From 01335e7aac7b2ad26eed3bb1bc439024142c4f30 Mon Sep 17 00:00:00 2001 From: "William G. Thompson, Jr" Date: Sat, 8 Jun 2019 19:08:13 -0400 Subject: [PATCH] gte and content updates for 401.4 --- docs/401/401.3.rst | 2 +- docs/401/401.4-example-solution.rst | 36 ++--- docs/401/401.4.rst | 143 ++++++++++++----- docs/401/index.rst | 1 - docs/figures/401-lms-solution.png | Bin 0 -> 32029 bytes .../container_files/seed-data/bootstrap.gsh | 3 +- .../container_files/seed-data/bootstrap.gsh | 148 ++++++++++-------- 7 files changed, 205 insertions(+), 128 deletions(-) create mode 100644 docs/figures/401-lms-solution.png diff --git a/docs/401/401.3.rst b/docs/401/401.3.rst index 92b2b35..1f173d8 100644 --- a/docs/401/401.3.rst +++ b/docs/401/401.3.rst @@ -316,4 +316,4 @@ The End .. _Grouper Deployment Guide: https://spaces.at.internet2.edu/display/Grouper/Grouper+Deployment+Guide+Work+-TIER+Program .. _Grouper ESB Connector: https://spaces.at.internet2.edu/display/Grouper/Grouper+ESB+Connector -.. _COmanage: https://www.internet2.edu/products-services/trust-identity/comanage/ \ No newline at end of file +.. _COmanage: https://www.internet2.edu/products-services/trust-identity/comanage/ diff --git a/docs/401/401.4-example-solution.rst b/docs/401/401.4-example-solution.rst index 4aba227..42679d4 100644 --- a/docs/401/401.4-example-solution.rst +++ b/docs/401/401.4-example-solution.rst 
@@ -3,24 +3,24 @@ 401.4 Untangling Legacy Access Policies - Example Solution ========================================================== -The follwing solution uses techniques demonstrated in the other 401 series -labs in order to create an independent policy for the LMS service. +The following solution uses techniques demonstrated in the 201 and 401 labs. +The general solution is to create an independent access policy for the LMS +service based on the legacy community members LDAP group and a new visiting +scholars reference group. -#. Use Grouper Loader to import existing LDAP cohort group into a "community - members" reference group-- `ref:legacy:community_members` -#. Add loader job to populate `communtiy_members` from - `cn=community_members,ou=groups,dc=example,dc=edu`. -#. Run loader job to import members into reference group. -#. Create a Grouper service folder for the LMS with a policy for LMS - authorization: `app:lms:lms_authorize|allow|deny` -#. Add the "institutional people" reference group, `ref:community_members`, - to the allow policy for the LMS, `app:lms:lms_allow`. -#. Create `app:lms:ref:visiting_scholars`. Import the NetIDs for the visiting - scholors into this reference group. -#. Add `visiting_scholars` to `lms_allow`. -#. Provision this policy to a new group in the LDAP DIT that the LMS group can - use to allow access to the service. +#. Create a new application folder `lms` +#. Create a new access policy group `lms_access` +#. Configure PSPNG attributes to `provision_to` `groupOfNames` on `lms_access` +#. Create a new institutional reference `ref:legacy:community_members`. +#. Configure `community_members` with an LDAP loader job. +#. Add `community_members` to `lms_access_allow` +#. Create an application-specific reference group for the visiting scholars + `app:lms:service:ref:visiting_scholars` +#. Import the NetID list into `visiting_scholars` +#. Add `visiting_scholars` to `lms_access_allow` +#. 
File a ticket with Vicky to switch the LMS LDAP access control group +#. Head to your happy place! :) -Congrats! You are now a certified Grouper Guru associate level 1! -And remember nothing gets'em going like chum! +.. figure:: ../figures/401-lms-solution.png +Congrats! You are now a certified Grouper Guru associate level 1! diff --git a/docs/401/401.4.rst b/docs/401/401.4.rst index 712f57d..7a03f70 100644 --- a/docs/401/401.4.rst +++ b/docs/401/401.4.rst 
@@ -14,54 +14,121 @@ Lab Components -------------- * Grouper +* OpenLDAP +* `Grouper Deployment Guide`_ + -------- Overview -------- -A baseline of core services services are enabled by default for a broad range of -community cohorts. The current approach uses a hodge-podge of scripts and -manual intervention to establish a group of "institutional people" that are -granted access to a wide range of services. The system can best be described as -fragile, brittle, and difficult, if not impossible, to evolve and maintain. In -other words-- state of the industry. +A baseline of core services services are enabled by default for a broad range +of community cohorts. The current approach uses a hodge-podge of scripts and +manual intervention to establish a group of "community members" that are +granted access to a wide range of services. The system can best be described +as fragile, brittle, and difficult, if not impossible, to evolve and maintain. +In other words-- state-of-the-industry! -Last year your CIO came back from Internet2 Summit and declared that your -institution is going to deploy TIER. You've just managed to get the Grouper -software up and running, when the head of your LMS group, Vicky, bursts into your -office space and tells you that there are 50 visiting scholars showing up on -campus tomorrow, and they all need access to the LMS for a campus-wide lecture -series. +Last year your CIO came back from Internet2 Summit, and declared that your +institution was going to deploy the InCommon Trusted Access Platform. You have +just managed to get Grouper up and running, when the head of your Learning +Management System group, Vicky, bursts into your office and tells you that +there are 50 visiting scholars showing up on campus tomorrow, and they all need +access to the LMS for a campus-wide lecture series. Your co-worker had mentioned this to you before she left for her month long -vacation. 
She had told you she had taken care of creating the guest accounts, -and not to worry. You just need to grant access to the LMS when the time comes. -No problem. - -But suddenly, you realize that access is controlled via the "institutional -people" group in your Enterprise Directory Information Tree! If you add the -scholars to that group, they'll have access to everything on campus! +vacation. She had told you she had taken care of creating the sponsored +accounts in `COmanage`_, and not to worry. You just need to grant access to the +LMS when the time comes. No problem. -Before panic sets in, you remember your Grouper training. You'll need a little -help from Vicky, but with Grouper, you've got this covered. "OK, Vicky," you say -in a calm, steady voice. "Here's what I'm going to need your team to do ..." +But suddenly, you realize that access to the LMS is controlled via the dreaded +"community members" group in your Enterprise LDAP! If you add the scholars +to that group, they'll have access to everything on campus! ----------------- -Exercise 401.4.1 ----------------- +Before panic sets in, you remember your Grouper training. You will need a +little help from Vicky, but with Grouper, you've got this covered. "OK, +Vicky," you say in a calm, steady voice. "Here's what I'm going to need your +team to do ..." -*Untangling Policies from Cohorts* +-------------------------------------------------------- +Exercise 401.4.1 Untangling policies from legacy cohorts +-------------------------------------------------------- The goal of this exercise is to grant access to the LMS for the 50 visiting -scholar guest accounts *without* granting additional access to those accounts. -Since access control does not happen in a vacuum, you'll need some minimal -assistance from the LMS team. Vicky's team can configure the LMS to point to a -new group in the LDAP DIT, but that's all the help you'll get. 
- -The basic issue is that the legacy access control mechanisms are based on a -cohort of loosely defined "institutional people". All your institution's services -are using this cohort directly to determine who is supposed to have access. - -You'll need to use your new Grouper skills to resolve this issue. - - +scholar sponsored accounts *without* granting any additional unnecessary +access. Since access control does not happen in a vacuum, you'll need some +minimal assistance from the LMS team. Vicky's team can configure the LMS to +point to a new authorization group in LDAP, but that's all the help you'll get. + +The basic issue is that the legacy access control mechanisms are based on a +cohort of loosely defined "institutional people". All your institution's +services are using this cohort directly to determine who is supposed to have +access, so any changes or additions have far reaching impact. + +The dreaded "community members" group that the LMS currenty uses for access +control is in LDAP at "cn=community_members,ou=groups,dc=internet2,dc=edu". You +can log in to https://localhost:8443/phpldapadmin/ to review the group. + +Here are the 50 visiting scholar NetIDs: + +.. code-block:: + + adoe852 + agonazles804 + alopez751 + alopez802 + anielson378 + anielson51 + athompson526 + athompson713 + athompson866 + awalters247 + awhite131 + awhite631 + bdavis150 + bdavis999 + bgasper2 + bgonazles239 + bgrady115 + blee298 + cjohnson933 + clangenberg923 + clee357 + cthompson231 + cthompson287 + cwalters316 + cwalters536 + cwilliams606 + danderson959 + dbrown402 + ddavis762 + ddoe822 + dwhite663 + dwilliams299 + eanderson919 + escott173 + gbutler381 + ggrady118 + ggrady649 + glangenberg234 + gwalters810 + gwhite647 + hpeterson10 + jgrady499 + jlee308 + jnielson505 + jsmith466 + jvales111 + jvales645 + jwalters24 + kdavis686 + kjohnson872 + +You will need to use your new Grouper skills to resolve this issue. Your next +step is up to you! 
+ +If you get stuck or bored, check out the `401.4 example solution`_! + +.. _Grouper Deployment Guide: https://spaces.at.internet2.edu/display/Grouper/Grouper+Deployment+Guide+Work+-TIER+Program +.. _COmanage: https://www.internet2.edu/products-services/trust-identity/comanage/ +.. _401.4 example solution: 401.4-example-solution.html diff --git a/docs/401/index.rst b/docs/401/index.rst index 59cd18e..16cee6d 100644 --- a/docs/401/index.rst +++ b/docs/401/index.rst @@ -17,6 +17,5 @@ experience. 401.3 401.4 401.4-example-solution - appendix .. _InCommon Trusted Access Platform: https://www.incommon.org/tap/ 
diff --git a/docs/figures/401-lms-solution.png b/docs/figures/401-lms-solution.png new file mode 100644 index 0000000000000000000000000000000000000000..21f8f3898adac67970f732293103a2eb08e61206 GIT binary patch literal 32029
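Review bot: In docs/401/401.4-example-solution.rst, steps 6 and 9 add members to `lms_access_allow`, but the only policy group the list creates is `lms_access` (step 2), and the removed text's explicit `lms_authorize|allow|deny` naming has no replacement. Add a step that creates the allow group (and the deny group, if one is intended), or state where `lms_access_allow` comes from, so the list can be followed literally. Step 1 also names the folder only as `lms` while step 7 uses the full path `app:lms:service:ref:visiting_scholars`; giving the full path in steps 1 and 2 would remove the guesswork about where `lms_access` lives.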
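Review bot: In docs/401/401.4.rst, the rewritten text still calls the cohort "institutional people" in the paragraph beginning "The basic issue is that the legacy access control mechanisms", while the Overview and the rest of the exercise now say "community members"; use one name, since the lab depends on the reader recognising this as the same LDAP group. Two typos are also carried on added lines: "core services services" in the first Overview sentence and "currenty" in "the LMS currenty uses for access control". The NetID list uses a bare `.. code-block::` with no language argument; `.. code-block:: text` (or a plain `::` literal block) avoids depending on the Sphinx version and the default highlighter.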
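Review bot: In docs/401/index.rst, `appendix` is dropped from the toctree, but the diffstat lists no deletion of an appendix file under docs/401. If the file still exists, Sphinx will report it as not included in any toctree and it stays in the build output without a link to it. Either delete the file in this commit or mark it `:orphan:`, and mention the removal in the commit message, which currently only says "gte and content updates for 401.4".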
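Review bot: docs/figures/401-lms-solution.png is added as a binary and referenced from the example solution with a bare `.. figure:: ../figures/401-lms-solution.png`, with no `:alt:` option or caption on the added lines. The diagram is the only place the finished policy is shown as a whole, so add alt text or a caption that names the groups it depicts.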