GNU/Linux non-US FTP site, using apt-get install libssl09 +libssl09-dev openssl. The +development package are needed later when building +OpenLDAP v2.

+

Building OpenSSL +from scratch

+

For those of you that don't use Debian, this are the configure +command line:

+
./Configure shared --prefix=/usr --openssldir=/usr/lib/ssl

+Then build the package by issuing this command:

+
make -f Makefile.ssl all

+Install newly built OpenSSL software

+

To install OpenSSL after executing make, issue this command:

+
make -f Makefile.ssl  install.

+That's about it about OpenSSL I think, but as I said, I just +installed the Debian packages, and where done with it :)

+

+Creating SSL certificate

+

To create the certificate that OpenLDAP will use, we issue the +command openssl like this:

+
openssl req -new -x509 -nodes -out server.pem -keyout server.pem -days 365

+This is what the command will output when I do it. The first line +might be different in your installation, and some of the wordings +might have changed if you are using a different version than me. The +important information you should input is on the last seven lines +(starting with Country Name and ending with Email Address. Parts in +bold+underline is my responses:

+
Using configuration from /usr/lib/ssl/openssl.cnf
+Generating a 1024 bit RSA private key
+.....++++++
+.................................................++++++
+writing new private key to 'server.pem'
+-----
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [AU]:SE
+State or Province Name (full name) [Some-State]:
+Locality Name (eg, city) []:Gothenburg
+Organization Name (eg, company) [Internet Widgits Pty Ltd]:
+Organizational Unit Name (eg, section) []:
+Common Name (eg, YOUR name) []:egeria.bayour.com
+Email Address []:turbo@bayour.com

+It is very important that you don't give localhost for the +Common Name. It should be your hosts FQDN (Fully Qualified Domain +Name). That is, what's your IP address, and what name does the DNS +tell you belong to this IP address?

+

NOTE: I can not stress this enough! 99% of all the "SSL/TLS +don't work" mails on the openldap-software list is due to the +fact that someone have not used a correct Common Name in the SSL +certificate! An IP address won't work either. It can however be used +to get your common name from the DNS. Find your IP address and issue +the command

+
host <YOUR IP ADDRESS HERE>

+The first line that reads Name: is what you should use as your common +name!

+

Keep the file server.pem created here handy, we will need +it later when setting +up secure replication below.

+

Also, remember that since you're specifying the host name in the +certificate (which is required), you must have +one certificate for each of your LDAP server (if you're doing +replication to other machines).
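Review bot: In the "Creating SSL certificate" section, the command "openssl req -new -x509 -nodes -out server.pem -keyout server.pem -days 365" writes the private key unencrypted (-nodes) into the same server.pem as the certificate, and the section never says how that file should be protected, even though it then tells the reader to keep server.pem handy for the replication setup. Suggest giving -keyout its own file name, stating that the key file should be owned by and readable only to the account slapd runs as, and saying explicitly which file the replication step needs, so the key is not copied around together with the certificate. The sample output also shows "Generating a 1024 bit RSA private key", which is whatever default this installation picked, since the command does not set a key size; if a longer key is intended, the command line should ask for it.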

+

BerkeleyDB

+

+Building and installing Berkeley DB

+

This software don't exists as Debian packages, so I had to make +and install it my self. To do this, I just downloaded the tarball +from the sleepycat website. I got version 3.0.55, and I see that the +version on there site is now 3.2.9. I can't guarantee that that will +work, but be my guest to try it. If it shouldn't work, you can get +SleepyCAT +v3.0.55 at my site. This is how to build the software after +unpacking it in your favourite source directory.

+
cd build_unix
+../dist/configure
+make
+make install

+That's about all I have to say on the issue of installing Berkeley DB +mostly because there's not much more to it! :).

+

UPDATE: With Debian GNU/Linux 2.3 (aka Woody) and later, +BerkeleyDB 3.2.9 is availible in the libdb3 and libdb3-dev +packages, so you won't really need to download and install BerkeleyDB +from source. Just execute

+
apt-get install libdb3 libdb3-dev

+and off you go...

+

MIT Kerberos V

+

+Building MIT Kerberos V

+

Now, as promised I will here give you the configure parameters +that the Debian packages are using:

+
--prefix=/usr
+--enable-shared 
+--with-ccopts="-g -O2 -D_REENTRANT"
+--localstatedir=/etc
+--mandir=/usr/share/man
+--without-tcl

+Then, just make all is executed.

+

+Bugs in MIT Kerberos V, v1.2.1

+

NOTE1: As said above, there is a +bug in all Kerberos implementations deriving from MIT KerberosIV +(yes, that spells out 4, it's a very old bug!). The bug is that it +have a temporary files race condition. For those that have a version +lower than 1.2.2 and don't want to/can't upgrade, there's a patch to +be found at the MIT +Kerberos advisories site. For you that run Debian, please see the +Building Cyrus SASL +example how to make a Debian package with this patch.

+

NOTE2: Also, there have been discovered a buffer overflow +vulnerability in the telnetd that is distributed with Kerberos 5, +v1.2.2. See the URL http://www.securityfocus.com/bid/3064 +for more information about this vulnerability. A patch for this bug +can be found at the URL +http://web.mit.edu/kerberos/www/advisories/telnetd_122_patch.txt.

+

NOTE3: Debian are now distributing MIT Kerberos v1.2.2 in +it's unstable distribution, so just execute

+
apt-get update && apt-get upgrade

+(if you are getting your packages from Internet, and not from CD that +is). It should be installed into the testing and then the stable tree +after a couple of weeks (if there isn't any serious bugs against the +packages)...

+

+Bugs in MIT Kerberos V, v1.2.2

+

NOTE1: A buffer overflow bug have been found in wu-ftpd (and +therefor gssftpd which is the origin of part of the wu-ftpd). Have a +look at the advisory at +http://web.mit.edu/Kerberos/www/advisories/ftpbuf.txt. +The patch is also located without the advisory text on the URL: +http://web.mit.edu/Kerberos/www/advisories/ftpbuf_122_patch.txt.

+

+Installing MIT Kerberos V

+

To prepare the Kerberos installation, one should read the Kerberos +FAQ. This FAQ was a very good guide for me to learn (or at least +give me a rough understanding of Kerberos :). Basically nothing in +there needs to be done when using the Debian GNU/Linux packages. I +just used the default ones, even though the version I installed first +had a /tmp race condition bug. I have now upgraded to version +1.2.2-1 (the -1 is the Debian patch version). The installation is +very straight forward, just answer the questions correctly :). +However, there are some stuff that needs to be done before (or after +if you like) the installation begins. You will need a working DNS +system. And the KDC/KAdmin. server should really be on a separate +machine, but I didn't have that luxury, so I installed it on the main +system (I'll make a separate KDC/KAdmin/LDAP server later, but not +now). +

+

+Configure Kerberos

+

+Preparing the DNS for KerberosV

+

The DNS should be setup like follows to get full Kerberos network +support. However, it seems like very few programs (OpenLDAP doesn't +seem to) actually use the SRV entries, which is 'Server Location' +entries. So if you don't want to/can't change the DNS, it is not +required...

+

NOTE: I upgraded my Kerberos server (from 1.2.2 to 1.2.4) +the other day, and I got the question if my DNS was listing the +location of my KDC's (which it does) so maybe Kerberos is now using +the SRV entries. I haven't verified what's the case here, it doesn't +matter that much to me at the moment... :)

+
; IP addresses to the Kerberos/LDAP servers...
+kerberos                IN      A       <IP ADDRESS OF YOUR 1st KERBEROS SERVER>
+kerberos-1              IN      A       <IP ADDRESS OF YOUR 2nd KERBEROS SERVER>
+kerberos-2              IN      A       <IP ADDRESS OF YOUR 3rd KERBEROS SERVER>
+ldap                    IN      A       <IP ADDRESS OF YOUR 1st LDAP SERVER>
+ldap-1                  IN      A       <IP ADDRESS OF YOUR 2nd LDAP SERVER>
+ldap-2                  IN      A       <IP ADDRESS OF YOUR 3rd LDAP SERVER>
+;
+; Master setup
+_kerberos               IN      TXT     "<YOUR KERBEROS REALM>"
+_kerberos-master._udp   IN      SRV     0 0 88 kerberos
+_kerberos-adm._tcp      IN      SRV     0 0 749 kerberos
+_kpasswd._udp           IN      SRV     0 0 464 Kerberos
+;
+; Round-robin setup
+_kerberos._udp          IN      SRV     0 0 88 kerberos
+                        IN      SRV     0 0 88 kerberos-1
+                        IN      SRV     0 0 88 kerberos-2
+_ldap._tcp.<DOMAINNAME> IN      SRV     0 0 389 ldap
+                        IN      SRV     0 0 389 ldap-1
+                        IN      SRV     0 0 389 ldap-2

+Don't forget to make sure that the revers look-up works. Much of my +problems where that the KDC couldn't (wouldn't?) find my FQDN (Fully +Qualified Domain Name => Host name + Domain name) for my IP +address, or the other way around. +

+

And what's this SRV stuff doing in there? That's kind'a cool +feature in the +BIND DNS server. See the page about specifying +the location of services RFC for more about this.
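Review bot: In the zone snippet, the owner name "_ldap._tcp.<DOMAINNAME>" has no trailing dot, while every other record in the block uses a name relative to the zone ("_kerberos._udp", "_kpasswd._udp"). If the snippet goes into the zone for <DOMAINNAME>, BIND appends the origin and the record ends up at _ldap._tcp.<DOMAINNAME>.<DOMAINNAME>, so a client looking up the LDAP SRV record will not find it. Suggest writing it as "_ldap._tcp" to match the Kerberos entries, or adding the trailing dot. The _kpasswd._udp target is also spelled "Kerberos" with a capital K while the A record and the other SRV targets use "kerberos"; DNS compares names case-insensitively, so it resolves, but it should be lower case for consistency.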

+

The main KerberosV packages we will have to install on the KDC +(Kerberos server), are the following packages.

+
krb5-kdc
+krb5-admin-server
+libkrb5-dev

+To do this, all you have to do is execute (as root of course :) the +command line

+
apt-get install krb5-kdc krb5-admin-server libkrb5-dev

+and this will install and configure a KDC and Kerberos admin server. +We will need the development package later on when we build SASL. +Since I'm running Debian GNU/Linux, I just installed these default +Debian packages, which also configured the stuff for me. What is also +good to have is these packages (just add those you want at the end of +the apt-get line. These packages should be installed on the Kerberos +client. In my case, the KDC lives on my main server, so I installed +these packages on the same system as the packages above. This is not +recommended, but I had no choise.

+
krb5-doc
+krb5-user
+krb5-clients

+If you like to offer Kerberos secured services like ftp, rsh, telnet +etc, these are the packages you will also need to install (I did):

+
krb5-ftpd
+krb5-rsh-server
+krb5-telnetd

+Now, apt is so very clever that it will download and install any +packages that the above packages are dependent on. So, for example, +if you are running with an older libc6 than the krb5 packages needs, +apt will download and install (!) those for you to. +

+

+Kerberos config file

+

Now, there seems to be something +wrong in some install script or other, because sometimes when I +installed Kerberos, the file /etc/krb5.conf wasn't created +correctly. I installed, unistalled back and fourth to try to figure +out how to get this to work. I will here include the file I have, and +it should work for most cases. As said, this seems to be a random +problem, and I have not been able to successfully duplicate the +problem, so double check the file for accuracy first.

+
<libdefaults>
+        default_realm = <YOUR KERBEROS REALM>
+        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
+        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
+        permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
+        krb4_config = /etc/krb.conf
+        krb4_realms = /etc/krb.realms
+        kdc_timesync = 1
+        ccache_type = 4
+        forwardable = true
+        proxiable = true
+
+<realms>
+        <YOUR KERBEROS REALM> = {
+                kdc = kerberos.<YOUR DOMAINNAME>:88
+                admin_server = kerberos.<YOUR DOMAINNAME>:749
+                default_domain = <YOUR DOMAINNAME>
+        }
+
+<domain_realm>
+        .<YOUR DOMAINNAME> = <YOUR KERBEROS REALM>
+
+<logging>
+        kdc = FILE:/var/log/kerberos/krb5kdc.log
+        admin_server = FILE:/var/log/kerberos/kadmin.log
+        default = FILE:/var/log/kerberos/krb5lib.log
+
+<login>
+        krb4_convert = false
+        krb4_get_tickets = false
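Review bot: The section headers in this krb5.conf are written as <libdefaults>, <realms>, <domain_realm>, <logging> and <login>, but krb5.conf section names go in square brackets ([libdefaults], [realms] and so on), and the HOWTO's own "Note about text notation" says <...> marks a placeholder the reader replaces with a value, so a reader who copies the file as shown gets lines that are not read as section headers. Suggest restoring the square brackets and keeping <...> only for the realm and domain placeholders. Separately, the three enctype lines permit single DES (des-cbc-crc, des-cbc-md5) next to des3-hmac-sha1; if they are kept for compatibility with the krb4 settings or older clients, the text should say so, otherwise list des3-hmac-sha1 alone.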

+ +Create KerberosV realm

+

When the DNS +is prepared and the packages installed, we need to create the +realm data in the KDC. You will be notified by this by the Debian +installer scripts. The command that needs to be executed are +krb5_newrealm. It will create the stash file for you, and also +create some service keys. This is what the script does (for those of +you that aren't running Debian):

+
kdb5_util create -s
+kadmin.local -q "ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/admin"
+kadmin.local -q "ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/changepw"
+/etc/init.d/krb5-kdc start || true
+/etc/init.d/krb5-admin-server start ||true

+The last two lines are however a little premature. We need some form +of administrator user in the KDC to, so execute this line

+
kadmin.local -q "addprinc krbadm@<YOUR KERBEROS REALM>"

+Also, while we are creating administrators, we will create a LDAP +administrator principal. This principal will have full access to the +LDAP database. For those of you that are migrating from OpenLDAP1 or +OpenLDAP2 without SASL etc (or basically any other LDAP server I +guess) will recognise this as the AdminDN (or rootdn as it's called +sometimes).

+
kadmin.local -q "addprinc ldapadm@<YOUR KERBEROS REALM>"

+Setting +up KerberosV access rights

+

Also, some access lists should be +installed/configured. In the file /etc/krb5kdc/kadm5.acl you should +enter these lines:

+
kadmin/admin@<YOUR KERBEROS REALM>     *
+<YOUR USERNAME>@<YOUR KERBEROS REALM>  *
+krbadm@<YOUR KERBEROS REALM>           *
+*/*@<YOUR KERBEROS REALM>              i

+For me, the second line reads turbo@BAYOUR.COM +* and that gives me full access to the database as my +ordinary login. Might not be a good thing, but then you don't have to +give out the kadmin/admin password to all of those that you want to +have (full or partial) access to your kerberos system. See the +Kerberos +V5 Installation Guide:ACL file for other values you can have +besides * and i.
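
Review bot: The second ACL line gives an everyday login principal, <YOUR USERNAME>@<YOUR KERBEROS REALM>, the full * permission set, so any session holding that user's ordinary ticket can administer the whole KDC database. A separate admin instance such as <YOUR USERNAME>/admin, with its own password, still avoids handing out the kadmin/admin password and keeps admin rights off the daily login. The text already concedes this "might not be a good thing", so the example should show the safer form.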

+

As you can see in this ACL file, we have not listed the ldapadm +principal we created above, only the krbadm. That's because we will +separate the Kerberos administration from the LDAP administration. +Even if you are running this system on only one machine, and +you are alone in administrating this (and will be in a foreseeable +future), I still recommend that you to separate the functions. Have +you read the section LDAPv3, +why bother. Remember the discussion about security? Let's not +allow things to slip through the cracks in such a minor detail as two +separate principals...

+

The default keytab depends on your installation, but for Debian +GNU/Linux it is /etc/krb5.keytab. This file have to be +(securely) copied to the LDAP server before +being able to authenticate with SASL. I had a number of problems with +a faulty keytab. The kvno didn't matchup for some reason. Most likely +because I'm not (or at least wasn't) very good at Kerberos +administration. See the section about Problems +when the KVNO don't match up for ways of fixing/preventing this.

+

This about raps' up the Kerberos installation/configuration, now +we can (re)start the KDC and Kerberos admin server.

+

+Testing MIT Kerberos V

+

[I haven't written this part yet, please contribute!]

+

I can't really remember how I tested it, but if +ktelnet/kftp/krsh/ksu works to/from you machine, it works. If not, +take a look at the Kerberos +FAQ.

+

Cyrus SASL

+

+Building Cyrus SASL

+

This is the first package that we will have to modify, since the +default's isn't good enough (we need GSSAPI). To get the full source +code (inclusive the patches applied by the Debian maintainer etc), +there's the tool apt-get. With the parameter source, it +downloads the latest source code and unpacks it in the current +directory. So, the source package for Cyrus-SASL is, you guessed it +cyrus-sasl (Debian have lowercased package names over the +board, that eases things). To double check, the command line is:

+
apt-get source cyrus-sasl

+This is the second part. This one we need to modify a little from the +default Debian GNU/Linux packages. The changes are the following, +please edit the file debian/rules.

+
--enable-gssapi instead of --disable-gssapi

+And all the option, for those of you that aren't running Debian +GNU/Linux, are:

+
--prefix=/usr
+--enable-static
+--enable-login
+--without-des
+--without-rc4
+--enable-gssapi
+--disable-krb4
+--mandir=/usr/share/man
+--infodir=/usr/share/info

+ +Bugs in Cyrus SASL, v1.5.24

+

There is a bug in the version 1.5.24 that +makes interactive bind from ldapsearch fail if trying to +connect with SSL/TLS. If you execute this command line (exchanging +the <YOUR BASE DN>) after running kinit to get a +Kerberos ticket:

+
ldapsearch -I -b "<YOUR BASE DN>" -H ldaps:///

+If you then get the following error, you need the patch below.

+
ldap_sasl_interactive_bind_s: Unknown authentication method

+NOTE: According to a message on the openldap-software mailing +list, this was fixed some time ago in the CVS version of Cyrus SASL. +So make sure that you need the patch before applying it! The version +of the file plugins/gssapi.c in the cyrus-sasl source +directory should be greater than 1.39, that's when it was fixed. So +if you have a version higher than 1.39 you don't need to patch +Cyrus-SASL. If you got the tarball from the FTP site, then you will +need both these patches. Another thing, if you can't find a version +number in the file noted above, then you're most likely not running +the CVS version, so the patch is needed.

+

This is the patch you will have to apply:

+
diff -ur cyrus-sasl-1.5.24.orig/plugins/gssapi.c cyrus-sasl-1.5.24/plugins/gssapi.c
+--- cyrus-sasl-1.5.24.orig/plugins/gssapi.c.orig        Wed Mar  7 19:42:31 2001
++++ cyrus-sasl-1.5.24/plugins/gssapi.c  Wed Mar  7 19:43:35 2001
+@@ -1243,7 +1243,7 @@
+ 
+        /* need bits of layer */
+        allowed = secprops.max_ssf - external;
+-       need = secprops.min_ssf - external;
++       need = secprops.min_ssf < external ? 0 : secprops.min_ssf - external;
+        serverhas = ((char *)output_token->value)[0];
+ 
+        /* if client didn't set use strongest layer available */
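
Review bot: The clamp is applied to "need" only; the context line directly above it, "allowed = secprops.max_ssf - external;", is the same subtraction and is left as it was. Since min_ssf should never exceed max_ssf, any external value larger than max_ssf also hits the case this change guards against, and "allowed" then gets the unclamped result. Clamp both, or state why "allowed" cannot go wrong here.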

+Also, there is a problem with the +Debian GNU/Linux (and according to information on the +OpenLDAP-Software list, in any place where you use pre-built +binaries) that makes SASL 'forget' about the realm part in the login. +The way to test this is by running slapd with options -d -1 +and try a sasl +bind. Then check the output from slapd. +To save all the output that slapd is spewing out, use the +command tee like this:

+
slapd -d -1 2>&1 | tee /tmp/output.txt

+Then search in the file /tmp/output.txt for the parts that +read:

+
slap_sasl_bind: username="u:[YOUR USER ID]" realm="[YOUR KERBEROS REALM]" ssf=[SOME NUMBER]
+<== slap_sasl_bind: authzdn: "uid=[YOUR USER ID] + realm=[YOUR KERBEROS REALM]"

+If you have the text realm=<YOUR KERBEROS REALM> in +there, all is well, and you don't need the patch. If however, the +realm is not listed there, then please apply this patch that I got +from the mailing list:

+
diff -ur cyrus-sasl-1.5.24.orig/plugins/gssapi.c cyrus-sasl-1.5.24/plugins/gssapi.c
+--- cyrus-sasl-1.5.24.orig/plugins/gssapi.c.orig        Fri Jul 21 04:06:52 2000
++++ cyrus-sasl-1.5.24/plugins/gssapi.c  Sun Dec 17 15:19:31 2000
+@@ -592,6 +594,7 @@
+        gss_buffer_desc name_without_realm;
+        gss_name_t without = NULL;
+        int equal;
++       char *realm = NULL;
+ 
+        name_token.value = NULL;
+        name_without_realm.value = NULL;
+@@ -625,7 +623,8 @@
+           without the realm and see if it's the same id (i.e. 
+           tmartin == tmartin@ANDREW.CMU.EDU. If this is the case we just want
+           to return the id (i.e. just "tmartin: */
+-       if (strchr((char *)name_token.value, (int) '@')!=NULL)
++       realm = strchr((char *)name_token.value, (int) '@');
++       if (realm != NULL)
+        {
+            name_without_realm.value = (char *) params->utils->malloc(strlen(name_token.value)+1);
+            if (name_without_realm.value == NULL) return SASL_NOMEM;
+@@ -687,6 +686,14 @@
+            strcpy(oparams->authid, name_token.value);
+        }
+ 
++       if (realm != NULL)
++       {
++           realm++; /* skip '@' */
++           oparams->realm = (char *) params->utils->malloc(strlen(realm)+1);
++           if (oparams->realm == NULL) return SASL_NOMEM;
++           strcpy(oparams->realm, realm);
++       }
++
+        if (name_token.value)
+            params->utils->free(name_token.value);
+        if (name_without_realm.value)
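
Review bot: In the last hunk, the added "if (oparams->realm == NULL) return SASL_NOMEM;" returns before the frees of name_token.value and name_without_realm.value that follow it, so both buffers are lost on that path; free them before returning or jump to the existing cleanup. The hunk headers also disagree with each other (the first maps line 592 to 594, the second maps 625 to 623 even though a line was added in between), which suggests they were edited by hand and will only apply with offsets.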

+Applying this patch(-es) can be done by using patch. For example, the +patch is saved in the file /tmp/gssapi1.patch. You would then +use the following command (in the top directory of the cyrus sasl +source).

+
patch -p1 < /tmp/gssapi1.patch

+The patch can also be found at my site, GSSAPI +patch 1 and GSSAPI +patch 2. The author of the first patch comes originally from +Nalin Dahyabhai <nalin@redhat.com>. Again, only do this if your +plugins/gssapi.c version is lower than 1.39 (or if you're +trying to compile SASL from the official tarball)!

+

+Build the Cyrus SASL packages

+

Now you can start building the packages by executing the command +line

+
debuild -uc -us -rfakeroot

+Debuild is in the package devscripts, so just install that package by +executing the command line

+
apt-get install devscripts

+before building the package. To build the packages if you are not +running Debian, you just execute make to build the software.

+

+Installing Cyrus SASL

+

To make sure that the packages you just build don't get +automatically upgraded when using the command

+
apt-get update && apt-get upgrade

+etc, make sure to put the packages on hold. Easiest way to do that, +is to go into dselect +and press = on the line of the package. Another way to do this +is to execute

+
echo <PACKAGENAME> hold | dpkg --set-selections

+Do this after you have installed the packages :). Please also see the +section about Bumping +the Debian GNU/Linux package version on another way to avoid +automatic upgrades of the newly made packages.

+

But before we install the SASL packages, you have to make sure +that some libraries etc. that these libraries depend on is installed. +To do this, first install these packages

+
libgdbmg1
+libpam0g
+libcomerr2
+libkrb53

+Then you can continue with installation of the SASL packages below

+
libsasl7
+libsasl-modules
+libsasl-bin

+You do this by executing the command

+
dpkg -i libsasl7*.deb libsasl-modules*.deb libsasl-bin*.deb

+To install the software if you are not running Debian, you execute +the command make install. See the package libkrb53? Now +you know why I asked you to install the Kerberos development +packages. SASL must find krb5 on the system to allow you to use +Kerberos V!

+

+Testing Cyrus SASL

+

You will need to have a working Kerberos V system running. See the +section Testing MIT +Kerberos V for more about this. What you will have to do is get +yourself two shells. Execute kinit in both and then in shell +number one type

+
su -c ./sample-server -s ldap -p /usr/lib/sasl

+And in the other one

+
./sample-client -s ldap -n <FQDN> -u <USERNAME> -p /usr/lib/sasl

+Other than that, please follow the information outlined in the file +testing.txt distributed with cyrus-sasl. You can find the file +at this URL to, Testing +the CMU SASL Library with the included sample applications if you +prefer to have it through you favourite web browser.
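
Review bot: In the server command, "su -c ./sample-server -s ldap -p /usr/lib/sasl" is not quoted, so su takes only ./sample-server as the command and reads -s ldap and -p as options to su itself. Quote the whole command so the sample server receives its arguments: su -c "./sample-server -s ldap -p /usr/lib/sasl".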

+

+OpenLDAP

+

+Building OpenLDAP v2

+

This package have also been slightly modified to suite my needs. +First the changes in the configure command line, please edit the file +debian/rules.

+
--disable-cleartext instead of --enable-cleartext
+--disable-rlookups  instead of --enable-rlookups
+--with-tls          instead of --without-tls
+--enable-kpasswd

+To build against the Berkeley +DB we built before, add these two lines before the configure +line.

+
CPPFLAGS="-I/usr/local/BerkeleyDB.3.0/include" \
+LDFLAGS="-L/usr/local/BerkeleyDB.3.0/lib" 

+And all the options, for those of you that aren't running Debian +GNU/Linux, are the following. These are the important ones you should +have

+
--with-cyrus-sasl
+--enable-slapd
+--enable-crypt
+--enable-spasswd
+--with-tls
+--enable-kpasswd

+These are also some (optional) values you should add. Remove the +options that you know that you definitely don't want. For example, +the enable-ipv6 might be a bad idea sometimes...

+
--enable-debug
+--enable-syslog
+--enable-proctitle
+--enable-cache
+--enable-referrals
+--enable-ipv6
+--enable-local
+--with-readline
+--with-threads
+--disable-cleartext
+--enable-multimaster
+--enable-phonetic
+--disable-rlookups
+--enable-wrappers
+--enable-dynamic
+--enable-dnssrv
+--enable-ldap
+--enable-ldbm
+--enable-passwd
+--enable-shell
+--enable-sql
+--enable-slurpd
+--enable-shared

+ +Bugs in OpenLDAP, v2.0.7

+

There might also bee needed to patch +the file libraries/libldap/open.c from the openldap2 source +directory. Read all about the reasoning behind this at the OpenLDAP +ITS, bug 889. There's also a patch there for you that don't use +Debian. If you however are using Debian, and you want the changes in +the rules file and the discussed patch, you can apply this patch +instead of doing it all by yourself. To apply this patch, see the +Cyrus SASL +bugs above or read the manual page for patch. This patch might +not be needed on the OpenLDAP source you have, so verify that you +need it before use! One way of doing this, is compile/install without +it, and if ldapsearch, ldapadd, ldapmodify +segfaults when trying to use the parameter -H, then you need +it!

+

NOTE: These bugs have been fixed around 2.0.9 or so. At any +rate, the latest version (at the time of this writing, 2.0.21) have +it fixed, so there is no need to patch the files! Please have a look +at the Updates section for more +information.

+
diff -urN debian.orig/patches/004_libldap-open debian/patches/004_libldap-open
+--- debian.orig/patches/004_libldap-open        Thu Jan  1 01:00:00 1970
++++ debian/patches/004_libldap-open     Wed Mar 14 22:13:52 2001
+@@ -0,0 +1,19 @@
++diff -ur OPENLDAP_HEAD/libraries/libldap/open.c libraries/libldap/open.c
++--- OPENLDAP_HEAD/libraries/libldap/open.c     Wed Oct 18 11:53:53 2000
+++++ ./libraries/libldap/open.c Tue Nov 21 20:37:04 2000
++@@ -329,8 +329,15 @@
++       if (ld->ld_options.ldo_tls_mode == LDAP_OPT_X_TLS_HARD ||
++               strcmp( srv->lud_scheme, "ldaps" ) == 0 )
++       {
+++              LDAPConn        *savedefconn = ld->ld_defconn;
+++              ++conn->lconn_refcnt;   /* avoid premature free */
+++              ld->ld_defconn = conn;
+++
++               rc = ldap_pvt_tls_start( ld, conn->lconn_sb,
++                       ld->ld_options.ldo_tls_ctx );
+++
+++              ld->ld_defconn = savedefconn;
+++              --conn->lconn_refcnt;
++ 
++               if (rc != LDAP_SUCCESS) {
++                       return -1;
+diff -urN debian.orig/rules debian/rules
+--- debian.orig/rules   Wed Mar 14 22:10:41 2001
++++ debian/rules        Wed Mar 14 22:10:33 2001
+@@ -34,11 +34,11 @@
+ configure_args := --enable-debug --enable-syslog --enable-proctitle \
+ --enable-cache --enable-referrals --enable-ipv6 --enable-local \
+ --with-cyrus-sasl --with-readline --with-threads \
+---enable-slapd --enable-cleartext --enable-crypt --enable-spasswd \
+---enable-multimaster --enable-phonetic --enable-rlookups --enable-wrappers \
++--enable-slapd --disable-cleartext --enable-crypt --enable-spasswd \
++--enable-multimaster --enable-phonetic --disable-rlookups --enable-wrappers \
+ --enable-dynamic --enable-dnssrv --enable-ldap --enable-ldbm \
+ --enable-passwd --enable-shell --enable-sql --enable-slurpd --enable-shared \
+---without-tls
++--with-tls --enable-kpasswd
+ 
+ # FHS options
+ configure_args += --prefix=/usr --localstatedir=/var --sysconfdir=/etc \
+@@ -52,6 +52,8 @@
+ $(STAMP_DIR)/pre-build-stamp: $(unpacked) $(patched)
+        dh_testdir
+        cd $(BUILD_TREE) && CFLAGS="$(CFLAGS)" \
++               CPPFLAGS="-I/usr/local/BerkeleyDB.3.0/include" \
++               LDFLAGS="-L/usr/local/BerkeleyDB.3.0/lib" \
+                ./configure $(configure_args) --host=$(DEB_BUILD_GNU_TYPE)
+        $(MAKE) depend -C $(BUILD_TREE)
+        touch $(STAMP_DIR)/pre-build-stamp

+You can also get the OpenLDAP +v2 patch on papadoc.

+

When the possible patching is done, we will build the packages. Do +this by executing the command

+
debuild -uc -us -rfakeroot

+For those that aren't running Debian, execute the commands

+
make depend
+make

+Installing +OpenLDAP v2

+

The packages you should install are the following:

+
libldap2
+ldap-utils
+slapd

+You do this by executing the command

+
dpkg -i libldap2*.deb ldap-utils*.deb slapd*.deb

+But before you can do this, you have to make sure that some libraries +etc. that these libraries depend on is installed. To do this, execute +the line

+
apt-get install libiodbc2

+To install the software if you are not running Debian, you just +execute the command

+
make install

+For more information (in case of trouble building and installing +OpenLDAP2 etc.), please see the OpenLDAP +web site and/or the OpenLDAP +FAQ-O-Matic:Quick Start Guide.

+

+Configuring OpenLDAP v2

+

The Debian GNU/Linux installation script will guide you through +most of the scripts and will also create the administration DN +referred to in these files. This DN is mostly for backward +compatibility with older clients, than can't do SASL/Kerberos binds.

+

+Configure OpenLDAP to use the new SSL certificate

+
+Changes to the OpenLDAP config file
+

Then it's just a matter of copying this file, server.pem to +/etc/ldap and modify The +OpenLDAP config file with these options:

+
TLSCertificateFile      /etc/ldap/server.pem
+TLSCertificateKeyFile   /etc/ldap/server.pem
+TLSCACertificateFile    /etc/ldap/server.pem
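
Review bot: All three directives point at /etc/ldap/server.pem, so the file a client needs for verification (the CA certificate) is the same file that holds the server's private key. State the owner and mode the file must have (readable by the slapd user only), or better, put the key in its own file for TLSCertificateKeyFile so the certificate can be distributed without it.
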
+ +Changes to the OpenLDAP startup script
+

We have to make sure that slapd (the actual LDAP +daemon/server) listens to port 636 which is the actual LDAP over +SSL/TLS port. In the Debian GNU/Linux original startup script, we +make this change:

+
--- slapd.orig  Fri Jul 27 08:53:39 2001
++++ slapd       Fri Jul 27 08:53:11 2001
+@@ -21,7 +21,7 @@
+     echo -n "Starting ldap server(s):"
+     echo -n " slapd"
+     start-stop-daemon --start --quiet --pidfile "$pidfile" \
+-               --exec $DAEMON
++               --exec $DAEMON -- -h "ldap://0.0.0.0:$PORT/ ldaps://0.0.0.0/"
+     replicas=`grep ^replica /etc/ldap/slapd.conf`
+     test -z "$replicas" || (echo -n " slurpd" && start-stop-daemon --start \
+                --quiet --name slurpd --exec $SLURPD)
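
Review bot: The new -h argument keeps the cleartext listener, ldap://0.0.0.0:$PORT/, open on every interface next to ldaps://0.0.0.0/, while the notes on "userPassword: {KERBEROS}" further down say simple binds should only be allowed when protected by SSL or TLS. If cleartext LDAP is only needed by local clients, bind it to loopback (ldap://127.0.0.1:$PORT/); otherwise the text should say that StartTLS is expected on that port.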

+That is, we have to make sure that SLAPD listens to ldaps (which is +port 636). The PORT variable is set earlier in the script (at least +in the Debian GNU/Linux version).You should have a line that read +something like:

+
PORT=389

+If you don't have this, either replace the $PORT part above +with 389, or add the PORT=389 line above the slapd +start lines...

+

+The OpenLDAP config file

+

This could be a FAQ all on it's own, +let's just include my config file, shall we?

+
# This is the main ldapd configuration file. See slapd.conf(5) for more
+# info on the configuration options.
+
+# Schema and objectClass definitions
+include                 /etc/ldap/schema/core.schema
+include                 /etc/ldap/schema/cosine.schema
+include                 /etc/ldap/schema/inetorgperson.schema
+include                 /etc/ldap/schema/nis.schema
+include                 /etc/ldap/schema/krb5-kdc.schema
+include                 /etc/ldap/schema/qmail.schema
+include                 /etc/ldap/schema/qmailControl.schema
+include                 /etc/ldap/schema/netscape-profile.schema
+include                 /etc/ldap/schema/trust.schema
+include                 /etc/ldap/schema/turbo.schema
+# Some are extra schema's that I found on the 'Net...
+# Want them? They can be found at http://www.bayour.com/openldap/schemas/
+
+# Schema check allows for forcing entries to
+# match schemas for their objectClasses's
+schemacheck             on
+
+# Where the pid file is put. The init.d script
+# will not stop the server if you change this.
+pidfile                 /var/run/slapd.pid
+
+# List of arguments that were passed to the server
+argsfile                /var/run/slapd.args
+
+# Read slapd.conf(5) for possible values
+loglevel                2048  # Only entry parsing errors
+
+sasl-realm              <YOUR KERBEROS REALM>
+sasl-host               <FQDN OF LDAP SERVER>
+#sasl-secprops          none
+
+#######################################################################
+# ldbm database definitions
+#######################################################################
+
+# The backend type, ldbm, is the default standard
+database                ldbm
+
+# The base of your directory
+suffix                  "<YOUR BASEDN>"
+
+# Where the database file are physically stored
+directory               "/var/lib/ldap"
+
+# Save the time that the entry gets modified
+lastmod                 on
+
+# Indexes
+index                   default pres,eq
+index                   objectClass,uid,uidnumber,gidnumber,cn
+index                   mail,mailalternateaddress,mailforwardingaddress eq
+
+# Include the access lists
+include                 /etc/ldap/slapd.access
+
+# End of ldapd configuration file

+In this file you will notice the option sasl-host. Remember +the DNS +setup? This is the host name and domain name of the host that +your LDAP server is running on. It is not the FQDN of the kerberos +server as I've stated in previous versions of this document. Sorry +about that. In my case, this is egeria.bayour.com, because that was +what I was entering into the SSL certificate. Don't forget the +SSL/TLS certificate file options, which I showed you in Creating +SSL certificate.

+

+The OpenLDAP access file

+

I have all my access lists (ACL's) +in a separate file (/etc/ldap/slapd.access). I'm still working +on getting this to work properly so it's not perfect, but there you +go...

+
# For Netscape Roaming  support, each user gets a  roaming profile for
+# which they have write access to
+access to dn=".*,ou=Roaming,dc=.*"
+        by dn="<YOUR ADMIN DN>" write
+        by dn="uid=ldapadm.+\+realm=<YOUR KERBEROS REALM>" write
+        by dnattr=owner write
+        by * none
+
+# Some things should be editable by the owner, and viewable by anyone...
+access to attr=cn,givenName,sn,krbName,krb5PrincipalName,gecos
+        by dn="<YOUR ADMIN DN>" write
+        by dn="uid=ldapadm.+\+realm=<YOUR KERBEROS REALM>" write
+        by self write
+        by users read
+
+access to attr=loginShell,gecos
+        by dn="<YOUR ADMIN DN>" write
+        by dn="uid=ldapadm.+\+realm=<<YOUR KERBEROS REALM>" write
+        by self write
+        by * read
+
+# Since we're using {KERBEROS}<PRINCIPAL>, we can't allow the user
+# to change the password. They have to use the Kerberos 'kpasswd' to
+# do this... But the admin can change (if need be).
+# Please see krb5 userPassword attribute
+access to attr=userPassword
+        by dn="cn=admin,ou=People,dc=papadoc,dc=bayour,dc=com" write
+        by dn="uid=ldapadm.+\+realm=<YOUR KERBEROS REALM>" write
+        by anonymous auth
+        by * none
+
+# The  mail and mailAlternateAddress  should only  be readable  if you
+# authenticate!
+access to attr=mail,mailAlternateAddress,mailHost
+        by dn="<YOUR ADMIN DN>" write
+        by dn="uid=ldapadm.+\+realm=<YOUR KERBEROS REALM>" write
+        by users read
+        by * none
+
+# Should not be readable to anyone, and only editable by admin...
+access to attr=mailQuota,trustModel,accessTo
+        by dn="<YOUR ADMIN DN>" write
+        by dn="uid=ldapadm.+\+realm=<YOUR KERBEROS REALM>" write
+        by self read
+        by * none
+
+# The admin dn has full write access
+access to *
+        by dn="<YOUR ADMIN DN>" write
+        by dn="uid=ldapadm.+\+realm=<YOUR KERBEROS REALM>" write
+        by * read
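
Review bot: The rule by dn="uid=ldapadm.+\+realm=<YOUR KERBEROS REALM>" write is a regular expression with no anchors and a ".+" directly after "ldapadm", so it also matches any other authenticated identity whose name merely starts with ldapadm and grants it write access in every clause, including "access to *". Anchor the pattern and match only the separator, for example ^uid=ldapadm *\+ *realm=<YOUR KERBEROS REALM>$. Smaller points in the same file: one rule has a doubled bracket (realm=<<YOUR KERBEROS REALM>), the userPassword rule hard-codes cn=admin,ou=People,dc=papadoc,dc=bayour,dc=com where the others use <YOUR ADMIN DN>, and gecos appears in two "access to attr=" lists, of which only the first can ever apply.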

+Notice the

+
by dn="uid=ldapadm.+\+realm=<YOUR REALM>" write

+That's the Kerberos principal you want write access to the database +as. This principal was created in the Create +KerberosV realm section.

+

But there seems to be another bug in the Debian SASL packages. +According to information on the openldap-software mailing list, the +problem don't exist in the tarball from Cyrus home page. See the +section about the SASL patch - Realm +for more about this.

+

+Creating a LDAP service key

+

To let OpenLDAP/SASL connect to +the KDC, we need to add a LDAP service key into the KDC. To do this, +use the command kadmin or kadmin.local like this:

+
kadmin.local -q "addprinc -randkey ldap/<FQDN>@<YOUR KERBEROS REALM>"
+kadmin.local -q "ktadd ldap/<FQDN>"
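
Review bot: The ktadd line has no -k, so the service key lands in the default keytab, which the Kerberos section says is /etc/krb5.keytab and is the file to be copied to the LDAP server. slapd then needs read access to a keytab that may also hold other keys for the host. Write the key to its own file with -k, as the krb5_newrealm lines do for kadm5.keytab, make it readable by the slapd user only, copy just that file, and point slapd at it (MIT Kerberos reads the KRB5_KTNAME environment variable).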

+ +Populate the database to allow simple bind as user

+

If you starting out fresh with this project, you will have to read +up on how to create a database on the openldap database +creation and maintenance tools page. When you understand this, +it's time to specify the special object classes and attributes that +makes this whole LDAPv3 thing tick. The object class krb5Principal +specify that the attribute krb5PrincipalName is a must +and that the cn and krb5PrincipalRealm attributes is +optional. What this means, is that we use the following LDIF snippet +on each of our users:

+
objectClass: krb5Principal
+krb5PrincipalName: turbo@<MY KERBEROS REALM>
+cn: Turbo Fredriksson

+The cn means Common Name, and in this case it's my full name +(yes, my name really IS turbo! :).

+

These attributes and object classes are defined in the +krb5-kdc.schema file distributed with OpenLDAP2. The other +object classes (krb5KDCEntry and krb5Realm) are not +used in this context, so ignore them :).

+

+Modify the LDAP database to allow simple bind as user.

+

If you already have a database, but are using some other means of +storing the passwords, you will have to do some minor modifications +to the database. For example, my production server, which is a +version 1.2.11 have the passwords in the LDAP database as +'{crypt}CRYPTEDPW', and is using libpam-ldap (and for migration +purposes libpam-krb5 which is NOT to recommend in a shared network +environment since it binds in clear text) to authenticate the users +on all services (ssh/imap/pop/ftp etc). Now, Quite naturally I wanted +to use that database, so I first did a dump of the original database +with ldbmcat (to convert it into an LDIF file) and then on the +new server, slapadd to create the database. This was a big +problem, since OpenLDAP2 is much more strict about the existence of a +proper schema for the objectClasses etc. See LDAP +schemas on Papadoc for the schema's that I have (I found most of +them on the Internet so don't blame me if they are a little out of +date :).

+

Before loading the database +into the new server, I had to change all the userPassword +attributes. This is where the --enable-kpasswd comes into +play. The password should be {KERBEROS}<USERS PRINCIPAL> +like this (my entry):

+
dn: uid=turbo,ou=People,<MY BASEDN>
+replace: userPassword
+userPassword: {KERBEROS}turbo@<MY KERBEROS REALM>

+This have to be done for all the users to allow them to authenticate! +This only works if you have compiled OpenLDAP2 with the configure +option --with-kpasswd, and what that do is making slapd +ask the Kerberos server if the password corresponds with the password +for the Kerberos principal turbo@<MY KERBEROS REALM>. +What this do, is it's telling the OpenLDAP2 server (slapd) to +check the password in the Kerberos server. Since there is no password +in the LDAP database any more, we have to make sure that the user +can't change there password with either ldappasswd or via PAM. +Therer for, please have a look at the The +OpenLDAP access file again (especially the 'access to +attr=userPassword' section.
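
Review bot: This paragraph names the configure option as --with-kpasswd, but the build section, the debian/rules patch and the paragraph just before this one all use --enable-kpasswd; use --enable-kpasswd here as well. A reader who searches the configure help for the name given here will conclude the feature is missing.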

+

Now, just to clarify some things (because it will look a little +strange). If you do the modifications above, and then do a search +(ie, retrieving) the userPassword value from the database, it +will look a little garbled:

+
userPassword:: e2NyeXB0fUlNRDR0cmxiaUdFVVU=

+This is nothing to worry about. It's simply base 64 encoded (this +reads {KERBEROS}turbo@BAYOUR.COM after decoding).
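
Review bot: The sample userPassword value does not decode to {KERBEROS}turbo@BAYOUR.COM as stated; it decodes to a {crypt} password hash, so the example contradicts the text and publishes what looks like a real hash. Replace it with the base64 of the {KERBEROS} string or with a placeholder, and treat the password behind that hash as disclosed.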

+

+Notes about 'userPassword: {KERBEROS}'

+

The reason for using userPassword: {KERBEROS}PRINCIPAL +is so that we can allow simple binds with the password in the +Kerberos database. This should not really be done, since if we do a +simple bind without SSL/TLS, we're opening up the Kerberos database. +We're using Kerberos so that we get a secure system, remember?!.

+

So +simple binds would only be allow if +it's protected with SSL or TLS. If you have no interest in allowing +simple binds (note, this is not SASL bind!), then don't use the +userPassword +entry at all. If you only have interest in allowing SASL binds, this +entry can be left out completely. If, for some reason, you have +clients that can't do SASL binds (Qmail-LDAP comes to mind), then +don't have the password in the Kerberos database, but in LDAP with +either {CRYPT} or even better {SSHA}. +Using the command slappasswd, +you can create a scheme to be inserted into the database. This way, +you won't accidentally compromise your Kerberos database security.

+

+Testing OpenLDAP v2

+

In the ldapsearch commands below, I use localhost +for the name of the LDAP server. I got one mail from Will Day on the +OpenLDAP-Software mailing list, saying that this didn't work for him. +He had to exchange localhost to the FQDN of the LDAP +server instead. The reason for this is most likely because it can't +get a ticket for ldap/localhost@<KERBEROS REALM>. +To avoid that, just enter a ldap/localhost@<KERBEROS REALM> +service key as well as the ldap/<FQDN>@<KERBEROS +REALM>. Have a look at Creating +a LDAP service key below how to do that. So, if the commands +don't work as shown here, please try that.

+

Also, I'm specifying port 389 here. You might not need that at +all, since that's the default port of the LDAP server. I only list +that here, because while setting all this up for the very first time, +I ran a OpenLDAP1 server on port 389, and my new OpenLDAP2 server on +port 3389. This server is now my main LDAP database.

+

+Testing OpenLDAP, simple/anonymous bind

+

The first thing is probably to check if +a non SASL/SSL/TLS (that is, a simple bind) works

+
ldapsearch -h localhost -p 389 -x -b "" -s base -LLL supportedSASLMechanisms

+You should get something like this

+
supportedSASLMechanisms: PLAIN
+supportedSASLMechanisms: LOGIN
+supportedSASLMechanisms: ANONYMOUS
+supportedSASLMechanisms: GSSAPI

+The important stuff here is the last line! If you don't have GSSAPI +listed, something is wrong, and you should go back to Building +OpenLDAP v2 (or maybe you need to go back to Building +Cyrus SASL) and do it right this time. On my production server, I +have now disabled some of these mechanisms, so the only one I +get is GSSAPI. This is perfectly ok, since I only want/need SASL +(GSSAPI) binds.

+

+Testing OpenLDAP, simple/anonymous bind, with SSL/TLS

+

If the search for supported SASL mechanisms went well, let's + +continue with the next step. Let's try to do a simple bind, but with +SSL and TLS. The first command tests TLS, and the second one SSL +(notice the parameter -ZZ in the second and ldaps:/// +in the first?).

+
ldapsearch -H ldap://<FQDN OF LDAP SERVER>/ -p 389 -x -b "" -s base -LLL -ZZ supportedSASLMechanisms
+ldapsearch -H ldaps://<FQDN OF LDAP SERVER>/ -x -b "" -s base -LLL supportedSASLMechanisms

+You should get the same stuff as above back, only this time it is +sent to you encrypted from the LDAP server. You can double check this +by using a packet sniffer. The reason we have to enter the full name +of our LDAP server for these two commands (instead of just ldap:/// +or ldaps:///) is because in newer OpenLDAP, the certificate +verifications is much stronger. It requires the FQDN +one connects to matches the one in the certificate. In my example +(see the section about Creating +SSL certificate) the commands would look like:

+
ldapsearch -H ldap://egeria.bayour.com/ -p 389 -x -b "" -s base -LLL -ZZ supportedSASLMechanisms
+ldapsearch -H ldaps://egeria.bayour.com/ -x -b "" -s base -LLL supportedSASLMechanisms
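
Review bot: The paragraph introducing these commands has the two swapped: it says the first command tests TLS and the second SSL, then tells the reader to notice -ZZ in the second and ldaps:/// in the first. In the listings, -ZZ (StartTLS on port 389) is in the first command and the ldaps:// URL is in the second; fix the parenthesis to match.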

+ +Testing OpenLDAP, using your Kerberos ticket

+

Now let's try out a SASL bind. Exchange +the -x above to -I (uppercase i) like below. Just press +enter when you get the prompt Please enter your authorisation +name:.

+
ldapsearch -H ldaps:/// -I -b "" -s base -LLL supportedSASLMechanisms

+Anything? Nope, you should get back:

+
ldap_sasl_interactive_bind_s: Local error

+This is a bug (or maybe more correctly, 'missing feature' :) in SASL +(it doesn't return the correct error codes). There is no known fix +for this yet. To get around it, execute the command kinit and +try again. The lines above, with -x replaced with -I +should return something like:

+
SASL SSF: 56
+SASL installing layers
+dn:
+supportedSASLMechanisms: PLAIN
+supportedSASLMechanisms: LOGIN
+supportedSASLMechanisms: ANONYMOUS
+supportedSASLMechanisms: GSSAPI

+Here DES (56 bit key lengh for symmetric cryptography) is used to +encrypt the data stream. That is, the transfer of the +information to you isn't encrypted, but the actual bind (the password +and user/authorisation name) is. Hmm, wonder if this is true... I've +heard 'rumors' on some lists that SASL actually ARE encrypting all +communication between you and the LDAP server. Ah, well. Better safe +than sorry, use -H or -Z.
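Review bot: this paragraph contradicts itself about what "SASL SSF: 56" protects. Its first sentence says the data stream is encrypted with 56-bit DES, the second says only the bind is encrypted and the transfer is not, and the rest leaves the question open. Settle it and state one answer before this goes in. The closing advice "use -H or -Z" also needs tightening: -H only selects the URI, so it protects the connection only when the URI is ldaps://, and the next section states that -Z, unlike -ZZ, does not require the operation to succeed. Recommend ldaps:// or -ZZ instead.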

+

+Testing OpenLDAP, using your Kerberos ticket, with SSL/TLS

+

Please verify that a SSL and TLS works with SASL to by using -ZZ +and -H parameters to the above ldapsearch command line. +The difference between -Z and -ZZ is that the later +requires the operation to be successful.

+

+Testing OpenLDAP, simple user bind, with SSL/TLS

+

Now, if all the changes to the +database (see how to populate +the database and/or modify +the LDAP database) have been done and all the above tests work, +let's try to search the database as yourself again, but this time +doing it with a simple bind (-x to ldapsearch). To make +absolutely sure that it doesn't try to use the Kerberos ticket you +got with kinit above, execute kdestroy. Just to be on +the safe side when testing here, mind you :). Here we go, all in one +line:

+
ldapsearch -x -D 'uid=turbo,ou=People,<MY BASEDN>' -W -b "" -s base -LLL -H ldaps://<FQDN OF LDAP SERVER>/ supportedSASLMechanisms

+Enter the password when prompted. This command should return the same +thing as the previous commands. Remember, you should enter the +password for your KerberosV principal. If it didn't take the Kerberos +password, you would get this back:

+
Enter LDAP Password: 
+ldap_bind: Invalid credentials

+I worked for quite some time (about 4-5 days) to get this part to +work. I had no luck. Then, all of a sudden it worked, and I'm not +quite sure why. I am however quite sure that it have +something to do with the order the ACL's for userPassword is +arranged. OpenLDAP v2.0 is a LOT more picky about the order of the +ACL's than the 1.3 version(s) where (where my config/access file +originates from). See my OpenLDAP +access file of how it looks when it works. Take a extra look at +the section that starts with:

+
access to attr=userPassword

+NOTE: The parameters -D, -W and -w is not +used when using SASL (unless you want a simple bind, which you +normally wouldn't). You use -I (uppercase i), -U and -X +to use SASL bind. For anonymous and/or simple binds, one have to use +the option -x.

+

If all the above searches work, you might want to try searching +for data under your base DN, and also do modifications etc, just to +double check that everything works as it's supposed to. The biggest +problems I had with all this, must be the ACL's! Have a second look +at The OpenLDAP +access file.

+

+Setting up secure replication

+

One of the main points (for me at least) by using SASL, Kerberos +and SSL/TLS is so that we can have a secure/encrypted authentication +and communication between the master and slave LDAP server(s). To try +this out, I will demonstrate how you can (and should?) have a slave +server running on localhost. The reason we want to do this, is so +that when doing backups of the LDAP database, we don't need to take +down the master database, only the read-only replica, which means +that we don't have any downtime on the LDAP server.

+

+Replication configuration, slave server

+

The first thing we do, is we +create the config file for the slave server. This is basically the +exact same config file as The +OpenLDAP config file. The differences though, is that the +database is located in another directory. Preferably we should set +the database to read only, but it doesn't seem to work. We will +instead use ACL's to limit the access (as much as I can, with the +limited knowledge of OpenLDAP2's ACL structure :).

+
directory       "/var/lib/ldap.backup"
+updatedn        "uid=replicator.\+realm=<YOUR REALM>"
+include         /etc/ldap/slapd.access.backup

+Other than that, we will run the slave server on other ports than the +master. That's since we are running both on the same machine, and we +can't bind both of them on the same port (unless you make it bind to +different IP addresses, but that's nothing I will go into here). +There for we add some more options to the command line. You can use +the master's start script, modify it by running slapd like +this:

+
PORT=3391 /usr/sbin/slapd \
+     -h "ldap://0.0.0.0:$PORT/ ldaps://0.0.0.0:`expr $PORT + 1`/" \
+     -f /etc/ldap/slapd.conf.backup

+That will start the non-SSL/TLS +port on 3391, and the SSL/TLS port on 3392.

+

+Replication configuration, master server

+

The modifications to the master database's configuration, is the +location of the slave. This is what we will add to the database +definition in The +OpenLDAP config file:

+
replica         host=localhost:3391
+                tls=yes
+                bindmethod=sasl
+                saslmech=GSSAPI
+replogfile      /var/lib/ldap/replog

+Please see the OpenLDAP +2.0 Administrator's Guide:Replication and the manual page for +slapd.conf for more about this.

+

+Creating a replication principal

+

To be able to use +GSSAPI/Kerberos V with replication, we will need to create a service +key that we will use for authentication and extract that into a +keyfile. The principal I have chosen here is replicator, but you can +essentially choose any principal you like, as long as use use the +same principal in the access list on both the master and the slave +server. To create such a principal, we execute the following +commands:

+
kadmin.local -q "addprinc -randkey replicator@<YOUR KERBEROS REALM>"
+kadmin.local -q "ktadd -k /etc/krb5.keytab.slurpd replicator"

+Make sure that the keytab file (/etc/krb5.keytab.slurpd in +this example) is secure. That is, transfer it safely +to the slave and master LDAP server (using for example scp or +kscp). Also make sure it is not readable for anyone else than +the user slapd is running as.

+
If this file is compromised (obtained by any arbitrary +user), then your whole LDAP database will have to be considered +compromised!
+

+Automatically getting a ticket before starting slurpd

+

Since we are using SASL/KerberosV to do the replication +authentication, we must ensure that slurpd have a Kerberos +ticket before starting. We must also 'remember' the location of the +ticket file, so that it can be removed when shutting down slurpd. +To do this, we use the LDAP +service key we created above, like this:

+
kinit -r 7d -k -t /etc/krb5.keytab.slurpd replicator@<YOUR KERBEROS REALM>

+This line will have to be inserted into the slapd/slurpd +start script, just before slurpd is started. To make sure that +the ticket gets removed/destroyed when no longer needed (ie, when +slurpd is shutdown), we issue the command kdestroy just +after slurpd have been stopped.

+

This results in the following start scripts (for starting slurpd):

+
replicas=`grep ^replica /etc/ldap/slapd.conf`
+if [ ! -z "$replicas" ]; then
+    KRB5CCNAME=FILE:/var/run/slapd.krbenv
+    echo -n "Getting ticket for replicator: "
+    kinit -k -t /etc/krb5.keytab.slurpd replicator@<YOUR KERBEROS REALM>
+    echo "done."
+
+    echo -n "Starting LDAP replication daemon: "
+    /usr/sbin/slurpd
+    echo "done."
+fi

+This is the stopping part:

+
replicas=`grep ^replica /etc/ldap/slapd.conf`
+if [ ! -z "$replicas" ]; then
+    echo -n "Stopping LDAP replication daemon: "
+    killall slurpd > /dev/null 2>&1
+    echo "done."
+
+    KRB5CCNAME=FILE:/var/run/slapd.krbenv
+    echo -n "Removing Kerberos ticket: "
+    kdestroy && rm /var/run/slapd.krbenv
+    echo "done."
+fi

+Keeping +replication ticket updated

+

To make sure that there always is a ticket for the replicator, we +will have to execute the kinit line above every now and then +from cron. How often this should happen, depends on how +long-lived the ticket is. To find that out, we issue the command +kadmin (or kadmin.local) like this:

+
kadmin.local -q "getprinc replicator" | grep "^Maximum ticket life:"

+In my case, it will return:

+
Maximum ticket life: 0 days 10:00:00

+So I will have to renew the ticket at least every ten hours. To be on +the safe side, I'll do it every nine hours. The entry we will put +into /etc/crontab is:

+
# Making sure that the LDAP replication have a valid ticket
+
+KRB5CCNAME=FILE:/var/run/slapd.krbenv
+0 */9 * * * root test -e /var/run/slapd.krbenv && kinit -R

+You can read more about running and getting tickets in shell scripts +untended at the Kerberos +FAQ:Shell scripts.

+

There is a way to specify a longer life time when creating the +principal (-maxlife) but I haven't figured out exactly how to +specify the time. I keep getting Invalid date specification +all the time.

+

UPDATE: The maximum lifetime of a ticket can, in kadmin +or kadmin.local be +specified like

+
-maxlife "4 days"
+-maxlife "4 hours"

+etc...
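Review bot: in the slurpd start script, KRB5CCNAME is assigned but never exported, so kinit and slurpd will not see FILE:/var/run/slapd.krbenv unless the variable already happens to be in the environment; the stop script has the same problem with kdestroy. Add "export KRB5CCNAME" after each assignment. The kinit line in the start script also drops the "-r 7d" shown in the stand-alone command above it, so the ticket is not requested as renewable while the crontab entry relies on "kinit -R"; keep "-r 7d" in the script so the two agree.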

+

+Give the replicator access to the database

+

We must give the replicator principal access to write to the +database. To do this, we create this access file instead of The +OpenLDAP access file we had for the master server (this file is +named /etc/ldap/slapd.access.backup in the slave +server replication configuration above). The reason it's much +simpler is because it's read-only, and should contain a online backup +of the database, therefor there is no need for anyone else than +replicator to be able to read/write to the slave.

+
access to attr=cn,givenName,sn,krbName,krb5PrincipalName,loginShell,gecos,mail,mailAlternateAddress,mailHost,mailQuota,uidNumber,gidNumber,homeDirectory
+        by dn="uid=replicator.+\+realm=<YOUR KERBEROS REALM>" write
+        by users read
+        by * none
+
+access to attr=userPassword,ldapPassword,clearTextPassword
+        by dn="uid=replicator.+\+realm=<YOUR KERBEROS REALM>" write
+        by * none
+
+access to *
+        by dn="uid=replicator.+\+realm=<YOUR KERBEROS REALM>" write
+        by * read

+We should really not have read access at all (by users read +and by * read), but for some reason (which elude me) it +doesn't work otherwise...
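Review bot: the replicator DN is spelled two different ways. The slave config has updatedn "uid=replicator.\+realm=<YOUR REALM>", while every by-clause in slapd.access.backup uses "uid=replicator.+\+realm=<YOUR KERBEROS REALM>". If both are meant to name the same identity, use one spelling and one placeholder in both files; if the access-file form is intended as a pattern, say so in the text. The closing paragraph admits that "by users read" and "by * read" should not be there; as written, "access to * by * read" leaves every attribute not covered by the two earlier rules readable by anyone who can reach ports 3391/3392, which the start line binds on 0.0.0.0. Document that, and consider binding the backup replica to 127.0.0.1 until the ACL problem is understood.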

+

Building miscellaneous software

+

Concurrent +Version System

+

+Building CVS

+

The version I did this with was v1.11-0.1. One can now +authenticate and encrypt using the GSSAPI network security interface. +For details, see the +Cederqvist's description of specifying :gserver: in +CVSROOT, and the -a global option.

+

+Configure options

+

To do this, we need to build with the following options to +configure:

+
--with-gssapi=value     GSSAPI directory
+--enable-encryption     enable encryption support

+For non-Debian systems, these are the full configure opions:

+
--prefix=/usr
+--mandir=/usr/share/man
+--infodir=/usr/share/info
+--with-gssapi
+--enable-encryption

+How to build and install? Haven't you paid attention? :) Please go +back to the Building +Cyrus SASL section again...

+

+With Krb4 option

+

There's the --with-krb4=value to configure in this case, +but as you can see that is for Kerberos IV, and that isn't fully +compatible with MIT Kerberos V. There is however a krb524d +daemon that takes care of converting a Kerberos IV request to a +Kerberos V. But that's quite pointless, since we are already using +GSSAPI with our Kerberos V server. From what I can tell, you should +only run the krb534d daemon if you don't have any other +choice. That is, if there weren't any --with-gssapi option +here, we'd go for the --with-krb4, and made sure that our +converter daemon was running.

+

+Creating a CVS service key

+

To be able to use GSSAPI/Kerberos V +with CVS, you will have to add the appropriate service key into the +Kerberos database:

+
kadmin.local -q "addprinc -randkey cvs/<FQDN>@<YOUR KERBEROS REALM>"
+kadmin.local -q "ktadd cvs/<FQDN>"

+As you can see, the service name for CVS, are... Right, cvs!

+

+Cyrus IMAP/POP

+

This is currently unverified by me, but +this is supposed to be the way it's done...

+

+Building Cyrus IMAP and POP3 server

+

To +have the Cyrus IMAP and POP3 server use GSSAPI (SASL) to authenticate +the user, we need the source of the Cyrus IMAPd/POP3d package +(apt-get source cyrus-imapd). And to build, these are the +options to configure:

+
[I'm currently trying this out, come back in a few days]

+For non-Debian systems, these are the full configure options:

+
[I'm currently trying this out, come back in a few days]

+Configure +Cyrus IMAP and POP3 server

+

See Cyrus +IMAP/POP Howto:Cyrus IMAP Configuration and imapd.conf(5) for +more about this.

+

+Creating a IMAP/POP3 service key

+

To +be able to use GSSAPI/Kerberos V with IMAPd/POP3d, you will have to +add the appropriate service keys into the Kerberos database:

+
kadmin.local -q "addprinc -randkey imap/<FQDN>@<YOUR KERBEROS REALM>"
+kadmin.local -q "addprinc -randkey pop/<FQDN>@<YOUR KERBEROS REALM>"
+kadmin.local -q "ktadd -k /etc/krb5.keytab.cyrus imap/<FQDN>"
+kadmin.local -q "ktadd -k /etc/krb5.keytab.cyrus pop/<FQDN>"
+chown cyrus /etc/krb5.keytab.cyrus

+The keytab above is used in the wrapper needed for GSSAPI/KerberosV +support:

+
#!/bin/sh
+
+KRB5_KTNAME=/etc/krb5.keytab.cyrus
+export KRB5_KTNAME
+exec /usr/sbin/imapd.real $@

+LibPAM-LDAP and LibNSS-LDAP

+

+Building and installation

+

+Downloading source

+

Basicly the only thing that needs to be done with these two +packages are rebuilding (ie, configure and make) them, +to get SSL/TLS support. For those of you that are running Debian +GNU/Linux, execute this command

+
apt-get source libpam-ldap libnss-ldap

+and the source of the two packages will be downloaded and unpacked in +the current directory.

+

+Building packages

+

To create the two Debian GNU/Linux packages, execute this command +(we only have to rebuild them to have them recognize that we have the +installed OpenSSL development package files)

+
find -maxdepth 1 -type d -name 'lib*ldap-*' -exec sh -c 'cd {} && debuild -rfakeroot -uc -us' \;

+Install +the newly made packages

+

Now it's just a matter of executing the following command to +install them:

+
dpkg -i lib*ldap_*.deb

+SAMBA

+

This is currently unverified by me, but +this is supposed to be the way it's done...

+

+Building Samba/Samba-TNG

+

Wed, May 30, 2001

+

Have compiled samba-2.2.0.final with the following options. I'm +currently trying to configure samba. Using 'security = user' +and 'encrypt passwords = no' don't work at all, and using +encrypted password don't either (it bypasses the auth mechanisms).

+
--with-krb5
+--with-ssl
+--with-sslinc=/usr/include/openssl

+According on a mail on the kerberos mailinglist, Microsofts +Step-by-Step +Guide to Kerberos 5 (krb5 1.0) Interoperability should be +interesting to read... You be the judge, I haven't bothered to read +it fully yet :).

+

Fri, Jun 1, 2001

+

It seems that the LDAP support in samba 2.2 isn't working at all. +Have downloaded samba +TNG via CVS, hopefully that will work...

+
+Compile options
+
--with-fhs
+--prefix=/usr
+--sysconfdir=/etc
+--with-privatedir=/etc/samba
+--with-lockdir=/var/state/samba
+--localstatedir=/var
+--with-netatalk
+--with-smbmount
+--with-pam
+--with-syslog
+--with-sambabook
+--with-utmp
+--with-readline
+--with-krb5
+--with-ssl
+--with-sslinc=/usr/include/openssl
+--with-ldap
+--with-utmp
+Make string
+
make SMBLOGFILE=/var/log/smb NMBLOGFILE=/var/log/nmb all smbtorture rpctorture debug2html

+ +OpenAFS

+

I have this working just fine on my live server, and it have been +working great (better than expected!) for about three months now. +From the occasional glitch when I started to understand what exactly +AFS is, I now have all my users, my web directory and whole of my FTP +support directory on AFS.

+

There's many good things about AFS, and one that I've started to +like more and more, is that root is no longer almighty! Root have (at +least default) absolutely NO rights in AFS space! It's all about +tickets (Kerberos V) and tokens. The ACL (Access Control List) of the +directory decide who have access to what, not the system UID (User +Identification Number).

+

AFS also come with 'replication support' as standard, so adding +more servers is a good thing. And easy to, from what it seems.

+

To get OpenAFS up and running with Kerberos V (OpenAFS only works +with Kerberos IV as standard), there is some additional software's +necessary besides the OpenAFS sources. These are the OpenAFS PAM +module and the the special OpenAFS/KerberosV support software's.

+

Getting OpenAFS and the associated PAM/KRB5 softwares to compile +under Debian GNU/Linux 2.2 (code name Potato) have been proven to be +very difficult. There's a lot of build dependencies that have to be +fulfilled and very few of the packages required exists for Potato. I +have therefor left out the building of all these packages. If you +really want to build for Potato, you will have to figure out how to +build those yourself.

+

OpenAFS

+

Building +OpenAFS

+

Build +OpenAFS kernel module

+

Installing +OpenAFS

+

OpenAFS +KerberosV support software

+

Building +OpenAFS KerberosV support software

+

Installing +OpenAFS KerberosV support software

+

Configure +OpenAFS KerberosV support software

+

OpenAFS +PAM module

+

Building +and Installing the OpenAFS PAM module

+

Configure +OpenAFS PAM module

+

Configure +OpenAFS

+

Creating +a AFS service key

+

Putting +the AFS service key into the AFS KeyFile

+

Mount +the AFS volume

+

Create +the new cell

+

Setup +the cell configuration files

+

Getting +a Kerberos ticket and a AFS token

+

Setting +up root volumes

+

Testing +the OpenAFS softwares

+

Testing +OpenAFS KerberosV support software

+

Testing +OpenAFS PAM module

+

+OpenAFS

+

+Building OpenAFS

+

The source package for OpenAFS is just simply called 'openafs' +so download the source, using the command

+
apt-get source openafs

+I have not needed to make any modifications to these packages, they +are fine as is. These are the options that the Debian GNU/Linux +package is using to configure the OpenAFS sources:

+
afslogsdir=/var/log/openafs
+--with-afs-sysname=$(SYS_NAME)
+--disable-kernel-module
+--prefix=/usr
+--sysconfdir=/etc
+--libexecdir=/usr/lib
+--localstatedir=/var/lib

+The variable SYS_NAME is delivered from the output of the /bin/arch +command (in the util-linux package). For my Sun SPARC Station +4, this will equal sparc_linux22. Strangely enough, this seems +to be the system name even if I use a 2.4 kernel. I think I must look +into this more...

+

To build the package on a Debian GNU/Linux box, the command

+
debuild -uc -us -rfakeroot

+is used. If not running a Debian GNU/Linux box, execute the command

+
make dest
+ +Build OpenAFS kernel module
+

When the build of the sofware is done, there will be a +openafs-modules-source package (in my example, for the version +I built, this file will be called +openafs-modules-source_1.2.3final2-3_all.deb). +This is the source to the kernel module, which is needed to give +OpenAFS support to the kernel. The module for the kernel is built by +unpacking the file openafs.tar.gz which gets installed into +/usr/src when installing this package. This file have to be +unpacked from the /usr/src tree for the make-kpkg +command (which is in the kernel-package package.

+

To create a Debian GNU/Linux package for the kernel and for the +OpenAFS module, issue the following command inside the kernel +source tree of your choice.

+
make-kpkg -uc -us configure buildpackage modules_image

+You will have to have the kernel configured using either make +config, make +menuconfig or make xconfig depending on favorite +choice. My personal favorite is the second one, make menuconfig. +Graphically enough for me :)

+

The buildpackage option creates the kernel packages, so +that can be lefout if you don't want/need a package for your kernel.

+

When the modules_image have finished, it will leave a

+
openafs-module-KERNELVERSION_OPENAFSVERSION_SPECIALVERSION_ARCH.deb

+file in /usr/src. For my Sun SPARC Station 4, trying to build +my first 2.4 kernel on this architecture, this file will be named:

+
openafs-modules-2.4.18_1.2.3final2-5+10.00.Custom_sparc.deb

+and that is installed using dpkg (with the option -i). +If not using Debian GNU/Linux, the package is installed when you +issued the command make dest.

+

+Installing OpenAFS

+

The packages that have to be installed are:

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

All hosts

+
+

Development Host

+
+

Server Host(s)

+
+

openafs-client

+
+

libopenafs-dev

+
+

openafs-dbserver

+
+

openafs-modules-XX-YY

+
+

openafs-modules-source

+
+

openafs-fileserver

+
+


+

+
+


+

+
+

openafs-kpasswd

+
+
+

The development packages only have to be installed on the host +where all the packages are built, not on the client/server hosts +themselves. The libopenafs-dev package is needed by all +software's that is going to be compiled to use some functionality +that OpenAFS provides. That include the OpenAFS +KerberosV support software and the OpenAFS +PAM module below.

+

Before we continue with configuring OpenAFS, we need some +supplementary commands since we're using Kerberos V. So these have to +be built first.

+

+OpenAFS KerberosV support software

+

OpenAFS only comes with Kerberos IV (four) support. We need this +software to be able to use the Kerberos V (five) database, which was +the very first thing we did, and not have to have two +databases (the Transarc KA server which comes with OpenAFS and the +Kerberos V server) for user authentication/authorization.

+

+Building OpenAFS KerberosV support software

+

The source package for this is called openafs-krb5, and are +configured using the following configure options:

+
--prefix=/usr
+--with-krb5=/usr/
+--with-afs=/usr

+Building the openafs-krb5 package is done with debuild +as always (see above for more information). The software is built +using make on a non Debian GNU/Linux box...

+

+Installing OpenAFS KerberosV support software

+

The build process will create the openafs-krb5 package, and +is installed using dpkg. On a non Debian GNU/Linux box, issue +the command make install.

+

+Configure OpenAFS KerberosV support software

+

No configuration of the OpenAFS Kerberos V migration kit have to +be done. Instead of using klog to get a AFS token, one uses +aklog instead. This is (usually) done by the OpenAFS PAM +module, but not always, so use aklog after getting a Kerberos +V ticket.

+

+OpenAFS PAM module

+

This package is intended to be used by PAM aware programs getting +a AFS token, and requires aklog which is in the OpenAFS +KerberosV support software. Use it as any other PAM module.

+

+Building and Installing the OpenAFS PAM module

+

The source for this is called libpam-openafs-session, so a

+
apt-get source libpam-openafs-session

+is needed to get source for the package. Using the same command as +when we were building OpenAFS, we will end up with the package +libpam-openafs-session. This package is installed using the +command dpkg -i (as ANY package is installed on a Debian +GNU/Linux box is :).

+

Building and installing this software on a non Debian GNU/Linux +box, issue the command make and then make install.

+

The installation of this software will result in a file called

+
/lib/security/pam_openafs_session.so

+on a Debian GNU/Linux box, and

+
/lib/security/pam_openafs-krb5.so

+on a non Debian GNU/Linux machine. Why the files are named +differently, is something you will have to ask the maintainer for the +Debian GNU/Linux package about. I have not bothered with this, so be +my guest asking him :)

+

+Configure OpenAFS PAM module

+

The is no configuration that needs to be done for this package, +it's just a matter of using it. This is done in the service file, +located under /etc/pam.d. For example, using the pam_openafs_session +module with ssh, this is what my /etc/pam.d/ssh file looks like (use +as directed :)

+
auth            required        pam_nologin.so
+auth            required        pam_env.so
+auth            sufficient      pam_krb5.so forwardable
+auth            required        pam_unix.so try_first_pass shadow
+auth            required        pam_issue.so issue=/etc/issue.net
+
+account         sufficient      pam_krb5.so forwardable
+account         required        pam_unix.so try_first_pass shadow
+
+password        required        pam_krb5.so forwardable
+
+session         sufficient      pam_krb5.so forwardable
+session         optional        pam_openafs_session.so
+session         required        pam_unix.so
+session         optional        pam_lastlog.so
+session         optional        pam_motd.so

+How much of this that's actually needed, is up to you to decide and +verify, but this works for me. What this file do, is verify the +password against the Kerberos V database, OR if that fails, against +the /etc/shadow file (the shadow option). When that is +done, it will obtain a AFS token when the session starts.

+

We should really only add this module to services that have an +interactive session, such as ssh, login, ftp +etc. NOT something like the IMAP and POP services (unless you deliver +mail to the users home directory that is).
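Review bot: in the session stack of the /etc/pam.d/ssh listing, "session sufficient pam_krb5.so forwardable" sits above "session optional pam_openafs_session.so". When a sufficient module returns success, PAM stops processing the stack, so for a Kerberos login the pam_openafs_session, pam_unix, pam_lastlog and pam_motd lines below it would not run. That is at odds with the paragraph's statement that an AFS token is obtained when the session starts. Make the pam_krb5 session line optional, or move pam_openafs_session.so above it, and note which arrangement was actually tested.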

+

+Configure OpenAFS

+

+Creating a AFS service key

+

There is some things that needs to be setup before we can use AFS. +One such thing is to create a service principal for AFS. This is in +the form afs@REALM. Usually your AFS cell is the same as your +Kerberos realm, just in lower case. So since my Kerberos realm is +BAYOUR.COM, I decided to use +the AFS cell name of bayour.com. +If your AFS cell name don't match your Kerberos realm like this, you +will have to use the AFS principal form afs/CELL@REALM (like: +afs/google.com@BAYOUR.COM). Creating the service principal, +and putting it in a keytab is done like this:

+
kadmin.local -q "ank -randkey afs"
+kadmin.local -q "ktadd -k /etc/krb5.keytab.afs afs"

+ +Putting the AFS service key into the AFS KeyFile

+

We need AFS to recognize the service principal, and that is done +by putting the service key into the AFS KeyFile. This is done with +the command asetkey like +this:

+
asetkey add 4 /etc/krb5.keytab.afs afs

+The number 4 here is the +keynumber that got created in Creating +a AFS service key so make sure you took note about this. If you +forgot which number it is, you can use the following command line to +find that out:

+
kadmin.local -q 'getprinc afs' | grep ^Key

+ +Mount the AFS volume

+

AFS uses a special directory and file structure, very different +from the ordinary UN*X way of storing files. We need a special +partition to be mounted on /vicepX +where X is a letter from a to z (and from aa to zz – see the +OpenAFS +documentation for more about this). There have been indications +that this partition can not be on a journaling file system (such as +JFS, XFS and Ext3) on Linux.

+

If you don't have a free partition, +you can settle for a file that is mounted using the loop +module. Create such a file like this:

+
dd if=/dev/zero of=/var/lib/openafs/vicepa bs=1024k count=32
+mke2fs /var/lib/openafs/vicepa
+mount -oloop /var/lib/openafs/vicepa /vicepa

+ +Create the new cell

+
+Setup the cell configuration files
+

We need to have our IP address and cell name in both the file +server cell configuration file and +in the Client configuration file. If this is to be both a client and +server, that is. Usually the very first machine is both, but does not +need to be. In Debian GNU/Linux, the configuration files is +/etc/openafs/server/CellServDB +for the file server, and /etc/openafs/CellServDB +for the client. Make sure our IP address and cell name is located at +the top of these files. The +format of this file is:

+
>CELLNAME
+IPADDRESS

+So for my test environment, these files begin like this:

+
>bayour.com
+192.168.1.4 # tuzjfi.bayour.com

+We also need to specify which cell this is and the configuration file +for this is /etc/openafs/ThisCell. +In my example, my AFS cell name is bayour.com, +so I enter this into this file.

+
Setup AFS +services
+

When this is done, we can start the fileserver with the command

+
/etc/init.d/openafs-fileserver start

+Now it's time to setup and start the other services that we need for +this to be a proper file and database server for AFS. I will only +list them right of, no explanation.

+
bos addhost tuzjfi tuzjfi -localauth ||true
+bos adduser tuzjfi turbo -localauth
+bos create tuzjfi ptserver simple /usr/lib/openafs/ptserver -localauth
+bos create tuzjfi vlserver simple /usr/lib/openafs/vlserver -localauth
+bos create tuzjfi fs fs -cmd /usr/lib/openafs/fileserver -cmd /usr/lib/openafs/volserver -cmd /usr/lib/openafs/salvager -localauth
+vos create tuzjfi a root.afs -localauth

+In these examples, I have specified tuzjfi +which is my test platform's hostname. Replace with your +hostname! Also, the paths to the commands (/usr/lib/openafs/) +might differ from your installation, so take note!

+

Also, turbo in these commands +is my principal name which is to be the administration user for my +AFS cell. Exchange with your principal name!

+

When this is done, we can start the +AFS client which mounts the /afs tree which is where we access +our AFS file system. This is done with the command

+
/etc/init.d/openafs-client force-start
+Do not under any any circumstances access anything under /vicepX! +It is in special AFS format, and any changes might render your AFS +system unusable!
+
+Getting a Kerberos ticket and a AFS token
+

To be able to create volumes (which can roughly be translated to +partitions – storage space in AFS), we need a token for the +administration user (which we created above). This is done by issuing +the command (exchange with your +principal name):

+
kinit turbo && aklog
+ +Setting up root volumes
+

The following command sequences will create the necessary volumes +with the proper access control. Don't forget to change all +occurrences of 'tuzjfi' to +your hostname, and all references to 'bayour.com' +to your cell name. The 'bayour' +entries is quick access links to the cell mount point, and it's up to +you if you want/need them...

+
fs sa /afs system:anyuser rl
+vos create tuzjfi a root.cell -localauth
+fs sa /afs/bayour.com system:anyuser rl
+fs mkm /afs/.bayour.com root.cell -cell bayour.com -rw
+fs mkm /afs/.root.afs root.afs -rw
+ln -s /afs/bayour.com /afs/bayour
+ln -s /afs/.bayour.com /afs/.bayour
+vos addsite tuzjfi a root.afs -localauth
+vos addsite tuzjfi a root.cell -localauth
+vos release root.afs -localauth
+vos release root.cell -localauth

+ +Testing the OpenAFS softwares

+

+Testing OpenAFS KerberosV support software

+

To verify that it is possible to get a AFS token from the OpenAFS +server(s), you must have a Kerberos V ticket. This is done using the +command kinit. If kinit where successful in getting a +ticket, it will look something like this when looking at the ticket. +Viewing what tickets you have is done with the command klist +without parameters, like this:

+
[papadoc.pts/1]$ kinit
+Password for turbo@<MY_KERBEROS_REALM>: 
+[papadoc.pts/1]$ klist
+Ticket cache: FILE:/tmp/krb5cc_turbo
+Default principal: turbo@<MY_KERBEROS_REALM>
+
+Valid starting     Expires            Service principal
+05/31/02 09:59:23  05/31/02 19:59:19  krbtgt/<MY_KERBEROS_REALM>@<MY_KERBEROS_REALM>
+
+
+Kerberos 4 ticket cache: /tmp/tkt1000
+klist: You have no tickets cached
+[papadoc.pts/1]$ 

+Now it's time to get the AFS token:

+
[papadoc.pts/1]$ aklog
+[papadoc.pts/1]$ tokens
+
+Tokens held by the Cache Manager:
+
+User's (AFS ID 1) tokens for afs@<MY_AFS_CELL> [Expires May 31 19:59]
+   --End of list--
+[papadoc.pts/1]$ 

+As you can see, if everything goes well, aklog won't output +anything. This is in good old UNIX style. If it's okay, why say +anything :)

+

+Testing OpenAFS PAM module

+

When the Testing +OpenAFS KerberosV support software have been successful, it is +time to verify that the PAM module works. This is done by trying to +login with a service that is OpenAFS aware. In Configure +OpenAFS PAM module we enabled the ssh service to use +OpenAFS, so we try to login through ssh.

+

Miscellaneous information

+

+Migrating existing users

+

For those that are converting an existing setup (be it users +located in /etc/passwd, +NIS/NIS++, NDS etc) it would be nice if there +where a 'execute and continue' solution to on the fly convert the +current database while keeping the users passwords. But there is no +such thing, and never will (in most cases anyway). This is because +most, if ALL 'password storage systems' have some means of encrypting +the password. And most of them is a one-way encryption, meaning that +it's not possible to decrypt it (only force a check, trying out +random password to see if it's a match).

+

It is therefor necessary to either write a program that inserts +the users password into Kerberos (after a successful authorization) +or you can ask each and every user to come to you to receive/change +their password. On a big system, this is just not possible, so there +you have to go with option one.

+

There is however a third alternative, although in my eyes not the +perfect one... It is to only include the NEW users in this new +system, and slowly migrate (forcing a password change) the existing +ones.

+

I went for the first alternative, because my users are very spread +geographically, so it was not possible for them to come to me for a +new password, and I don't like to talk passwords over the phone. Some +of my users I never meet. So what I did was I modified the pam_ldap +module to insert the users clear text password into the +clearTextPassword attribute in the LDAP database, then after three +months I did a search for users with a clearTextPassword +entry, and use that when changing the users password in the Kerberos +server. Something like this:

+
ldapsearch -LLL 'cleartextpassword=*' clearTextPassword krb5PrincipalName

+This will give us something like this

+
dn: uid=turbo,ou=People,dc=papadoc,dc=bayour,dc=com
+krb5PrincipalName: turbo@<MY KERBEROS REALM>
+clearTextPassword: ThisIsMySecretPasswordInClearTextFormat

+This will however also give us the passwords that are set to 0 or *. +We must initially set it to some value, because OpenLDAP does not +allow us to insert a NULL value. You either use an attribute (which +requires a value) or you don't. So you'll have to write a script that +parses the information, filtering out those that don't make sense.

+

Then, for each value retrieved, modify the krb5PrincipalName +with the value of clearTextPassword. If you're paranoid, or +don't want this information in the database, just modify each LDAP +object, removing the clearTextPassword attribute and +the corresponding object class.

+

To change a password in the Kerberos database in a script, this is +how to do it

+
kadmin.local -q "cpw -pw <USER PASSWORD> <USER PRINCIPAL>"

+The magic here is the -pw option.
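Review bot: "Migrating existing users" has the modified pam_ldap module store every user's password in a clearTextPassword attribute for three months, but nothing in the section says who can read that attribute or how the ldapsearch that collects it is protected. Suggest stating that clearTextPassword must be restricted by ACL to the admin DN, that the search should run over SSL/TLS or locally on the server, and that removing the attribute after the Kerberos change is a required step rather than something for the paranoid. Two smaller points: the sentence "modify the krb5PrincipalName with the value of clearTextPassword" should say that the principal's password is changed, and the kadmin.local cpw -pw line passes the password as a command-line argument, where other local users can see it in the process list while it runs, which deserves a caveat next to "The magic here is the -pw option".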

+

+Bumping the Debian GNU/Linux package version

+

Instead of putting the packages on hold, one can increase the +version number in a 'secure' way. That is, one makes the version +number such that it will always be higher than the default Debian +package number, that way it won't be upgraded/overwritten by a +default Debian version. To do this, one edits the file +debian/changelog. If we take the entry I made for the +cyrus-sasl packages as an example, the top of the changes file will +look like this:

+
cyrus-sasl (2:1.5.24-5.TF.3) unstable; urgency=low
+  * --without-des. It seems that's part of the Krb4 packages, not Krb5...
+
+ -- Turbo Fredriksson <turbo@debian.org>  Sun,  1 Apr 2001 19:10:58 +0200
+
+cyrus-sasl (2:1.5.24-5.TF.1) unstable; urgency=low
+  * Can't do search with '-H ldaps:///', but to the non-ssl works.
+    Norbert Klasen <klasen@zdv.uni-tuebingen.de> say:
+    Seems to be some signend/unsigned arithmetic mismatch.
+    => Patched plugins/gssapi.c
+
+ -- Turbo Fredriksson <turbo@debian.org>  Wed,  7 Mar 2001 15:30:00 +0100
+
+cyrus-sasl (2:1.5.24-5.TF) unstable; urgency=low
+  * Build with the following parameters to configure:
+        --enable-gssapi         Needed to have kerberos auth
+        --with-des              Even better to have I guess
+
+ -- Turbo Fredriksson <turbo@debian.org>  Tue, 27 Feb 2001 17:34:33 +0100

+The important number here is 2: before the actual number +(1.5.24-5). This number will not be seen when doing a

+
dpkg -l libsasl-modules

+but only when doing

+
dpkg -s libsasl-modules | grep '^Version: '

+The .TF is added just to make sure that I remember that it's a +home made packages. It will however work just fine without it. If I +remove the 2: and just have .TF, the package will be +upgraded by any package with a version number higher than 1.5.24-5. +That can be, for example 1.5.24-5.1 +which would indicate the first Non Maintainer upload. A fix for this +package, by the maintainer, would have the number 1.5.24-6 +which would also overwrite my package (if I didn't have the 2:). +By setting myself (the Turbo Fredriksson <turbo@debian.org> +entry) I will be listed as the maintainer when viewing the status of +the package (dpkg -s libsasl7 for example). That is also a +indication that it is a home made package. To make this a 'fully +fledged Debian package', instead of issuing the command debuild +-uc -us -rfakeroot i will remove the -uc -us (which is +unsigned source and changelog. Without those two parameters, the +package will be signed with my PGP (or GPG) signature. In emacs, +there's the debian-changelog-mode command, that will give you +a proper editing mode for changelogs. The mode is in the emacs +package.

+

+Problems that can occur

+

Nothing works right out of the box. Sad to say, but that's the way +it is. I have tried to list as many of the most common problems here, +but I'm still working on this, so please contribute!

+

Problems +when the KVNO don't match up.

+

No +such attribute error

+

No +such object error

+

Local +error

+

Problems +with ACL's

+

SLAPADD +problems/messages

+

Attribute +type undefined

+

Attribute +not allowed

+

Missing +required attribute

+



+

+

If you can't have pam_ldap to +authenticate you, this is most likely a problems +with ACL's

+

+Problems when the KVNO don't match up.

+

A problem with the kvno can be verified by executing the klist +-k command. If I do it on my machine, I will get this output:

+
Keytab name: FILE:/etc/krb5.keytab
+KVNO Principal
+---- --------------------------------------------------------------------------
+   4 kadmin/admin@<MY KERBEROS REALM>
+   4 kadmin/admin@<MY KERBEROS REALM>
+   4 kadmin/changepw@<MY KERBEROS REALM>
+   4 kadmin/changepw@<MY KERBEROS REALM>
+   5 ftp/<MY FQDN>@<MY KERBEROS REALM>
+   3 host/<MY FQDN>@<MY KERBEROS REALM>
+   3 host/<MY FQDN>@<MY KERBEROS REALM>
+   4 ldap/<MY FQDN>@<MY KERBEROS REALM>
+   5 ftp/<MY FQDN>@<MY KERBEROS REALM>
+   4 ldap/<MY FQDN>@<MY KERBEROS REALM>

+The reason there are two of a kind, is because they use different +crypto algorithms. To check this, use the command

+
klist -keK | grep ldap

+(we're only interested in the ldap service key at this point), it +will return something like this:

+
   4 ldap/<MY FQDN>@<MY KERBEROS REALM> (DES cbc mode with CRC-32)  (0x<A HEX NUMBER>)
+   4 ldap/<MY FQDN>@<MY KERBEROS REALM> (Triple DES cbc mode with HMAC/sha1) (0x<A HEX NUMBER>)

+To verify that the kvno for the ldap service key is correct, issue +the command

+
kvno ldap/<MY FQDN>@<MY KERBEROS REALM>

+This is what I get back:

+
ldap/<MY FQDN>@<MY KERBEROS REALM>: kvno = 4

+As you can see, they match up now. However, I wasted two whole days +on looking for a problem with OpenLDAP/SASL, when it was in fact a +problem with this number.

+

If the number received from kvno +is lower than the number received from klist, one have +to remove all the service keys and principal of that service and then +add them again. I doubt that this is the correct/best way to do it, +but it works for me (probably since this is a fresh install, without +a big DB etc.).

+
kadmin.local -q "ktrem ldap/<FQDN> all"
+kadmin.local -q "delprinc ldap/<FQDN>"
+kadmin.local -q "addprinc -randkey ldap/<FQDN>"
+kadmin.local -q "ktadd -k /etc/krb5.keytab ldap/<FQDN>"

+If the number from kvno is +higher than the one from klist, just add the service +key to the keytab, removing (?) all the old ones. Use ktadd +below until the numbers from both klist and kvno match +up.

+
kadmin.local -q "ktadd -k /etc/krb5.keytab ldap/<FQDN>"
+kadmin.local -q "ktrem ldap/<FQDN> old"

+Update, 2001-04-13: +When doing all this for a company I'm doing some consulting for, I +noticed that this might not be necessary (removing and then adding +the principal, that is). I'm not sure what happened, but I'll tell +you what I did.

+

The company have three machines, dns1, dns2 and +kattla (the dragon from Astrid Lindgren's Lionheart). Kattla +is the LDAP/Kerberos server, and dns1 and dns2 is the +DNS servers.

+

I added the host/<FQDN> principals for the three +machines in kattla's keytab. When trying krsh/ktelnet +to dns1, the machine complained about 'no such file'. Using +strace I found that kshd/ktelnetd where looking +for the keyfile /etc/krb5.keytab. I had hoped that I wouldn't +need that (since I thought/had hoped that all that would be in the +KDC). Now, I wouldn't want to copy the whole keytab from kattla +(since that included ALL server's host keys). So I executed

+
ktadd -k /etc/krb5.keytab.dns1

+on kattla and copied that file to dns1 as file +/etc/krb5.keytab. Logical conclusion? I thought so. But that's +where I got the same problem as before. The keytab on dns1 had +version 4, but I had tried connecting and got version 3 in my ticket +(that is, doing kvno host/dns1.DOMAINNAME on my own +server, revealed version 3). This was a real nuisance. I couldn't +figure out a way to have the same version in the two files.

+

Doing some testing, I tried executing kdestroy and then +kinit again. That helped!

+

Now, I'm not sure if I really need all the host keys in kattla +but as said, I'm not very good at Kerberos administration yet...
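Review bot: In the 2001-04-13 update the command "ktadd -k /etc/krb5.keytab.dns1" names no principal, so it cannot be followed as written; it should name the host principal for dns1 that the preceding paragraph is talking about. The update also reports keytab version 4 against ticket version 3, cleared by kdestroy and kinit, without saying why, while the advice earlier in the section for a mismatch is ktrem all, delprinc and addprinc. Since the author's own test shows that a fresh ticket cleared the mismatch, suggest telling readers to try kdestroy and kinit first, presenting the delete-and-recreate sequence as a last resort, and resolving the "removing (?)" in the ktadd paragraph.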

+

+No such attribute error

+

You get this error when SASL isn't configured/working properly. +Please see the simple bind examples on +when to know if SASL works or not.

+

+No such object error

+

This is most likely because you are trying to do a +simple/anonymous +bind, but aren't using the correct parameters to +ldapsearch/ldapadd/ldapmodify. Try adding -x +to the command line. If you are using -x, but still get this +error, it might be that your ACL's don't allow viewing the base dn +(where the supportedSASLMechanisms attributes are). +

+

+Local error

+

This error messages will look like this

+
# ldapsearch -h localhost -p 389 -I -b "" -s base -LLL supportedSASLMechanisms
+SASL/GSSAPI authentication started
+SASL Interaction
+Please enter your authorization name: 
+ldap_sasl_interactive_bind_s: Local error

+This is because you don't have a Kerberos TGT (Ticket Granting +Ticket). Just execute kinit to get a ticket.

+

Will Day (on the OpenLDAP-Software list) also reported that he got +this problem because he hadn't specified the FQDN host name of the +LDAP server, which led it to default to localhost, for which it +couldn't get a Kerberos ticket.

+

+Problems with ACL's

+

I migrated from OpenLDAP1 to OpenLDAP2. Having used OpenLDAP1 for +over a year on a number of production servers, going to OpenLDAP2 was +quite a nuisance. The first problem I got was that the old database +wouldn't load at all (which was a problem with the non-existence of +proper schemas). The other, and the one that gave me the most grief +was the ACL's. It seems like OpenLDAP2 is much more strict about the +correctness and order of the ACL's. So it's important to have all the +stuff in the right order and in the right place. By a lot of trial +and error, I came up with The +OpenLDAP access file you see in this document. It might be the +most perfect, but at least it works. If all other fails, try my ACL +and see if that work. If it does, start modifying that to get the +restrictions you want. I'm still working on perfecting this list, so +come back every now and then to see if I have any updates... +

+

Otherwise, don't hesitate to ask on the OpenLDAP-Software +mailing list or if you need to make your own schemas, have a look +at the OpenLDAP2 +Admin Guide:Schema Specification.

+

+SLAPADD problems/messages

+

+Attribute type undefined

+
slapadd: could not parse entry (line=<SOME LINE NR>)

+This (usually ?) means that one (or more) of the attribute you are +trying to use, don't exist in any schema. For example, I kept getting +this when trying to use the objectclass krb5Principal. The +attribute I meant to use where krb5PrincipalName +but a typo slipped in the LDIF, so it was named krb5Principal +instead...

+

NOTE: The line it complains about, is the first empty line +after the object (that is, the empty line between +the two adjacent objects) in the LDIF file. There is no problem on +the line itself, but the object above the empty line. To find +exactly what attribute it complains about, copy the whole (and ONLY +the) troublesome object to a separate LDIF file, and try to just add +that object. Then use -d -1 when executing slapadd.

+

Solution: Correct attribute name

+

+Attribute not allowed

+
slapadd: dn="<SOME DN>" (line=<SOME LINE NR>): attribute not allowed

+This (usually ?) means that you have attribute which is not a MUST +or MAY attribute in the objectclasses you are using.

+

Solution: Find the objectclass this +attribute belong to, and add that to the LDIF.

+

+Missing required attribute

+
slapadd: dn="<SOME DN>" (line=<SOME LINE NR>): missing required attribute

+This should be quite obvious. You are trying to use a objectclass, +but you have not specified one (or more) of the MUST +attributes. For example, when trying to modify my old DB (replacing +the attribute userPassword), I wrote a perl script that parsed +the old LDIF, and replaced all the userPassword: {crypt}... +values with userPassword: {KERBEROS}user@<MY KERBEROS REALM>. +Some of the objects (especially the AdminDN object) should not be +replaced, it should retain the crypted value. But my script was +buggy, so the attribute where totaly removed. Those DN's used the +objectclass simpleSecurityObject which MUST have the +attribute userPassword.

+

Solution: Add the missing REQUIRED (MUST) +attributes to the LDIF.

+

+Shortcuts

+

For those of you running Debian GNU/Linux which thinks all this +about making your own package are daunting, or if you're just to lazy +to do it your self, you can always get the pre-compiled binaries from +me. I make no promises to keeping them up to +date, I'm deploying this on a live server, without access to a +development platform. Because of this, it's difficult to keep +downloading packages, remake them and then doing a install. IF +something breaks, it will break my live server!

+

HOWEVER, if you thing it's about time I upgraded (ie, these +packages are WAY out of date) don't hesitate to send me a simple +and friendly 'nudge' mail, telling me to get my acts together! :)

+

+APT configuration

+

If you use Debian GNU/Linux and would like to use the packages +I've created, here's the line you should add one of the following +lines to the /etc/apt/sources.list file, and run the command +apt-get update to update the list of available packages.

+
deb ftp://ftp.bayour.com/pub/debian local .
+deb-src ftp://ftp.bayour.com/pub/debian local .

+These packages have such a higher version number, that they won't be +upgraded by the packages from the official Debian GNU/Linux FTP +sites. See the section about Bumping +the Debian GNU/Linux package version section of what I mean.
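Review bot: The two sources.list lines in "APT configuration" fetch packages over plain ftp://, and this paragraph says their version numbers are set so that official Debian packages never replace them; the package table that follows includes ssh, sudo, openssl and the PAM modules. Suggest the section say how a reader can verify what they download (the version-bumping section mentions building without -uc -us so the package is signed, but no key or checksum is referenced here) and note that the 2: prefix also keeps out Debian's own fixes for these packages, so updates depend entirely on this repository, which the Shortcuts section says is not promised to be kept up to date.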

+

Packages are available for the Intel processors and for Sun SPARC +only. Unfortunately I don't have any Alpha, PPC, m68k machines, so I +can't currently support these architectures. Using my source +packages, all you have to do is download them yourself, and compile +using debuild as directed elsewhere in this document...

+

+These are the packages that are available for installations

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

KerberosV + server

+
+

KerberosV + client

+
+

KerberosV + services

+
+

PAM/NSS

+
+

Miscellaneous

+
+

krb5-kdc

+
+

krb5-doc

+
+

krb5-ftpd

+
+

libnss-ldap

+
+

cvs

+
+

krb5-admin-server

+
+

krb5-user

+
+

krb5-rsh-server

+
+

libpam-ldap

+
+

ssh

+
+

krb5-dev

+
+

krb5-clients

+
+

krb5-telnetd

+
+

libpam-krb5

+
+

sudo

+
+


+

+
+


+

+
+


+

+
+


+

+
+


+

+
+

OpenSSL

+
+

Cyrus SASL

+
+

OpenLDAP2

+
+

OpenAFS

+
+

PostgreSQL

+
+

libssl0.9.6a

+
+

libgdbmg1

+
+

libiodbc2

+
+

openafs-dbserver

+
+

libecpg3

+
+

openssl

+
+

libpam0g

+
+

libldap2

+
+

openafs-fileserver

+
+

libpgsql2.1

+
+

libssl0.9.6a-dev

+
+

libcommerr2

+
+

ldap-utils

+
+

openafs-modules-source

+
+

odbc-postgresql

+
+


+

+
+

libkrb53

+
+

slapd

+
+

openafs-client

+
+

postgresql

+
+


+

+
+

libsasl7

+
+

libldap2-dev

+
+

libopenafs-dev

+
+

postgresql-client

+
+


+

+
+

libsasl-modules

+
+


+

+
+

libpam-openafs-session

+
+

postgresql-dev

+
+


+

+
+

libsasl-bin

+
+


+

+
+


+

+
+


+

+
+
+

+Table 1: Packages to install. Packages in italic is for +development only...

+

The PAM/NSS modules above will come with SSL +and TLS enabled, if downloaded from me. CVS, SSH, sudo and +PostgreSQL is compiled with GSSAPI/Kerberos support (which the +original packages are not).

+

+Mailing lists for help

+
+ + + + + + + + + + + + + + + + + + + + + + + +
+

Debian + GNU/Linux

+
+

MIT + Kerberos V

+
+

NSS/LDAP

+
+

OpenAFS-Info

+
+

OpenSSL

+
+

Cyrus + SASL

+
+

PAM/LDAP

+
+


+

+
+

Berkeley DB

+
+

OpenLDAP

+
+

Samba TNG

+
+


+

+
+
+

+LDAPv3, why bother

+

Foreword

+

Papadoc, +before conversion

+

Why +SSL/TLS?

+

Why +Kerberos?

+

Kerberos +replacement software

+

Why +SASL?

+

+Foreword

+

Why should we use so much encryption +and such a complicated setup, when user information (inclusive the +password) works so great together with libpam-ldap? Well, basicly the +keyword here is growth (and maybe security, even though many isn't +that paranoid as me :). To illustrate what I mean by growth, I will +show you the system I use, and the (small) differences to a system I +did for the company I worked for.

+

+Papadoc, before conversion

+

I only have one machine +(called papadoc for 'historical' reasons). This system 'only' hosts +five domains, with about 50 users (most of them family and friends). +Having users (and all there relevant information, such as UID/GID +number, home directory, passwords, mail address, mail aliases etc, +etc) in an LDAP database, using libpam-ldap to help authentication, +was my main reason for LDAP. Be able to structure users in a +tree-like fashion, with the possibility to have a fail-over system +(an extra LDAP database, a so called 'replica') is a very nice +feature. But I'm not going to tell you much about the reasoning for +LDAP in the first place, there are other, better HOWTOs/FAQs etc out +there.

+

At my previous job, we had +the exact same system, but with a lot more domains, a lot more users +and finally, a lot more machines. Since this was an ISP, redundancy +is vital. So a replica was quickly setup (so that we could have an +online backup of the user/mail database). Using round-robin (poor +mans load-balancer) reduced the load of the master database.

+

+Why SSL/TLS?

+

Here came (and comes for me to when, not +if, I add a second DB or a second machine, be it shell, mail server +or other type of system) the first big gripe I had with OpenLDAP1 (at +the time of this writing, I'm still running OpenLDAP v1.2.11 on my +system, but are slowly migrating to OpenLDAP2 according to this +document). Since OpenLDAP1 don't have built in support for SSL/TLS +(or any other secure authentication mechanism), all communication +between the master and slave (or by any of the other servers on the +network, about 50 or so at last count) is done in clear text! It's +quite easy for someone on the same network segment (yes, EVEN if it's +a switched network!) to listen on the communication and retrieving +all the passwords etc. This can be avoided to some extent by using +external programs to do the SSL tunnelling, such as stunnel. +My experience with this is that it isn't that reliable. Stunnel dies +every now and then, and it's difficult to automate the process. +Another big gripe I had, was the fact that the replication DN and +password (options replica and bindmethod) have to be +stored in clear text in the configuration file. And the third thing +is that libpam-ldap is doing the authentication in clear text as +well. This isn't true any more (latest version, v99), since it can be +compiled with SSL support. +

+

Using only PAM/LDAP, an +authentication happens something like this:

+
login -> PAM -> PAM/LDAP -> LDAPServer

+Everything between login and the LDAP server is clear text +communication.

+

Also imagine adding a second system, or putting the LDAP serveri +on it's own machine. All logins (be it login/imap/pop/ssh/ftp etc) is +verified in clear text between the system and the machine where the +LDAP database is residing. Now we have tree machines, the actual +server, the master LDAP database and the slave database (or a second +login system). Login in this text does refer to a software +that does some kind of user authentication, not the program +login. All communication back and forth is done in clear text, +giving anyone (basically) the chance to discover any password.

+

+Why Kerberos?

+

But why store the user passwords in the +Kerberos database in the first place? Why not just use it for/when we +need a replica (or replicas)? We only really need Kerberos to have a +service key, right? Nope, not quite true. The answer is quite simple +actually. Kerberos is designed solely as a secure password storage +database (with a secure authentication protocol) on an insecure +network. And contrary to popular belief, a local network IS NOT +to be considered a secure environment! LDAP, on the other hand, is +designed to be a database for distributed, public information. +

+

+Kerberos replacement software

+

Put simply, passwords are more +secure in a Kerberos database, than in a LDAP ditto. Besides, with at +least MIT Kerberos, there are special, kerberised binaries that +replace the original ones. This will give you a more secure way of +authentication (you don't have to go through PAM etc). The software +to let this be possible, is libnss-ldap. It will get all the +public information (such as UID/GID numbers, home directory etc, etc) +from LDAP, but look at the Kerberos server fo the password. Thus, all +sensitive information is encrypted, even before leaving the binary. +The binaries/services that can be replaced right-out-of-the-box is +login, ftpd, ftp, rlogind, rlogin, +rshd, rsh, telnetd, telnet and passwd.

+

+Why SASL?

+

Oki, I guess I have convinced you why it is +imperative to use SSL/TLS, and we have discussed some of the nice +things about Kerberos. But why use SASL? Where does that come into +play? Well, when using the combination SASL and KerberosV (SASL can +use other means of storing password, Kerberos is just my choice), we +can use a KerberosV keytab to authenticate the master database with +the slave with. Thus, no need for any passwords etc in the slapd +configuration file. See Creating +a replication principal for more about this. The reason we use +SASL, is because SASL is designed as a middle-layer. That is, +it sits between the LDAP server and the authentication system (in +this case, Kerberos). As mentioned, SASL could just as well use any +other authentication system, such as the default UNIX way +(/etc/passwd, /etc/group etc), it's own database file (usually +/etc/sasldb) etc. In theory, it can even use a LDAP database (which +might be a little redundant, and difficult do obtain, with out +creating authentication loops). With a little code writing, it's even +possible to use a KerberosIV server. Some use libpam-smb to +look-up the user/password on a Windows PDC. Simply, SASL is +designed as a modular authentication protocol, and it's usage is as a +middle-layer. The difference between SASL and PAM (which in many +ways resembles each other) is that SASL have integrity and +confidentiality protection, while PAM don't have anything like that.

+

With all this stuff we have +discussed (LDAP, SSL/TLS, SASL and Kerberos), we get this flow of +authentication (remember the flow, +libpam_ldap?):

+
login -> PAM -> PAM/LDAP -> SSL/TLS -> SASL -> LDAP -> KerberosV

+If we only want the UID/GID number etc (like when doing ls -l +etc), the communication stops at the LDAP server, and don't continue +with SASL/Kerberos.

+

There are still many hops the +information have to travel, many of them not that very secure (like +PAM). So to minimise that, we could replace many (preferably all) of +the programs with proper Kerberised binaries, see the section about +Kerberos +replacement software. That will create the following +authentication flow.

+

For public information:

+
login -> NSS -> NSS/LDAP -> LDAP

+and for password authentication:

+
login -> Kerberos

+Much cleaner, don't you think? A nice feature would be to have +SSL/TLS to the libnss-ldap software, but I'm not quite that +paranoid yet :). It might already have that option, I just haven't +bothered to check...

+

UPDATE: I just recompiled the libnss-ldap package, +and if the OpenSSL development package are installed, libnss-ldap +will come with SSL/TLS.

+

+Updates

+

In the package listings below, the package names in bold is +the one you need if installing the rest of my packages (ie, just +using the packages, not building anyting yourself) and the ones in +italic is needed for building you own packages of the other +software. If you are very daring, have a look at the Shortcuts +section.

+

+BerkeleyDB

+

+v3.3.11

+

15/8 2001: Build and install exactly like you did on +Building +and installing Berkeley DB.

+

Unfortunately, Sleepycat have changed some of the interface, so +that OpenLDAP will have to be rewritten slightly to use the new +version of BerkeleyDB.

+
THAT IS, OPENLDAP WILL NOT WORK WITH THIS VERSION OF +BERKELEYDB!
+

+OpenSSL

+

+v0.9.6a

+

28/5 2001: Built v0.9.6a from the Debian GNU/Linux +sources. See OpenSSL.

+ +
openssl
+libssl0.9.6
+libssl-dev
+ssleay

+v0.9.6b

+

15/8 2001: Built v0.9.6b from the Debian GNU/Linux +sources. See OpenSSL.

+

+OpenLDAP

+

+v2.0.10

+

28/5 2001: According to a mail on the +OpenLDAP-Software mailinglist:

+
At 05:17 PM 5/22/01, Mark Whitehouse wrote:
+I am experiencing some database corruption problems with back-ldbm using
+Berkeley DB 3.2.9.  Any advances over this configuration would especially
+interest me.
+ +

+v2.0.11

+

12/8 2001: I'm currently testing this version, and +it works fine in a CHROOT jail.

+

I'll try to upgrade my machine the next couple of hours/days and +let you know...

+ +
[papadoc.pts/4]$ dpkg -l | grep ssl
+ii  libssl0.9.6    0.9.6b-1       SSL shared libraries
+ii  libssl09       0.9.4-5        SSL shared libraries
+ii  libssl09-dev   0.9.4-5        SSL development libraries
+ii  libssl095a     0.9.5a-5       SSL shared libraries
+ii  openssl        0.9.6b-1       Secure Socket Layer (SSL) binary and related
+ +
[papadoc.pts/4]$ dpkg -l | grep ssl
+ii  libssl-dev    0.9.6b-1       SSL shared libraries
+ +

16/8 2001: I just don't seem to get this to work. I'm still +working on it though, since I REALLY need it!

+

+v2.0.14

+

21/11 2001: I finally got this version to work! You +will have to patch servers/slurpd/config.c. +This is what it looks like:

+
diff -urN openldap-2.0.10/servers/slurpd/slurp.h openldap-2.0.10.new/servers/slurpd/slurp.h
+--- openldap-2.0.10/servers/slurpd/config.c     Mon Sep 18 18:08:08 2000
++++ openldap-2.0.10.new/servers/slurpd/config.c Thu May 24 15:29:17 2001
+@@ -34,7 +34,7 @@
+ #include "slurp.h"
+ #include "globals.h"
+ 
+-#define MAXARGS        100
++#define MAXARGS        500
+ 
+ /* Forward declarations */
+ static void    add_replica LDAP_P(( char **, int ));
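Review bot: The diff -urN line names servers/slurpd/slurp.h while the ---/+++ lines and the surrounding text name servers/slurpd/config.c, and the paths say openldap-2.0.10 although the patch sits under the v2.0.14 heading; either correct the header or say that the 2.0.10 patch applies unchanged to 2.0.14. On the change itself, raising MAXARGS from 100 to 500 only moves a fixed limit, and the HOWTO does not say which configuration needed more than 100 arguments or what slurpd does when the limit is exceeded; a sentence on the symptom that made the patch necessary would let readers tell whether they need it.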

+The patches you see in the Bugs +in OpenLDAP, v2.0.7 section is NOT needed +with this version. The only patch necessary is the one above +(servers/slurpd/config.c). Also, this patch is NOT +needed with OpenLDAP v2.0.18 +and later! I'm currently trying to install that, I'll let you know...

+

+v2.0.18

+

21/11 2001: This worked right out of the box! Weird! +No patches had to be applied, I just compiled it according to the +section Building OpenLDAP v2.

+

+v2.0.21

+

24/01 2002: This worked out perfectly! No need for +any patches etc. Just compile and install!

+
Note that you should really install this, and not +anything earlier. There is a bug in version 2.0.19 (and earlier I +assume).
+

+v2.0.22

+

06/02 2002: This worked out perfectly! No need for +any patches etc. Just compile and install!

+

Just for the record, these are the changed files in the Debian +GNU/Linux package. Other than this, I made no changes...

+
    +
  1. The debian/rules
    +
  2. The debian/changelog
    +
+

+v2.0.23

+

26/03 2003: Same as previous version. Works great! +Same modifications as v2.0.22.

+
    +
  1. The debian/rules
    +
  2. The debian/changelog
    +
+

+CyrusSASL

+

+v1.5.27

+

20/11 2001: Thanx to Allan Streib, I got some +updates on the new CurysSASL software:

+
    +
  1. There is a potential security vulnerability in cyrus-sasl versions prior to 1.5.27.  It is described at: http://xforce.iss.net/static/7443.php
    +
  2. To close the vulnerability above, I downloaded version 1.5.27 from the cyrus FTP site. I found that the problem corrected by your patch 1 has been corrected in this version of gssapi.c. However the second problem (REALM being dropped in a GSSAPI SASL bind) is still there. But your second patch file could not be applied, as there are enough other changes to gssapi.c that patch(1) could not resolve the context. I created the attached patch which corrects the problem in the 1.5.27 release. To apply it, change to the plugins directory and enter:
    +
      +
      $ patch < cyrus-sasl-1.5.27-gssapi.patch
      +
    +
+

26/03 2002: Rein Tollevik found a problem with +chain-crashing postfix-tls using SASL LDAP authentication. Without +this patch, all applications that both link to OpenLDAP and use SASL +(maybe through PAM) will segfault. Apply this patch by issuing the +command:

+
patch -p1 < cyrus-sasl-1.5.27-sasl_allocation_locked.patch

+MIT KerberosV

+

+v1.2.4

+

04/03 2002: I'm currently looking into compiling this. These are +the changes between the 1.2.2 and 1.2.4 releases:

+
Changes between 1.2.2 and 1.2.3
+Changes between 1.2.3 and 1.2.4

+My configuration +files

+

Just to make sure that there are no typos or that you haven't +misunderstood etc anything in my configuration examples, these are my +configuration files (they are however censored). With these files, +everything works like a charm. Replication, Secure searches and +updates, simple binds etc, etc... They might not be absolutely +optimised, but they work...

+

+Master LDAP server

+
+ + + + + + + + + + + + + + + +
+

Start script

+
+

/etc/init.d/slapd

+
+

Configuration file

+
+

/etc/ldap/slapd.conf

+
+

Access Control Lists file

+
+

/etc/ldap/slapd.access

+
+
+

+Slave LDAP server

+
+ + + + + + + + + + + + + + + +
+

Start script

+
+

/etc/init.d/slapd.backup

+
+

Configuration file

+
+

/etc/ldap/slapd.conf.backup

+
+

Access Control Lists file

+
+

/etc/ldap/slapd.access.backup

+
+
+

+PAM/LDAP files

+
+ + + + + + + + + + + + + + + +
+

Name Service Switch configuration file

+
+

/etc/nsswitch.conf

+
+

Configuration file for LDAP NSS library

+
+

/etc/libnss-ldap.conf

+
+

Configuration file for LDAP PAM library

+
+

/etc/pam_ldap.conf

+
+
+

+Misc files

+
+ + + + + + + + + + + + + + + +
+

LDAP configuration file

+
+

/etc/ldap/ldap.conf

+
+

KerberosV configuration file

+
+

/etc/krb5.conf

+
+

Tables for driving cron

+
+

/etc/crontab

+
+
+

Reference material

+

+Patches

+
+ + + + + +
+

OpenSSH+Kerberos

+
+
+

+LDAP

+

+LDAPv2

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

RFC1777

+
+

Lightweight + Directory Access Protocol

+
+

RFC1778

+
+

The + String Representation of Standard Attribute Syntaxes

+
+

RFC1779

+
+

A + String Representation of Distinguished Names

+
+

RFC1959

+
+

An + LDAP URL format

+
+

RFC1960

+
+

A + String Representation of LDAP Search Filters

+
+

RFC1823

+
+

The + LDAP Application Program Interface (C language API)

+
+

RFC 2596

+
+

Use + of Language Codes in LDAP

+
+
+

+LDAPv3

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

RFC 2251

+
+

Lightweight + Directory Access protocol

+
+

RFC 2252

+
+

LDAPv3: + Attribute Syntax Definitions

+
+

RFC 2253

+
+

LDAPv3: + UTF-8 String representation of Distiguished Names

+
+

RFC 2254

+
+

The + string representation of LDAP search filters

+
+

RFC 2255

+
+

The + LDAP URL format

+
+

RFC 2256

+
+

A + summary of the X.500(96) User Schema for use with LDAPv3

+
+

RFC 2830

+
+

LDAPv3: + Extension for Transport Layer Security

+
+


+

+
+


+

+
+

Readme

+
+

Some + differences between LDAPv2 and LDAPv3

+
+
+

+Authentication

+

+SASL

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

RFC 2222

+
+

Simple + Authentication and Security Layer (SASL)

+
+

RFC 2245

+
+

Anonymous + SASL Mechanism

+
+

RFC 2444

+
+

The + One-Time-Password SASL Mechanism

+
+

RFC 2829

+
+

Strong + Authentication Methods for LDAP (SASL)

+
+


+

+
+


+

+
+

Draft

+
+

Using + Digest Authentication as a SASL Mechanism

+
+

Draft

+
+

SASL + GSSAPI Mechanisms

+
+

Draft

+
+

The + SecurID(r) SASL Mechanism

+
+

Draft

+
+

X.509 + Authentication SASL Mechanism

+
+

Draft

+
+

Telnet + SASL Option

+
+

Draft

+
+

The + Java SASL Application Program Interface

+
+

Draft

+
+

POP3 + AUTHentication command

+
+

Draft

+
+

DSS + Secured Password Authentication Mechanism

+
+

Draft

+
+

ROAMING-ELGAMAL + SASL Authentication Mechanism

+
+

Draft

+
+

Salted + Challenge Response Authentication Mechanism (SCRAM)

+
+


+

+
+


+

+
+

Documentation

+
+

Cyrus + SASL library for System Administrators

+
+

Documentation

+
+

Configuring + GSSAPI and Cyrus SASL

+
+

Documentation

+
+

SASL + Programmer's Guide

+
+
+

+Kerberos

+
+ + + + + + + + + + + + + + + + + + + + + + + +
+

RFC 1510

+
+

Kerberos + v5

+
+


+

+
+


+

+
+

HOWTO

+
+

Frequently + Asked Questions about Kerberos v5

+
+

HOWTO

+
+

How + to Kerberize your site

+
+

Readme

+
+

Designing + an Authentication System: a Dialogue in Four Scenes

+
+
+

+Other

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

RFC 1321

+
+

The + MD5 Message-Digest Algorithm

+
+

RFC 2052

+
+

A + DNS RR for specifying the location of services (DNS SRV)

+
+

RFC 2104

+
+

HMAC: + Keyed-Hashing for Message Authentication

+
+

RFC 2247

+
+

Using + Domains in LDAP/X.500 Distinguished Names

+
+

RFC 2849

+
+

The + LDAP Data Interchange Format (LDIF)

+
+


+

+
+


+

+
+

IBM Redbook

+
+

Understanding + LDAP

+
+
+

© 8 mar 2001, +Turbo Fredriksson <turbo@bayour.com>. Last changed: 1 nov 2002 +

+

Total number of access: +
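Review bot: the closing part of LDAPv3-HOWTO.html tells readers to apply cyrus-sasl-1.5.27-gssapi.patch and cyrus-sasl-1.5.27-sasl_allocation_locked.patch and lists the author's slapd, PAM/NSS, krb5 and crontab files as downloads, but this commit adds only the two HTML pages and the PDF under lam/docs. If those were relative links in the saved page they will not resolve from this tree, so either add the referenced files or point the links at the upstream site. The footer carries "© 8 mar 2001, Turbo Fredriksson" with no licence or permission statement, plus a "Total number of access:" counter remnant from the live page. Please record the redistribution terms and drop the counter line. The file also ends without a trailing newline.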

+ \ No newline at end of file diff --git a/lam/docs/ldap-linux.htm b/lam/docs/ldap-linux.htm new file mode 100644 index 00000000..10417b23 --- /dev/null +++ b/lam/docs/ldap-linux.htm @@ -0,0 +1,280 @@ + + + + +LDAP Authentication for Linux + + + +
LDAP Authentication for Linux
© 2002 by +metaconsultancy
+ +

+LDAP is a directory server technology that allows information such +as usernames and passwords for an entire site to be stored on a central +server. +This whitepapers describes how to set up a Linux workstation +to use an LDAP server for user information and authentication. +

+ +

+Before proceeding, you will need a working LDAP server which can +provide you with user information. If you need to set one up, +consult our OpenLDAP whitepaper for +instructions. +

+ +

+User information consists of such data as mappings between user id numbers +and user names (used, for example, by ls -l), or home directory +locations (used, for example, by cd ~). Lookups of such information +are handled by the name service subsystem, configured in the file +/etc/nsswitch.conf. + +Authentication (password checking), on the other hand, is handled by the +PAM (plugable authentication module) subsystem, configured in the +/etc/pam.d/ directory. + +While these two subsystems can (in fact must) be configured seperately, +you will likely want both to use LDAP. +

+ +
+nss-ldap + +

+Begin by installing the shared library code necessary for the +name service to use ldap. + +

+# apt-get install libnss-ldap
+
+ +

+ +

+Next, open the /etc/nsswitch.conf file, and tell the +name service subsystem to use LDAP to obtain user information. + +

+
nsswitch.conf
+
+passwd:    files ldap
+group:     files ldap
+shadow:    files ldap		
+
+
+ +Note that we do not eliminate the use of flat files, since some +users and groups (e.g. root) will remain local. If your machines do not +use flat files at all and your LDAP server goes down, not even +root will be able to log in. +

+ +

+Finally, you need to tell then name service subsystem how to talk +to your LDAP server. This is done in the file +/etc/libnss-ldap.conf. + +

+
libnss-ldap.conf
+
+uri ldap://ldap.example.com/ ldap://ldap-backup.example.com/
+base dc=example, dc=org
+
+
+ +The uri directive specifies the domain name (or IP address) of your LDAP +server. As our example illustrates, you can specify multiple LDAP servers, +in which case they will be employed in failover fashion. + +The base directive specifies the root DN at which searches should start. + +For additional information on these and other configuration directives, +man libnss-ldap.conf. + +

+ +

+nss-ldap expects accounts to be objects with the following attributes: uid, +uidNumber, gidNumber, homeDirectory, and loginShell. These attributes are +allowed by the objectClass posixAccount. +

+ +

+There is a simple way to verify that your name service subsystem is using +your LDAP server as instructed. Assign a file to be owned by a user that +exists only in the LDAP database, not in /etc/passwd. If +an ls -l correctly shows the username, then the name service +subsystem is consulting the LDAP database; if it just shows the user number, +something is wrong. + +For example, if the user john, with user number 1001, exists only in +LDAP, we can try + +

+# touch /tmp/test
+# chown 1001 /tmp/test 
+# ls -l /tmp/test
+-rw-r-----     1 john     users         0 Jan  1 12:00 test
+
+ +to determine whether the the name service is using LDAP. +

+ +
+ +
+pam-ldap + +

+Next we configure the PAM subsystem to use LDAP for passwords. Begin by +installing the necessary PAM module. + +

+# apt-get install libpam-ldap
+
+ +The configuration file for the pam_ldap.so module is +/etc/pam_ldap.conf. + +
+
pam_ldap.conf
+
+uri ldaps://ldap.example.com/
+base dc=example,dc=com
+pam_password exop
+
+
+ +The uri and base directives work the same way they do for +/etc/libnss_ldap.conf and /etc/ldap/ldap.conf. +Notice that we have used ldaps to ensure that connections over which +passwords are exchanged are encrypted. +The directive "pam_password exop" tells pam-ldap to change passwords in +a way that allows OpenLDAP to apply the hashing algorithm specified +in /etc/ldap/slapd.conf, instead of attempting to hash +locally and write the result directly into the database. +

+ +

+pam-ldap assumes accounts to be ojbects with the following attributes: +uid and userPassword. The attributes are allowed by the objectClass +posixAccount. +

+ +

+We are now ready to configure individual services to use the LDAP server +for password checking. Each service that uses PAM for authentication has +its own configuration file /etc/pam.d/service. +To configure a service to use LDAP for password-checking, you must modify +its PAM configuration file. +

+ +

+To avoid an in-depth explanation of PAM, we will +content ourselves with a few examples. Consider first the login program, +which handles logins from the text console. A typical PAM stack which +checks passwords both in /etc/passwd and in the LDAP database +follows. + +

+
/etc/pam.d/login
+
+auth        required      pam_nologin.so
+auth        sufficient    pam_ldap.so
+auth        sufficient    pam_unix.so shadow use_first_pass
+auth        required      pam_deny.so
+
+
+ +After successful password authentication using the auth stack, login checks +for the existance of an account using the account stack, so it is necessary +to reference pam-ldap there, too. + +
+
/etc/pam.d/login
+
+account     sufficient    pam_unix.so
+account     sufficient    pam_ldap.so
+account     required      pam_deny.so
+
+
+ +Other login-like programs include xdm and gdm (for graphical logins), +ssh (for remote logins), su (for switching programs), and +xlock and xscreensaver (for locked screens). Each has its own file +in /etc/pam.d/. +

+ +

+Some applications not only authenticate passwords, but can also be used +to change them. The prototypical example is of course passwd, +the standard password-changing utility. Such programs can be configured to +use LDAP by modifying their password stack. + +

+
/etc/pam.d/passwd
+
+password    required      pam_cracklib.so
+password    sufficient    pam_ldap.so
+password    sufficient    pam_unix.so
+password    required      pam_deny.so
+
+
+ +

+ +

+One convienient application of pam-ldap is to set up "black box" servers +that can authenticate users for a particular service without having an +account on the machine at all. Services such as netatalk, (Cyrus) imap, +and (Postfix) smtp use PAM. By configuring their PAM stacks to use LDAP, +while leaving LDAP out of the PAM stacks of services such as login and ssh, +you can easily create a "black box" server. +

+ +
+ +
+nscd + +

+To keep your computers from pounding your LDAP server every time +a command such as ls -l /home is issued on a computer in your +organization, it is a good idea to configure your workstations to +cache some user data. As long as the data in the cache is sufficiently +fresh, the workstations use in instead of asking your LDAP server again. +The name server caching daemon (nscd) accomplishes exactly +this task. +

+ +

+To install nscd on Debian, just + +

+# apt-get install nscd
+
+ +

+ +

+The configuration file for nscd is /etc/nscd.conf. + +

+
nscd.conf
+
+enable-cache            passwd          yes
+positive-time-to-live   passwd          600
+negative-time-to-live   passwd          20
+suggested-size          passwd          211
+check-files             passwd          yes
+
+
+ +

+ +
+ + + 
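Review bot: the two client configuration samples in ldap-linux.htm disagree with each other. The libnss-ldap.conf block uses "base dc=example, dc=org" over plain ldap:// URIs, while the pam_ldap.conf block uses "base dc=example,dc=com" over ldaps://. A reader who copies both ends up with name-service lookups and authentication searching different suffixes, and with account attributes (uid, uidNumber, homeDirectory, loginShell) fetched over an unencrypted connection even though the text stresses encryption for the PAM side. Suggest using one base DN in both samples and ldaps:// in the nss example as well. The pam_ldap paragraph also refers to /etc/libnss_ldap.conf where the earlier section names the file /etc/libnss-ldap.conf, so one of the two spellings should be corrected.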
diff --git a/lam/docs/samba-ldap-howto.pdf b/lam/docs/samba-ldap-howto.pdf new file mode 100644 index 0000000000000000000000000000000000000000..9223222024b8ba359d6f9cd3bd80fe0381e2cbbb GIT binary patch literal 306159
z3^a(?4w2sf9Knw=Uu}_1`_=b&OwHo$u)X+-FvLe9@}&{}!pcIHp+ADp`-%uXS?X1vxa{jI|cldzQjQP>kRP!z#4wG3;iwD@S98aFS3B2 z*~#xL;Mc*=e-jhl^N(WQ%{bocyf<{{hXF>q{h@?TV32bA<_d+U`t@ee#BRAHODaSk z%c5Oh&bhwkc~&&Ggn#%RiVeH}Y~0|v)x*ad_DBriA?0C^U_+C&rp4`q?+NsvzKkCp zpSE2!JkQK%%x)n>oyd5!k=;8xHeu??dQ9@TJ)x-jxNpRQ)LDO8wiuG3gV(v?8DB$; zOfDo0ydBpNUv>LAjVdUi*-aVI!E+;t7dn5TjyJu<8=31L;m_z7wv*1P;gk9Fb#0w} zrxE*XXls2*Qo;6wBnv6sG*aC*1!SYp)-S-^gvNq_IWA&j>_|*0*S=g|1p!#1m0+F$6S74blH2#*=^p1 zRo4_AjXE}r0Wzr4UIBv{2}Iu_XO+_?OhIdYC!+H!HHa8sG>TTqWO6Iq5#R4bURt=6 z%Yv!1(PGY2R3;goej*;fMh2B2VryYwaPZ&(F)HKp{BBfUkPg4?oC`~N z&j~IZ)5rF+jZ*-!T2isHPX3*i2h>Le&QCXu*|4Mps>O$uB}bS{OH&w7DmUWg`P~ch znn6)mE>+n&U8Jz#jvwiYmVAK>d@o{P;O)i;`D!qhtidw|$DJVVw&etS!i4kBU2M^m zTvz3I6$pF%DFMWu8F4lGnV49g)1z>3OWfTl8f#G=soedU<|L7bGT_I*vU!I#Spo#VPEvFtR|pOYW%OD~$#)lMG* zc;l5l7!(#TqRJ@jOS4EA5d0T+VeIJ-X;I};H-4LlZL0R-8iwM^68lnB_OUPqx6?zMa-XtVsm_bp(G^nLR3FUzOC?UhQ%-j;U+uBQJJ~@yyE*dBAx&;8muA84 zp!p=Io9xIMM@|Idz7ExsYdmtkc+y*I5CN5Q<#FjS)r8P8EzzB&`dXhbC;7Apj*#>)vaEN0asy~ zJ(&{UzLfDj)lyVmopefWwF1@g^20+vC76@5diyHdzzSkxyt;}#G3#M4NfW?SEE+ri z1rJKgnH~!BN+8E1MmA7W71!ji83=Ca&ma=-db^eE<72lpgH`h#)bx$V#}|yaE1pkEkf7(u+mStlMqhB@ zcW5E-0f<`98(V{#BM8x~^9uxd9IzLIuQ{5>#30q;5=yI<# zvo>Qg&rIjhscKP-I{N2q23!{sR+yss4CVSmCPepMLWbq9{07{t$R z*Z;sEeia#h(jER8Qv~>{8#n*%ySYS*dCCyN!%cgCTkHyyGBPxZaOS#YCpHF4(KN7E)-$-@A1i+XD-i`rf5 zyLA`G#WqD#xS(rWHMQZoy^N```>4ncNbiNwniNt5eT3U^<10_r7FP)aI5F}VdmC1^ zHsf6~pC)(#ai*hntqwPDl+J8$8s1@MWar5+zsy?I)) zr3vW_LrKOAU?x%m(1bU;kk&l?wRm;m#^H;GX>kmRadJ2*=5$8uAfI5PkrEbE^HsgB zjSfV_c=>8AE;Lg-F^)vElTFo^Z)4kP?F{q=>#f3Ckf6R_^=94)i7;Yyu&ti2WzfwPm&qnO%9m4zs{?gSCJ93!Z*yNHP z#m5XpA6)1{GFMyr-u;Pd3H^2qn=p5F9-@|zSC9mw0UY!P0}v?3!5aUwpaFwYqJnpG7FtB(UNarXI%v8CMRMMR*v@Jd;%WA^MXOsUtALVY+GKC zCV_i(_k4!d!UN6$9Rn4)1Ek~sX$R~V=IZT^7H;ytxZMuaA@=AOBEqfmZh@uh~ms^BJ8Kz!x{}{mOk+KC`HL9|W$(A46s7B`U z=cF@wT1EOv$I(C^MLh$u(}gh6qssN$=D7b1B6mD#S`0AKCtTml+pQm>9uF$ckWU zkv=Wm`)H>?t-j&Ck3S$h?}RV@y|DgL9sbdpar}{i#qgfT_FwYy8QvAt|FOu(!0@ZY z`@iqZetE+Grmp^6Kz}l|{ay1KYDW9M^-Is$m-j4RBU1&cP%;Y6 
z26ZUMXM>(0bD=8~Si^g=!|UnSshAqs>j&w8SJ(#&@u4W?hh8K)A&F3NOQw^z@^rl| z)+my~G-CW3nfEH`E<%u%V6cor?G6tP9hAy5qIZC)WOk~^0ZB;g%i3;(7u>`jmRK>C7KKP=;Tg@W1(He)d)T{LTEni1gPu$9rJoAGP9l&hcw?_-`sl z)_auPyUO7+iF-%)P{}M;yA>i_%8xf)Jj{4wu%Kz#-2@?$k7Si>C~m*{df&Dk*ObXF zql#=xapj7~hkNcFnc9CLJI2VsWH#nhVQl1Z=Wchmr9i@jaLqko5>b?(q2yE7pOqy> zsd&nd(Jfzh^f_-_^d>ARgZ7StjJUucjgtDhcxR9&%NrRZJ^s-!G`)YByU!6OGdA>B; z3~;%t8$|VRdTQxL%8iR(z*zNeW)_+Z+>`vQ$bRKU95{PYcFt-6)LmFXv9$G_wJD3L zU-bNnATbV+J0)$#_S8Vto{$iEKJA9pn<_nHD-@Tc1-=EX^)R9-b2M|+4~@`-@k0hi zws}2M=@;fBwQi1sB(7Tc2KHpoD~^TOc&F1NDvi_m2T1s8pY(To-S7 zHJGAQOf+{kYu4wD)&Z;bg*09BR_|wi2AaMiz}WW~U`+T#=xe>5)1wmY%x+w7;>Rd{ zy%v51plK=2!umjRPr7D;%K3WbJ2ZQ1vp9K-Rmij;Y!tgTArczjWmF$i)NuBSZS^6xUJ$(mbnPZHNsTt${_Q1 zdQjYw^+VmD=WD!0!_>OH{s4=1^_Z8S-rLx+zq3_^o&x~x&ol`WW3W?*qQSTS!e;qF z0Gp(OJ^s3M=L$ku2xn8eN}f{H~9m|>zA7K@3+iMT25lHeuq*u z$0XxkPHv4YHo(X@P(n~&qa<@6iKhkalSTp@K?iv!rw+Y+u}B?yE@lZnKuyR+GDh6T zZ8|Pb?X;d-t2A9cS+f!Wb}O`}uV_E4)N5~sZCou(jqxTPb|jW=N$$a&lUS#%ePp}T zvm=&45JDIS#f-9|=Y_#Ha0MJJ@tWrdirNw-fEuz2t*(I_Q5N#4;F~hNSq8@y=hdxf z@XBD+e5Mh)prNT=l0P5rtjhf9ECgLK?Bsjap4&$-z zfC8)5bWel9LWzRi2{Q?Rp_2OGDTBJo!ku<gLBJWBB|vkOSN4o@fr=EIpVMf=7J$$j781;EaOM&@ z&f|;2d;i}NZ#!^-C82I&QCh&9;Z_vB7>XThS(;6Fmxf%@8)VeVy<{=I0jrMy#Zea>jJ;E_4-qn&hf_uXiIgJV{HfM&|X-2AsP&mHIX>zP-9GFv<>8P4_C9L4UfR2fRr3$colfgm&}2W+ebah(trSegD?=M=zFKU6}#E{z)4 z2uUlyfL1ip3Q7Ay?ZC2E58q{~_AHto^n8P6d7#5J=>R-b^;~bInRyOa8iIM0Nf>{eJz$uOOyN8;9ZSRgU0%7yK1!QQi; zGI*0jUCTx2W!GHC6K_tIMJDUJ&nHzp*72y*4rh!A8~aZ=DxbiI?p#Yj!@ZXdcfvqx zXR9|^wpN`RpeT@*9=lj6@^2cX@zs5&Ket|?ig85>IRv2Tcq>ZnwcSRDX}5WhHaxgq z+RYD?LW5vA?O;uGBjHtS&ZlH=1)b@t>AGw$%=6n;t_O%*9H(Q39|uFt)puHm>yz8v zXITN-&HN}_8JTL&LshS7aKwH@3t^*kWt6KyVb$aUj7M8-+b0e#G(FnE!iLwCXJy{= z`}Fi9)?8jjxHO%kipZOt4jKY-X850v=g>C`=Adje6;9Qc;A?z_f`tL+aY9Q!h%s8* zU$YM39vfG;+^iclgOEq^jZW~ z?Yjxaj6BE(tq=}>u3e2U=~Lr75BozLTiOW27dSQDaIkm&Vm1%J=oME8-0=oqBC z6Q1&`9PoY%i|zMiX@+-!;Sa$6bJ64%O#dH5&m{0UL{*(CCJM3eupvGOzL|AXki 
z3oAcuRsSre{0raVz<;Ma?+wg*SoI&*J^vcvdH=hAyuaTF57RGkX@4c=(Mm<80FL3zmh`$5l5xi*bYW?1NIfRL}7V{CNk z)gTYs<*C(<$n+>f$|^ZpRui;qBewmZ$sdNz>l+m^p5bg1Qyb|F4p+5by`2tyTD3o( zX{|l5&36&#xScOIBCmOy&ih#NYPautCe;wfmk1rj+Er#2)9vYQAo?NC-_H@UJLDcSRe3*%I{>MR!#f)+Fnky8=I1LK0R}$OzgBHtab9a$k z-29>gQX>aIAt0(BQWaDl`VAySY9ROKFa($RhbG~MK(Aymb5j0>K~L@Rha zpERuS#Q|7M{7{Wk*Lvm$trowmBpn`i%^wv;o&(xitflS61rpq z`i5r+PE*X!g|?AVjbvv%mNj%Svu518NQdO5;|L=ag+yTIAQYOeH~eUB+MC=*&mQxFRwl*) zO@Qg@`v$J7#^BPi~8Qnv>O&7JUdhXmWKUsuoA2J?@H+t-`tF3`qkp2jf064o4x^)N4IdDW9qW_w8OoOAlM| zn=*VnloYV~)bk1q$Oa%!IO|2$J8&@Ag!UnVe8y<7+IM!Vv500K37sPFhXw(`&7@oMhG0> z+cr%dtatxoOW($c(N&{(j%al0hdwZO6)`{Ct$!(uf2;(X)~p1|kO7K#%E8j;0OlZL zBqA<1N)H=>y=r=Sy=9l#=xF#_lpnu25UyAlW zv@ZtcKQg=+n0}5%|8so&1p@vRADMnt+5f8e_3!xj%M<>8Y2^QhnelH96_|d;?cee4 zSFP{AHTeJ7iTEYnbMzGq*I7B%@;%@)R{>9f%S@rjYF2G2snx677<&dJ0BCT$Yn=%# z6bC6oshoTmCX?ejYZQBeZRlzPLY<&aZKGwD=sP2y2OnRCCgQqaHkMl)iw;Gp+tqk> zbqfBO;*%u%hvj8a_Vs-{vJ^=5I4m&XBm6NJgaXkS z)z^(kirN`Ylps{t9776cFI3E_<_YxrZ=xZTz_~I0GAAvlCw0DQ&8Z{vCTQ18lbDJr z;IsM2ClR`6Dc$SgpURmGpMe>P9igDIR|IH;wFCpST<|9`hyqJ_P~2L~T)|{?XD7A^ zJNG&03h6LGJ=U`f{8u1DmP%pSmAVxK#}qh<@2(^$+QU*l)>2?&FG=%EgM8xHwyBf) zXlY(wBQNhyMiply2(X&j(&j5mQPyB>%zi$8Tq{Ft2^PPA754W^397t5@{A*~HS=cbz2@MQPmws z7GAzs1Zb0!r#raLlla%cV(Xh$>X*Zfp*^0(2n@S`l1dmCyUtJ#Y|$E!%Amr8yFA7= z9x|Z0xnl|?2=#iU=vmBI9LM(sD2t&(Q@Hwl6~PiUan1Amk_ zYF>tSnXMKQ_#y%oCi2@RBA(_Y`7LaNeSks&o3d#CrsL54o}z^*f{G3creQ>Oy%IZe z6ZoS_$VQTd1QnD4tltH+n&v3C9|m32n)2KLqxc&=c8&LDS8fS(u12~NiwD z?L5n?XkoY@A7)D{r@5w=v3s83ySfZhV19t%txOm* z-_V)T1L#1uz|g+JaN5;H?7gkdt#5|XodZtg9MbylPY3Up*RS{p@9yAc z7B(_A>!L0wVU=vbJd%+}PofUVKFE$-KJiWnbKGWte8rcJ$g?GGGiKR@rMYK$T6ioT ziZ2bdC<$+EPap6lgEz$+DLZrTv{eE%VqDB7#jC}k$IoDnw1iwtB}`4BE_#~K90bkF zmE;LTX&Hy@ti+A#WdMz>)AvYG^iUlv2#IE2qDi`DwBscf#%eH4LvI#qbT7>jVb8u4Up*{jo5Fv z_aE@~*XHx5A^v+)_{;q1|A4nYn+N_s?nnP#-}$~^@Ha8}y_fyto&AQ%%zrUzvq<&V z1%uI7|0zHyjBtbNR1h$LIx2%zh)%!&A7`4E91+K&R!S&w`*Hm|Hbmh>80Q-RoI0F) 
zr^V-4SPbF$fV`l9IV?2vp`;{cZ7iA;jT?6=bVxkf*ny0N$|hh@FiI%B-Y}$hBhzlb)uz?els*QnbWq;y9>glM7~2W|Y@Lx+6Pm0IpK;G!^nh zwjmgiUAo)UjNQ;QbuL}Z2T+6b8~sUHJz{Bvu8}}3UUx38aM3(`LIfg$Zaydt$dEVD zs6DaS!2r_0uNWJMo7{&6z0-cF&;IU@ujzPszNP2MMxC&1qAW!k@wd|+b$FZ9Bv7(B z+^B*d;QM18aJxz8mbx7fcBnEHeN>ApRqh{D4%|D;lml$sIwuHVm=&+=Y)a7D3%K+kqhie?HKf{cech)0S+}kdEw){q> zpA;=PLOz^pEr=T@u0XvwIWzhB6~?oI89V`EshpEfZcc-yt+BF|AA<{x%ZlwawNh(- zJizQ4HGDpE62c;d+)B!+S*gTAy%HA& zU{mfqr7p!W8|a8C%cmtU~QYq|7 zN)LrrDa$2@sRbTLEOCfkbO_2#a2f{3?{#ZCRzdv8t-xMY!0bd4fa}4M6<+1lUFe+4 zXXR!LG@+Jd(Cva(kk2(w2*>NaklYDyuHs_#=3}k*MW%owvy`QaU<3+&z{qaUpd0s1 zG81(_ag)qf?DV@iZ5Jt$9mqBVk7CE62ga5aC)@@d`(o8#?W2<-Vw#)sHMQR_>+zK; z`rZ$2R(;IjdJ{FLlFHvB`9QWGuW~dHKZl!CWz^8m{ThIiIb%O*1{Aⅇ< z%j0gd9LMYR>TJ%I6^ty5U+2~FaAiTEAQdi|-!@rvd&qbIpc&HIC|z#h+XSMMCxNg&L(+?wxs!RQea#GO-@rEg;Gg)XwGztN_Fs#LZfc-t%y zKF;a;Q|Ce*M7Qqz0xa)dYY%6o(>7OyMvvhsEehke7Xp-cL&9tPSSNgZZb&Jv^ouus z-%fr%(AUc=dsI;J3p9Pk$Y8DSK)n=tJr;><1JzmgwaX2xR`Y&R%(A z@skBX2W8Rvfuf=$W_`3*)}-Vwzo~PRN;$4mqq;EW~3ygxB z35)vx@HBd^iFi>E#M$@x?q~#vw9Gzq!jlx3lY~x*B z7_bzh(Wo8o$J4~k*|8@^nPRAofuFJODd54u^{DcQZ0#>!#L)o$SIV#Z9<`sf}wJ?A>W@-AsfZc ziNohwr)acUVA|m?s*9x`0Qe1Cg9R==%Dx_ z0f8oCWOEG!t}~Vnt~IwqvXAXwhTN7d6kYLph_EG_ zqcn^gRkb-XDmFyX-#LAnP|qdh&MHMPIaJF932cfcl~5ujnlH(J_wf9s{OY@-@l3)q zow8yq+7yJ{P`5-iTtLkwzvSnwg+<+-GrD5)5s*PY2NcsU9gnszhwISCR2UFt12L%pjolN)Rbk|DeX=CFDM^w!rLi9O4VT}c62gqkt?d$b^PnVgL z4$x>GRC$tyDsZ5W*tp}{5JjoMAt6M!6rWkMT*Vk%;~M=_)j}~;R$;Rv(iBCg@Gyn{~ z%vxEx3JlP=*kVroVS8f5Nl`vO_jKSsNiLJ&uIki`RmR2%Lxp(;)oji+bHGC*?W$FS zy$+5Tb_J`m_WH4~>UNKkNC z{&_6Gl1dz3y3@{EvtcH83&hzU$+W6(l~4rAB?-xH+NnOdC{IHIr5VMpT~Pzy4T$zV z3&0jT4tm!!WeGhULdK#Kz6A==(?h{Aa)SQ&v2}R4A9ll)8#3YhAec+n)>%Fe8NQi_ zwJA6fF!rg;VHG(L1e88&+i7g3C!s4F>*A>o!S`Gp)dwqm+9nf;j2qyoqn7N|c|vdb z@e3g2YEg>CpZ}6RbtoLTVcOwgbODx;JD{C3^2QDp6t;B&TRpMUIfrUUeBLJnJ!jgx ztj?SIBM>kO`KRpeb97>1fdcQ(9++l`ZZpZt+uF@GwwT#<5F(x67c&f(rZHOb$c)F86nZ#8gwboAg3JKan@`Iz>~dp! 
zeAMk-9=Snfq)VVer!I%sGkY;s7SXJWy|FlD?R-r#-=>g1IG$t_yUir1kXKtRdh|nN zwbe>fxOTC%s@+w-dPEZ+EK`%+Qj(JIq@m%I@(aGR`8XK{va{LY3+d)Day31~)oGeXC%SQRdcxMtw1+8`3`jGJ+W+ zwDyPM>#+?FoIa{EET!b70lpinw=c1>i{v>qj1|CP0p_t*qf5GV>~PXS z^IDCSO+fS$!yY=so_qMs6l3=*TYO{7eL&X#g-pXenAfX_MabviH16pJ= zQd&eR+4`(|N9hB+UXM%Z&q-T<5W*0rn1Lwc@HZFwS8OJ*f+VV^3!S@zKUgaYFwhM; z)1Is5jXox<tYQF4_cEL<6|%NW2qjHso8jV&krs}@t|_OIzO}4EZV#otvxoI<>1Uw z%|O%0d(tbXz31N#x#{<=q)~+oeCtDxU^D9CTbw&}^iXN}!2hz_%nLp!&-`Fsmtsev z;H>QNh+(^>Vj@fd=w8g$jEjeOPBKil90ZmvdK(tM_xe;B)A4mWDkQ9jAKFZ~P!Qk8 zjvPCmvhB^pvB{dM0X%O+8Ps-T7|HB|yFJ-Wefxb^4 z{^20$yN4x%yQpPV&_)S9jJ4ER}jMo2! z9Q`g${Of4_ZOt&~5;WYEKR?yK5H#D$~r(SQ4xbn2|ET-k6WdX#tC zLqMGCkE0h){?@q-;dUY#r$6bjmw_RakL*oMDV`XCe4Qww%;%vwft#(48i$->hC#z7 zW6|;&l`M@zR-t>~bh&L8=jjuUArO(WvwK*->u{qy7@5CavfVXm12-8cOhOA*&#RWL z7k|BRXyO%$G$Ci9QQ2;9H?@mw;)bBaHvlybExgti_<@OV!rZ1qE;E8#oT7PaF=dxJ z3NgB617TlI2TGnk;4Lqjl?m|z2uDSCpbrBU*3y5Jx-A%#om&Pn4@O!J2!=zHqmG^OvWlqRg%4)ZZneiR>KVW{ZKxNzMh0lyO^hL$yzv9Ds(2c-Isj#L zm<!`mkUP9i3S^RLnqMtkojkjfqwI%E2Hs!^z~%(iCV<-Phn%U8gh5 z^>v&aH4wbWpulUz;5Zn=x;R7n)XTUD7y?8x8et+bdH{CbnU05E(ux^#nY(EK6KIeRW~1M zUrNZA+Qpcso-lIEqkuPjcBsV7iHNR7=KzgU4__SGg2@;Zuvt-jSyFll=&mMvED*-4 z*s#OLH#pYp;k`d8TEF>$*clmrmtUFxyB&!6*G}%|n)NsBKrH_pkN)Iaez)oTQ7ivW z&HA}G{i$#H@5`wyKiBQwY7@(^mHNLmbVaJm*6)@cuX|NUuhI{OW|#S&e7V`10t#yl z3bgS7>4dQ)XI1(VD{}G8uTQWXiFaF8>4XgMcBPxPt`lh(;qC;_@^nSoh#|s(D^%$T z^VbP8Y}{9-;&t@bd(ajvbZrozWoe-45?Q6W>c0V#M1ld05e6+C>#KG15s@Ut+9wg+d1W&uA z#ZC@woXEK81H-sU_44i34Q~GsC^GO-*<#~xS7BK_Qr6c;vW{F(jA;VWB+NlVXi<`2}2N6E%PwMk_S*by6+RV^fgG7LtQ-JZRhH8oN@|Et~*sJ zJBQ3Z&80=}c4OTHfCNW|lJDF%=S^Q#X*99@klDLMFzn?KS5XdW6d5&|yZr&>!;?y1 z^mNG)*=qzVZl=C9CRh$G_M((=HBiwqY0?oyW#kQj^!pr6JboO=EWTb!fbKB!?BSsdS#%L3ts#UeJ7n#SC#?fF| zY!*gyU2|UACFi^wk$~6gnL3#L%P5n#kDIb}BCSsF*}7e)i~kEUP^@`(JxU9gA%d@r zs#{wkEN&uLJBD8B)eayQv;^=iS>zicX; zj)Ps-@Rr9B6;M!`C@fdw(ogbMT{xo~nUdP8>}=$A7@oF2BIaxoCXw2GQ`{}Thm5XjA(q~OZe}Na4^Ugia*nv-6 zYK0ii!%C3w*Uw;pwy)oqs_Ip(%EiPg7j%$soH5^2k;$OR?G{K%e1P6H5>+hA0O&G0 
z*k)9%Ru*71k6cc5r(H4ifKp`1Lz2p}aLfK5X=fQ$XPR_tTsB;|2Y0vN z65QS0-Q6966WoJaaND>O+}+)RI{^X#4&9TlhdI-8P0!4Kc>nEMcdc4g4`hV?s2e5w z8Zus2A#SC1<+y-UuAJ!IC*p!%LGIrp_LFAJ%m(S)j$JKZC>Y z_XYg3w*Iabe{)Wm+5Qk$*0)*FKW_+r*PefLPFerMrJ#Qn*WbVJzcvJKg_ebt@Na9= zuYuWrE4r_L!a?{u+5h&}Z=$xZx#GVCWeNY9(aQRkP5#j3Uo`UXborC2!Ed`oPiK0$ zKZJ+}km(}wC_O0U&1^ND&oWr)HTCh}HS+Kb*$x#Hmkk&FvMIBuTUA=WR=W_Nuk&_r z$M;9;`BkGDg^GLt_-q@8c8^&yHj~YEe~|pyt6}r5O657U)pL_1rnk2}yS*jNBl1U> zzMJd*+L#~HPVS@NC-F^R%DIDyxsf5de%ZkIFf915lwWBf3Ko7k><0Iu2g^@$4P@G3 z5e^&LXGXXA_t8J&)RK!k+$^0+C4$t1bz38)A9e%hy4>23f)x%v8nky5j0cK8l{EwL z^e6LgiI|8mq@@v6}Ct);=%VL85rzIoI3A;eohpAx-gjD+yzf`G^}da|bY}|;rd9iF>sCro@IPFV-ic7Cu^rt- zdeGRU@v1ukNVEwcNE1%u>l7L5keQ*$ON}Ob+~Gx*FK8=cV67qv=AdZg#R-0)c{)pS5hCi^9nS zx{sr$@ahJ`{K&>hS05y<0g{Ju%LyWx!xi`*?Jc6%)j+~Ld3yAmH(51_^aOsaIpXVJ~iuG z=>He>@VDRm|5p!xjaL5ZB5x*p>tq1{W=ng2}i={gTADG zp8LfO&^MiMeEW59wDV~ulkSUpF-xkhERu?a^amGM5Xd+!U`)Gwc>$m`ape@a00fc> z;yMkHj0fmJebI+{(ZZt}7oP;TR*%3=;O2A}<}lSh8xdH9Ko<1yu3Dj>3AW{)6c}o< zEJtYfHNWw8^f%GF^xm!6cq9kLk z;b+1#n4;V095g2`;f}I>EL^&1{;gOdDuAo$7V^zVDcpy{EIK1~(<>zl1l+){%7E!v zLV$`YPP(T>mzP;#K;z1Op+=RYT%+Z1>7W-LbEI)x7j{7*`lk!{YGy(PLX~htLl}fe zw8dr!bi&ivfeqPMe?s^2YU9iLlFSBIK)`1$Bx3*N{-aIhb3_yR03F>JE+>_zlJ;ZY zLyXxT|93p?zzH5#wME;}g?2sbQvBWnXz{+5iU+fox-+O^4<*mzZq!dBrE?;ByoYD2 ztqu5cPM1SHq7Ja|>TQf=NlWk#6{VtXDfuirUnZ6m_LM>J2nv`WdMyTGJQi%EweTU9 z2(B_8rMC+YAIPg%b$_aG84^FohV|CzE;kBnx6x{?xm1g^z4y{M=^wg?o)V3Y5HLEa zfPsZvn88~*Me*7+T_~LD2I)Y@&pf+?u1Dh0zE#SNRs> zKUZdj@Af?nw}D6aJ#8@GW&;%n5rtzFlxAWEj34BQ>cYNF)rix|qVZ3j0A{0k1DZs1 zGrf>txa75p>#y@UWChiJahSmx?DGQWdLY7g%};>d>(#1xojINp+>ms5fXKzDf!m$2 z;QQDaoMmcg<^>S1CI;wW7ee~A6fL8NbD5y7`qQfoe@o>>99tFP1_TbSTe9VkV}%x8 zEXK^taCastc*U+N2zY25m)l#i8sBDGIPWH9-q%6;KzI+^f9+?1e6ULwoOAQ6=OD+Z z^9x8j&T2JYS~&5)kmXeaK&?GrWLK^0c4l=vqQ7E-r-5#)I@yXxKnEkkAk)rQ{+D5Z zt)%x*SS&x}W(Fb&Sc4n^0RBhmf(>}j*Mu>XwaiU2Xk8&pB!-KYl8D!VBPe^21ojJ< z&a(RMJ8n-2^v-NN&S3sYvXKsNablGIVcN&hL>6M}pPgUWnTvNQn>lQg*?cE_2a+6G zn}jPtKZTXtOHQ*$#2eKa1g1#(iYTi9z6)l><_wF8s5}!u4D^2o7Kje88d?DQ;+r<8 
zTzumX8`s2ax249$!v%7xq!fL)wbr5-DZ#Uq7%2>1QOsUF$848 z9WfkQ^DZ2l(yuRSUy3OfEPebMBSXvv3w|U;O)lYZLSx>Xl;~{I* zt~QN=SfFxZormvQH+uqt#7u2{?g!j^`k{$AX?w>7Rbb4uUbG%F+f)a_$2cOvJ)k_7 zgdK1tjRJD$a~pLW=kk^0Ss9~aImP>!P-Fu{k-)$RNbr?hw6jow1Jh=f88OUj60XYv z25`@qf6lK!n<(D)?-8z(hq`At>5$=zcKZbrA^ckYRs_d2g}FH z=zw;M#~12ka<<={!p?Mjo2pbnw-ET)IR1IQ4T_N5s@AbzC{;X;gkfs@RAzlsJb|o& zDc2|b7(RtuMd2pMW{-TqiuCM?xx!RCp%tq6^JCFi#QCX~xUCrvv4)Mm#m}@ab>vma zO|{gg7E#aA_mY-nFXLePsDWrT3J>^t@l94ys$Z8)YQ`hXI27jYM?cwLq~Ds3m=d0k zg-Qd)3xBX{*hHbk%?~vLSN!bc%-COyp=0^_#eg*^K+>264nl>75Sl_&8pK3a~ z=-W2QN^^nG7ajqr5$s8Q2`d#)J^&hX*wCLm9es9fn;C~&1FBUqw#GI zpj+%}JL*{mqF}0F3Epd+IM?VA&ng?b@d;tRnlYu93}xKldhcn_Lfbrm!UbRpD7cmp zNS^cjRP%l`pySYHUc(*0XvcRr_vY}i6`S)_ z|G3C6{RXrBE|Ho6(C}etlnRD=XqsR!@MGO_`n~RJ{y6HF#lk9NVU$!}Cr?DFXa~JiHK*m)Gr|Ej1KBkD1vqZ&~qsg z5mt)CJ@!e&y9E)B!AUrcncZ{1uY>aiF*xx)7Q`Iq9AqK59zv7v639)PSs{)0<-os7 z+-hfLv4=*Jo)$~oD(=Rl0R}zvrF_*r>v`TxRUYc>)`22Ea8T>+>~8li%`5?kp&j4} zl;S%>eYjVKL^$;>9u>&C!3{_LlATQXSgXH}5ForsPnt98!U$B$kUD(ljdNOvGe)yb zSQYldRCQ35q;?Wc(3-|n-7G%^9+h;?6AYPni{*r8D}VtCvK-{Cv9_GP5I`Gy++=mM zV;Yw-FvhihgXQ*^{%KZhWfV}j>Bpj&R&W1OZ+kw^&uLk_P*u5)nGz!%As&McG1UKq zi*+xkR;~xZl%*3DI0~1S8Ao8Mixu2si&!R28SIUJ)uWlvs(DQ-GgZL?L@)nl-^ESZ zHO8i6g@?0lEtK=PjU84;ZHQ}ZY_JUUYAhe$cBPqhgh8Q@m`f@$vx)=oU`g>HKL}b_ z!O+!2o#x!M5Ohz!-sSBZ2?6vw+XyXn3w=uRj8gj$tzHkWdYt7*6Y1SPIU0lH_1-fv| z=Ff*T94KR8kb8k|hmUqmH?S7D+vos}O8ruuAd6QmZAj70k?SgT(pA|!s%?%8e2xP8 zWEA(`HEIQkWWh2cS~la*ZraV0KnLhvu~oJ7+vWy54WUO|BR}$?!f8Q| z8fz!T4WtqCdGF`RmHY)f`>^AwGUGs|ZP*?-qr@mjSaRqqg}azU|9MT+yuvsurnZHIRhU| zZcam|hcN>I1T42_>(4>`eCv(Jmi4t~h7m5#kCwgo)E5?A9a+5nwwoMuSIl;r2lUi# z=jTv6>H)|hlYs$7_O_kxcn^DrxEh=H6CTYK@Qa!1Z5C#Iyt*b>Gli@@O;B|KOYp1p zX)SUnh3_|C69%CyeZBAGy$%IJ_uwJ``Ec*lNoJW6{l~$d!D<=~{r?15es!U*d-05K zfaPtf?_U7RuSWFEAdKzT;`e_KEWdx@fA#9#fXQ2S`G+9nABTPZ^8p##Td4X!7-9dl z^7!vyWKaEXJMWLvoz;_tnq7H)p}NhSi1~E!gytCHkqyuueL7`vy}_gk1`A zO7I;&y5tn-xfWW4aq?bLcjuA1lvm9Mh%09M(V)Obx%1SH6~ZLKRJ7gh)=tlGh01vQY 
z_*9ehSuI17AlkNbU2KiyhXI}9Mx7on@xF|}is!MLaXG-9q%M38erw#*`h>hpkDg(C_-<0^~9S~{^k>#+iD1a3J?P4qEs>b&4h;aACH(|kc zDhomcg&Q8Av~Ti$&-j=Sw(#W`=gPc#lU@w<>~bP!ViG_#^0~dAB;Y$}3aw%qFXRuY zVBcJ~A2ml)N@;$BTJkf;4XwQ@pjk!1Qzf0D+7@|xq??mRkJGr^#I`a)w2wxg?_wME zYa+;0MTAx}D{nCBseEg@^YcC7T+_iLayeS`g=Ql?W`|-F1NB^mu~Wp^J`F5x^%g0v zZ*HugGTl7QBX8?Qq~Ek5}ti{rM^)o&V59jUQdfPpR= z6Bbb;oGyZmj#l3nsSAglc4c?XweKD)*?VHgC{&o@`t^a2o01ev4H!zzr+4NHX+TkFO>JmDabwsENoHYr>5j5qZA=>s8ya zIMOG#U^DP@%c>A4$hHBg+JQ&o&pnd>Uarwa|2Fo0n{gusm3k61fUhe^>M}S?^(jzB z2vG)osw6*R%eu=b-KWrNz%KWFp&`Tpsf9`I&_+X{-62+;@Bmta06WVSLIvk0UC)9| zH3UWB8PDxD5=~M%KkYb9DMq?_SQ0f(tne6-Dm5p_7s+^3d*Wk{6~PD@!+Tl(8A+_d z>}r(a_vOM1^ql?ZA&`^KfShSCO79{N>V1$1;j@jrq!^)Ybh41hVad?|Td*(&jF=bh zMBx|eMC~=ogYgU#1!I+%u2*s`M0M!f<=VuR{MkZDc@tg>3z02q#7jCw%EJMK4mOcQ zB8>V1eZDtIhOC9mL2XkxrjloMS*){yRjGBgUsx$@Ys5 zYZ;+aI{93E9^R2MQSQWp-0fgVXnRy*atb*0&jIf$@s_VT%AF0EP+`r?q0^b02=g25 z`B*fMiz?`&D-wRltD=8ukhf?rEZPXMSA}Ypx(R0^K9S}Q5){Xc^o`|C0fwRxoZeX86z4@iN1QiBc- zm^7m==J2uah#`E(rIq8X6GJMcTzdhd>mEc$w0|E7y?)nsjkMLigvfbo*==__kg#=^ zWdSp(bBaP+5(P{4f=@f8(r~=`ROP;$MQLilQzv}E_EQguUZ{^byaHL%IB^Q^YjOxW z?M@jbeinrvC`;h=Ct1|0aMK1v|_nELV#$II8Y8k;tS?_6Y`xLk`7{UF^k6Bn2@Km{=vw5L#^&_Qa*g z9+)45JL(~78B$&|3B>_%^FH3Zl<2xOG`fMG{;0R5iIhI$O~_VrVs_{@#!+vpX|1)D znA2HGeg}L{D2@*h4iX2O5pFol^b<%D29_g5VmV8pQ+@Xj$_kuD8 zPLlcbiemvrKVH<{w5}9U-(Bi&HDM1qjRBCsj$%kn=s)hJh*nD2OV8@ zAZb=S{mcoa%azm<9670>S2?u$v4w|+J+d2=pO;qPu)46@nT(;b_GF)Guswm~>x$Rn zGbC+i-L)(zu(*jww4QEaAD1QgQpazCN@B@lq2wl`lC4`DJ1Z7Ugp>*9ciP?dmM2w} z0bd3`ukGNOXdzq7EcL8YB}ms{4G>#a@Za|*j>iy(H;~Etd?k>hni3V6bvN=YP%|@f zAAigYVn~7)P*=;Ix^%u`+so-L+U4A$inJT!vAmiah zis%$iIg|)csK*OwM|2MMh?fC>y1H7=961_J95XX*9ou_v{}mgPDxd+8l8Vf|lz>M* zLPFQfKG~VFKyfRhy&vsB*L%56_M&)Fb-gp&5x&mC6teG~vC#z43)OOW{#Us{|01-~FANz+Zr&Nz0;7k(N(aYoE`nD*bxmL?+xmV`uJk*+y}=yvtiP zQ&Mr0H?_X=CmakLE8qk}3i$}R8jpR?3-?L!=v|>z>(c#)p%m<5k6t{eq`Ul4qHs?> z342g8KPuR2pLAC_;*oA!^(p&ZOFAAMq1V^JJ3s}OK%!L;Z&0=eWt3GGz0Y~(d`_VC z+6Qp&@Kmzu`J}wW?XCD-Lrf$E&!vU&f`@#}KFr-t3Muo_1%12j09A;ZFa<+mExo(| 
zGeyT&oIxgLz0tYCFD;uX|KY1eJU2jFphg5Df z*j#x(<5R%}hK!td(x)A3M1nv01dAmL)Iyi0{4sIy6Us;H_KCODr1i){VmgWp8*y#| zfAd8`kDhbJ-U<8r-j9qN$VD*=XrbV5esYsYpGomqM5*)YqDv+|m}CK;^Q~hwT&WS$ zq?(h9ksw*Bvo6HGs#sM^DNoK4EZ}Wf)|T7?(bO0@iWsBT=)U6Zv%3k4z0~iGkG5zr zRc1Tg^>URMHzP#c+2HUTL*uNN&vH8Z7@OAEGf!U-APR$R3E(Xg=1FTNqXwbuMczgRWt8s zvK+;P`^G0;B4H+uNUOh-u*xBPt-M9YLi4`Weu_jkjdg=r^Z zI9*kVWYWuVkm+?DJ(gfFD8fCsowpLM)paX@PnGLWm=KE0{8?Y2R`s;vXj8lF zL{Myjx8ptdd^LMv?<|TP395m&-R$u+-@vMo<;ljkm@4S?P^Jp8VIbUYwgN*w&NEh5 zU|#IPR(`UX=?zT_)(@yB;X=F z6KElG@7Z!V^pkl^kmDyoP>AH_pK#GHi{f?bfbH)?b@qQBGWs1G{&CX6{vU>n*#G8z zyh-r>{)PX>xcEEt{KG`$O=##XBE221`~y+_X|U+k+h8JO`h86DIMB0bSJF$Y>UHj4#5SBLnAS#$AVqSKB2GMcqkR^+7%-*!TtW&kAvHZdI$C?0y9x?3 zqXhsdKd;%Hls^8{>wX#^#Uw`Wu44D|a|1T{@L|$6HEXT5zrY?c-!G0rB4$09K0iL` zr4V3!HZe$s*(FlOWhTS>qBpwZO(Y`kETS~CeN(4;#i&}M_2AmENex&`p%v&#B^xkF z(RMFJ*)whKJuK^7)q70@z?%@8DF(i7ccK99ZN{vf`Z9R+KZy$w#V2s?Mh(di8e1b^ zOkhSiz%C!4z~^k|(6X5mlLfgbxrx|nt_6i;qCT${!*zd+`jWgbF_!VA8x^bX!{$Jn zM;#*ZUeSU`_zvmfr-i_Zt&+g;8)2;5x+DL{^xVQmm9pcEka~|iy3K~Zjfh$n+p!Lt zhoS+SP+lBf#sx;?_Y88!#ulH(5$pQ0JL>VpGE-rU(lj#JgjUX_;Si#XkY=Ie`t7|W zNa`@~k%wlim0G(|t?PyG;WI6`^S;SE6%81mmAf1#AEAdu4!5M$=H7+ot)rOC)Uh0- zI}*k$W>WISv$os9)q3#GlQ#_eJE#_x@N0t-b<~Q%BJ%`1ncryj8n1BH-hF5faD=`w z4OvGM3~XNIn#Q1<=N?>Y9>ZBVE$nus9LD#+J$O3ZZlpBTl^+)j6CR%CG^RW%6rTKk zTD_JWvL1nxjq8qqr*K<1m05W?nngLkAfxrI*upb$pk{?tC=E3sQ`Epa%5cz1)3~Cl z>)~d3_J&kMzuH1l9n33xkXKThJaX^lR*E18PvQpvL2Vs{Tj^{f3R6~nPY85eATyqp zlI`Aj9Rc?B2*TIQ>~p@UGS>tjf)GLcW0h>4T6WX3Nom%uf1%2QIXHz;{3b zY~zuyAbxUfEJ5pd(MG2ZJ%Mux&6C+oq6jaKk~O_MxgabX-oi-H8vR|5W%C642=l_D z81h&9VSApC`J_yo0(8_X_-$Io2`g~c_I`-NxJ1EI=1h`Bc&$80##pA8CTXyZAO`2H z+^}7mK)T?Zo8$EK@m^<&tV545F)Al1yD5CspE+j*jIt9^PHIQ^rS9mmy(?bCMPhn7xsWoMUAFy z25}l4KR*r4(c0Zkma0=KA(Lg(E}jVVI@=Y@d4AkJ;xPf5$XmJ_3S`Lkq3|%?ciAp8 zE2{fV`XhBSwhW7fK++R~k6CER@Z1Y0kuGjrJ-4DkWLgG8qE~!2t+>nMiJxJSz{y35 zXk?=6>Cm!3C`;}(WpPmY{ppRfTp&N8o48IF zhaxT4VI8;VdZp+Qie-VNemE;=2br~n^_vjDiR9%6u9zM}fi%ZCNyx8JgBiaA@K1!g 
z`1Nj|^zD2&hqs03g*svEUjcVkSQ#MsczqvL!>ixy+=oupz_jf1g$+$3G0Mf9TmE=J z7TsiD3Te;B0-TW$YpM??C!=UR*1KXci7BE|#v8Ks0TW{-9%SGq}DclcJ^+ zmCN=Z95@^9$)50euDbp# zwib$a!joYG4*rCQ*+%>}B8(wtkWFRN6Cxr>5ilvwI7TONoCA*%CHq5 z@@jK3HR8%bY$5F%1y;k+qZxfzG>cm$>Y!7WjG&)29a1`)cJ_wJ19PMRJYA^Z5=fAc z7)8JbuTzof?>(Q#0}@h0UmuM%I#|=z7PHn-uB5-}LZ3fUzoFl}6Kfg;_45B%Qh@>z z4^u-LUX>y&{BB9YlfP@W*_O#W{{HK1Q={YJULv)UzBIS3d7IZxRTAM;%1*Ec=^wgu+_Z=fgqty#dNa@YtRT(rhw$B z3Zke)=tor`7HvD#q%y}t9R7&d8ohz%Qf}-BLFwdNW#oIjRuNOaSJ#xdiU;Ki$%zrl zYSD1vXoB{H8fz4$p2Z5-q}oI^Q{8Bz>?R5XYmQd1E9CVzR>^v#Vqwyvab40G+Duwy_pV-$x# zV44~bz)I{3>NLy(gx_TIucknYjmk9I!abB5T{#`>*`6|TtuMdqqd7$m5^pG32UU$; zt6>>>4>0UbVDlM5JTe~)(0p9sOKLf;Tp{knKX}>C)l9qflp;}wyC`h0gjak~m`uUw zvi9>9%1D_$6>*qX|1blg3H-6s@=jGm=U&uzNoSM3A6-|amQiLX+KaMc7c`E3r`J#O z2{CgJi2Nt0_-kSVU}j?f`>ieZw^r7lTWG%{(Eo>uzfvcE)k6CdRQxq@`=3HNZ!NSp zv#hsF_zHV}dt~Fch~}HP=AVah{+i{+@fNTDj|n+`js5-|6V|`ZzFza19j&3ykm#JL zfO5cHcS->MY?Fm%Q$2F)LGG!6NF{9^nuUEy@ln8_NQzzzod)%%)Eq!)l#<`3&F<@)S<}Q8QzT5OQ=toT(-n4zVcAFXcKBs=A z@5$ZV?ismH?Y-Y%e5up9BWg* z&Az@Dr0j%?Px}+pLO_z>+YMzoBGZPW`q7~2X8ZX0VMLQhl&F771bbwT{Yv`NX3X5T zpBJB>M2Xy_EjWlEXvY*m^_q6@vx?Oir1eL@a0{iAkpn7Ju!ry|xDw_wM7hhxn0kQ# zkQhp2DZR~V8L(DS?#l>&p_YZr6nJ4j-5cq!)t;YvRO)_z{OR{rb?Bhb}A|_x1clcV)&4v6^U)~T`7wBkSRjZ zOg8bvh%|q(y|2m(7gd#iza}vBQN0^I9eo;4gt6^*wNbwi0wWf;pDmWV8X@iymdMMk z%MxzhEF#}fmEBcopZMqB*Q!|%FN-MQ( zcX{?EkDR;X+ABFLL}@9+E7cXqHEmf}3~FZ6}PCJkuc~^&5dc7(@xGhAkK=r81%778p#f%jg*ug<0sE& zXcjGqr`w|xlCC=d#}B@|0#cz2+$u(Qzaaacu6|Ae?8>yT_h^qq1_$f+K*V)yyv!hF zH}7T=68N0}46t<1(uZdS^hG{2;~M(p10P6ity!_UP|=)+;+jZP6?D>I$1$3MsfF=; z`yBxYNbU`Bq6Q+uTf;Uj^K1wqBSN^!0F*WF}2w&q!t^iwbIf>nq-C8Q5;BbgB%xPm zee&Yk`jh?cW`~knjx|T3L+hf{^LptE`etG~T3esLCF-L|YzHB$VMT=_imp~M?b_#R z3FQ~Zi1CcjttYIURh{M*R-^^yY`9Qt0r)D zcRf-Hdl5Nl9j;EUGKr|*QLGw-P;TMqKm*BbwEMoUbjMaz!yU;A8OxzyL!I{%;?H66 zh##7PwA*}hb`G_G)SdD#is+4Y^>cO=!(Z(Yrju6j#f{E?Z_Z9}HArhuV+=m~rJ03UcsF*(GV|E-bV z^~N;weY0pMZ}0WjoOSHuA9)PK_COlKjqMYAuXNI*iYxy3ZQ9+ZnDC{LCM~5gi~5QP 
zIrT>~aFSVz^4y|@&nCdD+XM8y&G#n~*9R=ORYOdKyDSwuFK|Bf-pCh2Dc~QTYP-y` zA>AQOc=0XAdW3d!`FejQ3@)rW4Wh;bJpW`&YG-2zd7gxEz&S^)A-K3}8JW57#PXh7 zmAs7g53~T$|#@BXozZdQ2ll~un-0_ni$z7 zNNk~|`pe*n4BFkx{w)Jm2=>Q+#)jW@?f1zW8|UAnF&uAK7XBO?epktV#0HLE`H=q} z8-D-7f8#Ly3siV(E4{^rx2W*;`H24s8{Q(%AK36~82Rt8!A0p68yMkV?_Icm8RoAL z&)XfK7g{b?4@IDxU!BKGT(nr_R7K*Hc{~^6oi<*B0>_Yu`#BhcCWqzAL*=2k8zl)f zWXRi+`l(+n2W8y6uhh8VMi=-1omP>~5`;4Nw7b$r+L~6>HMC3L`dOE&l~hj}5O@Ne z@SNd;r{|ERTsPdk=P#(BJD7Utb)8{~B5tKM1HFHBKm(~Ff~~_>ltwA}^+h%uk~*ui zxqX7zJPz|xRospDf#+QfX@c@M<~WqcGNfRz=SG=Y+{;1e2Yw0AD|Rl@bk2%IuEHQ1 zfJJ{Zh+{5h<+WZb07ZfF>L`_|)n?L?*Zke_OTvP5;vfL=WL?&-MgxS9CLtpJBq-4O z!6_OmFANK&=#dL%r60lcSQH#3?)71LBk5Fl00C|r^ll>D9w$tq82jw|)$L}WrCQkpvT`0@G>ZaY@X0vh`q_(fMz zac`W4f`Bv>G+2$PEFK_3`)r{s07WfH9W#q$ zIA6!(4Q7DZedyz+mWDQDn@3}Zm6G{ukCV!%8?cPPfEeBUIDC3qXo`%h-@Z-3f&6xZO(Z7C1fDzI;|{0v+JJ#$ zFbFw*8_f_JPV>*s*mF!S41AYscKkHAus8QpmEt{>J5j{a)sPk)yI;-TxJb=7>to0L ztqbzThOlOBpV3eEYq;olt_#ANH7U8_&$`cSok@gC)$*i1qxDgbqS>vA#%W!d`=t33Qon&6Dzi?mm|6{_rRJ51C?#Jbh3xLePwN`&^oZf*8G z)x@Zcgi>?m_SuZuYg`H-$5MCFTl<_PSrK9pqoebzBpplQ8!K(JJI{vEi-IAmpcW7v zv;sQiWE%I;ia{xf8c5T?WIU2FK{@fSEOx`=#+zg#{Lh4rj~+kw?F5gZjLjI@s70Z1b@HxbFdCWZ=_Kd_E>R)&19^DBtTB*cd$yzp%(UW51 z2TcNpG`ClBwFR`ci*`W{MlnGlj%aWk7M4?6o>~_GZoN}y>T->bOFxkfx8g*R=M1qx$ILK1YWJPqsGqlLxEN_?>1Sbpj? 
z2E;>V^fZylDRRzen>?Uoy8s}KYV-Gmtvn?5NIDuUxSDvmg&Q}jvjdFvD0->%k{2xoDk1q4q2>Y-<@zkp^ZOb& zvGPY|5N0(4GDf-0*soJ6Z}Q^J=j(*G#)%KTYI})$&buv2jd1}rWCc_QXvE+vQI}{V zuqa6zNf1RId5fss!AP^W!mZ>#IPmn?A6+3*y`q0gL{pOmg~NLPOdKwbQT|qNKkhmW zt0wA4$dtBSB5y|~+G8V9{$-c{j*y9KgvalRay5^Ic@E;cyy1n_&{2W+&T9sC=x4+aP;p?tM~f>5M569ExxP&nPiZa;=LNKS4o`P6WQ72D#~Z zql2i8GvN5CLH9oD1m$#O7)G2LPXnrhYie);qjOX5ytIK}b|E!Rdv zd>PWbKfbFU!`;Ex;p=G^q|ncP*J_a!G*Qm~y)4RA3`+&NU_!2scXPVI1%?J;;v z$jgTMm5Wjq$E<=Gn+FE2OsL0y){oySrb}- zvjfHPcCz=M2*}&Dus;OkAKj(btGRz{i2Z$9`4>gzt+4$eGQV=>|4w8w)ir)|mwep_ z9x!h(0QHn--6Jpn4u|QYFaU|_W@r(jl>-^_9wfcV+)KxMZmEcPiyTV$Ft5?k@o{gb z@+De-J~pXE+GsF6D8mMNh7aZR$=M1^u!5q3QN*q#Mhr^*j?HV!$HKrW{77#*-=0XxCRv)P{|NO-|7YP!PhcNd7L_~ql zIgQIU9ky0Vc3g(;qh(RMTBnBRwyX|h7zMu5t)bqCZHO&CS=X~OrzN)SDBh$7M8w|) zBv`Z*bD4xY=JQ;eub9t-M*%Y<1ag%g^02smpZb# zQ6X^SKG^*)r-nhMqDii3S(J95vaVzDXfQF|o3Pw9fQLuze{%cobayP(;#Ej zKtj2Z_n(jBeZ=U4gQU1%Whk0CSSGDONcC?w_66Z&yC<-B!N&w-l(Z9zgX%k8Y}j<1NkCh}x+QJ75yMJV73k*zOTnRZmfPY>v*-VzMm zPWW*xf&~%8$xlwKFPG&+1JjEK*hoQwi7s^vFHp8(*`Tkg!)6X@Co=^F$e+nBHGJ=2 z>fMKc(R8i_c_17~qIN#B(%7!=7imAO2ui9vB*)&f>MyGBgOJ8p##LHhJ9_N-V)sF0 z6n8mpPOA}+$!`Kjw@Rv%$;F*sj+?2Jj%S?UBo&SME@G%*6u`zFlEdhFm?(PrgVU{S z0+FSq|Iz#BQSXZLkw5e?!@%|)%#mezu^hIjpcc3bA3W6xH%mB-Ch3_ccJ`93sC%aX zVI5#Dj0hPExX`~>3+#YmMvsKH-9}8iTRV)u5f2DK&V_QVmCsk5GC;>@C8CZ2v%57h z>Jb?34FOOgeL@Qh;DFJ)V?rqx^nqvjvN*6QxG|8S4N89uES9UUSpQaJrFSv?)*zc?nmi0r@Iu{py%mBjt)vc0PGgcqQnDdpd>}qN%K745x9|&iz4e;L zK6soJNnnjjKYC_g00HEX@Mla?GaGzyFW?xez($SGh}SHKBQs-o4@nIjx{*u1wq?@SI=JK#2aLsj{$2=*GDOx-Iu3Wll>iPc1CkXT}PE7x=`a8C)i zDDG?lP9gN-j|v@LTC7q8441TEx@#%h%FV9rpjvevn{$Ni?C5^(uUa{+UE-rVwO&%6 zVEEF4&*qzaU#zgnJ1#)i+gV2k4se91>5T$BB@de$zJtT=fbE7sv0-SN#*@%AovrMc zhr;hsSnR~3;sD9e7Q7*+APz0fO60yq z2HP{OL^tfBe`gcTu1R0P>YZx_z<-D7T655A(!DT?x$feOt0x+5ThPVjF`CUu%$QXG z`?fDU2%N_~qu5}khzd6cR5$ZreF)n|z+)6>WXH}tjCn`y%=z)ChUT1t3PNUAH*Ql< zEg)2EzoxH;qdh$=bF-k(E5_vKLfM@M6kl+uEenRwJQ^>?=Or$Fv-uGEB^#ves#L9OJZz)?|(Vp z=CA(+zWi!--}Jwnzm1SyiRQoWe}DhNf8&Jx3w(L&g#8^^{_&x>x2^N*BXGa&KmA3l 
zd5c?rV9j3*Qfd6ksWUvmMQ(#w!AT+OkxDk_`75z=5Tvt+YeR${`^37{H&n(q#nw4o zopbkKTaszX;ugRnIY>lgESO~}^iqd(8YYD&N$iLZSk_y}>S|~5c$LH_h2`^%tEq9n z?j$~LY#udehf*tbw_d9;jQ8j<%u7P-+kIunPOYJEY{{W2S;3Hb{lObgG68aXD~?c~c-mp*Ny*q)vFEqP z;fEO1C@!gI<7B@}T1_&9Y7s-exb9iH5ijBse?rRur52Ga%$F(9s2*~oU6|G7$pi4= zKh!?Lp5)8xcpvH8hkS(9hFi&_vRGdcl(9o$j;y;$_ENFoT3K1+hiqw*@y~p5zxIl<+X3$ZdO#}vF za`(E#4XVTqA(|hr-_y}g)=zgL8ygjcu-1)*Zg!E+$@7!DK8L!JfmYJvIpq=>bq{$5 zJfu?z6cGq)aP?@Eu4ldTid;1gj!O#Ukx|NsJMbH+KOiXZKLL4Ay?a*?H2bZgadYv~ zD~f=n$>eT*ru;O*$CJGl_RZXq$MZuY9FWioKf|)Lh7IY!`8Ec4J|RVAd0kB5?6-joI!nQm*)|98WIzOm9WTVv$KgOwqVdw z5$KWZ8P0BU#Ug!SofoI0{7%hf)XzqE+t?N>V=nAbGg@b}b=`P)oc|wdZ^4vTf^7}s z@<3t1-Q696ySuxF;O=h0gS&fh3lQAh-QC^YKBgzro%>Bsba&Uoeyg!r7SZx>3dK@5 zg+>=2Fr59wtB5p#%rtDUDr-ijK><71*;z>^FpzH_;D`3LcortF_!=6(QTELM%xb`F zeje*0}h2d_ctoe7rFax7uz2$eQF@0|>r z#CP3Ov+rXKmAXEHbIXKu5KiKAb)m;ehU#MDH@cyw90Yxp*{pRtkLW&ez*D36Z2AumDs1F zYpzV{{21-8hLX6H%3U(m$23(?bV?Sow6J${U zxYIW{^oUnRI^>s@m02Tb^72pS%f?}W9i0Iz`PnROh0geV;$Lp+<_!$0NP>kRV+ zH%J4(S#8xMC?}5}VgzrVDzih*x9-G39FU$(0FE=bN%ix$4(Fc7-=oMAaM^C$gEn^x z7OUp)btu{wpXLQcIG-9-?wD5H-~|d7a##H-;|C@*p}))Sm(63hfTw3)B_z90$$VWU z#PzFSmu-)20nc?`O*vM-MNRv7feOvmlU3AoD$3I!#p{qPl2~Nzw6Id&cwAI@e#J-~ zu8Z9vOX(}scbO@6thIawO_v9Kh=UZc?!RRZ?J3=!C_*2k#*?ePN?X}@AVGNpy+35% zt*I}!goWx8>CEaM=rs>Al*2)NzGSD0edtSfyGEQw$VAygibu!o#W|^%zu&dA7LV3O zhr!|R^Ffiy#KO2sW%N{Y0XrhK+O{UBmqm0d#oY){u?}8Wd4bB>98(oI(%re+8VIO$ z`JPNIy(lHk-R7o|-=aZ^PC6`#xnJe+M6`lPhx6z-Z5@Xf_N6!<0_jW&Jfeqedes=q z!d9sXUv7^SJbqw!VvQa`3!^xvAfv~7v}n-lv3GtoPmvO&EjZMO2t~id@Q$xVr86hr zegfZriMNoOS~G;rHca9Tl)+0sbH21nh`qL^WK&@q{}Zzf{GP=#*?sz(QB{rh7SAaA zK2pb<=%L2VOLp_!gM%;shG&KW zDx(M~hwzEzEq}DBrm8qIv1`l2ne`XJftWH< z4zOSfJNB-Jb?Z<4s)*13EE!-x8BmsA^SE=dzvDkdiBv;1F6k@Fbz6SM^#8#h5vl z9mBs6Uq`TcEmZKiT&15_7g&^1)w-dK?rVXd{xwovj9$LK} zSC&i%=^22goxCvL(%c*~TAr-wv852A33Tj9mbryOQ}MdaQ^y~)wSxnN3n#sse13lS zc4iB?tRvRPSI(X`c~*v(&eICXU>f>UVDB; zxwnDfZw<8c3j48$qq%-Wq#ml?@9Ua8K3OzABRfON8{pVr&c76OJmY)}v^y;Tx$*JM 
zUA9d(=w^=jk?I9oCe_drs@~XG?JfTfX^$Vbc$gnVVjFr(s#I{41^#tnk;qNGz)#CB zN-h<1Vja2_?DNvYkz0pC9uP=cyAhy?8kekBTMyMAPu#|AsFe*+_6%+$BGCA`Q`kg} zt&(=r!coVifM&Fq{U*-&lc4=k9ofevnt_{amyH=YQiczqW1IF-tD4g%8U`Te;I@1q7j~84XMq`%aVhy4>7L{* z@ZOal(Ms0+%RdhZzBP6|qeh3=hCSKbq9((xzC8g$dbBQ|U3rO+``ykXWM4RMEyO0& zn#^>N)JD90J088N1_%-d(|_QeGKfGM)Yc$I2ZiQ^Q`X@F(h>wJik5C>oY9czW!eBd zn;Sj?P~JQ{crd9kBjoMz7le~lyIYt1d!b>r!!i=`cP(cu0W=hly1pwdvbgW>Ifoy@?3Cb7-bkG)JJ8A?qO<*`*3ZySnOhk z2InjUzsM<*dFj<=gf<|=sAdyWhH&}VN<+YnAyO!YA~^}R8O}sYe&WH$F4BX7-sv%L zBp9eNO$ZpI84ayLyvV(32!gH9yIN;@-rR=R{NmKU7Qz3+5&ol zGEnC|o(2h<=Iz6*hWd%W)a0NWNoF9i2bX>qTaoSxu7u2bX5xwthVW&2$j?c1%Jrml zDi|K=&9ITpG$#@JXoO3A?~XR;&_V&b8*!F>AWz31gOXCu=gu4W2fM12iJ;lHDr9e- z*io5mVnw3f22O~Wzla(S#60FLlSx1RB+jxUg{nqQqm+0A8T9i{jS=5b{oHsn33SEQoUqhMq+aG ze6X75Twn!a_kNOkL(3%XP762K2JTYK*Ft`NCq2Lkh>YNUc@^tKt#tGmqng!-q#X(Z z6lWAd!>(2~y`8>yNI7>67$DnDvLw?9?2UHNHp0a7E`n<`pQ<*X%}krVj9QaVc|W{v z>GffNN}*^qcN!gAWPDVVtm-E9Elq5_pf1DU+#d>mcEUB5rdSo0SfazB;LLTb2`K!~ zvoFvzZI*~Y9JosCNpL}95Nl8*QFve#I07aa>-r!7PnO)+Z>^U79+%u9{mWYyW6-k`FK1X;()_)ABziIXH%9xQ&o^_|UJ zLP8^E#SiQL|QzLu}Rn~k{`axxKAN;R9%7h2!FVbYGMm3 zTz2lJMacU>uI1Lml%;-T-&NFI4k=nzB(=%`bI3>E5hwa|(g_pW9>!C*36I`7#G+3f z6ytEgA>Iw>E%KI~+`A**S&Q|$C4g8t&#px`jCVZ{H@yW5?!(iyN~^mD6GOzGn$C}q zGoqGOTmw7hDpGLf#KpaPgDebD`ge!%pWNmj3sOc#hTo|mBmJ*&^FMVM|H+j8$AXlR z{=fU0^WUl9KY!tW<1qe8|9*+(|4Ie_I#c&QoyR|7{C|@={z{*Jr;a}f^IuWNve+T3 zC3*zmyGMYND6N<|yGPN-zH)hFQ^fAW;(fnb6iq%F@Pwr-@3m~0g_#uvmu|EO_tzq; z!zQN7=aDUZBY1Ev_d4Dw)Ie(altD!hZYAxhS_gFxGMqUWu@@yk2+!} zph1Zw(BppYaoiO-@y~uhQ)J{Rd(SJnZ0FCHHe~BD zb=M+#GNZ*Dy1jdCF-#gFo<4~+<+vWtZq=TcM~y#UEp-_2LneluZM!tnS`>wGk~##wjhzd8&Y7{m{79Q|F#*@oI`I zvzs(xvNUhGXcY@|{sv^j0o;WUSAeo@p=|t>>THWtG9q2g`H|%n-spUKNVas<1fY<@k((~W$3}-sZfp<(KcJ2a68K8a+Y4_<$VHXaULO+JTO?4Qjx*Y^ckNEegh* zr=fdW2_!7|qKTcQ3zaKgg@r##B?fTHVU zwboOq+W^nmn>aPfLQ#m-*SJv7)p##e7Lcaa zwTPFOTmRzOFDH z*WS-9wll9}mQN>k5Xm#ynhZoY{^SE|C;LH7$VSV`Ti@*j=?9s#tScUkEH&WQk;}Tu zPdRx@yDf8elp>orgtW$Ej^3h^GEq6iOP$?Sdo++Ykk5jgnJCHmpa=7Z0bdc5PNX@% 
zOSX>Jw0$2*R7(Se0ToAOWQ(nDjISgs*3g_N#p(&&Q6;L25#N{_A!?hM_yXyhn`mIe zQ2(a8-b+^|BN-l>v@`8V%~DdL*DQ1ug3eIqt6oc+K9UG~cppPkw@EnzDn+p|DlKpk zWiX_cqTw7hFnU((d5;ggWDi|fU@f4RBs$ITtsw)TXFg#CFUrbeuO9wv4*jra+QATt0v)H;InOE>h*1KX-=|p_A^}zU{~Am2WoDrvsZ*b2bZb zM0|K2ITKSy@L}*@26-4>GcYPhK03r!adxevwX42aFwhlpz?Mp+pZ?a#E0Sa>viL+CU8QNyZ1Bo&ztjeSCg=iH{ zQ4POwbQ6j-P>m8&ls`^LC*F~zJa%+}c(9z*xxm5nK0qV{q1K`Ba3I++`xydh)O{f=kRKU4~nvG!58N3MB3fSqU~V%ov}D*JB*2sT1YK zVLFqK71T5+iX2uH6UxL)&y>wkaGlB#f1x5pl0HlsOs0#r7cos_VE9CQpzUBXlzMc# z8%0bmE>FD6RIf5`Uti1XEg4Rv9d2Efw_620we?zj3y~Uv)Ls=c8zzs#>m?|vKI?Lr z=@%kCthLFj)$bs!))kCI0ikgA;a$7O-;V_G!+twG|RXsaZY!NMGYeCK( zO#YZj$kfu?(Z@XF5xC(DmD$7@%7flZ*j5KMs0 zH@Y!bMbPRR45h#!Ys-7D$HgKyNd+xoS*;LVrI@vyC}=@{5~h}WllKi?v62gXpqLt96fn_c;|Q1_{JatHtCr z06G#skoPl67n{NvK)ZIX$2hGme$`B;VELpcAA=ya|2oGU%&h3v)IR+rVT2%aP?wx6 z-|pIHWy!$oF=?o;mWD^j7P42SThST3`b*xXVa=RDgKBBT8TqIn#E0Dt+NdTJ{<9<> zNkImao)_Pe-&mGr>YT1zW*KxAlMp9p$cSj<#QG39I6r@2ALEyRvz$O}je`%NzUDhv z5Q@k}ILkFa?J)4AVFs>K^|zwA9(Kj%vbv6kJMWbVEkzL4{a!z%!hvDYPPy>Vd_>BS z)?#c}llrWH=1A>`v(ZY~K%L8BfZK8?KtwsN1QY3|HB9p|8wOeB!;SE?40Z zqtlWpYar|UVg1ZZcwqx49VaYxS@&Q~!tZ>1kfa`AQz(9O%Wf`0QcZCq2CZ&aHQl&{ zDaO+p3SuIa@Uwg~XBfDF%yCWGgpcrCA>TeDqbr_I^V5o^ZATC*>0q-x+rStYg+6=h zcJ$QaTt;O}E$Vfig(&)q8p7UX`wtG!!rF2kufG|cvnLz5`$jW_Nt%(#Cg&5iP_z{6 z$rg%33TuJwL;M96tKXQ{C_}MB8e``5I#Y|yVb5MYo!9nfTm?CyZ%H0z1(+JaWiAXH zBVEy1*$OBe5Set3Kc_y>xqB%0UTy3KmG%tgqg#xMyZX6!3#9F${hE+Mrq(xE6-eS* zMy!~ijLVa0+=U3TlRz>#D$T09oQd_P@c!i7-CMGIZ+6AUl85c~SrGCqQ^~F?wnr9N z@Lwxi*CuX#EeByna4W%>b-tprCYP@nl)z#7@)8GmXOG;`YGlNQp6L$Stxn!!98I0T zcOV~1ylh>pVq89`08RY@9nU1l>dQ_O^oGy1LtX)E7aiLBjrslX^jG3qed36Cx28Fw zws^5(pEeF0gl2pR#-dogUd0geTtP}LtHP_C_TMQslFTNr%zTu7t~JujtH$SwCog2Y zwI{y6N&$6~hh%7f!1IQt)AnH$a{x46#9LCG+1Pcl^bK5?v+PCGsTxLmY@B`V3%T&vI!25=4Rh<% z{`COJ=@X|?0;fqkeXRs;oQ2nR{YiYNV6X<1pJhY)#q0-s6f_3ueUGnpqxDri0dooQ zwF3y!@cV*n2mZ4qgHX?zQ^GZ65tc9%YWtRroc8(%zC8Vy@u61YR<-@$ScR3qExlSc zhdl#D;fZHy-L*^oUoO2kIc9 zfOT|R8O}qxfK9!keR%fCSZOs%?wqTkt4SH$xMmmb0Lr`~LpJs*J%5c#e#@>+OWnsu 
z*8@%7&xopuZ*(}BbV3o`_p;=O6k!O}NU2l8rHHyb>*>Z~x%P5ljS~IDZ?YH1vV<;T zZ^ZqAwph#X1L6mpps_Gk3wh`x^7Ca^A6{`QjWCJj`I3cku|nh?tRpu(7kEL_esQ|v zFEG{?;V~3Hkgy*R@|hBE`!1!MDt3cPLH`wGByw{^41>Z=P`bK4-QD;VJcW@TwXq=D zH;(GC2E4w!!q9HZQA-{F|HuJ8~m@`lmhsipbj4%Z6mXOK_`;wBN}w2Q1#&) zgeMX!u$cMo0%;1B=a0FMrsaA*!Q`kAoYo+V2Mv$2th$_)3B?`iB4C?xzV!R%-|Yv} zM`1r=koLNjB~{~Haz}>+H8Vu*iB(`-O=$v-65BEv&!6XxqKu62u(*s zMmjCto`teYJ0YNSLlm|xeM4cnIIZVeFVuIW4KI}5CG1X}_SJr}avhWpuFJL^wNnt= z{R*1vE)Cu`Mm^5a0;dfBD0 zN;9=gp?N3w1jT_b%16Zh$RUD~k`*bEz8|}ejNS~;im>!i5O=UU+AgI8 z*&4gw4Ng@wWW@1jD10q2>Quxd%IrI*JF1yHadYf1SI$MluZ@OJ+EHVZoU@+3ElLK( zSM5YT^4`ggg=*1$Kf;*#fEmwP6J>_lhgD&3C=p4+-G=qXN~cFmcGF&Bs3G>G<(sVq zx?7eNeoFQNuX`DR?eiPvM9rNE^o@xywq9MYz3V6D|CU$V)}@-Y3Wm>#vl<>%%D1s9MIm3uoc8aIpH|7(_LUgz zqBQllf7y;fG}I86PW1O)rH6lbEI>L^iUQ!dR{_CW7)}niLap;^i8X$tr3*3#b^2Nm z?5xTt+jg66Ok5QVpCCrw#c-)Tc{y|@a7qES&LET-KoMfP==Xu*NnK~-#@6-;yt5Fo z+8AOxez@A0n=R_f)&z^Q$tX7v7qbl~F?|`u>tMYHj zcDPvg7G5KL6Q|{_hs4)M1H!dxaPgAYdY7Q15A{X&lbpcrxDjN2Fio)#V+hZDM&F7= z3u3YJ^nT;>i?(R2kk~iRuNKZkK(W-U5(@y~0@*^;1?era2kae|v~H_JS0TDD@W3}*q$R}sQ7-*<*-X9+Re zhI}O&lYrDPgAw`A0~9Z3n~yWKTBA5Dj3DI8npR>rFJ1~mzld_|HfHs)2owPwEJ(>Jbtm6y^kP=lA4{Ke~O%qiHUaJJ;=+ zL1~SGE_8RY>ZHNEowzoy;UCA^@n(4+A_?KBTf|Z_pb&c9eS4rPqVM;?#4oDD0Nb>8 z$dQ6X=BvT312n?&T4eXhOdm14e8th3j9OOg%{)?usM!y;<>>LIVm zD%AdpWnbY$?LDQo&qkGg6t_f0Yj z>-j^$t#}ZGoDZ2=)6b(!P+VKKOEHj+l?4jFJFj|(Zg}mtDppABfJD66Q8$2=nu6o1 zE-mA}IPRI16#w`=L=4r?qI3i|j_dT{h$kldBO88o56}qPKt*2VDgOgULKTHUh2yGS zoo}p&OGM(e1&9^}RdU@SuqVVSl!D6yD4ZNP$m^Hyl2v@nC((R}1s#mX6l#g)TX;pH z@GCV^oHuu{_Dar?M$h!gr*u`s9zwkS&~`zUI4W>;@%muIw;T=zOBU;Jp4W-;%eDs5 z7o8#?tLAX;%bi2NY~BJEbtlD@+OPEf`T zH>yIB`v-Dn6@>Up-M$$D-G;Zh1z4jO3B{NKZgMBOX*4Y5%D4yl`kwST-el(GbNrmq z{jOS9ZoX++Yl_b?9UodjhQazgUAVL#3^IGWM;p>BP5YKcvO8+>5x>MgkO>@}q)a ztA_C#nvhzT4m0wsoqYWl4aSuP>NteOYorBeBE*}@=py^2!u+)${B?)lwiLKz5BTu< zNO6s)`D}hJ;EJV|tWP${a$SJHj%#xk4D9Yn zAyj<-N!6wOG*$_nKS}5X532x|f^EmnLob^_1i8dD;&=U-LPZzn;r&vO(3BM<$_5Z> z_Gy)H+3y{bPP8@yJT3`2>-nFp*j`FwLae=!yBg^vB4TN1Ae|Ng_u 
zg`A?uaeE1@z0;Q%%|V*wo|f5K)WF^_at8le`f2#0zJ2X$N>KC{tK2S*Z8uwf^RJaB zI+^d?-VLP3;%cnASTOGa4y&kdQB@RyxANx@Rsuas@Wi<8H%oqVbm5i}SMhfyMt(rH zDa!uWPxr13J@eU=6F&vi##WYF?M$vj%st!}f=t&Pl z-n5*7%;sJZKt(vi5X-i%zHH5BjLGMTu7J3mXNfwKlDUA%)}$%od#yjM?Q9AEV5Ef3 z6#^NFGyQog684;LYQ=a9=q;({@<3)ZU^qm=BNjFGH!qnuCgj<;h`~vaqXC zI$NEjh6hK>m%P(g%}gP)*<eB^+_``D z!Zt88B~fZQ4=;RFXqMOJ!?(7w+3rlXZPyjXL2+9+Dx^9JY$H74$*gtr#Nta*&`gKb zXfXout_k+bAvV5j&MUegxM(aMU(rWHHsG!76tOBe;?9?g zvz?a?e9pHXVXEp^QbAB8TaU{kMENSrP13P429Gf)yxE|9ohQK&@c7d_ zYH~iH`2l{)2ZITO64{0&nf2xy%wyjUF;}6>B|F%guV?x&h?cid)9T85%ZAdkIACgC zeFzi9cYlDPjV&i#{(!5*83vUY!($Y;S7#V1si8#w3*lA?hM1_3f8)&qWj~ZUk{4?r zUHbgdB?Ve3tFsw9wh=OHnlCh0lBSw&&NJ~tLE2^%Glc!f_W0&g)h{C3@*$$)Uhq{m1lm7|R~+$K4v zny;RQwo)@L+(nRPzukUm+5v&&V$uo01Su`{L_!nmC52sp6VF4hwMH5Qoz#dnM@kkp zNEmq#QpzceI7dQ!jI`M2j_WmAhhmjtmVtn^XR}xYBQBH~x>y|Enl^IXl6#Z12czlo z2NUea9Yn7gFP|L0F8|;q<-%oWuQR7lz+$z+>_I12Nw;+Y9ddwGsU#l`QHa+#MMZHe6i%s5 z4f4fjtXWADC&wq7-e?#YmBLT_rUxM=qs9GR2|~+as_MADTqZ|v=tX53^n0g;Y_guN zwstsy{n?UryTdcGj3Vi|94Bb}t;w_NiQ(?vRuz%FB5~0*3mSu|tJzBNY<8#*AXfnc zUdLG3@p%(AO*A>V=OA&68T{0!424#&N3&^A5Gukd_yYT@U((%Wu-_y=P1D6ycI?X} z@tf&b(wAvkd$i_{J15HHpg{!h**B3X z=czP{j4bTcFbp&*;v}P+)eVhLzfU6c3r-K5(Xrk6nj%$lRVN7HviL|$BNYh_{$R-Y zrseQF*y$-FK6#3>LY$iIlR5g%BI8cyKx#T3{?ERU$W2-07qh6H!J<a>dx3Eg=T#=_5F?dpj$sEq)Qu=h8S+eTwDHRw)5VFyk-qM1}R> z3W-ecOy!g!>V&VD*h5R&+f1c%hpICQduQ_B&38|A*+T;!Isaz7*v z+S@cIQYy`8zM6no)AdiiB>t3KsAXDXkK5Le99J>KAH|>)#AG-aHGXFCLp@8C(SaEk zHqQMDnMXZ7A*%ZzJ4M!g6mM)sTFSP~s%6aoVGBhz7CL<(XCKp%~6S>7mOG2;WRHgNbpX+ZdxKQD9!@-t69nPj9 zdgP6i#Tv0bkr7^QVdZvFp%q@9u>&H3hy{`H-LZl&je7OSnC20SKA}5Bz9zUHK3Pj@ zn(e}3t`*UOz&f8qYaq`wRfB;nXCm0as)rYE#xstNiGJSE;`)t(*s_)Ks&N)6C1F5K zJpw^HC{n8OSWBa!wW4?L?738>b#Uj&+i!F)g!yv~B&tvFo;9`J34RO& z5x=h{B^g+HAvcLs+k>+ihIBFEj5!$0YZf}HA~07so48v{Ri+$lt62NOv5ppDRuwLS z6-SdN%L$#s5O$YTmM^EpAm7sP-@!ot4hH%!1Oxpbz5w$w{34&f4-B{u{NZH#6%KSC z9dIvY2ErkJ#`fID2!O@E#{=Dmuz-b3zili3bqP3-1vvXp!-3fTaX8SA0GaOY7EGPU??Z~1Tg$-nO*|JS_n;QiizQN-Wx>;4&P 
z|C0s&2M7G`4De3?1{GB%HGuv7|232Q-$RxDHs0XSCx`V%e|HsI#K5lngV*8u-^{A*(D0J+QW<;SY90X#0? z0)AXSWZ*%A{|C#sfiMhU@Av(Y9T>-tzJE;c_df3@``5&Ooc|TF1We@DZ^Dm|C19`r zZxKpB_!O{KzX`x0OMeS$0ytuTfqnnv{qv9|6)hHEDH)kT6cl2>4tHk@J6mxBXA@px zAl(KFv51QqF_2e)nTwZ|nHQjPq97Ktv-h}9x0DVqs?P>_q&;#L2|b)x?+)1T3Agg^@F{p^2G=?f0K1 z8Cz33Vu1ewECzFH{B_FJ#L)>D6fre0$Ug&q6zza}nE)gC-!Z5^JC}5^wpKK-0e7ze zUZwwV-oVDf+T*Vlb~g4d&L)n;3U~D6Fz3qsbN!zfz61oD*tl3bTi9EB{E8|8f=Ud55Jp#iLL3eaiyD~iv>dEOrYxuk! zj_awRWc2grWWIwBGL3gcwe#AqKFlDY(>{r%CB@^KFNR-+#KQJi-ku~nZS+kV5HLD? zyC5&4jO`>DM)lrQ5Xtb|;Bo_`YwG&`J>BCik*=woH8&jNTU4cpj;HSXgfB@$C{B7+ z3f(WleDI&o4%@?HPrTfV%(?JVLIiaXiuNs!_q-TbV~X~ZYA2K@7+hyFzrh=%Q%uA( zWB$MfRlU`SJ7T$^R`rG@Tz#_EQGQDg z(oD-k77U@Od9movS%`|GaAB+pE_IiQjpk8%OxT+T?4vW|Qu*tCHV|m&l&(0%FB5K2 z7&DKJ-$0J^(qK^Ngnk-t$0I)LWPIb2im>_((I2C=^=(-~?*|uQ&$dN~)=uVz;nz>$ zJUlPiB%TbpDELYb^`wO{S2M*)zdH=V)7R$gcUEZnjC3r)GJJ*7C8RsBMBb>ET@$-r zts83@y@P^M9p^LjVaD!oe<9mjd)d7Is^c9ENk1`2I=d2-7Ku$o&%89|yk|s21yk?Nz3PR0Xdh504RY1wKi7U2QW(()-MO^J z5kHsihRMVuVsNfpP+{_c{+;sVd}t`A97{N2t>X^D_>1AkmWmlzq#4z0ai$^$(vXAR zU7BJ+c?2y=bjiF0db;n(GI^IU1E|yV7X;n=-ASgKMRuxQ%}hpzS@AZoo(5VxL`13e z%SM-2-0Ns(_TE`Ru$<(aG~6j8?^(yJ356z0L_N7@BQ43q5nRa@B!EI3ROj?KdTP#m@-A>sNbH@R~$gbw;X{RyWo) zdEL3XbDw2wqs`jKp2F7^&&VH)y&_#>qi-Gy{Wlc*Hx&EVQ0!jS0qe&=!mnT4k@xxz zSjx@vi>%>Z=eZYh{G?_0uJ?e2zrnEY>N!}*^tTt}4p)A z_sXne=XWiq{GJiyY=HQq{9aAJ^Ti2 z0Hz9HT)zo`n*tOTzX`xd=LgjP7f44%=3hY_KsjXL;$>s!W&6Jv>VTK&PXHtNe+KLP zm1gR{fpbKZ{^FKYxqqtv6M@d((@z1+DSr!`2g4iN-_Xua9?5%JN#KLXA2JmFai(9oD<|XLQbrnG>Lw+X|b&?QvueuaIwi|1# zelt916||KXJcyB)>Z?ir9Go{b-Zk8#98h}ewlrke;J)&h%!P*2J-8UoLnWMCzc${_ zt=2V1pB_5WPeuhk=}bLcFf)tCfiSsRKri-<>*1on_jN(!B5=(W zO+UKeB9)+xE_EutQuA(5Wit@SQmc5@E{b*RZV(ujWII>Lmwv(+BdW6p^N@N zo(rKj9b1p*C)91?}|Vs9-RytzkTagCPpW7eV1iP6`UU>Wtr@GMuCOR zO4yc@1VV*UCt7FM>uNKM{nO4RGf@sRleKvA+RgDdG*%%G$c?U zTAdcvHV_l?0r90nRy~=hab2&VI2GOPB9n#ggQ(XKS+MqVW0C*g#$cok=m-N$Z-(A+oQ6?*wK z9yNq@u7X=HsQ(2kIpeP4hIJ*+bQ-IO2&++-mqs4WfYaJ=ev+u(szkbo?~LqI9;^|D 
zbC0U(OWJX-atX#P<(Fwb$_iDQ59g28{N0@=^)0+sb()B?NJG-G%nV@3PqSUudqT3+ zm95fEAq?P4yi64aWg`15fgSqt)132&!jo?@qxwBJWsOH#(*ip<+A7s0D+RP#9=FEe z#C4smPM#O9i^ZxJ77~iU1dWD!vy!1a*zWrTu?u1snSQLS3t^{*qN}>-NuiI_EA%`4<{$n-?gWoDEJ<@0ayKwf;sn!U_C6u^Be%n)jd!H+-LW7a6e%07}yiW0RS`rY_fy<1zbDa_oR6MkOPkg=<-pu$};T2RJyvpcA|fVDNiCr+YvQz(N4L{wTlZ2KLQy z07e&fZ~?=AK+^`V2s_|VWCt{9@T#(beSpA|;9&jkXyXQE0cMH>lPhw7R~vxd?7(W? zKM64W1w(r<@gm@Uxc?vA7r;}-2COz4c!XdR25>!iReqsg;0FJ}&&LML={IZ(pkKh^ z@tXkX5A2Qmm0|&yCU8@*;9q4_Q1}jhftC2rJbj$RvM$yD)(3m~IN1LG_w)h7{1bxy zf9C50uhgG6|38F(0bd{cf7{h3r6wtQ@9MjMwEq(kFz_vBvIl&_cE&$}F2Jw*8}%KK zGzg#p{CVd>;U--G6S0g{wYx#H}IqM-3M#r;^=5% z>wNE&HnBAZ{Z%)$ur?t!F>yCB0?p6Z8S%ZaOsWqq@sY?IFNOV|51E;1+)Y>Cf>_e5 zh~_mjd1O_15ePV^)U#8FA@Br9QZxmd8s!uY5!T<+@T`-hJeZIP@J^K0kWstDFU>(W zD#5oFkSf51G^y;??ywQG?F!kbd>nvoRXNTo5YJ-YkU;U|+2^kmr{s|^=ejpHAFjTI z<8~YwJtu*{sesa;<4zNDrKa1X8D++WodkBIY8jZvZ99tyNq;~R4)3>lC$#F-bge+F z$usSTIaBpJtqG0H<=bO#zGCG*G|5$xvHMX^Z)F$nk`qKfEjs1ln;&38?>zuGr%^FrtN z@|m!VmosDHmTz+`QEi~%poo*u2X-?M-zti6UzPSb_aSt4b_ z_5qDPY3m0;=ElR1D#h)EUrzZ8rWI>WD{;q!4N?)ys82)19IM(Y-@Yka97l{HyV##9 zV~eaoU6ijtWAhA+noqNn<`Eup5x;)9dpxp-hA4~C=`;?9gJ4PvQ%slrnq$YEDMmz39gTC!m&XZ=oa zaf@@l=R;$UyEUK*I3eK(!?FsT@R*(!uc*1^`4*1luVzVQJ1HE6Xf@Crv+%wqLVw6l zhH{{}v&kNLiZT;%EEEe`Lq~9yy^Bt}v9-r(JJL=t4!lNi(#1{YsmsjB-a_F2w$KF| z@n8wdysJ*;t1y9odY+rK1d)Jv%shEIsC=~4Mo_2VL^*K`ztd3hsKI?ahW%;e3l^7G zZR;}=4>{vg!Iutxicke?G~!S<;gSw~d%*=1pgnDg zkHhk=Bg8eGN6tc^4)sUhEG<0)+g>qv2WD4ErTOZFhJH5fC(9G@wAA&I3y@m|eO_^r z96rw#>mBIY|8QZqCm~Ok1t*0$6Rf4B1$S2C=|{en=~Q)&-)b7s!k!X;1R-8;nD`tU6GhPiCWNV3UAzr~Ar4_X`W`}Ly3Yje z(_L2F;jyAVQN%I532)X?FEX*Xg?5jG1ro6kLllxd&((^;+{Pha)=hoNEIKwy+BOUR zGRW*2b;L=la}&VN;%$$kppJFtP~>HY?u`MVsgeIyPu!DA(uV73OI&9O-K>|s#SbsM z7+d)Li_#frsDM{-s21-T!!KSy-dynz287V`ELPEtv-uyDB)mQCdCLXAQKQhNNlKSS zgTbm~x%sxWBcf8+IUquvJ(>pf4Jr52JTWRib>!Why(^oAvh_C~@~6@~&%Svn0kQu} z)oirQkX`z^4{aR{OXvJLRQv8ZFa45E^)+{IYm6EMhwD)?-b}I)@+doG5D0q* z!vu`<)`h+ldc1z3!xwzKh%*mg&yZmaiF(^%~Km;4{`_{8lS|Q 
zMEX49M4v6rOWga^E;zzJleuvk&0m^SiE7EQ`$-*=Cosq0a0T#?|#C9y=qAB%&zW_$y#oMZV{{{R-l)J>IQr{LT(YCf0 z-?&M7_9}6{RPE*3D(H+SdsO_|RqAoSSLA4i5L>~@WvL@;jS$ST_^3l9H#D?PJ;bcR zy1v0^ZHB>Dc+vxjY}WGh35g)XuTNfoxJW2MHnpk1K036O6TY#6fxl6JWM%`|pzX87GS_G2aPC-uL!4<5Xa;@%kX z%QOaTufCW3X&M6zP~WW-zf5C4tdYQ;koz2zfN|yD$NwwW;FnPhu*UuR#{Jk50+`|M zKU3f9fKd#vtNkVbjACHJ)!&R_Kx)?SAGd$LB}7&Azm%|p9Y{0E{(tS>cVLnJKQV`W z-=o0vx6L5VjxPT?}Nf}9bV9z`FasE%Vg8}y9KkZ=bzwc!f#)R}Dz;An~&Xle^~JV8{dCDp9Ij=ugoPZe{PHU!{i6_Z2xl=9 z9|l2S8Ger^0B+=V-}oQJ5pV+LL9j~za58Z6aR1W{HGrSuzqz4?7E;u#;gw=d=VTjF z;9Lx(b>Xm_11&)D{iQ4w19=N}i^%O3-zlus>+xI3BY%fi$Zi{4IUtoLK8%#aYvuQ49QW_#C{v58Zo@B;Ky*EIt?f#C!O5j5nQE;T z5>!peM)CwT*`eemd&sgIYJ4or@>rmcWe7qe-QtN|s|)&*DllJ|osTe!gXEdmGC$TgKFwKQe{o(zt)>Ve)`xlMk~TnTOU? zTDt3n9Kn7IgU*fPc#M^qPHO5SjuXnn!b@r?{%5iYT*l@rwlvx^SJr!R8S!WwtguKK z+7st^nK$v|^T7sW7>${C>0u5mY{J#jmqC1w7LVzCGtZ?+QC3-Ir{!2Fs*+9JDYwfe63JXa0o@AR-L_`^I97c<$&Mgqp! zT#_4wl;}#lE^uuW2=*T>hMI0lcg}ak53#Z&qTYz@;s>)bZHbggyP=%$O}P|N`e2g1 zR2RS#hQaL%s-{g2hL;R!|L8mq+a9$c+)Ud+y<6|Zlje(_mPE6xX58Ns-8k2J4y+uCZ!^-WHr_2r)=V$9%ZuE5J8&<0VV7SdvRCEC#i)!`%U=%Y=* zdYOKmA+pv`T5#nljmX0hNI1jy!MiA51bd*>dR%}+7R~er(wuu51{hqr`tM>y zG{=HV6yrYF@3$qi<@lXcs`i$2e-dQ1n=R33qHiK(sWPdGBk)nWo*bV$f8d+XsdYYD zq3Pp4c~st6kebsq{ffq4zU;Is`EV46-|fX`&?P6xquapnJ*hk0hW(NJVqptYjZ7=% zn{YKnc&$C2)_@MNS&$afsNZJx1@rvow#hC%9!-lEM=6n7l)Tp1+YYW|{KE7Km4kW7 z2mEDrY|0pem{BnCoAbn3OjD*4)f}aISUyCy9~g4eYNkbnbDJvnbfM{qSJ?DoUVId} zU5J4VpWdaKFRkvhc+Epm;IlXr?4*y|>2;k@q_?Wvu!IMK^WVfJtg)fYA@ihFd=0U~!AcCcBu^TG+*Wo#a{YFW zXYe>Z!m$k?B=hUOzW0f~U$P3_Fc01R?5#ZYP1=7RVUu_C2W333M61>_Y{s}JK;qU`)dRSYvE!jsH-@vbDX6Irq2N~125 zG%X&*bq`8Wxk(hqNyU^?3`V48D(R?X`XaLMga;Qc?1cIv*$;%JPCZ)sR-uAu9r1MB z0GS<^aqM}H5&Pq~rzSEBXB-}rJ~UI3j27{3u^cNq!Xb*zJr=6ZvNva=7K7fZAd9!T zEa04*NCfy#U<=?HZI$aQ+xos+zl4{of~`5n3fO#u>Q@sTzH1OoHc!pEFgLL1YCCty zOw^8Ljia@ubM0T6(w{0^Kgei_5Pvsk=t@cB{FwRFK}{;Mjmh|v)5itlPb7{v7OR;E zLa;*4@EK*}+93!ouk_MpP`PU~uX^wwnycznh`316cEl`u8QzH{)x2`sA_x?gMrA!q 
z-|HAn&a%ZaO`UX+UZuO`sZ)!&M)V;tkhw--IOXwdzoSzo^C>?hO^Q(9Z?I1ri-aE8hfq+M~B{+#+6wWB3 zFnxt;{~z|=GOCVcT^j|0P8e7qg1f`S-Q9w_26uux1h?P>cM0z91cJK+f(3V%;CAO^ zNwU^Cd++nvy=UBS|7g0qx~jUXx@QmiedI+-OJr%j2`g*FvrV#6N%bQ#ae`&>DPHf5 zIO$!Ct-1H7Fn~+)9>&Ew13ALKf3-RU*!15J7(I+V=*QcqW$Y&Dc_@ex>D*bT({WQl z-nt1(RW}E~{LuSm;^C*j%o&xplSSRQNyJ8EEB#p3m9yo!^j7$WDYny9V?f+4xhy(S6m}#(lr_t+tl6A7q^iK%InamVpvtSQsF9{MQ0eqz;YWK5ibC_iAF0p0 zE=EHzcauuC_hs4X7R|_X;{|6@S3?(i%?<+{Wf&dgnM$rds`O)QwhwsFP`gA|qm--# zW3&9oW3nenpjbkCjOVn+nGQdhstcK_(o20TEPqk*cJcBn5{$p+ZO~-XnOYh5R|IiI zEj#DWTNpU4GB4_?r_;4BQaan8o4|=zFVwGXa&IW=cv56M1nj!$$MiC?`tgnttt&&~ z*T@lnx`SVoA!%TbPrjmB?VKCpK7~I*;MX%d&~SFuWM9cW2rZ`IUmh}opY?w?fH`cb z6I)j7y^$u2S#=G&{{bQV(O5Bnx?`@`jnyrtN@DLl@w?bZyE-?RaL(?2y&$I#h|h$HKjguQfI z!0l*vNP;xE4cSa7_ALyIsqX?wF*1wF{C%$zzsY>}T&QMj&L9fe>54Fo5~i{E0!b*T zZ_p1aRc<%Nao1|j~XhtWO80cex|6Omo#u9>|aq68+FPrhOP{~ z?YfV&SC8lUng)-?vHyLK+eB|vYC6iK36O4+fpCuyV;REvz^z>o8jRN=9f4=(6FQEP z8A{`+9)v+f)%}wDrs_eM$m@kF;pwDjh3|)47Iuv|cOcCf8Vw&dO9=ouzil*taU`bW z8HE&`6#e_wM1m2vp*?ab_=>w3L&ah#OBq6hn)~mRb*Z}yFDqsa)XO|0g5$HiuAlt~ zPbAAqMdk(IBFU4FQVV#%J*N3py@TQ|F;WaVcFfikL{a*&Dh!Xkz(?n}-AK3hDw@69 zn1DP&TZ;Xfvs`O)1d`AzBp?6c+w02)?82A0vJ%)mbRx#H=H=|8{4J4td(TP zw6isHHC{~7mLpQ~d%_ZG;tIY5) zMMKN%ZhpwwcDC~$o8DFn%P_xmAEA3=uK^`%>u)}DNVOBYlDZQBf#t@0YI@G)A)~0} zL93j%Z*d|l{8DpqaP-^CNd*h^l$A{Da6Y|=#v2A-vh!rD@5Abr4(9W**vFE2Ha>2$ zSSL{HaM;50w=rj8YxAWr@=2~nr7nW$!`CWkKX%lkP%tLl$1?D`ASYOvGH%J73vi}! 
z{G#IZhLiH+l83nFj;<_uM(xfQc(Xi`9wpIfL*#CYXbhIAF4e;WtsWqW+kY7`@TwuS<>tf`tGX= z(cd*}e={OJ9WrjL*5xEql~sm%{RIv3wKz1}X6qgRA7vu#*bI;4O5S~O=z-u>iuW8N zHrJ0HHy-%cvMy^=IT$MYUp3f!DEBw$8O(L&o9^Mf++p?9?iqH{8SuJp&kxsaWi}@G zjF<{{vl286(z?)D2p$d$D_h28=zPdM$btnJJPOOR%ULQ9nS3kxOO8fw>n-$5t;=;1 z^?SB^wNi1`KW}VMiQU9El3*9O%B9ypPwvRtAoH7zjf*!o(uGl5U-Nd~dwx?@Dirhn zVIR;rm;PWSwQ|kEJ;v_0e*3)uP>~1evovuM$$E&yN)+STje*S0w&lfk6Gz3Ck=;pP z3)Ke~QLCr{+l_Wrf6I}XZ9y0;M&`eK)vlab9?HqPA@@4*^9v~$X_-)pKoh=|7oz4V ztA0!I6OKtgw#L)7iAJvJuOl8R$`+w%Fc#Xz|@>*Gf0XsRN|5nXC+`f2xoj|brQ?15h5wRZ-O zekq#SK&zIapZ}7gbLfU34WBGltrB1rp92gGW z*>?_}Iqk}W!JWogDn@iMK2`TDBZwz|9U~?F94VB7rMWzR;Zeo%67EG0n&SL9*)3v& zoEs4k<5D#*rGZ!7c{68 zD=wPPW#{2EvCcm_0)TsNvsap8FYKYX`x2ur8IYhmMSsKdWYn9o zWMFG9AVSxw0vyR-oussy|FC5qm`)ui>;zgVE8=4%g*Rnv=j8>2S>R<`9*iRdG%N1k z>o1NgRYK@ws6q2tKUQ0QZo$Mnk#N^N(h#Ruj=T{6qGw9(hrWjFpL3IZ>)rs1P1ay8c2BSjyPH`2s;_YHC7>kn)n(aNi&_mpzH z(lf1Ei29rk-$2|$4jEK;WKMJjU zKBvEm|5#~|Z34s#On7M8+5L`{@ZN4$X{}P48gc7cj}t-YyV-H+*ofQaSC)wSuC}>0 zZrZoQm2k%DQs^VMq_X7@QjE|(paT_ieDI9V`N}U8_yWS9426X@ScAk&26#M8B(fP6+oRk z=vkT>2w0ndc$**@!f%3vf9jC-*J$uRhhLu}`M*W)LFQ({KoOt>P#P!;lmnTWsr_zb zW&|__ngC6KR!=ak4bTn*)j9y3{{q%N!C!v?Ykvo`|9613jK8ZEeuA~2VD}Sj_II$B z=@0bmPq6l>E%+{hOw0bz3UGiF-eAH$J4o5e4z}L{5%r(Sep!Q+>TDp6Gk5{9d%+H2 zpg&A3zZ2s@@`xu7fM3?&o>)MD3Ap@^9>LoT^dR;;$np!MatEFFsRvLmza0T_>;K&N z<0x3;4qm_q{wxCl^5B->vj6Jx$C{Bb+L-iUvhw_kAEUzrkr;>F%a9705Tn zR7Vz-X#JHZHCB&Rq=7hQYG4J+qbALZ&UfK!z+jdq*5kFVAjzoL$hua0eP6E!Q6>(v zoXbQw@8A{maOZ;@=?ws8sQc)1*Ok}c!SnA+k<9DRKWuxx(+M%*+Ha?{*lx84XXwYe z@*QdPe`kw1W?XY)m9_!-u3r{02tOYqDr01~M-&8jr6HYcBuv~dBH>G*#6lyJN);;3;7G|q02aB zm}KF>a{qiZt3-J2BQ;`xQmMG5Lsz!yoek$`wD0S&PYItcyz5}sk3N=OwMTzKF!#2q zlj%2RE%Zy6pmK<%t7kS(mD1T!9OU*cGLX8XD2ffUk(vwd8fTFo0(su~w|zJlf!Zr9 z|C-`T?4GK^03+8zzk~Xr!n(v!+dOwO_-Hk=sPa9*1H>@mBX(+CYvv6nWe%EsaGj~K zYL?uHA>qBYAd2k!+KRcXrq|Q#Cf2DZ>LvE1M=u*MW#Flg9M`sHRG{zaoNJ!BV2X=o zl2LrVVm}grqr8}~YNlxFA){%9d%d-isknO_E#VbbWc<>W-cY(XgSJ{wfZ!35qBH${ 
zhAML{-?pwOFq7gfmnt*kQi5!#+~FD@`e$NapDx_kIvHO>q3K+D-mjK>%r4v+eveYh zw`l36`Tdb<{8zP7iHEMoQPUL{$nui>mI{(7yepdlfDt^MFI@N=dqR+~_m^lfk4g#h zQF~GOL#H1HG$mdD3wUP4Sgo7S>2Wqu)!;b%Y%?~tD1?pa~xy{1V4aE&rhb@0x)sxYS2HLYFJh3-uv zz#niuu4^ix-P`G0P}-E0RtH=6;G?YU`vuO4sgKlRcONcIQ0U6t`z*e`qo$hQ!`g6_ zcuM3R4=UYI)0hXlU8G8_Azw?H(N}juEV{N$Vf}W^qkBJO{oXG16@N4Fw+Gf+D!O9$ z)LciMjPq}iO5w;gYlIYu!-?xHRO`6f?oyf7A?JDC&=9*qj}4tran?vtLu$OTHF-o= zLJnHuLCs}4yLgTT*svIZ-sg0fcXe5_7H<05Fbyzo1J_82;lvK$ z`^OqfyPqxBnVD}E<>*1pHFgbA`Iq{2TF^GBzt9VShTI}y4K0tmVwXBbuyXSEz(gt| zMa#rh*v4!RKoK5(-7n%pCUrkzAaFx)Ns-@V&%-?sGnMdrJHQa;oc0M5t)1 z)q?lZM3Dm0gK3uQW-%YzyyT1qRO5^+gBmdkXl0*`jl%7QBHz0iu3~2{x>`?d)%i#( zkC`9h7{s*Yv5)P zAT#|-%LBCVau=!909r$GxAojkf<55YdRW4qm#D$bwhZnW{%&gd#?)~#HXnr8AzYrN zou#LrDO31WJk=ziNuQHP1R&j|XGB{+Xf#Z+5*sJ4Kp>RA=QP!lcTn<8-AJCPlB_1j zbDunV;sd~jo74q+y1A7J`sH?YhN1R=B2FOtVp^P|ej=|g41nhPG@qBWZhF>_O~sV< zb;H{GC=qeEDrZM;`3I~$PO`aT8^3C&tgtEy*4{D{w`j_^)|R%^YI1bz`%SE}O^qua z%PWKgDW>uJkm$nl%YZg53A5PsCP8 zj*G2b^LV6KgphT|wO?n6Cl`7~dOG`7ylC@K9hXolb>q~{8_HmKTb3A*;NRv^>auuL z6GVn2z=&WUJch;F`B*`{DQ7a0+#20@H_&bn<3Becw#q5QkXkHQP-oM0m9gswB)O^% z0Te<*DSlcQU04Ac&IQ8l!KAK?MW*Moox?VtdA6SwUG&h*&7$3nD1C9J%|oD%XotDX zmc;Qaf!J0?FOstxXS)cf@6sQ(3QVDF8E{WyK#=mbci`Nq3FvfLfy_eP7pt~e7S6F+ za}&yyVup263Ks^Dk0{an5-w#Z&kI`=5dpE!d0I8{Rx)=DGL+lBMID%3#h6{A7D-Io9Z=D%RD7Th{UMe^r5vA;-GU1ZeV(fKY*iH9H5XPNX-r2{4E9n-eLrq%Kt3=-JRhtdXcAi8MrF&mv7gf zO@0q={?DpK{)oo?r=d!)%;Xfe_;MKHVF>#{3SN|>v;bcg(RS0+EXCtXKWG_^!iU@lc3PrUoV5{sV(@f{GT-! 
z1^cu7+g$Yb%m$$F;-99Xpy0tD?j}#hrJyL{lOgE;x8|at!1I4pl7K97o*t^75y{^k z>R%#~e~DRwf~Fuhn%|zcf374^R0J{C|7A=Pro&6Uv4rmPec6tUDMh=!n#y?dppxEvo<-a9m`D3#FN7Or@F!oP_p8sIU1Af~6 zyebBe{T0yUmtD~4eoC1B?%xA4W(NMee+(ddxc`@=KA@R&{CSZepzU{OpeJu#kZARH zA<*Bfc7NLi&GavcNkB+85cHqoA408v6m18&fIUUqIY5^5|H_OPG=={^)DCG~Vn(7F zw2tfshr`uy%zxdk=^s!0%UNAUh1zuL%BA(2 ze9NF-gWReIRz^IfO2)8g<%R$jM9_OI)Jw+#5Rkau1~E z9+mH`csBv3Bkdg}oYuxMSIs_Gw1G|AaxY5t?<$l`;A!YICdGxvg;J^2FO;J;JTe!> zL2S^iB!)_PZfSZ?wzoH|Zy;cGaLUpKRh$ke%+trl`$ZS>vh!>X5m;}H0WUFU3P~EFp=eOCc~C8cbfS0)PE(CMi^x|CZ;0Gqcys zYJFuq{PXm-)JF!#JNCyes#K&V5j>*jx>0hzE4SQgMZnfH08b&x{hLc=? zG=I)6E2LLZB))h!TQFymdZ)fMiMO?9tnaNAXYoj2&q1%OqdaEWCr#Et*ipjlnt{ja zJM=l)=RX>bVH4FTIq1cEB1LDoD`IhI>hE6CE5l86Q6*lI3L4-D6L_x(;3aQ|QzkSN z zQS%iaPGE)o1qB}fbAweD1C?kxP5u*%jw6V1kEz9ewPj&@9mdJIc4P!XylLpV4ev&Y z&TwcF7J{7>W48v!3IzpH)erSMV4q2BZnwIwDjf0pSfWC(8EJe~mDCm8Yeq{f z7T}kz%R?X-(q_h({&{Lpad9HRa5-5T5PfVoew{@N5@*xdPrXsPT9x)RX+9itR*PsZMtK$+ax*4(Bq~d*ZHJ z%9@!5DlsEbWMVb6R?X8Q!s~EL)8R{l4%HyH75Ejv-VJo7_s1JAS{de&!KB?H6+vij zvPw2il{|^4LrO$*QIyWGX6E8MCV6$W@TUDU)q zP+w2h$;3+&x+q-myy4&K?hM_q$~K?W08Aa9kuU*rAb> z-Spwt;zE)3w03Q*D^8m(5W$+0=34lwFMRi;Dy+L19dleXKu@&pOjCc`=* zIC^1vjEZJtH^!UhM z#ITck%gM1s>j|i?JS#~cPg#;MrpH~+>M%GV3ZB6}qS&Q9FMN|~97?JxeI={{u+($y z?yHD7X94n;ta9HFuk?&OieN&RxV?Fs8)>eco*eCM*X1FXg7#|lDgz#W(%hOdzL)&4 zYR_s!qr%Y!eI(ZHE8s>ru6wMUM3QT=k_xf4xf%r-$7Jku^G6md^tgIPi-{41`F18| zR`!0<0+VrtDh1)57`Q;2CKz5lE9OuL6PsT3@@E25aRY_6fR#y>d}fkFN@3K z@-J6i{9<+?q`4+=lvify4=XZ4p=m>9?2Ra!;i)!jJrn0a^Q`$}XJZ0{tzLp=OaH2K zyPch<&Ph~e_Jb-#qYWvI#0dSTgB+gN0+sDSpWNlGj-)8nQ4F@AWbrL_d*WpMv80lt z@CsJB>}^cwcT_{Mq0bs-oR{8(y>5X2M$TAewjdvW+pC&|md~^Eg8!AZ``ARr6v8c5&*TfoK2DzAHh~2X!}l^v>tE%k zfJ=|M#x!gyJvZp2W3xw`#MwTvO(K8`NLGaJsCJJhow+d81QBS=%H2OkH*r@>-R%XL zy=oU+>Q~}hfu9O%j&sG+AZ@i!84Sno%htP~&pU!C2^YM~-!X;v!<(rGBUn(I@Q$C- z4Zw9AX_?hERO}733rEI;ibECP*H_eXB9!lh%%E9Ab2Tj&g|^=gm5x>L3|$nk^cs^j ze4<@|*oK!N(Dw+`54anyV>nR?MPXuv|}ntc6W1vohH z;;nO7o&N4}D&kmu*(a}a&PJz5q)#}7`kWnFLutRd3=nHES0MovI9`3hMQwc 
zDJq8^tu1hilWN{LYSO+Tv42EVCt`p}$pnFag8M7P{$ z@dW%8-+`W-I;dUVgz2b-A^GKVewa6^i()5937l!P>UU11h(xEuZE{h70Ci2du* z8Cs-vt7I8P(UBW0L%v{r!)ZKMxO2*$@$kJ}jhY$on!?$V@Y$(1ml!1`;@Q)@iYSiF zW>RYkg)C0A`$2rJ(-MzR%2Fbpz44J!V$rsGJw=1G;?*w8$QJ+pq~}~Cvfp&Bdntx9 zKa|(qc4bBrC$j%7x!5eO(c%8Ml*{&rsWM;KI~@;`4V2;fZYCwmlCG4_qLDfRI+jJLD~q)($2) ze{gKWmRdymQRUD+L=LO_;duA0>En;jNbalgwI857t4V`eU*)nXqAq}vpS!pW;L2fn zb*JRo8NC}oYDDO z=iqUJYx0iIa@2)QElwX1t7BIHrLp8l$T5Zy!dFVruahZM#lbiM9RZsuGpv(lkdLM> zh$FAh0Iq(k4-nCscBU#fQ|x8M@qF3Nt{r;OMJ_aU@K#O^GQPZRPf)YXTr472+XRMr zd(%teRAVW-FHl~>PW~?NCRZ~DsM!-pPj}z&C-W9U%hJ59XIl9~?`+ zgMWxqU3D%@H$!9C;co+t|jwVVNJxqItwTrF}nqp6{n}INCh?&%kKge@@S5LZDf{Us zp$&F!F2t$mJuaX(3|aBnV6ZtY%e>)Fevp6)d5!%{uxHHWsuT)llf;qV_7GNCE|r~0 zk;B;el?r^hE<*CQt&H@Q@~^I4lA<_8#^9@%&6G3VTdF`R zy33t?ot)8-E&esL9O714_CR(T0|g?x*B{sL70FCYYh%ox^pm;07lP6Wy24tc2TqNeY(VvO(ud)|pta6>GVekKCQ*-oW%}}+ zJX(#5_{!@=?1K#8o@HvjgexvSCf?T~CY&ME^Kq88nLMg!{7Tw6Ry8*q=?NG`0U1xd z0v6xNc!Cdv&YY10GqXdahZdIcy1lH$#cs2(p&Dgfy;qsIppSE?&CHBtG`Y>_ z+I6HkOjGmrv|)Ap8Si2cU-QA|wI9=rWz9JYqxyA!R-ngWOId8JS3QgtUD2^%|4x{l zv29)_7y_wLMF)l2=zsr_jt!M3@T@=^FG-b3z7Qp-ockL*VslSw-O`P={K_hpVcFz5 z8Dy0*k&&L5YF)YT-Ea%>gxOU;;NS!Ho{01QY%BbaB_dfZ5yQ%eAdCm>m1bw>jXs_W zh}y4KXn|p0JG%shYUjE26pg8D8z>MH?X^zF|FV`2~!*w-`9B?Q7fJYsyCURvz- zE?{6LJg2%G_#oG90yT!8#Ia&5)<-)#jQX}Cv%iv8qI8KPmK45a?mf`0Q4X3PaEi@} zqJpd5Vj3i)L+?AbxjLczuQ6U57R+gRz|JTa{y;6 zJ{=$pE&9dB+LvUW4~9LVqY6tbPHl0A2v!R4s`{$J?3N|{`ux!_Ew?U(_9|EWu|^MC zMDA-PnscM7zu&yUs7SIJ8mW_3S44&O0)=;EL4)ey{W$Gx?K_?&wja}tLN9oB2B!=X zUK>xM*iEsfXDn18R!Oh9SjXl&LvTw?iSFsf;43h84~&Yist~8v>WI()e;D~?m-`fp zVzQAdoUb*do7W&nywCbDc?%95>=`nyQ)|$ZwjNZpAgzZW&glo(d zATno?O838v9{@NRmRwJLQGt{Eeys1=mHair#DAlA@%_Ujx~W0TgOB)}sd9K=!nqqE zwOes_eAdAvVluhZqa^cOOpxC;gA_EfUMMbtxS@;GNIty%Vk{r>f|L$n{~Rv{qrd(B z^Vh+aU&bw0x$QbQiO&sd;O&rRRbqkA?NTR9ekrS4@KW#8IpiqcG@p0J3Yc=cndO9* zf6ovb^7OZfyGYhS$nBkL;kkzI_ICGg8%Hofy>2OOzt~Y$nH9of{a%bU9kHo);IFMD zdAIgug^l_4zKaFv)Q7rOiRXB=x8-Q}MW~Q2#TTl8nfFC*3_i!VTx=`57o%=a0U5Op 
zl1QXmHWo6il8K1&pD5*OYP)gJDx-@}Xw+Vk8|&-o?evp{zF()m_8Uuj6J9B6?mBQ4 zVN(IvbH|>EXG}{(H$z{3=O_}ewk)9x>{{rSjbwRd=G+c+Bm}SrhIm=VTb=18CN)Wn z28B5Y&Sg*mTRjYzq69Dm@VW#@k{0;8xuSIH8In(sm`IEbRI@cLNUm`=BuD0PLbnJh zeCGEx>yTg4A}-xS@oDg>d{U=^D4 z`CHMRbX`vSXp;K*?6mq=S?HiI;Up|-xn6<$R>w2eH}5_eVk`&d)RZfY-k!&iaE5xn zt*A{(YKxHJbZLAA=!+#XVHP=A&)$`mUtk0) z=O(4XSkSzPSWA*`>D+O-EUv{$NH_T;B*Ai9(|7SqLsJPt1dUUkwHJ4 za48FTec}^i&MJd+uWdy+9h%-@7rQS0{H0p%R+_1d{JPe@N5oqm3Xz@>mJUehF|4vL z+8gegM%r+h6K_Yquo+#^q6Tm^!>qBVGk96pce}M`3{UD%ra`S6ot8c@WSX4Rb*q~z z9!Kqc_G!RK{r=_6=Mib@?~r!9rkQ@&OMU=7Zu$u^*9mF#CLx1nG0CsyE74! zw@=V6t~O@i`#y`nC|r5N@S_}SW!dSAiJIf<)KG{iT}jQG(JPvkZ&Y5uu7Q&o6ylGN+<{G@Zn}3 zIwn6!N<(2c64c2bb1=5l(r~O^gh4#FLR)-JV|d0BvP zQSrMBK4^zosMi5rn3cH_&VA1Px4S+q?DP+r4Y8VwI?sCu_%SP8tOJt!eTww)ng_;L zCAgVZ&YSG<dJe?|Ca3PX4l$f!Hid?nCYJ^;z4Vnf$BmA2RC11_49Ki7%^4 zVz1j$`@0WpdMwYH`cUHy3|}8oGgv#~cbJAdIDDs8!q<_vSg^pSf%-P;jS>m7fuw?F z1b>2W9l&hR(CVCNIue9_kz}5tob4~5M^Si*P~!f)I|voXg93qS{W{g4jbN)#vMDNe zxE}gOD%ltIRFYbybp}W{LvtXz6@g%-Y&7$=?M^OGNUW*#2l8E_^A3=gFdEJs-rKoG z5B~du`up_07#TFC?hHCZyZlf=C)qgvPXixWZ69}(M6K;mKJu)yo@~nN`dWvK=GURs zwv&>i4jGm%3~1=LDl-dZE0OF_7C*oydLP4)UYp5z6FVue2_z}iWf-yA*H=~9@}DH! z$+Si1wtBoY&;MND0C;}t$n|gb-oM#<|C+t`MAHE?x;W^WeO^Z+@arWR3rf<@cm2`;BDr8?geUR2F*DDvLd- zmEQnmo)pUpAkDH8P#LHKR0V05e<2>ujzA}% zGtdR-`a6LB7dGJ&J?k%QLa-M3kIDaEWD|lkt4}nqU)Y4d)4KkybOuTI{>CPJY72fy zKx{$~lZ^u;8Din~@B%LTbq&r;#sZT5f){oUu>6;ifDu%O5nKj3 z%ikApU*PoGEFf0PAN_#qaDa?q8R$VN-oPgScK|Xm2Q>ysg+UhruE0PK5)*@E*Wh%3 z%%J>f;01gD+yGn#ZUA2Y{fz%?|Eb;YZNdGpfH)H13Gq^s;fA+8U>ZimRRQu-x`iI0B#H#u$p%A28|D^ytsJ~DS!Gyv;c(nhD zP$;POU!fGTaxyb<(zE_wOeqA<)Bgriq2N19!@qa)mpA!uBIUo>Q~%e5&hj!cDsL2? zD1}e=^uHsi@V{hH{U5l1pkK^i6wshw(XY-KM{;*W+_! 
zeM%o(q$&@(BrWu331Ny1=y_@V-l~{@(V7b;wl0BnsjmnFE^UC5w=QCJ@M!PvoHG=*dldNoulzv;PWQ{9gp>c~LC142h zL>OX0WRTVl;%n6Lf}0y7*sIt9QQ%ymHI;2~Utu=FR$0Y5jt1xAD|pps7%z4qiR%?& z1l=iUQwhHr74-O`x?MUn9c8~6q^%-B9pF|%LP%^!=F%Z&r$zIk$En`Rot*v-q$e#nrslcZbW3)ghThca@(sc1yu_mQF$ zFVyr@sZML(e15)`7LzmU*Jr;d$-Rrmm#`fFyu<|m(QkC#$Z7(l`CYtZ6 zKE5vu3c;X-sAGVsNXZ}xT)X)p%f54s#jgY}j$g|4;VnB>H*nKog!oH^Pq%k8RIP?h zn?i%S?D-btT$?z;8co3M~=cdQN;z9 z7v?KZ1T_WW7T(ZuJ%0^A{x$VRv#*CzL#5waGUl}Xu&3GjSO0;UFST@_v5$Q_1?iPd_LTSxT-b#l^7sEKl_VgQuJ1`39AJe^fL2q+UxU+v&Otg2OVBUu#)*wsO z5zwfaYNfvFmVsQ_G}*T$QPHD#>=V+FtJUkU>m)rPHgJa?Dd4C}U*L(kHe6My1XGlC zCYt0^`j$|_oy+m48;S~h5}V#S}u`_&TLVydne@%z>l^+Pf*Xx zAtz6J+`b2K$+kGN^+s_cGwrk^#cyHP|F4@gv1N1Q)QMq&}f()RO%YEo=bk+AQJ zA=keRYCRoF)#l2OXkh#9CuxI~5-G~xM5anyJByL&|6=2ns3- z{Y?9`)2mcJXJ2&(`#QY!%bB{?QCq{U*WFl)P3J0kP?E3hfEVmXlc;FbQRtskGb%hv zDj3quD?0<`b4{TA$45w2idRDxvJwNz2Glm(%TKTSb*4gUbLrOy8VahIuRauI2gMEy zq{f%jYQQn;4s4B=YFvEUWJU(i#*UV7%ENt|y&2(MN&IU6-cPj_9xvB-ndZR(&P;JN z9}X92rC|S2*fnf<7WVn4MX&z^>#gk~+bHD2_Cy)DlJ}q*|pzqc^$kE@Et7QG=sKmw91& zF^L@PKequ()7|0hE27xs6h}BG(%6s^TIe9-01I$^Dt-7FCks4 z+{nhGPv!g1R)65y+Hzw$}6{mQ^i&|i9fVc=13V~4vF8^UX1GTz0xJldVZOL;3}$h4?}5h2sA zyzCLZjFL5L7{PZ*W~z8%D)_ox`T0jXHy8z0bQ5XZdOT&AlM;$EN+F+(A{Nr-0lz=v|33hz#3o zAE|m=sNfsLZLczpoe=)gOG5@rodvaICk-ng;ENoiqS&D{A0?Z@^>>bf?_){P+eMcS zi?Zqn6XDO@4g((o$lgDkcfpWy-Q>!{JRWh%2$d9`@)Cw4@EM2=Q~URF%7$tcr!G{z zg8ve!T~(Fvl^M^XSuVnv3*yI6f9D677SpDaylkd(C~XsD$0ech+B8;Z`(yl@aziU8 zWrxBqPV1V{M!A!HuC#OI=KI8{uhnrBIvS6hKd)4hVMRd^h9-QvRwN>VH_@7$iGLNs zzgb{7IWnjBiC6jC$CS`}6ffh%!Q^Hk$Y)xv?&WCC4inE9c$;n+lqG#@d+Or(!w=#eyanOp)2J&+dhO(Z18$r7DxF8$QJod3vG~6 z9(?YsS{7gAbV2|DcoCo+q#e=trYgP+&>joTl?##W4^3ut^DeEpsWA{n#a)n$^$X~} zCYA*ci9$!&9;~N$O!N6<(*_W%-DioZw?SLQv}lrQspj|1n~b@`un$fJi`Gu$t-W42 z_Ad^W7@f9uiUil%&m-RC+Lwx{*O%1l!4-x@V_?8Sg+|*&2K)CQz4TWnd=;y=)Z#jq zxXIZ~?!6#56O>3p*6(8S)jYK8&THEdxJcYxWr3o6p$Ls7r~m$N?u!L;C<{p=2;NOy zPYH7#ywmjy|3tu|U8bqP7ZH#>jWNy7+fs+3oJY?#R9oZ8;KC_fX4F62u8WP;7V~Cf zVh;l`cWT{ubP=~t(uCHbg0Gr+0gEdMg`6R4iI%PU*U^KW8YsI6E0EB 
zM;6w9|8d!9HI6U8C>6mQmNq^xmX{;`UbA4EWR} zg+Vk6`z{!UCnYLUjA)_^@ycOHo~O67A!y8vnruVU4S!Siola%F6f$Yf2^ym2y01+8 zAcrr+(p`U0I55o*zHJK~uJ{e3Qrb5Ox+@7w0Kp`O0-A5lcx|S=PNxl~rIMG6pvS4R54&i5te|aM5tQ`qKgp&$}u?F03+Q!1l>0F`Y<<_{^T1x9ozk zL|3)UjW3p?kCd99T+wzkp${4G#T2ySr<(4=^j#cTc$kr+59Y=4gADnoV&Z6p3CNN1 z99vo2O|h%{xROhv^X%BAp>M<@eeYX&CK)!^=B>4M>7KEP!YBSe?7an09owJpO9&D+ z6z&k*gS&fhcXtWyB)Gc<4H6uJySoI}V8NZ>8YKAZog+Et%$@(eZ|>ZxdGAiuUe&!; zFa5Rc>hD^g--=0(LYU{%uz@6&bN8q$?C|@*3WU;Qc)7zMJpJui5_tn-*!Oo^WpoMq zEe;8SDJ038}O9So__Uh0>v5QE?6VOvo(l6~dB>Xg1wW4nMStK5cZSL-?x3De)C zgQ0$zC!1MDC768cn&C6zBA|898k!Ab!m(?L_^^E~l$0Qm#W7Oc=&Ub*ubZ5aaYXOD z9PXNWJN34?UaFw%0GU$S7lhDtQ@4q(c<9iYbyVx!1z|;9R3AsJafbGb z!FUlHI)$v!Xd(G+(XQqsKUt+zaSf6rZ|(fn9b&5<6JZdmyRY%ykRJ@!CPD%e~fs_V@l;`xF=x;pjULvQHBS1?*ZI zd}q;>p|n!cx8rHoQq`N5dY)=B1Vc0{ouXR|kBs8gI)lU1mX4{u@O-_-hc}yNOLi}? z?L9CNg~!J{L0H&$zkRU-Rb)-v5>r|65l4pUa9rKh}e#9X2iwwqL5>@1OvHV9fl> zi|o(O_Tap%EKI++#y`K^|Ez)KmjVf3A%6-3AclW@=>4+^;4|qj>EI8DF<40yF|?O3 zwJ?7JFpdAEu=u-r^|#N_e?W|xSlIufEV2PIBUt1T7Pfmwq)kNk&o7DpjeBU`B`x16UMP0fa!qKeaxv&Ik50`v<_-1+4M?P1^e@l>ANF`<`jsE>^UOa%UW-~`k=uto)3Wq;NK&cnnAC}&JeU~La*;kOz9 z$Sxp_folZk_@hVQW30dx2oB)%Kl1}i%fZL~+2X&7|7_=HZ^1-iK=Jws^kw;Nbl|=K ztD}F8mJ<*-0riXn%qs>|GO#sR!73Y2hKmuf0AMj-1vg+eu$jOb9$4uFww&yM9tfC* z6P(TobQY+Ti3!l^z&qdo7XQG#0FU&K-v7}nHn!jF3bq%x5;g!d{fAw_@t^qsJF^4a zXYfAQLO=5XRsnCp>8u>AM63Xm8f>jU(!e7E9|MP<=K^ehCa_=#?EDdaX?p+}`PU8l zhqec>TK^*Dff>xdVX=R~LI7CnUvdDW1MCM*;OGC>+TI_^9-}aboLmGD0h}%DY()*7 zO}UAfxBwH2nHm8*z>k}a^}m3&$0+E#jj0VVG-H6_ploMsVe0HgPb6e*O{4^V;yDp1nL3#|x|;qQ(M`<7+FH)g z23)=De|c?BSyNm|Q3cTU{>v(R|G5Wr2x;NW5h=8b^gTYvB-fC)DY_J)q8wtvG@05f8KOZ`XY{|_Qd z0JHt)f}6p#3E*k=+l-t)?Fh_G_$T%RXxYKV)Cv5I_?7MNEEGU?75;S$5Fh^+$tb`{ z6Z^9q@S6K8Cj~f162FcCo%nYh4F3z67Xan|`_vSmJ;gs;0A4@;%}@a@iGRaT0nV-E zpH>3AAP_P9!u1CZa2DY2$L}n2;Qs~}EBn8a z!#Myy+5bT~{J%2G{5RLk5l*Oi4aBnSRj* zYiF8|=$$Y)5EYnOy+;H+o{L#J`u<5ts?5=->bYVsV)H~y?WpSHrp47R`v9#bCd~SF zzrcz>?$D%TpQm+)NWI-wqq$ebadup&a1`ug)dd7z@f-Ito5d|=2RXO&TgkcXY^v|{ 
zqM;OD?TqbSvCKE-RDuH$IwT{(rx(Raj-n{>#YCno9EArUwZwJpsw!Y2fsemy%yvrG z#*rB9`l^nWrc9hR^?+p5O|i`8OSmLAxv+rLkBrqc;-sBpOuj4(9hXZc?Fi4aeTb$7 zcWMx-kEj(p^L;|?zWzpO<^astK@Y;ws5`Z~)0$mbglwYH=D5p++`hb^l$a{(UW|(~ zd-#FKj&wLD2PtUHeCK4)c~j!*OBQ071l`45vnUblyV@@fdXHfDPNI!4sZ8Y!fxVVX zH01(59~%<`%GnB0dTTn5umyOV2aRXu4@3Eb0IvO}G9YKT1y*dj^ug{7ncPiw`89m) zTx07MQxp%A9xNaSka<@>^f2G`IwwFyq&DR&8Zsh6?phqAN#W9EB{*mB)7VF;Fy1pD zzNgAER&%|q9HxzgpQL}c2^g~sb%L7hD$x=XLR?3Jgch1&%&d(%O!3;gOCEQaLD&_J z47Uo_$wpNu#d{^N-GJ+(YEZVO^H9!e`V`%xkItZ_#2r(dIOiTNq0D$szW-EvHCaSa zTj3xucCngb*iyCXERJv#1bD zFeA^f3pDxO$fp4g$RNxHkTCZs`(1&)Ws>tKb>?9(&!BH0I<~+fiZoFsXCMOoJRd1&h z-rJjbwTv|1XB9QpHAy(=KLq)1TkO_ZBw$nNe`InKvY+S-rAQ{l64rKLBUxbI?Pt!P zL&rLxg~~Az;cMT%zM*<5Q1Fi6mW2cH_W0Fd&eoR}1j0i|-s;AG6=&@E8<&CKWpDAt zLm}r{1Gell*HW8`%SmSvs-0k*8YzvVx5f}9^Qi$&IavzqX|?4>)ET)QApdxL`$tG) zFV+X=6{{MJQ*sy)TZ`xs#8}WSYy(Jw<3=TI;QG*P_UBTItCCcEkVmxW`S8oYivDgi zFfm2ORXeT0>vz|}7D)V|A4q_h-!CuP@dw5H)b_dj<#3Cgrj^+4<(H|$aa*zc>eLm( z5rZH5uG-b-%*s0OVW>u@@G=Y&?G<%( z5~-tyN8wILx<3#j`lyw!BRy!Ql3GBj!G}<3C4PG0y1|T*d0zPG3i{Cm&b#<> zT?(o-bbb*+*-=;G;Uz4r71p~0LK6QVukx^v;-`Q4rRTJFWl028}@5 z`{$y5jIhUAjDEA5P5Y8n#E6n(xODV1c?3RObxM9YgtA&b?}^XY z8Su{+h1yc}xD~3zM7hb&V0L3$2(70XqpC4WBkk0ZYeg>35SvcQK2u%sZP4Z^=hOy; z$y>n>@59oq%8(8%i_RkJ=Blx_p!Jt3(`ghS5y4uiA|L^;@?7_)M&A#bBksC2BG)s`a0W<1w8>{f zBZBTGQKPx$qtvX^STFP&N^b4OSUZ@+$-z_77pRAsW@d6+88*10D5xM&!2srb6?p5q zTO(*Sa-mU(dY-uVDp70vNyVy#LSX4&X=cl|-W+_-!zy;vyeAWZ8+&SM2V6hr--#=~ zm;3Wl1;90zIVS)0wyU{#upz!07=B**aBhj9niim!~6UVyPB{W(*c)CPI zmn~7!@n-VU;Mq2jOxoJYGSWWyahkD#N9#2yFYdaSqhjqZ7)!IY%&a*Qn$ADmKj8j_p+g3Bh->K+O3KqJi#M zbMr$lmYy54WoWiaG|et7z9**7AxeB97FmIc^F@#`r>GD5PN#PjhPEaNMN3S*9lH?U zPl_Uv{FiiBKmF{6bzrTpXZh#^=uDofYyA21!O@;3EZ7cJccj14eNb}f0{UyBTOh#t zs*9Er|8txT>LWhu22(|Nj(@^nMCZ~nBS`Viii}0OHOGFxBzlQ4O_JWMSoU2ULq^p- zD%=^8JN+DH?Y{ZTL??n;^HLRsC%L8xf#Eb`3t_a;6O3l$N~$K4b2+^g7EHcBs(Srg^W6fGh74H+{~ zYF!iq^z^6YciK@9^|6e2@8(!c7IdZGk^%Cu<{;`KdpQt@JT^ zq##K2P`^)T49FpOTJFnqT@cW%@~KDK-Z8}jtwQJ|fTV9+@gqBUMxV%Uj=oiSV6Jp4 
zs1DIj>^#+Vf&-9^TXKDbQZDTjuT%MX!S(DbW@$om7#Ob@So-YanSEHe2WQE9umQKa zr4t~u0mm$?ojRGJbS0Y7E*4l|or^E8N|W+cPGzWECO)@(WyTG+ny#ulI}W{JOXmHDjm|hO-27@%`Y60qmP#}>3#>XEAZ|kpt1;t(wm&#G`u8ss>)*&|BivpuY8(!+?!NjovWB-wMRPNyE?>f%6I9GubrL`a^w@k4_7=1=xx-L-?42K zNTpV!&Ji@`m7o_p6-1);ly=%;QmW-fA3iQ2N69wpfIywPv$Ccwl_O#_<$@rF>a6iC z2XLZGh%!-Je*&d`l5`#2qI}Zg^`{mam{KgVEB{mEJuxy#dS1!?JLojELcrR7K z3Bax%r-Fn2_$s|oN#3{OKGmk*ONX8aZXugw3u>wI0!sBkdbdZNFB86$M?rINH}f*KG3d&w;$Eq!2-mg>BUqaGgPwXH0h*10S|d(! zs7&O0WJ)9?mBq7)faD`Kxq6<2CV58n08TJoqFToDnGqP})e-!*qnOZf@+%4w<(~tG zuo3cgSsCtVAA}`@&DIL4l3r-x_E-oR(k4Mbo;fL}4Ih3c^?lc1E8-+GNcUCEyZq{? z(F&W=Aumb}&=>8EB}RjbQI}%isQN^=vG5^~s|`D#I`I8=&kJSX1u8kIpHIfs_;8^45=VXhcFKUr{Jg3qYgtoOQM z7Khvi-4MlMMx-mx&yd6;t<+p1)kl)*5S_#Muxo}6F0VN|*cRdn2u~l}KqOoowhk>2 z7pp(HHCVPdNzER`{%mx7IAC?rw*A>2BHnd&rNRYUT|ga8+pKEqNd~TM*=ETDc3XAM zQj3I#Lg{Y7{q6Ghp<#BKE|;W08`N1h3RVT0rDlR!ENgv$q;*|(liXK%BbYUYwskfV zaE1q$-_L`pDE(7^wM1VfoC5BOWGfW^yhrpJd22a3QwWtMm1>Kg^1xmnWigG3l2L@Q zLPOFnBfD(_;Rh~8Ct&XOi%^{GAL~OZn z)qHv{CEfFH8Er)HTPHA_3kwDoA+2{k%>zaqR}P0%*$pF~3s0zACN;@~Q-RX#(o;Yb z)ye27;@n5Ly<9i~(RgQr=R4;*w>BT;)h=~dq| zC;d|$K<4eJIm!maO~(6ufR3GVlXlB_UQTF?9j)jGrp!<8lY^BlNGE1wHNt9iq`>&; zz2qw-u7akVOHIA>j_WSL#hr2}TvLi#r|t zFGAopzP)!VIr<0)xyQKL?gp9HIkQSk-@St4+furnIX#E#A{buBIAS9b2L0R<Hq8l!f|1tGv@}@fdujnfZr2l)=pfH zrqk;$G&rc+@nJDmnZ;^<2fn*LL#8*nDXyba-f#4!j396YBpO5HPWPy6A9s*B#exWi ztQ;N8*UbUT$y|L~<>y+Kv)h*M9n|2@R!)YG)R&+u8?ZUJg;*6Kd2y}CUk+uFI9~g4 z1@RPphTn;&?hWj!cS$*;ltO;fA^Yrc6@)X^grmf<`EBOGhw1JLrc5{I^A+I>zW;Hh zI3{L?Tt4R!1Eiq*1=?a?9=F!*)b*l`cH|nn=U6)wo%eYm`B(c~SCNcvuG&@II4hEs zB)%9)_pD+NH9Dq9A7mWjBa?y#fe-*mgKl`<638fN<}q$_%hWvMk#oLiv2A&Ym{UFp zL^WlVCV0V6H@LRGRDtE#c}GOFAEvCj$)k=^xOk9jz>XW30M*xJJu!7eo%1Gx*1BuV zax6Frs7Cwrj-~v=F#yM2(A(mFZ~=iO%~r`nK^kgXYr4fa$0or zFw@M5J|+e3vm~-8>{IlGoscR!bB`2$jSh#PAk_#eqOjgeH*Z#LPn+`%8LX4=uhRK2 z$kjg_N~Xz?8ZMXQZTG_ili*4u{8TyYbCt52!4=12`PMNpC79EC>X)-Ks{Ml4+eCQB z0?{s|d2%WERsB-sbwFV8PgU$Imij6tb8N9=2UOzDE#k_sv}tAq84#t{EDesrTa+Ks 
zeiO1q;+@h{Atwu&en^m5opu8qirCx(bZL25OrpvtnfpN^v6}F~tdw&C3nUnx7|r|fQ3+*M5}1sUp&u^LL?RPVuCWYQ z&+IRl`9eb3t^#r%Gu^zNo z7t|=b&MAg#H)uLU*4^!q4IyDe_Ha;jJyuz+b+_mVb2^N-1eB6rKDc+W%r)K*P!@N} zg2|L93wP}#%b)+`u_fHtkKloqW|!-P^~|{?vg#JdB6{(ge>^&JKr?;N4d6=~JxTnA zQy-rFdaj-Xg6B2y@k|-R#XZr_`1@x>QhB+y+QysvTIpVjX}}n2@;hb(2s*G;@G115 zUflxoYsV_M@UR2MuKwwju{7@ix_9zUx5Zi@t{XOyR!T7j$9o}MC~m6UxpFz_O1epL zLKiUWgdyuZzshxcr`&({xuj%Is%7y2+Wo?WJ(v9R z4`~bGl#FSqra04Tg!YqxDdNojY*KKU%qt#SqCto1JyQ@j;<)+wVm3Pp<@GstfYeA7L zreuIDko<(0O08&7mF$urdMSI<%opUD+9td_J1+iJsCzekx5w@si;HXaVj{H?Vg9wB zDihqmX$?WbXPu`LB_BV29!-X_rGb|@{Z(AMZ==&(5RA37jGs4GTI=idntte2WO`Q* zO@R(S6AYE7j-Dgj= zRXP0phhdM(i}S$yiHNp_zYxV6>dCv6lOsYPe5y=+`Tji|s}*FG!*P@Gf=@nM3pKYc zA4~C_m%0`~lu#p2LdVx>EH5}5WlSAf1-1|pR{`Iau~@k8kkZGoH<7Q=c~-lXFy49U zR$Q7_jCxniaF`!L(6Zs%Q6l|17W}O|_{|ZU$|6(&)3I3f_hSStNV~i)!D^SC!%qja z`&Nn}C^-{Gs1>BViPGpomOByMr+e2CPKhxq^+@WyCOzTKCk&UwEVNuKyNk+P^dhCl z&CvE|&0e%dG*I{KNdvP(a-T?bsj4R^;8{4dLLcCz`l)5p=B{SLxH@BJ^G-_3{`NPK+owS)UJT0*Y!+OH^_G?n~r{g6_uH3nk zTY%5fEJS)ncYGl-{4&a@&cSdileX^L-W!l8@da+oYM`=2<{HgkTF_lZARrsih<$~~BXNEIjVxB+PwJ)<{ z6~aBJ+;dh|7I9P+mLaR_U0lnYaUSnK!{M$Mv(hfkOQODh{o%UnyC9$$j7OE@2e557 zP+x+qGA^egfTn@l>K+x`Lcn?WuJirq#lTd#^ku=;GDG=#!Wa&9g{RVxK-H*!e2tNy zMBAYJGZ6*kv47*L2)r=X9cf-Wv`Wr!6Cc^NTihln(=G<_q5Kzw;@#E{3@c9;i4#rdEam|F(*-tQdr0SJW{wYDT69 ztxM02d~{qedVrm-w2k$dkEoIKkQ!Vu_+3CN#h|dBi*q9_3l3ro*|XRON&&747DJ=m zgE5%yMESaMea&b?I(^Lm-mq)djR`~Aq;x}GD_b{6FbNpjRMFRs_59Rt2QQ$oRwlOs4_H!sBp-*`QR56zv1Q00fJ8Fe?V{tBj#{_ZeFZrd-f7 zl?et2Bu0HIZJO!4EUZRii#Tga6@!{#j#a)nd390s@;gRe9U8#Mvb#k;shUt5rS_GXwM3+z`?4IeE3j^WX~ENW^~e)teb9MO9W zE!wNDe@)Y%{qr2k8BpK8Eb0nZ8wCF#7N|u+02ih(s4;^X)piI>-e&YzJ1R6h@2}S& z`FJQ=I8$rb%{&ZHPon@%hW32P5 zqA$Mpd6a6V3mIg4(AO}C?>A3kax;QZa6V^TC?WVPmxb1Xl;1C;WTJTM(A^104!~|v zOjIs>8f_(pXdQTs&meb|_n8E~h##GgT}Qh-Qxt|3^-NwsQRGg8?l86@r1IMV06EBXeX$-GFe#Ngr# zZGbg?q!a#d2BxWmQk=+Cs<4gC`r27YL-Jhxxbr%PUciLcp%{U)1aVz7X|fAf!Y24E z6uhSF*YX7+GFc`^DGE^{q{aqz(;umizT%p|dW^uh6pP+FClxusau*s!j8ruttFqG+ 
zmH8Q;@QTIcCb$K4*|@<&^r2{TX=l3swF*=B9v_X3@|tvYEhjJ_w~-u()0FqhrD~{y zIGvp>>Z`XG&OjOLp2lkMwp~)GTs9MRGL0;2Ce0w#)c7_@x>&EF|wXU-~a(~G!rg`Ub;90x)t-8`scQP@umHFOFLjdNoK0YYQXac zIi*5wOoO4I(H-R?=7V4oyiUEz+V+%qZ?_1MYC$Dra1gAeQ-QD)>nGSO&4VXObBQXu z9dV)b-B|X}8hvX(@l-aM5V#TUc2L6Ow{5Y?{mhJ+HMTf*H%muMlIG7@CzI8 zv1GD532XsmXAX~arC2Ni+0ni4-{}{eH)_7JalGtQcgIBNo^YQ7P*cx1h#aTE-nnb` zxPaAWjw!TCuCtXLUmJ7XlRKC0_u*I0)m`d+o<^+eNI5jCuxB)+xS=$6CB2p?#<7RmUja6gH^G5caP!jr?1jQ&IPNEo+kZtywPmb3T zb5@B=KUtr0L!oidgL~9u7&m~~AsLbcshiK3IV*-VhY7Qk3mUy7bj2&=TxydPD1%1V z)$XHIt6?YVw0VlOY>$u#Hqz$5i#jm+_RMNvJ}ZjNvtBBNCG=pZzSDav(P^inXue}B zL%nY6YHazwjM{~7o>oI8I?yZTY}&ZNR6S(^ru%{T!&?5H>1FHQwPMWKuuG`&ji_?d zSKgG}P6g9X=;3<~lgY(+j{RDgPn(e?gR0{jN{{bG2%0pA!onHd@W!ted5A^>V$7+L=+eZzVEI+=}??Jv#CFR0gB z@jv1H{*-M1=>JZD`bSs4&~v~x|7E`4pGdoZlkfK*T3-GYA>`iy{23bqIZ#0M(;M&U z5607JK1i zkNpo=AS>q^>kn8Dbd|6I;eo6`pdbs-ZNmKKS9#;_0U1avKrSCM3$P6kGWgbx6$mzD z0bc)GJu53vH^KnifX)JzH`&Wu8SuH-fNmBxpfrXJNLFJ3_Rsp}bOBOt-p+k7GVEx07e$zJzxRSf>?pq&jP&mUvtU^oD1N5G6ToL z@-~0KIwl|sk>ibl_%^q|=U@Te%eQ;M0vsO;5ajhXZ@=dG%`x+aLj<170-RSC;5}dl zvfw3N zXYld;$B0B3N#JOJCKup$%)eo9VI%tBWCwmMs1vt!qX-E0L=5TqN zsek$8V*h_wTxc0t=onc3fE=1Rh?%(>8OoVC8kiFO=SYd-%3?ylR4%`6?f;81mp4ux z@LSHz#_%6VE+D7(Z!k9?yA_DS`$r`s@J&bmH&`O@bBg{iY#!qqdGRmt3**0}i2Z{T z_Rj>bw~yyHW19ypGsADx7f>h#gsJ}fs4ot7W+0pNzli#xa==S13>f(ySeMF8ceKil zGHu^Du4F`Ti5!S*ZdQtvbRtzwZ)nWAj@=;W+3%r9A2^TP4?v^JNmGPAGdR-J1{=uk z>q4~34BcBG+_r6ef3`?+v*!FAvQqkhkv$jtBn+Z>Zua@g+rnpbeE}}TkYpzbpq2ei zI?+gFe=TPC;aJ=z&t{=u08=yV2K8kDyKCi##WEn3Gdx=ce75NPlXzv~8D(*=-qLbP zkLQho94J2a0h@KhGdeF95`2k1%GS&RXN-eSB$E}3hxf8@?BJRRSYXo=dL}~3G+A`7 zYus|Lj~lp17If^#?^z~1=w0YMPz3dYx0c9zr!F&do^Z$;Wy(nS#m*yTrDpM`lL9v1 ze6A46vSOOysIQMbDR}bekqbJ7Y;FbXav$ksO${{Tm;6=PReUM~?1nq!T$iV}5y*0{ zcPhoYSjN?<@%FE>aC2%35?EE(w;eIO%Vm;haL$WT>x6?hp5wWgxSqeZI6|@%Al2Dw z0?-ZJAFp<}KDRRg7EBZk(zi3{-EvYw49=20eBm?e>xekJ_?pZV?f4xKzz^TOden3- zcrib_RJV;#>sHg;`D#AJ^fse)TmejYf2#S!Z+jl9Gp%4VsK9>&BrAE0`f6DPiYQle z$vAw@rB|W#RE8i#{E^UBg2nO~F;vLttI5uwSK=!=8RJjcAhpS)etTrdz^m_|h{0_H 
z`4pxLVoK=FY1%McmjyxeHI^(|+XK1|6Wta3>3e#1^*!SJ5P-tWLkog@X9K`#zym*j zpd53}W&lxEceEPaKzT96_p#HTG1WmId5}+HNbpD2C5hnNXz;ul7I&+g2BCW0QLJRG zI8iR_Pbj7xn{g8o;<_ClO~nlbj$(erAE!l1;unGxC+A2B%lCi+Zn7x73uM@lWwHg% z4qT3!=!J@}580G(^WE#Lq8SBuyu0^A{i^Snj`UY47T&tEAlmnnAZQ(WJZP zwQR#jGq7Zo@tMZW^pi<6fGCkk!@biw1>{qnjs2G>B%bFeGZDfKLX{)u&x6z_t9KWh zY&vwkGt{F=L-APoASvTgs9RL9c+L>-4{A;h*(}A1EmjuMkUti_gUO!gBYBjJ{Dx}Y zw`JxFAS%@B9qKC5Y7|QE63X>zdTDXZO33^YIb#`#=^zD3BmAzxo-kPq=L4v5Z3UDq zg<=2V_f~&?oR$E}y>>aKz9|lG6w{`cXut3iQ9nG8YOx>tcL|+JHUIHaEKMJL)o(VY7?EK2UxY%^u=Hh1UsY$ zw~^GUOl*Hl-8pu%6dFn!C1IYhK2~qJ{(@{IR=l9!={ZETQ zEofAj@S$QY@!D4r12m}Livz1^G^*0Z( zLBu=*VRW#l&s+s^!>cQLiHOP)^3<++gaRYH-6Qf~i!P>`UIm)kaM_^NQRnC5>7*B; zW(_TI<|$8_*=A8JaJwXE{mLsnhA_!aw)lqSgm$wdHs?xa&5QfK5i--(MobuV$N9^6 zgeipDjdCwDv;iv4bs!T6M_U+@y;lQ>SHoRpNb5hrvQ4Q5$dP-Oebs0`hP~WFnJL?1 zS{0$+gy5fMe(fhWKoyeu${#3Xl^`52*#VA<*oLV}Av;nMvvLDVE-$yuHh6FMx z+w`qVhbO~<13gXvTF&-70cLhhe$H2-K@T5RW4MUw1j?X5mC_3Y-YS2J(p^spO#kX7 z;--%@);l0p#5C3)AJ?rQ4N;g_QtL@cN)BPPd(pJqIZb5c1uY~irKHMaxZ?9?HTQnr z_r?sgWu3$k?=$95Chi-I|HziVF(^nEE`)u+t?fub|JvEIrra4f)irE-YF_x$Uav?^ z%#sNq=@>LS^HQTTx|eCujbeoO!|MZBG5;euSRGs5M^sBGlcs1X*M1Kb4g}s;!vYZ% zp-sQoPo4#eABL3&mqFk-1H@{}wwLI5HjZ?Rw-6TTT1(lWpznSlg-I|%ia=uMoMcno zq=&gO;pDG-R6usUm%3=ror*G4AB^j-I57Pv=5=DsQn>ReMG$4%gSJ~v&DPp3lO7@V zb@NO2@Oa84__iZm6*=TgO+#);qSkabS0iHlamhwm@`(C*=S93I%T5=Z1||pY8tbLb zH4qiSMT|0ju#H6Nn{y7s^YbL?`|Cqd+cM{^C1o3ErJ<<8G@mFEZcSRiOePGfHI*U} z^;f3y0)M4wiY^#_>psG&YGplKuo(aF>BqafL$XsA&cn7M18O7)fv^=QYNnncZyj3Y zJW^L9^WZ{&R{VT~kyekvJ6ed6YtFRHrnqwQ3?=dg$oM*PBlc@42WbqPFf>mSs1j~l z;4fj*Ezco{B8~AK>_zK4NNKB2WI~6oEU5~e4V{cDvgH~-Jrm5%NI(_esO&#Qd-5;g+g15K{#@&fD5_; zciOVn=$(r^H`gydB`>ym$*Ix|`9IArTm)zdofv8lIy4A3?*rrsrVTU#DFDw#h{5tD zAqj~N+B~x#)`I)OcDRwetRVX`C3!g1hnC$Q3r3&nz%g+F0_tPBt%B1*=-_qcShqu8 zGiQzx3-XY^UI4JUHMN84OI;N$q&p*WC~}4^3|frveAya_oP%K4i55CVL~WK@Xbkc{ zKRZ4rTM@lNUe?P{q+3i_q_kK}x3M>))7=R#MUr2jQQx1g8jJT4PYa}Ze`6A3Tfs|P 
zhlhQF2ixBZ7>pEE5X1_zkK|3(>L^d6bV&^No7fPQ>*~1Fjq5uyorQ-#T<$e?-Si*>QHa#Wo*_fn*x92<<7iQ+{>HPhr&2|B2+9Bt(Yk> zccHrUY*-8Ul4Bw8X!js%7Z?Z!GAI2$0QkN3F6Zw?lZ($c zBK%kdMTn#qBA)Pz<;0o5qN95&BSE&M#_e~{d$bX#msd70RURZS9`UTkbIOSx*fMa>yqQhkfKGnE|{2W zLHuJMaJc>q(*6iu%8QCJ6XyVmQ=iNFp1=1vN4>FgONIvBhru9|5+ROpXH6WC7%Cyap70`^_G(Y6EwEJqW?c#B7nbp<$uLs zZ>KUdv;DQ;@GA>@EB*V*!mph6t&sko5|h9B|GP^^@DE8mP+;?)RtNpgf&ad=0E~A2 zp^#_&kK{rBB9i!b))xK6)`m_PnXzJZDGTk`!&i}RNH0u%AKbolT4Uy1gc z?+3WOwRziqCCZ$@wD#XfqTdo_7G_{N{+2ZV+27k^4q$4_34B$(_5VAO{#E{#{=U@% z_rL3YC&j<|`15?`H-q{AV*362dEWNFQg2{iEN|EMwgJcaW-9+R#@U*`cQ>uvv5{>MZCmmh%f`tP#03wo=2 z+kW4Ox5)i%GJkLXh`w2XIr+bezFB}#;NOyNV7d-W_y1M^oJ64P>2C$VOdS}W{_%SI zkE3seU&;5snS1|}xtxQG;lDfg{_jh@fs^!qCG`GN>hoX7yH!PGWrUS~nSq%8pELsj z-yie_Hda=8{|L1I*KOv&c>JH;<^Nhu4$Qd?Y%GDM``=a|;1U@9hrf=1HVx^&j)1z1 zkN-FVew_SGLIV8M0P2MPQTeaJc%b3L^1n>(fg}9O z$Nrxde*C*ZKFeE>4_xpA{*vH7%<|HIk#=FCtJy8gbXdlgRqrIq zUHq1QM@Mt1vSM8?d)%Vt2U@zoT<^J`_hr(8QhrYIqXVqf4fnF~xBH~};I$-SMlT&b z_yw5g6iE~tl9hFayBe33R7lNmJsRP4Sn$(W{oMP z#bUW1;E9DC(#)^+hj}=kLY=J*bVPePOv}CZO*o^${i-~hWvE_Zz0_Y*^(GUGCAQ{0 z89x)mB^Fo_2Y(VwiFU`xQL~ln?#GoCR{q9*sXSZ5K9+Q;WO9d?lZ6=Qs&gGa3gpA5Dzxt zT6cs%g&7eXJ&Oc=n!8esT@ljjJ$@!-w~Yp1NyJ}fH7$}JB(Wn4a;qY6Pt1yB&>^F8V20h?^WHkpTHR*aEx0)r09u^sQM}Y{zLAWS#EulVf zb6P@uf_2WUgt3FRX?zBBQI7L%po>`AsaNr1w^~Fm#`RMR zvhUlKY6MmZVqey;&6LJnuS8&MWrvJb&*H)_gbSpaSpwnn7%1&;20g26M5dm_S|QVtm?eU zxKsv%`3bs#|Ha74@QzF+%|xrOG~C@z;eO}&3e``d(D#CKj!Q2D>BaSBPZtQ>aZMhf z9c0tw_X~*izons0rwFN75p0jLlPun}q#B7^Y}!P*U{JWH@~JjpN$`r_E1TPvS_)sxxw6;3kJAN5<*DG zWB+82B}es`*6i&r)0vm96&Lk4%vhfKkC_nToUD-xsYD-9jl_A)xAiDQQv*8J(OA(z zwtL{cFJ(s%zPFqP5(m$V5aOUl26_2iXp;A`FDt<><$e0r^8V#kB24TcA!$6>2J%kU zNul3aVfY6gA-#*Sd;|14!QE>LRtyhA>iN9j5ta+Fvi^}26+s|cJqPI1&8}fw(Tpvu z8foW%kC#XQha?!w95>h;k|-!&fpWQLtzmzqkS#lg8myR*z?lyWHin;1W{tq&`@AR0 zri!4$5IQ23$=JbEckX#TMYITBml}eqH9QQe4K=D*MMeAmmh}pG_DzeS&rFg5h$-OLqr60)p<>iuRk#=3x z4j3`yY7M7sToHTE%wK*+3zlfrE-j=xD6qF_gLa^)Yd3;cx9%XCQH#C5I8>xA+Lw_A zCq~U$jBYL#bf!(`%InW 
zlp$1E;21ArenH!X3NQ(USxhVIX_viEdd_L>9*7y6z z=dNX4=XIZRo?-82Kl|DH+56;wQ}#dI-i{~7m{?N6ZW2vz#ra=bwYk5krh9lvdUf9W zTL!8}`NdD=LP}ZLSrv^FZ;*-M`G3)z51w6h}y3l(W2S^o#()- z+pD6}UgSNDJatq%aI9{)5V!8hpvH(iL-)&#U{T&T^kbT{$o2cz1$N4}TXLxlaOGs} zm)YHAn_~2{=L!G0D&vDH=?Oc`3{$%eh#4)VjyH}RuN2Fi;5YJ_HF{P2#!F4j=!S!u zWBIz7Uk!Mz@_l86`Qq2aFWuTJ@^YD^L;Vd~Ph~;E^V9DXylR@}oFGMWE_@a&*{+i% zq5geULd&Z-%{f(m3I?y%tLA%U%f|e5?MK|08AZ7(`Dc)69{-i57xL@2JdlrgXJxDD z+qG$)f7;q{rAj_qKMfm)p~5zo<7Fk=R|QnzCf1dU$NAw^gW_&Pl-LVu`rxuw&a>6J zeT?s1N;U7tzK1W;4|J~&dPq~+#c%E5-q0%WaHnb+&G5>IM^p=W*=ft>WuHas`+Qal zM;i28aZGnE-9;_-KO@>B_;N+jz$5+9y`eHPkC*2MsNskCu7B8+7CwBcEw-v{!k8es z+eYl;dg&s@t8%SAO$BL1jeOzdjvAt|@_F+m#*X&8-I1|vKW~zqJ70UH60Z4yuCbr# zDgNHh*O&o>O`ca4Tr;px=+Q5z16>FgUEiWpAN$PjdIllOhh^rFUgq z4hd}f%(>mtxmhmrNOZSXs&?+O-4ROZI#m~NZ_7!quG!yfn^h3AlkcMdhhDWm^UZ~l zb2%#G4~^u=xkTdffGU$k@s1%{xeX&8*JMuP_mEUq94X!-%~KX8oRjci!Aa9ioO9~p zg!-OWWNxwS%~CwyUZhDo38-G}O_@r%|~tcWt@8hKFom%OYcKJmv> z#WTUPXl zaJDbr>&@DE<7Qc9sb%JoBS9wem07#OF1d6U%nnwUfHCA#A{@+klIvf3El1dpwzn*P zh>mypbSP_?u1>Aull%Lh?f#bgS8CMj54JWWrSfl@2IEoV`C&#a+d|D(`V8#8>?k5u z^W$?!nba>4Yl*H9f#GeTM|GboKH?YOb(`P0IKXpcza%G}9UU~{E=2(jEyjXYfN}A;f4l^DvLBTN&#-b9bi~HXUruuSNul(-sfor5` z9g~y38lhn9FlroX6PI{BEP}T5{Fze4*z`Ez?A1?-qHUVz_2fU-EXoQde4jhYpOdA) z71s1dyzQgB(D3-n=vQ|IFI|xe2-Pl^(Ee4-l$mE$m5Vz`Xy+bWF|Q0CRxX^RxiWgR z!njIBEB2d+>(gr2*^Al>Ui`JLh5zmwTIvFSvqeSE=0s>Z!NsKD)R7; z=2&hF33|BnY{UxKsu)$GaP&>O#|y{LBmJgIv@>iy}G zF?v_|Dht-cE;fIKTP8P{@8mov6(3^Scjs1U%&Wr2^LFBk23y4BjK|mDtvz-;^{MAd zl3BcY!<$1Bj*;{`{3oeq%f}r4TBCN+HaRk?AS<*)uaruedw;Sv0v;_HG_OlSH? 
zA;>GVK}N`EoMZ6mlP_P(eRGpMG(T83w%K-Qh% zg`q>sjXw2<-aT)#pwP`|@3MFfUR9pNr^kn1%`-buvapS*m|Jfac;5M$@Y)Ve^&qZ1 zy0*LVZJ9?ML1NjWsRfm*Gqj&?2__jYE30k)DsjOwC{^rNdb|x~>5<+C)RyDRpS|v^ zUiIZlc0qRPV}%Y{IsbRn#96XiR9ePjqmO+IY7;iSN}1)8smIg*IaP*mS-XF^*$)?k zd)?8==}`i6-H74RSM@dSe)IS3G<@HhBAPd5et+2YsB6zc;+n&}hAIZb;iE#A&fhqe zTBmvV%!}~^&sghNKf-;-HecKgwSC0svBH~Mnv}E(lDyTayQ36T8#JEEx2Ufo6Mu#@ zjdBn57Zlqu@Ab|%c<3%1P?VypY8$k)c9&kQnq%K{#~meGPeye*uBp-Cs0evL`M_Cs z?rXcPaI9&gRAfwO=jYXZWn$-pE$ZrXbMFX9UR69`l=$?b?6N&pvj(!2o)eCSaecTX zadBg`Tf_6Jf|KM`t!>pt!j*50>UdAc1onIG(BM$8d+5ffz0MKPqb{UW5y6ak*?MsN z=3CQTLBqax_HV?$lSIp11XN5slH4cmpI?~sc+-u76L({`7VSu}8mP-D94*_E>nFmy zNr-Oe_SkO7C{(~wYe9$Yf|UWQ!|ytr#T8xb;1-u$XRlEfv?4?&-{K%SRgPEFyxbu& zYjojhqqGaQiG+F&u6GFyIWoaI!=dtf+PXD|GFKl^-@f>H@PUd=_gp+YVuqWai3kMb zaoL#e8nZOI7+KlsU%kc6MZ7g4B5dSdLXE)d3WL7eX?9n~EBD^6I=Dwm{mLg%d*<9D ziEEE%Xr}qgY%272fSjA+jpbXuUA$1XVE#aB&C>;xqQ@JSt&7zDwP^9no$m81Bxk!y z?p(Y?iARSp$d_#)T7DyT=>F+S-0@pgW;&89w$`07TBTk#(Umvkq29^;g+YExzR+?h zs^h@J_85y}&%*XcF3DYTtj}n7qj0@)9&=(mjmIF;-ui)G?bv;x8nJe=t5L^B&1VgD zEbjM-q7p$2jXQ-w$@!wes`dFw)+y1W#2P* z@@!o_pvBy0?OgCu;Dp-Qh6ApxMp;6fDXJvB ziBC`Yg-cfKq@;8Pw}0?ZGAX;IXO?_R%;&_%K+PW(bzv2ZTPmd@hTii;?n^u0?|o)f z%_}PFBq{Stk{T}yIY#Iy*8=vFXQEqx&)Lg#f^`L+Pe|4jhigD7TB}Bd16S$Lsn*ViU z{nw54Kf19dE!iwD6r5O}b~8E(f6a--ZjSp0J}j1H6u;Nr(;e^bW{>ywb7xsP@m}`6_HL6F zP5cJ@CcHj`f!Kkg%Mn~%uK3;H?()QY<9*m2UXw0_nGP?+B?W`?|H0u!0bd5o&+y0L z1wjQY1QqH*fk1*u2gJ0)Yw})%Nahfd06rPS2?XybMnWrSa9|m6{?HI-4}#73ra}k= zh2@6a62Eb88MM4zV|B&Y(?luIUeh%_K1HwC)l*u|-_ro&~9BIe&H&Qq9 z8xp#J{IT$944f{=ZwU6U{!Q0|d?U}MK-dQI$Lb@}U#NrCMi^HbgrXo}8+352A$=et z;VckVK_`OG3Hr)_XRsV($oRl-tY?6;kP2tNk!P^R5AI_^c*XSp5L))T&C_k4ZWGc6 zv<10`^*2QaCgS^=F>W*b zT{At*Q=uLdu$Z%WYC6<|0ygs*0MHBCHv@n{1wYm#yZul8E;>Yd{44%066Jq6&f|a6 z-$nmF?(fpuW@@OX&GL8A|8M%cz$4@o;NfKd#}x$;Y3PU#2;RbbxmtTU{q_#Q97n|e zpKG+!3*x!(n!kSrzc*g%&lNmQ`_C14q1ODqg2{_t_veb;5eE0^{rQc}Ed~MxZ}9s! 
zh_1tL`Ev!XE8{;`@RY5;uP`1nC_CBBf9Sa)Plli{A$$$w{6CIBK|EK~|1<(cah8_j z%@dmoDjIL`9C~qbmTTI>je8W|bbDDSZv$C1-*c756O{3y$ecjJRAB%ou%LKrZyvHdunw;e@$<)f&3cdcU-TRb5xr9 zUayP`rO~(PUT`%DKb$X1UT(x6yC)-p65i^^A9HF>>(fK~UBbDGlwN&xFY^)nafv(W z^e;;;i=b1ed~tEyyI%Etej2)1Ew^S^UjOqdTaCjdo7=`*X1kp|+hpRiPK;yU=&DqsKJ`5> z)H4fO-n1%4pREq%%Q5eMeOmJU(g_P0Tra~-Fg5YP&(Z65c90GYKDn|n#6LMN;mU^` z{gPa%&%>A6f|!h*M#5{WGP91~oV(t~t>pNSPVR>Fff>?QAFXcEaX+rSpBCd{{&lm; znb}{Jryah8|W6|K@Q0r}X;xAOKcP(~aQ9oPMd7sL& zXEIf14!pQ)h4XFGskUD3*1wY>;;CJ=Fnq6b@*Ne`Pu7c7x>FX#1eO(nBnLWXRXRJl;%dEKZb77X-9n;w(xosf5j>K(K4(?6f4BNRtn5!kRChzw28QU&QE(-+Pz(Nz4V;aAlaoy z%9F__A3VK9c78s8mC2HPy#9}-(~c+Nl1dxDX`0z`?y#=;XcB9G;E=dRiNx$1*N4&` zFIl!Ur|SvfQC=UeJTcceI;lXd8TZ)c2$@?Q_haMS8x{M03htoKb~)D<#0X1paI3Mq z)r%V}erFciJLLUyIHchX<<)*W6$$y1e$}dG?Vs=3m2J|p&h~s#*g9hL(OmAUmGuM5 zdabMp??YqnU0X<;=jrB`Js}_V_FwOIsP z_2|^wb2e>WHLGqmufi=T+}{+)RYA}C5jlYGE_bmbU%9^CO|0%B>096JA8OfJfk$sH z%@Lg|b?SU|CpX6&X|Dv01dpt~<*J<9r2NY$fhq#FcAmri$sG5&U%z4Q$L$~EW0vCh zEUFa_S_UJv#b;+HQYLZJ=X5<>w?vI*SLzm^tG91^voZWl%Uds{M>U+hH z(*_q?N^+jL*m-r{ub_034F=5xhEg&fZ#70rOL{dfbl{&E3~9U%zpU%5++7kA`%*JP zl+YD=dccxnV`Fi>+rUDdnvbs-<{Lew8*Y@Wt?J&rqj;}oU~Y2wUfHjY5)2o$RouIK zd0+Vlg{4QI)IRDg<4I9g+9&FgF*Jp4zPt4I=(?GaNroH~{qN1|5mdYpRY-;5bmoJ&? 
zvo+|d-Q&46TN}<33<{gd=y-0Wv*r?UNGdQWiDDl81^EubNHz)22 zJxiVN5)Z7@4<&N{`pZy$j-v6Zr-niEseum?*E-2)_1!s7h`gAj)Lb9z^6pmlR*4m% z$u1fCA;I3lvDLiYb$7)R=6-5WUd&C23mreGXyY24cKzN!bFOAw?tsSNNbKU2r#3;3 zhaat$l5Gqxf8Y1Ce3OQ+m0WgnZ+ceBYNy`yX$z9V^?BhKZozfKp3Wt$8kD8ln?Ben z9tfe;Ze1Z;&-r=uOJZTlXqcPrKv6F>RrcG04swRfXS%-ATAwYm1Fo%T`2L{I|7Mz1 zSFW}6Y3}Od(N?_Q(=B}%84*W^4NiA@l*EK<$)DwLG|R`|za-XkxUruqNK7rXycb>| z-~Xh;n7iD&^ORz_cie)PVU_kH@6Gr%Ih`&wW*jdKxzD%b@RAAQ))CECOZNol_3PZS zWOD9yR2Pm6S?k9Sz5mG9#F^DRXWOF6X6tP79y@)q(C8J^W~tjA-5BeC zw(Yps*L#G)d~O4@xdiN2Oweo zrEi@dxVm&0olP| z;bft?OW@Gv#z!{7AwAkZ1Ji@nE-se6-&zHEjHBb5zQinSjjiw&zmqlB=+W{H!ZX9l zqbC&G;-B=Y3XQ6?bY;>)nBXnoRWBPVZFf55k(i{~Z{R9EY<}oYMc{C=;>M*x zVX_N_qv^@9pk=Uan=y>Iwh@*dpxagLMIB0l_^`GWIiyO$7$bXydS%zWv~^D)2bGDHr##tiDHuUypY z+a9szcENI^cj?+W*D`9dszduL?p&B{n!H79bC|K&%3P!#aYlOSm(j$6rQ}CO=^E);**66PINJi6YapJhwifO;Wmhv59y3_b8&#C4~zzJ3bVgQ(Mhr;#gS6z2Tv! zRO6b|>i0XFO!1NLGu&Is+xk!GyYh&*-0?rvmBG(TYFl=H!sdI`A;F@O*MhU|K02Lw zksONK-J+cO_S>n!{Co*6TSp#_#Mv!hxx?po%Wqh9dX9WpeY%g8u}9{$xQ#h_{jW<@ z#zHwe^ooS4{qJ|J!H1-6+~=_DNRuJON{uRzkdT)wHJCAxRbtvQhhH})azdRu;KFNb zKBt^CA5J+DS!&N4lS>6c6vx*oa^8A3nvNMGt#rgsz+SWgjwUzWTWM?A(sx565&Z%dLD9`R34fCX2o;6>0u)Tnw*j1Ib+0LoV%ssIaSaCh+L|T$=wTE{xHAPBDeY$iM3Q z+b@O7gG?tX;y9zxAK&^-Dd}*0KKU?NX7_f*mTP?+B`o^w+Z=9jwY!h$&-G(Sue3(& zdS-l7rR>M1NI&Y+mobAAj^gXYl$Qy#hSOF%i*EZgEFAM4S zOyf_LhUXgMzA2UKp6!rPa~k(vIcKE5^1_PM{L40U#5OPBlm4&A)tEbBe|%<>uh zYaSDbK451E+}rE92HyaGW^Jj0~c{IqgZC@wAHqtkh^viGj7Fy%)qgx%;?zOVDt518Yxv z_>Te(3zh+TqqCitggMLjECGgkz`$5O`89b3(If~+VOg+uLN21|%HRO}e^wcsrAM9! 
zrb5=&)D^2Q5HZ67X)HI*%-Y}}{C`#(cp#8!z!89afjN-%HQ6ahtc6^G(*eF_)`lFP z|IezMj2MHcov9%O2Le(Banb_--;>=X5?TFatCKbE(>!Y&;9(Dz%YTV_MAB4cNRlU{ zGDxH~`90Z9B7`Bat|{1#vZ(MMRSL#m)4JGYw{Y~Q##VFf3Z^5 zQz3I8i%*GQ24+1J(r~f9Ax>%Xd#a~X6om|i2tIRoN&gN>*(;r*DQSwPq$!$`rf5o< zqA3YWQ_{afQ?^P;Q#2(_(UderQ_|FYBu&wjgrzCs?E0s}OPV1D*eji)DQS|XGly?d zVEhxBk!K1Q7Ipp*jYT7tynu-~#TG1b0IyC-8{(umV6PHs+&`(31U~HF@(fkwBtJ|N z9Yor+O#8c9kURfLEmY{(B==1TO%R@}QDbi_RvKzsdt1A@J0fia84Pz#HgSdoWeMEr zs-lL@L6z$VbBMH^w?Kz>dKcND+37 zNCrPC8%AOnY%DTp{{D@UX= z5gM~$FfibYX2U=*5RmxdndOKK5*?8zY#1Gak3hDtVKgST%}j{pMD>F}fGmTkdI2M$ z`$ixT>4@ljChsIejtC=^I@hfL$M_Ki~>!2{vd{2Opf^!XQbr6UkFwkR41kD@O7GP5nhF^$O z(%;+*9Y)syp~7ey5wS7?>Y)BzIS7tsYcpg9M9$N&VKB=Hh(ty{zxk9z1YwB6h)gE3 z`k=}|>H#zcnl%O^Ga(Hq>Ru8NQB>KV2U$E(Z6*MD5xs@I92^CFaV(I{yi0Us; zl8mhS?9Zcv1jJwjM4x6aN25UcR1`)hV4nv=g&8YgKr|0Q&(QOY01ZUWSurdc&10!GH3>A9a zM_35M&lFf2(KMn^7#LYXA!GFyD2JA@1PToVFS^Y%5@w!LARPjxZ!{8S-KW4YH_Y?s zgukhSido-arosUkw($d+Q!#5iPz|GlP(aZ^&tD3ijFu$?SSrx#G=T~#4VpLLbR1^x zQ$QY|>wt2|_6Yg>mc>*utQHsyG#xZXWS#v)-3yC1x*YXy>Yy;uIwpY%dKl(jXf&qH zkZ~GKODc>N27{#sGcI&cDADa>fR2s95Um?EE|3cZgTY)ywGU`c!}N_tpkn$)gBgP9 zFD!59I%otkX71C7*!fEX7Dv+(Bs;S6WTO#{NW<0vtcD&x8Z2)ZjL1am@~~)ObYKFE zD7G9GNtKRj3z>?omx`qIMwO#eF}foSbRSILAPYHqOlgop7(J(HOa`Q6N7Vr;0|tX^ z@R&N7bTl6T&9QQq4&nvf7G&Fp!60P}nopq|W}gRakCCUa>SNYRIMIud2T%^Jvl8f3 zDq<=@KELNaorz+9?GHH0-Jq|JO%7;=nGpl6kj3b z(0m1^0?a-hF(07!3ve%H&ali3DESODCqmo=+ql5~h=`tVfDzF9L3kdL_6B_~n36CU z5*L9k$3(9cu%9NPWe$R2+5#9H-DZCtVmd_eB-{%V1XGUmH}%rcYZ>GYV%hDHN~UE5 z*g=SBxd9l<KsgL=fcA&pgMlz0V#Xe}rWknuI|B@F0EUraG|-VS{e@)}EnlD z4{#=+`UWrTLGM$Dpb}!*0y-w*VM9K@We#ANaRv;%-zOsaDVkp(8V{}eKsgddZa@}P zjJ%>VFgAVgO5f2v{gQ8@EoA(1q{8$Lpfj=bU9FdP%?}JW(%|~fM94{05BvUEBhD#hMqG>IkZlL zVA!^R%@Q+KU{gTT9MaCBbr7(!V)QixL;GS73@u*}3oTl{AQ)PXgU1z2#;E>+&lNo{ z!8nP$!i{}g07Kh?kaB3-17K7PEdfL8qDVRPx&RnvFHQpahiwbuP)4^8>%RoQIL7aX zU>KeR49RrOHWwIRDnPAKa4$x81j{JS|3?rKWL+cE% z$6=jNVe1F%8!_XD?CH?`1(g~jO8}ec-}3gfc6PP*#I0HdX$+kA!ihcPFo==6J94xQ m_zK>dhhOjJ;0{+no#}Vz!OKrsXCk0=G&