From e63b03f3d7e4851e008e4bb4d184982c2c0bd229 Mon Sep 17 00:00:00 2001
From: WuKong <rebirthmonkey@gmail.com>
Date: Tue, 24 May 2016 17:13:17 +0200
Subject: [PATCH] odl/aaa clone

Change-Id: I2b72c16aa3245e02d985a2c6189aacee7caad36e
Signed-off-by: WuKong <rebirthmonkey@gmail.com>
---
 odl-aaa-moon/README.md                             |   64 +
 odl-aaa-moon/aaa-authn-api/pom.xml                 |   38 +
 odl-aaa-moon/aaa-authn-api/src/main/docs/Makefile  |   29 +
 .../aaa-authn-api/src/main/docs/class_diagram.png  |  Bin 0 -> 30016 bytes
 .../aaa-authn-api/src/main/docs/class_diagram.ucls |  127 ++
 .../src/main/docs/credential_auth_sequence.png     |  Bin 0 -> 29197 bytes
 .../src/main/docs/credential_auth_sequence.wsd     |   18 +
 .../src/main/docs/federated_auth_sequence.png      |  Bin 0 -> 40566 bytes
 .../src/main/docs/federated_auth_sequence.wsd      |   24 +
 .../aaa-authn-api/src/main/docs/mapping.rst        | 1609 +++++++++++++++++++
 .../src/main/docs/resource_access_sequence.png     |  Bin 0 -> 38693 bytes
 .../src/main/docs/resource_access_sequence.wsd     |   25 +
 .../aaa-authn-api/src/main/docs/sssd_01.diag       |    6 +
 .../aaa-authn-api/src/main/docs/sssd_01.svg        |   32 +
 .../aaa-authn-api/src/main/docs/sssd_02.diag       |   18 +
 .../aaa-authn-api/src/main/docs/sssd_02.svg        |   79 +
 .../aaa-authn-api/src/main/docs/sssd_03.diag       |   31 +
 .../aaa-authn-api/src/main/docs/sssd_03.svg        |  143 ++
 .../aaa-authn-api/src/main/docs/sssd_04.diag       |   25 +
 .../aaa-authn-api/src/main/docs/sssd_04.svg        |  100 ++
 .../aaa-authn-api/src/main/docs/sssd_05.svg        |  613 +++++++
 .../src/main/docs/sssd_auth_sequence.png           |  Bin 0 -> 39322 bytes
 .../src/main/docs/sssd_auth_sequence.wsd           |   23 +
 .../src/main/docs/sssd_configuration.rst           | 1687 ++++++++++++++++++++
 .../org/opendaylight/aaa/api/Authentication.java   |   26 +
 .../aaa/api/AuthenticationException.java           |   31 +
 .../aaa/api/AuthenticationService.java             |   42 +
 .../main/java/org/opendaylight/aaa/api/Claim.java  |   56 +
 .../java/org/opendaylight/aaa/api/ClaimAuth.java   |   37 +
 .../org/opendaylight/aaa/api/ClientService.java    |   20 +
 .../org/opendaylight/aaa/api/CredentialAuth.java   |   28 +
 .../java/org/opendaylight/aaa/api/Credentials.java |   15 +
 .../opendaylight/aaa/api/IDMStoreException.java    |   24 +
 .../org/opendaylight/aaa/api/IDMStoreUtil.java     |   40 +
 .../java/org/opendaylight/aaa/api/IIDMStore.java   |   72 +
 .../java/org/opendaylight/aaa/api/IdMService.java  |   39 +
 .../opendaylight/aaa/api/PasswordCredentials.java  |   20 +
 .../org/opendaylight/aaa/api/SHA256Calculator.java |   83 +
 .../java/org/opendaylight/aaa/api/TokenAuth.java   |   37 +
 .../java/org/opendaylight/aaa/api/TokenStore.java  |   25 +
 .../java/org/opendaylight/aaa/api/model/Claim.java |   60 +
 .../org/opendaylight/aaa/api/model/Domain.java     |   86 +
 .../org/opendaylight/aaa/api/model/Domains.java    |   34 +
 .../java/org/opendaylight/aaa/api/model/Grant.java |   86 +
 .../org/opendaylight/aaa/api/model/Grants.java     |   35 +
 .../org/opendaylight/aaa/api/model/IDMError.java   |   61 +
 .../java/org/opendaylight/aaa/api/model/Role.java  |   86 +
 .../java/org/opendaylight/aaa/api/model/Roles.java |   34 +
 .../java/org/opendaylight/aaa/api/model/User.java  |  126 ++
 .../org/opendaylight/aaa/api/model/UserPwd.java    |   40 +
 .../java/org/opendaylight/aaa/api/model/Users.java |   34 +
 .../org/opendaylight/aaa/api/model/Version.java    |   49 +
 odl-aaa-moon/aaa-authn-basic/pom.xml               |   76 +
 .../java/org/opendaylight/aaa/basic/Activator.java |   31 +
 .../org/opendaylight/aaa/basic/HttpBasicAuth.java  |  129 ++
 .../opendaylight/aaa/basic/HttpBasicAuthTest.java  |  102 ++
 odl-aaa-moon/aaa-authn-federation/pom.xml          |  132 ++
 .../org/opendaylight/aaa/federation/Activator.java |   51 +
 .../aaa/federation/ClaimAuthFilter.java            |  249 +++
 .../aaa/federation/FederationConfiguration.java    |   95 ++
 .../aaa/federation/FederationEndpoint.java         |  149 ++
 .../aaa/federation/ServiceLocator.java             |   83 +
 .../opendaylight/aaa/federation/SssdFilter.java    |  151 ++
 .../OSGI-INF/metatype/metatype.properties          |   11 +
 .../main/resources/OSGI-INF/metatype/metatype.xml  |   19 +
 .../src/main/resources/WEB-INF/web.xml             |   34 +
 .../src/main/resources/federation.cfg              |    3 +
 .../aaa/federation/FederationEndpointTest.java     |  121 ++
 odl-aaa-moon/aaa-authn-keystone/pom.xml            |  106 ++
 .../org/opendaylight/aaa/keystone/Activator.java   |   34 +
 .../aaa/keystone/KeystoneTokenAuth.java            |   39 +
 .../aaa-authn-mdsal-api/pom.xml                    |   99 ++
 .../src/main/yang/aaa-authn-model.yang             |  154 ++
 .../aaa-authn-mdsal-config/pom.xml                 |   40 +
 .../src/main/resources/initial/08-authn-config.xml |   43 +
 .../aaa-authn-mdsal-store-impl/pom.xml             |  169 ++
 .../aaa/authn/mdsal/store/AuthNStore.java          |  263 +++
 .../aaa/authn/mdsal/store/DataEncrypter.java       |  101 ++
 .../aaa/authn/mdsal/store/IDMMDSALStore.java       |  483 ++++++
 .../aaa/authn/mdsal/store/IDMObject2MDSAL.java     |  224 +++
 .../aaa/authn/mdsal/store/IDMStore.java            |  182 +++
 .../aaa/authn/mdsal/store/util/AuthNStoreUtil.java |  140 ++
 .../mdsal/store/rev141031/AuthNStoreModule.java    |   90 ++
 .../store/rev141031/AuthNStoreModuleFactory.java   |   46 +
 .../src/main/yang/aaa-authn-mdsal-store-cfg.yang   |   77 +
 .../authn/mdsal/store/DataBrokerReadMocker.java    |  112 ++
 .../aaa/authn/mdsal/store/DataEncrypterTest.java   |   38 +
 .../aaa/authn/mdsal/store/IDMStoreTest.java        |  175 ++
 .../aaa/authn/mdsal/store/IDMStoreTestUtil.java    |  181 +++
 .../aaa/authn/mdsal/store/MDSALConvertTest.java    |   78 +
 .../authn/mdsal/store/util/AuthNStoreUtilTest.java |   88 +
 odl-aaa-moon/aaa-authn-mdsal-store/pom.xml         |   22 +
 odl-aaa-moon/aaa-authn-sssd/pom.xml                |   88 +
 .../java/org/opendaylight/aaa/sssd/Activator.java  |   28 +
 .../org/opendaylight/aaa/sssd/SssdClaimAuth.java   |  220 +++
 odl-aaa-moon/aaa-authn-store/pom.xml               |  100 ++
 .../java/org/opendaylight/aaa/store/Activator.java |   45 +
 .../opendaylight/aaa/store/DefaultTokenStore.java  |  154 ++
 .../OSGI-INF/metatype/metatype.properties          |   14 +
 .../main/resources/OSGI-INF/metatype/metatype.xml  |   22 +
 .../aaa-authn-store/src/main/resources/tokens.cfg  |    4 +
 .../aaa/store/DefaultTokenStoreTest.java           |   66 +
 odl-aaa-moon/aaa-authn-sts/pom.xml                 |  112 ++
 .../java/org/opendaylight/aaa/sts/Activator.java   |  207 +++
 .../aaa/sts/AnonymousPasswordValidator.java        |   30 +
 .../aaa/sts/AnonymousRefreshTokenValidator.java    |   29 +
 .../org/opendaylight/aaa/sts/OAuthRequest.java     |   42 +
 .../org/opendaylight/aaa/sts/ServiceLocator.java   |  141 ++
 .../org/opendaylight/aaa/sts/TokenAuthFilter.java  |  148 ++
 .../org/opendaylight/aaa/sts/TokenEndpoint.java    |  242 +++
 .../src/main/resources/WEB-INF/web.xml             |   23 +
 .../java/org/opendaylight/aaa/sts/RestFixture.java |   34 +
 .../org/opendaylight/aaa/sts/TokenAuthTest.java    |   94 ++
 .../opendaylight/aaa/sts/TokenEndpointTest.java    |  164 ++
 odl-aaa-moon/aaa-authn/pom.xml                     |  103 ++
 .../main/java/org/opendaylight/aaa/Activator.java  |   51 +
 .../opendaylight/aaa/AuthenticationBuilder.java    |  122 ++
 .../opendaylight/aaa/AuthenticationManager.java    |   77 +
 .../java/org/opendaylight/aaa/ClaimBuilder.java    |  160 ++
 .../java/org/opendaylight/aaa/ClientManager.java   |   88 +
 .../main/java/org/opendaylight/aaa/EqualUtil.java  |   42 +
 .../java/org/opendaylight/aaa/HashCodeUtil.java    |  104 ++
 .../aaa/PasswordCredentialBuilder.java             |   87 +
 .../org/opendaylight/aaa/SecureBlockingQueue.java  |  258 +++
 .../OSGI-INF/metatype/metatype.properties          |   12 +
 .../main/resources/OSGI-INF/metatype/metatype.xml  |   16 +
 .../aaa-authn/src/main/resources/authn.cfg         |    2 +
 .../aaa/AuthenticationBuilderTest.java             |  129 ++
 .../aaa/AuthenticationManagerTest.java             |  133 ++
 .../org/opendaylight/aaa/ClaimBuilderTest.java     |  208 +++
 .../org/opendaylight/aaa/ClientManagerTest.java    |   70 +
 .../opendaylight/aaa/PasswordCredentialTest.java   |   39 +
 .../opendaylight/aaa/SecureBlockingQueueTest.java  |  191 +++
 odl-aaa-moon/aaa-authz/aaa-authz-config/pom.xml    |   43 +
 .../src/main/resources/initial/08-authz-config.xml |   60 +
 odl-aaa-moon/aaa-authz/aaa-authz-model/pom.xml     |   95 ++
 .../src/main/yang/authorization-schema.yang        |  190 +++
 .../aaa-authz/aaa-authz-restconf-config/pom.xml    |   43 +
 .../main/resources/initial/09-rest-connector.xml   |   42 +
 odl-aaa-moon/aaa-authz/aaa-authz-service/pom.xml   |  152 ++
 .../aaa/authz/srv/AuthzBrokerImpl.java             |  150 ++
 .../aaa/authz/srv/AuthzConsumerContextImpl.java    |   46 +
 .../authz/srv/AuthzDataReadWriteTransaction.java   |  129 ++
 .../aaa/authz/srv/AuthzDomDataBroker.java          |  100 ++
 .../aaa/authz/srv/AuthzProviderContextImpl.java    |   47 +
 .../aaa/authz/srv/AuthzReadOnlyTransaction.java    |   69 +
 .../aaa/authz/srv/AuthzServiceImpl.java            |  121 ++
 .../aaa/authz/srv/AuthzWriteOnlyTransaction.java   |  103 ++
 .../yang/config/aaa_authz/srv/AuthzSrvModule.java  |   76 +
 .../aaa_authz/srv/AuthzSrvModuleFactory.java       |   53 +
 .../src/main/yang/aaa-authz-service-impl.yang      |  115 ++
 .../authz/srv/AuthzConsumerContextImplTest.java    |   46 +
 odl-aaa-moon/aaa-authz/pom.xml                     |   23 +
 odl-aaa-moon/aaa-credential-store-api/pom.xml      |   22 +
 .../src/main/yang/credential-model.yang            |   47 +
 odl-aaa-moon/aaa-h2-store/.gitignore               |    2 +
 odl-aaa-moon/aaa-h2-store/pom.xml                  |  160 ++
 .../opendaylight/aaa/h2/config/IdmLightConfig.java |  133 ++
 .../aaa/h2/persistence/AbstractStore.java          |  187 +++
 .../aaa/h2/persistence/DomainStore.java            |  166 ++
 .../aaa/h2/persistence/GrantStore.java             |  158 ++
 .../opendaylight/aaa/h2/persistence/H2Store.java   |  316 ++++
 .../opendaylight/aaa/h2/persistence/RoleStore.java |  151 ++
 .../aaa/h2/persistence/StoreException.java         |   29 +
 .../opendaylight/aaa/h2/persistence/UserStore.java |  202 +++
 .../authn/h2/store/rev151128/AAAH2StoreModule.java |   49 +
 .../store/rev151128/AAAH2StoreModuleFactory.java   |   29 +
 .../resources/initial/08-aaa-h2-store-config.xml   |   26 +
 .../aaa-h2-store/src/main/yang/aaa-h2-store.yang   |   28 +
 .../aaa/h2/persistence/DomainStoreTest.java        |   76 +
 .../aaa/h2/persistence/GrantStoreTest.java         |   76 +
 .../aaa/h2/persistence/H2StoreTest.java            |  187 +++
 .../aaa/h2/persistence/RoleStoreTest.java          |   76 +
 .../aaa/h2/persistence/UserStoreTest.java          |   79 +
 odl-aaa-moon/aaa-idmlight/pom.xml                  |  229 +++
 .../opendaylight/aaa/idm/IdmLightApplication.java  |   57 +
 .../org/opendaylight/aaa/idm/IdmLightProxy.java    |  208 +++
 .../org/opendaylight/aaa/idm/StoreBuilder.java     |  118 ++
 .../opendaylight/aaa/idm/rest/DomainHandler.java   |  591 +++++++
 .../org/opendaylight/aaa/idm/rest/RoleHandler.java |  228 +++
 .../org/opendaylight/aaa/idm/rest/UserHandler.java |  419 +++++
 .../opendaylight/aaa/idm/rest/VersionHandler.java  |   46 +
 .../idmlight/rev151204/AAAIDMLightModule.java      |   90 ++
 .../rev151204/AAAIDMLightModuleFactory.java        |   29 +
 .../src/main/resources/WEB-INF/web.xml             |   79 +
 .../aaa-idmlight/src/main/resources/idmtool.py     |  247 +++
 .../resources/initial/08-aaa-idmlight-config.xml   |   26 +
 .../aaa-idmlight/src/main/yang/aaa-idmlight.yang   |   28 +
 .../aaa/idm/persistence/PasswordHashTest.java      |   93 ++
 odl-aaa-moon/aaa-idmlight/tests/cleardb.sh         |    5 +
 odl-aaa-moon/aaa-idmlight/tests/domain.json        |    5 +
 odl-aaa-moon/aaa-idmlight/tests/domain2.json       |    5 +
 odl-aaa-moon/aaa-idmlight/tests/grant.json         |    4 +
 odl-aaa-moon/aaa-idmlight/tests/grant2.json        |    4 +
 odl-aaa-moon/aaa-idmlight/tests/result.json        |    1 +
 odl-aaa-moon/aaa-idmlight/tests/role-admin.json    |    4 +
 odl-aaa-moon/aaa-idmlight/tests/role-user.json     |    4 +
 odl-aaa-moon/aaa-idmlight/tests/test.sh            |  308 ++++
 odl-aaa-moon/aaa-idmlight/tests/user.json          |    7 +
 odl-aaa-moon/aaa-idmlight/tests/user2.json         |    7 +
 odl-aaa-moon/aaa-idmlight/tests/userpwd.json       |    4 +
 odl-aaa-moon/aaa-idp-mapping/pom.xml               |   84 +
 .../org/opendaylight/aaa/idpmapping/Activator.java |   25 +
 .../org/opendaylight/aaa/idpmapping/IdpJson.java   |  248 +++
 .../aaa/idpmapping/InvalidRuleException.java       |   35 +
 .../aaa/idpmapping/InvalidTypeException.java       |   35 +
 .../aaa/idpmapping/InvalidValueException.java      |   35 +
 .../opendaylight/aaa/idpmapping/RuleProcessor.java | 1368 ++++++++++++++++
 .../aaa/idpmapping/StatementErrorException.java    |   35 +
 .../org/opendaylight/aaa/idpmapping/Token.java     |  401 +++++
 .../aaa/idpmapping/UndefinedValueException.java    |   34 +
 .../aaa/idpmapping/RuleProcessorTest.java          |  130 ++
 .../org/opendaylight/aaa/idpmapping/TokenTest.java |   66 +
 odl-aaa-moon/aaa-shiro-act/pom.xml                 |   84 +
 .../org/opendaylight/aaa/shiroact/Activator.java   |   51 +
 .../opendaylight/aaa/shiroact/ActivatorTest.java   |   25 +
 odl-aaa-moon/aaa-shiro/pom.xml                     |  156 ++
 .../java/org/opendaylight/aaa/shiro/Activator.java |   45 +
 .../org/opendaylight/aaa/shiro/ServiceProxy.java   |   94 ++
 .../aaa/shiro/accounting/Accounter.java            |   38 +
 .../aaa/shiro/authorization/DefaultRBACRules.java  |   78 +
 .../aaa/shiro/authorization/RBACRule.java          |  170 ++
 .../opendaylight/aaa/shiro/filters/AAAFilter.java  |   72 +
 .../aaa/shiro/filters/MoonOAuthFilter.java         |  187 +++
 .../shiro/filters/ODLHttpAuthenticationFilter.java |   78 +
 .../opendaylight/aaa/shiro/moon/MoonPrincipal.java |  155 ++
 .../aaa/shiro/moon/MoonTokenEndpoint.java          |   30 +
 .../aaa-shiro/src/main/resources/WEB-INF/web.xml   |   48 +
 .../aaa-shiro/src/main/resources/shiro.ini         |   95 ++
 .../opendaylight/aaa/shiro/ServiceProxyTest.java   |   45 +
 .../shiro/authorization/DefaultRBACRulesTest.java  |   43 +
 .../aaa/shiro/authorization/RBACRuleTest.java      |  106 ++
 .../aaa/shiro/realm/ODLJndiLdapRealmTest.java      |  246 +++
 .../aaa/shiro/realm/TokenAuthRealmTest.java        |  139 ++
 .../shiro/web/env/KarafIniWebEnvironmentTest.java  |   76 +
 odl-aaa-moon/artifacts/pom.xml                     |  231 +++
 odl-aaa-moon/commons/docs/AuthNusecases.vsd        |  Bin 0 -> 206336 bytes
 odl-aaa-moon/commons/docs/direct_authn.png         |  Bin 0 -> 22058 bytes
 odl-aaa-moon/commons/docs/federated_authn1.png     |  Bin 0 -> 36542 bytes
 odl-aaa-moon/commons/docs/federated_authn2.png     |  Bin 0 -> 35203 bytes
 odl-aaa-moon/commons/federation/README             |  271 ++++
 .../federation/idp_mapping_rules.json.example      |   30 +
 odl-aaa-moon/commons/federation/jetty.xml.example  |   85 +
 .../commons/federation/my_app.conf.example         |   31 +
 .../AAA_AuthZ_MDSAL.json.postman_collection        |   77 +
 odl-aaa-moon/distribution-karaf/pom.xml            |  274 ++++
 odl-aaa-moon/features/api/pom.xml                  |   91 ++
 .../features/api/src/main/features/features.xml    |   21 +
 odl-aaa-moon/features/authn/pom.xml                |  304 ++++
 .../features/authn/src/main/features/features.xml  |  247 +++
 odl-aaa-moon/features/authz/pom.xml                |  101 ++
 .../features/authz/src/main/features/features.xml  |   31 +
 odl-aaa-moon/features/pom.xml                      |   19 +
 odl-aaa-moon/features/shiro/pom.xml                |  179 +++
 .../features/shiro/src/main/features/features.xml  |   41 +
 odl-aaa-moon/parent/pom.xml                        |  278 ++++
 odl-aaa-moon/pom.xml                               |   50 +
 257 files changed, 28002 insertions(+)
 create mode 100644 odl-aaa-moon/README.md
 create mode 100644 odl-aaa-moon/aaa-authn-api/pom.xml
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/docs/Makefile
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/docs/class_diagram.png
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/docs/class_diagram.ucls
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/docs/credential_auth_sequence.png
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/docs/credential_auth_sequence.wsd
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/docs/federated_auth_sequence.png
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/docs/federated_auth_sequence.wsd
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/docs/mapping.rst
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/docs/resource_access_sequence.png
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/docs/resource_access_sequence.wsd
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_01.diag
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_01.svg
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_02.diag
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_02.svg
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_03.diag
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_03.svg
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_04.diag
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_04.svg
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_05.svg
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_auth_sequence.png
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_auth_sequence.wsd
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_configuration.rst
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/Authentication.java
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/AuthenticationException.java
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/AuthenticationService.java
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/Claim.java
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/ClaimAuth.java
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/ClientService.java
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/CredentialAuth.java
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/Credentials.java
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/IDMStoreException.java
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/IDMStoreUtil.java
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/IIDMStore.java
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/IdMService.java
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/PasswordCredentials.java
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/SHA256Calculator.java
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/TokenAuth.java
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/TokenStore.java
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Claim.java
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Domain.java
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Domains.java
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Grant.java
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Grants.java
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/IDMError.java
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Role.java
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Roles.java
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/User.java
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/UserPwd.java
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Users.java
 create mode 100644 odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Version.java
 create mode 100644 odl-aaa-moon/aaa-authn-basic/pom.xml
 create mode 100644 odl-aaa-moon/aaa-authn-basic/src/main/java/org/opendaylight/aaa/basic/Activator.java
 create mode 100644 odl-aaa-moon/aaa-authn-basic/src/main/java/org/opendaylight/aaa/basic/HttpBasicAuth.java
 create mode 100644 odl-aaa-moon/aaa-authn-basic/src/test/java/org/opendaylight/aaa/basic/HttpBasicAuthTest.java
 create mode 100644 odl-aaa-moon/aaa-authn-federation/pom.xml
 create mode 100644 odl-aaa-moon/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/Activator.java
 create mode 100644 odl-aaa-moon/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/ClaimAuthFilter.java
 create mode 100644 odl-aaa-moon/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/FederationConfiguration.java
 create mode 100644 odl-aaa-moon/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/FederationEndpoint.java
 create mode 100644 odl-aaa-moon/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/ServiceLocator.java
 create mode 100644 odl-aaa-moon/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/SssdFilter.java
 create mode 100644 odl-aaa-moon/aaa-authn-federation/src/main/resources/OSGI-INF/metatype/metatype.properties
 create mode 100644 odl-aaa-moon/aaa-authn-federation/src/main/resources/OSGI-INF/metatype/metatype.xml
 create mode 100644 odl-aaa-moon/aaa-authn-federation/src/main/resources/WEB-INF/web.xml
 create mode 100644 odl-aaa-moon/aaa-authn-federation/src/main/resources/federation.cfg
 create mode 100644 odl-aaa-moon/aaa-authn-federation/src/test/java/org/opendaylight/aaa/federation/FederationEndpointTest.java
 create mode 100644 odl-aaa-moon/aaa-authn-keystone/pom.xml
 create mode 100644 odl-aaa-moon/aaa-authn-keystone/src/main/java/org/opendaylight/aaa/keystone/Activator.java
 create mode 100644 odl-aaa-moon/aaa-authn-keystone/src/main/java/org/opendaylight/aaa/keystone/KeystoneTokenAuth.java
 create mode 100644 odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-api/pom.xml
 create mode 100644 odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-api/src/main/yang/aaa-authn-model.yang
 create mode 100644 odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-config/pom.xml
 create mode 100644 odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-config/src/main/resources/initial/08-authn-config.xml
 create mode 100644 odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/pom.xml
 create mode 100644 odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/AuthNStore.java
 create mode 100644 odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/DataEncrypter.java
 create mode 100644 odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/IDMMDSALStore.java
 create mode 100644 odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/IDMObject2MDSAL.java
 create mode 100644 odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/IDMStore.java
 create mode 100644 odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/util/AuthNStoreUtil.java
 create mode 100644 odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/mdsal/store/rev141031/AuthNStoreModule.java
 create mode 100644 odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/mdsal/store/rev141031/AuthNStoreModuleFactory.java
 create mode 100644 odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/yang/aaa-authn-mdsal-store-cfg.yang
 create mode 100644 odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/DataBrokerReadMocker.java
 create mode 100644 odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/DataEncrypterTest.java
 create mode 100644 odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/IDMStoreTest.java
 create mode 100644 odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/IDMStoreTestUtil.java
 create mode 100644 odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/MDSALConvertTest.java
 create mode 100644 odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/util/AuthNStoreUtilTest.java
 create mode 100644 odl-aaa-moon/aaa-authn-mdsal-store/pom.xml
 create mode 100644 odl-aaa-moon/aaa-authn-sssd/pom.xml
 create mode 100644 odl-aaa-moon/aaa-authn-sssd/src/main/java/org/opendaylight/aaa/sssd/Activator.java
 create mode 100644 odl-aaa-moon/aaa-authn-sssd/src/main/java/org/opendaylight/aaa/sssd/SssdClaimAuth.java
 create mode 100644 odl-aaa-moon/aaa-authn-store/pom.xml
 create mode 100644 odl-aaa-moon/aaa-authn-store/src/main/java/org/opendaylight/aaa/store/Activator.java
 create mode 100644 odl-aaa-moon/aaa-authn-store/src/main/java/org/opendaylight/aaa/store/DefaultTokenStore.java
 create mode 100644 odl-aaa-moon/aaa-authn-store/src/main/resources/OSGI-INF/metatype/metatype.properties
 create mode 100644 odl-aaa-moon/aaa-authn-store/src/main/resources/OSGI-INF/metatype/metatype.xml
 create mode 100644 odl-aaa-moon/aaa-authn-store/src/main/resources/tokens.cfg
 create mode 100644 odl-aaa-moon/aaa-authn-store/src/test/java/org/opendaylight/aaa/store/DefaultTokenStoreTest.java
 create mode 100644 odl-aaa-moon/aaa-authn-sts/pom.xml
 create mode 100644 odl-aaa-moon/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/Activator.java
 create mode 100644 odl-aaa-moon/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/AnonymousPasswordValidator.java
 create mode 100644 odl-aaa-moon/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/AnonymousRefreshTokenValidator.java
 create mode 100644 odl-aaa-moon/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/OAuthRequest.java
 create mode 100644 odl-aaa-moon/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/ServiceLocator.java
 create mode 100644 odl-aaa-moon/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/TokenAuthFilter.java
 create mode 100644 odl-aaa-moon/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/TokenEndpoint.java
 create mode 100644 odl-aaa-moon/aaa-authn-sts/src/main/resources/WEB-INF/web.xml
 create mode 100644 odl-aaa-moon/aaa-authn-sts/src/test/java/org/opendaylight/aaa/sts/RestFixture.java
 create mode 100644 odl-aaa-moon/aaa-authn-sts/src/test/java/org/opendaylight/aaa/sts/TokenAuthTest.java
 create mode 100644 odl-aaa-moon/aaa-authn-sts/src/test/java/org/opendaylight/aaa/sts/TokenEndpointTest.java
 create mode 100644 odl-aaa-moon/aaa-authn/pom.xml
 create mode 100644 odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/Activator.java
 create mode 100644 odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/AuthenticationBuilder.java
 create mode 100644 odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/AuthenticationManager.java
 create mode 100644 odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/ClaimBuilder.java
 create mode 100644 odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/ClientManager.java
 create mode 100644 odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/EqualUtil.java
 create mode 100644 odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/HashCodeUtil.java
 create mode 100644 odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/PasswordCredentialBuilder.java
 create mode 100644 odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/SecureBlockingQueue.java
 create mode 100644 odl-aaa-moon/aaa-authn/src/main/resources/OSGI-INF/metatype/metatype.properties
 create mode 100644 odl-aaa-moon/aaa-authn/src/main/resources/OSGI-INF/metatype/metatype.xml
 create mode 100644 odl-aaa-moon/aaa-authn/src/main/resources/authn.cfg
 create mode 100644 odl-aaa-moon/aaa-authn/src/test/java/org/opendaylight/aaa/AuthenticationBuilderTest.java
 create mode 100644 odl-aaa-moon/aaa-authn/src/test/java/org/opendaylight/aaa/AuthenticationManagerTest.java
 create mode 100644 odl-aaa-moon/aaa-authn/src/test/java/org/opendaylight/aaa/ClaimBuilderTest.java
 create mode 100644 odl-aaa-moon/aaa-authn/src/test/java/org/opendaylight/aaa/ClientManagerTest.java
 create mode 100644 odl-aaa-moon/aaa-authn/src/test/java/org/opendaylight/aaa/PasswordCredentialTest.java
 create mode 100644 odl-aaa-moon/aaa-authn/src/test/java/org/opendaylight/aaa/SecureBlockingQueueTest.java
 create mode 100644 odl-aaa-moon/aaa-authz/aaa-authz-config/pom.xml
 create mode 100644 odl-aaa-moon/aaa-authz/aaa-authz-config/src/main/resources/initial/08-authz-config.xml
 create mode 100644 odl-aaa-moon/aaa-authz/aaa-authz-model/pom.xml
 create mode 100644 odl-aaa-moon/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang
 create mode 100644 odl-aaa-moon/aaa-authz/aaa-authz-restconf-config/pom.xml
 create mode 100644 odl-aaa-moon/aaa-authz/aaa-authz-restconf-config/src/main/resources/initial/09-rest-connector.xml
 create mode 100644 odl-aaa-moon/aaa-authz/aaa-authz-service/pom.xml
 create mode 100644 odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzBrokerImpl.java
 create mode 100644 odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzConsumerContextImpl.java
 create mode 100644 odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDataReadWriteTransaction.java
 create mode 100644 odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDomDataBroker.java
 create mode 100644 odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzProviderContextImpl.java
 create mode 100644 odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzReadOnlyTransaction.java
 create mode 100644 odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzServiceImpl.java
 create mode 100644 odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzWriteOnlyTransaction.java
 create mode 100644 odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/controller/config/yang/config/aaa_authz/srv/AuthzSrvModule.java
 create mode 100644 odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/controller/config/yang/config/aaa_authz/srv/AuthzSrvModuleFactory.java
 create mode 100644 odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/yang/aaa-authz-service-impl.yang
 create mode 100644 odl-aaa-moon/aaa-authz/aaa-authz-service/src/test/java/org/opendaylight/aaa/authz/srv/AuthzConsumerContextImplTest.java
 create mode 100644 odl-aaa-moon/aaa-authz/pom.xml
 create mode 100644 odl-aaa-moon/aaa-credential-store-api/pom.xml
 create mode 100644 odl-aaa-moon/aaa-credential-store-api/src/main/yang/credential-model.yang
 create mode 100644 odl-aaa-moon/aaa-h2-store/.gitignore
 create mode 100644 odl-aaa-moon/aaa-h2-store/pom.xml
 create mode 100644 odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/config/IdmLightConfig.java
 create mode 100644 odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/AbstractStore.java
 create mode 100644 odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/DomainStore.java
 create mode 100644 odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/GrantStore.java
 create mode 100644 odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/H2Store.java
 create mode 100644 odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/RoleStore.java
 create mode 100644 odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/StoreException.java
 create mode 100644 odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/UserStore.java
 create mode 100644 odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/h2/store/rev151128/AAAH2StoreModule.java
 create mode 100644 odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/h2/store/rev151128/AAAH2StoreModuleFactory.java
 create mode 100644 odl-aaa-moon/aaa-h2-store/src/main/resources/initial/08-aaa-h2-store-config.xml
 create mode 100644 odl-aaa-moon/aaa-h2-store/src/main/yang/aaa-h2-store.yang
 create mode 100644 odl-aaa-moon/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/DomainStoreTest.java
 create mode 100644 odl-aaa-moon/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/GrantStoreTest.java
 create mode 100644 odl-aaa-moon/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/H2StoreTest.java
 create mode 100644 odl-aaa-moon/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/RoleStoreTest.java
 create mode 100644 odl-aaa-moon/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/UserStoreTest.java
 create mode 100644 odl-aaa-moon/aaa-idmlight/pom.xml
 create mode 100644 odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/IdmLightApplication.java
 create mode 100644 odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/IdmLightProxy.java
 create mode 100644 odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/StoreBuilder.java
 create mode 100644 odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/DomainHandler.java
 create mode 100644 odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/RoleHandler.java
 create mode 100644 odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/UserHandler.java
 create mode 100644 odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/VersionHandler.java
 create mode 100644 odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/idmlight/rev151204/AAAIDMLightModule.java
 create mode 100644 odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/idmlight/rev151204/AAAIDMLightModuleFactory.java
 create mode 100644 odl-aaa-moon/aaa-idmlight/src/main/resources/WEB-INF/web.xml
 create mode 100644 odl-aaa-moon/aaa-idmlight/src/main/resources/idmtool.py
 create mode 100644 odl-aaa-moon/aaa-idmlight/src/main/resources/initial/08-aaa-idmlight-config.xml
 create mode 100644 odl-aaa-moon/aaa-idmlight/src/main/yang/aaa-idmlight.yang
 create mode 100644 odl-aaa-moon/aaa-idmlight/src/test/java/org/opendaylight/aaa/idm/persistence/PasswordHashTest.java
 create mode 100644 odl-aaa-moon/aaa-idmlight/tests/cleardb.sh
 create mode 100644 odl-aaa-moon/aaa-idmlight/tests/domain.json
 create mode 100644 odl-aaa-moon/aaa-idmlight/tests/domain2.json
 create mode 100644 odl-aaa-moon/aaa-idmlight/tests/grant.json
 create mode 100644 odl-aaa-moon/aaa-idmlight/tests/grant2.json
 create mode 100644 odl-aaa-moon/aaa-idmlight/tests/result.json
 create mode 100644 odl-aaa-moon/aaa-idmlight/tests/role-admin.json
 create mode 100644 odl-aaa-moon/aaa-idmlight/tests/role-user.json
 create mode 100644 odl-aaa-moon/aaa-idmlight/tests/test.sh
 create mode 100644 odl-aaa-moon/aaa-idmlight/tests/user.json
 create mode 100644 odl-aaa-moon/aaa-idmlight/tests/user2.json
 create mode 100644 odl-aaa-moon/aaa-idmlight/tests/userpwd.json
 create mode 100644 odl-aaa-moon/aaa-idp-mapping/pom.xml
 create mode 100644 odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/Activator.java
 create mode 100644 odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/IdpJson.java
 create mode 100644 odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/InvalidRuleException.java
 create mode 100644 odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/InvalidTypeException.java
 create mode 100644 odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/InvalidValueException.java
 create mode 100644 odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/RuleProcessor.java
 create mode 100644 odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/StatementErrorException.java
 create mode 100644 odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/Token.java
 create mode 100644 odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/UndefinedValueException.java
 create mode 100644 odl-aaa-moon/aaa-idp-mapping/src/test/java/org/opendaylight/aaa/idpmapping/RuleProcessorTest.java
 create mode 100644 odl-aaa-moon/aaa-idp-mapping/src/test/java/org/opendaylight/aaa/idpmapping/TokenTest.java
 create mode 100644 odl-aaa-moon/aaa-shiro-act/pom.xml
 create mode 100644 odl-aaa-moon/aaa-shiro-act/src/main/java/org/opendaylight/aaa/shiroact/Activator.java
 create mode 100644 odl-aaa-moon/aaa-shiro-act/src/test/java/org/opendaylight/aaa/shiroact/ActivatorTest.java
 create mode 100644 odl-aaa-moon/aaa-shiro/pom.xml
 create mode 100644 odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/Activator.java
 create mode 100644 odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/ServiceProxy.java
 create mode 100644 odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/accounting/Accounter.java
 create mode 100644 odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/authorization/DefaultRBACRules.java
 create mode 100644 odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/authorization/RBACRule.java
 create mode 100644 odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/AAAFilter.java
 create mode 100644 odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/MoonOAuthFilter.java
 create mode 100644 odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/ODLHttpAuthenticationFilter.java
 create mode 100644 odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/moon/MoonPrincipal.java
 create mode 100644 odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/moon/MoonTokenEndpoint.java
 create mode 100644 odl-aaa-moon/aaa-shiro/src/main/resources/WEB-INF/web.xml
 create mode 100644 odl-aaa-moon/aaa-shiro/src/main/resources/shiro.ini
 create mode 100644 odl-aaa-moon/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/ServiceProxyTest.java
 create mode 100644 odl-aaa-moon/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/authorization/DefaultRBACRulesTest.java
 create mode 100644 odl-aaa-moon/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/authorization/RBACRuleTest.java
 create mode 100644 odl-aaa-moon/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/realm/ODLJndiLdapRealmTest.java
 create mode 100644 odl-aaa-moon/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/realm/TokenAuthRealmTest.java
 create mode 100644 odl-aaa-moon/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/web/env/KarafIniWebEnvironmentTest.java
 create mode 100644 odl-aaa-moon/artifacts/pom.xml
 create mode 100644 odl-aaa-moon/commons/docs/AuthNusecases.vsd
 create mode 100644 odl-aaa-moon/commons/docs/direct_authn.png
 create mode 100644 odl-aaa-moon/commons/docs/federated_authn1.png
 create mode 100644 odl-aaa-moon/commons/docs/federated_authn2.png
 create mode 100644 odl-aaa-moon/commons/federation/README
 create mode 100644 odl-aaa-moon/commons/federation/idp_mapping_rules.json.example
 create mode 100644 odl-aaa-moon/commons/federation/jetty.xml.example
 create mode 100644 odl-aaa-moon/commons/federation/my_app.conf.example
 create mode 100644 odl-aaa-moon/commons/postman_examples/AAA_AuthZ_MDSAL.json.postman_collection
 create mode 100644 odl-aaa-moon/distribution-karaf/pom.xml
 create mode 100644 odl-aaa-moon/features/api/pom.xml
 create mode 100644 odl-aaa-moon/features/api/src/main/features/features.xml
 create mode 100644 odl-aaa-moon/features/authn/pom.xml
 create mode 100644 odl-aaa-moon/features/authn/src/main/features/features.xml
 create mode 100644 odl-aaa-moon/features/authz/pom.xml
 create mode 100644 odl-aaa-moon/features/authz/src/main/features/features.xml
 create mode 100644 odl-aaa-moon/features/pom.xml
 create mode 100644 odl-aaa-moon/features/shiro/pom.xml
 create mode 100644 odl-aaa-moon/features/shiro/src/main/features/features.xml
 create mode 100644 odl-aaa-moon/parent/pom.xml
 create mode 100644 odl-aaa-moon/pom.xml

diff --git a/odl-aaa-moon/README.md b/odl-aaa-moon/README.md
new file mode 100644
index 00000000..71f52a63
--- /dev/null
+++ b/odl-aaa-moon/README.md
@@ -0,0 +1,64 @@
+## Welcome to the OPNFV/Opendaylight AAA Project!
+
+This project is aimed at providing a flexible, pluggable framework with out-of-the-box capabilities for:
+
+* *Authentication*:  Means to authenticate the identity of both human and machine users (direct or federated).
+* *Authorization*:  Means to authorize human or machine user access to resources including RPCs, notification subscriptions, and subsets of the datatree.
+* *Accounting*:  Means to record and access the records of human or machine user access to resources including RPCs, notifications, and subsets of the datatree
+
+
+
+### Building
+
+*Prerequisite:*  The followings are required for building AAA:
+
+- Maven 3
+- Java 7
+
+Get the code:
+
+    clone the project with git
+
+Build it:
+
+    cd aaa && mvn clean install -DskipTests
+
+### Export Moon information
+
+export MOON_SERVER_ADDR=192.168.105.135
+export MOON_SERVER_PORT=5000
+
+
+### Installing
+
+AAA installs into an existing Opendaylight controller Karaf installation.  If you don't have an Opendaylight installation, please refer to this [page](https://wiki.opendaylight.org/view/OpenDaylight_Controller:Installation).
+
+Start the controller Karaf container:
+    cd distribution-karaf/target/assembly/
+	bin/karaf
+
+Install AAA AuthN features:
+
+	feature:install odl-aaa-shiro
+
+### Running
+
+Once the installation finishes, one can authenticates with the Opendaylight controller by presenting a username/password and a domain name (scope) to be logged into:
+
+    curl -s -d 'grant_type=password&username=admin&password=admin&scope=sdn' http://<controller>:<port>/moon/token
+
+Upon successful authentication, the controller returns an access token with a configurable expiration in seconds, something similar to the followings:
+
+    {"expires_in":3600,"token_type":"Bearer","access_token":"d772d85e-34c7-3099-bea5-cfafd3c747cb"}
+
+The access token can then be used to access protected resources on the controller by passing it along in the standard HTTP Authorization header with the resource request.  Example:
+
+    curl -s -H 'Authorization: Bearer d772d85e-34c7-3099-bea5-cfafd3c747cb' http://<controller>:<port>/restconf/operational/opendaylight-inventory:nodes
+
+The operational state of access tokens cached in the MD-SAL can also be obtained after enabling the restconf feature:
+
+    feature:install odl-aaa-all
+
+At the following URL
+
+    http://controller:8181/restconf/operational/aaa-authn-model:tokencache/
diff --git a/odl-aaa-moon/aaa-authn-api/pom.xml b/odl-aaa-moon/aaa-authn-api/pom.xml
new file mode 100644
index 00000000..31a17236
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/pom.xml
@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>org.opendaylight.aaa</groupId>
+    <artifactId>aaa-parent</artifactId>
+    <version>0.3.1-Beryllium-SR1</version>
+    <relativePath>../parent</relativePath>
+  </parent>
+
+  <artifactId>aaa-authn-api</artifactId>
+  <packaging>bundle</packaging>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>slf4j-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>slf4j-simple</artifactId>
+    </dependency>
+    <dependency>
+        <groupId>com.sun.jersey</groupId>
+        <artifactId>jersey-server</artifactId>
+        <scope>provided</scope>
+    </dependency>
+  </dependencies>
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.felix</groupId>
+        <artifactId>maven-bundle-plugin</artifactId>
+      </plugin>
+    </plugins>
+  </build>
+
+</project>
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/docs/Makefile b/odl-aaa-moon/aaa-authn-api/src/main/docs/Makefile
new file mode 100644
index 00000000..446795b4
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/docs/Makefile
@@ -0,0 +1,29 @@
+all: sssd_configuration.html sssd_configuration.pdf mapping.html
+
+
+images = sssd_01.png sssd_02.png sssd_03.png sssd_04.png sssd_05.png
+
+sssd_configuration.html: $(images)
+
+sssd_configuration.pdf: $(images)
+
+%.html: %.rst
+	rst2html $< $@
+
+%.pdf: %.rst
+	rst2pdf --footer='-###Page###-' $< -o $@
+
+%.png: %.svg
+	inkscape -z -e $@ -w 800 $<
+
+sssd_01.svg: sssd_01.diag
+	blockdiag -Tsvg $<
+
+sssd_02.svg: sssd_02.diag
+	blockdiag -Tsvg $<
+
+sssd_03.svg: sssd_03.diag
+	seqdiag -Tsvg $<
+
+sssd_04.svg: sssd_04.diag
+	blockdiag -Tsvg $<
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/docs/class_diagram.png b/odl-aaa-moon/aaa-authn-api/src/main/docs/class_diagram.png
new file mode 100644
index 0000000000000000000000000000000000000000..999a41f9b68d60c9f980ce6b0364d434153a573c
GIT binary patch
literal 30016
zcmdpeby$?$`tA@qgbW?R&`2l<N_R*}g9s9m(g+OQDM*VT2uKMcD2<df3W%UI(&5nE
zU1yEBzu4d2=lsrf{yScm3N!0n>sj&C{oLyfQ&W+{!=c21Kp=Q`<)t+s5cD$e7m0-q
zKFNvbwSYiepm(JuHQiHI>I^NZzl@*zWr%Eyk?hnQNZH|3U$6J1F%&VHY$+obbg|^<
z<zrH}?P$Hp#`{3!M@!=6;X*y(HQMZ8d6;Mvk|(;Cr#v&}2VazvCB2puy0uiJngWwT
z6A8{z>doC(qQ~~;uI627AH4Ruh6f|?P25~vU9~L4xYtutQ>|8kJP`S^_D<CQnz+qq
z;6GN9>oC{#Ge_K3+|5^HI!_>w3<wS>G?Qa^_z*(HvV8g$0^!o4gB2@<2tXhd;snqK
z%y-}rNF;42274Sm3<7DzZ$?Y_N&tmGrsWu0n&yUGk5}ff`g9z6-!}AG)tH{8+6|w_
z8RH>9N4|70*%+0ho$dC!9vA(!YQU?WO)q_@qGaIx`YKiQ40_xdSUI|uzk>O+_Ay8F
zL|H^bXBn}~hA@Wi#I@?a_K$09ebH3L)iocc(r4{n6*4d=61pPag*{Z(YraDO9SFh}
zcYKn>2a#=Z55s8S9q$`1d)kJi)4<M5UE^(354D{3vS^uZZV8~JQIyu8f0&b_GS+6j
zXDf){KS?aKBe14ROJ<@YS<DKigI#ZJqker?78{e|(ljG%j7-zVGWzKOv)i1U>b$Sw
zm<zhHk$WJ2SR|$>q1eK{!!do?J{GoMSOX$7hnbqx@wGkHeJ2?SxEeaz_0EG(jKRyR
zf)20rPH&ClIg@3|Ihn!*Qy(FWyosMPv&bScvMcU%NpeVDGzY>@=9|JY>wO9~T}S7N
ze;PWB8Kd>u_})oL+a-neC_bT6#70UqgumB5*(bNQjugyg3B^#LlW4iBh%l<mun>!Z
zHN`Yegnm*}b*A=Mc`X=i!-tqkHKC5N^e!-}R+vN!BjtKON6$J**xJS#0LjWQMnXD9
zbCaLaLFJ4JVG4AOtdek}q{#OkSk`o~C2no#H3B0N)Jc#X5W!@F2YeI)kC_DuG~T{?
zf17|w5Z%dz;tu$z<zF8Sq1uEb<^>U9ap9m2PL?%IpokZYQv9N?ekHiK_kMcB%XKl)
z4?<oG1^1p#5{)vv*|}W$6*Y!VE1V0}G6S;21S_oDDCx%RN~_}aTjNX%drZjiNztB>
z%0~11otUqL7lU|OGs2#r3!D{9o}G-P7d2G*P9IrZw4FZ6po+{?85X=+X@Ik|P{2c0
zzp#2g@Q0#}T%8clcZ_?9zUwbY@>nn#yW(Hgef04{2~ca;(erC*XpmFu`)58gjayC@
zHAQY`*IC@x<NU&6(nUr|<z!Ome2WA%#db7mH2Q|skQw_MFXo=hlS1nd7G5K#+icnC
zQgCVeRAudNW;)DZ$tB=3mM<jy)z$D3#qNh|A6V?px;?aq6dMlO6jx8(`0EIa$<yk`
zlg_)J+50@&_f*)I{#>JUrz*(4Jcn8b-fZgm_yhNNbn8RKt_7)N`Qgy|bJ#1VYjJB~
ztDS*fo~-Pigtct}O6q<4x4S2@m}-cx<?bgp&&t!()qvIV7ijxqQb~+?lRhWk<DmBL
zbJ?!P1q~iGldpX5C5BGRRJf74uS>`889erxm0&9sH81k}WE1uoG19woljF2zW5N03
zyR~cAD!c@>4ZbgtNA1EBxu>#Ry_$LNy>Som>yZHK7a9bQLhbz$JuF&<L;SG(CH`8&
z-oYJC>}`#j%_WwJLM%Vz>ug4-!8XIFA(YkUEIb5@QbmwU=?g_)K1C$bh(+kul2`XJ
zDMJ&zkM9pdxFuoi#A~L=0C^f3$$=F9zYLHjSSsW+RUU+I=#^Q=^i6TKbyu~ef(4c~
zcJ4Tmh9LuI4Gqx}<G1|~bqh)WJ;SJ`dQE<h7`lapeYzvrf+h+rhah6I)X~voB}JPh
zEzUkqPkNs&^zSBN6v2;Lc{$4mX1kgzun1jOp3iEN1>%#%et}bX!O)i{od|TT5k^Yf
z%+!xEv4SEnx+t8~tU_Ed=MFP4(Mj%zHaCfjop)6>lsa#9N71Gq#-&UhyNQw0=a_4?
z^fVWd*2=1%zL2oi&)Tb*OvJeNjRz^w?myy0M}6PP=G$Fe#1xg`4b8Zp@Bj}na2SKt
z@ey>ki!W)Z$Ih3M)@z++q3d5=kze_riEdR3yl>SOTho3U@tpQWcG86Dv;L()oXy09
z3c*A}<LbORfsIa=K#B8QkpwP<A03YpUzjS12MegNe{Mv7Kj(e*6Je`&8a~R1<VFb$
zEiMM#!Ef+98XC=cR&aT*0xOISBVPce!;;j-EAyz?X+{Z!1*J|150c-k^D{Zx=Y|>(
z`xP1JOsCp>L@7{^&?on<ZDRoiY)sZy$zd4z*1ta$=-PhGBIdyIH=6=lgU{)G78J2D
zb73g|qRxxoL?8;C7Vdg_d&CVZUIJx`FTP;m;^zKPRz`wP+fUf)k%oV|gz-${4JLXd
zI?5g8CKC@04G|m}IXY^@VS$b*K*y?kykjg^P@3oe%V;?nB8iN#<S6<)#CDnwb<r{y
z=wO$*)m`3tmM*H)45aK2y350c^{?7J3_|;s7$*|>UhrC}G({(2;yf^EY80VCO}1Q!
zn5FJO?v+fr`&^r^I=_GS@M}^1=DM}_HIAiDZszCN=(lZS_5crUO^BL3g1}kZGb+#0
zd355y`h4K+v?ZPgd%bvYM0J|61JA;uW^}k>Zr-(zoN6`E{nXc0oXPsrFnGn=T?W`a
z-YN^k)!GOv)(CsTt~d7f_Rh@AeEar|B6ntq0%e%{AHbg|LJz47^5CLlHLHc}uq&H)
z;=7MSZ+K%+s&a@dahj3TVqtxf*<QE8LiA)jhBXJIrB7A&eAMj<NO0dOTxH)~BY@5l
zwFgE;MWvQ3NaaQU(uSxO$-(F5j(D^`vK<Nz%UbqbXM?SEd(}CgKS(}GZVRvs)k?*F
z_2^We*R0Rx636Du!w#LLae7$0RNN(+3zzh+L?Cn@GdHTR+Nh*1M{-?oLrGa#k=u4X
zOYs1QF<JiR4<`cYH5OP|bDY~_3oEy$0<6J4$9q<#jTi{9<+%d9WYCaXn7+q3(fFad
zhSL<mLx~vcUhmzBZ{}Q$ly^wU?IHc{G>V<<@i{SQL7#VaBX5T;T^ISaX79s`nmce!
z>}E9JMv(ow@Wk&woHFz}SF^>Mji*j#Y#8rhB!g3ihV%zJifC1XFHBMov45HC^RlkI
zX_|gh{E!lv@#)1)SgTd_FP})Ei0~)10CrTZnlZA^nflM;v`vs3-RMl+JB}yz@Neh3
zl#%P9T<aprU1mWL{${s<4~U@-SQNUgGAM~U(ZNRp&CTR`Tn3?&Wo-;RG-X6yu*5=B
zi<m_r-B1jFLW!<lNBU_-yvUsYqR{1}!oRsx9@MaG>(PI8v(Bi`z_Yy)zkRp^CQ7f3
zB^VwBqJ`b*mV(p4An)-+FT653JODNQ-#+@^ew!$o#p0}h$fAMx;1Nf2)6^6em~?p1
zZ^!?C{*BulNtgKAXWP~*(PJz`K(wAB)nsi+;4E<Gb}!{#)1$2dOAn!Y$%2pADqv|G
z-zCqy!16ZwH^YInjjXvb0s=nUhv!1)<>wy8vbI;)V4t)e3m~|fb-w02QJf5sl6-}$
zCA~4&v034jX)JHXm}K0m<I#C?iKPga9u~qdOvnYMzNje!_dezCg8P2<nC~+*tUIn9
zBB<FE$VBYYlGT#&TaQY2u;>a~l?&~6m-Qtutjl*T{9FW~XRu`sl;N}Z7yC~GA`8pY
zY>SG^T_K13p%`@@d=o9sgAwoMb?S>2Rm${><eBudiYi|lSUNcw-y?#~`Q`73+q#hn
zon5v;&O(rMa#_GW1uBFF-Sayc&g%Hkpyzk1IL|~I^LkI_9LL0z2U22HaHD1ouOO=-
zUw@~cCSuwiQ+3E-n~k#biAZxF{xqgJ0kp2I^k8WC)<kf>k&Q?6?Zv_f;+rokuVM$M
zVWSZms<9BEy?qtyb$dk=@2}pT2swp2KSI8yUv)4cGg(dEQi#RFV}3?l_(LnHIlxuk
zvwU3~ZC`YJXxXmgj>b{_)fP#kiC8zSCc+L4_O2z}>Z5X^=780=$YBt^VE$z;oTocI
zS@z%3bWeS|R3aLF&1UR}wvUz;jmN!Ei~<+96r5>>p3P^Hs3m~Jm;~9#>@1zJ`j!C7
z7=#uk_{m=yL_*jIhn3c6G_{@wTdUhI?Nj~Met48@P9Y<)`db19kE)||hQ_HytoKQw
z>f}CLJVkzA?(FC`)#VOGw{B-NpkqBf%XTjy;QjVCGMf;ZFo;vChDD5DxYin}8HyU|
z`<&nTzF%c!Wk=^F$csDIngfc9Tvb-i2R2)TUvi!ptJsE)KS&8SqML9Y!a3qx8Amv&
zV+`Ns&wPs(781heAz>nd-^8}L6L*<Owwj*u%8&-7{q9YoW=S5po-j;FTZzn+!wsqD
zmo@Bh5Z&(8<An!iFB1~lJF&oE_rYLsdD^wAS6gJI%7l`R*s^RN$}MWPeJ1%Bb8^NY
zcLyGMjhmbM-o1OPt~D!>5D7s|d3a>DPV3ctXCd<*uBw(JjHB-zFN)}4t<P3hSD`fS
zMm9EzCv|@3zQe<4{zNDhzk=ZMW#{A+-y1SDF$GDVuW$Xz3Pb|?B6Fh<fBW{WmX=m?
z>&VE+M4eYhCk*leg3{;Epj)54UJ>}_6x$3IdhM^pzq$rtrMbxHOk0si<ULhU(zVWA
zR!(7v+Ap6Bq=*E@*`;RO!Ohgv)X}lD77QdvqWgjS*4RPQiSzUmb)1#)8n?%f3tpT+
zBy={0w6*OfYCqQ38@S#y%CB->>`mgfD3e%~!GQ3fHA_AuykFtoHaaqLU6_$ejN&Qn
zM1!B<3!b+cmn}&`gD4prs4lm)9UUF5jn_my9a-J`{)!*B6Cd&d3z@O!p8f{o(ag6b
z?w2<o-loCHkwNzl@fXPD*VEIhaa|>HaT~rGFv5tV@u{s3EL+CP6?6#%9n89`&TF4S
z3HGrM$#~!Ya?trRY$__MD=JUml5hym)e}D@l#um4#}pbcj{pIP<?Vy>11^4kxp}mi
zOGrq@*QxXA*49?pVI6-21Oe%Ov~gbYNl)Y1AwHcju(`~jLn<2^n}~=Avw3uD{NGP}
zb$wRqgvNXM;(^VX-fTrBE2xgd#gHPy6BA^}sk75#GYiZmoQr25M!&m9n0tA7IXXJ}
z_|&aLN}T?F=9`YbzW36*oc7L3{U8gMh-*4WYXsYh5-`fh%F4>swPHnIBK4wq1EH<G
z{rW`RF*pEV3~P*k8^in-FK^2XH0JU}Pp?|C6<<CPV-+S>!vNX6^5t`TI9OIQ3pDHB
zLnyx)T`hHFWD5GVLVm=<Lqmy)iAHnM^1r1HVc3xbYozeIffJZw+N)Q@ejS}ynuHgl
zP<>xnSuuSks^xk!BOJJ-<SS>BmKBwiNqmHn7r)}K9R$7Nw@*mL%_X~7+|QjOBb2n9
z{+BN%Fx9*2ngqvwbRpzZEPBHBPN~$Py5kOxTq>mYjhZP)KcpE=8pIsmJ3A9nBSyL%
z(+k8Km&`akr6C&r=@QL*dwW}3j>8{w@j`=yD3K64yaVio4Ifhl0;mfQ5R`I*xLZe0
z&uc0GnrQfu^Up>U4|H{r9j)~sLAC_K@l3H8&HmcL*S#;8VSHT`qZa&fiJgIQe5dg$
zqo<gSiwToUIlsFsF14SmKRi4vby9!Wss(?eDqfUA@~>{pOiicX<)mE~CLb_+glzPI
zYp1si5WKrPv9hw+FzH5CJML;>#v(BD*aorl_Th=k+f>%T$*bL4H+xdGI$czgT*t8b
z##1kyv%8HtlM?EL7Za;0uUL;T&;$xVSTRm8k3P?Y$!?KDeQm09K3L&DZ;^aMBrQB{
z<DW&))4Jao{v|8|LtG>w^o>-tifU@r^MRFNN2J}st%u`u{SqR)cO_VR<#2(zkidM=
zeIDrPjh5SxAJM7QBO4z}4m_Q651n9IZ~G50iPuByRMJyXDJd1CJskP&u3WJG0u@T8
zD?lcvxo=m^wW9C&b_I-%Ej?Sb%lJSbnoKqQh8)_;PiW<6LITyb7T$qFG)Yb{jpV~=
zod|YUZK5hi`JUpP2TsFqV+^*bkZ*|p6FvgTy?%iG#?0E<+REzPioRwjQN0$H=N!f&
z!4>S4DAp^x(u2>x&?HYYg<-6dEc;7O+g$3qe*}|f{|pY6Rii2$$MW(ru#n>u6E}q!
z@4v<bksRN}+3=^Ag!lJcG&AD*@#6=uwhQ7z;KRP(9~x13PX!3%W&yyg*FU|nvHS5~
ze~sZfL_=mo14K+7!x#My!;7ZEhc(G#5k|yN+R4*-<ZO*<SAHjr=W_qgN|1xH)u}g&
z01)mCns~rZtAmtwS%kxC@UviM_r2zVLnpsYCEExBLIcm5&{d#9y#eVG%zS)&ohgF%
zTyM71-~4Y7$$cM!n^u+vHW@f`DsPzz2KwV2MaITjbpx$9^jR|bpT_R?ew8DHLV|$C
zFas3@OHor*^}tnDL4p|S*Ra3N2u(;A9`&i)))pM8Q$4#T<-2984JSpAAPAI5hHQ8T
zK1SUz($JgG`=X=6;+Z%Gy9RsVrx^>@WD7$)Ab+gEuOVrjoaY~)NW}J8%`1b@VqDe9
zwQqiwcH5rZcwVW{y0_ZvD)Qv4{67u4r1P!#^Sc+66KYxXf3nHDj$n^E+SKHw+vub9
z#$?=LnGkPEva@lUnfy7d%tjUBC%>iMjMhju#S(+x(a`~nzuA1I8V_RQ+w*~Sv9r0a
zLHr`y$T8n#`-!#vx058y$Q?px&ysYnQw0-srr70sMmtKJobwbdkvFf4o_5@3Ap1ye
zw|>1i)#h6*$uP|a784O=f}7hz)>cKNk>}TDEmtOk1t1idCzxBt;PhG1a#|v%7W%j1
z480Dg&TO8E@5FL(c1CH7Z@S7H5aV-D3vMK<!xtVusFHZz+nYzdwby9W^x29<|3obg
zw#g^l76xarbz3dM$e#~UF25yds`SBxD;#6m@2>Kfy)$$KB<Au7rel^>A5F6t%p6wh
zy7ALSwd~~+4}_imxu&fba_Z|T=dvi2Xh|W&I4-{|1Fb{`mL;*Dq*qpCx4g_A+HmH&
zo*FoUM!;A7<8pmvYUaFzpmtM3wV<Tv90b{TU>KVnw27LNJf1JQM`>MMU2Uzt>rEUf
zVrc3i{xiSr-K=|q7O+~!1**YXfxM1%6kxY9#Mn{9?rm$Ub%$Hb;tRt<(fO>zKKsY6
zj7n;+c&-OslIgdgt!Y8c!ngCH`jK=#%+u#LFEp$zuArdc>({R#-nAKFL4Mw6>GpnR
zi!-mO#KpE*1V{eBQ`AQXao)CmTh<Lt3)?kzYi(S3t#g$o*IAJQpfw?~x*<HR+*Z_D
zR+O6rR8B_WNwV<7bH%&oSHURO8^mo%UZU-tGK6I&+i>>Nt*oG9L(%P2x5ASt(P0&l
z!?_YU19G{?U1PB_)7#Wv##CwW8u%|?kE#|ja`<w<8<0l4{pHfuQw(({sv2B2MdLVI
z6)u`ScG#yw(ziA0iuOmGItDj3%F!DMrdYU$o`_YU0=SP990<hJze6qR@n~Afzm0`_
z;;UDqHE!$fezis<P~p0AQiH0Uv#`a<F1Wk$Nu8%zR5|H;(+lszb$xDr{uLXn_&U{v
z7mG}|m39>yp$4MNU-p8qw7h(`5d%MR`2_l>8;c}+eI)@Eu(rrc{9(y5uz-?(u}3gB
zOHu>$9(AO`jqL2~tgYX#=+9jF(_qOI*VT!F2-cjNwqG4?>$;a{E*Y)kHj*mbc5EZU
z^whS{Hd<)DHRX!gg^+5j(>sXigNPu_r(`Kcy0f|z7qXH(Rl6J)7iY@-(a{`1@C|K+
zw=lEku~!7y(efpM=pQj(kivbvBh5{>pEdOu9U0B$Ry`?u|5`lEaZo+yk?UWvlJDIq
z|H4Wj;g`e%q;w1n#GK}ohCjAFjYKx;sS1v4=*}+uoOtYJhA;}Heg9;lz3pcy`ey&9
zEGg(tbCW{V6OCeT^{PgVZayedqD$3bd_lipUP4jCW6(9h(+x}{ut^mX!jvVjAk@3`
z_2=hml0x3}ih~KeVxi}i6zb0XicAS_%N(9FP<pcEDVO>dCYLUj2cm$M*<U~l<Wf+&
z1UCE4o1MR6lKhzorwqPo$)Ly2CSxfbPbKyLf{=96hNK12If^4PuBBbf3!K-cDHb(!
z5Rd_vRB${Mbn*p$u$nF;MrZ94WlCaV3aga~pH{9)G3R1vLS)Kn^K?CCv7EyLB?YH}
z7hWG7KakAaL(RrF!4WkZlV7v>AW*!=3Q$ewj-t9N@!^|}R@-q!v)-r%O^vD<JQWoc
zd#j_`lkrKiOt77G7>=b_U5;xJmEQt@Qa~e(Ce;ijZ~`sN&B0lUiBy6cG5!vASd)%a
zBA)!=0woT|YCW6~h>{ikD}OmkvmZ)I)W0MV6aEo*<zl+%$61*mBmNf5X$FHtXn1%S
zScOvV*aR|BC~q0~2f_xVloHwPzxPaZ@4@g#dE7rwDXEE<SB-2R&7Yx~n&6MYLHmhX
z9oL&jL4Qg%TjjPs(cCP(D{f#UVL}Z+2nk98sG1D$>+i({H6qf2D0L&!F#Jit20R2w
z6^J&8{!}H+m##IU!oqs4H}n58(nGLv2`^uEbOw|DsZH;rW3WI>VK)B>@~4>hb4FKH
zl$10b&M^LLY2CQBbsMB>Ef?WL2A`%fZDhK@(8`LHo0h99S<2q<clRf2&H{S=eY@z&
zxA?m%qH?r<2QC?WE2EY6sDw~onkgcvk3apqXxs2Oo!q=xc9Fy6I&oC>2ZAO4GzGP1
z6>n>L_R>1d2VDGrhcg*`z%8GH1j}rmfkE;=ASfXTL-tzQLaPRMmhBF@X4OB##qzzr
zS9tv>o0fgGR{i*}jFEO#^hggG!9y<em<_=(n~Gl@{SvQB+FXRKc*;GwF#{v;N`wQ4
zsewGZSCdSRaH^=}Bq}!v2kR?-y)^%WGCbvIx{Kyv+UfXFM8HGR8iwL$0t9$DlcAI&
z(}jJ@U-4;&-Dczt-M!hEyqjO9?@qHl&B3g=YSU2Tdyi8Fx3A~++(W63w3?qSgj5_r
zb>hJ>HFvHVe^}#sUy^pHxrw~9oOA4>!)9GXy$fgfL&70BcvZo>O+mdSl^EJdJRf`w
z2Hnbrisvbgbg&(M+<Fdy*V3Um4a9@Ay?9IEm<WiP`UY_>?S~H^q!?bL;^qk)^s3T|
z9<{E#8(808DLc5~Dw81tf6~>bu)J20s%|KC!mc<Ov=^C12P4v0V}!lQ0?Km>7^-TG
zqjn{}{|<&wnU>E_Qr{$~JHt<#)9Z1-JTI3j71+>lxG$9{5Sjz`D#)mue7?ms%Mv9p
zRgNy<1N5P=Y;@I;MO%d;=3t;R?6g6s-hF;6So~WUUJ2E+>4r~kUp5a#p-qaX69f&p
zcYj=_V6N4AfOQ$7a$HcP3~#=-CQPSJvr2)NwDM4$y4i>v+T$<%6r6u+V89-JbX!mB
zhF&wLJG|HWFO-9=V5%|Ugv~UK`D^f}-=4!rKDI@Yx}b|mUgvRBk1&k_*M(!x<p+r}
zz&&1ULZ?|^$wpuuKoX_q1tMsLtKJ}${~a<zu3-PEBc@WDakPJG7Z-DWe!h~53Ymw@
zpDNS(G;m&1_77)fln?3wiK(d^bGm=(Y9#6C=;-m@s-CXy^{KypP6h00i;@?YERs&&
zxT#$19{t@LLYH$AO<J`a--rJ8%kH<u#r;4&{oH^-2cA-YSj+EII>cHh1DAj^sb<0p
z$;*j3uHM(7_6Lz4<q2kMTy}Og2w|SP(ldny6`ju|eYO`^_dZ(Ab4w?uGSPlE&6nG!
zqNj7jsyp0<j~KOessH&Pv>I0GoY~+mnfR7uvZipf^;ph}K22cZ!%3_p6jNu5Tn~o`
z|E1wl0s6H`^Qse#oDVq%voC)q9kx1#hO|~k;5aQk6ZdlV*mGOvyzF{^C0ybm{J~38
zm@d)*d+rH=$KBRFn$MJx1;sA-X<K@d+ePeDj}59kxPSOU73CCqUUb|IJGQxFlP8=|
z>%jdxtl$PKl=Vtym>E{@Q0VisGdN=X;ZA{<`mfG0pG`Fh`!+mZBjlS|;&u~Z5~<tA
zY4loqMiklnWHdLANIKkHsG2w;E4eZ}b|f{%{HJ+&9tO}N<qcvAizfn!DJk&hV#Q%W
z|HKye2%&ZsHG8%NSb@3J15%!MUFzh#wHer@aT%Ve!R1l;i7C_<-Lw-RJRs?jeO{^z
zhu3UoL5pbWy^l|3_2$!STnubQsstF(T@V>{T3A$$+Sd-KA&z}FlYhFmsdTSZj5gh=
z<z8*$a6TyyJj^{T51jCo!<obQjQgAi=|6}Aae;^j$QD;rxSpS#diN>)2ffPsa_fq`
zKGx+m<);Pa8-We{WA<O*NYSRsOunjX;>%Alh-U3VluvWJ$rdj&wP!JB8OPS8+|Zzt
zgiB)(QF{Vp9>*6wY6>7k;B<EEPY2JaUR5nL*c3A(p$fr@KRw|D>L#Kbi+kxeSiuuK
zmZSWQ2V29eMRM|POzB8qmYWEP^@TQdvpb&D--;7xRJeVibe07B>yzn;i3_eZAK!%h
zp<@yssyw#m+S?Uw-lhKo&*+wR)JgeE0LgrtpP!$XH~tpkpSqUZ1^^U*<NWxcl_1T`
zTt5_8P48P?t3cRD5hUO*8>dbS2qV`*F)VLNT~$(2iuBx+h4_yIfUiE()_O1YW&>Od
zqQ(J^EufzOb#c%(K&h%QIRtVa4FQ>gi4E1b*{^l*p+ovfE@&$tvGraMhd?#}wk6GV
z0D%}m0l@?Up$x@<P&11|{6hff)O~?S5ugAk08xTxt`yIq1B9;`&Ht+Xtn6kbfLkFX
zct}WNH~|zyumG-uWLN?@v``S#9_S7WI3j%Dq(PSW>q`Ofr4Iqp$izhIghQAS0=We6
z!3F$w&=eqpbR3F`ir%#lh%!LHViMlHW79H#_%nkk$#;My0>~u_fNpF9xXG2)A3w<M
z5I~G-fBgc!VqsxPItP3j3XqvLvU6|%Gh-Bq`VyOy9Ac!8`spix?&jy_0Nw|YI0MrO
zc?3`*a7s|3(fI+<bc|2XAdy$WzAIh$x5tkk$EOlP{KvpLJu<Vii*5>oaH)Vtw*t&S
zueRXhna=>}{1u#lUSX)Oi~-CzZuc@37vc|$8CX?+bTBv7>hU!&{_G}HRdko+Ga)3y
z05o<qx3*R=81|T~_mR5w;w3f2KLAJ?nZRw)$@QE8(hq1xjq>g*C0{`J)ZE(M-rnD@
z2~cYY1%Tul<-rLAnGG4r-VzfNn^`~s;t8hl@fO$&adBFeY<TpYl$4aQp&?cdJqQE?
z07Y$huOa3Z7QrM0exke%>l30S9MYeAdo{i$VSsED$Y}v$Ef9kSOQS|TJDC?>AFtW(
zetqYB{ruFAgZ0UHO@qEGAtYB6tde?3Z7utYrt{Ou^Y7okhsoMl%wyz3mQVB0=!o43
z8!b_wALxYu3ffWzkfV`+A{ek!j2jI83=*gknl+{YrW$4_22iZ1#t29_ogbpuqhegF
zM(~p}SxVVrk@Lu!1-eS5w;4DDZI^1XGO(6dV7)o%+A3h4@o1drtbt7}0mlM`Vi9@t
z8gaG5!_$7#>+J3|tDWsC4sD}9kPFH+2g^#r>X;4O8M6;Fg$q)a({8U;5x%Vv#y!(n
zt603wP)cIVl9oI)P$naS3P#x72_*=x(7{fAIICLp(J({=$zKa~tsaEP(Pu`jr;<J+
z2DqO)JK^16=hQSI1Y_RthuP-w4b$ps$=m>U>sWuaH_ymWm>dC0UX5^!%1ifYlc(u7
z(=Zkn$LzyuR5GxysBSPnf1bhe3F=dH<MoHk208h*yC+e1M0gi-V{m-{6$^67A1qiC
zmKSVnPRmcp4I?#pp=XSOrA~mWK1@E2I7^^gBWoU#;W;G(k%^g349c}Pw5c7h5VSoY
zhr2!S-$|Y%U`Z7SHDJKh0YL20ea$*#Lxb8q({E@JyT8`DtB5o(?NCAp^A5TfBhDSs
z9+#Ptr*i^#k&VJFLUcU`x=qgU^%z9kD45O_wPkJh;HU_LFzA1<lb}*70LdjpEhQZc
z%!U^owO2$fO<&y3KLXlLA9vn|rxQXh2OK3FQVRB;fake?8P%k;xv897j4XL-n7DGT
z>$HU%d@t?3SRepQNhxZsYT*I|I8z6ezQ@~6e)VU_qp0O{59SJ)P^@RmL3YKBCOn@t
z>_0Iq!&`shZRM9xy&_whCf84o+X80iJ6#RePwsbq{VT>6cu>ci9M7BKwauhedMF1p
zkP@|b;p9*hy~+zYho9;eT(=YPtk$;neC;hc!^)?=O5ttVqs_+*5;*H@mtA;UHZ1M4
zR+WyquT^%r2DJqhz6%8lfR0)K5>6Q4*Bp(1nH2HZ2(d8WvuoJpx8L{bv&SJu)V8T>
z2Png(ahW~rX+3eT<suuG-8Xop?Z=<6GJ`p5{hD*FfPhf>$;_aESk?K+G(Mo{bhQ2*
z@FE``3AYi&`I&roL=jpvFR`p5-wg-5WsTY`Nj6a^V3!CVY?QN%D1NH79jiKfH?-H>
z6nAV$Q#{{DP9S;>SYiqb)Hbskz@6vBMb5qtK2v#^F1XSD+FpOVw50kZX^4#eQ?zL5
zNxRfWlT^bks3W(%R{_{(3aa1FolI|^dmrCWWWgUl*h~`tD(G?EInOZD|Lwg%@<F*&
z{}L40XtPBQH@E?b6h<x0i`!jIy`17gRp$fTlOFT!_!Duf&2jcLUNbHT&8W#f=noHA
zW>z$J!CfdYc!?+*BB{g8gmcMZ;itALt=I8R$w1=-8T~CYE-?TAx4}^MWVWzi<5Tv&
zs?xddT%!$gec*;oegOpX6}6I$?<4=KF_NB<sd4lBc!`TrdhvS63+({1U*?LIfirXK
zldMJm-~o9sUWP0v3Nl0<QJ!ZOqxEAoqiH=+H`M;#z$ff=CGOgn0^wDa$1|tAG_iO1
zwE5&xolI3&Z6O|@+#k-hwEX^X&<II4@cI%<qEFJN%W7_bGe9Wole%Eo^sU)o`a0$K
zUfM*v?Ai6p(OJARB?q0(RgX-H_avQpC`jMKNnghN(6#l5gS(|_^-n|)r(P<bm-zn7
z@gc8b+Pkp*;quh%acYpp2XnneO7wGn6ls3YclSJIMmzakT5s!MZV~Z`qDZqBURuM?
z^7fw3b$U-`woFm*O{YTtHG;BbN9&*JuQ5E4M%VPM*dAzp?IS>DN{)g<Br4wIlI6sk
z(@ms00S1|%2IrE30D31oPVBVSQNt;#US*@GkXS@0qL)Z4U-75zwpGOXsw?#(vBqNV
zOL=x>E5Yo-m+l?w>I-*qKHmM&b^jh8oB5w)7fASPAhBOU@0~Zy!+O>~ideIA3aNLo
zm7<B0UPkNPPzL6^?w+>bps3l1RplEy;|95YhxlCRfR}zmHklY-Fd6>4Aaz6h{{Kr5
z=vKcn{Gj07PV8-(QpPY~<}pvR)#bYpl+UuVrwtgq4fB{8-o-3DSL{gRU|EyhVV(Qo
zzuBKjrJ4Qgr$=7zuZ=7D8?z=sY_3u7j^M<T4y(&1{r>~xNGdl@z(G%Kw}*)a`D!eQ
zmTG@SJoyQA&RYQmA#6_u%2m?-mJzQfPg0sE1)A^0MPCnUVW*GhU0S9;=|FLD!uK2r
zBHTLg64SjOZ`5QJqdm$|K{l34{&pMtLf5l!Iw|B-SajeNlhSX#hN;6X->r5#aWP++
zHC%Fo@^z@g-M4rQu%PX#^+1DIgR1|^owcd^A8=<W$gO7$clmIrBwVep!&b=Zi&s49
zn?9)6OB?61j1i9aOh5k*{Ml)f{y|fup$ix4xmFdpQ9RF*%}E5%3dReqi1Je(0ucfd
za^q8O5eq6VmLfP`D)oEpKY~)HVy)>Gv@;oFj9kJ{jC`!D`ql=ZX}suwU}XF+RgKIM
zI5=1nC+D2>@iceY>(<MGHC(HZkzf31U8-*QEY9!#7<gv*>Ye{w0-B(-=^wlz&wk}H
z6Z#{IvE~3Z$d`uQ(e(7=?OpOgd;Rlo7v4#qwrzP-;RD;K1+$76CBJ=g7LOBUh>hru
z%DawCY_@^{cLW#B*?nBp_E_XM|C=kS|LT=~qWI)wX1Gw`Iudj9v&_uc_=IPB-7r4%
z@fmSJB~O1^1>cPiO`h8<46xRhw>FBZDT49ngiWu($iU3@n!nQut>bttlGA$Z@BX#e
zv+$)d48m5ML*ae$Lr7#~)Ka+b?BvVphjF^n{=%B0tZ^NO`|<+RrEVsiDn*kf)l`Lz
z%e%MSkr~vg1+B6^qL<I^lmAO*ZaJ-n<AYZ$_!Ar7YKlhfPrr|zPVBt;Bn{_u?7yFp
zP0V-Rb6ei{Mqva-(R9-wLEW5q_{Zsew9vLXto9}B_W}oW6HeWV!^C(^VJ>`2%YU84
zztdaSmRs}E-D?<5!k#8X!`;6}<d-2!t$=e=kO$7~UDPudzJpkXUd#XmEJi?TDZ$$P
zw+{b}&RSDMH7HIxnkL}xc;11r2S0f1RP>xi6W(S@`KE#v(JkNF*sx?m!sovd885K#
z&CmVhRS|7!wV2aX{GG|Fx$(iJEejL9Cs@LJZCf{Ro1nO-t?;&`rafKyyKw1_TTi9g
z=wQjM6bIT5BR^e^Ni89Qo*$fuPoA~+e!au*>piEsrCjef??mWmZGIoFe4<Nly^DdE
z;ytWO@M;7>p)>Dk?&^N544fx0_EeGN`mC33<wi$vA7@Ofy<HZ+%}=(siAUE^hub_K
z&|$I-eVrZ7^DOGOJL73<Sw_QHCPntzmXW!XhDS<`TwRjR{Rk4}7%6yjE0HHPc29=P
zelBDAsj(3`f-9QocyRGm*ZJUK(P<Yhw}~l}xMZLJ7R%5={G-!lib|e#4BH@s66*yB
z4pn0)1wW#=uMhf^#&>t8q*9eu4{zl$A<@0d4-mlgO&J=Vf9HNW=`eA)GpM~T#>v-Q
zNW)?sDU)?G%5ssAcm5}%@6e@zG}n;;<co&<#b7UF#&R2@y>zLuwiZ`{)*xC_c3qcU
zxnh-u>B#dBgl4wYeZz5sR~W!PJii@+G|H*0_=Nj%Lj2b0F`yBLHE0**msCi7l=XSM
zUGz^17!oPLQ|a4hW7$#@ea5k-GUT|N-i4V1MFE*vVg>HLL^lbu+4*V()@ryxK+8d)
zitxYxJ-6ub*>14YDz4j2eed;5`|*fh3@jv)4!-tYJXLWVd+Uy$ea-SS4u?AoXs=zb
z*eW12<3ifnkP>yxZ*S!#TfZ(w(*%qkR1`3JvaBfXv$H_;AxEoW@<Si8XoxgGp)A)2
zFa1-{hC`K7|4Rb#8{`N&Y8en=0<H_nYE>K#mQaa%ZY=%msO&PVcRBm0H{a446v54)
z7WTFlhE*So{l?!Cae7%V+31e_0iMs<+#rtU@v5u*6G9WV971TV79^J*)t8Nm52z#k
zV)d$S6#avt<qkh@X%IeAP4i-;pjeRMz9O%ww`Tb<Ms)QB22s?FNcSQN61EsRSSDH+
z3<MFpXedMa{aq11AKw!(fGPDeNtODg>enHC+FAL+&s<`~&A#<9eUtzOnD5u{x<1q|
zvF`5`iN(>Gm0yxuch3MzL){!;x2gK^+nlKB)%3C}++Xt}y;~D|#J0`K&3_D*N;m#C
z+8Lw20wY4vn1Qd-i^;EEZJ&jI`jPvXo{*WDd83E{cNFWrg1@;s0zvn^rJ~OUkboK5
z&P<?x#7U(l{dHI2ctXPQSxBPZ*hmih*O-11Rc@r~uWn`kr!Xo05uo@0Qjod%+t@SS
zv>!u2bs6Kypg&m#&tx~QxotQUvD27F|1CV~nL1vNcaUV>jVQ7VuLgA2L+nDT)Vy7|
zWf;r)NT<d+457v=rBhr|QgZL^Ii<FZkugSFszOB20^<#P3777(;NP*4Y`Sl`F30cS
zXaE%)Z3I{Hm+4u@?t%i7auF$t%*$c%4v=|sVae<pxfy;@dA#q7(IP`ZZ|<u8BMVE!
z6+@nsJ82kQ{rzP;pZCP7pA>Ors#cncLM3N>k-v*=u5O`0;l=ioV#;Lhn%xbp1IhP>
zAhL4VEdj<?0z{yS0)HuaslG@4TgfZgfthcPPDoq%<I5ZTijrdGK&n*>Hk4F+@jFGE
zJSg9N{U+?2`LbX)$NZiKEt1Q@cdOhw4-Kf6&5WT7|F5Wk4OQ;4O)%YF6fL*G9lesA
z?u~~~yP>eh>G62>#QgdSw^wYL+9SGT<y)o^;=t`I<h(^f@{-gIS$^3ouRfNDsOKk`
z6K=)z)!*;JnYwD=99v9x<7!<X!FWc}7a_S&Q$zjPD+^e|&)V(9qM`{O1KZGtqS3~@
zSqpunW|yNkOyTGGRypHT@x6+#r=QHrP7Xd$A^dvNc|_w#7wMyIdwT(5C9lSAZx_nF
zn)?z<+ji+qN;1l%6aS&B@5IkmdS-_w3mPbf?w8y^kGDi12z>KQtRu6!?DTrS)cIo6
z5?munWw=K4z4=;87z>TwvY=SG<;G?)iL$}6U|MBD1>H=HjVRcL(u=IX=9Qn%PyORh
zskr2mH4A$CnZK+?l>k;wM?Y<8_8Mki?Dx7aK8xj2-maa+n+g1}#Opc-^oVb@go5t_
z?|%64LGroU5Cn%|D>Ez%MKum$eRwTl>w0%-=zoBKb(<v*xC(ey+iS@~KJ;r13sSj=
zTXrpABkAZj#gGz0;UH_p-hms*Q0$g}Z-^d0=n2xsH>~$L+bY=Z8W-Z^qtQ<x1XiuM
zLv$g^?F)|d`dN_Np%xFk$*+I_03-GdM|Pj?V}~K>(%e^mfxqpaUu0iEzq0`sX%Oc5
zk@bA@nIW}dt<&Kr+PUVCp{OsLlan<;2bp2FeLiXZ;G*lHgE3tt^bQ=Q!nU-l{Tw9;
z1yC<_mU>*>jrTzmD@Z!Zn1ya9fYw}WjmlopzX~Xe;##_jXD@E4Qmu?CqK@B1I4PQN
zHef;YCjV`xn~E_8E5T(ZDMBu~65eQJM)D6SfbWH*{kJgkKV*E<hQLixUd-peN3ENj
zVEm{yMfi*`Zg|6**Ae!;X)=x-hU~sqUH6j+e2wA~a&TjL$7_sl9i!RRzB~%#eTPP*
zdhpQpX{N{lzh%uB-M+lf!)xcUME!ov4vUzBN8b=Ux`q@JsIc|!4VcQL_r$A-`?eGe
zGt1}0_i$NUUE)TFm9~~tK8@H}5I}okw@WUqJ5?bn4PX|5P8OZdx?<AT{d&1(3&!}G
zwU#=J`Ugq3il{r#<#o~I)2Kbl>VZLLP0~b8EjM_~ZBTUzr=J}yjnB7$EvjU_dA0=Z
z57sPe!F$?o7z+>TA!R&oN2lG3&(_iP#5q$JJhjw=KU^rwvh0cFsvCLVhn-O4LY@~@
zfJ0o~<ZFGjRMu*?7P~I0uPECvX~~hKV)3k(H<N{i-H5m=(T5|&0dI1`PqqD3s8w#c
zX~b-<$IzJm&<kttK0l>;n^WzK`h>4v8j#}E?;>}%g$ueB#O>B|cEZilUE*bza6w*Q
zy2uGrIo-5)cC+iu?zE+`5L6>`rQ>L&brn9t*`;W23gl_s>Ji%P#VJ;>F4>)%-6@wi
zmll0zXECCeQ8DOgb^lcg|6}!$;({pauSRSl?~dtzPE7B=D#m%dQ-qZ_vawd1_+Iu_
zzAG&=4f|qVQOjUnQg(!$b$n?Wbk_iRe#_(5Wb+rfrRA{`#p9l7Gxn&-t6Gm>rpelm
zenhm(`v5pzjqkMOpB2-}tyn51pK|x|**@AIvn-}oJ)X-%yPL@>5q+s-^LEul^xhDK
zwpZux2Ob*|8w@=i0QS9~N_U3`Nw>7R0o8C%MI%zL+H_N2-r4vn=Kd~43O;mZiXCyH
zVW>DWZFpC_y3E;_vLVhlzfkkam1uMJ>x{d>wz9xGsrVr_veU&pccO;x<xQ>+TWxBu
zgg2fc8w=V@x=uI4mEL#k5IT5-1uX<i(ZOQ3m<NJN(lCZ!ycO~aPTbIKVuqE4i0Hr{
zc*0&#PWBfn>NfAt-hsbiq&-(S>Iu4?(7L`w0%hFzW3d0mR9CtNs}28FQ1C7O#pE%y
zCP8l_`ms$gAVhA2m}F18e<r$yAn4KqH6?pVdCgT{BZ|<Nw^B+=3g!6nWp!HJ-0(WB
zq0P%z+oHnXkuzzrb$B>9S#~pw6om=M%h{b}pDxHEy1Ul%i%2s~-Zf}(IXg#nlLK7x
zTAZ~6Qd^j1?|kV1nc6{q#>K+dY{#xrWTWn7jsKKv?=nNujnakhW_hIcyV<YrhjcBi
ze2?X$LvVYpJ^ymQW!s!8hC+v@Uy(}EYNdp0?*(R1F`UH!cT~&_ZYPoXf`5CpSvKkG
zc~ZjL0rm!FBpvnPf%b_UKYz8)sS0PAWYa{SiXa_=sU8KF;#i5BiG1{IIqp}motgd2
zSf;#qBY!970acHBBKxz;C)Kx$@+m>b@#=<yT@8H1s0gh8WhAgfI9wInOw0`oybmOi
zbbI<Yty??kgj&6ZC^e5LoHQ~hGV2So{C1Nt*}Sm(eF8v^O$sQpM)9}*HyQVZ?E>t0
z;0bvDnP>mQ+x)r{vxM<?K>sf=@FQaAN7XwdOjT?J1u2tC!9M1yu|E>7m@D(Oz+DYc
zwY6U$vpg9z$6jn*Ih~#F3ZY|q{XM;q(R2rH7DSB5dTCj^C6lsao#Y>l384Q>LMZ7U
zM0ZqdXxIm2vq~EfeTB;@6c1i^OL54SGlWxUU}>FOqi&V7wyTJUUpRdZ@rmHKH9y0Z
zOQ@~@r|-PitZj?(2v7hWqrVam*!_|&S}k&1vrCRqa~+Tob|u9vbxwI-#1ABt|Io%M
zX$hm8y7W1)QvqkGeeOs%;%9Q_k#5(kl0D%Eq4&ehAH<DRrIc0s*O(Pp{7Z6Fc{aty
zu*&Ht(u>?@*?^>mp_?7{rgHb}Lk)s$#&XuKpyV0vdHeNwHbA0^-69Ud=%`kh_@u~O
zQkoTxp*P1UgR16SMZwgz$f<wk9a@MCj<&1z!sD0qd_Jkr!#s;<I`>ooe>MMb@x}#Z
zA{+&$0_^#}Rd@@ENOgZ6_)nEf>BHUeDn?s#$bf(MYal_cGnSn+8{Ak}b$cVC<n~+^
zzM+d|w1dJ|W4P!x^HPbA{am~^J7;nI5{aoy2FEb$sbVZGh3l~Td`GP!vS5@kFP@49
zAGBtGQf^Q5&s<qO-*5l&=v<U2Fj<}e`bp(?%@(_7$@pvf?K!JCdrnX%7;ZvUige(S
zNvH#zcZr%x{R?2c(ES3hEnf(*4g$UY)#xv$@6RFxxZw!kOIeh#{sN#r*N=r-!~au_
zijf3bQXU;!&~-(oS1MvNDGWm~WxOpWknPNWSQhZOu~Fy#D{^Y*`+VJETuZBEi{#c=
z>)IAh(|h?I4cs98p2SaW&Vc%FB>iid=wSa0RqvUKtd{9bc!vD^B;(s>_YmXj!)>)!
z=2czq<tw!G?+VImg<UngrXkoL{^LH59h1KHyUN<QTIYLJg@C#6Mfu(eEE81){x$VR
z=6^Us3NJW5<?cd{$b*j$4C}ZaTocsy5Y#19H&pfLv+>D}DV$VO>_M_E+X!B^5#3jo
ztReL4vEZ<OOPX|=$5gwBs&)RFB_Cqr-!tY`Pgr29fc4hETV2n-bvIH>JnJ248n1l(
zR@!FnIS#vin}R5|{a(Z|SAN%y2F_-1n%l~a+h58<-#<LMxeW>>7r;H}`Jb-HxLJ}F
zeaGPGRFW42q|Q+}DML<1^7J(V8KC<00CiS?E}8QC?o17QerccH;Jtj}RM{C31tqtT
zHZn1_^(dIC>^@ue+b=PQB|Ia?S+cow+B3GwgvBWT8LR)rV+`CAx2vrry%9kNHkVpa
zlzh}yVq*|Bj0l#TYkwhM*RS7rDp*4Ail=(6u}lGzk4$_29fRoe;CatflNbh3cJr)p
zWXTJ!qATop6>PzDzSj{1c=FCBMWkReT2NIy0I?9bI_`$=vt<oYlyShnf!sMi;jSYp
z9Qajj1jI516uW13G>~|`8mu%4E=q_2La3=d2y0gUFApm*v7xObeW;(ya08#jDkv!X
z$D?Yrzqt405H%i9<>%^Kb!`bc0F~e2t7!h2s5VL9&%1Z;Tx%Y>%3jp*jf}j!jsu`H
zLn9+Ze(RGBhOVxV3^gz-BO?!w!;&vF#8iN^wY|NKDm~*|0u+MF|GX(h0&e3#oNFtw
zf4bp-TSe7w>jocn(ER}&4&vYWZ&##Hl64PP+8b7m;<*9fftiJ+qXYJfV*nwE)Gz{k
zAwYP_o`FKbQG^8?aBoS-X)cm1x6TsczX|RJL2z1sK1I<pQc@mWH$&ZKg7}B-?(TvM
zRaE%pqpRR53|R^-g!K~OK}e?vI?aLdf9su}W%3ZNJy4IPGZ`#=h@D3-zR`$bW<dZ6
z2jyyr))P8bVO)qBy1N+U0g#%9ScDb==!uYI>@<9c7Fdq&m|alF4X{z>f%6#tq`<~=
zH*KReqOKt&O&vmvz{+$hZFob9fyuUH{{OEVOOju8Gdx)m|6(rGgtLPMEQ#vUk1_H~
zn2&`oRw)V{(d__u)DqVTp#P(vGkcLn+qN}6u1-%D*#)fn3>VABOHNfPSI+NFfJ%kG
zCLN4YCaXpA*9%d0uYjF;CjsXP*Z6lnK;r)!9{|*)5#6lqg#XWXeI(2zfq2N4fYHGB
z_}@1P>h4ZFPwzZUs9MHMZrs4MC%Os>KHlB?)kH!!j{Z{e!TH$D4|oZXcnl!NQjgOV
zU*(Z$HPr&U^s~8EfyI`9O=aoi6pEIBgb@^Qr{)CKH#7M^zx~7+N#_|x@Q6(kzM!qX
z8-9K!r3~Ka06`TZqcSrMZ(xdU2RLJeVD8D1gm`8yx0&L9N5nP<xP`k&WNwxRE?)P6
zGHDHgBOim)ESZ&?3-Wmoxk285y=5hU;_?6eXNj*X6Q{FeGfxgI5>CCMu{oM0KNQ5j
z6vzm)x!vEUW2uh&?5%7NyBa%{T|q6lWd81}Y*fl6@28m$Bv}(soh1aRGg_cczGl^m
z!6EB-wtnWcxiy|+p=E(z=d!e+2Qc{;X?Y0VzcqYM+F`@#&Cb&V-VE|R{Wt=J+=p)T
zZu2FC2sAo!S<kRf36r$oXuLCFBWc{UKi!+3Kl46q*##wn?O#`aZY~BHNy=OuUAj^-
zfOnbCssPh$Yr0+4;YBL|5@0~WV7RwMf5&LecF$X-$)ePbWU{o(MDl@mz30B`lX5V2
zakq+N&-o%p*t*XaC*f9{MGZ1HG%IDmrXmi<*cCyLJr#fGU>r>O%{Q?XTvNyulCuS?
zksBZ&pYCfQ_?k6A+2#FCONU#!C}R6*XU!*rqZT=Xy$L_JK3qcApNpg5j!66m9t445
zygCtdO~1psivBJ4YOtK=CpykIz7dvImw9>pOy)#;tTie~89VrzC21D>bC%%G!D7+}
zuRj=k9rp5uTfAOFmQ&Lx-g1$HUPRVQ)k;I>kuV0#`)Mxk53RoVIpVy1xh^VmwXoOi
z{o%LeZZ(qaOriTne=P%bOsrO(&8_;{A1NC%L^~!hz%p|V4U!_0ANgUMyRc#2y|tt8
zPTO)^iglmBo8ac#j3tbZ^Nr3A&-3XBr%CgSr%`jip&4nU7VB-%O==r&W)%4Tdj(RT
zg2mudmY4=F;n(=g-OVy^caDKWW1h@c{mt~dy9QiiI29x<wYky%<U~yTofF}hzyx~}
zqBDpI-t3ZFH_M!Htte{<N3kmVG<tBzT#}9@v(}Bvuw=#0eJtLZ6$leWpH0R{LGo(7
zszu_yFHlka)i%-u!<1?jwPL*6&Kt9<*G?3E)XG0xx!yXvTHgOAEA!hv-fPzA=%vsg
zi|G7LxclnV=fN~f@Q#*Jx9OuClTl)*>YAV6>v;()|IZbI*HhH{Xhe&xu8C~^6cbQf
zq6m!$VimawGtp*0rloPq25<Rz-%0<z6Fr>pibCxAmFs@vx3g@N?XwT%4JoJJaQ<vv
zE8`Kom9TNp&EW}qFX{51Ubf=(w;Mybv^;N@1sz5s43yq=3G5-omAm|$KVA`ql766!
z2-*-=8MxaeS#bBK@DFkeb!fa6`ZzkXXnECo#T&Q#Ap(mE?)}7MkJw&6S=Lrh?OcCy
z4={)%&A{Rxe3?H#+|y1_p{d@S=JtzqIyg)1l4*OFbRWU9XmhD3q%2A>6pynzI8X-e
zj(>XVl)n75b=f+do1*B!p18=G0xt=)Ufo42m!c`-(N=1P*WIgLvuib<O{8)hZj{Sg
zg1dzA4t}BKk2Rx8?7smjQkFGqc>HT2q{PsFV~q4Kkh3*tsZ~thBOmgDRjW|&FO}n=
zXE#N*Z(FbE$xT1PCN171fVyTavDbo8HT&I`tWYOOw}b>|s{3<Mn%LgnqG?`09f#DF
zc1XwP)`xJTU<zJGvJL8RlS}W6N=`sA+3+9Nhh#0lOI4s*vYqJlchvLgNIF8m^`VZY
z+~*(s*VRaFV6~L~{F~{KDzUAihZVykDFty4U@|3vC<FMr3n|0N!+%z+uRfJghx2MK
z;#F>vLpAd+p=65nnIFNWjmSJ+3Deu2KSQF}IpBp56f(E`uIpu+whSdkU|j!Uf*J(7
zo)Ks1Kbbl^*4CeIihcab9qJuCE+_tESF)~(H@%&vq7KI!$nSM3`QDkP*^)23dK8R$
zoeNv*4aW4y&cwLq!vYaO{iJziSZ+L%@n%sWE4ZdFG<=>7fjJv(r#4I;??1=r=t^C!
zpE%5epHHxy6VZ!%RNRQR{?NLYKt9~JCXSsa_SGh&m-N+UL3bZpcvfcMeNO|vL;-mh
z%cggYO67+mL*YU6*MFSh-}K<=HPf7A<OimE$lC&V01MTzlh@mY#V>s~pOYW{^_@>@
zLT1^OXZbZakNd|ImfJDo8WgOD(z9y@?2hw3%d~vso6ZOCelmG~w}qulyYIzdhN6$>
zrvbKb#y7dw9~y4eYm<Dww6-tMnRd{Bpy1sg|3q<sRW1mb4Y)U0gC?+!#8QV;{<^we
zr;ItdkA=zCvW}TR-KTdgIxR@wb|c)Sc(KZBH=ii2kfEdes4x;3+@?9<F1XI=+O&O|
zi2G-5&aFRfX1hXpog)K|LlK^q`Be1xE3|qvtp$U%8aYK0SsaR4UtYxBE>I@Fq|ov5
zl~ZhOS?b{uNsGF=Qv6NdNrz$jqH8d}eS^E*gWqp8<KLIExVA)uHR2*zzF}EB7k$n^
zhee*<c|)_Q_8?ZEdz)CFUq~C&X#ODZ(9u#=nT+=|2b6o_ygXLYP57+!eD;Bl_ScIY
z%(~a1>bp7{bX+8Q)(r?_ZTtqO&7-70RYl62XBuscPjc11&T>Co>}6oZZDuR*GSM*p
z_C%#>;eWOFl>t$1?b?Hggh(kUFj9haNzIUgQi7y(3R^%zh7fQV8kA53L{OCO4(U#@
zNP(fdyG!D%G4|fC`ksBh_d7q&59SBY%zB<@t^2;$TK9Ed*SgJBEN6hwtf#7Q(`-#<
znU>|%K%zt4XIF0<5TK)!^-#82hWP1B7q`d)k}1V}(i7;ZPM#Hfzh7qgAq7o<(VU5R
z(*-nVCQW@bvkX=7JTe;R@5b+Ja_@wvWXWt~RVy454`5=WR9oFAFEo)jYAIkFus_#9
z5n!NAE}=x(@g4cm?F{k<I^5|^7jHmWdS99AEzq3Bb;o_>8qu}ZqYU*WCBbb{(`@tV
zpFMS^Sj=6)^4%7$oqzymOJ3Det}*t<Y2r_}peIAW1Yl!Ilm>MAfgaC#J{G%X4a<ur
zFI_PlmP}-7=HH$su*F$;gO=uadO<cd2k;7~+J$l+gla`foE>1e-kUEQVWfliwwujQ
zoh_lyl}HK{?$D*al+tT=P`M(lG50SOL^wq-zb!;1e&lCD^y2-WnP&~<V((HhEVx6C
zDIhmg)@w{|rE>1m_|@!~`cU=TV{&>=rghySk7&WXkD11PuE$#&so5yQgA2T23x4Qh
zS@dYjLWoV&a490kQQqqz+R}%R3a>59e)j27!4`Bk#>6!pXbJh+XFBS&dEJATMDCM3
z@&c4L^2}5G)OvP2Dos>JWU5<H)yNwLPp0+18BfTlh(gW5?C6nJ8)_z+UBX4V_^fjE
zgT+vE^7BPgAJwE2&`SSkr=<F`r<`n(*{Pr*uu2)F59>uzJlmSc*!k<cU!w0(6Fr7q
z;Jl+X_q9SPe{YkZax1gnaqm4y?OZD8BDdO9c=yEFek;j3HA6;L#ZBuiFx!wtk%TxJ
z<Zk!p=3#L+Yk|BHY5#bL>A9wZG~?&N<aZ}Hh@8^2gRX!uvbhxv7Lyx(3M;WMjt+q#
zHI8Iz^}IOoIss;xp_6Rt*Y_gG=OSB=6efB;--;HdlIG<GOHxeu)yDewi&PB$7FXwg
zf`kIdKnNxkrG@hSIR*42%s@Wg>w0(h#mkpEy1IdnCPZ+~Nw3A8KR)g_s-3|3F-tT`
zQUU74^)LKzc)I*alzEc0>Oo1<vHrnK({WAS2$C>PTW}Dw5`74hQ`Tn)Ul#G<w6%Tx
zf{Err7PpWT-_&)kz<1sp;f5Uf_Gj$co8P7nL!;@5PDw}LC4Xr(_7m-n-(|S(M<M-(
zq|=3vUIh4yLpnHKc0VjDgRkVW5L%}WQrtv0Hu}zsyuE)XrJ@dbGB}a^oi@r`7%-?~
zHw2<SsKe)TnG%)o`|l?t%N}-*5iYc!+*8fTG<(lyQ{C~+XLOK6z8oaS8f!J2hdbF@
z+ohUw+BdAaGiE%I>g5%63oRyrq)CjZ^5<^N#SGb%yLz$Y*2&#V40ox+mEi(zoG;_9
zDd^U7>EGmMG2JI9mUQ=C(2XoXe~)0%H=(_6oocUwJ>b3jWVl_gD8DwiDZQ{6;l`}1
zP+d}p+7)>?rpuexM68)&D=jBmb=~CdjnkJ{{c0i$bPG2fzHr*oVmO@kfRXy%lqdv`
z670_gfmmXi5MR%$rgN9%YInIr%Vw@}itY#I3pQo38-Ih^?WqmwcfxC*5)#1t2XjNL
zzGDBK%Q-8ajTafEPJw+;iEse+e9Pl4Gu|dVYrr3DgI&)7>QlAH7rS@#Ravi8TUpJm
zv{q_}O-QRM@wvR2hN+H`Hf1fHZ0cTJ=J*wFkCcMCxR6O690%>bY{qGnY{*s`_eAoU
zR_Q46dP~YrhzR0j>9y8W9A(_Y$a1kR2ZIfXzt2Oxsz$HAG$C1pvkxU$GIZ_*3%eJ4
znvA9^=ZaX)9-K3L#~KJES}aPR_`u?ZKkY4_!c4L%r`6A~zncw8UiTJ2o#t?ZQHblm
z6h9so9iS=p)({s`XdMXAq8#5OOeM73XZl234i@rxVNZUnW*E<Z{5wnXZHPp~;B~)C
z6+_&GRp{zrr&YLfFtP4(QL9sbokrM(;9&A2m{sZNsSQPcSgnj1*b3D;vjmbe#%sI(
zqBw<wmZZOOs-!o%ok@EJ=j_euD|Cu`1)sKgBk`VwMK2?Hha%kjSJKZ^*dJCunhU;5
zAhKeUdxcJn-gb?;FLYn9UQc~JE}F)l@EB?o?oU`qri_0{E;hbtxl4=}Dm8QO`bD1k
z5R@3}9$6LjbwI!6{jps%VUI{X+I=G%Y3@;SWMZrZ1fXsu_z@qDsizM^KGKgB^5)>s
zzEn`&zHv75gMV5oz2bFi7rQ}pMZO@nf6A6#?>dD+2f}1ivLXVvYJ&cgTCNzyP1l3r
zBK2_ohQ8H8k*%}0W@>nc6hy(j#m0aLsEi5d31hM^&`@UIM;wJ58v8%<ECI5qt8%<2
zP=+PAndW+_<grb*V*q2z?F(dF658w|$vbU&{3Fr&!)ilOYo{jo#y+I_#-@BEyIyf)
zG1z-o(z~vC>1|T^TMxfv&9+-L>U9E?;B5;@diHcqM@OA4Hre|n8GDsUHw>l{YvgP_
zUh8;I(=Kn+LLf56T56clF7AvptrWDBpkb50=9v#{)&9be>)f~}LC#-$dh4e3-Y2wT
zE?cWp12fzs!pDQz8zvKVO_Ttm<*U~87tUV-@SNrbb_06=05-=!^*~Ou@bJU~zMalg
zcT+Og?9ny{?iL;MWq4lIX_e(J0riUN(b5LINxSHPT=GvVMj$NG{286e0;hfk_Ht;N
z`GebN6-OV+J}D6g#LV>bL~*B0Q^+u^%w}7d*jm2Ht`xmRQuYId8zX`}osQ+=biA_-
zvrl**rws9(kt?kJvRZNmn{;p>^p6nEbUKvsE3ANC|36pq!1lkFAv~n7kE5OT<9@eM
zm`1uJ96-y}gO-6;0gBDnok6WjH1zhaf?;97tvMf$B3l<{@uc*P@d|qOXr<*3i3Ea+
zjB;~XO`g}^5dp{5#arm;vIxNmywi{^4dm>G{-eFcf3Q7a+EvPEYxl`b!#yw)+ch5A
zB;7^?^{Aiw=*d<!rb%mOY*@$eVyGW+BNm?_0WOrJQS6;`rN>G>a#=Xr-NB7eht(V=
zHbI^q$``sQ@)g&UW)_qg*Ab-7;d!S%)Rby_4chgnBM3V=CP}JwC2$XeUp^veJ+LhZ
z@|pCo()N=MQof*dlCsD8jcz$w%<9GXz>AG|s~O3*52za8AabkGzmP%E+P&Tx{4bcq
zqkP2l)ik4L#l!jyOZDgy;Y&lX<ub06_rr$;OBB<0Wy?2%h2^VnkMBr^5tzSQv0w+U
zb~?VDEt&v6!Fnl=p;2;#Kq&^sH>jD(Ry9*A(Vy908Q7p(wA9%1J|vT;p)F1$NOFnN
zj822o%z*gX_1<uH5jXgmiS7w>*b(Oqcf$Kf>z1deC@eh?rt|k&f36;~*^(<2f3?GN
zj<ecCPnL^7h%+?O>}6?$=DX*e%g_0f4QM%7KlUTjt@z(bDMe{ykUuY1NKZ%)*~kuY
z$nQyOs`Dh*N8P+vl+no+Iqach!2emTh_%Sv8jF3-xxb^e+p?{z=!GFC)kXwrrK9@{
zvkbdK$tPm-wQi{)vdcHr#9JT&_V;>GGrwrtY1DBhFR#v@zeahwv1E<O;FkHBids~b
z8JhVMEgS2E$;Mqv@JK0aVutKg3tZU@2~w@;QmsugTtsRbh<N*OBW<e8jNy@-TNBsG
zA7xtxp<||%sBO!LGV}6sNG#Kv#uxmp`wOB~D2lGh@0h@cT;BA(!m^w^$lGg;bl;!t
z5HeHFcCRr{Z8G{=W3^AVwZ3BILiGlasVsDQp2|Y`!xS};2Qvz36=@+GIiNQ}fglFC
zzDl!nO-Ob|L4c2M2B)EG)JK!7`A=mWGFE;#(()C)$!a|x61EK0BAfK1uw1{5$-k+-
z<k8Gd%O$KovnDdHESe8A@nEa&jwLSI1Yy~|EFXK>+jx-`;@WDJnk>&0HOf_?z4Kgb
zla=g~`qq=<bQ(A_hem^FxMYh-W(MK&Al>!H8m|mpZ)j+5HZ*3mhTrK>3!3XrFnpYp
zaJGtJPK&~(2qmQxj?6#kVTd*Jq=E}sS6^EE1xF>}JYv(zxZ&-tFyPsk7X#4d;fhbS
zH$QQUXSZql5X&jbv7sCm!M5U5Uxp))6SW$W_IvH%_d4i_J~SzNv_9~YrbfCneVYDu
z;eeX7SyumMzj|(cLLFTPyIz&9B1h0$UByfaEkbM)pDSZErVg1aX^JKL`U=@o_ebPt
zj>DAsu0DBv9%K_1C+Ep+wM%<1bha%io9zvlji)|t=r!)91<Pdn&MdX;G<1V1`Axsq
zw&3RE^h8ef>7(lcWdt8v!pWY=7HLz1WQkP4%A~P$pwFay$f>+Ev@@Mn0?V|tk_NK8
zCy1a7sTl%Gi)(65CA3=8<uEPMmcaaE36=UmM)gyWb(6iZ4bZ+4u*v~BUH%`F^naIF
z`RCxLsEEqPfzuzoymK65Diy?5)z|Yu0jlzKTFf^G3UWZQY1|e_;(1%p6GhozGS-mC
zya4^eU~8O55z(Y9cwlJ;DEkn%UZB<X`nA51(Rq(KQ42h<6ay(C$UcvRgoKEQh>#HT
zQRjnp5_>Y-u|PrIH%fzj=B)`9<&1Y#8%N1f9B^OI^H0pZY|Fr?JJI3i4q$}s5(-GZ
zw)GdtEMr2=R|=E6r`Zq?kvQeA7{qwSW-TCs6woap{uB49{hxpp{aR$J&qGkw`wQGW
z<O21`jvKa*oA!&WpXRI1vS4qDdhoDEOIS!Zz_FZ~tD{S=Pfm$bKOy~dpQ%p59CkxO
zO6Lu^_^|eCpPW-0A0H8~J=Unjpn*(_f_T?v!F&FOEYB2Gu$o^SVV8%rw;n<;p_&~7
zD@z?pQ3>Y~UJt0<@da1QPZX4wZkREit9M-szOitn8Lc9ilkpniT(H~Dr-=_RBhTk~
z1IEm=@ZR{1ILhBBPOvnGYN@VMOW#F#9=j|FJS$$k_=Oc2QTaTgJ{4u4t$p5E(4Sar
zBd{Hx7$-=C-8t2-cbQ9tTCC9eG2-wJ7{^HrH@M-RPhJ5DJws)sq9iG}%de5>OAvN;
zo2a$;lQEHPb;YvvTy06axFK)$^NMbSpwrV>Z?|FbV}XhhrwLhNLow9e_TI;mRte{Y
z%3c?Qoy^JkY?rQ+4-M7~KQiBM{Ze(9vU>3|t9`R;*9YC!C3Yf?T=GBSNd^@jq6zvr
zeeLU7B!JOCET!u`8-Fe5er?=46tiuNO?H@4e(ZVu!5>EaJUlR==P>_MjKZOG7l5qh
z;7FV=<4AOc$kJ>gFBmA5YqM~Rb3pjM_kB0}aOz`|#C93>15hccKIwhLYO0Pg-E@om
zO3i1W3Wq65{IapjX`1n=;73u)N+B322|Dsk0AYOy#Ll_^Mg`(YG#&?1n*fSyclZnc
z@#g&-zK6Ntck72ZekHe`x<qhQ8?eV9#(qEs!wf*85Oz+0yYrJ_U{z4k*{%pKextHO
z*nwId|5-3V+P493^&6@RFs>F19tOZ((C2wlZQue1OeV)P@)eu?zeaxU6JwXJ$5hM*
z>@I!a5{GmHM4CsGbEj?}J1e*+LH%Sc(J~f~sK3uXMiBvP5Zl;=1a}MIYFAH`;?}ML
zu@H<t(Mbfc=NORX!_?Q{kJ3OI)Kg%+q67D0hoHBGPb>9rY6;soAJly2ta-1DDO>pZ
zeM)n?kgqJkEMPxmwPKKm=HWjHGD-~pe+n{EU>;b8;eUa#jcLgKJnp^I8RGmvB=_<I
zS$E+bz44s07AG3cR?7duI2*7kIkIqLHfwf;l+2#YV}eBarZC&2)CdXaEUd4c5)gx3
zQr1oTdFZM+J(6GOtvol;V_SyK$wn5U!Y-#-I3x{<>D2Hm({%F#Xe!$h8zSl>oaT!Z
zbXC(rjq=Py36Xe`5kM~3om?Y#cZIvF>jJ2A7Q=Kt>x`A(Zw{wW3WKdG<rB&AS8MVZ
zB!e_W7(l~AAebSY0=NP(@Kr`nR|p~TcpQe~CkNSqT%c)`bOZkW?OXqofzJ={`7HoD
z3^ghEF|^Grzdvb$G{60a%>eSe6c+Tj$JWDrxeaZkUt@R3_w{Iiu~TlNEu`UQQniS9
z-(l95nozuF^DVOctLK_1l}A)HwcqheuD4Ty;uuD6@Geg;6CM34+*<f|8r{3p%^r>Z
z&pj#pg4(w0b*M(K@LTw)ANO`B9%^a@aD4djIEev1KO?QLcSeRbrF;!s_MOa+uFah*
zxervR2L-QK-*Z)NFdSG>@>(p8HoP>SZ92=T+-_O2Gkco)E!tqyMELU(OG;Gu!Q{ng
zn&dgl^GrM~bNE{5MlVTz7S>&L*b06w<w2z8!LfGDfgU>H`d@GIFZA%&e<#;v!_V31
z0e~QaMy1IsekN|`vJ`SXLU(YM!&DKTo@OV2BNN1^V{al{<;-2zdGleW2MJeQ+$^@~
z(cz1ufKHFQbw(BO9!C>*8HgbJKHvK7XS&_^pv%@-TP<ISwf4?X>|DRK#2zjcd{9_G
zL2nuMr6f4TiGOU$jbHq#Ziu{?K^fAe!?ze-O!W+Y+|T}4CCfKc{POfj7>2Aafidj=
zMl?}D47Y0L?gO!FKjr4nF2{6>h(*KjE-{LiDy(n}o^9DfHw(Gg-qu873nWZ2*zA=g
z1z@B?Fg6|a8;)L+j=>QIy}#W|qvL*O%(Q6k`J6y3$hLQGcBjt5Lq03UbDo-mt5h(V
ztTXVtttL{p=#ZrEwV?K6d|v!8U)i%i6Zh;3cUDkbQc5jZfr(>aR&KagNL`e^PQ3%D
z5=33Y`>ABODVxbqBs?Fm3Z<I)r|GzeCaHyFBB-`{BT1_hZlJJkt1;WfgF2+IUKgWj
z9pm$F34H5H^hZ?H=*s&SYcAD=_IL5*S-CPiRi-fxpk%s3xs;1KH;MyO{p6n7Tux#F
zXg&m%S~a)VeRj>Ctyf$qYN!o4PQu3&oqY|?z|msFVVkR&sZXoi_IoXjZG%YUDUGMV
zLiAgN2M2`wo?_SiXY>#R9J!Gn4FZujAfo*(hU40)82vv*6+jFI4Eax19Cv%7oy=L*
zkEn>>)4yVWmDpOw%iQqitV2alq;^pkQLl5_%H+ok^8On1r20ABkA%eo!@{jc_J48X
zolNrZq(BZOk6eU}i<Hx!M9~GBZ8jM_%aJCAYv~@okfF1#`06GcqdMs143-k-a4`1M
z*W~5mPpoxn9Y{FsCB$4t3>W}*^!OvT_>x;;v~Uab)OR66udgs#OHC?$qqI*koCFsM
zlF%|UmSVUVq^kHUQUy78>RX%OoQDWjg1?>ffb-=0IS-xXHv%nYle2z<bAA7H;w)T+
zdMK{0xY<_zOxY1#PD)BLW${i26Uq;~7IXoQ$FOtu`%Mc0Jof!(mna=ZOFZUxJ=3-X
zf>r&Wz*i%rf`!KHqw4%mHV04{bcmKjTS!j!emm9y!8An|d+g!roJ(Cq_RtQ+<oMx|
z9rj@TUG<c>KA-Ea%!24nUL*@Zuvi#t1r^eTbiV$BR6*M79AknU%9p|V(QHVm_aMIc
z0dKLnDBnV*T><6#@f>-<#eoVenT_6<p?oD8!!6o72Ts1&qm}KVkTR}%ubp7;jaDy%
z=<UcBdLm|bi6PDAnrKyDY&y?rtas4{usjK81ksSWdw0yp+w(QC_ks`*4*VAE5Rs3F
ztI;;3M4pf+Tsm2pe+eG$RS5Y1C1|7G_g|9|jdRvxkzCz?Oy(FKRy=~GdsN&x-ofJH
zs>h;3Pqa!Fc2Bfojmm=Sc(`j6V-UQ!2M~K-9~W?sli=~-^^%p+FvtlD8c!%T*#t<n
z(Rm^u@3u-ENNm6dWVhpAzcWTR%m9U8@e^MSMv&P4PamyS9J<JODBFzOaw+bNUDBh@
zj$*E|j-{9pb?@4VP5s=UycdY+FL1Lm1gv+z;1In!;&D`wOyTRMT_vRP@x4;Mn>d2m
z(=k@|&5`l&^y`8gT|}4khm*e8ac4m1oX5iz8WGnXQ4l{u@*P%ZQ*>pRmh91eDX6Zq
zE)M&&pogsD$6ajO@3ZfD)B5arpWTDSY9)w>d~V>0jil682mP3q*%#gP^MpkXDH2qS
zhwD>OwsgwWK8<@3^Yn?Z6c^_CGo>D<-Q>!yk=iY4(L*5$GN4OQW5ydBAB&u+S3Iga
z1vD}(6U$!Bqc@HWIg_H1hal}fZKd~^B*eK^<3yU$izU+`Tb_Ea2QzU<>}{`Z>e-j9
zjn!)^M-)1dx#io_uEj*Wt?46bZK3z^aBB-NgJT3MT~Cq_rg~EIBq-`>cSgU(V$Wj0
z$IR{ZjQ(T1t4}2mwya8}JWy>3f=aBBu~ykr-Bl;i^z#~<OI|XkI&-C9kcdEFV|(>L
zPR6PPsF@Mdm=z@--O99_7)KZn-I9=m^~z_x^jpNXik$O8jJjekHAqJBPzjv^rgjS$
z#cOWp;NGg^{c`a=;nz^2*o#En_4CV|MID1JTiWrxVdAO85}IktXTl8%I&#tb>+8cu
z^#~Fqb~QC|x2fNzSl5>$ekPZ7Uv4oHBF`W%@GLl|7!6~GD%SRwmplI0oXgi$$qXLa
z^lVI8oXcMG+&lDa!Y13f7^~7Ay(wCg91<*+Rp8H?kT=XEgv;3fg`cPdmvP?pLf?gk
z#hn6TR$NA8tQ%-LIRTip7b0%{sBYsR@v$X+uWHc(=>RG`)Y9O)tN1n4C1l9p7cR~X
zpzz7M3%)y(hyg4vLg!a^`bT&9Csz>pf-pvngbMU^it6kx$?qd(1_PFi4o^Oc9S?aH
zaY%*~$E(LeSOQn#f)W*1ThAE9W>NT##SI^K*NB&CyG_1Ot9ww&0mTart5OjfIdu~T
z5xxeD?!?&W^Z@RH>-%OS+mw-#Zg1WDPG;L^X6g-^xr@-V+~jYr(6ni0EVsv0r#ZRo
zCrWnaD$h+unX<lOd%re643EfQ4M#l+7dcmxc*r(oB<)7SIzb~}wg}TWWGXNUK|mb6
zznRSROr+I{;P5dj*(yV`TV}z&OmHh9MnlKQ={(;R*HmjKXn`?u$`WaDY_;{6Mwmy$
zp`SKWXawbIV`g4#D9sE>G;&sEUW%ISd+{s^H0$%N+2_oM9UT@2Hu_ztEYPfJ$vRu*
z16CtLTGyD<UEEnS0UqO~&13trUg-6U%cwt8h7=GN)o|j>26?9w3LmN;aIJ)g6RV4+
zMu{A=0Y{np?kL+POWVV5r|TNBio0ShHEbLgvqaE^TA5oO+c<?Cyjq{(^VLKB&6UO5
ze%K>cMZ~yw>k$Sm&ZI=^&e~f$Ao@Ttp$>T5#@O7vqucs@7#u1t0?qL29@4Wkb&DNu
ztz7O7wAvZ3uA<SKL1h{5EIgrJnR;+yjBZo+S95<cR@<Gs!Z^os;!uwpl@)U5ay?c%
zJ|<LM2yt<9T6w!rQ6c-RBemI5GFx!xCG&Lh@yc7ex`WGJymWRWYxp=r^5>ZqzjWFA
zdcl8Z{aL2P#H_NU!1@o4I-nuihlgDzAuG3#Uv9)=1zeQ{uB%T6O)K|U6+LE2)V1g{
z_4}~TG7)=g2o=8e$M=Y@4}&@y2IFpcNXgfnoOAsC-$D2z?2Ly0Aj<!f$LKeY)xwu<
zS9Fd%WjvIk|B}4rd-~&YeOu0VPdxp|C!2d<56zs3qe|=+mQy9T;&6T>K@JAt68L?L
zuTalzGrjc?+jT$LvNgV+QQjxX2%0wY2iuqXreulxkzA1<r|^Slb)H?g!^{kYL{fms
zbHmT4rHvasY*Tr>cLRMZJLAdpy>7yHO`9!K(8m2EN#0O9hw*94`YGBT#fN)+kKKpF
zj2saA6C6b#%qRr?8ylX!=8IBzFi=}wz%AIdZ{PMHYJ-owgyKUgF*4Ac-Q$xLF2z9P
zkl$GlsW208H3G5J)W1~qq{Zivj!n7*2<^RsP;GU-RJ*$S@gu^}$-8m$EBLq|Ect)C
zV>Gd{R_emD+=lmKt9@fCoLS4mYSb-58O;QDZ4Ja#(r74WRlV*Q#iaPkz$`>H5nBr)
z^1_d=t`x84OO;0>Ao_-wKm&M5`-{U*(9X_JFDEKL#l()q9;d4&{Tk+(J_&7tD-^!C
zj1d9x?$;84O))~OuA0~;w|QP4B})WPJ@)j<u!KvDN4P5IYa1=}p)BR`!FM}Z9!Fgp
zzYDBro&5V6<2*A|h55(Y<ey9f`d2Vrp6{-4^?$ZsqPOiqJ30>92bz6j;Nt=wNQl+0
ZN*F}@^S%<$yNAhr$xAC;&yh0r{x9OgH|GEV

literal 0
HcmV?d00001

diff --git a/odl-aaa-moon/aaa-authn-api/src/main/docs/class_diagram.ucls b/odl-aaa-moon/aaa-authn-api/src/main/docs/class_diagram.ucls
new file mode 100644
index 00000000..68345256
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/docs/class_diagram.ucls
@@ -0,0 +1,127 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<class-diagram version="1.1.6" icons="true" automaticImage="PNG" always-add-relationships="false" generalizations="true" 
+  realizations="true" associations="true" dependencies="true" nesting-relationships="true">  
+  <interface id="1" language="java" name="org.opendaylight.aaa.api.TokenStore" project="aaa-authn-api" 
+    file="/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/TokenStore.java" binary="false" corner="BOTTOM_RIGHT">    
+    <position height="-1" width="-1" x="637" y="568"/>    
+    <display autosize="true" stereotype="true" package="true" initial-value="false" signature="true" accessors="true" 
+      visibility="true">      
+      <attributes public="true" package="true" protected="true" private="false" static="true"/>      
+      <operations public="true" package="true" protected="true" private="false" static="true"/>    
+    </display>  
+  </interface>  
+  <interface id="2" language="java" name="org.opendaylight.aaa.api.AuthenticationService" project="aaa-authn-api" 
+    file="/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/AuthenticationService.java" binary="false" 
+    corner="BOTTOM_RIGHT">    
+    <position height="-1" width="-1" x="385" y="727"/>    
+    <display autosize="true" stereotype="true" package="true" initial-value="false" signature="true" accessors="true" 
+      visibility="true">      
+      <attributes public="true" package="true" protected="true" private="false" static="true"/>      
+      <operations public="true" package="true" protected="true" private="false" static="true"/>    
+    </display>  
+  </interface>  
+  <interface id="3" language="java" name="org.opendaylight.aaa.api.CredentialAuth" project="aaa-authn-api" 
+    file="/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/CredentialAuth.java" binary="false" 
+    corner="BOTTOM_RIGHT">    
+    <position height="-1" width="-1" x="148" y="94"/>    
+    <display autosize="true" stereotype="true" package="true" initial-value="false" signature="true" accessors="true" 
+      visibility="true">      
+      <attributes public="true" package="true" protected="true" private="false" static="true"/>      
+      <operations public="true" package="true" protected="true" private="false" static="true"/>    
+    </display>  
+  </interface>  
+  <interface id="4" language="java" name="org.opendaylight.aaa.api.TokenAuth" project="aaa-authn-api" 
+    file="/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/TokenAuth.java" binary="false" corner="BOTTOM_RIGHT">    
+    <position height="-1" width="-1" x="139" y="568"/>    
+    <display autosize="true" stereotype="true" package="true" initial-value="false" signature="true" accessors="true" 
+      visibility="true">      
+      <attributes public="true" package="true" protected="true" private="false" static="true"/>      
+      <operations public="true" package="true" protected="true" private="false" static="true"/>    
+    </display>  
+  </interface>  
+  <interface id="5" language="java" name="org.opendaylight.aaa.api.PasswordCredentials" project="aaa-authn-api" 
+    file="/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/PasswordCredentials.java" binary="false" 
+    corner="BOTTOM_RIGHT">    
+    <position height="-1" width="-1" x="383" y="218"/>    
+    <display autosize="true" stereotype="true" package="true" initial-value="false" signature="true" accessors="true" 
+      visibility="true">      
+      <attributes public="true" package="true" protected="true" private="false" static="true"/>      
+      <operations public="true" package="true" protected="true" private="false" static="true"/>    
+    </display>  
+  </interface>  
+  <interface id="6" language="java" name="org.opendaylight.aaa.api.Credentials" project="aaa-authn-api" 
+    file="/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/Credentials.java" binary="false" corner="BOTTOM_RIGHT">    
+    <position height="-1" width="-1" x="385" y="93"/>    
+    <display autosize="true" stereotype="true" package="true" initial-value="false" signature="true" accessors="true" 
+      visibility="true">      
+      <attributes public="true" package="true" protected="true" private="false" static="true"/>      
+      <operations public="true" package="true" protected="true" private="false" static="true"/>    
+    </display>  
+  </interface>  
+  <interface id="7" language="java" name="org.opendaylight.aaa.api.Authentication" project="aaa-authn-api" 
+    file="/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/Authentication.java" binary="false" 
+    corner="BOTTOM_RIGHT">    
+    <position height="-1" width="-1" x="386" y="567"/>    
+    <display autosize="true" stereotype="true" package="true" initial-value="false" signature="true" accessors="true" 
+      visibility="true">      
+      <attributes public="true" package="true" protected="true" private="false" static="true"/>      
+      <operations public="true" package="true" protected="true" private="false" static="true"/>    
+    </display>  
+  </interface>  
+  <interface id="8" language="java" name="org.opendaylight.aaa.api.ClaimAuth" project="aaa-authn-api" 
+    file="/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/ClaimAuth.java" binary="false" corner="BOTTOM_RIGHT">    
+    <position height="-1" width="-1" x="138" y="386"/>    
+    <display autosize="true" stereotype="true" package="true" initial-value="false" signature="true" accessors="true" 
+      visibility="true">      
+      <attributes public="true" package="true" protected="true" private="false" static="true"/>      
+      <operations public="true" package="true" protected="true" private="false" static="true"/>    
+    </display>  
+  </interface>  
+  <interface id="9" language="java" name="org.opendaylight.aaa.api.Claim" project="aaa-authn-api" 
+    file="/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/Claim.java" binary="false" corner="BOTTOM_RIGHT">    
+    <position height="-1" width="-1" x="386" y="386"/>    
+    <display autosize="true" stereotype="true" package="true" initial-value="false" signature="true" accessors="true" 
+      visibility="true">      
+      <attributes public="true" package="true" protected="true" private="false" static="true"/>      
+      <operations public="true" package="true" protected="true" private="false" static="true"/>    
+    </display>  
+  </interface>  
+  <dependency id="10">    
+    <end type="SOURCE" refId="3"/>    
+    <end type="TARGET" refId="6"/>  
+  </dependency>  
+  <dependency id="11">    
+    <end type="SOURCE" refId="2"/>    
+    <end type="TARGET" refId="7"/>  
+  </dependency>  
+  <generalization id="12">    
+    <end type="SOURCE" refId="5"/>    
+    <end type="TARGET" refId="6"/>  
+  </generalization>  
+  <dependency id="13">    
+    <end type="SOURCE" refId="3"/>    
+    <end type="TARGET" refId="9"/>  
+  </dependency>  
+  <generalization id="14">    
+    <end type="SOURCE" refId="7"/>    
+    <end type="TARGET" refId="9"/>  
+  </generalization>  
+  <dependency id="15">    
+    <end type="SOURCE" refId="1"/>    
+    <end type="TARGET" refId="7"/>  
+  </dependency>  
+  <dependency id="16">    
+    <end type="SOURCE" refId="8"/>    
+    <end type="TARGET" refId="9"/>  
+  </dependency>  
+  <dependency id="17">    
+    <end type="SOURCE" refId="4"/>    
+    <end type="TARGET" refId="7"/>  
+  </dependency>  
+  <classifier-display autosize="true" stereotype="true" package="true" initial-value="false" signature="true" 
+    accessors="true" visibility="true">    
+    <attributes public="true" package="true" protected="true" private="false" static="true"/>    
+    <operations public="true" package="true" protected="true" private="false" static="true"/>  
+  </classifier-display>  
+  <association-display labels="true" multiplicity="true"/>
+</class-diagram>
\ No newline at end of file
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/docs/credential_auth_sequence.png b/odl-aaa-moon/aaa-authn-api/src/main/docs/credential_auth_sequence.png
new file mode 100644
index 0000000000000000000000000000000000000000..52d636503141c50d6a2544a5674dcd2cc5e27edf
GIT binary patch
literal 29197
zcmbrm1z43^_bt8^13?f;K|)FzR7xa85R?|_6huHeq(c-$8l<~JQt1#jf=G8s3)0=q
z=1w@@sqdWozrXvx`}pW{*e`Facda?c9AnJoB`Yn4g+YRWKp?OliHkfzAkJnW5NE!k
zpM{?=HjbWye=g`qh>0MMPyS1&Ob<pNZXh0s+<$5pvp8a}j@LhUaWxq6%u}ewAG1f}
z8`;%50@Kf>g{C>Oa%!RFYDPsxIekevnooPmZwN2EqyO2JL{RdC;Cvygtg%9%b2lO>
zLFjeMLH%%aG?6emM&$GL1D9QD$+j5#7j3nCEzhyd>Ak7oCKAX>B`?Cih|IS&SKxm|
zWp~dY5QXR%f(XQG!u#X!T?ZBYAsnE3&VvGh5b{Y_MMEGAuHw7E&sg64kAJDwRlUl|
zet&Zg8ykCnfB&qT_TrDvo>wTs#A%ia%kICuU~!ie4=<Q&Wv^e$RZ3bq%%#F<&l20S
zcHDe<q$2(Kl^hMd<>4}GM<Sx|ey?35iD;GGnojx9=H@2%-1b&6ilkm@go`FzgzD0j
zD-`?=g`uILadB}%H?G~*5iu|@c<|sYMlp5*w(PE3Pk(=VEN_2vGt<qRX&D*f%!J|L
z;m4?hl{06~{QB;f_3`7gdqR3sQ&WBvf-YStk7#LW8HWsBy?P}ndHHA`b#%aOHtOUj
zea%aKOHJQ~`x52W)>iOMsVMj{h3lc5s;a7%mX@Zb%hF)cc}&9H-QD+fIuDc1%HGyU
zLqkmGD1WA+qI!dql$`u)X=&u6eEP*J<mzRX9ypfcH6HB(2gW<gBa-zQA;EMqar}<O
zox<GQB`O6kt_m}=ung%Yr%T5=tW9`q4#m5o23lKlieel5)b*a)3|}L@p>h$M^sd$P
zWlHz<8JXC7y?uRLOiT;kyzq*Oio#hn2CJM8G8M80c`qQoC$1V*IPNST?fwdI$FZ{7
z*qCX*LVU+v(`CNrqhWU%CkMyk7}9m5{8e9HpYOZ9{lnAGVBYcDi&t=ktzW%jVP+Pg
z>in!*FDxv4`SRsKGoQ@P(R!(^>s0O?3h_9W3w=4P8s!~%W6nDxbKU89!bwR<vb*=0
zWD`aN_9pS};lb~bRB{^iWy3jgwUAW_39pkf9tGdLDtzzNy!GC?p1!_5dBDv0`27-Q
z28O-KV420GC3`+i7yv>xP4y>FsD>2o-@h*;^jemlgM)*V*Jg2~!WKqA9Q`&IS6H#!
zaAT6F4>~2xHh7m3;jFK$t>M+%T3GPdt=<@^?(Z*=GaajR3{T3?YYuC4k*ILk%FN5l
zd;9h+Oq|rz)b#Y3&SbIFl_m|*+&6E|vW82budS`^ZFbAd75S6$bj{xCYAz@!NX2Yz
zZM{V4e6X#6!&BMp9>{CEeD3`DSMxoOw6u^~NSDse&itdS^-={TC9~nu&$cV07cN{7
zPVDIJ-hfw=|CRpkr<_3?QMu2bVI=$s(9glwtgNi?YzhhrO)KH*0s;b?#jNV3H#C&t
zj26GXCnO}~sFg6<KV|TC*j^l%sPi!~F~Pcg`5o5vu#gZDPa3H?!um?7cQTC@h8DI$
zSqbp6VJ>y0r+@jvSI06}WA@_3i<d7S=iPDKHug@!z{KQ*+ntRWO?+^1zyG{<lDCf!
z85x=07$+AOA%;i3ej_1oV*Bgz@^XHM%^U8kc6^2f1^Vqzay~M-9<F&V&Ohl2{<!XO
z>`CF0phkYrdbVBgI7KUfj90O^HJS+Ja<tF+5{HN=egBuDhQ`wPc;{xR$><lANVK8M
z8bPzsFKI`cbKPPzxC~`lmL?<Rp{BJ{mSZjlOBxk6M@KtjQqe_rPqQ*JA$m|B<R&I2
zrl->x>W#Z@jLW}JR~^PMxQ_2)A{PG`rlG3wBO({!_d+**RM@Uu5j-@XY9jDX8g*RZ
z7e@E2-P;~A!^6WXF&;?D%922jy!VQ+azc#4StM_EdfEoU%a0$*baZqMUYpDVI&@u(
zKVWtC^gQ)Wg6|%&t!-_k($9}pI${zsCxmBfAyF{!5N1NYl;1J_aZC7pWTeXT=g%!I
z^9!$uV-~M_#0!vJCn142^(H9;f>^g>P;fA{Nw>}!16Ip9*6YN?OQV&%3=EGP9ADJ9
zU&<6T9dp{is(k+K{Z*Lb-oCymuJPTyy{+x-W^2`q$i$<A9SQcOgB9c$JloH&Z?7-e
z`5e$Hy?Rx&S<C#<pN!XKt&T`0jxUJIXe}dGrQn@r3C#MSprCqxvSiP=!u(a_-YNq-
zD~sv*LM#lVVz9vH_L&VeV`i2^LDX)t^>}x>%$(y0{2k7k(!K(3yFFge%)lT)#^(F?
z?_JGBNYuW>_Q}YEv=Fb(#Ji?l7pK8}@Zf>4cmO&7EG;D^rFFD?y7Z$1Lsccz-b{S5
zSiobpC<gDOJkOJ9I?QO9nv&AdnkE(fkZo_dVr7;VUUE)h<el?ErjuP7qo1CkRi@<T
z`j1X&Ryuq{l@1IHTorC<ZJmo_@ZO&a*ZT71i@?!l_sMNUqGe6KD}S}{5FJ+6BMFJ*
z@SeWDE~M^N;jZrP&|$VR%_^t8IwCD)W#z!*_NJ!!z8tm3<O&W*YisK}ckawy2%r#5
z%Yr$J%y}oXR!Uz$(7|O_DwDNl$45pM`|jO4r94drB%!lJu+2;xnM3YzYczM|moKv(
zdwYBCfe=#QCbD3)!U)m1+u7N5l<Zuhghd;B?^RQ4t3p2B{*w=V6}D#k=RIpb7Zx%z
zGaE0t*OJ5Xne9x@$e_P>Z-2Tq8Wzt*vPaI&&RP436bsbu;_*@&J3CqxHY}8r)oy4;
z{kc=-cXQ@H@pPf(!h~J1eD#V`ZpnfPF2u@u)BQ5(-Hw(PU(LG~6A(z~9uE~Zy0I`a
z!Zof|_IC}<@sXRsoMuwWrEyoUu#qZf%loYL@Zm$j!`0gTt%W=o<hicY=5V%dPdOS~
z=hd$l;WfTo%h+BT3LnjbT=6&_$J)kbxjVfb0&D14Hy3dgVg1zM-bRzz`NDHBgMOLc
zCF8YeX=@|&spH|{iRHBobKZgPA#Op;f=QF#oVpc_v%WaMzAq|$`bkDLH#MC*d**1c
zsVP&AuB&EDhc17t3DrumPvVnAUso~E0P|cB!u_{zBKvCmC!fml@_YL=;*WGb@Ba9#
zyJ@tqn3)|D6Eo&|><l0xA5-s_u>#BF#$H$dCTn-Pr2;wkehGJyd6z~ssj}e@032`|
zV`1Up&8%j<F0fz;2ndL;U9(;q>}_uLVRb(~+-NVg_+@Ej1^FJ%J3Jxhytht!RNnbC
zeA-{q>euMa+Wv{s!k0`5w5u1L3P;{wrJg0Cla4Xi>>DgHg0;$sj{&2}SP@gzEgmc|
zy8{!CqcV}hVnSqp^d@CWQj%~nUXXZ-6J0)2)wo`vGBY{1sk)91RY1L3v9XGilaswY
z&r!?$toiOdBx*3@Ea&=0yC644DXayT&W;Wtt$e1BWz|pZhf{tjtEw_;C~IgqpG-@w
z!TIXPS%%M^B`&T*hT0cR9=j1bmIrzLl83O8Qvd7Mh=D17$8AzU7rvwN(o*HfkTh;a
zNBZZ~#`wyAdoJ_3yrr{fXme_Pkanma`UVP!ZmqZ;N292%AseAxxE!b<y3IFQVy3lU
zH`N@TiizBx&+_)hfQtY&frYA~rY7jT&%wi^!c5rRjtlvvDUMccQKZput*aXUFm+t;
z_%OJtz07*9>*r5x2TEs!p3E-#%66prc+JC9gYGmbz$k!toKS~l@Y!^EBqw+EXl@H;
z-gVIo$w{e?>nHJGU~mvJTuMsHdl4#!aM!)5aANis=4HbGygoy!Wg%DA<9e>E`)hGA
zCN%UFAh3g-mF|+#h531x{W-ewuMI)ep#vY&)YaA9g`XK38d_RfK7HEbOUyny1sT6<
z?+E5|ir^hOjDVNzar`Hsu&}W3WN06iPfkt(UTreXt+Ox-9yhX3Pf0z(3O=VS+KC1*
zIz?s#E&_o8h6|g7Lp+M|>({T=>~powaGqcdjs36Bw6%XO4VBc^)&dYgr+j+>E9rU%
zMJulGi}pATRn@4VAj(*08fV<hI_VS{o+Fq6T~gic%8;17P+WX`F{bP;hr1?2#r!UZ
z5ii#lBR0!w)_&D<b8yJw7dao;I6MM`H|wJ6RJzg_Ot-nD$ji%Hj;8`BGEM0U7FOtz
zYe&L;FE6ijnfNf5Tg=X-GAA)NjUqO<qM4D`6kpVNt5<3B1LUa{$VxOc?yT(UtlYf3
zYNw$#rTdJ#@Hiw?91;>nXME(`uVswwtdC~Mqiv+U)OUZf3V5-R?D~%>HWzxc0ENp<
zXFN`~*q-a2fhGIw*|V<e1YIGDFNTMn@8Spe+)+DY0tLrYDXG?r6iz~ukpOfHKXEGU
z0&?$}{Sc0$V`}Phux(QQ)rW}9VQZfDAlKg?+Zl_7U!wSj*B$-pp%Sy^TvRg~QdVmI
zF<|>bZ|mjZ$SNYKG0$7KZ-30oGb?{AKU8dze4SaNyl}1pW>(7BD=VvH`b<Fl`#l7$
zjg4MagTaJ|vLGh;T?LzAdT+RnLU)<Ddms!lgS~d>aG(fPkfwh#$t`Umd;7BWgWjhA
zv$_T8gnn)8Z94Jj`M-psAXzY18=%w}V_;h0os&?JZl@kH0GPz-`xOx_EkQ;`Mpjl+
z$nOB8A*Bi@nh%#+z)LtukZOmoiy_DZA_VZZ*pY}9P;X^!9&uauA%KWYw6pT^-C0U`
zZSjIy^!Oyi#D2u=Hz_HfK?=#47a@j4`J>b#IVXoDpnd^RNpd%<U-J}dy_s!O9|vld
zu&}W4@$t=^xy;N=zyS;elylB5`!bbW>utO%9Ra^azSwU-F=Jz6gM@hwY01ymH#;Y1
zraj(uV_It9B2B2TI%_ByxA6PK#PJn4X2f=EYjHqcOKWU!@Fb7vx5XqLKTo`KQLz!r
z;%*FN`-fs;j`sE{s;XVCWoA%H!E}>KA1}fPsQ2;l;k8>$fI>^?Mn`Y&)W%+JZZ2dd
zr`4ZsSy@aY*>%Y;wYAOn)~5mlQ9ru6x*8f9>g#79O~HZ;843G+WCvd|Ro^7d43!Z<
zLkP()FE2ANFhHJxgd<shHUT~NU#iz#-_yGFr}zI$`FdLOYD`6w&s;V{-W_Z|c#6?Y
z`N{p=&DRf&f*0$mi!R0}58^y2Y-MO`SHyP_ZaC<v;>LW~>u+^765CCIgY^uD>h%|F
z7jjL;zjaLqCYfZ^9e&ICzpSDES$K0~uPP~4Iqet5%+U)~7K$m}=q|)~cReKW4WFD8
zW3ke>jN}*IXEk@+v_n45eM)?Q))rItn615~WyXBJzvn$BMx6QGBPK>hwceZxM<G?!
zhrHh~O+IFbZ;pFvsi*~X_S-J>nRMBXdGz*kf3Y#^iZRT+pPX&Lx}z#;kyfd>ompl(
zb`(-OH#VDPHDf!;<+4GotuxVSpmy^n`QzM$Uj+uuVGo+jvg!;hbUJUCtfNV*#*2#F
zl)=}3+AZI=KJ}GU`Zy#688Rj!Eq&Fq8<{z;kVW<MNd-PCBEn~MG`_TAr_AL@$iX2S
zdCc3L=1flJe81RFs5-#w5*HVju|m6^Ui%Qo69b}^%94qJ0wN0wUKHx!x%q1P!A`t-
z!F2uhP>iu6eXwKBQo+amW=&3_t7|4ME>7@A`)7|_@`cX4;NUAIV}!M}{hexwNOJ!D
z)L5>b3A^!cNeqMY7Z10@H&PVzU(e4E)_S(P9IjRH+K?)^;4Nh?VIq~)OU%c2u5&S?
z=CjK99jupo8co+Gu5g*ChQ%Bny9_WeWkql;ZG^LBU80<ui`3L~BP66Qe-({S?&6K}
zAz1#~jHBu3;l|IeC~WNGD9(lG^78%0U_m^uxYmd@QIT(RTvx6SVu;F>m>nPO%@n-5
zJh#!O<{y01Z?IrS!Xd%y%jdS179tF>)_98NFSufA=a2@SSGrv8*}BkiZGSMHkx~k8
z^(M4h`R?~rrahpg)zfzAp2bWXy?0VbW8se<5^paasHyr-Ztx!+_4o9=PaR;g-6FJQ
z=ipEjecMTL)~zf#*$@7Bc_mf}1h|+OG2K}AkG5v<5}8;*ey`Q-gV5~NCD`m&Ebclm
zq{d)CLE&0kr<eJ8tz)iRsWbdO50B{g?+=iNmNW0KQtT}A>n#oPTWd=tEAVOF{cM0y
zC-~FP<y%x5RZzI-WD!Q7@zF~M7X$q5wO=!14$W)PX4CO}dyaBJ?=^qS<|3RA5)B#O
zdBmDqu5;dA3q1O2Z<TXU@};TNp1rcLP-j|FYrvy9Y>%@aRp%29GlyAq6IEtaalA)&
z5Nk^~G;qmr$7Nw}BeSc^JDNKnB$R(;$kxGlF*TU31fm%kPkv`J=J6L5X9#2g0uHvQ
z!vq<D$a^~9s;itUq#|xv*0=|yM1Ec#t+Y}Zu#%Vmm7UFwJa(~Kn~>tQ$?odyEwfoN
z)tk!l!V{aG3hm%;*3jT$!o^!*Y=Ei(*K9=wb+j^tJSGo|i{o)Qd_ql)#+FCv&CWuX
z-Z19c3OD-Q*P^+RVSP1%fXw+>OT^bMRCMn0!oo*8?lN`%%!kQX4g9780_5&E-bn%|
zJ7-PJ#=Q+kNh!b3W0knuwPIfhql<So7X|Ity;oOXb*CT0q87OEbHR3uObXq8D>E(a
zq0`n&5xuGA@!FZYca;OKbAKr_h+ZJ2Bb4gYu?RxFS5T-VxyO+p#|ZF0$B?j6^9&=s
zov@kQ^4{0l<UC{d#Kg~TZt}dZ@(=ov@0JJfDxcLRP1}6xjP%5@+*z(2DhUv<f3iHs
z1NnZ#Z~LgI=!gI*zUkXMrK+aJI3U2fj1iE&v(>+`xoNGTQNgNwi-mdd+)-bW=!(@{
z(!{`(>FEzaLH*N-!n~I-4_-8f5q$g@kS28y)4mhKwPfY6i|_kN`zL;4px~>_a5p!2
z%Z=`V4Gm*2T2{x`Hd96zm1EQH?&#>UZO@Ju8gw2wIFv&jp<H(7XL>wp!>H(uWI;(u
zx$E(_h}))YnqQb%ay}IoGqVzM&X;x0vn;2jrtTS0sP)R54->K;qPkK;c6Ue8(!Qr`
z2{yC8aC)XQL3yNF#iv}}`EW@l_VMh<0gE8g0_qZW{e5iWF0sLNn6Fob;f2h!MmufJ
z@|^GF>bI{T<1x@}!YA4nTioArl#-V-C9HgQ=H=R<`O0Xm=M}5jF>4~0s46q9>^JqH
zQG=hJ1*N9ix5r7x#i5Z4wkf%Y)(xV($J*K+Qw8xktFrR)v1uvx_jymntyo(5_;`yr
zRnZ-pJb0U;RwBJ=lo%+3?C2bSO!I;33c=u`SFe`7c~R3zlRiRcptr-tFLdq6C<~y7
zm%G(RcJBwSaH+bfQ1vd1;CKI5K3-*Z<29NCrUcp2@-dDwaUr}s0}|o9JUrqnwDb)e
z{QM&j{zOD#rY*|=YG!3R&|1YuH)vGWjr1^M_^ZKe+?Y|gbgATf0L6XP;{sCL^|D3L
z;<7TY%~#3Wb#+u?V%H<Dq3{CS&d4|@Ud3Q}{J05UWJrA`=N?J*4LxtnBkG&n1XC|M
zuM;K^wqJp%rl62_&*re5B{x5RMl1le-6^)hHShV-L6y=ShYIIVAGx_@Z?^v4n%YEb
z_afH3o}S)S0s=P2i!bW^lMlA*Ug*c0432*NTCOiMQ&?!QuNE|`0^^jHrf51tDpf9;
znJOJGy}F|%|HRU(3d7pEaNyH3IprT-hljXjx>BxP-}hEJ+T!>vs$UbQ%h17kxkAz-
zQLJB<g%_DE8{<gEJE&O|L!}WHsvzY0nkBrj9ma8ci5IB3Gy3{s!VRnAR;qkwn-<e9
z$e9mI#|{#bIaA&;uRS`T+jZ(zJYvQZHa0o0QEn}J^TNf83sy6^5=a(id@P_YDLFZH
z42c_BS{6FKrYR&dr@GZ9`GqjBZU#gQKjpKSc+$=6P<u9I_fS@4@6Mg|68ZGvt%d$r
z&3wn5wOHO{f&E#H{f#P^m}qF^lquQSNo7)np2f)CysRud+<X9swihl^w6w9dG%{dZ
z;>mY8s#-y6)l4-F47*>V_Vy7SDiQ1J?Ij`<*xE+X&`gS3#V#ytz=ar@w2JM2bSOGG
zz2mv7EEBb9s6HHuJZ{@R+KGnyUx5VyPp<d9Tp}DhH&;XOnD2RC_9eg3m!_`_73te5
z8RWmfS%e?xLX{*hPhm1-Lvtfx?Pf}fv*OdIB-d8YofQz3lapI(Y&6udh@GJB$P7_*
z#qhr#kPb<9)1S;lDf`D`Rpc*7_<&j(TsUo|*!8@X6cxXsj_4K^uEWZwy*V0MRphYc
z581k~&{w0vA4;#!Foqs@J`ZK9N*km^%TzYsoflu*qr9^oQ&cpyyGETN^9f?nQ6BQn
z@$N4fUS1|VyyUkRf4zM9P0T+=O3Jxs_~zh)3dxy`9ap-0`(yfT>PutCZv~vw>b|M_
z`lCva$iqut!@{PC*xsS`7YMFLe@45w??=jWi{9Xw6+hg-TDMGz@yMXRyzfse;%lp@
zUFt7Z`UmGRt5*6~j;;vo*0i)t9`5nqyQfZD4=kCNsA$p^LF2<~5>{EwFFf817ZeeE
zt6$-<oXnQJ`*Px&o<x|_r{|3qTbDcv+j*>RVv+u69<X=H(+tMLTVd5&j*pA`xQkxM
znA#gZ@$37P<<5%Mb>h9Dy$x>FieD!$s^hEJ_QKb<i_<!H9k=WG9g|vHJv}{Q1D%zD
zCaY;|+<|nNr^$a%d&OCev+2o6rl$4r8GafPEo!Fx8b6+5d&y^Ohk|bCLA`&mrsjiU
zvj7f`9-t&!+hXO;er-6J%oMf?QjC^S2L_2Bf5lL)$R7-HMseB3;Oz>8c3JYuzPWh<
zo3j@67OJNv@p*Xm6cshOZ{L2hmS&-2sAeoBmsS`NZ*oZN+8(#UZx`5I?A+9wEH>kc
z;z@mjbw4YE`3y%C$&0*c>=*#GT#Hgzo)-+Fq5)IqtQYuU3c9=~B*hhaU^r2I+pg|P
zX1W(cX7M2EBY<s!+2Mh>q~+paYy?UW>tMwRG_2K||Gy+J)t&GI0QW--*d6HN2rLgb
zG)_-^g;d2u+bSE&81{3=GZ=$ca3$rnQ-oqaGYDE_{k8g-#zfl3mqcKn`EmJD8pEw8
z32i?@;#*w5g93+OtUV+Ugnu(GZ+Hlf_6E%1ylxHDjyg+ye%@DVuhD7T71ghs_5i{4
z;Ef@MFMb9)*A(5xi8P0Jdf{&h-880P^i8ohB*K3lH@%jn3ZW7h<Dw$YZZ{5zBkFUA
z*ZtoQ36RAWwze`761w*=MDfLxWo4_!&7pFAN{kC?Ai-~^Voc7?_MO8~O+Z~O_AaK4
zn643byQeGfaz|@7GKw@ZGLiuw1FA>R76?g5qT=F~r>69tJ?jLeVs+KLywwAf2nc*#
zL&Ld+1zzX<O%}D{=PzDZ-i?WhA}MzZ2xt#uQA4McQc9<Pxi#MlWvQZ~BGi;swkzb6
z&(|j#se%l?`x0Nhdev{j%g>LD&+b!dDs6oG&dyFcchH9q6XWC0UcQ`PTy*+beWpBh
z*yHhq8@7qr53i1vTGV!TcMlJLfl?c^nUEuGajKx*g9Ar9yDxTY!lnqIE}aCR=xqgU
z%LeLiP9u;hG=?r~8htX{W~q2~@(LLR8Pdq8O?{2Isj1)M<m=R71c`^l#+n!zUB}0#
zA@q@#mnS17ZHwWNmzC9i{v4l-OiHc?_?b&5JkX|UZ*Q+P9k3;E`c;tHqI1b9C{`vX
zpPq_^NI09BnVAE@_3P09s<|+3^72O4|I(;(igYp2*SB5$`87ZP4ko5gU?9$C<(QBV
zP#LU&9Vx>My^>It@%#}rkmQ_q?f@AXuFPCzHRE4dc?6~X#>U1aO3=PQsv#F}+J#fo
zdw;ktWMjic`FyG=6xU0H26td+=tM28d{<yENqeo3@F7MIarC<U5auxe6bA2mmXqQj
zAEcU@{P^??SY}WjmdB7t>+#j`+GwUjOC_Y`ly^{2Cvf`k^RbSO8_r6m<9Rtbtqlzc
z^z(ZgGbN@Y^Ft*oZ~!)iz;LPrkzq8PM8I)da#?r^&486rr3)R7xu;!?m|F+t1&i!n
z2<st*)2dr?vaW&x!BN;SVzwqeHdczwX=lW?KTnIz)@R9EN-%fvUC`NA-_s7CqZ9=T
zKy(s9Z)|M^{(IuMAFhUhfdTXlh<SxmYG#d*&G+S=T4e=XyFJm7_yA-)U{B0#Z2WzF
zpW?iWiyIxU^#s97LtVWuPfLcV=fekFF)=a2Xi%=!_MA?~SwW89e*Ifx<D>nY;9z-8
zP4c6AY-}s=fR`>^+AOg|OBln&@YuwJvv`RlX<LDoezsilV)g2zIJV~lbPIFy*@1%e
zO*xw&@t%$jbJXEpM8q}2=9(H|A|j#_Y4KxL7W=JRH;y-IY$kvA0ytw!FVBPG07&7H
zxVRlGi^K<>XV0GfQdyaklQYM{g-c9aW;RxJo!j&-FE5_(yDJpZ=oZ%2Az?DY;vjth
zDLu*hRN(dCplX>MC;v_NKv0Q58Br<cV`6IV>kD&n2Dx{3cDA~@8i>*jc+@lE@$TA$
z(J#jGum3g`g7=tQ;tP`{J%w&cM#!qGe*vKrcr3VaGqaVzz`&hR$GpNq>;7B~kimi1
zN|Q*4jg9s4YW({4qS4EjAe4THiW(fA2SEi6fN62-&K(#jkXS&9aK~|WKJxYTZEAWv
zfPi=d3La<!CqO{1v9VF-^N;%a^rR#mP{iSPf$GUp%mMZ0Lxt=fBFg7+7)K3*d>SkU
z_jm6Aw4|n`nGO}R+_>@DwD#8;A*(ttkM#shiX67*p58KVlJz`?rgs{S83l<^8E!m&
z0y#*a%7OU;E!)`GIE+;TY845&rw~RyJ*(YyLb+eU8y+5h^Y$$)1gBkdct+sJKnQ=)
z7W0VBxV&713dnCicwCTfv$CMPoSDOda3`&$b)uZ-e|@T;AQi_q(AAYM7C??k#Co_`
z(0-zR$@PGE&jV*<XD`Urs37OH@ik?(P5f|%gD8}F03B4~+aM^ym+-nw2MZrj1$D%)
z2|8~3CS`!`<Wv8vuD-q*>ov+3nV<h**`_Ik!Ed`<DrC%FHZpQ-dgLtP6TyaS8QW;D
z47E$}I?VR<b=5LU+HSY%<Bj&Tw}wXB7{eMdXGiC5jriyr_GP%G(OmmaqKZWJwr4g5
zRik?|O6)JRpO1F^yd&jgrZ7Io^g;FWrW8#?TJ?Xz{;@fQkXlfWH>Qjh1D~@8oakA3
zxO_G5SzDsCw`UQuY%OE+f^Eb)eaRa>7kOIVonhV<2(7V3@5l#GaE(D$&A3UXsC0s2
zr`-bbnbg+FooOu_7RqjWAK&ed4XQ>Udhj+p;-!MA-Bi?_<3>sor3;*vzGF?zZ_Ij#
z-;#3sbNyFG8?2pV_&|@ED^W`WBc2W~zTY(CDIUg$lRUde5shlRoe?K`yzHGN@Ml(z
zWIHsDBE9qy{V!RV=!BG$CH|Ygh2sVJu|-?pw*R@FzFGImzT^vEM$3((oSRMIG4$av
z{36?IW7sF1Us80-A<zI9Y<avOza6brv5kg!jc>a3_QLA>NL$^(`E=LeXZLUr2)}x#
zasBQ|aRa)(<nl_JC9yw~^lwj`c=YAJeo7(q$jovCAOZ)zO9xHH5dvX`?m@wE`K2JD
zI=Umm{xG4)dUFe|9nC6pt@5WcV`^P*&>z6T3%>sdUxqS(ndb&($^NO$=eKL!$D;ho
zasKz^UXwQ$OwGikCE%>uW{uy$EG2Vm>GzSYT1A$nq;Lo#*@jY>DB?xcib-GgGA=Kl
zF*GE04}9~64){E8@5g1Wci1<0Vo;o%6I|~<@Z?!I;mbR9yfmt-eb>s$<~sUL?Hr=R
zl0<74ih-Hd1JhsM>m<+1DsIQ;)8MS?>b&vu!;174!DA3G*x&z>DxuG;MwmST1}bIA
zUzo>1)cUcpWU(=%=#&f$uJ(2<cR0zW7x_@tZd#WpBO~{O$20ae-nO*7^L+O`EnVNi
z{=BNP?`)sR6T4l8a?jn}>#VHuetw?P@l~0b^8}Tj44Y$Os07BWHm2h*UfH%a-|f#<
z8SClom5Doy6yG%d?#o6+B^@5BAQ`>A*BsvK9{69>S%c=RJU)~i*u1=KOj+O<X@~rl
z_@>e**P@%B)_u4%Xnt-lsBCXFSA%YOm{?TqskC$ukYsGgVIG}t^_7k?Dit<Y_`Q<n
zMm5SqYQ{IsHbp70%Id|Ii_g80Tj*c0vWR@C%f4N)Qe(4tcYglf$e=?@`76h{q9}60
zx%<J6c9$sS(;c+FL>$h_Ek~z==?q60y{^#8`2~IV;x&upj0!2_@W=tFz!$fq<*?8r
zP-6&j^PezRg@#xI&Hi(HDVdlUi7Tv_9l?N0`&>W1sEFX)c@}&hv(&VQymyu3c?#GC
z1xGt%1@EjMl$Q%$AsZAzzl4q2+}rq;#!^tw4!@dvIZ%B0y~w5QZAB>8h2(5ajL$(y
z^rUCx@X$`Up+H{=j$5~L2xnV?`xzL}Us`m(c;!N8&{L&!C~s^mE$LZ~lB-bL-URHG
zl_OKjL`SqGpNIKdTlw{$KmTOZPo%S!!)u$gxRkTKq9sxP#i>kCbi{d$s<XGq$Y55<
zaz~oEiWZlaV?W6@b8b!UQ%;f5jC{|CQNIh7drQ2aC{-B{tqiQ;(ZL(h!?je79h2mm
z-sQZmsE~HS_}<N*q|~M+5!%&ve@E0xhXRITT8<;Y-kOb+3qBX85N<F-(qf#OZVo?K
zn42p<Wu{*j6i|;a-!k`>Z9uvlk^ht7`u0)&Ql%quYKB`{Nl71A%JQtzQYI<2E)5pd
zO##o^s~CHxrmV!o_Lj-{|H@B28Urhq-FgZ$-{EAfC(qZf&1~vFva~NwafMZ+fBsD5
zxM{9hIO_}y4eH1-Tb+2dTPA%@x@zwQIpw#W9=p*mjbZ_D!4<Z^hY3?6JBcVomQO~f
z%xa9<y|k>XBaeqvdS^MdwN(lzB?1b<^PaX1IN|Q@YE63Xq-Gzq6CVF3#7!Stjz!Zm
z;&O6`!%IM?q@~sK_vh*=0f|N$oq;9ihP(Bwwgf;h7FI^wwY@m&x9=`IDlv@(P9fij
zhi8Dh|AUKE_yghh{@6-XK@EP7Wn^|%$Jwu5O)pb79jhA2%+zc|1*Kf2zCe1f@L7MZ
z?n0l(;2;K<srur|v9uL0{mFE2UQda^Mj?480>hPr(Qn`SsiGQn%x&lM;lrIWN872U
zrANVG+=C9!#?P14r<a+4XO6iAol>0@1jUyxCD|q|c>wgTJ=-&Lx5Un?tbFBy3ZBNk
z3MCH4X|c6Z<QklWDf!^7JI=(cfxPT0avg`zCP|4+UrmjY(!F*ZN0^i}+i}}kTEZvo
z`g@Uf5)v9ZY4v-y%jMQNHNu_MZtH4&Jv~i+ZncJAXn>t@K9C+RU5i)42Kp?>nOhK<
z0`$nGO9xt&nLO6Bl0wzoqod1!!z_8jhm@D&Y!(e1_tuY5z8Z>(ZaF!xah}LiyMVZ}
zEXdBD_u%67GROLv=+O$>FP(jUzL()vqRHc@i&G;eYLi}zP>owglj@~bK6>NEcv`YB
z2tqPHz8Ortw3GvEA28`S6Tf}|v?>FxXn+452rr5`gQm})-x#v1alcwum$WoQ4G|d=
zGv2|`6&Kg?c@utKcJ`a21DU>l?r+~UA4`52Qg5Et>FA%)dp@b4SQWzhF(ZTH*3V1l
zoV>x_HxV4%{cYmjT!m8J=-QSB@VT&dZ{V+EVQtObWz%?E=89ZP3_N*I>Bx!Dpdca=
z5;Y~I_^5q@p<?PYXYgjF74t^rG&G{a!af`IuMHH?HI4A1p=r*vZTnT-CG{Wvm8`9X
zK`+3JfluHy>&TVoDOF%Lfc0l(jQ8%{J~_E_@P{XtD4nVdoetx4>)SBTQR}xII*e82
zUA#QYFa+Y_;Y3}BmTRSsF1yW7A!HEs#S7<I3X2G0_z!-?@pn#7*VfiZ@9x@h^yimd
z195(LE?uqIl%HASj(%H;8=4~zZ@@~gk)_VW$W-%DcQ<?L%Kn~TG^bHbLl8xDgx$IG
z9<h97z2CmQ$H}*xD$dB*eHhzp!fY#JVsd_M%@F`G6TW}cU5kMav=q!L>t{y1LPI@*
zgI9Q0n8A^=?Mbm;{BmWIoZ|e@6QQ+dayJ+lT8D--BEwFcxYNgv+AZ2}^iaKzt&UUZ
zm={IVhkHv)$(C@U9)nqKX1ett-kGZa>j3CIOUw0~>@U*CriotPCd#E_zthsV@62|V
zb*eo^1(Va_UB2e|8-D6pWCFo5h9{Vuuc57pQTtvX_bZfBmnQ|+K}dX`w|~{osj1Pz
zc{D`z!ZQE><AOYW-Q9lgcWqjuG)xGt$a5JhKiBPEr?ym0Emnjgd(C7>z%f|*$EH@{
zA1~)H$Ay;DHjAP#?86E45F*@AIx!U|+-V_l;W`S|m3{CRJXf_^U}#B`LHQS~sdXak
z3hDigs)3vN@8fjH1q~QmeqBV^VYO(jfnNH$>6X^+00$3l56=HR?2Gs(JdCKn5{0n=
zH=~L6*C&wjKga2Qt{eaNSou%t<$q4myiKd&a{*Q+q1hUdV;+OoV2utV73H_bgtAi-
zgi@^KJA(P$UoIy2>jX*u*9e|I``^6UHNPRwza4kViUHc4&iieAPo8+6u0G-2-x#O=
zyVH{dX@kc~CSE}A9>zPvZ{lu!I;R|w%Eqz35dTMkui$qoHXi88R2Uu^>F(-6r#yfD
zJSjHRdBUazEiIDRp1`FfPpsn0lNPL-Ga^n){Hj$nAr%$kBjFo3-@bjjcKtg0b(t&!
zofgEP?_N!NT4PYcJJo1ys1V7?$<xx(+S=N{2z<jG2qp}V8mP;nBO{^YOiNEc@h2!N
zTQBsn@bMiAs(A%~9~kVyaRSZ`KsNk_21y0tk@g$YP{8uuz1tGSnU$Ms`d0!9C^YaZ
zL8PXoq~YSS0eS|!7ES_VV`Ey|!tqHNy;({_;D}OD@dG^>oEa>n=j_Kv{)>i6p=YF{
z6T5)}KGM;;y1MV*rz=*fhCb_hW@Tj+6>WjHakePxA+4Xv@+gDrq{YcNWFDqO*!Y&-
zCOi8{B?~t@JG-T(hKhzpgqe_zmX?^9c%;gi_y5371;@vOqw^Xuv5JzC?Q937u=sxn
zsbX;P-E_}ZFMC221l}q~#{=Nrp5W{0>Vn28>YcQH!X*Kn-Q3nTy=E8Arj<s|$jdv_
z*0u~zRBIaGx1h`fhab48pj2m4%w7d3_(|Tfw)tPFskzm@Tn!1io+6`ubV?w^!o_K>
zkn{btECVjiGWo;FQy0~XpUJouy?#PKAhy<q%#fGPy#enTfUmNO3NU+(3=BlNFx|Q(
zOOLOKbcwD1<$Sc&@8IA7&Ju9wqMw?YpMsg`=<pEy>fl!4dES5{EDqkU?l5a5A3~N1
z^SfZfZf*6;ost3`4E*k{EfKdt9i(SrDJm`ok7Zbuk%7VPWMlB^>MEGOK&;U!HNXE=
zx)F<wi>nxldN>OhP8Y_I$4#M3t|u0=qv0~EOO&Rjrkh6Cp52v>wqULw9#*fDV?f#>
zs&Ab10LW5<J;&eQzsu}kYe5Xa6ALYXrw%uq57E(TPoI99*_gY4g@pwa0ysUxG@2V5
zKbD1oz$YsX0$*p4IE^KBXLmO*@CPCy=fa!8RAvTqmv-a0@S*QDi`kAuNCiMcwDtAb
zfC&eMLbWc146nxV*$X2BSzDT$leN^8m2p4;WIe%%A({<SmbAED6B!|6ya;U^@X(;@
zJ3BuoBna)B0Eq-X#iOX-pbses6e??4FthdB<6fDYH#9Z|<tivE{{U1_EMd#abmxxc
zSd}wSJ+0uZ^zkVuDhdVEBZvh55zu5nMQS;%iGpMQ&A@BR+JzsVlNW1X8b6E<l(2Y;
zNVxiYz|By&H2v$Byqw%;;Ag;77ZMVpkfjJSypb#7)-z!Xi!~6b0jYp-y|S|Mfv|9z
zWaNj?&?47k6dVmE?tR<yWh~J{xm8szz%uFSrCL7{74>j)a}&CeKo2|<<Ec+kVyyDi
z@^AL=;XANNpSBUC{Q3e;Hjs|5zhdS7@~`w#Lfx<AyP4eX@@M`-zMn7@_pyo?zwSD@
zI5`~x>vZny*Oo~3ouwgepfv|BKzJZx(>&bj*D^6Sz5qQMmXi$$2{+W#hJcz~9w?|E
z9_9n23S?JVSgVOGc%|dPt_YUpREcRgkNHm_ef=2#2edbDvT9ZF@$+l!=f=m6WvdiC
z^d~jc(ZR*Xw_cxo1lD%p2AGG*Nl7Gd_k3`E=suwq^GEln0e>*7O8)c4540@g6fhaL
z7nf@@>(675{CtWy6&4KluaY4QGJqo=0b^J}yMXRJ93Iqw^(~WDO}7dk;C0B-9M_mz
zBmB{YByPLbov=g+E`^L=!Jc+J?n!ZnOmu@jlX)&rkjNNSH_E+Mso;^GC;swy=aHMD
zAHD(UiB2K2RWKJ%`j(_C^V|@)y}K#tMV~OS@;RrjZW6?$s(8+6N}pLlAJ!;*nIiP-
z698DYL&VaOdi#zRU&FI|7=aJeQ4<!kjrECik=W->dyx+O4rcClQzG{CyT2B)?Qp2l
zJJz|zEVPMhBL+|Okf(lG?FHAldkn+!fIm`qChs0c7!dubjeNX{E%sIZ=s$^Das~~d
zU}v+F7#I1uQO%!)`~2%|_uqP)ZUs;%WB-jO;`(RSheVxm`ER{bC-~;Sjyt&sV7Y$-
zD1~F<3W|yX&ihZv%3s!s4@O_`$Rsho7yMTc1IIx8OHWO`Dh%$`yQI<z3cb;`3cpJ>
znr5%gfB5j>@DL@hi;IUxCmC@A2VGK1$`hN+0VY#F=1_gTesdU09#Q55e=CTO=65+c
zIrE5q7<r~gOhgzN8F^w|SJc!T%@i20z6lr$4N;htpP$dQ^7!}MTVg^3#z)XghDt4{
zDQRxr{5~`^G%|7orQqD$9K;*Qjz0eWE|m>x3s^fLD&D$%{ry_y)^quK%}+@~_l2OX
z%n$$ib#Me~OGrov#ILNZXo1&pc0RbuKZegfUz{ciJdhCFDo>ULFu~uxftsuW7j+K=
z{|Fl!8;BvMBjp~Ro_HsN08}lw>7kEm@#jyWl8~j$>}=z~LPIvKDjIk23WGmCA}Z=0
zFE7Pi^MtZh645T}WcNT=7eJbW$HA*^0<<a9AD_mv@~Y;6!1=Ai=nJ$#O-?=+7Ju;~
zO_n}J(6tKsI}8jmhI65c0;Ry$&kyKs*2>1UcaDSB=_$4M<$C6Ovz8VYPeNJ%x%0{>
ze_bsd_ZML2?HnAUqN8n>24Bsz#o~)jO-`bpdjq<CMQQ1eA3siX4d`An2VJhXShK`b
z!^%^Yq+qy`+FdgC-WD{OfG^*na=6<LzuW&R_kXlMZ$-bSpyUM9L!aE8qru-2F@#9>
z!1?)?<*kq|L64G@3-R-7t@9z83v&+y_wJ|c>_xD05~80wnGUGKvYZ?fS=m5kW@#xY
zi03E0V<VP-mxi7eXB{3oolrQS4>v(01N3cu)3JE+1j@TkNIg^U=qk#G{hr`YEib$5
zu0Hcl0!I5Gy8Zg3*YHUCj&+?k0aXw^FK>mR5-1r!`$MFK7YWy=azA(RB62*AQDFLC
zu){5<|4;0|#DDYOVS^k#rz`3Z8j#fYLUg+$-2pxPu>f;O7y#IS(h)$+J`JM+U<F*c
zfW98*Ry?b{AR*BVT~dG`1Y8d9va<UB6Hz3qv8oonuN_DCfUZ35@*2*qzrvEvk}1#v
z)Go^`Kh%O|N9cf~eDDrOScK|ocr(0N#ZT0bfrJxRVVy`-K$F|wz{#VXy?2h8cIlU~
zu;TgbammS1AhG@Y`4eOV`uFOlb|5i8_lR<#K~P+r<}vC>DOY{3TSl;R31*Z8x&>I9
zwXE*OfPFhUI(lY$nlbp2<&J4XASL8oj5o&aQu??6J#GN075N|8S(Wn%JSw0X|M%|!
zc!8{wlbM+mb@=E*nuNhwx7RL-d3n&t82<+*@%RmsBx_-M2=99UegS=LNbS)hujJ(9
z%^{G=I-?ay<A(hR2?&6*`Y|+wC%m}0NQ2u59YuOZ$Ixg3!G(o|WzLKj(2lwijC;Nu
z;62X%Cwu$~PAy{p4qhw|DBT;dPEGBYb2ZSwwqNAoah}q>c?uW&R#I~w>a0L0(VskT
z+vsRq)$IftuGmKaB@l=lf`95`D79<z^Yb7yy>IztNQy0XUkMsSphqG^z?co!iv*Nw
zN6AV<C3rk2OS;TzYiht39tz9`2j4*NlxYZxv@$W#4d;$Q#|<W?ENJB!(C@H;HWafl
zf&J~GLhdq+Sm?(A5ZFb4iHQkS$nHBw#+?X>shJtuxh`mu8i(=#W<LfxIzVL8Wq*&i
zZy$88-m_V>gPzAZz(dSxYHDR!OcbGKalPE7ud#ePH2tH_HRu&rc>46(wQK0-&Yn;%
zNgslP>vTT<Q*nFD4KWvNNg3JMAw#_&WI;<`iP@N@l9H0L^6b(Q87^+uuuZhh)W72_
zEE$_uW!H;JN@gs}L`6m2aWphWK<r~f9^Sco_atmWn;Z?za|rn-T{y{>v?W<5SV>QB
z3Dn`LDgkik-oCxox>Hydo1{_c(A(b+x_NCwgE$!3;X_P(RT#QMtzjMmIf7*d3KoPe
z=<I{Y@bTkEFz#cbqZ_dD(I!7h$jEqKrI+-dclw811GCp^x`h}5dO?8|=$w%1peTXH
zO;ZDdQZUp*FA~PNH&!!ktr551n({erFUklWLD`pMS&?5@2)h3SwA#GX)dg@>9Yig5
z;rw~dl94oxwY@`tOwiZ`wFa~^ECaNzetpKW7CJbVAHw|S=i`IqIvaO%bOf`$J%*<n
z>3R(L8j4a8F){8+SJo1yf5N(%-v$EWUuzVn(PTr=&6_u&&jy+jIBwsjJgK_wFfwM!
z%~;j~V)hFN5VV|p4=D%c(Fa<IFlLo5b-Tw8Q-vVrmXwri4(Z!cDDtz)cErJ=o<3GQ
zk*0P&;=j;E5dP)~p`?K@ecB`DKPNQU0yUQD=$E|#{rKBt4ad}kKG5tL5*XN#EOy1A
zQ7{@iEoXqq+|~laF1^;84NzFJ!igK@ls++mq6zA<hNdQ+dx2b5pjtx`37n%Rf%Lw;
zzWzb+=r|!GKLv?W|FlQsIQDHvksz*$>Z8KEJeuEI&jZljJRn+$h<t;`1}*cuHM5Cs
z?K><<&kki1lO;$L_`{0-t{^Hr{4pAV?4?+luTL|?O)v#Qf(qO)nMQVNH$3Nr5R)C_
zYiWI&y7#<`zdD_?scZM0Jc@H!dS}hCZC#%ElZ+Q%PYm|2kH_aX7QbV?ikdRwHl<gJ
zueZKy60qla@Z(Qb==C#Fe{F;K`;JO7jQ4mCdyr(KWDIIs1E<6A$J(nFKl9dj%x2}5
zNj6}^R!;3xS_62g2)#}uZ#QKI_Qt8K_6JRMqOKiJUi&NcbUWbG2XxD|?l-T`zi={t
zVYNiZkF<aH0{pJJ{(}j7{asvAGUnE^H$pdVadMJ@5dtRe>=gKMfK&nB@3QJ2{EA1=
zn|+<XoWEMUi2i?v-b^h--Gp%P@N|uhv)|kp@Rr&G2@!!H5n?6;R>TQfP2-)nBdy2b
zwL<4yiOEn{WaI!$H9#L|Xm0`4K*yw@%b_w@ZT9y8%Y}r6+01r~4;1J_`yJXvZ1r+$
zLrF<raT--fX=P>hA|fJ>9yPu>j|mQp_Mg~qntsM_!bStHqq)tXd^$1K*o*^yB;kZ|
zcx`7#&~|wk8f5_d@$vCNFMYi)F|~=TrY38UI27bi2|?c=n33Y6qV_@HhuX<`vr`PZ
zGoRG8A(CNY{l*!c(p;$#;xrSMWq<^{qyL=-FztB(jg;;<kn{IBJ!|JiD=XlRp~mMu
z-+mV4U!c$a!ZG4QQ+TjA4KQG#IY)p&vvYEa3JXJ6|5>vubhlf9_uvnO;xQ-`Ww>4`
zBeoB8!88_$oVW<PFkq2zzygG#^|8&#Xz%Z=u&I5brlyAS(iSWs&=p%+dKYp=s2Ik)
z{|Q-wFbD$1N?g1F3b}7OYds(3c}Ux!l^I6%_yjWaFBd}V9vT{&n~;!P50tBrM2@%e
zTyJ0F%Af?{yW_G#0Om_kf)gPh?U^qUiG-&Gp6I*Zb?9dX6BiyC8NXo{%>WmKU@)eD
zk*2t~n4JAZ%lcF^Sgj&4uKh0DpGwQ3R@Ahtu0a&e3<n)%dX01ZN*4{R#_8OBq2Kaw
zcTFlB5~Jw83JPk}D6WJtXb$Rn0Tz>disSIGuwv&@=9)D2OVev;ukU^6@%Cw_)uZ53
zb7Fn;gei?^`%our;R<FX)@7k?C`zv&Rt51D!eZi_XG;!eB_`I1B*oCGg&~;LSM2Yl
zkm+$<(7p|{@_XAYql}MPO$|`wB6zGf?d6SfZ<C1*X`{S<E9OBEuiHS9BV|(Qt0wAm
zT(p~jc29d?zzzg3V&1*>>g6SNgO&M5qWYfk`z5s%)Mfj8X}V{%2~L^RsEPRv(owRx
z)n)O4^!-R|jMrGeTnptu`8>M+d|fSGGHqs!oecZ+ciq3NMgxl!$x%xV`(`=LuLzEl
zXNG$Dl*j!!E&!D!%PE5^$aCSpsOB`42Ni!Y`E6X;IRmDHXq2ok2}$gyeuo}JTC(;v
zs7hZu*vAjnTca;p$KcuN4!#VCXjRob0Fmfq=MNI{+Z(2mYDb#^ypk7dX#T8_PhEzu
zw=zuglnx*wo(w?3Lw~DxKNVehdD<?e1T1w6l8;0bYZ<NVv7g4ZgvWW#BkkD#Rr&(d
zb~*Jb{xQN}Ie40_P!tcLWzGq1f#C1{1<|dwTjx(KjfFKmQ5u%v%||A$>tN~r?;__n
zpv@7SZ|n~<!D^bJ5Wn`@-86|me!Q`9kl$M2_x^4rC^8Q*ot+3x1}rnMN}kBBy4TKW
z$;k~2ibpm5-WC-)=3tUz_v6#R)Kq(@mPg(1wA61l5pUo++oN|zzWezMeVNg6+0*Sx
zkuw=Jp+0*?@a9bje1SpY;7*qaZ&NO2-Ys(cElvD2KJbE>x1b<7IQT*Gg2sMV%n4&`
z`(wcVlrVMx!uZOZE$B*>U(T{HKeS%pV&FT(r=($L*P<uobae@g99Zq>_@R{da(TpY
zcDyqH2luayH_*qC<Op?nZ}$eZ)yB9+h4gS4yLVCsm>k@+d-k^u)Ya1lfA}6PS9~Jl
z^)D}%E-5B2Fdfl!$oVf{1GEG+H!(sB#^F@+{J&cy@Pt!>IJ`d@BJw>`=dihK>C>dQ
zs_bs>btVt@^P)}yBPLi`3+b5`zirNqwpKch3qO%;soUJdqooZ8HLmPsuZ?g6_!28C
z1&KLdc66sB>%W`AE)5+8`gvD{o0{UHqe%4iVj~4c4kqd*Z|h!Im^BCcw`ANGoz|#;
zctIJ+dy`uWJLr`5_O#IT<Fxv9C^gkpMC{lR>>Sio(s;s6&G8a6A2v6C;L#OltCj4m
zAPb(z2Y@rD`yJMJSsC=Li=t3QTxObznl4kLmA{~iAt{-y;o-rdy@H`(U2C-16ZvEi
zFTMOKMbLvDQe981aHJ?Z(=oZ6F#O;?Y(FqA9mU~|ni6VG1ga#X;t#_>{4~im5)wZ9
zCxqlK>*KXCKYvaUu`bfOf2-4gj+H8u1Ax`sETjJOm}wp!u?a&LFGzzM0IcL)6$|Oo
zw42LEVew;kH8f%)*`4Q1>b`3(cGenpChcr(T0;f<*;20>5N-N$TkHWy{jIGYF0JF{
z<+dxvrludF)r`%|ULB*nZtD(fezAjw%x5MhD(cKH@mK%eZzC2pJd;j+2p;~{^Bu$3
zP5k(Uln>N#aZM{xw?3Ue2^r-~zf1m6Rib12<hOOI6CYfk_+@ta+O1kJo<E;7a}OLI
zo=Bp)8o%<$)nstf>i$=Gha7A&<4csdUX##C<9cL7PnlAxJUMGXz0}v(7>5H~CC||W
z5|eCw{qbx+A>j*moD&P=ZBEWKBFi#TFi?U}v%5+xR$ro_o(7x4<UwO#_kgZ2WxPvb
za&4$MO@2_r!;BlRr)^}H6BD5OY-UE#aL>Ge3~X-!r)=!0qv`RP@+vM4XsS?W^~8As
z1`O?LYWI*(1svh^4GG|*0s}uC_hv;s@N7GG&IxwoS^lX#Qjl(?s>(6qCBB)RcwgAn
zu6^7bo$}EmLuhK4ySNORdwXmJ>xj;?M1!9~U7wSerkanVXTm}iw2hbyZV&!TABegr
z7cL1|;soM!#=whsgboz`W~U?8Z^*&9%l{52I>e{?B>tz862Ky&qEy1~V`D?TygI+W
zwE!CxwOCtPngEr%dZj~szwM)k595M@++-WLIeNJ7+yPEp#NxBT!FB_55Z2VB!$NR(
zCk<Ls++N-fVbD}jIS<{C*?DH~{VGEu?7}r8{wcky`W7c8bydHn!&znUhL4Q2G@j1_
zeqPt`#-TS_V8vU@E9Xb5GQ>s3#O+S+`($C$zc9#H8Sms~U<h@ov|WjU{*!ZWf@az@
z;&0b_;!MnNn?ef+wU~>s&cs!Ge4F)2MLaxe35g9Kq6e-=Ti$-HKitrcfWf|oUnpBV
z1il!&o4zSpLxUJ?aYq*IaRv~+o;{;;a^joy_!r^)zE5XcB)j3yYR$H`UyfT*F%fpQ
zdzQzWo04@|4G*a#ED)BqC$nRSjyBcav7+Rf;KJ?W@Pi4BqaT~m_!-wv)#c8pgJx&A
z$izhM_qrunXYs`wg#EAPIanzvzla62`HeoAX50A<iv2|eePRp-&@1H6_4NpDk-bm*
zLn3GLI(6uufHojPABs3tyzo18WybXG?em7_%PNy0eaVYSgb}WpkkvwN>wJ3+c9&aZ
z9uK?vXK3k4rjX<v2Bm=cPT1jp^2XEg^YGQj>9~2%?c^5uBjcJsI|cqxX#7vDjepN=
zr;P}|W%yeGT3f(*1MX1v`CVfDe^7=0l=uHk)1D^<1)^H@-=6jVq@d5<A%ovN6s+fQ
zlk`LwfB#z{m1Nla<qlR&+TrQ7V4Je`-}=J;)$aJ0O5pbv3m9fZ=-)O!bN}ZMoR&if
z)f0jd4hIeW-){M@Sm(r8AG`-@0;9Z&%HHOjd|EOBaTBtJ!Btz^9oT1LdKC7`vgMJ2
ztqfF5f5EO3Acf1xb!vV-D|7&yc?T5;&lsbA@837HpM0)dzD&yb694EPh*^5$XI^9c
zp%P%?GSkx5!A=uBJv{>hd$5&^dmt$5iL!THQBGhh?&#?FFB-ku2oz{+az1d!d}yCJ
zI5>cgV97W>6&hUNPpD7!E9<gmaTEFpUh&yk109{Dykpm;5qo9Wrw*}-7e;d~5GPPn
z=Q+{+Gb$p1b(!jN=RUrF{Q3Q$8bOb$Ns-c!L(b@9g>U-`=hX)>-cvo!!Ib?*aJ5kJ
z{yEwvR_y^Ig0qcIu9DGoSdS2wBymT_eo+JmN3yT9*t4@m*2%6KLapL1D=qEs>FEi@
zpod2tX!GYO&_IcXO^2WkgMAsODp=Uq(!1wizp+>-z<`{FYO%bc!qF`4tS`Q-ws%N8
zqsYbAP8iZx$<E3?Uysw4l9Gb@Wp95W54ND%0~s6Y=E1>1e-h5j&!6Sw<qP1IBq!JQ
z_Hx38Z7eJ~rKNUI1p<Q&<Q7~Ob`ODyhn|fM6kZ8wX#rQ%7dN;2!ooEm%fV^Dqwf*6
zzO_X_`~dXFl9C;umVxk4R93!gHp)lh2Lk6?oSIw4z_!B&*srLlD5{F0&z}w9VNN+L
zO<mpO*jSCnj~|<xf9g<$J5QBT9^Ni=%CMc2y}`gFw{=Z5xW#wck;HR9(;(w2+10>1
z_JSV{(JmkYp8=yjJw1IGeuY8+5W$Or0rW)BY@b~V3k<A=eRS9t2aB4=#*kTAKCLfw
zuk}F>^fAgASbCu7F4t~uZLzbn*Rj;OmVpQYCHscfLs3zlyLVT$PP#mLdy6tNF(?b4
zH{#w59_Z|JL(=9CL5GUFELb!~ui@Z)(yhlfT)a+PvoK!u@uRE#noZk;3DNhK9KPU3
z)*^`aqKDil>!B<7^K1+^bSL@00wEhAdGk26vXWmoBQfy|C5O$Tvb!u0k5W=tvC{SW
zz)!<_hm9=YvFZaTl%71vFDR(REYL2Y3dbd?g-tRfB_(&+q$DL7nV8n*K&XIfexX0F
zJ(^p_vIJ_$U3a)Y*e9csu#BAHL;i=T#N0u?o!cA3(JpLlDuqR{8hVu`Je?M2J_aou
z;tM;CE2Vf+yIuaUb58e8Bmn-ya0?3yIOpywTOeg|pa~)B*0Zz6nn(Nl4qz&UUJmHp
z2@ckM`O+K5($=<qtd8hvNl586WoGDNB0SbJG-M!02-Abo#=~RZo2dZXbS3_;%B}>O
z>i19Iv<ac?M7D}lmMoEMMWhgEQ}!iAlvE;D_9aCNDJ5i!>}&R2C6ZG1Jxj7z7uUV>
zT>tsa%$YN1=1j+NI=9<*ec$)<d7sboJfGGv;bK&aCYmGOFKN$6M{jR@e;|DLtzqi}
zIr$6QTlxuO22aR`vYlPF64dCnZjHecI2geEdwzasco_C+QCjgEn)*gYPMMgv_f_11
z7X|>(Tkh@<t`y|v8l;?n6osi8XeHno#VyPlff})y?Gu0gTo2a`3K5c$3j1hVUsH4K
z#*LAYk*VHtRasefV#v|$m|{7n(?a<af*EbaZrr~cH*Q~?FyT4hu09DlOv~yDXP7>E
z9gS~Agd0NvtgWSGVY-^d%E}7$rZslvQrtkEpi)RJD=Py;8X5Vm>G^(K*(BDDix)3C
zIs&VPcHAEV5?=#Q2a;kuc{w<?T@}9~4OsgXtldOKN8zNiw3J~2UC>)s@{Pxj9^Df-
z@bt+OBreh~FLONmGc*%_U`OPRS8V+BgsMQQYuR4W$lB8aS<-~H>o#ncWOsUXF=Hr`
z<@xUt<;~4*Vgj1)^#{slBtBP%tF2S_e#cnLC+-+9^O2}5qQoG`kENl82+|nA&-aR(
zop>wf@2+jY1t@n&PP70;;Fho9^3+@mw-WRbtQ_(i2t9G?_FkJ@`Ih5&MX$)BWz+xl
z$SH~I^?B}{Jal-~tApXQ4@tE0F+<AiwIAF>{kV978aEIYFOSii$Ge}HXkTMr{z|UT
zSu|k@RgFG)O^`rO^WhA$k50_zk{-!;d;40uW&a1pf<WdZGbO4+S<W=$QnLP|uVRPl
z>Aa){s2QG`xAtvr5Y(1(6OuJ7*`w#!(VZP5`7N<~*!4<a@Hl^;>SwFP7IGG&9V<U$
z7_X+%g9;bi)ERG!&>}yZ9T_LKnGMV4Z75aj53$KFuHF!&D|7e5PjXJmLS<{P@BCsX
z%Z{zz=~bIoTXWK`JFU=x=SyX}s8a9^b;FZ!<I=efA4ACp?jF2tEc+$!9z7u|Q1xqu
zw(3<TYgW-GCE5kc6$L|S(Vm0r8T7;NiPrRXC26x9rsG+Iw?yF;->g&b`k*y@_uQpD
z#YvOW4AX{jVL{9r34TfsSgD~%K5iMsg@w|U+@&kocg)fF-Kh_Hrs45+3xu#0Dxgeg
zBezZdtvl`GYxyN#7mu3+GOs5Ttp{cxxK+0C39s!@+5?~5L<}_x7r3`ZhJN!=Q=qtK
z615jL+@Aw-OAw)->80fc1Sy9=NpkSKNd3PC2)DT42X=AQAlhfnqG9S`=CgEK3=J~0
zfkaDv2?YO*D-sd&HFsz)m~dB+Hb(w=7pp|pT1N>F?@$I<vhr^$!;4UnDfC~*%Kz^q
z?9q<aYg&YWXfyrCQI37zeB>JaOS3)$!vB80@s7?;_?*!OVD&2IwQ3RKhMt?vNE~DR
z+Jdg|?At9S#`^a%?B#+EU4)jSDXfC^&cRh-Hngb$MU3bL2M1B5HAr*BV4zA5o*fu=
zOzV8~k^+2v;Sne7J3BiIsg$go9HJ_X2j!s`9_r`kmt*_!b6Z<}Zm#n632qJg>P)CU
zu`9-OUMz)jY<@JnP)i+bt>lah7G`Ez-Bm+u$Bz2y>Vqi8R#gokDtrG;n7vs7=_7nl
z^Yi7yS3Qc1Y#p1QDqCuTA6P@fh4yTl?(Xh`#cbe}%3B=TADYO@Pe%&Cf-e&V7cf74
zfR+?^yoH8_A}+%(a0~MY>ZG!~zmP=;^8q=9`w|=;-}O6#<pzZpDpQY8NV2s2j6|um
zHRsBp7UY>s)raI6T2NGLY^;$=i;MHtieJXUhl9bgh#RQ@m;*4WWYxeEfW!jpF#<Wa
ze-P8lv@|B6d6ZvfZkB+aByCj}t>k*~=3j}?)ms?6b{Va#AW6p<wkxffW`Xe3L7uNV
z6R`%ne9#CrwY2K$>rvF58*xK<-NhxRq0ZNL4IKBJx}f(gFQ-`(+RL7`wjP4l7dTy%
zhz2boa@AH2j^Vz(3Ma7I5alIINs+tGR9VaHS5lfTIJC}-i-PA<A}uIr4tb|f$1$~z
zf5y;E(&FuvB#E>h%o6aRw?9;b!61B?`qt*bk?x)K>_}EY0a7htKDdlvO&=wOz&a{D
z{m=ZovfHdRqy~^(rlf$FB&?xr9lsCdIT>l`{&Ez%Qqt0Dk|ZQhBQwb`E5BFH&O@L?
zq^Ivui3OW+aOPEJj@NueEMaA$am1}A$n21o20c?AW8%vfcA=rk$$PApGEwB&AXXGK
zbMo^!+b>vK%UV>ep}Zl1czAA4!Ry!WySm7zu_LQf#N~jpQBZILb<Zg+)C4Nc;aRCt
zX_*B|3+WdK0Pt%gUBgX)E)8#78c8mxRdbzJZz3kH7Xkq0|0~N2_V%%cDN0I8-2R~M
z4gdH7-p&6Qk%JuO=jKx1yg2~Q7Lt0@yg^Vy7=(so_~*|LwmJ5)Pr*-w<T+G}tzC?r
z$xp)~r~TKjUtk6}$nS?CadGi}RaFq#mSbay%Vs6kGK%nitF?6OD%>O_D&y7P6J*}E
z@~Sk3ceH%tT`aSTTXr+9?yj$9W2%r!gJ`zWdo9ztYE%rAl|8`3L7|b`e;H187?JT>
zq1l<4`(V_kf?<T(e;FnrCIyBivZbl<@qw9}h`K1>pEz}@ATJMc%?hcb*70E=dKig4
z!fz|?h=&jNI(Fn9kJrjNorZK#;C_JFpws2cby5@1JL7smPqQYF<S0lrN;)el)JpUP
z_p^`v5Px}-wxUwY7n{S*aay^Rb}Ig}q}w;{j?Ucn<@ycMbp1Mn+X3daga$gSwNb@&
z%|8deBzEs!TDa=iao&_GVAL5ehTtc>*KcbzuL~mrLdub{_x2Y>lz3n6V<_8a&BvpD
z4XQsu2}Gip%S)>Ya*BP<>o{-|2$teT4UGGp*!b5H;u1PNUrOoEZ!#lMg=hGvzLF7@
za<qM%`E(#LdP-9C!M&fNNg^gczMZ?S-)+U-mvBgkjh_u)czFSVLWAY-&f^VQt4t?T
z+-YA?%GRuR-MqL|?!2mxU+hb30mH_BqJ`5W+h37->pHQVuZ)c+C24Wrm_@aaxhGtB
zIXK_aC!8+(=t`Q<yJO?tM1P)~sRh~%e&QNf0sjf+-)VFy0zr#)fU&$ybZ^{2LNL>R
z#xe1|%`~1n!F+UM-w#?E6dPhSD%RM%lNAV#TDs0QcZ)uMx-F+)(Hou^7abX?m>f5|
zTg$xXN&j{K+~84G_Ta8<UgsWK{;8_a;lkIL4Nn9wHtG*#{OhRyaq<-p@Ctf58XiyJ
zR$pP3BYOU~7`VdE_u90EMu8(pdH-|e|Nfta?flA1mw(3)<u~!K4cmP%oFmL$gn>z6
z^u9&I!+xFG*q!9|c9vzbN=r*rdWz!5uX6LB6HIO{!COZ3^H7tXp6hRk&GuJyb(g%}
zK39^<ed%>z%?zFW>y#9b%bvaHVPdceP8cRTl?DAA>o0S0B1dmh@G&?U_@Q)Fc(nag
zM5)Xk!9JtS_Sv6Qtp<yP?F7gIkYcl)jr8|7QH}gP6ZE}c%9{G^t6i?MdANw-f>-<<
zyG@%L*xvDcT?)&ys5ZsPO?w6@8F3{g{)e7+wanP6ZTiz1#!ktxgKF&*EVsv+p2sjS
z8fj?!Shx1}i)iw*K4m4P`5e2yuTxVuCXdwBolMbU@UK~#a>A~x_~y(~T-+R-sbHtK
z@WzDdG<tH!6OQF~rFZ_ccNW`Z+}-a<E;lwF!%ynT-O(!D8)BM1hHiZ;C$K-C-;9xx
z@oK1w^-Xf~jQ8r0lCZY*<nHM?Yqi5(1y02SgOV9ggDw9}S}YG1+O}NP+<z?~fLMI#
zTL<JBSo;MOnw)=iYzq&M8TvsPy#KteF5>0OX3(lbSa<I7P`T8$)6r31_rpT{y#!(3
z_a82eUb~Nw+tRLB(=clGA>#Je?(Q7(%EZORAANn2_qI|s$1PUdS4vG(`ouM>n*A7%
zdDnPXkw}@Z4xsw5$ZnQvYmPZJHm(PkmFMwVMGv(fiU?nyTauQ4@$A7><IK695Jp?g
zn4(AsVfwQ)bU$=gRZ;sYMVYD>AKHtHpL+iMAUBhwQn!ex^(DI<0Wqb*TvIN4tt<`w
z?WNXf96lWK?u(twZ#mg7V(c<1j^;0Y4*gP~7%B@$idv^W>&(v2|CZbvV-qVkK!u0I
zZVSr%d~^^S*Xz_`@VR)XyeCXe<I^V>W2jr^=g-+&v5|g%3z(_6by&i!q_09)Qj}QX
zr(#)Zv?=Jl@Vwqy?M%<#Dk}7Tw|^Y<kK&n2%}~MS|Ln122YSS=og}C(f7;J6IM5XJ
zgmm#j;Ra9Vb^4lT`DeO|PksONX|_M0%sVv3WA;wrLT87myL-mHz|+wY*OLni9VWZ-
z{Qcj`%iF$r!@qIk?!S}UWaaZa+IJt(DY`}RC`>Y{ArLmbp!EoNbf+@S*O&V7>9Fwc
z%saVZ+OIey=wJ&rGX9nEzybbW6T6nlC1i3**pn;))t<tvEMp_1(%kvad6)jSrH7I!
zOCNXcd|%+C>fl5ioSHH|b0*;LuB%rn(;AvQ#f1Lul=xXvdTOdYr@tewu&Qcg?#G*?
zmgF4UBJHN!+1aOIVQ=j1RY8<bC@HD?=y>MptkYiGeRE4wrG*(80Ye{87z%Ivc0v12
z!!jTa|9?Ro{4itX;R%qF`?^Fu!_53AJhQH6&i&?5(@gWhEUQkg-HX`L-?}gwxoXvv
zkZ(`P*u=z8*IU<;(&fD3rK=($rHU?HwVD#?F8eYYLR3N+sUmGHGj(6(PKa^fX5H;t
ziaB16kDns(Y6@)a>Y7+1ayLllOy0%*!YlsN#mJxi)$fY0YX)|z#fq?KjP_UCu?R$i
z`TefiYGJIEN28O{^okk^+R_;v9UcAqEzJwi0O)K_^;{Un>@#+7+zlK%IAni7Imf1~
zCx?W`#y=+=jcTwxb>zSasY3$;WgP`hR-T?Z2A@W*y*-TIq-h=QpT?<luC8N@TupI?
z;!#mW^szNH5|x!I*4aDDO*VuKijJ5bIg<GJvCg3yOJn25?;gHUS=u#U6I4z~iwLu~
zs=MnsJJfZT$Ec&jR6#a(bWHl<rJsJcIM0?ef3%j$?Q!d6R^70)TbbOMdTQ=-D~tWb
z*YS6V5k5ZUSkeZmU{^~L6Ex<M5={%Tq?h`96!FHldXD}akO@*9Ic2uYC-f>Mg)&8y
z+~>OUm`3h^($?$)>tCg*)~=-nb{EYh-`E-47^lwpQsq7i*r)D)(zZ}_6@)F1J2(XU
zc0Rt<nJ3|0`RS=tWleQ;e{INXilkW7eEAF??>%60L`u8pK4s*0zs3gwm3xd&e1Ryk
zbxeSyyC>4lUXeMb?Q6my8$2JB1@y;by@h7~I3kb550^&r+r_U<&krZ*Q%7q<bT`-C
znm7&Y^1%bc3!^1?etYfo6y4?L3VQF+Uzf1B5<S%Aj@MXY%~akEy&Z9nx<+Ek>(@2)
zW=fu9E@W!^_kXx|Pl0ZvD7>L|sq5&1utmA?$+o=w>*vZni9O2tveV61ug#Bmn`P(a
z%92_&=DxMH?TuQblO}VpJU;SctMN70yr1K|+YU*j&#n5kQSBv#or^58U4}!`wndQ9
zAf`Ux$&*Jo!>%^7q(WXk6aD9Jvn@5f3{+1~RWoSN3-LcM&kxZMV)?;oFZ5ZGtf$u&
zfA|vW5sWYHEKrt=va-Z&Y$Dy8ovdFeSa{p3tIJTb%gUlY47*;x9yAdxs-L8NIN8jz
zNMLhzUi#!t%I>gtUwZQ-g!fFIGd6zSkX4tF8%`1E$dn?k59q`9E?d7E8M5B}J*S~I
zT<xTG(*e#8ASvGOH9dPa)U1LtsMpSN;PLnGE{ck(QBP$yX-rOjSn686+<sIM4<;dT
zQeTha`1SR9{TI>kt#a$<&uG!}aF0HDcK???la|&kd;1$C8lC0FwL|o=O?u4bOv*%4
z#p`JlFRdtj<^UVfas4Zms+Ph=GhIcgr8yVE)@skr#Fj3*;-p``EdTj4I0FEyX^Zlc
zTuV)YXK6-p@v|e_M11kwYTj6iX;V*>2M6PI*ijdnD@)ypdnDY?n3}TjKhLx}JW<e_
zZe+MQOG#C=8R_ck^_zk0nwF7UJKf=?>|NL-&Mx!pe0vY&EG-Pp%tYDZkrF9MT#`Mz
zcJ741LeJr?zcRC=_sZG)u}k~-u^yHv9u&9vY#UDvry!H)7>)-nl2Xo`&(8C(J^b9=
z{V>KXn@H5SkUYJUM7oXrt5J$IKfjW{g^tcxQPJ8hdIduVq+ULXxV`xgUsM{eKv`g|
z%=bcRhK(N8e0(OUsb(7}Y=56`mvTO7Z~wa`e#HG&A);7L&eqx9j_lzj1ZW0^?`Ti3
zeODt<ExvL6dd{Lx)B)jtA6Q{Sg9j}wpS}>V!WgCSr(J5>b&E_|2<0os1Z(^Ba+y3=
zi*!h%Y8ZxfS5mnd4$kf~({AV*8afcUr~9e0+q+jf>UPbx+jmTD*sy6?P0A<sF#^@k
z429pn?Ua-}A?Pf0u`4WmQC&p_E7I)57giO^HS2<oZ0jw&()j%*G;h5fosy>6Lm|iG
zWo2ZTv19w~l7??zx;P%WhodZ1vunWnjF8Y@CZ=mxe0GSQYy0|qa*F!yt*b6%E5es0
zNVoTxsr0tAbbPt?BJa2N#6$p}ye~VaN@U6Ub&o!0>(6=`85%0xn*WJe&BLR(x_kP*
zN{96IwEKPKN%|jZYGDOT<yVPLOBfd5x}i61TiOzzckHMKii^cIy5B!1l&$8qQK3Zx
zPfo7z6fv2Qb!WUpw{EqxqUB!ne=00_8lMhd?Nf_;$~)W;{$@SP_Oa2M2?^c(y^~7H
zDcYNF*vA&EfQA!cS|YA?+Ns!)+-_dKs4hUunkC#hT>Fsp96jpM**SIL!Y6;XugD4a
zXdXKrHy;&aSXQTMQMCjoZQTO>aJXWHgct=_Xqv0}?_M?Zl*u-O%p9HgLstCHcAtZ*
zooAoL8H&CkKf2l<(A-GBeuH4r(3L)Vavh6*jB;Xf;{(chczH-M-3_fb|6W}-vYJ4C
z7`?1S%d-jVR{zhL^#75DuU=yDXbL;I@%R?CJ!*6f;@tZL2L&|)S_z)7Xj=)wEVCYs
zSoHtP-+i$wM5X~!9UFgxK|9FAAeL>?0HIrS^B6k396BuPv9c}TE=oQzp6}QR(OnR;
zHHm40I7vGh`-aCyy7Mk^wH#-XAknPOYEbJ|b?zgm@Uyal=<cN-qe|?ls<M=t`a|4J
zAB%bj+UF#vrUH%z#BsybbtV$ficQvO5Qsq)2E2XK3Jk)aARHJ>WssdK_-b7Z&z+kX
z9)=f?Je<?9Jta@vT7k88N=nv`^vAezePi+L?nl1_$V9R2@9F6QC{H3|Ve_Ca|Ha?I
zB%JG|Qchi!0!TkIJ#AoQG&en+{N_z9-&+0OG?5@uNK`Cjd7;ZLj*Fv<NlH#`Xl*ru
znR#WUkc`ad_wN~muzx-*91eo^=(SrY-xSu)^nsL!0>uT{4v>1GTuVCkEHOQOa%>Ey
z*SZ_rjl&vtze!6wSLiI{QwfXg^W~nm(E+EtEfDaeU={Q&c=GoxxbN3nNpXV=xB@P{
z0kIJ#_dad~)Jv68jkUGgq@*%4Go=8R^z?v{|C`$%)N2u6XjNb;1oK~hs1ea~$DI45
zfx*l4bWl)CPoBiPlE=lvVg1T;*gHkkS^~L)4hgsu#Hi4y;OoZ5eypgiREu;K-;nIt
zqxb}TLVSql1<E992B;x{vILw6)glxW>}+ht#>eYwYjv1y(PRQte~2ZwJ$y$x0wilj
z)c|lL4^thykU&offA(y@{pVMZcH$uI?TVMX3PCl;qoZ|GI(Ezv6hUtPexedh3<C<H
zo15DJXT8tg*;#b!krWpPFar$d?^Lf74aB)x6`<B-I?Ps-0ADOz-E##eQy?HGPe!Dq
zh?kixo)e*MSp~K50l>t_59qD}RwoK3jWnpEv9WOi9LAOBS#)L4AI??apH4@)piO|W
zaq-)?(*v-Y^DY3d)==ybFi@y7?()iwWB7CXgS)<r1~aH{3@8;j_j{XfG%328FjOU}
z_yiQEfnRW5fYg9QMi~o;SXC$3;}0J_5>0;y4w<IZ6Wl)|2L-h%>hctE3-kII45h0e
z#&i3F%dTf)0<Gw`n@jL`Tgym=qIu@}m5{+o$iVu4L3Vr7txn1TNFHEF05(IW99s^B
zn>>w<PK%9g`TW^i0sgk)5)!!0`68{tmC5If!jJPlP=hg%|4dJ#!Ui;zlamw0F6cE*
z9Y5|ia$~7H0+=GK_<+~)#_&{U0z$&p5i`%1mC95CA2h&f_Vy`YrPGR-kH11G3$^XZ
z^m96~2EgYuug{{)4H*O;O-XlcZ9-<IK^60+Z!7|hXt*(boj0_u-<eedb-tt9jr8?d
zoXm1BY|;QFS<89{KJ>1H(twMDV?+9R80iZO55Uk19C{2U7=q<wWvSD1u(O{wF=@RZ
z>miR$6ew|14AFVw0av|r)KL#_NNtkdS<86xXyAd|JvJ2KIrmWk^*EUBkt=|dKKlq{
zF``6^22ZFl$wVo`l@MYrYdgE8#l@>dUBJb09H`Ao8kv4{d#0l!R6wmI<P65n;b6_?
z7Ziy2l7<g!YOW=wBql~Yd*%*(0Y*ekeLWS(FjNQ}-!_D54bI#ob7CLi;f>~GP3^6%
z)iGhLOvEd`to|0H#0{?7VjuSGH%m^)&&TL@!!$+Z3?e%4?hBp!>B@e2o7`ER+u^w2
zZqhZd&trXXmj|4WO99i1b30BYB%gR~E+W7U8L&$ztyD;0wS|5ZHhIlWO?a>P)9~Q~
zx-&e0!(w0WuaUFx=ruck{#b$`+E(F@$=S1*|8*HINS8@9gZ20AWqCtt-@47&!WI|R
zJIeBs?vW$#L!woLT`e6Q&l?)TpWpk&>}ZRK2c6_wIMI=G<)4M>YcnS*K$nN%U00_?
zwn1MFEOa%lGFTK)g~V)&H77wV+B`S|zn4<ipKV1hBY?RF628>cB^DNvfG(08aM!Fn
zcMEHm4i1_Aa?!<#h;g(~EUln$>dcvTm^e=Twm>kUr}dPPiE=PE_bNwIuN~pq7!^Lm
zzx7**M~@sCchTDuc?p`?{{9)TztP>Ox~)xKP>`^+^gb70FiNE88IhAS7is1hWN{kw
z<=3w-!j=GdH?FC{`YNafg?cxYUjR*2Q>(yypef(Wi|*GC^6>FVo-346RaJ#RtP&kP
z9{BV-bwEJ^1G#C>EnBusQ?T(#&&VK7e3!oR95E2=JE%*rg_=N<D}*kMZzM#5loR8S
zXd}kyMekFOZ<)?>-nRvPOFn%v@DSh)wY9PFTfQ9{^U-$jc#z3CF%rt~Xcom619Ir!
zT>I9VU&fW{>_rKvdtf}HZyja}ils6N3P8f_iES_jBM<_u9UQi>v-|4ff<HkNy>kjI
zdUy<Gs=A;V&eFmHEC+v%j{5rf^(%z**IGd;kJoP}#f?!s*qhJE$9L)SWxeeWF-XuY
zX-_O0Q#Ila3{j578lX)M1ew+4?o=#Dc!}%`HW+mPlz$ZH(kI^Nua|-d5-cgj6FVQj
zvxWxy2y-G_0wF*}%*C40lkfP<pnqy?jAoz*@_1sREePh2<Qz#boY^6WIt&z+4c6Is
z0XJ_JqQ^yB>U4-niK?Gj*T2@bMYI`Gbor5-l7ccc;OH@op3)nqrsN)Edd7rcgb;e#
z(Za~k&=BQsq#@=PFI@@=4u*4IP<dC`ZFf^s(_6QcvW{<DcaB#1CDgzS06mM))h8JZ
zLUeV((bYCEU~N&~$k4UII1ZFUT*8%u0<u?GxeL2&2w>rJAgGkAe#ZzI9HD}KmTF$V
WctVnGFYspqK}S>XP`ZY>_rC$pz5QeW

literal 0
HcmV?d00001

diff --git a/odl-aaa-moon/aaa-authn-api/src/main/docs/credential_auth_sequence.wsd b/odl-aaa-moon/aaa-authn-api/src/main/docs/credential_auth_sequence.wsd
new file mode 100644
index 00000000..383d4031
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/docs/credential_auth_sequence.wsd
@@ -0,0 +1,18 @@
+title Credential Authentication Sequence
+
+# This walks through the credential authentication use case where a credential 
+# (typically username/password) is used to authenticate directly with the ODL 
+# controller. 
+
+Client -> ServletContainer: request access token
+note right of Client
+(credentials, scope=domain)
+end note
+ServletContainer -> TokenEndpoint: credentials, domain
+TokenEndpoint -> CredentialAuth: authenticate(Credentials, domain)
+CredentialAuth -> TokenEndpoint: Claim
+note left of CredentialAuth
+(user/domain/roles)
+end note
+TokenEndpoint -> TokenEndpoint: createToken
+TokenEndpoint -> Client: access token
\ No newline at end of file
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/docs/federated_auth_sequence.png b/odl-aaa-moon/aaa-authn-api/src/main/docs/federated_auth_sequence.png
new file mode 100644
index 0000000000000000000000000000000000000000..799cc9095681dea6dc3f5709eca7cb710994bb4a
GIT binary patch
literal 40566
zcmcG$bzGHe*DZ`qg8>K#hzKYp-6bd?4bmlzq;xM(2@#MI>F$=6R+R2;knZk2bGe`A
zee#cUzH`2{_fHU6>%Q+R<{Wd(F)m+OX;Cb6B6JiK6fAMEXYwd0S1M3YE_0z?hM%CY
zbsxf?*L5XCpP^hJ|4XP&4@E(_k0So;=}X6$)o}+6g~1Df&CsT}x1N+AJZ|4m%Eh=w
zpmNWc#2D}SO43Iq(~{EC{;Z)9llt8Ir3^2<vrXzN@bGqLP^{h&g(Y6cy*eB;NtRw+
z>slo4fxGR@e@ZbH<I-^w=hCs)J~!`4c?TU0c_S!dKL>38e1n2T&|~oDyT~AhE68t}
zJZ%Y)Uj?aBT9IE-n8`J-BfkcrEiog%dPs_eUqXJPFI0hv{CfZP|Cf(=8fRI1_JwlP
z_cry*yrY>w0mA|nLqo%oySew=&-Rpcb(5mP`X0?M^``e~Eq5ip=MMPzoZqP9o|?Id
zNfvj1*1+-U(a!4?hmDE;9`BT_yu45T{;QL<wE+PEH8uR<t$X|X6E$uwii(PS#d(_R
z<CW?8`IF@~Ms_rjTsBmG^=d_i0jIhP9kIkb_BqMP$%%>N;jJW`Z+=fyyJTl)M_#7!
z59KCOlPoE8-R%}F8H#BM2??pHu9o`q;;~!)wXnlR5-hoABPAvwp;t7lS!s_)qKpy}
z#2`#@uszqR^V2)vF4Oeh%HZCBvADRnnHim%+r{}AF^5Hltgpy}{EGoLmk7_GmX?;A
z6e4XAOf%E<eq3B!VPRoTPEN{s8j)<KU*hAnot(-=l1#n|2?^2A(i*i#rAkx6KazVo
zy12B`$f~MxxgFb*k;M-U4dvwIY;SK@RaNaQbl$jj4U3fbTXFHr*a17G*RPj;|9GFT
zQ7*56e8ogXnV6bpFD0a8bealfE9G9ty!+;4f6aWfwBJrWp?{Z^1jX0~?n-Qe(!4(_
zOypf=@J}C{cwVQ%IAT8Q*`||&jYzVK)16Kj*TLdj0nZp}_uyNZINnHHU32qXJFMnH
z(?Nz~hg;Y_EQW1&U0hC#I^#&VZ8LImR#%6MRtEDg=A$i_xv!gB9q%sDD(6K+N6SPo
zKAn4EZEa1;=d7=*+mk9mplX0mr}EWiL0U*GluF9g%`KY4@_ey7St6X_rqKD(LVSMh
zxpV6m`m7QyQDM`rgr{wjvG8u&#V+!ZFZuaT#utD8mi24TobOH+-I%DR@Z4P=cUc=L
zp`@gwqN0kze(}+{hN>-!ZDp+720kX5+b*l1z-mniJK%bcfow|zlOC0HOvciq;s$s+
zG;(KWXC)=2%Wr?fVCv}Th=_<peUi|;O(iKyEo0(=byFz9=%d9%)o`JK#PM;ji~tFb
zJstV%_qSKX!U=0H&Uwi7n}W!fc}2p4f&@{QhKtf`YHIo}!xA1Zetnz#S5MFO?ouzG
z^KQau;61KexVW;4iY0oDpA1^RWZD}QfASs(A{X|?Boxwatgr93EmzLhN=!^FnfTJe
z?|LYxjd_prD~xg!R$AKfdK9C66Rw`#%-Go2*~x)SG<z;Xl!pikj-DXB<Ia40j%v{&
zg*O8OgUv#R+s=G|@!Phxw&qak(V?M;h={|(Lov5QNd#p);`p&&y|tAUm;1S^A3i-M
z7M9Dwy3}Na^<2wWou4r=F_@T`iwfyCu<s>UViB{iX6M%=<%@p0_xN~BJ@*%#qM_mZ
zaFG!jIX^%Du7m&Ssq671wO-5T$Gcp--9|UK?qTovC&x5pe*E~ct4o%EfPjJ`xg(Z`
zr4#YU#&-9TG5i%qr#+e@U$w{(h8qTStjH+v6cKuS_zD(vr@+NnqVNqpJw0M#VoS>n
zSfqZ}lk3nz_F|?Jg?(IIT^)JjU`881kq8S5M`8*_&V*#;<oMS(o}Y3RS@mVe!Qxjd
zx1LK85B<EVC?tkJoWoKexp&V$AmC(oDKsKNOjtKW!fQb@()%;7q}Rgpsi_amEiK$O
z^O)rNhnrKjer07GFhutDhAomYoWZ2O=UT&;zJyZC^w9IzuO_H3hThfE(kdiE$H7T|
zf;e8Hrc$Qz^uNbtJ^jn~$_?z(DIYQ#8XEmI2BWH*uZ6Q^;`!<Dk$*NfH~;j;D*B3i
z9q#tZ#0$8eLsWrqsiv+T9Ubky-As)`#{aojphb3#TjVp(Qh$GcG`sooNJ(~NWF)Mt
z_wRqgR#A|bkNCOTn~vjFty_<d?^p6>O2|<Ah($tah{i$leFfEBV&ap-L)_rEH|~4k
z3YOOU5%gLWI&5gE8Zfi4z<y(3&x?Xc6de2%L*K}Vhl|U%#?-{5WoBy;gOZkzN%t!G
zue!Rrv9XvM9)p%UiL#Dc)6cJ5xzhZ$+U39^QI^woQMO>sVSOw!H^Sg(E?j$&!DWB-
zX!7D*R2%0Wr))9iS@r|+*`u9>HW3L42_dm`>Dbw4q_=Jfxqm*L?b@1Y3|o~{^Nows
z8Z9+PBTpi6+@2NZ%I%Eikl7VYlvR<JpI%xLe|UPll3(m$LM>KE4%gIcz-)HrwqJdO
zi~5<DA#;&LK?pUv{d_i5hTU@F^!JY|&AR9=B^enRu)C5rh=_@MQ-TOt&^ujnWB3g^
z{OXh*o^3Uf6{{#I;g4^x<k$Al2a@t7sYj?5S<k(wFjyZe_r%5bt6zOiCduuxpOfP~
zHa`BE@`-lMXGQOjd(_*F(S4f6^G2{P&CJ>ii-uR-Hy)IK`_@G~)Ta3cg5kS&mygKN
zyoBZ*2Ay{1eXCPP>?AYB#M3qD8|vz&Ap^DPd_0CHTKa@;^d;x3;!4GJN2vsYOZa|a
z(b3tPr|&Ev_ii&T6{f%v>SCr4{ggrwh1{&<<T?=EAWnG(G3hmQT~<h!POY@vm^kap
zRIswL%FD~M#RwI7l;f$Dk4CP+-~eM<d%E44DiQ8^p_xxlN0*e8bnEu*$UdL6bl7<Y
z{Gr9JN82n$9e42Y2b9_hyH*Md3br8pdkN{lVl!5E<&S@y%xE5h#}&#D9T8zRTsU{U
zx1#O3b!~ilV<TVRh&hbaa)OtOOZCwmi?MIP7KD%lVg@KL8joRwm+)cJ!rec6{=C~$
zTt;T2KU<k5{(iG}giELf!@)wl`$Va^dYQ%eFKmq|D{)16`3KGzp|IJ`_eU)!tDJt`
zQ5edW_(GR>QffBLOhdB_fqAztlqjurIsR`G*)8B@Q?6my`u+xvF)ifYJLq1py9~JB
zK(;8BTp7qkBOkA@OBO&JZa$SkzVb6N#FT_t)0vo=Lliy8X%E8KCT3TKP`7q=TH)2)
z{CY5tWPJMf@1UqCH7zZEi!sg$N^Wj7otNmn2J$~wB4m9-<Kp8dQ^aozHGQ+1i4$;V
zz(svPL7_^APp%J3M<|hzlF|UKY#R>o>$D||))tqBrD)bivp3JwW6-lVU8Xm{2Zv0_
z5%H7*z?ajVv{uW>npB574WCF_SD!zzhxxsB?HWKER$@jrHUq>=t-}Usu4md!blRIA
zHS#&kM;;PQK`cDjnCu)=!9(}jjf<?T<T+!aqw`;PoNc;Uk*cKoh4S%ZUwjNy)C6^<
z9F?bKrx0W$nGAZUnwz{HC|^K4u1HNvdWYam1!VKWo=TxP-u+x0<E654?~9RAbJ}#f
z=8J;G8xeH$^pWbK5Mg(=wvLvw^B4K(@uY+Lyp0F?kx}*Yor+Y5xaWpKsNzymire2(
zjyI=%mQ5l|4GbvRo6OD3AY*3g=l9H*^rVQZsS(j{?k*`ry{Cz17#vs%b=Ug*`uVN1
z)Fj9|NyOu0V@>YEXlHLo4GayHR8^aKZR*C%_#M_`^eK}f6rXV3`;^0s*=&{crm9&y
zJTkGK7jtu`Q=pd~*1m1)NQo()NUCIoM(;{QU1*1`9YBK4SRQ31C8|5<mg5y+@$sE~
z;$-j1J?Yd-{f9H!+CuP3O*98l^3giu_>$`pM{@+^9;}BMWRDDHn}SJ6Nt4tUg$T<m
zC(~LLC%##|=Rbdr>a@3vN1jqxxDC6wqoV`n$rBe=)iL9h@iN%!PqeBM1ZZ-e?RI|9
z4dg8a#0CGWs;V+EF>%2DaNK&3TUuBsKTy#30(KkD5nu|L)T`I8GiX+P#sy532V1r0
zgl}2z7*=cN$OtzJOHoS7v&iJzYi;{$qrC)l_<l<A$&?j^MaUN#IZR&3*RKi0u%J44
zM_;_;ei~9(SQy9aBor9s^!vy6@2>!W?H;uP24ieYs<VoWh=73bq&56WE$n<q-Y`O<
zm2&rSUH6BL0N}|DWyf;cB{lYEDp1ewytA;dfTUbyv+!wKRE;)WX37chXz_L~BY<xS
z)Wl{!y`ir<u<fcGw{)LBzouC}9V)}mWiu}+C)d3;S{A8yaBz_R<PQHgvsbUWV7+8z
zWlc}(&K<8_$Qo5K;k;$+jAG$yv(+=t)k)vBlN=Ctu(!7u%o~U8oTpXI{pPnIfE=xA
zX8^lH-Q9AlpMA5I+CuE6P5SJxHlw~@eGC~O@RBV$63%7FC8y;1KMkjR;JJC^+Kjhh
zV*{aq!OdJxkK!0Vuu)H5#w+Z@+N0wcfK0WA(-_C9E<zt5lh)KA;NExcXp+>^DLOeF
z{dj+4$@I9<Le7={0;&**!FR?V-9e8WWILXG_j8Ide~Df)3Z*}T<@q2-LfD6fWZbjV
zcTJij;$F8O`l5}(ecJNu=xJ%iE$$PMD8mpcDM5ZkVi7<r#>W6Fe!?YcA(KM+<Lm2-
z?h<xn8$4u<Rp=}-;FKTMo4#4qmw_jOK=70Q>g#)Hn_OFa(GWn4fq`-R_U+ddya3TT
zEGNbw14DEf%+sXs<mBOTSnl)vl1}kdx<XQb=Me6Dd)t~neq(z2!SOm=$M56E)6>&m
zb+0mbCjiwMlid=EsFTEDsht}ze%F-vXYh>*R73+wvCz?zwAbY1<*m=*Qx-a(Xja%x
z*0?2$1cVTYNEv-m8G0#InRiL+cEr?66_pHE%mjt6%-1u#j%FKS-_ss7`ay7F;b339
zD8cO3p2kypP?5Y?5ivJ62eT?ICdSCf7{Otw1!JM5Me5e1(h*h$;c6MM{;f(8za!Yt
zOBnODxbs)eAq4L3e+|(mc@@B|(5^l%DLOYh%SbHo;)TUzja1<C5*Y91rz|Wi&&!PT
z^}7gkYlj}WYd~U~+j4~M`}FD4q|x#5aUU#V5p5$QBU%<i<K!ewa-u|)SA`u&FyOV2
zDw6v_v6b$j(B9f;_&}*%BldBtel6nc_+Uc@wfxQ0Ww+gT<s}-5ieZ2i2jzoCuGYJ{
z`3^ZVdj`Q){Y1#(-8jQUYxzOms7idTjVPdpNbZQ6%E+wDq<<MQCBQtu@UVhX9={S7
zZ!Uh_tM4XY0E5_P;A;wNcqdBs<;!Q<V*J6^1gF-SGrY=QKfBOQskt~m0W^(+69}N4
zhm&(?WTeLJgq?}0psFec@qwC;Pm?u3R>gPmV|`M1-^JO6`|gt_ZNw4fj#tHQ2ceCX
zehbT_l^QLRL_M!BlgqwYf#2S8e|Bq23pN?QhO8`r>*lexrk0i@ncw5(HlnNQDwGt;
zA~4F>25Js(-h3@9b3Z$_la~(>yr1CXx;j(<Kn-w?R5ZIAl*=?R_r>jDqgq%%;H-pV
z0XEdqq#`X1O+*RN@%~zN+f#8U>aPSgLOvCjl;nN$`}^V6%+h{L%soRsLzs$r9;(^h
ztjfw0SQ7H`^32T4iwnzuOvnTfbR#i!J6eBYjn1uUq7q#rqsE1u`gOjQl@%N!*2S(w
zVL3Uu;w5(Tk=>QSCv<eH8?_f{J`Jo6Q0)W0v0ocua{nGo!^s&Tof<}~?Cj#g5<hvo
zRyMgvpie|dD1P?wwgCew)-$PmJ#;?A=^+$l5crN(i#n0R4j)znRV;+Da@!?&1Oj1b
zn6~Kb?jO}bx99FIyOxxTnB8V_4=N}s%I==>SpPn5AnO+zdi!i<4+<FwD}JM8mK$T`
zJA>NpfILj~^&g(egin+Kw!px~?r3k9l954H+KYCwkuOqoNjY717jNdifns2nlyPUg
zUh>^G;397?FFrt?urGEY>>nOF3Vi^)pC%QJIIdk>7J~wJ_chi$#!UixHQT*q#i*7K
zijN4(--RY>8D$M{YxdWsr2J}aH3bxcti>VVFR4RmDYtf2-24MVKOMrbb}b@XIUgGb
z=U{s~$*&x_lGEa7x_Wz~S&XpV_;l*70_y-74KiGb#dy>NtvQ6{Ml$yt$^0I?D0mtl
zOu}0vB-OBE=C8<OdM#9!O2?n>B&pHv_F{xkf0*D+TL_<jG%+z@#vX0K#KEyKm`_HZ
zx%tB&3kqA?*HHkHA;kfW;<i;!03)Tx?{s>0Fez~scgLVX{mM&P9Vi%~4zPsE9WYa^
z^WHN21<-`}Z3S!}Jxj|crj6WDs)ej=rb5on+-~Fx(Ns?d#m_0RJrdh0T473WR))Sn
zEhsLovRlEY-#kBaF|;Gk5)Y-?Rcpw(oAC7()sExAI!Ujsq9R_=)d)X7j59ydYC=hY
zh$nyW0;SqQfnK8ttsxT(V=^TGX^CcsNXriirkC{%445v=WdU#Rc04Fz_U>zn#BuJm
zqkeQ;zCGU_O*<SZNr|l96n*;!C<S7)G&JbS(TU0R;W3wE0RLuXXH&W--}kg#>Y;q{
zMCNEF<Rze#@;=)7sW*$$3N5=P;^MwTx<m8x^Sh<2EQX)CHcG6IXX6PB)PjqlcvF+K
zRmDkcG9mR0f-Kt`AUQ%_!A#=z&K}})VbrV7U%nt9oy*HWDXsu>ZOl|)mDJ`KTEgrN
zJXr5>p+T#0BnAOP7ya&u>W8LVWY&+0m_=Yew8ZQJZKq@s_*_J!=d!$VgRG&UIF@=z
zo@vD3Rp<Ch7(Cl<ZWQrvm6*#W{aO97JPz;PzmH}!HGK8z_u?Wa?51D8p3PrK*x2j<
z#ORFS3T>PL$bos6@pqjU#_p2H9BuH&c0)2Adw+iZt>ZmYQ`42ECNbwJh#g7Vxq}c>
z6|<FwM@Nb8-i2W4O+{OBtLW~$IOg$Ovo4Yw5r}b^X$XJ{1)^e%fP0Pm#W_$trKP1%
z#8g?$cn>uir-<ZX_H!%vhvWil0ChE@{v+P{`ntEbH~bnzDgmqMtC}(|<{)|0>#j}K
z3Q$osG&VMljEpojWeEFVL!N#iCMLUMC4A+|`<cc-fRUq(jXte&%S%gEocACodtngp
zJMVr_#TC)Xhlm2BU@=nsdSGAxZUrI+tZ%#%jBm^f)k=Tc5&$uFS>y?xXx$mN(9`?*
zP_QjP->{Gohv7CQ|3V`pD=RWWLWn&(J2N*o-`m}F<eh+82ddIz2nH?A4+SH)22lEy
zhLF`<Foh_RDq}a#N>6W`vpzdLm5%49zwnD)u`m?xXUs?2JxRHaMU>J}Rw+EwaBHAv
z!Sxb~pd^Iq(2x*GDXGZLTdzyxl0`_ktRFsl^x<d@S8x<EEf*&z>eY7;kD0ZzF5kcI
z04%WJ<K1jY=~(XioYhMSYYZCS?&G4auC6{5Fhlt+h-8OfZ0+sA2-XVT=d@pqNYlHN
zL2~ovP0t_*yEGSaYF$r}T(Y1lkZES@E)e3Pu&*ZIR{`(@2m}i^-LC+p>7CKv_~yFt
z|MygNin8dQNRe}&T)Uk~45N52x!_rMk6c!NvFS%0&%VcNM3{n%6z3G&w%ycriI=qQ
zEz@WMeRJD;P;<_XJPI#o2{)nU_4uQHlM&8(Mxo^o?AX`uN8If3W;jl<XKVAjLfU|&
z$p7Dx=K)-r40NZP`{r?J$tW2G6?ZElu(>nvWw;w~STEmgAnN9<sD7H#iiYNJdbVIy
ze%99Ra<GhNJN?U`f{*VE&#%9{xR{q>2FtIXOQ80vNdNvS;pdPLr5juCI+|N<NyZ#j
z=dPg$|6I>i4^%05kW^UsVs0ejEq%7fP*)h+Q<G=swzB3Q-#+phWXg2O?AqB`$k!?0
zrluTMPzm8$az)_71u`;Jay+W5as2vKcPGmxE%b$M1>6f)$ariXbJK32SElw>v?-mE
z5kWY)JVv(rQ+Ae}JEpB|Z3@k9XQx5~dE?2h>gdVl_mpwk(_0G)j9lGn7l(^x`m-zL
z6=p79@ws}H?xXLKXfbAZt8aj&o{5P@a+Hk?h6$T|mnMZM14Qk!tr=ocUd}4Rc4Z#>
zds>D13gc|l+_qtn_t|n4LQE7e@6yDlMeVzaiw{p!Q>ROv*#7iBL&u=C!5aH!wUw>B
z)mBR>ktU9X1~+|kE%v6J{z6Cm;vEcZ(%$^Z#$7wz>4^$cCT8o%#XiLLtO^NR%I0Ub
zPuV`+y>r{!ABT(Fv9V%z&JKD<OYL4yjOld5bSmY?g-0B^Bc$5e+i_4;cBh2V$RDz?
zjW<#cwX{^)t=tR_7DXk8;q#f<Tgi8~U%`iXX}mp429ZxR;8^XxBM0KNjK_hrzpdb@
z9yu}tIe#_oo+ahuE;XKF)qPf*t6rO&94tm0w6v7(ScPCQ$}9f5_*2&o8|}y|v$5Vl
zOk+&7yM@w$fTRMQx~aspSxZZSp8llRgw1uP;fheAY~&IyfkUZ!nV{)P&Am^`uYQO0
z^jI5y6d%`|(y^E%RhFSnek#AsEplg%H+<9*HYqkq!_Y96M!^GJ7(G%_J#+ILP&x->
zl5-#1`r%6poOAAMPVK0wUapW^wI`|Odgz4Z|ABLMnY*v8EtD(Q6PK3OhMJmZKHkeK
zb8+v>t!(u7mu7pH3FSn;X-II_x3&3WVPP$ry0|a|+Y=h?Lzf2|Q)7CG>*(wR=h@P!
zXwLKF{MQP^Tyrxs`F4wp4SmIfLj{vv(d({=FPX3NH)=)~*Z6YXPP!$+EmGf#i_l)w
z28x9GFTE~3BIb~{vEHVZBBH6Vny5l6Y^im>_%V3k7ZhZbE^Y2~xOo&rZgcORBSfJ`
zj~=x&H`iL}X<Jx4O_$c2neHIvKdr2;?yPakc6D{`JF^nhYtSu7lRmSZZwu3QWoj6$
zG)<SzJv%!&J~^OdzOEn5&QM-{ZGJwjGcK0X{k$QDE1SdYP(&ubIgHi;9mCHDXX9jh
z&Qz_aZ~VEBg-{&{*X`N4*1?(@?bH3y)13thd4*mdtdpK!znU7;eNLCYFBo0B&cJ17
zvg2`S{OFWUrn8xe=>qd^S3st=^+BR=^(+}xbbD5QQ8(^mClZCB9Ve%2zz=6;T0vB(
zs!HpK;o|1vI&KanSQ`n5<KF9?Zzn+|A1!OVb|VnEUb_;s)XN$?y}g@0zF1AUEwn!7
z<hn9&&S44dC4K?N&0>}B)*qBo-?Xh9zCua5!jgn9UhRK!<aA5OQ)sIAb*pxbtK0Fe
zl8ueR+)n(~%-L-5Bh`u4?41lbj0Y6q0VF(&-`^f4B#`l+6$_B3e1kq!@#*$ltd|$r
z@$S)BcenlKZ~nrhFh!?i@dj2`2i5zIjfO?gSPG+aKRu+pa^;K+5s{dmzcAHpGLYl(
z;e+sQE=(M7AB{7>c9PSt8N_;FRy=wz-B@Bu@Q_*n4OQjWl;gFlbV+)W9Uhq2r0p|S
z4gOoe@$uSF1>@er+dDYiLR`OoELmc0pFS%S^z9pq`Dlf=r+@F@AasY;>b#!1pKfjB
zZ&;@Z_olHQY>*K#CY+ockXc)A!+jMMUDIXrTg%&I%*~}&Tptw?Y+i|A<`Zx`784Q!
z47q3uQ86vRFEw@8k6_p{sL}xnnYQ!`0=NPePGIQH)vA=PE?iSn2?qz|C;1FA@ioW!
z^>~Jcal6_F>$mZg-u*y9f4%3QVPwrPQ)G1Ex^E`$dWsL@E5CDUbb4qRnQ3k~4_z9f
zG`WIp(N7x2lQs38Xz%xSqa>qPi$w!JNj8(Y$2>&^oE^)g*LQxFKKqO|dz*Wu{5Wl@
zvK1Sf9hQgX<h*Z3HV)Yf=t-t(*=Scab+p`i!>P5~n3c6WkQ?1Q$V=)|W8CAZ39rVt
z?=2obeoV|?wXr$nhDJ_EXsMJp)}24On=T{ML>SZ_HGErW$jn~0>uW|v?G5ZzQev0+
zc=u9YC0Zkg7w1=<cBnf0OCA@E_xA^vThbeGFRrYtjk`cgHrb55QXzfd`Sbb*?#C4J
z4$6)Z+|qx>)6&4;DXLD<uqW=Z`$KZicEj$_Z*DFca&iSlJGEt>tZgv%H!fV3`()~A
zZoU|hKqdEVJ>$45EPQ3YC@Wj3oscPM(tUI<b^Q^<nL9lYXF6v!8epwz%F5bK)wS#V
ztP*eEiU0cbc@l>$J$-w`pza*ZthBWK1Ey2rz~JCZHZ_jC*@O8ubI8FX+7l5@o3e%G
z_2}@B3JE9flVhVOEaH71pGH1+gnVIDa&m5ErTU8(m}heL9hDUoHPzIpO04nEAEK5_
zEp}tPeJi0=%P;X{04|V7bD7lR?^=LF@|!n(fYhS56YRNBt8x)g`&hx-VTl=9pBSG$
zm6ExSNf#StR^ARyq;-GC$uk<y6aLH0eV^_<KN>Zjg3-&q$*C!yJk8O$`T1w4OT7y=
zUVI5{I?K$I`Fb?FRT*`4IC66CWL$;o$$=wX^y;P0EXN#Q!Kf|m;NaomiHKbH3>q7A
zRTGR1)iW|0FEn8Bs*lKGyemka8+UV0vcurCDcBCe&D9$|6SeLielq3DoeQHDlr7M(
zl%SEr4W>(L8X(%*?%1xqKqXI2oon0RU0Qk)%?1UrJGcM!p*5PW&7XIjou%sP@DT^&
z4Q!_N0`76m3r1dEYw9(;rwj25J(E=RhbJyZMi>M6fms>A#k#JnoIF<<;#UnLCL&5n
zt)`<pl?@j~34j*4rKsrWO^O<B#A(m_8=W2TwM=fu+xu(k-^#fjv)orNHJgVx(Vg_Q
zIrOZ4BBX?e#dc06s5{xMr$-B!*5u?OV@{#;a(nu8T8c4(duInDz#sFQ#wXcFyl?LF
zGcl!BRS6+*`iv)*?*DBFGcpuPO9y^>JF&!%L!W-N+GUC0$$96G9}R77`UmSX@X#mw
zv69jVA&1O*)B6f|*RMQE!C*-$Z7TOCzPkuedti7N@#Ed3czga&$PBP~o?SFoyytf=
z?kqAQ1jv$?lk?G!CpzejkCW-vG!}FW9zT8^%^@li$y_CJvBXI9sw`V@2c!Agb!=bX
zqqSeYt+71r0|k15W~)$7O<ul|`b5Oo+}vrtZNK)sLf?qvtLY$`+ljqqxpiqyRJtVL
zdB3u$`$aW2fypJ!SNi&IwscecBzjeg5a)}@R`G88xn5qwOTFsRtU9z@_u=>B!YCs+
z<xXuL7TN=Vu%`M@&BwuySgCQNcB(@B^y!S|IVdW(5eT)rBN-d-&YxsD2>j2_krLvt
zpf^V6r{DYfY>)V4lbzC|KbL<3*qBuJ6QJA;KMO1S(u1v~0)*S=f`X}1a|w0}-tTk!
ze0Iw;J5S@)s;)CD>M(jR6P@{I&~HDPfjXh_Q!1?Acz(CsGzH7!-MRLtBj0miNy>BX
zO2>^A+nM^O8pK0RNFp0ADk!kFBjMI>imCTYhyHBw--phFawU?K?Rk+i63ahtx1)~2
z<CTs``F4*Le}wZzNz{N8lYdY}vfcYjsD@X`pXn~L5AaXz6lrMs;Nxqtv9M$=q!G{8
zKMn0<sH_Zh-Tk1AgH>X_0%c3EvoR`ByfbmCnpAlDU6BuWHAyiAi=9OJ#=H6__?b91
zH2q3m@4-8l3itPk7P0;1gK#LW3f?jFd}zLU8*4(-B7(Jw`H$j;^$`Pulvf?k$JQmx
zcK1FUWFe98<Nr!^^OtZZ>!;<OpW!vAVNgmgC*PU<iFygwi;x`6EeS&fU|=s(pCD^?
zBd1OX)E8Y3+b#!r%3Z2Jnb9y<<Yt@F`6K#4`5(PdiosH$K_h+?_9elej2MEqM6NAf
z_O}U3T<J?O==@7l)JIKUS^4K}vhl@qnx76L5|(gLSTT!G9_qaGVEE3dOjsc;rS^q^
zV9X`!zyHf0ZBifgziX1jTYC)X?xA|9qJ%Kg2ok)C$;Q-7r^>0!QAfwX02<iL+?<W%
zgCv%K5R6^dV>NpR!oEJ}X+T>_N|ZeC6qSXUS%ppsYH~O4tMDrol7BuhBW-L<L&_&X
z@Moax%)dX>l6A5wCnFzUY~xIO3|DVmoi0dcGBYzl;{fWAT=g<gBBdB0)hVAyc%WI2
z1G*O=NTGKF%pNf4si~>O9?&3!b`%<UNF|0>9rWCh9PZH2?#AQ=C`~+rp!!C;`VI<y
zAPN=e;=X<RW-(r&s;+Ls8T0+S;K(x|UenXl%gf87qet^JD~-i7iNi1jmqp}sZ)#QA
zw*&ju(^CjU39{ko_9mmEf}4>MsJk6tH{`GU-Z{F5y#Vy%8szlk<eAy#P^d9X7G__o
zB}ZP9_4~(2G9)T-iB*_#dyWKu`67a<`t{XY!TX?{D6g(QgU$k6CNwmZgoH!}ln=qd
zI=Z^R&{Et%2RRiQx#>VoqD$E4&s{J0k7h&JOb71Vxg)ktN=CM^yc`u8s-UV`{_4kN
zZEfuezu4IENEV}C@0{S1-@g4(ZnLmxdgF%Ac%{R_{Jff~s+X5nSa>)PlH<RA%?{+M
z%X83>dE{g~W4c-6xK;P-mp&+3pnCv~IG|aUVALUZK1XeCZH;C&cmZ(&vJ^0Osn<78
zk8FgRfM)`M*R{(}d()(#L#nNuUW8zaQbj32O}=b<siC~3%g&^yu(CBk^35B@z{X1F
zy)3vX9D&n>{QQlnDJFQZ4<9~&a-igOFV+3~9=Oc*t3&*5$4yzYz+s0}0;yCB;D(ub
z8|Dvw85V;3tY<f{RlrK&0MP}L06H(=nudpm-7n5K!dqj3sDdUFq=kH~>gD-)D!b(E
zOMQ>BVBVoW=<VqV*a##PPE&PWfI@G$neML+gVZM=Fpz_TBfS4gvA&oXs$c!|mLrT=
zdaW5UQuLwr7)Sv+CM2JQ^#v`)n2Q|fm{Cv&-^b<T=4Pf;FAgfa>M#4~b4g`c*+Cqi
z%k<1lrR~!6{5(D$9wjxVo7)*Qkf2PkTkO&~+Mav<{JBu#Cg|CurKKe!1No0X{G1XS
z&u~Ry`?w6uHgKJ7f$#^YAX4%HQ>n_zzL~1KcAVUYvZ&5W8VI;CMcmG=BxW9YcPTx+
zwkT}9P59XQ1uCAnqN1V>4i1J~sBZ;9^kfGu$)O>YG<^^R`e2g`nX!|nBqh}~HGMce
z$mGnd1gbX+L{S6`8W15Tii~7rWrOnb^8tFB%Spa``O?wxu*7r_q)({iyV9k=y@%S~
z5_<690qi(x<j8&w3lk4`Q7D5-4jo!(3h0#zxa_x0OvKgjThEF~O2Wi%A}8tIr#_Sj
z>MG)R5q69OrC0wHs_Y$xpBU7p31_&SpP$1t0*MZ~fu^>$-Mu|53=Co}Ykg_y4kXh{
zOA933i`$|%Zrp%YElf}NmoMw1Wlum6F|Z!~M4Ob`)>us~%GVbyu#ttG9a=c#o_C3e
z(o$3L@bN!h4~mbs)YtztXYD04_4djQ*k7>efYICD*(oy{mRD7c{QP;honsPITYu)F
zFzHtPGfwB-MX0EtbX9)&@*y>KzIqu05P4sips~j1Qd(5B^X?jk{+=LT45!rV&qXMG
z|A_B)uMdY`Yf|nfR`WQlLpYj*QlO(_z4b{g9WCu`bT8;v!J?Rd!wJs~52Fn#O4&za
zl@69bio(EANk%Zf?s-@tXMM1|yi6(ag%i3gQBls0jxqdhQS8N_(hwH@33KOrUE$?R
zR+GL*!0*Bm?}+0&0i6vtDk?6z*Tu=?1*`x)9i8qh#cUuPd+K1v6C!uKuZSb)TcEYB
zuA%}hP1r3J6%|p4z74n+Se)<=*RNmS+S-!8l0ddcOGlT||A~}OZ8d{9r)o41y;u7+
zH&UB>82-gATf3_9>i8*Eb7yB~W1|u5EZ`oO$A0!#Dts}U*<bxl#F{d!LUzRzqu??(
z4~8JNKYG`-y9+eJgPG#3qz&Ke-X`4ktQ%W7IOkXy)RXd|@;{~8Sxj9nw4Rsx*Npjk
zSo93V_Jy6Q(|or?r05eu6?InPl^G&d&(WgyY41TA+(kbU&Jb@+c5r@EyH~EStP_nq
zT`!rSo`w!BK;CKMBz+V|U>u>+`xfqf@!pz5_zeO70b5iQyTz&H@yC<qc%zS;9k`;#
z6)4_9f?uSfmk2L-bARzpY2w?TzqRs0eYi2#>)BZoh?)K^Khx@=usWkFBRNWsV-Wr(
z=r}nn6x4WSs$x*rKZnmsSbse%WW7ato0a6U;CSKkm<S@z|6h~sUl&6$yd+kafuiYQ
zmB(xw8wFYZ4}{5(`FF9f!i)yoYJYMb#U)wM3ye{-6FWI`ZMt~0e@ftK4dp=^e-Oww
zKp;U3QFvxeMVtO-igW%*ZSpb}u&P}sokN6!m+@<>9o7E~jK^gF5PDOB#`nxlN|d<t
z8t72O@8Tt3Fm@<<=P87KNo`f(#3jNC13l`$0GijT6_{NS88(4`KKce|nWcmp0IYO<
z2klK4qkbD)5la>BnlORfR5ydH9sSD~BJm=}s_vmzr5?V=!+$Icv=xRctarL|UK#vR
zL}$o2-u;7H1phW8|2aqvb#GB3uH8rb=gecP>Nc34E*Y^I+gH}pt6iWHD<RRES`!_-
z<z2rV6R)ij-t8ML;EtqkA1`T{D>f|vsECF3y=k`4+}fBERI+xSxY&)f4C^_I>Iek+
zZmx{L*~j{2y8X_2gAX}tp12grq;2?mGo*2Gp)zq*4+d=4NK4|in?_1pUXGUK<WxCq
zJO;w3<Q7sb-gkvwolsZ`4-ZBzhZEuY9{t3+JZ5N!EiJ8~gfxr}DifE3xES`eUMPJ5
zzerS<sEd9gsr+Uv7j(+Z<8WT=Wb>H(AuH?lmfrb9b)qLOA0MBa8(-$=5<r#QyPRKn
z$Wu~M=y-W8+9JGwAG3Y)yMJjaqoJ$ock7eJ&ge34QlxyI)wROT!D+H4)WSj<)ZU&!
zDJd>+|LyHAmE~BYB`Z$~LaeNeD(x_eOV?Y0>$%SGn4Z4#f4J88`1-khC@!mneVFX+
zuPEny0AWh4Pos+Z=%v;#=AmXU3uzK%L4b4p#tky!=<~Ca&TlRU1%1ZJ$ueceQ@b;P
zEYPrv52H*V2EI+9S8LL(tb5c&?PNbWoMHUMAbYUc^A0AFXZN7qFaavYX*&>x%rgke
z9<umXw6q%oxuVZRNP{s&3Q^!*rX0_XSK`Mju5oi?Cn-wB9J+}$)kap!KC-nU6ta9s
zKoCAreKOR$Lvcj?p|!-;y3oeD5OfUetgH$7Yis3&rG9H5%(gLJi~-d!T%)-qjMpTS
zkC4ng7alMzt-9gUnRmGaeYuPCF)eBSWLqRHJ>9X{C_e2TT_E9%%e>@tDD{(Bhik}@
z#f6=dUH<0PvtNk?dO+pC+(R7=Rj91iMC#dzI~v;2-2R%6Bon^?E#sT!{MwGz)=Jw0
zi(M}a4n5uTo4M3a@)H1KvazjqC6>Twx@`VdwYJ_3qjmT67O8OzrdN|UQM@>{;bY&I
zG+9m@%<r^Ynm%vmSV<MB1pemDW(4q$*RhsM>`XC>s{e-$^!0Utg>?6(m6!>w^{1_l
z*v2x8wOS{Z<=JN18#r-@i}UyS8w6*^Zm0WeN8i4c2%Hsbt~y;;y@rnd5qLSvv7zvo
zdp1CoX^ag6gVNX#mzk6Ez*D2#I{oWc$HUDU&mb0~TQ@Kl2U41AXUyw7H~jsb8813w
z#9watpKC)AAI(9=3etn2g0R`jmU|_AacxbGEGB*Lpf`Yb=i%YWLACQ<UJQS8J3S)@
zhui+@RUbWuJvxrpb)-y5@qLrxpFQVTp8iWov{b0wf(Sb}+f1CDZ$AO8`a{ptGl$FJ
zrd;lbgqj*Hkjdw3jRSM@>$BNN-~9QR@RjSf(8Ls$mafUowX-i3%qd;!6}=@?;jkg7
zU8Iu3ZmvN`-~Ow|AXAZ$n7G<0l$g-z5Vl$r+s?(2Xba!cUtA-Zz(gSKty|3Oyu8x8
ziOc^+2BwrgSOA_(I475Wd|b1-s)E<;c=>Qk0vJ(&Q$}HJ?arUc{W+?afR}pqK3L)Y
zL;ZV5xXB4=S4_f%>y;n};L50Tk>_W8h^qLvZ~4h*hYI{CM0WLPG%D?Xj8}HI3CMIx
zvvGw^U%reV8R--i=|n_)pi*hyN#;&xWWnnvKcA7hKO0OzFj8j8q*M2bubL{93M*Au
zOgjGRjllUWPT-XaJFEjqNubS`xxJOef{{@0PZ`H{ad<9=?kRvrpl3aUfTN3zS&b;;
zKhD4+2M82@o{^tl=CI)#%M(~Qyeb{5Mu3MWfe7~t3%iCS5^oE&wM#9DutzIuYSODo
znkY_8Xzs6~jaME0E;Ja09S8Iw8s@zRN*DWUR=`YlbRc#c$Hv~Bom>EYt|0UwIQVTz
z3FUaljA}I^mbL^hvr$YSt7-1MvNAF8sewU1(7w<I!EW@k$jQorVy@hn(Hecz@!oNg
z_-%VTJGSU{Y;+=g;Gw_29oN(A?7CM_QE|LFoFWyC&w|HpZqi$ti?Nd&CF5y1_U)Vd
zg#{gcYhRy=Ns{Dan?89LW*+tXBcXYDQga95MTYyHO+2kq(IYj^dm^#Ikcd5;lMR-v
z0q}&m3nyioD=M;)|7vb#pqRN>poJ+NDX}RkyEyo%1GI{d4_Sr%+T>_~+p%k&^>_Jf
zkX6{VeradW7?RV_s4(jE1=`-t&1Ganjl~5IAMxSi@d?m@tc{eOX2Z9tt!6GoF#yD^
zb&D2lO@~rspiSC@Rz6UUbxn_xd!(YWGBxG&q{>Hd^V5FF>E+Z^19=>$md{g~75)Ow
zyYG^d*BZ&nC_FW4<EE#&v)1`3mwtaY9WGRrItX!=m3Qgs?%waq%x?P>8Tl?xGj&6n
z%oKb>&(>9;@GvY=r6J4bE<z!q{YOehVl`Q#sqbl0=1@kQwZ+888zB%=U+BBT!W6~D
z4{DAKt9^ZMDliMwb~QD5w9cV=)m^zUefzdTODpY5)0ZZS;ZG(3qg$wrNI-2%8VHK+
zM<d+i4{4S^=jQHx)tT76Z3g@;;NWV9Cuh_37u}cr2rM5xek>s_K3c`)49_O79_;R)
zbb3||T=L4GsN&0)hK4nJduI>m%(Mg0KbQ;`M*4_mKliJnlG#sJ{}uPk_<joM=f1dm
zd?O3PMgAl_*dS4@uaA`y`$l2v(0x1?11tSf^_5(re}zp*l+mwaX12IAymY*$FNEr&
zM@m+^_xne$hQ*|KC;}DdB2j|CA#HXcK5%iQBsO~VtNoe?<-@T^0Rh?N7Z@!;YW>hN
zpqAO+7<Gt>j9h35yXk{-VPR<aphDTvQRCI`SKag-9sB(Jd_c-335*P>lviMrFza_r
z*DFv--=itPJ8FE?GBUE=7P;nrX4l+d@oF&dHt4;;FS1I6hs$EnvYA8o<Cm}SQeb1C
z_V&SsdT(B~sXWdL6Pb}w8<~G5?+}PMAR2SEJ5*~BeD#B6>DNCY0h-At%FnKJWtaR6
z_wG_l%IB$ko81Sh4?a!Fe0=WuyUtF?ziKLuigZ7(o6Biwb;Ab6Ab9XRej+VN^~Vbw
z%ldl3^na@4xNRLGakq~aD8M#!zN+e-cIDDI-tC>hKpB~44dexh{*0;yr>wTNCA5IQ
z&<$&-Z=v*wsj42$w|B1$xaCSys_@_b7b0t)(K|$+&;L?a(BmUUBo6-HCcpr{qWmX3
zg-<|{jsFjW-hV~jU)Pxhh2PpCB@;yV|Alt@uUL~1<HqGz{{mu>lp6Aae+mNRH~(+~
z0#x?*x^n4X2{BK&77=<5lHcn>c|H7>M#JM6XhCLt?5p4Z8wyAH5906tklw@Wl6{4|
zkjHf~ncho%Va7^d(}a=tijtdd;1E8;M|GIGI%s<bCCc;PiWL|8|NAFSF@U-W`TGBJ
zS_QAfUjyC?g#U_(ZvyOd>hBWyT<51jF}e14hRXIY3Ie6;YgETO@cw}{2qa2GL`0<)
z<IW&y0wW<!SzKIPhi<_O2?+x{P*51Xc=0i$#25cdg&uTy{OVgeI~R72z;Fasn6&<Z
zCh%SXsiKlxdI$Ig^-6p5+?SO3cpAh{Z~To}<&(OBf?{V1>UUn!4Pd)?NuRK>*+DlM
z$f4S^eRUGHa4@K->16U)myZF3qoB|WqGIlkPy0YAhflATGExJ}L<PA_fVP!QR=xj6
zNmpXrodg@O*tlEw*N2;6_&D2~y5h#c#?}wItCp55yOjap7d?Y^cWp@nIY2!QN@sjO
zyj!>G`evr5ZxIkstCi2Lg8=y!>QxYAO_tlFt2_kFKgj8dN=t#Qc>DG((5^{d&$ay;
zzJf5#!vlrt_t&qC)YR0(#L+;MDk>}cjW4GiSk>zWVah+c!=P0)^aI*C4QYVAKrozI
z31Y*^YL~&@-q7>AH*ZcYFPj(|vO8_he*B1@sVL6JAS4EYWnim7Km}%q*0IztlcS*S
z4<!l<d1HR{Z-sG%r`p{8r933Zos(Ads==QySFPk2RE?GsRjOKA9cE7+Jpyg5cDc0y
zm_V(q3xS@6dF|=xK_$n)r^7|P+TGm^ED^NnfbIZ`BxuSE3=E0|K@QkA?j@A?H!4*Z
zNz(o+mFkCQsO8rX6cZzf>U6L^4!UhL@=KR4!5RbZ8XFtC(tb_%T_T$+_{xB^yqWvL
zBnXHU$g6*OQsL^GdwZ#sWB^&WXPa4tgqnW&-UbCd8L#8_IqQSfVTux(%tlZV(}E%&
z))RR8K%t5&G?1g3{Iv{-)+cOP+(dXNBdC8h68?mWj7*?XfvcmUroM6Y>Ko1&n3$+k
z5&^{6_wT=b$PitFg9n?N5p1SP&z@Z!rvx&oaVCI}rJ<>5u`QCtGYGB&Br9kE8T(s?
zHRXZP-2lDbtM49gy@lCXkVS)-xD_Y5;gz{LeFbto0Hp}LSUlX?`PoOZ`cR@2Ff@T~
z6bw4hk_Wv|l>7OS4?aI|x*u**M7RMc&dtpQk$81gRUE$?4e}xFVEu#Y7HL?Ok+B3?
z6Fi%;X=Ol!r;0#9MdSmDHKKCx3nNW9Wc)F>A;G}~pn?X~I3LI&{-R^=Vf)}`XJwg;
zSFpK_=cuwE9ctK6xP1Ib#QElxnOTm?Wojb_@#EuTu)cr>n>xCE9b8;;a=}2^lCcLo
z&AA1u_jshf9=xm~IUf44^6z)S^bFk%;2p#1)eS8zYhkH>|Nb4QIQS`W<G#b;t#dsD
zpmc=bAfFxLtO4AmWQ-@Sva<5g`18P*CNH-uQGsCr8pNYv73_nsaq_im**Q3<Jvq6!
zyu7_do;|B_-fMwnI6fY$`c&vX?n_0*?i=RdZW`w_X!#6Am3w^7ecjz#;OWNCRb5_B
zI)P{U2>!=f`?aX(XkzjdFksnM8tW90P_ATVWIO_z?nX##?Ar8nong_EJp~2DgKabc
zL+#9`0AT+M(Q65OsgI8jEZdy8&uU?PGuF1YymrfXiu7P|!R>&zU)q-eogagGNGp3H
zf3bBaY*E*s&GYHgCkhdNqz)B$#g2FZP-q|p)RpDsM<*wsJBNp@NlJRa!UDPv4mvtX
zvx6`6>Of!8sTG43t6A5wd1Sn+i;<o__v=^L;x`CHO>pqd@K*3xfd>|-W4b3#2x#f-
zM44=#v%eL@B_-uIA7TAB?l+Kskq&PAJ}~9HU{x+IW(C&<X`qprnVGKcgZ+oz{`@^|
zf7b#$L<W~U@Gk>JZ3ck_CJq7{8XB5)g&#Q^4cFF(A0;>c*0xygSq$w(kzD}eCK$_X
zfK+#LbA$K>5yTMe4`pCJ>#cQn2Tq!Yr}9bdsr+uJYuh^5RG~H0+R>3F@DV>~OcR2i
zdTCo%*BkILCo$c@!wVo{15j51MkQE9=U_{`a{2Nvbe8<*(T-qtI@(A^fUFhb!y;H`
zApn9EPsnuQ-zni^Ie~5y%J(^Wc_7B~egFPFOdkj(z<2^yLWq-*dMSS~wgR7sIo3gC
zAFdXbGlMi5i;}s49ejFag~xI86;asf#1|qwijDo`x?SZGrhC9qHmC?am%+V^;$g_A
zQO#q}%x=+%o%d8YDqxT4YiXD5GZYl=XMbA+5!bk1JZh^(Y`7O8_y%l^>zXW?1GTak
zXpJU*{S$k+nvA%15NE=D6$R@jU6)nA!5r|m2Bg*cugts6aso}eaN!dFN-m-ZqH@jg
zub)xW0A-0q+v##)dol&YttmGyiiZgH60^rX;VGjU2u!P;zd1X!IH=dNf1J?#WO&dg
z_6i!0C~&%h2fGe25hv#Q9Jf;j5VvN+SL%6?#T&4xe}OmdkM$u%%-8?XV)gWzg?Llp
z;6S>f9uZaYMqc9%U}WOIAIJb;(BsRG|04)?jaCoZF6+ZZkau6m<Uh?x4Cbj;*4IyA
zrlf~epOdr9P3m!cFp%C3aDt8G8Y|sD#vucw<OvDifl;p$a$O=%+Dt}T2pDK-vx|oQ
z04AcV4h{!^1YTGuzv&#Bm^g<}=othS?0#_#JCDu<9&T<}J@UZk_W4q;;1tIRX!Xho
z{(Sd8?Psq;R|IJJeSQWX=e@Iy<bU6tE)x%ZkpYCU9R)dgBETR>)<_kx^eeOX|Da|c
zKfHt93)ThJ*AMnIUH@vOBXR9!K6sa*Z)n1eE{oY}^zI+;$P}-)<$@+}y>8f-F9Q~=
zC5zDcf}*>vZ52#R6rQKx1i6O|6aX(Zb-MKE+}~i77^1+_^QybMJ43jsg~bFs{%vaM
zuC;9*b_$C3^}2Hl3$$dN;F?mUQ-U6DT?phMNpbODJ5&fqkk>6nOLMoSgh_sENB%P@
zY~tw<4!bsT5DaJ0mNn#_tI*1Vmc`Q25-+KYP2w3XJNv-kU>WoTL0b+dRA7OF3l;T)
zudm!UittuA6N8P7O|dW$QWA7;q(K@ET5EI+=&rUn9Y9in45L`62~*@Dl8oOo2d!#A
zAF66<r6&C*GYtW@2Hed7uKbgIeY=$#H9PzJ;I29Y@G+OKlO8oaJq^b(_?oZwXAdTe
z2EurLVbG*uV~-L6b^m|qjvIb)`sC*aj)~}!5;mWoXqcEO93CJ%=jG#TZ*K>OC-`&f
zi~k*Bb-!w9ZAG3TK}3XvOJxv@z<Xjd-=<paYzK#hs0@YBgBjxb)vK<Dn{PW8Y|6*L
zi0`o2^`oQ10>CgayV>UE=GT%E%~CT$1z}rT(5KQPPPZB%LmL?wbO-2ie1*2!K%OQK
zG^O4OGD3y`***>LRpi1QPh1ZV1X+3yz!8{z9ykrb#AF#xK!BDPDCr-TcQ-bsL$kKH
zco#hS0I49WSlQZQVq@op{Y?1i=l8mU#{Oat{9bV1AZaCGG4${AIN4hPv<%DS9FD{Q
zV-j?&y*xc*xb2n!H-H<*>dhOF@wtI>B2yt9j_CNlumjY&p02Jp9JS!M`5U|tS{1fS
z&=3dz*e*O>X(^Q_#NY+^3E;`C?QL%OEihF^yh2*9LqjPlyl|Ppja{HOwR03gkA0WX
z<8e@UxU!~ZY*bWKP|)wWIW`#5+1XiYnYd!pL5t<SOz7-Vdzwww@Nsf}gAsp!9cu(k
zOUA|-Ie9#;hhISm0LC*wzK5<gr+-SYE|O&kYkq#F5Y)xQz&?q94l7g@hu{qo8y9Q6
zIGhRe#0CEcA&Vg#*rGkY`MgU*^*%1hA8etwCvvH`3@jr~yc6IBhh>a7oVo#73``Yp
z1jO@a&sf3L1?2pd>zIxg=Wf!{pK^1}?d|s`-7nhbtQR`tp${w*pYz7XCRq{C3dk=i
zD=S@`oB(&Zlir2$z>Ix#U_j}7O3Yj?rwyE4VE=}ec|Pn%*cISqUXmY%2;z2nxCP}6
z8aceCrl#1O2Q)g!Jq%Ut%@RTJ|KrC$az$Tt<>`DoF#xD}QDx;p=;*!}7efVMX%dGv
z8aY%+5H?IoJ8;{>(j_C4^7FNmJ(gAgW!@Chs&Wht3#-pj&{S0HhcW%D-wruCwA~QA
znt+VN9^I)yoQ*U$`(`dD2l7Ag?CPAdD%Ys!26OhVstMBaC2VK62Y#~WEb~Y^QCJvL
ztT1ZuNYYS2m*o*0Jb)Z%n~LCeL%6@&LZz0IS}$MDuC7X!!PZ}&taXRW=!P{pKNLYe
z-BD`a{6=IK=ReUSFqPorOLMPG2Ymnl$|n$IQ;Lf}t7g$bY)ngEzTFxoB`Ik_#OT(p
zTYw7Uzfa(#Il6EHfdV)alc8(>^C#dO5cjr1Vb-e|6B7eozKAU7#^1Vi>yF3?oB{xc
zj@;vXBWODV>zdnPU9wl>g^6DabZ`AXe&hx#>-dH1$yymmSsq@b4z|rSwNalgP64z-
z@pxp{I|tAxJvG&QvZfkv8yA-oV0`d(%5(H=`w={0c>EZS-WjfP+5w|eA6Bh*d0~#n
zbBx3PhV|$K1SUaZ&^m{XqyVuWQc-;g4?j6Nf|zYNT$ox|$o%;65=39QA#U<#GBQYG
zAw)y<BExp5rH)(?Dk?+plu$hwMK#IGtG}#Khdm826x^lryYaAkVWDln89z{K0ZxVQ
z8R+T9%Ph66t(nK`{|8eZDG5@1b*1{}W@?{Q_}bdq%*@Qe+Gyj<mN(2ah(TbV!%Ay~
z!TVNGflbJ)zcpPCx#nfjUetU`;bnY!D0$rG+ahbvj{)1|K}>f$*$4IC9P(6!5>sUk
zjxva}ln)=a0Sabg3;Q|stFaM^xuDiL=_uC6yu4Kq)>}MD?%ut7`?d|7Rs!UJ!|D(d
zWGR4qjEu6y{(bmi8<CrvZwk<3V`JT1T?g{DEzQiTAjSm{a{vJVr%!bIM5B=_q)8%A
z20&b#In1eF3i$r7$xXLeyB(&_4XT2*-t<m5E~nqjw{xMgq5>ZuA85!-RXj=oWvHD>
z05uBUH%7&v=fDOGEO5H{6A}(9$%ni@Y~ah&YL*0re~6c4g@o#0kn|0zMvmDiX~vZQ
z>PSCMRca6e`_={R^NA`aVWfxmT|q%Xlp;us;7Ey3+$2V2dn+r|3fsqLx&pF|V6y_#
zzF4>o^6gzDEesDGz)-nIe6o}t4|y;b!T0%8V|ZeshM|T{)(E`uFM7$p*Z$iS-brb-
zHPD8x9#j(p61;3(a1s^o`%B!Y|Asl9R+znhEsknsZM_VurTQ0gm7{cd7=wi1>zn)k
zoBd-XZHbb={~zae{na1;Pk!+~IXxtKhx`yhx1K`V|4x|wr|J&qNFW`dc>Hr7SgeAI
z${}cQr9>0ih@>3YqOM%ZFhYs}Y^6cw1gFxNRF6Q=j{P|WM?XQS-uJ?5Fkd^KQAY^Q
zh48C~OiO@zHEF|sWgwtlw;FL)p)>+glqgQCBq+xd6LkPUDCelisj7-khKy(u5)#tk
z(+UXGDydO>KBT0CVon{jF%c2Apqc_!0L1N{xcu>*x&=^*KEse0&j>nRfMog?ynErM
ze8m5lmUack99;R_KT!IJ|3R*1EoC&dx99pX!ghhvbL#$(Q0WMB;9x*Ypi*Lj2bQrO
zW-2OgrvnH^fn)+oMZUl&NJlcKe)|@I%M2k5QVNh7r{L-bZe<t{a0sP@F;nJv{hT!%
z5(9v(-~TNXR<(c-2Elv@br!$#E|6kKQf(9t5z!ATD=6T4^V<WC2?$Wr!JY-TKZLjW
zoulPnbmB++OsuTPQyUiAqm`47t@ac^PpK(Xo~Kd14aZQ$^0_D>m|z{@!%-{xMZ-Ya
zK@6s+4`@AeUmbVScxiAVuz7-c!rz9;lSBtT%Wszp?h2`XjQU9YQ7z3^%`h!(@2<F4
zR1zW=CEWVQHCfu1Z~Rzawl!kbX$aoMzhn^H?)h~7^qiBe*6FU{cf!am#`uF)0dJOt
zv4tqpyc0(|?y>Dj#ECfwpuj!K4nZ1v?_a)rf&C4xOjkJ2M@J{o%j>zMWE)_r)wMN>
z2M?Y-2v(ufDz{FB=@z_ym(8RPVv2Fp{{H?ze?Qpwq25e*eGDKJih2NkU^NH4aT^xS
zf*Q<7VB-lKXL1AcE(AdmJiHPh5TQx{DdE|Iz=h5<93mxSZ2U;77fKq>An=!xk&!j0
zt3W7+u!=?wT0&N-GU9SzhQJgLo=Xt!T{Kh2f2h};9|CCPdU19DxUme-B)kQ@$Mw1e
zpFT;8h<NLtB2VFAW|n_i0Z>u`)oFK8uJUoxYmhVb!hr+uzyPPCK`aRPea?*n058Y@
zA+vp+hybCNv9TivMeFK-TQiDxoB#bA?378#$?EFrkpX}jS*0#OO9(4$-ntxM`~+}9
zHjZ#~L||Yb6w{#Ua+q`*oPQ4jxT?JYb;vPrvH(;FA#KIvJYsN^0yzjhsn_PK;JlEK
zQ0&@CD4j-zhTw_QS)OBb_1|%*GKT$G{3##+S=%kSSH=T`hSrl-EkaXU`vR&KRw)8}
z{E^||weiaE*R61D3^~3Z)FqIea7cM0;^Nj<SK%atJ$P7nr;n#6<4@pLIJmeX)0QAP
z11|_?g?xAhCX9>mi3ubwH1Bwhs>7YG?S2-9TL^N{0u|SjeRFId5Rtw{&NV1E1<ouh
zUC&RQ{#SW#0?hUL{*9|nk%UT0g=`T;vSuw?6e49QOOY&zl6@y~NJO$`ElP?IvLz{z
zeb1h3ktJJpp4SI;I^T1?Gr!;bXa4idJZ8>0&54iqdf(Ue+AjPw9N}T{?{%+3_66vs
z@+G0t9%Ix&MXyjhIXMZe8`}b2b!3@Pk^F%R1*M{?k&%CQH_ZLe)lLBzOV-LMn#l34
zy&n;A&}g&1%9+!rbuV3-XtVA}fBABcm_tY`+xnp~7<fq-;Ca28aVm`02oPr3G(4)f
z2aw#NAi@dcJ<>`_OiaTgknfZy%M6j6)wOGa*S|<X;s{m~_?;{>&<k%oLwKj-#7Q0|
zB@Hhvjx33Yh(MW$9IDplW_HIPR>b}<ONV+jv$cl5&&3(p6}YXZcbdLvkVqZPv47Y`
z<Hw;5D>RA*yXt#LSJ$s~1#E(<{HB}Rz_)Ke5T8AN4ozSvEj5?6ymBDk6>eQAtYZHD
z)#xd)W?AAoBbOoK$c^}N7dUoMpke7~sI5f+$hj2V_o(b1Rle^UC1F4v!|Lv{liST!
zLHP`JWaL3%xug?!a=^+5SMiA=UI77$&6`DSzVBt|#=)T6Lxx=0dEBWn#wEmSkucz~
z!#n;1D;+9NMA{Vlfc2w-U#Mgnpp}l}<XK!lb@iRWrO-+0os+cf*A;V<3a5&D^aufV
z*HG6$(T5d#6DjHGyGy_gQT&TVbzHWGjFOrD61@KL@$sns|Mc;>6!1nCD`#UPp{0N)
z8XY9!4g&Aqy*5y{Uo0vgVnZzPNSHz)BWKQ14o^!-01MLTwvhY*xuWs7RO**wRNa~q
z1yiMihp<Zf_>ip+HCm@89>-wGuB(x=x-kZMpT)XPA@OHqWII|9z`UX&BB<?<8)g)C
z+3K#yZ3IX%QQrnEhQ~cPGExlLd)VvWy?e*MPR!=}o2Dj>v4?4CH?Ch#naJ9Sg%9#9
zPe~GP9v(e@bHP0+>YA#m4b9EQsINr_5zQB(cpX8JFiHmujWG)F@&@vzuXT;a8?<-t
zXDs|w(v$tQ2H+0h7Y`%@DtQkWI8SCAwBm(bqcV4P)en!nlym;Wi+?}+!Go6O<^j1a
ziE3O;lFaaCV_h}L*-u3Z8+j<j*RNmMXinHw;$%?X4(IFY>VhhQ7@T=-o5ThRy0RYg
z7P9u5ngEDQvAqz?<#?;8Nj-{+ifV+}=%kLN%d$;7g*M^=DBIkx__qF(k!*ywdINO-
zE(2`d0Sm}A;uaHIMA`fP{d=rZ@(&x50s^+8`1JAdLDPvQ@3@rIOO41f1cA&p7L$^a
zGCxc|k}e|eSC982?>d4p0eM2cjCB{S@zYB=xy9jOVa%>5%XzL2qdFtBYp~$siNhz^
z*x2A1UHV=~fh!gh<J#0zUCk{dl#K`~quyqPU|m4<cjtGkWsthA^0liA{wDA`ta;qx
z;!7YD5HiW=4&|(@E(aG^u<2_A0b)m1n@e_cb3>$`kdP2=-iaS_va*o+2Kvq;zsthh
z9M=9?bQoy!A$-S=G)u9VQOfisO0P*#FLS6S;t~wpPvp`7^=&Z(^A;C;pq&7%AQpA1
zb^<Adh+~psRL=3#$+fwT<sZlkuI^gbHwYUjzf*!GyRWAQ7Z1x5^7qh*NY7rrX7H({
z1zrH$wEjC~H#g(Or641F`QpV_`EESfcGyuNKZX!KL}&A*?=$ltxKP?~2?>S8K0z)V
zM7hxEx@ypLp%*|t*`mvubs--p2$zQtq=7ackGV8sHJ*B;KYcI}N4tR)r)BV2Vqy*w
zBe4^sE%yX5gyX{dw2_?LX|i6e!=`KV<*4M>v)+^tCezT<FEyMulk>%@d60{%1061O
zjMz#gB_wq9^gj5|sGL7PH`%B|fZ(ysV$r_zdT$9aHy<A%bOodkdPKlj%?l)B8~P9R
zMPMgt7=CW&vSV{IsNd&2IH;)(XJ=^tYj&gX5kSx&UOF7P!R5<9un*uFYb!JWH;I2>
zngA7vg&4sSWk^i2BR+q=Wny9ieI7Cm@cIxkjQVThDyd>XG(zW(fP!Wd0!u_VZ{7}4
z#>~`I<jy%QOg5@LKL<C%GyaGDU%$dqq^zUUQC0OlSjVX!2w1H2ZM-*7Pgwxrz{ULb
z^=t9TU|lp#=tDu80Kh|o1MxI?9rwH2IaK!uS;$%~p(50Nb&Y|G3;bVkTiXKOHA0br
zGC5=pBxDf~JODx)NlDMWc9?PBxQ&^3%qEwB#-qx?XCssXP>E)~lW1@$OeW$E(}$ue
zar9OW4)e$ieI))TvcNJkGr#!lHM>iGqn!{hi`CeFe)?-sM3H?Q=?~&6suMphG8rK{
z5+KUd`1o$nvCX=t_qN^W4S8^rc7(Xf@glX$GgFQ2_(8nL`1(l8Nk!=VLWL751zuFJ
zad1HQ=NcTmW4sH@5#HB5G&D0PY6)R|^bX%$y}Nc$QK4B~1b~MyPj=!&8b<#o0QFG4
zV^b;%I?ru?qrstc>c=%-o4gNo7aSvP!zHuzBNB;EH!{4Z<tiQK>?+*=Nr6UNDm(Ua
zYZz}(6DSbJ`XH7HH9sMqM>j?A;K3odQ$XLk-^DE`ZSQtcMWuz#{Bc6UetUa;30Xu6
zA;jpB+9I)nn$FC4{%!twLvjA`JNKuYU+pzrT&lFOC>2tpc%&$uO*;bhX*3~o4=uYk
z>OFvSe6*!JyANG>gJS@yb6Qy$bg<p`&jl##C?!y_ouzlcMuohkxNdsdOAk?>qVQpx
z)*=3Kxq5+~vvsM{O{_8(XV~{=<4il<qZ|3Gq~BW!)+z#8uhAdL(;w6@+ajSrytc~2
zVq)?!@6ywLHua6p*DYkPe<+1H1zKjPC@$46*qZHfJX@<w^rTz0to?!CYoj#f+2OG*
zip2SmBx9es$hW6FBS^7bO#Sqt&8EWq#vi0uCC^+Vo8Y4*HxzzJ$awy)8_fpTpU9Au
z@L~~FiL|KY*}LE2x3nCzQ6rkfMrguab+(p)$Z+T7HN_HVj|yDquU8u-e{zGcPrl7A
zB|30ZgD6#Ld-P_dz7vuIXWpe+E%%^DBd`-Zwy&szR(;p4e|*b|^yI*q^@i)}vTE)M
ztsW}0F09MPMMPvCvzk49TYqR(O``FHv}(i3Z~kkCrhXbLY=r80`g=_LLz^uz758t|
zCH#q>K?^(8J2Vt=@7{Q;XIri<PjD&BdnlUhIM<<40TDVj;{aVPqKtr@9BLUKAK&k7
zjIXIDH8rQbV-b@ab&`x|pa5s|^KhlDPitwlZ7&3zF~y<!thllgo$6D+AY@l<-TGx{
z$Pw!ZDm((*{Ne?a&Eyo_<1_G005v)BfXXt77f;oJD+Gl;`gvSVi{03EkV^XiD>I7J
z&;~2ifOuq3%c5FCpV2pJqsb`%KqetUj*SYq3gBNdda>4m0^~{@K?}pHkbEv36==oB
zj{`_pT?F$=LWtZ2v4LWKq0$-l+$@Kg)cpK>bXnLd@fV7<FDJ58leNqH#(~nIC<Xf{
zHaD0?0M_m7fSbZJ;!DZ6)eFQpwl&bI--d??<T6YhC~Pk2>!;5Mrg8&U^h6Yu)4Vzx
z6}#B&11mSO-&lx%1WbRxx&{OcIj@v^_CR{4qos8f!Hr5vN}8I3U0wIk0#Z?dnn8^R
z24L;lwP32jAvpo=!=H}b+<>a^yG<?tY54Itg9%AuSePS`ABg{A$-sgNY-v9yC;7&W
zO=y#`A3q2W7e*u}x&?UX<f5*C=)j5qn-nPBjt*yBT2S678IVdtpi(rj5<m_KZneL-
z!+s=>KT4X7>XxTxrq>ZRHrZ531%*3qX%mA@D*WO`3-R?G)K<s7<m`zn<bK(!L1tkY
zLRrP3`z$HJKc30Wz=iPCe|}F$*mXU6!PL}gyjKC65LWu9PubyfLEheFPcU98R4kMv
zGCn)~gM$T(>z)u((1Fh3;N`VI*}F%vW$Dg?fPgQ<!|=B0O8gld+~~cX18^#2$8058
zs5v+OmpUDpQE)7!r>B1@Mnl%~{y@y<149|5$!$Vo&o(+7t9t$=-jmNSse@DK?qXwK
zhwb~<9eTzu;%~ZD=r$GZ#O*p4hgFmy&(Fgy4Jr<_H-cID`1xyi%Ln(`Qfq)vK0pnf
z#vuGl(C{P78r47Y39oK&z`~C$ru(>oK_BuP`)_aqO5eyJpNZRDWYT?2P&egMMTO!4
z>P(H-UD$3xN7bCCde<77CZZCg?GQ-*p;+;PctvI3wU-@!I{L|rv&ohDwH8WM8h?9J
zSgE8-7GZVTNl)(#xD(V9_Hwkxww}R(fv>W%^e<hitE(f}+!z^S6?DFJcjMt=5ywL&
zD|6+Bu`K}R%li88voZAF0bGCvD8TfFF#Qcy%W$E-&EIxBNPm3ol(F2H?c{@$mPd*z
zSiV*jc^*%{Dxw%czB&X}j|3pQ!GE!KgvG<&3EZ7!t5>t=Jjz`70%5;|lZ%?<4{UPF
zg|d94$PsMqoSaE<aV)~Z_ShRx+@sb=N-{Mu83e(N3Njvje~c2+n0IgAKKXu!j;#1x
z^-PE`$388+pIU$f;rgtY^f<GR!OqV<wa;45aSV&<wC%Ut<+>b^q`jAr=8aVeDDI&v
z4F^h!P|4wvfS6K0e;$eOu=@Y1ie}*dT)$xhSVI7<bbqgk;B~xK|MV>Kfw7dKdCIdM
zX;M`rp`gfo@!}H>m4F~4dK8gVSl%{n+b26xI}?(AFHTJ-k%+6))uM6zHa^--7A^sf
zcV*8Z0vsWc;MQdP=$>bUP{~d`@LG~sd(d-rKgiaJ2#(5rFlA}}rsPwSnDW%gwi}OM
zb?M`oT;1ei*pKeE$QR1oQ!`aPVqJGFb~spwPfugnQCuauQ(c2!O{~U(s*3yXyGE5u
z@5kdCRD;5N*9sN=wtlZSyg97a$Jb~!ek(h%Q>u;2(wOkq`HdT4BVOLca7a7o#jc2p
z9o@`2;FO@k6O_I@3t`AOSM6NH`>?nO`UR)QV_)uQr|HyM?5*O)-(%0_qh0HA3q{iM
zj%I7g`7|MahxOotk@<Uhk6V{UW5XVvR;(>N9vuISE_X(hmT4W|1M*;!?J0vglZ7ij
zpiO7jG)F5$+zyxSF;XL)iac;ChtX8EKdMnREo`YhTg38C>HJ2~_&*Z*d|pXCS=r!-
z4Ee&6Dn1@;wSLOn|KLfyc5Sr<bsM{>o%;CK*`e5V{rB_Rzc**+9{;pybc99HAbNRA
zwGwP%ea4-vUO=9y`=i~vDKW!F$giez=eh9%B5iw$<|sPSRU7MMYqu2e99_Q9gNJ^Y
zrhdsOT~MtYoj-h<Ddm_zQR?3g{BxAhW470oZ!UHug(+Fpj7-aTdb#dd=cwTMBesx5
zLi#|?&xV@%>Drga@W$=@DlAWC5wer*X#$s=klL#es@tmmDm<EuKP!l%VPci7lM!-B
zBl5WP&6*mC{nw&*6PByr9}V@s_#|HkGm6PS3OQFV%PM5@w^{)LRTOfH1dIz`-4ZK~
z^u0Sun^!I5|53sG-0%OTJi-0`?Es>Gl^g%>{90MH(H0=H?vx08A8tL8{;t+lWVcq^
z4yLU{3WO5&*OjLQ1i`ZOBQKRLEPneQ>}=*}*f_m55$?ffk80?xKyH6D9r-*w#*v&W
zK>)C->W40znk?2>NH-|cRXDyTS`HRD!mB|<D4voeK@>fI`jm9zMx&`V@?p+=LtiDP
z$JJ^Oqqyw*`TDIEl!I!kyb0<o7yhFW9GeqVwxEqz=2f0-`|VHv{t#phSK9wfHXuB;
zYX&rb0US7iC)<`QW+I}js+Er{e*d?HX0@)pxEfrSrH=do!ig^z#=mwJqN^@KYP(K9
zX8irJiVVg?2JpOMQD#^{ySl)@ZM<xc#9wJ;&;>(uXV0BGp?n6>L%W#jWq#Ge1QE7$
zz`c9uv2*kC(9{M(aJLLR2L%S!b-Fr;i61%Agb2pX$JV;cE?3uk8U5Kn2VlDg$cLH=
zJ+Ef!C4{odBh4V3z|??ntmqnjrD+OqMMXu$($W%CC)ivM35KXjKX30bRJtiCgnU#u
zd3*c&jjmqJGi?*P<G@Lz6p<89xYkv<!2fa6j8Vwc>|QRkayELrMU4!!B|3U<j1nB~
z;YejbIoK2vA1`x&8Vofm^x3&NF7+3Cg@xx(8lx<69xoTb{D1^sigiSl+j0MXT}34=
z5J#ScDH$26x#5r{{1YN=8RUU*L!y|V>udywHq_Gi_H8UAq_^D~x2|5ornVmLBgB8L
z<Q@aS%--paq707{?)~6Lk4kdfMx=y#rAk6A9bVW;wu|>kN{aH2D6SVTUoyL26Wk;5
zXJ{x*ntx&EpYOkLF70gFwffvF-~VV1vfcb;sMV2FTeBNdmfoHombPB>2Z)&j3Y7Bd
zl^~?gkSPrLuXV{r1Gg&O-*h%c2(1T{5^&!eqFMz0jWl@x0EoW7&Gq`i@HQTFEC5_)
z9K;lAp~VAbw$)2&7uos5pNkZQ-i6L(k3s##v%CmxO?uX2Z~ugqE(ik6|GK^NKu!X1
z6i^w;*y!kJ7`Wk3GiJYV^=4w!ug=Y-Vq1M(FmnV4wjv>p%#NodFH3265n|0jU}ZvL
zDHo{>TI<Omd0CDor&?+_#KjYO<$&2M#WjhPHW9Y(wmYvh&O}<pT^lJGd&%+TvIslY
z?5)dxvtB{Xpoe-`_-ufM;u)3XenY6{HvaX>pd1%n-P6Q=?rC?4B86!QJJ1`|>D!Xh
zfrD=TL_}{+kdAOpofrKuUMhR%-Fl)o#s|*Jl4D1R{par0dS@Mx63t&bMDv;TAC7ih
z)Q#>Ky|eA3BKe%v_6~!+F>DI&H+;|iJn(qAxBKNWIAD7=rjp0n(IDWP@VyYr;QBq=
z-;8_wcEyNTLb8RzvV|Z&BO+2=EyKZ}y07-noPV7jp$J;Jha_+r6BdzT51mQ;VVeH<
z6aO&s7-9P(UFW|kOY+jLf5USD&#^^isGd1F;iDDa5>{mIzHcOa=DTQ<``NM|Gu26~
zbImdv+rT1p`R7{M^w&Q4hVgZYnGX5+$?w4(QIkji)}E`T(bXUC_oX??w7lrKoQu)h
zV0CPHHyya;OQY`od#`@sp}|my@+vBDA0#AE_Ab?;uR_P4cw9A~`yQMVTxi9fsk*_%
zZrRX5q_mB8T^<guX^4i4D@;b`tg{GF#P8kr`WNp5<7tOX%`!br*R3|we_inZHI|T`
zWzJ&ITjm!z_aeu7>4on5ApYGSd^G0k)#f6*G)|nPR|-_SdbKc3hLJ-&-#s=rEKDjw
z-2O(|*SO%`hPpb-#k>4}VIIFq$bo8%@)^n$pPL_NsdVh7cb?aO>#khs_=$ho!PI<g
zADm=&q;xMtFAeALwA-8At6}>2dJ-TDmv|5%H5l>J)D%;mcea=RkV0*u>eaNgO&O_n
z7@^XE24A?0AXzRb*mUsVy4i_Pggad)Ot0}eddRrIZL+u53E%-(wuuk))((!u+azjg
zx$JG^xw%I}g)H^;x;n~8g1HRl=JJg$b~ffrO%JtDRP!FB3L2dO81O|@B>vMUpT)s6
z_p2@Bc6N&C8RX|OhtKyu2@JeZ=;=9b<EokDY%?7ezfalH@~ZkLPjKE_NK0R7E^XfZ
zdbgNJYeDDzBR9m1jBHPk_)FF7lV~D(RLeNGrYBDKW8mF1gS6rHg98I*q@QO1;XD{V
zqVgBE^yIk2+v)@r$?iORL@9Q6r)6aw=U}g(ps6wI`S{%Z?(FOb28I!zU3`O`g;6S}
zU(Zg|zPiWi%;J7Vtr6HI71e_fA-?Xxrf1R7okBt|M-$)McTgv-_jz_UcGEW}gBSO@
zQ|(Z5chBW<oJ~A?HlLa0YU_*6oVFb2z3%88z21LmZ4G>QJRc|AlE27aTp@-5F!r$z
zt+#K#zsW<tv-1kSiA{2R?^}B3Jtf7jf&wjMU~9}Sdit~(!oa%`5l|e|<2t!h$}!h$
zv9qTz5g?Mup?}eKhEl@9LU7wYAKi1tEPvhZUnL`-&HQvp`V|4->1<}iOiYEu6i=;(
zgsl2}uhquugC;+T0UCM8pqU!|VD_!Q-_Gub_Di+{44rIgOK&~ytzXOOXTV^)*f~Aw
zvu2$pzF$F2&EUsiN?F$F(-qk{!d%)SfQB1OOC8^P|0!y}*st1G>3oy&u&z7tIA{UP
zO4Cpeq27MKrR6+;GF~=ADaVDbr%%saxuR`rs~_&NgDX-7)!7?b?zc=_$sxreUIkLq
z<CXa(n~t^<n+R<8@n;e}d^l<U)b_tljvy!vyni+$!+U7x`K1nBIz<waovCIz7Iw2e
z43d{$z4AFJFCtB{pPikHBeC0jAyk~3yW@V4*d^bA>cSvOM(W#@5jnFTImF!Wj*Xo-
zetdVy3-}M+?-ElOhwNA~wP52+x}bgjT-Y`V!9C;*@5;*Dn~FP?bW_w%ow8n9+~(_>
zY-c0y<?U@|GC$``AHCO|($%Fjx2hW3vTncZBc?NyF1Zw+OxbrrRlveRA*3kq=C-^3
z5(z)yzz=B|T}cd~eA}tyeiuNMq@<&Stfl2aLRi7u^5@58iYoG#Oq(-Dq@>=lGBC80
zlQ%5PW&v^FzIjGf%=qed9tsu}DrpidFdu5u1jfHv<2#Iuf|(6+o%7AVDt+m`WWP9n
zwxr0-?ezKcPM+2K_C<R8iQCPLO>uJix>Jhh+tSi8(r&!zrF5NW$mxxh%EhbYOzt@H
zefC5L+;RvVDJ?+#FV_V1_3yh=3JY_nsC4DotAvM15tBbCt9X5qB+F(La_ivUp6!4Y
zNdM4eVp@lE>8dK1v9XWO&u=?_F0ws;=@4^w#HUZ|Y6?$?FCDTqzjo|cKb-cFVpkR9
zjs%C=-fRj9R@<{97&!yHsKSB{5;HPN2>U>{P*9~5RoPd=>-bd(bJ2Wd>td%VZLjFE
zkw>=?E^5d^=|}d^@CKp-Z+|O_J$CJ+p_!f~&o*ZXw_O;@ypmxi{;rQWK29r)TMsj}
zddnJn%QkK%bAY|sdSTXG?*o5$*sgIKYJ<w6g^AkryThv`JuAq__GCLbKAL!ukg!8S
za$RU+M#lU-)}@hfvjF4*Zr$qZOVd?qB7bVB_l@hlwFNK<b)3((fLx?j*vATSuacfW
ztgq8F<}W=eE8ATf<bh(7Lrh9&tC9CQ!>M%{;iQ+BIMmEhL<{@mYps-qv4%~LLvhVt
ze%fN(%`2pBWsjAruI_e1LQ5U}>8ZV2(<cUJ&dC&UT2E<TZ5NU__&`SI>d0QAa=jH#
zq(Z2G+1sHOkM-;0!pPm92Lx37L2O_8<0I(7-*@>sNj$q#!>1abHO2HFRZqy$c&Ycn
z|KNEsCA&XXw_y`~vK93e8dl?Nl!uu2UidTq;RQl0>a%B#PknxN6KyNt`Tr12C*b%*
zL`#zG*`-yMFb?Dv|1Y|gpS8&<BthgN^b@(?MA*^rI%)n6<o#;J8VH9tO|NdPvG9NC
zuhdc?{%*3Oy+aQvVvWKD4PmpyYAZ?T|6G!8c^a-cx(gl?!m0j7U;JLWuePs>((0={
zAZO688}$1F@cX6wwK@DodHio+41zb8a75j@tG-+!%il>8iQTYz{7*QL`kh8<$9|ph
zuZOQq+uYn78gImh0VXuRaib7lZ{NaYAS80PvJdt&j0AhaP@Ht@SAUCxX_jH$itzz5
z$B#pc(*R=~7(mSM0*;Kqdd38g>PMu%+ltUZB0@o7hH;;WecrUmettSdi49Z=hI^o+
zMbm?j$|iK2kbMA&XncPDv47?IH`Li-sO5=>sAiz~0he&OGV);FXx>!&m9%grHZlr|
zQzuVCTe6kZ1Bq+kWT6!fpatRcPWL)AWSHfFQ94M+!uTXYtbe}ql0b(8SdYko=|e;Z
z+?Q8fu9vXJV8R5NZyNzjbA#4z!}|5mp&;TF8GXUQ!I@1+yqs~rixHZKlJ|QLv}7iO
zc)@}1SWi*4`NiPyFEYz}xO^EG2W6|2tq0!w`i&brejo0cRM*xLemlC}BYP^MkKF|D
zuixkm5x~Fom+X?ikPW|*BTrT%6fecFXJ=k4yan+DA_!&ex^S^D9rRI4D+nCSc!Uaw
zddH5(@$s+?KNYP>@>sn~%a3IhKXf?I#X`)JA<G<gSf5l{8SO9H{pK_SiW^ZO%ID9+
z22k8LZWM;`lh;7b1HXwac(EpXGal?;9c%TFho>hi3rmFH^|u%}^7)M`s4!f2sOoFx
z%5dp0uLUduTKmefGR+JV4O7#k__f2NPj1-KwY{pfNj_6RPLPzKbN&g)dGPQ2pEZ@O
zoGwDakH1)`R)m>>X06zgJQcF*StXBI+ByQ-vhw=5WEf`8evDeudf9n=E+y3LS?*Hd
z`s-=3wcM8UfGn3^x3NFNrNIneTk_mAD>6=}ax;QSyU*U<P>8KT65mlp`)D#;)%iTz
zOm%Bs<CRR`3&I(CIs7I9FH)HgOYu!keerF(Eqr<IqimCPXQ)!@?ZdB&YeWrnxv8qm
ze?eQEmCr-+j?g>SUVb>y)-!ReQ#OKqSxAEghPU4;^grp_-RhaHo`i;qNZmJ<>Y2|P
zcHO3rzvH6O6+J1A_4X#(C%*S+5fIc&H5mdo`-?nYX(@YBCI%91hzX?R>e>D~Mta*d
z>0gjAtlES_!1Dg<hyQh<|Eq=m2TlBWeI4`@-#aA%^=YkL-Y#680=>FnZr+_I3`N}u
z83_KG+c32tF!l+a)g<rjky}=Px3lnVbJ$?NY{SGGd|_tE9zJ8LaUl+llUF-k2^a7e
zKty!4YP+QqwA;v>1mz2@2uArtQU*jtaZ!?B&MX)^I{Z%nW_$KPh1~>sq*jg<_i=(U
z4JO_XUDvY+q%P!Vm~wJfRkZ@+VeyOIDVrX``~r>?Ur<H3x~>^-ZfFRiG@lvMhY@Vk
zrrU_6gO6X!&I4gyd+6wfzkNFo(a7)%i5Q6OO`(Ow#4or4V7)OiGEzP@@N&~;T+?Vr
zFnVBjArOWZ2fQa{k^(M`3=Td{qVd|n7QS!DW}iPFf<#H0QQ68W0~3H?^+fV1#E_Ly
z;-_jY@C|T;<M$hdWk5h||Kor{E%3Y4<8q3#1;q5Zvjd3%^oS0_M?>4su+<Bswl$VC
zNc{mAQc7T9?5&9S*4L+|qr+wPX<3>IIueVezJ44)Hi)k3BaR=8PV6+L#UUTvMi>Ut
zHxBo)49Vz^AFnYX3HJ`mFzo9)I3dc!MFr(V5bSMafL;?OER0f-MYfUcczk&Hc@V*v
zq?Mj-iK)kg;w~ZeIKtvH+IE7b#f(h|-sDN(Yg&~pLINjA;^pH5q%_xYE(1GA?nS_9
z2rA9B;g(ij>v{oc0`fUr9M3ym&bGYmyN|(j7J|1LMDQ$=Z(D08?NiUkciNc@Pi(EI
zfiGd@WFz9;2wer?)exByLZ;(23yZ*cK{!t(NNPE!zE<C)JPm=Zs%lY>c_=Mta!iSR
z`1o-qQUai`f+P#1HGwf*nxkOOv=7YPNhf0Sd2sN+44QdN01dI#!u(}5wP1gLZm`tv
z3rYW2+v@=trTT#&(UaMIWsRn^{U+Mlhb$6b^<ON1_$~7``J<)D8Efs75yINlyYuf)
z^!L_pNXy3vqcdZAm=F!sU}&G$es4y1NW3uo>QrjGG#(QS(SfoLS|F%$@%u>_pqVbq
zDPtJ(4cKw>-o0AzbIT;@p*55ezVzaefq^ffbH~~Yt$~#%25t|OvFcB<xPc#P+UQd>
z)8sdvI5YCRRHc!(`~HNE@Tmyy7eLwx3qj;<s2J)R8VEuu;Pi;c8UR%f`BI!U$-nBr
zaBTm;E8QtESO+^5N)s!;fE|TUID)DL+k5WZIc&@bzTCQHOF?d2axy&)O@DVcW|W%S
z7Fg)pX-nl^TyRVKK{YIQP)@94w7rsIMbaVz0R?8CpssKba|Q;DWCQ4_{M%hWbU_{e
z<8hP|=9<zViW6o#yiWfvCkv)L{Fmlzh>nG8!@rBj0<5uR!z}|>H!i_~e4&-zt%ji2
z`*jvmbnU-&L}aHeYARi&du3Zd8zZCmF!?WtZbjN+nO~=0zF7Cs`NcOkuYn`9zoXpC
zT*0}ilUkKD$>0>-niW4_K_^`K=$<h4r>E@8BbA&^h(2CzI*6*w!GM<E_p7rKLXr8O
zB;_w$@A4!F$jbH0dX(kj{P|p5Qr4Ki>-{*wZ&-mNUuu?5w&cbP8w=B}tiBiSeJL~;
z`at|-$YO<6dwH%auV&zxro!=R4L_%R728pn<fi0=As@V9IUR&wLAv^K0VCMQWf>bb
zYk&Pi#Y}~Gll{j9dakEO*n4<I9W0DK4itoU)N&tIYLQD>-eFv*w+P(+SeryOEUFP{
zCEa>Jm;c8Kgj>F$A?7b~bfK~AY@e-Vz3uY0R7Lhbq(%+-KD@zo#P#{my{B$9IOZoG
zcyj7NQ*&KSh}yIMqk+fzuaP~srH(Wu?^>|`wSeU0v@W1nw^9AIohQA_79UY~n9Tk<
zr_9@vo7Y1>e*oDjL_{B>{|Pe#qW<uX{O1<>^z*+GqqQX89xKJ6>7SF6I(BA->u#2f
zG8mq%U~aVD$F~gT*INj3Eu+Rawh;7TtEh3q#Q}LOS_LiI`fX&pQ_w#W4ur_^ZSw4L
zdq7~Vj<nr~kC!B>I)wNkkEeg5r2h6%zl2rT^#8rd>t$TgHT}KG!wjU`h~`=TeRW>H
zL&U%JHmic`|Noda7fZ-E=)@d8#XUay8$n2Tyc@88Rg{$YPr*U3Us^dmJ$---d6+^J
zs8EhJq9-9Fuo6X!;6_x5{-Z|NCs7P(Gq$sGRJEF#ua_3>FIQR#K-PtP$@AyV{eXfS
znksk7uz2W6^^rWGuRjTi^%DG$WBeyzR6nh+kGNAFtC4nve~7m@^Z4P8A<X8RoP3^~
zY$iYyqg32uE@1NM5K3`GXG0+cV$I^})-^;floDwtn%~f@7H>ii5nQq2<|w;@7zh|i
zRMpgQL{O@DOT|Kk3keFMw)5KVpiltHgJ|O&UQ!TEp+aF*d>{*W!pbTM3OaaN;CBSm
zXc%T{t+yKu8QP>cqip0LfBIyDs0v2^uMp@$c8WY6139^k43FaDFGJvu-3J8<!C`as
z;zb6AOR#6_ro2i`twA6F^xS3p|D!~V=0R)-HUPsgI4%%V(~Ncq`x(MUM-Y|W)CWmC
z%mK#MU9kATU&_22g&0~DXQWR<1_rqhb~2pEVYBp{l+AKEkZSibNZyjofR_6GhYy}c
z!6-_GzkUU+R-9XJN+h47sjgmZ@<8yq?wK=zCyWp*q4)*@sjAH|(?B-X0o7SyArm{h
zw~-{I@_T4$S?0)Ke<|(B$Vma42&ws8GJY#Udt6*xV7iQZ{Fs8~@H+&xaC7@p)(p$o
z{@0?QVE&USQQ7&mt}eDQ%btQL$yAh83_k&aXdWa$!wCvUqPnK$gRn5reJ4p^H4o&C
zaKG#B?v7H(N<e6N^H2VvgV~Ib;U3t(A6;cB^yCQ%1iL%{OVF7uZJ+k-^o|YL0h0`b
zN2z(y(JmW(D9zz~=6XG?i*$jqtu#X$qCbzv{-T};@Xj(O@%7&{?A0iUaXc`be!~@o
zo81y}Jv>%Jrey!R_2VQk74B1Rt_Vt8DCRC*x@2O~I$XqG0MBVRyy(2V|E`=W6N9D>
zI&B;|h6u8{zufKOR(bo^qQ$NtzIn`q{N5ICYr|r$gzT}$c5Z8`{v<b8Q^gDNR1g8x
zbbfuq!*q}*qX>5Q@Tlfp=vZ28L~uoGE5dKvk=k?F%GA0GLU(Pa8GX#9M~VvERhd~?
z$hk?@NGpQa5=}HbH1Im%NzO^R1B)5W&YjPonvCx!Oi!MuIf=I&hX@CRZc2!))ePkH
zD;6#sJ>gN>@J1x36{G~2u<h8T%ksORa9Fd#Xi*(Z_o==;LZIs$&sya?iGR)9ui5!p
zrCuXzK~>tui6&w36H%RH`vIb>w|<>ABcQ72t=H3@hzy<RY`+Hu(Yta+1<z%!ux&FM
zFjT$nloGZ05RW;<`^*twYp)2g5v9)>P!q`>`)&E7E86S+U~pRlVaH=5>=d60R{B~)
zAyR5Rog8^tV(Z|!=aDy8Ci8vHx`2@Ar2~6pl^vp73twyT#SA_IK}x=D-H{EmVdR^S
zD!>l=Hw8wdmTB6xy(?5|;k%>#_qlnu?*<1rBmW<p&)C=TGOdo#?%9e*(5aW-PY)ws
z-bJ&$Olvq#{>GjXa<A2Y46byeLjMZ94Qdi-Uc62R|3Wsi2h<iIAIUN7=H$Ec8p9`!
zI;x+GdsdXR{}yTg=|OhFG{2<)POa`o9Jww#JUKOK^mfs9Sl+bu07<FfNi<ND&92YK
zugHBycE?3MZlVGo!(<Epdwt*D=L&va9hLD*9OChl)?L}W|B^TV0!jZNPFg9n{?eD!
zN3`_Zy7hsAz5(~b#h_t(-0l8okI1fI-&t2vBK>Du+L(s8q;ejF+A{G@h>AG}hBloP
z6WhY7sCg-)uP+#Erpmo1FDKSW+txSmi`2eoZ{GqtrWPfaVMJ=`M~$?GbLWX^cKUp+
zHF#?f#UkR^{B*)F;B8Q*WO&Vefn$+gU;3k4sn!|MYJX@JJ>gZxbw0x@HaAIoA+1o9
zMJHQHT}D~^&K>8>rh*3kkl5TugpmVUTLUb*Up;u6rrYK7RcIUQ>yFDw%7Mr!NzTkk
z8`yD4MWutk?=auwP<IMKyB7x%9V5imJgcqz5<PocFwZ#+grAK)MXp8v9H_bP-x~|x
zipif4V#=e4s#H*HM>f!eJQJc9L>py~+2@TGjUD$JP*KT51CpW;-rkWl{wa)asnPQB
zJ<hfY`MU<RDnaHdWXyq!VUc{}ry_YrI-JLzXYMm?v3gM$A&mKduN@H#n%!L)#%Gqk
zdn@PT@A997nX-$A+oBGum~_6~|4?SLp0<Jh&`37VaC5q%opDFroZgOzCxyw+>@`Js
zTRCq_9rX9tkvh($kz@5b$38hybSUURDBZSkZPkXQc>~>FoGF8QcW*B-G1tqNWP}Tz
zr1fDVgTzIe;BWaC3#~!43Jc~QHmG1dc<>af!fbTvShWvLqV>q)F`lT+*_*=RlXaH9
z6;ky1>^V|ZUw<70bBDwD7L_}X^4!WQxweqV98`bN-rDLHn@i2Lc>1s+F8Jd|5AM-v
z{<zj(Gjz>O^Yw$Fk)?PK51o<ru1qs=sagwzc*zqVvpNe4ZF7%uHj0ZlD5%_%J^a2|
zG`G-?W=C*rJXe=TUCFnd{cPh7i`eRHDE#*G^FI`yJAeqMn~{+!&!69Hcs{3k_^m(F
zV=XOO@tI2nDSG0;_s<^Q-O`$*XG&h8y>8o9Um;;XKEBEO4$zOCJjp}g_2_Th*w+8;
z;KOnywhc-?^*ph+zt2#YQStEc9X?cLpxx3uCTAafy+j#WZV`t&$s-Ry1V5@>I2F!w
z*m-d1In`iPq*GI&p0}4*WnBVCX!x+i#ZdhDIQ>-$5}PY;TuPQ^Dh1>(q*k*petX!$
ztCt-nx?q;yqk6U;qX$&&y6i{F12dh$c;3BhP0bY<6!c^A`FW4z{MYX)6c1f+xuT_|
zclPX%Sw8KPq@>-vhQ_!|V5VA{H_!`yx4rhgIB985RfICtWN-Mk9S78xDuh+muDwOR
ztB#eI7t>qs7Vj?x!Fu*5M?F2$*8#*E=yhCDQblrpyP@GU@a;EWzK~w-wxU3wIA|%-
zeX`fDOUo7u?-t;ko9T0JZJoc~)edk0<LeS^gh-aj=$aa<Ki1!&BrSDt>|<t$*hspI
zlSb#q_Y}Q_?auP#o~Ii#M;QmYEuR&ZHU1>G@zINmW}NDWjtI{cx8+DL%$;%?FZU9)
zZ{8yD<;!Vm&IdJVkJ~tsrya%>PFqaq+A62d)NEt`<eKHQ@cAY&-{Rspri8ccyRiO|
z=fI2J^xT~;h6O%0zRh_)h!#Id5@R&`JTun&Hiu%=BIaQ|8egdNq0ysyplk&=ELrYe
z&`5JSqGi;`X;1k5Ic@XhUGPQ*Xcg+}n6quJTT2$|f%*hjnw;0m%5~26rgivb`9ebe
z5j}?Mf{kXKI`!{7_;|yY_qA-^TS;Cq$=G!FY`4}Zj=r;Xs~EB;dZ78ovH^-2|Gs1_
zf9x2irl7{&&x)a2O$-gM{V<_sVCEjJ!(n282Xi62;DZ<&w?~g2SXx^nrX?&gG6_*2
z-rKj>|Ck?-8X=9pnU_~z9)A3$n@nA!IEvx)jNbdfY8f<H<(;%n@^qCF{jFB(B658#
z_hCG0{xK37?zcBrOtqL>CV$)eBhGmKdS3-C!?<-P(sR4IRH#JOaB&FPar+rmCr72_
zFWt4DI<Y9)We^|#x-4o7(`8FR67Mxa?*?dME|YS0VS#xdY|SUSaD|6w+t?uC3MaCt
zw16{hN>vEBm(jHJpE>}h<K%&ZGbOBMh`KJ5Z+Eh<DY$7w8hc;BCRksw4MP^2Dk@GK
zpcZ#fXA(_@=eMTyfbmq=`7>v<RaHxRW_iTH;sfj|$)zTFRkn$i7Le8Omp8|9L~LtB
zoE$z+kGi_wh1}v>;|LJg#XNgfDymC<bQuJz>$WZ2oVdDQtC<4sRYo2ee?IYol-z(V
zaxVp4ouF{b$qZp(VcFsH93c>!WY0}Seaf37CimnqREjDp%8y%Yq&J%SPA(oF^bHR(
zPiW>#Ue;xe9m%*gh5#1Egm7_la>k{Mnz251Hl@W&Mk``7P%gllLE|1o8%!xd618;d
z5R%LTI?gUYkOK+EtaXld4)F;|?xUXSqD*!21^T(KUd1LQaWi!_zq-DryJ;@!(<h2J
zv#;mWLr!RCHs$B$B6(Vd{g(3=Zr-|J2c5O9`qI+rZiYRZ7v-C5{Ec2|(eXdazkk0c
zMzX(VDf}{4!_m?G9v-avQ`XmB3^!J?u(Ep1q@<21UrBtGkdW0@uz#NGm<^rNGy@Y>
zS?TvjdUc1s8g8S_6J+Q#l#`RrSzjVDExmBw`9_~F{ozYR6ylcz1=T5bH|W@5fnYry
zmuTZAc%%vD&9j8cJ<xV*l2!mW0H^mK=<^(A?04)qF7annM=m)}Rj6M=xe$hcGLF}v
z*Ja%oDdgl(`nkX{^q`Kj<E6PDl4h@u_}ebV#KpY_p-%~OQ|Vw;DA$LgTYbF^4-4Cv
zC1Z9*OFoO-VjTbZFc_+!M~`?m?T|rMN?<9Uef**)rS6r|k+Qmd03FpI$7u!3+blWt
zRAJCVO&xQ<yuc|Zr|W)n{FM{IzV9}LSg{yRUnE1~)Td9|;d^kbjnDJ&nDTg=3JHR;
z@~DnOO5jX#2|q}E1aN1XDwr7A+AS>>Vp-PJqbT0p`sS!OSMsZv&g*JUYrifQ`Ph~e
z6xh9WpHflbnx9lFfCGr%*{RNDO%g;D5&LBYGU*~C^N?Y0Rq>#T->gJf^K`a1YjJl;
zfvxR(Xr!>Wg6T7DGT+M>JG7sfS+Ajif9I}&@fl5mv*SeN$B$dQ&QTeB4(*Mg#yTqR
zRd({EynI?l@15N{_Rh3LNZ*b};Ljqg(T%WQ)z#UIwAaP&t9D(-ijO_)De~b;^d&Z`
zbr!O_FTWd){d_nnIe7=ok@}JntC_L#?xy6z`g+T_IEqJ0#W^>{{wcnY9BX)bwk1-;
z2uMUrN>_1fR##L%7p>QhLqjL3<|WKKJCj*iu8Lg$5*yq&;kvF6@7F$-t7H^r&fF4o
zm0t#%UPU=&U(n;R`&t$1>MGfo>=!67h7Uo2L1KA$&b1iostvbp&F0Ui!XQ2;ef#xJ
z5u4_T{>1Wfg;P<BGRHk@OWd%|IB00}Jkz-9>?hUUSreCd!R=G?SZ!@S0!bc0a5g_Z
z6~q|<tlz>mO5$*DuI;v4<U=E04ktM;$%Tdr1RdOjF&t_STn)mkn-h2%xmgZ#9TXE|
z5t--fKd7jfQBc5y`;0LQ(?44HS~BUsjIXP$;goZ#?mMErj)m~>@nkRf*l1Jf6fNVb
zOLFoem=M)t5MejocYN|Ix6EuMbQNQ|g0^EzuV?m^ynV~X(D`H{c^JeeDh<blNtQ&_
z@(7G+<XMPg8eJQ&wJ|W)!0wEN`>rE*d`G<fb1JqNck<2}f0#RFT~LI29@GEM$TnWo
zBGmJH-HQWFt;@ZX)O!a-GGaOd5)x9vPA%wa@8O*pG|zW3Ykht2Orck6n>~`JG&i%l
z4IjUH_M>sL$a^J*tA;nYi7t-&e9f-WH&ZMt)3)<{m@@k%y2L6pPh;JXEBktU6H(0}
zrb{W@th;h^=5=ene<WD3h`vko*Ox}dn_1*WHB`;7;&iz$e#*@MKXek=-*qO1B@PZ|
z7p#fgbY?%>Ez&i2Z_zMpI#RuXN})E)cNwAkyxwDlTl~!@@t>{8e>n!s?>f6(T6tz>
zCXD=1q62*4?d|REcj0;WjwR$J_5WE%yrK!Q2#Sg6L=XxhE#lWHM{&-tPzcfCNVD<r
z^=+`AGWJ-;w%?E=$)Y{ml4INsIaC1dFKWZbO-Ootn%gpyMkxWA^FD<zLP{ve0GI?J
z9WO}%1Z0hDEk3?GfBtD`VseSU=>7X6!orvyN=_#-jlR81#`b0_J{6<!ii?X|T7(G^
zK8rB~nvo57+8~oHr$oD8**yjb&SAzxrW-s5hzZjB0b+h}w^{B*LfD1b5`v)E$$Q}i
zhOHaA2K*ZVGG#LTp4=GC2k#k<OV`8%=1?$4?*_*S#;ZU6fC_3e&0&O$6(L8L5*FfP
z%60gNEX`qne%-Vce?*0Zd>tHwD-&k&3HV8awe3pYy<<iM1T5~PsqD|&PMy=#6hXKK
zogXVDNxS1z8>mUe2!BFO)rFhj3l-t<k2gXFLD#5-rRBG8-;BbX`Xa1@4rs)F%!v@+
zq)>}Ipa&wh=BB2@V20pBoFC2^so~W^s1gam%#KyfyuXG89!BZg)YZIj(IR{>ATm;0
zUHz5S&^g5U6cynbir9`}nuHOMJ;VVZDo22uo92i)vqCKhS@*l(4EMc7{s?!=cH*v~
zAuTX@Dk?k(CPeH`SUjfl4Rm&nA{`7t%~9gc+IuOPnVH$hFC%j$)3mJ_;WV#bi`}S!
zGm-l$!kE_~+2`|33dkaY@89Qx0}WtaH7{yM!c<4Fvjp%7scabQ2+;+XLalruypRMt
zy=I=>+4fHP?+7$To&+8ppi3{))AMj13JT?j9STW4s;$b>yzuB$qzLXdjew~pG890K
zfiVktX<;L?+_b+Thdn;?<x99)A>6RKapM~z%MfB~6ow%lqPAm?*hj1u4<IPxHu6`n
z%9am0fCh$H0FPvR&j~rXiy4TSM!I!$LP9?h5fN6A?>NV=Pz!@Pate%$jRORV{lpj9
z+Gg?);^W<-|GogQ>ERXu<TfH!<gzn93wP>Ji{G9j<}fna-ke9+MNI*u6v+xX7==8F
zjG)_6jF&wDK|+60#p{R+A|x;1b>L|UKA^$a#)+55r-^gq+P-OI4_}@moP2yxd_NjG
zSTVxlTgsnK1b-T4RXA}1Zx6IJ`urG2hqMFmdR8_vBFmbH!OwkttXsVx00Pyg=Ip!#
zOC-QYP|cYB;k%3P1f0SB*22y~06^jP#8S*HT+7=AS2e)ZzHv;xG+>4uvjN6lB_#}|
zf#G#{ajE%8{@wWYL%vb|kr5Fr{%$;iS?eOp3#mWWF>v2{`=?Ri&X>{>Qg!!lsY&eE
zMPe0mp;^Ju!}(}G#RM_6TS099uJrZW)UNxQ>UtNLvdgbC8XmM5t+_ZDHJ38&_1z&U
za!Pb$T%@C~sl3pp@}kDgf-0QRP%~eaX2rNe(O$&p?7Ab9a3*#Es3i#WK110IL0O-3
z&t>MA<%)E<$qEI1AF@5o&D}Gk^Xl4~!WYO*)hBy<T{Cs(!|LMen&wvbPgpL@PJ&%j
zVtY3}4;XR6PW0AA-0`}83ud`kJ>a5NIc)(D3Y|5z{zF>17y^KRJ6(d=Yyl~WCC!Ib
zn>#uxQwL$2X1?gQSBh~<So{qG_v_21A(z56zFl}s;891C+2yp2Zr@Q+d&eS0rRth$
zaji(&yRK2JgosgN%^|$j1_s21hl~t?QA?b}_`s>TJniJt9wh2z;kfahrmbg?JM1qj
zD~#8+_-@Ii5>~i;E_G8fW$EqQ=gr7|kmZc;-v07aO<pn&WgaR&S8XxLfWvhC&11o(
z9>%AV*2V?h&5kIib=?(`;y_k-*y?Oz{k}wnDMk`T+ie@S{c*9w=lfH7!fr<7xgoKB
zVARGzEUL+bKfD}ZFXReH<p2KI_Hsf}(&FqS$1zH>!b4;TRH|=j;ZX4Gytb1Divyz^
z;!(^mUhD*)3f~j5!8@<1C!EP{8#Xy+A*3a^2S!whV@PGW>nc-^^&?iFdFwG5Q|^94
z-Y{G%q`^Pz!Lk6?b=vwPmIG(-1MTgKTbSS;#!E7aydJ0!uyo-3cwGi2?IQayhq5~5
z!l4jldHyMf;!pLC9QqnTeYOdAobs27{h7!L2cu3chr$vGG9zyIv!J%JvTG3g{S*7{
zjf&_@*Fv;_S8c@pG^IQCytJlV5HT>|s;KB?w!F_5FhwfvI5-suLTK(3ftm1*{W?B_
z>=>k$AZ8t>;M+Bgq>0q^a?D#nlUU_A+S<-wg{et&@{)3kH}WjpLh1nmLFwE%?;kgA
z`=5ZcxAxm4n<DTQ?~zfPGwk)#(>57<u}3u+rz<|b0Uik<GFU(rvU27jvvJ#-t33k6
zJ~H>^0;Du_Q+6uUBDPe<KsMl#hU&b%^^vV!d(Sqts=N!AkB6G&5~5{7<l{}W6c)Ge
zsAgwoen@@RX4)rM@on-j*$p^^9S*;Jwah5KxrpO?T<c}xS$M2=LfqCkMIAX^QI#b)
zkBkidxYHV{s#ZN8w@(c0+?54#ANm$R>+l~x!gAA*UwMekw~LIBsoPD$=>4Ur=vKY)
z{n8%D0}#1Xv*Qrr8Xwm7cbjL`8{>c6|8e6_Ir?B}Wn_z<ymAH450&(0a`IkkOnksh
zASzOif(u`Vh7@RmyGCt}AO8T?IR*kZx3pk3sT}1Wv))KoH8wGMcRd$EKzP?-I+NcW
zoR-zc!)fr%c+4*(r3O)AFkyK}V2(^Xbc#7S;q6HiK8LwSmhzUXBqEokI|yGT3=bWd
zqJMdJNrrb<k09o4MC(Iiw3ia`==B9p+5dR8q9P+An&*Kw9cwWH4Y0ysQ~&fSq_$tg
zP<j0tofYjU5z!)zaXP|AW)b3xY!xtWa8DJ1OQbk==GgoiiJR582A|*QAiPv^(uz_^
I5*OV559$+^Y5)KL

literal 0
HcmV?d00001

diff --git a/odl-aaa-moon/aaa-authn-api/src/main/docs/federated_auth_sequence.wsd b/odl-aaa-moon/aaa-authn-api/src/main/docs/federated_auth_sequence.wsd
new file mode 100644
index 00000000..22d1d916
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/docs/federated_auth_sequence.wsd
@@ -0,0 +1,24 @@
+title Federated Authentication Sequence (w/ Claim Transformation)
+
+# This walks through the federated authentication sequence where a claim from a
+# third-party IdP system is posted to the ODL token endpoint in exchange for an 
+# access token. The claim information is assumed to be in format specific to the 
+# third-party IdP system and assumed to be captured via either Apache environment
+# variables (Servlet attributes) or HTTP headers. 
+
+Client -> ServletContainer: request access token
+note right of Client
+(claim as Apache env/HTTP headers)
+end note
+ServletContainer -> ClaimAuthFilter: Servlet attributes/headers
+loop foreach ClaimAuth
+    ClaimAuthFilter -> ClaimAuth: transform(Map<String, Object> claim)
+    ClaimAuth -> ClaimAuth: transformClaim
+end
+ClaimAuth -> ClaimAuthFilter: Claim
+note left of ClaimAuth
+(user/domain/roles)
+end note
+ClaimAuthFilter --> TokenEndpoint: Claim
+TokenEndpoint -> TokenEndpoint: createToken
+TokenEndpoint -> Client: access token
\ No newline at end of file
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/docs/mapping.rst b/odl-aaa-moon/aaa-authn-api/src/main/docs/mapping.rst
new file mode 100644
index 00000000..33635502
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/docs/mapping.rst
@@ -0,0 +1,1609 @@
+Operation Model
+===============
+
+The assertions from an IdP are stored in an associative array. A
+sequence of rules are applied, the first rule which returns success is
+considered a match. During the execution of each rule values from the
+assertion can be tested and transformed with the results selectively
+stored in variables local to the rule. If the rule succeeds an
+associative array of mapped values is returned. The mapped values are
+taken from the local variables set during the rule execution. The
+definition of the rules and mapped results are expressed in JSON
+notation.
+
+A rule is somewhat akin to a function in a programming language. It
+starts execution with a set of predefined local variables. It executes
+statements which are grouped together in blocks. Execution continues
+until an `exit`_ statement returning a success/fail result is
+executed or until the last statement is reached which implies
+success. The remaining statements in a block may be skipped via a
+`continue`_ statement which tests a condition, this is equivalent to
+an "if" control flow of logic in a programming language.
+
+Rule execution continues until a rule returns success. Each rule has a
+`mapping`_ associative array bound to it which is a template for the
+transformed result. Upon success the `mapping`_ template for the
+rule is loaded and the local variables from the successful rule are
+used to populate the values in the `mapping`_ template yielding the
+final mapped result.
+
+If no rules returns success authentication fails.
+
+
+Pseudo Code Illustrating Operational Model
+------------------------------------------
+
+::
+
+    mapped = null
+    foreach rule in rules {
+        result = null
+        initialize rule.variables with pre-defined values
+
+        foreach block in rule.statement_blocks {
+            for statement in block.statements {
+                if statement.verb is exit {
+                    result = exit.status
+                    break
+                }
+                elif statement.verb is continue {
+                    break
+                }
+            }
+            if result {
+                break
+            }
+        if result == null {
+            result = success
+        }
+    if result == success {
+        mapped = rule.mapping(rule.variables)
+    }
+    return mapped
+
+
+
+Structure Of Rule Definitions
+=============================
+
+Rules are loaded by the rule processor via a JSON document called a
+rule definition. A definition has an *optional* set of mapping
+templates and a list of rules. Each rule has specifies a mapping
+template and has a list of statement blocks. Each statement block has
+a list of statements.
+
+In pseudo-JSON (JSON does not have comments, the ... ellipsis is a
+place holder):
+
+::
+
+    {
+        "mappings": {
+                        "template1": "{...}",
+                        "template2": "{...}"
+                    },
+        "rules": [
+                     {   # Rule 0. A rule has a mapping or a mapping name
+                         # and a list of statement blocks
+
+                         "mapping": {...},
+                         # -OR-
+                         "mapping_name": "template1",
+
+                         "statement_blocks": [
+                                                 [   # Block 0
+                                                     [statement 0]
+                                                     [statement 1]
+                                                 ],
+                                                 [   # Block 1
+                                                     [statement 0]
+                                                     [statement 1]
+                                                 ],
+
+                                              ]
+                     },
+                     {   # Rule 1 ...
+                     }
+                 ]
+
+    }
+
+Mapping
+-------
+
+A mapping template is used to produce the final associative array of
+name/value pairs. The template is a JSON Object. The value in a
+name/value pair can be a constant or a variable. If the template value
+is a variable the value of the variable is retrieved from the set of
+local variables bound to the rule thereby replacing it in the final
+result.
+
+For example given this mapping template and rule variables in JSON:
+
+template:
+
+::
+
+    {
+        "organization": "BigCorp.com",
+        "user: "$subject",
+        "roles": "$roles"
+    }
+
+local variables:
+
+::
+
+    {
+        "subject": "Sally",
+        "roles": ["user", "admin"]
+    }
+
+The final mapped results would be:
+
+::
+
+    {
+        "organization": "BigCorp.com",
+        "user: "Sally",
+        "roles": ["user", "admin"]
+    }
+
+
+Each rule must bind a mapping template to the rule. The mapping
+template may either be defined directly in the rule via the
+``mapping`` key or referenced by name via the ``mapping_name`` key.
+
+If the ``mapping_name`` is specified the mapping is looked up in a
+table of mapping templates bound to the Rule Processor. Using the name
+of a mapping template is useful when many rules generate the exact
+same template values.
+
+If both ``mapping`` and ``mapping_name`` are defined the locally bound
+``mapping`` takes precedence.
+
+Syntax
+------
+
+The logic for a rule consists of a sequence of statements grouped in
+blocks. A statement is similar to a function call in a programming
+language.
+
+A statement is a list of values the first of which is a verb which
+defines the operation the statement will perform. Think of the
+`verbs`_ as function names or operators. Following the verb are
+parameters which may be constants or variables. If the statement
+assigns a value to a variable left hand side of the assignment (lhs)
+is always the first parameter following the verb in the list of
+statement values.
+
+For example this statement in JSON:
+
+::
+
+    ["split", "$groups", "$assertion[Groups]", ":"]
+
+will assign an array to the variable ``$groups``. It looks up the
+string named ``Groups`` in the assertion which is a colon (:)
+separated list of group names splitting that string on the colon
+character.
+
+Statements **must** be grouped together in blocks. Therefore a rule is
+a sequence of blocks and block is a sequence of statements. The
+purpose of blocks is allow for crude flow of control logic. For
+example this JSON rule has 4 blocks.
+
+::
+
+    [
+        [
+            ["set", $user, ""],
+            ["set", $roles, []]
+        ],
+        [
+            ["in", "UserName", "$assertion"],
+            ["continue", "if_not_success"],
+            ["set", "$user", "$assertion[UserName"],
+        ],
+        [
+            ["in", "subject", "$assertion"],
+            ["continue", "if_not_success"],
+            ["set", "$user", "$assertion[subject]"],
+        ],
+        [
+            ["length", "$temp", "$user"],
+            ["compare", "$temp", ">", 0],
+            ["exit", "rule_fails", "if_not_success"]
+            ["append" "$roles", "unprivileged"]
+        ]
+    ]
+
+The rule will succeed if either ``UserName`` or ``subject`` is defined
+in the assertion and if so the local variable ``$user`` will be set to
+the value found in the assertion and the "unprivileged" role will be
+appended to the roles array.
+
+The first block performs initialization. The second block tests to see
+if the assertion has the key ``UserName`` if not execution continues
+at the next block otherwise the value of UserName in the assertion is
+copied into the variable ``$user``. The third block performs a similar
+operation looking for a ``subject`` in the assertion. The fourth block
+checks to see if the ``$user`` variable is empty, if it is empty the
+rule fails because it didn't find either a ``UserName`` nor a
+``subject`` in the assertion. If ``$user`` is not empty the
+"unprivileged" role is appended and the rule succeeds.
+
+Data Types
+----------
+
+There are 7 supported types which equate to the types available in
+JSON. At the time of this writing there are 2 implementations of this
+Mapping specification, one in Python and one in Java. This table
+illustrates how each data type is represented. The first two columns
+are definitions from an abstract specification. The JSON column
+enumerates the data type JSON supports.  The Mapping column lists the
+7 enumeration names used by the Mapping implemenation in each
+language. The following columns list the concrete data type used in
+that language.
+
++-----------+------------+--------------------+---------------------+
+|  JSON     |  Mapping   | Python             |       Java          |
++===========+============+====================+=====================+
+|  object   |  MAP       | dict               | Map<String, Object> |
++-----------+------------+--------------------+---------------------+
+|  array    |  ARRAY     | list               | List<Object>        |
++-----------+------------+--------------------+---------------------+
+|  string   |  STRING    | unicode (Python 2) | String              |
+|           |            +--------------------+                     |
+|           |            | str (Python 3)     |                     |
++-----------+------------+--------------------+---------------------+
+|           |  INTEGER   | int                | Long                |
+|  number   +------------+--------------------+---------------------+
+|           |  REAL      | float              | Double              |
++-----------+------------+--------------------+---------------------+
+|  true     |            |                    |                     |
++-----------+  BOOLEAN   | bool               | Boolean             |
+|  false    |            |                    |                     |
++-----------+------------+--------------------+---------------------+
+|  null     |  NULL      | None               | null                |
++-----------+------------+--------------------+---------------------+
+
+
+Rule Debugging and Documentation
+--------------------------------
+
+If the rule processor reports an error or if you're debugging your
+rules by enabling DEBUG log tracing then you must be able to correlate
+the reported statement to where it appears in your rule JSON source. A
+message will always identify a statement by the rule number, block
+number within that rule and the statement number within that
+block. However once your rules become moderately complex it will
+become increasingly difficult to identify a statement by counting
+rules, blocks and statements.
+
+A better approach is to tag rules and blocks with a name or other
+identifying string. You can set the `Reserved Variables`_
+``rule_name`` and ``block_name`` to a string of your choice. These
+strings will be reported in all messages along with the rule, block
+and statement numbers.
+
+JSON does not permit comments, as such you cannot include explanatory
+comments next to your rules, blocks and statements in the JSON
+source. The ``rule_name`` and ``block_name`` can serve a similar
+purpose. By putting assignments to these variables as the first
+statement in a block you'll both document your rules and be able to
+identify specific statements in log messages.
+
+During rule execution the ``rule_name`` and ``block_name`` are
+initialized to the empty string at the beginning of each rule and
+block respectively.
+
+The above example is augmented to include this information. The rule
+name is set in the first statement in the first block.
+
+::
+
+    [
+        [
+            ["set", "$rule_name", "Must have UserName or subject"],
+            ["set", "block_name", "Initialization"],
+            ["set", $user, ""],
+            ["set", $roles, []]
+        ],
+        [
+            ["set", "block_name", "Test for UserName, set $user"],
+            ["in", "UserName", "$assertion"],
+            ["continue", "if_not_success"],
+            ["set", "$user", "$assertion[UserName"],
+        ],
+        [
+            ["set", "block_name", "Test for subject, set $user"],
+            ["in", "subject", "$assertion"],
+            ["continue", "if_not_success"],
+            ["set", "$user", "$assertion[subject]"],
+        ],
+        [
+            ["set", "block_name", "If not $user fail, else append unprivileged to roles"],
+            ["length", "$temp", "$user"],
+            ["compare", "$temp", ">", 0],
+            ["exit", "rule_fails", "if_not_success"]
+            ["append" "$roles", "unprivileged"]
+        ]
+    ]
+
+
+
+
+Variables
+---------
+
+
+Variables always begin with a dollar sign ($) and are followed by an
+identifier which is any alpha character followed by zero or more
+alphanumeric or underscore characters. The variable may optionally be
+delimited with braces ({}) to separate the variable from surrounding
+text. Three types of variables are supported:
+
+* scalar
+* array (indexed by zero based integer)
+* associative array (indexed by string)
+
+Both arrays and associative arrays use square brackets ([]) to specify
+a member of the array. Examples of variable usage:
+
+::
+
+    $name
+    ${name}
+    $groups[0]
+    ${groups[0]}
+    $properties[key]
+    ${properties[key]}
+
+An array or an associative array may be referenced by it's base name
+(omitting the indexing brackets). For example the associative array
+array named "properties" is referenced using it's base name
+``$properties`` but if you want to access a member of the "properties"
+associative array named "duration" you would do this ``$properties[duration]``
+
+This is not a general purpose language with full expression
+syntax. Only one level of variable lookup is supported. Therefore
+compound references like this
+
+::
+
+    $properties[$groups[2]]
+
+will not work.
+
+
+Escaping
+^^^^^^^^
+
+If you need to include a dollar sign in a string (where it is
+immediately followed by either an identifier or a brace and identifier)
+and do not want to have it be interpreted as representing a variable
+you must escape the dollar sign with a backslash, for example
+"$amount" is interpreted as the variable ``amount`` but "\\$amount"
+is interpreted as the string "$amount" .
+
+
+Reserved Variables
+------------------
+
+A rule has the following reserved variables:
+
+assertion
+    The current assertion values from the federated IdP. It is a
+    dictionary of key/value pairs.
+
+regexp_array
+    The regular expression groups from the last successful regexp match
+    indexed by number. Group 0 is the entire match. Groups 1..n are
+    the corresponding parenthesized group counting from the left. For
+    example regexp_array[1] is the first group.
+
+regexp_map
+    The regular expression groups from the last successful regexp match
+    indexed by group name.
+
+rule_number
+    The zero based index of the currently executing rule.
+
+rule_name
+    The name of the currently executing rule. If the rule name has not
+    been set it will be the empty string.
+
+block_number
+    The zero based index of the currently executing block within the
+    currently executing rule.
+
+block_name
+    The name of the currently executing block. If the block name has not
+    been set it will be the empty string.
+
+
+statement_number
+    The zero based index of the currently executing statement within the
+    currently executing block.
+
+
+Examples
+========
+
+Split a fully qualified username into user and realm components
+---------------------------------------------------------------
+
+It's common for some IdP's to return a fully qualified username
+(e.g. principal or subject). The fully qualified username is the
+concatenation of the user name, separator and realm name. A common
+separator is the @ character. In this example lets say the fully
+qualified username is ``bob@example.com`` and you want to return the
+user and realm as independent values in your mapped result. The
+username appears in the assertion as the value ``Principal``.
+
+Our strategy will be to use a regular expression identify the user and
+realm components and then assign them to local variables which will
+then populate the mapped result.
+
+The mapping in JSON is:
+
+::
+
+    {
+        "user": "$username",
+        "realm": "$domain"
+    }
+
+The assertion in JSON is:
+
+::
+
+    {
+        "Principal": "bob@example.com"
+    }
+
+Our rule is:
+
+::
+
+    [
+        [
+            ["in", "Principal", "assertion"],
+            ["exit", "rule_fails", "if_not_success"],
+            ["regexp", "$assertion[Principal]", (?P<username>\\w+)@(?P<domain>.+)"],
+            ["set", "$username", "$regexp_map[username]"],
+            ["set", "$domain", "$regexp_map[domain]"],
+            ["exit, "rule_succeeds", "always"]
+        ]
+    ]
+
+Rule explanation:
+
+Block 0:
+
+0. Test if the assertion contains a Principal value.
+1. Abort the rule if the assertion does not contain a Principal
+   value.
+2. Apply a regular expression the the Principal value. Use named
+   groupings for the username and domain components for clarity.
+3. Assign the regexp group username to the $username local variable.
+4. Assign the regexp group domain to the $domain local variable.
+5. Exit the rule, apply the mapping, return the mapped values. Note, an
+   explicit `exit`_ is not required if there are no further statements
+   in the rule, as is the case here.
+
+The mapped result in JSON is:
+
+::
+
+    {
+        "user": "bob",
+        "realm": "example.com"
+    }
+
+Build a set of roles based on group membership
+----------------------------------------------
+
+Often one wants to grant roles to a user based on their membership in
+certain groups. In this example let's say the assertion contains a
+``Groups`` value which is a colon separated list of group names. Our
+strategy is to split the ``Groups`` assertion value into an array of
+group names. Then we'll test if a specific group is in the groups
+array, if it is we'll add a role. Finally if no roles have been mapped
+we fail. Users in the group "student" will get the role "unprivileged"
+and users in the group "helpdesk" will get the role "admin".
+
+The mapping in JSON is:
+
+::
+
+    {
+        "roles": "$roles",
+    }
+
+The assertion in JSON is:
+
+::
+
+    {
+        "Groups": "student:helpdesk"
+    }
+
+Our rule is:
+
+::
+
+    [
+        [
+            ["in", "Groups", "assertion"],
+            ["exit", "rule_fails", "if_not_success"],
+            ["set", "$roles", []],
+            ["split", "$groups", "$assertion[Groups]", ":"],
+        ],
+        [
+            ["in", "student", "$groups"],
+            ["continue", "if_not_success"],
+            ["append", "$roles", "unprivileged"]
+        ],
+        [
+            ["in", "helpdesk", "$groups"],
+            ["continue", "if_not_success"],
+            ["append", "$roles", "admin"]
+        ],
+        [
+            ["unique", "$roles", "$roles"],
+            ["length", "$temp", "roles"],
+            ["compare", $temp", ">", 0],
+            ["exit", "rule_fails", "if_not_success"]
+        ]
+
+    ]
+
+Rule explanation:
+
+Block 0
+
+0. Test if the assertion contains a Groups value.
+1. Abort the rule if the assertion does not contain a Groups
+   value.
+2. Initialize the $roles variable to an empty array.
+3. Split the colon separated list of group names into an array of
+   individual group names
+
+Block 1
+
+0. Test if "student" is in the $groups array
+1. Exit the block if it's not.
+2. Append "unprivileged" to the $roles array
+
+Block 2
+
+0. Test if "helpdesk" is in the $groups array
+1. Exit the block if it's not.
+2. Append "admin" to the $roles array
+
+Block 3
+
+0. Strip any duplicate roles that might have been appended to the
+   $roles array to assure each role is unique.
+1. Count how many members are in the $roles array, assign the
+   length to the $temp variable.
+2. Test to see if the $roles array had any members.
+3. Fail if no roles had been assigned.
+
+The mapped result in JSON is:
+
+::
+
+    {
+        "roles": ["unprivileged", "admin"]
+    }
+
+However, suppose whatever is receiving your mapped results is not
+expecting an array of roles. Instead it expects a comma separated list
+in a string. To accomplish this add the following statement as the
+last one in the final block:
+
+::
+
+            ["join", "$roles", "$roles", ","]
+
+Then the mapped result will be:
+
+::
+
+    {
+        "roles": "unprivileged,admin"]
+    }
+
+
+
+
+White list certain users and grant them specific roles
+------------------------------------------------------
+
+Suppose you have certain users you always want to unconditionally
+accept and authorize with specific roles. For example if the user is
+"head_of_IT" then assign her the "user" and "admin" roles. Otherwise
+keep processing. The list of white listed users is hard-coded into the
+rule.
+
+The mapping in JSON is:
+
+::
+
+    {
+        "user": $user,
+        "roles": "$roles",
+    }
+
+The assertion in JSON is:
+
+::
+
+    {
+        "UserName": "head_of_IT"
+    }
+
+Our rule in JSON is:
+
+::
+
+    [
+        [
+            ["in", "UserName", "assertion"],
+            ["exit", "rule_fails", "if_not_success"],
+            ["in", "$assertion[UserName]", ["head_of_IT", "head_of_Engineering"]],
+            ["continue", "if_not_success"],
+            ["set", "$user", "$assertion[UserName"]
+            ["set", "$roles", ["user", "admin"]],
+            ["exit", "rule_succeeds", "always"]
+        ],
+        [
+            ...
+        ]
+    ]
+
+Rule explanation:
+
+Block 0
+
+0. Test if the assertion contains a UserName value.
+1. Abort the rule if the assertion does not contain a UserName
+   value.
+2. Test if the user is in the hardcoded list of white listed users.
+3. If the user isn't in the white listed array then exit the block and
+   continue execution at the next block.
+4. Set the $user local variable to $assertion[UserName]
+5. Set the $roles local variable to the hardcoded array containing
+   "user" and "admin"
+6. We're done, unconditionally exit and return the mapped result.
+
+Block 1
+
+0. Further processing
+
+The mapped result in JSON is:
+
+::
+
+    {
+        "user": "head_of_IT",
+        "roles": ["users", "admin"]
+    }
+
+
+Black list certain users
+------------------------
+
+Suppose you have certain users you always want to unconditionally
+deny access to by placing them in a black list. In this example the
+user "BlackHat" will try to gain access. The black list includes the
+users "BlackHat" and "Spook".
+
+The mapping in JSON is:
+
+::
+
+    {
+        "user": $user,
+        "roles": "$roles",
+    }
+
+The assertion in JSON is:
+
+::
+
+    {
+        "UserName": "BlackHat"
+    }
+
+Our rule in JSON is:
+
+::
+
+    [
+        [
+            ["in", "UserName", "assertion"],
+            ["exit", "rule_fails", "if_not_success"],
+            ["in", "$assertion[UserName]", ["BlackHat", "Spook"]],
+            ["exit", "rule_fails", "if_success"]
+        ],
+        [
+            ...
+        ]
+    ]
+
+Rule explanation:
+
+Block 0
+
+0. Test if the assertion contains a UserName value.
+1. Abort the rule if the assertion does not contain a UserName
+   value.
+2. Test if the user is in the hard-coded list of black listed users.
+3. If the test succeeds then immediately abort and return failure.
+
+Block 1
+
+0. Further processing
+
+The mapped result in JSON is:
+
+::
+
+    Null
+
+Format Strings and/or Concatenate Strings
+-----------------------------------------
+
+You can replace variables in a format string using the `interpolate`_
+verb. String concatenation is trivially placing two variables adjacent
+to one another in a format string. Suppose you want to form an email
+address from the username and domain in an assertion.
+
+The mapping in JSON is:
+
+::
+
+    {
+        "email": $email,
+    }
+
+The assertion in JSON is:
+
+::
+
+    {
+        "UserName": "Bob",
+        "Domain": "example.com"
+    }
+
+Our rule in JSON is:
+
+::
+
+    [
+        [
+            ["interpolate", "$email", "$assertion[UserName]@$assertion[Domain]"],
+        ]
+    ]
+
+Rule explanation:
+
+Block 0
+
+0. Replace the variable $assertion[UserName] with it's value and
+   replace the variable $assertion[Domain] with it's value.
+
+The mapped result in JSON is:
+
+::
+
+    {
+        "email": "Bob@example.com",
+    }
+
+
+Note, sometimes it's necessary to utilize braces to separate variables
+from surrounding text by using the brace notation. This can also make
+the format string more readable. Using braces to delimit variables the
+above would be:
+
+::
+
+    [
+        [
+            ["interpolate", "$email", "${assertion[UserName]}@${assertion[Domain]}"],
+        ]
+    ]
+
+
+
+Make associative array lookups case insensitive
+-----------------------------------------------
+
+Many systems treat field names as case insensitive. By default
+associative array indexing is case sensitive. The solution is to lower
+case all the keys in an associative array and then only use lower case
+indices. Suppose you want the assertion associative array to be case
+insensitive.
+
+The mapping in JSON is:
+
+::
+
+    {
+        "user": $user,
+    }
+
+The assertion in JSON is:
+
+::
+
+    {
+        "UserName": "Bob"
+    }
+
+Our rule in JSON is:
+
+::
+
+    [
+        [
+            ["lower", "$assertion", "$assertion"],
+            ["in", "username", "assertion"],
+            ["exit", "rule_fails", "if_not_success"],
+            ["set", "$user", "$assertion[username"]
+        ]
+    ]
+
+Rule explanation:
+
+Block 0
+
+0. Lower case all the keys in the assertion associative array.
+1. Test if the assertion contains a username value.
+2. Abort the rule if the assertion does not contain a username
+   value.
+3. Assign the username value in the assertion to $user
+
+The mapped result in JSON is:
+
+::
+
+    {
+        "user": "Bob",
+    }
+
+
+Verbs
+=====
+
+The following verbs are supported:
+
+* `set`_
+* `length`_
+* `interpolate`_
+* `append`_
+* `unique`_
+* `regexp`_
+* `regexp_replace`_
+* `split`_
+* `join`_
+* `lower`_
+* `upper`_
+* `compare`_
+* `in`_
+* `not_in`_
+* `exit`_
+* `continue`_
+
+Some verbs have a side effects. A verb may set a boolean success/fail
+result which may then be tested with a subsequent verb. For example
+the ``fail`` verb can be used to indicate the rule fails if a prior
+result is either ``success`` or ``not_success``.  The ``regexp`` verb
+which performs a regular expression search on a string stores the
+regular expression sub-matches as a side effect in the variables
+``$regexp_array`` and ``$regexp_map``.
+
+
+Verb Definitions
+================
+
+set
+---
+
+``set $variable value``
+
+$variable
+    The variable being assigned (i.e. lhs)
+
+value
+    The value to assign to the variable (i.e. rhs). The value may be
+    another variable or a constant.
+
+**set** assigns a value to a variable, in other words it's an
+assignment statement.
+
+Examples:
+^^^^^^^^^
+
+Initialize a variable to an empty array.
+
+::
+
+    ["set", "$groups", []]
+
+Initialize a variable to an empty associative array.
+
+::
+
+    ["set", "$groups", {}]
+
+Assign a string.
+
+::
+
+    ["set", "$version", "1.2.3"]
+
+Copy the ``UserName`` value from the assertion to a temporary variable.
+
+::
+
+    ["set", "$temp", "$assertion[UserName]"],
+
+
+Get the 2nd item in an array (array indexing is zero based)
+
+::
+
+    ["set", "$group", "$groups[1]"]
+
+
+Set the associative array entry "IdP" to "kdc.example.com".
+
+::
+
+    ["set", "$metadata[IdP]", "kdc.example.com""]
+
+--------------------------------------------------------------------------------
+
+length
+------
+
+``length $variable value``
+
+$variable
+    The variable which receives the length value
+
+value
+    The value whose length is to be determined. May be one of array,
+    associative array, or string.
+
+**length** computes the number of items in the value. How this is done
+depends upon the type of value:
+
+array
+    The length is the number of items in the array.
+
+associative array
+    The length is the number of key/value pairs in the associative
+    array.
+
+string
+    The length is the number of *characters* (not octets) in the
+    string.
+
+Examples:
+^^^^^^^^^
+
+Count how many items are in the ``$groups`` array and assign that
+value to the ``$groups_length`` variable.
+
+::
+
+    ["length", "$groups_length", "$groups"]
+
+Count how many key/value pairs are in the ``$assertion`` associative
+array and assign that value to the ``$num_assertion_values`` variable.
+
+::
+
+    ["length", "$num_assertion_values", "$assertion"]
+
+Count how many characters are in the assertion's UserName and assign
+the value to ``$username_length``.
+
+::
+
+    ["length", "$user_name_length", "$assertion[UserName]"]
+
+
+--------------------------------------------------------------------------------
+
+interpolate
+-----------
+
+``interpolate $variable string``
+
+$variable
+    This variable is assigned the result of the interpolation.
+
+string
+    A string containing references to variables which will be replaced
+    in the string.
+
+**interpolate** replaces each occurrence of a variable in a string with
+it's value. The result is assigned to $variable.
+
+Examples:
+^^^^^^^^^
+
+Form an email address given the username and domain. If the username
+is "jane" and the domain is "example.com" then $email will be
+"jane@example.com"
+
+::
+
+    ["interpolate", "$email", "${username}@${domain}"]
+
+
+--------------------------------------------------------------------------------
+
+
+append
+------
+
+``append $variable value``
+
+$variable
+    This variable **must** be an array. It is modified in place by
+    appending ``value`` to the end of the array.
+
+value
+    The value to append to the end of the array.
+
+**append** adds a value to end of an array.
+
+Examples:
+^^^^^^^^^
+
+Append the role "qa_test" to the roles list.
+
+::
+
+    ["append", "$roles", "qa_test"]
+
+
+--------------------------------------------------------------------------------
+
+
+unique
+------
+
+``unique $variable value``
+
+$variable
+    This variable is assigned the unique values in the ``value``
+    array.
+
+value
+    An array of values. **must** be an array.
+
+**unique** builds an array of unique values in ``value`` by stripping
+out duplicates and assigns the array of unique values to
+``$variable``. The order of items in the ``value`` array are
+preserved.
+
+Examples:
+^^^^^^^^^
+
+$one_of_a_kind will be assigned ["a", "b"]
+
+::
+
+    ["unique", "$one_of_a_kind", ["a", "b", "a"]]
+
+
+--------------------------------------------------------------------------------
+
+regexp
+------
+
+``regexp string pattern``
+
+string
+    The string the regular expression pattern is applied to.
+
+pattern
+    The regular expression pattern.
+
+**regexp** performs a regular expression match against ``string``. The
+regular expression pattern syntax is defined by the regular expression
+implementation of the language this API is written in.
+
+Pattern groups are a convenient way to select sub-matches. Pattern
+groups may accessed by either group number or group name. After a
+successful regular expression match the groups are stored in the
+special variables ``$regexp_array`` and
+``$regexp_map``.
+
+``$regexp_array`` is used to access the groups by
+numerical index. Groups are numbered by counting the left parenthesis
+group delimiter starting at 1. Group 0 is the entire
+match. ``$regexp_array`` is valid irregardless of whether you used
+named groups or not.
+
+``$regexp_map`` is used to access the groups by
+name. ``$regexp_map`` is only valid if you used named groups in the
+pattern.
+
+Examples:
+^^^^^^^^^
+
+Many user names are of the form "user@domain", to split the username
+from the domain and to be able to work with those values independently
+use a regular expression and then assign the results to a variable. In
+this example there are two regular expression groups, the first group
+is the username and the second group is the domain. In the first
+example we use named groups and then access the match information in
+the special variable ``$regexp_map`` via the name of the group.
+
+::
+
+    ["regexp", "$assertion[UserName]", "(?P<username>\\w+)@(?P<domain>.+)"],
+    ["continue", "if_not_success"],
+    ["set", "$username", "$regexp_map[username]"],
+    ["set", "$domain", "$regexp_map[domain]"],
+
+
+This is exactly equivalent but uses numbered groups instead of named
+groups. In this instance the group matches are stored in the special
+variable ``$regexp_array`` and accessed by numerical index.
+
+::
+
+    ["regexp", "$assertion[UserName]", "(\\w+)@(.+)"],
+    ["continue", "if_not_success"],
+    ["set", "$username", "$regexp_array[1]"],
+    ["set", "$domain", "$regexp_array[2]"],
+
+
+
+--------------------------------------------------------------------------------
+
+regexp_replace
+--------------
+
+``regexp_replace $variable string pattern replacement``
+
+$variable
+    The variable which receives result of the replacement.
+
+string
+    The string to perform the replacement on.
+
+pattern
+    The regular expression pattern.
+
+replacement
+    The replacement specification.
+
+**regexp_replace** replaces each occurrence of ``pattern`` in
+``$string`` with ``replacement``. See `regexp`_ for details of using
+regular expressions.
+
+Examples:
+^^^^^^^^^
+
+Convert hyphens in a name to underscores.
+
+::
+
+    ["regexp_replace", "$name", "$name", "-", "_"]
+
+
+--------------------------------------------------------------------------------
+
+split
+-----
+
+``split $variable string pattern``
+
+$variable
+    This variable is assigned an array containing the split items.
+
+string
+    The string to split into separate items.
+
+pattern
+    The regular expression pattern used to split the string.
+
+**split** splits ``string`` into separate pieces and assigns the
+result to ``$variable`` as an array of pieces. The split occurs
+wherever the regular expression ``pattern`` occurs in ``string``. See
+`regexp`_ for details of using regular expressions.
+
+Examples:
+^^^^^^^^^
+
+Split a list of groups separated by a colon (:) into an array of
+individual group names. If $assertion[Groups] contained the string
+"user:admin" then $group_list will set to ["user", "admin"].
+
+::
+
+    ["split", "$group_list", "$assertion[Groups]", ":"]
+
+
+
+--------------------------------------------------------------------------------
+
+join
+----
+
+``join $variable array join_string``
+
+$variable
+    This variable is assigned the string result of the join operation.
+
+array
+    An array of string items to be joined together with
+    ``$join_string``.
+
+join_string
+    The string inserted between each element in ``array``.
+
+**join** accepts an array of strings and produces a single string
+where each element in the array is separated by ``join_string``.
+
+Examples:
+^^^^^^^^^
+
+Convert a list of group names into a single string where each group
+name is separated by a colon (:). If the array ``$group_list`` is
+["user", "admin"] and the ``join_string`` is ":" then the
+``$group_string`` variable will be set to "user:admin".
+
+::
+
+    ["join", "$group_string", "$groups", ":"]
+
+
+--------------------------------------------------------------------------------
+
+lower
+-----
+
+``lower $variable value``
+
+$variable
+    This variable is assigned the result of the lower operation.
+
+value
+    The value to lower case, may be either a string, array, or
+    associative array.
+
+**lower** lower cases the input value. The input value may be one of
+the following types:
+
+string
+    The string is lower cased.
+
+array
+    Each member of the array must be a string, the result is an array
+    with the items replaced by their lower case value.
+
+associative array
+    Each key in the associative array is lower cased. The values
+    associated with the key are **not** modified.
+
+Examples:
+^^^^^^^^^
+
+Lookup ``UserName`` in the assertion and set the variable
+``$username`` to it's lower case value.
+
+::
+
+    ["lower", "$username", "$assertion[UserName]"],
+
+Set each member of the ``$groups`` array to it's lower case value. If
+``$groups`` was ["User", "Admin"] then ``$groups`` will become
+["user", "admin"].
+
+::
+
+    ["lower", "$groups", "$groups"],
+
+To enable case insensitive lookup's in an associative array lower case
+each key in the associative array. If ``$assertion`` was {"UserName":
+"JoeUser"} then ``$assertion`` will become {"username": "JoeUser"}
+
+::
+
+    ["lower", "$assertion", $assertion"]
+
+--------------------------------------------------------------------------------
+
+upper
+-----
+
+``upper $variable value``
+
+$variable
+    This variable is assigned the result of the upper operation.
+
+value
+    The value to upper case, may be either a string, array, or
+    associative array.
+
+**upper** is exactly analogous to `lower`_ except the values are upper
+cased, see `lower`_ for details.
+
+
+--------------------------------------------------------------------------------
+
+in
+--
+
+``in member collection``
+
+member
+    The value whose membership is being tested.
+
+collection
+    A collection of members. May be string, array or associative array.
+
+**in** tests to see if ``member`` is a member of ``collection``. The
+membership test depends on the type of collection, the following are
+supported:
+
+array
+    If any item in the array is equal to ``member`` then the result is
+    success.
+
+associative array
+    If the associative array contains a key equal to ``member`` then
+    the result is success.
+
+string
+    If the string contains a sub-string equal to ``member`` then the
+    result is success.
+
+Examples:
+^^^^^^^^^
+
+Test to see if the assertion contains a UserName value.
+
+::
+
+    ["in", "UserName", "$assertion"]
+    ["continue", "if_not_success"]
+
+Test to see if a group is one of "user" or "admin".
+
+::
+
+    ["in", "$group", ["user", "admin"]]
+    ["continue", "if_not_success"]
+
+Test to see if the sub-string "BigCorp" is in
+the assertion's ``Provider`` value.
+
+::
+
+    ["in", "BigCorp", "$assertion[Provider]"]
+    ["continue", "if_not_success"]
+
+
+--------------------------------------------------------------------------------
+
+not_in
+------
+
+``in member collection``
+
+member
+    The value whose membership is being tested.
+
+collection
+    A collection of members. May be string, array or associative array.
+
+**not_in** is exactly analogous to `in`_ except the sense of the test
+is reversed. See `in`_ for details.
+
+--------------------------------------------------------------------------------
+
+compare
+-------
+
+``compare left operator right``
+
+left
+    The left hand value of the binary operator.
+
+operator
+    The binary operator used for comparing left to right.
+
+right
+    The right hand value of the binary operator.
+
+
+**compare** compares the left value to the right value according the
+operator and sets success if the comparison evaluates to True. The
+following relational operators are supported.
+
++----------+-----------------------+
+| Operator | Description           |
++==========+=======================+
+| ==       | equal                 |
++----------+-----------------------+
+| !=       | not equal             |
++----------+-----------------------+
+| <        | less than             |
++----------+-----------------------+
+| <=       | less than or equal    |
++----------+-----------------------+
+| >        | greater than          |
++----------+-----------------------+
+| >=       | greater than or equal |
++----------+-----------------------+
+
+
+The left and right hand sides of the comparison operator *must* be
+the same type, no type conversions are performed. Not all combinations
+of operator and type are supported. The table below illustrates the
+supported combinations. Essentially you can test for equality or
+inequality on any type. But only strings and numbers support the
+magnitude relational operators.
+
+
++----------+--------+---------+------+---------+-----+------+------+
+| Operator | STRING | INTEGER | REAL | BOOLEAN | MAP | LIST | NULL |
++==========+========+=========+======+=========+=====+======+======+
+| ==       |   X    |    X    |  X   |    X    |  X  |  X   |  X   |
++----------+--------+---------+------+---------+-----+------+------+
+| !=       |   X    |    X    |  X   |    X    |  X  |  X   |  X   |
++----------+--------+---------+------+---------+-----+------+------+
+| <        |   X    |    X    |  X   |         |     |      |      |
++----------+--------+---------+------+---------+-----+------+------+
+| <=       |   X    |    X    |  X   |         |     |      |      |
++----------+--------+---------+------+---------+-----+------+------+
+| >        |   X    |    X    |  X   |         |     |      |      |
++----------+--------+---------+------+---------+-----+------+------+
+| >=       |   X    |    X    |  X   |         |     |      |      |
++----------+--------+---------+------+---------+-----+------+------+
+
+
+Examples:
+^^^^^^^^^
+
+Test to see if the ``$groups`` array has at least 2 members
+
+::
+
+    ["length", "$group_length", "$groups"],
+    ["compare", "$group_length", ">=", 2]
+
+
+--------------------------------------------------------------------------------
+
+exit
+----
+
+``exit status criteria``
+
+status
+    The result for the rule.
+
+criteria
+    The criteria upon which will cause the rule will be immediately
+    exited with a failed status.
+
+**exit** causes the rule being executed to immediately exit and a rule
+result if the specified criteria is met. Statement verbs such as `in`_
+or `compare`_ set the result status which may be tested with the
+``success`` and ``not_success`` criteria.
+
+The exit ``status`` may be one of:
+
+rule_fails
+    The rule has failed and no mapping will occur.
+
+rule_succeeds
+    The rule succeeded and the mapping will be applied.
+
+The ``criteria`` may be one of:
+
+if_success
+    If current result status is success then exit with ``status``.
+
+if_not_success
+    If current result status is not success then exit with ``status``.
+
+always
+    Unconditionally exit with ``status``.
+
+never
+    Effectively a no-op. Useful for debugging.
+
+Examples:
+^^^^^^^^^
+
+The rule requires ``UserName`` to be in the assertion.
+
+::
+
+    ["in", "UserName", "$assertion"]
+    ["exit", "rule_fails", "if_not_success"]
+
+--------------------------------------------------------------------------------
+
+
+continue
+--------
+
+``continue criteria``
+
+criteria
+    The criteria which causes the remainder of the *block* to be
+    skipped.
+
+**continue** is used to control execution for statement blocks. It
+mirrors in a crude way the `if` expression in a procedural
+language. ``continue`` does *not* affect the success or failure of a
+rule, rather it controls whether subsequent statements in a block are
+executed or not. Control continues at the next statement block.
+
+Statement verbs such as `in`_ or `compare`_ set the result status
+which may be tested with the ``success`` and ``not_success`` criteria.
+
+The criteria may be one of:
+
+if_success
+    If current result status is success then exit the statement
+    block and continue execution at the next statement block.
+
+if_not_success
+    If current result status is not success then exit the statement
+    block and continue execution at the next statement block.
+
+always
+    Immediately exit the statement block and continue execution at the
+    next statement block.
+
+never
+    Effectively a no-op. Useful for debugging. Execution continues at
+    the next statement.
+
+Examples:
+^^^^^^^^^
+
+The following pseudo code:
+
+::
+
+    roles = [];
+    if ("Groups" in assertion) {
+        groups = assertion["Groups"].split(":");
+        if ("qa_test" in groups) {
+            roles.append("tester");
+        }
+    }
+
+could be implemented this way:
+
+::
+
+    [
+        ["set", "$roles", []],
+        ["in", "Groups", "$assertion"],
+        ["continue", "if_not_success"],
+        ["split" "$groups", $assertion[Groups]", ":"],
+        ["in", "qa_test", "$groups"],
+        ["continue", "if_not_success"],
+        ["append", "$roles", "tester"]
+    ]
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/docs/resource_access_sequence.png b/odl-aaa-moon/aaa-authn-api/src/main/docs/resource_access_sequence.png
new file mode 100644
index 0000000000000000000000000000000000000000..728b86cebae2353c42ab382e9e95ab417479cd80
GIT binary patch
literal 38693
zcmce;1z43^*Dj2rf*_%kv@}RbOG^nzqjafsH%J?VfPjDk(%m7Aq>2*K-5}E4U1u!a
z`+c|j-QV?p|M|{2Y%gIi7tea0F~=Nn-}jjQit>^eXhdj8NJtpcQsT-;NXP|9Natx$
z&%-Mm?2JV4?b2fzNpYkz#D9r38R1AsH;|;oMIJnfT^@7M#u*q!S;sNZLq2DKbM9>b
zI)2_gTebDaIysIaxTbkCXr-FweXe<>YL;oMqr>M#b0}F}%9K9P&I&-)B*4zWe_#-<
z!)+Medek`D9)o`Q0_wZg>AjPENjp2E*;ae9u*OGr*owFka2H5Oy<wL|kbnO45F`5$
z;s-^&Oy6_x{f<Wx(IvzSJ3eOD5#M_W{;#~jvCwtLOoXGdvT}EKcdhnlmE7z2(=L)q
zlOMUKRAYu-ou@^JMCg~tw&LPnqS*AAn3zgRO2jF<nnJ0>#Kee+iHFFD{Ft@MUbRP5
zIj`L-OW<?7$;<oB<#3~syl1Str)R|Z#%UT24xh%j`<5K9Gna8YiEDURSeQI12NEkh
zW2vf|T4Z>*{pPeZ7FNiYFXCl>Dc8)*%!0`T?+Mp>ot*{|^9+)PBv*T$xGwf)1>!Rw
zp6pG?+`Fe+=c%Kr>a?@i_cf5f&CP9KV4zs=&S_J7dpxIUcW>5xbTl;FQia-d8l=qg
za%Ct;i5B-W<kJe6m2lyAa`YR6XQrn)IXRj1YDvfoy<g+d$v;q4WmoVzJ(!~q^L>At
zOkxNgsi5xk9_m#zpS7C3__uHS!s!%(N%`TPohLv0#PK`lYkvq^VYBOgO(BNQq<#mL
zje{daE0|oEjDR3xFlC*cxiN&?+QdXk*mHk<vQWPf6)t^cV{<c^I4>_xgP7#0W)f0w
zeYQ%@d~8TSK$t~GOG{5*Uz*-cMn-+}C)xVP`y1Zaa&mI$=;)#^73p)cvL3l9qTO;_
zeBc_v!OkAl5EXU3a-)rB!ob!-pjf{VlP{Z2KK3Eei|5bh8{GC*OZ5}n<zz0|&$umg
zr>zXS?=BB*&wl;-6^)!2X>C&evZ6CLH@Becb|QIXWMmH(8ag@wtFDE)c}_~o)c5c2
z4VuF~e-<^uDO5jBI6F4(Oce3;_0`nW?C<aAFlv>Okufit153KNx<<#uEG;bTtW9`L
zH3YHh)f(vT?CoW&ZMA&+_L#^=G-<l+c~80=4(bI=Ow33YoyD#czu@5Z_mAr5BhAds
z>kejPJWmc678W$r)nAeDZtibPg-Kc;;2Jcyv{czlo~QWI(_=qg?cyLiFQXc!Dd>vg
zH(=&H6MJ6T(a~}HMTSBGdr(h?!bFK_k1q!CY)1mC*ZjAZmPjUz$Cj3P85un8`|H!w
z28ZeDvwR5x;UkOB<~<e{7i*tvJO;yzRXT#zS0?JtPEU^Tt}oKw4JKj0MqOT6c^Bcb
zHQP03H}egzl7@vP*lMWQ7|YaYVm(zlT<B!`e&t-%TJ6ZO=MS(8cq-rR+w+Tyl^;H^
zsXRn~5*x8;esGfNf3&v-I|cp1c~a6iZ|@5(?egvJ$lvM8T5OSMLLDtDs;gsJ9>cyO
zA|j#>fV*BAuW<`ccw;qIIWs%k9mAwilzI>nR#;d#Em0s5h|jgwQ|IM1`wioy#Za^f
zp88#$tgI|51@fgUi3#1296|8)>eYPv>FFu1L|<?3lP6C&C%kNIZq+=>$+*!{KH(|j
zJYMG|yw&#EcB(;o*K}u|lw3FGYJ@Rb^kA7K@tB;L*cAEMe&gPR*V$Zx7x!BK;$U`8
z4m<|yL3Vun_{*zQs1%njUD{Nz%0WqHO^5BeyE+zwot&4~<`5Vdc>h6W3@RpO`jLS9
z{%fnk;^Gu7Zi~SigznGoyiQ0^Q0nbYlUcxYUL8%MH~aC$Uk+2UoMXT@#*1Tld!eVu
zD5zno#Gu68vZ8Mfr`fz7yfrvD*c<!V9h>#<BD@{)@nAg02la_8QD#pzetcE>`6YaI
zyw#tlH8wgrzl$Y&{Cf3ZwQ8-KoO)@XKtWb^w9+vrJ)M?fx@K=Yg+9Bwx>_cZ#rriZ
zrm)9hNkzqNN=nfi*w~^GOd6tV&uWeCqF(hEpK#x53lToO{bc=NrQzmuvjh1-&LdZ0
z;nV#ou%X+*reQ#G?eV5erN?wrDD1kI!NKV=_;PY>v9YnL3P~5YQIg{0bqx(^B$TYH
zH!jsA<mNJ^E96M7eP7oMdM|LlQybpfnIsnT02zXBj#>c=6O%z@DN!Ytd4J~!>{Jdu
zzQgs&dWSbs#5t3ySYO_Rj8!=+$jPPA-=wDYwt9ElHaXV5t6z41t3!B!)Yscv5qD>Q
zL!VZ4sxc(v=r%t;j_4&UGFf3uWsHd$H)pVwL(71km&fVxL3Z}d=AN#B0eF3HXKCQ<
zpu>y%AnCPFqiM5A5>dq5iFcOo*4CC}Fp0FV5t@e!yU1UxuAUuAB^mMNjUukfg9oWe
zNg}B4xXkg3nNJq-v$8alls+A=x(&X61d${+Cntq|5!Pj9W=7VlQhOd&UQ?53Oj%7$
z(kmH96cR)hw`x7&<EcA*POXCc{iP)&E{<)su+}|sb@e=4$k<yQGvC2A@S&%n@evwr
zeaEp7;dOR2;m~rpvos^%+W0dLygQ$zTkHM-a@qa+J+#Hvj~>}>&C1;i9?GB(sQuWV
zCPOfL3PvIC@$otCdoO_UI6FMS>-62~4gA2J?QK*FutJ0}%W&jnd3kx+cX)(^&En0S
zo$Fv3+4XlaU*)nNWtSfL@>q>Zl|#zt%z#aofNvDEXDV&}r?nQcBeAdH;(l2cQ98Kv
zQ7zL~M5ig+7xs+TVlTrX+2w%bA5&8cPADjTwq7a1L8uh|{{D{(D-;rhT4!BdT_K8&
z6&cEih@7kOtF9I}OzTRKl)-$s)Su^Y1WqVbT1Zsuw#U*#CoG&`MZ)it+sk43(=4}c
zy_ddPuTA7&V}l*|b(5rKs@|OIbDoolhK|nI!PcBwp5{)!mUS1+d5ToY5Hg4jdBJ(v
z*#VvcHs9|wdvw=5dR<2pVH_N_INcCL+$wKjX}OSxd(A9M%VV>d&KsMGD&_DHyk1ze
zN%(XFi%$`(fQpW89u{ty=esarEfpV}lA@2kl}2mIkV6!)h4380(9qD$1X3Ew+H>pI
zRn?J8aq#eV#@*Iv=;)3P4j}K2LT3H;mJzaPx}L|zkBcWa7#U?Y85K*qyOm*|Loom!
zc*u(0+uN&M=>QR01`NS(^Zg?P2pJifh4yWf%P(9sRaI$+<dtx@_F<uv8!fD?+6D46
zGZV>gp=)w=Eiy=rW!Ki8!VcQjpWVDh#mKk>7lQO;{zt&GDt*yA6%i3JJ2$tqxVXF6
z*V2Rd3di33{^`YK99jXl-Q|s`#^&bcyx^dN@vyYCv}u_ldDZ^uGSlEF*14;q^MRe)
zR{RV&v<mSg*RCn6sJxAhb%($p+5~AqOI`g5crR>hS{j<GqL58cu3W$2xTSj8=QC{v
z6@H+h<E)2fS$5tU-7CkX{)7GfP6B7VFl!_MUoM(Eqzj9SPy`)9CBw(Z=lwcQtK4d+
z$j8(FpmrGQmzc9X+i!0eykG0qxa!n-3UYBd!jr)tj$5~Gc!S-Tv@6~h7KUbpM+Neg
zjE-s_o~seZ^$??=fDQZ1vvY7z{r-I_$B)~RL_xJ*q)<bTQ|@zdag|$7r1M11;YRa2
zF22bPQ5o(KK4a?W!eg(Fpkh++qg@@ZF}Jc>U0l4Uw`@>RQ6U@6>F;@be6Xe3X!Q88
zsDgHQ-Tqfumb|`Z%N`OoH}m9h_D8*$O546*N|)VbLJEWJ`7Zs2R}|jV)YRJ5PeQRj
zAFmaXMlEe@es|XVCf2@(;|rxnrQ_24DZle-Dlx(y?)}Fo$WJ3v^BFeAoF}@1hKGl@
z+kAL=c^%NVXea`b`*SsLu3x`SM5KBD{uV5^PL<Qeix+ijT;F<@mX$dnK3}yXUNGgf
zcB=^D{x-7*<i&x3s)~wE4>Cblap_}Sb_$ATtM(8xD$@?)uCeM?zZM{1WMmY52@zaL
z>FSu>d?$tIOJCoH)v+oq!HZcNj{-h_{P?lpl;FhclAxgAA!buV$oR%&DbXXB^hAGO
z-%GQHd|S+J0m%V@f$vy{Cn{{k;yb(QFb4Yj)9YL%lzPEs7xJR`X*A=sT`<2aPk(xW
zB1`UC0ug?#S~ij1tl<^m^jcBh@Njf;rk>}4j}&f^aYwu%A5Y!=#{>B~4lPhkMp-Ej
z5L?;twQcY-)0EmwycbxbYmK{>m6f%#v$LHYN=r+-JwSo`7EB0jM6XY;Sw&%C*VtH`
zm9w*R#+pc~m!CZ9WmMD($0b#9@e3y^8|CA!fytR8<<>m~wHpn@5Tn47Y6ZG!!uj5!
z6eoRzMr^G1_FL9<C)}KzZ#3GT9$ezFADYc8AHOFnE8wze0CuK9r@iOIbzI<e5=dAN
z_Htex6wxE^?(9soeqeck8_meXl<GxeW@$M#I5;@1G8<W)l#~R4>jffkZOV$+L(Zo2
zB8E6am*CFsb?QD#?C5d09csMG;NMq!2oV)(>GgG+*+tU(7%dzh^2ns(7sV&v-5IHJ
zX2r?jwV#DN_~R>jIxaUmd)O7bEi*{(&#m4;Td=z_LN4qnTbe_p>IXH3B1X%WXZLi0
zwYa2Yk3uA~)?H^sDTrBk*^d+niu#E?*T0|JDxaTUOF7;d(3A5#kV0i+WBcH^gkRGP
zd(fZr>eZ_bD23|FQ&T<F^&g)hzY}(jOh~Y{uwXjKPD!EiU^U9=TZaG;&5C~)b*R>Z
ze=Mo*zRBaG-4%xf1)+n~gPc}9`s?flF9jsm_Ms}U$svu-$;mOV#buGB$L*H6*UV8C
z9UV=}I7>uG*tLXr3z8S2c%9CY$Bn<tX>|GgrgNUOQZIb;LIiD2F;{`F^;jj1O9jGX
z%+$DYG5^fxsnT3b_<=e)I+rP6`zXW<gw8E1V!YrJ<GQjas>&rRJ<3Xfi<ThlC9m|r
z%F61_ojc`LV<n}fmX?+t?(WpW6!Zanwm-a~OMncLo}Mm6y}7#^aXiMxOiSAUL9?}0
zR!yxO`o$P-OV^#nw+4PtC+W9Fu^k>BLWm{z*jBQ&-KemgdP&lEOF{`cgyX%svy~q|
zk|BGTn(`X8M(KH-s1%7oiRyoF_f4<kCFl#@SqpX5<yiiuK!qF!*4x_N#`PBm%ZMg*
z_Vqb_4ZxGD-I-V%yeA_=z@lwpWRzY|u(q-i7ZGtcQbU$YwwVp#CGCsih3`H-Ia(=S
zNa67Eoht4SO3?zBpc^W7;gVJAO_z(w&CP{}o_I2aap)B4^q}4>ETTm9jNQIvjjrvC
zeQTj7V*#I>oZO`yv+q_W$2p(1fb&QWud1rt?%fM`_Dsalk!wW%9MaRWPtn&9U3+4!
zA_k(te|jj&bp`RlBKqDRFMKZjKi=@0I(2)7p!zy>$Mg4D-1J$Y$RrI;N6V0&<^54`
z;fekNYHB9+@%pAp)dWp1HwNxe?XX7QEeZo}ynYw{wJVYr&RJlI$l0=}+|F}}r#g*8
zvt}ao!%ds?i!9*VXG!ukO<dno8D&7g6Yv~;w-DbmSs&CRzW>96{<q&Cq*kw@!WtOx
zZIJAujf(L!mR(Ue{jK*=RP$FxzcKb5Jo}+K+IxYOPJ$+T^2-<ga5`2z|GUJ57;Z<F
zb$VVkqUFX$v#1xWN=tV>eDFE{Ov}YZCB|uKbu}^~qU-Y1MW^XGf{vIyR+*MUK0dM7
zxQx@IiOB*zo-#LUS*Pa3PHHa$L(`a&*zlDW`<W>2mHW>=<~0kW_&KLKsrLFaX_ZOb
zu#u7eFkq%Y`(8ui06xHRCx@0aH&-C$is#NEwoz<Y^V2<y;2*95H_tJq7&`TR>e$$|
z%pX+1Q1J|m@JmWU*-A;u;%#bZFdr&n4hs5Fwwl2qL{e@UcnwYRIw1xl1A}$rENP=B
zm;3g-3u}Q_Wz}Atlclw*Yi_|BKZmg=8IHYtQHT_^fU85`vuC<7yV{zXNu8nRTgE+{
z4+06^W+<#3Zgos)mAO|McWiK(pZ2);g}0Ks6qV#1S>$`T<dcMkF4^1tfIrCR$B6|G
znGbF4>>kXK7N)1O+`MTu`PsC}iPWOBSU`B0f+A=BQO_BqRC=!OPbR+8lckzuJT@<B
z&F9<a9j|S}JIYG>X5D4S=U`&5(pQ?DZ7v}Z`MJLC_+U=YbDttTkALA6R%4BuLZ13$
z<U5ydquPW0mUz!+%qnVYDQ>OD1Q83L4%7)PkBua`IWL6>#}~V7bx%)22Vib$deHhV
zq0U`H3{_g8V|)9`EiTf9WdSbA9~UU785#BHNv@I{Z+-t%TUItjz_eeKG`X|Akbp-}
zx4xl4O6U?6XOHZYjOaFmh0okSbtav-ZNHD<bKJ%fb{EOG5E_B^?j7&!Y>M!q$&11b
zn`a-H>F2eKgfTJKzBK5*9(CDjquI*nW0JdfkCg2PGEVqpjjP<{%e>-BZv=P=iQOKp
zKh)zWRuY{=)tle~Uz3fO8LRH=xq=b2QoSE2PV3~Pv$9-CM6|dtZ_*Qzmn*KUkT7(Q
z3IFIYe`8%;QR6^)ao;eGfdYEPVnNqIkAoS>#t^-49jxiZG1^^wyO_h3j$T{jyX))v
z!NE8f7=qN!CT3>hSTU!@78W-S8br;D81a!YEx*3NU3m~dYRND3lE!OPS$Wmv3DYfh
zqS<Lq)3x#Y+e*=OG~b4`+sn0myv#~m(c1R1%p4p`F)()EPg|=jtsK$9%*<&c`QAcg
zG**0arb>>JhL)SA`YS>Xqpq>45UDx$+qEZU6ZL)y&dV=#%U31KDC_OG+^6okN=qLc
zAK=gsN3z6Kc^nxlAE~L<Zf_pW&39Sj;pqefja7Pjm}rlxh)PLFIKrEQh*6a9>$7M}
z`3Ke59Pe|ZqxXpUakFaQmLoJiA18YQ+kO30Nr=$!dk?o>z#WG=*IhTKm8zV*L=222
zOig`4LqCPn)sgXDL+pz~0t2;z@vLlDF2is1MjgsLk*x_4#hm<AA6u3Z>}QWtQm6N#
zqSl_j@JbgJ)ogFh&2@)``t(Vr<r@ohxzrSsM&W0&JQJ{Hv0N=VJsC-a8W{?x06|QC
zE+{TWZ;wCuG&p$Ylw8+!tFv?P>C?SR=W;UP)0Kz<UCy&db@p>zd0Hse<FA4Pt6cZj
zH4YRc?bNafZA=*B(@d%uY)VLvZ?G`tMBSR4(kO0-e5)h$WPKzt(b{^#^TrOd(&Fr9
z-Hg+ChHvlv*QE+?9d{O2yuF1-$8`K(J&omeKAG>@T3BdALu0`tnJ==Nk>9LaNXo=&
zTpHNho9|*~vanPi)a0fVL0#&zvE4w&z`&4^;ov<=5c1H_(lTEemeACU&d;yGXN@N$
z^L*vWKyOlZ=f*7_0!+egRw}Bh9^Wgum$A<5milM1vb@@24?ZZ~emvXSvEXk-!Fc|>
zQB(~2gj>gbHMP0p0|QYhhiz*iq4D8i%~mU|!PtJgh=zvvwXqR4xN1a1dW_Z@9^*0e
z=5-0B%+sksL0?af8XJO1l{F5EQd38}yO$5Pe$cvE6}jYOm>L;%uMU=Jp=Xd^-*59l
zXV}=N3VL-#irDMP+PKH|yi!C+2oD7{y@{&2x&^xP6P|Kg{nzi_`3DA0y}XJ{F5I3(
zEPT8^;p<DbT}L4{TUv?Jcja~oo}Y5b7QGX~<fkj;;-O6jL+pCY%yNf3%kuJ0o7FVk
z!`l%f(g{S$3Q2t-*HpeQRo$g0p}-C9>>=heZeN73bJ8Wr@$%Kv`Gp01{D`~aBwpL}
z<}DG1bM0I;HY0@O!4_Qxd+YuE_|T$fX3DZhv+DKt_Vvk}q(T?t;^|qac>B5M@F2aD
z)2h6%(JI$Mw}cpz)t1g=;-Q(@V!AA$#2JbpPq|IKuV9L#*Z%%S0keTbxs|FnHY}ZR
zope`M9l(Xtu<CN2slRLt_rc3Id}}2*xNK<X;`S82oieQP&BcMHrf@(8kuTj=Q>zQx
zpJ5KI1j9B5;L8j1S0yGV^HEIBrb<&ugGt52^mB6bhDO|aR?^b&P_RySKcUEZb%=3=
z5K(wzhtAink@4{jw?-OqTOK}H?CtU@H<un$3^Th#G8`brFzkZMKaA;#O@RAmc*xN(
zzV=|2csohULngI!fw??fh$}T-G>4of`(a}+-c)0qj=Fl~<FA;+#DQ-aPpTZcZm?ex
zwwwNVa>V0#b~0H|i&k26&2o6Vuwd=Xow*be-q2?|uH$|!4<;sAEYbkIN(Yvn3iE+a
z@81t*C`?7~m6w(}*xKHcIa;%J2?*5V<PI=5UrJrozA^ub0-0YvUUq#)=f0xNv)TZC
z;{j-P6CqOa@?KOfetvqb<og=+`d$LNO=3rL_~o*)2<w_YNjnG<bk`1g>>`Fov~;SY
zK9>l)gvm@~)8iF)%+F7J{v1q0v*Ku1MCE;j{M0k&>gzeqw*@{u!nTjyWLrNxeHyg4
zMvj9PG<`Oim+eYOdNSgVGqTWeU9@R+Oj1-7(_{S;CkDnjL_aN}rWS*(ta&(LP2Pg@
zG+(F9b$7YnjK}C#e85aIp;Ov7;oldrFdpFIDSz!kMCO^RK%N01D$ClxjVJPqxqJ&@
z-sia?*WNxhHJ$zbaO(TRt)&8r7br*VF?$6#bY(b%_R-<@JBy9Wy}bnsbo*8(&T<ka
zB6W3FBO;9AHYS_+BG%q?_AVFcHwLiQq7D@qPV{8BK*7TAM6!Rl^xnEwBRPq}&?1~J
z#Qn7T$z1!qukV11i-fN3*=XU^)7-eFc@tv;12vVJ<yH<PnvGpDBXe_J$Hj~c1-;X)
z4!TH|vHkV>0w}&Grw!;7RJWIh+WJZd<`UM_-#@eqk2J7spH^tm;M4atzI)fn#Kc0Z
zeyO*&uFP8a``o}b_7$UqnHiPJ%3;dT*U6b;em}y)dlr|7HG}WOgz1@T-u3{P{^LiD
z-Cfm|NNXxfLNAAHLK&H2>F~Sk6Hm0NpY+$by#sjOue8)BDe1J<BLkcRi{zz@+)3cL
z_%q?<*8B$?-#b;0WxC3gf7%-07A0NXQn$U(fdb<D%By+WAMWevsr73;-fEliYFVjP
zz{tw@nCE;22dBQ?kEijg4hDK44g2i&x3?oWbS%wHP5lF~S_F#=3-e1$VeJPt2Bb%f
zxd(@}I5=Bl1$DZ%_AxzmXRRrc9gSby2d2#g>RVf<j}JQUXRtW0@L6>xen`2CG5nrF
zu|NLgB*Xo1q2F?Z&(?=jkw`~pWx^}O#^$|7^?nS`M6953yP3XzeX+6EJcN<<T=3+u
z1U&)k@h`M1Mck0*@QZrC-NPk6tAB=U3l&U;tVX3lb1aR_Y!e^4QNmiCuw!SUki2~O
z;r6@us3*ol>=WDDtr1k6>C<Y_5ej+`7CPb`A>_mf#!#Q_*MENO;Xx-=HaMc?;)*%;
zfkRV4VXl#Uz}uVTn*ZH6Ui+Y0tT6g*zqp~dKO=(|!>}qExh0D5OCQmc{e5ywav{cR
zLD9lqkdua=A?p~_&~Q&^pO%ldAN9U=MT>Q7ynefLW~qR{Yj<e()hmmv7YY2%pPye0
zmkiQ0F_|xXBnIrx$Q6toX(%;{<ZmnqC1LVWUgwKJTY4qv98dN9>Cl6FODA`dDxz-2
z_EUFUJ!|*niNF*MU|+9qQ6qJURP5kX+&{V*vxiYtQGK-jDB>DsZ&i8y3zY1NP4Xsb
z)2z>?aglQ`>mEGOS0dF`P=cQ4Z9uh*4L!zS!1b8E_cv2fZO$wE=)4rpyq%iK^zsUJ
z>NAqTI_sZA>r>|ca}2EG4?QCxO4Rx4IOK#IDuX`zF9O5@zCCY35+S00{xq4stg-Ww
z<OMO~`wSK#=aI6Sh{Va>U}-esi|fAKFm<xYxbS<6bz2o9W_#_^E;bUX$ju^@P?Q<5
z{=$o)YKHF7q`_l6KO4-%J0w-yfBux?JEb#MBzOTy^mV|p$h648Yex%_X%)f*BR~B<
zo3AyE7Fg$=Vy9BNVY?^_8IWpWyQnl|3{9&4>Qxi({M`~?3(cYw0!PkeP~Z(cZ+fvw
zu{8L+DTiIC4YQwk);BvlJ35*O;91_0pA<G3+(|3PyLa!-KT9kt<L2Q}yMg^CGO}fH
zVRbb=B7)Y-txA&ej5aTr5FYc+j%_Z{Y|js;FkqJf`^LC(#lVrCnc4Dw)wL2nBhM-G
zo7qCYnFp+~WopYW4X7-KaXX-{z_aA2<`tEdmA!v|9q36wo-R`WQqRi5vb(Y2|LWD7
z(QIiqW#w+*uYfQElmhSCHBlvCeIuSd`$VAUp6Fuy>Q5~Io85F%t;bQmR(WtOTe^!v
z^VmI)ozV~WCr5h(Xg&a3!zDGUoR~R`M5SC^D>E`O0Cg)awg(uELVVGG{j%PDr5%dR
zME54XvKyP(uM~>w!FYS^z!?Jqy1l*q{Q2`|$S4T@7~Af6-xeJ`P|OdLS-V29sMx^G
z$*C+dav+x1{@%TNj~_pN{^G^LwS&GKwbIg3wR~-9dHK_sNWIVX^@cmC(jHtqJkG-<
zrU@Rq8q(6u)h=7XB)pWoufBb|$I4m&rX;|_``XZuuU99;!Xm%u|I??49@J+`C@2)X
ze}9XT@&~+0tIUGec{MhcxS^o|$UJ^}dSG{3+S)7uTM<6l#yRPZ)bo@^Wn*X8EHUW<
zuu^ND!CV+PNiYa}4fOWL3cBqM7V6Vr0aj;fX}MBrK44~Q`k}ItMYsC4fI#&a9YTST
zD4Xf4(gN~<y|oDdQiOqoprgx}pEu#<0dawYgM&dlz}-g1#yFx5j*e}ut@C#QZ+!mz
zyoR9Gpn{cEeoc*F&;0lAH(cfc4xO2sLq976igt8#)F}ZKuK$$%4?j`{ngMbY2L(k^
zZmtDT{+^zm5)u*!9`Q!0aF3O>b;8@XU!f$}{POKv0JgH0mdx5S?67z5hVry{etsAL
zVAPDWv9To0Y=gtYl@%3l&Q_Yk>1=Ini{!m|o+Jd^ME`vYs??90q70FV&Q$_m{KX#!
z2>R`vowl|%;F#ct%M|crgoK1DDk^e^94p|VO-)Ux7#NnI50H}^tM#Z#NFX0G?#osI
zAl}r}6xi3Ax;ig(!OIlNdU4?6VCt0Q<i(|>5K?}p$<G&?*<|Ad4uInUq};;9q^YH4
zYjbnBP~R^XXA)yPBl(-?zqfpWk>B}U0|NtWQDAH5bMgS<1}M$EKerIJ=B-;cj*hT=
zOk-O)1-0E>T?dOf1<}hQMS=_rroiMOd}4PuhQ}H|@GB5jG~VtYk^qz)+!1b@zeZ&%
zzEvu<_MXxMZSC0N;^L&FNg(3y1`+K5Y|5dZPQM6#52!yI7uU*g=@P)YKmgJ$iB}{q
z@78Cxl9Wjz0!Cc0zE>d2xFbu!DQkCgQBe^IDQQl2_7w~a{-T8A<6}@F@bK^)E&zxK
zXyMiC*E3(TWoM$q?4{)$C{2%dbgji%6$_NMy^3+TbF=8;?`t#0@G0Z#%I#?oi%{Kt
zRpD_|rp_c}Kidj0JizxuWDn+2GP{@dPSr_{1KYlQaaNm+t7gj2G1e9T`=t<C5|U0J
zN-RgpfKGM;fE)xAz!E1G7julfP$sk0@fdGzaiL>1k0Er9nOT_M3vQ|*A9;ar|F7Q%
z<E}x-4|3ywAk_NU?FNzo_uJ3A*u7m>KPf_ZyYjE-U*T-|<ns%vJm>TCQHW>s*boc9
z3v{?7=cooDB2&@hH)cN)VzxrjPD)C#6r8kdyoi%WSDlxXBF97d_xRkn`UXicSaskH
z{34R)9j+@kz6SD#l)S>Y;x<?)hz&2!Ym;a_Vg~Dvh#{3eT-?3el6Fful=-CqJ$X?u
z^ULa+Q$5Qzze4m!Qz;1uYQM*}pULyiv%lk=feA|(<X5k(EQcaty^`MVvfKW+YuS?F
zi2vdD1@g>)?<9W9fg7)3m;O!~>D3GKQN(T}7*@_Ah-4=4l%M8~hYN|$8%}$buC?+Z
zGQ?hg@2lT;D*?Y8xnCpL3EuhYfdM)t);GUgeRRr#Z~L75BssnZB^9KZ&z%Uq{L?Mp
zndGzcLELx+z`00hkKreT-s&kf?icuRF#zrzxg<L<xc{oiovmGOwm`_#c~-%H{}^@a
z>)*Xdu3l)m{}bC4{w{wRejT)2e|)|T(LWf{$kw(hJ3CTB!f??>Q6=$^uKhoa60A~B
z>U`olJo-WJ7SIzTl-Lz%siWqOV$RNWB_&rxrBqdG?|fI)Imwo5Y-?l2MIHUtk~3U_
zXWzMN*{;*-FVpwQ1iDr%;#oaa)voa_#4hv7RO1>2q@^p_%X)a5?WE*44A60;yBiZv
zfiiR*P=`yGTrGzKcukJD=khV{RvAL?nBe}S*kK`}ogYz}*!Z}r)T3a2;pH8I&b3=1
zgoJk_#cvD}g~RcF+VSz@N{~ZI-muBZ%gab`bwjZntMoeD?ttcQe?K?)m4I})pC7rs
zLoA{weE2C61Eb(Fg|u`Q)m`_8kJ+o$3K%FT{6G-X+RDa54*fdus~|t?VO%!***WOO
zEhfket%RaajSV<uZ`d3y6&QQJ9vno6hAH}85CE(Dhxu7~d65DpKrYmL=tVX(oI&@Y
z0(gi_U~r({Nq~d80pJKgbHlybSgm=;ktwKYX5#%C&r_v5f>L^SRZwE@&2UtF{K5j^
zLo>eaAr~|8FPBA85k<yIQQ2<E&l)4S%9*^`>`gEAa9c;@0t0@ahsVH^Crp{S?hKAd
zMU-3PZn|?FbUmRcU@pgoLbHk&fg?VC<S|?=fiBS06JxLI?ydGiH+@o%#l~#$<gX}M
zkkyC3flfoq%jW?fZhyBG5*9Y0|F{+%^YmT*^gS8ISFf%>Dsb%2-PrbRiR@ryIH&<U
zY<YQ~XMDca{lMLLZWUU=+FJAHFCrt}>VT9$O7wGERFr)i);-iv$Hahu#jvnVVjj%Y
z^akyU*Vl;MMC^{Cf4RvbZ?f6Zsi;>J(#!Vdt%_{a`bMtC6kuxP0{fPVo#o}$!mo$b
zH4eG~g-emFQ+eRP!0ohjxRYdStJV=$<+(k7u)VE+@ge~Vrh~=@J30z+vy@zu7Ct?M
zCD92y<KlE|c9*dl8ZIfL++bwasWg#|<BQIZ8u3$DVzT>>?OfBNS(hdf5y@(9HC`?3
zVB&SS0GK72;J3|<4O;ID7u(R#0}b<0TJ)zHZg6nm5D+w8rMe{K8H+>gR_kotn3y;O
zK$(?Qjau&d(L%-<zU8@d9Ib6WMn(-`F+BuadAY6S78-X^p{}X$IvX4;6uZf&2TB($
z&1gX{U8bE1W)k|}p*1Z#MgX4d?H`4E$?Y;ZUa32YpuhHxNozJIEp1_S{A{?i1|TVA
zVugg-+`PO}rxi+gyV`(mAVJ3!EaCKw3{VLWU9~;#O37u`iiqRiqe57Si8<E#;ddSa
zmeeneYrtaO@RlOIgC0uASE2{Y7GeD1BB`{*JnHZD@NW4$AEj_zMWK>~zP^Ys21Za`
zzNew}nw&5*a~|ZUax9^!egj4guQ+jP_9Swsx#~Q})Ya8z=S}LX7w1i4;&ko^ulBcP
zAIvhUt+uwdO5YpKL8yDWy1QQm9CER5rUC)}^jv#iUxC4i(i?otFSr%3U@yNuZq8%T
ztL1WBETXOY*1}KcLRHkuhWiUfI;;j5$y>@Aq=$dtW>yv!xcvOi<h*v@Pfv)Usb5#q
z^U>7s2T*EoV2?B_sJo-=>sDJkOJ-)Kyi^6RX}6RHvIzw{H+KXtuTN1hI_xF0=g`1Z
zFO52#>3Qe#6BB>+ehtAC(c<1NjLV-!rGR}2;QjU|lpapb3*N7Rkk`?%6qSNtFeY-t
z#B>gT1_IX8GxA$*o74l}?rrb+%9X={;N#&rPc@u7Os1uv<~uBZ|6X5O+AS`28I_{m
zua0#ok(ng(qL|-q9qga*yB;1o%^Av#4-u%&-kD4T08$=@x1}wCLHq;B!l3*5m6eG2
zE8tXuZcZ{%gIkL#E2k%QhX)>j!t1K3O;m$%W$kXY`j^|((#czd`12BAzu!1L(HBh$
z?LF7q-`^bIug;V{SLwkQ7SMV1_jJ50?;p%$Wvs6c1iFZq77O3utF*Ks00V)E=sp85
z*l|sFcCGI0k)`D$lgv8niG|_eLu8a6%J<Kbc?P<=+MAm4vt1b+=Qxa>7#SG&`8IHK
zR?Ewsm>=yTdwPba?Fx7axqJ;ErBhg)A0LZ0WnwMp?(4(%_r{eV<-<(?nVa6kjh)0z
za;dQV{IVA><X{tgbI8(P-`%BWEf}sjYFZiyVqn-)%^%GwC}1qL-JA~XNFZ1nB^>Kq
z=VL8sf}jELRE6El?iYU<cJ`v39mlpdA6Hkt!^28t;+QK@yc_uKYFb*1w`?M6YWg;3
zMo=k~Q94CsH@5=Qbju=f68bf!@qgb2su<4R@$tcajZc>b?q8;O^r*157Kd7|w7h(C
zo21g-xFkNlJw!Mkyo35$5TE@lk%vAT#g_@MZy5<zV`a?u7TbZm+1L;!xs7dXCFJ_;
zO`1$Zt45JQaBuvCNBLe~PBfc7KASoJ@|fG=$zBE~QEy|jsd9o)4-U>6?E9Gbcm{+?
zGV@Y{Md&#LLe3`FCyOb&G7q)}e0}mrZ+A+VrM!FBe6W?2A+NJK>^PbzVlNp)RPspd
z`{)N8e5NP?vtCg#u@DU6&mrU!Mkbl8rG?E8qj0Pb+_^Y8cb7E?0E!$cmIga~KG3a;
zpPiY>f8B{l?ar4C#t3qvgHe6k)0L-}@cXL;1&#+7der0-#``XdA+ux^SkI4ph>D7e
zuZ?5M>GDyczUFV#T)Twk_t$1Vm`I11*1P)bwAT+SLC7VnW%tfgLpHWK0l~4D$j|UO
ziB`~iJKNauGc&g}HSL)9yBB0`AQANS^?9A0gszMTFEz>Um$Xxs|E)&kr<tZ+lE3^^
zwb|t-w6TudnE$h4LZZiR%$|HQ@ZrD0BU+($f7<gp0MLuyL5!ay^wabIA(sE6G>-NC
z$6D=S%_De>($9tFKgnw(v@ic9u<>7B2x>co&5>|X|4wxO0Ze@7Or-=w<uAa>C)awU
zGi0bKfj7qs)*=2W@K?M6Ri3-%DCTX9tfv2PWdy?UpBMVyLufATlS8EnP)nXkk>JyI
zJ8|rf042fKoj%*;VTh*MYb7uK35dGwH1V^{mKXbbF9f%axBwEG_ur=!{_E1$LhfgE
zjCAqG;4cXT{G`rBvc?y=LV<++{DA@1Kh^O6SVR9|z`sin;BvnlW<NRrnr-O%EkcrM
z+=B!%+5ZJ{A=YC3>~MFb%6x!DK|vv_V0L!aX{mn&8br|~#b#t!q<QL}SXx|mNy!_y
zH)y%={&a`*!3VE`f=C6Pya#+sksi8x(DT!Hr>3TY+WI;nA&Apf#;PJ$8A{m%1;;=i
z1B$$%AzsiSVT&sDg5DpB0cIv95P8|}t?Fn5g{3Pb=xS?&kO+s6P#RVG-aR6=$KIfZ
zEzqrj{Yvc>LXD^`Jp=^=U^E~N6QP%+$GwDtf(7Mlf4|eG=NExkLi5KPzi{VIln+||
zA8+anP@$nqr1wex0Z<q;?9lj22?ItpUT&>tY6_s$0t_?&rcj_)mtRoewbaj?6@-U}
zr>d$-%x#fbPyl*k_^lIY<fo>lNJ&Y5jb7BaAK0<7vIZola&vb9(z7+!aUXXF;1&;$
z6G%9<pt}TN4a^pR?ho{n6y9&%zCAcP!Xg){E-DI3rq4ota=6VvVF2h7Fl-eSgAEO{
zAi6}mOz@WnK){p(zUTHE;U7Vm4-(ltkWe!)6qb~@gN7MIXtdY-Bbc?))6!;ES3OsT
zx#;NVvVuUH3-bxORZe*zJj%&g`tdcezP=tX7?^ILqND`HUx{H$g#BFmRnb)LZ`X*4
zK{vLRn0SMknVE;D9FI};c)LeoTjtrbXP_l|3H&5GJ0;X#NMjrTirv7DiiyD@WTysQ
zY&bG_awi#}r0Q@BU^GKx;{mWE%#6T54e0g&w&LgKPw$Aau4TYQOXC&-h(%afZ@;`P
zhG%Ye7H~Q{m^j$j*g%Hr*v>8>IGEO3%JNOx`}dt)U7;?E^Yc-0adN`#?d>3Im6DQ5
zOt?pibQ1RA1Mf*92pJz2s-OD=sDdKr&-s>BkW$ru{tUx4AV5bHELe2jgF{1XTr?Ea
zfWHB7qf88PE*)*{?(XjSh95tE0ImaXjTdyIrKYY1@ig2Fpk%tbx-eAHMhy0#L7~D%
zoks!i2gKY4!wCW|j|~kagoSK>hy#Lp=MJ!adobM5d#<xw2ocqUAgUoi+>fScvR^kh
z?Lco9DkZMen<VBJ79PH|v{X}5)6&x7yf%IU^6fWo-n?a01K*Rej0No=_z=tl40U$C
zj*Og}nJI<!W>m|UjlIoAMJ1-EHvuA6*r<AXdS?3JpXTT10nK`#qS6)x|4c>2$yt(=
zL;)&TAgJIO9LNEI{P^*Xo7>S$OC*kHD&`%fPo|jG=l=y-s1?`m2DKn9=2up_9&Rrf
z85w~H9P`SR<K^NGqxM)3)qx~|&3)fSUw;ZTwxmMtQL9X)8~+4k;Rg=nYUqP$A3prP
zxCq>z#?O7R(Wj=jFhB3U)2D_jK|@1>LCoC>ipTMB&#l?E$AwX+_+x<ttn>ku&TH`?
zQ+0Q*20Kn91LT$L3~1RE*92z9s+0FOIWkhtT|`1MK|kKXKvKlR;$D-{+Dd7vNl2OC
zA2V_>iy<r)q(nmcE*uOXR}Lh~me&DsKFRkACXV!N*IBu7a3*x#Id2wK<m+xa{$4BX
zGFJw;g$$9MN1~AW+D@0B)4}h;yEbiT$uR{`8tKXS)en1A=g<8;AfJ2CNEkWv7ONN(
zTW5WdDngior?<CnQ+&xZ<|*?7M{s{(c0DnUR^T>3Tl=%0W<5;xjyqEen@cCDo+stL
z!azdWM}xGPNr^#fxpdi@pC!r!04(^QpTAv=;2G3_XNaW0;}5*kxfy-!x4QSC4;R>h
zbyc97o%`1EqXAbnh|L#8{#4i@KpT{QKwN$~=0D*;h!l3`nWn~lN>)~D*aV<&jE=rp
zcqqQ$XDul%-qh3c<;$1e-jd=*WV4*6tsry)miK~aj^6*SnlRhs_4V~7Bz(%t%L@zN
zqy<RjOeBv~yV%1Hm_s}-d;p=gwzg4QG|f($YW}{ah6Vtxudusw)L6fU<k%Y+8V(H)
z!_Y_g$}^;dlhUo%TkPazl1agTsUVVun!kMmI0P5Xr--ja8KZ|s>I%7#`)GwN8kuH>
zw5%+QTR_mhK7xEsNbET<L;oU(NTNvtlG!;psvH(5bC7E#5OBm#4c~DHur|rblx32i
z&bezEhyGr$m>P4%zIz9gP$0#`<0ra!lb#+M^#Y7KO?d2)QW%VsS%UtusVNiE-u;l6
zw{K~%QDIKV&@qbJGCGkE1qCH5&febs;&~Al7Z()CQi~yWm;ee3>o!wxcHS!~;iQ}r
zr<ILL%*Ysk2#gu*hw=|qW4(Djgj6FkV?#rraKo^RAb3EGHZU@Rk+WhRPEk}~c3L6F
zG&h5i`MRJh=gDne-Va;Bpl^q<gHoHx&j_S?_yY`B`KWco^1_R06-kKN?Y-=|KAXSu
zL99dl)ohH6EgwIA4`i*q&TD5dQR^{~r!}zo!)j#<RKG2etURXfAR-0RS3ryc>Ao~6
zu?~&bc9$dsRA|Luj4eJs9-IgQck5;YfC(>9u($z^K=Xmbxb3*{<_#_u78XP;pgth#
zuuERS!g6+SfYB1|_YXzH#9mB46sHW0`}qae3l7FS83Z~<mD==i;UEk;*4L*%7RBy%
z_twzR5KX#u8@l`NpCGA+H455IO937Nb4e{Q@G>_y*Apa{zY6n_pbK_{I0w^ILPA0?
zpOF`jfKZXJ97>4bHg`8SqdAP_rKQ1(WNmD03=C3x?}|2obQzYu0PG$cdkix<-hO_J
zKX6Yc;Pv^iUWl(nh&T@LH%x@US2$N03~)eZq*I800-x#P5=16gnVCt?&Futl1m*<p
z7fkT!(<ehiLs&>TDXEwK{tS$aF}EIl&ebRe_r@d>xQ>hKaI|ZA_!80qh^_k}TTcD>
z0krezs#G_t5-ws*mzS4|jXQ{liPcn9xyfOwAvrlYH5D<!0woP1ZwCdX@nAtsgo-*p
zUULMDv)BHlAASSq(EiP}z5m5YeWW1G^M&mT^OB^vxT#Q0%+8iQ{u+?rc_?j0HFgFM
zPVEgv9kXW1JQOLUq_r0+aamYc5IiHNiDJwp**aWo?1xrXh!W&KnXl3RKjn+78VKJx
zIXLWXZ3)>Pf0=5u8&mK3{P8?8GOKn4HaWSqfq^(Gug9Uo*41u7nDV@E{@I5Q2QYrh
z&d!cX0VV}eRcJ^E)`=M)J29)fR*n9dm%~p52g#mC|Ah`pFv>{rvi|T}p}|}lik%GN
zb0ed>Jg~P2U=`NquQV$UPE6>@$mGZ&r;|G`^#@^ZE)NwSAG;g*&o(sNH8wT|bP14}
zrY0#soX#O%dZ4CuA6G?D@u9JC<MJYmrc!%%PCUW!7k5a3IlgI+R%Vk&4~K?^pkBIs
z`Eod|To{+=A)CFL1B``!dCW#Z4XGS-BID!nR;<j-g5cRG<nEo*^F^zgrih1G<CHkn
z!<_!DWtErAc?78*(kZ*buOfv89tJo)tp^VbOiiUxn_F8`b2@^}mC>LGDTlEa{bzUX
zpca;vI@;PM4XE7k#w8%&;pV<8De33q1G&0O&C3sqTpksM7l8ydbiyMe8_!T6Z$7M$
z)4V?Dk3$En?D_NOS10ONp|A^9T*RAzKng_(j1hOf<)biw!5<0=3Uc@LX8=9@p%IFd
za(4;Fgn|v}Y4rSj+_isX026xeR-QqF05lzxX|-pkZeCtz!I*VHY43B-$v8#*bD{L#
zthLHqw|6mQwY2ze-Rguo<Y05A=q|luLRVK8l*+IaMMoo0Ew7DL?H#Svf%S-qh*n3+
z3(CrNVZs15);8_GD9jb1t6ZP{gR+PVR;`ED0ZLjFOp;qXJPGWE-@<5QV6Kv~G;|f_
z@+Rl!_uKi`ay3iMV4Rm!z*S4;kp^<a@<SsdC#dORMB8y?800J>DR+a0VLTY_L)fJA
z1_VkWk3(u&S{AJ`CP6_RdfbM_MhL*_)YsY)goT-yEWUqywjvZ6fs&q-R0zy4ECs}e
zd!$Ld9=<+42Zx9EK<_f*=IRO|<-UT#S|hpFmCKi5%G0<#Hp!Za)_ecx2*BhF$Z6(#
z;AO3ee$jtw0fh33n|>$4P&IXDm%$_<FzGGiz7LEf-;-46O(Z27VX{(8tR8bUpx=%`
z8+O6Zg1hzbe7yh;F>#gC$}sp<ksx*i>D4Q7a;2vOvUetbOYsnZt6?e`y^l%l?C>ss
zJ{pu$NJyL%1LgDAaB%ofBiW&ixl93D2c`x|M^&KVg7|ouA}``Ij8?;#T*?^<sl%xE
zWgL*<ffrU4|D^YjzP@&r^EV&JcRYRw^EJk&LK2Oo+GtuD8jcMUmG|wz43FGUv!DMb
z>Yn$Y9#WY%HcT!;r*P9y!1DX-tS>S3Q|5mt7}AKi+1Mx$Z3k4lvJ6u{AreKhV2{Ay
ze-@7X*--xnQ1icmuK+Ca{{<BNArAOQ2J^p=w!j@CRsiWDVua%(&o4kBu8R=qsTYFm
z%#4N6muGhrwX|YlVi>VeVSYQt0RYf(7&*>u8yg$z>F(AP`T{)jTzlMznXv})>-#X7
z39b#vZn&Hm>FKq<(yEzS(-MCQV1`RnKnBo43Pce;<Q~%=S{FWNZy1{g0=)>PBHQ`B
zuVrfWXJP)*3;h*$x=nfjstBN_yFwTO>}+fx9nyGzX=s4#Itcemj|*ct&?K|Ryorct
zkLBHhCdvEt{{B7;;S*lJ-Wtu70}bqIr~3#@ybur&9PRIm-@SVcF|P}3Ih;oTr3tjs
z^Ldygx4%zMPtVT}rrQ6#l2XFuxCXOP5O60al{7RM9LxV!t)SyGnV6W|@U8|HeXb+n
zY^k7*Pp~%5w@0JV^k0PYC8X~x5CKypLux%wqOt8j$pMj;;eI+)%&@Hi0*QS4cC5yY
z2f{5aZTdmkhYueB>Ch`Sl9Q15I^7&zpi^}hHMDXCCOH9d!6fA?f%4%W#WBIy*T~3(
z%=?){UmDCUFI#|o28PL?ONHwH0t!kG4LgN*GJRz|jE%z(l;KL*-)fFT^Ai@GO5m^F
zGJH9Q^Z?_pzMVlO?6j;73lCi`jwp2MFja*Zud=X!90LCY_1(9yuxp^X0ZZ^q03MFx
zakPs#VIn<!7UnDcFiG#BnmUfaqnSfRrc<Q~Z-vn(80wy!oP=>I(EZTXph!cpiRfd|
z&>(r(+1qOsKK`m8d?H?ld;R(oII?1Y{|S_x8dYg-mo8qseBnH3Yv4o*=%hP?Kz;<}
zn4$sw+rWP>00Jp2oBY|)L*rz_w+X%o?KLC}7&Ya0-JS=E5|u(zQxk^pp{Rs^g;NMJ
z^YbIBg`aI4AJ_x@F`Jc=k|Hqj2lfF|Z3=K00{9P%m%|TWfM}BB_wQeiGuyuen;+Ub
zIXMAhCo1|Gj#w~QiSUH6UU^{{91jE<gnR@h2B)V>1RrKU|MyM8{sAxH1TO(aRlI;p
zcYpsbOe9iz!&u+1bPjObRZ(9oau!E1Ev*rd(%e!2smvt|B5HH3XLmkY%>4NAnTb$I
zTYGeHP-?;l{vJ#%uBkZzFz}riWL$(q$kQFpDu{}TdiwM!Om(CCh-Ov2tseVuxllbf
z=~JPe#QCR(A4hPIo^FEb2u_pOfuVf8_YcpFDeLOy=j1S6^M?sKhj~RiJ3GMfwlIua
zqc*@hp$UYeP51yQV`D4yv2=8BfI<!&943m7VcEd}V9;`UW(GQ_mBGS#sJO($s9*+s
zoTJAD&_now1_8=kNX{^|xwo~Ia%5s|j&kYJ@W=>wMJzU@V>xrIBdi(7nQ#f<+!+Z(
z97}uvr$Zcoc4)ROB>{?zqZgMj;LaAoy&gaQQDoQxJ3Yo4igY{zg1veyVR&w+{h_2U
zf1g)Zcb1XhS!p=}Eln}FGo1O74T%M=K*VL%3&(GO+DSk_00d|4ul!am;2PxQUf(~S
z17Cw}3#VDYsUkG3NYL#-yNg3g>H&aBR+Z)C8|d>^XJ*nek#6>bI3=4Lq>E@s55w;)
zVwk;xEeO>e^Z<x<_a5<m^dCBNo2C+2-&ua5>^`ViSa6gBjE85uwaJCx28oZ3ntFS6
zOzX0rdCotHg!V*!i6=>-<5Y7r5Wv;F(Pw)<IR?BRaK;Q`$`o{dZ)|emj1>T$`j~vq
z0{;P3S@p6~{o_*Zpu<EU;+?jzBVap#ylP<?8F&#7NX4)`Ys<(C-WB;mYtu8JFgktA
zu@Un1Q`*2<D882m8q)E{LN1!y4jN?pzyw67k6jINRIW9+w6e}ZAsNi6<ETC<L^B;W
zliDs6@c3__3x=TOadq+ewUR%DhJPm8Zgn-`n0t@ha6ghGaHFFiezZZuMhyTP@g3Gs
z*{w-lcuw_P{!AEI%Ewvr-{Q|sX-<a{5EHFbJWSs4F6VM686v|(qQ8ttg^JeaMOw`7
zAtBZMWL<U)cd+)XI2s9e-<#JkBCX>>)ce_QATT9~U7&!})2*yahEe{dY`R_cnaH}f
z236bd@8rzCa{kMo?5=j1AJQFE<xs)j(4W6%%fAs!zetFG5F!1c6Z%I2<KNs%d?akV
zfPjEOG9TH$$~J*Bd7ub0rFU**!U-pBZFr~`;5-XCK4@{Ft5)fsU0q#;L|vpC_ix<8
z5HO!R_`gv*x?laplOc~0UB6ypngj6}Ul-14`A_IVpUM*XUp&R{HO*U7D4In?M7H$<
zl1WHN9_#C0ruZAY0APJ9?Y}j#6x2dOwJ??o$F&q2wPok$r}J}8IQ<m}@P56$?EwCL
z|Nebr<GGhFQAJ-$Q5S)V59Dl|oV{ILN#sx^UKIsg`R=Rhj~+h;$g1G=YwUpJs8FE(
z0gr`)n;@TNRkeNlb`8x3ntOmd%1TRheqkBCw{QF@6Aq^RdE6D=%-WhT^!9+un3|aZ
zxC&#0W^kCnFK_@VQ9^zv3sB|y`AN#kzJkBQEdfRXSfA|bRW{gDkf|Va$;EKXEtbKd
z9_2+vd^X>oW@G?FlolDOrl{EYj>DKt;K@2P8tPhF3bD797T4j4YO1T@gsUn*&eLG3
zA(~SfK;@B<7z88p*#{k-7lzl(4GgFq%OUkbPfO3h@WFQKuBqw5({spRYe?CtWJ@m}
zW<J)>A$iV1R2gAJd*U`IPrC4(N2y0KWaa9)OiBb9bz=;Kuz;a=Kx^{ovo|O$K<Wzk
zFfnlqq>er4pF!Q2n);=?dlS@~ZRLW1rvu6a1)>b<J7KR=2wqUoTe<y9NPA6GTSo^V
zcoH%)mK>tspdcWZcszE7|E<r}!GM?#^Zw9{yskACTeNb9p)l0TXlU0^F95Rzr%u5{
z!)v?%kk<3RXu6rLq^<Q}_eX!dG0Km#(e2`qV1=r-O#?SYq?;%RK2s_KG@NsD1f-;b
zR-+Z*wDJ7T!Pv<^Sq?ZJB`Yb3?cv9#i;HH>M>yBvG0TgK^%26|Z^bLnc5QBL`M_xb
zC2-il(2z#|I&>@xW9)u#Hdi`100wFg9>D1jaCAi0%oqR-Jy>wW2PJ;s2rhXa-F$MA
zv1LAwX+>M=q@kC9RCH<jO{$EJx^ZJSZKQ0U-!`%u`~NWI=d%7v`Sj)%e^4CpLN1%$
zweO;^?fx;@8y+|D6_;xZgnL!)?}}0xA3@+N6eRhuPPOU&6_oRX<@5U>IQ&IcR)+y0
z_D_|-iJqG?*}#{f9gJf%(Lp@aqQIy3;H0?<MZ7{Zyqru&Nv7noQYlMQ^HRqTBjbY^
zu2ox=NY7O@a3%84?@8p8Hg$hR`w>8SzNm>34PWZU)+w99*0eA6rDw86n@66<RD?$P
zP`Aq3k@(4+lTd=n@mqU4KAO)84+zSQpaqBHrL;6Pm6esD)WEfX^9HmO6&3aL$g!~%
zb#+1X?i4Du4d)063)g|fwK>pow)Gu!5>Vk$hSG!99C}RH<J%$o?x#>Fz?_Zn(K3gq
zl%KC<2!~3B@gu&QGe=8|lv-!1yVmDhf5^`A`pX#m8IFNlWvT;<rJ*tO{37~%Ih^IT
z384qd4tx6+P(ov2b#!!C*S&rFRt0A0U=O%~LLUc5Ot_uVdgS%%*HFhgv_voiQv(2N
zhJ0L6NeNUM+aT?K`SLYE6#N=wT~X2JfQP}MDUne907==bP+C%gIGrjgYQIN8*wIAY
zieu+V-ky3$vNvZs@;OB+fp;Bl(og}zX(YCAUI7km=GVIH)DInV-4hZ|YZL=yMP@~I
zZmT-Z7;~UIk&?y?KdYLOom8LY^_4K5OB-WqS;eq7wc~%t^@j5PYZpbqV3oLq&VhK{
zsul;_dq3az=hGuO_*z-_%w}iEN}fx++xb)a@N`xbF}RT^5}gyjxXW$Ghla%UxyUL?
zCVb>vP7?0B=dCXmZF3jR&Z_li7e4=fMJ-RatGBVzns5!s9)#$tsJY)BGg?$nPf<i`
zWba_p=Hq8tLTD6v@72HPj<z7=V95cbeN|QGpk;DQS{CJe;$8KAjEoN*#(Xd#q8QMM
zcu)h?xc9pUFEXbH?$$)|J?x(fS9?I-$7tfZxxJXn>Su9~>Q~FsQ%HYtpo(v*d#KBZ
z?`iO4_q5YTGkS^i8(WF4-70ie_z?*$u1{{19&1NbXf$|9=areARmAZcm-e{z9JUg5
zI52(typ!Kv;ot-}0QknOr^#kTTjXQ{T6WXV-|zDFbkPTz;qeG&c^uBgNnSQpsXLu1
zJSi3`?)%{taZ!<R9`RVZlo~BEpA@XEZ`-)lpL=^TML-veSrENgclE?F!xbw;C&e<g
z!$BNr5f$NiA7xtcj2SC<mJeq{_tqlWu3blRAZzgq4F0R3cZfzq)}K7*xr8-RY^JHP
z7=?3I7`K{|)?&=ZvRePg9Xnb7wm8yiaS<#NPL&}m4&;wkw!)|g$jAg*k{9~aQGS`|
zk;cyj#@sg&Jo31mGU3NTMD~VTt&fcq6RDanLXhE8TJy@&zCRodS1nFSnE%<p4R|0W
zo0=RBmN?P~$9nDPQA~A=UrUXp(uixI8)v(){66=WhGbs!r$vzN*eCsZq3!G6TqtQV
z>Uryb_hR5SA2>gdz9+gD%FrZ`NtPYV&{U0BZFrQ{zuv5(BW#X7!pL^amdc+X$x{|@
ztDiz}PJ&-AbZY-kF81Yr@)ZAXOwy%#Jk{T?Dk`O<)a8Rt@Zeg946eGFd5$D?;^ZGo
z`iGSQ+vQD784fZs-ug=_y?MTJUs)M6tV27t;L8vh13;+&@!8;Xo@UQ?!gYz6EW{Yb
zUGh%CxKyatT69*4KSu?hM@nnD4!ivi7bu)x2389IcQ{q6S!)u0u}_ZOdRqIY-vT|7
zV!$iJhW^VM{mt9|;uB+k`VmvruQ9StAK00{g|!Ey5ZxRb(u(VgtoDb3P-OpCZ{HnO
zbN~N;tXp=JNP{RXL`K?!q@h7mi%LT(skDa%ccIddQ`#yb8Ik6Z_EH*3Q+v?f`}a77
z+kJoT&vkvj*Y9`zx?C=Q<ec+<pV#~KdOjcPNv_SM?(zO}fh>B@%02$JyAcS%x3T{R
z?M+^xe1e^O6>)X-iRweEh$;ryq#i8!?v8B3M!JY~S~C5<;5U>w0OCX=R(0|5fjjP+
zM_%++t>jMpv3dOZh{ye>5DCQSgDlaJileCXhKGkKm;fXQFeaju3AE;*CChm7+t7_Y
zxn?omDpUP(<FA)lLAWXc0?5H(7GO2Nn4yY5<I9&*FO&QtS1!*Y+tD^`P)Y$-XGh+x
zBQAq%1fPXOu126rh`8+bfSsvp$Og#Rs5*)gAhKl-4n+eCK6vmTVk5N}si@je2I}bn
zd=i5sf}*gjY+`H-Mjxx|*HO>0xKnT4N__C(3c6eLouKkYgDXxTys;!qa0V!ZyDx+q
z3el%%>FD@*dFKYRH;roH00*RDit|uM2g!3#7%`iT0NgV(8$eCHVf(>dh(C&ABigGN
zIV~gbEyp(K5|2BwUo$nytU1#xW9%~y*{#oP5i*LBU?(Cy(3p?<k>;nrA@*w)JurF#
zNOk~3SfCg{SfrrsFf$8F2lOnGXU?#=BOvWrYU(u75J8e;;L2cEn~9`gLJtBmflMf(
z=*7oWRjq|a2%Qy7Z^uj<P?Ou^_Mr}E;JtRTlblBid;(C!)925H;JX8f*YiAMt|^Vh
zhd|K0@!QJrSV1HKqJ*<=#flYVZRbTGQGPR7MXDsH3@EWs%OodHp#6{y7b@)<K~5Gq
z$h5zo5x^8Gi9}i&n!L85lG0L%JKGiH<#$;mp;}$L(iKYw(k9@2Xl?jlXQ-`h0C$i3
zg3>k-($*I**tocYQf!g(bNjZms_FwUS+{QGdu`=}$|-KP>5J<MrTnu?o8;n=I8-LB
z^W#))5$S|$3m*WLQcp6zageNlGE83wrx$)*wS3u}7=n|)IbxLoZy`r^eZYo-GI{z9
zS?Cjm&^`!#It{^>0UGm5Mkya@&47ji5wkHdW7FRfd5#<@SQq>16^vU7!=FEWf}l!u
zD&zI4)$!gjzn<Cc1ea<^ZK$ZI&<}}Dgu45p{SrTQ3hq2rY3bXPySI3vnEJCS@!61#
zz^WApiGqfy;+!C*7@Feq>gpYhS4@QiAlHXztlb2CSxAUFN<ujH&>8#tQ!(kGcp5$i
z{R7EnD5~A$;>Ac*a;}EU2vwBDVF6!%)(9^IN02H;Lql^eR_5i51iT*zLV$W4xq~Kp
zdX}JZ$ZUhVJJddQRKQEIWRO2dT=B=sl`xND-D)y#5p<fZMX3m`W_Y~Gi46}NJ}a5!
zPf7wh_)H_E;{E%G=g(!))$T&rvQ>9^B%sAec{Ym?bcQt4)F;Ko(Tl@0h*Uiw$ku0K
ztJc&%_0ITpw|*V*QO8F%Y?3m5HKIgQ!ij`WAgg{_I(WpseM1Jyb!<&Q@PLhD5kXP*
zX%h_<<a%O=hOI;@ashpLNeSqxIn<*d*dPi3_m0f4#ZOH|<&Vu9Dy?-ZU9FoPdHDG3
z@HzjrC=N<V`Pb@p_+z_-V2ho>+NF)mW;pDRb8?00_bi?S$tiCtZ^Qv~k7)a=DpB_j
z9Z2P<otwFIC+80hk8hzrj`b{yY{GlxR{e`pDbH@LK3iON$uq=5hOFaxMn2AKZ~n77
z!+DkV@)=#{&+pW5XsYnM)>`Fv87=SoHmp{p*>qJ)Zrf^&fnVi87!DYD2eaC-Vh<Z~
zg%FVcikF2zpzvX}(H(pt_%t>!#+!F&XMK;*`BaBkU2vptb$%;0?tM&OEV9Z_kr9>e
z^Ia+9$f9%e{IKwN`Pb^Nzixo)c*CzlMqIyh>K_%?6CsYT$A0@z<Pv4oo#`*MW3P2l
zcM~p9p&DB}jsH5oe*YAIKTbP;lv*CmQ7Z@=r8@8G@vW5SGSjNlJ!HyOsX%by)A^Fo
za%5s^-c}L?zsp&@JAOpD&btq##h>nCyx^hNbXIdDEZW=D;mytMHT=I$*RJ1-uk>IA
ziRQA08NG!a#)&WX|6YmVpdDPhFOSzcmgx_|#uMaod&ja3hX@6WCD@TwJ9G$!KELgq
ztBAK`?L2O7|EqeuLiVX$x*)s8_kM|bT`XgmMrIJN{Qzef_cDTp>lBJ?mo~fZUgnYe
zZ?&CzO3PCey?epvz4`Epm8GJg>o5Z#J~r{rT_b~Q^^f-9x{?>7+dCigp%3W2v()tb
z`;ouYmk<c4ls~IPa<L|oP+dc^8Gdvh#f!`9-|G*)@Tq6d(x*m9y?z%S<>t=4)5-mO
zY~9>k_AxV|S`T~n{R!<u0=>Px{5vG=QQQyOFrGQ{!8<RaebS5FV%HWett?yHRSb<@
zpBwhk3-UdBJN||94=IYQv5)k>>ge&mHtZg~PVuPw6U_?~cr2@whE7AAXj_+Lt|@ed
zZuyPEPthUBE}*^hNIFlYQ-t~Q<*<wo%11Ock*T!WX}B;}#dCP)yCyVlKg(@6TkrY$
z_O|PFbsN@qeq?i`3R;X^QdOTB@1N_$Vd^|LtvMYxH8tVr7!(}rZFN12hR)uV^4fxv
zXUf#OO+tTmf3c8JR4i(C=0Vn{b=6}gci*I>5>YpO+8vpP3_cd!yh-ZW%zfA*BV*e{
z?@|5tE>G^=gLRIBgM*49&vC|NG(z<CzWuDTGtGziuQR8lmA!niePOJ|zB}RU*#ql$
zGV1Af>gu#IP$#86k%VrF$DXYBJVLWIkodsHtl=G?@LlTl$utKvShu{P6l1=Z<oUvp
zP+?@`>@s|o$?;KNG61-wmqXnWK1Dq>ot<q(MZi&u)^BK@?0s7BQa5Nl{qYg)g}O5e
z0qr7nIbY^|4N4}{<9m%Rd<`-;7nXYK7j%}$OFUZ4B`7%4lpz6E65+l6@0~+viGxhZ
zOJ0lF_PNp7sb|p=l_MiQN{Slvd{tH*MSbqRU1i#nQ;x??8(y%=Imt?XnJwi}c=Cj_
z1$O5!6iqZVVZ_7vczOHT$reF7!@&E>A0G^T>8+Ly6D+2n7)-Gn<70aC?%jv7fou?I
z$|~9@M1<*h`h9NC+~X<#`sk+?0HTr^nSC@}U2*jMZ>PQ`PBf${K@mLrEpg^^qL1U~
z<MhXm_pup{<=qXh`aFMa&TcqHngpwp7GE9YO7Ty>InC^6;+ZJ$SjWrGzKw#(@ARWR
zqr*G)9VP^qtOy{k?HRgc`sV7z_c@+s4uhg6FJ9~!?x33(SooY5%fr+@Kne*Cc2{|x
zbID*QXsK&5C5L)e+{@wB$$3A1%VBo%epAMoO$>F&ZMQ7kJA9VoFe|PVK&f|sjrNA;
z*8lQg#vCR(4@C`4G@C(<tlG2|XKi5M(U&jt2b%WRC9$LQ6Lj~jjB{=ovHJYnQCmWy
zzR^*{u=|SS;bhAm84C-l!>_gcZmpJm`0mKn3#6$LRwLsHn~BE4(M-_6ni}-kA39+z
zv$uKoOm%a*S@XiNXe8-xWYWv|Q*_jr(PyI0cw>egt)QKvscz*=XQ?hkYc}(<;#O9n
z9v*7sBtI9t!my2ig@r$yd|Roh{jd8RD&IUmJ7PAx+}GNL`y7*CW_r>|iNrMX==b?u
z86N9aEMM-xY_FEw?<n@?%a<)P17)YB_-Z;ux{t5k(7RA^B9{HM(ab|iF@(H>L?0Ob
zI3xYn89FF@c!f(W8|Tx@CR;15IqM_B>9_M=@6K}jX5BA<6i@|aWmn8eU}Nj<!(uNk
ziicdI=cu}R?#GXgJvENgs++}fbcXQlE(|Or>~;?bQUL-gb<@f+iOF42`Ev!=yqcl9
zhK4BV*wH>ova@ct`*u3Iigj<2Y*6J%Nbn2I%V;$C0Le-u^~0w-;Vj%JLc!G8xp(w7
zqhL~w&Pz+?ip?ApE|j}R2$y2T>>O;3HdEM@5=TCJGe|NqonuKWuWSn;j!m=bS9*B`
zA6qS!|D=SelA2y2<Y9TD$(4OlQXH3jRuOh=LO)=*Hnr!9$yO?{q$C>zM4f&Vm(NNL
z58jMQo&!m%7CjYBqy<wxn?aeYgM7lmT<YrUR8->9)Ax+-Qc{w`Wsk1N5@7V9^a~8^
z>KAgEuRfrze%qq!xzzaNq<LT*>&xWiRGUK*uU@=(fe4$y3PUQYvQrW}i%Vv+3Jbj{
zx%Eq;f=qWathwtgZ%*LeB(Kl0cCA;8Ptu&SyDwDqux;wh&q~5kF!1o94FdxleCPZJ
z3;oZpTX$HjU~VSYaeB5{d;6od0P6w)t@=HEhElmYhaB^k5$bfm_#=Wdu_P}x`Tl)n
zHMOlwId!SYh?KjrA}%D@ea)IDDJc^aOo-D6!S*gH`trt&u#^<f%*^MASQL3*J3JiU
zS5Jk5Am1k(JIgy0b=T1s6`NQ~9`?Yp3C;G<{rjH-0@l&eI)7TXZmm~z)Y+3!_Zu4Q
z)sy!^ERcQ#^|PIzV5Z0g&<l|#jJ|xa6^lGQw0BtFUY_3N*Rx(-#SG17={D_s4Wxzo
zPW=|1=97}+uP#@6Lp7M5?i$MPA7e(xX;F}xI_v7%Iz7Ejic!J-(j}$QJ_CZw_}@-R
ze_Kb#MuljtvZA6G?SU_^`M8IDMZQ|}H&nkDaTY6>o${wSupVKFI(kPqcJJ<-9NK^C
z)F05jS5!vJhEC^JTyu@<a@e`E?9V?hRb+<=&E0NarpC!BdbxL@K4a!|qL!|Xj`!4z
zPt>;9m_FIlr;qaN<gw~yh22;^)1gT^S~JNoI4&;4zml3K8N9T!$F0>JUCk=#o>;Ne
zt9Siau0(amF{MXuulrO#4H}%{n;CaR0%TT6iH6-AHZKMSR?^(K#8YLDeX0jjPTZp3
z!aY_g$7A+oOJe)xH&A*&(He8ye(hg1pG`n|{wo4Om6OPG?ZDPXCtI8om2rs=g)&Zz
zF&RCJisF{YFB}_FLF(N0H6m=(V}1O{6Ib1~?bb12sm}eO(j5hL6oexbi|B)8UX*xc
ze}gTwlSP)hBKRb{AEHaY+zb&``QL6e(UyUs@7+5y<;12hN<%Ke#-=p=4a9V-Z(X6Z
zD}O8Icv;^4MAAabX5lB!_hzVL$#UVQr@zA1%N0BR{AqF7N1@t6(W@DUe*hwXVKDzY
z5asykCWmZ7#lhx-1j^5UAv*tGz`QKH^LtT1IRQ6NH@dv&Zvy5D26Wqhub%-K9ynvV
z`q|C1dTY5i#ovn8{n5tYM*qNpEVIck5|Q%rKK%C=BNyWvKR9GZtS><!>~1xIdJ;dW
zl>hZzl8754bboz0MFv8|<RtYy%SvzjYKs<u+lci7>(LrW=`3z1cuCDgI2m?~1HYqG
ze_?WfWiMo+v49Fd<F9Y>_r*gd34TY@e)XDUtp7Jq&T8@Mf4rf~ZZZJ4aTy_X^J2{`
zuA#DuT!35d`TNHZvG{8DZ?M{H^!`xBMhUf9Isr#pNvQqvZ@q!RLolaWT4C)b%F3T-
zrxvWwB3{T=KucEEd$<kQ)R0X&bpIc3DV{%H)HZ}#Tk)+e1RdR<q9I4(Pm++|^4$6d
zI{4f59EN)7)bM%cEg6uQkWB+~Z(qJVBqZbnpo#zb_wMrJnp^!ub{)4HeGC~((XpE9
z>bc1_AK|HX|BZc{1Khu9{(`w(4oLho&OxV5E}Jm{C{!yfJRGe!z`EY=-|6Y-z@Hw{
zJq3;4g$oxnH0YU_nV4|U6v9oVB@9;ph;Z^C0jF6TH8t9dL72(_4?cO~>GW-2fCRzZ
zu{KIED0>k+17;rOF54DQz5Wb{n{#sXAb3Kvj+DZfngGW5*jRn2S74^w<qpW<&W@u+
z&<qt8_F!&O#002vZa9YyL-J4M9}y9O(Id7Y2KxGT_VyFK)yD5#mO&gsEne8b&!mT>
zUC>z&YJQuiT19Ad(+SMhTUp6Okf$bts}9zPVY0BaeD?ggDe`gQO+pY3n-@GrL?8ku
zPrA#q0nGy5CTP*QUR(hn172+OCM;Z#;QE=P#6j^Zt)K|2R`5~dZV&Ky?!FKaP4_`y
z#$!^)Ecg)@wT1~&yvI+TKx}^>-v**=N-`>qpR2wU+ef3Kqy#t&sGsB}rL$+nC~QGW
zpE+|EzQMO9_3mO9m(sH^O=D`X<%CeU^H8g}T^yu^(Es|TOo2IGzkdDo{s#EpAX?Mc
z)qQO}pk-?x$JXn%Nocb5HdpGLfDxm{0J&jYO@3;Rgl1+s0SLQt<vU<Ld_>FnSzECJ
z2z#a+=Ih=VLm}1B*ofg%IE@}9+d=<^>Hx+1>FGXbEC-r0=(cY^O|b@fTHfCG8#XED
z!JvQ`De&j;p6wK{iMTKT*ieA6tf9dn=g-ZSPaB({=YvPZ#^xPRJ;ZJyXDjsK!z)*=
z0G{V{nw^BgNkv5khdw#HtU-W<1$ZS3LM$Qn&Cb?^gAtaqb1x<^6Gbc4QgX^|72!=(
zsU?9S`!A{_EgOOWST)}PBZ51yuBfON10pb?3JN+%BZ;1#YcgapbqN}TQDs~_%%o6+
zjn+d~5BWG`SJNhdmQhhdon8O^w%_4|IFVfu+L$%;HYtg%Htl~26rLTPT+NiT1Qcd9
zL4wykQ&j%uFSdz{Sp0<d9jqaP=)q{D80nz-`I!NLt3b>^IKZw1)J-bZ=P}e9CMGQI
zgEj(op7-z5Fu7}~YHNo-cwp0-vnF+b+5LOn8%}QSYxt^0FYms0T29XA^juM}9z9X7
zU$d#SbNmF{0D<@KOEu-?<h)Bs0njNfA%VvQNbF`Yh}`y=SuBbBrJ8^n!a2qMr}93U
z%3EtR*DX<OS=H+Z5k1IK<F*}chv^dFFa#rz*{xXN2Du)nfWG?V+b5$S7QqJxsePAh
zbXa1&&2)96V`9V?-fHORM0t4R2C$#|KEHX#4m&*Wu=<ci@U*lH$FD{_d4fC|CLW%k
zrYHF5OojDnGJUs(Cnge~KCORatb*J-S=o;mYJ%iCY>&WFS1$jZedp#02m21~j-q0~
zY38ERQuuL<ufB*{c$k9Fd6+X93XT&VQ~hl>&*U#bB0prCfDKQbItAnqR{%RIoLtg!
zAhUY|AoM}>oR5zjId=}Cigs|^m?Lu={@ce2FbTb)U;;vpcdgKcAaG`S+7tk)wze~r
zF4%&W-$3Mm#i(0uMO(po$)=`DmxTl1IX-{Bt|j}{s^wW&qjXS!Saz3V>=cH4;R}Jf
z_L80+w16nYiW?e=ia1~s#U_iV3FFyt!@#<yxUSTPICp9)<4D=Az8-CBI>rDFt)F!0
zmxYptC3L(&c2ke~35|=Krd9&veGeh<hkj3H^#|ri`C8;_fgebD_wFFWx{!vZtGmp`
z7{Q9>e@&h#8R`fbyF%Ld^T4skIT;}Yg|sCEGzbZcU2(Aj4<l%!PiskQz2XZ~ha|f5
z{Ezt`Zc>|?%-7B-6$8R}W)UXSy65dJ3)v@pUBr!#>^mG&q?>%8Nm+6pDJ$h=3%2UF
zwC!{*v@z(A3@LPWH+@!^DyllRspkE4o3qQmDn(Ee{YvNxEhz{QYxCx2s+zg7SQF}6
zD<*ao>#Mf?L`X-$EK65T6F4C(kf?^NgKlHH<D0Znu}rlxAqxivw`Llf4Z8&xgPi1U
z+rJwXEO<q}D#H6^6^$=|eA-ped9Pztm$N$|9aMJZLc|T#>x-<}ao7BF0&y!{F2DGm
z+&$>CH)8KE&apA;a#T&bD|K^8t<%nrzBOz2`~c-9ZiYA7yvOHt$47TtEICr$p5z;I
zX|7%(<o>E!e%4)!5{3U85>JouS6%Wus#74~()s>(A;4p;C9W?(dm~|=D;X$0QU!}K
z>JTtdU{8JW!SMJe$1c?>!^PUXTRM1bjY<d+%;Z`zqURS|*O4HPQBaW`9D@}PmWfFI
z{ar0@VRQs`eJ~ZSWGGG<A=)^BXJA$$i*cFsu<4+NfCC(swF>n&YGFiTPhTH-ln)F}
zK>N><Ctv9q8cxFEdlzARU@aD=Ye?N{XX+E#1)r6KhY34lct{r5oMp?F;dP*o4a|}G
zPu8zMfbw$|?!a-Y>umVG?<&g6i%=M0eh51|le>W9^btgCV4ucD3x){uDj=GUt^sWz
zBPVAj?5g+g=W7!zCR@Z%zp;DS&CjM_ItBKelA|p53TBNYCDG!}qws;t01vsXKojZ$
z=0n2v<0W{OF$Rr|8genPKViHUr<!gMMC_NAL%Aa|4lof1EGf>|G^5H`D1SLqF8(Vc
zCb3|M-OZg6)@kTyh1uC9vx0~7z<bdO*j$C>4}K!-JJ`#(GQL4^JTf&4dJt~+cWG(2
z5HXaKlRkWdV7TjVdm&?L_0k#o;Qsw%&{4w?glUm1JlH(JK?S6vF4%YAz+QJGdV>i3
zv<^B=P7aRtgeMms!jp(2v``F&)E-S?)SAzpm9+1KQx^H6jvXr$INvq>6fykPku=7`
z*6O@44_jJ%Lc$zIlDQ#<b4`_vKv>BbOL1Rc-)%21=3>|$kxD?pg!9>ty%u8rX86Qx
zjXAbMuP9W(aCq*HyE~3^`05&kp@YLZ?qHxu`%$DX0pY1-u)#y{O|}c+2dsZ$qS=KD
zA{3vhtM{|9A%wx~b*3JMBOFG>0MEh6-3pk&gsE!e4`ijBaK5^>_CZikGKvf6GFKUI
z5!0Kugiw?RY4tunh$}_Yi6M%vmg}(?p<IO$d7I}+c$daUM!=zkq_0>;pnc$UHAQ!$
z|7P;Ruds;fmwVJL(1fb)BMUU~g91G*ZH8<nNSs0%1SV!VAr->pl&=<^4qg;8a0lUx
zF{^zcio=;CK9RdkTNOu1T^$A)1~$dd1^b=Wn-7S3TveqAb`vg9)O0YGkgc?S57@mx
zWRl23LUD&+ZNSVklmco^H(sm*Zds+3cFvh}a)=Ll0fAl;>vaW-MVgB~Hku&9&iw~*
zH4Qrl$2HW+iHSHLdrOX^hywk{$jCTak4au7P*xxjTXS>t`RuWe0p#5`p=r<Hj`r=d
z*TZ=;9bSj^)wDq0f+p`Fls2{N7nL?g%CR_6HKK6cOLMy{lppv*$G30Amh$l~-$Es+
zmHe&Re9G^#n(Q@5e?2_pL;5qsqe8fg{5p#PGjF@&?X%r|VMPPQsjR3t`mKg*_ii1W
za++J1Tx61Y=nG~pTZeey?HxNO`Tij7AKY=WeO8NInk?fv#@od=F%`NSmq;i##L<$j
z=?ejv=Bbb#0^i<J$4qCfEufhqsA;n+d$NeE)h_!NF$4oI?unZzi_)rJ>WIHu&WM=e
z<gn43Z669h`!|(WbV%Q~_@yIqG0ksd4?E{7y|nMYUw9eZU2QPFGTQ07%<8D!OM;rO
z3lHql^DHSiJkaQCt@@`#C~Lhjx%Z7o`Ef!KBG!Q^l(h&i``d~0zfdFn4|F^gj>JS{
zmkhUi)_H#^j7)9ou4}8X%6es5E6nBDLyk*k=U%-eI*FO#9_Z)@3<`=X35Ib-fRT%p
zRbuK89%UN=Ep!!K*~oM27_xzSH@-nbQX}=i4>-c|EV>@<r$>(+gY%FJCI&oInnz=~
znNO@)=}K00@7NK4&0@p9NR}!-k*m0W9tSM$?Ok0c$Z!(z@$)0%WQ!P5O%;@swqlgo
zwrvs=w3wNRC`ERQ_h>L7dH_}34;wQU_UH$wh(~PF(N<2A-58yvA@z48DL|{6!$gjR
z-gj3cPc!?`O2U)l=~)Ol1r7vLV`FKYO^TQ~3H`Blx{W9W8e`g{mjfUmM;JSXW{M2J
z`FaWR6McPsoLs0Hv8fFoD=R4(9Ut$nep&+=^zJ=-*uDHxCi?mLFW>!pueziZV<>X?
z*E0sY1B$|}n>S<36pC}O{qW+SP(THH358`w3mj->P3i0wB`Dosqd!Z%m6Gy>e(4Uo
zi<pVX^a!KuocPUKb3kTD`jA^qu>y!lVUoq>g4hB0+Sm?nu`5L~z@NFT(A_|4{pb;M
zPb3s66inEO6P`Rl`fMY1J9NxNMcfAulBZ_EPEyb{LXN~4s6sRv9G%=e&M;6T4;n!q
z9%3yxm(U18Kgww~&}e?WivEX4DJcjoKCH>uZ(;a`2?{fR!zizzHx>#fUGF;&H3=dP
z%FD}PoH<4}JvoWZ?9I+W^rEn6qeEbJclYo>mm}T3no}2A7~Jva&!0CnHK9qAr<7Dx
z-R_frn1^TQA)S?tmy@mGkhvj3$;kK|YL<=;3=dI4(hV*Vk-T{0d5Fj%YeH{?&3)Jp
zUimFFG_m;AmKNB*ydY+0Cs}{2)aN5VnJynuu_FvEDBbGn)m`oaOUGeOj=L5@jsc=P
zYj=UH19~UFLqJu4WYBPFHRvDpiqbPZfGn78C`C~5uibr!hbK-OQPwB+(G=4sL`8l0
z_)&KFdVw#~=yL=G;WMC0(Q=*}L;q@<g^X>8!=;+=7tOY9ocJ`0d^O=&4Ngh&+^^xc
zki)|Q2jHN(T8Z27B+4&iV@@V_>`06WnVCX|4h;dZuxys3_=09jPp=)FFytN-On)_$
zt%ok1+C89eF$1y3cT56fF#|*ZjR$l`@Y?~5L03<~gc#y`$tg?TE*7(;)0_I_QzO;!
zM=SrqR>zzmhT{w^Mf^Zp8x{j5?j6v0CqkZ>2RRS~`)Q|{?Pe!mhKDx;3!z}btpUD*
z(R=Q`z(aT;nJP8>pKD!u4%Pc_^Zb9%Q(k>BoD%3MU9;*xu}`no5*`7zgu;2!fzL1>
zAch-W;B6Eu;U>n~a}a9&SGkHi#MeL7*Y3XLT7{W8iB<q#CIXS{Jjo|y;sAtDxN>+K
z5MYJG5IjB-!m17WCFAh3o|}n8tOOh{@Ney-q-b)SXvCq2P@n_nlMt>_iH)eVbU%!V
z0s;?Bztx+W;_wEP<?D-DNXV+U3VQ?kN)1udz^s^WuB-!_smLqYYR@xAt!wQcvfT`z
z&(Ty_mF7&kqooD=xtdx}ON%He6rmC*nlRTdPvg=19Vlc=o<M3_`m0Bhfv)78+9Y~H
z?j|+c3jN`ok#xqdOnnzJLnlUi&Ozmay4^Fk6@?YHUARr-1@tz2z(=@*^5%Qqir5o`
zT`OY>=$Fvn00SOIO0=6FooxoM6y96+p{{GKGUM^9UlCD-+!rM%MB#A5uGA6d<D&AO
z{4!)^GQrSWZ$H;6;fy8m471r8im9;Cy^nYbSxW~T!eufC<_Sj?A*YEw(Ji%j7>b-J
z{iS6tw8)OoK`kV6tNapK{z85|N=CWCyssDSmCtZWGg!0=zpZpkvYe91U#XFew(_4+
z;+_)Yo?(-?nOfP2dpP{FYF)5&^i@~jmBx*1<m)t)SO<6HSnhgn_wyuv`90;oL-+qu
zb1aEQ7j?lA>wYSft2IgD`4zmxuCu%{w<63{&vQK6tJzgRTKm;4=CFKJ#nqu})tt^!
zhF54U`?@akeB==b^6JmbN;|=A#$L%}$o4sK?bA1j7VRYU7PpuY`KTir=^E9Aa%(p1
zb33r0kxM53ey0w8wy^6KZ#mHWe{u`|!(Y(e!FY>6poy0}DXIunYjNXM$GO|Aa+itT
z%WLELdsiR*awhfQ%i|K|47Exsy%wS`In8#s`m>7fPi?t#hqQdT&}ND}S~?%6w!2>s
z8$2&B9%$xj84>`g9}^QO5GJ9i>3Hkr*znqq#SppM+@J-~w~po+)EbFT`9FNIts^Zk
zz)wD16fGGq-L%%ES3)cB`k$@A4sZBW?)Fp)cMJ*C&6;1eQSU6$wA$6u5@I9ZgG_%e
z&2xUWV8R&7q9a=dj&UNd_wAbbVy-<b=2F{M2=S<T^|8b+zjKn4Hr~IvE%B{wjg#@?
z5s4)3J9kb=9@t=F0?RIGaPUk*LaVoTC4;uN`rDk42R3wcJ~*`OJxcj~rc5WhKUoTs
zHf5y$p`9^(!pTWWzPuh2P0ZU1Y<sL$F87a?;Gx~oYi-yb9BiPugZ<$5P-`I=oThpz
z`Ar-7GL0(Z>?auUUl**J`yYLiAae9|Kj_OiANur^MgtEEixK`v2YuYZW4e6~^-|`{
zIPiA*o#7aSGRna3r<MAOdz-ypI|tvD=`yG~^!Cz+)9uT>v87L0M*N?b<+qWcPF~yj
zP3C;BKdW$l&a-;bLOX`~@bR6tcHo^K%zm<!({-R(_>!q<#V3=rmD!Ci<k`-@{qFoZ
zalx=Ocml-2^!S_k?r2-OV-9|ybK1_fC@(?;$@wEY)-e5tj_0hRqP|XRhI!k3OSan;
zlV;Rsp{J|3b@RHwp|4m$x&w^~QP=GNrox6hH%+(R_Shq_vA?Fw6rv+cLlX~Lc~5C8
zbWIOJd}hA7{TU{h4~5gki_Ow`_^SC?I$TG;_VENg4-ZntxUJ{O6RlbqdF!_yJjy*x
zDXvgdr6*P7fj2IJghnRa%~hG_=o%KQ0~RAejQWa-QWG88ySfovXM{g`j}o62$7!pp
zt<hu5)Z=`qN>80+SM}JVES%&^OG@9v;?B&vP?Z>t=6)x=@Vo_B^^6y#435qVFG@o;
zy(QJ^>Ui_=$sXh0!6FE}^bo_bxi|y46Fr+~&WA*9mpN`py;>?s-O3~>aZr4pV@gMR
z!}g<>BVP^~vc|Cs&tCOvlAiH7X&b^hb+5joc?XxE`?zjA9XRxR_io@1Q7w`ET;BAQ
z?c7lQnQ4hWw>Y-T)$t6UKWApxlcqXD2EgtFS(XL0(V4AmP8qpc|2D^Y&Un)~;>CA#
z7!x+z+nZ|L9J()K&|j|8tZ_P}WQ+{1c1^UrGtWkNHZRMi5s>dOvGY<Cw&TwtQ&ans
zo3~uE@IfB7zu&bM(B&ESA&h)U7YqG*;*W3X))!zj8*1&@=|K6?%6N9CbHf(T^N^lg
z@0<22Nc6%o&&xyfh=HF!52IkP?81sKK>n4q7bdEn2>IQ+WO_hT*y|}~&;N(yD2^mX
zU8AR<peA45dzVi5Ny1#m^jN!ekdxU+P|tV>Y4l)M$<Vj)%5v}YY*x&Cf1_8JoSTa&
z9Z6}p*&SRMVE6bjQfm#y`i$o=`kO7&{?oh;(iPI2=ZT{;1D?=DF$&H458v7&7+|-T
zp3h5{Wx6Q!V4bYf=9<q!AxC<mc`cga6XsahduCp|7(n~Ge`JqBXJ?Uf`}OAJn<XcF
zd1C9P$7+m&4$QT5bjY?dWA4#^XtLT##nDeQ>0iIvIR34MmCw$^a`gOOZc&Q1#;Z!z
z=TJjJ!@*Jm)AlwYZG*nL2}oob8&|vE{OIk;duoAg-<1Q4B`{Ku<V8izlReho@$^(n
zwjD8mZbQFp{zFa<vL(5?sS+YM?jHy>GBxEkzMmKtW@=}5jEVWs5KvO#@Wef|%2}O9
za+QMp{Q6s4x6>R`fr1HhQ*yn&I?l{bq$!J@sjD5$v>mCP9NGiWPC--C;NnGPEv;((
z_G9E*U0Pz7am`el=$fsK4d8%AfuwXjxT({8HbdYa0UAb;wH2pTYae!ZQ?HV<Nltch
zd_Yv=!hn0Tfyhma0p*yiH_&|QRCKrSo>Tj5dUo{^uXeN11R75C)EV+mi93v6xhYc4
zDIjoKLLy{-+jUk}{!2nzj2Na1`eMyC5N{1uByO>yq)w{K$*IrDQP*~EPq)=}8vWFO
zG;hgv=9AjmiLYMmJvKhsm?j=_%p+X5c|6Yq+ZeZa$d^XIn&gokVO3HFBe}QpI`tz<
z%!2>YEhQ%;=ooZmjv5!f-V33aXD)*i2Yr>cuI>od=%{wNv^3|Q-Q(VL6HRWb4X72x
z!-X)w4slOkzp{IJ8nDW2Hy<^$3z0s*c#FZyV1(Enwf^oUfs?YlKL!R24H>kyI#pFv
z*v(mWL8cfpKXkvKVK(MgA;qd&+8P=|-_^3Akdq^F-?toWz3U}qWH?#h)D*6zb#7!I
zd(ZdQT$6>+TbIL+icv5v&suPT9(9<7bY!H_dM8@J{_qYyZk~YHur;^5brd|Whd;mj
z)?Yhk>(-;!uiqz2<<n0MOvmi>Oxoz!e!Y^sbZvT6Jo#$hn&hgRWq^5mt&@9<E~JT5
z<>qL2q<H&EByp6xt*#kpu$}yt82#+oN|4qH^5xER=P#4*sYi>cP3^(tMU|b@OuPS-
zp9l1m;u3KJ4iD;_9Dk~#7UopK;^X6RT!JPhx{cU0ZstDNmcNs0)vAQ&kKc(j=OR~1
zgCw+XZ>OrHq(@17g!7u<3AxSg?lKH~M+WhWU+T`Ur|aA+_^PDTQ*n;%IRMP3x3^i4
z;YR5miLICX?m(G&jBi?1zjG7v<=uUeNu6<IMG<{$FZ=OXjEiIBz2?+YF~(!Yc=*sE
z<@wfxMCW@CY!EAwFlxP?Nw4O4dqKg8+uP)7Dq1&-A#5&;F`V-3xe*e{@tMr>efvux
z{u-&MW<K%6;6r4zs$x{*qvGhk_H8diLoXQ_#lQf7p$t56s40j$J^Of6=JzDeWFFOH
zbWKm(@<!+4#ia>$Frl^&wuqvF;WgLcyk{XR{qL%>b?aXDPhQib&z6%iG@c-TJ1W}Z
zrgfHITe9=T#V^&rWpRLpbz!#b+W!5tFITO+vmfc=nSu(;m*HLU3~#=L-zcEdPzlnO
zm)Fo<h~oDlC?e52DIp;jbCIBADo#-MfTN|}e!!9c>IGr)GZr7^ydc!yzan!|r~ZS-
zG7~3eGYd)F=?dau$N!LXB{zDw>y`YQpv(LZKE+v%=&yrQ4xyKdJ8SFJ9ml`WRNR|{
z&`nMC!5JdA@-UrQWTXXb)Xr1GJ3oKUfD#F@IgM4!GN(_&HX~tH;jt}Ek8O;6K2As_
zMW+gocjB2DA7m*uzu`=Yi8;#Jm4~r(8`h7uJ2Jm*)|m2X=%4xQYfJHcI;Xq3xO=b#
z`5&ZH5^<EgU6@~Ij1kFPY;4C4mIFfggei6h%l9;nbQB!#G*Df))^4WY-U9H@+-%*Z
zuUW5s7|&pAqp(STp7aCan3S9kpH=TR>EbnEVIz(X0(*AfFQnsT*6T$$def^II)mC}
zfuAbdv@_|yeZ4@nV_Nvc&5}@_f#NX1yH3+a);^5qrIf`_7gW7^6~AiT-ek1{W)?lu
z3i2^fO(rEZLUadlaIEZ{-qf%ybYuS3)P9Gy?GNtk>B0Qk+)|TMr}DJXxuJsEY7lWE
zH<8<G6Qbvg2b!E&_J+;%#L0BD`FP8&SsTopk<-*vRAb#f-sg#|c=(VoPlTCr5~EZD
zoi_Se_T(O*l@g@d$dH?{rSI_pAM&n%LFGn9X`6P=OYR!9ooIaX>67uTjaGpZ_iCLi
zI)tyK4XB^!WO~t0rQ0oEV@BFAH#?HBYE>?`8>)l~tPmj~X_Uj_Cv)h9Gjj_HTu^E3
zX@lj0s`rszQ$dQNrS+W#M?YI>G&Ee=n^LLiq&=$Zs(6Q+8way0B-s?!kQ)@D+?vwG
z2IbOl%0-nL(2VS7v%FDInl>xv6Bk4zIXJf}f6L^Pn7{O4_3h~k_MWY+9UMoe0xl@f
z9t=FRH|?So+vW?a0@l9vb(XhaQ?T`=-Nm+o<>10%=SLu%`zK}hzwdWahZdrwJNNfx
zX5EmM=O_`I7cGrE*&(X$60tsYxla^ZtS-5;B3$?*Y;l+nq15A_md~Gk;?Gv^AHN`u
zbq(GLydEgmv@7sH78l>9#6+n4wjrdmWm}%)`0+m|m`;M{Dh)mgN(u<{*~Urd#Thn)
z+hBPTv`Jw-Y>FEerCu(!utj~rEUGzjm@fh%VzhS(J2^mU6FT)|*nTm88cD&~K;)2n
z*HIJ*ddSZNPN<7!W{6azrl)TxFBjpu<K+bsp{lZyj$5yQOm%Pt@DxBhfaC|zUvL!y
zlNAwuD8DFz0<P3;#k^^M0o^U9E4qM#WMyTMJOe8m8Ka#Bzv9#tYK@q12rS66RCBXn
zDyyuoS6_^sNJ~$DsKqw-D2FUxfglOkGh_?EjNteB^sNEnfbX?0@p8BpgoU}?zP*l|
zap{`hX7c4#ZcYyK!GrQmotA^Zm!Mifx(DoY#bsqX5pE5;BbYM0`?Fn7EA$wR%*`>f
z<u&GcKq(|VKiLM@_|n8_vOeyh3GPH??3rjb45|(x5{-<Fg`MXgMm+`?JQ(dG)LSAK
z*t||$VGneW5HH}$^z}QDH7PVdi2xG#!YG)KIY-83mcpZP4eVYBKtpbbjI^{pkYtdH
zxB-X}Y~N5(TWe@$wsXstvsms3vNSY24%LoV)FMI)m*Jy54M|2+85-sXp<V(I4ay1M
zsoL8swBib=77;HLeB4|I#24(4`1XM9QLlb|A<LDVtAnWZvaU*g2ng64-yk3r*W!o~
zWdKu=IYCYWi4wof<^{C47r%{s5Mb%!1I^$J7V3->6{y80D)FAUj*o?f_mX)T(jll&
zQmRIf7GxYC7|BU`;IS@d-~1FOqNU7&n+nwkKy!#iATEK0uDiYcWSlrrFlx~h)Tx<n
z^9gyuZ{A=wUotpEB&?E$=!q+kZI5Tp^pWptF;FcaW)Q}i*>%9S$-ofW*{PozEhQ-#
z85DlpoNNn(%IZf(lttG@aRpp9#7Jg<WqArPi7tjN4bh5h{WrI+wgB>MHwB>SCUU|O
z6QiTgsi{eF$;rwJS$6xTi#p8?N%UNRM4~E|4pHKh{b>X4VoVty5Y~iD7g2>OK$|jW
z&X8FFu7&PspGRpe5aL%BcbLeocJ6QBwVOg-U3XYu)MJFMUxzOe;<b|aQON+?M-txj
z7z&6-I(i#2LY`ywf;uVszPW5s#5qEi?@+HD86E~%r~*I@0PmeUcfg_}c+Q)SM^;^Z
zCeS&4R*M`=2jO{|wVB-|FEE^+AWMTelIi3yAsg=vNd}<Wx!GA{DB}n5Qb^xKsw8AQ
z_K1olx`9tNz|#(m;^;6KgwC!m&eMOUn|EJ8#J@Bb&%uL~Ydze3;n;=NNKI9>ytu1`
zc!I*y%gc|q0IT7V8?BJTB>5i`(AmKzN<&81L-5*t%}z5W;P>5q)6)eoe-00+-5Z`J
zn>|ROe5C|8Dz%v`WLwc>F_x6p$dto0`$nQ#p!b>1dyqUXTsJrGfzp}z1uh)QB!nmi
z^>1Fppbq+!b@{+yGTc!NwKNRQrY0sBK98K5k)feT`^1m4iiH^f(Ggpz{qCx$oj>$3
zRW&tKV$6a>%<P*}*47s0=bwS%2x+_Ed7E(uAjV4<h2Rc00X^&s8|ScJNG5)P%fL2r
z*Y?6rcck`opD;cg;3`_jN-Fik;)MucqOab1xV;eBn{(hq<iZ3bcczUhl&9VI)l+Zk
zJi>Q_ds8^&?!!;9iYq?7ZI*(q(vFEi6?!#p`y4a!j_h*&!Ey6eD8!&mN(UaCkzsM|
z8gd2O1_qj^!Z}icYP9SV;8d5BOT^QFogbnp_1F4$A59_nnQ^Wa6cx5GWU!EsTMR7S
z!NK9JX`|ghlOVD*kr86+2L1$cKzMPz8Qa04jIK+iLT(uC+}nr<7pKVM561skzg-?y
z<8$XukRX66MjT%I25!Uh2#7@mo#)ff9NYrE!M5AEWOp;vKKNGq5Sp4wq6a{W9Uf71
zJ=JiP$Pu#&>NRM&Ur$%;K{jj(1_d(T#hO9Jad$I`bT$o6AVg}s$A_76$P5hJItL)#
zFTagEzHvmjk>tDpSX(O<vy(AWfz;pE=ZHrhC^A$SV4*^%yNpz@$77j7BZga#-uiyj
zV@&VD(~tN?&@H<8-a}Kf*bi*okgg;rR|b|GUu_qZwtme~RJU`n<08ok0<ycFo|vx|
z9mKiu)HOr&!nDV)?h^c19(kf?h)XjSvA2+Za+>*KQ$em1)Gp1~&jwqvAtW;iqmz}9
z!7-P1twRd@6*6D2Xu2~fJfM-d_4VroI|eLs<UaO>cin{Mp!;#VNz>j*IFy~S6OMkv
zk%hrtpN3y?IBvPb_~bP6HFI+!mM5Mci0~?K6IQLGVM~!%#8@K^AgM~fEbI&^?5Od5
zH@6c(vz8y+*C2#XQNI*w1{W6s&JEC87{<DwOw*`fQkT^8rbY{d4SWSD?GxExZ$NmK
zb&cR}vg`Q*RxzeH96@Rl48quzJ#OBV>hzwR>I!dcXu#M|R@jm3Crk^kt;$LoxCs>u
zP9mfUVlxLbgd;rS_=680K0p_M$<FpRHaHz)&+uSy{gxd&a7J9da)lmgiM>_q$hx$f
zzY7WpJIe5s1HKFlj=(p0t}pc>V5-WHqT;1Z5bpo*BSwCRwuXYR3m_iANg++{iGt{W
zO!LL`cTF7}(CqB&SV}UhD-MCELwG>&!Hdi1#<5Ot?np{Y>mG}j{Qxg6ej=zN<-4It
zhTj=GDpCMVq1c00U7zpq#}5yeu<ZbRZ8+O7z*Ps@2JA1GmVgkOLzSXdG(T&zv4v&Y
X;<p<jW1K0;FDof7d-A#11=s%r)biT%

literal 0
HcmV?d00001

diff --git a/odl-aaa-moon/aaa-authn-api/src/main/docs/resource_access_sequence.wsd b/odl-aaa-moon/aaa-authn-api/src/main/docs/resource_access_sequence.wsd
new file mode 100644
index 00000000..3a1c1474
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/docs/resource_access_sequence.wsd
@@ -0,0 +1,25 @@
+title Resource Access Sequence with Access Token
+
+ This walks through a listing request of a secured resource (MD-SAL topology) 
+ from a client to the ODL controller using an access token (either one generated
+ by the ODL token endpoint, or a token from a third-party IdP) and shows how the
+ authentication context get set upon successful token validation.  If token 
+ validation fails, the TokenAuthFilter will return a 401, and the REST layer 
+ will be oblivious to the failed request.
+
+Client -> ServletContainer: list topologies
+note right of Client
+(Authorization = access token)
+end note
+ServletContainer -> TokenAuthFilter: access token
+loop foreach TokenAuth
+    TokenAuthFilter -> TokenAuth: validate(token)
+    TokenAuth -> TokenAuth: validateToken
+end
+TokenAuth -> TokenAuthFilter: Authentication
+note left of TokenAuth
+(user/domain/roles/expiration)
+end note
+TokenAuthFilter -> AuthenticationService: set(Authentication)
+TokenAuthFilter -> RestConf: list topologies
+RestConf -> AuthenticationService: get: Authentication
\ No newline at end of file
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_01.diag b/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_01.diag
new file mode 100644
index 00000000..28317393
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_01.diag
@@ -0,0 +1,6 @@
+blockdiag {
+   User <-> AAA;
+   User [numbered = 1, shape = actor]
+   AAA [numbered = 2, label = "App Server\nAAA"]
+}
+
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_01.svg b/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_01.svg
new file mode 100644
index 00000000..4056b10a
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_01.svg
@@ -0,0 +1,32 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.0//EN" "http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd">
+<svg viewBox="0 0 448 120" xmlns="http://www.w3.org/2000/svg" xmlns:inkspace="http://www.inkscape.org/namespaces/inkscape" xmlns:xlink="http://www.w3.org/1999/xlink">
+  <defs id="defs_block">
+    <filter height="1.504" id="filter_blur" inkspace:collect="always" width="1.1575" x="-0.07875" y="-0.252">
+      <feGaussianBlur id="feGaussianBlur3780" inkspace:collect="always" stdDeviation="4.2" />
+    </filter>
+  </defs>
+  <title>blockdiag</title>
+  <desc>blockdiag {
+   User &lt;-&gt; AAA;
+   User [numbered = 1, shape = actor]
+   AAA [numbered = 2, label = "App Server\nAAA"]
+}
+
+</desc>
+  <polygon fill="rgb(0,0,0)" points="134,56 134,61 151,61 151,66 134,66 134,71 148,86 141,86 131,76 121,86 114,86 128,71 128,66 111,66 111,61 128,61 128,56" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" />
+  <ellipse cx="131" cy="51" fill="rgb(0,0,0)" rx="7" ry="7" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" />
+  <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="259" y="46" />
+  <polygon fill="rgb(255,255,255)" points="131,50 131,55 148,55 148,60 131,60 131,65 145,80 138,80 128,70 118,80 111,80 125,65 125,60 108,60 108,55 125,55 125,50" stroke="rgb(0,0,0)" />
+  <ellipse cx="128" cy="45" fill="rgb(255,255,255)" rx="7" ry="7" stroke="rgb(0,0,0)" />
+  <ellipse cx="64" cy="40" fill="pink" rx="12" ry="12" stroke="rgb(0,0,0)" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="61" y="44">1</text>
+  <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="256" y="40" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="293" y="60">App Server</text>
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="310" y="70">AAA</text>
+  <ellipse cx="256" cy="40" fill="pink" rx="12" ry="12" stroke="rgb(0,0,0)" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="253" y="44">2</text>
+  <path d="M 156 60 L 248 60" fill="none" stroke="rgb(0,0,0)" />
+  <polygon fill="rgb(0,0,0)" points="149,60 156,56 156,64 149,60" stroke="rgb(0,0,0)" />
+  <polygon fill="rgb(0,0,0)" points="255,60 248,56 248,64 255,60" stroke="rgb(0,0,0)" />
+</svg>
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_02.diag b/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_02.diag
new file mode 100644
index 00000000..2076dd16
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_02.diag
@@ -0,0 +1,18 @@
+blockdiag {
+   span_width = 30
+   User <-> Apache;
+   Proxy <-> AAA;
+   group {
+   Apache <-> Proxy;
+   group {
+       orientation = portrait
+       Apache <-> SSSD;
+   }
+   }
+   User [numbered = 1, shape = actor, width = 60]
+   Apache [numbered = 2, label = "Apache\nAuthenticates user"]
+   SSSD [numbered = 3, label = "SSSD\nProvides user info"]
+   Proxy [numbered = 4, label = "Proxy Transport\nRequest + Metadata"]
+   AAA [numbered = 5, label = "App Server\nAAA"]
+}
+
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_02.svg b/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_02.svg
new file mode 100644
index 00000000..42196b60
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_02.svg
@@ -0,0 +1,79 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.0//EN" "http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd">
+<svg viewBox="0 0 594 200" xmlns="http://www.w3.org/2000/svg" xmlns:inkspace="http://www.inkscape.org/namespaces/inkscape" xmlns:xlink="http://www.w3.org/1999/xlink">
+  <defs id="defs_block">
+    <filter height="1.504" id="filter_blur" inkspace:collect="always" width="1.1575" x="-0.07875" y="-0.252">
+      <feGaussianBlur id="feGaussianBlur3780" inkspace:collect="always" stdDeviation="4.2" />
+    </filter>
+  </defs>
+  <title>blockdiag</title>
+  <desc>blockdiag {
+   span_width = 30
+   User &lt;-&gt; Apache;
+   Proxy &lt;-&gt; AAA;
+   group {
+   Apache &lt;-&gt; Proxy;
+   group {
+       orientation = portrait
+       Apache &lt;-&gt; SSSD;
+   }
+   }
+   User [numbered = 1, shape = actor, width = 60]
+   Apache [numbered = 2, label = "Apache\nAuthenticates user"]
+   SSSD [numbered = 3, label = "SSSD\nProvides user info"]
+   Proxy [numbered = 4, label = "Proxy Transport\nRequest + Metadata"]
+   AAA [numbered = 5, label = "App Server\nAAA"]
+}
+
+</desc>
+  <rect fill="rgb(243,152,0)" height="140" style="filter:url(#filter_blur)" width="292" x="117" y="30" />
+  <rect fill="rgb(243,152,0)" height="140" style="filter:url(#filter_blur)" width="134" x="117" y="30" />
+  <polygon fill="rgb(0,0,0)" points="66,56 66,61 83,61 83,66 66,66 66,71 80,86 73,86 63,76 53,86 46,86 60,71 60,66 43,66 43,61 60,61 60,56" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" />
+  <ellipse cx="63" cy="51" fill="rgb(0,0,0)" rx="7" ry="7" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" />
+  <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="123" y="46" />
+  <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="123" y="126" />
+  <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="281" y="46" />
+  <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="439" y="46" />
+  <polygon fill="rgb(255,255,255)" points="63,50 63,55 80,55 80,60 63,60 63,65 77,80 70,80 60,70 50,80 43,80 57,65 57,60 40,60 40,55 57,55 57,50" stroke="rgb(0,0,0)" />
+  <ellipse cx="60" cy="45" fill="rgb(255,255,255)" rx="7" ry="7" stroke="rgb(0,0,0)" />
+  <ellipse cx="30" cy="40" fill="pink" rx="12" ry="12" stroke="rgb(0,0,0)" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="27" y="44">1</text>
+  <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="120" y="40" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="166" y="60">Apache</text>
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="133" y="70">Authenticates user</text>
+  <ellipse cx="120" cy="40" fill="pink" rx="12" ry="12" stroke="rgb(0,0,0)" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="117" y="44">2</text>
+  <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="120" y="120" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="170" y="139">SSSD</text>
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="138" y="149">Provides user info</text>
+  <ellipse cx="120" cy="120" fill="pink" rx="12" ry="12" stroke="rgb(0,0,0)" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="117" y="124">3</text>
+  <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="278" y="40" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="300" y="59">Proxy Transport</text>
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="289" y="71">Request + Metadata</text>
+  <ellipse cx="278" cy="40" fill="pink" rx="12" ry="12" stroke="rgb(0,0,0)" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="275" y="44">4</text>
+  <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="436" y="40" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="473" y="60">App Server</text>
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="490" y="70">AAA</text>
+  <ellipse cx="436" cy="40" fill="pink" rx="12" ry="12" stroke="rgb(0,0,0)" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="433" y="44">5</text>
+  <path d="M 88 60 L 112 60" fill="none" stroke="rgb(0,0,0)" />
+  <polygon fill="rgb(0,0,0)" points="81,60 88,56 88,64 81,60" stroke="rgb(0,0,0)" />
+  <polygon fill="rgb(0,0,0)" points="119,60 112,56 112,64 119,60" stroke="rgb(0,0,0)" />
+  <path d="M 414 60 L 428 60" fill="none" stroke="rgb(0,0,0)" />
+  <polygon fill="rgb(0,0,0)" points="407,60 414,56 414,64 407,60" stroke="rgb(0,0,0)" />
+  <polygon fill="rgb(0,0,0)" points="435,60 428,56 428,64 435,60" stroke="rgb(0,0,0)" />
+  <path d="M 184 88 L 184 112" fill="none" stroke="rgb(0,0,0)" />
+  <polygon fill="rgb(0,0,0)" points="184,81 180,88 188,88 184,81" stroke="rgb(0,0,0)" />
+  <polygon fill="rgb(0,0,0)" points="184,119 180,112 188,112 184,119" stroke="rgb(0,0,0)" />
+  <path d="M 256 60 L 270 60" fill="none" stroke="rgb(0,0,0)" />
+  <polygon fill="rgb(0,0,0)" points="249,60 256,56 256,64 249,60" stroke="rgb(0,0,0)" />
+  <polygon fill="rgb(0,0,0)" points="277,60 270,56 270,64 277,60" stroke="rgb(0,0,0)" />
+  <path d="M 184 88 L 184 112" fill="none" stroke="rgb(0,0,0)" />
+  <polygon fill="rgb(0,0,0)" points="184,81 180,88 188,88 184,81" stroke="rgb(0,0,0)" />
+  <polygon fill="rgb(0,0,0)" points="184,119 180,112 188,112 184,119" stroke="rgb(0,0,0)" />
+  <path d="M 256 60 L 270 60" fill="none" stroke="rgb(0,0,0)" />
+  <polygon fill="rgb(0,0,0)" points="249,60 256,56 256,64 249,60" stroke="rgb(0,0,0)" />
+  <polygon fill="rgb(0,0,0)" points="277,60 270,56 270,64 277,60" stroke="rgb(0,0,0)" />
+</svg>
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_03.diag b/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_03.diag
new file mode 100644
index 00000000..6ece3760
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_03.diag
@@ -0,0 +1,31 @@
+seqdiag {
+    // Set edge properties
+    //edge_length = 300;  // default value is 192
+    //span_height = 80;  // default value is 40
+
+    // Set fontsize.
+    //default_fontsize = 12;  // default value is 11
+
+    // Numbering edges automaticaly
+     autonumber = False;
+
+    // Change note color
+    default_note_color = lightblue;
+
+    Client -> Apache [label = "Request"];
+    === Apache mod_auth_kerb ===
+    Client <- Apache [label = "401 Unauthorized"];
+    Client -> Apache [label = "Authorization: Credentials"];
+    Apache -> Apache [label = "Set\nUser Name\nAuth Type"];
+    === Apache mod_lookup_identity ===
+    Apache -> SSSD [label = "Get User Info"];
+    SSSD --> IdP [label = "Get User Info", leftnote = "Only if\nnot cached\nby SSSD"];
+    SSSD <-- IdP [label = "Return User Info"];
+    Apache <- SSSD [label = "Return User Info"];
+    Apache -> Apache [label = "Set User specific\nenvironment\nvariables"];
+    === Apache mod_proxy ===
+    Apache -> Container [label = "Proxy With User's Metadata"];    
+    Apache <- Container [label = "Response"];    
+    Client <- Apache [label = "Response"];    
+    
+}
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_03.svg b/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_03.svg
new file mode 100644
index 00000000..91e8b1be
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_03.svg
@@ -0,0 +1,143 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.0//EN" "http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd">
+<svg viewBox="0 0 1024 1227" xmlns="http://www.w3.org/2000/svg" xmlns:inkspace="http://www.inkscape.org/namespaces/inkscape" xmlns:xlink="http://www.w3.org/1999/xlink">
+  <defs id="defs_block">
+    <filter height="1.504" id="filter_blur" inkspace:collect="always" width="1.1575" x="-0.07875" y="-0.252">
+      <feGaussianBlur id="feGaussianBlur3780" inkspace:collect="always" stdDeviation="4.2" />
+    </filter>
+  </defs>
+  <title>blockdiag</title>
+  <desc>seqdiag {
+    // Set edge properties
+    //edge_length = 300;  // default value is 192
+    //span_height = 80;  // default value is 40
+
+    // Set fontsize.
+    //default_fontsize = 12;  // default value is 11
+
+    // Numbering edges automaticaly
+     autonumber = False;
+
+    // Change note color
+    default_note_color = lightblue;
+
+    Client -&gt; Apache [label = "Request"];
+    === Apache mod_auth_kerb ===
+    Client &lt;- Apache [label = "401 Unauthorized"];
+    Client -&gt; Apache [label = "Authorization: Credentials"];
+    Apache -&gt; Apache [label = "Set\nUser Name\nAuth Type"];
+    === Apache mod_lookup_identity ===
+    Apache -&gt; SSSD [label = "Get User Info"];
+    SSSD --&gt; IdP [label = "Get User Info", leftnote = "Only if\nnot cached\nby SSSD"];
+    SSSD &lt;-- IdP [label = "Return User Info"];
+    Apache &lt;- SSSD [label = "Return User Info"];
+    Apache -&gt; Apache [label = "Set User specific\nenvironment\nvariables"];
+    === Apache mod_proxy ===
+    Apache -&gt; Container [label = "Proxy With User's Metadata"];    
+    Apache &lt;- Container [label = "Response"];    
+    Client &lt;- Apache [label = "Response"];    
+    
+}
+</desc>
+  <rect fill="rgb(0,0,0)" height="1065" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="8" x="127" y="140" />
+  <rect fill="rgb(0,0,0)" height="142" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="8" x="319" y="140" />
+  <rect fill="rgb(0,0,0)" height="815" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="8" x="319" y="344" />
+  <rect fill="rgb(0,0,0)" height="200" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="8" x="511" y="586" />
+  <rect fill="rgb(0,0,0)" height="70" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="8" x="703" y="654" />
+  <rect fill="rgb(0,0,0)" height="64" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="8" x="895" y="1031" />
+  <polygon fill="rgb(0,0,0)" points="420,636 491,636 499,644 499,672 420,672 420,636" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" />
+  <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="67" y="46" />
+  <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="259" y="46" />
+  <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="451" y="46" />
+  <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="643" y="46" />
+  <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="835" y="46" />
+  <path d="M 128 80 L 128 1215" fill="none" stroke="rgb(0,0,0)" stroke-dasharray="8 4" />
+  <rect fill="moccasin" height="1065" stroke="rgb(0,0,0)" width="8" x="124" y="134" />
+  <path d="M 320 80 L 320 1215" fill="none" stroke="rgb(0,0,0)" stroke-dasharray="8 4" />
+  <rect fill="moccasin" height="142" stroke="rgb(0,0,0)" width="8" x="316" y="134" />
+  <rect fill="moccasin" height="815" stroke="rgb(0,0,0)" width="8" x="316" y="338" />
+  <path d="M 512 80 L 512 1215" fill="none" stroke="rgb(0,0,0)" stroke-dasharray="8 4" />
+  <rect fill="moccasin" height="200" stroke="rgb(0,0,0)" width="8" x="508" y="580" />
+  <path d="M 704 80 L 704 1215" fill="none" stroke="rgb(0,0,0)" stroke-dasharray="8 4" />
+  <rect fill="moccasin" height="70" stroke="rgb(0,0,0)" width="8" x="700" y="648" />
+  <path d="M 896 80 L 896 1215" fill="none" stroke="rgb(0,0,0)" stroke-dasharray="8 4" />
+  <rect fill="moccasin" height="64" stroke="rgb(0,0,0)" width="8" x="892" y="1025" />
+  <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="64" y="40" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="113" y="64">Client</text>
+  <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="256" y="40" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="302" y="65">Apache</text>
+  <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="448" y="40" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="498" y="64">SSSD</text>
+  <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="640" y="40" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="697" y="64">IdP</text>
+  <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="832" y="40" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="871" y="64">Container</text>
+  <path d="M 136 134 L 312 134" fill="none" stroke="rgb(0,0,0)" />
+  <polygon fill="rgb(0,0,0)" points="304,130 312,134 304,138" stroke="rgb(0,0,0)" />
+  <path d="M 136 276 L 312 276" fill="none" stroke="rgb(0,0,0)" />
+  <polygon fill="rgb(0,0,0)" points="144,272 136,276 144,280" stroke="rgb(0,0,0)" />
+  <path d="M 136 338 L 312 338" fill="none" stroke="rgb(0,0,0)" />
+  <polygon fill="rgb(0,0,0)" points="304,334 312,338 304,342" stroke="rgb(0,0,0)" />
+  <path d="M 328 422 L 416 422" fill="none" stroke="rgb(0,0,0)" />
+  <path d="M 416 422 L 416 438" fill="none" stroke="rgb(0,0,0)" />
+  <path d="M 416 438 L 328 438" fill="none" stroke="rgb(0,0,0)" />
+  <polygon fill="rgb(0,0,0)" points="336,434 328,438 336,442" stroke="rgb(0,0,0)" />
+  <path d="M 328 580 L 504 580" fill="none" stroke="rgb(0,0,0)" />
+  <polygon fill="rgb(0,0,0)" points="496,576 504,580 496,584" stroke="rgb(0,0,0)" />
+  <path d="M 520 648 L 696 648" fill="none" stroke="rgb(0,0,0)" stroke-dasharray="4" />
+  <polygon fill="rgb(0,0,0)" points="688,644 696,648 688,652" stroke="rgb(0,0,0)" />
+  <polygon fill="rgb(173,216,230)" points="417,630 488,630 496,638 496,666 417,666 417,630" stroke="rgb(0,0,0)" />
+  <path d="M 488 630 L 488 638" fill="none" stroke="rgb(0,0,0)" />
+  <path d="M 488 638 L 496 638" fill="none" stroke="rgb(0,0,0)" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="425" y="642">Only if</text>
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="425" y="652">not cached</text>
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="425" y="664">by SSSD</text>
+  <path d="M 520 718 L 696 718" fill="none" stroke="rgb(0,0,0)" stroke-dasharray="4" />
+  <polygon fill="rgb(0,0,0)" points="528,714 520,718 528,722" stroke="rgb(0,0,0)" />
+  <path d="M 328 780 L 504 780" fill="none" stroke="rgb(0,0,0)" />
+  <polygon fill="rgb(0,0,0)" points="336,776 328,780 336,784" stroke="rgb(0,0,0)" />
+  <path d="M 328 864 L 416 864" fill="none" stroke="rgb(0,0,0)" />
+  <path d="M 416 864 L 416 880" fill="none" stroke="rgb(0,0,0)" />
+  <path d="M 416 880 L 328 880" fill="none" stroke="rgb(0,0,0)" />
+  <polygon fill="rgb(0,0,0)" points="336,876 328,880 336,884" stroke="rgb(0,0,0)" />
+  <path d="M 328 1025 L 888 1025" fill="none" stroke="rgb(0,0,0)" />
+  <polygon fill="rgb(0,0,0)" points="880,1021 888,1025 880,1029" stroke="rgb(0,0,0)" />
+  <path d="M 328 1089 L 888 1089" fill="none" stroke="rgb(0,0,0)" />
+  <polygon fill="rgb(0,0,0)" points="336,1085 328,1089 336,1093" stroke="rgb(0,0,0)" />
+  <path d="M 136 1153 L 312 1153" fill="none" stroke="rgb(0,0,0)" />
+  <polygon fill="rgb(0,0,0)" points="144,1149 136,1153 144,1157" stroke="rgb(0,0,0)" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="140" y="132">Request</text>
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="217" y="274">401 Unauthorized</text>
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="140" y="336">Authorization: Credentials</text>
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="328" y="398">Set</text>
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="328" y="408">User Name</text>
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="328" y="420">Auth Type</text>
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="332" y="578">Get User Info</text>
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="524" y="646">Get User Info</text>
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="608" y="716">Return User Info</text>
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="416" y="778">Return User Info</text>
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="328" y="842">Set User specific</text>
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="328" y="852">environment</text>
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="328" y="862">variables</text>
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="332" y="1023">Proxy With User's Metadata</text>
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="841" y="1087">Response</text>
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="265" y="1151">Response</text>
+  <path d="M 40 202 L 442 202" fill="none" stroke="rgb(0,0,0)" />
+  <path d="M 40 206 L 442 206" fill="none" stroke="rgb(0,0,0)" />
+  <path d="M 581 202 L 984 202" fill="none" stroke="rgb(0,0,0)" />
+  <path d="M 581 206 L 984 206" fill="none" stroke="rgb(0,0,0)" />
+  <rect fill="rgb(208,208,208)" height="18" stroke="rgb(0,0,0)" width="139" x="442" y="195" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="452" y="209">Apache mod_auth_kerb</text>
+  <path d="M 40 506 L 429 506" fill="none" stroke="rgb(0,0,0)" />
+  <path d="M 40 510 L 429 510" fill="none" stroke="rgb(0,0,0)" />
+  <path d="M 594 506 L 984 506" fill="none" stroke="rgb(0,0,0)" />
+  <path d="M 594 510 L 984 510" fill="none" stroke="rgb(0,0,0)" />
+  <rect fill="rgb(208,208,208)" height="18" stroke="rgb(0,0,0)" width="165" x="429" y="499" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="439" y="513">Apache mod_lookup_identity</text>
+  <path d="M 40 948 L 455 948" fill="none" stroke="rgb(0,0,0)" />
+  <path d="M 40 952 L 455 952" fill="none" stroke="rgb(0,0,0)" />
+  <path d="M 568 948 L 984 948" fill="none" stroke="rgb(0,0,0)" />
+  <path d="M 568 952 L 984 952" fill="none" stroke="rgb(0,0,0)" />
+  <rect fill="rgb(208,208,208)" height="18" stroke="rgb(0,0,0)" width="113" x="455" y="941" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="465" y="955">Apache mod_proxy</text>
+</svg>
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_04.diag b/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_04.diag
new file mode 100644
index 00000000..8f69a0b8
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_04.diag
@@ -0,0 +1,25 @@
+blockdiag {
+    Connector -> SssdFilter;
+    SssdFilter -> ClaimAuthFilter;
+    ClaimAuthFilter -> SssdClaimAuth;
+    SssdClaimAuth -> Assertion [folded];
+        
+    group {
+    orientation = portrait
+    Assertion -> JsonAssertion;
+    JsonAssertion -> IdPMapper;
+    IdPMapper -> JsonMapped;
+    }
+
+    JsonMapped -> Claim;
+
+    Connector [numbered = 1]
+    SssdFilter [numbered = 2]
+    ClaimAuthFilter [numbered = 3]
+    SssdClaimAuth [numbered = 4]
+    Assertion [numbered = 4.1]
+    JsonAssertion [numbered = 4.2]
+    IdPMapper  [numbered = 4.3]
+    JsonMapped [numbered = 4.4]
+    Claim [numbered = 5]
+}
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_04.svg b/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_04.svg
new file mode 100644
index 00000000..74850a85
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_04.svg
@@ -0,0 +1,100 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.0//EN" "http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd">
+<svg viewBox="0 0 832 440" xmlns="http://www.w3.org/2000/svg" xmlns:inkspace="http://www.inkscape.org/namespaces/inkscape" xmlns:xlink="http://www.w3.org/1999/xlink">
+  <defs id="defs_block">
+    <filter height="1.504" id="filter_blur" inkspace:collect="always" width="1.1575" x="-0.07875" y="-0.252">
+      <feGaussianBlur id="feGaussianBlur3780" inkspace:collect="always" stdDeviation="4.2" />
+    </filter>
+  </defs>
+  <title>blockdiag</title>
+  <desc>blockdiag {
+    Connector -&gt; SssdFilter;
+    SssdFilter -&gt; ClaimAuthFilter;
+    ClaimAuthFilter -&gt; SssdClaimAuth;
+    SssdClaimAuth -&gt; Assertion [folded];
+        
+    group {
+    orientation = portrait
+    Assertion -&gt; JsonAssertion;
+    JsonAssertion -&gt; IdPMapper;
+    IdPMapper -&gt; JsonMapped;
+    }
+
+    JsonMapped -&gt; Claim;
+
+    Connector [numbered = 1]
+    SssdFilter [numbered = 2]
+    ClaimAuthFilter [numbered = 3]
+    SssdClaimAuth [numbered = 4]
+    Assertion [numbered = 4.1]
+    JsonAssertion [numbered = 4.2]
+    IdPMapper  [numbered = 4.3]
+    JsonMapped [numbered = 4.4]
+    Claim [numbered = 5]
+}
+</desc>
+  <rect fill="rgb(243,152,0)" height="300" style="filter:url(#filter_blur)" width="144" x="56" y="110" />
+  <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="67" y="46" />
+  <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="259" y="46" />
+  <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="451" y="46" />
+  <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="643" y="46" />
+  <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="67" y="126" />
+  <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="67" y="206" />
+  <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="67" y="286" />
+  <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="67" y="366" />
+  <rect fill="rgb(0,0,0)" height="40" stroke="rgb(0,0,0)" style="filter:url(#filter_blur);opacity:0.7;fill-opacity:1" width="128" x="259" y="366" />
+  <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="64" y="40" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="103" y="64">Connector</text>
+  <ellipse cx="64" cy="40" fill="pink" rx="12" ry="12" stroke="rgb(0,0,0)" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="61" y="44">1</text>
+  <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="256" y="40" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="294" y="64">SssdFilter</text>
+  <ellipse cx="256" cy="40" fill="pink" rx="12" ry="12" stroke="rgb(0,0,0)" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="253" y="44">2</text>
+  <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="448" y="40" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="471" y="64">ClaimAuthFilter</text>
+  <ellipse cx="448" cy="40" fill="pink" rx="12" ry="12" stroke="rgb(0,0,0)" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="445" y="44">3</text>
+  <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="640" y="40" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="665" y="64">SssdClaimAuth</text>
+  <ellipse cx="640" cy="40" fill="pink" rx="12" ry="12" stroke="rgb(0,0,0)" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="637" y="44">4</text>
+  <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="64" y="120" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="103" y="144">Assertion</text>
+  <ellipse cx="64" cy="120" fill="pink" rx="12" ry="12" stroke="rgb(0,0,0)" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="56" y="124">4.1</text>
+  <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="64" y="200" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="91" y="224">JsonAssertion</text>
+  <ellipse cx="64" cy="200" fill="pink" rx="12" ry="12" stroke="rgb(0,0,0)" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="56" y="204">4.2</text>
+  <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="64" y="280" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="102" y="305">IdPMapper</text>
+  <ellipse cx="64" cy="280" fill="pink" rx="12" ry="12" stroke="rgb(0,0,0)" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="56" y="284">4.3</text>
+  <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="64" y="360" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="97" y="385">JsonMapped</text>
+  <ellipse cx="64" cy="360" fill="pink" rx="12" ry="12" stroke="rgb(0,0,0)" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="56" y="364">4.4</text>
+  <rect fill="rgb(255,255,255)" height="40" stroke="rgb(0,0,0)" width="128" x="256" y="360" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="307" y="384">Claim</text>
+  <ellipse cx="256" cy="360" fill="pink" rx="12" ry="12" stroke="rgb(0,0,0)" />
+  <text fill="rgb(0,0,0)" font-family="sansserif" font-size="11" font-style="normal" font-weight="normal" x="253" y="364">5</text>
+  <path d="M 192 60 L 248 60" fill="none" stroke="rgb(0,0,0)" />
+  <polygon fill="rgb(0,0,0)" points="255,60 248,56 248,64 255,60" stroke="rgb(0,0,0)" />
+  <path d="M 384 60 L 440 60" fill="none" stroke="rgb(0,0,0)" />
+  <polygon fill="rgb(0,0,0)" points="447,60 440,56 440,64 447,60" stroke="rgb(0,0,0)" />
+  <path d="M 576 60 L 632 60" fill="none" stroke="rgb(0,0,0)" />
+  <polygon fill="rgb(0,0,0)" points="639,60 632,56 632,64 639,60" stroke="rgb(0,0,0)" />
+  <path d="M 704 80 L 704 100" fill="none" stroke="rgb(0,0,0)" />
+  <path d="M 128 100 L 704 100" fill="none" stroke="rgb(0,0,0)" />
+  <path d="M 128 100 L 128 112" fill="none" stroke="rgb(0,0,0)" />
+  <polygon fill="rgb(0,0,0)" points="128,119 124,112 132,112 128,119" stroke="rgb(0,0,0)" />
+  <path d="M 128 160 L 128 192" fill="none" stroke="rgb(0,0,0)" />
+  <polygon fill="rgb(0,0,0)" points="128,199 124,192 132,192 128,199" stroke="rgb(0,0,0)" />
+  <path d="M 128 240 L 128 272" fill="none" stroke="rgb(0,0,0)" />
+  <polygon fill="rgb(0,0,0)" points="128,279 124,272 132,272 128,279" stroke="rgb(0,0,0)" />
+  <path d="M 128 320 L 128 352" fill="none" stroke="rgb(0,0,0)" />
+  <polygon fill="rgb(0,0,0)" points="128,359 124,352 132,352 128,359" stroke="rgb(0,0,0)" />
+  <path d="M 192 380 L 248 380" fill="none" stroke="rgb(0,0,0)" />
+  <polygon fill="rgb(0,0,0)" points="255,380 248,376 248,384 255,380" stroke="rgb(0,0,0)" />
+</svg>
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_05.svg b/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_05.svg
new file mode 100644
index 00000000..f4657f06
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_05.svg
@@ -0,0 +1,613 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:osb="http://www.openswatchbook.org/uri/2009/osb"
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   width="689.19269"
+   height="212.05057"
+   id="svg2"
+   version="1.1"
+   inkscape:version="0.48.5 r10040"
+   sodipodi:docname="sssd_05.svg">
+  <defs
+     id="defs4">
+    <linearGradient
+       inkscape:collect="always"
+       id="linearGradient12785"
+       osb:paint="gradient">
+      <stop
+         style="stop-color:#000000;stop-opacity:1;"
+         offset="0"
+         id="stop12787" />
+      <stop
+         style="stop-color:#000000;stop-opacity:0;"
+         offset="1"
+         id="stop12789" />
+    </linearGradient>
+    <linearGradient
+       id="linearGradient12777">
+      <stop
+         style="stop-color:#ffcc00;stop-opacity:1;"
+         offset="0"
+         id="stop12779" />
+      <stop
+         style="stop-color:#ffcc00;stop-opacity:0;"
+         offset="1"
+         id="stop12781" />
+    </linearGradient>
+    <marker
+       inkscape:stockid="Scissors"
+       orient="auto"
+       refY="0"
+       refX="0"
+       id="Scissors"
+       style="overflow:visible">
+      <path
+         id="schere"
+         d="M 9.0898857,-3.6061018 C 8.1198849,-4.7769976 6.3697607,-4.7358294 5.0623558,-4.2327734 l -8.2124046,3.0779029 c -2.3882933,-1.3067135 -4.7482873,-0.9325372 -4.7482873,-1.5687873 0,-0.4973164 0.4566662,-0.3883222 0.3883068,-1.6831941 -0.065635,-1.2432767 -1.3635771,-2.1630796 -2.5903987,-2.0816435 -1.227271,-0.00735 -2.499439,0.9331613 -2.510341,2.2300611 -0.09143,1.3063864 1.007209,2.5196896 2.306764,2.6052316 1.5223406,0.2266616 4.218258,-0.6955566 5.482945,1.57086006 -0.9422847,1.73825774 -2.6140244,1.74307674 -4.1255107,1.65607034 -1.2548743,-0.072235 -2.7620933,0.2873979 -3.3606483,1.5208605 -0.578367,1.1820862 -0.0112,2.8646022 1.316749,3.226412 1.3401912,0.4918277 3.1806689,-0.129711 3.4993722,-1.6707242 0.2456585,-1.187823 -0.5953659,-1.7459574 -0.2725074,-2.1771537 0.2436135,-0.32536 1.7907806,-0.1368452 4.5471053,-1.3748244 L 5.6763468,4.2330688 C 6.8000164,4.5467672 8.1730685,4.5362646 9.1684433,3.4313614 L -0.05164093,-0.05372222 9.0898857,-3.6061018 z m -18.3078016,-1.900504 c 1.294559,0.7227998 1.1888392,2.6835702 -0.1564272,3.0632889 -1.2165179,0.423661 -2.7710269,-0.7589694 -2.3831779,-2.0774648 0.227148,-1.0818519 1.653387,-1.480632 2.5396051,-0.9858241 z m 0.056264,8.0173649 c 1.3508301,0.4988648 1.1214429,2.7844356 -0.2522207,3.091609 -0.9110594,0.3163391 -2.2135494,-0.1387976 -2.3056964,-1.2121394 -0.177609,-1.305055 1.356085,-2.4841482 2.5579171,-1.8794696 z"
+         style="fill:#000000"
+         inkscape:connector-curvature="0" />
+    </marker>
+    <marker
+       inkscape:stockid="DotL"
+       orient="auto"
+       refY="0"
+       refX="0"
+       id="DotL"
+       style="overflow:visible">
+      <path
+         id="path4170"
+         d="m -2.5,-1 c 0,2.76 -2.24,5 -5,5 -2.76,0 -5,-2.24 -5,-5 0,-2.76 2.24,-5 5,-5 2.76,0 5,2.24 5,5 z"
+         style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt"
+         transform="matrix(0.8,0,0,0.8,5.92,0.8)"
+         inkscape:connector-curvature="0" />
+    </marker>
+    <marker
+       inkscape:stockid="StopL"
+       orient="auto"
+       refY="0"
+       refX="0"
+       id="StopL"
+       style="overflow:visible">
+      <path
+         id="path4278"
+         d="M 0,5.65 0,-5.65"
+         style="fill:none;stroke:#000000;stroke-width:1pt"
+         transform="scale(0.8,0.8)"
+         inkscape:connector-curvature="0" />
+    </marker>
+    <marker
+       inkscape:stockid="Arrow2Mstart"
+       orient="auto"
+       refY="0"
+       refX="0"
+       id="Arrow2Mstart"
+       style="overflow:visible">
+      <path
+         id="path4133"
+         style="fill-rule:evenodd;stroke-width:0.625;stroke-linejoin:round"
+         d="M 8.7185878,4.0337352 -2.2072895,0.01601326 8.7185884,-4.0017078 c -1.7454984,2.3720609 -1.7354408,5.6174519 -6e-7,8.035443 z"
+         transform="scale(0.6,0.6)"
+         inkscape:connector-curvature="0" />
+    </marker>
+    <marker
+       inkscape:stockid="Arrow2Mend"
+       orient="auto"
+       refY="0"
+       refX="0"
+       id="Arrow2Mend"
+       style="overflow:visible">
+      <path
+         id="path4136"
+         style="fill-rule:evenodd;stroke-width:0.625;stroke-linejoin:round"
+         d="M 8.7185878,4.0337352 -2.2072895,0.01601326 8.7185884,-4.0017078 c -1.7454984,2.3720609 -1.7354408,5.6174519 -6e-7,8.035443 z"
+         transform="scale(-0.6,-0.6)"
+         inkscape:connector-curvature="0" />
+    </marker>
+    <marker
+       inkscape:stockid="Arrow1Mend"
+       orient="auto"
+       refY="0"
+       refX="0"
+       id="Arrow1Mend"
+       style="overflow:visible">
+      <path
+         id="path4118"
+         d="M 0,0 5,-5 -12.5,0 5,5 0,0 z"
+         style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt"
+         transform="matrix(-0.4,0,0,-0.4,-4,0)"
+         inkscape:connector-curvature="0" />
+    </marker>
+    <marker
+       inkscape:stockid="Arrow2Lend"
+       orient="auto"
+       refY="0"
+       refX="0"
+       id="Arrow2Lend"
+       style="overflow:visible">
+      <path
+         id="path4130"
+         style="fill-rule:evenodd;stroke-width:0.625;stroke-linejoin:round"
+         d="M 8.7185878,4.0337352 -2.2072895,0.01601326 8.7185884,-4.0017078 c -1.7454984,2.3720609 -1.7354408,5.6174519 -6e-7,8.035443 z"
+         transform="matrix(-1.1,0,0,-1.1,-1.1,0)"
+         inkscape:connector-curvature="0" />
+    </marker>
+    <filter
+       color-interpolation-filters="sRGB"
+       height="1.5039999"
+       id="filter_blur"
+       inkscape:collect="always"
+       width="1.1575"
+       x="-0.078749999"
+       y="-0.252">
+      <feGaussianBlur
+         id="feGaussianBlur3780"
+         inkscape:collect="always"
+         stdDeviation="4.2" />
+    </filter>
+    <marker
+       inkscape:stockid="Arrow2Mstart"
+       orient="auto"
+       refY="0"
+       refX="0"
+       id="Arrow2Mstart-7"
+       style="overflow:visible">
+      <path
+         inkscape:connector-curvature="0"
+         id="path4133-8"
+         style="fill-rule:evenodd;stroke-width:0.625;stroke-linejoin:round"
+         d="M 8.7185878,4.0337352 -2.2072895,0.01601326 8.7185884,-4.0017078 c -1.7454984,2.3720609 -1.7354408,5.6174519 -6e-7,8.035443 z"
+         transform="scale(0.6,0.6)" />
+    </marker>
+    <marker
+       inkscape:stockid="Arrow2Mend"
+       orient="auto"
+       refY="0"
+       refX="0"
+       id="Arrow2Mend-1"
+       style="overflow:visible">
+      <path
+         inkscape:connector-curvature="0"
+         id="path4136-9"
+         style="fill-rule:evenodd;stroke-width:0.625;stroke-linejoin:round"
+         d="M 8.7185878,4.0337352 -2.2072895,0.01601326 8.7185884,-4.0017078 c -1.7454984,2.3720609 -1.7354408,5.6174519 -6e-7,8.035443 z"
+         transform="scale(-0.6,-0.6)" />
+    </marker>
+    <filter
+       color-interpolation-filters="sRGB"
+       height="1.5039999"
+       id="filter_blur-1"
+       inkscape:collect="always"
+       width="1.1575"
+       x="-0.078749999"
+       y="-0.252">
+      <feGaussianBlur
+         id="feGaussianBlur3780-1"
+         inkscape:collect="always"
+         stdDeviation="4.2" />
+    </filter>
+    <filter
+       inkscape:collect="always"
+       id="filter18355">
+      <feGaussianBlur
+         inkscape:collect="always"
+         stdDeviation="6.2598764"
+         id="feGaussianBlur18357" />
+    </filter>
+  </defs>
+  <sodipodi:namedview
+     id="base"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:pageopacity="0.0"
+     inkscape:pageshadow="2"
+     inkscape:zoom="1.4"
+     inkscape:cx="405.52492"
+     inkscape:cy="110.18507"
+     inkscape:document-units="px"
+     inkscape:current-layer="layer1"
+     showgrid="false"
+     inkscape:snap-grids="true"
+     inkscape:window-width="1920"
+     inkscape:window-height="992"
+     inkscape:window-x="0"
+     inkscape:window-y="27"
+     inkscape:window-maximized="1"
+     fit-margin-top="0"
+     fit-margin-left="0"
+     fit-margin-right="0"
+     fit-margin-bottom="0" />
+  <metadata
+     id="metadata7">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+        <dc:title />
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <g
+     inkscape:label="Layer 1"
+     inkscape:groupmode="layer"
+     id="layer1"
+     transform="translate(-22.986913,-110.53072)">
+    <rect
+       y="136.89983"
+       x="254.85715"
+       height="185.19879"
+       width="456.83981"
+       id="rect12822"
+       style="fill:#f39800;fill-opacity:1;stroke:#000000;stroke-width:0.96499999999999997;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0;filter:url(#filter18355)" />
+    <g
+       id="g18452">
+      <rect
+         y="244.58766"
+         x="105.58965"
+         height="41.710945"
+         width="129.83621"
+         id="rect2987"
+         style="fill:#ffffff;stroke:#000000;stroke-width:1.41119610999999989px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;fill-opacity:1" />
+      <text
+         sodipodi:linespacing="125%"
+         id="text2991"
+         y="261.25369"
+         x="112.20991"
+         style="font-size:12px;font-style:normal;font-weight:normal;line-height:125%;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;font-family:Sans"
+         xml:space="preserve"><tspan
+           id="tspan2995"
+           y="261.25369"
+           x="112.20991"
+           sodipodi:role="line">Apache mod_proxy:</tspan><tspan
+           id="tspan2997"
+           y="276.25369"
+           x="112.20991"
+           sodipodi:role="line">forward port 8383</tspan></text>
+    </g>
+    <g
+       id="g18364">
+      <rect
+         y="167.43681"
+         x="304.33868"
+         height="50.483749"
+         width="98.582535"
+         id="rect2987-7"
+         style="fill:#ffffff;stroke:#000000;stroke-width:1.35282063000000008px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;fill-opacity:1" />
+      <text
+         sodipodi:linespacing="125%"
+         id="text2991-2"
+         y="181.34079"
+         x="353.99908"
+         style="font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;line-height:125%;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;font-family:Sans;-inkscape-font-specification:Sans"
+         xml:space="preserve"><tspan
+           id="tspan2997-2"
+           y="181.34079"
+           x="353.99908"
+           sodipodi:role="line">Connector:</tspan><tspan
+           id="tspan3813"
+           y="196.34079"
+           x="353.99908"
+           sodipodi:role="line">port = 80</tspan><tspan
+           id="tspan3908"
+           y="211.34079"
+           x="353.99908"
+           sodipodi:role="line">(web)</tspan></text>
+    </g>
+    <flowRoot
+       xml:space="preserve"
+       id="flowRoot3815"
+       style="font-size:40px;font-style:normal;font-weight:normal;line-height:125%;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;font-family:Sans"><flowRegion
+         id="flowRegion3817"><rect
+           id="rect3819"
+           width="201.02036"
+           height="90.913727"
+           x="174.25131"
+           y="117.466" /></flowRegion><flowPara
+         id="flowPara3821" /></flowRoot>    <g
+       id="g18419">
+      <rect
+         y="240.20126"
+         x="304.33868"
+         height="50.483749"
+         width="98.582535"
+         id="rect2987-7-6"
+         style="fill:#ffffff;stroke:#000000;stroke-width:1.35282063000000008px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;fill-opacity:1" />
+      <text
+         sodipodi:linespacing="125%"
+         id="text2991-2-6"
+         y="253.64822"
+         x="353.63287"
+         style="font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;line-height:125%;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;font-family:Sans;-inkscape-font-specification:Sans"
+         xml:space="preserve"><tspan
+           id="tspan2997-2-4"
+           y="253.64822"
+           x="353.63287"
+           sodipodi:role="line">Connector:</tspan><tspan
+           id="tspan3813-5"
+           y="268.64822"
+           x="353.63287"
+           sodipodi:role="line">port = 8383</tspan><tspan
+           id="tspan3908-2"
+           y="283.64822"
+           x="353.63287"
+           sodipodi:role="line">(auth proxy)</tspan></text>
+    </g>
+    <g
+       id="g7018"
+       transform="translate(-14,35.850205)">
+      <g
+         id="g7023"
+         transform="translate(218.19295,1.0101525)">
+        <g
+           id="g7028"
+           transform="translate(-97.984797,178.797)">
+          <polygon
+             id="polygon6858"
+             style="opacity:0.7;fill:#000000;fill-opacity:1;filter:url(#filter_blur)"
+             points="60,61 60,56 66,56 66,61 83,61 83,66 66,66 66,71 80,86 73,86 63,76 53,86 46,86 60,71 60,66 43,66 43,61 "
+             transform="translate(-115.02286,-17.004219)" />
+          <polygon
+             id="polygon6872"
+             points="57,55 57,50 63,50 63,55 80,55 80,60 63,60 63,65 77,80 70,80 60,70 50,80 43,80 57,65 57,60 40,60 40,55 "
+             style="fill:#ffffff;stroke:#000000"
+             transform="translate(-115.02286,-17.004219)" />
+          <ellipse
+             d="m 67,45 c 0,3.865993 -3.134007,7 -7,7 -3.865993,0 -7,-3.134007 -7,-7 0,-3.865993 3.134007,-7 7,-7 3.865993,0 7,3.134007 7,7 z"
+             id="ellipse6874"
+             ry="7"
+             rx="7"
+             cy="45"
+             cx="60"
+             sodipodi:cx="60"
+             sodipodi:cy="45"
+             sodipodi:rx="7"
+             sodipodi:ry="7"
+             style="fill:#ffffff;stroke:#000000"
+             transform="translate(-115.02286,-17.004219)" />
+        </g>
+      </g>
+    </g>
+    <rect
+       style="fill:#ffffff;stroke:#000000;stroke-width:1.35282063000000008px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;fill-opacity:1"
+       id="rect2987-7-5"
+       width="98.582535"
+       height="50.483749"
+       x="589.35858"
+       y="239.54141" />
+    <text
+       xml:space="preserve"
+       style="font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;line-height:125%;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;font-family:Sans;-inkscape-font-specification:Sans"
+       x="638.74945"
+       y="254.25693"
+       id="text2991-2-67"
+       sodipodi:linespacing="125%"><tspan
+         id="tspan10147"
+         sodipodi:role="line"
+         x="638.74945"
+         y="254.25693">AAA Servlet</tspan><tspan
+         id="tspan10204"
+         sodipodi:role="line"
+         x="638.74945"
+         y="269.25693">executes</tspan><tspan
+         id="tspan10206"
+         sodipodi:role="line"
+         x="638.74945"
+         y="284.25693">with roles</tspan></text>
+    <flowRoot
+       xml:space="preserve"
+       id="flowRoot10151"
+       style="font-size:40px;font-style:normal;font-weight:normal;line-height:125%;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;font-family:Sans"><flowRegion
+         id="flowRegion10153"><rect
+           id="rect10155"
+           width="139.90613"
+           height="110.10663"
+           x="648.01288"
+           y="147.2655" /></flowRegion><flowPara
+         id="flowPara10157" /></flowRoot>    <g
+       id="g18431">
+      <rect
+         y="169.04143"
+         x="589.86121"
+         height="50.483749"
+         width="98.582535"
+         id="rect2987-7-5-0"
+         style="fill:#ffffff;stroke:#000000;stroke-width:1.35282063000000008px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;fill-opacity:1" />
+      <text
+         sodipodi:linespacing="125%"
+         id="text2991-2-67-9"
+         y="191.07236"
+         x="638.61047"
+         style="font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;line-height:125%;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;font-family:Sans;-inkscape-font-specification:Sans"
+         xml:space="preserve"><tspan
+           y="191.07236"
+           x="638.61047"
+           sodipodi:role="line"
+           id="tspan10147-8">Non-AAA</tspan><tspan
+           y="206.07236"
+           x="638.61047"
+           sodipodi:role="line"
+           id="tspan10198">Servlet</tspan><tspan
+           y="221.07236"
+           x="638.61047"
+           sodipodi:role="line"
+           id="tspan10196" /></text>
+    </g>
+    <g
+       id="g18474">
+      <rect
+         y="168.30391"
+         x="437.00925"
+         height="122.27845"
+         width="121.29423"
+         id="rect2987-7-2-2"
+         style="fill:#ffffff;stroke:#000000;stroke-width:2.33539009000000020px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;fill-opacity:1" />
+      <text
+         sodipodi:linespacing="125%"
+         id="text2991-2-9-8"
+         y="181.0443"
+         x="497.75305"
+         style="font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;line-height:125%;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;font-family:Sans;-inkscape-font-specification:Sans"
+         xml:space="preserve"><tspan
+           id="tspan3908-4-7"
+           y="181.0443"
+           x="497.75305"
+           sodipodi:role="line">ClaimAuthFilter:</tspan><tspan
+           id="tspan4038"
+           y="196.0443"
+           x="497.75305"
+           sodipodi:role="line">localPort in</tspan><tspan
+           id="tspan4040"
+           y="211.0443"
+           x="497.75305"
+           sodipodi:role="line">secureProxyPorts?</tspan><tspan
+           id="tspan4044"
+           y="226.0443"
+           x="497.75305"
+           sodipodi:role="line" /></text>
+      <g
+         id="g18469">
+        <rect
+           style="fill:#ff0000;stroke:#000000;stroke-width:0.81352955000000005;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0;fill-opacity:1"
+           id="rect10241"
+           width="98.994949"
+           height="23.733509"
+           x="448.15887"
+           y="220.00537" />
+        <text
+           xml:space="preserve"
+           style="font-size:12px;font-style:normal;font-weight:normal;line-height:125%;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;font-family:Sans"
+           x="488.27258"
+           y="236.16118"
+           id="text10243"
+           sodipodi:linespacing="125%"><tspan
+             sodipodi:role="line"
+             id="tspan10245"
+             x="488.27258"
+             y="236.16118">No</tspan></text>
+      </g>
+      <g
+         id="g18461">
+        <rect
+           style="fill:#00ff00;stroke:#000000;stroke-width:0.81352955000000005;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0;fill-opacity:1"
+           id="rect10241-9"
+           width="98.994949"
+           height="23.733509"
+           x="448.15887"
+           y="253.81883" />
+        <text
+           xml:space="preserve"
+           style="font-size:12px;font-style:normal;font-weight:normal;line-height:125%;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;font-family:Sans"
+           x="488.27258"
+           y="269.97464"
+           id="text10243-4"
+           sodipodi:linespacing="125%"><tspan
+             sodipodi:role="line"
+             id="tspan10245-6"
+             x="488.27258"
+             y="269.97464">Yes</tspan></text>
+      </g>
+    </g>
+    <g
+       id="g7018-9"
+       transform="translate(-15.11838,-36.914245)">
+      <g
+         id="g7023-0"
+         transform="translate(218.19295,1.0101525)">
+        <g
+           id="g7028-1"
+           transform="translate(-97.984797,178.797)">
+          <polygon
+             id="polygon6858-6"
+             style="opacity:0.7;fill:#000000;fill-opacity:1;filter:url(#filter_blur-1)"
+             points="60,71 60,66 43,66 43,61 60,61 60,56 66,56 66,61 83,61 83,66 66,66 66,71 80,86 73,86 63,76 53,86 46,86 "
+             transform="translate(-115.02286,-17.004219)" />
+          <polygon
+             id="polygon6872-6"
+             points="57,65 57,60 40,60 40,55 57,55 57,50 63,50 63,55 80,55 80,60 63,60 63,65 77,80 70,80 60,70 50,80 43,80 "
+             style="fill:#ffffff;stroke:#000000"
+             transform="translate(-115.02286,-17.004219)" />
+          <ellipse
+             d="m 67,45 c 0,3.865993 -3.134007,7 -7,7 -3.865993,0 -7,-3.134007 -7,-7 0,-3.865993 3.134007,-7 7,-7 3.865993,0 7,3.134007 7,7 z"
+             id="ellipse6874-1"
+             ry="7"
+             rx="7"
+             cy="45"
+             cx="60"
+             sodipodi:cx="60"
+             sodipodi:cy="45"
+             sodipodi:rx="7"
+             sodipodi:ry="7"
+             style="fill:#ffffff;stroke:#000000"
+             transform="translate(-115.02286,-17.004219)" />
+        </g>
+      </g>
+    </g>
+    <text
+       xml:space="preserve"
+       style="font-size:12px;font-style:normal;font-weight:normal;line-height:125%;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;font-family:Sans"
+       x="430.15594"
+       y="119.6479"
+       id="text12879"
+       sodipodi:linespacing="125%"><tspan
+         sodipodi:role="line"
+         id="tspan12881"
+         x="430.15594"
+         y="119.6479">Java EE Container</tspan></text>
+    <path
+       style="fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;marker-start:url(#Arrow2Mstart-7);marker-end:url(#Arrow2Mend-1)"
+       d="m 57.185293,265.44314 48.404357,0"
+       id="path13365"
+       inkscape:connector-type="polyline"
+       inkscape:connector-curvature="0"
+       inkscape:connection-start="#g7018"
+       inkscape:connection-start-point="d4" />
+    <path
+       style="fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;marker-start:url(#Arrow2Mstart-7);marker-end:url(#Arrow2Mend-1)"
+       d="m 235.42587,265.44314 68.91281,0"
+       id="path14574"
+       inkscape:connector-type="polyline"
+       inkscape:connector-curvature="0" />
+    <path
+       style="fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;marker-start:url(#Arrow2Mstart-7);marker-end:url(#Arrow2Mend-1)"
+       d="m 402.92122,265.52611 45.23767,0.0762"
+       id="path14999"
+       inkscape:connector-type="polyline"
+       inkscape:connector-curvature="0" />
+    <path
+       style="fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;marker-start:url(#Arrow2Mstart-7);marker-end:url(#Arrow1Mend)"
+       d="m 402.92122,206.09216 51.12769,13.91321"
+       id="path15397"
+       inkscape:connector-type="polyline"
+       inkscape:connector-curvature="0" />
+    <path
+       style="fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;marker-start:url(#Arrow2Mstart-7);marker-end:url(#Arrow2Mend-1)"
+       d="m 542.32654,220.00537 47.53467,-12.62771"
+       id="path15795"
+       inkscape:connector-type="polyline"
+       inkscape:connector-curvature="0" />
+    <path
+       style="fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;marker-start:url(#Arrow2Mstart-7);marker-end:url(#Arrow2Mend-1)"
+       d="m 547.15383,265.36883 42.20475,-0.2701"
+       id="path16193"
+       inkscape:connector-type="polyline"
+       inkscape:connector-curvature="0" />
+    <path
+       style="fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;marker-start:url(#Arrow2Mstart-7);marker-end:url(#Arrow2Mend-1)"
+       d="m 56.066913,192.67869 248.271767,0"
+       id="path17038"
+       inkscape:connector-type="polyline"
+       inkscape:connector-curvature="0"
+       inkscape:connection-start="#g7018-9"
+       inkscape:connection-start-point="d4" />
+  </g>
+</svg>
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_auth_sequence.png b/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_auth_sequence.png
new file mode 100644
index 0000000000000000000000000000000000000000..9f9a0b496c7a40f51e7b14efe7903f96dba015a2
GIT binary patch
literal 39322
zcmcG$1z1&S_co3RiU<f2Qi4bdh?KO_(%m5?4blxNAR^M;(kUU`ilB6dw1RYZbN=f%
zGw;ke^IpI2e|^8txvm#p&N=(+{p@G2b+7xr*YcB<7R9)H<1z{g3dSQbA$b&(bJ8d%
zXSvYM!e5du29?5(i+U2GLMRC2e{X9u!%$FeqC66MsOS{GJZ_?iqk>>xXTfgBe}4Y_
znG1?^iq;SN<sFOk#x0736${JMOVP_rS8RsLjOpz^j#NFf8N$GNm^&rVq@`F`nvzm>
z0oPCoZ}?91gUy=g>aDI%-dOi8o!dC{a0`*_jOVnSp*-e#Bu(oh@DR=e<pb8GeNyBv
zDD&vzyvUzkKJu9G<HO_R{&Vp2t}4wA^3PZB{+D0&n(KUhojxmrgx5uJDG~K5v6x(V
zdV2a*(cI4=w?un;d+$5+rZCr^?2g)r*ShY_+H{ND@?5Lko3~_PVX3ss9q$no6kJF(
zGB7CVJ7+!A|J80svSntIgxlfG4Yt<7!NIRzRqx<olJU8XmRVq6V7Qo;*)8;nFj?5z
zZsluLcSbYc;^nOs_ChsYlU+Ph!Vm9^zi&MiPOI?R-(O?pZE0!grAwE#S4PXNbZT9c
z{H2`;otMZGCj0s?kt7PZyPv>2C!FUJZ09;7A|nTfhN7aPbZVTezc=`to}S8QE0T45
zH8nHa+T6T$?V7g7!3-S9mWTG4L*uKpGbrm%TEl6Va}{`9cYhe(Ww2TQ_EG;!VCm*V
z&x4t$oE*B@)h>Pnk8$_gNQZ{D<^eMI?zay=e*EZ-MMM<m;CNF@H%Q92tG_dWd%=H(
zB4mDNNT<BKyxwtb;`uq$L|#{i#s2I7A`V8KI?cHbg1!u?t?li+f`Wp)yqc%q8xpu3
zZ``<n$DsaWW`@ma{c%G4%?Cuj@|cM_1@)(gd1}S`q{7ujW<!huuR=mXN=xk@J!+|Q
zKcb+Zkd%@-AjMZ<F+%R73~~}NbQcn$t@Kxu9!Kv)gGjemvK2C6WxcSj;p2<q8&z3+
zj%L>X9A{PcXfm>GX00A^8p)usxU{5_uNe~`pO>j{(O6;q4C6D?AW~lSil@n`si}T`
ze*XS#NATYHo?9~)FI>0)*IiatHak1(;o(77|17;O48BDkcV=qJX0|<Mb-X$*I=bd~
zvu#@tpGh0;VM<t7m@G|N{cBt}34T`Vsm9w9k=^B)QgIo_Cv*vK)Y4zPc%hIfjV*9|
zd^~?xk&-g?;rY2%3jqOvc_!hR+1YzU!W7uTawms73j8*)l2jU{rV;-B{@K|kh|`mp
zE`K&o?n5(!jEoGKM4p57PnZb_2~tv0N81a<u6vd{mD$I!>RMXk<&z$x)s9xMTQxLB
zzkl*2<8hL8zN^mjP|BTb6}}Lz=9*t)dwZTt5?`+JJD0=l?Af^{cDMbfuT!cVR$9$t
z*v#<U=h5*QyEOtyxJ9gz`CH9d*#o;2Z*?W|rdo~FdnOIvcR$=7$W`(6@##q9)gbFo
zyoPq(Y$$)FKO2Yq$B&k<nVA{W8|MhFUie@;8z#e-OpSou5o@X-E8G1}qg;du&&X)*
z_}H!Lp`2U@EZb%(9v<E`KkvF^U2264Npf$y<*z-ht*<>;DJg}LW#hRWrD<^A>%6OW
zSdpi}#i5ckE`e2As=8sTP<OP-?GiO!?T9!%TH9WM+fGxS%zuW``{#LzA=F_17sQ4z
zY1c&8NvL?YhK7c+UI|-mY;Mj{DbV)Dnn4L7;m(+yC-c}(-qi9DkkimuT3V7&ZTR$Q
z;o=DI!{u|dxUU^2oPEb(z1+pc#aVfn%GTGPR((wJJbh%Po48k4c-IBFab(bvX>tk+
zgL&B*yKqP0^cL99K7Tw`Va<QC-3NPrdwh91h(9B)si}$0#rSxCV_T3~I^Ni{9p&Zu
zbW$G2X!)RkgWS6oBdmv*-&J(nBVuE#EXTQS-MS^vyi`yx&Ed54u6$nWBE}87sYbuX
zMj;gy6&G{`cDB(=T8r2Mjd~k{?=<R<R;#z>y6AB)AC72$2_(_i(}S26U2kD$5)l$o
z^z^%cOWTl+XF_PGyq4CxTxJfRe3th1_MDs?+{;bqOf?V4=s7r|O!~~Thx(gi&NhsV
zxoypMz;olgH}1H=5Jn}{dsi|e%yPVHyuw;AS=M}{#BbuBZo_#tQ6rVdh=VTAd4^BE
zn24Du9X&n0dHI&+W*R0YnI-C1?l)(@oY5=VAGN9<ud>e#3X)01vD&Tqx;j=V$nmwr
zBupT=xur$-$v%BSjX=4zqa(HV{{DWqBT+y=8%vY2hDO_|vgS~}mP(%L20Ws?YzhjC
z9ZCF29yDBBRoTqv2(E>@tdE(L^}8PL7d^On)4Lr4!m$5o8-!{_HMQaH?guJ&VVkuN
zL}`>;_9S#0DikNsgp1dbc^=C-dqWHh2nbNBlN8YD-dtaQyCxze)Xjam*~YYum++>N
zwtWis%$YOWkydpFFDEt!RCJg-Vi|T612vNsALOZ*zMh~6Yk`GCBTr0Byz#QdZgZ=P
zzYpVw4d?iy0`1y<;smYdocHfz32@mj3hm{|(p)9uTb`RMH)sikvoYB_pUs1%Wo19#
z{e8A0ZadPbE3rq3jhvE&Md8zyo~^CzEkvYFPft(#mGY7jh^R(<x<-tfMPD+;Sq8#0
zWs>q$iyB5os(R=<2M2c{0`!Tpu%&Ao8`GS0e-0oTctiN%@i!yF_2XD}i&#h)n|Oz)
zm7d2NzM72G-kP;816^G~9&n$6u;g`gJeLOFL8ekxR=y_S=I*|L`C!4l+J0&G+sAW<
zmc<Eob=q!uUm;?bbS9{E*;#}rpsV}+^yCPx(q(mwvugD4@GzrOm|EZR@`=|K0ko}-
zlecf*GSwf4V!el?h5RLjW{21KRm;cb=H}0zGvL*-GUc#hg{xal_&RA;vbe&I@+vBs
z2L!Kw{zD_5n3#b4n#LiW$m6{EqeYU4A@OEeLqh|^^*FvIKKH|JA|HY8u(4|G7UTt*
zoBZ)(Y)uxNr64Fn4w~ys2x~Ez>q?^begnDb_U-hHjM*Um(+ZChu5t6;v`4X+s%i>d
ziVE!=9mvNAnT#5I&@-hIxZDp}PvRrP!)p#^<2(^399peQWoio1$+2;9W{!s_D}Y^`
zJfxENv}Tx|Ch<56Og49PD4qJ8d6$<bc?Ykr+`_^lf-F>wQgXQ8oI1ckvCj2qcg1ni
zor8@nqRz}5`R`6xOaJkizLsdEQ1NtlHPxywDTS`Bql4FW7Iv_HI0qf><yi;+9I_Cx
z#<2|kq;&ckJfG|uV%BlLO{Z94{6?XbP#OsD=Iw<fBqR~#ERIAc#&3n^*i3rUq~h3>
zU?tPjd(tOLO!`Q9UBW{`tT(2b+M<|n1R&av0Lth<&CAO+5>J2s{(VD(fPz9FgzCeC
zgPx{Ch^k+L$PnK?dd0`bmz1#T=;(~IE3oXpcyaddWo>P(LndZ--8cLSlmKS_P}L&6
z3rFJn5d0S~Z(kz6e*JnYH!Pj;gx_Z1w&-KlY(*}Q<Nf}A#bnw2@4jSI)YPyM`*d;?
z6duhRw9}Dr+6bLsUiUmbFgm<wYav4w*24j4p<id&BrO}qTrQfJiTU0`fIRnz%*@OX
z`_q_*nkB9;zAi5>&l5?`JZ$Ug%CusoYt^vRz9sVJt>9>#JGWMA5HY7sf0mqga4|el
zeD1MNE7C;OZ88W62_XlzwV45)XdUI{;h~a_7n@|HqwBR`VVlk_D9Ef2ejtZCIN&vR
zK7a8H>u1fyw+M<}KE(0X>(`f=m<qmqdyI;T%FSI3>jTUCC|&+gG-P;qxSh;Iic3yA
zMEU@84xogzC+opSRI)s+>c|N(ok6|RuPiGu60}@|#p3Om<^FgKriyNWduE4=jZiU3
z^YZeR`?JG*d@j`1LLNEA8`)VJBGOvc4bsG6xU7I76}SrDYh|UQsTrS`s4XuqkhBR2
z{@l597tVf!4gIx1hadT506eR%tc07lHr3=`ZZ!#;CZfdvakA#Qa1qv~`$wAMJ$81F
znFy7u#P_jqa0HY3A@bj~`O*C9)vM_*L4B#FiWD3v<19^s03`f`<ki(<BO~$f@$m@=
z#H^SY7z~x0mqto+E#tBYyCA$QAZiFXEQu8?&Jo-XoZLBQ?8vHS?sFjU^~D8r2qa~I
zFt3tuVF_FWu+8zdUP>4Z5H2kPLq}_?9v_RI$5gjDb$i!6c(@ygV-K<$8~t#IZrp%;
zggiC_ugmt^(dDm2UM9u5pI*kt6Ke%jh5+d6A?t#G+U+IB?tW<JvS%?`MjK@N?Zflz
z>}=nwBznpfh8~g0Hb2^<P8P^`yXVQc?3M<lKHZIxUY)2NRivg1>O2*0m`n1MwsQXN
zgU@a?L5z+45Z~?W^KTH$)cGOtGxLu}h*3_u?~RvPj7Bd>F6-dsaxz6Ytd2c8-I<NE
zqQiYnEt7cnLVQHT0PL^m&&x$7Cz3_(I|C~1VxQj-Zo#c@Pvng|kn_pR%+zEYa%Pz|
zA}pxg9chiAuLtCqE)f+-%o#diY+w)`8JR)Fiz4^};4pV=xC=xZ$5eV%?_h{RTGb8#
zma<ApGYbpZ$Hs7R^Ac)5BMO~F?aP-JXV+@|{n1ZaZn|R!o*twLBv&}B#M&hJVv-FG
zL=z1c>Yf|l^upwO%-@<v2hjc|U>sG|=HtNUvx|%3I>Gwlyb-sC(w-UbF0<15DUv2=
z%^XASqT?SKg^xxd6L+O%r)HEq`{NJKHaBfLx+HGT8nykHRM$+Fy+UyJ*+fHlDC_Rm
z5|50p5IH_;X9ZDR^P9hJU^nrGcIPXX-8>c{VKx;P$~mvK#WPvmuu@Ay1x%`iABKn3
zXmGi>xGrA2n30~&>`4n@lTowcuIH(npOBuVC7;XoJiNPi(x<luC*u6skFePnf;0gV
zTbP?WEPs9IDXXfWAc$b1zj%e9&}GNe)zuY(O9MJn_k~F5&tqs?3k)Zo38p_FTc_72
zdP1^-s*3ymeJCQHKvV!|@8IA7XsI4Po2nC^MO;Z$f?kY`5oGz~i34DK$n~E;efrec
z*x1==2_Jx6mySTa2AjhiSGei(=heyj$*!)h&!0c{_m=>G$W<wjmXb0opzM{0%0co`
zt7eB@;_8$7tjryjCMw*^VWFWAa%bk|sPX&*-n<c_2#Jas>P?q`up%?7vJPd-6M$;~
zkkyKxq-SQbNGzS<!K4wE@QAyJtc6$5AQr(-f;-_Z$p3#4Jsnv?Kl><<jS4>>7eYY^
zKmV6rZWG(e*yw+J5+LX~A)CfhKDt25qjF{8K%NgjaKsgtn6Nj`ILPjPnDcYaRFaxi
zby517I(1n9q7$-0izdV_*JK!sOVY;^8f=?_6Pb1^pZ0sCerpbXBJ7&B71NI19uwKH
zly6_sxr9#k4M|b_FP(O7LWIk}fD9Qw<D4rl3QEAj^!TMUCzKV5QMZo8+<pnET0WCr
zU%d@6`rIfT7n9DORQ&ms;bCXof%<&u*d)ZOltUFo#qz9Ca>3cLnwWIojU2oiRgo!&
znVFNlO1_nqKJd<r*(AIbHtQ+WwR*D7F|Cq$jn|8w2b&m&`I5?3hC7=Z)7cDMdb+wT
zd1^_c!vXBfgg;jKX5y?;7MF<BS##KhI~I)hg0mMMzh0D)JK?rlFDoPEgTpzlj!n;v
zsi)*ii_4uTC=_sv<hLwj#jmsn;tou<n->;XtrzLz$B3q;Vlrq|J^Vzf&i`m!+Ge&k
zH~V71L_(|!raAV`n$t+F|BD+ubz!VK>Shj8MH}~-Go-Z|;xBA<HO(kR1XKp~_4bzc
z6y0HPXB!)u^xUYjuYP2^X2U>YORqwEqgNt3DmeI_!*aFY%k4@#6Qd_j^klnp&zx!7
zUE|Ll6S;$Tn=-Go@UEF$m!V+<7fCi(X=&H)GAD%4elm|&7NuS}Ki1Y<zc;YWuEOfN
zyB|^APRLx-u8jo@e%CZy#{V#$eI=DzCMPu1qr!IX+eoQInHB&3uo3^FP4_zq<l117
z8_acDZEl9HjdLF^6=+CG`Fwg=yYuZKHs)N$twkBp4)aXM_BM$+XO@pc<!eg?Obm2%
z>114P`(xp>x7e1Gcf!nP9_1gernR^}mN+u#Th+qt|F)MP)M55c*eRZ%r$?tJv+(i9
zrCXv`)2uSnS9&I~9hX%fk@=kN?M?cY&I@h*i0de0%f;<jsOt|CH}uDIuQnZUg__Ty
zK$~&AinC^KBF=2kEjn@+aZ>J~rY8L0!~0AbvrFVLF~c4n=y~satE**(i>C1f#4Ih7
z#aQp~92=1(-4y+z^1=&oD{Md}>D2mBOW21G*L!+=?fA^g_V;zF9UTw5JZGU|&nPVP
zo`{aqFxK7Z%}lbq!RI#N&s4WN6QzNB`2sm5^G0}(OmIL4T8Oc#Y`4+2=kxT;$;};%
zviB~-9Troa38K-7sVP@0s-z1`w$r;L49~V6pXk)t(^uEjgkpt;Y^Vqde%hQN7Y#fv
z=;yYbEtgAmYj2nA-^Rhlp8mnwIq1;8IKchGrt)Vp>3nba(F=8NVPf2*H9SP4%uSph
zpN_kwvolOgq%(<ZuxMKL^<ur#hNGPX!0@R}Q@yF|Cwn7h402y&g08V;rj84;7FC3W
zDa=`p6JNwwBq2l87TW?on#`^*?&jFZOtmSaUz`8YUuo2ppQ~J}qC(x#-cIEWQBh0e
zvrb*z3F~rlL|Fe9N~1zY6%R+#UEcN086wya1KEAuiM-TSBe<EeG_1~F^y^#huBFg9
zTJ5s#9Ojq@IeAi>ES8Fx**OPQ(%5hQh~RTSE0m%eM&(XGP%-7t#LmIZyzR?*K|+EB
z2Z!8!bV6HFQOflRQ>7*;?siOp)l;Pbg%s;Y-Se-u>lwAo2TEk5>&B}0mhkYHI--j-
z4?g8*gc=2@xtG1uOgEO^OP?6XjY&_xUTh>II{_e<g~NPb)$k}MCsY4R9k<Po4_|`1
zD5>&~7IQ7OOZ!?|V|#mF=c?>YR1_ilv$q=?6;Ltr%S%fG{WVyuCKMAe;{en&UO?Ag
z8|?TVp`tzV-jKieB*}AeaWM^_Q3!S|pWD8sV*m58v4*#AyBa?6-(liU3c>c=UA8*f
zOS;2UK+JzyOUR;4%fwGcbTmHIG<mY|MXSnpX$Vo}zyNikULZ+zh1Fz%)a?)RJ)ed<
zI-oRI@(xZ*L&u@Ivb9AN9~S1hrp-tGV|jRzN|GRh>XAV6I}J4e>1~y^-0W6?lf`oc
z!g5x%Z1$(eg&0J;$EQamF?k-nY1nZbo;ev|@865l)BC&b1%CeGOHG;9O(vsR<5XL9
znA8#`%33}2hERWJPcoa6WQA03sr%tw_rqx0Igg=9wGyh`1y;7vh=GAeo`)t$+1Z6M
zNr~RU;o&7csqS2MSjH1xt%6H_oz$Ft#jWEJlL`IxsC;g!JP@?3>NxXDw#QCSCVhPo
zk_aVPL}2Eolt`uL?&@(J-DqmrmUQoYX@-c$X==7Yl-u#fa&NC~@srvcWRv@?%&vOI
zH+-ep*j6r)U-r?Ps3{=hyK}lT#6ZHWZmfMRi=U#}9X`0w$A7q7>>Lr19Yz&UVMps#
z8)dU;`gyFMT)k4fCw^6;HZ+v_?DG$uog$xhA3d7$5twGGbNcf2Yja!fT!YUUIXTpM
zUpyucuM`?TAy#AAwY)rEF0z~(goK_aJ1Uls-|~|iY)lb`g!r}UMC^BYPLO-6s;Sj%
zb#8zCilbHab)wGw@%H>fB_$aN3Hs$_^VhG%1Ic8r`*Zueyhuny)RQz_QOVg;U7%k2
z^>ap;ukR8dIUAeJe##H)d!7f!2WH57yoE!3wY=~y5px4K?Sg<-!ggx}kzICXMiK@Q
zUs(yO=SI`2KVHYH0N#gaey<O^s_e<eD>fV-e7FZe2mY5!mo4Fr>UyjYh0BROzk)(o
zcsQ$om}L9LhX<a?-4(;N=H^@r3o$8d_FU@xjZe(Xq;yo-uC!*RdX%A_zf)YYU0Slu
z#zItMIlhWG-7`C^?}^~ARhsmQ6<mt2g!^hy%%r-r_T0~pw$`PRQTzC1QIQ<tv^J74
zVQUg`y0+#U>&O#fbuYlhvV?oBpmq1vq+@7?wwWm<RpMe_rjb~)!L8J*RyE9)+s4-?
ze|+Cyq802Y(J7f9RmkiO3**pGQwxraI{*AR{e1VlXL7Pxj2F8pqK(N&$F1n7J!U%K
z4HsZ{-SuyLk`fUuxrDX~zTG;{hzS>JL{U*SDm72{tt&UV$NMr%yAmHM)fEHFs;H_;
zaSbDNjh(f5e7w4+{Ps0$_f$dD=YaeVWCy;MF%$uA$k#eqsD`{*RP<%i#f*-;v0t${
z{*{oPmZs(tbMq3TuAcdM!L!fbTIuY?#(Lsjme<sr{m~z@P^eRnk4C=j$k{Z7Sh3Wj
z$Sbgt4MX`fIq5jlYSGkW2x&+E^A!qj$>_VwLpn^Z&O3Itwu^%u&sh`Fii)sVuHi>9
z9_?jf37DECNhR{Us8bF}LeShXKWYxKn)^Yl#6n<X<SOv$!OdtEBR#l_%=#B^Q>Ml9
zR4R2O$JB1W%kE=lyKcINb%Yg=Vdt9Z#%211o7|u;Lq;TEGnuBfq2bNJr(02NG6~{{
zjW05+3lBSzcf`xX;(M0Sl}}v1rHanv=W9i;<mU%sk^wU^P&1wF7G{#xvszP6H+sus
z@{wZQV61>A3P7+dvmt~lyOw5Ep~mKZRCw}}5q>vSO*J)Jh-<KCsTr6qQBXu49AG?g
zS?zBLtsKvCmy`3`Br}}Z$dc6Vh>qj(o_$_&Z(L`9=ze$K;2;+xqnh(HCV%7Z8X}|h
zCNaqh56>7K9b+$Ib)4H}Sv5>2A%i9%NX2JyF_W43i|2u%poj?1iB;3<$~g9>o}j^j
zM=?qAMn?R04y(jCwmkPXKlq^cV3H+@i64HP&=x?mwpok^<hZ~>w}^7&7{V%bjexCn
zu8V(-nkwT8*{YN$xm|;|Zg%z%tWGA=LiU0vRc=APhj=+H9i6@Pg3Wxlnx6q>aZgM3
zR*sTCI=aN>=IengFAq6Rf`eN`1LOJa=JQfh$3HwzT$Fj<i?Gd@wJULb<&IXV=`r6u
z40o!S%rq!mM)bs-+WY=}F_-P9s}tjo4y?K&=s9X@TzVCXhDl?&O0*Z;LRn%*5@Hq>
zC(l(oly-G67?e#`M-|KlarI@kauDw9yDOE6*3^e(xxHgPfA%#NaGLY5S+9Fz!RDAb
zyv4MJ?fRwcK}QMjyBHw8OuV>|J1;@bKz9j^e0O(>ls7)cv#e}Ts?^S|M1fTB;YWlP
zzDkUnzjn@>vV)Oc_iQ7BesT)E1%Nc_)eb`^M;8E3V`ID4pK@)ET211kDH2=urhOL{
zzD>mOx!GXn!iAtOf$kg>dR7VvanWeS?@8}5(ee8Eaq1cwu~<(%osCOG$M3ALr;j^$
z(L|keEUR&}Jlm0%<nbEwQjDgYoP{YJuD|eQ9|}fBPKK2XMY^rMy?0qz6E&Q5b#>&t
zCxZYZIy$73NTtKh-?`JS?b2d)a>$EAeOgesG%?=t@uNdmqP`@=M6$!t>f5(vC~o1*
zb;K>MA>PC72&a_@4egw)v|VeD$+fCK+3{y`aJ04UHMq;`avz>Q&9XZb_nks#GvD%?
zN{d$e&Re#%(rs;#@w%zH9c%_Xdp6V51Pnl@Nom+rO4^S{9;des$+pn_GNdzyhx0=>
zGs`=6KS+dfCH;7l;b1g@OmTI)u{z3wpDaeN8NNRx;y9fs)Lo0`48Z*O_)zhHDwXey
zhfc(b9FZrr_0z)A64uF5`s{q^D#x`VcrTSVu$UDf1_D&4if9Gu$9++;iV>%Wgso4T
zhE==7SY#-Fm(0B+vBYhncY_XLW-66Fq`g(`$mDsn>$S6k;pdkbTeY9k5<Os?K$o7r
z{r;;s)CEU-o}SzDK9Fyh`>1b{lN&;C_IjaMkf*QTM|<0FH00JCw<GEF3a@P=+FD_u
zu+$FmwR_Gjq4rBdOB+$6-oeeyjc?y>v}#m2l<sX2)mZCaaUU8S92u~0$StVbYoR7D
zej*jk?fAO9JTq=oNTzE69wb3QuX`-T!W6kbelQ&Ep3vb1Me`o{H#aj~ys|Fqd>;b`
z@*F2ec`)rV8aY6j+?*WegBg#-BW4bcciGt_cW*x3o<AUSXLSWYn~~9AJLgbQVW(EH
zKI(BY;k4Cp9n$^j;Zo#PlJhsNQc)V%{4C{g)a@?2q#&QY`AOU3-r?cN4hsRugbE6}
zri;>t<ysb#+Y4me+(&%~9^TA8qByRECq~uckpHQr4kwwe$F4k&qO|90A(UD{RwlE&
z-4ojJ@im5P6Z+R$np?v7-GE}A^h9)IbiP<nn2CFHc>d=DX>ptYdY!@2U>Cc^YaD-3
zptb!@P0i;zr%sOQbxKXERe5aS7@uD5sGMq>j3#@Gpr3!SGFtz}kMne?AWDPF3LaIn
z*_FW4y}6{lxEr5}^!Y7^-`6W-CIb*TK8gFL?P2<d7eMWKfiRPj$dV#0gD~ya$$eu1
z9=3f9;WTa0RNIaI7aX_?;*OPx0#MWBE_p95N<>D^#*3l`EF2$9$)(zUAJgCtd~r)K
z_WDYQrO`d6D^8ubc#%9Vii7o@Ooyw{%;?&#7VRm*EERiihP0N96NaJ!JtMz=XI|;z
zx3wS56o*_tRy*o+!kN(h12->Ed+<v#20?vSl;y&j=6%x>n)~<C)Otuuhk-%xiUB=X
z(@@z*@lrwcU{8j&4j1FjNT;8P)Cujk9BmDK6a{G&tPAJl9!Qi<a^eui5RldtS5%a^
zI?lm1RLBgRGNWAK5cJACYEr%u=P!ZplM=IL15`vwAYg8t!f*C<qGv2(wLKz{tO|<7
zng1&%f^yrb72!tzS>Axu0fG-erL4O#|8{b^olkwQj53KQ%dT_3a57yddTr<NrCXYu
zi!nHHHu$<@GuGF;^xJ2$-+w=+i9C`2I3+f87VQ`N64uB|R9*$5r)6>)G?Cmp&)$C7
z{XvfTv8M{sPl2-SjmZ7U7QLlDj&f<yW;q}gaP^t5c;FH%s60k4`1n&^H)>kzXU}XE
zXL{fNa;&J|kMN5pqscSd_x970m;X50u4Z1Yik6m^hK8Au(HB=0F5*jYDi4bH>vM)K
zzq~?dvo$M)tcw|i<=EKR#;RL^yr;=YNfD?XN3ON{8AQ4^{hj9u%E}pA`Hgzk0s=39
z71y~%uFCt0=+_I4a#3e`9u^%vKRvCluYc>BAIR)bBE2szrhT20o103se{@s;BHQ8i
z!tL9)pFe*NI@<PbRu&EDrxFrvK&i(_ilBjbx4pGhTvq1b=r~!Vk4jF-!J$HV&BxdG
zXn+4c7gsMsL^T~fJvthi)8RHPIVCUe_|VW$YinyqhXp81QWyn2VqZ}$O6Q;5tc`r|
z=gQ{1cwu$ae3N0f$`es1OTz<_lKbe#kGh~_s;Q}Y2ak-XS9MfaPY>p6<;v1<Ij+Ws
zh6<EZdbh{2<$@jnT)tkB)86WML`1~y?yjz`u6*`3@Zy1ifk-w|gHfwWkufSNJRD3W
zx7pd1D|2gVcm$fmsAb^P^4`6>MM04!zYsyM0^(MIR&|DrQ)_iDkMWWaD(kQ7s58(f
z9mS|+Iavpk`#dPZy}k0FaHOPAVC-pu6#?W?U*9i<x}R)pY(Pc#7Wj^@<ECqFzC1Hi
z3hoYA(5e{_9B5yI;N^7@BV|df48#Qgrm603S$+L!a>19HRdy{M9q)#}XLHiPZGM(d
zu)&MM00qn1a4|I(m-<aCr0*poL*(NjEwd}S6i8?sl9G~O+(4QbR8?t!R}KJA&Fbpv
zwuPUNz~p>)vX>^K%CLsDbx~Ltj%~S4y~lR)0H#dGL*zcP^FheVRNsCIN;Ji-TTD82
z%d@j0XoOsLG~_}zv9JUT?!{zh)5;xUoEMfet+KJR+g@LP>_MO*FW=kU{lV>f0k(sR
zw6yfW!9n{tT%L?f*Vvfm?s~YRinDA$*QsZr3l_eZjBWF4ZUZ#)=<A2i6o>Z_C_{)R
zd3df$ii**(v9Fu-d<3xZ@uMOmsUpNlh>7noFgUJ^fGAfEd@&J+Wp{v-q$DVBuu+v9
zkdj?WN(wk=S`FUAE-upl0xC4Cy{3Z-czZxmi{r4$FDQ_ak<qDhtAu~8-)Yw-QoPuO
ztLLA++-CL7s}Owo;iXzKrdUJ(Tsk-CtvkEB4q!dn-Ubg1EFBOltSl^}RrX66QgL7z
z@WY`#d+yxAXL53KiO4%@^&YjY`JhV5%gci@(OYS2WM#F6eM`jK$A=Ah8WbTkoSe>+
zb?&e!cbA93rgQG%6<JQ6nejN@`LHF=fge9O_;`@dy2LudvrTL_*6&9A%4)0@2mdG?
zY450gXKp9Uu{S%(umu*$Kh~~32f|5gnrygM<<3#V`X?=_G-(a(r}H((F^UJ)LSHWQ
z_7T6Ix=MJK=!p;CO(phI&&V?!q5NTZ#9TV?uI`M~tt<RPoCU9ax2a4$&5*3}gAuW8
z$A;;E9DdsaQep0!3<a&j4tI@49}2uu!ZfP$MS9IFwBl%XK2HYBxuRKgj<Z!;dQ_$N
zd=^pJnaciH^9BRnF@k<7!F%U<-<{`v-MYsT`5$qJKi5;<#lAO+{m-jFTwu&fYhikd
z+=2aq*+U|{m8VhGqUdd_(j6QZ;E%><5&rKeT|0ij_l4La@MGU?{mWu7?G&C59Q@Z8
z;20<mWPV}$bI0>?jUKmM2;!<9u>64%nDBV#=C2u~G_FY*F3O6A;(*l0vQYtDl9I$7
zr=e2C6?sV0Z|5{U_Ni)YIlqN{nLGXFdK3QmxOtyxC$a1H(`At=+k)N1u6er)3no|9
ztbMOM$0!yc3#KDNq)*sZpTD|ix>gw=P5n#Kf+WS;WoKi7Oh#{MX?C1mnj(MQMolM0
z$gaQ|JxeT!v){S$2o-1A$@Glt(Xbr)q->hmM3*f=!c}tK4s!a{VDds;<@s~+hM%fj
zEW~(9-wOXGe7NkR;KQ*#JccjPy+r)(pD7bwDE)H#X-;kupND4W9?giModxQzyGVj}
z;^2r$yWG;z-+}O+L1#xC#O32-Q6TzLQq&ELmzQ~7FY2gJ4}7HgnVqhtC$hJ;(k&3_
z715CEzVq=Rte-}{Ae%iN<+89)?&j|GE>GLRHV(*bYymL`heV-!Ho%VslK5JVMn=cP
ztjv{v7;&knJ_;w{_DJ3n|0}6jlQB!?a;w_#e<qFL6waQF<aJk<Kzk&~Gc%22pwA*e
zc>@oa%grVpAAyY)YX1B8_lHLUZ?G*Uym?cv&P@ep>BI<&Vy$*Iv!=%8cz^FnyHk42
zv77m_qd&gq-WM{*OXR>#C@bUbt&;5Q?U8Wrj)&Yr<@0c(VzwSv(XrrmSl0VD1`JDH
zX(xO<6iZ%BO+j7VdS?-$+int9L}Ikl;<t}GP!(ERn}N5b^$jIQ`CXd%;`MdRwze)K
zgT^G@qtVk7>KIX(#G26H;LsT7w-x)_&(4sxMOpRpG2Moo{||5z<#NiQUple3zoA%E
zp<rwrTvXH(OzzI8HL@@}E5u*&_@f!*ir(}q$=&<@OcTuP?3<g5l}~ja09&f#!Fe?0
zKW@}XY-P}|ySsb|xNUN8%G(J><!ROGHTxK^Qz)<XynR>;<z^1?qbSC*aw{?dUKd%V
z0nkk@b92X~q+FYoV`1qN4Qh2*zP~@DQ)xEzG7+efB?aZrx4C|WRtN-xm;cn%J?hNP
z_HmCB?VH}=k;+&C@d-dOVv^!s$BTR=^lAPg28NB}o+Z@2t*(_-4kkIb-8Cq%dpLmY
zY@V@+xCPfRQaopDw@v>1L3eq9t5gSntAqmBM<4I4D)FC`SOE_NHTXd8B>H6+C2Az#
zLdp7wP~v5j_;#PuzO&1-aV+39S8%LLLY<TxE_q{5Pv@sk?^32HPSz%BQ@;eB%+DJ~
z#c4DzE6K|CDz;?=O2`G2H#QOnz2O1d*!Cx1YS3#6%cE%cW202YQhm3Ei$~!O7N~9v
z#&aTiTGSc-{Z45{e%ScevO9uEGM2R_E6ZT|GeJyV-P>;)UyHzYwd}saR`0sES#HIz
zsxuiJ?eseTs#2NxVg(gd1Ms9E?!_=%zdn$WAyA~6CQCCl724NpDV~0Bwg(;mH2UuM
z6L{0?Y{oUe=Jxiqp8KU<1781vcE9+D8AL$wHCd<AG=*Jk<cUpq&;*;V6$5z7^fYsz
z>)qx$^=oR40tvp8;FUE`XuB<c4bmuEUh6k8R_s6H={cF9&Tc;j6pch=o<_X~X0hSw
z812MFqNODcFK=dMhBhV!Mr(Wf6Ve1uTeqj{Y1p@B)zlAP`UsQoR7~{tYGOJg@6oX*
zjnAfI>pqqYhKFECzFKj!G681LRQ82fq2zw;)cFUue*tPMM>#*O(^((?8~px^K&`mZ
zfLeh(JVO&~0pu^;I6re(D%-#0QDk!aFE9M|(O(4Tsrvp;*Y2we+G*bWXMjc<96)B(
z@hQY_=Q)1~kxm-<q31@*^x1!8j{p7w@{8v${Ze!N*FdkURm*;U38{ZSv)u4h`lIxb
z$CUVHjL~EL{2$=xzrTR|;%#tb!jC_tbx4B$o{kIiwTWKXBfaVm%HQmhK0t@8x=;EO
zdbl<qlxhtMVjxr<kO*@BOVNdJ{4Ym^uS1^3Ka#vZ;=f*z&Nt+jK1*Ex%hfXtn^8>)
z8W;R4ium{I`5(Ud-Sw2*{CqHSS!>LT``${{o%%Z#fO~JR?Y7YbcG{0!T}&JtLjwb)
zRaGOsy`lOl0HixRJHfq-?I)zZoIl<Jw<}TRSZBbi47^X0b6S2)Q{LX^(b3WCMBrl9
zkH7u4&-%Ek!0t*$Mn*(L6e5O;i>s)j5(VaGIYliklJO6dlb+xx?aP#5qNTlb<;t7D
zz>IQHVd2WEDs^@Bi>Rn=2KNNSo;=A&N=gEEeRcH_*qYJE0X_qo1t$2*moGg%A(q)=
zN>GqJc<=!ZbcuXnVF4&Y@IYExT5>zCnwvTWh&1pSn`P_~3;d(FtMl#FHo+f1IobpL
zbD=MDVf5<NtKe0J5{$yTe{itZ0xGt0hZS`nfu2g+x$tn@s@voSgL!I(hK3;dWBWIO
zS1Ug+ucW*j6CFKFJe|XG?5Uj{kIOdAxXnUux=m$GT3VV!6k}0QQL7estFZ;ZEG4h3
z{KUe71RI+?LcBn;5)3mQD<f<XpA;svW*%xV)Xw4j4J#KcKBQmjO>ct=3o1t~B_$<w
zbyFiFFgv7uuLC3a`=X+a^>qSvb5$sL<mE$UX^uf5eG?E+TT_F_s7Y}Bx^Ov&cg(_a
z*Zd5iEx?YX#R0ZKkt*?x8>Z&wJO<6daE7p|Y}`C-sDN{yiNN!KQo;_kAG8|?iHZU%
z1$O?y{(c%&{tjKMWWOf8!<T-3kD#f+3l;M+I(m$b3M(sXMRj!_XeXCIJMq10Q>kfa
z)zs7k=Y-6ihdsW^{C^x?c9GZd|4(UG;k-rVUJfgnoc#QtLFd+TKG+&Jx3*%c<>chR
zwhQOJ3<XvG=Gz-d5Hde(`5-W#76Aw^@y}05X#nfu9Xxv6*A>7am4Kab5tsuL6G;8}
zRaI5cDl$=F?PY1MrxzL#p#<LQ_qmV4sGw%E7^{$@3cHSr`-X&@oq{4Id-{F#=H6aG
zR@T=VXIpo7cNdq#%^5I!b|_tyao)otQN)ns`5Wq;uJ7NfCv4lp8lhiFiQ{(6hn|bL
zxVX$rBU4jTV`F33+Mxb``J2OHgc8qRCjLG)81*==Ub>|A-k=4H=t>TT`ubo#0*7A+
z5DH+E3L;>pxN|2Dc`n!dgj!l!z<G+}-vn-}z&CG*?>>HptSs|e9wuoba;d13vV8ph
z&Mv765MJs2St^w&@uZb6#j7M3?O(Fs+T^8xAmo9JK|cd;cItmA=6=a($A~+ro61*z
z#;OFWA6;n|d^_=pxtK~8=6ODKLDe`#UVBOSmudjk<s2iFGj5p4<H3<CGv?gU#Va?-
z8*_YFCO<)FF~*?T87T+G65ha2RsCeBL#CW{<m-G6X^sKlVA8k!=gv{z#pZhB*}~@Z
z;?sWAc`AXQ6=8SIAK^ZM3pf1~zv7o7zwqm2g16K|h<mHXy2Iny2N`h97cqX%7!6e}
zD+K>fQ(e(@_&yY`e@W~<r@enhXO&wYC8z&VEdP<@;Y~#M44OOQI4&WBAg=I0fB(}p
zI)477lq_(!t~ku0u>|~u(STHRMN&;IrnCB*e-k)2!9(vBa2|?cT0jLi9!W}WZ)`wd
zf|&mB;X`|Sd$7U6F$V^EFpf`7hG17huL$r(A3l5lfa&6@s2HA`o130)`1EO^B-Jf%
zgC|eGZLFrDQC(fV1~yNu(6~7IYktsw;qK-}OhU2{*{TKP*M;-vfjbMw3QbI0U0O0T
zG=zqkGT=8dUJe;kE_<Ct`C$9-W4XHl*6;a_L3|B-oC3+~+Y5c$7O1Gc;G%?Ziw*jx
z*#i6Y=Kzgrhj#+W^JA5^;^LQ~aJgqTm<L1*1p8M_Q(&G|QC1!q9fb~;N9nyl)BpvD
zv`<@Bg2lX26U?{Z+lzu;ubKSK%}q3NNNTk7^gtg5zIqibo(>HYAT`v35%cGRwE5Ph
z^|GSCpWIBYi|ScXvsZ!sc<DoM9Iz!qCsGw~ZY3rCot^nvSz@2uRo<z?V>=DxxcS#Y
zh*W85l;Cazi#!1lk*l*a12`q==w4e^I&J77E0&hG554BOLRa=TruB;Mv$FPo{p!>l
zOb(2mjjgSjgOlmioJ;Mjf7a40Q?4kDh$nacvtC{B0qF1nb`&W;Pu2l5dwK9h_%Z`)
zk*eh6U1nzRMSHG)d#J0MEJm5a!Tx_1sRzzKx$!534fyR$i90hhGcZR{Ogg|!K`#Lb
zS2z|078)A)y_oj?{&1R;i!V}W*t9sgxLll^?()B3prti2Hhx^UK7>|HPfeW(jYG4R
zu#F%90)_1QlhMrjYy_BZg#bbJP471*Ks{VrSl9>Lz^ZqYX>hHrtxZf!<g@#stE;!y
z2H02Fsjhpgwbs)Y$G<i<Qqt4s0$wmwfesfsI=Ybx>r_c9dKwx6ZU=KAAt8k?hK@69
zYdUgrMb2BZ(BZJXy*<+w1yMMcIB|28fs2Odm&^Q}k5CVvfE@;2`SGza9$sDr@T&?6
zLT?uEaAnX$W70=er0NFkJRd$hsInFlYYx3FF<78e@SYwT?!v>vZ;1xlt&R<kj=DC!
z!UpnJiX;l@Nfwuuo+!6UQoRF)TL%M!AJ5L5Q-tK<$cE}}b5al+?>68&L`N@s=})E%
zK~}NR{|#c{abR+S01~&4{7d+LKYH^oY|Atfz^_Xt(^T6m?fHE7t(Fu^D69F_?R>yO
zJE;!<ZTv&mJ(O>r{~oUWMs#8T!4iG>Pn9zNnBq<5#Vy{~?BeR$5ydNyJIlPhv2sZ}
zqfP!IL;xm6c_!*Ov|M$t5Gg`r4Osre<DZ~*1nn34ZIhQ6>Y6h^13v#lhCukHG&1cF
zR_uh)`h0nLx>-Bjj~%ec^EYKgXW&1@OYBJndFL7ZJJsCTCSHGMPcc!P48{=`>U<&A
zx->#Xg$%lHssE5b{%cM1TlI5S6<{s03_{`k{@;ov$Y1|CkzW)3Zy$a5r?FS%kFc8U
z#`=4xeyvQ3%ml$@vOn3cQvdn?NF|f!O!BnShD82)JApjwz6ZD#c-~6;rO0>hR-$w~
z2(MiWO-LAr#1BFQ^nQTXd3}8yT=tcke7X(Z^Yind0zk7K7~K^W6`fpNJ=Z^?LJ|Na
z#UGz(wLe?I&d$!-dIK6}pl!yiuImZ_Clq7_HWC7Xabx;RS2S}fXcFw~4qz^Wo+H#P
zW5Cq1va(K2PR`EGA|jum`(bZwa?;qbQZq3o#u+^PpjS))PzKZtt(BUkrUQTv)lbaf
zVy}?>w(#mpqK^NHKAD3Y7J6rPS4LAsgYu!Hm4TtOxR{=f&b0p%Gzdwd5waR%xyPks
z;cGi3Lo?<(U=IIY!o*=up8Ig^{)pMhJaptH#K%WhL$Bd2;A|p$9YF)xTOP(CAz{Em
zJKSB-P*C`E>hi3#l<hY`0jik!fV0mZFh-R(>__}^VBkqfOK$y5Pmlp9c4!F_2Ry?N
zP8KBG0rJimg~NreGoA8(@NsCIoCFe54|?!+c6Q+ALE{bw2Zs?UxESuTv0e9X`e|-p
zWMGh@i`cxc4j+7wZB%G#v)R^r5A@W34HeO%AXqJ}tgL_m9voV+vCwA|8<YK$!+hYs
zjyS^z)p~5}eA<kX^O4N>q<hUBhQ8@APQYOHuCgEqz@4YFTIfkd-AbrAhkCWpF`4YT
zpO7RAv?|UNY%ovmnn^`F{Y_qc2@J3IaZJg4W5iK);Pr$G3eVm8ASqtu^RDjYuO^=(
z>C+%k2T|i`a1Bjj_8iH&Mm-@)H0>F~D{n2nBXYFg4@n~8ijeV3{4OEYmo?Io-l8aU
z!?80sGJ;MaHh<xxReo00KjasPHd)zJcGl12-vB2&RB4vqgj@fVNcS&Ta*N7MMIBxl
zJ8TJW&=>SPn6O@iAQQaC3@7wJ1IeCsUxJ_mfBlkuE8O#W+umC^pJzriJ68g_GxYZy
zGaWr0U8JN>i$gE}CMLN3&W$LLB^WwV1LtpggJ<sU#xL5;AH_N}<-ze#E<#=ZzhA5W
zllQ>*$&i56{<Hw{ur(w{NOyqhpw4Bg-R|v46^-y{YSRA03qS@{&Fb=SG4z%B2tbqc
zbdB>C)JqG#B7wvQ&{VNta0N<wTwx`}tW*AR0A%vGN(u_8HOxqkG^?tLD*>Vb;KctB
zPd+afZc|c1A>{BIG68n%%H_+K(a^rud-9*m!((4lTML5N)bw<5aq;x@w3(^tOAMmH
zti>tmJ9yNTl&Y$#^JN+sx*30yAATp11j4pK>r4^$SAM6ya{yKcXify(7n=7cV%f}~
z4R-$G8h9u*tZGZ4B`I0Z7n(7k<1!h*D-N~vojZ5TbGo4Of&tko{7#leQ&aOA4$dWV
z=nUuM<6~!M2fBcUCM!Rmk(*nCBBVWuza9<)Js($pYQovAk#<(t*x2xZL-Pmx89L8f
zQ6bO&O;&cFm*G2T1Q0R^9_uVQXhb6}KD+ZDfdg667#HVj*8+3F<+^J=697cYcUS^6
za?lHF-H&#m(YWAe6OhO8hNz?CUdG{-OP3yriDeZOKr3gBQ&Clw3-m|=um?2${rh)d
z3*bwj`z@V`I5HvvC=S53R?wZay((1-UDBWgB3u4}h5&LNV%sO;qMRI4=(hss;RX>_
zPj3o(k?r9Rpea*PQUY9uPB2V@yN?exXR7?*29FRx9Uw(VON)(m9{OqM$QWp7ZhGJ6
z=I(QZF$x-Op6@g(-)Hjy>0n`M8Vl++8muVrG`N?2w5seX;hN@qQo*4kE+Mh9ybLX$
z^SkJHcY?(zVad0(*cdp>ze1gT0AvKCdI=3XdnBjcztR(iPo5x;1e@y^<`O_z&g;BM
zIaCPYLkb#Xx+$Sy4{6)n(4Pr_R&E9+CTefMRxwziQBk5+p3vURau4|r`m48L&u1Ls
zqMe5pOgPsN@pQ;|ppbfF{l;b7=j7a39Y2Dm?ELI(U5^`G;h`lN>NkjpxH&m{EMVV6
z9|mD<Lfa(tQ})yY&l8rE#P7Dh4l7ShO$}@Jp`(L=it44AD!>=2KRHd-M^=#hVD|u8
zZ6)#q2RW25Z8Mt_@Ep$f=tD2-wgccos6)2Ft_^&IdpVqyC@8gd^TF_VLU;cq^54KU
zKBK17{<<zKRBbJ9Uvvu1jC-6ZZCDHF%nPH!!orM<jO~nIA|NFty^a8f*aT?Jkgwsu
z)}ZUcZ`bLS+hbTV<%Dyu{89}bTYYAqL{ofdr)eCT7!o2UB-EIh<biA^J=$BF1BG2k
z$n9ij2sxYK!Ogcci}lcX2wRMpfB>8m3(&KB1gHVd8z9B<KyFm5rR(-QY|~Qn;rGC(
zxJdj9YFC`8GgZ&mC=bK}Vfq>&A*a;@&y%Qs<yWQviNJt>=GNAG(8w-E`Q*tHNOPL+
z|MHL_D<2dKb$}qy;|sovYG`AA`SK<75id{Hd%}Q>?bJ^%G1{7&(J(QSpdJJy0Zt0h
zfE)HRt=EBt+!=rA?R`hH;wjwO?Qy^<fWilXzkwz(xG%}c$uTi8bdKgZ>6MkvQc@iN
z&JFGji-OzCur(aa+AjFNVf!Gy!+97{fqmJ>s%Aq(RW%w2I2aQk@`gZ8NofFXITG}!
zt1nW$pX&u_ozStQaCx<H?*R(RjcEiTGGv(zhpoclcWO6B?I&U$R^AAn$hXzDPy9|@
zvhX$Q%wPOK&;0)Y$&i|F$kDXsj~%+}?tf>*k<Vmcx^Jg_x{ToS5&fe`#Xz=Y&4)tL
z{?>i)LU7K9odh_Z%1&n>d^je(&OV#N7q8uANW9Sw#1u1<&q=>v;;aOio^$l-CNCC>
zQ+{&4*(CIiZSi{V(k0$_v(4(A7i;g>ksp_2X;LD0kfUAm7>()NIh5aN-rwbfTs-V(
zG?LHtKW^}R1hM@r4tXv1pM{L)b99vM3AQ72@IuuAgM;$zG9<MJaZLz4`d{2l9q(5W
zFAljd|NQVD6v#h}1QNeXB>%@chaUa!dHXNss^3cbf6*%c`hpfwS7BAvApm1_R?D71
zE@CfT<LTm*1Oc#YA#GOOV$e>Xrv{?)GT_3o@$q`-JwH5jdFR^J*_lC;lb@fTeNph`
zl}hKWjF+{v9LkmY9v*zca=<kHLFSZ{jN<tP25MK?nfM0|-0}28*e?w(q|u{H5Q5(Z
zcrh5-U~<iml9u)nMF_<6y1fZkDE7g5SetkiXpamn{Rr;Yzf<x4Knd{%JRFAJ%P0no
zjPW{@u5+4D*%(77Qd6nf5DZpfcUu1j<4|N`?isd4GC*uiC;K(+kyHLPXW|MYbL_&G
zrl#A>%yN~syQ_aC?=4wF|H1ZWj;S7$Z4xLKXp>-JeYkR;f}#OPOUR+n(+TW&&ux*z
zL$y@qLey+o8oq-cI1uY$`iWesh@pW&cQpd~Ss@7mp}&pv@%+X2mGPcFVon(Ck+d{i
zK)H`k(;GsT=v=SGz6lsn(JFVQgyC{s!aPnhl6(C_H_J~atlR4322NYE-s1#}zu@eN
zS@~Cg7IZjMc)M-)h(fuvv9SS>{a%bD%roKlocR11+4XJb1!Y%6HL%LS%VwsfvEKOf
z4;8_*Kf3ZA&r9H-u#mLB4dT>YK<vST2S8u|^XujH2|gP0v6~l$8(6N4l(uSR6C2pr
zywA-w1I7cmb!6mmSXOn}gWBQ(Dr(=Yf11nas^y)vp%{Z;3F+frj5!$2yo2HHvd1}?
zo9DI4Etn`jqxxy}09mY%gwM?hI_DvWKxjpdOMtBdfN6Jie6-X|C8HxpDVItnQ4*gF
zx>=$Gl7XUr>fpfVaa<vg9L?`}3MR4Zh(TS@V(1)ISmhRb*ir<Nv-0weSIQ@$sH%R_
zal>asK8RFMTRYJv8>R$^a$H46cZGg+<iw4uo5u%R@V!9S0d{Z@6g;<uB=Imwd9wD)
z`+-MKFPBN+f>0gt^Qz+5EpFU@db1BX>Ig7_1^Y^d$c65VZ`JUuSx8%0tiZqm$V8H8
zEnQt8z7TQR7)VQZ{-#I3IG*vm<m8Xz;|X;DO(f9(;rs>(2w9#;3J5g7M<c40in-$;
zbVCwINlm?Q_93{V0Jh?GFjUF}CCgC*9^AG72N>K}4$}{-3NtsMGrJCeb&|)S37jRk
z`j8m%^5xLB8OTS68(+v`+?({6-J$O|t*%bnP=&55H!JHEAvJm9z<`pw=5|aDam3*(
z6m>Gh<ey9il0Z-o{|=~@^4cSNdp7r>mKKwN93>wgAGoo<Wcv9hxWYXgFn9={19Tsd
zi;8}M0Zw##WBse`b*;Z^Dw-AR>)$^C>*(rwB!a59*1Rf86~;_0uc-KAY6|$e`IT*v
z*&%}VIy%%C=wpT~2`oZnR8#>>f`Hu-M8;odGxHj5pO25Q!lRsJ@fl~J^x)3j<Hp0q
z&GPdneAf#0PXhLu_egi^pD^e*2N6SS_vGYcPmeVu<VTMl0YK%1wTBx11dw1=Wu;Us
zYj#$aF)+FJV)EX;eGCW{(072tT2HDkoX&g0wijMrM7;g|t5j4}0DC2+L|_^JQ8crg
z=GlA^nOBm4(LP`j1bhG7FS<^z&a%R)_{>cvAY6eG$;-O~^H`uk9Uc~t-1gVM(<)?S
zah9~^D<%$^71TNaP6v$*%%Rj&R4}Y5$In06M$z<hADXrrI0Tix?M&-KHT6~W;s)f!
z%YSIoW+pFT<`fXx_I7rx?CfQwr3q|i$`IO5x?u_gfDc0p3nbRS<lBF6pn~7N3Y;;=
zy?ek_rmWF%JYLI}rBTk;G||(0Z!;r4!`$EBFPX$Q4&zl|$`K5jINYBOI(PQ$4Ynti
z^kf1D)h=)!$lSMk5N2x=(|YYki07VEv8G&7Qe61yXnt6JKl)YJeeu+UmcO^Pj+B-x
zzvn17bS#dHTzlW5OIws<uj>0=)t|k{Oy!cCDHj$OSze&+$!W!IqN|4%OCPIBpVIV>
z+rIv6?9!p;+7eq*WlhKTDWES_SL<NDm&*?z&LIjve{k1oqUHiRUiaic7)hjBnh=E=
zu<}5%0Ehyw>A}_<?Q3AK!$@zPXw?EwakxrkRZ|2*ktzjgx$@z0#vtWUy@>?|U*O+k
z^2MD;Y;r^C5G=V=nX)a#Z&V_wZYoic4vaW5v91tUH4^n>SenhJV381s$=El)<~7*A
zTt#M0qrc)vVda?FJw*IO=0{vyiRzhR0i0kuoV}lo>BiKr>8d^Eg3>jlhc9N-)E#cL
z(1#vg%r|?Xa&@o%0~^WLxTR}VbV6S)_9~FP*TW>No1)yo2$IoucH6u>Io7DVD+GrY
znplm#9{Wr&rUC(;wQown{c8b>cbJEi9#HEoPpzvv=q)XsDfChX68r7Rc+maujh0nB
zbi>JkTbudT=ek!b5c#Bx&r{j|`Zadj`wkC1Qf1uOPFjX_C*NTQ5Q{nSv|pBbkRv$;
z_V1_<azrWm=N7WBsulTO(UIdx4AuFjr)+#y-f*f8Nlte24TjZ_yr3r7DYJ4{LXi^4
zg*gJ<r|mpPHd<#<$P>OJgCv{~`B=G2#reRIKNk*7^0%vb`kNN@uIc1|d~1c(&eKc8
zrQ}@f!HJ8(*Ik>jqVLkPp2@yvJ^6EN!Lyfde-ftM>c-%Gc;E%vW+K05r~P%50>)Jh
zUd^+j7Ow&^(lWUWnkI7NlgrB;MMOlZF{>>`*^_0B&CNB{)khf5Wu&D^CU7ZHUISM#
z41d{#8fJSF=uFZe*l*O1x!`7oU)9vIKa=Xrs3miXMfe>lGu@m<8@g?$^q1r7g5X8<
zk{71b0Zl0_9SHXGqaK*32a*<$`JP8B<uL3iI5_y*w{I||N|^)KPY7y6s3J_4x0MpF
z$9ln?wnAQqMhEbpX=w&9<_gNA%+dESod^cU34zaxips^=IVLU+-KPPL1awJ}>K)w6
z<>tdvGc$%pM&)3t{`^_wbqbUjU~KP$0Bb${dA!a&4(lE$xxh8T{3M7CI0Ett3ZNsy
zEI6>-L!5jh7rtD_ce<}1B35EOE#m0t2;xQ;-;p`Y1A}@mGBT2g-TbCENbO+jwV0@J
z2KNL|vH)n@fGdG<dq9<_6JIT!1vw0^4=C7IO?oq~XTFI$=A++iA>Hcs%0=xddcLjb
zoA=e#kc9^_duizoAVipF77cygU`#MKkB^Jfkd;MFl>x;a;I4m@9vN8@EEbGtQ&dud
zNj~t+#d&$=;3a?}8{!cxAXH8Q$xnYyl`1#|3a3D)eid{+&|H9+0Sz6VbWa$s0>e`z
zpss^ah%go8YmvU;Ua4Ulo}W-Cd_FXEYH6w3X=4f`8pyP}Ym<m~<r8#3?=UcE6+V7$
zK11fV{?K0^To+J;GMJL`d(_zZz+jWxt_y(3{Lh5(&dLRJ45;aK7!;`0SaKak&Sso*
z9hD;Mqh~Fw4mmS){bV}A{T=N`_gr6zZ&?_Btc2i8d7##dU>qDXbEWHEzQ4Z&Kr|DR
zY|uKbt(j{ZASF5RBm&5Uv<mbV+>Ik38i4<h0=xo4x45_%_}_?2N<!nNMwvMwd1GH6
z3lGmRRQ13!MXctQl|^E0c5<&_3B1H4lb)R2aDvYQaPI)44LyBdPft-viK2GpyLazW
zV$;KyeTEm6#+|n>+6x9;;Xaq6CcjrxGo`G2`uzutF<2u!NdC0!r-?6&rfs$f#$Pa7
z-3Ql-Hx`T#gy;;!G>}W+M2Cr%;s`;91;;gDil{=6b8T>NaKhr_!SDfHfpg%7z&pq1
zy4&8;^2h}+NA}yd4;*yBW6mOgHcktiNFO?6G|Fp!5Y>e!Og31)!+r{nifUt&lP{)o
zHBk^xAS;Lqd>-Jl65eym^DEC`|Ih;2TGigco+kc<&E)^DweJAyc@5vsI!Z=JQHqe3
zN>)QlNlT?PsJ>-1MbXwqNlT)Hw5L+h-cw4XC28-yG-?0uZ#m~Uj`REd|JU_*oy&DD
z@g48yeV_Mv?)!f3hZqw!w2xYT$OI^2JvEpPua*-h@}aW9_uO_(1Arh58G%Isvw#N@
zh|eT3x$fRxW-7OEbmN(XhbDhX-h+C6pfa==0H-$f@R!$x)zxQH#Li}St9VSmvfEm{
zv6GI6@Z`G7fU5AuB*eU+6INDMAY8Dx3FK^SY{1@^tQmn}$w*5ZKyR8k4dXL7FX1_^
zS$PXd7WztrcRwIpgl!D|Ap|A(zPRvkOG5>C?W_~9A5VApxz0y&;Qipi1`8O#<q-N1
z8Ql^)jh9ws@w;uM4+p;CG;$ufx}dh8r0*d5YZ(8=s+*=)8L~-e?kn~xtZRHZY{tvD
ziLDJl7WDObq09nugQBjq$p+^OdHneJI5Yt$Z@%FW!gWSV<yA@wlG26VP)|gby_D-f
z#O9zQQQWhB$|?520}9YU@Sw57`2(l{eBa&E6V`_rgM87oFZZzfZPN*`wRRt++$B4l
z&2z8tP||@K^Zd(pHA`1TtZR9=&WO}@lVcADL|PZ`Y$D3wgXo@Y=u;c*Srr%K@EBq7
zp+NTyf{2P!?-yaKXi?=s2GI*uIp>3G3t#4h-EN>s;#8XYUv3KrswmDE6$2OFnr*At
zqPkSnuI)-q_~4vzgRmyak$8=g)St-TM13{Vqb*~d9)kQY*Ws-fHRt7LqoNLY)P&FS
zDHH{6l8RfXG04|4e4l6FK~_uLcfBWRN@K`7IJ=9Uvq`@nOx^#f<Nd)nwkw3DaaXry
zqYX1x(hFaXs@JY$zp<FBjkk0N%L(S`vuX}bERw8coFw$+s<SP2*!2%4e;he29$3qJ
z1LVp-ukn@DLW#FSO5<9lFZVq@n{taKKHkn|Ov<-+JWA)?`}Qg(U4^*v=_A@!--Fmk
zCN(qf4TO;98_3WPBll;#{^{;dYZ#p|-g`B$wSI6V<3OV)kEu}m8E2m`J`HX<TWOQC
zo2WDOb2Mf@n{gj%%?Pn?O@8~vmU!QPy|T{ci7<2Y0rtb3-Rc+Titdi}Q?X6VT3+=1
z9!GDg(`fHNj=$C4K6-NR+Ksb@WfM%g;(^~wIZEWjJ<H8xf|S0-5w()vmeUbrBni2B
zT^Y<3fBYtEaMfAU(irwF^RQL!@z5!Gd0R>CwJJ3=ZOLyPm#GOocAKTXHDLp!1#Me+
zu85jm-7QeVz&7=O;o!wTbC+MgdBMwy)nTQ}-v{v6?WN~0Y_JqONGeo+^Fe;3FN7uB
z=l_5Df+j+$Z?V5*Y%90wI1v+4^*_HMaysIn(IfrOzxqq!Lw{)X{vY{W>W|cnm@JVv
zP>7%@%aUJ%K=5xA2V{f)h1g}S%9;a9YvAzN<zxtymCzo<k>5&b%lX&dX}3{^Q)wZz
zkYB!hsjHg?c+E}^CT3!63^*$FIw#zfxXtjQ;4U~dvMAh&_IMGCFZ5!8Jqom)s)MSM
zpPwJMECBnwqTo5|o)_jKX~eIX$A)HuMwk?UNCiR!Gs(}6WLp8e!tScQzn>_7gNG$J
zTW%;lV2pa{^_SveragNu;s0?b0onq(f{+E@u$HtNm!+g!<Kv0mcA+65^ny0vjusmm
z8&Q87+uD59Y|JI@Y7)9ZfCBi4MXuW*&ueaO1{dLnXgvXgSNP+O+(&teA3$$YRh58C
ztcVoc&_)I=)N>Qp=sjy;jEFc0r{4Sg6nfi!^MFzl+i?k@daud^T0phVsVWn%2QCSJ
zghc@u1JGF8?hnZGPLV=X!{7+r&Yzdz+ZdJg@kb+u)u|njLTvgwg~)p|^zv0|Dkm%J
z!)A~B_u(*>3wGI-n}fp;+8hve6Kb|d1iK?jQwj|{TxKDbKzzLeb(EsA@-R&KUcBf7
zZ4N|%igb0A`0wtn)>o<*R>dwo7I9`u_%JTQOBgGae|rt?S2V!fo2cY&u`vNN2DL6=
z3pq*2^RF+7>FDftu8~rjn+(Fi9T>Q^epo1vDD%9}ZQ5IbTI?MMZfGw%rjg=Z_F9G_
zLh!8&k1-o*CQKRFz+w9tt1pE}N%gq?4ujmSH#3hr<#Zpk-qX@}GBmS#BOcl>xm2Fx
z`QZJ(tGpKN(%coFUSB%7y)?t(J4?T7S-3gbm~3^f+v+c(iPzpr@A;^J?=bNuCux-E
z|8~mk@sk18B-ht&g$8vl>ME7#*B1%dTAnvo><~|j3y~K2DaJ5bfAF(e++M3>$`zXv
z<IB(NNPMZ^p2Nq8c*h=z^Rcf_ddjaL?kUH45{1|D!HjMn{Yu_=?8MSuB;1+YXXM;U
zb}D;FO>^7A(&CetZooa7&JjG2Z#J26@b9|ruPAYq*eixO_*0b7NGRrylkScFcOmw_
z+?OQ(tge0^p3c_#Z$rjY9w^k4v2HrUF#6e@rJyWK3!A?SNLRs<de7>?!x=`{st1s}
zMxHyM6Q>S9sI~QsygUQtx`u4opdTOD6n#Y6QuIx^_Vy4i0n~=H>Fs?w=@waO>48^c
zL2LfKrV$$hwjm?>Iy#DG7f^|UmS1->>|<goE-1JJ@d$7n<W)%V@i~xS4pc{$Lr>fr
z3zildWi+@tiCmPBkU#<p6c=z#_ecLs`$anuQWG{W2`!_gUs_sWk&)spKw|ehhDAg`
z$@L62%NZFc&(2Pnh`F3ZjR*GmEP=poaqhSESog*D<hP&v2Uen*o&33)<ug`BUJD@N
zCc+#9fDqXb!yIBFfP6^7A*Dt>3iDDBcIhCyP!^#g%$=$?0MUsyO1NT5N=eb6965Jj
zYIM}a(^Kf@!s;A>Ff=mKaw!H<vGk)5!T+WfIw34f!r&MZ1qa~FprBR&rSK*+cBVUc
zK^S^(ef>U&KHry?g5vak@`MMaB9(PMF^VkRmq+^likOZRP<gc2g}+*%@uwDGHWok<
zj<MqdxSE582ZkL`-eW)07wJf`X_F^JjHkrK!O%BmTi3$Z;-}Dh&io7D{llpWpZZbq
z0=Z*XOL3<F8nlC+-mW!oMMez-|I+Y!2W5BUh~kmKC3!yXiH=cAXiecJUH<Xo<IK=7
zJ0nG1mj<?s`)>v!LXGqd`Cg?qO>kw4tjeU_k@Wu6(oLAui1&iDCENmrs;5bV)dWBV
zh)CGkEdb>W%k_Zv2xNn2T$~{qm%*;0Ho<Br;!bFfd~TeopjZeHlPI>dfbs{@gx&_A
za#%a$$N`76UB@o6A2`rUi-P%)#6Dw-Bhw39J|cZKQ96=M<72LB=ck<?jo2<^>vlSC
zOzc{m3YV!MVjFtAfKY)v^ff_Gg*UBk3B-4Eq(FByB<)0sf(=@~Bi!6zM264`ee`He
zUENcPLsk=dGxAnj#nf1$^D8Syp*XFAv1_{N3daXH0&j|oInO6_BC{6>J~R9ZxAPFi
z$)2|Z5tlDqzIaeO3H4N$eWRRzcFO+DSBn|k=QqBeFF*7v27_I@`nQ)y0vmvo<g~Q!
z;3)O4UWFFmb#AV`mX?;bb~u<6NI;qULAQfrKwGgR1%?`+1OY~uj!*mhDkywc`}i~>
z0l;WBl{iI3cUSS~qwz<_FV63epes3kJ>y`T!hivrI9ALdWforPryv<v&JYSW3BeZH
zzIF&Isfl%<6>8Bk4+I7vNVEOoJdSaFeLX<=Cw_idA(UgWs>!T8JWoQRHqajH?d!Yt
z<<*H{<tl+V)#NL1d`>uuvyZmOQpnvZE4lXU5!vHKNkz3q1aK;|YlcbB#=vqpS=q<O
zuWD$}GvM#urN4s0&U8h6>|FWFz@3ptvn}80P^gO#)jL6tq}0BS(C6H-=G>@Yy&AV-
z(JzTPF+ClUPVQ-3ylK<F&TsSYgY}77g`>1psqN)!ubygM!skdx(kHB*)c7jC+OdLo
zVUsv~UV`XIDkSlTy^{woA71$_HsG`R%E*qNBN1>lycm0~kG9|^m;|PMAr1u*W(wax
zt%kKF>D`{}=~`NKC_PR@X`8(ubNY-*{F+B~>kDjSB5i&1`VRhygZ)T1&v;)Ey*U{g
z)j@6B%saq0F!~~fPTj|<KR{*f*g!{qgJ7>tP_fSQ;UT35^+_XJc<BE4DWAbLPR6d_
z^NE|1iBNvrG=--xBP{1uO!TKS3&r!F>J0o_o(>;0;C~;CMZsqysoyH*6Ru6HxZHEU
zoY5#VI~pDGjM1$8J)5C+*DhI(^eNvSZZ?3HuXa%_t%;szqU~*iL~`$!*M-_E=I@Ep
zDSP%?HknSam&pjI4@OK|4XM>Ol>`y)iY;Bn^?Scwygg<yIb)kufpSjvO2_JNLhmbb
zq+3n5|8fh@J!17_qT#*%#lj#$2*VfNsGz#xv$Bbk?pPnU^kS-U!C4sx7cOahNKZ)m
zU}qqr`NCpy>CETFge=uJ;Ux|J10sAI0VcN>i2Pd4h{U|0nM|<{pW(0Cp(>z$PU0_&
z^S@Gk6c$VME=g<=@F#Ne7eC=o#GHvt!iQ}6F{AETPK8Nm@MM4gSASC%ll=g{mlhYb
z$&Yt)`cYH;XIWOT)C5PYdtmd62kCJ4`p*?y7d=mz85x22wVpfufPMe2?|5^M`T#}e
z*CIX5L$3c9Kn>_;IfDvH#-i#4<F1B}y9vfL(5Y)M$*m$04*mNq@tiio$Q6;`iZ5T#
zprhzf1`^G)I3_k$DdGMST6{O;uhJ--##&_$6O(gs2O1TU`Etg_R4?rC9UNA4x$k1D
z4x@if`}w1O+v=r6<+zeKpBElo#;Mn6?QF|%j9XXvI{%^-E|~S3HkH472gt9Yf&(}F
zks}GLC-=z1tpxl<$hLY#`q{K|5taRIrXqyb-6|9x+m;vrZ1g0uCa(h;Sw!JELeAmC
zCXj%GPeP|e9h!|9w9u#n$_gTRlsrae+W*FY)iOfSO#wC0-o2qt<kZL@N<SaG{MH?f
z79fdGHUv^UeD(~^8K5FzhJuhLTNe`{y$=o66o6s-`>%+QCX)O!!6|O^RsXBNd!T0T
zHm1cT?c)(sR0@1nLqh`)tw`{}efz@V;$&x1_GGV|SKeV_@uBz0tdH##c%z%lTu(7-
zF&y26q=TP+1bDD9<o(Fs(Afb)?~efjYQwYlj8!fu@1b%N+f#`;rKzb2rq6=2gNcxB
z0ck&{s%nT(El*h$DLi~QN=svf164@c<0IEOe&F*P!ikN4r03I(wLuDkAO`RZCkrT8
ztE#KP(Smpsl~)7>yLHPJ#q+$pymf#ilai7!L<L+cTr?=fmip(q%L6r)mBG~sprLT<
z*6NV;z{oN4<P4=xU?3+2X$}Se0nHa$oP&WJk<!DR;`jg<qnI0&2U;~UGM<G*L0+u0
zVj>5vDvVq3X<Q(w#tb3vU9(W>_KiYx-1(VPE#N?Uc<Eb4HcVG2@6pUKb;-GQ`7(+t
z2K^Nie2`z(LuoKL+<A)0A~!)!#>$G%mZvHkZmO41e-W=qZ#6Vr+`4rFvNEs$r%$hE
zaEv=CHN4K4E!aRK*G@o89?cAU9kH9vLCvA9-PhX-xISH8B5-ATc~D5t8oup+?K`{O
zg{U}UQ19q53uK5vx3NM@9w527sj0VM5>R&i>IivvWx02y$X`KrgHVMu?3$rr#IBIV
zF)FvBi6%^Iz?GWBELz`q6~_%a&Z;heoV$39_cg5r+fv-zoCBcRPQnl?gY^oVCH7K`
zUG}{;+4)(HMQ^h6u@rvC&O|W|gP!Q<nfY%mYd6qPZr&VxDW-N0UpjF+g*l7HS2Q;6
zM4pRYwq0J0jj&zkz53-~Ujgh$lJGKdyHmGhbQ4DrM3FIY8#RZi96WqD6O3~svuctR
zd%y{?a&psy%SRW^Ne)xsb%lv6zx`OJ%U2=L9FQ8;CyhPf!i<zl4<9{pUcaM#aBwFz
zHB*xm3;?*nA0XaPDvb@+9mYZHBcSz!_;%(HRzjdf)N5x-Mf=!ELYQWVF1pE`-k(|`
z6rP%znc+bp2gT+_H6y|OlKt~Vj^N~bvhVErA|spt9QSl~?!^2ladBtnlGwDgFU`#w
z<{zl;ln_oxG9nB(QdoK73{8kYcnjc0ijqAb|Cj(LNkt9N96ft}dQXZ=y1KO>M@knl
zaRS86RX=5p0|y|)Pq&#izIk&RB{<qLqua$qd%4IMkZ@gkeJ+C^-MIDj&vI-LY&dhi
zUwZeDabo0%(#sSX${J2~xyKI`p0>BQL;hz10tWUo$fT<cs{9{JG&ojiUM^|!XPwnH
z+>XzL{-f>>JM?oIxw(%YKVHYROUSPA(#~|YB$gE{>GI5xQ&}q=;z(oZ9U}fCh4fR-
z0gQj)!Uc2l6ye>kK$#poNI|+fdQeqPjuTmNM1;<7arE%owx2S{s|Ly760$J-C`Ow(
zT2nP(uvAJ)JNo6zPqnqwE+;9)=me~eu(QWP!GYB*DZzmfMV5^H9+7)FQqSVb;5Uc`
zp^+sj5mC&V1~)e9e0&Z@4){<rsC#6G=+*6(eM<ahUGmH=Cx>pXAt7x37ON5CoA<(2
zQStHPI<6v9_B1OBTDk{lAe}}mwwvi=LNI|61AT4R>XTl`u$9BO2Lrk=dg;`uQ&6Pv
zp|C@6XU&A`UZwLcyEKrP1_lG2ot>z5)XtqdjlTm*17XBBE+RBE5g!K-72y8V7xie*
z005MtdN*Vyyz5=u%dAgS&ENp=c6`T=qmM#}kx?6<7s_P#>Jx_-KprHvM;;ApDDTw5
z7%Z4;zRg0sJ&$7t{H|lZ80OAh-DoAY#iIvJ;rHwrO1ZVGS0A(}RS%XSWA+r8-hZW>
zO;3}@*?@R8v&`_3_xu(aU+G}4j=pCoiP2Epo<V`qM+}^yo}@y{ndhbgBNcV+VFM3m
zlm+jSkjSEf)bQbcj!eM>7_;9XmnVe?bM)YhztCetUTxYZV>A85Oz}bG1~o#Jw^TtI
z)7w>#CDx;ag?H->h11kUA1Fw48J5{@2Wxlkf|8oo$JE-Cwh{A4MG#+i2Db3|%8sru
zY%N?ZB9Fd;n_NBXIyjGctE8R_ZYd@oB?v@Z&f5H>;)>{>JOom8NBohxZ$;nr#TCOs
zmi(0^w+eIA4ufK^WXee(AFHnHFd=NkI|$c)W@)Z@6dqcfN<NlIKK5vS4M(jQG4(N(
z1PbKJajTG<yKjEjy?Nwg6!wayLS4R+85wb}{E#2~$)cw%p8tdRne`+hr<Wn&B<_Es
zBYz{mN*46L@+ZGRz*XBezjhzkf)6T#(l}__{AWiZtxpp5bJBN0yufDFk5^v8YEfgf
zF92M#L|5o1e*1;z1FR$@8e~61=w7g;CUX*j78<=lM~_jv74g%@V}#E;KESNd*}2lg
zj2)DnkI%FD5eleIa^R(CzVpn@x+g|IQq-S60t-=^wcK<BAYj8#2&@1^_nJuT+k#$!
z?KCu{wv^)=e$omEI|tLI{l%g~^)36Hr*e6o8M>JFI=b)VJp|nI&>>^sFtKr`<v&6F
z4^Jy-o4E`d;ecr*Z9z##H`LjQVm4`+WUr&q`S1j1<Pb0sAfErC)LCYSF8+iK$&g;8
z+D+w#Zhy!hv$C>K`97Jw!hmc8F~6eXIu26RH@c^5a1sAc9DGnJ*xvs_*!2vQNJyTE
z-56SX==rk1<ZaAT4RiBj3|h!!ASi^a3*;;!1$w|G<m6Hl6XE2(UQC`yC`(A3(eA<*
z#FYgyAE6Ab6*IH5XDNN4rXzhSWDm#sI!KI>tpc2KJA^tKlQ)Fr747VDgm-_RYA`~=
zwg3Zm03-NofMK?Xl)isY&8~U`%ZTjJH3T>JlQk8y>o#qI${HUBkQ#t3dDB5;N{Bqb
zg28}7P3ZUlWMV111HCyO2c;Nsm<dG!(i^b#K0e{0p?j&^Fs$&q%>p2#-j3wguOViq
zAeci1-WaV>HvLEGGV4<Sfl2)HW$bAVpU*~cv06?D+56<zujin2MH`x*^09*liMC`w
z1?l-MUjcs$v|l)%QG<8{CUbUjpl4uUw%4nm{45|tG-Tr8Ma0Am{Dnl#1mh|~a}zLe
zI8AI7kqs1#jjD&Jb<~odoZJlwZS~L#b%-1QhvuOd2D<s23;DN^kT7$$`dh%Idp)K(
z=9G1eLdJ;1`&nS1k%0lEeodfWp+A8O90c8HpGf`U@2a$dL{AmLF%MvYbMF^RpK6oq
z*LOR1_Vftd96QNOSw)WSQVjR2j_@g7;@rm}k3@2uUtd21J?kbivS1Yomy;74fV@OR
z>=*Ol{|5>0kVAmLT}jCd_Xq@P%<;-I{srhbmE5;QY?hS+rbem0O}=9*mu8k>2#X^{
zMpM`b5}zgh{|gSmKyUAQnj=w2<}RrxM~f-NkJ+pe`%AL(cPTW=8d=;iO3DDh7Ek!m
z!j=>un}Dfg*r=(fGSbr2K`vt!(tR|2Y}f!xDV1yzk$dP?!1E4!4@49^eqRF?^`57v
zCj1I;13@0wxDr*1qR<s215hCLHDS)uCOSSv$rVy>e#OXomAP;F^w2WjUM_wi+R6%v
zko8wpSD!26Zh@8#%F{0`EkcJ5CCIR0rsh#38&D(frT~h$efxIO)hm_EV<RI`R}jvg
zJq(Q@PIFXL6fpstAo>wH-(46Fd^I{fhcpF3Nt~pV<a+E9bY-L#6~KfPbrDfL3@brw
zcSc4hji@LRMtDX3OEqw&D{ln}AN@~c(qS}-BLc|@%_DO^YTA27NGKOWyOQ<0kc^|l
zy8`27N=o$5`GEz1+)qKfmMG=}VUv2T0arFaO7xXn#O6fi&b~zBcU9HkEI^A(OHFOD
zFgJZni55638WX6<vC<%sGLbNW+5!~m;6P#({BR}ZO-KkZR;Yh)un}AupvYwj0c*?Z
zrNH~?%xLYMdT}u+WumZbu~@Iza&L2x;dM1p>Lm(ab+A6!02w$MHMi9|%~5yLf~k#a
zvwIWlp4{S+)dW(;<cWZnkzv)PHDGC%q+&w@0H=}AfN3D9SpOTI$I9l8$PO?#6|U}{
z7P##it~O`YVI(B3BjLnlft}<{+ewy&JfsUOnRd?C=TB(&d}0yIJ9=Y4$)B-1h1h#m
zvGO}f>Y8EBluLZCxb0|S13>!RlfCxS{d*-13c!v>P3%--Wik)|ny#~z=^P69llN&^
z(xjbnx*8LSd;TeZmHx$`vQ966K!)T4AJUdhR)v+8q;)H|0!Shr=buUWf|qB&{*2@e
zzHxamYn6Lk)G*K)+Aw>S`2PC^i|gpT|4DF1<$p+wAKOM$AN~oW{49%GCT;@y@|uyM
zDE)%@0i$TkSfYhh-Ij?#5@FH5@sWSa?*7JKe&N?wkz5GHkUZ!w)m2siZA97O5LedF
zaD4Ax(aKP?58=XxIBc&pIz;$^%m~+l1Ac1;&oO`MpLX|I|Hha9B4_9rI#KweqYeiQ
z{31}4uv+g-)Na3EAfPdh8ep347i`_j;HELiOgZVy=YLW=5?8K7W4<hSQN(d1y4sxk
z8NDPRY__qnL90{OueUUeZ19RvmFwHKITOQ$(#CZpK^`bmf80L}08(%gaCjkLa&vdT
zs;8G`H=iNAI}IJvjZPo}{(a@1hS(mWHvr){RhaBGKR*u-)XZ0F{@)P==JYj~jk{Uo
z7es;Ym<ox*lrs>x`j<I5f=k_%xPGC!C(h?Zkq*`wV*DyI<XQ3P*GMOaE!-e9Py|@s
z5Nmouy0O@93iud+ok>kke`+T&TtF2T+l;wpaO2%Wz=b(QoPHeJjL}$wLqi~``kXtd
zgi|3<yg7m4B0*4sCAgB21Z{0ySf&2A7E?zVNXXBecbHlfsC*b_NZ0Pb6?}#nk5))%
z5kmQbMNF4tW@V*;bRNGjj^Y7>=yQMnj`ns^24ia0|EbJ2CJ)+`@ak2N5pjmw9<M0h
z?OT_E3{lG3|Ius(#HlmOoal#_%O&h1fL}z#{tlFY3~x|h*B{(00)0LhH%^OSgnG1Y
zgbDc(ttH?g@n`8gh9#wgyp4vYA7&4ln&s+x`uZ$t>phD@jbH$RjvC2-RMAi~A|t_~
zsxVU`#aYM*zI!2O#SfVW6gsOMI3g1gFjG@=-xhgFGwftQQGk^k92@`_A{7GNiaDy6
zQE#Jbe7FF-DzXE6gk$7R5YSJ3`v%ci*6(U%W9k&<Q~xj3@;=8B_MlMF)qwxi?Qfr+
z7rx7;8N5I8)x?bdeU=CV{iA$mR`$KP|5OP*5jbR^Q;{KI$R?U;x9!}CEE;oCxxh$a
zc~n$t(Uy8k<NR;|vFRU&6QBhm0B(6ZTifj4skm_-oc^L>ZiPglxIlN#Q?QVHd}tU%
zvOkk)1)&F}7)0*Q<vjpg-eW=IG~ik*FbG_!kL##61Ie<0hMv)cYo+YY4iC#a8TsnX
zXEX@g?YSUcI<Kmedo-9{^RAf<ZpM&a;cY(!`epHToQ9ipt3*Go>!Y|HIzF}MrUZqS
zJS8Q<$~gKre+sz&WZ>}tXV?CNjc97mx7)?}W?Acet%gN4dzpJki$h&Sl5uQns>Y*{
zT^$*&ADw15U5Ai#jo|6LOsgvrQ%|TL+;ALV&0t*;F#iDe^UNlnq~(4o74pq%`@OnK
z-=FUHAI#u{xTg_yr!I9T6I$Wo+=%br`;d<i!&LN3(fQ7d7e6B*$n{*C40E??pe2gE
zmt;@h7jG;Q{voXXn{@DRU+!=VBKrr4@K3$#k7DixS_SDlJSy~9X!gvu&|6fBT88UY
zkJsE^>@rvJyv=y+**1c_%3^s3m+q%KwS?kchgy{eyIZq=B#Voh>6LIbKcte*Xk^Gz
zNa~xuL{BbF;9mDQNnhDiY)J4C?=9YHWy>Zr_xm?(iQ+lpSNRtw@u$vfi2?qbAo-KB
z_>Ujg6se-8fVw=;*MzVJhQ-f#j<>n5tw=WgSo<<UHQU=eH$rw^cpr_yRsJiTB^8Ht
z<Eq}97_Ym@U!IY1HzY)tKR{PoTgLD1<kZHpl9JED*<-QiUi%b}XWi(Kwcfx?CDb;`
zk4dG5)yiihvT|*vsrs5;z2dawFaPw(bjA>dT(3u?OnMaRlZu(-q`J#Bb@h2Q<cur>
z1*?T-4`jS}kuIZT#wxW@JllC<Qv9oB0NyXvP_*pB+tW|S7P76=8+WRyeX2Q%pRlml
zC!dQeZ7cB~s@iaqUvAZ%&4PmD<pJ6IZA}*!9<{YKDD4dHcyzTzl0(3PMK!pnPO_5s
zm5g`b=%?dux3}yJkfhB1tm<!hdZ(;=P|&7uafbQom|6p46&=k;FE2Sa+Z{Wm)o!2U
zAtBkZOY-Ci#i+Dvn06MQd!HfJzpGx=WUU1YYn4Qd?}O|4EsF%Bkz2X*=D5(g_H`z=
zwtBXA*gqzS@7uC}-_@f>j_6gFXlpACslGVGsrkA1ZGi3UP!Qem`=(!HyVj9@O}CnS
zJTd(AaIKBaAO3>2PC3@&Iy$hgPP?ITjb?nZRz+D+F;FnOqdB_+3e_}=k<ny>#dra?
z;d4t1Mar;tlb!OpC(r$?yXU5xW@c<OTT;iy-FSIY%tPj`dw(#uDl91Iba!99EAT|3
zjuYClsy6xaO%6=-U0zzE!B$BQYjcIJonJn4JzZLy#sEq0tk3n1g)Xn{7jyeW&n0Mm
zhJd)YL0|v%vxbfwTiV|23VV7%{_wZEqnTQ+q|nucN5##nVKV1iJnmygc1BGZ7LAQo
zlY{!>&DJJ+_6SNy&n_;+f_~VsbFLDF1aW2@?^Y%buEVsDv`pB}%2J5DX=f4%9(l~(
zVtv!;OWk~Vfzu*P_MUNFR+5w~YE0iX(qf;`^j?S0e9&g3d1`T{w!Nd+{^nSiqXsq}
z*O8sm@0gAkyWh0Vb9g#XI}*X{O7ZZCW#xOeH;s*Q%o7{P&Py+n55Dy{j(y_cA<lbT
zj@R-lQ(sACr4S$Q8k!x`6~&C)E6%T25jx!Xj)gORk7Hxbd=UDXC;P=P&Rj0$+k4Jj
zPud>s3qg@u&r3>ptY;+!tlVek#%(diJtRskbr{V>fa?F48onlEJM*O}Qz$r)JpE2*
zC#C8+cS4rsBbRr2^yMaX37maLSzP;T29n>raf>yC)bGnjInVWs&Y{hsN4!ctH8)4=
z%K5bwHhI#`mgeX8$HZ^EGR%BLW}3L$6KLxj)Y3Ef44da5eH7Kv*~rj2k~?77V%OSn
z_*~IuJ|0P#)5a{_-3hvp%H<dh3sXm<r_b)2oB6{#Ox`s_k+*|O?od@?RAZT%z-f;h
z*33O0%lElz7$i{{jYzh5&rJ6WtXlgAxl_*BNV|g;!^LQHkEwA9=B*Mvc<4|?bw_n-
zY^>PH<|JRkrM&a=%=ZH?<Lpi-8j`6FdM#WwXb^oj0|sh%IC1?3@s9!7s#Ap=V($(c
zC<k1_sfjjNR37Or`%qO?x`uqEHnrW?{H&n{m3M^Pj2Wlg#mvja8?6`SeBZo@M-M&o
zOm=m2G@LX`{kS(pMiy&kS?=W;Z6EDuu$nk{-0DdCQ0krf?5hz`QEwQfb%@(dXz{S|
zw_(e^vE0Qtw1cKunc1tVet2;<_mub|wh8<JGqvBZ?dno7Y!Nh{9vc}Q74r2}kqMY<
z9;{nDt6|qw;>GF9K0Ag<M%8;^s&EG#_;U-^jdh8&aHYr!SskXXz7saaafDen3gelH
znmpkam#yL$_u=iQc9Ila#J4<QO-9KrBG^SAOZi3z;%Ci=_^4>D9~XCIPbycm7x|?a
zdCqruT6=iNoQ<3rs-JXuc%rm4+TCM=iAnj+<0*^`Z7b(T-y|E@*L<22xb{plMy)Jh
zC_Y_R>RnsZH;S{VhJ45;zfaZ*9RaB4a+AkZC-WuZGui}CXa)*h4`O5JEO1I1?Z}2h
zsJ!j!^vur>%mX{Cyt?2VX0Bkj@c^?W=J^ai=Y1q4ZSUc^c;)@$k-pq*h>e{AT3W@r
zh98Gw64?6rbstj2A7ylP4Op|rHtkBy?W!uxo^t!4FRveu>^#hLH~K~rn^<)Kg^2v8
z1|uW9sMW%pAx10LsIBa>){4_qoVfbd-N&FdhoIzh$Sk_WD7Q(+kkK#eAtt4S+{vV@
zNw$wsQBZ)%%4L21xb~SyInB0lGaNO0GqX%<%QOxG%}%=cz4H|b+D2cAXjI$Rw&A+E
zHA5QFTVRxI`Bj+T!jObPt1h9=dTL*(ol?8z;*6%qz1OeXFptN5ulU2O*Q^_}XFI-+
z7RJPA!hjk>oe}<?ANSp}<!Rix%^@)j{tG*c>*@l)CUk3ecSp?6@J`Qcyg3ndMslSB
zA^{X_Vx+vbGw8>>yne%mxw*TTsGS@a*ETb0no)E1(8sBv7(~`pe@tv7_p|Mk*ut=n
zZ$?woKKqcs{Ke~E#YKXR@VjY&)E}^=jBs*-eS!-b+o?IiHjA{ke=PH-&FdLR$?!=}
ze{nZ}<ylCf{47HRy}*ZFZsp`VgKf-#L;3l;a1(9Ef7{)^&kQ_Swf0!m;wj(x3FT>0
zDf3wQq2uqu3sYupE7@&4eLAbPyF2M>9c@NN6J~W36pC)z`Mqak6QeGFI@43Cy{TWG
zkE>{_ycv3WveH1t1;J<4+6)fWBe6h7jIy}&=PY?KHSVjC0t;ic;DJFmH)^AOOe2_^
zz3-Y4S@*~JCmTH$5-$}g_sOcgv~PdYwPKYOSe|tJYjUd9_qTJM$%ts|^!fBskNO$;
zgYe-Y!4MCbO)e+L=5D4BJ{>M{^Tj|V<MIR3(?xOt-lR_GOz+l_3=|aTYoMYMnK^}h
zy~QQ0Nm^+SE9>i&DI@V>k{QGE=W8%cso9F{9z{rexi9@aC#SmVNNs$>%a_XsTkI9Y
z#dRx!1e25P&r;r;N&3*-EXCK_nr}-+oEs+=Vt=f*x&x!<*(8NocjxIA-bJbQ{?K6)
zOm>tdC0josU@urxSP1D^j;<VS2#+M8X}C(tYBIsYGgp}O=5&Hx{Sl#=Y*(Z{e#eGj
z4DT=Q`H`9BZGQeU3RG5GY4{j9h8rEp3b$_In4257kTPd)lB%YpyPqSdneF@}Q;#b=
zldrB&{!jxM158YJaDQ|w?$|*?BeB@-C9w~9+V|W=wb0VPo}{X6KC94LL2KpVPAxV9
zep5N~)jKD))1B$tzG@M-GG2Qnb1_`cojIQ=gM~=gS*^NzzqjZns&J}xKijz=!y2wt
zPff`m8y%gEK*VzP?Squm)m~n^WS;Yg@Fl!>;Wc6IHi;%Jtwn{$vEqhfQdg9d$ZJ;h
zT^L%7!(gp>>!qlA-n{KTojAWhPsxUYj~^2>g?dU$4JHB`8xQN2v(EJ&@vI%5ER{by
zz6amkWh;i537%S<{@%fDG0ZO|q^eT8d!EHiR`%ANJ4)(}=>pbvSqQ=>PE_?(AAcFk
zPMn&iEGAYSb{P@5WR9>;#%J|gk8#w7(x<Zy>U=meLk{Xc2l*Xt%sY0{a_@K$D32cH
z>@{<BleV5rfW=LMQ_;CT5o_z1GCyB|n+gi&zAH*{Wi5u~>QyG;wlW^;)INUv{l&r=
zHlfu4-GPUfZq^S3iG2?rF>%U0Ie2^ejLJT1o>JZ83~%1PEhs7qwlK1;%e9WvEdToT
zdU)ien7z#P$)}QM_xUO$rJF{u39ZGb7PlffB6#cOJr~YFcXn9v6tAJC4`FkU?w0iU
zqbziEP|dx5?UkdZtSm{2VPubogw~M<a&Zr?_dY$ll_>?oC9S0&UyW#4r+-#jnDliD
zReBna#NtHn#Rxr_<Hx1zXy}C&MrPZM9~o6kD@B{+q}1ou3^Zq}X=#0D3LI?Am^`D=
zeEIcvNv+N{587`qoHnMT<IVKrGdq3b#yjqoH%E^h6R?|WY*}n7DJgXQ0~=pgms&zo
zkp^=Rwe<A`wM)16aSQlz_}li#-k%_+GWa}bIh`Q5ckgV2ktbM=*o1^rnt_~K$XHzY
ztd8)qvxf!;bM4MUHLp_}cNwlOVD`^v&(Piy)*K#Il+3HBxX>x#d9C46<mu_i*8@!r
z&2J;buMVEqkBQXUxima(8{%@#y!jd7JZ3x(Ob~^gX(`h9+&SZMe~V)qw^uaO)oJ)#
z!j;O;uP!vhY}{7xB6`>DZf4${lk_3Z>})ZttX9frz8*PxRDj2FvN|%ntu2_&{LEEv
zZ$-*&0-=i%_6)(j*H!(8jNjQ=HT07{-&Z&MNL{M3yDIU~m`Ur0r&|*f$uYYC_A^!0
zyO1RD97*cp2n)MhD)5e3&Y=O}@YB0;*e(emj5}}ikBc$jvH5=0YDQF~1oz``vn?g9
zbxLqB911wGA43JU>I+Fl2n5E{QXOlkthB-ag0P|S$M;pHJVOjv%bxRcai{8`y&S9M
z;zGSGdpbm_Ov?1MZ<R7l`WGpQ5`)oEO<3dCRGWOvyOmEyM%~_#yN=AuUYpLuq?(*M
z1Vp;4PmN=+Xb)yRHYKr~t}Jn*l9~Nl7@vBrx|K7Pi~&n}*YWgYLVK^Cz>W5MMma8_
zBU8N>yE`er*Bgw)o=?<Un9JjCc`j(GXRq7CGCx}`AvtYO<oe*lhn>L{JiIr*Z4!D;
z?J`Go;JaygfSmLCJ|+tb*8LO|2c-_!?YV~GaX5Vth=rcope%S_I7m}%*0|(BdPgy*
zM!Io6iiXL_>D+~kcooiuaOvFb{NFuzO$3i|aq-#PSs;S5QYGRLE>(A%u2wVX-FsLl
zKN7sSv%_kwGl_0b9*U!h$!QjrwS6t-W_E{lUK(E~4O*NS5xS!hwfrDa18MhvvbTFt
z@zdi>&}Cxm5jHT8Hy#@<bS_6e?SE|OPS^XM1Db;3mGTnB-qsK014vTiOXH#*1xl`8
zKan$QIE10lVtaDK!diOc->RN>!CKd6-HewwGWE4BF()S=p@nUT-&@X_j?Nzn?&2c<
z<Mx8dvEx(Nno@EW6M-*Z@{1jPE--7KX;JL=42qHkuH8XCY+sZ6!dYv$2vTaJ%-!6A
zlss=~M^V>@)+A+K&SEq=!>u)(Ah7!Ncb7+JFUXV`ojSGhbIl3qp#_^8QAMv`(Z`aD
z=RZ7F<{B4et9ytk$?_v?&Bq4MKaGr}wY4a4WIU`ZOG@rnW~Y@k%y+6dE2n;1cgOrp
zc7P9~VGCE6vB`khqTTy}@?>(Qjrm_Jz4x2P7Nyzd)cbbdcM8A%C-e~M|L%FkGv4v{
zoZR6mPTu74nfEJSXlM>K_L~K)I_ozk3W&zvgX(np)NST4iZw|}wf={(vkdEuzxGvE
zHD}WuyS9#e9Zj(kBY|5qwswJ9t<o^ts!l<Xt)&Y-$i3U8AAe9y(4s;!e`JJLAh8jU
zL|E71hhXwQ(1-sGoJd(@@7QkSa<{+tpz3wfcuIavg?l3F<b~BPethM;K9hr9OkTZ~
z_)a7=x0aeL|F3b6rFU*sQc+bc?HEPdSQ^L4vtZ~A&>tZpp{>p6S&SBe_KcAGOKt=t
z8rz_*Mt5@Jt5>ZV5AIjvgP}E&Bxs<jwzehf=3#WoFlQ0PuoavC*hEjH+$vJ<+`bK5
zS)>KbTUtyEo1eH+3poSPXyvfZhl59sfS*#&wlV`$XxacFJ0L(zK6bi$7ub3gIhwkl
zzn_?#1T$c>Fn7}`IOGKMj3Yfgx)(0A4h_NZ{)D}bs-ohXj?p)lxU%n0Br1w^R0Qtd
z#dAFmt+()*ZfPL`&J#00Q0*WU2bOy6+BH;A_H3L)rVi?L5Y+e`zVZ_yb(^k3K~8Lr
z1?9bN^-6pDMHmcQ`GdCg*m3x6Ufu<0+<>v8L*DTLu<bF+tR?+J0d$tE_0Ks3IXFI|
z_jxx3KuRXC7;yCi!V4+pO(^CcDr&zIsDhRX?d#ALLE4iA|1*e?ScklbkX@Ntw$&s!
z-ld^w;1NN7#>d4)F!wiEwAi8<{|kTgj0UqS4cDbNczOJSfiTu(Zee!hETxiyf(U6}
zO-wD(f(OPZ>1k;P2pQfXQSR>RG2b0(B1jWJg2M^{12tJ`h!&$bxF8T&nVIi-cmR#r
z$#n^{&z7`}@Mz5_099Z0-iNwlXovuIR6_$DIIW;PT|=ORgBKN(%rozR06UDD1LFw&
zX;%?k5Es$WfW_(>pPrC~=CSv2Qbfet#zq^M&%o3gu70#U*IUs<AW0n8KmY+LDk6fX
z@D2JS+U?uHu=<8DXPlpyn!=oIO{2!NU_FxzOYoqOvO=l_p`e<Y8WwE?x=plkhX$?`
zdm)8IMMnk%PcWTg+`G2}tr6goOb^5kZzk%Ng~iiM`(Ore9`v%6RR)qgG%$Y*6q1uy
zgp?B>;eEG!&9^Za_|a_NK8Fu7Q3?tPR0b$p)654?o=9*C-Dr0V2mq?k1W+D)1?Vnj
zS8z>>a3vV%@2A{g-2aKCF0KotymE6t3uiacXM7AhW5bR^jvAUOD&NqcJu!yPeW=hB
zD|bU<=FQ%X({Z)3UjRB^Q20iAdO<26MYapt@QBF^Eqo7!jX&_9-Yz`(fU7Y?gIlZg
zkg~pZc=z`%eR<kLt|7+^8+q*JEL}r7BUoqml?qgS|85BtaA~QO75x4bQVp9xU#T_i
z%~?K_Xrh25<$;&i4NQm7)NH{ngQyJ<J|@k<^bgur!Vu1<G`=Gq51v@B4~r|XrVsDm
zZ*@88NYU35jb)FCk1sDP1A9;Gsb88W_ngnHADa%$xy9mwZTcM$*qFFM6ym-Yci-;y
z^y!Oz6gZbfFjIV_!9hWapO7*@3XzEE1xZO^zIY0L6kE1!W3+gH-SdvBqpJ(ef&z8f
zP<Nq2=qfb4=%0t6Ef*XXJoHEzAT5F{ftqyn#1)uRW?gT)Z5jg-o~`A%j**dEOGS0{
zqvmexLg)9!XMJL2hP~{j>fjJ=2>DA@!81Q%_oww_f4Gh35>CvwGO&CXrdi?ez?5>!
z_U&J=XFE$a!}&l+NGRj=h4Cm?YyB%%FcvV&ax`RcKRQuC*Emw>7glClTg=2klMBlc
zs5xObwT+e*mLM(A;}R-&gUZ?CCE*L1Ocgf_9|oVnnWKtU%GJwImNb~zRWON4lx2tG
z4m&qS1R&_Dq2FA;e*N=f*XnWnWc~TXc4ZFAS7bhZ7!j*yLPHnSSjgm9B9jbbwS<~O
zsR+Bi1PSWTXnF0YA58?y?Xd9>1_wec2m`V22-Y(*7)8;6cmW;z;4Y;boM88$$ihFg
zfGX$4jTbLps;3(ICnete{*}SD1GFhd)uX=%+$BVb5Gg_;W&iyvH0*7VGg5A-%C%p_
zNd&=Db*B;bBRMBh&w~k_XoBUy%-yj|Pt*wnD7SEH^kza5>~~oAe#i+#i(P^?Xj*Fu
z+5Q4^AR#?Rk7z6*b1J!3gN=hD!Y^{gsy~Q&17b_h73|uFYVILrN(|gJ%ATLf%7zeC
zs<va`7HlWF+uN&V7KkGwdnw@a)jB?nn__|hkr%xuaq~@i+984y4Mxq%u)R;*`C}Su
z08$gSlNjkpx^7*_!uW>6i0tSRf@Y1AGaiZy1WFu)Ww{G@F3?+E<vo!R5v(*P_jtjS
z{s`P&@fHjWCuS1YyPT{-Pc5Q&INArr#Uah9Mx5L$kTinaD$ilX1P?s<f{Ow3C;0f(
z;H@b)fc9&_eE|m*V#J1I1KLmaoEU0q>PQ&rgYpCI40i?SPpml6LWPT9-G&X}wUAw7
z&wjE;^C^_>D&czLR7IYc;0C}o%*cMa%Qy6thk|$X;3MX55>P3Dq{H=scxo}(uLM8`
zoPA7!_)_aDU8G992HLeJhVZ%ZelY}ke>hlSV<??Jdw>etwg#g)_ibTUO}e-6OsI+D
zYEwosjQ_EOMCIv1>jj)q@X9uVE$H1wn3wt^m>F{-?9o95e+)zgwG7i26TT@#I~M$S
za$;h?%(EmwAbrM+MF-UcTtn~`;RN?GJ|4-%E(pA{o?zROZQT#ujir?pgwt_iF}0sQ
zC1I!nE;lF&aj7m$RLfxxPsICFS63sH<oAq&lBc1f>TYX0!KEr7<`+}d&myHXCFyM)
z28BNw`=I-Jm6Sv@3daY3dV}j*NvNV-?q+NlVKH=am_gvJs!CJqlq3VIa_HIipME0T
z(u7f_ptYg=PLFlnuxvZfx(iPN$7b!uoh9Yva#B(=!<i%S5liQA-8Q$9IBc+W7mlmD
wi%VUS{#kf-dU%v!VOy*Q*yG$TbuF%-WS+cCw!ILlOA-=EG1-%GA{TD|AC7yDRR910

literal 0
HcmV?d00001

diff --git a/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_auth_sequence.wsd b/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_auth_sequence.wsd
new file mode 100644
index 00000000..f97ed1ee
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_auth_sequence.wsd
@@ -0,0 +1,23 @@
+title Federated Authentication with SSSD
+
+# This walks through the federated authentication sequence where a claim from a
+# third-party IdP system is posted to the ODL token endpoint in exchange for an 
+# access token. The claim information is assumed to be in format specific to the 
+# third-party IdP system and assumed to be captured via either Apache environment
+# variables (Servlet attributes) or HTTP headers. 
+
+Client -> Apache WebServer: authenticate
+note right of Client
+credentials
+end note
+Apache WebServer -> SSSD: authenticate
+SSSD -> LDAP/AD : authenticate
+SSSD -> Apache WebServer: claim
+Apache WebServer -> ServletContainer: CGI variables
+ServletContainer -> SSSD Plugin: Servlet attributes/headers
+SSSD Plugin -> SSSD Plugin : transformClaim
+SSSD Plugin -> TokenEndPoint : claim
+TokenEndPoint -> TokenEndPoint : createToken
+TokenEndPoint -> Client : refresh token, list of authorized domains
+Client -> TokenEndPoint : refresh token, domain
+TokenEndPoint -> Client : access token
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_configuration.rst b/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_configuration.rst
new file mode 100644
index 00000000..7f912d94
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/docs/sssd_configuration.rst
@@ -0,0 +1,1687 @@
+################################################
+Federated Authentication Utilizing Apache & SSSD
+################################################
+
+:Author: John Dennis
+:Email: jdennis@redhat.com
+
+.. contents:: Table of Contents
+
+************
+Introduction
+************
+
+Applications should not need to handle the burden of authentication
+and authorization. These are complex technologies further complicated
+by the existence of a wide variety of authentication
+mechanisms. Likewise there are numerous identity providers (IdP) which
+one may wish to utilize, perhaps in a federated manner. The potential
+to make critical mistakes are high while consuming significant
+engineering resources. Ideally an application should "outsource" it's
+authentication to an "expert" and avoid unnecessary development costs.
+
+For web based applications (both conventional HTML and REST API) there
+has been a trend to embed a simple HTTP server in the application or
+application server which handles the HTTP requests eschewing the use
+of a traditional web server such as Apache.
+
+.. figure:: sssd_01.png
+   :align: center
+
+   _`Figure 1.`
+
+But traditional web servers have a lot of advantages. They often come
+with extensive support for technologies you might wish to utilize in
+your application. It would require signification software engineering
+to add support for those technologies in your application. The problem
+is compounded by the fact many of these technologies demand domain
+expertise which is unlikely to be available in the application
+development team. Another problem is the libraries needed to utilize
+the technology may not even be available in the programming language
+the application is being developed in. Fundamentally an application
+developer should focus on developing their application instead of
+investing resources into implementing complex code for the ancillary
+technologies the application may wish to utilize.
+
+Therefore fronting your application with a web server such as Apache
+makes a lot of sense. One should allow Apache to handle complex tasks
+such as multiple authentication mechanisms talking to multiple
+IdP's. Suppose you want your application to handle Single Sign-On
+(SSO) via Kerberos or authentication based on X509 certificates
+(i.e. PKI). Apache already has extensions to handle these which have
+been field proven, it would be silly to try and support these in your
+application. Apache also comes with other useful extensions such as
+``mod_identity_lookup`` which can extract metadata about an
+authenticated user from multiple sources such as LDAP,
+Active Directory, NIS, etc.
+
+By fronting your application with Apache and allowing Apache to handle
+the complex task of authentication, identity lookups etc. you've
+greatly increased the features of your application while at the same
+time reducing application development time along with increasing
+application security and robustness.
+
+.. figure:: sssd_02.png
+   :align: center
+
+   _`Figure 2.`
+
+When Apache fronts your application you will be passed the results of
+authentication and identity lookups. Your application only needs a
+simple mechanism to accept these values. There are a variety of ways
+the values can be passed from Apache to your application which will be
+discussed in later sections.
+
+Authentication & Identity Properties
+====================================
+
+Authentication is proving that a user is who they claim to be, in
+other words after authentication the user has a proven identity. In
+security parlance the authenticated entity is call a
+principal. Principals may be humans, machines or
+services. Authorization is distinct from authentication. Authorization
+declares what actions an authenticated principal may perform. For
+example, does a principal have permission to read a certain file, run
+a specific command, etc. Identity metadata is typically bound to the
+principal to provide extra information. Examples include the users
+full name, their organization, the groups they are members of, etc.
+
+Apache can provide both authentication and identity metadata to an
+application freeing the application of this task. Authorization
+usually will remain the province of the application. A typical
+design pattern is to assign roles to a principal based on identity
+properties. As the application executes on behalf of a principal the
+application will check if the principal has the necessary role needed
+to perform the operation.
+
+Apache ships with a wide variety of authentication modules. After an
+Apache authentication module successfully authenticates a principal, it
+sets internal variables identifying the principal and the
+authentication method used to authenticate the principal. These are
+exported as the CGI variables REMOTE_USER and AUTH_TYPE respectively
+(see `CGI Export Issues`_ for further information).
+
+Identity Properties
+-------------------
+
+Most Apache authentication modules do not have access to any of the
+identity properties bound to the authenticated principal. Those
+identity properties must be provided by some other mechanism. Typical
+mechanisms include lookups in LDAP, Active Directory, NIS, POSIX
+passwd/gecos and SQL. Managing these lookups can be difficult
+especially in a networked environment where services may be
+temporarily unavailable and/or in a enterprise deployment where
+identity sources must be multiplexed across a variety of services
+according to enterprise wide policy.
+
+`SSSD`_ (System Security Services Daemon) is designed to alleviate many
+of the problems surrounding authentication and identity property
+lookup. SSSD can provide identity properties via D-Bus using it's
+InfoPipe (IFP) feature. The `mod_identity_lookup`_ Apache module is
+given the name of the authenticated principal and makes available
+identity properties via Apache environment variables (see `Configure
+SSSD IFP`_ for details).
+
+Exporting & Consuming Identity Metadata
+=======================================
+
+The authenticated principal (REMOTE_USER), the mechanism used to
+authenticate the principal (AUTH_TYPE) and identity properties
+(supplied by SSSD IFP) are exported to the application which trusts
+this metadata to be valid.
+
+How is this identity metadata exported from Apache and then be
+consumed by a Java EE Servlet?
+
+The architectural design inside Apache tries to capitalize on the
+existing CGI standard (`CGI RFC`_) as much as possible. CGI defines
+these relevant environment variables:
+
+  * REMOTE_USER
+  * AUTH_TYPE
+  * REMOTE_ADDR
+  * REMOTE_HOST
+
+
+Transporting Identity Metadata from Apache to a Java EE Servlet
+===============================================================
+
+In following figure we can see that the user connects to Apache
+instead of the servlet container. Apache authenticates the user, looks
+up the principal's identity information and then proxies the request
+to the servlet container. The additional identity metadata must be
+included in the proxy request in order for the servlet to extract it.
+
+.. figure:: sssd_03.png
+   :align: center
+
+   _`Figure 3.`
+
+The Java EE Servlet API is designed with the HTTP protocol in mind
+however the servlet never directly accesses the HTTP protocol stream.
+Instead it uses the servlet API to get access to HTTP request
+data. The responsibility for HTTP communication rests with the
+container's ``Connector`` objects. When the servlet API needs
+information it works in conjunction with the ``Connector`` to supply
+it. For example the ``HttpServletRequest.getRemoteHost()`` method
+interrogates information the ``Connector`` placed on the internal
+request object. Analogously ``HttpServletRequest.getRemoteUser()``
+interrogates information placed on the internal request object by an
+authentication filter.
+
+But what happens when a HTTP request is proxied to a servlet container
+by Apache and ``getRemoteHost()`` or ``getRemoteUser()`` is called? Most
+``Connector`` objects do not understand the proxy scenario, to them
+a request from a proxy looks just like a request sent directly to the
+servlet container. Therefore ``getRemoteHost()`` or ``getRemoteUser()``
+ends up returning information relative to the proxy instead of the
+user who connected to the proxy because it's the proxy who connected
+to the servlet container and not the end user. There are 2 fundamental
+approaches which allow the servlet API to return data supplied by the
+proxy:
+
+  1. Proxy uses special protocol (e.g. AJP) to embed metadata.
+  2. Metadata is embedded in an HTTP extension by the proxy (i.e. headers)
+
+Proxy With AJP Protocol
+-----------------------
+
+The AJP_ protocol was designed as a protocol to exchange HTTP requests
+and responses between Apache and a Java EE Servlet Container. One of
+its design goals was to improve performance by translating common text
+values appearing in HTTP requests to a more compact binary form. At
+the same time AJP provided a mechanism to supply metadata about the
+request to the servlet container. That metadata is encoded in an AJP
+attribute (a name/value pair). The Apache AJP Proxy module looks up
+information in the internal Apache request object (e.g. remote user,
+remote address, etc.) and encodes that metadata in AJP attributes. On
+the servlet container side a AJP ``Connector`` object is aware of these
+metadata attributes, extracts them from the protocol and supplies
+their values to the upper layers of the servlet API. Thus a call to
+``HttpServletRequest.getRemoteUser()`` made by a servlet will receive
+the value set by Apache prior to the proxy. This is the desired and
+expected behavior. A servlet should be ignorant of the consequences of
+proxies; the servlet API should behave the same regardless of the
+presence of a proxy.
+
+The AJP protocol also has a general purpose attribute mechanism whereby
+any arbitrary name/value pair can be passed. This proxy metadata can
+be retrieved by a servlet by calling ``ServletRequest.getAttribute()``
+[1]_ When Apache mod_proxy_ajp is being used the authentication
+metadata for the remote user and auth type are are automatically
+inserted into the AJP protocol and the AJP ``Connector`` object on
+the servlet receiving end supplies those values to
+``HttpServletRequest.getRemoteHost()`` and
+``HttpServletRequest.getRemoteUser()`` respectively. But the identity
+metadata supplied by ``mod_identity_lookup`` needs to be explicitly
+encoded into an AJP attribute (see `Configure SSSD IFP`_ for details)
+that can later be retrieved by ``ServletRequest.getAttribute()``.
+
+Proxy With HTTP Protocol
+------------------------
+
+Although the AJP protocol offers a number of nice advantages sometimes
+it's not an option. Not all servlet containers support AJP or there
+may be some other deployment constraint that precludes its use. In this
+case option 2 from above needs to be used. Option 2 requires only the
+defined HTTP protocol be used without any "out of band" metadata. The
+conventional way to attach extension metadata to a HTTP request is to
+add extension HTTP headers.
+
+One problem with using extension HTTP headers to pass metadata to a
+servlet is the expectation the servlet API will have the same
+behavior. In other words the value returned by
+``HttpServletRequest.getRemoteUser()`` should not depend on whether the
+proxy request was exchanged with the AJP protocol or the HTTP
+protocol. The solution to this is to wrap the ``HttpServletRequest``
+object in a servlet filter. The wrapper overrides certain request
+methods (e.g. ``getRemoteUser()``). The override method looks to see if
+the metadata is in the extension HTTP headers, if so it returns the
+value found in the extension HTTP header otherwise it defers to the
+existing servlet implementation. The ``ServletRequest.getAttribute()`` is
+overridden in an analogous manner in the wrapper filter. Any call to
+``ServletRequest.getAttribute()`` is first checked to see if the value
+exists in the extension HTTP header first.
+
+Metadata supplied by Apache that is **not** part of the normal Java
+EE Servlet API **always** appears to the servlet via the
+``ServletRequest.getAttribute()`` method regardless of the proxy
+transport mechanism. The consequence of this is a servlet
+continues to utilize the existing Java EE Servlet API without concern
+for intermediary proxies, *and* any other metadata supplied by a proxy
+is *always* retrieved via ``ServletRequest.getAttribute()`` (see the
+caveat about ``ServletRequest.getAttributeNames()`` [1]_).
+
+*******************
+Configuration Guide
+*******************
+
+Although Apache authentication and SSSD identity lookup can operate
+with a variety of authentication mechanisms, IdP's and identity
+metadata providers we will demonstrate a configuration example which
+utilizes the FreeIPA_ IdP. FreeIPA excels at Kerberos SSO authentication,
+Active Directory integration, LDAP based identity metadata storage and
+lookup, DNS services, host based RBAC, SSH key management, certificate
+management, friendly web based console, command line tools and many
+other advanced IdP features.
+
+The following configuration steps will need to be performed:
+
+1. Install FreeIPA_ by following the installation guides in the FreeIPA_
+   documentation area. When you install FreeIPA_ you will need to select a
+   realm (a.k.a domain) in which your users and hosts will exist. In
+   our example we will use the ``EXAMPLE.COM`` realm.
+
+2. Install and configure the Apache HTTP web server. The
+   recommendation is to install and run the Apache HTTP web server on
+   the same system the Java EE Container running AAA is installed on.
+
+3. Configure the proxy connector in the Java EE Container and set the
+   ``secureProxyPorts``.
+
+We will also illustrate the operation of the system by adding an
+example user named ``testuser`` who will be a member of the
+``odl_users`` and ``odl_admin`` groups.
+
+Add Example User and Groups to FreeIPA
+======================================
+
+After installing FreeIPA you will need to populate FreeIPA with your users,
+groups and other data. Refer to the documentation in FreeIPA_ for the
+variety of ways this task can be performed; it runs the gamut from web
+based console to command line utilities. For simplicity we will use
+the command line utilities.
+
+Identify yourself to FreeIPA as an administrator; this will give you the
+necessary privileges needed to create and modify data in FreeIPA. You do
+this by obtaining a Kerberos ticket for the ``admin`` user (or any
+other user in FreeIPA with administrator privileges.
+
+::
+
+  % kinit admin@EXAMPLE.COM
+
+Create the example ``odl_users`` and `odl_admin`` groups.
+
+::
+
+  % ipa group-add odl_users --desc 'OpenDaylight Users'
+  % ipa group-add odl_admin --desc 'OpenDaylight Administrators'
+
+Create the example user ``testuser`` with the first name "Test" and a
+last name of "User" and an email address of "test.user@example.com"
+
+::
+
+  % ipa user-add testuser --first Test --last User --email test.user@example.com
+
+Now add ``testuser`` to the ``odl_users`` and ``odl_admin`` groups.
+
+::
+
+  % ipa group-add-member odl_users --user testuser
+  % ipa group-add-member odl_admin --user testuser
+
+Configure Apache
+================
+
+A number of Apache configuration directives will need to be specified
+to implement the Apache to application binding. Although these
+configuration directives can be located in any number of different
+Apache configuration files the most sensible approach is to co-locate
+them in a single application configuration file. This greatly
+simplifies the deployment of your application and isolates your
+application configuration from other applications and services sharing
+the Apache installation. In the examples that follow our application
+will be named ``my_app`` and the Apache application configuration file
+will be named ``my_app.conf`` which should be located in Apache's
+``conf.d/`` directory. The web resource we are protecting and
+supplying identity metadata for will be named ``my_resource``.
+
+
+Configure Apache for Kerberos
+-----------------------------
+
+When FreeIPA is deployed Kerberos is the preferred authentication mechanism
+for Single Sign-On (SSO). FreeIPA also provides identity metadata via
+Apache ``mod_identity_lookup``. To protect your ``my_resource`` resource
+with Kerberos authentication identify your resource as requiring
+Kerberos authentication in your ``my_app.conf`` Apache
+configuration. For example:
+
+::
+
+  <Location my_resource>
+    AuthType Kerberos
+    AuthName "Kerberos Login"
+    KrbMethodNegotiate On
+    KrbMethodK5Passwd Off
+    KrbAuthRealms EXAMPLE.COM
+    Krb5KeyTab /etc/http.keytab
+    require valid-user
+  </Location>
+
+You will need to replace EXAMPLE.COM in the KrbAuthRealms declaration
+with the Kerberos realm for your deployment.
+
+
+Configure SSSD IFP
+------------------
+
+To use the Apache ``mod_identity_lookup`` module to supply identity
+metadata you need to do the following in ``my_app.conf``:
+
+1. Enable the module
+
+   ::
+
+     LoadModule lookup_identity_module modules/mod_lookup_identity.so
+
+2. Apply the identity metadata lookup to specific URL's
+   (e.g. ``my_resource``) via an Apache location directive. In this
+   example we look up the "mail" attribute and assign it to the
+   REMOTE_USER_EMAIL environment variable.
+
+   ::
+
+     <LocationMatch "my_resource">
+       LookupUserAttr mail REMOTE_USER_EMAIL
+     </LocationMatch>
+
+3. Export the environment variable via the desired proxy protocol, see
+   `Exporting Environment Variables to the Proxy`_
+
+Exporting Environment Variables to the Proxy
+--------------------------------------------
+
+First you need to decide which proxy protocol you're going to use, AJP
+or HTTP and then determine the target address and port to proxy to. The
+recommended configuration is to run both the Apache server and the
+servlet container on the same host and to proxy requests over the
+local loopback interface (see `Declaring the Connector Ports for
+Authentication Proxies`_). In our examples we'll use port 8383. Thus
+in ``my_app.conf`` add a proxy declaration.
+
+For HTTP Proxy
+
+::
+
+   ProxyPass / http://localhost:8383/
+   ProxyPassReverse / http://localhost:8383/
+
+For AJP Proxy
+
+::
+
+   ProxyPass / ajp://localhost:8383/
+   ProxyPassReverse / ajp://localhost:8383/
+
+AJP Exports
+^^^^^^^^^^^
+
+AJP automatically forwards REMOTE_USER and AUTH_TYPE making them
+available to the ``HttpServletRequest`` API, thus you do not need to
+explicitly forward these in the proxy configuration. However all other
+``mod_identity_lookup`` metadata must be explicitly forwarded as an AJP
+attribute. These AJP attributes become visible in the
+``ServletRequest.getAttribute()`` method [1]_.
+
+The Apache ``mod_proxy_ajp`` module automatically sends any Apache
+environment variable prefixed with "AJP\_" as an AJP attribute which
+can be retrieved with ``ServletRequest.getAttribute()``. Therefore the
+``mod_identity_lookup`` directives which specify the Apache environment
+variable to set with the result of a lookup must be prefixed with
+"AJP\_". Using the above example of looking up the principal's email
+address we modify the environment variable to include the "AJP\_"
+prefix. Thusly:
+
+   ::
+
+     <LocationMatch "my_resource">
+       LookupUserAttr mail AJP_REMOTE_USER_EMAIL
+     </LocationMatch>
+
+The sequence of events is as follows:
+
+  1. When the URL matches "my_resource".
+
+  2. ``mod_identity_lookup`` retrieves the mail attribute for the
+     principal.
+
+  3. ``mod_identity_lookup`` assigns the value of the mail attribute
+     lookup to the AJP_REMOTE_USER_EMAIL Apache environment variable.
+
+  4. ``mod_proxy_ajp`` encodes AJP_REMOTE_USER_EMAIL environment
+     variable into an AJP attribute in the AJP protocol because the
+     environment variable is prefixed with "AJP\_". The name of the
+     attribute is stripped of it's "AJP\_" prefix thus the
+     AJP_REMOTE_USER_EMAIL environment variable is transferred as the
+     AJP attribute REMOTE_USER_EMAIL.
+
+  5. The request is forwarded (i.e. proxied) to servlet container
+     using the AJP protocol.
+
+  6. The servlet container's AJP ``Connector`` object is assigned each AJP
+     attribute to the set of attributes on the ``ServletRequest``
+     attribute list. Thus a call to
+     ``ServletRequest.getAttribute("REMOTE_USER_EMAIL")`` yields the
+     value set by ``mod_identity_lookup``.
+
+
+HTTP Exports
+^^^^^^^^^^^^
+
+When HTTP proxy is used there are no automatic or implicit metadata
+transfers; every metadata attribute must be explicitly handled on both
+ends of the proxy connection. All identity metadata attributes are
+transferred as extension HTTP headers, by convention those headers are
+prefixed with "X-SSSD-".
+
+Using the original example of looking up the principal's email
+address we must now perform two independent actions:
+
+  1. Lookup the value via ``mod_identity_lookup`` and assign to an
+     Apache environment variable.
+
+  2. Export the environment variable in the request header with the
+     "X-SSSD-" prefix.
+
+   ::
+
+     <LocationMatch "my_resource">
+       LookupUserAttr mail REMOTE_USER_EMAIL
+       RequestHeader set X-SSSD-REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e
+     </LocationMatch>
+
+The sequence of events is as follows:
+
+  1. When the URL matches "my_resource".
+
+  2. ``mod_identity_lookup`` retrieves the mail attribute for the
+     principal.
+
+  3. ``mod_identity_lookup`` assigns the value of the mail attribute
+     lookup to the REMOTE_USER_EMAIL Apache environment variable.
+
+  4. Apache's RequestHeader directive executes just prior to the
+     request being forwarded (i.e. in the Apache fixup stage). It adds
+     the header X-SSSD-REMOTE_USER_EMAIL and assigns the value for
+     REMOTE_USER_EMAIL found in the set of environment variables. It
+     does this because the syntax %{XXX} is a variable reference for
+     the name XXX and the 'e' appended after the closing brace
+     indicates the lookup is to be performed in the set of environment
+     variables.
+
+  5. The request is forwarded (i.e. proxied) to the servlet container
+     using the HTTP protocol.
+
+  6. When ``ServletRequest.getAttribute()`` is called the ``SssdFilter``
+     wrapper intercepts the ``getAttribute()`` method. It looks for an
+     HTTP header of the same name with "X-SSSD-" prefixed to it. In
+     this case ``getAttribute("REMOTE_USER_EMAIL")`` causes the lookup of
+     "X-SSSD-REMOTE_USER_EMAIL" in the HTTP headers, if found that
+     value is returned.
+
+AJP Proxy Example Configuration
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+If you are using AJP proxy to the Java EE Container on port 8383 your
+``my_app.conf`` Apache configuration file will probably look like
+this:
+
+::
+
+  <LocationMatch "my_resource">
+
+    ProxyPass / ajp://localhost:8383/
+    ProxyPassReverse / ajp://localhost:8383/
+
+    LookupUserAttr mail AJP_REMOTE_USER_EMAIL " "
+    LookupUserAttr givenname AJP_REMOTE_USER_FIRSTNAME
+    LookupUserAttr sn AJP_REMOTE_USER_LASTNAME
+    LookupUserGroups AJP_REMOTE_USER_GROUPS ":"
+
+  </LocationMatch>
+
+Note the specification of the colon separator for the
+``LookupUserGroups`` operation. [3]_
+
+HTTP Proxy Example Configuration
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+If you are using a conventional HTTP proxy to the Java EE Container on
+port 8383 your ``my_app.conf`` Apache configuration file will probably
+look like this:
+
+::
+
+  <LocationMatch "my_resource">
+
+    ProxyPass / http://localhost:8383/
+    ProxyPassReverse / http://localhost:8383/
+
+    RequestHeader set X-SSSD-REMOTE_USER expr=%{REMOTE_USER}
+    RequestHeader set X-SSSD-AUTH_TYPE expr=%{AUTH_TYPE}
+    RequestHeader set X-SSSD-REMOTE_HOST expr=%{REMOTE_HOST}
+    RequestHeader set X-SSSD-REMOTE_ADDR expr=%{REMOTE_ADDR}
+
+    LookupUserAttr mail REMOTE_USER_EMAIL
+    RequestHeader set X-SSSD-REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e
+
+    LookupUserAttr givenname REMOTE_USER_FIRSTNAME
+    RequestHeader set X-SSSD-REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e
+
+    LookupUserAttr sn REMOTE_USER_LASTNAME
+    RequestHeader set X-SSSD-REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e
+
+    LookupUserGroups REMOTE_USER_GROUPS ":"
+    RequestHeader set X-SSSD-REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e
+
+  </LocationMatch>
+
+Note the specification of the colon separator for the
+``LookupUserGroups`` operation. [3]_
+
+
+Configure Java EE Container Proxy Connector
+===========================================
+
+The Java EE Container must be configured to listen for connections
+from the Apache web server. A Java EE Container specifies connections
+via a ``Connector`` object. A ``Connector`` **must** be dedicated
+**exclusively** for handling authenticated requests from the Apache
+web server. The reason for this is explained in `The Proxy
+Problem`_. In addition ``ClaimAuthFilter`` needs to validate that any
+request it processes originated from the trusted Apache instance. This
+is accomplished by dedicating one or more ports exclusively for use by
+the trusted Apache server and enumerating them in the
+``secureProxyPorts`` configuration as explained in `Locking Down the
+Apache to Java EE Container Channel`_ and `Declaring the Connector
+Ports for Authentication Proxies`_.
+
+Configure Tomcat Proxy Connector
+--------------------------------
+
+The Tomcat Java EE Container defines Connectors in its ``server.xml``
+configuration file.
+
+::
+
+    <Connector
+        address="127.0.0.1"
+        port="8383"
+        protocol="HTTP/1.1"
+        tomcatAuthentication="false"
+        connectionTimeout="20000"
+        redirectPort="8443"
+    />
+
+
+:address:
+  This should be the loopback address as explained `Locking Down the
+  Apache to Java EE Container Channel`_.
+
+:port:
+  In our examples we've been using port 8383 as the proxy port. The
+  exact port is not important but it must be consistent with the
+  Apache proxy port, the ``Connector`` declaration, and the port value
+  in ``secureProxyPorts``.
+
+:protocol:
+  As explained in `Transporting Identity Metadata from Apache to a
+  Java EE Servlet`_ you will need to decide if you are using HTTP or
+  AJP as the proxy protocol. In the example above the protocol is set
+  for HTTP, if you use AJP instead the protocol should instead be
+  "AJP/1.3".
+
+:tomcatAuthentication:
+  This boolean flag tells Tomcat whether Tomcat should perform
+  authentication on the incoming requests or not. Since authentication
+  is performed by Apache we do not want Tomcat to perform
+  authentication therefore this flag must be set to false.
+
+The AAA system needs to know which port(s) the trusted Apache proxy
+will be sending requests on so it can trust the request authentication
+metadata. See `Declaring the Connector Ports for Authentication
+Proxies`_ for more information). Set ``secureProxyPorts`` in the
+FederationConfiguration.
+
+::
+
+  secureProxyPorts=8383
+
+
+Configure Jetty Proxy Connector
+-------------------------------
+
+The Jetty Java EE Container defines Connectors in its ``jetty.xml``
+configuration file.
+
+::
+
+    <!-- Trusted Authentication Federation proxy connection -->
+    <Call name="addConnector">
+        <Arg>
+            <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
+                <Set name="host">127.0.0.1</Set>
+                <Set name="port">8383</Set>
+                <Set name="maxIdleTime">300000</Set>
+                <Set name="Acceptors">2</Set>
+                <Set name="statsOn">false</Set>
+                <Set name="confidentialPort">8445</Set>
+                <Set name="name">federationConn</Set>
+                <Set name="lowResourcesConnections">20000</Set>
+                <Set name="lowResourcesMaxIdleTime">5000</Set>
+            </New>
+        </Arg>
+    </Call>
+
+:host:
+  This should be the loopback address as explained `Locking Down the
+  Apache to Java EE Container Channel`_.
+
+:port:
+  In our examples we've been using port 8383 as the proxy port. The
+  exact port is not important but it must be consistent with the
+  Apache proxy port, the ``Connector`` declaration, and the port value
+  in ``secureProxyPorts``.
+
+
+Note, values in Jetty XML can also be parameterized so that they may
+be passed from property files or set on the command line. Thus
+typically the port is set within Jetty XML, but uses the Property
+element to be customizable. Thus the above ``host`` and ``port``
+properties could be specificed this way:
+
+::
+
+    <Set name="host">
+        <Property name="jetty.host" default="127.0.0.1"/>
+    </Set>
+    <Set name="port">
+        <Property name="jetty.port" default="8383"/>
+    </Set>
+
+
+The AAA system needs to know which port(s) the trusted Apache proxy
+will be sending requests on so it can trust the request authentication
+metadata. See `Declaring the Connector Ports for Authentication
+Proxies`_ for more information). Set ``secureProxyPorts`` in the
+FederationConfiguration.
+
+************************************************
+How Apache Identity Metadata is Processed in AAA
+************************************************
+
+`Figure 2.`_ and `Figure 3.`_ illustrates the fact the first stage in
+processing a request from a user begins with Apache where the user is
+authenticated and SSSD supplies additional metadata about the
+user. The original request along with the metadata are subsequently
+forwarded by Apache to the Java EE Container. `Figure 4.`_ illustrates
+the processing inside the Java EE Container once it receives the
+request on one of its secure connectors.
+
+
+.. figure:: sssd_04.png
+   :align: center
+
+   _`Figure 4.`
+
+:Step 1:
+  One or more Connectors have been configured to listen for requests
+  being forwarded from a trusted Apache instance. The Connector is
+  configured to communicate using either the HTTP or AJP protocols.
+  See `Exporting Environment Variables to the Proxy`_ for more
+  information on selecting a proxy transport protocol.
+
+:Step 2:
+  The identity metadata bound to the request needs to be extracted
+  differently depending upon whether HTTP or AJP is the transport
+  protocol. To allow later stages in the pipeline to be ignorant of
+  the transport protocol semantics the ``SssdFilter`` servlet filter
+  is introduced. The ``SssdFilter`` wraps the ``HttpServletRequest``
+  class and intercepts calls which might return the identity
+  metadata. The wrapper in the filter looks in protocol specific
+  locations for the metadata. In this manner users of the
+  ``HttpServletRequest`` are isolated from protocol differences.
+
+
+:Step 3:
+
+  The ``ClaimAuthFilter`` is responsible for determining if identity
+  metadata is bound to the request. If so all identity metadata is
+  packaged into an assertion which is then handed off to
+  ``SssdClaimAuth`` which will transform the identity metadata in the
+  assertion into a AAA Claim which is the authorizing token for the user.
+
+:Step 4:
+  The ``SssdClaimAuth`` object is responsible for transforming the
+  external federated identity metadata provided by Apache and SSSD into
+  a AAA claim. The AAA claim is an authorization token which includes
+  information about the user plus a set of roles. These roles provide the
+  authorization to perform AAA tasks. Although how roles are assigned is
+  flexible the expectation is domain and/or group membership will be the
+  primary criteria for role assignment. Because deciding how to handle
+  external federated identity metadata is site and deployment specific
+  we need a loadable policy mechanism. This is accomplished by a set of
+  transformation rules which transforms the incoming IdP identity
+  metadata into a AAA claim. For greater clarity this important step is
+  broken down into smaller units in the shaded box in `Figure 4.`_.
+
+:Step 4.1:
+  `The Mapping Rule Processor`_ is designed to accept a JSON object
+  (set of key/value pairs) as input and emit a different JSON object
+  as output effectively operating as a transformation engine on
+  key/value pairs.
+
+:Step 4.2:
+  The input assertion is rewritten as a JSON object in the format
+  required by the Mapping Rule Processor. The JSON assertion is then
+  passed into the Mapping Rule Processor.
+
+:Step 4.3:
+  `The Mapping Rule Processor`_ identified as ``IdPMapper`` evaluates
+  the input JSON assertion in the context of the mapping rules defined
+  for the site deployment. If ``IdPMapper`` is able to successfully
+  transform the input it will return a JSON object which we called the
+  *mapped* result. If the input JSON assertion is not compatible with
+  the site specific rules loaded into the ``IdPMapper`` then NULL is
+  returned by the ``IdPMapper``.
+
+:Step 4.4:
+  If a mapped JSON object is returned by the ``IdPMapper`` the mapping
+  was successful. The values in the mapped result are re-written into
+  an AAA Claim token.
+
+How Apache Identity Metadata is Mapped to AAA Values
+====================================================
+
+A federated IdP supplies metadata in a form unique to the IdP. This is
+called an assertion. That assertion must be transformed into a format
+and data understood by AAA. More importantly that assertion needs to
+yield *authorization roles specific to AAA*. In `Figure 4.`_ Step 4.3
+the ``IdPMapper`` provides the transformation from an external IdP
+assertion to an AAA specific claim. It does this via a Mapping Rule
+Processor which reads a site specific set of transformation
+rules. These mapping rules define how to transform an external IdP
+assertion into a AAA claim. The mapping rules also are responsible for
+validating the external IdP claim to make sure it is consistent with
+the site specific requirements. The operation of the Mapping Rule
+Processor and the syntax of the mapping rules are defined in `The
+Mapping Rule Processor`_.
+
+Below is an example mapping rule which might be loaded into the
+Mapping Rule Processor. It is assumed there are two AAA roles which
+may be assigned [4]_:
+
+``user``
+  A role granting standard permissions for normal ODL users.
+
+``admin``
+  A special role granting full administrative permissions.
+
+In this example assigning the ``user`` and ``admin`` roles
+will be based on group membership in the following groups:
+
+``odl_users``
+  Members of this group are normal ODL users with restricted permissions.
+
+``odl_admin``
+  Members of this group are ODL administrators with permission to
+  perform all operations.
+
+Granting of the ``user`` and/or ``admin`` roles based on
+membership in the ``odl_users`` and ``odl_admin`` is illustrated in
+the follow mapping rule example which also extracts the user principal
+and domain information in the preferred format for the site
+(e.g. usernames are lowercase without domain suffixes and the domain
+is uppercase and supplied separately).
+
+_`Mapping Rule Example 1.`
+
+::
+
+  1   [
+  2     {"mapping": {"ClientId": "$client_id",
+  3            "UserId": "$user_id",
+  4            "User": "$username",
+  5            "Domain": "$domain",
+  6            "roles": "$roles",
+  7           },
+  8      "statement_blocks": [
+  9        [
+  10         ["set", "$groups", []],
+  11         ["set", "$roles", []]
+  12       ],
+  13       [
+  14         ["in", "REMOTE_USER", "$assertion"],
+  15         ["exit", "rule_fails", "if_not_success"],
+  16         ["regexp", "$assertion[REMOTE_USER]", "(?<username>\\w+)@(?<domain>.+)"],
+  17         ["exit", "rule_fails", "if_not_success"],
+  18         ["lower", "$username", "$regexp_map[username]"],
+  19         ["upper", "$domain", "$regexp_map[domain]"],
+  20       ],
+  21       [
+  22         ["in", "REMOTE_USER_GROUPS", "$assertion"],
+  23         ["exit", "rule_fails", "if_not_success"],
+  24         ["split", "$groups", "$assertion[REMOTE_USER_GROUPS]", ":"],
+  25       ],
+  26       [
+  27         ["in", "odl_users", "$groups"],
+  28         ["continue", "if_not_success"],
+  29         ["append", "$roles", "user"],
+  30       ],
+  31       [
+  32         ["in", "odl_admin", "$groups"],
+  33         ["continue", "if_not_success"],
+  34         ["append", "$roles", "admin"]
+  35       ],
+  36       [
+  37         ["unique", "$roles", "$roles"],
+  38         ["length", "$n_roles", "$roles"],
+  39         ["compare", "$n_roles", ">", 0],
+  40         ["exit", "rule_fails", "if_not_success"],
+  41       ],
+  42     ]
+  43    }
+  44  ]
+
+:Line 1:
+  Starts a list of rules. In this example only 1 rule is defined. Each
+  rule is a JSON object containing a ``mapping`` and a required list
+  of ``statement_blocks``. The ``mapping`` may either be specified
+  inside a rule as it is here or may be referenced by name in a table
+  of mappings (this is easier to manage if you have a large number of
+  rules and small number of mappings).
+
+:Lines 2-7:
+  Defines the JSON mapped result. Each key maps to AAA claim.  The
+  value is a rule variable whose value will be substituted if the rule
+  succeeds.  Thus for example the AAA claim value ``User`` will be
+  assigned the value from the ``$username`` rule variable.
+:Line 8:
+  Begins the list of statement blocks. A statement must be contained
+  inside a block.
+:Lines 9-12:
+  The first block usually initializes variables that will be
+  referenced later. Here we initialize ``$groups`` and ``$roles`` to
+  empty arrays. These arrays may be appended to in later blocks and
+  may be referenced in the final ``mapping`` output.
+:Lines 13-20:
+  This block sets the user and domain information based on
+  ``REMOTE_USER`` and exits the rule if ``REMOTE_USER`` is not defined.
+:Lines 14-15:
+  This test is critical, it assures ``REMOTE_USER`` is defined in the
+  assertion, if not the rule is skipped because we depend on
+  ``REMOTE_USER``.
+:Lines 16-17:
+  Performs a regular expression match against ``REMOTE_USER`` to split
+  the username from the domain. The regular expression uses named
+  groups, in this instance ``username`` and ``domain``. If the regular
+  expression does not match the rule is skipped.
+:Lines 18-19:
+  These lines reference the previous result of the regular expression
+  match which are stored in the special variable ``$regexp_map``. The
+  username is converted to lower case and stored in ``$username`` and
+  the domain is converted to upper case and stored in ``$domain``. The
+  choice of case is purely by convention and site requirements.
+:Lines 21-35:
+  These 3 blocks assign roles based on group membership.
+:Lines 21-25:
+  Assures ``REMOTE_USER_GROUPS`` is defined in the assertion; if not, the
+  rule is skipped. ``REMOTE_USER_GROUPS`` is colon separated list of group
+  names. In order to operate on the individual group names appearing
+  in ``REMOTE_USER_GROUPS`` line 24 splits the string on the colon
+  separator and stores the result in the ``$groups`` array.
+:Lines 27-30:
+  This block assigns the ``user`` role if the user is a member of the
+  ``odl_users`` group.
+:Lines 31-35:
+  This block assigns the ``admin`` role if the user is a
+  member of the ``odl_admin`` group.
+:Lines 36-41:
+  This block performs final clean up actions for the rule. First it
+  assures there are no duplicates in the ``$roles`` array by calling
+  the ``unique`` function. Then it gets a count of how many items are
+  in the ``$roles`` array and tests to see if it's empty. If there are
+  no roles assigned the rule is skipped.
+:Line 43:
+  This is the end of the rule. If we reach the end of the rule it
+  succeeds. When a rule succeeds the mapping associated with the rule
+  is looked up. Any rule variable appearing in the mapping is
+  substituted with its value.
+
+Using the rules in `Mapping Rule Example 1.`_ and following example assertion
+in JSON format:
+
+_`Assertion Example 1.`
+
+::
+
+  {
+    "REMOTE_USER": "TestUser@example.com",
+    "REMOTE_AUTH_TYPE": "Negotiate",
+    "REMOTE_USER_GROUPS": "odl_users:odl_admin",
+    "REMOTE_USER_EMAIL": "test.user@example.com",
+    "REMOTE_USER_FIRSTNAME": "Test",
+    "REMOTE_USER_LASTNAME": "User"
+  }
+
+Then the mapper will return the following mapped JSON document. This
+is the ``mapping`` defined on line 2 of `Mapping Rule Example 1.`_ with the
+variables substituted after the rule successfully executed. Note any
+valid JSON data type can be returned, in this example the ``null``
+value is returned for ``ClientId`` and ``UserId``, normal strings for
+``User`` and ``Domain`` and an array of strings for the ``roles`` value.
+
+_`Mapped Result Example 1.`
+
+::
+
+  {
+    "ClientId": null,
+    "UserId": null,
+    "User": "testuser",
+    "Domain": "EXAMPLE.COM",
+    "roles": ["user", "admin"]
+  }
+
+
+**************************
+The Mapping Rule Processor
+**************************
+
+The Mapping Rule Processor is designed to be as flexible and generic
+as possible. It accepts a JSON object as input and returns a JSON
+object as output. JSON was chosen because virtually all data can be
+represented in JSON, JSON has extensive support and JSON is human
+readable. The rules loaded into the Mapping Rule Processor are also
+expressed in JSON. One advantage of this is it makes it easy for a
+site administrator to define hardcoded values which are always
+returned and/or static tables of white and black listed users or users
+who are always mapped into certain roles.
+
+.. include:: mapping.rst
+
+***********************
+Security Considerations
+***********************
+
+Attack Vectors
+==============
+
+A Java EE Container fronted by Apache has by definition 2 major
+components:
+
+* Apache
+* Java EE Container
+
+Each of these needs to be secure in its own right. There is extensive
+documentation on securing each of these components and the reader is
+encouraged to review this material. For the purpose of this discussion
+we are most interested in how Apache and the Java EE
+Container cooperate to form an integrated security system. Because
+Apache is performing authentication on behalf of the Java EE Container,
+it views Apache as a trusted partner. Our primary concern is the
+communication channel between Apache and the Java EE Container. We
+must assure the Java EE Container knows who it's trusted partner is
+and that it only accepts security sensitive data from that partner,
+this can best be described as `The Proxy Problem`_.
+
+Forged REMOTE_USER
+------------------
+
+HTTP request handling is often implemented as a processing pipeline
+where individual handlers are passed the request, they may then attach
+additional metadata to the request or transform it in some manner
+before handing it off to the next stage in the pipeline. A request
+handler may also short circuit the request processing pipeline and
+cause a response to be generated. Authentication is typically
+implemented an as early stage request handler. If a request gets past
+an authentication handler later stage handlers can safely assume the
+request belongs to an authenticated user. Authorization metadata may
+also have been attached to the request. Later stage handlers use the
+authentication/authorization metadata to make decisions as to whether
+the operations in the request can be satisfied.
+
+When a request is fielded by a traditional web server with CGI (Common
+Gateway Interface, RFC 3875) the request metadata is passed via CGI
+meta-variables. CGI meta-variables are often implemented as environment
+variables, but in practical terms CGI metadata is really just a set of
+name/value pairs a later stage (i.e. CGI script, servlet, etc.) can
+reference to learn information about the request.
+
+The CGI meta-variables REMOTE_USER and AUTH_TYPE relate to
+authentication. REMOTE_USER is the identity of the authenticated user
+and AUTH_TYPE is the authentication mechanism that was used to
+authenticate the user.
+
+**If a later stage request handler sees REMOTE_USER and AUTH_TYPE as
+non-null values it assumes the user is fully authenticated! Therefore
+is it essential REMOTE_USER and AUTH_TYPE can only enter the request
+pipeline via a trusted source.**
+
+The Proxy Problem
+=================
+
+In a traditional monolithic web server the CGI meta-variables are
+created and managed by the web server, which then passes them to CGI
+scripts and executables in a very controlled environment where they
+execute in the context of the web server. Forgery of CGI
+meta-variables is generally not possible unless the web server has
+been compromised in some fashion.
+
+However in our configuration the Apache web server acts as an identity
+processor, which then forwards (i.e. proxies) the request to the Java
+EE container (i.e Tomcat, Jetty, etc.). One could think of the Java
+EE container as just another CGI script which receives CGI
+meta-variables provided by the Apache web server. Where this analogy
+breaks down is how Apache invokes the CGI script. Instead of forking a
+child process where the child's environment and input/output pipes are
+carefully controlled by Apache the request along with its additional
+metadata is forwarded over a transport (typically TCP/IP) to another
+process, the proxy, which listens on socket.
+
+The proxy (in this case the Java EE container) reads the request and
+the attached metadata and acts upon it. If the request read by the
+proxy contains the REMOTE_USER and AUTH_TYPE CGI meta-variables the
+proxy will consider the request **fully authenticated!**. Therefore
+when the Java EE container is configured as a proxy it is
+**essential** it only reads requests from a **trusted** Apache web
+server. If any other client aside from the trusted Apache web server
+is permitted to connect to the Java EE container that client could
+present forged REMOTE_USER and AUTH_TYPE meta-variables, which would be
+automatically accepted as valid thus opening a huge security hole.
+
+
+Possible Approaches to Lock Down a Proxy Channel
+================================================
+
+Tomcat Valves
+-------------
+
+You can use a `Tomcat Remote Address Valve`_ valve to filter by IP or
+hostname to only allow a subset of machines to connect. This can be
+configured at the Engine, Host, or Context level in the
+conf/server.xml by adding something like the following:
+
+::
+
+  <!-- allow only LAN IPs to connect -->
+  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
+   allow="192.168.1.*">
+  </Valve>
+
+The problem with valves is they are a Tomcat only concept, the
+``RemoteAddrValve`` only checks addresses, not port numbers (although
+it should be easy to add port checking) and they don't offer anything
+better than what is described in `Locking Down the Apache to Java EE
+Container Channel`_, which is not container specific. Servlet filters
+are always available regardless of the container the servlet is
+running in. A filter can check both the address and port number and
+refuse to operate on the request if the address and port are not known to
+be a trusted authentication proxy. Also note that if the Java EE
+Container is configured to accept connections other than from the
+trusted HTTP proxy server (a very likely scenario) then filtering at
+the connector level is not sufficient because a servlet which trusts
+``REMOTE_USER`` must be assured the request arrived only on a
+trusted HTTP proxy server connection, not one of the other possible
+connections.
+
+SSL/TLS with client auth
+------------------------
+
+SSL with client authentication is the ultimate way to lock down a HTTP
+Server to Java EE Container proxy connection. SSL with client
+authentication provides authenticity, integrity, and
+confidentiality. However those desirable attributes come at a
+performance cost which may be excessive. Unless a persistent TCP
+connection is established between the HTTP server and the Java EE
+Container a SSL handshake will need to occur on each request being
+proxied, SSL handshakes are expensive. Given that the HTTP server and
+the Java EE Container will likely be deployed on the same compute node
+(or at a minimum on a secure subnet) the advantage of SSL for proxy
+connections may not be warranted because other options are available
+for these configuration scenarios; see `Locking Down the Apache to Java EE
+Container Channel`_. Also note that if the Java EE
+Container is configured to accept connections other than from the
+trusted HTTP proxy server (a very likely scenario), then filtering at
+the connector level is not sufficient because a servlet which trusts
+``REMOTE_USER`` must be assured that the request arrived only on a
+trusted HTTP proxy server connection, not one of the other possible
+connections.
+
+
+Java Security Manager Permissions
+---------------------------------
+
+The Java Security Manager allows you define permissions which are
+checked at run time before code executes.
+``java.net.SocketPermission`` and ``java.net.NetPermission`` would
+appear to offer solutions for restricting which host and port a
+request containing ``REMOTE_USER`` will be trusted. However security
+permissions are applied *after* a request is accepted by a
+connector. They are also more geared towards what connections code can
+subsequently utilize as opposed to what connection a request was
+presented on. Therefore security manager permissions seem to offer little
+value for our purpose. One can simply test to see which host sent the
+proxy request and on what port it arrived on by looking at the
+connection information in the request. Restricting which proxies can
+submit trusted requests is better handled at the level of the
+connector, which unfortunately is a container implementation
+issue. Tomcat and Jetty have different ways of handling connector
+specifications.
+
+AJP requiredSecret
+------------------
+
+The AJP protocol includes an attribute called ``requiredSecret``, which
+can be used to secure the connection between AJP endpoints. When an
+HTTP server sends an AJP proxy request to a Java EE Container it
+embeds in the protocol transmission a string (``requiredSecret``)
+known only to the HTTP server and the Java EE Container. The AJP
+connector on the Java EE Container is configured with the
+``requiredSecret`` value and will reject as unauthorized any AJP
+requests whose ``requiredSecret`` does not match.
+
+There are two problems with `requiredSecret``. First of all it's not
+particularly secure. In fact, it's fundamentally no different than
+sending a cleartext password. If the AJP request is not encrypted it
+means the ``requiredSecret`` will be sent in the clear which is
+probably one of the most egregious security mistakes. If the AJP
+request is transmitted in a manner where the traffic can be sniffed, it
+would be trivial to recover the ``requiredSecret`` and forge a request
+with it. On the other hand encrypting the communication channel
+between the HTTP server and the Java EE Container means using SSL
+which is fairly heavyweight. But more to the point, if one is using
+SSL to encrypt the channel there is a *far better* mechanism to ensure
+the HTTP server is who it claims to be than embedding
+``requiredSecret``. If one is using SSL you might as well use SSL
+client authentication where the HTTP identifies itself via a client
+certificate. SSL client authentication is a very robust authentication
+mechanism. But doing SSL client authentication, or for that matter
+just SSL encryption, for *every* AJP protocol request is prohibitively
+expensive from a performance standpoint.
+
+The second problem with ``requiredSecret`` is that despite being documented
+in a number of places it's not actually implemented in Apache
+``mod_proxy_ajp``. This is detailed in `bug 53098`_. You can set
+``requiredSecret`` in the ``mod_proxy_ajp`` configuration, but it won't
+be included in the wire protocol. There is a patch to implement
+``requiredSecret`` but, it hasn't made it into any shipping version of
+Apache yet. But even if ``requiredSecret`` was implemented it's not
+useful. Also one could construct the equivalent of ``requiredSecret``
+from other AJP attributes and/or an HTTP extension header but those
+would suffer from the same security issues ``requiredSecret`` has,
+therefore it's mostly pointless.
+
+Java EE Container Issues
+========================
+
+Jetty Issues
+------------
+
+Jetty is a Java EE Container which can be used
+as alternative to Tomcat. Jetty is an Eclipse project. Recent versions
+of Jetty have dropped support for AJP; this is described in the
+`Jetty AJP Configuration Guide`_ which states:
+
+  Configuring AJP13 Using mod_jk or mod_proxy_ajp. Support for this
+  feature has been dropped with Jetty 9.  If you feel this should be
+  brought back please file a bug.
+
+Eclipse `Bug 387928`_ *Retire jetty-ajp* was opened to track the
+removal of AJP in Jetty and is now closed.
+
+Tomcat Issues
+-------------
+
+You should refer the `Tomcat Security How-To`_ for a full discussion
+of Tomcat security issues.
+
+The tomcatAuthentication attribute is used with the AJP connectors to
+determine if Tomcat should authenticate the user or if authentication
+can be delegated to the reverse proxy that will then pass the
+authenticated username to Tomcat as part of the AJP protocol.
+
+The requiredSecret attribute in AJP connectors configures a shared
+secret between Tomcat and the reverse proxy in front of Tomcat. It is used
+to prevent unauthorized connections over AJP protocol.
+
+Locking Down the Apache to Java EE Container Channel
+====================================================
+
+The recommended approach to lock down the proxy channel is:
+
+  * Run both Apache and the servlet container on the same host.
+
+  * Configure Apache to forward the proxy request on the loopback
+    interface (e.g. 127.0.0.1 also known as ``localhost``). This
+    prohibits any external IP address from connecting, only processes
+    running on the locked down host can communicate over
+    ``localhost``.
+
+  * Reserve one or more ports for communication **exclusively** for
+    proxy communication between Apache and the servlet container. The
+    servlet container may listen on other ports for non-critical
+    non-authenticated requests.
+
+  * The ``ClaimAuthFilter`` that reads the identity metadata **must**
+    assure that requests have arrived only on a **trusted port**. To
+    achieve this the ``FederationConfiguration`` defines the
+    ``secureProxyPorts`` configuration option. ``secureProxyPorts`` is
+    a space delimited list of ports which during deployment the
+    administrator has configured such that they are **exclusively**
+    dedicated for use by the Apache server(s) providing authentication
+    and identity information. These ports are set in the servlet
+    container's ``Connector`` declarations. See `Declaring the
+    Connector Ports for Authentication Proxies`_ for more
+    information).
+
+  * When the ``ClaimAuthFilter`` receives a request, the first thing
+    it does is check the ``ServletRequest.getLocalPort()`` value and
+    verifies it is a member of the ``secureProxyPorts`` configuration
+    option. If the port is a member of ``secureProxyPorts``, it will
+    trust every identity assertion found in the request. If the local
+    port is not a member of ``secureProxyPorts``, a HTTP 401
+    (unauthorized) error status will be returned for the request. A
+    warning message will be logged the first time this occurs.
+
+
+Declaring the Connector Ports for Authentication Proxies
+--------------------------------------------------------
+
+As described in `The Proxy Problem`_ the AAA authentication system
+**must** confirm the request it is processing originated from a *trusted
+HTTP proxy server*. This is accomplished with port isolation.
+
+The administrator deploying a federated AAA solution with SSSD
+identity lookups must declare in the AAA federation configuration
+which ports the proxy requests from the trusted HTTP server will
+arrive on by setting the ``secureProxyPorts`` configuration
+item. These ports **must** only be used for the trusted HTTP proxy
+server. The AAA federation software will not perform authentication
+for any request arriving on a port other than those listed in
+``secureProxyPorts``.
+
+.. figure:: sssd_05.png
+   :align: center
+
+   _`Figure 5.`
+
+``secureProxyPorts`` configuration option is set either in the
+``federation.cfg`` file or in the
+``org.opendaylight.aaa.federation.secureProxyPorts`` bundle
+configuration. ``secureProxyPorts`` is a space-delimited list of port
+numbers on which a trusted HTTP proxy performing authentication
+forwards pre-authenticated requests. For example:
+
+::
+
+  secureProxyPorts=8383
+
+Means a request which arrived on port 8383 is from a trusted HTTP
+proxy server and the value of ``REMOTE_USER`` and other authentication
+metadata in request can be trusted.
+
+########
+Appendix
+########
+
+*****************
+CGI Export Issues
+*****************
+
+Apache processes requests as a series of steps in a pipeline
+fashion. The ordering of these steps is important. Core Apache is
+fairly minimal, most of Apache's features are supplied by loadable
+modules. When a module is loaded it registers a set of *hooks*
+(function pointers) which are to be run at specific stages in the
+Apache request processing pipeline. Thus a module can execute code at
+any of a number of stages in the request pipeline.
+
+The user metadata supplied by Apache is initialized in two distinct
+parts of Apache.
+
+  1. an authentication module (e.g. mod_auth_kerb)
+  2. the ``mod_lookup_identity`` module.
+
+After successful authentication the authentication module will set the
+name of the user principal and the mechanism used for authentication
+in the request structure.
+
+  * ``request->user``
+  * ``request->ap_auth_type``
+
+Authentication hooks run early in the request pipeline for the obvious
+reason a request should not be processed if not authenticated. The
+specific authentication module that runs is defined by ``Location``
+directive in the Apache configuration which binds specific
+authentication to specific URL's. The ``mod_lookup_identity`` module
+must run *after* authentication module runs because it depends on
+knowing who the authenticated principal is so it can lookup the data
+on that principal.
+
+When reading ``mod_lookup_identity`` documentation one often sees
+references to the ``REMOTE_USER`` CGI environment variable with the
+implication ``REMOTE_USER`` is how one accesses the name of the
+authenticated principal. This is a bit misleading, ``REMOTE_USER`` is
+a CGI environment variable. CGI environment variables are only set by
+Apache when it believes the request is going to be processed by a CGI
+implementation. In this case ``REMOTE_USER`` is initialized from the
+``request->user`` value.
+
+How is the authenticated principal actually forwarded to our proxy?
+===================================================================
+
+If we are using the AJP proxy protocol the ``mod_proxy_ajp`` module
+when preparing the proxy request will read the value of
+``request->user`` and insert it into the ``SC_A_REMOTE_USER`` AJP
+attribute. On the receiving end ``SC_A_REMOTE_USER`` will be extracted
+from the AJP request and used to populate the value returned
+by``HttpServletRequest.getRemoteUser()``. The exchange of the
+authenticated principal when using AJP is transparent to both the
+sender and receiver, nothing special needs to be done. See
+`Transporting Identity Metadata from Apache to a Java EE Servlet`_
+for details on how metadata can be exchanged with the proxy.
+
+However, if AJP is not being used to proxy the request the
+authenticated principal must be passed through some other mechanism,
+an HTTP extension header is the obvious solution. The Apache
+``mod_headers`` module can be used to add HTTP request headers to the
+proxy request, for example:
+
+::
+
+  RequestHeader set MY_HEADER MY_VALUE
+
+Where does the value MY_VALUE come from? It can be hardcoded into the
+``RequestHeader`` statement or it can reference an existing
+environment variable like this:
+
+::
+
+  RequestHeader set MY_HEADER %{FOOBAR}e
+
+where the notation ``%{FOOBAR}e`` is the contents of the environment
+variable FOOBAR. Thus we might expect we could do this:
+
+::
+
+  RequestHeader set REMOTE_USER %{REMOTE_USER}e
+
+The conundrum is the presumption the ``REMOTE_USER`` environment
+variable has already been set at the time ``mod_headers`` executes the
+``RequestHeader`` statement. Unfortunately this often is not the
+case.
+
+The Apache environment variables ``REMOTE_USER`` and ``AUTH_TYPE`` are
+set by the Apache function ``ap_add_common_vars()`` defined in
+server/util_script.c.  ``ap_add_common_vars()`` and is called by the
+following modules:
+
+  * mod_authnz_fcgi
+  * mod_proxy_fcgi
+  * mod_proxy_scgi
+  * mod_isapi
+  * mod_ext_filter
+  * mod_include
+  * mod_cgi
+  * mod_cgid
+
+Apache variables
+================
+
+Apache modules provide access to variables which can be referenced by
+configuration directives. Unfortunately there isn't a lot of
+uniformity to what the variables are and how they're referenced; it
+mostly depends on how a given Apache module was implemented. As you
+might imagine a bit of inconsistent historical cruft has accumulated
+over the years, it can be confusing. The Apache Foundation is trying
+to clean some of this up bringing uniformity to modules by utilizing
+the common ``expr`` (expression) module `ap_expr`_. The idea being modules will
+forgo their home grown expression syntax with its numerous quirks and
+instead expose the common ``expr`` language. However this is a work in
+progress and at the time of this writing only a few modules have acquired
+``expr`` expression support.
+
+Among the existing Apache modules there currently are three different
+sets of variables.
+
+  1. Server variables.
+  2. Environment variables.
+  3. SSL variables.
+
+Server variables (item 1) are names given to internal values. The set
+of names for server variables and what they map to are defined by the
+module implementing the server variable lookup. For example
+``mod_rewrite`` has its own variable lookup implementation.
+
+Environment variables (item 2) are variables *exported* to a
+subprocess. Internally they are stored in
+``request->subprocess_env``. The most common use of environment
+variables exported to a subprocess are the CGI variables.
+
+SSL variables are connection specific values describing the SSL
+connection. The lookup is implemented by ``ssl_var_lookup()``, which
+given a variable name looks in a variety of internal data structures to
+find the matching value.
+
+The important thing to remember is **server variables != environment
+variables**. This can be confusing because they often share the same
+name. For example, there is the server variable ``REMOTE_USER`` and
+there is the environment variable ``REMOTE_USER``. The environment
+variable ``REMOTE_USER`` only exists if some module has called
+``ap_add_common_vars()``. To complicate matters, some modules allow you
+to access *server variables*, other modules allow you to access
+*environment variables* and some modules provide access to both
+*server variables* and *environment variables*.
+
+Coming back to our goal of setting an HTTP extension header to the
+value of ``REMOTE_USER``, we observe that ``mod_headers`` provides the
+needed ``RequestHeader`` operation to set a HTTP header in the
+request. Looking at the documentation for ``RequestHeader`` we see a
+value can be specified with one of the following lookups:
+
+%{VARNAME}e
+  The contents of the environment variable VARNAME.
+
+%{VARNAME}s
+  The contents of the SSL environment variable VARNAME, if mod_ssl is enabled.
+
+But wait! This only gives us access to *environment variables* and the
+``REMOTE_USER`` environment variable is only set if
+``ap_add_common_vars()`` is called by a module **after** an
+authentication module runs! ``ap_add_common_vars()`` is usually only
+invoked if the request is going to be passed to a CGI script. But
+we're not doing CGI; instead we're proxying the request. The
+likelihood the ``REMOTE_USER`` environment variable will be set is
+quite low. See `Setting the REMOTE_USER environment variable`_.
+
+``mod_headers`` is the only way to set a HTTP extension header and
+``mod_headers`` only gives you access to environment variables and the
+``REMOTE_USER`` environment variable is not set. Therefore if we're
+not using AJP and must depend on setting a HTTP extension header for
+``REMOTE_USER``, we have a **serious problem**.
+
+But there is a solution; you can either try the machinations described
+in `Setting the REMOTE_USER environment variable`_ or assure you're
+running at least Apache version 2.4.10. In Apache 2.4.10 the
+``mod_headers`` module added support for `ap_expr`_. `ap_expr`_
+provides access to *server variables* by using the ``%{VARIABLE}``
+notation. `ap_expr`_ also can lookup subprocess environment variables
+and operating system environment variables using its ``reqenv()`` and
+``osenv()`` functions respectively.
+
+Thus the simple solution for exporting the ``REMOTE_USER`` HTTP
+extension header if you're running Apache 2.4.10 or later is:
+
+::
+
+  RequestHeader set X-SSSD-REMOTE_USER expr=%{REMOTE_USER}
+
+The ``expr=%{REMOTE_USER}`` in the above statement says pass
+``%{REMOTE_USER}`` as an expression to `ap_expr`_, evaluate the
+expression and return the value. In this case the expression
+``%{REMOTE_USER}`` is very simple, just the value of the server
+variables ``REMOTE_USER``. Because ``RequestHeader`` runs after
+authentication ``request->user`` will have been set.
+
+Setting the REMOTE_USER environment variable
+============================================
+
+If you do a web search on how to export ``REMOTE_USER`` in a HTTP
+extension header for a proxy you will discover this is a common
+problem that has frustrated a lot of people [2]_. The usual advice seems to
+be to use ``mod_rewrite`` with a look-ahead. In fact this is even
+documented in the `mod_rewrite documentation for REMOTE_USER`_ which says:
+
+  %{LA-U:variable} can be used for look-aheads which perform an
+  internal (URL-based) sub-request to determine the final value of
+  variable. This can be used to access variable for rewriting which is
+  not available at the current stage, but will be set in a later
+  phase.
+
+  For instance, to rewrite according to the REMOTE_USER variable from
+  within the per-server context (httpd.conf file) you must use
+  %{LA-U:REMOTE_USER} - this variable is set by the authorization
+  phases, which come after the URL translation phase (during which
+  mod_rewrite operates).
+
+One suggested solution is this:
+
+::
+
+  RewriteCond %{LA-U:REMOTE_USER} (.+)
+  RewriteRule .* - [E=RU:%1]
+  RequestHeader set X_REMOTE_USER %{RU}e
+
+1. The RewriteCond with the %{LA-U:} construct performs an internal
+   redirect to obtain the value of ``REMOTE_USER`` *server variable*,
+   if that value is non-empty because the (.+) regular expression
+   matched the rewrite condition succeeds and the following
+   RewriteRule executes.
+
+2. The RewriteRule executes, the first parameter is a pattern, the
+   second parameter is the replacement which can be followed by
+   optional flags inside brackets. The .* pattern is a regular
+   expression that matches anything, the - replacement is a special
+   value which indicates no replacement is to be performed. In other
+   words the pattern and replacement are no-ops and the RewriteRule is
+   just being used for it's side effect defined in the flags. The
+   E=NAME:VALUE notation says set the NAME environment variable to
+   VALUE. In this case the environment variable is RU and the value is
+   %1. The documentation for RewriteRule tells us that %N are
+   back-references to the last matched RewriteCond pattern, in this
+   case it's the value of ``REMOTE_USER``.
+
+3. Finally ``RequestHeader`` sets the request header
+   ``X_REMOTE_USER`` to the value of the ``RU`` environment variable.
+
+Another suggested solution is this:
+
+::
+
+  RewriteRule .* - [E=REMOTE_USER:%{LA-U:REMOTE_USER}]
+
+The Problem with mod_rewrite lookahead
+--------------------------------------
+
+I **do not recommend** using mod_rewrite's lookahead to gain access to
+authentication data values. Although the above suggestions will work
+to get access to ``REMOTE_USER`` it is *extremely inefficient* because
+it causes Apache to reprocess the request with an internal
+redirect. The documentation suggests a lookahead reference will cause
+one internal redirect. However from examining Apache debug logs the
+``mod_rewite`` lookahead caused ``mod_lookup_identity`` to be invoked
+**11 times** while handling one request. If the ``mod_rewrite``
+lookahead is removed and another technique is used to get access to
+``REMOTE_USER`` then ``mod_lookup_identity`` is invoked exactly once
+as expected.
+
+But it's not just ``REMOTE_USER`` which we need access to, we also need
+to reference ``AUTH_TYPE`` which has the identical issues associated
+with ``REMOTE_USER``. If an equivalent ``mod_rewrite`` block is added
+to the configuration for ``AUTH_TYPE`` so that both ``REMOTE_USER``
+and ``auth_type`` are resolved using a lookahead Apache appears to go
+into an infinite loop and the request stalls.
+
+I tried to debug what was occurring when Apache was configured this way
+and why it seemed to be executing the same code over and over but I
+was not able to figure it out. My conclusion is **using mod_rewrite
+lookahead's is not a viable solution!** Other web posts also make
+reference to the inefficiency but they seem to be unaware of just how
+bad it is.
+
+.. [1]
+   Tomcat has a bug/feature, not all attributes are enumerated by
+   getAttributeNames() therefore getAttributeNames() cannot be used to
+   obtain the full set of attributes. However if you know the name of
+   the attribute a priori you can call getAttribute() and obtain the
+   value. Therefore we maintain a list of attribute names
+   (httpAttributes) which will be used to call getAttribute() with so we
+   don't miss essential attributes.
+
+   This is the Tomcat bug, note it is marked WONTFIX. Bug 25363 -
+   request.getAttributeNames() not working properly Status: RESOLVED
+   WONTFIX https://issues.apache.org/bugzilla/show_bug.cgi?id=25363
+
+   The solution adopted by Tomcat is to document the behavior in the
+   "The Apache Tomcat Connector - Reference Guide" under the JkEnvVar
+   property where is says:
+
+   You can retrieve the variables on Tomcat as request attributes via
+   request.getAttribute(attributeName). Note that the variables send via
+   JkEnvVar will not be listed in request.getAttributeNames().
+
+.. [2]
+   Some examples of posts concerning the export of ``REMOTE_USER``  include:
+   http://www.jaddog.org/2010/03/22/how-to-proxy-pass-remote_user/ and
+   http://serverfault.com/questions/23273/apache-proxy-passing-on-remote-user-to-backend-server/
+
+.. [3]
+   The ``mod_lookup_identity`` ``LookupUserGroups`` option accepts an
+   optional parameter to specify the separator used to separate group
+   names. By convention this is normally the colon (:) character. In
+   our examples we explicitly specify the colon separator because the
+   mapping rules split the value found in ``REMOTE_USER_GROUPS`` on
+   the colon character.
+
+.. [4]
+   The example of using the `The Mapping Rule Processor`_ to establish
+   the set of roles assigned to a user based on group membership is
+   for illustrative purposes in order to show features of the
+   federated IdP and mapping mechanism. Role assignment in AAA may be
+   done in other ways. For example an unscoped token without roles can
+   be used to acquire a scoped token with roles by presenting it to
+   the appropriate REST API endpoint. In actual deployments this may
+   be preferable because it places the responsibility of deciding who
+   has what role/permission on what part of the controller/network
+   resources more in the hands of the SDN controller administrator
+   than the IdP administrator.
+
+.. _FreeIPA: http://www.freeipa.org/
+
+.. _SSSD: https://fedorahosted.org/sssd/
+
+.. _mod_identity_lookup: http://www.adelton.com/apache/mod_lookup_identity/
+
+.. _AJP: http://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
+
+.. _Tomcat Security How-To: http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
+
+.. _The Apache Tomcat Connector - Generic HowTo: http://tomcat.apache.org/connectors-doc/generic_howto/printer/proxy.html
+
+.. _CGI RFC: http://www.ietf.org/rfc/rfc3875
+
+.. _ap_expr: http://httpd.apache.org/docs/current/expr.html
+
+.. _mod_rewrite documentation for REMOTE_USER: http://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewritecond
+
+.. _bug 53098: https://issues.apache.org/bugzilla/show_bug.cgi?id=53098
+
+.. _Jetty AJP Configuration Guide: http://wiki.eclipse.org/Jetty/Howto/Configure_AJP13
+
+.. _Bug 387928: https://bugs.eclipse.org/bugs/show_bug.cgi?id=387928
+
+.. _Tomcat Remote Address Valve: http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_Address_Filter
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/Authentication.java b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/Authentication.java
new file mode 100644
index 00000000..25ba898b
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/Authentication.java
@@ -0,0 +1,26 @@
+/*
+ * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.api;
+
+/**
+ * An immutable authentication context.
+ *
+ * @author liemmn
+ */
+public interface Authentication extends Claim {
+
+    /**
+     * Get the authentication expiration date/time in number of milliseconds
+     * since start of epoch.
+     *
+     * @return expiration milliseconds since start of UTC epoch
+     */
+    long expiration();
+
+}
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/AuthenticationException.java b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/AuthenticationException.java
new file mode 100644
index 00000000..d4621527
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/AuthenticationException.java
@@ -0,0 +1,31 @@
+/*
+ * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.api;
+
+/**
+ * A catch-all authentication exception.
+ *
+ * @author liemmn
+ *
+ */
+public class AuthenticationException extends RuntimeException {
+    private static final long serialVersionUID = -187422301135305719L;
+
+    public AuthenticationException(String msg) {
+        super(msg);
+    }
+
+    public AuthenticationException(String msg, Throwable cause) {
+        super(msg, cause);
+    }
+
+    public AuthenticationException(Throwable cause) {
+        super(cause);
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/AuthenticationService.java b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/AuthenticationService.java
new file mode 100644
index 00000000..24ae9238
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/AuthenticationService.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.api;
+
+/**
+ * Authentication service to provide authentication context.
+ */
+public interface AuthenticationService {
+    /**
+     * Retrieve the current security context, or null if none exists.
+     *
+     * @return security context
+     */
+    Authentication get();
+
+    /**
+     * Set the current security context. Only {@link TokenAuth} should set
+     * security context based on the authentication result.
+     *
+     * @param auth
+     *            security context
+     */
+    void set(Authentication auth);
+
+    /**
+     * Clear the current security context.
+     */
+    void clear();
+
+    /**
+     * Checks to see if authentication is enabled.
+     *
+     * @return true if it is, false otherwise
+     */
+    boolean isAuthEnabled();
+}
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/Claim.java b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/Claim.java
new file mode 100644
index 00000000..7d9a229a
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/Claim.java
@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.api;
+
+import java.util.Set;
+
+/**
+ * A claim typically provided by an identity provider after validating the
+ * needed identity and credentials.
+ *
+ * @author liemmn
+ *
+ */
+public interface Claim {
+    /**
+     * Get the id of the authorized client. If the id is an empty string, it
+     * means that the client is anonymous.
+     *
+     * @return id of the authorized client, or empty string if anonymous
+     */
+    String clientId();
+
+    /**
+     * Get the user id. User IDs are system-created.
+     *
+     * @return unique user id
+     */
+    String userId();
+
+    /**
+     * Get the user name. User names are externally created.
+     *
+     * @return unique user name
+     */
+    String user();
+
+    /**
+     * Get the fully-qualified domain name. Domain names are externally created.
+     *
+     * @return unique domain name, or empty string for a claim tied to no domain
+     */
+    String domain();
+
+    /**
+     * Get a set of user roles. Roles are externally created.
+     *
+     * @return set of user roles
+     */
+    Set<String> roles();
+}
\ No newline at end of file
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/ClaimAuth.java b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/ClaimAuth.java
new file mode 100644
index 00000000..447ffb35
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/ClaimAuth.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.api;
+
+import java.util.Map;
+
+/**
+ * An interface for in-bound claim transformation.
+ *
+ * @author liemmn
+ *
+ */
+public interface ClaimAuth {
+
+    /**
+     * Transform a map of opaque in-bound claims into a {@link Claim} object. An
+     * example of an opaque claim map entry is
+     * <code>"USER_NAME" -&gt; "joe".</code>
+     * <p>
+     * If there is no applicable claim information for the current
+     * implementation, this method should return a <code>null</code>.
+     * <p>
+     * In-bound claims are extracted from HttpServletRequest attributes,
+     * headers, and CGI variables as documented per Servlet specs.
+     *
+     * @param claim
+     *            opaque claim
+     * @return normalized claim, or null if not applicable
+     */
+    Claim transform(Map<String, Object> claim);
+}
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/ClientService.java b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/ClientService.java
new file mode 100644
index 00000000..c11eec1c
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/ClientService.java
@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.api;
+
+/**
+ * A service for managing authorized clients to the controller.
+ *
+ * @author liemmn
+ *
+ */
+public interface ClientService {
+
+    void validate(String clientId, String clientSecret) throws AuthenticationException;
+}
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/CredentialAuth.java b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/CredentialAuth.java
new file mode 100644
index 00000000..341e49ae
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/CredentialAuth.java
@@ -0,0 +1,28 @@
+/*
+ * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.api;
+
+/**
+ * An interface for direct authentication with some given credentials.
+ *
+ * @author liemmn
+ */
+public interface CredentialAuth<T extends Credentials> {
+
+    /**
+     * Authenticate a claim with the given credentials and domain scope.
+     *
+     * @param cred
+     *            credentials
+     * @throws AuthenticationException
+     *             if failed authentication
+     * @return authenticated claim
+     */
+    Claim authenticate(T cred) throws AuthenticationException;
+}
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/Credentials.java b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/Credentials.java
new file mode 100644
index 00000000..7d2f19e5
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/Credentials.java
@@ -0,0 +1,15 @@
+/*
+ * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.api;
+
+/**
+ * An interface to represent user credentials.
+ */
+public interface Credentials {
+}
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/IDMStoreException.java b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/IDMStoreException.java
new file mode 100644
index 00000000..026c11ce
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/IDMStoreException.java
@@ -0,0 +1,24 @@
+/*
+ * Copyright (c) 2015 Cisco Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+package org.opendaylight.aaa.api;
+
+/*
+ * @author - Sharon Aicler (saichler@cisco.com)
+ */
+public class IDMStoreException extends Exception {
+
+    private static final long serialVersionUID = -7534127680943957878L;
+
+    public IDMStoreException(Exception e) {
+        super(e);
+    }
+
+    public IDMStoreException(String msg) {
+        super(msg);
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/IDMStoreUtil.java b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/IDMStoreUtil.java
new file mode 100644
index 00000000..07dd522f
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/IDMStoreUtil.java
@@ -0,0 +1,40 @@
+/*
+ * Copyright (c) 2015 Cisco Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+package org.opendaylight.aaa.api;
+
+import javax.naming.OperationNotSupportedException;
+
+/*
+ *  This class is a utility to construct the different elements keys for the different data stores.
+ *  For not making mistakes around the code constructing an element key, this class standardize the
+ *  way the key is constructed to be used by the different data stores.
+ *
+ *  @author - Sharon Aicler (saichler@cisco.com)
+ */
+
+public class IDMStoreUtil {
+    private IDMStoreUtil() throws OperationNotSupportedException {
+        throw new OperationNotSupportedException();
+    }
+
+    public static String createDomainid(String domainName) {
+        return domainName;
+    }
+
+    public static String createUserid(String username, String domainid) {
+        return username + "@" + domainid;
+    }
+
+    public static String createRoleid(String rolename, String domainid) {
+        return rolename + "@" + domainid;
+    }
+
+    public static String createGrantid(String userid, String domainid, String roleid) {
+        return userid + "@" + roleid + "@" + domainid;
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/IIDMStore.java b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/IIDMStore.java
new file mode 100644
index 00000000..7b031e05
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/IIDMStore.java
@@ -0,0 +1,72 @@
+/*
+ * Copyright (c) 2015 Cisco Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+package org.opendaylight.aaa.api;
+
+import org.opendaylight.aaa.api.model.Domain;
+import org.opendaylight.aaa.api.model.Domains;
+import org.opendaylight.aaa.api.model.Grant;
+import org.opendaylight.aaa.api.model.Grants;
+import org.opendaylight.aaa.api.model.Role;
+import org.opendaylight.aaa.api.model.Roles;
+import org.opendaylight.aaa.api.model.User;
+import org.opendaylight.aaa.api.model.Users;
+
+/**
+ * @author - Sharon Aicler (saichler@cisco.com)
+ **/
+public interface IIDMStore {
+    public String DEFAULT_DOMAIN = "sdn";
+
+    // Domain methods
+    public Domain writeDomain(Domain domain) throws IDMStoreException;
+
+    public Domain readDomain(String domainid) throws IDMStoreException;
+
+    public Domain deleteDomain(String domainid) throws IDMStoreException;
+
+    public Domain updateDomain(Domain domain) throws IDMStoreException;
+
+    public Domains getDomains() throws IDMStoreException;
+
+    // Role methods
+    public Role writeRole(Role role) throws IDMStoreException;
+
+    public Role readRole(String roleid) throws IDMStoreException;
+
+    public Role deleteRole(String roleid) throws IDMStoreException;
+
+    public Role updateRole(Role role) throws IDMStoreException;
+
+    public Roles getRoles() throws IDMStoreException;
+
+    // User methods
+    public User writeUser(User user) throws IDMStoreException;
+
+    public User readUser(String userid) throws IDMStoreException;
+
+    public User deleteUser(String userid) throws IDMStoreException;
+
+    public User updateUser(User user) throws IDMStoreException;
+
+    public Users getUsers() throws IDMStoreException;
+
+    public Users getUsers(String username, String domain) throws IDMStoreException;
+
+    // Grant methods
+    public Grant writeGrant(Grant grant) throws IDMStoreException;
+
+    public Grant readGrant(String grantid) throws IDMStoreException;
+
+    public Grant deleteGrant(String grantid) throws IDMStoreException;
+
+    public Grants getGrants(String domainid, String userid) throws IDMStoreException;
+
+    public Grants getGrants(String userid) throws IDMStoreException;
+
+    public Grant readGrant(String domainid, String userid, String roleid) throws IDMStoreException;
+}
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/IdMService.java b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/IdMService.java
new file mode 100644
index 00000000..1d698da5
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/IdMService.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.api;
+
+import java.util.List;
+
+/**
+ * A service to provide identity information.
+ *
+ * @author liemmn
+ *
+ */
+public interface IdMService {
+    /**
+     * List all domains that the given user has at least one role on.
+     *
+     * @param userId
+     *            id of user
+     * @return list of all domains that the given user has access to
+     */
+    List<String> listDomains(String userId);
+
+    /**
+     * List all roles that the given user has on the given domain.
+     *
+     * @param userId
+     *            id of user
+     * @param domain
+     *            domain
+     * @return list of roles
+     */
+    List<String> listRoles(String userId, String domain);
+}
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/PasswordCredentials.java b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/PasswordCredentials.java
new file mode 100644
index 00000000..e5fa346d
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/PasswordCredentials.java
@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.api;
+
+/**
+ * Good 'ole username/password.
+ */
+public interface PasswordCredentials extends Credentials {
+    String username();
+
+    String password();
+
+    String domain();
+}
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/SHA256Calculator.java b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/SHA256Calculator.java
new file mode 100644
index 00000000..81f4b899
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/SHA256Calculator.java
@@ -0,0 +1,83 @@
+/*
+ * Copyright (c) 2015 Cisco Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+package org.opendaylight.aaa.api;
+
+import java.security.MessageDigest;
+import java.util.concurrent.locks.ReentrantReadWriteLock;
+import java.util.concurrent.locks.ReentrantReadWriteLock.WriteLock;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * @author Sharon Aicler (saichler@cisco.com)
+ */
+public class SHA256Calculator {
+
+    private static final Logger LOG = LoggerFactory.getLogger(SHA256Calculator.class);
+
+    private static MessageDigest md = null;
+    private static ReentrantReadWriteLock lock = new ReentrantReadWriteLock();
+    private static WriteLock writeLock = lock.writeLock();
+
+    public static String generateSALT() {
+        StringBuffer salt = new StringBuffer();
+        for (int i = 0; i < 12; i++) {
+            int random = (int) (Math.random() * 24 + 1);
+            salt.append((char) (65 + random));
+        }
+        return salt.toString();
+    }
+
+    public static String getSHA256(byte data[], String salt) {
+        byte SALT[] = salt.getBytes();
+        byte temp[] = new byte[data.length + SALT.length];
+        System.arraycopy(data, 0, temp, 0, data.length);
+        System.arraycopy(SALT, 0, temp, data.length, SALT.length);
+
+        if (md == null) {
+            try {
+                writeLock.lock();
+                if (md == null) {
+                    try {
+                        md = MessageDigest.getInstance("SHA-256");
+                    } catch (Exception err) {
+                        LOG.error("Error calculating SHA-256 for SALT", err);
+                    }
+                }
+            } finally {
+                writeLock.unlock();
+            }
+        }
+
+        byte by[] = null;
+
+        try {
+            writeLock.lock();
+            md.update(temp);
+            by = md.digest();
+        } finally {
+            writeLock.unlock();
+        }
+        return removeSpecialCharacters(new String(by));
+    }
+
+    public static String getSHA256(String password, String salt) {
+        return getSHA256(password.getBytes(), salt);
+    }
+
+    public static String removeSpecialCharacters(String str) {
+        StringBuilder buff = new StringBuilder();
+        for (int i = 0; i < str.length(); i++) {
+            if (str.charAt(i) != '\'' && str.charAt(i) != 0) {
+                buff.append(str.charAt(i));
+            }
+        }
+        return buff.toString();
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/TokenAuth.java b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/TokenAuth.java
new file mode 100644
index 00000000..bbf6fa2b
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/TokenAuth.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.api;
+
+import java.util.List;
+import java.util.Map;
+
+/**
+ * An interface for in-bound token authentication.
+ *
+ * @author liemmn
+ */
+public interface TokenAuth {
+
+    /**
+     * Validate the given token contained in the in-bound headers.
+     * <p>
+     * If there is no token signature in the given headers for this
+     * implementation, this method should return a null. If there is an
+     * applicable token signature, but the token validation fails, this method
+     * should throw an {@link AuthenticationException}.
+     *
+     * @param headers
+     *            headers containing token to validate
+     * @return authenticated context, or null if not applicable
+     * @throws AuthenticationException
+     *             if authentication fails
+     */
+    Authentication validate(Map<String, List<String>> headers) throws AuthenticationException;
+
+}
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/TokenStore.java b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/TokenStore.java
new file mode 100644
index 00000000..4cd7aa78
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/TokenStore.java
@@ -0,0 +1,25 @@
+/*
+ * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.api;
+
+/**
+ * A datastore for auth tokens.
+ *
+ * @author liemmn
+ *
+ */
+public interface TokenStore {
+    void put(String token, Authentication auth);
+
+    Authentication get(String token);
+
+    boolean delete(String token);
+
+    long tokenExpiration();
+}
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Claim.java b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Claim.java
new file mode 100644
index 00000000..180bddfb
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Claim.java
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.api.model;
+
+/**
+ *
+ * @author peter.mellquist@hp.com
+ *
+ */
+
+import java.util.List;
+
+import javax.xml.bind.annotation.XmlRootElement;
+
+@XmlRootElement(name = "Claim")
+public class Claim {
+    private String domainid;
+    private String userid;
+    private String username;
+    private List<Role> roles;
+
+    public String getDomainid() {
+        return domainid;
+    }
+
+    public void setDomainid(String id) {
+        this.domainid = id;
+    }
+
+    public String getUserid() {
+        return userid;
+    }
+
+    public void setUserid(String id) {
+        this.userid = id;
+    }
+
+    public String getUsername() {
+        return username;
+    }
+
+    public void setUsername(String name) {
+        this.username = name;
+    }
+
+    public List<Role> getRoles() {
+        return roles;
+    }
+
+    public void setRoles(List<Role> roles) {
+        this.roles = roles;
+    }
+
+}
\ No newline at end of file
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Domain.java b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Domain.java
new file mode 100644
index 00000000..a42e0b6d
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Domain.java
@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.api.model;
+
+/**
+ *
+ * @author peter.mellquist@hp.com
+ *
+ */
+
+import javax.xml.bind.annotation.XmlRootElement;
+
+@XmlRootElement(name = "domain")
+public class Domain {
+    private String domainid;
+    private String name;
+    private String description;
+    private Boolean enabled;
+
+    public String getDomainid() {
+        return domainid;
+    }
+
+    public void setDomainid(String id) {
+        this.domainid = id;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    public String getDescription() {
+        return description;
+    }
+
+    public void setDescription(String description) {
+        this.description = description;
+    }
+
+    public Boolean isEnabled() {
+        return enabled;
+    }
+
+    public void setEnabled(Boolean enabled) {
+        this.enabled = enabled;
+    }
+
+    @Override
+    public int hashCode() {
+        return this.name.hashCode();
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        Domain other = (Domain) obj;
+        if (other == null)
+            return false;
+        if (compareValues(getName(), other.getName())
+                && compareValues(getDomainid(), other.getDomainid())
+                && compareValues(getDescription(), other.getDescription()))
+            return true;
+        return false;
+    }
+
+    private boolean compareValues(Object a, Object b) {
+        if (a == null && b != null)
+            return false;
+        if (a != null && b == null)
+            return false;
+        if (a == null && b == null)
+            return true;
+        if (a.equals(b))
+            return true;
+        return false;
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Domains.java b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Domains.java
new file mode 100644
index 00000000..a8f2064b
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Domains.java
@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.api.model;
+
+/**
+ *
+ * @author peter.mellquist@hp.com
+ *
+ */
+
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.xml.bind.annotation.XmlRootElement;
+
+@XmlRootElement(name = "domains")
+public class Domains {
+    private List<Domain> domains = new ArrayList<Domain>();
+
+    public void setDomains(List<Domain> domains) {
+        this.domains = domains;
+    }
+
+    public List<Domain> getDomains() {
+        return domains;
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Grant.java b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Grant.java
new file mode 100644
index 00000000..20c2d128
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Grant.java
@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.api.model;
+
+/**
+ *
+ * @author peter.mellquist@hp.com
+ *
+ */
+
+import javax.xml.bind.annotation.XmlRootElement;
+
+@XmlRootElement(name = "grant")
+public class Grant {
+    private String grantid;
+    private String domainid;
+    private String userid;
+    private String roleid;
+
+    public String getGrantid() {
+        return this.grantid;
+    }
+
+    public void setGrantid(String id) {
+        this.grantid = id;
+    }
+
+    public String getDomainid() {
+        return domainid;
+    }
+
+    public void setDomainid(String id) {
+        this.domainid = id;
+    }
+
+    public String getUserid() {
+        return userid;
+    }
+
+    public void setUserid(String id) {
+        this.userid = id;
+    }
+
+    public String getRoleid() {
+        return roleid;
+    }
+
+    public void setRoleid(String id) {
+        this.roleid = id;
+    }
+
+    @Override
+    public int hashCode() {
+        return this.getUserid().hashCode();
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        Grant other = (Grant) obj;
+        if (other == null)
+            return false;
+        if (compareValues(getDomainid(), other.getDomainid())
+                && compareValues(getRoleid(), other.getRoleid())
+                && compareValues(getUserid(), other.getUserid()))
+            return true;
+        return false;
+    }
+
+    private boolean compareValues(Object a, Object b) {
+        if (a == null && b != null)
+            return false;
+        if (a != null && b == null)
+            return false;
+        if (a == null && b == null)
+            return true;
+        if (a.equals(b))
+            return true;
+        return false;
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Grants.java b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Grants.java
new file mode 100644
index 00000000..ce0d9b85
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Grants.java
@@ -0,0 +1,35 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.api.model;
+
+/**
+ *
+ * @author peter.mellquist@hp.com
+ *
+ */
+
+
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.xml.bind.annotation.XmlRootElement;
+
+@XmlRootElement(name = "grants")
+public class Grants {
+    private List<Grant> grants = new ArrayList<Grant>();
+
+    public void setGrants(List<Grant> grants) {
+        this.grants = grants;
+    }
+
+    public List<Grant> getGrants() {
+        return grants;
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/IDMError.java b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/IDMError.java
new file mode 100644
index 00000000..f44c43d9
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/IDMError.java
@@ -0,0 +1,61 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.api.model;
+
+/**
+ *
+ * @author peter.mellquist@hp.com
+ *
+ */
+
+import javax.ws.rs.core.Response;
+import javax.xml.bind.annotation.XmlRootElement;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+@XmlRootElement(name = "idmerror")
+public class IDMError {
+    private static final Logger LOG = LoggerFactory.getLogger(IDMError.class);
+
+    private String message;
+    private String details;
+    private int code = 500;
+
+    public IDMError() {
+    };
+
+    public IDMError(int statusCode, String msg, String msgDetails) {
+        code = statusCode;
+        message = msg;
+        details = msgDetails;
+    }
+
+    public String getMessage() {
+        return message;
+    }
+
+    public void setMessage(String msg) {
+        this.message = msg;
+    }
+
+    public String getDetails() {
+        return details;
+    }
+
+    public void setDetails(String details) {
+        this.details = details;
+    }
+
+    public Response response() {
+        LOG.error("error: {} details: {} status: {}", this.message, this.details, code);
+        return Response.status(this.code).entity(this).build();
+    }
+
+}
\ No newline at end of file
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Role.java b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Role.java
new file mode 100644
index 00000000..de707496
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Role.java
@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.api.model;
+
+/**
+ *
+ * @author peter.mellquist@hp.com
+ *
+ */
+
+import javax.xml.bind.annotation.XmlRootElement;
+
+@XmlRootElement(name = "role")
+public class Role {
+    private String roleid;
+    private String name;
+    private String description;
+    private String domainid;
+
+    public String getRoleid() {
+        return roleid;
+    }
+
+    public void setRoleid(String id) {
+        this.roleid = id;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    public String getDescription() {
+        return description;
+    }
+
+    public void setDescription(String description) {
+        this.description = description;
+    }
+
+    @Override
+    public int hashCode() {
+        return this.name.hashCode();
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        Role other = (Role) obj;
+        if (other == null)
+            return false;
+        if (compareValues(getName(), other.getName())
+                && compareValues(getRoleid(), other.getRoleid())
+                && compareValues(getDescription(), other.getDescription()))
+            return true;
+        return false;
+    }
+
+    public void setDomainid(String domainid) {
+        this.domainid = domainid;
+    }
+
+    public String getDomainid() {
+        return this.domainid;
+    }
+
+    private boolean compareValues(Object a, Object b) {
+        if (a == null && b != null)
+            return false;
+        if (a != null && b == null)
+            return false;
+        if (a == null && b == null)
+            return true;
+        if (a.equals(b))
+            return true;
+        return false;
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Roles.java b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Roles.java
new file mode 100644
index 00000000..33521028
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Roles.java
@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.api.model;
+
+/**
+ *
+ * @author peter.mellquist@hp.com
+ *
+ */
+
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.xml.bind.annotation.XmlRootElement;
+
+@XmlRootElement(name = "roles")
+public class Roles {
+    private List<Role> roles = new ArrayList<Role>();
+
+    public void setRoles(List<Role> roles) {
+        this.roles = roles;
+    }
+
+    public List<Role> getRoles() {
+        return roles;
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/User.java b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/User.java
new file mode 100644
index 00000000..c6c1f9a6
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/User.java
@@ -0,0 +1,126 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.api.model;
+
+/**
+ *
+ * @author peter.mellquist@hp.com
+ *
+ */
+
+import javax.xml.bind.annotation.XmlRootElement;
+
+@XmlRootElement(name = "user")
+public class User {
+    private String userid;
+    private String name;
+    private String description;
+    private Boolean enabled;
+    private String email;
+    private String password;
+    private String salt;
+    private String domainid;
+
+    public String getUserid() {
+        return userid;
+    }
+
+    public void setUserid(String id) {
+        this.userid = id;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    public String getDescription() {
+        return description;
+    }
+
+    public void setDescription(String description) {
+        this.description = description;
+    }
+
+    public Boolean isEnabled() {
+        return enabled;
+    }
+
+    public void setEnabled(Boolean enabled) {
+        this.enabled = enabled;
+    }
+
+    public void setEmail(String email) {
+        this.email = email;
+    }
+
+    public String getEmail() {
+        return email;
+    }
+
+    public void setPassword(String password) {
+        this.password = password;
+    }
+
+    public String getPassword() {
+        return password;
+    }
+
+    public void setSalt(String s) {
+        this.salt = s;
+    }
+
+    public String getSalt() {
+        return this.salt;
+    }
+
+    public String getDomainid() {
+        return domainid;
+    }
+
+    public void setDomainid(String domainid) {
+        this.domainid = domainid;
+    }
+
+    @Override
+    public int hashCode() {
+        return this.name.hashCode();
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        User other = (User) obj;
+        if (other == null)
+            return false;
+        if (compareValues(getName(), other.getName())
+                && compareValues(getEmail(), other.getEmail())
+                && compareValues(isEnabled(), other.isEnabled())
+                && compareValues(getPassword(), other.getPassword())
+                && compareValues(getSalt(), other.getSalt())
+                && compareValues(getUserid(), other.getUserid())
+                && compareValues(getDescription(), other.getDescription()))
+            return true;
+        return false;
+    }
+
+    private boolean compareValues(Object a, Object b) {
+        if (a == null && b != null)
+            return false;
+        if (a != null && b == null)
+            return false;
+        if (a == null && b == null)
+            return true;
+        if (a.equals(b))
+            return true;
+        return false;
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/UserPwd.java b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/UserPwd.java
new file mode 100644
index 00000000..4750616d
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/UserPwd.java
@@ -0,0 +1,40 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.api.model;
+
+/**
+ *
+ * @author peter.mellquist@hp.com
+ *
+ */
+
+import javax.xml.bind.annotation.XmlRootElement;
+
+@XmlRootElement(name = "userpwd")
+public class UserPwd {
+    private String username;
+    private String userpwd;
+
+    public String getUsername() {
+        return username;
+    }
+
+    public void setUsername(String name) {
+        this.username = name;
+    }
+
+    public String getUserpwd() {
+        return userpwd;
+    }
+
+    public void setUserpwd(String pwd) {
+        this.userpwd = pwd;
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Users.java b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Users.java
new file mode 100644
index 00000000..a0a001bd
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Users.java
@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.api.model;
+
+/**
+ *
+ * @author peter.mellquist@hp.com
+ *
+ */
+
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.xml.bind.annotation.XmlRootElement;
+
+@XmlRootElement(name = "users")
+public class Users {
+    private List<User> users = new ArrayList<User>();
+
+    public void setUsers(List<User> users) {
+        this.users = users;
+    }
+
+    public List<User> getUsers() {
+        return users;
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Version.java b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Version.java
new file mode 100644
index 00000000..a88c1f80
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-api/src/main/java/org/opendaylight/aaa/api/model/Version.java
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.api.model;
+
+/**
+ *
+ * @author peter.mellquist@hp.com
+ *
+ */
+
+import javax.xml.bind.annotation.XmlRootElement;
+
+@XmlRootElement(name = "version")
+public class Version {
+    private String id;
+    private String updated;
+    private String status;
+
+    public String getId() {
+        return id;
+    }
+
+    public void setId(String id) {
+        this.id = id;
+    }
+
+    public String getUpdated() {
+        return updated;
+    }
+
+    public void setUpdated(String name) {
+        this.updated = name;
+    }
+
+    public String getStatus() {
+        return status;
+    }
+
+    public void setStatus(String status) {
+        this.status = status;
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-authn-basic/pom.xml b/odl-aaa-moon/aaa-authn-basic/pom.xml
new file mode 100644
index 00000000..f98e6294
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-basic/pom.xml
@@ -0,0 +1,76 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.opendaylight.aaa</groupId>
+        <artifactId>aaa-parent</artifactId>
+        <version>0.3.1-Beryllium-SR1</version>
+        <relativePath>../parent</relativePath>
+    </parent>
+
+    <artifactId>aaa-authn-basic</artifactId>
+    <packaging>bundle</packaging>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.sun.jersey</groupId>
+            <artifactId>jersey-server</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.osgi</groupId>
+            <artifactId>org.osgi.core</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.felix</groupId>
+            <artifactId>org.apache.felix.dependencymanager</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <!-- Testing Dependencies -->
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-simple</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-all</artifactId>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.felix</groupId>
+                <artifactId>maven-bundle-plugin</artifactId>
+                <extensions>true</extensions>
+                <configuration>
+                    <instructions>
+                        <Bundle-Activator>org.opendaylight.aaa.basic.Activator</Bundle-Activator>
+                    </instructions>
+                    <manifestLocation>${project.basedir}/META-INF</manifestLocation>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+</project>
diff --git a/odl-aaa-moon/aaa-authn-basic/src/main/java/org/opendaylight/aaa/basic/Activator.java b/odl-aaa-moon/aaa-authn-basic/src/main/java/org/opendaylight/aaa/basic/Activator.java
new file mode 100644
index 00000000..bd57c9d3
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-basic/src/main/java/org/opendaylight/aaa/basic/Activator.java
@@ -0,0 +1,31 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.basic;
+
+import org.apache.felix.dm.DependencyActivatorBase;
+import org.apache.felix.dm.DependencyManager;
+import org.opendaylight.aaa.api.CredentialAuth;
+import org.opendaylight.aaa.api.TokenAuth;
+import org.osgi.framework.BundleContext;
+
+public class Activator extends DependencyActivatorBase {
+
+    @Override
+    public void init(BundleContext context, DependencyManager manager) throws Exception {
+        manager.add(createComponent()
+                .setInterface(new String[] { TokenAuth.class.getName() }, null)
+                .setImplementation(HttpBasicAuth.class)
+                .add(createServiceDependency().setService(CredentialAuth.class).setRequired(true)));
+    }
+
+    @Override
+    public void destroy(BundleContext context, DependencyManager manager) throws Exception {
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-authn-basic/src/main/java/org/opendaylight/aaa/basic/HttpBasicAuth.java b/odl-aaa-moon/aaa-authn-basic/src/main/java/org/opendaylight/aaa/basic/HttpBasicAuth.java
new file mode 100644
index 00000000..eff47e63
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-basic/src/main/java/org/opendaylight/aaa/basic/HttpBasicAuth.java
@@ -0,0 +1,129 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.basic;
+
+import com.sun.jersey.core.util.Base64;
+import java.util.List;
+import java.util.Map;
+import org.opendaylight.aaa.AuthenticationBuilder;
+import org.opendaylight.aaa.PasswordCredentialBuilder;
+import org.opendaylight.aaa.api.Authentication;
+import org.opendaylight.aaa.api.AuthenticationException;
+import org.opendaylight.aaa.api.Claim;
+import org.opendaylight.aaa.api.CredentialAuth;
+import org.opendaylight.aaa.api.PasswordCredentials;
+import org.opendaylight.aaa.api.TokenAuth;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * An HTTP Basic authenticator. Note that this is provided as a Hydrogen
+ * backward compatible authenticator, but usage of this authenticator or HTTP
+ * Basic Authentication is highly discouraged due to its vulnerability.
+ *
+ * To obtain a token using the HttpBasicAuth Strategy, add a header to your HTTP
+ * request in the form:
+ * <code>Authorization: Basic BASE_64_ENCODED_CREDENTIALS</code>
+ *
+ * Where <code>BASE_64_ENCODED_CREDENTIALS</code> is the base 64 encoded value
+ * of the user's credentials in the following form: <code>user:password</code>
+ *
+ * For example, assuming the user is "admin" and the password is "admin":
+ * <code>Authorization: Basic YWRtaW46YWRtaW4=</code>
+ *
+ * @author liemmn
+ *
+ */
+public class HttpBasicAuth implements TokenAuth {
+
+    public static final String AUTH_HEADER = "Authorization";
+
+    public static final String AUTH_SEP = ":";
+
+    public static final String BASIC_PREFIX = "Basic ";
+
+    // TODO relocate this constant
+    public static final String DEFAULT_DOMAIN = "sdn";
+
+    /**
+     * username and password
+     */
+    private static final int NUM_HEADER_CREDS = 2;
+
+    /**
+     * username, password and domain
+     */
+    private static final int NUM_TOKEN_CREDS = 3;
+
+    private static final Logger LOG = LoggerFactory.getLogger(HttpBasicAuth.class);
+
+    volatile CredentialAuth<PasswordCredentials> credentialAuth;
+
+    private static boolean checkAuthHeaderFormat(final String authHeader) {
+        return (authHeader != null && authHeader.startsWith(BASIC_PREFIX));
+    }
+
+    private static String extractAuthHeader(final Map<String, List<String>> headers) {
+        return headers.get(AUTH_HEADER).get(0);
+    }
+
+    private static String[] extractCredentialArray(final String authHeader) {
+        return new String(Base64.base64Decode(authHeader.substring(BASIC_PREFIX.length())))
+                .split(AUTH_SEP);
+    }
+
+    private static boolean verifyCredentialArray(final String[] creds) {
+        return (creds != null && creds.length == NUM_HEADER_CREDS);
+    }
+
+    private static String[] addDomainToCredentialArray(final String[] creds) {
+        String newCredentialArray[] = new String[NUM_TOKEN_CREDS];
+        System.arraycopy(creds, 0, newCredentialArray, 0, creds.length);
+        newCredentialArray[2] = DEFAULT_DOMAIN;
+        return newCredentialArray;
+    }
+
+    private static Authentication generateAuthentication(
+            CredentialAuth<PasswordCredentials> credentialAuth, final String[] creds)
+            throws ArrayIndexOutOfBoundsException {
+        final PasswordCredentials pc = new PasswordCredentialBuilder().setUserName(creds[0])
+                .setPassword(creds[1]).setDomain(creds[2]).build();
+        final Claim claim = credentialAuth.authenticate(pc);
+        return new AuthenticationBuilder(claim).build();
+    }
+
+    @Override
+    public Authentication validate(final Map<String, List<String>> headers)
+            throws AuthenticationException {
+        if (headers.containsKey(AUTH_HEADER)) {
+            final String authHeader = extractAuthHeader(headers);
+            if (checkAuthHeaderFormat(authHeader)) {
+                // HTTP Basic Auth
+                String[] creds = extractCredentialArray(authHeader);
+                // If no domain was supplied then use the default one, which is
+                // "sdn".
+                if (verifyCredentialArray(creds)) {
+                    creds = addDomainToCredentialArray(creds);
+                }
+                // Assumes correct formatting in form Base64("user:password").
+                // Throws an exception if an unknown format is used.
+                try {
+                    return generateAuthentication(this.credentialAuth, creds);
+                } catch (ArrayIndexOutOfBoundsException e) {
+                    final String message = "Login Attempt in Bad Format."
+                            + " Please provide user:password in Base64 format.";
+                    LOG.info(message);
+                    throw new AuthenticationException(message);
+                }
+            }
+        }
+        return null;
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-authn-basic/src/test/java/org/opendaylight/aaa/basic/HttpBasicAuthTest.java b/odl-aaa-moon/aaa-authn-basic/src/test/java/org/opendaylight/aaa/basic/HttpBasicAuthTest.java
new file mode 100644
index 00000000..4ee439df
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-basic/src/test/java/org/opendaylight/aaa/basic/HttpBasicAuthTest.java
@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.basic;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import com.sun.jersey.core.util.Base64;
+import java.io.UnsupportedEncodingException;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import org.junit.Before;
+import org.junit.Test;
+import org.opendaylight.aaa.ClaimBuilder;
+import org.opendaylight.aaa.PasswordCredentialBuilder;
+import org.opendaylight.aaa.api.AuthenticationException;
+import org.opendaylight.aaa.api.Claim;
+import org.opendaylight.aaa.api.CredentialAuth;
+
+public class HttpBasicAuthTest {
+    private static final String USERNAME = "admin";
+    private static final String PASSWORD = "admin";
+    private static final String DOMAIN = "sdn";
+    private HttpBasicAuth auth;
+
+    @SuppressWarnings("unchecked")
+    @Before
+    public void setup() {
+        auth = new HttpBasicAuth();
+        auth.credentialAuth = mock(CredentialAuth.class);
+        when(
+                auth.credentialAuth.authenticate(new PasswordCredentialBuilder()
+                        .setUserName(USERNAME).setPassword(PASSWORD).setDomain(DOMAIN).build()))
+                .thenReturn(
+                        new ClaimBuilder().setUser("admin").addRole("admin").setUserId("123")
+                                .build());
+        when(
+                auth.credentialAuth.authenticate(new PasswordCredentialBuilder()
+                        .setUserName(USERNAME).setPassword("bozo").setDomain(DOMAIN).build()))
+                .thenThrow(new AuthenticationException("barf"));
+    }
+
+    @Test
+    public void testValidateOk() throws UnsupportedEncodingException {
+        String data = USERNAME + ":" + PASSWORD + ":" + DOMAIN;
+        Map<String, List<String>> headers = new HashMap<>();
+        headers.put("Authorization",
+                Arrays.asList("Basic " + new String(Base64.encode(data.getBytes("utf-8")))));
+        Claim claim = auth.validate(headers);
+        assertNotNull(claim);
+        assertEquals(USERNAME, claim.user());
+        assertEquals("admin", claim.roles().iterator().next());
+    }
+
+    @Test(expected = AuthenticationException.class)
+    public void testValidateBadPassword() throws UnsupportedEncodingException {
+        String data = USERNAME + ":bozo:" + DOMAIN;
+        Map<String, List<String>> headers = new HashMap<>();
+        headers.put("Authorization",
+                Arrays.asList("Basic " + new String(Base64.encode(data.getBytes("utf-8")))));
+        auth.validate(headers);
+    }
+
+    @Test(expected = AuthenticationException.class)
+    public void testValidateBadPasswordNoDOMAIN() throws UnsupportedEncodingException {
+        String data = USERNAME + ":bozo";
+        Map<String, List<String>> headers = new HashMap<>();
+        headers.put("Authorization",
+                Arrays.asList("Basic " + new String(Base64.encode(data.getBytes("utf-8")))));
+        auth.validate(headers);
+    }
+
+    @Test(expected = AuthenticationException.class)
+    public void testBadHeaderFormatNoPassword() throws UnsupportedEncodingException {
+        // just provide the username
+        String data = USERNAME;
+        Map<String, List<String>> headers = new HashMap<>();
+        headers.put("Authorization",
+                Arrays.asList("Basic " + new String(Base64.encode(data.getBytes("utf-8")))));
+        auth.validate(headers);
+    }
+
+    @Test(expected = AuthenticationException.class)
+    public void testBadHeaderFormat() throws UnsupportedEncodingException {
+        // provide username:
+        String data = USERNAME + "$" + PASSWORD;
+        Map<String, List<String>> headers = new HashMap<>();
+        headers.put("Authorization",
+                Arrays.asList("Basic " + new String(Base64.encode(data.getBytes("utf-8")))));
+        auth.validate(headers);
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-federation/pom.xml b/odl-aaa-moon/aaa-authn-federation/pom.xml
new file mode 100644
index 00000000..0e84e185
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-federation/pom.xml
@@ -0,0 +1,132 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.opendaylight.aaa</groupId>
+        <artifactId>aaa-parent</artifactId>
+        <version>0.3.1-Beryllium-SR1</version>
+        <relativePath>../parent</relativePath>
+    </parent>
+
+    <artifactId>aaa-authn-federation</artifactId>
+    <packaging>bundle</packaging>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.sun.jersey</groupId>
+            <artifactId>jersey-server</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>javax.servlet-api</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.oltu.oauth2</groupId>
+            <artifactId>org.apache.oltu.oauth2.authzserver</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.oltu.oauth2</groupId>
+            <artifactId>org.apache.oltu.oauth2.common</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.oltu.oauth2</groupId>
+            <artifactId>org.apache.oltu.oauth2.resourceserver</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.osgi</groupId>
+            <artifactId>org.osgi.core</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.felix</groupId>
+            <artifactId>org.apache.felix.dependencymanager</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <!-- Testing Dependencies -->
+        <dependency>
+            <groupId>com.sun.jersey.jersey-test-framework</groupId>
+            <artifactId>jersey-test-framework-grizzly2</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.eclipse.jetty</groupId>
+            <artifactId>jetty-servlet-tester</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-all</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-simple</artifactId>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.felix</groupId>
+                <artifactId>maven-bundle-plugin</artifactId>
+                <extensions>true</extensions>
+                <configuration>
+                    <instructions>
+                        <Import-Package>*,com.sun.jersey.spi.container.servlet</Import-Package>
+                        <Web-ContextPath>/oauth2/federation</Web-ContextPath>
+                        <Web-Connectors>federationConn</Web-Connectors>
+                        <Bundle-Activator>org.opendaylight.aaa.federation.Activator</Bundle-Activator>
+                        <manifestLocation>${project.basedir}/META-INF</manifestLocation>
+                    </instructions>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>build-helper-maven-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>attach-artifacts</id>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>attach-artifact</goal>
+                        </goals>
+                        <configuration>
+                            <artifacts>
+                                <artifact>
+                                    <file>${project.build.directory}/classes/federation.cfg</file>
+                                    <type>cfg</type>
+                                    <classifier>config</classifier>
+                                </artifact>
+                            </artifacts>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+
+</project>
diff --git a/odl-aaa-moon/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/Activator.java b/odl-aaa-moon/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/Activator.java
new file mode 100644
index 00000000..4ae027c8
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/Activator.java
@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.federation;
+
+import java.util.Dictionary;
+import org.apache.felix.dm.DependencyActivatorBase;
+import org.apache.felix.dm.DependencyManager;
+import org.opendaylight.aaa.api.ClaimAuth;
+import org.opendaylight.aaa.api.IdMService;
+import org.opendaylight.aaa.api.TokenStore;
+import org.osgi.framework.BundleContext;
+import org.osgi.framework.Constants;
+import org.osgi.service.cm.ManagedService;
+
+/**
+ * An activator for the secure token server to inject in a
+ * <code>CredentialAuth</code> implementation.
+ *
+ * @author liemmn
+ *
+ */
+public class Activator extends DependencyActivatorBase {
+    private static final String FEDERATION_PID = "org.opendaylight.aaa.federation";
+
+    @Override
+    public void init(BundleContext context, DependencyManager manager) throws Exception {
+        manager.add(createComponent()
+                .setImplementation(ServiceLocator.getInstance())
+                .add(createServiceDependency().setService(TokenStore.class).setRequired(true))
+                .add(createServiceDependency().setService(IdMService.class).setRequired(true))
+                .add(createServiceDependency().setService(ClaimAuth.class).setRequired(false)
+                        .setCallbacks("claimAuthAdded", "claimAuthRemoved")));
+        context.registerService(ManagedService.class, FederationConfiguration.instance(),
+                addPid(FederationConfiguration.defaults));
+    }
+
+    @Override
+    public void destroy(BundleContext context, DependencyManager manager) throws Exception {
+    }
+
+    private Dictionary<String, ?> addPid(Dictionary<String, String> dict) {
+        dict.put(Constants.SERVICE_PID, FEDERATION_PID);
+        return dict;
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/ClaimAuthFilter.java b/odl-aaa-moon/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/ClaimAuthFilter.java
new file mode 100644
index 00000000..10a1277d
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/ClaimAuthFilter.java
@@ -0,0 +1,249 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.federation;
+
+import static javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED;
+import static org.opendaylight.aaa.federation.FederationEndpoint.AUTH_CLAIM;
+
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.opendaylight.aaa.api.Claim;
+import org.opendaylight.aaa.api.ClaimAuth;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * A generic {@link Filter} for {@link ClaimAuth} implementations.
+ * <p>
+ * This filter trusts any authentication metadata bound to a request. A request
+ * with fake authentication claims could be forged by an attacker and submitted
+ * to one of the Connector ports the engine is listening on and we would blindly
+ * accept the forged information in this filter. Therefore it is vital we only
+ * accept authentication claims from a trusted proxy. It is incumbent upon the
+ * site administrator to dedicate specific connector ports on which previously
+ * authenticated requests from a trusted proxy will be sent to and to assure
+ * only a trusted proxy can connect to that port. The site administrator must
+ * enumerate those ports in the configuration. We reject any request which did
+ * not originate on one of the configured secure proxy ports.
+ *
+ * @author liemmn
+ *
+ */
+public class ClaimAuthFilter implements Filter {
+    private static final Logger LOG = LoggerFactory.getLogger(ClaimAuthFilter.class);
+
+    private static final String CGI_AUTH_TYPE = "AUTH_TYPE";
+    private static final String CGI_PATH_INFO = "PATH_INFO";
+    private static final String CGI_PATH_TRANSLATED = "PATH_TRANSLATED";
+    private static final String CGI_QUERY_STRING = "QUERY_STRING";
+    private static final String CGI_REMOTE_ADDR = "REMOTE_ADDR";
+    private static final String CGI_REMOTE_HOST = "REMOTE_HOST";
+    private static final String CGI_REMOTE_PORT = "REMOTE_PORT";
+    private static final String CGI_REMOTE_USER = "REMOTE_USER";
+    private static final String CGI_REMOTE_USER_GROUPS = "REMOTE_USER_GROUPS";
+    private static final String CGI_REQUEST_METHOD = "REQUEST_METHOD";
+    private static final String CGI_SCRIPT_NAME = "SCRIPT_NAME";
+    private static final String CGI_SERVER_PROTOCOL = "SERVER_PROTOCOL";
+
+    static final String UNAUTHORIZED_PORT_ERR = "Unauthorized proxy port";
+
+    @Override
+    public void init(FilterConfig fc) throws ServletException {
+    }
+
+    @Override
+    public void destroy() {
+    }
+
+    @Override
+    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
+            throws IOException, ServletException {
+        Set<Integer> secureProxyPorts;
+        int localPort;
+
+        // Check to see if we are communicated over an authorized port or not
+        secureProxyPorts = FederationConfiguration.instance().secureProxyPorts();
+        localPort = req.getLocalPort();
+        if (!secureProxyPorts.contains(localPort)) {
+            ((HttpServletResponse) resp).sendError(SC_UNAUTHORIZED, UNAUTHORIZED_PORT_ERR);
+            return;
+        }
+
+        // Let's do some transformation!
+        List<ClaimAuth> claimAuthCollection = ServiceLocator.getInstance().getClaimAuthCollection();
+        for (ClaimAuth ca : claimAuthCollection) {
+            Claim claim = ca.transform(claims((HttpServletRequest) req));
+            if (claim != null) {
+                req.setAttribute(AUTH_CLAIM, claim);
+                // No need to do further transformation since it has been done
+                break;
+            }
+        }
+        chain.doFilter(req, resp);
+    }
+
+    // Extract attributes and headers out of the request
+    private Map<String, Object> claims(HttpServletRequest req) {
+        String name;
+        Object objectValue;
+        String stringValue;
+        Map<String, Object> claims = new HashMap<>();
+
+        /*
+         * Tomcat has a bug/feature, not all attributes are enumerated by
+         * getAttributeNames() therefore getAttributeNames() cannot be used to
+         * obtain the full set of attributes. However if you know the name of
+         * the attribute a priori you can call getAttribute() and obtain the
+         * value. Therefore we maintain a list of attribute names
+         * (httpAttributes) which will be used to call getAttribute() with so we
+         * don't miss essential attributes.
+         *
+         * This is the Tomcat bug, note it is marked WONTFIX. Bug 25363 -
+         * request.getAttributeNames() not working properly Status: RESOLVED
+         * WONTFIX https://issues.apache.org/bugzilla/show_bug.cgi?id=25363
+         *
+         * The solution adopted by Tomcat is to document the behavior in the
+         * "The Apache Tomcat Connector - Reference Guide" under the JkEnvVar
+         * property where is says:
+         *
+         * You can retrieve the variables on Tomcat as request attributes via
+         * request.getAttribute(attributeName). Note that the variables send via
+         * JkEnvVar will not be listed in request.getAttributeNames().
+         */
+
+        // Capture attributes which can be enumerated ...
+        @SuppressWarnings("unchecked")
+        Enumeration<String> attrs = req.getAttributeNames();
+        while (attrs.hasMoreElements()) {
+            name = attrs.nextElement();
+            objectValue = req.getAttribute(name);
+            if (objectValue instanceof String) {
+                // metadata might be i18n, assume UTF8 and decode
+                stringValue = decodeUTF8((String) objectValue);
+                objectValue = stringValue;
+            }
+            claims.put(name, objectValue);
+        }
+
+        // Capture specific attributes which cannot be enumerated ...
+        for (String attr : FederationConfiguration.instance().httpAttributes()) {
+            name = attr;
+            objectValue = req.getAttribute(name);
+            if (objectValue instanceof String) {
+                // metadata might be i18n, assume UTF8 and decode
+                stringValue = decodeUTF8((String) objectValue);
+                objectValue = stringValue;
+            }
+            claims.put(name, objectValue);
+        }
+
+        /*
+         * In general we should not utilize HTTP headers as validated security
+         * assertions because they are too easy to forge. Therefore in general
+         * we don't include HTTP headers, however in certain circumstances
+         * specific headers may be acceptable, thus we permit an admin to
+         * configure the capture of specific headers.
+         */
+        for (String header : FederationConfiguration.instance().httpHeaders()) {
+            claims.put(header, req.getHeader(header));
+        }
+
+        // Capture standard CGI variables...
+        claims.put(CGI_AUTH_TYPE, req.getAuthType());
+        claims.put(CGI_PATH_INFO, req.getPathInfo());
+        claims.put(CGI_PATH_TRANSLATED, req.getPathTranslated());
+        claims.put(CGI_QUERY_STRING, req.getQueryString());
+        claims.put(CGI_REMOTE_ADDR, req.getRemoteAddr());
+        claims.put(CGI_REMOTE_HOST, req.getRemoteHost());
+        claims.put(CGI_REMOTE_PORT, req.getRemotePort());
+        // remote user might be i18n, assume UTF8 and decode
+        claims.put(CGI_REMOTE_USER, decodeUTF8(req.getRemoteUser()));
+        claims.put(CGI_REMOTE_USER_GROUPS, req.getAttribute(CGI_REMOTE_USER_GROUPS));
+        claims.put(CGI_REQUEST_METHOD, req.getMethod());
+        claims.put(CGI_SCRIPT_NAME, req.getServletPath());
+        claims.put(CGI_SERVER_PROTOCOL, req.getProtocol());
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("ClaimAuthFilter claims = {}", claims.toString());
+        }
+
+        return claims;
+    }
+
+    /**
+     * Decode from UTF-8, return Unicode.
+     *
+     * If we're unable to UTF-8 decode the string the fallback is to return the
+     * string unmodified and log a warning.
+     *
+     * Some data, especially metadata attached to a user principal may be
+     * internationalized (i18n). The classic examples are the user's name,
+     * location, organization, etc. We need to be able to read this metadata and
+     * decode it into unicode characters so that we properly handle i18n string
+     * values.
+     *
+     * One of the the prolems is we often don't know the encoding (i.e. charset)
+     * of the string. RFC-5987 is supposed to define how non-ASCII values are
+     * transmitted in HTTP headers, this is a follow on from the work in
+     * RFC-2231. However at the time of this writing these RFC's are not
+     * implemented in the Servlet Request classes. Not only are these RFC's
+     * unimplemented but they are specific to HTTP headers, much of our metadata
+     * arrives via attributes as opposed to being in a header.
+     *
+     * Note: ASCII encoding is a subset of UTF-8 encoding therefore any strings
+     * which are pure ASCII will decode from UTF-8 just fine. However on the
+     * other hand Latin-1 (ISO-8859-1) encoding is not compatible with UTF-8 for
+     * code points in the range 128-255 (i.e. beyond 7-bit ascii). ISO-8859-1 is
+     * the default encoding for HTTP and HTML 4, however the consensus is the
+     * use of ISO-8859-1 was a mistake and Unicode with UTF-8 encoding is now
+     * the norm. If a string value is transmitted encoded in ISO-8859-1
+     * contaiing code points in the range 128-255 and we try to UTF-8 decode it
+     * it will either not be the correct decoded string or it will throw a
+     * decoding exception.
+     *
+     * Conventional practice at the moment is for the sending side to encode
+     * internationalized values in UTF-8 with the receving end decoding the
+     * value back from UTF-8. We do not expect the use of ISO-8859-1 on these
+     * attributes. However due to peculiarities of the Java String
+     * implementation we have to specify the raw bytes are encoded in ISO-8859-1
+     * just to get back the raw bytes to be able to feed into the UTF-8 decoder.
+     * This doesn't seem right but it is because we need the full 8-bit byte and
+     * the only way to say "unmodified 8-bit bytes" in Java is to call it
+     * ISO-8859-1. Ugh!
+     *
+     * @param string
+     *            The input string in UTF-8 to be decoded.
+     * @return Unicode string
+     */
+    private String decodeUTF8(String string) {
+        if (string == null) {
+            return null;
+        }
+        try {
+            return new String(string.getBytes("ISO8859-1"), "UTF-8");
+        } catch (UnsupportedEncodingException e) {
+            LOG.warn("Unable to UTF-8 decode: ", string, e);
+            return string;
+        }
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/FederationConfiguration.java b/odl-aaa-moon/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/FederationConfiguration.java
new file mode 100644
index 00000000..a68dc15c
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/FederationConfiguration.java
@@ -0,0 +1,95 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.federation;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Dictionary;
+import java.util.Enumeration;
+import java.util.Hashtable;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.TreeSet;
+import java.util.concurrent.ConcurrentHashMap;
+import org.osgi.service.cm.ConfigurationException;
+import org.osgi.service.cm.ManagedService;
+
+/**
+ * AAA federation configurations in OSGi.
+ *
+ * @author liemmn
+ *
+ */
+public class FederationConfiguration implements ManagedService {
+    private static final String FEDERATION_CONFIG_ERR = "Error saving federation configuration";
+
+    static final String HTTP_HEADERS = "httpHeaders";
+    static final String HTTP_ATTRIBUTES = "httpAttributes";
+    static final String SECURE_PROXY_PORTS = "secureProxyPorts";
+
+    static FederationConfiguration instance = new FederationConfiguration();
+
+    static final Hashtable<String, String> defaults = new Hashtable<>();
+    static {
+        defaults.put(HTTP_HEADERS, "");
+        defaults.put(HTTP_ATTRIBUTES, "");
+    }
+    private static Map<String, String> configs = new ConcurrentHashMap<>();
+
+    // singleton
+    private FederationConfiguration() {
+    }
+
+    public static FederationConfiguration instance() {
+        return instance;
+    }
+
+    @Override
+    public void updated(Dictionary<String, ?> props) throws ConfigurationException {
+        if (props == null) {
+            configs.clear();
+            configs.putAll(defaults);
+        } else {
+            try {
+                Enumeration<String> keys = props.keys();
+                while (keys.hasMoreElements()) {
+                    String key = keys.nextElement();
+                    configs.put(key, (String) props.get(key));
+                }
+            } catch (Throwable t) {
+                throw new ConfigurationException(null, FEDERATION_CONFIG_ERR, t);
+            }
+        }
+    }
+
+    public List<String> httpHeaders() {
+        String headers = configs.get(HTTP_HEADERS);
+        return (headers == null) ? new ArrayList<String>() : Arrays.asList(headers.split(" "));
+    }
+
+    public List<String> httpAttributes() {
+        String attributes = configs.get(HTTP_ATTRIBUTES);
+        return (attributes == null) ? new ArrayList<String>() : Arrays
+                .asList(attributes.split(" "));
+    }
+
+    public Set<Integer> secureProxyPorts() {
+        String ports = configs.get(SECURE_PROXY_PORTS);
+        Set<Integer> secureProxyPorts = new TreeSet<Integer>();
+
+        if (ports != null && !ports.isEmpty()) {
+            for (String port : ports.split(" ")) {
+                secureProxyPorts.add(Integer.parseInt(port));
+            }
+        }
+        return secureProxyPorts;
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/FederationEndpoint.java b/odl-aaa-moon/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/FederationEndpoint.java
new file mode 100644
index 00000000..6ac76c0a
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/FederationEndpoint.java
@@ -0,0 +1,149 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.federation;
+
+import static javax.servlet.http.HttpServletResponse.SC_CREATED;
+import static javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.util.List;
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.apache.oltu.oauth2.as.issuer.OAuthIssuer;
+import org.apache.oltu.oauth2.as.issuer.OAuthIssuerImpl;
+import org.apache.oltu.oauth2.as.issuer.UUIDValueGenerator;
+import org.apache.oltu.oauth2.as.response.OAuthASResponse;
+import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
+import org.apache.oltu.oauth2.common.message.OAuthResponse;
+import org.opendaylight.aaa.AuthenticationBuilder;
+import org.opendaylight.aaa.ClaimBuilder;
+import org.opendaylight.aaa.api.Authentication;
+import org.opendaylight.aaa.api.AuthenticationException;
+import org.opendaylight.aaa.api.Claim;
+
+/**
+ * An endpoint for claim-based authentication federation (in-bound).
+ *
+ * @author liemmn
+ *
+ */
+public class FederationEndpoint extends HttpServlet {
+
+    private static final long serialVersionUID = -5553885846238987245L;
+
+    /** An in-bound authentication claim */
+    static final String AUTH_CLAIM = "AAA-CLAIM";
+
+    private static final String UNAUTHORIZED = "unauthorized";
+
+    private transient OAuthIssuer oi;
+
+    @Override
+    public void init(ServletConfig config) throws ServletException {
+        oi = new OAuthIssuerImpl(new UUIDValueGenerator());
+    }
+
+    @Override
+    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException,
+            ServletException {
+        try {
+            createRefreshToken(req, resp);
+        } catch (Exception e) {
+            error(resp, SC_UNAUTHORIZED, e.getMessage());
+        }
+    }
+
+    // Create a refresh token
+    private void createRefreshToken(HttpServletRequest req, HttpServletResponse resp)
+            throws OAuthSystemException, IOException {
+        Claim claim = (Claim) req.getAttribute(AUTH_CLAIM);
+        oauthRefreshTokenResponse(resp, claim);
+    }
+
+    // Build OAuth refresh token response from the given claim mapped and
+    // injected by the external IdP
+    private void oauthRefreshTokenResponse(HttpServletResponse resp, Claim claim)
+            throws OAuthSystemException, IOException {
+        if (claim == null) {
+            throw new AuthenticationException(UNAUTHORIZED);
+        }
+
+        String userName = claim.user();
+        // Need to have at least a mapped username!
+        if (userName == null) {
+            throw new AuthenticationException(UNAUTHORIZED);
+        }
+
+        String domain = claim.domain();
+        // Need to have at least a domain!
+        if (domain == null) {
+            throw new AuthenticationException(UNAUTHORIZED);
+        }
+
+        String userId = userName + "@" + domain;
+
+        // Create an unscoped ODL context from the external claim
+        Authentication auth = new AuthenticationBuilder(new ClaimBuilder(claim).setUserId(userId)
+                .build()).setExpiration(tokenExpiration()).build();
+
+        // Create OAuth response
+        String token = oi.refreshToken();
+        OAuthResponse r = OAuthASResponse
+                .tokenResponse(SC_CREATED)
+                .setRefreshToken(token)
+                .setExpiresIn(Long.toString(auth.expiration()))
+                .setScope(
+                // Use mapped domain if there is one, else list
+                // all the ones that this user has access to
+                        (claim.domain().isEmpty()) ? listToString(ServiceLocator.getInstance()
+                                .getIdmService().listDomains(userId)) : claim.domain())
+                .buildJSONMessage();
+        // Cache this token...
+        ServiceLocator.getInstance().getTokenStore().put(token, auth);
+        write(resp, r);
+    }
+
+    // Token expiration
+    private long tokenExpiration() {
+        return ServiceLocator.getInstance().getTokenStore().tokenExpiration();
+    }
+
+    // Space-delimited string from a list of strings
+    private String listToString(List<String> list) {
+        StringBuffer sb = new StringBuffer();
+        for (String s : list) {
+            sb.append(s).append(" ");
+        }
+        return sb.toString().trim();
+    }
+
+    // Emit an error OAuthResponse with the given HTTP code
+    private void error(HttpServletResponse resp, int httpCode, String error) {
+        try {
+            OAuthResponse r = OAuthResponse.errorResponse(httpCode).setError(error)
+                    .buildJSONMessage();
+            write(resp, r);
+        } catch (Exception e1) {
+            // Nothing to do here
+        }
+    }
+
+    // Write out an OAuthResponse
+    private void write(HttpServletResponse resp, OAuthResponse r) throws IOException {
+        resp.setStatus(r.getResponseStatus());
+        PrintWriter pw = resp.getWriter();
+        pw.print(r.getBody());
+        pw.flush();
+        pw.close();
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/ServiceLocator.java b/odl-aaa-moon/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/ServiceLocator.java
new file mode 100644
index 00000000..dd861514
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/ServiceLocator.java
@@ -0,0 +1,83 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.federation;
+
+import java.util.List;
+import java.util.Vector;
+import org.opendaylight.aaa.api.ClaimAuth;
+import org.opendaylight.aaa.api.IdMService;
+import org.opendaylight.aaa.api.TokenStore;
+
+/**
+ * A service locator to bridge between the web world and OSGi world.
+ *
+ * @author liemmn
+ *
+ */
+public class ServiceLocator {
+
+    private static final ServiceLocator instance = new ServiceLocator();
+
+    protected volatile List<ClaimAuth> claimAuthCollection = new Vector<>();
+
+    protected volatile TokenStore tokenStore;
+
+    protected volatile IdMService idmService;
+
+    private ServiceLocator() {
+    }
+
+    public static ServiceLocator getInstance() {
+        return instance;
+    }
+
+    /**
+     * Called through reflection from the federation Activator
+     *
+     * @see org.opendaylight.aaa.federation.ServiceLocator
+     * @param ca the injected claims implementation
+     */
+    protected void claimAuthAdded(ClaimAuth ca) {
+        this.claimAuthCollection.add(ca);
+    }
+
+    /**
+     * Called through reflection from the federation Activator
+     *
+     * @see org.opendaylight.aaa.federation.Activator
+     * @param ca the claims implementation to remove
+     */
+    protected void claimAuthRemoved(ClaimAuth ca) {
+        this.claimAuthCollection.remove(ca);
+    }
+
+    public List<ClaimAuth> getClaimAuthCollection() {
+        return claimAuthCollection;
+    }
+
+    public void setClaimAuthCollection(List<ClaimAuth> claimAuthCollection) {
+        this.claimAuthCollection = claimAuthCollection;
+    }
+
+    public TokenStore getTokenStore() {
+        return tokenStore;
+    }
+
+    public void setTokenStore(TokenStore tokenStore) {
+        this.tokenStore = tokenStore;
+    }
+
+    public IdMService getIdmService() {
+        return idmService;
+    }
+
+    public void setIdmService(IdMService idmService) {
+        this.idmService = idmService;
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/SssdFilter.java b/odl-aaa-moon/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/SssdFilter.java
new file mode 100644
index 00000000..9223c6dd
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-federation/src/main/java/org/opendaylight/aaa/federation/SssdFilter.java
@@ -0,0 +1,151 @@
+/*
+ * Copyright (c) 2014, 2015 Red Hat, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.federation;
+
+import java.io.IOException;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+
+class SssdHeadersRequest extends HttpServletRequestWrapper {
+    private static final String headerPrefix = "X-SSSD-";
+
+    public SssdHeadersRequest(HttpServletRequest request) {
+        super(request);
+    }
+
+    public Object getAttribute(String name) {
+        HttpServletRequest request = (HttpServletRequest) getRequest();
+        String headerValue;
+
+        headerValue = request.getHeader(headerPrefix + name);
+        if (headerValue != null) {
+            return headerValue;
+        } else {
+            return request.getAttribute(name);
+        }
+    }
+
+    @Override
+    public String getRemoteUser() {
+        HttpServletRequest request = (HttpServletRequest) getRequest();
+        String headerValue;
+
+        headerValue = request.getHeader(headerPrefix + "REMOTE_USER");
+        if (headerValue != null) {
+            return headerValue;
+        } else {
+            return request.getRemoteUser();
+        }
+    }
+
+    @Override
+    public String getAuthType() {
+        HttpServletRequest request = (HttpServletRequest) getRequest();
+        String headerValue;
+
+        headerValue = request.getHeader(headerPrefix + "AUTH_TYPE");
+        if (headerValue != null) {
+            return headerValue;
+        } else {
+            return request.getAuthType();
+        }
+    }
+
+    @Override
+    public String getRemoteAddr() {
+        HttpServletRequest request = (HttpServletRequest) getRequest();
+        String headerValue;
+
+        headerValue = request.getHeader(headerPrefix + "REMOTE_ADDR");
+        if (headerValue != null) {
+            return headerValue;
+        } else {
+            return request.getRemoteAddr();
+        }
+    }
+
+    @Override
+    public String getRemoteHost() {
+        HttpServletRequest request = (HttpServletRequest) getRequest();
+        String headerValue;
+
+        headerValue = request.getHeader(headerPrefix + "REMOTE_HOST");
+        if (headerValue != null) {
+            return headerValue;
+        } else {
+            return request.getRemoteHost();
+        }
+    }
+
+    @Override
+    public int getRemotePort() {
+        HttpServletRequest request = (HttpServletRequest) getRequest();
+        String headerValue;
+
+        headerValue = request.getHeader(headerPrefix + "REMOTE_PORT");
+        if (headerValue != null) {
+            return Integer.parseInt(headerValue);
+        } else {
+            return request.getRemotePort();
+        }
+    }
+
+}
+
+/**
+ * Populate HttpRequestServlet API data from HTTP extension headers.
+ *
+ * When SSSD is used for authentication and identity lookup those actions occur
+ * in an Apache HTTP server which is fronting the servlet container. After
+ * successful authentication Apache will proxy the request to the container
+ * along with additional authentication and identity metadata.
+ *
+ * The preferred way to transport the metadata and have it appear seamlessly in
+ * the servlet API is via the AJP protocol. However AJP may not be available or
+ * desirable. An alternative method is to transport the metadata in extension
+ * HTTP headers. However we still want the standard servlet request API methods
+ * to work. Another way to say this is we do not want upper layers to be aware
+ * of the transport mechanism. To achieve this we wrap the HttpServletRequest
+ * class and override specific methods which need to extract the data from the
+ * extension HTTP headers. (This is roughly equivalent to what happens when AJP
+ * is implemented natively in the container).
+ *
+ * The extension HTTP headers are identified by the prefix "X-SSSD-". The
+ * overridden methods check for the existence of the appropriate extension
+ * header and if present returns the value found in the extension header,
+ * otherwise it returns the value from the method it's wrapping.
+ *
+ */
+public class SssdFilter implements Filter {
+    @Override
+    public void init(FilterConfig fc) throws ServletException {
+    }
+
+    @Override
+    public void destroy() {
+    }
+
+    @Override
+    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
+            FilterChain filterChain) throws IOException, ServletException {
+        if (servletRequest instanceof HttpServletRequest) {
+            HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
+            SssdHeadersRequest request = new SssdHeadersRequest(httpServletRequest);
+            filterChain.doFilter(request, servletResponse);
+        } else {
+            filterChain.doFilter(servletRequest, servletResponse);
+        }
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-federation/src/main/resources/OSGI-INF/metatype/metatype.properties b/odl-aaa-moon/aaa-authn-federation/src/main/resources/OSGI-INF/metatype/metatype.properties
new file mode 100644
index 00000000..4323c04d
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-federation/src/main/resources/OSGI-INF/metatype/metatype.properties
@@ -0,0 +1,11 @@
+org.opendaylight.aaa.federation.name = Opendaylight AAA Federation Configuration
+org.opendaylight.aaa.federation.description = Configuration for AAA federation
+org.opendaylight.aaa.federation.httpHeaders.name = Custom HTTP Headers
+org.opendaylight.aaa.federation.httpHeaders.description = Space-delimited list of \
+specific HTTP headers to capture for authentication federation.
+org.opendaylight.aaa.federation.httpAttributes.name = Custom HTTP Attributes
+org.opendaylight.aaa.federation.httpAttributes.description = Space-delimited list of \
+specific HTTP attributes to capture for authentication federation.
+org.opendaylight.aaa.federation.secureProxyPorts.name = Secure Proxy Ports
+org.opendaylight.aaa.federation.secureProxyPorts.description = Space-delimited list of \
+port numbers on which a trusted HTTP proxy performing authentication forwards pre-authenticated requests.
diff --git a/odl-aaa-moon/aaa-authn-federation/src/main/resources/OSGI-INF/metatype/metatype.xml b/odl-aaa-moon/aaa-authn-federation/src/main/resources/OSGI-INF/metatype/metatype.xml
new file mode 100644
index 00000000..e2efd3d4
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-federation/src/main/resources/OSGI-INF/metatype/metatype.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<metatype:MetaData xmlns:metatype="http://www.osgi.org/xmlns/metatype/v1.0.0"
+    localization="OSGI-INF/metatype/metatype">
+    <OCD id="org.opendaylight.aaa.federation" name="%org.opendaylight.aaa.federation.name"
+        description="%org.opendaylight.aaa.federation.description">
+        <AD id="httpHeaders" type="String" default=""
+            name="%org.opendaylight.aaa.federation.httpHeaders.name"
+            description="%org.opendaylight.aaa.federation.httpHeaders.description" />
+        <AD id="httpAttributes" type="String" default=""
+            name="%org.opendaylight.aaa.federation.httpAttributes.name"
+            description="%org.opendaylight.aaa.federation.httpAttributes.description" />
+        <AD id="secureProxyPorts" type="String" default=""
+            name="%org.opendaylight.aaa.federation.secureProxyPorts.name"
+            description="%org.opendaylight.aaa.federation.secureProxyPorts.description" />
+    </OCD>
+    <Designate pid="org.opendaylight.aaa.federation">
+        <Object ocdref="org.opendaylight.aaa.federation" />
+    </Designate>
+</metatype:MetaData>
diff --git a/odl-aaa-moon/aaa-authn-federation/src/main/resources/WEB-INF/web.xml b/odl-aaa-moon/aaa-authn-federation/src/main/resources/WEB-INF/web.xml
new file mode 100644
index 00000000..9fd9751f
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-federation/src/main/resources/WEB-INF/web.xml
@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+    version="3.0">
+
+    <servlet>
+        <servlet-name>federation</servlet-name>
+        <servlet-class>org.opendaylight.aaa.federation.FederationEndpoint</servlet-class>
+        <load-on-startup>1</load-on-startup>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>federation</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+
+    <!-- Federation Auth filter -->
+    <filter>
+        <filter-name>SssdFilter</filter-name>
+        <filter-class>org.opendaylight.aaa.federation.SssdFilter</filter-class>
+    </filter>
+    <filter-mapping>
+        <filter-name>SssdFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+    <filter>
+        <filter-name>ClaimAuthFilter</filter-name>
+        <filter-class>org.opendaylight.aaa.federation.ClaimAuthFilter</filter-class>
+    </filter>
+    <filter-mapping>
+        <filter-name>ClaimAuthFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
+</web-app>
diff --git a/odl-aaa-moon/aaa-authn-federation/src/main/resources/federation.cfg b/odl-aaa-moon/aaa-authn-federation/src/main/resources/federation.cfg
new file mode 100644
index 00000000..60ef1c46
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-federation/src/main/resources/federation.cfg
@@ -0,0 +1,3 @@
+httpHeaders=
+httpAttributes=
+secureProxyPorts=
diff --git a/odl-aaa-moon/aaa-authn-federation/src/test/java/org/opendaylight/aaa/federation/FederationEndpointTest.java b/odl-aaa-moon/aaa-authn-federation/src/test/java/org/opendaylight/aaa/federation/FederationEndpointTest.java
new file mode 100644
index 00000000..ae098652
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-federation/src/test/java/org/opendaylight/aaa/federation/FederationEndpointTest.java
@@ -0,0 +1,121 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.federation;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.Matchers.anyMap;
+import static org.mockito.Matchers.anyString;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import java.util.Arrays;
+import java.util.TreeSet;
+import org.eclipse.jetty.testing.HttpTester;
+import org.eclipse.jetty.testing.ServletTester;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.opendaylight.aaa.ClaimBuilder;
+import org.opendaylight.aaa.api.Claim;
+import org.opendaylight.aaa.api.ClaimAuth;
+import org.opendaylight.aaa.api.IdMService;
+import org.opendaylight.aaa.api.TokenStore;
+
+/**
+ * A unit test for federation endpoint.
+ *
+ * @author liemmn
+ *
+ */
+public class FederationEndpointTest {
+    private static final long TOKEN_TIMEOUT_SECS = 10;
+    private static final String CONTEXT = "/oauth2/federation";
+
+    private final static ServletTester server = new ServletTester();
+    private static final Claim claim = new ClaimBuilder().setUser("bob").setUserId("1234")
+            .addRole("admin").build();
+
+    @BeforeClass
+    public static void init() throws Exception {
+        // Set up server
+        server.setContextPath(CONTEXT);
+
+        // Add our servlet under test
+        server.addServlet(FederationEndpoint.class, "/*");
+
+        // Add ClaimAuth filter
+        server.addFilter(ClaimAuthFilter.class, "/*", 0);
+
+        // Let's do dis
+        server.start();
+    }
+
+    @AfterClass
+    public static void shutdown() throws Exception {
+        server.stop();
+    }
+
+    @Before
+    public void setup() {
+        mockServiceLocator();
+        when(ServiceLocator.getInstance().getTokenStore().tokenExpiration()).thenReturn(
+                TOKEN_TIMEOUT_SECS);
+    }
+
+    @After
+    public void teardown() {
+        ServiceLocator.getInstance().getClaimAuthCollection().clear();
+    }
+
+    @Test
+    public void testFederationUnconfiguredProxyPort() throws Exception {
+        HttpTester req = new HttpTester();
+        req.setMethod("POST");
+        req.setURI(CONTEXT + "/");
+        req.setVersion("HTTP/1.0");
+
+        HttpTester resp = new HttpTester();
+        resp.parse(server.getResponses(req.generate()));
+        assertEquals(401, resp.getStatus());
+    }
+
+    @Test
+    @SuppressWarnings("unchecked")
+    public void testFederation() throws Exception {
+        when(ServiceLocator.getInstance().getClaimAuthCollection().get(0).transform(anyMap()))
+                .thenReturn(claim);
+        when(ServiceLocator.getInstance().getIdmService().listDomains(anyString())).thenReturn(
+                Arrays.asList("pepsi", "coke"));
+
+        // Configure secure port (of zero)
+        FederationConfiguration.instance = mock(FederationConfiguration.class);
+        when(FederationConfiguration.instance.secureProxyPorts()).thenReturn(
+                new TreeSet<Integer>(Arrays.asList(0)));
+
+        HttpTester req = new HttpTester();
+        req.setMethod("POST");
+        req.setURI(CONTEXT + "/");
+        req.setVersion("HTTP/1.0");
+
+        HttpTester resp = new HttpTester();
+        resp.parse(server.getResponses(req.generate()));
+        assertEquals(201, resp.getStatus());
+        String content = resp.getContent();
+        assertTrue(content.contains("pepsi coke"));
+    }
+
+    private static void mockServiceLocator() {
+        ServiceLocator.getInstance().setIdmService(mock(IdMService.class));
+        ServiceLocator.getInstance().setTokenStore(mock(TokenStore.class));
+        ServiceLocator.getInstance().getClaimAuthCollection().add(mock(ClaimAuth.class));
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-keystone/pom.xml b/odl-aaa-moon/aaa-authn-keystone/pom.xml
new file mode 100644
index 00000000..ee1d3278
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-keystone/pom.xml
@@ -0,0 +1,106 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.opendaylight.aaa</groupId>
+        <artifactId>aaa-parent</artifactId>
+        <version>0.3.1-Beryllium-SR1</version>
+        <relativePath>../parent</relativePath>
+    </parent>
+
+    <artifactId>aaa-authn-keystone</artifactId>
+    <packaging>bundle</packaging>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.sun.jersey</groupId>
+            <artifactId>jersey-server</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>javax.servlet-api</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.osgi</groupId>
+            <artifactId>org.osgi.core</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.felix</groupId>
+            <artifactId>org.apache.felix.dependencymanager</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-annotations</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-core</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.httpcomponents</groupId>
+            <artifactId>httpcore-osgi</artifactId>
+            <version>${httpclient.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.httpcomponents</groupId>
+            <artifactId>httpclient-osgi</artifactId>
+            <version>${httpclient.version}</version>
+        </dependency>
+        <!-- Testing Dependencies -->
+        <dependency>
+            <groupId>com.sun.jersey.jersey-test-framework</groupId>
+            <artifactId>jersey-test-framework-grizzly2</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-simple</artifactId>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.felix</groupId>
+                <artifactId>maven-bundle-plugin</artifactId>
+                <extensions>true</extensions>
+                <configuration>
+                    <instructions>
+                        <Bundle-Activator>org.opendaylight.aaa.keystone.Activator</Bundle-Activator>
+                    </instructions>
+                    <manifestLocation>${project.basedir}/META-INF</manifestLocation>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+</project>
diff --git a/odl-aaa-moon/aaa-authn-keystone/src/main/java/org/opendaylight/aaa/keystone/Activator.java b/odl-aaa-moon/aaa-authn-keystone/src/main/java/org/opendaylight/aaa/keystone/Activator.java
new file mode 100644
index 00000000..c3c3bfb1
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-keystone/src/main/java/org/opendaylight/aaa/keystone/Activator.java
@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.keystone;
+
+import org.apache.felix.dm.DependencyActivatorBase;
+import org.apache.felix.dm.DependencyManager;
+import org.opendaylight.aaa.api.TokenAuth;
+import org.osgi.framework.BundleContext;
+
+/**
+ * An activator for {@link KeystoneTokenAuth}.
+ *
+ * @author liemmn
+ *
+ */
+public class Activator extends DependencyActivatorBase {
+
+    @Override
+    public void init(BundleContext context, DependencyManager manager) throws Exception {
+        manager.add(createComponent().setInterface(new String[] { TokenAuth.class.getName() }, null)
+                                     .setImplementation(KeystoneTokenAuth.class));
+    }
+
+    @Override
+    public void destroy(BundleContext context, DependencyManager manager) throws Exception {
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-authn-keystone/src/main/java/org/opendaylight/aaa/keystone/KeystoneTokenAuth.java b/odl-aaa-moon/aaa-authn-keystone/src/main/java/org/opendaylight/aaa/keystone/KeystoneTokenAuth.java
new file mode 100644
index 00000000..6f4b4bb1
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-keystone/src/main/java/org/opendaylight/aaa/keystone/KeystoneTokenAuth.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.keystone;
+
+import java.util.List;
+import java.util.Map;
+import org.opendaylight.aaa.api.Authentication;
+import org.opendaylight.aaa.api.TokenAuth;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * A Keystone {@link TokenAuth} filter.
+ *
+ * @author liemmn
+ */
+public class KeystoneTokenAuth implements TokenAuth {
+    private static final Logger LOG = LoggerFactory.getLogger(KeystoneTokenAuth.class);
+
+    static final String TOKEN = "X-Auth-Token";
+
+    @Override
+    public Authentication validate(Map<String, List<String>> headers) {
+        if (!headers.containsKey(TOKEN)) {
+            return null; // Not a Keystone token
+        }
+
+        // TODO: Call into Keystone to get security context...
+        LOG.info("Not yet validating token {}", headers.get(TOKEN).get(0));
+        return null;
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-api/pom.xml b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-api/pom.xml
new file mode 100644
index 00000000..fede7e5e
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-api/pom.xml
@@ -0,0 +1,99 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>org.opendaylight.aaa</groupId>
+        <artifactId>aaa-parent</artifactId>
+        <version>0.3.1-Beryllium-SR1</version>
+        <relativePath>../../parent</relativePath>
+    </parent>
+
+    <artifactId>aaa-authn-mdsal-api</artifactId>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.mdsal</groupId>
+            <artifactId>yang-binding</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.mdsal.model</groupId>
+            <artifactId>ietf-inet-types</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.mdsal.model</groupId>
+            <artifactId>ietf-yang-types</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.mdsal.model</groupId>
+            <artifactId>yang-ext</artifactId>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.felix</groupId>
+                <artifactId>maven-bundle-plugin</artifactId>
+                <version>${bundle.plugin.version}</version>
+                <extensions>true</extensions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-javadoc-plugin</artifactId>
+                <configuration>
+                    <stylesheet>maven</stylesheet>
+                </configuration>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>aggregate</goal>
+                        </goals>
+                        <phase>site</phase>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.opendaylight.yangtools</groupId>
+                <artifactId>yang-maven-plugin</artifactId>
+                <version>${yangtools.version}</version>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>generate-sources</goal>
+                        </goals>
+                        <configuration>
+                            <yangFilesRootDir>src/main/yang</yangFilesRootDir>
+                            <codeGenerators>
+                                <generator>
+                                    <codeGeneratorClass>
+                                        org.opendaylight.yangtools.maven.sal.api.gen.plugin.CodeGeneratorImpl
+                                    </codeGeneratorClass>
+                                    <outputBaseDir>${salGeneratorPath}</outputBaseDir>
+                                </generator>
+                            </codeGenerators>
+                            <inspectDependencies>true</inspectDependencies>
+                        </configuration>
+                    </execution>
+                </executions>
+
+                <dependencies>
+                    <dependency>
+                        <groupId>org.opendaylight.mdsal</groupId>
+                        <artifactId>maven-sal-api-gen-plugin</artifactId>
+                        <version>${yangtools.version}</version>
+                        <type>jar</type>
+                    </dependency>
+                </dependencies>
+            </plugin>
+        </plugins>
+    </build>
+    <packaging>bundle</packaging>
+
+</project>
diff --git a/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-api/src/main/yang/aaa-authn-model.yang b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-api/src/main/yang/aaa-authn-model.yang
new file mode 100644
index 00000000..227cb313
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-api/src/main/yang/aaa-authn-model.yang
@@ -0,0 +1,154 @@
+module aaa-authn-model {
+  yang-version 1;
+  namespace "urn:aaa:yang:authn:claims";
+  prefix "authn";
+    organization "TBD";
+
+    contact "wdec@cisco.com";
+
+    revision 2014-10-29 {
+        description
+            "Initial revision.";
+    }
+
+//Main module begins
+
+// Following container provides the AuthN Claims data-structure
+
+  container tokencache {
+    config false;
+    list claims {
+      key "token";
+
+      leaf token {
+        type string;
+        description "Token";
+      }
+      leaf clientId {
+        type string;
+        description "id of the authorized client, or null if anonymous";
+      }
+      leaf userId {
+        type string;
+        description "Unique user-id. User IDs are system-created";
+      }
+      leaf user {
+        type string;
+        description "User name";
+      }
+      leaf domain {
+        type string;
+        description "Fully-qualified domain name";
+      }
+      leaf-list roles {
+        type string;
+        description "Assigned user roles";
+      }
+    }
+  }
+
+  container token_cache_times {
+
+    list token_list {
+      key userId;
+
+      leaf userId {
+        //TODO: Change to instance-ref
+        type string;
+      }
+
+    list user_tokens {
+      key tokenid;
+      leaf tokenid {
+        type leafref {path "/tokencache/claims/token";}
+      }
+      leaf timestamp {
+        type uint64;
+      }
+      leaf expiration {
+          type int64;
+          description "Expiration milliseconds since start of UTC epoch";
+      }
+      }
+    }
+  }
+
+  //authentication model is for generating objects to be stores in the
+  //data store for all the prev idm model objects.
+  container authentication{
+     list domain{
+         key domainid;
+         leaf domainid {
+             type string;
+         }
+         leaf name {
+             type string;
+         }
+         leaf description {
+             type string;
+         }
+         leaf enabled {
+             type boolean;
+         }
+     }
+
+     list user {
+         key userid;
+         leaf userid {
+             type string;
+         }
+         leaf name {
+             type string;
+         }
+         leaf description {
+             type string;
+         }
+         leaf enabled {
+             type boolean;
+         }
+         leaf email {
+             type string;
+         }
+         leaf password {
+             type string;
+         }
+         leaf salt {
+             type string;
+         }
+         leaf domainid {
+             type string;
+         }
+     }
+     list role {
+         key roleid;
+         leaf roleid {
+             type string;
+         }
+         leaf name {
+             type string;
+         }
+         leaf description {
+             type string;
+         }
+         leaf domainid {
+             type string;
+         }
+     }
+
+     list grant {
+         key grantid;
+         leaf grantid {
+             type string;
+         }
+         leaf domainid {
+             type string;
+         }
+         leaf userid {
+             type string;
+         }
+         leaf roleid {
+             type string;
+         }
+     }
+  }
+}
diff --git a/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-config/pom.xml b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-config/pom.xml
new file mode 100644
index 00000000..f01969a4
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-config/pom.xml
@@ -0,0 +1,40 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.opendaylight.aaa</groupId>
+        <artifactId>aaa-parent</artifactId>
+        <version>0.3.1-Beryllium-SR1</version>
+        <relativePath>../../parent</relativePath>
+    </parent>
+
+    <artifactId>aaa-authn-mdsal-config</artifactId>
+    <description>AuthN Token Store Service Configuration file </description>
+    <packaging>jar</packaging>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>build-helper-maven-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>attach-artifacts</id>
+                        <goals>
+                            <goal>attach-artifact</goal>
+                        </goals>
+                        <phase>package</phase>
+                        <configuration>
+                            <artifacts>
+                                <artifact>
+                                    <file>${project.build.directory}/classes/initial/${config.authn.store.configfile}</file>
+                                    <type>xml</type>
+                                    <classifier>config</classifier>
+                                </artifact>
+                            </artifacts>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+</project>
diff --git a/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-config/src/main/resources/initial/08-authn-config.xml b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-config/src/main/resources/initial/08-authn-config.xml
new file mode 100644
index 00000000..e4a78f4d
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-config/src/main/resources/initial/08-authn-config.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- vi: set et smarttab sw=4 tabstop=4: -->
+<!--
+ Copyright (c) 2015 Cisco Systems, Inc. and others.  All rights reserved.
+
+ This program and the accompanying materials are made available under the
+ terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ and is available at http://www.eclipse.org/legal/epl-v10.html
+-->
+<snapshot>
+    <configuration>
+        <data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
+            <modules xmlns="urn:opendaylight:params:xml:ns:yang:controller:config">
+
+                <!-- defines an implementation module -->
+                <module>
+                    <type xmlns:authn="config:aaa:authn:mdsal:store">authn:aaa-authn-mdsal-store</type>
+                    <name>aaa-authn-mdsal-store</name>
+                    <dom-broker>
+                        <type xmlns:dom="urn:opendaylight:params:xml:ns:yang:controller:md:sal:dom">
+                            dom:dom-broker-osgi-registry
+                        </type>
+                        <name>dom-broker</name>
+                    </dom-broker>
+                    <data-broker>
+                        <type xmlns:binding="urn:opendaylight:params:xml:ns:yang:controller:md:sal:binding">
+                            binding:binding-async-data-broker
+                        </type>
+                        <name>binding-data-broker</name>
+                    </data-broker>
+                    <timeToLive>3600000</timeToLive>
+                    <timeToWait>15</timeToWait>
+                    <password>CHANGE_ME</password>
+                </module>
+            </modules>
+        </data>
+
+    </configuration>
+    <required-capabilities>
+        <capability>config:aaa:authn:mdsal:store?module=aaa-authn-mdsal-store-cfg&amp;revision=2014-10-31</capability>
+    </required-capabilities>
+
+</snapshot>
diff --git a/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/pom.xml b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/pom.xml
new file mode 100644
index 00000000..c36febee
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/pom.xml
@@ -0,0 +1,169 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2015 Cisco Systems, Inc. and others.  All rights reserved.
+  ~
+  ~ This program and the accompanying materials are made available under the
+  ~ terms of the Eclipse Public License v1.0 which accompanies this distribution,
+  ~ and is available at http://www.eclipse.org/legal/epl-v10.html
+  ~
+  -->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.opendaylight.aaa</groupId>
+        <artifactId>aaa-parent</artifactId>
+        <version>0.3.1-Beryllium-SR1</version>
+        <relativePath>../../parent</relativePath>
+    </parent>
+
+    <artifactId>aaa-authn-mdsal-store-impl</artifactId>
+    <packaging>bundle</packaging>
+
+    <properties>
+        <powermock.version>1.5.2</powermock.version>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.opendaylight.controller</groupId>
+            <artifactId>sal-binding-util</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.controller</groupId>
+            <artifactId>sal-common-util</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.yangtools</groupId>
+            <artifactId>yang-data-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>commons-codec</groupId>
+            <artifactId>commons-codec</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.controller</groupId>
+            <artifactId>sal-binding-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.controller</groupId>
+            <artifactId>config-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.controller</groupId>
+            <artifactId>sal-binding-config</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.controller</groupId>
+            <artifactId>sal-core-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn-mdsal-api</artifactId>
+        </dependency>
+
+        <!-- Test dependencies -->
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-all</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-simple</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+          <groupId>org.powermock</groupId>
+          <artifactId>powermock-api-mockito</artifactId>
+          <version>${powermock.version}</version>
+          <scope>test</scope>
+        </dependency>
+        <dependency>
+          <groupId>org.powermock</groupId>
+          <artifactId>powermock-module-junit4</artifactId>
+          <version>${powermock.version}</version>
+          <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.felix</groupId>
+                <artifactId>maven-bundle-plugin</artifactId>
+                <extensions>true</extensions>
+                <configuration>
+                    <instructions>
+                        <!-- <Bundle-Activator>/Bundle-Activator> -->
+                        <Export-Package>org.opendaylight.yang.gen.v1.config.aaa.authn.mdsal.store.*
+                        </Export-Package>
+                    </instructions>
+                </configuration>
+                <!-- <configuration> <Export-Package> </Export-Package> </configuration> -->
+            </plugin>
+            <plugin>
+                <groupId>org.opendaylight.yangtools</groupId>
+                <artifactId>yang-maven-plugin</artifactId>
+                <version>${yangtools.version}</version>
+                <executions>
+                    <execution>
+                        <id>config</id>
+                        <goals>
+                            <goal>generate-sources</goal>
+                        </goals>
+                        <configuration>
+                            <codeGenerators>
+                                <generator>
+                                    <codeGeneratorClass>
+                                        org.opendaylight.controller.config.yangjmxgenerator.plugin.JMXGenerator
+                                    </codeGeneratorClass>
+                                    <outputBaseDir>${jmxGeneratorPath}</outputBaseDir>
+                                    <additionalConfiguration>
+                                        <namespaceToPackage1>
+                                            urn:opendaylight:params:xml:ns:yang:controller==org.opendaylight.controller.config.yang
+                                        </namespaceToPackage1>
+                                    </additionalConfiguration>
+                                </generator>
+                                <generator>
+                                    <codeGeneratorClass>org.opendaylight.yangtools.maven.sal.api.gen.plugin.CodeGeneratorImpl</codeGeneratorClass>
+                                    <outputBaseDir>${salGeneratorPath}</outputBaseDir>
+                                </generator>
+                            </codeGenerators>
+                            <inspectDependencies>true</inspectDependencies>
+                        </configuration>
+                    </execution>
+                </executions>
+                <dependencies>
+                    <dependency>
+                        <groupId>org.opendaylight.controller</groupId>
+                        <artifactId>yang-jmx-generator-plugin</artifactId>
+                        <version>${config.version}</version>
+                    </dependency>
+                    <dependency>
+                        <groupId>org.opendaylight.mdsal</groupId>
+                        <artifactId>maven-sal-api-gen-plugin</artifactId>
+                        <version>${yangtools.version}</version>
+                    </dependency>
+                </dependencies>
+            </plugin>
+        </plugins>
+    </build>
+
+
+</project>
diff --git a/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/AuthNStore.java b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/AuthNStore.java
new file mode 100644
index 00000000..09170182
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/AuthNStore.java
@@ -0,0 +1,263 @@
+/*
+ * Copyright (c) 2015 Cisco Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.authn.mdsal.store;
+
+import com.google.common.base.Optional;
+import com.google.common.util.concurrent.CheckedFuture;
+import com.google.common.util.concurrent.FutureCallback;
+import com.google.common.util.concurrent.Futures;
+import java.math.BigInteger;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import org.opendaylight.aaa.api.Authentication;
+import org.opendaylight.aaa.api.TokenStore;
+import org.opendaylight.aaa.authn.mdsal.store.util.AuthNStoreUtil;
+import org.opendaylight.controller.md.sal.binding.api.DataBroker;
+import org.opendaylight.controller.md.sal.binding.api.ReadTransaction;
+import org.opendaylight.controller.md.sal.binding.api.WriteTransaction;
+import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
+import org.opendaylight.controller.md.sal.common.api.data.ReadFailedException;
+import org.opendaylight.controller.md.sal.common.api.data.TransactionCommitFailedException;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.TokenCacheTimes;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.token_cache_times.TokenList;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.token_cache_times.TokenListKey;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.token_cache_times.token_list.UserTokens;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.tokencache.Claims;
+import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class AuthNStore implements AutoCloseable, TokenStore {
+
+    private static final Logger LOG = LoggerFactory.getLogger(AuthNStore.class);
+    private DataBroker broker;
+    private static BigInteger timeToLive;
+    private static Integer timeToWait;
+    private final ExecutorService deleteExpiredTokenThread = Executors.newFixedThreadPool(1);
+    private final DataEncrypter dataEncrypter;
+
+    public AuthNStore(final DataBroker dataBroker, final String config_key) {
+        this.broker = dataBroker;
+        this.dataEncrypter = new DataEncrypter(config_key);
+        LOG.info("Created MD-SAL AAA Token Cache Service...");
+    }
+
+    @Override
+    public void close() throws Exception {
+        deleteExpiredTokenThread.shutdown();
+        LOG.info("MD-SAL AAA Token Cache closed...");
+
+    }
+
+    @Override
+    public void put(String token, Authentication auth) {
+        token = dataEncrypter.encrypt(token);
+        Claims claims = AuthNStoreUtil.createClaimsRecord(token, auth);
+
+        // create and insert parallel struct
+        UserTokens userTokens = AuthNStoreUtil.createUserTokens(token, timeToLive.longValue());
+        TokenList tokenlist = AuthNStoreUtil.createTokenList(userTokens, auth.userId());
+
+        writeClaimAndTokenToStore(claims, userTokens, tokenlist);
+        deleteExpiredTokenThread.execute(deleteOldTokens(claims));
+    }
+
+    @Override
+    public Authentication get(String token) {
+        token = dataEncrypter.encrypt(token);
+        Authentication authentication = null;
+        Claims claims = readClaims(token);
+        if (claims != null) {
+            UserTokens userToken = readUserTokensFromDS(claims.getToken(), claims.getUserId());
+            authentication = AuthNStoreUtil.convertClaimToAuthentication(claims,
+                    userToken.getExpiration());
+        }
+        deleteExpiredTokenThread.execute(deleteOldTokens(claims));
+        return authentication;
+    }
+
+    @Override
+    public boolean delete(String token) {
+        token = dataEncrypter.encrypt(token);
+        boolean result = false;
+        Claims claims = readClaims(token);
+        result = deleteClaims(token);
+        if (result) {
+            deleteUserTokenFromDS(token, claims.getUserId());
+        }
+        deleteExpiredTokenThread.execute(deleteOldTokens(claims));
+        return result;
+    }
+
+    @Override
+    public long tokenExpiration() {
+        return timeToLive.longValue();
+    }
+
+    public void setTimeToLive(BigInteger timeToLive) {
+        this.timeToLive = timeToLive;
+    }
+
+    public void setTimeToWait(Integer timeToWait) {
+        this.timeToWait = timeToWait;
+    }
+
+    private void writeClaimAndTokenToStore(final Claims claims, UserTokens usertokens,
+            final TokenList tokenlist) {
+
+        final InstanceIdentifier<Claims> claims_iid = AuthNStoreUtil.createInstIdentifierForTokencache(claims.getToken());
+        WriteTransaction tx = broker.newWriteOnlyTransaction();
+        tx.put(LogicalDatastoreType.OPERATIONAL, claims_iid, claims, true);
+
+        final InstanceIdentifier<UserTokens> userTokens_iid = AuthNStoreUtil.createInstIdentifierUserTokens(
+                tokenlist.getUserId(), usertokens.getTokenid());
+        tx.put(LogicalDatastoreType.OPERATIONAL, userTokens_iid, usertokens, true);
+
+        CheckedFuture<Void, TransactionCommitFailedException> commitFuture = tx.submit();
+        Futures.addCallback(commitFuture, new FutureCallback<Void>() {
+
+            @Override
+            public void onSuccess(Void result) {
+                LOG.trace("Token {} was written to datastore.", claims.getToken());
+                LOG.trace("Tokenlist for userId {} was written to datastore.",
+                        tokenlist.getUserId());
+            }
+
+            @Override
+            public void onFailure(Throwable t) {
+                LOG.error("Inserting token {} to datastore failed.", claims.getToken());
+                LOG.trace("Inserting for userId {} tokenlist to datastore failed.",
+                        tokenlist.getUserId());
+            }
+
+        });
+    }
+
+    private Claims readClaims(String token) {
+        final InstanceIdentifier<Claims> claims_iid = AuthNStoreUtil.createInstIdentifierForTokencache(token);
+        Claims claims = null;
+        ReadTransaction rt = broker.newReadOnlyTransaction();
+        CheckedFuture<Optional<Claims>, ReadFailedException> claimsFuture = rt.read(
+                LogicalDatastoreType.OPERATIONAL, claims_iid);
+        try {
+            Optional<Claims> maybeClaims = claimsFuture.checkedGet();
+            if (maybeClaims.isPresent()) {
+                claims = maybeClaims.get();
+            }
+        } catch (ReadFailedException e) {
+            LOG.error(
+                    "Something wrong happened in DataStore. Getting Claim for token {} failed.",
+                    token, e);
+        }
+        return claims;
+    }
+
+    private TokenList readTokenListFromDS(String userId) {
+        InstanceIdentifier<TokenList> tokenList_iid = InstanceIdentifier.builder(
+                TokenCacheTimes.class).child(TokenList.class, new TokenListKey(userId)).build();
+        TokenList tokenList = null;
+        ReadTransaction rt = broker.newReadOnlyTransaction();
+        CheckedFuture<Optional<TokenList>, ReadFailedException> userTokenListFuture = rt.read(
+                LogicalDatastoreType.OPERATIONAL, tokenList_iid);
+        try {
+            Optional<TokenList> maybeTokenList = userTokenListFuture.checkedGet();
+            if (maybeTokenList.isPresent()) {
+                tokenList = maybeTokenList.get();
+            }
+        } catch (ReadFailedException e) {
+            LOG.error(
+                    "Something wrong happened in DataStore. Getting TokenList for userId {} failed.",
+                    userId, e);
+        }
+        return tokenList;
+    }
+
+    private UserTokens readUserTokensFromDS(String token, String userId) {
+        final InstanceIdentifier<UserTokens> userTokens_iid = AuthNStoreUtil.createInstIdentifierUserTokens(
+                userId, token);
+        UserTokens userTokens = null;
+
+        ReadTransaction rt = broker.newReadOnlyTransaction();
+        CheckedFuture<Optional<UserTokens>, ReadFailedException> userTokensFuture = rt.read(
+                LogicalDatastoreType.OPERATIONAL, userTokens_iid);
+
+        try {
+            Optional<UserTokens> maybeUserTokens = userTokensFuture.checkedGet();
+            if (maybeUserTokens.isPresent()) {
+                userTokens = maybeUserTokens.get();
+            }
+        } catch (ReadFailedException e) {
+            LOG.error(
+                    "Something wrong happened in DataStore. Getting UserTokens for token {} failed.",
+                    token, e);
+        }
+
+        return userTokens;
+    }
+
+    private boolean deleteClaims(String token) {
+        final InstanceIdentifier<Claims> claims_iid = AuthNStoreUtil.createInstIdentifierForTokencache(token);
+        boolean result = false;
+        WriteTransaction tx = broker.newWriteOnlyTransaction();
+        tx.delete(LogicalDatastoreType.OPERATIONAL, claims_iid);
+        CheckedFuture<Void, TransactionCommitFailedException> commitFuture = tx.submit();
+
+        try {
+            commitFuture.checkedGet();
+            result = true;
+        } catch (TransactionCommitFailedException e) {
+            LOG.error("Something wrong happened in DataStore. Claim "
+                    + "deletion for token {} from DataStore failed.", token, e);
+        }
+        return result;
+    }
+
+    private void deleteUserTokenFromDS(String token, String userId) {
+        final InstanceIdentifier<UserTokens> userTokens_iid = AuthNStoreUtil.createInstIdentifierUserTokens(
+                userId, token);
+
+        WriteTransaction tx = broker.newWriteOnlyTransaction();
+        tx.delete(LogicalDatastoreType.OPERATIONAL, userTokens_iid);
+        CheckedFuture<Void, TransactionCommitFailedException> commitFuture = tx.submit();
+        try {
+            commitFuture.checkedGet();
+        } catch (TransactionCommitFailedException e) {
+            LOG.error("Something wrong happened in DataStore. UserToken "
+                    + "deletion for token {} from DataStore failed.", token, e);
+        }
+    }
+
+    private Runnable deleteOldTokens(final Claims claims) {
+        return new Runnable() {
+
+            @Override
+            public void run() {
+                TokenList tokenList = null;
+                if (claims != null) {
+                    tokenList = readTokenListFromDS(claims.getUserId());
+                }
+                if (tokenList != null) {
+                    for (UserTokens currUserToken : tokenList.getUserTokens()) {
+                        long diff = System.currentTimeMillis()
+                                - currUserToken.getTimestamp().longValue();
+                        if (diff > currUserToken.getExpiration()
+                                && currUserToken.getExpiration() != 0) {
+                            if (deleteClaims(currUserToken.getTokenid())) {
+                                deleteUserTokenFromDS(currUserToken.getTokenid(),
+                                        claims.getUserId());
+                                LOG.trace("Expired tokens for UserId {} deleted.",
+                                        claims.getUserId());
+                            }
+                        }
+                    }
+                }
+            }
+        };
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/DataEncrypter.java b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/DataEncrypter.java
new file mode 100644
index 00000000..ca0a74be
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/DataEncrypter.java
@@ -0,0 +1,101 @@
+/*
+ * Copyright (c) 2015 Cisco Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.authn.mdsal.store;
+
+import java.security.spec.KeySpec;
+import javax.crypto.Cipher;
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.PBEKeySpec;
+import javax.crypto.spec.SecretKeySpec;
+import javax.xml.bind.DatatypeConverter;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * @author - Sharon Aicler (saichler@cisco.com)
+ **/
+public class DataEncrypter {
+
+    final protected SecretKey k;
+    private static final Logger LOG = LoggerFactory.getLogger(DataEncrypter.class);
+    private static final byte[] iv = { 0, 5, 0, 0, 7, 81, 0, 3, 0, 0, 0, 0, 0, 43, 0, 1 };
+    private static final IvParameterSpec ivspec = new IvParameterSpec(iv);
+    public static final String ENCRYPTED_TAG = "Encrypted:";
+
+    public DataEncrypter(final String ckey) {
+        SecretKey tmp = null;
+        if (ckey != null && !ckey.isEmpty()) {
+
+            try {
+                SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
+                KeySpec spec = new PBEKeySpec(ckey.toCharArray(), iv, 32768, 128);
+                tmp = keyFactory.generateSecret(spec);
+            } catch (Exception e) {
+                LOG.error("Couldn't initialize key factory", e);
+            }
+            if (tmp != null) {
+                k = new SecretKeySpec(tmp.getEncoded(), "AES");
+            } else {
+                throw new RuntimeException("Couldn't initalize encryption key");
+            }
+        } else {
+            k = null;
+            LOG.warn("Void crypto key passed! AuthN Store Encryption disabled");
+        }
+
+    }
+
+    protected String encrypt(String token) {
+
+        if (k == null) {
+            return token;
+        }
+
+        String cryptostring = null;
+        try {
+            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
+            c.init(Cipher.ENCRYPT_MODE, k, ivspec);
+            byte[] cryptobytes = c.doFinal(token.getBytes());
+            cryptostring = DatatypeConverter.printBase64Binary(cryptobytes);
+            return ENCRYPTED_TAG + cryptostring;
+        } catch (Exception e) {
+            LOG.error("Couldn't encrypt token", e);
+            return null;
+        }
+    }
+
+    protected String decrypt(String eToken) {
+        if (k == null) {
+            return eToken;
+        }
+
+        if (eToken == null || eToken.length() == 0) {
+            return null;
+        }
+
+        if (!eToken.startsWith(ENCRYPTED_TAG)) {
+            return eToken;
+        }
+
+        try {
+            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
+            c.init(Cipher.DECRYPT_MODE, k, ivspec);
+
+            byte[] cryptobytes = DatatypeConverter.parseBase64Binary(eToken.substring(ENCRYPTED_TAG.length()));
+            byte[] clearbytes = c.doFinal(cryptobytes);
+            return DatatypeConverter.printBase64Binary(clearbytes);
+
+        } catch (Exception e) {
+            LOG.error("Couldn't decrypt token", e);
+            return null;
+        }
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/IDMMDSALStore.java b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/IDMMDSALStore.java
new file mode 100644
index 00000000..88fba0ba
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/IDMMDSALStore.java
@@ -0,0 +1,483 @@
+/*
+ * Copyright (c) 2015 Cisco Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+package org.opendaylight.aaa.authn.mdsal.store;
+
+import com.google.common.base.Optional;
+import com.google.common.base.Preconditions;
+import com.google.common.util.concurrent.CheckedFuture;
+import java.util.List;
+import java.util.concurrent.ExecutionException;
+import org.opendaylight.aaa.api.IDMStoreException;
+import org.opendaylight.aaa.api.IDMStoreUtil;
+import org.opendaylight.aaa.api.SHA256Calculator;
+import org.opendaylight.controller.md.sal.binding.api.DataBroker;
+import org.opendaylight.controller.md.sal.binding.api.ReadOnlyTransaction;
+import org.opendaylight.controller.md.sal.binding.api.WriteTransaction;
+import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
+import org.opendaylight.controller.md.sal.common.api.data.ReadFailedException;
+import org.opendaylight.controller.md.sal.common.api.data.TransactionCommitFailedException;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.Authentication;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Domain;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.DomainBuilder;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.DomainKey;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Grant;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.GrantBuilder;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.GrantKey;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Role;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.RoleBuilder;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.RoleKey;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.User;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.UserBuilder;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.UserKey;
+import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * @author Sharon Aicler - saichler@cisco.com
+ *
+ */
+public class IDMMDSALStore {
+
+    private static final Logger LOG = LoggerFactory.getLogger(IDMMDSALStore.class);
+    private final DataBroker dataBroker;
+
+    public IDMMDSALStore(DataBroker dataBroker) {
+        this.dataBroker = dataBroker;
+    }
+
+    public static final String getString(String aValue, String bValue) {
+        if (aValue != null)
+            return aValue;
+        return bValue;
+    }
+
+    public static final Boolean getBoolean(Boolean aValue, Boolean bValue) {
+        if (aValue != null)
+            return aValue;
+        return bValue;
+    }
+
+    public static boolean waitForSubmit(CheckedFuture<Void, TransactionCommitFailedException> submit) {
+        // This can happen only when testing
+        if (submit == null)
+            return false;
+        while (!submit.isDone() && !submit.isCancelled()) {
+            try {
+                Thread.sleep(1000);
+            } catch (Exception err) {
+                LOG.error("Interrupted", err);
+            }
+        }
+        return submit.isCancelled();
+    }
+
+    // Domain methods
+    public Domain writeDomain(Domain domain) {
+        Preconditions.checkNotNull(domain);
+        Preconditions.checkNotNull(domain.getName());
+        Preconditions.checkNotNull(domain.isEnabled());
+        DomainBuilder b = new DomainBuilder();
+        b.setDescription(domain.getDescription());
+        b.setDomainid(domain.getName());
+        b.setEnabled(domain.isEnabled());
+        b.setName(domain.getName());
+        b.setKey(new DomainKey(b.getName()));
+        domain = b.build();
+        InstanceIdentifier<Domain> ID = InstanceIdentifier.create(Authentication.class).child(
+                Domain.class, new DomainKey(domain.getDomainid()));
+        WriteTransaction wrt = dataBroker.newWriteOnlyTransaction();
+        wrt.put(LogicalDatastoreType.CONFIGURATION, ID, domain, true);
+        CheckedFuture<Void, TransactionCommitFailedException> submit = wrt.submit();
+        if (!waitForSubmit(submit)) {
+            return domain;
+        } else {
+            return null;
+        }
+    }
+
+    public Domain readDomain(String domainid) {
+        Preconditions.checkNotNull(domainid);
+        InstanceIdentifier<Domain> ID = InstanceIdentifier.create(Authentication.class).child(
+                Domain.class, new DomainKey(domainid));
+        ReadOnlyTransaction rot = dataBroker.newReadOnlyTransaction();
+        CheckedFuture<Optional<Domain>, ReadFailedException> read = rot.read(
+                LogicalDatastoreType.CONFIGURATION, ID);
+        if (read == null) {
+            LOG.error("Failed to read domain from data store");
+            return null;
+        }
+        Optional<Domain> optional = null;
+        try {
+            optional = read.get();
+        } catch (InterruptedException | ExecutionException e1) {
+            LOG.error("Failed to read domain from data store", e1);
+            return null;
+        }
+
+        if (optional == null)
+            return null;
+
+        if (!optional.isPresent())
+            return null;
+
+        return optional.get();
+    }
+
+    public Domain deleteDomain(String domainid) {
+        Preconditions.checkNotNull(domainid);
+        Domain domain = readDomain(domainid);
+        if (domain == null) {
+            LOG.error("Failed to delete domain from data store, unknown domain");
+            return null;
+        }
+        InstanceIdentifier<Domain> ID = InstanceIdentifier.create(Authentication.class).child(
+                Domain.class, new DomainKey(domainid));
+        WriteTransaction wrt = dataBroker.newWriteOnlyTransaction();
+        wrt.delete(LogicalDatastoreType.CONFIGURATION, ID);
+        wrt.submit();
+        return domain;
+    }
+
+    public Domain updateDomain(Domain domain) throws IDMStoreException {
+        Preconditions.checkNotNull(domain);
+        Preconditions.checkNotNull(domain.getDomainid());
+        Domain existing = readDomain(domain.getDomainid());
+        DomainBuilder b = new DomainBuilder();
+        b.setDescription(getString(domain.getDescription(), existing.getDescription()));
+        b.setName(existing.getName());
+        b.setEnabled(getBoolean(domain.isEnabled(), existing.isEnabled()));
+        return writeDomain(b.build());
+    }
+
+    public List<Domain> getAllDomains() {
+        InstanceIdentifier<Authentication> id = InstanceIdentifier.create(Authentication.class);
+        ReadOnlyTransaction rot = dataBroker.newReadOnlyTransaction();
+        CheckedFuture<Optional<Authentication>, ReadFailedException> read = rot.read(
+                LogicalDatastoreType.CONFIGURATION, id);
+        if (read == null)
+            return null;
+
+        try {
+            if (read.get() == null)
+                return null;
+            if (read.get().isPresent()) {
+                Authentication auth = read.get().get();
+                return auth.getDomain();
+            }
+        } catch (Exception err) {
+            LOG.error("Failed to read domains", err);
+        }
+        return null;
+    }
+
+    public List<Role> getAllRoles() {
+        InstanceIdentifier<Authentication> id = InstanceIdentifier.create(Authentication.class);
+        ReadOnlyTransaction rot = dataBroker.newReadOnlyTransaction();
+        CheckedFuture<Optional<Authentication>, ReadFailedException> read = rot.read(
+                LogicalDatastoreType.CONFIGURATION, id);
+        if (read == null)
+            return null;
+
+        try {
+            if (read.get() == null)
+                return null;
+            if (read.get().isPresent()) {
+                Authentication auth = read.get().get();
+                return auth.getRole();
+            }
+        } catch (Exception err) {
+            LOG.error("Failed to read domains", err);
+        }
+        return null;
+    }
+
+    public List<User> getAllUsers() {
+        InstanceIdentifier<Authentication> id = InstanceIdentifier.create(Authentication.class);
+        ReadOnlyTransaction rot = dataBroker.newReadOnlyTransaction();
+        CheckedFuture<Optional<Authentication>, ReadFailedException> read = rot.read(
+                LogicalDatastoreType.CONFIGURATION, id);
+        if (read == null)
+            return null;
+
+        try {
+            if (read.get() == null)
+                return null;
+            if (read.get().isPresent()) {
+                Authentication auth = read.get().get();
+                return auth.getUser();
+            }
+        } catch (Exception err) {
+            LOG.error("Failed to read domains", err);
+        }
+        return null;
+    }
+
+    public List<Grant> getAllGrants() {
+        InstanceIdentifier<Authentication> id = InstanceIdentifier.create(Authentication.class);
+        ReadOnlyTransaction rot = dataBroker.newReadOnlyTransaction();
+        CheckedFuture<Optional<Authentication>, ReadFailedException> read = rot.read(
+                LogicalDatastoreType.CONFIGURATION, id);
+        if (read == null)
+            return null;
+
+        try {
+            if (read.get() == null)
+                return null;
+            if (read.get().isPresent()) {
+                Authentication auth = read.get().get();
+                return auth.getGrant();
+            }
+        } catch (Exception err) {
+            LOG.error("Failed to read domains", err);
+        }
+        return null;
+    }
+
+    // Role methods
+    public Role writeRole(Role role) {
+        Preconditions.checkNotNull(role);
+        Preconditions.checkNotNull(role.getName());
+        Preconditions.checkNotNull(role.getDomainid());
+        Preconditions.checkNotNull(readDomain(role.getDomainid()));
+        RoleBuilder b = new RoleBuilder();
+        b.setDescription(role.getDescription());
+        b.setRoleid(IDMStoreUtil.createRoleid(role.getName(), role.getDomainid()));
+        b.setKey(new RoleKey(b.getRoleid()));
+        b.setName(role.getName());
+        b.setDomainid(role.getDomainid());
+        role = b.build();
+        InstanceIdentifier<Role> ID = InstanceIdentifier.create(Authentication.class).child(
+                Role.class, new RoleKey(role.getRoleid()));
+        WriteTransaction wrt = dataBroker.newWriteOnlyTransaction();
+        wrt.put(LogicalDatastoreType.CONFIGURATION, ID, role, true);
+        CheckedFuture<Void, TransactionCommitFailedException> submit = wrt.submit();
+        if (!waitForSubmit(submit)) {
+            return role;
+        } else {
+            return null;
+        }
+    }
+
+    public Role readRole(String roleid) {
+        Preconditions.checkNotNull(roleid);
+        InstanceIdentifier<Role> ID = InstanceIdentifier.create(Authentication.class).child(
+                Role.class, new RoleKey(roleid));
+        ReadOnlyTransaction rot = dataBroker.newReadOnlyTransaction();
+        CheckedFuture<Optional<Role>, ReadFailedException> read = rot.read(
+                LogicalDatastoreType.CONFIGURATION, ID);
+        if (read == null) {
+            LOG.error("Failed to read role from data store");
+            return null;
+        }
+        Optional<Role> optional = null;
+        try {
+            optional = read.get();
+        } catch (InterruptedException | ExecutionException e1) {
+            LOG.error("Failed to read role from data store", e1);
+            return null;
+        }
+
+        if (optional == null)
+            return null;
+
+        if (!optional.isPresent())
+            return null;
+
+        return optional.get();
+    }
+
+    public Role deleteRole(String roleid) {
+        Preconditions.checkNotNull(roleid);
+        Role role = readRole(roleid);
+        if (role == null) {
+            LOG.error("Failed to delete role from data store, unknown role");
+            return null;
+        }
+        InstanceIdentifier<Role> ID = InstanceIdentifier.create(Authentication.class).child(
+                Role.class, new RoleKey(roleid));
+        WriteTransaction wrt = dataBroker.newWriteOnlyTransaction();
+        wrt.delete(LogicalDatastoreType.CONFIGURATION, ID);
+        wrt.submit();
+        return role;
+    }
+
+    public Role updateRole(Role role) {
+        Preconditions.checkNotNull(role);
+        Preconditions.checkNotNull(role.getRoleid());
+        Role existing = readRole(role.getRoleid());
+        RoleBuilder b = new RoleBuilder();
+        b.setDescription(getString(role.getDescription(), existing.getDescription()));
+        b.setName(existing.getName());
+        b.setDomainid(existing.getDomainid());
+        return writeRole(b.build());
+    }
+
+    // User methods
+    public User writeUser(User user) throws IDMStoreException {
+        Preconditions.checkNotNull(user);
+        Preconditions.checkNotNull(user.getName());
+        Preconditions.checkNotNull(user.getDomainid());
+        Preconditions.checkNotNull(readDomain(user.getDomainid()));
+        UserBuilder b = new UserBuilder();
+        if (user.getSalt() == null) {
+            b.setSalt(SHA256Calculator.generateSALT());
+        } else {
+            b.setSalt(user.getSalt());
+        }
+        b.setUserid(IDMStoreUtil.createUserid(user.getName(), user.getDomainid()));
+        b.setDescription(user.getDescription());
+        b.setDomainid(user.getDomainid());
+        b.setEmail(user.getEmail());
+        b.setEnabled(user.isEnabled());
+        b.setKey(new UserKey(b.getUserid()));
+        b.setName(user.getName());
+        b.setPassword(SHA256Calculator.getSHA256(user.getPassword(), b.getSalt()));
+        user = b.build();
+        InstanceIdentifier<User> ID = InstanceIdentifier.create(Authentication.class).child(
+                User.class, new UserKey(user.getUserid()));
+        WriteTransaction wrt = dataBroker.newWriteOnlyTransaction();
+        wrt.put(LogicalDatastoreType.CONFIGURATION, ID, user, true);
+        CheckedFuture<Void, TransactionCommitFailedException> submit = wrt.submit();
+        if (!waitForSubmit(submit)) {
+            return user;
+        } else {
+            return null;
+        }
+    }
+
+    public User readUser(String userid) {
+        Preconditions.checkNotNull(userid);
+        InstanceIdentifier<User> ID = InstanceIdentifier.create(Authentication.class).child(
+                User.class, new UserKey(userid));
+        ReadOnlyTransaction rot = dataBroker.newReadOnlyTransaction();
+        CheckedFuture<Optional<User>, ReadFailedException> read = rot.read(
+                LogicalDatastoreType.CONFIGURATION, ID);
+        if (read == null) {
+            LOG.error("Failed to read user from data store");
+            return null;
+        }
+        Optional<User> optional = null;
+        try {
+            optional = read.get();
+        } catch (InterruptedException | ExecutionException e1) {
+            LOG.error("Failed to read domain from data store", e1);
+            return null;
+        }
+
+        if (optional == null)
+            return null;
+
+        if (!optional.isPresent())
+            return null;
+
+        return optional.get();
+    }
+
+    public User deleteUser(String userid) {
+        Preconditions.checkNotNull(userid);
+        User user = readUser(userid);
+        if (user == null) {
+            LOG.error("Failed to delete user from data store, unknown user");
+            return null;
+        }
+        InstanceIdentifier<User> ID = InstanceIdentifier.create(Authentication.class).child(
+                User.class, new UserKey(userid));
+        WriteTransaction wrt = dataBroker.newWriteOnlyTransaction();
+        wrt.delete(LogicalDatastoreType.CONFIGURATION, ID);
+        wrt.submit();
+        return user;
+    }
+
+    public User updateUser(User user) throws IDMStoreException {
+        Preconditions.checkNotNull(user);
+        Preconditions.checkNotNull(user.getUserid());
+        User existing = readUser(user.getUserid());
+        UserBuilder b = new UserBuilder();
+        b.setName(existing.getName());
+        b.setDomainid(existing.getDomainid());
+        b.setDescription(getString(user.getDescription(), existing.getDescription()));
+        b.setEmail(getString(user.getEmail(), existing.getEmail()));
+        b.setEnabled(getBoolean(user.isEnabled(), existing.isEnabled()));
+        b.setPassword(getString(user.getPassword(), existing.getPassword()));
+        b.setSalt(getString(user.getSalt(), existing.getSalt()));
+        return writeUser(b.build());
+    }
+
+    // Grant methods
+    public Grant writeGrant(Grant grant) throws IDMStoreException {
+        Preconditions.checkNotNull(grant);
+        Preconditions.checkNotNull(grant.getDomainid());
+        Preconditions.checkNotNull(grant.getUserid());
+        Preconditions.checkNotNull(grant.getRoleid());
+        Preconditions.checkNotNull(readDomain(grant.getDomainid()));
+        Preconditions.checkNotNull(readUser(grant.getUserid()));
+        Preconditions.checkNotNull(readRole(grant.getRoleid()));
+        GrantBuilder b = new GrantBuilder();
+        b.setDomainid(grant.getDomainid());
+        b.setRoleid(grant.getRoleid());
+        b.setUserid(grant.getUserid());
+        b.setGrantid(IDMStoreUtil.createGrantid(grant.getUserid(), grant.getDomainid(),
+                grant.getRoleid()));
+        b.setKey(new GrantKey(b.getGrantid()));
+        grant = b.build();
+        InstanceIdentifier<Grant> ID = InstanceIdentifier.create(Authentication.class).child(
+                Grant.class, new GrantKey(grant.getGrantid()));
+        WriteTransaction wrt = dataBroker.newWriteOnlyTransaction();
+        wrt.put(LogicalDatastoreType.CONFIGURATION, ID, grant, true);
+        CheckedFuture<Void, TransactionCommitFailedException> submit = wrt.submit();
+        if (!waitForSubmit(submit)) {
+            return grant;
+        } else {
+            return null;
+        }
+    }
+
+    public Grant readGrant(String grantid) {
+        Preconditions.checkNotNull(grantid);
+        InstanceIdentifier<Grant> ID = InstanceIdentifier.create(Authentication.class).child(
+                Grant.class, new GrantKey(grantid));
+        ReadOnlyTransaction rot = dataBroker.newReadOnlyTransaction();
+        CheckedFuture<Optional<Grant>, ReadFailedException> read = rot.read(
+                LogicalDatastoreType.CONFIGURATION, ID);
+        if (read == null) {
+            LOG.error("Failed to read grant from data store");
+            return null;
+        }
+        Optional<Grant> optional = null;
+        try {
+            optional = read.get();
+        } catch (InterruptedException | ExecutionException e1) {
+            LOG.error("Failed to read domain from data store", e1);
+            return null;
+        }
+
+        if (optional == null)
+            return null;
+
+        if (!optional.isPresent())
+            return null;
+
+        return optional.get();
+    }
+
+    public Grant deleteGrant(String grantid) {
+        Preconditions.checkNotNull(grantid);
+        Grant grant = readGrant(grantid);
+        if (grant == null) {
+            LOG.error("Failed to delete grant from data store, unknown grant");
+            return null;
+        }
+        InstanceIdentifier<Grant> ID = InstanceIdentifier.create(Authentication.class).child(
+                Grant.class, new GrantKey(grantid));
+        WriteTransaction wrt = dataBroker.newWriteOnlyTransaction();
+        wrt.delete(LogicalDatastoreType.CONFIGURATION, ID);
+        wrt.submit();
+        return grant;
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/IDMObject2MDSAL.java b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/IDMObject2MDSAL.java
new file mode 100644
index 00000000..0b58ced7
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/IDMObject2MDSAL.java
@@ -0,0 +1,224 @@
+/*
+ * Copyright (c) 2015 Cisco Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+package org.opendaylight.aaa.authn.mdsal.store;
+
+import java.lang.reflect.Method;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import org.opendaylight.aaa.api.model.Domain;
+import org.opendaylight.aaa.api.model.Grant;
+import org.opendaylight.aaa.api.model.Role;
+import org.opendaylight.aaa.api.model.User;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.DomainBuilder;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.GrantBuilder;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.RoleBuilder;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.UserBuilder;
+import org.opendaylight.yangtools.yang.binding.DataObject;
+/**
+ *
+ * @author saichler@gmail.com
+ *
+ * This class is a codec to convert between MDSAL objects and IDM model objects. It is doing so via reflection when it assumes that the MDSAL
+ * Object and the IDM model object has the same method names.
+ */
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * @author Sharon Aicler - saichler@cisco.com
+ *
+ */
+public abstract class IDMObject2MDSAL {
+    private static final Logger LOG = LoggerFactory.getLogger(IDMObject2MDSAL.class);
+    // this is a Map mapping between the class type of the IDM Model object to a
+    // structure containing the corresponding setters and getter methods
+    // in MDSAL object
+    private static Map<Class<?>, ConvertionMethods> typesMethods = new HashMap<Class<?>, ConvertionMethods>();
+
+    // This method generically via reflection receive a MDSAL object and the
+    // corresponding IDM model object class type and
+    // creates an IDM model element from the MDSAL element
+    private static Object fromMDSALObject(Object mdsalObject, Class<?> type) throws Exception {
+        if (mdsalObject == null)
+            return null;
+        Object result = type.newInstance();
+        ConvertionMethods cm = typesMethods.get(type);
+        if (cm == null) {
+            cm = new ConvertionMethods();
+            typesMethods.put(type, cm);
+            Method methods[] = type.getMethods();
+            for (Method m : methods) {
+                if (m.getName().startsWith("set")) {
+                    cm.setMethods.add(m);
+                    Method gm = null;
+                    if (m.getParameterTypes()[0].equals(Boolean.class)
+                            || m.getParameterTypes()[0].equals(boolean.class))
+                        gm = ((DataObject) mdsalObject).getImplementedInterface().getMethod(
+                                "is" + m.getName().substring(3), (Class[]) null);
+                    else {
+                        try {
+                            gm = ((DataObject) mdsalObject).getImplementedInterface().getMethod(
+                                    "get" + m.getName().substring(3), (Class[]) null);
+                        } catch (Exception err) {
+                            LOG.error("Error associating get call", err);
+                        }
+                    }
+                    cm.getMethods.put(m.getName(), gm);
+                }
+            }
+        }
+        for (Method m : cm.setMethods) {
+            try {
+                m.invoke(
+                        result,
+                        new Object[] { cm.getMethods.get(m.getName()).invoke(mdsalObject,
+                                (Object[]) null) });
+            } catch (Exception err) {
+                LOG.error("Error invoking reflection method", err);
+            }
+        }
+        return result;
+    }
+
+    // This method generically use reflection to receive an IDM model object and
+    // the corresponsing MDSAL object and creates
+    // a MDSAL object out of the IDM model object
+    private static Object toMDSALObject(Object object, Class<?> mdSalBuilderType) throws Exception {
+        if (object == null)
+            return null;
+        Object result = mdSalBuilderType.newInstance();
+        ConvertionMethods cm = typesMethods.get(mdSalBuilderType);
+        if (cm == null) {
+            cm = new ConvertionMethods();
+            typesMethods.put(mdSalBuilderType, cm);
+            Method methods[] = mdSalBuilderType.getMethods();
+            for (Method m : methods) {
+                if (m.getName().startsWith("set")) {
+                    try {
+                        Method gm = null;
+                        if (m.getParameterTypes()[0].equals(Boolean.class)
+                                || m.getParameterTypes()[0].equals(boolean.class))
+                            gm = object.getClass().getMethod("is" + m.getName().substring(3),
+                                    (Class[]) null);
+                        else
+                            gm = object.getClass().getMethod("get" + m.getName().substring(3),
+                                    (Class[]) null);
+                        cm.getMethods.put(m.getName(), gm);
+                        cm.setMethods.add(m);
+                    } catch (NoSuchMethodException err) {
+                    }
+                }
+            }
+            cm.builderMethod = mdSalBuilderType.getMethod("build", (Class[]) null);
+        }
+        for (Method m : cm.setMethods) {
+            m.invoke(result,
+                    new Object[] { cm.getMethods.get(m.getName()).invoke(object, (Object[]) null) });
+        }
+
+        return cm.builderMethod.invoke(result, (Object[]) null);
+    }
+
+    // A struccture class to hold the getters & setters of each type to speed
+    // things up
+    private static class ConvertionMethods {
+        private List<Method> setMethods = new ArrayList<Method>();
+        private Map<String, Method> getMethods = new HashMap<String, Method>();
+        private Method builderMethod = null;
+    }
+
+    // Convert Domain
+    public static org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Domain toMDSALDomain(
+            Domain domain) {
+        try {
+            return (org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Domain) toMDSALObject(
+                    domain, DomainBuilder.class);
+        } catch (Exception err) {
+            LOG.error("Error converting domain to MDSAL object", err);
+            return null;
+        }
+    }
+
+    public static Domain toIDMDomain(
+            org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Domain domain) {
+        try {
+            return (Domain) fromMDSALObject(domain, Domain.class);
+        } catch (Exception err) {
+            LOG.error("Error converting domain from MDSAL to IDM object", err);
+            return null;
+        }
+    }
+
+    // Convert Role
+    public static org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Role toMDSALRole(
+            Role role) {
+        try {
+            return (org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Role) toMDSALObject(
+                    role, RoleBuilder.class);
+        } catch (Exception err) {
+            LOG.error("Error converting role to MDSAL object", err);
+            return null;
+        }
+    }
+
+    public static Role toIDMRole(
+            org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Role role) {
+        try {
+            return (Role) fromMDSALObject(role, Role.class);
+        } catch (Exception err) {
+            LOG.error("Error converting role fom MDSAL to IDM object", err);
+            return null;
+        }
+    }
+
+    // Convert User
+    public static org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.User toMDSALUser(
+            User user) {
+        try {
+            return (org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.User) toMDSALObject(
+                    user, UserBuilder.class);
+        } catch (Exception err) {
+            LOG.error("Error converting user to MDSAL object", err);
+            return null;
+        }
+    }
+
+    public static User toIDMUser(
+            org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.User user) {
+        try {
+            return (User) fromMDSALObject(user, User.class);
+        } catch (Exception err) {
+            LOG.error("Error converting user from MDSAL to IDM object", err);
+            return null;
+        }
+    }
+
+    // Convert Grant
+    public static org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Grant toMDSALGrant(
+            Grant grant) {
+        try {
+            return (org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Grant) toMDSALObject(
+                    grant, GrantBuilder.class);
+        } catch (Exception err) {
+            LOG.error("Error converting grant to MDSAL object", err);
+            return null;
+        }
+    }
+
+    public static Grant toIDMGrant(
+            org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Grant grant) {
+        try {
+            return (Grant) fromMDSALObject(grant, Grant.class);
+        } catch (Exception err) {
+            LOG.error("Error converting grant from MDSAL to IDM object", err);
+            return null;
+        }
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/IDMStore.java b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/IDMStore.java
new file mode 100644
index 00000000..69bc1d52
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/IDMStore.java
@@ -0,0 +1,182 @@
+/*
+ * Copyright (c) 2015 Cisco Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+package org.opendaylight.aaa.authn.mdsal.store;
+
+import java.util.List;
+import org.opendaylight.aaa.api.IDMStoreException;
+import org.opendaylight.aaa.api.IDMStoreUtil;
+import org.opendaylight.aaa.api.IIDMStore;
+import org.opendaylight.aaa.api.model.Domain;
+import org.opendaylight.aaa.api.model.Domains;
+import org.opendaylight.aaa.api.model.Grant;
+import org.opendaylight.aaa.api.model.Grants;
+import org.opendaylight.aaa.api.model.Role;
+import org.opendaylight.aaa.api.model.Roles;
+import org.opendaylight.aaa.api.model.User;
+import org.opendaylight.aaa.api.model.Users;
+
+/**
+ * @author Sharon Aicler - saichler@cisco.com
+ *
+ */
+public class IDMStore implements IIDMStore {
+    private final IDMMDSALStore mdsalStore;
+
+    public IDMStore(IDMMDSALStore mdsalStore) {
+        this.mdsalStore = mdsalStore;
+    }
+
+    @Override
+    public Domain writeDomain(Domain domain) throws IDMStoreException {
+        return IDMObject2MDSAL.toIDMDomain(mdsalStore.writeDomain(IDMObject2MDSAL.toMDSALDomain(domain)));
+    }
+
+    @Override
+    public Domain readDomain(String domainid) throws IDMStoreException {
+        return IDMObject2MDSAL.toIDMDomain(mdsalStore.readDomain(domainid));
+    }
+
+    @Override
+    public Domain deleteDomain(String domainid) throws IDMStoreException {
+        return IDMObject2MDSAL.toIDMDomain(mdsalStore.deleteDomain(domainid));
+    }
+
+    @Override
+    public Domain updateDomain(Domain domain) throws IDMStoreException {
+        return IDMObject2MDSAL.toIDMDomain(mdsalStore.updateDomain(IDMObject2MDSAL.toMDSALDomain(domain)));
+    }
+
+    @Override
+    public Domains getDomains() throws IDMStoreException {
+        Domains domains = new Domains();
+        List<org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Domain> mdSalDomains = mdsalStore.getAllDomains();
+        for (org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Domain d : mdSalDomains) {
+            domains.getDomains().add(IDMObject2MDSAL.toIDMDomain(d));
+        }
+        return domains;
+    }
+
+    @Override
+    public Role writeRole(Role role) throws IDMStoreException {
+        return IDMObject2MDSAL.toIDMRole(mdsalStore.writeRole(IDMObject2MDSAL.toMDSALRole(role)));
+    }
+
+    @Override
+    public Role readRole(String roleid) throws IDMStoreException {
+        return IDMObject2MDSAL.toIDMRole(mdsalStore.readRole(roleid));
+    }
+
+    @Override
+    public Role deleteRole(String roleid) throws IDMStoreException {
+        return IDMObject2MDSAL.toIDMRole(mdsalStore.deleteRole(roleid));
+    }
+
+    @Override
+    public Role updateRole(Role role) throws IDMStoreException {
+        return IDMObject2MDSAL.toIDMRole(mdsalStore.writeRole(IDMObject2MDSAL.toMDSALRole(role)));
+    }
+
+    @Override
+    public User writeUser(User user) throws IDMStoreException {
+        return IDMObject2MDSAL.toIDMUser(mdsalStore.writeUser(IDMObject2MDSAL.toMDSALUser(user)));
+    }
+
+    @Override
+    public User readUser(String userid) throws IDMStoreException {
+        return IDMObject2MDSAL.toIDMUser(mdsalStore.readUser(userid));
+    }
+
+    @Override
+    public User deleteUser(String userid) throws IDMStoreException {
+        return IDMObject2MDSAL.toIDMUser(mdsalStore.deleteUser(userid));
+    }
+
+    @Override
+    public User updateUser(User user) throws IDMStoreException {
+        return IDMObject2MDSAL.toIDMUser(mdsalStore.writeUser(IDMObject2MDSAL.toMDSALUser(user)));
+    }
+
+    @Override
+    public Grant writeGrant(Grant grant) throws IDMStoreException {
+        return IDMObject2MDSAL.toIDMGrant(mdsalStore.writeGrant(IDMObject2MDSAL.toMDSALGrant(grant)));
+    }
+
+    @Override
+    public Grant readGrant(String grantid) throws IDMStoreException {
+        return IDMObject2MDSAL.toIDMGrant(mdsalStore.readGrant(grantid));
+    }
+
+    @Override
+    public Grant deleteGrant(String grantid) throws IDMStoreException {
+        return IDMObject2MDSAL.toIDMGrant(mdsalStore.readGrant(grantid));
+    }
+
+    @Override
+    public Roles getRoles() throws IDMStoreException {
+        Roles roles = new Roles();
+        List<org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Role> mdSalRoles = mdsalStore.getAllRoles();
+        for (org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Role r : mdSalRoles) {
+            roles.getRoles().add(IDMObject2MDSAL.toIDMRole(r));
+        }
+        return roles;
+    }
+
+    @Override
+    public Users getUsers() throws IDMStoreException {
+        Users users = new Users();
+        List<org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.User> mdSalUsers = mdsalStore.getAllUsers();
+        for (org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.User u : mdSalUsers) {
+            users.getUsers().add(IDMObject2MDSAL.toIDMUser(u));
+        }
+        return users;
+    }
+
+    @Override
+    public Users getUsers(String username, String domain) throws IDMStoreException {
+        Users users = new Users();
+        List<org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.User> mdSalUsers = mdsalStore.getAllUsers();
+        for (org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.User u : mdSalUsers) {
+            if (u.getDomainid().equals(domain) && u.getName().equals(username)) {
+                users.getUsers().add(IDMObject2MDSAL.toIDMUser(u));
+            }
+        }
+        return users;
+    }
+
+    @Override
+    public Grants getGrants(String domainid, String userid) throws IDMStoreException {
+        Grants grants = new Grants();
+        List<org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Grant> mdSalGrants = mdsalStore.getAllGrants();
+        String currentGrantUserId, currentGrantDomainId;
+        for (org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Grant g : mdSalGrants) {
+            currentGrantUserId = g.getUserid();
+            currentGrantDomainId = g.getDomainid();
+            if (currentGrantUserId.equals(userid) && currentGrantDomainId.equals(domainid)) {
+                grants.getGrants().add(IDMObject2MDSAL.toIDMGrant(g));
+            }
+        }
+        return grants;
+    }
+
+    @Override
+    public Grants getGrants(String userid) throws IDMStoreException {
+        Grants grants = new Grants();
+        List<org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Grant> mdSalGrants = mdsalStore.getAllGrants();
+        for (org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Grant g : mdSalGrants) {
+            if (g.getUserid().equals(userid)) {
+                grants.getGrants().add(IDMObject2MDSAL.toIDMGrant(g));
+            }
+        }
+        return grants;
+    }
+
+    @Override
+    public Grant readGrant(String domainid, String userid, String roleid) throws IDMStoreException {
+        return readGrant(IDMStoreUtil.createGrantid(userid, domainid, roleid));
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/util/AuthNStoreUtil.java b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/util/AuthNStoreUtil.java
new file mode 100644
index 00000000..6ef58109
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/aaa/authn/mdsal/store/util/AuthNStoreUtil.java
@@ -0,0 +1,140 @@
+/*
+ * Copyright (c) 2015 Cisco Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.authn.mdsal.store.util;
+
+import java.math.BigInteger;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import org.opendaylight.aaa.AuthenticationBuilder;
+import org.opendaylight.aaa.api.Authentication;
+import org.opendaylight.aaa.api.Claim;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.TokenCacheTimes;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.Tokencache;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.token_cache_times.TokenList;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.token_cache_times.TokenListBuilder;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.token_cache_times.TokenListKey;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.token_cache_times.token_list.UserTokens;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.token_cache_times.token_list.UserTokensBuilder;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.token_cache_times.token_list.UserTokensKey;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.tokencache.Claims;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.tokencache.ClaimsBuilder;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.tokencache.ClaimsKey;
+import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
+
+public class AuthNStoreUtil {
+
+    public static InstanceIdentifier<Claims> createInstIdentifierForTokencache(String token) {
+        if (token == null || token.length() == 0)
+            return null;
+
+        InstanceIdentifier<Claims> claims_iid = InstanceIdentifier.builder(Tokencache.class)
+                                                                  .child(Claims.class,
+                                                                          new ClaimsKey(token))
+                                                                  .build();
+        return claims_iid;
+    }
+
+    public static InstanceIdentifier<UserTokens> createInstIdentifierUserTokens(String userId,
+            String token) {
+        if (userId == null || userId.length() == 0 || token == null || token.length() == 0)
+            return null;
+
+        InstanceIdentifier<UserTokens> userTokens_iid = InstanceIdentifier.builder(
+                TokenCacheTimes.class)
+                                                                          .child(TokenList.class,
+                                                                                  new TokenListKey(
+                                                                                          userId))
+                                                                          .child(UserTokens.class,
+                                                                                  new UserTokensKey(
+                                                                                          token))
+                                                                          .build();
+        return userTokens_iid;
+    }
+
+    public static Claims createClaimsRecord(String token, Authentication auth) {
+        if (auth == null || token == null || token.length() == 0)
+            return null;
+
+        ClaimsKey claimsKey = new ClaimsKey(token);
+        ClaimsBuilder claimsBuilder = new ClaimsBuilder();
+        claimsBuilder.setClientId(auth.clientId());
+        claimsBuilder.setDomain(auth.domain());
+        claimsBuilder.setKey(claimsKey);
+        List<String> roles = new ArrayList<String>();
+        roles.addAll(auth.roles());
+        claimsBuilder.setRoles(roles);
+        claimsBuilder.setToken(token);
+        claimsBuilder.setUser(auth.user());
+        claimsBuilder.setUserId(auth.userId());
+        return claimsBuilder.build();
+    }
+
+    public static UserTokens createUserTokens(String token, Long expiration) {
+        if (expiration == null || token == null || token.length() == 0)
+            return null;
+
+        UserTokensBuilder userTokensBuilder = new UserTokensBuilder();
+        userTokensBuilder.setTokenid(token);
+        BigInteger timestamp = BigInteger.valueOf(System.currentTimeMillis());
+        userTokensBuilder.setTimestamp(timestamp);
+        userTokensBuilder.setExpiration(expiration);
+        userTokensBuilder.setKey(new UserTokensKey(token));
+        return userTokensBuilder.build();
+    }
+
+    public static TokenList createTokenList(UserTokens tokens, String userId) {
+        if (tokens == null || userId == null || userId.length() == 0)
+            return null;
+
+        TokenListBuilder tokenListBuilder = new TokenListBuilder();
+        tokenListBuilder.setUserId(userId);
+        tokenListBuilder.setKey(new TokenListKey(userId));
+        List<UserTokens> userTokens = new ArrayList<UserTokens>();
+        userTokens.add(tokens);
+        tokenListBuilder.setUserTokens(userTokens);
+        return tokenListBuilder.build();
+    }
+
+    public static Authentication convertClaimToAuthentication(final Claims claims, Long expiration) {
+        if (claims == null)
+            return null;
+
+        Claim claim = new Claim() {
+            @Override
+            public String clientId() {
+                return claims.getClientId();
+            }
+
+            @Override
+            public String userId() {
+                return claims.getUserId();
+            }
+
+            @Override
+            public String user() {
+                return claims.getUser();
+            }
+
+            @Override
+            public String domain() {
+                return claims.getDomain();
+            }
+
+            @Override
+            public Set<String> roles() {
+                return new HashSet<>(claims.getRoles());
+            }
+        };
+        AuthenticationBuilder authBuilder = new AuthenticationBuilder(claim);
+        authBuilder.setExpiration(expiration);
+        return authBuilder.build();
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/mdsal/store/rev141031/AuthNStoreModule.java b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/mdsal/store/rev141031/AuthNStoreModule.java
new file mode 100644
index 00000000..0631170e
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/mdsal/store/rev141031/AuthNStoreModule.java
@@ -0,0 +1,90 @@
+/*
+ * Copyright (c) 2015 Cisco Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ *
+ */
+
+package org.opendaylight.yang.gen.v1.config.aaa.authn.mdsal.store.rev141031;
+
+import org.opendaylight.aaa.api.IIDMStore;
+import org.opendaylight.aaa.api.TokenStore;
+import org.opendaylight.aaa.authn.mdsal.store.AuthNStore;
+import org.opendaylight.aaa.authn.mdsal.store.IDMMDSALStore;
+import org.opendaylight.aaa.authn.mdsal.store.IDMStore;
+import org.opendaylight.controller.md.sal.binding.api.DataBroker;
+import org.osgi.framework.BundleContext;
+import org.osgi.framework.ServiceRegistration;
+
+public class AuthNStoreModule
+        extends
+        org.opendaylight.yang.gen.v1.config.aaa.authn.mdsal.store.rev141031.AbstractAuthNStoreModule {
+    private BundleContext bundleContext;
+
+    public AuthNStoreModule(org.opendaylight.controller.config.api.ModuleIdentifier identifier,
+            org.opendaylight.controller.config.api.DependencyResolver dependencyResolver) {
+        super(identifier, dependencyResolver);
+    }
+
+    public AuthNStoreModule(
+            org.opendaylight.controller.config.api.ModuleIdentifier identifier,
+            org.opendaylight.controller.config.api.DependencyResolver dependencyResolver,
+            org.opendaylight.yang.gen.v1.config.aaa.authn.mdsal.store.rev141031.AuthNStoreModule oldModule,
+            java.lang.AutoCloseable oldInstance) {
+        super(identifier, dependencyResolver, oldModule, oldInstance);
+    }
+
+    @Override
+    public void customValidation() {
+        // add custom validation form module attributes here.
+    }
+
+    @Override
+    public java.lang.AutoCloseable createInstance() {
+
+        DataBroker dataBrokerService = getDataBrokerDependency();
+        final AuthNStore authNStore = new AuthNStore(dataBrokerService, getPassword());
+        final IDMMDSALStore mdsalStore = new IDMMDSALStore(dataBrokerService);
+        final IDMStore idmStore = new IDMStore(mdsalStore);
+
+        authNStore.setTimeToLive(getTimeToLive());
+
+        // Register the MD-SAL Token store with OSGI
+        final ServiceRegistration<?> serviceRegistration = bundleContext.registerService(
+                TokenStore.class.getName(), authNStore, null);
+        final ServiceRegistration<?> idmServiceRegistration = bundleContext.registerService(
+                IIDMStore.class.getName(), idmStore, null);
+        final class AutoCloseableStore implements AutoCloseable {
+
+            @Override
+            public void close() throws Exception {
+                serviceRegistration.unregister();
+                idmServiceRegistration.unregister();
+                authNStore.close();
+            }
+        }
+
+        return new AutoCloseableStore();
+
+        // return authNStore;
+
+        // throw new java.lang.UnsupportedOperationException();
+    }
+
+    /**
+     * @param bundleContext
+     */
+    public void setBundleContext(BundleContext bundleContext) {
+        this.bundleContext = bundleContext;
+    }
+
+    /**
+     * @return the bundleContext
+     */
+    public BundleContext getBundleContext() {
+        return bundleContext;
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/mdsal/store/rev141031/AuthNStoreModuleFactory.java b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/mdsal/store/rev141031/AuthNStoreModuleFactory.java
new file mode 100644
index 00000000..b1e278fa
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/mdsal/store/rev141031/AuthNStoreModuleFactory.java
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2015 Cisco Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ *
+ */
+
+/*
+ * Generated file
+ *
+ * Generated from: yang module name: aaa-authn-mdsal-store-cfg yang module local name: aaa-authn-mdsal-store
+ * Generated by: org.opendaylight.controller.config.yangjmxgenerator.plugin.JMXGenerator
+ * Generated at: Thu Mar 19 18:06:18 CET 2015
+ *
+ * Do not modify this file unless it is present under src/main directory
+ */
+package org.opendaylight.yang.gen.v1.config.aaa.authn.mdsal.store.rev141031;
+
+import org.opendaylight.controller.config.api.DependencyResolver;
+import org.osgi.framework.BundleContext;
+
+public class AuthNStoreModuleFactory
+        extends
+        org.opendaylight.yang.gen.v1.config.aaa.authn.mdsal.store.rev141031.AbstractAuthNStoreModuleFactory {
+
+    @Override
+    public AuthNStoreModule instantiateModule(String instanceName,
+            DependencyResolver dependencyResolver, BundleContext bundleContext) {
+        AuthNStoreModule module = super.instantiateModule(instanceName, dependencyResolver,
+                bundleContext);
+        module.setBundleContext(bundleContext);
+        return module;
+    }
+
+    @Override
+    public AuthNStoreModule instantiateModule(String instanceName,
+            DependencyResolver dependencyResolver, AuthNStoreModule oldModule,
+            AutoCloseable oldInstance, BundleContext bundleContext) {
+        AuthNStoreModule module = super.instantiateModule(instanceName, dependencyResolver,
+                oldModule, oldInstance, bundleContext);
+        module.setBundleContext(bundleContext);
+        return module;
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/yang/aaa-authn-mdsal-store-cfg.yang b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/yang/aaa-authn-mdsal-store-cfg.yang
new file mode 100644
index 00000000..eac344b8
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/main/yang/aaa-authn-mdsal-store-cfg.yang
@@ -0,0 +1,77 @@
+module aaa-authn-mdsal-store-cfg {
+
+    yang-version 1;
+    namespace "config:aaa:authn:mdsal:store";
+    prefix "aaa-authn-store-cfg";
+
+    import config { prefix config; revision-date 2013-04-05; }
+    import rpc-context { prefix rpcx; revision-date 2013-06-17; }
+    import opendaylight-md-sal-binding { prefix mdsal; revision-date 2013-10-28; }
+    import opendaylight-md-sal-dom {prefix dom;}
+
+
+    description
+        "This module contains the base YANG definitions for
+        AuthN MD-SAL backed data cache implementation.";
+
+    revision "2014-10-31" {
+        description
+            "Initial revision.";
+    }
+
+    identity token-store-service{
+           base config:service-type;
+           config:java-class "org.opendaylight.aaa.api.TokenStore";
+    }
+
+
+    // This is the definition of the service implementation as a module identity.
+    identity aaa-authn-mdsal-store {
+            base config:module-type;
+            // Specifies the prefix for generated java classes.
+            config:java-name-prefix AuthNStore;
+            config:provided-service token-store-service;
+    }
+
+    // Augments the 'configuration' choice node under modules/module.
+
+    augment "/config:modules/config:module/config:configuration" {
+        case aaa-authn-mdsal-store {
+            when "/config:modules/config:module/config:type = 'aaa-authn-mdsal-store'";
+
+    //Defines reference to the Bundle context and MD-SAL data broker
+            container dom-broker {
+               uses config:service-ref {
+                   refine type {
+                       mandatory true;
+                       config:required-identity dom:dom-broker-osgi-registry;
+                   }
+               }
+           }
+           container data-broker {
+               uses config:service-ref {
+                   refine type {
+                       mandatory true;
+                       config:required-identity mdsal:binding-async-data-broker;
+
+                   }
+               }
+           }
+
+           leaf timeToLive {
+             description "Time to live for tokens. When set to 0 = never expire";
+             type uint64;
+             default 360000;
+           }
+           leaf timeToWait {
+             description "Time to wait for future from data store. 10 by default = never expire";
+             type uint16;
+             default 10;
+           }
+           leaf password {
+             description "Encryption password for the Store";
+             type string;
+           }
+       }
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/DataBrokerReadMocker.java b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/DataBrokerReadMocker.java
new file mode 100644
index 00000000..f821cf16
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/DataBrokerReadMocker.java
@@ -0,0 +1,112 @@
+/*
+ * Copyright (c) 2016 Cisco Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.authn.mdsal.store;
+
+import java.lang.reflect.InvocationHandler;
+import java.lang.reflect.Method;
+import java.lang.reflect.Proxy;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+public class DataBrokerReadMocker implements InvocationHandler {
+    private Map<Method, List<StubContainer>> stubs = new HashMap<Method, List<StubContainer>>();
+    private Class<?> mokingClass = null;
+
+    @Override
+    public Object invoke(Object arg0, Method arg1, Object[] arg2) throws Throwable {
+        List<StubContainer> stList = stubs.get(arg1);
+        if (stList != null) {
+            for (StubContainer sc : stList) {
+                if (sc.fitGeneric(arg2)) {
+                    return sc.returnObject;
+                }
+            }
+        }
+        return null;
+    }
+
+    public DataBrokerReadMocker(Class<?> cls) {
+        this.mokingClass = cls;
+    }
+
+    public static Object addMock(Class<?> cls) {
+        return Proxy.newProxyInstance(cls.getClassLoader(), new Class[] { cls },
+                new DataBrokerReadMocker(cls));
+    }
+
+    public static DataBrokerReadMocker getMocker(Object o) {
+        return (DataBrokerReadMocker) Proxy.getInvocationHandler(o);
+    }
+
+    public static Method findMethod(Class<?> cls, String name, Object args[]) {
+        Method methods[] = cls.getMethods();
+        for (Method m : methods) {
+            if (m.getName().equals(name)) {
+                if ((m.getParameterTypes() == null || m.getParameterTypes().length == 0)
+                        && args == null) {
+                    return m;
+                }
+                boolean match = true;
+                for (int i = 0; i < m.getParameterTypes().length; i++) {
+                    if (!m.getParameterTypes()[i].isAssignableFrom(args[i].getClass())) {
+                        match = false;
+                    }
+                }
+                if (match)
+                    return m;
+            }
+        }
+        return null;
+    }
+
+    public void addWhen(String methodName, Object[] args, Object returnThis)
+            throws NoSuchMethodException, SecurityException {
+        Method m = findMethod(this.mokingClass, methodName, args);
+        if (m == null)
+            throw new IllegalArgumentException("Unable to find method");
+        StubContainer sc = new StubContainer(args, returnThis);
+        List<StubContainer> lst = stubs.get(m);
+        if (lst == null) {
+            lst = new ArrayList<>();
+        }
+        lst.add(sc);
+        stubs.put(m, lst);
+    }
+
+    private class StubContainer {
+        private Class<?>[] parameters = null;
+        private Class<?>[] generics = null;
+        private Object args[] = null;
+        private Object returnObject;
+
+        public StubContainer(Object[] _args, Object ret) {
+            this.args = _args;
+            this.returnObject = ret;
+        }
+
+        public boolean fitGeneric(Object _args[]) {
+            if (args == null && _args != null)
+                return false;
+            if (args != null && _args == null)
+                return false;
+            if (args == null && _args == null)
+                return true;
+            if (args.length != _args.length)
+                return false;
+            for (int i = 0; i < args.length; i++) {
+                if (!args[i].equals(_args[i])) {
+                    return false;
+                }
+            }
+            return true;
+        }
+    }
+}
\ No newline at end of file
diff --git a/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/DataEncrypterTest.java b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/DataEncrypterTest.java
new file mode 100644
index 00000000..eec69bc0
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/DataEncrypterTest.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (c) 2016 Cisco Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.authn.mdsal.store;
+
+import static org.junit.Assert.assertEquals;
+
+import javax.xml.bind.DatatypeConverter;
+import org.junit.Test;
+
+public class DataEncrypterTest {
+
+    @Test
+    public void testEncrypt() {
+        DataEncrypter dataEncry = new DataEncrypter("foo_key_test");
+        String token = "foo_token_test";
+        String eToken = dataEncry.encrypt(token);
+        // check for decryption result
+        String returnToken = dataEncry.decrypt(eToken);
+        String tokenBase64 = DatatypeConverter.printBase64Binary(token.getBytes());
+        assertEquals(tokenBase64, returnToken);
+    }
+
+    @Test
+    public void testDecrypt() {
+        DataEncrypter dataEncry = new DataEncrypter("foo_key_test");
+        String eToken = "foo_etoken_test";
+        assertEquals(dataEncry.decrypt(""), null);
+        // check for encryption Tag
+        assertEquals(eToken, dataEncry.decrypt(eToken));
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/IDMStoreTest.java b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/IDMStoreTest.java
new file mode 100644
index 00000000..f376dd5f
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/IDMStoreTest.java
@@ -0,0 +1,175 @@
+/*
+ * Copyright (c) 2016 Cisco Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.authn.mdsal.store;
+
+import org.junit.Assert;
+import org.junit.Test;
+import org.opendaylight.aaa.api.IDMStoreUtil;
+import org.opendaylight.aaa.api.SHA256Calculator;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Domain;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Grant;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Role;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.User;
+
+public class IDMStoreTest {
+
+    @Test
+    public void testWriteDomain() throws Exception {
+        IDMStoreTestUtil util = new IDMStoreTestUtil();
+        IDMMDSALStore testedObject = new IDMMDSALStore(util.dataBroker);
+        util.addMokitoFordomain();
+        Domain domain = testedObject.writeDomain(util.domain);
+        Assert.assertNotNull(domain);
+        Assert.assertEquals(domain.getDomainid(), util.domain.getName());
+    }
+
+    @Test
+    public void testReadDomain() throws Exception {
+        IDMStoreTestUtil util = new IDMStoreTestUtil();
+        IDMMDSALStore testedObject = new IDMMDSALStore(util.dataBroker);
+        util.addMokitoFordomain();
+        Domain domain = testedObject.readDomain(util.domain.getDomainid());
+        Assert.assertNotNull(domain);
+        Assert.assertEquals(domain, util.domain);
+    }
+
+    @Test
+    public void testDeleteDomain() throws Exception {
+        IDMStoreTestUtil util = new IDMStoreTestUtil();
+        IDMMDSALStore testedObject = new IDMMDSALStore(util.dataBroker);
+        util.addMokitoFordomain();
+        Domain domain = testedObject.deleteDomain(util.domain.getDomainid());
+        Assert.assertEquals(domain, util.domain);
+    }
+
+    @Test
+    public void testUpdateDomain() throws Exception {
+        IDMStoreTestUtil util = new IDMStoreTestUtil();
+        IDMMDSALStore testedObject = new IDMMDSALStore(util.dataBroker);
+        util.addMokitoFordomain();
+        Domain domain = testedObject.updateDomain(util.domain);
+        Assert.assertEquals(domain, util.domain);
+    }
+
+    @Test
+    public void testWriteRole() throws Exception {
+        IDMStoreTestUtil util = new IDMStoreTestUtil();
+        IDMMDSALStore testedObject = new IDMMDSALStore(util.dataBroker);
+        util.addMokitoForrole();
+        util.addMokitoFordomain();
+        Role role = testedObject.writeRole(util.role);
+        Assert.assertNotNull(role);
+        Assert.assertEquals(role.getRoleid(),
+                IDMStoreUtil.createRoleid(role.getName(), role.getDomainid()));
+    }
+
+    @Test
+    public void testReadRole() throws Exception {
+        IDMStoreTestUtil util = new IDMStoreTestUtil();
+        IDMMDSALStore testedObject = new IDMMDSALStore(util.dataBroker);
+        util.addMokitoForrole();
+        Role role = testedObject.readRole(util.role.getRoleid());
+        Assert.assertNotNull(role);
+        Assert.assertEquals(role, util.role);
+    }
+
+    @Test
+    public void testDeleteRole() throws Exception {
+        IDMStoreTestUtil util = new IDMStoreTestUtil();
+        IDMMDSALStore testedObject = new IDMMDSALStore(util.dataBroker);
+        util.addMokitoForrole();
+        Role role = testedObject.deleteRole(util.role.getRoleid());
+        Assert.assertNotNull(role);
+        Assert.assertEquals(role, util.role);
+    }
+
+    @Test
+    public void testUpdateRole() throws Exception {
+        IDMStoreTestUtil util = new IDMStoreTestUtil();
+        IDMMDSALStore testedObject = new IDMMDSALStore(util.dataBroker);
+        util.addMokitoForrole();
+        Role role = testedObject.updateRole(util.role);
+        Assert.assertNotNull(role);
+        Assert.assertEquals(role, util.role);
+    }
+
+    @Test
+    public void testWriteUser() throws Exception {
+        IDMStoreTestUtil util = new IDMStoreTestUtil();
+        IDMMDSALStore testedObject = new IDMMDSALStore(util.dataBroker);
+        util.addMokitoForuser();
+        User user = testedObject.writeUser(util.user);
+        Assert.assertNotNull(user);
+        Assert.assertEquals(user.getUserid(),
+                IDMStoreUtil.createUserid(user.getName(), util.user.getDomainid()));
+    }
+
+    @Test
+    public void testReadUser() throws Exception {
+        IDMStoreTestUtil util = new IDMStoreTestUtil();
+        IDMMDSALStore testedObject = new IDMMDSALStore(util.dataBroker);
+        util.addMokitoForuser();
+        User user = testedObject.readUser(util.user.getUserid());
+        Assert.assertNotNull(user);
+        Assert.assertEquals(user, util.user);
+    }
+
+    @Test
+    public void testDeleteUser() throws Exception {
+        IDMStoreTestUtil util = new IDMStoreTestUtil();
+        IDMMDSALStore testedObject = new IDMMDSALStore(util.dataBroker);
+        util.addMokitoForuser();
+        User user = testedObject.deleteUser(util.user.getUserid());
+        Assert.assertNotNull(user);
+        Assert.assertEquals(user, util.user);
+    }
+
+    @Test
+    public void testUpdateUser() throws Exception {
+        IDMStoreTestUtil util = new IDMStoreTestUtil();
+        IDMMDSALStore testedObject = new IDMMDSALStore(util.dataBroker);
+        util.addMokitoForuser();
+        User user = testedObject.updateUser(util.user);
+        Assert.assertNotNull(user);
+        Assert.assertEquals(user.getPassword(),
+                SHA256Calculator.getSHA256(util.user.getPassword(), util.user.getSalt()));
+    }
+
+    @Test
+    public void testWriteGrant() throws Exception {
+        IDMStoreTestUtil util = new IDMStoreTestUtil();
+        IDMMDSALStore testedObject = new IDMMDSALStore(util.dataBroker);
+        util.addMokitoFordomain();
+        util.addMokitoForrole();
+        util.addMokitoForuser();
+        util.addMokitoForgrant();
+        Grant grant = testedObject.writeGrant(util.grant);
+        Assert.assertNotNull(grant);
+    }
+
+    @Test
+    public void testReadGrant() throws Exception {
+        IDMStoreTestUtil util = new IDMStoreTestUtil();
+        IDMMDSALStore testedObject = new IDMMDSALStore(util.dataBroker);
+        util.addMokitoForgrant();
+        Grant grant = testedObject.readGrant(util.grant.getGrantid());
+        Assert.assertNotNull(grant);
+        Assert.assertEquals(grant, util.grant);
+    }
+
+    @Test
+    public void testDeleteGrant() throws Exception {
+        IDMStoreTestUtil util = new IDMStoreTestUtil();
+        IDMMDSALStore testedObject = new IDMMDSALStore(util.dataBroker);
+        util.addMokitoForgrant();
+        Grant grant = testedObject.deleteGrant(util.grant.getGrantid());
+        Assert.assertNotNull(grant);
+        Assert.assertEquals(grant, util.grant);
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/IDMStoreTestUtil.java b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/IDMStoreTestUtil.java
new file mode 100644
index 00000000..39eeadb4
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/IDMStoreTestUtil.java
@@ -0,0 +1,181 @@
+/*
+ * Copyright (c) 2016 Cisco Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.authn.mdsal.store;
+
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+import com.google.common.base.Optional;
+import com.google.common.util.concurrent.CheckedFuture;
+import java.util.concurrent.ExecutionException;
+import org.opendaylight.aaa.api.IDMStoreUtil;
+import org.opendaylight.controller.md.sal.binding.api.DataBroker;
+import org.opendaylight.controller.md.sal.binding.api.ReadOnlyTransaction;
+import org.opendaylight.controller.md.sal.binding.api.WriteTransaction;
+import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
+import org.opendaylight.controller.md.sal.common.api.data.ReadFailedException;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.Authentication;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Domain;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.DomainBuilder;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.DomainKey;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Grant;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.GrantBuilder;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.GrantKey;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Role;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.RoleBuilder;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.RoleKey;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.User;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.UserBuilder;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.UserKey;
+import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
+
+public class IDMStoreTestUtil {
+    /* DataBroker mocked with Mokito */
+    protected static DataBroker dataBroker = mock(DataBroker.class);
+    protected static WriteTransaction wrt = mock(WriteTransaction.class);
+    protected static ReadOnlyTransaction rot = null;
+
+    static {
+        rot = (ReadOnlyTransaction) DataBrokerReadMocker.addMock(ReadOnlyTransaction.class);
+        when(dataBroker.newReadOnlyTransaction()).thenReturn(rot);
+        when(dataBroker.newWriteOnlyTransaction()).thenReturn(wrt);
+    }
+
+    /* Domain Data Object Instance */
+    public Domain domain = createdomain();
+
+    /* Domain create Method */
+    public Domain createdomain() {
+        /* Start of Domain builder */
+        DomainBuilder domainbuilder = new DomainBuilder();
+        domainbuilder.setName("SETNAME");
+        domainbuilder.setDomainid("SETNAME");
+        domainbuilder.setKey(new DomainKey("SETNAME"));
+        domainbuilder.setDescription("SETDESCRIPTION");
+        domainbuilder.setEnabled(true);
+        /* End of Domain builder */
+        return domainbuilder.build();
+    }
+
+    /* Role Data Object Instance */
+    public Role role = createrole();
+
+    /* Role create Method */
+    public Role createrole() {
+        /* Start of Role builder */
+        RoleBuilder rolebuilder = new RoleBuilder();
+        rolebuilder.setRoleid("SETNAME@SETNAME");
+        rolebuilder.setName("SETNAME");
+        rolebuilder.setKey(new RoleKey(rolebuilder.getRoleid()));
+        rolebuilder.setDomainid(createdomain().getDomainid());
+        rolebuilder.setDescription("SETDESCRIPTION");
+        /* End of Role builder */
+        return rolebuilder.build();
+    }
+
+    /* User Data Object Instance */
+    public User user = createuser();
+
+    /* User create Method */
+    public User createuser() {
+        /* Start of User builder */
+        UserBuilder userbuilder = new UserBuilder();
+        userbuilder.setUserid("SETNAME@SETNAME");
+        userbuilder.setName("SETNAME");
+        userbuilder.setKey(new UserKey(userbuilder.getUserid()));
+        userbuilder.setDomainid(createdomain().getDomainid());
+        userbuilder.setEmail("SETEMAIL");
+        userbuilder.setPassword("SETPASSWORD");
+        userbuilder.setSalt("SETSALT");
+        userbuilder.setEnabled(true);
+        userbuilder.setDescription("SETDESCRIPTION");
+        /* End of User builder */
+        return userbuilder.build();
+    }
+
+    /* Grant Data Object Instance */
+    public Grant grant = creategrant();
+
+    /* Grant create Method */
+    public Grant creategrant() {
+        /* Start of Grant builder */
+        GrantBuilder grantbuilder = new GrantBuilder();
+        grantbuilder.setDomainid(createdomain().getDomainid());
+        grantbuilder.setRoleid(createrole().getRoleid());
+        grantbuilder.setUserid(createuser().getUserid());
+        grantbuilder.setGrantid(IDMStoreUtil.createGrantid(grantbuilder.getUserid(),
+                grantbuilder.getDomainid(), grantbuilder.getRoleid()));
+        grantbuilder.setKey(new GrantKey(grantbuilder.getGrantid()));
+        /* End of Grant builder */
+        return grantbuilder.build();
+    }
+
+    /* InstanceIdentifier for Grant instance grant */
+    public InstanceIdentifier<Grant> grantID = InstanceIdentifier.create(Authentication.class)
+                                                                 .child(Grant.class,
+                                                                         creategrant().getKey());
+
+    /* Mokito DataBroker method for grant Data Object */
+    public void addMokitoForgrant() throws NoSuchMethodException, SecurityException, InterruptedException, ExecutionException {
+        CheckedFuture<Optional<Grant>, ReadFailedException> read = mock(CheckedFuture.class);
+        DataBrokerReadMocker.getMocker(rot).addWhen("read",
+                new Object[] { LogicalDatastoreType.CONFIGURATION, grantID }, read);
+        Optional<Grant> optional = mock(Optional.class);
+        when(read.get()).thenReturn(optional);
+        when(optional.get()).thenReturn(grant);
+        when(optional.isPresent()).thenReturn(true);
+    }
+
+    /* InstanceIdentifier for Domain instance domain */
+    public InstanceIdentifier<Domain> domainID = InstanceIdentifier.create(Authentication.class)
+                                                                   .child(Domain.class,
+                                                                           new DomainKey(
+                                                                                   new String(
+                                                                                           "SETNAME")));
+
+    /* Mokito DataBroker method for domain Data Object */
+    public void addMokitoFordomain() throws NoSuchMethodException, SecurityException, InterruptedException, ExecutionException {
+        CheckedFuture<Optional<Domain>, ReadFailedException> read = mock(CheckedFuture.class);
+        DataBrokerReadMocker.getMocker(rot).addWhen("read",
+                new Object[] { LogicalDatastoreType.CONFIGURATION, domainID }, read);
+        Optional<Domain> optional = mock(Optional.class);
+        when(read.get()).thenReturn(optional);
+        when(optional.get()).thenReturn(domain);
+        when(optional.isPresent()).thenReturn(true);
+    }
+
+    /* InstanceIdentifier for Role instance role */
+    public InstanceIdentifier<Role> roleID = InstanceIdentifier.create(Authentication.class).child(
+            Role.class, createrole().getKey());
+
+    /* Mokito DataBroker method for role Data Object */
+    public void addMokitoForrole() throws NoSuchMethodException, SecurityException, InterruptedException, ExecutionException {
+        CheckedFuture<Optional<Role>, ReadFailedException> read = mock(CheckedFuture.class);
+        DataBrokerReadMocker.getMocker(rot).addWhen("read",
+                new Object[] { LogicalDatastoreType.CONFIGURATION, roleID }, read);
+        Optional<Role> optional = mock(Optional.class);
+        when(read.get()).thenReturn(optional);
+        when(optional.get()).thenReturn(role);
+        when(optional.isPresent()).thenReturn(true);
+    }
+
+    /* InstanceIdentifier for User instance user */
+    public InstanceIdentifier<User> userID = InstanceIdentifier.create(Authentication.class).child(
+            User.class, createuser().getKey());
+
+    /* Mokito DataBroker method for user Data Object */
+    public void addMokitoForuser() throws NoSuchMethodException, SecurityException, InterruptedException, ExecutionException {
+        CheckedFuture<Optional<User>, ReadFailedException> read = mock(CheckedFuture.class);
+        DataBrokerReadMocker.getMocker(rot).addWhen("read",
+                new Object[] { LogicalDatastoreType.CONFIGURATION, userID }, read);
+        Optional<User> optional = mock(Optional.class);
+        when(read.get()).thenReturn(optional);
+        when(optional.get()).thenReturn(user);
+        when(optional.isPresent()).thenReturn(true);
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/MDSALConvertTest.java b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/MDSALConvertTest.java
new file mode 100644
index 00000000..9b7c9712
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/MDSALConvertTest.java
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 2016 Cisco Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.authn.mdsal.store;
+
+import org.junit.Assert;
+import org.junit.Test;
+import org.opendaylight.aaa.api.model.Domain;
+import org.opendaylight.aaa.api.model.Grant;
+import org.opendaylight.aaa.api.model.Role;
+import org.opendaylight.aaa.api.model.User;
+
+public class MDSALConvertTest {
+    @Test
+    public void testConvertDomain() {
+        Domain d = new Domain();
+        d.setDescription("hello");
+        d.setDomainid("hello");
+        d.setEnabled(true);
+        d.setName("Hello");
+        org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Domain mdsalDomain = IDMObject2MDSAL.toMDSALDomain(d);
+        Assert.assertNotNull(mdsalDomain);
+        Domain d2 = IDMObject2MDSAL.toIDMDomain(mdsalDomain);
+        Assert.assertNotNull(d2);
+        Assert.assertEquals(d, d2);
+    }
+
+    @Test
+    public void testConvertRole() {
+        Role r = new Role();
+        r.setDescription("hello");
+        r.setRoleid("Hello@hello");
+        r.setName("Hello");
+        r.setDomainid("hello");
+        org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Role mdsalRole = IDMObject2MDSAL.toMDSALRole(r);
+        Assert.assertNotNull(mdsalRole);
+        Role r2 = IDMObject2MDSAL.toIDMRole(mdsalRole);
+        Assert.assertNotNull(r2);
+        Assert.assertEquals(r, r2);
+    }
+
+    @Test
+    public void testConvertUser() {
+        User u = new User();
+        u.setDescription("hello");
+        u.setDomainid("hello");
+        u.setUserid("hello@hello");
+        u.setName("Hello");
+        u.setEmail("email");
+        u.setEnabled(true);
+        u.setPassword("pass");
+        u.setSalt("salt");
+        org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.User mdsalUser = IDMObject2MDSAL.toMDSALUser(u);
+        Assert.assertNotNull(mdsalUser);
+        User u2 = IDMObject2MDSAL.toIDMUser(mdsalUser);
+        Assert.assertNotNull(u2);
+        Assert.assertEquals(u, u2);
+    }
+
+    @Test
+    public void testConvertGrant() {
+        Grant g = new Grant();
+        g.setDomainid("hello");
+        g.setUserid("hello@hello");
+        g.setRoleid("hello@hello");
+        g.setGrantid("hello@hello@Hello");
+        org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.authentication.Grant mdsalGrant = IDMObject2MDSAL.toMDSALGrant(g);
+        Assert.assertNotNull(mdsalGrant);
+        Grant g2 = IDMObject2MDSAL.toIDMGrant(mdsalGrant);
+        Assert.assertNotNull(g2);
+        Assert.assertEquals(g, g2);
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/util/AuthNStoreUtilTest.java b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/util/AuthNStoreUtilTest.java
new file mode 100644
index 00000000..10c18790
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-mdsal-store/aaa-authn-mdsal-store-impl/src/test/java/org/opendaylight/aaa/authn/mdsal/store/util/AuthNStoreUtilTest.java
@@ -0,0 +1,88 @@
+/*
+ * Copyright (c) 2016 Cisco Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.authn.mdsal.store.util;
+
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+
+import java.util.ArrayList;
+import java.util.List;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.opendaylight.aaa.api.Authentication;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.token_cache_times.token_list.UserTokens;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.tokencache.Claims;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.tokencache.ClaimsBuilder;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authn.claims.rev141029.tokencache.ClaimsKey;
+import org.powermock.modules.junit4.PowerMockRunner;
+
+@RunWith(PowerMockRunner.class)
+public class AuthNStoreUtilTest {
+
+    private String token = "foo_token_test";
+    private String userId = "123";
+    private Long expire = new Long(365);
+    @Mock
+    private Authentication auth;
+    @Mock
+    private UserTokens tokens;
+    @Mock
+    private Claims claims;
+
+    @Test
+    public void testCreateInstIdentifierForTokencache() {
+        assertTrue(AuthNStoreUtil.createInstIdentifierForTokencache("") == null);
+        assertNotNull(AuthNStoreUtil.createInstIdentifierForTokencache(token));
+    }
+
+    @Test
+    public void testCreateInstIdentifierUserTokens() {
+        assertTrue(AuthNStoreUtil.createInstIdentifierUserTokens("", "") == null);
+        assertNotNull(AuthNStoreUtil.createInstIdentifierUserTokens(userId, token));
+    }
+
+    @Test
+    public void testCreateClaimsRecord() {
+        assertTrue(AuthNStoreUtil.createClaimsRecord("", null) == null);
+        assertNotNull(AuthNStoreUtil.createClaimsRecord(token, auth));
+    }
+
+    @Test
+    public void testCreateUserTokens() {
+        assertTrue(AuthNStoreUtil.createUserTokens("", null) == null);
+        assertNotNull(AuthNStoreUtil.createUserTokens(token, expire));
+    }
+
+    @Test
+    public void testCreateTokenList() {
+        assertTrue(AuthNStoreUtil.createTokenList(null, "") == null);
+        assertNotNull(AuthNStoreUtil.createTokenList(tokens, userId));
+    }
+
+    @Test
+    public void testConvertClaimToAuthentication() {
+        ClaimsKey claimsKey = new ClaimsKey(token);
+        ClaimsBuilder claimsBuilder = new ClaimsBuilder();
+        claimsBuilder.setClientId("123");
+        claimsBuilder.setDomain("foo_domain");
+        claimsBuilder.setKey(claimsKey);
+        List<String> roles = new ArrayList<String>();
+        roles.add("foo_role");
+        claimsBuilder.setRoles(roles);
+        claimsBuilder.setToken(token);
+        claimsBuilder.setUser("foo_usr");
+        claimsBuilder.setUserId(userId);
+        Claims fooClaims = claimsBuilder.build();
+
+        assertTrue(AuthNStoreUtil.convertClaimToAuthentication(null, expire) == null);
+        assertNotNull(AuthNStoreUtil.convertClaimToAuthentication(fooClaims, expire));
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-authn-mdsal-store/pom.xml b/odl-aaa-moon/aaa-authn-mdsal-store/pom.xml
new file mode 100644
index 00000000..38d29147
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-mdsal-store/pom.xml
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <parent>
+        <groupId>org.opendaylight.aaa</groupId>
+        <artifactId>aaa-parent</artifactId>
+        <version>0.3.1-Beryllium-SR1</version>
+        <relativePath>../parent</relativePath>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>aaa-authn-mdsal-store</artifactId>
+    <name>${project.artifactId}</name>
+    <packaging>pom</packaging>
+
+    <modules>
+        <module>aaa-authn-mdsal-api</module>
+        <module>aaa-authn-mdsal-config</module>
+        <module>aaa-authn-mdsal-store-impl</module>
+    </modules>
+</project>
diff --git a/odl-aaa-moon/aaa-authn-sssd/pom.xml b/odl-aaa-moon/aaa-authn-sssd/pom.xml
new file mode 100644
index 00000000..b70c2466
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-sssd/pom.xml
@@ -0,0 +1,88 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>org.opendaylight.aaa</groupId>
+    <artifactId>aaa-parent</artifactId>
+    <version>0.3.1-Beryllium-SR1</version>
+    <relativePath>../parent</relativePath>
+  </parent>
+
+  <artifactId>aaa-authn-sssd</artifactId>
+  <packaging>bundle</packaging>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.opendaylight.aaa</groupId>
+      <artifactId>aaa-authn</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.opendaylight.aaa</groupId>
+      <artifactId>aaa-authn-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.glassfish</groupId>
+      <artifactId>javax.json</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.opendaylight.aaa</groupId>
+      <artifactId>aaa-authn-idpmapping</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>slf4j-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.sun.jersey</groupId>
+      <artifactId>jersey-server</artifactId>
+      <scope>provided</scope>
+    </dependency>
+    <dependency>
+      <groupId>javax.servlet</groupId>
+      <artifactId>javax.servlet-api</artifactId>
+      <scope>provided</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.osgi</groupId>
+      <artifactId>org.osgi.core</artifactId>
+      <scope>provided</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.felix</groupId>
+      <artifactId>org.apache.felix.dependencymanager</artifactId>
+      <scope>provided</scope>
+    </dependency>
+    <!-- Testing Dependencies -->
+    <dependency>
+      <groupId>com.sun.jersey.jersey-test-framework</groupId>
+      <artifactId>jersey-test-framework-grizzly2</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>slf4j-simple</artifactId>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.felix</groupId>
+        <artifactId>maven-bundle-plugin</artifactId>
+        <extensions>true</extensions>
+        <configuration>
+          <instructions>
+            <Bundle-Activator>org.opendaylight.aaa.sssd.Activator</Bundle-Activator>
+          </instructions>
+          <manifestLocation>${project.basedir}/META-INF</manifestLocation>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+</project>
diff --git a/odl-aaa-moon/aaa-authn-sssd/src/main/java/org/opendaylight/aaa/sssd/Activator.java b/odl-aaa-moon/aaa-authn-sssd/src/main/java/org/opendaylight/aaa/sssd/Activator.java
new file mode 100644
index 00000000..b6d5259f
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-sssd/src/main/java/org/opendaylight/aaa/sssd/Activator.java
@@ -0,0 +1,28 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.sssd;
+
+import org.apache.felix.dm.DependencyActivatorBase;
+import org.apache.felix.dm.DependencyManager;
+import org.opendaylight.aaa.api.ClaimAuth;
+import org.osgi.framework.BundleContext;
+
+public class Activator extends DependencyActivatorBase {
+
+    @Override
+    public void init(BundleContext context, DependencyManager manager) throws Exception {
+        manager.add(createComponent().setInterface(new String[] { ClaimAuth.class.getName() }, null)
+                                     .setImplementation(SssdClaimAuth.class));
+    }
+
+    @Override
+    public void destroy(BundleContext context, DependencyManager manager) throws Exception {
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-authn-sssd/src/main/java/org/opendaylight/aaa/sssd/SssdClaimAuth.java b/odl-aaa-moon/aaa-authn-sssd/src/main/java/org/opendaylight/aaa/sssd/SssdClaimAuth.java
new file mode 100644
index 00000000..0ae23b48
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-sssd/src/main/java/org/opendaylight/aaa/sssd/SssdClaimAuth.java
@@ -0,0 +1,220 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.sssd;
+
+import java.io.StringWriter;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import javax.json.Json;
+import javax.json.JsonValue;
+import javax.json.stream.JsonGenerator;
+import javax.json.stream.JsonGeneratorFactory;
+import org.apache.felix.dm.Component;
+import org.opendaylight.aaa.ClaimBuilder;
+import org.opendaylight.aaa.api.Claim;
+import org.opendaylight.aaa.api.ClaimAuth;
+import org.opendaylight.aaa.idpmapping.RuleProcessor;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * An SSSD {@link ClaimAuth} implementation.
+ *
+ * @author John Dennis &lt;jdennis@redhat.com&gt;
+ */
+public class SssdClaimAuth implements ClaimAuth {
+    private static final Logger LOG = LoggerFactory.getLogger(SssdClaimAuth.class);
+
+    private static final String DEFAULT_MAPPING_RULES_PATHNAME = "etc/idp_mapping_rules.json";
+    private JsonGeneratorFactory generatorFactory = null;
+    private RuleProcessor ruleProcessor = null;
+
+    // Called by DM when all required dependencies are satisfied.
+    void init(Component c) {
+        LOG.info("Initializing SSSD Plugin");
+        Map<String, Object> properties = new HashMap<String, Object>(1);
+        properties.put(JsonGenerator.PRETTY_PRINTING, true);
+        generatorFactory = Json.createGeneratorFactory(properties);
+
+        String mappingRulesFile = DEFAULT_MAPPING_RULES_PATHNAME;
+        if (mappingRulesFile == null || mappingRulesFile.isEmpty()) {
+            LOG.warn("mapping rules file is not configured, " + "SssdClaimAuth will be disabled");
+            return;
+        }
+
+        Path mappingRulesPath = Paths.get(mappingRulesFile);
+
+        if (!Files.exists(mappingRulesPath)) {
+            LOG.warn(String.format("mapping rules file (%s) "
+                    + "does not exist, SssdClaimAuth will be disabled", mappingRulesFile));
+            return;
+        }
+
+        try {
+            ruleProcessor = new RuleProcessor(mappingRulesPath, null);
+        } catch (Exception e) {
+            LOG.error(String.format("mapping rules file (%s) "
+                    + "could not be loaded, SssdClaimAuth will be disabled. " + "error = %s",
+                    mappingRulesFile, e));
+        }
+    }
+
+    /**
+     * Transform a Map of assertions into a {@link Claim} via a set of mapping
+     * rules.
+     *
+     * A set of mapping rules have been previously loaded. the incoming
+     * assertion is converted to a JSON document and presented to the
+     * {@link RuleProcessor}. If the RuleProcessor can successfully transform
+     * the assertion given the site specific set of rules it will return a Map
+     * of values which will then be used to build a {@link Claim}. The rule
+     * should return one or more of the following which will be used to populate
+     * the Claim.
+     *
+     * <dl>
+     * <dt>ClientId</dt>
+     * <dd>A string.
+     *
+     * @see org.opendaylight.aaa.api.Claim#clientId() </dd>
+     *
+     *      <dt>UserId</dt> <dd>A string.
+     * @see org.opendaylight.aaa.api.Claim#userId() </dd>
+     *
+     *      <dt>User</dt> <dd>A string.
+     * @see org.opendaylight.aaa.api.Claim#user() </dd>
+     *
+     *      <dt>Domain</dt> <dd>A string.
+     * @see org.opendaylight.aaa.api.Claim#domain() </dd>
+     *
+     *      <dt>Roles</dt> <dd>An array of strings.
+     * @see org.opendaylight.aaa.api.Claim#roles() </dd>
+     *
+     *      </dl>
+     *
+     * @param assertion
+     *            A Map of name/value assertions provided by an external IdP
+     * @return A {@link Claim} if successful, null otherwise.
+     */
+
+    @Override
+    public Claim transform(Map<String, Object> assertion) {
+        String assertionJson;
+        Map<String, Object> mapped;
+        assertionJson = claimToJson(assertion);
+
+        if (ruleProcessor == null) {
+            LOG.debug("ruleProcessor not configured");
+            return null;
+        }
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("assertionJson=\n{}", assertionJson);
+        }
+
+        mapped = ruleProcessor.process(assertionJson);
+        if (mapped == null) {
+            if (LOG.isDebugEnabled()) {
+                LOG.debug("RuleProcessor returned null");
+            }
+            return null;
+        }
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("RuleProcessor returned: {}", mapped);
+        }
+
+        ClaimBuilder cb = new ClaimBuilder();
+        if (mapped.containsKey("ClientId")) {
+            cb.setClientId((String) mapped.get("ClientId"));
+        }
+        if (mapped.containsKey("UserId")) {
+            cb.setUserId((String) mapped.get("UserId"));
+        }
+        if (mapped.containsKey("User")) {
+            cb.setUser((String) mapped.get("User"));
+        }
+        if (mapped.containsKey("Domain")) {
+            cb.setDomain((String) mapped.get("Domain"));
+        }
+        if (mapped.containsKey("Roles")) {
+            @SuppressWarnings("unchecked")
+            List<String> roles = (List<String>) mapped.get("roles");
+            for (String role : roles) {
+                cb.addRole(role);
+            }
+        }
+        Claim claim = cb.build();
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("returns claim = {}", claim.toString());
+        }
+
+        return claim;
+    }
+
+    /**
+     * Convert a Claim Map into a JSON object.
+     *
+     * Given a Map of name/value pairs convert it into a JSON object and return
+     * it as a string. This is not a general purpose routine used to convert any
+     * Map into JSON because a claim has the restriction that each value must be
+     * a scalar and those scalars are restricted to the following types:
+     *
+     * <ul>
+     * <li>String</li>
+     * <li>Integer</li>
+     * <li>Long</li>
+     * <li>Double</li>
+     * <li>Boolean</li>
+     * <li>null</li>
+     * </ul>
+     *
+     * See also {@link ClaimAuth}.
+     *
+     * @param claim
+     *            The Map containing assertion claims to be converted into a
+     *            JSON assertion document.
+     * @return A string formatted as a JSON object.
+     */
+
+    public String claimToJson(Map<String, Object> claim) {
+        StringWriter stringWriter = new StringWriter();
+        JsonGenerator generator = generatorFactory.createGenerator(stringWriter);
+
+        generator.writeStartObject();
+        for (Map.Entry<String, Object> entry : claim.entrySet()) {
+            String name = entry.getKey();
+            Object value = entry.getValue();
+
+            if (value instanceof String) {
+                generator.write(name, (String) value);
+            } else if (value instanceof Integer) {
+                generator.write(name, ((Integer) value).intValue());
+            } else if (value instanceof Long) {
+                generator.write(name, ((Long) value).longValue());
+            } else if (value instanceof Double) {
+                generator.write(name, ((Double) value).doubleValue());
+            } else if (value instanceof Boolean) {
+                generator.write(name, ((Boolean) value).booleanValue());
+            } else if (value == null) {
+                generator.write(name, JsonValue.NULL);
+            } else {
+                LOG.warn(String.format("ignoring claim unsupported value type "
+                        + "entry %s has type %s", name, value.getClass().getSimpleName()));
+            }
+        }
+        generator.writeEnd();
+        generator.close();
+        return stringWriter.toString();
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-store/pom.xml b/odl-aaa-moon/aaa-authn-store/pom.xml
new file mode 100644
index 00000000..744c4df1
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-store/pom.xml
@@ -0,0 +1,100 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.opendaylight.aaa</groupId>
+        <artifactId>aaa-parent</artifactId>
+        <version>0.3.1-Beryllium-SR1</version>
+        <relativePath>../parent</relativePath>
+    </parent>
+
+    <artifactId>aaa-authn-store</artifactId>
+    <version>0.3.1-Beryllium-SR1</version>
+    <packaging>bundle</packaging>
+
+    <dependencies>
+        <dependency>
+            <groupId>net.sf.ehcache</groupId>
+            <artifactId>ehcache</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.osgi</groupId>
+            <artifactId>org.osgi.core</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.felix</groupId>
+            <artifactId>org.apache.felix.dependencymanager</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <!-- Testing Dependencies -->
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-all</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-simple</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn</artifactId>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.felix</groupId>
+                <artifactId>maven-bundle-plugin</artifactId>
+                <extensions>true</extensions>
+                <configuration>
+                    <instructions>
+                        <Bundle-Activator>org.opendaylight.aaa.store.Activator</Bundle-Activator>
+                    </instructions>
+                    <manifestLocation>${project.basedir}/META-INF</manifestLocation>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>build-helper-maven-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>attach-artifacts</id>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>attach-artifact</goal>
+                        </goals>
+                        <configuration>
+                            <artifacts>
+                                <artifact>
+                                    <file>${project.build.directory}/classes/tokens.cfg</file>
+                                    <type>cfg</type>
+                                    <classifier>config</classifier>
+                                </artifact>
+                            </artifacts>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+
+</project>
diff --git a/odl-aaa-moon/aaa-authn-store/src/main/java/org/opendaylight/aaa/store/Activator.java b/odl-aaa-moon/aaa-authn-store/src/main/java/org/opendaylight/aaa/store/Activator.java
new file mode 100644
index 00000000..f3299723
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-store/src/main/java/org/opendaylight/aaa/store/Activator.java
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.store;
+
+import java.util.Dictionary;
+import org.apache.felix.dm.DependencyActivatorBase;
+import org.apache.felix.dm.DependencyManager;
+import org.opendaylight.aaa.api.TokenStore;
+import org.osgi.framework.BundleContext;
+import org.osgi.framework.Constants;
+import org.osgi.service.cm.ManagedService;
+
+/**
+ * An activator for the default datastore implementation of {@link TokenStore}.
+ *
+ * @author liemmn
+ */
+public class Activator extends DependencyActivatorBase {
+
+    private static final String TOKEN_PID = "org.opendaylight.aaa.tokens";
+
+    @Override
+    public void init(BundleContext context, DependencyManager manager) throws Exception {
+        DefaultTokenStore ts = new DefaultTokenStore();
+        manager.add(createComponent().setInterface(new String[] { TokenStore.class.getName() },
+                null).setImplementation(ts));
+        context.registerService(ManagedService.class.getName(), ts,
+                addPid(DefaultTokenStore.defaults));
+    }
+
+    @Override
+    public void destroy(BundleContext context, DependencyManager manager) throws Exception {
+    }
+
+    private Dictionary<String, ?> addPid(Dictionary<String, String> dict) {
+        dict.put(Constants.SERVICE_PID, TOKEN_PID);
+        return dict;
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-store/src/main/java/org/opendaylight/aaa/store/DefaultTokenStore.java b/odl-aaa-moon/aaa-authn-store/src/main/java/org/opendaylight/aaa/store/DefaultTokenStore.java
new file mode 100644
index 00000000..df65be32
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-store/src/main/java/org/opendaylight/aaa/store/DefaultTokenStore.java
@@ -0,0 +1,154 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.store;
+
+import java.io.File;
+import java.lang.management.ManagementFactory;
+import java.util.Dictionary;
+import java.util.Hashtable;
+import java.util.concurrent.locks.ReentrantLock;
+import javax.management.MBeanServer;
+import net.sf.ehcache.Cache;
+import net.sf.ehcache.CacheManager;
+import net.sf.ehcache.Element;
+import net.sf.ehcache.config.CacheConfiguration;
+import net.sf.ehcache.management.ManagementService;
+import org.apache.felix.dm.Component;
+import org.opendaylight.aaa.api.Authentication;
+import org.opendaylight.aaa.api.TokenStore;
+import org.osgi.service.cm.ConfigurationException;
+import org.osgi.service.cm.ManagedService;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * A default token store for STS.
+ *
+ * @author liemmn
+ *
+ */
+public class DefaultTokenStore implements TokenStore, ManagedService {
+    private static final Logger LOG = LoggerFactory.getLogger(DefaultTokenStore.class);
+    private static final String TOKEN_STORE_CONFIG_ERR = "Token store configuration error";
+
+    private static final String TOKEN_CACHE_MANAGER = "org.opendaylight.aaa";
+    private static final String TOKEN_CACHE = "tokens";
+    private static final String EHCACHE_XML = "etc/ehcache.xml";
+
+    static final String MAX_CACHED_MEMORY = "maxCachedTokensInMemory";
+    static final String MAX_CACHED_DISK = "maxCachedTokensOnDisk";
+    static final String SECS_TO_LIVE = "secondsToLive";
+    static final String SECS_TO_IDLE = "secondsToIdle";
+
+    // Defaults (needed only for non-Karaf deployments)
+    static final Dictionary<String, String> defaults = new Hashtable<>();
+    static {
+        defaults.put(MAX_CACHED_MEMORY, Long.toString(10000));
+        defaults.put(MAX_CACHED_DISK, Long.toString(1000000));
+        defaults.put(SECS_TO_IDLE, Long.toString(3600));
+        defaults.put(SECS_TO_LIVE, Long.toString(3600));
+    }
+
+    // Token cache lock
+    private static final ReentrantLock cacheLock = new ReentrantLock();
+
+    // Token cache
+    private Cache tokens;
+
+    // This should be a singleton
+    DefaultTokenStore() {
+    }
+
+    // Called by DM when all required dependencies are satisfied.
+    void init(Component c) {
+        File ehcache = new File(EHCACHE_XML);
+        CacheManager cm;
+        if (ehcache.exists()) {
+            cm = CacheManager.create(ehcache.getAbsolutePath());
+            tokens = cm.getCache(TOKEN_CACHE);
+            LOG.info("Initialized token store with custom cache config");
+        } else {
+            cm = CacheManager.getInstance();
+            tokens = new Cache(
+                    new CacheConfiguration(TOKEN_CACHE,
+                            Integer.parseInt(defaults.get(MAX_CACHED_MEMORY))).maxEntriesLocalDisk(
+                            Integer.parseInt(defaults.get(MAX_CACHED_DISK)))
+                                                                              .timeToLiveSeconds(
+                                                                                      Long.parseLong(defaults.get(SECS_TO_LIVE)))
+                                                                              .timeToIdleSeconds(
+                                                                                      Long.parseLong(defaults.get(SECS_TO_IDLE))));
+            cm.addCache(tokens);
+            LOG.info("Initialized token store with default cache config");
+        }
+        cm.setName(TOKEN_CACHE_MANAGER);
+
+        // JMX for cache management
+        MBeanServer mBeanServer = ManagementFactory.getPlatformMBeanServer();
+        ManagementService.registerMBeans(cm, mBeanServer, false, false, false, true);
+    }
+
+    // Called on shutdown
+    void destroy() {
+        LOG.info("Shutting down token store...");
+        CacheManager.getInstance().shutdown();
+    }
+
+    @Override
+    public Authentication get(String token) {
+        Element elem = tokens.get(token);
+        return (Authentication) ((elem != null) ? elem.getObjectValue() : null);
+    }
+
+    @Override
+    public void put(String token, Authentication auth) {
+        tokens.put(new Element(token, auth));
+    }
+
+    @Override
+    public boolean delete(String token) {
+        return tokens.remove(token);
+    }
+
+    @Override
+    public long tokenExpiration() {
+        return tokens.getCacheConfiguration().getTimeToLiveSeconds();
+    }
+
+    @Override
+    public void updated(@SuppressWarnings("rawtypes") Dictionary props)
+            throws ConfigurationException {
+        LOG.info("Updating token store configuration...");
+        if (props == null) {
+            // Someone deleted the configuration, use defaults
+            props = defaults;
+        }
+        reconfig(props);
+    }
+
+    // Refresh cache configuration...
+    private void reconfig(@SuppressWarnings("rawtypes") Dictionary props)
+            throws ConfigurationException {
+        cacheLock.lock();
+        try {
+            long secsToIdle = Long.parseLong(props.get(SECS_TO_IDLE).toString());
+            long secsToLive = Long.parseLong(props.get(SECS_TO_LIVE).toString());
+            int maxMem = Integer.parseInt(props.get(MAX_CACHED_MEMORY).toString());
+            int maxDisk = Integer.parseInt(props.get(MAX_CACHED_DISK).toString());
+            CacheConfiguration config = tokens.getCacheConfiguration();
+            config.setTimeToIdleSeconds(secsToIdle);
+            config.setTimeToLiveSeconds(secsToLive);
+            config.maxEntriesLocalHeap(maxMem);
+            config.maxEntriesLocalDisk(maxDisk);
+        } catch (Throwable t) {
+            throw new ConfigurationException(null, TOKEN_STORE_CONFIG_ERR, t);
+        } finally {
+            cacheLock.unlock();
+        }
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-store/src/main/resources/OSGI-INF/metatype/metatype.properties b/odl-aaa-moon/aaa-authn-store/src/main/resources/OSGI-INF/metatype/metatype.properties
new file mode 100644
index 00000000..b88d5c10
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-store/src/main/resources/OSGI-INF/metatype/metatype.properties
@@ -0,0 +1,14 @@
+org.opendaylight.aaa.tokens.name = Opendaylight AAA Token Configuration
+org.opendaylight.aaa.tokens.description = Configuration for AAA tokens
+org.opendaylight.aaa.tokens.maxCachedTokensInMemory.name = Memory Configuration
+org.opendaylight.aaa.tokens.maxCachedTokensInMemory.description = Maximum number of \
+tokens in memory
+org.opendaylight.aaa.tokens.maxCachedTokensOnDisk.name = Disk Configuration
+org.opendaylight.aaa.tokens.maxCachedTokensOnDisk.description = Maximum number of \
+tokens in memory
+org.opendaylight.aaa.tokens.secondsToLive.name = Token Expiration
+org.opendaylight.aaa.tokens.secondsToLive.description = Maximum number of \
+seconds a token can exist regardless of use.  Zero (0) means never expires.
+org.opendaylight.aaa.tokens.secondsToIdle.name = Unused Token Expiration
+org.opendaylight.aaa.tokens.secondsToIdle.description = Maximum number of \
+seconds a token can exist without being accessed.  Zero (0) means never expires.
\ No newline at end of file
diff --git a/odl-aaa-moon/aaa-authn-store/src/main/resources/OSGI-INF/metatype/metatype.xml b/odl-aaa-moon/aaa-authn-store/src/main/resources/OSGI-INF/metatype/metatype.xml
new file mode 100644
index 00000000..d04874f4
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-store/src/main/resources/OSGI-INF/metatype/metatype.xml
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<metatype:MetaData xmlns:metatype="http://www.osgi.org/xmlns/metatype/v1.0.0"
+    localization="OSGI-INF/metatype/metatype">
+    <OCD id="org.opendaylight.aaa.tokens" name="%org.opendaylight.aaa.tokens.name"
+        description="%org.opendaylight.aaa.tokens.description">
+        <AD id="maxCachedTokensInMemory" type="Long" default="10000"
+            name="%org.opendaylight.aaa.tokens.maxCachedTokensInMemory.name"
+            description="%org.opendaylight.aaa.tokens.maxCachedTokensInMemory.description" />
+        <AD id="maxCachedTokensOnDisk" type="Long" default="1000000"
+            name="%org.opendaylight.aaa.tokens.maxCachedTokensOnDisk.name"
+            description="%org.opendaylight.aaa.tokens.maxCachedTokensOnDisk.description" />
+        <AD id="secondsToLive" type="Long" default="3600"
+            name="%org.opendaylight.aaa.tokens.secondsToLive.name"
+            description="%org.opendaylight.aaa.tokens.secondsToLive.description" />
+        <AD id="secondsToIdle" type="Long" default="3600"
+            name="%org.opendaylight.aaa.tokens.secondsToIdle.name"
+            description="%org.opendaylight.aaa.tokens.secondsToIdle.description" />
+    </OCD>
+    <Designate pid="org.opendaylight.aaa.tokens">
+        <Object ocdref="org.opendaylight.aaa.tokens" />
+    </Designate>
+</metatype:MetaData>
\ No newline at end of file
diff --git a/odl-aaa-moon/aaa-authn-store/src/main/resources/tokens.cfg b/odl-aaa-moon/aaa-authn-store/src/main/resources/tokens.cfg
new file mode 100644
index 00000000..d3dda90e
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-store/src/main/resources/tokens.cfg
@@ -0,0 +1,4 @@
+maxCachedTokensInMemory=10000
+maxCachedTokensOnDisk=1000000
+secondsToLive=3600
+secondsToIdle=3600
\ No newline at end of file
diff --git a/odl-aaa-moon/aaa-authn-store/src/test/java/org/opendaylight/aaa/store/DefaultTokenStoreTest.java b/odl-aaa-moon/aaa-authn-store/src/test/java/org/opendaylight/aaa/store/DefaultTokenStoreTest.java
new file mode 100644
index 00000000..e5c837bf
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-store/src/test/java/org/opendaylight/aaa/store/DefaultTokenStoreTest.java
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.store;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNull;
+import static org.mockito.Mockito.mock;
+import static org.opendaylight.aaa.store.DefaultTokenStore.MAX_CACHED_DISK;
+import static org.opendaylight.aaa.store.DefaultTokenStore.MAX_CACHED_MEMORY;
+import static org.opendaylight.aaa.store.DefaultTokenStore.SECS_TO_IDLE;
+import static org.opendaylight.aaa.store.DefaultTokenStore.SECS_TO_LIVE;
+
+import java.util.Dictionary;
+import java.util.Hashtable;
+import org.apache.felix.dm.Component;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.opendaylight.aaa.AuthenticationBuilder;
+import org.opendaylight.aaa.ClaimBuilder;
+import org.opendaylight.aaa.api.Authentication;
+import org.osgi.service.cm.ConfigurationException;
+
+public class DefaultTokenStoreTest {
+    private static final String FOO_TOKEN = "foo_token";
+    private final DefaultTokenStore dts = new DefaultTokenStore();
+    private static final Dictionary<String, String> config = new Hashtable<>();
+    static {
+        config.put(MAX_CACHED_MEMORY, Long.toString(3));
+        config.put(MAX_CACHED_DISK, Long.toString(3));
+        config.put(SECS_TO_IDLE, Long.toString(1));
+        config.put(SECS_TO_LIVE, Long.toString(1));
+    }
+
+    @Before
+    public void setup() throws ConfigurationException {
+        dts.init(mock(Component.class));
+        dts.updated(config);
+    }
+
+    @After
+    public void teardown() {
+        dts.destroy();
+    }
+
+    @Test
+    public void testCache() throws InterruptedException {
+        Authentication auth = new AuthenticationBuilder(new ClaimBuilder().setUser("foo")
+                                                                          .setUserId("1234")
+                                                                          .addRole("admin").build()).build();
+        dts.put(FOO_TOKEN, auth);
+        assertEquals(auth, dts.get(FOO_TOKEN));
+        dts.delete(FOO_TOKEN);
+        assertNull(dts.get(FOO_TOKEN));
+        dts.put(FOO_TOKEN, auth);
+        Thread.sleep(1200);
+        assertNull(dts.get(FOO_TOKEN));
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-authn-sts/pom.xml b/odl-aaa-moon/aaa-authn-sts/pom.xml
new file mode 100644
index 00000000..25ac0fe6
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-sts/pom.xml
@@ -0,0 +1,112 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.opendaylight.aaa</groupId>
+        <artifactId>aaa-parent</artifactId>
+        <version>0.3.1-Beryllium-SR1</version>
+        <relativePath>../parent</relativePath>
+    </parent>
+
+    <artifactId>aaa-authn-sts</artifactId>
+    <packaging>bundle</packaging>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.sun.jersey</groupId>
+            <artifactId>jersey-server</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>javax.servlet-api</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.oltu.oauth2</groupId>
+            <artifactId>org.apache.oltu.oauth2.authzserver</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.oltu.oauth2</groupId>
+            <artifactId>org.apache.oltu.oauth2.common</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.oltu.oauth2</groupId>
+            <artifactId>org.apache.oltu.oauth2.resourceserver</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.osgi</groupId>
+            <artifactId>org.osgi.core</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.felix</groupId>
+            <artifactId>org.apache.felix.dependencymanager</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <!-- Testing Dependencies -->
+        <dependency>
+            <groupId>com.sun.jersey.jersey-test-framework</groupId>
+            <artifactId>jersey-test-framework-grizzly2</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.eclipse.jetty</groupId>
+            <artifactId>jetty-servlet-tester</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-all</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-simple</artifactId>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.felix</groupId>
+                <artifactId>maven-bundle-plugin</artifactId>
+                <extensions>true</extensions>
+                <configuration>
+                    <instructions>
+                        <Import-Package>
+                            *,
+                            com.sun.jersey.spi.container.servlet
+                        </Import-Package>
+                        <Web-ContextPath>/oauth2</Web-ContextPath>
+                        <Bundle-Activator>org.opendaylight.aaa.sts.Activator</Bundle-Activator>
+                        <manifestLocation>${project.basedir}/META-INF</manifestLocation>
+                    </instructions>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+
+</project>
diff --git a/odl-aaa-moon/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/Activator.java b/odl-aaa-moon/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/Activator.java
new file mode 100644
index 00000000..1bf4591d
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/Activator.java
@@ -0,0 +1,207 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.sts;
+
+import com.google.common.base.Function;
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableList.Builder;
+import com.google.common.collect.Lists;
+import java.util.List;
+import org.apache.felix.dm.DependencyActivatorBase;
+import org.apache.felix.dm.DependencyManager;
+import org.opendaylight.aaa.api.AuthenticationService;
+import org.opendaylight.aaa.api.ClaimAuth;
+import org.opendaylight.aaa.api.ClientService;
+import org.opendaylight.aaa.api.CredentialAuth;
+import org.opendaylight.aaa.api.IdMService;
+import org.opendaylight.aaa.api.TokenAuth;
+import org.opendaylight.aaa.api.TokenStore;
+import org.osgi.framework.BundleContext;
+import org.osgi.framework.ServiceReference;
+import org.osgi.util.tracker.ServiceTracker;
+import org.osgi.util.tracker.ServiceTrackerCustomizer;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * An activator for the secure token server to inject in a
+ * {@link CredentialAuth} implementation.
+ *
+ * @author liemmn
+ * @author Ryan Goulding (ryandgoulding@gmail.com)
+ */
+public class Activator extends DependencyActivatorBase {
+
+    private static final Logger LOG = LoggerFactory.getLogger(Activator.class);
+
+    // Definition of several methods called in the ServiceLocator through
+    // Reflection
+    private static final String AUTHENTICATION_SERVICE_REMOVED = "authenticationServiceRemoved";
+    private static final String AUTHENTICATION_SERVICE_ADDED = "authenticationServiceAdded";
+    private static final String TOKEN_STORE_REMOVED = "tokenStoreRemoved";
+    private static final String TOKEN_STORE_ADDED = "tokenStoreAdded";
+    private static final String TOKEN_AUTH_REMOVED = "tokenAuthRemoved";
+    private static final String TOKEN_AUTH_ADDED = "tokenAuthAdded";
+    private static final String CLAIM_AUTH_REMOVED = "claimAuthRemoved";
+    private static final String CLAIM_AUTH_ADDED = "claimAuthAdded";
+    private static final String CREDENTIAL_AUTH_REMOVED = "credentialAuthRemoved";
+    private static final String CREDENTIAL_AUTH_ADDED = "credentialAuthAdded";
+
+    // A collection of all services, which is used for closing ServiceTrackers
+    private ImmutableList<ServiceTracker<?, ?>> services;
+
+    @Override
+    public void init(BundleContext context, DependencyManager manager) throws Exception {
+
+        LOG.info("STS Activator initializing");
+        manager.add(createComponent().setImplementation(ServiceLocator.getInstance())
+                                     .add(createServiceDependency().setService(CredentialAuth.class)
+                                                                   .setRequired(true)
+                                                                   .setCallbacks(
+                                                                           CREDENTIAL_AUTH_ADDED,
+                                                                           CREDENTIAL_AUTH_REMOVED))
+                                     .add(createServiceDependency().setService(ClaimAuth.class)
+                                                                   .setRequired(false)
+                                                                   .setCallbacks(CLAIM_AUTH_ADDED,
+                                                                           CLAIM_AUTH_REMOVED))
+                                     .add(createServiceDependency().setService(TokenAuth.class)
+                                                                   .setRequired(false)
+                                                                   .setCallbacks(TOKEN_AUTH_ADDED,
+                                                                           TOKEN_AUTH_REMOVED))
+                                     .add(createServiceDependency().setService(TokenStore.class)
+                                                                   .setRequired(true)
+                                                                   .setCallbacks(TOKEN_STORE_ADDED,
+                                                                           TOKEN_STORE_REMOVED))
+                                     .add(createServiceDependency().setService(TokenStore.class)
+                                                                   .setRequired(true))
+                                     .add(createServiceDependency().setService(
+                                             AuthenticationService.class)
+                                                                   .setRequired(true)
+                                                                   .setCallbacks(
+                                                                           AUTHENTICATION_SERVICE_ADDED,
+                                                                           AUTHENTICATION_SERVICE_REMOVED))
+                                     .add(createServiceDependency().setService(IdMService.class)
+                                                                   .setRequired(true))
+                                     .add(createServiceDependency().setService(ClientService.class)
+                                                                   .setRequired(true)));
+
+        final Builder<ServiceTracker<?, ?>> servicesBuilder = new ImmutableList.Builder<ServiceTracker<?, ?>>();
+
+        // Async ServiceTrackers to track and load AAA STS bundles
+        final ServiceTracker<AuthenticationService, AuthenticationService> authenticationService = new ServiceTracker<>(
+                context, AuthenticationService.class,
+                new AAAServiceTrackerCustomizer<AuthenticationService>(
+                        new Function<AuthenticationService, Void>() {
+                        @Override
+                        public Void apply(AuthenticationService authenticationService) {
+                            ServiceLocator.getInstance().setAuthenticationService(
+                                    authenticationService);
+                            return null;
+                        }
+                    }));
+        servicesBuilder.add(authenticationService);
+        authenticationService.open();
+
+        final ServiceTracker<IdMService, IdMService> idmService = new ServiceTracker<>(context,
+                IdMService.class, new AAAServiceTrackerCustomizer<IdMService>(
+                        new Function<IdMService, Void>() {
+                            @Override
+                            public Void apply(IdMService idmService) {
+                                ServiceLocator.getInstance().setIdmService(idmService);
+                                return null;
+                            }
+                        }));
+        servicesBuilder.add(idmService);
+        idmService.open();
+
+        final ServiceTracker<TokenAuth, TokenAuth> tokenAuthService = new ServiceTracker<>(context,
+                TokenAuth.class, new AAAServiceTrackerCustomizer<TokenAuth>(
+                        new Function<TokenAuth, Void>() {
+                            @Override
+                            public Void apply(TokenAuth tokenAuth) {
+                                final List<TokenAuth> tokenAuthCollection = (List<TokenAuth>) Lists.newArrayList(tokenAuth);
+                                ServiceLocator.getInstance().setTokenAuthCollection(
+                                        tokenAuthCollection);
+                                return null;
+                            }
+                        }));
+        servicesBuilder.add(tokenAuthService);
+        tokenAuthService.open();
+
+        final ServiceTracker<TokenStore, TokenStore> tokenStoreService = new ServiceTracker<>(
+                context, TokenStore.class, new AAAServiceTrackerCustomizer<TokenStore>(
+                        new Function<TokenStore, Void>() {
+                            @Override
+                            public Void apply(TokenStore tokenStore) {
+                                ServiceLocator.getInstance().setTokenStore(tokenStore);
+                                return null;
+                            }
+                        }));
+        servicesBuilder.add(tokenStoreService);
+        tokenStoreService.open();
+
+        final ServiceTracker<ClientService, ClientService> clientService = new ServiceTracker<>(
+                context, ClientService.class, new AAAServiceTrackerCustomizer<ClientService>(
+                        new Function<ClientService, Void>() {
+                            @Override
+                            public Void apply(ClientService clientService) {
+                                ServiceLocator.getInstance().setClientService(clientService);
+                                return null;
+                            }
+                        }));
+        servicesBuilder.add(clientService);
+        clientService.open();
+
+        services = servicesBuilder.build();
+
+        LOG.info("STS Activator initialized; ServiceTracker may still be processing");
+    }
+
+    /**
+     * Wrapper for AAA generic service loading.
+     *
+     * @param <S>
+     */
+    static final class AAAServiceTrackerCustomizer<S> implements ServiceTrackerCustomizer<S, S> {
+
+        private Function<S, Void> callback;
+
+        public AAAServiceTrackerCustomizer(final Function<S, Void> callback) {
+            this.callback = callback;
+        }
+
+        @Override
+        public S addingService(ServiceReference<S> reference) {
+            S service = reference.getBundle().getBundleContext().getService(reference);
+            LOG.info("Unable to resolve {}", service.getClass());
+            try {
+                callback.apply(service);
+            } catch (Exception e) {
+                LOG.error("Unable to resolve {}", service.getClass(), e);
+            }
+            return service;
+        }
+
+        @Override
+        public void modifiedService(ServiceReference<S> reference, S service) {
+        }
+
+        @Override
+        public void removedService(ServiceReference<S> reference, S service) {
+        }
+    }
+
+    @Override
+    public void destroy(BundleContext context, DependencyManager manager) throws Exception {
+
+        for (ServiceTracker<?, ?> serviceTracker : services) {
+            serviceTracker.close();
+        }
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/AnonymousPasswordValidator.java b/odl-aaa-moon/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/AnonymousPasswordValidator.java
new file mode 100644
index 00000000..55b5b61f
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/AnonymousPasswordValidator.java
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.sts;
+
+import javax.servlet.http.HttpServletRequest;
+import org.apache.oltu.oauth2.common.OAuth;
+import org.apache.oltu.oauth2.common.validators.AbstractValidator;
+
+/**
+ * A password validator that does not enforce client identification.
+ *
+ * @author liemmn
+ *
+ */
+public class AnonymousPasswordValidator extends AbstractValidator<HttpServletRequest> {
+
+    public AnonymousPasswordValidator() {
+        requiredParams.add(OAuth.OAUTH_GRANT_TYPE);
+        requiredParams.add(OAuth.OAUTH_USERNAME);
+        requiredParams.add(OAuth.OAUTH_PASSWORD);
+
+        enforceClientAuthentication = false;
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/AnonymousRefreshTokenValidator.java b/odl-aaa-moon/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/AnonymousRefreshTokenValidator.java
new file mode 100644
index 00000000..5b50c7da
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/AnonymousRefreshTokenValidator.java
@@ -0,0 +1,29 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.sts;
+
+import javax.servlet.http.HttpServletRequest;
+import org.apache.oltu.oauth2.common.OAuth;
+import org.apache.oltu.oauth2.common.validators.AbstractValidator;
+
+/**
+ * A refresh token validator that does not enforce client identification.
+ *
+ * @author liemmn
+ *
+ */
+public class AnonymousRefreshTokenValidator extends AbstractValidator<HttpServletRequest> {
+
+    public AnonymousRefreshTokenValidator() {
+        requiredParams.add(OAuth.OAUTH_GRANT_TYPE);
+        requiredParams.add(OAuth.OAUTH_REFRESH_TOKEN);
+
+        enforceClientAuthentication = false;
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/OAuthRequest.java b/odl-aaa-moon/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/OAuthRequest.java
new file mode 100644
index 00000000..2a2b34b6
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/OAuthRequest.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.sts;
+
+import javax.servlet.http.HttpServletRequest;
+import org.apache.oltu.oauth2.as.request.AbstractOAuthTokenRequest;
+import org.apache.oltu.oauth2.as.validator.UnauthenticatedAuthorizationCodeValidator;
+import org.apache.oltu.oauth2.common.exception.OAuthProblemException;
+import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
+import org.apache.oltu.oauth2.common.message.types.GrantType;
+import org.apache.oltu.oauth2.common.validators.OAuthValidator;
+
+/**
+ * OAuth request wrapper.
+ *
+ * @author liemmn
+ *
+ */
+public class OAuthRequest extends AbstractOAuthTokenRequest {
+
+    public OAuthRequest(HttpServletRequest request) throws OAuthSystemException,
+            OAuthProblemException {
+        super(request);
+    }
+
+    @Override
+    public OAuthValidator<HttpServletRequest> initValidator() throws OAuthProblemException,
+            OAuthSystemException {
+        validators.put(GrantType.PASSWORD.toString(), AnonymousPasswordValidator.class);
+        validators.put(GrantType.REFRESH_TOKEN.toString(), AnonymousRefreshTokenValidator.class);
+        validators.put(GrantType.AUTHORIZATION_CODE.toString(),
+                UnauthenticatedAuthorizationCodeValidator.class);
+        return super.initValidator();
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/ServiceLocator.java b/odl-aaa-moon/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/ServiceLocator.java
new file mode 100644
index 00000000..2c1f84c3
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/ServiceLocator.java
@@ -0,0 +1,141 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.sts;
+
+import java.util.List;
+import java.util.Vector;
+import org.opendaylight.aaa.api.AuthenticationService;
+import org.opendaylight.aaa.api.ClientService;
+import org.opendaylight.aaa.api.CredentialAuth;
+import org.opendaylight.aaa.api.IdMService;
+import org.opendaylight.aaa.api.PasswordCredentials;
+import org.opendaylight.aaa.api.TokenAuth;
+import org.opendaylight.aaa.api.TokenStore;
+
+/**
+ * A service locator to bridge between the web world and OSGi world.
+ *
+ * @author liemmn
+ *
+ */
+public class ServiceLocator {
+
+    private static final ServiceLocator instance = new ServiceLocator();
+
+    protected volatile List<TokenAuth> tokenAuthCollection = new Vector<>();
+
+    protected volatile CredentialAuth<PasswordCredentials> credentialAuth;
+
+    protected volatile TokenStore tokenStore;
+
+    protected volatile AuthenticationService authenticationService;
+
+    protected volatile IdMService idmService;
+
+    protected volatile ClientService clientService;
+
+    private ServiceLocator() {
+    }
+
+    public static ServiceLocator getInstance() {
+        return instance;
+    }
+
+    /**
+     * Called through reflection by the sts activator.
+     *
+     * @see org.opendaylight.aaa.sts.Activator
+     * @param ta
+     */
+    protected void tokenAuthAdded(TokenAuth ta) {
+        this.tokenAuthCollection.add(ta);
+    }
+
+    /**
+     * Called through reflection by the sts activator.
+     *
+     * @see org.opendaylight.aaa.sts.Activator
+     * @param ta
+     */
+    protected void tokenAuthRemoved(TokenAuth ta) {
+        this.tokenAuthCollection.remove(ta);
+    }
+
+    protected void tokenStoreAdded(TokenStore ts) {
+        this.tokenStore = ts;
+    }
+
+    protected void tokenStoreRemoved(TokenStore ts) {
+        this.tokenStore = null;
+    }
+
+    protected void authenticationServiceAdded(AuthenticationService as) {
+        this.authenticationService = as;
+    }
+
+    protected void authenticationServiceRemoved(AuthenticationService as) {
+        this.authenticationService = null;
+    }
+
+    protected void credentialAuthAdded(CredentialAuth<PasswordCredentials> da) {
+        this.credentialAuth = da;
+    }
+
+    protected void credentialAuthAddedRemoved(CredentialAuth<PasswordCredentials> da) {
+        this.credentialAuth = null;
+    }
+
+    public List<TokenAuth> getTokenAuthCollection() {
+        return tokenAuthCollection;
+    }
+
+    public void setTokenAuthCollection(List<TokenAuth> tokenAuthCollection) {
+        this.tokenAuthCollection = tokenAuthCollection;
+    }
+
+    public CredentialAuth<PasswordCredentials> getCredentialAuth() {
+        return credentialAuth;
+    }
+
+    public synchronized void setCredentialAuth(CredentialAuth<PasswordCredentials> credentialAuth) {
+        this.credentialAuth = credentialAuth;
+    }
+
+    public TokenStore getTokenStore() {
+        return tokenStore;
+    }
+
+    public void setTokenStore(TokenStore tokenStore) {
+        this.tokenStore = tokenStore;
+    }
+
+    public AuthenticationService getAuthenticationService() {
+        return authenticationService;
+    }
+
+    public void setAuthenticationService(AuthenticationService authenticationService) {
+        this.authenticationService = authenticationService;
+    }
+
+    public IdMService getIdmService() {
+        return idmService;
+    }
+
+    public void setIdmService(IdMService idmService) {
+        this.idmService = idmService;
+    }
+
+    public ClientService getClientService() {
+        return clientService;
+    }
+
+    public void setClientService(ClientService clientService) {
+        this.clientService = clientService;
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/TokenAuthFilter.java b/odl-aaa-moon/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/TokenAuthFilter.java
new file mode 100644
index 00000000..3fa7a66c
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/TokenAuthFilter.java
@@ -0,0 +1,148 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.sts;
+
+import com.sun.jersey.spi.container.ContainerRequest;
+import com.sun.jersey.spi.container.ContainerRequestFilter;
+import java.util.List;
+import java.util.Map;
+import javax.servlet.http.HttpServletRequest;
+import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.core.Response.Status;
+import org.apache.oltu.oauth2.common.exception.OAuthProblemException;
+import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
+import org.apache.oltu.oauth2.common.message.types.ParameterStyle;
+import org.apache.oltu.oauth2.rs.request.OAuthAccessResourceRequest;
+import org.opendaylight.aaa.api.Authentication;
+import org.opendaylight.aaa.api.AuthenticationException;
+import org.opendaylight.aaa.api.TokenAuth;
+
+/**
+ * A token-based authentication filter for resource providers.
+ *
+ * Deprecated: Use <code>AAAFilter</code> instead.
+ *
+ * @author liemmn
+ *
+ */
+@Deprecated
+public class TokenAuthFilter implements ContainerRequestFilter {
+
+    private final String OPTIONS = "OPTIONS";
+    private final String ACCESS_CONTROL_REQUEST_HEADERS = "Access-Control-Request-Headers";
+    private final String AUTHORIZATION = "authorization";
+
+    @Context
+    private HttpServletRequest httpRequest;
+
+    @Override
+    public ContainerRequest filter(ContainerRequest request) {
+
+        // Do the CORS check first
+        if (checkCORSOptionRequest(request)) {
+            return request;
+        }
+
+        // Are we up yet?
+        if (ServiceLocator.getInstance().getAuthenticationService() == null) {
+            throw new WebApplicationException(
+                    Response.status(Status.SERVICE_UNAVAILABLE).type(MediaType.APPLICATION_JSON)
+                            .entity("{\"error\":\"Authentication service unavailable\"}").build());
+        }
+
+        // Are we doing authentication or not?
+        if (ServiceLocator.getInstance().getAuthenticationService().isAuthEnabled()) {
+            Map<String, List<String>> headers = request.getRequestHeaders();
+
+            // Go through and invoke other TokenAuth first...
+            List<TokenAuth> tokenAuthCollection = ServiceLocator.getInstance()
+                                                                .getTokenAuthCollection();
+            for (TokenAuth ta : tokenAuthCollection) {
+                try {
+                    Authentication auth = ta.validate(headers);
+                    if (auth != null) {
+                        ServiceLocator.getInstance().getAuthenticationService().set(auth);
+                        return request;
+                    }
+                } catch (AuthenticationException ae) {
+                    throw unauthorized();
+                }
+            }
+
+            // OK, last chance to validate token...
+            try {
+                OAuthAccessResourceRequest or = new OAuthAccessResourceRequest(httpRequest,
+                        ParameterStyle.HEADER);
+                validate(or.getAccessToken());
+            } catch (OAuthSystemException | OAuthProblemException e) {
+                throw unauthorized();
+            }
+        }
+
+        return request;
+    }
+
+    /**
+     * CORS access control : when browser sends cross-origin request, it first
+     * sends the OPTIONS method with a list of access control request headers,
+     * which has a list of custom headers and access control method such as GET.
+     * POST etc. You custom header "Authorization will not be present in request
+     * header, instead it will be present as a value inside
+     * Access-Control-Request-Headers. We should not do any authorization
+     * against such request. for more details :
+     * https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
+     */
+
+    private boolean checkCORSOptionRequest(ContainerRequest request) {
+        if (OPTIONS.equals(request.getMethod())) {
+            List<String> headerList = request.getRequestHeader(ACCESS_CONTROL_REQUEST_HEADERS);
+            if (headerList != null && !headerList.isEmpty()) {
+                String header = headerList.get(0);
+                if (header != null && header.toLowerCase().contains(AUTHORIZATION)) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+
+    // Validate an ODL token...
+    private Authentication validate(final String token) {
+        Authentication auth = ServiceLocator.getInstance().getTokenStore().get(token);
+        if (auth == null) {
+            throw unauthorized();
+        } else {
+            ServiceLocator.getInstance().getAuthenticationService().set(auth);
+        }
+        return auth;
+    }
+
+    // Houston, we got a problem!
+    private static final WebApplicationException unauthorized() {
+        ServiceLocator.getInstance().getAuthenticationService().clear();
+        return new UnauthorizedException();
+    }
+
+    // A custom 401 web exception that handles http basic response as well
+    static final class UnauthorizedException extends WebApplicationException {
+        private static final long serialVersionUID = -1732363804773027793L;
+        static final String WWW_AUTHENTICATE = "WWW-Authenticate";
+        static final Object OPENDAYLIGHT = "Basic realm=\"opendaylight\"";
+        private static final Response response = Response.status(Status.UNAUTHORIZED)
+                                                         .header(WWW_AUTHENTICATE, OPENDAYLIGHT)
+                                                         .build();
+
+        public UnauthorizedException() {
+            super(response);
+        }
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/TokenEndpoint.java b/odl-aaa-moon/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/TokenEndpoint.java
new file mode 100644
index 00000000..a456d702
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-sts/src/main/java/org/opendaylight/aaa/sts/TokenEndpoint.java
@@ -0,0 +1,242 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.sts;
+
+import static javax.servlet.http.HttpServletResponse.SC_BAD_REQUEST;
+import static javax.servlet.http.HttpServletResponse.SC_CREATED;
+import static javax.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
+import static javax.servlet.http.HttpServletResponse.SC_NOT_IMPLEMENTED;
+import static javax.servlet.http.HttpServletResponse.SC_NO_CONTENT;
+import static javax.servlet.http.HttpServletResponse.SC_OK;
+import static javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.util.List;
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.apache.oltu.oauth2.as.issuer.OAuthIssuer;
+import org.apache.oltu.oauth2.as.issuer.OAuthIssuerImpl;
+import org.apache.oltu.oauth2.as.issuer.UUIDValueGenerator;
+import org.apache.oltu.oauth2.as.response.OAuthASResponse;
+import org.apache.oltu.oauth2.common.OAuth;
+import org.apache.oltu.oauth2.common.exception.OAuthProblemException;
+import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
+import org.apache.oltu.oauth2.common.message.OAuthResponse;
+import org.apache.oltu.oauth2.common.message.types.GrantType;
+import org.apache.oltu.oauth2.common.message.types.TokenType;
+import org.opendaylight.aaa.AuthenticationBuilder;
+import org.opendaylight.aaa.ClaimBuilder;
+import org.opendaylight.aaa.PasswordCredentialBuilder;
+import org.opendaylight.aaa.api.Authentication;
+import org.opendaylight.aaa.api.AuthenticationException;
+import org.opendaylight.aaa.api.Claim;
+import org.opendaylight.aaa.api.PasswordCredentials;
+
+/**
+ * Secure Token Service (STS) endpoint.
+ *
+ * @author liemmn
+ *
+ */
+public class TokenEndpoint extends HttpServlet {
+    private static final long serialVersionUID = 8272453849539659999L;
+
+    private static final String DOMAIN_SCOPE_REQUIRED = "Domain scope required";
+    private static final String NOT_IMPLEMENTED = "not_implemented";
+    private static final String UNAUTHORIZED = "unauthorized";
+
+    static final String TOKEN_GRANT_ENDPOINT = "/token";
+    static final String TOKEN_REVOKE_ENDPOINT = "/revoke";
+    static final String TOKEN_VALIDATE_ENDPOINT = "/validate";
+
+    private transient OAuthIssuer oi;
+
+    @Override
+    public void init(ServletConfig config) throws ServletException {
+        oi = new OAuthIssuerImpl(new UUIDValueGenerator());
+    }
+
+    @Override
+    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+        try {
+            if (req.getServletPath().equals(TOKEN_GRANT_ENDPOINT)) {
+                createAccessToken(req, resp);
+            } else if (req.getServletPath().equals(TOKEN_REVOKE_ENDPOINT)) {
+                deleteAccessToken(req, resp);
+            } else if (req.getServletPath().equals(TOKEN_VALIDATE_ENDPOINT)) {
+                validateToken(req, resp);
+            }
+        } catch (AuthenticationException e) {
+            error(resp, SC_UNAUTHORIZED, e.getMessage());
+        } catch (OAuthProblemException oe) {
+            error(resp, oe);
+        } catch (Exception e) {
+            error(resp, e);
+        }
+    }
+
+    private void validateToken(HttpServletRequest req, HttpServletResponse resp)
+            throws IOException, OAuthSystemException {
+        String token = req.getReader().readLine();
+        if (token != null) {
+            Authentication authn = ServiceLocator.getInstance().getTokenStore().get(token.trim());
+            if (authn == null) {
+                throw new AuthenticationException(UNAUTHORIZED);
+            } else {
+                ServiceLocator.getInstance().getAuthenticationService().set(authn);
+                resp.setStatus(SC_OK);
+            }
+        } else {
+            throw new AuthenticationException(UNAUTHORIZED);
+        }
+    }
+
+    // Delete an access token
+    private void deleteAccessToken(HttpServletRequest req, HttpServletResponse resp)
+            throws IOException {
+        String token = req.getReader().readLine();
+        if (token != null) {
+            if (ServiceLocator.getInstance().getTokenStore().delete(token.trim())) {
+                resp.setStatus(SC_NO_CONTENT);
+            } else {
+                throw new AuthenticationException(UNAUTHORIZED);
+            }
+        } else {
+            throw new AuthenticationException(UNAUTHORIZED);
+        }
+    }
+
+    // Create an access token
+    private void createAccessToken(HttpServletRequest req, HttpServletResponse resp)
+            throws OAuthSystemException, OAuthProblemException, IOException {
+        Claim claim = null;
+        String clientId = null;
+
+        OAuthRequest oauthRequest = new OAuthRequest(req);
+        // Any client credentials?
+        clientId = oauthRequest.getClientId();
+        if (clientId != null) {
+            ServiceLocator.getInstance().getClientService()
+                          .validate(clientId, oauthRequest.getClientSecret());
+        }
+
+        // Credential request...
+        if (oauthRequest.getParam(OAuth.OAUTH_GRANT_TYPE).equals(GrantType.PASSWORD.toString())) {
+            String domain = oauthRequest.getScopes().iterator().next();
+            PasswordCredentials pc = new PasswordCredentialBuilder().setUserName(
+                    oauthRequest.getUsername()).setPassword(oauthRequest.getPassword())
+                                                                    .setDomain(domain).build();
+            if (!oauthRequest.getScopes().isEmpty()) {
+                claim = ServiceLocator.getInstance().getCredentialAuth().authenticate(pc);
+            }
+        } else if (oauthRequest.getParam(OAuth.OAUTH_GRANT_TYPE).equals(
+                GrantType.REFRESH_TOKEN.toString())) {
+            // Refresh token...
+            String token = oauthRequest.getRefreshToken();
+            if (!oauthRequest.getScopes().isEmpty()) {
+                String domain = oauthRequest.getScopes().iterator().next();
+                // Authenticate...
+                Authentication auth = ServiceLocator.getInstance().getTokenStore().get(token);
+                if (auth != null && domain != null) {
+                    List<String> roles = ServiceLocator.getInstance().getIdmService()
+                                                       .listRoles(auth.userId(), domain);
+                    if (!roles.isEmpty()) {
+                        ClaimBuilder cb = new ClaimBuilder(auth);
+                        cb.setDomain(domain); // scope domain
+                        // Add roles for the scoped domain
+                        for (String role : roles) {
+                            cb.addRole(role);
+                        }
+                        claim = cb.build();
+                    }
+                }
+            } else {
+                error(resp, SC_BAD_REQUEST, DOMAIN_SCOPE_REQUIRED);
+            }
+        } else {
+            // Support authorization code later...
+            error(resp, SC_NOT_IMPLEMENTED, NOT_IMPLEMENTED);
+        }
+
+        // Respond with OAuth token
+        oauthAccessTokenResponse(resp, claim, clientId);
+    }
+
+    // Build OAuth access token response from the given claim
+    private void oauthAccessTokenResponse(HttpServletResponse resp, Claim claim, String clientId)
+            throws OAuthSystemException, IOException {
+        if (claim == null) {
+            throw new AuthenticationException(UNAUTHORIZED);
+        }
+        String token = oi.accessToken();
+
+        // Cache this token...
+        Authentication auth = new AuthenticationBuilder(new ClaimBuilder(claim).setClientId(
+                clientId).build()).setExpiration(tokenExpiration()).build();
+        ServiceLocator.getInstance().getTokenStore().put(token, auth);
+
+        OAuthResponse r = OAuthASResponse.tokenResponse(SC_CREATED).setAccessToken(token)
+                                         .setTokenType(TokenType.BEARER.toString())
+                                         .setExpiresIn(Long.toString(auth.expiration()))
+                                         .buildJSONMessage();
+        write(resp, r);
+    }
+
+    // Token expiration
+    private long tokenExpiration() {
+        return ServiceLocator.getInstance().getTokenStore().tokenExpiration();
+    }
+
+    // Emit an error OAuthResponse with the given HTTP code
+    private void error(HttpServletResponse resp, int httpCode, String error) {
+        try {
+            OAuthResponse r = OAuthResponse.errorResponse(httpCode).setError(error)
+                                           .buildJSONMessage();
+            write(resp, r);
+        } catch (Exception e1) {
+            // Nothing to do here
+        }
+    }
+
+    // Emit an error OAuthResponse for the given OAuth-related exception
+    private void error(HttpServletResponse resp, OAuthProblemException e) {
+        try {
+            OAuthResponse r = OAuthResponse.errorResponse(SC_BAD_REQUEST).error(e)
+                                           .buildJSONMessage();
+            write(resp, r);
+        } catch (Exception e1) {
+            // Nothing to do here
+        }
+    }
+
+    // Emit an error OAuthResponse for the given generic exception
+    private void error(HttpServletResponse resp, Exception e) {
+        try {
+            OAuthResponse r = OAuthResponse.errorResponse(SC_INTERNAL_SERVER_ERROR)
+                                           .setError(e.getClass().getName())
+                                           .setErrorDescription(e.getMessage()).buildJSONMessage();
+            write(resp, r);
+        } catch (Exception e1) {
+            // Nothing to do here
+        }
+    }
+
+    // Write out an OAuthResponse
+    private void write(HttpServletResponse resp, OAuthResponse r) throws IOException {
+        resp.setStatus(r.getResponseStatus());
+        PrintWriter pw = resp.getWriter();
+        pw.print(r.getBody());
+        pw.flush();
+        pw.close();
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-sts/src/main/resources/WEB-INF/web.xml b/odl-aaa-moon/aaa-authn-sts/src/main/resources/WEB-INF/web.xml
new file mode 100644
index 00000000..83a9fa51
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-sts/src/main/resources/WEB-INF/web.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+    version="3.0">
+
+    <servlet>
+        <servlet-name>STS</servlet-name>
+        <servlet-class>org.opendaylight.aaa.sts.TokenEndpoint</servlet-class>
+        <load-on-startup>1</load-on-startup>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>STS</servlet-name>
+        <url-pattern>/token</url-pattern>
+    </servlet-mapping>
+    <servlet-mapping>
+        <servlet-name>STS</servlet-name>
+        <url-pattern>/revoke</url-pattern>
+    </servlet-mapping>
+    <servlet-mapping>
+        <servlet-name>STS</servlet-name>
+        <url-pattern>/validate</url-pattern>
+    </servlet-mapping>
+</web-app>
diff --git a/odl-aaa-moon/aaa-authn-sts/src/test/java/org/opendaylight/aaa/sts/RestFixture.java b/odl-aaa-moon/aaa-authn-sts/src/test/java/org/opendaylight/aaa/sts/RestFixture.java
new file mode 100644
index 00000000..0f806d91
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-sts/src/test/java/org/opendaylight/aaa/sts/RestFixture.java
@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.sts;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.Context;
+
+/**
+ * Fixture for testing RESTful stuff.
+ *
+ * @author liemmn
+ *
+ */
+@Path("test")
+public class RestFixture {
+
+    @Context
+    private HttpServletRequest httpRequest;
+
+    @GET
+    @Produces("text/plain")
+    public String msg() {
+        return "ok";
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn-sts/src/test/java/org/opendaylight/aaa/sts/TokenAuthTest.java b/odl-aaa-moon/aaa-authn-sts/src/test/java/org/opendaylight/aaa/sts/TokenAuthTest.java
new file mode 100644
index 00000000..7f888455
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-sts/src/test/java/org/opendaylight/aaa/sts/TokenAuthTest.java
@@ -0,0 +1,94 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.sts;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+import static org.mockito.Matchers.anyMap;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import com.sun.jersey.api.client.ClientResponse;
+import com.sun.jersey.api.client.UniformInterfaceException;
+import com.sun.jersey.test.framework.JerseyTest;
+import com.sun.jersey.test.framework.WebAppDescriptor;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.opendaylight.aaa.AuthenticationBuilder;
+import org.opendaylight.aaa.ClaimBuilder;
+import org.opendaylight.aaa.api.Authentication;
+import org.opendaylight.aaa.api.AuthenticationService;
+import org.opendaylight.aaa.api.TokenAuth;
+import org.opendaylight.aaa.api.TokenStore;
+import org.opendaylight.aaa.sts.TokenAuthFilter.UnauthorizedException;
+
+public class TokenAuthTest extends JerseyTest {
+
+    private static final String RS_PACKAGES = "org.opendaylight.aaa.sts";
+    private static final String JERSEY_FILTERS = "com.sun.jersey.spi.container.ContainerRequestFilters";
+    private static final String AUTH_FILTERS = TokenAuthFilter.class.getName();
+
+    private static Authentication auth = new AuthenticationBuilder(new ClaimBuilder().setUserId(
+            "1234").setUser("Bob").addRole("admin").addRole("user").setDomain("tenantX").build()).setExpiration(
+            System.currentTimeMillis() + 1000).build();
+
+    private static final String GOOD_TOKEN = "9b01b7cf-8a49-346d-8c47-6a61193e2b60";
+    private static final String BAD_TOKEN = "9b01b7cf-8a49-346d-8c47-6a611badbeef";
+
+    public TokenAuthTest() throws Exception {
+        super(new WebAppDescriptor.Builder(RS_PACKAGES).initParam(JERSEY_FILTERS, AUTH_FILTERS)
+                                                       .build());
+    }
+
+    @BeforeClass
+    public static void init() {
+        ServiceLocator.getInstance().setAuthenticationService(mock(AuthenticationService.class));
+        ServiceLocator.getInstance().setTokenStore(mock(TokenStore.class));
+        when(ServiceLocator.getInstance().getTokenStore().get(GOOD_TOKEN)).thenReturn(auth);
+        when(ServiceLocator.getInstance().getTokenStore().get(BAD_TOKEN)).thenReturn(null);
+        when(ServiceLocator.getInstance().getAuthenticationService().isAuthEnabled()).thenReturn(
+                Boolean.TRUE);
+    }
+
+    @Test()
+    public void testGetUnauthorized() {
+        try {
+            resource().path("test").get(String.class);
+            fail("Shoulda failed with 401!");
+        } catch (UniformInterfaceException e) {
+            ClientResponse resp = e.getResponse();
+            assertEquals(401, resp.getStatus());
+            assertTrue(resp.getHeaders().get(UnauthorizedException.WWW_AUTHENTICATE)
+                           .contains(UnauthorizedException.OPENDAYLIGHT));
+        }
+    }
+
+    @Test
+    public void testGet() {
+        String resp = resource().path("test").header("Authorization", "Bearer " + GOOD_TOKEN)
+                                .get(String.class);
+        assertEquals("ok", resp);
+    }
+
+    @SuppressWarnings("unchecked")
+    @Test
+    public void testGetWithValidator() {
+        try {
+            // Mock a laxed tokenauth...
+            TokenAuth ta = mock(TokenAuth.class);
+            when(ta.validate(anyMap())).thenReturn(auth);
+            ServiceLocator.getInstance().getTokenAuthCollection().add(ta);
+            testGet();
+        } finally {
+            ServiceLocator.getInstance().getTokenAuthCollection().clear();
+        }
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-authn-sts/src/test/java/org/opendaylight/aaa/sts/TokenEndpointTest.java b/odl-aaa-moon/aaa-authn-sts/src/test/java/org/opendaylight/aaa/sts/TokenEndpointTest.java
new file mode 100644
index 00000000..06dd6302
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn-sts/src/test/java/org/opendaylight/aaa/sts/TokenEndpointTest.java
@@ -0,0 +1,164 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.sts;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.Matchers.any;
+import static org.mockito.Matchers.anyString;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import java.util.Arrays;
+import org.eclipse.jetty.testing.HttpTester;
+import org.eclipse.jetty.testing.ServletTester;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.opendaylight.aaa.AuthenticationBuilder;
+import org.opendaylight.aaa.ClaimBuilder;
+import org.opendaylight.aaa.api.AuthenticationService;
+import org.opendaylight.aaa.api.Claim;
+import org.opendaylight.aaa.api.ClientService;
+import org.opendaylight.aaa.api.CredentialAuth;
+import org.opendaylight.aaa.api.IdMService;
+import org.opendaylight.aaa.api.PasswordCredentials;
+import org.opendaylight.aaa.api.TokenAuth;
+import org.opendaylight.aaa.api.TokenStore;
+
+/**
+ * A unit test for token endpoint.
+ *
+ * @author liemmn
+ *
+ */
+public class TokenEndpointTest {
+    private static final long TOKEN_TIMEOUT_SECS = 10;
+    private static final String CONTEXT = "/oauth2";
+    private static final String DIRECT_AUTH = "grant_type=password&username=admin&password=admin&scope=pepsi&client_id=dlux&client_secret=secrete";
+    private static final String REFRESH_TOKEN = "grant_type=refresh_token&refresh_token=whateverisgood&scope=pepsi";
+
+    private static final Claim claim = new ClaimBuilder().setUser("bob").setUserId("1234")
+                                                         .addRole("admin").build();
+    private final static ServletTester server = new ServletTester();
+
+    @BeforeClass
+    public static void init() throws Exception {
+        // Set up server
+        server.setContextPath(CONTEXT);
+
+        // Add our servlet under test
+        server.addServlet(TokenEndpoint.class, "/revoke");
+        server.addServlet(TokenEndpoint.class, "/token");
+
+        // Let's do dis
+        server.start();
+    }
+
+    @AfterClass
+    public static void shutdown() throws Exception {
+        server.stop();
+    }
+
+    @Before
+    public void setup() {
+        mockServiceLocator();
+        when(ServiceLocator.getInstance().getTokenStore().tokenExpiration()).thenReturn(
+                TOKEN_TIMEOUT_SECS);
+    }
+
+    @After
+    public void teardown() {
+        ServiceLocator.getInstance().getTokenAuthCollection().clear();
+    }
+
+    @Test
+    public void testCreateToken401() throws Exception {
+        HttpTester req = new HttpTester();
+        req.setMethod("POST");
+        req.setHeader("Content-Type", "application/x-www-form-urlencoded");
+        req.setContent(DIRECT_AUTH);
+        req.setURI(CONTEXT + TokenEndpoint.TOKEN_GRANT_ENDPOINT);
+        req.setVersion("HTTP/1.0");
+
+        HttpTester resp = new HttpTester();
+        resp.parse(server.getResponses(req.generate()));
+        assertEquals(401, resp.getStatus());
+    }
+
+    @Test
+    public void testCreateTokenWithPassword() throws Exception {
+        when(
+                ServiceLocator.getInstance().getCredentialAuth()
+                              .authenticate(any(PasswordCredentials.class))).thenReturn(claim);
+
+        HttpTester req = new HttpTester();
+        req.setMethod("POST");
+        req.setHeader("Content-Type", "application/x-www-form-urlencoded");
+        req.setContent(DIRECT_AUTH);
+        req.setURI(CONTEXT + TokenEndpoint.TOKEN_GRANT_ENDPOINT);
+        req.setVersion("HTTP/1.0");
+
+        HttpTester resp = new HttpTester();
+        resp.parse(server.getResponses(req.generate()));
+        assertEquals(201, resp.getStatus());
+        assertTrue(resp.getContent().contains("expires_in\":10"));
+        assertTrue(resp.getContent().contains("Bearer"));
+    }
+
+    @Test
+    public void testCreateTokenWithRefreshToken() throws Exception {
+        when(ServiceLocator.getInstance().getTokenStore().get(anyString())).thenReturn(
+                new AuthenticationBuilder(claim).build());
+        when(ServiceLocator.getInstance().getIdmService().listRoles(anyString(), anyString())).thenReturn(
+                Arrays.asList("admin", "user"));
+
+        HttpTester req = new HttpTester();
+        req.setMethod("POST");
+        req.setHeader("Content-Type", "application/x-www-form-urlencoded");
+        req.setContent(REFRESH_TOKEN);
+        req.setURI(CONTEXT + TokenEndpoint.TOKEN_GRANT_ENDPOINT);
+        req.setVersion("HTTP/1.0");
+
+        HttpTester resp = new HttpTester();
+        resp.parse(server.getResponses(req.generate()));
+        assertEquals(201, resp.getStatus());
+        assertTrue(resp.getContent().contains("expires_in\":10"));
+        assertTrue(resp.getContent().contains("Bearer"));
+    }
+
+    @Test
+    public void testDeleteToken() throws Exception {
+        when(ServiceLocator.getInstance().getTokenStore().delete("token_to_be_deleted")).thenReturn(
+                true);
+
+        HttpTester req = new HttpTester();
+        req.setMethod("POST");
+        req.setHeader("Content-Type", "application/x-www-form-urlencoded");
+        req.setContent("token_to_be_deleted");
+        req.setURI(CONTEXT + TokenEndpoint.TOKEN_REVOKE_ENDPOINT);
+        req.setVersion("HTTP/1.0");
+
+        HttpTester resp = new HttpTester();
+        resp.parse(server.getResponses(req.generate()));
+        assertEquals(204, resp.getStatus());
+    }
+
+    @SuppressWarnings("unchecked")
+    private static void mockServiceLocator() {
+        ServiceLocator.getInstance().setClientService(mock(ClientService.class));
+        ServiceLocator.getInstance().setIdmService(mock(IdMService.class));
+        ServiceLocator.getInstance().setAuthenticationService(mock(AuthenticationService.class));
+        ServiceLocator.getInstance().setTokenStore(mock(TokenStore.class));
+        ServiceLocator.getInstance().setCredentialAuth(mock(CredentialAuth.class));
+        ServiceLocator.getInstance().getTokenAuthCollection().add(mock(TokenAuth.class));
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn/pom.xml b/odl-aaa-moon/aaa-authn/pom.xml
new file mode 100644
index 00000000..06027a60
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn/pom.xml
@@ -0,0 +1,103 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Copyright (c) 2014-2015 Hewlett-Packard Development Company, L.P. and others.
+    All rights reserved. This program and the accompanying materials are made
+    available under the terms of the Eclipse Public License v1.0 which accompanies
+    this distribution, and is available at http://www.eclipse.org/legal/epl-v10.html -->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.opendaylight.aaa</groupId>
+        <artifactId>aaa-parent</artifactId>
+        <version>0.3.1-Beryllium-SR1</version>
+        <relativePath>../parent</relativePath>
+    </parent>
+
+    <artifactId>aaa-authn</artifactId>
+    <packaging>bundle</packaging>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.google.guava</groupId>
+            <artifactId>guava</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.sun.jersey</groupId>
+            <artifactId>jersey-server</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.osgi</groupId>
+            <artifactId>org.osgi.core</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.osgi</groupId>
+            <artifactId>org.osgi.compendium</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.felix</groupId>
+            <artifactId>org.apache.felix.dependencymanager</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <!-- Testing Dependencies -->
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-simple</artifactId>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.felix</groupId>
+                <artifactId>maven-bundle-plugin</artifactId>
+                <extensions>true</extensions>
+                <configuration>
+                    <instructions>
+                        <Bundle-Activator>org.opendaylight.aaa.Activator</Bundle-Activator>
+                    </instructions>
+                    <manifestLocation>${project.basedir}/META-INF</manifestLocation>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>build-helper-maven-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>attach-artifacts</id>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>attach-artifact</goal>
+                        </goals>
+                        <configuration>
+                            <artifacts>
+                                <artifact>
+                                    <file>${project.build.directory}/classes/authn.cfg</file>
+                                    <type>cfg</type>
+                                    <classifier>config</classifier>
+                                </artifact>
+                            </artifacts>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+
+</project>
diff --git a/odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/Activator.java b/odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/Activator.java
new file mode 100644
index 00000000..cfe27ef0
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/Activator.java
@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+package org.opendaylight.aaa;
+
+import java.util.Dictionary;
+import org.apache.felix.dm.DependencyActivatorBase;
+import org.apache.felix.dm.DependencyManager;
+import org.opendaylight.aaa.api.AuthenticationService;
+import org.opendaylight.aaa.api.ClientService;
+import org.osgi.framework.BundleContext;
+import org.osgi.framework.Constants;
+import org.osgi.service.cm.ManagedService;
+
+/**
+ * Activator to register {@link AuthenticationService} with OSGi.
+ *
+ * @author liemmn
+ *
+ */
+public class Activator extends DependencyActivatorBase {
+
+    private static final String AUTHN_PID = "org.opendaylight.aaa.authn";
+
+    @Override
+    public void init(BundleContext context, DependencyManager manager) throws Exception {
+        manager.add(createComponent().setInterface(
+                new String[] { AuthenticationService.class.getName() }, null).setImplementation(
+                AuthenticationManager.instance()));
+
+        ClientManager cm = new ClientManager();
+        manager.add(createComponent().setInterface(new String[] { ClientService.class.getName() },
+                null).setImplementation(cm));
+        context.registerService(ManagedService.class.getName(), cm, addPid(ClientManager.defaults));
+        context.registerService(ManagedService.class.getName(), AuthenticationManager.instance(),
+                addPid(AuthenticationManager.defaults));
+    }
+
+    @Override
+    public void destroy(BundleContext context, DependencyManager manager) throws Exception {
+    }
+
+    private Dictionary<String, ?> addPid(Dictionary<String, String> dict) {
+        dict.put(Constants.SERVICE_PID, AUTHN_PID);
+        return dict;
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/AuthenticationBuilder.java b/odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/AuthenticationBuilder.java
new file mode 100644
index 00000000..948cbac6
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/AuthenticationBuilder.java
@@ -0,0 +1,122 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+package org.opendaylight.aaa;
+
+import static org.opendaylight.aaa.EqualUtil.areEqual;
+import static org.opendaylight.aaa.HashCodeUtil.hash;
+
+import java.io.Serializable;
+import java.util.Set;
+import org.opendaylight.aaa.api.Authentication;
+import org.opendaylight.aaa.api.Claim;
+
+/**
+ * A builder for the authentication context.
+ *
+ * The expiration defaults to 0.
+ *
+ * @author liemmn
+ *
+ */
+public class AuthenticationBuilder {
+
+    private long expiration = 0L;
+    private Claim claim;
+
+    public AuthenticationBuilder(Claim claim) {
+        this.claim = claim;
+    }
+
+    public AuthenticationBuilder setExpiration(long expiration) {
+        this.expiration = expiration;
+        return this;
+    }
+
+    public Authentication build() {
+        return new ImmutableAuthentication(this);
+    }
+
+    private static final class ImmutableAuthentication implements Authentication, Serializable {
+        private static final long serialVersionUID = 4919078164955609987L;
+        private int hashCode = 0;
+        long expiration = 0L;
+        Claim claim;
+
+        private ImmutableAuthentication(AuthenticationBuilder base) {
+            if (base.claim == null) {
+                throw new IllegalStateException("The Claim is null.");
+            }
+            claim = new ClaimBuilder(base.claim).build();
+            expiration = base.expiration;
+
+            if (base.expiration < 0) {
+                throw new IllegalStateException("The expiration is less than 0.");
+            }
+        }
+
+        @Override
+        public long expiration() {
+            return expiration;
+        }
+
+        @Override
+        public String clientId() {
+            return claim.clientId();
+        }
+
+        @Override
+        public String userId() {
+            return claim.userId();
+        }
+
+        @Override
+        public String user() {
+            return claim.user();
+        }
+
+        @Override
+        public String domain() {
+            return claim.domain();
+        }
+
+        @Override
+        public Set<String> roles() {
+            return claim.roles();
+        }
+
+        @Override
+        public boolean equals(Object o) {
+            if (this == o) {
+                return true;
+            }
+            if (!(o instanceof Authentication)) {
+                return false;
+            }
+            Authentication a = (Authentication) o;
+            return areEqual(expiration, a.expiration()) && areEqual(claim.roles(), a.roles())
+                    && areEqual(claim.domain(), a.domain()) && areEqual(claim.userId(), a.userId())
+                    && areEqual(claim.user(), a.user()) && areEqual(claim.clientId(), a.clientId());
+        }
+
+        @Override
+        public int hashCode() {
+            if (hashCode == 0) {
+                int result = HashCodeUtil.SEED;
+                result = hash(result, expiration);
+                result = hash(result, claim.hashCode());
+                hashCode = result;
+            }
+            return hashCode;
+        }
+
+        @Override
+        public String toString() {
+            return "expiration:" + expiration + "," + claim.toString();
+        }
+    }
+}
\ No newline at end of file
diff --git a/odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/AuthenticationManager.java b/odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/AuthenticationManager.java
new file mode 100644
index 00000000..5f6420a3
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/AuthenticationManager.java
@@ -0,0 +1,77 @@
+/*
+ * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+package org.opendaylight.aaa;
+
+import java.util.Dictionary;
+import java.util.Hashtable;
+import org.opendaylight.aaa.api.Authentication;
+import org.opendaylight.aaa.api.AuthenticationService;
+import org.osgi.service.cm.ConfigurationException;
+import org.osgi.service.cm.ManagedService;
+
+/**
+ * An {@link InheritableThreadLocal}-based {@link AuthenticationService}.
+ *
+ * @author liemmn
+ */
+public class AuthenticationManager implements AuthenticationService, ManagedService {
+    private static final String AUTH_ENABLED_ERR = "Error setting authEnabled";
+
+    static final String AUTH_ENABLED = "authEnabled";
+    static final Dictionary<String, String> defaults = new Hashtable<>();
+    static {
+        defaults.put(AUTH_ENABLED, Boolean.FALSE.toString());
+    }
+
+    // In non-Karaf environments, authEnabled is set to false by default
+    private static volatile boolean authEnabled = false;
+
+    private final static AuthenticationManager am = new AuthenticationManager();
+    private final ThreadLocal<Authentication> auth = new InheritableThreadLocal<>();
+
+    private AuthenticationManager() {
+    }
+
+    static AuthenticationManager instance() {
+        return am;
+    }
+
+    @Override
+    public Authentication get() {
+        return auth.get();
+    }
+
+    @Override
+    public void set(Authentication a) {
+        auth.set(a);
+    }
+
+    @Override
+    public void clear() {
+        auth.remove();
+    }
+
+    @Override
+    public boolean isAuthEnabled() {
+        return authEnabled;
+    }
+
+    @Override
+    public void updated(Dictionary<String, ?> properties) throws ConfigurationException {
+        if (properties == null) {
+            return;
+        }
+
+        String propertyValue = (String) properties.get(AUTH_ENABLED);
+        boolean isTrueString = Boolean.parseBoolean(propertyValue);
+        if (!isTrueString && !"false".equalsIgnoreCase(propertyValue)) {
+            throw new ConfigurationException(AUTH_ENABLED, AUTH_ENABLED_ERR);
+        }
+        authEnabled = isTrueString;
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/ClaimBuilder.java b/odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/ClaimBuilder.java
new file mode 100644
index 00000000..4e4a8ef3
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/ClaimBuilder.java
@@ -0,0 +1,160 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+package org.opendaylight.aaa;
+
+import static org.opendaylight.aaa.EqualUtil.areEqual;
+import static org.opendaylight.aaa.HashCodeUtil.hash;
+
+import com.google.common.base.Strings;
+import com.google.common.collect.ImmutableSet;
+import java.io.Serializable;
+import java.util.LinkedHashSet;
+import java.util.Set;
+import org.opendaylight.aaa.api.Claim;
+
+/**
+ * Builder for a {@link Claim}. The userId, user, and roles information is
+ * mandatory.
+ *
+ * @author liemmn
+ *
+ */
+public class ClaimBuilder {
+    private String userId = "";
+    private String user = "";
+    private Set<String> roles = new LinkedHashSet<>();
+    private String clientId = "";
+    private String domain = "";
+
+    public ClaimBuilder() {
+    }
+
+    public ClaimBuilder(Claim claim) {
+        clientId = claim.clientId();
+        userId = claim.userId();
+        user = claim.user();
+        domain = claim.domain();
+        roles.addAll(claim.roles());
+    }
+
+    public ClaimBuilder setClientId(String clientId) {
+        this.clientId = Strings.nullToEmpty(clientId).trim();
+        return this;
+    }
+
+    public ClaimBuilder setUserId(String userId) {
+        this.userId = Strings.nullToEmpty(userId).trim();
+        return this;
+    }
+
+    public ClaimBuilder setUser(String userName) {
+        user = Strings.nullToEmpty(userName).trim();
+        return this;
+    }
+
+    public ClaimBuilder setDomain(String domain) {
+        this.domain = Strings.nullToEmpty(domain).trim();
+        return this;
+    }
+
+    public ClaimBuilder addRoles(Set<String> roles) {
+        for (String role : roles) {
+            addRole(role);
+        }
+        return this;
+    }
+
+    public ClaimBuilder addRole(String role) {
+        roles.add(Strings.nullToEmpty(role).trim());
+        return this;
+    }
+
+    public Claim build() {
+        return new ImmutableClaim(this);
+    }
+
+    protected static class ImmutableClaim implements Claim, Serializable {
+        private static final long serialVersionUID = -8115027645190209129L;
+        private int hashCode = 0;
+        protected String clientId;
+        protected String userId;
+        protected String user;
+        protected String domain;
+        protected ImmutableSet<String> roles;
+
+        protected ImmutableClaim(ClaimBuilder base) {
+            clientId = base.clientId;
+            userId = base.userId;
+            user = base.user;
+            domain = base.domain;
+            roles = ImmutableSet.<String> builder().addAll(base.roles).build();
+
+            if (userId.isEmpty() || user.isEmpty() || roles.isEmpty() || roles.contains("")) {
+                throw new IllegalStateException(
+                        "The Claim is missing one or more of the required fields.");
+            }
+        }
+
+        @Override
+        public String clientId() {
+            return clientId;
+        }
+
+        @Override
+        public String userId() {
+            return userId;
+        }
+
+        @Override
+        public String user() {
+            return user;
+        }
+
+        @Override
+        public String domain() {
+            return domain;
+        }
+
+        @Override
+        public Set<String> roles() {
+            return roles;
+        }
+
+        @Override
+        public boolean equals(Object o) {
+            if (this == o)
+                return true;
+            if (!(o instanceof Claim))
+                return false;
+            Claim a = (Claim) o;
+            return areEqual(roles, a.roles()) && areEqual(domain, a.domain())
+                    && areEqual(userId, a.userId()) && areEqual(user, a.user())
+                    && areEqual(clientId, a.clientId());
+        }
+
+        @Override
+        public int hashCode() {
+            if (hashCode == 0) {
+                int result = HashCodeUtil.SEED;
+                result = hash(result, clientId);
+                result = hash(result, userId);
+                result = hash(result, user);
+                result = hash(result, domain);
+                result = hash(result, roles);
+                hashCode = result;
+            }
+            return hashCode;
+        }
+
+        @Override
+        public String toString() {
+            return "clientId:" + clientId + "," + "userId:" + userId + "," + "userName:" + user
+                    + "," + "domain:" + domain + "," + "roles:" + roles;
+        }
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/ClientManager.java b/odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/ClientManager.java
new file mode 100644
index 00000000..e7e51424
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/ClientManager.java
@@ -0,0 +1,88 @@
+/*
+ * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa;
+
+import java.util.Dictionary;
+import java.util.HashMap;
+import java.util.Hashtable;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import org.apache.felix.dm.Component;
+import org.opendaylight.aaa.api.AuthenticationException;
+import org.opendaylight.aaa.api.ClientService;
+import org.osgi.service.cm.ConfigurationException;
+import org.osgi.service.cm.ManagedService;
+
+/**
+ * A configuration-based client manager.
+ *
+ * @author liemmn
+ *
+ */
+public class ClientManager implements ClientService, ManagedService {
+    static final String CLIENTS = "authorizedClients";
+    private static final String CLIENTS_FORMAT_ERR = "Clients are space-delimited in the form of <client_id>:<client_secret>";
+    private static final String UNAUTHORIZED_CLIENT_ERR = "Unauthorized client";
+
+    // Defaults (needed only for non-Karaf deployments)
+    static final Dictionary<String, String> defaults = new Hashtable<>();
+    static {
+        defaults.put(CLIENTS, "dlux:secrete");
+    }
+
+    private final Map<String, String> clients = new ConcurrentHashMap<>();
+
+    // This should be a singleton
+    ClientManager() {
+    }
+
+    // Called by DM when all required dependencies are satisfied.
+    void init(Component c) throws ConfigurationException {
+        reconfig(defaults);
+    }
+
+    @Override
+    public void validate(String clientId, String clientSecret) throws AuthenticationException {
+        // TODO: Post-Helium, we will support a CRUD API
+        if (!clients.containsKey(clientId)) {
+            throw new AuthenticationException(UNAUTHORIZED_CLIENT_ERR);
+        }
+        if (!clients.get(clientId).equals(clientSecret)) {
+            throw new AuthenticationException(UNAUTHORIZED_CLIENT_ERR);
+        }
+    }
+
+    @Override
+    public void updated(Dictionary<String, ?> props) throws ConfigurationException {
+        if (props == null) {
+            props = defaults;
+        }
+        reconfig(props);
+    }
+
+    // Reconfigure the client map...
+    private void reconfig(@SuppressWarnings("rawtypes") Dictionary props)
+            throws ConfigurationException {
+        try {
+            String authorizedClients = (String) props.get(CLIENTS);
+            Map<String, String> newClients = new HashMap<>();
+            if (authorizedClients != null) {
+                for (String client : authorizedClients.split(" ")) {
+                    String[] aClient = client.split(":");
+                    newClients.put(aClient[0], aClient[1]);
+                }
+            }
+            clients.clear();
+            clients.putAll(newClients);
+        } catch (Throwable t) {
+            throw new ConfigurationException(null, CLIENTS_FORMAT_ERR);
+        }
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/EqualUtil.java b/odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/EqualUtil.java
new file mode 100644
index 00000000..17204d0e
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/EqualUtil.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa;
+
+/**
+ * Simple class to aide in implementing equals.
+ * <p>
+ *
+ * <em>Arrays are not handled by this class</em>. This is because the
+ * <code>Arrays.equals</code> methods should be used for array fields.
+ */
+public final class EqualUtil {
+    static public boolean areEqual(boolean aThis, boolean aThat) {
+        return aThis == aThat;
+    }
+
+    static public boolean areEqual(char aThis, char aThat) {
+        return aThis == aThat;
+    }
+
+    static public boolean areEqual(long aThis, long aThat) {
+        return aThis == aThat;
+    }
+
+    static public boolean areEqual(float aThis, float aThat) {
+        return Float.floatToIntBits(aThis) == Float.floatToIntBits(aThat);
+    }
+
+    static public boolean areEqual(double aThis, double aThat) {
+        return Double.doubleToLongBits(aThis) == Double.doubleToLongBits(aThat);
+    }
+
+    static public boolean areEqual(Object aThis, Object aThat) {
+        return aThis == null ? aThat == null : aThis.equals(aThat);
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/HashCodeUtil.java b/odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/HashCodeUtil.java
new file mode 100644
index 00000000..c295b3ed
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/HashCodeUtil.java
@@ -0,0 +1,104 @@
+/*****************************************************************************
+ * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ *****************************************************************************/
+
+package org.opendaylight.aaa;
+
+import java.lang.reflect.Array;
+
+/**
+ * Collected methods which allow easy implementation of <tt>hashCode</tt>.
+ *
+ * Example use case:
+ *
+ * <pre>
+ * public int hashCode() {
+ *     int result = HashCodeUtil.SEED;
+ *     // collect the contributions of various fields
+ *     result = HashCodeUtil.hash(result, fPrimitive);
+ *     result = HashCodeUtil.hash(result, fObject);
+ *     result = HashCodeUtil.hash(result, fArray);
+ *     return result;
+ * }
+ * </pre>
+ */
+public final class HashCodeUtil {
+
+    /**
+     * An initial value for a <tt>hashCode</tt>, to which is added contributions
+     * from fields. Using a non-zero value decreases collisions of
+     * <tt>hashCode</tt> values.
+     */
+    public static final int SEED = 23;
+
+    /** booleans. */
+    public static int hash(int aSeed, boolean aBoolean) {
+        return firstTerm(aSeed) + (aBoolean ? 1 : 0);
+    }
+
+    /*** chars. */
+    public static int hash(int aSeed, char aChar) {
+        return firstTerm(aSeed) + aChar;
+    }
+
+    /** ints. */
+    public static int hash(int aSeed, int aInt) {
+        return firstTerm(aSeed) + aInt;
+    }
+
+    /** longs. */
+    public static int hash(int aSeed, long aLong) {
+        return firstTerm(aSeed) + (int) (aLong ^ (aLong >>> 32));
+    }
+
+    /** floats. */
+    public static int hash(int aSeed, float aFloat) {
+        return hash(aSeed, Float.floatToIntBits(aFloat));
+    }
+
+    /** doubles. */
+    public static int hash(int aSeed, double aDouble) {
+        return hash(aSeed, Double.doubleToLongBits(aDouble));
+    }
+
+    /**
+     * <tt>aObject</tt> is a possibly-null object field, and possibly an array.
+     *
+     * If <tt>aObject</tt> is an array, then each element may be a primitive or
+     * a possibly-null object.
+     */
+    public static int hash(int aSeed, Object aObject) {
+        int result = aSeed;
+        if (aObject == null) {
+            result = hash(result, 0);
+        } else if (!isArray(aObject)) {
+            result = hash(result, aObject.hashCode());
+        } else {
+            int length = Array.getLength(aObject);
+            for (int idx = 0; idx < length; ++idx) {
+                Object item = Array.get(aObject, idx);
+                // if an item in the array references the array itself, prevent
+                // infinite looping
+                if (!(item == aObject)) {
+                    result = hash(result, item);
+                }
+            }
+        }
+        return result;
+    }
+
+    // PRIVATE
+    private static final int fODD_PRIME_NUMBER = 37;
+
+    private static int firstTerm(int aSeed) {
+        return fODD_PRIME_NUMBER * aSeed;
+    }
+
+    private static boolean isArray(Object aObject) {
+        return aObject.getClass().isArray();
+    }
+}
\ No newline at end of file
diff --git a/odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/PasswordCredentialBuilder.java b/odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/PasswordCredentialBuilder.java
new file mode 100644
index 00000000..d8a2e87a
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/PasswordCredentialBuilder.java
@@ -0,0 +1,87 @@
+/*
+ * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+package org.opendaylight.aaa;
+
+import static org.opendaylight.aaa.EqualUtil.areEqual;
+import static org.opendaylight.aaa.HashCodeUtil.hash;
+
+import org.opendaylight.aaa.api.PasswordCredentials;
+
+/**
+ * {@link PasswordCredentials} builder.
+ *
+ * @author liemmn
+ *
+ */
+public class PasswordCredentialBuilder {
+    private final MutablePasswordCredentials pc = new MutablePasswordCredentials();
+
+    public PasswordCredentialBuilder setUserName(String username) {
+        pc.username = username;
+        return this;
+    }
+
+    public PasswordCredentialBuilder setPassword(String password) {
+        pc.password = password;
+        return this;
+    }
+
+    public PasswordCredentialBuilder setDomain(String domain) {
+        pc.domain = domain;
+        return this;
+    }
+
+    public PasswordCredentials build() {
+        return pc;
+    }
+
+    private static class MutablePasswordCredentials implements PasswordCredentials {
+        private int hashCode = 0;
+        private String username;
+        private String password;
+        private String domain;
+
+        @Override
+        public String username() {
+            return username;
+        }
+
+        @Override
+        public String password() {
+            return password;
+        }
+
+        @Override
+        public String domain() {
+            return domain;
+        }
+
+        @Override
+        public boolean equals(Object o) {
+            if (this == o) {
+                return true;
+            }
+            if (!(o instanceof PasswordCredentials)) {
+                return false;
+            }
+            PasswordCredentials p = (PasswordCredentials) o;
+            return areEqual(username, p.username()) && areEqual(password, p.password());
+        }
+
+        @Override
+        public int hashCode() {
+            if (hashCode == 0) {
+                int result = HashCodeUtil.SEED;
+                result = hash(result, username);
+                result = hash(result, password);
+                hashCode = result;
+            }
+            return hashCode;
+        }
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/SecureBlockingQueue.java b/odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/SecureBlockingQueue.java
new file mode 100644
index 00000000..3ded52da
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn/src/main/java/org/opendaylight/aaa/SecureBlockingQueue.java
@@ -0,0 +1,258 @@
+/*
+ * Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+package org.opendaylight.aaa;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Iterator;
+import java.util.concurrent.BlockingQueue;
+import java.util.concurrent.TimeUnit;
+import org.opendaylight.aaa.api.Authentication;
+
+/**
+ * A {@link BlockingQueue} decorator with injected security context.
+ *
+ * @author liemmn
+ *
+ * @param <T>
+ *            queue element type
+ */
+public class SecureBlockingQueue<T> implements BlockingQueue<T> {
+    private final BlockingQueue<SecureData<T>> queue;
+
+    /**
+     * Constructor.
+     *
+     * @param queue
+     *            blocking queue implementation to use
+     */
+    public SecureBlockingQueue(BlockingQueue<SecureData<T>> queue) {
+        this.queue = queue;
+    }
+
+    @Override
+    public T remove() {
+        return setAuth(queue.remove());
+    }
+
+    @Override
+    public T poll() {
+        return setAuth(queue.poll());
+    }
+
+    @Override
+    public T element() {
+        return setAuth(queue.element());
+    }
+
+    @Override
+    public T peek() {
+        return setAuth(queue.peek());
+    }
+
+    @Override
+    public int size() {
+        return queue.size();
+    }
+
+    @Override
+    public boolean isEmpty() {
+        return queue.isEmpty();
+    }
+
+    @Override
+    public Iterator<T> iterator() {
+        return new Iterator<T>() {
+            Iterator<SecureData<T>> it = queue.iterator();
+
+            @Override
+            public boolean hasNext() {
+                return it.hasNext();
+            }
+
+            @Override
+            public T next() {
+                return it.next().data;
+            }
+
+            @Override
+            public void remove() {
+                it.remove();
+            }
+        };
+    }
+
+    @Override
+    public Object[] toArray() {
+        return toData().toArray();
+    }
+
+    @SuppressWarnings("hiding")
+    @Override
+    public <T> T[] toArray(T[] a) {
+        return toData().toArray(a);
+    }
+
+    @Override
+    public boolean containsAll(Collection<?> c) {
+        return toData().containsAll(c);
+    }
+
+    @Override
+    public boolean addAll(Collection<? extends T> c) {
+        return queue.addAll(fromData(c));
+    }
+
+    @Override
+    public boolean removeAll(Collection<?> c) {
+        return queue.removeAll(fromData(c));
+    }
+
+    @Override
+    public boolean retainAll(Collection<?> c) {
+        return queue.retainAll(fromData(c));
+    }
+
+    @Override
+    public void clear() {
+        queue.clear();
+    }
+
+    @Override
+    public boolean add(T e) {
+        return queue.add(new SecureData<>(e));
+    }
+
+    @Override
+    public boolean offer(T e) {
+        return queue.offer(new SecureData<>(e));
+    }
+
+    @Override
+    public void put(T e) throws InterruptedException {
+        queue.put(new SecureData<T>(e));
+    }
+
+    @Override
+    public boolean offer(T e, long timeout, TimeUnit unit) throws InterruptedException {
+        return queue.offer(new SecureData<>(e), timeout, unit);
+    }
+
+    @Override
+    public T take() throws InterruptedException {
+        return setAuth(queue.take());
+    }
+
+    @Override
+    public T poll(long timeout, TimeUnit unit) throws InterruptedException {
+        return setAuth(queue.poll(timeout, unit));
+    }
+
+    @Override
+    public int remainingCapacity() {
+        return queue.remainingCapacity();
+    }
+
+    @Override
+    public boolean remove(Object o) {
+        Iterator<SecureData<T>> it = queue.iterator();
+        while (it.hasNext()) {
+            SecureData<T> sd = it.next();
+            if (sd.data.equals(o)) {
+                return queue.remove(sd);
+            }
+        }
+        return false;
+    }
+
+    @Override
+    public boolean contains(Object o) {
+        Iterator<SecureData<T>> it = queue.iterator();
+        while (it.hasNext()) {
+            SecureData<T> sd = it.next();
+            if (sd.data.equals(o)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    @Override
+    public int drainTo(Collection<? super T> c) {
+        Collection<SecureData<T>> sd = new ArrayList<>();
+        int n = queue.drainTo(sd);
+        c.addAll(toData(sd));
+        return n;
+    }
+
+    @Override
+    public int drainTo(Collection<? super T> c, int maxElements) {
+        Collection<SecureData<T>> sd = new ArrayList<>();
+        int n = queue.drainTo(sd, maxElements);
+        c.addAll(toData(sd));
+        return n;
+    }
+
+    // Rehydrate security context
+    private T setAuth(SecureData<T> i) {
+        AuthenticationManager.instance().set(i.auth);
+        return i.data;
+    }
+
+    // Construct secure data collection from a plain old data collection
+    @SuppressWarnings("unchecked")
+    private Collection<SecureData<T>> fromData(Collection<?> c) {
+        Collection<SecureData<T>> sd = new ArrayList<>(c.size());
+        for (Object d : c) {
+            sd.add((SecureData<T>) new SecureData<>(d));
+        }
+        return sd;
+    }
+
+    // Extract the data portion out from the secure data
+    @SuppressWarnings("unchecked")
+    private Collection<T> toData() {
+        return toData(Arrays.<SecureData<T>> asList(queue.toArray(new SecureData[0])));
+    }
+
+    // Extract the data portion out from the secure data
+    private Collection<T> toData(Collection<SecureData<T>> secureData) {
+        Collection<T> data = new ArrayList<>(secureData.size());
+        Iterator<SecureData<T>> it = secureData.iterator();
+        while (it.hasNext()) {
+            data.add(it.next().data);
+        }
+        return data;
+    }
+
+    // Inject security context
+    public static final class SecureData<T> {
+        private final T data;
+        private final Authentication auth;
+
+        private SecureData(T data) {
+            this.data = data;
+            this.auth = AuthenticationManager.instance().get();
+        }
+
+        @SuppressWarnings("rawtypes")
+        @Override
+        public boolean equals(Object o) {
+            if (o == null) {
+                return false;
+            }
+            return (o instanceof SecureData) ? data.equals(((SecureData) o).data) : false;
+        }
+
+        @Override
+        public int hashCode() {
+            return data.hashCode();
+        }
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn/src/main/resources/OSGI-INF/metatype/metatype.properties b/odl-aaa-moon/aaa-authn/src/main/resources/OSGI-INF/metatype/metatype.properties
new file mode 100644
index 00000000..75537f6b
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn/src/main/resources/OSGI-INF/metatype/metatype.properties
@@ -0,0 +1,12 @@
+org.opendaylight.aaa.authn.name = Opendaylight AAA Authentication Configuration
+org.opendaylight.aaa.authn.description = Configuration for AAA authorized clients
+org.opendaylight.aaa.authn.authorizedClients.name = Authorized Clients
+org.opendaylight.aaa.authn.authorizedClients.description = Space-delimited list of authorized \
+ clients, with client id and client password separated by a ':'. \
+ Example:  dlux:secrete <client_id:client_secret>
+org.opendaylight.aaa.authn.authEnabled.name = Enable authentication
+org.opendaylight.aaa.authn.authEnabled.description = Enable authentication by setting it \
+to the value 'true', or 'false' if bypassing authentication. \
+Note that bypassing authentication may result in your controller being more \
+vulnerable to unauthorized accesses.  Authorization, if enabled, will not work if \
+authentication is disabled.
\ No newline at end of file
diff --git a/odl-aaa-moon/aaa-authn/src/main/resources/OSGI-INF/metatype/metatype.xml b/odl-aaa-moon/aaa-authn/src/main/resources/OSGI-INF/metatype/metatype.xml
new file mode 100644
index 00000000..10150587
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn/src/main/resources/OSGI-INF/metatype/metatype.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<metatype:MetaData xmlns:metatype="http://www.osgi.org/xmlns/metatype/v1.0.0"
+    localization="OSGI-INF/metatype/metatype">
+    <OCD id="org.opendaylight.aaa.authn" name="%org.opendaylight.aaa.authn.name"
+        description="%org.opendaylight.aaa.authn.description">
+        <AD id="authorizedClients" type="String" default="dlux:secrete"
+            name="%org.opendaylight.aaa.authn.authorizedClients.name"
+            description="%org.opendaylight.aaa.authn.authorizedClients.description" />
+        <AD id="authEnabled" type="String" default="true"
+            name="%org.opendaylight.aaa.authn.authEnabled.name"
+            description="%org.opendaylight.aaa.authn.authEnabled.description" />
+    </OCD>
+    <Designate pid="org.opendaylight.aaa.authn">
+        <Object ocdref="org.opendaylight.aaa.authn" />
+    </Designate>
+</metatype:MetaData>
\ No newline at end of file
diff --git a/odl-aaa-moon/aaa-authn/src/main/resources/authn.cfg b/odl-aaa-moon/aaa-authn/src/main/resources/authn.cfg
new file mode 100644
index 00000000..e7326f86
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn/src/main/resources/authn.cfg
@@ -0,0 +1,2 @@
+authorizedClients=dlux:secrete
+authEnabled=true
\ No newline at end of file
diff --git a/odl-aaa-moon/aaa-authn/src/test/java/org/opendaylight/aaa/AuthenticationBuilderTest.java b/odl-aaa-moon/aaa-authn/src/test/java/org/opendaylight/aaa/AuthenticationBuilderTest.java
new file mode 100644
index 00000000..2f69fe5b
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn/src/test/java/org/opendaylight/aaa/AuthenticationBuilderTest.java
@@ -0,0 +1,129 @@
+/*
+ * Copyright (c) 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.util.Arrays;
+import java.util.LinkedHashSet;
+import java.util.Set;
+import org.junit.Test;
+import org.opendaylight.aaa.api.Authentication;
+import org.opendaylight.aaa.api.Claim;
+
+public class AuthenticationBuilderTest {
+    private Set<String> roles = new LinkedHashSet<>(Arrays.asList("role1", "role2"));
+    private Claim validClaim = new ClaimBuilder().setDomain("aName").setUserId("1")
+            .setClientId("2222").setUser("bob").addRole("foo").addRoles(roles).build();
+
+    @Test
+    public void testBuildWithExpiration() {
+        Authentication a1 = new AuthenticationBuilder(validClaim).setExpiration(1).build();
+        assertEquals(1, a1.expiration());
+        assertEquals("aName", a1.domain());
+        assertEquals("1", a1.userId());
+        assertEquals("2222", a1.clientId());
+        assertEquals("bob", a1.user());
+        assertTrue(a1.roles().contains("foo"));
+        assertTrue(a1.roles().containsAll(roles));
+        assertEquals(3, a1.roles().size());
+        Authentication a2 = new AuthenticationBuilder(a1).build();
+        assertNotEquals(a1, a2);
+        Authentication a3 = new AuthenticationBuilder(a1).setExpiration(1).build();
+        assertEquals(a1, a3);
+    }
+
+    @Test
+    public void testBuildWithoutExpiration() {
+        Authentication a1 = new AuthenticationBuilder(validClaim).build();
+        assertEquals(0, a1.expiration());
+        assertEquals("aName", a1.domain());
+        assertEquals("1", a1.userId());
+        assertEquals("2222", a1.clientId());
+        assertEquals("bob", a1.user());
+        assertTrue(a1.roles().contains("foo"));
+        assertTrue(a1.roles().containsAll(roles));
+        assertEquals(3, a1.roles().size());
+    }
+
+    @Test(expected = IllegalStateException.class)
+    public void testBuildWithNegativeExpiration() {
+        AuthenticationBuilder a1 = new AuthenticationBuilder(validClaim).setExpiration(-1);
+        a1.build();
+    }
+
+    @Test(expected = IllegalStateException.class)
+    public void testBuildWithNullClaim() {
+        AuthenticationBuilder a1 = new AuthenticationBuilder(null);
+        a1.build();
+    }
+
+    @Test
+    public void testToString() {
+        Authentication a1 = new AuthenticationBuilder(validClaim).setExpiration(1).build();
+        assertEquals(
+                "expiration:1,clientId:2222,userId:1,userName:bob,domain:aName,roles:[foo, role1, role2]",
+                a1.toString());
+    }
+
+    @Test
+    public void testEquals() {
+        Authentication a1 = new AuthenticationBuilder(validClaim).setExpiration(1).build();
+        assertTrue(a1.equals(a1));
+        Authentication a2 = new AuthenticationBuilder(a1).setExpiration(1).build();
+        assertTrue(a1.equals(a2));
+        assertTrue(a2.equals(a1));
+        Authentication a3 = new AuthenticationBuilder(validClaim).setExpiration(1).build();
+        assertTrue(a1.equals(a3));
+        assertTrue(a3.equals(a2));
+        assertTrue(a1.equals(a2));
+    }
+
+    @Test
+    public void testNotEquals() {
+        Authentication a1 = new AuthenticationBuilder(validClaim).setExpiration(1).build();
+        assertFalse(a1.equals(null));
+        assertFalse(a1.equals("wrong object"));
+        Authentication a2 = new AuthenticationBuilder(a1).build();
+        assertFalse(a1.equals(a2));
+        assertFalse(a2.equals(a1));
+        Authentication a3 = new AuthenticationBuilder(validClaim).setExpiration(1).build();
+        assertFalse(a1.equals(a2));
+        assertTrue(a1.equals(a3));
+        assertFalse(a2.equals(a3));
+        Authentication a4 = new AuthenticationBuilder(validClaim).setExpiration(9).build();
+        assertFalse(a1.equals(a4));
+        assertFalse(a4.equals(a1));
+        Authentication a5 = new AuthenticationBuilder(a1).setExpiration(9).build();
+        assertFalse(a1.equals(a5));
+        assertFalse(a5.equals(a1));
+    }
+
+    @Test
+    public void testHashCode() {
+        Authentication a1 = new AuthenticationBuilder(validClaim).setExpiration(1).build();
+        assertEquals(a1.hashCode(), a1.hashCode());
+        Authentication a2 = new AuthenticationBuilder(a1).setExpiration(1).build();
+        assertTrue(a1.equals(a2));
+        assertEquals(a1.hashCode(), a2.hashCode());
+        Authentication a3 = new AuthenticationBuilder(validClaim).setExpiration(1).build();
+        assertTrue(a1.equals(a3));
+        assertEquals(a1.hashCode(), a3.hashCode());
+        assertEquals(a2.hashCode(), a3.hashCode());
+        Authentication a4 = new AuthenticationBuilder(a1).setExpiration(9).build();
+        assertFalse(a1.equals(a4));
+        assertNotEquals(a1.hashCode(), a4.hashCode());
+        Authentication a5 = new AuthenticationBuilder(a1).build();
+        assertFalse(a1.equals(a5));
+        assertNotEquals(a1.hashCode(), a5.hashCode());
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn/src/test/java/org/opendaylight/aaa/AuthenticationManagerTest.java b/odl-aaa-moon/aaa-authn/src/test/java/org/opendaylight/aaa/AuthenticationManagerTest.java
new file mode 100644
index 00000000..540df287
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn/src/test/java/org/opendaylight/aaa/AuthenticationManagerTest.java
@@ -0,0 +1,133 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+
+import java.util.Arrays;
+import java.util.Dictionary;
+import java.util.Hashtable;
+import java.util.List;
+import java.util.concurrent.Callable;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.Executors;
+import java.util.concurrent.Future;
+import org.junit.Test;
+import org.opendaylight.aaa.api.Authentication;
+import org.opendaylight.aaa.api.AuthenticationService;
+import org.osgi.service.cm.ConfigurationException;
+
+public class AuthenticationManagerTest {
+    @Test
+    public void testAuthenticationCrudSameThread() {
+        Authentication auth = new AuthenticationBuilder(new ClaimBuilder().setUser("Bob")
+                .setUserId("1234").addRole("admin").addRole("guest").build()).build();
+        AuthenticationService as = AuthenticationManager.instance();
+
+        assertNotNull(as);
+
+        as.set(auth);
+        assertEquals(auth, as.get());
+
+        as.clear();
+        assertNull(as.get());
+    }
+
+    @Test
+    public void testAuthenticationCrudSpawnedThread() throws InterruptedException,
+            ExecutionException {
+        AuthenticationService as = AuthenticationManager.instance();
+        Authentication auth = new AuthenticationBuilder(new ClaimBuilder().setUser("Bob")
+                .setUserId("1234").addRole("admin").addRole("guest").build()).build();
+
+        as.set(auth);
+        Future<Authentication> f = Executors.newSingleThreadExecutor().submit(new Worker());
+        assertEquals(auth, f.get());
+
+        as.clear();
+        f = Executors.newSingleThreadExecutor().submit(new Worker());
+        assertNull(f.get());
+    }
+
+    @Test
+    public void testAuthenticationCrudSpawnedThreadPool() throws InterruptedException,
+            ExecutionException {
+        AuthenticationService as = AuthenticationManager.instance();
+        Authentication auth = new AuthenticationBuilder(new ClaimBuilder().setUser("Bob")
+                .setUserId("1234").addRole("admin").addRole("guest").build()).build();
+
+        as.set(auth);
+        List<Future<Authentication>> fs = Executors.newFixedThreadPool(2).invokeAll(
+                Arrays.asList(new Worker(), new Worker()));
+        for (Future<Authentication> f : fs) {
+            assertEquals(auth, f.get());
+        }
+
+        as.clear();
+        fs = Executors.newFixedThreadPool(2).invokeAll(Arrays.asList(new Worker(), new Worker()));
+        for (Future<Authentication> f : fs) {
+            assertNull(f.get());
+        }
+    }
+
+    @Test
+    public void testUpdatedValid() throws ConfigurationException {
+        Dictionary<String, String> props = new Hashtable<>();
+        AuthenticationManager as = AuthenticationManager.instance();
+
+        assertFalse(as.isAuthEnabled());
+
+        props.put(AuthenticationManager.AUTH_ENABLED, "TrUe");
+        as.updated(props);
+        assertTrue(as.isAuthEnabled());
+
+        props.put(AuthenticationManager.AUTH_ENABLED, "FaLsE");
+        as.updated(props);
+        assertFalse(as.isAuthEnabled());
+    }
+
+    @Test
+    public void testUpdatedNullProperty() throws ConfigurationException {
+        AuthenticationManager as = AuthenticationManager.instance();
+
+        assertFalse(as.isAuthEnabled());
+        as.updated(null);
+        assertFalse(as.isAuthEnabled());
+    }
+
+    @Test(expected = ConfigurationException.class)
+    public void testUpdatedInvalidValue() throws ConfigurationException {
+        AuthenticationManager as = AuthenticationManager.instance();
+        Dictionary<String, String> props = new Hashtable<>();
+
+        props.put(AuthenticationManager.AUTH_ENABLED, "yes");
+        as.updated(props);
+    }
+
+    @Test(expected = ConfigurationException.class)
+    public void testUpdatedInvalidKey() throws ConfigurationException {
+        AuthenticationManager as = AuthenticationManager.instance();
+        Dictionary<String, String> props = new Hashtable<>();
+
+        props.put("Invalid Key", "true");
+        as.updated(props);
+    }
+
+    private class Worker implements Callable<Authentication> {
+        @Override
+        public Authentication call() throws Exception {
+            AuthenticationService as = AuthenticationManager.instance();
+            return as.get();
+        }
+    }
+}
\ No newline at end of file
diff --git a/odl-aaa-moon/aaa-authn/src/test/java/org/opendaylight/aaa/ClaimBuilderTest.java b/odl-aaa-moon/aaa-authn/src/test/java/org/opendaylight/aaa/ClaimBuilderTest.java
new file mode 100644
index 00000000..372eb6d2
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn/src/test/java/org/opendaylight/aaa/ClaimBuilderTest.java
@@ -0,0 +1,208 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.util.Arrays;
+import java.util.HashSet;
+import org.junit.Test;
+import org.opendaylight.aaa.api.Claim;
+
+/**
+ *
+ * @author liemmn
+ *
+ */
+public class ClaimBuilderTest {
+    @Test
+    public void testBuildWithAll() {
+        Claim c1 = new ClaimBuilder().setClientId("dlux").setDomain("pepsi").setUser("john")
+                .setUserId("1234").addRole("foo").addRole("foo2")
+                .addRoles(new HashSet<>(Arrays.asList("foo", "bar"))).build();
+        assertEquals("dlux", c1.clientId());
+        assertEquals("pepsi", c1.domain());
+        assertEquals("john", c1.user());
+        assertEquals("1234", c1.userId());
+        assertTrue(c1.roles().contains("foo"));
+        assertTrue(c1.roles().contains("foo2"));
+        assertTrue(c1.roles().contains("bar"));
+        assertEquals(3, c1.roles().size());
+        Claim c2 = new ClaimBuilder(c1).build();
+        assertEquals(c1, c2);
+    }
+
+    @Test
+    public void testBuildWithRequired() {
+        Claim c1 = new ClaimBuilder().setUser("john").setUserId("1234").addRole("foo").build();
+        assertEquals("john", c1.user());
+        assertEquals("1234", c1.userId());
+        assertTrue(c1.roles().contains("foo"));
+        assertEquals(1, c1.roles().size());
+        assertEquals("", c1.domain());
+        assertEquals("", c1.clientId());
+    }
+
+    @Test
+    public void testBuildWithEmptyOptional() {
+        Claim c1 = new ClaimBuilder().setDomain("  ").setClientId("  ").setUser("john")
+                .setUserId("1234").addRole("foo").build();
+        assertEquals("", c1.domain());
+        assertEquals("", c1.clientId());
+        assertEquals("john", c1.user());
+        assertEquals("1234", c1.userId());
+        assertTrue(c1.roles().contains("foo"));
+        assertEquals(1, c1.roles().size());
+    }
+
+    @Test
+    public void testBuildWithNullOptional() {
+        Claim c1 = new ClaimBuilder().setDomain(null).setClientId(null).setUser("john")
+                .setUserId("1234").addRole("foo").build();
+        assertEquals("", c1.domain());
+        assertEquals("", c1.clientId());
+        assertEquals("john", c1.user());
+        assertEquals("1234", c1.userId());
+        assertTrue(c1.roles().contains("foo"));
+        assertEquals(1, c1.roles().size());
+    }
+
+    @Test(expected = IllegalStateException.class)
+    public void testBuildWithDefault() {
+        ClaimBuilder c1 = new ClaimBuilder();
+        c1.build();
+    }
+
+    @Test(expected = IllegalStateException.class)
+    public void testBuildWithoutUser() {
+        ClaimBuilder c1 = new ClaimBuilder().setUserId("1234").addRole("foo");
+        c1.build();
+    }
+
+    @Test(expected = IllegalStateException.class)
+    public void testBuildWithNullUser() {
+        ClaimBuilder c1 = new ClaimBuilder().setUser(null).setUserId("1234").addRole("foo");
+        c1.build();
+    }
+
+    @Test(expected = IllegalStateException.class)
+    public void testBuildWithEmptyUser() {
+        ClaimBuilder c1 = new ClaimBuilder().setUser("  ").setUserId("1234").addRole("foo");
+        c1.build();
+    }
+
+    @Test(expected = IllegalStateException.class)
+    public void testBuildWithoutUserId() {
+        ClaimBuilder c1 = new ClaimBuilder().setUser("john").addRole("foo");
+        c1.build();
+    }
+
+    @Test(expected = IllegalStateException.class)
+    public void testBuildWithNullUserId() {
+        ClaimBuilder c1 = new ClaimBuilder().setUser("john").setUserId(null).addRole("foo");
+        c1.build();
+    }
+
+    @Test(expected = IllegalStateException.class)
+    public void testBuildWithEmptyUserId() {
+        ClaimBuilder c1 = new ClaimBuilder().setUser("john").setUserId("  ").addRole("foo");
+        c1.build();
+    }
+
+    @Test(expected = IllegalStateException.class)
+    public void testBuildWithoutRole() {
+        ClaimBuilder c1 = new ClaimBuilder().setUser("john").setUserId("1234");
+        c1.build();
+    }
+
+    @Test(expected = IllegalStateException.class)
+    public void testBuildWithNullRole() {
+        ClaimBuilder c1 = new ClaimBuilder().setUser("john").setUserId("1234").addRole(null);
+        c1.build();
+    }
+
+    @Test(expected = IllegalStateException.class)
+    public void testBuildWithEmptyRole() {
+        ClaimBuilder c1 = new ClaimBuilder().setUser("john").setUserId("1234").addRole("  ");
+        c1.build();
+    }
+
+    @Test
+    public void testEquals() {
+        Claim c1 = new ClaimBuilder().setClientId("dlux").setDomain("pepsi").setUser("john")
+                .setUserId("1234").addRole("foo").build();
+        assertTrue(c1.equals(c1));
+        Claim c2 = new ClaimBuilder(c1).addRole("foo").build();
+        assertTrue(c1.equals(c2));
+        assertTrue(c2.equals(c1));
+        Claim c3 = new ClaimBuilder().setClientId("dlux").setDomain("pepsi").setUser("john")
+                .setUserId("1234").addRole("foo").build();
+        assertTrue(c1.equals(c3));
+        assertTrue(c3.equals(c2));
+        assertTrue(c1.equals(c2));
+    }
+
+    @Test
+    public void testNotEquals() {
+        Claim c1 = new ClaimBuilder().setClientId("dlux").setDomain("pepsi").setUser("john")
+                .setUserId("1234").addRole("foo").build();
+        assertFalse(c1.equals(null));
+        assertFalse(c1.equals("wrong object"));
+        Claim c2 = new ClaimBuilder(c1).addRoles(new HashSet<>(Arrays.asList("foo", "bar")))
+                .build();
+        assertEquals(2, c2.roles().size());
+        assertFalse(c1.equals(c2));
+        assertFalse(c2.equals(c1));
+        Claim c3 = new ClaimBuilder().setClientId("dlux").setDomain("pepsi").setUser("john")
+                .setUserId("1234").addRole("foo").build();
+        assertFalse(c1.equals(c2));
+        assertTrue(c1.equals(c3));
+        assertFalse(c2.equals(c3));
+        Claim c5 = new ClaimBuilder().setUser("john").setUserId("1234").addRole("foo").build();
+        assertFalse(c1.equals(c5));
+        assertFalse(c5.equals(c1));
+    }
+
+    @Test
+    public void testHash() {
+        Claim c1 = new ClaimBuilder().setClientId("dlux").setDomain("pepsi").setUser("john")
+                .setUserId("1234").addRole("foo").build();
+        assertEquals(c1.hashCode(), c1.hashCode());
+        Claim c2 = new ClaimBuilder(c1).addRole("foo").build();
+        assertTrue(c1.equals(c2));
+        assertEquals(c1.hashCode(), c2.hashCode());
+        Claim c3 = new ClaimBuilder(c1).addRoles(new HashSet<>(Arrays.asList("foo", "bar")))
+                .build();
+        assertFalse(c1.equals(c3));
+        assertNotEquals(c1.hashCode(), c3.hashCode());
+        Claim c4 = new ClaimBuilder().setClientId("dlux").setDomain("pepsi").setUser("john")
+                .setUserId("1234").addRole("foo").build();
+        assertTrue(c1.equals(c4));
+        assertEquals(c1.hashCode(), c4.hashCode());
+        assertEquals(c2.hashCode(), c4.hashCode());
+        Claim c5 = new ClaimBuilder().setUser("john").setUserId("1234").addRole("foo").build();
+        assertFalse(c1.equals(c5));
+        assertNotEquals(c1.hashCode(), c5.hashCode());
+    }
+
+    @Test
+    public void testToString() {
+        Claim c1 = new ClaimBuilder().setUser("john").setUserId("1234").addRole("foo").build();
+        assertEquals("clientId:,userId:1234,userName:john,domain:,roles:[foo]", c1.toString());
+        c1 = new ClaimBuilder(c1).setClientId("dlux").setDomain("pepsi").build();
+        assertEquals("clientId:dlux,userId:1234,userName:john,domain:pepsi,roles:[foo]",
+                c1.toString());
+        c1 = new ClaimBuilder(c1).addRole("bar").build();
+        assertEquals("clientId:dlux,userId:1234,userName:john,domain:pepsi,roles:[foo, bar]",
+                c1.toString());
+    }
+}
\ No newline at end of file
diff --git a/odl-aaa-moon/aaa-authn/src/test/java/org/opendaylight/aaa/ClientManagerTest.java b/odl-aaa-moon/aaa-authn/src/test/java/org/opendaylight/aaa/ClientManagerTest.java
new file mode 100644
index 00000000..059ba9a3
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn/src/test/java/org/opendaylight/aaa/ClientManagerTest.java
@@ -0,0 +1,70 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa;
+
+import static org.junit.Assert.fail;
+
+import java.util.Dictionary;
+import java.util.Hashtable;
+import org.junit.Before;
+import org.junit.Test;
+import org.opendaylight.aaa.api.AuthenticationException;
+import org.osgi.service.cm.ConfigurationException;
+
+/**
+ *
+ * @author liemmn
+ *
+ */
+public class ClientManagerTest {
+    private static final ClientManager cm = new ClientManager();
+
+    @Before
+    public void setup() throws ConfigurationException {
+        cm.init(null);
+    }
+
+    @Test
+    public void testValidate() {
+        cm.validate("dlux", "secrete");
+    }
+
+    @Test(expected = AuthenticationException.class)
+    public void testFailValidate() {
+        cm.validate("dlux", "what?");
+    }
+
+    @Test
+    public void testUpdate() throws ConfigurationException {
+        Dictionary<String, String> configs = new Hashtable<>();
+        configs.put(ClientManager.CLIENTS, "aws:amazon dlux:xxx");
+        cm.updated(configs);
+        cm.validate("aws", "amazon");
+        cm.validate("dlux", "xxx");
+    }
+
+    @Test
+    public void testFailUpdate() {
+        Dictionary<String, String> configs = new Hashtable<>();
+        configs.put(ClientManager.CLIENTS, "aws:amazon dlux");
+        try {
+            cm.updated(configs);
+            fail("Shoulda failed updating bad configuration");
+        } catch (ConfigurationException ce) {
+            // Expected
+        }
+        cm.validate("dlux", "secrete");
+        try {
+            cm.validate("aws", "amazon");
+            fail("Shoulda failed updating bad configuration");
+        } catch (AuthenticationException ae) {
+            // Expected
+        }
+    }
+}
diff --git a/odl-aaa-moon/aaa-authn/src/test/java/org/opendaylight/aaa/PasswordCredentialTest.java b/odl-aaa-moon/aaa-authn/src/test/java/org/opendaylight/aaa/PasswordCredentialTest.java
new file mode 100644
index 00000000..2dabb77b
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn/src/test/java/org/opendaylight/aaa/PasswordCredentialTest.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa;
+
+import static org.junit.Assert.assertEquals;
+
+import java.util.HashSet;
+import org.junit.Test;
+import org.opendaylight.aaa.api.PasswordCredentials;
+
+public class PasswordCredentialTest {
+
+    @Test
+    public void testBuilder() {
+        PasswordCredentials pc1 = new PasswordCredentialBuilder().setUserName("bob")
+                .setPassword("secrete").build();
+        assertEquals("bob", pc1.username());
+        assertEquals("secrete", pc1.password());
+
+        PasswordCredentials pc2 = new PasswordCredentialBuilder().setUserName("bob")
+                .setPassword("secrete").build();
+        assertEquals(pc1, pc2);
+
+        PasswordCredentials pc3 = new PasswordCredentialBuilder().setUserName("bob")
+                .setPassword("secret").build();
+        HashSet<PasswordCredentials> pcs = new HashSet<>();
+        pcs.add(pc1);
+        pcs.add(pc2);
+        pcs.add(pc3);
+        assertEquals(2, pcs.size());
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-authn/src/test/java/org/opendaylight/aaa/SecureBlockingQueueTest.java b/odl-aaa-moon/aaa-authn/src/test/java/org/opendaylight/aaa/SecureBlockingQueueTest.java
new file mode 100644
index 00000000..16627d9f
--- /dev/null
+++ b/odl-aaa-moon/aaa-authn/src/test/java/org/opendaylight/aaa/SecureBlockingQueueTest.java
@@ -0,0 +1,191 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+
+import java.util.Arrays;
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.concurrent.ArrayBlockingQueue;
+import java.util.concurrent.BlockingQueue;
+import java.util.concurrent.Callable;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.ThreadPoolExecutor;
+import java.util.concurrent.TimeUnit;
+import org.junit.Before;
+import org.junit.Test;
+import org.opendaylight.aaa.SecureBlockingQueue.SecureData;
+import org.opendaylight.aaa.api.Authentication;
+
+public class SecureBlockingQueueTest {
+    private final int MAX_TASKS = 100;
+
+    @Before
+    public void setup() {
+        AuthenticationManager.instance().clear();
+    }
+
+    @Test
+    public void testSecureThreadPoolExecutor() throws InterruptedException, ExecutionException {
+        BlockingQueue<Runnable> queue = new SecureBlockingQueue<>(
+                new ArrayBlockingQueue<SecureData<Runnable>>(10));
+        ThreadPoolExecutor executor = new ThreadPoolExecutor(5, 10, 500, TimeUnit.MILLISECONDS,
+                queue);
+        executor.prestartAllCoreThreads();
+        for (int cnt = 1; cnt <= MAX_TASKS; cnt++) {
+            assertEquals(Integer.toString(cnt),
+                    executor.submit(new Task(Integer.toString(cnt), "1111", "user")).get().user());
+        }
+        executor.shutdown();
+    }
+
+    @Test
+    public void testNormalThreadPoolExecutor() throws InterruptedException, ExecutionException {
+        BlockingQueue<Runnable> queue = new ArrayBlockingQueue<Runnable>(10);
+        ThreadPoolExecutor executor = new ThreadPoolExecutor(5, 10, 500, TimeUnit.MILLISECONDS,
+                queue);
+        executor.prestartAllCoreThreads();
+        for (int cnt = 1; cnt <= MAX_TASKS; cnt++) {
+            assertNull(executor.submit(new Task(Integer.toString(cnt), "1111", "user")).get());
+        }
+        executor.shutdown();
+    }
+
+    @Test
+    public void testQueueOps() throws InterruptedException, ExecutionException {
+        BlockingQueue<String> queue = new SecureBlockingQueue<>(
+                new ArrayBlockingQueue<SecureData<String>>(3));
+        ExecutorService es = Executors.newFixedThreadPool(3);
+        es.submit(new Producer("foo", "1111", "user", queue)).get();
+        assertEquals(1, queue.size());
+        assertEquals("foo", es.submit(new Consumer(queue)).get());
+        es.submit(new Producer("bar", "2222", "user", queue)).get();
+        assertEquals("bar", queue.peek());
+        assertEquals("bar", queue.element());
+        assertEquals(1, queue.size());
+        assertEquals("bar", queue.poll());
+        assertTrue(queue.isEmpty());
+        es.shutdown();
+    }
+
+    @Test
+    public void testCollectionOps() throws InterruptedException, ExecutionException {
+        BlockingQueue<String> queue = new SecureBlockingQueue<>(
+                new ArrayBlockingQueue<SecureData<String>>(6));
+        for (int i = 1; i <= 3; i++)
+            queue.add("User" + i);
+        Iterator<String> it = queue.iterator();
+        while (it.hasNext())
+            assertTrue(it.next().startsWith("User"));
+        assertEquals(3, queue.toArray().length);
+        List<String> actual = Arrays.asList(queue.toArray(new String[0]));
+        assertEquals("User1", actual.iterator().next());
+        assertTrue(queue.containsAll(actual));
+        queue.addAll(actual);
+        assertEquals(6, queue.size());
+        queue.retainAll(Arrays.asList(new String[] { "User2" }));
+        assertEquals(2, queue.size());
+        assertEquals("User2", queue.iterator().next());
+        queue.removeAll(actual);
+        assertTrue(queue.isEmpty());
+        queue.add("hello");
+        assertEquals(1, queue.size());
+        queue.clear();
+        assertTrue(queue.isEmpty());
+    }
+
+    @Test
+    public void testBlockingQueueOps() throws InterruptedException {
+        BlockingQueue<String> queue = new SecureBlockingQueue<>(
+                new ArrayBlockingQueue<SecureData<String>>(3));
+        queue.offer("foo");
+        assertEquals(1, queue.size());
+        queue.offer("bar", 500, TimeUnit.MILLISECONDS);
+        assertEquals(2, queue.size());
+        assertEquals("foo", queue.poll());
+        assertTrue(queue.contains("bar"));
+        queue.remove("bar");
+        assertEquals(3, queue.remainingCapacity());
+        queue.addAll(Arrays.asList(new String[] { "foo", "bar", "tom" }));
+        assertEquals(3, queue.size());
+        assertEquals("foo", queue.poll(500, TimeUnit.MILLISECONDS));
+        assertEquals(2, queue.size());
+        List<String> drain = new LinkedList<>();
+        queue.drainTo(drain);
+        assertTrue(queue.isEmpty());
+        assertEquals(2, drain.size());
+        queue.addAll(Arrays.asList(new String[] { "foo", "bar", "tom" }));
+        drain.clear();
+        queue.drainTo(drain, 1);
+        assertEquals(2, queue.size());
+        assertEquals(1, drain.size());
+    }
+
+    // Task to run in a ThreadPoolExecutor
+    private class Task implements Callable<Authentication> {
+        Task(String name, String userId, String role) {
+            // Mock that each task has its original authentication context
+            AuthenticationManager.instance().set(
+                    new AuthenticationBuilder(new ClaimBuilder().setUser(name).setUserId(userId)
+                            .addRole(role).build()).build());
+        }
+
+        @Override
+        public Authentication call() throws Exception {
+            return AuthenticationManager.instance().get();
+        }
+    }
+
+    // Producer sets auth context
+    private class Producer implements Callable<String> {
+        private final String name;
+        private final String userId;
+        private final String role;
+        private final BlockingQueue<String> queue;
+
+        Producer(String name, String userId, String role, BlockingQueue<String> queue) {
+            this.name = name;
+            this.userId = userId;
+            this.role = role;
+            this.queue = queue;
+        }
+
+        @Override
+        public String call() throws InterruptedException {
+            AuthenticationManager.instance().set(
+                    new AuthenticationBuilder(new ClaimBuilder().setUser(name).setUserId(userId)
+                            .addRole(role).build()).build());
+            queue.put(name);
+            return name;
+        }
+    }
+
+    // Consumer gets producer's auth context via data element in queue
+    private class Consumer implements Callable<String> {
+        private final BlockingQueue<String> queue;
+
+        Consumer(BlockingQueue<String> queue) {
+            this.queue = queue;
+        }
+
+        @Override
+        public String call() {
+            queue.remove();
+            Authentication auth = AuthenticationManager.instance().get();
+            return (auth == null) ? null : auth.user();
+        }
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-authz/aaa-authz-config/pom.xml b/odl-aaa-moon/aaa-authz/aaa-authz-config/pom.xml
new file mode 100644
index 00000000..4e19ed42
--- /dev/null
+++ b/odl-aaa-moon/aaa-authz/aaa-authz-config/pom.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.opendaylight.aaa</groupId>
+        <artifactId>aaa-parent</artifactId>
+        <version>0.3.1-Beryllium-SR1</version>
+        <relativePath>../../parent</relativePath>
+    </parent>
+
+    <artifactId>authz-service-config</artifactId>
+    <description>AuthZ Service Configuration files </description>
+    <packaging>jar</packaging>
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>build-helper-maven-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>attach-artifacts</id>
+                        <goals>
+                            <goal>attach-artifact</goal>
+                        </goals>
+                        <phase>package</phase>
+                        <configuration>
+                            <artifacts>
+                                <artifact>
+                                    <file>${project.build.directory}/classes/initial/${config.authz.service.configfile}</file>
+                                    <type>xml</type>
+                                    <classifier>config</classifier>
+                                </artifact>
+                            </artifacts>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+
+</project>
diff --git a/odl-aaa-moon/aaa-authz/aaa-authz-config/src/main/resources/initial/08-authz-config.xml b/odl-aaa-moon/aaa-authz/aaa-authz-config/src/main/resources/initial/08-authz-config.xml
new file mode 100644
index 00000000..5b59ca20
--- /dev/null
+++ b/odl-aaa-moon/aaa-authz/aaa-authz-config/src/main/resources/initial/08-authz-config.xml
@@ -0,0 +1,60 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- vi: set et smarttab sw=4 tabstop=4: -->
+<!--
+ Copyright (c) 2013 Cisco Systems, Inc. and others.  All rights reserved.
+
+ This program and the accompanying materials are made available under the
+ terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ and is available at http://www.eclipse.org/legal/epl-v10.html
+-->
+<snapshot>
+    <configuration>
+        <data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
+            <modules xmlns="urn:opendaylight:params:xml:ns:yang:controller:config">
+
+                <!-- defines an implementation module -->
+                <module>
+                    <type xmlns:authz="urn:opendaylight:params:xml:ns:yang:controller:config:aaa-authz:srv">authz:aaa-authz-service</type>
+                    <name>aaa-authz-service</name>
+
+                    <dom-broker>
+                        <type xmlns:dom="urn:opendaylight:params:xml:ns:yang:controller:md:sal:dom">dom:dom-broker-osgi-registry</type>
+                        <name>dom-broker</name>
+                    </dom-broker>
+
+                    <data-broker>
+                        <type xmlns:binding="urn:opendaylight:params:xml:ns:yang:controller:md:sal:binding">binding:binding-data-broker</type>
+                        <name>binding-data-broker</name>
+                    </data-broker>
+
+                    <policies xmlns="urn:opendaylight:params:xml:ns:yang:controller:config:aaa-authz:srv">
+                        <service xmlns="urn:opendaylight:params:xml:ns:yang:controller:config:aaa-authz:srv">RestConfService</service>
+                        <action xmlns="urn:opendaylight:params:xml:ns:yang:controller:config:aaa-authz:srv">Any</action>
+                        <resource xmlns="urn:opendaylight:params:xml:ns:yang:controller:config:aaa-authz:srv">*</resource>
+                        <role xmlns="urn:opendaylight:params:xml:ns:yang:controller:config:aaa-authz:srv">admin</role>
+                    </policies>
+
+                </module>
+            </modules>
+
+            <services xmlns="urn:opendaylight:params:xml:ns:yang:controller:config">
+                <service>
+                    <type xmlns:dom="urn:opendaylight:params:xml:ns:yang:controller:md:sal:dom">dom:dom-broker-osgi-registry</type>
+                    <instance>
+                        <name>authz-connector-default</name>
+                        <provider>
+                            /modules/module[type='aaa-authz-service'][name='aaa-authz-service']
+                        </provider>
+                    </instance>
+                </service>
+            </services>
+
+        </data>
+
+
+    </configuration>
+    <required-capabilities>
+        <capability>urn:opendaylight:params:xml:ns:yang:controller:config:aaa-authz:srv?module=aaa-authz-service-impl&amp;revision=2014-07-01</capability>
+    </required-capabilities>
+
+</snapshot>
diff --git a/odl-aaa-moon/aaa-authz/aaa-authz-model/pom.xml b/odl-aaa-moon/aaa-authz/aaa-authz-model/pom.xml
new file mode 100644
index 00000000..a1d3a28f
--- /dev/null
+++ b/odl-aaa-moon/aaa-authz/aaa-authz-model/pom.xml
@@ -0,0 +1,95 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>org.opendaylight.aaa</groupId>
+        <artifactId>aaa-parent</artifactId>
+        <version>0.3.1-Beryllium-SR1</version>
+        <relativePath>../../parent</relativePath>
+    </parent>
+
+    <artifactId>aaa-authz-model</artifactId>
+    <name>${project.artifactId}</name>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.opendaylight.mdsal</groupId>
+            <artifactId>yang-binding</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.mdsal.model</groupId>
+            <artifactId>ietf-inet-types</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.mdsal.model</groupId>
+            <artifactId>ietf-yang-types</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.mdsal.model</groupId>
+            <artifactId>yang-ext</artifactId>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.felix</groupId>
+                <artifactId>maven-bundle-plugin</artifactId>
+                <extensions>true</extensions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-javadoc-plugin</artifactId>
+                <configuration>
+                    <stylesheet>maven</stylesheet>
+                </configuration>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>aggregate</goal>
+                        </goals>
+                        <phase>site</phase>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.opendaylight.yangtools</groupId>
+                <artifactId>yang-maven-plugin</artifactId>
+                <version>${yangtools.version}</version>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>generate-sources</goal>
+                        </goals>
+                        <configuration>
+                            <yangFilesRootDir>src/main/yang</yangFilesRootDir>
+                            <codeGenerators>
+                                <generator>
+                                    <codeGeneratorClass>
+                                        org.opendaylight.yangtools.maven.sal.api.gen.plugin.CodeGeneratorImpl
+                                    </codeGeneratorClass>
+                                    <outputBaseDir>${salGeneratorPath}</outputBaseDir>
+                                </generator>
+                            </codeGenerators>
+                            <inspectDependencies>true</inspectDependencies>
+                        </configuration>
+                    </execution>
+                </executions>
+
+                <dependencies>
+                    <dependency>
+                        <groupId>org.opendaylight.mdsal</groupId>
+                        <artifactId>maven-sal-api-gen-plugin</artifactId>
+                        <version>${yangtools.version}</version>
+                        <type>jar</type>
+                    </dependency>
+                </dependencies>
+            </plugin>
+        </plugins>
+    </build>
+    <packaging>bundle</packaging>
+
+</project>
diff --git a/odl-aaa-moon/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang b/odl-aaa-moon/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang
new file mode 100644
index 00000000..2e0cf9cb
--- /dev/null
+++ b/odl-aaa-moon/aaa-authz/aaa-authz-model/src/main/yang/authorization-schema.yang
@@ -0,0 +1,190 @@
+module authorization-schema {
+  yang-version 1;
+  namespace "urn:aaa:yang:authz:ds";
+  prefix "authz";
+  organization "TBD";
+
+  contact "wdec@cisco.com";
+
+  revision 2014-07-22 {
+    description
+      "Initial revision.";
+  }
+
+  //Main module begins
+
+  //TODO: Refactor service type as URI
+
+  //Define the servicetype; Service is used to identify the requestors' name, which would correspond to an ODL component eg Restconf. Possibly
+  //the naming will derive from the OSGi bundle name of the AuthZ requesting party.
+
+  typedef service-type {
+    type string;
+  }
+
+  //Resource denotes the actual resource that is the subject of the AuthZ request.
+
+  typedef resource-type {
+    type string;
+    default "*";
+
+    //Examples of resources:
+    //Data : /operational/opendaylight-inventory:nodes/node/openflow:1/node-connector/openflow:1:1
+    //Wildcarded data: /operational/opendaylight-inventory:nodes/node/*/node-connector/*
+    //RPC: /operations/example-ops:reboot
+    //Wildcarded RPC: /operations/example-ops:*
+    //Notification: /notifications/example-ops:startup
+  }
+
+  //Role denotes the normalized role that is attributed to the AuthZ requestor, eg "admin"
+
+  typedef role-type {
+    type string;
+  }
+
+  //Domain denotes the customer domain that is the attributed of the AuthZ requestor, eg cisco.com
+
+  typedef domain-type {
+    type string;
+  }
+
+  //Action denotes the requested AuthZ action on the resource
+  //TODO: Refactor as identities to allow for augmentation.
+
+  typedef action-type {
+    type enumeration {
+      enum put;
+      enum commit;
+      enum exists;
+      enum getIdentifier;
+      enum read;
+      enum cancel;
+      enum submit;
+      enum delete;
+      enum merge;
+      enum any;
+    }
+    default "any";
+  }
+
+  typedef authorization-response-type {
+    type enumeration {
+        enum not-authorized { value 0; }
+        enum authorized { value 1; }
+    }
+  }
+
+  typedef authorization-duration-type {
+    type uint32;
+  }
+
+  // Following grouping is the core AuthZ policy permissions data-structure, dual keyed by service and action.
+  // Permissions will be set-up per application. NOTE: Group and role can be equivalent. do we need both?
+
+  grouping authorization-grp {
+    list policies {
+      key "service";
+      leaf service {
+        type service-type;
+      }
+      leaf action {
+        type action-type;
+      }
+      leaf resource {
+        type resource-type;
+        mandatory true;
+      }
+      leaf role {
+        type role-type;
+        mandatory true;
+      }
+      leaf authorization {
+        type authorization-response-type;
+      }
+    }
+  }
+
+  // Following container provides the simple, non-domain specific AuthZ policy data-structure, dual keyed by service and action.
+
+  container simple-authorization {
+    uses authorization-grp;
+  }
+
+  // Following container provides the domain AuthZ policy data-structure. Each Policy is extended with a authz-domain-chain,
+  // which contains a prioritized list of the leafrefs to additional domain policies that also apply to this domain.
+  // The construct allows the chaining of policies like foo.com -> customer.sp.com -> customer.carrier.com.
+
+
+  container domain-authorization {
+    list domains {
+      key "domain-name";
+      leaf domain-name {
+        type domain-type;
+      }
+      uses authorization-grp;
+      list authz-domain-chain {
+        key "priority";
+        leaf priority {
+        type uint32;
+      }
+      leaf domain-name {
+        type leafref  {
+          path "/additional-domain-authz/domains/domain-name";
+        }
+      }
+    }
+  }
+}
+
+container additional-domain-authz {
+  list domains {
+    key "domain-name";
+    leaf domain-name {
+      type domain-type;
+       }
+      uses authorization-grp;
+     }
+  }
+
+
+
+  /* The following is the AuthZ RPC definition */
+
+  rpc req-authorization {
+    description
+      "Check Authorization for a given combination of action and role.
+      A not-authorized  will be returned if unsuccessful.";
+
+    input {
+      leaf domain-name {
+        type domain-type;
+      }
+      leaf service {
+        type service-type;
+      }
+      leaf action {
+        type action-type;
+        mandatory true;
+      }
+
+      leaf resource {
+        type resource-type;
+        mandatory true;
+      }
+      leaf role {
+        type role-type;
+        mandatory true;
+      }
+
+    }
+
+    output {
+
+      leaf authorization-response {
+        type authorization-response-type;
+        mandatory true;
+      }
+
+    }
+  }
+}
diff --git a/odl-aaa-moon/aaa-authz/aaa-authz-restconf-config/pom.xml b/odl-aaa-moon/aaa-authz/aaa-authz-restconf-config/pom.xml
new file mode 100644
index 00000000..95db7458
--- /dev/null
+++ b/odl-aaa-moon/aaa-authz/aaa-authz-restconf-config/pom.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.opendaylight.aaa</groupId>
+        <artifactId>aaa-parent</artifactId>
+        <version>0.3.1-Beryllium-SR1</version>
+        <relativePath>../../parent</relativePath>
+    </parent>
+
+    <artifactId>authz-restconf-config</artifactId>
+
+    <description>AuthZ Restconf Connector Configuration file </description>
+    <packaging>jar</packaging>
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>build-helper-maven-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>attach-artifacts</id>
+                        <goals>
+                            <goal>attach-artifact</goal>
+                        </goals>
+                        <phase>package</phase>
+                        <configuration>
+                            <artifacts>
+                                <artifact>
+                                    <file>${project.build.directory}/classes/initial/${config.restconf.configfile}</file>
+                                    <type>xml</type>
+                                     <classifier>config</classifier>
+                                </artifact>
+                            </artifacts>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+</project>
diff --git a/odl-aaa-moon/aaa-authz/aaa-authz-restconf-config/src/main/resources/initial/09-rest-connector.xml b/odl-aaa-moon/aaa-authz/aaa-authz-restconf-config/src/main/resources/initial/09-rest-connector.xml
new file mode 100644
index 00000000..deba6558
--- /dev/null
+++ b/odl-aaa-moon/aaa-authz/aaa-authz-restconf-config/src/main/resources/initial/09-rest-connector.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Copyright (c) 2014 Cisco Systems, Inc. and others.  All rights reserved.
+
+This program and the accompanying materials are made available under the
+terms of the Eclipse Public License v1.0 which accompanies this distribution,
+and is available at http://www.eclipse.org/legal/epl-v10.html
+-->
+<snapshot>
+    <configuration>
+        <data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
+            <modules xmlns="urn:opendaylight:params:xml:ns:yang:controller:config">
+
+                <module>
+                    <type xmlns:rest="urn:opendaylight:params:xml:ns:yang:controller:md:sal:rest:connector">rest:rest-connector-impl</type>
+                    <name>rest-connector-default-impl</name>
+                    <websocket-port>8185</websocket-port>
+                    <dom-broker>
+                        <type xmlns:dom="urn:opendaylight:params:xml:ns:yang:controller:md:sal:dom">dom:dom-broker-osgi-registry</type>
+                        <name>authz-connector-default</name>
+                    </dom-broker>
+                </module>
+            </modules>
+
+            <services xmlns="urn:opendaylight:params:xml:ns:yang:controller:config">
+                <service>
+                    <type xmlns:rest="urn:opendaylight:params:xml:ns:yang:controller:md:sal:rest:connector">rest:rest-connector</type>
+                    <instance>
+                        <name>rest-connector-default</name>
+                        <provider>
+                            /modules/module[type='rest-connector-impl'][name='rest-connector-default-impl']
+                        </provider>
+                    </instance>
+                </service>
+            </services>
+
+        </data>
+    </configuration>
+    <required-capabilities>
+        <capability>urn:opendaylight:params:xml:ns:yang:controller:md:sal:rest:connector?module=opendaylight-rest-connector&amp;revision=2014-07-24</capability>
+    </required-capabilities>
+</snapshot>
diff --git a/odl-aaa-moon/aaa-authz/aaa-authz-service/pom.xml b/odl-aaa-moon/aaa-authz/aaa-authz-service/pom.xml
new file mode 100644
index 00000000..a0afef82
--- /dev/null
+++ b/odl-aaa-moon/aaa-authz/aaa-authz-service/pom.xml
@@ -0,0 +1,152 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- ~ Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved.
+    ~ ~ This program and the accompanying materials are made available under
+    the ~ terms of the Eclipse Public License v1.0 which accompanies this distribution,
+    ~ and is available at http://www.eclipse.org/legal/epl-v10.html -->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <parent>
+        <groupId>org.opendaylight.aaa</groupId>
+        <artifactId>aaa-parent</artifactId>
+        <version>0.3.1-Beryllium-SR1</version>
+        <relativePath>../../parent</relativePath>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>aaa-authz-service</artifactId>
+    <packaging>bundle</packaging>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.opendaylight.controller</groupId>
+            <artifactId>sal-binding-util</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.controller</groupId>
+            <artifactId>sal-common-util</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.yangtools</groupId>
+            <artifactId>yang-data-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>commons-codec</groupId>
+            <artifactId>commons-codec</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.controller</groupId>
+            <artifactId>sal-binding-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.controller</groupId>
+            <artifactId>config-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.controller</groupId>
+            <artifactId>sal-binding-config</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authz-model</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.controller</groupId>
+            <artifactId>sal-core-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.controller</groupId>
+            <artifactId>sal-core-spi</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.jboss.resteasy</groupId>
+            <artifactId>jaxrs-api</artifactId>
+            <scope>provided</scope>
+        </dependency>
+
+        <!-- Test dependencies -->
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-all</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-simple</artifactId>
+            <scope>test</scope>
+        </dependency>
+
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.felix</groupId>
+                <artifactId>maven-bundle-plugin</artifactId>
+                <extensions>true</extensions>
+                <configuration>
+                    <instructions>
+                        <!-- <Bundle-Activator>org.opendaylight.aaa.authz.srv.AuthzProvider</Bundle-Activator> -->
+                        <Export-Package>org.opendaylight.aaa.config.yang.aaa_srv,</Export-Package>
+                    </instructions>
+                </configuration>
+                <!-- <configuration> <Export-Package> </Export-Package> </configuration> -->
+            </plugin>
+            <plugin>
+                <groupId>org.opendaylight.yangtools</groupId>
+                <artifactId>yang-maven-plugin</artifactId>
+                <version>${yangtools.version}</version>
+                <executions>
+                    <execution>
+                        <id>config</id>
+                        <goals>
+                            <goal>generate-sources</goal>
+                        </goals>
+                        <configuration>
+                            <codeGenerators>
+                                <generator>
+                                    <codeGeneratorClass>
+                                        org.opendaylight.controller.config.yangjmxgenerator.plugin.JMXGenerator
+                                    </codeGeneratorClass>
+                                    <outputBaseDir>${jmxGeneratorPath}</outputBaseDir>
+                                    <additionalConfiguration>
+                                        <namespaceToPackage1>
+                                            urn:opendaylight:params:xml:ns:yang:controller==org.opendaylight.controller.config.yang
+                                        </namespaceToPackage1>
+                                    </additionalConfiguration>
+                                </generator>
+                                <generator>
+                                    <codeGeneratorClass>org.opendaylight.yangtools.maven.sal.api.gen.plugin.CodeGeneratorImpl</codeGeneratorClass>
+                                    <outputBaseDir>${salGeneratorPath}</outputBaseDir>
+                                </generator>
+                            </codeGenerators>
+                            <inspectDependencies>true</inspectDependencies>
+                        </configuration>
+                    </execution>
+                </executions>
+                <dependencies>
+                    <dependency>
+                        <groupId>org.opendaylight.controller</groupId>
+                        <artifactId>yang-jmx-generator-plugin</artifactId>
+                        <version>${config.version}</version>
+                    </dependency>
+                    <dependency>
+                        <groupId>org.opendaylight.mdsal</groupId>
+                        <artifactId>maven-sal-api-gen-plugin</artifactId>
+                        <version>${yangtools.version}</version>
+                    </dependency>
+                </dependencies>
+            </plugin>
+        </plugins>
+    </build>
+
+</project>
diff --git a/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzBrokerImpl.java b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzBrokerImpl.java
new file mode 100644
index 00000000..d4ac79af
--- /dev/null
+++ b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzBrokerImpl.java
@@ -0,0 +1,150 @@
+/*
+ * Copyright (c) 2014 Cisco Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.authz.srv;
+
+import java.util.Collection;
+
+import org.opendaylight.aaa.api.AuthenticationService;
+import org.opendaylight.controller.md.sal.dom.api.DOMDataBroker;
+import org.opendaylight.controller.sal.core.api.Broker;
+import org.opendaylight.controller.sal.core.api.Consumer;
+import org.opendaylight.controller.sal.core.api.Provider;
+import org.osgi.framework.BundleContext;
+
+/**
+ * Created by wdec on 26/08/2014.
+ */
+public class AuthzBrokerImpl implements Broker, AutoCloseable, Provider {
+
+    private Broker broker;
+    private ProviderSession providerSession;
+    private AuthenticationService authenticationService;
+
+    public void setBroker(Broker broker) {
+        this.broker = broker;
+    }
+
+    @Override
+    public void close() throws Exception {
+
+    }
+
+    // Implements AuthzBroker handling of registering consumers or providers.
+    @Override
+    public ConsumerSession registerConsumer(Consumer consumer) {
+
+        ConsumerSession realSession = broker.registerConsumer(new ConsumerWrapper(consumer));
+        AuthzConsumerContextImpl authzConsumerContext = new AuthzConsumerContextImpl(realSession,
+                this);
+        consumer.onSessionInitiated(authzConsumerContext);
+        return authzConsumerContext;
+    }
+
+    @Override
+    public ConsumerSession registerConsumer(Consumer consumer, BundleContext bundleContext) {
+
+        ConsumerSession realSession = broker.registerConsumer(new ConsumerWrapper(consumer),
+                bundleContext);
+        AuthzConsumerContextImpl authzConsumerContext = new AuthzConsumerContextImpl(realSession,
+                this);
+        consumer.onSessionInitiated(authzConsumerContext);
+        return authzConsumerContext;
+    }
+
+    @Override
+    public ProviderSession registerProvider(Provider provider) {
+
+        ProviderSession realSession = broker.registerProvider(new ProviderWrapper(provider));
+        AuthzProviderContextImpl authzProviderContext = new AuthzProviderContextImpl(realSession,
+                this);
+        provider.onSessionInitiated(authzProviderContext);
+        return authzProviderContext;
+    }
+
+    @Override
+    public ProviderSession registerProvider(Provider provider, BundleContext bundleContext) {
+
+        // Allow the real broker to do its thing, while providing a wrapped
+        // callback
+        ProviderSession realSession = broker.registerProvider(new ProviderWrapper(provider),
+                bundleContext);
+
+        // Create Authz ProviderContext
+        AuthzProviderContextImpl authzProviderContext = new AuthzProviderContextImpl(realSession,
+                this);
+
+        // Run onsessionInitiated on injected provider with the AuthZ provider
+        // context.
+        provider.onSessionInitiated(authzProviderContext);
+        return authzProviderContext;
+
+    }
+
+    // Handle the AuthZBroker registration with the real broker
+    @Override
+    public void onSessionInitiated(ProviderSession providerSession) {
+
+        // Get now the real DOMDataBroker and register it with the
+        // AuthzDOMBroker together with the provider session
+        final DOMDataBroker domDataBroker = providerSession.getService(DOMDataBroker.class);
+        AuthzDomDataBroker.getInstance().setProviderSession(providerSession);
+        AuthzDomDataBroker.getInstance().setDomDataBroker(domDataBroker);
+        AuthzDomDataBroker.getInstance().setAuthService(this.authenticationService);
+    }
+
+    @Override
+    public Collection<ProviderFunctionality> getProviderFunctionality() {
+        return null;
+    }
+
+    public void setAuthenticationService(AuthenticationService authenticationService) {
+        this.authenticationService = authenticationService;
+    }
+
+    // Wrapper for Provider
+
+    public static class ProviderWrapper implements Provider {
+        private final Provider provider;
+
+        public ProviderWrapper(Provider provider) {
+            this.provider = provider;
+        }
+
+        @Override
+        public void onSessionInitiated(ProviderSession providerSession) {
+            // Do a Noop when the real broker calls back
+        }
+
+        @Override
+        public Collection<ProviderFunctionality> getProviderFunctionality() {
+            // Allow the RestconfImpl to respond to this
+            return provider.getProviderFunctionality();
+        }
+    }
+
+    // Wrapper for Consumer
+    public static class ConsumerWrapper implements Consumer {
+
+        private final Consumer consumer;
+
+        public ConsumerWrapper(Consumer consumer) {
+            this.consumer = consumer;
+        }
+
+        @Override
+        public void onSessionInitiated(ConsumerSession consumerSession) {
+            // Do a Noop when the real broker calls back
+        }
+
+        @Override
+        public Collection<ConsumerFunctionality> getConsumerFunctionality() {
+            return consumer.getConsumerFunctionality();
+        }
+    }
+}
diff --git a/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzConsumerContextImpl.java b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzConsumerContextImpl.java
new file mode 100644
index 00000000..07ba51cd
--- /dev/null
+++ b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzConsumerContextImpl.java
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2014 Cisco Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.authz.srv;
+
+import org.opendaylight.controller.md.sal.dom.api.DOMDataBroker;
+import org.opendaylight.controller.sal.core.api.Broker;
+import org.opendaylight.controller.sal.core.api.Broker.ConsumerSession;
+import org.opendaylight.controller.sal.core.api.BrokerService;
+import org.opendaylight.controller.sal.core.spi.ForwardingConsumerSession;
+
+/**
+ * Created by wdec on 28/08/2014.
+ */
+public class AuthzConsumerContextImpl extends ForwardingConsumerSession {
+
+    private final Broker.ConsumerSession realSession;
+
+    public AuthzConsumerContextImpl(Broker.ConsumerSession realSession, AuthzBrokerImpl authzBroker) {
+        this.realSession = realSession;
+    }
+
+    @Override
+    protected ConsumerSession delegate() {
+        return realSession;
+    }
+
+    @Override
+    public <T extends BrokerService> T getService(Class<T> tClass) {
+        T t;
+        // Check for class and return Authz broker only for DOMBroker
+        if (tClass == DOMDataBroker.class) {
+            t = (T) AuthzDomDataBroker.getInstance();
+        } else {
+            t = realSession.getService(tClass);
+        }
+        // AuthzDomDataBroker.getInstance().setDomDataBroker((DOMDataBroker)t);
+        return t;
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDataReadWriteTransaction.java b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDataReadWriteTransaction.java
new file mode 100644
index 00000000..4cc232bc
--- /dev/null
+++ b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDataReadWriteTransaction.java
@@ -0,0 +1,129 @@
+/*
+ * Copyright (c) 2014 Cisco Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.authz.srv;
+
+import com.google.common.base.Optional;
+import com.google.common.util.concurrent.CheckedFuture;
+import com.google.common.util.concurrent.Futures;
+import com.google.common.util.concurrent.ListenableFuture;
+
+import org.opendaylight.controller.md.sal.common.api.TransactionStatus;
+import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
+import org.opendaylight.controller.md.sal.common.api.data.ReadFailedException;
+import org.opendaylight.controller.md.sal.common.api.data.TransactionCommitFailedException;
+import org.opendaylight.controller.md.sal.dom.api.DOMDataReadWriteTransaction;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authz.ds.rev140722.ActionType;
+import org.opendaylight.yangtools.yang.common.RpcResult;
+import org.opendaylight.yangtools.yang.data.api.YangInstanceIdentifier;
+import org.opendaylight.yangtools.yang.data.api.schema.NormalizedNode;
+
+/**
+ * Created by wdec on 26/08/2014.
+ */
+public class AuthzDataReadWriteTransaction implements DOMDataReadWriteTransaction {
+
+    private final DOMDataReadWriteTransaction domDataReadWriteTransaction;
+
+    public AuthzDataReadWriteTransaction(DOMDataReadWriteTransaction domDataReadWriteTransaction) {
+        this.domDataReadWriteTransaction = domDataReadWriteTransaction;
+    }
+
+    @Override
+    public boolean cancel() {
+        if (AuthzServiceImpl.isAuthorized(ActionType.Cancel)) {
+            return domDataReadWriteTransaction.cancel();
+        }
+        return false;
+    }
+
+    @Override
+    public void delete(LogicalDatastoreType logicalDatastoreType,
+            YangInstanceIdentifier yangInstanceIdentifier) {
+
+        if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier,
+                ActionType.Delete)) {
+            domDataReadWriteTransaction.delete(logicalDatastoreType, yangInstanceIdentifier);
+        }
+    }
+
+    @Override
+    public CheckedFuture<Void, TransactionCommitFailedException> submit() {
+        if (AuthzServiceImpl.isAuthorized(ActionType.Submit)) {
+            return domDataReadWriteTransaction.submit();
+        }
+        TransactionCommitFailedException e = new TransactionCommitFailedException(
+                "Unauthorized User");
+        return Futures.immediateFailedCheckedFuture(e);
+    }
+
+    @Deprecated
+    @Override
+    public ListenableFuture<RpcResult<TransactionStatus>> commit() {
+        if (AuthzServiceImpl.isAuthorized(ActionType.Commit)) {
+            return domDataReadWriteTransaction.commit();
+        }
+        TransactionCommitFailedException e = new TransactionCommitFailedException(
+                "Unauthorized User");
+        return Futures.immediateFailedCheckedFuture(e);
+    }
+
+    @Override
+    public CheckedFuture<Optional<NormalizedNode<?, ?>>, ReadFailedException> read(
+            LogicalDatastoreType logicalDatastoreType, YangInstanceIdentifier yangInstanceIdentifier) {
+
+        if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier,
+                ActionType.Read)) {
+            return domDataReadWriteTransaction.read(logicalDatastoreType, yangInstanceIdentifier);
+        }
+        ReadFailedException e = new ReadFailedException("Authorization Failed");
+        return Futures.immediateFailedCheckedFuture(e);
+    }
+
+    @Override
+    public CheckedFuture<Boolean, ReadFailedException> exists(
+            LogicalDatastoreType logicalDatastoreType, YangInstanceIdentifier yangInstanceIdentifier) {
+
+        if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier,
+                ActionType.Exists)) {
+            return domDataReadWriteTransaction.exists(logicalDatastoreType, yangInstanceIdentifier);
+        }
+        ReadFailedException e = new ReadFailedException("Authorization Failed");
+        return Futures.immediateFailedCheckedFuture(e);
+    }
+
+    @Override
+    public void put(LogicalDatastoreType logicalDatastoreType,
+            YangInstanceIdentifier yangInstanceIdentifier, NormalizedNode<?, ?> normalizedNode) {
+
+        if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier,
+                ActionType.Put)) {
+            domDataReadWriteTransaction.put(logicalDatastoreType, yangInstanceIdentifier,
+                    normalizedNode);
+        }
+    }
+
+    @Override
+    public void merge(LogicalDatastoreType logicalDatastoreType,
+            YangInstanceIdentifier yangInstanceIdentifier, NormalizedNode<?, ?> normalizedNode) {
+
+        if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier,
+                ActionType.Merge)) {
+            domDataReadWriteTransaction.merge(logicalDatastoreType, yangInstanceIdentifier,
+                    normalizedNode);
+        }
+    }
+
+    @Override
+    public Object getIdentifier() {
+        if (AuthzServiceImpl.isAuthorized(ActionType.GetIdentifier)) {
+            return domDataReadWriteTransaction.getIdentifier();
+        }
+        return null;
+    }
+}
diff --git a/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDomDataBroker.java b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDomDataBroker.java
new file mode 100644
index 00000000..911f5a48
--- /dev/null
+++ b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzDomDataBroker.java
@@ -0,0 +1,100 @@
+/*
+ * Copyright (c) 2014 Cisco Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.authz.srv;
+
+import java.util.Map;
+import org.opendaylight.aaa.api.AuthenticationService;
+import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
+import org.opendaylight.controller.md.sal.common.api.data.TransactionChainListener;
+import org.opendaylight.controller.md.sal.dom.api.DOMDataBroker;
+import org.opendaylight.controller.md.sal.dom.api.DOMDataBrokerExtension;
+import org.opendaylight.controller.md.sal.dom.api.DOMDataChangeListener;
+import org.opendaylight.controller.md.sal.dom.api.DOMDataReadOnlyTransaction;
+import org.opendaylight.controller.md.sal.dom.api.DOMDataReadWriteTransaction;
+import org.opendaylight.controller.md.sal.dom.api.DOMDataWriteTransaction;
+import org.opendaylight.controller.md.sal.dom.api.DOMTransactionChain;
+import org.opendaylight.controller.sal.core.api.Broker;
+import org.opendaylight.controller.sal.core.api.BrokerService;
+import org.opendaylight.yangtools.concepts.ListenerRegistration;
+import org.opendaylight.yangtools.yang.data.api.YangInstanceIdentifier;
+
+/**
+ * Created by wdec on 26/08/2014.
+ */
+public class AuthzDomDataBroker implements BrokerService, DOMDataBroker {
+
+    private DOMDataBroker domDataBroker;
+    private Broker.ProviderSession providerSession;
+
+    private volatile AuthenticationService authService;
+
+    final static AuthzDomDataBroker INSTANCE = new AuthzDomDataBroker();
+
+    public static AuthzDomDataBroker getInstance() {
+        return INSTANCE;
+    }
+
+    public void setDomDataBroker(DOMDataBroker domDataBroker) {
+        this.domDataBroker = domDataBroker;
+    }
+
+    public void setProviderSession(Broker.ProviderSession providerSession) {
+        this.providerSession = providerSession;
+    }
+
+    public void setAuthService(AuthenticationService authService) {
+        this.authService = authService;
+    }
+
+    public AuthenticationService getAuthService() {
+        return this.authService;
+    }
+
+    @Override
+    public DOMDataReadOnlyTransaction newReadOnlyTransaction() {
+        // new Authz transaction + inject real DOM Transaction
+        DOMDataReadOnlyTransaction ro = domDataBroker.newReadOnlyTransaction();
+
+        // return domDataBroker.newReadOnlyTransaction(); //Return original
+        return new AuthzReadOnlyTransaction(ro);
+    }
+
+    @Override
+    public Map<Class<? extends DOMDataBrokerExtension>, DOMDataBrokerExtension> getSupportedExtensions() {
+        return domDataBroker.getSupportedExtensions();
+    }
+
+    @Override
+    public DOMDataReadWriteTransaction newReadWriteTransaction() {
+        // return new Authz transaction + inject real DOM Transaction
+        DOMDataReadWriteTransaction rw = domDataBroker.newReadWriteTransaction();
+        return new AuthzDataReadWriteTransaction(rw);
+    }
+
+    @Override
+    public DOMDataWriteTransaction newWriteOnlyTransaction() {
+        DOMDataWriteTransaction wo = domDataBroker.newWriteOnlyTransaction();
+        return new AuthzWriteOnlyTransaction(wo);
+    }
+
+    @Override
+    public ListenerRegistration<DOMDataChangeListener> registerDataChangeListener(
+            LogicalDatastoreType logicalDatastoreType,
+            YangInstanceIdentifier yangInstanceIdentifier,
+            DOMDataChangeListener domDataChangeListener, DataChangeScope dataChangeScope) {
+        return domDataBroker.registerDataChangeListener(logicalDatastoreType,
+                yangInstanceIdentifier, domDataChangeListener, dataChangeScope);
+    }
+
+    @Override
+    public DOMTransactionChain createTransactionChain(
+            TransactionChainListener transactionChainListener) {
+        return domDataBroker.createTransactionChain(transactionChainListener);
+    }
+}
diff --git a/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzProviderContextImpl.java b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzProviderContextImpl.java
new file mode 100644
index 00000000..dbfea6ed
--- /dev/null
+++ b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzProviderContextImpl.java
@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 2014 Cisco Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.authz.srv;
+
+import org.opendaylight.controller.md.sal.dom.api.DOMDataBroker;
+import org.opendaylight.controller.sal.core.api.Broker;
+import org.opendaylight.controller.sal.core.api.Broker.ProviderSession;
+import org.opendaylight.controller.sal.core.api.BrokerService;
+import org.opendaylight.controller.sal.core.spi.ForwardingProviderSession;
+
+/**
+ * Created by wdec on 28/08/2014.
+ */
+public class AuthzProviderContextImpl extends ForwardingProviderSession {
+
+    private final Broker.ProviderSession realSession;
+
+    public AuthzProviderContextImpl(Broker.ProviderSession providerSession,
+            AuthzBrokerImpl authzBroker) {
+        this.realSession = providerSession;
+    }
+
+    @Override
+    protected ProviderSession delegate() {
+        // TODO Auto-generated method stub
+        return realSession;
+    }
+
+    @Override
+    public <T extends BrokerService> T getService(Class<T> tClass) {
+        T t;
+        // Check for class and return Authz broker only for DOMBroker
+        if (tClass == DOMDataBroker.class) {
+            t = (T) AuthzDomDataBroker.getInstance();
+        } else {
+            t = realSession.getService(tClass);
+        }
+        // AuthzDomDataBroker.getInstance().setDomDataBroker((DOMDataBroker)t);
+        return t;
+    }
+}
diff --git a/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzReadOnlyTransaction.java b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzReadOnlyTransaction.java
new file mode 100644
index 00000000..c46ffe7c
--- /dev/null
+++ b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzReadOnlyTransaction.java
@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 2014 Cisco Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.authz.srv;
+
+import com.google.common.base.Optional;
+import com.google.common.util.concurrent.CheckedFuture;
+import com.google.common.util.concurrent.Futures;
+
+import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
+import org.opendaylight.controller.md.sal.common.api.data.ReadFailedException;
+import org.opendaylight.controller.md.sal.dom.api.DOMDataReadOnlyTransaction;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authz.ds.rev140722.ActionType;
+import org.opendaylight.yangtools.yang.data.api.YangInstanceIdentifier;
+import org.opendaylight.yangtools.yang.data.api.schema.NormalizedNode;
+
+/**
+ * Created by wdec on 28/08/2014.
+ */
+
+public class AuthzReadOnlyTransaction implements DOMDataReadOnlyTransaction {
+
+    private final DOMDataReadOnlyTransaction ro;
+
+    public AuthzReadOnlyTransaction(DOMDataReadOnlyTransaction ro) {
+        this.ro = ro;
+    }
+
+    @Override
+    public void close() {
+        ro.close();
+    }
+
+    @Override
+    public CheckedFuture<Optional<NormalizedNode<?, ?>>, ReadFailedException> read(
+            LogicalDatastoreType logicalDatastoreType, YangInstanceIdentifier yangInstanceIdentifier) {
+
+        if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier,
+                ActionType.Read)) {
+            return ro.read(logicalDatastoreType, yangInstanceIdentifier);
+        }
+        ReadFailedException e = new ReadFailedException("Authorization Failed");
+        return Futures.immediateFailedCheckedFuture(e);
+    }
+
+    @Override
+    public CheckedFuture<Boolean, ReadFailedException> exists(
+            LogicalDatastoreType logicalDatastoreType, YangInstanceIdentifier yangInstanceIdentifier) {
+
+        if (AuthzServiceImpl.isAuthorized(ActionType.Exists)) {
+            return ro.exists(logicalDatastoreType, yangInstanceIdentifier);
+        }
+        ReadFailedException e = new ReadFailedException("Authorization Failed");
+        return Futures.immediateFailedCheckedFuture(e);
+    }
+
+    @Override
+    public Object getIdentifier() {
+        if (AuthzServiceImpl.isAuthorized(ActionType.GetIdentifier)) {
+            return ro.getIdentifier();
+        }
+        return null;
+    }
+}
diff --git a/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzServiceImpl.java b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzServiceImpl.java
new file mode 100644
index 00000000..fb344812
--- /dev/null
+++ b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzServiceImpl.java
@@ -0,0 +1,121 @@
+/*
+ * Copyright (c) 2014 Cisco Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.authz.srv;
+
+import java.util.List;
+import org.opendaylight.aaa.api.Authentication;
+import org.opendaylight.aaa.api.AuthenticationService;
+import org.opendaylight.controller.config.yang.config.aaa_authz.srv.Policies;
+import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authz.ds.rev140722.ActionType;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authz.ds.rev140722.AuthorizationResponseType;
+import org.opendaylight.yangtools.yang.data.api.YangInstanceIdentifier;
+
+/**
+ * @author lmukkama Date: 9/2/14
+ */
+public class AuthzServiceImpl {
+
+    private static List<Policies> listPolicies;
+
+    private static final String WILDCARD_TOKEN = "*";
+
+    public static boolean isAuthorized(LogicalDatastoreType logicalDatastoreType,
+            YangInstanceIdentifier yangInstanceIdentifier, ActionType actionType) {
+
+        AuthorizationResponseType authorizationResponseType = AuthzServiceImpl.reqAuthorization(
+                actionType, logicalDatastoreType, yangInstanceIdentifier);
+        return authorizationResponseType.equals(AuthorizationResponseType.Authorized);
+    }
+
+    public static boolean isAuthorized(ActionType actionType) {
+        AuthorizationResponseType authorizationResponseType = AuthzServiceImpl
+                .reqAuthorization(actionType);
+        return authorizationResponseType.equals(AuthorizationResponseType.Authorized);
+    }
+
+    public static void setPolicies(List<Policies> policies) {
+
+        AuthzServiceImpl.listPolicies = policies;
+    }
+
+    public static AuthorizationResponseType reqAuthorization(ActionType actionType) {
+
+        AuthenticationService authenticationService = AuthzDomDataBroker.getInstance()
+                .getAuthService();
+        if (authenticationService != null && AuthzServiceImpl.listPolicies != null
+                && AuthzServiceImpl.listPolicies.size() > 0) {
+            Authentication authentication = authenticationService.get();
+            if (authentication != null && authentication.roles() != null
+                    && authentication.roles().size() > 0) {
+                return checkAuthorization(actionType, authentication);
+            }
+        }
+        return AuthorizationResponseType.NotAuthorized;
+    }
+
+    public static AuthorizationResponseType reqAuthorization(ActionType actionType,
+            LogicalDatastoreType logicalDatastoreType, YangInstanceIdentifier yangInstanceIdentifier) {
+
+        AuthenticationService authenticationService = AuthzDomDataBroker.getInstance()
+                .getAuthService();
+
+        if (authenticationService != null && AuthzServiceImpl.listPolicies != null
+                && AuthzServiceImpl.listPolicies.size() > 0) {
+            // Authentication Service exists. Can do authorization checks
+            Authentication authentication = authenticationService.get();
+
+            if (authentication != null && authentication.roles() != null
+                    && authentication.roles().size() > 0) {
+                // Authentication claim object exists with atleast one role
+                return checkAuthorization(actionType, authentication, logicalDatastoreType,
+                        yangInstanceIdentifier);
+            }
+        }
+
+        return AuthorizationResponseType.Authorized;
+    }
+
+    private static AuthorizationResponseType checkAuthorization(ActionType actionType,
+            Authentication authentication, LogicalDatastoreType logicalDatastoreType,
+            YangInstanceIdentifier yangInstanceIdentifier) {
+
+        for (Policies policy : AuthzServiceImpl.listPolicies) {
+
+            // Action type is compared as string, since its type is string in
+            // the config yang. Comparison is case insensitive
+            if (authentication.roles().contains(policy.getRole().getValue())
+                    && (policy.getResource().getValue().equals(WILDCARD_TOKEN) || policy
+                            .getResource().getValue().equals(yangInstanceIdentifier.toString()))
+                    && (policy.getAction().toLowerCase()
+                            .equals(ActionType.Any.name().toLowerCase()) || actionType.name()
+                            .toLowerCase().equals(policy.getAction().toLowerCase()))) {
+
+                return AuthorizationResponseType.Authorized;
+            }
+
+        }
+
+        // For helium release we unauthorize other requests.
+        return AuthorizationResponseType.NotAuthorized;
+    }
+
+    private static AuthorizationResponseType checkAuthorization(ActionType actionType,
+            Authentication authentication) {
+
+        for (Policies policy : AuthzServiceImpl.listPolicies) {
+            if (authentication.roles().contains(policy.getRole().getValue())
+                    && (policy.getAction().equalsIgnoreCase(ActionType.Any.name()) || policy
+                            .getAction().equalsIgnoreCase(actionType.name()))) {
+                return AuthorizationResponseType.Authorized;
+            }
+        }
+        return AuthorizationResponseType.NotAuthorized;
+    }
+}
diff --git a/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzWriteOnlyTransaction.java b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzWriteOnlyTransaction.java
new file mode 100644
index 00000000..1123b928
--- /dev/null
+++ b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/aaa/authz/srv/AuthzWriteOnlyTransaction.java
@@ -0,0 +1,103 @@
+/*
+ * Copyright (c) 2014 Cisco Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.authz.srv;
+
+import com.google.common.util.concurrent.CheckedFuture;
+import com.google.common.util.concurrent.Futures;
+import com.google.common.util.concurrent.ListenableFuture;
+
+import org.opendaylight.controller.md.sal.common.api.TransactionStatus;
+import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
+import org.opendaylight.controller.md.sal.common.api.data.TransactionCommitFailedException;
+import org.opendaylight.controller.md.sal.dom.api.DOMDataWriteTransaction;
+import org.opendaylight.yang.gen.v1.urn.aaa.yang.authz.ds.rev140722.ActionType;
+import org.opendaylight.yangtools.yang.common.RpcResult;
+import org.opendaylight.yangtools.yang.data.api.YangInstanceIdentifier;
+import org.opendaylight.yangtools.yang.data.api.schema.NormalizedNode;
+
+/**
+ * Created by wdec on 02/09/2014.
+ */
+public class AuthzWriteOnlyTransaction implements DOMDataWriteTransaction {
+
+    private final DOMDataWriteTransaction domDataWriteTransaction;
+
+    public AuthzWriteOnlyTransaction(DOMDataWriteTransaction wo) {
+        this.domDataWriteTransaction = wo;
+    }
+
+    @Override
+    public void put(LogicalDatastoreType logicalDatastoreType,
+            YangInstanceIdentifier yangInstanceIdentifier, NormalizedNode<?, ?> normalizedNode) {
+
+        if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier,
+                ActionType.Put)) {
+            domDataWriteTransaction.put(logicalDatastoreType, yangInstanceIdentifier,
+                    normalizedNode);
+        }
+    }
+
+    @Override
+    public void merge(LogicalDatastoreType logicalDatastoreType,
+            YangInstanceIdentifier yangInstanceIdentifier, NormalizedNode<?, ?> normalizedNode) {
+
+        if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier,
+                ActionType.Merge)) {
+            domDataWriteTransaction.merge(logicalDatastoreType, yangInstanceIdentifier,
+                    normalizedNode);
+        }
+    }
+
+    @Override
+    public boolean cancel() {
+        if (AuthzServiceImpl.isAuthorized(ActionType.Cancel)) {
+            return domDataWriteTransaction.cancel();
+        }
+        return false;
+    }
+
+    @Override
+    public void delete(LogicalDatastoreType logicalDatastoreType,
+            YangInstanceIdentifier yangInstanceIdentifier) {
+
+        if (AuthzServiceImpl.isAuthorized(logicalDatastoreType, yangInstanceIdentifier,
+                ActionType.Delete)) {
+            domDataWriteTransaction.delete(logicalDatastoreType, yangInstanceIdentifier);
+        }
+    }
+
+    @Override
+    public CheckedFuture<Void, TransactionCommitFailedException> submit() {
+        if (AuthzServiceImpl.isAuthorized(ActionType.Submit)) {
+            return domDataWriteTransaction.submit();
+        }
+        TransactionCommitFailedException e = new TransactionCommitFailedException(
+                "Unauthorized User");
+        return Futures.immediateFailedCheckedFuture(e);
+    }
+
+    @Deprecated
+    @Override
+    public ListenableFuture<RpcResult<TransactionStatus>> commit() {
+        if (AuthzServiceImpl.isAuthorized(ActionType.Commit)) {
+            return domDataWriteTransaction.commit();
+        }
+        TransactionCommitFailedException e = new TransactionCommitFailedException(
+                "Unauthorized User");
+        return Futures.immediateFailedCheckedFuture(e);
+    }
+
+    @Override
+    public Object getIdentifier() {
+        if (AuthzServiceImpl.isAuthorized(ActionType.GetIdentifier)) {
+            return domDataWriteTransaction.getIdentifier();
+        }
+        return null;
+    }
+}
diff --git a/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/controller/config/yang/config/aaa_authz/srv/AuthzSrvModule.java b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/controller/config/yang/config/aaa_authz/srv/AuthzSrvModule.java
new file mode 100644
index 00000000..a590b982
--- /dev/null
+++ b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/controller/config/yang/config/aaa_authz/srv/AuthzSrvModule.java
@@ -0,0 +1,76 @@
+/*
+ * Copyright (c) 2014 Cisco Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.controller.config.yang.config.aaa_authz.srv;
+
+import org.opendaylight.aaa.api.AuthenticationService;
+import org.opendaylight.aaa.authz.srv.AuthzBrokerImpl;
+import org.opendaylight.aaa.authz.srv.AuthzServiceImpl;
+import org.osgi.framework.BundleContext;
+import org.osgi.framework.ServiceReference;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class AuthzSrvModule extends
+        org.opendaylight.controller.config.yang.config.aaa_authz.srv.AbstractAuthzSrvModule {
+    private static final Logger LOG = LoggerFactory.getLogger(AuthzSrvModule.class);
+    private static boolean simple_config_switch;
+    private BundleContext bundleContext;
+
+    public AuthzSrvModule(org.opendaylight.controller.config.api.ModuleIdentifier identifier,
+            org.opendaylight.controller.config.api.DependencyResolver dependencyResolver) {
+        super(identifier, dependencyResolver);
+    }
+
+    public AuthzSrvModule(org.opendaylight.controller.config.api.ModuleIdentifier identifier,
+            org.opendaylight.controller.config.api.DependencyResolver dependencyResolver,
+            org.opendaylight.controller.config.yang.config.aaa_authz.srv.AuthzSrvModule oldModule,
+            java.lang.AutoCloseable oldInstance) {
+        super(identifier, dependencyResolver, oldModule, oldInstance);
+    }
+
+    @Override
+    public void customValidation() {
+        // checkNotNull(getDomBroker(), domBrokerJmxAttribute);
+    }
+
+    @Override
+    public java.lang.AutoCloseable createInstance() {
+
+        // Get new AuthZ Broker
+        final AuthzBrokerImpl authzBrokerImpl = new AuthzBrokerImpl();
+
+        // Provide real broker to the new Authz broker
+        authzBrokerImpl.setBroker(getDomBrokerDependency());
+
+        // Get AuthN service reference and register it with the authzBroker
+        ServiceReference<AuthenticationService> authServiceReference = bundleContext
+                .getServiceReference(AuthenticationService.class);
+        AuthenticationService as = bundleContext.getService(authServiceReference);
+        authzBrokerImpl.setAuthenticationService(as);
+
+        // Set the policies list to authz serviceimpl
+        AuthzServiceImpl.setPolicies(getPolicies());
+
+        // Register AuthZ broker with the real Broker as a provider; triggers
+        // "onSessionInitiated" in AuthzBrokerImpl
+        getDomBrokerDependency().registerProvider(authzBrokerImpl);
+        // TODO ActionType is of type string, not ENUM due to improper
+        // serialization of ENUMs by config/netconf subsystem. This needs to be
+        // fixed as soon as config/netconf fixes the problem.
+        getAction();
+
+        LOG.info("AuthZ Service Initialized from Config subsystem");
+        return authzBrokerImpl;
+
+    }
+
+    public void setBundleContext(BundleContext bundleContext) {
+        this.bundleContext = bundleContext;
+    }
+}
diff --git a/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/controller/config/yang/config/aaa_authz/srv/AuthzSrvModuleFactory.java b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/controller/config/yang/config/aaa_authz/srv/AuthzSrvModuleFactory.java
new file mode 100644
index 00000000..3ff67f54
--- /dev/null
+++ b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/java/org/opendaylight/controller/config/yang/config/aaa_authz/srv/AuthzSrvModuleFactory.java
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 2014 Cisco Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+/*
+ * Generated file
+ *
+ * Generated from: yang module name: aaa-authz-service-impl yang module local name: aaa-authz-service
+ * Generated by: org.opendaylight.controller.config.yangjmxgenerator.plugin.JMXGenerator
+ * Generated at: Thu Jul 24 11:19:40 CEST 2014
+ *
+ * Do not modify this file unless it is present under src/main directory
+ */
+package org.opendaylight.controller.config.yang.config.aaa_authz.srv;
+
+import org.opendaylight.controller.config.api.DependencyResolver;
+import org.opendaylight.controller.config.api.DynamicMBeanWithInstance;
+import org.opendaylight.controller.config.spi.Module;
+import org.osgi.framework.BundleContext;
+
+public class AuthzSrvModuleFactory extends
+        org.opendaylight.controller.config.yang.config.aaa_authz.srv.AbstractAuthzSrvModuleFactory {
+
+    @Override
+    public org.opendaylight.controller.config.spi.Module createModule(String instanceName,
+            org.opendaylight.controller.config.api.DependencyResolver dependencyResolver,
+            org.osgi.framework.BundleContext bundleContext) {
+
+        final AuthzSrvModule module = (AuthzSrvModule) super.createModule(instanceName,
+                dependencyResolver, bundleContext);
+
+        module.setBundleContext(bundleContext);
+
+        return module;
+
+    }
+
+    @Override
+    public Module createModule(final String instanceName,
+            final DependencyResolver dependencyResolver, final DynamicMBeanWithInstance old,
+            final BundleContext bundleContext) throws Exception {
+        final AuthzSrvModule module = (AuthzSrvModule) super.createModule(instanceName,
+                dependencyResolver, old, bundleContext);
+
+        module.setBundleContext(bundleContext);
+
+        return module;
+    }
+}
diff --git a/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/yang/aaa-authz-service-impl.yang b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/yang/aaa-authz-service-impl.yang
new file mode 100644
index 00000000..954d0480
--- /dev/null
+++ b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/main/yang/aaa-authz-service-impl.yang
@@ -0,0 +1,115 @@
+module aaa-authz-service-impl {
+
+    yang-version 1;
+    namespace "urn:opendaylight:params:xml:ns:yang:controller:config:aaa-authz:srv";
+    prefix "aaa-authz-srv-impl";
+
+    import config { prefix config; revision-date 2013-04-05; }
+    import rpc-context { prefix rpcx; revision-date 2013-06-17; }
+    import opendaylight-md-sal-binding { prefix mdsal; revision-date 2013-10-28; }
+    import opendaylight-md-sal-dom {prefix dom;}
+    import authorization-schema { prefix authzs; revision-date 2014-07-22; }
+    import ietf-inet-types {prefix inet; revision-date 2010-09-24;}
+
+    description
+        "This module contains the base YANG definitions for
+        AuthZ  implementation.";
+
+    revision "2014-07-01" {
+        description
+            "Initial revision.";
+    }
+
+
+    // This is the definition of the service implementation as a module identity.
+    identity aaa-authz-service {
+            base config:module-type;
+            // Specifies the prefix for generated java classes.
+            config:java-name-prefix AuthzSrv;
+            config:provided-service dom:dom-broker-osgi-registry;
+    }
+
+    // Augments the 'configuration' choice node under modules/module.
+
+    augment "/config:modules/config:module/config:configuration" {
+        case aaa-authz-service {
+            when "/config:modules/config:module/config:type = 'aaa-authz-service'";
+
+//Defines reference to the intended broker under the AuthZ broker
+
+            container dom-broker {
+                uses config:service-ref {
+                    refine type {
+                        mandatory true;
+                        config:required-identity dom:dom-broker-osgi-registry;
+                    }
+                }
+            }
+
+            container data-broker {
+                uses config:service-ref {
+                    refine type {
+                        mandatory true;
+                        config:required-identity mdsal:binding-data-broker;
+
+                    }
+                }
+            }
+
+//Simple Authz data leafs:
+
+                leaf authz-role {
+                    type string;
+                }
+                leaf service {
+                  type authzs:service-type;
+                }
+
+                // ENUMs cannot be used right now (config subsystem + netconf cannot properly serialize enums), using strings instead
+                // In the generated module use Enum.valueOf from that string.
+                // Expected values are following strnigs: create, read, update, delete, execute, subscribe, any;
+                leaf action {
+                  type string;
+                  description "String representation of enum authzs:action-type expecting following values create, read, update, delete, execute, subscribe, any";
+                  //type authzs:action-type;
+
+                }
+                leaf resource {
+                  type authzs:resource-type;
+
+                }
+                leaf role {
+                  type authzs:role-type;
+                }
+
+
+
+                  //TODO: Check why uses below doesn't make the outer list be part of the source name-space in yang code generator.
+                  //uses authzs:authorization-grp;
+                     list policies {
+                                 key "service";
+                                 leaf service {
+                                   type authzs:service-type;
+                                 }
+                                 // Grouping uses ENUMs and enums are not correctly serialized in Config + Netconf
+                                 // Same as with action one level ip
+                                 leaf action {
+                                   type string;
+                                   description "String representation of enum authzs:action-type expecting following values create, read, update, delete, execute, subscribe, any";
+                                   //type authzs:action-type;
+                                 }
+                                 leaf resource {
+                                   type authzs:resource-type;
+
+                                 }
+                                 leaf role {
+                                   type authzs:role-type;
+
+                                 }
+                       }
+
+
+            }
+        }
+
+}
diff --git a/odl-aaa-moon/aaa-authz/aaa-authz-service/src/test/java/org/opendaylight/aaa/authz/srv/AuthzConsumerContextImplTest.java b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/test/java/org/opendaylight/aaa/authz/srv/AuthzConsumerContextImplTest.java
new file mode 100644
index 00000000..fb033341
--- /dev/null
+++ b/odl-aaa-moon/aaa-authz/aaa-authz-service/src/test/java/org/opendaylight/aaa/authz/srv/AuthzConsumerContextImplTest.java
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2014 Cisco Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.authz.srv;
+
+import org.junit.Assert;
+import org.junit.Before;
+import org.mockito.Mockito;
+import org.opendaylight.controller.md.sal.dom.api.DOMDataBroker;
+import org.opendaylight.controller.sal.core.api.Broker;
+import org.opendaylight.controller.sal.core.api.Provider;
+
+public class AuthzConsumerContextImplTest {
+
+    private Broker.ConsumerSession realconsumercontext;
+    private Provider realprovidercontext;
+    private AuthzBrokerImpl authzBroker;
+    private Broker realbroker;
+
+    @Before
+    public void beforeTest() {
+        realconsumercontext = Mockito.mock(Broker.ConsumerSession.class);
+        realprovidercontext = Mockito.mock(Provider.class);
+        realbroker = Mockito.mock(Broker.class);
+        realbroker.registerProvider(realprovidercontext);
+        authzBroker = Mockito.mock(AuthzBrokerImpl.class);
+    }
+
+    @org.junit.Test
+    public void testGetService() throws Exception {
+        AuthzConsumerContextImpl authzConsumerContext = new AuthzConsumerContextImpl(
+                realconsumercontext, authzBroker);
+
+        Assert.assertEquals("Expected Authz session context",
+                authzConsumerContext.getService(DOMDataBroker.class).getClass(),
+                AuthzDomDataBroker.class);
+        // Assert.assertEquals("Expected Authz session context",
+        // authzConsumerContext.getService(SchemaService.class).getClass(),
+        // SchemaService.class);
+    }
+}
\ No newline at end of file
diff --git a/odl-aaa-moon/aaa-authz/pom.xml b/odl-aaa-moon/aaa-authz/pom.xml
new file mode 100644
index 00000000..bdc1852f
--- /dev/null
+++ b/odl-aaa-moon/aaa-authz/pom.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.opendaylight.aaa</groupId>
+        <artifactId>aaa-parent</artifactId>
+        <version>0.3.1-Beryllium-SR1</version>
+        <relativePath>../parent</relativePath>
+    </parent>
+
+    <artifactId>aaa-authz</artifactId>
+    <name>${project.artifactId}</name>
+    <packaging>pom</packaging>
+
+    <modules>
+        <module>aaa-authz-model</module>
+        <module>aaa-authz-service</module>
+        <module>aaa-authz-config</module>
+        <module>aaa-authz-restconf-config</module>
+    </modules>
+</project>
diff --git a/odl-aaa-moon/aaa-credential-store-api/pom.xml b/odl-aaa-moon/aaa-credential-store-api/pom.xml
new file mode 100644
index 00000000..e7dfb81c
--- /dev/null
+++ b/odl-aaa-moon/aaa-credential-store-api/pom.xml
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+(c) Copyright 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+
+This program and the accompanying materials are made available under the
+terms of the Eclipse Public License v1.0 which accompanies this distribution,
+and is available at http://www.eclipse.org/legal/epl-v10.html
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>org.opendaylight.mdsal</groupId>
+    <artifactId>binding-parent</artifactId>
+    <version>0.8.1-Beryllium-SR1</version>
+    <relativePath/>
+  </parent>
+
+  <groupId>org.opendaylight.aaa</groupId>
+  <artifactId>aaa-credential-store-api</artifactId>
+  <version>0.3.1-Beryllium-SR1</version>
+  <packaging>bundle</packaging>
+</project>
diff --git a/odl-aaa-moon/aaa-credential-store-api/src/main/yang/credential-model.yang b/odl-aaa-moon/aaa-credential-store-api/src/main/yang/credential-model.yang
new file mode 100644
index 00000000..7d1f55a3
--- /dev/null
+++ b/odl-aaa-moon/aaa-credential-store-api/src/main/yang/credential-model.yang
@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+module credential-store {
+    namespace "urn:opendaylight:params:xml:ns:yang:aaa:credential-store";
+    prefix "cs";
+
+    description "Defines and extensible model for storing various types of security credentials.";
+
+    revision "2015-02-26" { description "Initial revision."; }
+
+    identity credential-type {
+        description
+          "Credential base type.  All credential types must be derived from this identity.";
+    }
+
+    typedef credential-type-ref {
+        description "reference to an entry in the credential store based on id.";
+        type instance-identifier;
+    }
+
+    container credential-store {
+        list credential {
+            key "id";
+
+            leaf id {
+                description "Unique identifier for this credential entry.";
+                type string;
+            }
+
+            leaf type {
+                description "The type of credential represented in this entry.";
+                type identityref {
+                    base credential-type;
+                }
+            }
+
+            choice value {
+                description "Extension point. Contains the data specific to the credential type.";
+            }
+        }
+    }
+}
diff --git a/odl-aaa-moon/aaa-h2-store/.gitignore b/odl-aaa-moon/aaa-h2-store/.gitignore
new file mode 100644
index 00000000..1dd33310
--- /dev/null
+++ b/odl-aaa-moon/aaa-h2-store/.gitignore
@@ -0,0 +1,2 @@
+/target/
+/target/
diff --git a/odl-aaa-moon/aaa-h2-store/pom.xml b/odl-aaa-moon/aaa-h2-store/pom.xml
new file mode 100644
index 00000000..2b31525c
--- /dev/null
+++ b/odl-aaa-moon/aaa-h2-store/pom.xml
@@ -0,0 +1,160 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.opendaylight.aaa</groupId>
+        <artifactId>aaa-parent</artifactId>
+        <version>0.3.1-Beryllium-SR1</version>
+        <relativePath>../parent</relativePath>
+    </parent>
+
+    <artifactId>aaa-h2-store</artifactId>
+    <packaging>bundle</packaging>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.opendaylight.controller</groupId>
+            <artifactId>config-api</artifactId>
+            <version>${config.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.controller</groupId>
+            <artifactId>sal-binding-config</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.controller</groupId>
+            <artifactId>sal-binding-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.controller</groupId>
+            <artifactId>sal-common-util</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.felix</groupId>
+            <artifactId>org.apache.felix.dependencymanager</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-all</artifactId>
+            <scope>test</scope>
+        </dependency>
+
+        <!-- JDBC -->
+        <dependency>
+            <groupId>com.h2database</groupId>
+            <artifactId>h2</artifactId>
+        </dependency>
+        <!-- Testing Dependencies -->
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-simple</artifactId>
+            <scope>test</scope>
+        </dependency>
+
+    </dependencies>
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.felix</groupId>
+                <artifactId>maven-bundle-plugin</artifactId>
+                <version>${bundle.plugin.version}</version>
+                <extensions>true</extensions>
+                <configuration>
+                    <instructions>
+                        <Import-Package>com.google.*,org.opendaylight.aaa.api.*,org.apache.felix.*,org.slf4j.*,org.opendaylight.*,org.osgi.*,org.apache.commons.lang3</Import-Package>
+                        <Private-Package>org.h2.*</Private-Package>
+                        <Embed-Dependency>h2</Embed-Dependency>
+                    </instructions>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.opendaylight.yangtools</groupId>
+                <artifactId>yang-maven-plugin</artifactId>
+                <version>${yangtools.version}</version>
+                <executions>
+                    <execution>
+                        <id>config</id>
+                        <goals>
+                            <goal>generate-sources</goal>
+                        </goals>
+                        <configuration>
+                            <codeGenerators>
+                                <generator>
+                                    <codeGeneratorClass>org.opendaylight.controller.config.yangjmxgenerator.plugin.JMXGenerator</codeGeneratorClass>
+                                    <outputBaseDir>${jmxGeneratorPath}</outputBaseDir>
+                                    <additionalConfiguration>
+                                        <namespaceToPackage1>urn:opendaylight:params:xml:ns:yang:controller==org.opendaylight.controller.config.yang</namespaceToPackage1>
+                                    </additionalConfiguration>
+                                </generator>
+                                <generator>
+                                    <codeGeneratorClass>org.opendaylight.yangtools.maven.sal.api.gen.plugin.CodeGeneratorImpl</codeGeneratorClass>
+                                    <outputBaseDir>${salGeneratorPath}</outputBaseDir>
+                                </generator>
+                            </codeGenerators>
+                            <inspectDependencies>true</inspectDependencies>
+                        </configuration>
+                    </execution>
+                </executions>
+                <dependencies>
+                    <dependency>
+                        <groupId>org.opendaylight.mdsal</groupId>
+                        <artifactId>maven-sal-api-gen-plugin</artifactId>
+                        <version>${yangtools.version}</version>
+                        <type>jar</type>
+                    </dependency>
+                    <dependency>
+                        <groupId>org.opendaylight.controller</groupId>
+                        <artifactId>yang-jmx-generator-plugin</artifactId>
+                        <version>${config.version}</version>
+                    </dependency>
+                </dependencies>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>build-helper-maven-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>attach-artifacts</id>
+                        <goals>
+                            <goal>attach-artifact</goal>
+                        </goals>
+                        <phase>package</phase>
+                        <configuration>
+                            <artifacts>
+                                <artifact>
+                                    <file>${project.build.directory}/classes/initial/08-aaa-h2-store-config.xml</file>
+                                    <type>xml</type>
+                                    <classifier>config</classifier>
+                                </artifact>
+                            </artifacts>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+</project>
diff --git a/odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/config/IdmLightConfig.java b/odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/config/IdmLightConfig.java
new file mode 100644
index 00000000..a35ca48f
--- /dev/null
+++ b/odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/config/IdmLightConfig.java
@@ -0,0 +1,133 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.h2.config;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Responsible for providing configuration properties for the IDMLight/H2
+ * data store implementation.
+ *
+ * @author peter.mellquist@hp.com
+ *
+ */
+public class IdmLightConfig {
+
+    private static final Logger LOG = LoggerFactory.getLogger(IdmLightConfig.class);
+
+    /**
+     * The default timeout for db connections in seconds.
+     */
+    private static final int DEFAULT_DB_TIMEOUT = 3;
+
+    /**
+     * The default password for the database
+     */
+    private static final String DEFAULT_PASSWORD = "bar";
+
+    /**
+     * The default username for the database
+     */
+    private static final String DEFAULT_USERNAME = "foo";
+
+    /**
+     * The default driver for the databse is H2;  a pure-java implementation
+     * of JDBC.
+     */
+    private static final String DEFAULT_JDBC_DRIVER = "org.h2.Driver";
+
+    /**
+     * The default connection string includes the intention to use h2 as
+     * the JDBC driver, and the path for the file is located relative to
+     * KARAF_HOME.
+     */
+    private static final String DEFAULT_CONNECTION_STRING = "jdbc:h2:./";
+
+    /**
+     * The default filename for the database file.
+     */
+    private static final String DEFAULT_IDMLIGHT_DB_FILENAME = "idmlight.db";
+
+    /**
+     * The database filename
+     */
+    private String dbName;
+
+    /**
+     * the database connection string
+     */
+    private String dbPath;
+
+    /**
+     * The database driver (i.e., H2)
+     */
+    private String dbDriver;
+
+    /**
+     * The database password.  This is not the same as AAA credentials!
+     */
+    private String dbUser;
+
+    /**
+     * The database username.  This is not the same as AAA credentials!
+     */
+    private String dbPwd;
+
+    /**
+     * Timeout for database connections in seconds
+     */
+    private int dbValidTimeOut;
+
+    /**
+     * Creates an valid database configuration using default values.
+     */
+    public IdmLightConfig() {
+        // TODO make this configurable
+        dbName = DEFAULT_IDMLIGHT_DB_FILENAME;
+        dbPath = DEFAULT_CONNECTION_STRING + dbName;
+        dbDriver = DEFAULT_JDBC_DRIVER;
+        dbUser = DEFAULT_USERNAME;
+        dbPwd = DEFAULT_PASSWORD;
+        dbValidTimeOut = DEFAULT_DB_TIMEOUT;
+    }
+
+    /**
+     * Outputs some debugging information surrounding idmlight config
+     */
+    public void log() {
+        LOG.info("DB Path                 : {}", dbPath);
+        LOG.info("DB Driver               : {}", dbDriver);
+        LOG.info("DB Valid Time Out       : {}", dbValidTimeOut);
+    }
+
+    public String getDbName() {
+        return this.dbName;
+    }
+
+    public String getDbPath() {
+        return this.dbPath;
+    }
+
+    public String getDbDriver() {
+        return this.dbDriver;
+    }
+
+    public String getDbUser() {
+        return this.dbUser;
+    }
+
+    public String getDbPwd() {
+        return this.dbPwd;
+    }
+
+    public int getDbValidTimeOut() {
+        return this.dbValidTimeOut;
+    }
+}
diff --git a/odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/AbstractStore.java b/odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/AbstractStore.java
new file mode 100644
index 00000000..ba00eb84
--- /dev/null
+++ b/odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/AbstractStore.java
@@ -0,0 +1,187 @@
+/*
+ * Copyright © 2016 Red Hat, Inc. and others.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+package org.opendaylight.aaa.h2.persistence;
+
+import java.sql.Connection;
+import java.sql.DatabaseMetaData;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Base class for H2 stores.
+ */
+abstract class AbstractStore<T> {
+    /**
+     * Logger.
+     */
+    private static final Logger LOG = LoggerFactory.getLogger(AbstractStore.class);
+
+    /**
+     * The name of the table used to represent this store.
+     */
+    private final String tableName;
+
+    /**
+     * Database connection, only used for tests.
+     */
+    Connection dbConnection = null;
+
+    /**
+     * Table types we're interested in (when checking tables' existence).
+     */
+    public static final String[] TABLE_TYPES = new String[] { "TABLE" };
+
+    /**
+     * Creates an instance.
+     *
+     * @param tableName The name of the table being managed.
+     */
+    protected AbstractStore(String tableName) {
+        this.tableName = tableName;
+    }
+
+    /**
+     * Returns a database connection. It is the caller's responsibility to close it. If the managed table does not
+     * exist, it will be created (using {@link #getTableCreationStatement()}).
+     *
+     * @return A database connection.
+     *
+     * @throws StoreException if an error occurs.
+     */
+    protected Connection dbConnect() throws StoreException {
+        Connection conn = H2Store.getConnection(dbConnection);
+        try {
+            // Ensure table check/creation is atomic
+            synchronized (this) {
+                DatabaseMetaData dbm = conn.getMetaData();
+                try (ResultSet rs = dbm.getTables(null, null, tableName, TABLE_TYPES)) {
+                    if (rs.next()) {
+                        LOG.debug("Table {} already exists", tableName);
+                    } else {
+                        LOG.info("Table {} does not exist, creating it", tableName);
+                        try (Statement stmt = conn.createStatement()) {
+                            stmt.executeUpdate(getTableCreationStatement());
+                        }
+                    }
+                }
+            }
+        } catch (SQLException e) {
+            LOG.error("Error connecting to the H2 database", e);
+            throw new StoreException("Cannot connect to database server", e);
+        }
+        return conn;
+    }
+
+    /**
+     * Empties the store.
+     *
+     * @throws StoreException if a connection error occurs.
+     */
+    protected void dbClean() throws StoreException {
+        try (Connection c = dbConnect()) {
+            // The table name can't be a parameter in a prepared statement
+            String sql = "DELETE FROM " + tableName;
+            c.createStatement().execute(sql);
+        } catch (SQLException e) {
+            LOG.error("Error clearing table {}", tableName, e);
+            throw new StoreException("Error clearing table " + tableName, e);
+        }
+    }
+
+    /**
+     * Returns the SQL code required to create the managed table.
+     *
+     * @return The SQL table creation statement.
+     */
+    protected abstract String getTableCreationStatement();
+
+    /**
+     * Lists all the stored items.
+     *
+     * @return The stored item.
+     *
+     * @throws StoreException if an error occurs.
+     */
+    protected List<T> listAll() throws StoreException {
+        List<T> result = new ArrayList<>();
+        String query = "SELECT * FROM " + tableName;
+        try (Connection conn = dbConnect();
+             Statement stmt = conn.createStatement();
+             ResultSet rs = stmt.executeQuery(query)) {
+            while (rs.next()) {
+                result.add(fromResultSet(rs));
+            }
+        } catch (SQLException e) {
+            LOG.error("Error listing all items from {}", tableName, e);
+            throw new StoreException(e);
+        }
+        return result;
+    }
+
+    /**
+     * Lists the stored items returned by the given statement.
+     *
+     * @param ps The statement (which must be ready for execution). It is the caller's reponsibility to close this.
+     *
+     * @return The stored items.
+     *
+     * @throws StoreException if an error occurs.
+     */
+    protected List<T> listFromStatement(PreparedStatement ps) throws StoreException {
+        List<T> result = new ArrayList<>();
+        try (ResultSet rs = ps.executeQuery()) {
+            while (rs.next()) {
+                result.add(fromResultSet(rs));
+            }
+        } catch (SQLException e) {
+            LOG.error("Error listing matching items from {}", tableName, e);
+            throw new StoreException(e);
+        }
+        return result;
+    }
+
+    /**
+     * Extracts the first item returned by the given statement, if any.
+     *
+     * @param ps The statement (which must be ready for execution). It is the caller's reponsibility to close this.
+     *
+     * @return The first item, or {@code null} if none.
+     *
+     * @throws StoreException if an error occurs.
+     */
+    protected T firstFromStatement(PreparedStatement ps) throws StoreException {
+        try (ResultSet rs = ps.executeQuery()) {
+            if (rs.next()) {
+                return fromResultSet(rs);
+            } else {
+                return null;
+            }
+        } catch (SQLException e) {
+            LOG.error("Error listing first matching item from {}", tableName, e);
+            throw new StoreException(e);
+        }
+    }
+
+    /**
+     * Converts a single row in a result set to an instance of the managed type.
+     *
+     * @param rs The result set (which is ready for extraction; {@link ResultSet#next()} must <b>not</b> be called).
+     *
+     * @return The corresponding instance.
+     *
+     * @throws SQLException if an error occurs.
+     */
+    protected abstract T fromResultSet(ResultSet rs) throws SQLException;
+}
diff --git a/odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/DomainStore.java b/odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/DomainStore.java
new file mode 100644
index 00000000..aa8f4b30
--- /dev/null
+++ b/odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/DomainStore.java
@@ -0,0 +1,166 @@
+/*
+ * Copyright (c) 2014, 2016 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.h2.persistence;
+
+import com.google.common.base.Preconditions;
+
+import java.sql.Connection;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+
+import org.apache.commons.lang3.StringEscapeUtils;
+import org.opendaylight.aaa.api.model.Domain;
+import org.opendaylight.aaa.api.model.Domains;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ *
+ * @author peter.mellquist@hp.com
+ *
+ */
+public class DomainStore extends AbstractStore<Domain> {
+    private static final Logger LOG = LoggerFactory.getLogger(DomainStore.class);
+
+    protected final static String SQL_ID = "domainid";
+    protected final static String SQL_NAME = "name";
+    protected final static String SQL_DESCR = "description";
+    protected final static String SQL_ENABLED = "enabled";
+    private static final String TABLE_NAME = "DOMAINS";
+
+    protected DomainStore() {
+        super(TABLE_NAME);
+    }
+
+    @Override
+    protected String getTableCreationStatement() {
+        return "CREATE TABLE DOMAINS "
+                + "(domainid   VARCHAR(128)      PRIMARY KEY,"
+                + "name        VARCHAR(128)      UNIQUE NOT NULL, "
+                + "description VARCHAR(128)      , "
+                + "enabled     INTEGER           NOT NULL)";
+    }
+
+    @Override
+    protected Domain fromResultSet(ResultSet rs) throws SQLException {
+        Domain domain = new Domain();
+        domain.setDomainid(rs.getString(SQL_ID));
+        domain.setName(rs.getString(SQL_NAME));
+        domain.setDescription(rs.getString(SQL_DESCR));
+        domain.setEnabled(rs.getInt(SQL_ENABLED) == 1);
+        return domain;
+    }
+
+    protected Domains getDomains() throws StoreException {
+        Domains domains = new Domains();
+        domains.setDomains(listAll());
+        return domains;
+    }
+
+    protected Domains getDomains(String domainName) throws StoreException {
+        LOG.debug("getDomains for: {}", domainName);
+        Domains domains = new Domains();
+        try (Connection conn = dbConnect();
+             PreparedStatement pstmt = conn.prepareStatement("SELECT * FROM DOMAINS WHERE name = ?")) {
+            pstmt.setString(1, domainName);
+            LOG.debug("query string: {}", pstmt.toString());
+            domains.setDomains(listFromStatement(pstmt));
+        } catch (SQLException e) {
+            LOG.error("Error listing domains matching {}", domainName, e);
+            throw new StoreException("Error listing domains", e);
+        }
+        return domains;
+    }
+
+    protected Domain getDomain(String id) throws StoreException {
+        try (Connection conn = dbConnect();
+             PreparedStatement pstmt = conn.prepareStatement("SELECT * FROM DOMAINS WHERE domainid = ? ")) {
+            pstmt.setString(1, id);
+            LOG.debug("query string: {}", pstmt.toString());
+            return firstFromStatement(pstmt);
+        } catch (SQLException e) {
+            LOG.error("Error retrieving domain {}", id, e);
+            throw new StoreException("Error loading domain", e);
+        }
+    }
+
+    protected Domain createDomain(Domain domain) throws StoreException {
+        Preconditions.checkNotNull(domain);
+        Preconditions.checkNotNull(domain.getName());
+        Preconditions.checkNotNull(domain.isEnabled());
+        String query = "insert into DOMAINS (domainid,name,description,enabled) values(?, ?, ?, ?)";
+        try (Connection conn = dbConnect();
+             PreparedStatement statement = conn.prepareStatement(query)) {
+            statement.setString(1, domain.getName());
+            statement.setString(2, domain.getName());
+            statement.setString(3, domain.getDescription());
+            statement.setInt(4, domain.isEnabled() ? 1 : 0);
+            int affectedRows = statement.executeUpdate();
+            if (affectedRows == 0) {
+                throw new StoreException("Creating domain failed, no rows affected.");
+            }
+            domain.setDomainid(domain.getName());
+            return domain;
+        } catch (SQLException e) {
+            LOG.error("Error creating domain {}", domain.getName(), e);
+            throw new StoreException("Error creating domain", e);
+        }
+    }
+
+    protected Domain putDomain(Domain domain) throws StoreException {
+        Domain savedDomain = this.getDomain(domain.getDomainid());
+        if (savedDomain == null) {
+            return null;
+        }
+
+        if (domain.getDescription() != null) {
+            savedDomain.setDescription(domain.getDescription());
+        }
+        if (domain.getName() != null) {
+            savedDomain.setName(domain.getName());
+        }
+        if (domain.isEnabled() != null) {
+            savedDomain.setEnabled(domain.isEnabled());
+        }
+
+        String query = "UPDATE DOMAINS SET description = ?, enabled = ? WHERE domainid = ?";
+        try (Connection conn = dbConnect();
+             PreparedStatement statement = conn.prepareStatement(query)) {
+            statement.setString(1, savedDomain.getDescription());
+            statement.setInt(2, savedDomain.isEnabled() ? 1 : 0);
+            statement.setString(3, savedDomain.getDomainid());
+            statement.executeUpdate();
+        } catch (SQLException e) {
+            LOG.error("Error updating domain {}", domain.getDomainid(), e);
+            throw new StoreException("Error updating domain", e);
+        }
+
+        return savedDomain;
+    }
+
+    protected Domain deleteDomain(String domainid) throws StoreException {
+        domainid = StringEscapeUtils.escapeHtml4(domainid);
+        Domain deletedDomain = this.getDomain(domainid);
+        if (deletedDomain == null) {
+            return null;
+        }
+        String query = String.format("DELETE FROM DOMAINS WHERE domainid = '%s'", domainid);
+        try (Connection conn = dbConnect();
+             Statement statement = conn.createStatement()) {
+            int deleteCount = statement.executeUpdate(query);
+            LOG.debug("deleted {} records", deleteCount);
+            return deletedDomain;
+        } catch (SQLException e) {
+            LOG.error("Error deleting domain {}", domainid, e);
+            throw new StoreException("Error deleting domain", e);
+        }
+    }
+}
diff --git a/odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/GrantStore.java b/odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/GrantStore.java
new file mode 100644
index 00000000..ee86e0ba
--- /dev/null
+++ b/odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/GrantStore.java
@@ -0,0 +1,158 @@
+/*
+ * Copyright (c) 2014, 2016 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.h2.persistence;
+
+import java.sql.Connection;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+
+import org.apache.commons.lang3.StringEscapeUtils;
+import org.opendaylight.aaa.api.IDMStoreUtil;
+import org.opendaylight.aaa.api.model.Grant;
+import org.opendaylight.aaa.api.model.Grants;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ *
+ * @author peter.mellquist@hp.com
+ *
+ */
+public class GrantStore extends AbstractStore<Grant> {
+    private static final Logger LOG = LoggerFactory.getLogger(GrantStore.class);
+
+    protected final static String SQL_ID = "grantid";
+    protected final static String SQL_TENANTID = "domainid";
+    protected final static String SQL_USERID = "userid";
+    protected final static String SQL_ROLEID = "roleid";
+    private static final String TABLE_NAME = "GRANTS";
+
+    protected GrantStore() {
+        super(TABLE_NAME);
+    }
+
+    @Override
+    protected String getTableCreationStatement() {
+        return "CREATE TABLE GRANTS "
+                + "(grantid    VARCHAR(128) PRIMARY KEY,"
+                + "domainid    VARCHAR(128)         NOT NULL, "
+                + "userid      VARCHAR(128)         NOT NULL, "
+                + "roleid      VARCHAR(128)         NOT NULL)";
+    }
+
+    protected Grant fromResultSet(ResultSet rs) throws SQLException {
+        Grant grant = new Grant();
+        try {
+            grant.setGrantid(rs.getString(SQL_ID));
+            grant.setDomainid(rs.getString(SQL_TENANTID));
+            grant.setUserid(rs.getString(SQL_USERID));
+            grant.setRoleid(rs.getString(SQL_ROLEID));
+        } catch (SQLException sqle) {
+            LOG.error("SQL Exception: ", sqle);
+            throw sqle;
+        }
+        return grant;
+    }
+
+    protected Grants getGrants(String did, String uid) throws StoreException {
+        Grants grants = new Grants();
+        try (Connection conn = dbConnect();
+             PreparedStatement pstmt = conn
+                     .prepareStatement("SELECT * FROM grants WHERE domainid = ? AND userid = ?")) {
+            pstmt.setString(1, did);
+            pstmt.setString(2, uid);
+            LOG.debug("query string: {}", pstmt.toString());
+            grants.setGrants(listFromStatement(pstmt));
+        } catch (SQLException s) {
+            throw new StoreException("SQL Exception : " + s);
+        }
+        return grants;
+    }
+
+    protected Grants getGrants(String userid) throws StoreException {
+        Grants grants = new Grants();
+        try (Connection conn = dbConnect();
+             PreparedStatement pstmt = conn.prepareStatement("SELECT * FROM GRANTS WHERE userid = ? ")) {
+            pstmt.setString(1, userid);
+            LOG.debug("query string: {}", pstmt.toString());
+            grants.setGrants(listFromStatement(pstmt));
+        } catch (SQLException s) {
+            throw new StoreException("SQL Exception : " + s);
+        }
+        return grants;
+    }
+
+    protected Grant getGrant(String id) throws StoreException {
+        try (Connection conn = dbConnect();
+             PreparedStatement pstmt = conn.prepareStatement("SELECT * FROM GRANTS WHERE grantid = ? ")) {
+            pstmt.setString(1, id);
+            LOG.debug("query string: ", pstmt.toString());
+            return firstFromStatement(pstmt);
+        } catch (SQLException s) {
+            throw new StoreException("SQL Exception : " + s);
+        }
+    }
+
+    protected Grant getGrant(String did, String uid, String rid) throws StoreException {
+        try (Connection conn = dbConnect();
+             PreparedStatement pstmt = conn
+                     .prepareStatement("SELECT * FROM GRANTS WHERE domainid = ? AND userid = ? AND roleid = ? ")) {
+            pstmt.setString(1, did);
+            pstmt.setString(2, uid);
+            pstmt.setString(3, rid);
+            LOG.debug("query string: {}", pstmt.toString());
+            return firstFromStatement(pstmt);
+        } catch (SQLException s) {
+            throw new StoreException("SQL Exception : " + s);
+        }
+    }
+
+    protected Grant createGrant(Grant grant) throws StoreException {
+        String query = "insert into grants  (grantid,domainid,userid,roleid) values(?,?,?,?)";
+        try (Connection conn = dbConnect();
+             PreparedStatement statement = conn.prepareStatement(query)) {
+            statement.setString(
+                    1,
+                    IDMStoreUtil.createGrantid(grant.getUserid(), grant.getDomainid(),
+                            grant.getRoleid()));
+            statement.setString(2, grant.getDomainid());
+            statement.setString(3, grant.getUserid());
+            statement.setString(4, grant.getRoleid());
+            int affectedRows = statement.executeUpdate();
+            if (affectedRows == 0) {
+                throw new StoreException("Creating grant failed, no rows affected.");
+            }
+            grant.setGrantid(IDMStoreUtil.createGrantid(grant.getUserid(), grant.getDomainid(),
+                    grant.getRoleid()));
+            return grant;
+        } catch (SQLException s) {
+            throw new StoreException("SQL Exception : " + s);
+        }
+    }
+
+    protected Grant deleteGrant(String grantid) throws StoreException {
+        grantid = StringEscapeUtils.escapeHtml4(grantid);
+        Grant savedGrant = this.getGrant(grantid);
+        if (savedGrant == null) {
+            return null;
+        }
+
+        String query = String.format("DELETE FROM GRANTS WHERE grantid = '%s'", grantid);
+        try (Connection conn = dbConnect();
+             Statement statement = conn.createStatement()) {
+            int deleteCount = statement.executeUpdate(query);
+            LOG.debug("deleted {} records", deleteCount);
+            return savedGrant;
+        } catch (SQLException s) {
+            throw new StoreException("SQL Exception : " + s);
+        }
+    }
+}
diff --git a/odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/H2Store.java b/odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/H2Store.java
new file mode 100644
index 00000000..da40a17b
--- /dev/null
+++ b/odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/H2Store.java
@@ -0,0 +1,316 @@
+/*
+ * Copyright (c) 2015 Cisco Systems and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.h2.persistence;
+
+import java.sql.Connection;
+import java.sql.DriverManager;
+
+import org.opendaylight.aaa.api.IDMStoreException;
+import org.opendaylight.aaa.api.IDMStoreUtil;
+import org.opendaylight.aaa.api.IIDMStore;
+import org.opendaylight.aaa.api.model.Domain;
+import org.opendaylight.aaa.api.model.Domains;
+import org.opendaylight.aaa.api.model.Grant;
+import org.opendaylight.aaa.api.model.Grants;
+import org.opendaylight.aaa.api.model.Role;
+import org.opendaylight.aaa.api.model.Roles;
+import org.opendaylight.aaa.api.model.User;
+import org.opendaylight.aaa.api.model.Users;
+import org.opendaylight.aaa.h2.config.IdmLightConfig;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class H2Store implements IIDMStore {
+
+    private static final Logger LOG = LoggerFactory.getLogger(H2Store.class);
+
+    private static IdmLightConfig config = new IdmLightConfig();
+    private DomainStore domainStore = new DomainStore();
+    private UserStore userStore = new UserStore();
+    private RoleStore roleStore = new RoleStore();
+    private GrantStore grantStore = new GrantStore();
+
+    public H2Store() {
+    }
+
+    public static Connection getConnection(Connection existingConnection) throws StoreException {
+        Connection connection = existingConnection;
+        try {
+            if (existingConnection == null || existingConnection.isClosed()) {
+                new org.h2.Driver();
+                connection = DriverManager.getConnection(config.getDbPath(), config.getDbUser(),
+                        config.getDbPwd());
+            }
+        } catch (Exception e) {
+            throw new StoreException("Cannot connect to database server" + e);
+        }
+
+        return connection;
+    }
+
+    public static IdmLightConfig getConfig() {
+        return config;
+    }
+
+    @Override
+    public Domain writeDomain(Domain domain) throws IDMStoreException {
+        try {
+            return domainStore.createDomain(domain);
+        } catch (StoreException e) {
+            LOG.error("StoreException encountered while writing domain", e);
+            throw new IDMStoreException(e);
+        }
+    }
+
+    @Override
+    public Domain readDomain(String domainid) throws IDMStoreException {
+        try {
+            return domainStore.getDomain(domainid);
+        } catch (StoreException e) {
+            LOG.error("StoreException encountered while reading domain", e);
+            throw new IDMStoreException(e);
+        }
+    }
+
+    @Override
+    public Domain deleteDomain(String domainid) throws IDMStoreException {
+        try {
+            return domainStore.deleteDomain(domainid);
+        } catch (StoreException e) {
+            LOG.error("StoreException encountered while deleting domain", e);
+            throw new IDMStoreException(e);
+        }
+    }
+
+    @Override
+    public Domain updateDomain(Domain domain) throws IDMStoreException {
+        try {
+            return domainStore.putDomain(domain);
+        } catch (StoreException e) {
+            LOG.error("StoreException encountered while updating domain", e);
+            throw new IDMStoreException(e);
+        }
+    }
+
+    @Override
+    public Domains getDomains() throws IDMStoreException {
+        try {
+            return domainStore.getDomains();
+        } catch (StoreException e) {
+            LOG.error("StoreException encountered while reading domains", e);
+            throw new IDMStoreException(e);
+        }
+    }
+
+    @Override
+    public Role writeRole(Role role) throws IDMStoreException {
+        try {
+            return roleStore.createRole(role);
+        } catch (StoreException e) {
+            LOG.error("StoreException encountered while writing role", e);
+            throw new IDMStoreException(e);
+        }
+    }
+
+    @Override
+    public Role readRole(String roleid) throws IDMStoreException {
+        try {
+            return roleStore.getRole(roleid);
+        } catch (StoreException e) {
+            LOG.error("StoreException encountered while reading role", e);
+            throw new IDMStoreException(e);
+        }
+    }
+
+    @Override
+    public Role deleteRole(String roleid) throws IDMStoreException {
+        try {
+            return roleStore.deleteRole(roleid);
+        } catch (StoreException e) {
+            LOG.error("StoreException encountered while deleting role", e);
+            throw new IDMStoreException(e);
+        }
+    }
+
+    @Override
+    public Role updateRole(Role role) throws IDMStoreException {
+        try {
+            return roleStore.putRole(role);
+        } catch (StoreException e) {
+            LOG.error("StoreException encountered while updating role", e);
+            throw new IDMStoreException(e);
+        }
+    }
+
+    @Override
+    public Roles getRoles() throws IDMStoreException {
+        try {
+            return roleStore.getRoles();
+        } catch (StoreException e) {
+            LOG.error("StoreException encountered while getting roles", e);
+            throw new IDMStoreException(e);
+        }
+    }
+
+    @Override
+    public User writeUser(User user) throws IDMStoreException {
+        try {
+            return userStore.createUser(user);
+        } catch (StoreException e) {
+            LOG.error("StoreException encountered while writing user", e);
+            throw new IDMStoreException(e);
+        }
+    }
+
+    @Override
+    public User readUser(String userid) throws IDMStoreException {
+        try {
+            return userStore.getUser(userid);
+        } catch (StoreException e) {
+            LOG.error("StoreException encountered while reading user", e);
+            throw new IDMStoreException(e);
+        }
+    }
+
+    @Override
+    public User deleteUser(String userid) throws IDMStoreException {
+        try {
+            return userStore.deleteUser(userid);
+        } catch (StoreException e) {
+            LOG.error("StoreException encountered while deleting user", e);
+            throw new IDMStoreException(e);
+        }
+    }
+
+    @Override
+    public User updateUser(User user) throws IDMStoreException {
+        try {
+            return userStore.putUser(user);
+        } catch (StoreException e) {
+            LOG.error("StoreException encountered while updating user", e);
+            throw new IDMStoreException(e);
+        }
+    }
+
+    @Override
+    public Users getUsers(String username, String domain) throws IDMStoreException {
+        try {
+            return userStore.getUsers(username, domain);
+        } catch (StoreException e) {
+            LOG.error("StoreException encountered while reading users", e);
+            throw new IDMStoreException(e);
+        }
+    }
+
+    @Override
+    public Users getUsers() throws IDMStoreException {
+        try {
+            return userStore.getUsers();
+        } catch (StoreException e) {
+            LOG.error("StoreException encountered while reading users", e);
+            throw new IDMStoreException(e);
+        }
+    }
+
+    @Override
+    public Grant writeGrant(Grant grant) throws IDMStoreException {
+        try {
+            return grantStore.createGrant(grant);
+        } catch (StoreException e) {
+            LOG.error("StoreException encountered while writing grant", e);
+            throw new IDMStoreException(e);
+        }
+    }
+
+    @Override
+    public Grant readGrant(String grantid) throws IDMStoreException {
+        try {
+            return grantStore.getGrant(grantid);
+        } catch (StoreException e) {
+            LOG.error("StoreException encountered while reading grant", e);
+            throw new IDMStoreException(e);
+        }
+    }
+
+    @Override
+    public Grant deleteGrant(String grantid) throws IDMStoreException {
+        try {
+            return grantStore.deleteGrant(grantid);
+        } catch (StoreException e) {
+            LOG.error("StoreException encountered while deleting grant", e);
+            throw new IDMStoreException(e);
+        }
+    }
+
+    @Override
+    public Grants getGrants(String domainid, String userid) throws IDMStoreException {
+        try {
+            return grantStore.getGrants(domainid, userid);
+        } catch (StoreException e) {
+            LOG.error("StoreException encountered while getting grants", e);
+            throw new IDMStoreException(e);
+        }
+    }
+
+    @Override
+    public Grants getGrants(String userid) throws IDMStoreException {
+        try {
+            return grantStore.getGrants(userid);
+        } catch (StoreException e) {
+            LOG.error("StoreException encountered while getting grants", e);
+            throw new IDMStoreException(e);
+        }
+    }
+
+    @Override
+    public Grant readGrant(String domainid, String userid, String roleid) throws IDMStoreException {
+        return readGrant(IDMStoreUtil.createGrantid(userid, domainid, roleid));
+    }
+
+    public static Domain createDomain(String domainName, boolean enable) throws StoreException {
+        DomainStore ds = new DomainStore();
+        Domain d = new Domain();
+        d.setName(domainName);
+        d.setEnabled(enable);
+        return ds.createDomain(d);
+    }
+
+    public static User createUser(String name, String password, String domain, String description,
+            String email, boolean enabled, String SALT) throws StoreException {
+        UserStore us = new UserStore();
+        User u = new User();
+        u.setName(name);
+        u.setDomainid(domain);
+        u.setDescription(description);
+        u.setEmail(email);
+        u.setEnabled(enabled);
+        u.setPassword(password);
+        u.setSalt(SALT);
+        return us.createUser(u);
+    }
+
+    public static Role createRole(String name, String domain, String description)
+            throws StoreException {
+        RoleStore rs = new RoleStore();
+        Role r = new Role();
+        r.setDescription(description);
+        r.setName(name);
+        r.setDomainid(domain);
+        return rs.createRole(r);
+    }
+
+    public static Grant createGrant(String domain, String user, String role) throws StoreException {
+        GrantStore gs = new GrantStore();
+        Grant g = new Grant();
+        g.setDomainid(domain);
+        g.setRoleid(role);
+        g.setUserid(user);
+        return gs.createGrant(g);
+    }
+}
diff --git a/odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/RoleStore.java b/odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/RoleStore.java
new file mode 100644
index 00000000..e7defa4a
--- /dev/null
+++ b/odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/RoleStore.java
@@ -0,0 +1,151 @@
+/*
+ * Copyright (c) 2014, 2016 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.h2.persistence;
+
+import com.google.common.base.Preconditions;
+
+import java.sql.Connection;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+
+import org.apache.commons.lang3.StringEscapeUtils;
+import org.opendaylight.aaa.api.IDMStoreUtil;
+import org.opendaylight.aaa.api.model.Role;
+import org.opendaylight.aaa.api.model.Roles;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ *
+ * @author peter.mellquist@hp.com
+ *
+ */
+public class RoleStore extends AbstractStore<Role> {
+    private static final Logger LOG = LoggerFactory.getLogger(RoleStore.class);
+
+    protected final static String SQL_ID = "roleid";
+    protected final static String SQL_DOMAIN_ID = "domainid";
+    protected final static String SQL_NAME = "name";
+    protected final static String SQL_DESCR = "description";
+    private static final String TABLE_NAME = "ROLES";
+
+    protected RoleStore() {
+        super(TABLE_NAME);
+    }
+
+    @Override
+    protected String getTableCreationStatement() {
+        return "CREATE TABLE ROLES "
+                + "(roleid     VARCHAR(128)   PRIMARY KEY,"
+                + "name        VARCHAR(128)   NOT NULL, "
+                + "domainid    VARCHAR(128)   NOT NULL, "
+                + "description VARCHAR(128)      NOT NULL)";
+    }
+
+    protected Role fromResultSet(ResultSet rs) throws SQLException {
+        Role role = new Role();
+        try {
+            role.setRoleid(rs.getString(SQL_ID));
+            role.setDomainid(rs.getString(SQL_DOMAIN_ID));
+            role.setName(rs.getString(SQL_NAME));
+            role.setDescription(rs.getString(SQL_DESCR));
+        } catch (SQLException sqle) {
+            LOG.error("SQL Exception: ", sqle);
+            throw sqle;
+        }
+        return role;
+    }
+
+    protected Roles getRoles() throws StoreException {
+        Roles roles = new Roles();
+        roles.setRoles(listAll());
+        return roles;
+    }
+
+    protected Role getRole(String id) throws StoreException {
+        try (Connection conn = dbConnect();
+             PreparedStatement pstmt = conn
+                     .prepareStatement("SELECT * FROM ROLES WHERE roleid = ? ")) {
+            pstmt.setString(1, id);
+            LOG.debug("query string: {}", pstmt.toString());
+            return firstFromStatement(pstmt);
+        } catch (SQLException s) {
+            throw new StoreException("SQL Exception: " + s);
+        }
+    }
+
+    protected Role createRole(Role role) throws StoreException {
+        Preconditions.checkNotNull(role);
+        Preconditions.checkNotNull(role.getName());
+        Preconditions.checkNotNull(role.getDomainid());
+        String query = "insert into roles (roleid,domainid,name,description) values(?,?,?,?)";
+        try (Connection conn = dbConnect();
+             PreparedStatement statement = conn.prepareStatement(query)) {
+            role.setRoleid(IDMStoreUtil.createRoleid(role.getName(), role.getDomainid()));
+            statement.setString(1, role.getRoleid());
+            statement.setString(2, role.getDomainid());
+            statement.setString(3, role.getName());
+            statement.setString(4, role.getDescription());
+            int affectedRows = statement.executeUpdate();
+            if (affectedRows == 0) {
+                throw new StoreException("Creating role failed, no rows affected.");
+            }
+            return role;
+        } catch (SQLException s) {
+            throw new StoreException("SQL Exception : " + s);
+        }
+    }
+
+    protected Role putRole(Role role) throws StoreException {
+
+        Role savedRole = this.getRole(role.getRoleid());
+        if (savedRole == null) {
+            return null;
+        }
+
+        if (role.getDescription() != null) {
+            savedRole.setDescription(role.getDescription());
+        }
+        if (role.getName() != null) {
+            savedRole.setName(role.getName());
+        }
+
+        String query = "UPDATE roles SET description = ? WHERE roleid = ?";
+        try (Connection conn = dbConnect();
+             PreparedStatement statement = conn.prepareStatement(query)) {
+            statement.setString(1, savedRole.getDescription());
+            statement.setString(2, savedRole.getRoleid());
+            statement.executeUpdate();
+        } catch (SQLException s) {
+            throw new StoreException("SQL Exception : " + s);
+        }
+
+        return savedRole;
+    }
+
+    protected Role deleteRole(String roleid) throws StoreException {
+        roleid = StringEscapeUtils.escapeHtml4(roleid);
+        Role savedRole = this.getRole(roleid);
+        if (savedRole == null) {
+            return null;
+        }
+
+        String query = String.format("DELETE FROM ROLES WHERE roleid = '%s'", roleid);
+        try (Connection conn = dbConnect();
+             Statement statement = conn.createStatement()) {
+            int deleteCount = statement.executeUpdate(query);
+            LOG.debug("deleted {} records", deleteCount);
+            return savedRole;
+        } catch (SQLException s) {
+            throw new StoreException("SQL Exception : " + s);
+        }
+    }
+}
diff --git a/odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/StoreException.java b/odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/StoreException.java
new file mode 100644
index 00000000..7d2f2b9a
--- /dev/null
+++ b/odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/StoreException.java
@@ -0,0 +1,29 @@
+/*
+ * Copyright (c) 2014, 2016 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.h2.persistence;
+
+/**
+ * Exception indicating an error in an H2 data store.
+ *
+ * @author peter.mellquist@hp.com
+ */
+
+public class StoreException extends Exception {
+    public StoreException(String message) {
+        super(message);
+    }
+
+    public StoreException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    public StoreException(Throwable cause) {
+        super(cause);
+    }
+}
diff --git a/odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/UserStore.java b/odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/UserStore.java
new file mode 100644
index 00000000..96b8013f
--- /dev/null
+++ b/odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/aaa/h2/persistence/UserStore.java
@@ -0,0 +1,202 @@
+/*
+ * Copyright (c) 2014, 2016 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.h2.persistence;
+
+import com.google.common.base.Preconditions;
+
+import java.sql.Connection;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+
+import org.apache.commons.lang3.StringEscapeUtils;
+import org.opendaylight.aaa.api.IDMStoreUtil;
+import org.opendaylight.aaa.api.SHA256Calculator;
+import org.opendaylight.aaa.api.model.User;
+import org.opendaylight.aaa.api.model.Users;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ *
+ * @author peter.mellquist@hp.com
+ *
+ */
+public class UserStore extends AbstractStore<User> {
+    private static final Logger LOG = LoggerFactory.getLogger(UserStore.class);
+
+    protected final static String SQL_ID = "userid";
+    protected final static String SQL_DOMAIN_ID = "domainid";
+    protected final static String SQL_NAME = "name";
+    protected final static String SQL_EMAIL = "email";
+    protected final static String SQL_PASSWORD = "password";
+    protected final static String SQL_DESCR = "description";
+    protected final static String SQL_ENABLED = "enabled";
+    protected final static String SQL_SALT = "salt";
+    private static final String TABLE_NAME = "USERS";
+
+    protected UserStore() {
+        super(TABLE_NAME);
+    }
+
+    @Override
+    protected String getTableCreationStatement() {
+        return "CREATE TABLE users "
+                + "(userid    VARCHAR(128) PRIMARY KEY,"
+                + "name       VARCHAR(128)      NOT NULL, "
+                + "domainid   VARCHAR(128)      NOT NULL, "
+                + "email      VARCHAR(128)      NOT NULL, "
+                + "password   VARCHAR(128)      NOT NULL, "
+                + "description VARCHAR(128)     NOT NULL, "
+                + "salt        VARCHAR(15)      NOT NULL, "
+                + "enabled     INTEGER          NOT NULL)";
+    }
+
+    @Override
+    protected User fromResultSet(ResultSet rs) throws SQLException {
+        User user = new User();
+        try {
+            user.setUserid(rs.getString(SQL_ID));
+            user.setDomainid(rs.getString(SQL_DOMAIN_ID));
+            user.setName(rs.getString(SQL_NAME));
+            user.setEmail(rs.getString(SQL_EMAIL));
+            user.setPassword(rs.getString(SQL_PASSWORD));
+            user.setDescription(rs.getString(SQL_DESCR));
+            user.setEnabled(rs.getInt(SQL_ENABLED) == 1);
+            user.setSalt(rs.getString(SQL_SALT));
+        } catch (SQLException sqle) {
+            LOG.error("SQL Exception: ", sqle);
+            throw sqle;
+        }
+        return user;
+    }
+
+    protected Users getUsers() throws StoreException {
+        Users users = new Users();
+        users.setUsers(listAll());
+        return users;
+    }
+
+    protected Users getUsers(String username, String domain) throws StoreException {
+        LOG.debug("getUsers for: {} in domain {}", username, domain);
+
+        Users users = new Users();
+        try (Connection conn = dbConnect();
+             PreparedStatement pstmt = conn.prepareStatement("SELECT * FROM USERS WHERE userid = ? ")) {
+            pstmt.setString(1, IDMStoreUtil.createUserid(username, domain));
+            LOG.debug("query string: {}", pstmt.toString());
+            users.setUsers(listFromStatement(pstmt));
+        } catch (SQLException s) {
+            throw new StoreException("SQL Exception : " + s);
+        }
+        return users;
+    }
+
+    protected User getUser(String id) throws StoreException {
+        try (Connection conn = dbConnect();
+             PreparedStatement pstmt = conn.prepareStatement("SELECT * FROM USERS WHERE userid = ? ")) {
+            pstmt.setString(1, id);
+            LOG.debug("query string: {}", pstmt.toString());
+            return firstFromStatement(pstmt);
+        } catch (SQLException s) {
+            throw new StoreException("SQL Exception : " + s);
+        }
+    }
+
+    protected User createUser(User user) throws StoreException {
+        Preconditions.checkNotNull(user);
+        Preconditions.checkNotNull(user.getName());
+        Preconditions.checkNotNull(user.getDomainid());
+
+        user.setSalt(SHA256Calculator.generateSALT());
+        String query = "insert into users (userid,domainid,name,email,password,description,enabled,salt) values(?,?,?,?,?,?,?,?)";
+        try (Connection conn = dbConnect();
+             PreparedStatement statement = conn.prepareStatement(query)) {
+            user.setUserid(IDMStoreUtil.createUserid(user.getName(), user.getDomainid()));
+            statement.setString(1, user.getUserid());
+            statement.setString(2, user.getDomainid());
+            statement.setString(3, user.getName());
+            statement.setString(4, user.getEmail());
+            statement.setString(5, SHA256Calculator.getSHA256(user.getPassword(), user.getSalt()));
+            statement.setString(6, user.getDescription());
+            statement.setInt(7, user.isEnabled() ? 1 : 0);
+            statement.setString(8, user.getSalt());
+            int affectedRows = statement.executeUpdate();
+            if (affectedRows == 0) {
+                throw new StoreException("Creating user failed, no rows affected.");
+            }
+            return user;
+        } catch (SQLException s) {
+            throw new StoreException("SQL Exception : " + s);
+        }
+    }
+
+    protected User putUser(User user) throws StoreException {
+
+        User savedUser = this.getUser(user.getUserid());
+        if (savedUser == null) {
+            return null;
+        }
+
+        if (user.getDescription() != null) {
+            savedUser.setDescription(user.getDescription());
+        }
+        if (user.getName() != null) {
+            savedUser.setName(user.getName());
+        }
+        if (user.isEnabled() != null) {
+            savedUser.setEnabled(user.isEnabled());
+        }
+        if (user.getEmail() != null) {
+            savedUser.setEmail(user.getEmail());
+        }
+        if (user.getPassword() != null) {
+            // If a new salt is provided, use it.  Otherwise, derive salt from existing.
+            String salt = user.getSalt();
+            if (salt == null) {
+                salt = savedUser.getSalt();
+            }
+            savedUser.setPassword(SHA256Calculator.getSHA256(user.getPassword(), salt));
+        }
+
+        String query = "UPDATE users SET email = ?, password = ?, description = ?, enabled = ? WHERE userid = ?";
+        try (Connection conn = dbConnect();
+             PreparedStatement statement = conn.prepareStatement(query)) {
+            statement.setString(1, savedUser.getEmail());
+            statement.setString(2, savedUser.getPassword());
+            statement.setString(3, savedUser.getDescription());
+            statement.setInt(4, savedUser.isEnabled() ? 1 : 0);
+            statement.setString(5, savedUser.getUserid());
+            statement.executeUpdate();
+        } catch (SQLException s) {
+            throw new StoreException("SQL Exception : " + s);
+        }
+
+        return savedUser;
+    }
+
+    protected User deleteUser(String userid) throws StoreException {
+        userid = StringEscapeUtils.escapeHtml4(userid);
+        User savedUser = this.getUser(userid);
+        if (savedUser == null) {
+            return null;
+        }
+
+        String query = String.format("DELETE FROM USERS WHERE userid = '%s'", userid);
+        try (Connection conn = dbConnect();
+             Statement statement = conn.createStatement()) {
+            int deleteCount = statement.executeUpdate(query);
+            LOG.debug("deleted {} records", deleteCount);
+            return savedUser;
+        } catch (SQLException s) {
+            throw new StoreException("SQL Exception : " + s);
+        }
+    }
+}
diff --git a/odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/h2/store/rev151128/AAAH2StoreModule.java b/odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/h2/store/rev151128/AAAH2StoreModule.java
new file mode 100644
index 00000000..fe7dd2a6
--- /dev/null
+++ b/odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/h2/store/rev151128/AAAH2StoreModule.java
@@ -0,0 +1,49 @@
+package org.opendaylight.yang.gen.v1.config.aaa.authn.h2.store.rev151128;
+
+import org.opendaylight.aaa.api.IIDMStore;
+import org.opendaylight.aaa.h2.persistence.H2Store;
+import org.osgi.framework.BundleContext;
+import org.osgi.framework.ServiceRegistration;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class AAAH2StoreModule extends org.opendaylight.yang.gen.v1.config.aaa.authn.h2.store.rev151128.AbstractAAAH2StoreModule {
+
+    private BundleContext bundleContext;
+    private static final Logger LOG = LoggerFactory.getLogger(AAAH2StoreModule.class);
+
+    public AAAH2StoreModule(org.opendaylight.controller.config.api.ModuleIdentifier identifier, org.opendaylight.controller.config.api.DependencyResolver dependencyResolver) {
+        super(identifier, dependencyResolver);
+    }
+
+    public AAAH2StoreModule(org.opendaylight.controller.config.api.ModuleIdentifier identifier, org.opendaylight.controller.config.api.DependencyResolver dependencyResolver, org.opendaylight.yang.gen.v1.config.aaa.authn.h2.store.rev151128.AAAH2StoreModule oldModule, java.lang.AutoCloseable oldInstance) {
+        super(identifier, dependencyResolver, oldModule, oldInstance);
+    }
+
+    @Override
+    public java.lang.AutoCloseable createInstance() {
+        final H2Store h2Store = new H2Store();
+        final ServiceRegistration<?> serviceRegistration = bundleContext.registerService(IIDMStore.class.getName(), h2Store, null);
+        LOG.info("AAA H2 Store Initialized");
+        return new AutoCloseable() {
+            @Override
+            public void close() throws Exception {
+                serviceRegistration.unregister();
+            }
+        };
+    }
+
+    /**
+     * @param bundleContext
+     */
+    public void setBundleContext(BundleContext bundleContext) {
+        this.bundleContext = bundleContext;
+    }
+
+    /**
+     * @return the bundleContext
+     */
+    public BundleContext getBundleContext() {
+        return bundleContext;
+    }
+}
diff --git a/odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/h2/store/rev151128/AAAH2StoreModuleFactory.java b/odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/h2/store/rev151128/AAAH2StoreModuleFactory.java
new file mode 100644
index 00000000..dc9e7f99
--- /dev/null
+++ b/odl-aaa-moon/aaa-h2-store/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/h2/store/rev151128/AAAH2StoreModuleFactory.java
@@ -0,0 +1,29 @@
+/*
+* Generated file
+*
+* Generated from: yang module name: aaa-h2-store yang module local name: aaa-h2-store
+* Generated by: org.opendaylight.controller.config.yangjmxgenerator.plugin.JMXGenerator
+* Generated at: Sat Nov 28 11:00:15 PST 2015
+*
+* Do not modify this file unless it is present under src/main directory
+*/
+package org.opendaylight.yang.gen.v1.config.aaa.authn.h2.store.rev151128;
+
+import org.opendaylight.controller.config.api.DependencyResolver;
+import org.osgi.framework.BundleContext;
+
+public class AAAH2StoreModuleFactory extends org.opendaylight.yang.gen.v1.config.aaa.authn.h2.store.rev151128.AbstractAAAH2StoreModuleFactory {
+    @Override
+    public AAAH2StoreModule instantiateModule(String instanceName, DependencyResolver dependencyResolver, AAAH2StoreModule oldModule, AutoCloseable oldInstance, BundleContext bundleContext) {
+        AAAH2StoreModule module =  super.instantiateModule(instanceName, dependencyResolver, oldModule, oldInstance, bundleContext);
+        module.setBundleContext(bundleContext);
+        return module;
+    }
+
+    @Override
+    public AAAH2StoreModule instantiateModule(String instanceName, DependencyResolver dependencyResolver, BundleContext bundleContext) {
+        AAAH2StoreModule module = super.instantiateModule(instanceName, dependencyResolver, bundleContext);
+        module.setBundleContext(bundleContext);
+        return module;
+    }
+}
diff --git a/odl-aaa-moon/aaa-h2-store/src/main/resources/initial/08-aaa-h2-store-config.xml b/odl-aaa-moon/aaa-h2-store/src/main/resources/initial/08-aaa-h2-store-config.xml
new file mode 100644
index 00000000..cfe60812
--- /dev/null
+++ b/odl-aaa-moon/aaa-h2-store/src/main/resources/initial/08-aaa-h2-store-config.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- vi: set et smarttab sw=4 tabstop=4: -->
+<!--
+ Copyright (c) 2015 Cisco Systems, Inc. and others.  All rights reserved.
+
+ This program and the accompanying materials are made available under the
+ terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ and is available at http://www.eclipse.org/legal/epl-v10.html
+-->
+<snapshot>
+    <configuration>
+        <data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
+            <modules xmlns="urn:opendaylight:params:xml:ns:yang:controller:config">
+                <module>
+                    <type xmlns:authn="config:aaa:authn:h2:store">authn:aaa-h2-store</type>
+                    <name>aaa-h2-store</name>
+                </module>
+            </modules>
+        </data>
+    </configuration>
+    <required-capabilities>
+        <capability>config:aaa:authn:h2:store?module=aaa-h2-store&amp;revision=2015-11-28</capability>
+    </required-capabilities>
+
+</snapshot>
+
diff --git a/odl-aaa-moon/aaa-h2-store/src/main/yang/aaa-h2-store.yang b/odl-aaa-moon/aaa-h2-store/src/main/yang/aaa-h2-store.yang
new file mode 100644
index 00000000..af2d9bdc
--- /dev/null
+++ b/odl-aaa-moon/aaa-h2-store/src/main/yang/aaa-h2-store.yang
@@ -0,0 +1,28 @@
+module aaa-h2-store {
+  yang-version 1;
+  namespace "config:aaa:authn:h2:store";
+  prefix "aaa-h2-store";
+    organization "OpenDayLight";
+
+    import config { prefix config; revision-date 2013-04-05; }
+    import opendaylight-md-sal-binding { prefix mdsal; revision-date 2013-10-28; }
+
+    contact "saichler@gmail.com";
+
+    revision 2015-11-28 {
+        description
+            "Initial revision.";
+    }
+
+    identity aaa-h2-store {
+        base config:module-type;
+        config:java-name-prefix AAAH2Store;
+    }
+
+    augment "/config:modules/config:module/config:configuration" {
+        case aaa-h2-store {
+            when "/config:modules/config:module/config:type = 'aaa-h2-store'";
+        }
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/DomainStoreTest.java b/odl-aaa-moon/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/DomainStoreTest.java
new file mode 100644
index 00000000..f11a99eb
--- /dev/null
+++ b/odl-aaa-moon/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/DomainStoreTest.java
@@ -0,0 +1,76 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.h2.persistence;
+
+import static org.junit.Assert.*;
+import static org.mockito.Mockito.*;
+
+import java.sql.Connection;
+import java.sql.DatabaseMetaData;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mockito;
+import org.opendaylight.aaa.api.model.Domains;
+import org.opendaylight.aaa.h2.persistence.DomainStore;
+
+public class DomainStoreTest {
+
+    Connection connectionMock = mock(Connection.class);
+    private final DomainStore domainStoreUnderTest = new DomainStore();
+
+    @Before
+    public void setup() {
+        domainStoreUnderTest.dbConnection = connectionMock;
+    }
+
+    @After
+    public void teardown() {
+        // dts.destroy();
+    }
+
+    @Test
+    public void getDomainsTest() throws SQLException, Exception {
+        // Setup Mock Behavior
+        String[] tableTypes = { "TABLE" };
+        Mockito.when(connectionMock.isClosed()).thenReturn(false);
+        DatabaseMetaData dbmMock = mock(DatabaseMetaData.class);
+        Mockito.when(connectionMock.getMetaData()).thenReturn(dbmMock);
+        ResultSet rsUserMock = mock(ResultSet.class);
+        Mockito.when(dbmMock.getTables(null, null, "DOMAINS", tableTypes)).thenReturn(rsUserMock);
+        Mockito.when(rsUserMock.next()).thenReturn(true);
+
+        Statement stmtMock = mock(Statement.class);
+        Mockito.when(connectionMock.createStatement()).thenReturn(stmtMock);
+
+        ResultSet rsMock = getMockedResultSet();
+        Mockito.when(stmtMock.executeQuery(anyString())).thenReturn(rsMock);
+
+        // Run Test
+        Domains domains = domainStoreUnderTest.getDomains();
+
+        // Verify
+        assertTrue(domains.getDomains().size() == 1);
+        verify(stmtMock).close();
+    }
+
+    public ResultSet getMockedResultSet() throws SQLException {
+        ResultSet rsMock = mock(ResultSet.class);
+        Mockito.when(rsMock.next()).thenReturn(true).thenReturn(false);
+        Mockito.when(rsMock.getInt(DomainStore.SQL_ID)).thenReturn(1);
+        Mockito.when(rsMock.getString(DomainStore.SQL_NAME)).thenReturn("DomainName_1");
+        Mockito.when(rsMock.getString(DomainStore.SQL_DESCR)).thenReturn("Desc_1");
+        Mockito.when(rsMock.getInt(DomainStore.SQL_ENABLED)).thenReturn(1);
+        return rsMock;
+    }
+}
diff --git a/odl-aaa-moon/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/GrantStoreTest.java b/odl-aaa-moon/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/GrantStoreTest.java
new file mode 100644
index 00000000..168b67e2
--- /dev/null
+++ b/odl-aaa-moon/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/GrantStoreTest.java
@@ -0,0 +1,76 @@
+/*
+ * Copyright (c) 2014, 2016 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.h2.persistence;
+
+import static org.junit.Assert.assertTrue;
+import static org.mockito.Matchers.anyString;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+
+import java.sql.Connection;
+import java.sql.DatabaseMetaData;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mockito;
+import org.opendaylight.aaa.api.model.Grants;
+
+public class GrantStoreTest {
+
+    Connection connectionMock = mock(Connection.class);
+    private final GrantStore grantStoreUnderTest = new GrantStore();
+    private String did = "5";
+    private String uid = "5";
+
+    @Before
+    public void setup() {
+        grantStoreUnderTest.dbConnection = connectionMock;
+    }
+
+    @Test
+    public void getGrantsTest() throws Exception {
+        // Setup Mock Behavior
+        String[] tableTypes = { "TABLE" };
+        Mockito.when(connectionMock.isClosed()).thenReturn(false);
+        DatabaseMetaData dbmMock = mock(DatabaseMetaData.class);
+        Mockito.when(connectionMock.getMetaData()).thenReturn(dbmMock);
+        ResultSet rsUserMock = mock(ResultSet.class);
+        Mockito.when(dbmMock.getTables(null, null, "GRANTS", tableTypes)).thenReturn(rsUserMock);
+        Mockito.when(rsUserMock.next()).thenReturn(true);
+
+        PreparedStatement pstmtMock = mock(PreparedStatement.class);
+        Mockito.when(connectionMock.prepareStatement(anyString())).thenReturn(pstmtMock);
+
+        ResultSet rsMock = getMockedResultSet();
+        Mockito.when(pstmtMock.executeQuery()).thenReturn(rsMock);
+
+        // Run Test
+        Grants grants = grantStoreUnderTest.getGrants(did, uid);
+
+        // Verify
+        assertTrue(grants.getGrants().size() == 1);
+        verify(pstmtMock).close();
+    }
+
+    public ResultSet getMockedResultSet() throws SQLException {
+        ResultSet rsMock = mock(ResultSet.class);
+        Mockito.when(rsMock.next()).thenReturn(true).thenReturn(false);
+        Mockito.when(rsMock.getInt(GrantStore.SQL_ID)).thenReturn(1);
+        Mockito.when(rsMock.getString(GrantStore.SQL_TENANTID)).thenReturn(did);
+        Mockito.when(rsMock.getString(GrantStore.SQL_USERID)).thenReturn(uid);
+        Mockito.when(rsMock.getString(GrantStore.SQL_ROLEID)).thenReturn("Role_1");
+
+        return rsMock;
+
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/H2StoreTest.java b/odl-aaa-moon/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/H2StoreTest.java
new file mode 100644
index 00000000..f583a302
--- /dev/null
+++ b/odl-aaa-moon/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/H2StoreTest.java
@@ -0,0 +1,187 @@
+/*
+ * Copyright (c) 2016 Cisco Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.h2.persistence;
+
+import java.io.File;
+import java.sql.SQLException;
+
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.opendaylight.aaa.api.IDMStoreUtil;
+import org.opendaylight.aaa.api.IIDMStore;
+import org.opendaylight.aaa.api.model.Domain;
+import org.opendaylight.aaa.api.model.Grant;
+import org.opendaylight.aaa.api.model.Role;
+import org.opendaylight.aaa.api.model.User;
+
+public class H2StoreTest {
+    @BeforeClass
+    public static void start() {
+        File f = new File("idmlight.db.mv.db");
+        if (f.exists()) {
+            f.delete();
+        }
+        f = new File("idmlight.db.trace.db");
+        if (f.exists()) {
+            f.delete();
+        }
+    }
+
+    @AfterClass
+    public static void end() {
+        File f = new File("idmlight.db.mv.db");
+        if (f.exists()) {
+            f.delete();
+        }
+        f = new File("idmlight.db.trace.db");
+        if (f.exists()) {
+            f.delete();
+        }
+    }
+
+    @Before
+    public void before() throws StoreException, SQLException {
+        UserStore us = new UserStore();
+        us.dbClean();
+        DomainStore ds = new DomainStore();
+        ds.dbClean();
+        RoleStore rs = new RoleStore();
+        rs.dbClean();
+        GrantStore gs = new GrantStore();
+        gs.dbClean();
+    }
+
+    @Test
+    public void testCreateDefaultDomain() throws StoreException {
+        Domain d = new Domain();
+        Assert.assertEquals(true, d != null);
+        DomainStore ds = new DomainStore();
+        d.setName(IIDMStore.DEFAULT_DOMAIN);
+        d.setEnabled(true);
+        d = ds.createDomain(d);
+        Assert.assertEquals(true, d != null);
+    }
+
+    @Test
+    public void testCreateTempRole() throws StoreException {
+        Role role = H2Store.createRole("temp", "temp domain", "Temp Testing role");
+        Assert.assertEquals(true, role != null);
+    }
+
+    @Test
+    public void testCreateUser() throws StoreException {
+        User user = H2Store.createUser("test", "pass", "domain", "desc", "email", true, "SALT");
+        Assert.assertEquals(true, user != null);
+    }
+
+    @Test
+    public void testCreateGrant() throws StoreException {
+        Domain d = H2Store.createDomain("sdn", true);
+        Role role = H2Store.createRole("temp", "temp domain", "Temp Testing role");
+        User user = H2Store.createUser("test", "pass", "domain", "desc", "email", true, "SALT");
+        Grant g = H2Store.createGrant(d.getDomainid(), user.getUserid(), role.getRoleid());
+        Assert.assertEquals(true, g != null);
+    }
+
+    @Test
+    public void testUpdatingUserEmail() throws StoreException {
+        UserStore us = new UserStore();
+        Domain d = H2Store.createDomain("sdn", true);
+        User user = H2Store.createUser("test", "pass", d.getDomainid(), "desc", "email", true,
+                "SALT");
+
+        user.setName("test");
+        user = us.putUser(user);
+        Assert.assertEquals(true, user != null);
+
+        user.setEmail("Test@Test.com");
+        user = us.putUser(user);
+
+        user = new User();
+        user.setName("test");
+        user.setDomainid(d.getDomainid());
+        user = us.getUser(IDMStoreUtil.createUserid(user.getName(), user.getDomainid()));
+
+        Assert.assertEquals("Test@Test.com", user.getEmail());
+    }
+    /*
+     * @Test public void testCreateUserViaAPI() throws StoreException { Domain d
+     * = StoreBuilder.createDomain("sdn",true);
+     *
+     * User user = new User(); user.setName("Hello"); user.setPassword("Hello");
+     * user.setDomainid(d.getDomainid()); UserHandler h = new UserHandler();
+     * h.createUser(null, user);
+     *
+     * User u = new User(); u.setName("Hello"); u.setDomainid(d.getDomainid());
+     * UserStore us = new UserStore(); u =
+     * us.getUser(IDMStoreUtil.createUserid(u.getName(),u.getDomainid()));
+     *
+     * Assert.assertEquals(true, u != null); }
+     *
+     * @Test public void testUpdateUserViaAPI() throws StoreException { Domain d
+     * = StoreBuilder.createDomain("sdn",true);
+     *
+     * User user = new User(); user.setName("Hello"); user.setPassword("Hello");
+     * user.setDomainid(d.getDomainid()); UserHandler h = new UserHandler();
+     * h.createUser(null, user);
+     *
+     * user.setEmail("Hello@Hello.com"); user.setPassword("Test123");
+     * h.putUser(null, user, "" + user.getUserid());
+     *
+     * UserStore us = new UserStore();
+     *
+     * User u = new User(); u.setName("Hello"); u.setDomainid(d.getDomainid());
+     * u = us.getUser(IDMStoreUtil.createUserid(u.getName(),u.getDomainid()));
+     *
+     * Assert.assertEquals("Hello@Hello.com", u.getEmail());
+     *
+     * String hash = SHA256Calculator.getSHA256("Test123", u.getSalt());
+     * Assert.assertEquals(u.getPassword(), hash); }
+     *
+     * @Test public void testUpdateUserRoleViaAPI() throws StoreException {
+     * Domain d = StoreBuilder.createDomain("sdn",true); Role role1 =
+     * StoreBuilder.createRole("temp1",d.getDomainid(),"Temp Testing role");
+     * Role role2 =
+     * StoreBuilder.createRole("temp2",d.getDomainid(),"Temp Testing role");
+     *
+     * User user = new User(); user.setName("Hello"); user.setPassword("Hello");
+     * user.setDomainid(d.getDomainid());
+     *
+     * UserHandler h = new UserHandler(); h.createUser(null, user);
+     *
+     * user.setEmail("Hello@Hello.com"); user.setPassword("Test123");
+     * h.putUser(null, user, user.getUserid());
+     *
+     * Grant g = new Grant(); g.setUserid(user.getUserid());
+     * g.setDomainid(d.getDomainid()); g.setRoleid(role1.getRoleid());
+     * GrantStore gs = new GrantStore(); g = gs.createGrant(g);
+     *
+     * Assert.assertEquals(true, g != null); Assert.assertEquals(g.getRoleid(),
+     * role1.getRoleid());
+     *
+     * g = gs.deleteGrant(IDMStoreUtil.createGrantid(user.getUserid(),
+     * d.getDomainid(), role1.getRoleid())); g.setRoleid(role2.getRoleid()); g =
+     * gs.createGrant(g);
+     *
+     * Assert.assertEquals(true, g != null); Assert.assertEquals(g.getRoleid(),
+     * role2.getRoleid());
+     *
+     * User u = new User(); u.setName("Hello"); u.setDomainid(d.getDomainid());
+     * UserStore us = new UserStore(); u =
+     * us.getUser(IDMStoreUtil.createUserid(u.getName(),u.getDomainid()));
+     *
+     * Assert.assertEquals("Hello@Hello.com", u.getEmail());
+     *
+     * String hash = SHA256Calculator.getSHA256("Test123", u.getSalt());
+     * Assert.assertEquals(true, hash.equals(u.getPassword())); }
+     */
+}
diff --git a/odl-aaa-moon/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/RoleStoreTest.java b/odl-aaa-moon/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/RoleStoreTest.java
new file mode 100644
index 00000000..37cb17a6
--- /dev/null
+++ b/odl-aaa-moon/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/RoleStoreTest.java
@@ -0,0 +1,76 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.h2.persistence;
+
+import static org.junit.Assert.*;
+import static org.mockito.Mockito.*;
+
+import java.sql.Connection;
+import java.sql.DatabaseMetaData;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mockito;
+import org.opendaylight.aaa.api.model.Roles;
+import org.opendaylight.aaa.h2.persistence.RoleStore;
+
+public class RoleStoreTest {
+
+    Connection connectionMock = mock(Connection.class);
+    private final RoleStore RoleStoreUnderTest = new RoleStore();
+
+    @Before
+    public void setup() {
+        RoleStoreUnderTest.dbConnection = connectionMock;
+    }
+
+    @After
+    public void teardown() {
+        // dts.destroy();
+    }
+
+    @Test
+    public void getRolesTest() throws SQLException, Exception {
+        // Setup Mock Behavior
+        String[] tableTypes = { "TABLE" };
+        Mockito.when(connectionMock.isClosed()).thenReturn(false);
+        DatabaseMetaData dbmMock = mock(DatabaseMetaData.class);
+        Mockito.when(connectionMock.getMetaData()).thenReturn(dbmMock);
+        ResultSet rsUserMock = mock(ResultSet.class);
+        Mockito.when(dbmMock.getTables(null, null, "ROLES", tableTypes)).thenReturn(rsUserMock);
+        Mockito.when(rsUserMock.next()).thenReturn(true);
+
+        Statement stmtMock = mock(Statement.class);
+        Mockito.when(connectionMock.createStatement()).thenReturn(stmtMock);
+
+        ResultSet rsMock = getMockedResultSet();
+        Mockito.when(stmtMock.executeQuery(anyString())).thenReturn(rsMock);
+
+        // Run Test
+        Roles roles = RoleStoreUnderTest.getRoles();
+
+        // Verify
+        assertTrue(roles.getRoles().size() == 1);
+        verify(stmtMock).close();
+
+    }
+
+    public ResultSet getMockedResultSet() throws SQLException {
+        ResultSet rsMock = mock(ResultSet.class);
+        Mockito.when(rsMock.next()).thenReturn(true).thenReturn(false);
+        Mockito.when(rsMock.getInt(RoleStore.SQL_ID)).thenReturn(1);
+        Mockito.when(rsMock.getString(RoleStore.SQL_NAME)).thenReturn("RoleName_1");
+        Mockito.when(rsMock.getString(RoleStore.SQL_DESCR)).thenReturn("Desc_1");
+        return rsMock;
+    }
+}
diff --git a/odl-aaa-moon/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/UserStoreTest.java b/odl-aaa-moon/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/UserStoreTest.java
new file mode 100644
index 00000000..e214c261
--- /dev/null
+++ b/odl-aaa-moon/aaa-h2-store/src/test/java/org/opendaylight/aaa/h2/persistence/UserStoreTest.java
@@ -0,0 +1,79 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.h2.persistence;
+
+import static org.junit.Assert.*;
+import static org.mockito.Mockito.*;
+
+import java.sql.Connection;
+import java.sql.DatabaseMetaData;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mockito;
+import org.opendaylight.aaa.api.model.Users;
+import org.opendaylight.aaa.h2.persistence.UserStore;
+
+public class UserStoreTest {
+
+    Connection connectionMock = mock(Connection.class);
+    private final UserStore userStoreUnderTest = new UserStore();
+
+    @Before
+    public void setup() {
+        userStoreUnderTest.dbConnection = connectionMock;
+    }
+
+    @After
+    public void teardown() {
+        // dts.destroy();
+    }
+
+    @Test
+    public void getUsersTest() throws SQLException, Exception {
+        // Setup Mock Behavior
+        String[] tableTypes = { "TABLE" };
+        Mockito.when(connectionMock.isClosed()).thenReturn(false);
+        DatabaseMetaData dbmMock = mock(DatabaseMetaData.class);
+        Mockito.when(connectionMock.getMetaData()).thenReturn(dbmMock);
+        ResultSet rsUserMock = mock(ResultSet.class);
+        Mockito.when(dbmMock.getTables(null, null, "USERS", tableTypes)).thenReturn(rsUserMock);
+        Mockito.when(rsUserMock.next()).thenReturn(true);
+
+        Statement stmtMock = mock(Statement.class);
+        Mockito.when(connectionMock.createStatement()).thenReturn(stmtMock);
+
+        ResultSet rsMock = getMockedResultSet();
+        Mockito.when(stmtMock.executeQuery(anyString())).thenReturn(rsMock);
+
+        // Run Test
+        Users users = userStoreUnderTest.getUsers();
+
+        // Verify
+        assertTrue(users.getUsers().size() == 1);
+        verify(stmtMock).close();
+
+    }
+
+    public ResultSet getMockedResultSet() throws SQLException {
+        ResultSet rsMock = mock(ResultSet.class);
+        Mockito.when(rsMock.next()).thenReturn(true).thenReturn(false);
+        Mockito.when(rsMock.getInt(UserStore.SQL_ID)).thenReturn(1);
+        Mockito.when(rsMock.getString(UserStore.SQL_NAME)).thenReturn("Name_1");
+        Mockito.when(rsMock.getString(UserStore.SQL_EMAIL)).thenReturn("Name_1@company.com");
+        Mockito.when(rsMock.getString(UserStore.SQL_PASSWORD)).thenReturn("Pswd_1");
+        Mockito.when(rsMock.getString(UserStore.SQL_DESCR)).thenReturn("Desc_1");
+        Mockito.when(rsMock.getInt(UserStore.SQL_ENABLED)).thenReturn(1);
+        return rsMock;
+    }
+}
diff --git a/odl-aaa-moon/aaa-idmlight/pom.xml b/odl-aaa-moon/aaa-idmlight/pom.xml
new file mode 100644
index 00000000..5a86b0d1
--- /dev/null
+++ b/odl-aaa-moon/aaa-idmlight/pom.xml
@@ -0,0 +1,229 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.opendaylight.aaa</groupId>
+        <artifactId>aaa-parent</artifactId>
+        <version>0.3.1-Beryllium-SR1</version>
+        <relativePath>../parent</relativePath>
+    </parent>
+
+    <artifactId>aaa-idmlight</artifactId>
+    <packaging>bundle</packaging>
+
+    <dependencies>
+        <!--Yang Binding -->
+        <dependency>
+            <groupId>org.opendaylight.controller</groupId>
+            <artifactId>config-api</artifactId>
+            <version>${config.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.controller</groupId>
+            <artifactId>sal-binding-config</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.controller</groupId>
+            <artifactId>sal-binding-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.controller</groupId>
+            <artifactId>sal-common-util</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.sun.jersey</groupId>
+            <artifactId>jersey-server</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>javax.servlet-api</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.felix</groupId>
+            <artifactId>org.apache.felix.dependencymanager</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-all</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.osgi</groupId>
+            <artifactId>org.osgi.core</artifactId>
+        </dependency>
+
+        <!-- JSON JAXB Stuff -->
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-core</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-annotations</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.datatype</groupId>
+            <artifactId>jackson-datatype-json-org</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.jaxrs</groupId>
+            <artifactId>jackson-jaxrs-base</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.jaxrs</groupId>
+            <artifactId>jackson-jaxrs-json-provider</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.module</groupId>
+            <artifactId>jackson-module-jaxb-annotations</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.eclipse.jetty</groupId>
+            <artifactId>jetty-servlets</artifactId>
+            <scope>provided</scope>
+        </dependency>
+
+        <!-- Testing Dependencies -->
+        <dependency>
+            <groupId>com.sun.jersey.jersey-test-framework</groupId>
+            <artifactId>jersey-test-framework-grizzly2</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-simple</artifactId>
+            <scope>test</scope>
+        </dependency>
+
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.opendaylight.yangtools</groupId>
+                <artifactId>yang-maven-plugin</artifactId>
+                <version>${yangtools.version}</version>
+                <executions>
+                    <execution>
+                        <id>config</id>
+                        <goals>
+                            <goal>generate-sources</goal>
+                        </goals>
+                        <configuration>
+                            <codeGenerators>
+                                <generator>
+                                    <codeGeneratorClass>org.opendaylight.controller.config.yangjmxgenerator.plugin.JMXGenerator</codeGeneratorClass>
+                                    <outputBaseDir>${jmxGeneratorPath}</outputBaseDir>
+                                    <additionalConfiguration>
+                                        <namespaceToPackage1>urn:opendaylight:params:xml:ns:yang:controller==org.opendaylight.controller.config.yang</namespaceToPackage1>
+                                    </additionalConfiguration>
+                                </generator>
+                                <generator>
+                                    <codeGeneratorClass>org.opendaylight.yangtools.maven.sal.api.gen.plugin.CodeGeneratorImpl</codeGeneratorClass>
+                                    <outputBaseDir>${salGeneratorPath}</outputBaseDir>
+                                </generator>
+                            </codeGenerators>
+                            <inspectDependencies>true</inspectDependencies>
+                        </configuration>
+                    </execution>
+                </executions>
+                <dependencies>
+                    <dependency>
+                        <groupId>org.opendaylight.mdsal</groupId>
+                        <artifactId>maven-sal-api-gen-plugin</artifactId>
+                        <version>${yangtools.version}</version>
+                        <type>jar</type>
+                    </dependency>
+                    <dependency>
+                        <groupId>org.opendaylight.controller</groupId>
+                        <artifactId>yang-jmx-generator-plugin</artifactId>
+                        <version>${config.version}</version>
+                    </dependency>
+                </dependencies>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>build-helper-maven-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>attach-artifacts</id>
+                        <goals>
+                            <goal>attach-artifact</goal>
+                        </goals>
+                        <phase>package</phase>
+                        <configuration>
+                            <artifacts>
+                                <artifact>
+                                    <file>${project.build.directory}/classes/initial/08-aaa-idmlight-config.xml</file>
+                                    <type>xml</type>
+                                    <classifier>config</classifier>
+                                </artifact>
+                            </artifacts>
+                        </configuration>
+                    </execution>
+                    <execution>
+                        <id>attach-artifacts-idmtool</id>
+                        <goals>
+                            <goal>attach-artifact</goal>
+                        </goals>
+                        <phase>package</phase>
+                        <configuration>
+                            <artifacts>
+                                <artifact>
+                                    <file>${project.build.directory}/classes/idmtool.py</file>
+                                    <type>py</type>
+                                    <classifier>config</classifier>
+                                </artifact>
+                            </artifacts>
+                        </configuration>
+                    </execution>
+
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.felix</groupId>
+                <artifactId>maven-bundle-plugin</artifactId>
+                <!-- override default version so we don't use bnd 2.3.0 when embedding sqlite -->
+
+                <extensions>true</extensions>
+                <configuration>
+                    <instructions>
+                        <Import-Package>org.opendaylight.aaa.shiro.realm,org.apache.shiro.web.env,org.apache.shiro.authc,org.opendaylight.aaa.shiro.web.env,org.opendaylight.aaa.shiro.filters,javax.servlet.http,javax.ws.rs,javax.ws.rs.core,javax.xml.bind.annotation,org.apache.felix.dm,org.opendaylight.aaa,org.opendaylight.aaa.api.*,org.osgi.framework,org.slf4j,org.eclipse.jetty.servlets,com.sun.jersey.spi.container.servlet,com.google.*,org.opendaylight.*,org.osgi.util.tracker</Import-Package>
+                        <Web-ContextPath>/auth</Web-ContextPath>
+                        <!--<Web-Connectors>adminConn</Web-Connectors> -->
+                        <!--Bundle-Activator>org.opendaylight.aaa.idm.Activator</Bundle-Activator-->
+                    </instructions>
+                    <manifestLocation>${project.basedir}/META-INF</manifestLocation>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+
+</project>
diff --git a/odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/IdmLightApplication.java b/odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/IdmLightApplication.java
new file mode 100644
index 00000000..6fcba5d6
--- /dev/null
+++ b/odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/IdmLightApplication.java
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.idm;
+
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.ws.rs.core.Application;
+
+import org.opendaylight.aaa.idm.rest.DomainHandler;
+import org.opendaylight.aaa.idm.rest.RoleHandler;
+import org.opendaylight.aaa.idm.rest.UserHandler;
+import org.opendaylight.aaa.idm.rest.VersionHandler;
+
+/**
+ * A JAX-RS application for IdmLight.  The REST endpoints delivered by this
+ * application are in the form:
+ * <code>http://{HOST}:{PORT}/auth/v1/</code>
+ *
+ * For example, the users REST endpoint is:
+ * <code>http://{HOST}:{PORT}/auth/v1/users</code>
+ *
+ * This application is responsible for interaction with the backing h2
+ * database store.
+ *
+ * @author liemmn
+ * @author Ryan Goulding (ryandgoulding@gmail.com)
+ * @see <code>org.opendaylight.aaa.idm.rest.DomainHandler</code>
+ * @see <code>org.opendaylight.aaa.idm.rest.UserHandler</code>
+ * @see <code>org.opendaylight.aaa.idm.rest.RoleHandler</code>
+ */
+public class IdmLightApplication extends Application {
+
+    //TODO create a bug to address the fact that the implementation assumes 128
+    // as the max length, even though this claims 256.
+    /**
+     * The maximum field length for identity fields.
+     */
+    public static final int MAX_FIELD_LEN = 256;
+    public IdmLightApplication() {
+    }
+
+    @Override
+    public Set<Class<?>> getClasses() {
+        return new HashSet<Class<?>>(Arrays.asList(VersionHandler.class,
+                                                   DomainHandler.class,
+                                                   RoleHandler.class,
+                                                   UserHandler.class));
+    }
+}
diff --git a/odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/IdmLightProxy.java b/odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/IdmLightProxy.java
new file mode 100644
index 00000000..d17d2b13
--- /dev/null
+++ b/odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/IdmLightProxy.java
@@ -0,0 +1,208 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.idm;
+
+import com.google.common.base.Preconditions;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import org.opendaylight.aaa.ClaimBuilder;
+import org.opendaylight.aaa.api.AuthenticationException;
+import org.opendaylight.aaa.api.Claim;
+import org.opendaylight.aaa.api.CredentialAuth;
+import org.opendaylight.aaa.api.IDMStoreException;
+import org.opendaylight.aaa.api.IIDMStore;
+import org.opendaylight.aaa.api.IdMService;
+import org.opendaylight.aaa.api.PasswordCredentials;
+import org.opendaylight.aaa.api.SHA256Calculator;
+import org.opendaylight.aaa.api.model.Domain;
+import org.opendaylight.aaa.api.model.Grant;
+import org.opendaylight.aaa.api.model.Grants;
+import org.opendaylight.aaa.api.model.Role;
+import org.opendaylight.aaa.api.model.User;
+import org.opendaylight.aaa.api.model.Users;
+import org.opendaylight.yang.gen.v1.config.aaa.authn.idmlight.rev151204.AAAIDMLightModule;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * An OSGi proxy for the IdmLight server.
+ *
+ */
+public class IdmLightProxy implements CredentialAuth<PasswordCredentials>, IdMService {
+
+    private static final Logger LOG = LoggerFactory.getLogger(IdmLightProxy.class);
+
+    /**
+     * claimCache is responsible for storing the active claims per domain.  The
+     * outer map is keyed by domain, and the inner map is keyed by
+     * <code>PasswordCredentials</code>.
+     */
+    private static Map<String, Map<PasswordCredentials, Claim>> claimCache = new ConcurrentHashMap<>();
+
+    // adds a store for the default "sdn" domain
+    static {
+        claimCache.put(IIDMStore.DEFAULT_DOMAIN,
+                new ConcurrentHashMap<PasswordCredentials, Claim>());
+    }
+
+    @Override
+    public Claim authenticate(PasswordCredentials creds) {
+        Preconditions.checkNotNull(creds);
+        Preconditions.checkNotNull(creds.username());
+        Preconditions.checkNotNull(creds.password());
+        String domain = creds.domain() == null ? IIDMStore.DEFAULT_DOMAIN : creds.domain();
+        // FIXME: Add cache invalidation
+        Map<PasswordCredentials, Claim> cache = claimCache.get(domain);
+        if (cache == null) {
+            cache = new ConcurrentHashMap<PasswordCredentials, Claim>();
+            claimCache.put(domain, cache);
+        }
+        Claim claim = cache.get(creds);
+        if (claim == null) {
+            synchronized (claimCache) {
+                claim = cache.get(creds);
+                if (claim == null) {
+                    claim = dbAuthenticate(creds);
+                    if (claim != null) {
+                        cache.put(creds, claim);
+                    }
+                }
+            }
+        }
+        return claim;
+    }
+
+    /**
+     * Clears the cache of any active claims.
+     */
+    public static synchronized void clearClaimCache() {
+        LOG.info("Clearing the claim cache");
+        for (Map<PasswordCredentials, Claim> cache : claimCache.values()) {
+            cache.clear();
+        }
+    }
+
+    private static Claim dbAuthenticate(PasswordCredentials creds) {
+        Domain domain = null;
+        User user = null;
+        String credsDomain = creds.domain() == null ? IIDMStore.DEFAULT_DOMAIN : creds.domain();
+        // check to see domain exists
+        // TODO: ensure domain names are unique change to 'getDomain'
+        LOG.debug("get domain");
+        try {
+            domain = AAAIDMLightModule.getStore().readDomain(credsDomain);
+            if (domain == null) {
+                throw new AuthenticationException("Domain :" + credsDomain + " does not exist");
+            }
+        } catch (IDMStoreException e) {
+            throw new AuthenticationException("Error while fetching domain", e);
+        }
+
+        // check to see user exists and passes cred check
+        try {
+            LOG.debug("check user / pwd");
+            Users users = AAAIDMLightModule.getStore().getUsers(creds.username(), credsDomain);
+            List<User> userList = users.getUsers();
+            if (userList.size() == 0) {
+                throw new AuthenticationException("User :" + creds.username()
+                        + " does not exist in domain " + credsDomain);
+            }
+            user = userList.get(0);
+            if (!SHA256Calculator.getSHA256(creds.password(), user.getSalt()).equals(
+                    user.getPassword())) {
+                throw new AuthenticationException("UserName / Password not found");
+            }
+
+            // get all grants & roles for this domain and user
+            LOG.debug("get grants");
+            List<String> roles = new ArrayList<String>();
+            Grants grants = AAAIDMLightModule.getStore().getGrants(domain.getDomainid(),
+                    user.getUserid());
+            List<Grant> grantList = grants.getGrants();
+            for (int z = 0; z < grantList.size(); z++) {
+                Grant grant = grantList.get(z);
+                Role role = AAAIDMLightModule.getStore().readRole(grant.getRoleid());
+                if (role != null) {
+                    roles.add(role.getName());
+                }
+            }
+
+            // build up the claim
+            LOG.debug("build a claim");
+            ClaimBuilder claim = new ClaimBuilder();
+            claim.setUserId(user.getUserid().toString());
+            claim.setUser(creds.username());
+            claim.setDomain(credsDomain);
+            for (int z = 0; z < roles.size(); z++) {
+                claim.addRole(roles.get(z));
+            }
+            return claim.build();
+        } catch (IDMStoreException se) {
+            throw new AuthenticationException("idm data store exception :" + se.toString() + se);
+        }
+    }
+
+    @Override
+    public List<String> listDomains(String userId) {
+        LOG.debug("list Domains for userId: {}", userId);
+        List<String> domains = new ArrayList<String>();
+        try {
+            Grants grants = AAAIDMLightModule.getStore().getGrants(userId);
+            List<Grant> grantList = grants.getGrants();
+            for (int z = 0; z < grantList.size(); z++) {
+                Grant grant = grantList.get(z);
+                Domain domain = AAAIDMLightModule.getStore().readDomain(grant.getDomainid());
+                domains.add(domain.getName());
+            }
+            return domains;
+        } catch (IDMStoreException se) {
+            LOG.warn("error getting domains ", se.toString(), se);
+            return domains;
+        }
+
+    }
+
+    @Override
+    public List<String> listRoles(String userId, String domainName) {
+        LOG.debug("listRoles");
+        List<String> roles = new ArrayList<String>();
+
+        try {
+            // find domain name for specied domain name
+            String did = null;
+            try {
+                Domain domain = AAAIDMLightModule.getStore().readDomain(domainName);
+                if (domain == null) {
+                    LOG.debug("DomainName: {}", domainName + " Not found!");
+                    return roles;
+                }
+                did = domain.getDomainid();
+            } catch (IDMStoreException e) {
+                return roles;
+            }
+
+            // find all grants for uid and did
+            Grants grants = AAAIDMLightModule.getStore().getGrants(did, userId);
+            List<Grant> grantList = grants.getGrants();
+            for (int z = 0; z < grantList.size(); z++) {
+                Grant grant = grantList.get(z);
+                Role role = AAAIDMLightModule.getStore().readRole(grant.getRoleid());
+                roles.add(role.getName());
+            }
+
+            return roles;
+        } catch (IDMStoreException se) {
+            LOG.warn("error getting roles ", se.toString(), se);
+            return roles;
+        }
+    }
+}
diff --git a/odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/StoreBuilder.java b/odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/StoreBuilder.java
new file mode 100644
index 00000000..111665c6
--- /dev/null
+++ b/odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/StoreBuilder.java
@@ -0,0 +1,118 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.idm;
+
+import org.opendaylight.aaa.api.IDMStoreException;
+import org.opendaylight.aaa.api.IIDMStore;
+import org.opendaylight.aaa.api.model.Domain;
+import org.opendaylight.aaa.api.model.Grant;
+import org.opendaylight.aaa.api.model.Role;
+import org.opendaylight.aaa.api.model.User;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * StoreBuilder is triggered during feature installation by
+ * <code>AAAIDMLightModule.createInstance()</code>. StoreBuilder is responsible
+ * for initializing the H2 database with initial default user account
+ * information. By default, the following users are created:
+ * <ol>
+ * <li>admin</li>
+ * <li>user</li>
+ * </ol>
+ *
+ * By default, the following domain is created:
+ * <ol>
+ * <li>sdn</li>
+ * </ol>
+ *
+ * By default, the following grants are created:
+ * <ol>
+ * <li>admin with admin role on sdn</li>
+ * <li>admin with user role on sdn</li>
+ * <li>user with user role on sdn</li>
+ * </ol>
+ *
+ * @author peter.mellquist@hp.com
+ * @author saichler@cisco.com
+ */
+public class StoreBuilder {
+
+    private static final Logger LOG = LoggerFactory.getLogger(StoreBuilder.class);
+
+    public static void init(IIDMStore store) throws IDMStoreException {
+        LOG.info("creating idmlight schema in store");
+
+        // Check whether the default domain exists. If it exists, then do not
+        // create default data in the store.
+        // TODO Address the fact that someone may delete the sdn domain, or make
+        // sdn mandatory.
+        Domain defaultDomain = store.readDomain(IIDMStore.DEFAULT_DOMAIN);
+        if (defaultDomain != null) {
+            LOG.info("Found default domain in Store, skipping insertion of default data");
+            return;
+        }
+
+        // make domain
+        Domain domain = new Domain();
+        User adminUser = new User();
+        User userUser = new User();
+        Role adminRole = new Role();
+        Role userRole = new Role();
+        domain.setEnabled(true);
+        domain.setName(IIDMStore.DEFAULT_DOMAIN);
+        domain.setDescription("default odl sdn domain");
+        domain = store.writeDomain(domain);
+
+        // Create default users
+        // "admin" user
+        adminUser.setEnabled(true);
+        adminUser.setName("admin");
+        adminUser.setDomainid(domain.getDomainid());
+        adminUser.setDescription("admin user");
+        adminUser.setEmail("");
+        adminUser.setPassword("admin");
+        adminUser = store.writeUser(adminUser);
+        // "user" user
+        userUser.setEnabled(true);
+        userUser.setName("user");
+        userUser.setDomainid(domain.getDomainid());
+        userUser.setDescription("user user");
+        userUser.setEmail("");
+        userUser.setPassword("user");
+        userUser = store.writeUser(userUser);
+
+        // Create default Roles ("admin" and "user")
+        adminRole.setName("admin");
+        adminRole.setDomainid(domain.getDomainid());
+        adminRole.setDescription("a role for admins");
+        adminRole = store.writeRole(adminRole);
+        userRole.setName("user");
+        userRole.setDomainid(domain.getDomainid());
+        userRole.setDescription("a role for users");
+        userRole = store.writeRole(userRole);
+
+        // Create default grants
+        Grant grant = new Grant();
+        grant.setDomainid(domain.getDomainid());
+        grant.setUserid(userUser.getUserid());
+        grant.setRoleid(userRole.getRoleid());
+        grant = store.writeGrant(grant);
+
+        grant.setDomainid(domain.getDomainid());
+        grant.setUserid(adminUser.getUserid());
+        grant.setRoleid(userRole.getRoleid());
+        grant = store.writeGrant(grant);
+
+        grant.setDomainid(domain.getDomainid());
+        grant.setUserid(adminUser.getUserid());
+        grant.setRoleid(adminRole.getRoleid());
+        grant = store.writeGrant(grant);
+    }
+}
diff --git a/odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/DomainHandler.java b/odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/DomainHandler.java
new file mode 100644
index 00000000..7ddc0748
--- /dev/null
+++ b/odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/DomainHandler.java
@@ -0,0 +1,591 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.idm.rest;
+
+import java.util.ArrayList;
+import java.util.List;
+import javax.ws.rs.Consumes;
+import javax.ws.rs.DELETE;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.PUT;
+import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.core.UriInfo;
+import org.opendaylight.aaa.api.IDMStoreException;
+import org.opendaylight.aaa.api.model.Claim;
+import org.opendaylight.aaa.api.model.Domain;
+import org.opendaylight.aaa.api.model.Domains;
+import org.opendaylight.aaa.api.model.Grant;
+import org.opendaylight.aaa.api.model.Grants;
+import org.opendaylight.aaa.api.model.IDMError;
+import org.opendaylight.aaa.api.model.Role;
+import org.opendaylight.aaa.api.model.Roles;
+import org.opendaylight.aaa.api.model.User;
+import org.opendaylight.aaa.api.model.UserPwd;
+import org.opendaylight.aaa.api.model.Users;
+import org.opendaylight.aaa.idm.IdmLightProxy;
+import org.opendaylight.yang.gen.v1.config.aaa.authn.idmlight.rev151204.AAAIDMLightModule;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * REST application used to manipulate the H2 database domains table. The REST
+ * endpoint is <code>/auth/v1/domains</code>.
+ *
+ * The following provides examples of curl commands and payloads to utilize the
+ * domains REST endpoint:
+ *
+ * <b>Get All Domains</b>
+ * <code>curl -u admin:admin http://{HOST}:{PORT}/auth/v1/domains</code>
+ *
+ * <b>Get A Specific Domain</b>
+ * <code>curl -u admin:admin http://{HOST}:{PORT}/auth/v1/domains/{id}</code>
+ *
+ * <b>Create A Domain</b>
+ * <code>curl -u admin:admin -X POST -H "Content-Type: application/json" --data-binary {@literal @}domain.json http://{HOST}:{PORT}/auth/v1/domains</code>
+ * Example domain.json <code>{
+ *   "description": "new domain",
+ *   "enabled", "true",
+ *   "name", "not sdn"
+ * }</code>
+ *
+ * <b>Update A Domain</b>
+ * <code>curl -u admin:admin -X PUT -H "Content-Type: application/json" --data-binary {@literal @}domain.json http://{HOST}:{PORT}/auth/v1/domains</code>
+ * Example domain.json <code>{
+ *   "description": "new domain description",
+ *   "enabled", "true",
+ *   "name", "not sdn"
+ * }</code>
+ *
+ * @author peter.mellquist@hp.com
+ * @author Ryan Goulding (ryandgoulding@gmail.com)
+ */
+@Path("/v1/domains")
+public class DomainHandler {
+
+    private static final Logger LOG = LoggerFactory.getLogger(DomainHandler.class);
+
+    /**
+     * Extracts all domains.
+     *
+     * @return a response with all domains stored in the H2 database
+     */
+    @GET
+    @Produces("application/json")
+    public Response getDomains() {
+        LOG.info("Get /domains");
+        Domains domains = null;
+        try {
+            domains = AAAIDMLightModule.getStore().getDomains();
+        } catch (IDMStoreException se) {
+            LOG.error("StoreException: ", se);
+            IDMError idmerror = new IDMError();
+            idmerror.setMessage("Internal error getting domains");
+            idmerror.setDetails(se.getMessage());
+            return Response.status(500).entity(idmerror).build();
+        }
+        return Response.ok(domains).build();
+    }
+
+    /**
+     * Extracts the domain represented by <code>domainId</code>.
+     *
+     * @param domainId the string domain (i.e., "sdn")
+     * @return a response with the specified domain
+     */
+    @GET
+    @Path("/{id}")
+    @Produces("application/json")
+    public Response getDomain(@PathParam("id") String domainId) {
+        LOG.info("Get /domains/{}", domainId);
+        Domain domain = null;
+        try {
+            domain = AAAIDMLightModule.getStore().readDomain(domainId);
+        } catch (IDMStoreException se) {
+            LOG.error("StoreException: ", se);
+            IDMError idmerror = new IDMError();
+            idmerror.setMessage("Internal error getting domain");
+            idmerror.setDetails(se.getMessage());
+            return Response.status(500).entity(idmerror).build();
+        }
+
+        if (domain == null) {
+            IDMError idmerror = new IDMError();
+            idmerror.setMessage("Not found! domain id :" + domainId);
+            return Response.status(404).entity(idmerror).build();
+        }
+        return Response.ok(domain).build();
+    }
+
+    /**
+     * Creates a domain.  The name attribute is required for domain creation.
+     * Enabled and description fields are optional.  Optional fields default
+     * in the following manner:
+     * <code>enabled</code>: <code>false</code>
+     * <code>description</code>: An empty string (<code>""</code>).
+     *
+     * @param info passed from Jersey
+     * @param domain designated by the REST payload
+     * @return A response stating success or failure of domain creation.
+     */
+    @POST
+    @Consumes("application/json")
+    @Produces("application/json")
+    public Response createDomain(@Context UriInfo info, Domain domain) {
+        LOG.info("Post /domains");
+        try {
+            if (domain.isEnabled() == null) {
+                domain.setEnabled(false);
+            }
+            if (domain.getName() == null) {
+                domain.setName("");
+            }
+            if (domain.getDescription() == null) {
+                domain.setDescription("");
+            }
+            domain = AAAIDMLightModule.getStore().writeDomain(domain);
+        } catch (IDMStoreException se) {
+            LOG.error("StoreException: ", se);
+            IDMError idmerror = new IDMError();
+            idmerror.setMessage("Internal error creating domain");
+            idmerror.setDetails(se.getMessage());
+            return Response.status(500).entity(idmerror).build();
+        }
+        return Response.status(201).entity(domain).build();
+    }
+
+    /**
+     * Updates a domain.
+     *
+     * @param info passed from Jersey
+     * @param domain the REST payload
+     * @param domainId the last part of the path, containing the specified domain id
+     * @return A response stating success or failure of domain update.
+     */
+    @PUT
+    @Path("/{id}")
+    @Consumes("application/json")
+    @Produces("application/json")
+    public Response putDomain(@Context UriInfo info, Domain domain, @PathParam("id") String domainId) {
+        LOG.info("Put /domains/{}", domainId);
+        try {
+            domain.setDomainid(domainId);
+            domain = AAAIDMLightModule.getStore().updateDomain(domain);
+            if (domain == null) {
+                IDMError idmerror = new IDMError();
+                idmerror.setMessage("Not found! Domain id :" + domainId);
+                return Response.status(404).entity(idmerror).build();
+            }
+            IdmLightProxy.clearClaimCache();
+            return Response.status(200).entity(domain).build();
+        } catch (IDMStoreException se) {
+            LOG.error("StoreException: ", se);
+            IDMError idmerror = new IDMError();
+            idmerror.setMessage("Internal error putting domain");
+            idmerror.setDetails(se.getMessage());
+            return Response.status(500).entity(idmerror).build();
+        }
+    }
+
+    /**
+     * Deletes a domain.
+     *
+     * @param info passed from Jersey
+     * @param domainId the last part of the path, containing the specified domain id
+     * @return A response stating success or failure of domain deletion.
+     */
+    @DELETE
+    @Path("/{id}")
+    public Response deleteDomain(@Context UriInfo info, @PathParam("id") String domainId) {
+        LOG.info("Delete /domains/{}", domainId);
+
+        try {
+            Domain domain = AAAIDMLightModule.getStore().deleteDomain(domainId);
+            if (domain == null) {
+                IDMError idmerror = new IDMError();
+                idmerror.setMessage("Not found! Domain id :" + domainId);
+                return Response.status(404).entity(idmerror).build();
+            }
+        } catch (IDMStoreException se) {
+            LOG.error("StoreException: ", se);
+            IDMError idmerror = new IDMError();
+            idmerror.setMessage("Internal error deleting Domain");
+            idmerror.setDetails(se.getMessage());
+            return Response.status(500).entity(idmerror).build();
+        }
+        IdmLightProxy.clearClaimCache();
+        return Response.status(204).build();
+    }
+
+    /**
+     * Creates a grant.  A grant defines the role a particular user is given on
+     * a particular domain.  For example, by default, AAA installs a grant for
+     * the "admin" user, granting permission to act with "admin" role on the
+     * "sdn" domain.
+     *
+     * @param info passed from Jersey
+     * @param domainId the domain the user is allowed to access
+     * @param userId the user that is allowed to access the domain
+     * @param grant the payload containing role access controls
+     * @return A response stating success or failure of grant creation.
+     */
+    @POST
+    @Path("/{did}/users/{uid}/roles")
+    @Consumes("application/json")
+    @Produces("application/json")
+    public Response createGrant(@Context UriInfo info, @PathParam("did") String domainId,
+            @PathParam("uid") String userId, Grant grant) {
+        LOG.info("Post /domains/{}/users/{}/roles", domainId, userId);
+        Domain domain = null;
+        User user = null;
+        Role role = null;
+        String roleId = null;
+
+        // validate domain id
+        try {
+            domain = AAAIDMLightModule.getStore().readDomain(domainId);
+        } catch (IDMStoreException se) {
+            LOG.error("StoreException: ", se);
+            IDMError idmerror = new IDMError();
+            idmerror.setMessage("Internal error getting domain");
+            idmerror.setDetails(se.getMessage());
+            return Response.status(500).entity(idmerror).build();
+        }
+        if (domain == null) {
+            IDMError idmerror = new IDMError();
+            idmerror.setMessage("Not found! domain id :" + domainId);
+            return Response.status(404).entity(idmerror).build();
+        }
+        grant.setDomainid(domainId);
+
+        try {
+            user = AAAIDMLightModule.getStore().readUser(userId);
+        } catch (IDMStoreException se) {
+            LOG.error("StoreException: ", se);
+            IDMError idmerror = new IDMError();
+            idmerror.setMessage("Internal error getting user");
+            idmerror.setDetails(se.getMessage());
+            return Response.status(500).entity(idmerror).build();
+        }
+        if (user == null) {
+            IDMError idmerror = new IDMError();
+            idmerror.setMessage("Not found! User id :" + userId);
+            return Response.status(404).entity(idmerror).build();
+        }
+        grant.setUserid(userId);
+
+        // validate role id
+        try {
+            roleId = grant.getRoleid();
+            LOG.info("roleid = {}", roleId);
+        } catch (NumberFormatException nfe) {
+            IDMError idmerror = new IDMError();
+            idmerror.setMessage("Invalid Role id :" + grant.getRoleid());
+            return Response.status(404).entity(idmerror).build();
+        }
+        try {
+            role = AAAIDMLightModule.getStore().readRole(roleId);
+        } catch (IDMStoreException se) {
+            LOG.error("StoreException: ", se);
+            IDMError idmerror = new IDMError();
+            idmerror.setMessage("Internal error getting role");
+            idmerror.setDetails(se.getMessage());
+            return Response.status(500).entity(idmerror).build();
+        }
+        if (role == null) {
+            IDMError idmerror = new IDMError();
+            idmerror.setMessage("Not found! role :" + grant.getRoleid());
+            return Response.status(404).entity(idmerror).build();
+        }
+
+        // see if grant already exists for this
+        try {
+            Grant existingGrant = AAAIDMLightModule.getStore().readGrant(domainId, userId, roleId);
+            if (existingGrant != null) {
+                IDMError idmerror = new IDMError();
+                idmerror.setMessage("Grant already exists for did:" + domainId + " uid:" + userId
+                        + " rid:" + roleId);
+                return Response.status(403).entity(idmerror).build();
+            }
+        } catch (IDMStoreException se) {
+            LOG.error("StoreException: ", se);
+            IDMError idmerror = new IDMError();
+            idmerror.setMessage("Internal error creating grant");
+            idmerror.setDetails(se.getMessage());
+            return Response.status(500).entity(idmerror).build();
+        }
+
+        // create grant
+        try {
+            grant = AAAIDMLightModule.getStore().writeGrant(grant);
+        } catch (IDMStoreException se) {
+            LOG.error("StoreException: ", se);
+            IDMError idmerror = new IDMError();
+            idmerror.setMessage("Internal error creating grant");
+            idmerror.setDetails(se.getMessage());
+            return Response.status(500).entity(idmerror).build();
+        }
+
+        IdmLightProxy.clearClaimCache();
+        return Response.status(201).entity(grant).build();
+    }
+
+    /**
+     * Used to validate user access.
+     *
+     * @param info passed from Jersey
+     * @param domainId the domain in question
+     * @param userpwd the password attempt
+     * @return A response stating success or failure of user validation.
+     */
+    @POST
+    @Path("/{did}/users/roles")
+    @Consumes("application/json")
+    @Produces("application/json")
+    public Response validateUser(@Context UriInfo info, @PathParam("did") String domainId,
+            UserPwd userpwd) {
+
+        LOG.info("GET /domains/{}/users", domainId);
+        Domain domain = null;
+        Claim claim = new Claim();
+        List<Role> roleList = new ArrayList<Role>();
+
+        try {
+            domain = AAAIDMLightModule.getStore().readDomain(domainId);
+        } catch (IDMStoreException se) {
+            LOG.error("StoreException: ", se);
+            IDMError idmerror = new IDMError();
+            idmerror.setMessage("Internal error getting domain");
+            idmerror.setDetails(se.getMessage());
+            return Response.status(500).entity(idmerror).build();
+        }
+        if (domain == null) {
+            IDMError idmerror = new IDMError();
+            idmerror.setMessage("Not found! Domain id :" + domainId);
+            return Response.status(404).entity(idmerror).build();
+        }
+
+        // check request body for username and pwd
+        String username = userpwd.getUsername();
+        if (username == null) {
+            IDMError idmerror = new IDMError();
+            idmerror.setMessage("username not specfied in request body");
+            return Response.status(400).entity(idmerror).build();
+        }
+        String pwd = userpwd.getUserpwd();
+        if (pwd == null) {
+            IDMError idmerror = new IDMError();
+            idmerror.setMessage("userpwd not specfied in request body");
+            return Response.status(400).entity(idmerror).build();
+        }
+
+        // find userid for user
+        try {
+            Users users = AAAIDMLightModule.getStore().getUsers(username, domainId);
+            List<User> userList = users.getUsers();
+            if (userList.size() == 0) {
+                IDMError idmerror = new IDMError();
+                idmerror.setMessage("did not find username: " + username);
+                return Response.status(404).entity(idmerror).build();
+            }
+            User user = userList.get(0);
+            String userPwd = user.getPassword();
+            String reqPwd = userpwd.getUserpwd();
+            if (!userPwd.equals(reqPwd)) {
+                IDMError idmerror = new IDMError();
+                idmerror.setMessage("password does not match for username: " + username);
+                return Response.status(401).entity(idmerror).build();
+            }
+            claim.setDomainid(domainId);
+            claim.setUsername(username);
+            claim.setUserid(user.getUserid());
+            try {
+                Grants grants = AAAIDMLightModule.getStore().getGrants(domainId, user.getUserid());
+                List<Grant> grantsList = grants.getGrants();
+                for (int i = 0; i < grantsList.size(); i++) {
+                    Grant grant = grantsList.get(i);
+                    Role role = AAAIDMLightModule.getStore().readRole(grant.getRoleid());
+                    roleList.add(role);
+                }
+            } catch (IDMStoreException se) {
+                LOG.error("StoreException: ", se);
+                IDMError idmerror = new IDMError();
+                idmerror.setMessage("Internal error getting Roles");
+                idmerror.setDetails(se.getMessage());
+                return Response.status(500).entity(idmerror).build();
+            }
+            claim.setRoles(roleList);
+        } catch (IDMStoreException se) {
+            LOG.error("StoreException: ", se);
+            IDMError idmerror = new IDMError();
+            idmerror.setMessage("Internal error getting user");
+            idmerror.setDetails(se.getMessage());
+            return Response.status(500).entity(idmerror).build();
+        }
+
+        return Response.ok(claim).build();
+    }
+
+    /**
+     * Get the grants for a user on a domain.
+     *
+     * @param info passed from Jersey
+     * @param domainId the domain in question
+     * @param userId the user in question
+     * @return A response containing the grants for a user on a domain.
+     */
+    @GET
+    @Path("/{did}/users/{uid}/roles")
+    @Produces("application/json")
+    public Response getRoles(@Context UriInfo info, @PathParam("did") String domainId,
+            @PathParam("uid") String userId) {
+        LOG.info("GET /domains/{}/users/{}/roles", domainId, userId);
+        Domain domain = null;
+        User user = null;
+        Roles roles = new Roles();
+        List<Role> roleList = new ArrayList<Role>();
+
+        try {
+            domain = AAAIDMLightModule.getStore().readDomain(domainId);
+        } catch (IDMStoreException se) {
+            LOG.error("StoreException: ", se);
+            IDMError idmerror = new IDMError();
+            idmerror.setMessage("Internal error getting domain");
+            idmerror.setDetails(se.getMessage());
+            return Response.status(500).entity(idmerror).build();
+        }
+        if (domain == null) {
+            IDMError idmerror = new IDMError();
+            idmerror.setMessage("Not found! Domain id :" + domainId);
+            return Response.status(404).entity(idmerror).build();
+        }
+
+        try {
+            user = AAAIDMLightModule.getStore().readUser(userId);
+        } catch (IDMStoreException se) {
+            LOG.error("StoreException: ", se);
+            IDMError idmerror = new IDMError();
+            idmerror.setMessage("Internal error getting user");
+            idmerror.setDetails(se.getMessage());
+            return Response.status(500).entity(idmerror).build();
+        }
+        if (user == null) {
+            IDMError idmerror = new IDMError();
+            idmerror.setMessage("Not found! User id :" + userId);
+            return Response.status(404).entity(idmerror).build();
+        }
+
+        try {
+            Grants grants = AAAIDMLightModule.getStore().getGrants(domainId, userId);
+            List<Grant> grantsList = grants.getGrants();
+            for (int i = 0; i < grantsList.size(); i++) {
+                Grant grant = grantsList.get(i);
+                Role role = AAAIDMLightModule.getStore().readRole(grant.getRoleid());
+                roleList.add(role);
+            }
+        } catch (IDMStoreException se) {
+            LOG.error("StoreException: ", se);
+            IDMError idmerror = new IDMError();
+            idmerror.setMessage("Internal error getting Roles");
+            idmerror.setDetails(se.getMessage());
+            return Response.status(500).entity(idmerror).build();
+        }
+
+        roles.setRoles(roleList);
+        return Response.ok(roles).build();
+    }
+
+    /**
+     * Delete a grant.
+     *
+     * @param info passed from Jersey
+     * @param domainId the domain for the grant
+     * @param userId the user for the grant
+     * @param roleId the role for the grant
+     * @return A response stating success or failure of the grant deletion.
+     */
+    @DELETE
+    @Path("/{did}/users/{uid}/roles/{rid}")
+    public Response deleteGrant(@Context UriInfo info, @PathParam("did") String domainId,
+            @PathParam("uid") String userId, @PathParam("rid") String roleId) {
+        Domain domain = null;
+        User user = null;
+        Role role = null;
+
+        try {
+            domain = AAAIDMLightModule.getStore().readDomain(domainId);
+        } catch (IDMStoreException se) {
+            LOG.error("Error deleting Grant  : ", se);
+            IDMError idmerror = new IDMError();
+            idmerror.setMessage("Internal error getting domain");
+            idmerror.setDetails(se.getMessage());
+            return Response.status(500).entity(idmerror).build();
+        }
+        if (domain == null) {
+            IDMError idmerror = new IDMError();
+            idmerror.setMessage("Not found! Domain id :" + domainId);
+            return Response.status(404).entity(idmerror).build();
+        }
+
+        try {
+            user = AAAIDMLightModule.getStore().readUser(userId);
+        } catch (IDMStoreException se) {
+            LOG.error("StoreException : ", se);
+            IDMError idmerror = new IDMError();
+            idmerror.setMessage("Internal error getting user");
+            idmerror.setDetails(se.getMessage());
+            return Response.status(500).entity(idmerror).build();
+        }
+        if (user == null) {
+            IDMError idmerror = new IDMError();
+            idmerror.setMessage("Not found! User id :" + userId);
+            return Response.status(404).entity(idmerror).build();
+        }
+
+        try {
+            role = AAAIDMLightModule.getStore().readRole(roleId);
+        } catch (IDMStoreException se) {
+            LOG.error("StoreException: ", se);
+            IDMError idmerror = new IDMError();
+            idmerror.setMessage("Internal error getting Role");
+            idmerror.setDetails(se.getMessage());
+            return Response.status(500).entity(idmerror).build();
+        }
+        if (role == null) {
+            IDMError idmerror = new IDMError();
+            idmerror.setMessage("Not found! Role id :" + roleId);
+            return Response.status(404).entity(idmerror).build();
+        }
+
+        // see if grant already exists
+        try {
+            Grant existingGrant = AAAIDMLightModule.getStore().readGrant(domainId, userId, roleId);
+            if (existingGrant == null) {
+                IDMError idmerror = new IDMError();
+                idmerror.setMessage("Grant does not exist for did:" + domainId + " uid:" + userId
+                        + " rid:" + roleId);
+                return Response.status(404).entity(idmerror).build();
+            }
+            existingGrant = AAAIDMLightModule.getStore().deleteGrant(existingGrant.getGrantid());
+        } catch (IDMStoreException se) {
+            LOG.error("StoreException: ", se);
+            IDMError idmerror = new IDMError();
+            idmerror.setMessage("Internal error creating grant");
+            idmerror.setDetails(se.getMessage());
+            return Response.status(500).entity(idmerror).build();
+        }
+        IdmLightProxy.clearClaimCache();
+        return Response.status(204).build();
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/RoleHandler.java b/odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/RoleHandler.java
new file mode 100644
index 00000000..34a60c0c
--- /dev/null
+++ b/odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/RoleHandler.java
@@ -0,0 +1,228 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.idm.rest;
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.DELETE;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.PUT;
+import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.core.UriInfo;
+
+import org.opendaylight.aaa.api.IDMStoreException;
+import org.opendaylight.aaa.api.model.IDMError;
+import org.opendaylight.aaa.api.model.Role;
+import org.opendaylight.aaa.api.model.Roles;
+import org.opendaylight.aaa.idm.IdmLightApplication;
+import org.opendaylight.aaa.idm.IdmLightProxy;
+import org.opendaylight.yang.gen.v1.config.aaa.authn.idmlight.rev151204.AAAIDMLightModule;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * REST application used to manipulate the H2 database roles table. The REST
+ * endpoint is <code>/auth/v1/roles</code>.
+ *
+ * The following provides examples of curl commands and payloads to utilize the
+ * roles REST endpoint:
+ *
+ * <b>Get All Roles</b>
+ * <code>curl -u admin:admin http://{HOST}:{PORT}/auth/v1/roles</code>
+ *
+ * <b>Get A Specific Role</b>
+ * <code>curl -u admin:admin http://{HOST}:{PORT}/auth/v1/roles/{id}</code>
+ *
+ * <b>Create A Role</b>
+ * <code>curl -u admin:admin -X POST -H "Content-Type: application/json" --data-binary {@literal @}role.json http://{HOST}:{PORT}/auth/v1/roles</code>
+ * An example of role.json:
+ * <code>{
+ *  "name":"IT Administrator",
+ *  "description":"A user role for IT admins"
+ * }</code>
+ *
+ * <b>Update A Role</b>
+ * <code>curl -u admin:admin -X PUT -H "Content-Type: application/json" --data-binary {@literal @}role.json http://{HOST}:{PORT}/auth/v1/roles/{id}</code>
+ * An example of role.json:
+ * <code>{
+ *  "name":"IT Administrator Limited",
+ *  "description":"A user role for IT admins who can only do one thing"
+ * }</code>
+ *
+ * @author peter.mellquist@hp.com
+ * @author Ryan Goulding (ryandgoulding@gmail.com)
+ */
+@Path("/v1/roles")
+public class RoleHandler {
+    private static final Logger LOG = LoggerFactory.getLogger(RoleHandler.class);
+
+    /**
+     * Extracts all roles.
+     *
+     * @return A response with all roles in the H2 database, or internal error if one is encountered
+     */
+    @GET
+    @Produces("application/json")
+    public Response getRoles() {
+        LOG.info("get /roles");
+        Roles roles = null;
+        try {
+            roles = AAAIDMLightModule.getStore().getRoles();
+        } catch (IDMStoreException se) {
+            return new IDMError(500, "internal error getting roles", se.getMessage()).response();
+        }
+        return Response.ok(roles).build();
+    }
+
+    /**
+     * Extract a specific role identified by <code>id</code>
+     *
+     * @param id the String id for the role
+     * @return A response with the role identified by <code>id</code>, or internal error if one is encountered
+     */
+    @GET
+    @Path("/{id}")
+    @Produces("application/json")
+    public Response getRole(@PathParam("id") String id) {
+        LOG.info("get /roles/{}", id);
+        Role role = null;
+
+        try {
+            role = AAAIDMLightModule.getStore().readRole(id);
+        } catch (IDMStoreException se) {
+            return new IDMError(500, "internal error getting roles", se.getMessage()).response();
+        }
+
+        if (role == null) {
+            return new IDMError(404, "role not found id :" + id, "").response();
+        }
+        return Response.ok(role).build();
+    }
+
+    /**
+     * Creates a role.
+     *
+     * @param info passed from Jersey
+     * @param role the role JSON payload
+     * @return A response stating success or failure of role creation, or internal error if one is encountered
+     */
+    @POST
+    @Consumes("application/json")
+    @Produces("application/json")
+    public Response createRole(@Context UriInfo info, Role role) {
+        LOG.info("Post /roles");
+        try {
+            // TODO: role names should be unique!
+            // name
+            if (role.getName() == null) {
+                return new IDMError(404, "name must be defined on role create", "").response();
+            } else if (role.getName().length() > IdmLightApplication.MAX_FIELD_LEN) {
+                return new IDMError(400, "role name max length is :"
+                        + IdmLightApplication.MAX_FIELD_LEN, "").response();
+            }
+
+            // domain
+            if (role.getDomainid() == null) {
+                return new IDMError(404,
+                        "The role's domain must be defined on role when creating a role.", "")
+                        .response();
+            } else if (role.getDomainid().length() > IdmLightApplication.MAX_FIELD_LEN) {
+                return new IDMError(400, "role domain max length is :"
+                        + IdmLightApplication.MAX_FIELD_LEN, "").response();
+            }
+
+            // description
+            if (role.getDescription() == null) {
+                role.setDescription("");
+            } else if (role.getDescription().length() > IdmLightApplication.MAX_FIELD_LEN) {
+                return new IDMError(400, "role description max length is :"
+                        + IdmLightApplication.MAX_FIELD_LEN, "").response();
+            }
+
+            role = AAAIDMLightModule.getStore().writeRole(role);
+        } catch (IDMStoreException se) {
+            return new IDMError(500, "internal error creating role", se.getMessage()).response();
+        }
+
+        return Response.status(201).entity(role).build();
+    }
+
+    /**
+     * Updates a specific role identified by <code>id</code>.
+     *
+     * @param info passed from Jersey
+     * @param role the role JSON payload
+     * @param id the String id for the role
+     * @return A response stating success or failure of role update, or internal error if one occurs
+     */
+    @PUT
+    @Path("/{id}")
+    @Consumes("application/json")
+    @Produces("application/json")
+    public Response putRole(@Context UriInfo info, Role role, @PathParam("id") String id) {
+        LOG.info("put /roles/{}", id);
+
+        try {
+            role.setRoleid(id);
+
+            // name
+            // TODO: names should be unique
+            if ((role.getName() != null)
+                    && (role.getName().length() > IdmLightApplication.MAX_FIELD_LEN)) {
+                return new IDMError(400, "role name max length is :"
+                        + IdmLightApplication.MAX_FIELD_LEN, "").response();
+            }
+
+            // description
+            if ((role.getDescription() != null)
+                    && (role.getDescription().length() > IdmLightApplication.MAX_FIELD_LEN)) {
+                return new IDMError(400, "role description max length is :"
+                        + IdmLightApplication.MAX_FIELD_LEN, "").response();
+            }
+
+            role = AAAIDMLightModule.getStore().updateRole(role);
+            if (role == null) {
+                return new IDMError(404, "role id not found :" + id, "").response();
+            }
+            IdmLightProxy.clearClaimCache();
+            return Response.status(200).entity(role).build();
+        } catch (IDMStoreException se) {
+            return new IDMError(500, "internal error putting role", se.getMessage()).response();
+        }
+    }
+
+    /**
+     * Delete a role.
+     *
+     * @param info passed from Jersey
+     * @param id the String id for the role
+     * @return A response stating success or failure of user deletion, or internal error if one occurs
+     */
+    @DELETE
+    @Path("/{id}")
+    public Response deleteRole(@Context UriInfo info, @PathParam("id") String id) {
+        LOG.info("Delete /roles/{}", id);
+
+        try {
+            Role role = AAAIDMLightModule.getStore().deleteRole(id);
+            if (role == null) {
+                return new IDMError(404, "role id not found :" + id, "").response();
+            }
+        } catch (IDMStoreException se) {
+            return new IDMError(500, "internal error deleting role", se.getMessage()).response();
+        }
+        IdmLightProxy.clearClaimCache();
+        return Response.status(204).build();
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/UserHandler.java b/odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/UserHandler.java
new file mode 100644
index 00000000..24fefd7b
--- /dev/null
+++ b/odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/UserHandler.java
@@ -0,0 +1,419 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.idm.rest;
+
+import java.util.Collection;
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.DELETE;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.PUT;
+import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.core.UriInfo;
+
+import org.opendaylight.aaa.api.IDMStoreException;
+import org.opendaylight.aaa.api.model.IDMError;
+import org.opendaylight.aaa.api.model.User;
+import org.opendaylight.aaa.api.model.Users;
+import org.opendaylight.aaa.idm.IdmLightApplication;
+import org.opendaylight.aaa.idm.IdmLightProxy;
+import org.opendaylight.yang.gen.v1.config.aaa.authn.idmlight.rev151204.AAAIDMLightModule;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * REST application used to manipulate the H2 database users table. The REST
+ * endpoint is <code>/auth/v1/users</code>.
+ *
+ * The following provides examples of how curl commands and payloads to utilize
+ * the users REST endpoint:
+ *
+ * <b>Get All Users</b>
+ * <code>curl -u admin:admin http://{HOST}:{PORT}/auth/v1/users</code>
+ *
+ * <b>Get A Specific User</b>
+ * <code>curl -u admin:admin http://{HOST}:{PORT}/auth/v1/users/{id}</code>
+ *
+ * <b>Create A User</b>
+ * <code>curl -u admin:admin -X POST -H "Content-type: application/json" --data-binary {@literal @}user.json http://{HOST}:{PORT}/auth/v1/users</code>
+ * An example of user.json file is:
+ * <code>{
+ *   "name": "admin2",
+ *   "password", "admin2",
+ *   "domain": "sdn"
+ * }</code>
+ *
+ * <b>Update A User</b>
+ * <code>curl -u admin:admin -X PUT -H "Content-type: application/json" --data-binary {@literal @}user.json http://{HOST}:{PORT}/auth/v1/users/{id}</code>
+ * An example of user.json file is:
+ * <code>{
+ *   "name": "admin2",
+ *   "password", "admin2",
+ *   "domain": "sdn",
+ *   "description", "Simple description."
+ * }</code>
+ *
+ * <b>Delete A User</b>
+ * <code>curl -u admin:admin -X DELETE http://{HOST}:{PORT}/auth/v1/users/{id}</code>
+ *
+ * @author peter.mellquist@hp.com
+ * @author Ryan Goulding (ryandgoulding@gmail.com)
+ */
+@Path("/v1/users")
+public class UserHandler {
+
+    private static final Logger LOG = LoggerFactory.getLogger(UserHandler.class);
+
+    /**
+     * If a user is created through the <code>/auth/v1/users</code> rest
+     * endpoint without a password, the default password is assigned to the
+     * user.
+     */
+    private final static String DEFAULT_PWD = "changeme";
+
+    /**
+     * When an HTTP GET is performed on <code>/auth/v1/users</code>, the
+     * password field is replaced with <code>REDACTED_PASSWORD</code> for
+     * security reasons.
+     */
+    private static final String REDACTED_PASSWORD = "**********";
+
+    /**
+     * When an HTTP GET is performed on <code>/auth/v1/users</code>, the salt
+     * field is replaced with <code>REDACTED_SALT</code> for security reasons.
+     */
+    private static final String REDACTED_SALT = "**********";
+
+    /**
+     * When creating a user, the description is optional and defaults to an
+     * empty string.
+     */
+    private static final String DEFAULT_DESCRIPTION = "";
+
+    /**
+     * When creating a user, the email is optional and defaults to an empty
+     * string.
+     */
+    private static final String DEFAULT_EMAIL = "";
+
+    /**
+     * Extracts all users. The password and salt fields are redacted for
+     * security reasons.
+     *
+     * @return A response containing the users, or internal error if one occurs
+     */
+    @GET
+    @Produces("application/json")
+    public Response getUsers() {
+        LOG.info("GET /auth/v1/users  (extracts all users)");
+
+        try {
+            final Users users = AAAIDMLightModule.getStore().getUsers();
+
+            // Redact the password and salt for security purposes.
+            final Collection<User> usersList = users.getUsers();
+            for (User user : usersList) {
+                redactUserPasswordInfo(user);
+            }
+
+            return Response.ok(users).build();
+        } catch (IDMStoreException se) {
+            return internalError("getting", se);
+        }
+    }
+
+    /**
+     * Extracts the user represented by <code>id</code>. The password and salt
+     * fields are redacted for security reasons.
+     *
+     * @param id the unique id of representing the user account
+     * @return A response with the user information, or internal error if one occurs
+     */
+    @GET
+    @Path("/{id}")
+    @Produces("application/json")
+    public Response getUser(@PathParam("id") String id) {
+        LOG.info("GET auth/v1/users/ {}  (extract user with specified id)", id);
+
+        try {
+            final User user = AAAIDMLightModule.getStore().readUser(id);
+
+            if (user == null) {
+                return new IDMError(404, String.format("user not found! id: %d", id), "").response();
+            }
+
+            // Redact the password and salt for security purposes.
+            redactUserPasswordInfo(user);
+
+            return Response.ok(user).build();
+        } catch (IDMStoreException se) {
+            return internalError("getting", se);
+        }
+    }
+
+    /**
+     * REST endpoint to create a user. Name and domain are required attributes,
+     * and all other fields (description, email, password, enabled) are
+     * optional. Optional fields default in the following manner:
+     * <code>description</code>: An empty string (<code>""</code>).
+     * <code>email</code>: An empty string (<code>""</code>).
+     * <code>password</code>: <code>changeme</code> <code>enabled</code>:
+     * <code>true</code>
+     *
+     * If a password is not provided, please ensure you change the default
+     * password ASAP for security reasons!
+     *
+     * @param info passed from Jersey
+     * @param user the user defined in the JSON payload
+     * @return A response stating success or failure of user creation
+     */
+    @POST
+    @Consumes("application/json")
+    @Produces("application/json")
+    public Response createUser(@Context UriInfo info, User user) {
+        LOG.info("POST /auth/v1/users  (create a user with the specified payload");
+
+        // The "enabled" field is optional, and defaults to true.
+        if (user.isEnabled() == null) {
+            user.setEnabled(true);
+        }
+
+        // The "name" field is required.
+        final String userName = user.getName();
+        if (userName == null) {
+            return missingRequiredField("name");
+        }
+        // The "name" field has a maximum length.
+        if (userName.length() > IdmLightApplication.MAX_FIELD_LEN) {
+            return providedFieldTooLong("name", IdmLightApplication.MAX_FIELD_LEN);
+        }
+
+        // The "domain field is required.
+        final String domainId = user.getDomainid();
+        if (domainId == null) {
+            return missingRequiredField("domain");
+        }
+        // The "domain" field has a maximum length.
+        if (domainId.length() > IdmLightApplication.MAX_FIELD_LEN) {
+            return providedFieldTooLong("domain", IdmLightApplication.MAX_FIELD_LEN);
+        }
+
+        // The "description" field is optional and defaults to "".
+        final String userDescription = user.getDescription();
+        if (userDescription == null) {
+            user.setDescription(DEFAULT_DESCRIPTION);
+        }
+        // The "description" field has a maximum length.
+        if (userDescription.length() > IdmLightApplication.MAX_FIELD_LEN) {
+            return providedFieldTooLong("description", IdmLightApplication.MAX_FIELD_LEN);
+        }
+
+        // The "email" field is optional and defaults to "".
+        final String userEmail = user.getEmail();
+        if (userEmail == null) {
+            user.setEmail(DEFAULT_EMAIL);
+        }
+        if (userEmail.length() > IdmLightApplication.MAX_FIELD_LEN) {
+            return providedFieldTooLong("email", IdmLightApplication.MAX_FIELD_LEN);
+        }
+        // TODO add a check on email format here.
+
+        // The "password" field is optional and defautls to "changeme".
+        final String userPassword = user.getPassword();
+        if (userPassword == null) {
+            user.setPassword(DEFAULT_PWD);
+        } else if (userPassword.length() > IdmLightApplication.MAX_FIELD_LEN) {
+            return providedFieldTooLong("password", IdmLightApplication.MAX_FIELD_LEN);
+        }
+
+        try {
+            // At this point, fields have been properly verified. Create the
+            // user account
+            final User createdUser = AAAIDMLightModule.getStore().writeUser(user);
+            user.setUserid(createdUser.getUserid());
+        } catch (IDMStoreException se) {
+            return internalError("creating", se);
+        }
+
+        // Redact the password and salt for security reasons.
+        redactUserPasswordInfo(user);
+        // TODO report back to the client a warning message to change the
+        // default password if none was specified.
+        return Response.status(201).entity(user).build();
+    }
+
+    /**
+     * REST endpoint to update a user account.
+     *
+     * @param info passed from Jersey
+     * @param user the user defined in the JSON payload
+     * @param id the unique id for the user that will be updated
+     * @return A response stating success or failure of the user update
+     */
+    @PUT
+    @Path("/{id}")
+    @Consumes("application/json")
+    @Produces("application/json")
+    public Response putUser(@Context UriInfo info, User user, @PathParam("id") String id) {
+
+        LOG.info("PUT /auth/v1/users/{}  (Updates a user account)", id);
+
+        try {
+            user.setUserid(id);
+
+            if (checkInputFieldLength(user.getPassword())) {
+                return providedFieldTooLong("password", IdmLightApplication.MAX_FIELD_LEN);
+            }
+
+            if (checkInputFieldLength(user.getName())) {
+                return providedFieldTooLong("name", IdmLightApplication.MAX_FIELD_LEN);
+            }
+
+            if (checkInputFieldLength(user.getDescription())) {
+                return providedFieldTooLong("description", IdmLightApplication.MAX_FIELD_LEN);
+            }
+
+            if (checkInputFieldLength(user.getEmail())) {
+                return providedFieldTooLong("email", IdmLightApplication.MAX_FIELD_LEN);
+            }
+
+            if (checkInputFieldLength(user.getDomainid())) {
+                return providedFieldTooLong("domain", IdmLightApplication.MAX_FIELD_LEN);
+            }
+
+            user = AAAIDMLightModule.getStore().updateUser(user);
+            if (user == null) {
+                return new IDMError(404, String.format("User not found for id %s", id), "").response();
+            }
+
+            IdmLightProxy.clearClaimCache();
+
+            // Redact the password and salt for security reasons.
+            redactUserPasswordInfo(user);
+            return Response.status(200).entity(user).build();
+        } catch (IDMStoreException se) {
+            return internalError("updating", se);
+        }
+    }
+
+    /**
+     * REST endpoint to delete a user account.
+     *
+     * @param info passed from Jersey
+     * @param id the unique id of the user which is being deleted
+     * @return A response stating success or failure of user deletion
+     */
+    @DELETE
+    @Path("/{id}")
+    public Response deleteUser(@Context UriInfo info, @PathParam("id") String id) {
+        LOG.info("DELETE /auth/v1/users/{}  (Delete a user account)", id);
+
+        try {
+            final User user = AAAIDMLightModule.getStore().deleteUser(id);
+
+            if (user == null) {
+                return new IDMError(404,
+                        String.format("Error deleting user.  " +
+                                      "Couldn't find user with id %s", id),
+                                      "").response();
+            }
+        } catch (IDMStoreException se) {
+            return internalError("deleting", se);
+        }
+
+        // Successfully deleted the user; report success to the client.
+        IdmLightProxy.clearClaimCache();
+        return Response.status(204).build();
+    }
+
+    /**
+     * Creates a <code>Response</code> related to an internal server error.
+     *
+     * @param verbal such as "creating", "deleting", "updating"
+     * @param e The exception, which is propagated in the response
+     * @return A response containing internal error with specific reasoning
+     */
+    private Response internalError(final String verbal, final Exception e) {
+        LOG.error("There was an internal error {} the user", verbal, e);
+        return new IDMError(500,
+                String.format("There was an internal error %s the user", verbal),
+                e.getMessage()).response();
+    }
+
+    /**
+     * Creates a <code>Response</code> related to the user not providing a
+     * required field.
+     *
+     * @param fieldName the name of the field which is missing
+     * @return A response explaining that the request is missing a field
+     */
+    private Response missingRequiredField(final String fieldName) {
+
+        return new IDMError(400,
+                String.format("%s is required to create the user account.  " +
+                              "Please provide a %s in your payload.", fieldName, fieldName),
+                              "").response();
+    }
+
+    /**
+     * Creates a <code>Response</code> related to the user providing a field
+     * that is too long.
+     *
+     * @param fieldName the name of the field that is too long
+     * @param maxFieldLength the maximum length of <code>fieldName</code>
+     * @return A response containing the bad field and the maximum field length
+     */
+    private Response providedFieldTooLong(final String fieldName, final int maxFieldLength) {
+
+        return new IDMError(400,
+                getProvidedFieldTooLongMessage(fieldName, maxFieldLength),
+                "").response();
+    }
+
+    /**
+     * Creates the client-facing message related to the user providing a field
+     * that is too long.
+     *
+     * @param fieldName the name of the field that is too long
+     * @param maxFieldLength the maximum length of <code>fieldName</code>
+     * @return
+     */
+    private static String getProvidedFieldTooLongMessage(final String fieldName,
+            final int maxFieldLength) {
+
+        return String.format("The provided {} field is too long.  " +
+                             "The max length is {}.", fieldName, maxFieldLength);
+    }
+
+    /**
+     * Prepares a user account for output by redacting the appropriate fields.
+     * This method side-effects the <code>user</code> parameter.
+     *
+     * @param user the user account which will have fields redacted
+     */
+    private static void redactUserPasswordInfo(final User user) {
+        user.setPassword(REDACTED_PASSWORD);
+        user.setSalt(REDACTED_SALT);
+    }
+
+    /**
+     * Validate the input field length
+     *
+     * @param inputField
+     * @return true if input field bigger than the MAX_FIELD_LEN
+     */
+    private boolean checkInputFieldLength(final String inputField) {
+        return inputField != null && (inputField.length() > IdmLightApplication.MAX_FIELD_LEN);
+    }
+}
diff --git a/odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/VersionHandler.java b/odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/VersionHandler.java
new file mode 100644
index 00000000..f865162a
--- /dev/null
+++ b/odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/aaa/idm/rest/VersionHandler.java
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.idm.rest;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.Context;
+
+import org.opendaylight.aaa.api.model.Version;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ *
+ * @author peter.mellquist@hp.com
+ *
+ */
+@Deprecated
+@Path("/")
+public class VersionHandler {
+    private static final Logger LOG = LoggerFactory.getLogger(VersionHandler.class);;
+
+    protected static String CURRENT_VERSION = "v1";
+    protected static String LAST_UPDATED = "2014-04-18T18:30:02.25Z";
+    protected static String CURRENT_STATUS = "CURRENT";
+
+    @GET
+    @Produces("application/json")
+    public Version getVersion(@Context HttpServletRequest request) {
+        LOG.info("Get /");
+        Version version = new Version();
+        version.setId(CURRENT_VERSION);
+        version.setUpdated(LAST_UPDATED);
+        version.setStatus(CURRENT_STATUS);
+        return version;
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/idmlight/rev151204/AAAIDMLightModule.java b/odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/idmlight/rev151204/AAAIDMLightModule.java
new file mode 100644
index 00000000..d6872635
--- /dev/null
+++ b/odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/idmlight/rev151204/AAAIDMLightModule.java
@@ -0,0 +1,90 @@
+package org.opendaylight.yang.gen.v1.config.aaa.authn.idmlight.rev151204;
+
+import org.opendaylight.aaa.api.CredentialAuth;
+import org.opendaylight.aaa.api.IDMStoreException;
+import org.opendaylight.aaa.api.IIDMStore;
+import org.opendaylight.aaa.api.IdMService;
+import org.opendaylight.aaa.idm.IdmLightProxy;
+import org.opendaylight.aaa.idm.StoreBuilder;
+import org.osgi.framework.BundleContext;
+import org.osgi.framework.ServiceReference;
+import org.osgi.framework.ServiceRegistration;
+import org.osgi.util.tracker.ServiceTracker;
+import org.osgi.util.tracker.ServiceTrackerCustomizer;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class AAAIDMLightModule extends org.opendaylight.yang.gen.v1.config.aaa.authn.idmlight.rev151204.AbstractAAAIDMLightModule {
+
+    private static final Logger LOG = LoggerFactory.getLogger(AAAIDMLightModule.class);
+    private BundleContext bundleContext = null;
+    private static volatile IIDMStore store = null;
+
+    public AAAIDMLightModule(org.opendaylight.controller.config.api.ModuleIdentifier identifier, org.opendaylight.controller.config.api.DependencyResolver dependencyResolver) {
+        super(identifier, dependencyResolver);
+    }
+
+    public AAAIDMLightModule(org.opendaylight.controller.config.api.ModuleIdentifier identifier, org.opendaylight.controller.config.api.DependencyResolver dependencyResolver, org.opendaylight.yang.gen.v1.config.aaa.authn.idmlight.rev151204.AAAIDMLightModule oldModule, java.lang.AutoCloseable oldInstance) {
+        super(identifier, dependencyResolver, oldModule, oldInstance);
+    }
+
+    @Override
+    public void customValidation() {
+        // add custom validation form module attributes here.
+    }
+
+    @Override
+    public java.lang.AutoCloseable createInstance() {
+        final IdmLightProxy proxy = new IdmLightProxy();
+        final ServiceRegistration<?> idmService = bundleContext.registerService(IdMService.class.getName(), proxy, null);
+        final ServiceRegistration<?> clientAuthService = bundleContext.registerService(CredentialAuth.class.getName(), proxy, null);
+
+        final ServiceTracker<IIDMStore, IIDMStore> storeServiceTracker = new ServiceTracker<>(bundleContext, IIDMStore.class,
+                new ServiceTrackerCustomizer<IIDMStore, IIDMStore>() {
+                    @Override
+                    public IIDMStore addingService(ServiceReference<IIDMStore> reference) {
+                        store = reference.getBundle().getBundleContext().getService(reference);
+                        LOG.info("IIDMStore service {} was found", store.getClass());
+                        try {
+                            StoreBuilder.init(store);
+                        } catch (IDMStoreException e) {
+                            LOG.error("Failed to initialize data in store", e);
+                        }
+
+                        return store;
+                    }
+
+                    @Override
+                    public void modifiedService(ServiceReference<IIDMStore> reference, IIDMStore service) {
+                    }
+
+                    @Override
+                    public void removedService(ServiceReference<IIDMStore> reference, IIDMStore service) {
+                    }
+                });
+
+        storeServiceTracker.open();
+
+        LOG.info("AAA IDM Light Module Initialized");
+        return new AutoCloseable() {
+            @Override
+            public void close() throws Exception {
+                idmService.unregister();
+                clientAuthService.unregister();
+                storeServiceTracker.close();
+            }
+        };
+    }
+
+    public void setBundleContext(BundleContext b){
+        this.bundleContext = b;
+    }
+
+    public static final IIDMStore getStore(){
+        return store;
+    }
+
+    public static final void setStore(IIDMStore s){
+        store = s;
+    }
+}
diff --git a/odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/idmlight/rev151204/AAAIDMLightModuleFactory.java b/odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/idmlight/rev151204/AAAIDMLightModuleFactory.java
new file mode 100644
index 00000000..de277da8
--- /dev/null
+++ b/odl-aaa-moon/aaa-idmlight/src/main/java/org/opendaylight/yang/gen/v1/config/aaa/authn/idmlight/rev151204/AAAIDMLightModuleFactory.java
@@ -0,0 +1,29 @@
+/*
+* Generated file
+*
+* Generated from: yang module name: aaa-idmlight yang module local name: aaa-idmlight
+* Generated by: org.opendaylight.controller.config.yangjmxgenerator.plugin.JMXGenerator
+* Generated at: Fri Dec 04 11:37:37 PST 2015
+*
+* Do not modify this file unless it is present under src/main directory
+*/
+package org.opendaylight.yang.gen.v1.config.aaa.authn.idmlight.rev151204;
+
+import org.opendaylight.controller.config.api.DependencyResolver;
+import org.osgi.framework.BundleContext;
+
+public class AAAIDMLightModuleFactory extends org.opendaylight.yang.gen.v1.config.aaa.authn.idmlight.rev151204.AbstractAAAIDMLightModuleFactory {
+    @Override
+    public AAAIDMLightModule instantiateModule(String instanceName, DependencyResolver dependencyResolver, AAAIDMLightModule oldModule, AutoCloseable oldInstance, BundleContext bundleContext) {
+        AAAIDMLightModule module = super.instantiateModule(instanceName, dependencyResolver, oldModule, oldInstance, bundleContext);
+        module.setBundleContext(bundleContext);
+        return module;
+    }
+
+    @Override
+    public AAAIDMLightModule instantiateModule(String instanceName, DependencyResolver dependencyResolver, BundleContext bundleContext) {
+        AAAIDMLightModule module = super.instantiateModule(instanceName, dependencyResolver, bundleContext);
+        module.setBundleContext(bundleContext);
+        return module;
+    }
+}
diff --git a/odl-aaa-moon/aaa-idmlight/src/main/resources/WEB-INF/web.xml b/odl-aaa-moon/aaa-idmlight/src/main/resources/WEB-INF/web.xml
new file mode 100644
index 00000000..9a19155a
--- /dev/null
+++ b/odl-aaa-moon/aaa-idmlight/src/main/resources/WEB-INF/web.xml
@@ -0,0 +1,79 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+    version="3.0">
+
+    <servlet>
+        <servlet-name>IdmLight</servlet-name>
+        <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
+        <init-param>
+            <param-name>javax.ws.rs.Application</param-name>
+            <param-value>org.opendaylight.aaa.idm.IdmLightApplication</param-value>
+        </init-param>
+        <init-param>
+           <param-name>com.sun.jersey.api.json.POJOMappingFeature</param-name><param-value>true</param-value>
+        </init-param>
+        <load-on-startup>1</load-on-startup>
+    </servlet>
+
+    <servlet-mapping>
+        <servlet-name>IdmLight</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+
+    <!-- Shiro Filter -->
+    <context-param>
+      <param-name>shiroEnvironmentClass</param-name>
+      <param-value>org.opendaylight.aaa.shiro.web.env.KarafIniWebEnvironment</param-value>
+    </context-param>
+
+    <listener>
+        <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
+    </listener>
+
+    <filter>
+        <filter-name>ShiroFilter</filter-name>
+        <filter-class>org.opendaylight.aaa.shiro.filters.AAAFilter</filter-class>
+    </filter>
+
+    <filter-mapping>
+        <filter-name>ShiroFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
+    <filter>
+        <filter-name>cross-origin-restconf</filter-name>
+        <filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class>
+        <init-param>
+            <param-name>allowedOrigins</param-name>
+            <param-value>*</param-value>
+        </init-param>
+        <init-param>
+            <param-name>allowedMethods</param-name>
+            <param-value>GET,POST,OPTIONS,DELETE,PUT,HEAD</param-value>
+        </init-param>
+        <init-param>
+            <param-name>allowedHeaders</param-name>
+            <param-value>origin, content-type, accept, authorization, Authorization</param-value>
+        </init-param>
+    </filter>
+
+    <filter-mapping>
+        <filter-name>cross-origin-restconf</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>NB api</web-resource-name>
+            <url-pattern>/*</url-pattern>
+            <http-method>POST</http-method>
+            <http-method>GET</http-method>
+            <http-method>PUT</http-method>
+            <http-method>PATCH</http-method>
+            <http-method>DELETE</http-method>
+            <http-method>HEAD</http-method>
+        </web-resource-collection>
+    </security-constraint>
+
+</web-app>
\ No newline at end of file
diff --git a/odl-aaa-moon/aaa-idmlight/src/main/resources/idmtool.py b/odl-aaa-moon/aaa-idmlight/src/main/resources/idmtool.py
new file mode 100644
index 00000000..d0a31ba2
--- /dev/null
+++ b/odl-aaa-moon/aaa-idmlight/src/main/resources/idmtool.py
@@ -0,0 +1,247 @@
+#!/usr/bin/env python
+
+#
+# Copyright (c) 2016 Brocade Communications Systems and others.  All rights reserved.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License v1.0 which accompanies this distribution,
+# and is available at http://www.eclipse.org/legal/epl-v10.html
+#
+
+'''
+idmtool
+
+Used to manipulate ODL AAA idm on a node-per-node basis.  Assumes only one domain (sdn)
+since current support in ODL is limited.
+'''
+
+__author__ = "Ryan Goulding"
+__copyright__ = "Copyright (c) 2016 Brocade Communications Systems and others"
+__credits__ = "Ryan Goulding"
+__license__ = "EPL"
+__version__ = "1.0"
+__maintainer__ = "Ryan Goulding"
+__email__ = "ryandgoulding@gmail.com"
+__status__ = "Production"
+
+import argparse, getpass, json, requests, sys
+
+parser = argparse.ArgumentParser('idmtool')
+
+user=''
+hostname='localhost'
+protocol='http'
+port='8181'
+target_host='{}://{}:{}/'.format(protocol, hostname, port)
+
+# main program arguments
+parser.add_argument('user',help='username for BSC node', nargs=1)
+parser.add_argument('--target-host', help="target host node", nargs=1)
+
+subparsers = parser.add_subparsers(help='sub-command help')
+
+# users table related
+list_users = subparsers.add_parser('list-users', help='list all users')
+list_users.set_defaults(func=list_users)
+add_user = subparsers.add_parser('add-user', help='add a user')
+add_user.set_defaults(func=add_user)
+add_user.add_argument('newUser', help='new user name', nargs=1)
+change_password = subparsers.add_parser('change-password', help='change a password')
+change_password.set_defaults(func=change_password)
+change_password.add_argument('userid', help='change the password for a particular userid', nargs=1)
+delete_user = subparsers.add_parser('delete-user', help='delete a user')
+delete_user.add_argument('userid', help='name@sdn', nargs=1)
+delete_user.set_defaults(func=delete_user)
+
+# domains table related
+# only read is defined;  this was done on purpose since the "domain" concept
+# is mostly unsupported in ODL.
+list_domains = subparsers.add_parser('list-domains', help='list all domains')
+list_domains.set_defaults(func=list_domains)
+
+# roles table related
+list_roles = subparsers.add_parser('list-roles', help='list all roles')
+list_roles.set_defaults(func=list_roles)
+add_role = subparsers.add_parser('add-role', help='add a role')
+add_role.add_argument('role', help='role name', nargs=1)
+add_role.set_defaults(func=add_role)
+delete_role = subparsers.add_parser('delete-role', help='delete a role')
+delete_role.add_argument('roleid', help='rolename@sdn', nargs=1)
+delete_role.set_defaults(func=delete_role)
+add_grant = subparsers.add_parser('add-grant', help='add a grant')
+add_grant.set_defaults(func=add_grant)
+add_grant.add_argument('userid', help="username@sdn", nargs=1)
+add_grant.add_argument('roleid', help="role@sdn", nargs=1)
+get_grants = subparsers.add_parser('get-grants', help='get grants for userid on sdn')
+get_grants.set_defaults(func=get_grants)
+get_grants.add_argument('userid', help="username@sdn", nargs=1)
+delete_grant = subparsers.add_parser('delete-grant', help='delete a grant')
+delete_grant.add_argument('userid', help='username@sdn', nargs=1)
+delete_grant.add_argument('roleid', help='role@sdn', nargs=1)
+delete_grant.set_defaults(func=delete_grant)
+
+def process_result(r):
+    ''' Generic method to print result of a REST call '''
+    print ''
+    sc = r.status_code
+    if sc >= 200 and sc < 300:
+        print "command succeeded!"
+        try:
+            res = r.json()
+            if res is not None:
+                print '\njson:\n', json.dumps(res, indent=4, sort_keys=True)
+        except(ValueError):
+            pass
+    elif sc == 401:
+        print "Incorrect Credentials Provided"
+    elif sc == 404:
+        print "RESTconf is either not installed or not initialized yet"
+    elif sc >= 500 and sc < 600:
+        print "Internal Server Error Ocurred"
+    else:
+        print "Unknown error; HTTP status code: {}".format(sc)
+
+def get_request(user, password, url, description, outputResult=True):
+    if outputResult:
+        print description
+    try:
+        r = requests.get(url, auth=(user,password))
+        if outputResult:
+            process_result(r)
+        return r
+    except(requests.exceptions.ConnectionError):
+        if outputResult:
+            print "Unable to connect;  are you sure the controller is up?"
+            sys.exit(1)
+
+def post_request(user, password, url, description, payload, params):
+    print description
+    try:
+        r = requests.post(url, auth=(user,password), data=payload, headers=params)
+        process_result(r)
+    except(requests.exceptions.ConnectionError):
+        print "Unable to connect; are you sure the controller is up?"
+        sys.exit(1)
+
+def put_request(user, password, url, description, payload, params):
+    print description
+    try:
+        r = requests.put(url, auth=(user,password), data=payload, headers=params)
+        process_result(r)
+    except(requests.exceptions.ConnectionError):
+        print "Unable to connect; are you sure the controller is up?"
+        sys.exit(1)
+
+def delete_request(user, password, url, description, payload='', params={'Content-Type':'application/json'}):
+    print description
+    try:
+        r = requests.delete(url, auth=(user,password), data=payload, headers=params)
+        process_result(r)
+    except(requests.exceptions.ConnectionError):
+        print "Unable to connect; are you sure the controller is up?"
+        sys.exit(1)
+
+def poll_new_password():
+    new_password = getpass.getpass(prompt="Enter new password: ")
+    new_password_repeated = getpass.getpass(prompt="Re-enter password: ")
+    if new_password != new_password_repeated:
+        print "Passwords did not match;  cancelling the add_user request"
+        sys.exit(1)
+    return new_password
+
+def list_users(user, password):
+    get_request(user, password, target_host + 'auth/v1/users', 'list_users')
+
+def add_user(user, password, newUser):
+    new_password = poll_new_password()
+    description = 'add_user({})'.format(user)
+    url = target_host + 'auth/v1/users'
+    payload =  {'name':newUser, 'password':new_password, 'description':'', "domainid":"sdn", 'userid':'{}@sdn'.format(newUser), 'email':''}
+    jsonpayload = json.dumps(payload)
+    headers={'Content-Type':'application/json'}
+    post_request(user, password, url, description, jsonpayload, headers)
+
+def delete_user(user, password, userid):
+    url = target_host + 'auth/v1/users/{}'.format(userid)
+    description = 'delete_user({})'.format(userid)
+    delete_request(user, password, url, description)
+
+def change_password(user, password, existingUserId):
+    url = target_host + 'auth/v1/users/{}'.format(existingUserId)
+    r = get_request(user, password, target_host + 'auth/v1/users/{}'.format(existingUserId), 'list_users', outputResult=False)
+    try:
+        existing = r.json()
+        del existing['salt']
+        del existing['password']
+        new_password = poll_new_password()
+        existing['password'] = new_password
+        description='change_password({})'.format(existingUserId)
+        headers={'Content-Type':'application/json'}
+        url = target_host + 'auth/v1/users/{}'.format(existingUserId)
+        put_request(user, password, url, 'change_password({})'.format(user), json.dumps(existing), headers)
+    except(AttributeError):
+        print "Unable to connect;  are you sure the controller is up?"
+        sys.exit(1)
+
+def list_domains(user, password):
+    get_request(user, password, target_host + 'auth/v1/domains', 'list_domains')
+
+def list_roles(user, password):
+    get_request(user, password, target_host + 'auth/v1/roles', 'list_roles')
+
+def add_role(user, password, role):
+    url = target_host + 'auth/v1/roles'
+    description = 'add_role({})'.format(role)
+    payload = {"roleid":'{}@sdn'.format(role), 'name':role, 'description':'', 'domainid':'sdn'}
+    data = json.dumps(payload)
+    headers={'Content-Type':'application/json'}
+    post_request(user, password, url, description, data, headers)
+
+def delete_role(user, password, roleid):
+    url = target_host + 'auth/v1/roles/{}'.format(roleid)
+    description = 'delete_role({})'.format(roleid)
+    delete_request(user, password, url, description)
+
+def add_grant(user, password, userid, roleid):
+    description = 'add_grant(userid={},roleid={})'.format(userid, roleid)
+    payload = {"roleid":roleid, "userid":userid, "grantid":'{}@{}@{}'.format(userid, roleid, "sdn"), "domainid":"sdn"}
+    url = target_host + 'auth/v1/domains/sdn/users/{}/roles'.format(userid)
+    data=json.dumps(payload)
+    headers={'Content-Type':'application/json'}
+    post_request(user, password, url, description, data, headers)
+
+def get_grants(user, password, userid):
+    get_request(user, password, target_host + 'auth/v1/domains/sdn/users/{}/roles'.format(userid), 'get_grants({})'.format(userid))
+
+def delete_grant(user, password, userid, roleid):
+    url = target_host + 'auth/v1/domains/sdn/users/{}/roles/{}'.format(userid, roleid)
+    print url
+    description = 'delete_grant(userid={},roleid={})'.format(userid, roleid)
+    delete_request(user, password, url, description)
+
+args = parser.parse_args()
+command = args.func.prog.split()[1:]
+user = args.user[0]
+password = getpass.getpass()
+if "list-users" in command:
+    list_users(user,password)
+if "list-domains" in command:
+    list_domains(user,password)
+if "list-roles" in command:
+    list_roles(user,password)
+if "add-user" in command:
+    add_user(user,password, args.newUser[0])
+if "add-grant" in command:
+    add_grant(user,password, args.userid[0], args.roleid[0])
+if "get-grants" in command:
+    get_grants(user,password, args.userid[0])
+if "change-password" in command:
+    change_password(user, password, args.userid[0])
+if "delete-user" in command:
+    delete_user(user, password, args.userid[0])
+if "delete-role" in command:
+    delete_role(user, password, args.roleid[0])
+if "add-role" in command:
+    add_role(user, password, args.role[0])
+if "delete-grant" in command:
+    delete_grant(user, password, args.userid[0], args.roleid[0])
diff --git a/odl-aaa-moon/aaa-idmlight/src/main/resources/initial/08-aaa-idmlight-config.xml b/odl-aaa-moon/aaa-idmlight/src/main/resources/initial/08-aaa-idmlight-config.xml
new file mode 100644
index 00000000..695ce762
--- /dev/null
+++ b/odl-aaa-moon/aaa-idmlight/src/main/resources/initial/08-aaa-idmlight-config.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- vi: set et smarttab sw=4 tabstop=4: -->
+<!--
+ Copyright (c) 2015 Cisco Systems, Inc. and others.  All rights reserved.
+
+ This program and the accompanying materials are made available under the
+ terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ and is available at http://www.eclipse.org/legal/epl-v10.html
+-->
+<snapshot>
+    <configuration>
+        <data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
+            <modules xmlns="urn:opendaylight:params:xml:ns:yang:controller:config">
+                <module>
+                    <type xmlns:authn="config:aaa:authn:idmlight">authn:aaa-idmlight</type>
+                    <name>aaa-idmlight</name>
+                </module>
+            </modules>
+        </data>
+    </configuration>
+    <required-capabilities>
+        <capability>config:aaa:authn:idmlight?module=aaa-idmlight&amp;revision=2015-12-04</capability>
+    </required-capabilities>
+
+</snapshot>
+
diff --git a/odl-aaa-moon/aaa-idmlight/src/main/yang/aaa-idmlight.yang b/odl-aaa-moon/aaa-idmlight/src/main/yang/aaa-idmlight.yang
new file mode 100644
index 00000000..4f28d755
--- /dev/null
+++ b/odl-aaa-moon/aaa-idmlight/src/main/yang/aaa-idmlight.yang
@@ -0,0 +1,28 @@
+module aaa-idmlight {
+  yang-version 1;
+  namespace "config:aaa:authn:idmlight";
+  prefix "aaa-idmlight";
+    organization "OpenDayLight";
+
+    import config { prefix config; revision-date 2013-04-05; }
+    import opendaylight-md-sal-binding { prefix mdsal; revision-date 2013-10-28; }
+
+    contact "saichler@gmail.com";
+
+    revision 2015-12-04 {
+        description
+            "Initial revision.";
+    }
+
+    identity aaa-idmlight {
+        base config:module-type;
+        config:java-name-prefix AAAIDMLight;
+    }
+
+    augment "/config:modules/config:module/config:configuration" {
+        case aaa-idmlight {
+            when "/config:modules/config:module/config:type = 'aaa-idmlight'";
+        }
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-idmlight/src/test/java/org/opendaylight/aaa/idm/persistence/PasswordHashTest.java b/odl-aaa-moon/aaa-idmlight/src/test/java/org/opendaylight/aaa/idm/persistence/PasswordHashTest.java
new file mode 100644
index 00000000..44fadf7a
--- /dev/null
+++ b/odl-aaa-moon/aaa-idmlight/src/test/java/org/opendaylight/aaa/idm/persistence/PasswordHashTest.java
@@ -0,0 +1,93 @@
+/*
+ * Copyright (c) 2015 Cisco Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.idm.persistence;
+
+import java.util.ArrayList;
+import java.util.LinkedList;
+import java.util.List;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mockito;
+import org.opendaylight.aaa.api.IDMStoreException;
+import org.opendaylight.aaa.api.IIDMStore;
+import org.opendaylight.aaa.api.PasswordCredentials;
+import org.opendaylight.aaa.api.SHA256Calculator;
+import org.opendaylight.aaa.api.model.Domain;
+import org.opendaylight.aaa.api.model.Grant;
+import org.opendaylight.aaa.api.model.Grants;
+import org.opendaylight.aaa.api.model.Role;
+import org.opendaylight.aaa.api.model.User;
+import org.opendaylight.aaa.api.model.Users;
+import org.opendaylight.aaa.idm.IdmLightProxy;
+import org.opendaylight.yang.gen.v1.config.aaa.authn.idmlight.rev151204.AAAIDMLightModule;
+
+/*
+ * @Author - Sharon Aicler (saichler@cisco.com)
+*/
+public class PasswordHashTest {
+
+    @Before
+    public void before() throws IDMStoreException{
+        IIDMStore store = Mockito.mock(IIDMStore.class);
+        AAAIDMLightModule.setStore(store);
+        Domain domain = new Domain();
+        domain.setName("sdn");
+        domain.setDomainid("sdn");
+
+        Mockito.when(store.readDomain("sdn")).thenReturn(domain);
+        Creds c = new Creds();
+        Users users = new Users();
+        User user = new User();
+        user.setName("admin");
+        user.setUserid(c.username());
+        user.setDomainid("sdn");
+        user.setSalt("ABCD");
+        user.setPassword(SHA256Calculator.getSHA256(c.password(),user.getSalt()));
+        List<User> lu = new LinkedList<>();
+        lu.add(user);
+        users.setUsers(lu);
+
+        Grants grants = new Grants();
+        Grant grant = new Grant();
+        List<Grant> g = new ArrayList<>();
+        g.add(grant);
+        grant.setDomainid("sdn");
+        grant.setRoleid("admin");
+        grant.setUserid("admin");
+        grants.setGrants(g);
+        Role role = new Role();
+        role.setRoleid("admin");
+        role.setName("admin");
+        Mockito.when(store.readRole("admin")).thenReturn(role);
+        Mockito.when(store.getUsers(c.username(), c.domain())).thenReturn(users);
+        Mockito.when(store.getGrants(c.domain(), c.username())).thenReturn(grants);
+    }
+
+    @Test
+    public void testPasswordHash(){
+        IdmLightProxy proxy = new IdmLightProxy();
+        proxy.authenticate(new Creds());
+    }
+
+    private static class Creds implements PasswordCredentials {
+        @Override
+        public String username() {
+            return "admin";
+        }
+        @Override
+        public String password() {
+            return "admin";
+        }
+        @Override
+        public String domain() {
+            return "sdn";
+        }
+    }
+}
diff --git a/odl-aaa-moon/aaa-idmlight/tests/cleardb.sh b/odl-aaa-moon/aaa-idmlight/tests/cleardb.sh
new file mode 100644
index 00000000..6385b48d
--- /dev/null
+++ b/odl-aaa-moon/aaa-idmlight/tests/cleardb.sh
@@ -0,0 +1,5 @@
+sudo service idmlight stop
+echo "dropping all tables..."
+sleep 3
+sudo sqlite3 /opt/idmlight/dmlight.db < ../sql/idmlight.sql
+sudo service idmlight start
diff --git a/odl-aaa-moon/aaa-idmlight/tests/domain.json b/odl-aaa-moon/aaa-idmlight/tests/domain.json
new file mode 100644
index 00000000..4dfd25e9
--- /dev/null
+++ b/odl-aaa-moon/aaa-idmlight/tests/domain.json
@@ -0,0 +1,5 @@
+{
+    "domainid": "1",
+    "name":"R&D",
+    "enabled":"true"
+}
diff --git a/odl-aaa-moon/aaa-idmlight/tests/domain2.json b/odl-aaa-moon/aaa-idmlight/tests/domain2.json
new file mode 100644
index 00000000..69244b30
--- /dev/null
+++ b/odl-aaa-moon/aaa-idmlight/tests/domain2.json
@@ -0,0 +1,5 @@
+{
+    "domainid": "1",
+    "name":"ATG",
+    "enabled":"true"
+}
diff --git a/odl-aaa-moon/aaa-idmlight/tests/grant.json b/odl-aaa-moon/aaa-idmlight/tests/grant.json
new file mode 100644
index 00000000..0c4a9e90
--- /dev/null
+++ b/odl-aaa-moon/aaa-idmlight/tests/grant.json
@@ -0,0 +1,4 @@
+{
+    "roleid":"2",
+    "description":"role grant"
+}
diff --git a/odl-aaa-moon/aaa-idmlight/tests/grant2.json b/odl-aaa-moon/aaa-idmlight/tests/grant2.json
new file mode 100644
index 00000000..ad685b7a
--- /dev/null
+++ b/odl-aaa-moon/aaa-idmlight/tests/grant2.json
@@ -0,0 +1,4 @@
+{
+    "roleid":"3",
+    "description":"role grant"
+}
diff --git a/odl-aaa-moon/aaa-idmlight/tests/result.json b/odl-aaa-moon/aaa-idmlight/tests/result.json
new file mode 100644
index 00000000..a3dd995d
--- /dev/null
+++ b/odl-aaa-moon/aaa-idmlight/tests/result.json
@@ -0,0 +1 @@
+{"domainid":2,"userid":2,"username":"peter","roles":[{"roleid":2,"name":"user","description":"A user role with limited access"},{"roleid":3,"name":"user","description":"A user role with limited access"}]}
\ No newline at end of file
diff --git a/odl-aaa-moon/aaa-idmlight/tests/role-admin.json b/odl-aaa-moon/aaa-idmlight/tests/role-admin.json
new file mode 100644
index 00000000..cf93caae
--- /dev/null
+++ b/odl-aaa-moon/aaa-idmlight/tests/role-admin.json
@@ -0,0 +1,4 @@
+{
+    "name":"admin",
+    "description":"An admin role with full access"
+}
diff --git a/odl-aaa-moon/aaa-idmlight/tests/role-user.json b/odl-aaa-moon/aaa-idmlight/tests/role-user.json
new file mode 100644
index 00000000..78588c9a
--- /dev/null
+++ b/odl-aaa-moon/aaa-idmlight/tests/role-user.json
@@ -0,0 +1,4 @@
+{
+    "name":"user",
+    "description":"A user role with limited access"
+}
diff --git a/odl-aaa-moon/aaa-idmlight/tests/test.sh b/odl-aaa-moon/aaa-idmlight/tests/test.sh
new file mode 100644
index 00000000..3589be58
--- /dev/null
+++ b/odl-aaa-moon/aaa-idmlight/tests/test.sh
@@ -0,0 +1,308 @@
+# GLOBAL VARS
+TARGET="localhost:8282/auth"
+TESTCOUNT=0
+PASSCOUNT=0
+FAILCOUNT=0
+
+getit() {
+((TESTCOUNT++))
+echo '['$TESTCOUNT']' $NAME
+echo GET $URL
+echo "Desired Result=" $PASSCODE
+STATUS=$(curl -X GET -k -s -H Accept:application/json -o result.json -w '%{http_code}' $URL)
+if [ $STATUS -eq $PASSCODE ]; then
+   ((PASSCOUNT++))
+   cat result.json | python -mjson.tool
+   echo "[PASS] Status=" $STATUS
+else
+   cat result.json | python -mjson.tool
+   echo "[FAIL] Status=" $STATUS
+   ((FAILCOUNT++))
+fi
+echo
+}
+
+
+deleteit() {
+((TESTCOUNT++))
+echo '['$TESTCOUNT']' $NAME
+echo DELETE $URL
+echo "Desired Result=" $PASSCODE
+STATUS=$(curl -X DELETE -k -s -H Accept:application/json -o result.json -w '%{http_code}' $URL)
+if [ $STATUS -eq $PASSCODE ]; then
+   ((PASSCOUNT++))
+   echo "[PASS] Status=" $STATUS
+else
+   cat result.json | python -mjson.tool
+   echo "[FAIL] Status=" $STATUS
+   ((FAILCOUNT++))
+fi
+echo
+}
+
+postit() {
+((TESTCOUNT++))
+echo '['$TESTCOUNT']' $NAME
+echo POST $URL
+echo "Desired Result=" $PASSCODE
+echo "POST File=" $POSTFILE
+STATUS=$(curl -X POST -k -s -H "Content-type:application/json" --data-binary "@"$POSTFILE -o result.json -w '%{http_code}' $URL)
+if [ $STATUS -eq $PASSCODE ]; then
+   ((PASSCOUNT++))
+   cat result.json | python -mjson.tool
+   echo "[PASS] Status=" $STATUS
+else
+   cat result.json | python -mjson.tool
+   echo "[FAIL] Status=" $STATUS
+   ((FAILCOUNT++))
+fi
+echo
+}
+
+putit() {
+((TESTCOUNT++))
+echo '['$TESTCOUNT']' $NAME
+echo PUT $URL
+echo "Desired Result=" $PASSCODE
+echo "PUT file=" $PUTFILE
+STATUS=$(curl -X PUT -k -s -H "Content-type:application/json" --data-binary "@"$PUTFILE -o result.json -w '%{http_code}' $URL)
+if [ $STATUS -eq $PASSCODE ]; then
+   ((PASSCOUNT++))
+   cat result.json | python -mjson.tool
+   echo "[PASS] Status=" $STATUS
+else
+   cat result.json | python -mjson.tool
+   echo "[FAIL] Status=" $STATUS
+   ((FAILCOUNT++))
+fi
+echo
+}
+
+
+#
+# DOMAIN TESTS
+#
+
+NAME="get all domains"
+URL="http://$TARGET/v1/domains"
+PASSCODE=200
+getit
+
+NAME="create a new domain"
+URL="http://$TARGET/v1/domains"
+POSTFILE=domain.json
+PASSCODE=201
+postit
+
+NAME="get domain 1"
+URL="http://$TARGET/v1/domains/1"
+PASSCODE=200
+getit
+
+NAME="delete domain 1"
+URL="http://$TARGET/v1/domains/1"
+PASSCODE=204
+deleteit
+
+NAME="create a new domain"
+URL="http://$TARGET/v1/domains"
+POSTFILE=domain.json
+PASSCODE=201
+postit
+
+NAME="get all domains"
+URL="http://$TARGET/v1/domains"
+PASSCODE=200
+getit
+
+NAME="update domain 2"
+URL="http://$TARGET/v1/domains/2"
+PUTFILE=domain.json
+PASSCODE=200
+putit
+
+NAME="create a new domain"
+URL="http://$TARGET/v1/domains"
+POSTFILE=domain2.json
+PASSCODE=201
+postit
+
+NAME="get all domains"
+URL="http://$TARGET/v1/domains"
+PASSCODE=200
+getit
+
+#
+# USER TESTS
+#
+
+NAME="get all users"
+URL="http://$TARGET/v1/users"
+PASSCODE=200
+getit
+
+NAME="create a new user"
+URL="http://$TARGET/v1/users"
+POSTFILE=user.json
+PASSCODE=201
+postit
+
+NAME="get all users"
+URL="http://$TARGET/v1/users"
+PASSCODE=200
+getit
+
+NAME="get user 1"
+URL="http://$TARGET/v1/users/1"
+PASSCODE=200
+getit
+
+NAME="delete user 1"
+URL="http://$TARGET/v1/users/1"
+PASSCODE=204
+deleteit
+
+NAME="get all users"
+URL="http://$TARGET/v1/users"
+PASSCODE=200
+getit
+
+NAME="create a new user"
+URL="http://$TARGET/v1/users"
+POSTFILE=user.json
+PASSCODE=201
+postit
+
+NAME="update a user"
+URL="http://$TARGET/v1/users/2"
+PUTFILE=user.json
+PASSCODE=200
+putit
+
+NAME="create a new user"
+URL="http://$TARGET/v1/users"
+POSTFILE=user2.json
+PASSCODE=201
+postit
+
+NAME="get all users"
+URL="http://$TARGET/v1/users"
+PASSCODE=200
+getit
+
+# ROLE TESTS
+
+NAME="get all roles"
+URL="http://$TARGET/v1/roles"
+PASSCODE=200
+getit
+
+NAME="create a new role"
+URL="http://$TARGET/v1/roles"
+POSTFILE=role-user.json
+PASSCODE=201
+postit
+
+NAME="get all roles"
+URL="http://$TARGET/v1/roles"
+PASSCODE=200
+getit
+
+NAME="get role 1"
+URL="http://$TARGET/v1/roles/1"
+PASSCODE=200
+getit
+
+NAME="delete role 1"
+URL="http://$TARGET/v1/roles/1"
+PASSCODE=204
+deleteit
+
+NAME="create a new role"
+URL="http://$TARGET/v1/roles"
+POSTFILE=role-user.json
+PASSCODE=201
+postit
+
+NAME="update role 2"
+URL="http://$TARGET/v1/roles/2"
+PUTFILE=role-user.json
+PASSCODE=200
+putit
+
+NAME="create a new role"
+URL="http://$TARGET/v1/roles"
+POSTFILE=role-admin.json
+PASSCODE=201
+postit
+
+NAME="get all roles"
+URL="http://$TARGET/v1/roles"
+PASSCODE=200
+getit
+
+# Grant tests
+
+NAME="grant a role"
+URL="http://$TARGET/v1/domains/2/users/2/roles"
+POSTFILE=grant.json
+PASSCODE=201
+postit
+
+NAME="try to create a double grant"
+URL="http://$TARGET/v1/domains/2/users/2/roles"
+POSTFILE=grant.json
+PASSCODE=403
+postit
+
+NAME="get all roles for domain and user"
+URL="http://$TARGET/v1/domains/2/users/2/roles"
+PASSCODE=200
+getit
+
+NAME="delete a grant"
+URL="http://$TARGET/v1/domains/2/users/2/roles/2"
+PASSCODE=204
+deleteit
+
+NAME="delete a grant"
+URL="http://$TARGET/v1/domains/2/users/2/roles/2"
+PASSCODE=404
+deleteit
+
+NAME="get all roles for domain and user"
+URL="http://$TARGET/v1/domains/2/users/2/roles"
+PASSCODE=200
+getit
+
+NAME="grant a role"
+URL="http://$TARGET/v1/domains/2/users/2/roles"
+POSTFILE=grant.json
+PASSCODE=201
+postit
+
+NAME="grant a role"
+URL="http://$TARGET/v1/domains/2/users/2/roles"
+POSTFILE=grant2.json
+PASSCODE=201
+postit
+
+NAME="get all roles for domain and user"
+URL="http://$TARGET/v1/domains/2/users/2/roles"
+PASSCODE=200
+getit
+
+NAME="get all roles for domain, user and pwd"
+URL="http://$TARGET/v1/domains/2/users/roles"
+POSTFILE=userpwd.json
+PASSCODE=200
+postit
+
+
+#
+# RESULTS
+#
+echo "SUMMARY"
+echo "======================================"
+echo 'TESTS:'$TESTCOUNT 'PASS:'$PASSCOUNT 'FAIL:'$FAILCOUNT
+
diff --git a/odl-aaa-moon/aaa-idmlight/tests/user.json b/odl-aaa-moon/aaa-idmlight/tests/user.json
new file mode 100644
index 00000000..6f30d705
--- /dev/null
+++ b/odl-aaa-moon/aaa-idmlight/tests/user.json
@@ -0,0 +1,7 @@
+{
+    "name":"peter",
+    "description":"peter test user",
+    "enabled":"true",
+    "email":"user1@gmail.com",
+    "password":"foobar"
+}
diff --git a/odl-aaa-moon/aaa-idmlight/tests/user2.json b/odl-aaa-moon/aaa-idmlight/tests/user2.json
new file mode 100644
index 00000000..9864cdb2
--- /dev/null
+++ b/odl-aaa-moon/aaa-idmlight/tests/user2.json
@@ -0,0 +1,7 @@
+{
+    "name":"liem",
+    "description":"liem test user",
+    "enabled":"true",
+    "email":"user1@gmail.com",
+    "password":"foobar"
+}
diff --git a/odl-aaa-moon/aaa-idmlight/tests/userpwd.json b/odl-aaa-moon/aaa-idmlight/tests/userpwd.json
new file mode 100644
index 00000000..e5258b98
--- /dev/null
+++ b/odl-aaa-moon/aaa-idmlight/tests/userpwd.json
@@ -0,0 +1,4 @@
+{
+    "username":"peter",
+    "userpwd":"foobar"
+}
diff --git a/odl-aaa-moon/aaa-idp-mapping/pom.xml b/odl-aaa-moon/aaa-idp-mapping/pom.xml
new file mode 100644
index 00000000..99c2322d
--- /dev/null
+++ b/odl-aaa-moon/aaa-idp-mapping/pom.xml
@@ -0,0 +1,84 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>org.opendaylight.aaa</groupId>
+    <artifactId>aaa-parent</artifactId>
+    <version>0.3.1-Beryllium-SR1</version>
+    <relativePath>../parent</relativePath>
+  </parent>
+
+  <artifactId>aaa-authn-idpmapping</artifactId>
+  <version>0.3.1-Beryllium-SR1</version>
+  <packaging>bundle</packaging>
+
+    <properties>
+        <powermock.version>1.5.2</powermock.version>
+    </properties>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.glassfish</groupId>
+      <artifactId>javax.json</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.osgi</groupId>
+      <artifactId>org.osgi.core</artifactId>
+      <scope>provided</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>slf4j-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.felix</groupId>
+      <artifactId>org.apache.felix.dependencymanager</artifactId>
+      <scope>provided</scope>
+    </dependency>
+
+    <!-- Test dependencies -->
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.mockito</groupId>
+      <artifactId>mockito-all</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>slf4j-simple</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.powermock</groupId>
+      <artifactId>powermock-api-mockito</artifactId>
+      <version>${powermock.version}</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.powermock</groupId>
+      <artifactId>powermock-module-junit4</artifactId>
+      <version>${powermock.version}</version>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.felix</groupId>
+        <artifactId>maven-bundle-plugin</artifactId>
+        <extensions>true</extensions>
+        <configuration>
+          <instructions>
+            <Bundle-Activator>org.opendaylight.aaa.idpmapping.Activator</Bundle-Activator>
+          </instructions>
+          <manifestLocation>${project.basedir}/META-INF</manifestLocation>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+</project>
diff --git a/odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/Activator.java b/odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/Activator.java
new file mode 100644
index 00000000..7342485e
--- /dev/null
+++ b/odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/Activator.java
@@ -0,0 +1,25 @@
+/*
+ * Copyright (c) 2014 Red Hat, Inc.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.idpmapping;
+
+import org.apache.felix.dm.DependencyActivatorBase;
+import org.apache.felix.dm.DependencyManager;
+import org.osgi.framework.BundleContext;
+
+public class Activator extends DependencyActivatorBase {
+
+    @Override
+    public void init(BundleContext context, DependencyManager manager) throws Exception {
+    }
+
+    @Override
+    public void destroy(BundleContext context, DependencyManager manager) throws Exception {
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/IdpJson.java b/odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/IdpJson.java
new file mode 100644
index 00000000..00328b60
--- /dev/null
+++ b/odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/IdpJson.java
@@ -0,0 +1,248 @@
+/*
+ * Copyright (c) 2014 Red Hat, Inc.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.idpmapping;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.StringReader;
+import java.io.StringWriter;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+import javax.json.Json;
+import javax.json.JsonValue;
+import javax.json.stream.JsonGenerator;
+import javax.json.stream.JsonGeneratorFactory;
+import javax.json.stream.JsonLocation;
+import javax.json.stream.JsonParser;
+import javax.json.stream.JsonParser.Event;
+
+/**
+ * Converts between JSON and the internal data structures used in the
+ * RuleProcessor.
+ *
+ * @author John Dennis &lt;jdennis@redhat.com&gt;
+ */
+
+public class IdpJson {
+
+    public IdpJson() {
+    }
+
+    public Object loadJson(java.io.Reader in) {
+        JsonParser parser = Json.createParser(in);
+        Event event = null;
+
+        // Prime the pump. Get the first item from the parser.
+        event = parser.next();
+
+        // Act on first item.
+        return loadJsonItem(parser, event);
+    }
+
+    public Object loadJson(Path filename) throws IOException {
+        BufferedReader reader = Files.newBufferedReader(filename, StandardCharsets.UTF_8);
+        return loadJson(reader);
+    }
+
+    public Object loadJson(String string) {
+        StringReader reader = new StringReader(string);
+        return loadJson(reader);
+    }
+
+    /*
+     * Process current parser item indicated by event. Consumes exactly the
+     * number of parser events necessary to load the item. Caller must advance
+     * the parser via parser.next() after this method returns.
+     */
+    private Object loadJsonItem(JsonParser parser, Event event) {
+        switch (event) {
+        case START_OBJECT: {
+            return loadJsonObject(parser, event);
+        }
+        case START_ARRAY: {
+            return loadJsonArray(parser, event);
+        }
+        case VALUE_NULL: {
+            return null;
+        }
+        case VALUE_NUMBER: {
+            if (parser.isIntegralNumber()) {
+                return parser.getLong();
+            } else {
+                return parser.getBigDecimal().doubleValue();
+            }
+        }
+        case VALUE_STRING: {
+            return parser.getString();
+        }
+        case VALUE_TRUE: {
+            return Boolean.TRUE;
+        }
+        case VALUE_FALSE: {
+            return Boolean.FALSE;
+        }
+        default: {
+            JsonLocation location = parser.getLocation();
+            throw new IllegalStateException(String.format(
+                    "unknown JSON parsing event %s, location(line=%d column=%d offset=%d)", event,
+                    location.getLineNumber(), location.getColumnNumber(),
+                    location.getStreamOffset()));
+        }
+        }
+    }
+
+    private List<Object> loadJsonArray(JsonParser parser, Event event) {
+        List<Object> list = new ArrayList<Object>();
+
+        if (event != Event.START_ARRAY) {
+            JsonLocation location = parser.getLocation();
+            throw new IllegalStateException(
+                    String.format(
+                            "expected JSON parsing event to be START_ARRAY, not %s location(line=%d column=%d offset=%d)",
+                            event, location.getLineNumber(), location.getColumnNumber(),
+                            location.getStreamOffset()));
+        }
+        event = parser.next(); // consume START_ARRAY
+        while (event != Event.END_ARRAY) {
+            Object obj;
+
+            obj = loadJsonItem(parser, event);
+            list.add(obj);
+            event = parser.next(); // next array item or END_ARRAY
+        }
+        return list;
+    }
+
+    private Map<String, Object> loadJsonObject(JsonParser parser, Event event) {
+        Map<String, Object> map = new LinkedHashMap<String, Object>();
+
+        if (event != Event.START_OBJECT) {
+            JsonLocation location = parser.getLocation();
+            throw new IllegalStateException(String.format(
+                    "expected JSON parsing event to be START_OBJECT, not %s, ",
+                    "location(line=%d column=%d offset=%d)", event, location.getLineNumber(),
+                    location.getColumnNumber(), location.getStreamOffset()));
+        }
+        event = parser.next(); // consume START_OBJECT
+        while (event != Event.END_OBJECT) {
+            if (event == Event.KEY_NAME) {
+                String key;
+                Object value;
+
+                key = parser.getString();
+                event = parser.next(); // consume key
+                value = loadJsonItem(parser, event);
+                map.put(key, value);
+            } else {
+                JsonLocation location = parser.getLocation();
+                throw new IllegalStateException(
+                        String.format(
+                                "expected JSON parsing event to be KEY_NAME, not %s, location(line=%d column=%d offset=%d)",
+                                event, location.getLineNumber(), location.getColumnNumber(),
+                                location.getStreamOffset()));
+
+            }
+            event = parser.next(); // next key or END_OBJECT
+        }
+        return map;
+    }
+
+    public String dumpJson(Object obj) {
+        Map<String, Object> properties = new HashMap<String, Object>(1);
+        properties.put(JsonGenerator.PRETTY_PRINTING, true);
+        JsonGeneratorFactory generatorFactory = Json.createGeneratorFactory(properties);
+        StringWriter stringWriter = new StringWriter();
+        JsonGenerator generator = generatorFactory.createGenerator(stringWriter);
+
+        dumpJsonItem(generator, obj);
+        generator.close();
+        return stringWriter.toString();
+    }
+
+    private void dumpJsonItem(JsonGenerator generator, Object obj) {
+        // ordered by expected occurrence
+        if (obj instanceof String) {
+            generator.write((String) obj);
+        } else if (obj instanceof List) {
+            generator.writeStartArray();
+            @SuppressWarnings("unchecked")
+            List<Object> list = (List<Object>) obj;
+            dumpJsonArray(generator, list);
+        } else if (obj instanceof Map) {
+            generator.writeStartObject();
+            @SuppressWarnings("unchecked")
+            Map<String, Object> map = (Map<String, Object>) obj;
+            dumpJsonObject(generator, map);
+        } else if (obj instanceof Long) {
+            generator.write(((Long) obj).longValue());
+        } else if (obj instanceof Boolean) {
+            generator.write(((Boolean) obj).booleanValue());
+        } else if (obj == null) {
+            generator.writeNull();
+        } else if (obj instanceof Double) {
+            generator.write(((Double) obj).doubleValue());
+        } else {
+            throw new IllegalStateException(
+                    String.format(
+                            "unsupported data type, must be String, Long, Double, Boolean, List, Map, or null, not %s",
+                            obj.getClass().getSimpleName()));
+        }
+    }
+
+    private void dumpJsonArray(JsonGenerator generator, List<Object> list) {
+        for (Object obj : list) {
+            dumpJsonItem(generator, obj);
+        }
+        generator.writeEnd();
+    }
+
+    private void dumpJsonObject(JsonGenerator generator, Map<String, Object> map) {
+
+        for (Map.Entry<String, Object> entry : map.entrySet()) {
+            String key = entry.getKey();
+            Object obj = entry.getValue();
+
+            // ordered by expected occurrence
+            if (obj instanceof String) {
+                generator.write(key, (String) obj);
+            } else if (obj instanceof List) {
+                generator.writeStartArray(key);
+                @SuppressWarnings("unchecked")
+                List<Object> list = (List<Object>) obj;
+                dumpJsonArray(generator, list);
+            } else if (obj instanceof Map) {
+                generator.writeStartObject(key);
+                @SuppressWarnings("unchecked")
+                Map<String, Object> map1 = (Map<String, Object>) obj;
+                dumpJsonObject(generator, map1);
+            } else if (obj instanceof Long) {
+                generator.write(key, ((Long) obj).longValue());
+            } else if (obj instanceof Boolean) {
+                generator.write(key, ((Boolean) obj).booleanValue());
+            } else if (obj == null) {
+                generator.write(key, JsonValue.NULL);
+            } else if (obj instanceof Double) {
+                generator.write(key, ((Double) obj).doubleValue());
+            } else {
+                throw new IllegalStateException(
+                        String.format(
+                                "unsupported data type, must be String, Long, Double, Boolean, List, Map, or null, not %s",
+                                obj.getClass().getSimpleName()));
+            }
+        }
+        generator.writeEnd();
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/InvalidRuleException.java b/odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/InvalidRuleException.java
new file mode 100644
index 00000000..1e42f4f2
--- /dev/null
+++ b/odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/InvalidRuleException.java
@@ -0,0 +1,35 @@
+/*
+ * Copyright (c) 2014 Red Hat, Inc.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.idpmapping;
+
+/**
+ * Exception thrown when a mapping rule is improperly defined.
+ *
+ * @author John Dennis &lt;jdennis@redhat.com&gt;
+ */
+
+public class InvalidRuleException extends RuntimeException {
+
+    private static final long serialVersionUID = 1948891573270429630L;
+
+    public InvalidRuleException() {
+    }
+
+    public InvalidRuleException(String message) {
+        super(message);
+    }
+
+    public InvalidRuleException(Throwable cause) {
+        super(cause);
+    }
+
+    public InvalidRuleException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}
diff --git a/odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/InvalidTypeException.java b/odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/InvalidTypeException.java
new file mode 100644
index 00000000..fb8b132f
--- /dev/null
+++ b/odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/InvalidTypeException.java
@@ -0,0 +1,35 @@
+/*
+ * Copyright (c) 2014 Red Hat, Inc.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.idpmapping;
+
+/**
+ * Exception thrown when the type of a value is incorrect for a given context.
+ *
+ * @author John Dennis &lt;jdennis@redhat.com&gt;
+ */
+
+public class InvalidTypeException extends RuntimeException {
+
+    private static final long serialVersionUID = 4437011247503994368L;
+
+    public InvalidTypeException() {
+    }
+
+    public InvalidTypeException(String message) {
+        super(message);
+    }
+
+    public InvalidTypeException(Throwable cause) {
+        super(cause);
+    }
+
+    public InvalidTypeException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}
diff --git a/odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/InvalidValueException.java b/odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/InvalidValueException.java
new file mode 100644
index 00000000..2f83c13f
--- /dev/null
+++ b/odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/InvalidValueException.java
@@ -0,0 +1,35 @@
+/*
+ * Copyright (c) 2014 Red Hat, Inc.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.idpmapping;
+
+/**
+ * Exception thrown when a value cannot be used in a given context.
+ *
+ * @author John Dennis &lt;jdennis@redhat.com&gt;
+ */
+
+public class InvalidValueException extends RuntimeException {
+
+    private static final long serialVersionUID = -2351651535772692180L;
+
+    public InvalidValueException() {
+    }
+
+    public InvalidValueException(String message) {
+        super(message);
+    }
+
+    public InvalidValueException(Throwable cause) {
+        super(cause);
+    }
+
+    public InvalidValueException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}
diff --git a/odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/RuleProcessor.java b/odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/RuleProcessor.java
new file mode 100644
index 00000000..0f86fde6
--- /dev/null
+++ b/odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/RuleProcessor.java
@@ -0,0 +1,1368 @@
+/*
+ * Copyright (c) 2014 Red Hat, Inc.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.idpmapping;
+
+import java.io.IOException;
+import java.io.StringWriter;
+import java.nio.file.Path;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.EnumSet;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+enum ProcessResult {
+    RULE_FAIL, RULE_SUCCESS, BLOCK_CONTINUE, STATEMENT_CONTINUE
+}
+
+/**
+ * Evaluate a set of rules against an assertion from an external Identity
+ * Provider (IdP) mapping those assertion values to local values.
+ *
+ * @author John Dennis &lt;jdennis@redhat.com&gt;
+ */
+
+public class RuleProcessor {
+    private static final Logger LOG = LoggerFactory.getLogger(RuleProcessor.class);
+
+    public String ruleIdFormat = "<rule [${rule_number}:\"${rule_name}\"]>";
+    public String statementIdFormat = "<rule [${rule_number}:\"${rule_name}\"] block [${block_number}:\"${block_name}\"] statement ${statement_number}>";
+
+    /*
+     * Reserved variables
+     */
+    public static final String ASSERTION = "assertion";
+    public static final String RULE_NUMBER = "rule_number";
+    public static final String RULE_NAME = "rule_name";
+    public static final String BLOCK_NUMBER = "block_number";
+    public static final String BLOCK_NAME = "block_name";
+    public static final String STATEMENT_NUMBER = "statement_number";
+    public static final String REGEXP_ARRAY_VARIABLE = "regexp_array";
+    public static final String REGEXP_MAP_VARIABLE = "regexp_map";
+
+    private static final String REGEXP_NAMED_GROUP_PAT = "\\(\\?<([a-zA-Z][a-zA-Z0-9]*)>";
+    private static final Pattern REGEXP_NAMED_GROUP_RE = Pattern.compile(REGEXP_NAMED_GROUP_PAT);
+
+    List<Map<String, Object>> rules = null;
+    boolean success = true;
+    Map<String, Map<String, Object>> mappings = null;
+
+    public RuleProcessor(java.io.Reader rulesIn, Map<String, Map<String, Object>> mappings) {
+        this.mappings = mappings;
+        IdpJson json = new IdpJson();
+        @SuppressWarnings("unchecked")
+        List<Map<String, Object>> loadJson = (List<Map<String, Object>>) json.loadJson(rulesIn);
+        rules = loadJson;
+    }
+
+    public RuleProcessor(Path rulesIn, Map<String, Map<String, Object>> mappings)
+            throws IOException {
+        this.mappings = mappings;
+        IdpJson json = new IdpJson();
+        @SuppressWarnings("unchecked")
+        List<Map<String, Object>> loadJson = (List<Map<String, Object>>) json.loadJson(rulesIn);
+        rules = loadJson;
+    }
+
+    public RuleProcessor(String rulesIn, Map<String, Map<String, Object>> mappings) {
+        this.mappings = mappings;
+        IdpJson json = new IdpJson();
+        @SuppressWarnings("unchecked")
+        List<Map<String, Object>> loadJson = (List<Map<String, Object>>) json.loadJson(rulesIn);
+        rules = loadJson;
+    }
+
+    /*
+     * For some odd reason the Java Regular Expression API does not include a
+     * way to retrieve a map of the named groups and their values. The API only
+     * permits us to retrieve a named group if we already know the group names.
+     * So instead we parse the pattern string looking for named groups, extract
+     * the name, look up the value of the named group and build a map from that.
+     */
+
+    private Map<String, String> regexpGroupMap(String pattern, Matcher matcher) {
+        Map<String, String> groupMap = new HashMap<String, String>();
+        Matcher groupMatcher = REGEXP_NAMED_GROUP_RE.matcher(pattern);
+
+        while (groupMatcher.find()) {
+            String groupName = groupMatcher.group(1);
+
+            groupMap.put(groupName, matcher.group(groupName));
+        }
+        return groupMap;
+    }
+
+    static public String join(List<Object> list, String conjunction) {
+        StringBuilder sb = new StringBuilder();
+        boolean first = true;
+        for (Object item : list) {
+            if (first) {
+                first = false;
+            } else {
+                sb.append(conjunction);
+            }
+            sb.append(item.toString());
+        }
+        return sb.toString();
+    }
+
+    private List<String> regexpGroupList(Matcher matcher) {
+        List<String> groupList = new ArrayList<String>(matcher.groupCount() + 1);
+        groupList.add(0, matcher.group(0));
+        for (int i = 1; i < matcher.groupCount() + 1; i++) {
+            groupList.add(i, matcher.group(i));
+        }
+        return groupList;
+    }
+
+    private String objToString(Object obj) {
+        StringWriter sw = new StringWriter();
+        objToStringItem(sw, obj);
+        return sw.toString();
+    }
+
+    private void objToStringItem(StringWriter sw, Object obj) {
+        // ordered by expected occurrence
+        if (obj instanceof String) {
+            sw.write('"');
+            sw.write(((String) obj).replaceAll("\"", "\\\""));
+            sw.write('"');
+        } else if (obj instanceof List) {
+            @SuppressWarnings("unchecked")
+            List<Object> list = (List<Object>) obj;
+            boolean first = true;
+
+            sw.write('[');
+            for (Object item : list) {
+                if (first) {
+                    first = false;
+                } else {
+                    sw.write(", ");
+                }
+                objToStringItem(sw, item);
+            }
+            sw.write(']');
+        } else if (obj instanceof Map) {
+            @SuppressWarnings("unchecked")
+            Map<String, Object> map = (Map<String, Object>) obj;
+            boolean first = true;
+
+            sw.write('{');
+            for (Map.Entry<String, Object> entry : map.entrySet()) {
+                String key = entry.getKey();
+                Object value = entry.getValue();
+
+                if (first) {
+                    first = false;
+                } else {
+                    sw.write(", ");
+                }
+
+                objToStringItem(sw, key);
+                sw.write(": ");
+                objToStringItem(sw, value);
+
+            }
+            sw.write('}');
+        } else if (obj instanceof Long) {
+            sw.write(((Long) obj).toString());
+        } else if (obj instanceof Boolean) {
+            sw.write(((Boolean) obj).toString());
+        } else if (obj == null) {
+            sw.write("null");
+        } else if (obj instanceof Double) {
+            sw.write(((Double) obj).toString());
+        } else {
+            throw new IllegalStateException(
+                    String.format(
+                            "unsupported data type, must be String, Long, Double, Boolean, List, Map, or null, not %s",
+                            obj.getClass().getSimpleName()));
+        }
+    }
+
+    private Object deepCopy(Object obj) {
+        // ordered by expected occurrence
+        if (obj instanceof String) {
+            return obj; // immutable
+        } else if (obj instanceof List) {
+            List<Object> new_list = new ArrayList<Object>();
+            @SuppressWarnings("unchecked")
+            List<Object> list = (List<Object>) obj;
+            for (Object item : list) {
+                new_list.add(deepCopy(item));
+            }
+            return new_list;
+        } else if (obj instanceof Map) {
+            Map<String, Object> new_map = new LinkedHashMap<String, Object>();
+            @SuppressWarnings("unchecked")
+            Map<String, Object> map = (Map<String, Object>) obj;
+            for (Map.Entry<String, Object> entry : map.entrySet()) {
+                String key = entry.getKey(); // immutable
+                Object value = entry.getValue();
+                new_map.put(key, deepCopy(value));
+            }
+            return new_map;
+        } else if (obj instanceof Long) {
+            return obj; // immutable
+        } else if (obj instanceof Boolean) {
+            return obj; // immutable
+        } else if (obj == null) {
+            return null;
+        } else if (obj instanceof Double) {
+            return obj; // immutable
+        } else {
+            throw new IllegalStateException(
+                    String.format(
+                            "unsupported data type, must be String, Long, Double, Boolean, List, Map, or null, not %s",
+                            obj.getClass().getSimpleName()));
+        }
+    }
+
+    public String ruleId(Map<String, Object> namespace) {
+        return substituteVariables(ruleIdFormat, namespace);
+    }
+
+    public String statementId(Map<String, Object> namespace) {
+        return substituteVariables(statementIdFormat, namespace);
+    }
+
+    public String substituteVariables(String string, Map<String, Object> namespace) {
+        StringBuffer sb = new StringBuffer();
+        Matcher matcher = Token.VARIABLE_RE.matcher(string);
+
+        while (matcher.find()) {
+            Token token = new Token(matcher.group(0), namespace);
+            token.load();
+            String replacement;
+            if (token.type == TokenType.STRING) {
+                replacement = token.getStringValue();
+            } else {
+                replacement = objToString(token.getObjectValue());
+            }
+
+            matcher.appendReplacement(sb, replacement);
+        }
+        matcher.appendTail(sb);
+        return sb.toString();
+    }
+
+    Map<String, Object> getMapping(Map<String, Object> namespace, Map<String, Object> rule) {
+        Map<String, Object> mapping = null;
+        String mappingName = null;
+
+        try {
+            @SuppressWarnings("unchecked")
+            Map<String, Object> map = (Map<String, Object>) rule.get("mapping");
+            mapping = map;
+        } catch (java.lang.ClassCastException e) {
+            throw new InvalidRuleException(String.format(
+                    "%s rule defines 'mapping' but it is not a Map", this.ruleId(namespace), e));
+        }
+        if (mapping != null) {
+            return mapping;
+        }
+        try {
+            mappingName = (String) rule.get("mapping_name");
+        } catch (java.lang.ClassCastException e) {
+            throw new InvalidRuleException(String.format(
+                    "%s rule defines 'mapping_name' but it is not a string",
+                    this.ruleId(namespace), e));
+        }
+        if (mappingName == null) {
+            throw new InvalidRuleException(String.format(
+                    "%s rule does not define mapping nor mapping_name unable to load mapping",
+                    this.ruleId(namespace)));
+        }
+        mapping = this.mappings.get(mappingName);
+        if (mapping == null) {
+            throw new InvalidRuleException(
+                    String.format(
+                            "%s rule specifies mapping_name '%s' but a mapping by that name does not exist, unable to load mapping",
+                            this.ruleId(namespace)));
+        }
+        LOG.debug(String.format("using named mapping '%s' from rule %s mapping=%s", mappingName,
+                this.ruleId(namespace), mapping));
+        return mapping;
+    }
+
+    private String getVerb(List<Object> statement) {
+        Token verb;
+
+        if (statement.size() < 1) {
+            throw new InvalidRuleException("statement has no verb");
+        }
+
+        try {
+            verb = new Token(statement.get(0), null);
+        } catch (Exception e) {
+            throw new InvalidRuleException(String.format(
+                    "statement first member (i.e. verb) error %s", e));
+        }
+
+        if (verb.type != TokenType.STRING) {
+            throw new InvalidRuleException(String.format(
+                    "statement first member (i.e. verb) must be a string, not %s", verb.type));
+        }
+
+        return (verb.getStringValue()).toLowerCase();
+    }
+
+    private Token getToken(String verb, List<Object> statement, int index,
+            Map<String, Object> namespace, Set<TokenStorageType> storageTypes,
+            Set<TokenType> tokenTypes) {
+        Object item;
+        Token token;
+
+        try {
+            item = statement.get(index);
+        } catch (IndexOutOfBoundsException e) {
+            throw new InvalidRuleException(String.format(
+                    "verb '%s' requires at least %d items but only %d are available.", verb,
+                    index + 1, statement.size(), e));
+        }
+
+        try {
+            token = new Token(item, namespace);
+        } catch (Exception e) {
+            throw new StatementErrorException(String.format("parameter %d, %s", index, e));
+        }
+
+        if (storageTypes != null) {
+            if (!storageTypes.contains(token.storageType)) {
+                throw new InvalidTypeException(
+                        String.format(
+                                "verb '%s' requires parameter #%d to have storage types %s not %s. statement=%s",
+                                verb, index, storageTypes, statement));
+            }
+        }
+
+        if (tokenTypes != null) {
+            token.load(); // Note, Token.load() sets the Token.type
+
+            if (!tokenTypes.contains(token.type)) {
+                throw new InvalidTypeException(String.format(
+                        "verb '%s' requires parameter #%d to have types %s, not %s. statement=%s",
+                        verb, index, tokenTypes, statement));
+            }
+        }
+
+        return token;
+    }
+
+    private Token getParameter(String verb, List<Object> statement, int index,
+            Map<String, Object> namespace, Set<TokenType> tokenTypes) {
+        Object item;
+        Token token;
+
+        try {
+            item = statement.get(index);
+        } catch (IndexOutOfBoundsException e) {
+            throw new InvalidRuleException(String.format(
+                    "verb '%s' requires at least %d items but only %d are available.", verb,
+                    index + 1, statement.size(), e));
+        }
+
+        try {
+            token = new Token(item, namespace);
+        } catch (Exception e) {
+            throw new StatementErrorException(String.format("parameter %d, %s", index, e));
+        }
+
+        token.load();
+
+        if (tokenTypes != null) {
+            try {
+                token.get(); // Note, Token.get() sets the Token.type
+            } catch (UndefinedValueException e) {
+                // OK if not yet defined
+            }
+            if (!tokenTypes.contains(token.type)) {
+                throw new InvalidTypeException(String.format(
+                        "verb '%s' requires parameter #%d to have types %s, not %s. statement=%s",
+                        verb, index, tokenTypes, item.getClass().getSimpleName(), statement));
+            }
+        }
+
+        return token;
+    }
+
+    private Object getRawParameter(String verb, List<Object> statement, int index,
+            Set<TokenType> tokenTypes) {
+        Object item;
+
+        try {
+            item = statement.get(index);
+        } catch (IndexOutOfBoundsException e) {
+            throw new InvalidRuleException(String.format(
+                    "verb '%s' requires at least %d items but only %d are available.", verb,
+                    index + 1, statement.size(), e));
+        }
+
+        if (tokenTypes != null) {
+            TokenType itemType = Token.classify(item);
+
+            if (!tokenTypes.contains(itemType)) {
+                throw new InvalidTypeException(String.format(
+                        "verb '%s' requires parameter #%d to have types %s, not %s. statement=%s",
+                        verb, index, tokenTypes, statement));
+            }
+        }
+
+        return item;
+    }
+
+    private Token getVariable(String verb, List<Object> statement, int index,
+            Map<String, Object> namespace) {
+        Object item;
+        Token token;
+
+        try {
+            item = statement.get(index);
+        } catch (IndexOutOfBoundsException e) {
+            throw new InvalidRuleException(String.format(
+                    "verb '%s' requires at least %d items but only %d are available.", verb,
+                    index + 1, statement.size(), e));
+        }
+
+        try {
+            token = new Token(item, namespace);
+        } catch (Exception e) {
+            throw new StatementErrorException(String.format("parameter %d, %s", index, e));
+        }
+
+        if (token.storageType != TokenStorageType.VARIABLE) {
+            throw new InvalidTypeException(String.format(
+                    "verb '%s' requires parameter #%d to be a variable not %s. statement=%s", verb,
+                    index, token.storageType, statement));
+        }
+
+        return token;
+    }
+
+    public Map<String, Object> process(String assertionJson) {
+        ProcessResult result;
+        IdpJson json = new IdpJson();
+        @SuppressWarnings("unchecked")
+        Map<String, Object> assertion = (Map<String, Object>) json.loadJson(assertionJson);
+        LOG.info("Assertion JSON: {}", json.dumpJson(assertion));
+        this.success = true;
+
+        for (int ruleNumber = 0; ruleNumber < this.rules.size(); ruleNumber++) {
+            Map<String, Object> namespace = new HashMap<String, Object>();
+            Map<String, Object> rule = (Map<String, Object>) this.rules.get(ruleNumber);
+            namespace.put(RULE_NUMBER, Long.valueOf(ruleNumber));
+            namespace.put(RULE_NAME, "");
+            namespace.put(ASSERTION, deepCopy(assertion));
+
+            result = processRule(namespace, rule);
+
+            if (result == ProcessResult.RULE_SUCCESS) {
+                Map<String, Object> mapped = new LinkedHashMap<String, Object>();
+                Map<String, Object> mapping = getMapping(namespace, rule);
+                for (Map.Entry<String, Object> entry : ((Map<String, Object>) mapping).entrySet()) {
+                    String key = entry.getKey();
+                    Object value = entry.getValue();
+                    Object newValue = null;
+                    try {
+                        Token token = new Token(value, namespace);
+                        newValue = token.get();
+                    } catch (Exception e) {
+                        throw new InvalidRuleException(String.format(
+                                "%s unable to get value for mapping %s=%s, %s", ruleId(namespace),
+                                key, value, e), e);
+                    }
+                    mapped.put(key, newValue);
+                }
+                return mapped;
+            }
+        }
+        return null;
+    }
+
+    private ProcessResult processRule(Map<String, Object> namespace, Map<String, Object> rule) {
+        ProcessResult result = ProcessResult.BLOCK_CONTINUE;
+        @SuppressWarnings("unchecked")
+        List<List<List<Object>>> statementBlocks = (List<List<List<Object>>>) rule.get("statement_blocks");
+        if (statementBlocks == null) {
+            throw new InvalidRuleException("rule missing 'statement_blocks'");
+
+        }
+        for (int blockNumber = 0; blockNumber < statementBlocks.size(); blockNumber++) {
+            List<List<Object>> block = (List<List<Object>>) statementBlocks.get(blockNumber);
+            namespace.put(BLOCK_NUMBER, Long.valueOf(blockNumber));
+            namespace.put(BLOCK_NAME, "");
+
+            result = processBlock(namespace, block);
+            if (EnumSet.of(ProcessResult.RULE_SUCCESS, ProcessResult.RULE_FAIL).contains(result)) {
+                break;
+            } else if (result == ProcessResult.BLOCK_CONTINUE) {
+                continue;
+            } else {
+                throw new IllegalStateException(String.format("%s unexpected statement result: %s",
+                        result));
+            }
+        }
+        if (EnumSet.of(ProcessResult.RULE_SUCCESS, ProcessResult.BLOCK_CONTINUE).contains(result)) {
+            return ProcessResult.RULE_SUCCESS;
+        } else {
+            return ProcessResult.RULE_FAIL;
+        }
+    }
+
+    private ProcessResult processBlock(Map<String, Object> namespace, List<List<Object>> block) {
+        ProcessResult result = ProcessResult.STATEMENT_CONTINUE;
+
+        for (int statementNumber = 0; statementNumber < block.size(); statementNumber++) {
+            List<Object> statement = (List<Object>) block.get(statementNumber);
+            namespace.put(STATEMENT_NUMBER, Long.valueOf(statementNumber));
+
+            try {
+                result = processStatement(namespace, statement);
+            } catch (Exception e) {
+                throw new IllegalStateException(String.format("%s statement=%s %s",
+                        statementId(namespace), statement, e), e);
+            }
+            if (EnumSet.of(ProcessResult.BLOCK_CONTINUE, ProcessResult.RULE_SUCCESS,
+                    ProcessResult.RULE_FAIL).contains(result)) {
+                break;
+            } else if (result == ProcessResult.STATEMENT_CONTINUE) {
+                continue;
+            } else {
+                throw new IllegalStateException(String.format("%s unexpected statement result: %s",
+                        result));
+            }
+        }
+        if (result == ProcessResult.STATEMENT_CONTINUE) {
+            result = ProcessResult.BLOCK_CONTINUE;
+        }
+        return result;
+    }
+
+    private ProcessResult processStatement(Map<String, Object> namespace, List<Object> statement) {
+        ProcessResult result = ProcessResult.STATEMENT_CONTINUE;
+        String verb = getVerb(statement);
+
+        switch (verb) {
+        case "set":
+            result = verbSet(verb, namespace, statement);
+            break;
+        case "length":
+            result = verbLength(verb, namespace, statement);
+            break;
+        case "interpolate":
+            result = verbInterpolate(verb, namespace, statement);
+            break;
+        case "append":
+            result = verbAppend(verb, namespace, statement);
+            break;
+        case "unique":
+            result = verbUnique(verb, namespace, statement);
+            break;
+        case "split":
+            result = verbSplit(verb, namespace, statement);
+            break;
+        case "join":
+            result = verbJoin(verb, namespace, statement);
+            break;
+        case "lower":
+            result = verbLower(verb, namespace, statement);
+            break;
+        case "upper":
+            result = verbUpper(verb, namespace, statement);
+            break;
+        case "in":
+            result = verbIn(verb, namespace, statement);
+            break;
+        case "not_in":
+            result = verbNotIn(verb, namespace, statement);
+            break;
+        case "compare":
+            result = verbCompare(verb, namespace, statement);
+            break;
+        case "regexp":
+            result = verbRegexp(verb, namespace, statement);
+            break;
+        case "regexp_replace":
+            result = verbRegexpReplace(verb, namespace, statement);
+            break;
+        case "exit":
+            result = verbExit(verb, namespace, statement);
+            break;
+        case "continue":
+            result = verbContinue(verb, namespace, statement);
+            break;
+        default:
+            throw new InvalidRuleException(String.format("unknown verb '%s'", verb));
+        }
+
+        return result;
+    }
+
+    private ProcessResult verbSet(String verb, Map<String, Object> namespace, List<Object> statement) {
+        Token variable = getVariable(verb, statement, 1, namespace);
+        Token parameter = getParameter(verb, statement, 2, namespace, null);
+
+        variable.set(parameter.getObjectValue());
+        this.success = true;
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug(String.format("%s verb='%s' success=%s variable: %s=%s",
+                    statementId(namespace), verb, this.success, variable, variable.get()));
+        }
+        return ProcessResult.STATEMENT_CONTINUE;
+    }
+
+    private ProcessResult verbLength(String verb, Map<String, Object> namespace,
+            List<Object> statement) {
+        Token variable = getVariable(verb, statement, 1, namespace);
+        Token parameter = getParameter(verb, statement, 2, namespace,
+                EnumSet.of(TokenType.ARRAY, TokenType.MAP, TokenType.STRING));
+        long length;
+
+        switch (parameter.type) {
+        case ARRAY: {
+            length = parameter.getListValue().size();
+        }
+            break;
+        case MAP: {
+            length = parameter.getMapValue().size();
+        }
+            break;
+        case STRING: {
+            length = parameter.getStringValue().length();
+        }
+            break;
+        default:
+            throw new IllegalStateException(String.format("unexpected token type: %s",
+                    parameter.type));
+        }
+
+        variable.set(length);
+        this.success = true;
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug(String.format("%s verb='%s' success=%s variable: %s=%s parameter=%s",
+                    statementId(namespace), verb, this.success, variable, variable.get(),
+                    parameter.getObjectValue()));
+        }
+        return ProcessResult.STATEMENT_CONTINUE;
+    }
+
+    private ProcessResult verbInterpolate(String verb, Map<String, Object> namespace,
+            List<Object> statement) {
+        Token variable = getVariable(verb, statement, 1, namespace);
+        String string = (String) getRawParameter(verb, statement, 2, EnumSet.of(TokenType.STRING));
+        String newValue = null;
+
+        try {
+            newValue = substituteVariables(string, namespace);
+        } catch (Exception e) {
+            throw new InvalidValueException(String.format(
+                    "verb '%s' failed, variable='%s' string='%s': %s", verb, variable, string, e));
+        }
+        variable.set(newValue);
+        this.success = true;
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug(String.format("%s verb='%s' success=%s variable: %s=%s string='%s'",
+                    statementId(namespace), verb, this.success, variable, variable.get(), string));
+        }
+
+        return ProcessResult.STATEMENT_CONTINUE;
+    }
+
+    private ProcessResult verbAppend(String verb, Map<String, Object> namespace,
+            List<Object> statement) {
+        Token variable = getToken(verb, statement, 1, namespace,
+                EnumSet.of(TokenStorageType.VARIABLE), EnumSet.of(TokenType.ARRAY));
+        Token item = getParameter(verb, statement, 2, namespace, null);
+
+        try {
+            List<Object> list = variable.getListValue();
+            list.add(item.getObjectValue());
+        } catch (Exception e) {
+            throw new InvalidValueException(String.format(
+                    "verb '%s' failed, variable='%s' item='%s': %s", verb,
+                    variable.getObjectValue(), item.getObjectValue(), e));
+        }
+        this.success = true;
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug(String.format("%s verb='%s' success=%s variable: %s=%s item=%s",
+                    statementId(namespace), verb, this.success, variable, variable.get(),
+                    item.getObjectValue()));
+        }
+
+        return ProcessResult.STATEMENT_CONTINUE;
+    }
+
+    private ProcessResult verbUnique(String verb, Map<String, Object> namespace,
+            List<Object> statement) {
+        Token variable = getVariable(verb, statement, 1, namespace);
+        Token array = getParameter(verb, statement, 2, namespace, EnumSet.of(TokenType.ARRAY));
+
+        List<Object> newValue = new ArrayList<Object>();
+        Set<Object> seen = new HashSet<Object>();
+
+        for (Object member : array.getListValue()) {
+            if (seen.contains(member)) {
+                continue;
+            } else {
+                newValue.add(member);
+                seen.add(member);
+            }
+        }
+
+        variable.set(newValue);
+        this.success = true;
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug(String.format("%s verb='%s' success=%s variable: %s=%s array=%s",
+                    statementId(namespace), verb, this.success, variable, variable.get(),
+                    array.getObjectValue()));
+        }
+
+        return ProcessResult.STATEMENT_CONTINUE;
+    }
+
+    private ProcessResult verbSplit(String verb, Map<String, Object> namespace,
+            List<Object> statement) {
+        Token variable = getVariable(verb, statement, 1, namespace);
+        Token string = getParameter(verb, statement, 2, namespace, EnumSet.of(TokenType.STRING));
+        Token pattern = getParameter(verb, statement, 3, namespace, EnumSet.of(TokenType.STRING));
+
+        Pattern regexp;
+        List<String> newValue;
+
+        try {
+            regexp = Pattern.compile(pattern.getStringValue());
+        } catch (Exception e) {
+            throw new InvalidValueException(String.format(
+                    "verb '%s' failed, bad regular expression pattern '%s', %s", verb,
+                    pattern.getObjectValue(), e));
+        }
+        try {
+            newValue = new ArrayList<String>(
+                    Arrays.asList(regexp.split((String) string.getStringValue())));
+        } catch (Exception e) {
+            throw new InvalidValueException(String.format(
+                    "verb '%s' failed, string='%s' pattern='%s', %s", verb,
+                    string.getObjectValue(), pattern.getObjectValue(), e));
+        }
+
+        variable.set(newValue);
+        this.success = true;
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug(String.format(
+                    "%s verb='%s' success=%s variable: %s=%s string='%s' pattern='%s'",
+                    statementId(namespace), verb, this.success, variable, variable.get(),
+                    string.getObjectValue(), pattern.getObjectValue()));
+        }
+
+        return ProcessResult.STATEMENT_CONTINUE;
+    }
+
+    private ProcessResult verbJoin(String verb, Map<String, Object> namespace,
+            List<Object> statement) {
+        Token variable = getVariable(verb, statement, 1, namespace);
+        Token array = getParameter(verb, statement, 2, namespace, EnumSet.of(TokenType.ARRAY));
+        Token conjunction = getParameter(verb, statement, 3, namespace,
+                EnumSet.of(TokenType.STRING));
+        String newValue;
+
+        try {
+            newValue = join(array.getListValue(), conjunction.getStringValue());
+        } catch (Exception e) {
+            throw new InvalidValueException(String.format(
+                    "verb '%s' failed, array=%s conjunction='%s', %s", verb,
+                    array.getObjectValue(), conjunction.getObjectValue(), e));
+        }
+
+        variable.set(newValue);
+        this.success = true;
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug(String.format(
+                    "%s verb='%s' success=%s variable: %s=%s array='%s' conjunction='%s'",
+                    statementId(namespace), verb, this.success, variable, variable.get(),
+                    array.getObjectValue(), conjunction.getObjectValue()));
+        }
+
+        return ProcessResult.STATEMENT_CONTINUE;
+    }
+
+    private ProcessResult verbLower(String verb, Map<String, Object> namespace,
+            List<Object> statement) {
+        Token variable = getVariable(verb, statement, 1, namespace);
+        Token parameter = getParameter(verb, statement, 2, namespace,
+                EnumSet.of(TokenType.STRING, TokenType.ARRAY, TokenType.MAP));
+
+        try {
+            switch (parameter.type) {
+            case STRING: {
+                String oldValue = parameter.getStringValue();
+                String newValue;
+                newValue = oldValue.toLowerCase();
+                variable.set(newValue);
+            }
+                break;
+            case ARRAY: {
+                List<Object> oldValue = parameter.getListValue();
+                List<Object> newValue = new ArrayList<Object>(oldValue.size());
+                String oldItem;
+                String newItem;
+
+                for (Object item : oldValue) {
+                    try {
+                        oldItem = (String) item;
+                    } catch (ClassCastException e) {
+                        throw new InvalidValueException(String.format(
+                                "verb '%s' failed, array item (%s) is not a string, array=%s",
+                                verb, item, parameter.getObjectValue(), e));
+                    }
+                    newItem = oldItem.toLowerCase();
+                    newValue.add(newItem);
+                }
+                variable.set(newValue);
+            }
+                break;
+            case MAP: {
+                Map<String, Object> oldValue = parameter.getMapValue();
+                Map<String, Object> newValue = new LinkedHashMap<String, Object>(oldValue.size());
+
+                for (Map.Entry<String, Object> entry : oldValue.entrySet()) {
+                    String oldKey;
+                    String newKey;
+                    Object value = entry.getValue();
+
+                    oldKey = entry.getKey();
+                    newKey = oldKey.toLowerCase();
+                    newValue.put(newKey, value);
+                }
+                variable.set(newValue);
+            }
+                break;
+            default:
+                throw new IllegalStateException(String.format("unexpected token type: %s",
+                        parameter.type));
+            }
+        } catch (Exception e) {
+            throw new InvalidValueException(String.format(
+                    "verb '%s' failed, variable='%s' parameter='%s': %s", verb, variable,
+                    parameter.getObjectValue(), e), e);
+        }
+        this.success = true;
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug(String.format("%s verb='%s' success=%s variable: %s=%s parameter=%s",
+                    statementId(namespace), verb, this.success, variable, variable.get(),
+                    parameter.getObjectValue()));
+        }
+        return ProcessResult.STATEMENT_CONTINUE;
+    }
+
+    private ProcessResult verbUpper(String verb, Map<String, Object> namespace,
+            List<Object> statement) {
+        Token variable = getVariable(verb, statement, 1, namespace);
+        Token parameter = getParameter(verb, statement, 2, namespace,
+                EnumSet.of(TokenType.STRING, TokenType.ARRAY, TokenType.MAP));
+
+        try {
+            switch (parameter.type) {
+            case STRING: {
+                String oldValue = parameter.getStringValue();
+                String newValue;
+                newValue = oldValue.toUpperCase();
+                variable.set(newValue);
+            }
+                break;
+            case ARRAY: {
+                List<Object> oldValue = parameter.getListValue();
+                List<Object> newValue = new ArrayList<Object>(oldValue.size());
+                String oldItem;
+                String newItem;
+
+                for (Object item : oldValue) {
+                    try {
+                        oldItem = (String) item;
+                    } catch (ClassCastException e) {
+                        throw new InvalidValueException(String.format(
+                                "verb '%s' failed, array item (%s) is not a string, array=%s",
+                                verb, item, parameter.getObjectValue(), e));
+                    }
+                    newItem = oldItem.toUpperCase();
+                    newValue.add(newItem);
+                }
+                variable.set(newValue);
+            }
+                break;
+            case MAP: {
+                Map<String, Object> oldValue = parameter.getMapValue();
+                Map<String, Object> newValue = new LinkedHashMap<String, Object>(oldValue.size());
+
+                for (Map.Entry<String, Object> entry : oldValue.entrySet()) {
+                    String oldKey;
+                    String newKey;
+                    Object value = entry.getValue();
+
+                    oldKey = entry.getKey();
+                    newKey = oldKey.toUpperCase();
+                    newValue.put(newKey, value);
+                }
+                variable.set(newValue);
+            }
+                break;
+            default:
+                throw new IllegalStateException(String.format("unexpected token type: %s",
+                        parameter.type));
+            }
+        } catch (Exception e) {
+            throw new InvalidValueException(String.format(
+                    "verb '%s' failed, variable='%s' parameter='%s': %s", verb, variable,
+                    parameter.getObjectValue(), e), e);
+        }
+        this.success = true;
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug(String.format("%s verb='%s' success=%s variable: %s=%s parameter=%s",
+                    statementId(namespace), verb, this.success, variable, variable.get(),
+                    parameter.getObjectValue()));
+        }
+        return ProcessResult.STATEMENT_CONTINUE;
+    }
+
+    private ProcessResult verbIn(String verb, Map<String, Object> namespace, List<Object> statement) {
+        Token member = getParameter(verb, statement, 1, namespace, null);
+        Token collection = getParameter(verb, statement, 2, namespace,
+                EnumSet.of(TokenType.ARRAY, TokenType.MAP, TokenType.STRING));
+
+        switch (collection.type) {
+        case ARRAY: {
+            this.success = collection.getListValue().contains(member.getObjectValue());
+        }
+            break;
+        case MAP: {
+            if (member.type != TokenType.STRING) {
+                throw new InvalidTypeException(String.format(
+                        "verb '%s' requires parameter #1 to be a %swhen parameter #2 is a %s",
+                        TokenType.STRING, collection.type));
+            }
+            this.success = collection.getMapValue().containsKey(member.getObjectValue());
+        }
+            break;
+        case STRING: {
+            if (member.type != TokenType.STRING) {
+                throw new InvalidTypeException(String.format(
+                        "verb '%s' requires parameter #1 to be a %swhen parameter #2 is a %s",
+                        TokenType.STRING, collection.type));
+            }
+            this.success = (collection.getStringValue()).contains(member.getStringValue());
+        }
+            break;
+        default:
+            throw new IllegalStateException(String.format("unexpected token type: %s",
+                    collection.type));
+        }
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug(String.format("%s verb='%s' success=%s member=%s collection=%s",
+                    statementId(namespace), verb, this.success, member.getObjectValue(),
+                    collection.getObjectValue()));
+        }
+        return ProcessResult.STATEMENT_CONTINUE;
+    }
+
+    private ProcessResult verbNotIn(String verb, Map<String, Object> namespace,
+            List<Object> statement) {
+        Token member = getParameter(verb, statement, 1, namespace, null);
+        Token collection = getParameter(verb, statement, 2, namespace,
+                EnumSet.of(TokenType.ARRAY, TokenType.MAP, TokenType.STRING));
+
+        switch (collection.type) {
+        case ARRAY: {
+            this.success = !collection.getListValue().contains(member.getObjectValue());
+        }
+            break;
+        case MAP: {
+            if (member.type != TokenType.STRING) {
+                throw new InvalidTypeException(String.format(
+                        "verb '%s' requires parameter #1 to be a %swhen parameter #2 is a %s",
+                        TokenType.STRING, collection.type));
+            }
+            this.success = !collection.getMapValue().containsKey(member.getObjectValue());
+        }
+            break;
+        case STRING: {
+            if (member.type != TokenType.STRING) {
+                throw new InvalidTypeException(String.format(
+                        "verb '%s' requires parameter #1 to be a %swhen parameter #2 is a %s",
+                        TokenType.STRING, collection.type));
+            }
+            this.success = !(collection.getStringValue()).contains(member.getStringValue());
+        }
+            break;
+        default:
+            throw new IllegalStateException(String.format("unexpected token type: %s",
+                    collection.type));
+        }
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug(String.format("%s verb='%s' success=%s member=%s collection=%s",
+                    statementId(namespace), verb, this.success, member.getObjectValue(),
+                    collection.getObjectValue()));
+        }
+
+        return ProcessResult.STATEMENT_CONTINUE;
+    }
+
+    private ProcessResult verbCompare(String verb, Map<String, Object> namespace,
+            List<Object> statement) {
+        Token left = getParameter(verb, statement, 1, namespace, null);
+        Token op = getParameter(verb, statement, 2, namespace, EnumSet.of(TokenType.STRING));
+        Token right = getParameter(verb, statement, 3, namespace, null);
+        String invalidOp = "operator %s not supported for type %s";
+        TokenType tokenType;
+        String opValue = op.getStringValue();
+        boolean result;
+
+        if (left.type != right.type) {
+            throw new InvalidTypeException(String.format(
+                    "verb '%s' both items must have the same type left is %s and right is %s",
+                    verb, left.type, right.type));
+        } else {
+            tokenType = left.type;
+        }
+
+        switch (opValue) {
+        case "==":
+        case "!=": {
+            switch (tokenType) {
+            case STRING: {
+                String leftValue = left.getStringValue();
+                String rightValue = right.getStringValue();
+                result = leftValue.equals(rightValue);
+            }
+                break;
+            case INTEGER: {
+                Long leftValue = left.getLongValue();
+                Long rightValue = right.getLongValue();
+                result = leftValue.equals(rightValue);
+            }
+                break;
+            case REAL: {
+                Double leftValue = left.getDoubleValue();
+                Double rightValue = right.getDoubleValue();
+                result = leftValue.equals(rightValue);
+            }
+                break;
+            case ARRAY: {
+                List<Object> leftValue = left.getListValue();
+                List<Object> rightValue = right.getListValue();
+                result = leftValue.equals(rightValue);
+            }
+                break;
+            case MAP: {
+                Map<String, Object> leftValue = left.getMapValue();
+                Map<String, Object> rightValue = right.getMapValue();
+                result = leftValue.equals(rightValue);
+            }
+                break;
+            case BOOLEAN: {
+                Boolean leftValue = left.getBooleanValue();
+                Boolean rightValue = right.getBooleanValue();
+                result = leftValue.equals(rightValue);
+            }
+                break;
+            case NULL: {
+                result = (left.getNullValue() == right.getNullValue());
+            }
+                break;
+            default: {
+                throw new IllegalStateException(String.format("unexpected token type: %s",
+                        tokenType));
+            }
+            }
+            if (opValue.equals("!=")) { // negate the sense of the test
+                result = !result;
+            }
+        }
+            break;
+        case "<":
+        case ">=": {
+            switch (tokenType) {
+            case STRING: {
+                String leftValue = left.getStringValue();
+                String rightValue = right.getStringValue();
+                result = leftValue.compareTo(rightValue) < 0;
+            }
+                break;
+            case INTEGER: {
+                Long leftValue = left.getLongValue();
+                Long rightValue = right.getLongValue();
+                result = leftValue < rightValue;
+            }
+                break;
+            case REAL: {
+                Double leftValue = left.getDoubleValue();
+                Double rightValue = right.getDoubleValue();
+                result = leftValue < rightValue;
+            }
+                break;
+            case ARRAY:
+            case MAP:
+            case BOOLEAN:
+            case NULL: {
+                throw new InvalidRuleException(String.format(invalidOp, opValue, tokenType));
+            }
+            default: {
+                throw new IllegalStateException(String.format("unexpected token type: %s",
+                        tokenType));
+            }
+            }
+            if (opValue.equals(">=")) { // negate the sense of the test
+                result = !result;
+            }
+        }
+            break;
+        case ">":
+        case "<=": {
+            switch (tokenType) {
+            case STRING: {
+                String leftValue = left.getStringValue();
+                String rightValue = right.getStringValue();
+                result = leftValue.compareTo(rightValue) > 0;
+            }
+                break;
+            case INTEGER: {
+                Long leftValue = left.getLongValue();
+                Long rightValue = right.getLongValue();
+                result = leftValue > rightValue;
+            }
+                break;
+            case REAL: {
+                Double leftValue = left.getDoubleValue();
+                Double rightValue = right.getDoubleValue();
+                result = leftValue > rightValue;
+            }
+                break;
+            case ARRAY:
+            case MAP:
+            case BOOLEAN:
+            case NULL: {
+                throw new InvalidRuleException(String.format(invalidOp, opValue, tokenType));
+            }
+            default: {
+                throw new IllegalStateException(String.format("unexpected token type: %s",
+                        tokenType));
+            }
+            }
+            if (opValue.equals("<=")) { // negate the sense of the test
+                result = !result;
+            }
+        }
+            break;
+        default: {
+            throw new InvalidRuleException(String.format(
+                    "verb '%s' has unknown comparison operator '%s'", verb, op.getObjectValue()));
+        }
+        }
+        this.success = result;
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug(String.format("%s verb='%s' success=%s left=%s op='%s' right=%s",
+                    statementId(namespace), verb, this.success, left.getObjectValue(),
+                    op.getObjectValue(), right.getObjectValue()));
+        }
+        return ProcessResult.STATEMENT_CONTINUE;
+    }
+
+    private ProcessResult verbRegexp(String verb, Map<String, Object> namespace,
+            List<Object> statement) {
+        Token string = getParameter(verb, statement, 1, namespace, EnumSet.of(TokenType.STRING));
+        Token pattern = getParameter(verb, statement, 2, namespace, EnumSet.of(TokenType.STRING));
+
+        Pattern regexp;
+        Matcher matcher;
+
+        try {
+            regexp = Pattern.compile(pattern.getStringValue());
+        } catch (Exception e) {
+            throw new InvalidValueException(String.format(
+                    "verb '%s' failed, bad regular expression pattern '%s', %s", verb,
+                    pattern.getObjectValue(), e));
+        }
+        matcher = regexp.matcher(string.getStringValue());
+
+        if (matcher.find()) {
+            this.success = true;
+            namespace.put(REGEXP_ARRAY_VARIABLE, regexpGroupList(matcher));
+            namespace.put(REGEXP_MAP_VARIABLE, regexpGroupMap(pattern.getStringValue(), matcher));
+        } else {
+            this.success = false;
+            namespace.put(REGEXP_ARRAY_VARIABLE, new ArrayList<Object>());
+            namespace.put(REGEXP_MAP_VARIABLE, new HashMap<String, Object>());
+        }
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug(String.format(
+                    "%s verb='%s' success=%s string='%s' pattern='%s' %s=%s %s=%s",
+                    statementId(namespace), verb, this.success, string.getObjectValue(),
+                    pattern.getObjectValue(), REGEXP_ARRAY_VARIABLE,
+                    namespace.get(REGEXP_ARRAY_VARIABLE), REGEXP_MAP_VARIABLE,
+                    namespace.get(REGEXP_MAP_VARIABLE)));
+        }
+
+        return ProcessResult.STATEMENT_CONTINUE;
+    }
+
+    private ProcessResult verbRegexpReplace(String verb, Map<String, Object> namespace,
+            List<Object> statement) {
+        Token variable = getVariable(verb, statement, 1, namespace);
+        Token string = getParameter(verb, statement, 2, namespace, EnumSet.of(TokenType.STRING));
+        Token pattern = getParameter(verb, statement, 3, namespace, EnumSet.of(TokenType.STRING));
+        Token replacement = getParameter(verb, statement, 4, namespace,
+                EnumSet.of(TokenType.STRING));
+
+        Pattern regexp;
+        Matcher matcher;
+        String newValue;
+
+        try {
+            regexp = Pattern.compile(pattern.getStringValue());
+        } catch (Exception e) {
+            throw new InvalidValueException(String.format(
+                    "verb '%s' failed, bad regular expression pattern '%s', %s", verb,
+                    pattern.getObjectValue(), e));
+        }
+        matcher = regexp.matcher(string.getStringValue());
+
+        newValue = matcher.replaceAll(replacement.getStringValue());
+        variable.set(newValue);
+        this.success = true;
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug(String.format(
+                    "%s verb='%s' success=%s variable: %s=%s string='%s' pattern='%s' replacement='%s'",
+                    statementId(namespace), verb, this.success, variable, variable.get(),
+                    string.getObjectValue(), pattern.getObjectValue(), replacement.getObjectValue()));
+        }
+
+        return ProcessResult.STATEMENT_CONTINUE;
+    }
+
+    private ProcessResult verbExit(String verb, Map<String, Object> namespace,
+            List<Object> statement) {
+        ProcessResult statementResult = ProcessResult.STATEMENT_CONTINUE;
+
+        Token exitStatusParam = getParameter(verb, statement, 1, namespace,
+                EnumSet.of(TokenType.STRING));
+        Token criteriaParam = getParameter(verb, statement, 2, namespace,
+                EnumSet.of(TokenType.STRING));
+        String exitStatus = (exitStatusParam.getStringValue()).toLowerCase();
+        String criteria = (criteriaParam.getStringValue()).toLowerCase();
+        ProcessResult result;
+        boolean doExit;
+
+        if (exitStatus.equals("rule_succeeds")) {
+            result = ProcessResult.RULE_SUCCESS;
+        } else if (exitStatus.equals("rule_fails")) {
+            result = ProcessResult.RULE_FAIL;
+        } else {
+            throw new InvalidRuleException(String.format("verb='%s' unknown exit status '%s'",
+                    verb, exitStatus));
+        }
+
+        if (criteria.equals("if_success")) {
+            if (this.success) {
+                doExit = true;
+            } else {
+                doExit = false;
+            }
+        } else if (criteria.equals("if_not_success")) {
+            if (!this.success) {
+                doExit = true;
+            } else {
+                doExit = false;
+            }
+        } else if (criteria.equals("always")) {
+            doExit = true;
+        } else if (criteria.equals("never")) {
+            doExit = false;
+        } else {
+            throw new InvalidRuleException(String.format("verb='%s' unknown exit criteria '%s'",
+                    verb, criteria));
+        }
+
+        if (doExit) {
+            statementResult = result;
+        }
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug(String.format(
+                    "%s verb='%s' success=%s status=%s criteria=%s exiting=%s result=%s",
+                    statementId(namespace), verb, this.success, exitStatus, criteria, doExit,
+                    statementResult));
+        }
+
+        return statementResult;
+    }
+
+    private ProcessResult verbContinue(String verb, Map<String, Object> namespace,
+            List<Object> statement) {
+        ProcessResult statementResult = ProcessResult.STATEMENT_CONTINUE;
+        Token criteriaParam = getParameter(verb, statement, 1, namespace,
+                EnumSet.of(TokenType.STRING));
+        String criteria = (criteriaParam.getStringValue()).toLowerCase();
+        boolean doContinue;
+
+        if (criteria.equals("if_success")) {
+            if (this.success) {
+                doContinue = true;
+            } else {
+                doContinue = false;
+            }
+        } else if (criteria.equals("if_not_success")) {
+            if (!this.success) {
+                doContinue = true;
+            } else {
+                doContinue = false;
+            }
+        } else if (criteria.equals("always")) {
+            doContinue = true;
+        } else if (criteria.equals("never")) {
+            doContinue = false;
+        } else {
+            throw new InvalidRuleException(String.format(
+                    "verb='%s' unknown continue criteria '%s'", verb, criteria));
+        }
+
+        if (doContinue) {
+            statementResult = ProcessResult.BLOCK_CONTINUE;
+        }
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug(String.format(
+                    "%s verb='%s' success=%s criteria=%s continuing=%s result=%s",
+                    statementId(namespace), verb, this.success, criteria, doContinue,
+                    statementResult));
+        }
+
+        return statementResult;
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/StatementErrorException.java b/odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/StatementErrorException.java
new file mode 100644
index 00000000..6abab3ee
--- /dev/null
+++ b/odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/StatementErrorException.java
@@ -0,0 +1,35 @@
+/*
+ * Copyright (c) 2014 Red Hat, Inc.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.idpmapping;
+
+/**
+ * Exception thrown when a mapping rule statement fails.
+ *
+ * @author John Dennis &lt;jdennis@redhat.com&gt;
+ */
+
+public class StatementErrorException extends RuntimeException {
+
+    private static final long serialVersionUID = 8312665727576018327L;
+
+    public StatementErrorException() {
+    }
+
+    public StatementErrorException(String message) {
+        super(message);
+    }
+
+    public StatementErrorException(Throwable cause) {
+        super(cause);
+    }
+
+    public StatementErrorException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}
diff --git a/odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/Token.java b/odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/Token.java
new file mode 100644
index 00000000..402fb064
--- /dev/null
+++ b/odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/Token.java
@@ -0,0 +1,401 @@
+/*
+ * Copyright (c) 2014 Red Hat, Inc.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.idpmapping;
+
+import java.util.List;
+import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+enum TokenStorageType {
+    UNKNOWN, CONSTANT, VARIABLE
+}
+
+enum TokenType {
+    STRING, // java String
+    ARRAY, // java List
+    MAP, // java Map
+    INTEGER, // java Long
+    BOOLEAN, // java Boolean
+    NULL, // java null
+    REAL, // java Double
+    UNKNOWN, // undefined
+}
+
+/**
+ * Rule statements can contain variables or constants, this class encapsulates
+ * those values, enforces type handling and supports reading and writing of
+ * those values.
+ *
+ * Technically at the syntactic level these are not tokens. A token would have
+ * finer granularity such as identifier, operator, etc. I just couldn't think of
+ * a better name for how they're used here and thought token was a reasonable
+ * compromise as a name.
+ *
+ * @author John Dennis <jdennis@redhat.com>
+ */
+
+class Token {
+
+    /*
+     * Regexp to identify a variable beginning with $ Supports array notation,
+     * e.g. $foo[bar] Optional delimiting braces may be used to separate
+     * variable from surrounding text.
+     *
+     * Examples: $foo ${foo} $foo[bar] ${foo[bar] where foo is the variable name
+     * and bar is the array index.
+     *
+     * Identifer is any alphabetic followed by alphanumeric or underscore
+     */
+    private static final String VARIABLE_PAT = "(?<!\\\\)\\$" + // non-escaped $
+                                                                // sign
+            "\\{?" + // optional delimiting brace
+            "([a-zA-Z][a-zA-Z0-9_]*)" + // group 1: variable name
+            "(\\[" + // group 2: optional index
+            "([a-zA-Z0-9_]+)" + // group 3: array index
+            "\\])?" + // end optional index
+            "\\}?"; // optional delimiting brace
+    public static final Pattern VARIABLE_RE = Pattern.compile(VARIABLE_PAT);
+    /*
+     * Requires only a variable to be present in the string but permits leading
+     * and trailing whitespace.
+     */
+    private static final String VARIABLE_ONLY_PAT = "^\\s*" + VARIABLE_PAT + "\\s*$";
+    public static final Pattern VARIABLE_ONLY_RE = Pattern.compile(VARIABLE_ONLY_PAT);
+
+    private Object value = null;
+
+    public Map<String, Object> namespace = null;
+    public TokenStorageType storageType = TokenStorageType.UNKNOWN;
+    public TokenType type = TokenType.UNKNOWN;
+    public String name = null;
+    public String index = null;
+
+    Token(Object input, Map<String, Object> namespace) {
+        this.namespace = namespace;
+        if (input instanceof String) {
+            parseVariable((String) input);
+            if (this.storageType == TokenStorageType.CONSTANT) {
+                this.value = input;
+                this.type = classify(input);
+            }
+        } else {
+            this.storageType = TokenStorageType.CONSTANT;
+            this.value = input;
+            this.type = classify(input);
+        }
+    }
+
+    @Override
+    public String toString() {
+        if (this.storageType == TokenStorageType.CONSTANT) {
+            return String.format("%s", this.value);
+        } else if (this.storageType == TokenStorageType.VARIABLE) {
+            if (this.index == null) {
+                return String.format("$%s", this.name);
+            } else {
+                return String.format("$%s[%s]", this.name, this.index);
+            }
+        } else {
+            return "UNKNOWN";
+        }
+    }
+
+    void parseVariable(String string) {
+        Matcher matcher = VARIABLE_ONLY_RE.matcher(string);
+        if (matcher.find()) {
+            String name = matcher.group(1);
+            String index = matcher.group(3);
+
+            this.storageType = TokenStorageType.VARIABLE;
+            this.name = name;
+            this.index = index;
+        } else {
+            this.storageType = TokenStorageType.CONSTANT;
+        }
+    }
+
+    public static TokenType classify(Object value) {
+        TokenType tokenType = TokenType.UNKNOWN;
+        // ordered by expected occurrence
+        if (value instanceof String) {
+            tokenType = TokenType.STRING;
+        } else if (value instanceof List) {
+            tokenType = TokenType.ARRAY;
+        } else if (value instanceof Map) {
+            tokenType = TokenType.MAP;
+        } else if (value instanceof Long) {
+            tokenType = TokenType.INTEGER;
+        } else if (value instanceof Boolean) {
+            tokenType = TokenType.BOOLEAN;
+        } else if (value == null) {
+            tokenType = TokenType.NULL;
+        } else if (value instanceof Double) {
+            tokenType = TokenType.REAL;
+        } else {
+            throw new InvalidRuleException(String.format(
+                    "Type must be String, Long, Double, Boolean, List, Map, or null, not %s",
+                    value.getClass().getSimpleName(), value));
+        }
+        return tokenType;
+    }
+
+    Object get() {
+        return get(null);
+    }
+
+    Object get(Object index) {
+        Object base = null;
+
+        if (this.storageType == TokenStorageType.CONSTANT) {
+            return this.value;
+        }
+
+        if (this.namespace.containsKey(this.name)) {
+            base = this.namespace.get(this.name);
+        } else {
+            throw new UndefinedValueException(String.format("variable '%s' not defined", this.name));
+        }
+
+        if (index == null) {
+            index = this.index;
+        }
+
+        if (index == null) { // scalar types
+            value = base;
+        } else {
+            if (base instanceof List) {
+                @SuppressWarnings("unchecked")
+                List<Object> list = (List<Object>) base;
+                Integer idx = null;
+
+                if (index instanceof Long) {
+                    idx = new Integer(((Long) index).intValue());
+                } else if (index instanceof String) {
+                    try {
+                        idx = new Integer((String) index);
+                    } catch (NumberFormatException e) {
+                        throw new InvalidTypeException(
+                                String.format(
+                                        "variable '%s' is an array indexed by '%s', however the index cannot be converted to an integer",
+                                        this.name, index, e));
+                    }
+                } else {
+                    throw new InvalidTypeException(
+                            String.format(
+                                    "variable '%s' is an array indexed by '%s', however the index must be an integer or string not %s",
+                                    this.name, index, index.getClass().getSimpleName()));
+                }
+
+                try {
+                    value = list.get(idx);
+                } catch (IndexOutOfBoundsException e) {
+                    throw new UndefinedValueException(
+                            String.format(
+                                    "variable '%s' is an array of size %d indexed by '%s', however the index is out of bounds",
+                                    this.name, list.size(), idx, e));
+                }
+            } else if (base instanceof Map) {
+                @SuppressWarnings("unchecked")
+                Map<String, Object> map = (Map<String, Object>) base;
+                String idx = null;
+                if (index instanceof String) {
+                    idx = (String) index;
+                } else {
+                    throw new InvalidTypeException(
+                            String.format(
+                                    "variable '%s' is a map indexed by '%s', however the index must be a string not %s",
+                                    this.name, index, index.getClass().getSimpleName()));
+                }
+                if (!map.containsKey(idx)) {
+                    throw new UndefinedValueException(
+                            String.format(
+                                    "variable '%s' is a map indexed by '%s', however the index does not exist",
+                                    this.name, index));
+                }
+                value = map.get(idx);
+            } else {
+                throw new InvalidTypeException(
+                        String.format(
+                                "variable '%s' is indexed by '%s', variable must be an array or map, not %s",
+                                this.name, index, base.getClass().getSimpleName()));
+
+            }
+        }
+        this.type = classify(value);
+        return value;
+    }
+
+    void set(Object value) {
+        set(value, null);
+    }
+
+    void set(Object value, Object index) {
+
+        if (this.storageType == TokenStorageType.CONSTANT) {
+            throw new InvalidTypeException("cannot assign to a constant");
+        }
+
+        if (index == null) {
+            index = this.index;
+        }
+
+        if (index == null) { // scalar types
+            this.namespace.put(this.name, value);
+        } else {
+            Object base = null;
+
+            if (this.namespace.containsKey(this.name)) {
+                base = this.namespace.get(this.name);
+            } else {
+                throw new UndefinedValueException(String.format("variable '%s' not defined",
+                        this.name));
+            }
+
+            if (base instanceof List) {
+                @SuppressWarnings("unchecked")
+                List<Object> list = (List<Object>) base;
+                Integer idx = null;
+
+                if (index instanceof Long) {
+                    idx = new Integer(((Long) index).intValue());
+                } else if (index instanceof String) {
+                    try {
+                        idx = new Integer((String) index);
+                    } catch (NumberFormatException e) {
+                        throw new InvalidTypeException(
+                                String.format(
+                                        "variable '%s' is an array indexed by '%s', however the index cannot be converted to an integer",
+                                        this.name, index, e));
+                    }
+                } else {
+                    throw new InvalidTypeException(
+                            String.format(
+                                    "variable '%s' is an array indexed by '%s', however the index must be an integer or string not %s",
+                                    this.name, index, index.getClass().getSimpleName()));
+                }
+
+                try {
+                    value = list.set(idx, value);
+                } catch (IndexOutOfBoundsException e) {
+                    throw new UndefinedValueException(
+                            String.format(
+                                    "variable '%s' is an array of size %d indexed by '%s', however the index is out of bounds",
+                                    this.name, list.size(), idx, e));
+                }
+            } else if (base instanceof Map) {
+                @SuppressWarnings("unchecked")
+                Map<String, Object> map = (Map<String, Object>) base;
+                String idx = null;
+                if (index instanceof String) {
+                    idx = (String) index;
+                } else {
+                    throw new InvalidTypeException(
+                            String.format(
+                                    "variable '%s' is a map indexed by '%s', however the index must be a string not %s",
+                                    this.name, index, index.getClass().getSimpleName()));
+                }
+                if (!map.containsKey(idx)) {
+                    throw new UndefinedValueException(
+                            String.format(
+                                    "variable '%s' is a map indexed by '%s', however the index does not exist",
+                                    this.name, index));
+                }
+                value = map.put(idx, value);
+            } else {
+                throw new InvalidTypeException(
+                        String.format(
+                                "variable '%s' is indexed by '%s', variable must be an array or map, not %s",
+                                this.name, index, base.getClass().getSimpleName()));
+
+            }
+        }
+    }
+
+    public Object load() {
+        this.value = get();
+        return this.value;
+    }
+
+    public Object load(Object index) {
+        this.value = get(index);
+        return this.value;
+    }
+
+    public String getStringValue() {
+        if (this.type == TokenType.STRING) {
+            return (String) this.value;
+        } else {
+            throw new InvalidTypeException(String.format("expected %s value but token type is %s",
+                    TokenType.STRING, this.type));
+        }
+    }
+
+    public List<Object> getListValue() {
+        if (this.type == TokenType.ARRAY) {
+            @SuppressWarnings("unchecked")
+            List<Object> list = (List<Object>) this.value;
+            return list;
+        } else {
+            throw new InvalidTypeException(String.format("expected %s value but token type is %s",
+                    TokenType.ARRAY, this.type));
+        }
+    }
+
+    public Map<String, Object> getMapValue() {
+        if (this.type == TokenType.MAP) {
+            @SuppressWarnings("unchecked")
+            Map<String, Object> map = (Map<String, Object>) this.value;
+            return map;
+        } else {
+            throw new InvalidTypeException(String.format("expected %s value but token type is %s",
+                    TokenType.MAP, this.type));
+        }
+    }
+
+    public Long getLongValue() {
+        if (this.type == TokenType.INTEGER) {
+            return (Long) this.value;
+        } else {
+            throw new InvalidTypeException(String.format("expected %s value but token type is %s",
+                    TokenType.INTEGER, this.type));
+        }
+    }
+
+    public Boolean getBooleanValue() {
+        if (this.type == TokenType.BOOLEAN) {
+            return (Boolean) this.value;
+        } else {
+            throw new InvalidTypeException(String.format("expected %s value but token type is %s",
+                    TokenType.BOOLEAN, this.type));
+        }
+    }
+
+    public Double getDoubleValue() {
+        if (this.type == TokenType.REAL) {
+            return (Double) this.value;
+        } else {
+            throw new InvalidTypeException(String.format("expected %s value but token type is %s",
+                    TokenType.REAL, this.type));
+        }
+    }
+
+    public Object getNullValue() {
+        if (this.type == TokenType.NULL) {
+            return this.value;
+        } else {
+            throw new InvalidTypeException(String.format("expected %s value but token type is %s",
+                    TokenType.NULL, this.type));
+        }
+    }
+
+    public Object getObjectValue() {
+        return this.value;
+    }
+}
diff --git a/odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/UndefinedValueException.java b/odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/UndefinedValueException.java
new file mode 100644
index 00000000..7200da3d
--- /dev/null
+++ b/odl-aaa-moon/aaa-idp-mapping/src/main/java/org/opendaylight/aaa/idpmapping/UndefinedValueException.java
@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2014 Red Hat, Inc.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+package org.opendaylight.aaa.idpmapping;
+
+/**
+ * Exception thrown when a statement references an undefined value.
+ *
+ * @author John Dennis &lt;jdennis@redhat.com&gt;
+ */
+
+public class UndefinedValueException extends RuntimeException {
+
+    private static final long serialVersionUID = -1607453931670834435L;
+
+    public UndefinedValueException() {
+    }
+
+    public UndefinedValueException(String message) {
+        super(message);
+    }
+
+    public UndefinedValueException(Throwable cause) {
+        super(cause);
+    }
+
+    public UndefinedValueException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}
diff --git a/odl-aaa-moon/aaa-idp-mapping/src/test/java/org/opendaylight/aaa/idpmapping/RuleProcessorTest.java b/odl-aaa-moon/aaa-idp-mapping/src/test/java/org/opendaylight/aaa/idpmapping/RuleProcessorTest.java
new file mode 100644
index 00000000..84d403f9
--- /dev/null
+++ b/odl-aaa-moon/aaa-idp-mapping/src/test/java/org/opendaylight/aaa/idpmapping/RuleProcessorTest.java
@@ -0,0 +1,130 @@
+/*
+ * Copyright (c) 2016 Red Hat, Inc.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.idpmapping;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.Matchers.any;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.powermock.api.mockito.PowerMockito;
+import org.powermock.api.support.membermodification.MemberMatcher;
+import org.powermock.api.support.membermodification.MemberModifier;
+import org.powermock.core.classloader.annotations.PrepareForTest;
+import org.powermock.modules.junit4.PowerMockRunner;
+import org.powermock.reflect.Whitebox;
+
+@PrepareForTest(RuleProcessor.class)
+@RunWith(PowerMockRunner.class)
+public class RuleProcessorTest {
+
+    @Mock
+    private RuleProcessor ruleProcess;
+
+    @Before
+    public void setUp() {
+        ruleProcess = PowerMockito.mock(RuleProcessor.class, Mockito.CALLS_REAL_METHODS);
+    }
+
+    @Test
+    public void testJoin() {
+        List<Object> list = new ArrayList<Object>();
+        list.add("str1");
+        list.add("str2");
+        list.add("str3");
+        assertEquals("str1/str2/str3", RuleProcessor.join(list, "/"));
+    }
+
+    @Test
+    public void testSubstituteVariables() {
+        Map<String, Object> namespace = new HashMap<String, Object>() {
+            {
+                put("foo1", new HashMap<String, String>() {
+                    {
+                        put("0", "1");
+                    }
+                });
+            }
+        };
+        String str = "foo1[0]";
+        String subVariable = ruleProcess.substituteVariables(str, namespace);
+        assertNotNull(subVariable);
+        assertEquals(subVariable, str);
+    }
+
+    @Test
+    public void testGetMapping() {
+        Map<String, Object> namespace = new HashMap<String, Object>() {
+            {
+                put("foo1", new HashMap<String, String>() {
+                    {
+                        put("0", "1");
+                    }
+                });
+            }
+        };
+        final Map<String, Object> item = new HashMap<String, Object>() {
+            {
+                put("str", "val");
+            }
+        };
+        Map<String, Object> rules = new HashMap<String, Object>() {
+            {
+                put("mapping", item);
+                put("mapping_name", "mapping");
+            }
+        };
+        Map<String, Object> mapping = ruleProcess.getMapping(namespace, rules);
+        assertNotNull(mapping);
+        assertTrue(mapping.containsKey("str"));
+        assertEquals("val", mapping.get("str"));
+    }
+
+    @Test
+    public void testProcess() throws Exception {
+        String json = " {\"rules\":[" + "{\"Name\":\"user\", \"Id\":1},"
+                + "{\"Name\":\"Admin\", \"Id\":2}]} ";
+        Map<String, Object> mapping = new HashMap<String, Object>() {
+            {
+                put("Name", "Admin");
+            }
+        };
+        List<Map<String, Object>> internalRules = new ArrayList<Map<String, Object>>();
+        Map<String, Object> internalRule = new HashMap<String, Object>() {
+            {
+                put("Name", "Admin");
+                put("statement_blocks", "user");
+            }
+        };
+        internalRules.add(internalRule);
+        MemberModifier.field(RuleProcessor.class, "rules").set(ruleProcess, internalRules);
+        PowerMockito.suppress(MemberMatcher.method(RuleProcessor.class, "processRule", Map.class,
+                Map.class));
+        PowerMockito.when(ruleProcess, "processRule", any(Map.class), any(Map.class)).thenReturn(
+                ProcessResult.RULE_SUCCESS);
+        PowerMockito.suppress(MemberMatcher.method(RuleProcessor.class, "getMapping", Map.class,
+                Map.class));
+        when(ruleProcess.getMapping(any(Map.class), any(Map.class))).thenReturn(mapping);
+        Whitebox.invokeMethod(ruleProcess, "process", json);
+        verify(ruleProcess, times(3)).getMapping(any(Map.class), any(Map.class));
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-idp-mapping/src/test/java/org/opendaylight/aaa/idpmapping/TokenTest.java b/odl-aaa-moon/aaa-idp-mapping/src/test/java/org/opendaylight/aaa/idpmapping/TokenTest.java
new file mode 100644
index 00000000..d6181051
--- /dev/null
+++ b/odl-aaa-moon/aaa-idp-mapping/src/test/java/org/opendaylight/aaa/idpmapping/TokenTest.java
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 2016 Red Hat, Inc.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.idpmapping;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.Map;
+import org.junit.Test;
+
+public class TokenTest {
+
+    private final Map<String, Object> namespace = new HashMap<String, Object>() {
+        {
+            put("foo1", new HashMap<String, String>() {
+                {
+                    put("0", "1");
+                }
+            });
+        }
+    };
+    private Object input = "$foo1[0]";
+    private Token token = new Token(input, namespace);
+    private Token mapToken = new Token(namespace, namespace);
+
+    @Test
+    public void testToken() {
+        assertEquals(token.toString(), input);
+        assertTrue(token.storageType == TokenStorageType.VARIABLE);
+        assertEquals(mapToken.toString(), "{foo1={0=1}}");
+        assertTrue(mapToken.storageType == TokenStorageType.CONSTANT);
+    }
+
+    @Test
+    public void testClassify() {
+        assertEquals(Token.classify(new ArrayList<>()), TokenType.ARRAY);
+        assertEquals(Token.classify(true), TokenType.BOOLEAN);
+        assertEquals(Token.classify(new Long(365)), TokenType.INTEGER);
+        assertEquals(Token.classify(new HashMap<String, Object>()), TokenType.MAP);
+        assertEquals(Token.classify(null), TokenType.NULL);
+        assertEquals(Token.classify(365.00), TokenType.REAL);
+        assertEquals(Token.classify("foo_str"), TokenType.STRING);
+    }
+
+    @Test
+    public void testGet() {
+        assertNotNull(token.get());
+        assertTrue(token.get("0") == "1");
+        assertNotNull(mapToken.get());
+        assertTrue(mapToken.get(0) == namespace);
+    }
+
+    @Test
+    public void testGetMapValue() {
+        assertTrue(mapToken.getMapValue() == namespace);
+    }
+}
diff --git a/odl-aaa-moon/aaa-shiro-act/pom.xml b/odl-aaa-moon/aaa-shiro-act/pom.xml
new file mode 100644
index 00000000..d8507c6d
--- /dev/null
+++ b/odl-aaa-moon/aaa-shiro-act/pom.xml
@@ -0,0 +1,84 @@
+<!-- Copyright (c) 2015 Brocade Communications Systems, Inc. and others.
+  All rights reserved. This program and the accompanying materials are made
+  available under the terms of the Eclipse Public License v1.0 which accompanies
+  this distribution, and is available at http://www.eclipse.org/legal/epl-v10.html -->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>org.opendaylight.aaa</groupId>
+    <artifactId>aaa-parent</artifactId>
+    <version>0.3.1-Beryllium-SR1</version>
+    <relativePath>../parent</relativePath>
+  </parent>
+
+  <artifactId>aaa-shiro-act</artifactId>
+  <packaging>bundle</packaging>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.opendaylight.aaa</groupId>
+      <artifactId>aaa-shiro</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.felix</groupId>
+      <artifactId>org.apache.felix.dependencymanager</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>slf4j-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>commons-beanutils</groupId>
+      <artifactId>commons-beanutils</artifactId>
+      <version>1.8.3</version>
+    </dependency>
+
+    <!-- Testing Dependencies -->
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.mockito</groupId>
+      <artifactId>mockito-all</artifactId>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+  <build>
+    <pluginManagement>
+      <plugins>
+        <plugin>
+          <groupId>org.apache.felix</groupId>
+          <artifactId>maven-bundle-plugin</artifactId>
+          <version>${bundle.plugin.version}</version>
+          <extensions>true</extensions>
+          <configuration>
+            <instructions>
+              <Bundle-Name>${project.groupId}.${project.artifactId}</Bundle-Name>
+            </instructions>
+            <manifestLocation>${project.basedir}/META-INF</manifestLocation>
+          </configuration>
+        </plugin>
+      </plugins>
+    </pluginManagement>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.felix</groupId>
+        <artifactId>maven-bundle-plugin</artifactId>
+        <extensions>true</extensions>
+        <configuration>
+          <instructions>
+            <Bundle-Activator>org.opendaylight.aaa.shiroact.Activator</Bundle-Activator>
+          </instructions>
+        </configuration>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-jar-plugin</artifactId>
+      </plugin>
+    </plugins>
+  </build>
+</project>
diff --git a/odl-aaa-moon/aaa-shiro-act/src/main/java/org/opendaylight/aaa/shiroact/Activator.java b/odl-aaa-moon/aaa-shiro-act/src/main/java/org/opendaylight/aaa/shiroact/Activator.java
new file mode 100644
index 00000000..0012a0bd
--- /dev/null
+++ b/odl-aaa-moon/aaa-shiro-act/src/main/java/org/opendaylight/aaa/shiroact/Activator.java
@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 2015 Brocade Communications Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.shiroact;
+
+import org.apache.felix.dm.DependencyActivatorBase;
+import org.apache.felix.dm.DependencyManager;
+import org.opendaylight.aaa.shiro.ServiceProxy;
+import org.osgi.framework.BundleContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Responsible for activating the aaa-shiro-act bundle. This bundle is primarily
+ * responsible for enabling AuthN and AuthZ. If this bundle is not installed,
+ * then AuthN and AuthZ will not take effect.
+ *
+ * To ensure that the AAA is enabled for your feature, make sure to include the
+ * <code>odl-aaa-shiro</code> feature in your feature definition.
+ *
+ * Offers contextual <code>DEBUG</code> level clues concerning the activation of
+ * the <code>aaa-shiro-act</code> bundle. To enable the enhanced debugging issue
+ * the following line in the karaf shell:
+ * <code>log:set debug org.opendaylight.aaa.shiroact.Activator</code>
+ *
+ * @author Ryan Goulding (ryandgoulding@gmail.com)
+ */
+public class Activator extends DependencyActivatorBase {
+
+    private static final Logger LOG = LoggerFactory.getLogger(Activator.class);
+
+    @Override
+    public void destroy(BundleContext bc, DependencyManager dm)
+            throws Exception {
+        final String DEBUG_MESSAGE = "Destroying the aaa-shiro-act bundle";
+        LOG.debug(DEBUG_MESSAGE);
+    }
+
+    @Override
+    public void init(BundleContext bc, DependencyManager dm) throws Exception {
+        final String DEBUG_MESSAGE = "Initializing the aaa-shiro-act bundle";
+        LOG.debug(DEBUG_MESSAGE);
+        ServiceProxy.getInstance().setEnabled(true);
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-shiro-act/src/test/java/org/opendaylight/aaa/shiroact/ActivatorTest.java b/odl-aaa-moon/aaa-shiro-act/src/test/java/org/opendaylight/aaa/shiroact/ActivatorTest.java
new file mode 100644
index 00000000..23eef9db
--- /dev/null
+++ b/odl-aaa-moon/aaa-shiro-act/src/test/java/org/opendaylight/aaa/shiroact/ActivatorTest.java
@@ -0,0 +1,25 @@
+/*
+ * Copyright (c) 2016 Brocade Communications Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.shiroact;
+
+import static org.junit.Assert.*;
+
+import org.junit.Test;
+import org.opendaylight.aaa.shiro.ServiceProxy;
+
+public class ActivatorTest {
+
+    @Test
+    public void testActivatorEnablesServiceProxy() throws Exception {
+        // should toggle the ServiceProxy enable status to true
+        new Activator().init(null, null);;
+        assertTrue(ServiceProxy.getInstance().getEnabled(null));
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-shiro/pom.xml b/odl-aaa-moon/aaa-shiro/pom.xml
new file mode 100644
index 00000000..2f848215
--- /dev/null
+++ b/odl-aaa-moon/aaa-shiro/pom.xml
@@ -0,0 +1,156 @@
+<!-- Copyright (c) 2015 Brocade Communications Systems, Inc. and others.
+  All rights reserved. This program and the accompanying materials are made
+  available under the terms of the Eclipse Public License v1.0 which accompanies
+  this distribution, and is available at http://www.eclipse.org/legal/epl-v10.html -->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>org.opendaylight.aaa</groupId>
+    <artifactId>aaa-parent</artifactId>
+    <version>0.3.1-Beryllium-SR1</version>
+    <relativePath>../parent</relativePath>
+  </parent>
+
+  <artifactId>aaa-shiro</artifactId>
+  <packaging>bundle</packaging>
+
+  <dependencies>
+     <!-- moon add -->
+     <dependency>
+       <groupId>com.sun.jersey</groupId>
+       <artifactId>jersey-client</artifactId>
+       <scope>provided</scope>
+     </dependency>
+     <dependency>
+       <groupId>org.json</groupId>
+       <artifactId>json</artifactId>
+       <version>20140107</version>
+    </dependency>
+    <!-- OAuth2 dependencies for moon -->
+    <dependency>
+        <groupId>org.apache.oltu.oauth2</groupId>
+        <artifactId>org.apache.oltu.oauth2.authzserver</artifactId>
+        <scope>provided</scope>
+    </dependency>
+    <dependency>
+        <groupId>org.apache.oltu.oauth2</groupId>
+        <artifactId>org.apache.oltu.oauth2.common</artifactId>
+        <scope>provided</scope>
+    </dependency>
+    <dependency>
+        <groupId>org.apache.oltu.oauth2</groupId>
+        <artifactId>org.apache.oltu.oauth2.resourceserver</artifactId>
+        <scope>provided</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.felix</groupId>
+      <artifactId>org.apache.felix.dependencymanager</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.opendaylight.aaa</groupId>
+      <artifactId>aaa-authn-sts</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.opendaylight.aaa</groupId>
+      <artifactId>aaa-authn-basic</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.shiro</groupId>
+      <artifactId>shiro-core</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.shiro</groupId>
+      <artifactId>shiro-web</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>slf4j-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>commons-beanutils</groupId>
+      <artifactId>commons-beanutils</artifactId>
+      <version>1.8.3</version>
+    </dependency>
+    <dependency>
+      <groupId>javax.servlet</groupId>
+      <artifactId>javax.servlet-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.google.guava</groupId>
+      <artifactId>guava</artifactId>
+    </dependency>
+
+    <!-- Testing Dependencies -->
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.mockito</groupId>
+      <artifactId>mockito-all</artifactId>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+  <build>
+    <pluginManagement>
+      <plugins>
+        <plugin>
+          <groupId>org.apache.felix</groupId>
+          <artifactId>maven-bundle-plugin</artifactId>
+          <version>${bundle.plugin.version}</version>
+          <extensions>true</extensions>
+          <configuration>
+            <instructions>
+              <Bundle-Name>${project.groupId}.${project.artifactId}</Bundle-Name>
+            </instructions>
+            <manifestLocation>${project.basedir}/META-INF</manifestLocation>
+          </configuration>
+        </plugin>
+      </plugins>
+    </pluginManagement>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.felix</groupId>
+        <artifactId>maven-bundle-plugin</artifactId>
+        <extensions>true</extensions>
+        <configuration>
+          <instructions>
+            <Import-Package>
+              *
+            </Import-Package>
+            <Web-ContextPath>/moon</Web-ContextPath>
+            <Bundle-Activator>org.opendaylight.aaa.shiro.Activator</Bundle-Activator>
+          </instructions>
+        </configuration>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-jar-plugin</artifactId>
+      </plugin>
+      <plugin>
+        <groupId>org.codehaus.mojo</groupId>
+        <artifactId>build-helper-maven-plugin</artifactId>
+        <executions>
+          <execution>
+            <id>attach-artifacts</id>
+            <phase>package</phase>
+            <goals>
+              <goal>attach-artifact</goal>
+            </goals>
+            <configuration>
+              <artifacts>
+                <artifact>
+                  <file>${project.build.directory}/classes/shiro.ini</file>
+                  <type>cfg</type>
+                  <classifier>configuration</classifier>
+                </artifact>
+              </artifacts>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
+    </plugins>
+  </build>
+</project>
diff --git a/odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/Activator.java b/odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/Activator.java
new file mode 100644
index 00000000..2f1c98f7
--- /dev/null
+++ b/odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/Activator.java
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2015 Brocade Communications Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.shiro;
+
+import org.apache.felix.dm.DependencyActivatorBase;
+import org.apache.felix.dm.DependencyManager;
+import org.osgi.framework.BundleContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * This scaffolding allows the use of AAA Filters without AuthN or AuthZ
+ * enabled. This is done to support workflows such as those included in the
+ * <code>odl-restconf-noauth</code> feature.
+ *
+ * This class is also responsible for offering contextual <code>DEBUG</code>
+ * level clues concerning the activation of the <code>aaa-shiro</code> bundle.
+ * To enable these debug messages, issue the following command in the karaf
+ * shell: <code>log:set debug org.opendaylight.aaa.shiro.Activator</code>
+ *
+ * @author Ryan Goulding (ryandgoulding@gmail.com)
+ */
+public class Activator extends DependencyActivatorBase {
+
+    private static final Logger LOG = LoggerFactory.getLogger(Activator.class);
+
+    @Override
+    public void destroy(BundleContext bc, DependencyManager dm) throws Exception {
+        final String DEBUG_MESSAGE = "Destroying the aaa-shiro bundle";
+        LOG.debug(DEBUG_MESSAGE);
+    }
+
+    @Override
+    public void init(BundleContext bc, DependencyManager dm) throws Exception {
+        final String DEBUG_MESSAGE = "Initializing the aaa-shiro bundle";
+        LOG.debug(DEBUG_MESSAGE);
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/ServiceProxy.java b/odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/ServiceProxy.java
new file mode 100644
index 00000000..e4485d73
--- /dev/null
+++ b/odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/ServiceProxy.java
@@ -0,0 +1,94 @@
+/*
+ * Copyright (c) 2016 Brocade Communications Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.shiro;
+
+import org.opendaylight.aaa.shiro.filters.AAAFilter;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Responsible for enabling and disabling the AAA service. By default, the
+ * service is disabled; the AAAFilter will not require AuthN or AuthZ. The
+ * service is enabled through calling
+ * <code>ServiceProxy.getInstance().setEnabled(true)</code>. AuthN and AuthZ are
+ * disabled by default in order to support workflows such as the feature
+ * <code>odl-restconf-noauth</code>.
+ *
+ * The AAA service is enabled through installing the <code>odl-aaa-shiro</code>
+ * feature. The <code>org.opendaylight.aaa.shiroact.Activator()</code>
+ * constructor calls enables AAA through the ServiceProxy, which in turn enables
+ * the AAAFilter.
+ *
+ * ServiceProxy is a singleton; access to the ServiceProxy is granted through
+ * the <code>getInstance()</code> function.
+ *
+ * @author Ryan Goulding (ryandgoulding@gmail.com)
+ * @see <a
+ *      href="https://github.com/opendaylight/netconf/blob/master/opendaylight/restconf/sal-rest-connector/src/main/resources/WEB-INF/web.xml">resconf
+ *      web,xml</a>
+ * @see <code>org.opendaylight.aaa.shiro.Activator</code>
+ * @see <code>org.opendaylight.aaa.shiro.filters.AAAFilter</code>
+ */
+public class ServiceProxy {
+    private static final Logger LOG = LoggerFactory.getLogger(ServiceProxy.class);
+
+    /**
+     * AuthN and AuthZ are disabled by default to support workflows included in
+     * features such as <code>odl-restconf-noauth</code>
+     */
+    public static final boolean DEFAULT_AA_ENABLE_STATUS = false;
+
+    private static ServiceProxy instance = new ServiceProxy();
+    private volatile boolean enabled = false;
+    private AAAFilter filter;
+
+    /**
+     * private for singleton pattern
+     */
+    private ServiceProxy() {
+        final String INFO_MESSAGE = "Creating the ServiceProxy";
+        LOG.info(INFO_MESSAGE);
+    }
+
+    /**
+     * @return ServiceProxy, a feature level singleton
+     */
+    public static ServiceProxy getInstance() {
+        return instance;
+    }
+
+    /**
+     * Enables/disables the feature, cascading the state information to the
+     * AAAFilter.
+     *
+     * @param enabled A flag indicating whether to enable the Service.
+     */
+    public synchronized void setEnabled(final boolean enabled) {
+        this.enabled = enabled;
+        final String SERVICE_ENABLED_INFO_MESSAGE = "Setting ServiceProxy enabled to " + enabled;
+        LOG.info(SERVICE_ENABLED_INFO_MESSAGE);
+        // check for null because of non-determinism in bundle load
+        if (filter != null) {
+            filter.setEnabled(enabled);
+        }
+    }
+
+    /**
+     * Extract whether the service is enabled.
+     *
+     * @param filter
+     *            register an optional Filter for callback if enable state
+     *            changes
+     * @return Whether the service is enabled
+     */
+    public synchronized boolean getEnabled(final AAAFilter filter) {
+        this.filter = filter;
+        return enabled;
+    }
+}
diff --git a/odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/accounting/Accounter.java b/odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/accounting/Accounter.java
new file mode 100644
index 00000000..e768ea59
--- /dev/null
+++ b/odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/accounting/Accounter.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (c) 2015 Brocade Communications Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+package org.opendaylight.aaa.shiro.accounting;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Accounter is a common place to output AAA messages. Use this class through
+ * invoking <code>Logger.output("message")</code>.
+ *
+ * @author Ryan Goulding (ryandgoulding@gmail.com)
+ */
+public class Accounter {
+
+    private static final Logger LOG = LoggerFactory.getLogger(Accounter.class);
+
+    /*
+     * Essentially makes Accounter a singleton, avoiding the verbosity of
+     * <code>Accounter.getInstance().output("message")</code>.
+     */
+    private Accounter() {
+    }
+
+    /**
+     * Account for a particular <code>message</code>
+     *
+     * @param message A message for the aggregated AAA log.
+     */
+    public static void output(final String message) {
+        LOG.debug(message);
+    }
+}
diff --git a/odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/authorization/DefaultRBACRules.java b/odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/authorization/DefaultRBACRules.java
new file mode 100644
index 00000000..9e84c988
--- /dev/null
+++ b/odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/authorization/DefaultRBACRules.java
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 2015 Brocade Communications Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+package org.opendaylight.aaa.shiro.authorization;
+
+import com.google.common.collect.Sets;
+import java.util.Collection;
+import java.util.HashSet;
+
+/**
+ * A singleton container of default authorization rules that are installed as
+ * part of Shiro initialization. This class defines an immutable set of rules
+ * that are needed to provide system-wide security. These include protecting
+ * certain MD-SAL leaf nodes that contain AAA data from random access. This is
+ * not a place to define your custom rule set; additional RBAC rules are
+ * configured through the shiro initialization file:
+ * <code>$KARAF_HOME/shiro.ini</code>
+ *
+ * An important distinction to consider is that Shiro URL rules work to protect
+ * the system at the Web layer, and <code>AuthzDomDataBroker</code> works to
+ * protect the system down further at the DOM layer.
+ *
+ * @author Ryan Goulding (ryandgoulding@gmail.com)
+ *
+ */
+public class DefaultRBACRules {
+
+    private static DefaultRBACRules instance;
+
+    /**
+     * a collection of the default security rules
+     */
+    private Collection<RBACRule> rbacRules = new HashSet<RBACRule>();
+
+    /**
+     * protects the AAA MD-SAL store by preventing access to the leaf nodes to
+     * non-admin users.
+     */
+    private static final RBACRule PROTECT_AAA_MDSAL = RBACRule.createAuthorizationRule(
+            "*/authorization/*", Sets.newHashSet("admin"));
+
+    /*
+     * private for singleton pattern
+     */
+    private DefaultRBACRules() {
+        // rbacRules.add(PROTECT_AAA_MDSAL);
+    }
+
+    /**
+     *
+     * @return the container instance for the default RBAC Rules
+     */
+    public static final DefaultRBACRules getInstance() {
+        if (null == instance) {
+            instance = new DefaultRBACRules();
+        }
+        return instance;
+    }
+
+    /**
+     *
+     * @return a copy of the default rules, so any modifications to the returned
+     *         reference do not affect the <code>DefaultRBACRules</code>.
+     */
+    public final Collection<RBACRule> getRBACRules() {
+        // Returns a copy of the rbacRules set such that the original set keeps
+        // its contract of remaining immutable. Calls to rbacRules.add() are
+        // encapsulated solely in <code>DefaultRBACRules</code>.
+        //
+        // Since this method is only called at shiro initialiation time,
+        // memory consumption of creating a new set is a non-issue.
+        return Sets.newHashSet(rbacRules);
+    }
+}
diff --git a/odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/authorization/RBACRule.java b/odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/authorization/RBACRule.java
new file mode 100644
index 00000000..0da95eb4
--- /dev/null
+++ b/odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/authorization/RBACRule.java
@@ -0,0 +1,170 @@
+/*
+ * Copyright (c) 2015 Brocade Communications Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+package org.opendaylight.aaa.shiro.authorization;
+
+import com.google.common.base.Preconditions;
+import com.google.common.collect.Sets;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.HashSet;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * A container for RBAC Rules. An RBAC Rule is composed of a url pattern which
+ * may contain asterisk characters (*), and a collection of roles. These are
+ * represented in shiro.ini in the following format:
+ * <code>urlPattern=roles[atLeastOneCommaSeperatedRole]</code>
+ *
+ * RBACRules are immutable; that is, you cannot change the url pattern or the
+ * roles after creation. This is done for security purposes. RBACRules are
+ * created through utilizing a static factory method:
+ * <code>RBACRule.createRBACRule()</code>
+ *
+ * @author Ryan Goulding (ryandgoulding@gmail.com)
+ *
+ */
+public class RBACRule {
+
+    private static final Logger LOG = LoggerFactory.getLogger(RBACRule.class);
+
+    /**
+     * a url pattern that can optional contain asterisk characters (*)
+     */
+    private String urlPattern;
+
+    /**
+     * a collection of role names, such as "admin" and "user"
+     */
+    private Collection<String> roles = new HashSet<String>();
+
+    /**
+     * Creates an RBAC Rule. Made private for static factory method.
+     *
+     * @param urlPattern
+     *            Cannot be null or the empty string.
+     * @param roles
+     *            Must contain at least one role.
+     * @throws NullPointerException
+     *             if <code>urlPattern</code> or <code>roles</code> is null
+     * @throws IllegalArgumentException
+     *             if <code>urlPattern</code> is an empty string or
+     *             <code>roles</code> is an empty collection.
+     */
+    private RBACRule(final String urlPattern, final Collection<String> roles)
+            throws NullPointerException, IllegalArgumentException {
+
+        this.setUrlPattern(urlPattern);
+        this.setRoles(roles);
+    }
+
+    /**
+     * The static factory method used to create RBACRules.
+     *
+     * @param urlPattern
+     *            Cannot be null or the empty string.
+     * @param roles
+     *            Cannot be null or an emtpy collection.
+     * @return An immutable RBACRule
+     */
+    public static RBACRule createAuthorizationRule(final String urlPattern,
+            final Collection<String> roles) {
+
+        RBACRule authorizationRule = null;
+        try {
+            authorizationRule = new RBACRule(urlPattern, roles);
+        } catch (Exception e) {
+            LOG.error("Cannot instantiate the AuthorizationRule", e);
+        }
+        return authorizationRule;
+    }
+
+    /**
+     *
+     * @return the urlPattern for the RBACRule
+     */
+    public String getUrlPattern() {
+        return urlPattern;
+    }
+
+    /*
+     * helper to ensure the url pattern is not the empty string
+     */
+    private static void checkUrlPatternLength(final String urlPattern)
+            throws IllegalArgumentException {
+
+        final String EXCEPTION_MESSAGE = "Empty String is not allowed for urlPattern";
+        if (urlPattern.isEmpty()) {
+            throw new IllegalArgumentException(EXCEPTION_MESSAGE);
+        }
+    }
+
+    private void setUrlPattern(final String urlPattern) throws NullPointerException,
+            IllegalArgumentException {
+
+        Preconditions.checkNotNull(urlPattern);
+        checkUrlPatternLength(urlPattern);
+        this.urlPattern = urlPattern;
+    }
+
+    /**
+     *
+     * @return a copy of the rule, so any modifications to the returned
+     *         reference do not affect the immutable <code>RBACRule</code>.
+     */
+    public Collection<String> getRoles() {
+        // Returns a copy of the roles collection such that the original set
+        // keeps
+        // its contract of remaining immutable.
+        //
+        // Since this method is only called at shiro initialiation time,
+        // memory consumption of creating a new set is a non-issue.
+        return Sets.newHashSet(roles);
+    }
+
+    /*
+     * check to ensure the roles collection is not empty
+     */
+    private static void checkRolesCollectionSize(final Collection<String> roles)
+            throws IllegalArgumentException {
+
+        final String EXCEPTION_MESSAGE = "roles must contain at least 1 role";
+        if (roles.isEmpty()) {
+            throw new IllegalArgumentException(EXCEPTION_MESSAGE);
+        }
+    }
+
+    private void setRoles(final Collection<String> roles) throws NullPointerException,
+            IllegalArgumentException {
+
+        Preconditions.checkNotNull(roles);
+        checkRolesCollectionSize(roles);
+        this.roles = roles;
+    }
+
+    /**
+     * Generates a string representation of the <code>RBACRule</code> roles in
+     * shiro form.
+     *
+     * @return roles string representation in the form
+     *         <code>roles[roleOne,roleTwo]</code>
+     */
+    public String getRolesInShiroFormat() {
+        final String ROLES_STRING = "roles";
+        return ROLES_STRING + Arrays.toString(roles.toArray());
+    }
+
+    /**
+     * Generates the string representation of the <code>RBACRule</code> in shiro
+     * form. For example: <code>urlPattern=roles[admin,user]</code>
+     */
+    @Override
+    public String toString() {
+        return String.format("%s=%s", urlPattern, getRolesInShiroFormat());
+    }
+}
diff --git a/odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/AAAFilter.java b/odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/AAAFilter.java
new file mode 100644
index 00000000..b53588d8
--- /dev/null
+++ b/odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/AAAFilter.java
@@ -0,0 +1,72 @@
+/*
+ * Copyright (c) 2015 Brocade Communications Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.shiro.filters;
+
+import org.apache.shiro.web.servlet.ShiroFilter;
+import org.opendaylight.aaa.shiro.ServiceProxy;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * The default AAA JAX-RS 1.X Web Filter. This class is also responsible for
+ * delivering debug information; to enable these debug statements, please issue
+ * the following in the karaf shell:
+ *
+ * <code>log:set debug org.opendaylight.aaa.shiro.filters.AAAFilter</code>
+ *
+ * @author Ryan Goulding (ryandgoulding@gmail.com)
+ * @see <code>javax.servlet.Filter</code>
+ * @see <code>org.apache.shiro.web.servlet.ShiroFilter</code>
+ */
+public class AAAFilter extends ShiroFilter {
+
+    private static final Logger LOG = LoggerFactory.getLogger(AAAFilter.class);
+
+    public AAAFilter() {
+        super();
+        final String DEBUG_MESSAGE = "Creating the AAAFilter";
+        LOG.debug(DEBUG_MESSAGE);
+    }
+
+    /*
+     * (non-Javadoc)
+     *
+     * Adds context clues that aid in debugging. Also initializes the enable
+     * status to correspond with
+     * <code>ServiceProxy.getInstance.getEnabled()</code>.
+     *
+     * @see org.apache.shiro.web.servlet.ShiroFilter#init()
+     */
+    @Override
+    public void init() throws Exception {
+        super.init();
+        final String DEBUG_MESSAGE = "Initializing the AAAFilter";
+        LOG.debug(DEBUG_MESSAGE);
+        // sets the filter to the startup value. Because of non-determinism in
+        // bundle loading, this passes an instance of itself along so that if
+        // the
+        // enable status changes, then AAAFilter enable status is changed.
+        setEnabled(ServiceProxy.getInstance().getEnabled(this));
+    }
+
+    /*
+     * (non-Javadoc)
+     *
+     * Adds context clues to aid in debugging whether the filter is enabled.
+     *
+     * @see
+     * org.apache.shiro.web.servlet.OncePerRequestFilter#setEnabled(boolean)
+     */
+    @Override
+    public void setEnabled(boolean enabled) {
+        super.setEnabled(enabled);
+        final String DEBUG_MESSAGE = "Setting AAAFilter enabled to " + enabled;
+        LOG.debug(DEBUG_MESSAGE);
+    }
+}
diff --git a/odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/MoonOAuthFilter.java b/odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/MoonOAuthFilter.java
new file mode 100644
index 00000000..06038c54
--- /dev/null
+++ b/odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/MoonOAuthFilter.java
@@ -0,0 +1,187 @@
+/*
+ * Copyright (c) 2014, 2015 Hewlett-Packard Development Company, L.P. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+package org.opendaylight.aaa.shiro.filters;
+
+
+import static javax.servlet.http.HttpServletResponse.SC_BAD_REQUEST;
+import static javax.servlet.http.HttpServletResponse.SC_CREATED;
+import static javax.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
+import static javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.oltu.oauth2.as.response.OAuthASResponse;
+import org.apache.oltu.oauth2.common.exception.OAuthProblemException;
+import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
+import org.apache.oltu.oauth2.common.message.OAuthResponse;
+import org.apache.oltu.oauth2.common.message.types.TokenType;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.subject.Subject;
+import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
+import org.opendaylight.aaa.AuthenticationBuilder;
+import org.opendaylight.aaa.ClaimBuilder;
+import org.opendaylight.aaa.api.Authentication;
+import org.opendaylight.aaa.api.Claim;
+import org.opendaylight.aaa.shiro.moon.MoonPrincipal;
+import org.opendaylight.aaa.sts.OAuthRequest;
+import org.opendaylight.aaa.sts.ServiceLocator;
+
+
+public class MoonOAuthFilter extends AuthenticatingFilter{
+
+    private static final String DOMAIN_SCOPE_REQUIRED = "Domain scope required";
+    private static final String NOT_IMPLEMENTED = "not_implemented";
+    private static final String UNAUTHORIZED = "unauthorized";
+    private static final String UNAUTHORIZED_CREDENTIALS = "Unauthorized: Login/Password incorrect";
+
+    static final String TOKEN_GRANT_ENDPOINT = "/token";
+    static final String TOKEN_REVOKE_ENDPOINT = "/revoke";
+    static final String TOKEN_VALIDATE_ENDPOINT = "/validate";
+
+    @Override
+    protected UsernamePasswordToken createToken(ServletRequest request, ServletResponse response) throws Exception {
+        // TODO Auto-generated method stub
+        HttpServletRequest httpRequest = (HttpServletRequest) request;
+        OAuthRequest oauthRequest = new OAuthRequest(httpRequest);
+        return new UsernamePasswordToken(oauthRequest.getUsername(),oauthRequest.getPassword());
+    }
+
+    @Override
+    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
+        // TODO Auto-generated method stub
+        Subject currentUser = SecurityUtils.getSubject();
+        return executeLogin(request, response);
+    }
+
+    protected boolean onLoginSuccess(AuthenticationToken token, Subject subject,
+            ServletRequest request, ServletResponse response) throws Exception {
+        HttpServletResponse httpResponse= (HttpServletResponse) response;
+        MoonPrincipal principal = (MoonPrincipal) subject.getPrincipals().getPrimaryPrincipal();
+        Claim claim = principal.principalToClaim();
+        oauthAccessTokenResponse(httpResponse,claim,"",principal.getToken());
+        return true;
+    }
+
+    protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
+            ServletRequest request, ServletResponse response) {
+        HttpServletResponse resp = (HttpServletResponse) response;
+        error(resp, SC_BAD_REQUEST, UNAUTHORIZED_CREDENTIALS);
+        return false;
+    }
+
+    protected boolean executeLogin(ServletRequest request, ServletResponse response) throws Exception {
+        /**
+         * Here, we will call three functions depending on whether user wants to:
+         * create Token
+         * refresh token
+         * delete token
+         */
+        HttpServletRequest req= (HttpServletRequest) request;
+        HttpServletResponse resp = (HttpServletResponse) response;
+        try {
+            if (req.getServletPath().equals(TOKEN_GRANT_ENDPOINT)) {
+                UsernamePasswordToken token = createToken(request, response);
+                if (token == null) {
+                    String msg = "A valid non-null AuthenticationToken " +
+                            "must be created in order to execute a login attempt.";
+                    throw new IllegalStateException(msg);
+                }
+                try {
+                    Subject subject = getSubject(request, response);
+                    subject.login(token);
+                    return onLoginSuccess(token, subject, request, response);
+                } catch (AuthenticationException e) {
+                    return onLoginFailure(token, e, request, response);
+                }
+            } else if (req.getServletPath().equals(TOKEN_REVOKE_ENDPOINT)) {
+                //deleteAccessToken(req, resp);
+            } else if (req.getServletPath().equals(TOKEN_VALIDATE_ENDPOINT)) {
+                //validateToken(req, resp);
+            }
+        } catch (AuthenticationException e) {
+            error(resp, SC_UNAUTHORIZED, e.getMessage());
+        } catch (OAuthProblemException oe) {
+            error(resp, oe);
+        } catch (Exception e) {
+            error(resp, e);
+        }
+        return false;
+    }
+
+    private void oauthAccessTokenResponse(HttpServletResponse resp, Claim claim, String clientId, String token)
+            throws OAuthSystemException, IOException {
+        if (claim == null) {
+            throw new AuthenticationException(UNAUTHORIZED);
+        }
+
+        // Cache this token...
+        Authentication auth = new AuthenticationBuilder(new ClaimBuilder(claim).setClientId(
+                clientId).build()).setExpiration(tokenExpiration()).build();
+        ServiceLocator.getInstance().getTokenStore().put(token, auth);
+
+        OAuthResponse r = OAuthASResponse.tokenResponse(SC_CREATED).setAccessToken(token)
+                                         .setTokenType(TokenType.BEARER.toString())
+                                         .setExpiresIn(Long.toString(auth.expiration()))
+                                         .buildJSONMessage();
+        write(resp, r);
+    }
+
+    private void write(HttpServletResponse resp, OAuthResponse r) throws IOException {
+        resp.setStatus(r.getResponseStatus());
+        PrintWriter pw = resp.getWriter();
+        pw.print(r.getBody());
+        pw.flush();
+        pw.close();
+    }
+
+    private long tokenExpiration() {
+        return ServiceLocator.getInstance().getTokenStore().tokenExpiration();
+    }
+
+    // Emit an error OAuthResponse with the given HTTP code
+    private void error(HttpServletResponse resp, int httpCode, String error) {
+        try {
+            OAuthResponse r = OAuthResponse.errorResponse(httpCode).setError(error)
+                                           .buildJSONMessage();
+            write(resp, r);
+        } catch (Exception e1) {
+            // Nothing to do here
+        }
+    }
+
+    private void error(HttpServletResponse resp, OAuthProblemException e) {
+        try {
+            OAuthResponse r = OAuthResponse.errorResponse(SC_BAD_REQUEST).error(e)
+                                           .buildJSONMessage();
+            write(resp, r);
+        } catch (Exception e1) {
+            // Nothing to do here
+        }
+    }
+
+    private void error(HttpServletResponse resp, Exception e) {
+        try {
+            OAuthResponse r = OAuthResponse.errorResponse(SC_INTERNAL_SERVER_ERROR)
+                                           .setError(e.getClass().getName())
+                                           .setErrorDescription(e.getMessage()).buildJSONMessage();
+            write(resp, r);
+        } catch (Exception e1) {
+            // Nothing to do here
+        }
+    }
+
+}
\ No newline at end of file
diff --git a/odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/ODLHttpAuthenticationFilter.java b/odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/ODLHttpAuthenticationFilter.java
new file mode 100644
index 00000000..90b0101e
--- /dev/null
+++ b/odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/filters/ODLHttpAuthenticationFilter.java
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 2015 Brocade Communications Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.shiro.filters;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.shiro.codec.Base64;
+import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;
+import org.apache.shiro.web.util.WebUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Extends <code>BasicHttpAuthenticationFilter</code> to include ability to
+ * authenticate OAuth2 tokens, which is needed for backwards compatibility with
+ * <code>TokenAuthFilter</code>.
+ *
+ * This behavior is enabled by default for backwards compatibility. To disable
+ * OAuth2 functionality, just comment out the following line from the
+ * <code>etc/shiro.ini</code> file:
+ * <code>authcBasic = org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter</code>
+ * then restart the karaf container.
+ *
+ * @author Ryan Goulding (ryandgoulding@gmail.com)
+ *
+ */
+public class ODLHttpAuthenticationFilter extends BasicHttpAuthenticationFilter {
+
+    private static final Logger LOG = LoggerFactory.getLogger(ODLHttpAuthenticationFilter.class);
+
+    // defined in lower-case for more efficient string comparison
+    protected static final String BEARER_SCHEME = "bearer";
+
+    protected static final String OPTIONS_HEADER = "OPTIONS";
+
+    public ODLHttpAuthenticationFilter() {
+        super();
+        LOG.info("Creating the ODLHttpAuthenticationFilter");
+    }
+
+    @Override
+    protected String[] getPrincipalsAndCredentials(String scheme, String encoded) {
+        final String decoded = Base64.decodeToString(encoded);
+        // attempt to decode username/password; otherwise decode as token
+        if (decoded.contains(":")) {
+            return decoded.split(":");
+        }
+        return new String[] { encoded };
+    }
+
+    @Override
+    protected boolean isLoginAttempt(String authzHeader) {
+        final String authzScheme = getAuthzScheme().toLowerCase();
+        final String authzHeaderLowerCase = authzHeader.toLowerCase();
+        return authzHeaderLowerCase.startsWith(authzScheme)
+                || authzHeaderLowerCase.startsWith(BEARER_SCHEME);
+    }
+
+    @Override
+    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response,
+            Object mappedValue) {
+        final HttpServletRequest httpRequest = WebUtils.toHttp(request);
+        final String httpMethod = httpRequest.getMethod();
+        if (OPTIONS_HEADER.equalsIgnoreCase(httpMethod)) {
+            return true;
+        } else {
+            return super.isAccessAllowed(httpRequest, response, mappedValue);
+        }
+    }
+}
diff --git a/odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/moon/MoonPrincipal.java b/odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/moon/MoonPrincipal.java
new file mode 100644
index 00000000..a95b4e7f
--- /dev/null
+++ b/odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/moon/MoonPrincipal.java
@@ -0,0 +1,155 @@
+/*
+ * Copyright (c) 2015 Brocade Communications Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+package org.opendaylight.aaa.shiro.moon;
+
+import com.google.common.collect.ImmutableSet;
+
+import java.io.Serializable;
+import java.util.Set;
+
+import org.opendaylight.aaa.api.Claim;
+
+public  class MoonPrincipal {
+
+    private final String username;
+    private final String domain;
+    private final String userId;
+    private final Set<String> roles;
+    private final String token;
+
+
+    public MoonPrincipal(String username, String domain, String userId, Set<String> roles, String token) {
+        this.username = username;
+        this.domain = domain;
+        this.userId = userId;
+        this.roles = roles;
+        this.token = token;
+    }
+
+    public MoonPrincipal createODLPrincipal(String username, String domain,
+            String userId, Set<String> roles, String token) {
+
+        return new MoonPrincipal(username, domain, userId, roles,token);
+    }
+
+    public Claim principalToClaim (){
+        return new MoonClaim("", this.getUserId(), this.getUsername(), this.getDomain(), this.getRoles());
+    }
+
+    public String getUsername() {
+        return this.username;
+    }
+
+    public String getDomain() {
+        return this.domain;
+    }
+
+    public String getUserId() {
+        return this.userId;
+    }
+
+    public Set<String> getRoles() {
+        return this.roles;
+    }
+
+    public String getToken(){
+        return this.token;
+    }
+
+    public class MoonClaim implements Claim, Serializable {
+        private static final long serialVersionUID = -8115027645190209125L;
+        private int hashCode = 0;
+        private String clientId;
+        private String userId;
+        private String user;
+        private String domain;
+        private ImmutableSet<String> roles;
+
+        public MoonClaim(String clientId, String userId, String user, String domain, Set<String> roles) {
+            this.clientId = clientId;
+            this.userId = userId;
+            this.user = user;
+            this.domain = domain;
+            this.roles = ImmutableSet.<String> builder().addAll(roles).build();
+
+            if (userId.isEmpty() || user.isEmpty() || roles.isEmpty() || roles.contains("")) {
+                throw new IllegalStateException("The Claim is missing one or more of the required fields.");
+            }
+        }
+
+        @Override
+        public String clientId() {
+            return clientId;
+        }
+
+        @Override
+        public String userId() {
+            return userId;
+        }
+
+        @Override
+        public String user() {
+            return user;
+        }
+
+        @Override
+        public String domain() {
+            return domain;
+        }
+
+        @Override
+        public Set<String> roles() {
+            return roles;
+        }
+        public String getClientId() {
+            return clientId;
+        }
+
+        public void setClientId(String clientId) {
+            this.clientId = clientId;
+        }
+
+        public String getUserId() {
+            return userId;
+        }
+
+        public void setUserId(String userId) {
+            this.userId = userId;
+        }
+
+        public String getUser() {
+            return user;
+        }
+
+        public void setUser(String user) {
+            this.user = user;
+        }
+
+        public String getDomain() {
+            return domain;
+        }
+
+        public void setDomain(String domain) {
+            this.domain = domain;
+        }
+
+        public ImmutableSet<String> getRoles() {
+            return roles;
+        }
+
+        public void setRoles(ImmutableSet<String> roles) {
+            this.roles = roles;
+        }
+
+        @Override
+        public String toString() {
+            return "clientId:" + clientId + "," + "userId:" + userId + "," + "userName:" + user
+                    + "," + "domain:" + domain + "," + "roles:" + roles ;
+        }
+    }
+}
\ No newline at end of file
diff --git a/odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/moon/MoonTokenEndpoint.java b/odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/moon/MoonTokenEndpoint.java
new file mode 100644
index 00000000..a954a606
--- /dev/null
+++ b/odl-aaa-moon/aaa-shiro/src/main/java/org/opendaylight/aaa/shiro/moon/MoonTokenEndpoint.java
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2015 Brocade Communications Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.shiro.moon;
+
+
+import java.io.IOException;
+
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class MoonTokenEndpoint extends HttpServlet{
+
+    private static final long serialVersionUID = 4980356362831585417L;
+    private static final Logger LOG = LoggerFactory.getLogger(MoonTokenEndpoint.class);
+
+    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+        LOG.debug("MoonTokenEndpoint Servlet doPost");
+    }
+
+}
\ No newline at end of file
diff --git a/odl-aaa-moon/aaa-shiro/src/main/resources/WEB-INF/web.xml b/odl-aaa-moon/aaa-shiro/src/main/resources/WEB-INF/web.xml
new file mode 100644
index 00000000..63288c23
--- /dev/null
+++ b/odl-aaa-moon/aaa-shiro/src/main/resources/WEB-INF/web.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+    version="3.0">
+
+    <servlet>
+        <servlet-name>MOON</servlet-name>
+        <servlet-class>org.opendaylight.aaa.shiro.moon.MoonTokenEndpoint</servlet-class>
+        <load-on-startup>1</load-on-startup>
+    </servlet>
+
+    <servlet-mapping>
+        <servlet-name>MOON</servlet-name>
+        <url-pattern>/token</url-pattern>
+    </servlet-mapping>
+    <servlet-mapping>
+        <servlet-name>MOON</servlet-name>
+        <url-pattern>/revoke</url-pattern>
+    </servlet-mapping>
+    <servlet-mapping>
+        <servlet-name>MOON</servlet-name>
+        <url-pattern>/validate</url-pattern>
+    </servlet-mapping>
+    <servlet-mapping>
+        <servlet-name>MOON</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+
+    <!-- Shiro Filter -->
+    <context-param>
+      <param-name>shiroEnvironmentClass</param-name>
+      <param-value>org.opendaylight.aaa.shiro.web.env.KarafIniWebEnvironment</param-value>
+    </context-param>
+
+    <listener>
+        <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
+    </listener>
+
+    <filter>
+        <filter-name>ShiroFilter</filter-name>
+        <filter-class>org.opendaylight.aaa.shiro.filters.AAAFilter</filter-class>
+    </filter>
+
+    <filter-mapping>
+        <filter-name>ShiroFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+</web-app>
\ No newline at end of file
diff --git a/odl-aaa-moon/aaa-shiro/src/main/resources/shiro.ini b/odl-aaa-moon/aaa-shiro/src/main/resources/shiro.ini
new file mode 100644
index 00000000..d84f9fa0
--- /dev/null
+++ b/odl-aaa-moon/aaa-shiro/src/main/resources/shiro.ini
@@ -0,0 +1,95 @@
+#
+# Copyright (c) 2015 Brocade Communications Systems, Inc. and others.  All rights reserved.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License v1.0 which accompanies this distribution,
+# and is available at http://www.eclipse.org/legal/epl-v10.html
+#
+
+###############################################################################
+# shiro.ini                                                                   #
+#                                                                             #
+# Configuration of OpenDaylight's aaa-shiro feature.  Provided Realm          #
+# implementations include:                                                    #
+# - TokenAuthRealm (enabled by default)                                       #
+# - ODLJndiLdapRealm (disabled by default)                                    #
+# - ODLJndiLdapRealmAuthNOnly (disabled by default)                           #
+# Basic user configuration through shiro.ini is disabled for security         #
+# purposes.                                                                   #
+###############################################################################
+
+
+
+[main]
+###############################################################################
+# realms                                                                      #
+#                                                                             #
+# This section is dedicated to setting up realms for OpenDaylight.  Realms    #
+# are essentially different methods for providing AAA.  ODL strives to provide#
+# highly-configurable AAA by providing pluggable infrastructure.  By deafult, #
+# TokenAuthRealm is enabled out of the box (which bridges to the existing AAA #
+# mechanisms).  More than one realm can be enabled, and the realms are        #
+# tried Round-Robin until:                                                    #
+# 1) a realm successfully authenticates the incoming request                  #
+# 2) all realms are exhausted, and 401 is returned                            #
+###############################################################################
+
+# ODL provides a few LDAP implementations, which are disabled out of the box.
+# ODLJndiLdapRealm includes authorization functionality based on LDAP elements
+# extracted through and LDAP search.  This requires a bit of knowledge about
+# how your LDAP system is setup.  An example is provided below:
+#ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealm
+#ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD
+#ldapRealm.contextFactory.url = ldap://<URL>:389
+#ldapRealm.searchBase = dc=DOMAIN,dc=TLD
+#ldapRealm.ldapAttributeForComparison = objectClass
+
+# ODL also provides ODLJndiLdapRealmAuthNOnly.  Essentially, this allows
+# access through AAAFilter to any user that can authenticate against the
+# provided LDAP server.
+#ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly
+#ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD
+#ldapRealm.contextFactory.url = ldap://<URL>:389
+
+# Bridge to existing h2/idmlight/mdsal authentication/authorization mechanisms.
+# This realm is enabled by default, and utilizes h2-store by default.
+tokenAuthRealm = org.opendaylight.aaa.shiro.realm.TokenAuthRealm
+moonAuthRealm = org.opendaylight.aaa.shiro.realm.MoonRealm
+
+# The CSV list of enabled realms.  In order to enable a realm, add it to the
+# list below:
+securityManager.realms = $moonAuthRealm
+
+
+# adds a custom AuthenticationFilter to support OAuth2 for backwards
+# compatibility.  To disable OAuth2 access, just comment out the next line
+# and authcBasic will default to BasicHttpAuthenticationFilter, a
+# Shiro-provided class.
+authcBasic = org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter
+# OAuth2 Filer for moon token AuthN
+rest = org.opendaylight.aaa.shiro.filters.MoonOAuthFilter
+
+
+
+[urls]
+###############################################################################
+# url authorization section                                                   #
+#                                                                             #
+# This section is dedicated to defining url-based authorization according to: #
+# http://shiro.apache.org/web.html                                            #
+###############################################################################
+#Filtering REST requests with AAAFilter
+/v1/users** = authcBasic
+/v1/domains** = authcBasic
+/v1/roles** = authcBasic
+
+#Filter OAuth2 request$
+/token = rest
+
+# General access through AAAFilter requires valid credentials (AuthN only).
+/** = authcBasic
+
+# Access to the credential store is limited to the valid users who have the
+# admin role. The following line is only needed if the mdsal store is enabled
+#(the mdsal store is disabled by default).
+/config/aaa-authn-model** = authcBasic,roles[admin]
diff --git a/odl-aaa-moon/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/ServiceProxyTest.java b/odl-aaa-moon/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/ServiceProxyTest.java
new file mode 100644
index 00000000..2d9c8976
--- /dev/null
+++ b/odl-aaa-moon/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/ServiceProxyTest.java
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2015 Brocade Communications Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.shiro;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+
+import org.junit.Test;
+import org.opendaylight.aaa.shiro.filters.AAAFilter;
+
+/**
+ * @author Ryan Goulding (ryandgoulding@gmail.com)
+ */
+public class ServiceProxyTest {
+
+    @Test
+    public void testGetInstance() {
+        // ensures that singleton pattern is working
+        assertNotNull(ServiceProxy.getInstance());
+    }
+
+    @Test
+    public void testGetSetEnabled() {
+        // combines set and get tests. These are important in this instance,
+        // because getEnabled allows an optional callback Filter.
+        ServiceProxy.getInstance().setEnabled(true);
+        assertTrue(ServiceProxy.getInstance().getEnabled(null));
+
+        AAAFilter testFilter = new AAAFilter();
+        // register the filter
+        ServiceProxy.getInstance().getEnabled(testFilter);
+        assertTrue(testFilter.isEnabled());
+
+        ServiceProxy.getInstance().setEnabled(false);
+        assertFalse(ServiceProxy.getInstance().getEnabled(testFilter));
+        assertFalse(testFilter.isEnabled());
+    }
+}
diff --git a/odl-aaa-moon/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/authorization/DefaultRBACRulesTest.java b/odl-aaa-moon/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/authorization/DefaultRBACRulesTest.java
new file mode 100644
index 00000000..38658f0c
--- /dev/null
+++ b/odl-aaa-moon/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/authorization/DefaultRBACRulesTest.java
@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 2015 Brocade Communications Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.shiro.authorization;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+
+import com.google.common.collect.Sets;
+import java.util.Collection;
+import org.junit.Test;
+
+/**
+ * A few basic test cases for the DefualtRBACRules singleton container.
+ *
+ * @author Ryan Goulding (ryandgoulding@gmail.com)
+ *
+ */
+public class DefaultRBACRulesTest {
+
+    @Test
+    public void testGetInstance() {
+        assertNotNull(DefaultRBACRules.getInstance());
+        assertEquals(DefaultRBACRules.getInstance(), DefaultRBACRules.getInstance());
+    }
+
+    @Test
+    public void testGetRBACRules() {
+        Collection<RBACRule> rbacRules = DefaultRBACRules.getInstance().getRBACRules();
+        assertNotNull(rbacRules);
+
+        // check that a copy was returned
+        int originalSize = rbacRules.size();
+        rbacRules.add(RBACRule.createAuthorizationRule("fakeurl/*", Sets.newHashSet("admin")));
+        assertEquals(originalSize, DefaultRBACRules.getInstance().getRBACRules().size());
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/authorization/RBACRuleTest.java b/odl-aaa-moon/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/authorization/RBACRuleTest.java
new file mode 100644
index 00000000..825fe626
--- /dev/null
+++ b/odl-aaa-moon/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/authorization/RBACRuleTest.java
@@ -0,0 +1,106 @@
+/*
+ * Copyright (c) 2015 Brocade Communications Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.shiro.authorization;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+
+import com.google.common.collect.Sets;
+import java.util.Collection;
+import java.util.HashSet;
+import org.junit.Test;
+
+public class RBACRuleTest {
+
+    private static final String BASIC_RBAC_RULE_URL_PATTERN = "/*";
+    private static final Collection<String> BASIC_RBAC_RULE_ROLES = Sets.newHashSet("admin");
+    private RBACRule basicRBACRule = RBACRule.createAuthorizationRule(BASIC_RBAC_RULE_URL_PATTERN,
+            BASIC_RBAC_RULE_ROLES);
+
+    private static final String COMPLEX_RBAC_RULE_URL_PATTERN = "/auth/v1/";
+    private static final Collection<String> COMPLEX_RBAC_RULE_ROLES = Sets.newHashSet("admin",
+            "user");
+    private RBACRule complexRBACRule = RBACRule.createAuthorizationRule(
+            COMPLEX_RBAC_RULE_URL_PATTERN, COMPLEX_RBAC_RULE_ROLES);
+
+    @Test
+    public void testCreateAuthorizationRule() {
+        // positive test cases
+        assertNotNull(RBACRule.createAuthorizationRule(BASIC_RBAC_RULE_URL_PATTERN,
+                BASIC_RBAC_RULE_ROLES));
+        assertNotNull(RBACRule.createAuthorizationRule(COMPLEX_RBAC_RULE_URL_PATTERN,
+                COMPLEX_RBAC_RULE_ROLES));
+
+        // negative test cases
+        // both null
+        assertNull(RBACRule.createAuthorizationRule(null, null));
+
+        // url pattern is null
+        assertNull(RBACRule.createAuthorizationRule(null, BASIC_RBAC_RULE_ROLES));
+        // url pattern is empty string
+        assertNull(RBACRule.createAuthorizationRule("", BASIC_RBAC_RULE_ROLES));
+
+        // roles is null
+        assertNull(RBACRule.createAuthorizationRule(BASIC_RBAC_RULE_URL_PATTERN, null));
+        // roles is empty collection
+        assertNull(RBACRule.createAuthorizationRule(COMPLEX_RBAC_RULE_URL_PATTERN,
+                new HashSet<String>()));
+    }
+
+    @Test
+    public void testGetUrlPattern() {
+        assertEquals(BASIC_RBAC_RULE_URL_PATTERN, basicRBACRule.getUrlPattern());
+        assertEquals(COMPLEX_RBAC_RULE_URL_PATTERN, complexRBACRule.getUrlPattern());
+    }
+
+    @Test
+    public void testGetRoles() {
+        assertTrue(BASIC_RBAC_RULE_ROLES.containsAll(basicRBACRule.getRoles()));
+        basicRBACRule.getRoles().clear();
+        // test that getRoles() produces a new object
+        assertFalse(basicRBACRule.getRoles().isEmpty());
+        assertTrue(basicRBACRule.getRoles().containsAll(BASIC_RBAC_RULE_ROLES));
+
+        assertTrue(COMPLEX_RBAC_RULE_ROLES.containsAll(complexRBACRule.getRoles()));
+        complexRBACRule.getRoles().add("newRole");
+        // test that getRoles() produces a new object
+        assertFalse(complexRBACRule.getRoles().contains("newRole"));
+        assertTrue(complexRBACRule.getRoles().containsAll(COMPLEX_RBAC_RULE_ROLES));
+    }
+
+    @Test
+    public void testGetRolesInShiroFormat() {
+        final String BASIC_RBAC_RULE_EXPECTED_SHIRO_FORMAT = "roles[admin]";
+        assertEquals(BASIC_RBAC_RULE_EXPECTED_SHIRO_FORMAT, basicRBACRule.getRolesInShiroFormat());
+
+        // set ordering is not predictable, so both formats must be considered
+        final String COMPLEX_RBAC_RULE_EXPECTED_SHIRO_FORMAT_1 = "roles[admin, user]";
+        final String COMPLEX_RBAC_RULE_EXPECTED_SHIRO_FORMAT_2 = "roles[user, admin]";
+        assertTrue(COMPLEX_RBAC_RULE_EXPECTED_SHIRO_FORMAT_1.equals(complexRBACRule
+                .getRolesInShiroFormat())
+                || COMPLEX_RBAC_RULE_EXPECTED_SHIRO_FORMAT_2.equals(complexRBACRule
+                        .getRolesInShiroFormat()));
+    }
+
+    @Test
+    public void testToString() {
+        final String BASIC_RBAC_RULE_EXPECTED_SHIRO_FORMAT = "/*=roles[admin]";
+        assertEquals(BASIC_RBAC_RULE_EXPECTED_SHIRO_FORMAT, basicRBACRule.toString());
+
+        // set ordering is not predictable,s o both formats must be considered
+        final String COMPLEX_RBAC_RULE_EXPECTED_SHIRO_FORMAT_1 = "/auth/v1/=roles[admin, user]";
+        final String COMPLEX_RBAC_RULE_EXPECTED_SHIRO_FORMAT_2 = "/auth/v1/=roles[user, admin]";
+        assertTrue(COMPLEX_RBAC_RULE_EXPECTED_SHIRO_FORMAT_1.equals(complexRBACRule.toString())
+                || COMPLEX_RBAC_RULE_EXPECTED_SHIRO_FORMAT_2.equals(complexRBACRule.toString()));
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/realm/ODLJndiLdapRealmTest.java b/odl-aaa-moon/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/realm/ODLJndiLdapRealmTest.java
new file mode 100644
index 00000000..22ce203f
--- /dev/null
+++ b/odl-aaa-moon/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/realm/ODLJndiLdapRealmTest.java
@@ -0,0 +1,246 @@
+/*
+ * Copyright (c) 2015 Brocade Communications Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.shiro.realm;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.Matchers.any;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Set;
+import java.util.Vector;
+import javax.naming.NamingEnumeration;
+import javax.naming.NamingException;
+import javax.naming.directory.BasicAttributes;
+import javax.naming.directory.SearchControls;
+import javax.naming.directory.SearchResult;
+import javax.naming.ldap.LdapContext;
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.authz.AuthorizationInfo;
+import org.apache.shiro.realm.ldap.LdapContextFactory;
+import org.apache.shiro.subject.PrincipalCollection;
+import org.junit.Test;
+
+/**
+ * @author Ryan Goulding (ryandgoulding@gmail.com)
+ */
+public class ODLJndiLdapRealmTest {
+
+    /**
+     * throw-away anonymous test class
+     */
+    class TestNamingEnumeration implements NamingEnumeration<SearchResult> {
+
+        /**
+         * state variable
+         */
+        boolean first = true;
+
+        /**
+         * returned the first time <code>next()</code> or
+         * <code>nextElement()</code> is called.
+         */
+        SearchResult searchResult = new SearchResult("testuser", null, new BasicAttributes(
+                "objectClass", "engineering"));
+
+        /**
+         * returns true the first time, then false for subsequent calls
+         */
+        @Override
+        public boolean hasMoreElements() {
+            return first;
+        }
+
+        /**
+         * returns <code>searchResult</code> then null for subsequent calls
+         */
+        @Override
+        public SearchResult nextElement() {
+            if (first) {
+                first = false;
+                return searchResult;
+            }
+            return null;
+        }
+
+        /**
+         * does nothing because close() doesn't require any special behavior
+         */
+        @Override
+        public void close() throws NamingException {
+        }
+
+        /**
+         * returns true the first time, then false for subsequent calls
+         */
+        @Override
+        public boolean hasMore() throws NamingException {
+            return first;
+        }
+
+        /**
+         * returns <code>searchResult</code> then null for subsequent calls
+         */
+        @Override
+        public SearchResult next() throws NamingException {
+            if (first) {
+                first = false;
+                return searchResult;
+            }
+            return null;
+        }
+    };
+
+    /**
+     * throw away test class
+     *
+     * @author ryan
+     */
+    class TestPrincipalCollection implements PrincipalCollection {
+        /**
+     *
+     */
+        private static final long serialVersionUID = -1236759619455574475L;
+
+        Vector<String> collection = new Vector<String>();
+
+        public TestPrincipalCollection(String element) {
+            collection.add(element);
+        }
+
+        @Override
+        public Iterator<String> iterator() {
+            return collection.iterator();
+        }
+
+        @Override
+        public List<String> asList() {
+            return collection;
+        }
+
+        @Override
+        public Set<String> asSet() {
+            HashSet<String> set = new HashSet<String>();
+            set.addAll(collection);
+            return set;
+        }
+
+        @Override
+        public <T> Collection<T> byType(Class<T> arg0) {
+            return null;
+        }
+
+        @Override
+        public Collection<String> fromRealm(String arg0) {
+            return collection;
+        }
+
+        @Override
+        public Object getPrimaryPrincipal() {
+            return collection.firstElement();
+        }
+
+        @Override
+        public Set<String> getRealmNames() {
+            return null;
+        }
+
+        @Override
+        public boolean isEmpty() {
+            return collection.isEmpty();
+        }
+
+        @Override
+        public <T> T oneByType(Class<T> arg0) {
+            // TODO Auto-generated method stub
+            return null;
+        }
+    };
+
+    @Test
+    public void testGetUsernameAuthenticationToken() {
+        AuthenticationToken authenticationToken = null;
+        assertNull(ODLJndiLdapRealm.getUsername(authenticationToken));
+        AuthenticationToken validAuthenticationToken = new UsernamePasswordToken("test",
+                "testpassword");
+        assertEquals("test", ODLJndiLdapRealm.getUsername(validAuthenticationToken));
+    }
+
+    @Test
+    public void testGetUsernamePrincipalCollection() {
+        PrincipalCollection pc = null;
+        assertNull(new ODLJndiLdapRealm().getUsername(pc));
+        TestPrincipalCollection tpc = new TestPrincipalCollection("testuser");
+        String username = new ODLJndiLdapRealm().getUsername(tpc);
+        assertEquals("testuser", username);
+    }
+
+    @Test
+    public void testQueryForAuthorizationInfoPrincipalCollectionLdapContextFactory()
+            throws NamingException {
+        LdapContext ldapContext = mock(LdapContext.class);
+        // emulates an ldap search and returns the mocked up test class
+        when(
+                ldapContext.search((String) any(), (String) any(),
+                        (SearchControls) any())).thenReturn(new TestNamingEnumeration());
+        LdapContextFactory ldapContextFactory = mock(LdapContextFactory.class);
+        when(ldapContextFactory.getSystemLdapContext()).thenReturn(ldapContext);
+        AuthorizationInfo authorizationInfo = new ODLJndiLdapRealm().queryForAuthorizationInfo(
+                new TestPrincipalCollection("testuser"), ldapContextFactory);
+        assertNotNull(authorizationInfo);
+        assertFalse(authorizationInfo.getRoles().isEmpty());
+        assertTrue(authorizationInfo.getRoles().contains("engineering"));
+    }
+
+    @Test
+    public void testBuildAuthorizationInfo() {
+        assertNull(ODLJndiLdapRealm.buildAuthorizationInfo(null));
+        Set<String> roleNames = new HashSet<String>();
+        roleNames.add("engineering");
+        AuthorizationInfo authorizationInfo = ODLJndiLdapRealm.buildAuthorizationInfo(roleNames);
+        assertNotNull(authorizationInfo);
+        assertFalse(authorizationInfo.getRoles().isEmpty());
+        assertTrue(authorizationInfo.getRoles().contains("engineering"));
+    }
+
+    @Test
+    public void testGetRoleNamesForUser() throws NamingException {
+        ODLJndiLdapRealm ldapRealm = new ODLJndiLdapRealm();
+        LdapContext ldapContext = mock(LdapContext.class);
+
+        // emulates an ldap search and returns the mocked up test class
+        when(
+                ldapContext.search((String) any(), (String) any(),
+                        (SearchControls) any())).thenReturn(new TestNamingEnumeration());
+
+        // extracts the roles for "testuser" and ensures engineering is returned
+        Set<String> roles = ldapRealm.getRoleNamesForUser("testuser", ldapContext);
+        assertFalse(roles.isEmpty());
+        assertTrue(roles.iterator().next().equals("engineering"));
+    }
+
+    @Test
+    public void testCreateSearchControls() {
+        SearchControls searchControls = ODLJndiLdapRealm.createSearchControls();
+        assertNotNull(searchControls);
+        int expectedSearchScope = SearchControls.SUBTREE_SCOPE;
+        int actualSearchScope = searchControls.getSearchScope();
+        assertEquals(expectedSearchScope, actualSearchScope);
+    }
+
+}
diff --git a/odl-aaa-moon/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/realm/TokenAuthRealmTest.java b/odl-aaa-moon/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/realm/TokenAuthRealmTest.java
new file mode 100644
index 00000000..f2eb92b5
--- /dev/null
+++ b/odl-aaa-moon/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/realm/TokenAuthRealmTest.java
@@ -0,0 +1,139 @@
+/*
+ * Copyright (c) 2015 Brocade Communications Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.shiro.realm;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import com.google.common.collect.Lists;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import org.apache.shiro.authc.AuthenticationToken;
+import org.junit.Test;
+
+/**
+ *
+ * @author Ryan Goulding (ryandgoulding@gmail.com)
+ *
+ */
+public class TokenAuthRealmTest extends TokenAuthRealm {
+
+    private TokenAuthRealm testRealm = new TokenAuthRealm();
+
+    @Test
+    public void testTokenAuthRealm() {
+        assertEquals("TokenAuthRealm", testRealm.getName());
+    }
+
+    @Test(expected = NullPointerException.class)
+    public void testDoGetAuthorizationInfoPrincipalCollectionNullCacheToken() {
+        testRealm.doGetAuthorizationInfo(null);
+    }
+
+    @Test
+    public void testGetUsernamePasswordDomainString() {
+        final String username = "user";
+        final String password = "password";
+        final String domain = "domain";
+        final String expectedUsernamePasswordString = "user:password:domain";
+        assertEquals(expectedUsernamePasswordString, getUsernamePasswordDomainString(username, password, domain));
+    }
+
+    @Test
+    public void testGetEncodedToken() {
+        final String stringToEncode = "admin1:admin1";
+        final byte[] bytesToEncode = stringToEncode.getBytes();
+        final String expectedToken = org.apache.shiro.codec.Base64.encodeToString(bytesToEncode);
+        assertEquals(expectedToken, getEncodedToken(stringToEncode));
+    }
+
+    @Test
+    public void testGetTokenAuthHeader() {
+        final String encodedCredentials = getEncodedToken(getUsernamePasswordDomainString("user1",
+                "password", "sdn"));
+        final String expectedTokenAuthHeader = "Basic " + encodedCredentials;
+        assertEquals(expectedTokenAuthHeader, getTokenAuthHeader(encodedCredentials));
+    }
+
+    @Test
+    public void testFormHeadersWithToken() {
+        final String authHeader = getEncodedToken(getTokenAuthHeader(getUsernamePasswordDomainString(
+                "user1", "password", "sdn")));
+        final Map<String, List<String>> expectedHeaders = new HashMap<String, List<String>>();
+        expectedHeaders.put("Authorization", Lists.newArrayList(authHeader));
+        final Map<String, List<String>> actualHeaders = formHeadersWithToken(authHeader);
+        List<String> value;
+        for (String key : expectedHeaders.keySet()) {
+            value = expectedHeaders.get(key);
+            assertTrue(actualHeaders.get(key).equals(value));
+        }
+    }
+
+    @Test
+    public void testFormHeaders() {
+        final String username = "basicUser";
+        final String password = "basicPassword";
+        final String domain = "basicDomain";
+        final String authHeader = getTokenAuthHeader(getEncodedToken(getUsernamePasswordDomainString(
+                username, password, domain)));
+        final Map<String, List<String>> expectedHeaders = new HashMap<String, List<String>>();
+        expectedHeaders.put("Authorization", Lists.newArrayList(authHeader));
+        final Map<String, List<String>> actualHeaders = formHeaders(username, password, domain);
+        List<String> value;
+        for (String key : expectedHeaders.keySet()) {
+            value = expectedHeaders.get(key);
+            assertTrue(actualHeaders.get(key).equals(value));
+        }
+    }
+
+    @Test
+    public void testIsTokenAuthAvailable() {
+        assertFalse(testRealm.isTokenAuthAvailable());
+    }
+
+    @Test(expected = org.apache.shiro.authc.AuthenticationException.class)
+    public void testDoGetAuthenticationInfoAuthenticationToken() {
+        testRealm.doGetAuthenticationInfo(null);
+    }
+
+    @Test
+    public void testExtractUsernameNullUsername() {
+        AuthenticationToken at = mock(AuthenticationToken.class);
+        when(at.getPrincipal()).thenReturn(null);
+        assertNull(extractUsername(at));
+    }
+
+    @Test(expected = ClassCastException.class)
+    public void testExtractPasswordNullPassword() {
+        AuthenticationToken at = mock(AuthenticationToken.class);
+        when(at.getPrincipal()).thenReturn("username");
+        when(at.getCredentials()).thenReturn(null);
+        extractPassword(at);
+    }
+
+    @Test(expected = ClassCastException.class)
+    public void testExtractUsernameBadUsernameClass() {
+        AuthenticationToken at = mock(AuthenticationToken.class);
+        when(at.getPrincipal()).thenReturn(new Integer(1));
+        extractUsername(at);
+    }
+
+    @Test(expected = ClassCastException.class)
+    public void testExtractPasswordBadPasswordClass() {
+        AuthenticationToken at = mock(AuthenticationToken.class);
+        when(at.getPrincipal()).thenReturn("username");
+        when(at.getCredentials()).thenReturn(new Integer(1));
+        extractPassword(at);
+    }
+}
diff --git a/odl-aaa-moon/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/web/env/KarafIniWebEnvironmentTest.java b/odl-aaa-moon/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/web/env/KarafIniWebEnvironmentTest.java
new file mode 100644
index 00000000..141d0ce5
--- /dev/null
+++ b/odl-aaa-moon/aaa-shiro/src/test/java/org/opendaylight/aaa/shiro/web/env/KarafIniWebEnvironmentTest.java
@@ -0,0 +1,76 @@
+/*
+ * Copyright (c) 2015 Brocade Communications Systems, Inc. and others.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.aaa.shiro.web.env;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+
+import java.io.File;
+import java.io.FileWriter;
+import java.io.IOException;
+import org.apache.shiro.config.Ini;
+import org.apache.shiro.config.Ini.Section;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+/**
+ * @author Ryan Goulding (ryandgoulding@gmail.com)
+ */
+public class KarafIniWebEnvironmentTest {
+    private static File iniFile;
+
+    @BeforeClass
+    public static void setup() throws IOException {
+        iniFile = createShiroIniFile();
+        assertTrue(iniFile.exists());
+    }
+
+    @AfterClass
+    public static void teardown() {
+        iniFile.delete();
+    }
+
+    private static String createFakeShiroIniContents() {
+        return "[users]\n" + "admin=admin, ROLE_ADMIN \n" + "[roles]\n" + "ROLE_ADMIN = *\n"
+                + "[urls]\n" + "/** = authcBasic";
+    }
+
+    private static File createShiroIniFile() throws IOException {
+        File shiroIni = File.createTempFile("shiro", "ini");
+        FileWriter writer = new FileWriter(shiroIni);
+        writer.write(createFakeShiroIniContents());
+        writer.flush();
+        writer.close();
+        return shiroIni;
+    }
+
+    @Test
+    public void testCreateShiroIni() throws IOException {
+        Ini ini = KarafIniWebEnvironment.createShiroIni(iniFile.getAbsolutePath());
+        assertNotNull(ini);
+        assertNotNull(ini.getSection("users"));
+        assertNotNull(ini.getSection("roles"));
+        assertNotNull(ini.getSection("urls"));
+        Section usersSection = ini.getSection("users");
+        assertTrue(usersSection.containsKey("admin"));
+        assertTrue(usersSection.get("admin").contains("admin"));
+        assertTrue(usersSection.get("admin").contains("ROLE_ADMIN"));
+    }
+
+    @Test
+    public void testCreateFileBasedIniPath() {
+        String testPath = "/shiro.ini";
+        String expectedFileBasedIniPath = KarafIniWebEnvironment.SHIRO_FILE_PREFIX + testPath;
+        String actualFileBasedIniPath = KarafIniWebEnvironment.createFileBasedIniPath(testPath);
+        assertEquals(expectedFileBasedIniPath, actualFileBasedIniPath);
+    }
+
+}
diff --git a/odl-aaa-moon/artifacts/pom.xml b/odl-aaa-moon/artifacts/pom.xml
new file mode 100644
index 00000000..8efad137
--- /dev/null
+++ b/odl-aaa-moon/artifacts/pom.xml
@@ -0,0 +1,231 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- vi: set et smarttab sw=4 tabstop=4: -->
+<!--
+ Copyright (c) 2013 Robert Varga. All rights reserved.
+
+ This program and the accompanying materials are made available under the
+ terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ and is available at http://www.eclipse.org/legal/epl-v10.html
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+      <groupId>org.opendaylight.odlparent</groupId>
+      <artifactId>odlparent-lite</artifactId>
+      <version>1.6.1-Beryllium-SR1</version>
+      <relativePath/>
+    </parent>
+
+    <groupId>org.opendaylight.aaa</groupId>
+    <artifactId>aaa-artifacts</artifactId>
+    <version>0.3.1-Beryllium-SR1</version>
+    <packaging>pom</packaging>
+
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>aaa-authn</artifactId>
+                <version>${project.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>aaa-authn</artifactId>
+                <version>${project.version}</version>
+                <type>cfg</type>
+                <classifier>config</classifier>
+            </dependency>
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>aaa-authn-api</artifactId>
+                <version>${project.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>aaa-authn-basic</artifactId>
+                <version>${project.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>aaa-authn-federation</artifactId>
+                <version>${project.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>aaa-authn-federation</artifactId>
+                <version>${project.version}</version>
+                <type>cfg</type>
+                <classifier>config</classifier>
+            </dependency>
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>aaa-authn-keystone</artifactId>
+                <version>${project.version}</version>
+            </dependency>
+
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>aaa-authn-mdsal-api</artifactId>
+                <version>${project.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>aaa-authn-mdsal-store-impl</artifactId>
+                <version>${project.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>aaa-authn-mdsal-config</artifactId>
+                <version>${project.version}</version>
+                <type>xml</type>
+                <classifier>config</classifier>
+            </dependency>
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>aaa-shiro</artifactId>
+                <version>${project.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>aaa-shiro-act</artifactId>
+                <version>${project.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>aaa-authn-sssd</artifactId>
+                <version>${project.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>aaa-authn-store</artifactId>
+                <version>${project.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>aaa-authn-store</artifactId>
+                <version>${project.version}</version>
+                <type>cfg</type>
+                <classifier>config</classifier>
+            </dependency>
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>aaa-authn-sts</artifactId>
+                <version>${project.version}</version>
+            </dependency>
+
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>aaa-authz-model</artifactId>
+                <version>${project.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>aaa-authz-service</artifactId>
+                <version>${project.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>authz-service-config</artifactId>
+                <version>${project.version}</version>
+                <type>xml</type>
+                <classifier>config</classifier>
+            </dependency>
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>authz-restconf-config</artifactId>
+                <version>${project.version}</version>
+                <type>xml</type>
+                <classifier>config</classifier>
+            </dependency>
+
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>aaa-credential-store-api</artifactId>
+                <version>${project.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>aaa-idmlight</artifactId>
+                <version>${project.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>aaa-idmlight</artifactId>
+                <version>${project.version}</version>
+                <type>xml</type>
+                <classifier>config</classifier>
+            </dependency>
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>aaa-authn-idpmapping</artifactId>
+                <version>${project.version}</version>
+            </dependency>
+
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>features-aaa-api</artifactId>
+                <version>${project.version}</version>
+                <classifier>features</classifier>
+                <type>xml</type>
+            </dependency>
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>features-aaa-authn</artifactId>
+                <version>${project.version}</version>
+                <classifier>features</classifier>
+                <type>xml</type>
+            </dependency>
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>features-aaa-authz</artifactId>
+                <version>${project.version}</version>
+                <classifier>features</classifier>
+                <type>xml</type>
+            </dependency>
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>aaa-h2-store</artifactId>
+                <version>${project.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>aaa-h2-store</artifactId>
+                <version>${project.version}</version>
+                <classifier>config</classifier>
+                <type>xml</type>
+            </dependency>
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>features-aaa-shiro</artifactId>
+                <version>${project.version}</version>
+                <classifier>features</classifier>
+                <type>xml</type>
+            </dependency>
+            <dependency>
+                <groupId>${project.groupId}</groupId>
+                <artifactId>features-aaa</artifactId>
+                <version>${project.version}</version>
+                <classifier>features</classifier>
+                <type>xml</type>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
+  <properties>
+    <nexusproxy>http://nexus.opendaylight.org/content</nexusproxy>
+  </properties>
+
+  <distributionManagement>
+    <!-- OpenDayLight Released artifact -->
+    <repository>
+      <id>opendaylight-release</id>
+      <url>${nexusproxy}/repositories/opendaylight.release/</url>
+    </repository>
+    <!-- OpenDayLight Snapshot artifact -->
+    <snapshotRepository>
+      <id>opendaylight-snapshot</id>
+      <url>${nexusproxy}/repositories/opendaylight.snapshot/</url>
+    </snapshotRepository>
+  </distributionManagement>
+</project>
diff --git a/odl-aaa-moon/commons/docs/AuthNusecases.vsd b/odl-aaa-moon/commons/docs/AuthNusecases.vsd
new file mode 100644
index 0000000000000000000000000000000000000000..ddd59fb3f05301f2a2f652757404ccb089e3fd4e
GIT binary patch
literal 206336
zcmeF42S5|q)`0I!Dm5fPu%HPY6%0kOn^5frkYGbY3!oxF1nefDDAr)XzJ_93b&U<|
z2C?gE5WA}e1wqB#1PdxE`Okp5u5bI>ef#$PJG)<)xw&)Cz2}@;=T0osFe~zRwYrBs
zJ9;A$YBU%j>L=l3ILAL+TOdS%a|~!S7z{)(3Ge_s0WSc8|2h84HSiAdN7(P5<Nv1y
zLXi~yOGR81h?3xM3Yr2n_tzh6Xazpi+^@OwLwoUS;{KXAzg7OPN%ObF`8&)1BkfQ0
z4OXq1dx(-|1qOYp$K+kA{l&927}2K)h|U6za5M%@1f(bch(T#+Jd!kdV)OUE^l6K5
zjL<*PHxYk-DL(PNH?ZkQb3Q3(NR!O*D5}Z#`+@8@$Vm$1BMRyRk+Y<qNz@hO6MZ02
zoL?)S4smx1n-it{OSykre!9LdKOvhqnp6GxPa?lh-go59cQxzpLtjADPa4D_{u;qw
zW55J31<U|*fC0b|05Jg;U<p_O)&Lu@0a^epfmT3kz!qo&v;{Z-7qA2D0SCYlZ~~kG
z7r+&02ebz|0B(Rg&=KGPME;08f1neDbq0KZE<jhH8_*r-0rUiV0lfh}AOL&;KfoUd
z00IHRY5M?ufqp=LU;r=>7z7Lk2=fI4AwVcF1PB8}KsYcI7zPXnMgSv$2w)U28W01K
zKok%S!~n5?1c(FTfdpU-FcugGBm(0B!XKqTGB5#10VV>eKpKz^OadkYL~A}3m<CJ-
zW&kq*86XF~uYbSQ^WkPV>|sO*Cir+XhyL;>;R}D%@liOO{84HCmURBk@`*ZxLt#k(
z86d{=MEgwCf1;iGy#5pM|2h75G|&h&hW!1k4lMrL4&r_)MtIN<4<ZD=dg1E2j;$@0
zt)!z4Zm)L`?JMQ8u&xmCIo9lJ@TaNGCHfAcZ6*2~q75bbnMi=>V~949=wFDokLZht
zHje0*4#Ula%qnnV!k39&inyORe(G;qNSNryh<+<zOo}8Xm76}18zhO9q(r4kVw>a+
zNRm!Ul*GnMxY1D)B`AuB8!DNQCYhMZjgzKuV-lj0;-S$d>PoOAWui0*af$OGl9Y5w
z3gQxZ3yMmLnZk`qNs&%!lGUj*H&zm#B9U+>j!BA7ln{-+BgFHUCdG}3PXpm&q)FWI
zQAttplJSzHRBmikYE+Z>7zvS{FL5vN1sWqI@-t*iEM!kQnHv+8m?%w4MQ~pW2oH`*
zNgWfF$c;{kiWw(K<)%s|ry{tmsk~E?qQ;Mj;l@allAz$y6f`-NsQ+P6@lECSOH2d7
z6H}v7qSI0)rZ(l<k4PSJ1_etU1F}H-sivSq;y$8JZ_)wCCi)`6282C7gb#|Em<sA?
z3Ma-7djX=YAr23Kh)eWOgbil{#Qiw{k@mXx*Ti?kz2e}00pfxE1`qJ_9TM0SlNfb~
z!--(ufnkB6gMGsS2m1~R9MW_<p)zrpWPEZWShZik_kQ9FUl3^$2a!)g7I6^gP%ISY
z@9E*$rL(7(r>BRvH}TE?-tklQm#{}gmh$OqVS>fBB~X7|_S_`wB!__y(Kis^3jjiA
zeE}jY79f0JKR}ELuK+|HeF6~U#8&{JZ=#M8Iwt&ZaD3VnNs=3P;26nx?x3io1PCL(
z8wmJ!j|fhY#-~J$=LU^QluV2mG$tlRI#C*z$`!`Njfs&&H2?AJ6p=n=;utC6%&Fkt
z5rnxS`i1oyC>C`L9})&h{h~a=-rpx5P9)b<J`4WZra4O=_+AbJKceL)e2^&rLg2$8
zhZC<47w|V93S0>tDK~Hs3@0%(8Sed1Cx|vD@qJu5C~ha{V<RYLGm+>g$5oLr+L%U#
zF<L(uU-oMna|Xa@FA7F?V_*~*|2{6Es~g0?^!*`+zn|tM1Fi}8<)W|Q^TQ$Me>j7Z
zeLRQaH3bv4bOneq4urIc^AG7@O(Xl}a0vdv@xRkE{yj@V7~}7m^Z%V(|6_x{-j@H^
z;2#_O^&0r=bMSA~gRg&h+`M`7KU1J)v8S32IRB5y{gX=fZ`l9}FBXeUOiWs}YBguh
z98kxzXV3nmjDDJId3pJW5hExR3dl`KN%@b-{WK4M;Q8;d0iWMnv3T*zmoLM@!dkQ>
zR<Xa_ccky&V0U--&Ye3?o;-Q&+O?xbjrs#~`B_pR*V2lZ+k)KTQ4%JTm_@NzEGtWv
znW@R~<HtXX|6hLj+ialGXp*H#77X)%-ra_VhkJN<FfFYLH*fv=?t@i_&$qRAAd-Vg
z6^^kjXl-m;|4D`S^73lg+IG{I+nePwESSc|#u$cC$vB%qwXw1JljQzM$r392Ea~Rf
zR;^Y;!_wTgT)%#O@}zW5+ctC>jbU!q{Hao@1OkB@&+`jq-j&M7U!J}a9wo7`u%OXs
zj+~Zc5*98B`z+-@>hitZy!Ub!6l{Yk*s^8I8Pleim>55N`0$Ss^q)!RM{EGC{DOJe
zbQ*PRf<z{p>Ei4JN;fqzrjW^S4k3pQ9g;|5A%DY$4O^_pv9`88clGAM@;mvZWug%y
zt*oqSYHFa06ciMIA^-LGcM7J}YMbRQT)g;GxkAy<wr$%&HSOECucxOc80oVkI5=3R
z)BQW5|GayD#0F5#KtA!jkZWUVZe|LqXIop17(T4Dw6r-NU<MmDd*zB1LZNU-SeQg2
zdHkLJ?CmPB0qA1*@ZrhH$(fm%R4Vl|MZhIg6tK$gD-W0!awQx*2#)^!2Y}q~>Yjdm
zx4K#G`0?XG(a;r{o10IWGG*e#iL#~x&f(y4xxZWP@5}A4zw2`wfU|(tQ>m0zRt#u-
z#G^;=+_|$kIZ(mMl`HwZdP0OD0|KE}=-Rbw=B!z--@a{l`|f4Ko3eWkLx&Duvt|tx
z`0(Mw&_=ttxj8#KdwY9#>Cy#i23&#-z*~QP{valF{+l;%9vUuUFwCJP?CjwVsm-06
z{i@;3t2b}!UpHK<dOT#<2&Ga9B9<*%X4iDs+uOrs$BrGF<wE^{{QoAo|FOtFumP0z
z^y$;$(W4UL;-J`Y3Hbo4G^-vg0}T{t0kjYQCnqI=XSuk#j!hhY<?j9a-{~LLKIzTp
z!;LUbg<gS3`iBSfmLDtAkCt%Pu3a$h933%g&z?OH0lJ)K)w8Ww&HWIM*Rh2S`~3Oy
zVE(Z1@C(;(X=`;A_bYw6bb-hpE1#>YYeGW8kBay&3?!7)oUJ7b=9n7OTUeQcLlr9X
zA$-)Z5m52L>!C%0F`u!q5j>56qC$KyRkMZQe8GYROeQNfehi1hojZ3fgxt7s0~(^l
z#Kidc__(+@IDwV{8U&~W%?*09#DD#)uC5Le_=D&`Uq3K2$OWlzxVkulAAmQ2P#7RI
z-w6E;$PFJh0^~xTArNX9Oje+_feoNN{MYpVJ44>v0CZ|&VZ1>W7C*utrd=HzUEqth
zEE{N)Km|Q}_E^7uee)RUUyA{?0V0nZH}2C;4=zFVU;ya1lai9)1Z<#CDE{?!2!U2&
z?kqV}5vYPJQwGb#oXKDq(dnRixm^BJZAi1+Ns}gh^ae-@TF&C)V)*LQz#kR*-xK(~
z4IJ87pD9|@v%6=YzaNcCfk7U$1K?jj@3~-@W?jJN?<>`g&H2vuZ3Dg9nwpwIZp_Wh
zI=Z`owSH0VzJ2>3K79T@x&J+Py|)2m$gj^JBW4TF?g3EvFTVKVSNc(HZEdU8#AYvN
z7nfgo%V&l6?BFybCScF9csiY)laurFs{eRzlU!no?(E|H`{aI1>MuX}#0J5mTG+c;
zw{?NKPp8xR1P1&{*Pc0Zra6NFEx_+9On{#tF(xD;a%5Cg6pVbj_;hOSa(*$j?Ck7+
zNA54C{~wF+y$v3JTNg4q@yx|5(CNXb)W+J<#@g!FXaqXaUumr$E!EeWa-2k=7&F#y
z*a~w%5DG&eIBD)?fAp5-z_PNke@E`mr2HTL>U$e}CKy!kiyDDW7>0n5go}&I?^Z`;
z^&_eY18i{k_&LY}R05cSG+P2(p?Puev%G;^n5Mx}ovp3yr<LZ?rArkR6`w`^@4x&>
z8#HHq)~s2)j_y`0CJYn*RU@E!hJ^);`qzEAvrG3L{el7<Y}tJSe1B`Pq4G5w;Ny+Z
zC->;y-OQ926Wg$@Wiw}dI_Lt4re@}CIh?{>2mJf=?c&+N+?dv@XAfAm!*RT*sOV!l
ze~Xh}umO|-Mn0=ouZHO^j98$RXx0dL-}?1mz|D>>?T@OD?KxhSwSLclfrDCDnps;}
zeX6hDtp$*~Y11a~0I&o!jLow`m;f$bya?pFdvw02DQlMN?aAY|wsv%MG&3^;8^pxK
zz%-?Kq2kle-(6FGcM*Q&jlXPz=7c~auoTlLC<tawpb_GeP3%{+vbNr{x9Gs}i;DHT
zrY+q}rWyP64uW-?Un%|<qk&w|`{02C!S+NK#kPX#2y&qn+FP`*S#H#n#Sk($bZB&R
zG)x#B92{V^;#2LzIZWAL1?3mT{Us58tqqzp2O5E~W8Xe~dUo-KF$}atQ>RXA-MY29
z^y2C-c0yIKb##LWP+(|G!0$dge)k{}<icnzSSWOM;KIDUM~@yLm*|8(%5`uBxzIVm
zbQ(kxrTUixRt*0V75}18BB#F?>9YvXUBiMBOs$86h9-_1m!6h>`_?^WVG-B>+Gx-P
z#BbleJv`X@blnu(uz4lpv($e5<>pPB;4uaa+k%3Ez~vV&T72(LW#OiMALW9Lc|0D-
z?bWLnh;IIbHSK>>?yt|`?~D0+Z17PM+zghuclFM9HMKhZvqNXEe6#_~@}PBw6;tR)
zpxuBq9H=gTlrBK-$rC59ohqxXdIWNhetn(u!S;Wu+>ZtSV^97q8$e6#?Cg?0ang~Z
z(yvdI-MDrGR^>h}?-UjmLR<9JS6{(oYWw!>Fp2x!ZP90Ch7keC9XlrR!0w}GOD}3J
zYW_2FKg-4+b@^}E05SnXAb5xm3l*cqQLtM1>1h3r%Hofv1LlNU1#&||hk)F_^{Uao
zYlCJ5K_38};UDGZKdST}4TL%eb@4~P`WprQF*f)c75Kj}tN+;GuQ$p+Hu%Q|f4v6&
z`W*a*dH@gHVfz<6lKh!Hwh#w8$q5rCz+kjF{$F3j|N0#K1{=V0f&ky1a6|J<_+!yv
zJUS<9cJn2u9_C^lI&^@k8LXWhJg{%;=1p6+Y=N~*7{&hWRy04B@lQSZ1sj0kRxDi%
zT88;BEYw(-P}ml9*vClR_Q}z)z01rQ(;=g<7aD?ne7fwtcxzPL7*jgghz4)&Ay`$W
zkV!^V5<I5=Q_J&rOq@{UPv!emshZcp)td_|*2Xa1C8GYsF))xX9u)!U!1uiZ`_??F
zJ#q8?qOHZIrY1CFQ<%iUb|Y&GV>%UwjY2;q?*DB#q12x$eDc^>VGpO>i^R6AtUqmk
zpiyc*U^x@+g^hKiMviDs1X7zkLk_!IG!-?wFWlgI^deDcu#gE)U0^;1d*6QRCcB@?
z+y7Gd&)Fbr_ALJ%9cL|G0GryN%%3epf4qbh<354@&6DJjBS*pt9lV8btL6#p0)`Fo
z3<e`TJsr#d3)-;%4pvV;T}=IW4%6)aCAI#hvizJ4K&=$IiLo_j%Iq8%?GRCa;utF)
zCLA;n1jCYb`lQJxPo09Dpk);giI)=Ewgs!eV_wkykt0V)BoeHl!q({SO^1(<PxH38
z$jHdwl<)tg$b?dVraUZLC%U=yqE!X3YR~W83!b+7bn^D{^l)q6-r30sKB13=7n0x+
z{Jy5WEztDCj=XQ5ztX>W^{%n;!FNwNTrNBcg(qw9Fso0WKHa)?gC#bw0ldf2e1I9I
zO`8U_>Swa?zx~xO*x=6n>Ye*aepCg}B{YXa6W?qAxP(R@JQ^OPY~5XS`F_o`88blR
zFt~y?r@2>$6L_=&dWUKNCvd>lu1`CgAC>jL9rz12_<e;3tAMVdPJr(>_Y)8Tol5WC
zz2T`2v{z0}PR(1=;SzSGgOPrpp#P1#{uCQDtLC$%?9rn~lgY$f;nU;)b2sqOfe3|s
zy!ca3;0-EhcADSIfPD|`+O>mEs04qi(7#3E|2Z3gI==k!%jS*gFjR$A4S3l3@xkZc
zLRo)OCjX;0_>;=;cTe^o8~pVa{Kp3W*x;|%z+ayOq8<>xGe`VJ9&r%APxs-xDc}$K
zAb!&=6PN|e2C{%Tz+503m<P-U768O=!4dm<iCv_`w#6J^39uAc1}q11ffc|?U=^?$
zSOcsDh~IG}_9L$clt3OpyyI8^6apK7jld>=Sb^CBd<kp?wgKA#VwHFYpaOORyMW!m
z9$+s}1QY|r>sZ9^5FP*y0*8RZz!BgmK)k9~0vrQMf#bjl;3RMgI1QWu&I0Fv^T5}@
z1>ho}0m^_&Ksj(3xB^@St^wD98^BHA7Vr&l8@L191++i~a1Xc-R037N1E3nH0UiR6
zfX6^B@C5i4_zutkdY}$?3Ooaz122Gj;3Yu(-r{SZ0eAzv1>OOT0I`w|KT8M?FW@&B
z0phU-8K3}EfCkV3BfuCi0Zaiiz#L!z7621q0hWLjU=6SV8=wWy5@-dq25f;gKwE$V
zZ~;5O9&i900Vlv2Z~<I_c0hZe1K<X@104Y#-~o67UVt~y3Fr*?09}BtKsTT}&;#fR
z^a6SVd_VyB0)Bu$5C8-MK|mj%FVGL@4-5bX0)v3TfDi}<LV!?U2oMH{fN)?aFbo(D
zi~vRg5x^*5G#~~dfhZsvhyh{&2@nUw0|~$wU@R~WNCd_MNq`hc1||S0z(gPwNCVP=
zNx)=a3NRIz222NL05bs@AO|vlOkfr;8^{9Y0CRzCU>-0ZSO6>p76FR^1&{+Q0si?-
z=)b<d_`Nx3`lVB@YuKQ6+<=s*N$`8bX2wL*K>TWQ)4!1bPGJRCH<r4R!Vcq2z8>22
zee=f$+m9<fU)f0e-WMtk^&k^5N@UJW5d}@3-+%P2^lrNNW&>8MCnY?33jgGQ0U7F_
z8lJt;)38@{mPr1%j!l-c5f}au0fQWsl$0P?eym0pE?hu+_GtGYcqnCu<j4RoRU>%k
z3dvwq3&HB}i+TgGgb(ZRNCwM{sH&>U9XH&&cMqMqREZ2LR2np8%`s$9U%ZD34_rou
zt?HZT{EZr9xOd|ix^w3aGMqcK5`FW{H^@+&Hy#aMT#5``yQZL9w{F4hD^{Rsd&`mG
z)<Pe2>%as!S=<G!s?Z^W|J-e8>W*)bVSlv_h0k7x42g$sqL<GeB7<b{epLD5HI(qx
zPV{x0H!^tVxuJI9bCKbCNH^p>bQ;peu2Q4bI;1*fxQ&8R3()=t1|6Dt@jklvo#8p!
za`y@9B{vkKLuYTI-1Ua-=$og{kadV*4QeNvi?-cr9EeuOp_-}-$e_Qq9X-2Wf(&Jc
zzX1I}b?<#(8XA10+iSgHH8Ma)*3e*RKzHt6K)O0Z6}qaeMI{=;eZ=WA11;JGC#P=c
z(Y7^)5_IR<19ag8{~;3fOnm>luisno$Ie>(Sm0-2qE@wf!&7~mTD|SVXL$|JX^dKZ
zeO>j7{x#3Z-D~v$wR#MNb;ce(lRvHN#~8_YT37ML6RUoa@VMr=MXi2VtsX~VSuJYy
z0`1%7*mC#=+p!vlUaTXTQmdzKt<}?N_4Hc3QLWw>E=+3mrnP#rTD>`3FlwGJt9->f
zgNth5$$cqS1HWD#4b6398y4ok#vRyVQZ)GS<GQR8@~y{pt1T=&M59<){4+;Mh1Am+
zKG1SG+`)}tJ6ro%c-qKV5bSI@lpKvaSy6J?)LgcNmdmCeV9HoVc3au3$8~c~kRR8P
zjw4H^lv*~(($q25lG`r0;*Fj!Z^c<|+rws$m7{ejOU9yF)k1o-1#a{OZjW2EVQn<d
za5iypF0eGc>SngLGn|;$TIu-#thw?tWIeoZ<-p_d2U&LQRN>9%iaeg`b-pHygT`Sq
zt**LZSKaWdZltR&@(H|IPQgCQ9f$kevR+|r<eJMq=UUr3Zw9@>!g3rR9V4}|T4BAs
z<qGS>b}Ot)Il)(2zvG{?Z^JUlWt--*MP|8d^ISF~mu&$T%v?4rmu=~5y`hX;{<zMY
z>Tv({J1K5N*7qJFaPaG1395-gqDFBjCK2Hh5lJEvktHIEL`0Q{Xp-QHLSfP1Tf!#+
zwHR&@8Kz>2Lzxm0OCqv_h*lDjwM4|0h-@UH7cDl3TIRA_MH`Vr?+<DHC{)I>rSzD6
zh3xgXj@el_$Ql*iAUjdGmKME3HjJ6jqcRjd3at#y#m>azXW~hZLLb*{=H4bxNa!6>
zGWK!Zz6vnGqL&tyTy7ziCo81VnRH*-Xjza8*NHtVxxjnNmo|lMWGwQE>69;Rss7RQ
zl|k2&H#)4CZnR>$lktk_CSTe-t~*i%sl3~jK1R>aw#>E^^b$_&*~Vt6cdb=rXMFNP
zYtjNY@&Y%?0=N0Rt*tj~hddm82zP{7SmE69lHm$&>w^{(Mq!yE!E*AFkjHiECuDcr
zO`NVAXpO|;3F2AeT=8ack?^$etT?z<_)f?e-iBqB%eKyCJF$JOOZ1RfgJjilEWD6h
z!dHA%mbc@^?j6P}woDwwdT?#iWaTT>93@(%+^RgRyr`^DK2?(Q9j*IXsO&e$SQaNY
z6<9L&9&X3VhZD;yhpqO&->cTo53~0kw%L2Q1vlXO#sbTholXm4S6H_OW83Dk+vKv_
z`dXiPPNufzm+@C>zC6``WPlwEmTfF@CC9PM?%x!x?EFp9=FaGwqJ6|kmZ`_?`KBI<
zfKW$kngf%)n{HcVWLqRMwk<LlS!ChBW;(EkvZ87JmP=pJ^I%k+pggGkT6<Tk*Wx-W
z-Gh3G?WRj+*Rj)3H^)o-NthPvUa7^-W7u8%%CP%GYDi(#<a!AS3$Db5RnDo-sv*s(
zCbRblRy@EQY9Oez`dAIAv>GF~u`Gw6(wK|KY9aUvy`J`xM6V}5&mv*mXIOOQ8wd@k
zhsI-ArQfi6EGT1GWn%rfm!!n{3FM%R?v+6h(MnWpwWWUZOVXBl@|L>pm0RixFb8W<
zbya=kOHx%m*`f*ptLmWL5LI)j99kBMOC@t5$6O3^uyGYtM^H!7ND)+W1cU`dVBw?|
zqUu%Dl{C^SsvUV11g?UxmZIt_RO8Du(iJNC3WQyOu#i@wY6~{QhGfAeTQIwJue4xd
zPB0vt+G&O-#kQg}Y!&7fnAR;j?q%$Q<wXf$l9ll`7B1+5hfk^KWc3b8XSIiY;|`;E
zc6MApNAgJFcp;Mc^R!C>a~)LdP;IQX?H-Y-ZIPL6k-2RV!**xzjy;#yNA})W=uLI*
zM0IxR?C9)shHbFy78KPGl|Qzd^>EHO4x>kIQ9{>Yt87BT`||C)W4)f0+2EJhSg)|t
zHr1+pK691!9Q^AD&rgO*$XCBekMU8Z=D9H`c`p3B6(ahh&;&IrE8wmRqulglmz;eK
zQR76_bi`-z*YwXWN=O@Xu2P;HJmbU{Q85`knE{WUhUt9Ks~BoBE~X~W#H>cG9?+A?
z8jzMSD)&vK>!Lo<b$iDIS20)is|j=!Eh|ds_-?jES;>@14l5mUap5(eT@6uASy>70
zooA`6vPw@Rrx)~O;?da*`-Z4FU553scsG03_+2p}{NU9C&K{#BX3fnUwsXn3-qMu`
z%f=E7>LNKcS?9Zjzl$$8&cDiEH7#MFgZ<<Cl*xgp-Y$%@Lbyff(Y-vxmp_D0mhe-<
z8#DOVWshW5YkJuuZD50wPRLVOik-wU(}P6#Ow6(Gq=;OJXeKsvUQHmHCtfT5N~{)N
z5?6{}h-p&PQrbbfOeT~@N$>m34s5GHhn1yE_vc<&JyOwoR8Qu?NYp=V`UCFTC(8Yb
zbBf!F?-o8!jr!Jl-QZ<jwx=gh*W_*IuU2i_#MrY-TBQuSD#g*ZP2Zh(vmJl49V5Nj
ztPQMU)(Q_Odn<w!$Xgs3?sM-FGd%1Zw9G#D=z<4RMpZE>-BklsqgBbO)Ypp!E%%ZP
zGaws|GWFRe_5kcH8;`c>p+tj}V&w$oEah0~{F5tGTk<0JYjXA+SKU?BsBk>bZ4}9R
zAoPUQ$2TZj`1-6po^#;jL>;%_lztyOVt&Dn`&bk<%}-siKcM@i^(C|b?PKMc%Scm3
zK6`D)eOz-Tm@`Nwmd$A!m~y5MdBE{6t&aJZ?BmGKa=zhw+j?55pX1^O)BMhMuh`#n
zejbK`_Z%p_kB%3e-u>v3!;2OL9xu+6_j)m#l-d6U^7bA2VnJr?3pCy==@l}c_6jkw
zU+o-GzUsv(zl|>tOZ5twSss3ctj@mr_UX+R?Qm}O3km-0MLw=7?rlt_vVz-f^kd0=
z<-V<t`zCslx!v#G_dC6-^j_d$vPgYFiL^@7m;8u_cA>|@!$L#)Jwk))zgFKZKE3PF
zrIz`DPahuk?eOX#LuXg*peYIH`}%}oaO;PAGX{_2+tYC@RP$`paO=i<b!7WfODw0(
zYLhchv-S+5`gnEqybZfF$2C{aW6@(6)taRn+iWOU$G7Go7w03Y&e|Z|vrQZ)a?#`t
z6nv5!X_8CU9i!#_9&ORiK6v}MZ(hZII(E|S__s&<p4e}Vtv`mJK5+8M5!V;JkGeN?
zS*M>)<<CF)WHx(C8!CT(!NLr@4=x|D&idM=Hx%bD`RF_Ti`5-<0$r#s_PbXn`VXP+
zDVkqlIB_^vw^?^USHFV0fb)gL-O9wE$%Q7e4Lv4s*;y@x9fad#v3?6?$$Z4}&9VcN
z((_KqGQ`Wo-;6bro9CNNbf6UG)(J`CGI}<>jQ&+!LT8M8(j@!QC116?Ix?1#pq{E;
zsE+Zk#oSQl+$&GZ=(Sj7(RIc<27}Yrj^oXFH?Ln|&fC+8e1~tapac$@_FW8;7ge>%
zDM-u6^W3VBR5SdEf2J)yS)xNRC{>c2f`;xGmplf=r^-{e>Zh80(<Y~|%fnsKvQ$}{
zoV1Mj`8V6-<j5=6F(-^ZcR4imv<J%TDxT2Ke2GjuA#r_*YDS^DZr-x0lHwUM`^wPN
zPFSAETRg!+D+>-zPF<I5ElI6N%1H0FAf=~bup(%;OwhR2VtT=liOKbLqR!$8%tS@#
z(&V(|$xgARf~0B5nQ1*1q#RO|T~I7itYdE3O&+UALAinCr9(^wQ&%NtrZyg29!<F;
zOF@3ClH(^|&m5e42*at7rlXaqf@OnqJ56WOBU$s6!;)79eNnp$HwsCUgQQ;jGOTwi
z!%{1vmM0ILh?0YoQ&uG>tx2X#$w>EKkW#Ott6FU<o-sS?>U7D<JNzrWgSQ{}l8V~2
zlVGlK7<OnAzV*;1(xFY{Lz^gvHc|T@+C)FJ$>`A~aUE8<JMzid+FfroJ=NxASgSM4
zNIq|+*znE#2_teCe!<CEG0vde3M{v7CZ~i%AGdh}Ge2<P+6%`xmpKn?sSE0GN>$0Y
z&1S+Y;%YI9{VqFdO1068`S->PWx^#wdEZ`lt29BqC?0jELI#<VkgrtA$Y7u=Go{-Z
zM;Uvik@p$T8M97TNX=xhgf=0)tA~fEraX(^vTm1Y9A{@A17cLJ;cREMOn%$dLs#C4
znC@{nt%(_*uKb0XrrDxr-p&wC3ahvC*_UDTAc$9z=#6%$t&p5@$1t_6S*FF~;u#*t
z&P~b<znX5mK<Bkix1)CRCFJ<*gzjV@zBi07XglAM6kUOaJ!?_9#}6YjbbIZ`N_JXh
ztJbIn_^|CUQk(BiV&9&siL7@-Cr(oMHv9(HPW;#WVV?FB6w6QNw_~jFj_ACFe~|xm
zXF*=)+x&9I@N>A`hN}^wmS~{PoYRe$sJ_97@qggkNrQqk!!(=`115Ng{lsD7I5C<m
zHsT36ZYLiJr*Rf>#-3xQi-hx!*IYgcqcF`O4caO^-0wzzr>Ikxo@&TiwidZ+yK4t(
zM{AR{ncC&rP1=h6+H=>!d|Re<d}OQD%Cx9$8<+_P=(yp!1l?5KLLKepZI<DXuHu4D
ztE<zI-i#40i`HI35B#%){CB;B>tQ{z<&Y@D#75`pQijs7%dkHWZ*;=mIp278`O;X4
zR$He<B%Sr+yN1&YoMFYFNxL#oe+Eg~T`FfRWo%#+Gt#AKn)C^ykzpgV=XBzTWWzY9
z3$Gt<BrlJ%n{$G5jq{L$8aS;LQ8Eu+mTaXgjyIWy=JVF^cJNAg<-96h^~r2cg!8TV
z&it<Y{`?4j5?{_2Eah+D7xT~XZ}Hd4^F8)79tv$stPgNGG??a7gf>FU)2^Y+s)g3o
z4`-L4(S<E4{Tc++;QD)LR-wJv`tjvU&JWPGQ7bY_#19nd22s)oaiSQloc*2nx|Ah#
zlnzz*m5z|2A?o?+9BF}cuk@7kl={3Hy_K5F;x%5f0NF-Of~=1M4Ofg)?39(tuE?ro
zuVlswG)}uqBT!t`)M(Nb*@`s^!FI(_MVaEh;<=*U$z<6ToV^ZrR(4hPS6<pAQBG2#
zdCIlQuas)#C1vFo%8;7Q?tQlp@e11$ntMw1b$BKz6ouCh-S|*d=@}?mg0>H-E<ZG+
z=w(~2yNbVsUrW9!R%|4_GUTf2RdjVLHF8t;R=a4T)v4;uj8*EbYE;O$#i&p}Rg*Pr
z4V%-Ng9d6wYxZ$6HOn<GI9YekYS0$#rz3D@9hzt8uNz_&qf67F&V?c7z37FyqHhaB
z9PM31Owkunt5cspXz{K?I|D3UY8)P5g`M%j&OKm3*}F0Ld2mxNH<GKhj5VacyxIAS
z#*B01Q+4r1NM8QH-VYY7txQVz-2&Bj4aY0{<P9ntE%w8rjSxOE01GoR=@x_!G4%_I
zWLfiEcqh8?26PM(<V8Aj>s^qg*U)rcqP<toyGow!wCR**6E|205(4AV_^q*`T+;Xm
z^7shKBBvz*v<=j7jRT#OQ@zyah{$;95s?`wXUbCx*YLzbX4oRfSdsVmh)&}pd^q82
z5(~RcEOgA-SZKV&4Bh8F=TZ4B`0e>U`Gfh9e3Zg(W8fK%^ACM_k3XRyW#jV=!Ry~G
zwC&4<b);Fy!ClA~h6rQ)4>_Jvqv%U0x-w3MNOIo{;WFVy;XdJ6;Wt7O8aArko4%>M
zIlT5_1qY`sHxH18OHa*vc<;)hY$+<zoz~sd)#~2q7>2>KMN8-};_0#j+ghg;@?^f#
z;t^~8yFsewv`vo8f{LXlIrQ5Ge*XBaegTYdMgn6h11)5vadt9F84Fd_j8_a}4q2`0
zXv@r0=}$>Gb5)oct>t{hS)#tgspM$XG~PQIouRN(2-{B>)lRu=h(e+eOj68K$Vvx4
zFc}~IfU!k^4l1sl4cJw6;fbPAVWG5FqE5;n<uK(~<#eUZO#QNr%IEu(>)-X#`P;)H
zngKZyD`>4+orbnomn)YU!GoFc@#{OutK3mRSW5mVpME8gMnSrriTx@jK`-5}0{(5)
zekE_Fe&dd!p*g-Y)*WS>^}Okh3fsy(ZM&GnS3}3_j_G%8^=#j{GCU=}tM5JIARQ-U
z;Rs#g!_7!rDbtlsN6hY*We;S$ZG8r*gH_Snom#b=&}QGU&iPnz>9nWltXG;UR1M={
z)fR(Bbx(yh7``#ssN1P~sQHY^j0tKqOTAvbS$zQNbS6Wm#x!J0jguy-tERsuLX)JC
zYtYhjH=W*iAAt>Y6;|Ufeb)xP)tGC!S}$#YHe8#aovIZq)TX2q-gTFWtr-2xbp8e>
zVj0o-{0&)6b4#mJaxs;IuCuO>uC(U%1zozXB3rjcw_SI%b`&34S`6Lvp29Cpb~o@1
zA%++OiPWYp#)9b^G~YlM?l7PdL%E^KP;a0!@`P@T-V7AXh-UN>&ta@$VEh^4iwso3
z=p!a`*c?|*cg{f0Xbwu|WO9~sHgR^GqKBO1T<73h<4kVOK0JoXYr$*J>&cT3=0);S
zc(ZvcuUuHN@@g-1YngKC0f(uRW{a8pmidaSZkKYubo2`A6rH<%*-;*97wf4q6LN&{
zs!_s&;tU~LCJa{)j(t$^t<WGmt3VFo{)!Wd;o@=PFr`AAFGfq1C&kyrkHl}pW>SvS
zQ<~#16-nczQ>3gj%a<jRQK5AH2GjgiUtL&xe)VJNTWOBDj4Oi%b!Nwf?P2sSCZ2{g
z`tQd270<)_?OIVvlE-$-Sb4Qnz*G*K=f9UFAG9~Gh^#CY;mTr?vY4(croshHSxiwD
zGnB=qaABb=Hc=KED~pYk#ertZVsquLy0m*&k4;nizOz<H*N!M?$cfy8FFF|;w`)WJ
zCXe*r-6}e<Wd4W(%A%9xEho!%k0@X*-Ey*Jhw~!}nDWTOQTPyxNM^<{maW@He&ime
zr93tv<8@j{nqt^||DzQA@F^^^DDFz`se{K>J7xCWxcW@$E+^wc#fp1n8254NzJ13m
z*IX+&LhD!j-9GZI-N#r)ZX3?*izxeQZ$z2jF&0U&qTcJeU1Aog%0Zs5-0+QJMTbk9
zXRO|Lj76nWo@{{|Xp|=ryN^MDF9ht~ZP3;h9b=iatFb@EGHqAW`t&iD*~Du68PlA8
zy;p9htGC=PN9o2J<oOPY<yp#22BqUMOQW|Kx#io&8r<lu>qF8r$`kHsjNEV6lFG&P
z^<KB<x#d4myj5GT)T8h(dS3RW*L$tXpy#gKsQA(_l(ED^?zW)^di<=!bj7#9<;Pg$
zY)XwoWrHb&QiF2siVnzyj37>))7(?%51XFubeh%o!l})t+Mi~2KHvIl%L}Kha*w?`
zY^5x==AYcFJf$SxP(EHiBA|xhVv)DzN-GuDP1Re~FgK27mM<tca#)>n|4~b8M%jzo
zw4u(Cd+75Qoiti>(s<EHasG$`)Aox_nk_nMzUU-F9(lU_ON#@ZX0Mo(C*I29PW_d|
zosVDhNp>E%r`xV$ex~_j52qp?i+8wZZvB>BT?H=b24%gSH_Pvtk$SMtU>{6!Lh7P4
z2!-+@!)b%*Yh5EV=oxu%PYQQ%m#cgG7gg<kSxSFb>h!h1^(BL{%)`>)dD1k0TzzWa
z?fj$spor}HEf42mtM*&WlB~jBPgs^nnx)EBZC0VpVI`_^Rn_}WIdN1@&jY7+?@N1=
z)z$5?<%X<@{Fd^RJ214h4!_*mfcC{qoz)oZRjp2YJwV{FGTMcB48d>fN<4{J86B(K
zn=jilVSKceys9y{Ks3T9qo-M3WD9*vr({F(Kb7r|u1is(AUVa}Z|XNk8-t04^>$-$
zMyod&HyeWs+dA*sH*Q2a4I0+cs8%VPOYCKxWKV;px`xT(Cfq~OH%_DIV-sYhQA78(
zMZFq#MU$fMAo8q|82eq(<bBeh(ublxojFOz!xA+M=CpFV)FxMiEe}V%c8=S-(8)KX
zE9c^T&ZQm?>{_~MpDmt>UCeTy%TOvdTvPZOw^^yE$TS_cTh1I%Dsg4bq&Rn1%9Qr)
z$RTwDBoU`(J(nI-R?I56f^rSdly|c?c)sNXh{MHqyJOSp=N?yzotZ&XoToT<KxE!P
zar;MC#f{3BtSx*Ol~p&DSNrt(x#Zl;V8_L=^3l9x-u_Jscyo?(J$J!B-I*Pd=}{8D
zB*bckc#HU;7=10iE7pr~sg=}O+Ev<LDvyvRN#)X|(hbsL>6vl<jn@;}5f6R1?fbxU
zpC{5r>5Ljl>#3B`6%#tGm3<`}Axo6al<9M1{k45$ad*$5=tG-P^vao9{bcUj^lvc4
ztTa<_6rKuyg-8*fjc+Z&zAT=tSfSXWIH>qqf$l2w3S4<d*F5x#P@+DDg@&cd4ax-7
z8RaeI6D3+<uu$os#|}~rQzbE`tI%Rqo@%#>%($j<Wprnls!?0DhuTjarjAojhH>e-
zL+I489qJNwxw=YSucm8SX^@+yw<cH<tx46)(X7&J)#wkyZ@iqB9<c8K&$0N31M>ha
zrnS_<4)Jx`9omvRcP?quwb@#|A3u!0OEww0rDCLv&O_1Tm+|$JIn=l5TIB5CO6R8Q
ztqa!CqjmAw`>e5I_7WY833cfEvCC7Tw;|Agh8o5gBA^=}W(#SIs|HkKcx~7wZo_!X
zFy{<mNEm3AbRJ_Z<12=m(NbE;=p{u$X-iHAPA`s-6UCXx$>NY#a@HMU@8_K3+~$18
zfq&?m#dGBO@cQyb@Dh15c{#kPZnOJ7^e0xmPRU6N`C%zXdBZ2fWS*R}LuOvZgGbU2
z{liiYI5@6E3#Bk=@VsolFLibCWu8|c`Z8ne`tHJk18hdb3#SO(W~1%GTydH3zL2e=
zid%?TD%4LkSR5%%5ziK9sphMi9LHHrI8LnESxS-F$mH#0Nn@Va&6E=Jf)(lS%8p9Q
zq+XifjV3V}^hk7d$y@1C^#(ODMF^KA$hcEw3uWtNuN7a}*j$ilWvEU@Qdlco6x|d9
z6r&VUMMZ{UnPQ`&fVbD)y=&LuDdh@{Ygg3&UJ6y&Fu&aYwF5EOL<TqFA*8G8ox(eJ
zyp@4UuP%~a-9wk|_w00pukrCt>^!~KDSq=96bU!-AMWE{&?R-beP0(n80@(iMVG$S
zvHH4F+Xmf1if3z-+m%CvWlH*e<-ESGS234sn}kNH)+z*(3RQ?IMwO--$sk5g=!i<A
zItjx{irPl~4UC@9AhlR+#hIlZuaRjEsHaNN6OK;3Q%a1UGC8lLn>c7cXTD~gW{0Lk
zQ?9Af)N2r3dvux|siRh)CDxt6p|Z7WwA-~uwPo7-+UHuTuA+tRqN3*$4xgzMwXS$m
zQE}J->j=+U=`!6C-O%+F>VV`mOO=cCq+95*|0=^)!xY9vLxll7SGHw@@%$KJj5rw7
z&1az7;vI|<MmeL3QP1crZN))u96cwP6U|BGgi2R&Ch^cb-bKzC^?WIr*Qj>ob?2dl
zvLKCwS1WxdUCaB5r{<wcyh`2+9*tinY<qo4NWTocS5NXFzL-COzijq={yKi%4t@#0
zoL|K^U%`Wak+WU2BiGCi6R*I<D_FvYR*`*|4)G$E`dnbG&qvs!+M>nMRV&J36w!fW
zqoN+HTe{r#wAqALIotU!l}4NLrF*1XW=}6(jcsf^v=ke@9WNNZoiuzichdb?-Nsgq
zG7wK_N9*dUNC;cxw@9cIZqOC$+zqEwkk=hu#IqdzeME}BFvehR;2LP^07Lj|nGQwQ
zq39|fHLB=~M!puB4C|M5+~6UuF`(CVONJbp;C{-2I!_cWP8Fl#VN1m4r9~m{M90LJ
z#W@=Ea)_sdBDImWlXS`LChew0cc&IjxF<a?yCc(0b(~C_j~i_`Y^&&~5GX<w=av0-
z;)j;f_Fo%z|4!5anN*vhMb|j(WIbeqWNmp9WV2)sb$&)=;~MLG=mzOpG-R8uLcArf
z&U<>kd^$%lkiS)NSb;M66^f?{vXZTIRd!bnRHD(!WMzwi>9MPnoY%$5GfJyS{}7zq
zjY{u^#R)S@(ZPcJWk#6?RbQ)i4JuJz7NSs!pzUR~h4`h~NE0L;CPtSy)5SA1H#xh-
zdo;ax*EOg?{6=G@^^kta8^nu~PL`raymeAnl?$KcI$UdEus0xuHeb6(ds2H{`$+pn
zYo<dSou_Une+)nVyR0SCb&GW+dAc0iW4g;aH@^BgPIVkgnUT@jJ|N~THql@chIZ6B
zjk+w{{q99w3lF!z)lT#+YkkEn8KQojyv>K9K4f%E6wc7^OQAk_mcdxYILJWX^=aq(
zR%kBfioL`{pNA5}Q^gC#c63MIuZA8I`5E;+Ke`;Nh@h;gw{pPh8FV^FyV09Wxi&<^
ze)N=Ft8ZDWhsWrY*6<MhHf#kG$!qnUYV|#9o>Qt{9BMSsk*u@e;WN7p=Hy3DaSl8>
zgva0shD)aSUOU*U)ljSVcgMq4knl5BU0@5A@1v*K?dL?&&FMn26x&*T8zO1qAa-+n
zBBECRE&jOfy_8H4(<B9cUKO6UH`eO=f*6K9>{_#G5_3C%whedaf{bhRgdFrEg4+H*
zL9QTZ^7n%DgrJ2#5S01oDU^j%tLN70MRv7%`&zw2t=<tXoND#XwR)FYy(?U_tJSx!
z)pw}XyTOHft-fQeo>!~)fD6xBy;rT?yGgsE&b4}<T78#VeOLIVTdf{;EA#-R!-j=k
zKVATk`m>r!FsI@7hyo-wX^I|5Q{#giVACC_3U9IrY@P$%^9ds~9Y3@L{^t24*n#!l
z+Lyo%uirH7c(4tW(eT3NlxFz4<9++n@UOa1!D?XV<}?NGQ~cbzKbfWnk><<hG~Yp*
zJ0VTXk=&Kil&HwLN!86N`hjvNzO{P4AJ-3T(fDco%mhzLsKW<3TB50hdPspZe0&#V
z{oap$#Ek+7DWCZ1PgeyxQ5DpVAFD#7oh5$xld90HqQKv(qGUovt>95D<gu5pJ81w7
zckDt1{e0AVH%M~$Pb5qFIc-3_ddMZ?<DI};%)vdtrUPgL@M+-gJwBLqC?q`WCldcj
zv)T@XJYQ_iGvO)`km(yAT!m;7paOxfCqR=hrdB`p#|;S^Z+_a4koANzQ{3M9W0P<u
z5NfK=r!}=%;p2a6<|Be2^9x{?87MrL(1|z7ZBqFAR;D@ckZ;P^T7A;*%lnpcQ~d7t
zd8hY*yg&Uk@5C0lgRm9y(}Vfx#V?!-;QQ?BM))~snhBTtbc@}GTZuUINK4$^9=4-4
z#UVnrK*)+8g!GNF#D_v19r!U$cC;nF4?>9ep-rEzF_yRq_`dJQkTVc62}1gQ3`vN!
z#IHg~bAE_>=@Lu4Be)6C7B#1Hrmq#A1tI-DhTIrvgx`k{B7Sq6$%Bk=0odpJJl_~-
zg)1TC`*gMlt?;)W<G`)RdLT5bcN)pJ4Qz(1`QP*E-}MSY^EbdNR=YO84De%KLBtsb
zKCt;?93tcugcSWCWEFVD@gIcT0I#_8gOJJK1KJ;iv;ZIY_6H&RA>_>uLMDR`7`6M5
zLqd9sepa~64?<kQ2b_Koat1=Ye-Pq2$O`xUK?vQ$2p4_~frODLsA=OMjD7+hK8tI3
zj!1P+&EXec9@hnP%qrdxdk7P1p2HyI2=u$KhY+?1(u1{chhxKuJ%TmQmsY-d*E<{G
zNW_nvW|%VydwQSG-)~q^)ZKaV6F&de!)GOXsp@_YpXvFor>TKPm9L0>dPQU^r!j+K
zAR%&3bTEjDnNg^?7;|UB_^ZoPMD1ve(K@mRFrA0PuB8Ml(9)<QdklLUX55i&(vfYN
z&B0=qFo#>3b!4m9n0YvRBO{z`(UJYQZbKIR_Tz9|bpLfD7dFwod+0$m(6Vt=IMzBc
z)G!VuAt{=KWQj<EVo|&gSLTMIVSnAkp7ulgp|JkkfxYe10=QSlbmU3`xD$JGlhMW$
z4{pq8=aF`C9^8~|XuKacbp%)1k?Xc~Hdm6!P3UN!=)sNOhNh%Cr}){YCUDcXCUR55
zxhXyE6Gw2P?YG*e<Z*HC<2p$eIUBRH9ZkDwcH8Ox>sghrW-zVtkUO)_gZlW6R>QGa
zY)cfmKYyyp*~(YUa6BwD8*3@+l#TDrq6;Q_?|CH7CY#z}*jy%Fi$!8~&VKl8tZe!|
z(!=K`7~4!>#AH}3K#>cdQFfz2p0zu%$93Fi(03O!>YmOuNI3?>+pQ$@ii9diNKS$c
z^&G=nHqx_E37gmr%z>8}IB%b~V{|d%cSW+d2<zSg(OTed5x)hDRbP<Eh(RX3m2EN@
zaKu;yrkiA7EHseylO{2=3k(!JEd$LrJfO}+ar5yUY!YLh+CYQdxi2$Nwwf4C)k~LP
zb4MDC@{!cA2Ai{pcuQGosGl_nGcd9YxSlb~prh7HUoJ&i2CTFU(e{&Xkx!xxSe8LW
zW7Nl;MA9=P6DcEpqI5rcX@3K|MYWjo2ECL$z)cw9ggH`!!PX*<#4^PANDZ==lj82W
zF^w5<ah;jzaXljE^s+D*CIzsLBApS#@G{tPu7Q4?@zT)VB62gL(Qd^v<Gw&tMhX+n
ze`BEJpg6R^KsM0Q<Iq9_iMlo}auT9OrlVA}4KuupfZBpmz;6ukhzlN-gwj&q=(z@c
z0+PJef0_K^sWBGyP9IC6CfSqlDQ3hAAEc<($d+UyL6Z&ojzp(<C%W?06*cwI)7$(f
z&!3aXx7E*I6eRb$ZhXBErzzWz)H@Bmj_*KI9;p)z+WWHNIdy7*!RT4QyVmFUXJqy6
zjq&65t3`d9sxNHLh3Xpw)fc8FPwSXwB;E4@2P2Dn4eu*39Y%XFz;3R<`P`2c820^c
zf#Ex5gb~|({pf2ODqn3|NK|J*q+uFSoy++G!_A{74T)xz{5vrHsp1QW*A~*Ad`-FX
zHRU!xc!tqF4T(JuBd0Ayk#`fw6?{q~Vo}mMIUwVf#@X=i$*#h(u?`sQ&V%WX(Mnvv
z%EEfG$?Gs5)>_<$g=g2-jkZi;<HNDhmYHmPwb4lS3N~&$lD!o!Oh&SgvT@Uq>~gp;
z8_BL_<K`pT4QzZKV<g+$8Ser&**oK+`b8MYi%sdtri@^Vun}xh5*tfmlQQ8VlTBK|
z##XRNTj63Wn{<?o9c7cs;i8;Ps%B%=Y*GVUG_XnL&X~C~$=-Q2X76m{MWU_3%30L*
zZeDb+F0B?}RIe^UHn0VCb{4S(bso{k;1Vy#MVOFP&hi9$*uy_B?B->*3S*AOEXtV%
z9GAnGLC|;~wk*#hU-T*>c}&|osC-seggw>Q>iN|#hQ0Nvg8@72B|_Hoa6|MQ6rGNu
zzc_@Zj`a{UrY?frzw0muEYZ@}e>mprzk=!OkG8_cQJ@^C1_TZ8VQ%N^@8-3x52;s>
zpo8~tmapF~Z=t=fAEl@F)?Pt$H!q`JK}K#~#&BWm=4H|=$i&UdG_+Tc>2B{{L1u1V
z=DmV2^Rpfb)F&taUx>*aeEmvt?L|XI2AO$@hvWyLv0;O}`UFu!f~X^dsFENNRT@N{
z5=5O9L|qh=PhA<*!@G;u%1~OLAllZDAlk?vnk0xOg^MXcv{^y4MM1QcK{Utwpg=rp
z5vb248(t<eculq1(dXXO*{rwT*ah-@5<V0<nJ#`-dOvZf(a3P4;g~9B1rw=awlY;Q
zM}bnWdcSHSpaCvsg*W)AVn$)YAxIqh4a;HTn>ZVLhlz~z2pl7gXNf~Eu|`6enf=I#
zaz=Wdzn$0IVUf||&_H}$M=BNGUYZ^wNb;^mFPHUxbT0Y0T3|cv^n}aFhxvl#=Tin;
z=9i~#Ka;Mf%Cktt_I`NUS&zt!Y|MS{IZwnQnPjGM=oaz=9nX2jf{juHmL=^iGH<xe
z!F*<6y|R&2nRA8-CjpI}=QR(brlr^GBh!YXNV)wvkE;a&W}dlS+By_j*u9#$Y+I&f
zPUB*)FM7@f53<1qdR>?s=pymja3UA<G+|QbYn`iK7?JZE>%Cj~$!QBwr+Jvg&}ew6
zDref`x?|@&Y$7q3GiNwpjmcp-0UhKcRyLmZ4~EUvg{#T*$94Yleb~FF`n5}3mbk2J
z$fS7A!y_%j(HI??h{R@sP&7;plc$a-CK!!ZBRk}PI!B;xQsj+bTHZLXU#20FPizKD
zMnk8dl+v8|V3Zn<(p<}P+QlO;<iW@jb&E%XN^@df=SWZFxJcn`tAeLXQeNbA%ojy%
zh#d1QC#ful8;^$iqQriA+}Eon4k{2yPUJ{l=cJ4CV#{)@YI0y-w;#Rbq)t8kD&EY_
zi*D*H?R^{SqR4JY`}Qc)-uH3cR_0M=IkTD>+`u%q>w+EjWYy{|YxP-HHP2^V-*9c?
zeyAyZ(Sv&9T}PR${q=QrhsxnEyf0>Vs2WaIFzpUC5CL1^#N3Xx|0w+JLSgSk<!}P2
z?XM<c<U@=GIBA3vb3403coBOqxeI2uFMbi(0lMfY@&ZlRg!spG&`GzQhlef1`VRCQ
z=qd4Pec{A)eDAofM|cO0zwx}a@WB$)uyzS%7if*5HzMz7xktdAXe?5?@y;=iYn=yr
z9xh2By9r*G9<j$;+(^zPFT^r5_ZqBMZ$B$I3}0qr0;Yf|@!C4BtJC5lJgh`ks--MM
zuS*w{!25xSYMJECV%j!LkHWTPhPb*1go)qS842V;If8W0b7u<+eC+ZX^QUJ<;|fGA
ztlT|^^~AFBwSsR_pmwWv&ggc3`@`LtogZw=lrQ!WQ04v2xq{3}SH(RVlhW-TYtenu
z*y_wm=Xo_W=FA$ws(Tx&#?2|JSybtqLCLJ?xu|kR28C2b8M$<;g<6o4Q)SsWD-_@B
zlV$&mG&rlV-8_u$63GY^=XvE%EY0b@aVQssiSs6Jh;9tKv<D~qWCi6IRduVNOsVq8
zqO#1YqRBFS7gAb8f;``8ONQy3kdvWHhAml$9Y5!>)B$@|U{jb;&5Wj?!h>6x%Yt%p
zNR4qz@RpRpS(D#kCAKWZizBnpO1#{%C)<-1X1Tbh&}MTNL|%F{e}px@E4B<Tn$f$l
z(=cnf>XgT<u%7%pDJjose3!h58zN)#dm}+^-=;nkuYC@^C{!gF3zHB<_nc|gj-`7J
zz378_c%`boZbL6vm4U&q3Fg)tZ+cnAO8eFXGr_u<k*?rSS=Uy+dhLgc1a}9KuJ8p$
zM9*#zxMo<1YsTIm%7<neuRTF2zd)Jv4L>-;sD#wY55JlUErSWh9Ym_&x280{!m-rl
z2)A5CYA|QxjkHY{xvOq$oAfQin$*JPB@@?;U|6tW?_8Pz<34=0(3}|w9c@eIxE5V7
z(ny@zn~aecvPetW^X2%Q{`953@J8?BI)j)GuSOXLk)YElZR&Myu^%;cIt{*v;fF(8
zBKL*YTLnz3Xm1oPgNIdaXzDBz?l~g|4|hvTWJTqg6pXj2)#sUYb|{2Z0r4`}Q;=ii
zVBN=ZRU*P!LtM$J!?`i;l+~$`7BTKryBF3&Txmzw^AJu?EnC1dI+S|p9M3rQj+SR~
zDE01ho@uJqh;P;-wW2NGJoTP;_s4aVEI<0@uSo6eDqk5x(Sqvr@L~`NxxqqeZjXGN
z>O9<Gn$N1Pl-wTF(A*w0A@@@I3w?VRE+HF7b!~jAhZe5AZ+qYSuU}$lo+XQDvJ6C<
z1x*%u3ENh~VC2R{FcphI?V<!;NaQhI&@D<ZXt*F|s9>cOO$-sliT#3oQ?3jVEcA^M
z3&w;9l8~rllz=<cBXP5UJG8H8;x<2tOduI5NIxQQk5vlb{Zy~KTzUc)y%S+8SUpLD
zD40V6b`Nb9@JUOV?d&ilf>%x({i|LsWiDmTW{^m7N?Bju>KDtg5+(+1?fmHebir5T
z>K7NO7>Z<tptzPJk=PQO-crx7c>1_*fggR!=q&egzZzQj)g|IWG1sIMN1q%LedEZm
z)`3$*=oGaZtyX+EWUF{nNQr0_rO_oRAUEmJN$I_}55*x;ZhF+r$*H7oD~}A5Q>KU)
zh@Xp9Vq}~A1CQ?y9*^Tq{toVL{Jp;u?mp(Dzr)1O?t6bH+`Z_7zk|EK;lt4IHXpp*
z(B$rX!JEe)+#S4q$9s1tynX6>cPG4kNVB^)GI1@#`rQYIpCoE__*dZY3=8+~9p0RI
z>Jx{@-Dw{kUXIs+!|%a%q5-|+#aH^6JbLO|-Zq4IC2XuOTJW00L{?L?4_X+a$?$wf
zkK|XQnRbZcI`5!`Nx=o^>GI%ZHd}6CyZg2JWi7ZZxDFl2Ra~`u%gnUBQz9&?YRNfN
zm-z=RxG`FTLrP|H4WBYKZT3M6`7H}UBg2xl+?Jd5zOvYIO==5lI<+(QwTDXbILno?
z1YT^zsHqp%A*;)-v{cQ#_V6xTgC9NYh^1E`JlQf3yV(8Ujm13(yTxwye9o=cBy(gf
z6b<&g%5O)>a)63JbtAEPuDrM1c>~=a&X_-7PUKrZ3klE1-i1CXM(%1McU|My1#RFJ
z^R7FRTyL>Y@Uoq#UIS<)+{>;jjZ!bvcZB)^uW`-(ie%4(8e`A2XWoB}y+-pqtSy>)
zdBgiEGv>{QD&tCQ0B?5~s*K0hGlFi11%vhqVs;Cp1JK0ng1Ccz+k8`Y2p-q?MjaH4
z*$!2v<JQ9h?oEqCJea$?@5HUtP{}QUWVax_MQ|*;0jdn%TxE8mU7u7LRD}ogNz_{X
zn)h{P_>iiX@geac&2?sHVN;#i2`|?#utTva+=0|cqSgo+%E<5<btLOUy~&ww$s|QE
z7qZY&rU_<D^}$J)UEClXITTxcMSj=rG{wKEcAUNUBw`RrKg!xTHZ6(+Rpi@BhD8ra
zdLSB*)Qtwuv&O#}+C#F6GC<OJJDjM0Q2pLM5jTpt#+{)0Sw`PbB*-aVSH(4=1@`_Z
z#TProo$okdBG!J$A5*nne5hJ06^1<x)(E;2g`slrx=Dks!F0@@kw$xd;2v}?Q?9>z
z5m-}o@C4=31<L<1_a^XA{cr#OIkOm&%#5ww7!j!ql~O*=K}w4xMjMU2M2$7=GuqQa
z(yp{;skCUNMx|YmrH!%_71h`&%lTjD%&0z}@BRDU_v8Qj-jDzP(L)T=X>hLhwY{$A
zRZMx6bkeOTy$Vqt?zxA9RA7gGyOuSw@`oM$*Syixp>=n&g8Obcb;I-PPs+jgW5MaS
zf<Juv<zp=1B>wGVmV%R^sVYp)6r2p@W2TZmrVBg^GWL3n94XPS`q5)}D;3@aMZid2
z;oW<*v?wF&R_FP$5C$0Ge5o(b01A^sx2p5TsvlQcp&4)62~)7bp}e6yOEU)Xk;guJ
z;#r6Gc`!ppy!(jQ0K?I;nRf>`A1)6!SZTUJo!8^0%y_TVkLx*@_L|ApN2Y*(LikKG
z_$pZ6Con%m`yFY0+I6J)QQqdHLB77d1D$j<LrRUn!ki~K(%zcU-|9X$-!w+Wd4d<~
ztr-{&LOGg#N=H*=0e^lpp@<DnVK)CqPt%X`G)A~}Kirvv`)N|1Mhy?tvsVRAqmECs
z^U=eD)F@BWk1`t(&eH@><7Xc*77x(Gmqmf6nGI&sTWK~qoZpTHf+}z{kou3dr3n|I
zF$2pxbM12NNSjedRlGknBfrcBF?ft@2D6z*nT-MFbNBL`<;9)svFHgJ638{<Ezm|+
zYb{A0-lZn+NaStPLPjTWSgyTD16u9jOd~y!jq3&U&hyg)yON%wJHoje2KUR4&nB%;
z=*IKIQk|yy5OOb_0C%Dx{F>;+$^F^8n7u6zx)zNYe~$4$Wri$k)p|yFiL)oV*2{Ct
zf!%qQi~Dfe_kz>v5`G<P7=QWG&uZJ}Dzf=kJ4*CxufA-ujn(pZH}pmJ3Z=}`LXW^n
zvxCH|e7r?l!d>?YSwc%Ik&_TH41aEi_Cj)mqxB-t9QZN)ui4)WqH^x=PLHa;*`HC%
zGp`Nlr3(9d`aiP2Q8IDys!J^&{|oyw={q+wJUF@h-`StqKkV-kX@A6Ya)jM^&ym?@
zkzWRwUXT6qe8d(A@4)KlBGUIMT;Gzd90==tP}1|&g6n(6*==aXJKI4tzK%Uwi813p
zlYS7q9)}06kVrWFJmasARhWqRk+E_EhX+PI6z`7F(qfsZ^>`(t0uP49(5N5z^LhSe
zyfqVNutnb=e8-ql6Nn>kKp=Sr{zp&^_gau=;H!_sZ#2}5=0=_Y*Qs!ji1rM}abTiu
z5D<ce8bCnU+ah0|vQQgK_Xh@6<IpP;X!aApLW`}i?_*T1OkmkhP>VeEY!PXqF_eYE
z*!EPrsSpdI$aS#LU-_$q3<jxKkRXFWG8XhQjUheT4%|8hk8)mt`$gjr3x?rS0wwmL
zcHt5DSvwyI?iCb9dbSwSLWLm@abC1j#8dl#WV|FG8ejGf_m_c%@*{gZ8|Bz^6~Q3#
zkctI$Y$y{QQr<~Mf+<Q9RSeaGp)UGms5TZ`k)>d$?#ig}ffbE3&@;SPEgHIaHP;t?
z=1w=8746z<6KR_@V4H~H=ce)9r@h{l={{WV`nLU+NTgNb#(Vm`bmIEA;%;7~C1Nna
zk-an+YmzM5>{)Cg9=});8ti((di$pti`w@y&w^o_OYZc3-~AMQ6h<0${3jdIu<yI^
z#KV#kX1yj28~48|v3-fE964^|vanssWCuJ@seHPR8U5k%)fFLSt`ma%`dVs^{D421
zu}JL7l;k0jUgMkF8g6GBNV>-_9vstt%OSZyb;hCynA0A8T6A6XL{#QF5ebMETAr2M
zj>;GXZge4-@~zQ&>(QLZ|Fk7<UrrR}za91h!<z`Tz8x<jNlTsqu6^&dci>6)g_Nt0
zl@-3iaOa1#XU~{-F|VE+4V-BgnWIe_dQFmB4#}IsnRb$in)ZqTi=OJWRFl@svQ1f(
z{EGA76Xi?`zK9GhUxbuU#+<Iq*ebkqm|;B$8?BcuW12EyqkQRK`RC~40d7G?uVZ?=
zC`|0q3Ewuvw+Zq6EP=cXEE#MsnhHB1b<;MiRwQXW(zaeIle7fRZW6%|uWiEQk<sTu
z%K!O-|I21;hnw^`KvQsl>nQW;&mU``ZT{Mbc3edIKR5VLrO=EuQbhW{jbz|>#AKr)
z(OPJ+5d0t7(UWM2|4&il5dj%BrU|T%2%Pr{{1OFZ)VNa+m}I%bB0OGD``E%KNf5MC
zKt_#61Z33sQNT+a7m@baG9X(JkSJL8Q{b;#CIAH@pGvg;5jDDh6#T>gO|hHuhyUAX
zL8e+{*x27-8xlKJ72MxzdLHrv+m=}nQ+?o<|8r6Jzs)iS+Oz)suWr>L-QRXQ%Kf2W
zVko#jXS)k1nWz;_n~zAhalcHgupc0tGsY5(r<nMb{wntIcnp_(@V)flVec26>`rg)
zTL+%)M*3Edrq|QGbZRG7@#e>|!uo&HWDfwRXC}Nm3AbjIID5>U<vIXd-1saP-ZPhS
zmxjp$gxei0VR|`We4ZiL1eip>A+dgRG-nt8KkVH&#zgSyypReg=@WSJ5B7&ru!)TF
z@g|cTQ@|#^sHCI%jI-}^nfoEVE1)I)t4+)}@qYKY^2xP-+Qf=$hQ;6Cw?IY*HX)Pj
z+4Snj;>(mxJi96KDVs;T@NaBF{U0_l2y6n%7e44z)qgPxC{~cQivQLquKuoE?9L!7
z7YeI*P9<fCHfa?m+3Y{9f}wOeJyzjJ`_n4CSih~J*AbIHt>S-Beju$vDEPxF$nryv
zRTReyep`ib<R4ZcjQGPUM)?0>6@M>3q#}P<1#J-uQQ>c^xTEr^`L|WP><=Xf$|~}z
zMFz7~4~;Hop6z7+BoivFvrED@w+tAzYO6L4UCnjj#cBsZR`ts$o;cIMD5%h`U%Wp4
zymod{C%ex6twVdOy*IbsftMjX#G{v*hjU0Pakev`XU&pM@~WFM9|`s#Z+}SNFm-0Q
zhm2<Lb=h^T$6Wm_?`AFSHsK(oHGp}z6uZ>8WX{>{_<}M9r7iTMjNuPkpi^bL{})9J
zHJUwxiPkF0b~~VKCnwsj{k7`#9k784jSnxmNIBTR;2qv6z0L0v7{0j04Cfk0J;`NW
zdB(g+#(J}%gtvnh8IOQ>Ab6Ly&+Xi`BX6wI6k6+PS`v=yX^Wbxm5SO%-;<X&g*LVn
zP^O^vmnHIQLDe%bg&k1OTTB)7NcRBVp^U2M(R!1i-Ylw~N4bZ$=jg-?5>e!$<2w5w
zV%(EyL2I3K627H~FVRT)3GflGC?`Qy^mJg7&K2=J*vC}xlPczc&*-V<;XTznW3UM-
z7IWZf8|px-i_Dg0EFsgSRb;lbgK@LA;lnw)rK|9&L6iiWNdl6fR^btkkYzf3s#ftK
zCGE38I9q#|DdKA`M0_`!m`9F9Y|XhdO;Asx2tK%#1?IEHRIALNz_Jo7F#*St7C-U?
zm5Gry6xvvS-r_vzT1e0G@58og(zP@Qtg8i4&hG?%r2?>_62X+f50=Fi;jaX2JD(2%
zub>jrwN#UyMHpg+^Ge4>nA-=?A#5uZEVIM?4au-AsmHZYVcTA1*k(p%R>OKyE3lz>
zJ9d1JYx&fi2c9LQwSjak{*(=MK|x|i+JFb=jLhMzRG-bg(8>1Zc7Yvfog3J%%ckY7
zmkwlD-%WPh*q4}E3?3$dQ)JicG#SLr01tETxXGRFbBxCGHOIb7Pr}{CzSC$`u=nyq
z?AxGkgTBO`8iID&44k{}ic`za_O9pVo-OCCHw}8v{Hn>G6UlF}Yv+D~GNWX%2J$d5
zv@(7Hp&dT+uI1CynB?u9tnu7iU*Z?kC-FmE9hu98d3uNCgvYSE82(YXOmp$5%scU-
z<Dx|Eta*~G;_EkZLhH;uCAO@F$OUQD)uQe;Vg8x!q(uF)&PD#wVwaXrCp#;M8q7jE
ztlZ>5<=2toMc~es3w<kLlR-hB91OpCNWVI1S7hQM@k;SddiTxwM+?u{-?97LZSHBf
zP(FX2>W$7@;<owq*o2sC4sFDsclg?8?Qe^S>ASyU&gRnVEY)6*RV0hx6j&})TY%U}
z+$0leH|Lv(#?Rj`iK7vH&q^<jsfY5%e9KEY(=T7P`T1?oL)UeM7{6?hOCs^`#(N2r
zP79naTB32<LVrG4pXn8h<oFq)KOnM9;=`D2Jjz5v&;TSvqqbo`6H2WwKD485?(5Kk
zUSAq>p#GdJLB(2PBQesV<FxC?w0X&o#Basq6bq8M|CG_g<TuF>v`Pvj=Z_$c6y`%Q
znldm}>7xI0$C3&W^Ww)+qkC{H-QCc<;eOG3IF_o^zNl>*ngchA^Jm7$0i{v*bD0;O
zF|YjVvGj7Zi|MrE&;NETCEVB+y63R+SX!KFx9t7vmdDhw^yTBe(XST$eDrUQC5`{$
zSaMB&>x_V#o<00`{@HUZrNgoG7V&ld`>`|%jwRB0|NU4BAe#&c90#7V%K$mze{(L`
zLp}2xeKf?eJIOjuia+1pV1Wtx&WyI$jGjWCIJ#q0-kGr$o2gBUd`2BN=Z3&(QwjCY
zaEoxoY16If7(l~-pgIPSBz7x029P9XA*QM1X>&zjU7IR!J|^%>CQqA$1A@RamisNj
z4+)Abd~Ti*1RWqxn^XZW4FXxYfR{WjqRBEK?V%tbS+I<W`+pLE@bAylW_VA>0Fgr+
zd-E-4pdA7&gGDIgs57&u?_1rin!RXH6lH;PQ>D;rLIY5oPXY2;0;f;$kg+JIu3l=0
zPT&R8A`HAaP6mt6ekbed+tC3+kOu<`ZZK#&o^gUXN|AONrP5Z4wBdnCT|E@q;FL2<
zSik^<wzeGzv_~6Qz?XjMv&X;#D9kDJ+1Bs?8e|H6_FwQ1ZK0h6%(zd@@fNRZT7Dmh
z?Ne1Ht}x2*K|ftUY{Br`WbLHr<$dx{gflT}pUC@YWXm<`Oq6`p+Tzys11kOCi^+5F
z9HZWp3QQ9*{MZ8h%SofS_gA^r_y0DilsX7)9?jiZR(_MS`#^4~XJWR<)a1>Z@6<Wi
z_n2!tcefjWV}-TCZ-a<6`Z1e>mfgd!_rat4EVVlzZu01KWHJJVx9_*UuR<IH?7?%W
z-`oqy9Vi|tPSl>fIQ&5Qid?;S1*M+-3X<pCTm9)<n0S4_5#m7eq3rDYSUaXRD$_CI
zd-KxaQIG7Svcz@u+xDoQ6K1Ipd#}Y@J&ECuWTxL_1E1#J_iUD}aWZ?pzPQx$fqoyI
zt@px0eVXA+>t+N5UMt_<t2iBuH_X+^WlnZQ6AVJd1O0PS@H~?^x#QQk(o)ZF?h9Fw
zLp(#p>jF!o8lvF4sgb;$vhCzstYUG%Zb^&#K073+r6rPhO>;}Z@aT7%j@O^e;Kz-Q
zi$_`;x+evjxI{QD*L%IT)YEoBQ^l<;CrS6Zz-I*xcFwEHBv@m8{EVgVc1dzZ?U}OY
zZd{A|A-LRYCXq8O+w~NNufWD0JN4Q5UPqipawnZWDR>QD@L>C(u98yEvqN&m9&@Pt
zIx~5FKy0#nKtbYiqO<j05$5)A)@H*a(`RNhc_hQdx{2-IR#n!dLRNG-sbAekx4T8j
z?bXTi;bLK5KF?a&app~_C;r5pzPqWU)+A$nfGIbwoLIa3C6*R5VtU)j@pb9vr>(@~
zL`=bJtmsbpoO_FNO=L|TC*ay{vGU+?yRP?>-qkK-Y3aJ8Wn^c>Bm3+o1<TYeq()aG
zeRd2<u6*=y%X1=QUEn@qPQumjwQsRivRCQrtgFAQzuis@bItdEQ;K<GpCua;*VImt
zH48h121wAFr*2OYQiwDRH`Sc)J@rmnVRE7@9ytWpo>EkPJ;rt6+fvWwkbL~ihbKef
z;`(EWj8!alDHi-%KA@{h-$|zVz=7DgSN;aeE6LIHzmoRVAir6d4zHT9_c<4om3AJJ
z;5=6-hi;gcUmubmk0isjuN=;FYD*KnFZH~`YZ=m%xH}_%UEung4~&Tm@7`if%&UTq
zUA67`Cts!<_(@p4!=7ZEW=yKQdZE0@BLgly=aL(7=$OwX3?H&pQ|7HAUMHJa9*>-`
zgBzh}yH&pvqpRRXP@S@P(DbfXGPn^Q*v?JuiY=F5ZxgJy`-B#h6Y)b=mM&<i#IQMQ
z?QWl%@H!uiC4qwkH5|TwS3HQgh~e`EK?TisIKAWp<?)EnU{Y}8_I&-q*rssZ5AIw>
z{>urfQ6l-ez`e~xe&vp7A22ju{!ahaCnW#;P!aJ~u&@#vcKz<=*8ZhDxb`)8)h6YO
z<^;bz{~mczq`yq~Mfc7Jd5b*NVeO>g$^jRKF*X@=Ng~frFN<b=8Ao)l52#$P)sP^q
zkYLW!yBb?Hr35iiywmrIQw1hj@@m$T>h{kuM0>L^X%@PO_c^E0s;dC4=(3qSwZpvP
zCXq+v@iO2C9oTiMEywiuly8<}jgK}BAEv3fE^zIm7mXmctH6x6TCVO;<#-bt55}tt
zh{09ZFxNA&+{!Svev`*`_+i|O+t8+#@B5}ga~Nyk<_F_*c59x}yy!3qq<CAGPr=7k
z9?biI-JcX|a_`e;&GiAq<fiXQFN{B6vQNBS4vtlGG^Y^*YKD6suf$yS9TO`ZwtR*Q
z-?Lkb1ntXR@oM;|i}e!A#;Eg4``!-LZ(pN-1+KhSFy=;H*R3C2_XDbKo2mY&$<bdQ
zV6@G4$8+L&1@>S{b&h&RSB=9+!Ju8@93rg(JKR)~m{a*E$GpGsL--*VuGJ^x!Oa;M
z-h5u4ZDl$z+reCDe!~Io3>~XQk4K#@?>?AUH<);*o%peHzj>PR#5c4z1r-ElS4^9~
z->JHL0A{>!h9_Eqt)I{AxKwHGpz{<iYbcVefw<&iefgS8l{XGxBd}Wz)g2SBHnn|~
zP5RMAd;FK(2ma<Ml@XZEWge}SI6tKvYquUWyUqCfhbG&k?}Kn6#Hs?56`PCi5xh{B
zM&o?A>dy0Wo!w(>O$!EOEz>k^ce&YwF<lG{t2-o*s>^jpHorTVCut9OwMXFa!N~<~
ziMrXo)2<2O#fr0pdH26nc0ZkQzYou9fV7;zCLNohV^meuyvxNwM`!!llPTiw9emGY
zM~@f0T`a%T{=}usWs0=Jpt{5AyWGlObMTjQUy8!o6L|Wfb%A-=$!$2Xs0=GMS)8BU
zbu!*1WmnP6u^B`uHd0ID!q}e$JaMD(;X84u%mwVqYisX@c8}dYe;RUJRG%rDA}zA0
z?r1)dv7%$x#>zE5hBI%K{ZMTaz0i%Gb};%AvHc}BbazFOM%M;h96X|R<&f`05tiN1
zl04S!%SSu0gO1+zvqi-kZIFYy=ET*`GThvE*wt0y9pY5@32T(6Jkw_seL1&eV%!@2
zBI_RwMPjFQtBGcGSaJUnEVkS&b2m-qBr3Z^4E%A!_a)|2mRxX4d(yjp5(k~W-P_NG
zCFKP8b({t7Gns9Xrx|y2mc(E3y?(uGb;n{Oc6di-*}*&=_wnAheyl$uvG8a-ymrzI
z!r>j3)}LE(sH>nr5;XMwWT&&{ApL~G`Kpw-M&qu2+s_)rwyOu$cN<8re2$(s=|pC|
zS=?W7bN#A2f=XM{I^t4;c2wo<xFBvA8}?#-+?ZLx@`KI9q3kkjVSTT4tjm4NQ{!wB
zUH3eR6X7M>M0o!f8}N`TAN1SO1?-FU8%uj@BnLZZV(2{Ix|R#&&C~bZdNKDen*f)m
zoi}f&xnABgAUjF6-YPuvSp3EMQ!<@fkC&sDN|Sb%zb;&&v*<^chMP<4)@siKcP{T4
z2+uUjn7Cne2U;;fMl8u6eEMQ(l4rT;>_FzTDc|gwE{Tptuf80+yk}5$l0+BE!!cJg
z56&!KIAqY~e2a54*5;F5U2Jjqan2eSU+aCbcP?JuGdMemu;v-woIK_l9PaI{=-F4X
z7UwYksFR7yJNFqJek^;FyE|3ISp9~6cXrY>Zs(bqwKw25aCO!G8JZ{8ZaEkBs8+W!
z?Gw88@Z<M==E!-)nW<g8?4+_44Mp*tL>7jhSf##dd`HNI(j*tv@EMvN*Xs`E^)9VW
zj;~XH%}O!IP8#{Kh0tw{yoKQhzn0ruZSFo_nshR~{Pnof;olDC9k3U*Rvo_Zl9j@T
z@4r#7r8w<`WzPL_+dWu2{Pzd1%C{XKG~e~vTp90GdEw#ARKx6~K@|i$Q9bQ8hKH6H
zd7j6HTAaJmt31Y_bHVp{HZ?~w?0Sz$^hzC)on%ACAhXmU^^+M4-DtS1x5YU>*$T%^
z{9O4wn{Ua3tkOF}yiS$J7<K1<{c1XsxVkVKzW0Zoz4=#aD--F-I>{Ch)g4s_%H<a3
z{IBzD`bMACR8={8drq>YaArwhN#}v`NVlEA85c*`eR+B;*+IuR_iJ=}5aG0T$`uTM
z6^>Co3mZLodU<EBb=4g&Jp<}}b-JqO*%$>zWLEBKx@Pmee3bj(W7}+q3l5*L#DtW+
ztn`|LR^L;qZ&#0%CpLEtUGZ-Iy{);ouEGm55zW)PWL=r0D_<wCTwmQ`wsUWryx*qj
zw-&!X+qn61YVNmkOCcfWbPOeiocJ_{^BLnOcipc_d6S^oXl&BGqHMQ{+Q+kNFT<r;
z@@%Co^D0j`5%Y)}yARgc6utO#s(D7fkC*kynhE(C*&ca^2}|LYZN#m?TRT2NU$)#~
z{EeuGHQmw-Vt6Hc-v?})VX}2c@XaSRgoBRh+7)Hp*&F{FbX9Ux;<$3f)VbVro@TqH
zCi}#}y4z;m-(9-4969H;?}H&6%|%g~mcn*F2Zv#V$_LCS-PTW|qv_f0K4BMH-)9ml
zt1#WDHQH%Kwneu!2N(@oQ8uub9NHouB}d)g252UHJ#~SkA1#Cn%leGH2m#cQa|`qz
zMfU0C&Au~Jf6OdGHs0F!z}_lMl6g5y&n>Wc@8FrLMuUy^>Gv--%T8K-%Z><ynBkrJ
z^eG)ixgT#`U$j!=Ovi-Ec{YCIKBi7-+0K4EJUi*=`@2Uv`pmzBA4(7v9_{+_<=IoZ
z$Hp9X=j>fx))&xuCeJVY^t~}6J849|JaaoSDILSTCOIByGdy*<Hm|U<&&{Ssbl;2B
zbAN6~%P*R9FDT~no{`x}S%u}3{g1y%;Y$<HwtBAk?ct19@@Y-alh}8v=Q`&eDXc^5
zR8q~elOCd_#G@CRPGk72kw2#PN8TRZnY=vX+z*$9cg{WuPiQq_G|%33d5<7FDbedu
z4N*`IDFY<ja>%%^)aFfBGt@L;XTGTN<VQ?~1Eb3#J89=uGT<PRF}!Bkfg!6pg09u(
z`7{N)q8;b*t32`PC&!=oVtC8o@*c}<IG!F7AjLR<;mGUq`LBz7Zr0|FTU%ar>#FVJ
zDo>LME~VZMGxL2e?->Qh%cXTr=f*$T4Y~iFbs({-&F-$vlXm=E^Z3BMweSK)$(AlP
zJ74+JEnxJDvSZ@!d`}`^ABKN9{>Ezau~Rn+^sDr5!|yUvcKY^oz2Og$GD82SiTj!d
zeGE*@FEzG{g&T$95xf1PwuKTUxtK+z!QnE~o9*H=x?@(9xvxA<;F4SJvjf*0zjjU3
z{#c}Q`CwgyVRLO&SJq%JS#ISxk#qYk15NRzrqM6cmTe>+WAoTEtd15PeH8aF;9Y=+
zxPP%#WL_uXa&>TY6{K|%(`7Ta$J*Se&BNON8qq#GBdLM@25W9MzqNBkAA@nib7Ld(
z4li)Fi^J*{%eUVcu~Xz_-t8&3c)Cl5l*MVTJo9$@r<P;mgySOfJ`yu)L!R8(3KzY%
zr&6auPga{J8T^IS=k~fANEvpSx#-xqd($tD6Lwig<}E(#yS_w9Y{u}cPCp%$j;fs6
zylY3Eg*Zn{zJ`?L8>n9Y%u4ARADQ=KPe=B_%|tAQkDc@>YfneoopXOp)G$e#)O8an
zlgf3{&%bLv0T-PRndhn%Y0<Hz_=fc5(woJq9h>gf=2h=HJfpNL;q?x`Qr5Q4!Sz4k
znW5G9_Eel7_O7FFo3B*7;?~B$Iu75f&8v8(QeoaTD`v;>v|RH?*P36x7$^KIGB3Gg
z&s-weWF3ZYnc*fcFLTVT&FfRM#@ugs=f%`#TfW4&-uXFBXd9WgEq;SqKH(dN;o*k|
zJ9RWfJv_WN79!D(amSFdh!cU6*>_r+4vdI85wqciX8>+lB#ZJ5eYlH#_>(WJE<sB%
zGS=5hA?}2h1f0r>DSp54j?KnRvmEcoiI0gx;MY7FJ95=%jLKD{V8wA2)goVX)6q}j
zOO2iZdrozaT=OGK<IVcXrwMF%JDZ<yS$=ecWVu1P!R3bg7q$0QBFEfgF2>%ve`UGB
z3%~2$3obO06}IL4oM^+YN%`NR_K{Tp;u@x?0CX>qDHC>yGGYHBt4g_uo`co0C7+HQ
zAmarx2Ui=_206H`Ed0QVTmo`+tY5*Ldn`!Rd*z#6ADVBSUxE<LirgEMJ)lx=&-@xf
znLQ`!XOjhk{QQ)Q84c}w^HcIKG*ekIv8qgw6?eT`ov%oqiPxAScV^g^r(9&Hl=m$!
z`Q%>in?*p<OXa*|(hE8775H)kb4B?!_&S-!N|b5rYrLyYbeqg#V+!D6WEQ(PccO_r
z<)X^h@@{zYK6M^JWu}mrwn1hpy4?<mDM4kXkeCi7GgEm9!V<~D<lV;C^v6=UrUa5r
zD%X^^L9!WBPo|p5Ib^Dt4Nq2WFO+|j8($-{#|wlqd)(DkJCdNXM@vGPJzmX?AyO`?
zITEu8<7*FW2`V9kd{9m%gvZEyP(meybJp%XmfHuO+Uq*;1fKfO{O*wa&-`vE<ab%{
z4XT@I{-p^o`5#H!X3c*|+O}v`oh;~mMDv2C@ioZAh(={5*0x%evrv=F#0Y^h6Vu{`
zIqRof)ZpkF>KkACXLj}TkL)U$%C2(Y$$i>4=<kJR|4Ygwy8ZW*Y3rj=<|!97+w|4U
z2bfGGs4NJQAUT-@jTR%u3nf$*G@rS*D#zXYWWkDKOUxzaTGc!n(W=aD+GZPncNhOH
zxzQqc{jijaoOkAOb9l+hgawl+5|-hT`-CE2!6spfd}Ta#vY>%G6Z6H4uaRj8fh*IH
zj_i}x7?p+)8Ok(d>rVo%twqwbjju%$WOhL&7v*Gju|eM@cmzRa7i4mwPi7Y%c`j=+
ztz9~&xwQGOrV<7MG6pJP=-!T%U7`{O0x||FVaVO>a<V`t)g{Zt_*&y(0@45~3y?z^
zP*CjxS%3u605S`(62z>UBTBirF-BixA!_pv?vNjxnL~y4@^ui}&lN!mK*Xh%VPpz0
zR6O?m3em{|J(6w*H;A7iQY4_$K?aI%JI|O0Wh$b*txvzg6Z=w-scVA?h~KF2O$PBB
zgm0qTF9|BrtHz8lD$u*;x+k~xPQNJeX0h?Ldt%?Lp+g8|gw~ZzMre0L;*$ma+dqqc
z!V|V^gP@C`qAm!!I-(wmZc8&D=pv}73xY1Kn@=1iCkqD5mn@OMua1hPAe53&u~gGD
z(QSf?r681&P_dM4(RB&j$^)NED&YAL9}!f51o4ra43I>(A&~0cSy6>8Amb=4@7HE=
zCkqDI#ks}7)s?;+lPO&J1M}Sk>5WNeoJ@M-o8c}g7YDaz#yyDZz5MT9wtKmVa>iMY
zC78k)`z0eO7rz}FmTZ$uA{w1#*wX)aU*i97?b1Gf_9Zq>RfTqC8}uvhbE2SKnN0R8
zL1hK~%KM6jWdfU~m6BH6#tCOj3)y6+6!@#YWZM#1xph6tBeXzPGZuy$e9Os(DK-7j
zYDP6o$>|5jctT5OGPe+j{-9w?9LZZ?qO#bG<;a_2qGkw+QEfsChW^M=H>2EhbkN6^
z5lA5nF*;M4bUOsvQd^7@{Q2l&WBnmoL(Q#+A>$?+`44yDL+|y#Fc<!8=)E3Lc1M-M
zoBbC1|7XIRe6nAWRw}U07dSr@_}!<3H!?xsGt1i+;dcbJKP`No34&yl@FritE8>Od
z;Jo`Fyy<5j@J$eKU$D#!_t({c_UI`^cl4&goIiA@I(XV2x|@M`dFM*ImA{*#7p_8g
z^j9yS1r!F#<|uK_2%4iFx1YO|XneTP%A<M#5=Da)`lDUYAl<#A<Wq3kDMf?y7Nx*R
zMaPj1(sZ&h&`2m6q|ghy4+Xx0y$`XFPa{5!_!4`52x_A;SE6W;KJVu#IY>1~p+9;D
z8l>fRjr<qTAk`}^FEuv}tz5Z4JDgB7NJrn*ry8Uy7o6gIxI%ltmuirD3?mc`(#50h
zW!@n<LW$a^=4BO^Qw`F7p0=!HszI7Bsubp9iU#Q{e;+ZSXpq)m64OgFmL)#;+E?5@
z3mT-pRD-mDARDA}4pt{^h6d>@u|G6OPtHFoQ#45Xd4^*FRD<-4xN<(BXpj<vy50?w
zIJz<)C448S{wTCZk$Ukg=q30Hn`W3v{(|;s#mV_x(UAG;pg$UZR!UI)QD~2f$o^>d
zrx6b)tRo7sRo&?-H=di`ctrL`Z#r4lNxB`!|5R#>R7ZbU4;rIW{NK&dctv-VYL3=9
zxX*^zP0<|PDnaT*T_R1f+{kj*hiMa&FNu*{@k{Y%@sa)KjV>nNOWrF%XmK|s`;Ry>
zhh$h~ERB=KAqjCRu|mbH6^vNT{M-~Zky<0fB8RPJaWr~{tpM4Q*xCSq7Z^^q1p``?
zNzGhMrIGLfZMfUWnX8%>XEjGA$mF|z%mD31cIwtWM4tK^41aq1wZwZ2QiS2!4-uk*
z4)e=bhMmu-oOrw>k9oI*dH)9Xv)PFb(v2Ck$e*sHc7wOq{aCatRP7@*xs3jZv_pDn
ztstwgb=OMtbZ9Diyqtv@LZqlnPlwLadnOaGr$yX&t;g2&m;u@i76)YV6#+UQm{A6t
z2yzsQrnz@2Xg3nM^n<!vXd6FHh3~@M875xgJnDW12NF5#0UPe%KypQCSz7w2mUACf
zos=|!vyvPs0k!<L0a_eY7+L97<N4C5krhzO4+gco*3hkLf2ie6m1=n-o)J$#spS=u
zA+m262zBGNhQ`7bc#08`<Z_r=*`UT_845zjz}eP|Yf5Sc?M%IT%^+u0ScW<--2HEL
zS%wEWG^Q!<m5ECD2Q$_O<41hZYN%?TWEsMlHUqwy+$(hSBz2~})qSf=9%)lBXXG6p
zxefma{b0=9KSb-O`K4h<j?uf}kNBkeo;&^#AC9y%uI-6gs%NgyNyP^!bvbq%N~t@Z
zH|SrLx}L}%N?j*Xsq2ngJAqOc$Ng+crS3RT>Q1sBYZpEqkFfKZ1WMg;q*B)j=S>#~
zLw4dkTc?Nw`+z`@eAwd4PU8NX;7p?pwmfRD8j6mxIKp+JXX|W34MS06Cq9kd+F(MP
zN)v{nV_Bb@S{odhQ#3CkBkir#u7l9yAO~rd@UnFAD~w<$K@f)3FQ9*DpXzeibn^qT
zU=bHtswLS}bIy3-V|f4^W*f9B9fuB_l8UV4)HZ1FT|H}BUaEx6U#)^{nYU=nVYlh7
zLgpONV$o_5vQzYVqAS|u!W8L=Ohpq!oz9|XtU%u0n((fMD-T6-_pw37D?Ye>5<3(m
ziI{<^*++?{cT>kedo-bZ#fqtK@&||bdzSA_8S-V;=#Y>5^&bW?cYbOT-4f@EkxFrs
z_>-d@(@QKC$B1`}SDz9So`+7aTzf{#r?V#7AZXAEzd+X~^`n-&oXwP6rB`^?og$(P
zrh$s(CnnEyIG;N>go|&MpWD%Q(ddw}J?}N&XzhDHS7I19CT=o`YoB28pHU_L`*E_)
z|NC*WAOFob+3>Nb9r{a;`{z8_OK{#jdffjH$H`zp<i8sylYu^q9H@_jiF(Wi)K;wx
zw6f{+H+&?rPo+5;Iei=N!w4EkvObJ}FOH_B!wSq;kptn=|8_iVgmTX1|0whwN{xq&
z!mWqm&ic6DAZk2J4-Yi5*R>1phu6-s^D)AM^r-Q$q12qq5}Y>(#>2ww103;yLHM%u
z5N`yKw%H@1|J!(&`;vbSx)j<K_5>WDpYH<)sY2+x&0s4+&WHU&KR@udem>ZpZbj2k
z>gPA~=;u4h85QN|WaWI%m9F002shsE;jkmZ$}!#N7YuUZEo?E{{=?>>=*?VDatLN~
zzj&K(v-dO43#WN(!W5%o^F^=cNvKIN-`8K~NTtk|c9TUU(fhlHj?nToY(EItrcfmz
z{c>W5Xu#wO&9a<J16EXB{Y?}gPC~>3kpm$@BrF*e0eTOjH$uSrU$O4aWgp9nVMq?`
z0^%GII%>s?;>;VLYpZ^6J~ac$XG?atjF~YEAV+QWFFO!J2Q)38v3YnjtV(UGw<m#K
z#OvnXv=1X-k1aS~e|q}?I&EmyNTjO~M*!7#J)@;J%`^sajG#@vU01*SwHj?{3^MTt
zYbM&*u%%3mb}3^FtjCqt7dA9rCpPHPPmY64tX=eMrs`2HjhFya#L{OfpO0~A&{>8(
zzt2=2ose*8Qyf62{!B%ba*9jyvPXJ9Qz5pT;nISpz(3x{$YwgFf3KgxM!Nbos$A#N
z_6Ndp-AzMvKWA}igXO`n0{EFq-`m`ww5FwrurByzS)=eKY#xNM)uv`zZNuC_2&1(D
z8LYv8c~zl)e+IDOu%QeVJitej1Oz)fh8jGWID^rvw!v{eLmeK>UBu{J+b}zdp#c|I
zw2sl(fGmk)Xu=%w(j*4Etl>X_MS1`nB8)vaPm5@gzr`@8`ZKZz)2`KF7%-8ndZ0)o
z6DjsL6bYC}G75@h4@{&NzoAHtNHq(fNQ(fwgraJ*M(XyOuB06urjPG|9g(b~pFOan
zaHKo{2}7c;vLlf4NEoCBz=IFcwiH=-l|3BrVkPc{?CE#ezBl3PUxJ>nZ*d~-vO|&Z
z6NosM{YmEoC$N!C@{S&{BdgfrC+y*AIqZO3?$SnfNF#gUG-O4mZuld%j1zv7eabI~
z9aYcH=Y&+TefgIBa1&lE`)|M_e+BSJq@^SL2k)rR{BOJ?mXddbjEW$6M~NI1Rrf%F
zceIuB2k*!gJ*N)JrQf`x5`(%!J-nkGz&lz;pxx^Uw56Sa)H9Hr^@L{z;D)-jkajJk
zVyYIB1IthiHOFY8P7EP^CWAGHp*arGABSW}2qK1oY-S*FtqerAOAXlxWTGxag0MnK
z<Pi}a3dkcQI=Ultn;II8hQ<<vN<Aw&dRgdJ*tc5Gl0+|C*nJvhwY9Y_j1DEX5UTYA
z(JEd=EW617*wMn9^sRw8$PHFouI5YRI-~W%6SSJyh8D1vd3P~e)5V&qx`YXvRZMHW
zUw;N|%|UFmasX8t?!*<#5LY%@zd;S@idCZlE-98^uDy-aYXYaJKAbH9Oi?|dxkF0V
zMC%XzhY&?e08vyRBL};io0~AStEr>8K$c`DU$uYR92!e~7)}`GA1IS;U^NjFyRvFz
z7qj#T*Ds<5S$lmyVi|KwA;!*HrO(;ZedT`zRP=%3j^S(qY^+881d>AEX!GNRvMLHx
z1XB%LPz9){pyc0yiV{gs(P=>KkeniP&mWv3)c#LSQENl)pPVAKygxWa>SrlVQG$X(
zlty8QloX;g3PYr%5T#KVA|-`r9$<(dTL8>Z?**t(#h<UbcqqvkT0HdRB;dDfA~{2a
zzzo_9+i};iL<q$Ux=_=SXZ(v9)V-CaWCjt3k(C=@HmDo5AHh{HgE*t+qMT9Ey&TS{
zG<drWZ~lBbTf@rFa4wf)$?)gb!Mjvuq@jkDsy|;%!%8j9pWjQvs+T`sUBgNp9`x3*
z>g~_h(6G|z@6Yd}Vby2k4w|0TAb!qvRA9)lyv*$y<%QB!()6rU46IbltW?HWsia|6
zDth)TJu8-h6>F-Q6>E$Y3$p_7&sN6I+J<KUP9nn;a}xZMXGn2>>}XA}gqCHw)3VD_
zt+ip|Q->c`YI`|P9W*AX-R97qIt<xC`(f34@<XnM8+{fM!|k$6<yyG?nB+8SF28G(
zlfU5)01G9N)fSs8j50NP4FXJ`?KAJm<Ty~x_sj&Q&xphwvx=}p_p`Ac^(r?2>eI-l
zMNL;_#}oq8hfXqmp3REVe+y8bFF;-*p*}*A>QgxD^>+`n-7N+s<{;XiT}i0V@F2^p
zB-ICC1|-xcSjwjhNT?6&-1VZcJ}^<adx<X#xIRPO78}3fF6B?qJBDuH$1SYXdqq15
z@SzV#*nWo{lS#5qcfkY0T7D1N$2T3Qkf9{mhc1BBR6+L1nW-E4#ez0yS$EJVlI%kh
z>;uP#y5<M0RX28Xf$MJ!an~w-JW4^HT53R}jgUT{iNnrafB@AtFqqyH1n7R)7oRT+
z*D<?#AV5ePK!D!y00M-R_dtM<@*W5fa%)s?DQxcDs_yGeC?P;A(vk45p$jPpkjc%?
zPz40YT56pJ5TLK2euh%<_fYX}B+zW#z?g7->6{p!G&5<?AnDSdp}d8NT{;pHA>|ov
ziHKeoFzkD1fT48RR;mBbP>vLwGYJ98_wQ|4(UEP>r5s2SDp<hsN2`9sC!trjZqfYQ
z1l&9g2O$kuKh>?gU8jwPL#<%!AtcUmc;Z}i?4bzZ@Wj0w_{4*N;fZPR!HlTkiMKgp
z_o2T4KAp*7vuhi4NPv%80swqA7;G?@^@=vY_GFxW<_Qz?VJDJFfR9ye!~HO{yTOP8
z`1neDBcp%VquvKL&Nvq5xWQoih@&LHXYuiwZn0-V5fb3jm|XeuRnVZ+q_7c3XR7WZ
z0Y0y2X(vo}Zbu%CIJ!<WN(Ka<#m94y;|NLcQKJLF=L(8;FY%=aJ{<=8fZ(GVihG28
zX;goDyfwf_Yq1aJqh$C*2CmQEa9P3dIehiAYucr=pCf%wUs>WSrO(8H;S=PIH(fSC
z?f}Cl?IO4P620_l(`DnI*H|3+HC*kEZtjRc<A>dsKf5wP5Yc@Z^C1~NgTj9?e1d#v
zL9}+^?t650K)0#dE*DjR_-vJW#zcG#9qGRjAU<2A%gv-5Y2f{1G)B8n6)Gla7n+zK
z+l2~>&(iuFp!f{)K4!Go=lFAv``Tgs!+_#L7bMgeqQ~_Dd?I{+;uCcOC_bv8K=Juv
zF^UFrq+gzq6d$Ank@)SSE#*7vkrbb$t6lVlY>u80J{%}kyR;Y3U%c?XzVk!-tC`iU
zjc)EXLDD^9*i_{sjWCn$jIl-D7W^#>{ZC+gx<5A+K>s(=_rB~H57;K%jSV1U#BhP*
zQ8$me5@7i}dB*%N;3iNEqGo`a6mXM^#h!bno#IkFp9l0>m<0ls&o|~$UEBOIAbM8P
zO;~-EXcHDyKpOFz<s+pDp_+Z>99>Y+0eMa>WOdW&3T)3gvU1&B!$rRipdJ6JOVy+0
zeVJbesEq$QfYpma7ii11V!@Z#t8OMI#eoJiB!*9+fG85se&gN>6p$TKqu<`|9w%JD
zhB@tAvMy9tUwTyIv$Eo?2lXKh)5s7+WTM3%#fa46>Hft8+K=vEMJfiDjWkSHt{6g#
z2HcM=rWW~P4HgZ!p9D-j^8Fbs8gM_^m_}s93rr7iKVIZC>Gi%3P*Q{c0DS<~4HG~A
zg$Dm8Xz*3o6tm~N3LC0FzPPmt+xg}U+;2Kr{h5RZo^-c&v<r8_W9)p~@u2gQ$P`nB
z&3nNPNlStvkW<7_`+!J1VDWT(*(KaR5i-mmK1VrAN)7xtGpCWz9wbSTVd^MY3NY}4
zx}vU#Vo*B)3OIjJDQ5q*2Iy^S;0I7MX!iq^8vo~(vLWx?Z&JnVet;B#BDQ4j3G_+3
zTV)T!CtP@baa01aW<3-oThC_6&6~&8#CpzdA0{`hJp1XW=RNO0&0C?{zFeKdb_|EX
zIOMs?Hql(#@p%Vk-+<C_xR6M`QZ+MYzdeXQ9&YkFB29eWJual_(S@g4@gChrJv%ov
zeX&Y>p?Vc4KjFg8hfHhMgrEns7{XK6W3jW(4dFy#xbSDfL*}Oqq9Arht2l_g54kY!
zZw52<|C$1{pI!ipr>ENvk6%zOhe6U#FqgORiYap`sRKrW!dw6a^e3a_{eD1S{V`E}
z#A8xP=G#+>=~2pF=-oZ`^6&9iziB{If1^pD^CD58NdSy+rKgAkWRmv)zM{}1c=wea
zGzpMNfLThSNu<6nf1yc!1A@$yfFLEB1gHoKG|49{gDkcx*d*l?o5TcQC2lMKfRmgz
zBW+3nC)rKHvwGkpJ!7aOoWwN$PdLd2<rJzCP7>=p;SV^;P3H-};3V3+7=OY^YDj}p
z!bu23iNTU9&<8+1kWuIZQ-G7CBZ6OWl98IENh#qZso{UXNz###zu+WknohsrB=e&1
z-*6J|MF6$>-6V2FNH|FX=Qo?Ahk>R3FKm*n6q|%X`Tz*a5y%5QK%dq9Ues^Zxo59L
zk>sv}dW{lAa&|Ehm7p*w+1V`8q?|oHlG}%YNrmwO=H0`*14*0GWG4xmi^iN4{)F2f
zjCCPctFvd71p&s<9qhhOVW~*{9N-`bNu1V9(Q?;7QN6Eg5;R!O3Qu3Hnn{qRM_Qho
zG(Bg}(N8YONz;2vTAmAOdi8TCAjt-bNMeWH=LtufMxe-M2W7tlrg-Kk`W>*oL7nV(
zaDVqZ)X~<4G)21u$a7$a#Z=d0yy|eW<$==}RX@~GFQ`R-Zu-^l*!j)A4-uN4kKy|l
zv58pULtt=)Ma1%ip9`Vk5g@CcSO4%pMKSa4_jk+!Z00VKHkSqs4@JKtmtIcJgQ;@S
zNFl=2lKGANUPIe4SeI7ZNAD%QN?(U=qPMRyW1;k8`z($w^f*eQG^r-X5|~fDZpv9j
z`6$%`4Ah8`#HAnC^`dPg<IEe-<j5hL93`A6Leb<v?cAv*$2~25HLX5uouZU9mccr<
zv<e*8m2HMv95ysLIAC{*CI{G^F*G>_45i>CJzy>irQMC-jo^(V!CZu*$?;8LcLPX9
z2~VbIatvm#R0BMTrlH_3XmN1478Dd{ifJzoXmL2kYZ~gz=2q!y8ftFlCR*^yO;qa4
zSarq)e6nlH*4FIla2Vy@Qg&^tbgPtITW6%2k38Tdl$)S+#z%)}rI_D@uI(eE>fr@s
z*S7!o0{%W|arB1{2mCP3^twegIU4Kx+4X}S2LOZYc}5gx>u<my|3A=lGog?w6nNs+
zGjV4p+;0*E48rli8TJ?egY5BDc0M!kARN4$aO6y!=Pn4@i}NM{FzBFtz*0P5629y#
z0D}MnjTl=VJ*B!Fy)ePzG<P38R|hp*jv^*|@q_fasL27Ea5?likk3tX(G=!>sDX_I
z_a;R5=0KmL+5pV)o-W>fi=lC3_o`F#AH%U;>>+LSD*f^%S`f-bmTBckhGobY>NQJr
z(Cu2L*sJd@uj)SQL(QjChd<XdzW&>^@uz=iy<@GI@Ai88U#IBW7CSvd$DDF=ckSiq
zEkej`P<uu7(DUeU(Gcm2+ATy5BB2Q16lfIJ@mW}g7-|@=KG`w-g>lH@H>V=^bX3S~
zLcDJuNbzepyN+{4belfu!p%uU=H-bPUSZQJKTugyY8+xTRYl(PvD?Qc<k`rbnqEO4
zYdb{u#jnI)#7Ku&?kHpih@-_@#fQY_#A{h07yD%ib~}|J67PfCw$5feG!Btnt|FT^
z$JXd#!`PSg&0qGCXashXn6dULuUGbOcxfDBtzx@)`R7~ytQ*eNJ`z&l?h@w{hsYgk
zqNt5N5;RULjuq1VQspU8Q6^t@wf#_Bn>!XHUG@HZNz>{3p>Z04iLohm#K=3)y*aC=
zFF)EmvA{Uw>bfL3*}bs|VSLwR)vxv(%y|-*n0z|<dNT4PxzS!79g&PByC(Z3M<sV}
zPR7&YuYc<|rM(QfdB!w|PBw5VpB!70w)su+ZTh*-8;E?X>(IbS9#fuDJi_3<aR?{9
zJeF+W*o5rO)?fB0%&T}rMq7rO3>hFBA#><y;4rCC`u=bN!L%U^k&z(jzauc+l?Y5Y
z&jhwKI@yq21mT+(>V;aXodQZcoyMTLvOl`XiTYJ{dTkj-T!gOdrs8GpM89!W7>+fk
z60-DGkhHga7immbrB(2Vnf`(qokP)+$btG2a-zPqfp?w$g#?#%QcO%0EftxKpI%_$
zM=c#%F-`9Y{i&7?eW0HA3DFvdMWRA2a*iG_D|G6d@*y!RgE(U9oC0JLU{>O}K!J9o
z0VQz7R68V-iU}sGSAA*3UJm|7(J;|heI<Lk=o|)|NKkDjc}Wc43^EqbF+kKzwl38H
z4-T`CBrr*r2S*ZQ`2%?ac|*+zIFhJHK%xy`K!^mUjOdD;XE>UQ1eTO9G+4PohbOhu
z;jM?g&0HRDx1kR@nyux@(59d*<4k)w@@GSUz1xJDYz*V~WWSW5T}h7L50MY6ZP-j!
zHasuV-|Nq@z?|vhM^|8Cc12_TMR_7G02|Mg^#0tmkwLNjF4BF_5AA+d@u(&ZLD_c5
z0X}B1+dTHk7}|R?x}Q~{`I9j!H*+Vj-jmq@!}f$WjS;T|o6WVGYu6Yt9<ku{``2Si
zF%K)EqVag#(i@pAK&<0&=PkJ3ChC}y;(<HuC2&lw!?WyscH%)&>X?ehd8vYsmpE?|
z98+)Y1J2_CoA6~{;h1_3#}u1v#R5Sy6Z)%4f@TO^EyR}L#S)V1c(;SoyAVyq-kESV
z9WX#Xu7>uG_eB!_H@1!FOqZsd$57<BKNnft&jIn%LZw<&*r|aTbJsuLp`(f%bf8lh
zmliT|XxAN=;hKp)sAw{`OHTBLiKt@6o%s_m75$3p_5>fD_wM!_x?GE`8L)kfet_*$
zrsU@lmm1#2q#Vyq&xLR14qiKF!Y<#2Y`;ZQ9rXh`zB3=>bNb%IGCc0gx6#li7S1gD
z<{XkgTQh*~$h1rqWeIPSP@~7Z#Qj4YBLD;%6zpz?4m|41n(An+_5uto@k9HZ)p71o
zE7?O4f$&ba>HYCmH7y1|v}K2ERM7Lwm!YzuiRkivmWvUwdyr(6q`Z@1P}7phIU6~A
zJQldgVAP6rO_kAy06L9$*}YuxXzi7_@l0Zh?R8$Tt7?iX+cKEO;AzDf#g%tz^Qv1}
zsnG`R|CzY|7ow1OMj+F790MayA%;|&{7eEPCv@X~B=3pHhVcKTXKJCG$ODMXS(w!*
zpk@CJBGW?3FEYW<ncX!#@Y@mD+2$iJI4YP*59lp<)MWa-<9ao(u!I6-#{6FaGk~Y`
z8<+t(v%4MAeF3q&LR?8bvzkz<F3?oCo2VR`q*km&bRL-R?eu*d&i0~`>1`CHuw&&G
zRH3^NllHF*A&L6XcU#e(17JA7P!$KjAl@Kew+R`OkRb`N$y=ej_^CcL7FFmjB+-79
z?gHiA{iP{0fD8T5vo<9$O<?!@Kec2AyeIi4Dy3$uQsW%ZUAXpW$?R1@NM;B542g##
zrDPzx*iE88O8CfCUcL#sq0~5jh!#xnnZGcX8LC7?KJPU?htyp3vQ1ThKhO23F4XMQ
zAR<8#%m0>-hLf$`>9{oxs*7>BpB0%T2tajVYj18BZixrm`PhQ$LO|x-IL@00s*6oH
z&&nwx);?eXs4lGVWl6aITCjAQuA;STW}!$D6lwP+ND{!A^ofU_CQQD+1C3Ul9a2a2
zcBRarl;H!@6+uf3kZ98I0pqFjkh$@4nQ+0vDT@~hC=D4HtwKJQw)&^bIsT~~TS>kK
z5I_O1aSS~LrqASmYR1noWZ1c;q}zQ%pRvN`OY}$kX<q1me3NH|WVTHBb4)(Tq}lP8
zzH@7@z86A0BUQG{lQ3Lfw@tnKLTgdyerCRKW&7lV2QD>bVIu;==I>E$uy<%Q-st7L
zPzI@j<y_H*U|}$6@Cob{qg(t?<h;Xw#?*c(BNQq2lYdFE&B=<?|2)M${9mTnbyP{}
z->29>XHp6zYNa%=FoonmMnU{RazMuVlxgXZKp5?BJ>{uLP2=zSr1GGC5bRxO(MqK8
zR<M07hpFJkHC&c;B+jcJ1m4IST-_e1RQ(c6j#l30<Xt|VKN~h#k1|DZV<k)wClhLL
z$LBPVQ6w*7H_nSM8*SdM1K!iyoE3R0KS~L_h5P<4#fXlyh@^-QT}no@7<%YR;zO5`
z5p9A*1MoJTR8U?Mlvt+=oKFb+jsfw(DB_SHFxB#)MfhRCON%I<R6)=oQbCz65b`p3
zAq@iFv2hVCmcoF?f`DU!Wh~tPi$EPgViXF>y#{-^zkv@80DRC<g_Rr>7BE=5y7j1s
zokx$N0a_s-YDoA+FB`9*m;FQ2fK!?Vr`6mtU^Bt(ewb8CYSGc&iX6ERcx41xcOr9S
z0&i2~$nAwtsH$_|&4EPu6BM7kbUGY(_r3L%xw5e^V9XB+>O>W`J`8#PVLHuq;ao_Q
zUC4^oN=TDO@AQ&dvr@cTr!?9b!;Nnx+)OCTQ@A8oQJ$LNDS53ZPx*UFIuzxpm2;#A
z?B32Ta;bJ{n{F&T>}dHJ^hg0OmHNZpABTMPLvv#IqIl@qfe>PxyuKU=*9h$FGc9~I
zC<0<MkU@az;h-=QVen>6Y*Wf0{QP7wPU9a-v8o@ve^N4tzPH1f59ARDa#3FY5;25b
zX{zV*8PQQl7NRL9br25dPf2gurez2MDhOMD`nZF1+7mI--2kjrkU_KuBY8l6nFcBd
zpk!Qr&cO6QLgA}IsvrobtIruL)*wiS1wD=V`r30wnp}z?{#h!EZakMT`alovG$V~k
zjLUw`$OP<W*Y_-y>$jgXj&BEXL~xeM9PfOFzD7KPjLxF<<NPOd2D*y%OYu#_!1L)%
z<ro%E4F7RILI2;cU%Cxa15#-aN28zkWBXF$p<mmVbkY5bPzx=QE(+V1B6QJyuzhK>
zF7)FW2ecfuQhO&U6bN}BbNHtOA(`B_G&K}~b=u*uXF`lfmVyESHY{;@Uenn;UnHs*
zFQ^Z%B%l{Bg3Sw6<-r0`KVxG<gTUUraAb)KC>0|4JPpH06<!JG7MAwrh4hB*k#L2L
zarjhT#B^TxV4l!#Ixk9<7r^F)@Oh5D;r#GLytfM3f&CVg+Ou?0Av-YH%=vTA(oAxT
z1NYaSrBm*(XKAuhcklooMd}Vdat>&t-s9gWMF+5BskJR#9iS?ZT6=4fE0%OD>UQ=h
z4y2$s*hHX}>xm@<$P79W2~nS>j#Q{4IqHZM&H(oTng$4AL6eR}(QybtCx{#tK~$K-
zo~`z2NWBX>8R_)UoKEl52hoCrI0CJF1a>Qd(ts5mx{aU_$TC=yq`8%7gRM(jX<MM<
z-x8gm!b)OnhQ&)Q3(v4vmsm8`!cCp`G)vS`)`n=h<W+R&mO6S{BdvbDJenaPI#r0a
z=%4!#)**O#1SMR6JxI$pYu<{@Kr|ypN!KFvZDXSaYY{<obg0_)IwTg|mW43c6ZNwI
z(#c_Ov(-I_hVF=iBU5uHfoksiUl1Amgf&Q{#^7tmBVu2lvlUo>ujGzBRcfk70`w<c
zB04|GI!39zS0&!o%W_BGi8w^46ky&G<2wUbcIp2s5`$5ST}aD`y=(eDZiI3hXgIjp
zoXkp0h(n(zj|pp#3i6oI)E*>i4N@Jo2Wb(x2FaP)gG8zep6@{CD&z$Ub%80h2B~KY
z(nM+v(yuK@dDI#t<rX9m8NeDO<rXA(0BevGTaa$1{ju=~P5Wcx5t{bL#v?TCkBvuY
z+OLgApgTxa>^I8ftKJ;ipAWi&n?rxe4*s&Db`?>wgAK}EMFSP9idq!Aib&Z3LGCId
zWe1v|JMid{9UwlSJMbB`m*WGn10Rqb;69@Y;e#4@%jDC&thQVR{eh1qBa^Si_pxNU
z=Nfuhsb=!kysXqR`NCdaR=qO$>Rwjr@SwMsRqsr`hL@E_CZE~I%c{?8%ZW4}%UP2h
zf#T(`$|{-b<FL`{GW=c0nXw(TQPWHK3$0Ybtb{77tW-8ysl-{S9DoNWtW-|evld#h
z;47?ER;-OytT-#y0jnvj6AEQQZ9^sOU!s%=AWSgYFi^RXXaH;^Qk`wtXnEKklnD~I
zxv0bq6crM;G<drWZwDr+F>2sFNEFU_lyXbl?s%Zc(^<E;hwWc*f54-&qj;(O!w#8-
zcRZ9Dg)ke~euP%2fJVXHTShJ(dKl*AoqY`!4+(vXFi-!p{<8w9#Y6U%w5SvKG-~mX
z8>vy)<9mo&JT%gc+&culc#tR@^nHCb5T)h#p$``!+82CCi9&PG5^C{~LZa{r77w{8
zBntED>M4l=EFKyYPAU}SZa0kya(NXf6pHz?qt%9f<0};k)7|W5D-;U4qsCkQsZc1O
z6bf#?6$)Ft--llDrhSa=enu%2W+@d4`=ZvWe+Pv^A=h~|C=^CGC=?0@>}gWn6ZkKI
z!ZYu6lt5ue%*C*a(XgZlbS>1DA|#>%5seU#0)@G9<(4AEK#mwvTZ$0N_l4klySEnk
zdSiqG_!%;q6NYC>l>&uash2{afX2g;q7vs!sb8H`d{rt&rUW*v`xq1cNy^*h(<Chk
zs+KOjD<uUAh%jVAJg;s`1eOqRRjLzECtc<m?|)bNMhfCUQlPLe(h~#<p|A)Hg_VAL
zIbNFLUVAx#!rF%Tc{=gTxv1_&&?ua66Vh56K%-E<tJSCzBnhl^#6j4Zn1r&@Cj@kY
zGyy)bGpZA`39NM8jh%@#<R{j`2Xo;WtC^jNg&fuyg=pdIuGGXnGHX~mM2QxttwY5I
z#Rjv!@dwPzbeNUdWHQC(a*t?XM-19+H>O9lFmv>|S*Z8xm|}jx>==HIkAvqG2Vt=R
zcHu(eaGbsRQVjo4W^Dtte~2MNDt{)gFu&m+gI(A{?H?NUji1(JLhc`$Di-C>1^L42
zOF7j3p+PMJC;Fgc!b#<V%$?djR1k`L4vqoo!tvG-VOo}9Ygu8wG;;fp&9c=Qc^B^e
zAh!=aelYQZ&&#`KZNdxhj|rDPojDt%3l^ccev!%W7YQI;czI`7A)WP7zsMLde#PPp
zcs1sQeQ`_RtXIQ|sxJ62_2E4$43rB$nAIR%ptcV=cUy$fXgLA0BKqrqRn-0=P%gN}
zhY#5mktrR%2b2r0@fORQ;CI+?k;cdgC<r~I_VHy7^J7i`C>Nq(0nxw;P%bojYaKJP
z4BH!czbvc@lnZ0-xseNqj_ZvGtKnpTbb(YZ6okefqIcJa(U`9TbiSdabYXb)<cOaA
zLr2}UthT%8xop;5H~htZZRzRVU6s-!AKH_>t6OjSxeIM9;>8*9OHAV<nxr(3UA8Lq
z$`%pST&I6-(t&ss@&cwRQs4AP@f9kotqloq$5EXjY8*yaIS->4hk?Y)nMsHJeIMGL
z?GV_|D8vJYInIaW5#X~nEtpRjO3y)ysNocm{(h(Gdkim<Wk-y(8D95@`TY9}QpK>5
zY7yDeVEBcs$y`^oh{)pWe$cAOs`xMI*N$<aMMTzKzf-kW-NmA3$2&BjV5V#Px7uqE
zReQa;2c@Y@Wx(dYy&T}y_1eQd$?cV_$K1>5eM<K(H<^2vyY3cO<CJa%d|bi3#qGm8
zrP~c3cf-e;r*sGM@nr5m{w?lUG(~GXpBc|Zp@e%2uHwQ!ub-ps!bkG--^06F{Z9B>
z)x7@@+=Xv!K5mE$e<In(naZfDZAfs2VlT)ZM!ns)b1cz&6ckWE`5>riv9wZ@eVvhk
z2Ji!;wjhD<7}wGE1zh1y4DlTc$U;AX&!}pFg_agWdw~G*%}bDQR&W*wsD#s;EZ+Ex
z(wU|eisY$q)5kF)FAB0i7ct$Ro%R3F_U7?W_J8~EdCp=<VP<TtW{9*gV<}RdGfGm)
zkTt}}D3P(3wz0HakwjA3Xi-|FeIF%lDoSaQ(1NIDh!Ey{-sg<2>-)X$`}@3}*Zur{
z*B_OxoHO{mm(TG&-p4URh2>&%%2xFkR<E!@`UJd)y5~l&z>Apbsu5TBVSy{~A_T6(
z;tn(<xB@RCeI6*S4q2#n94>{)oKHQ$Y<ra>C`rT0XS$Ci`h7l$zhp{@RrMU%T<Z7v
zD&OaiS3S-iKksS5!XvvV*X9oH2&TBDxB;>Q;@tWQ7o>mV?E5H2O-f6bYkaujo-F6v
zUE{ly@Rt_z332Wd{Lm}zMQ$;t_^qGa1XuWBC-`u~J$a4Ke8G*t`OIRU*puX7;cLFI
zn4h2<6r$J7N08GFfZ;}<7s1kHFD%pywLy&|P^1Xw&nHKqt6`re0u4&4?~g#emZoX_
zYS%y^8Inj8^+MVqox8LKnw&O@1wM`-W@wE5#TJoDI3YCdE>3HEfm>789@Kz?j$%PK
zs&31@J&SwhF+OH7%NrCsnz6Gfr~6GBJlG*1w7P<^A`01b;Az(tfi6J6OFllEHZGX*
zi2)aa^o44}<8jmKClj5EkAgf8Iw1U^qR(D09(n&_24%=)r*+~}H?ocIb$kqn>ne-#
zxiccpM|WjEK1pLEh{ao#;U`x8uEl=6IaSP9y5ys!wXA-_*Y9a=6m+_E;=7^WrK0hE
zyPVb?s=lJ{AWBT2`LtUOi{@MQ<4eiN;}P?=cY-=X?V`G)QBfb|^&3##i&t(}=i!*N
zntRG9s}UY{Il+<oAimIRWjemmd^N_6*G$#gaKpRCa*B(M;|wIFe=mJVT72!sm=9$G
zTb<VB+}U{Gm22-i>&!Wu4tloR#o|k|uuGhMhur#J*In7JHYdOG6~1U2W|ed6?6op}
z?Un6;2^*=y<IULkmhbAKFpMjZ{4SjK)aeCh-8RV$&%;5(*E+46fqfVFjo<R>;_6&l
ze_0|RVOtMQPufS`R&gcsQ6@%KPhYL#yhi+^XCYl;TQxLaK4+7Dn!$p0Y8;Mzxfm9n
zF!rUq>0t8u;hEk)eQ<1?x684J=;t!e{44RN1Z9aszHhU}$!2FU?nTWQt!HCu%9`?f
z@^j&_VwQE>lRMg_@Kfkq*m-7#{{#DCc(@V$<BwQjuvn7nCi-Fg*Oz=;WnuM!I|)UY
z7^U!ry7oTUSln|Zo{E+w>T0bvj>hNS$G9IPJ<GSCjFQ{MRmHR5+2<s6KlQqAy>?nR
z97~x!JZ0oXhGfnr-0c3zpm`T7FtIq!59v8kntK~}u{!%D`@}O$ysEECZ^ok={t|fj
z1$g5(Z1k)y;cl?%WnC4Uwq;lQp<GFkBoH31p3n2=sKi}}o|kBfjgCH9z$$Dbp1#%R
zaQ5iKAK>X)3&&6QJ`?$@^jP`La+}Jlafdl&iKFc6b+0s=z0Nq-=c5(W`DtEcWm09~
zQus#5m|L8fXIkJJ!3>O`HlB1XtAuX^vOwE=8~O#ubk?shm^UX#KIcP4=!SKt>YH#3
zVVHYhXN1m@VfAgY9fx#U+ehhIiMjg<2ee*>!uF$eSt$Qu@?L;{s`?gEwh7+CBsV3|
zIpx_1JQd@6f@@$O&gzvg-38hse_H4*;_Q7advI)ApXGO_b=PG*b7!|r%@^pBRxkp;
zO$L2MjW&TUIf;Qw(nnoCCf>}@o+cO4nHQHXs5tzv-?rgCpwZ0Bv(oX1=Ds?Nxhw&5
zvkB^J#a7Uh=o(4ZOF0f}=|`lOqz{@8#4I;Pl5Cc8;1*J~((Ko(yEM|*-U_M>AHTHT
zbKWHo#KCLxVmXuR;KCI}XPnLFp1}0^_$2Gki>6CgYCDn#WKQdRgfp9W(g&_Ze!G(1
zv(izoKS*!e=V+5N{ljhzoY~v#yOCmKQJ~r*VIDm4U0N=E{rNSHe8oxKn~mx68pf|z
z4e+9p56@2+sc-j{k?Px1`y-ei5e@h5B}cbg?cnx!YKsfWA@?vo$x6DxI&rLldVJja
zAU(Nj+>@cK$XU0ZZ;1S6QR@@@xZ?7F_`3VDY;W?zz0KIx^y{rlbM%pBDKbgxdFv3v
zQHG@Mqwt!YjGkYw!0PO4{Cmp&Jp*%mWveC(r_N-7_#5|D_;LQyfpA~h8j@iCQ-jLq
z7(X&k%R2GPa_PWwFV3xDztmPqTc>TQiTqak=6d&=tv+9e`QLlGyW7*~<=$rdtMAvS
zt}y*Q-!Q<i^4kmxSBoT4_g#3&LL;+ZYB5uKX5ch0?Z{m~Vw4Pg%2?*yI=xD-{^04%
z^P0Z0b%A*0x3siZ7=LB|6GQ97TdUqNvf~DRIITP0e!Qt^{J{IjZ=Xm$z7M+kji+q;
ztiIGIg0p1c?cU}xo-|Bmh^)8Bw0QPC3QNIA-A-;NEUF#{XXuM*mAum<;$FK*_ss7I
zxU5a{evOCiwP*xe#3|Cv4F#xa!y(BziB+rC2aI3g$i!o3TK9gamSTOVwsm6r4Asuu
zzQdo#WL)`j(qcxx*PMjUQ}?H4Jv}<my7627*Qz~f7rr!ZY#24cedkmaW(}5CvFk}i
zf57T$!3N#LTaFsOdwnl!i}{7yt(K5Ja@I*M*iE(kb->HzH&!qyKg8zC#nrC`^0LJJ
znjR-FcGW;sgq*tLwb>YCt>4AWy!Slf&fDe$+W;ixlt4Y*=CD-WpPjI=uDtNu1GB~S
z6yCx5+~8y~K73N)izY1fhBTPbVKoIL7zXf^@vbe{h<E;4<NQB0PhB#)rWR5N9ub&V
z!PI>UVOXtfx@2?eed^;bMAd$tTM)G6Q2z&~b-J%I0&_yX;E6>s7B(%|dI>3YbncGt
zLq7=d^yLd`=YGcSVqsQ?8a_*h){lABUk}gi{Km-F6l-0@xWOC`ZIO}4<*q!c_Sj#O
zcAXvmxWj4P-OYjAboR=-r}F14e}&zFopSdv*sqN6Yax#}iS+6Qbo0+J`hu>Rl)=}(
zHhkk{`LKqj_#Yx<jp_5K+TTMc&3VP4maOf)!dLR<X5CpDZdhF5$MaHkqmGa9q08T<
z;o?zq9%F%wQPNt6@6DSwcr9qgUo{V{!hX}PZMi*rR+A_+cS~bzUKZYWDf7{t<Dk$K
zuHlgW$g-hmC^qWY%QqB$!7u7X@kbMueLUmSjXeYU<KCZnOq6#V>U$GW-f@!#>_v0b
zT1u*RqpO!RL-nv6-rNd_qSjwY?+?g_LLW@In~cS|NIsss%s$Z=A36=+$+-~x<SMpZ
zVsd*#zUHSN+vzw~a%0c@t5{dQ$%zen)Wh>fzlexC`!Yc=cI9)#)4;q3so9kvNDy!w
zr^(J$zq@mL|K=Jdf<87{DR`T8&$$d2oIOAM3kdv5+F$99o28$dF+|dS(9Cbv<@A0h
z!yu}b#?RAt#=NTAwZZ(A(6$HLbbELKZWDfbbiOW#T!sn8UVXRVcDzis=4}08PJ2{s
zQe_3&#~opN=GQi}WutoAPv61fpv7P;9au7Ui^oUa_=7g$%h;8Z6CQ;cC&|~InM$sW
zX&rYN!*1=3YP$2ZVC|WYqhCxqo)dyT5P+*U|A8=QYY6oo@44WwptCQE37w@fhtj*V
z=Ew`{)c#8w(u=(<+#av!MDXf7WhX+;YCLjVP(m(TDG^J`xwxXUfW{(U(OIM;OET1O
zqO%|x3ykP2__YDs1tqe&T@8{BNkuZz3*gi^WiQY-_GQ3!MK6H=^ilQ#snO4;R6gFb
zs8U#2&Naf7)m@S*QB?PefbA;yV0lL|WqCgV|4z2?=e^3B%5yJ>ij6BuHdO3xDA@tq
ziHeOAC7Y<&s!*~=)t7TSEvMAat(W^887#s$Hdut^0o&CT<@zIznJSBQX(oKa1*?<w
zH|u?mEYQY@DoYeuDN$tuwnLHahAQiyMATT-GeQYj>bGd5bh0!*5Ge^P3w*UiP+}w4
zE-jF*5+TXreIk;yoI5NU#TmG(81cqq#h~E8iN;fV$7HfI5r<5V%qQ1$vYPSDzg+SI
z^O5NM)chycuI*Z)mDcgLxUCo&DAtl}j~|>ED&^zT6jYqS%OG9nU(IM|P+$Cu8Lfc>
zC?gD-(GtEEFTvPCVMj}_aPaS4MZbSkJc9f)eS>JO|CkpL@C|pq?@t(ygWu8DZm+_Z
zZ3zwcs1KeJTtTH*r_$Gg@ant>%4`Hb7wGJSr^Wejap~^9i!T-KF89gJO6$NTY=p|s
z@T!l4y74$_Lueu>?JU9#6wZNz^xVIl1NRerbbR`!u3iLO(Y;?FtUrbp3g@z2O3%(e
z&SjK;aW1P<kOLJ=92mqCuAMOaBh1R=3fImz&zsicY4e*DOq}12lheG6_x%jly5@KK
z;Zk7Y&<N`?C$3yTSeLOZjI75y>+)E}6L&;TO#9<g1|FUY3r};N5ewOoNmyfyVouLA
ze#9cda1qh5upI|;^%;as89~h<jLLrfk)SuV^sr|!ZP9#t(j<jZ854VBqmpm0I!R$v
z<~|b~FGSXZ@(0#DYsDa*Sh4<pcf1HE2Jx%7cHuCHU&>u7;KCr@4+imJ4vTp)0o+`k
zAPffae#9U?TxnER!et8P#$Iv|ZiPX-fSd4u8*+jRju%V*>{$Ps<3$Nf;)iOsbt>lY
z3Db4m_1yLY{hf*+FrUw+se#)zOyKl68qJ;VFqWUB6nHV^Agf_4PuO3aRn0_ay5n$x
zS*w}4;YPK0&7j)5OH5$xd(zV#N^bm&J%#3pm%nV)wf1*ksdN}@fr({TS%~eOGt}?v
zuc+gr;oj9_Rd%A1xOXZ2FMchvMyFr)ec(DZulwPneUJRNP3{TQ|BKxQy6;mgGeP!U
zo(#J0laF?4Ex;49v5XN{T@w1znkGcLsmEmA!jI-+OU|UFsHYaROo&`!sUmQs(uE!M
zx;4j=mVZF1QNwFvrsdR65KRXa_zj*bqBJLWrB95}lRx+9YMwz_c<x8PSd=Af30^WF
zJ&zy7E?e4;nG!J|C2i2U%X3`#0>6ia#^+2(td`NlZ$tOMvon3Rr{V|rVAn~$)1p;v
znS6sJ))8+fdxT@pvxSMvUwTD9@fBb7mp?gs{js-Lo+T8#i*eVHL4FdsJ3n4;`(6HS
zLt5z7kDqSKaEv~F_DtBU^e7;dTh<ev!Ho~7;vRKh;sSBO|2LSKKJw4M+wM?b#sZ6I
zlF-*pGc4&Q{=;ClJ6v5NFu1$G)#aV|o49`#ya&f7<`u^u{SLGzz7FgNdqz}miA83X
z@I1fq#!>vlcWie5<gj_&pQ0t-N6(l!dj)=GMjM9wyg6};;rkV<Gf6`59|$`j88u$I
z-T6K%NMhKt9By6e`6KhmWVuK9jXS~HiXMNEKl1<ZDj}<UcWJ|t{461Fm-nvkqkkc@
z@gBXpPnhG&a4k>oDOZo@lY|0zx44C|+tM|Y&O(;Ds~JPw5M_<|KS3_uBiv=F$fvva
z^}R>_MvqtfH2<7aJ*7BHNK-Aq=bZmojYYTM(urTc-@kVDbxkQg@>=(EtX@jf3O$@u
zAuc8fg~Y>|8{cT(c#p#Ee>ZWh-R32cJ%$^NubW3WJ-vNNclH^BNB&l$=CPW~%in2A
zvV>Q%<M9|;c`=qeOCnvr<6(8y?PV1>{={5&nIt{3Nb5WMYK^yqB-H1?)7NA_e!K2+
z7`*l6%A2(;OL9cwx5y)W+ni@#x`&q~Kk|3FdHiVe`?AI+czF7xJ9u4YM-ZmcWGQ{~
z{L%ZcXDheA!b6w%uE7dQR%cEbpWk3nnYL-Ar={Bdz_Xrt1gk`!ecXCpHHyBSB>?*p
zft%94<Y8-jUZFyvXCK&?O#EA+2WYOy8IeTPrJMJBr{AgiU~!xn*(}~8rnW4zF_2D>
z&dK!2L{?<t9~`Oa(gV`?{4M!;`3U|2Or)jSxJz+hada{M0ZF1l3Bye!Qzgz4{KMBx
z$Y=Z)J|NMmWL4rH?(Fi`Lc+9ORW?`lR?0>U)~^49G*V|d4<WG3{l5<2#R<)@j#Xoh
ztM4k2z{T(lp76ePBmNdBrCiE+gM+hgBag{-kDgNpnWUbB-b@N6sfgGyQ8Gz4s4&+2
zwVPdy)Ade}2r%=j0?dq*jJF%LV>dx01t#erk(5pgp;uECXr^rzN>Vc=_%FG%98>{j
z9s(%yS9=lTDjl#%GLoxz0kFxZ^s}R$((i)$R~K+iJxdgheuFD0!$0=6W2WYVbW?)?
zaX(q<?1u-pD4qTMl6XR<e3w20Sg1fk6DqB86(lq<kkI0QgeHXA^r!ZvDQn+m=4Pfm
ziy)y9EL6O2kcImD!sN7jN*3zK1NG0L_6bc1;^{R2Gt-C)cX<2|^J1gn$d2X4T5IWP
z%xTL9&7UYb(-jqN9#l95`E-*%bQ0zk+kkz#%ep~VNk5f_F-w7cI$uFQRj^OjTgeFe
z>208&66{kx53#a5!J2G~8qO!#*}IW%PnnGQII0-VSGBVzBu4^g9wAZMY~>CLcFslK
zMc%V%$UdfA$v^#{{aD(N@ofbE6zHd|ZCsa6+@*~~EzGXvhJJN;$BU`s>bVK7f8~bN
z61A|6%REWpMsWDd#<{UJ?!uGmd|@Lu!HFL-o{u;p;Y$9gf_^$k&xs%_=%?u4{L>c-
z7FsUBKegf@O#}-~zTS$9WLp}f*dB*<3p-VUeai5XSp690yRr!YNb4lvqRIi?KrZSj
zNI4hvfPNZn%Me^d2i{dswZ4~V#T}_G#zuuh>gGiJGR?1|qhl%wxN^tu&$g#2A)hMp
z7G&U>u(^D_W#8;Rp80LWgR{8=#jRdq+?962zIA_zfA~$688_2fthhO&+GE1RhwEy-
z`ObdMi4d<nS~fs>DHVXN`U*x;;J~)~@4H$Q_|3}3-395_G#5sXTFW5QlISWp^OybV
zb5X6I8g7R~3JM+92m$_EaNKbD4`I~9><I2M>oDy1`g^bV>I<Xq2s<392PvYskQ^7Y
z$9Ny}F2;@IL}l)N*mkc^G%RZPteA5=bS!(^Y<4P&*ssZ#9NHNh!mn{%7l4`0uut3h
zStwq$0S&tkOxU<&A*B$QurAccpx**i*jA6CH0^P_fePE1Qof5|!hUofEBOUf*i)N<
z2|EO+uyK|v9((N1JPU-@(nwZQ7ll>7aTk`C%d)aOo&8g1_pd47`pQ$!+tatbB_F7;
zGa2mrZfX>=Ae^AW&dK-5ukYW$Bmoun{g!oqsIdPBGnR{dhazM3sDH$b=H7yJQN!hU
zVh?3U1;!nR|CIBb;@~?bKGeucy)yF6Lu%dm=hTNv>ifSZEW%PznXu$4jI4dUv(%(Y
zci_Gg8S8~2V~KZ)a>yYWwG8bu|75I&W59h^j$a^QxhU*{b7?z>ghe_^hlG^_!<4Hq
zWVuR5F3_p)K@EIRL%%==4V5BBCw$Ne9|XYvpc|>>)9FSR=&FT!Y@>WS+lWf!Ic1uI
z5zHvW)#$F_OBlU07<Ry~a>FET7`=?LFo$2KO@;wX$2>LY@|9eBG129}Anc*qu?aK(
zq`<bn8TTM?qh#F6yn%5W#z6vXw}!F*u?3G~D{aA}*ir1Y_W#&|OO%ZJ12fX(XRVZs
z`})f_IBPbBv6FaVY`L32pAl%Eh#76O)6D}2(tgK%`;WE?{yjzKY#cGu*=9E+&(cr>
z+0kqTX)uo6Y{lYL5{*7ZXUkmGIOob;Fqu(u@H0pPPfP5zs|&edHbKHK2Nu4xg{=`t
zknrii!dIlhhftzF^-NdyQl>#3vcbV)Cuj9sbcG*j<9xEZ*UQzeM?6(l_^EE3PnZ{<
zTnK4!iVtxo*wG=w-Eg<zi;+!i$bx^b-An#>7sug<(z|&4^(jHhG&m*5<+^#$(n&#(
z22F!Pk6H(t2x82F1OkC|P}o`1AV`B#f|#!Sh?DDrn3I;rCIt&Uf`lt31tnw$g~SCR
z$Ylqbf`<P$3m?e2iZqx@1LI;U5Ocw~IG2`7+o+YRN(n&OEVbs&(E>tr=^_H;+zmXW
ziVbP;;j95Jq>k7y$}{`GPu0N7SJ3i12YLCotvkGSRtxDgNQ@1^lcJUOcgGW4NIP!M
zJuUZ(i`;p9p2jE%Tu%*-|8_n3nz)`)4<BErj(-I$^9=6TwC;3n4J5sgf0AB&B1XHE
z6#TV^PD@V|t37WWdb)5h>rMOOWQX49x~Ir`ulu(~>d)Q!ouNIL_HY&E1KQ!MV;(zE
zxYWxI<<XX&fS%)Aqo9(Ti)E$oCboay^!=bF0nf5XhblG?tUjFNZ?C<4+D=f-<wyRF
zo-Z0i&)IQnGS)D@{PYM6Nls5Jv)&NiePI4qyKM(AuNc?8E%Te}HqL|vv)k;C(6Xih
zZeFlfyy1b=__u_aL<X%#W<#-BSrQ&`7h}@#xXGd=ve#JTmL%)1oI`+{bMj~9M{bE(
zXN-`OY~ZhAlFjbK%RF;7;g9F_J+c?yf!@<>Rlrm8zNhfU%R(+kVYc#DJATX?dvP88
zc{9e3x|127STiA4>a6Ge!+2YM+E^*O^2;Z?Z5MZ@Hf!LuUp9Mhv^C9@2AP~_GTVL5
z>7i=sjR`UN8}t1S2#Z%0C+*n1*SO$dE8|YQBQ<B!NO=WyhyQZJxA;YPxjER0)RT01
z6{5ar`NNti_jY4^YUeJuf&7))Z9O!S?dBbEH>RIV+}BrMVYiL52Bg({y=>w2j?U{{
z`=syXJG0$o6GwlW=6W8mdN%9yDV^kEBq(o><fLTB?yK;sYQ}fs`;*{h-+y*=J|e)c
zW85d5mal7Y?>vm_rhCV-?`i(wq`iIZ8u9t+MHpXgoFqOG&!_iwC)O`Ml%BXja&M-?
z)8}A#y}tg<tc%C0X$LIt)*o0>)+{mG9d}M^{*C=N-bh*{{s$^5k-EwqyKCS@P2oi~
ztFyP@L0*R03uCk48$7zY;Hg!}c=(E^{~T?3Y6*S@<J!j#p&rTqAj0_Wi!0+3^YRz0
zDd)>e@1!TLl!R&DMc;Alwna&F+O6*;ymj4nQ*!Uyn3JZP%yvf_e!1dzyRdhMW<9e$
zDR8g6UR%0j_cVB6`M7kW@vALCbT~d_5%m2cu1<`{#ZTzbrD3!<9=bfaKuD2!5>-=K
zG}rOsKDR3NN7x<X%NyoE)pW6z@cdzaq`67CKO%8hfn-tMNL!`#{XRe|R^yE9oYdg@
z>KDtZrQ;{Ro96|!nk;baohl!zr5+FaBTKlnXtl-BmmR`~#~~?r4sO@KobBYrW{vE8
z5b}Qmqw?D|I&%%F3ckyF_*WmR+D7;;C+<Jdrul%-VLjIDZ#S-O&Bc4v^G~Tq|0j&<
zZ^;D$qZ&T<?%CbbmVX|^s9q>BsyxYdo?7^_D}Q5D9KfhFX+d<tb9E4;Qml|{qyG(3
z{iOh@6qU<fxZV3I0xi69iCh6v36vm}1bDvOV1x=gVl?Qhjg&iLUOLPpx`0gSPu!t0
z?hLG`4q{K-pYmh^ds0Ej!OLL1M2E?+&^RnWe@`?uw6S0=XuUnX{<2XEMs=FR{0mo^
z^!1Bt8%BNXMSxSF&5#VQ(5r8z*d2k^{jMK@P9-z_jI9Bjf~5~cXQVBFQ{$(Bf{Fs2
z0&wahfKv_%gG9Qe1#74+nr`n%G9b{Yq1Zhem2~?6RRch$p3Wq|sUdy}bgDzf<S_x9
zg1uGNpa9^%?X4;o!s-<ZVcv?p)umiJZ?20gcd3hFA<T&z>gg~C7Q&plDLjEEH_Qnd
za!+$_g#h3IF4F}T!VWnI<GDf?Zo&mv2-^kd)I23P^<O=W4=Cjsh;8x|g{LvejpU|)
zr&1A>=FXYWqALKYLX^%y+@VDWh~y@|XUQxVx0TRtk=jdFx9lkS<855Ft>oF5w!S?I
zL~08DVcfxx*q6+Cmg#)kSWkTGf`!uA2GMX7AK9-lv=tndr~6}7Xn7s$fc%jEQrFUg
zZ&%;9Uhyb%Py<QgXWCowRR-_R!GL%#wmbJ{*E$7c1y+TN0J7Td>rzp<Rmc6tFu_q@
zTqh7~{8?}rFe@WVgJl3(`2uFu?x`xACIYdMDFwG3{Kr0hcqLLBAfy|FBH@C|hOdyT
zMcG$G^8uK;Hhn6Z?E##V!+wTXS^Kggv!~ld1;U<a;TGZd(Yrsece3!W-!ZM>De)Jb
z67idFL^nLZSo{nHTmE}Sz18_AYTNw8FV<Tvi+?ZOs?$*9F*k-Lbo68iFSty^-xw|f
z=x(30VXDXKFC{dwF@RO_rQvNZy^Drb9NlopzsaLaFRlBsTf<Ti8SaRmk=f1oK7S0(
z{Brj*W*?4eja!vo^IFu}4(J56KnYHG!bS}ks|GE}AQ1xzg?KPJXOHNl$S(64KocXg
zT&T#ne7pQr;;rI+;^c#iZ1(0Or}GOk&u8At6zu)Kk!WJ)Z(6H)trC8^s{_hRYzJVB
z&RxpLB(=Z70bUrL*0J2MP2=S~YUxudjDG(+7!JE!|A66VS-C2^yB$H)1+32RlN*$Y
zW=`VqFUH|5HUE}q9R5Ag3~tgW6Af(AcoB)_k6!ugy!=qBKYHb_lzQcw2<QXHb<-Ra
za^><22E8{*1MNXOkWx?yhHW)eAzT3}!NUP4(3k+rYS27`p(nAfI+odX1hUf3iRR2%
z`glOxb4Tc!cXVh>NL#{c`3b28cIMH4B+th(cSBo@jUTdrHH!J~+i7E&kDr?nhN`2O
zH^IR<>(6!?0fQU;zQq7~6+(z79YM@K_WoJl84vqAuZ@sC)0HX~21b<e7WPaNZ2WT6
z)gs(ti^W#PUW?Nc%&wcfo^;oU$Y4XK-6hu6hR*baYy{bh=!-jKd%}2O3as3g$VUG|
zV|)W)+Oc7Gr+`ZcTb$<F6>welaF?3r67awdZs<XWOx}r@Y;FZlaF83egBuCL76q_A
z&yHvUkRW$%Y^#ItHdmO-O<3H|4fz1c$bd*jAZ#&taA%EBiaCKaK`t8H-AP)G63aXD
z-R3Kkkp=;lt2TFTQRJiCa{w8<W+90LWS~$OO?x&fcG=GpWnqfFHHBQvhINb=_?&O7
zcbc>p+vu>zvt0>_zZ@0{s^?<>6sHt~ZqZtoSBJjGL#!6h0PYbBGE1%R=Q(R09P!09
zY3;soDsmrLv(ZI2q2)11DZXcLjJY^nigjkyZ{a))dl(q0^$F%@SJGRsn;BTe%EQHt
zHy6(^uw+jJAbcuu-Cy&<gD+wRi*_;AtT?c&-S?W@>$pgsNjehz(wz1DY5y0|QtOY#
zvY2N#1X1Op?v;Ds(|#`Jh1?laMKKdkgOrdMzHq+ER#6bsh5X%341aMsUcBxn)_7L<
zRcpIEH(qaq(~J1aQnhmNIAId?(Vaje@zBi35S3r;==2`7Y+92K-9R%N8SwVb%p`pf
z=4OUi-4-Tf(tDPtr+c)vTb5>4d#<!{gO2C|v&I-L-HB>0l3jGm_H+^)*?msJJ&H}T
znAJS&?VCVwsI8J@iV&m|JZ0PegWGc{z@>k?J)aeoie895i;!TO&_h@KRu^v(=ZQ~=
z3yP5!MJ$^yuqz*)xjr*9^T}Cod-jp6kj&2y$QR|;{?RiB)sFuk<jo?2y!or0(%cF3
z&0aawIIi(z&IA?w!vl~Vnd18%w^;N9oIUqk!mrBOK<5yh8F();eW3aw^*U_Mmkp9P
zXTs+EAM)nwKb!NvWGajslHZovTP>>oY|g(^zz3#p11XF1-_-m!_U1pE^F!zTy*a-T
z*8M0k3K{c@gu=%o8Z6Xu$9sXTf+x>Topgm^I6&5<5c(c{v;^&>8il@x0>@nQ7geFF
zLk=c(X=_G6deR!Vl?rXlAAJuKfH6NpdSWqI%t`-U-$QF$8Wr?CjxQ*WecGBp=zCC^
zWMd#@PDNDcCJKFz8RLh{Ga~do$i}+!={0&}0?^DcVOE=|)K65cH@#=1egxLtb;t^R
z54C&QC4=f7HF`CAZl(==GSDvvrR3}I8O~_EY0g;2ev7jckeep^-%h$msC#HmyJw_&
zDy~wKXpxSW{MjfR#v7(cO8rv?m*)R%rErjNsaPqTO$_k(+*fw9xh~VWOQ%6rGKsb3
zhB`P{@nT@FmKQH@;D%Wfpyh0?Cvz@4B8|(OHaB*=gQqZ<E1bqnDBy;qaABQjgk?b<
z5H2k^d+C$rlCOfc2k<S^K)-y*e$-6Cw<Pq-_oGSssoOx?W1=D%0eoqKzGWe6nOF3<
z#QHqWeY1Yso8Xe$v%`Tw3ET6k%I$gav&avUZ#&*Fw1GCOZsZbpY*96JWuQ1P#0JS*
zG#4!7Jpw}mD+AL4KhH*ZsMHk=WCWT7P7QPpe59JRZrNzj54ZP$7J_|&HzV}084l6H
z!w*M5Y~jqjhuQ^OuY5wJf!g8<k+oPVn)*k2;{U_E`=nyt4fz$6Cp?n>O?iS;<Upa4
z74kT}fK%gK!{8a#KfS7;v_}PAxGR2z1M}&uj`LYIJ`}jmnFR}GyiS@xaGwe4a{wPC
zsR-c-(4A21qhD1hQZ*6i8xcM)9`@{hk0%26SwVgNt%#n*k(zUm@Sz0vSvf5rE)&GK
zKncDnCf*9C^c`@S$kp3V+Bi>*RziM{zi5*wx^hVgsCA1$uDem8)=g}s16s6z4DxWA
z?<hJ+atI*05gO;BHNt{eogFoqEY~w*8JjcLYX>ixpb}w9H;Pq_i(rnL42}D?39vg$
ztj;RV^<%>@M6M@S2=hbfH4im{)!D%DXavCjF(5oa(TO17|2CO#K`t#qVYa?Af_ZI6
zki}RNIO^LhROiQ49x?||3S?|b$b;140#3o8{mB17EgrN>FGipMzh)D-)G5U7HQS|<
zz4WQVe&hi=^p)j(PRt{AD~Ts~#SVKwEYF^N&1TjzBSv$XPr-hK<sj^03!kzRthgb1
zx=?`67{N(jj^1VY{G$#5=)BoDHcWj0p+^_g_owjqDX=-4s~Ui+D#-KWVNT8C0OK5l
zvvX<4a3*Rw6|||0ff8{WF25H+$CZYLDpcHp<Rz3hF{*o_ItXfH@Xp#J5!=6}%b5y1
zUp3-*arBVGKzam1@pvq!a`d}tJ2G?|9QGP3Hp|f{m|K_qt~0n(Lizn;uAX>6y$Tr;
zxvn#Qdda13MyHt+d`TK~(1GbQeJLisd8`3oDEfMQ%?V-EkT+dpX!|4>>AU?lQeOnv
zXFlcGDGOT|^}gv0u=99u3OT=|)e{j)C!aCe4k5SK6JPY}Xsv}=9W<_A{AYZwx$shU
zKJZ@P9-X?y!bul$`^<;Q0@6;8-O~Is_>HP)xbXHj^aUQ+B*oTs8eQym&v}p*nQ^#f
z6TaR|idkRXnz_ZA_L?tB^USi@>v<E`IiOkl2!_?-In<*5lX?wlqMrSt3$xz)(MRn4
z-P$+1#m%1_^=NIz&z~Rb;o<2Y&FABym><~TQCA|mcgpI6H|&!2EynrRzhbV}gkzoR
zv5#irG|&CiM<o>eu{rhQ><D5Dxr3iJEPF!Z9%33fi;Pb1SIea_#c#KsobFrvnK5!h
zbjpnT1r^(D*CqE~hYn(3OtGF99fw}^_t5H@TLwN&+unW8U|g3J|AJLL%h(<L`=uoF
zj1e&rFQHUaNaL_wi`hxrxH9Rdeey<o{~p!5&0(qg*Cl)SerI`Uop7`K!q86he8kK3
zl^pSIZ#??TCyIq-?iD^}HBHN0kO@xb@BRL|d9d<8oV;MYd(|_iURrDa?#$uB$<rq;
zPF90=;(}P7oV=_*D*wc;p>eXC)rO5N4Vh`4PvMcV?bTY-Q2nRRRSDc|2uc3l@9q1Q
z<39fW(BS6ZZSo-h{Ol9ETAUctuNpqzozMRK9HLeDHR`kTQJ-Q#=yRSt*B95`y1p{y
zYQysUhT^9_0qA=_bC-%t+sz{$pUc0SuN$@kI~+f4q0X!N;-0Y$zL!di{UUgrT;IE=
z*Wf|D)@9)6drGUr*j*bJTY_czBObg1>h|?r@o_IVxcQ&`CcSO$<e1fyD9I%GUb>lF
zJP#Wfu34Ni6rZyOEW5Eq=e<sN`pKA*_RVj3@~zm&D=qlr%RqU%-7r%+Fi*F^-ao7N
zfpmhe)@3*UNgj8$y#3LBIXca=4!-usxQ(97YCI4(#4GyZ9^k)fdnG*@l@)M;GB;jF
zGW%BVa`Rt0dvtnq@@hKGtum9;Q2wjj?!z!#xI#y|4-0VA5^Px{EUa(eoJ*5$#oq-n
zPyAHTgd>wUx!}gBO%-x`{|4`{H{rhx<!=7*A+gTqZK`_a?D+z(-H|hq?>@j7Q}u~<
zpfEtQK~-!A*5}W8@BJ!EpLQ?f2}0`@&&YIEEi|iGUq4)^^~L1N@*lWiXDc~pnFPf;
zG~8#7dwRb<&9k5GzT0P<&8qf|7C11~j~sZVZc$cQ<}D4AR>K!^Vnu!MuS$BUn}2I@
z{_-=Ko)1n-hYR21UplW{b3Tu)lPqz`efRagh5RtSOm&9kSqV1NFvH&HwAf232%Som
z&r8^FVMQVEF>vlL4btkGSBGR4I1hgfkKXgSeBkHfn9I=~zWrva`<myG3OC}zg*TS7
z@mW=kRamI)r|u>4D<y$dqQ)V(A-K(FmPX^M(ds2n@ib4+-SeHe1X0r(q4nP3z2Ce*
zf4@L26(c;4qw;l4J-CyNiF;BU*l?s?6VI;FPy^f-6Pwl7MVu7nx6uANq4g`d%hB?o
z))Y^YRSds`$75?-moiYtS(DDs9@6k!=d6QA3+>6|hF6WO#OKe=j1`S@gAui~-gpj8
zWGu1~If=SW5G~e7KbA$Ss9&ThW{TIEA=#eWEeb3MGqetIy!i?tf?^EpY-VZZi_Ca)
zhxj-Q*^JfYOY_m<c=HjPnz3FCxm5h1_$_?+d(&dq2-ge=k}oNd#GAYAdg@y5Dy&>p
ziEOQmHy>Zf4RjC8sh4V9tw-X`(MuNs%LB`#Ujv(^@#e_eOQs@Q(LVePF2Uo?OUjWv
z(J4`^)+VjpTJh#;uZD_|F=B!!Ei(KxB=8=p&>DzPXbnt3L2KakL(m$a{?QsJmKVRR
zYq=_wg4O^c{|Q$sapTNckyj^hKlXNMD#QlV&c#vd&2tds1|c>uVB98q$Qnxex@#3^
zo+!iy;8_O7bW&UHAJc`^pf+G}ZTAwSO{SC^I2n#`k`ZT+8(4;JpQ=Y*lZ;$Zhz($S
zIQnGHL0e=RB0o*OYNt=ePQ#AU%@ZmHGxf=R_2&`fJctd<y@TtM&s;%}DXQ|5)S_~I
z@~7MI&%)|eRzK7yFOZfY$l-dGJr(+5@{b1y!Xs1k@TdA@iwXqUfU5D)8Gm#LNNuv&
zEk9L$cOt(!+J|X%$XeSChZQyS{c3OOTHf3VJ8EW2+GM~th4xFkzQ4#9{0N%5PzMSb
z^ePsA>iO(I^5lWi%Bf+eO0ip1$tjAgoGROj?V#58^P9AW7_L{xFOhxFpbT`FiUS2b
zg{n@`Q=6hUB!l>~hKHV}hn|*)9xdBLkM05T0uKoZ^tmGn$>5n#g&i}zs#irNRZ-C`
zXofaM+ej@XIjA}BC?uz<aBovJCs!Go`@Z3r>zc)Sdb7TGn)3AwS6MU-Z<8I(P}_hT
zOl$6xGfC={0k%q&?(bbXZVsSQU<~#Mgi1leN25syz7!E5D`AVYJ06K^85;tcnVzvd
z%oq|o_}AEwZ_K*LkIXn^l?+4*oWn1%20acyYe0J)TuQc^eeHnN&qcH%gbF9fX`N}?
zfj=4nnV=Dnfup^tcracH3;0QfI4(g{aXEt05agpSijB~kq%~6u!SJpm52Vxskr8|P
z{e*1+ITgpzObIv<Xk{ow0SM85@Euqc)gA>l0Jy3uf^_R^<63{=>ar+M$Y_s_j?w~Y
z09=M3s@<vj=z#VfG%9*kdup_l6oqWgL!wtjS9fnb1S?ysP9PhjC!$d$B;<;kYMI*Q
zA>X6!sYa<@Rf$qXe%w<*R%s#nTHRuKIT@S|x>v2j*A$?eBN6e&Rg|6R^(nM&du_44
zz71U!-?WO1M@MbJLB3#>{>D`#T&xWS2*@h^<+MuKR$O%%BN?Hp%9m>+glB>3s+qWq
zBtwqj1AF1v!H+<I;L8vu`~)JA__#h96PGPVguSx5sICqnV%{rrN4mngWy^8dWau&j
zB1Xcm;k`1!fXp+bSGH6Y5%tMp)k&WGpEA)fMEFw{Hxh9Z@(>D2LK8emt9m;MV|r!6
zfet>(v_S+TaG5|CQT}%+_-jXKXGaZq9W=CI%e#JJ{hbo<Id#tObbc)v^`I_#6w-k0
z(IsQKl5-u6d!ifqI(vp%4Yi~;{E;1ieiK4x4up={*A7BCk1Xxv8>{~vJ0MVVi~A>b
z%=q>FgRui9XKk{R#wf%VoEZW>I;lcYS3m)T_`ns!lh^W7hLx#?w$_lEDl}^<s0}cE
zT(7QB8z966YJ-^VR6@;@8V^<mbV6)EsWrf&>_=zP_mO7ONd@R!hLMjRNgaNV&?6NQ
zA13LMeBt*TJz`OrF{en6G}KY=rru6{@*Wf}TdKQBc7-VAvmWBeaMin)fxe~Bq*G_>
zd7`uR$Ub_gj~+P!K8VmGC+VR{dgL6v6KIuwksey4N4}|t@^9)1#@W$7(9zF&)E>S0
zWbF(T1P5-?Rqh*^s6Cma@?;$J<3xNP7!H;I2&v1c@i$7Bn;hK=e;2I^)-5eRRY4xV
zLw1jvq{`5~Zxm16LkQw`Al6&aVr^n!lT8Tad-)+jXdEZm7){z{xywA;4rK2)5_qKB
z(5ZGQs>s+3w8SXR>WS%UJNixfRwEKAX~9X(<NHR#6wB!MS;+o-#Mpk^Uq~t1Lgnu4
zoB4Grw~ScJzZK2p0s|+<)}dM-rocRh(>8N@RQ9r0Y(aJVEaOowv6&w>`6Ne;PG0R0
zZ>S9_Vg+ojTx%;Sri0N{x_=gWWENT~AHlWJyGj2}@3d0W*~w#Ck&zL!8xC*b?T9Qd
z%o?M^(0)%J-a;d(#1|kz@sa8XEbRLshex-`))Me7V7o`|vu^EV=*T2Hi1qzK>KRMe
z`fP2lQMDQ<=#YiGxpCa4rck$@arke@C`k3+4rMFGG@)z)89mFl3uU|P<u5hg!zYMS
z{LljTEVmOeIsB(?f&zY6Hb1ft?u=|E!b2iXw(yyId}6=33rqRJ);;_LIX|R<4?FjD
z7O<jE_u9*kMZ|%~BE$h%*uWnEv6htx;UBQx<}}|HnSxkp3c#x1IH3-^A1y`PIC5jO
z-~fCSf=;uRn<S~|I(Q?<X0GiFRV&neN|N08Xo&w5|0%ud4@mN{n-&+U8LL{cJ$r*U
z`CGYx%;eXOZ76B=GT6L_Q)|0Kl>zXpI_gOM3)Rk1_oN!5<~FG-hn6BmC}9wg5G^-J
ziR+<dtTnemQsQpXezZrevZAKM{c6uxi;QthiQA86tbM1O5?27fBTEuX5q0>(I`|j9
zXvQk)%B_@9;UNM_PUgncrY>Up-g%sZhYE*5W6(%)BUa5ubIVEmFDX`}b^)_pFvg*V
zQ^R>jHyM)CWu$JZpA#B9ZfuS^X*n48WEYXf&&*jznlL}dku-6rPtHvmGD(;-#Vwf^
zm(9|IZCAKnAK)Q$0bNj}%{$BAyAuX@oMSmU@cpyAkQ2kR51uYiqa|9-Tf+el2%C2~
zSt(PRb2h7Rkg1(HH+U0bCPt406yS27SqMl3Oi6I#*or*E-M-Qhv>^a#50;XGhPu?i
zLT~)Mdwjt$ew=5)fLn~F;5NsNL<v%Nv|-0j*vpTa93=d}kDDQ+9ZE8{aYI?fR>c9x
zxU2;QnuYwE?jfE9{)d<*LGh%?LBUIl<BPW(v!W)k_Z6=`Q#|`nT?#2kgI~i(V`_?9
zihmc6oV%oikQg-!Ku*9D7!_w`%iV9daidG#dIm{iB(y{Cbp5j=vyVs|PVq|lsDLk#
z$2d4qf~X4~Y%0>SSu&#X+@wl}Bg5d6hb<xnhjDB8ZEil5D=LQ-h6+70D$nJ^{~da0
zL4n$WZ2r=u8lSh7DW_)Hp!JM;llKl2y3a=p2@3nbUpA{g{z+0173GTRlj~<6>Y*(t
zplou_=8M*+l+<rLv5q>c;7xsG0Jm@_cmAOv)g@7X&A%v@%vK4qm$ueBoLV@+?e3~4
z?%|K`3RZvA3er@uqy(uxXxmh@G+VE7>=CJ-)cHx!7q^fhK?94DV?Rh`Qqj(>l_PLl
z$s!}qg5VE)_cH#W*sf2W_+Oph)@MJ7S}n%2aEBxI^PG<u%x+&<^kS4C?xmNes(^_&
zCmkjWe2&yf)n4O&<vfWB?Zj2I9FFj^CM+n>^0>yl>&|=<^wbUMcJtC&uC+URS8<ls
zrDngZlM4#8v)oor4vGhpH&QO2$qKSYPt??Cb$&aVjXa5JE+HH08eYBn;Cr>?%SCNZ
z!_IFd@J_tMhFOLVM;2)F78H<YJqeo5k=LbYQGztQpMADOr@b3iSb95K4X0b^sJ?-p
zf{M!!Ie+C7_e6UO7mF>&Dzc59L`6kgq*{y}>6*hQ3)EgOI`w=uEs;YiWEET7u{c+4
z@+Nz#)LDw40pA@a$oUcP-Iw*adt~!B70u4tl=Hde+~-6r9b0seze%8PIje<#r~NtU
z+j&I0Ly~&31KyxdIrbWJIAZ?oJSj-Md#cAowgG39Gk2d65~Lz2Qxz;ZUr=p=XRpOO
zEb?)eCjKlY4~Cf?KZYKD5|wbu^_FYer5khSpAWfB&vTnep2hubx%kjb#uRKW7RrfU
z7FYT*d2_NwoIE}`G(m*q-8}eLl(8poMX1cJW+cW7v1-6n6I2tNXI-BhHT}^}5)!W+
z6?BVP7fTQh#ss6(_!Ut>rXFlT$S$wwm&r&;mPJ&b?u~$(!uYJ4Ld)n0Ko)5_C#pzV
zS=up|jLvKrtDB`AotC*jZAW2AMy|OL;_))st~=yq%E`xjR`c$r@?`FveD2QLnP107
zl}Sd3NvgFdq6In=cnTSvq?YwtpiXv8psHmp&ANf2X;~z4%%T`{Eh0ZdBK$fcKe9x3
zWix4?E}Y^BJ7lH~X3jCH*^6RGt_hT-30t#okVvtyNU6Ljnbb?Ej2|0JNOTOl^tmmH
z+7?BYS7njDP-Ejtrv<mI1;LB8G1Hc@VZxXsY`DUul2c}(@uvJBlz}ZD6UGfc^V}%Q
zDC??7ZGT#Cc}a%*^jW%DhRKG>$jg*5=or%5JgxJsyRNv83}QB<sAUg5H1v>e_C<Qp
zG*%kyppWxKzh)Z+MKOae9lCNS{&iJQvhJaB57nTY#^fD`%2b20kGiRtrpUFAt^JzP
zm%O8}E-Mt4l>&8->Sv>-uEDQ2qE$l6(h#dTZ*eP%B=+g0g{k5ln-|^oCC%yHWT16v
zWz1MF9d7E*?oC%bNs@iG&-T;GCHwe0s`hRyKYf^I>^+I=5QA=OB%x?d<39K1l91;Y
zMfXMNneMGCXB;|;r<~~j>+$qiTq|EwuVrj4^nIZ)QidmOxN;W>8fJn7K17mD@0~ZW
zYAh+EIdh#3llol_s|!fvAcKWSfMa--H{yCIY5pv_$=uIe{*-eMQ1|KQ=9hT7hgUgI
zIk#wDmYZvqyVGG!m%~nnwPLSmyBuSMS$r-EydJoATTaSy`&sLzv5KxLcs(8GKb2!^
zGG6hPv1JmrLE?5jBod}ugVS+}LbZ86p%6kQl;vr|7=IC)VxPNF5=EicyrQ{t5H^Qv
z8}lE*W|9htOn#}MTotn+nD$anUU29&v<Bnh;q_#{J2$^#@+*`kj5pJ)^TY$*(6<k%
zw~=b{Bf!k3{EeA^C-g%4Xe5}75BpoK`3_Y_XBUYyTB<<HtEp5!`9CC8mxeziRdW?I
zj})Nr-3$O%-yubWNC;?zD0rq+et}*Y{p@JqvCLE3p7D=7)2cXZILw(*Zd2D|C1{>O
zBAX`h;L1(NcYs-^arK(isZ1MVEe<^x4M1GY$iYa!c<PFY&MGTR0VyZiL%#ure5ld5
z#y5A6F=o=bx;kX25rPoXAQDq0KNZA)#yXFQu*fh`>ZcAc2BGi~oDm!wjji%QARLLp
z2UR4O$p?XOWGV2}-4sAL@YLPdF3#+wPM{(go6Tc~x>|BMF|*j~ID+f0>@XeyguAhs
z#YDfgo6U3rBz&KxP{bBGu@la)LsT-^;QVRC;5bqPP<`t(7xK|OwaEjFkG-Z=>LwJ^
zsWOS_mtX&dv~CMXcMdwDgM)f1kZwBbB8u-n5ju4i0ss_m4RuyJHoE!sOeIB=v2SCb
z^PY{)ZxmQJj-6D$p0{OSW;u0-QF^Y~KF7x@c~Zkh9hEVajm*o=?@Z*6=iBujJ(AM!
zNygCr=%`_{&r$VS*2v~-S+&nqFV0uDFHvRKm)N*HaUSmd(b19Gzt6F$i$|kBG57go
zRW>B>YscgHI}L{)k36vDArC0;d1|9Jlu)GpD&;uo1Xo_<b!XzOih@12ag2AU?Pp_Q
zz`&_*<c58+o6I@+x27DLR@A_{>^vnuXkYM3mxnG7{7Lc^j0?YK;5Xit|5mU)`!4jX
z)M#6K2Q&(RYFXGO-crb)nJr=F852}XCVlH{BRs1GsFoLOCRZ-Yd#?~FNV0aA$^x=w
zj_8=^>av)#jNKqoFqNgPf;Nr{qXf?e?dD)rN2-!~_lh8_OQ%w%&(R*|4UF{-G37c7
zS?|V<mk6Lq{W{)8-6p|#&3}who&QaYMiViLd-8r~VNH9f_#KQ_%{_30i!XSC@tVgy
zJ+eClc`l*0K#;2O&;ApjL2?Mtm%-wdrf#B#f78laR2W2%!cc2xz!h)ri_Vku$fHKL
z{0BDq0u^ABD^@rM+2j;OoGKS!2r-`_cNJSON`an6dI6!((@1|Z7`%iWyuzHeQM%?&
z@aFuPcx8|<(<CYHPw*aFZ@eZomKm)G-Ww>AP6Th>cxv{si7Lnb4&Ht{<GDuTAK%!G
zFzYAO*483(A$SE?Q&->L!JC~mmRV%+XfSw(*cmH{BwidZ2;PA|0y+Pa1ng^=Vr3|U
z_my1++hr4bX{tg3c0D^Z-Eti#M$Enn60qs)u=PanX0QVlm!)bpGu75J_O+$(6kC|e
zPWZ|m7E%Gh`^3mq5xhE!td+rQXZ*1@*lNByC3vc=PZ_+Ve^ES-gW$E!LCtw+mLhl;
zvVLDgn<}XOuQtoh?M(bMS~0L?cyaJH9JtOfo?2a>>RM-T?5kpd<b~PWQN)Co_v$5e
zpEv$yj`jB27*9{4b8KO{#TN)9oQR~k5J;)hibiodoSV8-{9q3SLI-w5BJ-&4mbcw`
zuZW|-?oGwnx0~9OafBDPDdT8>`N|mL=!wI8e1@p-1;*T`g+-2>e7o(B*hef8M-_o}
zfl}{)nBU;GX%kDt(LLM%78qySzIL4ArAf>G67}fz9l`;dDOUY)e$1044@UZYcBGnn
zey*TS@uJt4bU$r;xsd;^WXQzs8*_@jQBF&5GPlkN30$e&hr4bP9rPF`No!2~My@;U
z&yaW>OT6AweAj!mxJPHeJv>IT-3!qdNdwVfFY$8mgk?_{(;{U?<2(iXsjnS(#!c44
ziw3GN-oc>zeZwApUpNzUh<v;LHzi<=Q^LZj!@bnQ4*qMzpH#AKCpuA9&(SU><l1vn
z%J~af?t0eBh!@(ZyKF`TY5y_gb^kXZPt3EyF5<>;(qBy<AaVbk^a+1Crxp^UiE-$z
ztxx0+ke%`S+A{6iu0Nz!D3rV)@WEh7xxfv9kFx}HQvtmR8~JCUgb4iKipW1RqxQm#
zirP<qinRQH+$4b?9BHx|vHGSc%lk=PL_H?v*E(k<Fuzs?^iHB2E2^<EN?MOR&`VNA
z^i-(FREX$4ZEyrp)MJDJ5xomxji;JVR52$a`m>@QmyoOI6E7FwD-pv{_4W0LW)&Uk
zaZ^{SBBB*q=flSuvMt<9j(7~39VjEZ<pb*j3+l0=9RFv>BVD%TS;gL%F56`od#Skw
zQIDzYP=+Oib0S8S&E*If>@X^ufIoBx;SWDHQ^Phk&{Al{7Ov1>Cq%PD7C}UN7!|x`
z5%sustTLi~O2{93TaDEzt>a{=ru4yjJh($v(DJjNMbzWV9CSDfX-u1^Rzrh`?&AH}
zn149cB<@ooF>-EMF?_F*gR$FJZQO_MS~?hyr7t!MT!`4Iu5sPwQs;EcvC<?E%CY#+
z_^nO8mCshW_8&6ZKEKQ0{GnkZ&=*JMI#P!%siv9++6Jb3CmnO#PYra9c75l%%e74w
zMlt=@1Krf6C}9_-QjozC78+dsW+v<4pAz=nM16E9XT{)o{?{ET@}M~gO>eN#B$`if
zRVFoe!ju4}@W9j6AZ7&Mqo(u*ad$z<B(P})t}fwWq-ZvYTbBG5(QM9!UPPh~2rDo6
z76}NMyft5w%Ae!W(kIlr$ZK*v2Hob3QZk$?O1ujK*Dru+p^hPRYFK;@$g7T+hmzt{
zX*ICw34N$^ye>ITdo*n-{WW!h4q~aFgPIy#Ll@|m14;@F=ipY<UfA6nl1KL_q94(x
z=FrJ|^{7Yn=02dGCrTEfvllmyRPSjC+MH_4ZP-Hah$9ZT3rgx{^y<zdsY1UA73+pv
zYcjN$h@BaEVld(~p6W4C#RHCXAuNCTp~l)qM58(y%^s&X$tS?Mb#t4H&@;y@g2sbA
zr}7}9gQcm3!l4k2<yu0!?LQx6dj*c?#J00%yI8?N<`4&YB0JR1asnLW$?Q;$0M`zi
zs5r>>g9ka8&E(j|Zn6~m!a?S+6Lzyh65$}PG2#xe2(^d;6t(VQ9Cc7DnT$ep(za5k
zXit^poPg@I@qilbE%xP?W_FjskYI9C*N|lPe6kwg)}UXWWuyTRTmUbCmjomXjU=j(
zqVv3ppc!Z-RIe@rJ=RrpiM*0J%S{q*$!nWk!9?gFDL7ppp`)W1f!j?|U-`ChscVdS
z)90zZaKx`>jlA|VtM-*@+kCQp2}9Ms<P+k5&qUw5%jAV4`0?=S-`e$Wp3~max&UTR
ze$*%CnvExO`TE`$Y+g9Nd3PLtr2cj+#v4MbSJao*1@-~;I!y0}lM#QdpT}=7K7Hrw
zFWTXtHcEbp@<q{dJ|Dogc(X3#x-YE9p;9u=51DwQZ%&a+QEvu2&d03p&f_pe$N9!P
z@TBhmNrfTwd)q#BSl4|beKNdM=g+A7;1xubPebX<EBLDqe(ft_Buse^W3c7Kjfj?W
zqtD{}gd?*%FctbJdXlC9q;nng=@p_nk#t!=%z2_#+7q?1>dUCnZUxjAj((NYb$bF0
zv_5}%*1F)=Z&$gxcD>7j^V&_%{?hYFq6#+5`|P?&tmd(cq`f$dMB$-8zNTETu~UE9
zqpK`hqn#+oI&CAE*%5VXY09N?`ApWmu@boId?hh#)JJSK|IcNM{J$w%&V!w*z>Lw>
zJP(&(yhnMOn!E7Z5bcMwYro-LACF?Z`V+;)yNk8XJf!A4ryjsD{>6ts=NWk4sKI8U
zN=DXiumXY_mYH^MiG;EEzOs3Zjx&bybBBoL40He**ge-AncUUgCo$?MeZ%)-&P&d|
zkHM&93kF$E($8IM{XT`cQSLNcqj8%)zV*c7#k7B}qInGr?QIIu)^3BbmmxVQHb8Fc
z4)MCBH-vJPPQI;2eW-V`QE$k8!aFDm%JBffadx-L3q^(-PA40%5Tpw_esj|SK0zZy
zQA8K+g~3)xa2_Zmhbs5F<?D&cXNbUhx9K=)FcLj>a5<wtgn0o~cE<bG#F-lp7SXW_
z$R0+>LDLvBbc1QwSVuH^Jo){^_2a^fR5nZ)bn~Dol15dB%$8$IBn_hab<aXXTFgWk
zrgeuQgN_DD&mIxc&U(Yrw21ApjJ;II-VHe;kR7_xatSBqr51B9N3fC|76|R^dUKI7
zXIuhj1EFo~HA`UzTPS4PBvi0N&OpxCY{cR4iQ;E7*v`_7Cw=Ul4H;whRGB#>jB62F
z)ppYqN+N1Veg9?SsT!^AUXT}z!I5Y(8pc90=c%2e8P{s9el)Cf&PSCq7>aD8(~xXK
z16t8&Z4Uj1LmQJ+phGSiz0FYD>o~*E9k_^LS#Y@jzJd+z3=eZ!>#e+j-E%LuT*z`B
zs}B8GL!bIuugt}s;3I%{5K}e2Qd<=$VS{oy$uOTIKoVnc-veRQY?#9himU!=XR9d1
zRin_4y}#NWsqW6hC@LfczwnHULS2=20It%YI1E>?fX+6&o=Lxt@eYWjy}6>^N`#di
zRE&fdlvhzNzolNfhW+lGONR3d{(HaO6z6&OM&~_}jn2enj6z2b!FkqXJfe=$Aq~;r
zB~c06p%PX#QkVRGtbQ#Va>9Tweuaj@*eVQ`drfHXRvE0A3Cf`Jpe37qkmiOCIY2*6
zKdw(L()H9R(bG7tr%|pqv_x<6(BpbTse9<;gL>t9=nz$-%Z3kiMw-4cBqJkDkNz4?
z04q@FQWugu{VZu4jgqmsWCBxhLrJm5x(i9EP~+;M$jP+~>42Xgm(0L3vur&1&O{UH
zorx-Uh}LZ(JfJITy)h9Ki<&<#dy0&iOCG~PkaXkK9J?;y;t?@XXpE!5%}DTPBzW9Y
zWX(F}L(?&h79<<bBkpR)*AG^|t4BFU74{rk4e3Er!f;xb4M$nwT<K3pmkv5t)<Pe*
zoY?=bWxG^E`Fl>3zY2EfTg%5#{&d+YJi%LbScRhe)ee?F7MJ<lHrB*J*bC+FIXhu0
zH)J>v45^j{2RH?&fO^O}&iLpdwaGr~q4=GHqkL|v%zBDD^l|ej#^_jJ)kdKR_5We+
zJ)ok>m+sNuIh_bXCul@aPIr^Vu>nCabvJ^DN)854VuJ_*62vhKje?@0prT_yK@oKv
z6$f(!N6~Q{6J|#RvtpnD5d&~uoztNAes{iqSnGT1y;)0%f+MG@cGcds3v)4WhQ+(4
zmfs!Sb^AFQU?-r$&9YrBJ_%qhTq$|L#89#TrJGuEP?8WU5N1j>W}rd8Rjlu3evDaq
zgVhv8vgHfDRLhl9K<)MA_0vNzYcu+?S*%QjYe@mC%k!i+fA1h`hy|RfeS+|dt&S0J
z-6ql4KZH9ta%banqX&t`c)BoW_PO@bj0KMpK`vS#92Mn|8n4^_+>AGDrhs5Md?34h
z&0(2R&Lh_^EjraICxS`qH5cQYF3JhgUbMU}=C?oO4(WmdfqKXhvBx5TL29N&s$)Vr
zA%*I5M2zu9VOF+#yaHJ#{jc~p`hRNmXGV%5k@D^5Em!wndR$B0>mxknLvAlQ|K-)x
z$kfR8PYZ*#6-?T3vERZAcx&~>$UTv#BME71eb8TbBby=#(w4<}KUwEaASX3Abzthq
zRGrQo!=j8h{duX6gnPVBt7<D!52ap6y_fnXwJQ}Vb7IaOKQn2}(Y`s|_Bn)l`X26z
z_Q#JsbHZ}OVavi|od$F3mb~7Uo3kdTGRI(Z=Y^csNzIbjub01Km)_(IE%GT67d4i(
zmZc^5^oc2ow@KW}^u^3)Z~}t83UxEBv{ms(@6+>l(iO38Tiv)Veq#S2HHlQ_n7;!R
z?+%62ACNkLlLuOVCD8i4pqEijC5~^rK6@@Gl6!gma_Ut1cVd4Z8%KyqyE4D-rmu7;
zo0xk@l-X7*R~GIh&ohhc9?O-l$=NoaLJt2SSLW=>TbbA0_UAd)!=sm3$K?SFV9I){
z-%>oYkUoj`m^{^v+=fElFn}c_4DtppJjLP}b;0_PCPek+%8uvP>1$b6sk{-k6cPuC
zQD}LpG1!<;TaE=#;`;2%hs0s9#u$}~@C}BWMf*iKceCgmyusTnx+}u@n?-L$_%DLZ
zB4mvh3K*+Jtlgy|tW?C<FT(bV7`xAjuyZ2DT@iLy#IS!W!rqD)$Qnb|&Uj)4Md|MZ
zMju);>cH~>@c}V)YU-a3Ja+>(jp%K57?w5>P7$=JM-$=ugote<AgEX0C*og8?upYM
z5XLYpeMKbRCt%*vL}-VlG8xfmo3VR{lS)UXY9wZlk;NI>LV@buWfRQVZ@FFSvz=-z
z2kn)<Y6De<YYp^gH8vW#nv-N?x0q@nNA87966@_!Mg5Syu6tcy>;B@j-7?=pXRmax
zR2FLEk-yg&(}k1>q;rM!7};XRWUg%zcLBG^5QIK@d!?m(ie@fVZnxUyxu1Vve2fd)
z<#`TXac1rEybCYSx~O+~zJ*u3;2lVOz&jD{^yMkdr+A-rneXE{=H-Xy)F827=#Nmv
zP>{7}-CoM~V#ko0$x0la#UH~~O!=pYLLX|-{}0ei+k8>Im$;|-deIJrO^WUQ*h1+`
zwEdUXR!8}Iwhajn-ch+SU{;N#efER1@)OKIp#PfcyDPE(v{@&${ns9<|2hH%Y$>!^
z@E}sIaFiy6>cCtOyMLpJG4&|w33JjXUEh~i^3sI2LPR}#9KKy&KLP7?)^NUEf5tEq
zGykb~wtc)U<FAIN(1146*~l-%pbOh2z*rkWqP<6WQg8&UDE0`^H9>{o8oW^o?|cuh
ztKY*L<?u!yNrj+~goV>R+Y$Jq10~hw110D@{C3~st<gZqCks8xfszmr<v{^$7(9$a
z^>yT^=Z?h-Xu^boW&mnjjB4F#=tiy^#5`+akkJqjk5CE}{`QN5o_?bJ92Q-aI_1Eu
zgBo?bkPgHYdAgKPe<_~miW|FOV%I+M1-zZZiJ|+QLfPVB)PBfCs-$g&$Dg5OC;^+f
z2>wHt0Yt%RL+y2QLms8e7^84E<oP<m#+nRvLo)0Y@opY=u(9T#P${F`6p8i<YA|8Q
z)9NzR3PLtEBhN!M3C^3#6tmYU;^sg>vvVr%bUY&2%tW3rnAof{$YHpgJ6e~?_13%q
zWcDwo6_r>arY>QXW7S?_B?Zm?5@WabJ0ciPL|v3B*OO0{4^JI37s^wPHW$m^V8~B^
zLWDbt9jf-nb(D`c#%2huYjjp0<Hx));qgk?;E;r_24OnZVCnE>u-l%cA*-+4;t5|~
zx*)$Od)212P9+yQ1#JFZt{hRr=a!Z)S*GC-H9ycJeU6ORT`_qd$IE`|)%ULsN4#jC
zV1$PVS8knN)m7f_)p%pZ4B_wcc<&>g?@pQUtOGwy=W+Nm1Z?7PXCjx?HQ=cUuQ}A2
zMTT~j>8M7Iojh&v&Z<>%<ts>qH)C>F+f5(jk~)!BGai2XQ_k9-I=t!Zc;nPKdnm69
zl9yYiA6S!G8TI<mFDYIu^Fz$T&cV%h$7JRaQMXt#$n>u#<Vyb7#17*@gMUYwhOv)2
zf*$VHFo>fqCp$kTY@6~|5OdnR`CYpYN4V}iT~%G&DW9Dhr+IQ{W@kWG!-C{de||R7
z__jYX;duZZ;jZbBuV)Lvc-fC{#3zZ1j)|Xx`(1*ay(7je?=(8Tsg;)|q$g9g*yB&f
zVg3S1(U79j1a&kLE3O33vTY8n_A)%gES^RxUCy-*Su!jfLN=PaZp(tKu45WTaUc8?
zF~Z@*?EOv%w&nD8Dz-X*?1Byd#2K4BS6g?8w&pHKepMa4wu5u@t?81ES^jEy*W8X8
zLMOFIUW7!_iOa{9O(|Piv?;IJrY*3uoRy!|QKCEYmLbWMD+lbKeseK-^0-_XRevp*
zoc=6EuJo%EHg|<{PimOY`<-edlqYf~^4e7~vJQ*Sc84QaMkhbEX>0@HQ{!eXxRBDZ
ze|EuwWO<lNXPfO#`7HB1OP@K<IpML*tI8_M{M5_f+biZ(t*F{pwkZ#XbuB>sY9(eJ
zsDjI~J+23>kTEaXm>r>t_pQ*l>bfpJG0&(*hCl4qH9I``_<tr$4E=Wr6M6#~8}4lX
zJ2Ogo(Nh_dPM1@mnI%DockN2H%7NSmh;5R)4Vb}Q1N3hZxRbp5r{^BIGNm!n>dHQg
zZGW&zVJUAll{0G@&}jb6%z`GC9$9UoCa|n5=w40xy#SS7CIgNX67QchI5*Dqt+#@)
zRi`Q6SukKnc78@)d!3ar`oUz)h>r7jS_KcRjIpsM>wkzW{X@s*IhW_L3fqJmYVF9t
z-AAW~H(dugbe9mQ7%hWJ9ZR?)*k=(?Yjj8O7kHAv;C2yBr23h?I+*L19WJMEJJoc4
zBT@%`1O3^M9kb9>TRd?fFfd7WR;(oh*-LsEn9pfe(jgLn{FjltWCX(n`e2yVKCnL7
z<L!g_N-?qr^Iu+r=2{YI){>=zclQo&t$Jr(6C5W{?Q1qQ^ZJTXPtomb;@95x)t25V
zT12xkuv4^1<~vUo`y;(mlp%}HbxL<kKSea{bBxZFC1y};%;`m1%zsfv?EcX$<FXT+
z<5T@8o87NL7Iy~F!Cr|Muran%F`u6H)e0d0x=DcfCk@p+px7AuQ98D49M+3K<NUEj
z4eByjqnknZua-*eb}UWGL|I9dHeG&yF@L>>H{3I;@`fI^69+)H{Z?mdOEcFP>nmLQ
ztgKR89$&)cr79U4&}mVM2Ln4TqO#)wTi|FqH&t&NO2&lAm0i-~PG8MGJwfGH*Dah!
z_9>Suoo{AcA#biNmj@gUaV38k_Z$#Cn%(eA|1~;aA5Qpirs1pWs;~`h6Fglay#^Yu
zc@0bGxG?AM*;j_2w|~Ng#-OiISy=byhOzDMxV&LqIC0MHMMnm+DJ3B91Ivo6w(OJ>
zUy|fx;6qd;C$2n}?~Yjb+jcoF=qqqm4~Y~P^KsU_$TyM0x+bP;sIgR}xKGd@?R^~}
z%WgUEe|NO9p1gJRo#TpSP$LXK<Khc$^Pq)MciZ{@_~;RNn)u_&TY0#1Dk;Z!u@Wj3
zCFr5r7|VmPSnZA}IfERsK1CT`IUbSI;b{~yQ0EUW@3Xm3*d4|un4NC^Bc5v4ceUaF
zDO$x`<TH{*o1ReNFZN#KO=I`aIq7v{{KOrW(DhS*Y0;R`|H!)jck%y!1ekh!2$g=d
zrKGCuDgdUPlgMlz^-}2LHj=4S*AM-FPVvpED_G#~f3Y4OzQwB6W`MoDsEMLtE{^hO
zcv16C{)U21h;4G*BqG&o9j^yKb?XW1)_qJh#&1tC;q?G0$Qy++K7c5|P?P(@1*q;}
zCigDQe~#BYzi+~G102Prl7J-zo@g8eFsc+YqHvUUs7(Q+^6P?X^Xr21kN~I|))xRo
zU>iw=u5^QR1fvHRIaznMXxsHOFv4;X^u#U+{rVzm2++NekK-{=m6U#o)-c1$vZSFB
zs1*6eHV?aLs5G7EK7u)Elgrw0Crd3<nj}G<e_GGB#THu6wA3BO&>0?*Yco^AUT9BY
zC1Yuisv^!Yj!Fcl0W49?zmWLxA6&2YZIZzr?M|8dCYkT?HL}=MRP(=F7QcOi(=x|&
zA#vU@dV?(S{c<W3Y@!muuPFJkj9BHC@!UzZ`<P6%N;bPg7I#mEa?vu$R7VD2rD!S<
zR0CKl9h?SfAZ@5-yAzcMMls7V*ftGClz{We=W?u^HIh|`mFSi?wJfC5L0>Vpk&o&q
z%w#OJry$Ns(Onn<P&f(59ADuvfJoCFNwOL6Q63vVDnbrHH#|-XsB6^4w)e!Z$4#Qp
zRoj@OUH;riLRF{Oshc{a7>J+ZqqciKz3{xkemACiHuLc><j{jKF%`e+({ZbBCBP=H
zQ?3(12@y>2vLiL)jX#)$EQ$cUG%%v*_dD&j4`{r!{)WYo8JB0)oA8pc>AVM8yp%U6
zDx&C2Q+Y^0pcgA5^a?xvQkl<@&?CDtBe7H>N09Z?JMquA$|to7y|%pYzsK~yu(Rsx
zAj21E_=_*I&0^Vyfz=I|NeA?AdO8Z+S&)ID{xeS249I^Ic=VBD@-g|jvZwr!PrXwo
zr(pEZj+#hot9Q@T&e&!}wsvZFJH2k2pV$|scJq}GzAI*L{eLff72m@5R4(aZJnJ<4
zi~jOGeCs+Z=8T?tLL0un{zLda{4e4A+kXvT*Sw>5uaw{YUxe>Z!%U>sIZGFelJRF!
z(aWQvcOzfW(*;5FQq7OvzeewMK|pWxQstXIQ`b|zlj!n|Aj(wQj>HU#w=Dsr6ofB^
zd~NYxV^FvqWBNeW^nq;4=}^11&5g120SS)IbPpU}HOQA?DLqS-?+?%$Q4_l*&>h8C
zPO;Aik$#0e9i&>S)!*@hKNY0f82xVzffhrMhRRmU+!xDyf0D({r>D)cW$}4VSuky$
zBm2!UI!~53o1Qi=)|TtPVA?$2E#sP#YP(D|AEwPuWO3)9TyK_)bqt`QbOIHn5TsRu
z*M&orh7Z+zpn}w>H%hfZioQo_Q_D;U(t}d0T8ss2YxXB&sUM_Nr5glY4a}FIW<#jH
z(#9%;>gYnptLOX1zBS=(<TKC^Dwpb+2Qjezu<E<ExWabNb<a&#S$D^rAa&LxTblwD
z%voa>`s(2P3JoWR@T40VW0^7Ujn7*kBF7uELpmmOK~!$n7+>MUwm+n!a`)TyL7W>G
zZ)>BH3QF*zJ5`Z3Qtyr~bTPpBUb3|Z((DR5$Mg~vnFX)>I|WYUcvWe}75A6QlN}+$
zA#}Y%?~b`}*D&Xc{q~xch+VTH(V~bB|1iEUV`%)5kSXSuLvnN??q0}W@Zj%A!MlKy
zEz`PPoUZ#n^$M0OryGMdS+LYA1H(T!|67oj^g4@Kde6z$N*&Im*ZKH~1>7Mu2~?2I
znO*olAEe@*p~UwZ`{)5V>Rk7k|LGcgJ38%)jo1HijkSa*<x^3*{d<jt(Srxg7oQST
zYl~`o+P9)Ay}V&Kv!|x&{cmdO0%`;Si!4f|wJvLXZ+LFxYm9#Hsi+D93Tls0K&G4_
z8Q(L0kV()s>wSK<SPbTChc^yngp41Ixv{6vCG}meP;rFgh<`1qZ+QP$QZuNMnj>@1
zfRdUdi%q0TYAlr0SxzyI>2G*j9HVDJNsXmSYDP~<JtiX(-7-!=NnIsVCCX-BmBsx=
zmDCuCi{syd%}n>+lA1YqEClP=p_&jqx}@sZLP4F5X`!_jT~D1^QylM769^!UF)s+z
z{o{0ggXbTp-jz^Hy}nmdh)_R;wwgkeOt<Ym<VTm!F-JS84N<Cm>ZaOh%V)9ep2JW*
zyH9D$=TLAeq|4{6zFj@#bL%kUT>}Z84OKqhcsfT=fl8IncH8#e@_A$i=Ue%t0yUdW
z<UI_CC~Erb`Mt7b(7?2(vb{6O0ANZf0_Vomx%!E%EcI(-(3fV6@#>XQ{F`F;zr&?k
zhaq~9M`%?P|31j0eTFuDdHP9AQLUj$KeDz|3r)!tGz_f<wa`W_G@U3{7XOL=PSa7@
zJ-8HL=^J{Q2e|a&C{l|{S>0cl0;EUbQm=KJc#UTCV9!u^tA>W0x6F8=#nfO=pP$Se
z!VeO#0<+}&sePFO#we3}K7vEQKv3Z#fN=3)ZlNG4MN9z$l@AmYYnSMZ;4l>~O#niB
z!=>oi<!=~N^P=6*x`#44^A#DpYcVK^Vzd~v1DGh5fP$c#m0lDC4WuBbB|WZdG3g1I
zPEX=Q52G4BH`5RpReD^vdWZz=unw}trdj(~V%q}k7|#YywegX#r`eb9_W+ZLc|Z6v
zFmy;-5kf61?Q9YDXp2%EQ>hSg?`cn)c@(>v_=avzlMw7xoj`U;2m+{D=H8Tqe7DGA
zOQ`@_y$&MCX{}>=Gw(XguD8n)*HHnKgtW8kw=$v>guWUl)j64}R5lw|#Ic`2xr>)f
z2SSR{W0WLQF$A2{F!?-6=sRzy#;_Na8f&A7?oS7J)sEDSa#=wG(vuKEA|JZg4QUZx
z=eTp?S1WNWMKFzEbu)tO&?G?{!HSnG_s}^c?tVKio-Q!EsOB|D&^I`lsqr`N)(IxG
zD3Iw#0nw>$gB&S>>prK3!h(Ygo6ztY3JbCie}M5F08zl9g9%=_a56VcC&VH!NPtfg
z_ToW*V@7w1@R$}7J~88&CkplXDKNLotAR*^P|6NT1b0d$W(+-E?}&#Uino|dNPr&i
zS6S%Vn7Twiv7KcNiwdO)@li8+m|fVK1mmSFPulo{Ny*<O^yVeS?1H@gRhv)m$;^)}
zV2wkIlIVXlFP4vPlQRp%NV9yY_~}r_#vh`zNI&J!+M@>f0cPck6RhTQtm8V=am>FN
zaO9Gi1qMsRBdz@C6O3{W0s~_j28S+%z{UD7?O~pyXD4tIu<ZG`64SR6Ob~brq*#D3
zN?_zI_(6ay1q^$UH+)8Ij=;k_M-T?TW|(9B;(^c2BtZgCbn<c2W_{i@0VC6x|F_^O
z>u*+f8rZ3K<1zSh#0C|Vk$@|KQO*a7yIl&|6yyUnS|1s>a|z>Vuwxo1H6Dczx6aXy
zwz<~@*#HM;QbO8!b}ClEKz4!kG>I;Fzx|>~h8SAxr&Ho0W%J1v&EFCSipzbY87--8
zYH788t$R%3i!#7L#*01A4jV9hj?FX)`;fzwX%fz%!Kh-b&Q6!!25zzAVv4`*c9vpv
z2lriC`!IpFLW)DMxNCQcDmNEp?x$o~zK3M72dHS-EAxpz;k3swy-N1VG5Un;Vd7pY
zT24W^nFz9YhJrZYmcaolq`zgV1G3qsiny<`@d!yJz|XQUw{bWYnv5|(iNwNKSOIr5
zLr))r(H>`zEmc_dBQu0$KvdY-juY?abpM4swPK`VBiSchSIRKb=o_0#iO51qjC4-H
zl7bk?PiLPO8&vI-80j+S!gvrO(PE?r6K;98dpWcA(PE@0Jz}Ku{;yjfj@OEj(gWJO
zp|uJN*maSlwMc#W&zmW&Yi7jHOyg!si}YYZzqS)=gikL9w2dxyfy;e+x~n|j_o|U%
zCn~<Fks3k$N~w`v(P|{`NIKetGG6xN9A~W@$vN`N;>mb7V=g5}dSh^2-<V+}Bsk-T
zk9_0=awK!Eki@!;AmXfMIQA{8xYW@)cD{1APxJ-WboqK(SCkpC%(3&Cu)*g7EiB?+
zX&tNfx|}km*1sk7nJ2dL?KnrJlBHsd_DJI{<Z4QE3;Z|w@9|cfoVxV2e7$|tVq=gN
ze;xchGh*0VP~m^QU-w|b9}l0s{^eS0+NX(uEIpM*sG4?*1o`rhPl5U*lfM*Bj-Uun
z!?6<!3Cm}%7&aj9ADP<Ca1Bevcx8W{8Y;Z(qs~ZLUgNvcY-#-Ug5-(ZHOk77;p(!~
z-)43P-gJg9y6SmW!TU_*$%fYLL+6ACtEbrvF7{b1jaWK1u?XWm9>XkJmD_J|R^rl+
zr#oz3srIi(f43+4Sk-{yKZ@9d^}!j5Xf5!<D^?{kH~#3uasXcV*-i0__DN?mf1V48
zXSpoYU|U_Q^^5i>ml|CVON||)yK(m2jge76>w>aGr&)6~6z#y8AzHlL-;BuUZXx@?
zLisK-iSP5|QF$M%qsKL3OJvPxWnS@3t0$k0zR<1_>wn8+9VTxgG!aAS_E!Y95o4|T
z;0DdN5wiA29!RhIjiw-wgFD|rZRn>rnmEQDu#L$2Efqn|1KWsDtja-vA4)|dz&7GE
zm`>a<VYH;8AHT$-+bwMkCX5+Rni1O00C$M3$7-0+zN5Ai>_5ngV@#|Gp=+JZnmvqN
zmB*OZ-*zDM@&x<t&ST7mqZ)*6HL!Jd=Nx0M0K1Ffd8q65CVbA`W6VD~;PaL@uqRa=
zW7Y(JLCBHS%69U;%*^AWMVP&jizlxc3TRCWXXs^S!)OkMDo?N{4a>RAe5Hq>At%^m
z!HCODb3+VujX%MD^|uKlfe)WF-&pX=f7(yL1oi*ce&YVqPkEI61W>(-!@nBP{u4ex
zQ(l)}WzW}r`iWL&?Rmk4EpxIM5wBa1WKvYMe<g#*gZcMgV=bnLn9L~_*%sK@KVP^0
z;h{6OlA&XCO@4Hb#c2^{1~L{`BhE6hi2F*geMO&L=*j2ql|6P69Fw5})lZb2#Gq(s
zt%#abl#Lva!e;uup+q!_^C9BL6DiG*{eJWzG7w;CA^{~2B^*%9uP7_YQk6tx_z-Ce
zM@wQCSsD{VtO~FK%sgNk=dnR0JTny6T**L_u}c0&Y1YfvtwbCAobJ7DB{z^*+aeNs
z{Dq0mFwvq#q#cI@#|SRv95E4bKA9nn8ETX=OC{I<#O<^&!kCEjp$|h3f67E1B#D!x
z&PsBj1}h?0kPI%#EhL*68d4K(s8djI1S?t;gD*w%FpLDB36`daB+WF-3)#44F>^DX
z!&sFcfrq0ww6dBThKkq)a9*?P&;O;D!&KVK!GXa}`K*~0*Y=Uk8i2*23<iE0$6`=2
z%F@N>>;%iM5m;vnF&s?~YS*Ocq7j&Fn?@x?*#t@)iYKDjc1>ueiW&R06;|bANlpL6
zudQ})>q9e%5rsLqVad8M1%N<=|9Yq(t$G<0kW8FOUDh_GG#nnVB1b8g=_R?B9}a;<
zg95zefC{4g8MMM>5V?YI8K@wtn9wLgw}~c&;%L~t7aq4y@(Tu<tE^XFuCf|oHXsk^
zJE#UOtBQ3MN`!S3Fa`nBlhp@xz-Iqc6vccN6Nw{EmVpsp-&Ayjq2@=TZpjLa?I7tZ
z=&KgE@J&|WCIWkbfYG1No+89-1QNmhBqLg~ND)aJ-?CT*LhyP(YfLSj;K&1uUY}!O
zLf!#{9T!{_ARvbrf)gSZ3l0V8G4T?tMHt0`-!6h3!$kqcTZK(#*NNbtX!AIo!z=Lk
z^DLye#=XGCxQ7HhCSD_$X>;6!eaJj}@KUQ>?1bo$P41vaCN+a?E%V|iLB-G!QWpc%
z@4jf?5FWzxtzG+E<l{DAtKb4~v7FLXq)o^A4D)5Jw?e3t&0d1g;4^xyI`_DR^1wh_
zk~xa8RDc(mYD$fD8I`6_T~U!mreKG;nPk}&6XsGQ3p4+R@Rw!%QD#)aTVpzAn6Mm0
z1(InQgWQ77Xyo&R2J?K7LN~V<v+5s-0$;TM?y6qO^K@Pd<K){Tq(HmZE4x43@dVhO
zLC=!E&8f0`Rgp=wC!=lvAQ9t$Tkg66zF0sk3B0>i#%D!5C+L$h{i|X~U{*9IAn~&T
zkce)8cE`s*fFQxRIygvW6QCj$vsD47;=BVub24}Z9`#iahJhgh_#wPOF(U(hFbJ5A
zX4W9e5W!_*fa_|G%qc6dsbxE5fH3ijt_uUle3_4cp5O7vTO)Vplq2I6n7(tSpDA3!
zR%f{I-v;^gX^m)Vso4sD!dh3pUgbWFQ(}Y`SHjyPyGKZ;K74W+O=~V|d4@3424z+Z
zSk^oWdlW`zJ6~pd{x3Sx5mIU*-vE4HlAMyU+fo~9u&EJ0l=9N!{eW;<s_D?s`7Rp0
ziv}4tcNa^|(ts+!a+Xma$FspO-ySzYdO7|Bn}K0Mf2%RbG8{9L9FiE#$6=D)Wjk|(
z<%O6{L+f5uL|OGuFA-G=SkEG327$SGBvL0McZJR96`24*4;Zyt1Za##WS^bo=MsHw
z?xU-$W6vw1O87WRe<!T%S7KEADT~ovrYM}hXz^C&mN~mH<&p(1iPz@Vdt7Bbs)$l3
zW)&^UXA1nK=$W<GAqi;s`$?I&&UW}bFP8HN`%2d*x!i>}@zMPjax(<!m;|dOyqwO?
z+8>&dxn*R1Y#Fl*eL<!hTvnf+JwR0fR%E}f?l*fin!g6sX00v9ayP6FSGk82HMJZy
z+-bL{mRVD_P|eC)w}&-;?Vb71Ch@nw%QIXy8s)81vp$w&<sj}3P^Iqrx@}>}Jw9?V
z6L+i7v&~<^xpx~$5A~GtX<yZc85<JBbEd-(+`net(59ASU?gGhh$FaxW41l-pr6yh
z@oxNzkP;(@(TdJi&Dr2fxhIT4=(;QJ*htp!nUp}tCV|-*>NKF*22mRc_5Es3J_-Y!
zP}z_gnI5RPAA9M>9UeY|^09%RZ6o;D+-(QXq(%nwZjIS15`Oe%jc~U+Cy}w)^{(99
zm~lpK&iwj8kM*McOFNYO4*);jXkdvr6m@{l<?GfLd*7wEgJ6gTG(UeN|N8K&o@EP$
zzzB;41JtQW^2iCn3ltttK7*vFYs?$X-Rex1iwTJ#2MW;8K3F;vaXh+jHiovm(Ey-%
zqluh;f`OA$QDHQjYy>p3+!RCY6r5>keHDL|nN^gF-siy|9thuelA{1$FaVxbw`hDX
z77E`1)Oe7Md;F>Xe+v-odjNvYj!M`F>fdWPMInT)A1Q<|6cEBsN>I0H5yBntI2um?
zLKuQVU3`eRi9~{uP)#Iq91s8nl#)nPCZ|eb#uJ(1*c?gL?hH#+1`QSfD~$aaz`}PE
zD%-~f$G)M3$$-E3dd^w9d(c8DpoK~jD+7pN0foPtgF3++%J>r(X}GA-gek%VsDs-n
z*Fkas6y1Zd8j?H#mQ!TWN)ks!E65H&38N9t1t+Hh00v<4M0RMFqCgA-Y>-2P1I_Xn
zcEAWUm63smGV;e`E4@&25j+ybNCT!&rDRw2|99Zv0U)MtaDYwk%rDcPSJm1znd(rG
z;9n5IEm&phMFbuI3H}8U{KCL>KDPX?;Xq^eV?(&6+855mH1}YE0!CL47C=#5Jy-xo
zcY3h^Lp`V$3s6vC`8O;8P+-}2EC5j8Fl9MQVS%SC){b5*@B=`B3B6dLsfEqN<H5og
z0Kp9bg5z~o3;+amW>EgGie3rU-JoFr`>Mzb-|R%AfL;)=1mjw+!cT~341lIfj+;<0
zfGw#JP%vQZD=iM_fdMZl9Pms;!+^Pf18x9COu+!~tf6s0FARY7r&7vImWBa^G!E#6
z0pn;K&<g_sv^d~y4-D{pDZC+IeS-nrA2m^dGz@3}9H4~(11TKP3j<!$IG}>fh8(oI
z7YWcnpj(Rs{`IEZdwN$t2~fG+z8)k%0fFN^NPq$Y+rJ?J3JARKK>}J<nMMK>5ZK*|
z1SlYotwjP95XhmC00jiPv`7Gez(g$);K&>S2mliB(3wcXfMhKW(87RWA2k#X(87Q<
zS{$H-0eL+*pa%xL*5Uvf1^`b#t(k%W8?-n;3j@MvYip(!29Q0>e9{UU2lT*zAQ}hk
z!Qj*r4Cc{vkn8Tj_OJ@L8@Wv_8f5^50(wBelo10b_y&9gg4;}tdB$)MPvCFq%>+L&
zJ$3p)>2K-FXf)tF!qQB<(XG+GB8uBTJ^iAv*4ATf=AsyEW!i--KbNQczvrgOf$geD
zyVacYHmG!6#-|LdmdRUOXY7KYgv*?k40FOqk1L8;de*D+$Kcro78JESU};@JVQV_J
zEuXj8i{*swF1Wm;b^g<$Khp=O?&J((qt+be;uW(lWQD8nwJABOwGvRj+5LQEb#q=^
ze>j~ZhLT!m?5;a}<`$Pe>@xFub%{_tM&YmWiyyu70ECo>pQ=#~(52&9%#@@Oyq2kM
z*Wwoii?}@KuO(X_$Qd52jUH2xuA+GE<wduw$6XX25-@S~+6oqCIjg?nV@rL-c1#bQ
ztzb*;ZevSW0C{xb*SRO#d~uKQZf0T?nw18Mu~#Rad9Cft$%w55sb2!lBv>FZP%)?0
zyxc^CgP*nNU^N8}GRM2cuc6QZ1r9vU1}Cza_sibGAv*vD&naXO>f}HHgP#Ez*!BQ}
zFbWxHfkDGz^l!-ES`RX~_8-XL+W!U_ET)jbE(#ey(Wa5X;TrO3$BCQ2!E@7t3{H2P
z^;e{}#e8ge{;>xd^gWo#3bTMZ;Qk#N1at5r0-(W)9%w)ogm7?kF@_fW6wNl;#K1SE
zqAxlaAOjuwW#*RSspzwg78$sa?gIR0P@B7<|3PF>tsNa`<jY`maFSi~D_84TNrjJg
zX27^V34?tz0}gmqqI4G#<^ohb6u)tz)xAcQ^t@n}Jkw&ac3!XqBf@zuJwBDRO{E?9
zR6gi`?cIR8<bbDr^)o`P#LuPHA`7p<2Th?Iflnn~fUX&XQRVm1LWJN}Hw7G2u?WoN
zQ&2p>f&`S41vEr7$~;W$`%UbCW}YTeP7?{gBGsRSs+!3BgNWOAS`v+7P7`q2#-R%N
zppaH#!XHG;?&CzpVIt)wk@1#r7>?3T0u+g5yD}Ur<M$Kke@f2SWZooVn*vbEej<54
z%qe~hF?T&B&Zs5Qj}x)AM92wovpD%M5pz<KK2~O#_b&iszV5C(R)p3C69yJ6fNS34
ztl!K7I)k2A%mfq6d@{X}0W%6U0`E&C?<5hj_yiXLG&ulA8WCdj<CarKm=ic6OoX@s
zWbwri$=Mj$$k+lln3{aF6i`VGCm$Z3CG)W*-MMHniE)-@WAnIqv(d6_ENv|!Im@$|
zFa*)~7iKflD!E7W@;0J|MF`_8I>K0#{S`;`NIwl_XLldNva`{WY#q)|&l#v78;mcH
zVKr&XvKOW;oR2LRX0y_eE}v=0Kg_i<b-0YS;23up4{cy9K#Nyl`Q!t%6wAZa*i!av
zyprsi@Nf7g6HP~1U|^ZirHKZMnAVBlZ247_`uS5_TkFnjl*mV)TBvyl1O1>yCwpU_
zerl}w@Il_$S##po-NsmB%|7s)oNtVa(I(@a)hA35P#PNNK0chD^%MXoJ+70Se{h`~
zr2~$WgSB?8wys=Hy-JvOzz;?1Hn|(t0oY9787a5PxlcdkXg5?|wMiT0XW3KXQ#CgY
zZ?Ln$ZnDR15~Qpk|0mADa>)+LZjy4F%!KL2g!M44!f3ZiaF{F}CD6gg3fE)qY&^zT
zH$KUP$@Le3+a%v#6b5dSGge@XVIpvn^kVplFh9{=LA(HLBtu!fK9X38=+_>*$Uf6B
z_Bc31+1G*H7o;fL^O?)Q91^(0S8dyYk<wj6`9t2O{UHSs*75KDki3aNtCtd#KV&%i
zH3};hQ~r><BtMMXXGi%%Qk-F6upN6L?GM=?D3<oMb{A|nm++-v3t1xInTzqC0m_`W
zDy5)~&4W{nmz*`DUI)w0)-;1N<g5r87()&!330k14<E88(Df7h=3!z9W^Ch>HAohf
zTVH?;IxhxW$P%Y4i~BsD`Xr&~RzsV6D?LqEd(;`LamH$e-Thod<`QO~p*luYj!4+|
zj?-R&xn#NIs&kJgWIW{w33iZKDcjM1dO`~R-4pVn<TN#VF%7oFOO%wG<~S?bB=YXU
zU}`3EL^)GD(*{f;yDvIv>6!1gMPFbOXCXnGMDANiz)<9i!hIp(d;EnW_8AOCG9CdG
zdh78}nck={4UB%PNPPc@8j36=v`}bB0P$>Wh8sYkJ^`v{irM1=;v8rw<On8_!mt+#
zl7d13C<xt|geE%#&^D1d^jHMBsd#+n+<@?aZ#I$BYtc;cIB7YB;^MIKFw1e^6Dbgb
zTq(jf91oUaDc0kpts!%)=U9K%wY>)!^OzGJrcj?nM~3iOrG#57uw#`vL-@6b)UMXf
z%@fR#Vz-#f7`TsgRPr$=FZPNg#)_mN2`imYTs-(LgQ29kcsdr%yc_cTV?YUJE>`RA
z!r<8bqG5fQwWyR@^O4RPXEitz%K5N)yI6xW)%;=e%(4b&!ti2PcEVETb}SD5{HdI&
z14E&NM}h~VE;gbylQ&LMEG`z;ONRH!bH<kiS}qHm<Kb$Zw+jw`<S8XSW)wet(A)Ny
zbBNGLeSz2+I8G9fTW>W<{5~yu&WrXP!FIV|I~T#@3Ab9k(Uc6W+a=y7F2q!4!_n$$
zNfp?Q3M92jCc8WWa-CVr0^g^-j?5fqnY_q)6%HP0uUorn!I$<P<&j2GCTWyMnm3rF
zO~{|)6|tO`ROq=2UYaKrE`=9ABo*F07<$JsYKep5h!Vqe%x2wFEDudz#Vo`Q<UIa@
z>aFfCDB-_PE5PFU@qD<sa?IPdO#N=wOKwJdMtt!iok-N4rXxUx7JoWgf|EjS+FItl
zvNvU2W!x(9uHC<T+bU1tqjm+m8lJ{E<1ut{b!|$Osla4$#Wq`|P}p~HY|U`S6<510
zOEJpMZd^eBz>J6&3ad~8g^UZB6A>fsZk1&9O%~}7MPn8Eyv`bztZgxrhut&1m-|^S
z_cN*vG{A@Zc-LX;B&;hgmV%cjVpvHiy;xfN$3hn4qD0qW1G4}#n#P!RX1O1XR<_8V
ze>@o+GQvI}bs<qXQxcHzR^cBw>WyY*Bb!-*{aW=g<w_Mo1JRodDQ2EOPGXl|FLBLx
z#*Ghq+s41icy&a%GXKPQIi|~`oi?jv`|M;<dcgrGx>2FpEec59`g_KdKxt%fpK%YB
zDfR)XR)tmI?Df^ykIO@?uGd=~&UI<<ZkURUe3enxbmQ)XJW<TJ9v-kSq8>%*ExHj~
zT%9={Wk~{(H{JuOOjX02GYw%k=GB9pXRv<bjTrQ}Av{1B8O-z?D+yYfdr^{D3IBg!
zN^Sf1#XQ!9snqx=*yisGk+fdA=}Fxj>t!%Hit++3J>**YRp6-p=h*ZvnoaLg@WHi1
zF~FV^ta*40gPL{Du<<tMAw{HXdGx~+k$x8n39#siP)Kmo)xe^&$1#N%u;>(S2aep?
z1Op;nij5G437iFCf<S>ikm@5v`pzQ#K-dyf%n`1J53Gg{(A2svaO<fey%Pctix8s|
z0(F!{y3tk9LJJ+MQVRzoY(>9bk{$ToKKi_|5{hCE9;^Uvy@q;*DDJ)J(n&@%#j!7u
zAaK&2(aCvyn$ca~vnox~?WA@WEKj}z_;#$0DQDnEq{f}2@C%^6M4*&@$n}xHu=6u*
zbHj0G84YI}xi(331I6cApS2f=O3p~7Y@pi{oQ`Vgc61du{hwe1@gfc@<_=Agi)`hH
zCJ9G5f&}iplFf0)p1Oh<6Zm$$Gd-&l0;NFt<Z~BR)5Euu;9TCTP656>j7sRBP6?wD
zdZ@y^DU9${Dq`hSLSOB!i1+qzQ>G7BWGbVNdn*#%se~TZvsqcBAmn2+cCYbJB`8#K
z#q3H&+`1(SgsLdMJ(?4$PUil^EjFkHwv=Mm(F%+NcKwiT9kw5vK}PrWp3>3`w;+zv
zlHeERGS5$Vu9R>J?PIh_N(>LZ#j27N`{|hPWd`ESIm<q-bPMR)eTp1rvili)Gymor
zwR7*e1*|<|OHN!_^;{m1nN8YX^_C^p5QpSR{-4v9e)Wi08d@+pd^LPUV7@oO3&sN@
z;r38)-}sCZ7;92h$l)U)6Rjs&cjHC^ef5y9Vh^rhK&mX&BVlv;O=_LttN5mpp}E(0
z7VI<Rh6Xn^wVnza8W?yb{DnMF(J<_gTKHpm;KP{kO)<NI3f-zgjvR@EoAxJFlf&y&
zP2pEmDCv%>TNJ-KCcvZ0OcztUil33{ks1;cloOY;AVJY8T#+(Ec+5))f&{ley-}|?
z;jRB@hCXJ`59CmaZ}GICQ!0n^akZnvqw*(*C+4R{=7z#y^|bi+i!P2*{M^wL(ta^!
zkintSi~~21BasrM<d0I3N5m2M?ArXM@Qe8<sXkxrle0EwXHHH|P+45r!g&3Hnw$bq
zS}k9zV-GhN6*<MU)TZ7eqV`4m<nXq&n_*a<8=5rbja!Io(ESf33bSWdHwtjhBlb$!
zq{FBxa?B)U<>c^jl}+Knm2l@scW2+Y=j#&otS?I|3yDE@s$N$uNccf|V#^L;{o0Bc
z)Uf3*)K-Q}riq1BR+YC`A$$Jxn!nKS$fBCa$ojSR`GkGsts1|`&o$sfM3L^8c|7Np
zj}Pl8knT~ST>3mop7(qlouOjtey{rpmSB}GR0oT<&enZ3rufhQ-0A9ZyVU(pe-gm7
z;6OwXc~-Cl%b5aRXtdX55NJYv1cU^tAF-15aZnVH!&1npEs(6_uNUVe_#Ay9S1dh+
zlkoH|9MmeC`LyVXb_uo~OxNj+E=vDah~{ZGx~M%4*sLz5Oo*uM*f<Wg(RBrUhZvdt
z`32uBh)%+Lun4UM5v7oukKKmq%G_wIw*hQM#`W3{f#--mb_3;8=yWBZT&HiTW~$ck
zl9sZ)pDP4UEpzbHf`(9`R@xBVToVBWc<pW3t^*ma15LoE!OapjRNF-MQn1dbpfK#t
zca)@!T1s6nUQgL&fy>Z8oKYlE&wcTISE;=5H{pI2fZzopwhkJ_j2a?-`(?>#arznJ
zi#Yl+k@&ub+Q`1z0|db~tIjsV6l9_AK#WPu9w>`5pk$$H$ttkRD#g}<UDo1flymvO
zLyS%V*nE)<Xh8pG&z>Q}POaP5GFM81{)X~MN?3|VBlXN@HpI3NIArMx?PQehm<xo+
z@w7Pkvjp@FbN{v>VvNwQ>IXJNt`fUvLsUE;0GH&<2R6ADtDgorh!f`t4!eZaIJ%v4
zROwxmJKdMR9o~RqMtkD^Q)~vf*||_{#Rg_fQ;YXIu+-cx)n#tCanvkxeckH7XY`*B
z6lx$g4}a_7i|2t4QkDM`dNHIB)29qhU^7Im%dw&SO%6jYEXJl(E8#pk<!^HGo$!)k
z`6<?-CMHf4+mZIicaKuEYld}vT(xU^z|EJ<v%Y>Ne@E<3ZF}NG51<Isu1LNNf#@~Z
zBHfJuf1!#6O_5#G&+i^(WCR97a;N>5AM7y}h*(B76ULQI3FHX+cUk;0E3k$10N&L^
zseU_p2IISiu4E$=euIfj_&YYW@CH-XKL=y#ZjS#A3#-%)hjv=&CdH$if7GSYPO^Ic
z8C(CkF9mWl%1CxM1Q*SWQ!bSqC{#hI<P^tp=n`-n7RxI&XIU>Gm~^Pk$bWUHb3F+-
z0L-8=!OKe+Qpf6RgtPl=OpF;s|3fcKc$D=dwdAyvnL=51%@oWRWSg*lPvPq<5N#A>
z3pNT^qA}D&oWtk#oi1Rch|pU2oU4Mx7VC|!3btFUL=~(oF?<jLVVurR5qS7$wVk8I
zqs3n!5X`g-NB>$rVKhuHXG8gf?QA4lOt?3}c6K@un?{Af>KR1*97&=$J(;K!M<1U<
zB+j710G6|97uQ;XNCRVna}w2hLX}3$zD>ljj}m|(B_qI!pd3?J20<K9&06?KscC?i
z98g<ZiwKLy*^eKi0Z#NLWuprO!gXAUQmC~nk^qr7g)RKToj~{+3v24MSJz0`UG#@%
z*55|6-Np6!$9zh>x^krSd*-mFDBlJqef_zgurN*5<ve#$yev*`=*2#6GM-^F9+E}u
z5M$dF_)XW0q0~dZ49vblfg6T6)DDF)%ZAQ%%5~J4HT|iu@l+0He&KO1!B#k8DSWgQ
z_~8cZD91o?6!hAa=%4@{hwZ2Cg95C?TnY=;c9zSVZMoCh<(gse^w--&x<`^kg6jO(
zV(<H(f+ulZxYOtg^|@$4WKm=kvCwni#AHLuUqUIHu0u>Rd5T*Ig($u%{=OQbsCc$f
z(1vq<M{?Ka>+G+RG%z@v<X=PqgIf{is!`!@J->z>6yV2&Kd459FwE_aj|d!gNI+y{
zd&C_o9~U=TG*xsQI&C$$Zwb4>Z0lWL4-?66sb^D%-AYJ*MWKT%mnng$&V?I(6J3cs
zX)=!gKJu5zsGQ~f6A?Kh$1^f4RL$asa%TY6A!4d>PV&358ZYMrOw@^f>}8}vXhTD?
zYQ~LGti_6>%^&`3V>?H;ar;*7aD9AVgC=>z9YNz#PYJ>nSr!EZ=Oo7GuSv@BJ*vL+
z_T3W`9{bn0Lbthv206D<U#j*A7430NMV&A$WlLpq694psZRqd&RPaNf!aM^Uz8*S(
z!58gJd1G~5)hKb;6(&6b4zki+whnFC_-|5}el+*h>uJK*{}=M>|H8=c6zxb$hdSKP
z<E>?UdQX0BfLPbS^>&vF-HUW?U?<sk;GSZSVe~jW(-$3z`q)DB#Qat|=zC*6oeFxB
zJCF__=r?KCE>ifuu;1Jh^(lN7xSehkBx}Qd93Az{p0MwYdYLxt$0Kdj19q>Vtetj(
ziBGo&eM^`Md^+yQo<Ru8p>Z=M>RzA?d@AlIY6G8+`>EQ%r{g}TH}L7W@6ZN5Qlijg
zZQ#>!f2$|(skm2s5Bwogi2G_f@F6fE_A$c&L+OCm#`_l~(k^eQl~CUl-E_EH((z6a
zXoIMLU)K}ybim*D(8+{&5548IRxTLegq>iHXW-7#86(1-tk_+{8C}DphJs(=O;-;(
zxaSCqhCu}b)hwVS@bByI#0Aytd?lJsM>qJ%(SdywnPFHsxIsADp1_V`<TTAtgNYD<
zq+;0ll`jI1zKEMBqrzPH*^32nz5p|qHraJw@!|wD*-MMZLDaI#84~gxVA$k4tJ=HS
zfr{$E=SvUV{BjA+xyuYdlX?U9NKfGEMg)Ws;R9@(u}4n9bnM22Rud4s($Qj)91u9n
z5CXW+ZFYn<c!z1DR~x)rA$p%jc0}sZ!MmJ_-sOGVTD&OeyGjdv^QO&z)kcIDjF*iK
zS{3!lbz-i|*w7hNUis3k{Ch>5!W^=Svo@>zd24p0!6fE=6%k&4EdIdcx2g-_+Y&?#
zApngt4-ZSlQ;m|*KA~M)TF%0pkOa0gF4+sr@{?|&!c;0%>`6VXN{t>-&SI^kIv{qW
zL(zbf{Bt=UZa7U$jaIV;w0Kc@<5A4aBGYu8lX=UFoF;yA?hD8T>%JiXi>bbSvUeL3
z3WC<TZ^kWWDz3F*&3X-SZM@EIV}k=ut5I)aas+_nBODzArA7G7{uywR2uK<jupe3Z
z#Pf|;jaeyF0_utxiS)0|^*%k)<5uO9&jMPHI_XeOCM(SbZp(LQI&M>P)IV(d;0*#h
z3^h>{%>tM->+E3Sol{ZQh-mg$U})UzVFa%gqmIU|<_ho;xo8;%pXv?D)%wfKgk03-
zN1rh(xO16Vc1Q+SZ1T_^#wYUrW#%Lo3`Jm!0PH&VDYu==u`sn5Xwf;+qP4~L;brDQ
zx0e`tahW?_w5#E=oVjrXhVD!i^@u>=Tf)pcp0Z?WX*Gl?e^X0<g~2yNCYW!ZB6<y(
zbU?`0<Hz*!!)kCIy&r~$%FAyzttT6!o8<CFCb#Cr(tgk7AeO0hJ;<)16r=JBY%kqq
zTE*xgCfg#HMb<D7a|8-wV+Pk*Y&;Sh#D@ghidL|HFvd6@qUo5IP<QtaB0Ue0ei#!g
zz_-`u>(p-s0SK-CxDFS`NKOG>83r^C=^G97O*#U%Cf>{|ycDoN($X^zcoXjPVrozp
zCH%O}Q#Cd5GVb%z{^9{Y6QU8l<HvXM((8HAcX^?SoxGI$yv!>+7^G&Ubn=ordBD@K
ztwYm|h>W|u^jEytyS%koe+e8Mh{PAXk>d2RPQ(`2EQB#9JsQ%vXON<miX`&O(I7s{
z`}xO&AB-l`Bg_YbchA*_5hgzj4=KP*Z}Nu};0N<{6nf6DBPSIwckyQ#VNsj;)*kpv
z7%(1Ty!vpebI(_OxK^}MfuagIZLI1B@tgI%tj{uFeO8gOPjJqRY_tI82YzHEVt_&w
zkreBbQwtPOKUBtPgmdW<tRG^WmLNvsA|$nEa_-X{5QiL%!7$f?Y=rx0pWr4MeH0BV
z>Yj`m?tl^{jY}4SK9!RVuPg(4h_fggYff86a*}{l%FaP>7!75oC7~K1dlr+-d~DHz
z>|(fVmPZ<_M<eo48H2lsG|oXA&~vhqNgAW&Xb~Czc0EeMNX>HiejnlBS`y+MKuPEZ
zN=-Wjn%GlVACyYQzhG=Xh5DfQcJvHs3=kQD1h-HsNT>C9nwu#383J2F&9Cqo5~C-k
z{QMvIOra@{n@_gsBe798{B2m=lWo{!1ozsQB>MQ%WCR2kTf==02mF@D3(yKs=Nc5n
z@XnK65&y<6{ns;TzW|k_hru<pI8fJ082FC{2z1wsXftHaFj1j7q=sgh9s<YopoaIl
z^``vohYt+q&6*GG@o6JFfQ`pF%}aD9l6xv{)&wMFO&~S0cQs2V{~Aj!{P|stx-z7c
zTrlUb{HSx~6Yks52jo2z6f^`qnk<Hvg3@P6bpv^izw{gpgfer=tv4Qt@9_vs6q^|e
z!A#jw(H?1C`f%_J8i(@RWYhY_==*YofIJX(fjRhZxZeD#?X6rfpYiN3)`Rzdv2ONo
zQn$6;c+_-eBX#i{9D#u?(K9_>4LyUFlv<CO2LZ+PGp-O|BSgSa6}ZAlG*<zfkD4Y-
z5#j46W7C8S;WApdXdM`!>4l4Si*WsL(P_Aj)+bz4FT!`QF@_V+QzJyIDI#o&2pWt~
zEJegvD8d$s;I?xpwhk=OMA&W-n1zOdy$7RSgw=}}L$P26Ts*56unQ$Rt8Kjcu`%{)
zn=x>^X>mTYwW;Mx0Xm9g^A6VQEaXHYg7Izr8hYOX1kHQQVnoKwMlqYw+&l{k3rrXU
zZdkxSBn#c0Cu8o;>-g@@yWtmc8h)#XUxgBei|cZ!=VXDq6SGi4!V6ZZbhnGEPN78C
z#Z|XZq6cs26-xA7T=fejec+8gg%Sf7SA#-{p`MGY;Z%&_iMu;FN~}gV2D=^*SdBgn
z23;8D5wcezcV+vyvV&dOQ(Z&Z39jr}@P-FR?i$MRapeTNa;Ca+5?q&ZX1RLdFu>5q
zVSe$Qe)%B9E>rXi2U7E3CuXgauZQl(7PH{Vm|5^TKF=(8H{UGSXN+z=yfE`dz8;hC
zgkX8t1wle^a99M6F=h&UJ#qzQ@V-;<yE-^*u5+%$cXXjNILr$#O`*7=5qG4DFMNFC
zCA7gX=2%VF7=yTrC4aH{#~;(M)%lEmPWYg#!NAP{H8;=^31%|<W3nuCc<LVpI_`^u
z4Xbp8ur?&-u3lO^Ha8Z_osNuVMC)4|oR0P-IxWT6Ss*@|nl+i?;RedKDfn;7xo<So
zHMR-^@Bm!X93w35wj3nl)eGJT>IK71ussrfcDsq7PO_cq^k%&p{m}bG`w}>5M=*ts
zYEB^<GHoeF-LYGi20Z1|GXrH&)P1{LU5w`uwLUF1YD;$aCg%WnV8+_Zeg;WZU|`ly
z`Up=~_`^5g%nuQMb*4|)&Ey3K;p)M_1U0pYE2s`|Nz@Sx20h-nuaagZWiMoDdAJ%-
z4ge9yk_C|ncsTR}iUkWk?ZGyelnCUGoEN2cFI^Gy4Hi!XSe&9x0Cq3|W!e6uwo5>O
ziBG6Q-4l>+iaNGZotmb$Nk#E{7jDT-->SZ!8ydY=omi$$nXd-v0JXZ+t|lrAGCnU1
zRi&v_mFn60#c}i1Mr+h?{m(<kG%$0BQ{z`=9~e?WZTi@fH!GT{;1|0ac<B~!U6;V-
zgFHACr|GvHtFBm8mwaqFwFxzNRhLZ0PHk!rtu9%|hj)z4sxH|LuUvzdr{N{fEx)>?
zo`34+1URM$MJ*tjSy9zCv8e^h+JNP&#UU$K?Gf)0*GbHtZ*TBuKX}P@@b!wXj`s^+
z!;IZK7c+G+Mln|_QH<Jlh>r&rRcp4keQSf)9`Vic=}ZTO4!?TrXvZVKZLM6jp$cfR
z$v>X^WkBxD@@1<Od<DNwvUc|++m(m#5N7KA8rGhb#r$e0a+K@!=iP89N60h3BgUFz
z0!dqt2U6-lm3mp4;_j>}#<q_yqdyDZMxTkM2#Jc8ryt|({~CDqvs`~0zsB?YjOf7M
z_k4`;t!s{%s>ah4Z1tNc#m2KfwmZ*o_^iM)mA^9<p2s(ywcdJx!(Vq{|Cv+gs^SYS
zU#L7gBbv1lUYv<$y<|LNm8I|IDT<4SJ`;AoiN^7{s$n<YF;=U(?Ut_s+U;VHe(|H+
zj1={Yd;-;l=oin~t6rl{{tag)&s8l;(|s0L%X&6f^@uGncoxI_`5Gh3H)2oJR;#zs
z0r7R~X5B2EwQ|+jfwI-Q*fx`sFQeO|;gnRxZvL8-WogBX?%lI+)@l{I_#swnF4%bs
z%lH|u7pg~y90egl&3u0o-6hx39he)K%T@tLH|O!NEl)p9j@tA5V`gl~h&Srg1T<6d
zRGqO`&094pxA8l31rEQ|9w<2ca;QDfAijZsYHE4UKQe$drA>Z&J$?_q{Gg9HXgz+7
z6b+sFuy+a8?z&#oKIps8V27*lVmy#5$Y;w{JDN!9a{0%;H!?TdzMd#o6r9JO{>8d?
zi<NQXyRq-BOs%nRAdK-+wchktrV@dp&-n(OI}gc*FDAw~+vHc(u(kug*1o0NT<3v;
zX38mqviIds?!JX0{&Xl{Vtz*7p%^2aV#6>dJsK7ifcZ3p^=e-z8L$mNdLMn>Or8{C
zc|AS@PeinDM?2gn=lbE0QndF}OpRiWLJfJ2Vw%Ckr$k8br7{<xP{+uS(Eodz3CvUt
zMoKI6V0~;2@Kwcpsj<von2GcR;kL}oXd-ElGb?jCFKG~4++`eYyMVJ}Fv4{*udNxJ
zt($qhez0EV!<U1z^)nxJ4(^lLz?WwmWHwsM4Kp7PA0`08jIsvad5GaCe)_3E0RMkr
zD||wz<DetKJT?!<4XvZ4i(JdySeu7uu{RIroEWZ~c{yN|9XJBd9HO1iIVm4F0l@|4
zq11$q1WzEE;A(*VYm`7a0_XIMsuLAdtDdEBPgM9uE2hRqDqu!8SrMP$5j07e9<C@+
zMkgo|Co3jGtDdMJ7Rr*V6rn`q*o*@nswE0lq~g%*Iz`-01ws){<pmx(X_OVg7QtA?
zNn@}s2It=@#dwB(_XmuDzy~-HgEhWDqrgJ$E{e+8$nQ}CgV-iW49$qrUH1<@rX#+D
zmL2P>I0Wp2B3b^*<>=_H>r7(0;5te%jYSFY!xL^@SN1@-{Er8;=|^Xb+uG2#A6^_o
zkH~7dVqA2qh3VIyuk4Mm{0Tccqm4YGGQJctK5ZEL!q+)>?@bD2tqomiNye;QE4nRL
zgxAb{xNGZzLwh5t%bZ^Bb?<vO@ciTkxy*iEl;fFuli&o?T5$ULMR>ep;BPIr_C_Mf
zxp1%eIi?p%r#!wlsQ|u~{}Qr))|am5a)o2fQ_n>wqwiHGH`grQx&7UzH~o^0<+_7J
zWBi`oo3xSNy=rpQmz7x`kHe`3#nzw?{T_(B9#tm~3HB)Pecd^Ze}1xB@9<EWS<9<?
zlfna6O}@B(r{?KYHJox_9Y}hfI)^)A81bZE@|lDOp^<^`#nx2(@OnjE5`3}a6BaH%
zR@QZ=I{97WACHoL>6+CqnKRJ9)#HWcuUQX5W8sU5_MQJke)(`fu6PkXx>@(ygPYYe
zeJeL~C}WQGOV-nG8O1odU&Mb9nh?4+a%beRNZzGL-H<>mGSJO*;-8COen63d@3Z8Q
zf#FG!3nDc+_`;mes|yp4`&~3F>L!Ya65c9HzWnpedyy536WT9*ZTb`tJ>ch>rME5x
z`R>r9rd(R$oLZVZ=92IIm+J$soh&++N+d2Uv#c0xet$`7#p1;c9-kJCdK#AYT+yHj
zpZ%rYX;1B~29M)Q&EL(MnckQC^X{pS9#Je|YJBRaIjL?rhZ!AhhrgC|z4#Kq{N>!^
z%93uz%<A>SoI~`E{?soS@A}h?l|48S{k$NvY;oE8vfUf|1S+Y0FH6&jEO-p-4h`7s
zQ5I5$Olt<#jI8mmi9Y@;@?)e<D(aW&Fuf-^LjHp#d1FY9fW>?4&+U4XBecsOTULVu
zdXM`#Bt}tBX4EFeU62`BA6uC8Z2$9n5D6=QCI?7PGS{`9-0uwM#Co$M`~>~>p3+_H
zob~t**1hYj>vACcCxUV8C>)X@82QiZxf2IAh;3NrM-5vT6LzHJ&ddD2g<xI>=`j-W
zW9?h|98Heg_@YNeKAaxfOK;vYXan@~y_e%4L*j!tREDIF(&XVjbcP(~iw+{#U(Z2f
zf4cGnnLqh_NO^leAgzK%+()Be){WGUc#7^rYfXfFrqSF2E)her5i>@E)G@a$#R!?&
zEaejV+b#p$L>=E9OjOuCfdn~_7)ZDdWIiKE-kyrfUyWYMt60yN#ghgtOO&2$xPJ5V
zp(SH@&zQk;^SFe8ROToYGL7~PhA(8|ZKoF^F<*m<4Wvv7YcPD&_{u1Zoq2_6^w^e@
z`ODR2INO@<r*juh>X-$F+B;@}5BnpL61#;T5n6OH44KBecI!kq&gRwIVvnqMSq??j
zg9Ybov1?W@CGd&$gHO0*vCj?XJQ@folsPJta#j0{q0OP|O_U~d4pk7Qy#L_)Kqc^<
z@AFeY5}l%O_fz;DAESu%q>|_;5PnVY7^zHGD1KB%Pf#T88%5~^{1n7PUh?h|1>re1
zW4(te8BAzB6|;9M;tC;&@|<$ZH|Qi|=lB~ThaNS?yrjt(DuEpOZB;+@+p0e70nw}a
z>wv>@QNC#Z*s|^*3<8*9w4691it7H2`8_{;p+oicMMRy;nIVKEQ3Y9I7Igy4=#a%3
zjrX!UD~#nq>-fHUt~dib5q4AnYy4e`-<T;2pPU)cOyyOpr?cEGzLs8D9O2<)Fj@B1
z_-JXwqvX7R$7km}5b|z?da<7WLtb6nn^$e4%O>BFkJsCu)OFTwdMT^>dFWy~=BZ@(
zTtNkWSN-CM+W&{U_W)}u?b?N(XQxw4g8(*?AOW$3W*@VIfQo{&V8fv!D1tP_3Sz?w
zD%h2xsDOP&N3ei(EQ30>QAY()Q9&gj3aDhCwF5f7|M}kceAj=@^`Gndooi;0gs=&F
zJ?mcgTI;^=(Lvw-Zbx80E9XYLeb1itj#>(@e2oofN9H3qJC+BwnVQ60wv77gmnlzs
zM-BIRHpx<d;*1HAPFOj~Qh(w^#ip?PM9N8x13eeOv`X;ASEbBor_w}xdSs(ojfeZ}
zmm%z5Kk`M(aGxQ`y@Jv?qk~!}2gOXFvkoMk-y!P|sf&|xCoTSvdGpiWQ)?tD=z|+-
zFHYQ^emCeSbIFl}pI$kpJ^qukV#@KAJNYJ-(wewblcc_JZ(~yT>l4Pk&`h04s<cdz
zkr~(zzetN47Uvlk6c-=&Xy%q=rf=r4xrXKQ52pznI$I2ce!a$n-nJ$5eMC5H4D?V8
zhDtm3ZKGkk29BDJF1^g8<ER;847;{qCjcm{4d$^)0|8aIuIHhLDl)OkqIU{oK^Z!8
zohp2#%!Mv}Uilvf`E8sh7g_h;SF$Qq-iv8R$~qSU&K24-#4wFYTr_IZ6OgH{rM1$t
zL7KB{UfJO`=dc$bm8s*%%IBZqE`9{MnGBt|nZRJRQTC8mllcOP3ji{TmbhLEy6GLV
z>3Te-x4_cNp?jp!W*{DFbfn{~8FS-(bH`b8yW^|@691`-{;YYVKWoHdA%e5U5Y8IT
zx3fkHXN{@NO2Z${nm(Opjg8bs>Oh}0<sD~Dpx{M4Gt0l<stBvT$&2D>eZB<QyrqWH
zYdkAuKd~5@^nq7NHXGU7z+2uOW$~<TBRQ*&lxJn?0td~I8_47doHRG<;h;$ddGiMc
z84f-gh5hbi)o{im$)`q8kF)IB#^{3Jq?u@+Ah=<x#*Y+x;G{V;pu!gaVO{WC4o|!>
z;5TP>#V}6)NAyX9M(AxZP4^w_JZr>ivAUMVYs00c0_d##dj}&Al2*J9AcuI6o-Uwx
zP10x0P%?6~%Meh!9!@5!Lq?O)L&?|@)Zc@YJ`}`ck<wyvbYiwkL=+i8lCvl8CBrk|
ztTA%P%i#t`;R@j<(Qt+*3tL6uB9uj{7#*EzO<EML?Aqk|5!xFJKx^#aSIzct%w*GJ
zOBl(D&<g1|cJM*w>EBt-DjKWzzVlTOEGj~gV(45>HN^|Wm&?0;UU}T|<w{fJv_Ux7
zM}N5d0+MhaK}Lr>$Xqh)-d)x0(NHlI++wCqQI+kw?mQ0L3O7$m2U|V9pi;whd!nDi
z*}=TFqip=uMS)+F*qbJ&ATM!nZR6jvs4c7~nimHz_Pyy`bx$=cGIh$m)s{)~W@?{i
z2Tqw*sri})kJ~PqAI)D&0YID1vAy#8%jzqO0vDV%+A!qHg7?{hC8Iu^S+TOqoan(C
zhiO4`HOMMKpvIS^5l)j6@yU_@ha>adFslEnB^%*dN~sZVM~Rj{06Z|G%+Ism+7o~W
z$}cF)uDX<zU1aU8WNp`nCN%uNhbFbqRZzZZ|7)7E`xcsO%C`itlXpF*LsQ4O;IcHo
z?o#Pzy_rGQj+1Vj88?rA4^3x?&F`TZOCtduEzq_`)Ele{{t3<T9{ZoZ9cB2YNqxKL
zK|KUeqntK|P)CO%@M)p!)XrEG%90VwcBK%42(tb!blUF@p$J*O)m&;WwW34ur%ROe
z$Rq1&RV+Fd-TJKxu=+W`s3lwLZVPFD-qN8$X&N2ue6gsz^jc<TTz1#TrBiPMwHykp
zOxtAEc7;ABAtb%N$0UTL45Da{?55>N2E<~H+;*5ObAX>S@u-hJ?CSiS*`C8V`mpoW
z$DPIC&ir0u5C1^S^`m3%KhE=5(D~h(9AW|aT}X!U>6qg|em8UBsuK)JS9ORP<aZvO
z-!1epR~$r2`J)rVTp|WRe&>_3lgaQ2`j`_!&_zK6;f|nNO-CIHf}oqq(Qu>q^Z0A{
zFniq*Wn&S}k)afbG6)sQ<P;I+TC!F(h1_`y7HNV-5ND}Ja`Qbaj4n+z&4Flp0LqDc
zS_QG$h1*XP`#WpM+=D0gX}Rfcfo=@#lt8W}?^Z-spUFN+nmf+AewreGG=ZCXtWnj^
zXE<~8q~nGYt2r-6)J+Ne+dVO03#*?7Ji|!C!87L+7c~~T1)5L$dD7#%X-v-9nQ!9#
z{}0E-@!{061|l5NQ&*~Vln@^Q5}RrhG0Mi-fxQcfL`JXrWu5v<MSlLBI8ezdfxfst
zZRta!olaXJZd<NAt=jYk(iR;WU+J{<FnCDPwn-mf>eJRQ=kSBS`j}VfLu0)<X!o*4
zqs#ixDEY_jgB7oL`=CPu46Vk}vGFZ5-h4}2Xwb>SwGGI!rVZl5=ROUQA#KrF>lD)8
z$vKd<K6R!o$XZo;h)id#vd*+cBjiaCD|Fg|Sh10Q?Mz#cwJ1GA288^vBX2o*pYJxv
zb7xgY-r`xk{3majEg0E*gK#6*WBs=im(>r6t5VqYEBgOQ<`U{N7X(p9422-2%Ri~=
z&9_t)xc5lr6>{q@m1rm%0!SAr{yTxGnd(|Ar_+_i6tr55Ho&Ar2MR8ML<M=OHP+_{
zuw3MyCokBn=w7q$t6=V=?GrL56|3$)%NbMlH(zi`qhz|>(>!4Ofpo$@8SjGzw+Yuy
z5z`~57LcKY4naY~SddrLc!MCqiP#ecd8M<&1a*{&9sHX~z1EQC-$eiLZ-!v8RSXrT
ze)kB9QRZEJtvQsdr{G9}S<_~Sr?STI^$uI@dj8G)m%mn1f+&D~XP5145r-CEL!vP4
zQEF~5RG!_8vJVeQw!D3pb^QtJ{3(_9dK&uuW3Sb1ziNK@ARZ0<xFXz^q(LHa?_FlI
zz3MYwSeg=D%&zBLJ-qkum?}$ChOOD#@&lzGWz=I!fh2(D;`sVPbEfHYR&sCQe42_Q
z3^#3s{IWyDD3DAgmc5`Ec7IP)fdEA5?g^7sE{X~Bksk(F0UXx_u_aIJ*+l?QiX%%G
zq}2%iB6X{+#6kh29i31b%0LVVr73Bl3W%j{Hjs7(>GKYqcI>6A^|91X+D|&T50iQ!
zeZ6qi*yX_>8ctW6-E3CDD@X^*ZMbv76uyFaONCOtmGUR?AQUJP*+a518`Ik$KyC)f
zhHqs$K~y8*Tlw%;z(ZBG?D{^Odd0e1a=>l^6FxnNo=tOf7tb)DVtz~^ry5C(q_b9j
zDIbF_!x!OtMP4uQ{sA>*cIb-r%f7edP`Czm9ePU+c(Ut=-M&n~l>5$fB0vlE9~Sy*
z(?x0x2=M<w*@gc=*?H?JyFhY?H|aSVC_8sL8<AwBmy54To!~;wSBH3!(WIWT^CqSK
z%9u?+*}0ES+~yJyOGdZ@Wp{uKhlVp!IOJ6na#Qdy`@N#gjEkn&svrfUP2@JlBy77C
z)VovgAkOO#lkk4l7SQn@q@Gy&Q3LH{gkQ=aqCQ`ckY|{;?q}esqZBt(!9JUrvqWgN
zI5lMQ#r`$Bp3O8}jMrGG;M<tWCxI&onJU<%J+^4>xjD+#`IB}|SU*XYxP4VK<Iz(~
zfw#uMEjTD4XlW4I6r^?a!C%H32U!Nuc3C=25ZUFzJVAT6_B(gc$d*Ock@>otfioA(
z_}e0&RyRCmd~@yEYbVcs{o-E|q#<)%JQ69=<uH^!6HhlB3~#w~Gf<mk(BS@u>-pg^
z2QB>gl?TJ0e+jx2_gCDTIP@j1!A--8h?^6)GH!d^!8jc!=Jg)|oOy%(f~r(ym}M<2
zX+L%|u;1B?RW?@b^}}P_c_z{7`E9ohQjH_WnI)=zq8utz<S#pC&TaYi?`t;${}`W8
z(lY)1?cp&Z#S8<^xD&5JQu}27lsP^#Boj5b)h1t0eUjRciZjKToEY7G_OBAT#^3vN
z>&>7<ho5HbGfsTs_JMjZE7Lf#n=`LJRlDelimaa0t>J0Ok(<Rk3>SBO75_9pM&cSi
zaUYvw`15DZ`fHilxqEX@=Avu4O)iGGU#=?GCpRoNIajwLmqcbg)!Hc(WYdD?YoGr7
zVsT~Sf#Sp!{&T+Ed_O#9tEE9-iw~n--p@6T+|xS1?bYFPH=l59W_)~u`Ht?HHN)ek
z?@=E9e3)xg-m_d;{!J9>f3r+Y{#K>}9Y(>aG#qlYDTVH;^mG^n-2xT4Vs*q}=pa15
z$a+}Gx&tTGw`~8Yqeun2+NvK>uw8l9d=nw6?m)r%c0tA44ixM_Hxg!00F62eRC_?d
zw!&cO7|_OEdKhff0fUS5xgNyA%c0KuK0@w0oS~;z0AHH6F^+dZCTX_;uhxq2_9Xs$
zOCo6y()M6@-<Et76VkbYPzO6Usi>_Lags=>wg;RU{=pFH%U!q^57OtwZ8$J)Lw{U<
zUIePqP&o?4j=eFd=uGV-eHxvhNi^iR8^(t=CXmuBrva^|aDW64*bK)<a({gRxzFHR
z0hwf<1X#8O2!FADB=@^+(?4#ORr)2x5|EJ8D1TE9DN%avR)*#4^~JX<Ba0lifxh@o
z<$e2*B4zY;kdV~$FHuSlOJf?9(tPk{|L72LRSAY5vpHnH@Ha|?7Rx)J>?YYi^&{Hf
zs8lhA%KY_;2*aU6G*mWJ)>%K+YjZmJ{(7ycy&<aCZV(#Vzk`X24Y0?MjRWYqa;^()
z2>@`nlN$o;_d?GN-EO`u)nndsKoI=}w6MOwtWK~rr>WtUrbk>#)g5WusUvN-4L!)b
z%+~WTOOD>VEggi}{*R@SDQ+rY?}5DM3%oR+Bb)(RpBOS;4BE(0lL=n#+}Pq9{E!+a
zDwmYCq<pS74Lms^A>;R6o-cMx+`>An3HjVW6Zjv=-M-BYz~4Wm#yR`ByaN8-MQA>0
ziNT3X;O}4W0DIY=HP=+Y-%m|@T**OGQfuQ<X!d@kNp*MsrM_O8t?Ck*zo%#dUqzlC
zS49)}e^KM!Raemje!OWQuMeLl@K=R+X?DVssmH9u>|v?Dz&kQuP*jj!b5}==6P(Qb
zdEp-?7nufnRK4vr>bR{?>!rz8PoC64Vr9~;li7h&klEw{)h2z%WXHrpwXS4RoSxP@
z28UcPn%3LVeuEk}lBV@cbq)(RZ2qmDTJS)-W1^{jaop)(n&^K8O#kJ$2XWFIfhEoK
z-`z3sAbcN6&%8k+<!jh%G(}InnWt@yUl+Y3-b=GVI63GK<gNnJA9%ajL1vRvr>E;F
z{~Z&Nv3<#;hVeK^9Aq8fr73k2I_NS5IrnLlWU748i%8yxEk*_vWBrVtZ-cf<gCZFq
zqrklLSC2%93cZX1mGPv?^7iLt%^;$npU^`$QoCPJ$4iXf)U<sx?of<8k;JN+qQ>Z8
zgSJCoX>?yBf;;jZ{@CP#xcKBUk&2k?iV^Vq;f&l2n9$o5hjfkPeAH(oUM?c?;?PGA
z5R06P3vMv$YU9u{{czs?!W*f~I9SE(!764^5BA+)uJOj`OFXlfb+YINv%Sh6qiwW|
zWJ&4`=H`hQnOCu?2M2C24^IIpN3x0?b?64O;b#ci<CW~uM{h70d%~`<`uwY=qxt9N
zhGu$Jj|0O&)nEKOXM>oatMh$B9dvmoVgE^hQLzh?p&!>fs8@7+)l7mY!%Wo~R>yeW
zO}5i_K}TAfVYOb+v7AB6IcDuCWGrEW%EI^_w}N{<=$p_pz&ug2Mfh@)L}F=s(sC(S
zI(0}p?lpOSOZCo@>X2%%18ql8Zt5)u2?j@D(nwl@p;O$knbvOFNGmY7CQ{IO3`Y^D
zZ#fD@aVRB28rFb9P|PN297--hNg2|l<<gX0^3eBN<Y8z=mOKv4?0;Gsfns;bW7kM`
z%QStL$|KXIvFTFSx7Ng+m%^TOM7A{ift)ohLmIh8dR=zaIsh~kxEy=E2qdimY2sYd
z#_AA(gttc+;h22mO@{_#1*kgZQTP=|HhlmM$TlYWx`ZNhRO%ASW;o(dnk^RSiUq2+
zKw1mb-rAe~73`&mRBa~cGI29qj3@?|qE>*Q6SWNH=rXk{5ajgb6v5TTpmyyHtW8^@
zWx<>t(q^sz1&@YhS_ZWkr)xP&7vWXJ@(jZ?#w^A`yuuQO<Tg_6_y6OF+K=jwJwW|2
z21U1P4RB9f6wV+(0J5K6|FM5tvlJzAPzXK1W;*waHn~kZ=c88FID%C?3xk3}(noC)
zkFfOxO~_${5{C~!VJn!0iEUaCgml252N~T(uLs#7s?b@Xz%Bzc!IpJ2!9F$8B9L8Q
zcTBw#^zaZa*1IEiiavF=z(DjV1c%^)+K(K9>j`}~x_W^pvb?yE{Oce+w385#=(UPG
zPf23VNn#qI-j^M#U41C`h3akulswwUth+Bc-nOawNsl&_2mWm|@l8s4Ax&gKm0~mk
zPs7Q^<^pRmN>&Jd3)WeTz^vpD6#Ra$$lygXEdR4~kycQN?8mS>$J~zt6tI3YLByCU
zVNH{~BNQScxtkzZ$6qu8bLjTJIt*>tB<Ajv)HUv;CkIY^zQoiCiJSCV+q(z%1vRSc
ze9Rx5HL=@1Vm?e5vG;*qwLv8|vSza5yIU&QSk^zEAO@HWP{;)Nc!(`D^q10Q+o(%0
z)p|zcpI|dX#E3T&dSJr}g|*RYaoT6?FXA1vK9Nx3iLPKRYfSCOTH_b|33pXKgh{yv
zquU64ijn+T8=P!uE=VI>rDUG?qAXM3Bg_*|Fx&I1)ien+zWdBUtl<vGq?<$n^74b3
zqa5=^!ySBB1%oySk2sk^->lz2(UZX#4Lod?N2?&lVBbx)_>0LHhTEH_-9=1;y2iVg
z7%=?gr>+!M3O{e{v(n~&-tU3NSH7}iJvN_~quvDTvH42RbTTZBE<`rWBO^0h=Bg7G
zkjG&?HiL|wN7G{Y03~3~Kjs!GO@sB=yDky?VRVO_T}y^Py#l3(uHOhEShz4CozzP|
z4I$h6uOmSM66uAXoVJmU7Tyk@)OE1D<Hen@(Hit0`<^ig8p&e@jneXjqnSH=&~pb6
zeli#A$7$AyRRfLULH%(Vy}s9Ob&1iT-!uqx9HF0vyE%O}-FwCqEvK6%KV4#2D1+6<
z{f_(A`XV$nU~0fYy$IwPlNB!9z}UV1AX+gj_<(9?+{AH_XT($et5w|u)lJ&yhJ3+`
zmN%gu2yYg`7#6Gs?9m$@!?#cfVIvN|wjRS;WgV|Bjb3#HVHdwuW#&WGSMX(OyTj{(
zip%BX?K9$5%is|rBoT!Ya}YaWgjEGY*TbbACv>%{=$D8pm>$21R<E%2yu{RY!A0_H
zdCE^>>}sh?uz}?c(HT+n2-pdQl~8}{(^KrKztE%a8*P|%e*0u&ZP2*z(^F}&!&l6)
z<;r=nyc@G?=1tFM+LovOnOgNV=XvXvjW+E;lBoeQ$D8RN2CW#pe6&W{e?`w#=`r&%
zQI8i6St-4C3VP2<69|40hZi!VGw;sNtojObMGGz&RF}JM-PFwl<vSnC9g9Vd;@RtG
zGj)G%z{!U0LYIC*X2HTDt1*hBiCxsAi_#+*wI5wiyG+YhCKXRafFl#r$#8W+l*d^z
zwuy|Xbs3%?m#^$4@bS%`rY;y!IA>JBi2NdHvCHs%Nws83hD)g3Ei!H$IpYdxur(B>
zg?#Yf#l_)<%W6L!E4(^$53kq5xNIxD)3+ts=@JtU=bn(U_8q{6MYf}loe}xX<#rR=
zl=le13KJip*X-BUyuQKnEC%E0B6*UvX;vBXw~jq79=<|y>DTeeu5NN4^MrB_Vly~W
zd*ZsRO=43_UclCVF54z1$f6Ooxna)MlF}(-sC`7)`YsDfjw}Wxs{OEC6wS=J8NB_f
z(eqZAtMT{5w2jDX`I}!~+77+o-;EZc0y9+?zjl}<zI!?tj=QQuxp!5pH%(eqyR`j7
zc@NrLkOIlciRs>%W2yUhVJPSkxzEg4t1@8$_;KJoZvPj}$@?@U8sMx;_}r<Xy-@+u
z=|e6)6~M{df@sOf?KKa*4sYH);;UYA(p?A8;banv7mX=cB%mcHt>9DKvkW3)IuMv!
z^tw_S9Q>DvXrGF*Lf9v_r!t7OGxRG93qe;ZBlIS7{bE!<h2@Pwa57~bz^At`>hsh8
zq$)+P8W8{0ssX^4Gk{+@1a<`fj5h1x%W+sY$N?8YHNcmDt4IA-uPxP*g``Lb^TCWW
zY_YC_pn=R7y<QXmncyC`;(Jbdu%zcS05V0wm-{5%63eSU0GZ3bfk?H^QlOwUs*mGQ
zCLCB;;18AWxxJQq!^gZ6$k00o9JA4)d^Wv<Fg8@L9u-ExKzjteflz{G<wz5DN~3e6
zF~zykr0vp_o${~}dCUNSImtWaq37gVWbeylfM@=u;Y`9#dF%!0F;Jcg-!3hTERx0+
zN%za*o=N)_1E9%~hPTM4<w_&b1!<k^we>UrGzvYQ$p>AEXU2{IXlOh`fJjuc$x_F9
zxIH^0qExUfkWKM)xEDxR6JscVGrZKV)fv>+b3y|~>YLH3ueY;O4T<s^q3Y{Jxt#GL
zC?oajRe=GFfuMGo0po>h`PVBeKgluYE0ghp!mZSj3|3}FYi35(3Ti20O+&4j6hIkn
zCdK0hQLPynt*L0mT)Yo7s8-=5hQWN)`Xn;~Wn?VR!F;q?tL3i*ttV&|Wu}y&d}0+s
z0EP~7m+ru&X!$at2o<9wgG^S&5{`Bq?-Y(e<%}yR<|;bK#N1H+MXLSlf5b%pX>5OU
z$Jl<Gwy9-q84txwf#1cPHf{K76#Y><^Gj2A#z5Be26|zH(n?XN*M}y+oIJD~&zXia
z;Vc3av16v8S#4TP<QHv1n>K-mX7dm$VF`-Z%|Fh6+=So{9mH?T{a;#?A8vg9Kt-!h
zHJ4L*d(dug%Tw1JUvhq3*M|(YW>pUc=*qS_8dZ;EceYIoe$debgYBk909F5$j%LRq
zslT~Py%sh}X=UwNT3l8Gv@vG{6Go7rP4O2(fT<+3toGmZMxj=9!T2jwiS(5<K7U<y
zo%Qw!t*$+g_xl${x2>3wJPx5R!Sn!jT7TGaf<^eQ0-eiFO!QqtPe_4c4Ztc}(da><
z)kHrLV-4J5?A64fx<(F?Y{g8mNIIeeeGT4;y+!hVB9^1XTQo?7r$}~*oQF)tI0Cqp
zJQQbfPp}hnd`y{H807_fK;x?djbo4I0@cgl?V!nE!5M@1+<Sb>0UDoyhNfG=4n!2{
zCUET`4wo}ZMR7JDh%=+RONK2j?cM`~t%sX2xuQ|bWXq!iu86bESX_}6D|wb+OaE{=
zTchY9rm+?+5#6uO<U^0EqQSdFW5t7LWlg@IpJVUcbh^J=CkBYK%KnWm(+M^ii{<~Z
z-F{9<x7#a~L(VBZOO;{$f1@oojw&O|9gf%+CH$g%Yaddsj6SNQ4W`d^*s&FJz<FwL
zqM=Jfl`^94H|6XeWH<$UiSE71F<2N-ssw~{82KSLN*U(=P2}3?fWUD)8i?%ssR6aD
zWVY5d_7s$N7(&K<lb^o8%<f|{j=}#`6l&wV#f80empjl(G{oV<b1i0VwqG=IkxQkE
zekqcC;oipkolv7K<6x?NJ+rK?F)+>*pp3oufe@84$R)rNLcUrxOHc?{rXg1S^3$8G
zL(v$#1+HLEAy=hBn;ggTn41P^U${3)V5!+|4Lx=ON|!KnvIY{c=})X3yt>ByK;GoR
zFSZZHo&=CLW9q~gn3rx1vB8^1{-#_@ROpsQhz{9lFPp9g#dSBvYN@g9EMWzws~{i}
zPjfhAh59>e4H@Ko0T)dl!if-Vv_q><Y#cWsCt|+yLE#wqq<3(*nlUr3$DA(4wxiVu
zwuEax`un4ZbIR=avO&Hz_R?}?c4ATwGNs%>6M9sca!wi2PJ7l`N1M8aR4J?N!%CH(
z><8Pb&&D^~L#X#4E9_TBw<{mnNBou0Q@uAnq2Qb{ya!3FeGo4_u8doak}oBMUr#uZ
zjMV-cjw+?@E?45G9Zkwkoa0-n3_qB#cVXC3<xCIKEuvkSROKyM+-yIsFkxkEPQw2A
zi8InSC0<F4@#x{w-xWpg1cx44l6t=LvauZiZRZ4L-#<s1%50E}|LGU*wIBP*F2cs~
zte<&rmN#~lO(&R-GT#Eu0)VzPY@(aPi}8PLk~!9G_~5%a&2Q5|&6v$YwxtB-<OVnp
zr`RB89~??Zlfu1MGMDCV0&z=#XYo#{8M)JbJ$$(Y|E}DIcaaI34vJ8PShRQt{-h<*
z$AYQod@pwplFQ4_!Xby5iHEDcZhhX`+yB7K0gAdPG*G(PL5*ADcyne+N=33nJZn8{
z0MSC5)#Y74_`#Ika@$IP4);OfL1DTlQS8AT5+bbFcUXOsFjB+zD_$5b4qdctnnrxa
zc`Ha#nR*^ohL@EpBacIvxHK#nN32etb}(UztCes+>#8sUQJ0^5+4=m2atw7M=%A6Z
ze*ZK)Z8BKY+%JFj*|8Mg6rUf>6>^1x9Da2g93199%Y@OF%sT2A_AhYAoe6O0;xJvp
zM@c6`v}ZE4Eb>=_@-1-YbudI`zf1`7yfrMM>bnGYRB00Hay(S&ae6$|ZUuN~BZqKK
zggwp2op?yql}8AZfHDea1ib}{=%C(Dq=lq4x3_E(5ih}D#5sg$YK$6V(v1L;$QR(z
zcl~WBe>+z%@i#nl>-*{@0abLr?j2s*Oq$ENI|(LK0R=6E#vh#Nuwuz2bHSKn;L%PZ
z=K?#**x*$&U8dwR2}^<{M~2J=Z<^wgxl{RZ{O7Hv`=7T)Zl#O4WT6A25)TkyoGfG!
zUk&FV)MG0V%p0i?ER4+;M1Y8Il0xt?p<b)oC_n@bc0CLOK?XZ455Zv?v6a~0&r)SM
zzY7gIw(5l`M;l1$_k2Sgn*epJrG8FJh0Vh9R9G%drM`YPM6HI9>%lLBVx+b-b5dJc
zj^|2|rIeY5`Z1`53!IH+nYB>CV~D2`Oi{s>0kE7{MJ)s_CK%&$AXeGBBn79gZlQ2X
z2+CYVv8fM(9UZCERTQ-ZF&I?lO5npj03*YoQX5uMtQG4JX9YkL5ZC6U^4p$ffxskA
z%|n?ecWV}($}C2?1hutoDk@@AXdU{Eqt%_~Ffu9a5=VS<$r8u(QbLTEqm4|)1(b}J
zUB_97O3y_w4s{k82?<LR%giduaigQEuSCmh*@{#>C0Z(1s~aU;k;0w@YMC!nHX`=V
zg2xDUC{t6lOVDbHsSq?|uA!Jrl)8p8Ua}MYO0_Sq*ZPCBB@_^efLm!*QcWzSjR0b%
zokkfGLQpb?n8`=L(`dr@2#oCK0`_Rv)`@ULOB1v|lhB-E28saC!a-3CB(-bNM)A=s
zM`kn!eQxI`!eUY<!052b1JVYhRy*(or=gjob-H=bRQ_h%LBorV`>q#&@E?sk3hCuS
zTJVzFp>gTJ19(BBi;`A=7uvh*@(axB*z2t7a_@l#MEA8sYO(<WxkV#^fMUF$S8zJl
z@S%^KY-lGC8k=@E1I0_RsEf#rIn<mn0Gv9!O~6s36qb~DfI7N?63Iaj1Oj~^7Awk}
zu`Nl$S_C*E8)ft~y$wDeZS0=nE^9F-#P_xZx5|{}XSnOu5^vA59<vc?+7EnYtoU8m
z6G@UmHiUyb(M+W7hm#~TY#0vmU1rHN5u=x+G(2M<6#x~R0LifX@6S|mWN!1AO6g72
zg<doNyl!2tYBL}~`Xvtb+9pmWDqyRu=z&xS!1ychNQ3QetHt940;WShsUVc~1truq
zGB_2i#YS0pD!plFV<K264H)<fQ!-K9&pz2wAV}l&mkOslFq0itnr$(k?68(K-GP<7
zQm|?WXnkLyH{3p1Y4osYz(LQ+_6UZM|6p6S!-fi>)^Wg#W1un<1yjNRxN!hGP&9VX
zZ=eBs0Di;@Im|~&wJRWu#nvJ!cv#1_$CJ6km7Sg)8mY?FK9cn8O@<9u?u_e0!rEE5
zi$<N`KapIi4hbit1ISoMa;h|v1d3)4DGdalj{PnXeaML6%GqV)`fx|mgVd}209|sK
zZN(+BaDkP98V)BOvkPs&!RA`6W};XTC>6EK-H38M3R6@%IdyR|UTK1&_tEs0`0F5y
zlmcHXH6HB(NUf0T>==~xrYQzbx9aW}Fi<lXNECx_7V@z`p?qr0=<twV`Mfn7Fb3{}
z2h=qJ$S`5som3E;tXJpSy2n*BgQi_{j-SDN%-v!&Yb~HnI#K-@=bs0eicVB(X+_D2
z?Xq?m4+|kvHBn*8l(^ohJMe7Z=g7gP9nj+-#8->HT90=;F(GJ>DNaaWm^ka+H>L~v
z4J^DQ6$IC7-5oAS1^EF9@wBAmhHMO*jBoN5_zYF<<_plq&?<zobiH4T=q<1^a;-YC
zH<{xmMb`dhWJ)-B-4(22d05I7MlhMtKe0y9>Vg`4dZ0g(w(3(}lE?E-GikD>iZxmt
zYcy~z`#o&Io||wt<i`Xz=LDVLxa;jeol@TbIW!&xr*f};EP`?$j_~e~zz#mYEp(e;
z(7UCh-iJK6zbuJ$e;!6p?$tvF#0q0lR8Ex4$7oP@<no0!n8=9X5jB|$Fp8jiAV5~W
zTqtFbkEzC{)?$${==9zO#ewhH4C)TZX8&(n6MJaI=>Jt~qF&#cm_{&IEIUv>1I>W`
zVy3fM1<_02tmy1j#Px`{mDcmYhMu#b#6KxizdQlWiU;3Hd<*cQx(p@0@c>IG@h8Cf
z5TNf>jFIozgR@vCf;&t6-AsLnKS8t-dKIw2nS^Me0q~JXf)YPvzx1!ZD6BvV%FR&F
zCm)iBo}@bzN91#$q`ys<^oQi7v1QUCx}-0bMivhi#10lD4Hm>bkoNU}n!Z39{$5@v
zi!76-J(E>g&xVq|M@Nf7?^9*hS<)9Wkh732o9|d}^ewyUbZ?sSC=ybs>ToqemK?<A
zAkHm5U)H4y?gGOZXwDKyl3zwb7Tr!!t235@&hskNLU1!jA}!>iFWQXBcs0f1X4X?w
zB!;#`2E}P<&7czS5^WdgPEa5vkV$3g5{MO)MQaPE^=ksbfZR<{t=hk4A+(O8-OAMR
z2OEK0a}kk2ap$2T;^Asv6vn`4GJ~!CLh)k&uY&`YBR|s@HRESgd)<Gm+kfn36zQF;
z=0b%&1jUu0IWnT7J`dkPw>4&=<RQf8#^eo<?>=gcaGV=-<suS3XrVk$VM&qSAYuaG
z7ie32X@Z1U6ygczlD?bKoN)JxHW(+mp?N$a4%tKF@KfU=hz<Hraws$rX|ETsGW+`$
zUAOlH=FOa<sW;l}CG{3<_Hs*Q!Yok@{9d}Fk?hWfNEiLc7QGb&BU?rt$yM03qay-Y
zlU|tAd>`3@9ID~GYKHCzoohRdG@+EAiD%*=JYWbXv6x<5I>|n7omojQP|^kb9pl5*
zDzX*kIsaze(!FC<sl4fhSMbAVEBC-R8Ilw9ycKLtN^4mxPn|iWNez-)^!LS;#10mQ
ziUTq#qpuonBsP@vL#7k1qNP(sULuyiWQ-`ZyC+7ychKF9hDruB8-A0xsT&w?UT}Vs
zykz?rm^@T@Fcx5faI$DsElda%SFo6A>KegyozM$2dWyQ*vXaBC1a`dyiIRyTmZ=vO
zvfoL%TKUSEzez%D%gr`~*y8lQaKh6=Qa!Yl(D=v|@!$p1#`zXl!{if`;gvKvz1=9&
zed=|l&&mx@hX03|CtD@Grs$*`VypC&DyN3^q|0z~Wu(Hv*UUbltJ2RtM4^l}S0=~C
z3#7J6$YQZdjkM?B!~};3cV$FR<?-1|mErLsT|Y1Ini2*`=^~u=nsSR5goV>-v;p#{
z(+q(l8n_V+&bEiTx(KfFCx=Rgg-!-jQTUm|V~5=ceH6ZF`Y@0N-i50DCd=r?j#VYh
zigftO&rm6!Io@H8GubCWD+1uLCxLc!%{_xWpgJ;r`~vs=;tx*MDl0+t>n7Yy3f%)V
z6k&e)tLD7PFo;#w_Z%E{dyX9EZgD(q*KWmQwu3s^hk;)1&|5fw!H1Qe$#Rj=J`<JB
zV_+tWZx35$8eAsBQ;AiD=FtZ#8HKKYsIHp4H6^>3c@aQg8=?w<b!Zh698h)V)dcQ;
z-49pj0LqYr5AJP15*lpa=gXKTVusq~iq@3a#+FRJT{@xA^;w=v@B*uzqU*i}sNx>8
zdaAfxl;DF63Cju^-!=G+fiLMbM&yHyEh1~IJxYRpie*0Yz2;|-qkJ~eJh<9#P8i34
zs3?^G<l}?gf+hs*j}Dq2v~~jC5_ICo^eYvmlTN_Pr-j@JSRBmM^|ss~cd~fRx797c
z&3;Lf!#-&YsQ^RdVi?JN6ZR?K%WOk_WS1pd!*;MVT`Xc#j!eIMHulKaICRq|BrY**
zN6PPs*^wK=Y7@vYlD;eU#m!$ZA>&SzVbu(5_<qL1U@G!gR)xJul9dU1`ROD+$r@vP
z077FDZ)_^DDG2?hyuquHOcuJxNkTpq8}XtpZpam_F0qXf4&S}?s!6>H<MmcfB0^xz
zR9j6G`HLQIs<Hkk^!R03#XAnZ9U<(cyCF|Il&H2Mi36C&c)GsQ*;#&M`hzh=UeOwC
zl(;y&$mCJZ8q)!l2Gyk+oL6bZ^$V-k_+X=V-j8yoxLFBZtBX{lh?b&9Ia65<dAX!t
z&YdV8s-E;9t56<Z#3ViOC7)#GfVr-ts=q*yf9|hg2h@9qZ2D9_WD{6K*cB&kOkg0k
zlgQ>=7l9S3Sj-ITA-yLx4kwqJ-JbJ@U+`ttitI=ue&miT*;02lw(ug<dlP<|PV4bh
zunNHu%zKS#?)qe!TnSW8i*(TVEmg)WRfZ`XLc*1ra9d?kcjc_5%Kq)%=qH~^Sc4Z}
zlO!Hv{`MMcG=`U)J1O<|RV~Io`7W}o6xXm~?G)qfY&XW!t;1$LZn|pn&Uc?DHbxaX
z?tPcqfR+db6*(1msghP@IaIk;1ysFij{CE!squZr>#EOH3qlwT6JtcHB^(fe@ttNi
zRl<3=Ytr!=s}WCct?*0gwK?Zaj96Gvt=T5lh0Qw7^uZ}OE15ZwI?w_6q;ixGhii;5
zMwlxqE;N6TviyS)wY-4=lk<(T4|vw2nyeIZSg|k_ES>fZXXxa|z8dT~c2O<-z3k-L
zAa))MjV3Q8uKO<Q()T07lJU;FZ1dFhUEcDdAcE{C!>+&B+V|!8xW3A%_7S$qM;AP5
z&L#D9h)q$RcZ#1WvfWXBsJ!Cr)_JX7X$>2mcL^>>=&MdXY5kq3UhK45KS#V*^E7xP
zzmR|KO!l>TtrOW3nAMKv@iyr80@u?Y1~%o$y114riDEC_fZ6BDj-C6O=4k0=x$4}R
zoO!MD*%Lmf>=iPWqpSSG0keaW_rW@=JrcCB>#=bS-5Yb3;6?cce|k~e;oGLTCAark
z{vl+2u}`s2*6H+P=Z>A5+0>2ebm9E3PP<y`Hu`ffYE?*>ac4`j-?0l-ACi2I&ib@I
z$<5c-iM@g_x1aej$y#-OkaFy0zed@K3hu=U)hpvXNlR9ib0`-m^YtO?3oiNO8MkB|
z4h5B}^XiRR&RJ;{@5Y|LW@B!D;nJNjJLkTONhgQX>2KrD+AkG7H{nxVUe%0W;kFX1
zMi&Nrv9|pY-?k{|F4q_rAaFnxNsn;X456q!uS4Y);KNE2IIUXl-(IIDRCt+x$F~`$
zlUREeW0V@9=Wnb44|V4eyd@Y_yzjJ0;Z7o+6IZ9APmSS>(K{IBM8wh#4X!UVfiw8L
zh=^`ljE3k5oRt!Walv9Vf%D&myuj}C`aX?g^usg`mnLysh`&3`RrdjfbE349!nw|7
zIyr(*kiOMi1H(9dFg1yGSG__5T#M293?@KV(Bqc08`99#!GzO8!e1mR1og@r`JDn;
zdgRJ5a}?$4kt;N(zzGzk>ZP$z;uAp-Sf-)Shk}G>qN#nK0NIoBL=^T?;1=_jAnu{y
zsqnrqjuK3r(JlfgYblNR+oUv>BmE=<Alo8{EJ4wK3!<M0qB+u7k19b_iy*{VI$Sob
zN`NCd(*Cl()+MlPGF_H|UG&mePmJeuC}Xh<@)@kbCReQL-M%5&LBJE`P`<h+z!N>*
zN>OVzQeUYG#=cg>=6{WY4wBA{VcBYl;%M4Pf%w&yjJy4?1x}S9l^m(sC?qSV<S?X1
zB@UygmQ=7sW3|%Am1cr6DQ;^fc&q}p)n-r`;JgO9RYm|-sSGYkJ3_U>GnY_CT5d)f
zeCDJfzm<z%YKOU+YiPKHI>kJRj$|yOs<1ZW6af@PYpUUjQ^XPe(tW6%n~yRw0ac@_
zm8ZbwBozS$PFr~jgUS_Snl^29J}$-Dl?PCJMkSH9;uIszuq|yTE<s!v1;XWq%TJ{r
z!8;H^X^$*B#Wdum>2@GPE#DBGOrwryPr}p?#Z5)pBVV{wS|oVI(w7XnS*a9|Q~Xy{
z`-A_8r2m^8u&6pSX3PLC^sqo4tpv>*z>SPYNh$+Wm&k<vSI7r#C`wj-&~C#i{8gL|
zjNIvmsD-}O>r*P?;|G<FGRCi{az5RTHr7(*-Su!89yBr~np74&h`0U9n?In6SIren
zFi2!*%R8B<A1&iLy;i#0H8gi?Xl8)Z291~fJL#y7W|!V-{(G~_jRkEk7p5a-u>d3=
z2b5g89zb$726C@e1z`Ca@??@TNEp#+xy#b3o-%)XMYp<cGQib*89}$Qh%ORi5%jf8
zp?AdSBEeliFhwEyn<ZHf7#i5~Z?^Q_fTH(1qRAEj{yexponf%XQk1&^Oze^fB&KYO
zC2hQV0#6a|pgEiM-PNc9Iv#27xfhsibq%b>>#R2otY<2pw*w9P0M-q#fK{ZDH1*#|
z*H_Mnv3TvFvO@vpX`uqOEsp7aLv0IvtYrh-p@Wq@MNrUR!0X1mA-6YUxtXrV>>dg=
ztQjob%B%qdeTLy|EEEBJE*wW$cXYANFxvB)v|jdAxC%oXYmxjvZ?G++M|IXKhb&Wi
zmMv6<&8P8mvNCed5{D%FggMG1_907@(eIOK=lErG8><AxTvtlx4^F%ZiqyN65%ZO^
zpDDvHC~23re(PaWCt#s6Rga;O+XZDi-N@2YQ9Yb;l#XbS3E8BqYkaeUmg5dQ!vN<^
z<M^R~frpGA>+Z=YHtAEXnnI7zG`Ii;ws<pj=r}gYbAkS#+3;h-m{?6~zwLqHvZLsu
zqs7q4jy&e%LE5{;k}P+yC$VyL_39Qx-+nWS#rO}Ve=n2FQP7`K)N7B7AXw0#+EVq^
z%g4)S2rnDw?O?3|!gCL6DmH)x8#}%U?214I2MSa-WEwDw71e9S`by6Kz06x^R^Vz;
zuLX(1j6T>3i|s)YJ6F0)iM#|PLUL387;OEjxjF_~UXIwzzFZ9wRCO?~e1-|N+GQ2#
zE+m5L14(buv|cSj!u~{<X?ibDf~*M>+>o2BCX7Q2PWm#2iPnUA5`V6~XZ{DSz+i2Y
zsVX7Ac!s|5i&-QjQYFzbMaA0Sx)jsBA&#t=V-X`mQ?Gf1m)H8m9RKupXjybjfM!(u
z(^;RQRL;jD;$X?B$RoT@RkdHtQz5Z6IwscY&-<UE?A(q;eEmE0mg+j$_IK!GznBZ5
zsTJL$W4z!Dz5OZ5jm4WcfI6oln-g#O#WiW2k4DGr*M<~d{uK3x+lk-iQ4cRCQI(1{
zpG89A>dREHR{a#UpLHyP>fS#7x0N}Mp}l;L<LGa{Yge6OP1j55e?-UhW6Al0XGdp$
zib{hgRuMtDFi_njB+3+P*v$#K_o8D)h7DU>5RvbrI~0Aw;;?|A>TIvGRJixbUlTVx
zT9>+l(b^hW=)>P-2^#W^$Am<wVoiC1WmR;Hr*>3Az}5>choe;Wlj8hxPVp3rcaD%1
zJlm4%UA*I<&!Om3VISl<XBBG#s))?z(J{NnrT_XVD)6Y!j6*@6RMV1nuQ+TsKDahI
zCVgD`wog&VeMB=3Rb4|@60i2jO`0`HdOjzUdJ$g`aYHuaP-^>z%gGm<%bx_li;kJS
zr1Zh3s59_7<G=P;T7HkYru_bqx6v_Gj5qM3ob&ORRZjI-cK<m%yP-NRT^oGkQ`9A&
z-^<gFyxUzP7<%*mk^D2UR`3#6;U(HBWyQYF{w-gJwMrK@CyuXNv-|QGpCyG)K1IEk
z%{ct<$kW6+^!n!6;MOxi7u@m-BD{q?Z${{@Gs)`$bye#7=oq&H<I-P#in`}xQU3Wl
zvnV*HDlxt;I%dMC_<ODA9!B9q(Zl|#nsue!=i!l7$=0tMAHDpbSTn@Aru9rg&p%dp
zUrHgK6+}Gov3gpre2L!e9{H|{D1Q|lGb-WPy%EyZ$Y=0QmfZJlxww7KOLW>zL2cgi
z>62nj@$;G^@Al{2NH6)bAfgWjl%8?vBii1OG;2{v@y*tw1rb*8omF#k=hldvc+x5s
zVY7Pn`X;x-b&Qs2Vtf9sv8itxn7O0d%M%|TZP1!lC$%-gcM3RlpvdOk`P$7?fLNm<
zcE=wnrLMPqgd0Hh{5o^i)#i6qPb%(2#}tQ>^{t<x{0o1Z?KWh-Z4Y{xWrK5s=cIdn
zjqg6cBd$fq%o@diESz&O|L8(iyU#DFOPf%mXu!yKYtkjNy6`oPIhWty5Z1iE3>lGB
z-%BczxlkQca?5Owam#km@wU^)EcYJhJ>y#38*?9n%!oe>dR4!DqD-JppW>&*Yd_>K
zWbs1&xEi6c-P0%?^HsC&a8=*l#t{y~<Gdogj{88DV4+XGx9*tS6oVs)bY%1*|Ajtp
zd{)44(?cJX^MENqQ?hG9Cr-RKO69cB8@S%J%25fLOP}2%G>#@(!*b<ZFJ8T3b7+L-
zsLyMhT-_@|Gxn;|1&tT&QhEx=LVJT9%78f=LUb>rcb8sn>0za#Min&<ojU!~ScZC<
zjq6IEhdwWQ)vDg~8FDpr;u*Lg`2H___Pq4L3BT&1j#>FXX7)vA6MFw^r*snyv`bw9
zXhXMC545v;Qz2Oow`u!)@06NqZUm9C=gfoOJEd37B(XNH0X#HZkF<4M%-zHx?yQBu
zF>*Wtui}w7BvnL+GclT7uRR;iNC75qCA3OEfmtyE2*2gB=sK}B4!I^mt2D)PkO}c;
z99sY1M%v8()!h4ki(CeAQWzYg$>mAd^apNv8FK>+!hh$MZyo!ATYj1MFWmCzH9vC8
z+CD#U%lLK{>()1Jnb|QuHbJzTo`a{x%?3(20VU}M3&Kzcp!L3|Q0M`942mn0#@Zc`
zCKX6i_QEJwuToiZ@|8}i`I>w);PbcAh_lkGve>{f=>?i<E|5kJ7We?wyiaz<Dyl#l
zLMZKc_S23?Bg^DTt%})F0Oy1L8HIOsHs}}~D}?Pnwk*dnxwdl@{(*iJp3qrB|Mec9
zg;uc81s1AaLQw;>sXzp)RG>PGR5~f&!B}U3@+d}Y26!8TxiNPgXsmw3UYPI4$XEy6
zSU&A{4F1LxcQs6pG5A`FyCegUuyzRr2FTF7#oSNxfrDNS^fL!l@%dViZ{?<IsdT6V
z5Hxgk+YPt~oRtw;aF_=ZW0?PeYQOxyi-PO5pBod(?3uI1AYhGwZMNh6LmQhjio?IL
z#$U8CuML^aADSCyap0+Q9A+Sx2J?V>o&M7aXn8-(ZW(mWZhf<R=%9az+Z~KACTW=#
znB9VLcph*<uRp*7ln>Vh_*qXFNoN9Ee6Pd$!JeMpYSV<!bMGqBb|H1!X5no}gEFdf
zB%aiIGHw7fQv-UfKHq2JN8m5!L=4zJB^#m!=)M}82n<5;PSisnPLl+ob~dX-XXJsg
znTRI*ieUc6Nr;)m5EsJ5U?*m{OR%>j+AIh<qYv3`G)88*O9;XAotW(|0U`+{I|+6M
zJBo>9>2RU70No*2<$@MQavn_8f6?(hIwt1FsDsc$F}IqYm>)sU8C?UOk_O~euwCT+
zdC&OId%8=cSGr(+|0$9+qG(a@8d1I|9X?1GF?;QVy_*36cFuA)`me+q_}3_1v{1ri
zhspD7@&+7}dH@dg;Ev*1fo1Xz(Vl3LhloLnf<(d**l@DhK%<l5v~kU*J9aXCfr~xI
ze8jl>j8*-N>;1^+XXSY3c2@ZahR9fa{{RXWKNokSmG667nh35*Sh<5)XGKR;X#+)f
zh1XSwM4ss72(mj<z)_7hSua{6BD&e17TgsE<PK&eJ1B!o9MYVn%g83PJbI2S3cs_(
z+1q;kq@SLr=jrdJ^E%uD1u_9GlCN{_n4Sj*OVlZn|D$p8ds<Wi+ydW&sKo!mE$}_r
z0m=WZTVOvA8j{zNL3&8OlkDF_QXSLtR%oG<AJE!^ko{!6Z*mcLLY;nm9`(8~lE=I-
zO3M-sXAV7pOkp7*$;(8*!eE^IQh3wX=pH>m-@1}H(t&5CAE5s}iB``Zx7`X^BmMB%
zPduv-i;HTDFpE$R*q}HUF!@}7p4C9TV1WKfpg}k=;JLxTfbWVs5{azN!2o@^p!znz
z{}=QC{bd-SXFdWEt68)(Mg-F&bu7n0-?(*iK`>$DFU<BAB6)GU`DvHLdbawCC!-p@
z?Sk_V80{skM;Aq3hVDhWFj<vTXcZ9C33^7ez2aeb1+aJw9l1j|nLL?%H({Dpy4bN!
zG$Gi;^C=l#OGeg^FuEHYS4+my#&uGUZQjuV-bwyMiwOAkKruZIgP@$~TlEz=Ep}Qw
zgtvpg$}o*}54J)5^YA+v#-Xd)&3$>jq;J_n*aF9B5e(%=ixv=z@o^g#Xm%}GQoa05
z(`tbSmn9rKXh8}dBl_(0P&^DLz|IJ+c#+5?g7dJ^W|ec#UC&t<JrZ?836IiIg`??R
z;foZ+B9L6Pev#>9Vd<)6yT)xm+q2xVf8OA;Z9ja`ez(oxTVhhzZelSibO)4ARSE2L
zaRoyqjusujPnTrjUMDvnU<LE69!8`&?jIR;?3zRzS{Sm2Q4zYE=~rPmcEhy1#h$bS
z`0@uPIKjBUC#y>ij&NUoVpVndqb>ImUXcFsir>Y+jV@Sk_2*s|qu1BH!y;yHKDbEy
z;LzcU!!EZAyZn9lxnH$ob0PCZ3U^6*=_at3?sahfZ!dF4uP4)Xf7zGDYB^&WCAx-O
zw+mMKor}){&K;)V7MV(Ctg8M(uOQUfgv6Z-ko9n^KmUQY-S}|%fQC8O`zoXSTtH1+
z&du5azR&=iJdcSCss*QK^%Av+a5w>557(fTJ}g2uxA$BFWDR_H+&Lz)`dNA1)ac6W
zYbM(AyZ7$gQ{jycJC2IS-Dc{{oXtccW)HnU$8h&ir{k*ytb|x`#c#94&z~23(z-lH
zJj8e1q*yLqgI_Oo6MfvBkpRN|X$9!kis>~|UiVx&VWj7Mo>bUFF!j!%8YU81PQ4=>
zwDet=T<Ws)UF0ii!98SM<vsEyn7n}f<m_#eDQtY3AVwWGsR>=n>UV-=tTJEvuCB3*
zZ{g_lP<kUm>O1W{=^<Mj@t#cVo?g`$CHJ<D4e*Zf@O{`A_nu7h@oi|F_O$8mk8`>&
zmv-^>f7l{kobuKs)X6)piDb>_>upd=7BiOJ+<en@O-}Z4?!-D9rdOCwX2U{9!cUt$
zsy)xY_u+DFB##%$-hXWx@$0&LgH-ob%yotK3;VbvZeKhW!vdq6JQsg1{+YbczR-TZ
z%dhR`SG?ohW<9z8H79;!4S~8P`DE`#NypPRiJm8sZRzI{BTb)K`->O!7@M^*Wh}ll
zYxS=cD&xHE@n>sHffnYi-@drOcLL5csIGdpTXt?^jp^bnzb*ZqN1E<;%iOrY6d2*<
zqNxej)`uR)_H%B@sZre?tiP;NZ%plKu&VFb-Wxtbi&jFnXqCrOJ66Jgf@+63xTmLk
zLg5eHw(9cX+qN6WwU@nsJ}tO!Gco?y{QARC))>ye@X2g8z})hY0CPb<TMu)0x>HG8
z;(m>bMhLtTSX@ZCZWh;q+=ES?9s7=Rx#dYLyyb_9z>#<gLCo3;IJc;iQO=;kM1;jQ
zjFz1ZVIKgP3rnNS&j529n<grGM8W+yG#zj)y&-V}AhA(_enSEs#8q|#La_bNg#8~=
zHElpf2wyd;;Ofk;HWH(3U<JvmMe9v(qej`F`l-G9vU)n>(gar3-~@#FwrKrO`&Dq6
zILRQw6Jho{6t2gOcyJ7sOw}6^dRMP)_j4nztd%eh-g$)(&yR4&DR<1u8P82I@?FW^
zLPg$W9`A`!{-QbTlOrmbHx<P^YB2at#FMa>T3612EmzYh`~@|ab70k@cRajJI}d{A
zC`^#F@0!ErmL;$(7XO9O>N)I*LP6W=&rFN`LP6+ejB-EEVYdneW8i1aJ1_?fHE5d)
zdXfy3<T=K`wgANkG>pbjFE?x~W&#a^1x%(%2f+Hb|26-&kNoq%ljrn8iRts!FR;o@
zon+l%Fi|OG0GLUuDmKU4TDp-X=Gaa^;{7n!q8-kdW{co*<iU3QpZT-+>HL~DN@dGO
zPMov+TR3$tfIb326QZ5_ytOa7!GK>{gBE5$`Bvb%G>SioKZAd3AwQF!&wu%ec%pN~
z?FJ3nk<iZ#M5*3@@#E06$A}66VoZwMQED`R{Rou!0NwL^i^3igiBC}^(j>h`<C%iU
zRwCj7I%H^JkDMN$*>6!|@mm!48ihSYv1~y^*-%knFM$#{dI$o`p~zArzdAHdXCMed
z8W;ovvk8G;2}*@w)s8D(`0a`twG8^A1$;T*iSN#z$WNQjU%+3-&*Q&nF~HSdT)$ug
z1EjxZ3Uywy?lIIQ`fH|FcJ<d>`~dxP&9JNc{h9+GpntAella3mCrA8q%^w5rqVb>L
z_5Dz4=M_&BVET%azg_V^?=ih7`r{Sn{d2|ioBaRD1y=>qrtjW@afs@?US#YSEC9oe
z|Kg^=aEJfjzF;a)KNIMS76$l=^p_kUF!uBQcUKGn`G5P0;Vo7pUths^L`{Her?1%z
z?&Qh(8~ML_mtl_P$7>G$;kHPt{rJ8M>tg4v3`=btxAGS{{`9vp1@Wi9l}qUO>%5f@
z(ec-LD<|mVuk%*c(DC=}R=!8aU+1lyOvm3{xbATV0uUqcM?n(>{n4NR<QER_bdUku
z%y6pTuGfzLg>{4Rn1X6g%=}!}Xb02e6A6Mmyayw%dhJLVk#X2VM6BxrVzg{-)m9Ec
z7LG93!Ko*j#-pQZj?{?wvU~3cUWSzsp=sEM(XVQbjS*o9w%X{#0B|#CfD`~Dc<qfH
zhbv|?nHp2bA5GdP_1fUqAHIHWZfrv6b~iNmJuOaFY=yUVBYTus(Wl?j_NGQ2WA8XV
zf?jCtNB39FOt4OXWP{QDxzMh|3>S8mF^jW@Q~f0wwvFz==n~v8ed$qjeQO4`KOW!*
z@W`L|39%fX=Rl7$ko$f))~Iz&jj7JC_xt*TY@jKq;+U4N8)TwYjp@cZ#(&e~trZ({
zgqfB)4h5z_0~Vkx&T<5w;S29!wg@=)CIbn^8GPYs@qGzS#;3(~61?RB{9h-*>{5wH
zfyrM42BKb8x5T!B-o1=$6dGe2MHd@|pi&~Nln7qoTjKYPx5Q?ZlIQSYe)m$zF2zo{
zomCGTg{5t&<g)CtSXwEOl}cVH9I?Dq(yG8#r4ploj<{E;L^=>#+bEpuSKSgTY!vWx
zU;E4A-m5Alc9oJom6FGB9sS^M{cRNXrIG@8%(1vq;$)+6E|m<lQ4E7GcnY5!UMcyh
zRPuG87>_8G2;6ZP{4~AXh1dbUe6TwnB($>{BrLckcCk^+#CBGrY!su5Z4@4rlChN%
zuS&^y_+~zp65mRRrc`oKZFgB5P$`*EDw*`$<FYtna;0QSsl*@v2bM}Adj{aCr4ok#
z{Bx;<?H+)GY!s7yZizoP+F3=`xZ{bXlJo!^3Qyb=fWt~9#Q`|nM&UD~RC2}VvUp~t
zBo^MjxKhb18^s(OMGE|7u8m@TrDQ>+Bo)4UTBRhtQnI8{vb<Dc`*Y;fP&=y?Hj0&{
zlI74O5X1Yhx>B;HQnGecsbpQHB-2K57QS}`{3y{jibNYll8qu8-kzLF$(BmV)=J5C
z_=+8sl3k?|*Z9lgT!%_YUa2H>HqI}V%%1It3rZ!cX5-!P`<lHQ@3B!Fi@zl<v{CHe
zUn;o;&xcnku~8f-E|naF$7~e8*eHI5Z*`(l@>`{(tWt8yu2OQQQgXIZat?mp<t7p7
zc2?(Y6c^#z7GD-?E>%h{S4w`blw2v5m|m@vT(eQ!gx?nZ(4Uo(J2r~DrILF#3faR_
zN!Lvl8|<te*(jtALRJ>vf2-7i>7TpFSQ&q9jp_PjU@Xhd->Fp%{$=O>E%Pm45-(J4
zD2!!`FjMjbhy_Ez%HT(`I}BZ@oG)zH$YOumz)FVc;G&Ttu1Q^^ENlBli@XXk*tnd^
z86}B$5O%0Kd7tm$M9ud6XD_$zWtbj4yt6yv46lG^ECW|-bss?(OaVx>hlvw`-Bt-X
z0^)WaGQFVX3k#eUgGlH|jdZK@Qtsq(E;p<^tsJ{4U1g{`gd>c!KmCM*j>XrsMcPN&
zQ~X5611ysHD?pB?1A_qs+v6(pk^usXk<m>s0dQCASIM4Ziwh<bWuY?HSNMHnw|ea^
z*=ZTH!O&%y)ZW+L$^Mb-g{)O(WKWE?w|Uj<50y^)(LMs0(@9d#`TbDg%8Ttsv#$?@
z|D)dL7Qv^U!H1WH+1D?!5PTrZzW#-^@}jSO_H~hrSawBu=SJV-D=!wn--pVi%dUv<
z{p)Q<mt7fh=SKTcczo!c8~EI^D^KC^oyVlhf1iu9uY1XsUGckfV<P?a{&#K|!{cw&
z+1EqqufGT%#K7az@7ypw2Y<iflYQL+o{(_o#w(WmfAI9}@l5{z-`6mwFvCQtZE{Ge
znNuiTBho?5MCTgiRLPukD4S!cG%G}>5h^M(hoXa-V<qNXO3j>gnuU<V^}Brf-uFM-
z<JxuY+O_NOy5868c}lMHWwrd0B)+-Z(ej6-oA@S-)p8kLI)T+P01xEfBzdMa8No~6
zVs$q)paGkimFVs!JHE|~Lr_}NJ-n37%)^eBS9qJ5R(N_3U)N@a)6voZPZzUV5cyKc
zbv#zfAUt_3Hmzv}56^zz(V|4OnQ885!4ctaw{*0a!;@d(**l2v><_G#u=?b>-i{Vm
z;(eQ$_KtV&Vr}xTEu>0q16+KFd-!|!nmOnOyh8(ifs3}cv$r$iqr-EqhUZN1(c5gQ
z(f9^D`jU=FN90OGhuVeO?QcVCy@C(eeInY?rrHso*@i}+wmWTC*@lj>i?RCzPhPUS
zWcQVbzHWEjPDiu`?QBz>gtrx;H`;Bq+kRYx-eXgpjfZ(qckCSQ*!{3WKd^gXrzb&w
zU^#qX@kQujyJEXH6!Z%_hZlCz67)yAk9Iy1G(d3xC>JGYMT#ON$rHVr;;@=>i-k6&
zm{MR@3tN$ct;kV=J}x>gatK0ir#Nh<tVf^^Q{Z|Pgbtuw4WI-d(4IEcfkY+(eJO*I
z0UIu&mnciuV$qkXC{>i-2y~xkpQkz+P4uy;<`T`(=pdWwDx&V!ShSu*Pf~$Kk5k4e
zQsHRyU&>#~O?1i745&y3bjTaYB(f{{liBJU+iFY77^L#H%A%*OL9z8*;u&CpaU!+c
zF8Ml`x|LOKXHqhM9#IV^-2<>X>a$6DfQaN>>Js|dL|U@A4#Af?>$=!&uh>ieW#4Bb
zi9&1UOmTHYFv<hyh-@UJQq7z(?g^HI`#!4bD+fkHa+i(7Z_}iNtB(ds%9Mv<>({dU
zx@7M=d^8D~iLH0U-@Ex2B&F$rJFn{{uOOACB|WhC@iM*jB@C{9xFyO3E=ml#N<`ap
zT3%WIE(vn#3fi#I+a^D@9*#ls-VdxOk9l*ye3qNpR#Jv|KsyK&cG=`RwQ1&v%BQ#n
zT^9rh_qFgzeE<Czx4WtKy(tUm7TC-<wb@1^dnH`kXoFs07JhT;9fDtzd#AXsmIHc{
zGmcr3k}@e~>h5>3vGpo@_|kxzDQkj1!7sWG*zxW7->(l5$GDSpS*8|KYOS9e&2bf?
z=zam(sS88&D=9AG#MbvomHhzsQ`I4;hxeVg{#Ti14n|Vlt%{inVUm4g>&YT%V6%%$
zPH`~oRpUC6D^HHq%rQQSOxf<>?$kEQWSpR;?v8V(kz>iVPwJ`e5Xonq<B`(80=S!;
zbo|H~#?vLwI7$BFuh$^?uOO-8RmjEzTh@O!&u_8K|Ezol7$}HfUuN%ck#Gyx<?Kdw
zUl02`dx4GObi4eVdIbIb)$|tjoQr{IJC3eyht2gM{?9w%MzFOkI5xdMzcXCoVp581
z+*ICrkaId$mKDmGDF&E#r?|Ns4u{X_;0$r5Ir9p<ZkIcM?sCFM7NtG9H!7rad0*fS
z{21Q*Edl=LAc-VXqID1NAnmcPR<GEsw%V0<Iu|&Y7|gRhTG)1%SHOG8Yvzp$c@mzq
zpxb3ep<fr;@ft=pv3`-zj7(}1NHUy&7VVruYv8C5o(LcReC0>ot`aHZt~btt)46ZF
zBRIB4Q_;XpL9U=&&?x8;d>1STP_4Wp>8qGgQqmrp5Hxns?6U|Y@gnaOd{=2)*ZKe)
zIcjYfRi-nvrB%vsAaA?ybgpi?kI?q$gdM;V-W76$d|`)hNH{HoR}`{4F<PZ^U3LU?
ztXAJ@0k-Dlom6K^NxGyxR`D+X_QNjg)SRl0!%o$a#HVx1JdcV4#1N20xgx$PE)c&I
zH;aX0i8uz;x@H4$o$S{g#ZaT=p<cqi_b_=tFSER2{QEn2k0G|!1zcIcbf_X<Xd`QF
zpwqb(o=W>6KL}Dj4_$*jnkxMmd7gK@!VkUjK7Ohu@dxBiCt*+6nosPP_J9JZr8V@f
zUXV^I(%4yKqO>I&WM(_tGS)d}tEvNgv$fR^Z~*g~#0@krUt>HR)DwpAZ()V8)19do
zQOpon?H6@yMfzPY;$1~ng?GODs7lr_N~z<$3I2x~>5u3@X4W=549NJ?KR-MB`PnpR
zr>7xt*}Y~&`3y?OXLpz@)`R6lAr^%t=#|?cfC+oR$8?43PS2<A?mmgj{b*6X^@v>W
zJMSYDyW9+V7a$+5=C@iN=`&c^CUgt=ZD@f9^uL;!_8VF%`!M2Z@KMO3ojp8Z*EuDd
z#X7h4+#oI1Js3YnV?|8Z>Cjmbuo_;&j-DQxfIkjTWl`vKfE5vj$c875vG~#HL9B>G
zRhy`@A(<Y`>!<`Kki3(bYR1q$Z%!xH#NqX@Zsa)K^=>Oqtg&|U58iQ&a*dJ_tiR8#
zDA>TmE$*qS;aN99FejE1TXDij@1k3w{kk-_8>YrNZqbtJRo7Ru>ebvm-93-7fQ?>n
z+=6upU2X|@z@*>pfrcGG6uS|xo6fso3RyvB3SOG5AahNx<=0t37Hhmd*;|@;p(y}j
zldYFcYzRy`a*Ev-R}_S^4(cG+tNbCSU$)Nos)^$limX0T%otek4NVHpp#a2&--C5o
zCupIxB--`VU{{m)q9B{?p*3-vN&7;{aR%P!b<Mor{N553ddbh;DX}QHOk@>|H)D7L
zHHl)w0G8{N9DRsvOwUM0+sY>tCW-Vz!^{dD-_K%vz_{Tr3FAY|gwALQDGYIp6^yU6
zOTcT`sT-yNa-JHVc+b|LO8jaThiJfl^qIbkeKdWa_w{h^>u|>;=&U(RR)Ch>$*Q)}
z7^0}O-FDwV8q(jF!HvxRl=#He!;Qlj(kDl%Iv2&5z=FJ2fuW-enmXX0oBA_W(MhTj
ze<n!5`D~-BM7GG3sU06nVFKJ$rHJ$TD_90$TnNct&YoOOSk{^0uAkKwYmBILVfp3m
zzy;+}aDGK*Sk>HA*g;kjYUUmdrkK?zq$=m131VBn*H2#1xny{`S7cQZD-BR0ABqoA
z?WeO$C;#eQk=n6(LwU#cfI-jV*oWJn&z#raQ0|toLHO;K-@t;zvBD&OL;0H9{m?to
z@J5id&zj2DMeTX_S1;9j$N5mA*L`5G=1WVH>P5GV;+5YOzx6dN6=XDjJ9A-ydnfOS
z_!Z9SHOex_=FzOaGxwpzhVq59ZTjQmgxyU;=x)b~_xc-3-3f2N7sWY1DS}PBK&j5F
zv@<VY6HN-nM+&5Q7@pxvhmWU%=aQey7RwtwyL)cHN8C_h5Y|&lA!RN0mwPzoK8^kI
z1O8cBpvi+YWeBd`mJe=BuG;+R=bhZX+v7^j&D_rO`aR{8(fVbQI?_5}(w2gsO6yv)
z-xI1<?Cvq^*@1c&Z3je4N)gd^F&bI5O?Pi#T7>{pLAl_j{$pe=@j2?PqMzevdc6y0
z-I{cFeccyEY{YA|3DA9T2d)i!%%fnOxyxk#aL@pv{SN2e8k77dget@0{D(wf2>wH@
z7akHHS`2V}oGJzLO#<WR6GHF0C#H)d#nFOq2`lgt$=2<>4ds5rbG<dOhF+)-fxPw4
zIz7vShUV|^;;Y66-r}}~oqFHE`}pi;f0fh7SRH+z(oF`(sqFF)O7aS~o%uBkktcj6
zL_lXK9YUc{B9s<m#D?N|Yq9>?pGSSa-n4<>+uMd@ubKxJ5W7sa=b7*Qx<dl|l(sVY
zBmGVOiukUWBj$^N4)Kt9TC4!Agf>6}HPgtPV>+EPf}ZlaKN|r|ws7O7enH-B@vwpF
z?^-n!9g44VtgbT2?<t?PpGMaGkvUlrWrFFMEsk4w0bFS{BKSGR?5od?cb*q)94W>U
z$sfhJLd|Hq28xU+$^ixOgFI1ZQFIgwHNIq^(ug|tC>34$4ssZVZ!1W8&h$cqrBCt3
zZ9v;xZ<bH-2lIh(f8&jl4=g%47K2*Yby#2vb}!Zg8;niBW?&y-UtnXBUdkX>4D9Uc
z!?YfTk}FIfZz510Zekuql@gbCfo~tYezf&5fwZqap8UZeBzBPShXCos;?zMbNCdU>
zp&UJzO_Ax<hjv2w>Ged%IFOXNZOHIDX92#@hBFfK_YdQ+CvS5;gFivYJYnOGgI<g>
z=2H%j)5ftTPjTGI?ng&MX=DoNdUXCzkY{i3s@by~>&+v_SFKCuZ8Ufl^HWq=3Rd&l
zUtuowS7l9>Ke<jo2@GC2rbg#OHUj7OI!P18QL3(#bFq7=9#kkd_5wATT78?k4Ri;6
z!AS7fqeElR_uUUo8bOkm@F`w?;uE9Kaut-FJ2hDZlKOcYN=o)8m#<B~w@6IS2VKhE
zOze`@I$#{<NIO8A16A+0#gmFo^fFNoE0ZT^zK%@0N4TEyE%%J>$~>^oC{O?B&r;oK
zXYCn~kliL9buE&W&IEE&K6~d2YMEWk5#}uOgW~L@!|!iE0`N%P06NkN-w0D>Pfe%F
zwv85l>PZt}WD(E!%gU>*Xvf)sYyjBJ<yY=2I#EaEG(JsfWM4(n&(cW<m9l<peb|{r
zWck6@b2+oPSMUXFuV0uvYz4tRqQRfhDZ!9hJ?L^hJ7EpfSu@SUotHa?QgW60edhgX
z-g(|N-gq{zgjdIFoG7U?=RZt9z8&CA@%-g$o-C@oF<6-0>8J4uzzIy>c+@)z4hT*O
zq6H~}MYaGS9qB4RxV?6P|3dIyQ1?f*VR8$5M$#?!WLi)X>Lj(TSS_nFC^jHLa3ea!
zunq9#<fPQ(zw~D3-^_W;d2nlHbI%XVSB^VrVRCVrQH=ctxK>ydLn0dNPrUjPL40|e
zOZzGhx8;!sPR@2b9jbXYRBOOfwJQCA+0Hxo+*@w%(f(Cr9Rk^o3;^*Je$laj2SVL9
zVgEEQ-EUGmC}i#jM%Ql=6S#OY-)~YgaIrgI%5QRc;Nl)fzsX~wkm=L0IGV(Vxr6k*
zjh?K$bd>|e%sY>)B$d>6x2$Fx3X;VO?$smKF9sq<Xba6xM~A+ok5?fT>UpDc(&cU9
z;FDuNF4M9%mF;nqh!66<dzu&c>HsPJ-#tGba)2zS_X&N;FAbr_7F_SyGx6XADd>u@
zDvCmC$`Fry_?}bJ)3>1lLiA<8W6|h!!lqXm1vfO7;|Q&DQI$bA^L6yQ^!2~-A?(+*
zb+<s$D#hZV%nQ1gw-ZVty7TM9Ao>6s7<0J>5B6T%ezqz5RULfTyZX{nR{U7hDgLc5
zOvxB6y{Ccs{R+3yb>r&`Xb1(zN4-!6N%T0WQx|r$)_%r842&5F_`@INmiqR4Hq~ih
zP%B^Kwz+P!nyL?*T@Cwuk51G*+TaDR`jWX|`Oh!5H5wSH*Erj`sME2k+Cl43n*%{*
z6&KVAR4A(N4(E{g1*)C%=g6#O-84ZRty!JYbI}h{_In4CIH@@C(BI!>QMkn-n*&dJ
z3%wol0vvB?U{$Sn9@wKVT_kG@d{4wOPgRG-4}v%Io3LN7winM|TRi2^=j{-N#!==K
z2zB8|@eWN!1}q{bB}$AGzb>4U$^N<}CFjUn=pjgY`vWNX38g&(U7opFZiIFX&G2wQ
zcmZ?O4f(l)@Rx0llOWk`#(>4s8}M!`%h~Yk==uZ*bYUzSkt4rCU#oEMT7G~>YR#Yn
zm$;H#a0?1%T)hRCYE%*`6IF<Mh1y2uX@q1ngC`sN+Mp`AXK|4)LDIr$Wcgj5GO1Bt
zbqkJnQm6RM$(PAw1FRJm*o7@1za(R(FRST6me3AJRgtPg-JD$5aO<s?)Wxx(nx-mu
z>5V5h@O%mzP?6BFJhkc9AW4Ncc1@+lfs?-0vG1BqPms0a{d%5Ha3_b^f}oWAAygXF
z#E^J6cGWYhgPPULun*+uwyydW4p$!%<=Z9GR0SH;YiB?+r8&^D_tW5UGVLm@O-ZrH
zdkyrwiPBY71#fdWvb<k#<+_iPY8&qEjZe4-H_Ak`2^x|PET<dMH`Djfsq`RvJUyLW
z_mEym-y%)GtbZar_6AZd-0sK&N!9EJhd$1Vnp<xgY<JmyEzkXa{oM?!pt$P~34fEB
z0}t;xZr&S+lvXJzW41@QO=WTl3*oJskSvuxNG?Z)t;*JASDUl9vk$UQvtjDWNwX>x
z?10q#iq=BwqqVYue)c3=mZQaaPyR|CCreR*s7DzNS2^D!{-4D=@LE@kxsG{?w@Mac
zSIVpBA)q(he%>!0Adqs*g~`37u)<tzBfGu%?t;gDnK$czD8W_1JwdUcMv%FEZ~l+~
zm=-7qR|+=>K_NwWQrIK}E()p4plf-@t|#>k=P}2HQW=)oPI(Wv?9KH>Xxll9fYqX{
z;$33rhl+v?`5N{%oMLCraSlg(?V>!%p_K7@rMU($587p^_gyyD|FIp@Iy;g<%5b<_
z$dfm?av5R18fCs5VWQ)y1g)N{K>~L$^7<<u9nji}{fVWlf$}VO*cQ?AVf)Pths8bp
z3Va#&H7$r67ELmt66sa2WltU@V_OpaQtit%C!vOq<G^vTWY8BtXzvj{(ggrNgFZil
zzhhpy8Kld2DZukNz!=PA+z;70p1rVn>$r!4GYr(g@+EJ0h)vVYeog~|w~j}B&SadR
zxd4nGnGD82Cc`~8!>%Wjk^6*lLqf=t1~E3N8m6lY6}FCV0Zvaxi3Sz?iT=b{)UxGM
z2p~(O?U)B8a4z!>X%0YHor!j#6RmQF0MFEIxl<r$3#YdSb~!UMd&gyQ&g6ub{yVUV
z-zjnxtLqo6rjV+8?~}8JvQ^2wi_a~Fz-b#5*MsYiy1M=yb_YTTCczs_&cO&1!Gr(=
z3UTfsdtA<KGW9}v_^uoz1)!G=F#40I0<Ep%Z-?a-?Izp;&?{fMy=p%tiAy$#>GMU1
zs3(p3z+1|`2&B_iSaguELbQA^cu4Cc;7@#nh>N|2dZ65bc+VX}0&4Z|x!tHy#j~gK
zhe|D&7EiRXsR?};Ta30XrW0t-pY(Z>3WWXr_Ee3Ft;GT+kUg~Gfh9g`$lidU#;^vC
z5(11@crpw>p`TmmuY8g^ePip`P$2v$suSH9^egZc+=&_v-rWKI41F>XK0C}9ksH5^
zXIiYudDD6#h1;(S%p%}CGeWyQfjnUZs%^I1;%K${zPDapqUh8FiP0Yl#ees+*ehv4
z#Gmjdy=kqYsEbA~)*$~T=t$jjU|Rf5SS59DIPq`7YN=bKKnj}}LA^}9Lv5C#mhDr`
z5(N?ii2-Uh@6y%=|HSM4#J_5{7)-O#wUnd@ToLw*X;V^F?pggd#ML4;5f{TAR9qXD
zOD*4T?UNUvhN$GpCwe}2foKlTN91mwlWIW(zIR*0vEVpy4sp&r;=^ZlXlzp9Q26>P
zDLEvfsNihKU=;f*dyLa8g)lDL_o{6qJwR<TeQhuzpV6@Yxy3O_Oy3I6F<wsOIDiOv
zgjnHOMbTv`3CtU}v4BSiFP1IEpBRA7YO{06Y8#B?jmT{nmR|w4wOoEB#0CI97Z`Bn
z_g-rgPayOH;}#!xz$M>vpQ~>y;~*uVpc<!h#^n*;6F5P2eHg1QQmb)y))={jkkvl1
z>D2lmKvlSREOYkoSin#KT9*|wSbb^srbTjP9j&3m9S`f@YT@3Mn@ZnH;C9<D8hot?
zjzKgi7PgR{sRrA@$v<#rga1d&pM^l5qy6ud<=2Mckh~C2rsm<wg}{5zg|iBGJK^U8
zULiW6;>XBB;9s8P_m7~JP48MGpmhQ#lT$ogIe3OV8<;$&jKazaL)+UAbRQHA@#lV1
zJwzmjAd@Grzo(1RHrvByT~={<gU_FQ6P6}Pf7mzPjssZ!mk=qDx51~I@M1IZmEH9r
zEkn;g40?%i$dY-Oee-RQvz25!tzQ`Ysej8_iJkiR;GNctjt;SSEjiU$bH9nX85;4t
zWYk7Ke25col^c4XKNT%Q;_2SCyICWj^~hxz@GNie+3;dAxv*1pnQAeaE`Rj<XR^Di
z_|{1$7O=0w@rHpHa$vT(!c$#%=q#|gCn`Vkl<mGl?cU7-%GpyhNKpkXL0B#v^!jw+
z&z)9gt{?x%XVL7la<zrP{)&wkcC0aLti#-C6{tUdC)^bR*ytampFXD-By=>PuekEu
zVm?D}Q=AU`;03Hktr{F0d_p+LY$fy)fD23}QwuC7G!piLfniJwfDu(tkVSudUYAvM
z?rYaJ34oPoO{PQ+=8qOc<x`=csRCxyO!(0Aa?C)#1_`Db{XKNJEOjfLWcu`N$TL?v
zKsYpRF*0|%P417J$w%8x)ls?a{68ppECN~`q>m+Hw_%;S`eQw@xR4c@m?yMb*v=T=
zqy3YCz!O=?w%)$cy<^zj!E4W>2-Wydm-99Re8O6NljPOaP<1tc!-_;AAb`LioM!$Y
zEE2F*AIeQZzyaJ3J`38;4+Q&T>sVTo2tAg6e{9)K5UL?pf<X|l0F|K(!=Xhf$Di=I
zh(;CCek7P7uWv!VcSL0XdE$Std>*|7Ri{D`&y<XQC=VY3NW8|yX@`ofDoLba?(4bY
zH#-qC3IfBLW$&wXTn-*YIiz{9){&*QkfAM<Lu7CAIdU@jHhKIhnMZCT5A0rND|O_;
zRNki#H4Ax)&prWrZoCz4pu$na)RWXO>c!(yxvq$y61X5x8>v0i?=bI~ilX6ZW;8$I
zUj81MD#Xx*;%Vu$$F$epA3ERDC_>WaKlXlY{cp}qn0nlT^e+Pr_7-&W;;p3Zd;Zi-
zEEjy4Yo6%do94#Up+DM4C(&s?;>?h&Eyy)eq4e%^JovEEU(;0tBKq1o6p|UP?i8Pj
zeUK;S13&5zL&>#@{7%V}`j>(=JwRQ40>-JUAm>}hq4p`^yT=uyPgk?kI_VlDb}8<u
zwsR-Y%IWImbX7}ny59TTCfn(*QLHaw+Yig=n?6Y2!1K<x{ty?!NwW^RqrbLqH?0*e
z+?svhQsr(8!uCy*SZT}ql^EE8CmO>(84Rho<=zMVp5_k4Rd6zv*CygrSX^RXenF06
zeSEAI18qM@!iOb17~xt}46dpE1=J>13?>n4zo(X03<h}Ces|DCRt)M_|5B{47&NT@
z<?tZAVo<mG7bU-9(4hKTtZ&+*QPx1hJE-tueCk_=SgjkmZoN6nFkI7>N-|Qlae;Dm
zy*brT+SUOmAsz3=h3~`uM6PLJk=2SE+}ya|hqVJbeagR(z1h7V5~gY%q#x~zzryc8
zMWFjEEn(Q8N&vgq@RNuDPn0O>69sr~lRS`kNrbU*=ax(S7CXTBmhyRl-<E(0Q<<4?
zG0cWB1mkR0Kv+T&F_r5ad9ffz4!B(N=&cIt4~mo0oBuMUBaz{Q97uRs-dZ4>-5~7W
z<^%l)C%_{_=pUTW1dp}<gA?Ri;OB@XIAP0r%;#PDRr~ateAp42Mp=l6qK8?mH0x0o
zLE$4u>Gs+f&tsAsET#BVWj_tFog1PpiKP~ws_tEfiBGN9j89!I;k>3{s-C`sRv*S6
z$N)(rU{TzYdHvRL+Cn(ppyR#qPEOji33b8ym+bQW7PToAi-+<^2Qg>o*Dr%YLDGa-
zZNWL{Zxi_E<74%cXO8z<mW@B%I(C_(IFn3#S)Oi@zyIu&1ZbllND5PlkGc5rK*LDy
z@R#>nWd#(7wASR}PX*c`_|JI$&9`ZG64k_6JxEWt$bOc5ZwrcX`|3*sS)JTwJD$Io
zZlU<|s=4&qd+@?#D#0zQyG5l8@^yG7<p~Lcf+E%g?RW-~zJk0NKZJTtCwZ7W(`LJv
zm~QdXLes2#j>5-Rw}xC!m+)C@sW#L$+hY=zwa#WC=K09lMy$)+L6pbjfX#X8HEOYf
zEqDF~OF#K`{sOAgXK^Rayw=C%P3&d(ms{ud%3Sqa>RZJ{?u=`JR)l~q?y%ntwB&b#
zqj;)bTuIQ3$+zVW;q{Ye7x(B}xRhUT-<7`@*!npugt(y@K7xU2>P2i)76EjD*4ucw
z+6Ro`WAu~1wiW0qT#NSLNlD`8{c&EnWkT2EdDlKfd(5~)s`=7hWuS}HxHZkX{0v$@
zIjmRa&Rpj9XpeL2w2@mE@TZDjpLytV^2}niN0gN3?q)6iMbIVS1HAOb4*qjnA$q@R
zKst%BFd$Cx-TAG-Mf2X1X=aH^w8wd>;0Jj5GThWSYe2UypGS1nmVeljx%>CA#Z$%T
z10PP^BDBH(Tfs7^FB`GA-Xn)sZ1xS+vKU~93)yNu`?W(Nc7Kz^`WyM$aoM4{TZc{+
zyX0RpJ3b)Q9%r?HXIbA-af1rWreMXX*JFskKWR-j_$e5>wXV&-r`&Q~%3bO_V9K)g
zr)D+bFtM-q8MaXesO?+6!G~=U`k~HNp+5piu_x9f#4uBt?OPOx6}!}-Igd(xI2=A2
zdnV!8qVhu6N9H%?%z*}FVt*uSuAKQ6;@<>GXO`Jt+4j~n)*5Y5ndoFWOfjdoj|4``
zsEW!hf&9C_ujb^u*4LGA^Y(eqKOW~0FrXpW7hUUFR5GVM6k#IiT5h;)hGFA`tW5N_
zngJ6Rsv=A*&OBMg#z3v$DNntMPtHKurr4*yuO>@)qSyFjNvej_eZK6S)h6iY*muoB
z?Pz4*ckBWdMZgne2mgoXRsMfG4+hKng#Y1r4K8ETs3kb>SZhS-r{dUByK4A$XE+3}
zaxl$Asuvi-f6uBUG!ee&t8?@@Cz^Oga!kZl*J+dJnK_%I9IxV^7oIDuipw>bd1!9H
zwqpOenqvD~i0OX7@JlW3Kwv9Z+oTC%1gU~HFsAeh^We4kyDnG;U7A1IVH*3mT`)Q*
z&?omriz3Ts6b{Y5KX{bvPGY?JrM1k#HQ2>JoVw(CQcQ;2Nq2RO#MgG#tah2vrE-O}
zLK!&4j7L~QIT^M79jRu#g^Uz07axQ_#3eu<RbTc>wvuj+N0ASS&xoJEpGI9Lyz4pt
zY&Xddj%^hKFT|8?8Sl-4Ih$ljqNIWY+#A2UstZ5DncyIK%Xvn;na#XCJhjCCu*;ZS
z;2(AgUm^dX%k>^4>=JV6kPB!@`xi^$rHgOz7>0aAJ$EqesS&V>&qwf)BHqCd7=fXH
zFbx9NO|{~z!is<1{&gIrkUnW6Q9rp%RA?@Hhu;Ux>`AyD4K!srr>H!EPxu$3w;k*@
zE-C?T#3U}lY^f!5)>`?;P*`FGKO(d_Mr1J@7P#FReCYSfJFsGh-{G$LS??wlQre!i
z@8%#J96}yI47|DK&G!xuN9^MVYuq7USX(3M!C!<2!1>T~=q>aan*Rx%a##XXcf5w+
z#tsaq&d5Nia2v#MV$p8SDYR5IX9-SSw(`v#{rma)_F4`oBp<OwbhD3jzzE4d>K==l
z;EiXY9;03>1v!SCl4)t&JW#vCZ-c%zCg2A2aMv;&4oK1xKKx5A{1DiRybnD*uP}BI
zB&G03dY7+|8u$@j^UYDpSa*`H2lo|pc)S=SUHh3h{qvrRY9L-Jr)e%J;)}`A&8mJj
z$v1)m^~3ks2gr8KdcT8q&Ar`B=fcDDwdamCZ=4HZ)C#?x1%g)VNxyax^vcew=>`VQ
zgYnqE2h3Ko^;3`fVS8Y66j*l-7R1jLs+FoLB>KJSPPFXsK!(xh-4o%J_CkY>J99k?
z;oIH&Nz)JA2a;j1l!D=#HnYE&K)2>3%fb{g!CDvjTjY879{39$`yuT0y&-Tzd=;-F
zyV=Z3`)u(9w954H@w*^tGZdnT%>7CQT@bEgWY?|@LvXL!<^{L!2JnLOzNky2OwcA6
z6Kn}&!i*;&gmA>|KR9|pN(s>X4~~v03jBvgm#Tsf{zIb^NOmV3p5b<#Osgh5dEV1z
zF1iW)p!_}5)7H}^2WoFJ25rH`zUWt($G7dF9D~moDM@w2XzKh-S3inEN_O5Wh8(m!
z;pW=rC;`^W^Lk`vNpp)TlzdLBHyb3GgST#GOicMtiRGY~KZ4RLc0SI}x`2w>M{&pL
zf%IL%Z)g1eGHr!sB~E_P!pg)_;U43USl^x1w|6q*-6Do&gtheCB7Go+no5n77)gq$
zuc$55KI-^ystiq&cEoK7C5Kchc_1m`SS<wO<lP|Yq`G(sCszViUH&Zx<K)(=MmN5g
znBI7$rFxcz;4h;Lrs00vLGU*WRTt8<H!sC%8P6GITy7EQg!oQ44;>b`ld#!7sPkDQ
zR^L@?ru=TECH?5ps9(1XI98lwy5<qL2|sk+YO}OZP7()b_;I-FMg1WAE$1`mV{~Fy
z-?;ZOUQ<R-SMTj?9*Lf}p0I61`K>@J-+-6q9B>iAhl2-|046hsnUztT@`kzOHoeG<
zIpX#YsDD%aKcIdoc=sPr{{r6a|A2bcVUx49??~abrMubAa<Xm6wIV}Rz4x+hYu;vL
zm9S^(*e9?)t{*R4{dhu}TO?0M3B&6b8_}4<#{vB3PW&y_W5H{IKp+xK2>Osh|He+#
zu=3dkO<Q}zAn*Hh%weJXtZ>&f+R%p?!HkqB3wR=4DHBkD8Cl^hox00e<K<ODHDilT
zOM7UE1hBB*5co#|fZl`uNC1#h3rJdG0UThg`%IjwvYBdP3YG&vLR%)f=aYU@r#@2s
zm#UY@@F~~eZI&cU0+b1}*-5N9`~#S9)WS^@>8t!wMP+q{N!03vAA~U-_dW*8Wd{D9
z2k0kme9ra17Cp(1aSZ?aYlkLX!Frso7;t_vY)k%1-pmHxHV!Fz-=DnC1ZZtDNE$k7
zJ6PLY+Q7Mn%HV+KUug*Ms(gOikVry4Ld_Rywzi=LP~YKi@ZN1i_B;3woBRe{E-PPO
z*QSr%gq;U@-_A5Og@WmaV}?zxlEw#aFGgTylw+mcw}<5(kcjdY{;X8RGjDmn!}Gf%
zu~)D=SGmHoLL{gT8^m%8(w3=N>@vd4E*(gJdl;med_f=`_ehL&C-@QyWgbxMBcYln
zQ697AOObL;kAJUmRc-Hs1($^G3)f<QoB~%qheqE$OM`=C`%qgKc471|%JAMfwgR%y
z95*w9N2&DFbD@pUpQcH|xGdOxAx-q-)F%&I0W=}IxRn&SA)EQ~apFtaOY;)@$lt;=
zV;5KTQzipw?A`ohD$hf}L~!S-c>rM_X=rgyl0bm&fu!8KT?z!gU<FT_JgIW0OIb6f
z6gr*n3foltS%#I0=<Z@|Cm$s5Tm^)|tF%YmAs3N9Mk^t0P*To{PS-k<SW%*LgE~lN
z2k^lC>d*yh(O6u%7E-A`iB-+&SY2~Rc<J_oyULI|>E*2~d5`4fq_Z94LM;+$v)KyI
z9x#RU(5xNQ^4bABG^<f{pEKBYN-`XV4~IIh%ODO&OWOobBG#Jbsazs%z$0hJbPx(M
z({c-Yu8)o1Iah&7w^;8j@0oQmtCDy2!|2H!fW*IYm-`=vrkr>EWE9t2yOE*AH+UPx
zjViB$x~Fvz@$wk?0E!-96gU`qt}{I;6us_ROw~|QsPVNJ68wf(e=VlCD=GAbCo6g`
zKPi;5@mkDNOj0P}T9of9nQRR{makKHj%m^K79+oU7hcNkM9_*S37ywhRwhVQ^#^uM
zo(MY29Q~Eb44Fc^Y1C`+JFgcK<oCrsVmN%IZDJ!Q6;s=vVh(E8eq^;V*gA+G;LyMz
zD9fNi5UVXEs3=GfG#<pb;b|JXFLpdAimSmtz?Fh~TnD)4nVNDpJhhMqO250<c`$+v
z0=<E=Dh7eD?Ns1kN>Fjzeu>Pv!4@w31E&u?Mdz{$e==I9Dujvx9l=Jy4{Ep1)|mC)
zKNcq6{D4wP&~g(=c}iY4c!hLp`hMF&{z_H(Qa<1g<ur~<qD1MP<3SY#;}T%4#bJ6k
zG&;4UX0Z@DwbPrwW&D0+QoUBV`1)B$FZm%bmkpOGQ;C7}!o`^ei!WT#cM9n{E`Qn@
zCpuq!#jSDh;<*F4-4(@MCKk{GSM1}%^`8=5yS{Muc`uq+G|vLkbMHFfHLUQ_3;*+B
zwxPS?>8ex>UupDQSf_09g|OX`tH*=k)w+h6ScqvRzvEv#*a66we|SDLWMc6VTK|QT
zwRjM|D$YMX@@~SuzPn<cp>Ja0Y^kk|`2*#EBzOPh%`c@JYPu^r^?kkyUM6;Bu@F|*
zKYS9U9UB_+=M5dn<joiI#ss9%RhcuNCK{e~^IkvW7`0(UXYu^!kL3l9Z}2(#f>%$d
zuh$D+KO5XUKgrLnwvp4XysIJN9}uVu^aW2>nS@EEcT`I0wN?|oVq)LaTb2n-T!w`y
zQ?(s{G@y5HdY{G1&nd!EVZ9J25?71ogx2`qyqyxu*rFh{Jrd{r2eMdlyNg_dd^o_>
zW7i8TX76!|IW?S4&S&$5P3yfK?e<>G`?FBB@MvL^?&AZ06k1RfNzzq#p4oFhVU&=x
z4!S3_ft;c8S3{#?VquKYmX^=Eqx}^1T0sYG1|#k&Ah;;LlqGf-`wndm6t5RcmFfbH
zzfzi2#VukY_V>?Uh!j4;#Qu42N(w)vei%jZRm6_#U_oIEudk~3%!&kjS~EWh8Hxp4
zD3q3hRlqfD6Sk4iV`LdC2>OMvj0Fz4MU*-}&0>v0SC3i1y}dpi)J7Bu<%%+P`!e}g
ztX;0t_+9m#q+;%lczN;3O_<Ya3rBOSz0c@eYrtXN9dNAkaD2f=nLQ_*V>p#;rMu97
zp>7eL5Z10b5p&p4@bjUQ5BNqqM)dk-`BmQQ&>%qKd(uG>tg7<dq?0niZ*<ZwShere
z^00}W91NiiOG=fzoPK=RJEFQwR<BGtVY!obN|Oq;aArIx3zT{cLMm-<z)o-&T%xSb
zEKyd?^p4&s7&BTp6H)#24F2IZwZ-Mdz>%hz&%5*B^V7VTwsG_lCbP~vt=aohG}-KV
zKoB5x(y3(hZa~m!iyAUaQ6(=vtFk9weO(#_=8`b2UU;hSlysxFD~P+J1a1!8O+B_B
z+~mxNy_i2;e2Y3?urk7`a47nWHXVPXa7I2ymZn96-16<1j3q9?DOxlwg~q0B!l8t#
zjDrLQxz)%NsJf<E<_#Pv4zUEvj)w~16ThqAz%ypcqmD#mR&QeFDD5vziN2a{LZ7jx
zyU|C^UpawXc~O+B*V;)Jy^gZ1yPCm-<Dk=v=?^lxk~*@53BC05>}!{~l8v2i2W7TA
z^p&U@T|3HkU<N<!-dWv14q!5v*O_@tn_aCh#Gfxb`m($jVttx+IH<jcbdy(AIhUQ=
z&Y%QYt%x@!SO3nhn9DDoW^(1^3v)Kc*2<_peo~lISP)$><I478d(JT@8%L4`bYEU!
z-(^Qx);!$B4BHjT+1Po78?(|KxW_yE*_7wN+t2gkMe(lkAky*k0c+ox^5OkI^LRfu
zoHENyr1PIGY&L3<ozuNjtvbdODAyxOKk<kLv4Yue8Uh1>m0)I<;HV%#K+5}mOLh)F
z6hxAAo68$bG-tB}{AV*pf@RQV!>91wO?fBktnT`XR|2BJNnw#Jfa&@xP!g^dnh5QM
z>yJ(4-~JjU#fUBl5%Qn4&v62nt#D7~#a*mcv~S|8dqSdtqZlZXHD!GieiP0MRm3>4
zsaQa|DDtgU-9yT<XS=Yvi_6``{AU7?`t`u`v{!QvW5t((EexS2e+X(!J?6d~C14ll
zD2K{S<=p4Mxgi`+6hzu0wQQ3*P_q~<pY>m@Zi6E}y`}k@Jgyw70&tV6mfNDPbPI6{
zAreobs)#Peo;I;NbNCYFG?L11v4#v3a&PDb#-?`lon}37p3m+`GaB(=sl8vUaamZQ
zQc>L9aQ+*+^uSVy4Wp9icm6A}O;m6z|Ct1?uP+wy-pH9|YJ0kk!G)!oI$&Qf)_URC
zo*q+i>jP5f>gCi&jh;<4)nctGVim8GFf6nE@8{jqaILwVx(zNh7vrwJ6l>YU!VzD%
zQS4GpZ3sKGGp8jByHr%qx)C4o_>y^7><Iuat8i6CycTQCB3iOwt4+-Xq%l^;c15<t
zq|+^XJ|y=7vC0BaLo`7jprFUovmrSbh|6RE6$C~hBqt=l9@V_u5;Yn2U7keM)86F>
z1FY+osrQZQ|2XQ{8Y3qS6dK6f)tE65M<I6YMXlTAgm^8Luv-hQwxYu(9=H>(wR!j1
z9d2Z4Dy36h=_`<zqh+gxk(RPR7|1Ms`mG>yW}h;eI4;&u)OahBUUh+pMt?JqPI|9Z
ztEPUk;UgR}x&*VrD694-NtG)A#O#mRPgj_Ua+L<MVLu>GfN^%v2X`NqoMvzS3PAs0
z)&M~GAIz$lN&|ide+8mG``}Kv07n=<d~l2bA6%?7VndG)F4yWSa6^u!O;a>Jox1MC
zqFmM(q5!cn4WXy5G=_-QS0{f!A+YM$>{0p`Pug||?5|L}w*##+s}9hx1~Gw40IPIh
zR~Gi?c^#J%bivBF2yh8utyryX^miq&KB9uIZ@fOHsM5t4LFa{LFCe~8RSn!jm?fM%
z$?$FhLQXMoWDmbs8eknp_V9^S1blNeq!Fnqh-EUFOuc1qyZt)1xxrM?mCXr}YE>cu
z#@cfkka>YP!HhiA2Nv62AUa8X1&IAJ4<&h%XY$wGcwhlM6BUE6Y#r^p{rar;CDe=i
zu34XYI5G<}bsVatNf5~Z=H&0R(YmzD@o)C$lU<|wO2wZ~)~m)WdoAruF+gtU_x?VW
z<--W3Vid;hzE9aBTg{Y;!=anN?(s%Gk3=tX&*dTFM^f_j&H$OYA5tE~$TB|ozOj=R
zVBij_llNPzAK)TbNYmBb72oYwDH-xGjWY+II~X7-WoCz}zE4rg%nwyLL}Dmq7Kf_T
z;7=_NRV4`E$xVk|I3>$T(`CtpW~t6+8KFBp&NzAmc+e9v+^;dSnI%kMbwj*;x#x<+
zIs>WJ#P7dP#a~)0htfuM`=xdJ9qjk5Y=oBb2A0Av3Un&6_ch}W<?+Uu3M(ob5Venh
zz|z5T&+P)nt9RQ9Dw$1jMf@VZfm9)&F_S5I%ShzB5SDqmKP>*8&}wl{+HE~cT8!Uk
zApHYSzh@v?&pODB<lf@G<o0r<7P#xb$`tbVqgPh%N4pD(Kls|@^myOg=Hlw;5#)A`
z;TIcvmf^GK1nwjQ={MyP5X<<JlPx*Oy#oOi)$3V1vs#G;;#c4pGzayS2^s{=>@B-g
zv)6u5;JHO=!5&^`D9}RV2yW1<q6+BKur;|fQOcaEi$SHz>EnT0-1{<S61!P_yuQ8>
zkLNqyMjN0l8ejVJq-llE1oL*L_TE)UT=5ZTizCctso=ktTQgmt78$w9!+<q)n!dOn
z6QJrAi5oJ8%RNTFA>2b;S8pU(wU9ie!hCn0G$)lj^>nA=dr>6!jhNi}<tLzzpB76)
z7|0N^hIT{8phf!Ak8A%tP8z90fZya;f4)m+LnRPA@P~j==r5#%T8+XpGf{3Rc_Lcs
z4C(^POL~4e_7Q3brG&ovS$P&+15<k*67I{9-ivN=TZv=**1;19)!tvQi=!7da8<C;
z3BomOHns#iUx)2pvCgzaF|8VU4w8cQUL8qZDEqDY(zg8b^lb=kdublLH2T<Rcri72
z+v7;bisgg|Utq1>%^O!w+-Do?p0$o5TqVRDU3U3dk<Kd_WgLCAU0+0!SM4jp;#Jv?
zqk};QA{P)_qqa*Q*m+)us&D9nFDCcZkpF`M$cj|bTWxVgcP}G?RH|+*c=6|V<p%0i
zSwDG5>-05c0!VrYK8-Ll`dN37`XC(EQyUmmdS_4{QD0EsQ@>JUjwmHR(0beJA3>rw
zmacthw~dRUEnY>vh}xvvd!rh#p*;u}(F_c3ct_AK)9%p5i)hufBTB*BKkyz6jhOXh
zOK8&JV&AP0x8DT^!iFQ*jpG5n6*_doq*^*)VBpfWpYBJGqF<%oqZiX*E@DsG;DfUf
zq<Ks5uyR~c?n<L~kU89gbeXTJljd?3=~0&X%(a>?xfWQNsp2m`72bfKKsr{1j3dvO
zk{!rB%XQH5!@>mzGm|%4OBVIrAeb9RIL8wJ&@9}B3m8uOxX)_UnChn+X`=K;X=K32
zaPgt7t}+kHTL8nD7n$?tz!IEa<pRTFaW<oaE*);v_OsD*+t(c*7=vk}gcHb(pVR3!
z&tE?IcrsB9T$B#q5|ZGid_9-(gt^`J3dcaJm%D=PgoS`V+?{N9wl6!9y)=N~uwy0@
z=(m7bBWp7g-rTbTw&%WoNL7W_&uuE+pAQesvXRi230}EoJu)3zpFhu5;ovx?90$(F
z{Tx3|6o-V;uD_qe_O4E9-glQH9exi=IQxB-KKwKzVe8ht<)o;%_J#zFsOn`-aJ0IQ
z{4JL=o2c(gh1<!mn*_U`X}O3F@=o)hWih-|-hG}&84o5f^S<$Vu%r(^SKIYNtEmH;
zgtcoMiB?vI2%PedMq(rJg23N+zy4hTjw2xOjt}<=P9SAI5)_1ShFcyhfd?TI&{ODx
z*e%6Js+|DUgc?x$#D0ARXh+J{OcBU(zWt$*sPwHL$P~Toa>X1+b@jkeKCJIU@=8Nf
zUFrPwQX}RP)L1&dFTI{8UMK#H8ER)NCoSHZV5}y=ts`^V+Z($DS+F+*Qe%Oqy!^j>
zg}HtB*=7lD@b0S7qmv0x@9%Vl&Cg+Mp0vTJKtgZQ{z95SA(U21^@sUT0oZQK_X67c
zf~s*;U<qz9Obro@O;Nr4U6f!ngCGCK7;%b~_Lj~Rq2D52wgGu=Gso=5hhX9qZg8=)
z9d=%lU4vGylT+%$NQr!5<E2d13*4xXhZyu7`plLgEzHh%OO%chb~z8Etkd8Pjckd<
z4gJm>aLW{NH!S63Z-Rren<vLXPvuMz-m7kKL5LDV>+cPYW{MW4V@*!Elp1ayhIl0B
zBS)-(_W0kt++im$_lLi?SfmFWX>^nx`dNd51v>q>!3FW+aT4au{Pr*7@IW`!{85kk
znmGUuDavZC-VwcD;3v2XUKIf4;2*If>NYe_qpsfrnNL;IHby{V@*U_pIS*#I4ypL<
z*f^;hIjn`-H3!fpTLS=X-1@5feOkCc!1KI`-gn?!oJ;U9P8$bH<zrQE^o#L-@zZ)Q
zsj8c;--hn^f`-LrVtg1{J`9a+ztv_<K-tO3c#=_oB`pM%h`Na?K)pmYqlBm!7(wc-
zd-CDlUx0p)t(>yER!2sQj%WUG&PkZi)M_2_Hd^s~V2ieaX=NV<B9Te}n-xB?N>tT%
z0SMG%>}#xGxr`_91uMoP2<jU@_8G2~@w6n!>>wOA(ilDyhLgQ|k&s0I{@`UiO9}Oa
zO{Zi$M+mconPuQAa55pgcF+4L=;vo1$z<wIhMe)p&+VX?c^W(qUIWLo!60%SXm{v`
zU-&9Q<-!<mUgqy_P=*W)d9Nm$knPF0X+Go#@)<U;gIYwk;7DKkLPqY!T#~2am_@rd
zw$yDL&!aYJ@#m;7lHKi+7-xY~Ne5j(z#9kzLM)4Os6Z*Tp8A10MxEQQ%9W=%$N;Kb
zeOf<nC+!IBER9ZM(PnaK<+Mict#DuK0q<T%@X(f(GFq~l!=5rznp)WFbr5YcR&!0@
zt*nmf<iD~OVbO0HA=pIhqM!hqR_aNQzmUpE3%?VXO)sJA8E=X04q0&>m$OWjdoLD&
zDye8ks1>y<l?fX<6<dV&Li*@Zzv;mJhCfaQKMa}H%#2ugd-gHCnFE!o+>6XC=40mk
zYbG|#&Ck2$VFP?RdVI6qaG(Y8d6<cU6xllLjcgJd&6)RNiwZur{jdq1qjm5|><)g<
z^mR6n$Ih*<Vz;vU*-nBbq9q)wHp<z{aYwBgy})4>rK5lnP93M4a}@QLqr}_z;>tev
zlXqOaue*dg6jPI26ub|rX6-xU%sb9=5XSK|(s)NEoW{mCSC{d)s$RfmMAbkm+88mw
zm0$qEM5X*@L`5ySNzUd^W&aMyVojjsTNLty;B<Z;NTNtnWP9qa;H{;9j3HackkY+i
z_<k+K(Ft;pG4cpq^=#xa<BLHk<OUM*@z5qD5F=bJtvxB<x<aaq>o@p91nAD!lt|aV
zazr6GBG~a6z0MdJZ!WJ$lD1uNyS<4-K|VEaL{w~k<@nTmOZisP(W$5A-{9%0p{M3{
z<y#$$;rZLjx1!*;t>s&RHTqA@Zv<6r3POX3rN*z!U964N>T-1~qNuH?4Ic7OxLdR<
zx2}`ol55FbWX>v}R8%UWNF5cSkni}<`&!W^anws|a`dGM5Y&qPLj=l*QFe`pZwM>9
z8$pNc*6@K%c#dczyy(Vet7B?J9c_&Y)otA19mO=O;`7`75M?-`k2*+!+D~m1BA*I#
zj9R}huU`_D6#54fVEpo*W^)usg8q|ieum+ve;kXiaI^Uz$Kt!9#JlCM_vaVJ*3vO{
zWki`xw4F3)6W)gwOiQ3;(8eFpUeMmt;&Cv_`xpA3YLf>2PqoR1{-@d;WB;exyo&o7
z(kL|<){3E@-xg&@q?Z;up9R9u9&~?t3_X>8pI%09pvT1H{;4*LanS!%oACDhgFbuU
z!QOwWO$XIt+(^7Aa6G;m#XP^Qv<6tu+{!HD9%e3~5|^2Gm@`GpYGyp{Kag?m^{1Tb
zC5$n3X)v&aF*-s2i8f)7@c=B^6sDJqroT~OtDfKX4WZB8Mu(mf-Pj)N>R|R#UgsnB
z3wAv2NV<4QwONdVQ8MVCYBTbVcuBQ6k_y9Q%q7)kPyTG`U~V2xnsa`el^vEt<UnoZ
zj=bvQoIp+-Cyn!f<J}UnTf8LN90mRdM#1Wu|AA4(I2erLEQvNd%By?J>u?JkROxLy
zZJsd?+K%7BW4Q5rcoDqIyrt-hc-$J{f1*t!qtO!jC)y<G@&1W6Q*c|UOPbA&=K2@i
z_59jt9;)<^-BR-rQU<IAy9LJt;a1v`n7TDakrv}47FLG}1m%b&!RBHy?tg+!cvt@u
zY{txb{1a?S1p>_-%L2PQH0Vuw6l9rt-#Wlj_C4B&W!h$RZ!^M(b<`V}#X1PBrA^xm
zH@FhVCm1!r92Bx?GZKZ^gb%~y3K?q_=1+)VqC2Vg83gM!Q&dT$%$O&VtZ`Vm@_9~_
zI}J)rUd1U*jJz;LeY25D%6M~{B<=P17P5MO4?=B?m8F&COCxjB`S5BrA}j-kgG}8|
zULW^9t{U3yLK_(W<cl^NgZaqU0mgv+bzt$GzPuw!oZ0wLNq$Ac<boOw0c_=_jF<EQ
z<-cW#hxN;d+hi-pU;xuH__yvVBi2(#0Jwu&J0GKu`O~|wBnE|GBG;+M+vyYNeG`Gv
z(qF63CQ2b0(K4`WHY4%FE{m<){osmqTe;P&`b55u(NnXbO*x?ZPMD+lU~>$<2Q091
zeygzvsy#K|twnyYdAl|IavDuKMlP^|_5Qn`5(}($MenjZd$m)WDxum^&$RChua+7o
zX}8F<A>{f$;XmO=On2(W=*io!xuTa?qnD|7J<C)-Ur*80phQna$`HrXqqqB0{3&6k
zMm>7-Y6|Oy^@gO3C-kiNpIkpvOyc@gJXJhbcmf+&n4A61AsCvwQL_4PiPZeth#Ge0
zzg$iCnq&Oi9!efc+%^5%%>B%l`?pzynVaVKTgI86!~>g{=5uyHy;K82o}%hnjAyp#
z6XL$=?I5@www^YZ>o3fBvyK=sP6|S;Aj6qp08x(g$i7)r1~z~n!87fyKetI0<83k>
z<ocbxZ?s2PRQ+ZoS|rxIq`aiOP?K>l)-99Icw;7+F!7WdBFY(iwhaM?$eRck$iJ+4
zlnr6+h9!NJ(CAu|^h<AjSgynVlW-RN2{8m2u^yq{VqEml%kUS`KIlCqeS1s#kmTS=
zN{T~|r!*0P4(9{T#F%PlQ)6mUce3PSmlpBGgvq{)@n9g_>co;rlqVA|xFk5{pOx@Y
z=9Z`}_O|B2%A7Op`99Kzs@HqNzKVUj5bhps27p&w=(wV42|rh`Z$ny}NLFTJzw?;-
z62s$Kd)3q)PtuL90Krlt_M^BZAwzQtyQB%NyziM8qA(6T4N)7<iy0SYk4J^Hi5jF4
z?#(E{0KI2tm>WW(pn_CLe(~eo^yLc?&cy6<3gdL~q5l-2{*#ec+_X+5E-6CqGWuSh
zi@R7gbt>_J53C4f-tt?J#9s0bJC(Qwy50Xz5lY`@{huP#e^QeAT&n>AlkZ?f=$vIw
zp5K3hP^b^)BP|I+r<n`fkD*I~P|)f1k|1<5@>1;NFud|KnW-f~s9e)fckCq<q!&B-
z@{b^Z+2$W4z|V*7LeL`pgZv}M*Cc~X3iITZ|EWPOQvXwf=K6@GGH-NY(z8~ldqDrR
zpzv+wpBA(oF5~}cK|lRe`4|FgL3i9$U{y_F(x)hT`O7xsk=7+`nTEBXKH1stt5z)A
z-9szbvHMmt`VpGh1~j8L4|d&<yWldU#B=W1843I!WA_5i^#A{l|23ybnaQc7Z9+*I
zqEcx?5|ufPj%G3?F+@7r=1_E+IaE50P?VZEcAkmO85KIuiq182$l2@vd~N#tuJ7;j
zyS~@|y55)fn~=A|%U;jN<95GK>e}9V3v(-bTU;aWhEYrId(XX@ObRL2u;1(!(MsV#
z^Qyq7vPI!RKV7LV!jq~iU%X~69uck@oC8Z=i=bI^KYZ}`08LlyXZI(E#xcM-TxUi1
zMMgzOZ2qtv2QGji5_?Om!JCTi!Zf>VPw^&k)FV`8Iml+qZZ(_?dlJxx+8{605=_9P
zPx74!e_&|RuLP(Zf9CUeT(PWk0L!^y)Xy88#NT#!!kNy_{EstD=0v2G)%<g&Wt{DY
zUY$>?t{#2O5uW(xOjUULCr{0~;PKU>=$|ufs#ZADr`LC2I`}<&6nqzt7Mchb2#G>p
z;a1^jg7C1Aq=2UI(#J|@I&ukhyIcWH)oNO{_V(=P4;e%T_q|oH)sx$&KuzsC)pzgI
z#D?Oz;-zA?I9m+Gh{1L_`jYsD_=)(v_|J1_2Z#&Smsm=cNW3JQCD9UHmLyAJcr~hj
z%laY*zCrG=<w={}{rLz>om%9W`Nh(vkR|&q5uV_>kDl0>V36w?)o*!Hjf%L`H;$Rf
zPG_Xh!~DnCdEmPau+#zIQfFr(EY+ouX(;j)`R2<iWbhL_B$mCC{g%Np3_Kflggszz
z0|a0yaH-%|6o9F~r6yfuAu#oQ-bEHu0aI=Iyd4`~1vz#i@dQ29)-`Z`6ogeQg(D|C
z$N`TF+8=F;mJ=aWayS~)s-VxI|2!A@)}tY?@PHmfPsYx~+F(goKkR{zSaUN4WMvsN
zKaw=2NAGXPQpo=x>;Ak?$9-0;A*8RPQa2vJd$I}Hgi5>??h4@!p^4zPXBm5bXkrAL
z#n`K3w=AtCcQbbu@#OxqD}>c<T>!II#Fo{#oUBVYQ!})+otd(HhwO%HsXa>OT1vc4
ze7<PG6E|o!*^wMb-cH^}K1ROaGLxoxiF||nWKHUZ)00xW*Or{peeY6=H{jmO!F8`K
z#h2o7lc>{!HggZ>&Y@C{IJi(xQAk;G`tO1>JE@fWr01GlLv${6D0rTP2VnV_{5G|u
zEeZZDRbE5B6Z>ba`<)*AC(q=k5isO7xH5afN}D-p!>?L1<)GLYXmM`WtqoV`_b>Fm
zJ#ql=rD@6_FvzsYs~GDUI~W~=jvj&<(GcVVY>;mF{u7?yvDah>k8LPlWSS38@Yn@Z
z1&@^!U-(uGPw-e{dC)CCEYohE-@?3bRS0`9#f!O_8O>xdvzWR?%o^q+=3AyIra;bA
z<v>r!$!VeNZ!33aB(W<CDvLF@mtN#JQ8*DLIu^axJFe+xJ{Y=G&Hc8<IAB_=X%T9Q
zPqJf_x@aZe=b8~E={V`%qp}<P^`H7GUW|uyD;({nX7HVbIND5&gDqhlh@;iW1&^b6
zt#x`#1L2|s|F7uI=g=%ip@(pTFj5E|6mo<GLWGais?~`;33dB~8shgZM!x1<9xp}O
z-$@Jo1NmfeImeink%hYWsxKL<V-cCxifCIHa9f48g#ov%L$oanxUE9l!hqW<v@H{G
zTSVK^a-i2P(<tq-@3IluR2U0`st|~TklR%C(#LDzV0dS2Pg&xiB~eLkGvKp>tjGP=
z;X3#Q+zJ1MHPH~PB)4OtZX_l1r{Uheeai>smjSsALDO<PMoDWSy&@-?Y0;+pj!`c~
zy<(qh(Bj5@Y1XYKzKbOr-fCDZZX6VMMN6Kf0CdYLAHyDNM$oO40e@GZ+aqoxJ}(9k
zbh~xP;N>if`Z*T&Z%Lj>79~JlbN^v@CmFA6M=JzwN4}D!XDOS0>`sZ6v1FP&QUE6J
zEB%dkqn?b6qMn!rPH|G0OO_Ta_F1QESafdjn#Su6-Zd+Bv|e{Wk!x0*rCfJ#!{1!y
zl6&0&<6E;L5WL*4X6Z$jYCBy6{tTZ0j8nwaBy1*@%7^B@p2I%MIKLywX-7+7%OC8h
z=&HTtKbkvh?mwDqJJ-{{+LaJM2q)|zKt~AY2#Bkib?DuEC(bBAGgyWr+7nHy?ecyG
zwtgn)i)3fm4u>Yqj9h+(eI~8r5V3E~9kd<24NW0EgeTlCX(+Z29rx_%Nq~083QVR0
zwF}TLax=1j9zeS$rP-lDIKq`P+qs6h!+RTBS10@s0klh1s9n6p>HIk9kq9R3v`g;Z
zMu2u<h1vyZ7gnfUfOaJcwOif{(5^!5hEjU&^x|w1l6IcQ0JIA$)Gk1~GDPi;#{jeo
zE7UGPyD~)WhEf39mAWM)4ZH7coS6jBF04?y0PPADYPUX=qB04n-79C}UE1to$c-$O
zv~@Zs$tC1l<hhc1>{`iSu*8`9kPF-{VcHmm*^Ri}soRnDPT+RChDUm;&c^_^TlU`I
zN@i|RUhbJtYCQGhTa;N2^%C_4^$GPob(L%`0~{!?Wwckd+2zTQk#>+Bbld2t%5vU&
z6O#{!rs|k9a^OTxjso=d;(X^b-zz{b%sLsO0KEf~KPG0@A)puD^!Ty@^uiUtm7o`1
zWTOPV#NDL`=-m(Aczo$Sk`na7*<isQ0lo12R3+$z_kL7@UNmvjLb&?TfZYR5G8uFz
zAj^2VJS8d}RH26REGY`oJGONRu0=t5W#CkQM_wx+y@!G6rN%tGKNiz`|MvDO-UHsD
zfV?j)d9%Opph4bb{!G3N{|^;n=rO$cPzXPcf8^VMT?C_;U&{|#1|3yV9$QTo&J=z`
zKf!sPX=(8Pe3W)tTZdwqG<fLX!w0hr(R%^<g%#=-pkE`PesAn?7aXaP78H+at3P}I
z)Gt84@`~x4_q%x@sh)Rl0I1&uy4nE!PIC6EGlFZ=e~1QzT4EIZzQ9s!FJ37|&J_2F
zzaiGOBW`j{<Lug}OeOo>ZD>GLvfsX#WL34Xn4_vy-^C;1LsYE9P6D|}D3WcGy<mGq
z8CC?nl&o+lMgayZ)0bJwmdHq6G9-tHCA%wAl`pqs4qF_H{QGCiBY=Wog$f2J*l0*v
zc4N<~+2dO7r@Fk7HI{hyWIbVq!=I1oFcm0Rr-BPZ{BJ(FeuS`jHF75xWORdqMHnfp
zWKYP&Z4k)-E`Pf49x%bE=MCaE@i%cbddfQ;^Y>`z4;sSiVa>6Nu&c2fu{*I4a+L@P
zjj&T3KVl#Ap?Cb>e3)-%ow#xpAqwWpSZa)aksKDpXa_${<V$nTPA{8SOsplEokmS+
zC4P0D8av`NV5dzsC9B-5KfPh)a<Vr$gd9iKkwD5Hmwy&np9)!0mr%W^8HE>V*;fY~
z4^W{K)O>0MwSn43{YD+8hBBa8jODQRc+uUR;mqA^_%OruM~y$q{L0ROh3~kU&%&T;
zS}Q}!=wIAG{Ayqn*M}|FAQ%(8ndO4hc^C7ik3gg;Vc=fd5y#B9^!%|3$%Rq)u7g-n
z)I+>o)J%kZ(wAAVX_oI_4aSzopI=yFd95lW{Ox$bpJNtUr2N7>%~>TyED*;$Q#79w
zepI780XpZt=UQXq^$I>s7!zT)iZgPEb_kr9m&dc>Ifppko8NK6gUVv5{rAUfQo!6B
z8GB<DbMF^|nf0%jgI}0~v1PFn18*E~#i9B6%R=+1ih;K_i;hmeH!~H?xLLn&Y3zBe
z>^C@8;Q&6HE>0BtWjx88eYhn}D>Q%k$HOS|z_JcehbW3aYtDe()L3YgtIu0Xn8(m=
zd44H~ryiE;@-3zLS#ifrLW<;{BDR7F;ob2yb&?g%@iqSxaqQ~>$JCF8GTQ`Ps>J7l
zb?XL6<XfG%xtRFtlUe~H)?&qJvuL-WC@mI1#Qt@=hD9BT2FYO%7<98L!dlss0)zNr
zncI!f{Kxugud7o6TG=LqzSVIb*df#*gP3<*3fz9PgQ#;2ddIy&tChORuk3W|t(Afg
z8sh8mwc6eK7hQ9cW0*gdX1eujOAhn%uH=>H8&_&vFDdRMk_HyOK4$T1JVN~u(Z?8=
zo5R4|e7tD=@;l#qDx{@0wYow>3oEn}x(S2!LGd~?v@Z6Pu=Lhw>@DFlA>?7&l2*?a
z(4?tj@@0?f**NeIdb(tk+aa1fU$R1i^N~c+530vW)akQK4CWiep9lYi6YGHuUANwq
z4<zPuW{UOfNY*c#dL+pf=Dub|HwbfonHi0y)Mu`iT_WfZlYaW9%o$i%0vRk(ZGB;}
z!E&c;(7=+gWS(E~cf-QayxjpttOQX9Dqhs_>2o-xTc!f*!<H~<$>3<(n!egEn_za%
zw}f$(TB*m~Ps7;)+V!x$v^+P+O)iq(aeqqgiU4Q8t*C=)G7(B`N?_R(yzO3W>k{<e
z$m}Q2{Cswrl1Rk&NcdNjL3OggtZCY>9rW1prfKg_?_a$OYDKyAOVPcPDC~%0x?!ml
zn(3K@ZJw4oTZ{Gf;hH{50W==a<)zwM+C|!1O&jI9^<z>V8xLaWtf1_^z-{FTX4}I;
zW1>sDwuc4AM6X7k-5L`;nzlVGEGF8mA3Pf#6CF{!J#2kUv~?@AJxraJvrSG^B^!|E
zcx}L^E+LglXYk`=_3ZmgKgB>&edS>%VI3dO$H(fWegGfW=JDQbN0vP~+xiPi7!P4z
z^%c+<G{@LX+6x-gOH-%m$BxNWd|TP2b|{FXIkop79rMhfSb8<a=l-X(U03U(v-<?J
zm9)aO>d+Ox8=esbA)L45{{8ZP!?Ze-+7^Rn(+BoCQ3ndc=fR4cK5z)|za08%mgOG7
z)n>m-+tf5I2YeuEJsdS2%<nhm+wt7MNOKUGX%cmiGv7b3GO3TT8dfItiGIV%q`vP1
zWQ6vll$R7f<QJown|WDV9b<p-Bz2R{^IRYk{v5s&e+_>Np8>+mB+WwQneTp|HdvX|
z2aXLU&U}f?i8J5*KC3TQp3A>lS@(pW>$c$>8M^NAUT}x3Bc8?RS=S*T%0Wv>?aL=d
zYw1>7{JRbaRUKgriIiy$c0~$3bsE+8uP=9~JMQ=_J#AC7%IS^xOVn7s+7?x9)wqiR
zs7HDt>dSyg&$=(vNUt%Jf0vd?U0wEyvG0k^O3L|>)r=tgJuhAo^_Z{9657%NSx=1A
z8AgmuE5<U$ItDdrQw)O^xy76do^GrFPl8{9CtB1#@RVl2q(v@dJ26$lwub~UTbR~x
zKa<B4Fj@DLp4s8yNH6O*svHB(mE=54f}`8bhZ!#qHb;L{H-2X8+-}K%0^SQ8&^{a}
zXzF`Gs1zq%$aayYNQ<P<BzdFsB&URPi}Q^0@p!0IZwh{GS8a!2(z}YGn?^jyNZe-B
zJl$DH7Se>fgxm|o!ou9A_jqNw_o{QBUT+XW(9Riyd+hWmP^Ns6Jkm2$o;gG^7;24s
ztoxz0zz)-b@tyiu?X}2Hbfwr=?@#lzOAZDt4n|o{`Wc3s|2#ZG_*Uw84Sq7AD4AcC
ziZXJ^=rhMsN2Q~L!G<~tft0OAwHEhdzd2hutT%uWNeNcedtpRUB9KyuNXp<(kq+I5
zbbzGPo%{peN&jn63?q^ffs{-{QUXZ1`hADThXpHy_)m@b7JyR1h^0g*B^I%i^`GZj
zCj7M+k2D|wObINd=yoVEo@noELHTPj`8TY<l;EKrQGqEdrNmz1puMvPcoPFOz?85;
zQvysm31~`3vIp7TS=##70#;~BUlBOOa!_zeZU-Wu?VY#NRsl|FFaS7ZUH-?B^&uXB
zQ+^=J$QZ3mqWR!*Onu9a7KNxB3%{bP6qWFi2~jylJD0Bjl{4T8P&oomfJzfLf?*GZ
z=DP|Xv0+G*%bWm}qB?j2RFdEcP)Rfbpz>^hUtzEpcwM0qRKE97ktjfAqpr4}3;~tz
zeFiDIAQ(geD$h^{w@{v;A~qnP^7PoM_dW_xiATZ<6ryr0^1Y8zRH8*dR4!p`p}f8y
z83a2kMCCK^Lpk;tA(eIcLSQNZseJEq00yQ~K`NzDhr#RnHAYbYsT=^NGByMul`t@s
z3Q{=$Oy#+Jgj5ayQz<q=NF@iDO4*IMb@FpocO}47p4ku^;!}(Trc&ia&5~gJDkm72
zN(HHefvHrGN*I_*1*z;XTy*r{IGJX)3L%wfU@GrEJY`Q^NnN;nG++I%MW2FHqDzRR
z(A0PdQ_ci0-+`a*HBCV(!QK9T1*xnHPH^I^;oP!}#-Fp|j=;cFDo7<3n99fYpRD36
z{#p!|SbnK6SCGmSU8&(Bjr0D;K4TmV%vs$=Rg@%aUBYfcI^m4<eF-3y)4Sf_<gE_@
zsg%yU58jx*L<UIZy*D@@Dq%n>6{2zyAe9D-KY{n-4t}t8@8jL2e~Nkq8e=;4cw;PN
z@|-l?zH2Qu7#o94#%_BBD=xfGZ-Vc{<w;0FYCZV)I~1ZaX$~Nj$YobhuJWd^wxjsI
zu)}y2cz?b6C|mz$tMF^{W)S8RR#?RIMi24MSSvl{r}eh`H!r=*Ys?3pQd`SZ&2~`J
z0htU39ZUMNphw{;<@wB)D21n#2nXdtd*aGv3Qsxa!-`RQ%7Uv4#qQ!m#52~?x5b0K
zS{oLuze_|sCE<_pO23z+o$cgo@o2FaLsoi9?Gv6%(qIZ%Phu{iBgj(eDeJ9C^#pRb
zWRK(~ctseOs`QliNvGZskyC`JR4}^SmxXxBGTZG?`BE*Ji41(fs?P~GFV&W-%~LhG
zK6y-M5q>p4fFI89*uy`<KgYk$-<1G3<;d=@YD!KyCVcOs{QZ)2+($W5RD(44g1z75
z-trN?)W{5FDS&$Qb*z?S%ur_PuELuScMC_;g%{>1IpvME{GgvgFh_m6uOChPEkHPB
z>H2An<586V!jw_n|BWfl_QcyHxjLF_ym0)7DNEPiZXAuG%>RF2N{5h3=qZ=B)W{ym
zpl{Np_;0d4nFeeO&x4o4qu%h{fd2(k>i-8*ju~9kuqf0l1|g@Y<*uh(xIy2;1$W&)
z!2!Z<WaI5Vy4C(4rYv25!XS$BUzl=^&wpb|Gk_^=_C<pOkN?7yu^|(fa>YMP`6A>{
zxPM{rHgIkDFHHF=W&%?lx1GS0DIqaih@I%+d;TWSe`8Ahf0)uCM7<4MaK3<d`oCbx
z75@WMju5v{mbOMwLjDU=Hs$|6FeTg1i%e8M(ON@zG!Ih{48jiQ@}n_}q|w-Y*kjlW
z*zR&{J@ys$u0m6e>{E&AR%ptxcjyUCnWV3))RbMe=@<Qta990v@Pw(g!2$=!_0&4w
zpzpzgrLEfu`{o=Yj9wtzeX7)y@RkWpIh47f)eU@#fu@9I6Pl8@57CtG9!-1R1nihn
zQ!*Wtnlez<y<HY0UjFW4AfhP`-zZ5IGFlkG_C4K>9Y!=|$@=%=ldZx^g{HhxeirMA
zXvz%|bEevL6jef&lQF*00u0rZN}zVQQ2nWNY9jTEKG2jfm|qJKO$j5Z!-%GoC{l-`
zx=oLuk<{Tc(2<lCw%I8-Q{yITs6dLxR^is23l*?Vv}!Z<S<hiOG44J+a_9)J3DK0-
zT5k&}M3O>N7O-88>7HShF;6k>uH8pIbC{RMoBxCHMZb4@T+XbV)K(t!l{e?t?Z%U>
z?!0;Y<$S08bzd5tdE_&8+@-BIuI3A2(uAh;vNaAFO<lXvC{!@%V-jjgH&cZ(d<b*g
zinENfjx$Q-e9>2G%5keYW$ZB$d#Kcu@U00=i68T@ZK|{;wO3Y_aTd;*yiGLMb&hV@
zoo%Ajn*$l$(|8uVYVt!@L{m-*6<m*C#E9EL$O(@Q#fnp&IO3<Xr-)~XZN;wQx&U#w
z_<1cTCYst*W9W=_1)8!${kC|6WMh??8;16f`G)Bvm})C@6+-%)9XGJjcJ{%lpBcW@
z*sjsp-%Er_PC3#WnBJ`z(Zj71oD#O3;FNrjs{Agi>)zR}r#9W-fn93u4b0NF2d_?c
zw3x<-33HvJBRE((EQN-p1`-tSD|<73lCLb5An@vM(P6}(ha1|YdX|#WC6et;N=`Yx
z1)AWLqZHn7xRO(jpXr$3l-&pTC-_CY{z!yV!h{J<dAPH!at>bx5AgbS-Vy36IOP{x
zb!-X3DUqnrwfv<1NF}HAux0irIprbr;AwO|KX*jIDaST?OmNEXH|jd5F!wvT2&Wt=
z`g;IUaLN>X+gtQ6^p&ZV;E#4;<p`%dX?wnFBer`d_Ue=ni#xdpr<^2CF7d(EU>{+%
z)h79l4@69GO7MkNa!Sz)uwX`5d{7p9YKUk8*G_OsYzM+A)4*R%5RBiOJi#ep(gdgM
zK!E1rgZ(Y1h5)C8OD8xbHXq@X+xBdc4@3xi6rA!2?lTdi;FJJA5C*SIrGY<Fa7vgk
z!6{P+;{E(EB1LDcF<K)DuAJbML~RA9yiB}Fgsx0&lMX}_!ec}<*=c`Nzvfx^+VHEE
z(A=tbEw5i0Nl{vddJfBfw@NXvMEm#b?;R1s{leoyo-isM{9=Fsvsc8H!^jE@vH=4l
zD=^3g3{&CkO<wP$m}|u(`ai0Xy?D8mPX_N%{eky7xs?2y43ja`+0;Qtst2{8PC>;-
zRGN=BE2#KvDN!Xp-X~;NRXBai9*9eQ`C?pJM!iS<!~8_;qvj(>X&z%aBj%`>nf4_;
zJ#BMHcFL=C&Jo6omvji(g0mLBVf<u_G0;prbLB#&;NHXg)!dGz$|tSWn3vClsmvEI
z!_PDMOt}Pl$?RfU%baCo8BMlJmevulIppZ)_gP&Z&vyOHlKCWY9?9Oy3_g2k>uw9|
zgKE5uq<6SFn8)nev|qe8$2Bz_2lh%awwi}^*gl>*m^!J!!G7nV`MkB;WZC9mfz%6t
zf~-_s8Q4e3;}(E*6nN)EqPQ2QsN+=e*8^t{FFZ6m{qBzC3&B209sWCtbWN4Iin{7x
z-X>S8?gh7d+QB*s2qQTQn585h$;VTzV?ecW&_Zq9eebT+vC=+YsT)6*tEYaBXL0zl
zzP7P{)tD?3<<m2xTwB-7wW4Sd_IaLgrP}&Q!5-655SI=D`|fb{P}#lmb6Tgp=@%~{
zD=Dxdpd75EkeR*y?HY}dtSG(ubRU*x!-115<HP3?p3;^;nuk$bAJ5=|3=1o{<B*Z`
z(K@*v3fq-plz!qqB^zpab^2j;|CNT3*y^X)t}6}rlhrw=AL^-JX~?Z;(n~YD(hyP6
zbPGJYtD@=9(?UvoMU$h&m4=*(CsCx^eO7WEwsz_riTTmTM(NI;R-nTyVET9}ikp?)
zgCBo|{bZ)ysi!jA+_+OO+1#S@mWqXar;eVdC9%^<Z_e7zDOqzjbY@BQtin4T&F1au
z%rLW7V|7-U%|G6$X>TYn6fCsYvbo%O*q%_;NpPK0FsGm*s>iOWlZ%J!-*p<4%wjtT
z90Z2oU;Uj%S+m%VDt-1Bf$iyTf!r6*?3*!*?Jx2dnapCdW3=^g+zJW$LaW5LIzZ2i
z?UdS=lXYcwdad+#^UQJKWf<(MT-Cgt<%G#}f&F1RY?|zMuvZ7ORLw#yCu^C#8ZJw{
ze@%s6f3jZk@(pUYR2<|Eavi;@)w9zN+x>2)<>V%KL~kmAzQ7HV$>{w<xtLr`PFBd5
z{Fw5@7H!rY?iADTS$ba<QCD^oWjq+Z!*y&S1-2x%2t=n_^jmsGr(((tPREqz#gw1f
zR`gRa5({NYe~HZ4T)Z~x&8Hja>4%yP1vAo$!N===HYN@--QB1ML9zQgk+XvQA2WAg
z<OXvJh<0ZSuaO|RfxYD}&zlBS7VUyhy3#h+f)Jmdb^BXJV%G@P)_Uj#7iiqhdXqQp
z3vZD3xgJ_mJ%qvKjxam1f3bA_a)*N_3yT$7D+D}bxA0{C(uKTyyA=m{3(B*y)q)HB
z?^8C4Hy2LHYqMA*Fi(1XwmQS3EdSJz$xDv9kGn0J*jeeOu4KC4a*w(rODlErNM4Kg
zdaS8F>b}r&fds1<H|wk(vN-AvgB)|kz!?TP=8C12PlYQpSHAWaEwBemD+9L|y|J5%
zEUmyG#$2(qA_Fnz0=ffOT4911b7X1dQT4Y-mtEC(_Z)69SXx1Y81pur)n}{aWKAz<
zuN{s%gx@U9aA+5xordroLssQZ&xjw1CTqab%0OI3Sv?6^TJcB>mvL6(axc2)U3G^i
z0?fg^)x^>Y_)Vc)S~2}iUkH{~TGyR)SyTPvqPwqvqJ1j>EUn0p0P|iSu(V<X0?bD@
ztbXmazs0cy!g2SvJjx06&sp#xH;)15L2Xt!xt}aNT0H#w%>1bC?KgrcZC0k>9x1o5
z*o=8gxwK*#KdwfaSXx=VIH4rpb=M0zvEi!lWeGfIVrhl*0W7Wj;E(cks*^uT>yf3E
zrR5hHpJK}M56fo?ZG>QH1r&|HSz2DGC(mwUeq*W(@5ywoJte^97T!9hbq72)SkzwW
z*dncE2!<@cuZmh|uj4MkoWi5__Wan|GNOC?U@|p_iuF(|t&G{1laxy<pXDpiWW2l6
zZm_gMW`l5aCo*o;t9kB&t_gJVT5rYD%FBdj9CE>`Q&+t`zK&M}OoXG)+LVBVqpy#C
zQLsw@#qQiy`Jy1W;2doTe~wYYfMRPKq8=aaGeaVcMmZSf9SfHsGuAj5hu<HaC0NM<
zqYKrAb8w6AkMt0=s+x&DAI=b$r=FVKD%7&wrzSl=d5Npk!bMj3gGg%Ir-~vC6lrd%
z{!3IxReVa7K0-+;$M&hTS7@nP6-ZF1qn~~X)LRFtHK*N!ghHWjHrAazWMQhRW0nbK
z8T-`2IJ*yL*UC+;3OFfWq$*S5y;EPsSQYFGY$m2KVm(^#kDIwo3^&loa3d=&iwRZ}
zc7J2U-cJl{$#+D7amFWi-RMT$>4z<lamF;(uRi8{dG>4Z5AgyHL`>Q17$)6}%5az~
zMLUH_p%HZ<|K749M<md;nrBiIK<43Bx_sW+Jfpf}FK_&>M4|LzTI-5<HD}ue3uOcJ
zb$`H0IHL3#Ka%mX3>l=qdHe&)(M4M1_)PNgZ2;cq4*hi)Y5<+G%TpJJV|hEt8BhX_
zg<(&A(*vm{l%P*zpP@f$MW{EK4WMvmJbQ3f1r2aqM#q9#Rt4%Fd-EgDzB+<GY~D;C
z>4p4?2WXr5w-%gpL^&QSea&EP*jQUSK%2yr@{I%og&~wNf%_wYd#k|xhQJ-wxM@G5
zVr6ntzW`J7;tn0!(Pkq?JCzCU(5)N~6iOj@_XNaal9Uk77I!jaS_^TzetWRtrrj(O
zJSSc-Krc>>gZJjs>reO~zMU;maYz}TJK4+)x7RL~raLF8-^@H}p3NP)iko@#Jewv9
zH}mJQ3#^AM%-qal=GhF;-OOX>%`+aN%(NIGt3hiyw(&Dq>`1+2-(F4{h<AiR<-OLd
zQ@wX+GXfpl>I?esghEHzstMoBjqJiV5E~ac5k*}&={MF_wuc7+kw;XJyqOug=FX`s
z!2*o%Ior^5*@GNVeR>T)K)XXTB1(SfPd@^m>zVrv{|)a}e`Vnk!l~XsEOeB7n`UWr
zt>-}TJoy6Bm|XJ}`9tNRg}*w-2VBPFA~wzoABle+dkx=&pMSs8O$5=n3rIAsB{8E`
z8?&s@t#VC(pB^iAb+?l|enmGWd{#0}m$khiCYl`rJ;cP)MC>R=Q~sEIhE^5>T7s@&
zq?dx$38L=KLiF9-aVZ2)9%AxFh$Kr4{1BY+F_kLsRS@01GKAi+iRsz?K<dzR82W~n
ze19N)&^3(BY`-X}l8kOTyCEDgd7QID4>~0wClQpl9G*aVvsDL5Kfg&m-+MBYzD!2T
zg(pxRxPB^8UQHcc7ILzTy(Ls4JNpZ;yp8m0GxiDaUidsJxB2=O=z;VR^%eCCb&xul
zF_U4#822&#56ioq7#e<OS1bcbhP=#xZZe)SJ}_jAAZ7&9g87AuQCZIPW_D(eeq-(h
zi$PO9{fhZLgvn+$GxzXzC6WZ-Q+gP6%T6aXBUblXFo?c)<hUGn%Uj3;@ywhQ&S);@
z@{#{ydG}fW#qz|ETjf=+>KorUp6$?N{C3qXFLt2^u0APU!`s43O4+Yuc^_H-Sl)5o
zc>3=Du)H-juWADi{t*rwqOjS*j%;DEuvYk3_)hqb<$0F>V|nAk^xgl>@~p%U#n79l
zqwFKC+r)dtN5$vGd~s6p0VT`xEdR&yI>h5^`2Sd*wxm>Y``suztkqMpNfIULW=gn{
z<O6Os|5#qVB>n%v@_tJ|`@~OZl<mfyBXg3ik!_JNWNg_#mgiXxHW{rC{x{1L%c5ZB
zhyXv`SA(PGio3o=E02Gb@57Ps<@`aUH{{CU36@6<`CnL`6uPRKQ=wi$7ed2_#YQ?=
zAF<uoCjKgTJv`bXNy+@j@`_~X|6zG0-PLM0c^L^dW$OP}-e=?s@Q>vkgpK&Y*rDB~
zzCU4O4h)6iXP_<7OVD2E&FE+}3!QW%Udi&PArmaG1p055_tio@x7(r^u}yNcD%Jq|
zdJfhJy9P@_|FHPS@}jZn|AXcAnxDb0z5b8oHGn^zV0i-Q8@BA=IpR!9W4x~wVHp9|
zCKHe>u8=gsDMBgXHsK0~)PC=T%ctfOw*H{zA^mj060K7x+{d-23r-h!6P?e_$&DuB
zSj2BcLf|!GMuJ)??=3NT@Z8l8JSzr@Z%;lRyGA7|L2n`dCAEvXZtI*}0V6B;dYp%?
zE^6&gkJBJbz}F9^9dn<ZMqpm@tZ~sr>E5AyaDU+L#-0DtqgS*uBE*gRwm6eILM}^d
zdiEd&UOSBhHuP(v;CH*hQ0*Vj+d=Opw#APLKPLW%=Ut%nr=I__dh@!{G1jXX#q`bd
zwhpO*30z*KYl1Lb;qtuM^o`!EeHJ*<_^M>oT24+d%g;Bpay3S@@unA)P~<$ADWa&V
zsPv~!9WQp(QhS*4X_t3UTmBY<N*7@9B3K(dY_0e0+QOdEC(?##Z3R}S@z6<GsIlZJ
zsyu@ngUO~ml(GG}x2va8z9+<b23+bm@PP@W-bg%NxHf32T<#v>9{|(p&NC6J2c+JG
zuxZ^y`-3nota4=&xr2OBr|d#bdW7$QsN+HGGue9~2{)ge^+||}4-DkTZ+31a$<604
zHr!QLvn88ZPVKKZc4z`;)9{VG?Sa>PKM0LT4hu&L270JH556Zs(|^t(IuXnGTZj$(
zhtzirXeZ;jB>LPehW_o;)1HiR;f*N9Gq6DjK{}p~Y~HIDdQ$+>`_jD~k|>bgE+1oD
zB0zda^Ua~eFWt^@{h0viL4K?-Kb*0hmq4TFi5PqJ@vBG2QcwZLcB|N{*rc9FmqAuI
z8Ny4eL{*|-fqiV5uRZf38LA?O@15GKdC?f=?8j$^wT}y!l>cjC7`}x11VZbI90=YY
z?ccm^?UA;&zkc9Fg$~Us$>(O3gHX#eb&z6rm<g7L-@SvTQ(or3J@odF#`n*0#<s~@
zU(njY<5FSB#jo;wr+b^q5vs8@rGtJww+`GJf9c*?TEB2(AN!p!g!Ne%!Zx;B@J1L?
zxM)*(HcOTzb1nLoS@3CpatS-U)%iHb_95rZVPC)FEvlx|TISL&8ZW#&x#U>tRvHQ$
zr=kjlXv<BAE<%4HU6?5RmLWVVbPQS9*}BEO5RKFkT?nf}-c9jvXSmJpR>g)gTm)_^
zzF5|r9{>;k)w_^~raZ+x#SfvMn8b8f-jWOsc1|sJE_Ur~?F<KfIs;&F*&0d)`}3#3
zt%!P8_X@O^IA5Zu)cM|QN1g*Jb^iX1bcsjSq@h(Ubl+7HKS`Kmw<KM1MlxC^xhGMs
zF2fU@I%DvIMPR`L>@E+0<>dxlWOvzPr%hj@!6KjLX`Sk_Q6rgEmvs%Yyo^S+mzT-b
z$*8he8FWMTM0QyQj*AH&WHK2FhNi(5V*@B9ZAa3^>;9!JQqX5r)MrcrH9Q0T4}}}W
zE|2C$jXyNxY(`3W+DL}t>EvdEdUOM^ZK+41t$ISD?bJkD4UDS3pReC8DBH!M^?2+&
z>>^V?-%~E$6ev7FH8zf!y3a4+l4A)aof2JurI1D+xK1U(4j>N=9G-;veu-&{yIM0q
zqjc<`eEn{MhSuq^*mLQ}I2R7jvD@dkkf`atxP<+RzTm2p>4rgq_q2}fMP#lcWm9fK
zAUNTGCo0&kh!quV&0bqy65U821428Ry~4g5vaSa~K`h7&7h9VXZWmjIiNnRN_BP0J
z+~+tMz0%7d<=Xl~&08t^y4BupLs|R^+pXCb?Pc&Q?BKDLZ@1~W{|dt#=!>3O{3|T6
zFZ!h8udwNR`l262Qug*mH`BgtPut(OBWmDuo%n^gQw+-4P`Hu0>F2|?7og1W=A=|F
zJ+pPGdakoKrcS-M`dGoSf|K?Z@u~alE!nBbzy0Q%NOklJ2Np#Il(UtjK8>4Komv%Y
zU7vdDA~fzY?()U8-?!g)mnf;8DRRyBBm7N$?z_=`lbxP7#>!4NN6XLNG{?XjBfwt~
z;0?Vo4vTY)yfNTgIVapc2cLttXG4pFbL?hR<~kRsv_LV54qh0jj|q8s8GIEFJqW>v
z;8A9xE91sP?2$SW<2w(WZlL7m>-2On%Ue=-xxCA~taW;RgZKB@E!|dxGFwK9FY?m!
z$klTV$aQvIezqw6q`gY(KKrV1<80rNI+_~FLU&tqwV1%4%BkRu)#D_13HTc>9_rHw
z$ae9*TOA%!@ns7*+IT<)yLZ_xiLs|+Z^ri0-o^&T&U1`SO0;F}4`V0Vu0slM^<&3f
znrSF}hx|{z))pW2yZyeAk4NhK^Ko&v%e^&4;8f#87z#i0=Ve`Icganyo8Fkb_cu1#
zb;?m^cW?Pid{H`5{XChS`X~R0q?&w&w3Zig8DEHxJ5pk{b5i}}aTWboJ(soSkWo2J
zBg?hibJ|_9n9Ryp<Z8On00}kod+$u8jF3+5rYO!hpjc7H%Lt#WmvKHBAAexI7eVE;
z+^sbGe8$3{WMcic-<0kP#B$=tfwOJM$wqIU{btXv&d8xgcXG$Yc1`j|9i*4-E7+g6
zCrkc<(+s9^f8Kwm&ge<UH1(5;GPa~_EoBv(HFWS$>10I(n~P50KF5y!oG=O^ZB(Cj
z*?In^c)}q+$adiC$;E_EquIw|$?r73o68o-lA5#;WRp>54Y_Gr*{bfEgd9xgsrE}0
zXB9sn5(8Frt%0gF=7g`g`!c2DY%N3>!J_oshr4`-wbZrs)DU1(I`VtU8VCV4Yt-Ka
zXsxy#hEa*JBj`+B=-2ZqcR6|~7EGEAzP0=*${&5>R-9%UEAep4-A(z=0mW|pqzE77
z0YzkpTB2drv=?_J7Q_~+Cvg+8E{b>`<`N~a9A53(E0H11YMR~P>;Rhzn$=cplexQR
z7%~y@0?rP&vig;)UL|*B8Qhf>{rUcxhcv4_`zjmya_X<@xX0JYYRK8a0BBabYJgmz
zb<1^5$2Owd(XgFwAK2ck`#<ZOi?;vX3?t2Ih<A}7&1$H~kX1#KK(kr|UdL@ih>@H2
zYN!l*58I6Wgzdv3Taxn#y2}aP1T__7_btw9)6v6S!)0G=@a_|WB^~-=IZbsTF`rQM
zhYKe154(oDT#en!zDx*~bSQZin5Ariyr_5F#a$DEMYCHeSfIeW;77rqNGHPOG$<Ls
z^L%0j5nN=!L$;*X@C0B1TNFybQil^N0ZSdOU5GTR+4Mc6zfx(YcRG>RkhhSLs?}_A
zM=`mU{FwZXeEBCRRzoi7D9V1qm2ZBx*HgzRkG3hV=}^ef!{3jipHa^-ukX{M<p|V}
z9VPe@+kru1_%XuhD!2mkpO?=x?%TVw{}kOX;XomS_DEq-Vnr$$h9`?#6Aek(cO;_>
z9i|E{K9#&@Z%(VQNzx(dkv!VSG?eXTQZ|Pn+R7s9T<h-;na8i^$z7z}&JJeLpLsRl
zSx~Iz_x3YUD(n4~t~#D)(C=GTNwtMNer29(g*U-!HbA}iuD!C0eOkcausJBWL2!X{
zg>#1!#@NkBXN;a<B)tZ71jrHiAqdb$iq*#6M$`d10^|scG^-)SYCkioJsU6hH3B(8
zM4Hu%gVt7r^PoMvnatLTo=T^<G2yG)w>Q=F`RNIqcQ=N+wlsM?w`iNZ^+9!w=7AXv
z8@ZgSE;dT@jm{ZSjj;Z1c)|m?Q<(Wzs41Qy-Z7((Zl+C2g^^;lP0iqEO9?_+w7RJZ
z5MuU4G`|Z~w}HnLbH(`m=>>07oZ{-bIEOAb-TfxE1d}lm>Kma`mHMSP(y|Lk4;U#{
zL!<|c6ssZ914fF~5a|IU#cGK3fRSP~M0!BSM*sByB0I-t3z<sg@mLN1VF>TE>M0`(
zf?hQ=Qmh6}t_Ruu;c&+u7@R%8i1q-zYDA=1ZA|nI>_d;9zGSCR9&MAX%8bz^MIPjs
zgD<PH1Q4gH`~JDRt5NBa`n%5>KP0f~TGI=jNgh7gtkqTxODJH=2QeO4Z4#_B9^b*8
zJt$T~dexFvWGajYsPR^>Z#TH_A=~h|t$Lg6=qV9>Zc;}wlFAp#gdj}HyFF!sLorF|
zRf%&xR-0v*Gr2Zx)fwh2u1$I|c$Uqz8EDNgPv+W0CqNnI2k|*`jtVmIhlPKer(jg_
zZ%##4v|EICUvI#_<uw0%vcc->n=4p~)X3?U1nE_K-elbMfrs>}HFg-!bgPDXu-Vy@
z=U?Tm?~G2+BkYw;o>Ji8kT~<&xhVxh8FWH-(42U5I`j0Thk$1gkzO@YY#CZo1_F7J
zQni;_9k9Y@fJqrs;WJ9J9X;G|gqgSA7Ni${DQ;awffYUj@C<8`X^X+>3w}qoQD2sf
z4zzwL20jDu4EO|ye?v;u;5!Y<Qnis8znnXO&p3W^|F=p<_a0EHwkvr2<2A%*0G<KP
znU$q#WA{gWl%;CmMaoh&=LSc2q*QHJ@CJ*~FU2#0m8EL%f-vAS0M8is{h{8`9Vt~K
z&AfF~Ai%F7E{X|p)`=yuQi!?4yOMp_cf?+a_0u5<qBAgy0nUICoq^yCA)+&Ss?Pe1
zQxTnU<xoNqC&A^6BS<f2lMnvf7&~{xB$V#8b0;g+nd!y9$m8VG2*EfK|BqnIqjp_F
zI@SIM!LVrl|3@(Pf;S%DbmIRf!Ps--1-^l?g$M}74+e61LZ+iniK8EgVN7MG+W0qJ
zCBV2n004$%7t*Qb_RwOBPe-<M$M@{pSD26oc>_6;{Dk?QxoD1?iaUW6M2H|*bDTLR
z(JkF)e&lF+*KW(bKTa_ZPTkURvhNG5;1xhuz$6`Ir&@B&dUyVg;ew3`_xn3e#t{{~
zqQZ#rHgNp&b%a*{U6Hi78{rkseyhIW=yx8`dhy1*c|3S5)`Q3L=h1nIybRu1-Zfs&
z^2y`kT%aouTme4j-IiSlu5b(Y=<&ICf5hkE{VEkcq|ZlUrIGx<Xg-Ud#n&z3*YF?l
z)rHH=srS&$Q(y(30D6K+s#A2T{efI>1g_e4uhZgw|GfuGvMRo3J)&L_ety&h_yjse
zU8kZ|*jtidaZ`eO`t}h`-wwIz!E;+I#E_lXO-vChkD7$MmTaQJPdxv?lkp%FUoKXa
z7)a(woFu=QFcZRXW^>NIHi^F`5eR$vC(sa*UysDsACt9q3N2pCRBX=a4a-1P8EiY)
z-~v8}C*L-BGBJ$S-SD&1r*HH@V3Z9D;THHad~-LWRRawfqvxTQqrK4~=s0vLnDIj;
zXqGVRUh0;54U}c05QCkZtmk2EK6z)enD#8}j=ReI*;;}6W;7}`(liBg%nqU_%uYCF
z=ku~aZ<FNBvIhqF4K7P#OYNGlT-9e@E>n=5;K9=22Pd>!|MscB+UVWm6YXv?ufdr+
z-`a5*!6fc1MpbnIHz*zj-C2dY;}VK5Kr!&h#Gm-0sMgqdX8xO{dqKr}v|$yUrN1f{
zuWD+8Z^4`FI=6Vw`v<wvt3dxtqR)My4C#Mi`G8CQf}A~mFNw^6vV_1HmJRw`mi{5@
z)hk;HL2;M1;1hc~Dtg+Iz$JkuR(%eBCNYGV*+|J63{8}*MY}bFlC_=9``+CwmxL|{
zG~#AC>$BR;a^eems{SR+k=X@$xdc{`i3#|heB)}R|I(?jISsPY-?z;q;aFIW@2N-|
z_hVtchjXI$(2s?s=j_;aK%caRJ#NR-pTSHsO2Ir{ygHYfsS?1mTTYH&le|=Ib39XT
zSwwte@&%U*E`gss7p24(R=8%yGhUdSkB4~nvuJ@*CPo+Bc`ywYAN2a+7O;lxGzi}G
zW~#AE*y>$T<dc(@cq|B-k*RX%4jF}7lPq?vTbF`~A>~(9Gm%Y~pUkm6S5l2*G-$?0
z5(9fqs7ykU(o>+Q9DO8^l+Q`lvxZjhYQgVK_-uA4fvK0B@Ii%j1dpYxY~ktJ;Q73T
z8@i_gAPd7b_-tB@?+c#p@TpeXF!wKQ{w0Uccn(UJr^`VRdEmoXygJivP0V#e8Yun(
z&2Ou9<H#UzF&-TfQh=MCNugmvXsR*v*_m`qNJ4yKepu8+Q2iB^kKeT<^b{?d)`DNl
zT|CbPrLn-Q*lC?X8=o=#rq%xGY76^6<7b{TDz!>6Am`bWN4csCe3j*2Xr%p%CfH1l
zCOhz1NrX(oMM4$f0pXJ5rp6~K(*E_A;}dRHKlH3c^0`e>{WW%z<8wh#{RM-Eu!`!h
zv9BDTVMX=V*wf7NJ&Nit7<7Lrs=tOtY>1!R6xClJXNkH*Jyc5(X{8KwfBoDf0@Ysz
zBU|q;+0jrN_oO&`uA5qCOH~!lef~Tb?1udkoX6a+!Xe>;pSyAzYtJ{#6OVVcR*WjD
zzl5Os3sisQ*DvRR?yv67(DKcdFV|O#ak86ehlTAewQFR-of=5(muY=w`zt0%S^H(3
zZsY^i>}aSd`&cZCse;<xO|}c}C;l;eI@#`)0Y(hXesT(Yk!-O|<-%(`yEl9&5_=H)
z)ycSkr*D02vGkqOpjco@_7YCCeub7RTE7ZJLpA$*I6nVczmD{Wmgn}?W(o&;A#wE&
za{L?{JV-Aklx@ON#_r!=uPpr{BBfu@^taSs)H~yp8=sN!=y~X3+Ah83{GG8=7_%6*
zH1@pD_&4)I3cFC*d(lVHD(5F>61Hjh2KVc2T$W)?g`79n`1%ADRcp(;L{(MT4LEu6
z^^DIJ7LvuS9Nj?|$Nt*={hv$vNT3o7R&;`aN-!DH2{x$%RDz9s9ia&({RNd^xHH|?
zzqZoufZSyGn9ENYg!DO2tuD0#DTKqp{WHjFA#ix`HnaLeKG8L`voF>`*KPQ)sE26L
z1b2*lS_`2ED+4A|>Nm`)1C?M{9MTEqfL?_jr9z;;3*DuOr6{HPYG0_8wg?-9_ly15
zP~)=QDhLnlvr?C&6PVb=ps{41Y=tGM@#7-{BviUx;`l6esMR1#rR$lt?Bouyt;|&h
zlD&3N_sEXO&dI{shZ>hRf(MbH6by8NCA|tnO2Nt>p`}bkDcG~RPdJzLvt)ApzqD?w
z3ISHJgRm2w638(&a*BPg)EX%T>)&y!9gUQN9k?}Z7f0AjAgL3Lh*rd9#C0no>`{xe
zpa>!|sp1g@#QQ|x=ZMe{(FUVmFpZ38Jx}r`a(68Ghygh#3#<b#`@7$D`>FaziS{8O
zlJTD#ky0?w2_{2I!H&EHonR{2FWdCvXD~jI`^Xwp$7ht}p;oR+*X*U#HfJ70rN&ZI
zsIPdJsW+)lsYkb>JZ`6Mlvfv26tUdzq^y!d5wvD*1S28pNLoby)as3LQh6n|;<hmJ
z==I~B49Y8ixJFO;yF+*)_b;g0h{<|mL?lf;7W%@Z+P}`S5??=mzX5*I?B-lNj&okm
zaK4^umS;R_L+nqLkzAJrY3`BJ&xbm3Dk9ERrti39;b>c(_p9QjkbbJ<SEYYl|DBuj
zce92r)Adh;)vz5dZJWtFP{XcC(>%lJx_q3LGFY-oo=$qrhE~w_JUnl3q`{Ay`!s`o
zqycj*t0^$|NW<~0CL_v`2GohHre^SL9wztc2>7?!L2mBDZ5z|eXr*EMC7f+nj?*3w
zmdv7N1!T}>n3umguV-@iRYqt`XHf=CH&(K7R*u9gAz&rORpcs4KCgG>#P*KZvgS|1
zWioZ$jF5`j+ZRW2*I(LtFQX#z-7jJm=-N%?1BZT({hIB^eJSb_8MNeK4sxMlS`B+8
zCYW0qQXX~e!zn>oM1OF0fJ<0&-0v9rGAQad*prH17WSI0Y2>>g)-`O(x)=A@(WN6?
z=&~#!>QY+p^V|rduF^0gO7q6YnQwaeA=xWztACBbNGd&O958|>V(CegGb24MU}bHx
zx@bNVT4A&y)}5A^T1=~m*bsZD0y+v)$rr+WT5fR;k;iyDvi{}L*O13W8vl1L{m|_-
zJdp+nrFX)ON!xXiQ2N9mX`#BY5hXZRRm1P<MllGbzuyR6>G_ZhNu+<_1M=v_Advn+
zH+W&Dz6?oAo*r}NV1gI~(myrfi!@{mG)POn^u2tFx`t6!+IVp8Yh@Tcc#N+Mqn9_T
z8#mB{bCEE5*x;`+j2^x0_JewL;~e#R^sC8`sY?b8xm~8C6VbWo%jnUYIs=A^Ao>SG
zHE+=?Eftx`-4>XN$SGJ)V<a(o8wjGe#jdpMTsDXqpB|$Oq8D{<!Wv<%up{R|5dG?r
zn<{g0ND%!aRGQj!%WK~Wr}i|?c5sO|hrHw!5gP6X8At~clID|%BKD!@Z?gs)>)Vdv
zCqd-#O8gEuA?oB%TEs=T3jX#0ehpJ|7TZ>X1bP{WpudOG1PSzH5JBHGP4kHVJqt8M
z=fo2Z5l$1X5RjsXPsE|`y@U_P6#4UGljq`AD)Q%XYS^R1^TZ9rNXKRIL|dYYhN_w8
zijnjBpg+@*@z+^xuw{g6+Yr?8VT3!9`-587woQkDW4IAsppSc(M;@M$n$v<gLfOM`
zo8=2pW-T+#Vu%@_@^|mjmX{)Euw`k>mZD*QpRtd=zsQ-_SWcevyKq#5iv&`sIUj_5
z!$|(TEaZtye&d|X1OoZ<13UCKWAc&wd5;IUC!2ChGsClQ6;h$<poI_DsJMy)#646b
zz;w9&U}$izB7lB~_$(qQN)bTc82`O|+qN7X&h8Vm#p0RAMGx0RxE=S85E~_U@~1N+
zIiyU9{5A-nKcHKsfi|y7HChwFHPz>ruhQ%jo#*g5a3<;*2icA380F~ja6EfnXAuaX
zANXz+c|aElpdWG5%LB>KAb=iTQ=|-_5BipV`cZXGOLaPv2R_bdwh!uIz^~uY?C7)y
zyul7$53fE+5kSw`2O@M|Rax*O-Brh*R{JRf=ts$X+9hQGefJ1-f$w%a2{g3sk32k`
znSFirb15RyVQ787yTnttNf;$$3c12UVbZsJv?73hYbLCITp2(QlT4HW^x&Ia89;AP
z(%zca(R%uqa9pS>?l2QOh*yc%i^JA}0Q$owhYRQ8UW<dGk`6TxkDWvU=&Qt6z9heC
zd-?fQhnOWZ@meV7=)nQ&NduNrUGjJsYPAH~J@z*52`^5PDmf`Bk%Vp(Hs3-5=<|GF
z3HL1sp!dx@C6wK}nP1q}3<Bu+Gg8QPfBSF1{pE8<B-KG~?70m=x--_gu{*90F^2+W
z+hz1MAb+0o^^n<Zj;uhIbf}(q*$c^^w>RgYpya4RG<Du0^lJ1*^iFgVdOQ<75kHSy
zm=y8zy}q0baiazjKR=*hcCI1hJBXiGZLIu=K7c)8qT+6hormpSj`hZdVB@ez{QQ6h
zzAGUUiJ$*!^*kShz-oZ_d02ZQeje+I#Lw4Zg9$O#P_6HD3lN!3Fe5k+RuOEkEgI_o
zxKE>be`zA2QDfi*KRO#%1I{0a=N0ku7YQUH<hQKWH=6yP@P_~q^@!%g3yX+I{QScZ
z-^@Ist0I0Lth{J2#me}3ctAIe2y$n<Oj|MyC37V~a?})WI0W7*$$>AyH{d7mIGs8X
zKR;H_T(69u_iW*=kMI}GKvxH$M|{)+8iJM^ZNA`p!MBSzNX@Tj69g+-*2x=PrnYD5
z%>7H$BnR4b-J>sk7@coAIG58XTbrtgpC5bnAYU0jKlI>_toE`Zetvvw=0yDbfvucI
z4MqIC3VSeu(!yVq^e=qAcl*8Ewyufr`4b%_PX!=+zIS^)yB__T`6Ix~OBp_YqT^rq
zeDC%ZEh<d?n2GTDy`}5qFTN|o=hw5#(2Xvmp!_`KU-*3Q_Ay^;hBIS){X&k*j>$zX
z+#dmJi#_Vu)+uZ@w64E|CMLgIr;lMKcz=i8>x{l){E);0uis0N$*@K#cW=>CJrYb>
zjqDnCs(|2AFh>U|w_{=>mNFZ)pSV6p7;*|3rt<@U^X{dg0(PDMVZMD2HT78`cM1l)
zwc_Tr_3sDbDjsTz)yz*Zsc|vgPM`dnPN5*yy6zy-zJ)tt#vf&&ns}KV7i_qL+<XIT
z!yQM0X6PBxRN3qj8j6*?_F|A(LeakMu7-3lWe+l6H~tY!*_nkl-0t46VT&+>nNl!j
zhoA)^gWP?)42#bdZ(l_@5}E56wp)MeS!yOYE;~x}J(weOJXLQOWU*v$ia(n@@2+B)
zewNqS8`e#%I?iT?>0<Oj8WDBRoeK`9@q%^?tO#cX*{rZ4oE2oVrU-HNlse&ynqMXc
zG;?U?S14_2qyY~cT89Ri&t||B5)##Vb8PW<A&D8s8unmp+N~LRp~-rjW;^riF2UZL
z<1}cTZo+HXwm@vc*vS0Nyo-j~ukB(aJ^fR1fwBGLY{|>0%o!4!EEH{8?$W4Ady26P
z=LIpwNno~q8#lkD+!*IVEsq)jcipdjkR;a;XcxKz8L;p083{xBC0u{yI-K4=^e{f_
z(g7Ks?6<I2SSng?la>GFU@?S0S|rT6WM;$t-m&_<%$~CCOTa6UkF#`X=TzAL=VOP{
zn4x-i@FEk}zH4ShE?LPOD2END1j;XR(%}dH^SZt=H*y;3HYw8&EKa~*O1=s=-JBln
z+ZS>AXUP&ZP`+_yGc`4Q531(Ly3FBgS%Z~1crDbFV0XC+ln`E$pD@s|I3$5ylD{wJ
zH}^c4{uQE)_)dMc{LR<Sxx^G|sV4F>_^8XY{E}ZHe&I#ei`s$mwS^lEQLY!Kq=FO-
z{mJpzjfFS)Px%nET4VjGXEPz8p3q4eD4#EcRtPhO0_7pX<uY&CN#T|RSQ!}$zAEb#
zk+E-tLa3VXS=cX}B%Tfy9i7E$8E~^AGPXr%LW<mjvK)vM9~674L#M>0;@jfiutY2u
z+Yv<)XpUrr_}Dm5vi;*S@=?ioNgZFJLVhXfl1%!c_IWF`CC;=1+_IZ?P~qkT`Zy_Z
zq&W_XwD?3q?x#%P1uzjlkeprbpm~seJhg<TX6R?+J5I}xLmTB8aPF9n(}3gMeyiBW
zaNWCMs{~cl2}d0#O`xfMp3QTjb)1X=L0rPIny*Asu2X0?_%(GB3Gb_k9av3Y5#qn~
zE74~$Req>%$vo+ITV(hDC^Y@F993X{Iy6NFwLno3CoYO?7j&A1Olb#84sSx}aC1D=
z<u=m1bBf=uOwik~YDWy~vsgW(V5_5ZCwlHIEcY@tRQHRW>2BXHJHLU2mlIZhRvRnz
zLA{EDUWJ&(&M2;S{EU8XEwTgODEP|nW{>92@C#N2fnbi+cFk(^H^lkG6^pah(0^|b
zBT<1ao?D%tueu-I8OZY8=0=|9J#Ql0D~g<W=>KGUF^S5(hRoDKZOpg+%hl-<`G6b`
z5{Ubn*tIUhh!nflJL%mZA8?goErMITligSCIL|$EjUocf1FTwSrmN9SFZ4PbF-!8z
zNu*{_OMNFJ@g-0L_135gev7$Ftiy)qPE+Wk#*8wP|C;Bl2>I`Mj#Kdk*W%*;%yS&F
z_A-)=?m(izAZ+_CsEAR+c*J<i_{A7!=rYZiDh^E3NbVZu7A9kVaY7>~CB}a>Z{Azb
zztyovYn1uZk<C$^zrkhQ^`+N9Zpx)<Qpjn#bdO6EEwnF6u6ZIDO6>O%=M4#l-tT?F
zd(ZpB8$<#*-0b@#U~mcBgOeB}4-B?M=09NkBLjh8EgTXU|5!^kWDi6`jdeR241Q83
z-Ty0+2gcz;1^h~WBfp*hoj<}yGUXvsJYBk6=q(HpzK{L?D7(+7rnbIq^eYqvETP4&
z0RhE=0V#qgE1`&$5ClZG8c?xAC<1~?5{eW{=yn50QA8suMMOhy0s$$4EeS<X#L$bB
zb>>Rg_j#UkzvCU_d~!f!?+9dN&H2CP@8S~%2x<-V$6R?3K+LhgOqI$m9zJdur*&?q
z?EfzX7HrHYGt?7Vpe0Qrf6+A&gv>%<RZVH4Jkj|N?U@ZdYo_rN=!mF86m0y3P^gS(
zB1Xtg<Ph@G`k!XJctCUoVId`pW*UE>3>Z+rRP&Lj5bHYKgl`uDqW$8a>{qNKzXta4
zG9E-{-?D0RU|b|c^X8sCv5um(&#H#^pApfI!vDjFh$3OY8ZUwo5ffK}=3=5;w>$0O
zLr3^DK9e8IpJ+aAC@=E%gPt_(v&#Nl?_J6N%>P~g93wUK$yHA#X3ILeB={9v23rFN
z%wb7f^iSPeDy8A0YYk-O3~no$9XFISxFe@%w$Dn=;I5+CMev8clAMZZ1Ni)X#jW1a
zSUnnB&X4#U6MJw$EA|)m4Lhh3YE|!|jvZ=U*P}kHz7xOx+|2bw5(unz<{}s-iDyYN
zkxL#~WZ%a>#~0#1;ydxsC|-`RjBwG{aAPdpk&wriL2DUSV)cf;3~OyCEEg#Zdm0GF
zRwP^=_8j&R5c+NQEW%!M&;^&7iaJE?t7OnLWrMA_E*Uh<_{d8jun*vhBN;R;h%K;I
zBgovn;o=cm7dqXX>?#>Faqfby&r7)5e~(4>m(bpZW4h`>(LodP(^fKQLbfDI22G;4
z8_Rwxpb(hoMncc4@zB8nwTVqU_wpO!K@*a{Kr(0=0}z-K3W320bY3!O8Uqm6cqlq(
z>gTz)YSo4Mx}$?8r1Y_5(8T9027{*YP^ov)YTIS*dPnQ(Rm0tC{Oy>9{jd~Sl^n!d
zfk(l}DKGMw0Wk!oG}9)KKw#D2-zbK_2B%+-Ig25%jL2W1DMO)m3&?e3<Ik(1KV*oi
zOx2_sQ4{&-=>sT@dRtRhZ;0Pa?WS&Y!7XNV4JNRRmiyH1q#dH2KXrNf=ARJp6iRJ^
za+PKzhQJueECi-7`Q7i=3v>$g4>AjZy+mdqFe79Z0`tX-A+Tof#c|J(*(p>kc&cIu
zY$GxYf%zk|5EvW=ATVqtMNf_O6-F@F9V{o-S=Jh|F?l!nFnOvFv~kVOp<@2$9BQa+
zb`JH%S-s?d$NG}D3)u#0Y=Pw+B7ne%Y&$k|g6+!=XYZsQqMoOs;51ajj?<>-l~56Y
zuV-!O8f26bS_nOa6C7WTF*YIUuI7f)kyqE+DqUwB814eMDfM!<QOTqVc?U}-Rr4%4
z$``HXMJfs><6TE))Mp{Em*d`aBj1Vd;z`w{u~Qf%o>T?f6?%%4!oBoRL==IHk{F;>
z>mm0Ax0u_+{lOg`=iWc2pol_X6fT%mfl-x*Y&#yzs!m$lczhi?;33sD^co!<3CNO^
zGQ{B(@fvvx_+vbI{&Kz!AG)pSr6<8dQ9Cq+ua?6{U+#-V9G7hjn(pQ4bG8x)%nISc
zl1bJ)VW#rM9asJwHymjGI+|+yxIIRbUMTALF=GXr+Mt81UXgqcV^|A>JC<oOa|X~+
z69O$)G6hoTLF62QUf+_CsaJ@C1OfxsY4LenEcWDw)2iqa4w9_lqOi%>*VuAwD;D~N
z&A0Q^lNIlhXmAWUkTvHZ=i2fV)kJ)SNM3Z5O4Jd-B8up^h)$@~ykANPX(5cNEB6r)
zf)ac=d@e+QN!w4kIG7w$a)te1m14~8R|X02V>lnKflu@LVF-P>{QGO;PG*oHw4tFR
zc8XHC=NPVq+(U-`lIK%bQFW>2RC{Ux^&%BY5Iz1g^Q`Je+sQ8?A=NTR{Q*@~=KL`g
z!)UoRC%~o|0U$Kai&w!UoaZrgRoUu=e@r`0aXmQ|m7orm8e$@;51Eg0U_b+-p&Xbn
zRshdW0cUD(fCB>>7+%bQ*?AtYH;n##z+uhY*VQ#niN9BkN~OvX|HkHM5Q&%EzsM%~
z0u;<Q3%W`#ymY`}((aYd+%o+0`JCdn911wC>FF5y))$<l!5px!qYLO3^@h=f)^j}n
zzUeBt@ko4dhCbVdW#%IAeYuHFq}zGUK~=C^uvbs_NcPSVBwjJi5r|bVSC0wTGZ%d?
zh*hwR03RkVx{dDf=#x_HPA<2B+mRo2#cvBvK1U$C%{WZ+#r>^CTZ<~#7Z*b%(WhJ-
zqup6?_z-G)^x8E0EEd(CWFB0<CRLz9nEA&0_fSo+D8jKWZ5jWzPF>o+hiX1lmc)Or
zV|ef*UBB}(Zibe<;+0h|%ws-2cj9_BP{EFSc!2_J7s&0n2T;L&J$vE3T;NCZLRGLO
z#~hhwia61<6ZWD9k8=d;s(Nl?gYC~0EsyAY<yE+a`Q|6h*)W<T(t9I-RZl-KjJCcj
zc(^}qo{QWG$R_kh#{=Q%X!(&P2z;hJ8VW62ZQ>ZcCD`+rIm=|yzv^NKTU&!5y#}PQ
zy_2ks77|a|e@F};`uYPGvM?%qsAllorDS^YgD!Qa8ytd^<x6Q!L<(jF6MF7d67T5A
z^$JO)l&|N46NgijNY@<K@=-9Z42HNRTy$J{9V*BL#!-k=BYaIJQ<VuOu8gQLSN+P=
zPEIsN?Zth^=p$tzsdvw~k38tY1+&H##)cBN#;GiRTDDqCHCbm>NUD}9TW8fPA1N)>
zM>?w<L$y>np1R8)bb*J{bXJwbYpEvbtO_jy52xxZGZPkCNi;weXjM>0WAw7~nk!yj
z?~)2h_PE>G7_CEiad(TnkH{{peMJ*^B;#=<A*e&KY%E?n0t#3t+ZeTLu2GPAN&MmS
z$9sfCc%bSx?+<ibuSe*vv{7kLX`d2HiQ@^Ws5dB`b2;U5rpVWY=Ira1xKqc`^LjSY
z5Gt@;+3vlX=Hb3I&RwaHv{&|&V>D)Ncf0JwN>_C<eCA}to-+{DwNZ<9!ZE_NZ11{A
zq%0VbG$)|L_N(IR1itfZb3z@MZ%djJzC`9)y)U%-Fi2Y$#)-ZN8HcTAzPR)B!5QAA
z4_k}0loVDl=ie19m}<I|baVjA%+PXCDGb5g6)d_dSUi4}cbk_{_Y5_akOK)Y5jB;D
zrnIVgMPVqYgzVx-K&6U5a~794oOqQTKy*TIvz`(%H0vqRM<t%pc+-vkW$r&CS8P3z
zC09U1QfE0OggDD7_1n+izre(OKi`3<t&4=sVoLB|F{UJPDv6(xavi<;uchQpW6;dp
zo;6Fk{<o#nM?+}iW^Ule>-yi85{bT_Zsv9bJobOEl;Y{>;6W{=nS;Pm5&=u8;<^X0
zl;#3U=_h@XzS5+fxl$^yH(U%Uos^A2B#=@h_=eX{+Q?jYsRD1>{})NgFx!o3NBI>o
zk#F^{r1ZA`|12q`huCp$I#PThW+kN_#;l~&K%AA7dKmvhQc7cup9w`8d?IEgr5?tA
zNlHD8{~;+^vd@He4*7-sm!zc6n3a@z82?jJiUoiF=!k#ltfX`$>c1qVJB)uNrIxY(
zNJ`1A*OR`s%}PpFqW+bXL{4WZGY9`~lG5svx1K4m-0Wr!{wpaJTAQ(KS@8L(OhYNx
z{~;+wr2xK~gDsfyrDz5Ge<h`}saD(rTwY56<!jr2NlJeX20BQ&{(bHE<GuaAlG5sv
z%C*!25s7G}$(XV(42}F}1r@yu{QPBBQtGmmNJ@Q&s5mLtSxKqO_Wvs>sh|1-{yU@K
z^{+@IjVcXy(nxdUZOkZ|WN7X5-d$!mC-PbHW%5mOqUHZhQqpHgB&Ga*g|5cj-_3<z
z$bHs!lu;!q#8Q_!Wk+$U66>7~;|yL5FXi0xxh#xXncWHJOQ+9P@fzy;t}M=#U#aLk
zu6hDJ@->Am_<KY`Da}mR&r(YLy`pK68BOgiN-0e~u)Urrrj#t0pmCOh#L!aC34b(q
zkINr439q67N{L#4Qc8S}^BweYHj;&`1QE;!E7mO*-Q0D}W1K}_1wiu|Pw+`Gr4+hx
zi$}339SzZx(H#)tETt4?M!eNcLvM4IvcTd^LMi1rV@?;G#o^cD-;V}#Jr<ol3ymr<
z^|biAY!&vIQ|$T9{K9|t*7N!F)X@iH9N%t5U9_NOGK<^85L-&qh-Tt!J&U4ls771;
zO^p|GMSa$r^q|c`#B$leL+YFKHW}K8%ErcnL~)|Wr^J?$r*V7z!4Ds(z*4%ZMaN1k
zrR?yjzYhMP5=#lm1iRTi_bf@%oBY)zmJ$MDb#5jLes|6D$=me!!q(@eTDnHxUFmz%
zPlNa6yzKDt3h<&aHY3LE)2>D))n0<`H$4yQTa~@UsF(1PmgHhQ)Px^a+Cdq{Lj+}l
zCc%g>4*I1CEu~^h33&&?ad=P~gUCby%NLZ!i~%x3jfjF7i*uJ($~z=0J8+D%2vT0c
zZQ9-YiVjwJ39Eem5CqPmIq(vg2jk3vrNpW;?I_6(zg*@Y>W;*w@1D1U0~5JR(*Ke(
zK7H$#MUvAm%l`}mLBktF&B$xS@=cE?PHfExfW?*)QgEpM1x&ozCkpL*xbR98u$0C=
zT)nv4`LL<tX_c+9-=ks@_V+$4vhoi_s&`LTnbNbsdy=-_k=jj@f<$h~i5w5u_>S`*
z>Tb=~mz7yj9%pEvj_gy(^7#%?hfm{?HUx}{cEC@@f-{uWi1MMQE9bQs5u;?=!6j!9
zeD{#AomRUZxnzKgY|ZfIPb~)`z(tmVE81Mkp4shucXD8!kNoX0*j8>X{Y>Z%S^rRH
z#1S83;~fP4Ju4d%YxPeo{alX>t=#<d=mX$sn0hP7KKf3DrETpT>D-aKvc=S<Lu-YY
zM?1*|`~Z@#Fo1lOe48xDAfqcn0lB3Va3f=&bH^X;+;N)J|FS&M|2}BknXXVHN-QPC
z0q5tz8n(H?aXQqc-Diau1MTjE%!5^Dg*#*~P_G^szfH}ct~V81N(kkM#8MjSiE@=C
zgKu%fUc_eBQi4szmeP+r{4`QGYbgQgPhu$vj^Quhk0WYtpI-%*5*7lM(g*f8b}q8s
z6h8eIwUl0m_aK35vL%*MjsU(Vwv=44x*RFR?<pYcL|@4a5UymcV-=$KkmLYrOR4uB
z1nmL>Yn_Y8ky%TLdt7WO`KztON1~Qenr_0Y-Ofbzt93g+v)qM!lntF~2WudA;a%Cq
z?5qFivw?$TnverWiY=u#vK1n50T5eC&$86^6{K<UIFHy>mjnK(j^#O}@<!RaONUMe
zmaa;C4GDQeJpC0FBWp(}JR|;2KEvwi;0WlrsNP<*L$>rwBEp@ul;W$l?M#&`-TNio
zT{u^&ZPk204{+y{uY89J_~R&nU)ChHl%~HM_Dd`!1mxbtmJ-sNFR_#?u1)WE{@k&}
zqod<h9#{3v+9;v6%>l*e-%-M-p91MBJWr2TM8~0)61EjsN<Qq%NJrPXF(}Xwtl|EW
zDCdhL;28rQM0p`?-6VMb_Rl{S;kTof(r?2G#1(7#tdmSiYvgostb_};i69%18rQey
zd{IYMMCaI>BVFU?%Lq$fi^P`F80b5S6W1Lf^jS*@c|L0?QTL*j(nH+)bli~-QzBp~
z*~=;IP*9ETB{`_rCZ4c4uuK^J6PlwwM_nDefH#zNnxev-Oo}rVVw4uzCSvEvv@0o(
zquP=EL$ReaJ$Ob}Vku2ra^by95L-&q@@a|^OG%iD9ua%Ndv*_4O30U4O9{IjSW5c*
zNrE&#^FF;mVkr$e!?I#a$qek1PC4<P-IG{KGy9!qEv5b#I0eq+*NQEr$@oM2ov#!7
zJMIZ*x(t`;dHB3SEu}GG%4oPQYAMaFR&PO@&2zSM!9%dO*iuS%eu5LAJ$Sj>&O5w9
zEhX#~U@09YqqU-o4W?9>oI4Ur33)YZDFrKjTtLNBEuKv#@g`to`K+Y`zZY9d(cphQ
zWh$)RDzTKng+yX06@74_dV?>*DDi-$gs9D0O0bUDQu2O$Mm>;oM`9_p*wQ;BmXd(l
zKS<5l?xxPUgIY>R$gHI_SDwHN;{$}%OkOs?2nn3El<1=pOX(F2Dx>9WZ&%{n;Sl8M
z%js5675%l+32)X5FzKqLf`vXxP`>9-);y&s;XJVTznre~PHGuR_iFcb@WWn4T4tq3
zD4?VV;2nsrCz*^iM16KuJ=P~h{5*sr75OKF1@1D8LHKS6D3Jh41&UPcZ|2%F%3eRX
zuYI`6!L8;S<M*ntP+1~9nBM{x)Opt!ZeREa435WM{ZDPBe6*{46sWDt>7T*GVCJ%y
zMk#*8oiA(0KkB}}-1u^K%1z5?mM@#~8~-sWs>|-C)+w;wE_;1KUtZ?KmfL6j%3gYc
zTx!1Oc6H2K2zM2o<!MHJO0Z1~@YavNYWsMZz5_B#SPbycUg|e`JCY%&@SN{C-;$+%
zUiJ*_Bq@l4X6JJHlkthrWTNR<zj!_VpJ3{9Y(EI5E>HTB(|?SHlHED|jE<as2c|u<
zEvNrcYgR0a69P8GGooH58^zRQ_mQ?qwdHC?|L!C8S=q8I2v-P17NHh7#mu~V5!*OS
zl9w*4e;O*dm-lRbcCN>EJSe92Xug*h)z$d7|7P?r?#5J^x_{N~dwI+DX6F)l-Cv>X
zcfRs=xL|I4{u%YO?3p1S`@D+dy@jrj_dubE+NZ?+A^=}}O8iqKtpF{Eniw?6x-N|9
zRO2fr_g1-uTgTd)WMQH)(a<xgnSqU|MM)8Ye9ue#lm7b!aNm`DPwTP%$E!P`Zp^CA
zQ_PKzUN?03OvrZf6_+nP#k5<xGGgP^?#6*NZO&F&n}4obaGn(yvPLZ|<evx9Q6W&J
zyKJ+&tZbgUY+3R0*yG&j1G1I&km)PKwobO;D{Dn0_H~2&BLOu&E&D2NnZ<npfH4qB
zMfGb3{v&QgZr8ez23S#lI99M>xOfr6xm!Ewne4l>YsCiD`K6fCdpV$8E>&moN9Xy!
z$`*q}74NZrTk3dvixRXk)tY_qmU5KbRn)xO%w0{545s!RRCjyvgnQxeTuU#UyG(}f
z!nAC6nWw%BEms-3%Vhd4^a6i8^Ie#-G1Xn>xvv7RYQ@(NyVlFA*^U%mXh=L)F(}ul
z3yLa1C}1leT4mFimZiQdSrr%L)SUM6%)C|u)x_gUUWVrKK}!z`<ETAOQ)hEq7E21P
z(<?kz*!O#^RKIY6tBuDjFKAhWp^ig~qc$W%X<5hdpO&R%Z|9R+43rF%<ZwX=7+fg9
zrcoXFL`cnoPHg#Hyv#~i<gfO+K@E<JmBI!8zW3ci?{$L@CIOR+fm$&Wm}N?Mp%rO2
zX1&l~&31iX;L7}g_>na>jdrz(Pdt&r{-O&bg(sVn)fD;)PhUxNm#<gB6npw$WYV&V
zFU!38*wD6sX#r2rq3ySDH!ARL_``dTigL>C3y@hs1D+-_J;j1XCoJx@ZhB;Oz}Eb^
zMQK{EzlBuxl_CRdE@Yr|c-NJpD`h*d#=S?lH15>%iqswdA{zI&3BLb@Xxx3%P>@^x
zY{wuM+^YW<qEWhnm*6{{W|hFRs{w{an$@$Dhl)KDFkSG5#J}62D@CfH{&+KaWoTN~
znBbyT;oP55T5;=ep>(p^c&j!nZn=i%o_fBcQ119Ua>^O)r1!sX44$mTmi9pS!@J_k
z<I6MeL;VS0jWg@Lq1;<Ihgx*d?}$`5^)7YA(3G<Qt&A!~yHm5ac0!3yg;vm3u($^t
zU0n3cgmcsnose2DRGct#$YRoNxNZIUi7t3bdk11yLYm7Tpll$Z{Tgg7dD@6T`}J!T
z51?!yp#2)$S}$@UgZAqmk%HdXr-SiF@{GZmq0oil8mcN|n<)-PNj~r?2kf@<5GKC-
z*?p;O7Z>PDiR#OoR~5I0^=s)3*+cXxS=OI0iNZ0n$z!%0drFVh<S0=%q^He>5^~a$
zkJNMS`KDzR9_RRQ0J0B+igz4h6@MvOjy(|dN`-BLmSYPzO^&A#x!H1Tdb*?>dma~h
z!hQQT(Ub4<Z{BGtn)~y*MB$hjh?*_Oo+{>wSQ3Q;Q`pA^TE~Y(&mCnOz%*Py=DF~^
zc`s^u6M(|O>jLH2DZC~}(J91iwj3LNBreD1@!a?j{Y#?fA&g|>9OhH_GspR}<=Eo`
zQBPUD&%_D`Qf(k9$DUi7#mVB6MThq|y0l{C>}bl0f49p67?XXU7R>ICXYb&=VSl)X
zDjbu1%cn%K!hzU>GfrqZHUdq6r2r_$PH#0{so)Vk6nA^%vDyO8Zu(Zi39l=wKvDOa
zHPGvcIJ&VkQT@e*%Q`Ziy*`4o?6+a-McYK#JmTp$Y_u{v;VQq$aUG0SW`ExqDY!R0
ze1t`J*c3B@HfDE&%Iq-kQvoyw7Ol*tir%trV+(&QIipuAIzdAehD5T+VnnbGF-7(v
zROG`wAajg?#_Xp=v@m<pulHuZB3hV@ppDsRVfF#gn60H1zey|g6*2|-Hj}cE>?i4$
zAydvi4j!wA1!5}p6xJX6cgr%YHh?-nefCi8{>RuR$A_Rk8y5Fxv-LEaurvKPQK$pd
zXHU(5M*-9U>a*2u^{>W{A5n!1e>_K1T2e7e^CIx~@XzqvC3Wh#p2Ux;3x8H?b^e{f
zBj-LX3?#Ly1wOXeLVs|vP09F~A5^C#Bj2XfwzQ7$)BA(Z4}#h_!5L29p#@up%Iss=
z!9n-0KV`C#sHv<Bcqem@tRgQ&`4ejo^$3-=|AUX_I-1l&POt8uaPNv+ZAzH=7tH-!
zWULstbeiLx-Xyg_p@G8(hhkh{^hVxdOJ<>rd|-57yd2e=+z@~2<cyhz(OM$$GYWR(
zxQWFMJ{mRRwLA2~e{C*s9VKE%ItUppa>-YHVC{6cAiZlU2;ErT<?+Q2>@06X$&Rm^
z={^#&quleEYq>{&$6ChBdoPT3DZRx*(=)`&Ny+38f6^!Afm4(TDt6?nE|_tMk(Ysk
z7b?uN{iAyX_f-$veh57t_M&1(v*$7;$~-@pKYHshzQ^c67@wf|msmGKa0>A(Ouq8{
zN~eZ+7a(?wUv;|dKnG%nHxN5E_=y_waY74wKNsWwh#iYiu_MFH&*j8d12jzP%-ML3
znWH5nWe5vv-bW+fxkNQU|L>X$)Q;af>e#>c;>%jpF`6lBZyw)tWFB3c+B}%AI<tf7
zKop}LT%dLkjrF|~Utz}1Qk!yI0w+JP30VY94%AH8#(}B(X`NIK@5l87D&zXosqiAI
zFSm<o$=$$(K0phL@;32Qs#BM!je%rQks_*gT-jKwD6ZC)PW%Me4*5baH=uTayO3&+
zR^|4j;-rtN<~-&0$*T1iWrFS7liqv2_gr7_(YjanMX&CHUfo}MP`81mXZ7)GMK?$p
zE~AtT8nkSmrYEbYI<*)#C<JHV&N^4SN@c4#wBgo)W#9W^K2{6dQSS8oGRZ<MhQkd<
zJ(9h09L5ed3yw8+7wy67epDRyENGTtb&RF2I{l#O3uPtd)-fr_c^h*@sHOu(XYLzZ
zn-%N(qu-Vl%r@LqW2jrp|67FmB?FKQm%ImwU5zmD``&i>cH)ns9gHoXcpk!J84^T@
z>mh$qks*CgU2;&jAzbOiuOxzDuu*GeheNi&ApB!@KCZJf>-QgmVP|KaVo2%7?(edl
zow>jNd~oROjDGq1&nWow)$c!ry$+PuzyE|Q33_sV|8k?<zHQ9g%{$D4cC{yZ7cSlT
zLA6dPUs>H)hOl|Hl?>y%)EV_N>L2W6l4O!b?X)z{%iJ(u<1eFWxAv+`oAOSLXpQLV
zW9t%SN(R?Ilab17-;ghJ^Vn$7XwmoLz6Q0vhTg2vmt$GiJ`(=Olr_ZVB<Ch6>o(}g
zsbW5E&cvxYGa>!es*7|R40aP#7wa|{Zc{BzHrk~+XFUem;;8Dw6qsj6zxTvIO&)5;
z2ztMfudA?Fw`zHl_o_zb8MwRwjCY~22omCrm~!14iZv;qg&xnw$LM~v^C-DN+Dg?l
zGB+ij*CcF)aqcho;y&1Ii`8U|+69!|FwYt=vbxsb4J-yDE4glW9o|}kEH(r0Q>?yS
z-N4BF?wnrT3zuTA6|LB@-OTgk$sZK<S>tO(4B9}{K-NI7@Z*5ZfX=|1j9%URUfs97
zx&^(u@1%Nl-}may9~dpF6t*YXyAT7TFyE$i`Wiakco*(x2>d`fDzX`H4Dlzz(V28f
z<{hKf+@yHVdkpt)joj*W-PzdG%b3YLaz;$yUOmV{zR-P}u9vcW;rWb2h@|j(aQ?ur
zBxU;fIg!PWt5mW9U)7aXxZ&A%S9IiAl4;0yAYMsuZx%BQXGjop|51;~{b%c$M*}~n
zrne_S-${hncgeR!8$NyK<ac*9_oLO})w!{bD8$fxXY;T>Cou;|48qO;=eq|^aBJQJ
ziGhbU8Q$b3=4jkQX4_Er&!(MTpV-KpD$UN0myit8ZRd7MOa`P}(uT^KoX)z^B(@pw
z;<VGTH}9HjvZvz?H={zshb~OZ>(gD$B)Zetr%546c|sYD=(j0~C7F4`T?e5vD`-=j
zXbI;eO2dq@hqwy$q^O5~IwUna{?4Q;fEp0gp@9J^iRh-qEdW%55jQP%c;)B5D~$q+
zd;MBh7Bk(!Go)Zbr{^hzh^2<U>G>86vDDBewKrm?c0l$3Z6G8md*D_n^wPU?UuM})
z*205?Cu`$3J3ysbn=$70!v_~Rlx9EoIYa$x(HQUEyc$I%yOoDv_c*c#FdM9&^s|l&
zXbF+AAG4`YZsVP7a2V)Ql>?et%BA=J<e<iGVh)NvPG)X~JjCc@1%Ml<w3=*Y!sJ)B
z7;cE5CFV5s2e?MYXVYrlqv&HgfE)O<)mLv#x?4|oONB_#$L+7LG^23C<C`IRGVfSC
z7Sh%5n>EftTjl#Vfm(SxwplA$REkL8hKLhm0B$%g*pXsjgZb`~G^d0jz?Mi?0`!m#
zRkA;`f3s)Uik#IP1I`Xk$ds32*%8AKZ~`^dZO5j-rDbBcAw}84;>VhK!5g@@InB?l
z+T1&9Q#C@(70cXq0Kw+~5PXz9f))ip4vcYgK69iw6~GNsyepd^4-{^AG+wTl4PH5W
zxJS6icTxcND!1@9H-lTit>X%~zD`j}h`4za6p!-7&7*YZO%@;m`1KCm8Q?t}6mH;l
zHC1+X{;y-SsMt1+W+B+;0Nl{Ai_|<(=FLeyP5sA~?@-tcOW+14|Jr9z(VtQ@V*R&*
zbX{+nj}<YIhnS6Mh8W~ZPk3rV@PQaBuZa^r&wX}}+!Gz#$ri&6XGqM11jYjgT7t34
zYpS>#U^oP_9`{tOh0Cd})L&FPWFgJV9dX#35{`g6&^QPAJ}26~%-R4~V_YlJ{QS-O
z=ioyCH+(z}+qcnHTo0dgzq7z6^C@3do4zkID$W7fPhSHk>?aLbuCE|P>7ln(NP!-d
zAdXE)8r@<<gL#M~=vM)DqQ!8-=Q~k|B<S}X>?4cehKTIHB&&zJtw7N4btM*s8!R`Y
z?G~yCRJ-|?zTV&nynpRSllcV32$Qu|TO-uL#(dvO$A5NYn?DcFr4HLEg&BOq$Ti%A
zVo1;7{Ow0a-qXLre_)8*sZ8$AA3l;ST?m4Ehy-ppAH_$TJR2|`pW6<ACeLLji!@ye
zDR{__96??>d34~TwBF!1Y~Whm^6dihDsVc5h*^7LlJ{35^xP^}G?zDl%vN+pAQHHt
z?-DXw(V2+MR&-v5C2&K?<zQMN$`wkq!a<FfrEIjGvkE<~e*UkzSLWJ_0B+cIT3WTh
zgudsZzt2&+2R(>B9!F23=g|S&(437$;Rf`jSTVZJmp+@zQ)DS5YFbnK^S;_g>V+Bf
zSU_>xiA)AHe|xEw*+`zl(E&jzmAl(MqRwy(+|f+)#c+dkp<Nz=mUI3D-JDzr++d_=
zPesc)8_VO1dGVwYm_|8XXGo<5FLqU%@o1HjBm_a+?$Pa#6urRyHx~?O>Fc$aDf!_M
z&+81CDQ_d5Gr)%h;KKv1%#?Q#&pRBLDeoB(8NqttNp#qyUncst$pQ#{iC4kdPL!mN
z*pA(lC&T=M$!v$VTWHj747d&Dx6!EGTHrRc-c~Ki{>8qg!jQ^*gttA>;h@0rq}l2j
zNNpTjVU}sDHz0q6Lry=>nqnYPVW`{Sc8-U-4JoWo8$Tq7P`BX&kW2Fr(5ng7G?&)%
zL9gbMSe*(rLcQwNbqx%y?^?}f&A*Be(5ngD2I5MEs`%RpA0w&!584M@ziS~9x8WxE
z9TmF`1*Kq%vRPcKIb-My;&f=5?xCC^h|_I4_q|0&36Z!BVALUT8%l=j5sBLXJ|%G*
zO63f(Xq@iccS`DaE#>cs#BI<y0shmd+tBxId$F7$>Ncou4c1e9l4QY+e&O_Pp+s*N
zWK+G^joe-;b~(t>jRCiT;DKi85Q*Cmr6xk%hS++Lr8@xJhQN`Ou#vkuJX;FQpXYP#
zOp>-yn4(!`;Z6N%5ksq!H_D3&yL@vdXjqb%qfD*l2e+VZ10w;ERA(xDpY~g6D^AQ+
zA?f1k%$I$Lq&m}R6C$b3^nJoYt1~^p7w=yP&NNtTfDE6-g72CnF&6?hJsC6W$o}6E
zNp&XtPl-O_VO*V5AadX$Sg2jxT*BsNfy7BO_b|eh<mCiW4T!in6Kn`fpIzmO=H)81
z6dmeYRScblDsPh!m`CA3$9cs_6S67YG-x{qoKNB?qBV~<Sydi)+f|ouq2h|)20E<x
ze)(JLqPthI{s^eW1a1RyAy?uyJa4rUr2iUJ&mVc~)4B+>VzNLj=1Z(7xaG?xB3I%z
z5IpAL#cqSy=_A_;g>t<~iul!dWMlva+T#&?A`Q>P$Kq4*zX}v8a2kljZ2-^Nca^K8
z6jSk6eU8OYJ=fy(U;KQ+DgvZS__s_}(j{A3NSG#UTfxs^RbD?*iGbQmaqA^p>^A&h
zylB~BOEvqN`qn3BhjHZQm_q*FWVoZyMqGO-z3^o%+^fA~B#T;d2t2#_S?E;{QKPIR
zuOpk13-^(!WKVK1ITv50qW>NXdM|66@!j|d{7*78Nk+Hl^{8FQ7$T1aDqF0Rg-j~-
z3EWG#%EH3xFhd`<f<tJvCv>uEXy0iFMtP7XLtjK+GG0)$g?{spT0xax^eG2-dg+qe
zFD}H=p;US<y^8*Y-sgMDVTP{Af>yH(SdvKOWmYFEkp*3ZBh4;<%fC92@D7$|m&M?$
z4WhUPQ3?i86~fX^nb&23ujFmwb_^U~AAe954TWU=<FI@rBx~pXJ2CsI4Q~tI#}^cB
z9!Sb6XGer9g33VR>td&6hUKy&zeAhs>VDOqEK|uaRBG3JYN*e#kcy3#maa)Kh{Hgy
z%Q3Hu4kcl1PbKZ+P&r%dQaHD_-#)l-^8|n!P9|h_tu4Kgq#?bMkyVvsA$^}PzP0+#
zxgwB+qM>DPV;~82QC#+x;PJ5$_G`*?Yf(;PwCh$})u`M?xo3OqMwV>5{~gT9Slt%g
z7L_L(KmPT$C7gbQx(yJ0)@?Ag%>~=z22lZDvUHEpP`4pVm(h`>E49VWwKe5obkL(a
zF*i8(??ri2lCm0#4Wfc83+~w#Dz1z3>b8&#=`6bbXH8j1C#CrMACIn(&XViDPQk-O
zZ^~%atvF?*Eqz^46`?YodeP4QR@OG_VGF6PGWNrMF{UoV@1zon5{mK%cNtw8zPH&t
zeE5{z^7vus*2_i0Ezy3_a>#hTUp!%YcYBGwH^rnMeCeCk$D|X)Ay?kbFx?8RPs=Xa
zU46~NU@W96it}pM6?qVE8~m$ujErZrKK7VtP*k9`{8|Xy24gwkHe8RBK^7tD*mcDl
zAmUI}lIO^m<iHWXm}?`=L5!fJ#m(C&x1tzX>G%z8z-@TNMG!{THDRW(8m~CGxK=o*
z^hdby;cIV77*p|9R2Xv$UbjMrP#K<O(f?<m5V#F<1*ae%8ytEFWUjzTU2VCdgNwYt
zWm4d}T+vlt;B$edcEWWva2s6J)V+1vS;A|=s-(RUxvPsXbLcN0ys?U}Bb>UE^~C#*
z%myEC%8IyKNl$1F)=Ss(#&wQsH7KaT#BKHqr3G&f>Y+U?8wtLgaE{<ECzJD@^N^Z#
zwS61y0AL%!>Q62+uc@L2esL7D4R6Bg5eeH+1@3pmY(sZgJzc^!e7IYWNZ1Ch8ePIR
zOs?U+|KccS8y1ne#sJ%}ibS;Z)V-A1yPpKuhRJ^{WQ~tm=APaCKt-+OD<#taqc&Es
zx@d8mH+4w`A0B`swa$58x5|yTTuuJ!@Dh=*4Q50U$~N3K-=;mV7O)M6bnW#UpOKf)
z60%qZ`aDXm1?}tA;7@>Uz?nz!?1`)S4@kF)<uv4MA=#W`mN_X$AJ9%4)cqrs1v&a`
zabLDaD(hvuJbC$UmJrGmYO{@^a&>NHH4u)oeb^BHjiUOkI1L?wOXHg@(W`iY=CGJ;
z7(Jv*6|)U@NIBkKGhy{&wn4u_F39JQ?hWtUaJb*Q!mynOoljqr^fG=kC*{lH=0C#s
z&4|QpSlNk1-G-0+PX1`~^9DC5S2adwJgA5@h)PO4F(4yaB+?c#r%7#*nu15)n6aqg
z93L44t?iyEa`aL7tS_&@H~iYE1nvBE-%#4~8!6LZaobO=H2IxhQbC821IyUSBs<sJ
zXSyTt0tz=AJcPWCG6Qf!mG@+h9byaMhVDtTgL-1PA;u%^lw7UwHLaY6gcNlEbs9s5
zWDS$D&}w=|A7!2s{pfehsb%JY^(T!ukM0uFo~P5HH(py(%jvC`KG%%XpEgM~&*Zm>
z;RZGQTmUz0WSOys`6zP+eG6aQ+|QC?tFnm=wZctoh@7;0pvCfek@FLBlGl@IGQ{Bc
zu?f_-R4<xQ+PkBL@wQK?@2EVg&fbs#hnT+(vNh7QgkxlF8d{fqj9=(M3!=r*4j&k>
zGOz+}g9L7<X(95(aKl`ead|3lZE;QE=R~JPG{v8Be}p~kzii}h(qfJVhhfM;1J36-
zS2!$A($n=K6mB@S^;7Y*bc(`-t@DP$U~$rmtEkS^=UTmYd5Iw?qivE<C>J!%a^G@m
zxqR*bcTF_3D0o3Fn%yAr_Vdp0g5syFRU>&Q++cqCA<G<v8=R;epCLp7HxPHc-8UMv
zAHWUQ_O}q{4=am4^M3PYcshH71{`qFe;qV7^IHt@2l!|B#7q1dJe!{dEQ^*7>q~kN
z`NA{x49$yW)*5D>F2YJB$VKGV7bI)$BWq~q`B;DP=Kfc3_`I|QU%{}ywq`~~w-fAa
zg0~O)GQ+DQz-~CLOlSjk!>`pJRSfqK%~$CcYfdgm5_nhQ)R$m4#>Z&JNY|2vL2Y(N
zP|y%g=Stb}JMry$*o>d|o1V%&Of}Rtywkb)4cGR_;!gcN#J+8BG)EZ&YuC9pfc7kd
zhutfl{C<v6d@dV<{kHa(dT_tCnJ1%Ay-dH;!#X}b$g(`rhS{|`$g(2R#s(K;Ss7`A
zZ3Z7!McPz?533_>hHwf&mLDQ_pR$un8%XN(rrLg-`%8TR#oT8VBgUR7+_mhneSFOF
zY<p(AN13V`Q+S4I_wYK^e8m0`X)8%)D=9uEqd~59AjS4GtWQ&yWePI3yjnekb9&gZ
zOa1(1+AsCraHMo6e3>APAiLBfNExILq~D|k6lfELOnD%DjyXhfR7w&&?t2k(gr#Th
z<EUa!I&ACpr>ox;a_i~`gGM#|&Il5=L2F=Z=X@)>UFy)ubu~gZ&8_dDtmD2LKe4XF
zq)u$J-LCM1y@c=5X4;0x?`a9$fDji;=!OF@@$QgU!-P+{R4Aqh98S7L8Q3nQ$vhBd
z{Dde2ft!Qr2Y3mcJHcIAAa7~}e@wadSHfU{?nL2pp4J*M-GEFc!o<x3YoxoU!`@op
zwblT-Va!BL$csYhhA_VakEX-1&5pQ9Upx5eA(U=-2mTVbb^@gvs_U1*CpA&Jp$GkB
zl=!5vQvY4}iVsRRs1UT)z#<w-HwblQLdR#qB4r(MV!8pDagxvt6+`A_)8PeOj<~%>
z$Wj#v-2k7DK<S3*@av%vC}xes6)}bAg82xG#_GSpVzaVtiV{$|q5E@r&PSFON;j0?
z+*U?s^vbYFx7Cx_S_Ob^&}M6`>6|d_k5=jz(+wr6Mf=%UwmN%grLK=?VCNetwM0NS
z%nhszor+kcBjm8g-#vmh7M)Kq_ssY?lkFqQ;*@Y0ncVl>3C?epW_Jc@SJ7UXE#1LM
zbFBlPCLN=@_1*L*UipbOuDu6v{x_K|+J<zXH=uaK#6>#L8&JGqUbs|H<NKAYBiQqt
zKu#1VnNw-Tv*mr}{_N#6&#(I;+H>i&f?6WL8|E^Cu1~SRES?Kakz^~Gp66<FXS`RF
z-Vd#u&sD4D>WKcl>!)<6>lS=!Jpy&858>MRb=`ABOGKueYL;1O-HUSoZ>Wk6YL@X3
znLecKd#L{)QdA)-L7?V|&6Ia8{S+`1)EsQwc?D`|=;Vd#=v8UDF5$1|Z{ttd@SU5!
ziSdRj72Ser6mL*raDm<c@CJD`R~YCG0B_ijOH!0Ns*-<?|LoHSYm1<*<h|tjU;G5*
zF_J%h%n`@y<E2}lgiC*t`)*|uu5;gA5bB<ys?Na%x-WFug5nJpKLbq{>_3Cz4NAz&
zaV#-Pj5h>ch<ZH-#TzVs5+feWCp<1MazULAB%BGAV(YQ(*kSA(JbLcmxrqz(27otQ
zh<e5cdV__s3IqBF0eXWNZ{WV5Z31{hp<$d<m0`Fa{@JIKn4L^+Q>R<uNz6&v_xM))
zFMR%tIhlU_-KzkAH`EvmuOu8VlP)nt@rG{L)We#fGYasAFlJcl5F>$Ly1;i%1`PBD
zfH$O7mbu7C!K$GC-Df)$WT*gA+V2NP!1v%2^(fvj$y@V}q8M*LWGZ1X-hfygd?Lmh
zI617k$2^BStq!-LP8dDHzl^+*Y(};vAFhFc-T?3hwZwYz6uHlLPN^7gP>Rna>x?!y
zHh!^hC10e)sZ?+9tR8D}GWJ{Lq6k&h9cB`#?pHo8EykavUZ#%Uq$W}ieHP;l)8AAW
zh!}4O+@*Mni{cG+wsfF3pm@U{AFI4EpBF>aXP-<l+6A95ipn*nm^6Pse;b-J?Z^i@
z&>K*^A&fS4hvqw{Sd2GdIO|iwm;rtFSO+pTv52gGI~M4AVTH3$yaCa!-Ymu&*p6Ag
z6c!Ua>uD~~8vx!=Aoz&~dPCW(7S;v!)q9M;*=SLV0ec7AiG7w$<O00`;0<ny12E7V
z0N!wetuu-My+MpOAjHuHV!Q#$V>@zAKjkzirH-=YILkOMHge23+ByS1-vefdm)<;~
zadbuj-f%532W$}Ji}40b!Cj6qclTRP!%0jN=Le^MoP)v}o46?6FvS(@QoJL^8z!<T
zT%A!d-VhvDFy?oKyPT&}jiY>!TS!#{Yr^?E=uY&1sMqQJs8Ui)Kf*`x2GJH3sMxO+
z;0<Iz>NG^Ox-=Fkv(`WRg#F`eU+`%g_G>}|l+f^v+t1I(tkpB3Sb4rHvRd%RdEp-}
z#It$cmD5$UmHX%R12ybBnx)LTZjp1ea?N`+fH&~+UbK||pmEl!o*Dxj&OeGM-p~!M
zssCVgMgiVXGMN8&z@@p0uxaMXQ~W>G;40eNlY^^s<pRAycE$Cp&X4Dm=zS>e?a9aF
zv+9xdruXL6U(oB!Rc8xWti-(S?J=TE0bH<Og5ZpMuCwy2J|k9e1h$wI*1IAbk+T5c
z4OsMI+S@bIpdm68*^ahuz?%HJUsTiHwD&;;l#kJn_QzQHBnm5djkUL<!J*(CXU58~
zr{q5ZDvW0CHnSN_ELOT7YdMFAz&%9T!$vQp>#&p<Z$QwIDol(q=DySqRsIg!s&Z$X
z7E8Ji)Ey>zg_ylV4_5SCbeNb{v{IC;Uf+(uW_Tbslz;T-;yw_VtQsm`4CIFARvtiZ
zIMzQ?sEpAr$G5IpqZDG@vti+{pif%M6olY8CJHeZr7TzfA}6PK^_Va00>jq3<dm6~
zVtE-qjWtUB!@Zp=J8|U=DBSQ5<lL_m;Jr}m{)3)Uv*zQtU57^xtvG<^!X%21YQK`E
zYJL_u)mWx+${(|OyQBkQUuSP;Kb*P1A9JF-DIDP`@jbRZ+_+?^o_RweQnIfm0I&^2
zM0ezV0$>}sBsJNtJh<AZ^WFlXrs^ri_=s%p0{k@JNs64ZTm%B=61L&z7A|qApE~jz
z7Cjl2JHD#?>8Maw_0%~%Pm@t0G}@(tuj<w!tBCB7F3`6O@pR6KeE0m&P7paCT~7Vb
z$55uOQJ!d+hdZZtTDQk)38E$j8X#{3EVU&<!%(L)>;*45AHQ+Qr2*>;k!$Q|>ee5D
z(2zuOTBGcH(nkwY57y*Hu35cC>1S)@OInZBsqalSBwL|<=05t@HOf^Rmnij_TiMr;
zmM^)GntZ>gHUJA<$BYkc^t_8bN(aCuxONNvy?AfK!E1rSv3GlVSGCE^%y;c>3DHpR
zvSdN%1^m@zhY!fq)~qKpI;|9QQkBP^s*d?z0)upLzRl-kqS`l~T4z8sB&r2?$aE=r
z2VwkKSOWHfHo;y;E6R0^G>yO{VA#Uj+TmG6=^9&C&)eu}siB*IQQo?GzAoE5PGL9O
zP9ux3u!H~+dlz2&p_Y7qoB%1nSeK2Sny?W}_21~}1otb`G-)?shY{3hK+?;(MAT@Q
zd!Vi@7rw^%0{6iP+^<A#CmWKdCQze+?lsxKC7wH}{X%-p*m1HCc|j;>@glz>LnZW2
z<e%iZ+&5tNsDaDA4cSngk1FwksqxfwYAg2xHKWaQYx@z>>O{8*Tlf5j9%>@n<B->o
zt;<vB!jLVsw9vJw&~F|@t1CP=X;(|*(*|gA(sUgCf>fPvsSi-69_2!N8`K9V^yBpC
z-1k1U*|GG*fA^Lc?XKEcqlo5g($ddu4)J7ZCrlje7-)4ZGl51sDq-6tx7UT-dZEvP
z*31<x74%(_CZ6e&BVw>mSkPP6tL)3s8f9B>oB!Ye!>2@<!*^1*DbsOXYo{^Dg2L9N
zWZcTy=NXQ9m-4njp$*#SSv%6s_ba)U<<@W=qw9%Lc+Ab`)^K@Rrd{BwS5~yDt?O6U
zQXW(m|ELZwBYtjdw&3A%2uTpMxELndcGTI)`SUtD6@9VSvZEH-loZ>^xiz?8)x4n^
ztZj!e_Gjl~J2|=!1H14PFK46^8U5Q#G09%EzWpEjx<a2Z+Y4j1y(LifzzA<He<^<h
zf91v2Xq&RAr3QN&)Ci&LdMwQLHdsp?f_Q&QO+Ae-ylOt6;nNI#ZlLqefksk!+|#ye
zS#SA_+RxYCd~S%D809Z{WmC*Z9o&PHS=IIZNAn(B-oib&GT4^4^k#cg(AN>t_75W_
z*~KH<kfKq=iUG{ZgX*tv0kJ08zkIH}BIzPtU^{F@MG@DH*s$5Npw6%XZZ%k!S!cAz
zh#|Y>DnSl%Ia=3`vKZwN7<X^MKeW9jH#W!gYXFnPnS-`|oF=-K7G8J?S+p0PZ!gwY
zkNz^p!j{pI8u7WAE!vkJ!YGU$Je_Np?8il`J5VuN#yDr7uD_nrggNkaWVMQY!}6mh
z*(&yp%a3Z5fe)LOAGIk{v2R{}^mDV6ihaxSLsyr=o-Zmn_#!;ii0@jq7&EG9l4Tif
z8U1xIWVw&Y%QLPCIvkjD=4{-cjIq;)u~VneM55fVq39tL$336ryS;md%uWmx!D#+y
zk~K^{bM}JC54`QT@?n?5E?);T+Qtb(Dl+BpX}YY*i>q5c#dKJ`EQ)e=KB%5WpHUa=
z5gvkmLkpibc^*_>Mlq!vrd$E)5yYjGs=GCaNIZ3CXPyq$%}HaRc;r}zz1?{*xllaf
znx?D<oop{wJ57{5{jt#fcVQmMzF`@~BumQvtBliX-*p|NCi*qL>|93rHz(RzTHkeP
z*bPV0)kY+JUNCXSXh4!i)F<b?hXlp~qu5v5<CRMHm^w_lH5lZlyGbkGg4`Ou%l4AL
zZFrB=Bd&{$66lgFV)+y@gUb<T5v|^VTaLV<8jZ0hMfGd3C-HFnek@exu87$Ct95Mv
z_n5F&xv#S*=L!~=Lz&(ZzYqUv!Q__sXJdCE`vy~rFRQu!+6}j6EEinED_H72=9sRK
z%ysHM7fim6OewO<j3upJ(xve2bU5M8BOCU!pIFk=@ok&UPu8L_M5#X!B;>u!)XvfK
z>_B!Dn~}_Z%`RuRvWXnKCvz7_$t~q<;GBLmRmO4T#Byv`%n4sGq2$4N#(BoGO%GsV
zJ_;-Yu6J0ZG&~<r&VsU`CjRPo9adZ46_P)akMKrq3Yc6sRR;K1CYMNWT5ABp+H*?<
zTbows&de<p_X%zbA)|eQW`g9>2kgpvQt+3;4;Q>T=LB@g5$AYyLPRJ1DAHWnN|!|P
z<_8ASDGh@llf^OAPh}kIjqAB2+KMc#`N!~xtlh%sG7!d2F1@NB0zcg`je~`tK@gN4
z%}Hqp@D3-j^-~(2Y{8QLhRc?m`rpT)2eJ|sq_&WEk*hqhB&p*JhEHcOF}blHN;Flg
zUkuXMWM}vDL~m=lB~^SHI@pS7Cd9P`6CW*7kKK<2FrWe@>Z-L~nSs(avkFb0?U3G*
zts>tFlcG$m5MBb0&X-I0QNm+3k=T0ogbt&Bcr#wB{yhb~gwOb5H}D)E@oeAdzo($x
z`S<ZM1n6*?7yi-nOf75t!DY1vRXT07aJ!%rYoVje^T!#t&OmPaUR($uo?v=Q9SCt#
zw(X(VyUwAnV6CS^+x#tD^^@;;##x18o_eG-$XLVIO#}^r;9J2wOxY}yyX6uXf@3O1
z-Yjc=0k3|;xL7rfm3S#$+=GACBb#4Jf}>nd8#FkY^5QMBJzEkSr7v<qgQJy>Rz6Ru
zR(Vz6$`QJ4$v2HtkH8Y~5y=Mz!BI3fI=6h;UP!NuMY-qMA`_ruU>zDfgzeW)Rmbb&
zz1E_+(a8cC?hA2lbm&A074Mpc=0>px{HM*FcW4~Yf3}?pZ7i2dst50vs4KdJx}Hi0
z^=)Ww^eB-I>f6xV=sxO<Yuaf^ZWR2QNpho@(u>qZH0^VGMIDAY)JkeU%F@nI-8Q1R
z(aEppj}pbX(IJa00*%2(bE9*=#ugr;jnfn^=@q?lW!$D^&<bdEGy!epWv3mVVD4iy
zH>yN;O+!SdB)L(9$dKelp>6cf^xxp?`UiaJ;q<%oamlJ)oEz;(b2~~rM36&sqsa1g
zlH4eM>OIJft^!+<LmQO4lbQsaOH75^W&@a4Fr$O7%N>Gc$vI%O6q&bz50ayNOOyIa
zGvwurmN+<yfaIt+I0}R0C<u<;dodF$8z-CkIDq_xo6Z<{IkgGGVb@~U*I>I_rB;b_
zMSQp)wC=Ig=-v?8<<<=XqeFDk$#o5VSTry?#*j<7hG#ZUZ$jeHz-a67iO_63>7=;J
z%_8Pe4eKXfmV2+Ic?(;nTmQ~>1!uMwJA|FUe#{=vXV<WGCdE~5(<UbMXkgT@cV;q5
z92j*>1wRoqFgnD=Wyh4o-z!U1<6I{{B*Buv=wos|nQ@(i)=U<2&~;WyK6WO)OdJ@k
z-9Lrnl1`$5(Un>(u<OHqSW4n*2HL@r!00*fAS?-t$|SP5;Ysh9e4T_AbW0S;nx`hI
zlh{~k+OT3<#ifYCEzOjSbG$_{gvJGlpR_q>HXBUqF9|DV2BX>~k#aeO5er+~P-zZN
z>eEuC?fOuwlxb1v&!tK`s!aLV#bkb=3%`o5>xCPM;cNQHs3D+{QC!G~7hk}SE_HRA
zKT3ZpE^RFD=8vml=ZTWu?NJ1mas<7WD}zh<TyQO)M?l{YNE;tu&k8!M4WUoFV<6~&
z5VG$S3P~EB7;5~UhD)NbK1e7W$$BtCC>zOQYcA&NG%~g<UEz6S<h(jHx?SX}U5}ul
zQM4_4Zq5Rtt<3WNycG__YTSClU+fL#5dOGf+F$MTeVWMw(qBKVS+WMRME&kkJ&dOi
zO5fPJRNujO{s0E@6oT6YLnw6ShEht795Lni*n<)I5}BD|BYN6(l~YXVmEoP3)PdZg
z`xccCm+_QhC(V8~s)^Zxcb;F-fJR)?>P9X2i)LoSnoXmOxWxuZmm_i4k2`>AUHhIV
zNtj}Na8lyAe?P%qLmojVb?BhZ53T7&fptS@GT_U+7h+&NZQct;$GjIuR=d6)o(~<o
zN-93Zx~K0sL5((CZ3xK+Z(Q-Dzja?{%a+`c9s{MeezQnikHP1DvnInH0~xyRpz*1I
zVgG?cN^q$!IfMMPDs~AqdC>k1W}D_y%iO`Od6p}@Ov@}6NbUTq^jGOpkP+W<&qwp$
zmQsX|%O@<~NCoI!Vy^H!PuAX5$0A#5+4~Qe*xTn0%D#C$ej>%93ST)lZgIrgrOT2B
zmk=<Rbh{0!SLjIHQ1Wn=L95!)=>9>cqKwz$$Mh~7YFuOEE;V-n=Dri;mLqeT96+8&
zle(e2A;ltfpxG*Su-$5f7bLP;Aa$7OHX_pi7j|Oi(Ty%W>4z8N5u_6%(jzL8HqjmZ
z^hl1LcBG9`szm>RCs}aeldOBRxWziLOY#l~(}`YsU`TgP_mnB*<F5;bbmw#nJRQ{N
z&Mt1cE>xl`-MQJ-P4~jq!V^_qE>P&PDi80t&9*|3Uh2SJ8Tgjlz?=>#%u+&wBOUy<
zU5mK&^Qq{ah$p&%pKOXypG1(sC@`H9yoKH|^YGR9D7s8DgPEjnKUkOv2VV1^h)2?q
zxAWS!aZp;lSM6kAOijCvOca0IW*}J!4C=-f9eUHNh7RhG2Tefr0)x7-yx-luYUrSD
z%yapN-wbq6hv=S>`05oN5tE^}7s%d@zwmMF<AIidXjE7a42ni)b(y`n(HwME$Bi{E
zkIRMX?qa-AQtLbth(sZ_>_x}eMDPCi+=;lW?CyAER#rFTi)Hnxm~Gl*R94r3@`4+c
zI2)y~g+Nx<&&uUKW`rK?jz?{E|ClKK*Z<n;VPHD}$|;Y_k$b<gulg#q`E4XNDKGF|
zHrAWHy+@G*?G@1(%Wu5F7_!1dcSIITp$ne=Az@ecG;CSQU<TpSSX{|?P6J{Q9-S`w
zXF59PQ*o~veRe$eqfAD5V6Zs%H_KRq5xRrmw3hfs>5c6ArU*LLz#+8+Z~VXKb4Kt^
z_>iHpo|{ya2cwgro9t}}sV7#FPQwB4bv>p_k|OaM@sUwdY%{-`Kk+#Vy0+z*dVZPv
z`dbIX2zNGuC!Dz!ia%9EO4^#@@MMmw!kL}9BTP<gD(n8^?)cnKWz!upP5(WgJN`m4
zpL@p?&*w%96)NQPNK1I@c}S0vHJCQJ@}M)J8q8o`e06@AFTQ|Rya{tEFs5Ct`l^cb
zOq9aHd3?xZ^}P|WQ~bqj<6%D5;En9eDwF>)pNrxr^PS*@A~g|2>TyW57o8Mc6s4%^
zkzz!U2J<;-Yl^aZP=p4vWx|C6bs}Fxu^c?Ng?o2Y{k`UhEtZQ8$D;3tIAq5h&6ce>
z#Z4$@O8}*ELLn+BjdKgr9a6jF|1+P{HJY8zoy+=nK4%6w1#lJj4cn3SB1aMADCQCp
zhA{3RPmy;B4-q0mi0nMce6BoFGM{UWq*?T`$XFMwH&!tedkgzyVVM*r_83}}1^vWM
zVi(}?cs;xY-T@yeggiWH_{|(kPAWbZUyJACrk<YogP)zx4aK1IxdM*$*8er1`|$|O
z=R}WMh#r={uo=OYaEuUrKgb~)7kxBaBZ1IzhxV3GOCa(Ix^!t6?2W(*6<_}vNGV*O
zZ)*O`Gn-VV$6%Jh5Q&vn0oaC!jh+~CeDy}3@lonlvXpG(>zU=>k!WyKVQ25=7Gzr^
z_J8iHsk6Ah_a=o5!66~snd@Qy*;h+<!Tj0(!0_}%XMd!A_RUB11-$uqvB1V!^`xDL
z>wpQT<Zl=Tdcepgf_*ija5xAP^_MmOp?Pzc;fBl9#`a~(-;|`Ed3vj3GQBRwG`3&Z
zDSYW_F2sRtwZ_gKun~Qru^l%_L61&0*1HY_)YO}I+{d?q=X@)4SMf<z*0pPld70b|
zFy%=I*CkAQ^f!<zo_T)V_wR06IzUkWpXROvJgO>7pLeS&scck&5J15c2pF~`EFl3E
z62cOcC1im>qah?A34|nMAw<Oh_F#4QOk<Dx$|8<YWa;T;u<a3T$7ytCl&`gcae@iB
zu)L<dmBk{2;>~~FtGt);YiN4>`kSuLQ`Gz4x#ynsp8H<Clx>^$Zz%4`-FA7&(BY5N
zj>`DK$6uZt_~MmSo_mthesa9&-8;0CN7C9JYRiZS{ruRGPnZ7T;HN7O*gm_79*y}p
z_up!d4@=*H{bSYg2ed=~Ir^mq?%y0~O4~5`%=mwN?BKSv*u>6fcW!T=S3A64VbZH-
zDLi|Xr(fZ+`guFXHY`8#RU93zdS}hkM}Acq@p5z3Yj57%yk*;OYezl);o^_RH)Vbl
zcdTDc>(S}MA0GN1{$HaDvrd)G%NpVy|4Q3n_si)&+O>X8cEazo=4bJbq0YgHa4Jp1
zA1}TWzGUS0D_VcC@BLMt@a7Bvx9t8T{ht*g$^*>@>92iLl?&dRRe6glhrXuDVXC}U
zm2s+c<6yWdN2u~PRgT2LC{>PD<?X7B$H5p?j#cG2RgTBO1XU)eGEtRDIGCu)NvfQz
z$|>2ZOjf<BOi^X3D)XkPa=I$-Q01LCxJ#8YRhg#BbR5i5Wriwet8xww=Bjd@Dl=6%
z9|w1<@*Y(#P~}1#EK=oSRc5Jj2@W7UN0qtwg#VVRa)m0tr^=N$xL1|;sj@(ot8h@L
z%GIhYQe`m?N>sT<m8GhzQl+C>l^a^5;R8GV$=d>zq1@R{%ym&*@LtuN)RdgI?Oez3
ze)jY2LJ>lh5m%wxEn#B9<3c5T&X^#ai$afxaZd;ehc)7SyVBA*0P=1&M4RvIcz&gU
zF8w}CBxA$^e9i_D4TOz%p1Nvp(PCZk{jN8D4!F-94--Gb_<s0ojOP&*pxzhH##Zrb
zAn57;@QS-$RjBm>(Z}>Yki8!aunm1&Pz*k&(M-G_e%~v$LTUm&XVGlDJ3sJ>cT5C;
z{>np$wRUMkCY<XSI8>F9EgF5}{l@!M*At2=#o5lqXFDe-vwt&M<fSX4Z0+7Wm!`Qd
zc-KU=^-OSF@Rp5mDoUcD+`+1}w_X{e<c?9!bpQJEOXFfi-UQJYb};HQzY<5z^X=)S
zqn-PdX8X9fA4a_Y`K2dfVnx;%#j$F@yW;07-gdfTMXvj+uB+{GiSn*k5c96%*3n|g
z1jTtIe28O$$Q)}QqoljOh!Yq3hkV_6Wynum#;?bXJ$?DP&o9l16-yH0evoK?E^&V%
z`H>qX@LM`*HQ00(!k?{f)JkQyETYybDkl7*>Ov~dY0+A*Xj5(HXC^v)%FI<$6cG_(
zcZh7oK2l*J4hYF1t&!H#YO12$6)jqS*GSh?*Om)jhvra(5*i{LN@$A7y^NZ8ms?83
zzRumXEgJu?mCkfCJEes8ip(I5bt;F@(=|QP<{Ic~>(K=5Y|~!Hvt06g`%a%iaI<hZ
z#7rUVHW5(hWnG~LT>p2;da7*E>iWA*UA3KW-w_{jwiAQ&^bR4LP03LV8+b?-X)ssU
z>%9ftGLLif^kq#n(XPu^K8lY$+u5K{G%7<lMmkwb9<-3O9CBmqJkqMDj>;gxThyZ6
z?E3N>DBITB<Nxj2{%1S!o0uYv=tQfC&_XCwIGn;x*4(qHiAUGd`WEd<v}=Tm4hlNd
z^Yw!#%9D7oQwt0Z2_-VMo}(M;Yov;cvJe*yUf4Ro)q3TT5VC)Erh6x`dz5g^Asn_4
zo6Uv^FGBA*ij-7KS{>CO?3JXIVr&IMm*?)1#Wt$-$-)-x*3*|W+=QS^!#XgO{cUrG
z7>4t_OO3RtM4n6px9(x;ke^?AE7c()9KybYgkm!+H1yQUFkd~a+)&=jZ$EwcL6#gC
zU=w`?ETjTfuGA-yP=Bw>-_q8jb8B{o%^_^Kn<cCXa;XWyMp8kWJ9QV@DDCv+4*8ZT
z-&AOx?zq+x@E3Q>M)G0|J5C!*r&|SnZ@`)8P!!Eg6z@j1N7$`wXIrvqSfNjDB-p_d
z?I0Too(U6G1xybZ!V@93WpHpM)%V7hrxEz^4r3a(7MP}QQSmejC=Qn_ROXYK7UTNy
zZ7v%{2c}6x2?pylk6H`ayFR&IcQBh{BlmS2i~_^;CE{1kmFA{JoIwpn>e`65wx8)%
z<`C*D!uD;=(y1x1X7n+sE#vD=^mZ6LM`;gDLB1P0_AV1I!y;4**EF7)B&`xt&O_2Q
z8AXGdx#D)I5_$h<&w~vo6cmlZOCl=9VH0Q_z4gMb$t4Zt4TWpz1T^oF4VuiR7pl5Z
z2PlG5S2g&!EuHoGqplF^BeW2k1E$zm(qJO0MyS92V*F3PP5}07juca$62x6;7BS)k
z@&FL-A_n4lFjBk<WR!_GfqV#LhKYC{h!l}e3z}>qP9QUZB%6rm{zy>=1ivucI~R~Q
zflN0MPh+I$0+M1PP9Wo-5m?rHM|n0yiuFK}OvDM~1t1em#M1x`gL!~l4MIE{BSpfq
zg6=R!If0Y|>0^6+q<9L*G>ZqwF(4C6#8Ve3{6O%xe7$x7NqnxaWKV6RSPLZ8;sLS;
z2yf&9ey)iWDv-N%1aE}IfVb+A&}d%x+|^%|=+L=Xm77XXhgDS6BD)6YU<Q`H%@y7F
zsSp$m&=ER1594qXkXPawpF}^LOH~>wDypytd#3=?J*Z`rP6INzgnY$Rs!2DxR7xSf
z{bjDvx~TQM#BM}YRUsD3Fo|Dg_+@1TrIb(+>WjLtm4J40AqI<o1Il4hw`{FJT4Qm+
zY3vqo8ux){GkP)xad9g(rUhAq3U;IQvbjnLaKl{2o7^aoDyjw;tBVOR&qcvkQ7E30
z!x`*?F+t$WV)g?yal^&^CsWugz{Bd;O_e5=162mqP)Uzu%y3*L+=-GdhO0}+U(o}P
z@LUd5Bv0kmrwU@)tTRFT9;qvjZ8)?EVlm{fAqrb!`1Mb4u<iwQSTD=rCosnAqGm%A
zZ4LCQhlkPZ*i{?pUi>0W9W`n?qv2wnps4}eHRSGU*QYW<!zZ-B3EDi@&tB-`xuDan
zdK~mDF^uK2t@_}LaxrP_U3P9%rOwkEsuJF6Ra1o?abqAqNT4sT)l_y-`g1g_X~pb=
z2ABrL>?*e&^3_sKPkS|(<BCufvvCsUIB=an>v(mnL>g3)qe7FMGKh6QV;s_ZDcjmD
z<I2InAw-H`91Cq=p(vPqO(I3R#$tP`Vqry^Z=iag<jO#5t--h&8)-#|HuvZ#G-+_d
zCU6JTuMNmHz#NE3!5{GY+QElNgKr^*wxTK08Xq>Cr|NnnQVP2p;$+d~)Nqv*gQJLi
zb+pKjI$TXrCHh>jN9RG-)j+95;A-X5CEcuvp?4MnYDz$x;e<ei7I5pTRybJ{SYHp9
zLR30$d$f{(tU-_kh2R@QS=JvD8QbJ0o(&AXcJ>jRhv5rgZc`CVs-tpLX~3&E!3ES>
zj?iPHQAtW^i{z%04fZO?z<9$FJz1+Uo~=n<?~|4KQex=Fof!$-fFU(>YF!r+0vs5N
zfMbgJ*naxbsaW?QMb+wyiy<}#vumrlq9L}4U0zG;VAY6#&BfHT9#&P-e80pDTmox&
zAuDoNfnaMj-M2W4Y+XZH3O<F_Q7t5m)FpAM`PX;zb{pafP+*i}qZ);m8kigiNRS;3
z>u5G-RFNi^As*eb9IK<@oeUVn7wv(JS_r+MCL7;q&bSy=gK+T<w$4cRQq*@tBS#od
z0)x+R&MXYpcyr5J!<1Ue)yogw!S!4Y@)sKtuAvM{Ml-0@&BnmslerYt*u$A?ICUWw
z^sWq_EcSEC!r^_K#j8^*Z>na)AS&31^EnFL@4yz3LIQzrpaQ-1awoz>`ho_<z`BVP
ztd<<V9B5pD_e^#Jq6I##PZaM0@RcH3yx6h<h*q_qlfh7qlU`p^P$zZdfKw4AZj7_^
z;FqJAz-#2yTtH2gKpM&IlfzKb=tJ-v7Fwj$6zoONU$~W)Qdf;%qPA+GLo!mcLZ1<L
zEx^aIhc;_)s+9NOdPw~8z$LGn);p-uL8besB!)|~&PBxs90Gq2<DlAGxM7?1RZsra
zU6R+6YQn}mml_omN}vhynu7Av*A$9Nz_w|k8Q^rxdP46;>(P*O2L=q_6<K5TxjXx+
zXp<ic4R?J!^n;w{zBFF%6xU$%_cHR7$&_O9U&}LjhG!DGWU9$~W3rjwXbH19%A8hc
z_W+TLdXEmaKbfYP=Xh!I=}T(@O(n&e`C3|b1+>KGN||hm`L>HwDfv3*czWa;RO>ta
zL<&tJ7Kz(qIQ3^0(D|o=f0E9h&6ZrR&-l@25>Prxq;N2dS+3z=Gs+jGW8xs1V)9>0
ztNLEIOvL)l;tl(P{L;j;CzIu4jusMAj}{fUvA?KQXl{>uL0^muH5sXJl3T872t;b4
z&9I?&tJ26Ngk>G_P85+_A#9u~X<&(hKP;m_AA(DHk<d0_#mhnpFRSIvQ@N&Z!whF+
zK?ar|y$My24~frLL`8IB9dFm%Jy;r}Ht8!M?khsx|Gjn-X2KPdX%ZY|Y+Jrnhv+8k
ztjT{_sNyCP;$z0@&&O6Dz$tX&DK}NG<i9ZG0+n^6DF?MubUUob_tq$qK80B0?;L?D
z_;(s#X<au0(@3%Wa{~^Ygz~bg<pu|E$gmSYMg{j2ztK~W3UMsgQsi1yXf95ZC=`Wm
zw60uabt&xRofBVt@I3_m`p#(a>FDi9w{rbloPHAO7}q^|KQ2d4LU%`V;Hv}lKIpj|
z68!r0A76Q;pnG+5hc}Fvg$b}@$7UbrHrM)5Lp5AVQ8ju~GA=~8p?0wZ>|4NwYdzkM
z)KLn0tiI3v&H<i@Yh<i9(D_F5&M|2aJMBgn)Oub}FUlmY2>A9pzxd|K3Kzi**6U$>
zWa1a!?kIaY!4~$SplE!aqa&V}t@a^6_{RM_9oY*c0Z6Qg<QICyY#^gd!~>)p$Y>Ke
z3}gq8coWHAxz+wJK;lfKY}yw4aUlG4g)!ILm`eg--3_D#h;wIOeLNU742U(#1IZ~s
zZZ$_a`){@90pYJE3^^l#lm{W_py6g9mKBE}XAh9u%uy$Sya!~2i40!t6=#8rF_BCl
z(YyL0&CqZfkRc|I^WLrYY#^5HNkBFLv2@M{vIEFSb5t61{uvM}79Q{%1!8G<2#5+~
zm^tbwW_Ruuge_gb_LJbb4T!~a4m@c<EDcki=@iR>@a-eRV=FQHBS8Ah4&-?tH<>)n
z`?lH-0&$y25|EF8SXSf%=>TF`T8+74_87OJjJZ7EnE}M&IRs=Skm06e=kzW1%|I-j
z<AFRGgm{q82Z8j%C?lUwLe9Sev21r1Y_)$1#EL~G<a7hEJeCBW0WbB{XA`1435b>9
z`QXV1Vp-Y@o(F??nqlc4AmdCcR(_ah`!67oriOdr)&B-!`S~Q|{1J#%J7v%?cCVnJ
zrW_Aup9I9R%LAUpK&-kr1fKGsQ73`?9S|#jcEMxKK&%zuZRm3th*g7!!E-E#$64eR
zZ9pt<I1hP6$jf~-JcdytfLM}~z%vPm73EaO$pT_onu#w9Hv!?V0FB(p$EaTevEtPX
zOaBLm<&C32d_XMQ%OE-CpZZp18)7jXNRlae@Uxv_Es*ghk_F_+Af6U@<KKZ;(K*Mn
z1F>dz-htVHSefa8oak5jR#QB9W&p89Wdd0dgm_@-Mj%!mz707)0b=QV^v<pJcYsVa
zb-n~1Ul32ybDiS$W<iN2&ml-&3dHh!8F=b|@U39O&nLmN8;Iq@r{Tjlfmmyu^QT_%
z1rWD6Y8T|#U+t@*^Op&>DM0Qqd6F=y35b<-CoyUd5WeYc%pU!Gr}#Js$pm75ElBcR
zTkTVTShjBg&srdsoP5mn91zQgWzgrBKrDSc;8FJV)#otej09rIkwEf-kfZR%b|AN#
zI>*1zDfR=gqEn6PJ_W?8?sKSu^FXXBC_~)4fmoT~0W$FQzWH+q8YTd-s{0aVzXyob
zt>TNlq8dmaeM$$|o&sW7dhEDeoB?8Km<b>D-!HJU@Adp2YPZ|x0<i;0*E{|tAa@5L
z&bsaPMM1~_AlX5P8_3ciWIT`+K}af)`+|^6AghCrTp(+LkX1m|1|bzdDua+sKx%>z
z50H&P$m2ln4?=bUc_;{Z9muvI<S>x!CITnvUv2RA*9Ky*IY4|riEo%XL1Cb9Py~oG
zAqvDD37auJ4`T3de-QUk-l6c?!n><MAYOHO9pNhE9Of+HEa1xJ70?ahp2#~At|#t3
zoD;kfb0+Xg%Jn)HG!DdT8`n7ZbzToR6FAE!fp`bVd5{d^n&L06QbE%|(?NHD?gZTh
zngN;#N&}^XW`Qz5yiU&n%>~T^WrF5|_=_OU!v&y)phcj?pe)c5P&OzBlncrOEd?zD
z<%5=kR)D?-S_!%rbRVbyv<g%RS`8`!6@yAZYe1!-GEg~aEodF60<<1f3915BgEoM8
zS6mCK1J#2zf*L@ZK#idLK@Wf)1Z@UA1Zo0p0c{0s1Mw?w^_Sn^zFUYYL-CZ4Q<Y(=
z#KSldIEYkblzyil-=yY6t1?EFxUF;(4sfq=pek`uGzbT{ZknOWbt=AEmxfF`%iYrZ
zND$6n_mQB(^<hFD#v?(C^hbiK`H`R*Z}fd6$jDe5q;jVAm2GR$es}7sh_hetLgUoi
zn(X3n4DF}N&FK@wCs+seq)_+>B^{3zMcX-7w=22`^Nn-*ulq`acxQ5$z%Lo-*~FRi
zxAjVcI;kyTVlOo0`Y|*Neyl3^=>Nx)T&MZ)WcZtXAKwD_H}hf*2Y(hO1_x=_GZ=T=
zk#|n<<4(CS;^qt94k_D1a#3jxd;y1wEA5cVh!$;%YpyFFPcL;yVSDjh$M0^T)a}Y=
z{zrR$@l32j@eSKjwdEaUU!=u9R`B)sH^R#I)59YM?cV)!@k+lES7Z2qvz@VTsnYYS
zF9oXaz#lvCg%K(=wZXnmB={t5tz|{@KY1Z0I(uNOrpo*eyr1~wxsFwzxXAB4`dCW5
zZKF@li2FXxiaWkBj_^3+rsdJ+_uxsTn>z5t-N?Kc?c*?U<t2rNb`I&kKW?}x%RUJc
zCx-4-1`QbVqnLk)Jz_i3tk6UFny-g$pBVF=S9CnFOi<a7{&?=K`F!-wf+q!?cvv|Q
zN8KlVG0D-%&kH(spaWm@;U3zh<mex2=v1rGcyfDa=7iy&hKZIpP6!%%`-s_bF)d-C
PV)UDtqY8)r^#cCC;^bEC

literal 0
HcmV?d00001

diff --git a/odl-aaa-moon/commons/docs/direct_authn.png b/odl-aaa-moon/commons/docs/direct_authn.png
new file mode 100644
index 0000000000000000000000000000000000000000..f63f038e9715cb7b8b754ccaba74b0b3ec93f481
GIT binary patch
literal 22058
zcmY)V1z41A7d8sR0Ma4dA>9MgDcvQF#30?><&e@XE!`kUHv=f$A>G~GwTI{ZzW?8w
z;{axe>soQHUU#^vvJ5&3F$xR}47!}G<YyQdz$fVIVI%<bD=uE-A@m!p%V!yJm|vr$
z`_MP=7Gg?bFfhMkQJ;(vpzo0#Wp!O(U@&^#K4JSDN=#v3G&|)a#WXw(kFyYUaAzOF
z{9a~D!qw!aB~3IGSyFX?;SmuL+WCZubJXFqge2}!C4ZzV=6>hsh)E$Zf0e+3hnIRU
zCTaCSs^InmXymog*JXD!E5r=EY~~?+dMUigZ!wzrv3B&Q$Ji0@%OS<Ppf1qUWo$=>
zKdbcp+V#32V?7u-stW|90Y&Y6j;c}ZnGJgm;~+!}g{K3~1Ho^v(!1g5Na%pje^pga
zg_!oh_kw_g)+jiswy6+8w09Cp#(+e0975>HC5+b0)g>hiU%q@{Qy)xXRBuW`F$S0b
z3DLNvyuXF=kdl$bpWWQBF)-waQyt2$b8e6SG7x0D?))S^FfgEB<g41(-3>^-CxeXU
zC~0eJ4{9MU@Os4n{tq1=h;xiFBqSu{O?)v?Q1a^HP{RECi-za1uc*gZB5q)#A^D~(
z{b(SI>H>ioFg%a*maO7MiR3#)5Zb$-+@kOAETi_@OgzDARMNibX}P2y#E^|}kSoLy
zR(Q>nmw}D><$)#N(o4o7v1t1fvd0-$IbpMrckSjPYAl1j|Bz31s0sSkS|SSP!CM`?
z$D;(=j?TvaU&cA#S)!fO0PljZv0&(=8R+vN=%&OBuvW4Prs)?s53;I3b65(d#so|<
zf|hA0uv@{{6?wh!l+UW%G$ovRo7~cPCDcbkXkmkUNV@6Z0p$P5llt%9zj!EUpuJ-3
zJ=hTVnkObh<o>+4NzS#yOC>R&EaX!X0u9XtP7Xf~kEBvTsgXubuqE#u$|M<VhbsC1
z)I;|B_wUjqh~<F<<xtf|@;4R~Mpn3ZZGDAKlAh3~;cyumlCoHMfo`oi3R_uicC~)(
zqWd4!!K+x`7n1%DcVvu=j4drKW*FnHN|;)dB*uTjSY@@ja6S-eFaW;?XNx0?`ElYO
z<YNfIyXBgtgT-WBmocq4ahOa3U=B>ev8Rje;-zd{x3Q9~Bx;D=f@vuW)iQi@h5o14
z1>>(@H@3DkR$!vR<eWKN?5qi4e`pGkALNmdD-x!ev+{D|CSmZwR!vbbpD`Npz5ro(
zB=G}tfBeSpphAY-Lv;QypoV;mU3d?l<9>%8Qa(;lqjO=i{Xbw&M}GST0|y63lO*sd
zh5s3VHws>(H_Vny`=9~)KVTT{9Ug`S2UDt1!__%{E!g=VRm8?7CMNdw%2wQ@IWs8#
zgFnIN&!4ZZuAH5n8HWCUHbF2vJbZL?)P#nkBlW+3)x*NZ&a0{#Gn4=STL!{YJBg4Y
zsOCR&h)VD4>gt-FP8xbb{J&-<jh>j8m|t9+l9157{TdV#gVAd#?e+gM(Y7zC85xUn
zbB;uzbpP4l3RS`BGRTtcjf+jP?*9JoKRNox0dHFGZ4HE;79NhAVr(h$-|w?>nwoT=
zCiSp_9=g;0X2L7TbL}Jxh;Kj}_y6$W!`1aQ2lD0xTIIJlhhQn%+uLhzZ?7Mk%laQz
ztbKp~n*I6y9{Pj-v1wNXJyAu4osBJK=wltyn}l*lbdtNx2p15bhvtqnH8&HHkO=be
zIo^AqDYgNhzuwwgGDE2eb;riW2DqWW_~%^yZpZ13otm8uKs^0Q$niBeG7=R^Guhi;
zHN+<*d^I=!S8tP&*mpxK{iyEQ!Y^SiEiDZT3#%_|7iOLfB_{ffx&;X*r{BrRnuq@?
z8}0QH3H{Us^p*LqjwZ-1u`4@EVc8MrvfjUcumAIZf36ppm6c_G_%DFf5bLr3bbb?t
z$Z6W2*ZS*^qQ7IBH4P07b#+^uXsjVnNsN28wYPIDrattY=7Pz`zS<8FE%H=>dx0iH
z0|V>CllYY81_lQ1r=kDelwt{lUIUff^8=A#r?<fVK-QqN{-2S~A5X~9^K)~SQ;rV*
zf&Gse6Q&5dqp0|>D!|jLnV@CijSXVt<<f~<iLgX^3_4-t3T4TVhvA?61}Z8lf+r1q
zzSB?@4{0Ey)#yj$!sFgu)V$KaljzA2<j(nJmoZD*x1y;5zuY3=)E17vWEU%egp9n-
zsTqi@So(JMDTA`Ia)KcD50)s5)_81!g0r)8KHj@Wv2>rt_UP#7=4SqsQYJ-^{2SAr
zyU<g6V~FtFPrc=rgbRB^YGZ_buEv{MkJbM(fwBM<XaM;9hUOJ2D0tQq{GT5l^j+kl
zF|~9_1#7fxPa1f+xi$M|J^$~K^xyc0M@9r)_h3>A=z^zZ=WKPW-g_)UEsx>ghKCMV
z_=ZYLeyGR$_wS!KnSia%tH;9BczX1o)K&#n*6Anv$Ai_@E^6U!I(m8^A0L;r8i?LJ
z9tsMIt({%-@ax9jUVq_WZg=lczChOCSc}_XQ<Cq0;D}00#F?&l>}u;<hy9Q;4FXy0
z45#P*^jKV+pHE9mb4s&@9vVZ+kByNJpZpy{$>u{E1|D3(-&QYDT%S5#sLziH)|lhd
zi;0NX-~<dF;#S5(#>toniHWtkEL5rI-$$#4Xa08+vNS0iT+nY583aV{LRt~k9!QK*
z=2?c`vR!s!B3vcYS){-O5(zGDFxAgVaS8}g8&5xnBW4waJm|~dR|)@Qth(V@@Bqw0
zE(?TiFOayH<%e(aQ)r&@J<7J*AafW7A`bV_JEKI0AD{SFDL?7W(YX)L%p?!>zgcmv
z-JidIqX{|k0y;Zpe`U(4ps8P;UAF-}&u*=q8{3<ko1>%AQ`F!msVh{GlOW$6jE!Me
zRgrt0k|-l-(f7ET#mJH<nO(nO8S`5wC@@6ozON528W(93w*wpyDAcKtd}TEPv$I#J
zPZz*5sRLMZIK3s2AM%`O?o1?!X=PQBD-pKcsNkS}K*9$C50I$-Wq-ISb6YIxQzGVc
z-ljhGliRnk9dNq57SGW=*&hS`i3V%A*QcsX>j+1L#0HKo0kESHo!RA~)&O`4@Ks}O
z?tfU}(T<~<{npX}4>H4FPjE6u)cD3i&GShN)*4H}{~@IQ+hlU!o0Yzch>YZL`_{sv
zS2Zf@U6AXvbPj`&TLeWR5U6^`QY{Wf?z2Zb2O=7Ee+kw`nh%-e{4|7xOq>fZe}`Y<
zl$&kI3p10;7L0diXV&8&t7{wb1KGjB;UL8*gmySWvztg~e{itt4WUA8Y-~_?4yW1O
z&>YxHJ2w^e-Pn=ja^S7noo;QJe*M~Qh712<WExd%iZuMg5~~<nQT}csvk|EZD*?U`
zwup~w=zSo*X9|p=0@rf<PjJ_Vq&1t#P+x=&kGwWiKVLz39)c4Rfx@1G<$Q5UXLqwV
zBjX|*CImX%-4|1wBHo+Q$yh4U^o6lK+Pvo~N^d=$2>JEvS9h`BLt$**E++tL4;)LV
zc;dP({k^d}g!5`K@Kso*YO+?4S=_+h`$#vK3=lwa6|6=u7wnM6q#Ee`#<(Ovf?8+D
z4F2pI85$?1C8=@_^9r98ps5%DTb1~SxP><Un{KId1-ZR%j+~AU?uV0PE2HN2a=b2g
zn4WwXt#JKM-$AZWU&T;JjSIW>*oEQLnc|{lHJm@2NezU)X$c4ooh+=Z*8;AN0_NGt
z#Fdrt*@;&-BZpB1NQDA0!NI{G{PHs|@@MY43wQE^?&*l35|rV>z0aoqNr5myrr_|P
z!LZ$0YH&(Mw=}k%(|K~!u$_r<SfSP98KT*TFo>TD&3C$Av7$S3)#e3XW1wDnoQdw)
zzHDb~zMK=PJJs1G{*Rj!t7FQM6NCLD-~H}4yqt{PHO{1BHzSu~Sv49Ud*T!+YNVDp
ztkhlbMH<k6s)wMww-WkXH*5?IJ<tFo`ua2#6qhl-uTsYyk-aN4HugRC>{_^SVQSzr
z0ziGTous>y-UOfy^`~f+0Q#%<1frErguPlgIEg=nee|0>>F9;EzT^YhkB=95iR9kH
zYTN$G);n=?F13a?*F=F{{&a;31T*5%0YkOGI1gH;zwr5@PNv6a?EL2ZjqIf}8>Ib}
zCo_1fP+Zg{97wPETL&Mbk_X}O2?&azA7?(i<1FTG`k}~*15n3Qhk~72BskpLE3H!1
zlRl$WIxx|kcD_I~uVU26#OU>tglNlq^T~VF#YTe#xGp3I{(jPL0j1uWs=8zxB3k^y
zX{^H@q};OVd%c}%49D|J_m`QG2~Y!$9f<Bm7^+cXbCRhWn=gJ*gI&jMn1q{zyG<*-
z+T!Mwk$w1X231k+*1n*i0Q5kcIkUgF2YMxv2e7l>ifd<-Wt#5Bo}Mn&M=L)Im>{}x
zlFayAKCL&PhO!ba`#Cm_xgE?tpRWpM_loS4aS}Rzb4e#iHRorcq50F_Z+SN+x{P`?
zG~``Ysdgc>d%W1VKh_=8cC*^jHuJhcH-m~6I59gL`~CacMT7)V0M>{qda~faMa^UY
ziTT|6Wvm^3n(1;wiX@~<@zsxr*S*+hvA|15hL82`aQ0`m-&0p_GHSCOVN?VbvLZEU
zXzX!OQPG1zt6}?5LUvY3<++gP^Kr)P{rp(BJ^yk?3-wxrk`nUp!otGjWWo>w#{NEm
zL{P~expzL-(>6RFnQF@8;h8?8{9VN~LpeC}U>REC%i5u{`S_h?j_ZgSzsEGVR)2GW
z-qgi}uDI|z2$uCB@F*cU8Be<X*~eqog5Jsocc-Y`|2pr^OIdMm=2Psl$CAfP4kW3V
zXt*5+x5<g7B(ajn!pi^t##u)YZe`HVQH1?Se5FT0=R+2Wvvl5X!7vWI#NnQ$*+PB8
zc-NCLD+z%Yu4>*!;UF~;GZeJkP>kBz+Nr6-YTtPyqSA8&{(%MJDntBE1~yr5XWl=L
zs&Tt3#004cC(Ga7uS?Cv4}Ii9_fn~G5Nud6<0t<W*myy`g!-WhPtuDjZq&yWfw;$(
z<*=cBOK;=4vedpjfn7&LP<S_1?6^4fX_&hUlqBH=kSIy+f##mYD%lS-0u_|>QeWU!
zm>35Y0`OlTub$PnT|S17Hu|8Il@+Mr=}YHU@23<|&&oCUzEFsgxYPKE8H8|jjBNrK
zP_pmjxbRPYka%NUR#$urN<a-K|Hqi}!vy<><5#`MF=BlYmnfU>T@0v1&`V=`s<Rzd
z+t`Mcn1_{SIvBiuKHeN>JY{b6Q_eo}#suH-l>|Y6a-2ZmTOM^05v0^v_bo!DW^V7S
z2>p=ukzy3JmGZat(a0{cN94~CeEKkB-K#5dE-kEM*0ivY%y@m-t6GKI1(vknETgBR
zX_ni1(FV(fI6s-eIIu04YWk1y+}Pfu_G*XUm!#}-A$BF3ye7)Skqqs>V=f!reiTbW
z?+<oML;&h5Gz0&qS^#n-LMdQ0d8a~V{|y<xNH^7?%kVEFrov>tk?9|hZUV7k5+R_x
z%MQxA7(J)MiOOw*TzgCCuMZ-^<_oocn|_P`97i|^KSRs5U;#d~M<Ul}kYpUQIg=DZ
z+Suh3w<xDkr}udtpC~Qc-TJY*abxC;JSdfXe}A8GUo^{~KV%3>0*Z1?MIDV|=Z9Z&
z@<m2!hN-s38whUg!~PGP?Du9TwFGIu&xk7M(t?HCXzuA))<B`BY%LLYN5gH!eXo4Y
ze@aFyC|p=M2|xE!10|ycqu}w6HnF@;KahroqZWNlC#f>TZHI6aNXj4@p>(=vp(BJ6
zVeiO6HP5i`kVnK+6qtBaa@@jZ<d4EC*YO;26Iue?4s18XGw)y<^m`T}!RQfE<V5z_
zpueZ9xMKRiUR_YT6HZ^$OYu^#nTYx1C)6ZO6!j{l45qUFXWRx6w<it9=+M_sHMkH$
zROg6}Orb@1ZS%{>&cb~hXXfnZ-uM+sjKV@m34uVq4KWb&JWpaU@eL@-5Gqm33)0_d
ztmHF85h$f{np`0D_2jyU@ANoB+d&@1aJ%@cxYiX*9q?u+0KwhFBYjtTVC3rc{oENj
z>q|OsvW>>Q>&YbEDMe_}c#bi3e2J+fx&T`1AS%oBDPibKcUv8SRP)~u-E?gBhzp<x
z3lyS9=f`_-Luy?FGg_cQ7qkq2D|Ea}Q=@uoU*{o~0W?L1>LrU*|8~D;aeuH~=5)Qs
zY=eIOAff~LL`k1`MqUvq9X4U_L&=&#h}S;!&`4C5X(9QDi<LI7>jN_<y{~hLh~yl(
z+B3Q!cXxMlb8~&^35NZuLBg`)z{CotAOWgfp6_f_9sLmjnsFFm?M%Z-`r?X_6=&Fa
zix>Xcd(*qbn$UVvkAiyxXax>I$c*X;D7^DJDJPIh{a0cKz2$<oD1zwxe7)m0rtpkD
z2-;Xk^=I6F=P`UR&Ic|0_-d4Eo`wtP&<_!^e~%&yh~18h#-c(@%V~u5oN;7MJ`O06
z5^*GC@NJwvjVY0e2u?1|(i-W@^E&+zj6z)y+6!u_Z+1_{#F^_AR?fpdMx7C?Py`FN
zxX>M}{DlgX*TK-_N51{}f!ToQYa467k{`Ycy+}9jNqpl2s$!|itmfSns=%KvPL0^D
z<lPsX!4FJZ=82(h6h;e~WS+R{%ma2;932UZdx<^3!-OS?Y;trTJmGfwW`DwU!xg)$
z^BWVB<Ip_OUk2Mj9g;y=DBadmA|iG^SJ;7LWg;#9Hk3?ix>v6+GLN+)dE&Go5oDp4
zWs2Ys#GjE!&LgrBo=_(=lpr22Zp~!)L#Xcs8cB;q{LZ)@w8RUtrI8d%Khl_S{Thsq
zrh>0(t4MiSS%&<}=8|pt8ZDQ+#q{Bs%4I)05RW!g_9cR!1Kw(Y0xaca{2(=p*(_?>
z@ilqt>-o`i1$^J?CPp;I>iM(J>%)JfZemBfG9jTY`Fi&T;vtEYZ+w#vcr^J{qG|@~
zQKkq&(iA}3O-2JtAs7YHQ%3O?2Iy)gs(rqLCT`m7k+tgCLXpUdzP?|A;LSlGEG#UD
z8E!PRu*%9JOHsqp6!|R8-Nnp)Sg0Z=H&JTD`?666jkjFLiM}{m4-Aa53KyiMa~W3*
zi~}Zo;$vp3!lC;qXKJ6rN2hRNqGA_Cm;Ah{ilRl<7Bofp*d~C*feh*(N8~}Tv@YiU
z$!lR2D^_fVzRxXmr@7g^id)Pk_F?d%>tC9_);dbS*Nkchu{}uTVGLR^C*@-uQ${Mq
zNg)h+BhXVRa8K|tsrzZHd3?j3CTQqpVk%gc#*dz2!b3&N<qTVIOJJ?ui(^(H_ujUk
zH$J#LFq?=>0L=73lP+j!5B8G{$CQg{FV+R9A53uoa~L<{Z!`rzOJ8>}8+9qfqQqvh
zaQb=}W4{xXBgJ>85?w+k4r;7U5*j9OVfV)RAUvG%lNzcQg-)2r<=d$jA_D=xi72Q?
z05wXPWTF6ic(X&%un4F2Ka->1mVEjOVZc<$0YqP)A!3^%RRp@JifdD<$<|oSKPb?Q
zV_=s^WKc$m8?strA;Y^x{7@r0&LK`#O=pU8unfTRg|-}5?UHg3XsQ+J==X?q6Y#N1
zLa`_DCS`L_ZS%f@sWdi$nc8?LM@}U^igWc_O=|>y5gb-K{O|Kr&CYkOhi0pc@bOFw
z=|hU?f~_+lNzabrw0`wkA=G9J@NE}(ZC91)y!`dnESc~h<9ldCi?O{ii1XJ1lo4(c
z^o0tt)pPe}<!XcTaiFmCud(PiqFx{-DLWaZAWgCSrY<In8inFj1u`vmW-7?h<a(g)
zBIy1gdzO(Xi{;B+hx|ho^#CMSo<jtWU8ki(gp5tkA6n#UDxZKaTAq*o8{fa1N$(>1
z4DT+1^YOFO+9$Nfo83{E?QfUz%HY2uZR8Z|DH&<sDk+mw*ncu}1GgV`kH0W{6ug#u
zs6DIu160CI{d~HtI(dbvu`Wx50$b&a!2ZlGik>N2Lz0=~@5fB~!^<V$CaVWKdcr~P
z<rGtIGM2O0@OOexZ%UC-Sis*a=3e)l+?Bq?*_XfEWxkI3c@s(qU~t9`FVbFc3M@8P
zQz8#TT!^f!GLrvzvACj>rMZN2o?U5C9b{Z&l`eV8eq7JkEL}>Ce?~^hRkB+mhuxZj
z+bTVzH@?XIt`e(G)EBv4t~_`~1D_m>EbMcuep8F*XgI)L-Q;M*2ZztdG~C;eO5X0R
zTM*3P#eCnP;5-6krWK%O{49YG`YH%*er^k2FHTNQE-a)EF(eI=GfJqfC0DH#dI;~|
zX)0tT4KeeD-5-4`$>AVGRc9N(KDby-S#L$P;rB79PI|gexpYnU|GR+h*EC<P_AFpE
z5dIcZ`e=#QG_bfHOpbcTRr2`_khiMV;+a%oLv*Bm<=NefWuvH}FF-;q;|`MOfk>em
zG9#088nCpUWaGFuVLbFyxx}To+a<9mdw`Hs6JxmyYVeJmZAlbc+@~K8dC;nSxyafQ
z>sWnLqa<B5x*f)FY!C%)N7mPuUie(?{8GQ}Z0FjBK}PNT=J*Sjc52GcWMXP$CH&O*
z`1r;~-V`-1`F1`=zXCoiXfZ1<BPE50i>sQB81mNA;oSZvpf69?-N8k$Phh&$AFp5L
zdp4-;o3QVzGZv7-NczLuO$i#TCkdlMkkd?&-MkhHeC$HkUu>!p%@bO86*`~0uWS}2
z+fO?tx6{>;p<aowI304P^e&LFB)H}b)@%Tu<{d7|P%f7-)l4ulLnPOXBtg;|?|XNY
z<8!=fRym|{O8TT6z$63Ms+#pj(qATxHIm$s_@Wy%FprF?Q5|w+o&b_HEbW|ehblrY
zrw?qVwm3LTz;?M_y|ptXU6Y}@fZii<Gw@?#J~VodV~nJg;aI|`x8wy@9C3v=-i@n*
z86W4B<)7E(_o=zLxVAnQTJ8VlV_=Zgkx7R(DNs>S*{E^mk2StmR#xUcX=fElvLj&_
z{oL$kHah=bYJFpwwe>aL*NG9Ab|N*5Td@~mQZ;3<EJ<M~ag6<?svYB%xG~@^QCNc9
z;dHh^_qlvm#d)L@9%|94J~DvbjVT(SNO^Lu{QqdbKBm1#{f8;~1d3A|du&wJW~ffO
zdn{Gy$w|xWK7vMN2~(X8w)RW$7l!4t?1VgM!b}g$W8hK)4R&})%pXU_;F@qauqeg?
ze?xSl-lwtaHrkWD^Cr%ThdiN4h>nPaVB`ds1R|*!S*GpS#l*zOf|v^?xUm@+D{0dX
zbBMD;=wR(=%NX;9g~iMc5YCj&!@hCVqggVWhO|?IvFjkHXu8u|9&$XM+sq;ZhMm3>
z4S!`Uw4!ANZs~CmqK$dz(&EI-wJT_>N>Fjw2_h{lcAjSq5v6+<(4*&#>$(amnX&_A
z*P0}$mjww^-<_+|R-)l8qOP@Jqu91yXQLBO%NQRoyjm~UG%q%{Um&qO&*w*N^&d^A
zcDK0>7s``_4nWEy#PfbZ<EisUY|cdLAvCCCy6DLIkR<R7;Ech&>2{2QO_%nHIwCBx
zlH26|0mSNck{@TX?Z({8bC%0D6T_><Gx%;Z`-==)6+y|&k^+QKA<kb$6%8L8+zb0p
zeioOion96+rWWXItUi|+L!fJoqEHsDbhn~5dP+~m&bqBe0M<7Al{kDnyv~#Df7kDS
zQ9I=V><cWX!QmWkl*hp$nZAam4}WmfaYzGRtJ>Ysn;e#FOGgoZPps=plmVa~;Yi0)
zw`9c-W;c0HusSP)AmB+&Vt}MntCEi5@M!KTB@-|t@0FQ#Lqkv9K`AJ8QPDkHRTA0g
zKs&{`4`G^PV?WfD{v3QX&H{$^f#1rG(-rh@H`E_KG(};@ITaAb{HEch1jCY<aA9+O
zR!3m!qKrAu!hZV3Rt6KtfYV_H_?iPRDc%e4r9u-MluUPM7)}?L^a+$MfmaP2RD&(A
z7Og|hf&bB+Rls%^qZ-4t#@rvYWza{<-0lCY|IAJ-Dg>mO@DeD}9mg}J)9wC3Ka#_y
z*oF<wLmDYa8Uy&|57+5}$nD%PPFMQ5bH$;){yZjxM=E*_s_KM}@Se>la>dSrnexc`
zXks41k6-)qbA~QZS=c{vhzgcc^46CCAEo5h4`<npISw#5gGS{~r#;nDQ>2{}=(%J;
zgZ{v_noa|W$89pkB1Xb^4r@4?yZ033)mt*|OkLw+^bD*9u#{?azTALiH9$s=#{&MO
zII<ZBV&09FW*WED_ZxVtD{-rI2ep>EUj>{P6uNbC>Re1)9tqyNw>aAjuw0FaIBgdf
zC`Z>r1Vz+QEq?QS>wA)lwK>cv1+=hk{85QZE={M!^gf{wL$xnHn0GDV*ERP`H)Vxt
z)MNv{Ik@24t6IO~(o$Ow8p5<Pu~y4?j0WFjKN&l&zN3(5qyJa_rBN<1mh{HHqymz|
zAQFL6YlutG=B*p`N#G+tr|^01Q!XPwy}{sHM?ydo_M_2C{N$XHRZI0d%kMHjq#aqj
zn7?098o;Uo6y95=v4|&oaX=7Ve`A0?^z$+c!{N*n1Y_+Bi^+-YqyNyzW=FI{35$K0
zet%37aK}Jj7!EHTQ_QmsTh*oyKt)0Va&mH#^SG`aSZQk!N*$9R7&sY=YH=P40I?4e
z6x(bOMOIc$|CNzPDtQOIq#cmAca2**l1H#;8cyf5!`##=f+wK%q%}M-vCc-%V|!-Y
z_{(VZN`SQ!GKl7iLZV4EZ3Kd%)Z5$J$;nCI5Sigi9JHJnN#|xhm9>hZ1O7=QS49Hm
zsN*X{Ey(5stElR=06qm$TuG@8#laVrVnK-NBDTQqV9SidS=`ae8Cc600dA5$;_A$l
z%eb!Jxr}5(;dGeiL0hucD9B8^u>^LLR8X{L_0kT(788tqb7&3lIZ04(w)g(5{P2*q
zXh(q7+R|n;7nA$jCrqx}zQpvOnIO<rz4MS6Eps=Zap3FZQe`odZDtpxW7&5}P4npr
zD4Xh`ki0<lW`RW>t0%SP7B?CPR?7<GAl)hYUZJb<7|7>rkrMfmc1T5KB`YgybCk2{
zfeRR{$%sc@3IOxp>5@rYkZ&e@Uh4^IZuTnIVvQvg&HS12BRxYI@a4ceV81luu+c8K
zH)iD6|6q)~!3FU&<AwF>Zd>l*5BBQ04dB#2m)=nu0RaJdVIM+0xKWAt@`C){V}$DL
z8U%bY=WXM)zjB??soXAf%Y0`$Bjs?9x2FpYMF8-2K@yQAEK`|YNi77}#<1U|EX1do
zbX&{vty9qGCY}jDy{QDozf5xcN_H8-Y}Bg|`%36rVY%9|EO5xJ>t#jcW%U89+Y-#e
z@8fV@np1c~@Z;D?zu~YS;FIlj<L`obH#)!jap*(<`Dm#U#uv~X#!~pR2#pnHH&<3W
zPZiMz_NZ7E#26kwsj|^88{>VS2V|$GqCb=~RQ8>?97ZKz<FcFd9O%|n!*obytcG@$
zIN`FyeKgUp@#c`WUrRb`TGy&n21P!HUO<@H{r8WLj(~?XPeUKptz6v=)9WDEE|Xqh
zT|UGYucw>9{KjF-M+H<CKI%(D?|(<z%sCu|hWqB00(_WKz1X4YbEqIuDL~Jo8R(VV
zqm48K5R~?lpvb~PWOO8kxnDsXVhkPTx*h(rny&8pb8ZrJ>KTrprJSSgSu&XW6VRhz
zY->AgmK0P|Yy=bb4NgqFH=Z*I#qj>sYya{3SlE2{duku%#f7@d<>VmF+*Ib(-4Pl;
zf;+G9VQLDdGM&1*y5`G+phOVFiy;A@;=qLc+cPdQTFAe0{5pr?!=vhO0v+3?+sKW;
zz$a5|9b>VD%kC&>QLzRms8?dp>i+yd;VU}6x7I;+&Vfl;-Bw|-jj*5+)2e-~DhkFU
zAlSsIta+747JlxgcQ!CMIroG*NQwEi<kwS$SoH&!_Ft$mO;s%qs<>t-ENp_Ca_-WK
zTGFms(i&RkrdsBnT08l}!_~vXh(u|(A343i2t{TFkulsxwWH99s)4epY|y3Z7As19
z4FSYo9<@TwBumMLwZ-kY$?@d$DUlER!*lkog}5HOJW52QbG7et%T`wqqH4;Pfwp|m
zJBojm>cv&Yr@{@3KYK+6hXM!wfNv5_g353X=zwOT1aRXcV0~$Rq-^rfD^Q_EZy883
zdKStJ@dS`x>m0wxx@#zb8mDRilQk7&r2AzYK~(Tigc%^Y)&7qfh2k5AYyq#~s?Mjm
zs@ulfr?Cr_4cTzi(Ggh&|DRtzC&lvXsu`acF0zh@JQt|-yi2%U2`Dk@^oJU=fXBl@
z!r{QuaB=siM>&-fE&6GB5L1%}9K*H8Uzi)CJIBAAu}QfA8V7Ru^-kZ^v~7V{NB(?k
zKx<mMU4w05&1sgIB`F`~%&H;GBO`0|r%v_G7_v}J;f}*L+kxS+FI<ZqR;5SuPMJdf
zkm^|2A|t3&l<p{qd0+1S{0?#?r?8}WS7u%k3sF>3A|oYjg1QedbyjAkqN3v4!o&!b
z*VtNiW@hF)3SM15e$(grGkGaI_?_(ZWsg0e+3L4H<1CKkWu0$+N)MFlp$~A#eDImi
z6mVO4+{>3{X5GEof36hs@EcQz*+z~!5s!+*m~XdHFzPWBPegyc56g`56d8Z1?Q1M2
zvi?y04Q9Y@KwsL5!RG-%Qq-U*zvt(p`bSwquP4N{j}sme()L#oC3+fKpr6Q$c7kqN
z2b<hP=?J4z*NsqBM8MxXTo1`~*<+<<@1FNO^42}+U+9OzKBMCgXFcg&suVrF4E0cA
z>O!>>EAdAZW4YbsqvF4g<rG<UDg*%~UsBa)RYYiBUaAa(!;WSxpXG17HaRu5$r+Un
zjsM1mqV~V9cMjt<W8{&Kq^%n+mmdfH;khM())0zDZvc}3pC?Fr0iP(-(K~qe<>US|
z96@w%S$~?NAk39lyCuiO-=f?OHv<nd3WGR0?%owgpNhj%do%^D_5ag&Ne%(t@EPF+
zHU9vy@6w-xidX#8{sYNE_?^UbVe<z?cXA*Sc53<}sw^rC%Nh;5YFtJ-;VlxN^}zeA
zd*5$}#e&=Jf`h5?sqMaEALsFAfBtSWmZ!pin8Hnlr8)wTB@*3I8do9)E_|Ex{9V1y
zp^?1RVt~VQ?JB`dNJJ}6k5<vR&i@Q>QIWO!SA!>rM+jq)^RS4T#0d1pmVwsdZJDm8
z<$YAuAC((qFm1`tr`B#)%A=K_cF1M%Z%d@TMZyFh)m#LlQwf?xMwbG|t;7pD1M_;}
zp?yko3yVIpq)?P1BMb}-=$Hn&81l{$uy{gJ85d^+S}C2c)vD6&(nJV-2>Ph{e2id<
z#PXq^n`*GLnsT>c6%T26|LleuvB6fSeXl&`xEk+Hy7Tghe=79Vv|_4cJ<6(6CU|8~
zKBR{U$ra_Cfyr7DbmyRXBf;^_dPjQDUjUe2Gu<8FRck)telM)0(a#QSywl)8Hu?6i
z((TQ5f@=P2o<(>$9((yqf8M}JNqnTLhHITYUFk62sS9tZ{PIJu;)h{a1Af5hL(f%X
ztjOg4RO{}qW0Iee2xdi+DFl05A{(I_dGFwh(#5g^ICC#lqr-`k^YDdn{{9n{22&M7
z+CDp**T@k{xIl7PzJRW1Vv>R%p~IV1)HdTzkEt$U5{#31SIg6#zo-_**jm=V_3T`~
zu<CMoY_{M@L?iOtRloGF_h8J~DMa|hrIFI2xDr#GltWa1Lp0n+ln@&EY8H8?<Mdp$
zOO{6nrT*H#5)Sul;m+Nc+{KFC2QSC;k0SvYhN!Dkt8JWOeVspMo0}E-G`I3CobtJQ
z?w(UO(8nCD7}qugbQ+$v-;$@7sqeOfUr$=ylec@XhXM!%O01@OMF}wnWn*yP34}P~
zk}%=uC@W+1;^XOmRqMJ!HPL{|cWz35CR*=*!yq3AVKt3@>gsl}^M*!~#?`2KZ|W9_
z*p4ezi+2(u@kVbl*qY1P*yWcCclxP4mMQGDwlom5tGw8n>Ey`Qbjh1I!TP1)Q&5gr
z5T*>qtMTHG8CeS&DHOP@UXhkxYpTf*4IVS-)kCABqr<~dL%`{G${<AhJ|-GZ@cf;$
z0_yO&+T=Q7IHJT)6a*gkaPHRMVY%-?s=tyT*z(zb;?qc<FaBO$)fEWxRy7+4I9=CF
z%?yoxx3MoK!(3E;Ht{7{*20cWPWXvSh2~29IIb{}`vFWuNLaGAff5aZI;s*#d=!&v
zr1@&t$)9r$_xf5ObHI1_h8aP524Hc25+{PW)1T;PGeHSzNRB=Ncp{On=Cg@>fC(+H
z5X*SqC27d1Tgu`~$|<6kp|dcL!>C3$<Yx#fT$Tv(rG{^bB&d6rl@ZhI)folU=upC1
zPfALP7C^e`$on%krc(#C);ZJ`oE0v|tO6ow&$pf}9qM>zQX)F@o=`ZP`s22foSLDW
zoSLoTT>B@Lxkz~Ym$lx+lEp%R4-GUwo@by=Vyf;mfBj~XOQ2L*BF$QMFUTW}7l%}F
zs$voY|MwCWj10X24cz?4tRG+JlKpz_Dl_**!w3Xz3ru2Dm={Un;hDF4Ju`{2Us^5Y
zhf#^F=XR)kfEyS2_og8sM{RiqB@hAGPQXGzt~Gp7;68!K7v{(Nh$trYp}|4xEmxO5
zA7tN8pzaDGwVx0kFDY@*?$;?Z)C#L1_PJU=qJvm*c)F;gt0rg*qS3){cekjRPAcC|
z4Z#&<ih(hSrrJsLI`t_s7X@l_`za{oXI&+n*x=~&-)o*{>LQdt<A&}yR$xh_cql~A
z{b=x|BP;iX;S&fMb1-Ttsu()P(`&S5WRfY4J#A%VOrolm$SC%me@H~VanYm%&Ma;B
z+pnrxSnKNPr4QG-wq*As!qW{8#^6vv-O<9wjp<E|U^K8B(OD35eW_6fEwm*M2^^xu
zG|tGC-=^9G@eY_BweE6!!Awh*iIDeS(&g?n?k(Z0hele9Un}mMT=AGlimAzD7f45@
z8ca|cA2Jkc8ya?QzIUl=m$6q5z7vR+u9Zjqi()&|t%gMyK=7g6QeK>UiXAN$L;eNX
zO4=<B$@X8mT`{@PCL93A+$=Z~5Y)l|&HvU)1HOLfKYqWtY%+OTM0_3<WR1#FPy<$8
zCoBwo0<=1sZU@T2MR!ab&$XO)wl*5@_%x}4?ECN=pDKQD-t04BrCJvm@zG~++w}e?
z1L&S0d!wK`4@>wP&8+OB!2`_IIPV8=w~=kH@~)2@(pJrYbJsja#V;7;MUXPAJ+6Zl
zgu>8Fz+$a?`bjZ5qQ~pS>AonRj*|X`O}3$THle%C=6YKoJdc&)s$4#LNC2WVdpc(|
zQ^*hly8C13gZdD3fgrkvC?!np4I#E(RGpBR5PJ0_`s(v?+vI14kD&rVT_@iovmXR2
z^Z=3V+998cv7&17#lg>30(Xc1lmf>Vw?tbK2;8Z7w_LR#xvpbM3QFFtvo<Fubw|Vg
zm*z?&2K?5!0I;!qLAp`$^wgAzhfFy?Hn>vIx0hQe?LSUGGSLD(BV#!cc-#)(;|ZaK
z<~D$;Tk+D$p?t<b621n#vAS{MwH?L+CR?_eXz=Qp&bbWv%^UgiopBn)I&7HP!?ALE
zORw$Rtmw_5<y?D@btK0V1t+s6s4R`JbO%{8%K9^Ewi$-kJHsg1^*22hZi;(Gpn;<w
z7UgKFdyL0kNX(Fjm)1Fb(x+R|kQJZFv>3q%D~=p{6X+R)*N1M4w}F3*lQCUUT1zOQ
zvj?9(e8C@zzT^R|G~63f<}5#CO~`-v?E>kH-}misJ>|r_%vRoa!l{=*o#!(r2ZwQ^
zbh#)tc;08ZoiuIm4dW3TpG^?}Jv$%3{6ez0p>+_J7_YCqO~PN>e9i#sE@7JTAfx^I
z`nh)Z{LZP8`dZQF7Nu`hhqd(JWOP?za!)NhwHS!)?8w2~1+`*x#Lwk`w2Z43J_3aT
zwFJLgori0?0Rk4$$Gf21Q17z$sn$PHs?swg31?(J0Eg^+mh(Q}e**{Ws%eOUZf>(t
zB=kUsLexpFEg!i6xsd63;|tVb<I{I=)Dp9@uVjs5Y}Z1-ua8evf(-%qF2zug_e^xi
z=P81fp3NY0FWxlO+V@rtM#&&X?71RQw2mp8B4Tjq&RE3!F-dyhmK-V0j$V_f@+RCn
zZ1WH`Zg7`Q9tdE9^d4E!j*PAo@`F81*!iLgYcBp#Tl=0g&23;u{kb6~tbtynL%sA<
zajbo|mQoU9wV}a6MV1KP>qK&1u^2n23CD9cwpG$N?Vqj7NVdv{-1|O?l20I}yLEX0
z#o^}0MiZJubo^7MeD-OWVWiyd+wJ#fo|%T+U@|0StdKg0tB76KXsQRk6?7G09Llrp
z)WTnB>L}wXKQRIh<j2bc`)B0Uv7a1_=jX@r2m&G68u*g{n}w1Ux=W7cTs8zX!!s=>
z=hQ8c7($~Y)0L%^9pfxl`>sR@I!`lPhHB{2HFSM$pS?xn<Fm7i%SRrb9Zt0CA}yzV
z6*G!k^c(L4F<7{BD`O2^(0H;dbVtc^5SLJVnG`CLUj{-?R)_c`&so4{ah7YLai5)j
z<jxphV!!gwU}cJTeB~?!2t2(d`SY@HiVdKOCnQWuG=-KR>K+S=!NTqEVsnEA;<*B~
z_A+F&*JkL}>yIBlqzggJ?^Drom;U@QU21ZIdxy5hqfW=<*)1%gCacUjAd!XsK-#o*
zOqK!u24<j&IzSpevCnk<4qvob*lO+n5|bMW%ET^>#H@EFyitG2;OmVgu@?#e>=@Rv
z%|ETT{9cYbIeay|;yN%d1Z0ISLs#CQaoT)zY*~;itQ=GU-TP^#D*i2*ev+#q(#g<u
z?lGiB_UK`wsS93z#?X`{z3$|)p6<`lcK9=E<gpO}53$hF(i#+`n1iAS!6U)=#smZc
z-e7)|se<VtYUnsm>plw~s)&KOBlgO@ZGR%dCH8;mR;36t7TqS$G3~FX3VLuSvg2~R
zrV!qVJt=y1yMj9nF3CuSrgfo)8iXIfUfFu9b;j+8$_kTJ4ncL$ZIK>qs~YXRsjDUl
zlb7Yv{ipEfZ303Xs!ZE`k4N)!Bj%%60fVLuB77qHh@5fR3O(Cq{oVZ7be`v6o{5PG
zwaF><2^OD<tas<DiD(o8wzjs=UHOCQ%GT|E#?D}t2ohx78C*hrO>-oKe|Bd`H{-(|
z_-Jw;tir{WNJF2Kj6hE79TT~R3NKtA_a=^ajf1)YRdkXM+C1a?K^c9Tq~hS^%LUQh
z6vH0xI=SXL(n<Nt>fSe!+j^RUYN3W#+9Mj>Ar5YCYWgIqvsi7MPgFZB>~|U}6j23y
zheq0Fx9d-XLF&$P)Hi^c-Hi8wXl&_neK4bx&ZS#xj;{Sj)nt%w0I29YHFVamx%wr1
z{`&!{tu`c)GYC0K3<Sg`QV^K#f^O}|BeRH1R;7cLC7xqT1zxm49>0$EDi%Fg15Xo2
zS#xBCxDWTwML|^=htaMX{%du9EtvopXXk{}Vy#Ll(I;QwwXWr`^NT;{AGH?_{b*T!
zi=IqwT>h|>(asH+KHA-#ZS!)ubDK%$cGOvHu-n|+Y<5GdFE~<>gZ3F6=bFE%h9KGY
zRi<)EFjRMJ7S$MOcv*DG(oAZmscmBP_-iSH-t(3b?coZj`5__TZ#B<agXJQN(A#H;
zWENvp_&CWAylrn?*52i7Wpm9{I|iTKLZF+fi;K|3Hg5)_I^X5WanE~`xO0_q-V<y*
z?>o^wGlsN?{li1;S7zq#C@xh3ZU-!SH3eHEUm^z7i>7}W_&}fa(Wec4P-}pEl9Ysh
zk;!U1h30WQFR??Yh9GGi^U}5RNwjOp|E=64<LO+(Wvz5N)zJmwr1tHz1|j;+E>_2;
z9q&i~8@d@Ls<ya+S!@ov9p+s6%JI^Jd7zvP+}nt!y+A@M5?j9;_~<9Gv5iSE);c2c
z__UD4pvJ#(5slblR40|e!!z?>T;1%lD{iogNuH39rg`-c4b1!b$A7+o)!ZaC)2W{5
zK(ZMC=W5YM#hY!7Vq3nt>AWcl_{j4m4<hP!x>U%lZ1ex!$I&AK-)o4D@B6LxaASK2
z-Hc`Nv=}_PKOWr{ZWW0R$r(A{tmGwn5b!s#FYF53u0_xLv{%6+W{iG(EqmUjcOQ#q
z1@iLpCUMzcgfCVyROLXWd*u)?{NPep5*Iu3<tBgLd?ejzSt9`s5ySUxJ&g5BeG3`s
z=evXYkmIySSYz4mU$@I<fJ<>y5=|q7)<G;_STr2RxvRg-Wz^NIym@Bu$hLpF-B6z7
zfSFTyYO&CPgc5(nXF#OimcjF<;#A~P5%W}xDuZJCPAB!0toHWa=l94gRP@3;f}2kN
zHOV}+%yrCno}-3+_H~QxSM19l_nj8!IpNLi?4lE#I>%fwqf$gOmrwi`o-QL_)bgB-
zxft8If7h%AhlGYUSkIu`EYv#$yp+$P+Kn|KN=X-*Dz5q-HFjbyMSF#c8`GGZ-T;B0
z{P<#R0(0MKPy$u;^=+-J?ll`vkJ$99(jh$e(gV;ZNbohk6Fcc_!xw%3RNN(U!xU3#
zv+Fx!vG!oIKB-m&0Zi3qK0A0E+IiaU4qw2V+uBAYY?Is?VaUdbhQ?-aF8daisN#AX
zxrq&3yuQa6B^oXS=BIP`D4z_?;=Ugs>a6nkMCl~VwbS>v^<^R8Mb4Ye2>f+-<=K%?
zWNNk_0Vb3S4>bx232A(G_EgmN4^<TeI&+RlAj6v58VQ>anboZ~2KW$&Ut=U1fuMUK
zj5Om`)wfi5eK0-tomCCXzQQ$aario)^#1L)-Y&Wy_?|%8I1&C;8HpxUtT+u{n+Ik(
zEeJm3_bRD0g@q4FO_aHj+#`gJZK!JB{(N_vZ&G8}rU&wQxL8J_VTgNKSu)SRtWWCR
zfYS!VHSixsa~Xm2HfOV5uB!r^SUIh6y%41N`1$t_4*X5{K<hig%3>;8xT)9Ivh(LB
z!w}n8Lp|scOi7$nvczAE@?c1}5FYm4)yj1cQ_QWXZPUr*vYm(;r??*IrF7ngjMOJ!
z_7`;IVZ=6;`ZzmJg6!P8)yy0~Dk!DFKt{o9&k_q^GwP_w&%d;)HBb5Vn0hL3yoHmg
zcENe1`|!sN1BoV1iUtqY&ava2n*j=1?8u<e=3Z!h9m?-RNEd#k-l5ycMZoKAfPQNf
zaiKGSdTD71+5}AJwlU}OJ-UFSXT~Lb(lBPY;mCqML-?}#I#+X@k|&NogRCi_=nrOO
z8s8VLdS=2P-BIrB!-M9GzUsBtJ|y;rHws<=o6El`7WP8I`-!T?q?h0A7mhCdb^|51
z^BnnH+D{%Sa?FSTk+HF-|0+r73~hKE<e0s}k^Fv$O!ZpLZ5W)~=Et{V5n`C=3K}V}
zFl;c#&Bf(lOOACsx450IKLbB^7I#@>`}Nk3mZ+6|00JaJgM#2j6?}i)|Fb;%Lu)ge
z*``$l`DcilLiVg!#CQ`6aTJdX<#+oY=^t;<$({NegdmE%*wlwC|9BkRob+rpENQCt
zz3y^`a_|F~rN~}3UovS2PM0gvxu8_HBXFk3uRqUdFi%h<(g6D=hPI*bK{m(6I_ySl
zy5b>tkTmpCo~HWmPN&MVUx5w?QwSGtkE`D%I|44Oc~MmQXB>X&u~}@4T}BE$Fwv+l
zmOIV!$y+>x!|6tTb3$D*ByTR@#{F?rc+oX(Da+_5L^_I4t=0WFR}@o)(LX%3^RVtP
z%TfMON|?;T4b&}wNP~S5`A^V*#MHj0N{TWXJITaO!~eX&29~VzSmdwo`s4NCZ29d=
zcL=Jc*L}JgohAVx<_m#=zW(s=Ff{(B*T2+U_S1d<SKfGP7*@35F4;`eguEgUDqBLA
zCNN;TC}mChyHR945$MHab-K}kh=Xz<ose{f;=$BLs%UJrbWGelC+N1EDfH=-X!z?u
zmYH22aN`<qI=3Dvoj4DRmZA7pJS22ZLanwg{2|!-O+Mc58bJT<eq}8@HdAQ*fC$}|
z@j0eG!hK~%Yt8ryK1PpNbvhh)q~H;%b-*XiC5Wa3+ttrETb@rkwBF7+E!|dI1V-J}
zm^6|V2TF!?SFd>0Z4;1H9#?tnEy1y-Fjj{~ySj=z+$o!0)$X!01Y%G2R@KW;iqWz)
z_5|qE*{qCC84t`)+L*XxR|&3zu?u=?va_Sd9%jDk9t*fht8hK%yo6EkSOQIY(QdX@
zi6vnHIN0ysgFm`;PezM_E1d&0%oSIB36sn3WxksQ;^=WfN+lqOrtjrH;XPF#QMJ_}
z$x$lc#eKrRB!{<SQ@reQh*6>>^#78is-=ORk(gbL`zsGU9_v@0vs&!|eszWM>dO*Q
z4ymJIvKR8ifPW7`OEyKFfhJRRISQJq_icI>6g*yg%A{Y9tS#ha`??mf!N*PSl>mb8
z<B!fL<Kb`IR>jomF{UOapu$>1a6fKYbzgioYOuQ<3TEUPg+&y?W+KVJY+37(Z#0DS
z$ifhErOlH_aYoqL-w$85EL`jryb}{QMy9X;kfUch)b0fLZDxuy&7b-gpB{}c$Lf0}
z{bX+c@j>9D$I2vL=j-+Dy<k`Fe8~6hFCNoAuW%FboEqVQ2=C4q=ccDMs$@Dl$5v>-
zx(0szeKn}Jp(6&Rvp$r7UDr>aU>eiJ)g-`TgoL;2Fz|mq;ZS}?2pLDA!DM;wdXE8y
zB@Ri#D`LDGnV=&sw(}Y={wKw=Q9dyoC6I@$_xCi}5iePRw_IfXed>6vhp5@>g0U9>
z6;p^{&o9s6)M0m&kiu_O2@F<-6Lv3$LP`euv@cn}@1kG^jMZoYl%u0W*IbBydTpI?
zPv{+s0y{AkZtCN82Eng~VGg4wtJ<AalGi%V=*r`JN5RJ88k0kg&UyR*kCREwDuq~D
z5)46o<l;{aLg4q%`ot63B;8>*AWusp(bf@vpRC^W5R544Cb0J2sAfHhfU9BTFE5KQ
zfla^{o3UBZBWJNjgU5Mht>qDx96lGprkNBwr-BrAqaE+BC8U2*qa0maZ2nc~hMo8!
zDyIvZK5VT1o4ckEy*zx85Pd2cXcT?g_>7{hiCmHk0X|$B`Ar;!X(Js4a{ZB>g&CmG
zsdtLSsg%N3s9K{@Y%2*?Q4c~|QGA+40pqLUG~|m{Z2NTWOmjjX%gu^_56$s|?C3<K
z7ou2Wm;EM)qXIr)paBl=4G2z|F(z)S7@%P@C#>=fb3%8F06=~)Loh%PCovQY#rC-#
z(GqOPK^_nJW!UNVmwByb_SmeP2c7i7<QbC$bj-VYy*E?5>X2xmlw~8wagc({FfldN
zv#`Uu_;fck&D}ai>g2<K*3P#4yFu}7a)?RFch)Z8);IQ3)NI1YsNr<Yar9bFjDw<a
zL*3uNCiYXHy!eze0fnm+vJw53?!n$U4*HAm-cfs4<K*Rg@>m@D(Z|czm(y1PkCWl+
zKP6O2v_JrHZA}d)G^OL=k?tNCkmEM;*$BpucG8UT4+^bZ@s`!l3HipehOLHA_l?!_
zcf63LA%d~$53V2qv!eS?$l0OJmS1Qr@v^1A^A!6*6695*tHOnI?HHM@wUoroZUB5$
zl7KJ2JrBYq4nugI_{itZLhKb%S&l}%Ov{P(u3{e9@DMRBH7q~8$quL-{1gjm@RSjd
zDndeN7~n-=9cS)U{|RC9UU9lcb8U9NU8>Ky7Q}dM_j)}w$2Xx%js6MZvF;w;N1bI`
zHtjrzAoP_RZ%g%EAlw+|OJ8$HM0g)$q=)f&@mBP8B3_el&Fva*Z9aV!$#f8Yy7kTI
zjBOPiWWxGEZF>~kV7<8F+(&K=``funSR_3^>;90p)96*=MrMRN(iuTZeJvOt-9;0F
zi`#vv$(>BFe5Pb1P&^sRBatNFvZJobruYWcT!r#&wOCrH>6p`^*P(DVqOvG~2~nWk
z#jW@aB|I$1uwb>o*eT4Pa;Qh1o}76P0BGiVS|@WRcZ+3l`$+#Qbdbo%?H+?Q<(5om
zsz}K#oy*|&X|;tjTgdhKN7luLY?EddE>=O#s_z?O<{dK}9*Nvxci69cO&viU6hPmr
z(nqzr^<R;*0{)9+i+Kng^(uOGrmNr?N<|PJd^(f=^N#traF72p`U8f*#s+;EB(F&P
z?;96`ZNYrUw`zVq0WPz*rlmbiP5%3;t1GJ?;;?>bLz5P}Mlxv9Qe@-F2~`$6g&E4x
zUXKORUlhd`s9oe~R~eR!7pAO-suNVv>`;#O6~q`-Z$;ja-DJC=k1;1;FlS^zssFO+
z8G1m08FTP@SrVJ>&uQ_@!z5-avU_t*KLTREA=5$chSw6yDb1U8Krw6|^*SHC@BUlW
z>Pp6Q(fF3GTeE18mO*Ej1F9<?phpiqx1+Pa13h0poEqTvf(-&pn9MoNOa7le&NC2>
zxcTF9x<m9DL9`I%q6b0rkQ|~!&neMcM2&iC2qB0rS~yWJ?(}wqgos{px=ZvfdOQF1
zJkRU@yM4Diznz)gnfcD=ceiSx(LW+ND$nVvpSwP@76|uQoey8g$l~c3?!Xi9)3HP(
zKKi?$^5@l`R+qirq^2r><d<$g`?88XWk*|-V7#>R)bYR?FiOUiQ}#&4P=ZC=wK==m
zMMe4#rvH4Ng-Y_)LF;+MZcO8#peRYS_txAu|IS5v>sO_(<>X$DB!ATVy=uB_7%uC7
z5B*JMc4O>|t&>ylb<Aa8gvcZhFBk=o2g&KZ>SA@<^1A`$6Z8l%42w|NFBK_$p6hpE
zH`9gl*@Go|$X`A1d$!mL?j)m<-9LUIVIFkUi{uWrgt{_Ue&kq{T!>2$`iqg?e}6XL
zqy$w}hNUW7#L|H&T^_@LQO>hn(CGMh!n=1x%n2FNZfsVqnW&YYOeTzlYl!|~uS@~e
z%jksl@#;{1(RVh9FM7i6w-<`1X&K;Zz9GzlCf%2li~S5x%jT66mu35BueZ_8dy1O3
zwDR&a_CC@oWk3;m#?~)_zYtCdA~h1cJ+p);usU~<h(Vn@;$F=7))Mvd2@5KX!=dx0
zcUt=5g(aKB$nrbz$(_2Ut$;|P=!VdZ1If{0OL;#}U#uEmC$?!$r8+qK_PlSW_fvFP
zi!!2K)WhKANrS8Ng?@x>+p$94XH|WZXFW75E!~;{AQUR)BEa<cHi<ZqaTHQ%4PPC4
z2^L8|{oNH365=*pS7}f^=ZOk{>Wbg>JtH~hbPIp*XQ)?V(_KlWcX-#KXhq~rwfij2
ze*c3;uW_RJi^I*)s%gLS!G=9{sJRCr2T%?QNlK<}gz1kuA}|bObL@>`FRp5@TIP#n
ztzch?`G!xs>*=5I|H|1n%|2>8CAM(W_=tHYTw@rZA8`bFNl}sD4i-44qV*fx$GNuC
zQcJM9-SWR|K<51EnX3&B4Bn60UO^!;Efn4EncbuCezQNq#P}n&_1$#vUS`{)JY9K~
zlkX09?7*&muv?tGkX&8!w?t{l$<La7-CDu|kEemL-JuzyZ5Ni@aTJTq*eDUs$<57{
z@xVX&rtvqu^1+#Gu1)q}Yg^G1Z*Omn0Za7poNe2!HSQ9LEVSc;K6}m=4cmpfe+LyE
zlt@aVA#fvtx!aRsR#9Ducr*L@tzSL`nA=NC4|@Xe`scUXq1ivi?G4Ev5F4YehxlNy
z>{{RwY%Sp}{kNSavTr{}D%AINkqjRVEacqe1E(6qyv@0il#LDHpxn8Z2Gc{_cFUWM
zd4pyj{J(?BBnslXdkf^8yvQ_;W^JV+*g(z${~PQw?p_C7tOb~|TcPG2h_!SDL?p25
z?LA()hLEV+k!Q%&_&O|KI(WDDb??)(s!8@E2AxuugU**)22qxe66Fs$^bpWoplRYo
zb$^VUA4!3k=0Pnob~|g<f6&=dNkK(|&TURE-cTvpq#)P15;4v*R{21w=m#4O;gmv#
z4$51-*V>0~Ht4J7*MIXZk6P+%@OEbQs1b3wVyIL{;F)E{wXp7W7cHqN_>LOlx=Z_b
z2p3Y?GEi&Y=tD}%Xya>#mS~{HY?(b${(>pH4Q3J(2sB!MTn2P*ciOK)MvdKs-#2e3
zJSi|)VZ^#D%1Vw8+KupE>9qy*95m{s!{LvDf)wf>s`kS`<pensYkXq;ez}S``uMI|
zqyXW{G&YcU59FfcZd%>(ZIZV_Zb6-CO`BmI2FR3z4Pc4eIqI7;Xf+^;=wm7b`$)B$
zLieSN-K?6G(b_EO(CySYrrfg^z$6)2Z#j3_>;cqFw9n((+VErQeJ{y?7Lu(spm8UN
z0rXW=Vmv1ST^T@XY6_SwbKRWtTg=|!O-uxRtYIDmh&Zs4G!A*wPsdY?pYCu-9N!LX
zw=P=l&ptmreKidkqq{!*Y~JFNms&Pwzucfo!c#tcvT_PMerLuAQ+X&c|4I_(wt6@6
zv55~5GU92Fu`WQFWBMM`uq)e6x?lOFJ+WmgK+WX6>_)><%+5L55#RfhZ#3dEN6n=V
z?7hC?Tv^lL>Dqtudqh0`n7bHB%`Ym_?kMk(+mFk}jezJcF>-~#c+~D9v_p>WbgV2&
zaO^lD#;mf=w><>aDI3@kjQjI4SI)24Z3ED6<^CAP<-;5uH~Y3*jV-`4N03a=8WV?n
zfd%VLR)@Q{uFWy$`?5+L<zd$;W_<pmy0-o3Zph&HG<{`aGDa`qX=fRsmE8yQi5};*
zo(_$<J*Ox_v2Xf!8twiyAfd7J7H+#{C0#$lT+&0%XXNcWf%<n7+N5%a^6gf{ua>&9
zoKix^$HzqmDFE&Uq2~KhrxEn;q&$R~+vI{*1T*$cHJNpVH<jx|Mdl_aYe(qa3vOC{
zLBOZ*>2A|L>oYGeA|D$d`mxR^dh6C#eV^wA64@Rym7CR16oaD|T94->WMqJ~CEQdQ
z$==@H<@s?;RU5v3uPmF^WTMKFUH*Heed$BsA0bSJ@=~0J)4@ZDt;vzu9wtLC&V}^g
zuU6c6o%lZ+>+g;MqS?Ry^7cz&iJ3gL<$^@FIM0Ifw&#O_hbJ}A6!6+*iO`5e8dOQV
z2#T6muJu(&?z6vVnLf*}`8U?qdL>rE(g3LxFyAd`y2)101+Q#m8u+1bt|KDv`*F{L
zk{f6bXC%}*kCz!fVH_>eyeTg)A62TO<>+|V65Ev=JX>sfovff6z^7(;Tft}X4GkRw
zkdHIqtOHXmUHFkT(pM?<500~28xLhJfiQ6f!sH9M!2ReBWFae_11M(VlV<GZo4QjU
z^SE20m@5k#7FyhvQ}5e}^R|d>(Hkizwu!oYWG+wZhsSy9J@|NqvT$*6nXNt)sKCkv
z>|1vw?i;WBu2It(Z^<MtD1=FWl>jOopxXw-{;d%R)6elONmwcQ^?81kszNUM2CW}d
zLNoju=iaHLZL3iB_PkiyoOGC2PGG*!Rg9A{t*wV%lFZo0|Kt*Z9HN<V3kwj})rICc
zO+HZbl7)4~;Kd<o`KiGB^N#aBR>MMyqOy;l)Y%L(=s#%Me^{@<YF+O`Zf9$6Z=6d`
zW%1I+#>S8$E8MApkuqBQI+Mg#UWgF}D8zB1ysoNUwmvNEsI+{@kn)>9)i0+$`@B>j
zUe8)24h)F~j_z1kSddUj0-xx`4iSNXKP5j3y7vX7oGK)OOhTU{Dhq4HLBXdvmc>}v
zuO5xooP+>fXxIZP&ca5@?s<>EcH{5GA0WUv4k!!r$h_JPhx~`3czI-?X_TKh_+oTF
zI1^JArw3d25CfqS+M-*l8@Ia^p5RSTzbc+?4B}^Z<e!A8l>@@$#n(q3>QQ~Tk31o_
z%K!*bi8kd{7*)gdi3+v%h=~TQPtfm9Og7W@-0^)umA`|55ZZ#u`CBlO-Bv_Lqdh&V
z|1xI_WONOMTq~|NZHE}?YrgW3aMW0en%$#3_!IoS><s7I>0GuZ`|#mI0fF9%_Z>sj
z*f8@OEaqzh;WX)--xI99hR$TEYH{_2lGdG#`RpvZ@*{;*L8HQfw1A6}kdRaj)D_@=
z++(+5_7$r?`P=NyksU;tLZyIqX)FbSEG?8;YvgdRyq50lUt_1FrKM{;+#Dd1)Y1#a
z1m7os|HuBiyqQ3eq>%eP!%D7iyP>Hk0-wR{*M^Au&q@wksX^Bgp(2(FVq-fd<DGpz
z$N!>Iti@5iMQY_k_(OwxWw)}Q5B{j=8yTsgkYN>PS-<(8m*8SDu)lHtaj2`}4UY%&
zvC2$e_q7R@tv2ZjRWKVR1wb62;JjySM@NlbyKQ+zAi{*eTr;aEtOu$=XQle-lP3_(
z&$)IG^v(Z1=uplIL)A?i%_{71-#Ty}figUamMVs1mF64HRjvQw3e8U1v<feN*H<Ub
zI+SZfKf^UR^kQxVC&b627x-R6?7orAP=uv~qrg$Pg<}}9dthx^_stIkcb_P?xIX~X
z0FnVI;B`S$(p|?|hlFl#<gWM}a{NwQW-{`CrTW>K8OKl-%B^U?0fzGRdG1ZOJ~AaP
z#J)K-&NIyx-V{6Ix3AH8OUb=UT4Ezn0&Q9gfpi^v`hY3}<V=lO(%+j6<UM%&{Q2*W
z4)_tg!=D*O=uQk^W^fWd=TJ*&P9KV2!ZhFe$8s12st!NZ##*Y_X#tK+Sai|q+QBiX
z+M!5o1V+E!>Y|(c>Wwoz8Tt7$Zq}~H|2K@V$|5pVQQ<sWG5EN_sxjA;i?SM#xk-1Y
z=m}sJ01A3+i+_GhdX5Fge{X;6sV_zKPX#zy=qK9$&k;btc$tT%C`9SPA3J?zuh9m<
z@~LSAU_?KEZA9T4LaYZL?x_AFl|Ghr=jI5k7hT0$%AEB-UXSYVC$%PYF9tjjfJ1OP
zi{lSkV?x$WuTepEVUrn)ds|ISMH(0Wp2t)98>D~$Wi`aL00P}YvB)jXpKuw~#<WSW
zOcAkrmcNaNi1_qr4!ef3=qxM{1t4M3uB*rB_=E)WdiPpS{6V>cAF-tp7Y{PF`EMS>
z3bp8k?TE=;q+Gk&FPI~}E2dJ8B_0@)=HE8}_vsAlPL8g!{!?vVB4hVi8*w^IjV1M~
zCjU1j#!(t@xEih#!~9DkJ51u~r}-Q^$Q%a{bC$qSLFlYKGi#@^$m8`*Ra8{+`F{0!
z{-b1bJXpC{OUhgcm~Q@bPE(5X+LQFBUSSEm#Sp<APSp?xZ!7hfs9;TZfCwdKXS1sj
zXX4aAyO{tOP%89wa>tO(HAc*bXe4|P%gGN^a)4$5!1zUL{0AMzLYWW=;9LL<AlrXI
zbr4CqYyKC24dVrfC&0y!)_>r05d|MwR6$@NJ|UsFzVvY6j{*V$uhon5Tk`Y6`V5l=
z4NBg=v4%*3fgL?yB~6<LE?mq?S^FoKhULP}(NPuv__Z)j*Sf?I)&I#0P3jf`Ew%V3
zSputH#p<cg2O`{td4Qd9L6*@y&V>CKnoo@AI8uk)-M_R@2^^~lKd=UdO)~qw!d+z;
zwcv>)Ow}mteEq4Tly;6Bj^l82ap`-htx1EYioFq@PDR2NFo(uQ>Rgfz2Z5*41d-xk
zbqS?t4T6rbG9$198D96sfM|h}9(09q!6;G^Xol%EJz2G7lG@(dO0e&fXS}E8U-q2B
zwR?w`&S>riiRu@}b_|5#ZED0LxESqw;jqE9<C5;TVIROcY?Y<2dczFQ9%Zj{^~;3s
zfywQ3%C++8!l;JHw38OVtZX;%eQF3&JgL4GrzVoZNl3u6b3rL<q}bt6Bj{TUcMhy@
z|B=5G`wAURuzjI$nu$6efs=RSC>^=;4IS-WKB5}s6I1PIOli8fpK?=9hn~<*Bu4Eo
zvG&OxF}a-}m0rrSbD>Nn4GtUWJj7kB4|NjiO6H7CDzSoSkTsW3cz4HAu&&?CRT?pH
zU>ND;5rO2~9HOJzK50+en-^&nxtZH*qN5YisksEe2=m`3DI*M31SHbDGvQ*~JB5)H
zrxHvq`YKKU*)ZR#RJ`IzR3`^u6(u8vh@Xk2H73f#jP|0Ah5tknGo+jiGY^R)(K0hp
z2kso{8OpMrxT~a3b}7cAZ%>>$lo>rrs8=8<K2d0KS42{4MQDVEv0dAQ%4v!(+&8|S
zAvZH9O*Aq&LqBDns*QF`jW}dIT9VuxO-LF2b0`EJD@nMkxHz9<qW+BnE_`+0^kjg!
zvz}iSc3_N1bIMT8LZHt=rys>4Iij;v*%rh>C$CF>QFv2x!JWe>iUmDHpwc1Kn)z%`
z{nS=&zF9F>4)=|vsRG#viyBbWT<|_?qV*=_b?_8~7-!03V5RYXOZ?RMzuey8!lC96
zr3wN(75Rxwr6gAEggaG~y)aVO)*LO^0_mv+b-D?5%w1(g9W?0XCk?O)t21gTd6(cS
z7IZ0{JW0|Tjn8;-)3lXBqYooJ8EIa^cWFMeKLRl#7YlZRC&_=63Ia}SeS&FF-gzjz
zCczIEh8rD-@|7xb3zJHACDB?78s`5DlCpCu?VM(J;)RKoefJ>KQz1XX{}%4ixNzW7
zIT2wVAQ}!WMG~zL<fA3+G@ITFL_+DTAB2h;X~GIG)zYf&rcIL3c`Lqy2|$WU`~?8|
z)m^4D;m(c7lEaGyQ98mLqWV3~Y(07)5|AQ7yAnR7A3leB(UEgG=ry{+_c$}cJQ=y@
z_kWW_ZZk-!Ts|WX`QZ=b1*vO3pgtp{!glO?GF|5v^60>~H=-0;S_#&{zmwS`F{ESs
zA~*VvR^J&t4lQ14$+RPjpNSPdyknuBPiviRr^ZzgOVpks`@}j}PLv;_@${O@Wk~xA
z1_`$vLfnf{ft1jXlta346Cdw9EZ}Y!zd8+1!_=)(=f-6*8mmTh)@s?(udAcul*u`W
zl?sSDv$V+klGknL_$$PwbV*dDu32sX*p%m*y!HPjy`)h5X{hT{SMVa2_ci>L;ITSX
Jtx5$J{(mDnHedh%

literal 0
HcmV?d00001

diff --git a/odl-aaa-moon/commons/docs/federated_authn1.png b/odl-aaa-moon/commons/docs/federated_authn1.png
new file mode 100644
index 0000000000000000000000000000000000000000..199f6f4d691a4227248d5f9a4d946a51ffeb6237
GIT binary patch
literal 36542
zcmZ6yWmpu>_daaUNG_m)bT^8`lF}thcPk(rOSiOubO|gVATA{(A>C3E(p`ddcRz!l
z@9+QOdEw=?%k0dVGv}N+=RWs@DZ^xNut>4)-Mfb)Co8FX@7{x#_wL<~!gv6_!BfVa
z0{`82Qk4<ESKR+>9ehA}C#EQN?_OCn_LT`L_>AcwtK)R<9&X#+zx$o`d8YU7MXAY2
zimAIBZl|N`6RloUUEe^N8J}AbZia>b&if=u|5Kb${f&~%6R*xFa$;gu>A*ZDZDmOm
zbs{z<8jTnRrf{Y=5;pIH4W&9#4`+MpQn*us&D<vYovwGbcGJtbH_cP5GbcUf^Y@Jc
zs4xNsU&z8xRK8*2;_i%>WQK-@x~EcAJdA^gsjCq}AX&L{4PKtxZWMy%Ut(hkB<T&M
z@l!*VCGkh2e*JoljU92aJtd}qXD9g`adH}v_gYc$&(c!+CPC0&Dky;@Pj*Gc$j_fY
zo12?`+bB;<WE6gO_I`6(g_)b1=jZ1yt>OnU+>LW-nVfv8t7~QE!AgBKS82h#Kk*&M
zI=faplHT`)Sl(kG&6;RzY^=1jbbKG9{zu#&X+-RAx3+KIXDeG0laPe-N#bt=0I4os
z!{P8I-|Jcz9!!ySmsP8Z`Wgbt#`Ye<aJaKG8#_C(eFBv_UUwMP5yW*=Vsq>pt|vc|
zPFjmTc_2Ll`nDh|i`u{umWOk<BH2~}x`pMR3sF0xFip*DrOapCsm1(^BPe%2$FjG#
zfA}!4BZ3X`2F7R<rRn)V$^CdoN(%vD2?dgPKB(I;S=*K94@IYAlq`HHBeWjwBwiVV
zzz|=RgTX==Yh8IT`FC74RV${--5%d9igmXrS7|_Qt{D(a-_5q}Ddo3Vo6=m?e#{jK
zI1NVn7og7meq3GMI?s;Ch~KGwiB5|VkB5j?gI-WW34(SOx3_WF`_i~K-?Xo9KF+SB
zbAL`Uyav{V-mRPb;p4}byu3F)T`_y_<Hwh>E4kcF-b()_UX|3i`?+0AYAQ?ZMoath
zMAk#O)tpKpUzrBa<1b+Oj=R5CscCClSTbKob#_=zk2?JpNRXhgOBV#c52Cr7-;0@@
z-No5CC~2%nKlTaPx17msNuUn+o#^Zx<KxvXg_^@iSR{_H&x%b&@w;o?+9gEHovB%n
zJ32Z7JGu6|+&=1#PtM6XW_aAz_Bb&;6RaL4f44eGOR?wLO#blVH9BE-_VJ5%60m_3
z;pwg}*(-a74+p@Ef;5$ZfVQ@?wHk#6(^UrHAIHXLnmjhQ)A*p#_M>@X=#=85N9R-+
zeQm{_rH1v(-WKlOk`;yw=Le%&xttM)ltvhiSW|qN%aXF8B9tgua^5~ZS-F;KU!~D9
z8lO;nOO_LI+n*eci_6|>w-{*l!45ppi9>vl&l*4%vk3X|gI`T;_@?QG#C>ZynESV9
zN>HAYlm{xOJeHk-5V3c&fWtgZ9E6(oP6U_uloY7dNFFR*VB5(t0y|=C+*HI{Up2vL
zSJ!kci^rcr;el|GEG%eia5a!>1ifxU%$fc8Yu~Cw&M{AZ^=^~b=}vdxm%X<q{uE<i
zupBI?{@=);oSe6tn%|N*bm6>ISKhJ}hJX7<^-7Ey`g^?{#_Zp{?+m{ey+X$*{(S9F
z44)-5@|er^V8l4{y;BR2xP2mMXq7Ykkef5a6V1H{YfoDaPE+u}M+8GWn2v!VH8u6-
zWYfM=IQl1=)Vdjmlp#|;r>CK+JI`O!_noQt@W|pIDlY#frsn1zo|&mPn0B?RJNbzs
zy>5L_4p#_2P$e8d+cDbR-AC^ZQzp4n1^t~_y?y)E*x0ywY{%wRLgU}XhND$_DLlLO
zP*3|~x7*=)A9gUB=5Dmv($>~Yfd*?YG-<K%UG{a((Th|28L!K~w&oY<+%oCcv*VX_
z({TulT!~D)0A*6!X<tFdR>|A88x>^s(TlLMuo8Kr6*G~K`=ahWK7W``aeywQ?o^k6
zhWn%ATnTI{{3v4Rd%KJw3p0y{q3ScgpSuZ{f7N!<z;XOLYbKm$4v+y);?;NUGWy~C
zPje}uWcYfYwA5AA9j?WXnB79vcJ#nt($By!?gn!rT;)EVgk*Ar7-5ML<ZgC*CS2Dq
zuWz$H4is{`tg-zT0)O%1MXLfmi@3|_3Joyjq2_s(WoK&BfyA}8f$&4Z0RurNA$b|6
zTXQQp6%(t2NPJE=(dunqyXgWX!g<BT3Tw1M^r#UMG_<fx^mvKX@9!%WU+Fhnm0X!j
zvptm&)pPZ}@z-l6KcbT}r(vRejNqUM=okYA@1Ma1DC<w(e0ry1$PjfLkkd5wSJm{*
z`r%OaRs96jZM<E-uU(xijE-^r&d1U5yVmt%rh^9q_lA$pmIvReOd-DeKh7XYN+2RO
z4FAZ#UbXrq4ZAx`3?7FI;-vFEIcNu3tr5S^nxz=*Bz|UCCZ~dHk@2k)H+DvHf_`+J
zyH#eV9G_MkgfcGP8C*qK4-;6C6ZfK@-1^|{8v5y6u=L!Dcf~So%Uz^*Dq%;c78_#o
zJFG1mp2pjG$-y4T!iMg`11^;m?A`ULQ4{`6{g<<;;N^uj6;h>xL@)dKMlWa4<D*4L
zqu1&A&M_4<F@m?LpIPne2R$=>C^YxWmk*31sQ+YLhlh)-JbetW|3OvFRdV)m_nc~%
zDUxn~=9?C$(W<$r%o*Cn&hgQ#*ZXBU)b4T2``S7>St_ckgioJ#n;*!@%078v`oTT>
zLFofch|=DBV<BPT4v1=t6$1kUB66^qci)*;hgi4DCQL@>hWI_WB?MmO!oyDlpST<>
zT&IN%WRf81a?w1c^10syatM1}WHXiQ>C29UH5fK};l&|Xqz+ufF`qttYO%0qYi-?Y
ze$e7wM4OTK9<J4F&gw(+uuu%9OzU;u*Vp%#t2}eYCq${4j=Bs8zvQo^p;8wV;W#IK
zy*=(grviJb%`HqCj5DX=zOKIy<KAKZ-e)|a5Gfl^Tc)FpD~T^;<cGGPt9^al;;nha
z1vMe~%cb#o=*`W7zN%e!M^zx2W}9@Wh}#lwhH<=2;Db;TAK!*xxvxrF7@z&$l@b5g
zE+zi)I7Du&`56PF-T42Gs18Bn-O#4=tdW$=;NnWh(N|8rnci=JiJ1P-WM{Y)*_~{E
z?t$PhJ7wyY<M>h!gTa(hrz{p0a5q0k{t>k1idcwE$80Caw2uv680(~+M)e}0D8qhP
zO8)YPVvFz=^J@bx{L|J?Z}&co2cFx+d3?~jUlMPd_2mo7CKt3D<KG#3tPuHL$p-E2
zClqQK33(aD=soj&aWmr2ME@5Y?W$7de1k9FnsGCxRwl$NIu@}Ea+nHLs3Y2g(qLm;
z!NIqL+`pSum8&F4XD(*GDo?&58^o(NTSGBiWVnA4B_{+&qMJ~SEl^CF)35FsJ-N#j
zaO9xD&s^d-klZ3NZBgWcPBW)Bk$TGNCUe7U&Aq;tIR&4{l6M+Bu6b#<<+>KBVw1FG
zVemJ0b{xqF?e5mh93trR$<KX9ZDS@5)-NV5EEWh>2v`&M*ot9Gnn?$(cV1(UvHa3o
zd0t86#&n|DH?fELC{JlE_Rk{Ym0Fx#Bb$%T#nR|E)_lfODdw0@pCyHa`Dht8)ZJ4e
zQK+Ha;UMiJf-Zg-NOx-c{fxo*&3jpXiBc(dw(<M#HAI&%DYP?%Q5C44>>$Vr5nN$t
zN$}!Ux+xo<Dj&N(Z~@n&v30!u%Tn}{)JA42xXj>lBr+bvih2C5{0^<YEv;=HN@$&8
zVG<*rO^G@T8I8bzZjo*Iyx7+lhe@9p?cVfwe{$nx`aMo7pCpN>S5GiHs9)C6pQw3(
zsX-K{25u`xvZqhwpx-*f>Bd50B>T%M&61&|Ms^c4Rk#e#Avi_NV<uc}VT|t05bdB<
z__Rs9JIC-NQe}*4BF=l$Vjk_bhz7c`zof59b#{X9pAkpwb-7a0{tJI7aQIYd``+f5
z-Z({R<=p79Xk_&yN3se`%+OaX6efju<QH?b;L#mXZ9i}JWmOuTA;Te>h3^I(M6ieq
z5|IXyWTq^d?id71R%t1|xxAvHlwNMh_nC4`2h>O+6wN?&<!caM{<A%QL_cZ`IlRnv
zxO_BVz3{{q=d8bUwmnwDELm-V`u2U`{hJK`-}lQ-?Q>r!th{^7$oMt*qMgz$;*E#9
zDA}m$K_b}=It(%4B^d%1Z29%;*Z6pHCC`DtIcj9mU7AJyN)=Y-ze6qKdct+?_-Z%H
zP*6hVQR-lKSJ$*zp+5XT6yMp(uXO$<hUwO+ngeMn+V69{(N|Z!D<3W;Y(+^ok1gO_
z{u){yx~xte6&00~l(dA2(=8WzmtNs27b7M{J)OQr*-n2=-~0<<{cCSEleeEoZQddy
zw309^O6YsAl{jHNkssu4irJm-O+!n2dAzBmtILwX0M$VI=YPy_fz77*$+@pJVoqI{
z^dl4VNS-_`zin04$rW|G(%~1wO!#r}F`&AjrKJ@LNA^-d<?a${f%nc(smz0;+3N4{
zu`0>9qILGi5f~rlf6V#LtUce+tJYM68HNWh(>0HbB=|9t2QJf*-zC)d5_`f7zE!`Q
z{+pZ&0_@+%EANs;IH7(!-nSyx2tK<c1|(KM`o)g$7YkX~ZQIvJ`zUz-cN59>bekdH
zcEzSYfSQTQ_xc_zXfAcMA3lz$<FlJ>NT0f?+nx3qc0H!qgs-Tpl&WE_bWy~`KQS^g
z;^yYwZx^NhPxM5tH_Le*hwKmtq+>W09MRm|oNbfscB3u35lo3<rn_7AEj&Crybj;-
zM!NO*YHNunqRRFBX7$2_jIH#O8$2`m7d+rC5pMT-6DXTN6%-sCytMA8iiDBZt7p^f
z-F%p5HUsB>6y$Np*2KLr@^{)*F_n}}$0{9xU^DzIy;sc=12Ly?bhEou+^kXSbO0Bf
z%MX50PEJ<Zb#b9(A_$ygN!`ZId`=|!ZRd&PcDdkH@4&Ul`44lxKXwY{oY0*e)&n)v
zmJ@n!TCIXQguH@+;(xW?aM0MRyOn`4{#1OF9akO|YLr%Kp?FxLS8X%uSs975xmrTe
zlNcXut={##NkszPh3AHP&>C+uh|FbUt$|E#cdn70nZx5~!O^Ox?c)(bkl9U{w~x2_
zWa??SHcao@X_cZ>UF*+I#5+#*an%Xm6yt(8D|SX~Z0vXM-tD7gDT2i0`hG|J3cT*H
zIzqcXa0%I87E(4<Wxcz$mWQU0$cilegH*vo^$fNx)%jg6b!b2~z9;kH2N8kq>BaFS
zpZ#o;<K{(2(6ykxr^_a$)bTFQFW*r^p;-HTlZPSb?r3{~+sTu;;rU<TZzSr%88O%c
zmnGNm^!MA(!_1oOe_0&rXpfXRJ@!^4aW++<S?OVZ{@1j^Z*adMwvmEB=A_ogdZN}S
z+D?R`Usd`8e}(n@(Y{)f)l|LjY>2nQ^-O-}mfZJ;xM&VQy{~g#733g(WEpe}2PKIC
z#bSx=(|y>CEzNrSb);~<`HQuiw{`IvpF?oIEDTe{x2)wR=1#SHi!o+NhiSZaLe>XC
z@-iPBoSeajDJ?}kE(M>_BkMY1S3>xd(Tchtv_+09UfTB)ooNu*1u-$PQUE_W#uI*L
zn{QK<=(wask_vJ?>)UDLr}l_Y1V_kay685g!`>sS&+!xlj3<<20>%yzC8@jG_N-Dc
zfAkJVH|I1FyNxM&>mN|I3Ck4Sf{YD%#+$+7AXjl9KhAnbJQW!Nw?#ECHzfMW`u4U#
zN4!uRycXZHlxo${{DQn|U3?<{kQyl-g?jlzT3iK*8?-%B(V)oMX5@P_+2^Qt4liJv
zV6M+jP^W}qhPcvKK;j@-_FdXS`+<q$c8;5Z4o|G|_aO`{SLwQ{Fq@zcBg?(?9jM7U
zN)oW=V!kSj*Vn>r3yj(uBRBY)9tx>f$bF@Bf$8ZYdT4&?zp_p3B46$jq>-K<^gAG;
zr6X8%2ErGQ@-*sj*@&O9k=DapS>n__-Zr*Re11G2Z%42H9?^f18Gdw#2PJiGWq%MZ
z(8#wm(io$Gtyy*XHQl6Fv+yzdr5-F1UGR8zvp7K=9l971QC3za;Pn_E>&{d0QNtO<
z#QzMNFhhptjyL%}iOh<_g$CiVG|2BamjkGj-2=V{Yd7hK)GaZ?DUh42&MOrt`82IS
zuba31mwA8XPEm5djVral3!J~NGdzBcl7+`nY#n_`OFPJ3g|oO>Xo(Ag4PAt_0`=dN
zF-MH^J71JpPrGh+q!m9|hrgkf6#9{JR{v$$yw!{WIV|%a01rKVigH8kD^q4e><xOq
z`;Gut>F)c~%#o|Ioc*Di2&J7<%mV=pI}qnu)aftSkm3J#7Mbb|?n|95qe!jY#wA6q
zk8JR80gpZXz5Okjb<`S<RSDWQ?+4;O4<w>dGek(2{iukJ<7HL6vaj%hGEXosojOu8
zW?x&66;0OZ4QOEZ!cMQbfg!0RJh@JQU@;^pE@6s41~-srM0q&lm)&L)5I>i;H9vm5
z+l4-qZ2xL~xFW$z<tFQ06ne%!Ce|S))-fh7KauN<;uoghH6qn{%@PDip8!p5_MMx<
zfj*o@tdoO3=z@u*3dA{~@HmkQ)~s|8MH)K#`-{)VzoDe6P-X3}A8+u*tXy!^EVoO4
z_~CXv1=8eG`#BLZ2ZkBGvyb*&DG+4ruuR(nAzIj#Ewj;SS4<AUgm3AooG-Y>(wX=?
z=^3x0bFvIv2=454!FYLLLA%K}&|jjH0<VdIEAoL({ZEq%XYBp4+-zV_XU`%}PL&iJ
zL2BHQbD6&ilaanizY)y(eUr7w*cN~*bLRPhO~W6tK$t7zw`^)@xxTi>ltJZ;4rUi6
zA|WZ(wGCu>cl1RE9QT7xCd3K3K<`<D-g9Uf0SyfdQJe0*ZDwgX*2b7jGa#nG_U@s?
zTZz{G(2x$a%=}j{{4kbmJov%M2?dW;f_uOqGbmt1VgO2EpFv;o(ze*e!n?MaLnF*h
z*}GTsTSr~~$AYdfGU}y^;NF4oOp@j0Ik{Sj$0QUGX8~TiBX5hfVD795-w)NCq97em
zPasZDhTv=$3<E9CGVt)YTm^*<#;w2w%?#2y2il)vkCjwIc8gvl&@d(itsO>FerfW!
z7U1LNUYV-IUVO(9l-#|(ORQZw9B)^r0hvvLAS5N~HeQ0-T}$ru>u3BH4u2TXShrj;
zKW4YT@?z?3uPb^)-xH=VbguApJ$kO*BR)A%#~*>vAWBb)uc@iI!#M*6#lRkS2%bK*
z9IEt6v!Awg5TJ7igVVk}Wr!;1T|ZhpfVlqRT=(|QLBl~kEK~Cb7CD=Ew+(c#4TDwy
zY1!7Dr2B4dI8(i%BGi!lxuf_@J|-T~0_!Epu3gJOSXgLXgF0^wje>##T*yaj+{R7z
zA74?kgm2BJ@fWZ$)&!;}olE5YriTI;ll1A+--E@T_qxLdtrF%e<xaZh8p1#x6M;z5
zIXeGaSi5^Ye|xz!jMr#CX)*W3!~;6Hg;OMOeQ_M`#^&+Q-*x59&A+k;uy<2T*6}&2
z%fV!#S@E|jUQ-lA!Izge1)8cId;7nU39yrT9<SB@kg%T7il&_XlQyQf+0ltG*)`Gl
zoMmu~2`tLx%h#{{Y40X~g!vB%g86D{!F-Caa1_B~r|GN<CK=dvlO31+nbNt|wY+L;
zCPOF*{W*#LOfp%e@Pu!G*tJr@8YAhH#sF|!T}e3n;0zOzMNjOa8z&5Rv0sYOf>BJ9
zS6!Jv)>i11qqbUL^pe@(Okyx@=}$-3Sx+mDmP}eBI<@xCwhUihCAjs|3y#>WUKxs3
zJU6z_dGNWP_r;62>uf*qyRfY*rmsKKEEbsNH>;bQo@5%W545`+H(b;W+2FC9Db+ZP
zZp!;UJx6gI{{WoLudEQDnG9TRGM}6M<9o<e%g2U)XM7BfmNn)co~^I<Q4uLY32>hx
zi|Q&0HkV4H8sgz9^1$9e$spc_f{vc%ygk<_@lL}HZ05ifY{mfQ^^EtW&Cm#ZwQ8Ls
zt#2#Y`*%V98{bw~Z$(xH69<x6!tdsr+IM7kR$hwn*QU98@57gMFaHQ&<p(IBryy<+
zgXhVx`BFDk4q!43;9|CTWN*J)wLO*g=|ocrNl&6~-gNYo>Kc(%54L8SJUr;%bVB*O
z-*X^CheNNkZX&f9F_o>u?GF-fSC%aNQ7K2L%T4im!9D{5G1uT3BIA$n*18=lG9f>K
z^+c7Fl%%Aj01u!A9#9K#TeI|}g?p7Qx&e`F$<w2S^TxnGAq<}sYA~}N{9911iDDK#
zMJWXFcX#r6x7i=%<k3vt{HAGNwTZGEII3VU_XtVwihA{!Oe0xeL`f!L`dF{LZ{q2K
zS-(L=2lBYzriZ`gEb8*d>HMWA5J46WFE1;5J}afn2@Y`MAvys%x{QTfdU_I7nx)gX
z#Waw~P7cWOXY<_FRvPngU^)L&GeidW+S1tX6K3MDb8=sf{uu8~{`S)3cMv=iSts%{
z>vE>DOA!}WgU%@)nXSE{Dnc!CoD>WT1ZHX~OJ(&=96HpS83=9srsLBo%BF!iIi2Rm
z7{E%S?}T{oqH8tN{tC!YO1p)t+ggljR16X#{ohLZ|CZn6Lvp5Gq4Ny8Kh{HmTV1FL
zb}T!~FF&f35`#u=%(~i?RGmB8l@b)tGhszryoJGnB+Q$8Waft5be-1+Hx$6OAAsO7
z4}!;Nb}USRsaF{>S~7nxSht384Peb);Dp^tvb9eca3@!Y7B_`U?RTTzqT{;g2v3+v
zi6W(NHpc~P$5%cM5Yz;uCt*sYt4PA8lWyjI*eSYWxTv;t_@E}^()@a@BgV^=HYCgl
z+nx2E`Mk50UPNSp2`5y-zW{ZpGBN3TMa4WH+L-0g$mgNmkr;e+I``T)|6E4xEUeAP
z@A-AM#_->Vz6HYt`%6&nfoGyL_TWm>%Y(vunVb6xEU!};`9AhSzhjE`L{3G0?)!DL
zH@K{>^*t%l>Vh&hpD;VipztAZmUBsI>4K)=xMBbIFi}_A>0;pmn*Gfftnh;0@#dJk
z|F-%MkST4O8ihzdnl`D%wM7j`m;WSz6RQUUz;+cI`Baf_-*o6-Gqj?h_`Oe#Jr`vI
z`mrf9A&T3UT*bH1Teb<fINQ34AkOrlyy04(B9Bvkhos*s?5o}`HIh}i5-`0tUuQj9
z+{d|2v@_S9^&V011cXH5jp!LT)=}w2gIA$zpNNvE(BbdjI@#_@N~Z`6?qhDNJ%huL
zfr!J2X(n<|&OL4N!xz8->ca)GJWtp2=&7<DGB>iWzVmek>nEM#&o8WJ+V5%TzIl^<
z=F-(x?~!z6-9rr4qpn62Jli@-sB2)L$wc7VrO$qgSX5#V<<u_Qns^hxcI;DPLzb{%
z<?5r?#9ipudU>+e`1<ke<m9A|o?ZkaMgwTKsbh{%_V@R1Z8)r_Cr#ZNvwg~OI7?3|
zfP04eDSBvt(A-6j`~Z>10KSiNEQt$E!P}fG*HC!umi#Llv4Sivb``90oQ?aYAYJqN
z*5tC@X#AVumE||xzkmNG`nG|XUq}p&OAHGed%UDNFexM|Mb#2XfBHw|VQ6G#nQ@|V
zWBq=#B7w7R0nH50ipDxnBQ>-ILMpcc7btf!sdJrY*XG)7X%mEYOvViVX+<2hB06L^
z*oB_FtKoFrnfw0TO$N=Nrrf-4*iF>=B{z3ro(%hq+wfrVC}?|8^YOm|#p>*juojRC
zn66j6G(XTsF}Hd%C|)Xi((ISR*cX6JFUYQex|4cP03yL)41x+%Q7RPy+tRU`SnBOQ
zxg1Mx><;c;7Zcl=y_!k5s@FUB7(YBH{`=RUzdPC|!K9|YDtij!aOFZVcF+Yxy=UNl
z%dUT)WX`Uu2DX}}$dQ*cxPU+rW!E(um@4lSWb$1YEE`mn0&1288IOvPMy?kmR0w{c
zDqpJhL_82=>WkNY8-gxbvni(C0JJ_sT>aR(^02mLXJ?<h>=u)#)06-Uy#|ewa+m^0
zz`KSl^SyTOV^~+;woHir<s}W3AY8s!={}Zy(nD$?k^As|vq$Dwfk7fjBg%W3hsG6{
zTVSYF%1&Rp*1u2j*hY2QMb#Uq^dzd;Xo`&+T^^QnN~DFjegk082YF*)7~a#cBoJ0U
zYTGV5Q@uYN{An;}5o+WSAdY2{9Y=w#l?j}1d!i<Sl!H{7$J}`EHM6LB7cJuoxYOOL
zhb>qVAagjKYl1^+#R%_`S-Y{Kr-gAUMF4wa-k0RaVg<`!`9Cq;tw34%tR4_g#rT!}
zHJl=~%$S(LgqfF_-n#mSSWtuK>1YS#6S@`Wu8yi_&~%|MMaD?NyG?X=GoRSy#wMsa
zYqkuob5D8*jl2#&hEO>JoJIu~BpH}5%nxSTs4*P~-JVl?Cpt}wXA6_>d6S+5>c;#!
zbXqy6&L_N0s~PIEJ&s01HjF}56GSCp3tr-$?(-R89U5lF5(O<4p)$9`ybK`ht%|O0
z&+Je(m|9F0gVZ7Ja-V79gBpOcRl4El5+I=k38+PWczROB{eNwW>2HYXau2m?+f8@4
zsxFwD&q8RW*K#))JrNB)<$8k4$QW%M?aKJYR?zSEdx+7{6RFXsz<jeyOC3h7$Sf>D
z@}20ai`8_15{<6}2_zXLWTE?-eIokAerBbwf4BRfjc~I9g`K%@IPNF27Od<(Mdu8!
z-*jz9Yf5}U8bWAEEtbF<?|X<T3j9F6e_?rKe|%oUlloECN(`bvu=IhOLWDfnj8rKu
zT~KP+aiJ6$4}>fgBVvLcuP8f?5M)<F{KVbNKmF!Y{&=C^PUXBCr<92HkQ7sq$8yzW
zK(m#F!Vl^ZQ58>3I!Obb$;z%SS3nO=_AjB{&`6zaV^h=iIqhsxad<%^a1VHOMP9`)
zVPU8;b(T#)(xCLiXp1(bEi4S3><ySgs#G{)!X8%m&D`%g(Z8W@$wE{q_s)`xkmSrV
zFvBoBg03(gl*QilwOO_xPNd>*=7|ShZ^NuGuA54tfK%X7J}1=GHK|tcMAGwH{$}wy
z>AJn&Z61%kN>^c4^9T<$iBy2yl0*)AJ+`^(F)V#pJa%|AQ&Z*?>S_?_w>P`mKK}7d
z3rtFLFiy5>eWJ1xW4WF53S&8_r~A^Cp*w8h^X=(qL|0drVZ&wBdDZL`yWIni1Tsys
zGRl-eX)3xCY{(&``fGxXgTTmoXEB38U18R6oOx^lgat_uc<IcugYP_{Lx*fST!r_B
z9B;xhxoCcMri&WQ86(9dEVu~a0*-$$A3)2{lHn`M9*39!?s#%^+gN+=x%1WxYMg_^
zF+rCE{)ikt9tFV~I$Zom?iPZAk6AeH7gei&AevUZ%I`a0e&2aPeAs9^+iJU+`A&&^
z0sgbocB}M0dm3M*(c6wpPOVZkCNVFXn0P-p!`*5T^WPpdB0`Gy&EZpS*U$f3)$n$I
zZ_i?~z$IGbp?-7_<}!5(xSJL!Mx={a?y!2o;x`>?x#NP8^k(daf0~PNOEiU<SpR_<
zf&FBSw%5nmDSsc-J)5a4QwVj{Hm&n+G>&C!fn5uaStxx%xZ3F-^znscjuen5#09^C
z6}8aBK$2cSYm9ulTD$W>8~Y`%WM%O3m+C!1b`SIp>?`U#UuBl(E2Wf4+I>MOHq2?J
zw(FRYN|}`wI2A8_YNdF#zR>(@*?q@8@!g(0UiRPqwA|@&xKaF5^ktEe+wY<<ZN*Y`
zdEkYV778;}#cL*0eIp}Bdy8%CQ{InVInn)nwI9aPFpjgXv)#t4J>1w(_o0TaQ<ppI
z1|U8^d$~YYto~-4r&;bT!+=@xVi^y54;NL2pG^<AVm{~6D|{>5R&=9Vd1-fMPceOK
z41c3z4z0BOBkhEYTKww(-Kau63CL!M<i!@)V$;?I$aMLzMe0E8Y+>lF2rw!pe*RAl
zWO-gBMc<>{W3aCm2%t_zsfYzSj@Pi`)R#)Iq;=eypc^sx5bIsUBr7wDGp4Hez0gDZ
zmz{x8CxkQL7TmHA9v2(gYxOC$%J!_sL~K`wuqWxkBKPM9=+8<IKeYJh@!HpV9a`OZ
zlQcb?rbeb_dSChINf4=iA}VUeb7hGMx^S8qHQ)Id)|biy(GLxqnr&@;uq(HHTOpK|
zL7AS!XaE!ZqgKNO^%-sCo^8vY5{C~#w2`@<$7J9(!dzT#-=O1#@QPChUtr?cvC%M3
z?vk|$utNm}H;s_=s7$97hV5a(O(!p&Umhp#L5iQ>zx?sT-U!>?BsO!E_r{xJdb?=9
zXh5`(y?kUVY^69P9nc2GjFUJ%nOInWu0HL`Lt{I;#@3d6Rj8Qk6^LR`I>vOy=g%D%
zKDQJN$GxHm_)M|X-!BH!Z=%n`$OfS^NCQ?L1Tt}uEaGsrAzSAW4^CP*lz+F(x_Vbq
zF%>)_<s;>*_mc`2=T``0DfQz3MHWZo@GIUDgAZ2SL#ki1kPAp?;cWs3W9UTP)hn2-
z?@s>dEZ&E3D(E`bnd<+F{cgAdwz_y;%w894sYSZT|MPuz7fv#HL|<&&#;~Q_eE|5`
zG>f$76sec%L8BGnn9%axH%oicI2$)(y~~4kf-S1+;CAj;mH@snv>%EKI8AVaZ}%cA
z&u`E}Y5j@2Ex9Q?{1J`2+(C`k>VOX*fZ6`O05vW~im_`k2E{csD!p7Hkdsj|DK)>=
zMOXEG_zE2i^coBz1)a~cwx9EP-FVY2wP&m(sVPgD1e3cepenFpxsooFsoFv-tUa0<
zh5v)#Cq#8P_SoLO{Zrh8W4P$8tO_HeRYS2HX^j!F86}B}kMie?`wx8hJfx>f#T0`7
zsay1~E4ZF4oU}sUG8oC?6W6ILy-<<UnPF!y(6~EyBanLs*yz;Z6Q&B8I|S`gw9vHM
zt<3CBlUCWx5wSjl>u_qbVB85Kjsq?CI$y@5P2;iFJPx0no~|=$@|{qhf39YOi{b#+
zrOfy>@F4mX=;mCof4{Ro9AJMJ$7GM52~+`jN;AH1!5tDb9SF_g@3!~4ir*U_=F+_s
zNw3RAb>WLem67RGq4kZ%nP4}7VN{@;zEZ(YG$x4Xj1rx|di|DI2TKrVPrG;s;jAa(
z_7g=yLc-Nr*UVpuh!^A9`>G?k7cb-$%v!=8zAo%>|3o&kcH>dE+_Xu0(#EJgm*-HC
zyuBrX?+Rw!g`LV|U(&?uuk=Jp7F08p9#_Mj0md>D<P|{%TGKFvaQ~sI+Y%odm;g64
z9ospXkn&XVr)Y)LiH#1mc6&!}N7DC^q)KcQg)$j`g@iPX2zKSAiHW?ueg>w_ET$Za
z>&t#^fsv`X2^*mbQ(Id_9yOlO<u47TFoi+Fp2zE2p%Ow4gmr{?us4zZZ9koI<JiW7
zzkg=?V`nKw+sP#D;85B<AR3%G!ycy=<CQyEZr1{0MWg*Yi)yPVV*&tK=SxHdq)ZsR
z?|h+QTDUDP+uGVHjx!Hipaw)W1%+Of9O*1Xc0kxYI!0R*KZHJ#e!aTl74MDHOQDw&
zcnU@8Z#Er7dE~l%=RY+*3>8y2+fg#oEyO59gLw!hp38mZx78ln?%XBg$*X(QvMgIR
z!Gd=}ykPQe=7+7p!J(4D#qp+04mUn&(DE09t~txFh-C}+nM7QsPZP5oU(j<C!z}O6
zj6c(bXD;{}X!BejBO{|d`4M>Vc;QZA-jm&HZXzDDEh_tDQB(!`Kyp-1ZB|ypx*~ME
zE%a|gJn*2O)KE+8Y$vf7Zn|$q3F(}F*i>kq2*zK|=Pb6!5gT|iVw{WuNM<XU3@=id
z27nu1zka3YC+kPA>n8T&MDObUEJrJ8nlJ2!rMVE$fa1ya%@g)RS1E(5b#O4I@iV^e
zgKoLQ1qa}umDrbIvht-5>YxIGMxlVgK+D3&fRyKJ4d^KX*sw}2^O#9+Of1l^@AU=L
zR>w)iz2t#^QV-iGz8LMuyE<dkEt<i%avDpkRi=y24$b>gp#mF=k%ySG;Cg)SKm`)@
z3*2X#pyv3O^tc*4JZdvoxX0ejLrT#!On9CBnPN|L>enxukq`52N;@QZQYTyrP+NVr
zPtn`hrnFkTMHy`zkvS1Y7`B1SU+z0lE$mdNgV{zTihj3$MjbcLB_#D$k;4PIAln(u
z1Dt2@%4qDl!gk|ce~Jj=uHs1S>8fkjkvx?n6DrV2iP!D^^-I5U3N0iicbHI~M)re2
zNN7)3-6K4)KqtcQ2?@$bdiMMFjb&x~&my{?-{)|oE|$mSC0jG0*P5y3*f5zI1r67q
zmsAx`<Kk1BPt|r{3W;+=0S14YduUN82=zlk9o~j3U~X2ZH~Bu?sQ4m0F*zCLyD<4f
z_4Ct?035WP?{Uv%3`p>9eclu7`o2fW0whUw*#7~B%;`zS<eK+vXI5~C%gV?G-)HW1
zjY?bex<8!*rb^+120UnKT+9N8DN8z%bTt1DUg(M4M+i<k(!I2@*(ZXfFRVe+iT$To
z_>l*dGiqEsR#-#?8NiD{e=>R6GR#i^*9@O;j{LOkuIOmhN;q230f_EYm4R1nZg5gt
z$Qs2PUaGyd6Kv!u6NwF@!@T%<nITt4Y5C=S!k{WKxGHARu<9jldM-#i?0?M1;Jfxj
zUH1nW6Q-Jo@|zIa+VzD8_*9-(k)J3CGr3>@ZzOto?YAAsB2Pu36Tpt4-ahcR(y7$(
z=`Ok~zAkFFTsLqZ%tZWKK05ag>3x3~%+58!P!n|kzMVI;#%M>5YQ|B(6rbtmJX;2H
z9>z%tTt(Z_qe?MIV-vjDYp6ecNQbfQzx?Id@<v5_?#xnH<js4jnXB+t0rvmldd`oA
z9x5N4Y>t<hw1qgaF{BGEJM32|<hFbdIMF%y(_p<=;^W2SE&3{8kWdz;kqe5OYfr(a
zpgx0ta_el`V^ul}PB^-YTtoF9&OfE+n{Sl`1qCG}+FZ9AFNe)l2Fq+8OBk?VjjdKV
z|1xV?#%xPv{&RP-j<T@uz`(A!+-$pVkaujLxKNc63l3t_HH)^AOJd#EM$%hYj#?4V
zy$Kye1MFjVHpyx=tJ#8;3g$ohZbc1GYW47oNGj}anB977NZu}Tugu}aP`$+HmLpJA
zQ$s3M|6e(uEC2R;H!8f~=#7vslD>AUKsOeFc(i%6Ilh|{E%M^|IYIW+(dy7!^sN+x
zCT9wkfBw;(e7>@<1Aor%MZ-f&Jh+Jff!E1`DWE(wk_SWvY8EFaCtBJZQXZ>U3L7<)
zRAPC+;ENVMb2$ty@XlAoU&9nMq5}(o-_d+|^|%%P0;@Y8PK6d<JWGwKvs3Y<sAzTx
zjo@TsHd%n307V4{kOSJ<+8$~s0D+GEHRM6-99)cxw9=|b`T(i|b~+@S2@q;sUCp&Z
zd*>|k!$J1Ex>F&!YK0My_csP{bAQ~@a_tlIfvc`6KWO>Pq$jN<+X71WD>z|J0!-lm
z?S@R)l0;uNJqaU#>MRD4Fk>nA(;dA7@0kFJZZ_DM7=E0(HI)8;m6$33&Bkd>K;ILT
z5j<cQV3`kAEXe;~0hPxA?7g$!Aa9s3%UM-bwf&pl3$q>~Mn=Yc6tOkjQ5X#W;n6+0
zSHurI@;F8;!<3n;s;b!as)&@X0RI8PW@cN|=6{ZfiD@GuW<fnF3j=T(yI$qa?|1Jv
zW4Zi=)QL7KB=gWGSK2F8R5Xr=0tV5Jj9|IBxwyDdAYpV<u5YGfk+<-^D3Y@NOn*1_
zzCQx6C%Mo+tHdIJK!8;%)&a??T>FjyaF*7$D*q&DrPSPhm;x}l_en`?m0w{BL7wm7
z{7@-r>FmhXuAUw&9Kd04CIIcmA}-MHdi313xKcon9fzD7l|#R2E()C31}I^v%}RM^
z)M63FoJ1N$iuk%88oQZ!coJuaTH!V6Qv&SUr;#ADK%}SV1LgRh!NmjpJPf5COTIED
zHdv6spL&1O6}DMX(Q20r21Cg))_%Wx1v;{Kqs36*OPNKGuI`?maM%igfWJtW9Bq0M
zFF*Ol(OWHGM0bN6!5|wHmRhO+s)}c`N%7JG>{%}YF#tyW8XPjaKPThKTU9wZOzZJH
zl{<<8jQ|@GmR^@v^Ut6GdI;2ILF^5^--Q|9+|y&#6+;bBzsD;2FlM=ZY-H4v@mrZc
zyQwZ`Upq=~nrsZ4q|>$X`_kT7*37^@<7)(M-c@d>z%-l#K7M@U7(wL>ky<8Nb1L-;
z)pQX#H$LN>*SWfhzrJdLVP9}QnaZ#JoeaKrP_~cn#G?$?(x3+yGk%DCiO=VM=0_?f
z0u}bs71}?Y`_@?Ww#nGy2Gvbv>Ev%m?Q+I!3S|8gxmEI3gK_tVD5J4!=iW@#_5l_8
z0@e&*d}8=PXt5G7u3@F^ri}ATC4hXB7>ek-ujH*gZz-g@c`vK-yq`uieex5rsZ)oo
zXS8dic}g_CsG1p|lktJ3LNlwzum7?gl{<&Sz@aHbgdaNj+Dv;7Y=k+e{;rJg7*`^m
z$7rUVk_r=1CMsY`PzDoL^*z!)Uv6)8Z1NWNIl8xhsPPlDp7{952{EM00F#32`SvWh
zJwTw}AHxLmDpD09YTYa<yWvlSP#A?3MGWAAMRfGf#Olt>l~sl?)m8T5*RBlPlZqBZ
zU%+%kMR?zx4fK)dzQ(r~=K(MYfG*NsaUY<0TF+;FmmA+{X=z#7CIrr#D!~B#rYDqR
zl&tyd_2AHVuipa{2(Jv%P@y_XTGf$n#<7{oq8;0PkyA<JR-NHU!AnNJ;UBKr&6xWk
z>Jl2^NMhHzRKHnLy$=x)5c?>qqX3Z8U_uxMIll%)sn#GUW@?Tz2Sk1GcXYk46S`iX
zzRf@ydG7P)gT57okx>03sl=HuqEV$V5!A=0VZPp2)dN`N-TXDn`@eNWSTA_3k5b(A
z3R*yyR3`KOgH2f_b=4#QxQ$sdL!mnL)B%H!7rqo5_{~+A;ZSrd1#y5S|0+EbDsV$5
zl4gqjlp@b<U;nG-kmZzu;<xWU6G1Rhy@vBPT{yDd$qP<H{#|^mjN1zjFV)TRI5?tB
zVE?bW1aPL)%bysJ)a?MZ0@+s?lJvLl`xoHuhONJrDYsm17tMs?GBFIk5JFepiRNo<
z<}6b&s!S#jM$urRLMo1G7Zx{{K8{O88?6Yx&opLJ*>|RWb=0diGdHtFzV&PFZKekv
zo}x(k$Wh^~H^*GIRZOn?LA2si5N9hYtSWJUYa9_brf7HFZ6^$Y%RgCV{rg@I!S$3g
zBO#$@iVL>6=ONqfc0_jd0QLgoh*I{_y6?xeWMnzF7Xp#-tlE2-hsSn)?W>DuR7519
zy*f{Y&1h{l*(@Lo{Is)NTv(9x%MPNTwPZMeWaX&SFgkG$uS@u{)Wa*z%m;x5a8elh
zrudNY4A%`UHO)16oR%;54YLuca#An~dpYd*!3FBLFMs{~)vSR)pt;?^C+qW<A`8$y
zpa;jkQUFB(9v&Wu5o>(JDPh4^l4~T1UF&IIjh;;kDX2sDSJaQ5m<=1*8+CIaasEu-
zUiq-@OKUuwd5GzF+K>xVkgOE1{kL~ql`ur(*->CSgbW3FY`B7KVD9$MoD=GWfUaPp
z!MbI`LgMVk__<`gN@7bmBUn+L&-6J2`#fxr_)GV?<y?GirAY14TdhwE9mTYMz@%x`
z&HBlIqY_9(gK)Y$2Qk2pb={|YEGcQ*D`K0r*n|LI{C)nSrE$EI@<yTFAklv*-*sC6
z+&_7mU3Ls4KwS{ocs2Q@8ZdJ`nXwVR-#z-+HPr*J-`NV?+{HP%0om=zaiaBX0?1_V
zTJYWQOsJ^CO{H|Ce8I~As%0rd?y{InjBS}zE)Jt`zPwvY&lvJ>>fb5CzKk<6Vc8Tv
zq6vSKxWMHxWhUGE*B#RxGS75{MFd!9o!%5o4_?+?fHw)^HB9FJWLc4gNCUheT}kBi
z;VmuaSTM0two!(A+v7!oV#1Vs8}|m#7FOZi59Rc9cK5uvDa-dl%QQTH+b~5LQLTV4
znV28`Ptm+;ay)_X)vwhWc1O5GN)FLoO5;kx4aAS6TIAe`aIV5r!*Gf^(R`&Qk4~FQ
zw$PF291l<Xc&%nDGTd`e#MC1T((caLf<3V--!i9G=JpBhe6zqWrEEQOy7c$i+Bc59
zk6aayP4+4KYagU8{P(vI8GWUi!nNLvb4+6R8n1NB-%yJZOv%y1NuQUlUQy4t@j(gn
z7VcaWi(?1E%+gZ0cVMD|!bkR~5`uT$)AQ9QM}>FRX=CzFT`idwCn0!`g&`ID=4(5d
zN}Kc}!e7e)Qrco%@pnQ|1LN!RZ`f|S5aM=7oKRAkrlMxT;(c>!@z|1ijGoUEJt@4;
zxkq=TVSUe8lULZ`<~XE5Zd*yDtKXgOPCP8?+1H}CHu^czI4#~B+Cjv?EsK@I?#PRq
zBUel&1L|kYtfmGhDUq*LN(r!-f74bFt$%{p;dxyTyp~~;)QU;Io(d}OwjAQy*5x6v
zkEOy0&Kr3h78W+N^8Y4l{*iUfcHwu~KF-qS2R))yRnH@5qsN^ZRNbRYxzEZC<2cVu
zIf;bLa-ZE4H@a23TH7mQ6Mu4dLJ{kVW;1WKii00u3w4qHpLjKh3}N<St;;{yf}Nt!
zGW-kwY-Oo1Eand^UD6{VNy=R3y22+Zr=r|7xE>2vn+>*K$)tU*)h<gqrfD$5scT&}
zH(X4ko9Qv;U%!u6%k*tpaGd(MZ&At{4~f}f+(Ny4V@()@mah*pP8{9xPfvR#6dm0s
zW{ZLc))<j9!;!_-_4IZgqb<o_&w$*%`%2!VU%5F{^!pvA<L@OL0+cL#@DNY*dPa(h
z&_CrKBa$HJS21I!^Ok84FHx`z4EC8uRL%}0<-xDv57MW78_Wv!+a%&C$ul_0M}F(z
zC$15|1m4_d&oY*u7v=5qao@;j`Sse3+;`*3g<NC)VKP+#c#5d^^)<v&I$ZV)9+09x
z^K8&Oe5n^x_9E;TNMFi(m^m5i`m`dwla6IYxhPf$)Y}89m<HoIWq((Ca6H`I-N5F~
zwK>nXzx1>w86XnPr24?Z{ic1-R*+AY0Fx2Pt-`1sXpOy$a^_3JO)wQw1ZQDqH)yb0
z(J~stF&O?cmyx9$%fHhmH5#{xZy~471wF2>tJIsB>c@pN7M^yzTVjNuWIft@H<9lo
zQ$p*-LWs%8cp?aCVrOP-z9RCO%LHPQCHCf*mJa^>`BiS1fwuEwcpcm%r_B?IdQCf?
zIybYw88~|_<#?l^&JI0(JvGAqCUJl9oScu7^t<t}Km7IyNWQTE*B1><k(ChhW=)x~
zMY^xis)r+ZZK7K?9C43#v|<T|Fz9Q{U%acQ+S=M9_R4-`m7|pjWKX4_N?1-wmj(uo
zbe{3sL+OVX6shy;Ypwk-r^_F&Z|_fv>}pLXVi)mx{c;xIe(R;3F5t4(D36i_`_W_B
z&cr>oAZ|p0Ih%bo!20C{$fmz4rrEg89PwY8z#LsQRX`KWdcHlklamvgTH1Qt9&P|Y
z^_hxhVXF+UU;5)~P!5&v2-;5w7$TaRmlq`e9Cyzylc_K?TDvWK$6VZxu!TO9hgE_n
zYj)IE^%oZx;8~gL#!+Beor0L7tFNQ0og=RiEE>y+AF4whW#qor8t`zH{j@{AXI<WI
zZUu2Q$*Lu$!qnO>NQEJ8hQWf2O8@vN6Lebp_oD}_tBXaCcSdQM_9XX*i?Wxt!k3Rq
zxfs7uX-Pv3db&lQP?(vTn%ddHga<Iia~<FTNhItkeMB7;cjD|f4X}o%g|I(*yd`=q
z(}g1j+A~&SJJ$g-UgtG#2Tp1Shjy#0vpoZKDamfaoV&VqbE7jtFxdX&xrrNvcJX&9
z#jizb-hpU18GQ3`z8&-!A_zpkWV-fuJ7(+eXn@zn-kzz&-!?etu;@QniL{pwYlYXw
zq*ErR+pjKKnw$ST(I#G6T6)xE%jX9wdi!Y}ORLhUpA2^i(?_a;=LiHHAddpZ;Ogkm
zP<c~urR^H~)0|I;elue2B5hk++dkI<E`=oB0o{tfSKBnp?q`+xPDOwgRclr_wmCli
zJ6ccDB_tkF7xip?qC0Pf0ECQQ0v|)br6%LG`N7NO=rh4y1IUPPzGKziOwEJm1>1(t
z7pQkXyE8CyeByTe830J$cg*UoEksHRvtb%l0nUmh%vlU2E8>Gl38>}BFL5WIWE5#H
zCl03^{VHj)F5C;_7b0+pYkqyTbsG6pz+ArJ0_SzDYiRBo%cJZI@Tef~uJ-!9Iyy7s
zy-X;0`C%GMh69@3$HMQu4j$xYy?HECWMm(TB}erI{>Pc>UQ&TZ-3ds!sg28tvQ8b~
zRwo*29C0~ukf0OVi+bM+4}-KnWofkbTJ-R4W|l(ZiK7(olwnJ%OA3^&cfBzoI$=Oa
z#sOt;<;WfZZ9_vtz8Y6nNrE1<?2eu&e&o@C9DB}^yAi7ZLk@G3@mjL%a!P1ZMiKmw
z`3V|m-)5J_+!nZOOaMtr<7zg7ssbMd+j3(7@BuLCq~WnOLHV#Pc=#`tPnE6>xw-US
z<S)RpMIq;3ME)+zilBD=fBfS9qjeGxPnW(yf}+~Gf%kpq*-W}Xr7#72Bmo(m5gHsa
z-WdWXEuB~cSc|330f`dmue;ne7Nr-PRsTooy}rOPX5JW5SQEGcZyh9~21h+X`bo>f
zQ>pXa99DLk@Z{+VQHBn`TE-HHNu`F@XaMSe(5WsAP=ivU&7nHed>)r|dS{|1AN<n9
z{_R5LA^IDDrLQ`jCM2epohplVGa=)dEi=bUIR6l10sgHIIxfUrss>8oYde<BQ>3tK
zMMicf0tr{la)}}vC@ZV;?wFNUR<)N`K4wxR&~2EkQ|+GdW{sC#|D5G)jWxiu&sJp3
z&OXEf;sB;|b~eB!l+xe!)gB252*l-Lq`&VDyUY&*j|m5%?QnR*-Ye$C<>e<nGODl)
zzRaz<6ASw#3D5}TtmNk7d)$Nw7jw}l@eLe2bM}`~Prq(_p40cPMYTwQ6GuqQf}2aZ
zvwXh`^*_D-_d=sOB40nGMEF-`g75>VZP@F@UeGu;uYs3OQQBBoF!@4>12=lwE2^8H
zZ9Li>!WL6aHWaruNrbquL{kEWq~1ug<CtkPSG0nq{?y0PKT17-SA9^EY!Hj!mHv9Q
z8HmSvJ!yI29MNI@45f8YRy%o4x6)b-Ofvo6pU!@;A9QY=v11XnxX-FYsUxwM+cOiM
zt1d66rLr2pB6Xi=dOmdn#1r%@5!XA?C^6}s5DF^b_X_X*QD94VKaU{g<>i(5s^@74
zTYUiCXEc+Of=?0olEDS`sbp#qfc<E=J~|C965s*0)0Or!?Zy@7Y~3o|tcul!*BXw(
zQtGNC<GGKMvN;-p(13D017%@N1KJL2JrW!-5Wn&v*<?sXJLuFZPE|yMI<YCc$2dux
zdh}{@Ol?)W*N*whG3v?la<jB582SU0hy+63J(TfWtrI^2F(z!FB)*Z-swxVefvL+4
z+Peu=J?jZsW8-I2mUG;`<1@ppPJ8X|=-gU#+)P!P(-T|@eMaVPLRYEHBmoQ2hsT9(
zkCzB*UAOIKDw8+*@yj_HwgsK-hDMC%ycK}G-M!QYYjE-LW!8)>$`1W+4b#}+*aSAo
za71l%s`<NjjJ{F_fjOej?m;S;>)gDgl3FQOdxxqyGnzb3jw%Pr)NGrq$NjpVe2^?n
zB@EOG7;gjapg>Rnm{)5!G|)cXRfnUgxBtYKH%$QgP>n@gyf)B2_NoqSZ<jRB2fP}o
zZ5n*M8-4|&dJ{Mci@Q#YUae1|Li|s(KS)kxms94k|0((IF}tTkB<LM{a~5&Gx`6ys
zbM~2jvIfks`zagf8?G%KmmjqyrUT?{eVBb?-2R@zx6<j3nLyG0#{+Xz2n75^CUU-4
zuj(lJXJlG-yGlo%Pk@7gr=aVOxPd2T?%n%>5K_<p*%b2jwijBwGYr=7Ex3R?YhW%7
zH1fI)K>n|<!V|FAczj#ibt^XkG5MY!VsNNR6c-`v6CAHLmh(<&NZwB0<E6*aub;P;
z1Q~nUpCQB@fU2}PG+pRs1a$x3`F>b7tsCgv)kJ&T6(*`<w;TsSwCCzW6=%ySIVG;b
z)dNdPIB)nfNgCuE;w$H@PJ2?K<n~XYP~rO1mpr+7D}GaWmp--4GzC!rJKY=-bQm-S
zbF1G`=J`e}#)?v=Q`~QtU;k773#6TyeC+V9bv^1G^<n>3H3PvW{J`vKOJ4Xw^!FbN
z#JwGBY1o}5^HnDc>0~LO#&ylOTJLlj(G<cgZ&}CR9O^~Oz;Ch$h`A%p^L<!ertoFn
zb0xWxomsYdTYfnRiM_n+xJ@7$2QL?JNBg%0v>X1210#W{Ej;0;q0(Y@>tWZ6PSQ7J
zelpF0%idj<Ke`cfv*>wE?n|L{$wHe$tbg3MQCjXEEC6TPJn=+DnmYO$oW%z)Q8Att
z;+@AP#BZmV@?5PLKgJ)L)q9#&bee4w9#J0~e|{w<pV9mCZK1i{JGi`DV@}4>x`S+h
zaTHaNLP?mV{a9`?S_YM=|D9cC6VUwZs}%6zOT*r3&0Lmw4sDSRu#ks&Omb=$8~&(%
z6Oz-1Ajf>}_G8#H2BImkf8;Y=%t9&^pa43*0Z`&#m-TG`ErKa`=#^yun^MpGYUXmh
z)C;O_{P>10d9V%|-rapHUrQASFBo1>&^Wzmp?qieH-f$J1pN{r^DqpnvD|pZ^KylP
zk5kki!EjU-{-{=2Q)u+&eAUhdUsU4}oyqrZvxU<A0BD5f<l(Aph|9X!X&jQHL9zzi
zwGCO)mj545UmXzj7HzE}>Y#u~sH7q=42|SSi3my!-Q5i`bV~~eDBVaobayw>-QC^Y
z-{HRZzWcX#IKOlD*=NUEYa1Cg`CwuTYC!4|J0DbiGjqj@z?G$V9rzChT|D1TZ6k`@
z@($H*%GG(l+0UZUyS6SMzpd<cWcqKL@8wR(nalC151)8EQvl!47C?63y)rIMw%+CW
zE~o!|;3s<47_n_Kw$+u6dC@Qp23<?#QK{*0Oy$uFXYf|fyt$|b)NI1nw_7eJB1@jC
z4{fzDT{Fp{tD+epIR7$~st}nsO6YEJk~pHDy5g4yNlf(vBsO`z_So5RvrU^0zg_K1
z|AV*rT7~x}{qLEPo<KK1bD-)ai}1bU2Z>l57&f4a7{S|aOs&L*kN_r#f?Ou`!#ppW
zb#ML*QO5iKE#anm;mpL;)YQD9`E-Cj^fjX2$l>a9+KQau9dd&*1qZIj?c6F+eyb-s
zV^p&Vi4MxDi4dQ(y_PnwaBH8EEE;&cA4&?~i+wK$#lAlAhq6D`!!<FTTBhgRh4Ngw
z=qN_2-<6L=Eo}bU#!sBBMLZ?&Qy_n$Hs|K6>AYK7P+&BcKmVA_wcO#hKkCRiqG<hG
zE)17j*8B{4Q5*a^D03k)nQ-saj~qgCz(*YL=;cl^=~5UnXKp0C+JC9J0dt{^j&gLZ
zVCz`|z}F!VQ*fTH24_|Zx3CcA<PTfB3^n$A;A`J<fx;!AD##oszUBY-6@K@}clJ`+
zZ+-!~2ga|=PNOeV*T@uCI1j?baeF|3i&mktU^B%dS3AU;D`&NUZBE%)J`K5`8KLcY
zCXB_VVqPBbFNwVTA?ZTmplAB?u8g%}(iI)_2C??OnkC41L)$CmjlrtbdC#i0KoTQe
zU0LxDWAhsRb=IE*=eF_d`Z1(#-g2_B;k$moiA=?V14v)q)ZX%t&C*cj6q^9So<8tU
zVU!FDCxsbU;68rw?Ebx6oPbxJq%SV!WF^oog3ZdJ(~v2cwKZ<zs4DPWUWfndR7M?A
zftEuxas~iw?v^3^o`r>;j&7pN!fxqLX9`yVoq-3ofGqIMj&4n24!2#9iu8p^mHANc
zU)^S3Ki7fw@bc0tr?TX4$oC{1ovp1x)fU6w?P#{m_k~P?Lm%t(eMBUdv%3AHUs08?
ze+HkfQlefo;(^W4LOF)Ae@1A#yLRM6l+$3a5x7bJ0uV5Ct1~S%$Ni9WQO1Uk%z<^B
zK(&TGc7&(W3h}=73s0r>jxL~#v_*P`#L4<+E<GHRdtu%nB^Ndr5mkl1VgWxcQZzO)
zg3S~d*K?txslgNVtG;2!S+B^FQ~lQ2`90XZblELTAo;gmnp#P+{ExHLmMby9wT=n%
z5g7W3C;NMJmCvR%=5cF9rYaETiZap(sySxS12A*<vu6?XN_%rF<85}mqV4zXpxJ&K
zB8++HfR%@b-vI%Prbdau$m~r2IQGPvca&lX{Q%Q&CsC;I9)hP_t@#B}j46*^r%1rI
zq2@u)v8vr;L079xJZHXRz+vLm)&*=vtqe?r@59nxr0#JKSC9Ji5h49zSM}21cmVth
z+z7V&f<?c7_Ybw>hAs$@%~rk9A>JD0mr5@_+WI6J5-K8<6L$|QZ)9X-)_J!7T-Hk)
z#8&a-l*XYlIT9vSRcBLGO8+R=46myDONk=Np{+cPx^j1G(9Zzyz5s?aq7U-6qDfyp
z62}Ce-&M}2UWyfV_*M8ro>9qY4y7&5j{@{@Q{~Z}*JxY)mI*(*>Ce-sGoKbC{}jYi
z;U+bcN|mTmYW)^(88BHnMn^$s+`nVF85HcBUgqvxcTY7gE{EeDz2o^cXs;4Uqdp-8
z<J|JU;S_fiN~m>Q6}lhUlsiAzB@e%Lpjemoc_FbW_psK<(cZpZ8j#ywebD#c`Tzlt
zE0{k~WH8)sle2}jm2?~f*#gkd3qR38?2PqsC{4jaQ-P=0eEQ<Y=nV99F)Ji2HGP}~
zMMOxr(T2ZD0S!;4f-~<;*MV$<M9fu5x2}_GzV;`wFrb_sEG%E|Bt<Cj#ja2|V9qQ`
znDlg|jWYPTYH3$Ez}tprEG9IU6GuWHV7&%50Wg>>q7|eN+_B{3k9_IT&sS);k<+Pf
zm_{^h@KyL{@}1g?7;0GeybwUb=X(V4mKh7Fs<ixz9^ap2To|)dHrM`#$lER+pu3TC
z@Pkf(Tk1Y2KrD>#HQ<Vhh&1CayQcwBi3NzmuY=F)x5O3o45@Xl_l?7G(GtJ@NCoZi
zzn;E%);!V~adQbGp4gQWu5ku#1>JSV>y?{p+o{eBelHU^b9qyf2OXs~BQ^k(T2-L?
zqHRiF?qyc!926m_y4*~5Nxa!)ycNRt+H<?e9SYnpq5Y?_=Pu!_Op2w}{qdUyEHb!Z
z3F&>fE{>-I>$E+Tw_Wr2wya;?y?yK6z2tfR5v=;IVOnNCmv64EO`brl@<p0x?428l
z@E>0!<-={v*Y7`bH=rG&#G*YOMLaN_0zE_e5E65gy`zW-Ml9?p;V)dz_=LtUMF5w{
z7j^Qw?x@%1OJhg)V4_x8Drz#_D063t0>ag4a3Is0|DCohcWFOGA8t8EX(`a%!TW=(
zsxS^0+b$xwsyJA0k-=i5{pBz|ZN4rD&;H9l;_vxVI8PGsZk=vMzI!jjn8k_;a<W~Y
zQu>m|8F|IBTHP2aBP8@_R3F($T)&e4$Zn`rnvaifWTh$L-$dVwxVL=}+xt;*W9$|2
zNKC8-j4`}Z$1_b6QxbEHF-EB1jlPm_bD}5aft(k1c(wLmR2-)!3}kGeNC7YgK9A^s
z3gzPbGcsEfhpm4w&dhY;6n2kaj%9P%UoLOsU|1~#K@jm7mx1S5JMR#k3|?dWGOp@G
z8)MERETY~XOr)qD1UyP58KQZ%ApjL1VZAxRM$^SXyX`-L{B~=uR=uEl&>P3~L4YDV
zFa=(38Eu4i*k4b~{T`C!F2JY4|Lx-{NG5RaX_^#%5nF&67SZ49a(`DKzJ(q<)yiBa
z_Kmy=2%wzfZ->POhby5;@V{<8`5~^wJ8>3S=u+?{+edIqBQQ<xvUpj&ddpB9;k;Mo
zo@dI!QMJE()V3bGtiO`GNL@Xo!2;1VIIlGx8F0A7G4vBGLN3%_!geK#;?gA9EzKU%
zEHKo5gm{1IxVFcu`lsFMA$P?_i+LB~6gssp(uSWczlcGT&o3@Eovvi#{vDo>{+rWW
zJx@g;PV}6mZT^+7>EGw<z9b{eWSC;wFcq&a`Wb~f_LK%!_sY5pi}aEQ_4@8jJ|G<@
zFZXS~7uxkZyJ7ni5`A40{8s4evM;v0zb?z}vA&_`TEd_+M;#=qAs?Kn0#r$FzEv4p
zTQ4(w+-qvCaA9cq#!7+cW@s?I>^19Oo;Ehyh}~5(C$BTLT7twBO60;EHXH5k8&|ri
zT?xssKl+WtH;|9xO^*^Z)f@q$;}1g(;r-d%J<Q&Gn@zxf(&ekp9OtflSvNHyqL9l8
z^hB;w*n?KKm@t{z=^Nio7=8;#MSDBn7t98i`=&Bi+8(c_Yx7KV^IO%N{9FPpiT)dN
zaqg#@RP~RT$wH^dO9``*%RBt&!=L7a;=beLEC)Vd_GT(;)oWZJ(wwlUr{Z!fde-)~
zWW~V7?aa&z5a(>w{X2RNl*9@K*x{BR?|~?H+&4zg-F3`D>gt8R&7vTF%aX1PJK=}e
zCi!2?rgIRG`MpSEs4;GuoFr0KF4mlxR<Rt%4lM@iY*zZ+eFwBXmUtlt23S^eujtd`
zB*ngcG2Z#!L(*L#NX%Inpu(Nc%k7KGr`IGg{2mUw>c}uvt5~M^V52y5&SB2=EElP*
z`Sc32Ff{PvoQ^}kH1NcAWNbI-QYm0J-T5fC^G?T=c%$UFb8`Ny=|+UOJm-@awba9{
zvTm$1y;5Q?0*sVCxwCL6b<tRd$HCJq<|a8jTSkYGG`o_(K!%&IxwLa=nx>}Q&S$#{
z3r$62YJ-h)-hpHsLMC~fZBJ=W*B~l$_X0iHxP*!>gk-g^u63SqNiTlyS(*F2?yk~Y
zFUBp!z0YB~xZqbvgE48qQa~b~ty!BIH>O^$wx^)!Wblpl$y{lZ=0J<sJx1-PV{caO
zRX@u9{^h%HkHnTAGHDn|K6J14{+@44I9U6TME-9OW^xxQ`*T(JJ}Q1F)gbhQHdQgY
zWrtJF=zp{yRw|D|(!!q1h_SE~?Mzqtpr0>sSLQDJ@mgg{B+g9Ow!m+U_ee939zw8o
zHg3lse1Mf9Ll70DIUhjTs%tjl1?B>DQL>2Xd2>?-)efPxml8(kmLuPgw4y&!#Bp5K
z9Qbrak;%#<1S`jAg~<YNOn~we%f`ZKttrv7Nb~{kHgra<(hw-)QO5!plN=3n$KyfC
zeR|kmfq%l1$}sd0+<okC^~X0(=}Hxk_7`)<7gaC>@u~Xj$zKKFD@HZt&^hg?j--_V
zK0V>?KtP?=)iNh1r$4HM^vXi;J_fy6zDn%j(%+z!Untre2w~j<F~Gd{NoK@70aO}Z
z&bWsA7|+<A?*B<{e1}2x>WOQkSeRtCzeky*QGv>v!a<h<+jUSx>_7YOibcI|s}z<&
zi>FSI#3d><=P@X4xegPpcwJ`Aqe8;|Ns6#~ff${5Mw<02g2o$g(H>yk?~(>)za!1F
z?w<IEG8gILub9!?bM|(tjfNG(k6TlJROc&?8l|^1lh{G|Vva2Kz2g8KJ!1l>Z3E!v
zV<3sf_Lhe6osvb!?}%dUacydmYlS!~J=`}S^aFevTJY=U=}NC3?+cV)_~DD0QdRLj
zzy!hLM0WZM)kP=|xK+8Ld4#!J{y%?ifh2Z|&~;#9!B6eDFHLkc|5vC(blLHH>>Y}(
zSdK^;Z^yX~s*gx%7&u+?sI;*+u7%iaosF&z+I;-;IA*!}p8~z3pW~AzQG4O5yax#?
z8}l|OLT2tPFqk^;6Fx4Lp{GlbTvt|60lTy9(nrrnE2wc;ytl8hJF~(oERTBo=L(=a
z{h(lfK*fj}>qdTDvIq(CBE&+$!4u3K?zfq=?6~;&D=Z4_%TNMvt}ebkAfX?4oS?aS
zRPJIVx8I!WsCe0y+2zY|ShTaDhhZf>TkUY3&3TFRGWq9@zQO7R%E&WX`w!cNTR`4S
zS^r<w)d}3D>bTcO!4OQ_N{NDeh8nY4v$o138ofElP8{h=dRW4L5{4C4`hTZulz+KM
zFv^5o&K+m1ruAY-=brhJDm!1yk=t~@SXglNaBl;?f>uzz-Tx&>Kz`)rei5EO<j%p3
zmv_cqKWxcO)ntK-$}xk`kjVbQtaH|Yf{z;_Sa7jLMpZQ~BV+v!KUyAT0`0$wygZnT
z`q`C{xiZpvXum{jW@IBW^p7cdG4Y*^`nh4VO#;9!Fn^Wejs&&2wp+M}l6x8`k_N?B
zQG==k_|<^F{?O_h0A03OAAtXxMKP_q*RCj8o@lt$bh?BPzg&85X}uiX)H%!uZ7=le
zLw-ekrkr!)A!?SGNz%XLWiIM%Vl@9(voaYdsoGL=r0iWU0EHTD1s+xt{rukPG$szY
zyR&Ssva?9Q*Q1Q*d2Zt@zEm(A6M}0@B@05uPcQp0;h2Q1iuim#agpxtxQfEI1iCZd
zCSPQOJ*bMTwr=>EFu0i9vjBN4BG5FlIWnQEHwEhu9qh&9cD`I$?pzft!$l<U7!kQ>
z$3I&3l0fgELf<g`<hk}e?wgqDY!b_*7O{p!yEI{2<XsBqd6w~ZOZ{M~9(Q5%LZX8Q
z)s~#F0I?t`X0_|du7dfsoUdQRC@_ku*HXLMuU?&h^nJz071-(5L8bQj@lx|`X_kLy
z*%R-EqzK@~E+vaHu{H-(*!R3Z0ysMTLe?5=t4ILUIpsYY8wt1J-11q}!j<nuOl0rV
z+l$S-xVEwvjcPsUra{NEsg`i5@zfNs&W`KS&N}A+x-_M|wqBo@9ECb}Rj^K0umi?i
z&aQjcKJlU1YjLCj{{B#6g6?jBIV!`39Jwg(ebqR;GU@?0g_qvm`MUbld(O;~A4{1W
z3Xmq%w_tni`fTBH7iN(~c+(tT7r%L)`MKUF{4mlm{AG_%^qo6$j>6gBcsNt7AI`(j
zL7%YaGd4ChXL6Y^&6P;N-9O4r+u?e-BDa3nSS9>+KZ%PmVJ1lqscqNxT;h49XK81~
zfJK#R`Q@YEX{=a9vUxKu%Y?@AM9Iwy?SNq0mw()W--#?55W!$MVzW?>tfirMK;907
ze=QR=ur-N|bM7>!xs%wyFpCTg)5xdwADNlXCG_A(Br=wt;lE<VPs5WqE9G^W7`n8}
zjl|R6Fqun@Wc0TpovkKt+Cw(ac<u2hQ$uNDtzYIu$fT_vr9RdetH@>2g>`#ykS%9x
z151JfrM_?VF2GWXlId!?fVsF`AMY4xwQfJG%j&;;kup^xgOFukXH}+$j`yw$V;jIm
z@P%5jV!dc2HPe-jQ5!9|Smm!X6lQ82j<Y#c5)YCoZl|j_(t4lDSO}_d*-^t<Wn!0`
z>$n~zSs9kZ;c=p%JgN$>3d36GvDvsx`U%G$@5=~es&mhOcY+UW@7DwXMJ9(E)-Q}9
zk4I~1Tw<afms`D4Mthx1D&k%^aNtu|<7|h^;NPvK2+tUXIRlH+td|yz@ZX7I0P!h}
zIDP;?%+pGduESO(jjQcrvIYUKt0ik7<f@Cyj^T2)axDcHnOrD5+OH0WZN?>p?R_xy
z_r-rBYV_QB7*x>~L?Jh$v}J}79CCCCoN&qnp1r-Eb33ps>h{5wYFDL$*}5A?<-Mhb
z<Go3UYx_Rb`qSMO-JhU^rX>!BzUTpBLl2uUo^SZtM72Ert|TJkc_x=;zt9PToy?_F
zy}Y^DR9i3d7%(`m3{hb87tA|%z)`=7Z>|sPya7SL|4K`Fg?!)MlZG6>aV%@GsE$Y)
zuyT}c#H4)#Kf_FN{qG^!ATutdX~DgzJVRF6_Hgkmt41ecbmFBAJDex4finOmrO#LG
zx~sf4o%(z_MCPyYPEgX(sPI>Q3TjK4PRS-X&-!oTE1|27C*t2NAg1X`Y}gB^Z~GK5
z)TZT^L5sGl<57(~(ZpJ3_0$rF(-k15#^{e6955H0u5%T7xty9DixCnx<ag4M0UEq$
zu4Gx5HClVeuVX&H{t_|p2t0Mhz*6TIGF0Ky)oY=Sv=?$l?Xjbb8nx6TrE_xEr*&@O
zczV3GcFf!I)*IbV)WSmj|9dN;U?+1qo^2LofFI-(oi`LL+wP;|JW4l9S8DM``7c>-
zhU~^S&l$8NGfShJ_i3uvIR}O8EC-;Ju=9At;Jz3VcFTb0Vg{No36eAvP@CkM|7v$N
zTE(foRCbeC!2EEYv1R%5U*XXv0D`k^V@4S5{fgHxYMBm(e%H+QYUfAdwGL{^zif8*
zYtFvdEm|uh&Sq09t8{*WFUI=k=Q(R2BkI`H*PT}USRcmzBXPhtM(&S&rYyoP_Yq&E
z(|yOY&AhTa^$0_XT>yo<Tp1qpfJSF1yeFktbC25-l(zw<49~z-3&DL%T<_TQZ_=Ph
zCGUo&(hqG~Rm7>jOrL!yd%kS@;cYBlPnUPHh2R3oKOZ_|Wvul@L*S1_;{LsJpf2io
zy%9Zeu(Q2cW}#6>-QMfqOiRln%(s*}PzVXT{P15b0wceq1ivg(EbVdt^3dX|;BGLY
z!%tv_H}<UUWPP&i_7`(z6?wEdLmDM@7HuQw4hP1*`kBZiHFFz&mfubeCB7z``f2aH
zE1h9TJzO_a3j?Zs6(XL}>vh0aWEQ8s*>vq$j2*|$+YF48Rc626KI(@?3w?%*8wzwz
z^Vt(4=vDkx@V`U-Rix*4Mepyu{2dZPo{&yRNl6LBLKh(CIMr|QYxwNTY!ng1*>~p-
zOXGNUQ;=pcyKQS_VyyXn_@QVxQDsG#eulP!S9&U4=dx|~ms0K9-94>PHAF^PGBDN^
zy%~qY6}{+W^;(DPPv{M;vjvCtV+uQ=la5qS&`l0cDE{RfKjqH$?wt;R9zW=&prDxJ
z>=|jmuwOd*{wTI-!X7XC4dnJs5Pi`jCjz&SI`rZS;d0D;_UG9!i2S_;zxU-ef8N4m
z&Gm8{X1QY9OY5%%^6?lm$b09fM;^m1>!q_f#423a_k+FTL}seRJ9|jjTs<sD)s4^Q
z{lV_y?1`rhh*VC^v7ph<-;M%}2D$S@Z|vA=q$7AqQ=DD~AP48MsW-Ye6~N7<q197%
zyw2u?@@<kPyCDzcuBVwPG@y3XrG<r`l$uD#iHU2O{l3`J389^QGV*=|Qf1qJD|z*a
zjNd0;%GVn!zJ6?XLdTsP*j-4!h?8Y$R!Vj9pj_~~ip)JPcT8;@(rEZzaH9|tS#VVI
zJ9h6cT?Q&2(P&fLNeXP3+PCAylik0Zh%ouq+!ISyW3Vqf233vhUaH#j1E;1rvdd&K
zgm>P|Qnj<ozur2*tPz%%6MMnpnNNY~no-*#u$5!jM=Lj!wda~zBST{cGkJM_q6L{|
z$s#0npt^t61TE2`ufX-MaXKZ)%@om0v(w{a#Mhne?5%DBA1mD?j-FPHXh@3o!@$f%
zHezgj3_b^?Gs7Pk(S_1N`42eiRLkjE_UO9!(Rg+8K;4S$X#Aw2TSO_;eRzza90L-3
z=KH5Xox2XHjY&nyx~E!AdK1v>y!9Y>%jQ8fX%r;C-M_vnClRUrtwu{RQT$3riwc2w
z&8R-z%~+^del~d$e+SjTlKbzAhW|Msu-OO(2Qr7*J1%D3v57Pg$D6J`@Dh{ZslB!<
zk>#-8j_8fw+5Hd6fN<0U72IJSy-22i_&+dvUCtMb_(!g*f8y~U2_uZDV?PS!;Xc+N
z{?>_gQ))Q3);nPeTP2mh(BvJ}-29qbzY-as2|K0Z*5>;45RJk8nPRM2qEqrxOfu&F
zT%O-{N`nU3>{a>sJu4=^FWl%(x`!3?_Z0neg1@joR%y~rt5XKHXaKil5}hYgxw@cl
zY+s*0jKmgEC&dglpUpTtTYoylPK|YUPJ;hj5!hLQ39MPdGJ3{-|9w@8@A37V=P7g1
z2rBVv1hrZ66sr4Mre{$F<YNH`18-mH$JG7Fu(QzpVW{^bhnj<janZJ-9}0g>MAX*O
z;s=#QyHe=i{ESn-0jW2BO8i$zuRbqstpD{Fv)qQDxe(g?^AI-7xtEmRoe1hkwe!1?
znC3+xCKz)g%@N}<_DftpW3l&wTk7x_A$bJ;+J_Zxy!FJTUrs*USI5puV@m9Xy{w)b
z{)BjTrIVEAjc7w8)U`$q#-q|W0@S<8lvL`BI`cav9=0*Ed4c=(S(h6HdijJK3Wn_s
z4N~|PoV=zUvvEGp&d~K6uY!3m^7Wp2{`=$dz5~X$Y0iIwM!g{@d;{LNIjCt}m-JkY
zZvN4BtU`JvGLb?w*!7<<k6oLlKu7@e27<a@k5y$jCnalm<x(x=X@xziiKQvAnpeMa
zh`r`K7P0@slk1f3p1?P*779|WC)|ZEzt=rwjbeESzE%BRX_x%R@TQ#Juy&Aho78W%
zwe|~n#uq#^)yr;`^=Ci*FkbgkqCt!urMhRXzzAQibF^9%-Wd{q{AIj6p(eg3a<HUv
zHL+x4%A$*|K}yVwe_DtmGV?=t!k}lwp4>fUq^+&|G}lk;*d=rvTay*neFu_$4YfeR
zL^t_Kv&ft+Bu$q%ZI9bgF;hw^^=6tOakaGl55G(?IdYYGKErh-OWSCB^Y-U1zd{Mk
zY5rX)w2Z=Dig7Ra8T+jTf1b*IG)ETT;kSG=%vDD}Q($=N*BN{WhqIA!-!@6`4SwBk
z1~H;7tSIw#@8}t9_2}fXm5JWL-u}m^{OhxPAnv##nD|`>5lA@VbgOaOh*83uV>C6s
zrd@2vs#vjfl+Ee8d_Fieuqv3R!RvOp!e)KEpyaCFx*hk0LpM0LQ<z5&_b~B8a0Inv
zYT~gp!IXpy@dA3xqg~tM5E=RP&2z3G68}mMq1FHeF0`KGxLrdh3U208*wT>kl0Vty
zv)tK*DnAy2bhGDmK<vW<uKH<xMH(p$0(?V=g${u55C5Tj#A~|Tu|7gMn|jEr=C*N<
z#qZ_{KoOM=7tf2jb}0n^y+fI{Yof-%a!5!bLkT<n4h;=~Bs@tfd{p>fz?y}?f4lVb
zt(rrW+5B8!A#AN9-nUmny^}$?fbrYX2M#J!EbNr`;)o@dZ=`_#N|tA63&^F2KT`&5
zG{z{#CkC)Ebn8hh7)b7{K0Mddo*+_|E}Gca%KD1fGOp1J_&b_=ow3H4FBBMjdo5K{
znMgLa`6eZ<1JgF<dN1ZdzZzUmU!UD{Op-h4eR-7t?CJvq{rR=lkJ#aRS2|>M_AM`L
zxLmxt6AIiaeW%415u5x7Ma-7LHKW76IiHwtyXT;P5OXIN1LO<h?-Y2X1ou&~qQc&8
zz_&LN=>f?)0HCrjAZ+jzuZ-JK#pHEC?sE9h)9H6<l2|V+E}EIjpIzF^lA{{Cke>8&
zO8$ah{)-n6V03g|w__He!yASfmjBszl59-X_1evkhpfLAUz*=k+P7t!ed$eG{e&Q)
z%HbikiN==@l(@B9rwAgsO48S>7ONPj7u&<_qNs{1{}$1hl{{(7RBq)6Ky@X%eXo@V
z{#5U4;r`2b1C>L1{Yb9%&C}qaWpGrCa;r-{+s}%W*xnj(n_i#|<_W@Y&q&rpMH?yL
z|HSHm=!N<NbNA&_*C_d*Y)lM1jVQvXS6yAKGp4qM2=T!Njvfj;=?+GP=KD_945#`6
zlZ;SeEW21Ui@qc-+JuL|>2AWYJiZCY(Xo9Sv;PNp?(9&|vXY8w`q`o(<0#o%FlqZM
zO;W^mbC}Gc1%L?UrZ>~1_rPk~0s62ZyWjzwhq0ZO!CCQ_U0FF(P3jrsU_;NZq{Iev
z{9JF&4Nh#?gJnW*-l9C9_~=~SVxqE4AE=>hVd6|=Zc&HEHpN4n_GMX-aev4o@?(vf
z6n0-9o*LCOPodn1c@GciE(1~8!Bb*H$89^<yyvo4#Rv5YNMeltR6wOcVojZovjntz
z?gaxwWP+F6HoVFOk_ft8OBGR{i7FQoq>VU5<t8U>i_OiR&>Q(B-0d@j1uFhZ`(W|3
z0Cj4GbacKQh~-EVM8}SbOW^BtxuM(5tD6Ca_*~`ew2m+Hyd4?}4f4an)<n|uxT#9z
zUq9m%nqLcx`xE%VW+T1Q^#4mhE~TpfXC2eDu=twobQSvtg#UgYa$L~Q^u&*FT~fQ{
zcDB#njuC~c(JgY}5);$urH}hJ@&&iiKmi<~OPG#2VUDKDU>Ki6BjPSdzwhiyv3wM|
ze`>o)P-?0*SJ4(k^p<>czJw!BREjCQmfBuPS=JW2eiVV=`s^0xCX+RS(mYDnaz_P4
zz%t`BFQ1FaB?|zWoS6)X$Nt41fs;B<Nwj1;m8(_-v^{Ku!v#4No6ZISBj@^Anywf*
zm%zf95zoJMZFOPOo<YOt<>q;n8OfqTuXaE0SO_#JSKDkzn#j&U2djh599`)XN94ep
zvnwFP5x}_NyzdY%zDZDKVZb@6O~>)+vocc5b);rh!V08LuICHucggJ3Pn@PlE*D1K
z*nC%#N0ApCB_^X6Ybn8xus7VcJI;aOUuj-S>}X_)SPLRNip*%p-@hLi8j=NYM2`(h
z)Y8IBI(`mm-`oin<9H&%s3pW^4i6ztwA7#Paj(vbKyqHyu>R}gtK~-*K*C&vGE6dR
z5D>h}@FF~-`!xAP3ZjwM41yey(tQ7|TI~Cz-E3)da>hziTM(h{P;THY^Gn#f&r@Hy
zxh#5$8F_D?h2ti)po~IWM|0z7JH%H#wwoB_ej>oLsuxP=D2X$Wp^mInI`T;LEa13M
zHY*#W;m$$j$8kobJ;EZSBOJ9^Q+!R2ew`m`{~Z6+6Lb(B1n&{76r}+VwfvdVX>CQ?
z7%h=Z7*5$rQfGg%_G9)^%cu=&Hb)I!7tO!ej_X6E_AHF|(`Re@`X%AT+OsRG9_ihh
z(}eDhH17%{)%@$WQwDkF2}bB~n7E(uYkQAhh~tpK<K$JAQc_E-fG?h%Cv%)bVxX0w
zfCCh;0oXWS7GQ~ij7npCb|~oxI);1J-oMY@tL9V7fsbVH2nrmZ(&jsgo@mNgTfxFT
zdV@bAK)@Smy-xuYuN@7S2ci?55B3dgjJr!;ak&0e0$zMFw;+TZ+CS_F&-gd~qrQD5
zf5;$5x%6vQY_oo$CQ4FtIAt06i7myaN+*3@`eU+mW@KClMq*;cscuM(0$JAf%*#;b
zb|kD!5r#TWy?6g3+OPYdVrciv<Co@}H7~C4$M^+>kbp5gJTYYqFHrO<6{r9v2Qpj(
z%5z~z!!H^8zFHoH8~cs4weZX+{j&(h1igvwazQIJKC&|ZCD~sx!uf+=`c%TfI$o%z
z{=wKoW%`iHeom8Rgi{i5>+FkH^67?m?v<Dueq#x@SC+u&k|yD@Gx`ttnGH~}5465M
z!XHSMJ9$Ew{gsf@l$#bcN6$abs?$JIE;6HhmnW$L^)8+r>Y!uBgyq><f~Row#3`q(
zzLSEKM>V&#hR??m>aMsgMpE-)*v``?C3t6?D3+}21~gH7{?f@MNNI_2T_DYEW=5az
zhV=_u$RMi3WS4Wp34Z(f<!RBV<R@_}?iasfx>u;L0iXsjw@FAyCQD7QMcYB|d8(=B
z%+ec=tFtZ5kN@e-udh=U3h#ZuqVPcfx;uaurtlzPh0it4_3{XYU6<0stB$BD&DqvG
zA{og$HtL?QJ56M^QSHpDGafkOV?e}m0;b<|7VFr0Q<!4fXOrbrpF&}tIwPDy$-t$D
zukRS)Z3#6Jlrz;~8jX6QbLWZrW`)SpV8<{N0(8W^L1?f<XdH3P;Qhj%5y~DqtN(sc
zj7kUCx?C#xow9BrsX8OwKP>DMpSbE1_|BvbpGAa&=Y`FFwgg|!dDVEH{8Ix$yB*2A
znU^O-Bf6=x&+XHvG*Q3&3zNN((!C|q0QNvYKmaPCDYEb2%pRVen3$L-1|{1Q;T`Yl
z7ZFj}jp6EAl0#%PcQ~6&(9t%g+VLWd^Af%-{7p5-)RLR<Csq{ZV+~Jo6_J3S9<&Uq
zj4lS-?|hF_jT_;b$n%I8%VFicIjwtqHDYo-v3z}Ta<*0UA?3@B>rf{>-(hZ;Cd#PY
zAe>-3G}JM7TVB9Y=-=0pP~49=nqVqVUtxIDZ`@U@L?k>kfy<yQFVoE`1pUh48$b%M
z{UB3de+yo!kD^=2hX4qLt{}l=WJ#+)2nq$NvNR|z1<zfzr?mfEB~`=72)5AR+v7%M
z2BWQNlcT{zEX6x76Lp^M*4?@WYgC$Bomu$}6EF7gIq$a^5DZcYdB=Bke*OK-79)k4
zS(y@gtU8&KFkAfObw&_UJHN<T&GG1i?YWR?kBloT0~G5@ybx59UKtbEgnZ<i8pgH%
z>;yXE_F<<#$v~z>p!*vaXcf=LA2Ny@Byx)!^K7iF7i`bfZu_2aIgpIO?M}k<ABpFa
z^cA;99<GQ@ua>&_4R5jg(5tXooT${PgY4_P0Rif%G%OPocm8Q({OQ|w!wQIJwh<Ns
z+M6uFg}p0yMTWs~oB$xEN7fvCz0%yXX!*z^a7^b6zkhm7N)VHd2p^IhGAcb~#`RA+
zWbW`?O5E5Jobh1uTG!)+mE(tXi==JA<q4dXqo+|-dBJTP`0~?LH%ASRcLRv!Qhc;F
z^G37PorgN{x2K?Y%PD{@3yChJCIEwWdaH}7?1X@Q5mzalSaRW}sftP);Cm(RZee>D
zvJp22`}wQ!xFh{x817|b6};vMIXY0&o2y?1T#K~XAQ$V?PnHdfb`~0Z<#x31yEx8<
zk~H1&G~FyH{>?gdXSUQh+1wuO##VX8LEEo1QP}2Qv>c#}e{Ai?#=)U5sdfcXdIR^<
zGC2Qmy0&byuKZbED$R|FaMeQ8@6mp!NxG7)-ovaoO*$0X{U=$8&-GznpISYy_?*_w
z5gB7>p4;;jYybSW!kv2i&&LXPX}rrJ&7rVzW6NGT3sg~?{F))*sYoU9PO;f_{_Nu)
zOGjq}d}FZEzek3uh>i6Zq9hh2&qD_J0AzxSu5iQ^w82-KG1+J@-?$QW`oIkgu9!gf
z#HQ#D>NGEN3fm}%a7k!CYHn2&ex5XEz<>SP?=}ewYlG;QkQUtX-RF-|pa4Wbu#`#x
zRsDhaIVvv1qM5tgsz40E0XBYD16#%sSRJqf01mUYwFS4A>kS+NzMhcXlsaJqXRmPl
zjVn^gAD#5m?<IBi4R{eAz|$B#3s}lYRxDmxksd^;h(+rJIwH(80<#!UTfU=3WYg4L
z;!Ys8m@Kn6K$1>Z#s3QXMs<EM{uuT$--T}ZF;|V<b}>ydKRg5Vr{N@HF^2%CDRJNt
z851Bpk`>3j*e~B=xTjq?*m3E;{L7+d$)e|{Z^0l3WLIv-!hqmvMvi@EWgKu=t0C8C
z@|F#u3XF+04u_dce1}pKY^I5I4?N;$L@}fUS*fAU;tv-f;qKU}ggXuV|DLuBTQqR+
z-+<`p*+ScU@KhkaUU7-?D|e~SD<phN3$K>C?M?$K8C=(6_*FnAPM#aak60h22t^ZJ
z=5syFEH)Z!^$;9eS2LAi>;DlqB;WUnkZ=Gq1)N#vO%q)UFcHgiC5C()8X9?M5~fAL
zQ%V2>epxcDYWzP0iZR46_)P)C0XkQW6Wdq8yC0G1JCklxG4o!M4g47G!Dp{1lFNVf
z2FeM+<n#+<aNp}amSYBYO;#6XiwNEpHEWT<Uk;15l>_>HcKJ%-g55}Im2q8TV-d9@
zAcP}h<3-dQtR&LPe}&~s@kf&o;CHPl6;s2$MMy80ae@3sbx4L=P6^?6@Q6#iVj-_F
zT>-K2`g{0?8Dka-lriT2c1pdI@ybmla;f)Mq_3<T={8^qnbc6AY5P}|H*FwY=D+`?
zm3BZMpnsnbKN*uO0)&PLknRnqZE!>aEbC&j&q9VVvNHQ)zRW*?VX5G_p+hc7Dx2zI
zb1>`b8xlzagW*WXVuM~fsPBV5e^xTJvlXlz{4HbZgiLZ26q^BPezTqr2#2FEkQkhr
z+vWO=#mqc^e{P#x6iIz~*W_r!*F+>&q%STbBQy4|wY3!t6}%mtC^13ZJ&w~(5bu5-
zxOnvYG`-FU0FbsX2G#4{>s>eI_ImQ0tG5C^d(d-GyZr%5%HndBLA4$_5C5kt`r%+k
zRpbD4p5<OjAlui)z8lP{tGR6rXf;%4V4KG~A#X!~0Cy<kc_ueTyU}=c5>MsL_tVcp
zGfulTpv{|c<V92)!wQmSSe?lWnon&@4+nwPVEpgj_Z{pV9SemG{rnyto@YT+TOLc`
zl+pb8(CLTP_5?r$KpR;`O}DxNuS;2K8MUzh`J(uGIn0@IsmM{I%Sx3;r!AAL?Rq57
z?)0)un`|~Xl4ES0{!V203qrog^|nyT<u7qxMQ3o)N>`a`dGq3T4&<UO&C}RsXSy7@
ztO)yULbez-lfTIgis0Ivq=*7=zA(<(LwyfE#n@0>Y8b46V&qE|Ih<ef?C6lqhdsgj
z`1<N<j2MBCmzM{1Q&TDx%wW??Q>+MWJ#&|uhgg~boyIkky+OXbB8?vp4t-z&LPr03
zx!C;JgI~v&tOBQCyK#TnK($KjHK)x$ItYzBh_>)1BqcyOus(^;)o?abjG3+0bV}Dd
za67svGIvHKG~pf8Lz&3cldZsYv2|fmDLN*G<~jxmq~SnjGLoY*Ix(Tl9nkmQS{T8(
zv$)2XK#gX_skXoTFrSJxv+q|LQrm;y(<~I1h)RpGwth_Ca%)lj*@yuxlVCyg1x6+&
z=!dMuSinKMP)!m-f3w=1mKryxBW1MjC6M_ONvJ<!(ce1kTBf7+;_CLt1mB|9b=&cV
zDxB<SZATC&R?k#_6XVH{MbuuJ)|$#<TQs6djOkU(V!yo;Z;d+HDsq@4HGk0y_M5%b
z^M#0?r(bh(Gwc5hNp#CrX(M!ZcVE!+8u`<U)Gp*tk%j{%=Qp!^gZZer3PXXfro5U?
zT6=cggjdmy*c?B|h>Y)=$ls1ezk>eNANjlfF;ETx(&<YO0VqR!&8_j1rDEn0C#`=y
zt?`pv(<S@;(@+0b$s7zRvT_d95=E;<<FmeCezPDwRl@q(YR*tnw8`QjOM$n%&+L0X
zxf)kMB^T%hFEkmQdgak@Rh=R`7pG>=>8x9D+QRV@`j2f(6r4v-J6>kjPkfIJ16d%w
zj>~^Gq1c=|uCt0iE-f^^F)WK9?ve(?K0$g)(6FC)K8!C>*lBcnQeswR2Pog{Z##R-
zOSi@?JAJ~jcbnVsw~mCSa7uvws?hBW+O6}e<*t^nB0r--l)<b!JCW@ZeR6(-JZ3(*
z0+pSq3ahtCGcFhU%gd3qF3^8}8uV{3M(c!vN$J&N`&d8N@;}77p2B~Aj}3G7d0gBX
zY7~S@ABm1}O%`EOFn&{9iB*5-jWO|*Ef_S&xz`f$f1PhIH>R+2y`lSu#k0DEg+fBM
z!R&i&?XE;bF0%*q>b|~qJ)QVlc#V<<fJ1xc*G=Yn_V(u7soH~_0o6{L*e8m4JIG1F
zAjp)6uF}Nrt_?j^Ra3hg0g`Go7~tpEJ6kJ|ZF})hwY*_M)qK{iZza~^26&)B%9V-l
zLG6&9`hK!ZO?1ptndkKss*Uv+Q^OchO9TbDF2qru^qMk;O&_ClNgqsMh}lQIQ^X9N
znt{KSv%2dL0ca7rPmG+EtSt9D6HQgz1Bvq2b~m-Fg^;=``fFEXx53<2(6?T~v~|3W
zi~InjkW0sVTI*^AP>DcOWT|5}1*$@)NFUYS8%$NF*?FL@kq{O(RBR*@W#rqLfU=lj
zKpw#3zYzt7bxp0GJZ{Ujtg+r@raIr>JIGW+VI_F4`j>q&d_WS4i-vVC&h=H4?jd?O
zCe^s}oADF^mWtyF`h4N~S#%B!WQqTT*M9(kOzMQC5SfjfHLLlyi<1rIyq(oWq3CI0
z|F3l<v=;d?W1qTzhYdam&^jx_e$7L<_Nj6Uju+MUM`|(DVE4(&A&Ys8Asu9VS3yNl
zaSY5c!{$BHY~6wj=FJvT7%U-FcisQExBp0WLW|f^EL~l?jw3fGA>iKBxV=y~-I>l{
z4Ex(B4Cttj-O|UE0!IFE4rMzg`!5Kq!_%gNGPLstO~!sZzJsBR7Ts{$jh0enRtNNY
z|NNHu+oM7s1^Y4nPk5~G=P7A%X{k@d2ODNYrB&YCa4cvZ1bx=v_oQ5tMp}rriTgGc
zCWLDvEhLGl%1DECLsbU~tpF?Ursi}8*CI@k5rDUH{tsjTE{XAvfdFU)aPg)74TvO+
zW0We~<}$6<FUtD06~z@IzIW5%k;coem(63TzH~^8XV0=_PzX<-zz5_h2kJFi6*m-i
z5sULTqPAX?(|T6#6T;28i624HRYh8LjrrR@^v*#_NljtM&H0qK?}TnHLnYq8_y0nU
z0q2qx4WM+`pDmz{?zTXVXKa1A=rQZBgC*H2+wG=#yI>(yXNaGb{3#i)Ad}2<)9u;B
zA3{OD$WdU9AV_vd8I%m_;FrrL&B!+9ymZ>^z~;Z)#72uBW=7C3*`e!}SX4Ny<-@=5
zH*ZY)GmojtTmr%1knKr@YP3%^0Q!a5^r36y761puF&9u%3&IGvAXo#8JLxwlBdjKh
z3k8w7QIppUY(1@z$<tbl=Y@Ejdpsk7=hj#<!jSJ-aMhmNZ2oD8PRsiZ3ian|)!}E<
z27f(IEduNwLT9uNak|=wv%j%qeUBaN9I&jhQ@j{_c`B-I`+j{Q<+k3+=rs-uJHKsi
zPII64$=!AoqyN`?zW}{=^L>iMICCL+o-rfsVqbmow<riMlwQ5?Dl)<4<cx9$TOu-q
zxk&z$<bxnnD4D@5?O&eDD8_suPJM(R66lVCQ{$_PLay!yD9}N$i`s71gZ|+BS0yI}
z!nyKeM2-cMrcSYF{AGv!%;$g3Dst?oNBA#gowc)exe!rx&(Dh^3@6=g&QbOfUW9;W
zsr(omRSbBpwD&1|<IF!(Q;w~NQ`?CPN+Yyzm`jODfn4DV-L%Wb%1qx8a<IDlR0RwA
zM89wgQfX4rRjReP5@Dit`e=q!wji!24vyx{YIY(gyKoE|36^lzdHLS+AU8+v8Cu66
zc8tFjlfjgFc=>5j73+$hN5@Z8TzZqcd7cWpoFJEej)OWEW8zrAWKEE(a@C35tV?8g
zIOPmk5&;MUPZ~k=GAUUkLU;E(T@%fVKx`e+orWZV>ookF-J8)@fcux#aLjP299G&>
zTO~l+@nVt(GzPjeC+9k6^l{^YTB;sXzVmGJca#)9?_Q78aCNx7KBbS$6KkgxaXJZE
zM$8x4s3%E=Nlb~0?Z91d*p*B8)`WuWNmwIxc-U4X?AZOhG=w*1s(K}OoXCQ!oZ)#7
z;m-+`in6_4?D|PQ1-Ea~oqh-e0AK_Yd?__m6UF592sp=2<UNnQ6Ztk?vYXrt>`vV7
zjjw84omrKc^EgVxn(*ia9apN=(y<VXX(EDa(ejH=3~W?hm6EaOtlQ?TT{m!4L<Ppn
z{f^s%tdAG1UXnR;+MZm&0wPNchbI=jX0Jn}8CD11f4K#g@LN?<+m5w*lkSopn%uvV
z7jedEGOz`IM6UuT<;96S#IwZ2$~!!NN#=YuKdRvtcp+BJ_lX|dn0S7sp==tk#q#?U
zDRDb$*fKyiz7r>x@FyM|-A7}O&#He{th(*@uaa0b`H7uZysoW#mMpbKqc}!`xr6n;
zWqf|d>s2^T9t4si)TI&{I4C^vfjV&aL<wKs>>KLk`SEP+rM0w8P?6Xe$&wffoU}`f
zK*F7Ggo4k5Ot9i>qcuXJ<ci0JEsj3enXiK(teCN^@l_*1W)D?}xGmqGD3)oZxVcFW
zj*Ue*E@lEj`6MSMQBZga;~mPD_J<0?F?TFB3T?b45u=~N@wZstP6-x)Fbdkl5dTD!
zlhpBCaV<Org^Qh7yMZ5KO}!LDckVLP1-N;xR>r!0rW#_O?1h*+eFWNKU8jwE3h_sg
z7%~YFg{r-b1#oM}A+RW{!c#A@5#kSK5wqLATNSkN(?AYFu}FS9qjU5jN?!+Y%^2Hf
z#KU$cKJf~K+f5de5aN_?`V4r1x^HLPlY#4Tj`D2}p6yLwm-a?}C{ihs`iPi8h3a<o
zSrXv4`)TRw9=Y9~y6L=RIIc>>zbb#uj~3dkQZi#T#aMCXt^0tH67>D5QjB_er1rO9
zmkS|Gek3+zS5*qy7%Qf{I9CpyK1{gNhr-==2MR4LjGgI-0{Ufy9L%ryw6uqJO`tHS
ztui)p<4R!CN-IGOA@a=D5!R)&2s9j!dS~UY@!KKc#X!Wgj_+Kzr!}Y5<#N<w%DUTK
z2SrMdzs2KL;%Ouis$L_ZQDu{|1{YOzY(0y%A}lj(*Rb+9-T=MobQ|BG6Q}_5IzgoF
zSkmBQGUtzWox@MS%~;Ji`dc=D8y==tF_jC{6-4@9q>#g>E0>(=TS~<@R}!2!W@-qN
zn>A7UT2-v1?0dlf>JKb0;W`S=JUertD^=a8&jZrx*Zt5$Vu?-zC8x8YNP1=0*&39U
zDLIGL@=Zz<+-m(mROwuF#KNndDyMWgV&Xi3os~6PChx|BB-gaZVr4KXt=8poKtepm
z1JHxH!Av<x)1wrihF}O8211<?a&?_FWH4l9{5OnnnaH5+73H5buKP>zS^U7=5Rz@A
z?sHD|w$;_>b;?UGr79|y7zNNrI(7bxii*msySeZT<|Q;`zTNZWj)2hKdYSrkYb-=x
zd3A$x+;uyfw+N-5%AGM_>0jd+A!gZEWw)xFmQN2dkG>QA^fFHw1KnMt2~`t0L%+8$
zXlJxevggUouE&q&KNT#k$zBsxRwNU0*tU-QM_7TYUHjs<j=MZpha6m{j0y<<7R%GO
zriUONi440{^2H`IA4>0UD=`jMtLQmY$67!xn+G%FZnB#fj$JdwzWcY8!vJJ6u98mk
zf}|puD|p{*1l+RbDi!_B%F41&@mc}Q?8?CE)gwtAX8Iguvy@5}_7LQUCF4uEBF58g
z^)|q6rF;(IogX+xkvU!;ELP-ung%sCAQ*j2M}2<28p6E2ay;H}a3opmTn|g$hxi*!
z6~8Wp8}tyLoQO2^_ZMKLkJf8v1zg6P>IQ0*Yegnb*lrfU-n)16_qE0eb*nJ!AGM^)
zG*0hU-W-73p(~zCq5AEo|7N2Jome?4nt?eI;xU=>qR)ikYQbEN^IbQfF3MqWvGyK*
z&B#@jeRaTxNze@jx-~)?$j3e7)t`+2#e^J=@5v4N*gxJF$tfFd4{sNqFSjQ)+P9%K
z-Hx@W{e68KQ&MtVcYD2iAzr8KycX8EO{cpNF|FY|u3Jw`i%LCu`&3~lQ^l>hu*6iV
zZrv)05@e3W#jN{>5c<0*W=!uB2DyOX2M`_Y3-R<!DfF=oM^qrS>)`x|csD~LBFDKC
zJvRnn%QjRjw#iI(!8D=hjWbwYE4sySh}Zd;%lO*UYRFy7=X@v{>Y4I~+QHL6Jdy3T
z37fCcmXO0dyS{`5%$#<&i77reA8-GLQi%@oGpg%WKf3WHyLqn_bKQd16<u*TS7$N|
zj6h24=bCw-mplNfTStlXuJenc`38C432+XlQ2OA(rxBbsn!#%xJlr$2&i;wtZfgV{
zon&9O7<3Yd2L>My(1nw3u`>LVa#|>`(gQ5?J>Gjy^q1E5olYI%gE*n0SoY^)3Hnk+
zE2yn?9;Xx8Gdq4f6`<QDDI0*`%f$+?tNz{KVY|pat5utl^4{XTF!h~mLDN?_s%)0S
z$EdxjNuauvu;Hy7;Qhz5iy_(}u3x*>UE<x&uxLJccF%jjaa*5V9Pk~ZqOrqOm8J3r
z58bgQe*H>0N%4t&{rWZf<Hsq*Z0zj%LHBJo0kVAB+Ibw4jh)NXZq|;8j(p|MD06XS
zo~q}0&E=8FSpM(3GKF%Px!TUM!$C+y#7K>kUHaN2>Gep0XzOC#%`xLw(dwu^5pW@M
z|ASj(0AWU;3Nrd5;uU8;#!_)JQu}gOIUaNWYpr!ir(>)`cPyKF={F2FDpBX=B=4d&
zxAF9wU-x<9wjv=BB9FLu$jSwaAbeVNnmb_td;ytpxJo2s(eG*_bL$F|fq`h3w<`&c
zeqUHb<l^RXx4?yapjUJP8wk3{QS`0@0aPaDZA^ODbvYFy=L3<1kwc`4#n?ucOVwzS
z>jIK_Va}@`jd^y`<((U^=t4zGDZ7<ZjP3c+poC@y$;pTZez_)U^=g|fDqPe6kWnYb
z#=gQ`Fhu9wFh>diM9&C)Pl(N8hB#0-luC;?+s9_e;Xy>7^4-@r@}VBnC;5YzR!!7A
zQ!O{nT>S`6v^8_?yQ?oj<Uo7#kPnJw&aZZ?LKezYH|-%v_p*t{OrdvuT+I~LKAb<O
zcq>lm7h1!XNhvBCe)Q@ckn4qhg3kA>gBgNDfYx9Lv1;xt{tj@mhYOavBSSdxADoFu
zmRhMQ#%?R-I)#qiHqDSzRz;dPkxvb<#&TocRXngIbTUqfS==eklxe%0CeT56;`fFV
zEEn+}%*z0BEtAfZ=3s1srKROUg|a{k@`XX-A(>B3%y@20cVhbkK`orEWe_H4{stW#
zW>;I|&J52@*UiyR&~kn{>->oi_`MIpn<GAb(qKrHy>chD0)m5qco9m|H=JE(1Wx{(
zIR7QxCvMvuW@dJev>R16E(X&?%?#cA!Kl#9;a_j^YzC<U!C0W^R=2TtM?_$}GIb&V
z4cJ$j|N12ZhZm0$JR;=FbW@G;)x=q_(!_muvW`kT+L~GKl`HB{^F`<4aT<_M^V=&Z
ziDPL8y6YE@aEyUtdES8nvP58NKvh}Ja;LCJgd*aqW3E$9^e<$^YP{5PUsEx21<F%t
zb78fd?X@Q0fuBEERO^<>V4~2)U!tp%a_~Fxi3e~3Pr@aYm5ufFOUKQ<6%ni0q7tdM
zJ2(Q4w<xI^xd0T!X9tW3<anu8|J==VJV^v(MJKo)I+8)&qY{y<T$rE#Ct&}H4ajMp
z;Dh1o<|Ud`OV-=fVi0((OY<*v$)PToK(BWtuzbh~zReZ(a%-nvT6=FR^?g9zALsLZ
zGXxaA-pB?726jhD3FO5ehVbB^Y`f#QL8Hs2HSmh9*&tTasG=b#IVev`-uX0#o#-eF
zh(F1z{gIHRy&K|=<mTpnbTx7+ebkU@rCtc-McytrEJ_KMm>Yc;%I{@wz_`+6{LRZQ
zCy^i7EqnOe$H!*|h>-q#!-@|6@{oI8o<&|lU9<PLs6P*dMUZ1Q8AtN$EuD>NmL~ec
zsvn%Cl{65ZLdSwMLtXAKU)ZJ<z22k(;o~Q4K&fdQjD^;DTuRkKEKB!g+DtIQSh3gg
z`auJ^Dc`~xjkivnEpH~JiHS+&tKd6X@P|pfA)%pxfq{{X(N1iwG8GN2O~JXcZ=8rD
zi%l-K0sYYM3HhfiU~*oS{O%qvX!;Bc7RJ#!FxZJ)b-h*hr}U-|Bh7&hf-+a%BdK_h
zta&{Gw04&F@0E3paL9IkzpAO*XkhOpR;SWIIMNZpP2Z@0k9f9#cpd^Gz)vh;5fR|N
zvzm;Uwyg~N^<QSbGTr-GW|Ict)Z}qndAKF(X{Sx`1hk}Zyr_WM4KbUs>?(qfc)adh
zB+R$5;csJggh=m!pbTvdQ1Ui}+|7dL1{Vv|!fPC39CxO_QFf@gYracT7p3t}+2)oN
zwdVWy>Ax}PrO%0pO^uEHX^c-x`53-bw&Qd29Q_K{wY5;{%UC?U`**8%f7aHW27|!}
zh?f_(6um=iR}&W~M9lf2uo)Is(*uTq#CqTLJqQUP)IFcL8-@rVM&Jc<I%X{?E2(|H
z5%PSVhSI*nsMnhgdcqLHt!2+rN%khG^X}ubfI=cW2S*;LXxwUCj^!%hEfn#*bq?0e
z*Z;BV@%{Sgiqg*%AWwfcN%W2N_kjWFFn-WtPWM$VGlsi#l>fiQ_L(Uj-xh22_)t?R
z@bvSxr64zhN{5y{;4$evhfbV1!=vTodiCm)<E@{UO9O8u1-i5r*s2t;;^|s);)F+t
z_m|H?3)6va0iJKX7I@OM0E=UWEHDg#2lBlJngcwXIEo!;H%HS2D_~Lq9@Tselskc^
zR`UVN41uo4&!119H0jVS;K2AA;3=Y@>)ltW8W|Oxnxd(e8W9-@9N6s;pCWrRx3a*!
zk}ZtwQ76{}vp)ANM~km=l=X(6y9L}H@8jW-klVCE321A8;=FnDOtY>uSk9;`(0DF?
z@TN+%Ny-U<ZEDdh8$>$PPcdshewp)ljqZinZyvntx@ud|dc!(<GH@FmD6fY$Dsdjq
zKIkYf^k_<O+Wh}7*_ZMci_R9&5p7t-ZS*+Y`$nv%XJ>_z-v;Hp{Y3}sm4J5uf^8MO
zAk=sLQRn_dHsI*xsW+eb|88LF*s41H(?f4RhF9u3N6Q$lJ#1m@X3*Bw-qvBA-eG2Q
zJk99xgO?R^EA*aiSbn%QM<^ll=4Y1#wQ8;hVQhEeHZaXQoi^=le9V)=^GY2>piHq!
z<GQ>7yUzi>M-f^P2QOb1X3x7eE#{Q_sgJVV3Jlkt-R65;+&x1%@?q=r7FkF2iqJLR
z4yjCYTKA?j$#hRz7?acLh*Li~bKj*t(9Ed?p39<^@J&A{_Z@42wG!w;9H0dU7^OPY
zD+<^PPl_7Idq+kWY09q&TQ}!NRdRxm@x_F53C4`K?uh-!ZSeHVXUP30%z9M*yUUrB
z|9S_rAMa<_a?_`20w1W{W97T^C)vvR>Qv!0u6ak-YDTn}ZD*~M_LzU9`}u$29j-S7
z)zul-ygD>1Vt-C-(+U<~N?5@q(_I)N=KrU+<nM=Uk&{bnw4$^$8@lc^m^~K-YW4f1
zpOs#e6wdbP`jI{h%Z)*v4G&laT0}s_kCxG?b=MxtKLwuaP*C#h+>C{1?IRvH^flX+
z|7=KD$*|4nKH~<~ZRhQuv)wrF>Z8JBzToU$vn@Y=J=AA<^NQ``5&Na5<AsfP7IoE!
zO>q9e#NosRPDwt%*)5)fg)?Oz{d7;?a#M!wR*mWg%N)UktNijD4Yw`iHX4PWWjMn!
z<76e%<QeC0HLN{+>&@20Nh>Gr=P)>3^q*^=$j|H~Sv7Svk2m7o4A(TT_pvAf_xn1o
z5R;jH(^0a$v~D4DLer+j+c^#@9f;>DI3lk9pb>aK)|I27-VBoqIKLdYuM_r6nlJaC
znPKPGn=%KL8hVrU-^43ch?#ea?#TXd<JXz=J6stb;u#!4r#2DHdec7M|NpOkZqULu
TkHb4{7=Xaj)z4*}Q$iB}FU8(l

literal 0
HcmV?d00001

diff --git a/odl-aaa-moon/commons/docs/federated_authn2.png b/odl-aaa-moon/commons/docs/federated_authn2.png
new file mode 100644
index 0000000000000000000000000000000000000000..b71e9aa779f2ad1d2fc2788cd73cf620ea3d135d
GIT binary patch
literal 35203
zcmYIw1yq#L*0xHAfG~7RHwe-pG14)Fq@;v&cSs2gDcv!E3<yYfNF&|d4bmme|Kh#(
z`&o;{8rI=G=iPgs9nZ5jVJb?}FVRWRpFMl_QdUMv_1Uu*yw9FJk3xL`{01X`X&d<Q
z+(}hh;#uhs*)H$_(Og_n{MobeXpB1}B;Yfey^OZgvu9WxPv6gb?BJiCJqsg}l@eEX
z*FVTW(Ni;jy!3fg)}7b+VMAVp1&_1DUziC{Es^`v9$CZevc_t=*B*&i1q($N|Beu5
zZA!xkW3=r=;@5)0;dNPm(cL^VdHiD(aebGEO-29K5C8U&z})UX+K3=|q(cp$LM;gb
zfpI2-dwXSASblu@@@$ny+(IOeF<``RY<!%$K-9<c)~oR)C2!}%1dphwK7TY-6_F}P
ze23e^!^73pmHuG<_Q<KxN8sD07TgaT!^z6(PecUfsv}}fLJSO5LX3%x&BfW7hlgjO
z%6GFwJ}h?iU}>tsg#{Ip1Wz=CstWVzVbr#^wlU+d>r2gXV>^9?_*g|H7HZ~ROgTK!
z6sjuZrzQ9&Cnw*(f5)@#$*2FiSQo=6Kc*JNmTrfgf8s8@%7~al{<NKPZ*Ol|Ma7<x
z5rs$R<IS~{hZ8gPe(h*(b}jIRtD%UH$){!8Mm<thwu^m9+leWeaD~@b4?ez!FDLU0
z3NWM@LW=?ckqBZ6(Z6t<E3@6Kb_y$kMi->X-d@(!)Hu^3L8_mgp^1iy%E`l{$2ly@
zwyV`WE0xe=T8Y;k@*+GuJopDK>YxPlHR@s@IUbkwPE1_65%K4+z5Zaeauuo~9zH(4
z)dn<)z^CUVJslZ%a2Y4I(7xY=0?f?uHT{0{$$CU&<h6Ipu?tSndn)j&AlsOvBy&3s
zMvKe+1=mey*p?IP)yS8JRvjIkv2UQD?x!_1YC1Z58ykoMB|0q|j+Vxg^oCi|x0eSt
z*47mj6+u6vsV0z_pj1_<fTDXpUk>aRI`pt-$W6r7HCT85aJ0A2reQ*@emXcCov7&2
zzyNS`>T)A#_V2Wox?{1%gd92+78W~eYp=b#5OXYLAc#3GpG-~BqQW@&#5T5lRzJab
z8R#x&CVt07L`3Y!piBJIN;o4sdrd8&9{cd3%ltK7SVQbi49&gYJ^ot*IXUPt12w9~
zJ7CX}?5e7Xt}Y};opNVcPe&O0R(7=8H2X)D$5G$~i+~rDn(Wv<)2+3AYkHcuv176w
zi|ZoTSYsDx0l|2Z!6_h57_+RbEEhNTpT|Exd!on$(vsnP4tf=cFh@s6*u2WCK47QN
zB7btc(Q5gm``e~*T-*zeo@k0RKDW}s!op(|dem!bK$PE^*x6m}?JX9ICWmb1hdLSd
zOl?2b-&_u+wR;i2wH$f>RfX*49MBD5O8l%^?r)eco%LW3bnE-qn)w`AphY1UXX&6M
z5hkb#^3%GnD`(d+;~QadYaP+~-Sm3~W6F7=UOK9$byOmwd<#~#b<<?3pd8xsU24?o
zxY$_Z&!1->lMFhr$p!G^;C{05{3lndxrB7lrQg3wc|PJFzRd!G;fPO<Ci&gpUs+zh
zJC+}w)F>_I4AZAS8fuR13FhOVm%1)N-DbnwW&@;G6d)>sm_snb_3G=_uk56JSrKv*
z{hvNIUK}nq-qvz-Q_O+7Z&}i7LxBeqJUw{N!NK7(AOM&LMs!F|rf?$Muikfc?~mqB
z$}LlJ?4?)Tx+LAY3eeXR&wV^mB@$3e@kWa#H_+l<BXlT9J-uVxxLj7NyJ~zA$tG#H
zE=9NQdtfoj)8e;z1qHe~IuAGfKSO-5=%s0Q42C+hJXO!HJY-L<^Hx-r`Z$-+0g2e|
zj7#G5#RA4}Wi{XO(JMN`E3O^y{0;UQWxTL&a*D68ca|D_n;BS2{InFRrl+^Rv%^?N
zw8&hrZiMEUBE;vEnIzoebM37Dt43wGIw$joEF`EqTNzuNF*Ger_s55lee=1VQxjZC
zymO9P_GRzeEgSuzi{wDtoJ_{dsc$gUmy%f&0V;@icyZ;ekuMi1Q*mOm{bZGu{4{R%
zjFvL;RF-juBdIh0$U>wN-u+u@?GcVn(S^dWqpj4F#pI!P+O+X|H+cnTc#t|XO$H)`
zFY(`HM~ey_Q^JQb0lpjVT8<|jJ#^8O9|aSL_IGjDb^+NI{WG)IhW%c9$+v^@Xl3fG
zV&c<rezhwezsIe%RcX8z0!3;*D1%c{Q`aVO@ga1z53d0Oe!ap+0F@JHxZUdNB&6do
z#$wp9u>JU(*+VZq!QmR-YF^fJX&Bx5qXg!>lm7ut<Md&~4^5o$MFBj%x0#QfVj3*}
zQLg!B>mn_n(arb;LV$=XvR7R!EQk#z{B-fTLz(wJ<@H2j$o`Zw=nA2gMxnRx8|o}b
z66NsGJLeR5eID9VN<(3r$M_B!iv@TcXJjsLM(A;qqu`$D?vJ{a4Y(wlPTKlvK_)>G
zph<6f(ZkT5Od5*AJVq?lc;|n6$S^Ytq`L{cy;+=hGmkb9cI6bG$MvGU7GKKUrlTWN
zQ<ZFLigMql1BZ$KcayJ<_z9q`1OmT}**Ms(_O&!Nt%b5<>9Uv39sk)~KBt}EgZ|Ph
zY;4td+C0YHCkJc}mx0LU+{Sj?Iaa<g5N3%KaeU+GCoxICzA#v8x4hV#;A8EF<98(b
zpwFSI4z@Uu9~>BPc5%U1isy1zlQNS3=f=%rVDNS7rLZ<p&GA^k-0FR~SYA`*$i@1u
z?fpplNx4DLc|vpL<#X-TEDIU?=3U4sZfna<A}T6cEFD2D`86*;AB~|8!KpmLer;KO
zf&*Fq*WLBmi5&2yg{>b^UoX(qMUVg0%O>Fg^e<*&CNMKo&;0$gu?o9e7~AHEmQF|e
zt30Ar)?lt|AndE<y=GxNq7S^Sm})$0X!FF%ieaf%p$vmc@Ok9zT(wmfIu&xU+P6z7
z|Ex0T)s;JI#B?Bq0xXguVjvMh)Z`fP71^s8^b~qAD;SwqLk)zNAC2Y4&I*(d&GCb-
z>ES}<cWPjy=qxdx%tUv3izEN+=37}v1<j>u4#5z6I&1~4>N%~yEIp=zWBZp$Eo^Q%
zu-C@Oa3572H1hZRcMN7mu_Yt~uSmre7#8#*I`F-Tf=E%~c0T13A;f7Bn&m`}mbqS5
zs-yoiomqT*LQo8mBR`+epM!ZfKKAXP8(KJ%hZ}`3n{TSarDYj|n8gvbYJ8K7N8wEN
z`m1>#>v4HNb`F6Q!WEIC-oHMLRG7-oAoUv(IDK`VIkhmvS3xoyZXYifocgtr4wmXd
z7%?*?>o&?*z%aSD)~YIhW*x*;E=bQSToG*glq3lT>Or9*O=4Te{u9aY_S?Tmu!eZN
zwT$d`!*}XReC&&%$1gGF@EB2<<do#(<yka9Q0xzXo>?!?M!hk6VN0N(!u#kK8-rCV
z%=aQ90QsiAAQy$>iw9B}de|(IP5@2$Gm3J|^X|N^dK3&po>7X!;4s&|7ysTK351X5
z&UrJE6Aw=g@OlARZ1Lo9HwcKW_ukq{o3?YRJfd8rq>jg9lA|szDcMv7nZKy1-!@|^
zWK2fZh}!8TTZqN9ea>^t`eD@w@o?9gO97@<72*Z6C}90}18_9dC5}r8mPvdewTH_}
zSb%Bm8LpHggeX%)4i47eR-Bu*-Ag;PnMb+P^`_;8o{tg!q}U*!59&-rlYNuNsO?~H
zZ|~^H{5K!=?zsZC0>VrM3JOYPq)=@=$5}WJSRDTyKlO{mZS*%0*k?J1MpjY`bM6Er
zL}Zm^&#XIdW-*>wl<}IaYFmp@lemAg);ceHKf4y7**?{qVEpDO9mx<^hlDiq@?3vE
zQ7X7!CatZlCT0$YMIB%ZHe^xuL^ru?3QAqvY41)}YJ2Mku!adaZaF}HpT(LpjWPsW
zQWW#&F{YrRqL!7Hi{~yRp|iZho>{1r?aftqZ<T^pR&U-DkQAnH?DEPCEfFuJ>kD?B
zxRk&AObb6RVFxU7+c;JvV-_{qG#ukYP=VodUbK-8`V-Z9UtTQ3pXicdqDVFa#zlCp
zzn}fn76hCTaeie|<s#PaAL7aoLB>-mj}m9^=cWz9C$^_;7vo>xpcUD*UcGOh{;4nK
zb^7{DLMg^vq8{x+(KqJr)#sD(aHd^ciC9dgB1ctKRaQ1Od3pKK4}au?VL>H+2+OFt
z_|IlT=a8~>aBFxl{=aKY7xYCeV*FWRB>%85GjKegL8{qX3b$V#;mj(_MS+be>-9Fq
zJ>E>F#WHXlE->>u?5`O`BN8aU9Q*j)1SW*w3St#OAiBunVpeYM%BCh^UTr!K{K<&2
z{EL5P5~Hr}$bV$V5JJDqqyMMOsbKuUb-6lAc<MbnIQS+g#9bQkC_Dl+R3OQliRDb`
z_qzGW<d3oGXi9?Rp*rGKx4Z#C$6%0#C_H_o;QZWq)fwL=zy<Z6i`ismW*T6bxwVU{
zv9XaJJYIhFc4K-}vE_4>Z%SYj6!)cb0<IIXRlI$41T{DzIw3*h)2BRp80P;1g?b)5
zZ^VbopP~c#&Uop70T6<&riYvL^kxYAM{Li!emFeF=UZ$WN#G?iBS=+UU}k>4v91o4
z;lUq7NB-{!s-Ui@9bH~KvyPjW-|u)CCjM?bKf?LbCi#7C?(6L>OAe!7mjo2IV{mYA
zXh;dLXC^tpr$ULC8Mr-VcFD_`k$<LIJhg8&MgzBpGh4iFU03gdUDqG^_jlP8A)826
zAiU^(YH%1XC8eFIX&2TiUf}=sHikmQ)`rA(SUg<NSUuMJX8S)E5~?awV`HG-HDmL@
zr|o+=5D;8XXz}s)$RW0zN-3W~SWI&7K72?lEd1=?P;P&-90SXf1g=U7kwBl>W!5FE
z$M`daELdAtH=1mL@A6n*3DP5ZnI!7x`o~fb<ig9eslFhax1#SWw@)|!jk^VY)-^2R
z*=V;!T?xx3HdS53N8(ONNiqHO3AKO@u3O8l&jxwr?iX|vj|}9;4L$p_m&<9c*QGYM
z^olPD*&SmlMj@0}k@)kYAw%`t3^i8cb8g$nrBFF#sE78A@a@gp@9@rJJSMIJj8hEZ
zT4c((49<?JoY85;7MnTizN0u{Jz+#>5fzc1guv<d1{S$f98rner>#)ZCyK#;;-)Dm
zqni1Bme8woYb=`=M!8s6<m-ZNm^2|dqUB3Mj}I-1e>Ts|?KPA5@yQ=J#r|r1-t7oL
znVmjb7^*wl-wp4=3irDiwH&W##=)n!eH3mI7YVdW<IOss2VoN`bBR$CrMFH?*Q;BB
zXJ=>Y>+8`NP#66{;2l~7l$ZKPdnoedh*Ig9JmWbIcpa_>ih6o_JS#<x_%59+hsR4-
zDvy#rtZc~I7g2&cT^S8t!opXomVG5Gnn2m$d3HL<?a;HWm^L|3Hv6}m9-iM+^EIrY
z$i>N|pi9X})JTuhJ;fwm;jIQp6!-G-vK>vL0La({(Xxh*Cf%MDFtXoX$>!P=bZBHW
zx^@^0E>zp7E7d~<<8W|SDG_F+kfnyx1O~H>0!`1%WLq0LZ}P3Ybno>3j1M=sa&GHY
zPZ@0!y0i$F-M&k<Bf>yVI*xo%7zKq!L{wE&;40xX09E0LhE9!T<eIDkMDLO;l!DjH
z_#XM?Ae-l@dlM9EO*I*K(MxxG9dDU|RT+ydR1Wr-?eTe7$nIYocRwLbPnWQKr$oon
z3UYz7a6tpalYoa3M%4G$>KtIef|65G3h(@~Mu_qlB{UseU5W2|oVmDVyC;RLSIU+}
zf2x_UWVbOpCnUpEbA3iV9zG$05=cnXaY%e;XeeOlf5Tn%t4lxUb_18&^An{q6jsNY
zQTeHC((rGjEi8kmX@H$s)&&B3_^GI<`1blGU5=v+B&bwXM+g0cR<D=PNfoRO=ub1J
zl!VJs{oT8F^$d1>QJ?S=z7gE6&8|mO%BrZ#srR0gji^wzDYbTZt#{l<&&?`Xj=@iO
zbmuu+zc_+637JK-XeMAq>L}pV$LYR4=ptL#$VXrwEN-uw=6hoXE__++_!`S_=~n-a
zoZ9mB?z3y}RV~NYh42mgrIeXp1<~k73r*-?I_a;p!68zVP}I}VK=@T=d5e&Di68kw
znQzB(NVM?&sw7mE#Thlr7pPR7i4J$1kX~rAIn2%eIQlaDXCnB=hKR{`J#hIC`GtCi
z!YiY;!ekjnW-eNuL`vK}Csunmi4?eT(?=gaQr@lb1_R7%m+a}~#z%-cT^q@@mxu;_
zvu1o;TwGvapnbrIDR6#U8rSps7h!@K2%0Inm!C(nSL2yn-yD*}{!3_+RE>e0xZe8)
z1j6sZ4ihEwJb%ZJ&ZGqmgC60(ak-oL`jX^wchu{CtooHN^;qCr3V$7S{N@iJW)mwb
zt5w9Dbs%&seuw1_<I7k$ZUx{EeQeOJva)+k)@+=|!pt?Zy)oJWMydxR1v5l<y@NnP
zB%;YtG0sFt&ZFT0?hfB>a|s91%}<-d!~?(5puBWjZsKki%UdvvG}VU~ovT51cX!Rq
z%;bDWWh}4(^V<IAdtTq<u!MKzl;zu=!}4AANmP3L#E*Boak`q^CfBQ@A?+}%U}<v9
z=wmU@puf>@;q?v#<GTf)?-5xeRkC;;^orjjGJ5B07}~|Oc(hDX)YVCS)YSF$Dej~~
zj(73??Q*i?L_BV{a{L6Djo{Pd!q%=I(ArS!44UumKL5VPE94Si<qGM@MWBhvMTz>l
zA8xt~p>A6`frJ>}xq3yB2%hI+i=i+4q1>e$K(dO*i8vi)0p~bYR8=X+%Dz&vLR3>z
zyZaK9iqq8G?v_gBOu)xid-IY6n)1F}Dr2ZkrDC7H{U|yDYOI+g6NTxOoTYh}y`y(p
zsO3wG+aX4R=gi8?$^4p%-aTuDmN}8L)g6<9*k0=CZ6N9t_mKF=$VgT{T{uDHz4Ihq
zQ}g))ZUeehz)hj7T8Dp!uMn9RM1dD-+J?T(q}EqY`GfXq@tZtke-HOF8d@|uhCGE>
zeY__-`<2DQHxpJgY6w~m1P*KWMk;Mz*<`Y;C4n(Oi;5(#Ebxjx9AA#z%I{Egb#?V8
z3P~vCJ|>qk3zR22?=!DwzP>wT%w}|T35)A7MnBw4Y;kuuxZBJ-PVO9G6mN&czJ@80
zg^Lp7N4E8=ft+DcJ54YZ;hZ2`B@2SNpd$SLoLfp?e+h_2k!eIqnVUGN=}h!Qba*%p
z4W>V)+TUs*`?`TXfEpX5jCabtYMrQxZnbB(W0mQ_WRk$M<-(%cSELcHU~MFHz~$bl
zfgLjh=jWShkhe>xsZ<BlCM_9A@b&ifrM~IHa;z}e2e}AJ1McScRiV>Vi4$(=&o{@7
zxp}at!)=-q>DSytAH8+%uDUAC-E5Zx-PWY!6jES)TaIlc{d%zPJ4LYLLQZaOwdIR_
zmSEl-OC&pv=GLH^xXesZ*9G_9&u!@Dvp;(a-tF;OFy3}!wF)sqKuLL_$!SU4nIazO
znnw2J^;$Giu$CPdOhuqg`N|!&;Kz&qlf<07xA)yI@xWHAdEc;cC9Vv(@S9AmF8^in
ze0&XGK$xUH<BVJOa0`YhMtc0o_k{SSHZ~>4bOai~8_FTrHuhyJwEnTNxKlJ=t%%#h
z(23rB3N5>^n=1X7mX_8(_xbbZVrsekKyx!QblpefdprgukkTFLRP^L?+XF}c+JI(K
z{Chooap>!+cmQp63eN<tI-`dJ%`DCOt_oQn^WM7{JwOtyu&JF`7#SH^ditkDmLH<D
zeu7R;PE%i$`l?ZH{Ow`F+0SipAcn7O@s8Hl$APL%c3EBU3aEzrCoz#bSyzKlaVSV}
zIM7};eSs>_Bk_}}pF7C{f!c!nSgP@oek;*Oueqa>71q-0D+mf1gT``bnUwWly_Gfx
zX#|HHhf!aSx5=i1%f!v0?ccSl>R$1GI?!Q!UPi%FhAEgLoDFrfBEOWH>ed+{s769=
zV?Nfa!Hoan8C3$xbx@WPn_eM!hCj)-V=jhN`;4bUpCU8LNMO}SwHPI^GV4`;Ak>$g
z3GjI~&plU8+!a$vV5ze`%D8Hw4K%la6!PFuP}j1ExpV8~GO=%1?T%LmheG5Yy)+tM
zIP>#)aR7xc5)4wtWJ*)9E}qTgvL0VWurAhq>F>+KiPpyHluaQ)+TW}7sf=rMC9!9U
zlEzR0vumoKWT)qidk|Z)31?XS!V5jW{7`0ej%Ow>A_9FCVE(?Cz4yuPpTyqI?Vy+r
zCt|CDAQvD)!XI~-dLI8y)yK%Zw_@ZG_%@MAY7z1QBAQk}!gp<~K&gf;Js<x?W9iR#
zC5nkjxX}R}cTf3WMOgq&R!~%|-gtjROiY}>jE=QZGc=Q$TVU<Pwqum$!eba-aV_Cj
zRs-Use}|wGP&T^q-Z0RK2BEYq(dY-x$1h%`&SgaUVwqj~!t}HJI0+jhv$SV;j9w7H
zxlS9JukhNw=10)nWDxjGQLhxTrlJIKM6rq=2@{0H!!B(yjVF%JBz3n%2Sb^ENBDTs
ztvTG}z(CQBul^vX`Uve54DFYw5qTR93=B{quR15Jt*y1Qk1(VsezB<o*A8()EwF2~
zw`tpW4~yB5Sdo)CwH!Jke<5$bN49?cD^Xl*3(EdWL{o5qA5%EI1jAkfl-BjZ9~poo
z>aDqWHQ539Zt~aAuaf2L)eUVdOTpi=m%T24sWn084y(S_4uS>1ZImRTYtX$1pY^xg
z#aW9A-VR5?r^2@&Jq>Ty$H1W0Ga9l+Qa)!Foq;8hE`YI!{W}!5_bf}l3D?W(c5F-)
zP(MAbx`6e%zN%_F@7ls;>U^<g9%GxE5Uv|X|G>bfVPpF>BYER|B0Y7YQ)cuFVxb!)
zOfIkyZXhZ{pD#f~ptNw(OH}UFZwHtgzMnjRJUW%0g~e*W?j$A-NLH#dH)y>!1j(V2
zu3&PJmHW7B?3Zc8lU(pelj%|;-{;0R-{^o?A<TmZ2333CP>q{iK!nAWeo`#?-tP?c
z-$j_$Dhs##@^fz&dED9SjpSv+6lGzq8(w<n;g72V)Kx`TqFHv<)&nUO3yO?@Z3H;Y
zJ6mVW(h8~j&nu$L{$jMSmp4{D|MCLBM`B@D@#F;5>5RI_jseIs%rknnpMJfa(V1bE
zA~d`wQz6_!XOLP+G&fACz(@a*c>Lm6iud>BQI3B>nK_!TVHl+p0g%UR$tWvR@>|%i
z(|;x5e^QATpptzk3GYghzGTRKz1J<}A!&m$DVlun?QL#)EX$Ku;8g^_0$&{7m2_OS
zFy<J3uN@9wYW75y&x!GLWXfag%BAYt^&LrPXKR@&_hk1%*ld3)|CCzRwbhk?va6(|
zq`JC#htJ4zG02#O!}>FND9R9?QZIs9yuE}A-~|-Fw4P@BAI;TF&&VpFN?oZfKTjaA
zJO#Wmbt9~$Sl6v>t9AQmNubN8GV->_&dV*+%!<V<TQ2aeT&R=}L<%z4TG;3}j;RE(
zlc&s0#MPK+{-tfgnx;sykkRa45jd=zK-r!I&;@2@-Rmbo<B!=>iWc=k3lq?GD-c`1
zIx4_FaCnQhI!)UG&Ny4^l~Z8q3x-(^SBVl{*M%#Gb?Z?A-FH0b>HiK?wo$Q2fz{}y
z?6xd8<x{dbCOa4z0mCMbXVJ?2MMe^S2feA<LeZ4q6B`WmbYM6zU43~~$nzIBqU&HM
z5cc72YP3w;<`TJ2=KXu*1(oWMV*!4Cb?0Pc8;MB(##14@@~Q-aa`O$=j1!fP0;VOp
zH@8P3!Um65jY#8LcOb!{&j+dg_bfWzR{UnOFfli~5ZHtLGUtGgKqe`kyGp5H<j7b0
z+%K>(?9wkW*>oUfoXN_0hD`l1cjxZE;_b^GM)F6<3bO*$PV%|$_g}^%CI6n7h`+b{
zfTj?m%5EYKgmnN?QpaS*1!y?eShaVZpSkGZOgX<(fYbzwluh@L(RBsEnJzy@b;X$x
zYZm|QwHvA05B(TCIY!dI8t5#{QrRyR-;08M?kCOfE^4Axn+=(g(KaXI<f*&N|K<iU
zhdTC&R8aMp-(6)ze2*X>TKXl|X8yacPwq5^H_~6Ml1gSb3+E|n1DwU1W0a!?7p0i-
zGA_KguE^{kf+mgfhlbcU4>4j@Wtd$5*|4DJug1^0cF3h^7y>U{4aPptjZikahM@^l
zX_j@rF}L7%WZX+SEHTq@lW0?qU-R#ijZx>gD&#cF%?=Xe7fIvWYwWHL#70%#E(Qq+
z3EkDxq>r%fmpSU{&da&I7^hb+0ZbMD%kp+`IHK1~w{k{qIk)}alQ<Q)xY7(%b~#F2
z{eMS+VxS*8%`e^Q=6-J$dP{mN8TURCC;%~rHWC=LOhUH_BBimw2l_U*gGpItCrNFx
zIQXhW+YvWtz72%@EauC0-}*gyiyrGEmhbB8>Hri5gW=ONN{I<wZ_(v)%qstgKe#k+
z-r#n{MKBnS{^wx%y*Jyuf#cgHBQwNxrAtPD{a8#dNu3@SITpfWRQCZT)r0W8-2KXG
zd(OqWBS{7BVtUvW`bdi*?SLC5gQBnBzjd)^2zQMvMVi@`=6@ZdcK8hmp5^G>Z7?rT
zrno-bf#5US$UwgH92{W}dvWX+(y9aisgV&8h@=%zf54Afzj*P2`7Hs#yWOuE{SR%w
zuG$H5kP#pK+Udo6CEvgQYG%vLNU|;B4_vZj-Shar?BcP(@$ChY4l8cb>|iG1;&KI|
z)M(%+vmyl<qe&S$yk8Qv4zCp7-N#q=%r*R(uI#=vx65#5775}I5g|9jwQiEK7_TYO
z{!95j`oX7rK<wLd1QeqR**N<4SyS)3lOFg0^O&-n9Qr5vqtdPhmp|yz3=>~g4)9yX
z5vfV96e$2tSV>UAB8cEN5TwoA8r@yQMzLINgI(Cka=uyri8}un$VRU2zez&GZxb-5
zw9LYp!xW$uSu?G&<McG|UoIc;vm0M47w}#T&%6b7jsJFOzMOaKn(tcT+g<TP_buAN
z5q0mMnyRs$r^|NB@|7o_?xxGAPyWV6*S1=Y@u*`vmqX)4Aho%&LiGV6ARwUOtR?V|
zI@b<kZ5+&&?I|4_{`FF^VXAWYS-Dczi^6w7W&NSwa^ssGYb~hr2Y}<v%=|88+ys1K
zvZP6&6yy>Qh1X{8)43h*XTsqvQFdqk*p}`tkFyFUp@OudWTW~vqqRH5ra70rcL-z4
zP6O3dRmD4~f>#~Cem%4E8ccoL6Oo3K;l8zyU|o-E&u@Gj^U5@{$Owp1=x=v$90RIm
zbWm*o@?RY*YdGniH!w2<PeCw+Nn57vH7EK850IiKq!ZBS$S^qxf>3y!NHjs}5RF0=
z2myf@Ced+!u>5E2ED%VTJqUJ4K*)}%kVY9J*u$`?tUoreh&Jxl9h@a(E;O%yBdfGe
zO0(M8+EzK^ru2SL$NlO=jl+~By~Or*Z_@5d&atuU{*1qLu(B`}4*)60AU6&g{%k?`
z)HF!7S5WAb7@5K;zbYYjj;S}>TAheg8l$@9%otUqGV!%Y{u+8ZD_H9rXO~1KT75Hv
z&#t0=nTt|OAyTJ*zM?bQ!GcYx?|sF2-_}vp{yJ+0aYA-e2mNhgyejhRHd5QmT+@Z!
zfenmVxh;#+E&{elu9ezlUzSaI4hd2KkJ?lL`V02=$FjvGiS4*i83uK0!X}lAQJ`~v
zJdwKZ63e*l|L|GVS=Z+Z@{$$D1Xv{q02u}rxbU?WjW8q_fa(HoT}e3)eqL}9#{!=U
zk-#D2W4gY}O8bw5rVT(SwU>B7NJ!W;Z!l?v<HF3ns#kM5yVLN~Vcbsa?pP9&WxZ`v
zN&~1c9*}CtIT3}aZ*7os=oq0^mB<lq?XR?^N_ont^iXNq!{vOzwB#UF13ufLCrhee
zkpu9LuJoMM_#bdP9dAB!K0mdEYAArt#36zGP=Z7C33x?B76%3t`W}S{x*J7o4o{P-
ztm*I^-i&v<>LgKmQV6@6%_N5r)%0;>E6Id_z^LNi{Mq>TFtu&DiBg?y_R>wGNEb)n
zBN*M=;}3wm4n>O?wL!tD-!+$?17$#;du&|niaF2;qx$<nG6g?B6@V~e;d7xZdvU{}
z285YgvF;z`Xz>%`A1$upKksiTU$w?KqEfEMDT}r>k`p=YT3ANCnO()3ZPG{+`_8dO
z&t<(m)VG9@til2$&F*R9y}y0S<5<mCY-fm{-MdpL{i6AiRkwyFUcl;g4OBz}Y`0Ii
z%aN>-PCy>O8BQnUGU7i$4_~*=IKW5;`Zuf6Z)+JA;XJWW^!|Z2yu4qt04JDF`6CRQ
zVQEj<Y7$-kH-vt@fbGpgOGoLwgI=`s2wKEKwm8CS>Qf()MoHV0QD-kCW*oO5qaxkE
zA1mM&&0VKwDiLoFO;sl|vv$SO<ZzyeCQum)-oO2l42vRnJQx{rpW5IuhN@}+p-fWU
z<Dq~tTJh4rXL06WqeN~!)mu^lf_5F<J*c~}v(vkzz{CmmIsIKA9qR<b;GjLY#WL&g
z&GO|uY_NDdlzahxYrCLTM=!xb4c1Uwd#oQ^0o<N3`Zvrz`YA)G#AYWN+6A67eyVe%
z?t3|^b~82|Y%(4#Y^*bUHBb?p|Kadk;O*t15y7jnKa}7?Rv-nYsG^nt3$Rt#ERI?a
z7tW6XphYRXdDqP~eJHhMae8blwmC)B5PCE0_pnZwLg6kfy)<xT<&^t<P}5e3YASl*
zV*?ruDKRnHw3G#19^4WoYgihIX4(eXh`xp;`d~RQhO_?BBK3zGQC#AAwy17dJ8|{g
zjKliH7NV~#xcmtAfi-!m#swp~#Ohohf^qQG?T=858@<;?(Y<>yqXL9IY&r)X$am^f
zx?m2SBXYZ5A7*YXVpUULY;ZxrCVz#KMdKwb!EsSV;-5{;i*XX(GFsY<#v}(o>l!rf
z!W6!2UKiw4{T|hvIOsHH^sYsCcR|Qr>~VN*R0d!G732mG_ukKaAR%k3pr4W){~^o0
z-E1w!8@d)g`=PSt!we&HGOem;B*2OkHj{P(Qb&~n%aP9QCiUN7jN2Qe21GnX=P+so
z2r@D<1_2ud@7`Y@2%q<wBXeZ#pKo@lyjd0Ym0DsL$ix;R#_@}9RO2rtp<{l>A<S-R
z;@U&MOr<5u0?*0#8Y=rfFI6a7bZ9NKd5z(vrVIG)k@bFFeT|YpCSG781DQC%IogrT
z3@q`~PIg)Is;5W3Wuz=FA9$&Q>koT>&R3gqfMfr_4hok3eU*8e1Y2R?0>8B}QQc)X
zP=aus$hvZy`7IB9T3_PScUA(=lKVEd4xVo<yUch}DOwYR$LXrXnJwRQ^?YtNXZ<I@
zU2Xu?0+O|uIM!NXsoBnR8c!a?7vLO}XbTg6Iqb=GTkbmBj5vy{29ED=9I>Rt!PJ{W
z$2F{^cT;z!b|cwK@eVXbtV+C4fEx-G_iESuEa1LzJ~@QKu@ne9W+YzrW3iO9e*ddl
z7y?c?-!s_l@&@DM<0m!s^e@*b&Sy5?urBYl-fBgCnscoo6Eym!#n2CJMQC`O>8SIW
zu0CANd__#^!Ij5&5CY22%C^_8S$GAGh%jGi@C+%pM6;1WRgzHQE?@La?gG(?JbzVS
z+BBF=LG_){bwq%*+PIC!A12|g1w#<=BNZ(Jb9X4R5ZGs+BU*uyq$a=CR%DcqTK;_Z
zkf6ti9&HS`b6-s-F#g4Q*~$JsBU32Tp2b2~?@Zi}sYd5L<IAojgUBnJwbPR4R<5TX
zU;NyUsG~__3t=~zG9Ya#)5_r3tN!z;#iE&zV~x3=UZ3Yb0w%pmNW90?n+YXP>p2*~
zE6GyfehNBi@v$N(Fu-s}Dm1JH)BS(E{MRW$NLp3khF#g#dJaW9{{pYOI$RhjG4aBv
zRFb~5Av{O|5d7k7jn8*3%^60r)S746jKa|O>W~giWP9jogERIjXwvR<L5_n<zZBMP
zqSkJ#bRa~;b)X!A^|8UvZme+1yt<r7)E^#)!^3&~xnyp+`e>}s%WgiUzxI~FU0R<Y
zvT~a1Kjuq$+&_@v&(aUXdQ{ZQP}vz&CF3|!S7dvkzj+~xW@SJ@Cg_P=+8+Od@$%zD
z)8`r+-P$jSojjGUCs_u*knN-;0t(&f(7_@AvSqXj{*Z6f+#nRyDP^`L331=RO+4WM
z8?hHK4xhQ<C_y?11!w2xD*jf!&SPYzrGLwR!y|U1pyI4!I8h%6*-rm^nq+gT)i7$Z
zo{6)Zo0QjMO35ULLIvJM0MK)Q-TIo|*E~q|iAFFifQe_9#A;=9Qm8o0$Z4uW(3A@g
z@Y>2L^O$>rsvs9(=d7NZNgG|h$9`YjIb(72elx{J7t30kMFZo?JVYzj#_QmkPLn^e
zTZ1jtDS|?K@2P2nq}f$L)!TYl7;5o@V{E*<y!-dXsP&-g$C>LdCWLp<eepK8h=lK6
zgFg%8F)ku|a@OvkX~@(MQVH3U85z9EQJ27W!nF=s3;TGAFJjHEt0gyMgG}8e7fm!}
z(h0&}+cv)cqg*cTl?;msy|-mdrefZKa=%PcWZ81FFvrwP_`&ttFw#g^+NRh4W4|;e
z`6o-uy`!V$Dvy4jQ3mRqt9fj#JQhn$9bOEziBIN7a>Gjrnve?fMmNO&7$NgMZy=D^
zm(h^q1!+Jyaf;|%g()<dxxB<77M+=m(KYb^%T#Nyuih#ysj+CLQt;|2m~=VOqhswk
z>0-+}%vO5{2ufoe64oy(R%LZL&0AXRSL$S~IV{G`8asgl-$Dx|&IFoz9Hu5tX1+Tu
z^RL-~Oib1}QmX`#(|v^-;i}*^1-(z|PaMS39>4+>0__kR14>z(5esk#&40pgz89l?
zn)uY0ME<ODt3N=Fh~ZdN<!D?>9F%VM<Ayh|Av_Nj+u_mDn6AQGqQ%L^G$GGZNgv5&
zeRpAeD{Fku`t8=uI5Ake=Z$7cQoWovP_yi_?`tH2oxZofkBW+l?Xi6S{=MstErt83
zcRqB^^^|~+(K5%cm=&yWFjswIODRmo3WkK_4)u{1*ys~o-X66QmVO<PlYs~#@V?xq
zWdIT-M$b!J+D`h}Qek0F=z^DuC!k4EJ}&if8)TQHf2~{i9){*e6pO`vO!K>hTU~TB
z=JOn4X&6y*2K<Uu20ZTU+ssv9bE8P3CR2^r!5>=^w3nA-4}#(vk)9R?=d!!dfJ7;P
zj`6)(MQNHJHybFDfk5*gS0F@}(P9rc|2@yM#zCqLL|t`eh9IB(An6a>IfLYKQA$BR
zXPutR=pQ<j90Letm12Qhaf6d1@tV84_O0z<ZGYGwqt*N7y={uc7F#WBj83G3S7|JC
zTDi#rJTc^?1g?h@qjPgQiT4d!-4hee?RWX&+m$S;6I<)kVBkns-l9tf!=gXPL5}Kr
z5Uv9Jev0Ll$GdF=Ox=uD<w-Odh|bFg+f60M*b|Dnv%XUGAmoA07JFO`P#zMv+!YMK
z$a{SD{2QI?C+82CdclS7AdeVFM+xv0U&>K2c8gjIF~?pLygt@Y%l70pYEj*;twhpd
zu83N7lau-SnIZ!_(0j*^Kr|viK?&&|)R|#37#4ESP=%1Laf8>192;yG8`>G<^A*#0
z-8){sjC>&(<p4#Gl+|EeLZNB7E22Q&Uv6!+M+&NufR3pi^X&pW;geQ@2)+4g?l?}C
zfxD{yXT}Vga&e^L2e9<}6(-=~B<Lr8PYtZVou6_9T^x0uxXsUEg+S92hj7z^gRX3Y
zVVs06lTfg$mX`JNQNw(rCOQ(}nuaq(kOr^4U&UKI9<8pd<mTku;j-w2eY^$ZS066#
z3V2q;#VPRZ_9RD=@_kjeoPJm^z0C}r0R^u&`3#$z8rW7_O-H$6TZrW`me7cZWMud^
z8U{P%o3A*AM05xq<EXuIbEo(LSCI%~E?OvdyZAG<C^2ov4d*KRTv<`!I9n#w0Mp8T
z9ezj-c(?8C7A0$f7u;>iWfSJrq6urv#XJ$US|tK&<?d4x4&B||3HtFe1S*gmbZK&A
z;ya!(SG99GMoWze{KVi}JY83=q|L;yWI)Hf*!?-)dxVU})PtGkBZ~#u`hWuGy@iCx
zkw!PW(>SGf(6QHR>+2|3BzGU@FE=y&SqRjHaj?(uYLBAG5&gA`W7_o;VBN8ft>VQP
zR-K+dwu$S|0~O06BM0|3&-lR^s7Z-zKeno@r<^BNM5$ZYjVra*t`AuV6*u)<_OpNN
z=oLc-7>fogkX(Tt984GMy45CR#k3S`Qa;P;niEoYvni8u_O1saiOGvLlz^j{FaB-Q
zc=Yr22V3ASI(amLU&dO=B7Zut#p27IX{w&9#((%?py`?>&IAb7NLr8+yPTr*`R8&D
z7<1%~4e~CjNpN{(W!h&xaX7pW*RRv(GJe#+2eLgaDt6QO6F;pVDO`XpElhe;shB0=
zZ<1hz%YmM{(v|pxr=a+U4+K&GJr&u2{!#(mycb)aLH%a8AnVO0=fhdnBM}M7Tf0%m
zow8S`B*{_*_O8V4(DQX%G&Z0N=|V(A1S%b4+u4xYJsG(f5#(1j>sT(h<M>sb2Yqp>
zoKFmDxxqf7!0xgQ@(;v2SzB($oiJ1_xhd8Z?zXbu(;^LS_8(hStUrL;pzZEhMUg#I
z!D0_1g8+mlZ5KSSeby5}Y+`BIH>nY8NbpZ6QTL-@8HfhLyxMYJp%KslU@DA2XyjHO
zDdLuupjbvCWQM&;qKXUTtWSWal=(^#!JX#ip{a-Pr{UkI*t3<svjb5Fy0w7j+6KyV
ze20vkx&o?$&dAj9A2YB5QFM&vOO(Cb#>dA`*6R}dkq<~muw@{r-><UfG5Z{m*#lJ3
zB-Sv40?=&gpb3h}8oR;aIK>v{l;h>9f(V+5Qh?*$U0}Klz5OkNU0-1rvL5r02xtPO
z0k^JiS=;(KLGkPKTA6Fa1BYZz+r08}F7hhb9mG7w!RLIvzG>oci^owOqR@l7K=@4N
zyANVHaUa{@W1*S;@<M_W=nvK*`ByFTO6XYGF+!!J1fg|%ZsqkvV(GOiDTrRI=|baE
zz>q^%uqay45Mbhn9;W6iQ+6XNiSw8eV7+ghKJ!6JRod9{`Ca3pzN!Gy0pNV?)8g<H
zV3I^lZT#gA@=in=&6Og^l#j%HZK$iUJ=bP$!bQJ1(9{piERdv*u*pF7=zaj+=3gfM
zNpmbPvJPGLe4buO)0&H^t+K(n_6agvt>i!p7WX#>I>{T8Hp_pJGkx>Yz>gps(#?M7
zYMVS?`capZlvI%C>j)U6sqTAO-Ksh8(Cqj3@F3O2a@z6^E-qAK3nND*+f}vWW+XTy
zr7u-qE6p)K9d6F}bUhTdXg0C{W60Q0uLcATvz#sKrrzA4NI*3CdbZV%KU{L=sjZ_0
z%xm}~1RcUcVX?UZx6ZeR<EfO+R^v0aJJ^@JA~l11eARxp6gDp{eePDXMYsMQF1%vb
zVe_Z(JselQu|e)?Z!t195M6~-xl1&TRiNd}V_K2|We8)zfFJM&(*#`0j5wG?hi?tK
z$(#*1jdz{_odgXZP;>tD7QkzN8Yn*c#6UWRr-z8ry%w5x;>{s_OCi4xv7?R{Bixum
z9UInex7)vEkWT(+HXX!Wbt=O9Kl*_G2o0o$is9D8AJB(3iR)%aF>NLu&1#DG6iuaS
zi6@kf|DvmNJ^Y3AU>)J;vB{1a!tH;0Bmm99ciOJ4q+ts#F;vbZ0-%fi-MAr}h;AL1
zKA|=i(ME%0o=53|W+a%Lqe)_4w7u{)SH9-$&w}|VkZ2{z7dDCh4<$gdU$*_ODjAGp
z`;+_yeh#NZpcDQJfpVwJGTQlR&Cft0F)OP?%fQwHFf=nW?uYwK4sAlp<ntx(IA!Xl
z^>!VSxnEf^{Vfed%*pL7f-``F7w6y3H+y@Z)CWd$Ad1w3PB$EhC@2ktPx(b~U=m=u
zs)_RICpH0P@czDlK<zy?j;MihTg@|F%Ky>^;r9NK{PJze3KI6XESWQ+BEl82kgNpK
z(Rs`<;<^S22M4YV{~NRKi<A&?p-xQo&zu3tF;bNtlL`?Ent!R!v9<9hD@}exUUnGK
zB=7D{_QqO`(xsHUd#5^Jio_69#v4W(?0>)OO{k~F`inJqSFN^=kMSKXWQ3!vOS^Um
z&5;CX(*lB8MJ{!nY-x<Ke@fl0fGjq^A(Y3Z@9Y?TM0~VTQc@cEy@A#mLb>3&m)sc9
z=G4)=C1bYz{&pxsu-AQBJYYoNlj_7Cl3GbawXttNVkW>=y54r46@xZrOK9u%ekY)6
z?Tr#I!{VE<acl6U1j;4$Zd%a3URY%)L0@6z5w2iQ{*O1HS+_xcRW1P~#@JhnT8qo{
zxuXR*4Jhv%Q0cGujR3<vus4t8x7}~Um4X`cDV&lhgjw4A^?9BPZ9k0tOloo?r$t?a
zIf55kd@s^C#G1()w}0p3_-EPDi3|&zt=Zm$dl4emI}tSC>M)BOLyD3N-6+uuQF|6>
zFpkL64{MLNKPc{@^^7?H;6dZy%DD#%vj~DF>sg|W@iH&<Q~9+l{M#{B4e&8@)qFV|
zzb>MI)^~sg0RZ&52(kwA+r0_KztDhS0ReKyEN-I(d!nczFPihrKKzUAt2SOAL70rE
z=UdzhygT(&uU*r&YE5k07S<;HR5xvlLaWhe4hklvGe37@H=`!`htWxEgJp7qdE1f}
zM>l;oG9|v>y}dC2u#Ars3>x5Z8G17cm6J>Vi&z2JOQKAxI3&1Lthl&X^x<kf%S)I2
z(dzP*-}VIjBdpE%mA>Cs_qpMU+d(bxlavk$Z~-V_;pgLZ5Amzg09<D7OOFrGU&_JL
z24W3oH?oI+dj3)|YoRYO*Hb)hIBK2D-Y>MYER1yhePO<Ql2&G-^Eax51WkJ4Ezn_%
zj773g47LI?xe}gz-a6xqSncYr^~Rb5zr*op;FlkMX?*+k4d_dZiODfi+pz@hmRHSB
zDArt5eLta+#Ae?2Ml9SQSJg0B)5qx=yCs~pSKb&dA{5M?DSr6Ao@%OBmtE_8!xZhR
zoKxYAyTi70IRnPGHx#tCgudi1GY_SYdDcHiFD$2<Ja^OWRmlATM+)GCv%|kM-oS@}
zXh8Em3dU{!LqJ<w`wCG)240GZiD@|jH!?AiMA?5e87T)cwXzW~?Zxie#uBZ^J=r%~
z3l}msAkdS%KQBH1eOvo;shQQ|jE6FK0<fUWMbQ&6F!?eBr;?h(o45d;HP7d)b6Q}p
zQW7$}-4DdOgdo7BW%$d-WB4$K?#a?YEyvG)Afy$r{DjkW%%9)pG~27NeFZX~HhmwI
zrvOPu<B80EAE|(YNG(SPy(zks-WC6ousphbX3l3LTKW^1Y@40U2U^(PESag$8U2fY
zF}B<?IEWDTG0?^N>b+-{pEvtRA^)I3N(WtqNA8-YjxpnE-5lb=Gs$0g6$@r68b&}Z
z_iC3n5K$aQHRd~f;2iHl^rr`n^?2_1QXiRf=7GTL^&?-(hwaCpbxRZv(^_Kdh0doa
zTg2>~CJqdH&VKt2uQXR8<%MV9t*Sfssg?ay&QWu7^6obG!0caGs(l|R=gMpuQ4AQQ
zgwkbr1`j=h<`Jh;zv%z{{mThr7putuEZuv~*^eqRzx|%)HQp9%?BB9k{ap#|GJCl<
zg&U>o0!(*B6A7R@>a10%t#aFM4ti>e#YKGt`bozIy@0vX4Ona+a{h3_muqa?+71y;
zoXQEc6b_pHme7U+(Gio>!t!ta_9I1KfJ^)jz=at653Eftg}ui?%z2i;ShPERfmKQd
zA*w|>G)j!UHzRYyp4oJd9y}#-wK8wb@6dU;lSEm~P7NO3&JFnH2&fh1VixE?+@~#g
zno<2jg{l#w`xThC!6be|3$$hNi{p5T(?LlD%Km0a3jPutP{mf>_l@79!%3LXB|&cq
zHl~Z8wuo2Z`{?yJb0a^k$PyfAiB1tcUD_=Bv*oejELaE6MbP}F2|s2WsEwRU>2k0J
z`f-%*(h}Kpzvt)YJcr~AK6fcc0wz%5QV^7;zp380rutWJa`JI&CBZoO=|L5;F@DQL
z`YQ!EC~dncw*_Umdo}YMgnX%fI%k3A%2}u=8r=D>flv!v3V^X*FBtMqCt!EX=C((>
zpbm!}YvsOwIraW`@aAvTpeW!zmev2fo$dMD$k3*GEv-q|X^j)gY(%Pu#D+$JS1YL$
zT%NX4_ISPfC1XYFtimowMWTdcX{@5M++NB>6_}&j-+v+S8xWjEFrWy4rglbV&#?s{
z7fQ-j*8?3*&FR?KSVw#$PQps9G%DwCIS`UBrJ3n;>w(Y19pGzXV&17klwN3x%X5(;
z+VnCxn(EJt0lxZio8jlEb|cF2-0V^J6vfvIF~v~f*JMf}|AQ#$0cJ3iU$K^$mL~!Z
zqhf$tJltIa{bo`OK%=r4v*tu)f%4w;_4!0p`QN}T2??BpY*@gLzJQu{N{pFTXGcgw
z4_R54nDqyj{ew1%^2KQvZ>?C!<X-~As-GV)7ydtXD2R|W!U=;0xEnG}U7nn*R?!wQ
z*5qPivFHK=YY~0;NQr}4TxC{xJKIY+DeyQ$8gU5H#~f=3Aq(~m=cASL#)mk7MSdJs
zp7#?xnkW%p)Zr^F+HApvnXgy^wK3ozhCViq64yy3{9=N7$eiPdmNTQrVV>gUH1_5(
zj#PgPXNwyEc;LE5KXhx_-kg-;=Pu&FJ2*D=n4P_M@NHNHOgL9iUx*hqM1}l+Xq`Hs
z65`6G$!NfXs0#qc_tj!Rh=V~TK6cTgNw|H}fM8=_wA^0)`PJ&#CdrsUMY|)HO_y~N
zuz#ya#Sm>&yNI$hH;e7tw{R*c7I(u!pnxZ80DgzPMIe%c9=T|S^W<qjfTxj4=wL#>
zz^moMmJ!ekpmHYE#@Eo%Y4DyMvm>1h*BSk@b!dbW%b7`oBfhyIs-hxXf7w!AE!|gC
zI<(&M^Kp`}o#Dp|KnU!MY&<~D)E?}8+og0t%9A&bi93f-z&K?lbTUJzl%5Fm?<}d*
z!=T~e<mBXOJT`AEBNY4U)kxE)>xXtJTl-G?E)5WM<|Zl4aMhJcn>noaU)2s+KW1g{
z4U=-4=koc=21zn1CY3Jo_yI&%7$6r5Qpr9;8yT77k7~sGWg<!tJ-|XqJ`;%V8k(C=
z1FiB%SZ5q&`a?c??yYt94#(GYD7bv3AFE7U#ahK0$<pU1T|OB6Wy*+YHGiyd-A%tv
z^BC7N`TjuuvDWsZ#>X_QqIcpn^tdiT0GR85C)qGamBTUujz$&v?hO`y0yzN~Wp=;f
zM87SgodM}O8bbgqa6C>(F4}l(I2S7tlC*!WU2n8bHXJmYDO-6-JLIgKd`Qp(!gqet
z1@x`8wTWLleO2juM`|fz9S!Uut0rk~P8f?PjuXU7Rmuo-R{;~k`SJ|d%73Mm(V>|j
zVRu!kB6wq0a5`)YC2#0L=xxt!UbALJ9&AX&-MyyFqI=8~C*gE?6aF)1?*BtcJD7lC
zQ4dxPpnFCql37_^;2;zckJQI2S#dD5K}|3De#buoDyXKlL7HZ0X=!O?^+UlW_S?5n
zAYtHYWF$W14SfFmdHW;|5S4T~9znqpJ=ygq={`LlD4JOl0Z8v+r>#U9+ZOc1KvPxj
ztX9K9G{Y(MJ+6+&Izk93g@qqis0-lZNZ`?FyZN8`;Wr8?Z%l!CfFi*uvUTTOTXDb(
zpazVX1wjJ@fSLGhPw5gtSFjxD!$e^KEI!~hLuPb!^;_NC7eLJMo33e2w%!;72uLEt
znq0su22fRz<-qn24sPcKiX$7CO+acBVRzDaTO5wg&YxH`o&{qt{U==y%7p0Y3EM94
z3l4;gh#^AT8RmceGSqOtY1sMU2!0Nx+ZL<1%5QBatn0vgqRhTi?gI3fN$U(6Fj$U>
z>xt&;$HwZrP-lun0XW}GY86m)&z}Xm-mf#5U9W$_Ucaf-@m^Lk`q%uvF3<#c?>KXT
zcmG`KPfoGm_czN8P6W}Pm?VaA82hHCTqh(76dk5PQF>6p%ts451sE`mV;rK?t13ed
z%)#75?<%GOMMjV)%^m|m1t`ZH6{K<7?->;m$Jb+^M(@bPO#L`|%rp*+smz4OBqf&U
zph%??jN^vy5Z5`!;^p+n+=Q`$cPL+gC*hC|I%>7+-h6lm;ZI_o&qc}LY)X)<u_It6
z5-wdszwp_maXjU~zQ)w@uRH@)Ai8)zf6!L2FpEBp=5<A3VPWmN^dfa4<2&$ual60*
zur%05FTCLBb}CeIiH0n#UezF96&enXVL+Z<V=pzpu3)g)b}rDm^A7ogO!+)!s_uDS
zTzaTw0PBCYc=t4dMngk0y^+Qo5dnn`vSij+W;8c9A6NGxpce|d?2XwVhgk;i|6AUm
z1T^YknwXf>;_+!DkpJd`$p41JX;Nn4t2=eb0dSDVeWyg?Yv)uF;D1OYCMGs2EvagJ
zf=rZFSx>9g)@Ih#Z(dzYePr8_@Ia&{@4EZ9m@o%+nch$mYY%mlZDKEE%wqZ5%)Ydk
z<}0lZp&<|e=oWMXEO8uM#`S;F&z%6~`=_R+C<?Xp-WSht2r_wff~x66)zl%+r%(Gd
zChq=UV{aK(<?@9MD;=T;8xRmssSQYX3$j5%V3X1zAkvc3Qc@z_B^!~H?(R+r>F(~1
zXSV16zR%a^eDinM_dWNTHM7>Nxvp!uhl4s{bL?yU)&}^j!b>pEB-u?%2fdgN){?tc
z4`<%c4@r|!>%hHuaT%3HzMl6!63LO)lX~n+lXFOjs}VHFj}}z?gwIV+lZON<W3SZy
z1`ZM3^0J4y&rHWX?4`zH|9Q@EW81tR?$atz1<F$RTSj2Is$qCiQXS8gx83_!ZM+Z?
z^v2RKa82xr7lc!-1J!|_By#n1cH-B+@P5X4G#o0L0KDOKUMjAM!F}LVm{<^Q`^~2f
zc21SA;E2d*$!ZXci5Y^-4wI#k(hWq9CCW0DM1gRItU84F8Ssu*c!2qtIPviQ+MX@)
zbr~I^bp$Z}HlwGt;h}HfDv4CC!)3u(-p_+m3*&wwyj$EgPyq`Rd>^XW_~fL#){5JF
zvkr@5)cVikPDB=J`~{FBaG)?<T3w}cgQ3CeHilZ7?;5Sx)1M(cP~_n3*kX~H-(l$m
zqY7B&oUr>FG0mEVEafy}rt~PVw|YBn`-{T=o)*=a1?>#XcmX>h<9!`p(?;kk@|cS1
zt|fG))&9jQeIvvV+%7khhV{K6H<v4xl866zAuIjx4Zh|ZJb=m0u&VcGomoSH1<I>M
zHOdw<c8gNSf`{SV4i5n~;CT=hVsdG_)_BoKOqd2nF9(0K#`5cp%p^OSAH+q12%Ux*
z=JCSbj|{k9uCv#5&si1Ho<v|JT<G>0XTO0r{I)MEFDFLM!|l~vIJK0;RFQ6wJReM_
z`;8$U4c&9BP{SY;M9d4(#{#~u;O2EGJ_W1)EZh^K9poKf3GOPSwN4j|vGg8`;T!)w
z-1}2ja_2QewBgGTw6p%+L%jPp;z_SkApPqu1>cA87EqC+UbQ!sr2OYi9N;$eC)8{`
z=pH-FS*QA}Au1E<s>`Q?8u+Xgupc<MEHuOA=hK+A)SY$>&5kXV9rMs84gF;UywVcX
zgr13+K1YE$x2Iq?#0;PZ5hO!o$IE0Oewo1xK~4wxrZhy{bG#U=uYsAo!|vw?X%@LW
zW=gA6LDDCITie>q62-?4pnrdy3<*XFIu!Dh0vHrc@<_1;6}0Cha`1o}e@;p`JT1&H
zQ*y|fFpU>0pXJ~x@1nyBV&nB*f*zJ0hnS}+0w6|l={Q8?9zwv09j4Xo1Y`<=v8>t;
z-lysztch)re_ACm167fOyY{aHz?9$)<UHNo-30Ye;Qc-fjKIp8WFOy$fD{ctY6i04
znwn<%`tz}$Sx(1LiTS>o2TK~j#NI@}mEb-YcquoT!tMvMDq3*}e5XerRx@Qur7be4
zK!!?=MrCZV{<hC!nvj^v^XfiIN8wk~D0tLV{L8KYhVCr)SWtC1O<<&@rEROUyb`^$
zz5I_y87nC8$L~+zCPpT-3w%wT*g0Gh{k@3^kD+(6f<@4U%HP&)e}r_WOV&380H8#C
z;|S8M>@)x;4*CLN$%h@fNr0ZH5j@7MRp$8VQ(B#$1h?0}>1V$z&t66k!xGQDn3Jk1
zErle01{aK>W@FQ}d-_W9k9!W1UeFSulSh-oVGir&eE>_$n!%x;{v}`-5CR7|Cmme?
zt{RXJ0aK%=r-zW`E&gSI5fRbTUD==)$KPy4x<Lt&q9$=qFyZszF13U+%u=CB)e54l
z0-(TVbnK#mCIepU2Jh)W-FJUY<c5uI#_G$UEDezZ19jlT*k{Mz4n@1c>Ap}!u^T-a
zYBtrCxB_nGiPPx-au8dcHQHe-3E)zxe`VM%)zaJik2MIuMj-cq68gQy_uXxQ5Jln}
z0oP>NuEYk&T3!`kydnUMCdN<AsYPf<SgSzf;V}&gu?HSc!I!*FrZJ)30ELe9xyA*X
zQ2@Ewm<{yxc%}jS1kmy>KBb`?f?u1dImD!4meSR5gIjo1^vnxaSJ#CgCOTHu0uP_B
zh8Pj-*d&Lsd^_8tPK|30oAU97^jAZqXlZ_IFm(T`;;qBLuYf^{7wr}WWPuE_8E|76
z(zE(H3S_aBqfTnUiZ5?2Q~Q>fI0fLpZPV1&2>G>_?-r&rYGA;@HkKL1r519s>eWQ6
zT=`m5-@tg6KuFCv47L6EG26%Ib>hS18SzDs(X_Y9F#vv+=-I|vExn=~KMp+?f24f=
z3wy{fC|}^rpD@4g>(s{&G(@`@7#M(zlJJ$5Yiml3Iy@}w_!ZpK;;{L=Ia>9eOf{gG
z(E-LJXUJh%WG+@RDy1QJq!BVXe>Nw@|Lj>~XJ=OWg~Acf&Vx5KwCRYX#eC^U5N`d`
zLzz9i(6TdfKJ8wX9K2+0*gDQWzF@015C;&qR$NYhN=o_>L}-0|eg4m_e}pj^RUr>(
zgqf)O6XR7q=m#HDOZ}c)d`?Hi?FU9(`t);v&WtwKu?|RUpttaLHS#GdS=k;?q;o9Z
z7IYj+7{x^NsE#D8=l&UPF|o~{hegN4h(Cd6+O=vUb_csueI1)2+|~;Zh6<<1BarI|
zoyxc}Xkcw>VuBP@_@D4t^BRT6A=F?x+0dSreg{%EnHWxlVl^N@K0flNdrhzYSQA}H
zLhur+PO6P+1*8`vstv5OAis|8$d5`C<#8tE;stAgP(*`K`PVq}yM>p(@cR6bV@LZO
zK+!-?igduN+w^Y;kjjl!nuikkE3m=%DeHQTr8_5XOJd0H25Vp+>^kL6mudl@Sy+GF
z8c=)<`?GSu@Fhl39tFk+0&4#t`N#?U`?qggY;2}8ZHTi<(wko|pO#GiUb7yaJiT5i
zVcm4Nbf8Hc=s;<P8B;Sc^|ZBR=(t9<zkMJzB_CV+$5|D2yqx0~{B#{S6K5DAVDpQM
zX!m|tdU`s@r=p{Y$iNEfrXuUm_Cw@=og>mjz%(=$xs!-kqYGA<%?Qv7R0Sa+h6sTl
zEmX!MOg$77@wti}jrhpHHYR`)gjkt>LMZt55j2LNtcU9@Ql$9_H<|8{zrM~z&oJvc
zs-K)!HQ=yj(!?X{!M4#=Fa_i@ng2agooWSW0j%bLBO-C0&BM3-5WBDM_7kTItQ&4$
zw`X11Gl2?}qwOf*wISC7?Y~d(@Q7MkTFR6wG9Uc$T)V9G;|CZ<v-RPY`rh=6@PkA$
zL-wMo%}!8r0zU+hV&u1z0@jYhs{zsOe@k7oK)C|oG9&U0gIo@-`)+Fd-nW0_E;-lW
z)H9{k?$j%5^GVkBi<JV7fCG5AIjEy6>E9yIIkM({JP&%Z?xn**(a^;zJ0}hYOn;B-
z^_4W#CT6YD1fIWe6?!wgDC|$gk-3VeL%<cckt2R}atV!%iNQca`}Tx?^GLv9p7ENl
zMIi}6DGaSk)ZsF3uPvw3S*|;)jlh1}uU*(25A10KK&C2~IU7>(RX7b@1G2i*NeG;y
zl(ji`;^xpT(@Ep)DE`e#-soeb$AA0xnzCEy5-+LkWci<~^CCM$P<5=1?b_<FpB)9c
z=dcjZPD&h%ix3z;3@GwsJydam3A<l2Zn@l6U)03N+f~_I#$+L^^jxP8$s-qDX9je=
zZUOs1fGyY%N4+-lp%8_a*@5b--*qZ1qxVjFoRbh3j>(Ew!_}&)Zvv4^SK@zvnYHN8
zs`K;=Mj<V>H01N=hkFsH)bHsE;cZ9B#}MvjH<Q#9)Ot%JA%Nfu(RpA4ZWoIvi@;}~
z0hIB-H<@m<k4}d?bcKs&wCb_+x_Ss6E#%|*$Gp8tWMJf662QrhW>WjO+FS;T`dsW5
zBGwahMIK$?38O$p3r>->8|3nC-+SdcJ5lymHDCX9N{oH-)DR}jfE}U)R)>^Njm_^`
z64WU6tW=j%QZ|$3JOHc??28}}sLF9s%Cw?z`_hA6;*0y(_q*~8kzeu09*%;5MncnP
z*x_rd*Y#GzhO^NnXK7iV+}Ap!k_`PuhUpdj6bP%HJhM~HKt6Y$@FluvR|b>?L9f2B
z0vtgC1}+6PH8jxC(6BPG#kI0`gBUCCgqE)BPH@kf<+_Gq+2TFVG{O`Xqn`IT<_Uhj
zUN7UeJDbGQnQc19RC^QHq}|4X0qyZK&oG+bFH%%7{lhH}2N?CimRj0sqYN=;%>Uo%
z&@e@c!j$Jk>dvlq$=KZjva=a>UeJ}sgDJ!cq-EZ?Tx96~&gm<7Y4ri(EZ{F!q`SIC
z9E~5o!RFADN##lBrs-@$lFwbSO})}wMuaZ!jX>+z#-o~QE#y~@0yvK+OsCT~?1Ux;
z1PJfa%FNCPkSBnhqcAcT95>gOb2cB`p6zUJ%gIer?K?EM3dhsZ*?NXju7bT##g1@N
z+Cg1qH~B+i>}Nj;J}(Rca+fh(BdNKJQlZ$DThF(%jvKwGFJHPPsJx)2&d{zbM+EFn
zyjP7{l5{em19Bxv;-Y{RI8hRs$~EaIAXwGi*B2t6pQ9EP6C)rXKt@JpHBouFdqNm-
zaB6QkQ_YPg>Dh`uDe0gN!TA;Z(J6U#ujtNFM|>Gw?#1+X5h&x)VtVcxWp_UGyDh6W
zlWZK~U8TH=N?w!WCA)ec%d_{2S$O1};mO)<O9x;lsl)UPe?m%jTV~V0!_=`i!^c3|
zpQ!d)C5+Ua5o;%{nrU-)C-Y_IV!;jfg!9C4!%!nlMS5rj_x9q38#<&-p9FQ8MY{%I
z>Uv36=ztjqf0_>x(D+_<9oe8{LeY}*8WSok2nB^GaH*$JiqQ&uld-=2mDEezqWw<-
zF_P|EgN?xEY@c%R^5jKj196|<pZ&F98;Ez7QcewGciN3H0qT)(6X!sFr{pH32V+xD
zb9}7A*5VO4q#8yz{0M?>T_j%$7sq=lLhR8@y~%j|N)sW7Vf;X_DrZ|lzo`p(+0z^=
zyUqc)ooZ@o!Y*+g6vFm*YB{x4HguO~a~3~%Z_b70F`HPeqkUqZyNUS<ft|#7?sIXI
zms2Y*HXe(Y?m<>+)bx=0V~`e}6B6a;0InoRadZGNw-j#0v;E*p%s2`B?SsS;dC0qc
zLcvay$fVxFCniP4Mqn7-)5VVjt3Y}TJGaG7_6A~oAoQc&y6(*h{FYn%j&Ztk#Ho_G
z^<gr5lUH53blG_Q>8K7I8r`4LsVnGomim575;OCC#L8s`Cga2qJ-Wr)>FMcSW)}|i
zE)Rc36<HesoR|6ehQg+eMtL#fK7HbqZARGOwcyT4ph~7fzeD1ce1GED>a0k5&eP*L
zbHhKgV`FMgp+5m+k_)`4f+I*H0+G*>P-z@E!^2f6Pqe!piDIX^mOn$r%l_0-(49(D
zT8=zI>;QSmH=>~USdbw3su%~ahydqw@hP1va3hKr&z`-qk!wXb|7E2Z=#f!&cC?!F
zJxF_{BSahp$rx7Ia@skXbP$?Bwbo@=CHS;|ygg+8m-Sdqp{mD4r9NE&XYfmKuq+@v
z+eB}Zp!&MT`HnYvU}ZAJ(0%RWk8IMlN!0F80~_KbP_i^^-A{|{Z(lJ^R@JlRP)>WL
z^6}hGrqYVS>%TYQ$>6)?TFeUGj$drWQhl0epm!`j;rPpq$&%DH`V+yo-#p%SZ>8FX
z8PfJJ9bXl4_Lc}G1ORcd^P3HAHG;s-|A&!-g9Fe7T#pOi1gx%oNFA1ANexcr8X6lP
zf9KCqq!9Gy<GK!El0~pyRlFlEYf^umV_Lw9t!C5iTPeCnx~m(A{5^!x{lw?AtlGGu
zpQMa_BpF6-zjKUI+aAZszm8yk;sw^YxMJtz)KvP9gP95@QF@&tX?{u(Q+-dMkCe<8
z;SD}!u!io7`{?xcR7{Q2(_TKkR$Aee`Xdfe2Tu}OTm(se^p@clZEU~AKvnfH!d!%+
zN>MsvT+3jKBStqRnERG_A0VJ<G+lji>A-}un^Z9Adw2u3v8nNK(~GmHpU~v5vt@Tp
zr&sZJgMtFv)1!8eV9F~&i(hhqfru)R22xeQ3Zg%@nS-Z=Y~q9-606$VMw>KJ-47eC
z<u9?;e#=m4CnmdC^+8ZK8i;U=?VdBA@j7*eJ^u_e<#cKsnJK{$OQT`CHP#E`E6@>p
zpRDu@#(+_0zF2tUF`W65FVS}Ia02t?WIFWWwF?{YX!ciX{6)g9+AF@&T>5m576O}$
zYM+Zds>JElv$3!B6651Tp0FQJZ;X4_kd!eyS!evV*S0YFpN!|E@3QqS;MTjlxee+&
zicL*VYwOAy$9Q3+^tb>$A*BZ{f4jYQ&aTF?GN#IJNEAqlO?T+O={yJn@$(xAs!`3A
zKJ}a6Da_8xAykJ?!qfTU6VxEZ%TK-1@cU6*QC_|~(egszMdAJ~t!01Tw~=_xZ6FO=
zy7LC7Yi>G_ke;KaP!s1z42tOwggCwVYt2HE$#v|94^4zWv(N$kw!s$tGL?)l1jJ{y
z49DQ=#$$Vy>9BJGH+wP{`rT8Tw(`jjZIXOraYI!|Z5xF`Q=d3$qz%!FzgDk6=I3NN
zRT7z7x+yV#P+mUi_CpFVc0tk`9-fwZw%hC)>p;7axrBlD^h<(*tC=Z7Lsb%D@XN<}
zddRytBf)!c{W6OQf*UqMrf5F(`(DG{a&**y5&XmHH^I1vXieae!wTWoKC4Di;8Zt;
zU&wE(8VNWFOVRk#nsl;>O9sEB>T|s8m49k75KX(ioCByPU@$q?xQ^?!CVipF$z`89
zAh(zY#A5Q~NovBCo-h(Z3g=3#iu|m*(uFrTU^w`X@=)h#c(7q&LZ2n*A#FRYuYGn1
zBt)5jfMkN#Y*{xj2)GFM9Tq^*<*5Od$Tu_)_x9ye|8#W|*DLghzEcZc1Y$DSlZ@!q
zRYwCGKWl*;+v?AV;uH=;<#46L7MKnz;}qvGSJlj=wGt8pjQO3Pl+yf7R7Q|t<LfYd
z6*RU$DRx*|)9FbOM=&Jg{<_YvXQ7wkd~=y1<f<OW@)VtDYwc%S^Y;e*KZ^p!*t!_H
z4|E9xt7Iaz*grqsYBPTVw0?FNegc#MxYYp0wh>`oFtGYMYveO*7SP?*l`V5irXR~s
zBL4>P4$iSJ88}tQWN3vJs|w*jRIVq6x#%95B4mxeF$IeIpZUp}STH(uD%E0w?-vK?
zat7A)3pDe;Je_vW?~UNyUS_OCo-r_ZjKD#KzR$if=XE4!87LifNZ4<UabK>7`#b*y
zGM@#R%-Vc<M^5Rlu>E+|g2?A-47RAo4<6rR^adIu?9Yo@n0`P@Cv?U5zU>@DK30k{
z9IR2JFvvFq$=yM7nf5#l<XxVLIQgleKOC9|z+lUam1clmKVFHYmrG^}&LvJF8l%KY
zSrimcpMKM-c({K8?H(BE5n`@CyPcWBJmchQ2q`Zu^@TxnS&?+{j{vAFwx?N!;n`4v
z`?uSH{S_3)L>$$`@NecTiL+Y<LPuLwBsQ)~)%GTh5jTtqV@*xn&kq82_t9=+XQzC~
z%G_WBgv6xI`RH&Wvbp4w>-US^(S05PfPWpe#3`uw`O}w3juCA6Pmc2+qf`dp2l4PT
zd*jXB^ghWSg2W6r@N9r{&pKVs@$$h4rr<|hh~p#x_;_DZjQi4cx_9DbY{w(329J~4
z<B9ZMJA<KH-1O^Jb6q&d>+*>I67c?8sN9QsZ0b!o#d?**2&MT!k%{!?$lOX)T8Z>7
zaS+qn{`|2W{NY71tRTc#n-R<4u6upG;j{g1DNro;{pp=5ZP20&&<sU}3+isnhUM+%
zGCGQyZddkK+^~y(4{AktiQ_ny0?FI4-{umg`kxjo>v~J*(f8&WT;p7sX${S%(~OHS
zV^pFM;0C+$N;4c`Pv-9NSEZ7vYI~l7$dduVH2=uck5xPO7u3x*dfkfv0XKi%24svm
zIF1kPSv|rsVx2YJ?q+HLXk|_B&7t%IO(LpF1P+nkfKPb%<Ff{7Fuvnu9a*Ltl|Y+C
zDv3v(P1+bvI4RKW040Vfim!|v{P-@|G|YQ`=A#r<^7#aUisCQL7=J46kdjyE)^)Rs
zo?R~aPq@TMInCBPUmRX6nSXd4;hp^b=&wo@^1AAv9G4yd=jFMTAe@n*p`ptWD=xAS
zr6}n5nB9L-Y%};Jy}C3d^f_5HiPGoTXPFwDnRA_To=Q>avCb#O%PYb3P6e4ieQRj^
zEe0`QfzgUzKzv+JLwNi6q&;Qxymb>QmY0X;B{SJB+<=`JfhlX7nNUKHA}^bS7{6G{
zBMdI0w^fg6efhF6g~?g%$F0|IHn7XolH{u@|4h<W-Sr|cgsVP}PD!!)2#8CAjU}0p
zDUg|=o?18E>)V?v%(MJoZ95{QyKXP+BV(Z89ytfPAVKP|HP)7s`?U7K0`7}tu{j9(
znGKIO+mE2)i#uf%H#Z?ICCJNm><5g71dI#}Vxm_(poqMYX_4*8{PlkP5gW-5e^=qr
z``2yVEZR)t3v_F3_eLRIk-3ZlisD?|Bue;cK$IanuxrTXc38^kgkvC;xZd;ZbR+#L
zR{1oO@<x!>Hun^YbLRw2GrF^i81y)P3m<>-iCB#OZ@YFWoPGg**obLw8`K=3ooGiu
zNWe?>irlV<W<G_5M?ORE(+25u+r0@t^W-zMApTcJUJhW*q<ZRRPNUMcB5a=frOpfu
zJ)Y{Asd3al`W@?hS~<UysGczpY^^KgNawP)0adqDjxxfAtqWZKf<lCo-oy#LBe%=g
zb|zHD{ktluAJqI(-rBTe>y%TGKdl7uDTlmQ6_oY-t7T4c|C+sqF#QCn?6(jtR-MDY
zKG)k3i`sR)iGMQ+WMp^e1R_)B<B7NOlY=<e*nSYm3=HzZKH)vfVcKZMSH+!7>V5XS
zoHx`tV25Vef@VWVDeB3%E;!~zpBa8pC341P09adwNcx#-kL;g(3aqG{b#4dCO*gqD
z3g@Z8XME%pQi4QntTm>2Ksby9SnXcQ7j=D-a;;DY84`@Czz&O6q1I(z`BPd#Wr%qp
zdsW+D3&jU7jh|VzUb))cEErjhe&*ay!Fw#6_3Az!Zhxx3U0FHm0IT*jcC<6kvUr4(
z3nG?>3CEKuYm-sK_w)xnxbYBqmH5_n4kNIindD_7b8mhN>m@`*KJPP%wrItZ;V1Yv
zhk;t(@L@&3I()W7O5=ybqMaV9m&X&4D0N-I5eTQf*(ed#{{A<$_8jwu#RV};K{8Nx
zm?tR95`%m&S;X4!8%h4C+%n_O!j-o2tAm!LzXd76o|;)#&gZ9nx#}6T&J!Ez@)Xrc
zwy!`C-mQ6_^z0a@R>IpFRdGr9UtxodP7O7@F047`%%Zl#k0!O_(O#|d$zt0uW;J=O
zM`t#4ul>YsL0tiJBM2eEN+!Eb3aX-7^DNrAcp#Y6g&77luU<7{-$|iY%+`8bAePhm
zS5A5&?&>}Dl#&u1_<4>j-n7S41GUNBdUD@eKz}a%e(ni^pth<ictBCuBE&(YYfZd(
zF1>lmdam}RyV_4CFo3SBvproAPq)3*Z1Oegf>hjLW*8hh11Lpe?f6v%={!(80<&Kf
zMxZ>B5qTAiTY{EZDZ(^%SPSMIY<<?cvBcALZd*#neZd{}a5&;@=GigO4oXAazpJwO
z{go91D*K!^JF6%2A=2h|yUa3#zx!%<3-lUX4$j5o9orA4V&6Ncz?}(5LTHbHYH^xu
zVeox3u%Q=2lvWrwWi}U@Yt&~OJnt@7>>x~<(cq`IXAOI)!u<`NTlVtp2YI>J)w$53
zD=Yj<Oi&CJo_`RcQ(68;Jm&?>fGO3EIr~`SV2Zb(l?JZr#cI$O%bEg4Y=7p`o!o1b
ztOkiz9K8?T+7bY=1qu?>ywWfrY6mu2EA4MCO7?p<HBJS(BCe{JrQL^z6IV{wa8Y5#
zN{73#cvoKKlUMM~O4B@0Inkw0BQ@gh_X8e-+N-*4_=T~-=J&BUPQynfNOU}<$Bmm&
z(@am6{%oE5&8BhS>e22D`8ZfYysTGlR%84(ijZ4V#SV8~m8%!n8=Z$%!*`fz>d5kn
z)s${87tV)C?Iu+=U#75E#ITv#C(-WA;J14XU|BfpTwacH_Ms_B=n65p*odaj_ru(k
zq7rs%#De|+`D#Q0kP@BCsPT*Y2<Zfn2cUrVoq|^c=wkAfqH!>8j;)O6F&&^gvD7)=
z9Nt_x73hhn42;HBSnG=UBR^clhTMa()>UHwlJV=xDh$De4T^%l<l+r0^!-ZWtc?`@
zhu7)ZWnqQMKd6F4Cx5!`KZ&A;InC8S4#25)IlA=Ap?*Rd<f56R73H~PVD;;kLB<`-
zHtZt-SRrqLnqZpYUxgqbF36u|n;<-;+b;TNMO8(9HL!+P$<{j6PyAWLnYWH7ezckQ
z5Qu~~+tLQ`+rHxUOvH%O9G+4X9kQVKxb5^%Odh}`I%(;@#v$mwQ;amEwq-xD-UzC8
zIy%0Y`j8g#A@m4-cuivFe1*}j#0O16(-Vw_fa%nTa!L*cqxucJ_rFn5ggdcPZ8Fnk
z8uw5jn>D0&0*u-BbIZ%+$OJ04{Zx#ThUKd&m7J{F?c?htT)(sYD4~8I6Sf3>s+p<3
zwktC=6`vP-NEE16=Dfpb(mw<#ZMpM;j2wtWt4JBm_4v0*-m%w7E2FQpf}?UyR(|p%
z0(0cI@|3}@ga$;_<_yH!2bIgxL&8nia(i>wDkrxyfd9i7{7T+h7dQX?G259YY=|C~
zeT67mseiLuJ_+s#w|A!uv39$3bVdDhbD5kJR5s+2_`+*oIlJCYa>pt8M0KLYZZzPg
zM)&!WZhcD;iGN5u7C*mW4b<5g<vJk{h_y#a1)IDz8@tB3N&TB|eDFF`HoJ*~F$a2Q
z^2uN<5>dmNBJ6Th4M}J|H!gNzBJCAlK+kP@6)kBE$=JQJdQ;zdakO@IeqP8U_Z~=>
zYqY4AVy|L7d`MjW)4S~lbir4=)M7$uT#3y1YjX{N(LIqp{=WPac<Cg3Lsz8pBe=7B
zMh_%+qO}F3<lwRLyP~es*6WSB`-CR$=S`S%Pew$Ew}C1WrD(6$XPKa*6j5e3Rm~UY
zDbkAS*kAGo+ePg~T$P^L4AkXvz*r#}UdS=M;q#fQHSEC+wt*2fYRfG?4iY~>O-*Ym
z@7yO<m-|6w*G8;Q9pIgLkBco9FBoGCOUf|9`60E9Wv?;o7h&AceVq0WM2YJW5%YnF
z78D_h$lfx<YXj->dshsDjf6#JRy%SF+nMief||9DOW0|V&iIhQ_2Tp(GA`+}P>Rh*
z)o0mIM~S)1Xitw5W1U{~)X_`(=_gybnc_f(o91|1`gsosLSSR6cRoQG9S!~fdt_J8
zBw!1B^xqdahmXH_?-Pts-jL^SnOuY|`KY{k9QwZGI~gvyI~N<Su!TW+*DCS+C6hOE
zXm}Buq)B8U`dH^T6kdH|{r*Oj&(0QZLI^1fX|C4Bh<*I_Ry%gANk!btp?MEtE9jWM
zD1>agtwg<zxRG&OxlpN=pjZ46<-{S;^ByU0u%SIV{|yDJVR;0oivmqs6()KNkG^hI
zNcrJoe<u%1#XG?DYUJQH_dt7ZIkyO{LC8?9$zqtltaOzQU#~<Qa@h{OV_+rFvMFy`
zAsc@Y+xK{Py@e;ivgUsIWFF9Z)3O^vuUwOPQT;^Ur-Ub^jgDPptMvmV-tm%#g;z0p
zkA~6%E9uk8{eV<l*~Rd>&sO)Z3)fqN#$TR42t}|G;DTupHZ3G+q+<f3Rbiz$JFIf?
z2e))yNh4?I;A&MzkldC%+8Q|Xq_N;l<A+rD$=djZA$;o$h{GDfaOflK<9t2&dDt6Z
z=T*bu2ZcArQ-)U5-z|&AdB}o`Ftjjk;+U%MooP!;kf2)FjJ21H^WBTI!3d%(oj6C1
zuq`&qS1Ur8B$O>={SZ-rZ&$>kM!C>t!(?n%)f~JfhMGKW1nWEu2lp12KI_2Gv5CO_
z)&R2GjK#?pJx+!oL#g8`OP!&59j)@Em7A-xp&__uf0E1QXH(iBM%E|y72q#HjO&Y1
z1lSOwx;G>ENe=gT>ht0nzsB_uOiA`+L4_y^DdB}rM3|qDhN6hwq-TL_-O%})kA_79
zRjoG<Ap!9`nW1cq@RgnohG7BT(maD{VP+xv;A+f$(^o3%A6!X>8hcte;`}Jbpjy{@
z?~7CZUFcw4>lT6Vu5%+N;OLh$Zk<pauA*`pf*YY8`}uCyvMchc4OT%ZT79$qaW;{c
z^>^Oo&3K*c`QubuqLWg-3LwGC7ScQfhh=XdiV%hGfy{u+@ltF3Co!K3RLfpJY`!`D
ztzNQTmh}$pA@p~m<@4K*NZ8r*CmOwtTh&4y4-T|@J$Xm&qi=J}mQhp=)?i`NePaEd
zCGK=WHq^j}ek6_UO}I-KM&_8?D}lH6({bAA+Taq8+prr_Ln(T82OtyRn40<XCzk7I
zXdGhkwUdGD+Df^MHhgbR)WwD($mQ~!MH^kV&i#nMv)uF6c_)User9cfF+WS{tOsu_
zU{ZDg2x*Sk&*8CKSXw#@rEpNH-rInE#Swc;9aLD6gIw(aW4}Y5({t-ozr`^O5-0Kt
z`I!08l78wTq3Q@owpc-@g=?tnkE~4RfmC6rJN%n^aHh|I`QO{a9@f<f1yT1GUm0?M
zK*r!Vjv;>7#~;3njx>zdFUm+q*z=|r!jvXV2{dLcl^|kJbdSDPh+jVgp`?7G(Bw~@
zEkgGC=}}rrqG`q&<#x`_jg_8EQ;;fI^~Mc7@j6JoyUujn8K~zm<@21~=FD6KEoY)1
zU;rZ8FFAX8xLNhySLk=+A8Gr+G>}&@PKmdoSmF%(=5*OmdylzaD_=*C61i?&_P&pT
zckIscsYZEjId`=n_bJG9aozHti;+~<lPuLOWg)*MA5ZPF<$??T3Kmh1&;Ga={_mr{
z0rm0UBq7EDyKhvsVFW?Xdura^QK6+l&bcF1qW<nW=(%g0l?;gJ)PFVs2J86t)P`{(
zEGkzvNtlS!%=e^&%JceSt&IJd6p&>~<mT*daJo70c}o1?`x+xfGCb;Xx26f8<G{3N
zXcdu2L%+V<<GJy~_f?wzE2jkipn&$3Vs^A?S+JLaeWcrJab0qbOS{}uGDAIfe`ZbO
z^I!oYKj&gdYJ!&)q^2fK^GJPNY^42B5X36;FajLv|2tqXm7~M{pmu->%V^ybrCc%R
zM2Hfb9)~m`s+99CPp?<EzGAv*XXxp8!{&3m8b<POCRXusE9KG5TZdKgbrhpC_iBJ7
z*t=jGP=VG!HZE~&g*aS{JP%kl5OXwJd=6z4m^R-)Y?PU~d$(0PZOyZJYHq3ZU7c)%
zN8oGcBPfYxV<__uc26Q117nzQqC=`#$#7d)0KW>E=6Nd$8U|IX0F~UUia#mQkkq%>
z{)lF8$14|$jo~e+mluE*`|i=Epu-<)J@<>Y&IQ!>FHVD*a^_=>^+TLE6tbY2zo8Cu
zPN>T(E2K}J0DZ_TE%nbUdg7?_GsN|KL`c>6j7IB(pNRaQl=Th_t8FDxq_IjrptrZl
zm~Q32-yMD^u}(C+_=>mrHu-!i4n7t_?mp9VD0M4FnVAKo3Rksd)ig>~;Ry_BTsAYJ
z;?hVHK!_M{v@Uv&3p*a!?#|VbI*y|T9iG^qj+Ys<4&J7^9kQp4u9N!|z5hBfkZ_#*
zNtQbO*KCSltA&bHVSAFfG-Gf%qYUcV43wD}hMloL6NBA{Y!U@(!AQN}+U+BSR7hsZ
zH^ZRGGWVSXq9f1Ep_`URXuKO)XQQ#6-%37dmbB(+WwJJ8nG0Iki_7h|)NTQ}quzeL
z{ASZMM5VbfR_3S=28*T`^bu&G5QR{J>4;Kc;|VeMyDP@^h_>1}=~TG-52qxP^H{$V
zF?}_sAWHO98eU<Q%%1*rd$Q=`ZmJ`*7S9#%4&1dqIey9uHeO|*7<4)+K_rPwlo5Yp
z4G^E;3Jr+4Yk{rASE=*g(5I(9=tYavxLj=CpG&T<wXD~jx;d-bJsKC-t$2L0^|ytu
zab)=l{mA5eUpsT^W+*S-pyT0Aev*Pmm}>~`Seyf`ZrKnc?Bg%rKfR>t|C(NjGZd~w
z!{K3K;K(KASCJ~hAmX`;b{8f!=p`(Md3N~7`4F{k`-A*NnrkeF0yf)S(bU&6*`d!i
zcL}D2?NjQDDo-tyqD)R300JxfO486*281(TCH)?zScENy!t$&<lXKGDqH|Xn(;9;M
zp~Tm7*jJ2aQY~lxhwd>z$!6lnKY?46ATCETr1^>zXek>&qNQXZv@TUbCu#95=-AQ!
zrmitYT^BaP478Ya``bXiE~_V0lW4cJd=TIp_bi66<MpsSg<vAtO0jdsEBIM{5QcfJ
z1A`>q5YE4kZCvpF*96R036xub3wYPW$_5?H*1PMxvpF+#`IEhDgBDcnCbDojN@yHZ
z{emp-fLK!bb*UJfta9(GN&VIf6?Ei8i%Y|>3s^qwbw^5_&DOHGpB%yrJmgoSm1BpO
z3iPDg=i`{j@*cCmm2=eK3H-iZ-?{$+dNFY5ZYIXNep;4Cww$TNYt5<!da)ueYkitv
zYcJj{_2Ej5M&+nRVeHnV#qU*P5h1&lWGH$eY*}Phn{LbpC`kZiop`o}aWa%!oMuy2
zl|hD+7D8d3Z-+!JGN`0M`MtSyJK{EFi5QS>e~%10f;IZzQ<UJ&6Kg9tV_3mi+zIMY
zCf`vq-}gB@Mn(<4|KyEVs}xTpmxBH@y7PW9857SU{`dblg1Y+z=&cJSp%ODgKM`EY
z(}P8;0zioq7=a(wMUi))saaT^E)Dy*Dxuk@oe-l4^jEwUacCjYzg`tee#`SRl?030
zYW<zv3^@Jb%RG-o@DyC-_Bk<=^Ip0XO#Qm5=!fFxu`fN)Lmm2te8CTy*T3nKp4o%W
zU0`tAL7F9Q-zNr$Wp66_CK}oX^L`(-ubf#W$MC+RUIv63EjZbgM*y%e5Yh)0E@sNP
zsCaw!RIqaIdI+!UzFp|<d9m?Q*sD-*AO{Bc%+0OH39mqK*)bzPhQ-9hw1Ado{?C9$
z>LXIzqBvC%Zu7R&<;wmf9orYiJ0rU@0<(4DjOvAwKtd3nir_lE!3Rbk{@-s@mLxH>
zUYu5C`iaAt2v6S%749Aln9tRHk^wTKPxS2I;_#`z<5n8CQ>8_9?GJAj&YsU4NVau!
z*a=Q^DT{;F22aSzap|!rkPU)lz~KescGCQMlb<{Sb)H@Y4#wYTx2LTT&h(DDG_4CX
zV|ndL+@G*-z7_NKz)rOrM8R564qaR{Jmty378uk1`){AnH)l#mG(Xz=I9`k0>nr!j
zj&!H2)T6Fo*C-_nJPC-{spLTaIyffFX|kWOZH{EWAG`5Si4pCKyP)q`W*8py!HPY{
z1gutoqCYjsAwCDd`!Di;N5KsPF!Fe3cNP$Ms!G$CN{#tmV)OLFVAZJOS~Pz={W37|
zhHt}HY8Ze!=2km>Y%w~zSaa~8U^8ur*~uLEpxfCQ6G6<Z^){8e!ikFMRN@{yyB6`M
zw_ZXVDIp5>A?Iiv_ylQ(Q;mRzrakA@q`_4T5&z$a6}+*}2fnGll)Vr_<^8{PYKUjO
z61dIf<E>I{HWw$DCZbJx=4zN-&y05lvzF)D-@c4g!2=9{(HLc*?hlkRa@7m+)eC0x
zG)jEyeC0t241}z5RTh}Bo~#nxyCrn2*GJ)sDun~xE_&`>R1L|}9jMQXvSW*l<vLhQ
ztWvIEu0q%6b3Eo=X@Enb`c8HSNSOe=ll|eK(cDBH%gZkM)WI_)0Z?TEi^B@WK$3TW
zqNaj=5sQ%bwKhL?K)v1;)xwhzNo98ZjQK*d+=_ZEur<R(+~Em+#v|AF(a#we0{K5i
zmK^ms?P<7OqsA5eU|F#B9s3tt!(`za>V!aL^Yd+`Q?vwdj7+?aN4KhV81PIE!hYi(
z%A?fF{E1?%yhvK;r5s3!*z-6t*^NJZcx_ANemqnfU$VM~^+3?!;$q4Pp;2$fJu-@b
z1>=&So%z$00>BekYe_*eiX88jobz%SU*tf8snCc9y8CM0|0y;Ot?`sNQnPFofN{RR
zwSAB~esT<WR-j5QdOq)ydUaZNHgC|CSn>CWQf^{d(4;M;H1Uj$A>n|KPG9<856)Di
zhR?s{xp^A>8R&8TqTkP9OhSkNNyh7WFZS5)zg9a_ZeM$*mYM#3muc#FE@3$CxHDOF
zrsinUm*Cgk)mqxJLSB(l>mfM6y}urBZu;zi#OmR@%A0~2DJv2Y6XBOmI8@>$_(ZM0
zc85!_{Qe7<X<0p=x-rd#V&^rC8I)B5<^--sQav=8UeZdPp8IBSUsr!pTy!Y%82XHs
z+}Mdn#-+da`(<TirQ7Mmhmb^`5V<#TTVzk1S2Yi|D%9<$zG-#59&Dspd>sF$!(*$w
z<p6y^ub46>nAZwOi7blVU4+{3iTC`Ae4Y8wXf$(Q`W!a!l^4s(9=6}NN%?FSeJ6U_
z1lkro-u%d-dz(;rrY5kku%PF8<B(kKP*Gh)Qs?5MU4N%Ptx4&PLDw>1bX?>#Q79^~
zr@=s1LKU5N5ZJ0+&KB`$ZFev{z5b)w`Q7c@9pOV6Q&12F`>qB+LrVgg%7ONs-+!=(
zfCLNGzPAE}Knk_&=~L-k>%no+)#`T*?}+oqy~6?LW!zQkF$s&d>F}>UDJpj^*QVy?
z*n*u3DjZ>VB0S<!gI_0C>3h+&uLc``uA{t^RWJBBn{#3^;O^r=uAZyLyfEk+^KT)A
z!Qs5Duw0sVOB3TWs^q`2SnJOhGiTjV7wwF?DoJ}hNk!m!$}c^JcmZiXJU<J_siz3L
zip#&2oLr8rH{tiJu-Qg_@mAH*v7hp*<AGC_rfl^dogay?(7nkDg_=aqldj-jeOmVG
zgJP8^|Fba=h%<`vuZsUT@|gD%EF1dny=I>4=vRhrz!GXgw4wf%`utVzAh0i-V4!pB
z<N;X?r3~Q~2_DAAS<kDfs;vyD+41@ibf#MCm@nCx`mAkBw1P??!Ug%|3qKw14^1fO
z7N*!a;dtt`ydK2Ydd9ufo>jC2tX|pdpxzfM`f;+9VTMOn@Sm>*FyN?0&CQmz|E_nK
zIgYJ{5S8Sb5iZum08)U+$Adpa$<_8cd;MqM`m>?wnaq2f_6XqUPb)r?a#@))m<_lL
zj0ZtZoRh1eDG23(S@+u@TIS683hopvvb?pir8V>GbdTF%+Vv4tEB4YMACF#R+<68I
zweHa^(bLlFhP$f<9=cytZs!a83oRQ7C6mZDtx@7i@K^;3A)=+3sp6?~b|02shiO^l
zB;T_c-z~+PR^+@5*dvpN!#{Po)?QB~+Ha3k<+cc%&2-q(3~$#wOgzgBbSQo~Q+Rdd
z2rf|191mm<zjcmx24{nQhtkr_nx*Ia>7f=ozdne%cG0q}$n1&gs9j0vuzIw+D3u&_
z<Q+&1>I=vDp@U{;8mCf{4(pRAnR=Lq3dyppE{^->*+6G^<hPc3rHHuTzeV$(l%3uY
zox{#Fi%2tW3{ui_7%rH@(<G8BLFB--D`B+V#XNO(e4efFd%)}w>BZIbiq_cnatp5@
z^=^Q1wAK@ox5*W&f16rFf2-DL4d|&?V;sE5FSb~O0rC5Gz=}a`IVvi*k2|blql&d%
zRf@a!o=7<CFB|6*S{{RPUzL1JAz`-g)$z`8y59$*=?zTU&NSt<1Rm>yi?vjLe}7yc
z!-@HCwJ`)$JMt`lIg8oT<kf00>pwYq%!obqS)jYjjBvX|NeRAC#9+XliSoU*SGTZs
z?u)@(qCJP%ELpJoIlOOI^z_vr2J^SK_2zRKsVCzb4-*~HfBk<FfG?H95kQCfEcKCy
z>4p1M8;hX8wf@kD#>PRyY+hLz4SA!r5Z$G~A5AX#B8(avP7j2qIk469@t%mFP+MSQ
z3BdOu{Ej!f;}dpwdv~`AUPpe|c>iV4bgJ7nfg6#MNwSjz6fEJ6*Moy%?s8M4n0roj
zDU@kOh3zBnr*e6uYMFp!x15>H@kfv2_#f+~jahb>>HQbJzgVW0i|o_=_l9Jn+l}@7
zf-dvqDS9=Ri#ea~VfT=w=mnSWe7)u2xjih~Qjpa^k=NZl$?U;tcpn=qQz^gP8e%cE
z!HJi^rL()*74n70BPd_==6bFAZR*G+fOmXj;Y_pqmj{4S2BTT{%{dFjRJ-psF?3U#
zugA;X+t%zluIU58BU_}3q@3`j)97kvJy9`}*<I1m{SKCMs%VC(Q*4$mDnm|ifQ5n)
zsn+b0FbQ2Fc12C%_lirTgVmNY2juEg9Co^Jmls<yzt?wIsJRw)4Lcp02)z6_{xf?9
zhkjRMN<6(`YaCrcdyBl&fyZ>jw?6m}&%YQJ0gecpKN|caKjm7VS?Gm3v&eA;uPIoW
zjEsNut9#e5-9)AUv&x;^uY0<p6tz9EO92l@D9-)pzWAxeOn8*??w5|!k<LM8%Pxdk
zjQ5aUFyDN-cE#SmEz{PvK**!tmZiZoeE93vki_rtC0IR$e(wDyr%$+!gD>$+^6X56
zJHNJs>+!ICNnNjjBDJRRW#IY9bGHb^+J}SJ9Sr3y1<80sZ*8N_!o2F>a7&GfR~9iZ
zo5+-3RH#`tU!(iWx*c}WM>B4QB~5G)ehnw*Hfx>Lf}6SPt_5S@UGT#?H&LI@CEf(k
zV#=2u)!8RHAlSP-4ANJbNdzq4^ss7{4A+S*{X*bAtxW+;isI@M@(0OQ0}i_)&h-u*
zEFjwm2dFfgx4u08LIaR{-LA>1Drt`|HBWw8_Q-N*|EA(}@59h~A_miKg5z^qMT`6>
z{Sb!7EUGD*sUF{`uICr@8G;0!I;hR^SspbP&UxMmyIR8lT`&jaZ)<uUWt)oQO?m#E
zC{EVtJag&C@wFzLTVjr>^^>07GydG>nh&W$c>c1!8}D52@Ote?le{G0S(J>z501v6
z_1=Fp|4pM|kc{m9!j8RBQ1=^L$<req9!@hMr&T^4hJ?5<VV;(}XE~(G77^c_1N)eH
z-z|07tTBd4Pnn!IW%k9Xh9e-dcTMSNE%J%&vs%(>1-f|IZhv?Dg*Pg$t%P6wvYOUy
z06pG#=2%Zen_XIq88(-lW;`s0(vG?t-{jjJ3dDw*kD4LF$GBq8zwq&fF~@0uWyt~~
zN%WJVes*!v_oGA$!3T)R3Uj=_U9=le>vp3=Nj={4vVyjlvLlI9C@I)p$5(US_AZ3@
zT;2h*l?<3&ol_C0tMq<sEAHSu2l>domS35fC1>T@<HnaFV6!%`yFILi2W(flIrT=2
zI&AW;^XPY$N5*Q<7awhh)R!x7ahq}UwIy$9QzYz<@`i|BZI=kUo?=PS{Oj2c^@~G{
zf3Jtx-L6k=TrEjCs}Jl~`BK=z)(YJF+AcNzC_J66bp#;od>!0S({w2dQZ#d+$JN<5
zCH6x|daaa{6d_>~t=`sXLBoJ(n6iqgT#n&^$djSLdGZH*_UnqL?K1uVD!3h7Kz!l9
z-PJ2qp4|16&(0&+1#iFd2+&2^a_h}TjMi&uP47w?Ps)i!)36e`&0}mJ;#>dB2sn&P
z+5V_Pe|b60N?oUlb2EK_T2i0(@j#pqBlnn;1+lEl;r*8_RWcUrdF=f5@1t8CA^{*L
zysl2TW|1)`9>~Mbcif#vDy*_-6Fg2t*sQ+P);xOO6swgi=oGWX=xouT*TXWyn`yG!
z+xdEoUT2-#>JaI3<KJE<I=r~~g=N(v>*W2H|DThA3Kl=nlI3h&%g=+?<1{443aMPh
zLx1twCmsX{EYk7B_Ei16@wC?VMGDxl^BehmUD~M5lU@4`;838FvYlztsG2O`&@6aQ
zle}VLecOd=_osG~vSvAt33a0a&eQV7owF@b*M)MXs)+dNp0mhFhx*$~bBJ#98h$k@
zG6O)F8asp#bsF~{&&kzWuj~QbHX%PziS^J^t$=QqMg@O&p5VUUAaznIjBF=ZthrRr
zO=V_gR#s9PA7BcMj2zBP_2}kO&a|3odi~YXcD7!WjfRn>Y8uV&X&VYE23}M1wnmxR
zX!En?1&H^~S?)<&ENAUSBJ0ct4FZSiA*Z?Y&$gdFJ!X+wC;JyOEevRhkcG{m^Bo;r
z*^sA`ytI?D7R1FS6AzZuBv(y-C8|xO3h%P=sDnb-pKu4VH@<h9U7p`~I5-xM(DlAZ
zV`e<yQaqztu^GwNsc{aDp%Ad&{!>Oy7J>Vt16+)FEoN(vdo)-JIyuSJPnO4yVp6$%
z=~mzi9ej(N5k7Db9PgyWwT)I(;n%3Qu}v@7T7u`L8vh+@YdF3r0-7YBr%NvfN;+;@
ziS?UgLa8)z$6C?z%Th1=i;9X++N3~(tmUpq&?XS<n>3|iXdt}-5V69-{f{|5J7+DL
z0`}{#^aMBVBfl23M|=Q)#r1b;^6*%thbmE#Ln+k$#~<(9Wd|s}18K!S1n#`~mq)Q8
zq9eBt@-GdhzFrvO>W2hgb8q%^({jT3vvZ1@p6%oN=j6~LE|CG;7<2*g&bSuh!6s7G
zxIWF>{ZoWjY<VM8q@n$Xz>OzA0pLIfBH@&Xn|C^fgJuq`mOU?2<e^sU#2db+$OjO8
zxoiZC)ftDrw#fS&?JW)(1(eAR7uC0$w2mJLYTH)TAbCs+`!b{LbMDy}p(dYivalvX
zU*l^c8wsnt2DCvSvOjF*A54F3JTTN~>EpR`AAa-k10hMVvPHg8A;PzXNrkBXukDst
zLtH{ad+vhyb8kgTaKg+Y5EQJru=}OMx4^1y_}WqaiD1^Ox`UvTX^DLknp_ZbBYJMY
zBYPE*@Z0Z^7E*v_hlz&8$mu;OkDNKfrxX+&;}2@WwliM|m9tV9%+$=r+Kf8MuC=HN
zwh}j<fAWuEip)aoAsJWT;@|*I7rv$R5G~Ca`D2&QLb`uhlBrRgbl)7RzNGYI^~$a1
zzNX{11(K&2p@Nli3l^Fu^o;a?dM;4;eGnV@BVvF!1ud#7^7L#)x}^M?I*Tx48N+5+
zaHlHF&ELPLc6>|?L?w`a$pTQ;mX?;DyEn?>=PAcavy9kZLxc<8<)3eBk6h8?0w37m
zt$Kz9v?XEqo3tDpe}KGPTLk|`;8oNkjBgWnvETTcugpjGy`Zc6WaGilv1Y(!CB9iE
z=x;JRTknvoCRE|D5vbdZmfnWOr;@;C?Jt@c!U>kd!RKvmd|wu1l@AZ>Vg|;>CwA6N
zqY?eI`w-mrz*9XM;o!Bm;xnu3>u-S0RW-7WI+qOSd<&Ys-sxQ(-01Yve(om!hQCtr
z15ue5&+LMfb8`S61xMe%a0}>ezQ#-y-Wq6k?W7dq?Y6Era<q&e&alJmLh5zNgW5y@
zBejUg?4Liy4!JSr>b;?O6XC=a6@TV6I^5O*SASex>s_8icp#q&M?SU9$jE3Ma44TV
zc~C}KXgU0+v{G2fdnNRu*BE<J(7L(uF~=-Y;}2PzG{ptXLZE{J3S54<WBGATT>E>a
z<1>a$hEjEFzRrE|mS;6Z;z%ts3Z%IvVL&ZU+pijD1-_-m+!0Dq_HhT%B9b`JT1ov*
z|Dw4oE~EJ>o6vU*X{{YvYU&oC^9MHCk&#l#5HjM`ndkH>n)Z#9@VCgrNIyOm)!yQw
zcpD+y9sC=qO@gd@0v!=0@Et%yB?kEzAP$1;a1P|8z_kMS7Zx+J%!wvu3R*vTKQl4}
zsC>`|))WmBb0AeT)q%iQ6B(w=I(vItC2Lni0RjWgm;Rua;|{YF;OBigyHf&I4xmXa
zk1Fq@7KgK=&^%8{6D!;-E#=|@K{fbqqX71Qbux6ezQz~h0jSWQa*}sb-`}$^KH?$4
zD`!jeOCjSnn-700gCc6+9Kb9hLK$3DU2Ukury##?@0S`(UrZt$^nwd{JXE=NeczYR
zn61EOlwfkaxP<46#SdDZ3MH6<5ra%)(7tw2W{ETpZfIV~Paw=~^veME-q;tzD#}JW
znClk^Oq!)PNc<G#-6Jt5=rQt4<x5rwUm?X>E$uI8V_%!3b~R!jXt6d2dbZ$jJn)lh
z#PjB1Dj$D&I{EI=n4i?Ma+<$B>V7<~FDNzW8)?Y(RN(6d!S}f;dGAL~7b<yhc_SHy
z&!W&1=WQuCKP^gFWNVOXnX$u~SS+ky3LoCY_e4urC|Nj|rdx<7e*AXw-XOmZUx%Pj
zY@CL2Xw~tJ?H15ICYv5;OKP25UyGstuO?Ki|5`gACc(Qht_x71iCRO$q)MxZX#<BR
zKFnRGg@K#*@%o=4EHUT+JJgTRIFc>I2C)sZ?MZKHU)JTn!eHU!dvbGcNk5|Q-phO3
zI4P3&GXJ*aCdn%8V13R$o|Su3R{sXck^+UnEo|VyHuD>Z_d(xVHhfRsD-|Qh81Pm`
z9YR+m+4P73<!TcbuP8P483b4qpYdLzbr<43U_X18uhZ24xOHL=&oROfA63@YbxOhu
zL*j}ZCC2FMD<AT(6WMZ7ge;0&kViIMFyh?=4VY3zY-HHEZ=uYhx%G;2x}D-jpJlPZ
zV~eH<HOfM~x-9xu07?0h#UJ-@!b#LnkGhB_lkf}1nasOH!S+W1EZD7%l!mW1=3r^c
zDzNF`CKSXCS{i7%>#c~_D?QGII)*=UoGt}1{c?mx?BfNzRsRN2_?q$_c~S{h1<Tm{
z7<5t+H8Kxx5aV4+BE&s;dyBUGo-3puUqeX+-qh4&!HzMRM+Gjc(}a)@B`thtMgidk
zO(ijSZq|*kY9#Rc&oK@58k*)U@=fv322n`^+%^2<4RRk8N!Px~2iY5Hx<PLchFCUD
wx!t3l;G2<mUvjgs#0~ymRwV7+&E6fR{hfG5$OosEd*DB5n7l;3xW4!Q0kEYRcK`qY

literal 0
HcmV?d00001

diff --git a/odl-aaa-moon/commons/federation/README b/odl-aaa-moon/commons/federation/README
new file mode 100644
index 00000000..dd9cdbf0
--- /dev/null
+++ b/odl-aaa-moon/commons/federation/README
@@ -0,0 +1,271 @@
+README
+===============================================================================
+Federated AAA is deployed using several config files.  This file explains a
+simple scenario utilizing two servers:
+a) ipa.example.com
+   - Runs the IPA Server Software
+b) odl.example.com
+   - Runs the IPA Client Software
+   - Runs an Apache proxy frontend (AuthN through mod_lookup_identity.so)
+   - Runs ODL
+
+This setup for this scenario is illustrated in Figure 1 below:
+
+      -----------------------
+     | odl.example.com       |
+     | (Fedora 20 Linux)     |
+     |                       |
+     |  -------------------  |
+     | | ODL Jetty Server  | |
+     | | (Port 8181 & 8383)| |
+     |  -------------------  |
+     |   ^              .    |
+     |   .   (Apache    .    |  SSSD Requests/Responses
+     |   .    Reverse   .    |           /
+     |   .     Proxy)   .    |          /
+     |   .              v    |         /
+     |  -------------------  |        |          ------------------
+     | | Apache            |<|..................| ipa.example.com  |
+     | | (Port 80)         |.|.................>| (FreeIPA         |
+     |  -------------------  |                  |   Kerberos And   |
+     | ______________________|                  |     LDAP)        |
+                                                 ------------------
+Figure 1: Shows the setup for a simple Federated AAA use case utilizing
+FreeIPA as an identity provider.
+
+
+These instructions were written for Fedora 20, since SSSD is unique to RHEL based
+distributions.  SSSD is NOT a requirement for Federation though;  you can use
+any supported linux flavor.  At this time, SSSD is the only Filter available
+with regards to capturing IdP attributes that can be used in making advanced mapping
+decisions (such as IdP group membership information).
+
+
+
+1) Install FreeIPA Server on ipa.example.com.  This is achieved through running:
+# yum install freeipa-server bind bind-dyndb-ldap
+# ipa-server-intall
+
+
+
+2) Add a FreeIPA user called testuser:
+$ kinit admin@EXAMPLE.COM
+$ ipa group-add odl_users --desc "ODL Users"
+$ ipa group-add odl_admin --desc "ODL Admin"
+$ ipa user-add testuser --first Test --last USER --email test.user@example.com
+$ ipa group-add-member odl_users --user testuser
+$ ipa group-add-member odl_admin --user testuser
+
+
+
+3) Install FreeIPA Client on odl.example.com.  This is achieved through running:
+# yum install freeipa-client
+# ipa-client-install
+
+
+
+4) Set up Client keytab for HTTP access on odl.example.com:
+# ipa-getkeytab -p HTTP/odl.brcd-sssd-tb.com@BRCD-SSSD-TB.COM \
+    -s freeipa.brcd-sssd-tb.com -k /etc/krb5.keytab
+# chmod 644 /etc/krb5.keytab
+NOTE: The second command allows Apache to read the keytab.  There are more
+secure methods to support such access through SELINUX, but they are outside
+the scope of this tutorial.
+
+
+
+5) Install Apache on odl.example.com.  This is achieved through running:
+# yum install httpd
+
+
+
+6) Create an Apache application to broker federation between ODL and FreeIPA.
+Create the following file on odl.example.com:
+
+[root@odl /]# cat /etc/httpd/conf.d/my_app.conf
+<Location "/*">
+  AuthType Kerberos
+  AuthName "Kerberos Login"
+  KrbMethodNegotiate On
+  KrbMethodK5Passwd on
+  KrbAuthRealms EXAMPLE.COM
+  Krb5KeyTab /etc/krb5.keytab
+  require valid-user
+</Location>
+
+
+<LocationMatch "/*">
+
+ RequestHeader set X-SSSD-REMOTE_USER expr=%{REMOTE_USER}
+ RequestHeader set X-SSSD-AUTH_TYPE expr=%{AUTH_TYPE}
+ RequestHeader set X-SSSD-REMOTE_HOST expr=%{REMOTE_HOST}
+ RequestHeader set X-SSSD-REMOTE_ADDR expr=%{REMOTE_ADDR}
+ LookupUserAttr mail REMOTE_USER_EMAIL
+ RequestHeader set X-SSSD-REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e
+ LookupUserAttr givenname REMOTE_USER_FIRSTNAME
+ RequestHeader set X-SSSD-REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e
+ LookupUserAttr sn REMOTE_USER_LASTNAME
+ RequestHeader set X-SSSD-REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e
+ LookupUserGroups REMOTE_USER_GROUPS ":"
+ RequestHeader set X-SSSD-REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e
+</LocationMatch>
+
+ProxyPass / http://localhost:8383/
+ProxyPassReverse / http://localhost:8383/
+
+
+
+7) Install the ODL distribution in the /opt folder on odl.example.com.
+
+
+
+8) Add a federation connector to the jetty server hosting ODL on
+odl.example.com:
+
+[user@odl distribution]$ cat etc/jetty.xml
+<?xml version="1.0"?>
+<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//
+DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd">
+
+<Configure class="org.eclipse.jetty.server.Server">
+
+    <!-- =========================================================== -->
+    <!-- Set connectors -->
+    <!-- =========================================================== -->
+    <!-- One of each type! -->
+    <!-- =========================================================== -->
+
+    <!-- Use this connector for many frequently idle connections and for
+        threadless continuations. -->
+    <Call name="addConnector">
+        <Arg>
+            <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
+                <Set name="host">
+                    <Property name="jetty.host" />
+                </Set>
+                <Set name="port">
+                    <Property name="jetty.port" default="8181" />
+                </Set>
+                <Set name="maxIdleTime">300000</Set>
+                <Set name="Acceptors">2</Set>
+                <Set name="statsOn">false</Set>
+                <Set name="confidentialPort">8443</Set>
+                <Set name="lowResourcesConnections">20000</Set>
+                <Set name="lowResourcesMaxIdleTime">5000</Set>
+            </New>
+        </Arg>
+    </Call>
+    <!-- Trusted Authentication Federation proxy connection -->
+    <Call name="addConnector">
+     <Arg>
+         <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
+           <Set name="host">127.0.0.1</Set>
+     <Set name="port">8383</Set>
+     <Set name="maxIdleTime">300000</Set>
+     <Set name="Acceptors">2</Set>
+     <Set name="statsOn">false</Set>
+     <Set name="confidentialPort">8445</Set>
+     <Set name="name">federationConn</Set>
+     <Set name="lowResourcesConnections">20000</Set>
+     <Set name="lowResourcesMaxIdleTime">5000</Set>
+    </New>
+   </Arg>
+ </Call>
+    <!-- =========================================================== -->
+    <!-- Configure Authentication Realms -->
+    <!-- Realms may be configured for the entire server here, or -->
+    <!-- they can be configured for a specific web app in a context -->
+    <!-- configuration (see $(jetty.home)/contexts/test.xml for an -->
+    <!-- example). -->
+    <!-- =========================================================== -->
+    <Call name="addBean">
+        <Arg>
+            <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
+                <Set name="name">karaf</Set>
+                <Set name="loginModuleName">karaf</Set>
+                <Set name="roleClassNames">
+                    <Array type="java.lang.String">
+                        <Item>org.apache.karaf.jaas.boot.principal.RolePrincipal
+                        </Item>
+                    </Array>
+                </Set>
+            </New>
+        </Arg>
+    </Call>
+    <Call name="addBean">
+        <Arg>
+            <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
+                <Set name="name">default</Set>
+                <Set name="loginModuleName">karaf</Set>
+                <Set name="roleClassNames">
+                    <Array type="java.lang.String">
+                        <Item>org.apache.karaf.jaas.boot.principal.RolePrincipal
+                        </Item>
+                    </Array>
+                </Set>
+            </New>
+        </Arg>
+    </Call>
+</Configure>
+
+
+
+9) Add the idp_mapping rules file on odl.example.com
+
+[user@odl distribution]$ cat etc/idp_mapping_rules.json
+[
+   {
+      "mapping":{
+         "ClientId":"1",
+         "UserId":"1",
+         "User":"admin",
+         "Domain":"BRCD-SSSD-TB.COM",
+         "roles":"$roles"
+      },
+      "statement_blocks":[
+         [
+            [
+               "set",
+               "$groups",
+               [
+
+               ]
+            ],
+            [
+               "set",
+               "$roles",
+               [
+                  "admin",
+                  "user"
+               ]
+            ]
+         ]
+      ]
+   }
+]
+
+NOTE:  This is a very basic mapping example in which all federated users are
+mapped into the default "admin" account.
+
+
+
+10) Start ODL and install the following features on odl.example.com:
+# bin/karaf
+karaf> feature:install odl-aaa-authn-sssd-no-cluster odl-restconf
+
+
+
+11) Get a refresh_token on odl.example.com through Apache proxy port (80 forwarded to 8383):
+[user@odl distribution]$ kinit testuser
+[user@odl distribution]$ curl -s --negotiate -u : -X POST http://odl.example.com/oauth2/federation/
+
+
+
+12) Obtain an access_token on odl.example.com through normal port (8181):
+[user@odl distribution]$ curl -s -d 'grant_type=refresh_token&refresh_token=<PUT RESULT FROM ABOVE STEP HERE>&scope=sdn' http://odl.example.com:8181/oauth2/token
+
+
+
+13) Use the access_token to make authenticated rest calls from odl.example.com through normal port (8181):
+[user@odl distribution]$ curl -s -H 'Authorization: Bearer <PUT RESULT FROM ABOVE STEP HERE>' http://odl.brcd-sssd-tb.com:8181/restconf/streams/
+
diff --git a/odl-aaa-moon/commons/federation/idp_mapping_rules.json.example b/odl-aaa-moon/commons/federation/idp_mapping_rules.json.example
new file mode 100644
index 00000000..98bacb0a
--- /dev/null
+++ b/odl-aaa-moon/commons/federation/idp_mapping_rules.json.example
@@ -0,0 +1,30 @@
+[
+   {
+      "mapping":{
+         "ClientId":"1",
+         "UserId":"1",
+         "User":"admin",
+         "Domain":"BRCD-SSSD-TB.COM",
+         "roles":"$roles"
+      },
+      "statement_blocks":[
+         [
+            [
+               "set",
+               "$groups",
+               [
+
+               ]
+            ],
+            [
+               "set",
+               "$roles",
+               [
+                  "admin",
+                  "user"
+               ]
+            ]
+         ]
+      ]
+   }
+]
diff --git a/odl-aaa-moon/commons/federation/jetty.xml.example b/odl-aaa-moon/commons/federation/jetty.xml.example
new file mode 100644
index 00000000..c4cb2a7d
--- /dev/null
+++ b/odl-aaa-moon/commons/federation/jetty.xml.example
@@ -0,0 +1,85 @@
+<?xml version="1.0"?>
+<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//
+DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd">
+
+<Configure class="org.eclipse.jetty.server.Server">
+
+    <!-- =========================================================== -->
+    <!-- Set connectors -->
+    <!-- =========================================================== -->
+    <!-- One of each type! -->
+    <!-- =========================================================== -->
+
+    <!-- Use this connector for many frequently idle connections and for
+        threadless continuations. -->
+    <Call name="addConnector">
+        <Arg>
+            <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
+                <Set name="host">
+                    <Property name="jetty.host" />
+                </Set>
+                <Set name="port">
+                    <Property name="jetty.port" default="8181" />
+                </Set>
+                <Set name="maxIdleTime">300000</Set>
+                <Set name="Acceptors">2</Set>
+                <Set name="statsOn">false</Set>
+                <Set name="confidentialPort">8443</Set>
+                <Set name="lowResourcesConnections">20000</Set>
+                <Set name="lowResourcesMaxIdleTime">5000</Set>
+            </New>
+        </Arg>
+    </Call>
+    <!-- Trusted Authentication Federation proxy connection -->
+    <Call name="addConnector">
+     <Arg>
+         <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
+           <Set name="host">127.0.0.1</Set>
+     <Set name="port">8383</Set>
+     <Set name="maxIdleTime">300000</Set>
+     <Set name="Acceptors">2</Set>
+     <Set name="statsOn">false</Set>
+     <Set name="confidentialPort">8445</Set>
+     <Set name="name">federationConn</Set>
+     <Set name="lowResourcesConnections">20000</Set>
+     <Set name="lowResourcesMaxIdleTime">5000</Set>
+    </New>
+   </Arg>
+ </Call>
+    <!-- =========================================================== -->
+    <!-- Configure Authentication Realms -->
+    <!-- Realms may be configured for the entire server here, or -->
+    <!-- they can be configured for a specific web app in a context -->
+    <!-- configuration (see $(jetty.home)/contexts/test.xml for an -->
+    <!-- example). -->
+    <!-- =========================================================== -->
+    <Call name="addBean">
+        <Arg>
+            <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
+                <Set name="name">karaf</Set>
+                <Set name="loginModuleName">karaf</Set>
+                <Set name="roleClassNames">
+                    <Array type="java.lang.String">
+                        <Item>org.apache.karaf.jaas.boot.principal.RolePrincipal
+                        </Item>
+                    </Array>
+                </Set>
+            </New>
+        </Arg>
+    </Call>
+    <Call name="addBean">
+        <Arg>
+            <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
+                <Set name="name">default</Set>
+                <Set name="loginModuleName">karaf</Set>
+                <Set name="roleClassNames">
+                    <Array type="java.lang.String">
+                        <Item>org.apache.karaf.jaas.boot.principal.RolePrincipal
+                        </Item>
+                    </Array>
+                </Set>
+            </New>
+        </Arg>
+    </Call>
+</Configure>
+
diff --git a/odl-aaa-moon/commons/federation/my_app.conf.example b/odl-aaa-moon/commons/federation/my_app.conf.example
new file mode 100644
index 00000000..71c8ad87
--- /dev/null
+++ b/odl-aaa-moon/commons/federation/my_app.conf.example
@@ -0,0 +1,31 @@
+LoadModule lookup_identity_module modules/mod_lookup_identity.so
+
+<Location "/*">
+  AuthType Kerberos
+  AuthName "Kerberos Login"
+  KrbMethodNegotiate On
+  KrbMethodK5Passwd on
+  KrbAuthRealms EXAMPLE.COM
+  Krb5KeyTab /etc/krb5.keytab
+  require valid-user
+</Location>
+
+
+<LocationMatch "/*">
+
+ RequestHeader set X-SSSD-REMOTE_USER expr=%{REMOTE_USER}
+ RequestHeader set X-SSSD-AUTH_TYPE expr=%{AUTH_TYPE}
+ RequestHeader set X-SSSD-REMOTE_HOST expr=%{REMOTE_HOST}
+ RequestHeader set X-SSSD-REMOTE_ADDR expr=%{REMOTE_ADDR}
+ LookupUserAttr mail REMOTE_USER_EMAIL
+ RequestHeader set X-SSSD-REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e
+ LookupUserAttr givenname REMOTE_USER_FIRSTNAME
+ RequestHeader set X-SSSD-REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e
+ LookupUserAttr sn REMOTE_USER_LASTNAME
+ RequestHeader set X-SSSD-REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e
+ LookupUserGroups REMOTE_USER_GROUPS ":"
+ RequestHeader set X-SSSD-REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e
+</LocationMatch>
+
+ProxyPass / http://localhost:8383/
+ProxyPassReverse / http://localhost:8383/
diff --git a/odl-aaa-moon/commons/postman_examples/AAA_AuthZ_MDSAL.json.postman_collection b/odl-aaa-moon/commons/postman_examples/AAA_AuthZ_MDSAL.json.postman_collection
new file mode 100644
index 00000000..15193a70
--- /dev/null
+++ b/odl-aaa-moon/commons/postman_examples/AAA_AuthZ_MDSAL.json.postman_collection
@@ -0,0 +1,77 @@
+{
+	"id": "273974a1-2df8-b0a6-57f9-1397cd1628d7",
+	"name": "AAA AuthZ MDSAL",
+	"description": "This Postman collection contains some of the common operations that are necessary to \"provision\" authorization services on top of ODL.",
+	"order": [
+		"7959a1f4-703a-417a-9d4c-70ab56c0e57f",
+		"262c9b05-04a6-8dfa-5eb3-c9f9f90b3c4a",
+		"4df58109-fd50-dbdf-b982-7e59d3475544"
+	],
+	"folders": [],
+	"timestamp": 1439405060911,
+	"owner": 0,
+	"remoteLink": "",
+	"public": false,
+	"requests": [
+		{
+			"id": "262c9b05-04a6-8dfa-5eb3-c9f9f90b3c4a",
+			"headers": "Authorization: Basic YWRtaW46YWRtaW4=\n",
+			"url": "http://localhost:8181/restconf/config/authorization-schema:simple-authorization/policies/RestConfService/",
+			"pathVariables": {},
+			"preRequestScript": "",
+			"method": "GET",
+			"collectionId": "273974a1-2df8-b0a6-57f9-1397cd1628d7",
+			"data": [],
+			"dataMode": "raw",
+			"name": "Get configuration authorization schema with admin role",
+			"description": "",
+			"descriptionFormat": "html",
+			"time": 1439405954342,
+			"version": 2,
+			"responses": [],
+			"tests": "",
+			"currentHelper": "normal",
+			"helperAttributes": {},
+			"rawModeData": ""
+		},
+		{
+			"id": "4df58109-fd50-dbdf-b982-7e59d3475544",
+			"headers": "Authorization: Basic dXNlcjp1c2Vy\n",
+			"url": "http://localhost:8181/restconf/config/authorization-schema:simple-authorization/policies/RestConfService/",
+			"preRequestScript": "",
+			"pathVariables": {},
+			"method": "GET",
+			"data": [],
+			"dataMode": "params",
+			"version": 2,
+			"tests": "",
+			"currentHelper": "normal",
+			"helperAttributes": {},
+			"time": 1439406616859,
+			"name": "Get configuration authorization schema with user role",
+			"description": "",
+			"collectionId": "273974a1-2df8-b0a6-57f9-1397cd1628d7",
+			"responses": []
+		},
+		{
+			"id": "7959a1f4-703a-417a-9d4c-70ab56c0e57f",
+			"headers": "Authorization: Basic YWRtaW46YWRtaW4=\nContent-Type: application/json\n",
+			"url": "http://localhost:8181/restconf/config/authorization-schema:simple-authorization/policies/RestConfService/",
+			"preRequestScript": "",
+			"pathVariables": {},
+			"method": "PUT",
+			"data": [],
+			"dataMode": "raw",
+			"version": 2,
+			"tests": "",
+			"currentHelper": "normal",
+			"helperAttributes": {},
+			"time": 1439405844861,
+			"name": "Secure RestConfService for admin role",
+			"description": "",
+			"collectionId": "273974a1-2df8-b0a6-57f9-1397cd1628d7",
+			"responses": [],
+			"rawModeData": "{\n    \"policies\": {\n        \"resource\": \"*\",\n        \"service\":\"RestConfService\",\n        \"role\": \"admin\"\n    }\n}"
+		}
+	]
+}
\ No newline at end of file
diff --git a/odl-aaa-moon/distribution-karaf/pom.xml b/odl-aaa-moon/distribution-karaf/pom.xml
new file mode 100644
index 00000000..dc65d84f
--- /dev/null
+++ b/odl-aaa-moon/distribution-karaf/pom.xml
@@ -0,0 +1,274 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.opendaylight.aaa</groupId>
+        <artifactId>aaa-parent</artifactId>
+        <version>0.3.1-Beryllium-SR1</version>
+        <relativePath>../parent</relativePath>
+    </parent>
+
+    <artifactId>distribution-karaf</artifactId>
+    <packaging>pom</packaging>
+    <prerequisites>
+        <maven>3.0</maven>
+    </prerequisites>
+
+    <dependencies>
+        <!-- Basic Karaf dependencies -->
+        <dependency>
+            <groupId>org.apache.karaf.features</groupId>
+            <artifactId>framework</artifactId>
+            <version>${karaf.version}</version>
+            <type>kar</type>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.karaf.features</groupId>
+            <artifactId>standard</artifactId>
+            <version>${karaf.version}</version>
+            <classifier>features</classifier>
+            <type>xml</type>
+            <scope>runtime</scope>
+        </dependency>
+
+        <!-- ODL Branding -->
+        <dependency>
+            <groupId>org.opendaylight.controller</groupId>
+            <artifactId>karaf.branding</artifactId>
+            <version>${karaf.branding.version}</version>
+            <scope>compile</scope>
+        </dependency>
+
+        <!-- ODL Resources needed for karaf -->
+        <dependency>
+            <groupId>org.opendaylight.controller</groupId>
+            <artifactId>opendaylight-karaf-resources</artifactId>
+            <version>${karaf.resources.version}</version>
+        </dependency>
+
+        <!-- Project local feautures -->
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>features-aaa-api</artifactId>
+            <classifier>features</classifier>
+            <version>${project.version}</version>
+            <type>xml</type>
+            <scope>runtime</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>features-aaa</artifactId>
+            <classifier>features</classifier>
+            <version>${project.version}</version>
+            <type>xml</type>
+            <scope>runtime</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>features-aaa-authz</artifactId>
+            <classifier>features</classifier>
+            <version>${project.version}</version>
+            <type>xml</type>
+            <scope>runtime</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>features-aaa-shiro</artifactId>
+            <classifier>features</classifier>
+            <version>${project.version}</version>
+            <type>xml</type>
+            <scope>runtime</scope>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <pluginManagement>
+            <plugins>
+                <plugin>
+                    <groupId>org.eclipse.m2e</groupId>
+                    <artifactId>lifecycle-mapping</artifactId>
+                    <version>1.0.0</version>
+                    <configuration>
+                        <lifecycleMappingMetadata>
+                            <pluginExecutions>
+                                <pluginExecution>
+                                    <pluginExecutionFilter>
+                                        <groupId>org.apache.felix</groupId>
+                                        <artifactId>maven-bundle-plugin</artifactId>
+                                        <versionRange>[0,)</versionRange>
+                                        <goals>
+                                            <goal>cleanVersions</goal>
+                                        </goals>
+                                    </pluginExecutionFilter>
+                                    <action>
+                                        <ignore></ignore>
+                                    </action>
+                                </pluginExecution>
+                                <pluginExecution>
+                                    <pluginExecutionFilter>
+                                        <groupId>org.apache.maven.plugins</groupId>
+                                        <artifactId>maven-dependency-plugin</artifactId>
+                                        <versionRange>[0,)</versionRange>
+                                        <goals>
+                                            <goal>copy</goal>
+                                            <goal>unpack</goal>
+                                        </goals>
+                                    </pluginExecutionFilter>
+                                    <action>
+                                        <ignore></ignore>
+                                    </action>
+                                </pluginExecution>
+                                <pluginExecution>
+                                    <pluginExecutionFilter>
+                                        <groupId>org.apache.karaf.tooling</groupId>
+                                        <artifactId>karaf-maven-plugin</artifactId>
+                                        <versionRange>[0,)</versionRange>
+                                        <goals>
+                                            <goal>commands-generate-help</goal>
+                                        </goals>
+                                    </pluginExecutionFilter>
+                                    <action>
+                                        <ignore></ignore>
+                                    </action>
+                                </pluginExecution>
+                                <pluginExecution>
+                                    <pluginExecutionFilter>
+                                        <groupId>org.fusesource.scalate</groupId>
+                                        <artifactId>maven-scalate-plugin</artifactId>
+                                        <versionRange>[0,)</versionRange>
+                                        <goals>
+                                            <goal>sitegen</goal>
+                                        </goals>
+                                    </pluginExecutionFilter>
+                                    <action>
+                                        <ignore></ignore>
+                                    </action>
+                                </pluginExecution>
+                                <pluginExecution>
+                                    <pluginExecutionFilter>
+                                        <groupId>org.apache.servicemix.tooling</groupId>
+                                        <artifactId>depends-maven-plugin</artifactId>
+                                        <versionRange>[0,)</versionRange>
+                                        <goals>
+                                            <goal>generate-depends-file</goal>
+                                        </goals>
+                                    </pluginExecutionFilter>
+                                    <action>
+                                        <ignore></ignore>
+                                    </action>
+                                </pluginExecution>
+                            </pluginExecutions>
+                        </lifecycleMappingMetadata>
+                    </configuration>
+                </plugin>
+            </plugins>
+        </pluginManagement>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.karaf.tooling</groupId>
+                <artifactId>karaf-maven-plugin</artifactId>
+                <extensions>true</extensions>
+                <configuration>
+                    <bootFeatures>
+                        <feature>standard</feature>
+                        <!-- Optional TODO: Add entries here for the features
+                            you want in your local distro Note: odl-restconf is a separate feature from
+                            odl-mdsal-broker. If you want restconf, you need to list it here explicitely.
+                            Examples: <feature>odl-toaster</feature> <feature>odl-restconf</feature> -->
+                        <!-- Final TODO: Remove TODO Comments ;) -->
+                    </bootFeatures>
+                </configuration>
+                <executions>
+                    <execution>
+                        <id>process-resources</id>
+                        <goals>
+                            <goal>install-kars</goal>
+                        </goals>
+                        <phase>process-resources</phase>
+                    </execution>
+                    <execution>
+                        <id>package</id>
+                        <goals>
+                            <goal>instance-create-archive</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-dependency-plugin</artifactId>
+                <version>2.6</version>
+                <executions>
+                    <execution>
+                        <id>copy</id>
+                        <goals>
+                            <goal>copy</goal>
+                        </goals>
+                        <phase>generate-resources</phase>
+                        <configuration>
+                            <artifactItems>
+                                <artifactItem>
+                                    <groupId>org.opendaylight.controller</groupId>
+                                    <artifactId>karaf.branding</artifactId>
+                                    <version>${karaf.branding.version}</version>
+                                    <outputDirectory>target/assembly/lib</outputDirectory>
+                                    <destFileName>karaf.branding-${karaf.branding.version}.jar</destFileName>
+                                </artifactItem>
+                            </artifactItems>
+                        </configuration>
+                    </execution>
+                    <execution>
+                        <id>unpack-karaf-resources</id>
+                        <goals>
+                            <goal>unpack-dependencies</goal>
+                        </goals>
+                        <phase>prepare-package</phase>
+                        <configuration>
+                            <outputDirectory>${project.build.directory}/assembly</outputDirectory>
+                            <groupId>org.opendaylight.controller</groupId>
+                            <includeArtifactIds>opendaylight-karaf-resources</includeArtifactIds>
+                            <excludes>META-INF\/**</excludes>
+                            <excludeTransitive>true</excludeTransitive>
+                            <ignorePermissions>false</ignorePermissions>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-antrun-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <phase>prepare-package</phase>
+                        <goals>
+                            <goal>run</goal>
+                        </goals>
+                        <configuration>
+                            <tasks>
+                                <chmod perm="755">
+                                    <fileset
+                                        dir="${project.build.directory}/assembly/bin">
+                                        <include name="karaf" />
+                                        <include name="instance" />
+                                        <include name="start" />
+                                        <include name="stop" />
+                                        <include name="status" />
+                                        <include name="client" />
+                                        <include name="shell" />
+                                    </fileset>
+                                </chmod>
+                            </tasks>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+    <scm>
+        <connection>scm:git:ssh://git.opendaylight.org:29418/aaa.git</connection>
+        <developerConnection>scm:git:ssh://git.opendaylight.org:29418/aaa.git</developerConnection>
+        <tag>HEAD</tag>
+        <url>https://git.opendaylight.org/gerrit/gitweb?p=aaa.git;a=summary</url>
+    </scm>
+</project>
diff --git a/odl-aaa-moon/features/api/pom.xml b/odl-aaa-moon/features/api/pom.xml
new file mode 100644
index 00000000..b64242ae
--- /dev/null
+++ b/odl-aaa-moon/features/api/pom.xml
@@ -0,0 +1,91 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others.
+    All rights reserved. This program and the accompanying materials are made
+    available under the terms of the Eclipse Public License v1.0 which accompanies
+    this distribution, and is available at http://www.eclipse.org/legal/epl-v10.html -->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.opendaylight.odlparent</groupId>
+        <artifactId>features-parent</artifactId>
+        <version>1.6.1-Beryllium-SR1</version>
+        <relativePath/>
+    </parent>
+
+    <groupId>org.opendaylight.aaa</groupId>
+    <artifactId>features-aaa-api</artifactId>
+    <version>0.3.1-Beryllium-SR1</version>
+    <packaging>jar</packaging>
+
+    <properties>
+        <yangtools.version>0.8.1-Beryllium-SR1</yangtools.version>
+        <mdsal.version>2.0.1-Beryllium-SR1</mdsal.version>
+    </properties>
+
+    <dependencyManagement>
+        <dependencies>
+            <!-- This project -->
+            <dependency>
+                <groupId>org.opendaylight.aaa</groupId>
+                <artifactId>aaa-artifacts</artifactId>
+                <version>${project.version}</version>
+                <scope>import</scope>
+                <type>pom</type>
+            </dependency>
+
+            <!-- YANG tools -->
+            <dependency>
+                <groupId>org.opendaylight.yangtools</groupId>
+                <artifactId>yangtools-artifacts</artifactId>
+                <version>${yangtools.version}</version>
+                <scope>import</scope>
+                <type>pom</type>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
+    <dependencies>
+        <dependency>
+          <groupId>org.slf4j</groupId>
+          <artifactId>slf4j-api</artifactId>
+        </dependency>
+        <dependency>
+          <groupId>org.slf4j</groupId>
+          <artifactId>slf4j-simple</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.sun.jersey</groupId>
+            <artifactId>jersey-server</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-credential-store-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.yangtools</groupId>
+            <artifactId>features-yangtools</artifactId>
+            <classifier>features</classifier>
+            <type>xml</type>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.mdsal</groupId>
+            <artifactId>features-mdsal</artifactId>
+            <version>2.0.1-Beryllium-SR1</version>
+            <classifier>features</classifier>
+            <type>xml</type>
+        </dependency>
+    </dependencies>
+
+    <scm>
+        <connection>scm:git:ssh://git.opendaylight.org:29418/aaa.git</connection>
+        <developerConnection>scm:git:ssh://git.opendaylight.org:29418/aaa.git</developerConnection>
+        <tag>HEAD</tag>
+        <url>https://git.opendaylight.org/gerrit/gitweb?p=aaa.git;a=summary</url>
+    </scm>
+</project>
diff --git a/odl-aaa-moon/features/api/src/main/features/features.xml b/odl-aaa-moon/features/api/src/main/features/features.xml
new file mode 100644
index 00000000..c526e174
--- /dev/null
+++ b/odl-aaa-moon/features/api/src/main/features/features.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- vi: set et smarttab sw=4 tabstop=4: -->
+<!-- Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others.
+    All rights reserved. This program and the accompanying materials are made
+    available under the terms of the Eclipse Public License v1.0 which accompanies
+    this distribution, and is available at http://www.eclipse.org/legal/epl-v10.html -->
+<features name="odl-aaa-${project.version}" xmlns="http://karaf.apache.org/xmlns/features/v1.2.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://karaf.apache.org/xmlns/features/v1.2.0 http://karaf.apache.org/xmlns/features/v1.2.0">
+    <repository>mvn:org.opendaylight.yangtools/features-yangtools/{{VERSION}}/xml/features</repository>
+        <repository>mvn:org.opendaylight.mdsal/features-mdsal/{{VERSION}}/xml/features</repository>
+    <feature name='odl-aaa-api' description='OpenDaylight :: AAA :: APIs'
+        version='${project.version}'>
+        <bundle>mvn:com.sun.jersey/jersey-server/{{VERSION}}</bundle>
+        <bundle>mvn:com.sun.jersey/jersey-core/{{VERSION}}</bundle>
+        <bundle>mvn:org.opendaylight.aaa/aaa-authn-api/{{VERSION}}</bundle>
+        <bundle>mvn:org.opendaylight.aaa/aaa-credential-store-api/{{VERSION}}</bundle>
+        <feature version='${yangtools.version}'>odl-yangtools-common</feature>
+        <feature version='${mdsal.version}'>odl-mdsal-binding-base</feature>
+    </feature>
+</features>
diff --git a/odl-aaa-moon/features/authn/pom.xml b/odl-aaa-moon/features/authn/pom.xml
new file mode 100644
index 00000000..d7d0def8
--- /dev/null
+++ b/odl-aaa-moon/features/authn/pom.xml
@@ -0,0 +1,304 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Copyright (c) 2014-2015 Hewlett-Packard Development Company, L.P. and others.
+    All rights reserved. This program and the accompanying materials are made
+    available under the terms of the Eclipse Public License v1.0 which accompanies
+    this distribution, and is available at http://www.eclipse.org/legal/epl-v10.html -->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.opendaylight.odlparent</groupId>
+        <artifactId>features-parent</artifactId>
+        <version>1.6.1-Beryllium-SR1</version>
+        <relativePath/>
+    </parent>
+
+    <groupId>org.opendaylight.aaa</groupId>
+    <artifactId>features-aaa</artifactId>
+    <version>0.3.1-Beryllium-SR1</version>
+    <packaging>jar</packaging>
+
+    <properties>
+        <config.version>0.4.1-Beryllium-SR1</config.version>
+        <mdsal.version>2.0.1-Beryllium-SR1</mdsal.version>
+        <controller.mdsal.version>1.3.1-Beryllium-SR1</controller.mdsal.version>
+        <yangtools.version>0.8.1-Beryllium-SR1</yangtools.version>
+        <shiro.version>0.3.1-Beryllium-SR1</shiro.version>
+    </properties>
+
+    <dependencyManagement>
+        <dependencies>
+            <!-- This project -->
+            <dependency>
+                <groupId>org.opendaylight.aaa</groupId>
+                <artifactId>aaa-parent</artifactId>
+                <version>${project.version}</version>
+                <scope>import</scope>
+                <type>pom</type>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
+    <dependencies>
+        <!-- shiro dependencies -->
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-shiro</artifactId>
+            <version>${shiro.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-shiro-act</artifactId>
+            <version>${shiro.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.shiro</groupId>
+            <artifactId>shiro-core</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.shiro</groupId>
+            <artifactId>shiro-web</artifactId>
+        </dependency>
+        <!-- odl-aaa-authn -->
+        <dependency>
+            <groupId>com.sun.jersey</groupId>
+            <artifactId>jersey-servlet</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.sun.jersey</groupId>
+            <artifactId>jersey-core</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.sun.jersey</groupId>
+            <artifactId>jersey-server</artifactId>
+        </dependency>
+        <!-- jersey client for moon APIs calls -->
+        <dependency>
+           <groupId>com.sun.jersey</groupId>
+           <artifactId>jersey-client</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.sun.jersey</groupId>
+            <artifactId>jersey-json</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.felix</groupId>
+            <artifactId>org.apache.felix.dependencymanager</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.felix</groupId>
+            <artifactId>org.apache.felix.metatype</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>net.sf.ehcache</groupId>
+            <artifactId>ehcache</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.geronimo.specs</groupId>
+            <artifactId>geronimo-jta_1.1_spec</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.oltu.oauth2</groupId>
+            <artifactId>org.apache.oltu.oauth2.common</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.oltu.oauth2</groupId>
+            <artifactId>org.apache.oltu.oauth2.authzserver</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.oltu.oauth2</groupId>
+            <artifactId>org.apache.oltu.oauth2.resourceserver</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>commons-codec</groupId>
+            <artifactId>commons-codec</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.json</groupId>
+            <artifactId>json</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.glassfish</groupId>
+            <artifactId>javax.json</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-core</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-annotations</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.datatype</groupId>
+            <artifactId>jackson-datatype-json-org</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.jaxrs</groupId>
+            <artifactId>jackson-jaxrs-base</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.jaxrs</groupId>
+            <artifactId>jackson-jaxrs-json-provider</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.module</groupId>
+            <artifactId>jackson-module-jaxb-annotations</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.google.guava</groupId>
+            <artifactId>guava</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.h2database</groupId>
+            <artifactId>h2</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>features-aaa-api</artifactId>
+            <classifier>features</classifier>
+            <type>xml</type>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn-sts</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn-store</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn-basic</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-idmlight</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-idmlight</artifactId>
+            <type>xml</type>
+            <classifier>config</classifier>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-idmlight</artifactId>
+            <version>${project.version}</version>
+            <type>py</type>
+            <classifier>config</classifier>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn-federation</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn-mdsal-config</artifactId>
+            <type>xml</type>
+            <classifier>config</classifier>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn</artifactId>
+            <type>cfg</type>
+            <classifier>config</classifier>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn-store</artifactId>
+            <type>cfg</type>
+            <classifier>config</classifier>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn-federation</artifactId>
+            <type>cfg</type>
+            <classifier>config</classifier>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-h2-store</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-h2-store</artifactId>
+            <type>xml</type>
+            <classifier>config</classifier>
+        </dependency>
+
+
+        <dependency>
+            <groupId>org.osgi</groupId>
+            <artifactId>org.osgi.enterprise</artifactId>
+            <version>4.2.0</version>
+        </dependency>
+
+        <!-- AuthN MD-SAL Cache dependencies -->
+
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn-mdsal-store-impl</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn-mdsal-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.yangtools</groupId>
+            <artifactId>features-yangtools</artifactId>
+            <classifier>features</classifier>
+            <type>xml</type>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.controller</groupId>
+            <artifactId>features-mdsal</artifactId>
+            <classifier>features</classifier>
+            <type>xml</type>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.controller</groupId>
+            <artifactId>features-config</artifactId>
+            <classifier>features</classifier>
+            <type>xml</type>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.controller</groupId>
+            <artifactId>sal-common-impl</artifactId>
+        </dependency>
+
+        <!-- odl-aaa-sssd -->
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn-sssd</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn-idpmapping</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn-keystone</artifactId>
+        </dependency>
+    </dependencies>
+    <scm>
+        <connection>scm:git:ssh://git.opendaylight.org:29418/aaa.git</connection>
+        <developerConnection>scm:git:ssh://git.opendaylight.org:29418/aaa.git</developerConnection>
+        <tag>HEAD</tag>
+        <url>https://git.opendaylight.org/gerrit/gitweb?p=aaa.git;a=summary</url>
+    </scm>
+</project>
diff --git a/odl-aaa-moon/features/authn/src/main/features/features.xml b/odl-aaa-moon/features/authn/src/main/features/features.xml
new file mode 100644
index 00000000..2c48d2c1
--- /dev/null
+++ b/odl-aaa-moon/features/authn/src/main/features/features.xml
@@ -0,0 +1,247 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- vi: set et smarttab sw=4 tabstop=4: -->
+<!-- Copyright (c) 2014-2015 Hewlett-Packard Development Company, L.P. and others.
+    All rights reserved. This program and the accompanying materials are made
+    available under the terms of the Eclipse Public License v1.0 which accompanies
+    this distribution, and is available at http://www.eclipse.org/legal/epl-v10.html -->
+<features name="odl-aaa-${project.version}" xmlns="http://karaf.apache.org/xmlns/features/v1.2.0"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://karaf.apache.org/xmlns/features/v1.2.0 http://karaf.apache.org/xmlns/features/v1.2.0">
+    <repository>mvn:org.opendaylight.aaa/features-aaa-api/{{VERSION}}/xml/features</repository>
+    <repository>mvn:org.opendaylight.yangtools/features-yangtools/{{VERSION}}/xml/features</repository>
+    <repository>mvn:org.opendaylight.controller/features-config/{{VERSION}}/xml/features</repository>
+    <repository>mvn:org.opendaylight.mdsal/features-mdsal/{{VERSION}}/xml/features</repository>
+    <repository>mvn:org.opendaylight.controller/features-mdsal/{{VERSION}}/xml/features</repository>
+
+    <feature name='odl-aaa-authn-no-cluster' description='OpenDaylight :: AAA :: Authentication - NO CLUSTER'
+             version='${project.version}'>
+        <feature version='${project.version}'>odl-aaa-api</feature>
+
+        <!-- MD-SAL -->
+        <feature version='${yangtools.version}'>odl-yangtools-common</feature>
+        <feature version='${mdsal.version}'>odl-mdsal-binding-base</feature>
+        <feature version='${controller.mdsal.version}'>odl-mdsal-broker</feature>
+        <feature version='${config.version}'>odl-config-core</feature>
+
+        <!-- REST -->
+        <feature>war</feature>
+        <bundle>mvn:com.sun.jersey/jersey-servlet/{{VERSION}}</bundle>
+        <bundle>mvn:com.sun.jersey/jersey-core/{{VERSION}}</bundle>
+        <bundle>mvn:com.sun.jersey/jersey-server/{{VERSION}}</bundle>
+
+        <!-- OSGi -->
+        <bundle>mvn:org.apache.felix/org.apache.felix.dependencymanager/{{VERSION}}</bundle>
+        <bundle>mvn:org.apache.felix/org.apache.felix.metatype/{{VERSION}}</bundle>
+
+        <!-- EhCache -->
+        <bundle>mvn:net.sf.ehcache/ehcache/{{VERSION}}</bundle>
+        <bundle>mvn:org.apache.geronimo.specs/geronimo-jta_1.1_spec/{{VERSION}}</bundle>
+
+        <!-- OAuth -->
+        <bundle>mvn:org.apache.oltu.oauth2/org.apache.oltu.oauth2.common/{{VERSION}}</bundle>
+        <bundle>mvn:org.apache.oltu.oauth2/org.apache.oltu.oauth2.authzserver/{{VERSION}}</bundle>
+        <bundle>mvn:org.apache.oltu.oauth2/org.apache.oltu.oauth2.resourceserver/{{VERSION}}</bundle>
+        <bundle>mvn:commons-codec/commons-codec/{{VERSION}}</bundle>
+        <bundle>wrap:mvn:org.json/json/{{VERSION}}</bundle>
+
+        <!-- commons-lang -->
+        <bundle>wrap:mvn:org.apache.commons/commons-lang3/{{VERSION}}</bundle>
+
+        <!-- AuthN -->
+        <bundle>mvn:org.opendaylight.aaa/aaa-shiro/{{VERSION}}</bundle>
+        <bundle>mvn:org.opendaylight.aaa/aaa-shiro-act/{{VERSION}}</bundle>
+        <bundle>mvn:org.apache.shiro/shiro-core/{{VERSION}}</bundle>
+        <bundle>mvn:org.apache.shiro/shiro-web/{{VERSION}}</bundle>
+        <bundle>mvn:org.opendaylight.aaa/aaa-authn/{{VERSION}}</bundle>
+        <bundle>mvn:org.opendaylight.aaa/aaa-authn-sts/{{VERSION}}</bundle>
+        <bundle>mvn:org.opendaylight.aaa/aaa-authn-store/{{VERSION}}</bundle>
+        <bundle>mvn:org.opendaylight.aaa/aaa-authn-basic/{{VERSION}}</bundle>
+        <bundle>mvn:com.google.guava/guava/{{VERSION}}</bundle>
+
+        <!--H2 Store -->
+        <bundle>mvn:org.osgi/org.osgi.enterprise/4.2.0</bundle>
+        <bundle>wrap:mvn:com.h2database/h2/{{VERSION}}</bundle>
+        <bundle>mvn:org.opendaylight.aaa/aaa-h2-store/{{VERSION}}</bundle>
+        <configfile finalname="etc/opendaylight/karaf/08-aaa-h2-store-config.xml">mvn:org.opendaylight.aaa/aaa-h2-store/{{VERSION}}/xml/config</configfile>
+
+        <!-- IDMLight -->
+        <bundle>mvn:org.opendaylight.aaa/aaa-idmlight/{{VERSION}}</bundle>
+        <configfile finalname="etc/opendaylight/karaf/08-aaa-idmlight-config.xml">mvn:org.opendaylight.aaa/aaa-idmlight/{{VERSION}}/xml/config</configfile>
+        <configfile finalname="etc/idmtool">mvn:org.opendaylight.aaa/aaa-idmlight/{{VERSION}}/py/config</configfile>
+
+        <bundle>mvn:com.fasterxml.jackson.core/jackson-core/{{VERSION}}</bundle>
+        <bundle>mvn:com.fasterxml.jackson.core/jackson-annotations/{{VERSION}}</bundle>
+        <bundle>mvn:com.fasterxml.jackson.core/jackson-databind/{{VERSION}}</bundle>
+        <bundle>mvn:com.fasterxml.jackson.datatype/jackson-datatype-json-org/{{VERSION}}</bundle>
+        <bundle>mvn:com.fasterxml.jackson.jaxrs/jackson-jaxrs-base/{{VERSION}}</bundle>
+        <bundle>mvn:com.fasterxml.jackson.jaxrs/jackson-jaxrs-json-provider/{{VERSION}}</bundle>
+        <bundle>mvn:com.fasterxml.jackson.module/jackson-module-jaxb-annotations/{{VERSION}}</bundle>
+
+        <!-- Federation -->
+        <bundle>mvn:org.opendaylight.aaa/aaa-authn-federation/{{VERSION}}</bundle>
+        <bundle>mvn:org.opendaylight.aaa/aaa-authn-idpmapping/{{VERSION}}</bundle>
+        <bundle>mvn:org.glassfish/javax.json/{{VERSION}}</bundle>
+
+        <configfile finalname="/etc/org.opendaylight.aaa.authn.cfg">mvn:org.opendaylight.aaa/aaa-authn/{{VERSION}}/cfg/config</configfile>
+        <configfile finalname="/etc/org.opendaylight.aaa.tokens.cfg">mvn:org.opendaylight.aaa/aaa-authn-store/{{VERSION}}/cfg/config</configfile>
+        <configfile finalname="/etc/org.opendaylight.aaa.federation.cfg">mvn:org.opendaylight.aaa/aaa-authn-federation/{{VERSION}}/cfg/config</configfile>
+    </feature>
+
+    <feature name='odl-aaa-authn' description='OpenDaylight :: AAA :: Authentication - NO CLUSTER'
+             version='${project.version}'>
+        <feature version='${project.version}'>odl-aaa-api</feature>
+
+        <!-- MD-SAL -->
+        <feature version='${yangtools.version}'>odl-yangtools-common</feature>
+        <feature version='${mdsal.version}'>odl-mdsal-binding-base</feature>
+        <feature version='${controller.mdsal.version}'>odl-mdsal-broker</feature>
+        <feature version='${config.version}'>odl-config-core</feature>
+
+        <!-- REST -->
+        <feature>war</feature>
+        <bundle>mvn:com.sun.jersey/jersey-servlet/{{VERSION}}</bundle>
+        <bundle>mvn:com.sun.jersey/jersey-core/{{VERSION}}</bundle>
+        <bundle>mvn:com.sun.jersey/jersey-server/{{VERSION}}</bundle>
+        <bundle>mvn:com.sun.jersey/jersey-client/${jersey.version}</bundle>
+
+        <!-- OSGi -->
+        <bundle>mvn:org.apache.felix/org.apache.felix.dependencymanager/{{VERSION}}</bundle>
+        <bundle>mvn:org.apache.felix/org.apache.felix.metatype/{{VERSION}}</bundle>
+
+        <!-- EhCache -->
+        <bundle>mvn:net.sf.ehcache/ehcache/{{VERSION}}</bundle>
+        <bundle>mvn:org.apache.geronimo.specs/geronimo-jta_1.1_spec/{{VERSION}}</bundle>
+
+        <!-- OAuth -->
+        <bundle>mvn:org.opendaylight.aaa/aaa-shiro/{{VERSION}}</bundle>
+        <bundle>mvn:org.opendaylight.aaa/aaa-shiro-act/{{VERSION}}</bundle>
+        <bundle>mvn:org.apache.shiro/shiro-core/{{VERSION}}</bundle>
+        <bundle>mvn:org.apache.shiro/shiro-web/{{VERSION}}</bundle>
+        <bundle>mvn:org.apache.oltu.oauth2/org.apache.oltu.oauth2.common/{{VERSION}}</bundle>
+        <bundle>mvn:org.apache.oltu.oauth2/org.apache.oltu.oauth2.authzserver/{{VERSION}}</bundle>
+        <bundle>mvn:org.apache.oltu.oauth2/org.apache.oltu.oauth2.resourceserver/{{VERSION}}</bundle>
+        <bundle>mvn:commons-codec/commons-codec/{{VERSION}}</bundle>
+        <bundle>wrap:mvn:org.json/json/{{VERSION}}</bundle>
+
+        <!-- commons-lang -->
+        <bundle>wrap:mvn:org.apache.commons/commons-lang3/{{VERSION}}</bundle>
+
+        <!-- AuthN -->
+        <bundle>mvn:org.opendaylight.aaa/aaa-authn/{{VERSION}}</bundle>
+        <bundle>mvn:org.opendaylight.aaa/aaa-authn-sts/{{VERSION}}</bundle>
+        <bundle>mvn:org.opendaylight.aaa/aaa-authn-store/{{VERSION}}</bundle>
+        <bundle>mvn:org.opendaylight.aaa/aaa-authn-basic/{{VERSION}}</bundle>
+        <bundle>mvn:com.google.guava/guava/{{VERSION}}</bundle>
+
+        <!--H2 Store -->
+        <bundle>mvn:org.osgi/org.osgi.enterprise/4.2.0</bundle>
+        <bundle>wrap:mvn:com.h2database/h2/{{VERSION}}</bundle>
+        <bundle>mvn:org.opendaylight.aaa/aaa-h2-store/{{VERSION}}</bundle>
+        <configfile finalname="etc/opendaylight/karaf/08-aaa-h2-store-config.xml">mvn:org.opendaylight.aaa/aaa-h2-store/{{VERSION}}/xml/config</configfile>
+
+        <!-- IDMLight -->
+        <bundle>mvn:org.opendaylight.aaa/aaa-idmlight/{{VERSION}}</bundle>
+        <configfile finalname="etc/opendaylight/karaf/08-aaa-idmlight-config.xml">mvn:org.opendaylight.aaa/aaa-idmlight/{{VERSION}}/xml/config</configfile>
+        <configfile finalname="etc/idmtool">mvn:org.opendaylight.aaa/aaa-idmlight/{{VERSION}}/py/config</configfile>
+
+        <bundle>mvn:com.fasterxml.jackson.core/jackson-core/{{VERSION}}</bundle>
+        <bundle>mvn:com.fasterxml.jackson.core/jackson-annotations/{{VERSION}}</bundle>
+        <bundle>mvn:com.fasterxml.jackson.core/jackson-databind/{{VERSION}}</bundle>
+        <bundle>mvn:com.fasterxml.jackson.datatype/jackson-datatype-json-org/{{VERSION}}</bundle>
+        <bundle>mvn:com.fasterxml.jackson.jaxrs/jackson-jaxrs-base/{{VERSION}}</bundle>
+        <bundle>mvn:com.fasterxml.jackson.jaxrs/jackson-jaxrs-json-provider/{{VERSION}}</bundle>
+        <bundle>mvn:com.fasterxml.jackson.module/jackson-module-jaxb-annotations/{{VERSION}}</bundle>
+
+        <!-- Federation -->
+        <bundle>mvn:org.opendaylight.aaa/aaa-authn-federation/{{VERSION}}</bundle>
+        <bundle>mvn:org.opendaylight.aaa/aaa-authn-idpmapping/{{VERSION}}</bundle>
+        <bundle>mvn:org.glassfish/javax.json/{{VERSION}}</bundle>
+
+        <configfile finalname="/etc/org.opendaylight.aaa.authn.cfg">mvn:org.opendaylight.aaa/aaa-authn/{{VERSION}}/cfg/config</configfile>
+        <configfile finalname="/etc/org.opendaylight.aaa.tokens.cfg">mvn:org.opendaylight.aaa/aaa-authn-store/{{VERSION}}/cfg/config</configfile>
+        <configfile finalname="/etc/org.opendaylight.aaa.federation.cfg">mvn:org.opendaylight.aaa/aaa-authn-federation/{{VERSION}}/cfg/config</configfile>
+    </feature>
+
+    <feature name='odl-aaa-authn-mdsal-cluster' description='OpenDaylight :: AAA :: Authentication :: MD-SAL'
+             version='${project.version}'>
+
+        <!-- MD-SAL -->
+        <feature version='${yangtools.version}'>odl-yangtools-common</feature>
+        <feature version='${mdsal.version}'>odl-mdsal-binding-base</feature>
+        <feature version='${controller.mdsal.version}'>odl-mdsal-broker</feature>
+        <feature version='${config.version}'>odl-config-core</feature>
+
+
+        <!-- OSGi -->
+        <bundle>mvn:org.apache.felix/org.apache.felix.dependencymanager/{{VERSION}}</bundle>
+        <bundle>mvn:org.apache.felix/org.apache.felix.metatype/{{VERSION}}</bundle>
+
+        <!-- OAuth -->
+        <bundle>mvn:org.apache.oltu.oauth2/org.apache.oltu.oauth2.common/{{VERSION}}</bundle>
+        <bundle>mvn:org.apache.oltu.oauth2/org.apache.oltu.oauth2.authzserver/{{VERSION}}</bundle>
+        <bundle>mvn:org.apache.oltu.oauth2/org.apache.oltu.oauth2.resourceserver/{{VERSION}}</bundle>
+        <bundle>mvn:commons-codec/commons-codec/1.8</bundle>
+        <bundle>wrap:mvn:org.json/json/{{VERSION}}</bundle>
+
+        <!-- AuthN -->
+        <bundle>mvn:org.opendaylight.aaa/aaa-shiro/{{VERSION}}</bundle>
+        <bundle>mvn:org.opendaylight.aaa/aaa-shiro-act/{{VERSION}}</bundle>
+        <bundle>mvn:org.apache.shiro/shiro-core/{{VERSION}}</bundle>
+        <bundle>mvn:org.apache.shiro/shiro-web/{{VERSION}}</bundle>
+        <bundle>mvn:org.opendaylight.aaa/aaa-authn-api/{{VERSION}}</bundle>
+        <bundle>mvn:org.opendaylight.aaa/aaa-authn/{{VERSION}}</bundle>
+        <bundle>mvn:org.opendaylight.aaa/aaa-authn-sts/{{VERSION}}</bundle>
+        <bundle>mvn:org.opendaylight.aaa/aaa-authn-mdsal-api/{{VERSION}}</bundle>
+        <bundle>mvn:org.opendaylight.aaa/aaa-authn-mdsal-store-impl/{{VERSION}}</bundle>
+        <bundle>mvn:org.opendaylight.aaa/aaa-authn-basic/{{VERSION}}</bundle>
+        <bundle>mvn:com.google.guava/guava/{{VERSION}}</bundle>
+
+        <!-- IDMLight -->
+        <bundle>mvn:org.opendaylight.aaa/aaa-idmlight/{{VERSION}}</bundle>
+        <configfile finalname="etc/opendaylight/karaf/08-aaa-idmlight-config.xml">mvn:org.opendaylight.aaa/aaa-idmlight/{{VERSION}}/xml/config</configfile>
+        <bundle>mvn:com.fasterxml.jackson.core/jackson-core/{{VERSION}}</bundle>
+        <bundle>mvn:com.fasterxml.jackson.core/jackson-annotations/{{VERSION}}</bundle>
+        <bundle>mvn:com.fasterxml.jackson.core/jackson-databind/{{VERSION}}</bundle>
+        <bundle>mvn:com.fasterxml.jackson.datatype/jackson-datatype-json-org/{{VERSION}}</bundle>
+        <bundle>mvn:com.fasterxml.jackson.jaxrs/jackson-jaxrs-base/{{VERSION}}</bundle>
+        <bundle>mvn:com.fasterxml.jackson.jaxrs/jackson-jaxrs-json-provider/{{VERSION}}</bundle>
+        <bundle>mvn:com.fasterxml.jackson.module/jackson-module-jaxb-annotations/{{VERSION}}</bundle>
+        <bundle>wrap:mvn:com.h2database/h2/{{VERSION}}</bundle>
+
+        <!-- Federation -->
+        <bundle>mvn:org.opendaylight.aaa/aaa-authn-federation/{{VERSION}}</bundle>
+        <bundle>mvn:org.opendaylight.aaa/aaa-authn-idpmapping/{{VERSION}}</bundle>
+        <bundle>mvn:org.glassfish/javax.json/1.0.4</bundle>
+
+        <!-- REST -->
+        <feature>war</feature>
+        <bundle>mvn:com.sun.jersey/jersey-servlet/{{VERSION}}</bundle>
+        <bundle>mvn:com.sun.jersey/jersey-core/{{VERSION}}</bundle>
+        <bundle>mvn:com.sun.jersey/jersey-server/{{VERSION}}</bundle>
+
+        <configfile finalname="etc/opendaylight/karaf/08-authn-config.xml">mvn:org.opendaylight.aaa/aaa-authn-mdsal-config/{{VERSION}}/xml/config</configfile>
+        <configfile finalname="/etc/org.opendaylight.aaa.authn.cfg">mvn:org.opendaylight.aaa/aaa-authn/{{VERSION}}/cfg/config</configfile>
+        <configfile finalname="/etc/org.opendaylight.aaa.federation.cfg">mvn:org.opendaylight.aaa/aaa-authn-federation/{{VERSION}}/cfg/config</configfile>
+
+    </feature>
+
+    <feature name='odl-aaa-keystone-plugin' description='OpenDaylight :: AAA :: Keystone Plugin - NO CLUSTER'
+             version='${project.version}'>
+        <feature version='${project.version}'>odl-aaa-authn</feature>
+        <bundle>mvn:org.apache.httpcomponents/httpclient-osgi/{{VERSION}}</bundle>
+        <bundle>mvn:org.apache.httpcomponents/httpcore-osgi/{{VERSION}}</bundle>
+        <bundle>mvn:org.opendaylight.aaa/aaa-authn-keystone/{{VERSION}}</bundle>
+    </feature>
+
+    <feature name='odl-aaa-sssd-plugin' description='OpenDaylight :: AAA :: SSSD Federation Plugin'
+             version='${project.version}'>
+        <feature version='${project.version}'>odl-aaa-authn</feature>
+        <bundle>mvn:org.opendaylight.aaa/aaa-authn-sssd/{{VERSION}}</bundle>
+    </feature>
+
+    <feature name='odl-aaa-authn-sssd-no-cluster' description='OpenDaylight :: AAA :: SSSD Federation - NO CLUSTER'
+             version='${project.version}'>
+        <feature version='${project.version}'>odl-aaa-authn-no-cluster</feature>
+        <bundle>mvn:org.opendaylight.aaa/aaa-authn-sssd/{{VERSION}}</bundle>
+    </feature>
+</features>
diff --git a/odl-aaa-moon/features/authz/pom.xml b/odl-aaa-moon/features/authz/pom.xml
new file mode 100644
index 00000000..41808378
--- /dev/null
+++ b/odl-aaa-moon/features/authz/pom.xml
@@ -0,0 +1,101 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others.
+    All rights reserved. This program and the accompanying materials are made
+    available under the terms of the Eclipse Public License v1.0 which accompanies
+    this distribution, and is available at http://www.eclipse.org/legal/epl-v10.html -->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.opendaylight.odlparent</groupId>
+        <artifactId>features-parent</artifactId>
+        <version>1.6.1-Beryllium-SR1</version>
+        <relativePath/>
+    </parent>
+
+    <groupId>org.opendaylight.aaa</groupId>
+    <artifactId>features-aaa-authz</artifactId>
+    <version>0.3.1-Beryllium-SR1</version>
+    <packaging>jar</packaging>
+
+    <properties>
+        <config.version>0.4.1-Beryllium-SR1</config.version>
+        <mdsal.version>2.0.1-Beryllium-SR1</mdsal.version>
+        <controller.mdsal.version>1.3.1-Beryllium-SR1</controller.mdsal.version>
+        <yangtools.version>0.8.1-Beryllium-SR1</yangtools.version>
+    </properties>
+
+    <dependencyManagement>
+        <dependencies>
+            <!-- This project -->
+            <dependency>
+                <groupId>org.opendaylight.aaa</groupId>
+                <artifactId>aaa-parent</artifactId>
+                <version>${project.version}</version>
+                <scope>import</scope>
+                <type>pom</type>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>features-aaa-api</artifactId>
+            <classifier>features</classifier>
+            <type>xml</type>
+        </dependency>
+        <!-- odl-aaa-authz -->
+        <dependency>
+            <groupId>org.opendaylight.yangtools</groupId>
+            <artifactId>features-yangtools</artifactId>
+            <classifier>features</classifier>
+            <type>xml</type>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.mdsal</groupId>
+            <artifactId>features-mdsal</artifactId>
+            <classifier>features</classifier>
+            <version>${mdsal.version}</version>
+            <type>xml</type>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.controller</groupId>
+            <artifactId>features-config</artifactId>
+            <classifier>features</classifier>
+            <type>xml</type>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.controller</groupId>
+            <artifactId>features-mdsal</artifactId>
+            <classifier>features</classifier>
+            <type>xml</type>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>authz-restconf-config</artifactId>
+            <type>xml</type>
+            <classifier>config</classifier>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authz-model</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authz-service</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>authz-service-config</artifactId>
+            <type>xml</type>
+            <classifier>config</classifier>
+        </dependency>
+    </dependencies>
+    <scm>
+        <connection>scm:git:ssh://git.opendaylight.org:29418/aaa.git</connection>
+        <developerConnection>scm:git:ssh://git.opendaylight.org:29418/aaa.git</developerConnection>
+        <tag>HEAD</tag>
+        <url>https://git.opendaylight.org/gerrit/gitweb?p=aaa.git;a=summary</url>
+    </scm>
+</project>
diff --git a/odl-aaa-moon/features/authz/src/main/features/features.xml b/odl-aaa-moon/features/authz/src/main/features/features.xml
new file mode 100644
index 00000000..c5239045
--- /dev/null
+++ b/odl-aaa-moon/features/authz/src/main/features/features.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- vi: set et smarttab sw=4 tabstop=4: -->
+<!-- Copyright (c) 2014 Hewlett-Packard Development Company, L.P. and others.
+    All rights reserved. This program and the accompanying materials are made
+    available under the terms of the Eclipse Public License v1.0 which accompanies
+    this distribution, and is available at http://www.eclipse.org/legal/epl-v10.html -->
+<features name="odl-aaa-${project.version}" xmlns="http://karaf.apache.org/xmlns/features/v1.2.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://karaf.apache.org/xmlns/features/v1.2.0 http://karaf.apache.org/xmlns/features/v1.2.0">
+    <repository>mvn:org.opendaylight.yangtools/features-yangtools/{{VERSION}}/xml/features</repository>
+    <repository>mvn:org.opendaylight.controller/features-config/{{VERSION}}/xml/features</repository>
+    <repository>mvn:org.opendaylight.mdsal/features-mdsal/{{VERSION}}/xml/features</repository>
+    <repository>mvn:org.opendaylight.controller/features-mdsal/{{VERSION}}/xml/features</repository>
+    <repository>mvn:org.opendaylight.aaa/features-aaa-api/{{VERSION}}/xml/features</repository>
+
+    <feature name='odl-aaa-authz' description='OpenDaylight :: AAA :: Authorization'
+        version='${project.version}'>
+        <feature version='${project.version}'>odl-aaa-api</feature>
+        <feature version='${yangtools.version}'>odl-yangtools-common</feature>
+        <feature version='${mdsal.version}'>odl-mdsal-binding-base</feature>
+        <feature version='${controller.mdsal.version}'>odl-mdsal-broker</feature>
+        <feature version='${config.version}'>odl-config-core</feature>
+        <bundle>mvn:org.opendaylight.aaa/aaa-authz-model/{{VERSION}}</bundle>
+        <bundle>mvn:org.opendaylight.aaa/aaa-authz-service/{{VERSION}}</bundle>
+        <configfile
+            finalname="/etc/opendaylight/karaf/08-authz-config.xml">mvn:org.opendaylight.aaa/authz-service-config/{{VERSION}}/xml/config</configfile>
+        <configfile
+            finalname="/etc/opendaylight/karaf/09-rest-connector.xml">mvn:org.opendaylight.aaa/authz-restconf-config/{{VERSION}}/xml/config</configfile>
+    </feature>
+
+</features>
diff --git a/odl-aaa-moon/features/pom.xml b/odl-aaa-moon/features/pom.xml
new file mode 100644
index 00000000..261f73c4
--- /dev/null
+++ b/odl-aaa-moon/features/pom.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>org.opendaylight.aaa</groupId>
+    <artifactId>aaa-parent</artifactId>
+    <version>0.3.1-Beryllium-SR1</version>
+    <relativePath>../parent</relativePath>
+  </parent>
+  <groupId>org.opendaylight.aaa</groupId>
+  <artifactId>features-aggregator</artifactId>
+  <packaging>pom</packaging>
+  <modules>
+    <module>shiro</module>
+    <module>api</module>
+    <module>authn</module>
+    <module>authz</module>
+  </modules>
+</project>
diff --git a/odl-aaa-moon/features/shiro/pom.xml b/odl-aaa-moon/features/shiro/pom.xml
new file mode 100644
index 00000000..50a9971e
--- /dev/null
+++ b/odl-aaa-moon/features/shiro/pom.xml
@@ -0,0 +1,179 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Copyright (c) 2015 Brocade Communications Systems and others.
+    All rights reserved. This program and the accompanying materials are made
+    available under the terms of the Eclipse Public License v1.0 which accompanies
+    this distribution, and is available at http://www.eclipse.org/legal/epl-v10.html -->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.opendaylight.odlparent</groupId>
+        <artifactId>features-parent</artifactId>
+        <version>1.6.1-Beryllium-SR1</version>
+        <relativePath/>
+    </parent>
+
+    <groupId>org.opendaylight.aaa</groupId>
+    <artifactId>features-aaa-shiro</artifactId>
+    <version>0.3.1-Beryllium-SR1</version>
+    <packaging>jar</packaging>
+
+    <properties>
+        <javax.annotation.api.version>1.2</javax.annotation.api.version>
+        <servicemix.version>1.8.3_2</servicemix.version>
+    </properties>
+    <dependencyManagement>
+        <dependencies>
+            <!-- This project -->
+            <dependency>
+                <groupId>org.opendaylight.aaa</groupId>
+                <artifactId>aaa-parent</artifactId>
+                <version>${project.version}</version>
+                <scope>import</scope>
+                <type>pom</type>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
+    <dependencies>
+        <dependency>
+        <groupId>com.google.code.findbugs</groupId>
+        <artifactId>jsr305</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+             <artifactId>features-aaa</artifactId>
+             <version>0.3.1-Beryllium-SR1</version>
+             <classifier>features</classifier>
+             <type>xml</type>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-shiro-act</artifactId>
+            <version>0.3.1-Beryllium-SR1</version>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-shiro</artifactId>
+            <version>0.3.1-Beryllium-SR1</version>
+            <type>cfg</type>
+            <classifier>configuration</classifier>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-shiro</artifactId>
+        </dependency>
+        <dependency>
+              <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn-sts</artifactId>
+            <version>0.3.1-Beryllium-SR1</version>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn-api</artifactId>
+            <version>0.3.1-Beryllium-SR1</version>
+        </dependency>
+        <dependency>
+            <groupId>com.sun.jersey</groupId>
+            <artifactId>jersey-servlet</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.sun.jersey</groupId>
+            <artifactId>jersey-core</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.sun.jersey</groupId>
+            <artifactId>jersey-server</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>javax.servlet-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.felix</groupId>
+            <artifactId>org.apache.felix.dependencymanager</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.felix</groupId>
+            <artifactId>org.apache.felix.metatype</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.google.guava</groupId>
+            <artifactId>guava</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-shiro</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.opendaylight.aaa</groupId>
+            <artifactId>aaa-authn-sts</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>javax.annotation</groupId>
+            <artifactId>javax.annotation-api</artifactId>
+            <version>${javax.annotation.api.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.felix</groupId>
+            <artifactId>org.apache.felix.dependencymanager</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.felix</groupId>
+            <artifactId>org.apache.felix.metatype</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.shiro</groupId>
+            <artifactId>shiro-web</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.shiro</groupId>
+            <artifactId>shiro-core</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.servicemix.bundles</groupId>
+            <artifactId>org.apache.servicemix.bundles.commons-beanutils</artifactId>
+            <version>${servicemix.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.oltu.oauth2</groupId>
+            <artifactId>org.apache.oltu.oauth2.resourceserver</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.oltu.oauth2</groupId>
+            <artifactId>org.apache.oltu.oauth2.authzserver</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.oltu.oauth2</groupId>
+            <artifactId>org.apache.oltu.oauth2.common</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>javax.ws.rs</groupId>
+            <artifactId>javax.ws.rs-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.json</groupId>
+            <artifactId>json</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>commons-codec</groupId>
+            <artifactId>commons-codec</artifactId>
+        </dependency>
+    </dependencies>
+
+    <scm>
+        <connection>scm:git:ssh://git.opendaylight.org:29418/aaa.git</connection>
+        <developerConnection>scm:git:ssh://git.opendaylight.org:29418/aaa.git</developerConnection>
+        <tag>HEAD</tag>
+        <url>https://git.opendaylight.org/gerrit/gitweb?p=aaa.git;a=summary</url>
+    </scm>
+</project>
diff --git a/odl-aaa-moon/features/shiro/src/main/features/features.xml b/odl-aaa-moon/features/shiro/src/main/features/features.xml
new file mode 100644
index 00000000..c6073a2a
--- /dev/null
+++ b/odl-aaa-moon/features/shiro/src/main/features/features.xml
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Copyright (c) 2015 Brocade Communications Systems and others.
+    All rights reserved. This program and the accompanying materials are made
+    available under the terms of the Eclipse Public License v1.0 which accompanies
+    this distribution, and is available at http://www.eclipse.org/legal/epl-v10.html -->
+<features name="odl-aaa-${project.version}" xmlns="http://karaf.apache.org/xmlns/features/v1.2.0"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://karaf.apache.org/xmlns/features/v1.2.0 http://karaf.apache.org/xmlns/features/v1.2.0">
+
+    <repository>mvn:org.opendaylight.aaa/features-aaa/{{VERSION}}/xml/features</repository>
+
+    <!-- odl-aaa-shiro feature which combines all aspects of AAA into one feature -->
+    <feature name='odl-aaa-shiro' description='OpenDaylight :: AAA :: Shiro'
+             version='${project.version}'>
+
+        <!-- OSGI -->
+        <bundle>mvn:org.apache.felix/org.apache.felix.dependencymanager/{{VERSION}}</bundle>
+        <bundle>mvn:org.apache.felix/org.apache.felix.metatype/{{VERSION}}</bundle>
+
+        <!-- Existing AAA infrastructure -->
+        <feature version='${project.version}'>odl-aaa-authn</feature>
+
+        <bundle>mvn:org.apache.shiro/shiro-web/{{VERSION}}</bundle>
+        <bundle>mvn:org.apache.shiro/shiro-core/{{VERSION}}</bundle>
+
+        <bundle>mvn:com.google.guava/guava/{{VERSION}}</bundle>
+        <bundle>wrap:mvn:javax.annotation/javax.annotation-api/{{VERSION}}</bundle>
+        <bundle>wrap:mvn:com.google.code.findbugs/jsr305/{{VERSION}}</bundle>
+        <bundle>wrap:mvn:commons-codec/commons-codec/{{VERSION}}</bundle>
+        <bundle>wrap:mvn:org.apache.oltu.oauth2/org.apache.oltu.oauth2.resourceserver/{{VERSION}}</bundle>
+        <bundle>wrap:mvn:org.apache.oltu.oauth2/org.apache.oltu.oauth2.authzserver/{{VERSION}}</bundle>
+        <bundle>wrap:mvn:org.apache.oltu.oauth2/org.apache.oltu.oauth2.common/{{VERSION}}</bundle>
+        <bundle>wrap:mvn:org.json/json/{{VERSION}}</bundle>
+        <bundle>mvn:org.apache.servicemix.bundles/org.apache.servicemix.bundles.commons-beanutils/{{VERSION}}</bundle>
+        <bundle>mvn:org.opendaylight.aaa/aaa-shiro/{{VERSION}}</bundle>
+
+        <!-- AAA configuration file -->
+        <configfile finalname="/etc/shiro.ini">mvn:org.opendaylight.aaa/aaa-shiro/{{VERSION}}/cfg/configuration</configfile>
+    </feature>
+
+</features>
diff --git a/odl-aaa-moon/parent/pom.xml b/odl-aaa-moon/parent/pom.xml
new file mode 100644
index 00000000..37bf3ad2
--- /dev/null
+++ b/odl-aaa-moon/parent/pom.xml
@@ -0,0 +1,278 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.opendaylight.odlparent</groupId>
+        <artifactId>odlparent</artifactId>
+        <version>1.6.1-Beryllium-SR1</version>
+        <relativePath/>
+    </parent>
+
+    <groupId>org.opendaylight.aaa</groupId>
+    <artifactId>aaa-parent</artifactId>
+    <version>0.3.1-Beryllium-SR1</version>
+    <packaging>pom</packaging>
+    <prerequisites>
+        <maven>3.0.4</maven>
+    </prerequisites>
+
+    <properties>
+        <!-- Karaf -->
+        <karaf.branding.version>1.2.1-Beryllium-SR1</karaf.branding.version>
+        <karaf.resources.version>1.6.1-Beryllium-SR1</karaf.resources.version>
+
+        <!-- OSGi -->
+        <osgi.metatype.version>1.0.10</osgi.metatype.version>
+
+        <!-- Local project version, needed for import -->
+        <aaa.version>${project.version}</aaa.version>
+        <parent-path>${basedir}</parent-path>
+
+        <!-- AuthZ -->
+        <yangtools.version>0.8.1-Beryllium-SR1</yangtools.version>
+        <jmxGeneratorPath>src/main/yang-gen-config</jmxGeneratorPath>
+        <salGeneratorPath>src/main/yang-gen-sal</salGeneratorPath>
+        <mdsal.version>2.0.1-Beryllium-SR1</mdsal.version>
+        <mdsal.model.version>0.8.1-Beryllium-SR1</mdsal.model.version>
+        <controller.mdsal.version>1.3.1-Beryllium-SR1</controller.mdsal.version>
+        <restconf.version>1.3.1-Beryllium-SR1</restconf.version>
+        <config.version>0.4.1-Beryllium-SR1</config.version>
+        <config.authz.service.configfile>08-authz-config.xml</config.authz.service.configfile>
+        <config.restconf.configfile>09-rest-connector.xml</config.restconf.configfile>
+        <config.configfile.directory>etc/opendaylight/karaf</config.configfile.directory>
+
+        <!-- AuthN -->
+        <glassfish.json.version>1.0.4</glassfish.json.version>
+        <ehcache.version>2.8.3</ehcache.version>
+        <jta.version>1.1.1</jta.version>
+        <oltu.version>1.0.0</oltu.version>
+
+        <config.authn.store.configfile>08-authn-config.xml</config.authn.store.configfile>
+
+        <!-- IdmLight -->
+        <h2.version>1.4.185</h2.version>
+
+        <!-- Keystone plugin -->
+        <httpclient.version>4.4</httpclient.version>
+
+        <!-- Test -->
+        <javax.inject.version>1</javax.inject.version>
+        <servlet.tester.version>7.0.0.M2</servlet.tester.version>
+        <features.test.version>1.6.1-Beryllium-SR1</features.test.version>
+    </properties>
+
+    <dependencyManagement>
+        <dependencies>
+            <!-- ODL -->
+            <dependency>
+                <groupId>org.opendaylight.aaa</groupId>
+                <artifactId>aaa-artifacts</artifactId>
+                <version>${aaa.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+            <dependency>
+                <groupId>org.opendaylight.yangtools</groupId>
+                <artifactId>yangtools-artifacts</artifactId>
+                <version>${yangtools.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+            <dependency>
+                <groupId>org.opendaylight.mdsal</groupId>
+                <artifactId>mdsal-artifacts</artifactId>
+                <version>${mdsal.version}</version>
+                <scope>import</scope>
+                <type>pom</type>
+            </dependency>
+            <dependency>
+                <groupId>org.opendaylight.mdsal.model</groupId>
+                <artifactId>mdsal-model-artifacts</artifactId>
+                <version>${mdsal.model.version}</version>
+                <scope>import</scope>
+                <type>pom</type>
+            </dependency>
+            <dependency>
+                <groupId>org.opendaylight.controller</groupId>
+                <artifactId>mdsal-artifacts</artifactId>
+                <version>${controller.mdsal.version}</version>
+                <scope>import</scope>
+                <type>pom</type>
+            </dependency>
+            <dependency>
+                <groupId>org.opendaylight.controller</groupId>
+                <artifactId>config-artifacts</artifactId>
+                <version>${config.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+
+            <!-- Third-party -->
+            <dependency>
+                <groupId>org.glassfish</groupId>
+                <artifactId>javax.json</artifactId>
+                <version>${glassfish.json.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.felix</groupId>
+                <artifactId>org.apache.felix.metatype</artifactId>
+                <version>${osgi.metatype.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>net.sf.ehcache</groupId>
+                <artifactId>ehcache</artifactId>
+                <version>${ehcache.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.geronimo.specs</groupId>
+                <artifactId>geronimo-jta_1.1_spec</artifactId>
+                <version>${jta.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.oltu.oauth2</groupId>
+                <artifactId>org.apache.oltu.oauth2.common</artifactId>
+                <version>${oltu.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.oltu.oauth2</groupId>
+                <artifactId>org.apache.oltu.oauth2.authzserver</artifactId>
+                <version>${oltu.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.oltu.oauth2</groupId>
+                <artifactId>org.apache.oltu.oauth2.resourceserver</artifactId>
+                <version>${oltu.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.h2database</groupId>
+                <artifactId>h2</artifactId>
+                <version>${h2.version}</version>
+            </dependency>
+
+            <!-- Test stuff -->
+            <dependency>
+                <groupId>org.opendaylight.odlparent</groupId>
+                <artifactId>features-test</artifactId>
+                <version>${features.test.version}</version>
+                <scope>test</scope>
+            </dependency>
+            <dependency>
+                <groupId>javax.inject</groupId>
+                <artifactId>javax.inject</artifactId>
+                <version>${javax.inject.version}</version>
+                <scope>test</scope>
+            </dependency>
+            <dependency>
+                <groupId>org.eclipse.jetty</groupId>
+                <artifactId>jetty-servlet-tester</artifactId>
+                <version>${servlet.tester.version}</version>
+                <scope>test</scope>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.jacoco</groupId>
+                <artifactId>jacoco-maven-plugin</artifactId>
+                <configuration>
+                    <includes>
+                        <include>org.opendaylight.aaa.*</include>
+                    </includes>
+                </configuration>
+                <executions>
+                    <execution>
+                        <id>pre-test</id>
+                        <goals>
+                            <goal>prepare-agent</goal>
+                        </goals>
+                    </execution>
+                    <execution>
+                        <id>post-test</id>
+                        <goals>
+                            <goal>report</goal>
+                        </goals>
+                        <phase>test</phase>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-checkstyle-plugin</artifactId>
+                <configuration>
+                    <!-- checkstyle is evil -->
+                    <skip>false</skip>
+                    <failOnViolation>true</failOnViolation>
+                    <configLocation>checkstyle-logging.xml</configLocation>
+                    <consoleOutput>true</consoleOutput>
+                    <includeTestSourceDirectory>true</includeTestSourceDirectory>
+                    <sourceDirectory>${project.basedir}</sourceDirectory>
+                    <includes>**\/*.java,**\/*.xml,**\/*.ini,**\/*.sh,**\/*.bat,**\/*.yang</includes>
+                    <excludes>**\/target\/,**\/bin\/,**\/target-ide\/,**\/src/main/yang-gen-config\/,**\/src/main/yang-gen-sal\/</excludes>
+                </configuration>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>check</goal>
+                        </goals>
+                        <phase>process-sources</phase>
+                    </execution>
+                </executions>
+                <dependencies>
+                    <dependency>
+                        <groupId>org.opendaylight.yangtools</groupId>
+                        <artifactId>checkstyle-logging</artifactId>
+                        <version>${yangtools.version}</version>
+                    </dependency>
+                </dependencies>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>build-helper-maven-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <phase>generate-sources</phase>
+                        <goals>
+                            <goal>add-source</goal>
+                        </goals>
+                        <configuration>
+                            <sources>
+                                <source>${jmxGeneratorPath}</source>
+                                <source>${salGeneratorPath}</source>
+                            </sources>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+
+    <url>https://wiki.opendaylight.org/view/AAA:Main</url>
+    <scm>
+        <connection>scm:git:ssh://git.opendaylight.org:29418/aaa.git</connection>
+        <developerConnection>scm:git:ssh://git.opendaylight.org:29418/aaa.git</developerConnection>
+        <tag>HEAD</tag>
+    </scm>
+
+    <reporting>
+        <plugins>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>findbugs-maven-plugin</artifactId>
+                <version>${findbugs.maven.plugin.version}</version>
+                <configuration>
+                    <effort>Max</effort>
+                    <threshold>Low</threshold>
+                    <goal>site</goal>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>jdepend-maven-plugin</artifactId>
+                <version>${jdepend.maven.plugin.version}</version>
+            </plugin>
+        </plugins>
+    </reporting>
+</project>
diff --git a/odl-aaa-moon/pom.xml b/odl-aaa-moon/pom.xml
new file mode 100644
index 00000000..3d6591e2
--- /dev/null
+++ b/odl-aaa-moon/pom.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>org.opendaylight.aaa</groupId>
+    <artifactId>aaa-parent</artifactId>
+    <version>0.3.1-Beryllium-SR1</version>
+    <relativePath>parent</relativePath>
+  </parent>
+
+  <groupId>org.opendaylight.aaa</groupId>
+  <artifactId>aaa.project</artifactId>
+  <version>0.3.1-Beryllium-SR1</version>
+  <packaging>pom</packaging>
+  <name>aaa</name> <!-- Used by Sonar to set project name -->
+  <prerequisites>
+    <maven>3.0</maven>
+  </prerequisites>
+
+  <modules>
+    <module>aaa-authn-api</module>
+    <module>aaa-authn</module>
+    <module>aaa-idp-mapping</module>
+    <module>aaa-authn-sts</module>
+    <module>aaa-authn-store</module>
+    <module>aaa-authn-federation</module>
+    <module>aaa-authn-sssd</module>
+    <module>aaa-authn-keystone</module>
+    <module>aaa-authn-basic</module>
+    <module>aaa-idmlight</module>
+    <module>aaa-authn-mdsal-store</module>
+    <module>aaa-authz</module>
+    <module>aaa-credential-store-api</module>
+    <module>artifacts</module>
+    <module>features</module>
+    <module>distribution-karaf</module>
+    <module>parent</module>
+    <module>aaa-shiro</module>
+    <module>aaa-shiro-act</module>
+    <module>aaa-h2-store</module>
+  </modules>
+
+  <scm>
+    <connection>scm:git:ssh://git.opendaylight.org:29418/aaa.git</connection>
+    <developerConnection>scm:git:ssh://git.opendaylight.org:29418/aaa.git</developerConnection>
+    <tag>HEAD</tag>
+    <url>https://wiki.opendaylight.org/view/AAA:Main</url>
+  </scm>
+
+</project>
-- 
2.16.6