From mperina at redhat.com Mon Oct 3 08:01:00 2016
From: Martin Perina
To: users at ovirt.org
Subject: Re: [ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting
Date: Mon, 03 Oct 2016 14:00:59 +0200
In-Reply-To: 8444871475478953@web17g.yandex.ru

Hi,

please take a look at inline comments:

On Mon, Oct 3, 2016 at 9:15 AM, wrote:

> Yes. Of course. Here are my configs.
>
> =====================================================================================
> # cat /etc/ovirt-engine/aaa/ovirt-sso.conf
>
> <LocationMatch ^(/ovirt-engine/(webadmin|userportal|api)|/api)>
>     RewriteEngine on
>     RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
>     RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
>     RequestHeader set X-Remote-User %{REMOTE_USER}s
>     AuthType Kerberos
>     AuthName "Kerberos Login"
>     Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab
>     KrbAuthRealms AD.HOLDING.COM
>     #KrbMethodNegotiate on
>     #KrbMethodK5Passwd on
>     KrbMethodK5Passwd off
>     Require valid-user
> </LocationMatch>

Ahh, this is the issue. The above configuration is valid for oVirt 3.x, but in 4.0 we have a quite new OAuth-based SSO, so you need to use the following configuration:

<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
  <If "req('Authorization') !~ /^(Bearer|Basic)/i">
    RewriteEngine on
    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
    RequestHeader set X-Remote-User %{REMOTE_USER}s
    AuthType Kerberos
    AuthName "Kerberos Login"
    Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab
    KrbAuthRealms AD.HOLDING.COM
    KrbMethodK5Passwd off
    Require valid-user
    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
  </If>
</LocationMatch>

Also, as 4.0 is working on EL7, you may use mod_auth_gssapi/mod_session instead of the quite old mod_auth_kerb. For mod_auth_gssapi/mod_session you need to do the following:

  1. yum install mod_session mod_auth_gssapi
  2. Use the following Apache configuration

<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
  <If "req('Authorization') !~ /^(Bearer|Basic)/i">
    RewriteEngine on
    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
    RequestHeader set X-Remote-User %{REMOTE_USER}s

    AuthType GSSAPI
    AuthName "Kerberos Login"

    # Modify to match installation
    GssapiCredStore keytab:/etc/httpd/s-oVirt-Krb.keytab
    GssapiUseSessions On
    Session On
    SessionCookieName ovirt_gssapi_session path=/private;httponly;secure;

    Require valid-user
    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
  </If>
</LocationMatch>

>
> # ls -la /etc/httpd/conf.d/ovirt-*
>
> -rw-r--r--. 1 root root 33 Jul 26 16:42 /etc/httpd/conf.d/ovirt-engine-root-redirect.conf
> lrwxrwxrwx. 1 root root 36 Sep 30 00:06 /etc/httpd/conf.d/ovirt-sso.conf -> /etc/ovirt-engine/aaa/ovirt-sso.conf
>
> =====================================================================================
> # cat /etc/ovirt-engine/aaa/ad.holding.com.properties
>
> include = <ad.properties>
> vars.domain = ad.holding.com
> pool.default.auth.simple.bindDN = s-oVirt-LS@${global:vars.domain}
> pool.default.auth.simple.password = Passw0rd
> pool.default.dc-resolve.enable = false
> search.default.dc-resolve.enable = false
> search.ad-resolve-upn.search-request.baseDN = DC=ad,DC=holding,DC=com
> pool.default.serverset.type = failover
> pool.default.serverset.failover.00.server = kom-dc01.${global:vars.domain}
> pool.default.serverset.failover.01.server = kom-dc02.${global:vars.domain}
> pool.default.serverset.failover.port = 636
> pool.default.serverset.failover.domain = ${global:vars.domain}
> pool.default.ssl.enable = true
> pool.default.ssl.protocol = TLSv1.2
> pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
> pool.default.ssl.truststore.password = changeit
>
> =====================================================================================
> # cat /etc/ovirt-engine/extensions.d/ad.holding.com-authz.properties
>
> ovirt.engine.extension.name = ad.holding.com-authz
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> config.profile.file.1 = ../aaa/ad.holding.com.properties
>
> =====================================================================================
> # cat /etc/ovirt-engine/extensions.d/ad.holding.com-http-authn.properties
>
> ovirt.engine.extension.name = ad.holding.com-http-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name = ad.holding.com-http
> ovirt.engine.aaa.authn.authz.plugin = ad.holding.com-authz
> ovirt.engine.aaa.authn.mapping.plugin = ad.holding.com-http-mapping
> config.artifact.name = HEADER
> config.artifact.arg = X-Remote-User
>
> =====================================================================================
> # cat /etc/ovirt-engine/extensions.d/ad.holding.com-http-mapping.properties
>
> ovirt.engine.extension.name = ad.holding.com-http-mapping
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
> config.mapAuthRecord.type = regex
> config.mapAuthRecord.regex.mustMatch = true
> config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
> config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}${realm}
>
>
> 03.10.2016, 09:56, "Martin Perina" :
>
> > Ahh, so Kerberos SSO works fine for API, but not for portals. Could you
> > please share your Apache configuration with oVirt Kerberos configuration?
> > Usually it's in /etc/ovirt-engine/aaa/ovirt-sso.conf
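
Added example (not part of the original message and not oVirt code): a Python check of which request paths each LocationMatch expression from this thread hands to the Kerberos block, including the 4.0 `<If>` guard on the Authorization header. The function names and sample requests are constructed for illustration, and Python's `re.search` is assumed to approximate Apache's matching.

```python
import re

# LocationMatch expressions from the two ovirt-sso.conf variants in this thread.
OLD_3X = r"^(/ovirt-engine/(webadmin|userportal|api)|/api)"
NEW_40 = (r"^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)"
          r"|^/ovirt-engine/api")

# The 4.0 block is wrapped in <If "req('Authorization') !~ /^(Bearer|Basic)/i">,
# so requests that already carry a Bearer or Basic credential skip Negotiate.
BEARER_OR_BASIC = re.compile(r"^(Bearer|Basic)", re.IGNORECASE)


def kerberos_applies(location_match, path, authorization="", if_guard=False):
    """True if Apache would apply the Kerberos/GSSAPI directives to this request.

    Assumption: re.search approximates LocationMatch (unanchored regex match on
    the URL path); a missing Authorization header is modelled as "".
    """
    if re.search(location_match, path) is None:
        return False
    if if_guard and BEARER_OR_BASIC.search(authorization):
        return False
    return True


# Constructed sample requests: (URL path, Authorization header value).
SAMPLES = [
    ("/ovirt-engine/webadmin/", ""),
    ("/ovirt-engine/userportal/", ""),
    ("/ovirt-engine/sso/interactive-login-negotiate", ""),
    ("/ovirt-engine/sso/oauth/token-http-auth", ""),
    ("/ovirt-engine/api", ""),
    ("/ovirt-engine/api", "Bearer constructed-token"),
    ("/ovirt-engine/api", "Negotiate constructed-blob"),
]


def coverage(samples=SAMPLES):
    """Return rows of (path, auth scheme, 3.x-style result, 4.0-style result)."""
    rows = []
    for path, auth in samples:
        scheme = auth.split(" ", 1)[0] if auth else "-"
        rows.append((
            path,
            scheme,
            kerberos_applies(OLD_3X, path, auth),
            kerberos_applies(NEW_40, path, auth, if_guard=True),
        ))
    return rows


if __name__ == "__main__":
    print(f"{'path':48} {'auth':10} {'3.x':6} {'4.0':6}")
    for path, scheme, old, new in coverage():
        print(f"{path:48} {scheme:10} {str(old):6} {str(new):6}")
```

In the resulting table the 3.x-style expression never covers the /ovirt-engine/sso/ endpoints, while the 4.0-style one covers only those endpoints and /ovirt-engine/api, and steps aside when a Bearer or Basic credential is already present.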