From c0ea7ecf34f7267ef592287af9fe80bf22bf5b26 Mon Sep 17 00:00:00 2001 From: Roland Gruber Date: Sat, 11 Feb 2017 22:34:42 +0100 Subject: [PATCH] 2-factor documentation --- .../manual-sources/chapter-configuration.xml | 2690 ++-- lam/docs/manual-sources/howto.xml | 12180 +--------------- .../images/configProfiles11.png | Bin 0 -> 32911 bytes .../images/configProfiles12.png | Bin 0 -> 17547 bytes .../images/configProfiles13.png | Bin 0 -> 6594 bytes .../manual-sources/images/configProfiles7.png | Bin 18625 -> 30425 bytes .../manual-sources/images/configProfiles8.png | Bin 17945 -> 24767 bytes 7 files changed, 1387 insertions(+), 13483 deletions(-) create mode 100644 lam/docs/manual-sources/images/configProfiles11.png create mode 100644 lam/docs/manual-sources/images/configProfiles12.png create mode 100644 lam/docs/manual-sources/images/configProfiles13.png diff --git a/lam/docs/manual-sources/chapter-configuration.xml b/lam/docs/manual-sources/chapter-configuration.xml index 7a0bede6..43015210 100644 --- a/lam/docs/manual-sources/chapter-configuration.xml +++ b/lam/docs/manual-sources/chapter-configuration.xml 
@@ -1,705 +1,760 @@ - - Configuration + + Configuration - After you installed LAM you - can configure it to fit your needs. The complete configuration can be done - inside the application. There is no need to edit configuration - files. + After you installed LAM you can + configure it to fit your needs. The complete configuration can be done + inside the application. There is no need to edit configuration files. - Please point you browser to the location where you installed LAM. - E.g. for Debian/RPM this is http://yourServer/lam. If you installed LAM - via the tar.bz2 then this may vary. You should see the following - page: + Please point you browser to the location where you installed LAM. E.g. + for Debian/RPM this is http://yourServer/lam. If you installed LAM via the + tar.bz2 then this may vary. You should see the following page: - - - - - - - + + + + + + + - If you see an error message then you might need to install an - additional PHP extension. Please follow the instructions and reload the - page afterwards. + If you see an error message then you might need to install an + additional PHP extension. Please follow the instructions and reload the page + afterwards. - Now you are ready to configure LAM. Click on the "LAM configuration" - link to proceed. + Now you are ready to configure LAM. Click on the "LAM configuration" + link to proceed. - - - - - - - + + + + + + + - Here you can change LAM's general settings, setup server profiles - for your LDAP server(s) and configure the self service (LAM Pro). You should start - with the general settings and then setup a server profile. + Here you can change LAM's general settings, setup server profiles for + your LDAP server(s) and configure the self + service (LAM Pro). You should start with the general settings and + then setup a server profile. -
- General settings +
+ General settings - After selecting "Edit general settings" you will need to enter the - master configuration password. - The default password for new installations is "lam". Now you can edit - the general settings. + After selecting "Edit general settings" you will need to enter the + master configuration password. + The default password for new installations is "lam". Now you can edit the + general settings. -
- License (LAM Pro only) +
+ License (LAM Pro only) - This is only required when you run LAM Pro. Please enter the - license key from your customer - profile. In case you have purchased multiple licenses please - only enter one license key block per installation. + This is only required when you run LAM Pro. Please enter the + license key from your customer + profile. In case you have purchased multiple licenses please + only enter one license key block per installation. - When you entered the license key then the license details can be - seen on LAM configuration overview page. + When you entered the license key then the license details can be + seen on LAM configuration overview page. + + + + + + + + +
+ +
+ Security settings + + Here you can set a time period after which inactive sessions are + automatically invalidated. The selected value represents minutes of + inactivity. + + You may also set a list of IP addresses which are allowed to + access LAM. The IPs can be specified as full IP (e.g. 123.123.123.123) + or with the "*" wildcard (e.g. 123.123.123.*). Users which try to access + LAM via an untrusted IP only get blank pages. There is a separate field + for LAM Pro self service. + + Session encryption will encrypt sensitive + data like passwords in your session files. This is only available when + PHP MCrypt is active. This + adds extra security but also costs performance. If you manage a large + directory you might want to disable this and take other actions to + secure your LAM server. + + + + + + + + + + SSL certificate + setup: + + By default, LAM uses the CA certificates that are preinstalled on + your system. This will work if you connect via SSL/TLS to an LDAP server + that uses a certificate signed by a well-known CA. In case you use your + own CA (e.g. company internal CA) you can import the CA certificates + here. + + Please note that this can affect other web applications on the + same server if they require different certificates. There seem to be + problems on Debian systems and you may also need to restart Apache. In + case of any problems please delete the uploaded certificates and use the + system setup. + + You can either upload a DER/PEM formatted certificate file or + import the certificates directly from an LDAP server that is available + with LDAP+SSL (ldaps://). LAM will automatically override system + certificates if at least one certificate is uploaded/imported. + + The whole certificate list can be downloaded in PEM format. You + can also delete single certificates from the list. + + Please note that you might need to restart your webserver if you + do any changes to this configuration. + + + + + + + + +
+ +
+ Password policy + + This allows you to specify a central password policy for LAM. The + policy is valid for all password fields inside LAM admin (excluding tree + view) and LAM self service. Configuration passwords do not need to + follow this policy. + + + + + + + + + + You can set the minimum password length and also the complexity of + the passwords. +
+ +
+ Logging + + LAM can log events (e.g. user logins). You can use system logging + (syslog for Unix, event viewer for Windows) or log to a separate file. + Please note that LAM may log sensitive data (e.g. passwords) at log + level "Debug". Production systems should be set to "Warning" or + "Error". + + The PHP error reporting is only for developers. By default LAM + does not show PHP notice messages in the web pages. You can select to + use the php.ini setting here or printing all errors and notices. + + + + + + + + +
+ +
+ Additional options + + Email format + + Some email servers are not standards compatible. If you receive + mails that look broken you can change the line endings for sent mails + here. Default is to use "\r\n". + + At the moment, this option is only available in LAM Pro as there + is no mail sending in the free version. See here for setting up your SMTP server. + + + + + + + + +
+ +
+ Change master password + + If you would like to change the master configuration password then + enter a new password here. + + + + + + + + +
+
+ +
+ Server profiles + + The server profiles store information about your LDAP server (e.g. + host name) and what kind of accounts (e.g. users and groups) you would + like to manage. There is no limit on the number of server profiles. See + the typical scenarios about + how to structure your server profiles. + +
+ Manage server profiles + + Select "Manage server profiles" to open the profile management + page. + + + + + + + + + + Here you can create, rename and delete server profiles. The passwords of your server profiles can + also be reset. + + You may also specify the default server profile. This is the + server profile which is preselected at the login page. It also specifies + the language of the login and configuration pages. + + Templates for new server + profiles + + You can create a new server profile based on one of the built-in + templates or any existing profile. Of course, the account types and + selected modules can be changed after you created your profile. + + Built-in templates: + + + + addressbook: simple profile for user management with + inetOrgPerson object class + + + + samba3: Samba 3 users, groups, hosts and domains + + + + unix: Unix users and groups (posixAccount/Group) + + + + windows_samba4: Active Directory user, group and host + management + + + + + + + + + + + + All operations on the profile management page require that you + authenticate yourself with the configuration master password. +
+ +
+ Editing a server profile + + Please select you server profile and enter its password to edit a + server profile. + + + + + + + + + + Each server profile contains the following information: + + + + General settings: general + settings about your LDAP server (e.g. host name and security + settings) + + + + Account types: list of + account types (e.g. users and groups) that you would like to manage + and type specific settings (e.g. LDAP suffix) + + + + Modules: list of modules + which define what account aspects (e.g. Unix, Samba, Kolab) you + would like to manage + + + + Module settings: settings + which are specific for the selected account modules on the page + before + + + +
+ General settings + + Here you can specify the LDAP server and some security + settings. - + + + + + + The server address of your LDAP server can be a DNS name or an + IP address. Use ldap:// for unencrypted LDAP connections or TLS + encrypted connections. LDAP+SSL (LDAPS) encrypted connections are + specified with ldaps://. The port value is optional. TLS cannot be + combined with ldaps://. + + Hint: If you use a master/slave setup with referrals then point + LAM to your master server. Due to bugs in the underlying LDAP + libraries pointing to a slave might cause issues on write + operations. + + LAM includes an LDAP browser which allows direct modification of + LDAP entries. If you would like to use it then enter the LDAP suffix + at "Tree suffix". + + The search limit is used to reduce the number of search results + which are returned by your LDAP server. + + The access level specifies if LAM should allow to modify LDAP + entries. This feature is only available in LAM Pro. LAM non-Pro + releases use write access. See this page for details on + the different access levels. + + Advanced options + + Sometimes, you may not want to display the server address on the + login page. In this case you can setup a display name here (e.g. + "Production"). + + By default LAM will not follow LDAP referrals. This is ok for + most installations. If you use LDAP referrals please activate the + referral option in advanced settings. + + Paged results should be activated only if you encounter any + problems regarding size limits on Active Directory. LAM will then + query LDAP to return results in chunks of 999 entries. + + + + + LAM is translated to many different languages. Here you can + select the default language for this server profile. The language + setting may be overriden at the LAM login page. + + Please also set your time zone here. + + + + + + + + + + LAM can manage user home directories and quotas with an external + script. 
You can specify the home directory server and where the script + is located. The default rights for new home directories can be set, + too. + + You can provide a fixed user name. If you leave the field empty + then LAM will use your current account (the account you used to login + to LAM). + + There are two possibilities to connect to your home + directory/quota server: + + + + SSH key (recommended): Please generate a SSH key pair and + provide the location to the private key file. If the key is protected + by a password you can also specify it here. + + + + Password: If you do not set a SSH key then LAM will try to + connect with your current account (the password you used to login + to LAM). + + + + + + + + + + + + LAM Pro users may directly set passwords from + list view. You can configure if it should be possible to set specific + passwords and showing password on screen is allowed. + + + + + + + + + + LAM Pro users can send out changed passwords to their users. + Here you can specify the options for these mails. + + If you select "Allow alternate address" then password mails can + be sent to any address (e.g. a secondary address if the user account + is also bound to the mailbox). + + + + + + + + + + LAM supports two methods for login: + + + + Fixed list + + + + LDAP search + + + + + + + + + + + + The first one is to specify a fixed list of LDAP DNs that are + allowed to login. Please enter one DN per line. + + The second one is to let LAM search for the DN in your + directory. E.g. if a user logs in with the user name "joe" then LAM + will do an LDAP search for this user name. When it finds a matching DN + then it will use this to authenticate the user. The wildcard "%USER%" + will be replaced by "joe" in this example. This way you can provide + login by user name, email address or other LDAP attributes. + + Additionally, you can enable HTTP authentication when using + "LDAP search". This way the web server is responsible to authenticate + your users. 
LAM will use the given user name + password for the LDAP + login. You can also configure this to setup advanced login + restrictions (e.g. require group memberships for login). To setup HTTP + authentication in Apache please see this link + and an example for LDAP authentication here. + + Hint: LDAP search with group + membership check can be done with either HTTP authentication or LDAP overlays + like "memberOf" + or "Dynamic + lists". Dynamic lists allow to insert virtual attributes to + your user entries. These can then be used for the LDAP filter (e.g. + "(&(uid=%USER%)(memberof=cn=admins,ou=groups,dc=company,dc=com))"). + + + + + + + + + + 2-factor authentication + + LAM supports 2-factor authentication for your users. This means + the user will not only authenticate by user+password but also with + e.g. a token generated by a mobile device. This adds more security + because the token is generated on a physically separated device + (typically mobile phone). + + The token is validated by a second application. LAM currently + supports: + + + + privacyIdea + + + + By default LAM will enforce to use a token and reject users that + did not setup one. You can set this check to optional. But if a user + has setup a token then this will always be required. + + + + + + + + + + After logging in with user + password LAM will ask for the 2nd + factor. If the user has setup multiple factors then he can choose one + of them. + + + + + + + + + + Password + + You may also change the password of this server profile. Please + just enter the new password in both password fields. + + + + +
- Security settings + Account types - Here you can set a time period after which inactive sessions are - automatically invalidated. The selected value represents minutes of - inactivity. - - You may also set a list of IP addresses which are allowed to - access LAM. The IPs can be specified as full IP (e.g. 123.123.123.123) - or with the "*" wildcard (e.g. 123.123.123.*). Users which try to - access LAM via an untrusted IP only get blank pages. There is a - separate field for LAM Pro self service. - - Session encryption will encrypt sensitive - data like passwords in your session files. This is only available when - PHP MCrypt is active. This - adds extra security but also costs performance. If you manage a large - directory you might want to disable this and take other actions to - secure your LAM server. + LAM supports to manage various types of LDAP entries (e.g. + users, groups, DHCP entries, ...). On this page you can select which + types of entries you want to manage with LAM. - + - SSL certificate - setup: + The section at the top shows a list of possible types. You can + activate them by simply clicking on the plus sign next to it. - By default, LAM uses the CA certificates that are preinstalled - on your system. This will work if you connect via SSL/TLS to an LDAP - server that uses a certificate signed by a well-known CA. In case you - use your own CA (e.g. company internal CA) you can import the CA - certificates here. + Each account type has the following options: - Please note that this can affect other web applications on the - same server if they require different certificates. There seem to be - problems on Debian systems and you may also need to restart Apache. In - case of any problems please delete the uploaded certificates and use - the system setup. 
+ + + LDAP suffix: the LDAP + suffix where entries of this type should be managed + - You can either upload a DER/PEM formatted certificate file or - import the certificates directly from an LDAP server that is available - with LDAP+SSL (ldaps://). LAM will automatically override system - certificates if at least one certificate is uploaded/imported. + + List attributes: a list of + attributes which are shown in the account lists + - The whole certificate list can be downloaded in PEM format. You - can also delete single certificates from the list. + + Additional LDAP filter: LAM + will automatically detect the right LDAP entries for each account + type. This can be used to further limit the number of visible + entries (e.g. if you want to manage only some specific groups). + You can use "@@LOGIN_DN@@" as wildcard (e.g. + "(owner=@@LOGIN_DN@@)"). It will be replaced by the DN of the user + who is logged in. + - Please note that you might need to restart your webserver if you - do any changes to this configuration. + + Hidden: This is used to + hide account types that should not be displayed but are required + by other account types. E.g. you can hide the Samba domains + account type and still assign domains when you edit your + users. + + + + Read-only (LAM Pro only): + This allows to set a single account type to read-only mode. Please + note that this is a restriction on functional level (e.g. group + memberships can be changed on user page even if groups are + read-only) and is no replacement for setting up proper ACLs on + your LDAP server. + + + + Custom label: Here you can + set a custom label for the account types. Use this if the standard + label does not fit for you (e.g. enter "Servers" for + hosts). + + + + No new entries (LAM Pro + only): Use this if you want to prevent that new + accounts of this type are created by your users. The GUI will hide + buttons to create new entries and also disable file upload for + this type. 
+ + + + Disallow delete (LAM Pro + only): Use this if you want to prevent that accounts of + this type are deleted by your users. + + - + + + On the next page you can specify in detail what extensions + should be enabled for each account type.
- Password policy + Modules - This allows you to specify a central password policy for LAM. - The policy is valid for all password fields inside LAM admin - (excluding tree view) and LAM self service. Configuration passwords do - not need to follow this policy. + The modules specify the active extensions for each account type. + E.g. here you can setup if your user entries should be address book + entries only or also support Unix or Samba. - + - You can set the minimum password length and also the complexity - of the passwords. -
+ Each account type needs a so called "base module". This is the + basement for all LDAP entries of this type. Usually, it provides the + structural object class for the LDAP entries. There must be exactly + one active base module for each account type. -
- Logging - - LAM can log events (e.g. user logins). You can use system - logging (syslog for Unix, event viewer for Windows) or log to a - separate file. Please note that LAM may log sensitive data (e.g. - passwords) at log level "Debug". Production systems should be set to - "Warning" or "Error". - - The PHP error reporting is only for developers. By default LAM - does not show PHP notice messages in the web pages. You can select to - use the php.ini setting here or printing all errors and - notices. - - - - - - - - + Furthermore, there may be any number of additional active + account modules. E.g. you may select "Personal" as base module and + Unix + Samba as additional modules.
- Additional options + Module settings - Email - format - - Some email servers are not standards compatible. If you receive - mails that look broken you can change the line endings for sent mails - here. Default is to use "\r\n". - - At the moment, this option is only available in LAM Pro as there - is no mail sending in the free version. See here for setting up your SMTP - server. + Depending on the activated account modules there may be + additional configuration options available. They can be found on the + "Module settings" tab. E.g. the Personal account module allows to hide + several input fields and the Unix module requires to specify ranges + for UID numbers. - - - - -
- -
- Change master password - - If you would like to change the master configuration password - then enter a new password here. - - - - - +
-
- Server profiles +
+ Cron jobs (LAM Pro) - The server profiles store information about your LDAP server (e.g. - host name) and what kind of accounts (e.g. users and groups) you would - like to manage. There is no limit on the number of server profiles. See - the typical scenarios about - how to structure your server profiles. + LAM Pro can execute common tasks via cron job. This can be used to + e.g. notify your users before their passwords expire.
- Manage server profiles + LDAP and database configuration - Select "Manage server profiles" to open the profile management - page. + Please add the LDAP bind user and password for all jobs. This + LDAP account will be used to perform all LDAP read and write + operations. + + Next, select the database type where LAM should store job + related data. Supported databases are SQLite and MySQL. + + SQLite + + This is a simple file based database. It needs no special + database server. The database file will be located next to the server + profile in config directory. + + You will need to install the SQLite PDO module for PHP + (pdo_sqlite.so). For Debian this is located in package + php5-sqlite. - + - Here you can create, rename and delete server profiles. The - passwords of your server - profiles can also be reset. + MySQL - You may also specify the default server profile. This is the - server profile which is preselected at the login page. It also - specifies the language of the login and configuration pages. + This will store all job data in an external MySQL + database. - Templates for new server - profiles + You will need to install the MySQL PDO module for PHP + (pdo_mysql.so). For Debian this is located in package + php5-mysql. - You can create a new server profile based on one of the built-in - templates or any existing profile. Of course, the account types and - selected modules can be changed after you created your profile. + Steps to create a MySQL database and user: - Built-in templates: - - - - addressbook: simple profile for user management with - inetOrgPerson object class - - - - samba3: Samba 3 users, groups, hosts and domains - - - - unix: Unix users and groups (posixAccount/Group) - - - - windows_samba4: Active Directory user, group and host - management - - - - - - - - - - - - All operations on the profile management page require that you - authenticate yourself with the configuration master - password. -
- -
- Editing a server profile - - Please select you server profile and enter its password to edit - a server profile. - - - - - - - - - - Each server profile contains the following information: - - - - General settings: general - settings about your LDAP server (e.g. host name and security - settings) - - - - Account types: list of - account types (e.g. users and groups) that you would like to - manage and type specific settings (e.g. LDAP suffix) - - - - Modules: list of modules - which define what account aspects (e.g. Unix, Samba, Kolab) you - would like to manage - - - - Module settings: settings - which are specific for the selected account modules on the page - before - - - -
- General settings - - Here you can specify the LDAP server and some security - settings. - - - - - - - - - - The server address of your LDAP server can be a DNS name or an - IP address. Use ldap:// for unencrypted LDAP connections or TLS - encrypted connections. LDAP+SSL (LDAPS) encrypted connections are - specified with ldaps://. The port value is optional. TLS cannot be - combined with ldaps://. - - Hint: If you use a master/slave setup with referrals then - point LAM to your master server. Due to bugs in the underlying LDAP - libraries pointing to a slave might cause issues on write - operations. - - LAM includes an LDAP browser which allows direct modification - of LDAP entries. If you would like to use it then enter the LDAP - suffix at "Tree suffix". - - The search limit is used to reduce the number of search - results which are returned by your LDAP server. - - The access level specifies if LAM should allow to modify LDAP - entries. This feature is only available in LAM Pro. LAM non-Pro - releases use write access. See this page for details on - the different access levels. - - Advanced options - - Sometimes, you may not want to display the server address on - the login page. In this case you can setup a display name here (e.g. - "Production"). - - By default LAM will not follow LDAP referrals. This is ok for - most installations. If you use LDAP referrals please activate the - referral option in advanced settings. - - Paged results should be activated only if you encounter any - problems regarding size limits on Active Directory. LAM will then - query LDAP to return results in chunks of 999 entries. - - - - - LAM is translated to many different languages. Here you can - select the default language for this server profile. The language - setting may be overriden at the LAM login page. - - Please also set your time zone here. - - - - - - - - - - LAM can manage user home directories and quotas with an - external script. 
You can specify the home directory server and where - the script is located. The default rights for new home directories - can be set, too. - - You can provide a fixed user name. If you leave the field - empty then LAM will use your current account (the account you used - to login to LAM). - - There are two possibilities to connect to your home - directory/quota server: - - - - SSH key (recommended): Please generate a SSH key pair and - provide the location to the private key file. If the key is protected - by a password you can also specify it here. - - - - Password: If you do not set a SSH key then LAM will try to - connect with your current account (the password you used to - login to LAM). - - - - - - - - - - - - LAM Pro users may directly set passwords - from list view. You can configure if it should be possible to set - specific passwords and showing password on screen is allowed. - - - - - - - - - - LAM Pro users can send out changed passwords to their users. - Here you can specify the options for these mails. - - If you select "Allow alternate address" then password mails - can be sent to any address (e.g. a secondary address if the user - account is also bound to the mailbox). - - - - - - - - - - LAM supports two methods for login. - - - - - - - - - - The first one is to specify a fixed list of LDAP DNs that are - allowed to login. Please enter one DN per line. - - The second one is to let LAM search for the DN in your - directory. E.g. if a user logs in with the user name "joe" then LAM - will do an LDAP search for this user name. When it finds a matching - DN then it will use this to authenticate the user. The wildcard - "%USER%" will be replaced by "joe" in this example. This way you can - provide login by user name, email address or other LDAP - attributes. - - Additionally, you can enable HTTP authentication when using - "LDAP search". This way the web server is responsible to - authenticate your users. 
LAM will use the given user name + password - for the LDAP login. You can also configure this to setup advanced - login restrictions (e.g. require group memberships for login). To - setup HTTP authentication in Apache please see this link - and an example for LDAP authentication here. - - Hint: LDAP search with group - membership check can be done with either HTTP authentication or LDAP - overlays like "memberOf" - or "Dynamic - lists". Dynamic lists allow to insert virtual attributes to - your user entries. These can then be used for the LDAP filter (e.g. - "(&(uid=%USER%)(memberof=cn=admins,ou=groups,dc=company,dc=com))"). - - - - - - - - - - You may also change the password of this server profile. - Please just enter the new password in both password fields. -
- -
- Account types - - LAM supports to manage various types of LDAP entries (e.g. - users, groups, DHCP entries, ...). On this page you can select which - types of entries you want to manage with LAM. - - - - - - - - - - The section at the top shows a list of possible types. You can - activate them by simply clicking on the plus sign next to it. - - Each account type has the following options: - - - - LDAP suffix: the LDAP - suffix where entries of this type should be managed - - - - List attributes: a list - of attributes which are shown in the account lists - - - - Additional LDAP filter: - LAM will automatically detect the right LDAP entries for each - account type. This can be used to further limit the number of - visible entries (e.g. if you want to manage only some specific - groups). You can use "@@LOGIN_DN@@" as wildcard (e.g. - "(owner=@@LOGIN_DN@@)"). It will be replaced by the DN of the - user who is logged in. - - - - Hidden: This is used to - hide account types that should not be displayed but are required - by other account types. E.g. you can hide the Samba domains - account type and still assign domains when you edit your - users. - - - - Read-only (LAM Pro only): - This allows to set a single account type to read-only mode. - Please note that this is a restriction on functional level (e.g. - group memberships can be changed on user page even if groups are - read-only) and is no replacement for setting up proper ACLs on - your LDAP server. - - - - Custom label: Here you - can set a custom label for the account types. Use this if the - standard label does not fit for you (e.g. enter "Servers" for - hosts). - - - - No new entries (LAM Pro - only): Use this if you want to prevent that new - accounts of this type are created by your users. The GUI will - hide buttons to create new entries and also disable file upload - for this type. 
- - - - Disallow delete (LAM Pro - only): Use this if you want to prevent that accounts - of this type are deleted by your users. - - - - - - - - - - - - On the next page you can specify in detail what extensions - should be enabled for each account type. -
- -
- Modules - - The modules specify the active extensions for each account - type. E.g. here you can setup if your user entries should be address - book entries only or also support Unix or Samba. - - - - - - - - - - Each account type needs a so called "base module". This is the - basement for all LDAP entries of this type. Usually, it provides the - structural object class for the LDAP entries. There must be exactly - one active base module for each account type. - - Furthermore, there may be any number of additional active - account modules. E.g. you may select "Personal" as base module and - Unix + Samba as additional modules. -
- -
- Module settings - - Depending on the activated account modules there may be - additional configuration options available. They can be found on the - "Module settings" tab. E.g. the Personal account module allows to - hide several input fields and the Unix module requires to specify - ranges for UID numbers. - - - - - - - - -
-
- -
- Cron jobs (LAM Pro) - - LAM Pro can execute common tasks via cron job. This can be used - to e.g. notify your users before their passwords expire. - -
- LDAP and database configuration - - Please add the LDAP bind user and password for all jobs. This - LDAP account will be used to perform all LDAP read and write - operations. - - Next, select the database type where LAM should store job - related data. Supported databases are SQLite and MySQL. - - SQLite - - This is a simple file based database. It needs no special - database server. The database file will be located next to the - server profile in config directory. - - You will need to install the SQLite PDO module for PHP - (pdo_sqlite.so). For Debian this is located in package - php5-sqlite. - - - - - - - - - - MySQL - - This will store all job data in an external MySQL - database. - - You will need to install the MySQL PDO module for PHP - (pdo_mysql.so). For Debian this is located in package - php5-mysql. - - Steps to create a MySQL database and user: - - # login + # login mysql -u root -p # create a database mysql> create database lam_cron; @@ -711,769 +766,758 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'%'; mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost'; - - - - - - - + + + + + + + - + Test your settings - After the LDAP and database settings are done you can test - your settings. + After the LDAP and database settings are done you can test your + settings. - Cron entry + Cron entry - LAM also prints the crontab line that you need to run the - configured jobs on a daily basis. The command must be run as the - same user as your webserver is running. You are free to change the - starting time of the script or run it more often. -
+ LAM also prints the crontab line that you need to run the + configured jobs on a daily basis. The command must be run as the same + user as your webserver is running. You are free to change the starting + time of the script or run it more often. +
+ +
+ Adding jobs + + To add a new job just click on the "Add job" button and select + the job type you need. The list of available jobs depends on your + active account modules. E.g. the PPolicy job will only be available if + you activated PPolicy user module. + + Depending on the job type jobs may be added multiple times with + different configurations. For descriptions about the available job + types see next chapters. + + + + + + + +
- Adding jobs + PPolicy: Notify users about password expiration - To add a new job just click on the "Add job" button and select - the job type you need. The list of available jobs depends on your - active account modules. E.g. the PPolicy job will only be available - if you activated PPolicy user module. + This will send your users an email reminder before their + password expires. - Depending on the job type jobs may be added multiple times - with different configurations. For descriptions about the available - job types see next chapters. + You need to activate the PPolicy module for users to be able + to add this job. The job can be added multiple times (e.g. to send a + second warning at a later time). + + LAM calculates the expiration date based on the last password + change and the assigned password policy (or the default policy) + using attributes pwdMaxAge and pwdExpireWarning. + + Examples: + + Warning time (pwdExpireWarning) = 14 days, notification period + = 10: LAM will send out the email 24 days before the password + expires + + Warning time (pwdExpireWarning) = 14 days, notification period + = 0: LAM will send out the email 14 days before the password + expires + + No warning time (pwdExpireWarning), notification period = 10: + LAM will send out the email 10 days before the password + expires - + -
- PPolicy: Notify users about password expiration + + Options - This will send your users an email reminder before their - password expires. + + + + Option - You need to activate the PPolicy module for users to be able - to add this job. The job can be added multiple times (e.g. to send - a second warning at a later time). + Description + - LAM calculates the expiration date based on the last - password change and the assigned password policy (or the default - policy) using attributes pwdMaxAge and pwdExpireWarning. + + From address - Examples: + The email address to set as FROM. + - Warning time (pwdExpireWarning) = 14 days, notification - period = 10: LAM will send out the email 24 days before the - password expires + + Reply-to address - Warning time (pwdExpireWarning) = 14 days, notification - period = 0: LAM will send out the email 14 days before the - password expires + Optional Reply-to address for email. + - No warning time (pwdExpireWarning), notification period = - 10: LAM will send out the email 10 days before the password - expires + + CC address - - - - - - - + Optional CC mail address. + -
- Options + + BCC address - - - - Option + Optional BCC mail address. + - Description - + + Subject - - From address + The email subject line. Supports wildcards, see + below. + - The email address to set as FROM. - + + Text - - Reply-to address + The email body text. Supports wildcards, see + below. + - Optional Reply-to address for email. - + + Notification period - - CC address + Number of days to notify before password + expires. + - Optional CC mail address. - + + Default password policy - - BCC address + Default PPolicy password policy entry (object class + "pwdPolicy"). + + + +
- Optional BCC mail address. - + Wildcards: - - Subject + You can enter LDAP attributes as wildcards in the form + @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@". + For the common name it would be "@@cn@@". - The email subject line. Supports wildcards, see - below. - - - - Text - - The email body text. Supports wildcards, see - below. - - - - Notification period - - Number of days to notify before password - expires. - - - - Default password policy - - Default PPolicy password policy entry (object class - "pwdPolicy"). - - - - - - Wildcards: - - You can enter LDAP attributes as wildcards in the form - @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use - "@@cn@@". For the common name it would be "@@cn@@". - - There are also two special wildcards for the expiration - date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. - "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g. - "2016-12-31". -
- -
- 389ds: Notify users about password expiration - - This will send your users an email reminder before their - password expires. - - You need to activate the Account Locking module for users to - be able to add this job. The job can be added multiple times (e.g. - to send a second warning at a later time). - - LAM calculates the expiration date based on the attribute - passwordExpirationTime. - - - - - - - - - - - Options - - - - - Option - - Description - - - - From address - - The email address to set as FROM. - - - - Reply-to address - - Optional Reply-to address for email. - - - - CC address - - Optional CC mail address. - - - - BCC address - - Optional BCC mail address. - - - - Subject - - The email subject line. Supports wildcards, see - below. - - - - Text - - The email body text. Supports wildcards, see - below. - - - - Notification period - - Number of days to notify before password - expires. - - - -
- - Wildcards: - - You can enter LDAP attributes as wildcards in the form - @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use - "@@cn@@". For the common name it would be "@@cn@@". - - There are also two special wildcards for the expiration - date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. - "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g. - "2016-12-31". -
- -
- Shadow: Notify users about password expiration - - This will send your users an email reminder before their - password expires. - - You need to activate the Shadow module for users to be able - to add this job. The job can be added multiple times (e.g. to send - a second warning at a later time). - - LAM calculates the expiration date based on the last - password change, the password warning time (attribute - "shadowWarning") and the specified notification period. - - Examples: - - Warning time = 14, notification period = 10: LAM will send - out the email 24 days before the password expires - - Warning time = 14, notification period = 0: LAM will send - out the email 14 days before the password expires - - - - - - - - - - - Options - - - - - Option - - Description - - - - From address - - The email address to set as FROM. - - - - Reply-to address - - Optional Reply-to address for email. - - - - CC address - - Optional CC mail address. - - - - BCC address - - Optional BCC mail address. - - - - Subject - - The email subject line. Supports wildcards, see - below. - - - - Text - - The email body text. Supports wildcards, see - below. - - - - Notification period - - Number of days to notify before password - expires. - - - -
- - Wildcards: - - You can enter LDAP attributes as wildcards in the form - @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use - "@@cn@@". For the common name it would be "@@cn@@". - - There are also two special wildcards for the expiration - date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. - "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g. - "2016-12-31". -
- -
- Shadow: Delete or move expired accounts - - You can automatically delete or move expired accounts. The - job checks Shadow account expiration dates (not password - expiration dates). - - - - - - - - - - - Options - - - - - Option - - Description - - - - Delay - - Number of days to wait after the account is - expired. - - - - Action - - Delete or move accounts - - - - Target DN - - Move only: specifies the DN where accounts are - moved - - - -
-
- -
- Windows: Notify users about password expiration - - This will send your users an email reminder before their - password expires. - - You need to activate the Windows module for users to be able - to add this job. The job can be added multiple times (e.g. to send - a second warning at a later time). - - LAM calculates the expiration date based on the last - password change and the domain policy. - - - - - - - - - - - Options - - - - - Option - - Description - - - - From address - - The email address to set as FROM. - - - - Reply-to address - - Optional Reply-to address for email. - - - - CC address - - Optional CC mail address. - - - - BCC address - - Optional BCC mail address. - - - - Subject - - The email subject line. Supports wildcards, see - below. - - - - Text - - The email body text. Supports wildcards, see - below. - - - - Notification period - - Number of days to notify before password - expires. - - - -
- - Wildcards: - - You can enter LDAP attributes as wildcards in the form - @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use - "@@cn@@". For the common name it would be "@@cn@@". - - There are also two special wildcards for the expiration - date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. - "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g. - "2016-12-31". -
- -
- Windows: Delete or move expired accounts - - You can automatically delete or move expired - accounts. - - - - - - - - - - - Options - - - - - Option - - Description - - - - Delay - - Number of days to wait after the account is - expired. - - - - Action - - Delete or move accounts - - - - Target DN - - Move only: specifies the DN where accounts are - moved - - - -
-
- -
- FreeRadius: Delete or move expired accounts - - You can automatically delete or move expired - accounts. - - - - - - - - - - - Options - - - - - Option - - Description - - - - Delay - - Number of days to wait after the account is - expired. - - - - Action - - Delete or move accounts - - - - Target DN - - Move only: specifies the DN where accounts are - moved - - - -
-
- -
- Qmail: Delete or move expired accounts - - You can automatically delete or move expired accounts. The - job reads the qmail deletion date of user accounts. - - - - - - - - - - - Options - - - - - Option - - Description - - - - Delay - - Number of days to wait after the account is - expired. - - - - Action - - Delete or move accounts - - - - Target DN - - Move only: specifies the DN where accounts are - moved - - - -
-
+ There are also two special wildcards for the expiration date. + @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. "31.12.2016". + @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g. + "2016-12-31".
- Job history + 389ds: Notify users about password expiration - This will show the list of all executed job runs and their - result. + This will send your users an email reminder before their + password expires. + + You need to activate the Account Locking module for users to + be able to add this job. The job can be added multiple times (e.g. + to send a second warning at a later time). + + LAM calculates the expiration date based on the attribute + passwordExpirationTime. - + + + + Options + + + + + Option + + Description + + + + From address + + The email address to set as FROM. + + + + Reply-to address + + Optional Reply-to address for email. + + + + CC address + + Optional CC mail address. + + + + BCC address + + Optional BCC mail address. + + + + Subject + + The email subject line. Supports wildcards, see + below. + + + + Text + + The email body text. Supports wildcards, see + below. + + + + Notification period + + Number of days to notify before password + expires. + + + +
+ + Wildcards: + + You can enter LDAP attributes as wildcards in the form + @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@". + For the common name it would be "@@cn@@". + + There are also two special wildcards for the expiration date. + @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. "31.12.2016". + @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g. + "2016-12-31". +
+ +
+ Shadow: Notify users about password expiration + + This will send your users an email reminder before their + password expires. + + You need to activate the Shadow module for users to be able to + add this job. The job can be added multiple times (e.g. to send a + second warning at a later time). + + LAM calculates the expiration date based on the last password + change, the password warning time (attribute "shadowWarning") and + the specified notification period. + + Examples: + + Warning time = 14, notification period = 10: LAM will send out + the email 24 days before the password expires + + Warning time = 14, notification period = 0: LAM will send out + the email 14 days before the password expires + + + + + + + + + + + Options + + + + + Option + + Description + + + + From address + + The email address to set as FROM. + + + + Reply-to address + + Optional Reply-to address for email. + + + + CC address + + Optional CC mail address. + + + + BCC address + + Optional BCC mail address. + + + + Subject + + The email subject line. Supports wildcards, see + below. + + + + Text + + The email body text. Supports wildcards, see + below. + + + + Notification period + + Number of days to notify before password + expires. + + + +
+ + Wildcards: + + You can enter LDAP attributes as wildcards in the form + @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@". + For the common name it would be "@@cn@@". + + There are also two special wildcards for the expiration date. + @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. "31.12.2016". + @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g. + "2016-12-31". +
+ +
+ Shadow: Delete or move expired accounts + + You can automatically delete or move expired accounts. The job + checks Shadow account expiration dates (not password expiration + dates). + + + + + + + + + + + Options + + + + + Option + + Description + + + + Delay + + Number of days to wait after the account is + expired. + + + + Action + + Delete or move accounts + + + + Target DN + + Move only: specifies the DN where accounts are + moved + + + +
+
+ +
+ Windows: Notify users about password expiration + + This will send your users an email reminder before their + password expires. + + You need to activate the Windows module for users to be able + to add this job. The job can be added multiple times (e.g. to send a + second warning at a later time). + + LAM calculates the expiration date based on the last password + change and the domain policy. + + + + + + + + + + + Options + + + + + Option + + Description + + + + From address + + The email address to set as FROM. + + + + Reply-to address + + Optional Reply-to address for email. + + + + CC address + + Optional CC mail address. + + + + BCC address + + Optional BCC mail address. + + + + Subject + + The email subject line. Supports wildcards, see + below. + + + + Text + + The email body text. Supports wildcards, see + below. + + + + Notification period + + Number of days to notify before password + expires. + + + +
+ + Wildcards: + + You can enter LDAP attributes as wildcards in the form + @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@". + For the common name it would be "@@cn@@". + + There are also two special wildcards for the expiration date. + @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. "31.12.2016". + @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g. + "2016-12-31". +
+ +
+ Windows: Delete or move expired accounts + + You can automatically delete or move expired accounts. + + + + + + + + + + + Options + + + + + Option + + Description + + + + Delay + + Number of days to wait after the account is + expired. + + + + Action + + Delete or move accounts + + + + Target DN + + Move only: specifies the DN where accounts are + moved + + + +
+
+ +
+ FreeRadius: Delete or move expired accounts + + You can automatically delete or move expired accounts. + + + + + + + + + + + Options + + + + + Option + + Description + + + + Delay + + Number of days to wait after the account is + expired. + + + + Action + + Delete or move accounts + + + + Target DN + + Move only: specifies the DN where accounts are + moved + + + +
+
+ +
+ Qmail: Delete or move expired accounts + + You can automatically delete or move expired accounts. The job + reads the qmail deletion date of user accounts. + + + + + + + + + + + Options + + + + + Option + + Description + + + + Delay + + Number of days to wait after the account is + expired. + + + + Action + + Delete or move accounts + + + + Target DN + + Move only: specifies the DN where accounts are + moved + + + +
-
- Typical scenarios +
+ Job history - This is a list of typical scenarios how your LDAP environment - may look like and how to structure the server profiles for it. + This will show the list of all executed job runs and their + result. -
- Simple: One LDAP directory managed by a small group of - admins - - This is the easiest and most common scenario. You want to - manage a single LDAP server and there is only one or a few admins. - In this case just create one server profile and you are done. The - admins may be either specified as a fixed list or by using an LDAP - search at login time. - - - - - - - - -
- -
- Advanced: One LDAP server which is managed by different admin - groups - - Large organisations may have one big LDAP directory for all - user/group accounts. But the users are managed by different groups - of admins (e.g. departments, locations, subsidiaries, ...). The - users are typically divided into organisational units in the LDAP - tree. Admins may only manage the users in their part of the - tree. - - - - - - - - - - In this situation it is recommended to create one server - profile for each admin group (e.g. department). Setup the LDAP - suffixes in the server profiles to point to the needed - organisational units. E.g. use - ou=people,ou=department1,dc=company,dc=com or - ou=department1,ou=people,dc=company,dc=com as LDAP suffix for users. - Do the same for groups, hosts, ... This way each admin group will - only see its own users. You may want to use LDAP search for the LAM - login in this scenario. This will prevent that you need to update a - server profile if the number of admins changes. - - Attention: LAM's feature to - automatically find free UIDs/GIDs for new users/groups will not work - in this case. LAM uses the user/group suffix to search for already - assigned UIDs/GIDs. As an alternative you can specify different - UID/GID ranges for each department. Then the UIDs/GIDs will stay - unique for the whole directory. -
- -
- Multiple LDAP servers - - You can manage as many LDAP servers with LAM as you wish. This - scenario is similar to the advanced scenario above. Just create one - server profile for each LDAP server. - - - - - - - - -
- -
- Single LDAP directory with lots of users (>10 000) - - LAM was tested to work with 10 000 users. If you have a lot - more users then you have basically two options. - - - - Divide your LDAP tree in organisational units: This is - usually the best performing option. Put your accounts in several - organisational units and setup LAM as in the advanced scenario - above. - - - - Increase memory limit: Increase the memory_limit parameter - in your php.ini. This will allow LAM to read more entries. But - this will slow down the response times of LAM. - - -
+ + + + + + +
- + +
+ Typical scenarios + + This is a list of typical scenarios how your LDAP environment may + look like and how to structure the server profiles for it. + +
+ Simple: One LDAP directory managed by a small group of + admins + + This is the easiest and most common scenario. You want to manage + a single LDAP server and there is only one or a few admins. In this + case just create one server profile and you are done. The admins may + be either specified as a fixed list or by using an LDAP search at + login time. + + + + + + + + +
+ +
+ Advanced: One LDAP server which is managed by different admin + groups + + Large organisations may have one big LDAP directory for all + user/group accounts. But the users are managed by different groups of + admins (e.g. departments, locations, subsidiaries, ...). The users are + typically divided into organisational units in the LDAP tree. Admins + may only manage the users in their part of the tree. + + + + + + + + + + In this situation it is recommended to create one server profile + for each admin group (e.g. department). Setup the LDAP suffixes in the + server profiles to point to the needed organisational units. E.g. use + ou=people,ou=department1,dc=company,dc=com or + ou=department1,ou=people,dc=company,dc=com as LDAP suffix for users. + Do the same for groups, hosts, ... This way each admin group will only + see its own users. You may want to use LDAP search for the LAM login + in this scenario. This will prevent that you need to update a server + profile if the number of admins changes. + + Attention: LAM's feature to + automatically find free UIDs/GIDs for new users/groups will not work + in this case. LAM uses the user/group suffix to search for already + assigned UIDs/GIDs. As an alternative you can specify different + UID/GID ranges for each department. Then the UIDs/GIDs will stay + unique for the whole directory. +
+ +
+ Multiple LDAP servers + + You can manage as many LDAP servers with LAM as you wish. This + scenario is similar to the advanced scenario above. Just create one + server profile for each LDAP server. + + + + + + + + +
+ +
+ Single LDAP directory with lots of users (>10 000) + + LAM was tested to work with 10 000 users. If you have a lot more + users then you have basically two options. + + + + Divide your LDAP tree in organisational units: This is + usually the best performing option. Put your accounts in several + organisational units and setup LAM as in the advanced scenario + above. + + + + Increase memory limit: Increase the memory_limit parameter + in your php.ini. This will allow LAM to read more entries. But + this will slow down the response times of LAM. + + +
+
+
+ diff --git a/lam/docs/manual-sources/howto.xml b/lam/docs/manual-sources/howto.xml index 5039fdcc..3190212c 100644 --- a/lam/docs/manual-sources/howto.xml +++ b/lam/docs/manual-sources/howto.xml 
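Review bot: the cron job paragraph in the first hunk ("Please add the LDAP bind user and password for all jobs. This LDAP account will be used to perform all LDAP read and write operations.") should recommend a dedicated bind account limited to what the configured jobs need (reading the password-expiry attributes, deleting or moving expired accounts) rather than an administrator DN, because these credentials are entered into the server profile and used unattended; the SQLite note ("The database file will be located next to the server profile in config directory") could likewise state that the job database must keep the config directory's restrictive permissions. A smaller point: php5-sqlite and php5-mysql are PHP 5 package names, and distributions shipping PHP 7 name the PDO packages differently, so either list both or phrase it as "the SQLite/MySQL PDO extension for your PHP version".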
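Review bot: in the second hunk, `GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'%';` lets the lam_cron account connect from any host; since the following line already grants `'lam_cron'@'localhost'`, the example should either drop the '%' grant for the local case or tell the reader to replace '%' with the web server's host when the database is remote. Separately, the Wildcards paragraph under each notification job contains a redundant sentence ("For the common name it would be "@@cn@@"." restates the example right before it), and the Options table plus Wildcards text is copied four times across the PPolicy, 389ds, Shadow and Windows jobs; an entity or xinclude would keep these in sync.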
@@ -1,12165 +1,25 @@ - + LDAP Account Manager - Manual + + + + + + + + + + + + + + + + + + - - Overview - - LDAP Account Manager (LAM) manages user, group and host accounts in - an LDAP directory. LAM runs on any webserver with PHP5 support and - connects to your LDAP server unencrypted or via SSL/TLS. - - LAM supports Samba 3/4, Unix, Zarafa, Kolab 2/3, address book - entries, NIS mail aliases, MAC addresses and much more. There is a tree - viewer included to allow access to the raw LDAP attributes. You can use - templates for account creation and use multiple configuration - profiles. - - https://www.ldap-account-manager.org/ - - Copyright (C) 2003 - 2016 Roland Gruber - <post@rolandgruber.de> - - Key features: - - - - managing user/group/host/domain entries - - - - account profiles - - - - account creation via file upload - - - - multiple configuration profiles - - - - LDAP browser - - - - schema browser - - - - OU editor - - - - PDF export for all accounts - - - - manage user/group Quota and create home directories - - - - Requirements: - - - - PHP5 (>= 5.4.0) - - - - Any standard LDAP server (e.g. OpenLDAP, Active Directory, Samba - 4, OpenDJ, 389 Directory Server, Apache DS, ...) - - - - A recent web browser that supports CSS2 and JavaScript, at - minimum: - - - - Firefox (max. 2 years old) - - - - Chrome (max. 2 years old) - - - - Internet Explorer 9 (compatibility - mode turned off) - - - - Opera (max. 2 years old) - - - - - - The default password to edit the configuration options is - "lam". - - License: - - LAM is published under the GNU General Public License. The complete - list of licenses can be found in the copyright file. - - Default password: - - The default password for the LAM configuration is "lam". - - -Have fun! - The LAM development team - - - - Big picture - -
- Overview - - LAM has two major areas: - - - - Admin interface to manage all sorts of different LDAP entries - (e.g. users/groups/hosts) - - - - Self service (LAM Pro) where end users can edit their own - data - - - - - - - - - - - - - - Admin interface - - This is the main part of the application. It allows to manage a - large list of LDAP entries (e.g. users, groups, DNS entries, ...). This - part is accessed by LDAP admins and support staff. - - - - - - - - - - Functional areas: - - - - Account tabs: These tabs allow to switsch between different - account types - - - - Tree view: Provides an LDAP browser to edit LDAP entries on - attribute level - - - - Tools menu: Contains useful tools such as profile and PDF - editor - - - - Help: Link to manual - - - - Logout: Logout of the application - - - - List view: Lists all entries of the selected account type - (e.g. users) - - - - List configuration: Configuration settings for list view (e.g. - number of entries per page) - - - - Filter: Filter boxes allow to enter simple filters like - "a*" - - - - Self Service - - The self service provides a simple interface for your users to - edit their own data (e.g. telephone number). It also supports user self - registration and password reset functionality. - - You can fully customize the layout of the self service - page. - - - - - - - - - - Configuration - - Configuration is done on multiple levels: - - Global - - Effective for all parts of LAM (e.g. logging and password - policy). - - Configured via LAM admin login -> LAM configuration -> Edit general settings. - - Server profile - - All settings for an LDAP connection (e.g. server name, LDAP - suffixes, account types/modules to activate) in admin interface. There - may be multiple for one LDAP server (e.g. for multiple departments, - different user groups, ...). - - Configured via LAM admin login -> LAM configuration -> Edit server profile. - - Self service - - All settings for a self service interface (e.g. 
fields that can be - edited, password reset functionality, ...). - - Configured via LAM admin login -> LAM configuration -> Edit self service. - - Profiles - - Account profiles store - default values for new LDAP entries. - - PDF structures - - PDF structures define the layout - and list of data fields to include in PDF export. -
- -
- Glossary - - Here you can find a list of common terms used in LAM. - - - Glossary - - - - - Term - - Description - - - - - - Account module - - Plugin for a specific account type (e.g. Unix plugin for - user type) - - - - Account type - - Type of an LDAP entry (e.g. user/group/host) - - - - Admin interface - - LAM webpages for admin user (e.g. to create new - users) - - - - Lamdaemon - - Support script to manage user file system quotas and - create home directories - - - - PDF editor - - Manages PDF structures - - - - PDF export - - Exports an entry to PDF by using a PDF structure - - - - PDF structure - - Defines the layout and list of data fields to include in - PDF export - - - - Profile - - Template for creation of LDAP entries, contains default - values - - - - Profile editor - - Manages profiles for all account types - - - - Self Service - - LAM webpages for normal users where they can edit their - own data - - - - Self service profile - - Configuration for self service pages (multiple - configurations can exist) - - - - Tree view - - LDAP browser that allows to modify LDAP entries on - attribute/object class level - - - -
-
- -
- Architecture - - There are basically two groups of users for LAM: - - - - LDAP administrators and support - staff: - - These people administer LDAP entries like user accounts, - groups, ... - - - - Users: - - This includes all people who need to manage their own data - inside the LDAP directory. E.g. these people edit their contact - information with LAM self service (LAM Pro). - - - - - - - - - - - - Therefore, LAM is split into two separate parts, LAM for admins - and for users. LAM for admins allows to manage various types of LDAP - entries (e.g. users, groups, hosts, ...). It also contains tools like - batch upload, account profiles, LDAP schema viewer and an LDAP browser. - LAM for users focuses on end users. It provides a self service for the - users to edit their personal data (e.g. contact information). The LAM - administrator is able to specify what data may be changed by the users. - The design is also adaptable to your corporate design. - - LAM for admins/users is accessible via HTTP(S) by all major web - browsers (Firefox, IE, Opera, ...). - - LAM runtime environment: - - LAM runs on PHP. Therefore, it is independant of CPU architecture - and operating system (OS). You can run LAM on any OS which supports - Apache, Nginx or other PHP compatible web servers. - - Home directory server: - - You can manage user home directories and their quotas inside LAM. - The home directories may reside on the server where LAM is installed or - any remote server. The commands for home directory management are - secured by SSH. LAM will use the user name and password of the logged in - LAM administrator for authentication. - - LDAP directory: - - LAM connects to your LDAP server via standard LDAP protocol. It - also supports encrypted connections with SSL and TLS. -
-
- - - Installation - -
- New installation - -
- Requirements - - LAM has the following requirements to run: - - - - Apache/Nginx webserver (SSL recommended) with PHP module - (PHP 5 (>= 5.2.4) with ldap, gettext, xml, openssl and optional - mcrypt) - - - - Some LAM plugins may require additional PHP extensions (you - will get a note on the login page if something is missing) - - - - Perl (optional, needed only for lamdaemon) - - - - Any standard LDAP server (e.g. OpenLDAP, Active Directory, - Samba 4, OpenDJ, 389 Directory Server, Apache DS, ...) - - - - A recent web browser that supports CSS2 and JavaScript, at - minimum: - - - - Firefox (max. 2 years old) - - - - Internet Explorer 9 (compatibility mode turned - off) - - - - Opera (max. 2 years old) - - - - Chrome (max. 2 years old) - - - - - - MCrypt will be used to store your LDAP password encrypted in the - session file. - - Please note that LAM does not ship with a selinux policy. Please - disable selinux or create your own - policy. - - See LDAP schema fles for - information about used LDAP schema files. -
- -
- Prepackaged releases - - LAM is available as prepackaged version for various - platforms. - -
- Debian - - - - - - - - - - - - LAM is part of the official Debian repository. New - releases are uploaded to unstable and will be available - automatically in testing and the stable releases. You can - run apt-get - install ldap-account-managerto install LAM - on your server. Additionally, you may download the latest - LAM Debian packages from the LAM - homepage or the Debian - package homepage.Installation of the latest packages on - Debian - - Install the LAM package - - dpkg -i ldap-account-manager_*.deb - - If you get any messages about missing - dependencies run now: apt-get -f install - - - - Install the lamdaemon package (optional) - - dpkg -i - ldap-account-manager-lamdaemon_*.deb - - - - - - -
- -
- Suse/Fedora/CentOS - - - - - - - - - - - - - - - - There are RPM packages available on the LAM - homepage. The packages can be installed with these - commands:rpm -e - ldap-account-manager - ldap-account-manager-lamdaemon (if an older - version is installed)rpm - -i <path to LAM - package> -Note: The RPM packages - for Fedora/CentOS do not contain a dependency to PHP due to - the various package names for it. Please make sure that you - install Apache/Nginx with PHP. - - - - -
- -
- Other RPM based distributions - - The RPM packages for Suse/Fedora are very generic and should - be installable on other RPM-based distributions, too. The Fedora - packages use apache:apache as file owner and the Suse ones use - wwwrun:www. -
- -
- FreeBSD - - - - - - - - - - - - LAM is part of the official FreeBSD ports tree. For - more details see these pages:FreeBSD-SVN: http://svnweb.freebsd.org/ports/head/sysutils/ldap-account-manager/FreshPorts: - http://www.freshports.org/sysutils/ldap-account-manager - - - - -
-
- -
- Installing the tar.bz2 - -
- Extract the archive - - Please extract the archive with the following command: - - tar xjf ldap-account-manager-<version>.tar.bz2 -
- -
- Install the files - -
- Manual copy - - Copy the files into the html-file scope of the web server. - For example /apache/htdocs or /var/www/html. - - Then set the appropriate file permissions inside the LAM - directory: - - - - sess: write permission for apache/nginx user - - - - tmp: write permission for apache/nginx user - - - - tmp/internal: write permission for apache/nginx - user - - - - config (with subdirectories): write permission for - apache/nginx user - - - - lib/lamdaemon.pl: set executable - - -
- -
- With configure script - - Instead of manually copying files you can also use the - included configure script to install LAM. Just run these commands - in the extracted directory: - - - - ./configure - - - - make install - - - - Options for "./configure": - - - - --with-httpd-user=USER USER is the name of your - Apache/Nginx user account (default httpd) - - - - --with-httpd-group=GROUP GROUP is the name of your - Apache/Nginx group (default httpd) - - - - --with-web-root=DIRECTORY DIRECTORY is the name where - LAM should be installed (default /usr/local/lam) - - -
-
- -
- Configuration files - - Copy config/config.cfg.sample to config/config.cfg. Open the - index.html in your web browser: - - - - Follow the link "LAM configuration" from the start page to - configure LAM. - - - - Select "Edit general settings" to setup global settings - and to change the master - configuration password (default is "lam"). - - - - Select "Edit server profiles" to setup a server - profile. - - -
- -
- Webserver configuration - - Please see the Apache or Nginx chapter. -
-
- -
- System configuration - -
- PHP - - LAM runs with PHP5 (>= 5.2.4). Needed changes in your - php.ini: - - memory_limit = 64M - - For large installations (>10000 LDAP entries) you may need - to increase the memory limit to 256M. - - If you run PHP with activated Suhosin - extension please check your logs for alerts. E.g. LAM requires that - "suhosin.post.max_name_length" and - "suhosin.request.max_varname_length" are increased (e.g. to - 256). -
- -
- Locales for non-English translation - - If you want to use a translated version of LAM be sure to - install the needed locales. The following table shows the needed - locales for the different languages. - - - Locales - - - - - Language - - Locale - - - - Catalan - - ca_ES.utf8 - - - - Chinese (Simplified) - - zh_CN.utf8 - - - - Chinese (Traditional) - - zh_TW.utf8 - - - - Czech - - cs_CZ.utf8 - - - - Dutch - - nl_NL.utf8 - - - - English - Great Britain - - no extra locale needed - - - - English - USA - - en_US.utf8 - - - - French - - fr_FR.utf8 - - - - German - - de_DE.utf8 - - - - Hungarian - - hu_HU.utf8 - - - - Italian - - it_IT.utf8 - - - - Japanese - - ja_JP.utf8 - - - - Polish - - pl_PL.utf8 - - - - Portuguese - - pt_BR.utf8 - - - - Russian - - ru_RU.utf8 - - - - Slovak - - sk_SK.utf8 - - - - Spanish - - es_ES.utf8 - - - - Turkish - - tr_TR.utf8 - - - - Ukrainian - - uk_UA.utf8 - - - -
- - You can get a list of all installed locales on your system by - executing: - - locale -a - - Debian users can add locales with "dpkg-reconfigure - locales". -
-
-
- -
- Upgrading LAM or migrate from LAM to LAM Pro - - Upgrading from LAM to LAM Pro is like installing a new LAM - version. Simply install the LAM Pro packages/tar.bz2 instead of the LAM - ones. - -
- Upgrade LAM - - Backup configuration - files - - Configuration files need only to be backed up for .tar.bz2 - installations. DEB/RPM installations do not require this step. - - LAM stores all configuration files in the "config" folder. - Please backup the following files and copy them after the new version - is installed. - - - config/*.conf - - config/config.cfg - - config/pdf/*.xml - - config/profiles/* - - - LAM Pro only: - - - config/selfService/*.* - - - Uninstall current LAM (Pro) - version - - If you used the RPM installation packages then remove the - ldap-account-manager and ldap-account-manager-lamdaemon packages by - calling "rpm -e ldap-account-manager - ldap-account-manager-lamdaemon". - - Debian needs no removal of old packages. - - For tar.bz2 please remove the folder where you installed LAM via - configure or by copying the files. - - Install new LAM (Pro) - version - - Please install the new LAM - (Pro) release. Skip the part about setting up LAM configuration - files. - - Restore configuration - files - - RPM: - - Please check if there are any files ending with ".rpmsave" in - /var/lib/ldap-account-manager/config. In this case you need to - manually remove the .rpmsave extension by overwriting the package - file. E.g. rename default.user.rpmsave to default.user. - - DEB: - - Nothing needs to be restored. - - tar.bz2: - - Please restore your configuration files from the backup. Copy - all files from the backup folder to the config folder in your LAM Pro - installation. Do not simply replace the folder because the new LAM - (Pro) release might include additional files in this folder. Overwrite - any existing files with your backup files. - - Final steps - - Now open your webbrowser and point it to the LAM login page. All - your settings should be migrated. - - Please check also the version - specific instructions. They might include additional - actions. -
- -
- Version specific upgrade instructions - -
- 5.5 -> 5.6 - - Mail routing: No longer added by default. Use profile editor - to activate by default for new users/groups. - - Personal/Unix/Windows: no more replacement of e.g. - $user/$group on user upload -
- -
- 5.4 -> 5.5 - - LAM Pro requires a license key. You can find it in your customer - profile. -
- -
- 5.1 -> 5.4 - - No special actions needed. -
- -
- 5.0 -> 5.1 - - Self Service: There were large changes to provide a responsive - design that works for desktop and mobile. If you use custom CSS to - style Self Service then this must be updated. -
- -
- 4.9 -> 5.0 - - Samba 3: If you used logon hours then you need to set the - correct time zone on tab "Generel settings" in server - profile. -
- -
- 4.5 -> 4.9 - - No special actions needed. -
- -
- 4.4 -> 4.5 - - LAM will no longer follow referrals by default. This is ok for - most installations. If you use LDAP referrals please activate - referral following for your server profile (tab General settings - -> Server settings -> Advanced options). - - The self service pages now have an own option for allowed IPs. - If your LAM installation uses IP restrictions please update the LAM - main configuration. - - Password self reset (LAM Pro) allows to set a backup email - address. You need to update the LDAP - schema if you want to use this feature. -
- -
- 4.3 -> 4.4 - - Apache configuration: LAM supports Apache 2.2 and 2.4. This - requires that your Apache server has enabled the "version" module. - For Debian and Fedora this is the default setup. The Suse RPM will - try to enable the version module during installation. - - Kolab: User accounts get the object class "mailrecipient" by - default. You can change this behaviour in the module settings - section of your LAM server profile. - - Windows: sAMAccountName is no longer set by default. Enable it - in server profile if needed. The possible domains for the user name - can also be set in server profile. -
- -
- 4.2.1 -> 4.3 - - LAM is no more shipped as tar.gz package but as tar.bz2 which - allows smaller file sizes. -
- -
- 4.1 -> 4.2/4.2.1 - - Zarafa users: The default attribute for mail aliases is now - "dn". If you use "uid" and did not change the server profile for a - long time please check your LAM server profile for this setting and - save it. -
- -
- 4.0 -> 4.1 - - Unix: The list of valid login - shells is no longer configured in "config/shells" but in the - server/self service profiles (Unix settings). LAM will use the - following shells by default: /bin/bash, /bin/csh, /bin/dash, - /bin/false, /bin/ksh, /bin/sh. - - Please update your server/self service profile if you would - like to change the list of valid login shells. -
- -
- 3.9 -> 4.0 - - The account profiles and PDF structures are now separated by - server profile. This means that if you edit e.g. an account profile - in server profile A then this change will not affect the account - profiles in server profile B. - - LAM will automatically migrate your existing files as soon as - the login page is loaded. - - Special install instructions: - - - - Debian: none, config files will be migrated when opening - LAM's login page - - - - Suse/Fedora RPM: - - - - Run "rpm -e ldap-account-manager - ldap-account-manager-lamdaemon" - - - - You may get warnings like "warning: - /var/lib/ldap-account-manager/config/profiles/default.user - saved as - /var/lib/ldap-account-manager/config/profiles/default.user.rpmsave" - - - - Please rename all files "*.rpmsave" and remove the - file extension ".rpmsave". E.g. "default.user.rpmsave" needs - to be renamed to "default.user". - - - - Install the LAM packages with "rpm -i". E.g. "rpm -i - ldap-account-manager-4.0-0.suse.1.noarch.rpm". - - - - Open LAM's login page in your browser to complete the - migration - - - - - - tar.gz: standard upgrade steps, config files will be - migrated when opening LAM's login page - - -
- -
- 3.7 -> 3.9 - - No changes. -
- -
- 3.6 -> 3.7 - - Asterisk extensions: The extension entries are now grouped by - extension name and account context. LAM will automatically assign - priorities and set same owners for all entries. -
- -
- 3.5.0 -> 3.6 - - Debian users: LAM 3.6 - requires to install FPDF 1.7. You can download the package here. - If you use Debian Stable (Squeeze) please use the package from - Testing (Wheezy). -
- -
- 3.4.0 -> 3.5.0 - - LAM Pro: The global - config/passwordMailTemplate.txt is no longer supported. You can - setup the mail settings now for each LAM server profile which - provides more flexibility. - - Suse/Fedora RPM - installations: LAM is now installed to - /usr/share/ldap-account-manager and - /var/lib/ldap-account-manager. - - Please note that configuration files are not migrated - automatically. Please move the files from /srv/www/htdocs/lam/config - (Suse) or /var/www/html/lam/config (Fedora) to - /var/lib/ldap-account-manager/config. -
- -
- 3.3.0 -> 3.4.0 - - No changes. -
- -
- 3.2.0 -> 3.3.0 - - If you use custom images for the PDF export then these images - need to be 5 times bigger than before (e.g. 250x250px instead of - 50x50px). This allows to use images with higher resolution. -
- -
- 3.1.0 -> 3.2.0 - - No changes. -
- -
- 3.0.0 -> 3.1.0 - - LAM supported to set a list of valid workstations on the - "Personal" page. This required to change the LDAP schema. Since - 3.1.0 this is replaced by the new "Hosts" module for users. - - Lamdaemon: The sudo entry needs to be changed to - ".../lamdaemon.pl *". -
- -
- 2.3.0 -> 3.0.0 - - No changes. -
- -
- 2.2.0 -> 2.3.0 - - LAM Pro: There is now a - separate account type for group of (unique) names. Please edit your - server profiles to activate the new account type. -
- -
- 1.1.0 -> 2.2.0 - - No changes. -
-
-
- -
- Uninstallation of LAM (Pro) - - If you used the prepackaged installation packages then remove the - ldap-account-manager and ldap-account-manager-lamdaemon packages. - - Otherwise, remove the folder where you installed LAM via configure - or by copying the files. -
- -
- Migration to a new server - - To move LAM (Pro) from one server to another please follow these - steps: - - - - Install LAM (Pro) on your new server - - - - Copy the following files from the old server to the new one - (base directory for RPM/DEB is - /usr/share/ldap-account-manager/): - - - - config/*.conf - - - - config/config.cfg - - - - config/pdf/* - - - - config/profiles/* - - - - config/selfService/*.* (needed for LAM Pro only) - - - - The files must be writable for the webserver user. - - - - Open LAM (Pro) login page on new server and verify - installation. - - - - Uninstall LAM (Pro) on old server. - - -
-
- - - Configuration - - After you installed LAM you - can configure it to fit your needs. The complete configuration can be done - inside the application. There is no need to edit configuration - files. - - Please point you browser to the location where you installed LAM. - E.g. for Debian/RPM this is http://yourServer/lam. If you installed LAM - via the tar.bz2 then this may vary. You should see the following - page: - - - - - - - - - - If you see an error message then you might need to install an - additional PHP extension. Please follow the instructions and reload the - page afterwards. - - Now you are ready to configure LAM. Click on the "LAM configuration" - link to proceed. - - - - - - - - - - Here you can change LAM's general settings, setup server profiles - for your LDAP server(s) and configure the self service (LAM Pro). You should start - with the general settings and then setup a server profile. - -
- General settings - - After selecting "Edit general settings" you will need to enter the - master configuration password. - The default password for new installations is "lam". Now you can edit - the general settings. - -
- License (LAM Pro only) - - This is only required when you run LAM Pro. Please enter the - license key from your customer - profile. In case you have purchased multiple licenses please - only enter one license key block per installation. - - When you entered the license key then the license details can be - seen on LAM configuration overview page. - - - - - - - - -
- -
- Security settings - - Here you can set a time period after which inactive sessions are - automatically invalidated. The selected value represents minutes of - inactivity. - - You may also set a list of IP addresses which are allowed to - access LAM. The IPs can be specified as full IP (e.g. 123.123.123.123) - or with the "*" wildcard (e.g. 123.123.123.*). Users which try to - access LAM via an untrusted IP only get blank pages. There is a - separate field for LAM Pro self service. - - Session encryption will encrypt sensitive - data like passwords in your session files. This is only available when - PHP MCrypt is active. This - adds extra security but also costs performance. If you manage a large - directory you might want to disable this and take other actions to - secure your LAM server. - - - - - - - - - - SSL certificate - setup: - - By default, LAM uses the CA certificates that are preinstalled - on your system. This will work if you connect via SSL/TLS to an LDAP - server that uses a certificate signed by a well-known CA. In case you - use your own CA (e.g. company internal CA) you can import the CA - certificates here. - - Please note that this can affect other web applications on the - same server if they require different certificates. There seem to be - problems on Debian systems and you may also need to restart Apache. In - case of any problems please delete the uploaded certificates and use - the system setup. - - You can either upload a DER/PEM formatted certificate file or - import the certificates directly from an LDAP server that is available - with LDAP+SSL (ldaps://). LAM will automatically override system - certificates if at least one certificate is uploaded/imported. - - The whole certificate list can be downloaded in PEM format. You - can also delete single certificates from the list. - - Please note that you might need to restart your webserver if you - do any changes to this configuration. - - - - - - - - -
- -
- Password policy - - This allows you to specify a central password policy for LAM. - The policy is valid for all password fields inside LAM admin - (excluding tree view) and LAM self service. Configuration passwords do - not need to follow this policy. - - - - - - - - - - You can set the minimum password length and also the complexity - of the passwords. -
- -
- Logging - - LAM can log events (e.g. user logins). You can use system - logging (syslog for Unix, event viewer for Windows) or log to a - separate file. Please note that LAM may log sensitive data (e.g. - passwords) at log level "Debug". Production systems should be set to - "Warning" or "Error". - - The PHP error reporting is only for developers. By default LAM - does not show PHP notice messages in the web pages. You can select to - use the php.ini setting here or printing all errors and - notices. - - - - - - - - -
- -
- Additional options - - Email - format - - Some email servers are not standards compatible. If you receive - mails that look broken you can change the line endings for sent mails - here. Default is to use "\r\n". - - At the moment, this option is only available in LAM Pro as there - is no mail sending in the free version. See here for setting up your SMTP - server. - - - - - - - - -
- -
- Change master password - - If you would like to change the master configuration password - then enter a new password here. - - - - - - - - -
-
- -
- Server profiles - - The server profiles store information about your LDAP server (e.g. - host name) and what kind of accounts (e.g. users and groups) you would - like to manage. There is no limit on the number of server profiles. See - the typical scenarios about - how to structure your server profiles. - -
- Manage server profiles - - Select "Manage server profiles" to open the profile management - page. - - - - - - - - - - Here you can create, rename and delete server profiles. The - passwords of your server - profiles can also be reset. - - You may also specify the default server profile. This is the - server profile which is preselected at the login page. It also - specifies the language of the login and configuration pages. - - Templates for new server - profiles - - You can create a new server profile based on one of the built-in - templates or any existing profile. Of course, the account types and - selected modules can be changed after you created your profile. - - Built-in templates: - - - - addressbook: simple profile for user management with - inetOrgPerson object class - - - - samba3: Samba 3 users, groups, hosts and domains - - - - unix: Unix users and groups (posixAccount/Group) - - - - windows_samba4: Active Directory user, group and host - management - - - - - - - - - - - - All operations on the profile management page require that you - authenticate yourself with the configuration master - password. -
- -
- Editing a server profile - - Please select you server profile and enter its password to edit - a server profile. - - - - - - - - - - Each server profile contains the following information: - - - - General settings: general - settings about your LDAP server (e.g. host name and security - settings) - - - - Account types: list of - account types (e.g. users and groups) that you would like to - manage and type specific settings (e.g. LDAP suffix) - - - - Modules: list of modules - which define what account aspects (e.g. Unix, Samba, Kolab) you - would like to manage - - - - Module settings: settings - which are specific for the selected account modules on the page - before - - - -
- General settings - - Here you can specify the LDAP server and some security - settings. - - - - - - - - - - The server address of your LDAP server can be a DNS name or an - IP address. Use ldap:// for unencrypted LDAP connections or TLS - encrypted connections. LDAP+SSL (LDAPS) encrypted connections are - specified with ldaps://. The port value is optional. TLS cannot be - combined with ldaps://. - - Hint: If you use a master/slave setup with referrals then - point LAM to your master server. Due to bugs in the underlying LDAP - libraries pointing to a slave might cause issues on write - operations. - - LAM includes an LDAP browser which allows direct modification - of LDAP entries. If you would like to use it then enter the LDAP - suffix at "Tree suffix". - - The search limit is used to reduce the number of search - results which are returned by your LDAP server. - - The access level specifies if LAM should allow to modify LDAP - entries. This feature is only available in LAM Pro. LAM non-Pro - releases use write access. See this page for details on - the different access levels. - - Advanced options - - Sometimes, you may not want to display the server address on - the login page. In this case you can setup a display name here (e.g. - "Production"). - - By default LAM will not follow LDAP referrals. This is ok for - most installations. If you use LDAP referrals please activate the - referral option in advanced settings. - - Paged results should be activated only if you encounter any - problems regarding size limits on Active Directory. LAM will then - query LDAP to return results in chunks of 999 entries. - - - - - LAM is translated to many different languages. Here you can - select the default language for this server profile. The language - setting may be overriden at the LAM login page. - - Please also set your time zone here. - - - - - - - - - - LAM can manage user home directories and quotas with an - external script. 
You can specify the home directory server and where - the script is located. The default rights for new home directories - can be set, too. - - You can provide a fixed user name. If you leave the field - empty then LAM will use your current account (the account you used - to login to LAM). - - There are two possibilities to connect to your home - directory/quota server: - - - - SSH key (recommended): Please generate a SSH key pair and - provide the location to the private key file. If the key is protected - by a password you can also specify it here. - - - - Password: If you do not set a SSH key then LAM will try to - connect with your current account (the password you used to - login to LAM). - - - - - - - - - - - - LAM Pro users may directly set passwords - from list view. You can configure if it should be possible to set - specific passwords and showing password on screen is allowed. - - - - - - - - - - LAM Pro users can send out changed passwords to their users. - Here you can specify the options for these mails. - - If you select "Allow alternate address" then password mails - can be sent to any address (e.g. a secondary address if the user - account is also bound to the mailbox). - - - - - - - - - - LAM supports two methods for login. - - - - - - - - - - The first one is to specify a fixed list of LDAP DNs that are - allowed to login. Please enter one DN per line. - - The second one is to let LAM search for the DN in your - directory. E.g. if a user logs in with the user name "joe" then LAM - will do an LDAP search for this user name. When it finds a matching - DN then it will use this to authenticate the user. The wildcard - "%USER%" will be replaced by "joe" in this example. This way you can - provide login by user name, email address or other LDAP - attributes. - - Additionally, you can enable HTTP authentication when using - "LDAP search". This way the web server is responsible to - authenticate your users. 
LAM will use the given user name + password - for the LDAP login. You can also configure this to setup advanced - login restrictions (e.g. require group memberships for login). To - setup HTTP authentication in Apache please see this link - and an example for LDAP authentication here. - - Hint: LDAP search with group - membership check can be done with either HTTP authentication or LDAP - overlays like "memberOf" - or "Dynamic - lists". Dynamic lists allow to insert virtual attributes to - your user entries. These can then be used for the LDAP filter (e.g. - "(&(uid=%USER%)(memberof=cn=admins,ou=groups,dc=company,dc=com))"). - - - - - - - - - - You may also change the password of this server profile. - Please just enter the new password in both password fields. -
- -
- Account types - - LAM supports to manage various types of LDAP entries (e.g. - users, groups, DHCP entries, ...). On this page you can select which - types of entries you want to manage with LAM. - - - - - - - - - - The section at the top shows a list of possible types. You can - activate them by simply clicking on the plus sign next to it. - - Each account type has the following options: - - - - LDAP suffix: the LDAP - suffix where entries of this type should be managed - - - - List attributes: a list - of attributes which are shown in the account lists - - - - Additional LDAP filter: - LAM will automatically detect the right LDAP entries for each - account type. This can be used to further limit the number of - visible entries (e.g. if you want to manage only some specific - groups). You can use "@@LOGIN_DN@@" as wildcard (e.g. - "(owner=@@LOGIN_DN@@)"). It will be replaced by the DN of the - user who is logged in. - - - - Hidden: This is used to - hide account types that should not be displayed but are required - by other account types. E.g. you can hide the Samba domains - account type and still assign domains when you edit your - users. - - - - Read-only (LAM Pro only): - This allows to set a single account type to read-only mode. - Please note that this is a restriction on functional level (e.g. - group memberships can be changed on user page even if groups are - read-only) and is no replacement for setting up proper ACLs on - your LDAP server. - - - - Custom label: Here you - can set a custom label for the account types. Use this if the - standard label does not fit for you (e.g. enter "Servers" for - hosts). - - - - No new entries (LAM Pro - only): Use this if you want to prevent that new - accounts of this type are created by your users. The GUI will - hide buttons to create new entries and also disable file upload - for this type. 
- - - - Disallow delete (LAM Pro - only): Use this if you want to prevent that accounts - of this type are deleted by your users. - - - - - - - - - - - - On the next page you can specify in detail what extensions - should be enabled for each account type. -
- -
- Modules - - The modules specify the active extensions for each account - type. E.g. here you can setup if your user entries should be address - book entries only or also support Unix or Samba. - - - - - - - - - - Each account type needs a so called "base module". This is the - basement for all LDAP entries of this type. Usually, it provides the - structural object class for the LDAP entries. There must be exactly - one active base module for each account type. - - Furthermore, there may be any number of additional active - account modules. E.g. you may select "Personal" as base module and - Unix + Samba as additional modules. -
- -
- Module settings - - Depending on the activated account modules there may be - additional configuration options available. They can be found on the - "Module settings" tab. E.g. the Personal account module allows to - hide several input fields and the Unix module requires to specify - ranges for UID numbers. - - - - - - - - -
-
- -
- Cron jobs (LAM Pro) - - LAM Pro can execute common tasks via cron job. This can be used - to e.g. notify your users before their passwords expire. - -
- LDAP and database configuration - - Please add the LDAP bind user and password for all jobs. This - LDAP account will be used to perform all LDAP read and write - operations. - - Next, select the database type where LAM should store job - related data. Supported databases are SQLite and MySQL. - - SQLite - - This is a simple file based database. It needs no special - database server. The database file will be located next to the - server profile in config directory. - - You will need to install the SQLite PDO module for PHP - (pdo_sqlite.so). For Debian this is located in package - php5-sqlite. - - - - - - - - - - MySQL - - This will store all job data in an external MySQL - database. - - You will need to install the MySQL PDO module for PHP - (pdo_mysql.so). For Debian this is located in package - php5-mysql. - - Steps to create a MySQL database and user: - - # login -mysql -u root -p -# create a database -mysql> create database lam_cron; -# -mysql> CREATE USER 'lam_cron'@'%' IDENTIFIED BY 'password'; -mysql> CREATE USER 'lam_cron'@'localhost' IDENTIFIED BY 'password'; -# grant access for new user -mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'%'; -mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost'; - - - - - - - - - - - -Test your settings - - After the LDAP and database settings are done you can test - your settings. - - Cron entry - - LAM also prints the crontab line that you need to run the - configured jobs on a daily basis. The command must be run as the - same user as your webserver is running. You are free to change the - starting time of the script or run it more often. -
- -
- Adding jobs - - To add a new job just click on the "Add job" button and select - the job type you need. The list of available jobs depends on your - active account modules. E.g. the PPolicy job will only be available - if you activated PPolicy user module. - - Depending on the job type jobs may be added multiple times - with different configurations. For descriptions about the available - job types see next chapters. - - - - - - - - - -
- PPolicy: Notify users about password expiration - - This will send your users an email reminder before their - password expires. - - You need to activate the PPolicy module for users to be able - to add this job. The job can be added multiple times (e.g. to send - a second warning at a later time). - - LAM calculates the expiration date based on the last - password change and the assigned password policy (or the default - policy) using attributes pwdMaxAge and pwdExpireWarning. - - Examples: - - Warning time (pwdExpireWarning) = 14 days, notification - period = 10: LAM will send out the email 24 days before the - password expires - - Warning time (pwdExpireWarning) = 14 days, notification - period = 0: LAM will send out the email 14 days before the - password expires - - No warning time (pwdExpireWarning), notification period = - 10: LAM will send out the email 10 days before the password - expires - - - - - - - - - - - Options - - - - - Option - - Description - - - - From address - - The email address to set as FROM. - - - - Reply-to address - - Optional Reply-to address for email. - - - - CC address - - Optional CC mail address. - - - - BCC address - - Optional BCC mail address. - - - - Subject - - The email subject line. Supports wildcards, see - below. - - - - Text - - The email body text. Supports wildcards, see - below. - - - - Notification period - - Number of days to notify before password - expires. - - - - Default password policy - - Default PPolicy password policy entry (object class - "pwdPolicy"). - - - -
- - Wildcards: - - You can enter LDAP attributes as wildcards in the form - @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use - "@@cn@@". For the common name it would be "@@cn@@". - - There are also two special wildcards for the expiration - date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. - "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g. - "2016-12-31". -
- -
- 389ds: Notify users about password expiration - - This will send your users an email reminder before their - password expires. - - You need to activate the Account Locking module for users to - be able to add this job. The job can be added multiple times (e.g. - to send a second warning at a later time). - - LAM calculates the expiration date based on the attribute - passwordExpirationTime. - - - - - - - - - - - Options - - - - - Option - - Description - - - - From address - - The email address to set as FROM. - - - - Reply-to address - - Optional Reply-to address for email. - - - - CC address - - Optional CC mail address. - - - - BCC address - - Optional BCC mail address. - - - - Subject - - The email subject line. Supports wildcards, see - below. - - - - Text - - The email body text. Supports wildcards, see - below. - - - - Notification period - - Number of days to notify before password - expires. - - - -
- - Wildcards: - - You can enter LDAP attributes as wildcards in the form - @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use - "@@cn@@". For the common name it would be "@@cn@@". - - There are also two special wildcards for the expiration - date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. - "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g. - "2016-12-31". -
- -
- Shadow: Notify users about password expiration - - This will send your users an email reminder before their - password expires. - - You need to activate the Shadow module for users to be able - to add this job. The job can be added multiple times (e.g. to send - a second warning at a later time). - - LAM calculates the expiration date based on the last - password change, the password warning time (attribute - "shadowWarning") and the specified notification period. - - Examples: - - Warning time = 14, notification period = 10: LAM will send - out the email 24 days before the password expires - - Warning time = 14, notification period = 0: LAM will send - out the email 14 days before the password expires - - - - - - - - - - - Options - - - - - Option - - Description - - - - From address - - The email address to set as FROM. - - - - Reply-to address - - Optional Reply-to address for email. - - - - CC address - - Optional CC mail address. - - - - BCC address - - Optional BCC mail address. - - - - Subject - - The email subject line. Supports wildcards, see - below. - - - - Text - - The email body text. Supports wildcards, see - below. - - - - Notification period - - Number of days to notify before password - expires. - - - -
- - Wildcards: - - You can enter LDAP attributes as wildcards in the form - @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use - "@@cn@@". For the common name it would be "@@cn@@". - - There are also two special wildcards for the expiration - date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. - "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g. - "2016-12-31". -
- -
- Shadow: Delete or move expired accounts - - You can automatically delete or move expired accounts. The - job checks Shadow account expiration dates (not password - expiration dates). - - - - - - - - - - - Options - - - - - Option - - Description - - - - Delay - - Number of days to wait after the account is - expired. - - - - Action - - Delete or move accounts - - - - Target DN - - Move only: specifies the DN where accounts are - moved - - - -
-
- -
- Windows: Notify users about password expiration - - This will send your users an email reminder before their - password expires. - - You need to activate the Windows module for users to be able - to add this job. The job can be added multiple times (e.g. to send - a second warning at a later time). - - LAM calculates the expiration date based on the last - password change and the domain policy. - - - - - - - - - - - Options - - - - - Option - - Description - - - - From address - - The email address to set as FROM. - - - - Reply-to address - - Optional Reply-to address for email. - - - - CC address - - Optional CC mail address. - - - - BCC address - - Optional BCC mail address. - - - - Subject - - The email subject line. Supports wildcards, see - below. - - - - Text - - The email body text. Supports wildcards, see - below. - - - - Notification period - - Number of days to notify before password - expires. - - - -
- - Wildcards: - - You can enter LDAP attributes as wildcards in the form - @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use - "@@cn@@". For the common name it would be "@@cn@@". - - There are also two special wildcards for the expiration - date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. - "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g. - "2016-12-31". -
- -
- Windows: Delete or move expired accounts - - You can automatically delete or move expired - accounts. - - - - - - - - - - - Options - - - - - Option - - Description - - - - Delay - - Number of days to wait after the account is - expired. - - - - Action - - Delete or move accounts - - - - Target DN - - Move only: specifies the DN where accounts are - moved - - - -
-
- -
- FreeRadius: Delete or move expired accounts - - You can automatically delete or move expired - accounts. - - - - - - - - - - - Options - - - - - Option - - Description - - - - Delay - - Number of days to wait after the account is - expired. - - - - Action - - Delete or move accounts - - - - Target DN - - Move only: specifies the DN where accounts are - moved - - - -
-
- -
- Qmail: Delete or move expired accounts - - You can automatically delete or move expired accounts. The - job reads the qmail deletion date of user accounts. - - - - - - - - - - - Options - - - - - Option - - Description - - - - Delay - - Number of days to wait after the account is - expired. - - - - Action - - Delete or move accounts - - - - Target DN - - Move only: specifies the DN where accounts are - moved - - - -
-
-
- -
- Job history - - This will show the list of all executed job runs and their - result. - - - - - - - - -
-
- -
- Typical scenarios - - This is a list of typical scenarios how your LDAP environment - may look like and how to structure the server profiles for it. - -
- Simple: One LDAP directory managed by a small group of - admins - - This is the easiest and most common scenario. You want to - manage a single LDAP server and there is only one or a few admins. - In this case just create one server profile and you are done. The - admins may be either specified as a fixed list or by using an LDAP - search at login time. - - - - - - - - -
- -
- Advanced: One LDAP server which is managed by different admin - groups - - Large organisations may have one big LDAP directory for all - user/group accounts. But the users are managed by different groups - of admins (e.g. departments, locations, subsidiaries, ...). The - users are typically divided into organisational units in the LDAP - tree. Admins may only manage the users in their part of the - tree. - - - - - - - - - - In this situation it is recommended to create one server - profile for each admin group (e.g. department). Setup the LDAP - suffixes in the server profiles to point to the needed - organisational units. E.g. use - ou=people,ou=department1,dc=company,dc=com or - ou=department1,ou=people,dc=company,dc=com as LDAP suffix for users. - Do the same for groups, hosts, ... This way each admin group will - only see its own users. You may want to use LDAP search for the LAM - login in this scenario. This will prevent that you need to update a - server profile if the number of admins changes. - - Attention: LAM's feature to - automatically find free UIDs/GIDs for new users/groups will not work - in this case. LAM uses the user/group suffix to search for already - assigned UIDs/GIDs. As an alternative you can specify different - UID/GID ranges for each department. Then the UIDs/GIDs will stay - unique for the whole directory. -
- -
- Multiple LDAP servers - - You can manage as many LDAP servers with LAM as you wish. This - scenario is similar to the advanced scenario above. Just create one - server profile for each LDAP server. - - - - - - - - -
- -
- Single LDAP directory with lots of users (>10 000) - - LAM was tested to work with 10 000 users. If you have a lot - more users then you have basically two options. - - - - Divide your LDAP tree in organisational units: This is - usually the best performing option. Put your accounts in several - organisational units and setup LAM as in the advanced scenario - above. - - - - Increase memory limit: Increase the memory_limit parameter - in your php.ini. This will allow LAM to read more entries. But - this will slow down the response times of LAM. - - -
-
-
-
- - - Managing entries in your LDAP directory - - This chapter will give you instructions how to manage the different - LDAP entries in your directory. - - Please note that not all account types are manageable with the free - LAM release. LAM Pro provides some more account types (e.g. group of - names, aliases, ...) and modules (e.g. Zarafa, custom scripts, ...) to - support additional LDAP object classes. All LAM Pro features are marked in - this manual. - - Basic page layout: - - After the login LAM will present you its main page. It consists of a - header part which is equal for all pages and the content area which covers - most the of the page. - - The header part includes the links to manage all account types (e.g. - users and groups) and open the tree view (LDAP browser). There is also the - logout link and a tools entry. - - When you login the you will see an account listing in the content - area. - - - - - - - - - - Here you can create, delete and modify accounts. Use the action - buttons at the left or double click on an entry to edit it. - - The suffix selection box allows you to list only the accounts which - are located in a subtree of your LDAP directory. - - - - - - - - - - You can change the number of shown entries per page with "Change - settings". Depending on the account type there may be additional settings. - E.g. the user list can convert group numbers to group names. - - When you select to edit an entry then LAM will show all its data on - a tabbed view. There is one tab for each functional part of the account. - You can set default values by loading an account profile. - - - - - - - - - -
- Typical usage scenarios - - Here is a list of typical usage scenarios and what account types - and modules you need to configure. - - Address book entries: - - Account types: - - - - Users (Personal) - - - - Unix accounts: - - Account types: - - - - Users (Personal + Unix) - - - - Groups (Unix (posixGroup)) - - - - Suse users may need to use Group (Group of names + Unix - (rfc2307bisPosixGroup)) because of Suse's special LDAP schema. - - Samba 3 accounts: - - Account types: - - - - Users (Personal + User + Samba 3) - - - - Groups (Unix + Samba 3) - - - - Hosts (Account + Unix + Samba 3) - - - - Samba domains (Samba domain) - - - - Samba 4/Active Directory: - - Account types: - - - - Users (Windows) - - - - Groups (Windows) - - - - Hosts (Windows) - - - - Please note that must change the attributes that are shown in the - account lists. Otherwise, the account tables will show empty lines. See - the documentation for the Windows user/group/host modules. - - For Samba 4 with Zarafa use the following modules: - - - - Users (Windows + Zarafa (+ Zarafa contact)) - - - - Groups (Windows + Zarafa) - - - - Hosts (Windows + Zarafa) - - - - Zarafa dynamic groups (Zarafa dynamic group) - - - - Zarafa address lists (Zarafa address list) - - - - See also the Zarafa section for - additional settings (e.g. using Zarafa AD schema). - - Asterisk: - - Account types: - - - - Users (Personal + Asterisk) - - - - Asterisk extensions (Asterisk extension) - - - - Zarafa: - - Account types: - - - - Users (Personal + Unix + Zarafa (+ Zarafa contact)) - - - - Groups (Unix + Zarafa) - - - - Zarafa dynamic groups (Zarafa dynamic group) - - - - Zarafa address lists (Zarafa address list) - - - - Hosts (Device + Zarafa + IP Address) - - - - PyKota: - - Account types: - - - - Users (Personal + Unix + PyKota) - - - - Groups (Unix + PyKota) - - - - Printers (PyKota) - - - - Billing codes (PyKota) - - -
- -
- Users - - LAM manages various types of user accounts. This includes address - book entries, Unix, Samba, Zarafa and much more. - - - - - Account list settings: - - The user list includes two special options to change how your - users are displayed. - - - - - - - - - - Translate GID number to group name: By - default the user list can show the primary group IDs (GIDs) of your - users. There are often cases where it is more suitable to show the group - name instead. This can be done by activating this option. Please note - that LAM will execute more LDAP queries which may result in decreased - performance. - - - - - - - - - - Show account status: If you activate this - option then there will be an additional column displayed that shows if - the account is locked. You can see more details when moving the mouse - cursor over the lock icon. This function supports Unix, Samba, PPolicy, - Windows and 389ds locking+deactivation. - - - - - - - - - - - - - Password: - - Click the "Set password" button to change the user's password(s). - Depending on the active account modules LAM will offer to change - multiple passwords at the same time. - - If a module supports to enforce a password change then you will - see the appropriate checkbox. LAM Pro also offers to send the password - via email after the account is saved. Email options are specified in - your LAM server profile. - - - - - - - - - - - - - Quick account (un)locking: - - When you edit an user then LAM supports to quickly lock/unlock the - whole account. This includes Unix, Samba and PPolicy. LAM can also - remove group memberships if an account is locked. - - You will see the current status of all account parts in the title - area of the account. - - - - - - - - - - If you click on the lock icon then a dialog will be opened to - change these values. Depending on which parts are locked LAM will - provide options to lock/unlock account parts. - - - - - - - - - - - - - - - - - -
- Personal - - This module is the most common basis for user accounts in LAM. - You can use it stand-alone to manage address book entries or in - combination with Unix, Samba or other modules. - - The Personal module provides support for managing various - personal data of your users including mail addresses and telephone - numbers. You can also add photos of your users (please install PHP - Imagick/ImageMagick for full file format support). If you do - not need to manage all attributes then you can deactivate them in your - server profile. - - Configuration - - Please activate the module "Personal (inetOrgPerson)" for - users. - - - - - - - - - - The module manages lots of fields. Probably, you will not need - all of them. You can hide fields in module settings. - - In advanced options you may also set fields to read-only (for - existing accounts) and define limits for photo files. Additionally, - you can add an "ou=addressbook" subentry to each user in case you - manage user addressbooks. - - - - - - - - - - - - - User management - - - - - - - - - - User certificates can be uploaded and downloaded. LAM will - automatically convert PEM to DER format. 
- - - - - - - - - - - LDAP attribute mappings - - - - - Attribute name - - Name inside LAM - - - - - - businessCategory - - Business category - - - - carLicense - - Car license - - - - cn/commonName - - Common name - - - - departmentNumber - - Department(s) - - - - description - - Description - - - - employeeNumber - - Employee number - - - - employeeType - - Employee type - - - - facsimileTelephoneNumber/fax - - Fax number - - - - givenName/gn - - First name - - - - homePhone - - Home telephone number - - - - initials - - Initials - - - - jpegPhoto - - Photo - - - - l - - Location - - - - labeledURI - - Web site - - - - mail/rfc822Mailbox - - Email address - - - - manager - - Manager - - - - mobile/mobileTelephoneNumber - - Mobile number - - - - organizationName/o - - Organisation - - - - ou - - Organizational unit - - - - pager - - Pager number - - - - physicalDeliveryOfficeName - - Office name - - - - postalAddress - - Postal address - - - - postalCode - - Postal code - - - - postOfficeBox - - Post office box - - - - registeredAddress - - Registered address - - - - roomNumber - - Room number - - - - sn/surname - - Last name - - - - st - - State - - - - street/streetAddress - - Street - - - - telephoneNumber - - Telephone number - - - - title - - Job title - - - - userCertificate - - User certificates - - - - uid/userid - - User name - - - - userPassword - - Password - - - -
- - Wildcards - - This module provides the following wildcards (others may be - provided by other modules): - - - - $firstname: First name - - - - $lastname: Last name - - - - $user: User name - - - - $commonname: Common name - - - - $email: Email address - - - - You can use them in the following input fields on user edit - screen: - - - - Common name - - - - Description - - - - Mail - - - - Postal address - - - - Registered address - - - - Web site - - - - Use this when some of your data always follows the same schema. - E.g. using "$firstname $lastname" in common name field can be used - like this to get "First Last". You can set the wildcards in profile - editor so they are automatically applied for new users. - - - - - - - - - - - - - - - - - - -
- -
- Unix - - The Unix module manages Unix user accounts including group - memberships. - - There are several configuration options for this module: - - - - UID generator: LAM will suggest UID numbers for your - accounts. Please note that it may happen that there are duplicate - IDs assigned if users create accounts at the same time. Use an - overlay - like "Attribute Uniqueness" (example) if you have lots of - LAM admins creating accounts. - - - - Fixed range: LAM searches for free numbers within the - given limits. LAM always tries to use a free UID that is - greater than the existing UIDs to prevent collisions with - deleted accounts. - - - - Samba ID pool: This uses a special LDAP entry that - includes attributes that store a counter for the last used - UID/GID. Please note that this requires that you install the - Samba schema and create an LDAP entry of object class - "sambaUnixIdPool". - - - - Magic number: Use this if your LDAP server assigns the - UID numbers automatically (e.g. DNA by 389 server). Enter the - server's magic number setting. - - - - - - Password hash type: If possible use CRYPT-SHA512 or SSHA to - protect your user's passwords. The option SASL will set the - password to "{SASL}<user name>". - - - - Login shells: List of valid login shells that can be - selected when editing an account. - - - - Hidden options: Some input fields can be hidden to simplify - the GUI if you do not need them. - - - - Set primary group as memberUid: By default primary group - membership is not set on group objects but only on user - (gidNumber). Activate this if you need to have the primary group - membership in group object, too. - - - - Do not add object class: This is for Windows only. When the - checkbox is activated then the posixAccount object class will not - be added to a user. - - - - User name suggestion: The user name is automatically filled - as specified in the configuration (default smiller for Steve - Miller). 
Of course, the suggested value can be changed any time. - Common name is also filled with first/last name by default. - - - - - - - - - - - - - - - - - - - - - - - Group memberships can be changed when clicking on "Edit groups". - Here you can select the Unix groups and group of names - memberships. - - To enable "Group of names" please either add the groups module - "groupOfNames"/"groupOfUniqueNames" or add the account type "Group of - names". - - - - - - - - - - You can also create home directories for your users if you setup - lamdaemon. This allows you to - create the directories on the local or remote servers. - - It is also possible to check the status of the user's home - directories. If needed the directories can be created or removed at - any time. - - - - - - - - - - Wildcards - - This module provides the following wildcards (others may be - provided by other modules): - - - - $user: User name - - - - $group: Groupe name (not numeric number) - - - - You can use them in the following input fields on user edit - screen: - - - - Common name - - - - Gecos - - - - Home directory - - - - Use this when some of your data always follows the same schema. - E.g. using "/home/$user" in home directory field can be used like this - to get "/home/myuser". You can set the wildcards in profile editor so - they are automatically applied for new users. - - - - - - - - - - - - - - - - - - -
- -
- Group of names and group of members (LAM Pro) - - This module manages memberships in group of (unique) names and - also group of members. - - Please note that this module cannot be used if the Unix module - is active. In this case group memberships may be managed with the Unix - module. - - Configuration - - To activate this feature please add the user module "Group of - names (groupOfNamesUser)" to your LAM server profile. - - - - - - - - - - The module automatically detects if groups are based on - "groupOfNames", "groupOfUniqueNames" or "groupOfMembers" and sets the - correct attribute. - - - - - - - - -
- -
- Organizational roles (LAM Pro) - - LAM can manage role memberships in organizationalRole objects. To - activate this feature please add the user module "Roles - (organizationalRoleUser)" to your LAM server profile. - - - - - - - - - - User editing - - Now, there will be a new tab "Roles" when you edit your user - accounts. Here you can select the role memberships. - - - - - - - - -
- -
- Shadow - - LAM supports the management of the LDAP substitution of - /etc/shadow. Here you can setup password policies for your Unix - accounts and also view the last password change of a user. - - - - - - - - -
- -
- NIS net groups - - Configuration - - Please add the module "NIS net groups (nisNetGroupUser)" to the - list of active user modules. - - - - - - - - - - User editing - - You will now see a new tab when editing users. Here you can - assign memberships in NIS net groups and also set host/domain. - - - - - - - - -
- -
- Password self reset (LAM - Pro) - - LAM Pro allows your users to reset their passwords by answering - a security question. The reset link is displayed on the self service page. Additionally, - you can set question + answer in the admin interface. - - Please note that self service and LAM admin interface are - separated functionalities. You need to specify the list of possible - security questions in both self service profile(s) and server - profile(s). - - Schema installation - - Please install the LDAP schema as described here. - - Activate password self reset - module - - Please activate the password self reset module in your LAM Pro - server profile. - - - - - - - - - - Now select the tab "Module settings" and specify the list of - possible security questions. Only these questions will be selectable - when you later edit accounts unless you explicitly allow to enter - custom questions. LAM Pro supports to set up to three security - questions per user. - - If you do not want to set backup email addresses then you can - hide this option. - - - - - - - - - - Edit users - - After everything is setup please login to LAM Pro and edit your - users. You will see a new tab called "Password self reset". Here you - can activate/remove the password self reset function for each user. - You can also change the security question and answer. - - If you set a backup email address then confirmation emails will - also be sent to this address. This is useful if the user password - grants access to the user's primary mailbox. So passwords can be - unlocked with an external email address. - - Hint: You can add the - passwordSelfReset object class to all your users with the multi edit tool. - - Samba 4 note: Due to a bug in - Samba 4 you need to add the extension, save, and then select a - question and set the answer. If you add the extension, set - question/answer and then save all together this will cause an LDAP - error and no changes will be saved. - - - - - - - - -
- -
- Hosts - - You can specify a list of valid host names where the user may - login. If you add the value "*" then the user may login to any host. - This can be further restricted by adding explicit deny entries which - are prefixed with "!" (e.g. "!hr_server"). - - Please note that your PAM settings need to support host - restrictions. This feature is enabled by setting pam_check_host_attr yes in your /etc/pam_ldap.conf. When it is enabled then the - account facility of pam_ldap will perform the checks and return an - error when no proper host attribute is present. Please note that users - without host attribute cannot login to such a configured - server. - - - - - - - - -
- -
- Samba 3 - - LAM supports full Samba 3 user management including logon hours - and terminal server options. - - The module is enabled by adding "Samba 3 (sambaSamAccount)" to - your user modules. - - - - - - - - - - In the configuration options you can enable password history - checking. Depending on your LDAP server you might need ascending or - descending order. Just switch the setting if the password history is - not correctly updated. - - In case you have no very old Windows clients (e.g. Windows 98) - it is recommended to disable LM hashes. They are considered to be - insecure. - - You can also hide some input fields if you do not need - them. - - - - - - - - - - After configuring the module you will see the Samba 3 tab when - you edit a user. - - - - - - - - - - Logon hours can be changed. - - - - - - - - - - You can also setup terminal server settings. - - - - - - - - -
- -
- Windows (Samba 4) - - Please activate the account type "Users" in your LAM server - profile and then add the user module "Windows - (windowsUser)(*)". - - - - - - - - - - The default list attributes are for Unix and not suitable for - Windows (blank lines in account table). Please use - "#cn;#givenName;#sn;#mail" or select your own attributes to display in - the account list. - - - - - - - - - - On tab "Module settings" you can specify the possible Windows - domain names and if pre-Windows 2000 user names should be - managed. - - NIS support is deactivated by default. Enable it if - needed. - - - - - - - - - - Now you can manage your Windows users and e.g. assign groups. - You might want to set the default domain name in the profile editor. - - Attention: - - - - Password changes require a secure connection via ldaps://. - Check your LAM server profile if password changes are refused by - the server. - - - - Your server must run a 64bit operating system. Otherwise, - the module might not work. - - - - - - - - - - - - - - - - - - - - Wildcards - - This module provides the following wildcards (others may be - provided by other modules): - - - - $firstname: First name - - - - $lastname: Last name - - - - $user: User name - - - - $commonname: Common name - - - - $email: Email address - - - - You can use them in the following input fields on user edit - screen: - - - - Common name - - - - Display name - - - - Email - - - - Email alias - - - - Home directory - - - - Profile path - - - - Script path - - - - Use this when some of your data always follows the same schema. - E.g. using "$firstname $lastname" in common name field can be used - like this to get "First Last". You can set the wildcards in profile - editor so they are automatically applied for new users. - - - - - - - - - - - - - - - - - - -
- -
- Filesystem quota (lamdaemon) - - You can manage file system quotas with LAM. This requires to - setup lamdaemon. LAM connects to - your server via SSH and manages the disk filesystem quotas. The quotas - are stored directly on the filesystem. This is the default mechanism - to store quotas for most systems. - - Please add the module "Quota (quota)" for users to your LAM - server profile to enable this feature. - - If you store the quota information directly inside LDAP please - see the next section. - - - - - - - - -
- -
- Filesystem quota (LDAP) - - You can store your filesystem quotas directly in LDAP. See - Linux - DiskQuota for details since it requires quota tools that - support LDAP. You will need to install the quota LDAP schema to manage - the object class "systemQuotas". - - Please add the module "Quota (systemQuotas)" for users to your - LAM server profile to enable this feature. - - If you store the quota information on the filesystem please see - the previous section. - - - - - - - - -
- -
- Kolab - - This module supports to manage Kolab accounts with LAM. E.g. you - can set the user's mail quota and define invitation policies. - - Please add the Kolab user module in your LAM server profile to - activate Kolab support. - - - - - - - - - - Attention: LAM will add the object class "mailrecipient" by - default. This object class is available on 389 directory server but - may not be present on e.g. OpenLDAP. Please deactivate the following - setting (LAM server profile, module settings) if you do not use this - object class. - - - - - - - - - - Please enter an email address at the Personal page and set a - Unix password first. Both are required that Kolab accepts the - accounts. The email address ("Personal" page) must match your Kolab - domain, otherwise the account will not work. - - Attention: The mailbox server - cannot be changed after the account has been saved. Please make sure - that the value is correct. - - Kolab users should not be directly deleted with LAM. You can - mark an account for deletion which then is done by the Kolab server - itself. This makes sure that the mailbox etc. is also deleted. - - - - - - - - - - If you upgrade existing non-Kolab accounts please make sure that - the account has an Unix password. -
- -
- Asterisk - - LAM supports Asterisk accounts, too. See the Asterisk section for details. -
- -
- EDU person - - EDU person accounts are mainly used in university networks. You - can specify the principal name, nick names and much more. - - - - - - - - -
- -
- PyKota - - There are two LAM user modules depending if your user entries - should be built on object class "pykotaObject" or a different - structural object class (e.g. "inetOrgPerson"). For "pykotaObject" - please select "PyKota (pykotaUserStructural(*))" and "PyKota - (pykotaUser)" in all other cases. - - - - - - - - - - To display the job history please setup the job DN on tab - "Module settings": - - - - - - - - - - Now you can add the PyKota extension to your user accounts. Here - you can setup the printing options and add payments for this - user. - - For LAM Pro there are also self service fields to allow users - e.g. to view their current balance and job history. - - - - - - - - - - You may also view the payment and job history. - - - - - - - - - - - - - - - - -
- -
- Password policy (LAM Pro) - - OpenLDAP supports the ppolicy overlay - to manage password policies for LDAP entries. LAM Pro supports managing the policies and assigning them to - user accounts. - - Please add the account type "Password policies" to your LAM - server profile and activate the "Password policy" module for the user - type. - - - - - - - - - - You can select the password policy and force a password change - on next login. Accounts can also be (un)locked. - - - - - - - - - - You can assign any password policy which is found in the LDAP - suffix of the "Password policies" type. When you set the policy to - "default" then OpenLDAP will use the default policy as defined in your - slapd.conf file. - - Attention: Locking and - unlocking requires that you also activate the option "Lockout users" - in the assigned password policy. - Otherwise, it will have no effect. -
- -
- Account locking for 389ds (LAM Pro) - - This module allows you to display if users are locked by 389ds - server. You can (de)activate your users. The password expiration time - can also be managed. - - Requirements: 389ds LDAP server - - Configuration - - Please add the user module "Account locking - (locking389ds)". - - - - - - - - - - This will show the password expiration time. You can edit the - value if needed. - - If there are any failed login attempts then LAM displays their - number and till when the user is locked by the system. - - The limit of failed login attempts and lockout duration is - configured on your LDAP server and not within LAM. - - - - - - - - - - You can unlock the user by clicking on the lock icon. - - Here you can also (de)activate the account. - - Note: Accounts are only locked by the LDAP server due to failed - password attempts. You cannot manually lock an account. Deactivate it - in case you want to disable login for a user. - - - - - - - - -
- -
- FreeRadius - - FreeRadius is a software that implements the RADIUS - authentication protocol. LAM allows you to mange several of the - FreeRadius attributes. - - To activate the FreeRadius plugin please activate the FreeRadius - user module in your server profile: - - - - - - - - - - You can disable unneeded fields on the tab "Module settings". - Here you can also set the DN where your Radius profile templates are - stored if you use the option "Profile". - - - - - - - - - - Now you will see the tab "FreeRadius" when editing users. The - extension can be (de)activated for each user. You can setup e.g. - realm, IP and expiration date. - - - - - - - - -
- -
- Heimdal Kerberos (LAM Pro) - - You can manage your Heimdal Kerberos accounts with LAM Pro. - Please add the user module "Kerberos (heimdalKerberos)" to activate - this feature. - - Setup password changing - - LAM Pro cannot generate the password hashes itself because - Heimdal uses a propietary format for them. Therefore, LAM Pro needs to - call e.g. kadmin to set the password. - - The wildcards @@password@@ and @@principal@@ are replaced with - password and principal name. Please use keytab authentication for this - command since it must run without any interaction. - - Example to create a keytab: ktutil -k /root/lam.keytab add -p - lam@LAM.LOCAL -e aes256-cts-hmac-sha1-96 -V 1 - - Security hint: Please secure your LAM Pro server since the new - passwords will be visible for a short term in the process list during - password change. - - - - - - - - - - User management - - You can specify the principal/user name, ticket lifetimes and - expiration dates. Additionally, you can set various account - options. - - - - - - - - -
- -
- MIT Kerberos (LAM Pro) - - You can manage your MIT Kerberos accounts with LAM Pro. Please - add the user module "Kerberos (mitKerberos)" to activate this feature. - If you want to manage entries based on the structural object class - "krbPrincipal" please use "Kerberos (mitKerberosStructural)" - instead. - - Setup password changing - - LAM Pro cannot generate the password hashes itself because MIT - uses a propietary format for them. Therefore, LAM Pro needs to call - kadmin/kadmin.local to set the password. - - LAM will add "-q 'cpw -pw PASSWORD PRINCIPAL'" to the command to - set the password. Please use keytab authentication for this command - since it must run without any interaction. - - Keytabs may be created with the "ktutil" application. - - Security hint: Please secure your LAM Pro server since the new - passwords will be visible for a short term in the process list during - password change. - - Example commands: - - - - /usr/sbin/kadmin -k -t /home/www-data/apache.keytab -p - realm/changepwd - - - - sudo /usr/sbin/kadmin.local - - - - - - - - - - - - User management - - You can specify the principal/user name, ticket lifetimes and - expiration dates. Additionally, you can set various account - options. - - - - - - - - -
- -
- Mail aliases - - This module allows to add/remove the user in mail alias - entries. - - Note: You need to activate the - mail alias type for this - module. - - To activate mail aliases for users please select the module - "Mail aliases (nisMailAliasUser)": - - - - - - - - - - On tab Module settings you can select if you want to set the - user name or email as recipient in alias entries. - - - - - - - - - - Now you will see the mail aliases tab when editing an - user. - - The red cross will only remove the user from the alias entry. If - you click the trash can button then the whole alias entry (which may - contain other users) will be deleted. - - - - - - - - - - You can add the user to existing alias entries or create - completly new ones. - - - - - - - - -
- -
- Qmail (LAM Pro) - - LAM Pro manages all qmail attributes for users. This includes - mail addresses, ID numbers and quota settings. - - Please note that the main mail address is managed on tab - "Personal" if this module is active. Otherwise, it will be on the - qmail tab. - - - - - - - - - - You can hide several qmail options if you do not want to manage - them with LAM. This can be done on the module settings tab of your LAM - server profile. - - - - - - - - -
- -
- Mail routing - - LAM supports to manage mail routing for user accounts. - - Module activation: - - This feature can be activated by adding the "Mail routing" - module to the user account type in your server profile. - - - - - - - - - - Usage: - - You can specify a routing address, the mail server and a number - of local addresses to route. - - In case you want to add this extension by default for new users - there is an option in profile editor. - - - - - - - - -
- -
- SSH keys - - You can manage your public keys for SSH in LAM if you installed - the LPK patch for - SSH. Activate the "SSH public key" module for users in the - server profile and you can add keys to your user entries. - - - - - - - - -
- -
- Authorized services - - You can setup PAM to check if a user is allowed to run a - specific service (e.g. sshd) by reading the LDAP attribute - "authorizedService". This way you can manage all allowed services via - LAM. - - - - To activate this PAM feature please setup your /etc/libnss-ldap.conf and set - "pam_check_service_attr" to "yes". - - - - Inside LAM you can now set the allowed services. You may also - setup default services in your account profiles. - - - - - - - - - - You can define a list of services in your LAM server profile - that is used for autocompletion. - - - - - - - - - - The autocompletion will show all values that contains the - entered text. To display the whole list you can press backspace in the - empty input field. Of course, you can also insert a service name that - is not in the list. - - - - - - - - -
- -
- IMAP mailboxes - - LAM may create and delete mailboxes on an IMAP server for your - user accounts. You will need an IMAP server that supports either SSL - or TLS for this feature. - - To activate the mailbox management module please add the - "Mailbox (imapAccess)" module for the type user in your LAM server - profile: - - - - - - - - - - Now configure the module on the tab "Module settings". Here you - can specify the IMAP server name, encryption options, the - authentication for the IMAP connection and the valid mail domains. LAM - can use either your LAM login password for the IMAP connection or - display a dialog where you need to enter the password. It is also - possible to store the admin password in your server profile. This is - not recommended for security reasons. - - The user name can either be a fixed name (e.g. "admin") or it - can be generated with LDAP attributes of the LAM admn user. E.g. $uid$ - will be transformed to "myUser" if you login with - "uid=myUser,ou=people,dc=example,dc=com". - - The mail domains specify for which accounts mailboxes may be - created/deleted. E.g. if you enter "lam-demo.org" then mailboxes can - be managed for "user@lam-demo.org" but not for "user@example.com". Use - "*" for any domain. - - You need to install the SSL certificate of the CA that signed - your server certificate. This is usually done by installing the - certificate in /etc/ssl/certs. Different Linux distributions may offer - different ways to do this. For Debian please copy the certificate in - "/usr/local/share/ca-certificates" and run "update-ca-certificates" as - root. - - It is not recommended to disable the validation of IMAP server - certificates. - - The prefix, user name attribute and path separator specifies how - your mailboxes are named (e.g. "user.myUser@localhost" or - "user/myUser"). Select the values depending on your IMAP server - settings. - - You can specify a list of initial folder names to create for new - mailboxes. 
LAM will then create them with each new mailbox. - - - - - - - - - - When you edit an user account then you will now see the tab - "Mailbox". Here you can create/delete the mailbox for this - user. - - - - - - - - -
- -
- IP addresses (LAM Pro) - - You can manage the IP addresses of user accounts (e.g. assigned - by DHCP) with the ipHost module. - - Configuration - - - - - - - - - - User editing - - - - - - - - -
- -
- Account - - This is a very simple module to manage accounts based on the - object class "account". Usually, this is used for host accounts only. - Please pay attention that users based on the "account" object class - cannot have contact information (e.g. telephone number) as with - "inetOrgPerson". - - You can enter a user/host name and a description for your - accounts. - - - - - - - - -
-
- -
- Groups - - - -
- Unix - - This module is used to manage Unix group entries. This is the - default module to manage Unix groups and uses the nis.schema. Suse - users who use the rfc2307bis.schema need to use - LAM Pro. - - Configuration - - Please add the account type "Groups" and then select account - module "Unix (posixGroup)". - - - - - - - - - - GID generator: LAM will suggest GID numbers for your accounts. - Please note that it may happen that there are duplicate IDs assigned - if users create groups at the same time. Use an overlay - like "Attribute Uniqueness" (example) if you have lots of LAM - admins creating groups. - - - - Fixed range: LAM searches for free numbers within the given - limits. LAM always tries to use a free GID that is greater than - the existing GIDs to prevent collisions with deleted - groups. - - - - Samba ID pool: This uses a special LDAP entry that includes - attributes that store a counter for the last used UID/GID. Please - note that this requires that you install the Samba schema and - create an LDAP entry of object class "sambaUnixIdPool". - - - - Magic number: Use this if your LDAP server assigns the GID - numbers automatically (e.g. DNA by 389 server). Enter the server's - magic number setting. - - - - Disable membership management: Disables group membership - management. This is useful if memberships are e.g. managed via group - of names. - - - - - - - - - - Group management: - - - - - - - - - - Group membership management: - - - - - - - - -
- -
- Unix groups with rfc2307bis schema (LAM Pro) - - Some applications (e.g. Suse Linux) use the rfc2307bis schema - for Unix accounts instead of the nis schema. In this case group - accounts are based on the object class groupOf(Unique)Names or namedObject. - The object class posixGroup is auxiliary in this case. - - LAM Pro supports these groups with a special account module: - rfc2307bisPosixGroup - - Use this module only if your system depends on the rfc2307bis - schema. The module can be selected in the LAM configuration. Instead - of using groupOfNames as basis for your groups you may also use - namedObject. - - Module activation: - - - - - - - - - - GID generator: LAM will suggest GID numbers for your accounts. - Please note that it may happen that there are duplicate IDs assigned - if users create groups at the same time. Use an overlay - like "Attribute Uniqueness" (example) if you have lots of LAM - admins creating groups. - - - - Fixed range: LAM searches for free numbers within the given - limits. LAM always tries to use a free GID that is greater than - the existing GIDs to prevent collisions with deleted - groups. - - - - Samba ID pool: This uses a special LDAP entry that includes - attributes that store a counter for the last used UID/GID. Please - note that this requires that you install the Samba schema and - create an LDAP entry of object class "sambaUnixIdPool". - - - - Magic number: Use this if your LDAP server assigns the GID - numbers automatically (e.g. DNA by 389 server). Enter the server's - magic number setting. - - - - Disable membership management: Disables group membership - management. This is useful if memberships are e.g. managed via group - of names. - - Force sync with group of names: This will automatically set the - group memberships of the Unix part to the same members as set on group - of names tab. - - - - - - - - - - The GID number will be filled automatically based on the server - profile configuration. 
- - - - - - - - - - Group members can be edited and also synced with Group of - (unique) names. - - - - - - - - -
- -
- Samba 3 - - LAM supports managing Samba 3 groups. You can set special group - types and also create Windows predefined groups like "Domain - admins". - - Module activation: - - - - - - - - - - Group editing: - - - - - - - - -
- -
- Windows (Samba 4) - - LAM can manage your Windows groups. Please enable the account - type "Groups" in your LAM server profile and then add the group module - "Windows (windowsGroup)(*)". - - - - - - - - - - The default list attributes are for Unix and not suitable for - Windows (blank lines in account table). Please use - "#cn;#member;#description" or select your own attributes to display in - the account list. - - - - - - - - - - NIS support is deactivated by default. Enable it if needed on - tab "Module settings". - - - - - - - - - - Now you can edit your groups inside LAM. You can manage the - group name, description and its type. Of course, you can also set the - group members. - - Group scopes: - - - - Global: Use this for groups with frequent changes. Global - groups are not replicated to other domains. - - - - Universal: Groups with universal scope are used to - consolidate groups that span domains. They are globally - replicated. - - - - Domain local: Groups with domain local scope can be used to - set permissions inside one domain. They are not replicated to - other domains. - - - - Group type: - - - - Security: Use this group type to control permissions. - - - - Distribution: These groups are only used for email - applications. They cannot be used to control permissions. - - - - With "Show effective members" you can show a list of all members - of this group including members of subgroups and their - subgroups. - - - - - - - - -
- -
- Kolab - - Please activate the Kolab group module in your LAM server - profile to activate Kolab support. - - - - - - - - - - You can specify the email address and also set allowed sender - and recipient addresses. - - - - - - - - -
- -
- Mail routing - - LAM supports to manage mail routing for group accounts. - - Module activation: - - This feature can be activated by adding the "Mail routing" - module to the group account type in your server profile. - - - - - - - - - - Usage: - - You can specify a routing address, the mail server and a number - of local addresses to route. - - In case you want to add this extension by default for new groups - there is an option in profile editor. - - - - - - - - -
- -
- Quota - - You can manage file system quotas with LAM. This requires to - setup lamdaemon. File system quotas - are not stored inside LAM but managed directly on the specified - servers. - - - - - - - - -
- -
- PyKota - - There are two LAM group modules depending if your group entries - should be built on object class "pykotaObject" or a different - structural object class (e.g. "posixGroup"). For "pykotaObject" please - select "PyKota (pykotaGroupStructural(*))" and "PyKota (pykotaGroup)" - in all other cases. - - - - - - - - - - Now you can add the PyKota extension to your groups. - - - - - - - - -
-
- -
- Hosts - -
- Account - - Please see the description here. -
- -
- Device (LAM Pro) - - The device object class allows to manage general information - about all sorts of devices (e.g. computers, network hardware, ...). - You can enter the serial number, location and a describing text. It is - also possible to specify the owner of the device. - - - - - - - - -
- -
- Samba 3 - - You can manage Samba 3 host entries by adding the Unix and Samba - 3 account modules. - - - - - - - - - - - - - - - - -
- -
- Windows (Samba 4) - - LAM can manage your Windows servers and workstations. Please - enable the account type "Hosts" in your LAM server profile and then - add the host module "Windows (windowsHost)(*)". - - - - - - - - - - The default list attributes are for Unix and not suitable for - Windows (blank lines in account table). Please use - "#cn;#description;#location" or select your own attributes to display - in the account list. - - - - - - - - - - Now you will see you computer accounts inside LAM. You can set - e.g. the server's description and location information. - - - - - - - - -
- -
- IP addresses (LAM Pro) - - You can manage the IP addresses of host accounts with the ipHost - module. It manages the following information: - - - - IP addresses (IPv4/IPv6) - - - - location of the host - - - - manager: the person who is responsible for the host - - - - You can activate this extension by adding the module ipHost to - the list of active host modules. - - - - - - - - -
- -
- MAC addresses - - Hosts can have an unlimited number of MAC addresses. To enable - this feature just add the "MAC address" module to the host account - type. - - - - - - - - -
- -
- Puppet - - LAM supports to manage your Puppet configuration. You can - edit all attributes like environment, classes, variables and parent - node. - - Configuration - - To activate this feature please edit your LAM server profile and - add the host module "Puppet (puppetClient)" on tab "Modules". This - will add the Puppet tab to your host pages. - - - - - - - - - - On tab "Module settings" in your LAM server profile you may also - setup some common environment names. LAM will use them to provide - autocompletion hints when editing the environment for a node. - - If you enter any value in "Enforce classes" then LAM will only - accept this list of classes. - - - - - - - - - - Editing nodes - - When you edit a host entry then you will see the tab "Puppet". - Here you can add/remove the Puppet extension and edit all - attributes. - - - - - - - - -
- -
- NIS net groups - - NIS netgroups can be used to e.g. restrict SSH access to your - machines. - - Configuration - - Please add the module "NIS net groups (nisNetGroupHost)" to the - list of active host modules. - - - - - - - - - - Host editing - - You will now see a new tab when editing hosts. Here you can - assign memberships in NIS net groups and also set user/domain. - - - - - - - - -
-
- -
- Samba 3 domains - - Samba 3 stores information about its domain settings inside LDAP. - This includes the domain name, its SID and some policies. You can manage - all these attributes with LAM. - - Please activate the account type "Samba domains" in your LAM - server profile. Please notice that Samba by default uses the LDAP root - for domain objects (e.g. dc=example,dc=com). - - - - - - - - - - This will add a new tab to LAM where you can manage domain - information. - - The domain name, SID and RID base can only be specified for new - domains and are not changeable via LAM at a later time. You may setup - several password policies for your Samba domains and also some RID - options that influence the creation of SIDs for - users/groups/hosts. - - - - - - - - -
- -
- Group of (unique) names and group of members (LAM Pro) - - These classes can be used to represent group relations. Since they - allow DNs as members you can also use them to represent nested - groups. - - Configuration: - - Activate the account type "Group of names" in your LAM server - profile to use these account modules. Alternatively, you can use the - account type "Groups". - - - - - - - - - - - - - - - - - - Then add the module "Group of names (groupOfNames)", "Group of - unique names (groupOfUniqueNames)" or "Group of members - (groupOfMembers)". - - - - - - - - - - - - - - - - - - - - On the module settings tab you set some options like the display - format for members/owners and if fields like description should not be - displayed. - - - - - - - - - - Group management: - - Group of (unique) names have four basic attributes: - - - - Name: a unique name for the group - - - - Description: optional description - - - - Owner: the account which owns this group (optional) - - - - Members: the members of the group (at least one is - required) - - - - You can add any accounts as members. This includes other groups - which leads to nested groups. - - To show members of nested groups click on "Show effective - members". Please note that for large groups this will run lots of - queries against your LDAP server. - - - - - - - - -
- -
- Organizational roles (LAM Pro) - - This module manages roles via the organizationalRole object class. - There is also a user - module to manage memberships on the user edit page. - - Configuration: - - Activate the account type "Groups" in your LAM server profile to - use this account module. Alternatively, you can use the account type - "Group of names". - - - - - - - - - - - - - - - - - - Then add the module "Role (organizationalRole)". - - - - - - - - - - On the module settings tab you set some options like the display - format for members and if description should not be displayed. - - - - - - - - - - Role management: - - You can add any accounts as members. This includes other roles - which leads to nested roles (needs to be supported by LDAP client - applications). - - To show members of nested roles click on "Show effective members". - Please note that for large roles this will run lots of queries against - your LDAP server. - - - - - - - - -
- -
- Asterisk - - LAM includes large support for Asterisk. You can add Asterisk - extensions (including voicemail) to your users and also manage Asterisk - extensions. - - The Asterisk support for users can be added by selecting the - Asterisk and Asterisk voicemail modules for users in your LAM server - profile. This will add the following tabs to your user accounts. - - - - - - - - - - The Asterisk module allows to edit a large amount of attributes. - Therefore, you can hide unused fields. Please edit you server profile - (Module settings) to do so. - - - - - - - - - - Of course, the voicemail part of Asterisk is also - supported. - - - - - - - - - - If you also want to manage Asterisk extensions then simply add the - account type "Asterisk extensions" and its module to your server - profile. - - LAM groups your Asterisk extension entries by extension name and - account context. If you edit an extension then you will see the Asterisk - entries as rules. LAM manages that all rule entries have the same owners - and assigns the priorities. - - - - - - - - -
- -
- Zarafa (LAM Pro) - - Zarafa is an OpenSource collaboration software. LAM Pro provides - support to manage Zarafa server entries, users and groups. It covers all - settings for these types including resource and quota settings. - - LAM Pro is an official Zarafa Certified Integration. - - - - - - - -
- Configuration - - To enable Zarafa support in LAM Pro please activate the Zarafa - modules for the Users, Groups and Hosts account types in you server - profile: - - - - - - - - - - Attention: LAM Pro uses the - Zarafa OpenLDAP schema as default. This schema fits for OpenLDAP, - OpenDJ, Apache Directory server and other common LDAP servers. If you - run Samba 4 or Active Directory then you need to switch the schema to - "Active Directory" on the module settings tab: - - - - - - - - - - You can configure which parts of the Zarafa user options should - be enabled. E.g. if you do not want to manage quotas per user then you - can hide these options on the tab "Module settings". - - - - - "Send as" attribute: Here you - can specify how "Send as" privileges should be managed. LAM supports - "uid" and "dn". - - If you select "uid" the LAM will store user names in the - zarafaSendAsPrivilege attribute. This way you are restricted to - specify user accounts as "Send as" allowed. - - You can also set this option to "dn" and LAM will store DNs in - the zarafaSendAsPrivilege attribute. In this case you may specify - users and groups as "Send as" allowed. - - - - - Examples for your Zarafa ldap.cfg: - - "Send as" attribute: dn - - ldap_user_sendas_attribute_type = dn - - - - - "Send as" attribute: uid - - ldap_user_sendas_attribute_type = text - - ldap_user_sendas_relation_attribute = uid - - -Attention: If the Active Directory schema is used then LAM will always use dn and ignore this setting. - - - - - Features: Zarafa 7 allows to - enable IMAP/POP3 for each user. Please hide the option "Features" if - you use Zarafa 6.x. - - - - - - - - - -
- Users - - This is an example of the user edit page with all possible - settings. This includes email settings, quotas and some options - (e.g. hide from address book). You can also set the resource type - and capacity for meeting rooms and equipment. The Zarafa extension - can be added and removed at any time for every user. - - Please note that the option "Features" requires Zarafa 7. - Please hide this option in the LAM server profile if you run Zarafa - 6.x. - - - - - - - - -
- -
- Contacts - - LAM Pro can manage your Zarafa contact entries. You can set - the email aliases and "send as" privileges. Additionally, accounts - may be hidden in the address book or disabled. - - Please note that you can either use the Zarafa user module or - Zarafa contact. LAM Pro will disable the other tab when enabling one - of them. - - - - - - - - -
- -
- Groups - - This is the edit page for groups. You can enter an email - address and additional aliases for your groups. It is also possible - to specify options (e.g. hide from address book). The extension can - be added/removed dynamically. - - Please note that the option "Send-as privileges" requires the - Zarafa 7.0.3 schema. Please hide this option in the LAM server - profile if you run Zarafa < 7.0.3. - - - - - - - - -
- -
- Servers - - The Zarafa extension for host accounts allows to set the - connection ports and file path. You can add/remove the extension at - any time. - - Setting the public store option is only possible for new host - entries. - - Please note that the proxy URL option requires the Zarafa 7.1 - schema. Please hide this option in your LAM server profile if you - use an older version. - - - - - - - - -
- -
- Address lists - - Zarafa allows to store address lists in LDAP. You need to - define a search base and LDAP filter for each address list. E.g. - entering "ou=people,dc=company,dc=com" as base and "uid=*" will - select all users that are stored in - "ou=people,dc=company,dc=com". - - You can also hide your lists from the address book or - temporarily disable them. - - - - - - - - -
- -
- Dynamic groups - - Zarafa allows to define dynamic groups in LDAP. You need to - define a search base and LDAP filter for each group. E.g. entering - "ou=people,dc=company,dc=com" as base and "uid=*" will select all - users that are stored in "ou=people,dc=company,dc=com". - - Dynamic groups may have an email address and multiple email - alias addresses. - - You can also hide your dynamic groups from the address book or - temporarily disable them. - - - - - - - - -
-
-
- -
- Kolab shared folders - - Please add the account type "Kolab shared folders" in your LAM - server profile and set the correct LDAP suffix. - - - - - - - - - - - - - - - - - - - - - Then add the "Kolab shared folder" module on tab "Modules". - - - - - - - - - - Now you can start to add shared folders inside LAM. - - - - - - - - -
- -
- DHCP - - You can mange your DHCP server with LAM. It supports to manage - subnets, fixed IP entries, IP ranges and DDNS. - - Configuration - - The DHCP management can be activated by adding the account type - DHCP to your server profile. Please also add the DHCP modules. - - LAM requires that you use an LDAP entry with the object class - "dhcpService" or "dhcpServer" as suffix for this account type. If the - "dhcpServer" entry points to a "dhcpService" entry via "dhcpServiceDN" - then you need to use the DN of the "dhcpService" entry as LDAP suffix - for DHCP. - - - - - Add account type: - - - - - - - - - - Set suffix: - - - - - - - - - - Add modules: - - - - - - - - - - Example server - entry: - - dn: - cn=server,ou=dhcp,dc=ldap-account-manager,dc=org - - objectclass: dhcpServer - - objectclass: dhcpOptions - - objectclass: top - - cn: server - - dhcpcomments: My DHCP server - - dhcpoption: domain-name - "ldap-account-manager.org" - - dhcpoption: domain-name-servers 192.168.1.1 - - dhcpoption: routers 192.168.1.1 - - dhcpoption: netbios-name-servers 192.168.1.1 - - dhcpoption: subnet-mask 255.255.255.0 - - dhcpoption: netbios-node-type 8 - - dhcpstatements: default-lease-time 3600 - - dhcpstatements: max-lease-time 7200 - - dhcpstatements: include "mykey" - - dhcpstatements: ddns-update-style interim - - dhcpstatements: update-static-leases true - - dhcpstatements: ignore client-updates - - - - - Example settings for - dhcpd.conf: - - ddns-update-style none; - - deny unknown-clients; - - ldap-server "server"; - - ldap-dhcp-server-cn "server"; - - ldap-port 389; - - ldap-username - "uid=dhcp,ou=people,dc=ldap-account-manager,dc=org"; - - ldap-password "{SSHA}XXXXXXXXXXXX"; - - ldap-base-dn - "ou=dhcp,dc=ldap-account-manager,dc=org"; - - ldap-method dynamic; - - ldap-debug-file - "/var/log/dhcp-ldap-startup.log"; - - - - - - - slapd.conf changes: - - include /etc/ldap/schema/dhcp.schema - - index dhcpHWAddress eq - - index dhcpClassData eq -Run slapindex to 
rebuild the index. - - - - You can manage the settings of your DHCP service/server - entry: - - - - - - - - - - You can easily create new subnet entries. - - - - - - - - - - It is also possible to specify a list of fixed IPs. - - - - - - - - - - IP ranges may be specified. - - If you use failover pools for your IP ranges please use the pool - options on the bottom. Here you can add DHCP pools (object class - "dhcpPool") and specify the failover peer. - - - - - - - - - - If you activated DDNS in the server entry then you may also - specify the DDNS settings for this subnet. - - - - - - - - -
- -
- Bind DLZ (LAM Pro) - - Bind DLZ is - an extension to the DNS server Bind that allows to store - DNS entries inside LDAP. Please install the Bind DLZ schema file on your - LDAP server. It is part of the DLZ patch. - - Configuration - - First, you need to add the Bind DNS account type and the Bind DLZ - module: - - - - - - - - - - Please set the LDAP suffix either to an existing DNS zone - (dlzZone) or an organizational unit that should include your DNS - zones. - - - - - - - - - - - - - - - - - - - - - Automatic PTR management - - LAM can automatically create/delete PTR entries for the entered - IPv4/6 records. You can enable this feature on the module settings - tab. - - PTR records will get the same TTL as IP records. Please note that - you need to have matching reverse zones (".in-addr.arpa"/".ip6.arpa") - under the same suffix as your other DNS entries. - - - - - - - - - - Zone management - - If you do not yet have a DNS zone then LAM can create one for you. - In list view switch the suffix to an organizational unit DN. Now you - will see a button "New zone". - - This will create the zone container entry and a default DNS entry - "@" for authoritative information. Now switch the suffix to your new - zone and start adding DNS entries. - - - - - - - - - - DNS entries - - LAM supports the following DNS record types: - - - - SOA: authoritative information - - - - NS: name servers - - - - A/AAAA: IP addresses - - - - PTR: reverse DNS entries - - - - CNAME: alias names - - - - MX: mail servers - - - - TXT: text records - - - - SRV: service entries - - - - - - - Authoritative (SOA) and name server (NS) - records - - Here you can manage general information about the zone like - timeouts and name servers. Please note that name servers must be - inserted in a special format (dot at the end). - - - - - - - - - - - - - IP addresses (A/AAAA) - - LAM will automatically set the correct type (A/AAAA) depending if - you enter an IPv4 or IPv6 address. 
- - - - - - - - - - - - - Reverse DNS entries - - Reverse DNS entries are important when you need to find the DNS - name that is associated with a given IP address. Reverse DNS entries are - stored in a separate DNS zone. - - - - - - - - - - - - - Alias names (CNAME) - - Sometimes a DNS entry should simply point to a different DNS entry - (e.g. for migrations). This can be done by adding an alias name. - - - - - - - - - - - - - Mail servers (MX) - - The mail server entries define where mails to a domain should be - delivered. The server with the lowest preference has the highest - priority. - - - - - - - - - - - - - Text records (TXT) - - Text records can be added to store a description or other data - (e.g. SPF information). - - - - - - - - - - - - - Services (SRV) - - Service records can be used to specify which servers provide - common services such as LDAP. Please note that the host name must be - _SERVICE._PROTOCOL (e.g. _ldap._tcp). - - - - - Priority: The priority of the target host, lower value means more - preferred. - - Weight: A relative weight for records with the same priority. E.g. - weights 20 and 80 for a service will result in 20% queries to the one - server and 80% to the other. - - Port: The port number that is used for your service. - - Server: DNS name where service can be reached (with dot at the - end). - - - - - - - - - - - - - File upload - - You can upload complete DNS zones via LAM's file upload. Here is - an example for a zone file and the corresponding CSV file. - - - Zone file - - - - - @ - - IN - - SOA - - ns1.example.com admin.ns1.example.com (1 360000 3600 - 3600000 370000) - - - - - - IN - - NS - - ns1.example.com. - - - - - - IN - - NS - - ns2.example.com. - - - - - - IN - - MX - - 10 mail1.example.com - - - - - - IN - - MX - - 20 mail2.example.com - - - - foo - - IN - - A - - 123.123.123.100 - - - - foo2 - - IN - - CNAME - - foo.example.com - - - - bar - - IN - - A - - 123.123.123.101 - - - - - - IN - - AAAA - - 1:2:3:4:5 - - - -
- - Please check that you have an existing zone entry that can be used - for the file upload. See above to create a new zone. - - Hint: If you use the function above to create a new zone then - please skip the "@" entry in the CSV file below. LAM creates this entry - with sample data. - - In this example we assume that the following zone extry - exists: - - dn: dlzZoneName=example.com,ou=bind,dc=example,dc=com -dlzzonename: example.com -objectclass: dlzZone -objectclass: top - - - - Here is the corresponding CSV file: bindUpload.csv -
- -
- Aliases (LAM Pro) - - Some applications use the object class "alias" to link LDAP - entries to other parts of the LDAP tree. Activate the account type - "Aliases" in your LAM server profile to use this account type. - - Currently, only user accounts can be aliased with the "uidObject" - object class. - - - - - - - - - - - - - - - - -
- -
- Mail aliases - - You can manage mail aliases (e.g. for NIS) inside LAM. This can be - used to replace local /etc/aliases files with LDAP. - - Note: Use the mail alias user - module to manage mail aliases on user pages. - - All accounts of this type are based on the "nisMailAlias" object - class and may have "cn" and "rfc822MailMember" attributes. To activate - this type please add "Mail aliases" in your LAM server profile: - - - - - - - - - - You need to select the Mail aliases module on the next tab. - - - - - - - - - - The mail aliases will then appear as separate tab inside LAM. You - may then manage the aliases with their names and recipient - addresses. - - There are mail/user icons that allow to select a mail address/user - name from the existing users. - - - - - - - - -
- -
- NIS net groups - - LAM supports to define NIS netgroups. You can use them e.g. to - restrict SSH access to your machines. - - Add the NIS net group account type and its module to your server - profile. Then you can manage net groups in LAM. Net groups may contain - other net groups as child groups. You can either insert the host/user - names manually or print the search buttons next to the input fields to - find existing entries in your directory. - - - - - - - - -
- -
- NIS objects (LAM Pro) - - You can manage NIS objects with LAM Pro. This allows you define - network mount points in LDAP. - - Add the NIS objects type to your LAM configuration and then the - NIS objects module. This will add the NIS objects tab to LAM. - - - - - - - - -
- -
- Automount objects (LAM Pro) - - LAM Pro allows you to manage automount entries. Please activate - the account type "Automount objects" in your LAM Pro server - profile. - - - - - - - - - - Then add the correct automount module. Usually, this is "Automount - entry (automount)". If you use Suse Linux with RFC2307bis schema please - select "Automount entry (rfc2307bisAutomount)". - - - - - - - - - - This will add a new tab to LAM Pro's main screen which includes a - list of all automount entries. Here you can easily create new - entries. - - - - - - - - - - Please see the following external HowTos for more information on - automounting and LDAP: - - - - AutofsLDAP - - - - Automount - über LDAP (German) - - -
- -
- Oracle databases (LAM Pro) - - Oracle allows to manage connection data that is stored in - tnsnames.ora to be stored in an LDAP directory. - - Initial setup - - LDAP server setup: - - You will need to install the correct Oracle LDAP schema files on - your LDAP server. If you run no Oracle LDAP server then you can get them - (oidbase.schema, oidnet.schema, oidrdbms.schema, alias.schema) e.g. from - here. - - Next you need to create the root entry for Oracle. It should look - like this: - - dn: cn=OracleContext,dc=example,dc=com -objectclass: orclContext -cn: OracleContext - - You can create it with LAM's tree view. Please note that "cn" must - be set to "OracleContext". - - - - - LAM setup: - - Edit your LAM server profile and add the Oracle account - type: - - - - - - - - - - In case you manage a single Oracle context just enter the - cn=OracleContext entry as LDAP suffix. If you manage multiple Oracle - context entries then set the LDAP suffix to a parent entry of - them. - - - - - - - - - - Next, add the Oracle module: - - - - - - - - - - Now you can login to LAM and start to add database - entries. - - - Managing database entries - - Each database has a service name, the connection string and an - optional description. - - - - - - - - - - Database client setup for - LDAP - - You need to activate the LDAP adapter to make the database tools - reading LDAP. Edit network/admin/sqlnet.ora like this: - - NAMES.DIRECTORY_PATH= (TNSNAMES, LDAP) - - Then add a file called ldap.ora next to your sqlnet.ora and set - the LDAP server and DN suffix where cn=OracleContext is stored: - - DIRECTORY_SERVERS= (ldap.example.com:389:636) -DEFAULT_ADMIN_CONTEXT = "ou=ctx1,ou=oracle,o=test,c=de" -DIRECTORY_SERVER_TYPE = OID - - This will allow e.g. tnsping to get the connection data from - LDAP: - - [oracle@oracle bin]$ tnsping mydb - -TNS Ping Utility for Linux: Version 12.1.0.1.0 - Production on 09-FEB-2014 18:06:54 - -Copyright (c) 1997, 2013, Oracle. All rights reserved. 
- -Used parameter files: -/home/oracle/app/oracle/product/12.1.0/dbhome_1/network/admin/sqlnet.ora - -Used LDAP adapter to resolve the alias -Attempting to contact (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=mydb.example.com)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl))) -OK (10 msec) -
- -
- Password policies (LAM Pro) - - OpenLDAP supports the ppolicy overlay - to manage password policies for LDAP entries. This allows you to set - password policies which are independent from your applications. The - policies are managed internally by the LDAP server. - - You can manage these policies with LAM Pro with the account type - "Password policies". - - - - - - - - - - You will need to add the ppolicy schema to your OpenLDAP - configuration and activate the ppolicy overlay - module in slapd.conf to use this feature. -
- -
- PyKota printers - - Please add the account type "Printers (PyKota printers)" on tab - "Account types" in your server profile and setup the LDAP suffix where - printers are stored. - - - - - - - - - - - - - - - - - - Then add the PyKota printer module on tab "Account - modules". - - - - - - - - - - Next you can start managing printers inside LAM. Here you can - setup the costs for a print job. LAM will also show if the printer is - member of any printer groups. - - - - - - - - - - You can also setup printer groups. Just add some members to your - new group. - - - - - - - - -
- -
- PyKota billing codes - - Please add the account type "Billing codes" on tab "Account types" - in your server profile and setup the LDAP suffix where billing codes are - stored. - - - - - - - - - - - - - - - - - - Then add the PyKota billing code module on tab "Account - modules". - - - - - - - - - - Now login to LAM and you will see the billing code tab where you - can manage your entries. If jobs were printed with a billing code then - you will also see the balance and page count. - - - - - - - - -
- -
- Custom fields (LAM Pro) - - This module allows you to manage LDAP attributes that are not - covered by the other LAM modules (e.g. if you use custom LDAP schemas). - You can fully define how your input fields look like: - - - - Label - - - - LDAP attribute name - - - - Unique name for field - - - - Help text - - - - Read-only display - - - - Field type: text, password, text area, checkbox, radio - buttons, select list, file upload - - - - Validation via regular expression - - - - Error message if validation fails - - - - Limitations: - - Custom fields cannot manage - - - - structural object classes - - - - attributes that require validation rules across multiple - attributes or cannot be described by a simple regular - expression - - - - Activating the custom fields - module: - - You may specify custom fields for all of your account types. - Please enter tab "Modules" in your server profile. Now activate the - "Custom fields (customFields)" module for all needed account - types. - - - - - - - - - - Setting label and icon: - - You may set the label that is displayed e.g. on the tab when - editing an account. It is also possible to specify an icon (must be a - valid URL like "/images/icon.png" or "http://server/images/icon.png"). - The icon size should be 32x32 pixels. - - LAM will display a default icon and "Custom fields" as label if - you do not enter any values. - - You may also specify how LAM displays cutom fields when there are - multiple field groups. The default is accordion view where you can - switch field groups by clicking on the title. You may also deactivate - this mode. Then all field groups are displayed one below the - other. - - - - - - - - - - Defining groups: - - All input fields are devided into groups. A group may contain one - or more object classes and allows you to add/remove a certain set of - input fields. - - E.g. 
you may define two groups - "My application A" and "My - application B" - that manage different LDAP attributes and object - classes. This way you will be able to control both attribute sets - independently. - - To create a group please edit your server profile and switch to - tab "Module settings". You will see the section "Custom fields" which - allows you to add new groups. Now select your account type (e.g. Users) - and specify an alias for your group. This alias will be printed as group - header when you later edit an account in the admin interface. - - - - - - - - - - After you created your new group you can setup the managed object - classes. If you specify any object classes then you will later be able - to add/remove a complete set of attributes including their object - classes. - - Skipping the object classes field is only useful if you want to - manage some attributes that are not yet supported by LAM but there is - already a LAM module that manages the object class. - - - - - - - - - - The group may look like when you edit a user. - - - - - - - - - - - - - - - - - - Adding fields: - - Now you can add a new field that manages an LDAP attribute. Simply - fill the fields and press on "Add". - - Please note that the field name cannot be changed later. It is the - unique ID for this field. - - - - - - - - - - Examples for fields and their representation: - - Text field: - - Text fields allow to specify a validation - expression and error message. - - You can also enable auto-completion. In this case LAM will search - all accounts for the given attribute and provide auto-completion hints - when the user edits this field. This should only be used if there is a - limited number of different values for this attribute. - - In case your field is a date value you can show a calendar for - easy editing. 
- - Example calendar formats: - - - - dd.mm.yy: 31.12.2016 - - - - yy-mm-dd: 2016-12-31 - - - - d M, y: 31 Dec, 16 - - - - d MM, y: 31 December, 2016 - - - - - - - - - - - - Presentation: - - - - - - - - - - Password field: - - You can also manage custom password fields. LAM Pro will display - two fields where the user must enter the same password. You can hash the - password if needed. - - - - - - - - - - Presentation: - - - - - - - - - - Text area: - - This adds a multi-line field. The options are similar to text - fields. Additionally, you can set the size with the number of columns - and rows. - - Please note that the validation - expression should be set to multi-line. This is done by adding - "m" at the end. - - - - - - - - - - Presentation: - - - - - - - - - - Checkbox: - - Sometimes you may want to allow only yes/no values for your LDAP - attributes. This can be represented by a checkbox. You can specify the - values for checked and unchecked. The default value is set if the LDAP - attribute has no value. - - - - - - - - - - Presentation: - - - - - - - - - - Radio buttons: - - This displays a list of radio buttons where the user can select - one value. - - You can specify a mapping of LDAP attribute values and their - display (label) on the Self Service page. To add more mapping fields - please press "Add more mapping fields". - - - - - - - - - - Presentation: - - - - - - - - - - Select list: - - Select lists allow the user to select a value in a large list of - options. The definition of the possible values and their display is - similar to radio buttons. - - You can also allow multiple values. - - - - - - - - - - Presentation: - - - - - - - - - - - - - - - - - - Validation expressions: - - The validation expressions follow the standard of Perl regular - expressions. They start and end with a "/". The beginning of a - line is specified by "^" and the end by "$". - - Examples: - - /^[a-z0-9]+$/ allows small letters and numbers. 
The value must not - be empty ("+"). - - /^[a-z0-9]+$/i allows small and capital letters ("i" at the end - means ignore case) and numbers. The value must not be empty - ("+"). - - Special characters that must be escaped with "\": "\", ".", "(", - ")" - - E.g. /^[a-z0-9\.]$/i - - - - - File upload: - - This is used for binary data. You can restrict uploaded data to a - given file extension and set the maximum file size. - - - - - - - - - - Presentation: - - The uploaded data may also be downloaded via LAM. - - - - - - - - -
- -
- Custom scripts (LAM Pro) - - LAM Pro allows you to execute scripts whenever an account is - created, modified or deleted. This can be useful to automate processes - which needed manual work afterwards (e.g. sending your user a welcome - mail or register a mailbox). Additionally, you can specify manual scipts - that can be executed from within LAM Pro. - - To activate this feature please add the "Custom scripts" module to - all needed account types on the configuration pages. - - - - - - - - - - In "Module settings" you can specify multiple scripts for each - action type (e.g. modify) and account type (e.g. user). The scripts need - to be located on the filesystem of your webserver and will be executed - in its user environment. E.g. if you webserver runs as user www-data - with the group www-data then the custom scripts will be run under this - user with his rights. The output of the scripts will be shown in - LAM. - - You can specify the scripts on the LAM configuration pages. - - - - - - - - - - Syntax: - - Please enter one script per line. Each line has the following - format: <account type> <action> <script> - - E.g.: user preModify /usr/bin/myCustomScript -u $uid$ - - Account types: - - You can setup scripts for all available account types (e.g. user, - group, host, ...). Please see the help on the configuration page about - your current active account types. 
- - Actions: - - - Action types - - - - - Action name - - Description - - - - preCreate - - Executed before creating a new account (cancels operation - if a script returns an exit code > 0, not available for file - upload) - - - - postCreate - - Executed after creating a new account (does not run if preCreate or LDAP operations - fail) - - - - preModify - - Executed before an account is modified (cancels operation - if a script returns an exit code > 0) - - - - postModify - - Executed after an account was modified (does not run if preModify or LDAP operations - fail) - - - - preDelete - - Executed before an account is modified (cancels operation - if a script returns an exit code > 0) - - - - postDelete - - Executed after an account was modified (does not run if preDelete or LDAP operations - fail) - - - - manual - - Can be run manually on account page. If you add - LAMLABEL="text" before the command then LAM will use the text as - label for the button in account edit screen. - - - -
- - Script: - - You can execute any script which is located on the filesystem of - your webserver. The path may be absolute or relative to the - PATH-variable of the environment of your webserver process. It is also - possible to add commandline arguments to your scripts. Additionally, LAM - will resolve wildcards to LDAP attributes. If your script includes an - wildcard in the format $ATTRIBUTE$ then LAM will replace it with the - attribute value of the current LDAP entry. The values of multi-value - attributes are separated by commas. E.g. if you create an account with - the attribute "uid" and value "steve" then LAM will resolve "$uid$" to - "steve". - - Please note that manual scripts can only use the current LDAP - attribute values of the account. Any modifications done that are not - saved will not be available. Manual scripts are also not available for - new accounts that are not yet saved to LDAP. - - You can switch LAM's logging to debug mode if you are unsure which - attributes with which values are available. - - The following special wildcards are available for automatical - scripts: - - - - $INFO.userPasswordClearText$: - cleartext password when Unix/Windows password is changed (e.g. - useful for external password synchronisation) for new/modified - accounts - - - - $INFO.userPasswordStatusChange$: provides - additional information if the Personal/Unix password locking status - was changed, possible values: locked, unlocked, unchanged - - - - $INFO.passwordSelfResetAnswerClearText$: - cleartext answer to security question - - - - $INFO.389lockingStatusChange$: for 389ds - account locking, provides information if account was unlocked. - Possible values: unchanged, unlocked - - - - $INFO.389deactivationStatusChange$: for 389ds - account locking, provides information if account was deactivated. - Possible values: unchanged, activated, deactivated - - - - $NEW.<attribute>$: the - value of a new attribute (e.g. 
$NEW.telephoneNumber$) for modified - accounts - - - - $DEL.<attribute>$: the - value of a deleted attribute (e.g. $DEL.telephoneNumber$) for - modified accounts - - - - $MOD.<attribute>$: the - new value of a modified attribute (e.g. $MOD.telephoneNumber$) for - modified accounts - - - - $ORIG.<attribute>$: the - original value of an attribute (e.g. $ORIG.telephoneNumber$) for - modified accounts - - - - Output may contain HTML: If your - scripts generate HTML output then activate this option. - - Hide command in messages: You may - want to prevent that your users see the executed commands. In this case - activating this option will only show the command output but not the - command itself. - - - - You can see a preview of the commands which will be automatically - executed on the "Custom scripts" tab. Here you can also run the manual - scripts. - - - - - - - - -
- -
- Sudo roles (LAM Pro) - - You can manage your sudo roles in LDAP if you have installed the - sudo-ldap package or compiled sudo with LDAP - support. - - To activate sudo management in LAM Pro edit your server profile - and add the type "Sudo roles". - - - - - - - - - - - - - - - - - - Now you can create sudo commands. - - - - - - - - - - The sudo roles in LDAP work similar to those in /etc/sudoers. You - can specify who may run which commands as which user. It is also - possible to specify options like NOPASSWD. -
- -
- LDAP views based on nsview (LAM Pro) - - LAM Pro supports LDAP views based on the "nsview" object class. - These views allow to create an organizational unit that shows a subset - of your LDAP content. The subset is determined by an LDAP filter. - - Configuration: - - To activate view management in LAM Pro edit your server profile - and add the type "LDAP views". - - - - - - - - - - - - - - - - - - Now you are ready to create your views. Each view has a name, LDAP - filter and an optional description. - - - - - - - - - - - - - - - - -
- -
- General information - - This module is available for all account types. It shows some - internal information about the LDAP entries like the creation time and - who modified the entry. - - If you use the "memberOf" overlay in OpenLDAP then this will also - show group memberships done by the overlay. - - - - - - - - -
- -
- Tree view (LDAP browser) - - The tree view provides a raw view on your LDAP directory. This - feature is for people who are experienced with LDAP and need special - functionality which the LAM account modules not provide. E.g. if you - want to add a special object class to an account or edit attributes - ignoring LAM's syntax checks. - - - - - - - - - - There are also some special functions available: - - Export: This allows you to export - entries to a file (e.g. LDIF or CSV format). - - Show internal attributes: Shows - internal attributes of the current entry. This includes information - about the creator and creation time of the entry. -
-
- - - Tools - - - -
- Profile editor - - The account profiles are templates for your accounts. Here you can - specify default values which can then be loaded when you create - accounts. You may also load a template for an existing account to reset - it to default values. When you create a new account then LAM will always - load the profile named "default". This - account profile can include default values for all your accounts. - - - - - - - - - - You can enter the LDAP suffix, RDN identifier and various other - attributes depending on account type and activated modules. - - - - - - - - - - Import/export: - - Profiles can be exported to and imported from other server - profiles. - - - - - - - - - - - - - - - - - - There is a special export target called "*Global templates". All - profiles exported here will be copied to all other server profiles - (incl. new ones). But existing profiles with the same name are not - overwritten. So a profile in global templates is treated as default - profile for all server profiles. - - Use this if you would like to setup default profiles that are - valid for all server profiles. - - - - - - - - -
- -
- File upload - - When you need to create lots of accounts then you can use LAM's - file upload to create them. LAM will read a CSV formatted file and - create the related LDAP entries. Please check the data in you CSV file - carefully. LAM will do less checks for the file upload than for single - account creation. - - At the first page please select the account type and what - extensions should be activated. - - - - - - - - - - The next page shows all available options for the file upload. You - will also find a sample CSV file which can be used as template for your - CSV file. All red options are required columns in the file. You need to - specify a value for each account. - - When you upload the CSV file then LAM first does some checks on - this file. This includes syntax checks and if all required data was - entered. No changes in the LDAP directory are done at this time. - - If the checks were successful then LAM will ask again if you want - to create the accounts. You will also have the chance to check the - upload by viewing the changes in LDIF format. - - - - - - - - -
- -
- Multi edit - - This tool allows you to modify a large list of LDAP entries in - batch mode. You can add new attributes/object classes, remove attributes - and set attributes to a specific value. - - At the beginning, you need to specify where the entries are stored - that should be changed. You can select an account suffix, the tree - suffix or enter your own DN by selecting "Other". - - Next, enter an additional LDAP filter to limit the entries that - should be changed. E.g. use "(objectclass=inetOrgPerson)" to filter for - users. You may also enter e.g. "(!(objectClass=passwordSelfReset))" to - match all accounts that do not yet have the password self reset - feature. - - - - - Now, it is time to define the changes that should be done. The - following operations are possible: - - - - Add: Adds an attribute value if not yet existing. Please do - not use for single-value attributes that already have a - value. - - - - Modify: Sets an attribute to the given value. If the attribute - does not yet exist then it is added. If the attribute has multiple - values then all other values are removed. - - - - Delete: Deletes the specified value from this attribute. If - you leave the value field blank then all attribute values are - removed. - - - - Please note that all actions are run as separate LDAP commands. - You cannot add an object class and a required attribute at the same - time. - - - - - - - - - - Dry run - - You should always start with a dry run. It will not do any changes - to your LDAP directory but print out all modifications that will be - done. You will also be able to download the changes in LDIF format to - use with ldapmodify. This is useful if you want to adjust some actions - manually. - - - - - - - - - - Apply changes - - This will run the actions against your LDAP directory. You will - see which accounts are edited in the progress area and also if any - errors occured. - - - - - - - - -
- -
- OU editor - - This is a simple editor to add/delete organisational units in your - LDAP tree. This way you can structure the accounts. - - - - - - - - -
- -
- PDF editor - - All accounts in LAM may be exported as PDF files. You can specify - the page structure and displayed information by editing the PDF - profiles. - - - - - - - - - - When you export accounts to PDF then each account will get its own - page inside the PDF. There is a headline on each page where you can show - a page title. You may also add a logo to each page. To add more logos - please use the logo management on the PDF editor main page. - - - - - - - - - - The main part is structured into sections of information. Each - section has a title. This can either be static text or the value of an - attribute. You may also insert a static text block as section. Sections - can be moved by using the arrows next to the section title. - - Each section can contain multiple fields which usually represent - LDAP attributes. You can simply add new fields by selecting the field - name and its position. Then use the arrows to move the field inside the - section. - - - - - Import/export: - - PDF structures can be exported to and imported from other server - profiles. - - - - - - - - - - - - - - - - - - There is a special export target called "*Global templates". All - PDF structures exported here will be copied to all other server profiles - (incl. new ones). But existing PDF structures with the same name are not - overwritten. So a PDF structure in global templates is treated as - default structure for all server profiles. - - Use this if you would like to setup default PDF structures that - are valid for all server profiles. - - - - - - - - - - Logo management: - - You can upload image files to put a custom logo on the PDF files. - The image file name must end with .png or .jpg and the size must not - exceed 2000x300px. - - - - - - - - -
- -
- Schema browser - - Here you browse the schema of your LDAP server. You can view what - object classes, attributes, syntaxes and matching rules are available. - This is useful if you need to check if a certain object class is - available. - - - - - - - - -
- -
- Server information - - This shows information and statistics about your LDAP server. This - includes the suffixes, used overlays, connection data and operation - statistics. You will need "cn=monitor" setup to see all details. Some - data may not be available depending on your LDAP server software. - - Please see the following links how to setup "cn=monitor": - - - - OpenLDAP - - - - 389 - server - - - - - - - - - - -
- -
- Tests - - This allows you to check if your LDAP schema is compatible with - LAM and to find possible problems. - -
- Lamdaemon test - - LAM provides an external script to manage home directories and - quotas. You can test here if everything is setup correctly. - - If you get an error like "no tty present and no askpass program - specified" then the path to the lamdaemon.pl may be wrong. Please see - the lamdaemon installation - instructions for setup details. - - - - - - - - -
- -
- Schema test - - This will test if your LDAP schema supports all object classes - and attributes of the active LAM modules. If you get a message that - something is missing please check that you installed all required schemas. - - If you get error messages about object class violations then - this test can tell you what is missing. - - - - - - - - -
-
-
- - - Access levels and password reset page (LAM Pro) - - You can define different access levels for each profile to allow or - disallow write access. The password reset page helps your deskside support - staff to reset user passwords. - -
- Access levels - - There are three access levels: - - - - Write access (default) - - There are no restrictions. LAM admin users can manage account, - create profiles and set passwords. - - - - Change passwords - - Similar to "Read only" except that the password reset page is available. - - - - Read only - - No write access to the LDAP database is allowed. It is also - impossible to manage account and PDF profiles. - - Accounts may be viewed but no changes can be saved. - - - - The access level can be set on the server configuration - page: - - - - - - - - -
- -
- Password reset page - - This special page allows your deskside support staff to reset the - Unix and Samba passwords of your users. Account may also be (un)locked - If you set the access level to - "Change passwords" then LAM will not allow any changes to the LDAP - database except password changes via this page. The account pages will - be still available in read-only mode. - - You can open the password reset page by clicking on the key symbol - on each user account: - - - - - - - - There are three different options to set a new password. - You can further restrict these options in server profile - settings. - - - - set random password and display it on - screen - - This will set the user's password to a random value. The - password will be 11 characters long with a random combination of - letters, digits and ".-_". - - You may want to use this method to tell users their new - passwords via phone. - - - - set random password and mail it to - user - - If the user account has set the mail attribute then LAM can - send your user a mail with the new password. You can change the mail - template to fit your needs. Please configure your LAM server profile - to setup the sender address, subject and mail body. Please see email format option in case of broken - mails. See here for setting up your - SMTP server. - - Using this method will prevent that your support staff knows - the new password. - - - - set specific password - - Here you can specify your own password. - - - - - - - - - - - - LAM will display contact information about the user like the - user's name, email address and telephone number. This will help your - deskside support to easily contact your users. - - Options: - - Depending on the account there may be additional options - available. - - - - Sync Samba NT/LM password with Unix - password: If a user account has Samba passwords set then - LAM will offer to synchronize the passwords. 
- - - - Unlock Samba account: Locked - Samba accounts can be unlocked with the password change. - - - - Update Samba password - timestamps: This will set the timestamps when the - password was changed (sambaPwdLastSet). Only existing attributes are - updated. No new attributes are added. - - - - Sync Kerberos password with Unix - password: This will also update the Heimdal Kerberos - password. - - - - Sync Asterisk (voicemail) password with - Unix password: Changes also the Asterisk - passwords. - - - - Force password change: This - will force the user to change his password at next login. This - option supports Shadow, Samba 3 and PPolicy (automatically - detected). - - - - - - - Account (un)locking: - - Depending if the account includes a Unix/Samba extension and - PPolicy is activated the page will show options to (un)lock the account. - E.g. if the account is fully unlocked then there will be no unlocking - options printed. - - - - - - - - -
-
- - - Self service (LAM Pro) - -
- Preparations - -
- OpenLDAP ACLs - - By default only a few administrative users have write access to - the LDAP database. Before your users may change their settings you - must allow them to change their LDAP data. - - Hint: The ACLs below are not required if you decide to run all - operations as the LDAP bind user (option "Use for all - operations"). - - This can be done by adding ACLs to your slapd.conf or - slapd.d/cn=config/olcDatabase={1}bdb.ldif which look similar to - these: - - access to - - attrs=userPassword - - by self write - - by anonymous auth - - by * none - - - - - access to - - - attrs=mail,sn,givenName,telephoneNumber,mobile,facsimileTelephoneNumber,street,postalAddress,postOfficeBox,postalCode,roomNumber,shadowLastChange,passwordSelfResetAnswer,passwordSelfResetQuestion,passwordSelfResetBackupMail - - by self write - - by * read - - If you do not want them to change all attributes then reduce the - list to fit your needs. Some modules may require additional LDAP - attributes. You can use the tree view to get the technical attribute - names e.g. by selecting an user account. - - Usually, the slapd.conf file is located in /etc/ldap or - /etc/openldap. -
- -
- Other LDAP servers - - There exist many LDAP implementations. If you do not use - OpenLDAP you need to write your own ACLs. Please check the manual of - your LDAP server for instructions. -
-
- -
- Creating a self service profile - - A self service profile defines what input fields your users see - and some other general settings like the login caption. - - When you go to the LAM configuration page you will see the self - service link at the bottom. This will lead you to the self service - configuration pages - - - - - - - - - - Now we need to create a new self service profile. Click on the - link to manage the self service profiles. - - - - - - - - - - Specify a name for the new profile and enter your master - configuration password (default is "lam") to save the profile. - - - - - - - - - - Now go back to the profile login and enter your master - configuration password to edit your new profile. -
- -
- Edit your new profile - -
- General settings - - On top of the page you see the link to the user login page. Copy - this link address and give it to your users. - - Below the link you can specify several options. - - - - - - - - - - - General options - - - - - Server address - - The address of your LDAP server. For LDAP+SSL use - "ldaps://myserver" - - - - Activate TLS - - Activates TLS encryption. Please note that this cannot - be combined with LDAP+SSL ("ldaps://"). - - - - LDAP suffix - - The part of the LDAP tree where LAM should search for - users - - - - LDAP search attribute - - Here you can specify if your users can login with user - name + password, email + password or other attributes. - - - - Follow referrals - - By default LAM will not follow LDAP referrals. This is - ok for most installations. If you use LDAP referrals please - activate the referral option in advanced settings. - - - - LDAP user + password - - The DN and password which is used to search for users - in the LDAP database. It is sufficient if this DN has only - read rights. If you leave these fields empty LAM will try to - connect anonymously. - - - - Use for all operations - - By default LAM will use the credentials of the user - that logged in to self service for read/modify operations. If - you select this box then the connection user specified before - will be used instead. Please note that this can be a security - risk because the user requires write access to all users. You - need to make sure that your LAM server is well - protected. - - - - Additional LDAP filter - - Use this to enter an additional LDAP filter (e.g. - "(objectClass=passwordSelfReset)") to reduce the number of - accounts who may use self service. - - - - HTTP authentication - - You can enable HTTP authentication for your users. This - way the web server is responsible to authenticate your users. - LAM will use the given user name + password for the LDAP - login. To setup HTTP authentication in Apache please see this - link. 
- - - - Login attribute label - - This is the description for the LDAP search attribute. - Set it to something which your users are familiar - with. - - - - Password field label - - This text is placed as label for the password field on - the login page. LAM will use "Password" if you do not enter - any text. - - - - Login caption - - This text is displayed at the login page. You can input - HTML, too. - - - - Main page caption - - This text is displayed at self service main page where - your users change their data. You can input HTML, too. - - - - Page header - - This HTML code will be placed on top of all self - service pages. E.g. you can use this to place your custom - logo. Any HTML code is permitted. - - - - Additional CSS links - - Here you can specify additional CSS links to change the - layout of the self service pages. This is useful to adapt them - to your corporate design. Please enter one link per - line. - - - -
- - - -
- 2-factor authentication - - LAM supports 2-factor authentication for your users. This - means the user will not only authenticate by user+password but also - with e.g. a token generated by a mobile device. This adds more - security because the token is generated on a physically separated - device (typically mobile phone). - - The token is validated by a second application. LAM currently - supports: - - - - privacyIdea - - - - By default LAM will enforce to use a token and reject users - that did not setup one. You can set this check to optional. But if a - user has setup a token then this will always be required. - - - - - - - - - - After logging in with user + password LAM will ask for the 2nd - factor. If the user has setup multiple factors then he can choose - one of them. - - - - - - - - -
-
- -
- Page layout - - Here you can specify what input fields your users can see. It is - also possible to group several input fields. - - Please use the arrow signs to change the order of the - fields/groups. - - You may also set some fields as read-only for your users. This - can be done by clicking on the lock symbol. Read-only fields can be - used to show your users additional data on the self service page that - must not be changed by themselves (e.g. first/last name). - - Sometimes, you may want to set a custom label for an input - field. Click on the edit icon to set your own label text (Personal: - Department is relabeled as "Business unit" here). - - - - - - - - - - Possible input fields - - This is a list of input fields you may add to the self service - page. - - - Self service fields - - - - - Account - type - - Option - - Description - - - - - - - - Asterisk (voicemail) - - Sync Asterisk password with Unix password - - This is a hidden field. It will update the Asterisk - password each time the Unix password is changed. - - - - - - - - Kerberos - - Sync Kerberos password with Unix password - - This is a hidden field. It will update the Kerberos - password each time the Unix password is changed. - - - - - - - - Kolab - - Delegates - - Allows to manage delegate permissions - - - - Invitation policy - - Invitation policy management - - - - - - - - Password policy - - Last password change - - read-only - - - - - - - - Password self reset - - Question - - Security question selection - - - - Answer - - Security answer - - - - Backup email - - (External) backup email address that has no relation to - user password. 
- - - - - - - - Personal - - Business category - - - - - - Car license - - - - - - Department - - - - - - Description - - - - - - Email address - - - - - - Fax number - - - - - - First name - - - - - - Home telephone number - - - - - - Initials - - - - - - Job title - - - - - - Last name - - - - - - Location - - - - - - Mobile number - - - - - - Office name - - - - - - Organisational unit - - - - - - Photo - - Shows the user photo if set. The user may also remove - the photo or upload a new one. - - - - Postal address - - - - - - Postal code - - - - - - Post office box - - - - - - Registered address - - - - - - Room number - - - - - - State - - - - - - Street - - - - - - Telephone number - - - - - - User certificates - - Upload of user certificates in PEM or DER - format - - - - User name - - - - - - Web site - - - - - - - - - - Samba 3 - - Password - - Input field to set a new NT/LM password. The attribute - "sambaPwdLastSet" is updated if it existed before. - - - - Sync Samba LM password with Unix password - - This is a hidden field. It will update the Samba LM - password each time the Unix password is changed. - - - - Sync Samba NT password with Unix password - - This is a hidden field. It will update the Samba NT - password each time the Unix password is changed. - - - - Update attribute "sambaPwdLastSet" on password - change - - Updates the password timestamp when password is - synchronized with Unix. - - - - Last password change (read-only) - - Displays the date and time of the user's last password - change. - - - - - - - - Shadow - - Last password change (read-only) - - Displays the date and time of the user's last password - change (Unix). 
- - - - - - - - Windows - - Password - - Change the user's password - - - - Location - - - - - - Office name - - - - - - Postal code - - - - - - Post office box - - - - - - State - - - - - - Street - - - - - - Telephone number - - - - - - Web site - - - - - - - - - - Unix - - Common name - - - - - - Login shell - - - - - - Password - - This is also the source for several password - synchronization options. - - - - Sync Unix password with Windows password - - This is a hidden field. It will update the Unix - password each time the Windows password is changed. - - - - - - - - Zarafa - - "Send as" privileges - - Define user who may send mails as this user - - - - Email aliases - - Email aliases - - - - - - - - PyKota - - Balance (read-only) - - Current balance for printing - - - - Total paid (read-only) - - Total money paid - - - - Payment history - - History of user payments - - - - Job history - - History of printed jobs - - - -
-
- -
- Module settings - - This allows to configure some module specific options (e.g. - custom scripts or password hash type). - - - - - - - - -
- -
- Samba 3 - - LAM Pro can check the password history and minimum age for Samba - 3 password changes. In this case please provide the LDAP suffix where - your Samba 3 domain(s) are stored. - - If you leave the field empty then no history and age checks will - be done. - - Password history: depending on your LDAP server you might need - ascending or descending order. Just switch the setting if the password - history is not correctly updated. - - - - - - - - -
- -
- Password self reset - - Schema installation - - Please install the LDAP schema as described here. - - Settings - - You can allow your users to reset their passwords themselves. - This will reduce your administrative costs for cases where users - forget their passwords. - - To enable this feature please activate the checkbox "Enable - password self reset link". - - Hint: Plese note that LAM Pro - uses security questions by default. Activate confirmation mails and - then deactivate security questions if you want to use only email - validation. - - - - - - - - - - You can now configure the minimum answer length for password - reset answers. This is checked when you allow you users to specify - their answers via the self service. Additionally, you can specify the - text of the password reset link (default: "Forgot password?"). The - link is displayed below the password field on the self service login - page. - - Next, please enter the DN and password of an LDAP entry that is - allowed to reset the passwords. This entry needs write access to the - attributes shadowLastChange, pwdAccountLockedTime and userPassword. It - also needs read access to uid, mail, passwordSelfResetQuestion and - passwordSelfResetAnswer. Please note that LAM Pro saves the password - on your server file system. Therefore, it is required to protect your - server against unauthorised access. - - Please also specify the list of password reset questions that - the user can choose. - - Please note that self service and LAM admin interface are - separated functionalities. You need to specify the list of possible - security questions in both self service profile(s) and server - profile(s). - - - - You can inform your users via mail about their password change. - The mail can include the new password by using the special wildcard - "@@newPassword@@". Additionally, you may want to insert other - wildcards that are replaced by the corresponding LDAP attributes. E.g. 
- "@@uid@@" will be replaced by the user name. Please see email format option in case of broken mails. - See here for setting up your SMTP - server. - - - - LAM Pro can send your users an email with a confirmation link to - validate their email address. Of course, this should only be used if - the email account is independent from the user password (e.g. at - external provider) or you use the backup email address feature. The - mail body must include the confirmation link by using the special - wildcard "@@resetLink@@". Additionally, you may want to insert other - wildcards that are replaced by the corresponding LDAP attributes. E.g. - "@@uid@@" will be replaced by the user name. - - There is also an option to skip the security question at all if - email verification is enabled. In this case the password can be reset - directly after clicking on the confirmation link. Please handle with - care since anybody with access to the user's mail account can reset - the password. - - Troubleshooting: - - 1. You get messages like "Unable to find user account." - - This can have multiple reasons: - - - - security questions enabled but no security question and/or - answer set for this user - - - - user name + email combination does not exist - - - - no connection to LDAP server - - - - Turn on logging in LAM's main configuration settings. The exact - reason is logged on notice level. - - 2. You do not see security question and answer fields when - logged into self service. - - Probably, the user does not have the object class - "passwordSelfReset" set. You can do this in admin interface. If you - have multiple users to change then use the Multi Edit Tool to add the object - class. - - New fields for self service - page - - There are special fields that you may put on the self service - page for your users. These fields allow them to change the reset - questions and its answers. 
It is also possible to set a backup email - address to reset passwords with an external email address. - - - - - - - - - - This is an example how can be presented to your users on the - self service page: - - - - - - - - - - Password reset link - - After activating the password self reset feature there will be a - new link on the self service login page. The text can be configured as - described above (default: "Forgot password?"). - - - - - - - - - - When a user clicks on the link then he will be asked for - identification with his user name and email address. - - - - - - - - - - LAM Pro will use this information to find the correct LDAP entry - of this user. It then displays the user's security questions and input - fields for his new password. If the answer is correct then the new - password will be set. Additionally, pwdAccountLockedTime will be - removed and shadowLastChange updated to the current time if - existing. - - - - - - - - -
- -
- User self registration - - With LAM Pro your users can create their own accounts if you - like. LAM Pro will display an additional link on the self service - login page that allows you users to create a new account including - email validation (see here for - setting up your SMTP server). - - You enable this feature in your self service profile. Just - activate the checkbox "Enable self registration link". - - - - - - - - - - Options: - - Link text: This is the label for the link - to the self registration. If empty "Register new account" will be - used. - - Admin DN and password: Please enter the - LDAP DN and its password that should be used to create new users. This - DN also needs to be able to do LDAP searches by uid in the self - service part of your LDAP tree. - - Object classes: This is a list of object - classes that are used to build the new user accounts. Please enter one - object class in each line. If you use LAM Pro password self reset - feature then do not forget to add "passwordSelfReset" here. - - Attributes: This is a list of additional - attributes that the user can enter. Please note that user name, - password and email address are mandatory anyway and need not be - specified. - - Each line represents one LDAP attribute. The settings are - separated by "::". The first setting specifies the field type. The - second setting is the LDAP attribute name. Depending on the field type - you can enter additional options: - - - - - - - - Description - - Type - - Attribute name - - First option - - Second option - - Third option - - - - An optional input field that is displayed on the - registration page. - - optional - - e.g. "givenName" - - Label that is displayed on page - - optional regular expression for validation (e.g. - "/^[0-9a-zA-Z]+$/") - - validation message if value does not match validation - expression - - - - A required input field that is displayed on the - registration page. 
Self registration cannot be done if such a - field is left empty by the user. - - required - - e.g. "sn" - - Label that is displayed on page - - optional regular expression for validation (e.g. - "/^[0-9a-zA-Z]+$/") - - validation message if value does not match validation - expression - - - - Constant attribute value, not visible for the user. Can - be used to set some initial values or data that must not be - edited by the user. - - constant - - e.g. "homeDirectory" - - attribute value, supports wirldcards to insert other - attribute values (e.g. "@@uid@@") - - - - - - - - Auto-numbering for attributes such as uidNumber. Will - do a search for attribute values in the given range and use - highest value + 1. - - autorange - - e.g. uidNumber - - LDAP search base, e.g. - ou=people,dc=company,dc=com - - Minimum value, e.g. 1000 - - Maximum value, e.g. 2000 - - - -
- - For a syntax description of validation expressions see here. Validation is - optional, you can leave these options blank. - - Example: - - optional::givenName::First name::/^[[:alnum:] ]+$/u::Please - enter a valid first name. - - required::sn::Last name::/^[[:alnum:] ]+$/u::Please enter a - valid last name. - - constant::homeDirectory::/home/@@uid@@ - - autorange::uidNumber::ou=people,dc=company,dc=com::10000::20000 - - If you use the object class "inetOrgPerson" and do not provide - the "cn" attribute then LAM will set it to the user name value. - - - - - Please note that only simple input boxes are supported for - account registration. The user may log in to self service when his - account was created to manage all his attributes. - - - - - Captcha support - - LAM Pro can optionally display a captcha to verify that - registrations are not from robots. The supported captcha provider is - Google reCAPTCHA. You will need the site and secret key for your - domain. They can be retrieved from here: https://www.google.com/recaptcha - - Please note that your web server must be able to access - "https://www.google.com/recaptcha/api/siteverify" to verify the - captchas. Captchas will be displayed automatically when site+secret - key are filled. - - - - - - - - - - - - - User view: - - The user can register by clicking on a link on the self service - login page: - - - - - - - - - - Here he can insert the data that you specified in the self - service profile: - - - - - - - - - - LAM will then send him an email with a validation link that is - valid for 24 hours. When he clicks on this link then the account will - be created in the self service user suffix. The DN will look like - this: uid=<user name>,... - - Please see email format option in - case of broken mails. -
- -
- Custom fields (LAM Pro) - - This module allows you to manage LDAP attributes that are not - covered by the other LAM modules (e.g. if you use custom LDAP - schemas). You can fully define how your input fields look like: - - - - Label - - - - LDAP attribute name - - - - Unique name for field - - - - Help text - - - - Read-only display - - - - Field type: text, password, text area, checkbox, radio - buttons, select list, file upload - - - - Validation via regular expression - - - - Error message if validation fails - - - - To create custom fields for the Self Service please edit your - Self Service profile and switch to tab "Module settings". Here you can - add a new field. Simply fill the fields and press on "Add". - - Please note that the field name cannot be changed later. It is - the unique ID for this field. - - After you created your fields please press on "Sync fields with - page layout". Now you can switch to tab "Page layout" and add your new - fields like any other standard field. - - - - - - - - - - Examples for fields and their representation in Self - Service: - - Text field: - - Text fields allow to specify a validation - expression and error message. - - You can also enable auto-completion. In this case LAM will - search all accounts for the given attribute and provide - auto-completion hints when the user edits this field. This should only - be used if there is a limited number of different values for this - attribute. - - In case your field is a date value you can show a calendar for - easy editing. - - Example calendar formats: - - - - dd.mm.yy: 31.12.2016 - - - - yy-mm-dd: 2016-12-31 - - - - d M, y: 31 Dec, 16 - - - - d MM, y: 31 December, 2016 - - - - - - - - - - - - Presentation in Self Service: - - - - - - - - - - Password field: - - You can also manage custom password fields. LAM Pro will display - two fields where the user must enter the same password. You can hash - the password if needed. 
- - - - - - - - - - Presentation in Self Service: - - - - - - - - - - Text area: - - This adds a multi-line field. The options are similar to text - fields. Additionally, you can set the size with the number of columns - and rows. - - Please note that the validation - expression should be set to multi-line. This is done by adding - "m" at the end. - - - - - - - - - - Presentation in Self Service: - - - - - - - - - - Checkbox: - - Sometimes you may want to allow only yes/no values for your LDAP - attributes. This can be represented by a checkbox. You can specify the - values for checked and unchecked. The default value is set if the LDAP - attribute has no value. - - - - - - - - - - Presentation in Self Service: - - - - - - - - - - Radio buttons: - - This displays a list of radio buttons where the user can select - one value. - - You can specify a mapping of LDAP attribute values and their - display (label) on the Self Service page. To add more mapping fields - please press "Add more mapping fields". - - - - - - - - - - Presentation in Self Service: - - - - - - - - - - Select list: - - Select lists allow the user to select a value in a large list of - options. The definition of the possible values and their display is - similar to radio buttons. - - You can also allow multiple values. - - - - - - - - - - Presentation in Self Service: - - - - - - - - - - - - - - - - - - Validation expressions: - - The validation expressions follow the standard of Perl regular - expressions. They start and end with a "/". The beginning of a - line is specified by "^" and the end by "$". - - Examples: - - /^[a-z0-9]+$/ allows small letters and numbers. The value must - not be empty ("+"). - - /^[a-z0-9]+$/i allows small and capital letters ("i" at the end - means ignore case) and numbers. The value must not be empty - ("+"). - - Special characters that must be escaped with "\": "\", ".", "(", - ")" - - E.g. /^[a-z0-9\.]$/i - - - - - File upload: - - This is used for binary data. 
You can restrict uploaded data to - a given file extension and set the maximum file size. - - - - - - - - - - Presentation: - - The uploaded data may also be downloaded via LAM. - - - - - - - - -
-
- -
- Adapt the self service to your corporate design - - LAM Pro allows you to integrate customs CSS style definitions and - design the header of all self service pages. This way you can integrate - you own logo and use your company's colors. - -
- Custom header - - The default LAM Pro header includes a logo and a horizontal - line. You can enter any HTML code here. It will be included in the - self services pages after the body tag. - - - - - - - - -
- -
- CSS files - - Usually, companies have regulations about their corporate design - and use common CSS files. This assures a common appearance of all - intranet pages (e.g. colors and fonts). To include additional CSS - files just use the following setting for this task. The additional CSS - links will be added after LAM Pro's default CSS link. This way you can - overwrite LAM Pro's style. - - - - - - - - -
-
-
- - - LDAP schema files - - Here is a list of needed LDAP schema files for the different LAM - modules. For OpenLDAP we also provide a source where you can get the - files. - - - LDAP schema files - - - - - - - Account type - - Object class(es) - - Schema name - - Source - - Notes - - - - - - - - - - - - Unix accounts - - posixAccount, shadowAccount, hostObject, posixGroup - - nis.schema, rfc2307bis.schema, ldapns.schema - (hostObject) - - Part of OpenLDAP installation, part of libpam-ldap - (ldapns.schema) - - The rfc2307bis.schema is only supported by LAM Pro. Use the - nis.schema if you do not want to upgrade to LAM Pro. - - - - - - - - - - Address book entries - - inetOrgPerson - - inetorgperson.schema - - Part of OpenLDAP installation - - - - - - - - - - - - Samba 3 accounts - - sambaSamAccount, sambaGroupMapping, sambaDomain - - samba.schema - - Part of Samba tarball (examples/LDAP/samba.schema) - - - - - - - - - - - - Windows AD (Samba 4) - - user, group, computer - - - - Samba 4 built-in - - - - - - - - - - - - Kolab 2/3 users - - kolabUser - - kolab2/3.schema, rfc2739.schema - - Part of Kolab 2/3 installation - - - - - - - - - - - - Asterisk (extension) - - AsteriskSIPUser, AsteriskExtension - - asterisk.schema - - Part of Asterisk installation - - - - - - - - - - - - PyKota users, groups, printers and billing codes - - pykotaObject, pykotaAccount, pykotaAccountBalance, - pykotaGroup, pykotaPrinter, pykotaBilling - - pykota.schema - - Part of PyKota installation - - - - - - - - - - - - Mail routing - - inetLocalMailRecipient - - misc.schema - - Part of OpenLDAP installation - - - - - - - - - - - - Hosts - - hostObject, device - - ldapns.schema - - Part of libpam-ldap installation - - The device object class is only available in LAM - Pro. 
- - - - - - - - - - Authorized services - - authorizedServiceObject - - ldapns.schema - - Part of libpam-ldap installation - - - - - - - - - - - - Mail aliases - - nisMailAlias - - misc.schema - - Part of OpenLDAP installation - - - - - - - - - - - - Qmail user - - qmailUser - - qmail.schema - - Part of qmail_ldap - - LAM Pro only - - - - - - - - - - MAC addresses - - ieee802device - - nis.schema - - Part of OpenLDAP installation - - - - - - - - - - - - IP addresses - - ipHost - - nis.schema - - Part of OpenLDAP installation - - LAM Pro only - - - - - - - - - - Puppet - - puppetClient - - puppet.schema - - Puppet - on GitHub - - - - - - - - - - - - EDU person - - eduPerson - - eduperson.schema - - http://middleware.internet2.edu - - - - - - - - - - - - Simple Accounts - - account - - cosine.schema - - Part of OpenLDAP installation - - - - - - - - - - - - SSH public keys - - ldapPublicKey - - openssh-lpk.schema - - Included in patch from http://code.google.com/p/openssh-lpk/ - - - - - - - - - - - - Filesystem quotas - - systemQuotas - - quota.schema - - Linux - DiskQuota - - - - - - - - - - - - Group of (unique) names - - groupOfNames, groupOfUniqueNames, groupOfMembers - - core.schema - - Part of OpenLDAP installation - - LAM Pro only - - - - - - - - - - Groups - - organizationalRole - - core.schema - - Part of OpenLDAP installation - - LAM Pro only - - - - - - - - - - DHCP - - dhcpOptions, dhcpSubnet, dhcpServer - - dhcp.schema - - docs/schema/dhcp.schema - - The LDAP suffix should be set to your dhcpServer - entry. 
- - - - - - - - - - Bind DLZ DNS - - dlzZone, dlzHost, dlzSOARecord, dlzNSRecord, dlzARecord, - dlzMXRecord, dlzCNameRecord, dlzPTRRecord - - dlz.schema - - part of Bind - DLZ patch - - LAM Pro only - - - - - - - - - - Aliases - - alias, uidObject - - core.schema - - Part of OpenLDAP installation - - LAM Pro only - - - - - - - - - - NIS netgroups - - nisNetgroup - - nis.schema - - Part of OpenLDAP installation - - - - - - - - - - - - NIS objects - - nisObject - - nis.schema - - Part of OpenLDAP installation - - LAM Pro only - - - - - - - - - - Automount objects - - automount - - autofs.schema, rfc2307bis.schema - - Autofs LDAP - - LAM Pro only - - - - - - - - - - Oracle databases - - orclNetService - - oidbase.schema, oidnet.schema, oidrdbms.schema, - alias.schema - - Preinstalled on Oracle directory server, OpenLDAP schemas - can be downloaded e.g. here - - LAM Pro only - - - - - - - - - - Password policies - - pwdPolicy, device - - ppolicy.schema, core.schema - - Part of OpenLDAP installation - - LAM Pro only - - - - - - - - - - FreeRadius users - - radiusprofile - - openldap.schema - - Part of FreeRadius installation - - - - - - - - - - - - Heimdal Kerberos - - krb5KDCEntry - - hdb.schema - - Part of Heimdal Kerberos installation - - LAM Pro only - - - - - - - - - - MIT Kerberos - - krbPrincipal, krbPrincipalAux, krbTicketPolicyAux - - kerberos.schema - - Part of MIT Kerberos installation - - LAM Pro only - - - - - - - - - - Sudo roles - - sudoRole - - sudo.schema - - Part of sudo-ldap installation - - LAM Pro only - - - - - - - - - - Zarafa - - zarafa-user, zarafa-group, zarafa-server - - zarafa.schema - - Part of Zarafa installation - - LAM Pro only - - - - - - - - - - IMAP mailboxes - - - - - - - - - - - Does not require any schema. - - - - - - - - - - LDAP views - - nsview, organizationalunit - - built-in - - Part of LDAP server installation (e.g. 389 server) - - LAM Pro only - - - -
-
- - - Security - -
- LAM configuration passwords - - LAM supports a two level authorization system for its - configuration. Therefore, there are two types of configuration - passwords: - - - - master configuration - password: needed to change general settings, - create/delete server profiles and self service profiles - - - - server profile password: used - to change the settings of a server profile (e.g. LDAP server and - account types to manage) - - - - The master configuration password can be used to reset a server - profile password. Each server profile has its own profile - password. - - Both password types are stored as hash values in the configuration - files for enhanced security. -
- -
- Use of SSL - - The data which is transfered between you and LAM is very - sensitive. Please always use SSL encrypted connections between LAM and - your browser to protect yourself against network sniffers. -
- -
- LDAP with SSL and TLS - - SSL will be used if you use ldaps://servername in your - configuration profile. TLS can be activated with the "Activate TLS" - option. - - If your LDAP server uses a SSL certificate of a well-know - certificate authority (CA) then you probably need no changes. If you use - a custom CA in your company then there are two ways to setup the CA - certificates. - -
- Setup SSL certificates in LAM general settings - - This is much easier than system level setup and will only affect - LAM. There might be some cases where other web applications on the - same web server are influenced. - - See here for details. -
- -
- Setup SSL certificates on system level - - This will make the CA certificates available also to other - applications on your system (e.g. other web applications). - - You will need to setup ldap.conf to trust your server - certificate. Some installations use /etc/ldap.conf and some use - /etc/ldap/ldap.conf. It is a good idea to symlink /etc/ldap.conf to - /etc/ldap/ldap.conf. Specify the server CA certificate with the - following option: - - TLS_CACERT /etc/ldap/ca/myCA/cacert.pem - - This needs to be the public part of the signing certificate - authority. See "man ldap.conf" for additional options. - - - - - You may also need to specify the CA certificate in your Apache - configuration by using the option "LDAPTrustedGlobalCert": - - LDAPTrustedGlobalCert CA_BASE64 /etc/ldap/ca/myCA/cacert.pem -
-
- -
- Selinux - - In case your server has selinux installed you might need to extend - the selinux ruleset. E.g. your webserver might not be allowed to write - in /var/lib. - - Read selinux status - - The following command will tell you if selinux is running in - Enforcing or Permissive mode. - - Enforcing: access that does not match rules is denied - - Permissive: access that does not match rules is granted but logged - to audit.log - - getenforce - - Set selinux to Permissive - mode - - This will just log any access violations. You will need this to - get a list of missing rights. - - setenforce Permissive - - Now do any actions inside LAM that you need for your daily work - (e.g. edit server profiles, manage LDAP entries, ...). - - Extend selinux rules - - Selinux now has logged any violations to audit.log. You can use - this now to extend your ruleset and enable enforcing later. - - The following example is for httpd. You can also adapt it to e.g. - nginx. - - # build additional selinux rules from audit.log -grep httpd /var/log/audit/audit.log | audit2allow -m httpdlocal -o httpdlocal.te - - - The httpdlocal.te might look like this: - - module httpdlocal 1.0; - -require { - type httpd_t; - type var_lib_t; - class file { setattr write }; -} - -#============= httpd_t ============== - -#!!!! WARNING 'httpd_t' is not allowed to write or create to var_lib_t. Change the label to httpd_var_lib_t. -#!!!! $ semanage fcontext -a -t httpd_var_lib_t /var/lib/ldap-account-manager/config/lam.conf -#!!!! $ restorecon -R -v /var/lib/ldap-account-manager/config/lam.conf -allow httpd_t var_lib_t:file { setattr write }; - - - Now we can compile and install this rule: - - # build module -checkmodule -M -m -o httpdlocal.mod httpdlocal.te -# package module -semodule_package -o httpdlocal.pp -m httpdlocal.mod -# install module -semodule -i httpdlocal.pp - - Now you can switch back to Enforcing mode: - - setenforce Enforcing - - LAM should now work as expected with active selinux. -
- -
- Chrooted servers - - If your server is chrooted and you have no access to /dev/random - or /dev/urandom this can be a security risk. LAM stores your LDAP - password encrypted in the session. LAM uses rand() to generate the key - if /dev/random and /dev/urandom are not accessible. Therefore the key - can be easily guessed. An attaker needs read access to the session file - (e.g. by another Apache instance) to exploit this. -
- -
- Protection of your LDAP password and directory contents - - You have to install the MCrypt extension for PHP to enable - encryption. - - Your LDAP password is stored encrypted in the session file. The - key and IV to decrypt it are stored in two cookies. We use MCrypt/AES to - encrypt the password. All data that was read from LDAP and needs to be - stored in the session file is also encrypted. -
- -
- Apache configuration - -
- Sensitive directories - - LAM includes several .htaccess files to protect your - configuration files and temporary data. Apache is often configured to - not use .htaccess files by default. Therefore, please check your - Apache configuration and change the override setting to: - - AllowOverride All - - If you are experienced in configuring Apache then you can also - copy the security settings from the .htaccess files to your main - Apache configuration. - - If possible, you should not rely on .htaccess files but also - move the config and sess directory to a place outside of your WWW - root. You can put a symbolic link in the LAM directory so that LAM - finds the configuration/session files. - - Security sensitive directories: - - config: Contains your LAM - configuration and account profiles - - - - LAM configuration passwords (SSHA hashed) - - - - default values for new accounts - - - - directory must be accessibly by Apache but needs not to be - accessible by the browser - - - - sess: PHP session files - - - - LAM admin password in clear text or MCrypt encrypted - - - - cached LDAP entries in clear text or MCrypt encrypted - - - - directory must be accessibly by Apache but needs not to be - accessible by the browser - - - - tmp: temporary files - - - - PDF documents which may also include passwords - - - - images of your users - - - - directory contents must be accessible by browser but - directory itself needs not to be browseable - - -
- -
- Use LDAP HTTP authentication for LAM - - With HTTP authentication Apache will be responsible to ask for - the user name and password. Both will then be forwarded to LAM which - will use it to access LDAP. This approach gives you more flexibility - to restrict the number of users that may access LAM (e.g. by requiring - group memberships). - - First of all you need to load additional Apache modules. These - are "mod_ldap" - and "mod_authnz_ldap". - - Next you can add a file called "lam_auth_ldap" to - /etc/apache/conf.d. This simple example restricts access to all URLs - beginning with "lam" to LDAP authentication. - - <location /lam> - AuthType Basic - AuthBasicProvider ldap - AuthName "LAM" - AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid" - Require valid-user -</location> - - You can also require that your users belong to a certain Unix - group in LDAP: - - <location /lam> - AuthType Basic - AuthBasicProvider ldap - AuthName "LAM" - AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid" - Require valid-user - # force membership of lam-admins - AuthLDAPGroupAttribute memberUid - AuthLDAPGroupAttributeIsDN off - Require ldap-group cn=lam-admins,ou=group,dc=company,dc=com -</location> - - Please see the Apache - documentation for more details. -
- -
- Self Service behind proxy in DMZ (LAM Pro) - - In some cases you might want to make the self service accessible - via the internet. Here is an Apache config to forward only the - required URLs via a proxy server (lamproxy.company.com) in your DMZ to - the internal LAM server (lam.company.com). - - - - - - - - This configuration allows your users to open - https://lamproxy.company.com which will then proxy the self service on - the internal server. - - <VirtualHost lamproxy.company.com:443> - ServerName lamproxy.company.com - ErrorLog /var/log/apache2/lam-proxy-error.log - CustomLog /var/log/apache2/lam-proxy-access.log combined - DocumentRoot /var/www/lam-proxy - <Proxy *> - Order deny,allow - Allow from all - </Proxy> - SSLProxyEngine on - SSLEngine on - SSLCertificateFile /etc/apache2/ssl/apache.pem - ProxyPreserveHost On - ProxyRequests off - loglevel info - - # redirect front page to self service login page - RewriteEngine on - RedirectMatch ^/$ /templates/selfService/selfServiceLogin.php?scope=user\&name=lam - - # proxy required URLs - ProxyPass /tmp https://lam.company.com/lam/tmp - ProxyPass /sess https://lam.company.com/lam/sess - ProxyPass /templates/lib https://lam.company.com/lam/templates/lib - ProxyPass /templates/selfService https://lam.company.com/lam/templates/selfService - ProxyPass /style https://lam.company.com/lam/style - ProxyPass /graphics https://lam.company.com/lam/graphics - - ProxyPassReverse /tmp https://lam.company.com/lam/tmp - ProxyPassReverse /sess https://lam.company.com/lam/sess - ProxyPassReverse /templates/lib https://lam.company.com/lam/templates/lib - ProxyPassReverse /templates/selfService https://lam.company.com/lam/templates/selfService - ProxyPassReverse /style https://lam.company.com/lam/style - ProxyPassReverse /graphics https://lam.company.com/lam/graphics -</VirtualHost> -
-
- -
- Nginx configuration - - There is no fully automatic setup of Nginx but LAM provides a - ready-to-use configuration file. - -
- RPM based installations - - The RPM package has dependencies on Apache. Therefore, Nginx is - not officially supported with this installation mode. Use tar.bz2 if - you are unsure. - - However, the package also includes an Nginx configuration file. - Please include it in your server directive like this: - - server { - ... - - include /etc/ldap-account-manager/lam.nginx.conf; - - ... -} -
- -
- DEB based installations - - The LAM installation package ships with an Nginx configuration - file. Please include it in your server directive like this: - - server { - ... - - include /etc/ldap-account-manager/lam.nginx.conf; - - ... -} -
- -
- tar.bz2 based installations - - Please add the following configuration snippet to your server - directive. - - You will need to change the alias location - ("/usr/share/ldap-account-manager") and fastcgi_pass - ("/var/run/php5-fpm.sock") to match your installation. - - location /lam { - index index.html; - alias /usr/share/ldap-account-manager; - autoindex off; - - location ~ \.php$ { - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass unix:/var/run/php5-fpm.sock; - fastcgi_index index.php; - include fastcgi_params; - } - - location ~ /lam/(tmp/internal|sess|config|lib|help|locale) { - deny all; - return 403; - } - -} - -
-
-
- - - Typical OpenLDAP settings - - Some basic hints to configure the OpenLDAP server: - - Size - limit: - - You will get a message like "LDAP sizelimit exceeded, not all - entries are shown." when you hit the LDAP search limit. - - OpenLDAP allows by default 500 return values per search, if you have - more users/groups/hosts please change this: - - slapd.conf: - - e.g. "sizelimit 10000" or "sizelimit -1" for unlimited return - values - - slapd.d: - - e.g. "olcSizeLimit: 10000" or "olcSizeLimit: -1" for unlimited - return values in /etc/ldap/slapd.d/cn=config.ldif - - - - - Unique - attributes: - - There are cases where you do not want that same attribute values - exist multiple times in your database. A good example are UID/GID - numbers. - - OpenLDAP provides the attribute - uniqueness overlay for this task. - - Example to force unique UID numbers: - - In - /etc/ldap/slapd.d/cn=config/cn=module{0}.ldif add - "olcModuleLoad: {3}unique" (replace "3" with the highest existing number - plus one). - - Now in /etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif add e.g. - "olcUniqueURI: ldap:///?uidNumber?sub" - - - - - Indices: - - Indices will improve the performance when searching for entries in - the LDAP directory. The following indices are recommended: - - - index objectClass eq - - index default sub - - index uidNumber eq - - index gidNumber eq - - index memberUid eq - - index cn,sn,uid,displayName pres,sub,eq - - # Samba 3.x - - index sambaSID eq - - index sambaPrimaryGroupSID eq - - index sambaDomainName eq - - - - - Setup of email (SMTP) server - - LAM always uses a local SMTP email server on the machine where LAM - is installed. Therefore, there is no need to configure any SMTP settings - inside LAM itself. - - The local email server should be configured to forward all emails to - your company mail server (so-called smarthost). You can use any SMTP - software that ships with a Sendmail wrapper (e.g. Exim, Postfix, QMail or - Sendmail itself). 
- - - - - - - - - - - - - - - - Setup for home directory and quota management - - Lamdaemon.pl is used to modify quota and home directories on a - remote or local host via SSH (even if homedirs are located on - localhost). - - If you want wo use it you have to set up the following things to get - it to work: - -
- Installation - - First of all, you need to install lamdaemon.pl on your remote - server where LAM should manage homedirs and/or quota. This is usually a - different server than the one where LAM is installed. But there is no - problem if it is the same. - - - - - - - - - - - - Debian based (e.g. also - Ubuntu) - - Please install the lamdaemon DEB package on your quota/homedir - server. - - RPM based (Fedora, CentOS, Suse, - ...) - - Please install the lamdaemon RPM package on your quota/homedir - server. - - Other - - Please copy lib/lamdaemon.pl from the LAM tar.bz2 package to your - quota/homedir server. The location may be anywhere (e.g. use - /opt/lamdaemon). Please make the lamdaemon.pl script executable. -
- -
- LDAP Account Manager configuration - - - - Set the remote or local host in the configuration (e.g. - 127.0.0.1) - - - - Path to lamdaemon.pl, e.g. - /srv/www/htdocs/lam/lib/lamdaemon.pl If you installed a Debian or - RPM package then the script will be located at - /usr/share/ldap-account-manager/lib/lamdaemon.pl. - - - - Your LAM admin user must be a valid Unix account. It needs to - have the object class "posixAccount" and an attribute "uid". This - account must be accepted by the SSH daemon of your home directory - server. Do not create a second local account but change your system - to accept LDAP users. You can use LAM to add the Unix account part - to your admin user or create a new account. Please do not forget to - setup LDAP write access (ACLs) - if you create a new account. - - - - - - - - - - - - - - Note that the builtin admin/manager entries do not work for - lamdaemon. You need to login with a Unix account. - - - - - - - - - - OpenLDAP ACL location: - - The access rights for OpenLDAP are configured in - /etc/ldap/slapd.conf or - /etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif. -
- -
- Setup sudo - - The perl script has to run as root. Therefore we need a wrapper, - sudo. Edit /etc/sudoers on host where homedirs or quotas should be used - and add the following line: - - $admin All= NOPASSWD: $path_to_lamdaemon * - - $admin is the admin user from - LAM (must be a valid Unix account) and - $path_to_lamdaemon is the path to - lamdaemon.pl. - - Example: - - myAdmin ALL= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemon.pl - * - - You might need to run the sudo command once manually to init sudo. - The command "sudo -l" will show all possible sudo commands of the - current user. - - Attention: Please do not use the - options "Defaults requiretty" and "Defaults env_reset" in /etc/sudoers. - Otherwise you might get errors like "you must have a tty to run sudo" or - "no tty present and no askpass program specified". -
- -
- Setup Perl - - We need an extra Perl module - Quota. To install it, run: - - - perl -MCPAN -e shell - - install Quota - - - If your Perl executable is not located in /usr/bin/perl you will - have to edit the path in the first line of lamdaemon.pl. If you have - problems compiling the Perl modules try installing a newer release of - your GCC compiler and the "make" application. - - Several Linux distributions already include a quota package for - Perl. -
- -
- Set up SSH - - Your SSH daemon must offer the password authentication method. To - activate it just use this configuration option in - /etc/ssh/sshd_config: - - PasswordAuthentication yes -
- -
- Troubleshooting - - If you have problems managing quotas and home directories then - these points might help: - - - - There is a test page for lamdaemon: Login to LAM and open - Tools -> Tests -> Lamdaemon test - - - - Check /var/log/auth.log or its equivalent on your system. This - file contains messages about all logins. If the ssh login failed - then you will find a description about the reason here. - - - - Set sshd in debug mode. In /etc/ssh/sshd_conf add these - lines: - - - SyslogFacility AUTH - - LogLevel DEBUG3 - - - Now check /var/log/syslog for messages from sshd. - - - - Error message "Your LAM admin user (...) - must be a valid Unix account to work with lamdaemon!": This - happens if you use the default LDAP admin/manager user to login to LAM. - Please see here and setup a Unix - account. -
-
- - - Setup password self reset schema (LAM Pro) - -
- New installation - - Please see here if you want to - upgrade an existing schema version. - - Schema installation - - Please install the schema that comes with LAM Pro. The schema - files are located in: - - - - tar.bz2: docs/schema - - - - DEB: /usr/share/doc/ldap-account-manager/docs/schema - - - - RPM: - /usr/share/doc/ldap-account-manager-{VERSION}/schema - - - - - - - OpenLDAP with slapd.conf - configuration - - For a configuration with slapd.conf-file copy - passwordSelfReset.schema to /etc/ldap/schema/ and add this line to - slapd.conf: - - include /etc/ldap/schema/passwordSelfReset.schema - - - - OpenLDAP with slapd.d - configuration - - For slapd.d configurations you need to upload the schema file - passwordSelfReset.ldif via ldapadd command: - - ldapadd -x -W -H ldap://localhost -D "cn=admin,o=test,c=de" -f - passwordSelfReset.ldif - - Please replace "localhost" with your LDAP server and - "cn=admin,o=test,c=de" with your LDAP admin user (usually starts with - cn=admin or cn=manager). - - - - - 389 server - - Please replace INSTANCE with installation ID, e.g. - slapd-389ds. - - cp passwordSelfReset-389server.ldif /etc/dirsrv/INSTANCE/schema/70pwdreset.ldif - systemctl restart dirsrv.target - - - - Samba 4 - - The schema files are passwordSelfReset-Samba4-attributes.ldif and - passwordSelfReset-Samba4-objectClass.ldif. - - First, you need to edit them and replace "DOMAIN_TOP_DN" with your - LDAP suffix (e.g. dc=samba4,dc=test). - - Then install the attribute and afterwards the object class schema - file: - - ldbmodify -H /var/lib/samba/private/sam.ldb passwordSelfReset-Samba4-attributes.ldif --option="dsdb:schema update allowed"=true - ldbmodify -H /var/lib/samba/private/sam.ldb passwordSelfReset-Samba4-objectClass.ldif --option="dsdb:schema update allowed"=true - - - - Windows - - The schema file is passwordSelfReset-Windows.ldif. - - First, you need to edit it and replace "DOMAIN_TOP_DN" with your - LDAP suffix (e.g. dc=windows,dc=test). 
- - Then install the schema file as administrator on a command - line: - - ldifde -v -i -f passwordSelfReset-Windows.ldif - - - - This allows to set a security question + answer for each - account. -
- -
- Schema update - - The schema files are located in: - - - - tar.bz2: docs/schema/updates - - - - DEB: - /usr/share/doc/ldap-account-manager/docs/schema/updates - - - - RPM: - /usr/share/doc/ldap-account-manager-{VERSION}/schema/updates - - - - - - - Schema versions: - - - - Initial version (LAM Pro 3.6 - 4.4) - - - - Added passwordSelfResetBackupMail (LAM Pro 4.5 - 5.5) - - - - Multiple security questions (LAM Pro 5.6) - - - - - - - OpenLDAP with slapd.conf - configuration - - Install the schema file like a new install (skip - modification of slapd.conf file). - - - - - OpenLDAP with slapd.d - configuration - - The upgrade requires to stop the LDAP server. - - Steps: - - - - Stop OpenLDAP with e.g. "/etc/init.d/slapd stop" - - - - Delete the old schema file. It is located in e.g. - "/etc/ldap/slapd.d/cn=config/cn=schema" and called - "cn={XX}passwordselfreset.ldif" (XX can be any number) - - - - Start OpenLDAP with e.g. "/etc/init.d/slapd start" - - - - Install the schema file like a new install - - - - - - - Samba 4 - - Install the these update files by following the install - instructions in the file. In case you you upgrade with a version - difference of 2 or more you will need to apply all intermediate update - scripts. - - - - samba4_version_1_to_2_attributes.ldif (upgrade from version 1 - only) - - - - samba4_version_1_to_2_objectClass.ldif (upgrade from version 1 - only) - - - - samba4_version_2_to_3_attributes.ldif (upgrade from version - 2) - - - - samba4_version_2_to_3_objectClass.ldif (upgrade from version - 2) - - - - Please note that attributes file needs to be installed - first. - - - - - Windows - - Install the file(s) by following the install instructions in the - file. In case you you upgrade with a version difference of 2 or more you - will need to apply all intermediate update scripts. - - - - windows_version_1_to_2.ldif (upgrade from version 1 - only) - - - - windows_version_2_to_3.ldif (upgrade from version 2) - - -
-
- - - Adapt LAM to your corporate design - - There are cases where you might want to change LAM's default - look'n'feel to better integrate it in your company network. Changes can be - done like this: - - Change colors, fonts and other parts with - custom CSS - - You can integrate custom CSS files in LAM. It is recommended to - write a separate CSS file instead of modifying LAM's default files. - - The CSS files are located in - - DEB/RPM: /usr/share/ldap-account-manager/style - tar.bz2: style - - - LAM will automatically integrate all CSS files in alphabetical - order. E.g. you can create a file called "900_myCompany.css" which will be - added as last file. - - Example: - - This will change the background color of all pages to turquoise. See - 500_layout.css for LAM's default settings. - - body { - background-color: #b6eeff; -} - - - You can use the same way to change fonts, sizes and more. - - E.g. this will reduce the default font size to 80%: - - body { - font-size: 80%; -} - -.ui-button-text-only { - font-size: 100%; -} - -.ui-button-text-icon-primary { - font-size: 100%; -} - - - Custom logo/* image in login box */ -td.loginLogo { - background-image: url(/logos/mylogo.png); -} - -/* image (24x24) in header line */ -a.lamLogo { - background-image: url(/logos/mylogo.png); -} - - Other images - - All images are located in - - DEB/RPM: /usr/share/ldap-account-manager/graphics - tar.bz2: graphics - - Please note that if you replace images then you need to reapply your - changes every time you upgrade LAM. - - Special changes with custom - JavaScript - - In rare cases it might not be sufficient to write custom CSS or - replace some image files. E.g. you might want to add custom content to all - pages. - - For these cases you can add a custom JavaScript file that contains - your code. 
- - The JavaScript files are located in - - DEB/RPM: /usr/share/ldap-account-manager/templates/lib - tar.bz2: templates/lib - - LAM will automatically integrate all .js files in alphabetical - order. E.g. you can create a file called "900_myCompany.js" which will be - added as last file. - - Self service - - See here for self - service customisations. - - - - Clustering LAM - - LAM is a web application based on PHP. Therefore, clustering is not - directly a part of the application. - - But here are some hints to run LAM in a clustered - environment. - - Application parts: - - LAM can be divided into three parts - - - - Software - - - - Configuration files - - - - Session files and temporary data - - - - Software: - - This is the simplest part. Just install LAM on each cluster node. - Please note that if you run LAM Pro you will need either one license for - each active cluster node or a company license. - - Configuration files: - - These files include the LAM server profiles, account profiles, PDF - structures, ... Usually, they do not change frequently and can be put on a - shared file system (e.g. NFS, AFS, ...). - - Please link "config" or "/var/lib/ldap-account-manager/config" to a - directory on your shared file system. - - Session data and temporary - files: - - These are critical because the files may change on every page load. - There are basically two options: - - - - load balancer with session stickiness: In this case your load - balancer will forward all requests of a user to the same cluster node. - In this case you can keep the files locally on your cluster nodes. If - you already have a load balancer then this is the simplest solution - and performs best. The disadvantage is that if a node fails then all - users connected to this node will loose their session and need to - relogin. 
- - - - shared file system: This should only be used if your load - balancer does not support session stickiness or you use a different - system to distribute request across the cluster. A shared file system - will decrease performance for all page loads. - - - - Session data and temporary files are located in "tmp" + "sess" or - "/var/lib/ldap-account-manager/tmp" + - "/var/lib/ldap-account-manager/sess". - - - - Troubleshooting - -
- Reset configuration password - - The password for the server profiles can be reset using the master - configuration password. Open LAM configuration -> Edit server - profiles ->Manage server profiles for this. - - In case you lost your master configuration password you need to - manually edit the main configuration file (config.cfg) on the file - system. - - - - Locate config.cfg: On DEB/RPM installations it is in - /usr/share/ldap-account-manager/config and for tar.bz2 in config - folder. - - - - Locate the "password" entry in the file - - - - Replace the password hash after "password: " with your new - clear-text password (e.g. "secret") - - - - After the change the line should look like this: - - password: secret - - You can now login using your new password. Set the password once - again via GUI in main configuration settings. This will then put again a - hash value in the config.cfg file. -
- -
- Functional issues - - Size limit - - You will get a message like "LDAP sizelimit exceeded, not all - entries are shown." when you hit the LDAP search limit. - - - - OpenLDAP: See the OpenLDAP - settings to fix this. - - - - 389 server: set nsslapd-sizelimit in cn=config (may also be - set per user) - - - - other LDAP servers: please see your server - documentation - - - - - - - Invalid syntax errors: - - If you get any strange errors like "Invalid syntax" or "Invalid DN - syntax" please check if your LDAP schema matches LAM's - requirements. - - - - - Schema test: - - This can be done by running "Tools" -> "Tests" -> "Schema - test" inside LAM. - - If there are any object classes or attributes missing you will get - a notice. See LDAP schema files for a - list of used schemas. You may also want to deactive unused modules in - your LAM server profile (tab "Modules"). - - - - - - - - - - -LDAP Logging: - - If your schema is correct you can turn on LDAP logging to get more - detailed error messages from your LDAP server. - - - - - OpenLDAP logging: - - - - slapd.conf: In /etc/ldap/slapd.conf turn logging on with the - line "loglevel 256". - - - - slapd.d: In /etc/ldap/slapd.d/cn=config.ldif please change the - attribute "olcLogLevel" to "Stats". Please add a line "olcLogLevel: - Stats" if the attribute is missing. - - - - After changing the configuration please restart OpenLDAP. It - usually uses /var/log/syslog for log output. - - - - - PHP logging - - Sometimes it can help to enable PHP logging inside LAM. You can do - this in the logging area of LAM's - main configuration. Set the logging option to "all" and check if there - are any messages printed in your browser window. Please note that not - every notice message is an error but it may help to find the - problem. -
- -
- Performance issues - - LAM is tested to work with 10000 users with acceptable - performance. If you have a larger directory or slow hardware then here - are some points to increase performance. - - - - - The first step is to check if performance problems are caused by - the LAM web server or the LDAP server. Please check which machine - suffers from high system load (CPU/memory consumption). - - High network latency may also be a problem. For large - installations please make sure that LAM web server and LDAP server are - located in the same building/server room. - - If you run LAM on multiple nodes (DNS load balancing/hardware load - balancer) then also check the clustering - section. - -
- LDAP server - - Use indices - - Depending on the queries it may help to add some more indices on - the LDAP server. Depending on your LDAP software it may already - suggest indices in its log files. See here for typical OpenLDAP indices. - - - - - Reduce query results by splitting LDAP - management into multiple server profiles - - If you manage a very large directory then it might already be - separated into multiple subtrees (e.g. by country, subsidiary, ...). - Do not use a single LAM server profile to manage your whole directory. - Use different server profiles for each separated LDAP subtree where - possible (e.g. one for German users and one for French ones). - - - - - Limit query results - - LAM allows to set an LDAP search - limit for each server profile. This will limit the number of - entries returned by your LDAP server. Use with caution because it can - cause problems (e.g. with automatic UID generation) when LAM is not - able to read all entries. - - - - - - - - -
- -
- LAM web server - - Install a PHP - accelerator - - There are tools like APC/OpCache (free) - or Zend - Server (commercial) that provide caching of PHP pages to - improve performance. They will reduce the time for parsing the PHP - pages and IO load. - - This is a simply way to enhance performance since APC/OpCache is - part of most Linux distributions. - - If you use APC then make sure that it uses enough memory (e.g. - "apc.shm_size=128M"). You can check the memory usage with the file - apc.php that is shipped with APC. - - - - - - - - - - - - - OpCache statistics can be shown with opcache-status. - - - - - - - - - - Disable session - encryption - - LAM encrypts sensitive data in your session files. You can disable it to reduce CPU - load. - - - - - - - - -
-
-
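Review bot: in the tar.bz2 Nginx snippet the `location ~ \.php$` block is listed before `location ~ /lam/(tmp/internal|sess|config|lib|help|locale) { deny all; return 403; }`; Nginx evaluates regex locations in configuration order and stops at the first match, so a `.php` file under one of the directories meant to be denied (e.g. lib/) would be handed to `fastcgi_pass` instead of getting the 403. Move the deny block above the PHP location before this text is carried over. Two smaller points in the same region: the DMZ proxy example contains `ProxyPass /sess https://lam.company.com/lam/sess`, while the "Sensitive directories" section states that sess "needs not to be accessible by the browser", so confirm that mapping is really required or drop it; and the `<Proxy *>` block uses the 2.2-style `Order deny,allow` / `Allow from all`, for which Apache 2.4 expects `Require all granted`. In the lamdaemon sudo section the template line `$admin All= NOPASSWD: $path_to_lamdaemon *` spells the keyword as `All` whereas the example below uses `ALL=`; sudoers treats `ALL` as a reserved word, so the template should match the example. In the SELinux section the documented steps compile and install the audit2allow module that grants `httpd_t` write access to all of `var_lib_t`, even though the generated httpdlocal.te's own WARNING lines recommend relabelling the config path to `httpd_var_lib_t` via `semanage fcontext` and `restorecon`; the relabel is the narrower fix and deserves to be the documented first choice. The "Chrooted servers" paragraph describes the rand() fallback key risk but offers no remedy; a sentence recommending that /dev/urandom be made available inside the chroot would make it actionable. Finally, if these removed lines are re-added elsewhere, fix the spelling slips they carry: "transfered", "well-know", "attaker", "accessibly", "wo use", "you you upgrade", "deactive" and "loose their session".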
diff --git a/lam/docs/manual-sources/images/configProfiles11.png b/lam/docs/manual-sources/images/configProfiles11.png new file mode 100644 index 0000000000000000000000000000000000000000..64ae4ea891638431ab5c3b546ee950efc54ea745 GIT binary patch literal 32911 zcmdSBbyS?qvo1;mNRZ%xpkZ(i?vTLX7Th6t@Zb&!E&+l&1Pku2Ly#bY1RdPn26wqH ze0%SE_P%?a^E>CR`^TLXNWZzxy2>B>4fsR6mf`EX4E+q+8LO^&@COyw z)ZIB34O|!u`G9?9%7pIe>++G}{EE!Uk4BLsh%p2!3ZvhtEavlB2{~Au!;=Z*zEe3P z;#yi&FgStRJpR)R-*~e^n=}k(Sp2Y96FX%Gi&&%&%Mlk4@!C0I+ zXV95L@f=tR0>a0yW*Zliwjk99LqGS*Znq~S==-T z6EbVO2XQ=Z_J@L|Zh^+htu!c^!_HW5a1VVa0aMYjf8KYTz`!X@UI84}l0q9>6GF>- z=?$}iH#Wjz_>pTrPwmV$Fs%16_{^!)xQC&nf1nUfGkiyIIXAGEn2>FB#$`1tMtxoe z`)SmF<`wV7+P>{W%&R-qB-Qk{+%pPy!nT#=bf8GBi8_njjG4=3M2`C0cE!Dv>RVSr}>7RPpwFGHZ!_)-pBkL`Zsl+*kLQikW$km)Fg6DJ5;1SfD&A_!TMNaPAKO zdY?$+|4zryWz8$Zp&TA+nJ1Y{f}hD{j?(3ez`4Pk=47?etl+epFMZ zmrt8aKRpS|GeZPjtp&p)uK9$x!Wd9;V;D8CoSbC)kW~u(TtV)o-I@+kDCL(x~lYfjS5e- zR!Nkdx_5|8>!*98r&8N-r#r84hPT-9nfw;250Ojw?7Gk5sAJ53w`VYEdsHc>^nc$G zE=!aH<1^owXL}JzWS1*W+7$LssJ-KQH~|D16Q^9??#kWz!_fprT|u9Db(}vw7sWDR zaLBQjU@wm4!Qupj%@Avn2l_YYN@&sFV*Vdxq z;}r|~h)7BIx6IWCI9F^*(9uq62usGjnP$v1)o4r2onqWh;SgrE(%oDbQI5R#dPzDS zk%_Uf)|qNUC2YY*mjmu}d`0H8b7je))!^`R@64JkeEBX-tdF&1kw!%peW-- z*RfgpE%WceTU$wp+-u4WmH1dvl!j0dzu!N~v|4{XeQJRn6%$k3bH;=xKv*kbpc*An z>{#*7A!ipyhvq3%P1llr**xgwEW-EZb&Fl2zN02Cs$0e!PEcOQ9BzW2G#wA2OEN;S z6>qP;fvdf`;WYB8M*ibP<1g0hj?CK3&EIHh@`A_m6?H*Z5EfHYlQmE79b}NjG-Xfa zt*`#x%zlD!(tNXtnT-vpemA2&jBBh+KP8yU_DV5NY8lz)FO{|$W=OF>AXNN1fF!(K z+#tIE6qz_a`5+pE{yzGG3qJd$fs~hEj+0xv8&UtzOGAI@xaQz|yBM1#EDBwn)R4`? 
z6&f&y`EnkZW3^@I0+|~fZKoGjrj!f9QY}3CbKUU=XLtig2$WR=5o_?^(14JOzr~b| zB(_z6$R%?uN-Qm_4GB2?wt#WT65Kz*5<|OF*XVuLnap> z>)WcRj4r*f8uVvZ=NhLwH;qoWRM>X8(&=Pg7lZ3^!mr;%ho7PH69xcMQ_dAKd{`Pn zb7fjS`s1i9dP7i==y9lrEJ^=3Xk*S*puY%#U4$?Er+>E=H_V*<1&?#SF1M#X_)`Rg zF9MW!kAqM6|34Zix*;R5FvssQF3oipE8NCU9NHvl0ENT*fYS{sbkvs zJl!eP@zN+#W75~xH^z0wMhS={6Yg_Qw!7@RJ&Jg6Xg_5aJ(SCt_oUogu0E`hbjd6l z^tFI?tmYc!m=hRubwfO%LLgw?*9~+jL=7{JWp__Vnxs7 zCG~x4nT%7pK=eOCMeCr&l}}r+Vqb$Q%+2ZUeeY#?%R#sF`4GBMHsxHnz1F-rky zJGaz}>orbKPe&)>^1R-wBjU7BDQ~5MCbH<%AFMN0MUVc3UY#cA@D-kL@tEjn`^C0zQ4|udh`6jegR#2M*!cJweeUmw zySq9&-#%#O*93XvSc!BsHqP%SNZIpkh!>I}wCpgIuJEw$n5BX_M34!iuAnX8Qw%QB);$j8x_q zwlbUf%Ilt`aMX1#DR7aRt%H*)DR1*(d&A_}o*&@pR@T=?T6GWp$ng)Ha$C=j*U0ck zZ7zh-5OM7nYYeYMiV|^^-g~c=X%DQ;xDX#46@EFonDFvYgB7Y;@6@)a@gsJlprC|? zg%R;Nem-6wKt>}dci51J%1KE{t^5f`ef7#_BLymWL0JcsHMMW>Bq@1`Ygwn$GaHf6y_qL2{1bwfge)j;nbS(R@mH@clI z9pt!Co+Fa0WIIVP)1sZ2n%=u5{dB zDz6c9NLbkM+1c6o`G&d+d|uFcx*E`!?#@n?VvR#6ONNP`dYK*xyQ%C@x}eYf?RiHK z#`*r72k_LpyE`EvAsU5rjymV1y=l$)BV3iQZa6-09LOxh=RPqp z5kzD=L+{!Zinl(F$Dmeiji=M!_Mnl(v=r*D@DPoy&YZQ677?5KIDB{t=De}-1?NhY zU`O((@X+j(NJyBuro?aqsK7sE?oRN;y=#j0h3ST!kDuN%*}|pc!)d60xw_ULLr-@Q6QMCNaBiEC z(PsKM>0)P;S9PC$KlLVm`}Px{On@Hl%(w9CA9Y{|Ys^tGGFkzfF43-Af6zB%bVB3# zD<})(0F^CiH%39oeDoJOq|vxH`f#P&WoIH>e{UpLCV^Qum{veQfS$h4>-x;oO+_Wv z#8S-O#bs!4kgM!9SKjh;jipFtIiRFB7Jf+RJP}Rax9-5es%~flkId@?i|xTE(@M~7 zfg1b=MqWsYg8To(fWc4Ih)6|RRa5r`42@VYp{!s^9A(48@~om3j3lQ?ur-66_G}Mj zRPX?lSYjRd48omr-+U>IfwpsZ%#zZ20g1G7qQPQ$tfu*F)>Ezqz-%2 zoDNTo3LG{Dk2i)CWMqmoDh%D-ufmDAi`5up)zsp{!epYxv$C^+YyC-c1ki{4{CrRh z$`wu7d+`U4vKG7&Y?9QSbRYi?jP)C7fxd4BV`{1*hx_G)*}B7tp}=iHqQ%%j?||x| zLdrmIFHT6huJP7L!$2Lo51{u!(z!3KGwuZ#-<7MWsYT@F@ndy$(`Z+(r$t32!7Gsj z%-mb%?JL0ssi~=rj$4%;=ld@6Ze|OuUb>BrtPo`uHnyX1?)lHanb%m1&jR;JN9W>_ zK%mGr2r~o>9Nb*1*R=$hS2bV`=36|%x|V&%Q5>#Lwg7`WQ<|+-biOx(PeO9LSGS-Q z4_!L~ERYCu0{#^0KZmE!+5DaUSxh#yAGxy!)_os|$00RJQjaFXn?iDR4G(4Py z=gZHAo3?Myynyxp&GdsnAVEPvChi~0^aPYnK*P5JlVzmjKu?G)k5V4U`fl4Yd8 
z!oC+J-q7(!Y_PW+%dqa)YtRGNvoFWwMfNKCv6bmdiprGMgw+} z*I`{Yg=?U409dEj`JBtfPzFtw`{_3N8#ZHL^Xo0l08Rqz5G5rgu-4~@h&7h5!Bll( zz>&_@+X>%Y7y%xP(PI_=s6|m56y@sf&Sf#SndUN2cN9L&%F0S15dm0epWi#Cj8H&+ zPE(a8Po4~=zxl*Q7`zFfM-hx=;fb5th~VU!7onckLlelWlqRXezDCL6|N{2TKG1lWl!uP}^BrUcJt-g78 zLpafocr&WNvA@2CG^s&WSvXUJ@ywYfBzRwt+)vMidVY1?N{b65L(X7VrFM)c!0@sd zC&ZsGZBU@#D!?At{I_Sw@wVcMO7;!2M=wnuw9!P4e9imro#1w{VTT=!pI+V%ek?m) zH~LITj+_>10q{y&>zDXv6K-zq0-hJ;7w|X_8#Xq!<&_n{QftkB!^9#HD8JvGa_B19 z+S%Dz+ftl3e0c0C&g)_nRJB|aR2*eh@Tz|A=8vSQO8^?~`1*QAkU*rsfG1>2`i|nG zI_t2$v}Cu`9&i-ln?Ly`K!^GK^wi0z?C-n$ZHM58E&u!(T1tJr@Wt%egK);hrVB*< z7}Uuqsi>0m)n43paabyzFwlWPia^j1_(3(U54%|j2muflseE&uqU3%I)(*PBzI?6w z7$4~wv5cyyKdceK^$GbuQ4~VcBWMMF^?x{644?j(UtByp*CanHB{{rxvPOc65c^$) z{_wnPBHP1Kf#v)$-q7=sq;G2kCU%8!7miOKy?TxyEt)sFP#?9rqFiGXg!26>1N;lH za=f6Nr^PcZJN{ZFCCYU+_fHH;OH0>CULnNFIy*bJr}5WVB3qmy(Iow9?sx(OJH+ci zcy#!Z4($K^=_1wI_V#qOxiW|?>0k{D0U?%`5^u;@*zY4Wt{2b2 zop!Qr$UulyCPayMa-N|cObh?Zwil8C1nT25Yb3zi0W?nm#5gQ-aeB=Razl9WV%KFJ zN>S;lDoYnxO<{ko$H*4vmRCH4WzQysh4;?Fk0N%ul&ZAGk6w{OE-o&-z1;EDG@PHL zXnQ}2dwE)i%uF{#xG-<>6xKDOix;yjhD%r6NV22G0PM0eTXT@BX47~Mlvk(YtiM* zO>H7+G|%H?Q`2|}il{COJihH45IY@JM;92VK%x2Eo6kIRYKo-h@MQ70nb|}( zK_=a0r(aa`oplQiP+xGe@bg1cxLzi6IXMm_o7fw!;$tSqei^d}F(DAi{M*q{BKo9?m@QB~Bnb&@Clh2Oc>65$I4M$rS5fX|N=PIc#_j--P<>_iWqsg`ppo;n) zk%vQojm|?u`6G?9J^qgBC}$`8qDT+N5RVY{%;;{G;_5Y6Zcm8_3CD*E6%k+-S3>wb z%2X(+h~=btk}>bQD=1PdVP_^z2t=V6TeHCF>Iy~fjxCdV`I zR&8T)mi_*ugKq{-&z@}~A^BsV@e|=E*y>OOqFavr^qy<`y3{eR583B#6|k6@_!0m6 zNo!4V%i*6*1z|ZkIi@?-iaB!wQD)a!KsE@{*4n9+CT|n+OdOF)eU)NMevKYF(j^Tp z3}ZzViCpl65yCi1gbE!cT_PH8rQTxJH#B@FIlk)%@;Rmgi13@u6*|DjZjX6XS)OMG zy~-~UhTq#=e2I$M z1wxAT0d1B1kC{CpAU*(9O%7)VHlNRLRc**;2%Zl%!6WV*R~xF#E=v+vbgw>j9<<(G zXYhEf?*@cDYe%w~Yff6IrZByBsWR1XatEHRV6}6KlOL^>Gss<3WM!jAo}`R zMTXY|YqeL1vwp27BIIM9d|H{A?7j2ViC)V!=5R?0x7koy-bdQtd>NRHZliP6EOfi! 
zG+7lQf4@GnjEg;-6@c2BE|e`XWENrw7xF@U`rG&NxYjBRl;!5I;mK>#r`_UysO@pG zYhK#mJxcBUfjY*E%SLA<@B<^*qB_IW+{8Y0< zzN+1|HAumA_Oyan6wJm-^$UfeF?n})cs{4yUg%lJyW@5F^#qr$QjUa30@Btm!(}&> zN?WN3d9P6d=9+5Y^LtZLlUL~c6UE6iF;XUMTW#f}a~`i4oRp#x^6swT)pH(qo2P2s zBQ*$Og^Np3X=%FKb35Zj8L6rLEJLZBO+E`kKrCT1R&Td6VV%rnY3i{+1S?~I`eDxf zG?Z~w_xgC~$3zK}j8>ibwGR&U0rWvp4)fL!&)Epkj@JiUJTH~jNBehoi+6W-L1pQh zq=06`JN7)>G^#GU&dUCkejgcvtl&?6ws>oMLA$#eBPq|(M8Ta=M(KCPwo1Q;zO9$3 z>;?;#dv*nSdo>-TFzYtj?Osf+u3p1RyB%h$zHAI8o%{}pQNL@YMHu^rMeY_M=*jG>mdnrL>bdOc92Ubdu| z>06Yd{neIf#;?+<+c}Slgbmo-d#UjQwn8-7h~(gQ+FmB=}V(Q%keJbU@(o8VP^( zbd$&U${39>vvxv4-jzikE#Q_XQ(zdAgH!;Kp;aPJ9dlGf7#{Caj}tj$O)7BVv7Ey@ z`YWPTxqFCw#drCKbS{$L2dl%$TwkjA<-t_*iRK2k@tGNqu|!tz$;IKyzAoPkPsgC7 z0>pD`WY+CCjFH1~vV5r*r~6X7#5GSo{e{Kk5B*mtD12_q{+DMoRf0_}1L^E}V;Iqu zb98t@#xwt1_(Xv?YFqAS&`_{QAOR@QAG{GGW+9lQA%3JFp2=-Lzkd~4T6`>N98t*cVR%Q7JhDY_6jMq1VGa>wN|W2vRu-4Jf1u>G(c{L zM9A^;dfkHO<+w^~vn^Z?8H2P3Ixzm3!-tqprR>fpy(tb(E=j~yOm=fNb2H8~6JTm2 zM8r+OW)B;j?0%hqxiYqogY=2zgF|M`JR$_;47*O51~eB2ZXPEk1b*|ABf{?mo~NZg1?sARv0 zf?WC?Bwb#~(6g~u!R}tqRY@Rwt7iVl5OR=u#CGp&+9B+po1DoS&EQzs!xymZZqRTQ z&hI+p^N=|=$&v|UQ&W~}^V=WifAFn*zJTF9Z^CeJlpXnQOSD7STXm1-f7~G!^%{>f zI8YBHx9r~CN<prig5D)v$3$NTzG$R(>K0-<3N~9pM3i%{mm| z`5K+axBsB~P5W0jep$L%rjkM3>H7Sx6D$!VfyP|Z}z1Q0AD++27y7j^JBs8>+`lhC{t=o0~Lki%QfF18{GL#{D7Y9o#4}9J` zkmpZ)(d&P&1-S7~x*?HHU|C4KI?VzCcs4X9UF@k`2W^m{rt|OixRkoxi5>J3t=7Xm zZX9~G>LYhZ4Wz61mgx!(8EtN1@OlRl05vD@e)lY^kRe*9^Y1B!+#nh0mdslVH zC$K1&TAvuaj%%;27&2C@HhyQ8^Jjn3Zt3RI)^w1u5)+}{-k~x?aw}DN{u^LLct36> z+F1&+IVAn^7OBwK-IK@0n)47rYT1`-qxD0z{IkSoYU+VL0Gh7lmVlyB$^>UMQD?uXVk!ZT`UcKP5rAdxCatFOwL|) z{6Xo-1mcBylN|*eK>dmp7(aI&X!(7e`6OL9!lXtE9qVO4;uQu0g39o?@jcPL)q7yR z6MVi=ENrnaj(&Y@E#8F@;iEKKhZNQHQ3Mb^JVrKrEG#Yx7~)0TiL#)GsvT<=go7Ja zG#cFG9PEf+pWQ>`2E=#ykmR-0v>8?W=1pH zpxosAQ_c2Ew0R#tP}JhuWgw5JfuHe11l&W5pr-^xZ*nPIRG^rb`lL?~-X{SEJhA2E z4iXW6a&Tn${3&Re=P_CIRh_K$Hz3Z3C;X?p((1t(kXL$mHCLYLsab_7|H=vTnngn! 
zo^!NQ#SjHc+GLp0BcBqB+yFA*F-VO z4f?Mdb|K3gwvvG&+le&K4dovzJlYs&+4?9H7?KFZYns2i`w6v4Xf-8|>Hb!+TLDq{ zGb=gYXkkd4s!~gJwRm6%U%5&H2^YT8`Q2%+&CHIx{*?U%AC9xCH{tV}th+w?v#n{y z%=-T&6~h?zm|H>6!vO-peSv87&vdTImPbX52Sp&SXi*Hd9x?J_ebK_vDnacYGBc^H zA$sBw-6Tr9>~3*@uD|*F%?W>SZ+Eomc+4DiAVrAua(t2%o)I=P+~RQ^2eDZ~t@{r+ zd3{z~s#-KXVeJ70(Lc!JE3C7Y#{~MGSpm95~w{}x}*Sd=FWu&gVShgH43=ViK)8}&XLKF>Mx z2UvR6Dq~|I7i$2B3QsxVfJI4Dnc)8OAq*^3x|9j!nuJfxgM+7Bqk|>eEILGc>Ox1; zB&>E34S55DjSZz`@zfk^&dIAxqE)QsYRxV~!^ylchsmpR6A~nv{(d>8{mz*fOsM)sch;ff-B5(a2k6H>D~?RHGD=R}@Gw6?;=X5G>Al%EJdpa|mQlRP#l z`qzv)4G!HbarAE3iX!cTP`Q^c&k4DTMZpRgrf%+y#{rxcu4cx@?jGv&VV@ozi=fBw zFHyZglySYOC;=kgSN&9J@;)o#?e#Agv}}?&H-Pdbv>L4{CJS51B5Kd28Nch!eSsV` zOTZH++*W({c&z-#sek(yXxF~!h3pn}`kSXB$8kXHoW^dsJXVG;pH^FLI#5XV{RNq@ z!7n$)mi-UIvwy4&GNZ) zeSjgr%@QbiCRQoO)V?It({FeJjm- zK<(CxSTJAQ!H+TSfv>PBp+})j{>@9WxW~)eB`#E(3JI1)Qf>-Fc_J!dtDGJmOuLm? z_zRziG|NuX#Wnk}$fk|qGr)m_#M&&t=sS@x)O+KVaY-aVPw2pn!ZBlptWAJB%D$p6 zlIVLhJnwmxBpWh>Wh42DCcn(~{)Ex3%7b;})1_&#(ap>3#yC+(0UAyo6u0SgwYzJj zt`2*kwxs=xG=YqFw*UhsaI8uOzYEJhscO}}V^tLc-^G1@m6Vi*0lba54KfYbR&#T6 zW@##lHfwtXmN)X(2+!?$ZiwRdDpyu%*G%0YB1#;^4 zg;pP5!03OBZfnF-RZJ$P_TAd|m;mbFCd!7ZG)V3>#h)iqGSQ!2)vWv3b?z!nl>b#a zkN}s?WwtLX|3EPS^?s7+{O3nx2hn3yqw5w}+-=pIO1UFHK0(p;FY<+?rFu*wLn6J6 zjS|t@N*?P9`SZJt- zYiN*M?_T>rXaREP5g8yLpw#?t6^b0?bh}mYH}E)S1w2Uh2t|^rTU)BldtjdHyV!B{t72hM`K5}RawlZ%>*SdhY$-=N3#$Ma#dQ-tOva+Zu(+lmNB0O z6gqq!()h_Uaa()#+YedB`y$gfsDnBFL8HGK0k8osh{ceWSWPTFfHmhOlDAC96g0wi zswW*E%uHFSXy{0Wf}h?Zl7c(%WqAzG_xup=w0%3kcxFSE|fD?S<-I?(=)C z+0&SrT?Q{LDWnV3m@$4#++$@0(qf>jBK1-LS2NpReLsqLl&zJN6n-z2ReYcnG&3j( zNYpxBlIEJ3^CMPx3(32XR#e~zuMvQvL+Dt?pGXC?DEP1ud^bGwAvDmOu&=SpcE9lr z3cAjgFy~5^mb#QF@N`yAC@OMrcmL(4JdmtfvTwgN5^mHzL`|~*aTZKpA!c_XIhq3a z$1ytnKn&8G#k<=`32*w>VNib1!%>$9Jf>Ce)8%kPaj~opO0t@7f25JfxW{}o2oC0P zf0BNuQlwUMa&iMhP8S*|)SH`WrpFeP@#2YKPqJ$HEDE|jw~AZo`SdPX{dkS38K@}r zyz6pNEp$b{U-*f>)5;=t^N~2E)@sh@;3Gid=P9IZ4_BGF1wEo)vHT?yl{bmRoNJ%! 
zi8)P*HqA*9uOuCjk|ANNiO&tm4}~q5HuQTn9K*ya7z#E=uLrCZJ&y6x`F&0SUTvVL z&W7p`b!$sOSJztZIS_f%aGy`{^Vr)T^-oC}Joskwj^*G3y>KEJ!;zcvCyb0jRrRu4 zYk)?;4#{aYdek0}E4|#j4O0Bt^UfCp*eH^WImf+ObNIcTY}ml(ciKIY09M0Hue(Zf zmTxl+%!c%CP1e@O#vHSU6VuW>PBdl*(}IMrzLYl%_G=0Yd0uFgOjylUSDD8kd1h8s z39z!RZH+QQCy*pg=37_3if501u4bL_IX^A2X>$259)6k~lQ#Mz?af6@lo;$mL|^gS z7AG3sG!%!WUXbPXKloB7?s~c&or`yKJk3VwqK#Dy1(+fJMc!%IO6H(>Qk=1Tj|^`z zpsvHIcexA?rJ-T)@A*{_I^opefC~rVUg{LiWjlcCuF)^*y@GznmjqyJCnYD70#?Ck z<{PZEi$z}zoc_*iq7zTp)@r)>9H1+O2(WC1-an`df*zGua)E{WR+R&X=iMSBXN_h4 zi&Cc2-8;r?*CQ3xQ5hoA<-}{R|1rF^lN<#DS%FZOnUjjE zu&zwF8?Up;-TDI=*_kv-P~*8jn)_UmYfMU&`BX4tKyl}Q)&Tyl*A-54;SZ*VMKq7$ zD(!DzjAjqga}m3+Z91Ve;9w=hYL!9n^%!VXAC>4=xUqtflf8b9E0rzg3$ z(geJDT83@PvPwr--NS?Ri~;NqR0JuHbP3rY1#a3j))xkmgDC41*yEmgd{By72q$`Z zx`W)zI1mruY`R*8i}B(^Ptc>9Ml0?rK|_tBb$tHpQae&O7Bu-5EdLP`f1#VRdr?Cgu??LMnU;Df zF(53H0FKCbH=3#rfW{i`#-pDwqJHQ)`FB#B21hAl*)au`X**4>>q_mL+pKzav%bg5 zK?K^de-b*+v{2I5lW*uzZwe(dR{#2;*(<)-f&JJ%u^M`P)U6r4S%m@=MfKzfJ8jK6 zFZt4CcY}|LE?d_zibuCf<|zguhQ8c0V6Ra}H>on7A=Z&#w4{*fM``dG7`LX;8N>7^K_u+SWq? 
z^7ZfW#yy(NIDF4Vc*SU)r8zNZ5g*fnBU$JTFXvBZ38D<)*P$-9DFvErtYsUVf+q8ivo&YC*$YbwRe5SCLF^^!}U(oN{&m zHVtGA+*`(_sAC$NnqHypRM^~}`3mk|-+tcUo(b;CBApXG-_z7xjW80&h=ZmTsuXBs zJ)Gm8`dzZ8SOYiCBH@HWCkrAd{{IPKT^23R1; z_*_4mF00B7cH#$=^E}@OxgPjkp9_;-7HBXs+drx!tpu?IBUE7Urp}){^aa<2n&P~7 z&tL>qi&Wb?FqoKkeM@18qF{3}b9{cTh%`^=(r&7;SzugUSsZH^U=`xaCNGwdu}DO; z-QC=(QPH_!_%G6Rg$*<#OpYT*jSX$}gg>2vXJu(|*>3FU=OaLh<`I75dRE_yc%mk4 zQdw9Y7rSCAGB#o2b>%gg=duxs7gir-J{n)*BM1m-q*Df;<*s~}X6CVw=4Lm2 zUZCZ4I=vts{)QrIQriDf?Zp-gINX}vXvE`SQhbu6eOvKkkS5GopArWu>EC&e+3nV} z!_ZiHcD~t@v)uL@XN9I;r;(CP-wn1edcG?N6!hM^pG>CO)8ZbDnlW!VUJ-F)|B<_x zsJtuY70%5y$sbP!@QMz>A?RK7LupmFFz2{JQtGc@cQ z&C?W%fLX8vghK(lkCFK$Ca(^g3S_ddx`KS4Wu7#*z zaWo7#_u|SK2@*c9b5RQ}7c4opaX z^xQJiLYfo*1fz8M|H~pIgS8|fvGQaVfyj{Q12&P`2QeNfDgUpzg@=h>)zvi00p>a` zo=H|#6)VbzDqGalbi?o8kPM#s@VLrw4O-r?P$aj-BYJLQK>Po`4eviX{lrw}pR|S1 z(!hR1Wx_toF+$@2KKx;WWKW;0P~y0|1GT~|eZ4nf*vQR1N~6`9Q-SnxCW9zZ@7rQs zc>bBm2wf}q9;sYoQIoGErfKKg+k*#ix;$Bg>Ea5xy-VaR@1?r_!9cMtxMfYV0!C`J zzZYPdv|zpm5Oe^-enEhrt3i%WMZM9x2AY8}{7;DCKp-m%v=`O6_HN%I%L54~piq+N zviHaS+;l=|0l*8`&hhlHTqF8Z0|p5KMHiD;?qkR7z;lB z3(zZ~0XA0}GHp>~dcbdFId(8b+H$jenHEFseYDq4=Da7Q(>QVB?&tRAjhNf;XSu;p z{LQOJA`@49i*e#JYD)s$zd%BZ0c7_fP@e1Ih~Z@`=>vFqpt;9Ma@5U%rtFp}aKZh* zi}71$S>8HAC+3*6&a44IfAU7gkxx*+=bnq@AWk!0_vE%Pp8R$P*~!bLryg=A&BhIl~scK6}usNWX`8z%_y(@cDN| z&~S)DQ#;_L^aa;zl?17!zou3Nss)T|C4=yu2fe? zP-Kzn@t}IoyP?*NdAz0(9Uep1i*_+cvU;B9WdXzo9YjbxymNbhn-R{Om33}CT|U_> zB@PDIgB|WgisN5fQ5k@*4i5$pfF%c?_bdLytrNC1J!vpllI}t2(is5G*;?gJ=6AWuW9CA05wM&bdpP^Ma|pp4tAxYnZ)>j}hqkS#4z?rtUG6yC+TG ze<^D4p9>FO>)UbLs6^@?9DMOPp&bxMrK9tqiyLC@t8e7X%QH*n9tYaQV(mnw2;`Q1 z9;=ZNXu0`XRA@QyHr&Oe8zq?ysyLpGU}9ArQes7Y9S;opVT<>lF^<-}lo&uhC@YT^ zsg+nUD;9AAt*pmtLlNL=rK+O zQj>^Ce{*Cb?9e-?8+5kI+fIXr`nq(sVI@I2P9Owm08L+u0Qdq<>*=q-BcmCOjr7)z zirIk*Hl=+)Vn6tiG_1xoVDAjhyI9|G36$V2!vYn0T$He8#8^Rg#~>_Ox=6!)Lz8696YK~^*h><}<0N*pL? 
zFHsnBKNX6FIgGI+ZyeJtR@D~r1R)}{1^zB^P$zaoKe#g+d17ggZNX44GmC3@%>73_ zI-H_uoi~R+kbSOBN1wN;BUnm;c*N1*pmrC3>NI5veY-&`USQyAXf#X=6jfDqe2k8A z7nhJ=#<30&zwGm&E!)V~=NQ^hZZorv8}E3EP*#FsbMN-l>URuxRTP8ZIN`tL9B%92 zlF!iwLUIL|uoOo`<23q9N#ayT5Q^7P6L-+WdR%fv=(}Qm_Qj~sGr6*KGTdi2r)PT) z3uGuf$*56P!$3uNAGMC&OHenla^_|IP|3_ZWgkij!hR`9K9Ux~-N0J~6_4e~rbUZJ zp%rP(5ut2{Bpp#=hoH>=IQy^b9Njff{`Xn{V9g&X17fc)J5KVeLeaa^(A?8R_Q9QN zs|Eg`;U8zo2bkf{uIYpBl~?BT5@dcujJxh!PJtyRP)pQf@5n@ljS; zE4`^QOKZZ3@Dl`AI~7OHsrx{Fq8}>ndvT93w1Ebe5YFIWx;rwFh!vnk$w;$3!=9Aa zqc+D!u52%Dh-GZ=D9Pk9*$(Tb{ck`@DB3TuU_1-a@Yy|cRIrwJZAS2NE4&Z?h*!Kn z;jRnrt3X4~-KYSLEEDpmJWfAOQi&d09vvE@^CKcqou0rOy?fi+Q?}ys9j&_foq0-f zuqj3?ejaC0cDjJ2T5B}qs91Pxxh{#lB>s4!Oh2Qn^GIcUq@7OLs#+9GPEHM*i62wk!X9L6qKbUcv;gONtRH(W9hL0vze|hFM*#rQe@SvAmb;gHsLct?D`tINCoJp0}yq^lnQYduH#8I0I3Lk#-M<~V2wJXnn5HlxK{ zSDH92#y-!5wrZxc?{1j6IJozsgN;?p#ZYz@V)1>(93WTHWzaD}%~OSMF_qi?afefp z;ZH%*qXZ$e6c+MJ=mJ#?nYvLbS#@ETccdHSJw$|n<%ml%HTLrD&*BVb8Id3 z@Ph`o<8|%@&(RWXZf@?n091VG+>uhnlA$p$Ie!x$I6FG<-y%n#O;L zjnKRZC>hq#EfvEcSuKz^j2p~x#5OiFRVjZeMcLzyt0Y}sQ++--+U+JJ>6$R`FK zXHa>Y)yK?SXS=Yz6T2ChFX!OxRc2NlzHhawz4|UPRdDE?P5~TBzq#4qpwes?_c=aH zC-bc(OP~4W)LlKi>Gd&3zzR>)N6Fc$2u2@ui^QV~i__(d{qjaLj6W(x<8Y@T%D&a} zRSgj6+t=C!4ElAZQ!c)m9@^mG<$Ym~KliH)6sDYdNxxXxWQSpY-4TgdG&By}#q9p1 z!wtoRfGlR0RZuVpM1~o41owy!P{N-I#(>{eW?4ry0e_o=N+#YDXh6}fwQBIXu2rEg z(TCgtU8h2K7b{vd7MwP-7uP^r(0&vAHKWF-Q=xopFBIZ#xrjH6ab&6+YXSH*pn?47 zi`;9OUsRdCoF?l9!4SMYW1#J%baSKF<#OXhCVMz1Cug;ZJXD|8{>+NCof`UR!Z#AIkTcdf`S64@xUVxrHd-e=yL4%d)LwuVOmhX}7Ew63uj~3}Wb*nJN{9si~j*Engnmomo0bRQl`ao%9s!tN3+>k7I13>S3RZ`erp zFxlToci7iyo&6=35-D`mGi!U0o0kW0XVvB9UyfFLcR`9p;{fuMmXb0cy1KZ)R5UPH z3dLhkQdaH`C+fCkFvWjCkI>djo{zw=dqEALrSzQ9*lk}?-%+-zQ@q?YcYFnm^F<^e zA>;A>%XODKJv}m53}?z2=f2La3^OWWd$w3dOGxB$(u`snd-z8plnbwiSTH4Ld`GhV z#4g4?Ac#zsCwqLS_z&LlQ1JKF*GH9uC>5vd`tpCn&Sk|3*Xw(NgPU8(5V@G z)Ya96UCvE9lElZ+R(bxRlfIV$CymvQl0~-rA$ha8wVGbsdpHP9y_3-4V->_xJM_YB z5B3eN9k3NJyt~Z`9HJd9>BjT9J%#l|Q2?!MDM?8{E0VU7($QLiKGO5&FUT6}tfr1` 
zE{~ObLxFBE{8AepgDcq2g*0KGy%k>TY1AS67Y4h1aSXPQTP_G87FLDVwKM7^@RwWo z>{ojVl=ISomNJ;WkJs@4x14EMSlABG@(f5=tyHJiHx%eZYrR+wQ_hnYbUj!EI<{_r z3ynPtoDR@VF5s}<547n|R--=0Ls(qJRQYP%=~xQ+Vrlpm$p`&XI9xJvJ zWt|~BQNbMkcG3t2Z#haANhO_S=O|psXh|CTuPS@+q&5H4H1&%8W2( zFsRGv?ZBx;VU}eF?}{YMesN&WS6QA;8-;`j@@sCDm1}9UXbvX9X~diB;z^y91^QwR z;IxIQng*GO{%p)#tch6zELDyUPVY)-y6yM`yX|ImfAfI6wMl4drPt2@d%Sgesl|ln zZZZ-E9y=UzVS~ z!`MxJm6K&7k?}kqi*e`8^}cjuWxEn|ZMNBsoszP1V4wu((E}R6fcDwb!^7bnGLMQ+ zKqemLhyCn+oIwOUvu zBrF_olhW<)%v0Pt42&FYm@{I!O;%a$A^h+cQonSHjOI0}a0Z$hrNnBAaxyZCTC?Zv z4X(P}IZ#5Vd-RyU6+c%0bg_v;O)VOSe0Y9EbE()%KTOm z|3tRE-{J7Ngk)auLq9`=(&v%0@JK_pB7D~ulDm7zrR{Nj%jvVwt!$IVmCoNd;fK|& zeA*tgeMOpu+Ele9+PS?d;$rh#)a}#e`Mg{&2Hv0Fjbr(6t}3CGZ+#MZpHSZG=ViKD z`x82XW&47rl!Q$k2?6IK?F8|!DR82nf#UprndHFp&##DxiBW}`a6p9?CIjSagFQWP z-Wtx}&F^&0+wr{WjEyZXaXRqjz9rb1jw3N=1{vkEvU z5aIaypTZb_eShP1FNxRt;_7O(T#o{AZg%$2y{@Cf!#|6nZj|==`n2Rze>OL*N7%k8 zUc!*Q`4me{|F4Yk_J{SAcLp+XBGrvqA$^NpSt^5!L3|svLCDE8!No1H41n+-#fM_?acWrlg&K8Tn)_2KQ zFxKXUp_c7ZX$m`j2SeMju$!NMU~xisqE%eVZF#Jrl$7wRh0Hq%5(p}+)k8d%q&d9l z7PIEeH5|=X4?f{)57mgev4_>4<~^D?A0bk9-C%jxXtTa*q>n&6PkE5mjjJ%4{Ux2q z?A5^#t%r!DekE?J1`fO8&O?pfZ?*U}SGaLqH{FkdsyvYot4(`HIxFkC{)E(u5h@Ol zeGnbc8$nn~@e@1d(Dd8!!@&(%85uZB43W9PZI6kSHA%?T4r~cvV;uK!4VDN29J+b^ zdbl0QkG=%ng(=IhamY$U^vr?Xy+%U=e2-j3Ho*ihuz|)^B&v8s;UEA_IjGN zRGPH3G&(Q!T%{uQ@)tV%0X;MfO{uRQemARlRP=XmkCmBuXLlEn5l(wL?!@3=s8Mfk zZ+R{5)<-z8JBQv1294cRSux8@hK1x;Hw2T!5y>LsWd?EsC}n!CGr~(MrrhzqJ*2{S zca`37t9U7hERK68@ZP-8MaY{@9)4}LaDo^oU;MYEr`mV*-eE=AbCUs$cqhHq^e4Z! 
zo(2$s^MdJHrA3Q+lW5n#b5bK3I&t7=#H&15w ze9<&Qn2)Nt-mrp^1p|~Z3Zn*{;-NS3kIfer7I@%nIPgrTJ1H0U(+C-4xh==P|5sR zESq$|!{q^8Vmon~c-m@Uj@;sa$GPaIPkbTv5p`-y>5o)-BaVy^??jG~taWuYrK)VU z2=P$L6DE=52e;*2#r*xJN<+`5sl7{-Yd(B-&b2jk-0~=ZFj?rmwB711X}@dCJWDk~yoR z#n~Ad(#b+U_0s%nBsCgbew=?Y-nbX&Y1?tghTAJl465z3!@1D8-@k`PMsz*4+F_pC z+S}2&1!(}U*RO?zg<+EVtwr2+mjFTRgNsE=OAA<0gx4eo!345vRu-hD>H#$K=z&8o zV6p-xF8QIN=dp69+r8{)3lZbKJNb1b=>!-v%QWT5nd5-Xt|CJU+;bmE7`Ufj5+%49o4GfSu^=ZDFWi)B&ogwl@h%Ivq7HXGR z!l{bY#s~)VT!=fbc6fVAWcC>ZM;?JUa0ac07Jf;HOGx6fcr z_V?g`n$xfg%rd|qB!)%ZfHSS+>u*{r?u_u~LARfu{t1E;LG3u_^5Dhd%jy>puw(7J zGP*fbH$;Tf9(r7h0Y{!nrte!HSfeXLuo6y|KQ2ww#?(2I$Z0XDb^9h8gJ< zVm<%ZWE{E`RFO!^=Yp}QOp3ZlZ54~fLf@HH#*#vOm5Q`AnKxDr#S8 zY414Tr&!B*Xn&p26w&>)Tzq*{gZsgDzIX@)M~y|rNU+foU96?SDW-aFOxmM~y3Hi+ zB2mp5(J~F$^cNpV*mZlXNqy!)-Fg7N z2xW&K#`6~kqJAmrmrWhw%Sz{S0)BNm_rh2#ro~XYx2yDo)v%LSy@}0npW)A@Tvv?O z+q-SIPZ7AiwcfkJ1Y5A+0Z7xg)AHF|0B40H$*BgYWB*#h2YbA!|v%UnR|31iHD9yc9nmtOh-6z zagP!`YF~QRIp{}}OZD_f8{=o~?9}wD@3l**m|KN(t^V!oxm$IcHHCkKcHZyqUK9Ui z$PuHf(=Kx#KR*vBI|Ng(1|8ikm%pZc8zb#H|CD8TjorI$ z4YAqv2qM(aK^OZ32k-7R;T)NEEA7)nnR&nW?*-Nms(yVpd=tT7bWs_eyVzr3*P z?jif(QImfth19A1I~R?@<&-NN;=k1oy#^>aRId$GyrfS6_Bglty8~8gbm=h*VP0f6 zc?-jNhES6Dx<%e1%Zyfnq4||-7_ZI%nW@|nqGD!abF#P3&+YNiDCF_dJ8Dabgv^m7 zvzLgKXdWTWgNxy#`1BRL)g!``o2*8Q?G&Y!!y_gpmYJE^u`IX$(p4aI{HM~OdUFj= zw^lg@1|KncFK*410uI^Uw)1~ByRfhydCQ@QilP%}Xi`$rn7BAr8M)v8`!`=oqkr=j z`Zv2p4u*#ng!t`wW)2CiujkefdFf^K9YBZY( zo6nJk#Wp<~xP`{Y-xNQC5c2GdgB}OjH9g&wk%1^wAZ7dr)`r@lv_g}fk z)w>A`3FS4>Kkk~Enxer%kH`SYqoPH^zgSA{w=M}2>ygJvtGK%pr`SP-uDbf8kWw?N z`>N`IN4S#MJ-%1O%7fjZZlZVWXL;b8kxvh9_nOR)X-9Uw;EN6WRwYF$*u(pGfgz=hRfk2yn>Z=m zjBk&kGwxItEcUFdtdtv^F)(hQRaq_c#f=teyRTP_(#s}3v<(FUZlJ$^{bxDDgrk@k z)``^8!a~RSZnt3>KsW1&%600C!+nMF;M4xo@sS+-%Z5|||J~(&6Q;#B4H*>}87($vTife5 zZ#LS^2c@rUenB%A1tOOv9!K3FBrNwhveP^uZt^(#VmhM09JB8A-OTQ}pyY|oY^(J` zUup48<@HW~+?O`57D8nEKv) z=cD$|H0St=KFH54In>tI3)Nk0iJYvJwqIx`dlo7iTooq_9k@j_<^CJ)WU8KFJE>8oeeZAqiyH_Ju`DJ4G(yl zxdYvkXQ1nmFFQnmZ(TPA-0{yj1> 
z6227B>d=P(!>G}jD|j3iMc@QSj*tIJUVaEzT&NW4w|kfs_SL|}2*R3EmywYXq;dU= zD`dP@r!y^=Z{4~DAu&mIadq{iEp!jIurggEr=QE~ac)jRQz7B=3d5HnFXlGq+c!?z zrmu}_3{2QBjL8>#LmnNFHd411{~AOQ4*l>>`BK-M_sVhbT)mm*wAfP({a=TR+u-zT z)6Ul(V$gKF!aRpak~I;Rhl3AXCIj3@;htExhX6vE>YCDr_J-Kqu^)VMi&|t7NN5qy zV;FL9FQXLo5)u%IM_Nr*xBOp#~6_ z4gynz)bjYgI5sTyEnmxrgFaR@#C)X{(W(y9HTER(2IY? zh{uzLrq>^!avFXeEF_crG-yhdh~NeV-#5GWhleit{$QQ-7d-L4#LGy_BX&E;ttHqy zS8M}|Lt#;3v1)wLyO;g->sK%fbf(j&b7DQ&tlMl%2n$P9Vw(73ny!!w+Svyi1J`qv z^1zkx?tNH~2WvmeAAFZ8-*1$M}YP{b$(L1tDK#HJO8TKI(b z@891>&nf(&{q>2M@Nj^aL$!|P?~H4_&T18Mg*=bBuXikzKIgH*pRLp=j5f=$MbC?d z#(0&rt_a!&5NhV|@Nl~tkBjrOk7SP}B_-YFKJuBUIjGfHaNS4Ifi zRlDdf3%Q1gbsVq9)d7r{_0g&U7cV;7YA6t0=XG{hr<`i z$;Fl8xvw54ou!ZqZhpV-3llp{j;JkxrnNNvuVR$sUMIEp?#7hh!-q@2l0#wUvWHSd znN>(;;#|9Shu10*>hvpr}PLi&_N+`W5uZw2)sIQaXrgZuuP zD_GLqi1*iKEp9wEgCzpf{vjyn@IT9{y}iAXCnQ}1PMt4TgOg?v<8 zTpX-`wWYRE83W6tu!loQmE1^K*voc1I)~>+Zj9~6!t)@OaKKl?R}w5A5pqYQh=X;Qw)^wlPIYN z@jRCCl=e(HFFIvB4-fBoSN1TFv8yFnwH$DTeL24pF)zUw#&i#d&TNL+dWKo9QSoUM zLHl~71>*zU(mOuheCj$x!SPE5E7Zyk;DYXIarl4PgUQ@x=$^kY?xM6YTGu!jMYZ$~h?NGM^#V`UV znIX1|LtI0d?K{!vm;Y7m1=EU1$p^w-T^%>*CVzx<*ec)@LHzC>;4_^sNJo_tEU&1P(*A5D<101l0HNrTbc%>0aj$*7*%Ml+10q~P z>uf{b{NRU?rd2 zs%{{ij6Xkl*9yhSix(YWyJ>iu3osBeq!@`9V$I7OsC@+{Z}I_25#cv?e6Tn?gc<&>+CEi zBLg}7A-RBpg2HVgqWcluhbmDXOQC!jSY3UO!=j?vc`+j*A_(#EXI59G5MVS3k+Gw{ zwJ7>u{1cs}O|XFUvi~^bxkhSQS}S;t(nt8ef8TiU%N^kWaU?O3LglMTvTMhN2u|Iq z=@I)Zq{)Vc21fyH$b|8{)*Ble=iumD>$sXMNhBHgcjY|<;Pfk0qaNCr+4f$_h4-n!24!Me%^hc3xU!)*UUGoNG zyO6l>iMO;w@r9!zAExSEJwB2T52>UW8N-L=GNIZ#J;mE_2B&d-{m+GB-SgY2sWk7Z z8sAim!-xnnWhpTMaQeus^6C|hv3*3RkvKmI2z>yG*@D>wSnRfw>OukfdKq38zwL~T z=@Z0Tj7_B`lfJ(6M#M)&841bzeWWqz1?**fcYAyLkff`p$84kB$y00mfR8ZD78kaH?{z z*U=Gq^NogX98y0jUo|l2dB9BoA7tEbzWr|hfVP_DCzg8zYyf$<{2qRKSaXPt z5bD>BIB=0Q=m@@>`y$FUdg%juBfjDqQ_DA~GVoNOn;OltzB8!)w`8__uwyVGCVi-l zMZ4BxL0X?qsoj>a08vNL2`y{gwfEIfuIHo5x|q1QBKp56=PFs8ZxMnk?a1MJ zDc~YfHZAav_0-VNP*51oFK(1XK#R>oHcApzX{lM67!|cQX+OBNTu?J+KMk{3ZZepa 
zoqe!6DmRuV+y3YA69nwPmvVBWZ@5*9wDfu7Purg$n4*Fz-j}E!;uT~+bNLr&D~-vs zAbPp! zikd3G*QMaQf)%NO8W8usR=kf0#9`6yK|ZHAP;&a9G; zTG=~>f(nXJAP9ILJqp_k2jCB?#pdQ_>>Fe`N_p9zv!8V=Z(JW8^*-MgR@pG!Kef#{pp}tvUmBfE{0RubFaOP@FFqrcK2L@7FW6536v9-gLLI23wYI+A|EvEA zf{l$$U0t2*V+VknuV2#vP*Z#SeTy2tGuQMCJJ=e9r;r!l?E(zd-!?L)rHx0%&YJ;W zmE{n#_x<#Jo*&<(_@&+==&@f=L-2}6|BQIJH<#|>!281Fv7Bqo@{nzPSQ!2+v(Fk^ zr~IC+9=~+qhM~eg^>dMIy+j*CgM3}-iNQFEdx-d3}U z3`bRGUr&!(QA~x(fXTo1^72c3pA>7gDmJg2&rc(u$O+0*y&=BdS7=5U5yRbSTQR?x z{QM3t=6@4$auK>uENbf|oaz(WN_QTZZLZ;F*NHTD&mK`s%y`9~qHpd`E~pRF5s z)T5`yzS76GFxiJab=>{hQZB~CpT$MNS=`ajS@4ep={7OUipXv$0S1Q78I!BY7O>7c z7}38*2)`zr;=@i8;q7mR1&@*dR0||RFk1iaAeIWgQ}a=gk$1BHi}x&4$uBQ2zl@2Q z*CdIO%T&lknY}}x3DoPF&4$9}C!}FDP0uPYeQ`=4r|6iP<^muM2oNvyqP#K|FjqZ1 zJlxv)47XwSzi8QfC8m!+rfhD)pYglbn>n(&_u#<;NKFe~mnhNH<|mR8jluCltosYa zVLL$f?!)S=IIaya^Z9Tk`4Q~V1uKK(+wdSyEKM(YTtXok9)16J)0EGO-+xGGjQc>B z|D&M)wIa~}dihA699SjgoHO|b+*Q0d%XIF&r)7^vXe*#!|L=Z`mU%7aU!v={xaIK-{QNa!W(qnwjiAAW)NW*K z4Dn{=r|EjDY&6#w>BpmOt~bF#E0qL>N-iC|^E=zymBqR%Hln|~G6m1T@TKkpBaG^t z!7jqyT-o28mP7PLvjR<5myn>jr;5>*zrcJ&9|qos5?`r#m(O$OxF|5l8gs z=j;KWS$>DlMh{4eXjaW+_YHnJCU*ACpXDYni+Xx9pvxTC&dACNxx+!n$L9jH9gA2o zu&14y;}t++Ya)oq$OJ&|#rwC^^t--6-`Q8|)F5STE8obycy?`*;7W(zTC6bV^P2w_ZNell}0iB0Njom!pb31$c ze&NTYipmj`Pq70@nEIgD0`LUn2$!HBTvgUVNH4uKTAcFKNH$rh1~Ll7dnm&oXhSvc z4vz1@h3aKPPA3T}dqo&=)nJwdX-b{o#Be^TF7g6~hv5!zV%X$Ybt&kg zla_WC)WA1y-dq^rwf}l{(G(p zFstWwH-ls*_=> z8EL%&NurpG3m*YU`H~CE4&P3NZSj6!37@~821O0{%>!HF38k#X5!{R8@aEHoiB{;{M9F)N)O@nF|Zm9qd zlVg;s?$)iYk5a~rJSZ->y$!_ppa8GJ&rvJPlUQKt6ZASg1O))RwHEU7kJ55LM&~1N ziwZo{Rcvf8AUQx@hK^@|1e0OV;qfiUN?P=Eqd$~s5GJF_X|g=qHV3loO^(nHnXCs~ zmOAvldkxC~N=6idEISZMFPF>`(e3xtUz&dIT@c9U2!@~{19EVFa}%0RXTZbO@BPq3 ze1QgmCUc1yDzB?c0-9~Jv%uV~LSalW1WWx04?d9#E)uwUOQ%HdDRA8N4GmF}MzBU3 z;r5E&2NOzzjEY&Xm?kDBG$oZO;h;eluqQB8e0+zx7ssRo+6`_|7rQ_c)22Zi{{S?$ z06aig2V4{!?PesP6n6WbmDWaRPeL&!!jmK@PI(VPQQ3E z3oPZ$e$~6evH*E>yKfK>fdC3BEq)Gz63G&1_Q!N9(@jk!iI*;8p8}x@`rWDuOjzF& 
zm6mm|+JK~x&3+vS_|yZNWHA`%`5&Jw^Ri=yI92jj9=7&?EGH5f1e{VNBw|AFj*U1Z zf)$#R@#PD5LeOowK6M+tlQGYY42u7J$yCfl2?PQ?bAu_O>@jGLBt1PnFb5PjaPd*K zl0Q&JL!T)Puvttbo+ z%ifR|@_Ti)m%ZG1b7jv>Br`R&nZ`dGWoG%`EBrO|B))S%GWae4lOG6^4-xR}XfXu_ zR*B!4j+4_4U@R=*wOL-#{XirUju_A}aFYixU59PJ!t963)IpU2YEFo+Fa-|(Xu-M{ z>B|r!AB7edTSGd8iUQDpjQ@m^94RUDyW8zbQAk71yPdWgg+EYxL!$Ohf*Vg@szpV; zq4m`|muIFj=-ahV(EWDw4x}kUJbUzMNeEb*4hTQau8|^bLAvoWqYwUe zf9&}03KKc&35%&jA%PGgDBYl30J4aVndP>5*afIIoh;0qWeSq9!q@NFIfn>CqYguk z3EFLlG3n{x;9#Kbz$!3W2FUz*Sod%T5)`t)uCJ>xU~}2bJfRzh9RraZgp2TkMYatw z;x@W1V=?Xs{R`wnHnt*=V&&w3Smn8eQ}H)YV;OP&1nnez7W$qbfF{tzhI@m&4rc>A zsCZmV;n9E^QPwY4J7bD{`4wj||YJUXk z*<$TF6)i0-9UX9_Y5>#?ab`jzzAIi$7?*BB{Lco3JNnj;WF<~nXSwRe^PQOKIMc&% z5*N3O{{i3?5Vu0cW4fsyPn76?b)NPVM??T8%V$d`1zI+SI`-3p z;FxSP_!bh)=4}Sx(}t3NLEQ6w|VAP_?&*$Tu%|F7QLa!fc5_1e&7nZfpi~7HufPksH!)FBth$Z$S@}DN z((y{T*$-Mk=6kAm=p}D)jVaX_BC2ePh%hZ}3ypU1=mkXm%U5r%P1PL${NN_LA=L!> zIS32T{+NOyACk!Y;$rzOvc2_v0!PbLY)RTh%Xw2P5`x7Jb}*w5^@@zt`0P!K0ZFyjYsb@ z2O;mY`dx?a1fYj0K$WbdbjIR{$gnW*sf>p$08h@QUgn4V6cLeIM%}!!03Ue*qBsay zes$!cUT{6->aLrxrZ)UKfH7d?0gZtDB>F%Yj0(u%UIPMBN$4^>qGOEe0jvOjQZ*l? 
z(Pdmz(XBKGcNTmkhj>*7`vu+)ms^cjKbgb+;xPk2FP77&2h@4cLx0JWjCMuH@j}m} zp^;I0N5=~U;!XzO=)qWydwhIw>Cgd$T@kxK*Q8)T%%Q;mz4B+D4?9KATc&G3#}9Ir z`ucj{m*EVC8XKZ71o`GifjS5*A%lSitifqLzWZ2nObFVQG&IdL-hd(C{c0v)PJ3|s z_HAJKWf8DAJ_ZI}$3wpoc`V0a{}=Kkb#MFkRj}?1OR>YkC{!=+cy@h3BcYFb0I)xs z5Kex;6OvmV&}@c7gz7bRMiAT8gW4j{g_m-FMHVxL93>A%7R(mFXXySvKI9e__JmY% zn)jhMz4`!fvMwlI06Rbh;J?fai2!gJbm-1bPeC?Hckdo65qi!*2tP;ytTR{;OH=v# z_rvKqX)8{+j}8pep%j7dwNO~~YkPP1ei{q~kPgwG0r)dT_57)Pw$Q_1ZrO`Ia|aM~ z8fXz{S|#-9!3;^y7dwC2RkBnQ&UD7Hcpa zp$B1DbabW5mO;M%1QRzm0H4oLbaEZ#*8JdM5D-A$Z1*R$)sX5PHn;N(f(S0s0!=0) zq%A_$wKtaaEhMnf1wLnECiX%T0!VBq_@kqve*g$QnD$OVZ|MX0h(vySV}KU0vwK7H zHi21$lnlb-gvaKUHnY!q{gFSz`OzX{fCL|yIjg8Zqy{4(DPGJ_v5Dwg@SjaS`Y5_|_bjrnejQcfZh68)k?Vn;YJ9AX9_aqfK zl-KZGRtzjb)QEmpfg-6YU-y50urhkkr4+U7uvCEli4EN8856F)a)0w3Ff^g^Oj@2% zMY&bqvHXeMJY`1zabdwr4qE#1?fnxg0$v-koU15Crc1K^-lHR5xo<3}qCbU?d|xEz z{nO-u9g&Cd)R@2a{yEkD);}af|M>qN?R7!zq>Uq3YAt--ZajoN|>?&?F)v8lF^}fFI8}$?Lfy5M-(F-~B|M zvr9AraSfp$b5GMNb!pVw@Y3e-*;VY~;@7KBbDutcde_+dir2N5uV}{pJbPss|6b2B zptR2BPeskT!QN7izmf{)VPj`eJu=lxd&W^o&b^dq9Nn(sZy`+S2QQJx4lVPRB zvsrc?V*=^kSgze)Nohv3h1yCml8M{wA3aXNH|i%|oxa~e68l)I0m@2rszD`7 zK#tB>;B#XLk(eMhp`q1s6zhnn^ujp$&-U{~O1aM#o(;5+NbYLyRbb*YH8P#9I2c2^ z&uezi8w3P2M<`_X1QXMEEcY~djWWw!R7+Z)i(x&c8N4O0yIoi@#xWuu@*qz$P1N(K z{7;l)LhNF5 zGY{~jXEDbtNH5KR!BDYT1!2>gkZcV}x?AunWB^ z?DWXZ&8_9>7n%i%m^W`^qMmD~lv-hz9ccnEPLoolzAWKnT_4R__YLy;4h{}x<&LuF zvy~G1i%l2@KV~(Lp|xFIU74@<8&|t2RO)@z7ti{8&^9yq$+{0vft?*VGhYq*77Hs4AEq0!&-N%#p9zy zPyB-wHl9E#9I^0NrQ$$ss)w&>J6e<^oz2Ru6g}-)<6K@DtyJi7;X?nyrj+|azoeA3 zv;{xh1CBB9;K4}snc92V8cBr?hh_z9L{gjEjuMLHT9_V7yAmd@qTYT~{*0n0MS@c{gv4&SZC<-US}21lCn!@MJ1x2iLe z+@8|8?dB3*nIpUsOg#7f%dI9~5YJR904g|1Phlh8-N# zHH~`w_eb6CAKSL{d;cI1XW8EKs+I655%lbw?b8NHuSkja$D=M2-_rw4UeCUj(|gYc2P*>(_we-N z6>8~l(b~GFMM^~EKK+)qLXJc96cie6nA4~C1_uX^4)@j$@Z{&uKe^3hYND>rev^}Q z?w9-F-lp3q3WZX=m!^C33Pq3mX!WKWv9q&tt+e#a`6?-%6^38?<~<74MzPEa+tI3i zN4v9EH^qo1gMxxKef+!8Dq91i9UYJO3^4%_v%BHp?Q&69y?qCArd-8n*6NQ*1AI#w 
zR5LX4WFtueS0_#!ALIu7eTsQleXtbj?$$9E%x9y}9kx5HyG`2D>#_5r%zO1wrdvo?}tP+aDs3KHH z+;X9a^X$cgRF9mz6i$N*25hNRpZWAGUb$c+y7ha*^-wv=(UB1tNDJPt)@O5MWF(S} z?aZ0eJ*S5&Y}JUO6x#p}M#!ru>D*++FvFx!)NW8ji5XvagKQVr&PB zunAlvS%8adSJi5gJOo%-gN2ahSRod%px}s9ao;W7$B%z?B*fQyEajJ$3Zyyw%#AKN z=qO8JVj4v;UaUH3N+7MQu1;R6s!XTvIjboV{Qe2sX4>igmmnhk5I>bL2toU-oc zqw2H{*1x03BBzKcbxMS3%&eKTC+6sfvyJ)JzqH2viFgAhJ3weth4B>whhHAYCO z{R<4?ayZ(qXe+OH3vaa0T)q=q3mqeAm0{5zVDSf^2PO@8GlA`W8acwsYeakJ9(6F$Gm%3N3ULBKoE4`FlK6X_s(LskJu1CioWhIQJi7fs4 zNZ4uOsWO|8NDPWBROa#L+1~*!>I9wF}W=cI|4#Bv;{ zO5RCNp!fA1u|5?BNn_X3W(G8*{>Rxp*7uV=HUmlOvbWSeU_b$A$sz0}!a`B7vI zxOM!C3k=CgNt27ef6vb+r>9%xXwnrg%+Kfd&J5j*Yi7n^Ft+9TXXWJ3OjxwIg&t1F;1}`iD6){ri0Vx2`I~iC4Fcg|VWlZ4!|N7p?=U=mTLzt2X6rIJRtBqog|xwSE-}Dk>LEw!M!W zKh&e$IYrfSFBiArWinvGl1!rW*S@3B_0)MW4Zfqq1L95-6GG#D0#==dky91T4h(nf zXgMu{^EElHhlE(4^E#D(xLscSGA|h48o{Os+8}EiKvU`HgUbswR zsIUJk^L|(>zM^%m^Lz)t`kRy61nWdhVRm3L%T~|A&eE&e zeIRsIusH96oBM>fF^}n(f1^cj#93~e{8L6t-m%Wc#ud{x>W|(kTzPSk@jB|SGiT1Z z>c*!DSgES3zcwzGggIKD;q*Gnjy`*VUfB8fH_zspeLvn;qeZY0{(iAd-Oe3(X*qYqwFesH*U_oE8#wxDeQUC_~Jzbqa>Q_lNHvX7wwHEt8<<0R7&6> zJvV0~c7e%!FP!dJ@8A%oe*rSU<8LpkTxY3=x|A+jwI_b`TKj!Jj2c4E@!QL2cwfep z=gQb&b41zKptH7u$*ZfYZ3(=+yM!TCttY^?yL9PNnRRc-@*C$<@nZG=N)xJ^rv=98 zwsDivJ`5>L%9BVECKPUCM2%*Jbh~Kjy#}ogv9Lp11Q$(qrmd0OdnfB&_c@OT{zm!0 zhG0g1H%Fx8Yw7%RvSdwLWFHImqe;LntGAwmLs2Vz?XxxkCs*t!!@|Qhqe8wsMI!4z z@5WsBqdOltJ-CTW=~?|n2LarXe0#y$Yx>WhA|uRa$mT~!NBs_{|My1w~`;;w(%*Js)sM=CQkIi#he*i=)m#kPJJqxy%(v1;1(72QX3F8jMx3#t(f zRUUue`&Rn3ac?`9=~%QyU8fUyX-u_6(&SltRCv{I+!5L&>%B)z(68qKHnMCZF58b; zvLwU%@0TZQ8kF0W`wh8Fr6(qg1sBKvi;#2hCE(}}e`tqD)Ff=GC!qHRzEYZqTj!Y$ zb#~0VoY&6nS?gJOH)}2)p_=R6HC&J<^$YWn*uabC5Pt@zP4`%g|6g)6b5Bu=*|L71 zcD1)>Bg-KuNc69MPv5P9&=044hpEI|Uh_9=`A8k#AG~`pCOxULc;Z|4@|Mh3#qa`D zWXmcW^FR6kL_)FV?Zy@! 
z4lG`5()+i0@y!wAN#Yj?`KZ-kf%gAFTxZ#|w~OqJVmw76nNfTs(q|vhBCksuhll)I ze(RTVMDw{XRG-6l)I=4j-ykAn8!RPKeNtFVnn;@VA9#Imzi(bkG??Mm<3IF9#RFEB zmM-)ycsRh6wt*7)>el~xl)l!vwrXLFyan%=xDZ~VT9d=w-QE9S$5~bN0v3;YJzGp} ze7ULw_3z7To5qnr05Z@sL`Oz=AwZOXkm*SJ=a7Y53XmQ`!&NMwey{)Y+`{BN_IIVv8@S!_PPG{n2 zTw$`HVVu2YtkD@n?h$P%JF;()ZR~-OcJIy7*8-W6XD@mQ5vDSVTlbSlG+QXKQ8rcy+RojoEIj zrb?&S7z8Qo3)1uF^-C=yzCI#5!|Na&UzQ)hbL-Yem6SW3ot>x7klb*PQ(V%f?N}s# zi&t_;{8i~}=HyfY!v{hI=?~!giQ$Z}!_1F322qa>MwmO|*IRiis4D-YH_IgKe;z~Rbh~o0~)U3d@CK}1ZjaWGR zZ!s|%aYZQkj=iE%j#@f_?W^XvdU|3zIu3WHqK*$&0x1ayPfJezz-=`{`o+=SLNQlc ze2I~ne&N=}TyL%KcEHwRl7hnZXc-w95_;j+5~*M<0q=YKNx9g#_Ky9pZ=dYCzXsQq zzSA<@gqKDzo>62ykb9SgD`zB`wqY_W#sdU~WX#RY$Lsv(8l9(_ z@5{<2lk^mu)PoZCS(B#y0dB<2o2}-p7H#ph_)gL6&rFL_tu5)gPUc+W+DYh76kA0& zux5*+;by^gh$V|jNbm$)l9GS?I8!~dwoYP6Dyq%;<3sGCcA0*mbHlldFfT`oL#1=QIRvKWzbDAd95i;=={)lMG%>CLq^+PT z%%9Ktbn9@1WAEZfx$VG@IL_9#A?uoqPoL+3SjWV~#K+%p91|<`HC3pHzfolRHIhLT zoZaQ|`an?3(adr^Dt=%`lwGEzl%A>q>H(3XqN0+0mW7AMVX8TTO?tG(+Z7H?N=nix zG9))9JAmbhFS{4#bHFXaPwi0fK~3+R?^(pEJ||YBS~Um1y4qz^-uqr<|4)h|#Algh z$7TJ?;LpL(>R}OA>W_`Hx<{(rm3R_fym-+|oDxROy|>zUaV`cTE9H*;WhNFrKBw*F z(RfFr*U8D%FeYLe9(oDCo!?DiC^At|49IFSsWT+BWQ>fE=gVz%)YZwDSh%^DI)uhq zP=a=YtL;ewO%Zmc1r60#?%3hL3T!=F^3#D^M2^?tmgyhh{K1^Za9;nZ2q7Y-%MonM z%#AxwQ$;;Hhlf+hTvo=!O-xLrQT9vob_DmM7ZqOCxu*khreTS8)NczA!L%Ju8l zuL=qZK;^P$1MBMQHhMOi!f3?B#Bf9v4x=_BmA9DQ$wpkBo13%v<>Tjf0E97;UgUa> zJ@4BvZ!a$~zn#})G11W(-A}j}hZ?kl-Fc0wH6hf0Cs&jVpI6v`C?HNh*|o4485v0s zeNw!(zCJ!Z;aoq4hIX4Ht~8OxrKj^M8}x+CwA7EtHJe-NrGJXqzJQq6)at}$ZO`|G zk-7Y7PvV4yuJwr{<2P$2kph`Sa4T^Nv_>IhQpYarDDZ}en2CBf8m;4pE1jpFo;Y=Z zQGzR49#-mT)N?#d!vB|f62xxLxj03w_g~w7*#IvzsWm9w@TtvKp_C%ZAXin$4mP3x z=1iaF1^dI9lbW0EB5Oih+s`u=t!up7(YGG-=PdTY$lm(!AE!BIXF9&VLULv=J|`!~ zYJY2~wzl@+!-q6HhVqWq@7u_v0D+K0_&mGeE~@Rs15C0uYcf5yZJ6 zV=We!mH_%?h`iUQ6_O_@3No_0MCV9IF8vX792@EAh~QbA zot0zvSR7;uzoy*l%$1OwtjLb^Sd?dnbj7JTw>b>h-ut4#r~_g$htb$(yiPog*{^zZ zC&p3Ffcy4Ut~u>W9`0!}rgyk=1w$d+EcCClp3 
z`g$fM*oogeJ0$`Rc3=rn9R5OXi-R9GCMAz|v9R03d^Vo+f6#M_RHqozt@T*C?9cqU z!JxdvU@wxFX}XQK9+1LVRkahMon1Bc3I7`y>IPtFcPM~WI$-VER11jQcdh^cn(s5X ztQ%vd99yG5nj26Zy*YuXdH(}eH8eC7@?cJ{RcEU8V98`hicpH6wbbmlmKIN3*F9aY zA8&3JXcuxIcOa`lMCvspIdm7w$;w_n?o+F(tTeZ@q>uu!H?gv!Mzjk65*FZM-Sze! zIXU@8JFlSNMpuTkTfmbiH)_isnHI2)JacS_aj38x(%5M1Dm18|UOty&aBH|E*t3sZ zicLAO1f15`LXsR<1uC%l?cP728PKTfd_u zk8oWXL14P-7cPTi0`Ta$Jfct_d9ZpaO&8QBWU`(jBhhmGrHKi+$9lir_1m`nL^Li? zc({D&5|9`O=?F*Zf-l|V54B!ro7suJ^)xMk3PX!4|@I_O#Jo6i;}oaAEW?e zs#rCNbLY-k_rC7{_yp#rHp|Y!QU=uutpaW75E2onk+lZte#-dMk>dCdo#Qt6YzH2V zl+;P@fIWG&=Ss%gKl2_!Z7g7=b{kb_i1Dz8;BOx8Xlq;OFC6a8Q4@*WUkN-O&Q_uc z3_OOQKJH8tZ4hp5yOM5B!%(l>;sNnT*kGnc8V4D7e9eiNd};&05izQEgRud07<8Xd zi8OZhwFhW01Lj7V_W8j2B;x6LtL}Z=nIJ-OqaDn*0wc^8&={y*%nuYZGBBvjs-@iF zzIN>z56?1eT}XE@$|Al%Sb`kYw7rR-iQwpt*EQ?j}wxEG$e?r3pPZN|F>8s0g3;;I zr(udd{0!1|^DAw?Y9RF;_J0(-AC{e>pL&3^dAw*2D8S_o*B^vp_@wLRR zDCurPFlgp!y3hZ-Wh}wPWd|71(D?oPchklYaw%}1_qJDxH96uGEsl>4)l!8Y%sUH+ z)`k9#= z1tp(txn;x=cY%)I9M%9TXTv3?r^N3G4Uu8-5L5RDZj0;-ib`nBf28u;8nQC+Te~kK zgBr4Nevu5sU-1cc@fw?NT1?C**t{hrB|y`KMMYzEe3PLQqA%_kk3*x;7l9uk1Lu0O z!F%3+%_I$>9-We6YiI*I_R*t>a5@3hOAZGzr8^rOD)EoLzh;8sP_6rdHpBslkznUf zrKNKlurJ!1OcXjF%)y+BOd`$TZ1 zZhsj#b8v9mq2LL`mjcef%!|NLAu2&LMlnhnSGmkU_Q&~^>mSah2hO`yzj^Z}@CcvY zuny925R!*+alPwoZ!gKAnAFkH zp`xY+ld}?b<)N@o(^C1wQpI?k+guOu35BW)w-E@?KKW27ZIlXWT!AH~ ztE&rE8(=TRsCgQfG-`XI?GuO|gOW$jzCOCqlF=;G2V=e_ThOPEd11pYF77{4=`8BG zT;{xo$Xq3?us+|A3Q$|?s zf7b@{UrEh(ZI;d`uZbP|JtqS;M+28s;v;!zp8rEDK_=&(@y?4?MzrqAcfwF2WvNJA zLQGN9`Fl@_sY5%j1PiyU1q+-fPt7}pxa;23C7eTK%0dxBws+B_DZ}AVCg)=Zo}Sbx z=-HHTZNc94l)n`*+sbtxWck$5Q6|?!1lsPQ2HS%PxN6Vw|oB5A6T{jxkvERSfxXrzixo$mL zogEcbp_pCfUdcz8Egj>gTD+rF{0yS+KFDNn&kQx;IBEGRxMCCLgc zsyv4o$3*X|^CNJNL`;q~lV+m<@WvlM1_oY`foy-6##8_H?cL&mUQA6e)=VeD#<^Iu zg$`Hfq{zzi`4r-dZAjh24+9JCNQO2=U2RAQBAs9Gc3PiJJ6zo+RowiluY znMeUAdYw%=tI>kxnvzCsdzj9*CxLDReSO5&B~v`VqENcNk0X&@W#ETwaDiTD$J>sn zvtZp|D!*~XxKRYUvtFJ!{={)aji3L=^1OD?f2$xh?>eDlizA$h7s>oT_HO-G;_hGV 
zUjIFBvAfj`7(lQRE-)Yk9Y!jlWJR!xNY6+o$*yj0`Zt~Ckm<8K4bq7Cb0SW_vOO0- z3n~(j$LhhlA-F1p|tpTOLjG)L@isxFx z;|a|tp5y-DAI>S8n2ZD1ezqNOnEoF94L7|5(i$vA=*4>idmQ-U)YO#HU{P`L3UG$! zK|xmppL7A&1R6<%SD~h4%go9Gi{Rk!umWt$$4#$5q|z446IB7-d2{oj{%1Q85RhRs zyz$n&;6E$F{enf%Uu2Y$mZrjp6ctSu^Nvw%`SuO+45NsPIhdehV`I$<^*|jC_qTbC zYX-e?TVvVJo<7~w(!$QlN=nN&QBYjR;oS@E9zc1ZT)Pg5To}+z!$2Hze4YQkWqTrU z0~3(_n?Re`I8~u21o{ia9T6$1QMrxQ?iTbO%6x%&0vfk4P`r)D`$AG?zJ6UbU4r`! z3~#vDL{d~#6l_v(>ttnQh_clrc4e|P`oPWf$_3K^N|pel5wZfXX8YSK2{m($b-T^r zxR@qh755>^>10hry5|Q4NyAFGBS)>${oi*#QPzgufX`7;QBoN&l3KrAmw!e=fU*y7 zLFPa<+XwImQb^6nCyb)w$o z>z;S;0oU%95uzml8-g$L?lVoBKf3lnV0YJN82wi70gQtyAqqTx-2)_GD{*3KoS86~Q zK-MlE8-^kLC_8{mkNXDP6M|nQr>z>W{Mt!~c2iSRAnFhG_4V)FyC*9P%kT{Z#uICZ zR6?3*F66m0&rsmzdcmE?0zz63~vIA`Z@(G%~0=2dK!FRL1$;HJ5ad6{CE}XKpwKaQ; z@(6T@Z__I($J)()g2MobH=&r(XWs`l9GIfVouVsmtVe-5p+Z7{4{lAj#x{trT8zTv zlbs->P}|{+!g286(|7{GwL`tWW!6yGM*_1~Rj5}QN%s4XwoajTK_5rCK4AZ)^Hs`h zvGObp;%ad}sIh;8*4cj=PX99mN;!&mEYwbcyc`{E%18TwFak}ncnc##!(<`HWgPCw zk}*fx5?i%)fr`BR>e?EFLMXJwlnR4LfG|Bc)4$$+h^ZMbW+kTIHvj-xa5ucVQV2pBg@|R zH$VZb=w_`Cf8-w)mjj%)3=9$mq*jLYxcBV7&YX!Yyw^b+ycqBsx4?9ci<|lVy9Z38 zbChg}HJdIV@}ea6a5?D#uwImDy*1wWOzAXn-}rbO>TV*WR476_g9#UJ0V)+>U~+m| z^BLaN#RbSCW@pDMNx2_RcJtx;E{4{&HiH_kH6T6EFa;DFjy834bo@jEau=!%K=!xS z*Ezh;oF@2u1IvS5Z42TUST3i>5%{1Zqod%cQ_|4PPET)a4w&@r5+EON(E|jl zS<8j9XJ4EqrcPY^PHN67@5F8wM80~Sacer+wf)g06k z7F!H#u>No>r9@d)wi$X+Ejv?_z%+-o;7Ab#6AaW>oFc>&2`T9zpbUpc0Qj;m$(cc# z$!5`s`)mNv&K($GJV@#IW%4w^)Au`AYXO5=&|3L=GzbsXWWk%_;)hxuWC%n)1;t@7 z;aFO}FXooe+DEX@#700K0piWLc*AG#r`9=AFrZQaiE&T|sPoyhY3iI6R^5rHfsG2_ z=7yAzF!o}+S3E#-7|w>p!+te@gHh)wjV)m6^V=uQ0_%n{*c$z0bcqCKt%W z&E3(|)MWm?v=k5GcdqQ~qnDwfdgV4$Oy(0`o`KQ754v18p4(fu)KQ933QP|+Kc`5G zA$B#i=HdZ3P#}bZgM(*gX1Mh}eOs)+flaqP*V|%OK+;Gc_Ndw~!Jdd*iRZ{NgO87c zovwa@%=Y%e(uZM1ru1&Drhw ztapehhojHl#vFbYy8z8@0J&x7(Mq@iWBg4XgscS*? 
ztbO@35L0GUwSBY5z0524^>v@siF;{C_i!r-pAGrS_Y722ac|z3yQq2Pg&NaC#2g&> z?VUr`8ml=97k}A>G9oyi?|Q*%%+o4}U+ae)1Wl6l(DMKChnVNd|5g!2oQ3xF%4FKkhKv9mfq9j~AJa~#~K}B7@{p~oI1aXc3&Xw7} zLLIoo#0~%(A%}OixBpz&R7;l-_uE;8FameSU+Q~2w}EWbRqlkg;2Em(P2Z!L+x!C! zVJn%LnZb0xZd@M4K*5f~;|OYdpxU7EickfDrH!B$iRqMt^aulbPiXaT3rc->~sA1ZU* zFTPS^XjugM3Hs*T`j>(4aHJ__bNJAd>!HdNcK>DE5;{v1i3~xZ zSlHQ3FdiM$0c}?iPb>KX?3Iq+CPOQOv$J(~X7H*J!*xqcs4CHef<7=b$~*{Sjp~a> zaW(Mzm*@T~oe3pPj)~-TZE2>oP>+y&U=7u(Ld+|?2F_~kbWT#G7zpH7fD|Q>85}L8vN>^ zAP==nN!VXd1P6zOjrafzSMV>>1NLq*v9Pf(~-qJG({bfaNu* zJD7@+R7H#JYU#sbKlrpMGhkB=9FLfklv^KibQo`)Zl%*?L3ll^EZpNwLMqq=-;hz% zqrH;Q2LKt2Km%U@3tJi}P6s9s8`}#68fYAt5+P=MXa7*T4!8L zlV`oBOuhvi9qa;8y9iB!U!I=e;o(7%1$}jzY&bo2jpn;KKk*fCyob#fbVikCCMU_E z2OZ?Zdg1cS%;w^d0P=8S?qS|WlTz;Ls*|tpK5S!RnyuQJnyX@7tFK5;A)eYxWhM~Z zI+#Ar@oHw-a7Zt$VCz6pEHZLyZS9ucqrnnWSSA2N)N626z%IMZ&OQq*7?Q^ac<_`= z%H0u&5<2;fo;=NbxByL>V{7(4m@MJp;ZL7F1%eMr$ph#$8*vGjs9AG(asAP+M|`N@ zU<)fN5IbO{-V_n>Ui;ldRSI+c=oCDUWLs$OO5fsac<DiMJ;EZQx$t zjzED+j>y@ypa7VoO&p*>p62;rL$+827K+e!9G&UTgi6S@GyfT9{O7r*LELurLjcS% z>MOpx>#S+2R!hckk>58jy%M@Ch#SSIfpu)VtuY5caR_&(6tIIGDh*`rJc0P8nA4jE z%B6VP96j}6R4Ka@xRd?Ik3jb$QUtwySIM9a#I^$NiE0Jth7OMjbW50`dDQYW^)P8a zEHJaU1Rj&?s2XuEdDv?Ikk<2ZaxE2OK4D~!yA}%nKBo+JV2+4MSoAD{Oi1=R6KYk= zaY>dyW(m(_CH{AIK|KS4Y?yHkCFZ^UjbLouW&JG@N!Gv@UVa6rZVChvdDn;g+V_g0Cs}1#$4Ig)bc7p`f5ZHtVAYuU5++ z3UMJJq1(6n#>VQP=+D)rkAZfxT(2`hOt3AW?gM&3F}vs2k|ucyW*$uBqV6YPp#P>v z-2I>%UtUo$@I(+g1z^7B2Mse9+>p>5w8R4;2iu2(5Pm%QksXBR>nK7ymTn`Sl0Me! 
zf4`g{^%>@Z(Asvl42qtQmZ%YL=Lbh>ml4HTV9MGJf98e{VCO?aRSL0epqigOdlpwa z3S#1e?#E1=AVO1G-tFo9GE{`XNLdEZOG&wc#Y5!-c$0|N>LV%^D6sY&UfePxCJAz00!I_dh4XL-xn#rU# zeEgw!0OXLCfngM&UEgPW)YH0keEb-U7Q)C^odDe%h?;|@jv1cLw^LIxOly|lv2k&ZWGk>XA)$e3Ohm_@HSnT=&a}rXdfiZ#&(?^XS|uh&b@v7)_RCpt)WWa^2m#h&nmCw?3bmWX^ik!pWP#s$yfa1oC($=5W2D9ISKgOHrfoC7b-`LR8*kY>YyNY ze()9|S3O+2puGRH2zV|CmA+7WVP?i+$(XQ7 zt7Ws+wzi;YT-DMN1YN%ac>Nq`u&~=^U`e35_^(Y)2@OcuuyExVAcMK`mG=k^$bZ_O z`gv!r{NHHw0-JRT@sgsE&%?u`sHo`9CTRu?zpAPVcq`~1c=qRuXY&a-;;^$aMaa>| z*OxO+(YE5@eY@p+XeEMy0to%f!ss6xgGR1*IXMQHgnTpC(4yWs=w>90?Wtl8_(;gK za!f7~PQRm-k3igcZlRY_ZE}7HQt#h6^~NYD)(@j65pNp)EW4le@?R4R1kZJ6XD2+I zBv=ZbgX#g-z_`{&55tSdr3Op7_-xQuX!DSSr+~no{0JRcLqkL0vnk5U6B>4dA(F(Q zO>D5c+Zjx*jf|`;vte+PKHGD0Ie|+6G#a|jfSTL>%zXf4feEFY$TtbSEF*vb;Irw) z+mBSPLBX1Vo*u^modWQXO1 zFhN%(yvE8^0x{}2=4}N$1nkW}$+vA$ySHxL0v);s<*iw4I#5DJIy!|}lWMn{&`k=1 zA<$%9U0oL!ex_;YYy>U5e*jh7-RW3(k^(5K_PpweyQe=jxo*_dh}l*k)GeWRtq=^s zbCR`FEm7hW0DJtOzP{v_yywy zf=j)i4*-iYpfe(HVovZ-KvL4=dUWE!3OGd2_~=+V9u)ES7+7FJzm9{ZJvxLMX3<(Z zRGYg}rZhA(fZj5Lyp0)>5kfzNyg?`=TK9aboc{gW1qK8$L1m9Po`Oal$WjB+PEM;( z00m4K2Ur3#NfOjD2xyQ8UZ#{1^CBprT>kG99rg3}+GfRDaJ{G$h?S_WF+>{{~v>bA039H{ksK!l4Zwp9|YnrYQo!XJ&)I)}uoR?mWj2P}Y8-M`|4;+aFOPT(|Cww4|q4iCH2%gLSpDBx6L7$Je zx8A?7p!-QpZ7tNqVv~|ufdLWh(O2xz^3yKfuu34h!Sp0R1BxtLV{T!=mOxw(925>@ zKyv?=e<|Sq9tr=yW_E9Zf%e^rApA9gTw0PwGAY{kPMNQ?UdUL{hJbs4dJVU1D+D7@ zzXK0Yp~&(yf7FD(=IC(eWJh9Y>f-YrG)9xTY|gtcY!MF921sB>4Gs@0v4j)KjVw~{ z@qT^frlT@ePf`U)rY0v}j?%qy_jfH%_J3U>0j%jP_GMxVtSKFuN z3}Xwcc}P-)$=p;;c(E2|pn$M5a@y3CFy2f0`Q^z#*=`7VdJ4r`z@w!caUfJ~#(98N z;YlE#Gd?XYU-0M(s~N5AbyK}~cTdlUd2fJ8_^waq85dW0n83_tzgEn?aAC`)JjC>+ z6qC-4OD+ z?bsteTH(knf#^AyH2|bJllwR^CW=thly~(pMf{8~R8dj0B9j_ouq^J< z%qgZUB+@Jt@nh6%fB91hnH{>iG5w?qL5B%&aZY;oJYdTxE&?(SOJsyo)_SpNtWnjKMmf!Zh_I-kSJLpB8qT)QXl9Y95>_T|8%C7=IR~9y3v`%n$MLBH`e; z=ouzVsjy1gd>Lx}rZVWW{UXGv zw)&V!VyvU5>(r$RT(Pp*mvL0ZRH;8VL<|BAk+deEn#!{JU!l?P@!bQtV0Jgeo`3*9 zntNxc*SfVnU~kDRK7XSpWxqs-U{>e(P1WbA$7xeYcsXIVmzz&_w$?*%e{+@Y(L;SP 
z&qJlO#ib=W8p$))rFrYNUbmJVYFm!f)0%3-Y%T7%xMIzuLsD3pgx6tGIbB2qTtR_@ zOCyz4{PG#`f%f+xsQdhHFSc5Do=|l4N5uJ$r)-Q;yxZz`E6??sGfGHF*i8$DXJ5_QUISV*}tB(c+z)oObt$)=AbOf>+ij zi!TqQ$Zn^`yL|OR;I5?Wj4fdSlE+vxoPnKPfcw_GgEhO~=YTk$gQn1|kYFxq%?sc4 z5vhxWS)Ty8u580}t(C1UMiIB|4Wp}yvN8;&XmHiIa+jNzw+49t9d*8J4m)9$dA)U5 zSnkZyoGeo6{}B;t`Dv8J@kH3#dJZl9B<-dML z6`B|z`k}?@OiCAJvfD5h)Akqi*{Tqof?+}Z-Mut@i4SO1Rhv_Ix>mb@Z`JEF*@nkK zvLzR7E*%u+RfiGny-WL>>j^0rt~(#}AEXc78M<*z&QrQt1GTVlseg@aZxM9=XU=mnvWOZJfi34E{R!hL z=N@Qi(7fAQ#V)#ojxk zGgDU=C~a+0)De)*zdo3Qfq4i4%k|HpGMBb#QBFt9r6kv{eP51ch1roIWKtEOR14CS z$*A9{z6=ce(H%Dl6Mo9}3uUWk5^SfV8Ahi4-@m^{d)JVYMSrq%a#Ddtv&uZk@F$k9 zCO>pzQiRU4osTQM9a&Ckb)qO>#JFFeEj@II5CY!Fh(2|DEDrBKELQeP^NVO z=qfuhP!tIPc@P1uAa2KROp7)KunsGemO6PuW1Aq^VVe8*zfCs~Hl~b>vc<%8>2b_~ zwSit-4LS=_N_PNJMmKFE5SWRCMisl3z(6LieQguFQb-w=f z{omolAQ81298DNs>V#Y;VRd1?!qQ2i+-q6Xpuo3FW1`$;h76fqb(8UY zc3)LRuaAs4(LiyX=GCmsxY_)8vS*4U3B{7i5Q}o3xf(^!c2Fa=+kNVqUNQDjM-0Ve zm2iRHsyq0J=&;T2ve~ps=@Z;ZNB9j|E6HPGU)bKBhS*h!$)h%m8wkXXp0efBeMcLn z?E_Iys_puzy)k9%X#Kt7RgoSh~M z%t)tCn}%t8l31Q=HuV$!`BVIKpWMr~NeK!FFRh@_!Y1|FpbY=q3#;yw=b%7d31s*D zC3|@l{)XoB3g%=oa3!S-PqqwM`-J>hVWFXZHq#u3mnrweRdQ%4L>}(XM(cgUH=oR}8^|zKfMc?je>+E_6_NEp) zdv%WBUqeRBkL{|k*u{78LZ+{mHrk1ZB{jL68$P(d(%X({c|Iap-22Y7;nA*!{XB^< zXO9V`zEQs`u}S4tylP=jN;vL=d*5hPZ|%Y4e)qR~>*d)kgu4}5$k%X6$3 zkiO+7VN#+pi=)tJ{%pG#n<%?r`df^?d^Mw1P{vA4twy7<2s2~No?!{+~ zy1mUPnx+vVKbMnMhm*8lcz(cKN-D=rl9UwgI`On0`wcT=}UCn$Fb2yp1;gvfa9ek?FC zGU~8#OV^U{{X`faERDZUE?(ktwG-1Hw6ydRIMN?9KQhzk7Z-L|vI+lDr$FYz_D)mc zDYEMpa0jR@8C_Ry4T2Q3oqbz1BuP`Puq&y~szX5RWP#MIPRXm~;}NE-M^y<58}K-L zG`OjhAw#CN_b#M$i>@)o*sCF~eg12Op8!pMjsynQfJ3797~ z)tUsb--JZ-sD}4}`y8#KlM{6aCCdu#{opFM&PLZdieZ}z1cLW zE(4JDe39$(1GUWc=-7GD52fv8#A~f?<*{B`3h3X zUqJB}5SP>R)Z%`|Aq{C&DJh$>4a?L9*UryaAZ3fMx8lhAC*frS0RpEbO&N1Hp=`Pr zGe!wR_Ubh+d8IwFvptoWK#_rPl^ko9s{?TwAt;sK5VNu2ba%gij56GqsF{+gG{hDe zNU&dr*{zQV_@35oPWVAB>?SMWa^K4n1eiN0tm#_|QB|MRAwEZL57j9P>}92Tu#)D&z|R7} z%@t1ThB`X-*6bV^^HxdHEch(M@?mIbOZVq-%6_~LgFZwT1QJazOv%>krs)i)PcVE7 
zS83C+Rf<(rFSsjgFJOH-&-%FL!{+a=Le)Yb_JS5vS=!EJ$XIpoDeEkQ_}Z`ZLARRu z@$!rn0#fbEz7Xtadxa{^bzpir9z8Wxn+Cp!NQB*}@<6{@EhB&WGA4T-+oEVMROaj(X;TaGo!$#2?WY7PKvLDQ)4ySZlkFlKctDti}@g|_TH4E z@I4i2_!(P*lb!BM!C?lR1?ZW*P>S-yrNL~)m4G{}5P42MAgN0C3CBwE&tF{^{^Abv)pOOk*7C?U%J1Aa` zNennx1yZ?LEyZH$ppceGpX~7%RZY!_^hNV2IXz-;2_MxT@GWguUXkSX^+=1xYV8Mu z!NE863GPIobM=MOc$$wZ7>*x)MoD(vp&bTdYn-%Mf=j<0vah#CPV+Q6JjRGkZlk+9 zFLHWhVB*vCf#NR;E4}tc?r9Ho=mSy+_#mqqjmGdtkW(a=)+CwA6(%QB#~PR&E_%iW zrsoDf)V)U~)y^X-I(%_#X}Nhswq3^CLh7q11ne_Q-K>I?)llW}wAuD1d9RKXCIXVw zuG?5<)b7YS+vi85zI%1;0L1c`2=q#V|Hnr5>dBdZIr?JU)GWI!<`Z>kOPNl3_)n;X zLN$f-%j;`l-f=b(`M?&BX z)>XtH{pQCQt=#(&AFmN@^~hQWxestZzBV#-r+f~;VgE+{>j07cq66UJADKFsW2Tm& zq1*56&@($DUj3v$eafebP)Gq|{T)0TULwU>w{8H`k|N?88p`1?+WK?x`22C8x5_u( z=jwjHR>pW68+h1XL`~n7HIoI~9l!sp{_jLSocku@De{vZ?;obp5>-%8usb3^ASi=` zyqzGUKIIoPD$OWCfe19EI%th2Pj78&O9N^waG4s?`o~Lry75$08KkloEw`>if0RX* zG7;snD{}!uY!p0rl9H93&49b{heQQLed)?G&x#dTfz={fomf&T zyp@%j|DAl-K#8k?#BMoi8hA%GCI7^Mi(;S$VNvChGSwh%%uVB4S5C|tHr+^9ASJJj)hkE&-1-oA9?~^h7bO{sBSlc;#CwAV!-rh##Fk6*$}NWedz;gPhUJmpwRw z!0syRNDF+sZ!S(Vt)_jLTGPyR3!IBclw%Lh;pCdl#Yp^5Sfv34r);geRC=C;AQ8-9 z%lR*16bQZz-OPS|^Rm`SuA!U&!=~>)8ZKCYedX87yaO+;galen&Rzm*3)jPmanXy# zWvRAkXQ$cvgH(Lmozd`>zVyM#N=#kAQP-(Qtgx-ZJt|aAFiz6ibJ`3S{RKi@<-OPh z!%dWVxJKp94qSWi%g3(3UQ#SORi^jZE92^!$yBj|@wRy2%6z7)efSkpw^!kWPK}qje z^|QmnN?Xmg*3ILWdlWvGBY7migr@z$RZHJ2t;{bjAi1Z9KA7H-=?3X)`~zlZcbp0t6wO3 z^gw_Jl!EOMHg)~2FqxUp+E>!amSnC3l4E11JDox<^-B$Hsx_cM`zLh};&m_>tXFAJ zocd_$O<`eorjpmGx2o!zrp#4BY^>kjh*W~#<@aLnhJL~JI@rU zt&w1mMgn`mn|Vuvq^Rb_UYRS1i~rDv7Ga$GYHol^!SHl_yrHx#eGzqR-l_vwq@?Kb zy^ew)Y0ZrUICf$=(dKYNs#b{8`LyCzfQ$=JbP4jGGnHy=Ae6G3uq;cDQ{v4y`7TB? 
zDERonPqCeyeC=Ib+T0&mSc>>N%^UocIQcgF(#fg9q1mVSa{j#G&u-m%Q_Bv~%s>pw zjp^-+0s2PA8#eKh8{2(;Un&a)M#4%;w@N5lI3a>LMi>ueehKa)eD?!Y2 zMz|*YSAN*vUr9G`nDR!k|Dizs&b8u{kZ9)EA1|s^6y5?z-ZPlT0N&$yEvH41=O4NOq8xA4iJ< z)CO+kxSyq`IBIv(iDNt&CP8eivr1tmV%k7gzh*1 z@2n|Xt8qm|0dfufn3&jhK}-TVAS)Q;iNDQu?>3)jgJa-LQo_;jHaY7|Z)brfg2X2Y z^J5GT{D#mSK3X0?K4h8Y0Eye!aQr;}q~i(Jz@Z7yrb$3BE$I!ohu$fu27wY~(n|py zq@gEraL)F;kO2C}()gcclYcJK|DCuej^h|33gZGYIe;gxh6bEd9EW@My4xD0Q#?;K@bPto(?tnWIY1Wzd1E_o7g@Z=#n<%? zx=bV&x0Fn5jNauH=)w7lftRCgu&S5hU_cWCTNNHwx;ie;t%`R~wC;3|dS|)=MI?}x n?RM9nIoKu}ApJ+C^NNVkH(c+Q!z_>*K_C?c4QP@4i#PuPdNp+R literal 0 HcmV?d00001 
diff --git a/lam/docs/manual-sources/images/configProfiles7.png b/lam/docs/manual-sources/images/configProfiles7.png index e2bfff4f9dcfdce4d3865849145f07fddba36cb5..8ea5c351b84d0926a698bd522d132dcc115e5ee4 100644 GIT binary patch literal 30425 zcmdSBWmsInwk_HL5-hj{cemiK!Gl9^3+@h$Ljr{0?(S~E-GT;pcXxNWi|l>Rm2=KJ z`@HXaKVE+e8k*|0x@uL;8gq;>36z%=M}WhD1A#yYk`f|{AP~d~@C5?{0ldPcgaHLS zK{^OaD#O6QEUd|`0>8rAN~k-4K*%Y;m(!a?EJ29dwqnDD<1Zmi=3M$u9 zX$T@q^vNDSJ)tC@zxDGGglJBuL>g(?Npl}|H~6eG%(wF+V{+sTu^+N-S#$A8t}E32`IeFF{Y#ZWL-u5e^Z zmXFQguL?czp#e6-9R^H&LN*cbQ3{xTp(RQ??e=++k}g+#ZIO|=gAy`DiX^)m5h!QWX(o;Q zDHiTn^^4hv8P|yu`fn%lI;zkLl^aglwQ-ZDNyV>8VT5xP`wf}>g@vNXgpjou;=9(U zVh5rr%Uj*90!@?Bsl+BSl)hXxs97svqTFtD>_=&aQCP z4SGC4AmPl4YGudGzAaL5{d9gw*R*JCe9w!`e!t606LocUM{dvGFzF%EUsasbq$%>L zitgk5JAZLGs8&~A=sTonE%M*mO~t(%GJ|o`91=@!&BiGRKBtdgnRX5ZhP4J6Avsm6 zC2l(RvpYPzQlJP){2wHOW~yk+s{`8IiKf^SpIU=nPIdLp1_#NzyK>!Tm$AIi(9+Vo zR31j)Iyg$9*y&zJ>*M_7cTqWX^lQe-c6NK`7za4V!qqozoA#oRP71AC=L@0iR@lH8 zGrwMMlb3OSvXDdsEDaLegup2>EtmYNV~yt9;P zs%&<&wX`%^Pd5uM=t#vW7Al*1M{jR6r~Fi3`+y;QZ?Lm=Ez9qi2l=P(3}`g}uI<4q zJJ+eM7O}&_^v}#Rkc^!n_w#DW+JxkuUGjdzpsJaa00p1dyZHH+CpkxY3zPRm@y zLS-5ZIP&z7X)^NpoupCI>RPMP-};G)g>-aun-{Kd{!*FprqI00Mk{Hdz!?muiWW}8 z`R8gqSB8?oH379&D;&gz=m7?XW@gXc6W{BsR`RLCfAaFUO(J6kb1|5@ocji|y?Z$t zV07gzYw=8`3HKtnKVxir%v^eMT4n9VgrLuQ(jc6wrhkMC-JinjOR`YI?W2>YY$VvkG{Yk;B>i_8#@ z#YvQ*A@4+ti4h+M`}RITv#+lO}I_maA1S&?m+IT0JyEiH(MoI(XR2DAy7G` zjN0Vmhgf&U@=hNFUxg(D)erA`2IVNNXY0{GwN~Z&t56_*oa2{Mufe3L&y3ow&r>r3 zDuihaYIMe5B9)(fmT27nPHtUba-)m(Z`u0`XDZW3MtRKm{4~xHiB6s5G|&3F)F^)E zPftLgZSU|hX34`-M@vOj;vuzAYej}?#%5(~G-d5H2wYY)?Ut7Iz;&?OBAOzs@K;!q zdw@?SWS!-`*Tl9!F;e+3x0Ai+6^(Ay(`v`Y{y(q$$%wLZ5Vsud=7A@tU-7z75os)4 z)Fp{xZos-PJ;f!pp7CTm?VQm&fc0WMI3xweY5ptl^RPhWx(TdQZV*{NxJJOht*f7!_XlaenC+aegUd0WIK&i<{<)qaDCY#)9yQN= zsk|0yJsui)C8aOd8+Pv;;x6=fRuXv$;>C(d{1uC*1fCubo*^Sg(%V>B(4><%jiE2lwk*KM+$8a|@9wYX&K}HhaVk${b#W}j zGZYpcKOD7DR2+wa=nS_eWN|ZPTZ^@6c&x2G0Q*CMXjRHqo)^5n`LsFq?>KCiMSNyi 
znc{hc1-Fg^vcEgO`+Z(;sIsBOh#C+#p=(gg+?+@Hlp1hbv$ut){7z7tK=*pz*{sK3 z(~9D8IZuX`Azmo}6Q{Szq~Y0Dn0cc7fG48v`~tq^A;cx_3e4u@TuLx&dIoHs=4%Ob zWu?9*aw~Fgx33%1zg+mVsj1nTub3RS^ju-H##>lse$LL-53(|bT|aHirI4pEG1-m} za!pxRgokJG9g-Ev`bDn^mP_PSY5O`mf1}m3om}~?%aHjlsb-<~t*5f*)4&`V(343) zG9%HwaQ!SKPp125eBRdBFq0|X6SB4OYX-hv=PSf9Cbl=Auh_X!tx$;{39UK`-Lk+|hi=PF@xNTgOzsgjR=*7;v%i>G?;X#71xZE;JfGHhZM@>A>iQnc zB{#X|#dAb@?>jWV9$)A5UE!M58=5f_gFO-^HYk||7gjFjwm=^4uS=3Mzt z*SJ(lK1qty5}9iGx!u6Uk(q6^4B&H{g9?jJ#);r%KL4SL)j}Ab4@r&bUyDVKAuEt1 zqK^GeN8j}q6bDYl;&^EsO<>F5OrU}idCaQ$$UeT^t-&W}>@-yy(&g4~jwBghK= zSSimwG4gaQa04ym;iqip0&zB_J{m*5$;ev{3x14`QEm!0p#1yC=?DW#t?7kOdo-!% zA>pF=r}RUp-dALriCNU~3ymET283}Zpd?8%NLR?O{yNg~!ISbU3Xl722&R}BBrl$Y zLNY2X4+2{@y5%B=@8I6Q0>pP^LOrsFJkH$st{f9fJ#mb0V&6;bA93R!{VMG0L24rw{fbk>^j7oqKyb-q<{0%&Ob z!QCY%yRR76a1ssP;rG1FAT%Rk&w#jtzY@e;zme8K>>(JaVaT>$H!p;D_3ZsqQyApSjG?A4ddFt_QC#s$(3)c z2${V!<>3atKY)Q65-c5ueM~ODqjk|Pz-Ai*6Uq2AH8mLnOK3+u zG&UTcXL!s04&n{S7??E5=^uH_o|S3X@+i2aWM!v451~M0sDX-w=JhVfZiJ#FZnDI_ z5T+)Dzcx2gSSDktcMr+P$y*#uusp@bKCoWU>{ki}Wr2K%e!5v!p-kTLn*#IAe0+Fm z17B`+2c6kUCKgK2nRsGY7<-)*XN!CqYzniNlU9XBiM29#$=PL=?53sWm8 zu#O$3WvJIHsXYS%AN-NS4c2$BYnLEz4(bZf*u35$d$KId%O&u$r%iML<}p zu~7Brj*N`__V+<4n^NH6W^Zq=sHkXYnA6tgt)@2X3yrkD27wcNY=bWRgPN{0OS(q` z1?s3&87{Z8JMPGMgna{rJx^H;X30;6Vb&z`7VJAG(Pd`2ffG4E(KYJ)}+pJT=A}K==bmK>@FM*b_pGrTJ1N0KTyi*obIy~ z<=^b?R>gxK?S6Mzi1-gA*BxE~uhz+}&O7la)5O-oQ)1~_>As!;AyFeU8!TF;Sg2C6 zIJ!VNny))rSdeh-!D? 
zht+g+D49c)L}3ea*U_z5rBp1OpvCQKpV0fUl7Jzjauo`HGAFgE_p`eZYc0o7sKn7^ z(zaoj7rh^rs9t9_*t$24wr{Pa-j%$hPb96CRJ7n-XiVzivV#`Us&0eh?Qm(q8_4E5 z%cWv!0RlS)#`4p3|0n1h8&3O6>DZk#e*7lzO=ER_e62NXG7n?P0QXG!N&}v|>0Z_F`+QxUfb%2XBM)zMB0)ZWK9|Gxc$t8gtXzxM z^CDQ(YxmU5!Xo%jC6FmBRv(NQoZLOLR&yi4&MqvBB(m)6j%CkB?e6X(2|SMW_5JKx zyS=+ho-L#y6g~j3d@osr}nSg*GsgqJJZ7`Lm&Ss?* z7}g{f6ImCR`dW|WW>=uW)BV-MesMYQi&AUwfQ|CwN?>ZEGviCp3s2=e2LiDtS6chY zkyLCyOhXj&4vQ4IEel4}uT|$HJP;JGn+~iaSpFn%pza!3N&a{+IGA*FtENGfJREiIg4zIL|GV={>WfD3*>IamWET|@C!9nZ+*^pT4~Rt z^BF=2Ia2;?adOUjR*+`SRrW1cd;=j#!+)G;EPCBBoIgW`>NSG~D${*O$^?q{N z8BQGm7W~nCO&}VjPLs2YQd&erh1oUqF)6r4Zb8Tf=0`lqBhY&1QiNgppHsU)uX3}cUCDks8iFDPN#$adQ&V#x z_j5dhPO}=%nGrDhNeHB**(3Z9CAw{1^Y6T$u4c}UZ03F$b$oyODFAWm5Rrh_<#e@U zo}qfmcqENa|M$;xN|gp<@#u`fBsO>@G{Zi7IBYFUb&}j~=%AlnGjBkqIdrqocvhTd z<$VP_f{IX}4@|_Q>DKh^Y(0IpY>LiV{kW`DaMj^I^*)*puOtp8`5JzFE>?0)EY^_W z_d>rY%Ml5dEhk9;i|Q=ETpf7!$Vy2`NlQz!E&wswpf`-(oAu+zk0d0*$*HEtAr*6$ zxVXvup7)0@Yf`U?*|X3~&TQofx3VPw-uN=!_Yrz)}4kF{`Sg@wzb=!;N5k06Uwebj}0 zgS=kqSiL4NM6N3SO;~2)(K!b+b4c`QMuM>TXnrn8M4yG_4G75C=W~9~%@GT<$+MWA zZAyyyUM=Sp6x7Qk)9_O`an|kkX=^XU$H36j4}pl-*oq0Vtzb@Aob4~RhlW#mAbmtg z?heY^NJvR(r5(5I8-g+E$KU(y&i;uY{?zDn;Cz3%7ZVc$35`gnQEdv$@7EM*s#tYs zXoxl)6%%thTO5c%Nbc_LEG#T&XlO_1(KLJKba4YtMXt-RK!4h6suTlb{p2A8ydvZ9NMy|oCJPV)1;2I&w_A~N&&X5oiIWs2AV*%aQB-B}eS zexvi}(Pvb|Dd^Eo0Vz)3=L^sU0lBlYHpq6VspLPpNgZ`>Urg z!E~v~a7qJkx6mkMUnj8A?)J9xMo%csLGSP1AvkR2tL@*0hlepSF{LT02F!6%xt;DG zPTDMRQCE}jCu7vlr>vx7$t1^oGEfBb-$WzURecx(3(26;ahvK0Dp(DoPeUlKoRKJ} z-jB$#S~&h`0};7Ao<2Sbr+W!`K7@akm3{JjSP*Cx55@bv_Th>UnRjdB?M5$xMTRC> z$3{SWY~TYD%yT=(=JQi;TZwKSbvhHD%i!!B^MTEHyAS0V z0mYfG=qL%lP&p|!wg!B%91#)G-Y%%Cs|)%W5`xEKEWI_5Egl{g5>oQzA(}#_(S9pP zjV?|qSG8Q{Xf)F|&ttko-D0|g%l*0pAW9_2III_MFDK;K0<^TXySlo_Q3JIYyn*$) z-W^s!T>AQ=j2_7CMR7I5;eA zHUMe$)jHF>Q8)4L&i(EZzuVux`t;W-N@7ni!`uzn>S zJw1Tm*v-bthN|=@CMG_8`oySJFPQyh&{Q%CkJ+&A`e*?X64D9JeHOr3`ught&I1s#BCXGqZM)F1c7 z+2uwpHsMer$M{?kxa(3bP=*SPSIX}!lnM&C0YeZdu|c0AdXXc)@r{8Wjs$?O`AjJJ 
zpT1)cHVjl+Ke{NG;H`pWzu98S!|={EZJc^#}cb|JH1r z1Uoub|N3o1FZ7PGPZMvGo`EXYWHb0pdqXT-en(bbw_w{_7{<(;S@o0Gk!Ye2K1WTekz z%%0HSk&ECPv?8OT0F1c9F`AO0aE}O`+2b=Od4c6gp+gesv^&dWYZ)O(Gz#W~$(*OA zr_9KFrR#s>}h$R<<}hzbLhmX-!gvW=DKg537Q90n-| z-R6Gj2{3x2Vjl*`rw~?H21_XW4M-FP7=}!-?{ktzj~A!>pqOs!`0kfCAXlWQOMGC= zzLZLc$PE~;3>jku?cRsI&7AMB>(rnc9AIs$WqODbeegp2W^#WxlUo~=0&&fJfS7uP zukm?P&*tV(v<#R=5T~K$-~OMoHK?j+jS5Fcx6YHfNa`P1O{YkEqtjP=$?W(*UtqA` z2d2OTSM&{V;GBHAvdcBJk0SfluWYoX#A6`Cu((r_toYktqm$5Z_jFkH=mVGIJF}vX zTjpy^YA$vN(lS^0DCU-k*Us<8VT5D-Mb%>Z)o8zGw8TnfD%a2cS~{FF=I!i>frHOX zuIPXJKzE5xD$G{AbNIWz`$l_fOV=9z$$+6pwZMU#p#ykHN=rDFlDi4&}Wi*h- z9$6g3RlJ2){URYBhR21^`<$IEKBDZZFE$^GdxoN;qpj-IbjC-T$irv}G(@W!VyU#J}9Agw|9QeR{LfvGJX|vC+}d36=mWCgD_< zTkQ_%UgIh7M9&7y$M2=3rw5I-lj#dBN+6)~yc_!`UL28ddw+AbTrRypDc=#PFp1sC ztogh7{rDLUn*dw+zB{AG(|z$<_~sT~ZM+4!B;;SN6FufQg{uno=OJbjjZS-uV^c== z)pCdgv*qp)b*N~);RudS_LsZUR~IA3@d7yyxc*658?cYdWy*;m5wz3}{MpJ797@F0 z@YebLZv@-3cVY#>&{t`kt$#O&`-UnO7x@>2HaZ|#lh%xizqwbC(wME&&Eb_D8DT6r zr!z1(P8jpuD5Fr}&%uVUJ6e4i>%*?I5qK4@;KvTR8*Yn~_eX?P>+A1gSEf}G*xcu) zENq(UKe&6&ztGdHNNBd9fb`h)TU}T6L8d1h&4}^k;@&IGcioFzN_ny^i7p4m>!p&> zlp{~Pmn!-gHfBciauWlLR;gV9hzy#Q>mAuKGMcr=b1e^pdsH%aSGTup#ojt7nAab- z&c+OS^%+vyyid}?h+B$fO3iV~kG5u9LX-A#M|3vLb*66k!NWV+O-?NyR~qBK0fgS? 
z{ac^om!~A&-b6+5r!sju>ghcWwV|CX;^VR&&yHnti``!KM>B2@Co(x0k3T`%oz3)y zB9(Q$4l4=D)0_oG`X_W4V%@$zF9Z(7OhK5p-Eg%0uplsV-%lu)$DpgMpX%~K#V!#- zq*PZI`xb{9e6~GNwA}1Fo9mieFe0&ATksq?!SstA*R}kXLrv4xA6lE8t(G+WM&9*VXMbUoj~?@7 z0xC`QoVzY}Kg`b7hd>p^OKzYKgsj)mW-lC;x89OpE)yr9uTPK!2;O|5KQ5TE4~L5d za@VU3@QSEt`qbsahMYiCW1~4DMyuCTcXLBP7+$HB#MZ(jK~dfrT+vCfb-cRF$l$eV{jSYNfO zY?b10@f4nVZ%7bSC_)0SQ^!uG((YwYVT&3am&c}KyZp)k{pnqgkr66)D#1rb!S>NN zCuq_@ww5i1IN!39phkDJQf{IoCqpCQbvv4GvvN-E`Ed2(w$}M$w^%8E7!axFy`Uc+ zVg-txZc4wrb{OdI0NcUSdGVg-)JQR;c=-Nui+kPi(!=%9&fZq8K{7C9YM-v%m)0d4 z-Ayj0OKT7?*dPJ$ExC#DqACpXbD_nzx|MV2pHj$>p8y;aJ`h?}zVB0o3@PnY(Tm&;oAkr7AGR{bil`0|gLj`?@2+E)$qPDFu>W{5>exIp~Ht6lmC}kMqKpU&$3lKx^ zB2)3W?C+;bp||n_KU~z$ALjJ*7lBqeDn=T1mt614>#PLiRVZ{?EoJ@TXucdhtFmGw zBqSwG?#EDMTFjKqY?Q|mUbortEw@;x4%G@0QBhMfu@v8H&RaZ)l>4>4T<^~*RV`I2 z<=5BOR|*N$AOI1wrpTu)zG>T2n0#GraX@b zysa@G9U8K0hhAPOyVW0ArrAbrb~y__mN^ozJ?}z#kbP-8!{vBVFaGd;rI~TZn-J4^ z+YxXi0FSf835Asa{~_Je>uIqSuP1h^St177XsKLap`~)WDq1bHdF(~WQ=tcU$LkxY zKHYY4{84Q_x(R0VzGXO^?2pdP&0YWXtJuyino@d{JjZLqJfbQfzVPdD(}8#n=-QD56++X>VznKb*QUCE?H6rd4qoaMC%P%0~-mw!&Wz zyMs4;d-gvpAC3sOY2F=83m?(T*VfT*nCMhkWWWOuU1Gt6%Efrciq=y zM@t&UldCxg)t+!%OkOXS@s=3CUeXxw_4fYiq|NNlG~~neoy*Pn*|C$}%QJnO^})u4 zbHaWAp(?=RT^~&>6pP<@x?j_2H0RVFrT+}M1VTcSd%RVf_0sbLA_oVDOhbCxOPtk0 z7#{!T#!_*9es2dP^bgO=NCx6B6L~6Zp(Z9q0K?D&UKPZD81KFjD4TDyDNnA7Rt+Zr zwicJu2+yV)$CLf#k^B*W5(MJ0 z1egT;`?=0L-A3?!{b6#h(AF{e7c?4k0x{P>{1WtB;X(=&CgWm(-GK{dgIad?-b=45M1~3-io}Q2 zvQXpO#sGFcUiz$lcGOc{ZTTG}^9O|Nz~pt@{4pwLzNSk1m&Hq8Dnl-tBhGD1iGvc@{Aq?$%0H=h3nbsk%#_-Zz$_S)O(7AU zv>c>AnW1JGCtOBFPmciubsv^nNlroWW4Mr0bRNVO%Nf}!PX-Hu$~=%-C9<)LsH@M2 zNsDBB2ij4gNqHBX1em~*1h7mVVqylre}_QhPtRammCkk}M# znU<)i7{_7yNoOh-W21k$Vrd1`xnLqHZtWrCepA+F9$yW(L0Ju`?_zc#w(NL-?w2QI zBWLgl(8rLAP+#>PK;5JR^3hj$u0qfGuf?qE`yA}6g7zN%zihxyTPsRMjUt*JDEE0J z@(%`(a1bl=ShD|_oAXi=)cs7$;@SIMp0wjI=Z=;d#cJ6@jiloQ=~ICuU`nEP=H~5yKzS4}Yzh$H+9xK^K$GT=?x;2B38}j|tT)}sgRGw73gU1L5PvhQJrYw^ zPzIIo$~U4(iH|&m9Rf%vkb>%m&gzeZpokkH$rTj9$Risha+za!y=3W}`Lhhj{EG1L 
zC`)9&s^s0(gwDm&&EF)$@J^VtG1SCvqF2PLgLg|#MsZ?&Tb8P@8eRqFoMML?mtM46 zE`MoFCGs~B+I`hk@;`2W0!!@*A4izGqcVD5jhox(%)QoT3NGkaxJNXgwk&blGs(hy zUC&09@yO7`C={QiF*?~|byr~yKn&*xXJ_BC#rKwN?#=-jY9ilrd?Gs_xoUz)pzWkp z+Z70~Ry70VZ~-X`JnwP2a|$X>J=aAFBqRC)MFZ%-x=ir9LMu01HOxP?FeQ#3wAeg} zoH&=s0A52atS&$vZIt9!bWF@8ce=&qD0WU^XH2m_*kG-j?IT-hZ~J>G&(N?EtyYiC z0tN7izy~J#$pH-7>Mif%c`k?PLvB_VcJBKJn=WC2bcds!p@;r(ucsppN|PPmhZ_r8 zUiV1NwJ&S(=Npv8UiYrg@w&gYI9F`#NDN^*N$3U)OE82+m!)#$X|ycotgkIu2)-If z`TLK`%x-@7#Jmqf$xNDZa9-bBe<(XYXRHf*X2RN_ooqmjU)@}HCuhhUKugtzc0OP_ zEH3w^VPGg-^cw7T0h(n)n#6_+HKDNbS6jzl{AbCX)RKk;@$pI-1*vDxKn4w4!ri==3ThZ)WvvBxtVpVd$AS ztjn{K#%?LsHBO&rzxx-{kWq<;r63Z#jE!ZR6!9{V9u0)v!Z4PX(Y7tAHJmkEbOPEI z56W3`o|k_%oc}LtriGi!VF#QE=dP_o5t@y#!LJ83mN#e9sY$1)sRMNi11r#Dn9EYq zcmnLBQ~hJvnlmE;#Y=(^qF>Ic3k1MNN$j57p(^n&%e(J?NUI=)M^)J@)aK-fG-;mL zk>r4ZDcqu6$c#;_s<`bTRtROCC#;CMC>ssw<0C#o`|TKUpU=+2Q#?o>;qpS$WvnHpw-d+CmkN)e5lH6C#Nb?6!Aq%%gL_XnI=Lmm8 zh6}<_@jwL~8%ChOp59^{h@wTD$*A|(&4#oG5fxpdyW(aH@*T=rV9<0N?+)3<@KT3sKR85I(`d z2OXs18a3v*?h@qWF%F^q)l9=8>1 zU4KNfs;jF3Rm+>p=D7Z>}Tic4Ny1Kxoq}`L9Y_6gP z(oflAgF|nhy*%R?A09pL2L{}hmp0m(SS;B;H(6OM6cw=~;Ra>FWHplev*Lsf8Mhsn zvcZQJ<8^Vq%rvC6G?$i^zFB>Ka_4bA8kZJXs_;t9`(9XBC_%P<@v zLB&<`KT)(_pRfUFm+MX%8Y^zmbn0@G?)}_sTx#4j z5LiHvrnB?Ht@_pZkM7Q}o2#o?ZJS1g-qn1~){B!eO|E~gQE4X(Vxlb@gZ0yVjV`^0 zavdiMvu&J*6Rr}uB=ZMH2pAB=E(j1dI;vR&6lDvB+;dw~~pR*^P91*WEyXgUrNu?oCO|zHl@&Q!Tg#-@s<2&~pDOMOC!nUGQ!Z2% z_4i*B4=>Sey8d$q&x-Nx{!S*5^=xpj0I)zvkVOHS{0J<9_Wck?4T7;xxeaiaypI>v zUpwi6b{`ZZk^_sy%Ges2^eKKWky^$zgMN@+S>}dz0-OUgB`7c_IoN#*kc3uCsP8~) zy~DB(WIwz0&BOmKVJR&?4he0*#^$nFjsdm*d$CN&^J<*z@pPjoE332B)6M;Ax7B7O zO*A-Oxr~LCNY8oK1b)YRZ@F;emrdNeP+ZlWZX;a)2@CrO5R2%J_qjo zCU2Wxj{A$QE8l#9tPlF`p@EAB;rylv9k=OaHB&ZqrEHPlc}yIa!=~YbgPmYos}5gd zxptM?*g833=!Zfpm0mU;&}hTw_{=wN^0Q^9h=EzTLd96=8=Iv}HAP0!V|fLw?Ye9| zIBjgB6g^|}8&Tz#9%12MLJ%s~OUE-*yBK;{&0e&3yT}74*?3C&4)vXHE3iAR3O!Ak zU!9^%kcQjroYim9{uEiyILqA00yjCI&TI|K-hJVkw>s*X*1dVEyr2S+3ET#g_3N@9 za^nz`%2PdD9-nO>!IzfO(^QWR(&;o~gQiO~%TEN6g`Fr-;~+pQYHFTrl_?2rBUx%9 
zF5F{@(#E(fdQ7Wx7VZ#oa5GK~d$4@F2x zBEh>j;)U`T^>`pDHHtiz4@&PO>?Wc16o9td0!ZkUvvmGi3K|+T$S{|H`Ky3|Dhdkp zeblMdIiilUPg6@?YNQVf(#L@oL)KSR27uf{>A_W=Qc}i3Lf>H1!pFll9Hg_RT94>sP7rGC2qH!)WDCg=?5(> z%V&7uJo%!j_d!L+T$V7zkRr(Fsb$7hhO9WtsY3K`jVb9Ngt9rsIB^jH1KosA74lyX z-oIYC@}J5qr|OmT!jgeh_tG93ZedzwqhLBf4f$H7K0JKg1#z#Tk+{c$>4yUg^jTLj z(DY)v3l-MO`-8AdlvbI9WPf!{%>}Nh>?jqG1;`r!qR3q^KN@3XAGhP-2TpbgBII2j zJU{uPn7FvS{M?3yh5>Y`$4|k*0cMqxvPIpeU4LW95!Q*cxoptE{C^!b9P`BQlF$ zTqyyZ033UT@#Q*P``g=`CIGT(UVZ>_GG!e#KheaH8WNa!%|di3|6uxsp){)=QcLN= z3gkxEWUY!3;T0wl<*FY^7@xDpq-A7U6K*7}j|GxYk1B$qgHHf>@domf*5czL_dP&- z%)}Hc7h%wHTwcRo?qNC7(Busm{|O(8SqW|Ua56o%Qses~PHM8)`XsOU^&+lCr$y}Q z8dj^xIzTFSJk9BU!L&36EMmXQlmDJlQs4^M=L1F7Js(H~kWv-zcK0SK-NEG!wiQhP zm4Dn^F-aK@S{+@Rn4ZRrH$VcMQD)*=j;vsv*=hQ(&tCjYSU>?&0NK#nzLmb8R>l+`uvibL=$v}(!M5L&zXSCD7B*sG2 z+W#;h5b}%-GLD6$rUV7udG=-kKwGsSJCRaTNK7ouzk9(Za(A&mS0%OV|E74y_Z&fe zub9Q4z7{cgXxw^XzP9Mg1MnGE|9j4y$yEIBM1cF>x98pC<;C@Yc;X<=eQ6~G$aE(X zb7$&*gp~m@^gb z`P206sN!tF%sdpJ^zUuGF*J7LkEe(@2}5J!M*ghHsTxnoz|ryX_aH^3D)W+;^=^SJ z@X{h4aM05aiibTbN2gX>%=~rE;NnpT!LWHBl_=|z6UTs%(dD5;-$;HdrvF^#cVz;T zo22*b&LU2douXM-Wc8ky&!U}j4ht*(c!7}1V^$FV0Pw$4od0$$RE|qdt}7}+!2;=h z+y&B5>Y#yPuQRJz3ah&apYV~irYyxmoz?+^kIT=DoOYcB1rwF1fz|c(jt@4_`O?~_ zX{rFf^6pPmxwSzNnPkvAs8A3$LV{y`YWL4pcz^&N6S{y1GB?Ppz>K&L!^+%eT`igI z_#_Y~Wdx5kIC}OQxUUnYe&s8E3I@hucx$>wsQ?eRJq+&vXk&XNHhHoLlX2zGW@9#O zg!_|5KaJ1A@;(BV6ri%=sv1T&Q?p#}%?F!*{kB@9-V%F$a% zf&`i8uJ=mP;k>cP%8-5sib$k2X72ZNkiy~D@uMmF!u@SUAp~$D_cl_C(y{Y;GHfu# zVnV3gBK(vFy+d$$f7c}q8!c&_{;d$!9Kv=F4v4sfyzE!KgPlJ`mNPBza)pOC>_Jpt z6BCB@q_K$*t|Rw(1pOQV75t)CzY5)6)Xc0z~gM8IUDf88}1hOYtg>FwLM6dwFSUGAXCAkFlivnku?^zR5mT@6s zT}>>1wR}+`Q}kXKlP-X3Gsm&Tg!mV^wf}#TZ>-+`G3ACP4wJcEC?PUJZ72^qqWco( zQS<79zm5)M}N^0{IX2~>;o%)hLRvR>Vy0Q$2x05e0A(U|ppE6s1{tNY8a%3rbaRg%Gq!WSP5RuA!~PI00#y5Drsl#7!LnjA05Gd z|G-<&CUxaZao4Ye1&BdFg#@6bwyNXYmtDtuUNlrW09IKRV#D8|$zV2rlPqVMG}fd) zTOV*8Or(*#p6)~QQbsrcU2Syl5~${5=p}Gd&5Vz4GDaq+rtY@UOK$>4zgY!TOg{HU zNWp(+x|SG!$6|BbtHsdU)1z?%%R035dGkwdH^Tj 
zysVX#<`laZ5d2`c{NFPK(?yO8!hwFT9e_ZrikOFxVeBc@s)m#JMAQ(Vkc5axxjM{M z90S98oc&=$A!MLLSjYeput}@%4;W5IV0=;f*5Q(Tt^`!0wmr2S%$`;0(%<*@^qAkj zgbFz7Mc4lN2k2nb;j!q@`JY|@)`RU8u(!_BLKB>}79Jd2P#PalL29IL+ zJvMjc;u({bjEIGh3HZ2AZZ{;tk5fVI6WM=Gco1(c_lpV_%Th}v$fmV^%B$tcgzsa% z&U!y*6`IN@WGN5~9M$(MpPcroIC9m_dlo-MnU60|Q{;cypDFeq5ov6z(TBmopKp!; zozOBP>?&WH;Q#Q~g1-PR+uFrN-arwz+deb7aE2sdf^heX6SBWO>l zV3Oohp3`+iCw8eV9}N|Zn1m(&R|fZ)1UJKc$$w+gjYx1`sZ66; zulFO2G7Ot9L5$Sni6R7t#bFcX1^nf~#awUnR=y31QZn}!TQQae+{|OMOD|ynpL>{A zvty|7ub(~p>6lN~51F#sKTN0hl$B;DiUAJ#e0K~R#LL$xkDiOq14|&lE6@g%y~wXT zZ$w2ad9OU{UMmH>F1v5i|6Qy!2}9Vf0UeBG^UjCuVETXu*-w7ypAHojUHbpZPMWg@ ztlcb)T(nz!pz?6ieCw`Fc|YOaq}8GAt{3b6dy+f z6uxyBD0vUkg-C4TH})vdZ1OTd`=G`J?!E7cc{Bb>wLpqUP|DD~mJK?!|Mwsh@Gc>z z)pg7Cs3>)LdA-gZG}h*LKsx#qnIlc{7R24+JR(qf-~*Lu zBO?+(|3fY!1xN|H#MW%Vf=E5*@ke#_M0E{hW`D&}V|nyUK>HJ}`SkxaC*gsE3#^s@ zBfsCkI?l)g%#7P3{gvqqQ_NLm9FAl#nLT#L1Sc*K0{IbU7DZ&BU+{^}m;=a!V*s7i z`stGdB|R&Tq@?7@;#~LWyyedVR_63AW!;YcOzlsX!N}%@s9Y$RUn65}SeFC#H>CPE z$s{473kL@BoqLkB>POT$a)0*bUE)&!!uns=A_og!*#Ig~{5EjqBp`we72b<|`L)ex z#lzZ|!exZhwq)%Jnaj}wFBRV>FM?JufyUg;zU-&MKUU|iM2{rh}<_+;= z)ISTfz#p1X3Y)k_2k$~=gd?akL$Q}az6Vj|N%Wh@SXf9QBMSAcWjV9G+- zCcVApz_~z~#)|YG)oj$dZNka(aTsu0fM0Vm_h8g#Z30-6#evt_^buqYb`!?{j!In$ zkWOQM+4}Qn-YE!EWB9M@RY{7@5FqoKq}~l>hV%zfwU=i;0|Ugx1}C@4J|S8a>w-L# zp$ZW|nsfG8A58q*^nA+&V8mCXv*T|DCzlpf`HQ*D>u6Tj`uA=2n#fztw@(yd88xuX&?_ z_D;BDJk(D{Bl+F z$RDsUF=vS1`^i^{D+or3EPJ;R`~0We0YycYTKrumAh11o_O2zS|9F3SWMyP@_RYq2 zi+ethG>rmbjHdJ3hPn^4(&w4@d2nh=#>fRC@EhKm_^DHFc=2xPE2 z|B2SJ{<6??QD3nC6uyz3_!VDJL_}H3?lTIDpu(d3A9C=g4y}Dvb8XtDDS9Ovqnqur z+_*d=bB=E9(ZRPe^ei)j2r>#vO65dU5A1^}D})AUs$Y>swtdQXe4)eFSXM6h(jDB$ zY=+t2W%oRfc<(S*#r|0Ke|Co{5PExe#s09-ot)Knd0j?BVrLf*hj-CS_(DIO;&d=A zE!C)9m3QOIs#0ZKb9ji?^6Xs}+mLR3QL`2u_dnYE4xlF6waqA>cofkO0TB>51~n7~ z5dzXJ6hW!d>!&DPkQ!=&qS6FJnv?(^D2ND1FCj!ldWjHPfB@101PBm92oTtZbI#2E zv-9o#duC^MXLdG|d0_Ge=4tP9U-xz2_w}YcXpB;V!%01H70r<2h6CLe73JR^l~)j4 zG(>Z`&~3kB{6U?AoXfer-BeKpgTjRb>u%B`g5xu2Qbo~2j_Ik~{lNX+%*?Uj;aY|9 
z?Kb0@3PSVJaFJLC6}P|k?Y&}3eNhppW9+Q)xM-b5Bc5l;dyIfWDZd^6j_3H)QzC2m zbm8Nf6$aE2_1yq57>t3rf(hQ-R;Q58TyJ_4*=W=&^N)BuQ82ffxjiWE>I4bU;B-k% zNpk%3o{yHAk=SdQYTMalNYuRCToe^3?XOegS8#(%;*L_9n%`KiG?dMnE~J3m{+NJ5 zi^)uM^=*}vjr)_UH4dGn>Xv)Z zH(E0vyXSZVCF<)q2Ve0!RiEc{501?9Ax}%Uwtl?Xe6Xx^LMd>4>H86pV-TMA_J&%j zrDI9`mwkTs@{{v-|8;uoM`L{}+S!|C2CgivzPW6TIL>o3?`)}sNLhdtIf1$&mEo~^ zbyZRMYo4g6HmzkStA-%=jMH~>a}%!mO(L~$hwZNWRFrJaB};3;N|fizr?j1Jd&I?zTWaX&;eQf|oYbUdBkm-=_uP<=&flNQ zg7;}-U-Go9#``}J!l~bKL(ZciH=0elNo}G-hWe&&iXI+<+<19Y=@106c(v#5-!^@{+>CKI+c47wj*lPnU3VuAxw#D<_wG|z8rp9@{rNHe)Xr_p3FH_3 zyYnTcZoYnU^-7DG`wwc4LvBP7lZolMxiv32gNVD^eIJSlP9dNiwsNM(k`Wie^qltb z_V%<<2XO@B=e&L^r}u8es)a>h7cq0@ug&|f@T%3T zSqtRlrvuP()V}l;wxH_^g8uUxUBn8$%XHoZBfa!jN=gc=sNF)niIrNn?{GH-1v+JE zek{i?Lk$%4ia*`MnE6u2#oQ&MGds40F*OPhh;BlDn|eB*0Yzn5K-$rNA-Rh5jL?ZLX=83Yn1i^@FG9Pr@@X7A|9b5$nk3ZCBUTPL}I9+LsSK-*%G zkRK<)=$TltRdH;MR}DI8&NJJyE6_bIGFaor=Q~s%v^n1}iz%f^TMq|y-?iM#m~9O< ze^O%dX(l~A-9t)^SjCEacZZ8u=Hpqja{EfSpAu<>YL1xyxjnA>cj)rS5!S}^tM79P z2;<3vL3}pw%MQMb@&uXOrp?jZj}c3cCdNO`SeJn!RjvdSO3u7!Kp(xnf^E8tqw`Ml z(kQH*T<|mRS6{;IiKsg^W7N4ri3K4NP_Tv|mpw7^vSoe!*XDwItb0aDWUUt$FP#&S z_sz)_OH|vvzAvC1A0*E-TgrWTpSt+|3;oR8xM>ERI>d6^Et{R_;!VhA?7zh^lM}KZ zJ7vYkS-HyzIH7hm_lQ|bBYXaRh0HD5hAY&`dvdY2M=8ttBW zS|WF;Rra6E86Dm5>q-h=8my~Ergd~`Xr)C#ex>_%JI&?&3->YU@=x9+Cl@20xQ8Ms z!PCgWMC;@^UNd^n+R-v#W9*Q^+0>r*2^Njq6u;KVD;D-zr^ zPm8Vr%6kjjm^2K+(_$j}FmGL}?w}w9!YEwoYcIBL7gAEKpzUO*Tww)#-!iA+9;@LD zCoS2z(yn^dM}pkG$+2v**}Y4Nky}jonS_t?Pe5{0-~3{KiJ&`jXtzl2{CROjMNbVF$0FPsOV=Hz>5otOws- z|Ht^#+da*@Y)ebWYtbN<_HsG)d-eAY6U~*f!@+EjoXR9yCFUP}tpM#twfW$24?sbO zn#h-5%gYy`;KqHS{kqVk-BiP4tX3RKjSJS)con~eVfts>e1PqmcI*Fm2|5nX3fS8p z=Se^{(BDReu(JJxv$|7DhjRv8)iXEd!apngJ*O^EQo_{3v92NStEu(cU`C$Cg@!V|`=eEPS09zsIT$+#ORC8T@40)ZX43Qg9E~NHQzVq*C|a0p-04$Jku? 
z5dL$!Kf*sFddUQH^U>cO?y7FAEBJu{GIx|$L4Ie{Po7F*OP7c~DV znf8~RYm_(xfv7z14>r9Ff!s*A0|TwCt|EE{m9IR(>_IfrY*`bBc&F;QA&}LdUZi6X zh*;}Czx98#of=;Gi*VbQN~`x1>WGNQV7cb||n6`#`AKR{bQTUMBr z4q@srFT?xZ!%II24rTtS za)4_zD`w48tB#II!A5pW3=E|GuJq3|U=pbUoX7nOdB!64-Y}=#ZFDnqs;RMMb(rne(L4 zh`d?354b6ZN6EIY%^SxoU3O&1X-$bX=XkAaj`94tQ5t>lziy3X(a8SPQH+$>$L1Z8 z5Mv1+wXF+n)UVIjfSy8yA0I@Q_}(vTfq0VoQYW;u!REGys7ULjDj`)HIk<#mBGfne zoSr9g*@YtfELZhMu)mEhooyR2N^81Fi{})0DXbO(tz8atieTAl+`B}8`J_}HPWxTKwzl`RU!lh@bRFGoBA?RfD1wETIt+anR0p0C?+^>wtA zBULLymmW>NPKyE8kK2e}R@<5k7r&oBGdDL<&jtD5*jXw?E>Tt`Xa!4l59icZ-{fq~ zC|uWmYvSF@9PsOEhtpk)aS2Ob_Hts1m5)TPKBbDu3&cuE^`wY^py$X>Y|m{wM)hx@#DM)YDgHr%8DJz1|hmlZ{Snl%19m5 zo0-{cUtHFom+R2b@M(8rI=y(}O0hj|Grh|CptG+1AGw5u)c|V$&JJpYW?u5yIfH_B zAPZn0@arWI1+gAqXE4-#=DLQ<9KyrHM{7Ly<59cQgT>Y<2*wIYkc*4!?AhTw?f5I! z)jV=FBg-Vz7t5FwCT?>@-INo@jkF5sZP7V6%zd(OwN{-2-=yviQNby2hm;i&Z@T<+c!e%f#0OB zA15rl68=4F&oR*CnWQFCHF&cDjP=jk5i6mT)n83O_drl3;3=q{2QMH>1msabLFz;P zt3V@Rb#;{lY|&_Sv2LRq4uHl0Z?PFpLyL#YxI7QQYEKd zrE|h;E09_7a~5=OLWb=mB;{j#3FF`&zqk1AP3c@Y0R_*66)E! 
zx9gikbT*HPD_Ju*EbebJmfqpNJ6DZJn2urmT^RVNQj78RwYBPo#t>$D#wa>3W@V)$ zDyl~Fy$j)$-(vsR?^UYM21dRoLf*p!=cq^BP0UtD5ebB*-H}pD(YvgvW=UXyERnvx zzG6>5)OG@SsMgo~1fbobP_xgpb_KE|U>d*%$Y8b>WFxJL2Ba*${L%jQ;+*cD{W#Fh z^v+fby-eqqbp%pIH#9;*LR#WQ)PW^yj^RsfZb_2xxe>VVAvN-nm^3&`7KHA#TUxcB z=F*!nfI_YA`v*jB4L(&vkSfD*^&_LubCsm^3-1M6)vFL87qp3&>96e@8EB_l^!ofCtVNt~V-Hr&X*a3eEi+W9i1S`{sq6dcV-VzLl}SYyec95M+c!O~D9x zW(HZIq69QVDhVXqSpkKT?931{-!Fj2Y29YB;tSO|TZh@$fI0UXIs%Q(73*N_?R=2g z4~Idaml78uM3C3h@MR9Ix)r2yO}U$j#zT_QO*uNo(_Td3iYydyolSJbah+7u13y@re#o!LjQdkZIc53b@;h$9n>$5N0dT ze3`)GOWO+5E*@mfweJCAQpz%}E<2 zr3=>$jOkUc@O^1Tr?!8V0>wP>$=F3<9pLKN$ZU&Ata{NOJb1u#&;XiC zwtOvCmMW-=7Y<(UnWZo}QkWc|`H=pI6I^vMXiK>3)olecy3r{Juw2a$HxmgzH{;NBbJD)tP%QjnpyA zrcpMvPsi8$m3O7}3@N!HPaZlsnRjJ-u6D63Pm>4|0ZKR;U z$7S@|T=-Tz1oBnh{i&n2jGfGk%~+*ZRHS=6^P7#F2xPcwhr9@9Q+o9(Erz1t?$TSH zk=Xd4V$N1x<4M(PAi2n!0502%rAH2gAC-jWrOR>p`Fc$5Z{5#mBpFSfrA^V)Y^|`4 zHwIke@%F1#v&DZ!o|I%O`s}qAys8bBE3#=WB@;xYZ0lV=>{(Rw0J3Cw*av#eZ4(+> z(laBT9o^=Mv;8^0s51DuB02VoJ3eHaXiOC_2p9^Os$h0Tmr)Ku#7?>UkfL($*x6-8 zibcQ0jnmsBx3)CQ`S`e^fUBMJ4W%5oUIQpwS*M-|&Y-}FM$u-g&Ny^%1Sg6$Ru@xO z_X?D%pA2!_0RH)L!QJf%^~iVwz#_92-KbB9^_@27ltSFQ;zaJ>CsdS|pAu2qoBCMO zP5*_*?y*Wj3kw&-#a%|Lsr=VAOeN{aP)t-?^>VPrqy4=+=tF%)>zd^=345%1624__ zLbg}1CO(uE{^G@Z@E&SuwEr9mh>vaJ-_g##e&;enj;hI8X>4yGCHAfJv{f@gB>j88 z7ecQ+UUZ7iRZ)Ommie{ya0-T z%l-2A?2|4K$Qg@+X9Ro`wLkaPduL-`ReiX@)yHeU(YZOG*}2wt<|hJrnva30^FVrm z-{*uksWH{Y3gr0ZQPl4VY)9i=<`MmO8Ci66eiUU`b|dRO<;Mn_MLHO0X- z$dHFXX5;ePV&u>KlYRP7QLc{10j$%JEJhde4poQ}F^O zn-wjO7FhfH_f#&>G-rxyv|`#e_&Lfee867lXfV?BSi%OkfD;~P3V}$R@KdG!0FL}R zsFKQvZX2Zn{ULpLw(GGItI~t+NTi;|qk#^lq9tEffz=5`J`O<@uz$clt#Fh+&83cO znVWhMMbLaS{PPfbPo==&TAId>Z{PO9856@hP1{eb8@a&Bqu@Ae3#>iP16m%UX;S5y zWs9jSGRhlS=QV=%;ZQX@W5c__Eo0->`&$TI-E`&>U{!ge>icw%`vH`TTucDtRa7#h z?aOW!4Ir;CbU*A~{g2cJqH$w|7V;n*_(n4;y-P9DqM9?=+^y*`cLps{?=9AjktXW08P8o;n5?jk5{vCOH_g^ zTejW$z~_8DL8a@%!NKOCE*n2hCCPm9TQQmhz;qRwb^ENP%4RJE!Q?JmU&Cm|Y~Nj2Nb)oYqtQW@ivh#*Av^-)m7~$3eknaU<&e^ 
z&*Ke>rO-vrmC?nchdK@efHAteJl@r{)S50Yv~}+tknjZ;3{}L%#l6TqaF@R8%0rV& zNslT1VdY=_V7wE=+D_;#xkDY|2m}M@#Q_Y)3_cxyyicbY1kNO(8r(U%ea=K8}gjwnI#yvf8pPXmWEv!MF3e zqb<7raqW*z2k$h*taYR+OFmJbQ}GFS8zZW)cVk(1zdjK-_dQ)RpS&Soz+)m*2o*x( z9Esa@fpxFOwAAACT$O`ron1}LE@{q7D5j6^jt~Y_4{J)Ye6L-|#gjSAdA0_}0z02u zG2FPXJ#FdI3=9l}_WgN3AS5I=GE*H@cQfxNHw?+0;5Ia+?0X#NMr4n@WnM}gtJmBA zY8I-#JEYQizZuxz?Y>TKz=^01F14?yW{)yiYCfutt>c&UF!IRHZq!CmVET+KdV|=2 z+monxcjU#14H{L=eM@ktq}e)MF=R{Q>F6Q+$sJ7O%Au0lBneCTqQe~AsQi1r|k3x zQ&AxWYW{r%v`gry*uckKt6tLud}fv7U;l!r>FVqHG?0Nni6{oo{l;a>=u1^r_qrI@vE%CsB2CwWu>HrdOLo6tt}^9i)Kc0%<9A zD|2({Sy_dI1rWHYbR$Q9j~*1X_zNQDuB?N7uzo3`#3(O4QbW@d%tG{4cY}o5bJw@r_JG`?xfT0{>rb)%T|eeJoXdr`e+sM^)O%wH z=t8}+Q1|a!Uvr$}%gPcSDur1rYR9)AuQ|25Il%lVGPjIYY?k2;+Za!rEPY{Ix+@LS z?<{xbV7X>HhsMTM&K>qcAoT7vJh3c{kFS}fGij-+s??CZm-ZD}7fDYbhTf^%%Nr;2 zXD;jA`ecJGj@s2hVlPCs6Kz>~oFSQbTZJbo&`X-4Q2kABwJhJmrok2no_G|)vlO>h zT2-W8Ve(pwuy9`n9N^3dxT}fu`SUSGB6v)zB;E$%Wx$UofamF4xdNjCm zgje&#tA>zno(9U&a-EJ~7^hhDyL;(^C>G~MfrQ9E!aX@_CQ8!tpCsAjndNbD8NCSh z&+$J+F?U%Wfdgas*$PWEF0`(3H11nYhhu4{2+nec47RRpKb+;hk`Z<1j~g`5BkLno zVo!Tyouqzam*-0W+J`GEh@Om|y@0j+d1*lLM}yGXhu!H6xwR*KKWaWXB?EEbG(tO8 zlfv0wOaZABzkdCaf&y5P65yK(xF#5^z^r)jJQU!j%i~#x!}<*W#f0$misd>3h9>$y z@E`{%9bf;E(h+C|V{>0Ruhx$2ns`+lIp)k<`wMC#zfPE^A1VPMf&qubcK42U498O724y7-~f;{LX--tsu z+D-jr2S2-CP2(wct`z8XX|{t!NRK?((|mm?HeA2UK35E`>RnWq;ZBnNqx<$fSP+)> zF@Y;Zr0FO_*8o5NQ@p{!`3GROobc(+B{j!gA6%U|qVfv{1)b&96ki%{_Yq}(#VJgf zZT}N&B|<^0EMI|vP|bWy8#td^W3$yX8(Sa5gl)E z!bN1Tq$vkzyGhxsns2vz-q`oBD!x?N`3A|R#aJd(J;HE6gnz#AchPal*A0?E)hY6$ z{fJd6Cz5S{7&oN9V?0dt{i_^}&y$BfUj(wzHe6|HJ}Je5hYY=43dNyQbLp<3!~YXJ zhX@k)l?2i@wq8Gke7x>>(!l#^(nQH4%&?#eNyvkH{Q z=O)=f-p2L+gt++L`Z^~>Okv>#LFwY$hY#&c|wb`LH9@@$r1v^4-e4N4S>MpQ5XeT*`2a{y`yT}a|hGs z58*KYBGO}ZK6>eLJw5Q%XO;mPPf0q>2>F%r$lvwCygNuF)vH$xHC}7&W&Ox|4hWsu zxtZv{_5LP?ld~!Y{&&k@EadSEUw}jVKiK3a4i8_qt^v=l6HYN!iy`J1eVnb*FQ9FF z9#gDbR);m_4k@QjS$$`ZSLDXz@xV-q0W^{Rv0Mg%Ly)AxK6QWZ^B(a`%0}TbWk~Ah zLZygamVJFuTQ@vuj4l2{SS2!`6$6k)() zw)9h6MNQ2}qbD0TmSZ#@#f^(RzV 
z5jF2y8c4+;~Ic8FvPA)-9 zLR0aUy94P*N9bT74Nl3R-xoNwG}~^w@1eFgRvwmIw&x-hAk1MfAi>SJ`M>~Gq0$j# ztD%;;!Pus|xyhw_82Ghy%8p~sNOs1BE-PZk>$GBB8B%bs?~p0fm@H0NptbM#9WEm3vNAVDy8}s6A3q z92#*_$aA2>USqI$LMaEO;N%2zaw>Sn7PO@PwDPN3UT)1P;r_b-4w;t@zF2e6EuR2X z6IpkksK%6jO8umNkjondw<2q7V%&qJE;?XXsZ=1z|-MMS9IQ(Tz= zvNR5m#6cP2zD&>4c0g^dO#%?4pQThJhR8ar3eZfRR=oZ0z#ZVeca7uZRfznvI5(edFBR+{3J&BobU^&Hq_w)P3Q%T_}#9o>_hSRkF9FqH3mh0FF=fxt4vxQx{zy}ds%=^(BX zgRzA`OdzM$>bYUCR(`?+TItERWXYlKWT%LY(OMTLN5{eCQE?76d$o`s8H1FUUVZ~0 z{KgzCo;iKlO+IjOx5(TR)aGiIjPacPIcDSQ)w|!Y@2s!y;qE>r=o$Kme+*0ZnRr4( zr=}v7w>j^A68m!YFW`%a0uFv5*VDxJo|&1ync3#6k5A^l{#1 zR}CGx?&G!H?-kP+dBS}FF}AfZ7o*vguNO$By_8IcQ#~3DT6N1z4LQQkOHUqCKbX=I zvFO=hovlf`wY8}8%S|JGXMNXah%Y(zbk&)h^AmbS126pf`#itSH-^@aFFZ@;MFTn&wE9|s{S*BQOb_E+4=hc7E7pdAZXcglEKR`|O-qZk^ z=kBDxg`GAAgYI?aIdI++4!+WNk_LQq0twiO16jao$L}9vKXdo z^d(}6A7yfJe4vj&a3^tuo$hny(T;EjITT4;fEOUo&KeEePei+26xZd?c3CXAvF7@7Jv|H~~8T7O9>QT8tT`s4Y30Tq30eEXUwc4yzRkLP|(R&|#RIsAF1OhA$EC>WbkdhQt27%tB0RKOOegpgs2Ra}J z{(*E9mQsO+hF<)mum)_xe38^}1c4CcfIq1aE7z&&AP^BqN>oV2E%j*GRRv8Q6LiXB zok)DTaVHQou|IMV zWa2mq@QsZxHa@U9@&3PU4&5&$Ns`KV#NBMmW&V_ujqYGGPD$FUwX`rWFBsHk+-LdV zk1Q-Xh*X8BqQv3+{@^Uf`F0Q_=1aMr- ze17I8Nm3rPYej_!7IQ^cR8)E)gnlG$EEYSlYRW?*mWAOrna3p z1zcQavhu@FgUkylV^R~aABYGU8Wt8-`4fwwQHEagH76I>({Kt0Ha0dlH}~`N%KiQQ zi?;mc#XE;a?PaCuh0dTu4|5H$rw}x8PU%$2_{F*ZtX<3b#l>3?e}>*?N@%!dGz<*X zm-D-W8g;XgC0_UQRe%53%}wL?eoRj05nZI-4$^s&q-jQ(VFtd+N%T z>FRAbR1Ur({~*5_W@z`iA5^v& znLD2+maA*^;gQMC$&R^!d@9ck5ev%$a0xRrYV7QJt|xgHcVen8lP??rvkgq{8=BV- zOZEBk+x*}G&Bg&qFqClr>KL3MQ)ZKCX`D^tVU^+R>jcB@5ARx(J1*8($SbKRDUClp zoOyYBC(!4~S<@XIrLbDf)M!+biv-o!Ep(k;A9dB#u!78|2l#24C5b4brA>;o!g)&t zTz*9Me$=2H7?9?FkoZLi#Tin2FynZXtf4jkc{Ih2_F?RU*smXivL)6f?KtKrn7vtW zgIB)jdNATKjyqSWsiiF~xKsn^FJxG93(n@+E}hXIvVzl`y`OzXcJ%Tu=RNA~@fMHy zXirvOI3snLT3#oN9&;ip`@PK~hv^=>!NL5qv$Wp$THf%Inhg#|ZT&MiC^O63#1mL| zIdQ=K(`y^DURi3&$q}WF<9CbHx68LPw4Q3H3pUV&yUdC|;V>LDYc|}d=$?Sj zNRtcMgR<=Ph)!V9O*rrzY87&1%aAgI!8(O1)N#^eAE*)r^H3Yt+Z^%n)AHo#{Dq@b 
zsE3D#w;Z@W1j~{{^%<)gUkY5e3b=hYGO*zL64@PJx|G7A;otu;oxSkYrD%CB327((J+2EP-^E z#Nwg55{8z2e0C-)Lu1tqeeDO83po-TEGr^XbxuC$=%9R6Y0BZlTR+BR8`rBp4ztK>Z*xo!@AFA---Uw_4?D1qdG&G|o5UxrUXW zX)$DSl?zqGqgCd62gjhlMM~y?h+_IlKfttV<8yPbZIf#>_!6R~p}JF>Ee8=)Ys<$% zPojUEBm3>tq)l7aaPdM(|2%5R$EVs(ohX~gT4}yPP7ktPwEbM^hY0e6isN;UZS+w6 zmFweVHp-*~%vr^}wD5=ESi-o8){j7NRs)_;G_l}r!(dU8IBBV>iD#zekNGSfajlNY zjx@zpsJ~lzyG_apWvZ*=@YE;ssvNkQQ*YhWoLx#8EwWC_Ki!|KFl8BCibG-2lunkV zT^2)R(WSt$+iVvhmd|L`$D0_(B6{+AKW2y&G`IqBeL-4B!EB?wiE2dZyix&~??Hq< zfrT`ho}5aJ>^^JfjH~dToBO4|g#Q}G^zK7mm*9xu!yLt~8FWC?(T^YZOjtlf9f(=I zwf~LYjuVEXvDDH?E1+lAE8n?BMBGYk9Q|e1wsUVX#L1~3ETv&@?+2t$3zTn%?>Z_4 zg7_^uA&)IGf$f(+CwL(J%7S+Jy$3`(_s7Ji_QDqGh{3+^Ug!QMCS?X?DF70k+Tm zD=?H6U7>v@7T~#_xW0^SRt}C%-}QG-7>sLayYzhC__UNK*C>}VLqh)RVD{T=`F!}3 zjiaSI&Bw? z%7X#nH@>w84ed4?%ve*8?vI3~=l*aY*Dh89gF}!TvYu~+sc*bX5*vB1cdCi6hT&* zS*Fw3$CU|n^+()UtycP1u6mR?PVU=8@Z~z(K_r#7%4(UBMv;0z6t=3s)*&LQvu4BN z5igi$v`+p!n$e4dNR0s-oUxtc#iG`EMg%|@k@tb7_)FhF1#_Y8cknM7V#7uG=DGPx z_Lht7;>|mlN>$PIL?6CMYHlb*VG*>)pby@P#i~$$V#<);uujoz_vqGU)cZNl_#1Ic zrzvM=X~42W5Dp4zJ}ba$xW^A!xL|~<_9!FWL%}(%=wVk`N{S6?5gj&w2s4JLXq}2l zx=-r+;QOzi=?yU0Z_7*#p0(tHK%lifs_RQMD{fd|rY(*2&B@Ve+6$$H=p2{tgr&(z zgjAM!24$o+BOeJua)|PcKSVQh?ac#0P|>-NEE^L;iMbL_+Hyhy^E)4(74BqFE#;RaB zQ&53GA#a)<=spTjLuJ0*6r?yuddU@B`9jeJj1)$QTwrecL5uHfwhw|3RLU((CKb{( z&1ChV8R(B71C9p#*p-PB*Y{lg0=TzceM_4@s9Z1(w<(|csOE^QO5@M!QP)!9snAv zumOX}V=OE!4J|FR!h2rfvPx8wY0vBI74ZLkOKKoYoq$bAT>Zc9(ErxvSIw2FZ#dsJ zC=A)~ztv%L{g#^~Ch}LzWz4p!j)Lq;M$8mKRTL@GxLBAj?k3?)g3f%8AhC>6^t-lL zy!(xs7gcBMxaj7ybx$wuK=;}-H#!t&yiX==@ z(H(~U(bWaZm|^t16M8)45!o^p+_E_V`)*Uqzxs=XYO|AH3aFfGd+%XBZ%9UG6^w4^ zkpzXyu;IVC7Y-0lL=T<|eacJY>Ttjd@@rBb#`+k3XRC*A?mk8SEBcCHnCp%r~o5!Yxrn!V-mjjpcHjx+D z5K$KL8y8m_U0X*G`A3;mug0bmq&9`PI4mO-Q5L*s6M=W z-{sJ^9@Wi83=*UEXfnYZ5!JzA{GuHi&p%S?m1R_>ZoTxY|DgQSxbBM33RqmP?Stp; zX(0i@$3fMV)}4YNGvAcv)#O?p6XqmCOhkFz5HLPM#QvgBNldltybVogYF0sRX3Emi z(|dS4S8C>_WBEAK7LQBE-%q&-@(Qa}9>#FJ;;W-D0v_w$jod!|-QfrhPvm_^9Z`$u 
diff --git a/lam/docs/manual-sources/images/configProfiles8.png b/lam/docs/manual-sources/images/configProfiles8.png index 099db8892f0418d549bb7e0880c96b93594217dc..f6d5e3e3ef227e6226b690b92a29156c3411e3f9 100644 GIT binary patch literal 24767
literal 17945
z3R3g(454~`$%D>LPP_sFnW8Ma^8LC^2M0gdvj?6!SXu2Yz2o7ucJ}kbHykvl03Nrs zvm+CTE8^`HQzb>6{RW^L(P&s$if%41=Npe>@!}I*+vH*f17o)Wn7U&y`2+-jgOZfY zi-$|bB;&uQ1txcy7=aCiVYN~1KV5>{-7S@ie$wLFbH$tdXEA|m8Bk2H?JO0VkO0}< zv(~Ox1oFY3gMu!0CinB#W2npwT3qRPjxRdoU_kPj!=Tx`rv|17f{TkWO{BwG=ZJPjL(VPh)G6W-4^`` zKjku4p5G`0NyKDKR~|1Rtnhuk&Mc=#OC69-uAYF&v{2diOiyWZn{7RE-V0xMAtGsN z5{7tdpI>|0n=uS^g9&9+0pC|%x;8RxcxnC_PfAt#R4LdtLs%H=r2DQ^5JWC=G4$>Q zQ06@ku{i-PBAxdtSVx`Z;e!<0fkU`rNEMO-Px}Eu=%sxP?$ifrP?BajO$v`)z-<$3OEoyb%M0%@uV2vJe6@sPQN-0(VQJ8!vqY0q2+Ba5(q6?k$Zie zij%|OR=R(o;vYy%V!hLOhb6RPZBgh(G}Zh+`%Cw;Ljnw$`6e&CyO~rYk}*D2>1H8O z{2Zc;PAMcNa0WlMTV%y5H8z&8vFZDLcud*s2oN4ubRS{_}lcuRDZxa zq>U!up-mLEh8`uJ5df-^5l>A4MZiD0?*WeG<^D(Ud-py?Q9c6DHm@VVjRrmh(LFR) z0A8xw@_%Y2lAL9T`qih%Ew!{`V=)ldx$J#OzR5tRC({S!S zA7on_`1SP7JWyZjbh%IU;zZTC|K^uv2C(T+&Y3k5Nf%Ti{Su#!i8<=kQt&W4MYj_h z3^xCYn03x(z`P(%iw30cD7;E4i@yhZz}`!|gf7k20$OQz!uFiT_9P_mzyI>%PX5zz e{E7H8k*JX!O?kAHBJMzgC<-!fq|2q=eg0p