Oracle® Fusion Middleware Administrator's Guide for Oracle Virtual Directory, 11g Release 1 (11.1.1)
Oracle Corporation, part number E10046-07, released 2011-11-04

16 Configuring Oracle Virtual Directory Access Control

This chapter explains how to configure access control for Oracle Virtual Directory and includes the following topics:

16.1 Creating Access Control Lists Using Oracle Directory Services Manager

Perform the following steps to create an ACL using Oracle Directory Services Manager:


Note:

If two ACLs differ only by their grant/deny property, the resulting permission will be a deny regardless of the order in which the ACLs are added. For example, the following two ACLs will result in a deny for Search(s) and Read(r) of all attributes for public:
deny:s,r#[all]#public:
grant:s,r#[all]#public:

  1. Log in to Oracle Directory Services Manager.

  2. Select Security from the task selection bar. The Access Control Point navigation tree appears listing the existing Access Control Points.

  3. Click the Create button. The new ACL dialog box appears.

  4. Identify the Access Control Point for the new ACL by entering the DN where you want to apply the new ACL in the DN field.

  5. Configure the scope of the new ACL by selecting either entry or subtree from the Scope list. Selecting entry applies the new ACL only at the Access Control Point DN entry in the virtual tree. Selecting subtree applies the new ACL at the Access Control Point DN entry and all the entries in the subtree below it.

  6. Click the Create button in the Structural Access Items (Entry Level Operations) area to create access policy for the entries in the virtual directory tree. The Structural Access configuration dialog box appears.

  7. Click the Permissions tab and perform the following to set the entry permissions for the access policy:

    • To explicitly grant access for an entry permission, select Grant from the Access Type list and select the permissions you want to grant access to.

    • To explicitly deny access for an entry permission, select Deny from the Access Type list and select the permissions you want to deny access to.

  8. Click the By Whom tab and perform the following to set to whom the entry access policy applies:

    • Select the subject of the ACL from the By Whom list.

    • Enter the DN or IP address of the subject in the DN or IP Address field if you chose Specific DN or IP Address from the By Whom list.

    Click the OK button to save the Structural Access Items (Entry Level Operations) settings. The new entry access policy appears in the Structural Access Items (Entry Level Operations) table.

  9. Click the Create button in the Content Access Items (Attribute Level Operations) area to create access policy for the attributes of the entry. The Content Access configuration dialog box appears.

  10. Click the Target tab and select the attributes from the Attribute list that the access policy applies to. Selecting * applies the access policy to all attributes.

  11. Click the Permissions tab and perform the following to set the attribute permissions for the access policy:

    • To explicitly grant access for an attribute permission, select Grant from the Access Type list and select the permissions you want to grant access to.

    • To explicitly deny access for an attribute permission, select Deny from the Access Type list and select the permissions you want to deny access to.

  12. Click the By Whom tab and perform the following to set to whom the attribute access policy applies:

    • Select the subject of the ACL from the By Whom list.

    • Enter the DN or IP address of the subject in the DN or IP Address field if you chose Specific DN or IP Address from the By Whom list.

  13. Click the OK button to save the Content Access Items (Attribute Level Operations) settings. The new attribute access policy appears in the Content Access Items (Attribute Level Operations) table.
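The Note at the start of this section states the rule that a deny always wins over a grant that differs only in its grant/deny property, whatever the order in which the ACLs were added. The following is an added example (not code from the Oracle Virtual Directory product) that parses ACL lines written in the form shown in the Note, `grant|deny:rights#target#subject`, and evaluates them with that deny-overrides rule. It goes slightly beyond the Note: it also shows that a deny only removes the rights it names, and it treats a target of `[all]` as matching any attribute target, as section 16.1 describes for `[all]` and `*`. The parser and the class name `AclDenyOverrides` are this example's own; the real server's subject grammar (the text after `public:`, `dn:` or `ip:`) and its scope handling are not modeled, and subjects are compared as literal strings.

```java
import java.util.*;

/** Deny-overrides evaluation for ACL lines in the grant|deny:rights#target#subject form. */
public class AclDenyOverrides {

    /** One parsed ACL line, e.g. "deny:s,r#[all]#public:". */
    static final class Acl {
        final boolean grant;
        final Set<String> rights;
        final String target;
        final String subject;

        Acl(boolean grant, Set<String> rights, String target, String subject) {
            this.grant = grant;
            this.rights = rights;
            this.target = target;
            this.subject = subject;
        }

        static Acl parse(String line) {
            String[] parts = line.trim().split("#", -1);
            if (parts.length != 3) {
                throw new IllegalArgumentException("expected three '#'-separated fields: " + line);
            }
            int colon = parts[0].indexOf(':');
            if (colon < 0) {
                throw new IllegalArgumentException("missing ':' after grant/deny: " + line);
            }
            String type = parts[0].substring(0, colon);
            boolean grant;
            if (type.equals("grant")) {
                grant = true;
            } else if (type.equals("deny")) {
                grant = false;
            } else {
                throw new IllegalArgumentException("unknown access type '" + type + "' in: " + line);
            }
            // rights are single letters such as s (search) and r (read), comma separated
            Set<String> rights = new HashSet<>();
            for (String r : parts[0].substring(colon + 1).split(",")) {
                if (!r.trim().isEmpty()) {
                    rights.add(r.trim());
                }
            }
            return new Acl(grant, rights, parts[1], parts[2]);
        }
    }

    /** Effective decision for one right: true = allowed, false = denied. */
    static boolean allowed(List<Acl> acls, String target, String subject, String right) {
        boolean anyGrant = false;
        for (Acl a : acls) {
            // "[all]" in an ACL covers every attribute target
            boolean targetMatches = a.target.equals("[all]") || a.target.equals(target);
            if (!targetMatches || !a.subject.equals(subject) || !a.rights.contains(right)) {
                continue;
            }
            if (!a.grant) {
                return false; // an explicit deny wins regardless of where it sits in the list
            }
            anyGrant = true;
        }
        return anyGrant; // no matching grant at all means the right is not held
    }

    /** Parses the lines and returns the decision for each requested right, in order. */
    static Map<String, Boolean> evaluate(List<String> lines, String target, String subject, String... rights) {
        List<Acl> acls = new ArrayList<>();
        for (String l : lines) {
            acls.add(Acl.parse(l));
        }
        Map<String, Boolean> out = new LinkedHashMap<>();
        for (String r : rights) {
            out.put(r, allowed(acls, target, subject, r));
        }
        return out;
    }

    public static void main(String[] args) {
        // the two ACLs from the Note above, in both orders
        List<String> denyFirst = Arrays.asList("deny:s,r#[all]#public:", "grant:s,r#[all]#public:");
        List<String> grantFirst = Arrays.asList("grant:s,r#[all]#public:", "deny:s,r#[all]#public:");
        System.out.println(evaluate(denyFirst, "[all]", "public:", "s", "r"));
        System.out.println(evaluate(grantFirst, "[all]", "public:", "s", "r"));
        // a deny that names only r leaves s granted
        List<String> partial = Arrays.asList("grant:s,r#[all]#public:", "deny:r#[all]#public:");
        System.out.println(evaluate(partial, "[all]", "public:", "s", "r"));
    }
}
```

Both orderings of the Note's pair evaluate to deny for s and r, and the third list evaluates to s allowed, r denied. The practical consequence when auditing an ACL set is that a stray deny anywhere at the same Access Control Point silently cancels a grant, so look for denies by subject and right rather than by position in the table.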

16.2 Managing Access Control Lists Using Oracle Directory Services Manager

This topic explains how to manage ACLs using Oracle Directory Services Manager and contains the following sections:

Index

A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  R  S  U  V  W  X 

A

access control
attributes, 6.3.4.4
content access permissions, 6.3.4.5
creating an ACL, 6.3.4.1
DN, 6.3.4.6
end-user binding credentials, 6.1
enforcement, 6.3.5
groups, 6.3.3
IP address, 6.3.4.6
overview, 6.3, 6.3.2
permissions, 6.3.4.5
Public, 6.3.4.6
rights, 6.3.4.3
scope, 6.3.4.2
source directory, 6.3.1
structural access permissions, 6.3.4.5
subjects, 6.3.4.6
Subtree, 6.3.4.6
with LDAP Adapter, 2.2.3
access control lists
creating, 16.1
deleting, 16.2.2
enforcing, 6.3.5
updating, 16.2.1
accounts, unlocking, 15.1.2.4
Active Directory Ranged Attributes plug-in, 4.4.2
Active_Directory_to_inetOrg Mapping, 5.2.1
ActiveDirectory Password plug-in, 4.4.1
Adapter data browser
managing entries, 15.1.3
modifying source entries, 15.1.3.2
viewing source entries, 15.1.3.1
Adapter Service Interface, 18.3.6.3
adapterNames parameter, 4.2.2.1
adapters
configuring for EUS, 19.2.2
creating the virtual directory, 2.7
custom
configuring, 18.2.2
creating, 18.2.1
overview, 18.2
settings, 18.2.2.1
Database
access control, 2.3.1
cascading deletes, 2.3.3
configuring, 12.2.3
creating, 12.2
creating for Oracle RAC, 12.2.1
creating for Oracle TimesTen, 12.2.2
data mapping, 2.3.3
deployment considerations, 2.3
entry names, 2.3.3
JDBC libraries, 2.3.2
mapped tables, 2.3.3
multiple table writes, 2.3.3
multiple value attributes, 2.3.3
overview, 2.3
searches, 2.3.3
settings, 12.2.3.1
substring searches, 2.3.3
writes to multi-table objects, 2.3.3
Diameter, 20.1, 20.3, 20.3.2.1
Join View
classes, 18.3.6.4
Conditional join, 2.5.2.2
configuring, 12.4.1
creating, 12.4
deployments, 2.5.1
duplicate entries, 2.5
example, 2.7.2
join relationships, 2.5.2
join rules, 2.5
OneToMany join, 2.5.2.3
overview, 2.5
primary adapter, 2.5
primary adapter routing, 12.4.1.2
routing, 2.5
searching, 2.5
settings, 12.4.1.1
Shadow join, 2.5.2.4
Shadow Join for OID, 12.4.2
Simple join, 2.5.2.1
LDAP
access control, 2.2.3
certificates, 12.1.1.4
configuring, 12.1.1, 19.2.2
creating, 12.1
deployment types, 2.2.1
fail over, 7.4
mutual authentication, 12.1.2
overview, 2.2
settings, 12.1.1.1
Local Store
configuring, 12.3.1, 19.2.2
creating, 12.3
fail over, 7.3.1
migrating data, 2.4.1
overview, 2.4
settings, 12.3.1.1
mappings, 14.3
namespaces, 2.8
overview, 2.1
templates
Active Directory, 2.9.2.1
CA_eTrust, 2.9.2.2
Changelog_LDAP-TYPE, 2.9.2.3
Database, 2.9.4.1
Default, 2.9.1
EUS_ActiveDirectory, 2.9.2.4
EUS_eDirectory, 2.9.2.7
EUS_OID, 2.9.2.5
EUS_Sun, 2.9.2.6
General_LDAP_Directory, 2.9.2.8
IBM_Directory, 2.9.2.9
LDAP, 2.9.2
Local Store, 2.9.3
Novell_Directory, 2.9.2.10
OAM/AD Adapter with Mapper, 2.9.2.11
OAM/AD Adapter with Script, 2.9.2.13
OAM/AD Adapter with SSL, Mapper, 2.9.2.12
OAM/ADAM Adapter with Mapper, 2.9.2.14
OAM/ADAM Adapter with Script, 2.9.2.16
OAM/ADAM Adapter with SSL, Mapper, 2.9.2.15
OAM/DB Adapter with Script, 2.9.4.1
OAM/SunOne Adapter with Mapper, 2.9.2.17
OAM/SunOne Adapter with Script, 2.9.2.18
ONames_LDAP-TYPE, 2.9.2.19
Oracle_internet_Directory, 2.9.2.20
overview, 2.9
Siemens_DirX, 2.9.2.21
SunOne_Directory, 2.9.2.22
User_LDAP-TYPE, 2.9.2.23
types of, 2.1
applyForAdmin parameter, 4.2.2.1
ASI methods, supported, 18.3.6.3
audit logs
for search operations, 17.1.1
information collected, 17.2.3
locations, A.16
authentication
client certificate, 6.2.4
Kerberos, 19.2.3.2
proxy account, 6.2.3
SSO-enabled directories, 8.3.1.3, 8.3.6.3

B

browsers, supported, 8.3.1.1

C

Cache plug-in, 4.2.13
certificates
deleting expired, 8.3.7.5
managing, 6.4
managing expired, 8.3.7.4
Changelog plug-ins, 4.2.21.2
ChangeUserRDN plug-in, 4.2.3
classes, 18.3.6
client certificate authentication, 6.2.4
Client View data browser
exporting LDIF files, 15.1.2.6
importing LDIF files, 15.1.2.5
managing entries, 15.1.2
modifying entries, 15.1.2.3
searching, 15.1.2.1
viewing entries, 15.1.2.2
Common_Name_to_Given_Name Mapping, 5.2.2
ConditionalPublish Mapping, 5.2.3
configuring OVD
maximum heap size, 9.4
privileged ports, 11.3
server properties
Fusion Middleware Control, 9.1
Oracle Directory Services Manager, 9.2
WebLogic Scripting Tool, 9.3
connecting to SSO-enabled directories, 8.3.6.3
copying configuration files, 9.7
CRAM-MD5 binding, 6.2.2
creating components, 10.3
credentials
connecting to proxied directory servers, 2.2.3
managing ODSM, 8.3.7
passing, 2.2.3, 6.1
sending to DSMLv2 service, 18.4
sharing, 3.2.10
using Pass-through mode, 12.1.1.1
custom
adapters
creating and configuring, 18.2
description, 18.3.4.1
for OAM, 19.1
troubleshooting, D.2.3
EntrySet, 18.3.4.2
joins, 2.5.2.5
plug-ins
description, 18.3.4.1
files location, A.4
Java, 18.3
troubleshooting, 18.3.6.2, D.2.3
when to use, 5.1.1
URLs, 12.2
customization, supported, A.17

D

data browsers
Adapter Browser, 15.1.1
Client View, 15.1.1
overview, 15.1.1
DB_Groups Mapping, 5.2.4
default ports, 8.1
deleting a component, 10.7
Diameter adapters, 20.1
Diameter HSS repositories, 20.1
directories, shadow, 2.5.2.4
DNS fail over, 7.2
DSMLv2 service, 18.4
Dump Transactions plug-in, 4.2.8
dynamic filters, 4.2.2.1
DynamicEntryTree plug-in, 4.2.10
DynamicGroups plug-in, 4.2.12
DynamicTree plug-in, 4.2.9

E

end-user binding credentials, 6.1
Enterprise User Security
configuring Local Store and LDAP adapters, 19.2.2, 19.2.3.2
extendAD, 19.2.3.1.1
integration
access control lists for, 19.2.4
Active Directory, 19.2.3.1, 19.2.3.2
limitations of, 19.2.7
multiple domains, 19.2.5
Novell eDirectory, 19.2.3.4
Oracle Internet Directory, 19.2.3.5
user account lockout, 19.2.6
with OVD, 19.2
preparing OVD for integration, 19.2.1
entrysets, 18.3.4
environment variables, 8.1
EUSActiveDirectory plug-in, 4.3.1
EUSeDirectory plug-in, 4.3.4
EUSiPlanet plug-in, 4.3.2
EUSLockout plug-in, 4.3.6
EUSMemberDNMapping plug-in, 4.3.5
EUSOID plug-in, 4.3.3
expired certificates
deleting, 8.3.7.5
finding, 8.3.7.4
extendAD, 19.2.3.1.1
external directories, integrating OVD, 19.2.3

F

FA UserRole plug-in, 4.2.1
fail over
DNS, 7.2
LDAP Adapters, 7.4
Local Store Adapter, 7.3.1
network, 7.2
Oracle Virtual Directory, 7.3
fault tolerance, 7.1
file.prop, 11.6.2
filters
dynamic, 4.2.2.1
static, 4.2.2.1
FlatTree plug-in, 4.2.11
ForkJoin plug-in, 4.2.5
Fusion Middleware Control
configuring SSL Listeners, 11.6.1
creating HTTP Listeners, 11.4.2
creating LDAP Listeners, 11.4.1
creating Listeners, 11.4
deleting Listeners, 11.4.3.2
editing Listeners, 11.4.3.1
getting started with, 8.4
invoking, 8.4.1
managing Listeners, 11.4.3
OVD auditing, 17.2.1
OVD logging, 17.1.1
OVD metrics, 8.4.5
OVD server properties, 9.1
restarting OVD, 8.4.4
starting OVD, 8.4.2
stopping OVD, 8.4.3
supported browsers, 8.3.1.1
URL, 8.4.1

G

GenericMapper plug-in, 4.2.23
Global Service Interface, 18.3.6.2

H

heap size, 9.4
HideEntriesByFilter plug-in, 4.2.2

I

IETF LDAP Access Control Model for LDAPv3, 2.2.3
IETF RFC 2820, 2.2.3
InetAD plug-in, 4.4.3
integration, Oracle Directory Services Manager-SSO, 1.1.4, 8.3.1.3, 8.3.2
integration, with EUS, 19.2.3

J

Java Key Store
description, 8.3.7.1
listing contents, 8.3.7.3
retrieving passwords, 8.3.7.2
Java plug-ins, 4.1
JAWS Screen Reader, 8.3.1.2
join relationships, 2.5

K

Kerberos authentication, 19.2.3.2
keystore
description, 8.3.7.1
listing contents, 8.3.7.3
retrieving passwords, 8.3.7.2
krb5.conf, 12.1

L

LDAP tools, 8.6
LDAP tools passwords, 8.6
ldapURL parameter, 4.2.2.1
LDIF files
exporting, 15.1.2.6
importing, 15.1.2.5
Listeners
Admin Gateway, 11.2
Admin Listener settings, 11.4.3.1.1
configuring SSL
using Fusion Middleware Control, 11.6.1
using WebLogic Scripting Tool, 11.6.2
configuring using WebLogic Scripting Tool, 11.5.1.2, 11.5.1.3
creating using Fusion Middleware Control, 11.4
default, 11.2
deleting
using Fusion Middleware Control, 11.4.3.2
using WebLogic Scripting Tool, 11.5.2
editing using Fusion Middleware Control, 11.4.3.1
HTTP
creating using Fusion Middleware Control, 11.4.2
security contexts, C.6
settings, 11.4.2
WebGateway architecture, C.3
WebGateway commands, C.5
WebGateway demo browser, C.2
WebGateway DSML serverlet, C.3.1
WebGateway functionality, C.1
WebGateway Handlers, C.3.3
WebGateway query parameters, C.4
WebGateway XSLT serverlet, C.3.2
XSL stylesheets, C.7
LDAP
creating using Fusion Middleware Control, 11.4.1
settings, 11.4.1
LDAP SSL Endpoint, 11.2
managing
using Fusion Middleware Control, 11.4.3
using WebLogic Scripting Tool, 11.5
overview, 11.1
updating using WebLogic Scripting Tool, 11.5.1, 11.5.1.1
validating SSL connections, 11.6.3
logging level values, supported, 4.2.8.1

M

management interfaces, 8.1
Map_DB_Password Mapping, 5.2.5
mappings
constructing using templates, 14.1
creating, 14.2
for adapters, 14.3
viewing, 14.1.1
virtual namespace, 1.3.1
Middleware home, 1.1.5
migrating data, 2.4.1

N

namespace
filters, 4.1.1
mapping, 1.3.1, 2.2.1
values, 10.3
namespaces adapter, 2.8

O

OAMPolicyControl plug-in, 4.5.1
ObjectClass Mapper plug-in, 4.2.14
oidcmprec, 2.4.1
Onames plug-in, 4.3.7
operations, supported, 2.3.3, 2.4.1
opmnctl
createcomponent, 10.3
deletecomponent, 10.7
overview, 10.1
registerinstance, 10.4
restartproc, 10.11
startproc, 10.9
status, 10.8
stopproc, 10.10
unregisterinstance, 10.5
updatecomponentregistration, 10.6
Oracle Access Manager, 19.1
Oracle Communications Universal User Profile
Diameter adapter, 20.3
IMS 3GPP Schema, 20.4
overview, 20.1
use cases for, 20.2
Oracle Database Net Services
integration, 19.3
Active Directory, 19.3.3
Oracle Directory Server Enterprise Edition, 19.3.4
Oracle Internet Directory, 19.3.5
starting, 19.3.2
Oracle Directory Services Manager
access, 8.3.1
cluster, 8.3.9
contents of keystore, 8.3.7.3
creating ACLs, 16.1
deleting ACLs, 16.2.2
description, 8.3.1
invoking, 8.3.5
Java Key Store, 8.3.7.1
keystore password, 8.3.7.2
languages, 18.1
logging in to directory server, 8.3.6, 8.3.6.1
managing schema, 15.2
OVD server, 9.2
session timeout, 8.3.8
SSL, 8.3.6.2
SSO integration, 1.1.4, 8.3.1.3, 8.3.2
supported browsers, 8.3.1.1
updating ACLs, 16.2.1
URL, 8.3.5
Oracle Fusion Middleware, 1.1.5
Oracle home, 1.1.5
Oracle instance, 10.2
Oracle Process Manager and Notification Server, 10.1
Oracle RAC, 12.2.1
Oracle TimesTen, 12.2.2
orcladmin, 8.3.1
orclpwdaccountunlock attribute, 15.1.2.4
orphan socket connections, 9.5
OVD
auditing, 17.2
auditing using Fusion Middleware Control, 17.2.1
auditing using WebLogic Scripting Tool, 17.2.2
classes, 18.3.6
Adapter Service Interface, 18.3.6.3
data, 18.3.6.6
data types, 18.3.6.7
exceptions, 18.3.6.8
Global Service Interface, 18.3.6.2
Join View Adapter, 18.3.6.4
utility, 18.3.6.5
Virtual Service Interface, 18.3.6.1
comparing releases, A
audit configurables, A.15
audit log, A.16
classpaths, A.13
command-line tools, A.12
configuration files, A.3
default superuser, A.1
GUI, A.11
Local Store Adapter files, A.7
log files, A.6
mapping files, A.5
plug-in files, A.4
process management, A.2
schema files, A.8
server debugging, A.10
server libraries, A.9
configuring for Oracle Access Manager, 19.1
default image, 10.2
DSMLv2 service, 18.4
integrating with Enterprise User Security, 19.2
logging granularly, 17.1.3
logging using Fusion Middleware Control, 17.1.1
logging using WebLogic Scripting Tool, 17.1.2
schema, 15.2
searching, 15.1.2.1
supporting multiple EUS domains, 19.2.5
troubleshooting, D
OVD server
heap size, 9.4
libraries, 9.6.1

P

pass-through authentication, 6.2.1
passwords
preventing exposure, 8.6
retrieving Java Key Store, 8.3.7.2
Performance Monitor plug-in, 4.2.16
plug-ins
adapters
creating, 13.1.1
deleting, 13.1.4
editing, 13.1.3
operation-specific, 13.1.2
global
creating, 13.2.1
deleting, 13.2.4
editing, 13.2.3
viewing, 13.2.2
Java
Active Directory Ranged Attributes, 4.4.2
ActiveDirectory Password, 4.4.1
Cache, 4.2.13
chain system, 18.3.2
Changelog, 4.2.21.2
ChangeUserRDN, 4.2.3
custom, 18.3
custom entrysets, 18.3.4
custom filtering, 18.3.5
custom implementation points, 18.3.3
Dump Transactions, 4.2.8
DynamicEntryTree, 4.2.10
DynamicGroups, 4.2.12
DynamicTree, 4.2.9
EUSActiveDirectory, 4.3.1
EUSeDirectory, 4.3.4
EUSiPlanet, 4.3.2
EUSLockout, 4.3.6
EUSMemberDNMapping, 4.3.5
EUSOID, 4.3.3
FA UserRole, 4.2.1
FlatTree, 4.2.11
ForkJoin, 4.2.5
HideEntriesByFilter, 4.2.2
InetAD, 4.4.3
namespace filtering, 4.1.1
OAMPolicyControl, 4.5.1
ObjectClass Mapper, 4.2.14
Onames, 4.3.7
overview, 4.1
Performance Monitor, 4.2.16
Proxy Authorization Support, 4.2.19
SubschemaSubentry, 4.3.8
Sub-Tree, 4.2.15
UniqueEntry, 4.2.17
UPNBind, 4.2.4
UserManagement, 4.2.20
VirtualAttribute, 4.2.7
VirtualMemberof, 4.2.6
Python Mappings
Active_Directory_to_inetOrg, 5.2.1
Common_Name_to_Given_Name, 5.2.2
ConditionalPublish, 5.2.3
DB_Groups, 5.2.4
deploying, 5.1.2
Map_DB_Password, 5.2.5
overview, 5.1
proxy account authentication, 6.2.3
Proxy Authorization Support plug-in, 4.2.19
pwdaccountlockedtime attribute, 15.1.2.4
Python Mappings, 5.1, A.17

R

Referenced By table, 15.2.1.2
registering Oracle instance, 10.4
restarting OVD
opmnctl, 10.11
REST-based clients, 18.4
routing
example, 3.1
overview, 3.1
settings, 3.2
Attribute Flow, 3.2.5
bind support, 3.2.7
binds, 3.2.10
criticality, 3.2.8
DN matching, 3.2.3
filters, 3.2.2
levels, 3.2.4
priority, 3.2.1
retrievable attributes, 3.2.5.1
storable attributes, 3.2.5.3
unretrievable attributes, 3.2.5.2
unstorable attributes, 3.2.5.4
views, 3.2.9
visibility, 3.2.6

S

schema
creating like attributes, 15.2.1.3
creating like object classes, 15.2.2.3
creating new attributes, 15.2.1.2
creating new object classes, 15.2.2.2
deleting attributes, 15.2.1.5
deleting object classes, 15.2.2.5
managing, 15.2
modifying attributes, 15.2.1.4
modifying object classes, 15.2.2.4
searching, 15.2.1.1
searching for object classes, 15.2.2.1
search operations
audit logs, 17.1.1
session timeout, configuring, 8.3.8
shadow directories, 2.5.2.4
Shadow Joiner
description, 2.5.2.4
eliminating schema changes, 2.5.2.4
storing attributes, 2.5.2.4
Single Sign-On
connecting to directories, 8.3.6.3
understanding integration with Oracle Directory Services Manager, 1.1.4, 8.3.1.3
SSL
configuring LDAP Adapter to AD Application Mode target, 2.9.2.15
configuring LDAP Adapter to AD target, 2.9.2.11, 2.9.2.12
validating SSL connections, 11.6.3
SSO-enabled directories
authentication, 8.3.1.3, 8.3.6.3
connecting, 8.3.6.3
starting OVD using opmnctl, 10.9
static filters, 4.2.2.1
status of component, 10.8
stopping OVD using opmnctl, 10.10
SubschemaSubentry plug-in, 4.3.8
Sub-Tree plug-in, 4.2.15
superuser, A.1
superuser password, 9.1
supported
ASI methods, 18.3.6.3
browsers, 8.3.1.1
customization, A.17
join relationships types, 2.5.2
log level values, 4.2.8.1
operations, 2.3.3, 2.4.1
syncovdconfig, 9.7

U

UniqueEntry plug-in, 4.2.17
Unlock Account button, 15.1.2.4
unlocking user accounts, 15.1.2.4
unregistering Oracle instance, 10.5
updating registration of an Oracle instance, 10.6
UPNBind plug-in, 4.2.4
URLs, using custom, 12.2
user account lockout, enabling, 19.2.6
user accounts, unlocking, 15.1.2.4
UserManagement plug-in, 4.2.20

V

validating SSL connections, 11.6.3
views, creating and configuring, 3.2.9
Virtual Service Interface, 18.3.6.1
VirtualAttribute plug-in, 4.2.7
VirtualMemberof plug-in, 4.2.6

W

wallets
creating, 11.6.3.2
importing certificates, 11.6.1
managing, 6.4
passwords, 8.6
Web Gateway
architecture, C.3
commands, C.5
demo browser, C.2
DSML serverlet, C.3.1
functionality, C.1
Handlers, C.3.3
overview, C
query parameters, C.4
XSLT, C.3.2
Web service clients, connecting, 18.4
WebLogic
domain, 1.1.5
Home, 1.1.5
WebLogic Scripting Tool
configuring Listeners
HTTP, 11.5.1.3
LDAP, 11.5.1.2
SSL, 11.6.2
deleting Listeners, 11.5.2
getting started, 8.5
managing Listeners, 11.5
OVD auditing, 17.2.2
OVD logging, 17.1.2
OVD server, 9.3
retrieving ODSM Java Key Store passwords, 8.3.7.2
updating Listeners, 11.5.1, 11.5.1.1
WSDL files, 18.4

X

XSL stylesheets, C.7
Table of Contents

List of Examples

List of Figures

List of Tables

Title and Copyright Information

Preface

What's New in This Guide?

Part I Understanding Oracle Virtual Directory Services

1 Understanding Oracle Virtual Directory

2 Understanding Oracle Virtual Directory Adapters

3 Understanding Oracle Virtual Directory Routing

4 Understanding Oracle Virtual Directory Plug-Ins

5 Understanding Oracle Virtual Directory Mapping

6 Understanding Oracle Virtual Directory Security

7 Understanding Oracle Virtual Directory Fault Tolerance

Part II Basic Administration

8 Getting Started with Administering Oracle Virtual Directory

9 Configuring and Managing the Oracle Virtual Directory Server

10 Managing Oracle Virtual Directory Server Processes

11 Creating and Managing Oracle Virtual Directory Listeners

12 Creating and Configuring Oracle Virtual Directory Adapters

13 Managing Oracle Virtual Directory Plug-ins

14 Managing Oracle Virtual Directory Mappings

15 Managing Oracle Virtual Directory Entries and Schema

16 Configuring Oracle Virtual Directory Access Control

17 Managing Oracle Virtual Directory Logging and Auditing

Part III Advanced Administration

18 Customizing Oracle Virtual Directory

19 Configuring Oracle Virtual Directory for Integrated Directory Solutions

20 Oracle Communications Universal User Profile

Part IV Appendixes

A Comparing Oracle Virtual Directory 11g Release 1 (11.1.1) and 10g Releases (10.1.4.x)

B Starting and Stopping the Oracle Stack

C HTTP Listener's Web Gateway Service

D Troubleshooting Oracle Virtual Directory

Index


18 Customizing Oracle Virtual Directory

This chapter explains how to customize Oracle Virtual Directory and contains the following topics:

18.1 Setting Localized Languages for Oracle Directory Services Manager

Oracle Virtual Directory includes localized translations for the Oracle Directory Services Manager interface in the following languages:

  • French

  • Italian

  • German

  • Spanish

  • Brazilian Portuguese

  • Japanese

  • Traditional Chinese

  • Simplified Chinese

  • Korean

You can set the language for the Oracle Directory Services Manager interface using your web browser's language settings. Refer to your web browser's documentation for specific information on setting languages.


Notes:

Only users who have Oracle Directory Services Manager Administrator access (usually cn=orcladmin) can log in to Oracle Directory Services Manager.

18.2 Creating and Configuring Custom Adapters

Oracle Virtual Directory supports creating custom adapters using plug-ins that can connect to almost any data source with a defined API. For example, you can use custom adapters to expose information available through web services. A custom adapter has no functionality of its own; it is a placeholder where adapter-level plug-ins are configured to implement its functions. By default, Custom Adapters do not map to any data source. Plug-ins, such as the Diameter plug-in, that are added to Custom Adapters on the Plug-In tab in Oracle Directory Services Manager provide the data. Typically, Custom Adapters are written by customers that must connect Oracle Virtual Directory to non-LDAP and non-database services, such as Web Services.

This topic contains the following sections:

18.2.2 Configuring Custom Adapters

This section describes how to configure Custom Adapter settings, including:

18.3 Developing Custom Java Plug-Ins

This topic explains how to develop custom Java plug-ins for Oracle Virtual Directory and contains the following section:

18.3.1 Overview

Oracle Virtual Directory enables you to create and deploy custom Java plug-ins that can process and manipulate LDAP operations as they pass through the Oracle Virtual Directory. Plug-ins can be positioned at either a global level, where they see and affect all requests, or at an adapter level, where they see and affect only requests for a particular adapter. You can also create and deploy plug-ins to run on particular operations and for certain namespaces.


Note:

If you rename attributes using custom Java plug-ins, Oracle Virtual Directory supports searching on the renamed attribute or value only if the custom code also rewrites the incoming filter object, as is done in the DB_Groups Mapping.

Each Oracle Virtual Directory plug-in has a specific implementation point, as listed in Table 18-1:

This chapter demonstrates how to create a custom plug-in by explaining the implementation points listed in Table 18-1. It uses a fictitious example plug-in called the Bad Password Count plug-in, which detects whether a bind operation failed or succeeded. If the bind succeeds, the count is cleared; if the bind fails, the count is incremented. The fictitious Bad Password Count plug-in also ensures that the bad password count cannot be changed from outside the directory.


Note:

The Bad Password Count plug-in described in this chapter is a fictitious example used to demonstrate how Oracle Virtual Directory plug-ins and its chain system operate. Oracle Virtual Directory does not include a Bad Password Count plug-in, though it could support one if you created it.

18.3.3 Plug-In Implementation Points

Before you can build a custom plug-in, you must decide whether to implement the com.octetstring.vde.chain.Plugin interface or extend the com.octetstring.vde.chain.BasePlugin class. The BasePlugin class is a convenience that allows a plug-in developer to only implement the methods for operations to be handled by the plug-in. The example plug-in provided in this chapter extends the BasePlugin class to simplify the implementation.

The sections in this topic describe the Oracle Virtual Directory plug-in implementation points, including:

18.3.3.1 Configuration, Startup, and Shutdown Plug-In Implementation Points

Configuration is the first plug-in implementation point. Plug-ins are configured using a set of simple name and value pairs provided by the Oracle Virtual Directory configuration system. The pairs are provided to the plug-in developer through the params argument to the init method of the plug-in. The example plug-in provided in this chapter includes the following configuration options:

  • countAttribute: An attribute to be attached to all user entries that store the bad password count.

  • addOnCreate: Boolean value set to true if the plug-in adds this attribute when a user is created.

  • objectClassForAdd: The object classes that represent users to which the attribute is added.

  • ignoreOnModify: Boolean value, set to true if modify requests on the countAttribute should be ignored.

The configuration options listed above are picked up in the life cycle methods, which are the second implementation point. The init method is called when the plug-in is initialized at server startup and the destroy method is called when the plug-in is shut down. Example 18-1 shows an example init method:

Example 18-1 Example init Method

/**
 * Passes initialization information to the Plug-in
 *
 * @param initParams
 *            Hashmap of key/value pairs specified in initial config
 * @param name
 *            The name specified in the config for this Plug-in
 */
public void init(PluginInit initParams, String name) throws ChainException {
       // the countAttribute parameter is required
       if (!initParams.containsKey(BadPasswordCount.CONFIG_COUNT_ATTRIBUTE)) {
            throw new ChainException(name + ": The "
               + BadPasswordCount.CONFIG_COUNT_ATTRIBUTE
               + " attribute is required");
       }
       this.countAttribute = new DirectoryString(initParams
                 .get(BadPasswordCount.CONFIG_COUNT_ATTRIBUTE));
       this.attribType = SchemaChecker.getInstance().getAttributeType(
            this.countAttribute);

       // determine if add on create; absent or any value other than "true" means false
       this.addOnCreate = initParams
            .containsKey(BadPasswordCount.CONFIG_ADD_ON_CREATE)
            && initParams.get(BadPasswordCount.CONFIG_ADD_ON_CREATE)
            .equalsIgnoreCase("true");

       if (this.addOnCreate) {
             // objectClassForAdd is only required when the attribute is added on create
             if (!initParams
                      .containsKey(BadPasswordCount.CONFIG_OBJECTCLASS_FOR_ADD)) {
                  throw new ChainException(name
                        + ": When adding count attribute, the parameter "
                        + BadPasswordCount.CONFIG_OBJECTCLASS_FOR_ADD
                        + " is required");
             }

             String[] objectClasses = initParams
                    .getVals(BadPasswordCount.CONFIG_OBJECTCLASS_FOR_ADD);
             this.objectClasses = new HashSet();

             for (int i = 0, m = objectClasses.length; i < m; i++) {
                  this.objectClasses.add(new DirectoryString(objectClasses[i]));
             }
       }

       logger.info("Adding on create : " + this.addOnCreate);

       // determine if modify requests on the count attribute should be ignored
       this.ignoreModify = initParams
            .containsKey(BadPasswordCount.CONFIG_IGNORE_MODIFY)
            && initParams.get(BadPasswordCount.CONFIG_IGNORE_MODIFY)
            .equalsIgnoreCase("true");
}
The method in Example 18-1 checks the initialization parameters to set up the plug-in. If the configuration is incomplete, the plug-in throws an exception, which leaves it unconfigured so the server does not use it. You are not required to implement the destroy method unless you need to release connections or shut down services.

18.3.3.3 Operation Plug-In Implementation Point

The final implementation point is the operation implementations. Consider the implementation of a bind operation in Example 18-3:

Example 18-3 Example Bind Operation Implementation

/**
 * Moves through the "bind" operation's chain
 *
 * @param chain
 *            The current chain
 * @param creds
 *            The credentials of the requesting connection
 * @param dn
 *            The DN for the user
 * @param password
 *            The user's password
 * @param result
 *            The result of the bind
 */
public void bind(Chain chain, Credentials creds, DirectoryString dn,
            BinarySyntax password, Bool result) throws DirectoryException,
            ChainException {

       // Pre-event processing: none, this plug-in only reacts to the outcome

       // calls the next plug-in in the chain (or comment out if a handler)
       chain.nextBind(creds, dn, password, result);

       // Post-event processing
       if (result.booleanValue()) {
             // success, reset count
             setPasswordCount(chain, creds, dn, 0);
       } else {
             Vector searchAttributes = new Vector();
             searchAttributes.add(this.countAttribute);

             ChainVector results = new ChainVector();
             try {
                 // base-scope search (Int8 0) for the count attribute of the binding user
                 chain.getVSI().get(chain.getRequest(), creds, dn,
                     new Int8((byte) 0), ParseFilter.parse("(objectClass=*)"),
                     new Bool(false), searchAttributes, results);

                 int current = 0;
                 if (results.size() > 0) {
                      EntrySet es = (EntrySet) results.get(0);
                      Entry entry = es.getNext();
                      Vector values = entry.get(this.countAttribute);
                      // an entry without the attribute yet counts as zero failures so far
                      if (values != null && !values.isEmpty()) {
                           Syntax value = (Syntax) values.get(0);
                           IntegerSyntax is = new IntegerSyntax(value.getValue());
                           current = (int) is.getLongValue();
                      }
                 }
                 setPasswordCount(chain, creds, dn, current + 1);
             } catch (Exception ex) {
                 // the bind result is already final; losing the increment silently
                 // would weaken the policy, so record the failure instead of hiding it
                 logger.info("Could not update bad password count for " + dn + ": " + ex);
             } finally {
                 // release every entry set the search returned
                 for (Object o : results) {
                     ((EntrySet) o).cancelEntrySet();
                 }
             }
       }
}

private void setPasswordCount(Chain chain, Credentials creds,
             DirectoryString dn, int count) throws DirectoryException,
             ChainException {

      // replace the count attribute with the single new value
      Vector values = new Vector();
      values.add(new IntegerSyntax(count));
      EntryChange modify = new EntryChange(EntryChange.MOD_REPLACE,
                  this.countAttribute, values);
      Vector changes = new Vector();
      changes.add(modify);
      chain.getVSI().modify(chain.getRequest(), creds, dn, changes);
}

The method in Example 18-3 shows an example where password failure counts are maintained within the directory as a form of password policy. Notice that the method does not perform any pre-processing of the operation, nor does it attempt to take over the bind operation. The plug-in's bind method immediately calls the chain.nextBind method and waits for the bind to complete before moving forward with its own logic. Once the bind is complete, that is, once control is returned from chain.nextBind, the plug-in checks whether the bind was successful. If the bind was successful, the plug-in sets the failure count attribute to zero for the user. If the bind failed, the current failure count is retrieved and the incremented value is written back.

The bind method uses the Virtual Services Interface (VSI) to modify records for the binding user. You can use the VSI interface throughout Oracle Virtual Directory as a consistent way to access directory information regardless of whether a plug-in is deployed globally or within the context of an adapter. VSI does this by always calling into Oracle Virtual Directory by starting with the next plug-in in the chain after the current plug-in. For example, if there is a mapper before the plug-in, and a cache after the plug-in, then the call to VSI only goes through the cache.

Because the plug-in is now logically in charge of maintaining the bind failure count, the plug-in modify method must be implemented so that any attempt by an LDAP client to modify the count is blocked. The plug-in modify method in Example 18-4 is implemented to throw an exception if the count attribute is included in the modify change list.

A DirectoryException is thrown with both a status code and a message. If this exception is not caught by another plug-in, both the message and the code will make it back to the client. For this example, you do not have to check and see if the ignoreOnModify has been configured because you have delegated that decision to the available method. If it was set, the plug-in modify method in Example 18-4 would not have been called.

18.3.4 Creating EntrySets

Each object in a directory is represented in Oracle Virtual Directory by a com.octetstring.vde.Entry object. Each entry contains the name of the object and attributes with attribute values. All entry objects are processed in Oracle Virtual Directory using an implementation of the com.octetstring.vde.EntrySet interface. Entry sets store or handle all entries returned by a particular data source. During normal Oracle Virtual Directory processing, each adapter called during a search request adds its own EntrySet implementation to the list of results to be returned by Oracle Virtual Directory. Additionally, it is also possible that a plug-in could insert additional EntrySet objects into the results vector array. After all adapters have been queried to fulfill the search request, each EntrySet is traversed with its entries sent to the client.

While all adapters produce EntrySet implementations, a plug-in may also create an instance of the EntrySet interface and use it to return entries to the client during a search request.

The following are the two means a plug-in can use to create an EntrySet:

18.3.4.1 ExtensibleEntrySet

The simplest means a plug-in can use to create an EntrySet is by using the com.octetstring.vde.backend.extensible.ExtensibleEntrySet class to create an EntrySet based on a java.util.Vector of Entry objects. The following is the procedure to do so:

  1. Create a new java.util.Vector array.

  2. Add all of the Entry objects to the vector.

  3. Create a new instance of ExtensibleEntrySet passing the above Vector in the constructor.

Example 18-5 shows an example of a plug-in using a Web Service to retrieve a stock price based on a stock symbol. The plug-in is designed to implement the concept of a Custom Adapter, which is an adapter that has no functionality itself and is a placeholder where adapter-level plug-ins can be configured to implement its functions instead. In this stock service example, the plug-in would be configured against a custom adapter. The plug-in is then responsible for handling all events, which means that you would expect the stock service plug-in not to call the chain.getNext() method.

The get method of the plug-in adds a list of Entry objects (that is, stock prices entries) to a Vector and creates an ExtensibleEntrySet based on that Vector:

18.3.4.2 Custom EntrySet

While the use of ExtensibleEntrySet is the simplest means to create an EntrySet, it is not the most efficient because it requires that all results be compiled before processing is returned to the client. In this case, a call is made to the service for each term in the filter. A better way to process this request would be to create an EntrySet in such a way as to retrieve new entries as they are requested from the stock service, as in the LDAP Adapter operation.

When the LDAP Adapter EntrySet is asked for the next Entry, the system retrieves the next entry from the remote server one at a time—the way LDAP protocol is intended to work. This approach is more efficient as it allows the client to begin retrieving entries before all entries have been processed. This approach also allows the client to stop retrieval of entries and abort the query.

An implementation of com.octetstring.vde.EntrySet must be created for a plug-in to create an EntrySet that returns entries as they are requested. Each EntrySet must implement the following methods:

  • boolean hasMore()

    Returns true if there are more entries in this EntrySet. This method must be non-destructive.

  • Entry getNext()

    Returns the next entry in the EntrySet or null if there are no more entries.

  • void cancelEntrySet()

    This method is called when an EntrySet cannot be run to completion, allowing a custom EntrySet implementation to release any system resources it was holding.

Example 18-6 is the same plug-in implementation as Example 18-5, which creates an adapter out of a stock ticker Web Service. In Example 18-6, however, the get method only builds a list of symbols, which is passed to the custom EntrySet; the EntrySet, rather than the get method, is then responsible for creating each stock price Entry as it is requested:

Example 18-6 Example get Method That Passes to a Custom EntrySet

public void get(Chain chain, Credentials creds, DirectoryString base,
        Int8 scope, Filter filter, Bool typesonly, Vector attributes,
        Vector result) throws DirectoryException, ChainException {
    //A base search on the suffix itself returns the adapter's root entry
    if (scope.intValue() == SearchScope.BASEOBJECT && base.equals(this.suffix)) {
        Entry root = this.getSimpleEntry(this.suffix);
        Vector entries = new Vector();
        entries.add(root);
        result.add(new ExtensibleEntrySet(entries));
        return;
    }

    //This adapter only supports searches based on an equality match
    //or an or'ing of equality matches
    if (filter.getSelector() != Filter.EQUALITYMATCH_SELECTED &&
        filter.getSelector() != Filter.OR_SELECTED) {
        throw new DirectoryException("Only equality match or an or'ing" +
                                     " of equality matches are allowed");
    }

    String rdn = "uid";
    ArrayList symbols = new ArrayList();
    //If the filter is an OR filter, we can iterate over every quote
    if (filter.getSelector() == Filter.OR_SELECTED) {
        Iterator it = filter.getOr().iterator();
        while (it.hasNext()) {
            //Each child of the OR must itself be an equality match
            Filter term = (Filter) it.next();
            if (term.getSelector() != Filter.EQUALITYMATCH_SELECTED) {
                throw new DirectoryException("Only equality match or an or'ing" +
                                             " of equality matches are allowed");
            }
            //Extract the symbol from the child filter
            String symbol = new String(term.getEqualityMatch().
                    getAssertionValue().toByteArray());

            //The attribute being checked in the equality search
            //doesn't really matter, but we need an RDN for each entry
            rdn = new String(term.getEqualityMatch().
                    getAttributeDesc().toByteArray());
            symbols.add(symbol);
        }
    } else {
        //single quote
        //Extract the symbol from the filter
        String symbol = new String(filter.getEqualityMatch().
                getAssertionValue().toByteArray());

        //The attribute being checked in the equality search doesn't
        //really matter, but we need an RDN for each entry
        rdn = new String(filter.getEqualityMatch().
                getAttributeDesc().toByteArray());
        symbols.add(symbol);
    }

    //Hand the symbols to the custom EntrySet, which looks each quote up
    //only when the corresponding entry is requested
    result.add(new StockEntrySet(symbols.iterator(), rdn, this.base));
}

In Example 18-6, a list of stock symbols is created by iterating over the terms of the OR in the search filter. The compiled list is passed to the custom EntrySet implementation shown in Example 18-7:

Example 18-7 Example of Data Passed to Custom EntrySet

import java.rmi.RemoteException;
import java.util.Iterator;
import java.util.Vector;
import javax.xml.rpc.ServiceException;
// Oracle Virtual Directory classes (Entry, EntrySet, DirectoryString, DirectoryException)
import com.octetstring.vde.*;
import com.octetstring.vde.syntax.*;
import com.octetstring.vde.util.*;

public class StockEntrySet implements EntrySet {

    Iterator quotes;   // symbols still to be looked up
    String rdn;        // attribute used as the RDN of each returned entry
    String base;       // DN under which the entries are created

    public StockEntrySet(Iterator quotes, String rdn, String base) {
        this.rdn = rdn;
        this.quotes = quotes;
        this.base = base;
    }

    public Entry getNext() throws DirectoryException {
        if (!quotes.hasNext()) {
            return null;
        }
        Entry entry = this.getStockEntry((String) quotes.next());
        if (entry == null) {
            // the symbol had no quote: move on to the next candidate rather
            // than returning null, which would end the result set early
            if (this.hasMore()) {
                return this.getNext();
            } else {
                return null;
            }
        } else {
            return entry;
        }
    }

    public boolean hasMore() {
        return quotes.hasNext();
    }

    /**
     * Returns an entry for a stock quote
     * @param symbol The stock symbol to look up
     * @return An entry for the stock quote, or null for none.
     * @throws DirectoryException
     */
    public Entry getStockEntry(String symbol) throws DirectoryException {
        //Create a new entry with the symbol as the RDN
        Entry entry = new Entry(new DirectoryString(rdn + "=" + symbol + "," +
                                this.base));

        //This uses an Apache Axis generated client stub
        NetXmethodsServicesStockquoteStockQuoteService service = new
            NetXmethodsServicesStockquoteStockQuoteServiceLocator();
        try {
            NetXmethodsServicesStockquoteStockQuotePortType quoteService =
                service.getNetXmethodsServicesStockquoteStockQuotePort();
            double value = quoteService.getQuote(symbol);
            if (value == -1) {
                return null;
            }

            //Create the attributes for the entry
            Vector vals = new Vector();
            vals.add(new DirectoryString(symbol));
            entry.put(new DirectoryString(rdn), vals);

            vals = new Vector();
            vals.add(new DirectoryString("top"));
            vals.add(new DirectoryString("stockForOrganization"));
            entry.put(new DirectoryString("objectClass"), vals);

            vals = new Vector();
            vals.add(new DirectoryString(Double.toString(value)));
            entry.put(new DirectoryString("quote"), vals);

            return entry;

        } catch (ServiceException e) {
            throw new DirectoryException("Could not load web service : " +
                                         e.getMessage());
        } catch (RemoteException e) {
            throw new DirectoryException("Could not load web service : " +
                                         e.getMessage());
        }
    }

    public void cancelEntrySet() {
        // nothing to do: no connection or cursor is held between calls
    }
}

The EntrySet implementation in Example 18-7 uses a java.util.Iterator to track which symbol is currently being processed. The StockEntrySet class does not call out to the Web Service to create entry results until an Entry is requested by Oracle Virtual Directory on behalf of the client.

Because the plug-in supports searching one or more stocks, it is possible that not all searches return valid results. Consider that if getNext returns a NULL result to Oracle Virtual Directory before the list of stocks is exhausted, Oracle Virtual Directory prematurely assumes the results are exhausted. To handle this situation, an extra block of code is added to getNext after the call to getStockEntry. If getStockEntry returns a NULL and the iteration through the requested stocks has not finished, getNext calls itself to process the next candidate. This recursion continues until at least one valid result is returned or all queries are exhausted.

18.3.5 Understanding Filter Processing

LDAP filter processing can be complicated. In the context of an Oracle Virtual Directory plug-in, there are two points at which it may be useful to parse a filter: pre-process or post-process. Each approach has its own advantages and disadvantages, and the two are not mutually exclusive.

Post-Process Filtering

In post-process filtering, the com.octetstring.vde.util.FilterUtils.evalFilter(Entry e, Filter f) method is used to see if an entry being returned as a result matches a required filter. This is the simplest way to handle filters and is useful when you are dealing with a small predefined data set that can remain in memory as a collection of Entry objects. This method is not generally the best solution when a filter must be translated into another format, for example, into a SQL WHERE clause or a special object model for an external API.

Pre-Process Filtering

Pre-processing filters are used to parse a filter and either apply it to a modified search or transform it into another format that the target of the search can understand. Think of pre-processing as converting an LDAP filter to an SQL WHERE clause; to do so, you must traverse the filter object. For example, consider the conversion of the following LDAP filter to an SQL WHERE clause:

(&(|(user=jsmith)(user=lswanson)(user=ccarson))(dept=payroll)) 

The preceding LDAP filter states "all records where the user is jsmith, lswanson or ccarson and whose department is payroll". Figure 18-1 shows a visual representation of this LDAP filter:

To translate the filter shown in Figure 18-1 into an SQL WHERE clause, you use a recursive function that traverses the tree. The example filter is represented in Oracle Virtual Directory as a hierarchy of Filter objects, which contain collections of other Filter objects to create a traversable tree. The filter shown in Figure 18-1 will have the object model shown in Figure 18-2, where the name of the class used to represent the filter element is below the operation or operand:

To traverse the tree shown in Figure 18-2, a recursive method is used that queries the getSelector() method of the filter to determine what type of filter it is. After the type of the filter is determined, its value is extracted with the accessor for that type. For example, if the filter is an equality filter, such as user=jsmith, the value of the filter object comes from currentFilter.getEqualityMatch(). In this case the return value is an AttributeValueAssertion, which stores the attribute name and value. Once retrieved, the values can be converted into String objects. Filter_and and Filter_or objects return java.util.Iterator classes for iterating through the child filters that are being operated on.

LDAP filters do not limit you to two terms per relation. The OR portion has three operands. Since SQL only allows two operands per operation, the tree in Figure 18-2 must be converted to a binary tree.

In Figure 18-3, the OR operation is broken up into two separate OR operations. The final WHERE clause from the filter is ((user=jsmith) OR ((user=lswanson) OR (user=ccarson))) AND (dept=payroll). The LDAP prefix notation has been transformed into a SQL like infix notation with only two operands per operation. Example 18-8 shows the source code for the transformation:

Example 18-8 Example Source Code for Transforming an LDAP Prefix Notation to SQL Notation

import com.octetstring.vde.util.*;
import com.octetstring.ldapv3.*;
import java.nio.charset.StandardCharsets;
import java.util.*;

public class ConvertFilter {
    public static void main(String[] args) throws Exception {
        String ldapFilter = "(&(|(user=jsmith)(user=lswanson)" +
                            "(user=ccarson))(dept=payroll))";

        System.out.println("Ldap Filter : " + ldapFilter);
        System.out.println("SQL WHERE : " +
            filterToSQL(ParseFilter.parse(ldapFilter)));
    }

    /**
     * Converts an LDAP filter to an SQL WHERE clause.
     * Attribute names and assertion values are copied into the clause
     * verbatim, so the result must not be executed as-is against a database
     * that untrusted clients can reach: pass the values as bind parameters
     * (or escape them) before use.
     * @param currentFilter The filter being converted
     */
    public static String filterToSQL(Filter currentFilter) {
        String[] filterVal;
        String infix = "";
        switch (currentFilter.getSelector()) {
            case Filter.EQUALITYMATCH_SELECTED :  // (attrib=val)
                filterVal = getString(currentFilter.getEqualityMatch());
                return filterVal[0] + "=" + filterVal[1];

            case Filter.PRESENT_SELECTED : // (attrib=*)
                return new String(currentFilter.getPresent().toByteArray(),
                                  StandardCharsets.UTF_8) + "=*";

            case Filter.GREATEROREQUAL_SELECTED : // (attrib>=val)
                filterVal = getString(currentFilter.getGreaterOrEqual());
                return filterVal[0] + ">=" + filterVal[1];

            case Filter.LESSOREQUAL_SELECTED :  // (attrib<=val)
                filterVal = getString(currentFilter.getLessOrEqual());
                return filterVal[0] + "<=" + filterVal[1];

            case Filter.SUBSTRINGS_SELECTED : // (attrib=val*ue)
                // A substrings filter holds initial/any/final components rather
                // than a single AttributeValueAssertion, so it cannot be read
                // with the accessors used above; it is not converted here.
                return ""; //not supported

            case Filter.AND_SELECTED : // (&(attrib=val)(attrib2=val2))
                Filter_and andFilter = currentFilter.getAnd();
                infix = "";
                for (Iterator andEnum = andFilter.iterator();
                        andEnum.hasNext();) {
                    Filter aFilter = (Filter) andEnum.next();
                    infix += "(" + filterToSQL(aFilter) + ") AND ";
                }
                // drop the trailing "AND "
                infix = infix.substring(0, infix.lastIndexOf("AND")) + " ";
                return infix;

            case Filter.OR_SELECTED : // (|(attrib=val)(attrib2=val2))
                Filter_or orFilter = currentFilter.getOr();
                infix = "";
                for (Iterator orEnum = orFilter.iterator();
                        orEnum.hasNext();) {
                    Filter aFilter = (Filter) orEnum.next();
                    infix += " ( " + filterToSQL(aFilter) + " ) OR ";
                }
                // drop the trailing "OR "
                infix = infix.substring(0, infix.lastIndexOf("OR")) + " ";
                return infix;

            case Filter.NOT_SELECTED : // (!(&(attrib=val)(attrib2=val2)))
                return " NOT (" + filterToSQL(currentFilter.getNot()) +
                       ") ";

            case Filter.APPROXMATCH_SELECTED : // (attrib~=val)
                filterVal = getString(currentFilter.getApproxMatch());
                return filterVal[0] + " LIKE " + filterVal[1];

            case Filter.EXTENSIBLEMATCH_SELECTED : //not standard
                return ""; //not supported
        }

        //will never reach
        return "";
    }

    /**
     * Converts an AttributeValueAssertion to a two element array with the
     * first being the attribute name and the second being the value
     */
    public static String[] getString(AttributeValueAssertion ava) {
        String matchAttr = new String(ava.getAttributeDesc().toByteArray(),
                                      StandardCharsets.UTF_8);
        String matchVal = new String(ava.getAssertionValue().toByteArray(),
                                     StandardCharsets.UTF_8);

        return new String[] {matchAttr, matchVal};
    }
}
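The same conversion in Python, as an added example that is not part of the Oracle documentation: a parser for the filter syntax used above (RFC 4515 style, including \XX value escapes), the fold of an n-ary AND/OR into nested binary operations as in Figure 18-3, and, unlike Example 18-8, assertion values returned as bind parameters instead of being concatenated into the clause, with attribute names validated before they are quoted as identifiers. The function and class names, the extra sample filters and the (user, dept) rows are all constructed here; select_users runs the clause against an in-memory SQLite table.

```python
import re
import sqlite3
from dataclasses import dataclass, field
from typing import List, Tuple

ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")      # identifiers cannot be bound, so validate them
COMPARATORS = {"=": "=", ">=": ">=", "<=": "<=", "~=": "LIKE"}  # ~= as LIKE, as in Example 18-8

@dataclass
class Node:
    op: str                 # and | or | not | present | substr | = | >= | <= | ~=
    attr: str = ""
    value: str = ""         # decoded assertion value, or the LIKE pattern for substr
    children: List["Node"] = field(default_factory=list)

def _unescape(raw: str) -> str:
    """Decode RFC 4515 \\XX escapes, e.g. \\2a -> '*' and \\29 -> ')'."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), raw)

def _like_pattern(raw: str) -> str:
    # substring assertion -> LIKE pattern; literal \, % and _ in the pieces are escaped
    esc = lambda p: _unescape(p).replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return "%".join(esc(p) for p in raw.split("*"))

def parse_filter(text: str) -> Node:
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}")
    return node

def _parse(s: str, i: int) -> Tuple[Node, int]:
    if i + 1 >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":                                   # n-ary AND / OR
        op, i, children = ("and" if s[i] == "&" else "or"), i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children:
            raise ValueError("empty AND/OR")
        node = Node(op, children=children)
    elif s[i] == "!":
        child, i = _parse(s, i + 1)
        node = Node("not", children=[child])
    else:                                              # simple item: attr OP value
        end = s.index(")", i)                          # a ')' inside a value is written \29
        item, i = s[i:end], end
        for sym in (">=", "<=", "~=", "="):            # two-character operators first
            if sym in item:
                attr, raw = item.split(sym, 1)
                break
        else:
            raise ValueError(f"no comparison operator in {item!r}")
        if not ATTR_RE.match(attr):
            raise ValueError(f"rejected attribute name {attr!r}")
        if sym == "=" and raw == "*":
            node = Node("present", attr=attr)
        elif sym == "=" and "*" in raw:
            node = Node("substr", attr=attr, value=_like_pattern(raw))
        else:
            node = Node(sym, attr=attr, value=_unescape(raw))
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def to_sql(node: Node) -> Tuple[str, List[str]]:
    """Return (where_clause, parameters); assertion values never enter the SQL text."""
    params: List[str] = []
    return _emit(node, params, top=True), params

def _emit(n: Node, params: List[str], top: bool = False) -> str:
    if n.op in ("and", "or"):
        word, parts = n.op.upper(), [_emit(c, params) for c in n.children]
        expr = parts[-1]                               # fold n operands into nested binary ops
        for idx, left in enumerate(reversed(parts[:-1])):
            expr = f"{left} {word} {expr}"
            if not (top and idx == len(parts) - 2):   # only the outermost step stays unwrapped
                expr = f"({expr})"
        return expr
    if n.op == "not":
        return f"NOT {_emit(n.children[0], params)}"
    ident = f'"{n.attr}"'                              # validated by ATTR_RE, safe to quote
    if n.op == "present":
        return f"({ident} IS NOT NULL)"
    params.append(n.value)
    return f"({ident} LIKE ? ESCAPE '\\')" if n.op == "substr" else f"({ident} {COMPARATORS[n.op]} ?)"

def select_users(filter_text: str, rows: List[Tuple[str, str]]) -> List[str]:
    """Evaluate a filter against an in-memory SQLite table of (user, dept) rows."""
    where, params = to_sql(parse_filter(filter_text))
    con = sqlite3.connect(":memory:")
    con.execute('CREATE TABLE people ("user" TEXT, "dept" TEXT)')
    con.executemany("INSERT INTO people VALUES (?, ?)", rows)
    sql = f'SELECT "user" FROM people WHERE {where} ORDER BY "user"'
    return [r[0] for r in con.execute(sql, params)]

PAGE_FILTER = "(&(|(user=jsmith)(user=lswanson)(user=ccarson))(dept=payroll))"
PEOPLE = [("jsmith", "payroll"), ("lswanson", "payroll"), ("ccarson", "sales"), ("dlee", "payroll")]  # constructed
```

A value such as `jsmith' OR 1=1 --` in an equality item becomes a single bind parameter and matches nothing, where Example 18-8 would have spliced it into the clause text.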

18.3.6 Understanding Classes

The sections in this topic provide a high-level introduction to the Oracle Virtual Directory classes that are available. Refer to the Oracle Fusion Middleware Java API Reference for Oracle Virtual Directory Javadoc for complete information on Oracle Virtual Directory classes. This topic contains the following sections:

18.3.6.3 Adapter Service Interface

The Adapter Service Interface (ASI) provides methods to make LDAP-like calls into the Oracle Virtual Directory at the router level or directly to a specific adapter. The Oracle Virtual Directory Join View Adapter and its Joiners use ASI to communicate with adapters that are being searched and joined. The ASI interface is useful when you want to obtain information from an internal adapter, such as when configured to provide look-up information for a plug-in class.

ASI is retrieved through the VSI by calling chain.getVSI().getASI(). With this handle, the add, bind, delete, get, getByDN, modify, and rename methods can be called. Each method has two variations: one that provides a parameter for an adapter name, and another without. Use the method with adapter names to select specific adapters or use the other, nameless method to let the router select the appropriate adapters for you based on routing logic and routing configuration.


Warning:

With the ASI, it is possible for a plug-in to be caught in an infinite loop if it calls into a context above the current plug-in. Doing this can cause the plug-in code to be called repeatedly, with unanticipated results. Unless you intend this to happen, be careful of scenarios where plug-ins call up the stack where looping might occur. In general, unless you must call a specific adapter, it is always safest to use VSI.

Oracle Virtual Directory provides no loop detection mechanisms. If you find that Oracle Virtual Directory has crashed with a custom plug-in due to a stack overflow or memory exhaustion, this is the most likely cause.


VSI, GSI and ASI all share a common interface, with certain interfaces providing extra functionality. For more information, refer to the Oracle Fusion Middleware Java API Reference for Oracle Virtual Directory.

The following list describes the supported ASI methods:

  • add()

    Performs an LDAP add operation. Two versions of this method allow either the Oracle Virtual Directory Router to select the target adapter or a specific adapter to be selected.

  • bind()

    Performs an LDAP bind operation, either letting the Oracle Virtual Directory Router choose the adapter or applying to a specific adapter.

  • delete()

    Performs an LDAP delete operation either letting the Oracle Virtual Directory Router choose the adapter or applying to a specific adapter.

  • get()

    Performs an LDAP get operation letting the Oracle Virtual Directory Router choose eligible adapters. The get method returns a java.util.Vector of EntrySet values. An EntrySet is included for each adapter that was queried.

  • getByDN()

    A convenience method that performs an LDAP base search using a specific DN. The caller may choose to specify a specific adapter or may let the Oracle Virtual Directory Router choose.

  • modify()

    Performs an LDAP modify operation. The caller may specify a specific adapter or may elect to have the Router choose automatically.

  • rename()

    Performs an LDAP rename operation. The caller may specify specific from and to adapters or may elect to have the Router choose automatically.

18.3.6.4 Joiner

The Oracle Virtual Directory Join View Adapter uses Joiners to join entries from a specific adapter and to merge them with entries from a primary adapter. A Joiner is an abstract class that defines the basic operations and methods required to implement a new Joiner. Joiners are called by the Join View Adapter whenever operations must be performed against a joined entry. Joiners define pre-action operations to allow manipulation of data before any LDAP operation. Joiners also define mapOperationTargetByEntry methods that allow it to select a target entry in the target joined adapter depending on the operation being called.

A Joiner is instantiated with a primary adapter and a target adapter. The Join View Adapter always works in the context of the primary adapter and calls Joiner methods when mapping and when manipulations must be performed on a target joined adapter.

The get operation of the Join View Adapter builds a JoinEntrySet based solely on results from the primary adapter. As the Oracle Virtual Directory client subsequently polls for results from the Oracle Virtual Directory, the JoinEntrySet class calls the joiner JoinByEntry method to make a call to the joined adapter and merge the entry results. If you configure multiple join relationships, the entry set processing loops through all of the joins until the entry is fully joined based on all defined relationships.

The Joiner constructor method is called when the Joiner is instantiated by the Join View Adapter. This does not happen until the first LDAP operation is processed by the Join View Adapter (a form of lazy construction). The constructor is passed the configuration parameters for the joiner from the configuration file along with the associated target adapter name.

The createJoinFilter method is usually a local method called by the JoinByEntry method to create a search filter for a subsequent call to the AdapterServiceInterface.

18.3.6.6 Data Classes

Oracle Virtual Directory supports the following utility classes:

  • Attribute

    Attribute is a basic object used with the Entry class. An attribute defines a type (as in the attribute name) and contains its values. Methods are also provided for cloning and equivalence testing.

  • Credentials

    A basic object holding the credentials of a session. The IP address, binddn, and password if needed, are in this object. Normally, for most operations relating to the AdapterServiceInterface, only binddn is relevant.

  • Entry

    This object is used to hold an LDAP entry and it is used to contain partial entries such as with an LDAP modify request. The FilterTool utilities often work with these objects to test filters.

  • EntryChange

    This object contains an LDAP modify item. When handling modification requests, usually a Vector of EntryChange objects is passed to the AdapterServiceInterface. Each EntryChange contains a single modification to a single entry.

  • EntrySet

    An EntrySet contains a set of query results from an adapter. When a method first receives an EntrySet, the entire result set may not be in memory. Unique Entry objects are returned from an EntrySet by calling its getNext method. Each time getNext is called, the relevant adapter or plug-in class code is called to retrieve the next Entry if there is one. To test the availability of another entry, use the hasMore() method.


    Tip:

    Unless you intend to process an entire result set, you should avoid calling getNext() directly. It is always better to let the LDAP client do this. For an Oracle Virtual Directory plug-in class, a special method, postSearchEntry(), is provided that gives the ability to modify each entry as it is returned to the client. Needlessly calling getNext() can cause excessive memory use and performance loss because Oracle Virtual Directory is required to load an entire result set at once, rather than process entries as they arrive from the adapters.

  • Filter

    The Filter object is a representation of a standard LDAP filter. This object provides useful methods for setting, testing, and comparing LDAP filters. The Filter object may contain a hierarchy of other filter objects (for example, Filter_and, Filter_or).

  • LDAPURL

    This class provides methods to parse a standard LDAPURL or to create one.

18.4 Connecting Web Service Clients to Oracle Virtual Directory

When Oracle Virtual Directory was first released, LDAP was the dominant protocol for accessing identity profile information. While LDAP is still the dominant protocol for authentication and authorization, new applications are often built by using Web services based on SOAP or REST standards. Oracle Virtual Directory provides mechanisms to meet these requirements by default.

REST-based clients (in simple terms, client applications that send an HTTP POST and get back data) are handled by the Oracle Virtual Directory Web Gateway (see Appendix C, "HTTP Listener's Web Gateway Service").

As an alternative, you can use Oracle Virtual Directory's DSMLv2 service, which is Oracle's implementation of the DSMLv2 standard. DSML was initially created to provide an XML representation of LDAP data (basically an alternative to ASCII-based LDIF). DSMLv2 added a SOAP-based Web service.

This SOAP-based Web service is available in Oracle Virtual Directory if you enable the DSMLv2 service in an HTTP listener. The URL is

http://ovdserver:httpport/services/dsmlv2/service

Unfortunately, while DSML is a standard defined by the OASIS standards body and is a SOAP-based service, an official WSDL file was never produced. A WSDL file is a document used in SOAP-based Web services to describe those services to client applications so that the applications know what methods to call.

However, a third party has developed a WSDL file, which is available at

http://www.users.globalnet.co.uk/~jonbek/EASBlogLinks/dsmlQuery_v3.wsdl

About Authentication

Oracle Virtual Directory's DSMLv2 service honors all of the Oracle Virtual Directory security semantics such as ACL, routing rules, etc.

Applications authenticate to the DSMLv2 service using HTTP Basic authentication. HTTP Basic authentication does not use the .htaccess files used by the Oracle Virtual Directory Web Gateway.

To send credentials to the DSMLv2 service, the SOAP client should send an HTTP Authorization header containing the following values:

base64-encoded-dn:base64-encoded-password

For example, assuming the user is cn=orcladmin and password is welcome1, the credentials would look like this:

Y249b3JjbGFkbWlu:d2VsY29tZTE=

This string also must be base64-encoded, so the complete header would look like this:

Authorization: Basic WTI0OWIzSmpiR0ZrYldsdTpkMlZzWTI5dFpURT0=

As long as you provide a valid DN or credentials, Oracle Virtual Directory security is used as if you were accessing Oracle Virtual Directory through an LDAP client.
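The encoding described above, as an added Python example that is not from the Oracle documentation: a builder and a parser for the double-encoded Basic credential, with the cn=orcladmin / welcome1 pair from the text as the sample input. The function names are constructed here.

```python
import base64
from typing import Tuple

def dsml_authorization_header(bind_dn: str, password: str) -> str:
    """Build the Authorization header value for the OVD DSMLv2 service.

    The decoded Basic credential is not the usual 'user:password' but
    'base64(dn):base64(password)', so the outer base64 is applied to a string
    that is itself made of two base64 tokens. Because the base64 alphabet
    never contains ':', the separator stays unambiguous even when the DN or
    the password contains ':' itself.
    """
    inner = (base64.b64encode(bind_dn.encode("utf-8")).decode("ascii") + ":" +
             base64.b64encode(password.encode("utf-8")).decode("ascii"))
    return "Basic " + base64.b64encode(inner.encode("ascii")).decode("ascii")

def parse_dsml_authorization_header(value: str) -> Tuple[str, str]:
    """Recover (bind_dn, password) from a header value; malformed input raises ValueError."""
    scheme, _, token = value.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("expected a Basic credential")
    try:
        # validate=True rejects characters outside the base64 alphabet, so a
        # client that sent only the inner 'dn64:pw64' form is detected here
        inner = base64.b64decode(token, validate=True).decode("ascii")
        dn_b64, sep, pw_b64 = inner.partition(":")
        if not sep:
            raise ValueError("missing ':' between DN and password tokens")
        return (base64.b64decode(dn_b64, validate=True).decode("utf-8"),
                base64.b64decode(pw_b64, validate=True).decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:   # binascii.Error is a ValueError
        raise ValueError(f"malformed DSMLv2 credential: {exc}") from None
```

Both layers are plain base64, not encryption, so the header is only as protected as the transport it travels over: send it to an SSL-enabled HTTP listener.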


1 Understanding Oracle Virtual Directory

This chapter introduces you to Oracle Virtual Directory, its services and architecture, and includes the following topics:

1.1 What is Oracle Virtual Directory?

This topic provides an introduction to Oracle Virtual Directory and contains the following sections:

1.1.1 Overview

Welcome to Oracle Virtual Directory, an LDAP version 3 enabled service that provides virtualized abstraction of one or more enterprise data sources into a single directory view. Oracle Virtual Directory provides the ability to integrate LDAP-aware applications into diverse directory environments while minimizing or eliminating the need to change either the infrastructure or the applications. Oracle Virtual Directory supports a diverse set of clients, such as Web Applications and portals, and it can connect to directories, databases, and Web Services as shown in Figure 1-1.

Figure 1-2 shows an example of an enterprise application used by all employees in a company. The application accesses directory information from three different sources and each contains a separate population of users, which is typical for many organizations due to corporate structure. For example, the Active Directory repositories contain only internal employee users, the single enterprise directory contains users from a different corporate division or business partner, and another set of users, such as external contractors, is contained in a relational database. As shown in the figure, Oracle Virtual Directory can be deployed to bring together the identity information from all three sources.

Oracle Virtual Directory hides the complexity of data location, format, and protocol from client applications, similar to a TCP/IP Internet network design based on switches and routers. Switches and routers handle the details of how to establish connections and protocols between different addresses on the network. Oracle Virtual Directory makes many directories appear to be one local repository in much the same way that routers make the entire world appear to be on your local network.

1.1.2 Features

The following is a list of some of Oracle Virtual Directory's key features:

Product Features

  • LDAPv2/v3 support

  • DSMLv2/SOAP support

  • HTTP/XSLT Gateway support

  • Low-cost configuration and maintenance

  • Globalization features such as multi-byte character support and localized language translations

  • Encryption and Strong Authentication with TLSv1 and SSLv3 support

  • Can be deployed to function as a directory Proxy and Firewall

  • Extremely small memory and hardware requirements

  • Available on any platform where Java is supported

  • Configurable Fail-Over and Intelligent Load-Balancing at the LDAP operation level

  • Granular Access Controls based on IETF's Access Control Implementation Internet Draft

  • Support for access to JNDI compliant directories and JDBC compliant databases

  • Dynamic mapping of information and schema in multiple directories

  • Intelligent Routing of LDAP Queries

  • Denial of Service protection

  • Overlapped namespace handling

  • Multiple types of adapters for various deployments

  • Extensible meta directory-like dynamic join features

  • Local schema support

  • Authentication of clients from joined directory, for example, from Active Directory

  • Granular plug-in systems to support custom extensions

  • Ability to compartmentalize information using dynamic views

  • Native support for web services at both integration and data access layers

Business Features and Benefits

  • Reduce implementation and administrative costs

  • Maximize and extend your existing infrastructure investments

  • Place all of your identity information under centralized management

  • Improve security and compliance

  • Unify multiple directories without synchronization

  • Provide LDAP interface to non-directory data

  • Combine data from multiple data-stores to create virtual entries

  • Provide application specific views of directory information

  • Expose Web Services as LDAP

1.1.3 Functionality

Oracle Virtual Directory answers the challenge of addressing today's enterprise directory needs by delivering the following:

Data Federation and Translation

Oracle Virtual Directory enables directory services access that crosses political and corporate boundaries by acting as a directory gateway that processes client requests and dynamically re-routes them to one or more existing directories—regardless of format, be it LDAP, RDBMS, or others. Oracle Virtual Directory presents a virtual directory hierarchy, or tree, to its clients and then assigns hierarchy branches of that tree to designated LDAP or RDBMS servers. Oracle Virtual Directory handles the issues of inter-directory security, protocol, and data translation so that LDAP clients assume that all information comes from a single trusted LDAP directory, the Oracle Virtual Directory.

Data Ownership

One of the least obvious—but most important—benefits of virtualization is data ownership. Organizations often create directories with specific purposes and objectives in mind. When another organization wants to access data owned by the first organization, questions arise about who ultimately owns the data and who controls it. Politics can occur when different parties want to use and share information. Everyone acknowledges the value in re-using existing data, but re-using data brings up many care and control issues. Many organizations become very concerned when copies of the data they feel they own go to other organizations or outside parties. Questions such as the following are sure to arise:

  • Who is responsible for the data?

  • Who will ensure its accuracy?

  • Who will ensure its security and confidentiality?

  • If the information is copied, how does the owning organization assure itself that the information is being used and controlled by the other party?

Virtualization through proxy technology solves many of these political problems by keeping data where it belongs—with the data's owner. At any time, the owner can restrict or eliminate access to this data. Additionally, the owner is free to revise this information at will and can be assured that partners are always working with the latest relevant information. Most importantly, by keeping information with the owner, the use of that information can be continuously monitored and controlled by the owner.

Oracle Virtual Directory provides this type of data ownership by not copying information. Information accessed by Oracle Virtual Directory occurs in real time, assuring the consumer and provider that the information is current, accurate, and authorized.

Flexible Security Domains

Oracle Virtual Directory enhances security by providing new security domain contexts. When deploying new business applications across multiple business organizations, identity and security can be complicated by the existence of multiple directory security infrastructures. As Microsoft Active Directory administrators know, having multiple Windows infrastructures (sometimes called forests) is great for administration and performance, but has a downside in that there is no automatic trust between forests and no inter-forest global catalogue.

Oracle Virtual Directory creates a new transitive security context with fine-grained access controls built to support all IETF standards for access control, while supporting the IETF models for implementation. Oracle Virtual Directory is also designed to properly integrate with security restrictions from the source directories it proxies, resulting in a multi-layer or multi-domain security concept that gives administrators the ultimate security control.

Oracle Virtual Directory supports a wide array of authentication models. In addition to SSL/TLS (including StartTLS) and certificate-based authentication, Oracle Virtual Directory can use server-to-server authentication with proxied servers (authenticating itself), or alternatively can pass user context through to source directories. By providing user-context at the Oracle Virtual Directory and source directory, both directories can provide end-user contextual security control.

Secure Data Publication

Oracle Virtual Directory offers several data security features, for example:

  • SSL/TLS support: Oracle Virtual Directory offers SSL/TLS capabilities that provide for secure communication sessions with LDAP clients. This provides greater security by making Oracle Virtual Directory the trusted transport mechanism.

  • Transaction Cleansing: Oracle Virtual Directory is based on a protocol conversion engine, which means that it deconstructs every query, recompiling and assessing validity before transmission to trusted proxied directory sources. This protects source LDAP servers from malformed or unauthorized queries. After discarding malformed requests, Oracle Virtual Directory can protect limited resources from exposure to huge loads from malicious attacks by providing the ability to set limits on items such as:

    • Maximum operations per connection

    • Maximum concurrent connections

    • Maximum total connections in a specified period for a particular subject

    • Maximum total connections in a specified period for a particular address

  • Access Control: Oracle Virtual Directory implements its own access controls and provides filtered access to internal proxied directory data.

Application to Directory Integration

A directory is only useful if the applications it serves can gain access to the data they need in a form that has consistent formats or schema. But the typical enterprise environment contains a myriad of directory repositories with different schema, namespace, and data designs.

In addition to providing a secure bridge to existing directory information, Oracle Virtual Directory provides functionality like a meta-directory to translate and transform data in real time, enabling administrators to easily normalize differences in data found between different organizations and directory infrastructures. The resulting virtualized directory view contains all the directory information needed to run an application, without requiring you to build drastic changes or integration technology into the application.

Flexible Deployment Options

Oracle Virtual Directory provides flexible deployment options that allow it to be embedded with commercial-off-the-shelf applications by developers and business application developers. Additionally, Oracle Virtual Directory can be deployed by a corporate IT department as a shared directory service distribution network.

High Availability Support

Oracle Virtual Directory offers multiple high availability capabilities, including:

  • Fault Tolerance and Fail-Over: Oracle Virtual Directories provide fault tolerance in two forms:

    • they can be configured in fault tolerant configurations

    • they can manage flow to fault tolerant proxied sources

    Multiple Oracle Virtual Directories can be quickly deployed simply by copying, or even sharing configuration files. When combined with round-robin DNS, redirector, or cluster technology, Oracle Virtual Directory provides a complete fault-tolerant solution.

    For each proxied directory source, Oracle Virtual Directory can be configured to access multiple hosts (replicas) for any particular source. It intelligently fails over between hosts and spreads the load between them. Flexible configuration options allow administrators to control percentages of a load to be directed toward specific replica nodes and to indicate whether a particular host is a read-only replica or a read/write server (master). This avoids unnecessary referrals resulting from attempts to write to a read-only replica.

  • Load-Balancing: Oracle Virtual Directory was designed with powerful load balancing features that allow it to spread load and manage failures between its proxied LDAP directory sources.

    Oracle Virtual Directory's virtual directory tree capability allows large sets of directory information to be broken up into multiple distinct directory servers. Oracle Virtual Directory recombines the separated data sets back into one virtual tree by combining the separate directory tree branches.

    If you have multiple LDAP servers for a particular source, the Oracle Virtual Directory LDAP Adapter can load-balance and fail-over for these servers on its own. This load-balancing and fail-over happens transparently to the client and does not require any additional hardware or changes to the client connecting to Oracle Virtual Directory.

    The Database adapter supports load-balancing and fail-over if the underlying JDBC driver provides this functionality. Additionally, Oracle Virtual Directory is certified for use with Oracle Real Application Clusters.

    Oracle Virtual Directory Routing also provides load-balancing capabilities. Routing allows search filters to be included in addition to the search base to determine optimized search targets. In this load-balancing approach, Oracle Virtual Directory automatically routes queries to the appropriate virtualized directory sources enabling the ability to work with many millions of directory entries.


Note:

Oracle Virtual Directory's value is as a virtualization and proxy service, not as a directory store. If you need a highly available directory storage system, Oracle recommends using Oracle Internet Directory.

Custom Application Programming Interfaces

Oracle Virtual Directory provides the following three main areas of extensibility, allowing customers and consultants to enhance the functionality of Oracle Virtual Directory to meet specific business or technical integration needs:

  • Oracle Virtual Directory Plug-ins: Oracle Virtual Directory provides a flexible plug-in framework modeled on Java Servlet Filters. You can use plug-ins to provide custom logic as part of a transaction or simply to connect to a custom data source. You can insert plug-ins globally or only for specific adapters. You can change the ordering of plug-ins and they can be isolated to particular types of transactions. Oracle Virtual Directory's management tools provide wizards for creating new plug-ins along with examples that you can use to get started quickly.

  • Custom Joiners: The Oracle Virtual Directory Join View Adapter is based on an extensible model known as Joiners. You can develop Custom Joiners to provide different joiner behaviors. Joiners provide functions such as mapping, joining, and pre- and post-handler event handling. You can write Custom Joiners to provide simple entry level joins, or extended Joiners to provide complex join logic, transaction handling, and rollback capability.

  • Web Gateway: Oracle Virtual Directory includes a customizable DSML/XSLT based gateway that provides basic web server support based on the Apache web server model that supports static HTML and XSLT rendered content. The gateway includes a directory-enabled interface allowing for queries and modification operations. Web server security enables custom delegated administration applications to be developed based on this interface.

Low-Cost, High-Value Solutions

Traditional directory integration solutions require complex LDAP provisioning and replication schemes and even synchronization to operate. These new directories then become yet another directory source that has to be maintained and managed.

As a light, real-time service, Oracle Virtual Directory improves efficiency by reusing existing directory infrastructure, rather than synchronizing and duplicating it. Oracle Virtual Directory extends the reach of existing enterprise directories and capitalizes on their value.

1.1.4 Architecture and Topology

The following sections describe the Oracle Virtual Directory architecture and topology.

Oracle Virtual Directory Architecture

The Oracle Virtual Directory server is written in Java and internally it is organized into multiple layers, as shown in Figure 1-3. These layers are logical layers—Oracle Virtual Directory appears as a single complete service to the administrator and to clients.

The first layer is Oracle Virtual Directory's listener layer where socket-level protocol is spoken. Oracle Virtual Directory provides two types of listeners: LDAP and HTTP. Both listeners support SSL/TLS on top of their basic protocols. The LDAP layer also provides the ability to support LDAP-SASL to support digital certificate authentication.

The listener hands off requests to a worker thread which handles further processing to determine which action to take, such as a search or update. Operations appear the same internally to Oracle Virtual Directory whether it is an LDAP or DSML request. After the operation is determined, the first level of security checks is performed, including making sure the request is not in violation of any Denial of Service policies or inbound Oracle Virtual Directory-level access controls.

If the request satisfies the in-bound security requirements, the next step is to invoke any global level mappings and plug-ins. Mappings and plug-ins have the ability to modify the operation, such as changing the name or value of attributes. After invoking configured global plug-ins, Oracle Virtual Directory determines which adapters can handle the request by processing the information provided in the operation.

The DN of the operation, that is, the search base in a search or the DN of the entry in all other LDAP operations like a bind or add, is the primary information used. Oracle Virtual Directory examines the DN and determines which adapters could potentially support an operation for that DN. This is possible because each adapter configuration indicates what LDAP namespace it is responsible for. If multiple adapters can support the incoming DN namespace, for example, a search whose base is the root of the directory namespace, such as dc=oracle,dc=com, then Oracle Virtual Directory performs the operation on each of the selected adapters eligible for handling that request. The order of precedence is configurable based on priority, attributes, or supported LDAP search filters.

After Oracle Virtual Directory chooses an adapter, the next step is to invoke any inbound adapter level plug-ins, which are like global plug-ins except that they operate only on the specific adapter. After any plug-ins are invoked, the adapter translates the Oracle Virtual Directory request into an operation that maps to its specific adapter level protocol. With the LDAP adapter, there is often very little translation, perhaps only to translate the incoming DN to a value that maps to its actual namespace. For example, the incoming search might be for ou=staff,dc=oracle,dc=com and this is mapped to ou=hr,o=oraclecorp. However, with other adapters, such as JDBC using the Database Adapter, the requests are translated into SQL calls, or for custom adapters, the requests are changed into methods that match their proprietary protocols, such as Web Service calls.
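To make the adapter-selection and DN-translation steps concrete, here is an added simulation (not Oracle Virtual Directory's own code) of the two decisions described above: which configured adapters are eligible for an operation's DN, ordered by priority, and how the LDAP Adapter rewrites a virtual DN into the proxied directory's namespace. The adapter names, priorities and the ou=contractors branch are constructed; the ou=staff to ou=hr mapping is the page's example. Scope and filter-based routing are left out.

```python
from dataclasses import dataclass
from typing import List, Optional


def rdn_list(dn: str) -> List[str]:
    """Split a DN into its RDNs, left (most specific) to right (root)."""
    return [part.strip() for part in dn.split(",") if part.strip()]


def is_at_or_below(dn: str, root: str) -> bool:
    """True when dn equals root or lies somewhere beneath it (case-insensitive)."""
    d = [p.lower() for p in rdn_list(dn)]
    r = [p.lower() for p in rdn_list(root)]
    return len(d) >= len(r) and d[len(d) - len(r):] == r


@dataclass
class Adapter:
    name: str
    root: str                        # virtual namespace this adapter serves
    remote_root: Optional[str] = None  # namespace in the proxied directory (LDAP Adapter)
    priority: int = 50               # lower value wins when several adapters qualify


def eligible_adapters(base_dn: str, adapters: List[Adapter]) -> List[Adapter]:
    """Adapters that could answer an operation whose DN is base_dn.

    An adapter qualifies when the DN falls inside its namespace, or (for a
    search starting above it) when its whole namespace falls under the DN.
    """
    chosen = [a for a in adapters
              if is_at_or_below(base_dn, a.root) or is_at_or_below(a.root, base_dn)]
    return sorted(chosen, key=lambda a: a.priority)


def map_dn_outbound(dn: str, adapter: Adapter) -> str:
    """Rewrite the virtual suffix into the proxied directory's suffix."""
    if adapter.remote_root is None or not is_at_or_below(dn, adapter.root):
        return dn
    keep = rdn_list(dn)[:len(rdn_list(dn)) - len(rdn_list(adapter.root))]
    return ",".join(keep + rdn_list(adapter.remote_root))


def map_dn_inbound(dn: str, adapter: Adapter) -> str:
    """Reverse mapping applied to entries coming back from the proxied source."""
    if adapter.remote_root is None or not is_at_or_below(dn, adapter.remote_root):
        return dn
    keep = rdn_list(dn)[:len(rdn_list(dn)) - len(rdn_list(adapter.remote_root))]
    return ",".join(keep + rdn_list(adapter.root))


# Constructed configuration for the demonstration.
ADAPTERS = [
    Adapter("contractors-db", "ou=contractors,dc=oracle,dc=com", None, priority=20),
    Adapter("staff-ldap", "ou=staff,dc=oracle,dc=com", "ou=hr,o=oraclecorp", priority=10),
    Adapter("partner-ldap", "o=partner", "o=partner", priority=30),
]


def route(base_dn: str) -> List[str]:
    """Names of the adapters that would be invoked, in precedence order."""
    return [a.name for a in eligible_adapters(base_dn, ADAPTERS)]


if __name__ == "__main__":
    print(route("dc=oracle,dc=com"))                  # both branches, staff first
    print(route("cn=bob,ou=staff,dc=oracle,dc=com"))  # a single adapter
    print(map_dn_outbound("cn=bob,ou=staff,dc=oracle,dc=com", ADAPTERS[1]))
```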

After the operation is performed, the result proceeds in reverse order back to the client. In non-search operations, there is normally no further processing. In a search operation where data is returned, plug-ins (optionally) and access controls are processed on the data. The Oracle Virtual Directory access controls are designed to work with any existing access controls you may have in place with your data and act more as additional—not replacement—access controls.

At the conclusion of the operation, the listener level ensures the data is returned to the client in the proper format, such as LDAP or DSML entries.

Oracle Directory Services Manager

As of 11g Release 1 (11.1.1), Oracle Virtual Directory and Oracle Internet Directory have a unified graphical user interface (GUI) called Oracle Directory Services Manager. Oracle Directory Services Manager simplifies the administration and configuration of Oracle Virtual Directory and Oracle Internet Directory by allowing you to use web-based forms and templates.

As of this release, you can configure Oracle Directory Services Manager to use Single Sign-On (SSO). Once Oracle Directory Services Manager has been configured with SSO, Oracle Directory Services Manager allows a user who has been authenticated by the SSO server to connect to an SSO-enabled directory without logging in, provided that the user has an entry in the directory.

Refer to "Getting Started With Oracle Directory Services Manager" for more information.

Fusion Middleware Control

As of 11g Release 1 (11.1.1), you configure many Oracle Virtual Directory features from Oracle Enterprise Manager Fusion Middleware Control. This console enables you to configure and manage all Oracle products from one user interface.

Using the Oracle Enterprise Manager Fusion Middleware Control, you can monitor the Oracle Virtual Directory Server and related components and activities. The Oracle Enterprise Manager Fusion Middleware Control collects host names and ports that you specify during installation or configure at a later time. A Resource Discovery Service (RDS) identifies Server instances and associated components and sends information about these components to the Oracle Enterprise Manager Fusion Middleware Control. The Oracle Enterprise Manager Fusion Middleware Control depends on RDS to detect when nodes in the network are down, or if additional nodes are installed and configured from the Oracle Universal Installer.

Using the monitoring functions, you can gain insight into system activity and performance, for example, total logins, successful and unsuccessful logins, average login time, request latencies, LDAP connections, and so on.

You can monitor the following items:

  • Metrics: To monitor system health

  • General: A high-level rollup of load, performance, security, login, CPU utilization, and other data

  • Performance: Key metrics for the directory server and its host

  • Reports: Data on operation success and failure

  • Topology: Information on the Oracle HTTP Server instances, directory server instances, single sign-on servers, associated databases, and so on

1.1.5 Oracle Virtual Directory in Oracle Fusion Middleware

Oracle Fusion Middleware is a collection of standards-based software products that spans a range of tools and services: From Java EE and developer tools, to integration services, business intelligence, and collaboration. Oracle Fusion Middleware offers complete support for development, deployment, and management.

Oracle Virtual Directory is a component of Oracle Fusion Middleware as a standalone Java 2 Standard Edition (J2SE) process. Oracle Virtual Directory utilizes several aspects of the Oracle Fusion Middleware framework, including integrating with the following:

  • Common Audit Framework

  • Common Logging Framework

  • Credential Store Framework

  • Oracle Enterprise Manager Fusion Middleware Control

The following is a list of Oracle Fusion Middleware concepts and terms related to Oracle Virtual Directory:

WebLogic Server Domain

A WebLogic Server administration domain is a logically related group of Java components. A WebLogic Server domain includes a special WebLogic Server instance called the Administration Server, which is the central point from which you configure and manage all resources in the domain.

An Oracle WebLogic Server domain is a peer of an Oracle instance. Both contain specific configurations outside of their Oracle homes.

WebLogic Server Home

A WebLogic Server home contains installed files necessary to host a WebLogic Server. The WebLogic Server home directory is a peer of Oracle home directories and resides within the directory structure of the Middleware home.

Oracle Instance

An Oracle instance contains one or more system components, such as Oracle Virtual Directory. The system components in an Oracle instance must reside on the same computer. An Oracle instance directory contains updatable files, such as configuration files, log files, and temporary files.

Oracle Home

An Oracle home contains installed files necessary to host a specific product. For example, the Oracle Virtual Directory home contains directories that contain Oracle Virtual Directory binary and library files. An Oracle home resides within the directory structure of the Middleware home. Each Oracle home can be associated with multiple Oracle instances or Oracle WebLogic Server domains.

Middleware Home

A Middleware home consists of the Oracle WebLogic Server home, and, optionally, one or more Oracle homes. A Middleware home can reside on a local file system or on a remote shared disk that is accessible through NFS.


See:

Oracle Fusion Middleware Administrator's Guide for complete information about Oracle Fusion Middleware.

1.1.6 Oracle's Directory Services Portfolio

Oracle is the only vendor that provides a complete range of directory service solutions, including:

  • Scalable local-store based directory server with Oracle Internet Directory

  • Meta-directory with Directory Integration Platform

  • Directory virtualization with Oracle Virtual Directory

Use Oracle Internet Directory when you must store data in an LDAP server but do not have an existing directory server. Use Directory Integration Platform when you must synchronize databases or other directory information to Oracle Internet Directory. You can also use Directory Integration Platform to synchronize data between Oracle Internet Directory and certain Oracle applications, like Oracle eBusiness Suite. Use Oracle Virtual Directory to aggregate data from heterogeneous sources into a single directory service in real-time through direct data access.

You can use the Oracle Directory Services products independently of each other or with each other. For example, you can use Oracle Virtual Directory with Oracle Internet Directory to provide a DSML interface to Oracle Internet Directory data. You can use Oracle Internet Directory to provide scalable storage for information that is managed through Oracle Virtual Directory but has no existing directory to leverage. Also, Directory Integration Platform with Oracle Internet Directory can use Oracle Virtual Directory to provide additional fault-tolerance support for existing virtualized data-stores. For example, if for some reason your primary enterprise directory becomes unavailable, Oracle Virtual Directory can use the Oracle Internet Directory store.

1.2 Why the Enterprise Directory Is Not Enough

This topic describes many of the obstacles traditional directory servers and enterprise directories face today when deployed for identity management configurations and also explains how Oracle Virtual Directory can solve them.

Overview: Traditional Directory Server Shortcomings

Today's directory servers are designed as specialized databases and by themselves, they do not provide enterprises with the tools needed to connect all possible applications into a single enterprise directory. With very few exceptions, no company has a single enterprise directory.

According to analysts, the majority of companies have several (five or more) directories used company-wide. If their intent is to provide data to an application that is used by multiple business partners, then the number of directories increases by at least the number of business partners using the application. Oracle believes that most enterprises need multiple tiers of directory services both internally and externally. Oracle Virtual Directory is one of the best ways to provide this requirement without duplicating data and without incurring large replicated infrastructure costs.

Typical directory and database technology fails to resolve issues that arise when corporations are made up of independent business units, divisions and partners. Today's directory server technology forces companies to build a single managed data infrastructure that requires huge political discussions on the following topics:

  • What data should the directory infrastructure contain?

  • Who will manage it?

  • Who will fund it?

Issues such as who should pay for directories and who should manage them become critical factors that affect the success of deploying what should be relatively simple database technology. As shown in Figure 1-4, there can be numerous directory sources in different formats and geographies, but also, owned by different parties. Additionally, other directories such as relational databases and email systems can be and are added to these traditional enterprise directories.

The issues surrounding distribution of data are further complicated by the addition of LDAP-enabled applications such as Lotus Domino and Microsoft Exchange that have directory information but do not readily integrate into existing enterprise directories due to differing requirements in schema.

Developers have traditionally succeeded at creating databases for specific purposes, because decision-making is driven by individual business managers sponsoring business-driven applications. Now, the new trends of business-to-business web services and inter-business applications mean that the data sources within external partners must be considered in the creation of a directory services and security infrastructure strategy.

A directory service integration layer is needed to handle practical issues such as:

  • Distributed Security: availability and verification

  • Routing: how to get to different data

  • Integration: how to handle differing formats

  • Data-level Federation: merging trusted directories

Oracle Virtual Directory is Oracle's answer to this challenge.

The following sections describe in detail common obstacles traditional directory servers face and how you can use Oracle Virtual Directory to resolve them.

Clogged Replication

Directory services are frequently deployed over time with a single primary or "master" node and multiple replication nodes. Over time, you may have developed multiple hierarchies of directories to facilitate regionalized replication, which in turn support regional directory farms.

As time passes, though, replication may slow down to the point where the directory replica servers are outdated. The main cause for slow replication is the maintenance of search indexes. Often, reviewing the indexes and minimizing indexes can extend the life of an existing infrastructure.

However, at some point, directory indexing demands will outweigh any individual server's ability to keep up with and replicate changes for it. An alternative is to consider breaking the replicas into special purpose or class-of-service nodes. For example, one pair of replicas might be dedicated to handling user search and policy server requests. Another pair might be dedicated to performing white page or email searching requests. Other servers might be tuned to the needs of specific applications.

In Figure 1-5, the indexing strategy has been adjusted to create Class-of-Service replicas enabling replication to scale. Each class-of-service defines a set of directory replicas designed for specific application clients.

In this case, Oracle Virtual Directory automatically knows where the master server is and routes modified traffic directly to it—avoiding a needless directory referral operation. The next challenge is how to route applications to the correct replicas for the correct searches based on class-of-service.

One easy way is to assign directory replicas directly to applications. However, this strategy might not work since applications may use a greater variety of searches than can be configured on any particular directory replica. Instead, you can use the Oracle Virtual Directory virtual directory to automatically route each search request by using its routing include and exclude filters. These filters allow the administrator to decide which operations each proxied node may and may not perform.

Figure 1-6 shows a typical request where the application is looking to locate a user-distinguished name by searching on UID. Oracle Virtual Directory recognizes the search filter and routes the request to the appropriate directory replicas. Notice that Oracle Virtual Directory can select from multiple nodes and provide load balancing between the nodes, allowing it to spread load across multiple nodes and ensure fault tolerance by not having to rely on any single node.

For different kinds of searching operations, for example, white pages, or classes-of-service, Oracle Virtual Directory can route to alternate directory replicas.

If none of the filters are matched, a default server can be designated. This server might be set up as a low-performance server and lag in replication since it may have more general purpose indexing.

In all of these cases, you see only a single Oracle Virtual Directory. In reality, multiple, identically configured Oracle Virtual Directories can be deployed according to the fault tolerance and loading requirements of the servers. Because Oracle Virtual Directory holds no data, the architecture is 100 percent parallel, allowing for unlimited growth. For example, it is possible to deploy a server pair per application client if needed. Since each server holds no data, and therefore requires no backups, and simply acts as a router, each server adds minimal management costs to the overall infrastructure.

Transaction Failover

Many enterprises have deployed fault-tolerant infrastructures, using devices such as F5 BigIP to route LDAP traffic to available directory server nodes. Because LDAP provides atomic single unit transactions, it has often been assumed that applications would be able to deal with transaction failures. If an LDAP operation fails, it has always been assumed that the application knows to reconnect and try again. For service architects, this has presented many obstacles as some applications replay invalid transactions on multiple directory servers or the application fails and does not realize it just has to try again.

Oracle Virtual Directory addresses this problem through an intelligent connection pooling mechanism designed to spread application load across multiple directory servers. Since the connection pooling spreads individual transactions across multiple servers, Oracle Virtual Directory realizes when a transaction times out or fails on a particular node and allows the operation to be transferred to another node. Oracle Virtual Directory determines whether this is a data failure, in which case it is returned to the client, or whether it is a service failure. If there is a service failure, Oracle Virtual Directory attempts to repeat the transaction on each available server until all servers have been exhausted. Only then is a failure returned to the client.

For advanced protection, global failover can be configured by adding non-local directory nodes to Oracle Virtual Directory's server list. When configured this way, a load percentage of 0 is assigned to these non-local nodes in the LDAP Adapter's LDAP Servers configuration. This forces Oracle Virtual Directory to use these nodes only when no other local node is available, providing the ability to route traffic locally while still being able to send it to other sites in times of need.

Connection Domination

In many large-scale directory environments, there may be several applications that dominate and do not share connections. At application bootstrap time, an application is assigned a directory server, for example, by F5 BigIP, and it establishes a permanent connection with that server, causing the following problems:

  • Fault-tolerance and load-balancing is effectively bypassed. Since most traditional approaches use connection-based load balancing and failover, a connection-hungry application cannot be easily moved from an overloaded directory server.

  • An overwhelming load is created. Since the application tends to use only one directory, its load requirements may exceed the capabilities of the node to which it is assigned. By never relinquishing a connection, there is no opportunity for the management systems to re-adjust the load.

Virtual directory technology helps by providing a connection pooling mechanism that distributes load on a transaction-by-transaction basis. Oracle Virtual Directory maintains a minimum number of connections with each of its proxied directories and adds connections as load requires. Oracle Virtual Directory provides automatic switching of the single client connection and spreads its operations over multiple directory servers, making the directory service more stable because no single directory server node is overloaded. While Oracle Virtual Directory maintains a single connected session between itself and the connection-dominating client, Oracle Virtual Directory itself is a "good citizen" with the infrastructure and provides load distribution and periodic connection refreshes.

Application Connection Overload

The opposite scenario to the connection domination problem occurs when too many applications make connections and overload the directory server with too many TCP/IP connections and LDAP bind requests. When this happens many directory servers, including LDAP and X.500 versions, can become unstable as they run out of system resources or simply run out of processing threads. Many benchmarks show that most directory servers have a peak performance level at around seven to ten simultaneous connection threads. This information indicates that while the server may be capable of answering many more calls, peak throughput is diminished as the server starts to spend its time establishing connections rather than servicing requests, as shown in Figure 1-7.

Oracle Virtual Directory's connection pooling mechanism resolves this issue. As with the connection dominating client, Oracle Virtual Directory uses its pool to share connection between many clients, and uses rebinding to switch between user contexts where necessary (depending on the mode of the Oracle Virtual Directory pass credentials setting). Oracle Virtual Directory takes many client connections and their requests and multiplexes transactions over a reduced number of connections to the proxied servers. Since existing connections are reused, the amount of consumed resources on the proxied server is greatly reduced, allowing it to focus on LDAP transaction processing.

Data Overload

In some cases, optimizing directory replication schemes is not sufficient to create the scale needed for extremely large directories, as described in the Clogged Replication section. In these cases, the ability to create a directory in the tens or hundreds of millions of entries depends on the ability to divide data into smaller pieces and create a virtual view where all the separate pieces appear in a single directory view—a divide and conquer approach.

Oracle Virtual Directory provides several means to accomplish this virtualization. The simplest way is to exploit directory hierarchy. If the data can be broken down into a hierarchical structure, then multiple directory groupings can be created where each grouping owns one or more namespaces. This allows Oracle Virtual Directory to route traffic by simply looking at the distinguished name and deciding which directory grouping to use.

For example, if a hypothetical telephone company had customers grouped by area code, then Oracle Virtual Directory could route traffic by looking at the organizational unit containing the area code as shown in Figure 1-8. For all modify and bind operations, traffic is routed solely on distinguished name. For searching operations, as described in the Clogged Replication section, routing include and exclude filters would be used to direct traffic based on search filters in the event the search base must be o=BigCo and cannot be namespace-specific.

If a flat hierarchy is needed, for example, where all entries appear to be under the same parent, you can choose to either parse the relative distinguished name (RDN), which is the left-most distinguished name or DN component, or to use prefetch operations. If the RDN component can be parsed, then routing could be established with a plug-in that parses the RDN to make routing decisions, as shown in Figure 1-9.

For example, if a DN were of the form: number=6046331751,ou=Account,o=BigCo, then the routing filter could select based on the first 3 digits (in this case 604) to select a particular directory grouping.

If the DN were of the form uid=jdoe,ou=Accounts,o=BigCo, the routing could use a hash table to decide that accounts beginning "a-l" are in one server, "m-r" in another, and "s-z" in a final grouping.

In this case, you can use a routing plug-in mechanism to supplement standard routing features. The intent of the plug-in is to allow you to describe the criteria under which the data should be separated. The selected criteria must ideally be available within every transaction, either in the DN or the filters and base.
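The routing decisions described in this section, the search-filter include/exclude routing with a default server for unmatched filters (from the Clogged Replication discussion above) and the DN-based partitioning by area-code organizational unit, numeric RDN prefix and uid letter range, modelled in Python as an added example. This is not Oracle Virtual Directory code or its routing plug-in API; the grouping names, node names, area codes and filter patterns are constructed placeholders. The point to take from it is that every rule falls through to a default, so a DN or filter the rules do not recognise is still served by a known node rather than an arbitrary one.

```python
import re

# Constructed routing tables (placeholders, not Oracle Virtual Directory configuration).
# Hierarchical partition (Figure 1-8): the ou holding the area code names the grouping.
AREA_CODE_GROUPINGS = {"604": "grp-604", "778": "grp-778"}
# Flat partition on uid (Figure 1-9): the first letter of the RDN value picks the grouping.
UID_RANGES = [("a", "l", "grp-a-l"), ("m", "r", "grp-m-r"), ("s", "z", "grp-s-z")]
# Search routing: a node may serve a filter when one of its include patterns matches
# and none of its exclude patterns does; a general-purpose node catches the rest.
SEARCH_ROUTES = [
    {"node": "uid-lookup-replicas", "include": [r"\(uid="], "exclude": [r"\*"]},
    {"node": "white-pages-replicas", "include": [r"\((cn|sn|mail)="], "exclude": []},
]
DEFAULT_SEARCH_NODE = "general-index-replica"


def split_dn(dn: str) -> list:
    """Split a DN into lower-cased RDN strings. Assumes no escaped commas in values."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def route_by_dn(dn: str) -> str:
    """Pick the directory grouping for bind, modify and delete, which route on DN alone."""
    rdns = split_dn(dn)
    # 1. Hierarchical case: an organizational unit named by a three-digit area code.
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        if attr == "ou" and value in AREA_CODE_GROUPINGS:
            return AREA_CODE_GROUPINGS[value]
    # 2. Flat case, numeric RDN: the first three digits select the grouping.
    attr, _, value = rdns[0].partition("=")
    if attr == "number" and value[:3] in AREA_CODE_GROUPINGS:
        return AREA_CODE_GROUPINGS[value[:3]]
    # 3. Flat case, uid RDN: hash on the first letter into a-l, m-r or s-z.
    if attr == "uid" and value:
        for low, high, grouping in UID_RANGES:
            if low <= value[0] <= high:
                return grouping
    # Nothing matched: the designated default grouping.
    return "default"


def route_search(ldap_filter: str) -> list:
    """Return the replica nodes eligible for a search filter (several nodes = load balance)."""
    eligible = [
        route["node"]
        for route in SEARCH_ROUTES
        if any(re.search(p, ldap_filter, re.IGNORECASE) for p in route["include"])
        and not any(re.search(p, ldap_filter, re.IGNORECASE) for p in route["exclude"])
    ]
    return eligible or [DEFAULT_SEARCH_NODE]


if __name__ == "__main__":
    for dn in ("number=6046331751,ou=Account,o=BigCo", "uid=jdoe,ou=Accounts,o=BigCo"):
        print(dn, "->", route_by_dn(dn))
    for f in ("(uid=jdoe)", "(uid=j*)", "(&(objectclass=person)(sn=Smith))"):
        print(f, "->", route_search(f))
```

The exclude pattern on the uid node is what keeps a wildcard uid search, which the uid-indexed replicas are not built for, from landing there; it falls through to the general-index node exactly as the text describes for the default server.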

The other alternative is to use prefetch. If the data has been divided in a way that leaves Oracle Virtual Directory no predictable means of determining where an entry resides, it must first search the directories using customer-specific criteria to locate the correct repository. For example, on an LDAP modify operation a search must occur first to locate the repository holding the entry to modify; the same applies to bind, delete, and rename operations. On an LDAP add operation, the add request must carry sufficient information to determine which repository receives it. In some situations, the performance overhead can be moderated with a special master directory that the server uses simply to locate entries in the infrastructure.

Conclusion

You can use Oracle Virtual Directory in fault-tolerant configurations at various points in a global directory services deployment as shown in Figure 1-10. As a load balancer, Oracle Virtual Directory can be placed between site IP Routers, for example, WebSphere Edge Server and F5 BigIP, and site replica servers. Oracle Virtual Directory provides transaction level load balancing and fault tolerance between servers in the location. In addition to load balancing, Oracle Virtual Directory can offer multiple infrastructure level views of the data, including information from relational database sources through JDBC.

For those applications requiring a special directory view or the ability to have global transaction failover, Oracle Virtual Directory can be deployed as a middleware component directly on application servers. This strategy makes the application capable of switching between different locations if a site failure occurs. Normally, in this configuration, Oracle Virtual Directory would provide load balancing only at the local level while switching to other location nodes only when local services have failed.

Oracle Virtual Directory's flexibility enables directory architects to develop complex, robust directory service infrastructures. As an integration tool, Oracle Virtual Directory assists developers in using enterprise infrastructure as leverage in the easiest possible way. As an information router, Oracle Virtual Directory is quick to deploy, easy to manage and has an extremely low cost of operation.

Oracle Virtual Directory provides the functionality and performance required to manage large-scale deployments more effectively. As organizations look to solve enterprise-level data issues, Oracle Virtual Directory offers multiple solutions to some of their most challenging concerns.

1.3 Oracle Virtual Directory In Enterprise Directory Network Environments

You can deploy Oracle Virtual Directory in several different environments to resolve obstacles faced by traditional directory solutions. Figure 1-11 shows example deployments for Oracle Virtual Directory in two different environments, Intranet and Extranet.

Intranet Identity Example

The following steps explain the sequence of Oracle Virtual Directory's role in the intranet example displayed in Figure 1-11:

  1. At the lower left-hand corner of the figure, an internal end-user accesses an intranet based web application. The application may or may not include a policy server as part of its own infrastructure.

  2. The application or policy service requests the user's identification and password when the end-user accesses the application.

  3. The application or policy service accesses Oracle Virtual Directory using LDAPv3 to validate the credentials using an LDAP bind request.

  4. Oracle Virtual Directory in turn routes this request to the local directory server store and validates the credentials. On validation, Oracle Virtual Directory returns the verified results to the application.

  5. In a further request, the application requests the user's directory entry from Oracle Virtual Directory so that their application profile and rights can be retrieved. Oracle Virtual Directory performs a transparent join, combining attributes from both the local directory server and information from a RDBMS. Once collected, Oracle Virtual Directory merges the result into a single virtual entry and returns it to the intranet application.

Extranet Identity Example

The following steps explain the sequence of Oracle Virtual Directory's role in the extranet example displayed in Figure 1-11:

    1. In the upper right-hand corner, an external organization or business partner end-user accesses an extranet-based web application.

    2. The application contacts Oracle Virtual Directory using LDAPv3 to verify the user's credentials using an LDAP bind.

    3. Oracle Virtual Directory recognizes the credential maps to an external directory. Oracle Virtual Directory connects to the external Oracle Virtual Directory as the business partner using an SSL encrypted link and uses its own credentials to validate the inter-business unit query.

    4. Once the business partner's Oracle Virtual Directory has validated the Oracle Virtual Directory, it recognizes the request and passes it on to the internal LDAPv3 directory.

    5. Oracle Virtual Directory applies the appropriate inter-business access control and returns the filtered results from the directory back to Oracle Virtual Directory, which is then able to validate the password of the business partner user and return success or failure to the application.

    6. Finally, as in the intranet application example, the application might then query Oracle Virtual Directory for additional attributes about the user. Oracle Virtual Directory performs a join linking client-supplied information from the business partner directory with locally stored information in the corporate database.

Example Summary

The examples in Figure 1-11 demonstrate capabilities across a complex scenario. You see Oracle Virtual Directory acting as an information router and joiner, brokering information from multiple secure sources to meet the needs of an application or security infrastructure. Not only can Oracle Virtual Directory bring together information from within a single intranet, it can also leverage information from business partners. This is particularly important because it allows business partners to use the extranet application without having to be provisioned or managed in the host business's directory. Business partner users are authenticated by their own local directory in real time.

Oracle Virtual Directory can also play an important role as an LDAP Proxy server. Oracle Virtual Directory may optionally be used by business partners to act as a directory firewall. Oracle Virtual Directory properly authenticates and authorizes external access to internal directory information. In the bottom right of the diagram you also see how Oracle Virtual Directory's own routing capabilities allow it to route to multiple internal directories or Windows Active Directory forests, keeping this information away from the client. As a firewall, Oracle Virtual Directory controls and limits access to information as seen by authorized external parties. As a virtual-directory component, Oracle Virtual Directory simplifies and restructures data for publication to business partners.

1.3.1 Virtual Namespace Mapping

Oracle Virtual Directory enables you to connect to any source directory tree and map it to a new virtual tree. For example, an entry in a source directory has the following distinguished name (DN):

cn=Jim Smith,ou=People,o=Division B, c=UK

This source directory entry can be mapped to:

cn=Jim Smith,ou=People,ou=Division B, ou=People,o=AppView

In this example, Oracle Virtual Directory maps all entries below o=Division B, c=UK to ou=Division B, ou=People, o=AppView. Oracle Virtual Directory is performing an on-the-fly translation making Division B users appear to be part of the application-specific directory.

Figure 1-12 shows a local directory branch specific to the application. The root of the tree is o=AppView. Under this branch, local information such as application access control and roles can be stored, for example, cn=User Group,ou=Groups,o=AppView.

The application may have an architectural limitation that it only searches for users under a common people branch. To meet the application requirement, the design objective can be changed to have the new directory design map all directory sources underneath the ou=People branch. Figure 1-13 shows how this can also be represented:

In Figure 1-13, Oracle Virtual Directory is configured with four adapters:

  • Adapter 0 forms the root of the directory tree and maps to o=AppView. This adapter holds the virtual root of the tree and local entries such as access control groups.

  • Adapters 1-3 map each directory source to positions beneath the ou=People branch of the new application tree.

12 Creating and Configuring Oracle Virtual Directory Adapters

This chapter explains how to create and configure Oracle Virtual Directory adapters and includes the following topics:

The following table lists the available Oracle Virtual Directory adapter templates and which plug-ins are deployed by these templates.


Note:

This table is intended as a quick reference only.

Be sure to read Section 2.9, "Understanding Adapter Templates" for detailed information about these adapter templates and plug-ins.


Table 12-1 Adapter Templates

| Adapter Template Type | Adapter Template | Plug-In Deployed by Adapter Template |
|---|---|---|
| Default Adapter | Default Template | |
| LDAP Adapters | Active_Directory | |
| | CA_eTrust | |
| | Changelog_LDAP-TYPE | Changelog plug-in |
| | EUS_ActiveDirectory | Objectclass Mapper; Active Directory Password; EUSActiveDirectory |
| | EUS_OID | EUSOID plug-in |
| | EUS_Sun | Objectclass Mapper; EUSun |
| | EUS_eDirectory | Objectclass Mapper; EUSeDirectory |
| | General_LDAP_Directory | |
| | IBM_Directory | |
| | Novell_eDirectory | |
| | OAM/AD Adapter with Mapper | Active Directory Ranged Attributes; Objectclass Mapper; Active Directory Password; Dump Before; Dump After |
| | OAM/AD Adapter with SSL, Mapper | Adapter is hidden to clients by default. It is accessible only through plug-ins like the Active Directory Password plug-in. |
| | OAM/AD Adapter with Script | Active Directory Ranged Attributes; Active Directory Password; Objectclass Mapper; Dump Before; Dump After |
| | OAM/ADAM Adapter with Mapper | Active Directory Ranged Attributes; Objectclass Mapper; Active Directory Password; Dump Before; Dump After |
| | OAM/ADAM Adapter with SSL, Mapper | Adapter is hidden to clients by default. It is accessible only through plug-ins like the Active Directory Password plug-in. |
| | OAM/ADAM Adapter with Script | Active Directory Ranged Attributes; Active Directory Password; Dump Before; Dump After |
| | OAM/SunOne Adapter with Mapper | Objectclass Mapper; Dump SunOne |
| | OAM/SunOne Adapter with Script | Dump Transactions plug-in |
| | ONames_LDAP-TYPE | ONames plug-in |
| | Oracle_Internet_Directory | |
| | Siemens_DirX | |
| | SunOne_Directory | |
| | User_LDAP-TYPE | UserManagement plug-in |
| Local Store Adapter | Local_Storage_Adapter | |
| Database Adapter | OAM/DB Adapter with Script | DumpDB1; DumpDB2 |

12.1 Creating LDAP Adapters

This topic explains how to create and configure LDAP Adapters and includes the following sections:

Perform the following steps to create LDAP Adapters using Oracle Directory Services Manager:

  1. Log in to Oracle Directory Services Manager.

  2. Select Adapter from the task selection bar. The Adapter navigation tree appears.

  3. Click the Create Adapter button. The New Adapter Wizard appears.

  4. Perform the following steps to define the Type of adapter:

    1. Select LDAP from the Adapter Type list.

    2. Enter a unique name for the LDAP Adapter in the Adapter Name field. The adapter name value is used in other configuration fields that must reference the adapter.

    3. Select an adapter template from the Adapter Template list by referring to "Understanding Adapter Templates". Use the Default template if you are unsure which template to use.


      Note:

      After selecting an adapter template, Oracle Directory Services Manager populates default values for some adapter settings. You should alter these default settings according to your environment.

    4. Click Next. The Connection screen appears.

  5. Select a DNS mode of operation from the Use DNS for Auto Discovery options to configure Oracle Virtual Directory to use DNS to automatically discover the appropriate LDAP hosts for the remote base defined (instead of configuring specific LDAP hosts in the Connection Details table). This is also referred to as serverless bind mode. The LDAP Adapter supports the following DNS modes of operation:


    Note:

    The DNS options are listed in the Oracle Directory Services Manager interface in English only, however the description for each DNS option is supported in localized language translations.

    • No: Use the Connection Details table configuration—no serverless bind.

    • Standard: Use standard DNS lookup for a non-Microsoft server. All servers are marked as read/write, so enabling the Follow Referrals setting is advised to allow for LDAP write support.

    • Microsoft: The DNS server is a Microsoft dynamic DNS and also supports load-balancing configuration. If proxying to a Microsoft dynamic DNS server, this is the recommended setting because of Oracle Virtual Directory's ability to auto-detect read/write servers compared to read-only servers.


    Note:

    Remote base should have a domain component style name when using this setting, for example, dc=myorg,dc=com. This name enables Oracle Virtual Directory to locate the LDAP hosts within the DNS service by looking up myorg.com.

  6. If you selected the No option for the Use DNS for Auto Discovery setting, add the proxy LDAP host information in the Connection Details table by clicking the Add Host button and then entering the following information. Each proxy LDAP host must provide equivalent content, that is, must be replicas.


    Note:

    Be careful when specifying only a single host for proxying. Without a failover host, the LDAP Adapter cannot automatically fail over to another host. A single host is suitable when Oracle Virtual Directory is connected to a logical LDAP service through a load balancing system.

    1. Enter the IP Address or DNS name of the LDAP host to proxy to in the Hosts field.


      Note:

      Oracle Virtual Directory 11g Release 1 (11.1.1) supports IPv6. If your network supports IPv6 you can use a literal IPv6 address in the Hosts field to identify the proxied LDAP host.

    2. Enter the port number the proxied LDAP host provides LDAP services on in the Port field.

    3. Enter a number between 0 and 100 in the Weight Value field to configure the load percentage to send to the host. If the combined percentages for all of the hosts configured for the adapter do not total 100, Oracle Virtual Directory automatically adjusts the load percentages by dividing the percentage you entered for a host by the total percentage of all hosts configured for the adapter. For example, if you have three hosts configured for the adapter at 20 percent, 30 percent, and 40 percent, Oracle Virtual Directory adjusts the 20 to 22 (20/90), the 30 to 33 (30/90), and the 40 to 44 (40/90).

    4. Select the Read-only option to configure the LDAP Adapter to only perform search operations on the LDAP host. The LDAP Adapter automatically directs all modify traffic to read/write hosts in the list.

  7. Select the Use SSL/TLS option to secure the communication between the LDAP Adapter and the proxy LDAP hosts using SSL/TLS.


    See:

    "Managing Certificate Authorities for LDAP Adapters Secured by SSL" for information on Certificate Authorities.

    If you select (enable) the Use SSL/TLS option, choose the SSL authentication mode to use for securing the adapter by selecting an option from the SSL Authentication Mode list. The SSL Authentication Mode setting is functional only when the Use SSL/TLS option is enabled.

  8. Enter the default distinguished name for the LDAP Adapter to bind with when accessing the proxied directory in the Server proxy Bind DN field. Depending on the setting in the Pass Through Credentials field, this DN is used for all operations, or only for exceptional cases such as pass-through mode. The distinguished name must be in the form used by the remote directory. The LDAP Adapter binds as Anonymous if the Server proxy Bind DN field is empty.

  9. Enter the authentication password in clear text in the Proxy Password field to use with Server proxy Bind DN value. When loaded on the server, the value is automatically encrypted.

  10. Click Next. Oracle Virtual Directory attempts to validate the connection(s) to the host(s) you defined in the Connection Details table. The Test Connection screen appears displaying the results of the connection validation process.

  11. Enter the location in the remote server directory tree structure to which the local Oracle Virtual Directory root suffix corresponds in the Remote Base field. This is the location in the remote directory under which Oracle Virtual Directory executes all searches and operations for the adapter. The LDAP Adapter applies an automatic mapping of all entries from the remote base to the adapter root base.

  12. Enter the namespace you want Oracle Virtual Directory clients to see for the proxied directory's namespace in the Mapped Namespace field. For example, if the DN in the proxied directory is dc=oracle, dc=com and you want Oracle Virtual Directory clients to see the namespace as dc=Oracle Corp, dc=com, you would enter dc=Oracle Corp, dc=com in the Mapped Namespace field.

  13. Set the pass-through credentials for the LDAP Adapter by selecting an option from the Pass Through Credentials list:


    Note:

    The pass-through options are listed in the Oracle Directory Services Manager interface in English only, however the description for each pass-through option is supported in localized language translations.

    • Select Never to use the Proxy DN credentials for all operations.

    • Select BindOnly to pass user credentials to the proxied LDAP server for bind only and use the default server credentials for all other operations.

    • Select Always to pass user credentials presented to Oracle Virtual Directory to the proxied LDAP server for all operations.


    Note:

    In some situations when pass-through mode is set to Always, the LDAP Adapter may still use the Proxy DN. This occurs when the user credential cannot be mapped, for example, from another adapter namespace, or if it is the root account.

    If defining multiple adapters to different domain controllers within a Microsoft Active Directory forest, you can program the LDAP Adapter to proxy credentials from other adapters (that is, two or more adapters pointing to the same Active Directory forest) by using the Routing Bind-Include setting.


  14. Select the Use Kerberos option to configure the LDAP Adapter to perform LDAP bind operations using the Kerberos protocol. Oracle recommends using Java 1.6 or higher if you enable the Use Kerberos setting to resolve many known issues with the Microsoft Active Directory version of Kerberos.

    If you enable the Use Kerberos option:

    Kerberos binds use the Kerberos libraries provided in the standard Java package. The Kerberos libraries use the krb5.conf file, which is not currently synchronized with Oracle Virtual Directory LDAP Adapter settings. The default libraries control Kerberos fail-over. Refer to Sun Microsystems' Java documentation for more information on fail-over and advanced krb5.conf file configurations.


    Note:

    If a Microsoft Active Directory server is in the process of shutting down (either stopping or rebooting) and Oracle Virtual Directory tries to connect to it, Active Directory may not validate the credential and may return a Client not Found in Kerberos Database error message instead of returning a Key Distribution Center (Domain Controller) connection error.

    The end-user should attempt to log in again; assuming that either the Active Directory server is available or Key Distribution Center fail-over is enabled, successful authentication should be returned.


  15. If you enable the Use Kerberos option, you can use the Kerberos Retry option to control whether Oracle Virtual Directory should retry logging in after failed authentication attempts. If you enable the Kerberos Retry option and authentication fails, Oracle Virtual Directory reloads the krb5.conf file and retries the login.


    Note:

    If you identified multiple Active Directory servers in a single Kerberos realm in the krb5.conf file, do not enable the Kerberos Retry option, as enabling the retry may disrupt fail-over functionality.

  16. Click Next on the Name Space screen. The Summary screen appears listing the settings for the new LDAP Adapter.

  17. Review the settings for the new LDAP Adapter and click Finish to create the LDAP Adapter. The new LDAP Adapter appears in the Adapter tree.

After you create the LDAP Adapter you can configure it using the procedures in Configuring LDAP Adapters.
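The suffix rewriting behind both the Virtual Namespace Mapping example in Section 1.3.1 (entries under o=Division B,c=UK appearing under ou=Division B,ou=People,o=AppView) and the Remote Base and Mapped Namespace settings in steps 11 and 12 above, written out in Python as an added example rather than Oracle Virtual Directory's own code. The NamespaceMapper class and its method names are assumptions. It splits DNs on unescaped commas, compares components case-insensitively, and returns None for a DN outside the configured base, which is the property that keeps an adapter from exposing entries beyond its remote base under the mapped name.

```python
import re

# Split on commas that are not backslash-escaped (RFC 4514 escaping), so a value
# such as "Smith\, Jim" stays one RDN. Whitespace around components is dropped.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def split_dn(dn: str) -> list:
    return [rdn.strip() for rdn in _RDN_SPLIT.split(dn) if rdn.strip()]


def join_dn(rdns: list) -> str:
    return ",".join(rdns)


def _norm(rdn: str) -> str:
    """Canonical form for comparison: attribute type and value lower-cased, spaces trimmed."""
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().lower()}={value.strip().lower()}"


def _ends_with(rdns: list, suffix: list) -> bool:
    if len(suffix) > len(rdns):
        return False
    tail = rdns[len(rdns) - len(suffix):]
    return [_norm(r) for r in tail] == [_norm(s) for s in suffix]


class NamespaceMapper:
    """Maps DNs between an adapter's remote base and its mapped (virtual) namespace."""

    def __init__(self, remote_base: str, mapped_namespace: str):
        self.remote = split_dn(remote_base)      # e.g. dc=oracle,dc=com
        self.mapped = split_dn(mapped_namespace)  # e.g. dc=Oracle Corp,dc=com

    def to_virtual(self, remote_dn: str):
        """DN as Oracle Virtual Directory clients see it; None if outside the remote base."""
        rdns = split_dn(remote_dn)
        if not _ends_with(rdns, self.remote):
            return None
        return join_dn(rdns[: len(rdns) - len(self.remote)] + self.mapped)

    def to_remote(self, virtual_dn: str):
        """DN sent to the proxied directory; None if outside the mapped namespace."""
        rdns = split_dn(virtual_dn)
        if not _ends_with(rdns, self.mapped):
            return None
        return join_dn(rdns[: len(rdns) - len(self.mapped)] + self.remote)


if __name__ == "__main__":
    m = NamespaceMapper("o=Division B, c=UK", "ou=Division B, ou=People, o=AppView")
    print(m.to_virtual("cn=Jim Smith,ou=People,o=Division B, c=UK"))
    print(m.to_remote("cn=Jim Smith,ou=People,ou=Division B,ou=People,o=AppView"))
```

The mapping is applied in both directions: search results coming back from the proxied server are rewritten with to_virtual, and the base, target DN and bind DN of incoming operations with to_remote. A simple string replace would not do here, because a comma escaped inside a value must not be treated as a component boundary.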

12.1.1 Configuring LDAP Adapters

This section describes how to configure LDAP Adapter settings, including:

12.1.1.1 Configuring LDAP Adapter General Settings

After you create the LDAP Adapter you can configure the general settings for the adapter by clicking the adapter name in the Adapter tree, clicking the General tab, setting values for the following fields, and clicking Apply:

Root

This field defines the root DN that the adapter provides information for. The DN defined, and the child entries below it, comprise the adapter's namespace. The value you enter in this field should be the base DN value for the returned entries. For example, if you enter dc=mydomain,dc=com in the field, all entries end with dc=mydomain,dc=com.

Active

You can configure an adapter as active (enabled) or inactive (disabled). An adapter configured as inactive does not start during a server restart or an attempted adapter start. Use the inactive setting to keep old configurations available or in stand-by without having to delete them from the configuration. The default setting is active (enabled).

LDAP Server Details

Perform the following procedures to configure the proxy LDAP host information in the LDAP Servers table in the General tab. Each proxy LDAP host must provide equivalent content, that is, must be replicas.

Be careful when specifying only a single host for proxying. Without a failover host, the LDAP Adapter cannot automatically fail over to another host. A single host is suitable when Oracle Virtual Directory is connected to a logical LDAP service by using a load balancing system.


Note:

The information in the LDAP Servers table is used only if you set the Use DNS for Auto Discovery parameter to No.

To add a proxy LDAP host to the adapter:

  1. Click the Add Host button.

  2. Enter the IP Address or DNS name of the LDAP host to proxy to in the Hosts field.


    Note:

    Oracle Virtual Directory 11g Release 1 (11.1.1) supports IPv6. If your network supports IPv6 you can use a literal IPv6 address in the Hosts field to identify the proxied LDAP host.

  3. Enter the port number the proxied LDAP host provides LDAP services on in the Port field.

  4. Enter a number between 0 and 100 in the Percentage field to configure the load percentage to send to the host. If the combined percentages for all of the hosts configured for the adapter do not total 100, Oracle Virtual Directory automatically adjusts the load percentages by dividing the percentage you entered for a host by the total percentage of all hosts configured for the adapter. For example, if you have three hosts configured for the adapter at 20 percent, 30 percent, and 40 percent, Oracle Virtual Directory adjusts the 20 to 22 (20/90), the 30 to 33 (30/90), and the 40 to 44 (40/90).

  5. Select the Read-only option to configure the LDAP Adapter to only perform search operations on the LDAP host. The LDAP Adapter automatically directs all modify traffic to read/write hosts in the list.

To delete a proxy LDAP host from the adapter:

  1. Click anywhere in the row of the host you want to delete in the Remote Host table.

  2. Click the Delete button. A confirmation dialog box appears.

  3. Click Confirm to delete the proxy LDAP host from the adapter.

To validate a proxy LDAP host connection:

  1. Click anywhere in the row of the Remote Host table for the host you want to validate the connection for.

  2. Click the Validate button. The connection to the proxy LDAP host must be validated for the adapter to proxy the LDAP host.

Use SSL/TLS

Enabling this option secures the communication between the LDAP Adapter and the proxy LDAP hosts using SSL/TLS.


See:

"Managing Certificate Authorities for LDAP Adapters Secured by SSL" for information on Certificate Authorities.

SSL Authentication Mode

If you select (enable) the Use SSL/TLS option, choose the SSL authentication mode to use for securing the adapter by selecting an option from the SSL Authentication Mode list. The SSL Authentication Mode setting is functional only when the Use SSL/TLS option is enabled.

Failover Mode

If set to Sequential, the first host specified in LDAP Servers table is used unless a failure occurs. If a failure occurs, the next host is tried. Sequential failover is often used for fail-over between geographies. In sequential failover, the LDAP Adapter attempts to use the designated host until it fails. At this point, it would fail-over to an equivalent host available in another data center or continent.

If set to Distributed, each new connection made is load balanced through the list defined by the LDAP Servers table. Distributed failover is most often used when proxying a set of LDAP hosts that are typically in the same data center or are equally available in terms of network performance.


Note:

If a remote host's network fails, a delay of several minutes may occur in Oracle Virtual Directory because of platform specific TCP socket timeout settings. However, Oracle Virtual Directory failover is operating properly and no data is lost during the delay.

Extended Trying

Enable this option to force the Oracle Virtual Directory server to continue trying to connect to the last host listed in the LDAP Servers table for new incoming requests on the adapter, even after it has been determined that the connection to the host failed. When enabled, the adapter ignores the Heartbeat Interval setting for that host, regardless of whether a connection to it has failed, and does not remove the host from the LDAP Servers table. Some environments with distributed directories may prefer to disable Extended Trying and rely on the Routing Critical setting instead, so that partial results are returned quickly while a host is down. The default setting is enabled.

Heartbeat Interval

The LDAP Adapter periodically verifies the availability of each of the hosts defined in the LDAP Servers table. During each verification pass, a currently disabled host can be resurrected, and a currently active host that fails the TCP/IP connection test is marked as unavailable. The Heartbeat Interval parameter specifies the number of seconds between verification passes. Setting a value too low can cause unnecessary connections to the remote directory. Setting a value too high can mean extended time for recovery detection when you have a failure. For production environments, Oracle suggests starting with a value of 60 seconds, then making adjustments as needed.
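The following model ties together the Percentage, Read-only, Failover Mode and Heartbeat Interval settings described above. It is an added example written for this guide and is not Oracle Virtual Directory code: the class names, the smooth weighted round-robin used to realise the Distributed percentages, and the probe callback passed to the heartbeat are assumptions chosen to make the documented behaviour observable.

```python
"""Model of how the LDAP Adapter chooses a proxy host (added example, not OVD code)."""
from dataclasses import dataclass


@dataclass
class ProxyHost:
    name: str
    port: int = 389
    percentage: int = 100       # value entered in the Percentage field (0-100)
    read_only: bool = False     # Read-only option: search traffic only
    alive: bool = True          # flipped by failures and by the heartbeat pass
    current_weight: int = 0     # running weight for smooth weighted round-robin


class LdapAdapterRouting:
    """Sequential or Distributed failover over the LDAP Servers table."""

    def __init__(self, hosts, failover_mode="Sequential"):
        if failover_mode not in ("Sequential", "Distributed"):
            raise ValueError("Failover Mode must be Sequential or Distributed")
        self.hosts = list(hosts)
        self.failover_mode = failover_mode

    def normalized_percentages(self):
        """OVD divides each host's percentage by the total: 20/90 -> 22, 30/90 -> 33, 40/90 -> 44."""
        total = sum(h.percentage for h in self.hosts)
        if total == 0:
            return {}
        return {h.name: int(h.percentage * 100 / total) for h in self.hosts}

    def _candidates(self, operation):
        # Modify traffic is never sent to a host flagged Read-only.
        write = operation in ("add", "modify", "delete", "modrdn")
        return [h for h in self.hosts if h.alive and not (write and h.read_only)]

    def select(self, operation="search"):
        """Return the host that the next operation of this type would use."""
        cands = self._candidates(operation)
        if not cands:
            raise ConnectionError("no available proxy host for %s" % operation)
        if self.failover_mode == "Sequential":
            # First live host in table order is used until it fails.
            return cands[0]
        # Distributed: smooth weighted round-robin over the live hosts. Over one
        # cycle of sum(percentage) picks every host is chosen exactly in
        # proportion to its percentage, which is what OVD's normalisation yields.
        total = sum(h.percentage for h in cands)
        for h in cands:
            h.current_weight += h.percentage
        best = max(cands, key=lambda h: h.current_weight)
        best.current_weight -= total
        return best

    def mark_failed(self, name):
        """Operation Timeout expired or TCP connect failed: host is taken out of rotation."""
        for h in self.hosts:
            if h.name == name:
                h.alive = False

    def heartbeat(self, probe):
        """One Heartbeat Interval pass: probe(host) -> bool resurrects or disables each host."""
        for h in self.hosts:
            h.alive = bool(probe(h))
        return [h.name for h in self.hosts if h.alive]


def distribution(adapter, picks, operation="search"):
    """Count how many of `picks` operations land on each host."""
    counts = {}
    for _ in range(picks):
        name = adapter.select(operation).name
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    hosts = [ProxyHost("ldap1", percentage=20), ProxyHost("ldap2", percentage=30, read_only=True),
             ProxyHost("ldap3", percentage=40)]
    adapter = LdapAdapterRouting(hosts, "Distributed")
    print(adapter.normalized_percentages())
    print(distribution(adapter, 90))
```

Note that a Read-only host still receives searches in both modes; only the write operations skip it, and if every read/write host is down the adapter has nowhere to send a modify, which is the condition the heartbeat pass exists to clear.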

Operation Timeout

The amount of time in milliseconds the server waits for an LDAP request to be acknowledged by a remote host. If the operation fails, the LDAP Adapter automatically tries the next server in the Remote Host table. The minimum configurable value is 15000 (ms). For production environments, Oracle suggests starting with a value of 15000, which is 15 seconds, then making adjustments as needed.

Max Pool Connections

A tuning parameter that enables you to control how many simultaneous connections can be made to a single server. For production environments, Oracle suggests starting with a value of 10 connections, then making adjustments as needed.

Max Pool Wait

The maximum amount of time in milliseconds that an LDAP operation waits to use an existing connection before causing the LDAP Adapter to generate a new connection. For production environments, Oracle suggests starting with a value of 1000, which is 1 second, then making adjustments as needed.

Max Pool Tries

Maximum number of times an operation waits for an LDAP connection before overriding the Max Pool Connections parameter to generate a new connection. Maximum time is a function of multiplying Max Pool Wait time by the number of tries. If pool wait is 1 second, and 10 is the maximum number of tries, then if after 10 seconds an LDAP connection is not available in the normal pool, the pool will be expanded to handle the extended load. To prevent pool expansion beyond Max Pool Connections, set the number of tries to a high number. For production environments, Oracle suggests starting with a value of 10, then making adjustments as needed.

Use Kerberos

Refer to step 14 for information about the Use Kerberos option.

Kerberos Retry

If you enable the Use Kerberos option, you can use the Kerberos Retry option to control whether Oracle Virtual Directory should retry logging in after failed authentication attempts. If you enable the Kerberos Retry option and authentication fails, Oracle Virtual Directory reloads the krb5.conf file and retries the log in.


Note:

If you identified multiple Active Directory servers in a single Kerberos realm in the krb5.conf file, do not enable the Kerberos Retry option, as enabling the retry may disrupt fail-over functionality.

Use DNS For Auto Discovery

Instead of configuring specific proxy LDAP hosts in the LDAP Servers table, you can use this option to instruct Oracle Virtual Directory to use DNS to locate the appropriate LDAP servers for the remote base defined, also known as serverless bind mode. The LDAP Adapter supports the following modes of operation:

  • No: Use the LDAP Servers table configuration—no serverless bind

  • Standard: Use standard DNS lookup for a non-Microsoft server. All servers are marked as read/write, so enabling the Follow Referrals setting is advised to allow for LDAP write support.

  • Microsoft: The DNS server is a Microsoft dynamic DNS and also supports load-balancing configuration. If proxying to a Microsoft dynamic DNS server, this is the preferred setting because of Oracle Virtual Directory's ability to auto-detect read/write servers compared to read-only servers.


Note:

Remote base should have a domain component style name when using this setting, for example, dc=myorg,dc=com. This name enables Oracle Virtual Directory to locate the LDAP hosts within the DNS service by looking up myorg.com.

The following fields appear in the Settings section of the General tab:

Remote Base

The location in the remote server directory tree structure to which the local Oracle Virtual Directory root suffix corresponds. This is the location in the remote directory under which Oracle Virtual Directory executes all searches and operations for the current adapter. The LDAP Adapter applies an automatic mapping of all entries from the remote base to the adapter root base.

DN Attributes

List of attributes to be treated as DNs for which namespace translation is required, such as member, uniquemember, manager. For example, when reading a group entry from a proxied directory, Oracle Virtual Directory automatically converts the DN for the group entry itself and the uniquemember or member attributes if these attributes are in the DN Attributes list.


Note:

Translate only those attributes you know must be used by the client application. Entering all possible DN attributes may not be necessary and consumes a small amount of additional CPU time in the proxy.

To add attributes to the DN Attributes list:

  1. Click Add. The Select DN Attribute dialog box appears.

  2. Select the attribute you want to add.

  3. Click OK.

Escape Slashes

When a / character is encountered in a directory, Oracle Virtual Directory can optionally escape the slashes with back-slashes \ character. Some directory server products accept un-escaped slashes, while others reject them. Selecting this setting enables escaping of slashes.
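The Remote Base, DN Attributes and Escape Slashes settings above all act on DNs returned by the proxied directory. The code below is an added example, not Oracle Virtual Directory code, that models those three rules on a group entry: every DN under the remote base is rewritten under the adapter root, only the attributes listed in DN Attributes are translated, a DN that does not sit under the remote base (for example a member from another directory) is left alone, and slashes are escaped only when the option is on. The function names and the simplified DN splitting are assumptions of this example.

```python
"""Namespace translation as performed by the LDAP Adapter (added example, not OVD code)."""


def _split_rdns(dn):
    """Split a DN on unescaped commas and trim whitespace around each RDN."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return rdns


def _ends_with(dn_rdns, base_rdns):
    """Case-insensitive suffix match on whole RDN components only."""
    if len(base_rdns) > len(dn_rdns):
        return False
    tail = dn_rdns[len(dn_rdns) - len(base_rdns):]
    return [r.lower() for r in tail] == [r.lower() for r in base_rdns]


def map_dn(dn, remote_base, adapter_root, escape_slashes=False):
    """Rewrite one DN from the remote namespace (Remote Base) into the adapter namespace (Root)."""
    dn_rdns, base_rdns = _split_rdns(dn), _split_rdns(remote_base)
    if not _ends_with(dn_rdns, base_rdns):
        return dn                      # outside the remote base: not translated
    prefix = dn_rdns[:len(dn_rdns) - len(base_rdns)]
    if escape_slashes:
        # Escape Slashes: present an unescaped "/" as "\/" to the client.
        prefix = [r.replace("\\/", "/").replace("/", "\\/") for r in prefix]
    return ",".join(prefix + _split_rdns(adapter_root))


def map_entry(entry, remote_base, adapter_root, dn_attributes, escape_slashes=False):
    """Translate an entry's own DN plus the values of the attributes in DN Attributes."""
    out = {"dn": map_dn(entry["dn"], remote_base, adapter_root, escape_slashes)}
    listed = {a.lower() for a in dn_attributes}
    for attr, values in entry.items():
        if attr == "dn":
            continue
        if attr.lower() in listed:
            out[attr] = [map_dn(v, remote_base, adapter_root, escape_slashes) for v in values]
        else:
            out[attr] = list(values)   # untouched, even if the value looks like a DN
    return out


# Constructed sample entry, as a proxied directory might return it.
SAMPLE_GROUP = {
    "dn": "cn=admins,ou=groups,DC=Remote,DC=com",
    "member": ["cn=alice,ou=people,dc=remote,dc=com", "cn=bob,dc=other,dc=org"],
    "seeAlso": ["cn=alice,ou=people,dc=remote,dc=com"],
    "description": ["directory administrators"],
}

if __name__ == "__main__":
    print(map_entry(SAMPLE_GROUP, "dc=remote,dc=com", "dc=mydomain,dc=com", ["member", "uniquemember"]))
```

Running the sample shows the point of the note above: seeAlso is a DN-syntax attribute, but because it is not in the DN Attributes list the client receives the remote-namespace value unchanged, so a client that resolves it would be sent to a DN the adapter does not serve.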

Follow Referrals

Enabling this setting causes the LDAP Adapter to follow (chase) referrals received from a source directory on the client's behalf. If disabled, the referral is blocked and not returned to the client.

The following list summarizes the LDAP Adapter's behavior with different combinations of the Follow Referrals setting and the Send Managed DSA Control in LDAP Operations setting:

  • If the LDAP Adapter's Follow Referrals is set to Enabled (true), and Send Managed DSA Control in LDAP Operations is also set to True, Oracle Virtual Directory does not chase the referral entries, but it returns them back to the client.

  • If the LDAP Adapter's Follow Referrals is set to Enabled (true), but Send Managed DSA Control in LDAP Operations is set to False, Oracle Virtual Directory chases the referral entries.

  • If the LDAP Adapter's Follow Referrals is set to Disabled (false), but Send Managed DSA Control in LDAP Operations is set to True, Oracle Virtual Directory does not chase the referral entries, but it returns them back to the client.

  • If the LDAP Adapter's Follow Referrals is set to Disabled (false), and Send Managed DSA Control in LDAP Operations is also set to False, Oracle Virtual Directory does not chase the referral entries and does not return them back to client.

Proxied Page Size

If enabled, this setting allows the proxy to use the paged results control with a proxied directory. Enabling this setting is most often used when a directory limits the number of results in a query. This setting is used on behalf of and transparently to Oracle Virtual Directory's clients.

The following fields appear in the Credential Processing section of the General tab:

Proxy DN

The default DN that the LDAP Adapter binds with when accessing the proxied directory. Depending on the Pass-through Mode setting, this DN is used for all operations, or only for exceptional cases such as pass-through mode. The form of the distinguished name should be in the form of the remote directory. Empty values are treated as Anonymous.

Proxy Password

The authentication password to be used with the Proxy DN value. To set the password, enter a value in clear text. When loaded on the server, the value is automatically obfuscated with a reversible mask, for example, {OMASK}jN63CfzDP8XrnmauvsWs1g==. Because the mask is reversible, not a one-way hash, anyone who can read the adapter configuration can recover the password, so restrict access to the configuration files accordingly.

Pass-through Mode

To pass user credentials presented to Oracle Virtual Directory to the proxied LDAP server for all operations, set to Always. To pass user credentials to the proxied LDAP server for bind only and use the default server credentials for all other operations, set to Bind Only. To use the Proxy DN credentials for all operations, set to Never.


Note:

In some situations when pass-through mode is set to Always, the LDAP Adapter may still use the Proxy DN. This occurs when the user credential cannot be mapped, for example, from another adapter namespace, or is the root account.

If defining multiple adapters to different domain controllers within a Microsoft Active Directory forest, you can program the LDAP Adapter to proxy credentials from other adapters (that is, two or more adapters pointing to the same Active Directory forest) by using the Routing Bind-Include setting.


The following fields appear in the Ping Protocol Settings section of the General tab:

The Ping Protocol Settings provide options for how to determine when a source LDAP directory server that is not responding becomes available. If multiple source directory servers are configured, Oracle Virtual Directory identifies the non-responsive servers and performs subsequent operations against the next available server.

Ping Protocol

Select either TCP or LDAP as the protocol Oracle Virtual Directory should use to ping source directory servers. Select LDAP if the source directory server is using SSL.


Note:

While the TCP protocol option is faster than the LDAP option, it may produce an inaccurate response from the source directory server if its network socket is available, but its LDAP server process is unavailable.

Ping Bind DN

If you select LDAP as the Ping Protocol, identify the DN to use for the LDAP bind.

Ping Bind Password

If you select LDAP as the Ping Protocol, identify the password for the DN specified in the Ping Bind DN setting.
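The note above says a TCP ping can report a host as available when only its socket is open. The script below makes that difference concrete. It is an added example, not Oracle Virtual Directory code: the BER encoding of the LDAP BindRequest and BindResponse follows RFC 4511 and is written out by hand so the script has no dependencies, and the two in-process listeners are constructed stand-ins for a proxied directory (one that accepts connections but never speaks LDAP, one that answers a simple bind). Function names, the fixed message ID and the hypothetical ping DN cn=ping,dc=example,dc=com are assumptions of the example.

```python
"""TCP ping versus LDAP ping against a proxied directory host (added example, not OVD code)."""
import socket
import threading


def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def bind_request(message_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    auth = _tlv(0x80, password.encode())                       # [0] simple
    bind = _tlv(0x60, _tlv(0x02, b"\x03") + _tlv(0x04, bind_dn.encode()) + auth)
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind)


def bind_response(message_id, result_code):
    """LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diagnosticMessage } }."""
    body = _tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, b"")
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x61, body))


def parse_bind_result(data):
    """Return the resultCode of a BindResponse, or None if the bytes are not one."""
    try:
        if data[0] != 0x30:
            return None
        i = 2 if data[1] < 0x80 else 2 + (data[1] & 0x7F)
        if data[i] != 0x02:
            return None
        i += 2 + data[i + 1]                                   # skip messageID
        if data[i] != 0x61:
            return None
        i += 2 if data[i + 1] < 0x80 else 2 + (data[i + 1] & 0x7F)
        if data[i] != 0x0A:
            return None
        return data[i + 2]
    except IndexError:
        return None


def tcp_ping(host, port, timeout=1.0):
    """Ping Protocol = TCP: succeeds as soon as the socket accepts a connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ldap_ping(host, port, bind_dn="", password="", timeout=1.0):
    """Ping Protocol = LDAP: succeeds only on a BindResponse with resultCode success (0)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(bind_request(1, bind_dn, password))
            return parse_bind_result(s.recv(4096)) == 0
    except OSError:                                            # refused, reset, timeout
        return False


def _serve(handler):
    """Start a one-connection listener on 127.0.0.1 in a thread; return its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def dead_ldap_process():
    """Constructed stand-in: port open (e.g. a forwarder) but no LDAP process; hangs up."""
    return _serve(lambda conn: conn.recv(4096))


def healthy_directory(expected_dn="cn=ping,dc=example,dc=com"):
    """Constructed stand-in: success if the bind DN matches, otherwise invalidCredentials (49)."""
    def handle(conn):
        req = conn.recv(4096)
        conn.sendall(bind_response(1, 0 if expected_dn.encode() in req else 49))
    return _serve(handle)


if __name__ == "__main__":
    print("TCP ping of dead process:", tcp_ping("127.0.0.1", dead_ldap_process()))
    print("LDAP ping of dead process:", ldap_ping("127.0.0.1", dead_ldap_process()))
    print("LDAP ping of healthy host:", ldap_ping("127.0.0.1", healthy_directory(), "cn=ping,dc=example,dc=com", "secret"))
```

The first line printed is True and the second False: the TCP probe would keep routing operations to a host whose directory process is gone. The LDAP probe also fails when the Ping Bind DN or password is wrong, so a ping account whose password expires will make a healthy host look dead.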

12.1.1.4 Managing Certificate Authorities for LDAP Adapters Secured by SSL

In some situations, SSL connections from Oracle Virtual Directory to the SSL port of an LDAP server proxied by an LDAP Adapter can fail and the following message may appear:

Oracle Virtual Directory could not load certificate chain

Two examples of situations when this may happen are when:

  • you create a new LDAP Adapter secured by SSL and use an untrusted Certificate Authority

  • a certificate for an existing LDAP Adapter secured by SSL expires and the new certificate is signed by an untrusted Certificate Authority

To resolve this issue, import the LDAP server certificate and the Root Certificate Authority certificate used to sign the LDAP server certificate, into the Oracle Virtual Directory server so it knows the certificates are trusted.

Use the following keytool command and an appropriate alias all on one command line:

ORACLE_HOME/jdk/jre/bin/keytool -import -trustcacerts
-alias "NEW_CA" -file PATH_TO_CA_CERTIFICATE
-keystore ORACLE_INSTANCE/config/OVD/ovd1/keystores/adapters.jks

Using LDAP Adapters with Microsoft Active Directory and Microsoft Certificate Services

By default, Microsoft Certificate Services automatically renews expired Active Directory SSL certificates. However, client applications are not normally notified of this change. When this happens, the Oracle Virtual Directory LDAP Adapter connected to the updated Active Directory server stops functioning. If this occurs, use Oracle Directory Services Manager to configure the LDAP Adapter to import the trusted certificates and the adapter should begin to function again.

12.1.2 Configuring a Mutual Authentication SSL Connection Between Oracle Virtual Directory and Oracle Internet Directory

Perform the following steps to configure a mutual authentication SSL connection between Oracle Virtual Directory and Oracle Internet Directory:

  1. Create and configure an LDAP Adapter for Oracle Internet Directory by referring to Creating LDAP Adapters and Configuring LDAP Adapters. When you configure the adapter, set it to use a non-SSL port number.

  2. If ORACLE_INSTANCE/config/OVD/ovd1/keystores/adapters.jks does not exist, create it with a self-signed certificate to store the trusted certificates by using the following command:

    ORACLE_HOME/jdk/jre/bin/keytool -genkey \
    -keystore ORACLE_INSTANCE/config/OVD/ovd1/keystores/adapters.jks \
    -storepass password -alias alias -keyalg rsa -dname DN
    

    Note:

    The DN identified by the -dname option in the preceding command is the DN that Oracle Virtual Directory uses to act as a client to Oracle Internet Directory.

    A user entry corresponding to this DN must exist (or must be created) on Oracle Internet Directory in order for SSL mutual authentication to work.


  3. Export the Oracle Internet Directory server certificate in Base64 format using the following command:

    orapki wallet export -wallet LOCATION_OF_OID_WALLET \
    -dn DN_FOR_OID_SERVER_CERTIFICATE -cert ./b64certificate.txt
    

    Note:

    If you use a certificate alias in the orapki command and the alias is not in all lowercase letters, an error occurs.

  4. Import the Oracle Internet Directory server certificate exported in step 3 to the Oracle Virtual Directory keystore as a trusted entry using the following command:

    ORACLE_HOME/jdk/jre/bin/keytool -importcert \
    -keystore ORACLE_INSTANCE/config/OVD/ovd1/keystores/adapters.jks \
    -storepass password -alias alias -file b64certificate.txt -noprompt
    
  5. Export the Oracle Virtual Directory server certificate in Base 64 format using the following command:

    ORACLE_HOME/jdk/jre/bin/keytool -exportcert \
    -keystore ORACLE_INSTANCE/config/OVD/ovd1/keystores/adapters.jks \
    -storepass password -rfc -alias alias -file cert.txt
    
  6. Import the Oracle Virtual Directory server certificate to the Oracle Internet Directory wallet as a trusted certificate. Execute the following command from the Oracle Internet Directory wallet directory:

    orapki wallet add -wallet ./ewallet.p12 -cert cert.txt
    -trusted_cert -pwd password
    

    Note:

    If you use a certificate alias in the orapki command and the alias is not in all lowercase letters, an error occurs.

  7. Using Oracle Directory Services Manager, update the LDAP Adapter for Oracle Internet Directory as follows:

    • Select (enable) the Use SSL/TLS option

    • Change the port number to an SSL port number

    • Click the Apply button to save the changes to the adapter.

  8. Restart the Oracle Virtual Directory server.

12.2 Creating Database Adapters

This topic explains how to create and configure Database Adapters and includes the following sections:

Perform the following steps to create Database Adapters using Oracle Directory Services Manager:


Note:

Before you create a Database Adapter for a non-Oracle database for the first time, you must first load the database's drivers into Oracle Virtual Directory. Refer to "Loading Libraries into the Oracle Virtual Directory Server" for information on loading drivers into the Oracle Virtual Directory server.

If you are creating an adapter for MS SQL 2005 or 2008, be sure you use the latest sqljdbc4.jar (SQL JDBC driver). Using an older driver can cause database display problems and prevent you from successfully creating the adapter.


  1. Log in to Oracle Directory Services Manager.

  2. Select Adapter from the task selection bar. The Adapter navigation tree appears.

  3. Click the Create Adapter button. The New Adapter Wizard appears.

  4. Perform the following steps to define the Type of adapter:

    1. Select Database from the Adapter Type list.

    2. Enter a unique name for the Database Adapter in the Adapter Name field. The adapter name value is used in other configuration fields that must reference the adapter.

    3. Select Default from the Adapter template list unless you are integrating Oracle Virtual Directory with Oracle Access Manager. Refer to "Understanding Adapter Templates" for more information.


      Note:

      After selecting an adapter template, Oracle Directory Services Manager populates default values for some adapter settings. You should alter these default settings according to your environment.

    4. Click Next. The Connection screen appears.

  5. Enter a valid base DN (in DN format) in the Adapter Suffix/Namespace field. This field defines the root DN that the adapter provides information for. The DN defined, and the child entries below it, comprise the adapter's namespace. The value you enter in this field should be the base DN value for returned entries. For example, if you enter dc=mydomain,dc=com in the field, all entries end with dc=mydomain,dc=com.

  6. Select one option from the URL Type list. Some steps to create a Database Adapter differ depending on which option you choose. After selecting an option, continue this procedure by following the steps listed for that option.

  7. Identify the database tables the Database Adapter should use in the Map Database Tables field by entering the name of the table file, or by clicking Browse, navigating to the table file, selecting it, and clicking OK. Click Next on the Map Database Tables screen to proceed. The Map Object Classes screen appears.


    Note:

    If you do not define an object class in step 8, the information you entered in the Map Database Tables field cannot be saved.

  8. In the Map Object Classes field, define the object classes and their RDNs that map to the database tables. Click the Create Object Class button. The New Object Class Mapping dialog box appears allowing you to define the objectclass and their corresponding RDNs. Enter the following information:

    1. Select the appropriate object class from the Object Class list.

    2. Enter the RDN for the object class in the RDN field.

    3. Click OK. The object class and the RDN appear in the Object Class table.


    Note:

    You can create nested object classes by entering an existing object class as the parent; the RDN of the nested class must be an attribute of the child object class. For example, you could create parent organization units for records in a table about people where location information is available that you can use to drive the organization unit (ou) information.

  9. Map LDAP attributes for the object class and RDNs to the database table and fields. You must map LDAP attributes for the object class RDN value. You do not have to map every LDAP attribute required by the LDAP schema for the selected object class.

    Click the appropriate object class in the Object Class table and then click the Add Mapping Attribute button on the Attributes Mapping table. Enter the following information.

    • Select the LDAP attribute value for the object class from the LDAP Attribute list.

    • Select the appropriate database table and field from the Database Table:Field list.

    • Optionally, select a description for the attribute type from the Data Type list.


      Note:

      You must select BLOB from the Data Type list if you are mapping an attribute to a BLOB column in the database.

  10. Click Next on the Map Object Class Mapping screen after defining all the object classes and attribute mappings. The Summary screen appears listing the settings for the Database Adapter.

  11. Review the Database Adapter settings and click Finish to create the Database Adapter. The new Database Adapter appears in the Adapter tree.

When the adapter starts, Oracle Virtual Directory connects to the database and retrieves all defined LDAP attributes and their corresponding table and column information to reconcile the attributes with the defined LDAP schema. If a mapped LDAP attribute is already defined, it attempts to create a mapping from the database source format to the target LDAP schema format. If the LDAP attribute is not defined, the Database Adapter temporarily adds an attribute to the server schema that most closely maps to the database format (this definition is not added to the permanent Oracle Virtual Directory schema configuration).

After you create the Database Adapter, you can configure it using the procedures in Configuring Database Adapters.

12.2.1 Creating Database Adapters for Oracle RAC Database

To create a Database Adapter for use with Oracle RAC Database, perform the procedure in "Creating Database Adapters", but when you configure the connection to the Oracle RAC database on the Connection screen:

  • Select Use Custom URL from the URL Type list.

  • In the Database URL field, enter the URL to connect to the Oracle RAC database, such as:

    jdbc:oracle:oci:@(DESCRIPTION=(ADDRESS_LIST=(LOAD_
    BALANCE=ON)(ADDRESS=(PROTOCOL=TCP)(HOST=host-name-1)(PORT=1521))(ADDRESS=
    (PROTOCOL=TCP)(HOST=host-name-2)(PORT=1521)))(CONNECT_
    DATA=(SERVER=DEDICATED)(SERVICE_NAME=database-service-name)))
    

Note:

The Oracle Virtual Directory Database Adapter does not support Fast Connection Failover (FCF) for Oracle RAC. However, after a RAC instance failure, Oracle Virtual Directory reconnects to a surviving RAC instance.

12.2.2 Creating Database Adapters for Oracle TimesTen In-Memory Database

Perform the following steps to create a Database Adapter for use with Oracle TimesTen In-Memory Database:

  1. If native Oracle TimesTen libraries are not accessible to Oracle Virtual Directory, you must install the Oracle TimesTen In-Memory Database client.

  2. In Oracle Virtual Directory's opmn.xml file, add the location of the Oracle TimesTen libraries and add the location of the Oracle TimesTen JDBC driver to the class-path. The opmn.xml file is located in the following directory:

    ORACLE_INSTANCE/config/OPMN/opmn/

    To set the location of the Oracle TimesTen libraries:

    Add the LD_LIBRARY_PATH environment variable for UNIX and Linux platforms, or add the PATH environment variable on Windows.

    For example, on UNIX and Linux platforms, you add the LD_LIBRARY_PATH environment variable as follows, where TIMESTEN_HOME represents the directory where you installed the Oracle TimesTen software:


    Note:

    On Windows platforms, the PATH environment variable you set in the opmn.xml file must include the Oracle TimesTen bin directory, such as, TIMESTEN_HOME/bin.

    To add the location of the Oracle TimesTen JDBC driver to the class-path:

    Set the java-classpath to include the path to the TimesTen JDBC Driver as follows, where TIMESTEN_HOME represents the directory where you installed the Oracle TimesTen software:

  3. Reload the configuration to OPMN, and stop, then start Oracle Virtual Directory. For example:

    To reload the configuration to OPMN, execute:

    ORACLE_INSTANCE/bin/opmnctl reload
    

    To stop Oracle Virtual Directory, execute:

    ORACLE_INSTANCE/bin/opmnctl stopproc ias-component=NAME_OF_OVD_COMPONENT
    

    To start Oracle Virtual Directory, execute:

    ORACLE_INSTANCE/bin/opmnctl startproc ias-component=NAME_OF_OVD_COMPONENT
    
  4. Create a Database Source Name (DSN) for Oracle TimesTen. Refer to the Oracle TimesTen Operations Guide on the Oracle Technology Network Web site for more information.

  5. Create the Database Adapter for Oracle TimesTen using Oracle Directory Services Manager. When you create the Database Adapter for Oracle TimesTen:

    If the adapter is for an Oracle TimesTen client-only installation: 

    1. Select the Use Custom URL option from the URL Type list on the Connection screen of the New Database Adapter Wizard.

    2. Enter the following in the JDBC Driver Class field:

      com.timesten.jdbc.TimesTenDriver
      
    3. In the Database URL field, enter the following and replace DSN with the Database Source Name you created in step 4:

      jdbc:timesten:client:dsn=DSN
      
    4. Continue creating the adapter by referring to the "Creating Database Adapters" section of the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory.

    If the adapter is for an Oracle TimesTen client and server installation: 

    1. Select the Use Predefined Database option from the URL Type list on the Connection screen of the New Database Adapter Wizard.

    2. Choose Oracle - Times-Ten from the Database Type list.

    3. Select the Use Custom URL option from the URL Type list.

    4. In the Database URL field, enter the following and replace DSN with the Database Source Name you created in step 4:

      jdbc:timesten:direct:dsn=DSN
      
    5. Continue creating the adapter by referring to the "Creating Database Adapters" section of the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory.


Note:

You can use the Enable Case Insensitive Search option, as described in the "Configuring Database Adapter General Settings" section of the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory, to improve Database Adapter performance during searches on case-insensitive LDAP attributes, such as uid, for Oracle TimesTen databases.

In addition to enabling the Enable Case Insensitive Search option, the linguistic indexes for the database columns used in the search must be created in the database. Refer to the Oracle Database Globalization Support Guide for information about Oracle TimesTen database linguistic indexes.


12.2.3 Configuring Database Adapters

This section describes how to configure Database Adapter settings, including:

12.2.3.1 Configuring Database Adapter General Settings

After you create the Database Adapter, you can configure the general settings for the adapter by clicking the adapter name in the Adapter tree, clicking the General tab, setting values for the following fields, and clicking Apply:

Root

This field defines the root DN that the adapter provides information for. The DN defined, and the child entries below it, comprise the adapter's namespace. The value you enter in this field should be the base DN value for returned entries. For example, if you enter dc=mydomain,dc=com in the field, all entries end with dc=mydomain,dc=com.

Active

An adapter can be configured as active (enabled) or inactive (disabled). An adapter configured as inactive does not start during a server restart or an attempted adapter start. Use the inactive setting to keep old configurations available or in stand-by without having to delete them from the configuration. The default setting is active.

The following fields appear in the Connection Settings section of the General tab:

URL Type

Select an option from the following URL Type list. Some fields for Database Adapter connection settings differ depending on which option you choose. After selecting an option, continue configuring the Connection Settings by setting the fields listed for each option.

  • Use Custom URL: Select this option to connect Oracle Virtual Directory to a custom database.

    • Enter the JDBC driver class name for the database in the JDBC Driver Class field.

    • Enter the URL that Oracle Virtual Directory should use to access the database in the Database URL field.

    • Enter the user name that the Database Adapter should use to connect to the database in the Database User field.

    • Enter the password for the user name you entered in the Database User field in the Password field. Oracle Virtual Directory replaces the value you enter in this field with a reversible masked value upon startup.

  • Use Predefined Database: Select this option to connect to a predefined database. The predefined databases appear in the Database Type list after selecting Use Predefined Database from the URL Type list. If you are unsure if Oracle Virtual Directory has predefined your type of database, select Use Predefined Database from the URL Type list and verify if your database is listed in the Database Type list. If your database is listed in the Database Type list, continue with the following steps. If your database is not listed, select Use Custom URL from the URL Type list and perform the steps for using a custom URL.

    • Select the type of your database from the Database Type list. After selecting the database type, the JDBC Driver Class and Database URL fields are populated with the appropriate information for the database.

    • Enter the IP Address or DNS host name of the database in the Host field.

    • Enter the port number the database listens on in the Port field.

    • Enter the name of the database, for example, the Oracle SID, in the Database Name field.

    • Enter the user name that the Database Adapter should use to connect to the database in the Database User field.

    • Enter the password for the user name you entered in the Database User field in the Password field. Oracle Virtual Directory replaces the value you enter in this field with a reversible masked value upon startup.

The following fields appear in the Settings section of the General tab:

Ignore Modify Objectclass

Since objectclasses in the database are logical objects and do not map directly to a table column in the mapping, modifications to the objectclass attribute can cause errors. If the Ignore Modify Objectclass option is enabled, the Database Adapter removes any references to the objectclass attribute from the modify request so that no error is sent to the client application, that is, the modification is ignored. If the Ignore Modify Objectclass option is not selected, error messages are sent to the client application.

Include Object Class Super Classes

This setting causes the Database Adapter to list objectclass parent classes along with the main objectclass in the objectclass attribute. Disable this setting when you want to emulate Microsoft Active Directory server schema. For most scenarios, it is useful to enable this setting so that objectclass=xxx queries can be executed against parent objectclass values.

Enable Case Insensitive Search

Enabling (selecting) the Enable Case Insensitive Search option makes the search case insensitive for case insensitive LDAP attributes, such as uid. Oracle Virtual Directory uses UPPER in the SQL query when Enable Case Insensitive Search is enabled. If the database cannot maintain functional indexes, such as for Oracle TimesTen or MySQL databases, then you should disable the Enable Case Insensitive Search option. When the Enable Case Insensitive Search is disabled, Oracle Virtual Directory performs case sensitive searches and does not use UPPER in the SQL query. The default value for Enable Case Insensitive Search is Enable.
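The following Python script is an added example; it is not part of the original documentation and not Oracle Virtual Directory code. Against an in-memory SQLite table with constructed rows, it shows how an LDAP equality assertion on a mapped column becomes SQL with and without UPPER, why a functional index on UPPER(column) matters for the case-insensitive form, and why the filter value must reach the database as a bound parameter rather than as part of the SQL text. The table, the COLUMNS mapping and the build_equality_sql helper are assumptions made for the example.

```python
import sqlite3

# Constructed sample table rows (not from the original page).
SAMPLE_ROWS = [
    ("JSmith", "Smith", "jsmith@example.com"),
    ("mjones", "Jones", "mjones@example.com"),
]

# Attribute-to-column mapping the adapter is configured with; only these
# names may ever appear in the SQL text (constructed for the example).
COLUMNS = {"uid", "sn", "mail"}


def make_db():
    """Create an in-memory database with a functional index on UPPER(uid).
    A database that cannot maintain such an index (the page names Oracle
    TimesTen and MySQL) would scan the table for every UPPER() comparison,
    which is why Enable Case Insensitive Search should be off there."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid TEXT, sn TEXT, mail TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.execute("CREATE INDEX users_uid_upper ON users (UPPER(uid))")
    return conn


def build_equality_sql(column, case_insensitive):
    """Translate an LDAP equality assertion on one mapped column into a
    parameterized WHERE clause. With case-insensitive search on, both sides
    are wrapped in UPPER(), as the page describes; the filter value itself is
    always supplied through the ? placeholder, never spliced into the text."""
    if column not in COLUMNS:
        raise ValueError(f"attribute not mapped to a column: {column!r}")
    if case_insensitive:
        return f"SELECT uid FROM users WHERE UPPER({column}) = UPPER(?)"
    return f"SELECT uid FROM users WHERE {column} = ?"


def search(conn, column, value, case_insensitive=True):
    """Run the translated query and return the matching uid values."""
    sql = build_equality_sql(column, case_insensitive)
    return [row[0] for row in conn.execute(sql, (value,))]


if __name__ == "__main__":
    db = make_db()
    print(search(db, "uid", "jsmith", case_insensitive=True))   # ['JSmith']
    print(search(db, "uid", "jsmith", case_insensitive=False))  # []
    # A crafted value is only a string to compare against, not SQL.
    print(search(db, "uid", "' OR '1'='1", case_insensitive=True))  # []
```

The column name comes from the adapter's own mapping, never from the client, and the value travels as a bound parameter; together these keep a hostile LDAP filter from turning into SQL injection on the backing database, whatever the case-sensitivity setting.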

Maximum Connections

This setting defines the maximum connections the Database Adapter may make with the database.

Connection Wait Timeout

This setting determines how much time (in seconds) the Database Adapter should wait before timing-out when trying to establish a connection with the database.

The following fields appear in the DB/LDAP Mapping section of the General tab:

Used Database Tables

This field displays the database tables the Database Adapter is set to use. To add a database table, click the Add button, navigate to the table file, select it and click OK.

The following fields appear in the Object Classes section of the General tab:

Object Classes

This field displays object classes and their RDNs that map to the database tables. To add an Object Class Mapping, click the Create button, select the appropriate object class from the Object Class list, enter an RDN value for the object class in the RDN field, and click OK.

12.3 Creating Local Store Adapters

This topic explains how to create and configure Local Store Adapters and includes the following sections:

Perform the following steps to create Local Store Adapters using Oracle Directory Services Manager:

  1. Log in to Oracle Directory Services Manager.

  2. Select Adapter from the task selection bar. The Adapter navigation tree appears.

  3. Click the Create Adapter button. The New Adapter Wizard appears.

  4. Perform the following steps to define the Type of adapter:

    1. Select Local Store from the Adapter Type list.

    2. Enter a unique name for the Local Store Adapter in the Adapter Name field. The adapter name value is used in other configuration fields that must reference the adapter.

    3. Select an adapter template from the Adapter Template list by referring to "Understanding Adapter Templates". Use the Default template if you are unsure which template to use.


      Note:

      After selecting an adapter template, Oracle Directory Services Manager populates default values for some adapter settings. You should alter these default settings according to your environment.

    4. Click Next. The Settings screen appears.

  5. Enter a valid base DN (in DN format) in the Adapter Suffix/Namespace field. This field defines the root DN that the adapter provides information for. The DN defined, and the child entries below it, comprise the adapter's namespace. The value you enter in this field should be the base DN value for returned entries. For example, if you enter dc=mydomain,dc=com in the field, all entries end with dc=mydomain,dc=com.

  6. Select the Create Adapter Suffix option to create a base entry in the Local Store Adapter using the value specified in the Adapter Suffix/Namespace field.


    Note:

    If you enable the Create Adapter Suffix option, an Objectclass screen appears after you click Next on the Settings screen. When the Objectclass screen appears, select an Objectclass for the base entry in the Local Store Adapter.

  7. Enter the path, relative to the Oracle Virtual Directory installation, and a unique file name prefix for the Local Store Adapter data files in the Database File field. For example, a valid name may be data/localDB. If you are using multiple Local Store Adapters, this value must be unique for each adapter or data-corruption occurs.

  8. Enter the size for the Local Store Adapter cache in the Cache Size field. The Cache Size option determines the number of entries the Local Store Adapter will cache, which always contains the last entries accessed or written. The size of the entries determines how much memory you need.


    Note:

    Storing very large entries, for example, groups or binary objects, may cause Oracle Virtual Directory to consume more memory than normal. You may have to increase the overall memory available to Oracle Virtual Directory.

  9. Select the password hash type by choosing an option from the Password Hash Mode list. The most secure algorithm offered is SSHA; the others are available for compatibility purposes. Selecting PLAIN leaves the password value un-hashed in the internal Local Store Adapter data store, so anyone who can read the adapter's data or backup files can read the passwords.

  10. Enter the path, relative to the Oracle Virtual Directory installation, and a unique file name in the Backup File field in which automatic backups should be stored. For example, a valid backup file may be backup/localDB. The backup file name should be unique to the Local Store Adapter to prevent being over-written by another Local Store Adapter.

  11. Enter the hour (0 to 23) in the Backup Time - Hour field to set the hour of the time at which the Local Store Adapter automatic backup should occur.

  12. Enter the minute (0 to 59) in the Backup Time - Minute field to set the minute of the time at which the Local Store Adapter automatic backup should occur.

  13. Enter the maximum number of backup files in the Max Backup Files field to keep in the backup file rotation for the Local Store Adapter.

  14. Click Next. The Summary screen appears listing the settings for the Local Store Adapter.

  15. Review the Local Store Adapter settings and click Finish to create the Local Store Adapter. The new Local Store Adapter appears in the Adapter tree.

After you create the Local Store Adapter you can configure it using the procedures in Configuring Local Store Adapters.

12.3.1 Configuring Local Store Adapters

This section describes how to configure Local Store Adapter settings, including:

12.3.1.1 Configuring Local Store Adapter General Settings

After you create the Local Store Adapter you can configure the general settings for the adapter by clicking the adapter name in the Adapter tree, clicking the General tab, setting values for the following fields, and clicking Apply:

Root

This field defines the root DN that the adapter provides information for. The DN defined, and the child entries below it, comprise the adapter's namespace. The value you enter in this field should be the base DN value for returned entries. For example, if you enter dc=mydomain,dc=com in the field, all entries end with dc=mydomain,dc=com.

Active

An adapter can be configured as active (enabled) or inactive (disabled). An adapter configured as inactive does not start during a server restart or an attempted adapter start. Use the inactive setting to keep old configurations available or in stand-by without having to delete them from the configuration. The default setting is active.

Read-Only

If you enable the Read-Only option the adapter does not accept modify transactions and is available for searching only. The default setting is disabled, that is, the adapter is in read/write mode.

The following fields appear in the Indexes section of the General tab:

Presence

The Presence field contains a list of attribute types whose presence in entries must be quickly identified, which is required for (attrname=*) style search filters to operate. To add an attribute to the list, click Add, select the attribute from the dialog box that appears, and click OK on the dialog box.

Exact

The Exact field contains a list of attributes for which an exact-match index is maintained, for example, to serve sn=smith. When the attribute also has an ordering index, this index is redundant. To add an attribute to the list, click Add, select the attribute from the dialog box that appears, and click OK on the dialog box.

Ordering

The Ordering field contains a list of attributes for enabling ordering searches, such as, sn<=Smith, exact searches, and initial substring searches, such as, sn=Smi*. LDAP filters allow only <= and >= ordering relationships. < and > are not supported in LDAPv3. To add an attribute to the list, click Add, select the attribute from the dialog box that appears, and click OK on the dialog box.

Substring

The Substring option is only necessary if final substring searches are necessary, for example, sn=*ith, in addition to the ordering index. Initial substring searches are often handled using the ordering index. To add an attribute to the list, click Add, select the attribute from the dialog box that appears, and click OK on the dialog box.

Search Un-indexed

Enables or disables low-performance searching of attributes that are not specifically indexed. If search un-indexed is disabled, searching an un-indexed attribute returns no results (that is, evaluates as false).
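The following Python script is an added example, not part of the original documentation. It classifies single LDAP filter assertions by the index type that can serve them, using the rules stated above (an ordering index also serves exact and initial-substring searches; a substring index is what final-substring searches need; a presence index is required for attr=* filters), and it shows the effect of the Search Un-indexed switch: an assertion that no index serves evaluates as false and silently returns nothing unless un-indexed searching is enabled. The INDEXES configuration is constructed, and the assumption that a substring index also serves initial-substring searches is the example's own.

```python
import re

# Constructed Local Store Adapter index configuration (not from the page):
# which attributes are listed under each index type on the General tab.
INDEXES = {
    "presence": {"mail"},
    "exact": {"uid"},
    "ordering": {"sn"},
    "substring": {"cn"},
}

# Index types that can answer each kind of assertion, following the text:
# ordering also covers exact and initial-substring searches, and substring
# is what final-substring searches need. That a substring index also serves
# initial-substring searches is this example's assumption.
SERVED_BY = {
    "presence": ["presence"],
    "exact": ["exact", "ordering"],
    "ordering": ["ordering"],
    "initial": ["ordering", "substring"],
    "final": ["substring"],
}


def classify(assertion):
    """Return (attribute, kind) for a single LDAP assertion such as (sn=Smi*).
    kind is presence, exact, ordering, initial (sn=Smi*) or final (sn=*ith)."""
    m = re.fullmatch(r"\((\w+)(<=|>=|=)(.*)\)", assertion)
    if not m:
        raise ValueError(f"unsupported assertion: {assertion!r}")
    attr, op, value = m.groups()
    if op != "=":
        return attr, "ordering"
    if value == "*":
        return attr, "presence"
    if "*" not in value:
        return attr, "exact"
    if value.endswith("*") and "*" not in value[:-1]:
        return attr, "initial"
    return attr, "final"


def serving_index(assertion, indexes=INDEXES):
    """Name the first configured index type that can answer the assertion, or None."""
    attr, kind = classify(assertion)
    for index_type in SERVED_BY[kind]:
        if attr in indexes[index_type]:
            return index_type
    return None


def check_filters(assertions, search_unindexed, indexes=INDEXES):
    """Pre-deployment check: for each assertion an application will send, report
    the index that serves it. With Search Un-indexed disabled, an assertion that
    no index serves evaluates as false and silently returns no entries."""
    report = {}
    for a in assertions:
        idx = serving_index(a, indexes)
        report[a] = idx if idx is not None else ("scan" if search_unindexed else "no results")
    return report
```

Run check_filters over the filters your applications actually issue before going live: with Search Un-indexed disabled, an unserved filter does not fail loudly, it simply finds nothing, which is easy to mistake for a missing entry.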

The following fields appear in the Security section of the General tab:

Enable Sensitive Attribute

Enables or disables sensitive attributes, which are attributes in the Local Store Adapter with encrypted values. If you enable the Enable Sensitive Attribute option, you must identify the attributes whose values will be encrypted using the Sensitive Attributes field.

Sensitive Attributes

If Enable Sensitive Attributes is selected, the values of the attributes listed in the Sensitive Attributes field will be encrypted.

The following fields appear in the Database section of the General tab:

Database File

The path relative to ORACLE_INSTANCE/ovd/SYSTEM_COMPONENT_NAME and a unique file name prefix for the Local Store Adapter data files. SYSTEM_COMPONENT_NAME is usually ovd1. If you are using multiple Local Store Adapters, this value must be unique for each adapter or data-corruption occurs.

Password Hash Mode

Select the password hash type by choosing an option from the Password Hash Mode list. The most secure algorithm offered is SSHA; the others are available for compatibility purposes. Selecting PLAIN leaves the password value un-hashed in the internal Local Store Adapter data store, so anyone who can read the adapter's data or backup files can read the passwords.
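The following Python script is an added example, not Oracle code. It produces and verifies values in the {SSHA} form that LDAP servers commonly use (base64 of the SHA-1 digest of password plus salt, followed by the salt) and contrasts it with PLAIN, where the stored value is the password itself. The exact byte layout Oracle Virtual Directory uses in its internal store is not stated on this page, so the layout and the salt length here are assumptions; the point the example makes holds regardless: a per-password random salt gives different stored values for identical passwords, and verification should compare digests in constant time.

```python
import base64
import hashlib
import hmac
import os

SALT_LEN = 8     # bytes of random salt per stored value (assumption)
SHA1_LEN = 20    # SHA-1 digest length


def ssha_hash(password, salt=None):
    """Produce an {SSHA} value: base64(sha1(password + salt) + salt).
    A fresh random salt per password means two users with the same password
    get different stored values and a precomputed table is useless; PLAIN
    and unsalted hashes give neither property."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_password(stored, candidate):
    """Check a candidate password against a stored value in either the {SSHA}
    form or the PLAIN form (no scheme prefix; the value is the password itself)."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        if len(raw) <= SHA1_LEN:
            return False                      # malformed: no salt present
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, expected)   # constant-time compare
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
```

Even with SSHA the stored value is a single salted SHA-1, not an iterated password-derivation function, so the Local Store Adapter data files and the backup files configured below still need file-system protection; SSHA is the best of the options listed, not a substitute for restricting access to the files.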

Auto RDN

When adding an entry, the LDAP RFCs require that the relative distinguished name, RDN, or left most DN term, be present in the attribute list of the entry being added. Some directory product vendors ignore this and allow the RDN value to be missing from the attribute list, which may lead to compatibility problems with applications that depend on this behavior. Enabling Auto RDN allows Oracle Virtual Directory to automatically create the missing attribute. The default setting is disabled.

Auto Compact

After a successful database backup, Oracle Virtual Directory can optionally compress the database files. If the Local Store Adapter data is being modified frequently, this helps keep database size manageable. The default setting is disabled.


Note:

On Windows platforms, it is highly recommended that the Auto Compact feature be disabled. There are some Windows scenarios where the ability to rename files is not guaranteed, which can result in corruption or loss of data.

Transaction Log Size

When a new entry is added or changed, it is first written to a transaction log to allow for faster application response, while ensuring that transactions are written to disk.

This option determines at what size (in bytes) the transaction log is truncated. Entries that have not been placed into the data store and indexed are never removed from the transaction log, even when the number of unprocessed transactions brings the log to a size that exceeds the size listed in this option.

Having a small transaction log that is continuously truncated can add considerable overhead if adding large quantities of entries. It may be better to make the transaction log as large as possible for an initial bulk load, but reduce its size afterward, before going into production.

Cache Size

This option determines the number of entries to be cached by the Local Store Adapter in memory. It always contains the last entries accessed or written. The amount of memory needed is determined by the size of the entries.

Storing very large entries, for example, groups or binary objects, may cause Oracle Virtual Directory to consume more memory than normal. You may have to increase the overall memory available to the Oracle Virtual Directory.

The following fields appear in the Backup section of the General tab:

Backup File

The path relative to ORACLE_INSTANCE/ovd/SYSTEM_COMPONENT_NAME that points to a unique file name in which automatic backups should be stored. SYSTEM_COMPONENT_NAME is usually ovd1. The backup file name should be unique to the Local Store Adapter to prevent being over-written by another Local Store Adapter.

Backup Time - Hour

The hour (0 to 23) of the time at which the Local Store Adapter automatic backup should occur.

Backup Time - Minute

The minute (0 to 59) of the time at which the Local Store Adapter automatic backup should occur.

Max Backup Files

The maximum number of backup files to keep in the backup file rotation for the Local Store Adapter.

12.4 Creating Join View Adapters

This topic explains how to create and configure Join View Adapters and includes the following sections:


Note:

This topic assumes that the adapters to be joined using a Join View Adapter already exist.

Prerequisites for Creating a Join View Adapter

Before you can create and deploy any type of Join View Adapter, you must create an adapter to be the Join View Adapter's primary adapter. Refer to "Join View Adapter's Primary Adapter" for more information.

Before you can create a Shadow Join View Adapter, in addition to creating a primary adapter, you must create either an LDAP Adapter connected to Oracle Internet Directory, or a Local Store Adapter to store shadow entries. If you use an LDAP Adapter and Oracle Internet Directory, the base DN of the LDAP Adapter must be in Oracle Internet Directory. If you use a Local Store Adapter, the base DN of the Local Store Adapter must be in Oracle Virtual Directory.

Creating Join View Adapters

After completing the prerequisites, perform the following steps to create Join View Adapters using Oracle Directory Services Manager:

  1. Log in to Oracle Directory Services Manager.

  2. Select Adapter from the task selection bar. The Adapter navigation tree appears.

  3. Click the Create Adapter button. The New Adapter Wizard appears.

  4. Perform the following steps to define the Type of adapter:

    1. Select Join from the Adapter Type list.

    2. Enter a unique name for the Join Adapter in the Adapter Name field. The adapter name value is used in other configuration fields that must reference the adapter.

    3. Select the Default template from the Adapter Template list.


      Note:

      After selecting an adapter template, Oracle Directory Services Manager populates default values for some adapter settings. You should alter these default settings according to your environment.

    4. Click Next. The Settings screen appears.

  5. Enter the root DN that the Join View Adapter provides information for in the Adapter Suffix/Namespace field. The DN defined and the child entries below it are the namespace of the adapter. The value entered in this field is the value that appears to clients of the virtual directory. The value should be specified as a comma separated distinguished name.


    Caution:

    Ensure that the root DN of the Join View Adapter is different from that of its primary adapter or any of the joined adapters, otherwise you can cause unexpected duplicate results.

  6. Choose the primary adapter for the Join View Adapter by selecting it from the Primary Adapter list. The primary adapter is the primary driver of data in the Join View and is used by the Join View Adapter to construct its directory hierarchy. Entries in the Join View Adapter only exist if they exist in the primary adapter. The primary adapter can be any adapter. Refer to "Join View Adapter's Primary Adapter" for more information.


    Note:

    After defining and debugging a Join View, you can set the primary adapter's Visibility routing setting to Invisible to hide un-joined entries from LDAP clients.

  7. Enter the name of the adapter you want to perform a bind verification with into the Bind Adapter field, or click Browse and select the adapter. While an LDAP client can bind with a DN based on the primary adapter, it may be that the password will be verified against a joined entry in another adapter. The Bind Adapter must be either the primary adapter or one of the joined adapters.

  8. Click Next. The Summary screen appears displaying a summary of the Join View Adapter settings.

  9. Review the Join View Adapter settings and click Finish to create the Join View Adapter. The new Join View Adapter appears in the Adapter tree.

After you create the Join View Adapter you can configure it using the procedures in Configuring Join View Adapters.

12.4.1 Configuring Join View Adapters

This section describes how to configure Join View Adapter settings, including:

12.4.1.1 Configuring Join View Adapter General Settings and Join Rules

After you create the Join View Adapter you can configure the general settings and Join Rules for the adapter by clicking the adapter name in the Adapter tree, clicking the General tab, setting values for the following fields, and clicking Apply:

Root

This field defines the root DN that the adapter provides information for. The DN defined, and the child entries below it, comprise the adapter's namespace. The value you enter in this field should be the base DN value for returned entries. For example, if you enter dc=mydomain,dc=com in the field, all entries end with dc=mydomain,dc=com.


Caution:

Ensure that the root DN of the Join View Adapter is different from that of its primary adapter or any of the joined adapters, otherwise you can cause unexpected duplicate results.

Active

An adapter can be configured as active (enabled) or inactive (disabled). An adapter configured as inactive does not start during a server restart or an attempted adapter start. Use the inactive setting to keep old configurations available or in stand-by without having to delete them from the configuration. The default setting is active.

The following fields appear in the Settings section of the General tab:

DN Attributes

List of attributes to be treated as DNs for which namespace translation is required, such as member, uniquemember, manager. For example, when reading a group entry from a proxied directory, Oracle Virtual Directory automatically converts the DN for the group entry itself and the uniquemember or member attributes if these attributes are in the DN Attributes list.


Note:

Translate only those attributes you know the client application must use. Entering all possible DN attributes is usually unnecessary and consumes a small amount of additional CPU time in the proxy.

To add attributes to the DN Attributes list:

  1. Click Add. The Select DN Attribute dialog box appears.

  2. Select the attribute you want to add.

  3. Click OK.

Primary Adapter

The primary adapter is the primary driver of data in the Join View and is used by the Join View Adapter to construct its directory hierarchy. Entries in the Join View Adapter only exist if they exist in the primary adapter. The primary adapter can be any adapter. Refer to "Join View Adapter's Primary Adapter" for more information.

Bind Adapter

A list of one or more adapter names to be used for bind processing. By default, the primary adapter is used, however you can override this and list one or more other adapters. The Join View Adapter attempts to complete joins against the target adapter and process the bind. If the bind succeeds, processing stops and success is returned to the client. If the bind fails, the Join View Adapter continues trying each adapter in the Bind Adapter list. Only when all bind adapters have failed is a bind failure returned. This is useful when user identities exist in multiple directories and you want to give clients the opportunity to try password validation against multiple directories.

Join Rules

Perform the following steps to create join relationships for Join View Adapters:

  1. Click the Create button. The Join Rule dialog box appears.

  2. Select the adapter from the Adapter list to join with the Join View adapter.

  3. Select the type of join relationship for the Join View Adapter by choosing a join relationship from the Type list. Refer to "Join Relationships" for more information on join relationships.

  4. Enter a join condition in the Condition field as follows:

    • For Simple Joiners and OneToMany Joiners, enter a condition in the form remoteattribute=primaryadapterattribute where remoteattribute is an attribute in the target joined adapter and primaryadapterattribute is an attribute from the primary adapter.

    • For Shadow Joiners, enter a unique key attribute name from the primary adapter, for example, uid, that you can use to locate records in a rename. For Shadow Joiners, the condition is not an equality condition as it is with other joiners.

    • For ConditionalSimpleJoiners, extend a Simple Joiner condition with the ; character followed by an additional LDAP filter; the join then occurs only for entries that match that filter.

      For example, a Simple Joiner condition could be: employeenumber=employeenumber

      Extend this condition for the ConditionalSimpleJoiner using the ; character and an additional condition, for example:

      employeenumber=employeenumber;(&(employeenumber=101)(sn=Smith))
      
  5. Click OK on the Join Rule dialog box to save the join relationship information. The join relationship information appears in the Join Rules table.

  6. Click Apply at the top of the page on the General tab to deploy the join.


Note:

To join two different adapters with different keys to the primary adapter, create multiple Join Rules, each with a single key. If you need multiple keys to create a single Join Rule, depending upon the specific criteria, you might be able to use the ConditionalSimpleJoiner or you may have to write a custom Join Rule.
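The following Python script is an added example, not code from the original documentation. It parses Join Rule conditions in the forms described above (remoteattribute=primaryadapterattribute, optionally followed by ; and an LDAP filter), applies Simple, OneToMany and ConditionalSimple joins to constructed primary and joined adapter entries, and implements the Bind Adapter list behaviour described under Bind Adapter (try each listed adapter in turn, fail only when all fail). The sample entries, the rule type names, and the choice to evaluate the extra ConditionalSimple filter against the primary entry are assumptions of the example.

```python
import re

# Constructed sample adapters (not from the page). Each entry is a dict of
# lowercase attribute name -> list of string values, as LDAP returns them.
PRIMARY = [  # e.g. an HR table behind a Database Adapter (the primary adapter)
    {"dn": ["cn=Smith,ou=hr,dc=example,dc=com"], "uid": ["jsmith"], "sn": ["Smith"], "employeenumber": ["101"]},
    {"dn": ["cn=Jones,ou=hr,dc=example,dc=com"], "uid": ["mjones"], "sn": ["Jones"], "employeenumber": ["102"]},
]
CORP = [  # e.g. an LDAP Adapter to a corporate directory (a joined adapter)
    {"dn": ["uid=jsmith,ou=people,dc=corp"], "uid": ["jsmith"], "mail": ["jsmith@corp.example"], "userpassword": ["ldap-pw"]},
    {"dn": ["uid=mjones,ou=people,dc=corp"], "uid": ["mjones"], "mail": ["mjones@corp.example"]},
]
GROUPS = [  # several group entries name the same member: a OneToMany case
    {"dn": ["cn=admins,ou=groups,dc=corp"], "cn": ["admins"], "member": ["jsmith"]},
    {"dn": ["cn=devs,ou=groups,dc=corp"], "cn": ["devs"], "member": ["jsmith"]},
]


def parse_filter(s):
    """Parse a minimal RFC 4515 filter ((&..), (|..), (!..), =, <=, >=) into a tree."""
    def parse(i):
        if s[i] != "(":
            raise ValueError(f"expected '(' at offset {i} in {s!r}")
        i += 1
        if s[i] in ("&", "|"):
            op, kids, i = s[i], [], i + 1
            while s[i] == "(":
                node, i = parse(i)
                kids.append(node)
            return (op, kids), i + 1          # step over the closing ')'
        if s[i] == "!":
            node, i = parse(i + 1)
            return ("!", [node]), i + 1
        j = s.index(")", i)
        m = re.fullmatch(r"(\w+)(<=|>=|=)(.*)", s[i:j])
        if not m:
            raise ValueError(f"unsupported assertion {s[i:j]!r}")
        attr, op, val = m.groups()
        return (op, attr.lower(), val.lower()), j + 1
    return parse(0)[0]


def match(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive; string ordering)."""
    op = node[0]
    if op == "&":
        return all(match(k, entry) for k in node[1])
    if op == "|":
        return any(match(k, entry) for k in node[1])
    if op == "!":
        return not match(node[1][0], entry)
    _, attr, val = node
    values = [v.lower() for v in entry.get(attr, [])]
    if op == "=":
        return val in values
    if op == "<=":
        return any(v <= val for v in values)
    return any(v >= val for v in values)


def parse_rule(condition):
    """Split 'remoteattribute=primaryadapterattribute[;(filter)]' as typed into the Condition field."""
    key, _, extra = condition.partition(";")
    remote, primary = (p.strip().lower() for p in key.split("=", 1))
    return remote, primary, (parse_filter(extra.strip()) if extra else None)


def join_entry(primary_entry, joined_adapter, rule_type, condition):
    """Build the joined view of one primary entry.
    Simple: merge the first matching joined entry. OneToMany: merge every match.
    ConditionalSimple: as Simple, but only when the extra filter matches;
    assumption: that filter is evaluated against the primary entry."""
    remote, primary, extra = parse_rule(condition)
    view = {k: list(v) for k, v in primary_entry.items()}
    if rule_type == "ConditionalSimple" and extra is not None and not match(extra, primary_entry):
        return view
    keys = {v.lower() for v in primary_entry.get(primary, [])}
    matches = [e for e in joined_adapter if keys & {v.lower() for v in e.get(remote, [])}]
    if rule_type != "OneToMany":
        matches = matches[:1]
    for e in matches:
        for attr, vals in e.items():
            if attr != "dn":                  # the view keeps the primary entry's DN
                merged = view.setdefault(attr, [])
                merged.extend(v for v in vals if v not in merged)
    return view


def bind(uid, password, bind_adapters):
    """Bind Adapter list behaviour: try each adapter in order and succeed on the
    first that verifies the password; fail only when every adapter has failed.
    Clear-text comparison is used only because the sample data is constructed."""
    for adapter in bind_adapters:
        for e in adapter:
            if uid.lower() in [v.lower() for v in e.get("uid", [])] and e.get("userpassword") == [password]:
                return True
    return False
```

Two things the sample makes visible: a Simple join silently takes only the first match when the key is not unique in the joined adapter, so the join key should be unique on both sides, and a bind adapter list widens the set of credentials that can authenticate a DN, so every adapter in that list is part of the authentication boundary.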

Modifying join relationships for Join View Adapters:

  1. Click the name of the join relationship in the Join Rules table to modify. A split screen appears with the join relationship settings in the lower half of the screen.

  2. Edit the join relationship as desired.

  3. Click Apply in the lower half of the screen to save your changes.

  4. Click Apply at the top of the page on the General tab to deploy the join.

Perform the following steps to delete join relationships for Join View Adapters:

  1. Click the name of the join relationship in the Join Rules table to delete.

  2. Click the Delete button on the Join Rules table. A confirmation dialog box appears asking you to confirm deleting the join relationship.

  3. Click Delete on the confirmation dialog box to delete the join relationship. The join relationship is removed from the Join Rules table.

12.4.1.2 Configuring Adapter Routing

After you create the adapter you can configure routing for the adapter by clicking the adapter name in the Adapter tree, clicking the Routing tab, and referring to "Understanding Routing Settings". Additionally, review the following information specific to configuring Join View Adapter routing:

Primary Adapter Routing

Because the Join View Adapter's primary adapter is the primary driver of data in the Join View and is used by the Join View Adapter to construct its directory hierarchy you also must configure the primary adapter's routing.

Modify the primary adapter's Retrievable Attributes and Storable Attributes routing settings to control which attributes may be read from and written to the primary adapter. If you do not want Oracle Virtual Directory to write any modifications to the primary adapter, set Storable Attributes to _never.

Local Store Adapter Routing as Join View Adapter's Local Store Directory

If you are using a Local Store Adapter as the local store directory for the Join View Adapter you may want to adjust the Local Store Adapter's routing settings also.

Modify the Storable Attributes routing setting for the Local Store Adapter so that only the attributes that are to be written locally are listed. Include the unique key attribute used in the join rule and the vdeprimaryref attribute. Optionally, set the Visibility routing setting to Internal if you do not want the Local Store Adapter to be seen by LDAP clients.

12.4.2 Configuring a Shadow Join View Adapter for Oracle Internet Directory

The following steps are an overview of the process for configuring a Join View Shadow Adapter for use with Oracle Internet Directory:

On Oracle Internet Directory:

  1. Extend the Oracle Internet Directory schema to add support for shadow objects/attributes using the following steps:

    1. Create an LDIF file with the following information:

      dn: cn=subschemasubentry
      changetype: modify
      add: attributetypes
      attributetypes: ( 1.3.6.1.4.1.17119.1.0.1 NAME 'vdeprimaryref' EQUALITY caseIgnoreMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' USAGE userApplications )

      dn: cn=subschemasubentry
      changetype: modify
      add: objectclasses
      objectclasses: ( 1.3.6.1.4.1.17119.1.1.1 NAME 'vdeShadowObject' SUP 'top' STRUCTURAL MUST vdeprimaryref )
      
    2. Use the Oracle Internet Directory ldapmodify tool to import the LDIF file, for example:

      ldapmodify -h ORACLE_INTERNET_DIRECTORY_HOST -p ORACLE_INTERNET_DIRECTORY_PORT -D bindDN -q -v -f PATH_TO_LDIF_FILE
      
  2. Create a cn=shadowentries orclcontainer object to store the shadow entries in a branch that is separate from normal users to avoid confusing the shadow entries with any other normal user entries.

On Oracle Virtual Directory:

  1. Create an LDAP Adapter that connects to the Oracle Internet Directory branch you created in Step 2 and set the visibility to internal because only the Shadow Join must access it.

  2. Add vdeprimaryref,uid followed by a comma-separated list of the attributes you want to store in the shadow entry to the Storable Attributes field. Replace uid with the name of the attribute you can use to identify the entry if its DN changes in the primary adapter. An example may look like:

    vdeprimaryref,uid,cn,obpasswordhistory
    
  3. Set the primary adapter's visibility to internal as the Shadow Join will be the visible "entry" to LDAP clients.

  4. Create a new Join View Adapter and set the bind adapter to be the primary adapter.

  5. Create a new Shadow Join rule as follows:

    1. Set the joined adapter to be the shadow LDAP Adapter you created in Step 1.

    2. Set uid as the condition value, replacing uid with proper value if you are using another attribute as the primary key attribute for the entry.

After completing these steps, when you update the entry exposed through the Join View:

  • Oracle Virtual Directory determines which attributes must be written to the primary adapter and to the Shadow LDAP.

  • When Oracle Virtual Directory writes to the Shadow LDAP it first checks that the shadow entry exists in the LDAP server, by looking for an entry whose vdeprimaryref attribute references the primary entry and then for one whose condition attribute value matches. If Oracle Virtual Directory does not find an entry, it creates the entry and then updates the attributes.

  • An LDAP client sees a complete entry with all of the attributes when it connects to Oracle Virtual Directory after the update is complete.
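The following Python class is an added example, not Oracle code. It models the write path described above over a constructed primary store and shadow store: a client modify is split between the two adapters by their Storable Attributes lists, the shadow entry is located by vdeprimaryref and then by the key attribute, it is created as a vdeShadowObject when missing, and vdeprimaryref is re-pointed after the primary entry has been renamed. Client writes to vdeprimaryref and to the key attribute are refused because the join maintains the first itself and the second is what keeps the two entries linked across a rename. The routing rule (an attribute goes to the shadow store if it is in the shadow adapter's Storable Attributes, otherwise to the primary adapter if that adapter accepts it, otherwise the write is rejected), the store layout and the default attribute lists are the example's own assumptions.

```python
class ShadowJoinView:
    """Models the write path of a Shadow Join over two constructed stores.
    Both stores are dicts keyed by DN whose values are dicts of single-valued
    attributes; they stand in for the primary adapter and the shadow LDAP
    Adapter. The layout and routing rule are this example's assumptions."""

    def __init__(self, primary_store, shadow_store, key_attr="uid",
                 primary_storable=frozenset({"cn", "sn", "mail"}),
                 shadow_storable=frozenset({"vdeprimaryref", "uid", "cn", "obpasswordhistory"}),
                 shadow_base="cn=shadowentries,dc=example,dc=com"):
        self.primary = primary_store
        self.shadow = shadow_store
        self.key_attr = key_attr                   # the Shadow Join rule condition value
        self.primary_storable = primary_storable   # primary adapter Storable Attributes
        self.shadow_storable = shadow_storable     # shadow adapter Storable Attributes
        self.shadow_base = shadow_base

    def find_shadow(self, primary_dn, key_value):
        """Locate the shadow entry by vdeprimaryref first, then by the key
        attribute, which still matches after the primary entry was renamed."""
        for dn, e in self.shadow.items():
            if e.get("vdeprimaryref", "").lower() == primary_dn.lower():
                return dn
        for dn, e in self.shadow.items():
            if e.get(self.key_attr) == key_value:
                return dn
        return None

    def read(self, primary_dn):
        """The entry an LDAP client sees: primary attributes plus shadowed ones."""
        view = dict(self.primary[primary_dn])
        shadow_dn = self.find_shadow(primary_dn, view[self.key_attr])
        if shadow_dn is not None:
            view.update({a: v for a, v in self.shadow[shadow_dn].items()
                         if a not in ("vdeprimaryref", "objectclass")})
        return view

    def modify(self, primary_dn, changes):
        """Apply a client modify on the joined entry, splitting it between the
        two adapters by their Storable Attributes and creating the shadow entry
        on first use. vdeprimaryref and the key attribute are the join's own
        linkage, so client writes to them are refused."""
        to_shadow, to_primary = {}, {}
        for attr, value in changes.items():
            if attr in ("vdeprimaryref", self.key_attr):
                raise PermissionError(f"{attr} is maintained by the join, not by clients")
            if attr in self.shadow_storable:
                to_shadow[attr] = value
            elif attr in self.primary_storable:
                to_primary[attr] = value
            else:
                raise PermissionError(f"{attr}: no adapter accepts writes to this attribute")
        primary = self.primary[primary_dn]
        primary.update(to_primary)
        if to_shadow:
            key_value = primary[self.key_attr]
            shadow_dn = self.find_shadow(primary_dn, key_value)
            if shadow_dn is None:             # create, then update, as the page describes
                shadow_dn = f"{self.key_attr}={key_value},{self.shadow_base}"
                self.shadow[shadow_dn] = {"objectclass": "vdeShadowObject",
                                          self.key_attr: key_value}
            self.shadow[shadow_dn]["vdeprimaryref"] = primary_dn   # re-point after a rename
            self.shadow[shadow_dn].update(to_shadow)
        return self.read(primary_dn)

    def rename_primary(self, old_dn, new_dn):
        """Simulate a rename in the primary adapter; the shadow entry is found
        again through the key attribute on the next access."""
        self.primary[new_dn] = self.primary.pop(old_dn)
```

The two lookups in find_shadow are the reason the page insists on a unique key attribute for Shadow Joiners: after a rename, vdeprimaryref no longer matches, and the key attribute is the only thing preventing a second shadow entry from being created for the same person.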


Part III

Advanced Administration

This part presents information about advanced administration tasks for Oracle Virtual Directory and contains the following chapters:


14 Managing Oracle Virtual Directory Mappings

This chapter explains how to manage Oracle Virtual Directory mappings and includes the following topics:

14.1 Constructing Mappings Using Mapping Templates

Oracle Virtual Directory includes mapping templates that act as a macro and enable you to quickly construct Mappings. The following steps explain how to construct, compile, and deploy Mappings to the Oracle Virtual Directory server so they are available to be activated at both the adapter and server levels.

Perform the following steps to construct, compile, and deploy Mappings to the Oracle Virtual Directory server using Oracle Directory Services Manager's Mapping Templates feature:


Note:

If you are managing multiple Oracle Virtual Directory servers from multiple Oracle Directory Services Manager sessions that run from the same Oracle Directory Services Manager component and you construct and then save different mapping templates to each Oracle Virtual Directory server continuously (meaning back-to-back, within 10 seconds of each other), the most recent mapping template will be saved to all servers.

This issue occurs because the same Oracle Directory Services Manager work directory is shared between all of the Oracle Virtual Directory servers managed by a single Oracle Directory Services Manager component.

To avoid this issue, be sure you wait more than 10 seconds before attempting to save the mapping templates to the different Oracle Virtual Directory servers.


  1. Log in to Oracle Directory Services Manager.

  2. Select Advanced from the task selection bar. The Advanced navigation tree appears.

  3. Expand the Mapping Templates entry in the Advanced tree. The list of Mapping templates appear.

  4. Determine which Mapping template you want to use to construct your Mapping by referring to "Understanding Mapping Templates".

    After you determine which Mapping template you want to use, click the name of the template. The Mapping Parameters for the Mapping template you selected appear in the main screen.

  5. Enter values for the attributes in the Mapping template by performing the following steps:

    1. Click the attribute in the Mapping Parameters table to edit. The current value for the attribute appears.

    2. Enter a new value for the attribute in the Value field and click OK. The new value for the attribute appears in the Mapping Parameters table.

    Repeat this step until you have set values for all the desired attributes in the Mapping.

  6. Click Apply at the top of the Mapping Templates screen.

    After you click Apply, Oracle Directory Services Manager compiles the Mapping template into a Mapping script and sends it to the Oracle Virtual Directory server so that it is available to be activated at the adapter or global server level.

  7. Refer to "Viewing Deployed Mappings" to verify the Mapping was deployed to the Oracle Virtual Directory server.

14.2 Creating and Activating Server Mappings

This section describes how to create and activate Mappings at a global server level. Refer to "Applying Mappings to Adapters" for information on activating Mappings at an adapter level.

Perform the following steps to create and activate a Mapping at a global server level using Oracle Directory Services Manager:


Note:

Before you can create and activate a Mapping, the Mapping file must reside on the Oracle Virtual Directory server. Refer to "Constructing Mappings Using Mapping Templates" for information on constructing and deploying Mappings.

  1. Log in to Oracle Directory Services Manager.

  2. Select Advanced from the task selection bar. The Advanced navigation tree appears.

  3. Expand the Global Plugins entry in the Advanced tree.

  4. Click the Create Mapping button at the top of the Global Plugins entry in the Advanced tree. The Mapping dialog box appears.

  5. Enter a name in the Name field to describe the Mapping. This name is used to identify and describe the Mapping, not to name the actual Mapping script file.

  6. Enter the path to the Mapping script file in the Mapping File field, or click Select, navigate to the Mapping script file, select it, and then click OK.

  7. Determine where you want the Mapping to execute. The Mapping can execute at a specific location in the virtual directory or at a global server level spanning the entire virtual tree.

    To execute the Mapping at a global server level, leave the Namespaces table empty and click OK to activate the Mapping for the entire virtual tree.

    To execute the Mapping at a specific location in the virtual tree, perform the following steps:

    1. Click the Create Namespace button in the Namespaces table.

    2. Enter the location of the virtual tree where you want the Mapping to execute in the Namespace field.

      Create multiple Namespaces to have the Mapping execute at multiple specific locations in the virtual tree.

    3. Click OK to activate the Mapping at the specific locations in the virtual tree.

  8. Refer to "Viewing Activated Server Mappings" to verify the Mapping was activated.

14.2.1 Viewing Activated Server Mappings

You can view a list of the Mappings that have been activated at the server level—not adapter level—by performing the following steps:

  1. Log in to Oracle Directory Services Manager.

  2. Select Advanced from the task selection bar. The Advanced navigation tree appears.

  3. Expand the Global Plugins entry in the Advanced tree. A list of the activated Mappings and plug-ins appears in the Advanced tree.

14.3 Applying Mappings to Adapters

Perform the following steps to apply a mapping to an adapter using Oracle Directory Services Manager:


Note:

Before you can apply a Mapping to an adapter, the Mapping file must reside on the Oracle Virtual Directory server. Refer to "Constructing Mappings Using Mapping Templates" for information on constructing and deploying Mappings to the Oracle Virtual Directory server.

  1. Log in to Oracle Directory Services Manager.

  2. Select Adapter from the task selection bar. The Adapter navigation tree appears.

  3. Click the name of the adapter in the tree to apply the mapping to. The adapter's settings screen appears.

  4. Click the Plug-ins tab. The adapter's plug-ins screen appears.

  5. Click the Create Mapping button. The Mapping dialog box appears.

  6. Enter a name in the Name field to describe the Mapping. This name is used to identify and describe the Mapping, not to name the actual Mapping script file.

  7. Enter the path to the Mapping script file in the Mapping File field, or click Select, navigate to the Mapping script file, select it, and then click OK.

  8. Determine where you want the Mapping to execute. The mapping can execute at a specific location under the adapter namespace or at the adapter namespace itself, thus spanning the entire adapter.

    To execute the Mapping at the adapter level, leave the Namespaces table empty and click OK to activate the Mapping for the entire adapter.

    To execute the Mapping at a specific location under the adapter, perform the following steps:

    1. Click the Create Namespace button in the Namespaces table.

    2. Enter the location of the virtual tree where you want the Mapping to execute in the Namespace field.

      Create multiple Namespaces to have the Mapping execute at multiple specific locations in the virtual tree.

    3. Click OK to activate the Mapping at the specific locations in the virtual tree.

  9. Click Apply on the adapter's plug-ins screen to apply the mapping to the adapter.


7 Understanding Oracle Virtual Directory Fault Tolerance

This chapter describes Oracle Virtual Directory fault tolerance and contains the following topics:

7.1 Overview

Oracle Virtual Directory is extremely flexible when implementing fault-tolerant designs. Oracle Virtual Directory does not store data locally allowing duplicate copies of the data to be deployed and managed across multiple Oracle Virtual Directory instances. Additionally, Oracle Virtual Directory configuration files can be easily duplicated or shared on an appropriate Storage Area Network (SAN) configuration.

Oracle Virtual Directory's LDAP Adapter provides excellent support for managing connections to multiple source directory replicas and masters. Oracle Virtual Directory provides the ability to spread query loads across multiple directory replicas while directing add, modify, delete, and rename operations to designated directory master servers.

In a situation where one source directory does not have fault tolerance and the LDAP client application issues a query that spans all directories, LDAP RFCs require that all parts of the directory respond correctly or the entire result is invalid. This generally works well until a proxied directory becomes unavailable. If the source without a redundant directory link fails, global queries may begin to fail for all directories even though only part of the user base is affected. Oracle Virtual Directory enables you to control how it responds when individual proxies fail and how that failure should affect the overall service.

In many scenarios the proxied directory is present to allow partner company users to access a host company's application. If the partner directory is offline or is unreachable, it is also likely that the company's users cannot get to the application anyway, so a failure could be deemed non-critical to the application. In this case, Oracle Virtual Directory can be configured to ignore the downed server connection, allowing the other partners to continue working.

The following is a list of the primary areas of Oracle Virtual Directory fail over, which are described in the subsequent topics in this chapter:

7.2 DNS and Network Fail Over

Depending on how you plan to implement fault tolerance for the Oracle Virtual Directory, you can consider several options for routing clients to available Oracle Virtual Directory systems.

The simplest method is DNS round robin: a single DNS name has two IN A records, so the DNS server hands out the addresses in rotation each time the name is resolved (for example, ldap.corp.com alternates between 192.168.0.1 and 192.168.0.2). This approach is useful if you want to spread load between two available servers, but it is less useful when one of those servers becomes unavailable, because DNS is unaware of the failure and continues to send clients to the failed server's address each time the rotation reaches it.

You can also use a hardware load balancer such as Cisco's LocalDirector or F5's Big-IP. These types of products provide true load balancing while monitoring performance of each of the servers. There are many products that vary in cost and capability in this category.

Another method is to use a cluster configuration (for example, Veritas) capable of switching IP addresses between failed nodes in a cluster.

7.3 Oracle Virtual Directory Fail Over

Oracle Virtual Directory system fail over is relatively straightforward unless you are using a Local Store Adapter. Oracle Virtual Directory uses configuration files that are read only on start-up. In theory, two servers reading the same configuration data automatically perform the same function.

7.4 Proxied Sources Fail Over

Oracle Virtual Directory's LDAP Adapter provides sophisticated fail over and load balancing management for all LDAP-compliant data repositories. For any proxied source or adapter you can define multiple remote host replicas and specify the following characteristics:

  • Read/Write or Read Only (Master versus Replica node)

  • Percentage load distribution or switch only on failure

Figure 7-1 shows an example of how Oracle Virtual Directory's LDAP Adapter performs transaction load-balancing:

Oracle Virtual Directory includes configurable connection handling settings that allow you to specify the following:

  • Heartbeat Interval: How often Oracle Virtual Directory verifies online status of a proxy. The heartbeat interval continually verifies availability of a server. If a proxy goes offline, Oracle Virtual Directory automatically removes it from its list of active servers and distributes load to other defined replicas. When the heartbeat interval verifies a server is available again, the server is put back on the available list.

  • Time-out Interval: How long (in milliseconds) Oracle Virtual Directory waits before determining a connection has failed. When a connection fails, Oracle Virtual Directory automatically tries the next server on its replica list. If no proxied servers are responding, the LDAP client receives the DSA unavailable error.

  • Criticality: Whether the proxy's results are critical to an overall query. If a query requires responses from multiple adapters and any adapter designated critical is unavailable, Oracle Virtual Directory responds with an error because not all adapters could be queried. In some situations you may want Oracle Virtual Directory to return results even if only some servers could be queried. To allow Oracle Virtual Directory to return partial results, set the adapters whose results may be missing to non-critical.
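The replica routing and criticality rules described above, as an added model that is not Oracle Virtual Directory code: the Replica and LdapAdapter classes, the probe callback that stands in for the heartbeat check, and the host names are all constructed here.

```python
"""Model of the LDAP Adapter replica routing and criticality rules.

Added illustration, not Oracle Virtual Directory code: the classes, the
probe callback (stand-in for the heartbeat) and the host names are constructed.
"""
import random
from dataclasses import dataclass


@dataclass
class Replica:
    host: str
    read_only: bool = False   # False: master (read/write), True: replica (read only)
    load_percent: int = 0     # share of load; 0 means "switch to this host only on failure"
    available: bool = True    # refreshed by the heartbeat check


@dataclass
class LdapAdapter:
    name: str
    replicas: list
    critical: bool = True     # a down critical adapter fails the whole query

    def heartbeat(self, probe):
        """probe(host) -> bool stands in for the periodic online check."""
        for r in self.replicas:
            r.available = probe(r.host)

    def candidates(self, write):
        """Writes (add/modify/delete/rename) go to masters only; reads may use any live host."""
        return [r for r in self.replicas if r.available and not (write and r.read_only)]

    def choose(self, write, rng=random):
        """Weighted choice by load percentage; failover-only hosts are used when nothing else is up."""
        pool = self.candidates(write)
        if not pool:
            return None
        weighted = [r for r in pool if r.load_percent > 0]
        if weighted:
            return rng.choices(weighted, weights=[r.load_percent for r in weighted])[0]
        return pool[0]


def global_search(adapters, probe):
    """Query every adapter. Returns (results, partial); raises when a critical adapter is down.

    The results list holds (adapter name, host queried) pairs as a stand-in for entries.
    """
    results, partial = [], False
    for adapter in adapters:
        adapter.heartbeat(probe)
        host = adapter.choose(write=False)
        if host is None:
            if adapter.critical:
                raise RuntimeError(f"DSA unavailable: critical adapter {adapter.name} has no live replica")
            partial = True          # non-critical adapter: skip it and keep going
            continue
        results.append((adapter.name, host.host))
    return results, partial
```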


Part I

Understanding Oracle Virtual Directory Services

This part presents introductory and conceptual information about Oracle Virtual Directory. It contains the following chapters:


15 Managing Oracle Virtual Directory Entries and Schema

This chapter explains how to manage Oracle Virtual Directory entries and schema using Oracle Directory Services Manager. It contains the following topics:

15.1 Managing Oracle Virtual Directory Entries Using Data Browsers

This topic describes Oracle Virtual Directory data browsers and how to use them to manage Oracle Virtual Directory entries. This topic contains the following sections:

15.1.1 Understanding Oracle Virtual Directory Data Browsers

Oracle Virtual Directory provides the following types of data browsers:

  • Client View browser

  • Adapter browser

Both the Client View and Adapter browsers are automatically created when you define a new Oracle Virtual Directory server. Oracle Virtual Directory uses DSMLv2 over its administrative gateway to retrieve the data presented by the browsers.

Client View Browser

The Client View browser enables you to search and view the entire virtual directory tree (defined by all configured adapters) after Oracle Virtual Directory has performed all data mapping and transformation. Think of the Client View as the after view—what the data looks like after it is virtualized by Oracle Virtual Directory.

You can also import and export LDIF files to and from the Oracle Virtual Directory using the Client View data browser. LDIF is an industry standard textual interchange format designed for exchanging data between LDAP servers. LDIF files are typically used to import and export batch data and schema configuration changes.

Adapter Browser

The Adapter Browser enables you to view data as it exists in both LDAP and Database Adapter connected repositories. Think of the Adapter Browser view as the before view—what the data in LDAP and database repositories looks like before it is virtualized by Oracle Virtual Directory. When using the Adapter Browser to view databases, tables and fields appear as they exist in the original database, including sample table rows to assist in data modeling.


Notes:

  • When you click the name of an existing adapter in the Adapter Browser, the configuration of the adapter appears in the main Oracle Directory Services Manager screen. This adapter configuration information is read only—you cannot edit an adapter's configuration using the Adapter Browser.

  • Data from Join View and Local Store Adapters is not visible from the Adapter Browser.


15.1.2 Managing Oracle Virtual Directory Entries Using the Client View Data Browser

The Client View browser enables you to view and search the entire virtual directory tree (defined by all configured adapters) after Oracle Virtual Directory has performed all data mapping and transformation. You can use the Client View browser to import and export LDIF files to and from the virtual directory. You can also modify and delete attributes of the virtual tree entries using the Client View Browser.

This topic explains how to perform the following Client View browser tasks:

15.1.2.1 Searching the Virtual Directory Tree

You can search the virtual directory tree using the Client View data browser. There are two types of searches: simple and advanced. A simple search only searches the cn, uid, sn, givenname, mail, and initials attributes. An advanced search enables you to specify the search scope depth and other detailed search parameters.

To perform a simple search, perform the following steps:

  1. Log in to Oracle Directory Services Manager.

  2. Select Data Browsers from the task selection bar. The Data Tree appears.

  3. Select the Client View entry in the Data Tree.

  4. Enter the keyword you want to search for in the search field at the top of the Data Tree and click the Simple Search > icon.

To perform an advanced search, perform the following steps:

  1. Log in to Oracle Directory Services Manager.

  2. Select Data Browsers from the task selection bar. The Data Tree appears.

  3. Select the Client View entry in the Data Tree.

  4. Click the Advanced button at the top of the Data Tree. The Search Dialog box appears.

  5. Enter the starting point for the search in the Root Of The Search field.

  6. Enter the maximum number of entries for the search to return in the Max Results (entries) field.

  7. Select the depth scope for the search by selecting one option from the following Search Depth list:

    Base: searches only the entries at the location specified by the Root Of The Search field.

    One Level: searches all entries one level under the location specified by the Root Of The Search field.

    Subtree: searches the location specified by the Root Of The Search field and includes all entries under that location.

  8. Enter the maximum number of seconds for the search to execute in the Max Search Time (seconds) field.

  9. Enter the Search Criteria as follows:

    1. Select the attribute to search for by selecting the attribute name from the list of attributes.

    2. Select a matching rule from the list of matching rules.

    3. Enter a value for the matching rule in the Specify Matching Value field.

      You can delete a search criterion by clicking the Delete button next to it.


    Note:

    To search for customized (extended) criteria, select the Show LDAP filter option and enter a custom search filter, such as (objectclass=*), in the LDAP Query field.

  10. Click Search to execute the search.

15.1.2.3 Modifying Attributes of Virtual Directory Tree Entries

You can modify and delete attributes of the virtual directory tree entries using the Client View Browser. You cannot add entries using the Client View Browser.

Perform the following steps to modify attributes of virtual directory tree entries using the Client View Browser:

  1. Log in to Oracle Directory Services Manager.

  2. Select Data Browsers from the task selection bar. The Data Tree appears.

  3. Expand the Client View entry in the Data Tree. The namespaces of the entries in the virtual directory appear.

  4. Navigate to the entry you want to modify by expanding the appropriate namespace and then click the entry. The details for that entry appear in the main screen and are organized by context-sensitive tabs, such as Attributes, Person, and Groups, depending upon the type of entry.

The following are common procedures for modifying entries. Regardless of the specific procedure you perform, after modifying an entry, click Apply to save your changes or Revert to discard them.


Notes:

  • To modify the attributes for all types of entries, click the Attributes tab and make the desired changes. By default, only non-empty attributes are shown. You can switch between Managed Attributes and Show All by using the Views list.

  • To change the list of attributes shown as managed attributes, click the icon under Optional Attributes. Select attributes you want to move from the All Attributes list to the Shown Attributes lists and use the Move and Move All arrows to move the attributes. Select attributes you want to move from the shown Attributes list to the All Attributes lists and use the Remove and Remove All arrows to move the attributes. Click Add Attributes to make your changes take effect or click Cancel to discard your changes. After you click Add Attributes, only the attributes that were on the Shown Attributes list are shown in the Managed Attributes view.


To add an object class: 

  1. Click the Attributes tab.

  2. Click the Add icon next to objectclass and use the Add Object Class dialog to select object class entries. Optionally, use the search box to filter the list of object classes. To add the object class, click it and then click OK.

To delete an object class: 

  1. Click the Attributes tab.

  2. Select the object class you want to delete.

  3. Click the Delete icon next to objectclass. The Delete Object Class dialog lists the attributes to be deleted with that class.

  4. Click Delete to proceed or Cancel to cancel the deletion.

To modify person entries: 

  1. Click the Person tab.

  2. Modify the information as needed. To upload a photograph for the person entry, click Browse, navigate to the photograph, then click Open. To update the photograph, click Update and follow the same procedure. Click the Delete icon to delete the photograph.

To modify group entries: 

  1. Click the Group tab.

  2. Click Add or Delete in the appropriate text box to add or delete a group owner or member.

15.1.3 Managing Oracle Virtual Directory Source Entries Using the Adapter Browser

The Adapter Browser enables you to view data as it exists in both LDAP and Database Adapter connected repositories. The Adapter Browser enables you to see what data looks like before it is virtualized by Oracle Virtual Directory. You can also modify and delete attributes of the source entries using the Adapter Browser.

This topic explains how to perform the following Adapter Browser tasks:


Notes:

  • When you click the name of an existing adapter in the Adapter Browser, the configuration of the adapter appears in the main Oracle Directory Services Manager screen. This adapter configuration information is read only—you cannot edit an adapter's configuration using the Adapter Browser.

  • Data from Join View and Local Store Adapters is not visible from the Adapter Browser.


15.1.3.2 Modifying Attributes of Source Repository Entries in Oracle Virtual Directory

You can modify and delete attributes of the source repository entries in Oracle Virtual Directory using the Adapter Browser. You cannot add source entries using the Adapter Browser.

Perform the following steps to modify attributes of the source repository entries in Oracle Virtual Directory using the Adapter Browser:

  1. Log in to Oracle Directory Services Manager.

  2. Select Data Browsers from the task selection bar. The Data Tree appears.

  3. Expand the Adapter Browser entry in the Data Tree. The names of the adapters that are connected to data repositories appear.

  4. Expand the entry for the adapter that contains the source entries you want to modify. The entries for the adapter appear.

  5. Click the entry you want to modify. The details for that entry appear in the main screen and are organized by context-sensitive tabs, such as Attributes, Person, and Groups, depending upon the type of entry.

The following are common procedures for modifying entries. Regardless of the specific procedure you perform, after modifying an entry, click Apply to save your changes or Revert to discard them.


Notes:

  • To modify the attributes for all types of entries, click the Attributes tab and make the desired changes. By default, only non-empty attributes are shown. You can switch between Managed Attributes and Show All by using the Views list.

  • To change the list of attributes shown as managed attributes, click the icon under Optional Attributes. Select attributes you want to move from the All Attributes list to the Shown Attributes lists and use the Move and Move All arrows to move the attributes. Select attributes you want to move from the shown Attributes list to the All Attributes lists and use the Remove and Remove All arrows to move the attributes. Click Add Attributes to make your changes take effect or click Cancel to discard your changes. After you click Add Attributes, only the attributes that were on the Shown Attributes list are shown in the Managed Attributes view.


To add an object class: 

  1. Click the Attributes tab.

  2. Click the Add icon next to objectclass and use the Add Object Class dialog to select object class entries. Optionally, use the search box to filter the list of object classes. To add the object class, click it and then click OK.

To delete an object class: 

  1. Click the Attributes tab.

  2. Select the object class you want to delete.

  3. Click the Delete icon next to objectclass. The Delete Object Class dialog lists the attributes to be deleted with that class.

  4. Click Delete to proceed or Cancel to cancel the deletion.

To modify person entries: 

  1. Click the Person tab.

  2. Modify the information as needed. To upload a photograph for the person entry, click Browse, navigate to the photograph, then click Open. To update the photograph, click Update and follow the same procedure. Click the Delete icon to delete the photograph.

To modify group entries: 

  1. Click the Group tab.

  2. Click Add or Delete in the appropriate text box to add or delete a group owner or member.

15.2 Managing Oracle Virtual Directory Schema Using Oracle Directory Services Manager

This topic explains how to manage Oracle Virtual Directory schema and contains the following sections:


Note:

This topic explains how to manage Oracle Virtual Directory schema using Oracle Directory Services Manager. If you use ldapmodify to modify Oracle Virtual Directory schema, be aware of the following items:

  • Oracle Virtual Directory expects schema keywords (such as name) to be in all capital letters (NAME).

  • Oracle Virtual Directory does not support the ldapmodify replace operation when modifying schema.


15.2.1 Managing Oracle Virtual Directory Schema Attributes

This section explains how to manage Oracle Virtual Directory schema attributes and contains the following tasks:

15.2.1.2 Creating New Schema Attributes

Perform the following steps to create new Oracle Virtual Directory schema attributes using Oracle Directory Services Manager:

  1. Log in to Oracle Directory Services Manager.

  2. Select Schema from the task selection bar. The Attribute Types and Object Classes navigation tree appears.

  3. Expand the Attribute Types entry. A list of the existing schema attributes appears.

  4. Click the Create button. The New Attribute Type dialog box appears.

  5. Enter the following information in the New Attribute Type dialog box fields:

    • Enter the name of the attribute in the Name field.

    • Enter a unique object identifier specified by ICANNS in the Object ID field. If not registered, any unique value will suffice. Oracle recommends registering all custom attributes by using a unique object identifier.

    • Optionally, enter a description for the attribute in the Description field.

    • Select the format for the attribute value by selecting an option in the Syntax list. Oracle Virtual Directory uses parent syntax values only.

    • Enter the bytes length of the attribute in the Size (bytes) field. 0 or no value (empty) implies unlimited. Oracle Virtual Directory does not enforce this attribute definition.

    • Select a standard from the Usage list for how the attribute can be used.

    • Enter an Object ID matching rule in the Ordering field for ordered searching. Oracle Virtual Directory does not use this attribute definition.

    • Enter a matching rule Object ID in the Equality field for equality. Oracle Virtual Directory does not use this attribute definition.

    • Enter a matching rule Object ID in the Substring field for substring searching. Oracle Virtual Directory does not use this attribute definition.

    • Enable the Single Value option if the attribute may hold only a single value at a time. If this option is not enabled, the attribute may hold multiple values.

    • Optionally, select a parent attribute for the new attribute by selecting an existing attribute from the Superior list.


    Note:

    One problem with managing an LDAP schema is knowing to which objectclass, or objectclasses, an attribute belongs. While every objectclass shows the attributes it contains, directory administrators often want to know which objectclass is using an attribute; particularly for custom attributes.

    When you select an attribute from the Attribute Types list, Oracle Directory Services Manager displays information about that attribute, including a Referenced By table. This table shows which direct objectclasses are using the selected attribute and how that attribute is being referenced. (Attributes are referenced as mandatory or optional.)

    Be aware that the Referenced By table does not list any objectclasses that inherit the attribute (use it indirectly). For example, if sn is referenced by the person objectclass, the Referenced By table only lists the person objectclass. The table does not list the inetorganizationalperson or organizationalperson objectclasses, which are inherited from the person objectclass.


  6. Click OK on the New Attribute Type dialog box to create the attribute. The new attribute appears in the Attribute Types tree.

15.2.2 Managing Oracle Virtual Directory Schema Object Classes

This section explains how to manage Oracle Virtual Directory schema object classes and contains the following tasks:

15.2.2.2 Creating New Schema Object Classes

Perform the following steps to create new Oracle Virtual Directory schema object classes using Oracle Directory Services Manager:

  1. Log in to Oracle Directory Services Manager.

  2. Select Schema from the task selection bar. The Attribute Types and Object Classes navigation tree appears.

  3. Expand the Object Classes entry. A list of the existing schema object classes appears.

  4. Click the Create button. The New Object Class dialog box appears.

  5. Enter the following information in the New Object Class dialog box fields:

    • Enter the name of the new object class in the Name field.

    • Optionally, enter a description for the object class in the Description field. Oracle Virtual Directory does not enforce this object class definition.

    • Enter a unique object identifier string in the Object ID field. Oracle recommends registering all custom object classes by using a unique object identifier.

    • Enable the Obsolete option to mark the object class as obsolete for administrative purposes. Oracle Virtual Directory does not enforce this object class definition.

    • Select the type of object class by selecting one option from the following Type list. Oracle Virtual Directory does not enforce this object class definition.

      • Select Abstract if the object class represents object classes to be inherited by another class and not intended to be used directly by an object.

      • Select Auxiliary if the object class will be used to add additional attributes to an existing object (based on a structural object class).

      • Select Structural if the object class can form an entry.

    • Select a parent object class for the new object class by selecting an existing object class from the Superior list. If you do not select a parent object class, the new object class must be a descendant of top.

    • Add attributes that must be present in the object class by clicking the Add button in the Mandatory Attributes field, selecting an attribute from the list of existing attributes in the Mandatory Attribute Selector dialog box, and clicking OK. You can delete Mandatory Attributes by selecting the attribute and clicking the Delete button.

    • Add attributes that may optionally be supplied in the object class by clicking the Add button in the Optional Attributes field, selecting an attribute from the list of existing attributes in the Optional Attribute Selector dialog box, and clicking OK. You can delete Optional Attributes by selecting the attribute and clicking the Delete button.

  6. Click OK on the New Object Class dialog box to create the object class. The new object class appears in the Object Classes tree.
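The attribute-type and object-class dialogs above collect the fields of a standard schema definition; when the same definitions are loaded with ldapmodify instead, the note at the start of this section applies (keywords in capitals, add rather than replace). The following added example, not Oracle code, builds both kinds of definition from those fields and checks the keyword rule before emitting LDIF. The attribute and object class names and the 1.3.6.1.4.1.99999 OID arc are constructed samples, and cn=schema as the DN of the schema entry is an assumption.

```python
"""Build RFC 4512 schema definitions from the dialog fields and emit ldapmodify LDIF.

Added illustration, not Oracle code. Names and the 1.3.6.1.4.1.99999 OID arc are
constructed samples; cn=schema as the schema entry DN is an assumption.
"""

KEYWORDS = ("NAME", "DESC", "OBSOLETE", "SUP", "EQUALITY", "ORDERING", "SUBSTR",
            "SYNTAX", "SINGLE-VALUE", "USAGE", "ABSTRACT", "STRUCTURAL",
            "AUXILIARY", "MUST", "MAY")
TAKES_VALUE = ("NAME", "DESC", "SUP", "EQUALITY", "ORDERING", "SUBSTR", "SYNTAX", "USAGE")


def attribute_type(oid, name, syntax, description=None, size=0, usage=None,
                   equality=None, ordering=None, substring=None,
                   single_value=False, superior=None):
    """One AttributeTypeDescription from the New Attribute Type dialog fields."""
    parts = [oid, f"NAME '{name}'"]
    if description:
        parts.append(f"DESC '{description}'")
    if superior:
        parts.append(f"SUP {superior}")
    if equality:
        parts.append(f"EQUALITY {equality}")
    if ordering:
        parts.append(f"ORDERING {ordering}")
    if substring:
        parts.append(f"SUBSTR {substring}")
    parts.append(f"SYNTAX {syntax}" + (f"{{{size}}}" if size else ""))  # size 0 = unlimited
    if single_value:
        parts.append("SINGLE-VALUE")
    if usage:
        parts.append(f"USAGE {usage}")
    return "( " + " ".join(parts) + " )"


def object_class(oid, name, kind="STRUCTURAL", description=None, obsolete=False,
                 superior="top", must=(), may=()):
    """One ObjectClassDescription from the New Object Class dialog fields."""
    if kind not in ("ABSTRACT", "AUXILIARY", "STRUCTURAL"):
        raise ValueError(f"unknown object class type {kind!r}")
    parts = [oid, f"NAME '{name}'"]
    if description:
        parts.append(f"DESC '{description}'")
    if obsolete:
        parts.append("OBSOLETE")
    parts.append(f"SUP {superior}")   # defaults to top, as the dialog requires
    parts.append(kind)
    if must:
        parts.append("MUST ( " + " $ ".join(must) + " )")
    if may:
        parts.append("MAY ( " + " $ ".join(may) + " )")
    return "( " + " ".join(parts) + " )"


def lowercase_keywords(definition):
    """Keywords not written in capitals (the rule from the note at the start of this section).

    The token after a value-taking keyword is skipped so that 'SUP name' is not
    mistaken for a lowercase NAME keyword; quoted strings are not otherwise parsed.
    """
    found, skip = [], False
    for tok in definition.split():
        if skip:
            skip = False
            continue
        if tok.upper() in KEYWORDS and tok != tok.upper():
            found.append(tok)
        skip = tok.upper() in TAKES_VALUE
    return found


def schema_add_ldif(attribute_types=(), object_classes=(), schema_dn="cn=schema"):
    """LDIF that adds the definitions with ldapmodify (add, never replace; no line folding)."""
    for d in list(attribute_types) + list(object_classes):
        bad = lowercase_keywords(d)
        if bad:
            raise ValueError(f"lowercase keyword(s) {bad} in {d}")
    lines = [f"dn: {schema_dn}", "changetype: modify"]
    if attribute_types:
        lines.append("add: attributetypes")
        lines += [f"attributetypes: {d}" for d in attribute_types]
        lines.append("-")
    if object_classes:
        lines.append("add: objectclasses")
        lines += [f"objectclasses: {d}" for d in object_classes]
        lines.append("-")
    return "\n".join(lines) + "\n"
```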


11 Creating and Managing Oracle Virtual Directory Listeners

This chapter explains how to create Oracle Virtual Directory Listeners and includes the following topics:

11.1 What is a Listener?

Oracle Virtual Directory provides services to clients through connections known as Listeners. Oracle Virtual Directory supports the following two types of Listeners:

  • LDAP: provides LDAPv2/v3 based services

  • HTTP: provides one or more services such as DSMLv2, or basic white page functions provided by an XSLT enabled Web Gateway

An Oracle Virtual Directory configuration can have any number of Listeners or it can even have zero Listeners, thus restricting access to only the administrative gateway. Most Oracle Virtual Directory deployments need no more than two HTTP Listeners and two LDAP Listeners, where one Listener is for SSL and one for non-SSL for each protocol.


Note:

You must explicitly stop and start Oracle Virtual Directory—not Restart—to load Listener configurations to the Oracle Virtual Directory server. This includes after creating, updating, or deleting a Listener.

11.2 Understanding the Default Oracle Virtual Directory Listeners

Oracle Virtual Directory includes two Listeners by default: an HTTP Listener named Admin Gateway and an LDAP Listener named LDAP SSL Endpoint.

Admin Gateway

The HTTP Listener named Admin Gateway is the interface the Oracle Virtual Directory server uses to communicate with the Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control user interfaces. You cannot communicate with the Oracle Virtual Directory using the Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control user interfaces if you disable the Admin Gateway Listener. Refer to "Editing the Oracle Virtual Directory Administrative Listener Settings" for more information about editing the Oracle Virtual Directory Administrative Listener settings.

LDAP SSL Endpoint

The LDAP Listener named LDAP SSL Endpoint is the interface Oracle Virtual Directory uses to provide performance metrics in Oracle Enterprise Manager Fusion Middleware Control. LDAP SSL Endpoint should always be enabled and secured using SSL Server Authentication. Do not delete or disable LDAP SSL Endpoint. If you need an LDAP Listener that is secured using a different SSL mode, create a new Listener using Oracle Enterprise Manager Fusion Middleware Control.

11.3 Configuring Oracle Virtual Directory to Listen on Privileged Ports

Perform the following steps to enable Oracle Virtual Directory 11g Release 1 (11.1.1.2.0) and higher on UNIX/Linux platforms to listen on privileged ports, that is, port numbers less than 1024:

  1. As the same user that installed Oracle Virtual Directory, create the cap.ora file as follows:

    echo `id -ng`: bind  > /tmp/cap.ora
    
  2. Using the Oracle Process Manager and Notification Server (OPMN) control command, stop all components:

    $ORACLE_INSTANCE/bin/opmnctl stopall
    
  3. Change to root user permissions:

    su root
    
  4. Update the ORACLE_HOME/bin/hasbind file by performing the following steps:

    1. Change ownership of the file to root:

      chown root $ORACLE_HOME/bin/hasbind
      
    2. Change the permissions on the file as follows:

      chmod 4755 $ORACLE_HOME/bin/hasbind
      
  5. Copy the cap.ora file you created in step 1 to the /etc/ directory:

    cp /tmp/cap.ora /etc/cap.ora
    
  6. Change the permissions on the /etc/cap.ora file as follows:

    chmod 644 /etc/cap.ora
    
  7. As the same user that installed Oracle Virtual Directory, start Oracle Virtual Directory and enable it to listen on privileged ports by using the following command:

    $ORACLE_HOME/bin/hasocket $ORACLE_INSTANCE/bin/opmnctl startall
    

    Note:

    To enable Oracle Virtual Directory to listen on privileged ports, you must start it using only this command.

After performing the steps in this procedure, Oracle Virtual Directory listeners can listen on privileged ports. You can create new listeners and enter privileged port numbers, or edit existing listeners to use privileged port numbers.
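The procedure above leaves a setuid-root binary (hasbind) and a capability file (/etc/cap.ora) on the host, so it is worth being able to confirm the end state. The following added example, which is not Oracle's code, audits that state: the cap.ora line format ("group: bind") is taken from step 1, and the assumption that a line may carry more than one capability word is made only so that extra grants can be flagged.

```python
"""Audit the on-disk result of the privileged-port procedure: hasbind owned
by root with the setuid bit (mode 4755) and cap.ora mode 644, granting bind
only to the group that owns the installation.

Added example, not Oracle's code. cap.ora format assumed from step 1 of the
procedure: one "group: capability" line; extra capability words are flagged.
"""

import os
import stat


def audit_hasbind_stat(st_mode: int, st_uid: int, expected_uid: int = 0) -> list:
    """Findings for a hasbind st_mode/st_uid pair; an empty list means compliant."""
    findings = []
    perms = stat.S_IMODE(st_mode)
    if st_uid != expected_uid:
        findings.append(f"hasbind owner uid is {st_uid}, expected {expected_uid}")
    if not st_mode & stat.S_ISUID:
        findings.append("hasbind lacks the setuid bit (chmod 4755 not applied)")
    if perms & 0o022:
        # a group- or world-writable setuid-root binary is a local privilege escalation path
        findings.append(f"hasbind is group/world writable (mode {oct(perms)})")
    if not perms & 0o111:
        findings.append("hasbind is not executable")
    return findings


def audit_cap_ora_text(text: str, expected_group: str, st_mode: int = 0o100644) -> list:
    """Findings for the contents (and optional stat mode) of cap.ora."""
    findings = []
    if stat.S_IMODE(st_mode) != 0o644:
        findings.append(f"cap.ora mode is {oct(stat.S_IMODE(st_mode))}, expected 0o644")
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        group, sep, caps = line.partition(":")
        group, caps = group.strip(), caps.split()
        if not sep or not group or not caps:
            findings.append(f"cap.ora line {lineno}: malformed entry {raw!r}")
            continue
        if group != expected_group:
            findings.append(f"cap.ora line {lineno}: grants {' '.join(caps)} "
                            f"to unexpected group {group}")
        extra = [c for c in caps if c != "bind"]
        if extra:
            findings.append(f"cap.ora line {lineno}: capabilities beyond bind: {' '.join(extra)}")
    return findings


def audit_privileged_port_setup(hasbind_path: str, cap_ora_path: str, expected_group: str) -> list:
    """Run both audits against real files, for example
    audit_privileged_port_setup('$ORACLE_HOME/bin/hasbind', '/etc/cap.ora', group)
    where group is the output of `id -ng` for the installing user."""
    hb = os.stat(hasbind_path)
    cap = os.stat(cap_ora_path)
    with open(cap_ora_path, encoding="utf-8") as fh:
        text = fh.read()
    return (audit_hasbind_stat(hb.st_mode, hb.st_uid)
            + audit_cap_ora_text(text, expected_group, cap.st_mode))
```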

11.4 Creating and Managing Listeners Using Fusion Middleware Control

This topic explains how to create and manage Oracle Virtual Directory Listeners using Oracle Enterprise Manager Fusion Middleware Control and contains the following sections:

11.4.1 Creating LDAP Listeners

Perform the following steps to create an LDAP Listener using Oracle Enterprise Manager Fusion Middleware Control. Typically, when running secure and non-secure LDAP, there are at least two Listeners configured; one for regular LDAP (default port is 6501) and one for secure LDAP using SSL (default port is 7501).

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control and navigate to the Oracle Virtual Directory target where you want to create the LDAP Listener.

  2. Select Administration and then Listeners from the Oracle Virtual Directory menu. The Listeners screen appears.

  3. Click the Create button. The Add Listener screen appears.

  4. Select LDAP from the Listener Type list and set values for the LDAP Listener configuration parameters as described in Table 11-1:

    Table 11-1 LDAP Listener Configuration Parameters

    Type | Parameter | Description

    Basic

    Listener Name

    Name of the Listener. Use only ASCII characters in the value for the Listener Name parameter, as non-ASCII characters are not supported.

    In addition, do not use the following characters in a listener name:

    | ; , ! @ # $ ( ) < > / \ " ' ` ~ { } [ ] = + & ^ space or tab

    Listener Host

    Specify the IP address the Listener should use to listen for connections from clients. By default, Oracle Virtual Directory listens on all IP addresses if no value or 0.0.0.0 is specified for this parameter.

    Note: Do not use a loopback IP address, including 127.0.0.1, :0:0:1, localhost, and so on, for the Listener Host setting.

    If you set this parameter to an IP address or host, the Listener uses that IP address or host to listen for connections from clients, regardless of whether the IP address or host is virtual or real.

    Listener Port

    The port number on which the Listener provides service. Only one Listener per server can be active on a port at any given time.

    If Oracle Virtual Directory is installed on the same server as an existing server, for example, an Active Directory domain controller, enter a port that does not conflict with the existing service.

    Threads

    The number of active worker threads the Listener uses to concurrently process incoming requests. The Listener automatically increases the number of threads if you enter an insufficient amount. This initial setting serves only to indicate to Oracle Virtual Directory the expected number of simultaneous clients so that it can preallocate resources. The default setting is 10, which should be sufficient for testing purposes. For production environments, Oracle recommends increasing this setting to 50.

    Listener Enabled

    Enables (selected) and disables (not selected) the Listener for service.

    LDAP Options

    Anonymous Bind

    Controls how Oracle Virtual Directory handles LDAP anonymous authentication. Allow permits anonymous authentication; Deny prevents anonymous operations; and DenyDNOnly prevents empty password authentication.

    Note: According to the LDAP protocol specification, if an LDAP client connects to an LDAP server with a non-empty DN and an empty password, the LDAP server is expected to provide a successful anonymous bind. For applications that use LDAP for authentication, this could allow end users to log in to their applications without entering a password. Most LDAP-enabled applications protect against this use case. However, as an extra safeguard, you can configure Oracle Virtual Directory to prevent this from happening.


    Work Queue Capacity

    Specifies the maximum number of pending LDAP requests that can accumulate when all worker threads associated with the LDAP Listener are busy processing requests. Once the specified capacity is reached, the LDAP Listener rejects new requests with a DSA is busy error. The default value is 1024.


    Allow StartTLS

    Determines whether LDAP clients can use StartTLS. If enabled, the LDAP Listener allows clients to use the StartTLS extended operation to initiate secure communication over an insecure channel.

    Socket Options

    Backlog

    Determines the maximum number of pending connection requests that can accumulate before the server starts rejecting new connection attempts. Default setting is 128.


    Read Timeout

    Enables and disables tolerance for idle client connections with the specified timeout period in milliseconds. If set to a nonzero time, client connections to the Oracle Virtual Directory server can remain idle only for the set amount of time. If the connection is idle for a period longer than the specified time, the client connection is terminated. A value of zero is considered an infinite timeout. The default value is 0.


    Reuse Address

    Determines whether the LDAP Listener should reuse socket descriptors. If enabled, socket descriptors for clients in TIME_WAIT state can be reused.


    TCP Keep Alive

    Determines whether the LDAP connection should use TCP keep-alive. If enabled, TCP keep-alive messages are periodically sent to the client to verify that the associated connection is still valid.


    TCP No Delay

    Determines whether the LDAP connection should use TCP no-delay. If enabled, response messages to the client are sent immediately, rather than potentially waiting to determine whether additional response messages can be sent in the same packet.


  5. Click the OK button on the Add Listener screen to save the LDAP Listener.

  6. Stop Oracle Virtual Directory if it is running by referring to Stopping the Oracle Virtual Directory Server Using Fusion Middleware Control. After it stops, start Oracle Virtual Directory by referring to Starting the Oracle Virtual Directory Server Using Fusion Middleware Control.


    Note:

    You must explicitly stop and start Oracle Virtual Directory—not Restart—to load the Listener configuration to the Oracle Virtual Directory server.
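The Anonymous Bind parameter in Table 11-1 above distinguishes three empty-password cases. The following added example, which is not Oracle's code, encodes and parses LDAPv3 simple BindRequests (the on-the-wire form of the bind the table's note describes) and applies each Anonymous Bind value to them; the decision each value yields is inferred from the table's one-line descriptions and is an assumption to check against your own server.

```python
"""Encode and parse LDAPv3 simple BindRequests (RFC 4511 BER framing) and
apply the Anonymous Bind policy values from Table 11-1 to them.

Added example, not Oracle's code. The policy mapping is inferred from the
table and is an assumption: Allow accepts every empty-password bind as
anonymous, Deny refuses all of them, DenyDNOnly refuses only a non-empty DN
paired with an empty password.
"""


def _ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def encode_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { 3, name, simple [0] } }."""
    bind = (_tlv(0x02, bytes([3]))                    # version INTEGER 3
            + _tlv(0x04, dn.encode("utf-8"))          # name LDAPDN (OCTET STRING)
            + _tlv(0x80, password.encode("utf-8")))   # authentication simple [0]
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))


def parse_simple_bind(pdu: bytes) -> dict:
    """Pull messageID, version, dn and password out of a simple-bind PDU."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, p = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, p)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, ver, p = _read_tlv(op, 0)
    _, name, p = _read_tlv(op, p)
    tag, auth, _ = _read_tlv(op, p)
    if tag != 0x80:
        raise ValueError("only simple authentication is handled here")
    return {"message_id": int.from_bytes(mid, "big"),
            "version": int.from_bytes(ver, "big"),
            "dn": name.decode("utf-8"), "password": auth.decode("utf-8")}


def classify_bind(dn: str, password: str) -> str:
    """RFC 4513 names: anonymous (both empty), unauthenticated (DN, no password), simple."""
    if password == "":
        return "anonymous" if dn == "" else "unauthenticated"
    return "simple"


def bind_decision(policy: str, dn: str, password: str) -> str:
    """What the Listener does with the bind under the given Anonymous Bind value."""
    kind = classify_bind(dn, password)
    if kind == "simple":
        return "proceed"        # password is verified against the backend directory
    if policy == "Allow":
        return "anonymous"      # the behaviour the protocol specification expects
    if policy == "Deny":
        return "reject"
    if policy == "DenyDNOnly":
        return "reject" if kind == "unauthenticated" else "anonymous"
    raise ValueError(f"unknown Anonymous Bind value: {policy}")


def triage(pdus, policy: str) -> list:
    """Decode captured bind PDUs and report (dn, kind, decision) under one policy."""
    out = []
    for pdu in pdus:
        req = parse_simple_bind(pdu)
        out.append((req["dn"], classify_bind(req["dn"], req["password"]),
                    bind_decision(policy, req["dn"], req["password"])))
    return out


# Constructed sample traffic: a real login, an unauthenticated bind, an anonymous bind.
SAMPLE_PDUS = [
    encode_simple_bind(1, "cn=alice,dc=example,dc=com", "correct horse"),
    encode_simple_bind(2, "cn=alice,dc=example,dc=com", ""),
    encode_simple_bind(3, "", ""),
]
```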

11.4.2 Creating HTTP Listeners

Perform the following steps to create an HTTP Listener using Oracle Enterprise Manager Fusion Middleware Control:


See:

Appendix C, "HTTP Listener's Web Gateway Service" for more information about the HTTP Listener's Web Gateway settings.

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control and navigate to the Oracle Virtual Directory target where you want to create the HTTP Listener.

  2. Select Administration and then Listeners from the Oracle Virtual Directory menu. The Listeners screen appears.

  3. Click the Create button. The Add Listener screen appears.

  4. Select HTTP from the Listener Type list and set values for the HTTP Listener configuration parameters as described in Table 11-2:

    Table 11-2 HTTP Listener Configuration Parameters

    Type | Parameter | Description

    Basic

    Listener Name

    Name of the Listener. Use only ASCII characters in the value for the Listener Name parameter, as non-ASCII characters are not supported.

    Listener Host

    Specify the IP address the Listener should use to listen for connections from clients. By default, Oracle Virtual Directory listens on all IP addresses if no value or 0.0.0.0 is specified for this parameter.

    Note: Do not use a loopback IP address, including 127.0.0.1, :0:0:1, localhost, and so on, for the Listener Host setting.

    If you set this parameter to an IP address or host, the Listener uses that IP address or host to listen for connections from clients, regardless of whether the IP address or host is virtual or real.

    Listener Port

    The port number on which the Listener provides service. Only one Listener per server can be active on a port at any given time.

    Threads

    The number of active worker threads the Listener uses to concurrently process incoming requests. The Listener automatically increases the number of threads if you enter an insufficient amount. This initial setting serves only to indicate to Oracle Virtual Directory the expected number of simultaneous clients so that it can preallocate resources. The default setting is 10, which should be sufficient for testing purposes. For production environments, Oracle recommends increasing this setting to 50.

    Listener Enabled

    Enables (selected) and disables (not selected) the Listener for service.

    DSML V2 Service

    Realm Name

    Name of the realm used by Oracle Virtual Directory to protect the DSMLv2 service when the DSMLv2 service is security enabled. This realm name appears in an HTTP browser challenge to the user.

    Web Gateway Service Section

    Allow Anonymous Access

    Enables and disables anonymous access to the Web Gateway.


    Search Root

    The root distinguished name (namespace) of the directory tree where the Web Gateway starts its sub-tree search for user identity names (UIDs) provided after a user authentication challenge.


    Search Attributes

    The attribute the Web Gateway attempts to match when searching for a UID.


    User Object Classes

    The objectclasses the Web Gateway uses when searching for users to authenticate.


    Result Cache Life (seconds)

    Maximum time that Oracle Virtual Directory waits before re-querying a user credential stored in the directory source.


    HTDocs Path

    The directory path, relative to the Oracle Virtual Directory root installation, where the XSLT and HTML files are located.


    Certificate Attributes

    Indicates which attributes contain binary PKI certificate information. The default value is usercertificate.


    Photo/Image Attributes

    Indicates which attributes contain graphical images. The default value is jpegphoto.


    Image Display Height

    The height the Web Gateway scales photos to. The default value is 100.


    Image Display Width

    The width the Web Gateway scales photos to. The default value is 100.


  5. Click the OK button on the Add Listener screen to save the HTTP Listener.

  6. Stop Oracle Virtual Directory if it is running by referring to Stopping the Oracle Virtual Directory Server Using Fusion Middleware Control. After it stops, start Oracle Virtual Directory by referring to Starting the Oracle Virtual Directory Server Using Fusion Middleware Control.


    Note:

    You must explicitly stop and start Oracle Virtual Directory—not Restart—to load the Listener configuration to the Oracle Virtual Directory server.

11.4.3 Managing Listeners

This topic explains how to manage Oracle Virtual Directory Listeners using Oracle Enterprise Manager Fusion Middleware Control and contains the following sections:

11.4.3.1 Editing Listener Settings

Perform the following steps to update settings for an existing Listener (LDAP or HTTP) using Oracle Enterprise Manager Fusion Middleware Control:

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control and navigate to the Oracle Virtual Directory target where the Listener you want to edit resides.

  2. Select Administration and then Listeners from the Oracle Virtual Directory menu. The Listeners screen appears displaying the existing Listeners.

  3. Select the Listener you want to edit by clicking on it.

  4. Click the Edit button. The Edit Listener screen appears displaying the Listener's current settings.

  5. Edit the settings as desired.

    Refer to Table 11-1, "LDAP Listener Configuration Parameters" for information about each LDAP Listener parameter.

    Refer to Table 11-2, "HTTP Listener Configuration Parameters" for information about each HTTP Listener parameter.

  6. Click the OK button on the Edit Listener screen to save the Listener.

  7. Stop Oracle Virtual Directory if it is running by referring to Stopping the Oracle Virtual Directory Server Using Fusion Middleware Control. After it stops, start Oracle Virtual Directory by referring to Starting the Oracle Virtual Directory Server Using Fusion Middleware Control.


    Note:

    You must explicitly stop and start Oracle Virtual Directory—not Restart—to load the Listener configuration to the Oracle Virtual Directory server.

11.4.3.1.1 Editing the Oracle Virtual Directory Administrative Listener Settings

You can edit the settings for the Oracle Virtual Directory Administrative Listener in the same manner that you edit settings for LDAP or HTTP Listeners. However, if you disable the Admin Gateway Listener, you cannot communicate with the Oracle Virtual Directory using the Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control user interfaces. Refer to "Understanding the Default Oracle Virtual Directory Listeners" for more information about the Admin Listener.

Perform the following steps to edit settings for the Admin Gateway Listener using Oracle Enterprise Manager Fusion Middleware Control:

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control and navigate to the Oracle Virtual Directory target.

  2. Select Administration and then Listeners from the Oracle Virtual Directory menu. The Listeners screen appears displaying the existing Listeners.

  3. Select the Admin Gateway Listener by clicking on it.

  4. Click the Edit button. The Edit Listener screen appears displaying the Admin Gateway Listener's current settings.

  5. Edit the Administrative Listener settings as desired and click Submit. Each Administrative Listener setting is described below in the "Administrative Listener Settings" section.

  6. Stop Oracle Virtual Directory if it is running by referring to Stopping the Oracle Virtual Directory Server Using Fusion Middleware Control. After it stops, start Oracle Virtual Directory by referring to Starting the Oracle Virtual Directory Server Using Fusion Middleware Control.


    Note:

    You must explicitly stop and start Oracle Virtual Directory—not Restart—to load the Listener configuration to the Oracle Virtual Directory server.

  7. Use the opmnctl updatecomponentregistration command to update the registration of the Oracle Virtual Directory component that contains the Admin Listener you edited.

    The syntax for opmnctl updatecomponentregistration is:

    $ORACLE_INSTANCE/bin/opmnctl updatecomponentregistration 
       [-adminHost hostname] 
       [-adminPort weblogic_port] 
       [-adminUsername weblogic_admin]
       [-adminPasswordFile 'FILE_WITH_WEBLOGIC_ADMIN_PASSWORD']
       [-componentType OVD] 
       -componentName componentName
       [-Host OVD_HOST_NAME]
    

    Note:

    • If you do not use the -Host option, the value in listeners.os_xml will be used.

    • Both the componentName and componentType parameters are required.


    For example:

    $ORACLE_INSTANCE/bin/opmnctl updatecomponentregistration -adminHost myhost \
    -adminPort 7001 -adminUsername weblogic -componentType OVD -componentName ovd1    
    

Administrative Listener Settings

Listener Host

The name or IP address of the host where the Oracle Virtual Directory server is running. The default value is 0.0.0.0, which sets the Admin Listener to listen on all IP Addresses configured for the host.


Notes:

  • Do not use a loopback IP address, including 127.0.0.1, :0:0:1, localhost, and so on, for the Listener Host setting.

  • If you edit the Host setting, you must immediately perform step 6 or you cannot communicate with Oracle Virtual Directory using the Oracle Enterprise Manager Fusion Middleware Control user interface.


Listener Port

The port on which Oracle Virtual Directory provides administrative services. This is the port used by the Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control user interfaces to communicate with the Oracle Virtual Directory server.


Note:

If you edit the Listener Port setting, you must immediately perform step 6 or you cannot communicate with Oracle Virtual Directory using the Oracle Enterprise Manager Fusion Middleware Control user interface.

Threads

The number of active worker threads the Listener uses to concurrently process incoming requests.

Listener Enabled

Select to enable the Listener for service. If you disable the Admin Gateway Listener, you cannot communicate with Oracle Virtual Directory using the Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control user interfaces. The default setting is Enabled.

Change SSL Settings

Displays the current SSL setting (Enabled or Disabled) for the Listener and provides a link to change the Listener's SSL settings. To edit the Listener's SSL Settings, click the link and refer to "Configuring SSL for Listeners Using Fusion Middleware Control" for more information.


Note:

If you edit the SSL setting (Enabled or Disabled), you must update the Oracle Virtual Directory component registration by referring to Updating the Component Registration of an Oracle Instance Using OPMNCTL. If you do not update the Oracle Virtual Directory component registration after editing the SSL setting, you cannot communicate with Oracle Virtual Directory using the Oracle Enterprise Manager Fusion Middleware Control user interface.

11.5 Managing Listeners Using WLST

This topic explains how to manage Oracle Virtual Directory Listeners using WLST and contains the following sections:


11.5.1 Updating Listener Settings

You can use WLST to update the settings for an existing Listener as follows:

  1. Launch the WLST command line tool shell.

  2. Connect to the WebLogic Admin Server. For example:

    connect('username', 'password','t3://host_name:Admin_Server_Port')
    
  3. Move to the Oracle Virtual Directory Root Proxy MBean node and initialize the MBean. For example:

    custom()
    cd('oracle.as.management.mbeans.register')
    cd('oracle.as.management.mbeans.register:type=component,name=ovd1,instance=asinst1')
    invoke('load',jarray.array([],java.lang.Object),jarray.array([],java.lang.String))
    
  4. Move to the MBean node for the Listener you want to update, for example, the Listener named LDAP SSL Endpoint:

    cd('../..')
    cd('oracle.as.ovd')
    cd('oracle.as.ovd:type=component.Listenersconfig.sslconfig,name=LDAP SSL Endpoint,instance=asinst_1,component=ovd1')
    
  5. Using the WLST set() command, update the appropriate setting. The following example updates the Threads setting:

    set('Threads', 20)
    

    Notes:

    • Do not use a loopback IP address, including 127.0.0.1, :0:0:1, localhost, and so on, for the Host setting.

    • If you edit the Host, Port, or SSL setting for the Admin Listener, you must update the Oracle Virtual Directory component registration by referring to Updating the Component Registration of an Oracle Instance Using OPMNCTL. If you do not update the Oracle Virtual Directory component registration after editing any of these settings for the Admin Listener, you cannot communicate with Oracle Virtual Directory using WLST.



    See Also:

    The following sections to learn more about the Listener settings you can configure using WLST: "Configuring Admin Listener Settings Using WLST", "Configuring LDAP Listener Settings Using WLST", and "Configuring HTTP Listener Settings Using WLST".

  6. Save the changes and then refresh the MBean. For example:

    cd('../..')
    cd('oracle.as.management.mbeans.register')
    cd('oracle.as.management.mbeans.register:type=component,name=ovd1,instance=asinst1')
    invoke('save',jarray.array([],java.lang.Object),jarray.array([],java.lang.String))
    invoke('load',jarray.array([],java.lang.Object),jarray.array([],java.lang.String))
    
  7. Stop Oracle Virtual Directory if it is running. After it stops, start Oracle Virtual Directory.


    Note:

    You must explicitly stop and start Oracle Virtual Directory—not Restart—to load the Listener configuration to the Oracle Virtual Directory server.

11.5.1.1 Configuring Admin Listener Settings Using WLST

The following is a list and description of the Admin Listener settings you can configure using WLST:


See Also:

"Understanding the Default Oracle Virtual Directory Listeners" for more information about the Admin Listener.

Active

Determines whether the Listener is enabled or disabled. Supported values are true and false. If you disable the Admin Listener, you cannot communicate with Oracle Virtual Directory using Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control user interfaces.

AuthenticationType

Determines the authentication mode for the Listener. Supported values are None, Server, and Mutual.

  • None configures the Listener for SSL No-Authentication Mode

  • Server configures the Listener for SSL Server Authentication Mode

  • Mutual configures the Listener for SSL Mutual Authentication

BindAddress

The InetAddress representation of the value for the Host setting. If you edit the BindAddress setting, the Host setting also changes. Conversely, if you edit the Host setting, the BindAddress setting also changes.

Ciphers

Configures cipher suite negotiation, which is part of the SSL handshaking used to initiate or verify secure communications. A cipher suite is a combination of cryptographic parameters that define the security algorithms and key sizes used for authentication, key agreement, encryption, and integrity protection. The default value is null. The following is a list of the supported values for the Ciphers setting:

  • SSL_RSA_WITH_RC4_128_MD5

  • SSL_RSA_WITH_RC4_128_SHA

  • SSL_RSA_WITH_3DES_EDE_CBC_SHA

  • SSL_RSA_WITH_DES_CBC_SHA

  • SSL_DH_anon_WITH_RC4_128_MD5

  • SSL_DH_anon_WITH_DES_CBC_SHA

  • SSL_DH_anon_WITH_3DES_EDE_CBC_SHA

  • TLS_RSA_WITH_AES_128_CBC_SHA

  • TLS_RSA_WITH_AES_256_CBC_SHA

GroupURL

An LDAP URL that defines a group of users with privileges to use the Admin Listener. These users have near root privileges when accessing the Oracle Virtual Directory server through the Oracle Enterprise Manager Fusion Middleware Control and Oracle Directory Services Manager interfaces.

Host

The name or IP address of the host where the Oracle Virtual Directory server is running. The default value is 0.0.0.0, which sets the Admin Listener to listen on all IP Addresses configured for the host.


Note:

Do not use a loopback IP address, including 127.0.0.1, :0:0:1, localhost, and so on, for the Host setting.

KeyStore

The name of the JKS keystore containing the SSL artifacts.

Name

The name of the Listener.

Port

The port on which Oracle Virtual Directory provides administrative services. This is the port used by the Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control user interfaces to communicate with the Oracle Virtual Directory server.

Protocol

The protocol the Admin Listener uses to provide service. Supported values are HTTP and HTTPS.

SSLEnabled

Determines whether SSL is enabled on the Listener. Supported values are true and false.

SSLVersions

The supported protocols for SSL communication. The following is a list of the supported values:

  • TLSv1

  • SSLv2Hello


    Note:

    The SSLv2Hello value cannot be specified alone. If you specify SSLv2Hello, you must also specify at least one other supported version.

  • SSLv3

Threads

The number of active worker threads the Listener uses to listen for connections on the port.

TrustStore

The name of the JKS keystore containing the SSL artifacts.

11.5.1.2 Configuring LDAP Listener Settings Using WLST

The following is a list and description of the LDAP Listener settings you can configure using WLST:

Active

Determines whether the Listener is enabled or disabled. Supported values are true and false.

AllowStartTLS

Determines whether LDAP clients can use StartTLS. If enabled, the LDAP Listener allows clients to use the StartTLS extended operation to initiate secure communication over an insecure channel. Supported values are true and false. The default value is false.

AnonymousBind

Controls how Oracle Virtual Directory handles LDAP anonymous authentication. Supported values are listed in Table 11-3:

AuthenticationType

Determines the authentication mode for the Listener. Supported values are None, Server, and Mutual.

  • None configures the Listener for SSL No-Authentication Mode

  • Server configures the Listener for SSL Server Authentication Mode

  • Mutual configures the Listener for SSL Mutual Authentication

BindAddress

The InetAddress representation of the value for the Host setting. If you edit the BindAddress setting, the Host setting also changes. Conversely, if you edit the Host setting, the BindAddress setting also changes.

Ciphers

Configures cipher suite negotiation, which is part of the SSL handshaking used to initiate or verify secure communications. A cipher suite is a combination of cryptographic parameters that define the security algorithms and key sizes used for authentication, key agreement, encryption, and integrity protection. The default value is null. The following is a list of the supported values for the Ciphers setting:

  • SSL_RSA_WITH_RC4_128_MD5

  • SSL_RSA_WITH_RC4_128_SHA

  • SSL_RSA_WITH_3DES_EDE_CBC_SHA

  • SSL_RSA_WITH_DES_CBC_SHA

  • SSL_DH_anon_WITH_RC4_128_MD5

  • SSL_DH_anon_WITH_DES_CBC_SHA

  • SSL_DH_anon_WITH_3DES_EDE_CBC_SHA

  • TLS_RSA_WITH_AES_128_CBC_SHA

  • TLS_RSA_WITH_AES_256_CBC_SHA

ExtendedOpsClass

In addition to the normal operations defined by the LDAP protocol, you can define your own LDAP operation using this setting. This setting is the fully qualified Java class name of the class that implements your user-defined LDAP operation.

ExtendedOpsOid

The unique name for your user-defined LDAP operation identified by the ExtendedOpsClass setting.

Host

The name or IP address of the host where the Oracle Virtual Directory server is running. The default value is 0.0.0.0.


Note:

Do not use a loopback IP address, including 127.0.0.1, :0:0:1, localhost, and so on, for the Host setting.

KeyStore

The name of the JKS keystore containing the SSL artifacts.

Name

The name of the Listener.

Port

The port number on which the LDAP Listener provides service. Only one Listener per server can be active on a port at any given time.

Protocol

The protocol the LDAP Listener uses to provide service. Supported values are LDAP and LDAPS.

SSLEnabled

Determines whether SSL is enabled on the Listener. Supported values are true and false.

SSLVersions

The supported protocols for SSL communication. The following is a list of the supported values:

  • TLSv1

  • SSLv2Hello


    Note:

    The SSLv2Hello value cannot be specified alone. If you specify SSLv2Hello, you must also specify at least one other supported version.

  • SSLv3

SocketOptionsBacklog

Determines the maximum number of pending connection requests that can accumulate before the server starts rejecting new connection attempts. Default setting is 128.

SocketOptionsKeepAlive

Determines whether the LDAP connection should use TCP keep-alive. If enabled, TCP keep-alive messages are periodically sent to the client to verify that the associated connection is still valid. Supported values are true and false. The default value is false.

SocketOptionsReadTimeout

Enables and disables tolerance for idle client connections with the specified timeout period in milliseconds. If set to a nonzero time, client connections to the Oracle Virtual Directory server can remain idle only for the set amount of time. If the connection is idle for a period longer than the specified time, the client connection is terminated. A value of zero is considered an infinite timeout. The default value is 0.

SocketOptionsReuseAddress

Determines whether the LDAP Listener should reuse socket descriptors. If enabled, socket descriptors for clients in TIME_WAIT state can be reused. Supported values are true and false. The default value is false.

SocketOptionsTcpNoDelay

Determines whether the LDAP connection should use TCP no-delay. If enabled, response messages to the client are sent immediately, rather than potentially waiting to determine whether additional response messages can be sent in the same packet. Supported values are true and false. The default value is true.

Threads

The number of active worker threads the Listener uses to concurrently process incoming requests. The Listener automatically increases the number of threads if you specify an insufficient amount. This initial setting serves only to indicate to Oracle Virtual Directory the expected number of simultaneous clients so that it can preallocate resources. The default setting is 10, which should be sufficient for testing purposes. For production environments, Oracle recommends increasing this setting to 50.

TrustStore

The name of the JKS keystore containing the SSL artifacts.

WorkQueueCapacity

Specifies the maximum number of pending LDAP requests that can accumulate when all worker threads associated with the LDAP Listener are busy processing requests. Once the specified capacity is reached, the LDAP Listener rejects new requests with a DSA is busy error. The default value is 1024.


Note:

The DSA is busy error usually appears when a large number of requests are sent to the Oracle Virtual Directory server in a short time period and the LDAP Listener cannot support them.

11.5.1.3 Configuring HTTP Listener Settings Using WLST

The following is a list and description of the HTTP Listener settings you can configure using WLST:

Active

Determines whether the Listener is enabled or disabled. Supported values are true and false.

AuthenticationType

Determines the authentication mode for the Listener. Supported values are None, Server, and Mutual.

  • None configures the Listener for SSL No-Authentication Mode

  • Server configures the Listener for SSL Server Authentication Mode

  • Mutual configures the Listener for SSL Mutual Authentication

BindAddress

The InetAddress representation of the value for the Host setting. If you edit the BindAddress setting, the Host setting also changes. Conversely, if you edit the Host setting, the BindAddress setting also changes.

Ciphers

Configures cipher suite negotiation, which is part of the SSL handshaking used to initiate or verify secure communications. A cipher suite is a combination of cryptographic parameters that define the security algorithms and key sizes used for authentication, key agreement, encryption, and integrity protection. The default value is null. The following is a list of the supported values for the Ciphers setting:

  • SSL_RSA_WITH_RC4_128_MD5

  • SSL_RSA_WITH_RC4_128_SHA

  • SSL_RSA_WITH_3DES_EDE_CBC_SHA

  • SSL_RSA_WITH_DES_CBC_SHA

  • SSL_DH_anon_WITH_RC4_128_MD5

  • SSL_DH_anon_WITH_DES_CBC_SHA

  • SSL_DH_anon_WITH_3DES_EDE_CBC_SHA

  • TLS_RSA_WITH_AES_128_CBC_SHA

  • TLS_RSA_WITH_AES_256_CBC_SHA

CustomWebappContext

Base URL for the customer-developed custom web service.

CustomWebappSecurityRealm

Name of the realm used by Oracle Virtual Directory to protect the custom web service when the custom web service is security enabled.

CustomWebappWebapp

To use your own web application to handle HTTP connections instead of the HTTP Listener's Web Gateway, DSMLv2 Gateway, or both, use this setting to specify the path to your custom web application WAR file.

Dsmlv2SecurityRealm

Name of the realm used by Oracle Virtual Directory to protect the DSMLv2 service when the DSMLv2 service is security enabled. This realm name would appear in a HTTP browser challenge to the user.

Host

The name or IP address of the host where the Oracle Virtual Directory server is running. The default value is 0.0.0.0, which binds the Listener on every network interface of the host.


Note:

Do not use a loopback IP address, such as 127.0.0.1, ::1, or localhost, for the Host setting.

KeyStore

The name of the JKS keystore containing the SSL artifacts.

Name

The name of the Listener.

Port

The port number on which the HTTP Listener provides service. Only one Listener per server can be active on a port at any given time.

Protocol

The protocol the HTTP Listener uses to provide service. Supported values are HTTP and HTTPS.

SSLEnabled

Determines whether SSL is enabled on the Listener. Supported values are true and false.

SSLVersions

The supported protocols for SSL communication. The following is a list of the supported values:

  • TLSv1

  • SSLv2Hello


    Note:

    The SSLv2Hello value cannot be specified alone. If you specify SSLv2Hello, you must also specify at least one other supported version.

  • SSLv3

Threads

The number of active worker threads the Listener uses to concurrently process incoming requests. The Listener automatically increases the number of threads if you indicate an insufficient amount. This initial setting serves only to indicate to Oracle Virtual Directory the expected number of simultaneous clients so that it can preallocate resources. The default setting is 10, which should be sufficient for testing purposes. For production environments, Oracle recommends increasing this setting to 50.

TrustStore

The name of the JKS keystore containing the SSL artifacts.

WebgatewayAllowAnon

Enables and disables anonymous access to the Web Gateway. Supported values are true and false.

WebgatewayCertifiedAttributes

Indicates which attributes contain binary PKI certificate information. The default value is usercertificate.

WebgatewayHtDocsRoot

The directory path, relative to the Oracle Virtual Directory root installation, where the XSLT and HTML files are located.

WebgatewayMatchAttributes

The attributes the Web Gateway attempts to match when searching for a UID. The default value is uid, mail, cn.

WebgatewayMatchObjectClasses

The objectclasses the Web Gateway should use when searching for users to authenticate. The default value is inetorgperson, user.

WebgatewayPhotoAttributes

Indicates which attributes contain graphical images. The default value is jpegphoto.

WebgatewayPhotoHeight

The height the Web Gateway scales photos to. The default value is 100.

WebgatewayPhotoWidth

The width the Web Gateway scales photos to. The default value is 100.

WebgatewaySearchRoot

The root distinguished name (namespace) of the directory tree where the Web Gateway starts its sub-tree search for user identity names (UIDs) provided after a user authentication challenge.

WebgatewaySecurityRealm

Name of the realm used by Oracle Virtual Directory to protect the Web Gateway service when the Web Gateway service is security enabled.

WebgatewayUserCacheLife

Maximum time (in seconds) that Oracle Virtual Directory waits before re-querying a user credential stored in the directory source.

11.5.2 Deleting Listeners

You can use WLST to delete an existing Listener as follows:

  1. Launch the WLST command line tool shell.

  2. Connect to the WebLogic Admin Server. For example:

    connect('username', 'password','t3://host_name:Admin_Server_Port')
    
  3. Move to the Oracle Virtual Directory Root Proxy MBean node and initialize the MBean. For example:

    custom()
    cd('oracle.as.management.mbeans.register')
    cd('oracle.as.management.mbeans.register:type=component,name=ovd1,instance=asinst1')
    invoke('load',jarray.array([],java.lang.Object),jarray.array([],java.lang.String))
    
  4. Move to the Oracle Virtual Directory Listeners configuration MBean. For example:

    cd('../..')
    cd('oracle.as.ovd/oracle.as.ovd:type=component.Listenersconfig,name=Listenersconfig,instance=asinst1,component=ovd1')
    
  5. Delete the appropriate Listener, for example, the Listener named test1, as follows:

    invoke('deleteListener',jarray.array([java.lang.String('test1')],java.lang.Object),jarray.array(['java.lang.String'],java.lang.String))
    
  6. Save the changes and then refresh the MBean. For example:

    cd('../..')
    cd('oracle.as.management.mbeans.register')
    cd('oracle.as.management.mbeans.register:type=component,name=ovd1,instance=asinst1')
    invoke('save',jarray.array([],java.lang.Object),jarray.array([],java.lang.String))
    invoke('load',jarray.array([],java.lang.Object),jarray.array([],java.lang.String))
    
  7. Stop Oracle Virtual Directory if it is running. After it stops, start Oracle Virtual Directory.


    Note:

    You must explicitly stop and start Oracle Virtual Directory—not Restart—to load the Listener configuration to the Oracle Virtual Directory server.

11.6 Securing Listeners with SSL

This topic explains how to secure Oracle Virtual Directory Listeners using SSL and contains the following sections:


Note:

The following information describes SSL configuration for a single component. If you are configuring SSL for multiple components, you can use the Oracle SSL Automation Tool, which enables you to configure SSL for multiple components using a domain-specific CA.

Refer to the Oracle Fusion Middleware Administrator's Guide for complete information about the Oracle SSL Automation Tool.


11.6.1 Configuring SSL for Listeners Using Fusion Middleware Control

Perform the following steps to secure Oracle Virtual Directory Listeners with SSL using Oracle Enterprise Manager Fusion Middleware Control:


Note:

If you are configuring the Listener for SSL No-Auth mode, do not perform step 2 or sub-steps 5 through 8 of step 3 (the keystore and truststore names and passwords) in the following procedure.


See Also:

The information about enabling SSL for Oracle Virtual Directory Listeners in the Oracle Fusion Middleware Administrator's Guide.

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control and navigate to the Oracle Virtual Directory target of the Listener you want to secure with SSL.

  2. Create a keystore if one does not already exist by selecting Security and then Keystores from the Oracle Virtual Directory menu. The Java Keystore screen appears. Refer to the information about creating a keystore using Oracle Enterprise Manager in the Oracle Fusion Middleware Administrator's Guide for additional information.

  3. Configure the Listener by performing the following steps:

    1. Select Administration and then Listeners from the Oracle Virtual Directory menu. The Listeners screen appears.

    2. Select the Listener you want to secure with SSL by clicking on it and then click the Edit button. The Edit Listener: Listener Name screen appears.

    3. Click the Change SSL Settings link.

    4. Click the Enable SSL option to enable SSL on the Listener. If you are configuring the Listener for SSL No-Auth mode, skip to sub-step 9 now.

    5. Select the keystore you want to use from the Server Keystore Name field.


      Note:

      If you select a different keystore or change the certificate in the keystore for the Admin Gateway Listener or the LDAP SSL Endpoint Listener, you must import the certificate into the Oracle Enterprise Manager Fusion Middleware Control Agent's wallet. If you do not import the certificate, Oracle Enterprise Manager Fusion Middleware Control cannot connect to Oracle Virtual Directory to retrieve performance metrics.

      To import the certificate into the Oracle Enterprise Manager Fusion Middleware Control Agent's wallet:

      1. Export the Oracle Virtual Directory server certificate by executing the following command:

        ORACLE_HOME/jdk/jre/bin/keytool -exportcert \
        -keystore OVD_KEYSTORE_FILE -storepass PASSWORD \
        -alias OVD_SERVER_CERT_ALIAS -rfc \
        -file OVD_SERVER_CERT_FILE
        
      2. Add the Oracle Virtual Directory server certificate to the Oracle Enterprise Manager Fusion Middleware Control Agent's Wallet by executing the following command:

        ORACLE_COMMON_HOME/bin/orapki wallet add -wallet \
        $ORACLE_INSTANCE/EMAGENT/EMAGENT/sysman/config/monwallet \
        -trusted_cert -cert OVD_SERVER_CERT_FILE -pwd WALLET_PASSWORD
        

    6. Enter the password for the keystore in the Server Keystore Password field.


      Note:

      The password for the keystore that is created during the Oracle Virtual Directory installation is the same as the password set for the Oracle Virtual Directory administrator during installation.

    7. Select the truststore you want to use from the Server Truststore Name field.

    8. Enter the password for the truststore in the Server Truststore Password field.

    9. Click and expand the Advanced SSL Setting option.

    10. Select one of the following authentication modes for the Listener from the Client Authentication field.

      To configure the Listener for SSL No-Authentication Mode, select No Authentication.

      To configure the Listener for SSL Server Authentication Mode, select Server Authentication.

      To configure the Listener for SSL Mutual Authentication mode between the Oracle Virtual Directory server and the client, select Mutual Authentication.


      Note:

      The Optional Client Authentication mode is not supported for Oracle Virtual Directory Listeners.

    11. Select the appropriate option from the Cipher Suite field. You can select All, or a combination of individual options.


      Note:

      If you are configuring the Listener for SSL No-Auth mode, you must select at least one DH_anon cipher. For all other SSL modes, you must select at least one RSA cipher.

    12. Select the appropriate option from the SSL Protocol Version field.


      Note:

      The v2Hello option is not supported by itself. That is, you cannot select the v2Hello option alone; you must select it in combination with at least one other SSL Protocol Version from the list.

    13. Click the OK button.

  4. Stop Oracle Virtual Directory if it is running by referring to Stopping the Oracle Virtual Directory Server Using Fusion Middleware Control. After it stops, start Oracle Virtual Directory by referring to Starting the Oracle Virtual Directory Server Using Fusion Middleware Control.


    Note:

    You must explicitly stop and start Oracle Virtual Directory—not Restart—to load the Listener configuration to the Oracle Virtual Directory server.

11.6.2 Configuring SSL for Listeners Using WLST

To configure SSL for Oracle Virtual Directory using the WLST command line tool:


  1. Launch the WLST command line tool shell.

  2. Go to the custom tree using the following command:

    custom()
    
  3. Navigate to the root Oracle Virtual Directory mBean using the following commands:

    cd('oracle.as.management.mbeans.register')
    cd('oracle.as.management.mbeans.register:type=component,name=COMPONENT_NAME,instance=INSTANCE_NAME')
    
  4. Initialize the Oracle Virtual Directory configuration from the remote Oracle Virtual Directory server into the WebLogic server using the following command:

    invoke('load',jarray.array([],java.lang.Object),jarray.array([],java.lang.String))
    
  5. Identify the Listeners for this Oracle Virtual Directory component by executing the following command:

    listListeners('instName', 'compName')
    

    For example:

    listListeners('instance1','ovd1')
    

    The command lists all the Listeners for the component named ovd1. In the list of Listeners returned, identify the Listener you want to secure using SSL. For example, imagine you want to secure the Listener named LDAP SSL Endpoint.

  6. Display the existing SSL configuration for the Listener you want secure (LDAP SSL Endpoint in this example) using the following command:

    getSSL('instance1','ovd1','ovd','LDAP SSL Endpoint')
    
  7. Display the existing keystores using the following command:

    listKeyStores('instance1','ovd1','ovd')
    
  8. If necessary, create a new keystore and a self-signed certificate using the following commands.

    To create the new keystore, execute the following command:

    createKeyStore('instance1','ovd1','ovd','NEW_KEYSTORE_NAME','PASSWORD_FOR_NEW_KEYSTORE')
    

    To create a self-signed certificate in the new keystore, execute the following command:

    generateKey ('instance1','ovd1','ovd','NEW_KEYSTORE_NAME','PASSWORD_FOR_NEW_KEYSTORE', 'DN', 'keySize', 'alias')
    
  9. Identify the name of the SSL MBean for the Oracle Virtual Directory Listener by executing the following command:

    getSSLMBeanName('instance1','ovd1','ovd','LDAP SSL Endpoint')
    
  10. Set the passwords for the keystore and truststore in the MBean as follows:

    1. Change to the level /oracle.as.ovd/oracle.as.ovd using cd, and then run cd('SSL_MBEAN_NAME'), where SSL_MBEAN_NAME is the name returned by getSSLMBeanName in the previous step.

    2. Execute the following commands:

    set('KeyStorePassword',java.lang.String('PASSWORD').toCharArray())
    set('TrustStorePassword',java.lang.String('PASSWORD').toCharArray())
    
  11. Configure the SSL settings for the Listener using the following command and a file.prop properties file. A sample file.prop file is given in Example 11-1 for reference:

    configureSSL ('instance1', 'ovd1', 'ovd', 'LDAP SSL Endpoint', 'PATH_TO_file.prop')
    

    Note:

    If you configure a different keystore or change the certificate in the keystore for the Admin Gateway Listener or the LDAP SSL Endpoint Listener, you must import the certificate into the Oracle Enterprise Manager Fusion Middleware Control Agent's wallet. If you do not import the certificate, Oracle Enterprise Manager Fusion Middleware Control cannot connect to Oracle Virtual Directory to retrieve performance metrics.

    To import the certificate into the Oracle Enterprise Manager Fusion Middleware Control Agent's wallet:

    1. Export the Oracle Virtual Directory server certificate by executing the following command:

      ORACLE_HOME/jdk/jre/bin/keytool -exportcert \
      -keystore OVD_KEYSTORE_FILE -storepass PASSWORD \
      -alias OVD_SERVER_CERT_ALIAS -rfc \
      -file OVD_SERVER_CERT_FILE
      
    2. Add the Oracle Virtual Directory server certificate to the Oracle Enterprise Manager Fusion Middleware Control Agent's Wallet by executing the following command:

      ORACLE_COMMON_HOME/bin/orapki wallet add -wallet \
      $ORACLE_INSTANCE/EMAGENT/EMAGENT/sysman/config/monwallet \
      -trusted_cert -cert OVD_SERVER_CERT_FILE -pwd WALLET_PASSWORD
      

    Important Notes Regarding the file.prop File: 

    • Replace the variable values in Example 11-1 with the values for your environment.

    • If you are configuring the Listener for SSL No-Auth mode, you must select at least one DH_anon cipher. For all other SSL modes, you must select at least one RSA cipher.

    • You must specify the value of the KeyStore parameter when configuring SSL for server-auth and mutual-auth modes.

    • If you specify only AES ciphers, the SSLVersions parameter must contain TLSv1.

    • The text in the file.prop file is case sensitive.

    • Do not use spaces after cipher entries in the file.prop file.

    • Refer to the "Properties Files for SSL" section in the Oracle Fusion Middleware Administrator's Guide for more information about the contents of the file.prop file.


    See Also:

    The following sections for information about the AuthenticationType, SSLVersions, and Ciphers you can configure in file.prop:

  12. Save your changes and then refresh the MBean. For example:

    cd('../..')
    cd('oracle.as.management.mbeans.register')
    cd('oracle.as.management.mbeans.register:type=component,name=ovd1,instance=asinst1')
    invoke('save',jarray.array([],java.lang.Object),jarray.array([],java.lang.String))
    invoke('load',jarray.array([],java.lang.Object),jarray.array([],java.lang.String))
    
  13. Stop Oracle Virtual Directory if it is running. After it stops, start Oracle Virtual Directory.


    Note:

    You must explicitly stop and start Oracle Virtual Directory—not Restart—to load the Listener configuration to the Oracle Virtual Directory server.
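The rules listed under "Important Notes Regarding the file.prop File" and the supported Ciphers and SSLVersions values in Section 11.5.1.3 can be checked before configureSSL is run, which saves a stop/start cycle when the file is wrong. The following lint script is an added example, not code from this guide or from Oracle Virtual Directory. It assumes the file.prop keys use the Listener setting names (AuthenticationType, SSLVersions, Ciphers, KeyStore, TrustStore); the two sample files embedded in it are constructed for the example and are not Example 11-1.

```python
# Added example (not Oracle's code): lint a file.prop for configureSSL against the
# constraints this chapter states for Listener SSL settings. Assumptions: the
# property keys are the Listener setting names; the samples below are constructed.

# Values the chapter lists as supported for a Listener (file.prop is case sensitive).
SUPPORTED_CIPHERS = (
    'SSL_RSA_WITH_RC4_128_MD5', 'SSL_RSA_WITH_RC4_128_SHA',
    'SSL_RSA_WITH_3DES_EDE_CBC_SHA', 'SSL_RSA_WITH_DES_CBC_SHA',
    'SSL_DH_anon_WITH_RC4_128_MD5', 'SSL_DH_anon_WITH_DES_CBC_SHA',
    'SSL_DH_anon_WITH_3DES_EDE_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_AES_256_CBC_SHA',
)
SUPPORTED_VERSIONS = ('TLSv1', 'SSLv2Hello', 'SSLv3')
AUTH_TYPES = ('None', 'Server', 'Mutual')


def parse_props(text):
    """Parse key=value lines. Values are kept verbatim so stray spaces are detected."""
    props = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#') or '=' not in raw:
            continue
        key, value = raw.split('=', 1)
        props[key.strip()] = value
    return props


def check_ssl_props(props):
    """Return the list of rule violations; an empty list means file.prop is acceptable."""
    problems = []
    auth = props.get('AuthenticationType', '')
    if auth not in AUTH_TYPES:
        problems.append('AuthenticationType must be one of %s' % ', '.join(AUTH_TYPES))

    raw_ciphers = props.get('Ciphers', '')
    if ' ' in raw_ciphers:
        problems.append('Ciphers must not contain spaces')
    ciphers = [c.strip() for c in raw_ciphers.split(',') if c.strip()]
    for c in ciphers:
        if c not in SUPPORTED_CIPHERS:
            problems.append('unsupported cipher %s' % c)

    if auth == 'None':
        # No-Auth mode only works with the anonymous Diffie-Hellman suites.
        if not [c for c in ciphers if '_DH_anon_' in c]:
            problems.append('None mode needs at least one DH_anon cipher')
    else:
        # Server and Mutual modes present a certificate: RSA suite plus a keystore.
        if not [c for c in ciphers if '_RSA_' in c]:
            problems.append('%s mode needs at least one RSA cipher' % auth)
        if not props.get('KeyStore', '').strip():
            problems.append('KeyStore is required for Server and Mutual modes')

    versions = [v.strip() for v in props.get('SSLVersions', '').split(',') if v.strip()]
    for v in versions:
        if v not in SUPPORTED_VERSIONS:
            problems.append('unsupported SSL version %s' % v)
    if versions == ['SSLv2Hello']:
        problems.append('SSLv2Hello cannot be specified alone')
    if ciphers and not [c for c in ciphers if 'AES' not in c] and 'TLSv1' not in versions:
        problems.append('an AES-only Ciphers list requires TLSv1 in SSLVersions')
    return problems


def anonymous_ciphers_in_authenticated_mode(props):
    """Practitioner warning, not a rule from the guide: a Server or Mutual Listener that
    also offers DH_anon suites lets a client negotiate a connection in which the server
    is never authenticated."""
    if props.get('AuthenticationType') == 'None':
        return []
    return [c.strip() for c in props.get('Ciphers', '').split(',') if '_DH_anon_' in c]


# Constructed samples (not Example 11-1 from the guide).
SAMPLE_SERVER_AUTH = """\
AuthenticationType=Server
SSLVersions=TLSv1
Ciphers=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
KeyStore=keys.jks
TrustStore=keys.jks
"""

SAMPLE_BROKEN = """\
AuthenticationType=server
SSLVersions=SSLv2Hello
Ciphers=TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5
"""

if __name__ == '__main__':
    import sys
    props = parse_props(open(sys.argv[1]).read())
    for problem in check_ssl_props(props):
        print('ERROR: ' + problem)
    for cipher in anonymous_ciphers_in_authenticated_mode(props):
        print('WARNING: anonymous suite %s offered on an authenticated Listener' % cipher)
```

Run it as python lint_fileprop.py PATH_TO_file.prop before step 11. The WARNING line is the editor's addition rather than a documented rule: with a DH_anon suite in the list, a client (or an interposed attacker) can complete the handshake without the server ever proving its identity, so an authenticated Listener should offer RSA suites only.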
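WLST steps 4 through 12 above, together with the Listener deletion procedure in Section 11.5.2, collected into one script. This is an added example and not Oracle's code. It has to be run under the WLST shell (normally ORACLE_COMMON_HOME/common/bin/wlst.sh), because the WLST builtins (connect, custom, cd, set, invoke) and the Oracle Virtual Directory commands (listListeners, getSSL, getSSLMBeanName, configureSSL) exist only there; the script therefore calls none of them at import time. The environment variable names, command-line arguments and file name are assumptions; the MBean paths are transcribed from the steps above, including the /oracle.as.ovd/oracle.as.ovd level named in step 10.

```python
# Added example (not Oracle's code): one WLST script for the SSL configuration steps
# above and for the Listener deletion in Section 11.5.2. Run with wlst.sh; the WLST
# builtins and OVD commands used below are not available outside that shell.
# Assumed names: WLS_USER, WLS_PASSWORD, WLS_URL, OVD_KEYSTORE_PWD, OVD_TRUSTSTORE_PWD.
import os
import sys


def root_mbean(component, instance):
    """ObjectName of the Oracle Virtual Directory root proxy MBean for one component."""
    return ('oracle.as.management.mbeans.register:type=component,name=%s,instance=%s'
            % (component, instance))


def listeners_mbean(component, instance):
    """ObjectName of the Listeners configuration MBean (Section 11.5.2, step 4)."""
    return ('oracle.as.ovd/oracle.as.ovd:type=component.Listenersconfig,'
            'name=Listenersconfig,instance=%s,component=%s' % (instance, component))


def _empty_args():
    import jarray, java.lang
    return jarray.array([], java.lang.Object), jarray.array([], java.lang.String)


def _root_invoke(op, component, instance):
    """Run 'load' or 'save' on the root proxy MBean, starting from the custom tree root."""
    custom()
    cd('oracle.as.management.mbeans.register')
    cd(root_mbean(component, instance))
    args, sig = _empty_args()
    invoke(op, args, sig)


def configure_listener_ssl(instance, component, listener, prop_file, ks_pwd, ts_pwd):
    """Steps 4 to 12: load config, show current state, set passwords, apply file.prop."""
    import java.lang
    _root_invoke('load', component, instance)
    listListeners(instance, component)             # prints the Listener names for the log
    getSSL(instance, component, 'ovd', listener)   # current SSL settings, before the change
    ssl_mbean = getSSLMBeanName(instance, component, 'ovd', listener)
    custom()
    cd('oracle.as.ovd/oracle.as.ovd')              # level named in step 10 (transcribed)
    cd(ssl_mbean)
    # Passwords go on the MBean as char arrays; they are never written into file.prop.
    set('KeyStorePassword', java.lang.String(ks_pwd).toCharArray())
    set('TrustStorePassword', java.lang.String(ts_pwd).toCharArray())
    configureSSL(instance, component, 'ovd', listener, prop_file)
    _root_invoke('save', component, instance)
    _root_invoke('load', component, instance)


def delete_listener(instance, component, listener):
    """Section 11.5.2, steps 3 to 6, for any Listener name."""
    import jarray, java.lang
    _root_invoke('load', component, instance)
    custom()
    cd(listeners_mbean(component, instance))
    invoke('deleteListener',
           jarray.array([java.lang.String(listener)], java.lang.Object),
           jarray.array(['java.lang.String'], java.lang.String))
    _root_invoke('save', component, instance)
    _root_invoke('load', component, instance)


if __name__ == '__main__':
    # wlst.sh ovd_listener_ssl.py ssl|delete INSTANCE COMPONENT LISTENER [PATH_TO_file.prop]
    action, instance, component, listener = sys.argv[1:5]
    connect(os.environ['WLS_USER'], os.environ['WLS_PASSWORD'], os.environ['WLS_URL'])
    if action == 'ssl':
        configure_listener_ssl(instance, component, listener, sys.argv[5],
                               os.environ['OVD_KEYSTORE_PWD'],
                               os.environ['OVD_TRUSTSTORE_PWD'])
    elif action == 'delete':
        delete_listener(instance, component, listener)
    print('Done. Stop and then start Oracle Virtual Directory (not restart) to load the change.')
```

Passwords are taken from the environment so that neither the WebLogic credentials nor the keystore passwords end up in a script file or shell history; the save/load pair at the end is what step 12 requires before the mandatory stop and start.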

11.6.3 Validating the SSL Connection

This topic explains how to validate SSL connections for each SSL mode and contains the following sections:


Note:

If you are using default settings after installing 11g Release 1 (11.1.1), you can use the following values for the following variables described in this section:
  • For OVD_KEY_STORE_FILE, use:

    ORACLE_INSTANCE/config/OVD/ovd1/keystores/keys.jks

  • For OVD_SERVER_CERT_ALIAS, use serverselfsigned

  • For PASSWORD used for the -storepass and -jkspwd options, use the same password as orcladmin


11.6.3.1 SSL No-Authentication Mode

To validate a connection secured by SSL No-Authentication mode, execute the following command:

ORACLE_HOME/bin/ldapbind -D cn=orcladmin -q -U 1 -h HOST -p SSL_PORT

10 Managing Oracle Virtual Directory Server Processes

This chapter explains Oracle Virtual Directory process management using Oracle Process Manager and Notification Server and includes the following topics:

10.1 What is Oracle Process Manager and Notification Server?

The Oracle Process Manager and Notification Server (OPMN) is a daemon process that monitors Oracle Fusion Middleware components, including Oracle Virtual Directory. Oracle Enterprise Manager Fusion Middleware Control uses OPMN to stop or start Oracle Virtual Directory. From the command-line, you can use opmnctl, the command-line interface to OPMN, to perform the process management tasks for Oracle Virtual Directory that are documented in this chapter.


See Also:

The Oracle Process Manager and Notification Server Administrator's Guide for complete information about OPMN and the opmnctl command.

10.2 Understanding the Default Oracle Virtual Directory Image

When you install Oracle Virtual Directory on a host computer, the Oracle Identity Management 11g Installer creates:

If you selected either the Create New Domain or Extend Existing Domain options during installation, the Oracle Virtual Directory component is registered with a WebLogic domain. If you selected the None option during installation, the Oracle Virtual Directory component is not registered with a domain. Oracle recommends registering the Oracle Virtual Directory component with a domain. You can register it from the command-line using opmnctl as described in this chapter.

If you install multiple Oracle Virtual Directory components on multiple nodes using the Extend Existing Domain option during installation, the second and subsequent nodes will have component names of ovd2, ovd3 and so on.

10.3 Creating an Oracle Virtual Directory Component Using OPMNCTL

You create an Oracle Virtual Directory component in an Oracle instance by using opmnctl createcomponent. The following is the syntax for creating an Oracle Virtual Directory component using opmnctl createcomponent:

$ORACLE_INSTANCE/bin/opmnctl createcomponent 
   [-adminHost hostname] 
   [-adminPort weblogic_port] 
   [-adminUsername weblogic_admin]
   [-adminPasswordFile 'FILE_WITH_WEBLOGIC_ADMIN_PASSWORD']
   -componentType OVD 
   -componentName componentName
   [-passwordFile 'FILE_WITH_OVD_ADMIN_PASSWORD']
   [-admin cn=orcladmin]
   [-isAdminSSL true | false ]
   [-ovdAdminPort OVD_ADMIN_GATEWAY_PORT]
   [-namespace dc=us,dc=oracle,dc=com]
   [-ldapPort LDAP_PORT]
   [-ldapSport  SSL_ENABLED_LDAP_PORT]
   [-httpPort HTTP_PORT]
   [-isHttpSSL true | false]

You can use several parameters with the opmnctl createcomponent command. The following is a list of parameters that are specific to Oracle Virtual Directory. Refer to the Oracle Process Manager and Notification Server Administrator's Guide to see all the parameters for the opmnctl createcomponent command.

-admin

Oracle Virtual Directory admin username, for example: cn=orcladmin. The default value is cn=orcladmin.

-passwordFile

Oracle Virtual Directory admin password file. You are prompted for a password if you do not specify a file location.

-isAdminSSL

Enables and disables SSL on the Oracle Virtual Directory Admin Listener. Supported values are true and false. The default value is true.

-ovdAdminPort

Identifies the port for the Oracle Virtual Directory Admin Listener. The default value is 8899.

-namespace

Namespace value, for example: dc=us,dc=oracle,dc=com

-ldapPort

Identifies the port for Oracle Virtual Directory LDAP Listener. The default value is 6501.

-ldapSport

Identifies the SSL port for Oracle Virtual Directory LDAP Listener. The default value is 6502.

-httpPort

Identifies the port for Oracle Virtual Directory HTTP Listener. The default value is 8080.

-isHttpSSL

Enables and disables SSL on the Oracle Virtual Directory HTTP Listener. The default value is true.

10.4 Registering an Oracle Instance Using OPMNCTL

To register an Oracle instance and all the components in that Oracle instance, you use opmnctl registerinstance. The syntax is:

$ORACLE_INSTANCE/bin/opmnctl registerinstance 
 [-adminHost hostname] 
 [-adminPort weblogic_port]
 [-adminUsername weblogic_admin]
 [-adminPasswordFile 'FILE_WITH_WEBLOGIC_ADMIN_PASSWORD']

For example:

$ORACLE_INSTANCE/bin/opmnctl registerinstance \
 -adminHost myhost \
 -adminPort 7001 \
 -adminUsername weblogic \

The default administrative port on the WebLogic Administration Server is 7001.

10.5 Unregistering an Oracle Instance Using OPMNCTL

To unregister an Oracle Instance and all the components in that Oracle instance, you use opmnctl unregisterinstance. The syntax is:

$ORACLE_INSTANCE/bin/opmnctl unregisterinstance 
 [-adminHost hostname] 
 [-adminPort weblogic_port]
 [-adminUsername weblogic_admin]
 [-adminPasswordFile 'FILE_WITH_WEBLOGIC_ADMIN_PASSWORD']

For example:

$ORACLE_INSTANCE/bin/opmnctl unregisterinstance -adminHost myhost \
-adminPort 7001 -adminUsername weblogic \

The default administrative port on the WebLogic Administration Server is 7001.

10.6 Updating the Component Registration of an Oracle Instance Using OPMNCTL

To update the registration of an Oracle Virtual Directory component in a registered Oracle instance after changing the Oracle Virtual Directory component's registration, you use opmnctl updatecomponentregistration. The opmnctl updatecomponentregistration command updates the registration for the Oracle Virtual Directory component using the values in its listeners.os_xml and server.os_xml files.

The syntax for opmnctl updatecomponentregistration is:

$ORACLE_INSTANCE/bin/opmnctl updatecomponentregistration 
   [-adminHost hostname] 
   [-adminPort weblogic_port] 
   [-adminUsername weblogic_admin]
   [-adminPasswordFile 'FILE_WITH_WEBLOGIC_ADMIN_PASSWORD']
   [-componentType OVD] 
   -componentName componentName
   [-Host OVD_HOST_NAME]

Notes:

  • If you do not use the -Host option, the value in listeners.os_xml is used.

  • Both the componentName and componentType parameters are required.


For example:

$ORACLE_INSTANCE/bin/opmnctl updatecomponentregistration -adminHost myhost \
-adminPort 7001 -adminUsername weblogic -componentType OVD -componentName ovd1    

10.7 Deleting an Oracle Virtual Directory Component Using OPMNCTL

You remove an Oracle Virtual Directory component by using opmnctl deletecomponent. The syntax is:

$ORACLE_INSTANCE/bin/opmnctl deletecomponent
    [-adminHost hostname] 
    [-adminPort weblogic_port] 
    [-adminUsername weblogic_admin]
    [-adminPasswordFile 'FILE_WITH_WEBLOGIC_ADMIN_PASSWORD']
    [-componentType ovd]
    -componentName componentName

For example:

$ORACLE_INSTANCE/bin/opmnctl deletecomponent -adminHost myhost -adminPort 7001 \
-adminUsername weblogic -componentType OVD -componentName ovd1

10.8 Viewing Active Server Instance Information Using OPMNCTL

To view the status of components and processes using opmnctl, use the following:

$ORACLE_INSTANCE/bin/opmnctl status -l

Note:

Both HTTP endpoints (Admin and WebGateway) in Oracle Virtual Directory have the identical protocol name of http. However, you can differentiate between the two using the description reflected in the opmnctl debug command, not using the opmnctl status -l command.

Oracle Enterprise Manager Fusion Middleware Control does not show the description field while displaying port information of a server.


10.9 Starting the Oracle Virtual Directory Server Using OPMNCTL

Typically, the component name of the first Oracle Virtual Directory component is ovd1.

To start the first Oracle Virtual Directory component, use the following:

$ORACLE_INSTANCE/bin/opmnctl startproc ias-component=ovd1

To start all Oracle Virtual Directory components, use the following:

$ORACLE_INSTANCE/bin/opmnctl startproc process-type=OVD

To start all components, use the following:

$ORACLE_INSTANCE/bin/opmnctl startall 

10.10 Stopping the Oracle Virtual Directory Server Using OPMNCTL

To stop the first Oracle Virtual Directory component, use the following:

$ORACLE_INSTANCE/bin/opmnctl stopproc ias-component=ovd1

To stop all Oracle Virtual Directory components, use the following:

$ORACLE_INSTANCE/bin/opmnctl stopproc process-type=OVD

To stop all components, use the following:

$ORACLE_INSTANCE/bin/opmnctl stopall 

10.11 Restarting the Oracle Virtual Directory Server Using OPMNCTL

The opmnctl restartproc command performs a "soft" restart of the Oracle Virtual Directory server, that is, it reloads the Oracle Virtual Directory configuration, but does not kill the current Oracle Virtual Directory server process.

To restart the first Oracle Virtual Directory component, use the following:

$ORACLE_INSTANCE/bin/opmnctl restartproc ias-component=ovd1

To restart all Oracle Virtual Directory components, use the following:

$ORACLE_INSTANCE/bin/opmnctl restartproc process-type=OVD

3 Understanding Oracle Virtual Directory Routing

This chapter describes Oracle Virtual Directory routing and includes the following topics:

3.1 What is Routing?

In a traditional directory server, multiple databases are defined and each is responsible for part of the directory tree namespace, and selection is determined strictly by namespace comparison. In a virtual directory, since it is possible to have multiple adapters sharing the same namespace, selection is more complex, yet more controllable.

Routing is the process by which Oracle Virtual Directory decides which adapter should be selected for an LDAP operation. Routing is applied to all adapters regardless of type and serves several purposes, including:

  • limiting the number of adapters selected to just the ones which contain the requested client data and are relevant to the current LDAP operation.

  • enabling you to design for complex environments.

  • enabling you to tune Oracle Virtual Directory to implement a more secure, higher-performing configuration by reducing the number of adapters for a particular transaction.

Routing controls adapter selection by examining not just the basic DN namespace, but also other aspects of transaction information including DN pattern matching, LDAP filters, attributes filters, and query filters. At its most basic level, Oracle Virtual Directory can select adapters through a process of adapter suffix comparison. The adapter suffix comparison involves looking at any particular search base or entry DN, such as with add, modify, delete, and rename, and then comparing it with the suffix (root) of each adapter. Depending on the scope, Oracle Virtual Directory can determine if one or more adapters was impacted by any particular query.

Adapter suffix comparison works well with a small number of adapters, however, more flexible decisions are usually required—where routing is explicitly important. Routing lets administrators teach Oracle Virtual Directory about proxied data sources in the form of routing intelligence. Routing allows Oracle Virtual Directory to further qualify directory operations and send them to the specific places where they are needed, which helps keep existing directories from being overloaded with irrelevant operations and keeps partners from seeing queries that are not related to their own directory. The Oracle Virtual Directory routing process analyzes LDAP client search filters in addition to traditional adapter suffix comparison and further refines eligible adapters for processing.

Routing Example

Consider the example virtual directory structure shown in Figure 3-1 that has the following four adapters configured:

For example, say an application that uses the directory in Figure 3-1 has little intelligence regarding a directory service and it was originally designed for a single business and does not understand that multiple business user groups may be using the same application. Instead of expecting a varied and diverse directory tree structure, the application only searches the directory from one common directory hierarchy point (or one common base). For this example, say the application only searches the directory from ou=People,o=AppView. When a user enters a login credential such as jim.smith@divisionB.com, the application issues the following search:

After receiving this query, Oracle Virtual Directory automatically selects all adapters eligible for it. Because the query is at the base of the tree, all adapters are selected, which creates the performance problem examined here. If all the other companies exist lower in the directory structure (for example, ou=DivisionB,ou=People,o=AppView), then by default all directory sources are searched, because their branches are below the parent ou=People,o=AppView.

To resolve this issue, Oracle Virtual Directory provides routing inclusion and exclusion filters. You can use these filters to filter traffic for any particular partner directory. In this example, the administrator can set up the following Routing Include filters:

Even though the base of the LDAP client search would normally have selected all directories, the filters specify that the search for (uid=jim.smith@divisionb.com) should go only to the Division B directory. Figure 3-2 shows the three shaded adapters that would normally be selected, while the dotted area shows that after filter processing, only Division B's data is searched.

In addition to filtering queries, Oracle Virtual Directory also lets you assign priorities to each adapter. The adapter with the lower priority number is always queried first. Adapters with the same priority number are searched in order of definition in the configuration file. When conflicts occur, for example, two entries with the same DN, Oracle Virtual Directory always accepts only the response from the lower numbered adapter in priority or configuration. When routing filters fail to select a single adapter, potential conflicts are resolved by priority selection.

3.2 Understanding Routing Settings

After you create an adapter, you can configure the routing for that adapter using the adapter's Routing tab in Oracle Directory Services Manager. This topic describes the adapter routing settings available on the Routing tab and includes the following sections:


Note:

Click the Apply button on an adapter's Routing tab to apply changes you made to the adapter's Routing settings. Click the Revert button to revert (go back) to the Routing settings that were configured before you made changes. You cannot revert the settings after clicking Apply.

3.2.1 Priority

Sometimes it may be necessary to constrain Oracle Virtual Directory to process certain adapters before others, for example, when two or more adapters have overlapping namespaces. This situation can occur when bringing new directories into service while the existing directories must remain online.

The Priority setting determines the priority with which the adapter is to be treated relative to other adapters. 1 is the highest priority, 100 is the lowest priority, and 50 is the default setting.

In the example situation described above, bringing new directories into service while the existing directories must remain online, set the Priority of the newer, more significant adapter to a higher priority, that is, to a number lower than the default of 50 and lower than the priority of the existing adapter whose namespace overlaps with it.

Priority is used as the last-chance selector after all other routing parameters have been processed. Given two otherwise equal candidates, the adapter with the higher priority (the lower number) is processed first. Adapters with the same priority number are searched in the order in which they are defined in the configuration file. When conflicts occur for a search operation, for example, two adapters that support the same DN, Oracle Virtual Directory uses the adapter with the lowest priority number in the configuration first. During modify operations, Oracle Virtual Directory processes the entry only in the first adapter matched when moving up the tree from the entry.


Note:

For maximum precision, Oracle recommends using the Filters to Include, Filters to Exclude, and DN Matching settings to arbitrate in configurations where multiple adapters may be selected.

3.2.2 Filters to Include and Filters to Exclude

The Filters to Include and Filters to Exclude settings are essentially filters of a filter and apply to the LDAP search filters specified by a client. If a client search filter fulfills the logical requirements defined in the Filters to Include setting, that adapter is selected for inclusion in the set of adapters used in the search. Similarly, for the Filters to Exclude setting, if the logical requirements are met, that adapter is deselected from the set of adapters used in the client search.

The format for the Filters to Include and Filters to Exclude fields is a standard LDAP search filter followed by a scope term: #base, #one, or #sub. The scope indicates the search scope at which the filter is applied. For example, a filter with the #one scope applies to one-level and subtree searches; base searches would not be filtered.

The default scope for an include filter is #sub, which filters only queries involving an entire subtree. To apply the filter for all scopes, set the scope to #base, which means the filter is applied to base, one-level, and subtree searches.

The default scope for an exclude filter is #one to allow blocking of specific searches. To apply the filter for all scopes, set the scope to #base. To apply the filter for just subtree searches, set the scope to #sub.

You can use the Filters to Include setting and the Filters to Exclude setting together to form a more complex set of conditions governing the adapters used in a client search operation. For example, imagine you want to allow specific types of searches through an LDAP Adapter deployed as a firewall. To allow only certain searches, you could use a Filters to Include setting such as:

(|(mail=*@myorg.com)(uid=*@myorg.com)(sn=*)(givenname=*)(cn=*))

This filter would block any search with terms other than mail, uid, sn, givenname, or cn, and allow only searches involving one or more of these terms. For example, (cn=Jim Smith) is acceptable, while (uid=smith@oracle.com) is not acceptable because its value does not end in myorg.com.

Although most adapter configurations use simple search terms, a more complex example may better illustrate how the logic is applied. Consider the following filter example:

Client Search Command:

$ ldapsearch -b dc=oracle,dc=com -s sub "(|(sn=user2)(cn=user2b))"

Routing Filter:

(&(|(uid=*)(cn=*))(sn=*))

The routing filter indicates that a match is made if the client search filter contains an sn term and either a uid or a cn term. In this example, without regard to other conditions, the adapter would be selected if the routing filter were assigned to the Filters to Include setting and deselected if it were assigned to the Filters to Exclude setting, because the client filter includes an sn term and a cn term, which together fulfill the logic of the routing filter.
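To make the include/exclude logic concrete, the following is an added Python example (not code from Oracle Virtual Directory or from this guide) that parses a client search filter, evaluates a routing filter against it, and then applies the default scopes described above to a small adapter set. The function names (parse_filter, routing_filter_matches, select_adapters), the constructed DIVISIONS configuration, and the leaf rule it uses (a routing term such as (uid=*@myorg.com) is satisfied by any client term on that attribute whose value matches the pattern) are assumptions derived from the examples in this section, not a description of the server's internal algorithm. It goes slightly beyond the text by also handling nested filters and the ! operator.

```python
import fnmatch

# Added example, not Oracle Virtual Directory code: a model of how a routing
# filter (Filters to Include / Filters to Exclude) is tested against a client's
# LDAP search filter. Assumed leaf rule, taken from the examples in this section:
# (attr=pattern) holds when the client filter contains an assertion on attr whose
# value matches the pattern, case-insensitively; &, | and ! combine as usual.


def parse_filter(text):
    """Parse an LDAP filter into ('&'|'|'|'!', [children]) or ('=', attr, value)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != '(':
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in '&|!':
            pos += 1
            children = []
            while text[pos] == '(':
                children.append(node())
            if text[pos] != ')' or (op == '!' and len(children) != 1):
                raise ValueError(f"malformed {op} expression at offset {pos}")
            pos += 1
            return (op, children)
        end = text.index(')', pos)                      # leaf: attr=value
        attr, sep, value = text[pos:end].partition('=')
        if not sep:
            raise ValueError("only attr=value leaves are supported")
        pos = end + 1
        return ('=', attr.strip().lower(), value.strip())

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def assertions(tree):
    """Yield every (attr, value) assertion in a parsed filter."""
    if tree[0] == '=':
        yield tree[1], tree[2]
    else:
        for child in tree[1]:
            yield from assertions(child)


def routing_filter_matches(routing_filter, client_filter):
    """True when the client filter fulfils the logic of the routing filter."""
    client_terms = list(assertions(parse_filter(client_filter)))

    def holds(node):
        op = node[0]
        if op == '&':
            return all(holds(c) for c in node[1])
        if op == '|':
            return any(holds(c) for c in node[1])
        if op == '!':
            return not holds(node[1][0])
        attr, pattern = node[1], node[2].lower()
        return any(a == attr and fnmatch.fnmatchcase(v.lower(), pattern)
                   for a, v in client_terms)

    return holds(parse_filter(routing_filter))


def split_scope(spec, default_scope):
    """Split 'filter#scope' into (filter, scope), using the setting's default scope."""
    filt, sep, scope = spec.partition('#')
    return filt, ('#' + scope if sep else default_scope)


def scope_applies(filter_scope, search_scope):
    """#base applies to every search, #one to one-level and subtree, #sub to subtree only."""
    rank = {'#base': 0, '#one': 1, '#sub': 2}
    return rank[search_scope] >= rank[filter_scope]


def select_adapters(adapters, client_filter, search_scope='#sub'):
    """Adapter names still eligible after include (default #sub) and exclude
    (default #one) filters are applied; an adapter with no include filter in
    force for this scope is assumed to stay eligible."""
    selected = []
    for adapter in adapters:
        incl = [split_scope(s, '#sub') for s in adapter.get('include', [])]
        excl = [split_scope(s, '#one') for s in adapter.get('exclude', [])]
        active_in = [f for f, sc in incl if scope_applies(sc, search_scope)]
        active_ex = [f for f, sc in excl if scope_applies(sc, search_scope)]
        included = not active_in or any(routing_filter_matches(f, client_filter) for f in active_in)
        excluded = any(routing_filter_matches(f, client_filter) for f in active_ex)
        if included and not excluded:
            selected.append(adapter['name'])
    return selected


# Constructed configuration for the routing example: one adapter per division,
# plus the "firewall" include filter quoted above.
DIVISIONS = [
    {'name': 'Division A', 'include': ['(uid=*@divisiona.com)']},
    {'name': 'Division B', 'include': ['(uid=*@divisionb.com)']},
    {'name': 'Division C', 'include': ['(uid=*@divisionc.com)']},
]
FIREWALL = '(|(mail=*@myorg.com)(uid=*@myorg.com)(sn=*)(givenname=*)(cn=*))'
```

Calling select_adapters(DIVISIONS, '(uid=jim.smith@divisionb.com)') returns only Division B, which is the outcome the routing example describes; the same call with search_scope='#base' returns all three adapters, because an include filter with the default #sub scope is not applied to a base search. That difference is worth checking in a real configuration before relying on include filters for traffic isolation.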

3.2.3 DN Matching

DN Matching is most often used when you want to have adapters sharing the same adapter root and you need a way to arbitrate which entries belong to which adapter. DN Matching enables you to exploit the differences in naming that might occur between two proxied sources. For example, in a large scale deployment you may want to divide the entries based on the alphabet. DN Matching enables you to select alphabetic ranges and then allows Oracle Virtual Directory to select adapters based on range match. Thus, if you divided names into three ranges, users with IDs beginning A through J could be one directory, K through R might be another directory, and S through Z might be the final directory portion.

Another useful scenario for DN Matching is federating Microsoft Active Directory users with users in an external directory such as OpenLDAP or some other directory. If the users in OpenLDAP have relative distinguished names (RDNs) based on the uid attribute and Active Directory has user entries based on the cn attribute, then you can establish a regular expression that selects adapters based on the RDN type.

For the Active Directory adapter, the DN match might be:

(.*)cn=[a-z0-9]*$

For the OpenLDAP adapter, the DN match might be:

(.*)uid=[a-z0-9]*$

By using DN Matching, Oracle Virtual Directory can effectively manage overlapped adapters by exploiting the differences in the existing sources.

In the DN Matching field you can enter a regular expression indicating how DNs within the adapter must be formed. The regular expression applies to the portion of the DN below the adapter's root. For example, if the adapter's root is ou=People,o=MyBigOrg.com and you only want to allow entries in the next level whose RDN begins with the letters A through J, you can specify an expression such as:

m/^(.*)uid=[a-j][a-z0-9]*$/

This expression indicates that the DN must contain a uid= term, followed by one of the letters A through J, followed by any number of alphanumeric characters. The $ sign indicates the end of the string. Because no comma can follow at the end of the string, the uid= component must be the last component of the DN within this adapter. Because the uid value must begin with A through J, only uids matching that criterion are accepted. Finally, the ^(.*) part of the regular expression indicates that any number of characters of any type can occur between the start of the string (indicated by ^) and the specific value uid=.


Notes:

  • Because DNs are case-insensitive, regular expression matching is performed in a case-insensitive manner.

  • The m/ and trailing / part of the match expression is optional.


3.2.4 Levels

When using multiple adapters where some adapters are children of other adapters, it may be desirable to configure the parent adapter so that queries occurring within the namespace of a child adapter are not also sent to the parent adapter. This happens when the DN of an LDAP operation pertains to both a child adapter and a parent adapter through normal namespace selection. By setting the depth, or level of the parent adapter, Oracle Virtual Directory can eliminate the parent adapter from participating in child transactions.

Used with LDAP searches, the routing Levels setting determines how many levels below the adapter root the search base may be. For example, a value of 0 requires the search base to be the same as the adapter root, a value of 1 allows the search base to be at the adapter root or one level down, and so on. An empty (blank) Levels setting, which is the default setting, allows searches at all levels.

The Levels setting is useful as a performance parameter in highly nested multiple-adapter scenarios. Although the root adapter could be selected for all queries of a virtualized tree, this is usually not desirable, because other adapters may point to the parts of the tree that contain the relevant data. To keep the root adapter out of all queries except those that actually examine the root entry, and so increase server performance, set the Levels setting to 0.

For example, if a Local Store Adapter were defined with the root o=Oracle.com, it might be used as a common parent for a series of LDAP Adapters such as ou=Partner1,o=Oracle.com and ou=Partner2,o=Oracle.com. In this case, o=Oracle.com is a placeholder for the child adapters. Because the adapter has only one entry, it has to be queried only for operations where the search base is specifically o=Oracle.com; it does not have to be searched when the search base is ou=Partner1,o=Oracle.com. In this case, a routing Levels value of 0 is appropriate.
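The Priority, DN Matching and Levels settings described in sections 3.2.1, 3.2.3 and 3.2.4 work together when several adapters share a namespace. The following added Python example (not Oracle Virtual Directory code) models that arbitration for an operation on a single entry DN: each adapter is checked for namespace, Levels and DN Matching, and the survivors are ordered by Priority with configuration order as the tie-breaker. The function names, the dictionary layout of an adapter, and the constructed configuration (a placeholder Local Store Adapter above three LDAP Adapters that split ou=People,o=MyBigOrg.com alphabetically by uid) are assumptions of this example; the regular expressions are the ones shown in this section.

```python
import re

# Added example, not Oracle Virtual Directory code: arbitration among adapters
# with overlapping roots using the DN Matching, Levels and Priority settings.
# DNs are handled as plain comma-separated RDN strings (escaped commas are not
# supported in this model).


def rdns(dn):
    """RDN strings of a DN, leaf first, lower-cased and whitespace-trimmed."""
    return [part.strip().lower() for part in dn.split(',')]


def relative_part(dn, root):
    """Portion of dn below root ('' for the root entry itself), or None when
    dn is not within the root's namespace."""
    d, r = rdns(dn), rdns(root)
    if len(d) < len(r) or d[len(d) - len(r):] != r:
        return None
    return ','.join(d[:len(d) - len(r)])


def dn_match_ok(expression, dn, root):
    """Apply an adapter's DN Matching expression to the part of dn below root.

    The optional m/.../ wrapper is stripped and matching is case-insensitive,
    as the Notes in the DN Matching section state; an empty expression accepts
    any DN under the root.
    """
    rel = relative_part(dn, root)
    if rel is None:
        return False
    if not expression:
        return True
    if expression.startswith('m/') and expression.endswith('/'):
        expression = expression[2:-1]
    return re.search(expression, rel, re.IGNORECASE) is not None


def levels_ok(levels, dn, root):
    """Levels caps how many levels below the adapter root dn may be.

    None (a blank setting) allows any depth; 0 allows only the root entry.
    """
    rel = relative_part(dn, root)
    if rel is None:
        return False
    depth = 0 if rel == '' else len(rdns(rel))
    return levels is None or depth <= levels


def adapters_for_dn(adapters, dn):
    """Names of the adapters eligible for an operation on dn, best first.

    An adapter qualifies when dn is under its root, within its Levels and
    accepted by its DN Matching expression. Ordering is by Priority (lower
    number first); sorted() is stable, so equal priorities keep the
    configuration order of the list, as the Priority section describes.
    """
    eligible = [a for a in adapters
                if levels_ok(a.get('levels'), dn, a['root'])
                and dn_match_ok(a.get('dn_match', ''), dn, a['root'])]
    return [a['name'] for a in sorted(eligible, key=lambda a: a.get('priority', 50))]


def first_owner(adapters, dn):
    """The single adapter used when routing must resolve a conflict by priority."""
    names = adapters_for_dn(adapters, dn)
    return names[0] if names else None


# Constructed configuration: a placeholder Local Store Adapter at the top with
# Levels=1, and three LDAP Adapters sharing ou=People,o=MyBigOrg.com whose
# DN Matching expressions split users alphabetically by uid.
PEOPLE = 'ou=People,o=MyBigOrg.com'
ADAPTERS = [
    {'name': 'Root LSA', 'root': 'o=MyBigOrg.com', 'levels': 1},
    {'name': 'People A-J', 'root': PEOPLE, 'dn_match': 'm/^(.*)uid=[a-j][a-z0-9]*$/'},
    {'name': 'People K-R', 'root': PEOPLE, 'dn_match': 'm/^(.*)uid=[k-r][a-z0-9]*$/'},
    {'name': 'People S-Z', 'root': PEOPLE, 'dn_match': 'm/^(.*)uid=[s-z][a-z0-9]*$/'},
]

# Two adapters with the same root and no DN Matching: only Priority decides.
OVERLAP = [
    {'name': 'Legacy People', 'root': PEOPLE, 'priority': 50},
    {'name': 'New People', 'root': PEOPLE, 'priority': 10},
]
```

With this configuration, uid=alice,ou=People,o=MyBigOrg.com is served only by People A-J, the entries o=MyBigOrg.com and ou=People,o=MyBigOrg.com are served only by the placeholder Root LSA (its Levels=1 keeps it out of the user entries), and an entry such as cn=alice,ou=People,o=MyBigOrg.com matches no adapter at all, which is the kind of gap to look for when DN Matching expressions are tightened.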

3.2.5 Attribute Flow Settings

The Attribute Flow routing settings control how attributes flow into and out of an adapter. The Attribute Flow routing settings provide security by preventing information from being requested or returned to an unauthorized client. Also, for Join View adapters, the Attribute Flow routing settings control which attributes flow to which adapters since multiple adapters can contribute to the same virtual joined entry.


Note:

Unlike access controls, attribute flow rules provide quiet enforcement: they simply filter the request without returning an error to the client. In a high-security setting, this quiet enforcement prevents a client from learning whether it is even allowed to see a particular attribute.

The following is a list of the Attribute Flow routing settings. The remaining subsections in this section describe each setting in detail:

3.2.6 Visibility

An adapter's Visibility routing setting controls whether an adapter can be queried by an external client and whether it is published in the server namingcontexts attribute under the root entry. The following is a list and description of each Visibility setting:


Note:

The Visibility options are listed in the Oracle Directory Services Manager interface in English only, however the description for each Visibility option is supported in localized language translations.

Yes

The default setting. A visible adapter is one whose root is published in the server's root entry as part of the namingcontexts attribute.

No

When visibility is set to No, the adapter is not listed in the namingcontexts attribute, but is still available to external LDAP clients. This is useful when you have multiple adapters working together to form a single directory tree branch. Rather than publish the parent and all of the child adapters in namingcontexts, you can publish just the root adapter since the whole logical tree is implied and publishing the child adapters would be redundant or confusing to applications.

Internal

An Internal adapter is an adapter that is only available to plug-ins and Join View adapters running inside of Oracle Virtual Directory. Internal adapters are not available for use by external LDAP clients. An example of this is an adapter configured for use by a Join View adapter. Rather than publish information twice in the external virtual directory, the primary and joiner adapters can be marked as internal so that only the Join View Adapter may access the information defined in these adapters.

3.2.8 Criticality

When a search operation with an adapter fails due to a host error, Oracle Virtual Directory reacts according to the Criticality setting. The following is a list and brief description of each of the Criticality settings:


Note:

The Criticality options are listed in the Oracle Directory Services Manager interface in English only, however the description of the Criticality field is supported in localized language translations.

True

The default setting. If the adapter fails to return a result, for example, due to an operations error or because all remote hosts have failed, Oracle Virtual Directory causes the overall search operation to fail and returns a DSA Unavailable error to the client, regardless of whether data was found in any other adapter.

False

This setting instructs Oracle Virtual Directory that a failure to perform an operation in the adapter is not critical to the overall result. If a non-critical adapter incurs an operations error, then its result is simply omitted from the overall LDAP search results; Oracle Virtual Directory returns the partial results from the other adapters and does not indicate any error.

Partial

Setting the adapter criticality to Partial means the application can notify its own users that partial results were obtained. When an error occurs, Oracle Virtual Directory returns an Admin Limit Exceeded error. While this is not the expected error, the intention of this setting is to cause client application logic to indicate that not all results are shown.

3.2.9 Views

Views allow applications to see different information in Oracle Virtual Directory. Views are defined by the distinguished names (DNs) and IP addresses configured for the View. If an Adapter is enabled for a View, then only the DNs or IP addresses configured in the View may see data from that Adapter. An Adapter can be enabled for one or more Views. A user that is a member of a View can only see information from Adapters that are enabled for the same View.

To enable an Adapter for a View, in the Views section on the adapter's Routing tab, select the Enable option for the appropriate View. If an Adapter is not enabled for a View, it is part of the default View. Any client not assigned to a View may see any Adapter that is part of the default View.

3.2.10 Include Binds From and Exclude Binds From

The Include Binds From and Exclude Binds From settings allow the administrator to indicate adapters which can share each other's credentials. The Include Binds From and Exclude Binds From settings also help the adapter determine whether the user credentials or the adapter's proxy account should be passed through on an operation. For example, consider different LDAP Adapters proxying two different domain controllers within a Microsoft Active Directory forest. To Oracle Virtual Directory, a user credential from one domain does not appear to be part of another domain. Also, because both domains are from the same forest, you know that the second domain can in fact accept a credential from another domain. The Include Binds From and Exclude Binds From settings allow the administrator to instruct Oracle Virtual Directory on how to handle these situations.

When deciding whether a user credential can be passed through, Oracle Virtual Directory considers the following two conditions:

  • whether the supplied credentials are under the current adapter root

  • whether the user credentials map under an adapter listed in the Include Binds From field, and also, whether the user credential maps under an excluded adapter listed in the Exclude Binds From field.

Consider the following example with adapter root ou=admin,o=depts,dc=oracle,dc=com. A user credential may either:

  1. Case A: Map within the namespace of ou=admin,o=depts,dc=oracle,dc=com

  2. Case B: Not map within the namespace of ou=admin,o=depts,dc=oracle,dc=com (for example, the credential's DN ends with ou=sales,o=depts,dc=oracle,dc=com).

Case A

User credential ends with ou=admin,o=depts,dc=oracle,dc=com:

If the Exclude Binds From field is not empty, then the user's credential must be checked to see whether it is a child of an excluded adapter. If it is, then the proxy credential must be used (instead of passing through the client's credential). If the user's credential does not belong to an excluded adapter, then the user's credential may be passed through the current adapter.

This scenario most often occurs when two LDAP Adapters are defined where the second adapter is a child of the first or parent adapter. A credential that is part of the child adapter could also erroneously be considered to be part of the parent adapter. Using the Exclude Binds From setting helps correct the problem where the credential from the child adapter would be incorrectly passed through to the parent adapter. Using the Exclude Binds From setting allows Oracle Virtual Directory to understand that certain child DNs do not map to the parent adapter's credential set.

Case B

User credential ends with a root different from ou=admin,o=depts,dc=oracle,dc=com:

If the Include Binds From field is not empty, that is, it lists adapters defined as shared, the user credential must be checked to see whether it maps to a shared adapter. If it does, the credential is mapped by the shared adapter and returned to the original adapter. The original adapter is then able to pass through the credential mapped by the shared adapter.

If the credential does not map to the current adapter, or any of the shared adapters, then the proxy credential must be used rather than passing through the provided credential.

An example of this is an Oracle Virtual Directory that proxies multiple Microsoft Active Directory domains. User credentials may have different roots, but because all proxies go to the same forest, one domain controller can authenticate a DN from another domain controller. In this situation, credentials from either adapter can be shared across both adapters. For example, the Domain A adapter proxies Domain A and the Domain B adapter proxies Domain B, and Domain A and Domain B are in the same forest. Therefore, on both the Domain A and Domain B adapters, you can set the Include Binds From setting to Domain A, Domain B, and both adapters are able to pass through each other's credentials.
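The Case A and Case B decision above determines whether a user's own credential or the adapter's proxy account reaches the back-end directory, so it is worth being able to predict it for a given configuration. The following added Python example (not Oracle Virtual Directory code) encodes that decision as a function and exercises it on a constructed configuration: the ou=admin adapter from the text with a child contractors adapter listed in its Exclude Binds From, and two Active Directory domain adapters in a constructed forest that list each other in Include Binds From. The function names, the adapter dictionary layout, and the non-page roots (ou=contractors, dc=domaina and dc=domainb) are assumptions of this example.

```python
# Added example, not Oracle Virtual Directory code: the Case A / Case B
# decision from the Include Binds From / Exclude Binds From section as a
# function that returns which credential an adapter would use.


def normalize_dn(dn):
    """Lower-case a DN and drop whitespace around its RDNs for comparison."""
    return ','.join(part.strip().lower() for part in dn.split(','))


def dn_under(dn, root):
    """True when dn is the root entry itself or lies below it."""
    d, r = normalize_dn(dn), normalize_dn(root)
    return d == r or d.endswith(',' + r)


def credential_to_use(adapter, user_dn, adapters_by_name):
    """Return ('passthrough', name_of_adapter_that_maps_it) or ('proxy', None).

    adapter: dict with 'name', 'root' and optional 'include_binds_from' /
    'exclude_binds_from' lists naming other adapters in adapters_by_name.
    Case A: user_dn is under this adapter's root; pass it through unless it
            is under an adapter listed in Exclude Binds From.
    Case B: user_dn is outside this root; pass it through only if an adapter
            listed in Include Binds From can map it, otherwise use the proxy.
    """
    if dn_under(user_dn, adapter['root']):
        for name in adapter.get('exclude_binds_from', []):
            if dn_under(user_dn, adapters_by_name[name]['root']):
                return ('proxy', None)
        return ('passthrough', adapter['name'])
    for name in adapter.get('include_binds_from', []):
        if dn_under(user_dn, adapters_by_name[name]['root']):
            return ('passthrough', name)
    return ('proxy', None)


# Constructed configuration (roots other than ou=admin and ou=sales are
# invented for the example).
ADAPTERS = {
    'Admin': {'name': 'Admin', 'root': 'ou=admin,o=depts,dc=oracle,dc=com',
              'exclude_binds_from': ['Contractors']},
    'Contractors': {'name': 'Contractors',
                    'root': 'ou=contractors,ou=admin,o=depts,dc=oracle,dc=com'},
    'Sales': {'name': 'Sales', 'root': 'ou=sales,o=depts,dc=oracle,dc=com'},
    'Domain A': {'name': 'Domain A', 'root': 'dc=domaina,dc=forest,dc=example',
                 'include_binds_from': ['Domain A', 'Domain B']},
    'Domain B': {'name': 'Domain B', 'root': 'dc=domainb,dc=forest,dc=example',
                 'include_binds_from': ['Domain A', 'Domain B']},
}


def decide(adapter_name, user_dn):
    """Convenience wrapper over the constructed configuration."""
    return credential_to_use(ADAPTERS[adapter_name], user_dn, ADAPTERS)
```

For the Admin adapter, a credential under ou=admin is passed through, a credential under the excluded ou=contractors child falls back to the proxy account, and a Sales credential also falls back to the proxy because Admin lists nothing in Include Binds From. For Domain A, a Domain B credential is passed through because Domain B is a shared adapter. Reviewing which credentials end up on the proxy account is useful, since operations performed with the proxy account carry its privileges rather than the user's.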


5 Understanding Oracle Virtual Directory Mapping

This chapter describes Oracle Virtual Directory mapping and includes the following topics:


Note:

The mapping information in this chapter is included for historical purposes. While existing default mapping scripts are supported, any new customization should be done using the Java plug-in API. This is because the Java API supports full access to all Oracle Virtual Directory functionality and it is also a generally easier environment to develop in.

5.1 What is a Mapping?

Oracle Virtual Directory includes a bidirectional mapping system based on the Python scripting language. A Mapping is a special Python script, file type .mpy, that processes inbound and outbound transactional data flow and allows Oracle Virtual Directory administrators to manipulate and map data as it passes through the Oracle Virtual Directory server. Based on the popular Python scripting language, Oracle Virtual Directory's mapping system enables you to perform complex data manipulation without learning a new, proprietary, or complicated programming language. Oracle Virtual Directory's mapping system provides enterprises with additional flexibility in supporting identity access from applications. Oracle Virtual Directory compiles mappings into executable byte code and runs it inline for maximum performance.

Integrators can develop easy-to-use mapping scripts that perform custom transformations when mapping information from one data source to another. These scripts can be installed on a running server and deployed without resetting the server. A mapping script can adjust requests as they enter the system on the way to data sources and transform responses on the return path to the client. For example, you can use a mapping to normalize schema, such as making Active Directory look like InetOrgPerson; attach data-type, such as {sha} to a hashed password; or create a virtual attribute based on values of attributes retrieved from a data store.

When you create a Mapping you can use a predefined mapping template to simplify its configuration or you can create a new custom mapping (refer to "Understanding Mapping Templates" for more information on mapping templates). Typically, a Mapping is deployed to the Oracle Virtual Directory server as compiled Java code and runs inside a special type of plug-in known as a Mapper. As with Plug-ins, a Mapping may run globally or at an adapter level. Multiple mappings and adapters can be combined as a set of discrete functions performing an overall conversion service. Figure 5-1 shows a typical scenario where one Mapping is running on multiple adapters, while another Mapping is running only on a specific adapter.

Each Mapping has an inbound and outbound flow, allowing it to translate one way as a request is received and reverse that translation as results are returned to the requesting application. This programmatic reversal is important because it is not usually possible for the server to guess intent.

Oracle Virtual Directory provides a lot of flexibility in determining whether a Mapping should be executed globally or within the context of a single adapter. In some situations, you may have to further restrict the locations in the virtual tree where a Mapping is applied. For example, an adapter is set up to proxy a Microsoft Active Directory domain and points to DC=VAN,DC=Oracle,DC=com. Under that point in the directory tree, there is a CN=Users container and a CN=Groups container. You can add a namespace filter to any Mapping to apply it to only one part of the tree.

The following is a list of notes to consider regarding Oracle Virtual Directory Mappings:

5.2 Understanding Mapping Templates

This topic describes each of the Oracle Virtual Directory Mapping templates and includes the following sections:

1ήZ;J% X6)Q vDA"zhcM4A@lağbR!ډl 9G7!$7cw2,3C\̸^ZA1I(DyjH$4AcPG#1qTc0( "2(8Atg Ь[iM0^DtLb I`^ZIlael| 9PP:!h:lĐ:v%vWEkacņ0ǟ[ĀƄ~[m'H" 'Dt;GRNaZڰ`.Z*kX!G4gmc9l "{b1CJEe ~aƊQ j4' 2Uͣ n@p{%:љ#`PDiǟ/6!yj9`]# Ò@ƢdU1%hvHT&~1<硿PWƓ6.83K.D~(jx1Ȁ+ 9A{Q`(b ,xAi =0\tT(_T0A`3UB1A4 QXQqBJ3‚%5 MɰCJH$ãX84ǃJtdB @ |o rRfUbU:]  a@yHietMVb6 !DcXd_$$HQV:ba"0|c6 ZBS6QԸ*~M!1i%J('E*:2F`?Dx NHLLhNu\e~| )r?Hs XgԵN.41bzXDa$ ш!Bj!yD /| SŔ̌讖N&%r  PLuZ \'͔U2mj]E$9]=Tc(@@Ub,;" ,W¤qakӯGHH,CjC#dwնˎֲX;=Ò""ia{ؾ6I4[+/ƖU]dQ4d=Z {\f#LH*j5PMi8Udk^RΖ{fH]S $cG\S$S/gݛ_0r`eEr(5 -Z8&QH@05uI ߣq5$g 8qo3ؐLBI `HbM=ZkbYi#Z/_T'#edߔzuHzbq8+7ľa rZuG0BW2stBt6h" >P.d"˙ӧ ml>ġjԧ  ?ƑHq"X PGRiee V(D͖  AK;HD<ֶƵuDrÜaE `0FFnƜΛ=}b,(R@4N 2R[DWB?<.fc @ A7Sp`8mHa쐃9\)pVB+6vH?{S#3ݪ5! 0X? )0G>DXC!idV#A3m,!֏P A pLOJ|B"kT{ 0a.X@\ԃ>xh!@A Ѡ :ha 1сp2C@/H)ߖf;q+>~@B (c6 "w=` Paa6 c,)+D*nKŊдRXA baol ptP 0XH``\ )`l) ,#,```^ ( vm֎A '~`$>A Ӱp)x 1q&J-B-;!+#!2\```j  !E `h !*Q)(,1&ƏGb1*f(@nmaa x fT&A! AhN7q azc"Į"Y>sVASN s@&` sAAAVAzAt@5-6`NjS-a6tEBVCCtDI3 EUEqT* EATDg`FFstH&F}Gw%aHT&: TFt2(I4K[EGJ KLQbG4Ft4EMOHKהCL4O#"J4I6OtPKK,BIP uPP6$`-QTNTM#5(M-QR73D4  `0!HJARL 6Wl9-^/_sVmB6ڀn@ ~  |Xz a&aB B@~Bb!0 qh#j vT 'aa@\ a2a\ p!tck_ScWu?veW 2ޠB `̠Ra ,7>A! `H@$ A o @< `AH 4DF iwq7"xAa6 P@j`R.w!  h! aap`Adqh86c6vcw  ` tC ` ! j0tS>` B D a"  n TÀn `f`n aLA,!,SqݮX0`0hsAL! < @aAp@ XA{lW7u9"x! ^ *@| aBy.@ ! e Ybg=a x~T`jZ'"  BeOCJSz[@! 0 L9PuXY L D @  ¡:uy:?j >| Zݠ Jy@ AڠZڡװyAb@X `Bs+QZYڥaZiڦ@>dAB$-ˆaۨ5]wa d~a@Z:`;&! "ចaƠ@ޡT v 9"ra^ rA*N\F \\ g+@ d0Y9<#<ܘ{Te7AP@ Ơd2Aևty: F` Ʒ|CaN X*7~!B6KBۑ!jv dAB@Nvk`G 0AH؄Qa! ,Q i;7u $ =^{ "@|T $^4buCb㻼? #8fkQ~4~9~_ GKO.|y}QUW>R L@=ml;8E^"ڦP7Í~푞X!K؇lсw{dnGv_"H܀h└e)${YhxꩩC|Ri%ݷe)fE-`0I%yP~~nt詬kv#:ii++/ *GrD&+䚩&lhrZKLVkغ,*lșT/_Ƞ 383O,, R\ o+b/āT ' "WE2Ұ,̋.umRZHDi<47F-K0# -tN{AC9Gf)跥" h]SO-)F[?cܵ{ *j.x\O=wuGaw.3IGVǍu>?nwNQ^>hKo'+*ܩ{9t;7v舻T6|G+OfGoeN}UY;.޻| n? 
!qFx@H\_kUC4 $Ћ(_[:>`BGgw 8a wB | 1ݜ `1P'A$j5Hz8fO ~#e(l HGL*C Z^hjc +.!y"IH+^5@ " B 0ddX(KPR2.ۊ]>{B(3tLUV:䐯d],3rʥ2Nd<$pjZ٨va6,+( rӜFv䎼K+JB2x!&KƦB~xІ$e^\<Fg7B̅} ā8 eDɇI8)lKl#_ňG3Q `GҦҙ3#PG=n/<]HK1s RT\V*J& KƧ96\B׭0xM< ίlT:Xn]k[]u/ϵlo[FD>ʹjju1[61@s+_rի` rB\*m"\~]*r'Lbq}/}j 7k:۸XnU|x!)[Qnͅax"Ƕ#[yUp1hFy(wP|1WsNc4GŘ̏(/vٙg9F9ֱDHQ2|n~ٗъ$7=$+yYY FMR#[hgqʲ\ENv\EzS6cF%Zѹ=vz~67y-y @,@qvTA|BWIP[Kozs3 *jد!'sO\m/OMB A$~ՏK NZ5w1ғ? [2'K'y' 8`Yg|i hW~׀"?Š}!FP'tw=% | }#H}U~q( q-(~s {9;Gw@c@ +~~/L3Xq  ؃Z ePY nDŽjHj@@Du>8U 8PH\giHvV 1AXvHSWub߰F@$|H|L` ;3G9p%Xp n  't=VpXD R@|Cz 'r tM} uPV Q V`v`-r8 +@ fgppg}iGXtZA`@pަP?1 HA y  }dC Q@ w r#Wz0 AC l 1  P5`^aI7xМ  2$@!W"#@ 7IiЗ  ylum:  Kw ` Z`  n`t 3Q a$}pZp OStU9P `I!_@ z稈\`q:uj7 z ~ ʨP*wcکJzzpF Ervtg ɧqNרv*@˺v~'jX@ڭiЯE PUW{M!| .@]JbAn {pN` `vf K*7`00 Pjк .ಛښNGi: P` ʳuʴ_@+nOF GH kMPN 6}Cԙ1 1jK %  P `3op0  fNJ|@P c k@s]۰8@7Qy^ 8p < `@K|кץk8U& P-@[en Њt u/؛+4 xS ( EK/&Kv@ `/К\p@{߫S0İN ‹H\n0 n ѽlW z$ Vz[k +PV8 y«[ /SQ{qHz]\f_ɻpf|mD5ߺ z;- 4ȷ i p;:a- v.3P5K5}@w1?^- 0`4wL5GT@Ͱ;[v p Ы ]  08<`ԇ; MÀX xW!^ `dPx Tne8NWԬ  p 10P dWĚ;3 r q p` e`x?CFPX  5@ڐ N.XP 6?pW_L@a2 P 0 CdЀ۱q > ` ` :~hYx^nEnȉ YjO`0͞rqE-ߺB@=j`ZV k?j`  p{M@ 6r$EgkPj\rD >; SEM0Θ|/ =N;#$ƛل_[$"S_\Pr2Aj~X@U =f`xs1(:8p[Ʌ1LXа/@\Ela/Y6(( jch̵!NXE5nѣޥbMD` ;>nM9uOA%ZQI.eSQ 7c QuI9& Uiծ!-h0"m Ò- S&\aĉ/fߊRyPkJ ǪExBUmXȱe,3bU7J4'>~?c"hBCcٵow~c2,\ O]k +kY{Ƞn6 (1MAia0GX8` M"6oE[tEcɁz "Bfn(H`5( WA% rJ(d}P&BPTz@d4UC"`:z&N<f`i$>P,Y``YF*3˄t֨ƞB@/ч ܰCAB5(=suW^{-BVbAQEcP''pƗ8SSlZbeՆ%$4UU@]PA32!m_^|(C ]vAMiBTdڸ6[oh(7!!qOMu#A'ŊU^d(# G`M/#I`"@|x!i(a A rw+iG7BaySӇFm-6d`5H -c{ c  {>~x7qX[ 9j*Ԣ0@碴I8}@^J` 0 ȇ\s~p`69PvtXpG`@qYP'`~>><<<陙|||۵!,7F E  ͯE ΋! E ՛ \Ȱa$rI2)L(ro^8氤ɓT$!SE&E,ϟ pjuHH&qЫXY"ZZt Mڸ2Ye㩖v}@A]5ڕHp Tq]NBύ2 =UQUkLS AuJ=L0:U@䌓˨pSO= tt ^x'QD@sZdcU"DT~c~-g`C YF4XΰF́Bca `t6S EGs8P]^:9_F$pQ$ VdTc0F6WwT#Bte#a<`OhDp@c}(RX QXV fsNl lD! (1eISpQ4c+'vY 8(PIM1JS5ES%~~,vj2!'"T(Z=FXJH6xz,v锒a& -jMqY _UJ/ ]!6Е2YDF` S p5u 8i V tR/d"~)X,r*,ƻR 0?A&P-Ώ0`j+Dk!H/M&H#p%օôC @dSxR >F\ ? ߀. 
]DtM&"b'Ȁ dw眿-S>&4MgbU!..n{B^lA BBo|)üt ,B)o%ޭPB 2BT-lE~E nս}/+9"n.CLN1'"!ui9hq6 #4# ӿsh$P& ~1bc "11 DD8&||De@U48y@ 02p #23M =d< C@c :Q 1'7 ٱK < bD!Um2Qf`1) l 52OԠ26+ N̛\Ƙpr!Ě2k јX4 І:( UE^b (H! D ɕn$%YZ h i|J:CzH5u)zh:Al.)Id<ҍhbNj4@<V<,xF ¥SWuF4:fbbҼ$#6na,'ǭ+e0\MYlTo}9ݨ bm$ մ]uUQ2Tr810ePrВG䊡SUE1 * H)aPFNɬ+V/QKt(6HF@bB,:yʞ R P81b}ƣYr% d$}MXF (P+Nl<kB'N9]tڿՐDs"pa TلVR-$۬.WXF0P]Lw` FؕL )xC\aU m.mz P[6fnhv( oq[EW+kGghS> Y!AL:om70[miu(F \pSڊm,U4D\0A `V]bͮ[#靪A #=Eш5:fXDd>']t2(]  HB8f`SAL`ԲSK:QK8=o+o{S~n h@)~o+@`9zGg6 ;ٳ=xz  *-ıv(G--@<n$1|w70K%wYwUİ';ۇk7  {e 6% /$@=qw&rQ \8Sph`?ɠ-ibZ-pa~yW}R 21@1 !c jh1W/`|ss0hw.X5xZ:h@ p3y \ւ#' %h (/8‡00WY@PHWSX@PXerS\w"?BP=G&] #vUEtT'tSFЌϨ))`:B0Յ8h+[ %4@D`s]w8sB  )FG.D hs}ircYT )%'ϳM39oX|7UňW:`@\;IldcG9 ' X3 7JPfyhj 8-1 y` ID[?~9YyQjC@)s)18 _@׳ٙc1A0 j 陬ٚi1J+ 1@{P.Y<<  & Ușʹٜ w sTJ© DBi@E@Pyʀ޹!E?ԇ 8bf$a9 F  $0p9 !dp*F ݙ# 8 "ސ22ݐIG CBA(9?'@tPx䤷$ $K(6%-Q#~!vw( rT52@Vm&ֳESwؼW8$~Q@1 ˜ed!Ki I" RmPqG\9Nq~#7&-z+|S B,uW#r*4]rMA(XoDX 0]u\Bs+pʇldga(:|fm.G];R@ <%& %g,\}Ǖ!`pN1 + ;fȞ6p`W2ǘ,Vz k \w'8c P`WYNj#v̷JûY ̻ڕ +;u'|4ϼ,h "''gSۼ+7Ǥ%t|Ml%Ӆ]1As\!(!"!|L>ǥ+p4gπF0 0& Ayg:rS[ = phw=/[]ـ#fRq w+ #E /ѹkHUݝ]ʋ&K08LŸ+ŷ 0Ϭ ^Ί[qm a!x}n$EMmppPp z( <}Ѐ `ダ㾜{ǻ E >- ӦgVF`טê N.Pv\.ǻ6 W+>[R[sRPq ^~B8"U߫mjrqݭ|mܺ s~YniWRы'% ~{cXa+D-`ֿx i=Bz7&(㍄^GN ,QʣyR7^]wS8Ȓ1Q`嘾tꩠb]C pP爕NZz-qKTk˾'~ ^%,.NQi#9$Qݱm(超ӫAVIB'| _ RC* m/χn;"dG\KȰ!0߶˽&N>q>fYe?@g_AkaO. Aሯl/QQ7 P_P ?O::4)cL?IOߛߙ̟_>>YYYǯrrrQQQ^^^QRTFFHzzzsss##$XXXggg867:: OOOa`cqopWWWnmnpooLKKqpqqqqCCC999kkluuvA@Abbe/./BABB@ASQR555655@?@989UUU +++KKK$"#!, H*\ȰÇ#JHŋȱǏ CI#Ɠ(S\ɲ˗0cʜPcɛ8sGϟ@ JB;*iӧPJҫXMRʵׯ`-Z*r'#ê]˶۠V7h#YYIS?2p8"È+>wse54I ҤϠC~ژ^Oz%0M`Md8#I [S g 6< բndGKN:Ɯ,&C E 8r[A@_绱k_ޟpjцc(6։?&'Hr^w?Ef~O`wÙ$D,Xc (II F'W]xDw$w![((zPFm܅dāZA‰ (p  7dp<^pm:)磐FZUGyIlyr('o%[Qr!&px*j]aGdT"[X:Q7yb^%eJlN z$ ~ĦARՖkעLY?ի"V,lV!Bd'+qNGdAPQnwP1q <1La, $89E IhasD[r!\`3T"tTKR eG0 @U]s1;K1W ؠ\|Fs C}|T!RNtdH2M+E lPзxrGG k NE$# #CH@U,\PP(^e.Gt>|]E|؋O@Qՙ? 
6l a#Fc 0절 DnbxM WK8` 9B#xކd ZMb|a'М؅0 dDRx@(h`P ;B;!UnX](CV 8fg=kжtl؄  i8D)VPz]x:xpp@J,.?D Gͅ{0G1 Pp7!͌0FR?Jv0?Df~2v\HTz%U?@MptA/ZcBq d5dN_ILFJ 2yR _@F8pHK?8M0F[R.e. چMx^X#, }bUqp.K]%0DG7ԕAH0 Y qCV2Bәs6ud7P֏n-CB>}c7گvJq0i٠#2ј v@*Ad)MOGbCEjU}94^##ؑ" +Ցb  @ްb1Qvt|jdv*-3 R>䊁E?^^X,k 6-eNJܳ* oO*!Z $3H@kbQE/\ @xـ սr _oZ)_ĺ( c?j째˦bGejli..@85^혜TPЈd  bę5kM; &d We̤7MJ ֣GKLn"88$Ooio.cNEW@C2AAh#~䮘f>KE ePRd| RVֲiåZȡ#g / [+}.kĜbQįe,4(rqi"^w۹`y,HKҖ޲K,x U=lA^1fws(̺#te5xyx wxA887i~YڜMf(pb"B³sx J-x.;i>{/;ߘ2-/5QRa{Ҧp)*l8nе8@tigON5nv7uO`4IG4ABFnE{PR8QAT?Eo0ׄp"1BuEM(GAwW#WI pkDR0qH>Ňjq(g&4r&QS3~-gi Xs4rUn֕k"WԌפEX{o;gSnm[^8gEJ$~(lG~g~ø|'pkJbSoT;p4ӈ2a:nXQp3xg[$ATT"a}Cersyh%GrSkhFyEXs:(h2(SI(7(E(72TDJtFGFPS t;dh0MdDaq}Wg|(ugwrc22b(ЅT&(;U8w\B3{PewWZ98vwah?'voG{vR|Iܤ#_ gYؖp)%3Ms#d16YɈ&a5thQPpaHWם>|0}IAfDŽ/yxٞv{b9()GPlT=G0}P56E0"P6vs4R 1ESzqi-ù2': rN*b 8}ӎ *BA$ʖęR2hZ7P  p.ݥ9!aL=r)㉠Akiy,)&lws1}B:F02k*'S9x?T@>v;j Ѡk%eХJ  06ԙȦ3 @ž8⩨:ՙ|} f8J P8J @ &m&%P79ZCZkP>PҦ8* QP jQN@ԱC m pk:o*?|3lښwԁ206#@?BPa ; \M»; D$ p@}@@ ;Lȳ{ʥ{63Og Z1[ 2Ы Sz>7J[B7 I^D`1P cˀìں공!m3W.R&\@`0k P E@ 0pE ` EhpHDH{R ۨU#7vє 7` A滘yjpՂjN~`u~0.{N}8^-\lĴs5$#,)/ ֯ P @`CQ#ӭ>~x~Ԟ q `)3P*N,)Kw]` xRK_ @p  . 
M65A.nv~z5~<$Iɼ;${+L KU {WSoa;^PKj׳j?Zu>!^96-{Тͨr6$PK ){}ӫ `ܫ jEB/3O6y>~PQI Ҕ%\ =}:pp @  c-4_7O| ` s4=_,C[ow 0T:W-dذ%(ER.=E$YRZpK]94'ϙ%_lY&Q+Y,ƌ 𤫐GN*UĞ#eWaŎ%[Yi:,#5 ̥KP'Em uN5 0.(;kǢT%L4m'PD"]E%V@ >PH]mܹu@r%@pLA$ W * fkJ,rK+Ha%,kSF&ᐡ5&!dfS(SG=KCrHCn@*2APd5uTRKu -|HB3BEsdi [y|^LXODy$w0I/Dt=[0lkbEsȧ=!PMu]x㥭 "ֈ BFH ܩEUYFd-2\ v l`|.%: 9֨ |/2 .`-DOeօbRf))Rp5ʀP nFT'MH im0 ^Ɲz+\dd6d] 1 }BPi.O"`(C]LTK5i2q\ HW@!5)Lp)F(2(UiVLe(C/F|zj$hNl?#@ +T/2UuWJiH@h5m  (`+>YԍV 4S*\c|$W<+p={:YN^0`4e}";eԈʈpl^FBj_ܠ$U@, ^XS+ng XЀ)+̪@@GaGZQ*XC _7V V/jПw4qA p.& cNJ囎N$/j`;&m шG+!A7bk՟sf^Fs= _6ׄnJc 9&ħ50[#4;b}Ț(JWY$3K[cHp*8@lwPZXbidE%4"sȀ1H3;My:r 19M8r!F| H(Y1<1uH{kV Յ=Zp)ys6w}p#|h]NDJ]ʗQk&E:S`xJh߃\V0k2V(MVʘ<8"l}m|#F@@*ׅ;-| czZ+Νs##­.VaFt|8jRktM_d2B{Qo%]aǃqs:KkZ1Z0xShO^L?ѓ`*:DޠNYZ5@༣q8y&sĄrOh7Vs'O8T>qrKw+S(  B~?PXYҷ?qOޛꠀ}#)0{#[3Eis:;J33k)N-?A|O=*iRS,GP PQ*JP 0O5j>z+ <-B=13( `FA9V"7$=OpQ2‰`$ &8D8戥e1` 8>£}S*;ó4n* 8CW|EC ;׉s`0T.B BE2Q‹@0)h;93>[U( XB;b;p$*Ew|G0 1<<ÍpD$s0uxsc4UxYX!)IxU@Ft[!jKJxH$zh++iPI,k+K-!PMtG( Ϟtl蹺P.Hl[. t35dTm=^h \i^(a49;A!%s^4Xl=wLڂߏ[V[dTl PK}IpJȖ^;`,2cPͽӂ#[4%SG6 PHX2(Zn*hM\#*-fkڷ ɬJcI `N*0ɩ8GC,@H8bRAs.>*z`(=Eu*xc-5&@@5:D6Zv9܂d.c d`5!T6f>W*f @!? 
dwpLUΠL.ZZXFDPcȄhE\?(`c*e`ƀfIz);ŮK:;Sk;F ~"=aXXw Ad3v!vޞ)eR@ odYg: Vl3OÏ1h(, .7mh2|`E {L] ՀL؄C8k .)NS?K >j^iyV7X\pHiQЂC je~ؒ#P99vwͲ:fMư@|8h C(s1Jhajiwɑx]ۈgvH>xtTOhH @<-plh=-&*2Ƌ`BS@e])|lPH`<kޙAf  kv/0=Ѓ+(d瞊דnS=6=V=Pp386ȃ.jT ЊoETr2yrn^|($f+80wΤrQiʍ kOq<0,- (h؅HO/Bo ?jK("g =pX)*LjH88k(^2LBa}^7s=;).30"@40axv .H4H*X5؂7xDWtFqoHl!twh;^፨4àR ( ȅ ^lXBx*u1' uiKF us.sv;s,(v58d_v0E1,Ȃ+:kmoE_F/woIOjAn˶QwSw;.BЀ#-`?XWx3=n?x xxaxyegv7yWywylvnvpOGqtN8LΪ;jxczL墒&ݽW-@ ?GxY_3 Ac㽆_W'vcG?_yw'*^jÙp[B ]z'}gx+u}{ާ߿{wG7w*T䯓#A2l!Ĉ'R\8 )6r#ȐTh$ʔ'@ M` haSM.Y1;lTe ,P&,0Sa2)]A+ϮU~l&rXx&'~>Vx(nhP|0W{B>l@@€A MFRuLjU;4 ɟ) މ J&j@S=URrM:@us-]H0VM H$sH@MeSJLWaik^?~l#AIR`c5T@7|E}DݪI*pR&Qj OCCF'Rz`xF"_}_,[3r<6@v6llmG3л1R`Cn agX^IqG{6+Li{-@@MI$h%8JG ‡6ls?0:UX˚,5gi,lX٬%idmK!(F= C*xA NBB)MV.pF4' `#^!3c@IHFj&$ /J NT861bXKVŸ֬-Z#[Blmj0]ҭgL1pFs׸3Y9 -h$!>$$9H2 9'NhDMA@X$&0(@*ՅOy:GbXv]A8K^RfDqpUK=iϙdC(N~HrX!6pnOQB(!Ε>s9雩:'vNI#1X ALH o@' jC`X`s(ZuQ`1G=L1nMi6M<ӄm4iR2J+ ;ϴҧlGr .@ ::P lG8CBeh@9m Y)\H5l9uqH@"-p) ȥBb38|'oձڴIAc,[0G2BH28Y؈N{$"(|У"<,2jn0Fs!P<*{xt$6"g~OD ![ :%`W\~;0LaIgE(l0*` W:82#@p$A"@2^3/x1D[6ظq[QRzC@TԐ 8x 9^?B6p{d[WQri B@~땤rDU3@`.`Hj\ܑx^,h<LuӞ7l@wr\s+-ik剓^>>tdh(3j  n(U (X@*F, ew,3uc1c:08x?vpADo#^2ҸJ̼(@*+ S@O7r@DQC<6 N|S!њ *l=%S@|m˔kAl62'zlG.TI0Dx  @yYK=Q"zG"e('2 >Fj*jVp#Rbl@/80В4C!RZAl 9rTPzUY`qq \v>BW1P=<*UiR j, !Ctu!dFA O꼠R} V%t~!酡  G!*RaP!ա?v 0!^"Y"a!HN#NR$>X't]-.!l00#1c11.0 6"b#bCM"!'Byyݟ3")"5"C^?!7~B(#:&d!"#XݠfhA9cI0D[a@7"B$0$):$F#N%6A,$BX `H:>dLwP \\)FfZ#,A&vjSq<}MQ{6 -g!?3MI"mD TX)KB]:g^Fet$\AvmrhR# = WaE?LyeY|KA yf3egBghZ$dƨm  @J'!Ԕ`]<Ua yO|S P?'Sd(=M'(*L$XLz<}Lh3BnIBa=bUlAJҚгahn#iX "T5 Ɂe<B"Uf#(.h(% M8 VJV?5Ӕd'GW#g*Τj_T"*2Qv'@P$ ي}V\̴n&DJsVcdj"AkW gXIYJ2g^+h+ʪA<ā^,lMFlqB d4-Fڦڮ-۶۾-ܲD!Tm^m :,(fFD@-n$]R*8C"fh&âl-Ji@0 X. 
.@1mj[*Į!ծ*.F.6 ^/2HE"0SRrD/ of< <@bg`@(/_F B(oDo!#H?Ɓ!_|C<@sJ/LmD &m.x%|oA'aX *d(.DCmD $$m / oց/B0Ht9C qu DC@[Bq\@$2 #G`^DrL/x-Aq/{1)"hhhAglF!f&or'/B`hq)s{\20F^E[1O35W5_36g6o37w73883993::3;;3<dz<3=׳=3>>I?!HA?3Aw`oAB\oB?A'AE;]o?DqE4eeBpTH4ZB!@4LύJ3G^L4COӍN3K>) 5R'R/5S7S?5TGTO5UWU_5VgVo5WwW5XWhtDL?G [[5\ǵ\5]׵]5^^5___uDP HAbDtQ3Wb/dW5ZCv;D},`O6aZG:kÐvpxd7Dchg?A$,?66?!6lFqCLncV6 vCTYeW 6lrHn6ptbowwjF(7i7osttKwCw⧡v:krp{ktn/Y-DQ@zGgB,G|?XwU`7;wtwd{6gL)G#xdsvvu_vXxi7MClG+'6;x|wk?7:cF{s6ycy'v$H{F@d@a}s$$qwrv op;skBFCydnKv/Ôpr ::'/:7?:GO:W_:go:w:Dз}:`::[c9CҞzW5CTu"I{#4SP /J4Ot0BtMćP{AtkWtT=ös?gthCHA>FK9bn{>7${vd 6C B?wk4ou~W='p>5YwS~xvo?3 GK|>TD$$$qHk?EAD"!h_+YtfL3iִygN;y4s' $(5ziRK\3 6*l6LvQH`[j#lӖjBXֵ{oޝ?"ߤ} 6|qbŋ7ɷ ʤsf͛9wthѣI6}ujիYvvlٳK?L\&3NxpÉ7~yr˙7wztөW~;sUcɗ7}z 0e׷~wrGt)_ dj )O|%H 5ܐ=4 M<E#5HLe<>, Auܑ""r"<D&<';PKP(JDEDPKp@OEBPS/img/ovdpm014.gifekGIF89a888pppyyy<<<???fff@@@333ֶ***TTTbbbFFF~~~iiiZZZ---숈KKK ```000ᰰPPP///___OOO555oookkk444 YYY&&&LLLjjj666tttuuu:::}}}{{{>>>zzzmmmlll;;;MMMeeerrr999sssgggȬvvvqqq...hhh!,) H*\ȰÇ#JHŋ3jȱǏ C.ԠAɓ(S\ɲG6\ʜIM2ɳϟ@z4IJУH*u CӧP:AtRRjjф `ÊPJUWɪ] U$lʝSCh7A L8 x-̸qIns8LĊV<[CVKţSVfհc4k/jٸFͻy7M8G8aHQ HN둆;}䘗w2R5%ϞeʙH @/4'D桗߀rF x߁V8r 栅JH l!\P=\qE 0]mcT (@ɎDxdGcmS })P?D$Y d\fߒy%DVi;EB[&R:ɠoWlRXbz*6D8 Ԧ^'KBhV>$(-eRD)4naNtʮW$O$,;kp_HG,1e1Nr,l%C'o,r~ f/ϥCk8ΒZʌ{e[:+t1 GK4&H.OaqPխEv]YiP;|0ߕ6kTo$zPS97<jߛ@_Q.)'<< wp F@ꬷ밳hO]~Nsr'0~^N|$EbCOGBNc/`Bȃklr$~tWXB7!+ 3 0A҃ 1x,m.`{'AaYH  Dhg44AD*D~X(Trb7)J5bj$ IH`d7 S %R%Qbp58B$~ `ic#JYh!1aKDFG"dG1 DB c-@ >DCH"JHR,% r ͚H!*Y#@-I= ;D MJH0#|״1BB]j)iC@bS"nS. gJԦ P5@64DbD8)$A=hBP됔X@@Jё\'1efLodf$I䱠0@V0T 89щd;uT* CB@!h,U*Cӄ-}H@а"4;Ȧ+$E5vɳ6 ZuJ!?Od Oh#%b\AW? 
JPWT '!lg $ Rhڪ-ӫu  8 C:rFpH A9[svH {h + IכͮO O̷X@r5Hc g2z;Qq7[Nij]a>3vGqI0^}pE8k1'}O=@ъ=s(쮿 .O}&H'oxK?J_}ߜT>ٮ ^7ҟ U/xݟӽM"x4 "t˳~}cSWpb=g[!D9G9!qGGp31|jPa07 )xփ0ex8V<0u"xnӵw&A., G3 -V< pystm:~<P}AnEx+@01(g@[A'(1 W xD&o8 hb:pViE%Po'E7na"v^| un8 0 0-gC6fG|#wvDWp0h[6`#k2uIHB؋},D-D..@0ƌR㌸ES&`4x BrhH4h_4G[xN15S'&Ѩh 1Dȍ>_!)dxYY 1)Y )zÒ L 3I#!0ЂwfTI:Vy(0@3@j.9VqHc}b@12؂)7[  YC7c9mBDkٓ(0@Ny"M82s2[Igɐ !HEXy(( x(I+Z9-Xhe40UR9FYƩ6ٓ΢Xȓ`דI2H9 قY ؕ 6seiYL%ӄ-pQؘYw٘z1x)3-zdIIiіWa9sbU,[9 NyHiT؂34/BSz}aZڣ>:)gqck>dU4@D140CaVs !z=Ms|s9ꙑ;ڞfzȩp]4Ř6.IXgjjz7!N*ʨUʑlpg gJiI tK J C`lӶ!|8Mp mk  %Y\5NSµi&kP[%\C =t1liu7|[M>!E, ং{%[f4 Y EYžEkumd1MEdE ki%?o8+LG'<K| 0P*FD@ dtĕ+M50KƖdFq*'zGx6(&081ȅlȊ\Q|$V|#lTlkّmfJʔP@WFGQd;`w8~(0S+&'cng!|.cj}:Z$qb.K83_WAd^r1j9>pr~/tR ^L,j}q:3.UbG-<#QQ~OaU>("+] :qsOon~ಈِnu^5`0˲?6c ܞ_Je>4۲U>3]Z$>6@:sLޅ ,Ii[G~% ? R.߻ZVnˈDVr;2*O~OaqL5!{a3>@OR?T_VXZ\^S?ٔJoLLR+npr?t_vu\tO~?_~[Ot%e/g?߆^;D_5?in;ʕ1y}gQa箿=}POa!beo?S_^O.?Ad1ӻ 'UTA #-C%NXѢH.nG"9Ɗ 9j:P&@ H4 mvb@HVX!njq&iLT3/jHsq>q8ǠRCx";2A%#a -+3|h!-'a \o[8`"9`f``dI>s5ca` XU`5&v[ w 0\tǢ@]\hP$ =H4DwQВQF'ȁ$(xD"=O"!1@_k:KBHv@ZVVՔu Mn{92'ƕV:ijiݳw#|#Jr}ĴI"9H$JJΦD"|$HEbPuu"H4l#$B IXpAUv 3W:7@Iǯ) uI@I>_ꋲhk&t(Ь뵭+~SDR:l)65'xc^+_ėSuS :|`%7W_Ov}>7_ vB r;!#Bv 6JuS7(anmr;C?JժUo)V wU. 
X5qk C5} 7.0 VDa %6Ij`I(FF-#a@ V P&xSH&a,/*YNBp{@M\%VYn6b ĴJ DLf2p )(Rd bfHQԤĶiJBTB(ر'lDN,`cU~:@ N[*7$\pgEkZwtKHpFFlX>HrNI%L'pJi)P\@cymL8kp&T=`gyOLB8baR $ Dʉ!U@c: Ra` <Lt>560HiʂnJD!G*T+ gMS&UCWbr$:OetkŠ| HZӗoDr##k6/$h": kY)J)APYz%^Eu5`MW++47fSh*$Im@o}!dv@Ud@Unh 8 nO }ad{BV| 둤5¥"q~%2Bx} E-oNy:=AT]>v>}J9^ BW&2bI$Easw=($_ǤT pQ_X2 KTHޤ]NwU$ 䤉D(1Rd0K<͸05r"3z$bu0pKpp=(1k|gaO.K2VISro" 8hHG|Wf,!tc!pF2󝯻 x%֭BВżh=J0 ey~bπ~k|^-XfSK!\BqUs Gs_K|Mw DYNMTÄo ݳa.M]׆䫑IHLkW7\қ)}U~J 3m?\ .)/ h<0_Gox`#T뽥eՈ$ 3ZW{-7FƽtwP(q.8YWtѣ얄L/9 -\S~ud]рKdCT"ը Y-MqT- {J}{b^R~96u/8rV%qF>#8`<.k)=խnz~W[rx 윓=hMqS3>$_&^X@ )Nl>韯'!>>[[$=.󃩢{H͋Ђ @ X`0㻈~ k=CS4taA , ˻@HJ3#,=>3ܾA>>y?31Ts@"$:B$Z–-3CAP.8"ÙC>6s= 00 C\ B;[E:P1 %CCK2t0M|\0UL۱;Y{{E/GB1z#4$+r 0E+;3T;[[e0+'xմGٜ*U+N]# 2R]V3e4}UeG,OlhKqM;r=pU a݉b ⛓@EWdVXjKPQKhӻX}<ЦDŽ k,- V3P; aYg!!>zi2hg:fajȞi^F+IE Ύ`oJeVau>e]4 ھn 8㦰Xe;^eʕGJpX9  (oCo. gbf\舧Pt ImxP5e5 X v5nNжj_qE8@|W?8Is53މp 5_0P!7 #FoxrXà`l r3sHю(8KPkHxLG-{vm0>_e@o|g Hld0x*+xb>x0]_x>S!GyycW !yV$>甡'Wc{I xkx:z-+smw>Aϴ7OHp{z~_$ڭO P-q&G& N~sSg*,G#n| y??yU MzU|_^_P3mjm~g_`~1HuW_ί ئI,hɤ 2l$&RhA6n "G$yc$ $`$/aҤy"Μ:wH60`(ҤGԐ"ԨR4uRZruFbFQSƳ8m-ܸqy Rz+V"N{R耲Ċc@%Gg[(spI@7s칢P.H(vXӲ7hm;!ݳi.7p0YfЀI_p,F5)ü&Ǔ} 멱Փf.% ` J.D0p ^w M}%\E& }(U]Jjqw^Ay%d0Sz4NP P[[I5)HpEDI*$^ ̐0BDbB\& a9$& Z]'e!Je.&:հg/cRdCp @ =Z%_B)U0ER@O@J aEp ,D€Uz[~:l[An:`)H` R a]@ 8hAj"(晤'v9\ƣX>FdB%Ra. 
@D2$3D[  @@C/Q]e0=]1dskAnm}zj); XlLu֮NDi0/TYCL\jr$!Vp@B/L4`6u?gw$ Jw:OƳ̗50@!F^p96?۹ݓҨ\,PJ1Ѓ,Pvٓ=mkڵzf]2FVA<8g4$ =`\M"pʍ Lci=.č飥Arpu^%T@ @ę$D'a"& \;HLxkg|gvJH(gjO=@HX>(x>ӭ|)TwOәt``a$38,H(ʙ#t)}E9zxs}a La$=Q .=)@#rPgI6t% J-rN"Tg#l%+m:9̉V"-է UN\:-i"UuoF @M$b^ ddjH\ ]K>lE%V6EЫJ|F]:Kkecڜg$TֺV-'X H r_|O<*A&j\8 ,35s+K b]-,:]zxIyWu⊔W:aN{*Y$A02/ `(xQ}~`@ H59 2A T @W*:57!8JR0n%ߜH5{YX%H@FЄHS lb_,PCpdH@ C00JlM1.q;BFp(4u6Aro|KXq^+z]7Dp "ɶA4-$=Q4 ?Gn6-n;l8bUkwd d-oyGd6R }1oBp")@'b:K>y 4 =cmV7qaiEAl{ G͕Sox4c]|E7d{ l8#\ mKNLjfIXSUd䇑@$l"PQ]q`1/ h!ݵrny,@`g5l^yu+tD-{~:34g%ClM L}#E0'z|?xs(Iy !#5sbյ&U 3V O2E.<"#&֯MC8'rkOFHp*^ a ]BPL_ ߰^^Սl%%,\ݙFvXdFFO^GcJF=D6MV$ EڍJQZh[q_k JmYtꅹ8Sq!J$dҸǪ\يTeʈ 5`p]!Y 6n kYHT!f`3F$uO zrРT` a!\^^L>^*FEL`t_[dX4a`.!j3J@# >b$2.#32OHE 6f61XP*z9VG]Ž} -J l$4F`$c[ |QB6!z)>\dIT;cpxc99^*#ҵ#E ""cG lZ3ADCPqĀ8$UeP$ ĉPTFxGJ$$"a> 9> ZyP)b5n8@ɒf6óv}$e9Z)Abw|:mipQ})hLEePaI$~NhbhBLk$!d`iA`YjB+)U @3&k2ƨO2*HU ajp'BdO{oMhF|KoH2jC+"mR}ׁJ4kP2`!Okļ ̺9'H|30;s8"c=3O˜Lbqt^X,J@pIڜk )P&tN8MlCJ 2D@MP'DlT4Fwrfi4Nfy4Cx0e޳B\0T`]eHtC4>GB>]գd`@HP%uKdJ$6vmVu0Z^TcD qA&ՖF]NDVNBQ74|l@wؠD CK @3eסh$zE.K{m#W a JcI"n(G$Fh$'4F SLGlA8.3Nj$tEhsnD50hch@n-y3wsdK0H@y{9yzcx~#>Z@uaGLc^]u0hk`@V?E ?ӲtФHtAyNH3*t))ݍu YմFu :bWHyEt QFBpKEuX:=A1KT8ĒGE=+30Z$Ps ?iT , вآS=@I_ՖF>;V AńbKli-Vbm_k>:% 4xaBObD)VxcF9v1I#I4yH(Y, fL D"0K;y<zH+6uSBS d@@>8cBla!<mY#<5nsXDy >pb%.v3HUɓ 6@ ]o<ϢH0ֳgHqnuF*@oz)j3%6&8B4VUKCl HZ-f},nð s_m"?,ԿP;p!2#@"h!% H&a@ϯ&,dIX'9 ÷`p:=5["7ŘH$\&|(*,ܒ.0RP`!BqHGDJ`xhsLaH"T,Fa15ݔST"a!QIC4ܜ!,%Z44BDW%r@1CB+LFL;lR ^!67jRMic ]Tƽθ\T!ՑJM?}uvRJըZm^@j(Vs~`u\ n'xwU]d3KX!TQÜY4pXgf򡆥`C]+㤓΢1H@P ;_pBVa_h6b`ߦh޻!74Bd!d w1c lansrt|_ˆ(]&ۘ\7fm3u cbwNvdzwn_~SG|/L;:s;>1u Ϳo ;??H_{Ǹ7N(E#uMAPX@=&Xa@R.|F>Cap(X o$9H{/ `R1B籏6IQ AlX%$@~uJ$D+* PZD4QLՑ 8'HBA$k!hFrorO"ĥWjQM*$ J"LN"QDB V p5#0 e2'1s^y9'rpP Cז‚*C@@dFqI  HF$( t `'-NX.DB# %IA B@:R'<* @jk(\Cp@:(F!j@ ZD `@ \zӘicB@LcF$cTk$p-jNͦߩ ȄD2,IU@ $:t@Z#AD*P"KP(4!`9qEAV +x\^4YXFAq hP2glbhFÜtl="ED5*mx08EDܗe;[7Vltҡ+'I ԌEt O6T\J5W.OL!x1ԗ}Q~Q+T)bpV!vv&3H.CEHQV) n?7 
Nqx[3y]21laD8w)u3lK{3׼=$mS+ sꭞT,LAFQq0E|אd@RUeڤ*PU0XYA1so D%2bfw$w;W@zd<Ⱥ* L0^!Ex)0DɎ>/2Lj|u~' !_d_ igWM'Kb"'aId OVjc:4M<Մ_+rP\a3ufMNm5ac^ O6}'݋ پ3O:  "}|$r+[QX  (#/٤P ' xd$O p*G~%&:` g0'4 8v<1hl$} q8hi#%6Т#0;%zbp f|G|.Ѕ awP5|0$|("lJj"je8V<KkI5 e c"%z% / 'lD BQ% ;PJDQADG ".Fp$+l"f"n"5U;"P'$0P7zL ( Q/o帑 O(e|(BUN)JjT#;*\VTCVh B-fVn-n?◜%%*&"+|MIB`BR$GrqO$  H$ QBvLUXJ24^@WТE -tFG ;BZ(k#-7o[ +,<, %#M֒-r-U FB .%}jP"tWUJ-Q2$ q0K*VQ"lB(+0*;¶r.2)g#3(-1(P2 c&iZL+BU*LWn1ۤ4FTҥ$EnEn3"BUZd777"ǂʂB 4M:Ȃh/Χ3q'5YH5,7r/_h"]6s z"8Sd2/kN"^ * :3 (< @ 8V|@Uc$B?S@8Br5CT&ۈ/,-H$($,*1]d)dN3NO$fCh@51X2%Qn(5 0K 24{(K11 <4@K/AU$"! M%3=w&eS0"C"C'UCFG[c2"C"\LWEH)CIM3 >'@"KO#hp0UO '5C/' *Ԇ4b)t)fn?@B&R1R4S)aS%|"TEuTOUB$]CpI5{Ng /6ebd4-Wu"[UV[Yt5!\uCQuѯYڵߵbb%p^+;4`-e RAR+iaTChwpbBbN#Ec ^Gȑ%}HvVd3e{(heuJugGnn rbgb0hthV{JigNOjVh +fKtG vgulb] g96a3mj7dui6vmۨc;0v$nvHo o g-lol_eBdgmo'_Rr . 1r%A6  @Cq@qxIt[utCPxhxTnysguCug 6 ,H:`jGfI'{|w D0lEw!ڗ w"u dQy2 7Npa|%uW :#}dpK7h]"*ׂ/'jvs7+I)AMw`rvrB2Xg&rc~SbB >?` ZG;)">/0޽{]@l|Ο",~.Rc#)vwG\[0[|V~0h_ ę<%? /b`>1,iE0(O+} C''KO_?RJv0d$ؙ-(_???T?1Ht.UY0v)Ob <0B"-Aĉ+N ;z2HJ<2 ƅ,Xə4g˝ȡD=4ҥL:} 5T2Z}0#H\zULSz0J \8YϹ@ɖ 8 b.f}ݙ @Vb|w-߂˽0%hbGj9ٴk|ȑ.x!^g}h8@=/lKܫFx*jú˛Dq;ܽIzyMlwna`v oߝy>apL)4\w4@ouМJgwM&`|.Qވc:JUu{ZIA& ^f_B+v$ZUP/"cw3Ҹ};~ faj֓_aISe=זQZE^$XYׁDeB6IhAJaBFGlOM"d&qw^}):j9]2(BWl7XWv$5%X jZzҠ.lEVokRͺZM7F!AZ+.(]-5'"[ξ osYV~B‡bM$ەjd!kR[Pѭ.AKqa]u&M /M2XA\|pH w FlsD5#-h55x <.*1ΒLs^VXd?i`Xn10M$Y p%իe_xaUXZxgi yAxK7MU~qx?6ZEΥ&a 9\8 ᅿ|L,W ]`|ApIq7]й%Q}G_-8m^?RUr,"6$ $ % FFz(P@g&ǿG&yM2$-`˞ DSA"! 
M =h4V8fD"!X~WB\ { !f$\W0ĭoIr+@PD}cG 1 я~AO30JucW>%"J˷|4P2賉t Rh.LAr!/+F!J>S f 7&".N:7IE^YY@i dMs=.i"Ů(hPɕ / #kq2%%.ˀLi& ķw~/bDO-eWtxGC$^+\QC8OXޥ.\z QW,4^4I'W0зmn2oчe[RuJQ`"@QGpWJ0Bٕa" *B(UuĦiv Wf%j&(ZhIZ&1$y3{JWЍ;^]A 2VLU`kWj^u_IʕW9229zehU \4V!hdxbhlF ꈠ')bFql.tYHC,ؼι(P6y_%zӷ{ud(^F)ןdTOV!ٯ[mSKxd$ c5o$ċ:ᑱW Tp ~#.U;^ǝ$5Ǝ3aO˲4-Br xA^d.PU0Gߢm rt:VZ:.slW%חHLWC*i>ሽ˝Mq3ymb#Y8UplD fw5$^7Xr,?bnؠi+*X{P˪І  Ď&~΋$FGhz~wx}#2U/Hͽ}3lC?At!+)6kK.Cݺؽֳ\-~HUIjRi%{'i IʧTR5w$4$;Q7M=[p Af_{׮%%QD) moȏ1%a1+TITOQ$N|wOsѸзHUjMTI7ebiZ2x]WŦf={eg*zFLٺV5xd9<>-{7e7qB>Q^f=zNdG=U+#ǫ'YK N=h_/ ~|wwhvB]y1&= !D{H@{7zZR(Hdz~Wt~wa~vYiGImCU.xbpAVfg|XtHVG@ -cwJ-.2h$G7}7_{9炄7"qnH /G%u7i)(+-xzL~@QxmG#U(bZx7W{riHp&`y}Fhf{hXj nxm#hW A<8TG1_(dx:}{fr'цh3{W'8z2n A7,x񄪈m׊H% g5ȇ]fw"xՄĨaV ⊒IȂ4EX8xEȂȋȉh(VI\"E6W#fadrqwSo(~VaȂ+L!-|µ4rLYyw҇Zw"a OZA&fEޘ8S`# N(("zX9rBm4#12[Q! 71$ #ȍau롕u? x{7[A<Ə M W*}p.#}x?t6>edr& `l P=Б+xz)\'5N_ 1A<q! 3LWI#GiM9:q. p!~9Rag4›qX+1I*3s) y陿W1L֝URބ2kCqܘ!/Rbc~Ve 9[qP qb ^Sԩ)\\ %t!1q!V.yw(Rgá ZazI`y66J9$ >KPV  S4Wu&zuHjh\SJ\K?Yn%[ a:X*P(tAgʦmd*PZKOIm ps3pBSs?nZ "W"YDjֲhq~8kSQ]Ԏq y.  /%ANʩ&&i lڧ?RVzup:$~03? 񥌺K[R6gW2 RHz5vګ5?cN:U[yר8Aq!=SFOSCR?+X#z:% c6QEqDI$fj@se@I)!0G~S?7>ѯ!Irzd?^[ZCI!1bϊ>1c7!)m;BW ԍ@K+ :4S<G:Ȓ|G]@ %4%ZK[z7D$fQf;嚶bU.#`uTUjjʡlr}x!!=#P.aZ٪o +$0S&3FuDPrWY#U3{ rXcEPˣ4BSSUU,G6obkrpڿLͻ%B*(4B Z:| Ҭ7,#=Ӥ#<+j\©,,3 `4;L.|Æ"<,C~68DKla>|`BL,SVFRT[3lW*!cLƮ`|( \k@hL(sL&qp,&\{x%ǃ\w ;\QU:A_] 1K/Mk#@ AcLJ|#'L#ijL)U@l(cPI[s2!E[lȦ,! +ȣ6 H{q=4qXvw7 eW\r!Sj&=cWyB" 4\ >Qk5ģS2sCgEY{Y*+OAQKl`aE"j&]ĭݪ^vC<#SH ۪NWֱ'rٮ*=[6t˻9y`6kJ|!-F?2S:eTN&Eb*U:Ԥ1-!I<z!)%-=:![+8)ZdoC,eWؐ]:,o:TC"y2ҺcKR p=1Lm[_}fT8ԙʏ6ۂ AUqଧ>mټ%3U\L`Qܪ f53zڷ4=،,EZ̽}_ jmBnQ854v8  w[Q+^UR|u7ދ|$d@|sORqO@6o"u~BrnY\tVNBܱ%q!봮;5.8꿮5.!l>z׮!;PK>XjkekPKp@OEBPS/img/ovdpm032.gif{kGIF89a7ZZZxxxPPPGGGuuunnnzzzLLLHHHjjj VVVdddTTT___444\\\000222XXXbbb,,,$$$BBBggg"""RRR(((... 
***&&&???첲>>>;;;@@@999vvv굵lll666<<<:::⫫EEE˽OOO㹹777iiipppKKKrrrώAAANNN===hhh888}}}aaaʇJJJ̧```www|||sssmmmDDDqqq~~~tst111ɩيCCC~}}{{{@?@WWWywxqpq:99QOP]]]%#$-+,LJKeeeYYYoooȠFDErqr989PNO!,7 H*\ȰÇ#JHŋ3jȱǏ CIɓ(S\2biJF͛8sɳ \…ѣH*]gC4,F#xUAbJٳg EfƯ.\ǔ[Yxh LZ1{PN;}֪*&% +p13ϠC;<`rH)J  A D4b221I?BCxYq(;/B |)r y=-bH!$V3N@Rt$$%"MZ(L b}#0$Orc!Gi=-H`,> a l/mqSIf-?̂Rf$`hsܔ.)xL .V"w^<0A(n ?`X%@O9& CCA@h 'L [xmمZ lxZ᪖"HJ-q> *&Ʉd6ĸ2hq"qcvʰH qy9 IC䏝D}$ِER^|,4KM q0 I@ˆDjf^Bnsg9l\g=~3=E@σ> h1{4'IҖ3m3$:'<4L(hyU?iF>9$3G.p e CbX 4>R%Di}3X}<qN  B`MzηmoBc5ᄂO;'N[A\@?FN(OW0gN3=r@ЇN : ?r;Pԣ & zAЇ >NO簐$8b)'p"0`7O|h@P.% *+^g4P-ώx3JYYUo BH`G41W h@O~q7, {Ap>4.@^L7Q,h`P f$yx~ ؀·zIQ0}A%c}k `(bWuzvw}(pg FxEǂZ\0 w}p3T !XAH''dX2a4p 6 {cq{0jǔ "ixchx(T؈È8H#(h׃lj ;#B x@_`d0rJ M( aGV0#G 8t(<؀`NՂ $q0q- /Cr80^% E#`$^Ќ0 8؎0P )] /P0 @攎($m` r p@n0 Y0P CJP>RPyveÏ &5 /:p{Ɏ A@ f"EZw%Hc?|! 5Xd8Ei2t0Ryf@pꨕ$Pǐ !0x0Ptq   h<:>~|Y-~) 0&`@B rY b@( )"  @0  `0 p i7~)Di(F]w0 p*9pA%v  = x $Z.N $xz췟%0"! > g`%[0 `pv * ` )_2wقHiHHp w_ 0BJr;B"7p Ne@ PA`@'%p`ڢchG@ @e`  x 1CK`  W$NJ  lP#Il?p \P P`R `RiG(خZ:+țJ:x5Kt4s{4{ {Mװ u {3 ;rk3[$Ks 2[{*+,0.  34k6 08ҳ>@;/B;ZrHۮJ{.5HPV{XZ\۵^`b;d[f{_ډ4r;t[v{r;x?;2P#F [{۸;[0G:E3;[{ۺ{C;ۻ˻k40+K`0}KE k{ #y;W;HDP4 $XzE` x[ aV@bp?0/4P 2 ;\  M@`c LKKe$D!*h.<0h7,k<jA` ]'1Z@T`v۸ۺm"=MC"5I=]}؝ڽ ` u p  Z0*[K 11 v zv%50_ ">$^&~(*,&.b`(6P=r :PY'<L\0 oCHk ^qV~XZ\0.4nqbU0 F Wu] @pT\H>sDMhW}p0~%9_ \u^ 0 ~T]ꪾ35~ H2 op  gpE^p G`Mn(Jp < gPT9)PY2ufq>>70]Z`[h)C` `^] `~[ Pnخ0P pAm!1 @U  /<>_.Q 0Aط( xG$(T `/J.$`M~ PPd N'q- E:_A5D" qEi0 !P [G,cfр unrO`x`l ._ȿpDǂHJ놎 C` `i^@?\_8 Jp.4)O,y A ՘e>%NXE5nG!En" )Ud2O^8MaCn6oW 7C C^7*A $7*G ?BAXNO 4eBG&\aĉL_l! 
@K; %̿%ܷ(>[ӔB T ~wŇgRy%L>= ,.!yp@ 4@TpAt?a𳰥(pÕ FC' HZtEcqFkFsqG{QGD@y )4<I0I& < 'J,",[2L2RJ*TsM6ܲ e6>ɎLC1 a V\ %*`%2#(a*02$DH,1- Pa ,51xՋcV`M%Ixih'px`كHi`5gp_@hM<?3"Ggmxo)XugJ@ &j@JDw۾m+A%LßV(4AH h(z'4ơKCaY!YX`P!Bp#xH?g8'рULgy&lp;Z[T?D@K $!W)Vh)-{k=C':HPeyH@ n `&V*fIhY;;U(vC=㉰0#{0r1.wXq?R  A@8C"%UAUZ\YMW000?Јoc4?`Bd 3RiV@s )XBR(<?($`*@>Q̀(*/tR]4sG#|Y!٨Lu)]k3O*Ano}{_W?M6΃0T1> Op }%rUHoh@p9g\pғ?H9q&hMhD\a0C0>Њvb@n !).X'$` Aabo}[n‰աzp`|'`VnlpB.ζ!YE/Wx!nbD,T4F!UWN-Lu S U<zD1hd`#0fY oЄxA`(/ 5TjC64 xC (\48ʰ4/QMhCb%Ys^ILeE27sĔ|[ۿUΒK@5hPBB^p@y7 p`+ `DF 8P2PO`R?7gmtX9*zαw#LК*M+ o(w%hZP@x@\<夓Ԟ80Z1¡X0&?F?  ?@F \`C%BlܼldxW%ȃ]З 8X/8Є^H( )`HXK$LP-"_83:ф8p %eKK6d[Rh ȃP(sR/m41bL4żI$m58=W7)9 (Mv؂>ҊԃLy\FGOH<GHA0^'Bx>=L *|A7S8< e}]4$@ X5ֆVE (tF}IvU41DW5Qx x^8XMX]XmX}XXXXX>:,ҭ5dO6I>^dV`W_XFGWe{O6aE4^؛pn}DZYFCֵS*xLh&dZZ.^8BAp,X`3BGpBe v0IE`n]q8 uRAI`?x?Uu9`l~fֵƒc e6NM9A0cSh~i&cKa(/؂W : 8(Bii#DLF58c8p)-)6@_w#@8A0%TJ@~Hy@GW;(.Jd8p,Ȃ);h_S:~=.Hx%AU^`Q8j|v@2P`*v?o$Lj> _PG P68a؂삖yͿJL( M 6п[!@S&^%L˟OH1M M&~0}HaV &L>G_*'HL Zfʿ"N4!v`@H?A%-J -$Ng_ `͏}% c4'a 4M Ytڨŋ‡/n8r5|!9)PvoBс eQjP:4!8N'+ 3pkL)T$ 9V 7HqF(g?h HK1yD#?NtO`@@2# 0r,(p U,lB[`??Z`?ܕ `X>?Y?`YcE6>]V|aP$HE4dIa Al?o%w*r=tO!Z O/IN4B?5h?z\@" A) \&?TB*uL;/`_2E,#> ~Q$L@,1d#1DȰ&C$#lZP BMH lC +T!C&@AJٴPg=?TJ?+^ǺXPQT)p $4 Q L +D1I WrS%NYbϐ &H\0r"ȄD.WV}` AU)|Q !a!pA% 0$P4-I21z%JV QI"XB>(L i_f4@o7CH`- Ve?ګY-)?.p'H@|` <)$0H[  .{0XB4Ǟ,MDixZ_b(G ` |QHTR  !)L3R=eIS"@&q'A `r1d:"0C JyTj<+a5Xj0]KP6>hC6~ A%ĠՄ!@ЄAT] X! R0~ KHWKr 'KjBp. 
PNqn i L@B" vZ0=x"ypTdi"e!`"ˌQ[)v+8$e3sC4`h0da8 c$3> *X`"$h&}zT/~4#̛Y#78F?р HDPx>d h@uFH*Mb/]1cbRƿ@ b,&'!AA ]Òx['K%-$Eb 1f>3Ӭ5n~3,9x6AeF h?a%."/*`QNȔC`7ݲچ)Ԧ>5SUծ~5c-Y', p?~` hCYށF`%D1a@ &+ԡF@7>7ӭu~7-yi|>p1 I}|`r5/eqX83s֩fr Pdla:*,kk_ބSAm B8=.F8A響G:ԣ.u'}Kg:q>s^G]XBjo%.c]Z:.w fp 8Aسvo;xu"R,d,a"h`)J]!PCBl` ]Ѐ7&|{o?Rqu0z2!%y =VhD#MY=xtߓ_3ֆC{ Sm P?4@ @X<\S^Nѡ?(pBC ??DZ_(|_=   R]]`n}!), JÇ?"" "aY?`h ŸIL(A L@%A0?A HKO!#6"a% 9X|6??h;Fz5m!b"h0,"-֢-".."//"00#1" bȀP'`A)?x>-vCN Ck8^A.cn-̲=֣=#>>#??#@ML0A!B.$C6C`ϱ"%TF%HdO$PnTn%W&%KLv%YIROR{eA)BdF14)@x?`)< T^dVaRX:a6fYUޠ@L(@fc&4;rMe`J ac&T&&S%k&TBZ:` ?^&D c4  #e,| @c-BlA(AKt`A 0yZ l'W,"t|Be,)+ lhNfX6(NҦ;<?zC1hI&Q?L@m_%w& CA+ł?K4aWDA` T^L@!ga"$.NI*-EeN.$D! 6|A(?t@h  ,'H?F/HB.4:- h@ЀP׏C68@:0jRC訞jGZ^ HTkA|%f*-T ^$@g@$Pxngh¡?\ȃ;:8C-A/|>؄ d$f&M*$8*櫾++,(-XdfJ,,FF,MU ARت?!/|lFaA"4ܲ6+JWBH+R+#4)g Rj+ ??pBf3 W&c B֖m֖-Jblk\"~i,JҩPA.F~(4,(&  74bk(C|F{+?1l p.e*ځH@^,O^ȴĬtBa0DpS?H*K~ⶄ?B$S(b+,XL te..®֮ښ ViFfp@W X$ &hAw/CZBA4 t%TiB`.F%0\tAXJf{X"*onv-Үd.$˜EGɌn |V6fA0 9b$$QiApy|Af/d0IV/\"$s%GpZF`($@b`1#dUg*CĠqof(|$ !A$> .F!s?\tW *#h(@'! gFEÆ]?W2V%,K&Vr/$ t"BЀ.A C@AlA$&"P' \fps{d8kFAY4HAmP" uB@P@ @x *"*nXԯ/B+tbA 4 (ǀ@]K B!A*LB W (B. BL?q7mMtfNCA*%H :|ڍ?0<%(#@o>W0 C`>L[3XHqtrgFB/tK\)8`!&t$8w;x+س.@Cye/[1NbthyP'l(k?",D%'?%>vX$뗠rzIf$b HXBA `BwPB \t_2eϴeSqgE;XA5] ?i'DkyBb4|fxXp &#:[E @Ȃ=H_{ 9'@ $ۻ;fD;B1@¿bHeh3tkƟuǏǟ A,A%A<+ɴ|K7ϟ X%4A;;Ư}PB^t+ѽtK-yp+xًGpT鹒< ?_0~z>b~M^g,P~HCH |??} < P׿?1@D? a 6tbDڨ 9v +xTfL3iִy @3G-g?mNSV%tKQLl1j{mڏ#Kr-α-j~[A=T/Av${=&U!d3J|#[n^|EŸ/+f1dh)}f:υHe",A  ԮC-S#  hddX#wh NژCB Mo!168i(H:DD g`9 ~P(8K1!J62-."BPq0 K0XHр%B!ßbv@6JbvKk朳uk[sgsUWV|)Dtأ/@#9+))7E-x;D5EEYb1!YPY(gqe%ĠCBX%^WdvYrkwg˙'d} i_5 tW n#۟$` `&` <UM 2@"r!9"P#Tz Y.l:P m(B@!8 x8?l1NL" i`L4dh0 *~y'SQ!`҄K x72x"X7( @ B?""dHF<.Һ﨟QjS1ʜrށTU~r EԢZ樼q4q\ZWv@;DWE7d1='dYϊڴ8+Vcj`=fWȞ$h4]ZҞ֚xM6 v @ dq>I:dBr@ҀW-gg[CE)x5W#lD[0E_{NUKj=+ `5d$4#bD.Z,$=ptG5 7QA`_0G5HXBN|Q!3F ?$ E0A:D!6x Dxn~H*QceH"of1< bF!Ⲡ.r(༮R&`L? 
6LR=x ]ȄP8C܊"eE`@̸ -d!!Z4 kZ[m\޼h]Sw(\;"Ү!Zb[ ]=S6Y U`b#wIjF|C:t{x'^q!HGX +9""疼-ygA[j38.6sa+^Rϰ-?3DTGfu ]x 9# ؀h!k_u۫߸$B<H7 Pw; u$eϙu+:3C: ;$M݃ڟrN?GR7 9NrOD iG%0{! .! 㬮-"` ~!c j6a!@!(!ڃ  `ܮbj,k0B @a  %\Ђ ~ ,F/xnb6A OBP-~A,hm|- /rt 0 p ֪ 005 KO ,.&';*Mబb * p p)N a ojP#. # KQk,RѧV ېPoQ {P n#ABy b {N` ~A B!!}1͊\V @B rn@hev @@ K?r#ї,j@\״ځ@{to!%$J'w1mB<֠x.\Vo!8 LR#w.p$$h!qiD*`LA`'!(=k(bS a]0ˮ\h, dQNh,Vi AA.6s~$xT`{̀ @9#,o,=S$QDz- b78l/Dm3&H <8(33p33,T, : Ba@.mȳ6 X)r'!5{\YAC p#٪=b:l93Zz"3v 暮z i!>' g@ {{{'A!v @ 6{ m!@ L `=B *Z j0r!92!`G `4 9){ : ;a@+[k!{9{` ;7p@ ({ *<b" ՛p q!:&0O&A: h;  : { D<@A [ dkA !$GR!`f\ 0{Ԋ>;LZ[\X; Z ;k@ f ſZ< [<@=e a[%p<q`9{!`Go!"i *!D|8|!@ ~|!T 6D#!K!׋@]_!πE =Ep}X x7!ŠI! ;9\X!`֝*!b} a9|\  A; 9\vL3Aa8ǀ=;|!; 6)!A ] 륞 ~"ڻ@~ڠ>~"oy _ X^þ "!:V5_< 9E߀:Xhnaw߭+Gz#Y֨:#!ɒ?>?߫X J{^A/ r{{J !Ͷ <0… & U~q` /$BȈ2JC d̙4kTitnҟKźG|l`! j=P`P&Na ()!X'Q ?BX+`\89w\ j#BH@ {Ef`ڵ9|@sD#>  h$/cJrcٻ ?Hoɿ"L = gY]jTG 3[O zNhe<TXu~"N:qb}q?0?CaGi `p&$V[Ä>\e<!>BxuQe=% %5Nz'o!ߍg-c(nl!40B !P?]:ᕓ^ݖn8?f ?gr1CЂ?640]7@|@!! @J ,dBVZWmi-v@.RR|\D@$(CU@X7!TA`"-\2&U@)H0NLrQUݵ ,c$OrB s ,s/׌s+戕A(y㇀+zl>¬3 }.=P.:✬O B4^O{kX?p'qsϱNX>}6-BM7q?cx ` @ =`ЃGp'A27I<p2YҨJUs8p~K?p #9!I*`~` %QTLS ةA!VAs)`@65F!%>F.96A xը*mmIK`U$. <-l჌l 3 fCmgOjbЁ@QȀAr(xB%01Ȅ0g8 8Ap6_#*< &&5HRB`Z'P"AUram/+]+U$aXa PNtbІ*AG B0L -ocLyCtd2P9FbyЃ%6,M`)E8 .X 3֚xi4'0.t|/!4tC]z«g}kM5]%@P <O;JLt.oӣ^}ƺ!nJCGLj6pA8-ţ<_,Gxa>ETk! I|c83I*+N{k<-?wkV}IA6d!) 0<ob{Gy'w{Tygn_c|76P+uIT  zPZ}8y{yr姀3ǀ'6`E "zRpOEd0DPU }g ߷hwwG|QӀx^J0 Wa@MnhvXP #El@DPK؄$Q2ݗ{x|2wF`oi@T0].PwcIJ  D` mX`wL8O~S8gYx~3而^>9 # @ @ "pE_ PBlz8gRTXwxzyŷ8ǘ]Υ8W`wpUFD; =@ ;M KxHNhȏhW.4X ɐ8R 03pGpkn@kV/pjP k\n?@&* 蒲%(* ȓHh)JАEy:~jI کlj3*Jꫧ ?jc ڙ**;Yժʪ]Z`Zb+jyn:7*ڮڣʥAjɪfjMگO{{J_Z}:ڦIizw ۭ:Z.`Pʲ6 ˱: ʳ:Ȯ[J"+:&۳>;Z5*js[ !czЊ骨8t;jzm+/69,P l*Jrk_[Nʤڷ. 
KC\ц`SaO c]W"xD`+TBz8=MHR<7]P)\X*E4&2;B4"FVP#pf0x 1' t` H$FcI$FLF`#&śpA -(*l&)NnkRFI92)_Rw(@%X= (""+x@X{(8A+(\j);ɪ;qxм;im2PX7ѝ4Dl.;%1Ҕ~Υ`gNiz䞖)~34Kxxtծ]($2/Lq;MyR_ڕ%j-- JxbNpNAȰpab;^bTDQ~ 2GO,(9*hO&`RՐ:%4bd r:9Xh3"Iyr$ruT!" bg<{G8z12Gak?6vys̸Ċ,5yX[] bK#3O@)%eW(f-1=֐!~\87%p !m)`T~O 3v& p$;FP CށK\'-K~z/A߬ƢO4ta@KR'ȵPU77];;C&ޑH8 " †1ReHS,v8`^{p!XAzl>|ӱe)ؓ+'%WvmtE0+M ?A|Ji*RkY)cmRjteU)Z͢>) LG w(P؛A9xxyC/}z;)D8R 91yGu 0Zs".ds2t2"Փ-/o z:= 8(]E#>+㻊8؂8@H ^#x)Aq: X 8#4 ght8!X0?8$k-`B(Q58:x`p_p3 +> ;Q,l32h +@ZxPWсw(%q wP>:  =C- ;+N8汀xAP49@;;,NŨ' .H`ʰ8ddw_bJs  =`1D`-ȃQ5|ӷw`-8[ EA28^p r\aFFlPB9ݠ@XwZ_j K9+3F=Nq„Dsz/Q+;`v%8`*p3|E\:B2P'8+Ȕ F7;cL耉԰„oX #2HCo_+jay؉x 8ȷK@'h>JǢC4\  )h.̶̬0KLRxL Dp ks;T`*I! J:H.ЎLy s0?XL̠GGŤ<.\ `L!x XæJ*B΁IMԊ.D DK(wFٶkUA vjgOl`LHS2NNƠ`\J0-`UX (VsvrJе"(B>҈s_rB(4lR164K-PQN|ѡ\͋A*/.tQK IP&q0 Pc - uF-4]6}]U\njU=.ϟ#͋²YJ)<bʉ,yV h8 )N9@"n=oUU9WS˝ q6XҊi,,A\Z8`4QrY"j}B2=nEUpSmI APmY(?EFuZ$XDD(˚VHϟYXZhZT ׏ӭ@MA #ʏ0kx ΋u:~lD\\ZS5ܫW- ,ǭ,`f\$,H]&u"YH"l 3@ MpXD841] e]5EݪXZrY/Y4pޮI ҸH3[_A^#9@e^N`3^[T _ µZUߐ5>؆Ђ0>`[3Ϝ t"ҀRq/] YѕD{R$S`#5PKr_,`ZV]_3p`"AA ] -xHh<=c>_7؁Dx 8I8h49j 8x_x0sSj3~Q[`kljjfkLsOs&}⅟}ԋkNނ'`8f 8J{>XČ/ <-8CaÜf.QlXmwjچ=mne&Hq$Ӗ umuYV3x?p/\f<3Tzn% l~pnxc.֊(@@oT5c@\&s8v(e Ήp$hpaHpTގ 6M@ ?Dxh2!r/쮂Jm$_kln5 &'G8x(qV r(iSl dZ3ot&*dR!Fq889ǎ:s݅lh(q,-7-w`aptZlBP1L %:N @6j@UFuXdXЀuojRe]?F"i vv-p 6u%tn8 >:%Ab) tgu`ooxV}H4mnRDgMo52H\gg_hw3~)y\f (m !ygn0xs% wWwea) C]㣏Ry?%zSP_GQeCMf/9Dee @{'K1HEf@Օ`jRxv٦7ק߃Q.ne^3}_ưgoǀ_>(Ӷdt{w)5Sg}yZZ&#lqlW[ݧppw:/nXҭkU V_-/oD@4ՠCy3VObF.-N5زgvb2tQ"E5rR$I(Ut S&[.#Db E6Z[-Jk<FŦKntӏ͛{ oKy @a~?%"Ec?$I_}2!8(6Zk&"֏*CMTEmG!TI)K1mU @@F#?PR@c]@M m|-igE5B8兓R0Ht ? R k:UTY():)b&蛍H !@Z$JhlQBc[z+4 Gi]SVy=PUP`)P^nf_PVSUMk{olʸ( \L0oSJ+lR!61Z{ OPű^,N9W{EZ4a`5mO^/3 e!N&)+tSj/8܎\F RROYJt$&1ņ =~)Ay1 ~`rA2&X4%4AqV/+3L""f]w}&Srᩧt(5ZM0Z_ROeR@cSI%QikWykۃް$ S1Pe1߀sx?/.XU Ѐ @LnRD)GϫFAL}| } A,a_yݿ>U*kFс( Qjr6Cym =# A! 
x@z@>1U_RQ( pA 1vR>ArČ"p bN)sT=Qu󗧨&0Qam +ț`¬\)[1L8+(f; kځh@81 Mh F03K[9`sPP` k8Qъ D) C3( P4m.폝ZBu43B!gDxyG%Jl5ͦ&L&FCm<(.R~>@` m#| 'F3&2M&$=´6]7aAp_.ja&O7E@ IN ]h.x Jp9x+\sA7y(HE̒N8&7_zS|T^},di 2T@.ٔ0ը'STsM({byA?U2Td5Wp;H fH5C0-U|+`_v-;Rm U`Tg:}R,7Ub ?t/dBA IrU_Xz%薷pk\*yk_Q 5_X$]?M92>Y}",@n)& )20(~;z2-ckVρqlqA}.DqJBmgr4|iO> Gnt # Bj~UxpcZ7.C3-3Bl[ ~:?Wā}?iZ :㏧ ~ZWIo&{W>GPf%O { q, zdeBޟo(Xw%1?|O- Ǚtpǃ]=L&,ѕv (~y 7.Gv]1 8w.>i@ R!'[汚&S* @ /mJV.<@`g g3)ez~7S׶`q}qzx6NX=)Ӣb26 F }1 xύPK^.WIa?cˢUAC m]뱆^8F (|9EЁ?@?XEU8\E]YݯQ 9k0:RS YYͅYM^H[A  Ҍ^8ayl0 a}L) B9ɳ^") PD@AװiSŠQ V ]qఙ*<A2Lu^xaXP!D@_L!-b"Pa"̉aP C0K,v,  B"ZٝٙǑP9u;) _ ehA5*r@Ԣ@aIO!@c2V1!:#A"rVcޅ_6T 3`B9(]ʬ8(!vTH }IA*DU 歜UHBT(eA~  v[< lI 4,@4#h*fndej')6i\Fa? NjY VbEY ,@(A""k-.x%j'H&,CD\㶆>AaUJ^pBp<@BЫ+E2E j$y~$$X|@ڋ&$В+61(@lB1@뽞,-+˞f̖ꆊ@ЭNrЮ-ۚH: d@@Ԓl&aYr-jA͆*'KL6lVg dlmԊ,ߚ߲l^FkX@Ax &].҅%v熮ޒ.՚.N_E%˂*y)VIb(wfˠ/;/z.Nmզg־Jk$/@okC ;Vꯨboș-AC,lj};i=E</jpү.̚ _l p0 'I(hA46 /&/&li[\AEA&"[gd1l @/ïzq1ίV߄J{1܀L? 5+˸Ƞ(AP@&T@ px$S%o2wr!>+61$$qe,Ƿ7,?MR@A!0$1[r&:~j4o-p5k5_pB 8=@s<3='13C`7+@Vo `A2êBՒ# $#\tF0st%cp3/I/JS/4}8NҴV+@N4FktPP2>WIkS.TM8U3M䶔7o5_mWO<G#=gQsrR'n&qz7h$5gx5X`uawtA|tbo"+50\/\2 lDfoSwu6l2oOg`5i u=5&4?/5lO/mr߁ A,o o_XFquHlZGV[0J7)Wvu@vo7-vwgww`6qa6bu&A $kkk/(G6SJu@G~!sFphij#89A%Twl(SW>!hE%7yu.H;tfdױ Ku!h8h8_]x7aa3dy37')d4 t>f4E89A9hyi?e T%_B,92vk;4tJGJ>Ay:h44x8@T@08>y6D ^:yq7d!95u;>A!:L,;3 yE8LzCsSGw B!@P^OLg;Sʶz?3SC7O6[@6z7<;xцBxS:( !52§pn;@xG谫A~~~~~~:аB,(/:jP;T}_yT'[@lt*>]~Ӿo6?s( 0 $E@ 6tbD):$?zAM#Wr>?C-soҬT2؏߿2LDN=7@zo辴HdMm+`9ح CmEXQ}0&[5<rJ! iXІ9pCpaS XD#+DR%?KtH8AQ;Rb&EJ_KBF0I{1X6QHi<F6эxR~Ӝ> O5hB7y3a{J. E7jQڒ!0E ґZ$5eBa,LR`"2*(.A]<1Hi @Hp7QYSQz|g`! :kAEz#&S2D^[ ` #5-<@ dO1-p RBAXVIhBr!dNقE ZZW.l6AD`fi}ܚ@r,k\ <@UA,1(m+43 4-87#e%?V\"55yQzV䦆 -@bQU \H= SۃVg |pR\,j[nڪVgd@Ft$Z]!fl\?"*g@hGXxH]|Wg3Zߪ3^遴+*V$,GWg@Od ])Waq"OZz԰֍LBM!m4؂id onWdiݫRFUv*\ +PZ&d!gpY/"'6v on}3U%qSg:\E@zc @-贱MfE7O \i.=Ѯ{^X) a'x#bϟM*VR p^@T @l&N^ .p3@F"(+0 aP`TN^v<ElJRP  00 AX@ pO! 
`a^d 1P``@A pa  P q^ AOaF/q#Of  @p9@!D} 0E&q 11 @43 SWQT+[eOQ qPX%bs16f'8":2 rMϺ Tޑ58kʫ֎褠N(SR#Ao5`rR'G`A's2vߪǂJZ[X2#_V6*#xH%R++`0E%!,g*Nr+..HaHXo2-1r-f*#,`V1.`H 6.3CklԒ0 * 4K. a$4{:A ^6cS sH/L??M@T=!d=t`2@P }޳ >38 (YzƓ<GET5؄S; A0-p-Ipa0EKg}P"PE;y\>}@gMɳMk%[ E1NNZ5Qq!cuPe>a6g]g޵kfg^YT_0UqPSU`4aS8Mz*RSZb-5cBO1 I1U QT[kl eu2e]Btfs",`UTKm`v""V95b(s I i!maAnPBUlbQLXBzRJ+!F, "w3̖XiFmIڳ[3pwp- AVL F :4 N n6nHAf7:@v G%5eS6i3SiM:sAWCto0`4QWCAu?`a]?4@wj Ċj &Z:kU` h .MK~[02@a "X'x B!H7B fMsW:(t|}saa7܀vBp:L.AZNF#h  :Xs8ā-Csm'M)C7:؃a]C)ܠ bP8s!#` a^} }4Jk.r8x2Hw,2XN6s/y 37C BQe)! D 4TLa8B` 3r8Pc | Ȁk! א+xp9՜y#)-XA!,xL 9B))һ7C,qil +$ͅB 磕`! @gR$D$LC7B&e8|'.\EcÛ [AE9 &+<M"Ng, .!" ܺ;7@d&DhWļ\{`Aʸj wj:Ò#/5@ kf){ft!tfܾG{,g,AaAoC < υD3|p z ؒwqE `޷:5\1x3<1xXG @*+t { GD؉cɗy[;ћ=T/.Ls :l yI]-۝ЖCT3 Ysc| QЛ\>~ߘٝˡkcr:廚UcYxμ\ڏtm^ `w=}F=5פX+Z!82 : A'2!Y:%H+D \~؟[@7f{*@ 5Ž>124|^Е TJN|lUk6 <0… A1D(ZTf);.K<2ʕ,z3L1Zڼ3Ε6Np #Fh޼iO6lxhɒ)wH2c&M>j*TN0sh9s7}iĉ5kCLIrlٲ' 9B [$_5&cBY1dϤKjP[~S=&ωRNJjV^%kZnʥk^~ &lbƶΰJuSA^?>HCK*H0@(R REe-x8S? SQMUUYmWaUYi[qU]y_ Va-V51RCIT{F.? }m R 4e^viA i0@"T$x] 3%pRap'q%*bs+Bt1ZGcv7c 5av r%DlAR" $速?vDNBBIђH*yS^yqf)fVDҖ@ )hl*[)+@BYZjZ\EB{ș!uo bq#"gr):bt/R'u5j5עt0V7#v6nG-F4\I\_tEU@yU }_A8-*DE$hynЦ'$R~Xc6+sL1'4\BywV}Yg}i xi:h#aގO,Uv'd8<|O܂3R"9QdUPN:GhKt#Y~AiuB"e Tv$,M \X<J+! 1INT3.?q] E6{)j;EJMJ`[py׾M ~ RZG E4% TIm8a+ϡd X;Qtl8 B׀pT0&ЅaCVJP"7aV<]-]}ZxjlJ'FBqGTF,- ~'0e@ثoeN26H}L'I$8D5k9I %-h8ԡz(JtIkE( Qf×?fBRK4q!b3R?I'S{Gd%AY@Ƀ \plLb0E_{y ɼ@! 2 *F8%]Uǰ+帬GV$G R!Y2BHGմlQ0H~$-HA ,`I կ9Q/㣲P'#e {*)&MH"`G\Uؠ[MutmMK?.|؀Z|'l8m|ɔ@ Nv{ 1Rs Ȟ14ݍ}|1rk' B3 a 6'KNPW25Sܷwgu3~5 `rn~$Oa ! pF00esWlo7i0 e !A&"*2 G a Pwyx% 9MRGjj-qV0-SU -5@ 4Xz“Yl%o2{ &0[&wv{fswe@nW |P{ Wm0xy8]!)saZ'!P}&;O0in !&]PgZp'lwo4WiwlEz b"lB fV^qh`jtɈˈ͘T)3,89>s!pߕV zA8q7lo5gixG`zw6m( JP`f@k`  @po ɋnR%s,)10 (Z&P#3XDCr2C!!hgo3Givl(~Ô7t ِ -4@h ^u0eYhyjɁ,ouMw("yeP*҂U0 $&60 D*p Ѝ5z q&Мo&sVwǦ{kZ|m;!x< :{`f[ 6`  E Sd96^Ӵ >iqsQcv `w93^;3i0 2 :NC! 
9{iGAYN wyWpS ykp@RY9 |`:z Ur kSm#'Au!Jh D%H3S,<3q i6: @#St @prZƓHJwNQ}VDž )|jʦfIi%9A֔n|ڧ)aLl@% P_&@09 ; "w'oFJEh?9I} !pӟ:^eh P 0raЬϺ*Jw4I>,2\i$:A}P_5rѳŲ˰ ? 9 _a@IhzTygHn-80a:x tnp+۲ n*}ܒ^+@%@X{JqE)q&qL'|loAw˩hjBlr L˰DX[Kз'6PY0+NP *mZ-q&Ac]j[ Bn꺄:o Un ibz& ,IFgQ704 @I,/j\oR''@^$y}+ulj-ÌJb: L ̼; PkWrY'ڪ(yHدM[ q6N00@ {([Ñ1˾[k [o ۹WKF yPLuVWmYVY8]`/I@f]}X= ]ԅ-{p}QmSV=3|و> :ܾE䩞q}:k<>z2  '(3Mm=m< #&DM[{`P`jO]Wm݇|J4rrWapfrf,m:GUƵmߺ P!1E qe{c9i`+=^͘%p,K-{ΐs }a K1nl1}(*7~9<0:"+&Mm;HPSnw@ ~̑ Z^=[AP `f }q^aá |x5 ߄KrQES,6˼,-mgr wϬ;~^߀^.>鄮/n$Ӯ1P# ^X. N};E%0x+ a  o? Ѻ|.w"F-6#a)`]>L ,ϝ. !G6PS` Z@i ?7-pq PG1Ʃ }7 /Z7-0Otk'A I˓r\c20 ;wp-+mp0Kh`) s7є ɜ]R]}]=qk DPB N'8dHf? *\z\ʕ-CĐK "lHȥMFZj#] cR %J !;vArdɓ)W|s͛9wE(G.uh?z)Sf9[ 'D3 ֓J, L$Tb%d&t'"((`  Ȅ5iaWdD1Fa,R-R?ָ`o8a@"cPf2K-Fr`L-9 .D3M5dM7߄3N4N;Á3i, m~ nKN$ t.$Ԏ.OSOMIƅЦdyNAB& :'Q;ت6Zii+무j+M|\!9CGH`/h 4\lZy7Z$ķz_8`&`ڐ#a# @y 839mA\'nKcjKoދNd(UQ5d 76y0\-HXh<@ڃv0\b}s%>`0$)g ku n%3nqG lv߭la8pd&pG<~M21Ќ]QmTdI#,R QOeN[fffm#>'cE%@0jB 4 l1zUZQvGA@č%^4}o+?LQb` P?ЀDp0?ʠ~tC1B]PSsTGld FmezYZ u/D#a78bI8 2a?tQ6$F!bE%zҚXlA -/L|zÃ6d2 LWCڴ6H?H#G>+@1> 1DmLح"eV;#̔N2Pŧ,TURҁh$ %-D >J>U4[x mL)eNȣq%hPm!B&7O ^Α>'+J;P4B]D$"~HgEEY̌b+!'#KULF5N!UЀZSq~ql N%r )Z%Ϩ D2r T)I~R5tj&z20d B։DThUjz=#@]0DWF3e fnS m @4at ~XTIAZS%*k; 0 -mjR4b HnkI{Ҿ c;PLt6H}f1>SȒ'vH:Y'vcy Iys]j{: C_ۢxMM 6RƬ4yR >\an5rS]65/SCvU{ {؂G8"j&Qdl1[O&n^`R@mL 826)4PN4# a3܌87g$|crsO PY&atu6ͳGV3Emt:6lyc\o5wI yM(v8W2946vuh_f֧ʟJg̷Z08zS@.:q|r90]хzԭ)~ V;Xn&zku]{vN=! 
B6{NC:ģLtKSslpF8i.w&\p$?x80%禍,y&iNo7r7M)ٖI/1ۅ>{r&G2 B6*J2Ȟ=ū+Ǔ3\1+-ü雯o)Ю&*D@,c(+Zsԓ;J_PAGh%2BBs2 @CZCj4[A H+28s'S0*3QBVCS=u=B#D.@d#%&Fd9Bê+/m̃>F.%-+ۆ'ZY(㈘ EHÿɵ[EkF{CC) '; <4HcTHbH| B}Fl#Cү849"w O28`FڻT\-2LW쀙l-?H5*F\̧DTE|g5GlBċ}pBB@<9 =ٳV8XK<;p=(?8Øm4GGXM!V_`TɤL9ZFj̔'K>Pه$d XwM2F8NVv3PD.H>XNGC0SxaEDĦN"|.DDBHFB7-O@%XoX <=@pm@Yh0-."Ed&D@0}42 9,Q#5>FΔHlOb4E0 , RK(N؃MwX6FhR|)U0Oҿ0˟L S@D-8S=} 5ͤLHF95:%}ؚ:p՗co PDCx Pe؃EIԔrP]T>h| <+v C|UNW}!&̜U6̈\\O]%}@`;Rb=x 5hY 0;jJ (mֶl׶@SS nB~>PzJ, ZhL8k-` t( ,+60p 0R#MF5HJ؝ ?PXT5.@N(*ۻۼ۽[uɁ[\刟Ղ.2De՟PS 06WTOIXuZP>ZpdEu2HV.8[(.j}[lK8N EG}d܅ B{PQ̬rܛ ɕVv֨@P}U\eZ{5FƏD+K3`>(8l uk'E-x  U)0JxMVޅbW}Wa\# Q\͍:]\QlZ ܃ 3mݫe9>X;=P`<ݐ^ìa) x.PEU)3EV!0OƮHмFD! >IVqJoE. 2^n]Dh޴1 s-Nn2&a,5fհW|7O8Z7U_f_OIW9Cخ6Ą6Hy,$Iz\[)N` s Q|QxBTF X Y] wH[}ъ Ka ^^cӏ6}dՓd*^`K6QbU[*2蒠npָTaD;9WCp^_WaKdfdg.-x)8م*-x+iNj~phsnc-g#p}S3cVH^_דgPiPuid x Dp. `gAr.H/exvf 8 fj@i^Ϋށ"Q<G k {CT,`w6;kNUƓV>CNmScό͐ 1ILl/kNAe9J' N*`،рz8Q/ȸoPp!Jk)V蛙 ȁWHj-`b9d)`>+n^J]8oK ~M [Jhm>GsPm2 HKPfO&4f]wCtcNYL]pHa }`iY6 $%Ymq8b/fK6-`pH*s20i@PV@lmF8j^> e62.' H$xc@lQ" X#2uJl`v Pf)ݸ@u,SC88xV86ha/.c|R5_couF8p=!L! *2"$*w&r"^"ubRmSwqx_'Y4|wR6^o[m"w>rt&o#. FV.xqx H;XxO7(yfov7?'Ch:IVZXrY2"8 3]yI7,\ w6_h X0"N} )@@DNTzmKXE-xh0?W;({nv|@iiwOf|Hp )0}7/.,DE Z O*B(q"Ŋ#p F >gJsgFq&͚6m:駳͞>* "Mt)DQ&BjӪVbͪp~S 3Ѳ"+pl +fN/EN h͙ItW)h3 #)WE+g&)[)y2ʖ/cvM+X'oZ ޽#A .|8H#O.Mm'h,r`h%vW.]x1`A6Ph+A(X S*&`wf?KtF0I(ĒK0䟄*%YQMGqVL;ufiV\suW^[~<ı$ {ȷ,D1?Y_fqYDUpPZH!pA"8#%Gm j1ڃئ榜 qءpΙ}6]8{Tblw3>8V aSu4BNQ!?P"$E~E쨐NT ɚIRTRQsJg38tڝz0ˢk4Jgh$z diUj1, |XA @f*ZAMT?^|\vxFf֚0/j)Ɣmpd2clƧI E0tOU{fdDL O'QejR,B jyy%Fjc%:ZW3uvm_AWsڴQmp 󔗮n-o;SvDpWPDDufFG(LA;"-jHk9)3:M¥o7ӎ6p H[3f׽L+:C|5ۋU)rrL :g\D ? 5,^MC~n4j2i)`@hv*t jⷎVzPDp" ыiCvep_;B'/phh@R/^.<>>H%22dz1 _?k^Fb="ذ< {'H'"oxUN-(l^wcXA Eؙ=Z;Z ` $X?h@"lDJDXID $ AD^ T H\hBLEܖ @E 7 `Vd` ,O RD!6PaP!!DpaO`PB^o!2R Vt@'ĄlF^\hD4'bٽ9B2bD5R"b-`1Et|C$ T]O BP8Nӝa $±ȑ",Mp@?Y!W]O͡,"/ܳN=QUh x? 
֠t0Ep` p:..aZpaF%(M<08q%3\a biH.G<ʣ=bA܏-, +*BIM F D"2$Q%D4a2ՠedMp;q@2^YE[JfJ.ν9b%,L?ԀڠBO-Lm X P#DZ 94hEEdbDkEz¨W^̈ʨz Ŝ_kpfDHnĊ(Q" ifn( ;#h;RXf\ko4cQ|M4 /lARcۜ#;ѣ]l?d% F <;jd;֟꠺svƍ^VblB H'\je~焐)|*rބ 6P P <-jO*qnjeڜjDX1R%X+$%Akд^WJȮNHj+OqkVxkM-nmvmzmrj-قَڊOIDNr,p d@EN^-:-ۖmnЦ#2.䮭Nnbjn-ZFms-LZ,-:vnr&F~n.V://BGO%dnޒ;mn"o/zoo//ʯm:*(@6 fhoVj+VD0p:=r4GCD7DY8@sHo;C0wpm0+W00 0 װ  0 0'+Ěj( @94%__g/*0v#Z2ɞ,OjUTi(@ R( TsݭBlok-yS;"@ﰂV,*ılV1;1P B X ,fPp/Mq#W##lejvqY@%O&_?` 8() r^1;I_QY2--Ǡ1@<4@s[,OO2_,WY3;s %X#h37 3#8ͺ2v,:SL139 9 otEA4B+6349#Gt+7)FEiA'4={=J8Ck 0sJ+J4v4G={0?41E4gtROWOBô 4Q?Ht 5ScRkAAtGuCt>,T@ 2fumquW 4aXoStPt @sI+3:I/o"bccKvdSv&d[6dg6f76f.XG/Y/ke;-tvew/c ^mrvof6wm B6r67X4Tj;OC tww7-nf{wx6yxqvr[suYD@ 0dâWvlƓ6.x7p7wz+y8{'w{7]߄S5j3Emc*`(xod80밌8xy?qDOssY%(`W?絺\ulV`iGi<ҫySC7[G9;׷Υ9/yNr "#\ BkGϷALl-zrm(>:*#(U?(** D>>W󙬛8 uzu( bLm7}v?g;D{ȳ:)˳|||/7SAȷ ̍ }xkEǁg,B4B?{///?pw=(zO:?*w{Ol<OOƧg*{D>C*@激£C|OCӾp9~oY\ǘu Oٳ ㆙:@8`A&TaC!F8bE1fԸcI8dIE.ih9fM7qԹsǐ<Z* e@SO$R:*E,WTպO\zlY_ nIقĕ; $wMY xౄZP1?xcʃ/μ8peɞ7[<HGkN͹0բ[c~Yvl, Tk˃ KmNɭ\%NrsNz7).}کs?~=ߣǞ;>>/@ïtC*D:#41 ሓ81,6$P< o<Ahۄ5(2I#0(PoFؘD }"PHYaYevaV$Kh]J`0E}0I)  CTsAe,lP"r,ėA/$n !L>XM `XJ ;` K )t%0B Bã%7jTX$n#. abx!!* `) jBq#bK & lA~iq! Im5b$f dO && aL!``X~)e"[Ǽ !"0!`^&(1dAX %pQ#>xn*P#F |RҀRhAv!pQ).(|bmwnLh G rA @ @ "/R\0$]4H Q)1#\`H!@ -` @A‰ .&"#/"Q|R"/Q]A kLi!rf '@B.-$B-Ip'*DBq$Z l\ &8, A0pF+"1#!/֯[в"R-ȠƜ ƸR*r3.{,BLXG-0ц5'J]TS, `1)*  p 3-*wp4"?blHxgj.)b-f N 2aP!Rs"Q+2+oLh i>ByfN$,!@"gnfj:AIx2lrN; Ad <vSqr tG)iZw`Io hwv" a4-"A%bAF@ $qjS5ɲ-6tpCт9Q-5N'1!ڮ`\t:Q ft0 >   `H״kHRqdIG `~O 4,l w!a,QEδ464,-&ҲxdN;TOOX DoC?J?^RQU 5|bLHճH+")\ HU ȠHU!BF`P*e!iW;OaWoM%MC'uN鴕Yt+rU @`QMa,0U"Db]hDBZjrIw,[4!ZUՅbNc`#ƶT!u&uZTX+$)C%,KC"fIP3F6LvQs^,DJZ )hxXBvϖL!6`_ig3 gKm,jkLy*T=+:p%)Jpj' )3b"\/8q7*7"dL V X6HS=s0D; :DJ G"OTYUvaL r/saP!V#twn\\so"f!6 v! 
`$rt*i e*-G1iՖ/F`d~r[b`5{l4>U8yS" `r5{#X&%b}eaȵnv $m!eG J8"b*^ %&p(!"t"xX(|8LpeC Е,M#j mG)f2$!<۲tx!X+.0QxҌ9Trbt#8(ʸxsi=g ^!tq{a P]*96&Z!9}j)~u%XGג7 :$xxU+g|#rB{E\EZ N{ ax5Khy Y a9!\!qH 87~洋B\ Y6 w3/7s(&;x?CYq@bU_k(9"Z FbFT de 'w#T !!z3 Ag|PXb٢4iqz}u8=H4Iq8b욂()%gh0d] ,a켋\s 㹝V/o@@NF!NTC @E \:{{{; AD^&&RwĎ 6CNJM8AVw"{Sb#@bl؋'Zڈ+z~b.5+"IO~Fn!*i *!$x.!~ֳy[! ).G=`㉼ JcK_XV]G4 RU7߿4@ED6/Bà h(XEa͛8sdz@q,fN/EN:~8i-aR̝)6P-9p ʶHPʝ ۻxsjy0 ZQSN)NPi@wELYKA ؑC2o! GF P%yg?Zt@` ԐCw=އ/u/ UQI-SQMUUYm<@GF"P}]tٵq `3;Pq#gP6Zp |!d]f}F$ixfMQ"pf)R?pbs:&vc#pKo\=Y !(# `lF`<* "uB9!/IBe?ZRwxX  M07zE<` ¶$‰9TMx%ZgSIBЅ+9ӹ!̝2d<ϕF2+ 'M  ͛8K~ JBP"7Ї6jbHfU  R [@)S\;FPҘb6!EMS "虞-GwkAN䶼(y΃^PiNtjFա%yX34xrp Jooʐ%1 ΰMѻyKVխ_J@0 ) M/z"5WI*xAH%Jߌ2.P][VE!t9L5pdV 嫙sWT~cwU8~n̰#Mzmp.jxB V@H~Aho?7`K긴@xk/XR É0P8c9ك3Xg6eNc?B#5 SDN^x>zoR$kV>!xǢ9`YO:P 4>oCㅈU%^PshV,k .H^.`TP z6! O"I@ѹ-y:Z50t}g%~]“ 1ezgG/cbcv/)Gaq7 %5 0@ P_P Ɛ \ &?c#\@c"'/HZVk7$C2]%` s`TYE3AE4V{,Suxu0 / 8aM0 PP:p  !c/ pFGV0s1w-[VOsNotTp`f|-2ٰmnaxul{UEf*plb{b8w٧}U P( @ @ Vwv,<"}AGnY KW{w̢vӄyQ @gpvPC# k`({獝b"JUd@1_*Xv h AaP'}l@m y@vIvAq$h 0|~,pf`@zp TXl9SO)`ޱk8X",VըJD =`wx / 0&8q /p)i'?RX/Q]pp5 \镙b9f)hyjrqHh4Fp$.PnuFlq,F?^1z h0 }8w Ɛ x8Q H/0 qE{y&) 5 w ]uZdKIryWYS a#xn7)v2]'gP h_,4 |wϠ {  p/q p}QQugc2cfx Pe` @a ,ꢿOsZ ZsY1OL@@pxJD"#إBD֞vMWzܰJc `  0 P q0ЈU3f{l?+4& 7ɐ@e ڢ7y7y9<*)uy0uG1 p`g|PY!FCi!Y*:kKlM  p}P 戎XujAӶg=xqy` Iw˷CCc t8z`뱭Y |p0w2xz% 4"&8Yarjq16k g`Q`!^ @7xW'@üDsGf cK֋ QJ$k-۱ ;J[a0Y0 [WX@?4g5A܅5]Ylb{0Rr91`X@r:0p+@ц?(6|Y1\[p57슱%B+DzĘD %٠+zV->5 h77?C;3d=xb6lڜ6u%1U+RNPv5Q؀%&Àwzw V:6:P Wub49~ `pA<+}C ʪ:ĉ{F\0`\ .$,p@1ZPh(jx81]"h;飞-v\|&VΫ}WgjI}/v*|zrM?_3 9 %)_4# 7:3&ʱ.qpp3}%Y0zw5a6#?m(hQ=$|bV@gЧwa,g|^' MDT$9-1 @PJP Ń`ɠڋOd" $}0$#] - 326 ڹlKX-ÈыMk!ë<٭Eg`zwp6pSc/>:<1ucd΅<8N' 8WnL*X970 jNROB']eD^+ aeSRw$ @CO/֨mD8G'Qwwg./-Z^ )9/R@X5m s/?z4MˇH4 pΐq *(6dlgEa غ x A,da$NA?Ml[  'Pt@9/ q : 4VE38%+(@T\@z0TYn~\Ŏ% i1J! 
=8ChN!5fxΠSo12~9FP;4bSFg(4&]ş&'Zx@-rI>nh Gg,iC=r&ѳQΏ'p,̊A]VȈ"  Ψ$PR)DQx[MeGzDj80l*"C&:?)׵뮼@["U+1Vx1@1*Xř3fҡ[t|)XzWKzL}Li`-3;N#1>r;O8-Jd*Y&:MS.TDERl,lx,p\śaŕX m?" ^eAILR8c3,D.` ]\;,p(GiWT%5Pk܊4/.K;Ⱦ/3le`;6fa cM, ձDQ#{$2M-L83RTbYJnHHAJ ڬ+ѝ*" q@¦b!(H*a Z eb-)eT@qo8< E7iNuTAMn{$77I~ &-Pru*$)a( hEi;+9F de%LԊT$PD&K a$8_S( ͭO"DgQ'No/pR *8#i9 f.\%=E~t%LR8J+rMV T\R-{GR;U ibDd_ ~ɒ("%mţp@6QV9N j 7q* 8tFhZrgVHfs RVPfmE(E cn% bCKToJ1"\kl7= u}[@Feڢ\Hc pA DӊpMc4ɀ`WI׆@L` zΒ|n>+]ԝ0Kvg0 0:~ >6'"l4Ek)MOЊJxVh2"/ -7--H2a c?V\G:,\D @".\J2fun&N5uեXՎF "ȵd4= vHɪ׊U%T/V13̴Ifpݏpt 0X+ݯ5'H D3㦍D.( r]8de@Y1CJ>$=_;Z@A1d&q]肬UeL8blJo@8+xYc߉-'S.pڦɆ+HD856w-~4#=]v/oE]oX$8c"0_KaSfSJ taĖï$K$CD*zYiV6ǗD0M(R v:꩸| ]H{ 29svGPxوC%d&eZ(ư, ߮[xf-/Di76kZr=ig (*"xTg%m+_i QyI2p"ZFvQK\$S@5Sv);8;u>*ٸA@(>;2@hB]#£>K4۾h ۨ9s; mX9Kŏ$BRC>F9t!u#AÆ ?-wCd '0&HT) O2hBNZ-/%\\Ǎ\[ 8>y7r39:\$Ƹr(>DƝcA7Њs<ǙS{%c @F\&%5£y ܦsL{LE)Xߛ {ɬz[4;7>JHc|2eTHpDCh}[Ddy)g,l!,L`5lsI-H604 ZņK|7GEZ3Jw2SDX9DYc2HJhPK௬8%Q;IV2M@4|kGaãTLc<2)(рB)DDfŠw4zƉL3=b B<± +<?MHpxD+Nɬ*@O8NK`Dpc*D([nX='~(NʂcXi^U;bgӍ㓈pͭY p}㬘!dZ%1$2 6y` řl&b+e,%Q`ci NJVtCU4qXM2VchƮtns9FH^{fwƊ8Νfۢ)wFdEaY.#U"}@-Z*N}h%gŒKcL NfU*Mn EKH@eapEܵET0Y:[-=i ynBh3 5 v~ׁ%JKiO\8dj U!2 Pӂ"U @hŠRdx]fbyvbt Ll@ϬlR.ִi: HFꡖmȼX+=4!  
f#*[d̴j@-M~4_U>Yd  x>8_m 8cpi ή_a0 I՝-`I%fC@IЀxBk $#-@ N |$†^ ”.2 +i1=\(:(}l??& msj5ڂmߕPHZ&^ ,P ) ُHrB{0  "K} ~N#x$느84AkB¥UBa4 Z` o(wDpD,LjNG;CnB^H` `5Ϋ K5N  ]]`@Gp;aZc"QMnxVgCՑTn e_SQuSol6au/W*' v[}MQh[^HlS [إ*.݂zk f#lwBkWqEv:;݌4g Ȇ'J%1 l^x븷Zh .0}}Yl6p& B7q7 f v݄z tԧG~V@20®QLhMˮf Oxz_j6)8˿ 2l!Ĉ'Rhq술JC.8pbD'*Wp ̘0u8@qĪD\@btE-ZeKϤJd)ԨRRjj\:jH4+E -ܸEvۂ ЅZdke)%˕.eԁBH @&j"-JDD$ 3B=>m4ԪnYUV3D ܺ'jPn !8gJA =PJ:)C2$e\W%$F~e&qSV?8@K^!%h''*q!Y.&7#4'(8v"B>d;tg?DfV+fpVD?8.E l*|+lDX_H![UwЖEҸm*mB/)&/Z!E?ыUҒϪ\ht<4"|0IX"Ew)A,X{A"WgdxC!3JCvOn,sQf=aANR4&Eugo-4h+J4j"HUl^u#:5ƌ"ͳZpVA>tr HRuץE3RLV< EB=03^YE7<^ad Z׾:yhBĦLiR$b#&: [bHЄ ҰS!Al8@gI (D-C<<p4H|bmBP2D+r^bj&f<#{"F1n|#1v#M8<эA# -6\h7Mm!J#F*䑟dB,9Ih$'%IPFoe(MJHVde&]JU򒫴e-7Sr,H1dK\1?SLI l3)Ii̤1MkN5̈́l47NtәT9NwƓ|&*4x4Y?ٔ:)5hAKحT%chBs6T ED!Q^ԡhD Qt}(GQJR xZKOӁT!1=Mq:P>ʦ9NӄT?2K}TEeQTT5Rԧj5]Si:t-)(KUzR][*ҷU+[Wִ|k_ {=+֬.vUUUɂU},e#{Ynֱlg'ʂ=m?ZVm-lM*X굶~=mg-]kW'V),rE{\墖%ms\Fs+]Z c]HY ;PK&8yVLPKp@OEBPS/img/ovdpm001.gif>>> 777222yyyFFFSSS 888 ***sss&&&444vvv nnn555111ppp~~~ײqqq$$$VVV'''}}}:::iiiKKKwww,,,LLLȅHHH;;;)))!!!UUUlllZZZ +++|||...MMMgggPPPeeekkkmmmtttTTTRRRJJJQQQdddooo{{{aaaNNN---]]]OOOccc """zzzjjjWWWXXX\\\fff!,wH*\ȰÇ#:tʿ]1CǏ Ci8 S\ɲ˗0cʜIsrɳϟ@ JѣBJ"j%O>@JիXAL`ÊK6MҪ]˶۷pʝKݻq52Tk,LÈV㵬ǐ#c<˘`C]xqcɨSnIװnoظsg6uߑ[N?xX۠qKB&fP\pw©_ D[7O !hIbLX2 CMQVR ?ѧan桧{'߆$f~"xJ4MI6PT$@ ~aHaz^|%)e'淟D\)Sߤ?q'ZDsJ3 #BEJ2QE`CHbD1 4pB2TTA,ǀ5<x3tHv䔨w >9bUe*QUQ&$ İK @Ir.7B' |P-yUB2)O=2PS?,A3Ӏq 2dOZ&<ؒ" G<׬Wt#OL3)K,x ,8ЃqQ?@"EbF`?M?r?@2;3C$4"(P vhpv [H# 'EC( \Q`)# @QEL )x+t\4)+8~F84ov"FY;Y)?CbF4\tA?ݭ Ѩ>03c a@s[ |MXdSzՔ$,!U@?Yn ?n0WN [J\PT|LA ␎P',cz=@j,H5lr<@'XP? 8d!]6f;$8? ovDܽ'LA ! x -0@/Bu ÀҀ 4c -h?Q@Xc&9~ ՀNI&(0% A*P h1EMG- @c@JD@EF ` [/j}nw`~¤hU5s?PG(P;, D bE8h`G+ (XP Ԙ `"wl+: T+|Ń/jHD8`-D_8|PX8fQv6α ,ΩS!50 !>spPZ`O $c_1[9&P0ȑxiH;P..Dܩ= <H@8 EN qQd(" ~ "* xKͲFFx & )\D7-c|9xʻ<7ʠVH8['}M&jTqR4 j凐qUB#}w(gXcLb.<ೇ+v `fk Fdʇ;ŀIahL :?0P ۀ  2a 1(W58@aP |6g8,qvpd` Z ! @]1p MP  R؀; 0&"g7Ck&0&f`.PְdR.Oe]{}H0c .P  f@ N(%$n`PU `F%0 JPSЏN`V" b3H h0cvp܀ `/*dP G  l p ZQ papO#? 
@{p`@ UP PR  eJ`JDpKU]9#ŶdZpp۠` 0 eрCv_`Lwf8 BPF& k^}0l  p ip 7_x8)s NJf  0 H@ _P p Y[PM `o N @ p fP U8  P БTr~+%N } `B87p` @`5΀ې#Pp   8` P p^}1w0 C j+ڝ$ 7 @`\pYf0-iX9& `0p 4 L?s R0$`z $9 ٢v=50% * (@YJ0n [Z` ` o  u@}) [ I 2`{ZU_7)zѫKn\@J50 Zjp 31 JE0 X1  Fs5~'0/:PO0 PU Z( ۴j  px;JL ꅧla [r]+JMi";zֶr{O|Y~+RrZu*|a۸ Zk ɹ٩u _;L;cK*kK1{F[;Ѻ{!kFƼ ֋;q;[{蛾껾?3 ]Ma;[{KF˽,q\| |8M  "<$| ǿM02<4\6|8:<>@B<+cCJLNP1\FLRH,XZ\RLU|!d\f|hjlnpr@B=D]F}H5= ٤X] P&va@ „e} }r1 b9F@ Hh0!zG q04` g*]GEK-U`^f~h& pFXp8/` " ^ `r ]-/Z` p 7 l<P c:JN0 KZ <c.j뺾l {fp-```=0  ]=և@1 ! cp 3.O@?ZUYn͹cn >͝˻˿pk0!xϝp p \`? _4 %`/3d@ؐ.$.彀l`4@5P֌* )`@pMZ FP T#p VPwd@lRT0KMf `/`ȟۿ/ǿ?͏0m+C #? ɢK`3TV^?_mcbAֱ$X >g|0A2DyxDND#G!E$YI)UdK1eΤY3&Z$7A]Ĥk|E0-Id&]@j1emPƎ]H0 ?m_.S'OxsM?&rnLGɞC>PX:bҲbR( t.Ha8Aѐ_U\*c-ei.b!B . RLO;&_yٳp ./o GT !`YOG 8H8#E)ʑ&x~(a K. /<\h+B Sƒ(/4H$,=[+4!q#b(a"&` >y6]'o XLHv1fl <Ph~hevȀWapjHNjgYFQdU0ptg R&i$nre %*0 9h#h,†NhhKCC^#-$T% -m (BQp4mHE#a BFV@C!4E 0z~@* H xC 2! h1&ax@\Љ4aEp`fx XB `6 `D qKbh^P B80 @# G)q:Ȃ ^ J}xK2a/e.TcD3C=%`$H.&+1~@(G(06A@~G > 8E1IH0C$!`730A`0 Oh3m!'`' AmrsDЋqagF0Z`G C AAx& vd IpDDBh1 9iϻrFlL L],f(6hmӇa(CD[2M$X? CHC8>0rX!"4wu16o&)l$?&( pqTiThap'tac `Hxp%0~P At#qǻU͒!̣ !`$AH Q_ģ *` }p@B ` _ H3Qw `D؁jq@ <`:PGN|@B$-az $ @ yΣI~}(T} 'L<`, !ZahϊE}Sn8yhm`"F#O(Sh[IP0)H(a$5{Є%7؇.Kj>h 5`@(ھ`5@O# Ѐe 4;> [9Hhc!-(Cg0(|=O 08YiP"0>X8"[ph,-CSDULЂ&/U ˂s老70y7JS?;\/`SHTE]TFmTG}THTITJTKTLTMTNTOEłi3cl@PKP%@ 8@X0H8Re]VfmVg/(_%T(Xfp,(pX]p` `H(HgW{W|hVkKxEJ (&`.w qxm)ohK88`h X8 ~!%<HZ<<Є0P~L"d8B  ȂRwx#A|ZZ%}Vׁn~I!`2%nQ H8AhYb>hGhxVE X!&3 5 Hm(X]4shuZCzЃ.&F@JC"8Wz [=^M޹4[x)T x?&p^ %qh \Hr8VzaH(XX{؀2_o L-H4318!j F@Q؁**eHPKTZ=aNafe^ QD(sH,pK@w؆E!Ё pY-gɂv#Z-,(HS Of8Dx)Vp:K^5CЌH *ЄR݀klUaAdBR~^kC J 7i#Ш7m#؁HDC,)Xf=!1u R8PH^0郘[` Wxq 02 BڀA Bh#D8Q)M()@%X5f>`VXfނAHu!HxA1P! 
O($8bA7 c(L,8݀oR40b@`G؃(%&V9@4=8;Nhi- LxWy3B L͂0@K` ;h,0>PFaz6->O 2#HvH"H o v@MȆ2 -Ujh UX%HN 0xȀ@Z()p߁p x(hh R`Ne 5VP>h5qMx;>کjD؀LXH#Hlbg@'1H?C` [Q+fmkL~ 65{=1P%@< 2p'xYrC@€Ym #'8$#)G;kv4p_VNM=޵g=n4;w;P6j'xPXrxs0$(}MhV/p7+pW5gnl00xЇAhp@JX|p}$PRȃa(']OxY`US96QR~8ss@tB7}ph=0;tIt> r@PTuN)-uS-Tv% 8' DHA r"?#B/Hgxp* Tp4 v)i-kx$E˃Ȃ?@/[/?tGFs!Yf6$jwy#Myffnn>#p#Pe48H@roX(HufXg@zGRy!/{Ѱ o{oѴW3ᷯ{WѸƤ{Â{7{|-|oGj^|w|ȿQ|O@||} Q#_})P}}؏}ٟ}گ}ۿEI,0ӧ'|q,}O.~W~'do~~~~~/?O_o믁,h „ 2l!ĄFPh"ƌ7rXׁay,iIl%L;H:wfEd_ĠB-ZpJ2m)ԨRbjԬZr# \ǒ-;``eײJѸrE.^/HY-Æ:X`<_3Ya0jl[˚7GY޾La<8rɕ[ 6Ϟs }4LL 6ބAs bB+C? j"8P 7T:ȡ 8bMh92!5 $!i+ϓ13Qy;F\ F8)fQIݛ4Ɖge`ɧe蚃]g`Z名9! Jz&lZ\,n`a.jgzjө޹F@"@BDAD?-.~X@J9+:n @C9\I)縶l:Pbͅm,*-r&" La?"0DA$Do d:J"N AlF^`x1/u `3&d!e8 m&13)4L.?k,P)\d  g/(',QF8@3ùC-<l| $la?8O5@RG'BhE YrK4@?'W, 7!Udq?̢Xc?`=F7̱J@1C*6(4Rp* %bF"P)L@ȡ:z{:6DtM/F!S\3@ Й@|`' )d[( %< \X J8#uէ% B6~'L07Lj H>mbnվ d$PJ!D*$C{0( HIDF @mWZ 6`!0`g4+7CLCsP?v(GjU(buT?(O؃ Bjv1!?j̃ h7@ "y8Ç*PàlCщ:r$tQ  !Eh `aDpJ3Q4108XV,i!=x$9]{$ V4( ~臝uWP6`D # A>1'oaX^D\`gmq e`H"ʐ/p[9D/r|`!bF4TJ[%a)8̔b1U(tWQ%54׾YYnB ^'у8 @oP,!M#`MhB+ 4$Iםv${H LC6'jш}ґB! w@ Q`5-*! ;v3b@G^qR#);)?2L `kVpM$ +T l8.@@"$B*t(@&EAl%C`8qD/\1h?|LZ%؁|8,@-v$!50P-8@*9HC6 @C9 !`BC4-Py%|47A.dA>\C3@$#H* hC408=[Mf\P&V9x4.@A63 (AB@B<tAP6]B+^D{E6HٸFm$A C`|0] іCoPL%^P E  0p)ͩͭǪU GI%p+SGI/q#GGSJ1b1h1pyqԱq,ȑ1"" # \<[%3CG G (@rs2t22,,#-7-..r//#G00H12R4O"̃4gZTh38<Չ!3:K2.FHA<Ϡ3=׳=3>>s!L B>3AA4=7L@;p@8BO4E#49! 01B!T4H=, $a;GKK4LǴL4M״M4NN4OOӴBOQ5R'R/5S7KP'Q;5UWU_5Vg5UCP;PK׾h>>PKp@OEBPS/img/ovdpm004.gifOzGIF89a```nnn;;;iiiJII666vvv ???sssiilĵttt***xxxOOO&&&444...999\\\XXX,,,jjjTSTZZZBBB(((UUUVVV888GGG000KKKddd223RRR|||cbcDDDFEEhgi===a`c@@@PPPppplll./0]^`fff~~~ggg___zzzQQQ^^^QRT{{{FFH##$Ʒ878ʀqpq867tux::<=!, H*\ȰÇ#JHŋ3ja&LBR(Q* PȏcʜI͛8s3&F<Q *U(C3@IϫXjʵםR؁>I¶۷p|iIʷ߿ V8%ٓ@o@D@Sk̹>YB'ȨS\5{A˞MSdW7:̷+_\BON-nν2&*+ B/!}2ϿcZX]߂ 6`O f5M! 
RWYh!pC4hc#j*A6)&㑎% 5ᏑHVٖ\vɜ,X)fkYrh&?6'RI!ii`RonTi杄ʕg~;Z!VjNR"T0:8 ^j1eHC@}R Jij(T*kj@6Tx?V(bH'mqm@?'pBEF;+FAj@ǹΎZ&l-hb")WA0g?[*l f؃ *hV^|R׸bqG$)k1TJFesZ5sZ$@pQA1GJK]h?spA5u9!OY\ͶD]avͲ{7v!`V@ Nn 1Zad䕯vFo>@GzKm:੯:[~\qn1o|Eq`A}t_[?;0K#=ձuI7/}k'<OrSQ .{'>}cWa0ys[:LB " "HX:΀K P4g 0nX""CYBP]qs(HGyoFDaD03XEjY(rHzG B?\ <Nl(<"QKH5ڐ4dFU&rN)OxIDc5 v2nhBrL]VT7⑗T"%D@S̠19LT,\.BmҒ 7cn 8g:)Pa!d;n 39*T_[$zD6yV$\ J^Y?>3jX5E!3$(7IWDP&ERRd^! Ch*wQy18PeCN\`FKMkOzҔfD 0PD 6J(7`_pshPYF>@dbeDp@ZW %ƕf?P-=|Ȇ40 z>? d"  q bh=Բqml{8Ķ1m vCk)W z(?|`"}(@uQ-pG&54`3QX"_Q4W[ޚ2sq``&ngX72 +?~1q->.{ >$:X ``=F`KH +ƀH"lsAZתp +(7u.t ]w{~-^׿`hF_QlB1J꪿v=F  :%0a `&z4@c5me\CZEF{D2<x#TXOSʕps{HV7<8'=>*KA#7BBe*C*370xA:7>^CЅ^] |B^ЇZTjqd~8ܡ@g% -iC/PA[_5u<G0d`GaOgAh%=$^]q4`QK@W%`10]<p -BB'Xm4py0i]|F7Pi 7}zԱP>\z^g'q t57apn~{D{N27bfp```|L z`ч p8=d}ejswЀTEGgh`vWjw>y(H !pP -`rbp;ȃxXMkr,G z0*`I` 5dp9gAp `*s0`8*b@dX'ՃAq{tMGu7tP~x뗆SBrNxP>EeʼnJ7}T=QTuEl$OXhs9OȊ>(IKhP8o Y`4Qx8uژ`` (HhSHohmL8No^p;guZU)J)Ȑ9Z0 4F%xp(2}`0K2ynp_X8UuǑFFp4\05cjXx EEX0T)yYr嘔(oĴqgo1u\yM9`o}iP[E]8u)# 0o0hTTeSMS/iMOXa`Iis:RW)PzKC!YT'R9!)8P`j9  Zyt)0 yeQOR aKj jaR !!-u.h?aRAR 0 YH‰(@ T(!*E%R'a[:fӹRzZ` +!֙gzPp_(Б$ !(Xì[f0뼶 @{^ɬR@.*F $rz!&$̠F ![۝<ҷ , U&Xq+e^:=+SZ< 'o# ˼+%!Il)Ī;I=dR"JNe:7k;I| զJ1pT{ **@J[ zB&+m✂к'D )%s,û m+8f(A͵[j ĝDɭNbŻcݩ_aj=RP=ا ؤ[ܙhs-[ c]&گ-ҥmՊjf +^-+)ei9d:lj[>1.H?LC pU^,ZβIJ,6HZ2h<ML0P0\j*%0~o9M0e :!~>^~ꨮ"L6_0~N2 0ZiR;շ~Q^ 0 }  f%j$ O6ɞh: @0 1~"T@' ':ANb( ΰ !`UT "3(?m'QF 0KzŤ *u0<+b [rI0 9|&_k`!% PYb^9:&?/cp q .p ])@`  >lgPdgp a&eb b /  G@3y G0  #P` ,_6 kg^P pP>9&s=/ O&AD`Ġ p PB$C? C%NXŊSw DqjTʚ, y{5f&uZdNA%ZP&'+ \b$ԩ29W󡘵  L@ DDBYcOdpUAaBaU32 0 p  A3g M8KhԩUf)Y2e ܱX{("b]PA#קߣئL=lH٨"D !ޟT`͜V+ !}%xpNW2#+8pf;4 2SeĊVEK4)AG8Si2CdD f$लBޫLbgCD?< 7*"Z gXb9sͭ*)2(Hjb8nA;L)xkC F Vz#R9!SC+IJ-E'I#bX`!hp *$VG""2jHvxN '(DN! 
i@=,ָ V(`#p!#/NMXUռ4(A G\`# 8r(C^%Fr $HD@A™]Ah]Hb w3NrwDNc~QU5`-`Xyh ;AiL6;()Lh*&BRQ|6YȤVKx@"ENt9vVt /!c7 $Ci:KB:5>K {Zaۃ>S`8r@aιYŬ$ &B:I`"cDr>Ih'H}u]fnG):@$b"ZePkYD'?QD FPLh-k90=ԣ,!( Xz`1 8A%@2(0ue80fJ(q1Aj#(d/0Ho1HzG1q"!bi8%k @ mL)]2dCF^ "jP3 Tn_N ឦE j;$(:/ I7K! n{;Vq^)Թ#a KpPNp `t'\f2)jUuJ :7Aqz@05"^` ^D _൯,`[α*v1 d7xyRbh 4#zw/ #P`P6D={J陸_i N1,Uw2 sYe&WL dXx q7KMw1{ay6 @"ݛ9p aBV^2C̜撽xR{uwhVX8A#p?5߬.c- M [$aM Vhֹ^sh?2q&6o&StfAZF'<Od8_R|?j0@&O{0cV/B!"U lX}{ QCC. A 3.z#Tr>>4O(?@)(R:X(XXLa;2ؿs=t8` ڋ #KkI8x8A(8hC1[1!#k@r3A2ZvP/OKuQJxZ+!R/X`"#$-x[<(Bc=+=,;6iPD0c{UN(>@hc雿@ JR>> SphNZAՈNZ~OJ}DH*pM{C`|RԂ/H4GWE)BZ?[²0[+9h(M6 ?cm )P~(Rҩ4,tdh(ڄ[p0FЁ{,ЄV诀$,ȃLȅE:H]^9()2&8?(-;OpF`n1R<؄Aav`>btCeX\@04& 0U0EDH|EEB²<5"+FF2bA>+LKKF8(H¤9H-?2H_LDd˔]Ђ 1'D2CM4HʆZ,4., x˰Mc2  D/`zDPFFL;Ž)7A9 ϢB ϡ-x}6+"TL`QR&-{Q*3B+ N$J}K/Q H[KSEf5 P;W]P dLe41\ IkF0DV-ubf(S?~pkuRTB4!ԯOLMRw"yc *hYX`+&bZXh(ɄNZp и;KsIW ׇ_H2EA B`:x7n2ZEq״TKORE(&PZ.}̀e\˽\\U\ [=.5IEX8PH\mƩM 0dLc؈\-&B@8e7'K }^赳 [L،H%}?,UTSLU#}_U ȴ)CP?ᄖB%KKNJrK%І h<潉 a^t}#vH2_EP2ν=>;Iߝgv >`3QPCs`@2 ן`N[<˯)c7}vY\av%KM =ّ&WQ39}cW"։j@DxZ]Ccb?cL`]Xer˅D0؄m,7.Fx|8 D=(@39l2'm@]]eG]eP$H!"UԙMУ + [0U}gns9{eFJD#HbJ|VSX\*Pډ 3ىeEl7具[>Ypb^͖[e^fva$Tc׌kbzCRDXM8Q@NK8a}L˄ |^m/rhvc Eۯ(2rc^$mb: k(`YrMq]ҝ@ZxX6g19TNtS'4~:D_33>Z&Y2- r}c^^:j_^mfmƶ; ]?cxsi/LZ-Zg ˅y -e Ƹ`5ֺmdjODmnV7MM3ARMb[mD5e/H؄Z A(FFl6&~?ϖTЮc^M ށv\r)光oqG#]>|^b@$.LxEphynj[~jMhl ^hRX >e;X@G(>qх8}H3vB9FbڌmYnOC1 ?W:\YKXs݉0Js5~ߗ>热UJkS,?7l]VAlY&h5>tB  +e6G(-3u"%cISdWgC]vdZg/PHqB1v(8vOvcљ2~^NOrasŮZhvLprgqgNrЉnIߐw^?[axIj#r*zMxO4gx=8`K+g粛um(P-&wHqg^OP#"Qo/-e+v?CĈ&Mm71A0PS(IPgmwR)PW]hw'XXcFwGp;ްcKtW|:u* l5ue0nuKxF\p̊(6_AI+;yp{rҖ?;_xwջH: B TSL%JLUAH$Ő"pK)R$gB2j%̘R&Μ:wd .cTG\M(jho/XϦ]mܹuo`vXb5gi'9L?DZ j(Yk=1 7 J'C r%(@) <@)\sR cs$E}WTswDRL!!SMLcѧ[n%]v_~&a!cAViM4 fD!DehS+v2J=,;іH.X$;,A(=^ddN֔<1BIRt@M JaXt}j&p7v'Ɩ%E1-L:Zi+eNXQ< )L$س$ȪLd.N! 
.LN<1LȦ韜I  rW51]Fn03qM;@ڊ ,$iE~tQ.ĘH(PQ  S|V b(NԔ9Md,}kfqHwx-5N2sK8j`@@ m=(VQ։lI(y(]mp4H^.j@e-A ^ ӭlx;2* xnk2M9ӷ4C) o h G"ޣ'( WzO .o'1B$ B*^ǎG5 e{aĠ {\_ȬG3$N'QkL>G9f6ĊN'Zdc89 S(`uKRD>AaN7h z]f(F3 D`6A0؄r*!F#K.Dq'Z)_L,YB .5r" (iev64a) sq! МZ,`xZ#(2&ThU ʭK dF1aZL^WfL8do&&:"^0 D FpQ/S&9Ǧ2**l`=ch:*\V>xn&ؗbҴ?duN<GQz> R`TԐ./dQW 0/qX)ӗH!A3*$P>H؟ **N%Ur+NS:QF L$mEK#QNT@j2b*P@A '5+Jקok-gNX5_UX9y0:u1 vW5-KBF |$h!ݨۑBCBh4'H,Z˨, AxЀ u&DIv d³5&8)o+O6jf1 c|%}&r"Iue^EJH1,`;QK0͝ xun ߗL! c,@BhOp-Ԥ+J t%O!}eQRn9 !|Q4Wײ&PpH ^h[te 1<$ ?c) b{q3;@!"-@ã&2Od3aT4, E? CX  V G"x`5f& 0p!M<jfuh~MZ@ cfv|IsDCᚹD>xz%@/zSG{ୠ'\7nO_o L0ӯj;AjD"cC_M`AoQiaYLAP=\eF[M\ hAx e^]썐%JaLOD]Ƙư" !2AACk@@!%nR8da p@ (430Q j *JtKia@V%%/CxPJECV3r\L-з-C&"`|*a+ơ` jg"|HaJMb=](㶌3d{0J3;`"p"8%|@748a+¡c^c=;FFR c!?8 \4 N$C@$4)z(TEcN9r b@ fFdbdP-r IcSIb!2N%[v?98-BR2%F>%9a # ~,& V4 K{XV)&1idb\`bi5c[v&1A(HxpA]&RZ^T!c<٣gn^A|+jek6eFl揩$'tzf'qf^Sf_nl6:~%WDt'{X'vjgjrqjdTGV`MfQO,' ^u^gv|^~}*_vd`m&OBjbt=p ^d"z*Pd(]h|*hqf&_Rvh_G}?8XF?0!\b #Ć{P^hn'z's(gKR"&)3^d@v$hEJ:=mi|hw"'_rF<`)/[ڼI.A~dg*b!8=d4l*Mb;nK?b*2)1T*⨗.@uZd(M|e2.?0bLa")3Ý`k< +3ga=٫ZHH, De\F)J ,֧CrB4$Y jy~K~ r c.!>  ,+NL= |¨T"lʾ'ʦ+N`f^jݵѬ&-lg ٬Nmlm-nZ-B-I-׎nzij-ٶm{B P#ޭ@Z- X+-.%"$.g|&(0; #J).^M < V!6+. 
t;(ےn LYҮo&/"62F۶VB8nR/Jar2 8o#dM *Q=ԃ0LB/TIe?ԃ@$z!tHp)oM0 Sh<` H @!ALqIjYFDLU]@74 dl<f$-(0Y ؀ XK@4lxY!B*@, U1O+@D"l{+P@9Ԁq7 4p=—55—pCM #;)o&Ip7dBM eq3@7Є ,r20J*GY@C"4B!89DM@0d L0sDM|04ë)r2)^hA#h LL˼q77;% H, `6s>{?< r#r!2l=6sD08kI$lA#1&|B'5t6s)t#4YX$?rM̀6(qQ=/u u|YzdF A%\POS57[ua"[[8b: @h";&AI7Y ]h'C`aG{!]y)6OO5`c/aKvd#ve^b;OWugWu%ig6JC4k6W`VH_m7~mNvofp/w:)@tN#l;6s zn#OHETOjW7xwvOXGI6mzx_vlK7zSz7tuwwϷz׷y3vj~75j5gcif#|+o7v~;rC8|K8Sp[}ckJsy{8xux7Wx{qw33r߸mxr7{w9Z9~5vCy6wOyWv7 vy[x397d#NsP\ι#7*z!ﰏO܃99f_$I1nwyTÂ@ (S1ۂ ֧ W)l)?kwA,L7Wz]l&Iz#;Yv~B &0; K;k3s{ ЛĶjKmZWS8;;뷾z7|u]|@:p@M,8s4s2, >€ `{&tY* 1ĉ fY_B 6tbD)VxcF9vdHR_#GP*ũQ3k4*Th@s(g A%ɋ7 x,!<$ R2<M'r5( A  "4=|I ETj&-*(MhJ#IYJS M$(I}2v,iy6rO#8&fJo̙PKg>sà.(C0I%҉k%2x͑A$GSIyR༥8)rƳ|37w gQuo' )s,Oʳ!,E*8ĘQ(B/Q^r9A3 DU:IAbLwŏ!k $8R-TkHjorS]^aUUjP|WiTUwdOݪsG*\;vNӠs5k]5HⵢYJXՓݫ ;NUtfyٙth'OO.g ZԾ宗M,BZﯹ ldJUv>ko[\޲i5[Ѫ,c[] 斋EtUەXU-nok;^=oxϢ^K_.# ]j_,}Z OZ.*AM鮆Kѱ!*YSk"- a8P5ȱ?v|ɔE.`9[8"[c_:-Kp$9#v`3Ն %;PÑ)@R\gf2f1TeB6V.'T&Ήf4uda%@ `7xt"+hO/ٽ0G]x֊OZ$u.P0eU4 k_e7c Djv5|Ѐ[˘m5c"6gD(np$.2Fsnh;]&)d F\%[ȵan[4C6S :`W|uNY O}_?$_p&$$QW<ap^O˟WؗF?B}o B2@nH P$n"Xoh~ )h20Njj# =ꤎ$-DNcPgii)g!#nA$Bk0n!/HTH5BP$H!,.n ֘an ((ڎ P  U. Am)D _a2 ,2` C.nԀ0 ӐW'own d+Q, MvO@OvDH xQO(olo/)lOT,N ` qO Pdp[¤(!L!v/!0}I QuN(ϐ1pbɐ E.TUS^qL.ԠDHP.Pq,1&֎) !ܒ$%i 8 ^R#6#?)!$8P `2<0 f*&)@*F:1!2){P)"Jp!|-,N/2$Pӌv./"ar p! %//|r8)N-UrDc!: ~o!n/sR.5O U 񊩈!yt!??r2!(1!+߳(;T!N2K:/b&T6>*2)( %e:I> >6! 
E[C ℘C,nv4AS)!hZ".-Ԧ S#!ZLӔ-;PKqe#OOPKp@OEBPS/img/ovdpm015.gifn}GIF89a888ppp@@@<<>>ooottt&&&:::LLLhhh 444777qqq{{{OOOwww;;;״YYYsss+++zzz...rrr666vvv|||IIIllljjj!, H*\ȰÇ#JHŋ3j8 CIɓ(S\ɲ˗$A͛8sɳϟ@Qd(JУH*]ʴӧeիXjʵԩ!Kٳh~EڷpʝKZT˷_wKÈ[6ǐ#K.qɘ3k\CMSu[װ5ZZs{ N^μybHNO9ν{\7gĻZ^#˟O_3_#~&7!PUd va 6xx$#UȊO|(c}!h&*PLhqhhcA8:r= LXƦ5y+BC˜hn%y#p]ex&R6R:R(P٥y&^8ЖMH(#MP!V*jZ8Ƨ@\H >N⊚ DMjkV AUd(jlp.^^%+;-l/BKv׊-QFyk ˬ&-Qkkj ,oclpE+ 7lN5W&Opeʣ;1@ \242Rj*qmvsVld9{Α˳g.84-<8pt i._ ̍xuUz jJj(9mt> ?A SBq͈ N)kѺ hk*׿6z:N{iFLf'پVȴX_fֶUd/; w}n[fhD޷vAvo|[bM{*lwCn2!n/O\8’ǣr~_< _.Q-1:5^w]>r`|l~s<;yϥsgS"zs'Kw8sJSK)n %bБb'cagA~ug[w:S^kqY^w} ib׃rw?gG|W` #_x]HⷘD` cFOzjVUFl~jIv )qqˇ"(0`