From dd7a6a0769f38cf8506cab2f40cd95b289f1a75e Mon Sep 17 00:00:00 2001
From: Luca Beltrame <lbeltrame@kde.org>
Date: Sat, 23 Jan 2016 22:25:59 +0100
Subject: [PATCH] New post: HOWTO: Configure 389-ds LDAP server on openSUSE
 Tumbleweed

---
 ...dap-server-on-opensuse-tumbleweed.markdown |  91 ++++++++++++++++++
 images/2016/01/389-ds-console.png             | Bin 0 -> 13475 bytes
 2 files changed, 91 insertions(+)
 create mode 100644 _posts/2016-01-23-howto-configure-389-ds-ldap-server-on-opensuse-tumbleweed.markdown
 create mode 100644 images/2016/01/389-ds-console.png

diff --git a/_posts/2016-01-23-howto-configure-389-ds-ldap-server-on-opensuse-tumbleweed.markdown b/_posts/2016-01-23-howto-configure-389-ds-ldap-server-on-opensuse-tumbleweed.markdown
new file mode 100644
index 0000000..dd43c8a
--- /dev/null
+++ b/_posts/2016-01-23-howto-configure-389-ds-ldap-server-on-opensuse-tumbleweed.markdown
@@ -0,0 +1,91 @@
+---
+categories:
+- Linux
+- openSUSE
+comments: true
+date: 2016-01-23 21:28:41+0100
+layout: page
+tags:
+- Linux
+- 389-ds
+- LDAP
+- openSUSE
+title: 'HOWTO: Configure 389-ds LDAP server on openSUSE Tumbleweed'
+---
+
+Recently I've been setting up LDAP authentication on CentOS servers to give a shared authentication method to all the compute nodes I use for [my day job](http://www.marionegri.it/en_US/home/research_en/dipartimenti_en/oncology/cancer_pharmacology/translational_genomic_unit). I use [389-DS](http://directory.fedoraproject.org/) as it's in my opinion much better to administer and configure than openLDAP (plus, it has [very good documentation](http://directory.fedoraproject.org/docs/389ds/documentation.html)). As I have a self built NAS at home (with [openSUSE Tumbleweed](https://en.opensuse.org/Portal:Tumbleweed)), I thought it'd be nice to use LDAP for all the web applications I run there. This post shows how to set up 389 Directory Server on openSUSE Tumbleweed, including the administration console.
+
+# (Obligatory) disclaimer
+
+While this setup worked for *me*, there's no guarantee it will work for *you*. If something breaks, you get to keep all the pieces. With some adjustments (repo names etc) this **might** also work on openSUSE Leap 42.1, but I haven't tested it. Use these instructions at *your own risk*.
+
+# Prerequisites
+
+Your machine should have a FQDN, either a proper domain name, or an internal LAN name. It doesn't really matter as long as it's a FQDN.
+
+Secondly, you need to tune a couple of kernel parameters to ensure that the setup won't scream at you for lack of available resources. In particular, you'll need to raise the ranges of local ports available and the number of maximum file descriptors. You can easily do that by creating a file called `/etc/sysctl.d/00-389-ds.conf`with the following contents:
+
+{% highlight bash %}
+# Local ports available
+net.ipv4.ip_local_port_range = 1024 65000
+# Maximum number of file handles
+fs.file-max = 64000
+{% endhighlight %}
+
+After adding it, issue `sysctl -p` as root to apply the changes.
+
+# Installing 389 Directory Server
+
+Afterwards, we'll need to add the `network:ldap` OBS project, as in particular the admin bits of 389 aren't yet available in Tumbleweed. Bear in mind that adding third-party repository to a Tumbleweed install is *unsupported*.
+
+{% highlight bash %}
+zypper ar -f obs://network:ldap Network_Ldap
+# Trust the key when prompted
+zypper ref
+{% endhighlight %}
+
+The `obs://` scheme automatically adds the "guessed" distribution to your repository (with Leap it might fail though, so beware). Then we install the required packages:
+
+{% highlight bash %}
+zypper in 389-admin 389-admin-console 389-adminutil 389-console 389-ds 389-ds-console 389-adminutil 389-adminutil-lang
+{% endhighlight %}
+
+# Adjusting the configuration to ensure that it works
+
+So far so good. But if you follow the guides now and use `setup-ds-admin.pl`, you'll get strange errors and the administration server will fail to get configured properly. This is because of a missing dependency on the `apache2-worker` package and because the configuration for the HTTP service used by 389 Directory Server is not properly adjusted for openSUSE: it references Apache 2 modules that the openSUSE package ships builtin and thus cannot be loaded.
+
+Fixing the dependency problem is easy:
+
+{% highlight bash %}
+zypper in apache2-worker
+{% endhighlight %}
+
+Then, we'll tackle the configuration issue. Open (as root) `/etc/dirsrv/admin-serv/httpd.conf`, locate and comment out (or delete) the following lines:
+
+{% highlight apache %}
+LoadModule mpm_worker_module    /usr/lib64/apache2/mod_mpm_worker.so
+[...]
+LoadModule unixd_module         /usr/lib64/apache2/mod_unixd.so
+{% endhighlight %}
+
+Save the file and now you'll be able to run `setup-ds-admin.pl` without issues. I won't cover the process here, there are plenty of instructions in the 389 DS documentation.
+
+# After installation: fixing 389-console
+
+If you want to use `389-console` on a 64 bit system with openJDK you'll notice that upon running it'll throw a Java exception saying that some classes (Mozilla NSS Java classes) can't be found. This is because the script looks in the wrong library directory (`/usr/lib` as opposed to `/usr/lib64`). Edit `/usr/bin/389-console` and find:
+
+{% highlight bash %}
+java \
+    -cp /usr/lib/java/jss4.jar: # rest of line truncated for readability
+{% endhighlight %}
+
+and change it to:
+
+{% highlight bash %}
+java \
+    -cp /usr/lib64/java/jss4.jar: # rest of line truncated for readability
+{% endhighlight %}
+
+Voilà!
+
+![389-console working]({{ site.url }}/images/2016/01/389-ds-console.png)
\ No newline at end of file
diff --git a/images/2016/01/389-ds-console.png b/images/2016/01/389-ds-console.png
new file mode 100644
index 0000000000000000000000000000000000000000..96806c2cb9dfe21eaf08ca74b2bbb59e7defea21
GIT binary patch
literal 13475
zcmaL8b980Fw=EpIlMcFLTOHfBZQD9Y$LQF$)v?vFophX>*tY#n|K7dhefJx0ygxRo
z_Sto6@2a)doOA68SCp6df`Een1_t&;N>WrA3=AB!ffc~PfcEH&V#1&UyrZO+3m6#k
zz`qSVnHCur42%d&N>oVIBkMfdO;c41x5rNeCk@MH2^ayrOivuP-W0gJTwNW}25_%x
zTV9U-ZBtdfy#BI64?{jN@&1u!lopT<j@PsGmUGCjE8lU*ciDNn;W8DC2?Y@#Nc0u%
z{~U<!NnXcp!mB7jl>!LLmEG3~ilM*H1%p|>fhuT$@~pkc3nbuy^Z}Lr*i131tN92}
zn~?AXd~jUCG2mRNf=QkRQY2YrN)j3LIsv-hD!5|g5-IddwlL@1KrIAbewFgXCqQjJ
zJqu4n7x4CYMp)=kf~RVf!7jJA7i~0)e)*wNHCJ>FzDyR~4C>sKUcyFSU%hdRZnvqo
z<Kux68rLivD@iiAR#jzHrlhiRbQUy3z}72;9MILiM|O+6+{%|VA;72SX?_EVj42xv
z4yr8N0L-Q*qV+KV0}HF{#HA=BQ|dZeJT{po+mgPi%xCwH)IBsrZ){{!)3+5nJ8+NN
z3w(nvQD26e*#hU1uP*)6FEB~6w0c2xWu0_w7Wc*rf<%%&Nwg{v2XeSd&8killWHwi
z7zofB4r}JCF?_mRfZfb7k$urBC9bI>TzLdlj=aXpJsU<=61DelIjTfo$xy!^9C&yE
zit=52OzS8nzkmO(T1zYUTwlE6cf~laQ6*Nbc!ZfGd(#+}0~}w-<YIEa7TPC8XCjfS
zmuS38T)P4F_c5r&LSjw#1ecyPF(6aMhm0(R&LFYirm<G|{;dO=NnZ8!`B`+`mZa@+
zIg%0rDsWz?t-ko4n=jZi35$<Bc4)mA{4)o6CnCVAt+~Su_nlg~^{X1*x!c$qrfbYA
z3c+l?U4_T~U?1K)@;s5b_@Gq6^`z=fVy>*tJq_|i`U9oTVzuFVgxKBjL3nT*mn0hg
zYGco34fNCN`(PSscOsXHcpRCvT1{X5Gs|*40D9Lu)Hsve1+Oh}IL5T4o6ryGq#}{u
zWmXgL`pRURH_dT++XAdN9TTl6A%MBHYcMrmCL(07)DG<4G?2x=l<DGaQ<3e?T4|_T
z-Heq#*QRKdUr{DsKEIS8)hH#K$yff#vsj}oJJS~|n_@<hI8*WyJ!LYt_u)%L8ix<b
zpfCN~!cApWWo>i)%gNhOm6=K`r+{Cua4%uu(CzT=Yn;$>xeD`Wbg~-BZDH9g_Dq#e
zXscQIcg%qSs|L`!Q4HKWwk7i|x1EodzP2qv%YEAe@`wI%zFovWpx2)Y9@nruQYM6b
zMM!F(6<JlE<n%rxV>zVH_g+zMv|EWfTWMhWZNQ-4<=elrUqSs~V+8YX`fZ7TS&=GP
zmChlwEf^Zj&?Yn4SS&J6k)~VAuX|s;!dy+8{qb+6g_YT0kyDo{;P*fdWWbZ%vaqEl
zr^7~<j1s=t33T&bwTY$I-5#~q1MJP)LPbrA5vZM^Xx+NHy52S+{OZk)$rHEC5%bJs
zaDF~PibA)@k|McGb|vR^JzPe+K1*9$+nv3Y<>i0pYkIg?$wp>&(R%3#mW7H`X}l)L
zpib`$j%&!~Fj2;^(Cd_tsV^>Gk5%kgPG1qfr}LWpDE&a(nfDU{{UCK)<mEI<`O9cz
zr_Yz6&8F0-NPPVkm<5DA%Isq3%o<&b<MdlFq)IL5N3_8>a4-9HqlfU%qXW(O=KZm+
z-^ndz1%|oakE}Xw5+lbos-4bX<Yr6cL_k9yH@?sN^Cs%<coyO-8d~2iCIb@(2PG?O
zlCc<qiIIKG=VG>Q8z3m~`F3W$kob76gq)R5R^s8D=aEXS01Hqo<Gellty~STb)VVt
zJB5iXjttar{}nMLm3||fxw*M+n{QCM3nuFK?^9#sE^ThFKUV5jl#3L>3HUwx=F@LI
zZXfW)5HJf2YO41p6EnjY3^-l)I4j=R!L}?70&+I=Y8x93r@Mk&tv55c5L2CxMw}2Z
zX#^QAe_;Gj^>@D%s09=X3@hZ62z6@T9bXKdG-X=OG@?ouCq(NstGq24l<6<TyI*dy
z_)G~C@Oq05MPVP!tw-Jf%)%lfcCKd7EA`vs@j#Q`_!_VI5-4L9Ds4KNknVEGzy!Jj
zk49~)1=+5)zR`3#r3sJAGf?X`)zVh2v!3s#^Jkwy#bUk5BR?46Vg=<lo?0k7y`^Fe
zJGSkt%k`MscY3|v*DVyJlhs6s=i8gT6+}E*wXNI3uLlfTQ^mAPR7xFGKAs-&9PU5(
zeLf}@@x4}>9>Jgy_X<nhF@5QE!(s^q>a0$YkqP*5T#%*x$*>!feTz5`9q-FyTy0kq
zvbbEXj;_&Dei-yu@jTWxH=8SN=76UBFsKBFf^xV-5`1;ClIv_HGt=efQoY$a7@1mw
z1XL+g9hxDsh&gMt-bnLovT@v7mg4t)ldSRWz9m<_KZ^AUcE%XVMInQKjo7!`SdLzQ
zg;=h$5FjSbzy44MoNXw~kOZf5nnRHe%kQ~J!hvDi+NObu(*_-e!x!)3e&Z{44JWee
zh1o|977UuK7TjR{-os2khwwsBu=A*GjO^u`E44fx-h!2Wf-RJDGJ8w<QOIUPk6hui
z$62f4xs72Zq+(zZ#!Dy6*xd+FT6K8x$t~IzwJm-t@Qv?d)ozLruUJ&63A46bAF5_0
zs92f<WD7u+Ye>bt?XA7sT^a9Ym^E4g!-8crZk|R}>^Hi`5A1l3XY1$@&E*c(2FGo$
zHm6FbbHS-p%AwL(%nFWbg5yU`O-Bq1NzsXTd9zmCFSjiXz@-v?s}BaKd}a@hjY+?^
zC&D2j9$pCyV+oj1$Y^}XeG8RtZDSQoATwpgZn9Q2^Xno0PNyd|x+7*a`<pm{>{^r0
z`5K=m9R2e{V%(engH{_#1`!eF<!(Th!eoCFmrAevm-PTyKzcehX(+Pjk5m@xHH;s6
zZDU&>oue6Sh?0h8W@5z%0NEUV%wlD!&76%6L}c@!wcx$+%+T+0d~syq_IljPe^i|)
zrqd!fVf?h&Z}U9WB%-I9Y*bA?629SaJ7;OLmG3B)@w#7Z>|S)j{*n-7bX=xdv|lSQ
zsp$(wfG9`QIonm~wx<U+*-w>y25SD<aTrUb9|X%KDEHn1O`zwiZOC29X(GKBR}VM)
zSTZSAhaLF<@1NKLKPh}q-`iX+`9U`R^ud${G9f0vQRfSRH^O&M_d<^u1GZr~VP<RE
z>|H!PiCMnT+r6p5zd}AgUoZGv4j2Z3V;M7~p~iN0!R<DX)~Xc~+l9kiE)Tph58vWO
zO|5_a>E;r7n75||O;n_#x$I{a%0g9|Yi!o6=g3r2DKu1rE+Q$kV1&I=+jQkDewXjX
z%A=R0LyYEqst9}2!x3UGPgNqgv!x0ackU#q<LT^P;QuCQ-!kg*a?$V*1t0oQdDc<m
z3L?n=U4Lv8%m4~hD5Ho?hLB7r(gMoRhpx_65cx<|c5ikH9`zMFZqO)J8HXI$$qn<`
z>)lk!_om0U_`ow7gG;BKhe~nL7%f|9d}jO(mp9t*-8VZ)OXXgm#ua|B+pkR3p?@lO
z+uOa|Ux-UuQn_EOm&#9`@cP~)#pd!GY5c)3lTO|0E2h=`;~b4_r!!ma=5oR30VgPF
zX<5lHnU<O9a&Yz&hnvIj{h%s|S}l<6lwGM*-OUX?e67tl-*;UbgIZVeb~&WVPCdF(
zLLtZbX&D|2=IM^ei(Q9|Y%GO3yuAXQ%h`OmPuA_r1SnXAg~2hKPxJtz!SVP#vp|NR
zQYOqrM&|sU5M<zdKxDH>7j=yv0YV-iFa>f18gm-~J*2wbZjqTSmvJl-fVY-&GG3Cv
zEfm7h400AUv~Odp@k~KqNJEhS-Ze{Z2d;H_q4@hvXYJoC*ocaW%`C46+cs-);k(BC
ztz}G-E-uMpcMiq_3sy!w)cvj6i`*vMTd(Fzl`K7$N-I)zqE=ViNc0j~?=+75&n>>g
zqEIXUCPG8gs9DeR{3hY;2{2pgf?VtT^w({3PN20weq(>SoxV=|S979<@8tS>B%r51
zgFSlX<h<QoTS99V7&)_AZA(ozF}YG}#<NttNv8MGcz1p*2eMUa{WFa{1Za>!M+@io
z^mc(f^?{O1Tw{?G%z4?m`U*37nNB;5M)msEK-s6q%UfH_yR+%^5Y}csuir<Ynhi%e
znT+G%hEGh+Q|elqUvFnVy2VuX;ZPNiQ;gi%F00#vcL?&G(ZyZ3zw{Jny4_XV4ISLC
zwoqXpOiWI$G`qycphr^x(~)oShnus#EEhW9or43H95x5JI2!lG(D||-@!7u$vNSCb
zB;$bmVj61`>=m#B64!>d+0DAYOUE4?OS2F`4f6-Ap-yQtUfXA!-I9I%J5cV-dEeAy
zJp(=^SGU9aIU<$802S{o;Kj{ax!F|;6kgy~E43__igEMvjbt-9zhC~qKVEQvBOR6{
zQpj2J{=f@#PmM9Ht=pa}RdCuHGiClj<eqlG2hMi6A@X}ajYMa*%(s=#$fhFOQCnz)
z@I(4iKJ`nmzg8)(qp2!<_6zqLi}OhrzmU)}75O;?3V08+TlkG7(??$t2Dt%KlBDCv
z3P=iBC&d~r1@p{-NLTz%kRZneNyN&EK?W~{%~BqdLaEY1pV-^^ijvOkQZ4?^dXDFc
zA&F$^Maony&+?i)Y92KOe9B+0Q)!f<KKVQ=6D?5RNyAf!1C+}|m8n?Y5f&P;O$xKU
z9&Wd`MYLIMgx#m7_9nA4`Cd(a+yJ?$_nbRljvJC=K42bpPb$X}$M;9(Ied~4f)|-0
zj&*F;LD6!uSLD<2;!SK#Hw%lsmLcEB=xn(&wi6bjZZacybk`gH3%t=l8vL)2Uqp$c
zS7-AvF!$EzXlP>>KHzvShgjR&s7^7F{20z$bLNv4v&->dvYBiGLh=|}GNMo#)q17E
zTs%1K?K|5C!WpbqJ4xedOppzwa(^oY3_1bX45&``b1AUp?YDLK7IzuPBl(bQr$r%q
z<j~i=AEq5Q9TZ=vv)B+94-TFTqJLHzPFL}qU7vyVOyRbGFaPZ#PoLGi6{|MvseXq~
z$kn|&-X1I*R(O88M*niM0JF7t-flWsuI*K}v(*E#?GbaE@rosfI5H}YYPyt^@2%WR
zrTW<!CswL-y(eaWLqEMHPL~`k=l`brfQKs56sOrr-PhJ4fo_v|=Wa47mtZJF8)sLR
z<zr!Cxj7t{5lMx~=&+bJxZ)!F_2Oo84Z>O{^OYr5mn*la9UjjS84Kl($2V*RdrC>v
zdI@Yc9D~pA)}Ms!=M9GpO5O5uG)WD+qYZ}`3@@}GAUyk)M&|nFZ!SPamgH(RH=Ac~
zw*l+7^)@(;GczooQzBE^?BRYa34(Y3p0E2m^+0(yhvUJTSh<>0QKkhY2yO-z`au8C
z?~+c^&7Z!s{BU<GA8vo_wY}SvA2k*m%|6Bacs!!6(eLhU^Tp2*@GH|w;Pl#7j_SHz
zmOf;xI0gCHFzu7b84!x%bl+x12o7wf&vaoN7hnar@AnVKuC+bJfnK9>XE|xNo9#I0
zO;bB)WK8FZAU!JuJ<K1hzoI<ZU0Lj=;Ln#UB_r&QIq%G4Q$*jAOT?U2uGR*ZC#%Km
z&!;zF&}jOD5VH#iS9hLPT@$C$Vlj!ck;o17pM%)~>k|?7&p=?0U0Z&&*M6;jE-yAL
z1=jJiR|G#4zMO3?UIf+|RFM0_^s~fx)}`p(eMq;dNoMNx5$X1muP|}L_dSKvtb4(w
z2q8Ej=3Lu2k)IDlc}xaR+(6*~f|ge1W`8moM1kq(t6JS&W6ak_D_pz~FeauW4;j+h
z9kD?SHilGVA6D&@?lYTD!NgrdK8G89PT@WScu>UyB6LKBAt>7*pw#Ak|Hr&jj+8dV
zj!epUVH5Z2Y%NBqKeX2AmR&lTD&*HdDntB4MoSw1dgswxKkWh2*L$3$H2Arrg(}2;
zm`CXJD4QjRA??%1&WF<dr-e@jtu7p?g#X0#BB}9P%xNybjp{_d+sw;wLYvJc_*fE+
zQ1{0AGNxmg3+4~27YtO?fXihm*UJ}NI~_I=WocgTJFGTgdBH7IXY=WhOdH57I{G%(
z{fq-m%T>{)!8e0iL0?bT^Qg8quGm~&6Hu2GsW76_8KXZs+nH(|6gE2jrYoOiT7Swk
zC81VzE9ne!Pk~L{pKj@PBj;%or1SZ~tC&v}$_zInoh(I4#O5#p`dIt=`j#6Q{1XNv
zXO|~~K?Zhnw}QxQHj($qiB(t1PeMw{<+_Iz8iQ9@FG3Eo8^j(5{8h`bwKgxp&ALR{
zoO$uleFL>i5V<{DagP(XpMt09_A&rV{b3*%*8u_y$Mh<LGy1!tyNMPwF9ghNDh_QY
z?QC9^lm`9j(#RBS`p<7#i6@zXvZvYg%ap$<6e6_bnAG`82r^L3T(ghrfv><Dvin9Z
zZW$iF56_p|a!ys_%1cHNBp(g;`&8Mt!iZX}S!Qlr4Z)Hy8$lj2JvvR)Z_nTC3OPAB
zD*Ikg(PE_aGVAsct0X<FUbnhLL40o6(&RYBN=Hw3biqPp@3&KD;XSY@mrJk-fr#kh
z>FEXXcE*isAP-5W)rHW;o1-C`sHx8y`e^3>!wW6!uc&G;75m}Ym6hgxW#Y<2!Ppl4
zNsm%p*L=TEF1oZVwu5VQQejb<#gxwX=VJ)OJ3R>B0zkYxetdte%SFM$wah_3QSmuk
zD)REP^_~rf;&&&f=MbEfBfiOTh;8y$t&kfUH7bd1Vdyp=%9okuz%vw13>R-Sk7}}C
zm%Uaeq%_h~Z-ahLH}h7&M%x%YkQdeby_mf33=MMF7IP_fpn!UwIl>aGdMfG1UT-ly
zWLV0tsjYqWwogkTmpeJGQPbU|4Z#NT5aM65{}B(P?QJ|RKw!6eja+hf0Agyj^Yx8d
zWz}39U*=1LyTj)7zRZ9|l@Uc#M@{e1d{?y%dZCI}@1vM-3L(@cvXi$j(g#;9i&g1E
zAR*%Q?pqh?@ZsU$lZ4Daeeo+pUpxZnBpfRnINr`6N6iN+Y`t#vOo?hRok+Sb$W+{R
z7s;-zBK?#7I!RgP-V;<)YT}4X9zYd_B>#0coCFO>nxr7XD+39aX<?2<|Bs7LmQpmN
zM@mmE>Ow@4sJdf^6r7x#VnDPQ)^E<dj?@3CR;T#b;1gR#k6}$_CJt6$4cM{}=bTlI
z=wk3hgbJ(?S+kX9<Z%KJpi(x~HLyG;<~J?kwBb4d0O}4uSnn)Frf2+IxWu|p*RWw>
z`L?BTI2F052PidT!1<JaiGlv^?@M?*iPU23(~SXR;prMwlc{!g(r!o)B=SqM*`{{G
z0I_&c_?Au3PC77!Y+-AwSIIwNB<?UvYbJD)=WsjE;N8@UCxi_O`WU+%C#*8v5{+)y
zpMcum`%Zd-B6V9Rm5B4~cei4~J!#ilsBOnvFfqLKcoH|YL|Gn@YH$C$lOyNwN`s0T
zw!m_dRFq_56zv4=-}r+s>sE_y7^nJ!dutE3gB9tx)zLr}!zm^b@T<O`BfcSxE`?&7
z?$^?(qoyOK2bvZm5>?<f)UVD6r}ICjrl!)qF9Y#mVXG9#ti?6Ew~wB16di4iHFT}j
zOYC3a-!N-<$%jkti+--3aH`iRoc8*9!;m_!IbpeFIh~&<w}tTVXOeO;mw$1i(I_-h
z5FlamY#hj+6c1^tmRKmCYP`~tU-PP$o}#-@a7jH;t=<=EvHJXdZudKO2(I{(-{r%$
zHjIYwwN5KBNB2E!s=Fttnqa;{Ir>i(O#M!<^owWcM~^uk-a&=w-Leo$OZoigd9+aG
z=^~S9=5qaAOD-KCWpw@!aMykE8QnaC7RtVq2Fxc=E9aT9y7TS2Z=f<3%}~W7=)173
zSmtAa-PVwp`E&Y>`>ZZ#EB}sf!9UnWTxt1@@9@yIq<;nY#3L!0it^W}A8=!sJu<|+
z1COL32<rj|2gi5~QH|TqZ~m)T-fu02SVC8;$%gt_;H=o80>9k(5#P}gS7%Xh>I1!J
zD@bnnk2~?t34NEw99X^M0do=OxHyQ9f|n9Kq?QfIrlI?~oX%u_rER+E#lYjF`Cqmv
z7Y@b1A$-}f+Z47Y?K!REN&EBdo^|yn+w$?i$;2{4-_+=w4G&c=89{nTAJ+NMhV$(v
z4huTUhB(*xYKqbqGOj8KO|0h7(Ranu)^1oGXWQL@dIPv_&aa2+m`9%VB<Dc~jN{t|
zfq^d&67f@)eO{YNH%4EGyN_Gi0NL&INUP#Hi@qG4=cjQ=0QO&X>;y3+OD9!XBkzG<
z@OkELoJAf|Sm<clP-9qoHNl(&Y^zic73=u1OYZU&9HGb5D#xRu0p$?mKS<WwC390)
zR6k{i^q|=xkV=G`2e_5K83?kx&&0^5)5-qyXB~}X*7B#5(^T40C<n)YC!wMO7-5e9
z>wS-;-z=VPp8VWf(cp7Qqes9Mr}BmJkpwv^uPwAE@zNl3dM>$dO6T^Lq6Eb|Zh8y8
z5*4aH<i^ICzbJCS3UYDR$PM$hFgVT%ZX(@-w;uk)tgyNVtIg5JFMr(b4=Xm6zwlMH
zmmE^cK6;yqmrmBx{9|xFFh9(7;P|=|NBZ)nRlIqiuI&~D6qiZKe`t~t=D{7%#7%!Y
z(j9{t5k6EipSXnp;9{m`!AWEoMnF`+LC#vuR-;OJI)j^H52ZAvasimb5HUHf+Bc~I
zgjk_&WPjg@!0GQtCti~OKsDf9$<_yBW78~Eo@i<Q&aths3Hy2H@YqEf^CFHtw>aY~
z<O2h6FA%@YiMp79z#I+31EbZMtj0cOTsj-3D8c(afDnNw+ESQpXl~RR8}j1#pwVF<
zv_}Ms#~QfZ@><K%_8RYo7YZ;Sx*F-u;%ZOG8IN(=nLwHyh>zzpe<VbCXI~o1voju*
zmVA{mw;&}|HhIz3K22$0rK2GKYEuMXg0)U3u+y*)b4f~`w9U{~YmH$_5b&)B%>w5_
zR%CE!;|_N@=q@6&+%1z}aJyy{&kH-|Zl5a@w)OAb)zV2G+08Dg{ExdG{f&55h4N}8
zoV2NEM)Kar#~B{L!w4FqG4bK%IJ}pqKfn9@u~;A+LPTd%s9sInS?1sQDvH6$X_h0z
ztI@Emq5%#8Bz?)hnQ(i(OHb`CSm~dv9BUFHKFdqFaZxT@6;eFo$MVcMKk*eld?%cX
z#tv9j?blPcNnwo(TZOT}to&1dQFjkinT#9&-H?D3`R6wAssQ#7CLaTLi^oDm3_^#k
z!{VZ?y<b@D&tFMrMgMxP6Xir@Mm>%#{mL*Sa>vFTs#4h;J?Dxw5Be->7{<lGMpSa^
zL12d5OPh{j?@ym=Cr>1`qf+e@@cn|edIO)8oehqCU}Z<GS;iHqzBseT&BMcTy(M%%
za%}SiiZtBJBW2t-eR65@Sl*2dE}xTqLwwi^joid5rz{)bQ{Y4*m*sr}y{a~cQtKJV
z)S5Fv`6Btl-}6$5xk}JNf<){-xV=(t2H(?9XF}oWZEiF0mf5l<E`UQXzq?UrB_x!b
zE!?ts$3JfC?oWry*FMQr1m=;n#o90Wt(14kZ)Cfby#~JDuN5Or-sa@n%Nb0);a0>5
zW!fx({OGUd+&ch!L@zrS(8cICE_%+YV)dvl`!|K6Gcs|5rHOf+YLN0mXk!t!<v!p!
zPrf*spIq8*U)BUx(?&{7EES^gLn?uld57P)SVy7V)*Ffs;m~6%r?uv<m1`<-qLk!F
z-0>0C94t1G)r*nlCzf8}K6XN(4Py3(Bw9jwo^(v}B$<@Tr%^6Vk%31DUL8<SN1@Y)
zbs4<VCu)ZN=S#lS694qwoe%}-)U(OogADFJp16FN_szLTfJGafY*jwH#-0sdHj8QC
zfE~|w_@7Js@>lH>=^5Y(0bhwQ!W12p{P7lqqoxWH(twoTCwFl?v+~sSE2A`H-9$^V
zZNy6&7+7ZQ6V_~J<MFFX0Xo_~k;CC9CzbTmad_+eqpqJqAt`w0A#C^k*tEG-A5N#u
z`GuuI*+|R%g53!<gxbf<yFP#2Kd>6xrnu63T$CJMM-2}(UrwbKHbVe@=u`q+s32&i
zAjqxGQ1;!ADInaN0kF}x(y$ry8YL7ZsX{EU3oDcG3eOl2aoIm*P`8mW5r%3-(_id;
z;ZPMQcr{0iXGKF=%<oG3wTNP1ULTa@l@;Yw2Bmu$QMV;QIny4|U!<UnECf1g3@9ZD
zy13S)U>4>$5jY<RH%up~F3M@%J00`y6cvJ<e)p`6?A<(GFwPp}&A;7dcbZXteXA{U
zmiU8eahRO(IYBoY->He;QTipXd4WTfmblS%$ZcE*+1myL^MtJ3i-7qtLJ=<mRmoMy
zo1Nd9G!CDKG6qGIgGIlC&>Sg&AIU*`h`D+?)j|UvFAo$ISLc>HZzfw`u@Yj3#49=k
z7IJ%~fKOoq3+_C5-yhChUa}Xj+C(RNXF^41qkBo-Ro1>HCkYsOPAekahCr1D*uTL3
zWOF_XCw&>exqc=@C<v9WF{+4W12#YCT9KgFi5dk8V;8rl?|D{Q+)%r-4TiuJL-lgT
zUif%4S2!XT^lE<7;7U52Qq*bdnI5q4(EV^wes9=@J1~jpfpqv-R!Zwad|zoYhf<r0
zDx9+db89_#Ue)3q`kwP(I3Xo5^m@L18DFe<Pc44w?+=FF7X^CLDpL0<uW25VhUUrf
zy2ZR$-DEsz(`IGUo&bi7fw^InHdJ`xc+i8|Qgs@bC7tv4l<eY7Gi5B+tU87QI&|nw
zB)8>|NWj1_r2c&i0Je1tWu>b@V-86rb}DxKRAEPU2A%CV*-sGQ;3aJe!`#kHc`3WL
zz$f|OH~|`Ns=j#TM1OxJ?avAU9Itv(K8^VTiBfJ=z-8Z7uYMzVzftO!;>>5|vv(>C
zcLziMdZwK5eUDIqt<Kp@y*z=v%Ac-C>6+Ua`%LZJ#QvZJG>4e%c{o10R5sQXOj!r5
z{g-mZfir|c(tzpzJVQ3?+w(YiNlf%W1%~F6`Qge_{4Wl>Dr*ZxeXP!e$jdIGPshkf
z{%up7YD&?Io&rWA^3<UHUjhPsgpY}vKOh2#jKWaMh{YfJ^1TEy*yJU;>VG^v^~A0J
zr*-@hZeqw!k5p4m!9^y`?A!bsQ8)AWeOcG{AT514k4XCBlh^v@asnS;t)8TiZkGKP
z@n7Z@qqPW*QrTvnoaP`#fl$Ve*HEW8bRFChta+Mv{mWz#zNQlWoiTqqqj0=T<gt9*
zSB~?*Uv8X}a>EwwZLdg`^FS4ZRS*1KZ;gXn77TiOR)xj;?oLJ(G__@QcFYq6uk285
z{(p=l10ns&%Y7>6+odo(l$2Px0jZpw<qj~?O)Y?E^ec#V5bppHp`>EdKzk57`Y(QC
zJP{u;t%m^0+DjJr<YN7A=Jem(=K@&DEUN1zWGyt%gh@tAQr)>_Aptrqf}{2+fQK@W
zF_uVXNqMDAqzL(saeF_4QibF~`w&0)6wKxB5~DaW)wlQdM3*eYBN`q1$c5@(w)XB8
zf4ynYopjR)(I3~K=f3@_MW-y?c2efc%4)3{b&pud(z~|YpKP7HoF~WJ-D_ME#c#9<
z=zO=}J7!4RX49DV?Mt`bltKR{)^r)t>7(pB&aR!4&rkMU<XzR-THPII!L>*`2!Lep
zDVpfwrR0FK<UCMU!n1B6=GP)fVrlQdd!kliy}pQ~{UNCGv3s!HXssAM)|A2GI7tf?
zP6?t?8|OOlw$t%rrPagUuJ8nporV!uY>4nk6XwDnCe52+vZk3pH_!(Ps>|qDSigY~
zfChjw>D1@`XcdMfR|tq4-H1*53Twssfw*&7%)`fHRDkbC4f%U>vgy;}F5c!1te6Jd
zFb9O;7ku>+vw`NsEFfP%->DZ9(w2*c=VfJYrCurLfdJNi0(&K_A)@`<#&+ie+%U(h
zAy+q(jB>4epy+KUuLRD}h{yp_4Og~wu0*X$V)fSi*+--Gp70z2ux@2_oAsHM<qyZ;
zU?+Y*K-|eWf<sPs&5~sxmufQXFFNJrdDJB^D&&jKHkU0up?@0c?ze;cOF<S5jttLd
zYvXYTH=F?LffikIlPh1C7CT9oT=(BQODOp=D(+e9nR9CR-TE!^jo###>alq;HtxE-
z+>DCoK^t-U6hu-~`v!_6sGFKoqoc>PyFdf8lvI`lJe!%KOB#N#)ALvG%(|A`ng$g5
zS_hx#vh!2rHf>1mm<@%ycRw#LFL|*@Uj9%z7nXr_Si#Zs!FS68-7mu#(N{SSC^M<$
z72_~}>-E*}Y}iYt>m@R7K=dz9E8Ch=wL+po$aetWZ|FQ|8}Ng1umaVMR-;&c9K6ya
zKOt{bq3Xld7l{v6nNI?TjybizB6c8P1*}an^j919$OK(&UluPIwz~6$q*nwmEg$Yx
zn5>No$<Y_VV2q)6Kb2MUQ#sa34ufv<K@C>+Dm#HUD7Xc()$n*+byjgwC}0(jOAbb}
zXYL}3ODh-p)I9!Bg~-q2Jhsfml|E*CX=c+J*B(DJ{$QHz2?g0AIg=8R>buIt3<2Kf
zO+Uwy7rUoxacn*5X#oRlC~O1IE6&5jl+e>R1MQ!B`ThDl+EDVw;d9s!keva3+hgF|
z_G?o5l|=KQGZMJ<p1Z8h>7DzV=J-bnwCYFm$At->d9?k2dBc;4nIty9o`<gYV@>L~
zNwwV>+TN`G(NU?}++;f^>xcKu+3R@(BqUi|5$lo!_Yv(FOr-rwVAWCOo#|5B&xv}0
z(KZ*K0BP-4iEY2GJ?+kHzuOK&pHTV6*0ngF{lD;9&NfBREDE4;+On5<u`M4K{wz~v
z?H&*Lq0d_G921oMveotn?iL_hQh!fRvEVRxb0Opr>T2}2x5Rd{JB`=8=DF0KwBzX4
zMHLjEPpd;-_TLNJ(YBz(aX;d>KCmop{k+reZ&o#P7F8dtqsaUftw)Oi^#|@NjTn-U
zTTup)T8)m?FoHnO@tF$>NSrO-7gFb?^dwkL7*3mPB>5iCyk`x9X4R-JTq%(b9Un+J
zSE&@#<Nhv`Ivf>9u<^Q>T6Zi$@B;yu%?FHW(-=8^je~=Q@}exkD(~aEi4}O-S>}=m
zdi9i_R-rT=(n!0G^p-*CZoa_7fTetGt#7z-+nNlXU(!c5mrj{o8nVH^z^e2vMw~SZ
zzC6?2!kaJkg+C!<4^>Kf*jj!wTvWl@Opa)_s-4h{Sd5%Q<t6@8i`ogcz(#wqtQ`KZ
zAj{XZ*&Sl^ZL-$wXq+$_y?NxrZKA}j3{SI&_Lqi|#|K5uPWs|Zo2oe-b8^wGHH&_1
zl-?E_B<YYbriH;|ZmdxXN^(Q#AaezN_EPcT`xQg&8xj(ZXcL|l)3j=U(qZ5gOs!V`
zQ2yl#uMZTY=YzR08E=$}?cH6kB2V)A2-b2y3|~mYT|MGB1P#um!*#YSfO~ADgzfjL
z6>5HB08&q4btC6mf*GuW6SpHd--YL#wwE;HA*009nfcRtFXyG0+p@{$Y}e;~%w@u|
z{H>Q`K^$Go9R%cta8b=mNx0WnN9f$ovW6z(hD@tr^OguFEc2o{s_z=T6HM&~M<ID*
z%u!XRA4MwnYohCGJzEDRf4loizcGB6di|+^BbHd<ZajOZq^*i_rGFR;FTxMn2-63{
zfF}4_k_d>FoK2(!C`GQZru~T$hV{mB<p-E6C-9jsA^7;}W6IF)QZ2YO!sGU2>Q6a6
z7S7lRAcl$hVGa4MS+#GWx6yFV8C~HuYoEsF*Pw&|N4azQz0BvT<oQWzs*AijdquI1
ztQ!SO^KF*hdBf1#zwdM+UV*XehU9FhPFM$<edpnx@`p_{S(+5<*Z<m#{2LK(QTc>O
zaon;Wf>e}e`f@N_*qL)ygcN?9k@}!S%8=+)XVhcm(lu-OtUrO9{S}Q;7ocflJiba*
zXfmz?Sp%<ef^7}c0WJ6TG9DEXV^C8ge};AEgEWx0B*XMa%eQDc1-BzMNin2*uaCxH
zgqI{nKv~J(X%5lpK6a)<vK2bPpS4G(FUi389I~dp?p28@B9`OoR#n+C!d`AajED6m
zqP@mQ)fcNVE{_9sB&g=vy_Atzff4o+fzgKFVpFUDu5I`Q_<)oG*{&btgP!qcp{Vtl
z3&tCqpF9sS1ek6XyGvn1({eF>6%RR@*HPY8J9uKjs<g4Zv^um4M~)i%@YhZQ=cNfk
zdp{I9vh9i&>3KNQ_5*VE5$wl&f7iM_K?qH_H|9XWb=)CJ&xd>E)PwovEnHUzci&$<
zW^N9tqwB9nyI#%(aY*P<_bU4sw{y|8_A@>RT5q3*{S4r;cAUScv)AEA)guLHdiINK
zI}RZ-P(BjnqxB0%G}Ejh)ys#&$sMPCa!Lpi;g)eLrbhHRT`y%+VqNzdT#6lB-(G%r
zo?vM8k}Vlc+}KXw)+_z#rCL0W6msxiJcYeBJv04N?IHGC3+5)t&FsxnqW>Ex3{VCk
zZd8ygpTgI|Q<lnUL#v}<rJ+z#Qc^&}P$=oXGP6#5g>bWpqq$lqEb<G&{&?Gn6Ubdv
z>^kOUuSl&vKR-`*zrg#<sr*%=JtkY_^JTD^vBt@PqVe}2t+V2k9fFrN_}k!3b0_v(
zB}@&SZ*Scs&4CtJB8*Cv9p=frq(ZNBG&Vbir!BbW;2gBb`MkEs>xJLn))$$*^ay2(
z0d<h!v`@3JzL%M|MOnFVZ>w1#7%(UIS-pXCLt+5?cw_aW?Ajwzopq#JV@$dcd+djj
z&*U6RuR9t>#EK6Pm+fKyhGaud{Vmj^A4=aZu&&9zLkCCjrHLABn#O+HE}XjAo5ot=
zZ$iai;=guaZ~Dh;52wt+x_=AC{epspO(d5|f#RdYd42mBYkiROKO|Gq^}6N*altFS
zxIPCua^PdQS7;zq{kN*pET}+?U7Ze|T+JxCa~CMTr{A}MrD?#=ClEi64JV`d`nKo2
zKi|bvUgkpup9PFW;VEVQh5ijLfq?0M(?<xQSyJ);0f9lB5~R`RjX&OC^MUB6B;S9-
z*#Db^?~CR=C-pyR>VV6?=JFyv{=-w1ajs_)YW5_a#CKW-6lJsNv=UfoPGToVj>pmP
zBPEyT7!6FOYs5H}(IvfGV{&uj=TZlC#JvM(eh9_(b^ocZwa}HVJ6s~dD+>=x<P1sT
z{|Oy<30)`tUs;7?6frCm27F4xCH7|9_0b%W(zXX#p6{>ZZ|^lHN!?zyh&)rg`-fl9
zZUq3-xB(icL#?fzf2S-ERtbt#SI-@tUw+c#ih#+>L+%uLa&kFsT6WGG6K+fTQ4tVs
zj1OLAss28czcv3-rpL|VAb)-^pyN|4;7sbsz%i#$>a^dHc1nBGUuarm!J$5Sdi6Rh
zcedG-B9JM5o!WxJ(bZ%fs2c1Ma~HaeWU+DBUuf;*ysT+rZY~z0OJ26x6O#J5HbYO-
zxqZ_WwANB3M*6BNaJit&mBOW9Q*R%~Lf%j`I6;Hn&5kwLf$a9P7)sIEv-j&CR=44m
zPA<KFG~1t2eq$ATvkChPZgZc@vNr#3v5h-WexMEa2SGO0!K3Qjyj^#^2fJNZq!-W2
zG?%z(g!{wmP^%BG(@odlTh64Tn}gJ4S!no^xF^L|)R^be{d<#I+ZeO6JG$h6eo@6J
zRxt0awF@2I4`Zn|XD&Z|N(9GaR?Tx_yUM)+J#9q{qDI2PSa#F<A*(%Rukr3l?!UR}
zm0%u?u*2PNSCjWS(FA(Og=Zsw!i?@#HN&KAyvr=zQrqbN)Hkbu;RpE*A10wkz6~i3
zfYf<&_k#BopskbSHG!W<_3qwYkpM06!%yb)tXuU4$|c(7`;(x<`xjfPY?6plxW4!g
zDp7FrkOB*v;RRn2&Cw86HlCqHpO%qJC6emfcdc45GSZ;XyIZY;h8R6W%A36zNPBT%
zNisudM&zYHcK<Kuw>{;GhW*e-T;D=%!OXBRu<{Zb&d}D{MK2HLOiT@+*(qddx>Tgm
zu{b3t2T6f-6a)O&m~($TxQWoK4l}Pc3=H*{E3yLNBwh;RcnGt&Wyq4%e2Frqg#@uH
z+2F;>)aGF<!`{!U&N`LjN&r^MnkyK6)%>Dzq)9VHOVYlJEgXm;bjCM{53UAEnK{`f
ziYx1h!a;miRn*B`C4pS!RQpPn2JyyWP=8?2(wL_KpB`ib{NJ@xUC57e1_by8?k6rw
zh1G-0wFnyy?|e2wsN=}Eh-(~N&Uz%A7pe101F?g3@g-fn2oL#7Tbro|7+>}|g-W$T
z+itfJ$F2<RFLNbZbeOd<!5}t-e`>7ZsOE>Qn2C!)4B5`))6wZq4Q^3k<fE)C4umr~
z=Ses{*`P@n{K}8=7|QpRXXQ^~=6fTS4D;DQCfTyWicn~|zAPonz2ul-T>+`Bgkc@`
z>q@#^BhURB@ZnGuvRu@P#i)RlFRF~RVKVzVw(y*C+bL?J83n)+C}!TbgR7sj#zP<M
z*)6Ck%ipWym-Z3Mz!>W>k=I{m=SlIO&vcJZAw>X?dPrg8ypb!DAx!5j;vID(Lct}s
zX{O+NnmrTjevIuJh!kQ##nvIPMK;MY{tqy+5q|nM?q>Q1{gTqCRk9S!=kE~|gdyM8
zC%{%gdZ&T4h2+@$wXCLaTHRW1c(*&I1G^RK9aYwDfEU>AB@i)lkQ@jwxUGJFbWl*p
z$~r*DvP?9lrx?m%W?2t~Y%rbLL+*eO_Gcs#?i2%eR*giLKIa}1FWR}L1Su9z_IzKl
zu+joEim?7u5!aY@L8o!;^0JEci<AxZIv*M2U-8P|$@UVR0$al(6=q4!p3gxNKwQCp
z6?_cOs(lv!b=1lttR0kC-Lepw*7M@nVheAzVIUX*EtmK|f}pp!0!SEiMcqyV$%RD4
z|E&}LPw)I+BBIoMrd%DN?!P4-xp-1GEMYUKWy<;9*-1F?P@uI6QM@!K(ViSiv4Yqx
zMcWMeoy+(4H2<!|4&G;S#DH&;8Df-2ceVXFcz;DaoHnS`YX^Wnkzqba7&WDS{Au$q
zZV2ruDLGW@cQ<#tji;Q7h=^=L8qDjEl|P=Ebeq)dn%?^~iiTJhSyyk&f^&h}5LLa@
zu$6QAAJjpEmZ*dkaiauh&C^msELgG%+Ze3o)68cw1KLCItQuLG6dlx0<W|GA3;aZB
zzrx*-!r*UGCM<4JsmiOY1`H7-52Zhxw%gRutA>w3+DN>qmqTk45#*x5b#eS^`0ylC
z?V_hyEa5{~Xb0dJT(vI~5=8^5omC5!d`PuHJ%2*|>pl~n(<Q;9+NPe-8<|8bQLZP1
zO{*6$7M?-;FA6?6%^YGCT5JO|XJ)9#=<pgI`m7sCqX7l~lHP%Y-+bhmJQu4v8?i4%
zp5dK-)oW%t7W^AKa-h)=K`@S<m;7&*B&+x2L22}V0|0%#(t<%dNfhoD(iaYDAU7L|
mM-kMK|L;N{P^sq=93H0gj!BLE47BP9OiD~%v|89O@P7eMn0}G~

literal 0
HcmV?d00001