From 779d6af56da8facfcaf2a4ad7ed689dc36bd986a Mon Sep 17 00:00:00 2001 
From: Quanah Gibson-Mount <quanah@openldap.org> Date: Sat, 1 Sep 2007 01:48:46 +0000 Subject: [PATCH] Sync 2.4 guide with HEAD for 2.4.5 --- doc/guide/COPYRIGHT | 6 +- doc/guide/admin/Makefile | 26 +- doc/guide/admin/README.spellcheck | 16 + doc/guide/admin/appendix-changes.sdf | 208 ++++ doc/guide/admin/appendix-configs.sdf | 14 + doc/guide/admin/aspell.en.pws | 1406 ++++++++++++++++++++++++++ doc/guide/admin/backends.sdf | 262 +++++ doc/guide/admin/config.sdf | 4 +- doc/guide/admin/config_dit.gif | Bin 4599 -> 0 bytes doc/guide/admin/config_dit.png | Bin 0 -> 19735 bytes doc/guide/admin/config_local.gif | Bin 1910 -> 0 bytes doc/guide/admin/config_local.png | Bin 0 -> 4172 bytes doc/guide/admin/config_ref.gif | Bin 3134 -> 0 bytes doc/guide/admin/config_ref.png | Bin 0 -> 7556 bytes doc/guide/admin/config_x500fe.gif | Bin 1667 -> 0 bytes doc/guide/admin/config_x500ref.gif | Bin 2395 -> 0 bytes doc/guide/admin/dbtools.sdf | 2 +- doc/guide/admin/guide.book | 3 + doc/guide/admin/install.sdf | 12 +- doc/guide/admin/intro.sdf | 148 ++- doc/guide/admin/intro_dctree.gif | Bin 6054 -> 0 bytes doc/guide/admin/intro_dctree.png | Bin 0 -> 21788 bytes doc/guide/admin/intro_tree.gif | Bin 6622 -> 0 bytes doc/guide/admin/intro_tree.png | Bin 0 -> 24714 bytes doc/guide/admin/maintenance.sdf | 110 ++ doc/guide/admin/master.sdf | 27 +- doc/guide/admin/monitoringslapd.sdf | 11 +- doc/guide/admin/overlays.sdf | 413 ++++++++ doc/guide/admin/preface.sdf | 4 +- doc/guide/admin/proxycache.sdf | 148 --- doc/guide/admin/referrals.sdf | 7 + doc/guide/admin/replication.gif | Bin 3538 -> 0 bytes doc/guide/admin/replication.sdf | 897 ++++++++++------ doc/guide/admin/runningslapd.sdf | 4 +- doc/guide/admin/sasl.sdf | 19 +- doc/guide/admin/schema.sdf | 32 +- doc/guide/admin/security.sdf | 3 +- doc/guide/admin/slapdconf2.sdf | 137 +-- doc/guide/admin/slapdconfig.sdf | 138 +-- doc/guide/admin/syncrepl.sdf | 404 -------- doc/guide/admin/title.sdf | 2 +- doc/guide/admin/tls.sdf | 5 +- 
doc/guide/admin/troubleshooting.sdf | 89 ++ doc/guide/admin/tuning.sdf | 383 +++++-- doc/guide/plain.sdf | 2 +- doc/guide/preamble.sdf | 5 +- doc/guide/release/copyright.sdf | 6 +- 47 files changed, 3676 insertions(+), 1277 deletions(-) create mode 100644 doc/guide/admin/README.spellcheck create mode 100644 doc/guide/admin/appendix-changes.sdf create mode 100644 doc/guide/admin/appendix-configs.sdf create mode 100644 doc/guide/admin/aspell.en.pws create mode 100644 doc/guide/admin/backends.sdf delete mode 100644 doc/guide/admin/config_dit.gif create mode 100644 doc/guide/admin/config_dit.png delete mode 100644 doc/guide/admin/config_local.gif create mode 100644 doc/guide/admin/config_local.png delete mode 100644 doc/guide/admin/config_ref.gif create mode 100644 doc/guide/admin/config_ref.png delete mode 100644 doc/guide/admin/config_x500fe.gif delete mode 100644 doc/guide/admin/config_x500ref.gif create mode 100644 doc/guide/admin/guide.book delete mode 100644 doc/guide/admin/intro_dctree.gif create mode 100644 doc/guide/admin/intro_dctree.png delete mode 100644 doc/guide/admin/intro_tree.gif create mode 100644 doc/guide/admin/intro_tree.png create mode 100644 doc/guide/admin/maintenance.sdf create mode 100644 doc/guide/admin/overlays.sdf delete mode 100644 doc/guide/admin/proxycache.sdf delete mode 100644 doc/guide/admin/replication.gif delete mode 100644 doc/guide/admin/syncrepl.sdf create mode 100644 doc/guide/admin/troubleshooting.sdf diff --git a/doc/guide/COPYRIGHT b/doc/guide/COPYRIGHT index 27a4e73735..3e2fba9504 100644 --- a/doc/guide/COPYRIGHT +++ b/doc/guide/COPYRIGHT 
@@ -36,9 +36,11 @@ Public License. --- -Portions Copyright 1999-2005 Howard Y.H. Chu. -Portions Copyright 1999-2005 Symas Corporation. +Portions Copyright 1999-2007 Howard Y.H. Chu. +Portions Copyright 1999-2007 Symas Corporation. Portions Copyright 1998-2003 Hallvard B. Furuseth. +Portions Copyright 2007 Gavin Henry +Portions Copyright 2007 Suretec Systems All rights reserved. Redistribution and use in source and binary forms, with or without diff --git a/doc/guide/admin/Makefile b/doc/guide/admin/Makefile index dfae7270e9..6b33980f98 100644 --- a/doc/guide/admin/Makefile +++ b/doc/guide/admin/Makefile @@ -18,16 +18,19 @@ sdf-src: \ ../plain.sdf \ ../preamble.sdf \ abstract.sdf \ + appendix-configs.sdf \ + backends.sdf \ config.sdf \ dbtools.sdf \ glossary.sdf \ guide.sdf \ install.sdf \ intro.sdf \ + maintenance.sdf \ master.sdf \ monitoringslapd.sdf \ + overlays.sdf \ preface.sdf \ - proxycache.sdf \ quickstart.sdf \ referrals.sdf \ replication.sdf \ @@ -36,21 +39,19 @@ sdf-src: \ schema.sdf \ security.sdf \ slapdconfig.sdf \ - syncrepl.sdf \ title.sdf \ tls.sdf \ + troubleshooting.sdf \ tuning.sdf sdf-img: \ ../images/LDAPlogo.gif \ - config_local.gif \ - config_ref.gif \ + config_dit.png \ + config_local.png \ + config_ref.png \ config_repl.gif \ - config_x500fe.gif \ - config_x500ref.gif \ - intro_dctree.gif \ - intro_tree.gif \ - replication.gif + intro_dctree.png \ + intro_tree.png \ guide.html: guide.sdf sdf-src sdf-img sdf -2html guide.sdf @@ -62,6 +63,7 @@ admin.html: admin.sdf sdf-src sdf-img sdf -DPDF -2html admin.sdf guide.pdf: admin.html - htmldoc --book --duplex --bottom 36 --top 36 \ - --toclevels 2 \ - -f guide.pdf admin.html + htmldoc --batch guide.book + +clean: + rm -f *.pdf *.html *~ diff --git a/doc/guide/admin/README.spellcheck b/doc/guide/admin/README.spellcheck new file mode 100644 index 0000000000..729b247882 --- /dev/null +++ b/doc/guide/admin/README.spellcheck 
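Review bot: The `sdf-src` list in the first Makefile hunk gains `appendix-configs.sdf` but not `appendix-changes.sdf`, which this same commit creates. If `master.sdf` pulls that appendix in (its changes are not visible in this part of the patch), edits to it will not trigger a rebuild of `guide.html` or `admin.html`. I would add `appendix-changes.sdf \` directly above `appendix-configs.sdf \`. The `sdf-src` prerequisite list starts before this hunk and continues past it.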
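Review bot: The new last entry of `sdf-img` in the second Makefile hunk is written `intro_tree.png \`, so the prerequisite list now ends on a line continuation. It only works because the next line happens to be empty; anything later placed directly under the list would be silently absorbed into the prerequisites. The final entry should be `intro_tree.png` with no trailing backslash, as `replication.gif` was before.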
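Review bot: In the third Makefile hunk the `guide.pdf` recipe now reads `guide.book`, but the rule still lists only `admin.html` as a prerequisite, so a change to the book file does not rebuild the PDF; `guide.pdf: admin.html guide.book` would cover it. The new `clean` target is not declared phony in the lines shown, so a stray file named `clean` would disable it; consider `.PHONY: clean` unless that is already declared elsewhere in the Makefile. Note also that `rm -f *.pdf *.html *~` removes every HTML and PDF file in the directory, not only the generated ones, which is worth confirming against anything checked in there.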
@@ -0,0 +1,16 @@
+# $OpenLDAP$
+# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
+# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
+#
+# README.spellcheck
+#
+
+aspell.en.pws
+ We use aspell to spell check the Admin Guide and Man Pages.
+
+ Please move aspell.en.pws to ~/.aspell.en.pws and run:
+
+ aspell --lang=en_US -c <filename>
+
+ If you add additional words and terms, please add
+ them or copy them to aspell.en.pws and commit.
diff --git a/doc/guide/admin/appendix-changes.sdf b/doc/guide/admin/appendix-changes.sdf
new file mode 100644
index 0000000000..4ee1dce248
--- /dev/null
+++ b/doc/guide/admin/appendix-changes.sdf
@@ -0,0 +1,208 @@
+# $OpenLDAP$
+# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
+# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
+
+H1: Changes Since Previous Release
+
+The following sections attempt to summarize the new features and changes in OpenLDAP
+software since the 2.3.x release and the OpenLDAP Admin Guide.
+
+H2: New Guide Sections
+
+In order to make the Admin Guide more thorough and cover the majority of questions
+asked on the OpenLDAP mailing lists and scenarios discussed there, we have added the following new sections:
+
+* {{SECT:When should I use LDAP?}}
+* {{SECT:When should I not use LDAP?}}
+* {{SECT:LDAP vs RDBMS}}
+* {{SECT:Backends}}
+* {{SECT:Overlays}}
+* {{SECT:Replication}}
+* {{SECT:Maintenance}}
+* {{SECT:Monitoring}}
+* {{SECT:Tuning}}
+* {{SECT:Troubleshooting}}
+* {{SECT:Changes Since Previous Release}}
+* {{SECT:Configuration File Examples}}
+* {{SECT:Glossary}}
+
+Also, the table of contents is now 3 levels deep to ease navigation.
+
+
+H2: New Features and Enhancements in 2.4
+
+H3: Better {{B:cn=config}} functionality
+
+There is a new slapd-config(5) manpage for the {{B:cn=config}} backend. The
+original design called for auto-renaming of config entries when you insert or
+delete entries with ordered names, but that was not implemented in 2.3. It is
+now in 2.4. This means, e.g., if you have
+
+> olcDatabase={1}bdb,cn=config
+> olcSuffix: dc=example,dc=com
+
+and you want to add a new subordinate, now you can ldapadd:
+
+> olcDatabase={1}bdb,cn=config
+> olcSuffix: dc=foo,dc=example,dc=com
+
+This will insert a new BDB database in slot 1 and bump all following databases
+ down one, so the original BDB database will now be named:
+
+> olcDatabase={2}bdb,cn=config
+> olcSuffix: dc=example,dc=com
+
+H3: Better {{B:cn=schema}} functionality
+
+In 2.3 you were only able to add new schema elements, not delete or modify
+existing elements. In 2.4 you can modify schema at will. (Except for the
+hardcoded system schema, of course.)
+
+H3: More sophisticated Syncrepl configurations
+
+The original implementation of Syncrepl in OpenLDAP 2.2 was intended to support
+multiple consumers within the same database, but that feature never worked and
+was removed from OpenLDAP 2.3; you could only configure a single consumer in
+any database.
+
+In 2.4 you can configure multiple consumers in a single database. The configuration
+possibilities here are quite complex and numerous. You can configure consumers
+over arbitrary subtrees of a database (disjoint or overlapping). Any portion
+of the database may in turn be provided to other consumers using the Syncprov
+overlay. The Syncprov overlay works with any number of consumers over a single
+database or over arbitrarily many glued databases.
+
+H3: N-Way Multimaster Replication
+
+As a consequence of the work to support multiple consumer contexts, the syncrepl
+system now supports full N-Way multimaster replication with entry-level conflict
+resolution. There are some important constraints, of course: In order to maintain
+consistent results across all servers, you must maintain tightly synchronized
+clocks across all participating servers (e.g., you must use NTP on all servers).
+
+The entryCSNs used for replication now record timestamps with microsecond resolution,
+instead of just seconds. The delta-syncrepl code has not been updated to support
+multimaster usage yet, that will come later in the 2.4 cycle.
+
+H3: Replicating {{slapd}} Configuration (syncrepl and {{B:cn=config}})
+
+Syncrepl was explicitly disabled on cn=config in 2.3. It is now fully supported
+in 2.4; you can use syncrepl to replicate an entire server configuration from
+one server to arbitrarily many other servers. It's possible to clone an entire
+running slapd using just a small (less than 10 lines) seed configuration, or
+you can just replicate the schema subtrees, etc. Tests 049 and 050 in the test
+suite provide working examples of these capabilities.
+
+
+H3: Push-Mode Replication
+
+In 2.3 you could configure syncrepl as a full push-mode replicator by using it
+in conjunction with a back-ldap pointed at the target server. But because the
+back-ldap database needs to have a suffix corresponding to the target's suffix,
+you could only configure one instance per slapd.
+
+In 2.4 you can define a database to be "hidden", which means that its suffix is
+ignored when checking for name collisions, and the database will never be used
+to answer requests received by the frontend. Using this "hidden" database feature
+allows you to configure multiple databases with the same suffix, allowing you to
+set up multiple back-ldap instances for pushing replication of a single database
+to multiple targets. There may be other uses for hidden databases as well (e.g.,
+using a syncrepl consumer to maintain a *local* mirror of a database on a separate filesystem).
+
+
+H3: More extensive TLS configuration control
+
+In 2.3, the TLS configuration in slapd was only used by the slapd listeners. For
+outbound connections used by e.g. back-ldap or syncrepl their TLS parameters came
+from the system's ldap.conf file.
+
+In 2.4 all of these sessions inherit their settings from the main slapd configuration,
+but settings can be individually overridden on a per-config-item basis. This is
+particularly helpful if you use certificate-based authentication and need to use a
+different client certificate for different destinations.
+
+
+H3: Performance enhancements
+
+Too many to list. Some notable changes - ldapadd used to be a couple of orders
+of magnitude slower than "slapadd -q". It's now at worst only about half the
+speed of slapadd -q. Some comparisons of all the 2.x OpenLDAP releases are available
+at {{URL:http://www.openldap.org/pub/hyc/scale2007.pdf}}
+
+That compared 2.0.27, 2.1.30, 2.2.30, 2.3.33, and HEAD). Toward the latter end
+of the "Cached Search Performance" chart it gets hard to see the difference
+because the run times are so small, but the new code is about 25% faster than 2.3,
+which was about 20% faster than 2.2, which was about 100% faster than 2.1, which
+was about 100% faster than 2.0, in that particular search scenario. That test
+basically searched a 1.3GB DB of 380836 entries (all in the slapd entry cache)
+in under 1 second. i.e., on a 2.4GHz CPU with DDR400 ECC/Registered RAM we can
+search over 500 thousand entries per second. The search was on an unindexed
+attribute using a filter that would not match any entry, forcing slapd to examine
+every entry in the DB, testing the filter for a match.
+
+Essentially the slapd entry cache in back-bdb/back-hdb is so efficient the search
+processing time is almost invisible; the runtime is limited only by the memory
+bandwidth of the machine. (The search data rate corresponds to about 3.5GB/sec;
+the memory bandwidth on the machine is only about 4GB/sec due to ECC and register latency.)
+
+H3: New overlays
+
+* slapo-constraint (Attribute value constraints)
+* slapo-dds (Dynamic Directory Services, RFC 2589)
+* slapo-memberof (reverse group membership maintenance)
+
+H3: New features in existing Overlays
+
+* slapo-pcache
+ - Inspection/Maintenance
+ -- the cache database can be directly accessed via
+ LDAP by adding a specific control to each LDAP request; a specific
+ extended operation allows to consistently remove cached entries and entire
+ cached queries
+ - Hot Restart
+ -- cached queries are saved on disk at shutdown, and reloaded if
+ not expired yet at subsequent restart
+
+* slapo-rwm can safely interoperate with other overlays
+* Dyngroup/Dynlist merge, plus security enhancements
+ - added dgIdentity support (draft-haripriya-dynamicgroup)
+
+H3: New features in slapd
+
+* monitoring of back-{b,h}db: cache fill-in, non-indexed searches,
+* session tracking control (draft-wahl-ldap-session)
+* subtree delete in back-sql (draft-armijo-ldap-treedelete)
+
+H3: New features in libldap
+
+* ldap_sync client API (LDAP Content Sync Operation, RFC 4533)
+
+H3: New clients, tools and tool enhancements
+
+* ldapexop for arbitrary extended operations
+* Complete support of controls in request/response for all clients
+* LDAP Client tools now honor SRV records
+
+H3: New build options
+
+* Support for building against GnuTLS
+
+
+H2: Obsolete Features Removed From 2.4
+
+These features were strongly deprecated in 2.3 and removed in 2.4.
+
+H3: Slurpd
+
+Please read the {{SECT:Replication}} section as to why this is no longer in
+OpenLDAP
+
+H3: back-ldbm
+
+back-ldbm was both slow and unreliable. Its byzantine indexing code was
+prone to spontaneous corruption, as were the underlying database libraries
+that were commonly used (e.g. GDBM or NDBM). back-bdb and back-hdb are
+superior in every aspect, with simplified indexing to avoid index corruption,
+fine-grained locking for greater concurrency, hierarchical caching for
+greater performance, streamlined on-disk format for greater efficiency
+and portability, and full transaction support for greater reliability.
diff --git a/doc/guide/admin/appendix-configs.sdf b/doc/guide/admin/appendix-configs.sdf
new file mode 100644
index 0000000000..81aaf86f86
--- /dev/null
+++ b/doc/guide/admin/appendix-configs.sdf
@@ -0,0 +1,14 @@
+# $OpenLDAP$
+# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
+# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
+
+H1: Configuration File Examples
+
+
+H2: slapd.conf
+
+
+H2: ldap.conf
+
+
+H2: a-n-other.conf
diff --git a/doc/guide/admin/aspell.en.pws b/doc/guide/admin/aspell.en.pws
new file mode 100644
index 0000000000..a28b908c2f
--- /dev/null
+++ b/doc/guide/admin/aspell.en.pws
@@ -0,0 +1,1406 @@ +personal_ws-1.1 en 1405 +nattrsets +inappropriateAuthentication +api +olcAttributeTypes +BhY +reqEnd +olcOverlayConfig +shoesize +olcTLSCACertificateFile +CGI +cdx +DCE +DAP +attributename +lsei +dbconfig +arg +kurt +authzID +authzid +authzId +DAs +ddd +userApplications +BNF +attrs +mixin +wholeSubtree +chainingRequired +ldapport +hallvard +ASN +acknowledgements +Chu +ava +monitorCounter +del +DDR +testObject +OrgPerson +IGJlZ +olcUpdateref +ECC +deleteDN +cli +ltdl +CAPI +dev +serverctrls +olcDbDirectory +xvfB +BSI +modv +nonleaf +errCode +PhotoURI +buf +cdef +monitorConnectionLocalAddress +dir +EGD +dit +retoidp +ando +edu +caseExactSubstringsMatch +bvstrdup +AUTHNAME +memrealloc +auditExtended +replog +ludp +metainformation +CRL +CRP +olcReferral +XLDFLAGS +metadirectory +csn +siiiib +stateful +olcModulePath +maxentries +authc +seeAlso +searchbase +searchBase +realnamingcontext +dn's +DNs +DN's +dns +dereference +sortKey +authzTo +lossy +gcc +CWD +lssl +organizationalRole +DSA +derefInSearching +pwdGraceUseTime +DSE +groupOfURLs +modrdn +ModRDN +modrDN +pwdFailureCountInterval +homePhone +eng +paramName +errUnsolicitedData +Heimdal +EOF +authz +XINCPATH +LTFINISH +plaintext +indices +reqAssertion +olcDbUri +dst +env +oplist +MirrorMode +mirrormode +objclass +Bint +dup +hdb +gid +stderr +caseIgnoreOrderingMatch +moduledir +gif +jpegPhoto +lsasl +judgmentday +prepend +subentry +dbcache +mkversion +objectClasses +objectclasses +searchResultReference +fmt +qdescrs +olcSuffix +supportedControl +GHz +libpath +INADDR +compareDN +sizelimit +unixODBC +APIs +blen +attrsOnly +attrsonly +slappasswd +referralsPreferred +oids +OIDs +wBDARESEhgVG +syncIdSet +olcTLSCipherSuite +username +sizeLimitExceeded +subst +idl +chroot +iff +auditDelete +numbits +ZKKuqbEKJfKSXhUbHG +reqRespControls +TLSCertificateKeyFile +olcAccess +proxyTemplates +neverDerefaliases +RootDN +rootdn +loglevel +args +caseExactOrderingMatch +olcDbQuarantine +RELEASEDATE +baseDN +basedn 
+argv +GSS +schemachecking +whoami +WhoAmI +syslogd +dataflow +subentries +attrpair +BerkeleyDB's +singleLevel +entryDN +dSAOperation +includedir +inplace +LDAPAPIFeatureInfo +logbase +ing +moduleload +IPC +Makefile +getpid +GETREALM +numericString +MANSECT +XXXX +domainstyle +bvarray +Choi +iscritical +subschema +slapindex +plugin +distinguishedNameMatch +derefAliases +baseObject +kdz +reqMod +ldb +srcdir +pwdExpireWarning +localstatedir +sockbuf +PENs +ipv +IPv +ghenry +hyc +multimaster +noop +DEFS +joe +testAttr +syncrepl +pwdFailureTime +timestamp +whitespaces +ISP +ldp +monitorInfo +bjensen +newPasswd +irresponsive +len +perl +dynlist +browseable +attrvalue +pers +retcode +rootpw +matchedDN +auditReadObject +idletimeout +intermediateResponse +myOID +structuralObjectClass +integerMatch +openldap +OpenLDAP +moddn +rewriteEngine +AVAs +accesslog +searchDN +reqOld +MDn +aspell +TLSCACertificateFile +mem +peername +syncUUIDs +database's +krb +bool +logins +jts +memberAttr +newpasswdfile +newPasswdFile +ucdata +LLL +confdir +BerValues +olcDbLinearIndex +Elfrink +AUTOREMOVE +countp +realloc +bsize +CThreads +structs +desc +LTCOMPILE +bindmethod +olcDbCheckpoint +modme +refreshOnly +PIII +pwdPolicySubentry +FIXME +realanonymous +caseExactMatch +olcSizeLimit +Bourne +attr +objectidentifier +objectIdentifier +refint +msgtype +OBJEXT +LRL +subtrees +realdnattr +entrymods +admittable +libtool's +dupbv +searchResultEntry +lud +modifyTimestamp +TLSEphemeralDHParamFile +LRU +syncprov +strvals +preread +auth +nis +regexec +adamsom +objclasses +deallocation +strdup +gsMatch +adamson +UniqueName +ppErrStr +DESTDIR +oid +saslpasswd +interoperate +bindwhen +Solaris +oOjM +msg +submatch +refreshAndPersist +monitorServer +attributeUsage +soelim +objectIdentiferMatch +olc +PEM +Autoconf +alloc +PDU +OLF +inetorgperson +inetOrgPerson +deleteoldrdn +monitorCounterObject +pid +CPAN +sharedstatedir +OLP +LDFLAGS +dereferencing +errcodep +xeXBkeFxlZ +accessor's +extendedop +ple +NTP 
+reqSizeLimit +ORed +NUL +namingContexts +num +reqAttrsOnly +ldappasswd +online +libdir +unindexed +ObjectClassDescription +attrdesc +efgh +exopPasswdDN +ranlib +olcAttributeOptions +lineno +storages +nameAndOptionalUID +png +INCPATH +organizationalPerson +integerOrderingMatch +OSI +subschemaSubentry +cond +conf +bvec +rdn +ECHOPROMPT +RDBM +subany +runningslapd +configs +datagram +crlcheck +conn +builddir +OTP +entrylimit +attrdescN +logold +pos +sbi +PRD +reqEntries +pre +bvals +unixusers +olcReadonly +olcReadOnly +pwdChangedTime +mySQL +sdf +suffixmassage +referralDN +sed +statslog +perror +ldapexop +bvecadd +distributedOperation +sel +versa +TBC +telephonenumber +telephoneNumber +DLDAP +peernamestyle +SHA +filename +rpath +argsfile +ptr +INCDIR +pwd +dctree +rnd +quanah +lastmod +TCL +sprintf +shm +logops +dnattr +subdir +searchAttrDN +cctrls +tcp +strlen +spellcheck +ludpp +typedef +olcDbIDLcacheSize +ostring +mwrscdx +SMD +UCD +cancelled +crit +lucyB +slp +rdns +CPUs +TGT +modulepath +quickstart +mySNMP +tgz +UDP +RDBMs +rdbms +Matic +qdstring +gunzip +librewrite +UFl +src +lastName +ufn +cron +sql +pwdPolicyChecker +uid +olcDbConfig +refreshDone +ssf +replogfile +rwm +TOC +vec +LDAPDN +compareAttrDN +endmacro +tls +repl +monitoringslapd +referralsp +tmp +SRP +olcDbNosync +conns +SSL +PDkzODdASFxOQ +SRV +rwx +sss +deallocators +Contribware +URLlist +str +subinitial +CSNs +sbin +dbtools +datasource +sbio +posp +errText +prepended +labeledURI +scdx +startup +const +wBDABALD +octetStringSubstringsStringMatch +ttl +bvalue +bvdup +stringa +stringb +hasSubordinates +oldPasswd +sys +pwdPolicy +slapd +sasl +slapauth +MANCOMPRESS +octetStringOrderingStringMatch +updatedn +UpdateDN +slapdindex +searchFilter +uri +slapi +tty +liblunicode +url +entryExpireTimestamp +priv +slapo +UTF +vlv +ctrl +TXN +virtualnamingcontext +eatBlanks +slimit +ldaprc +usr +txt +proc +generalizedTime +loopback +unmassaged +mechs +freemods +initgroups +auditCompare +GDBM +DSA's +compareFalse 
+resultCode +resultcode +noSuchObject +params +groupnummer +searchEntryDN +negttl +chainingPreferred +TABs +retdatap +errAuxObject +postoperation +realself +olcPasswordHash +concat +debuglevel +addAttrDN +credp +ldaphost +pwdMaxFailure +octetStringMatch +extparam +auditWriteObject +colaligns +Diffie +attributevalue +AttributeValue +SIGTERM +MyCompany +al +AAQSkZJRgABAAAAAQABAAD +cd +contextCSN +ar +pthreads +monitorTimestamp +de +reqAuthzID +backend's +backends +cn +lcrypto +infodir +groupstyle +ldapsearch +cp +displayName +eg +bv +olcBackendConfig +dn +fd +LDAPSync +fG +fi +eq +FIPS +dx +et +eu +hh +olcLogLevel +slurpd +logevels +IG +addDN +tbls +ldapmodify +kb +syslog +io +ip +dynacl +aXRoIGEgc +enum +slapdconf +reqFilter +ld +xyz +TLSCertificateFile +idassert +failover +kerberos +lookups +md +iZ +SysNet +BerValue +idlcachesize +struct +UCASE +errno +syslogged +mk +ng +oc +errOp +pwdMaxAge +truelies +NL +mr +reindex +newentry +ok +mv +preinstalled +regex +saslmech +rc +config +ou +policyDN +sb +olcSyncrepl +QN +strtol +runtime +NOSYNC +slapover +RL +sockname +MANCOMPRESSSUFFIX +makeinfo +coltags +ro +rp +EXEEXT +sockurl +th +sn +ru +UG +ss +su +TP +reqMethod +XLIBS +PhotoObject +tt +keycol +namingContext +rlookups +searchstack +NOECHOPROMPT +sldb +wi +AlmostASearchRequest +xf +param +MChAODQ +caseExactIA +Vu +Za +idlecachesize +ws +errSleepTime +INSTALLFLAGS +pthread +pwdHistory +slen +errUnsolicitedOID +dyngroup +filtertype +rewriteRules +criticality +preoperation +smbk +subord +reqVersion +errp +ZZ +entryCSNs +dlopen +continuated +newsuperior +newSuperior +Preprocessor +XXLIBS +deallocate +reqScope +llber +bitstringa +sbindir +apache's +noidlen +monitorContext +resync +fqdn +authPassword +LDAPMatchingRule +olcIdleTimeout +treedelete +auditAdd +reqSession +derated +LDVERSION +IANA +olcDbSearchStack +bitstrings +rscdx +schemas +minssf +ldapadd +pseudorootdn +lldap +gssapi +applicatio +nelems +liblutil +wrscdx +scherr +internet +logfilter +lutil +themself +libexec 
+dnpattern +proxying +reqType +Kartik +libexecdir +inetd +pwdSafeModify +contrib +FQDNs +bjorn +myLDAP +SNMP +myObjectClass +thru +olcLastMod +commonName +testTwo +olcFrontendConfig +LDAPObjectClass +attributeTypes +LTINSTALL +hostname +Symas +numattrsets +msgid +ldapmodrdn +ldapbis +attributeoptions +serverID +memberof +pseudorootpw +CFLAGS +substr +pwdAllowUserChange +rewriteRule +XXXXXXXXXX +credlen +departmentNumber +rewriteMap +logfile +vals +LDAPAVA +modifyAttrDN +dcedn +olcOverlay +exop +berelement +BerElement +olcRootDN +octetString +SampleLDAP +expr +PostgreSQL +bvstr +filesystem +pathtest +objectClass +objectclass +submatches +newrdn +armijo +addBlanks +reqMessage +exts +SSHA +func +filterlist +modifyDN +syncuser +Masarati +LDAPSyntax +oldpasswdfile +oldPasswdFile +reqDN +SSFs +ietf +unwillingToPerform +oidlen +searchFilterAttrDN +CPPFLAGS +slapadd +Clatworthy +urldesc +substrings +Apurva +slapacl +multiclassing +monitoredInfo +LTLINK +ETCDIR +reqId +setspec +scanf +TLSv +distinguishedname +distinguishedName +BerVarray +caseIgnoreSubstrin +ldapwhoami +URLattr +generalizedTimeOrderingMatch +requestdata +timelimit +subr +cachesize +olcRootPW +SSLv +domainScope +LDAPMessage +LTVERSION +memalloc +refreshDeletes +BerkeleyDB +pathspec +uint +Poitou +whitespace +dynstyle +slaptest +zeilenga +WebUpdate +numericoid +changelog +ChangeLog +creatorsName +ascii +wahl +uniqueMember +slapcat +lwrap +ldapfilter +errDisconnect +sermersheim +rootdns +searchResult +libtool +servercredp +AttributeTypeDescription +LTFLAGS +authcDN +TLSCipherSuite +supportedSASLMechanisms +rootDSE +dsaparam +cachefree +UMich's +schemadir +attribute's +extern +varchar +olcDbCacheSize +olcDbCachesize +authcid +authcID +POSIX +hnPk +ldapext +authzFrom +Google +olcSchemaConfig +newsup +sbiod +XXXLIBS +LDAPBASE +Supr +olcDatabaseConfig +rwxrwxrwx +aeeiib +reqStart +sasldb +somevalue +LIBRELEASE +starttls +StartTLS +LDAPSchemaExtensionItem +reqReferral +shtool +Pierangelo +attrstyle +backend 
+portnumber +subjectAltName +errObject +valsort +bervals +berval's +derefFindingBaseObj +checkpointed +keytab +groupnaam +frontend +sctrls +dbnum +olcLdapConfig +sessionlog +attrset +entryCSN +strcast +kbyte +modifiersName +keytbl +olcHdbConfig +README +memcalloc +inet +saslargs +givenname +givenName +olcDbMode +pidfile +olcLimits +memvfree +tuple +superset +directoryString +proxyTemplate +proxytemplate +wildcards +monitoredObject +TTLs +LxsdLy +olcTimeLimit +stringal +init +Locators +bvalues +reqResult +impl +outvalue +returnCode +returncode +attributeDescription +attrval +dnssrv +ciphersuite +auditlog +reqControls +notypes +myAttributeType +stringbv +keyval +calloc +chmod +Subbarao +setstyle +subdirectories +errlist +slapdn +uncached +ldapapiinfo +groupOfUniqueNames +dhparam +slapd's +slapds +inputfile +RDBMSes +wildcard +Locator +errAbsObject +errABsObject +SASL's +html +searchResultDone +olcBdbConfig +ldapmod +LDAPMod +olcHidden +userPassword +TLSRandFile +use'd +auditBind +requestDN +lockdetect +selfstyle +liblber +ERXRTc +printf +AutoConfig +localhost +lber +noprompt +databasenumber +hasSubordintes +URIs +lang +auditSearch +ldapdelete +reqTimeLimit +cacertdir +queryid +Warper +XDEFS +urls +URL's +postalAddress +postaladdress +passwd +plugins +george +http +uppercased +Poobah +libldap +ldap +ldbm +ursula +LDAPModifying +slapdconfig +dnSubtreeMatch +olcSaslSecProps +olcSaslSecprops +auditModify +groupOfNames +jensen +reloadHint +prepending +olcGlobal +matchingRule +matchingrule +SmVuc +MSSQL +hostnames +ctrlp +lltdl +ctrls +rewriter +secprops +namespace +whsp +realusers +dnstyle +suffixalias +proxyAttrset +proxyAttrSet +proxyattrset +pwdMustChange +ldif +bvfree +sleeptime +pwdCheckQuality +msgidp +pwdAttribute +PRNGD +LDAPRDN +entryUUIDs +proxycache +proxyCache +SERATGCgaGBYWGDEjJR +noanonymous +accessee +createTimestamp +nretries +auditAbandon +LDAPAttributeType +logdb +procs +realdn +alwaysDerefAliases +ppolicy +jpeg +functionalities +pcache +caseIgnoreMatch 
+sysconfdir +checkpointing +rebindproc +dryrun +noplain +exattrs +Jong +proxied +firstName +accesslevel +login +rewriteContext +dcObject +newparent +numericStringMatch +TLSVerifyClient +subtree +multi +immSupr +manpage +assciated +wZFQrDD +serverctrlsp +onelevel +abcd +reqcert +referralsRequired +Hyuk +olcServerID +reqDerefAliases +newSuperiorDN +passwdfile +errMatchedDN +everytime +mkdep +olcDbindex +olcDbIndex +syntaxOID +reqData +databasetype +woid +numericStringOrderingMatch +clientctrls +RetCodes +pwdAccountLockedTime +attrtype +LIBVERSION +proto +endif +reqNewRDN +ldapi +notoc +matcheddnp +mkdir +mech +pwdMinAge +ldaps +userCertificate +LDAPv +IPsec +tokenization +olcModuleList +robert +generalizedTimeMatch +UMLDAP +OpenLDAP's +lookup +ABNF +olcDbShmKey +pwdLockoutDuration +TLSCACertificatePath +ldapuri +ldapurl +ACIs +behera +olcObjectIdentifier +endblock +proxyAuthz +pagedResults +bitstring +ACLs +berptr +olcModuleLoad +attributetype +attributeType +auditModRDN +cacert +freebuf +IDSET +pwdGraceAuthnLimit +invalue +XKYnrjvGT +srvtab +referralAttrDN +requestoid +basename +substring +booleanMatch +babs +pPasswd +msgfree +slapdconfigfile +olcDatabase +builtin +hardcoded +SIGINT +MAXLEN +xpasswd +cleartext +extensibleObject +pwdLockout +SIGHUP +reqDeleteOldRDN +reqAttr +subfinal +berval +octothorpe +LTONLY +filesystems +urandom +NDBM +abcdefgh +olcBackend +errmsgp +boolean +updateref +regcomp +contextp +filtercomp +LDAPNOINIT +deref +preallocated +syntaxes +memberURL +monitorRuntimeConfig +bindDn +bindDN +binddn +methodp +timelimitExceeded +pwdInHistory +LTSTATIC +requestors +requestor's +LDAPCONF +saslauthd +MKDEPFLAG +gecos +entryUUID +gnutls +GNUtls +GnuTLS +postread +timeval +DHAVE +caseIgnoreSubstringsMatch +monitorIsShadow +syncdata +olcPidFile +hostport +backload +bindir +olcObjectClasses +auditObject +LDIFv +strcasecmp +LTHREAD +dereferenced +entryTtl +LDAPControl +pwdMinLength +ldapcompare +readonly +readOnly +RANDFILE +attrlist +aci +directoryOperation 
+selfwrite +pwdReset +acl +attrname +ADH +searchable +bindmethods +logpurge +reqNewSuperior +multiproxy +dereferences +datadir +malloc +UUIDs +veryclean +userid +Kumar +AES +bdb +manageDSAit +ManageDsaIT +bindpw +monitorContainer +pEntry +baz +memfree +lresolv +objectIdentifierMatch +Blowfish +mkln +numericStringSubstringsMatch +openssl +OpenSSL +ModName +cacheable +freeit +pathname +ber +ali +mandir +changetype +CAs +CA's +typeA +bvecfree +ODBC +typeB +unescaped +devel +pwdCheckModule +LDAPURLDesc +authzDN
diff --git a/doc/guide/admin/backends.sdf b/doc/guide/admin/backends.sdf
new file mode 100644
index 0000000000..013288f453
--- /dev/null
+++ b/doc/guide/admin/backends.sdf
@@ -0,0 +1,262 @@
+# $OpenLDAP$
+# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
+# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
+
+H1: Backends
+
+
+H2: Berkeley DB Backends
+
+
+H3: Overview
+
+The {{bdb}} backend to {{slapd}}(8) is the recommended primary backend for a
+normal {{slapd}} database. It uses the Oracle Berkeley DB ({{TERM:BDB}})
+package to store data. It makes extensive use of indexing and caching
+(see the {{SECT:Tuning}} section) to speed data access.
+
+{{hdb}} is a variant of the {{bdb}} backend that uses a hierarchical database
+layout which supports subtree renames. It is otherwise identical to the {{bdb}}
+ behavior, and all the same configuration options apply.
+
+Note: An {{hdb}} database needs a large {{idlcachesize}} for good search performance,
+typically three times the {{cachesize}} (entry cache size) or larger.
+
+H3: back-bdb/back-hdb Configuration
+
+MORE LATER
+
+H3: Further Information
+
+{{slapd-bdb}}(5)
+
+H2: LDAP
+
+
+H3: Overview
+
+The LDAP backend to {{slapd}}(8) is not an actual database; instead it acts
+as a proxy to forward incoming requests to another LDAP server. While
+processing requests it will also chase referrals, so that referrals are fully
+processed instead of being returned to the {{slapd}} client.
+
+Sessions that explicitly {{Bind}} to the {{back-ldap}} database always create
+their own private connection to the remote LDAP server. Anonymous sessions
+will share a single anonymous connection to the remote server. For sessions
+bound through other mechanisms, all sessions with the same DN will share the
+same connection. This connection pooling strategy can enhance the proxy’s
+efficiency by reducing the overhead of repeatedly making/breaking multiple
+connections.
+
+The ldap database can also act as an information service, i.e. the identity
+of locally authenticated clients is asserted to the remote server, possibly
+in some modified form. For this purpose, the proxy binds to the remote server
+with some administrative identity, and, if required, authorizes the asserted
+identity.
+
+H3: back-ldap Configuration
+
+LATER
+
+H3: Further Information
+
+{{slapd-ldap}}(5)
+
+H2: LDIF
+
+
+H3: Overview
+
+The LDIF backend to {{slapd}}(8) is a basic storage backend that stores
+entries in text files in LDIF format, and exploits the filesystem to create
+the tree structure of the database. It is intended as a cheap, low performance
+easy to use backend.
+
+When using the {{cn=config}} dynamic configuration database with persistent
+storage, the configuration data is stored using this backend. See {{slapd-config}}(5)
+for more information
+
+H3: back-ldif Configuration
+
+LATER
+
+H3: Further Information
+
+{{slapd-ldif}}(5)
+
+H2: Metadirectory
+
+
+H3: Overview
+
+The meta backend to {{slapd}}(8) performs basic LDAP proxying with respect
+to a set of remote LDAP servers, called "targets". The information contained
+in these servers can be presented as belonging to a single Directory Information
+Tree ({{TERM:DIT}}).
+
+A basic knowledge of the functionality of the {{slapd-ldap}}(5) backend is
+recommended. This backend has been designed as an enhancement of the ldap
+backend. The two backends share many features (actually they also share portions
+ of code). While the ldap backend is intended to proxy operations directed
+ to a single server, the meta backend is mainly intended for proxying of
+ multiple servers and possibly naming context masquerading.
+
+These features, although useful in many scenarios, may result in excessive
+overhead for some applications, so its use should be carefully considered.
+
+
+H3: back-meta Configuration
+
+LATER
+
+H3: Further Information
+
+{{slapd-meta}}(5)
+
+H2: Monitor
+
+
+H3: Overview
+
+The monitor backend to {{slapd}}(8) is not an actual database; if enabled,
+it is automatically generated and dynamically maintained by slapd with
+information about the running status of the daemon.
+
+To inspect all monitor information, issue a subtree search with base {{cn=Monitor}},
+requesting that attributes "+" and "*" are returned. The monitor backend produces
+mostly operational attributes, and LDAP only returns operational attributes
+that are explicitly requested. Requesting attribute "+" is an extension which
+requests all operational attributes.
+
+See the {{SECT:Monitoring}} section.
+
+H3: back-monitor Configuration
+
+LATER
+
+H3: Further Information
+
+{{slapd-monitor}}(5)
+
+H2: Null
+
+
+H3: Overview
+
+The Null backend to {{slapd}}(8) is surely the most useful part of slapd:
+
+* Searches return success but no entries.
+* Compares return compareFalse.
+* Updates return success (unless readonly is on) but do nothing.
+* Binds other than as the rootdn fail unless the database option "bind on" is given.
+* The slapadd(8) and slapcat(8) tools are equally exciting.
+
+Inspired by the {{F:/dev/null}} device.
+
+H3: back-null Configuration
+
+LATER
+
+H3: Further Information
+
+{{slapd-null}}(5)
+
+H2: Passwd
+
+
+H3: Overview
+
+The PASSWD backend to {{slapd}}(8) serves up the user account information
+listed in the system {{passwd}}(5) file.
+
+This backend is provided for demonstration purposes only. The DN of each entry
+is "uid=<username>,<suffix>".
+
+H3: back-passwd Configuration
+
+LATER
+
+H3: Further Information
+
+{{slapd-passwd}}(5)
+
+H2: Perl/Shell
+
+H3: Overview
+
+The Perl backend to {{slapd}}(8) works by embedding a {{perl}}(1) interpreter
+into {{slapd}}(8). Any perl database section of the configuration file
+{{slapd.conf}}(5) must then specify what Perl module to use. Slapd then creates
+a new Perl object that handles all the requests for that particular instance of the backend.
+
+The Shell backend to {{slapd}}(8) executes external programs to implement
+operations, and is designed to make it easy to tie an existing database to the
+slapd front-end. This backend is is primarily intended to be used in prototypes.
+
+H3: back-perl/back-shell Configuration
+
+LATER
+
+H3: Further Information
+
+{{slapd-shell}}(5) and {{slapd-perl}}(5)
+
+H2: Relay
+
+
+H3: Overview
+
+The primary purpose of this {{slapd}}(8) backend is to map a naming context
+defined in a database running in the same {{slapd}}(8) instance into a
+virtual naming context, with attributeType and objectClass manipulation, if
+required. It requires the rwm overlay.
+
+This backend and the above mentioned overlay are experimental.
+
+H3: back-relay Configuration
+
+LATER
+
+H3: Further Information
+
+{{slapd-relay}}(5)
+
+H2: SQL
+
+
+H3: Overview
+
+The primary purpose of this {{slapd}}(8) backend is to PRESENT information
+stored in some RDBMS as an LDAP subtree without any programming (some SQL and
+maybe stored procedures can’t be considered programming, anyway ;).
+
+That is, for example, when you (some ISP) have account information you use in
+an RDBMS, and want to use modern solutions that expect such information in LDAP
+(to authenticate users, make email lookups etc.). Or you want to synchronize or
+distribute information between different sites/applications that use RDBMSes
+and/or LDAP. Or whatever else...
+
+It is {{B:NOT}} designed as a general-purpose backend that uses RDBMS instead of
+BerkeleyDB (as the standard BDB backend does), though it can be used as such with
+several limitations. Please see {{SECT: LDAP vs RDBMS}} for discussion.
+
+The idea is to use some meta-information to translate LDAP queries to SQL queries,
+leaving relational schema untouched, so that old applications can continue using
+it without any modifications. This allows SQL and LDAP applications to interoperate
+without replication, and exchange data as needed.
+
+The SQL backend is designed to be tunable to virtually any relational schema without
+having to change source (through that meta-information mentioned). Also, it uses
+ODBC to connect to RDBMSes, and is highly configurable for SQL dialects RDBMSes
+may use, so it may be used for integration and distribution of data on different
+RDBMSes, OSes, hosts etc., in other words, in highly heterogeneous environment.
+
+This backend is experimental.
+
+H3: back-sql Configuration
+
+LATER
+
+H3: Further Information
+
+{{slapd-sql}}(5)
diff --git a/doc/guide/admin/config.sdf b/doc/guide/admin/config.sdf
index 05700cfe4d..f80ec4a1d3 100644
--- a/doc/guide/admin/config.sdf
+++ b/doc/guide/admin/config.sdf
@@ -15,7 +15,7 @@ directory service for your local domain only. It does not interact with other directory servers in any way. This configuration is shown in Figure 3.1. -!import "config_local.gif"; align="center"; title="Local service via slapd(8) configuration" +!import "config_local.png"; align="center"; title="Local service via slapd(8) configuration" FT[align="Center"] Figure 3.1: Local service configuration. Use this configuration if you are just starting out (it's the one the
@@ -32,7 +32,7 @@ referrals to other servers capable of handling requests. You may run this service (or services) yourself or use one provided to you. This configuration is shown in Figure 3.2. -!import "config_ref.gif"; align="center"; title="Local service with referrals" +!import "config_ref.png"; align="center"; title="Local service with referrals" FT[align="Center"] Figure 3.2: Local service with referrals Use this configuration if you want to provide local service and
diff --git a/doc/guide/admin/config_dit.gif b/doc/guide/admin/config_dit.gif deleted file mode 100644 index 2327d03c72b10f9edee0971d3a9d8771517511f4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4599 zcmb_d2Uk<;5{=~nf_ksgo2VdFL5Xw)6@d^?loFaqKM;!a8bErJUJ?#S7eenf@K7nz z0$!yz0jYv;uhOJk&-=n}c(Yd4$z*2s?7io(P*Ycxl{5c+g8RfCiWY&#pTOfsAjkq~ z@$TI_1pJPmkmCn<f^Q(eZ~wnQqfihE1*1?@+9r^p(I_;8Lc=ID6@^A<MF@?8AQS|n zASwz%XuU8R1w$wpM!{4RjL=4@XcQGfQDGF7ilWk(q7XC+flvsHLa2Z?4VVTEu)r|r zMreCz0in?_8cju`5!zaiK@b{((GV34Av6}C2t#NXM#EGzjL=AdUMhs9!e}ZLO+^4l zFp5SXGy<a$DjES>0c!vTNCTFD7N~*602@F9EHI4F1krL3Fa%K{2%+f%Ye5FX5KM(& zgeDiT07WVcQK=9W0qOxM&<i0jgis*_$OC==nqV5(0rUeBKp|iazyN8$60`yyU@^c3 z&;SdeIY%pl90V1H5t@-eA6N@ADix+8z*is_umD9Ep~4985jYJD0K7muFdC=@Rsuf& zO)w4Y0Gxnepb)SIV1P831hfDTuoz$iXoPkmS~n<z90UR`28;yyz*>+|k6$vHugCYM z6^~Cyv-$WcwBBQ*X|5l8M;kr1gLZ^tg*2pN(zKf#^PmAALxa}=TnU&5G=WvuX>T*_ zZvn-Cp!gVgFjYD4Ll~GvpY>Gbc0~NikA01)&g*)`fwr6Osm||?zpNb1qh9l-H(6Mx z<XLY`K|krHW#4P{+QNYhS+}+6-dgg<?0X@Myx6*;Px+W+QIo#9;vw>rd~7DRzGS4- zpw@1tufBAw(ySwzSEHe9qSkh(#H7EWe5%oTp)XUTv0|phduwf`zp--mZD7<%4$Y>j z`Ho0tvFFsL>V@tEehqP+Cdsk)L@A3ws-bA$Ah%M;rE=Zd_?SYiQo3|skFL=Q%h^yz zX0&5vqxE_KOn{uK-g+@9aq>VvD!L=Y=;4fi-hCY8RejlJczJs*obQci)---^X-<kC zxqX96Vdwj3cBz(A=AHX{-|Ju6$Sbw_N7orEOZ+l^>-qaf7k&0i(u_?GW}o+=*@H7} z>~k+qDjJyL>2a%1Ls0U<e7+ntjdOvVFQjtA1h|IheTC!5X5oAljX5}eqA-8xmBPKR z(dRFY=S4_CtP3#$U+D6}8Q-hrCteT~;d8wwedej#@&!XHj}1rmt4Y(hzAX}&{uNFp zsRZ?2^S1a|xRhp#72$Y+Z`hyHN~!(^rCV3vR$f=k_@rlfZ^{W~`^V7<+lJ8fP58N# z;4L18O@^CA=W<f4y>xMt*YdBhme{JLW4SmAUOnJiQx5Sw5F}?w!><!W9`9wBa;qZv ztEt?}k-XMZawRzhL)N6y)G9$yyAsxlzJ$cZEB#mF)bfPwYfoCFIg}2{mtKEUc(I>U zP5RukQ21y2a(0|PWjw!eo_JW^%(Y7_Z}4?7woX|LHvUp%_eEndA#c=pgMuRWUv9nD zS6cD*(+3gp+7qS(e#*gbv70TUpQFX!?{T(PhVm#MEk|7t<NVphpse81an>}(#XIL` zw?yBi<g;eI=d(4o-pVYL{_N|2dQjRqB+6OUbCH?%M(uq9p}ZHRM0NXkQDj=QvhIN5 zRz-ZlV@7N_Y46fg5x}rMsKvBb@q{bi-E+dFe1NO?M)Sa~vFp}w4c6o14DL&PEHZQB zi?2<Y-5lM|yQKNhTI*Z=kwR^IRtak2`->_16=@4;q|TYIu$ST}q(l%u&^PzGd+-gn 
zzahR-)F{reZuOSFWxZ};v2oDk%k#s{4>JR+-&^UGk~U8nKWzP{$DYpbN70S!qpfqi ze0Rx%%1-{Ni2(xt?)2*aArt(??d8EPv$aOsFE~5i6uXvh>UmgMefsTT@u1Tkr}?2- zo8Mo%1j>HzEST=vS}38|Gy;oicu$@ydVSLF;|nIMoXo2|JhD%p1jEf{g?|;^KfBo# zB#7q;kY9b@k?8D=IbnWgKJUT1)a6jIBc8KS3z?iBo;<wT%BO4Ot;{j;S6J4*`5y?W zU3vD|(o1E5%s)+%l<RNYijo(}+i>1`D11;D6@T(EYkAW}k;&NW&lmHK8Vs1P2SmkK zoIS^7pHIA5nCJ_A|GMy1_=D7DXdGjw<=Gi;mb=TL@lI9=yz^G<_vmVH_CNBq&Yn?G z{cK|#w>@|HkRc88`D4<T>a&8`jlE>ypJCaHhC=xlu~#2U`je;UPisVxb$wN(^Zl~L z$nAZXM{CS#%ldBMVGa2mNsryA0tqj;{nQy9z0NlYVF_tXmI3E6gAQ{NLFi&UV_&+t zdg0mn-UkkfwU0g>rO5QR57dTk#St~g@?&_pf$FWye?o=Szp8)qon&_9;S}=6>LG(@ zNpiNrY36(E`|sLT@i~>lxj7eCN%B`xh(GwP5(~X9Ip1QDO1&_oTr7D7x4U9sq%fi) z5!@7ezSQq?FE3heTjugrS9_6I-mNT_l=ub~jr4xZf~K!_`Um$yjgxqd5jO3@N4kag z3W~5Jwf|jzVuSnonYBGQtUPO3hx}Wk=s{Te@YmDi7r5YJjPl5*BA5C*J@T3a2LW8c zT`5QdEt(`9`RPYmgdeg#q9N8d{AS>l)ANhkqg66xRw@z7QIxoV&{X}E0X;*@g>(yl ztRYcy=b03v{oq=Ce%ck*QV(8MBQZg#obvke`&04H7T6{e#LMqzjy!#)wQE$5Fb-IK z#BMx`H=0QCa41YS!L@{P8++td)$4go7Jj()EV_B5@wPzm;I^J*;^t_xzCx<&tLUla z_L$OH4bf+g+_*Hy-O8MPk_vs(NV|n+vj{im`1dZOZ@ZBcV!_`AOa0mjnIlarCY6D? 
zOr|GDdsYm~62Z-c8Kxk%+8PzDvgs-DpV;22?z7+BBMN7>R!2I%&5%NwHJ&r+v$imP z*(CU6%<7jnm7m$<u!-%zt#gKjA}VO_S5BCprMUa=Emifgv>G)%@Ghf@Z90=2Moug| zu2X~zd|Z4d`Bh^29@PE_8OgBxo08W1=+u^tn62r~2LtG>e_2fYcf&btdt|^u@qAw1 z-gWqrtb2{ljoo)RDUydz|AjEujDi?6>g|4ul4@~Ii`W&ZS<kw7RmbFOj^)ZB74J_& zw{E`I7?V`q>C`DP%KULO9r{i56C^b=9KdS$EYVXbd7xIeTF^#`R60@;yQ9@Xcvt{^ z8cKaAF6YnNu6t-(l=<Rs)7!7vD)YD|m{>iP3(l$9ejFMvX|5J5cGPq@jGE#*-8gqM zRp_3C@$~y`X?$JgQ}<fUnZ?c7WURI0bNU0FO+n^X0+YjI1%si(xJGx}+TW`+60_^p zjovQXdY75?=AauxUbn4>2*!RzJG~jxX#-9|>_=S|ZENqZ#1)T3adqq?&8&J(J9uNV z?8gAb#11A!oBiJES(05`b2jxKEB1`VdFxcXR<!j*b^WkTK=UWXhAp-XLvw-MN#m9V zgT1*)oDO1NxN%N9bLe0(qCrpB?Z0F50VeC!H3wtw+C0egGaH#wTL}b*McItTFTAF* zZm)==`CdKd29Gy7FMV(+U~I6BdExwG*2w0ME{}!;Rr#-p-#sn*r)z(2{F8BtTCo=F zH|8#$nZWD6BJ?+J*G)D`_lZH{k*#q{egcKWj`PaO-rv@wrz~xh{OsH`*s@qUYW#Cy zz9B^Mi-e`~+9Tw!c+G2v3Gq)Lv<c(Z_cx=pDI4_?d+Jk)!womGkU^QVM=Ok`W`n=) zRLA=Je+ZWCyeS^A-(hVrj2%Dp&Tjj?{)bzRE8l<x+5o@za#e-kL+>cf>XozW<*85T z=!X7c_gC`puShkeSM?uS@qM4_zwar>xoZ7jInZV_FnlzSL=F(PeJb(Oo9GeLPqNk# z^45reWa+&`BfYmqtd6evagR&zt{Sh9Z7RG7(#+OqOsJf8D5cw%Puc#Cn%*y08~d>U z?U9#1Nx_=q7Gegv*H=T7$yNo@!M{jhGPdrCL;-OQT@1TV)sjg92~v&-OKEgui17UP zWLW4<@GTpAMM2-)ZYfLQpu1AyLSA-!%OUz+5{=4MKL4>WMH=k<e)*@4aWd+M3|mEo zF*`?mc2CF1d&u%|+6aC3aIwgJiq^(WNJmFQkAJcWyun12a7bKj)J&6gL>g{1rbP`T z-#=oJ2+Y$mO3~W89n;Anx2YS`lNPg;5<?x2`R0z9IT`bpu)M!?>?p?Uvv;hoj>{wm zraw7$hCzb4TW5YXy3`<!V0C9PGVZQU)OT<7_Fr)a9YX8E@#~|nc6-$2QsdjV#OHeA zbACCXqU4gd<4^57YU;+*Pe`lQB?N`2(0xmwQ&D3SN$g-#VZ|qseyMQbg)eX>@;1xZ zUrchhV7aWG#ICL`>=S*;BT3Bgveb4Gr3foI5yz97D24PUW)PE?mic9SlTW(~-s^pZ zy`56kl&Fe-vbdeBE_X+>*W-~0yVkzKQ+0M7pEx~{BzLz|LpdkG;Z)oAspSmBi4=Bm zbz*ZQyM;Q@CMwbP4FAS1Q9<OfE9b*dZBka9ko|rV!O+yZILYTT>EZ<O(fu@Ak+l2! 
zq|;rp(cg&ZiL@x6dkJ!Zg9h-WNEspw@991Whed3L;5hufNRh~D?-!`s=~l8tH4()k z_+`Cq`s$D{P8K?+4mIFID`CCreS0aKP9yv(@!HiE*g<8C`E5@|vzJ4e2*ys|-dQ$- zu%zqrE2Cgvn-cCoC!1-#La3As)4csUSWv7J@d{58lGF)*T_ATEFJ;l>mW9Tc1g((9 z7EDc+ZA+K@E_esZMi4NmnTg9j2t97j&@36s9t+D3Y6?9R@i(crtsz?q$huCu`CPym z`OCia^L)wA`U;lGVu{YxPqUa8%H4{x%(ls4S$_5#lj$a7_8YI;6lHqF#;w2Ee5W_8 zcPZSpD7%l2AT*gJXJmE)o6kHM+yon%?-?;gW|c&RE0u(5s9DFP<<uJFwbI-D){ph8 zFA%7G*zHrG))%zb<#}Z?qIftxtn*D$kLrKA^6b+|Qfq|@c7l#Z<Tq!?DkX)wc08_= zZ}y8defl2wbCH6uG9l4UE_OwpzN9E*jm<PV0Vi7Y3LAAw-nl{`C%Hshq*0d3H)wR_ z9=CpRvt_u9P(m~8aXq30Q&K`mPmiD|w4oyuZJfCoom)I|bd<eDipl>nq~ZiUCPnNM zy)%bIGVN?5+$aIQBoj|!=#TE#dSm*Q5gvNsW#!n|HpbhV%_V=;c&lw$@9vZP<fEuu z3hyp@z6cNh;bUZF6KZS3j^E1Jq*&hh<@fc##h4rvJML3cD8DUF@MS1SjIKP7@fNfT zrZ5K8V=I)?sw72A`J$^<*TTZ0y>z7Vtg!)?N=iAzN)6P*&%Mf5TdAIggN{h<nC%MO zw^Ek0klCSJHjdn}we*Mj6`1MTTX>Gx0ruJ=QrUQ)$27@OfuYJAW3`8^Ww8(Z>}oDY z&^_X;lhnwlSU|ry2w&1iv;GQxyjA3mt8f17uf1wDC0}rJyjE>WF4EP*i{Y9TCHQ1y z4OzOjf>AHSsL{Bmj#t4Px7tv!XBR?uSCl~J(<qKDNyYaTg-xlpaye`=H#r?dhl-Y% z`#452#Yb(saSGheDZZQitw~_1xvdD!E6we^MJa4~oD5S+S}0{xl!`-26?aRGLQ5U^ kA4F(r%4ngqw6spOv>mp*<8EzNXzes^{h+~i;si?Je}fG7*#H0l 
diff --git a/doc/guide/admin/config_dit.png b/doc/guide/admin/config_dit.png new file mode 100644 index 0000000000000000000000000000000000000000..fd51f296da616785f4a3a9b99c45409bfa0c60a7 GIT binary patch literal 19735 zcmb`v30RKp-aULLDx?&W=0OQ5LNpsv8k9m44VvdkqeeoJCPk=3NogK5Pm~5yhUQX9 zC6(rR{?>)}-QV8te!pXX|Ko3aj{Q8{ch`Mg=lL7fZ>@FSx6dlcZrZ@KfkYy0k~=M} zN+PW}Mk0}MQ&He2ZS*C&_&*AL1zBm*D)GOk#qpu|38jPFnNyU_R7~4<P<|4gJV_#P zkmRI~pLdD;)#2)Le!5s{Y<A}(xzi`qC^X4U*Jy6C;8H!cZtI4YBn=-9Ke=NgX|I|X zigmWVFOIvuJ#kvnT!UV1pZ~r$4AK{$zh^6pIev|oYVCnc6V8K=<cxnzF8UZ-^FBHp z+Pm}7?2zk(c;uu+O+SlJ*Qi@v<Oh}8e%{rT?u)~@egOd&3aGh!ulx8ss~-px@DaV` zzvq5p^p{f(hGg>Fk2R>(MT+>`-m*)-Dv(t^{6xdsccHrucq}-?)o@Jg@WeZ$rKKC1 z7`^@c{Hpu+lj!K^LOxz5ap6yNISH>xOZt-GH9vP6^38a0o`r$~uT6+h6TjGd<sZN3 zxMqHS{*&n;Mo|Yo(y=(z-IwU-R2C~q(hchk4Gr~b9_%}Mb&8MV{qZO-mwh0aUjkX| zXTL`WO}KXMT<b%z>BQyB&$7?Nsa|eOyui3$kF>PB{Oq%7aCCGRS9^{Izso>e_~vcf zZhrfwcX!7@inzEq>*0%Ws?SnWX@aCyj^f=ZlT2FadStk{r;X<0i(RWv)QLwrK%zT5 zwlI`t@ZsSBK0(2%?-l+bj~<!TKZ%YGl5m@OZ7FPkTdS_FPS1IHeovv)h~;8RZs&=Q zPbBOHzVKWs^<>?`tN40vTG98WlA*L2KfjK>QWj0g$Bm45N)|`NSR}4)jW}X6vm#AL z=jd>vm)q%A3+I+yN)82z`uZ{F)zsRo$T@g;c+ULDuW8K*y?3v-GJv^hz@j--ZnU$w zqtm%Zlu0Q*KECGW#_h@Vlr$`33D)M!r%s)^ckf<|!;S{KFwq@t?=}^!k#2aMf2IFZ zwuQRyuyd!YNs{H_uhuMVOuCY+jLi4<_xJA098D`-Ve(j*%1~<V;yWYVTeBuiz&k<W zKt!!l`|=V?sfn$FZotxz!EW_-rwjgB9%2SUk6g|jqEq1}u79l5bNOlWP(*g>(hyr@ zC00UAK!9f3wrx!V6BG6cjf2LGpEd05h2Fn^pInbS+?T1%6%%+DJ9%x_6PGoGPQxd( zwOMnl+HcLx%?Y>8Bx`1+doEx7IZgac)-7ctr=T_sS+0u`+ip|3ES#8>G`>9B)uUdz zaKYa)+%JLKfW&34_vZS#mLk`KCr+Nsu<br!`86-&OwMxIM!~1a$<)Pevog_=9%nT) z{DLGG5>CxTL`4N4BBq9#Y0b>cTn1mpKmBZ~W!Nq)&3a$n<qB!uFG|drYu7GHF{fW= z3$~up#&(wb(pF)y!vt<J9d(`9`9e9mE{N})_Vx>VE=a}s|EzXd=a&#V)Re+3Iroj6 zk(%QC`SW_MnMQL1%3g^Mn$psD^hsQUy~K<B7jvjDU%t$E)RyC}3^#+IPV(>9zem5> z;%FZvK0(Fi+DnH#<1$yrMgNl=Qt`F@{&szw0!NI}4XkU((vrLBA*O`$dxn(51+>Rn zO`==*`+p9M&bVY+S|oQ}n(o*C`RUo6CNdJYY~ZU$YMBgNgL6nprs|I$tLl}d0`^_Z zX%YV{apcH$B1>jQyV4wPTkYZICcl_t`Q~%1EE!2&Ql!fCP@Cf9Zb|9hO%xn46hcBm 
zV=IfJJsDMOS&yVpDvBoS#O7wbR-FrnH2E2droJfn-MMqZ)^>m8-5ow(zNkhR$;->{ zcN{!_!`HW`+m}7()}4hMlo@U=t~E>n6t{2RZYl97ym**7K;}cF$QDjcPR2u~n>TFS z*paI6ZxY_dDk&+cyeCMC#>>lVsOT00zXqxkm1(xt(#mY9^VJKLQCjv_uGm$vI&+AN zvs~$~yQvhP)oQc6Ex$6`<x1r1RqX-Qq((+@m;E!t?fp&pyJ7<Ui6|{7DB$gm@0=Q_ zS2=rDFL(Ig=ed5?hlZEuG8_g}FXh{>+p%MZMuz^)?0r}>sg?1d@p4+JZwu2yE(-(k z2TbZ%a?L%Lr<)HLe_#v?4>uV9UQzww!&E{lHV)ZIX`HnK3w>NhhQfQbuuRo!TXM!> zi>9ZUne<&Av#fz^5_f7Nj)<kyM`?As_Or5xyKFWxGWywBET(gHfG5{{{KwI2tA$^T z_A`#PS){c_p5z*Qexq9US4+l8UZu#N4m*@}=r@I*k(a;6e8gHKK25uj7b%jXIrI7& zdDB2*;vTs(XB_jaeBS6~d6+oz@bbzV8O3!7I}h&Jz1z;^QowAxt*C^Aw!o!4y(mfB zZ{GEy9WRYg`I-hYGllZ8>m7*|?L7_V+4sW3`_pG~&YnNNbNBAucbbl|%D;@_j1qrJ z-%UBt%j`7r^>$<=3+}7DTL|6f-L_km>_ZK?M=lBT@ljnZX7lvS6-<0wYrJ;dI#les zg5)=P$Mp0#yxZAZ*HTiJ>+RRbbsPJ3+<oHRF23EniNLg*`K4L7Xr8PPF7Rn++DXdO zK3*WJ)zZqQD6MkQ>L@D{)1CM4<%g;aD16AY3moh;;>EI2W*i2-RJ5_Nuviw)R%!0* zWa~$@Ibil>=T2VU?}+DeujOVh&7h=|NO4#C`gmno6&00;k#N!E|L&PfRClY_nb{tE zwd;d%R;@$1_ZJtpB=s~IV`JWhnPGp|$sgUwE2|k#aqW`Jd}BA>8BQ$7^j2mcqGsh< z<6rSbzun0x67^qNMTPExpl;wtsa2NJmFcvIVqLC5Mj|!OCN&BlsS*y0j;77lvdZ1} zj~Y9{Tk}NJ@%_T+P;*+WdYVqt!2D#tL05^#LkTxwnE<Anj~_GTT8uQOu}@v~$Qm+F z?d>%TyMJFZURyigHvYk__B{K(4P4yZ9f@%~fd_eb))Ad+b!Bw*`*3d8jHx!)pbK#W zEty6epLi||@Ny<}M_08Uv}ocdsx!6;fAP^(-elyK4_sH~`-xyb7GHmPda#jE;_9pH zeMsnN_lfn?6y$;IQh@{Y@rBxxTa?AGX%{*Xowz;6>ZH4Sk*wq4=CAoz#%J1XVhakG zy1Z5;Jg1X%MYKDkv^?i)bYoD;8yg#4W;>j%N)~sa|5sF0BqS$WHswUg$;+2DrChu$ z^ysXXR+~O&h+kWVaIum9>Ek0`*Y4xWv}zYtNorj4dLdRV$q1h(Tyxlc{$Z{0BPp*E z0Fu*&hR=aEs(~vkA9&ycctl0DfQ^j4=GjejICp8bJCAnmv$M0K-@KV)e0)69u16-< z=6chBgOJhtt)EQ~-3trbDI3T#o{(A@Ih;E_Wsz3Qiy--uq%P>%ALT3^`}t@xk*;2= z9s{3aeNmL=TR(d89<k|sl_RM2>NNUR9Afs2`S{FHS~hXM_3PJv@9#I6T`kx*#%nsU z+2;BTz0Gyr=<d2RpBmho({!uGy36gl%WfK{jQ*0b(S059^xes#^=%3WM8C&z7jv!W zzWLDV?PolzqH@is=0SJ7)bh(OMs#%fHv!8Y_xaFDzRonN+04Lj>l!&_ndu>Y)FAor zQ_{T;NO2oEVgd(3WZB+u2Z<vxC;Ng*{St=9H~fDCx&IvjmQsbdzeh$rQ+)}fSuG%W z^GU++*yRN2-UeV3TV(M03m4ve{74I+IQKco^M<6y0tdQpmdVG;BVF!3233L2a&j0* 
z#NBq6`*I5i1YQeGaKsgKzHj5;$`pE}c+_+0XvxChUTmo!)kwjRz*6rnspHM5+QX?^ zHgEQBXgL4;#S5+e3l}bQ|NI==l4U|Gy>`$24F?V!IIXNK>)_yUk(Gun<Rs9kWHQRE zFAeJnGqc?vj1L}S+H{M0$90ov4+b)_+EKQ$va+#HCuzH%`Lbo!6}pUbNiP06__fG& z%j@B9VfXG`=RA4qSnOvP4}NLsCwe5V3C`_;I&a_jP^#$Y(2%HTX{#h=zxs^#ROK#| z80hP7-m=9YO8Ai?-<~~Xi=(Bqv7f2#%ikOuv%SlBU`<9wMv4wC-MlcmtI~T*;hx@i zp#&CI<lQ2@7I)4l<tYx>8YVzXMn*=!=UX(a=27aJnzzx_^=3ypnp~F`XJxNm6-9F2 z=L_`{-A!C62D#-+%U;=<Wx~ldHalB|_zp06;`*X|$x+3{<tTuruU${2W`C5F7hAOF z!tOnL_K?1=D7;*73lx2C2XGF6-*DVxb$Rxv!_UpBx}`M!71z_#_dkz|yNp^cAKny0 zLCuJ2K%o&oG&nfc7p|*cerr=gQj(7!$DTbK0J(%~=;%a<%aCdCGen9yZn$~#=6*)% zvoFv8Y)slN6U4SDMJ>s})k;1^&ETyc9peH08;&}zt|A*YY#1AekJjq%aBS8-t)Oty z#U+p4h+ajk3fH1(Y-spa9m0Load7L>(h>*PX%vN5X7!sH850~_hn0}vq0IT{Q~m%o zjQ8)~-%Pibf<nJKnDexp-1wm2SHFZSdV<FqXov<*Nz3;3{$6zsE~*V1%7{I~_C)LM zY*ECn2z#9|KEyOmJXc47<NimAB=3X-zOPq4N(g&J$w-%618NAkO+`#lv9dwLdXqlI z%F^Ct5uum3I(0U$pl<K}{hJ2{1`vC>b%l046nHL6wh$rPZ^y9lW!>AQ=vDe(<B{G2 zAO^CE-HM6f@}t5t?Kl0zA-*!#L$!XrN`ZJZ11oC)`|4a(lNsG{Il1*K6XB)bPz6cW zl=06_`f}~weVaXs&XLRg@Rsa!OdI;EE6aHf1N4}B=#Uh2+%kH&$Fa%Da|Pn|CjhCw zy}kxi`qc5s8@<<<{nDL=wT60*7dVdwPE9!g|H!^Ezg^9YB+&s9IDY&%8NfIvmtSCD zWr9lV*w5IYJ=#p!-cO%$5RXbg%Q~QYCOllaK^4tV(cGL1HM=CsvuDrb!{nsd0Ej1! 
z0s0d?A#|5=3{u?F(-V`a<3jq`LHAc$`*_bhHjGLwO|w{>8E)cWVPUyTJl25&bSo<> z8`Kn}XE1n*s372dC~3c!-P}kb1<3dy*$kSJHH+A9B%j~2jh>!9I5=1@O8wk9pPs59 zgWAW3v0(_byq-X@;3rQ4b&9X<*4Rf!hNlviS5UC~_L>ai7gmFlpPxEbCZO!b`YmAs z0iq8Dv<vha5>yxun}<1e_SJ;j^;XjnZIoU8UU0BCZfxR~ON=lESIHXWYK>s&TP)#O zb#=;bGd@RlDMeP>(7sRuM4^pvE9Ym}s1z+3VAY<ZSxV1&=+M@azBH#!oLFP?c$fJp z>SMhJtvd>CUcbI3Qo@aa!G9glFz^%W;N@ox`E&F0oV$0gmy?rgautoDsS0A3wYC-j z>X^>hh0I!d!WYBvmLwh3G~4ABL{3Tb4f%}6rP{RV)YYq3<J~m)90dTS^F~V+ZGk2= z`;iFUpPrp;ve`gOMRiPHp9^K=4jz_IW1mV@1+H|xLjMg>hOwbf(XDYmm=)i&WEjwG z+ZN~GDy=hsoMm(SbztaKt7Rp+dxqnX8bB3sr)bhheROwm_UIG66cikT!BbZy0$D_^ zd#y}Hr)%&NJFz%YI6hUcJc-8}m|tAv77^L;?%lg4S2TN~-p!13Y@{P2A^s@wfPlG$ zs&Vw$7padma9%2L-+@|PhV3Bxy7Ewus1*`d4|NUGchA(;(~6Ig*j&Dm4HcoaUM7Mc zKnF2__zwvSyFtVfAK&SG{o8G16ddNxgQe$FpFSlWK75#Dy*mA&c(&7DY$Wew_n@C> zAUaZucxpK|b||g1^2M15y+cf7B;c0{KRWKs+qYL8+0uKC(fhQWOe`I0*&LVybUVEa zjo^n5{qEkS?))a#aGm(v$B*xz84VSoLqAJT-|RN?i_CU$(`n4m!4DqX!nW_eutz1y zfD|L_JluAeMbx2s!N~U7wQDGLJ>@5EZzU#q@u^QIU4B0EO`a6cDf07L>S51A4Iy!G zaF7rt!~ipz5v$}w=BK4?XLkStQ%YBAa-;bH``*)%{9y@EcW&Q4uBdp|vCUAZ8$E?U z3TH1~+(>s^T6(R_UB+uIEgI|g@|a6vQB<aBH!cq*r6ucrS6fX#E6Ed)V6cIT>UA*Z z$^C}an}>>krddSn*A_aD=F|;!l}dg2@@1}ZO9SVAQiwVlhb_|SQjrTCdM(kUge@5} zGc)JbTE-~xV+QM~3@FE~<2f$nd6%v(kLI~f@?wJ;%ny&0ELu~ui9hVhQ5pt?<k|~l zc+`Dve_~=H2NzcKEwMdFFjO46-N|07D?htROC1XkpSm8?+k`D!^gKFs@H}7Y>ksI? 
zCf!WjSr9<x#{#G@hsPm$5<pK`R~P&8!Zfk4)%(n|nTQ!5xGH7xeN7FK-o#+hBvn|7 zktXEHlRD3vZClAVYog|FB!Vut%hO`{%d5iC66TNMlhkY0%q5+W?)1mK0XOL%9BsEL zt*B!6x{D<u<@(fP$!vivvqqn(m3Q&8tF7+K07<f$&SAK1+ia(sAe-mh<v0ayE_VB7 zZRhUP!jVj+=BB3as3ID<)~smyB%*nuYy50Zi&iyK-BnKN<sK|0n?WWfq@>)e&_9kS z8XGI8ofH)IOV9=?C9uuas|Ajo0nA5i@jSoUvNv+A0m8`3J4zr7un;JttlP-X?ux4) zAovjsH{^NCCdnu-4<$WBORMktiAMhXX{z{e{~Kc+L=$+bYnTv;2TH$O9vl|-HmI(e zXXTayeYl`*<;wD+9l{pO1LiaCefw&Eyz!Hkj(Uf|@&KCK(5ug;ZvlQXtUE-9bfX+c zJ6Va0ZqH4_^N3ZD8pv)_DMg9iBq|NM0mk6stJ7rwY|k3a?+XO^ou)%3FpAjklnG=p zi~5})h&?gqkymy8K|xixAtF6^-amJ`PL@EP@bcyFk#J$kY$$i{E*_rCgAFg;HTdX4 zwrHg^{cw9Py>@k}UuyibEc-L`Xs+v^gs53Xw}N<BTBFWhMgpRc;-C5wr_dCXb!!vz ztzW+^kw1Rb8xhSI0{nu4a_f@tA;c3I*E0Rao>!-SUVHWG(9}rB#W&_J4<8_9lVeKx z9l1$K-J_#HKnhDgWu?9&=KR`@fu7lK-oSU4>F|5eQIK(be0;BUR~OXL?LkelN8P+} z19doiE5%b`HFb60va%EI;0;hWH`7rw9ilq-Lb2Qbj$c9)(akJ7Z)gEciCm$;fa9YS z5482S{Gzj@)j1!dK9=(9M{NXw+6WHPkBR`dwCr`hH|gmdInaAgD=JEZesp}I6km>q z3W<oYD3$^We?kOO5Szr-<Og5hkQ&Mc*%`D{RLG>Hq@-nJ^n0sAh*eeDwS}JkI%+vB zqCDEMlU8cU8wu6p%kJqdAD2lHf4ThDc#vA#4hjyzhl;%J^L^n*?Y`fbuFMBg)SKvi zw=^lw#l_x`Wum;)Ub-CN*oJD0qTf>BxEDPGWdTFd0n3*CcyK@VsNH^K)#SO>9c7qb zY`e?W`BAM|vxcZi;)}nsmYP(!xXg+4Mk6_`q?A*al$u(ZVNjLsJgNi8i2%h8F%!vz zc5=OOfuRvNN_Ku}^5gx~*p5AW_m-zz%uSvh#h|9sF~8mCjknigu2;E1ki-jz-6_WP zFV1`$D$l^ua0v^m4G6XIlt@-@!5oZ<1GEXrcJbr%;_N7GfQ*5&YwYKQ#ro)#sra1a zjDr~({MYu7GVS~1<1C)hm=1i21Bd+j9*;tpKwKkkYi#;>?VDywmBqteEA9#;(uYR} zWe2np$O}*zaa;EVVjIW*>n#_~o_*Tiq5dy~`u{$M{WlXIqof3)U3-m6q0=AUaNV3V zX~K{+=8z5&HLLc@YZO3&|G07M7AA}}%98Ut1$0X+t(r{_fd=rGUF6`J;2D`ICrFzh znb_l=o+Yx2%p&%N{>?AKDh*U6qLh3+mlqB{vawM#uR9=oDZV&5_NpYEw^seq{G{EF z4?BjYF4`2|1R}gte03YxE0=HAD97r=Mm5?M<mCzA$s->pj3#^F$`8dGH*V;CdU~9X zpZ^s>wkK<4ZvZFkU0PaN#p>wkDTy#f$Dp8PyX&zylb@~oZD!O+QIQ&W`PYc^=a^HU z%(KCwz83Tx--y7AC{Rz<AWKp6AL%GGnEX-e(i3n55<#QkMeywp#a)F6DF6}z8uxH} zZlT9r=_mAb5z(MTzhU&4`I&8Wi0NWRSx%#i;u>rAE|7k9n4NiR78f4w91&uq7BZ-$ zUQa{w0CD*~gj+V*DsNfwzyP`v@X&3olm`HP`Ptf}d!eD+=p<WG)b>UQTiwI-FHa08 
z!>A&z;}zR^goIQJ90s^(C8mNe<=MVz)46zYucoFZJuB-z6vcZ$ce+e$vBf=(O)C*y zOELwHL%iMH-4m11tCt1`2U$}0atWcZ%oDx4{)qM0-~$GgE&RyP?{#Kovk&++xdcm> zGQSwT+M}$)&c(HHyFi%ZP}A+treO$td3*cJ+MLQDc0mwfTj)Y?%eeC#v)tKpX)D=! zLXUdE@Pq*-<jyVvJjlz*-R@Za(c6nm3k2|cnUD~?iCMUMqOZoPDf)oHEpXx0xWS!3 zTR%QL;ueiceV2o&nrpOp_6hO+<m9lf<q_wYMso>K->7xE?1A}%Rm|4Sjd=#jJzX{5 zzw19bWOffUu|L-D#*MY_K7P!#j_nT0G8zgO6cBg-fVF<(#!yVHa*%^AE}CmxJa)_* z6aV|pVmB*u=fgkp^hYC6WaX8fh!2dpA7%@^#2PEslbki(?(^Zphl_0Mp8jweNfmWc z7Ht8RtckEG*)1BS<RBUavR)Bz&)CXqvi3+{>FQ!>TtR^r1_h(JvF=)$W2qDrbaW_$ z5oXv(&<jliZEbD5<V3}DzADDzG<N1Me_C$U=o|dQQa7nlUPnhKYv$smOTTPOPu`*q zxpQYj#0)xegwYV?E}u6Xq+TqXHS5Xci4wmw+Nw*_J)3fe%)i>j3#-5RT5kmCv8VrI zbU0YOceS<mlau*#o1JH5Dx;2Y*Hx;9yfC=uR}I+lYwDjKlRSw0tcByq6NhxPcKe>n zO+!=J7R}E=Yc&mkQ)y2wwCO4_rsPm3_t8lU2Lln|l&!VTIIC6EDnsLKS67$uBaHZ; zho;XA{xofQb7b4rtvea~E4p)-R;*nLmRZG|s7P{(iec)y9v2jOL)#av@+^CnDb}q! zJaCqL%^H@bj=Ue0gisZ{ZX-iAl7>fE_yJkM7K@S9lqAohZYS*kvD%j@cKc@?S~0a~ z#3v;t?mT?Bad<kaIK+<FKva_I&vwH9wROAtPp^OU=uxhC0p(9%!=G*0N#!$Qqeb<h zwXHxDf+P;i*d$x9{Vm!f{~~!c4V;TtdIkvIG=L#MxbOvF4^)S;9~6a?{U0y316ka} zq}HCy%{4ZeC6R)0Q@9?Zd}XS3;bZOX*}7O4Gq;|ufLp&hKDCY+mjQ^zBqUJPgbP;n zM|%aLgEw1`=8li*oy4>x6Z`px<eh>7(cB?xQ*ff7`lZ3n9<b>YcZVEcog!OOaY3px zILWR`o1h&q$c{IhQ|1&AX-zWn-NbCX?0ow4=}<T8$dpnPMnfYbVgO7lo_Snr(cJj3 z=T7l~cdRp&J58#7)*T%hWXaxcy^A+nYj{fgMXalB5BGkPcJrgGjEts})(wV2t(QtR z($M6X9bpPkn!TW|-k+`wLG`ogE4QNQ;V$>dfLd`xGKJ3@QLFuo&)sH6glo2L+jd(f z)-JCj@cO82#GQbE`-6k#xw(A<Geg+-560RyGZ7CT@?n~cD)(@mSfEBOg8bHsFI`!% z&><Uq`*_i7D3RSJPg}W))y*nNE#=;EABuO07m^GyludwT7X3Bbp_$X2htguXa7BH{ z|0^50<jS1E4h-Akt4otj^Qo0A>IN_Iq@P91E-9BA*gD=FxtmqjWJ4=nvZf(TR|<7R zS&hs(dRw7XE#3C*zR0Q}2T(?kAsj_9Q4&<EQna}1mw}nOClW*H`-FuVK$bhUl$h1? 
z7EQe0D?ItVr^jx2!Ewj|A}#*i>cM=Upx5o+Qj5Rni+>g?n|fC}nUP8aIsrCEL9p^1 zEpD{|;V*3c)ej5w(?OJ9GjlD-ODnYig4yg1RR$qzyEJE~7%f@M|M^tme|Z5k+n?3d zA_UG}sf>aI6fs;IEyWJbqa1O209Cx9q2cJI<|rfOC{d&3+3BI?&)}7Vnv~__-hiDL zBdU@MME#UW?EsO~N>w+5dt$!=<mv)HN7*&CE)3t4B}+Ig=IjjaV<U)qUmfCa71StV zGO}1Ka-9qg52q~F34(mHG^k#hsi~Wy#w{hq&UGE7_d~>ykKHAgHc=C@0HWJEs}2)K z#^rJf+}3No{dy2RUB=!}T0LkjbQa`QeE6+G^XZKF{}f~^a-t$4{7?Baa3V7ykO_Bn zbk}<7x^%At{rij<;h>&k*l+(;(44I4)3q{_i>%%Yr8N+O#t{p#hJ2zeOgMZ+{U>Bf ztH}l1Z68jaIC1vUC1T3TJpueC6~yj2M+RmD5tuXI@~&~AuCv-@(fDoW!(JM!OqPMe z;kp8?QVF}odm&2kp}Wt$@RNxRdH#H7xL4rMksM~heoG+F8sHQjF0K=xPI<VwPl6{i z$XdcEKnMddv9Wz1O|vyiSJK`CWf+1t%k)@u@(n*xYn)ZIG*LrzY4Br0o=Yyf_wLQg zxyb*3*ZE`k{rm4AT?^tB&{AB4F4zY=UMng%%qlp(MWnLX*C2Ia{8qc;;gLft8ME8? zF;+i7XIM`~6%44<nr9bVE6K1=YbPi)+{^axnl-`BT^{PVA)cd0HNf<kOwwg0P5)I8 zoJs{M|I~+<oU*IBGnJQ2s`$RUM>?8##2FbIcd9NY{S<z$6-9`|kvdA*vT>@17r9^0 z7y^|-S9$vvl{!3F-D~dV?h#Dy?y5K;t)`}SxD-mm%a<?nY`d?w*F=M)0<URWd>zIK z6FWtF-FnJf!LsP|KEObr^_o)p06fyKP7kW3-hm~Au4?D(0g~(Pg9o>uf?ErA%`IL4 zK-1cQpO16z2mbmuK9Rq$c926U^5`>%^_VJU3Tcl08haW0GBL3XG5iTR0X~-t!kGVd zL8tjwPR^hqGuQ30)ZP@Wqbxm4Sylhy@iuR$j_WZ3L*dVHkPt2!2LCw;%gBC*pPv{K zs}DY*reHZL>Wf+L`Sa)B0KbVb5*-o*eqghXTkVh)b3i3SLU6+Jm?6Jet>l+_t0VCb z79893b!QxI964*1qDf}j_x^r$U0o$AoK^uFbEnhXH0@n+EYZdb(!F0n=#G6j_>lwr zBEffpJ@pqX@hd74cL&4(6>XNObmq(^LN<hd!opPjzcp#f*Ey4xEt~>cuc)+A7>JTm zA?QgK`p(em+{^Qjo7aIdCCFM-EMVHsW9QFr1vH+RoMdJ5jTQB7PpkQ7-%M?RP4P5? 
zzP|o9NKMXC`z~AoiOj3~<SrqbA7X;|sgEM0wCa`MVV0EfoZI51?D?@xVIFJ}$9{qJ z2n8wT_eL+c#AES2;A^CS?&{cQZ*LOR<NMH)+g`2yI8qt{N=ptb{SqeaaP+|W=JI!z zp1<HNnfUH62*~>!+UqH{t3NsOiC`Kc4~8N<(3BE^$*c91St!4D!FlB1u;lZ)&rs^j zEi8EU?o~j*$Dw#nz;7VtUY%I%8qm%fwcWYS>|%F0TZH`S)4{9r(W@co@U2$tkRS;n zM|cwIf8QgMCv<cfE1i!NdFMfu0EIMN-X|g=LcsB>#X6v@3_)0Cy3gB3^qG8k$O(!j z6Kuu$4IA!>T>0S#$G{4W$oJ$xSV7(c(!Mo4^d5{m4|=t6G_B;^)3C5GKfgn*$_h>5 zm_=QIaHZ3l6`-FljX0MA><^7SY-7@8uX7cBKng~6eOFx_3}Ch6h;`&v1_rHme}8|Y zFVE%Z+1Lckv$aqrc1lU<N=s8y_`ryCl8_`(Y=mjgXFIcaEw*<VLISK!t!Q=mX0GkF zXg)Uz%|aecby!ld@pFrwjktqT$=BBKq$`7#)E2Zt2M^k~vUqz=Ms!tsEme6TU%giP zz23*1@{bf4P3CrtKj>gQKhZbwBf{p6Qv8-ErCl&Ng__mB$S*G06_t|YQ9S=6Vxntx zxl2`Bdmr3XLhf^81ZwQBXce(i`1LJf4<BDJCO^5eXM@ETe#U0%S8UkL$CsXC(@}7N zs83mS-`@E2fp6yG0^H{j6#ST?MT`PiXEfmN-z^`c(GF1f94A!+hj)kyn>Zp23I9Pk z6PAXxspIkCX2C9<vFYx}c!Tw%9ik2iky2hd=H})*j~r14xtKg$w<aU&Q|H`Klvl6n zk6tTR(#!!H^R${fOPE&NmgdIoN4|>CnJrM1haNeb+IcLmEj;VWpgGn@oaPvBs2noS zV))w~fB!f@Vtt`UEU7(zmWFrtZaM3(d6%O~oQ5BRKWHDGmKd<q9=5<JAUrez8mpD8 zy3y6nNvWM)%w-XrJggaK9|&mgLF?QcAj9o7SI#ai{X8{Q3AK<1UMMd6#o6AG!qJ@6 zLMS9;9H5>iFtN22<uEnVZ{6C^8>Njwrgj2&vwNW~uvU{5y+c1k<5w!>Q#r3swo?1F zCsAV!(QJiaq`4gsU_>%EsFmod-Jw9L#w*G7m`UzEemrP9f9qO{rfFJNj$bucIwN>+ zl!k2M8BBVv#aDfHiA*RhFi-2if&?7)B=0uYt*d*PbRbz`>?mm&ASeXtSC?@o(Y(B% z#A8Jgxg8sKh;9L@tk-<3$Q#r&`#j4rI}H?CghBm)12GxZ`Da~ed(iTxF#hS&*FU0K z5M_oCX1KVBTO~5X@`2!<J@+8SX~3nx1It5Exz-`30LB2BT#MPAB$1?(DQaSyj@A9h zHmv<OpizjFo$=$z=#RTRq_?nw#H073{<rb>@NE{`I6U1h={}dfbLY-#=-ii@MiYrg z6~m+IZd&cIWikIc@{XC0uHS~^(r`_yh~wc~*_3RQPXXkGMfgZU;6CDqL<Ubw3{x{_ zZI?g4=YIQ;+n3gYHg#Lu^fQH@O&yrLi7`8;P*jjB@T1v9eafydwWMuPN+t)>a&pul z6DQY$*7yQGavp{To;`cscNZoA42mqX%41G~{8BgECb8*Q;2;#Q-++3i)kR04iG_iI z7o{y*$qPgu^)ajD{Qg1_M0$khXG0;t@C+rfjc@BtxGm>&xs6H?qc-Mn0%X+L%=K9B ztE(heA8Jdg?JQ-jy)wHgEa}MR)S13tkp%~D?XHa_o!8RZLwJ4UQn|PwbbKjvw#j!H zkEyXbH1hjd6_k{$Co;~L>pp)#eJpk6{(}d+ptQ1-P(&LB1nVL0uo92F>9AzH)ooVy zb3~clUAjDM6ZiZ%QJnkQvMq?}@qTsDYxSdX{;p_u)yhEDy<p069z|nFfUhZpFjPh7 
z``)-wEwwtYJQUYQjNH&w1VHEA19Eo7lN+Jj(fo;m9+349z$Tt0u8(}q0s&Y(Ak186 z@$NA+bfR9Xo;$}4qiQIm6)>euk&_)?GuC=X9<?hI^_ZV9BG?zlHcbvEhBjvQsyo~E z8ZJx?C<VQ_@MpP1lWL<#=RY<w^Qr$0hiOCVbMnT<KlbIWQcJ=Ghu9QfLr!k>gL2)v z%bi88)wQ+Rg*vLL^f}fY8$#dRfSWC$(cI$VzeE4oIe5~id3l85?363<?`$()C3Xho zwKe}|Ks;)@Nq<<_bbHqd1K0KSTX;DjAA;p1gk8_o#jbY#*{tYgY9Pl-jKx+z`hWb; z2M0z)P5sI<;AHW3U3WS{k%J6QMiML<TLVGmQ>mAi!%)*E40{!*(HDD<MmA>Xy;)<~ zS+oO4QzOszne3wFyT|_vD$jW=_JH*IpOJSZNc$A4|1tG+w9UNTqO6CIf*YV5p3lwf z?4!2qt*xzuDwFQD>KR|voy?%#b1loUxZBdwRQ!pknC^(JlahA8<>A{k&kcnh!Ad5F zoBoxfe*XMvu+<%IDl~r_Gft~_>ww%Lz4Cwl{2BFgCludYovT~(J<_C2O%n*0*N7*| z#D{1pU7*aJ;Mm|=>;=eca#F8q%Ij!-mE>{TkH8!Rqz2UQ^qAF-m>%jnwKzXds2D~7 zL^Sm|Nt54yMdt97lv|a6Fi=obR7|prXrnBVd^};yPsV}dPL-CGRY0w{%Y3Bn$DVR< zjXVMZN}#BBN=oWrLNrZLj<0_gw)-5cL8nz!@6|~8bY)wFgR>GXD*bX{A6H-%xpR}_ z`H14l4%;VL8PCRD27kHdX9=40H#9Ofu^Ilx??c{gLbfWq2-hJ*YyEfkc;v&sn1d?U zTA04PpD`U)SO7VGoua%`xo3tcb=jqd)q&p~y}z8=JpUNF4m=y(uuQ5IY=v<fVsAqw zIIk}}o9X6@oR$x{V3A^)U_`*5|H#k1mh_t0rs$aiYXe#FcqQ|hCq|7s{+q7OHm-eq zwvoUcV{RW_wi3$hU3Mv*0U@ngY+16y`eD@z7q$`l&+FI62<90JHgJ!i))TTBsc$7h zZxfRp5ET{L#=cfYdW4?NvhCG+@GBs1eC6X#z&R(mJatZd_Ujd@jT_GuNOS4hsl=&H zpDXYq+{S)i?V%D7A&oz9ihG}lfXe~3U_WHh=kf7-&vS+-UnWh^gC!T?;hO7VU!@{F z6t-eQ?JqZ4oyjc))Y@46{{8jRQm>2mPxtyWdKW=xm!=_nGH_Q^!fNs<E!xdv7#Iu# zwJ+gwE2g1yy-QZD0Cz#d4Zm+_pt8q~kzOc84NfHn#ZH5m_51YcEMe(LInNWKZ1Csv zTaP-Au%NWu0rKMH<*iJz^1x`&l7D5_kGiND=I6Jy7|4UeValT-L1M=2&3<SxF^C(U z#=YvP(pp+f(8pT2+IMnMaM-}ePFJ!#bJ4P+VB10C5657H)-qxz$^#5QAuvLFdwZ+3 zQijm}dG-+6EDipa^vmQRpReD&dsnRsVc8sv!5t*)S9sY{N~B_x{yvgq;`8Tg2_YZk zGBp5EVeQPtRg-C8l!rn_@)5(~388<l8uYSsa0~n!L_f$7CH9zbH$D_|7APw(-<IT) z;G_Th(L-qG`=wTIgK+K!Qa_%iQyeBh2~8c(^%n9Tp_Rqea1NgSv-Z8@aA-m6^#(8Z z{r0XWXA2^EXMVN%95ksToGnGiA6H9IAJh5myvBd~!2L~y*Q8PW?h8~s0~cZdKF$Th zfgLp0-P$xNZdIgSp1*!8gW<MpIF<*`c2zD_Nv+U9z`oNN4bReklIv|)e6}Q(zHtGd zA+)zJfhvP(^^_-WBO=HZKH^Gm|6b{>q0nUz{luL2TRsxed6|+@0j=+V%b4C*jPLT{ zCmTBdUNdwK&69A;5God-O?~Nm^^j2bk9sT|GXD5vQ?^!$gNXF-x<C6bdKAqE`xArG 
zJ@-!8GsZzA<vU8aM)B3dFBBhL2X}zwGN=8sTn*Qv;9rF$rwkr@(Z&nxvcfi<)TD=^ zj)`UWH}4Mo6Q``f?+nWxAGRPYO9X_M53hd#FdTw|4~Q7<J$vK_?ES*Z{yZJc3(%f~ zg<nmL0prjM2a!8OWyj!)Iqohv)V<m?A@qMg{&+)UBd4GsEmWEc$lCV>;<e{61lmsY z$`M(M?Q-Ar_qn{GPSAUyo#D{MZPcl_8Z&ihQW?<A#AjLzU<42T(ziK#8?;0Oc(y@y zcD6>A@usweyvvwappO!!et7j0_WfPhC{erbYn?_r1HhMe{u+7#K=NJLYher4w05si zLo4_QVo#&6H>cpIAq;Hjt$f-_zURDr9N>y!b00fStmVEx0c9>r__BzdK}k4)G4@NJ zgDE7xDj>-HFn9xr?m-kN{K;q)F-Tb<s0oE51sh@U_rtrHF!E?*n{OiqZfF|BwdMX? zTUF!oWzLeh?;8zGOeWv;rx0q3G>lTvA)r1=@4NYDqc$91q^_>1DJR5r>#x}8fhm|Q zeIZnFh>0<4rKn+_iYk8Z6W2Pzq=DXb(#c5}8HeaMffSakQ_KXi{q4g824MoegtLpt z74wrQB!qbxuAQ_6zMmM_2pbL&+npR|;1>8@dfKW%irB%siJRo+=T{uCch>=Ls+O#A zO)iud47D6SUi{C;$Ec~ne)aY1CCqXY2H{So5U4*5I1py|-=0w4YVE%teTpzvfRo?v zHe(56#DxL->TA%Z^dPtr>kL!lecUMP-*>MAge5{<RaJG)>Mbi=)tR2#>%mSEZ~Cv; zNQVis2XF+x|NTNV4Gun>Bvf{QBf70ypCg$9|Axp-P{_oJz)VKK7hI$0?1c+AQO)%+ zG=i8>DPZAp`y0z^a7Mrvl7K$y%5OIwi#ca|u1yuxGZ&vj*|LA`aN;_Y^ufj?Lbm>! z>M2iOz1qs|K1POFl~5;$S|RZ#j1SjCuCjw7OYD21@-7qM2qI=4K4kpeC++=66dY*? zch>~i74q}*iw1jq;O@x)Z2ExHG4QkF4kxVsel)?=2EsT<><`Gn0sGTrgj|loGY;aT z2UDjS-u-vs?Fqdb44paQV$6db1yA30ji{G>eSI!J9+}{wc3=AwcLKx_1t<lZGPAPg zGbmg0;DRNL&A&@lYgYW1zF?cbWuF|=C$Mq_Vb*aQ$(J3lPl(FY;3rb`>g-6s?+l}v zr}^{vt>ZYT(hX^-Xz-+UQt9!9{Qf6B%a<D%{x113gxAEx1knSCeyvU8xE~HNjeL6^ zf<B_&Ata5<U-^@8pG$vr7BidFMIJ}MN0Xh>X+`r)y_A1lGs_rGV`bu<e>%=QVPPV+ z9j*oTw1u<&`2f-cg%3+C1(a6R0+vDdKX)KGY~!`aj6*BIXq&(&aW&7BD)lq;&?gWt zlsH?F;2_eF|0kT>RUtm0I}pZEc5a!wXK|fgqGk}*ejGmOGdPzJ_xG)JXp7hJGfw0! 
zQ-BPDUY3YOjf^#f=!Cw9>=cC^3$-rfBTl0cjz8iM4H5-KW<CL2=67g@E;Fqru0Drc zeSYs#?-oKq348E>Ywuovb&u0_7)J>wk#Sw*Z7_F;J4eOep%SAs3>KQGB*>ikV*Z9y zKdPow?TwJgaT<qMXYs%9vw$2->^3(3nOYK&WT`}*j`o<@K~x7|Hr$RQ%inkRLt)S; zblS%TV-s*KUJ6lwMS^JML7r3GD;K!({eRzS!^@@VG_MN6Fan?T19gvt^44sN?eHMp zAgVRTnbbe)BzhC)-!5ad3Fk9m5F=`44n#M?)kzc+x-DB`u>+oein(YJ5x<zFE3!UH z`h%Fn+b16T>A~?u7|4`8C$?Y*XKw$whs)Y9BH;Q&X9|goOh#eYmx|^_IG};L`~flW z1lfXr9*)Kg#Wc@zSrnMIB1y90<qm3!-rioqAPT46xdIk*sXsBpihNT~2ZN~iM0^M6 z9irJA6F7A!+;w4b5v#j9=<f~m_V>dO$BgKg9KvrA8v^^w=QQ>zN%lXm#C#SmjJwc( zdf-`tU-UY9;BI;8beu*YTx3BKGY^q`_P;;*c{(aP5t>EMhhJmBwi{~N_qMVU#@5~1 zN`<O06Jb~;v^7i&iNsO^81ZS#6kY*J-nw-wVaTDPp;0S{bV^c=mW0<yz2GiJ0RkP} zJS8oyhxq$l61NWO5$AZYa@}YY#KkavfK4Twu5k)x&eChS$^_3i5Po!`CyxP1sSK!U zk)w;aaNjHg`%JV;3XTa49Bd2;4UKi!ks`p$O959`Z}^&fRrdDw1VD(ZdFph>h8Z%! z|LJkl$CqLDaAJR-R6p=bGU0seXX0$Bl?oF(^T}QqQ|%M%D0RW{6U_?~HAdIpxDf1t zh1*4^F=_b-DKF1Zldv5DGKx{6+hFUr%yb7|j!bFi%^qJbE1in$JQ*N1m)m)DBkW;$ zSEu*j%;VT=a@ucE&Yc-Kxki-Ay?5Y%!@Nlcs}wX)SU^9uy-<CbZr-?unsGk~LNkuS z;uPMj=^}CdMc=@{>PG+$t|~m>&nR?<zmJ%ab1h!|yOXU=Gk?$hHJZaY$%p{W5|LC6 zbo?I<n4r3KDza}$4cD?ADN9X0vJt22-n@B(?XD!;EOTR*E!-5G$KY~<94(EeL5xU4 z?oLg;fz7&JtOk{LkE6EX;Nsm69~2{qPyMGuYqyB=xUI`()t%(0VaB|$bJs4hWVy8F zLhT;H^YcW)?K{LPB6%PddaLWWR<u0{3AqN`0yXhlcC(I!z558;5Jocsf)egg5Y0FO zu(s24(aN`-Yw*yGt@rQU;{tzLtL2QTj3DR_Fa>17b}R?4R}NV)%xg6`S|TlN2&56C zmSoj7ynG1xWpXg3(L63O@x7=v>@;uz8t=F--{%y78WIkR^EnK^kZm<{EFURG2-m(K zMkEDC$86k#inKH$5sxA}b+wrAv%nB&2&$YdDz}a}BQ0e2T{^DD)Dh=0RJF7Q$FCyS zRW&uuayNNH5;*jzU!Yh=5C$EZc2=vsfJ?Z_#lyTjJnvx5Os)qZ5{lk`F&^-~x34e% zYiW`JtB|1|KB(nYRYgT>hqdfvr`zZ|Lh9YCEn~4e`^bw>%CHsoDaX#WPjg1THJWF` zIW+XDLZ8md%PYc2E7K>}nK~*zYi28X@Rh%;aSmDfymo4Ie=2ylj}!3gi&{FrN<opY ziC$eY$u*}2N%RslqZ~+Q$E$d%HOJ_;Z0T!M*WCt{$$2$3@Gu`=!aL??w-yJg8NI7_ zc&=@_hUP;9BeY|SCk{FZyR{SZ1=^w2kK3n1YY@=?uugnU9RC+1hH%Z)D6A!5<LZ&w z>GK-jA-h_$Z=a{hYW?-9qf=I6`jW@m8Mq-tikhn)5hfv`h<r`W$hcLb9C?%uF`!Z6 zE+V<QbY*Fwxzs7|NtQvj2LFDhfX#G6%G%mdvW|3)(q~q0g^E(!h`G4+>Uv2`;Bwul 
z^1@ajAt87tsIj%AhNh;rwT$1KD5c!zYzYS1+%kE5B4G7HUP)Gy=^-|&aChZD2c40+ z-^UBSe@{ygwrab9@LdPoH)~p0y3{9_;W}xYYkt??|KzDt>tbSJaBgO=B97~2Day-l z07@kQpB|=b=m0C<R3u27nVJ28v|Y+t+ejqpXT<jc#Gu-;r71LojBhwgsn+ExEL-mE zw#jR-(RplBMO9S~nrhPkAj{jTs&@XK1fSga5}!1aG#{Jfk}O{PK1{){(W-Fnz!yXG z;d$-pO2Q&A-yiK()QJ!~aJg)4u6g8P3x=jNUD{$D{0%}wF?j7w)-(eVoS+GKL)RnY z1a!p$!7}NiCncn&-U5(?9=sp^Ut=r(1n$eE!PjjCKI~#n{KNnbGZM}`6TeJ|V6{T~ zTHmyn*FFB4{ZBL^Cva7Zeml*E4JR&KxL-8{5e`Q?^Dp#l6fE+F`GD|b;%vcjj6aeK zKe;X3fO8;s-vHJc(!FuGig+8$$A}qrOw{E>#!OwJ%f9&jYvHNsqWtw*|3s-_<ayg> zJX+cmx@wIhmc4=nD962!48w6k1qbXxh@&(1lRwVHFWRcbwpu=b%RoU|`UX6$@-i~F zV5F@yD>ly3)bX4*x*Zt!0Kc_E%CiV(KJq;-MXk5FuBHZ+t7<5{#_D3x`p1#o6319I zaJ(5#PpMX`En>6#TO#`XU<B(NI+q3$EivnACCk7pMw|dg^T}$rPSYX&Q#13q=8>oL z+0W6EVfK6WE?^;$IQl`T>K!qD)mAvw$C5but)qhGiTgX;*nXI)bHkNSpVqV8WiE?T z;>4>K78V^^lAN5x>}K7U=-1|p@*Lk)@|AJ*Rb+w(zMa9h<;@m46_bjf*Z)x;b<`pb z8h-SgIXLyJbqfxmfMzBR3q0mm*VYaQ*SWeLqm?i0pD<f`E)VI(78QLp&c_D9GC~XJ zd;({6A?c;NjO$1E&I!AJO2=X>YTT}@$-BDXu3#2mMelf?`WS0uA*;Jv1<fNZ1!N6D z3j!^EhXwB%Vh%d9KRjjIU^2-PFxk(zACoS;<vozhy<uW`c`kk|G<s<*jL;eDkAp`B zCV2yu`z+>7n2&KsEQC?2Toi|DX`+<+U#Z!R+v;<fyW(RX7P5+m2wsI$K8A{L8G{_y zp6gmE#PCPhTZr@PO?@k4zET7j(s*S`hurf8js(vAjxef1)grzyqO;)F|0?PGIugu= z3j~deQ!P;9VKjKEmP9Z=zuI#@w&57rzZhIKXNlwGf848t3pG00roP1VGZ*A=5KG^- zm(Hz&z3%rnUR2!K24^csA~Dc7caL<skmJPZnVbu%s@MPZ6uq1O6H2Z$z8S_N^mL<a zw-zR91Z(h(77-s-5tD`}NKIy0t^9%|b1_8l!w%Am^Nsf~cx$wi5i;UVP~ju_{cJ-^ zT}wZXd`Y=@WIZiyIGRR3fMkC<;b|qTt^W}Jwc7t#u|C7rwg6^J9=^9zajJi9u&tKu znye(Er-C}-1z~}Lx)Vor?!ywz+r9_JPJl7OJOFJ)4w^oIhI)K{$M^EHQOqEKYRes& zF-$gj!S12~1Z(J=PmuBQ@^>6XIXRC**j|x^`=HOZbW`C45`<hs91kM2U*8&+#1-du zL!o!@rt{%IUsKM%k@I!`OU|!eEw&!&`@iCDl~l9Asny=FFRMN!brGaqYsykM4O~I) zo{F!(4L1^w>b?VyoIFf21d&OI>;Rfu>6%$D8~h4xXG1H8E8wn7Y)v1m0IWHfI#9?m zl(ui(N*o~~47O|@Q!1MH>H%Q*mSl3V?jIO_2$R#%OO>C4xUt9>p?~H4_o050DtxHv zojA67`qZhLXWTAbimc6?wt)-AhZGE0)ZU?HFkO=i)Ne08uzFm#{|w1K*GKtZzdJyQ zJe?x=YN}{iWeaC6=!|}N^*gS5Kz#7Ea&&Y&(+1V$--zMK!?w1L{o_^a;rLFKquQ0) 
z_`;3Nq<hc_(@GW+!BAOTM2W3setK&xZLexT|KUs915RiVl6WR0@yo*j@w6;QIW{uz z2cr<kTUzpypRK`I|KK0%%T6fNW{(tK@J4C%1m#|Gyb+Lb(%OysSluQ>O<lB9mthGE zuK=GK@u8uieIRR`a*3~SLBQD-MB@xz#NH>io2|jD5y$HgMMX5nxCrbyf!nUZxyN4g z*4#R{bd+>$>VB9VVv6^;lhmwUK5!vP?cLMkK8E;anoOW}LI&R9{hPUW+2TMsv)W!5 z9h^|GKd>jri%$KHUXmS^OxD}yr<gCcaXmV9`r1bA+anv~1Kv74<1XWAczf+Shc83z zQ!Dy-RjRel^)WdGKi5?}ex2|+BCrSNz!+I}Rmn{j)ATR4c8K+Nx(ZzBA2X;Exgx<9 zl$@ISVmR08;`KLrl?Jl{?c3;f^DBA?jEsz=T3T7fC7*sbm3}U*c`v(^=hm9cUet6P zn!57MZCL&6S=(<Gtqq`lJFJ$b2F?xq{JA;2hKG=8VW%{7WU&uz9=Z<?aojNN%@dH) z?tQhkuvi>cb)*Zas5q66uW_+2%*<33K62z-+ob{rxf1-uR06&5{)-p9t{Cfb!h=;j zJc<t;Ia1To^6+k8An$Bp$H*(DtiExV%z_7&Q!_K~%gU}hI6A(=9Q`(DxYS<fn++$a zFWpjX4pQ;_%Ceiin}>(?ojZ4go-FdQa<U33g<^K}Gt!)x8#e$#_ixGB_w4NHg2F;0 z^rN^AbjP=u{IJr8NON&Yc`gO#+H}1K9o!2z@h&GSDr(~AXKqa`t$Qxw0w`CZ<KuQ_ zHZ~s<U#zTnjxR1(mE^$2w4TBTBnWr3l$X-HWLJ^vIb#zO9=4#Gsi{{$lExmLfq^vZ z*RG-WuP`()IC<;VtzHC{Y+^=ovSL|x`qIL*0^A84R#sNBqO`X9kxR=oRm^MrWn#6? zor^UvFeu2$c@Ys2!9-1w9TRh+zrR0pct-hp4!^?3D6w$&W#`;$Mw)|@^HcDFGx=9E z^iP_dJ6C@#8`$BvZi)NLaTjr`2|Hcg=vyZ^J32d?VAVSbw?IkxV2hXgi(z!=sL06k zfQR(AO;4UAKdC43E#ahIVxoeALfe-w_b$ylW9;4JTW&V2pYgD>)Js=eAe>?A)`Xfq z7zRdPe26-?Y%@0p{&#TP<yBsu#>YsJ*p7}4^LD4q02ZO5X@GbG<?A|^E;XPaTfpSj zW?mH#u&LOt=N7~E?H1bF+HHw7%QGViJL%h+o8v)*YpJTnU<j%Qp+_F{@fE&#CLaH) zrJ<1kW}k^_E#sQSLdG>>0`XGE>sfb^UK%&Q*+sv8czC!GuyLQDAWq6Pg*6(K7H*;$ zqMD68xw1;<?frr3SoKcj`=!i|Un=~!_u(H^UENWK-PH#U9z6JccCin@S1H^+=Bsrs zKR^FzK+^g+j;gt3&-tl=P-wbGwcpFl?Se&V*nuwpuE;SG>GjdI93+w+%bLw3(ta8; zDiVp&m$a5dx_gqehD565B$1IwJ)6BrByYP7v^Lj6UlkScmzS3>(Q&P`eE4t|=_aCG zc^msoe_MJdQ-G-U27ASw^mYYnBlXvE_->-1dEeIdI5{m%jCjGopod-Jr;vJnhqde2 zw`*YXi1&Y(n8^HE;?X`JWGg?;M@=Hx(*~6t<^A#h`e>^Ee|P#HzkO-rGy2m<Ld@)* QlJH0Fl#+Dn3BBw8591QSh5!Hn literal 0 HcmV?d00001 
diff --git a/doc/guide/admin/config_local.gif b/doc/guide/admin/config_local.gif deleted file mode 100644 index 6690d46fa0bf4ac445af364e46ff7435bfcfbb92..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1910 zcmW+#4LFur8a{QI%C*}zHIod=L4Ur<&g}Ffs_Bd*k!+cU5J%{Tov6s)(o=Rvea%QQ zEGj4R`6$*;(U+N=sr+Or%NjGr-zh~=qFGWV_PjmU^<L-up7(j4`?>G?yc;$;thDiq zn&g6BP9PcZ_JOwt$bSG_MmyKk4-$+hMt~8+h+`x$LIh!g2tkw}Aczsf2@(V$iZDfl zB1#cZ#3<qv35w)A42S@tAO|A`hyxN5iy_PqVTdvW3^9f{LxLg15$1?+L^%SE7)P8V z!4VP&3q%B>0)aqGATE#)2qA)%bqG~J2vb^#KtyhdF(H^xOaK#x3CBcWB5P$@1|<Xt zVT5o(gd9K#rb?Dl0+cXHI3<D-NfLunN`U|n2806<KqPa_lzz$xFv1w&j0i@g9GELZ zDJQ@Q<Aie}IFTA*K_n6t1O#D%a6yD1NKsdg1FFaaOd$;dfm97+1)E|33=9LuATS_> zjj|9`){)2(M9u@LFQ&?tlmbv-6gUMz<w)5r3uR6T2EYLXfOG;gkbJ02F<=Zh1HnMr zgE>f&RMv4|95@HTL3)M-Naj>F3t$4c03iS=_d?Q>Zp$L+p|ndnqqvB%q6NjuM20!X zTwrOA^g$7b5(S1S@<=5VzcE!*qg26Wlyk}jm10QVlA>gzEX06wkjTo-z)aDXGG$A~ zIA>fi2`+KuNZBn5WsXmb4Kj8C0F=u<fhOJ_@|3@1n7z`Qq@<U~mq__0(6n(hp>N_? z%zlWU_MXbSuK4`Tgm*2R&N!B2SD!Fk8q_{*Ce)t9>(nM2OE26`UcB~z_wCYL=QK<I z`ZF8d<~x7;(ZLmZ`DJ+xSte1F=e~B;u0Ls?Y+zq-Io~a7Q`W3+j7}9a=cA&a4%<eR zyLS7kxG#+kU1}{0Y?$m)nN;Yh4e53Y|Im8Tj`)cF8_hq?+2>oO|J(Qu%gEyU1qm@d zR%cdPbk`)MIh4l?4h5)FKeE1eY5S7Sdsa5_Js(E@Z}V+Uyk@{VI-E8a&2<f2`N>Fd zTj@LHHE*J<{3|M#Pgz@U?B9C7`b5#T&hk>Xhu6OE+?*JN!#aO<UFz;=ZMFHR>gIU# z)R1l3EqBcJy8U}`+?ui0yD=fAraP=7`$wPkR{6~GJJkM6=iYH(s3Wf{PTN@f1r*N> z-x@zzJ!}f=-t2OVn`We?NAG<w=f6j0IvHl$FK?XR71p*s%}0I5GSY8LSGfCwO%~=W z&VOlbaBQbK!fKj%eEX3)A1A|>NYBI~Go63J`qy>lNu*S3dU)a4Jpl)uG^q=cottWN z!vE+H?wxFxU6Fm*-8SW?)SME1vrzB2sXZA7UwHU@-4s5*_w-)d-i5)Qb|ZPa!bb8f zSmp=n-0aUXRy_9kI{Ve*fMkdI+}zP^s>Pay{i<}$@#u{AwZ~_x3R3d=?ECyQszW|0 z<GTvgPf~X;wAChSqct7{v#<XnIA1rb#q2=E3n$@{_NNxrg$gUjpE5R`t-VxIu(`jh z?BfTjMVC`_+YM6;)!Q{!non1rqW&!}A0DZVGJdKX%FVo=vi5e6WucGFlfabXuSSYO zhYVV?zZy=hym;|NlW|ef8}t5sInRo&n$anl{TJ0ev9`NwDnD(%!~@3v5K=woy<c)_ zy46eCvN|lk8%R_2I+Ru|JLotVt3RWC{|{68?(D0pzURHPbWOw5(sDdDwx{s-ot3`l z3iMr;ZED)(6_(z1Bk;Me*V12?@BNGKt1IXIf4;ILFEB6tkoWEe)o^omdF=DH8yZ!_ 
zg<#|KigC|~7?<VEhR-cU=bnESM%?Z4d@}ETiII<gVwGwjGV{BULT%vD;DnyzF-GrL zh5oXy%|@WMHBrYNU)KhgI!yc?R`*+OWk}POtRS1#Z-)~+a@O?6SXQk~G>+;h&zk3V zYsSF5fAwAW(qDbY%Gc%Z?KLw#wb*#t`tj5Bb8V|bp6)D|H#(f&aCg+>LG0*%{HsbE z2FE^*aV^QKc&Yn-Aj7mTcW}_UVd6)Fn_j~$Wrj~5J^$;Fv&U<i$AzvapxL?g(H^&p zkM_GB=+q@&)l0h)`b}bBbuu1kw!fys>bT39Lf>+>-OPgN%X+=ewrw4?yEfeg-rahB zdS1f1C#@j~?vqxV^xv9t%Q!Lgn1$MJdiYh{0)xh5Cs*OVa~@WU%#*<BmX|^7f{a-~ zdry>2?$#acUT=5&RNQWp)Bg1v@;}+y_~*a9|G7zm{dL=4XC4lDSU>k=-G)XzJ+$io DT3v~c 
diff --git a/doc/guide/admin/config_local.png b/doc/guide/admin/config_local.png new file mode 100644 index 0000000000000000000000000000000000000000..5337c7ffee4deb75235db038c47f50824845498a GIT binary patch literal 4172 zcmZvf2{e>%`^O*ICPawHI$6rDQT8Q6L-u6L&lZ!hrNP+AUMWkN&{&I@B0C{_k`R(z zw#-QOY-8uW`@QG<&-tJ8KIhClGtar#>$$G)_jAXZ80nm1IL81%(5dUX+NKahRRMk* z!cKtiTnD~W;709(ylw`A!G8QSo(6wUVs&r%KoI@6zaOgFCv({l#Ikx_ThlBcV|gOf zfPGtl{?F>*cj~=I?_a83G>Smt*k~;--^}ocs5OZ4U_>~fp3<jw;3BQPK3qwGUz!m` z_?AbYyD}1Jaf+fmH)ouMEeI@`=O0^HFFh`DeN_~*f9SPq`ynz${2RS`Nz+30)c!cp zFl768=;~uunh3BYt5-^OR1kz!+AOpz=|m$i)l?{Pb#?Xg=N&^Rd1m5ra&j_u^>2n3 z<59VX9p1I72t-l`nwg0S7V}Z-A#>a3&k4raX4HLseXW#}&AJX$R8%F6d*Tmn_pHz` zm6VjMj#arU+?(Xhp78beKi=#&4pG-oQwtUD(535dZf@?$R58v}zS5IjBb^-QzdC7X zXc&61Q&z!4CFCfdZk(Zb`|wr*JX(^o>-BYf#xMt$SPYVtojun~yxoT=WWc-ViXceB z;hMz$XU5!258`<gh6V;y1J{K`L}sU3q9!LN&&4}0k5z$jTUuHI0|R*!JnOw@8O&Rp ziCPvHB_t%IrH5QDtMbceXoU4<sp;i`-JOq?wr}L+=U0DluM=BPP;mcXt$k+3@d5=x zt$cf>g;Nd%EeBu|u@g`ty38s;K!cx;&oG|+>zB1;3Wegw)cXDVcfXbKTQ)Ws1VRUC zZNRO{uEf69JMS<pN+M*lPlrd|V`rmRgETW!X?+)i!I+ww;&7FAB?6>j1ye~*_wmMU zs5iEE?xp})SQjPhW+2L**uJ>DJnLO6B_&0E+2XLXQn$*l8qn-q!HRS&3)os1jERY< zs;bJ&%mi-_T;Sngfw{4S3YxaeYH4;>B(*CB2~TV%tp#}3hJ@IOzJN`SU*@`^nBZPD zmX(!NQ&Y3B;O1?TXL?IA<<TP;qA4jU38!r9@2?P#Vq{_xp8NXZQmfG@TmoA=o|cx@ z+1c6LeD#^`!1%c8FBujC;iqv9&&#adfnE*4+eu*~3^XT{GmA|wR$3QX6b{bg)YR0D zj*h6Qscmg-$)ek<Q#!CqTyYnSvo^Q4g`x-Cu9#!LFu-1s$>h(UQSqn>@7d1HO`PHr z7>ZR`sI=YXa$2|ZddnB%eblvU-RTOezx#4waOQ{jw6qVd{i5r^ym_XhBO_maVkZMg z@kResQ?|C=4ld;6oR2oq)rH|Z-o1T$iC{p_%=@z7)Gf_dCIiF6Jn<;HsFt5tQNuLy z+#E(ey{@iK=g<&hKmB*c_IAu<eV`~l_5k^mx88S=GrPCC>F3_oqQ1U<2X(WMPQo{r z%0GXw^68mRpJEU9e51cv+J|nfHXX0;9<)6<TVmI64o;q(HMh3@;5niE%A^MS6S?RX zB>^_9FU%Ge7RLF+{KgHhrIAZvVaFL68DK2_ME`xt@})qP({8S=V7X3ayfw^LRV1T~ zayJZb&48))zOstSSt;vE$F|24b^bnz8AQXvf&w=emzRwmw9-c6$qP8;MRN=6S6DbT z5{aB4k-9oN9UUFl*Vi4Ss)><kn&wL)A|jfan$`EFj%J?72nwii2n%7=Uzz;o4AaBs z8)qBcKc#n?hMY@`OrBgJR##W&=C+R78n}#(j&^r<lM93p0zbya78V!rc)SQ(Z04#! 
zL|r%<r$HC>s;X-6Z_CioQ27f|CnJB)&({WS<m=@{qBo(ZaVt84r|UO*RC-n%k^9q8 zEMO~d!x(5HX&E`saB$qRmtr12CoBXd^v&ZiJsEHTEzuxxT@=K7)5>aOXo!yRdsL8{ z3L9=jR0&*1Bat5)L-z&Q)wn<xW|zBn8$ftnT;2ffaAHhih3M-K*1LK<sp9CZ=7AQ! z2VJ3NPS6$_0YQMEf1bucki*}WkcTGX1Qad>rh-amojU@4edT6qH4{(nc7h<TYsD|( zf*S0^lclXn!@Hg3xZ=**1;FLxHh{9p_hWfkV6cF!DN3XVEyUC@n^aa;ry?&;*<Wp% zst??l?Ml5j)fl?-=k~ey_jiBDrxWy3rOn@(orq`_3q3LIH#RnAdh_OPh<c{c+{Uhc zisUO#BArK#4Z<0N+27kc+8VZZb#=Xc`?j3(S6u@G)sUS(3R59Ya{YUc5(OU}?r-a8 zYs+%QO;1nrsrXq*axS`pz{SSLw|RxMMADL1`GlgA@OV~af4*U>EK_UgTJSR{P9>_P zG+=E8h+{v|*dK?>Pz&}0T9L@F=3Uu?zhL}1N6nIC-SNhv(B0j=&GFJ!?&@=~oB1Q7 z*!BdzJ9qBn<>f6eFLQ8kBqt}!x4&SEB{xS<BM40J=LEua=KK50)v#AXLl$|a^MM*O zOyN~2DV%wxySsDQO`G5KLE-_k00OA1uP>C%M;Xa!Y`ou>a}BI!ZEej%{)dCCNis;; zd;<b-0KNjb#*!lf*xAP`87ltF@PWz6qso(8TU#)Ao~i4h6|w)P;{BCzB{%D9*J#tb zMeWZjEia8$kZ*#uaXr|gP{z!B7+LsLUnu()RMbJOh40=O7#sWhojr!9cCjMaVn3k~ zr|$cKq60zJI6m;fVCH0+4%pb($^$o?*TvSGuA7;eX=!Qc=sdKM#vlmh=H>(M%gV|Y zhfDk`d$^ix+LtC9>R!HV4*FD;w3euG6z~A88g`_L{4zY8x*JBmkYrtypD%WXVUa;R z`EfX!#_2OH{+S@`t=VHzO?9=uhlhu!r>B+{wUT<0(-VRFI}t&C-Dy{1V`IrAU{-?B z(suPbOujbl(`a1Lz8ngLa^w=lcR2TCD6JRm?eDW9iN@K?%*^lkw>LI&`TJdtcPGOI zHQ1pSx**|FGBYOz288h)e-*o{tJ-tI+RSWVY|ITo07Cud-jDtL{dg29S0`~NL|uvP z>{*?`TXlZR?j;TRCKn?kBZ2!xBjLO6a(!(G?jpHY1p_v^6~K#KpY8JEt-fDCBx2Ud z9a^4SKuCfD1ATEgVPRp#N)_+6Uf}K(6vps$f@+|*-rtJ>`KGkA^!01>aIvkB(t8J4 zt^rb>ekvU;t+}P;+}xa{rDfCc(LTB6zmo|ee*?1xCBYi2{m*+35RlulTzBu@ZBG<f zU05h6D&q5I*U)G>I5=R@IKVnMILv>~<9sp;Ru*=ASgn1&tVw1)Ys=TyS4>Qd>%k2H zcgTRoXRhZ;dbe}MXrB`!C`jk-G^h52?re>w!otM~|0$97>|L%l+FBa~9Su!oW#!UT z(_bh6QA4D61AYK&$PT3tGK>6HC;32zfYQ#$;8o7#2c_`r*`=k%j~_p(AMKEA>-=Va z{YtWzj+<PBnyU^dKkk8QdHeP)nE#F}7lPmc@(m2;A<qLR|1N6-N&=EuQ?sS~PS+cu zPZ)KS*NtKyI=T^hjKg>gV^&0M*ztV}3kx(_IDuqmXD5g0`P$Xh?^ZPsy}s^^xD4dh z$<dLSUsX3jV_7>-R~QKcA^j1jV%^Tcq)r|6tYb%YcqGCr*W@B_0*Cp$#s6Byo8n?W zKOqP0*QRfch=7FhQ8w;*3J_FtLKo#=4ARoUK@i_zpsVY0?_RasP3cr8uFsBTA)%pj zz1d+P++OZ%;Wy|zU`qrgpI^xmmH=kZXmaps111cSKmwv!GAv`?s45}h9->U+AbAyW 
zBA9`J;o$JFp}xMny!=aH&%<lEeE@#mvB;jH)3UHgxhgol7QoHTjml+(n^{=MhwkA- z@!V(5m|0tkr*<_oG$isWA;3f6`*^(8MD5kwzSsHr-nBOB*-c&~)RQ)(k+g&aJB$Vn zhyV2|gY+~%3UhcUfD>(L+Ye{>_|%dJAWL@ENJDrZAD^wD(BR<xD0-Fww=KY;0_q_( zw_6{uUohfgdH^b1=AZXWaI}1SZ??v9ug39st&ff<9=ytD=@>M6TCvzn{N8v?-}ty> zvR+4rTa|U5=^Zrs%$YNS(GT7!ktcPwGpYC)EtYE-F-2oHE}j7@T!;M`nW+SbSR3Y5 zYa=5gqn;hMI;rMuQ!?B?k6TCjMhZ&X)SNzdu3*s3i?`(6yMcM!Q2Nc(>TG3SaY@NI zL0G2I!`oa}>?|!6f+-%}>!kL?laVz+TjD_cV2;>s;&SNoNseF}>>zWg)1Lx9MQ57U z-^<IkWsYr><sT#xX}R~4mrdayWpndWTiXpr3*d8Yj<Js(fxrU{78AQp?DzVAgr|L^ zWI*f(;MP&({Pl&Vv{BH`pPvB7->iN6X0o1;p_qWzf6mQB7kFF<cW18ME(=Hve;9$L zp)fHqy(SW$XrEsg8@c^|Xt=Ny6#ew7;LHAbh8SewAc$I~(Qto%)M-5<BTo;H0hh}X zmc>A$bzlHQi;JbpzW|#f8fEHvPEJi3$4}My%LociyVmjBY`6x~H>-nG?HwxmCmto_ zEAJGYlauqSJKcZt_l@Y&4_mJr8ctNYvImytn~C%A@Nh6(3k_}Pb3w~;@iITG{|2?n zmRXGt4-+j4Mc7Vq-?fq628KITen;Qleya5$i^eXQ-8-c8-(AfG>o-S3AlHGMxVpK` zc-KmDKB*^t2BeAdUX0&b98OJ1Nm8&^@+QLoFte~=Dn?J9JULuqzq-1bsw)iGSCX?Z zCue4)%n1gkiz;*J%lY%?&#emQ?o1U+NltuT<I$dbREw<d!oZt17oX{xSy?HP`5*q9 zN3)q!S*MDbaTl0v`CPz>hm#TC!Mj+Dim{PSOh}--5V?Z&eHk24NPU3@khAB+hZx4Q zAM_<pOuN~vNTa6%T`r$1vkIXs-AdL2{x!Sg2VpIr#_>mXYOl|*Khv#r8x+SV%t8PG zFNNt*vp^lcDIN$`_$S9Q`FoQ~<HZox{b`)12Uaxc*H;2QDGAvu)tMQw=XG&<NRWGC zWU?W6abbZjyFi{`uo4s&xV;S&k1+;`@u$i<E1b)N*UQ`8-E}P68MY5=@R?)2as=Rg zeB37D>hz~cFm|b1djn{YoSJI?0Vj6h0%qvlE%G!tM!feJof-f9@9bF)SoNc${Z+TB zvC&Yf>0&`{HTvX4fTT2<fU%Y8grIQ_;auX{#>W17mkeNUWl$bga9DFigq&<vY}f4l zy?J8K$_dDyw*7yCA8iNhe^DYX`WxWvpJ&U*k>Dsa?%OBzl^}=t@&2x2f=V5$?0Fi^ z4AsEzLD5+$DU?o$62(IJ^yx^!$)H6ku=@uJVMhll{wvMxFL(gmlpW0-L(S9WsmOlG RE^zpUu3t0KE=D>;{s%=k3*7(! literal 0 HcmV?d00001 
diff --git a/doc/guide/admin/config_ref.gif b/doc/guide/admin/config_ref.gif deleted file mode 100644 index 9108d3a7d417c486dbb867f1e16f7c4700e5c6c9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3134 zcmW+#2{=`27ykOoR5!PhqN{thDRXHcD)mvBql_oxju4XM5QRQNDxpCfp=?76$&@+T zk<3IP6?P=i?UJ!n$G`Vo&$FNJoVC|l?|R?&+j<7N8k)xfm(+myML-Ao??L|^i2jEV zNymFKt9cS)0LK8r0D%D#0~7`T1Q-Mm0vrMa0RaIC0R;iT0fqyJ0~`kk2LujC98fr* z=V1sy1aL$T1_S~m0u+r!0E_^T05|~<0SE$+1fU22NPv+5k^m<GA^|}Hk^~e900l4# zKnma#KolS-KvICB000nU)`2(!0tu!SQUKChVi<%N#4(64NMMk}AcaA?mQK@wLx><G zAS5BA=m9vya3+i65aE!(A&El@hcrnHF{L<y2tfit5<v<<nmI-={Wt*;0SN+<1f&Q^ z%Yl*1P@IH_gaipm5>h0jHNq%JBjFT86eK7}Qjnq`VAQ3@A)Jv15e#WW0Ys~YVGK5o zA%r0ULnMYM3;~7>vk=a#LnG55^gKlCi{Z?cIF1mG2po|(qHua7-AxzLIVK2%NQ5Ya zXeTfN(R^?^MIeGeB!MUb(e_{@qDkU(9f=4MktCu>M0<u&h-Qw{%@iUiL{f;N5Mb^F zO^<e)E}}i8?V_DwT*NR&3mju65*SHhB!$uD&^|B%;gEqL7<p(V7{4)`Q4Pl#Yyu}q zoTPAC44OAhk!HgzL?DtxG%|BDFoMw+Czve>f+Pu&B4}_LhaO3H(}i@7T>Lpn5Sa)e z=CUt>#s3caq<_&N`D57<Cap}r1k5)91bJXlNJ77Wcor@wqG;DxkXCnTm9$}seqnn3 zRk7_J?;8s<8m?jcqa-R;qoz1{^BlXTqI)e|Rnwa(2E|!z$r^I$tp>hw9jP#U`9_bI zGM!1f*A(rWA1gf1G||(EF)YckOaYH>w&s-N_U5mv2>UJX|FEyvwIyApqBQT_1CK$c zXr;18{kJ(2X05qp`GW-)woI)wE?2F67P(%^r1ks6(2IkTM(V!;wmoZ3*nXit<#zF> z4ofZ5bt@}p%(|{0Np@Ii;pg1@(D_|NTVm-y?<Bp<U$p(?Otd@=7wEQ6ET0@UHCkxB z^GaiCG)gVUZ||*LGhg_;UX=`Ns5)CDF2LiCBw4!7WskI^vKGB_sENtGNYloe>Ng8t z1$62!3~J7QZ(Qy6_vr<p9d|<eB-upR3bT0@s?{uKg$jJqlMG#_{<$-J6>p9exZdo+ zns9Ne&-f*I-5JR%Sfp5An7CqqQ`C-anf=--&53yQx~a0^Xf^&T8Jyh-`UAmYQbNvG zjMgZ8j1y}wNeR^r)gVGXA9QDhOlb@C$1nHMXR)2mW%ph_Hf7<e=b3cW+UQcYK~{3d zGmFeioVj(c3}wb|kGgHnD|1WsTD{=rsjT(bE$)f<IeCW@k$j_9pJ^`0>jj+>8@pa{ z=yuONdoRT`iOyjbAC4x3<;Z6r@+sSBQ<I%z$jY^-@NiDR=Nj&wKiRB!>%K!CJLg95 zr#FLEHR^g_Tr;LToNm_7xqB38sr($X5~*yIxuzLw=v7=Ob#-mL!ol2JQ<umU_e#81 zzs*Y+H&B|098|pj@5xs+-<3}rddQ!uzM1vH?$+-YejZN;{`XKMzsk>WJf44j{K(Vg zJD+bpHXmv8El=F~tX%^u-1t^wnpd=Rlk|m?Q!etX?jrLoT>nDXt=lbq-F8+<9IO9h zr;P%s_4A5ciT0mg<sffynXnA|C8Zr9B)a+do0lK<Ulv>fF0(s_4n~XfnZ16~Ijnb4 
zLOWLGXxB%BTMApFEc({S8gaL}v}Ya_kugrzWDULUdo^lG><kxHYmEDRB-7x+21~;@ z_gCp6;!{D(eTFQv50`j6tW<Nc&XdY@l@%<NG%1#QbuO<wAy2PN|7h%Qf$fi;ho9Xy z9=y9G->AlL?5&EC|Eaz(ixnC1&EF=;+$++(cYawva4AXL-<5YYK>A|`aq!yQd(D}# zhu03}he)t}9eVR68#dW!rm;IC4w-Z8UeAxcthANmH?dK-D{45q$=YPk$Ik<I&+9ox zmvByx*4-QRGFhYKRnb$$+xN8k&eVKId8fm^Ee_=~6HZFuES4HC_}7owiP6DS-n;vP z8L=9(A<}IR=FjZTEnnEcnN%8`)HzA^vu)cnx(l|O?jP0&n%uw2yEf)YE#YihD5w$< zyQ|LFLiK={b8BPi3h^h`b^FcsT(6jBd!F3d^vCcKU8$>oeA_1-XR+ph43{(2G@KN1 z#!xZ$@sy!*@#`~2o2zD~j8yB^PHQVP?3gwd>a_4}yU~1n`jBdWgs+LprOauQJ)W(; zrn^QyPMb>qUdA~r#wR=TlK<-gPN(upmzmC9iHn@B8ku`DT?MM$YYmNd&hB_%vQO0V z{$V{ezbrFT%h_BDYrpO)>zmH;d6q{#?VGIZ`qI^`9e$6`_Gb9=`LmsTW+&Lk<1DS% zx?I1xKDX+O!oA<3E*?5El2a{cyRAa4=iPy4@zLh4-D|l`kDKk6v;BH!yPN%oPjb=% zLUXt+=le%awFDLZW9>Nit7O(O_3(3RtFR?Kz5{HL&FqF<t9je%Ht+sAUL(7)$9njZ z%ap&Cnb%OcTom9f%>RkVF#bQKj31nqtcw(8>Fm*0m8y?eCb#YRiNntIv4WcCBm}`n zotu)T>Ba`DGYsN4JJy^OGN%sQ-l1|z;>QuUwir##*w+eXpPLBnjc-%3Iqr3LjZ<}k z6D{1$ZYr<vI6gMBsW+4ze9qFH^RPDiNJsnoDF3fVi?`kg`L%rAiQWQEogqilf5N^r zB-P=UQb4wCwf=lq{P~@p_Ej47QzP#JR7cVSl$__p0=JJg`Xq14y7Ilqxjy5PLw{eO z-)QTj-TWacw&R02fg>SSd${Uj*B_d92s@OPO%7eGuU%RFUER6MO3w3BN|lCRenalh z>e#NiuaDXeo)Zw}J>eKO$rf5)i*YFTZ%IpYlZ}cW4Vv9A`?qL+4e#~uFH1z`S+2Y^ zJ;IZJxnNwdkZUC7Cv3$p8UBt><CxbvU6~K~1}AoB*hUAz^vkP!G^FfglM;_aDeZkB zWy7j$TpP93OkFx=XWwPV5WA7f?_-qS>RUyrHow^zs--h89l3o@R_ca@mcNXxzM{Bj zR7cGB%rHVzZt$Rv_^ea>CWk;V=iQNKU9XFt${unVx~D4}@4QZk3jCl}8gJz^cOvd? 
z>(|nr6poINXi{L0s2mX#HTEgsqqc`^8YWdSe5O2GQ~?E_$&SC?)}-lvDZFRL2K&2_ zO`j4{c178qO?t~y7>~%@6qu7c;iY)u)__X$@U0>n_9r)P$n1%%it(gGn<2ip@&!WM zekc~_56#LKg=LL@F>M|j{ik@5@3vQPd02$&y_}F1m&z|Icga+K5f<<covNMNTwOk( zWLtIoZL;@M9&h>NmH)}<O?v)x{V`E3_}3o$y1=c*V|4;1(dN%Hdi)=F47p~0s9C=y zTeaHP#z>`7HpI@y4ihj+5BfVPIzQDf^1+!x_2Hj!FaE7pQaRF>v|@n!t3OG(y=S9+ zuA6tiyG&Md`}&gHhI5|93H(dDla8Iz=~piFo=dXt(wDPW^fcyjl6;@2|AmJra8-() zJni&yXzdzLRLt>y`LyAzx8KtC!e(oclXD(>bCOSVYzi(beLoU&sGK}%q$lZZKEL2M zTu>_dV|c9e@$C_=b9?DnOanJFQ;+-pw55)&!1)T5fwP`3OIZi~x<$%j{UWzqv)|HQ zz5ef@w(wEAC*PLX-q}McOS7t{f9N>+%uWw{otW+MHLaRzVNIOxhzoZduG=2xSo34h zx4K|qX_o0iCHXY<TWv$<K6l>iiqd^|cspIrd#%QQ1AXbGhAwW(X4s<e3%E_IKt41X W<5SWn`4j5HHoPZ3%dc4lcK;vc;P5a2 
diff --git a/doc/guide/admin/config_ref.png b/doc/guide/admin/config_ref.png new file mode 100644 index 0000000000000000000000000000000000000000..cca3dde77648e0a1616280fbb09ae672c12453c1 GIT binary patch literal 7556 zcmcI}cRbbM`}gOVCo3Wjj;yRmR#rA;WfYPvGqN`!8JQVHWF#TkA%qa&n3cU(l$}}G zp3C?9`u*`dzrUZ)9~@_V-1l`~*L$5vZB1oz5(W|kLC95Alx`yk>OMSfK;yyB<YYVo z_=WGTpsI^TqsM2pX5h~=E-D7@@cTa(YT24L2SJ#)RF&j)ebUz^A4(<qp2%**^~ZdO z(H(n{m=p5y9)ps__~QG5Yq>%sm6Dm?<)sa8-4|0E@6e!f>b)Fp<f#5z$@Q8CZ`dwv z{^ilJ@V>`I={CQ%59VsU11l(W*oB9?ePmB+jkjw`eB;^*zb&|DBnq^lk?XGeJ9d|n z3i9(+y;w<Bj*ku=KYm<bm5ll<*NnMh{83w9KY3MwW+;UCETuvxJdec7QeqLLOx^`S zT8NrZ2qhx{F(T*i|MSU>ny9F#yL`0IJ97G$dV72ED~%i-*B*}z28ApXAR9G9B_?Sv zUf9^%j|~p$nVHG59L#U}goTCSm-DIyT_8p>3-j|MeFzd$Q&STXsP-S&%D*ovE?!$% zx#qd7tFGQvTPqp*y->fDmhbLoE1{mAp02L0NYOg)b(@OO+}vC*FRzv-o}Qk<Hr?hz zFX1mGfitP9f80qP&mc4IzP`S_OCA*A)O2*igM)+m6|u1toX-tRO@IIVS!s!*2#t@6 z`!-eou&|)u$K0Hl(?kTNy|Z(5dHE$?-ioR!T8G8Cxr%#Vo)i=mtT!Bd#o?4czMPje zW)?t5F0!%x_}P`*_h@=-Y%C%I4NDy?)VGYW6G@%nXxfTrRU8{17i?QwTl*4z7Ke$$ z2sW>3&Eev>#ynt^<J!u~;Un*hi=U2Ye|(upNJL~2b1xP@2xabYdacgR-n)N4g0lIM zOjkzNPq!LlD#jOyiSG&vNdt4Vx$W)knFH#y95^KebeHlL7w>aEw}a>G?f2Ioofs*p zLp><M*>}sPb$&81F!0evH<`a5U48cK+40(Zf5%K>pq-tar6v2Q-VU3XSh7k~LBS=9 zaz!nzIE?Z|F0O4KsW<d(;#aSpXN6O-fAAohvb?%l_TgW?%}bjC3#OxEW1L)E?4kU| zALSfWWN!OiBbhlm_}8MKq0ysn7Qpc)_wC!a4GqU@<JFPOVb{tms2ozBKex288EVYf znOn0`*3s#IcPsl&iLvkcRDHu(ypXOznMG?$BsD$RlbRY|S69I{abe;9@89ElY>0`8 zNdupYF!T%$C%0OZjjnQOy)ut6Yw)izZ^DzzaI&yCM@boUfSHpD*dJ(Xd(vb+GBPqS zIC$^&iDyI>2?1`QHsGKtDJdy}NQB`sC+Dv;=LV|72*JR;t)GW`+mXK&4GczSzl5{1 zu?e)T440afTb*eW=iso$#WGF)RpfK2F>Z3JJ~EHVlnJnRa{6jf=Jk6*Rb*w)WVL26 zlA4QCGriqP=-=vSh#&<Tt$pXt3k9jjmBrp{G%E*3E+Hu`4K3|o2e~0EE-$``?>8|z z_M0b6H9LFumBzy@_{VIiz4t}<lhyP3g@uJTGp8@;>kkJ9<HfjITSI$WySkPY7V@@@ zw6)pn?<`^F9LKA2^YXmM&z8l***H3C@WJCYpUoewXU?3#%%!AY;P5AmTy`eZl$G;p zYUoM-<XCMRO$`mbEiJvWcx8NS%*MuMYtLUEA5EbeGK0aK?BZm9^`vpVL2Y_=w6~iJ zV5Ba@?Us#u_(6*%B=ka2==hCyC%vZ!2L|5XEpmE<C_W(*6c%O_wuynMHJ|BsHw@g} 
zm<^`iWmSAKGZmb@a7R;9Gn)3Ynuf;O;v%IJPl$zu1wm6*PEIJLh0x1|Z<*`M%gyCX z*eF!6rMZWvryVreeU@F)bP0DG2Zy2=t?J@pjgK!gGA1|YaEgkGmKGL)`%8Hp&$<59 zGV>?b1sr(U+S*!Je>>VCqquzevV6W`IK`SL?}fPJ%*^$rB_6aqJz1>m@$TGcg{`%< zH4zb!k`)?<`{+8y#>S?ZE{<wqy+w)53`?14#+ZHb>1}Jfp`_kqHdAa=z4PbK)vH$p z+xYqU^E5NqhNc@IF<TxU{hMA{S)l_Q85mexS$XK^_qQ^$s;WxRvW?Q6TKeDI{JavG z-j5$YBC<LYd31hH)kh0z-n@Bn$YVU}+rsehuw~42{X;Rgc@>MJjoB}`{%_@MZ5OhY z<F>Z8V2~(jX{#O#^Lu;$lW_l)^77@<($X2O>t;}zYR7S+|1P!_hYN2qPf1DfKl(Ea zOKedyG8%t%IqYP`w838@Nv*YBBhReH?YfCc28L&GdAY5vEowx|*f{<9bDh!y->vyG zX+1V&ck8^?*hH5kzDzqpxx@nYJ#=(*h(f5CnYBK(zLI|E_t%ezAoE*kadA&a$KJv8 zNdv5lBHZ%cJwdnmcGC(u0|Vdg6hT^ATK8YwuAZKgRgP(ynbQ$e>;w`Dd}NHGtI+(8 zj*bGl2_kIbi5r==1xRalaq;B9fRYn=Mn*=p^K{_Wd`JDme*jp42W!<Q2aP8ye~THf z+7FDBS(1~H!3q4?*@2%hAzi&tqYKi8>gt8#6#adD#>U13vJ^~`9x$H`4Gkg;<g7IG z^feBnLO-lX@_8;@8mn?-jKj@s@3kz=_W67Bkdlx{y38Qy5+p?D+CBo112}#7@S(iC zyriV0s_M>0!Lw(5p=YSEOiWMViaEW=$jNbW%v!m(Wsfc^C@Mx0UcFlRlu>N|;2@6S zs(p~`la!WP$rre}{CDqE@&q~_&uClSUUV{#DJ(3Ej*ecRsL?SpGSb%mys#aaoS2xH za`RWzdEP~j{rQgP8aHopYNX~A9U5@)F3is-CMEIk^48VV5E2qnEqFgKSr{xUHLc&; z*(oY5&C})<6cp6S(;OTcGHnbz`m=I+?2{7{5vConOxNIswVo?VAGo&FM5$Dm_)#@G zAQ1)z1_BQL_M`|Z?na$~a{vG}Gn)<#4ejhygY%woc64?=sct+fh6<Dt<#fAZrF?*l zaILKzqM|QSZvFOsOO~Xjp|1V~0}VUe)P%C^Uf3olC!hZ0%U)Yw^f-DV2y;Q&&ttCb zX>)V)!M}BVU0q6E9-7V=df~SkX*TyxFV>}#6IuUVmtWoVmX?;04eGMH2M6xr>2L|# zex;$IX~E$Ze*L<muTNcC_2C0cC=?<iJ)Kg)LG++Cnhp-4va<3yr$%3IuRJ>P{*^Qq zak<P3GX8gUbv@R`DpyxmfBmwt_z4A-mXZR(EGjCx%QuvV<zV6l#uG|m2zAoOu_Ywe zOJ2K{mzSrnuTN@rG}72*)q&T9I{pzSd)(gM&VA{U8jR@iiXysqX$RPQd}PEQ8nUH{ zl!Z@B4E8Rss;cVZ$>%y+n4C<fu-Ftr%*n~wye5H-1>I0#`z<&)IO6J?@h%oLMbNJQ zF`x%j74*>7_I6|vki8l3+UjTp-DSgzL$~7Ox%v5>R)&gcNW#=|&)K$whliIMRB&Fp zL}K~LW2tXu#(efKbSKo>L(;@$9j|xInvwuFGuYSX_Gftz`Vw|2<~+p`3jO<n&p^og z_r%`z0wV?!Z}NIVMNMtF>W03)n6R*pk481SaWMT;Er%-)Sj34ko;-Qdm3-yoaQhob zoW<2uCG_a%sDY8uw@lgTp`kl^=Nrz=%*_}H-IaQDEF~>{WOlMY+><7@=ig9XzEy7B z^;RqM_pe_=!%I`h4q>oj(^V0X93ZEhoQY4q)RsjB1+^}-&CU&bHqaALek*<A`SS$f 
z7QmMcKARS|Z{IdGy%2}f(bF^e<g*DF51LRtOS`><qFowI5!U?Et)ilWnwt8GS;NHC zRLPq+Le5j4!bs^9OoJX1Hf6C~kn*8qX3k7W8TtM_h_bw@%FEUD@g_Q+5>2r;G&Yv{ z?AbYL>h0;1V>(u)>|Q)PJb!=xCuf;8z3k)?<XzeemzS3}Ha4~wzEywt@b2BaBBScB zt*zF7S4aD#h_Pgblvua7z_A=09IULYTwKJgRu&fJAo{L87`kt7|ICB|qr@UUf5Y9~ z{r>&Me4RWQ|J~O)IrFQlpMZv%@Ox14oM;LO7dTjIE={P*rjHapehA=2iBYv?r#B8? z4nq*W`ePF`{^53+CC+K;QzYg7{z_?meLdY3(;`Id75)}Qup%wAJYf9EPQO;;@jgh> zg1Wl8($dnGFX=};Q5zub%c1B$2l91513}O0>g&t8%mkH|uG5+M%X^t1hlB*-MfV*Y zrTup|64;d`B_#nxVMePQM)C5TQKJM+@(s`m@87@g&(o@|tkg&mxcBXqbm5)i;D-x{ z0a26uTX-4ds`B;guojJ1QW7jIL0@J+PjJNtP-5qy8e<^5fl{F}K;Xd?EzZuOxB~Ee zHx0CKsH5+LgXd{!Mg4Xbq0Fk!IiW)ahKEZHD@ktSw^J>;s%SlY_|VE~K1(rt>XWaf zl@$#J^U<P}1e1dJ5;U=r`^%hwCOi1M_VD<yrljO|jr)SRIo>=2L3oQvV_?8wfnMXu z@wFs1ax{A5-@ovO%ZM+rJNBHeiAg;)Agl{Oatwe4rlP5-DV{+NB^Rg21{#F|D^5vI z-|^E8_$Ll4p&-?QMOu+2!OsG1R8&+C|NRD_w5}Kh)`bpcuj59DFa$WcTHozoRgUAG zU0upg89cY<RkgIVtgSI*YDr;X*L{4%v4zjl>4j|oyad{;^xvST8UpG(SBB>2t@QK; zL8t+ygV0Vep+TPENynm~hu7EECj0uf{tTO$eRP>EENx(`V?!>IO7>;u78G;>VfXjz zC@Qi8>dVS9-^M2+qQo8zjE+JbG-;#Z*2OTD0IT08Cz-x3;e`;8>Fu-2%0Bw?gd8|h zNKjB!Q`1K1rIkKGkgj~3q7*2jG*L$o?<Z^3(}BCQ;Zac}D&zuac#RB@z{S(k(ZNAP zM5Md3GgZo0X!JZvj$+Z(|JjQdFUT21yI)BkKr?V@ru!W33g!@Dx?kfqUHA6(K-t;b z*_D--!`KIBWwD-qPH53JqHk*IR4f4FfS#3_Cb*4{5J*!{0c?M?>Ug%iY)?uW4MfDF z^ETdu3Mt3)!`6SsFv|u`ba$_U5{7f<<>7fefXHEX#A_ddKwlm#1Y`g_1aOE{_d}3o z7V%>?S=s5)(Y?t!Zzm_G&CSh%f{g>zYdQhlJy3=#3kwS~Gth^gzb9&7;uY<Y?{vH4 za_FoVFKB_~e*CZ?3UOWP%RNKQdAbN8azE_iSmlEoH*U1Hwmujtf>KlD5FyN0--X~? zt}ZP6gUVG^S95W3;o91osf|#(G$G#aw*Iaeojn@|cnq5{uJ;@K{5fbf3W;Y7`GDKp zS<-QL--g%D^WI5(@j}5KVR_Mn!FF_XkP&4!G{^`D2=MUOEq>2BJ*RYfW5x3_na~(a zR8(1og=tAiSKWWzEa%0O<0pSJbKl9yw8qUEY(-7Y9`L`N2m@4`rIe^kJGY@BaO{I! 
zOU@0TTUc_Yr8WWX(eXC3Xxb4-Fc8FmXyo)lp{EOTj*`_?RabZS_SV<YQP<KswK=0d zk=JON8r<Vk=i=h(+WY-GFk<ikV*Z-jAuhY3!u@Aw5{v{NEiXH}qM2DH+(;W6MUU0c z(D?fGD|qYJ*x2MNW_NUS*rAPSqVOp60Q~`(K+_JDnw@lAX_T`^1ZHS1ivxt4TU+ay zm@vURn3%}_!6~1kSzccT^Ic)n1ML(U8EH`Gb@_Br?`gQi%PT69`Ax<~M_;~tDd9XN zRo;b?OW<kO=D2!wu($UX7>oTsEAb47O6s|`lvM^9eK5^!PZ`6>=x^)lTG`m#@RC5d zWop)4m2TWP#bGV2_1}|qrymISCstNbX&)*!;<}llee0H>>klQkyZQV0xtWp1M~#`8 znURsI^72jZ?|o_KCk~QVGL0)(9j{*ho}~x}`0gFLB!O72b6!XsXht(bvel-d)TE9m z9~HFIVdk>Cx0fO5+1cIAcjbzfx_b1g8-j_McZg-bczU%=OkiOu&hhv@eAw07{R3DT zJ`4CP<XaO>m!x)de6XJT*9(k`rH983q#lqhD2ad*P7!xyOYX|m=1xdR7#bRS#;a;% zR0p|`+W~QoHej_0IDk=W?xN41<?I?JCu-cKrKLe?Dv4!lbDuwd9-TEYF`<zrO4UW8 z=y5;zn^KmxuCDI9b1Z&@xt$%)odbgk8^}jkLrv@bel9H;n3-v1X@h5btC?Y_uU`%8 zyAWsV?99x_I6g3Nal)ID@884*h%Z=;?j<;n1hrgHaqsW)NoE{>dvxsnTGr_bXrNN# z8X<5zJfDVV1^^o#odiOl5cRkPEAAq<@2r;HD^n(KZ(mSZd9`h1aIo_AYsAvnzyL5a zQqc61kE?<LUYj^4=M8}OaVNqqX|aLcUOOkJHcaEAlVhDI`n&Y>^q_$feqEywZP91& z!-m|lwdIO#^*i|M2&NHo1O;v}vFh5|RG-S+TtZgeyLVI4(_<*zU_7_BmLKR#i+!l5 z*xuN1@%Hw1b9=T!jIw$>gNccdptumXu(HC)z>xatRV?Kt9-dqJ`gCRIkGK6)_>&=z zAzZ0*JoVf_uI>w8Tie>8ZhAtQNc_#O6u4ki&YL&q&Yin$XlQ6^>g4SF=<lk5#nFFK zI&h5n`T6K9QaXOhge(xIckVo)RMXV_wdtcY=fr3c17=hZjFlxWmg=dVo?cyTZO-v* zkd?d(cOsl^K)}(z^;08CP3!?0Sm^@@+p{G9xz3*b_Vufc0LDWy1Cxc74LpQA1*}8; zqZ64Vwd-g|+%6kcbx%wjF7@ZNFobGXlMA+CDRAB0-Cw`*^YM|fe(+i|gk(mq@Q&(! 
z1%7^T$E`><Yd4S2s=mS7?w{x1<xrW~ExP_USd^jAJR+Esb3yhtV5(rTO$J#)c)|GX z;h>xJbai7G#o(Srm6b`WZbaA66f9zgM@L{FKr&y5INJyLWDSg6OA@a>TPQdi@=bYu zc#{^qDJkjXUvAhGapX**dt?{DOnW;^9ZBmw2ZzIrS;d_No(&~`tc05t=oX_Y2iCgU zCcI$99{~2$R8;a_=SiX?;vmFfmhy1{lWOL_NjQ3*oP-j4ZsF%oLN4R8H2ldA!2hg{ z3bS1SXC}}l!r(YuVlp)~1?iBm@bgs$VnQ@UBpA)$@ob93&`^ROUlo<C?%Ua&VGCL9 zBceOq%SYqi-~=MABgouNcao5pxU;)y38`nsHE#v0cv7eXFd!o+3oMo_ft8d+Jjfrk z(<MGW$nLD@@F;_4kS&Xr2r8>&<XBeRod#hMMN=R_BP`+wVi7WfAQ2i*g4sDZT48Ft zyB#1<fW6Lc?*SULs0W8>vEH#n<Ye1BZzY)p?wy(-{ZdmV3Ac-Jxaine+Q4}&V1&p@ z6jGazbO8qjTI-dRsub_t>({NffAusguSSN4eDeEa-xN%Ele2$f;?t*3Sk|24;((2r zCcFN(^b8E=^u^Yu8#8@6%hJ*qRhbEqRxaKq*OTJ_(X`98PybhDy1ck3AS&7ba#&5R z6B>d_0pu6RE<m0>Ur|Y9lIHyRvb%ho&sFpKv$L~1_?2&4S-%UW1ZQw=^7X>@Q)rnN zSIlB5Q$-!e)*Dawmq<{%?<yY*zs=2knVRb5={Yz&9PQLSw+X0~qcigPS<(gK3{9>J zS1%cYL%V)@wU#y>M^WC^(>s4SC7XH;QIXftd0tY&ub=|4WP3aMk6;UMjaXU_usPk1 zn%C+G6*V<`t+ZWc0kOfESd%(0$LWSsi;ZTL$z*0?ngokftnrPQ{U6CIH!_v^pFgkX z^-Ewijg7IJ(yJ0JFxUUhiLV77if>vu$816x4D#}NHP@f#M`1-|df;^pjf@t)W^^rV z!yMc6q~;ck)mMQP0cW9f{rbHaU^oUWc4DO@A`fe1Xvlf-qDq4ca@;&Uo%v;UetsUT z(%aXsS!84y7ATD%r|jrB!`fm~aT-{SjNCOcx@OmRk%@_EU_9RVyQx>ZnhQ%Pq^hbD zho*8H^YRw*0NvwHXG57axbK2#f!HaW!-y9N5EebX{%&jth=^Pqf-yMFl^L|TX&_y& zfNe`iOV<NvewjrxMBKl^4o8I-WYON!!|^-ZP*3mrO|OUx7U1RKgWyTQty4dcaaGZT z3BEqJv?Kv*f;igJQs>sKUVUK@Z?w^^<^m%QUT{*Sj)#YbH*emIn418(lF`LTM<?dH zWySe?X>Cp8rq`43aESGUF=Ub%uhP>eitF?9?GzR9Gc@TAUno^4QwfRaqVStrTYrM5 z276RfQv=?mpr~lIl0Hm<)q+Dz%)9@sM*WSO9v&V*0N*;^I)%pZbgpl<K7N*%IN<nn zkyTVdMId`Ka?KjGBTn-)JDYtoPsXw>27H+Rhod5ciim?J-q%RlXI-FKZ13HZPgmpm zfw^aAm%p(E((p9jfYb^^nW5pOQ7zK;XaB=zK}FTav*FAWlamL2NjI{oNCD=7s4<rR zSDc&cl4fd_dpjQ}uBEWK%XzwigBCX8_glG7NJt1!jJ>j&F*Kr7giMb{2j~MRSYBS< zj2u!71HPg0YG<INsOach&dR8;NSPblpNxSU;Vuwg0$Kc!l78*OB2M!?S3Mc(Tw>O! 
z*}eQPDrIhF(+B)oR#q0Mxp%l*pPiJj>@=p(01z5LU;+M^LAU=+2uZgqcPdDdgZ+IQ zTU*E#{6CaMMX9N%sK9!CeQOr8gE9kS-d9$7?kx7Av);YqmdTvX{DxRvAP9fs>g~P0 zxai{L1rZ}3E$NZ3PH+SC6)~6~Lc&NHlHDa78qQ>Gb(IfXNowjl-Q|TxY%I~{Zn|$& z(y>hG@SqQNzVlxUWa$C*!*BXY#p^t>Lrg$?W_e`=vJWYkTQHUhCZxy_D%>)+0Q5BI zDpAoYh~B=;eqZtc<@{QfMLb7ITnN4t>+D3KP*!w=a<cL+D(Nm(=-<vC{rB7!osd1k zCRTX}8ud$zB|H}6S%lylH;C*xz`6sUC78Tc$hw_xRPDr37j;T8w^P&7F7xp*Ffv9m zN48V)g@=VD=q5M!0a47vGeDG{)q5Y}6th|nJ1~F1b1)sD6?40rb1ilm=CA#C8d%Md zrgg($Zkj0gj>FH-&)@$Ld~oR8Twks_oGe$J9I}7r>s-7zN!V%n09X$NZVI!7@`2Qz zrzMhWggr#M_{T6^qh$r>tm1VG*`X!~*FA$%4hWF;kPJ!>o?$^zF~>2>J{i|TBnX@2 z832O8kChi9r$zZ6b|DYO|KF7J|30a6nVb6~s0WaheAd<xHm`$pzkK=9QG!BPY-euB v$Yo*Z=|TC}SXsrJL^LyqIbjtRPf-3VLa_-1Uz|?AJXO7}sZ^q19{hg*HF$7K literal 0 HcmV?d00001 
diff --git a/doc/guide/admin/config_x500fe.gif b/doc/guide/admin/config_x500fe.gif deleted file mode 100644 index 916a26eae3241b5002231d5a03538e2a09e376e1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1667 zcmZ?wbhEHbRA<y-_`m=J{~7-O*8wp=BJCi7|NlYUQ7{?;BQFFv{xdLh$arj6aIl#} zSS#klhJ}aQ1(dz!cx+sBv|GYB>&}Udi;wp!ICsf-Zd!73vPST#n3n<#r<?SWnG7t7 z7o3@{6L@cp=Y;fzxt7gbb6;Fuc6O0RKcDVN;pG?Sc};(I$8+ndtE&xF#YA6he(k@) ze`}Jgw^)Yjdbf*3TO+pV-t09BKbE`WtM-lcS#vL)T~(xaWJ&htYq2lBKRLTOsGe`% z=^J^M7uS4OyLMXOL-M*-Rqv%Sl^;V6vFrZ++B3n#`*PxSt-c<sl1In5qEE-hnCC~_ z?213^k{iAC?*1LYMax#+-um&rZ+29j#GjI<D^C9xv-hj5$~segc9Y$oJ60cCZq1$b zf9dPLyMLbZ*l8?xKPcn#`E!lh%g>bm{(VdEV{+Tc`u$&iJpHOJ6WCj7dfA)fUb$T5 z^U9^y^3R+UO~_;pS`yQo87sc9?Jnnw+l}SC>{0Q;VeXfzZ?v{uPM)55G_jqvj$>wr zfl;VZtJ*?|sa+?&W-QGAU-{xjhQ!Msk9)bhQl2z!`Fdkfw?N*D#BP73G>J)`ZCg|( z{Mq<JshR84i}(_8Nlw*i@l{J6H-COQEg{eT-tpLqlc{bCI(2!sEonS3^<;8g)x51r zO`2l6qGqP?Z4FInC`waH2$Hj09MQMPGk8(gxelf3ey+&JGv7Rolvw6?u|s9@D^siG z^V|4Vi7#de`|tX4)wFLeSu69NN@-0Iw^|mpzW<fho3+aYU(1AwDM_oYmtXfod%E7K zRas?QZ$;&1tvq!+WBI-^Zk;VZGjGW(zy53b#Lbp*yENCFZhQT9^ZQL(XRlnkF<Yl| z`@P?qJ7zu9d{vjbDC_O4uU)M7w(gzxdflGzc|RuZv$!_PAW%n5{6@`}V_^?HemT9- zuez}In%W$nd!7Y*?w4h!9`;JBS$6nL)oh~;vp=1F5G-;2jMnLCRdZ6)w=L=pKWA1R zVH_cRTzjRTP(F{w^f;%zCA;sQtw}r;y!`g&%WrulXKYOl`nz(@jjPiWP8R6-C{44I z*NMN-?o|8jbmpsT-}YU*`?jpp_mk(_dn-Tu+`GNJ>T&M(`@*xrERIgr&D*f3&;IWF zl*_L7OrIX@y>0PuTJv?w3$xe0-Zbk?SlqA9<>q!)?l-xt-n{16&sTkZ6E}CD1B2p! c?%)u|AQ#Ut1yel(PR1-b28K!&V3}eK0E8FKUjP6A 
diff --git a/doc/guide/admin/config_x500ref.gif b/doc/guide/admin/config_x500ref.gif deleted file mode 100644 index c986d865e14689a034b9f684e3854a09c9c16b8a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2395 zcmeH@`9Bj10Klg_XGxCUBZL=bq^Ege#6!(kujd*$Hdn)pk=$}b8gn%=N5)LdopbJ- z%N2R%+9q?8^m#>z#NO-gczu8Tet-L#TR`>n-H!mNfDeHG-~o6%r2~FG0N?~b^Sk(7 z@ZSTE_wD52ck_cE2mWUVgm{3Tgydj#l->j(Ns!A>U2#8NT=GONte(n9`2~zh9jY%G z%uqBV$PL$f#AN|(D_w>g)<y^yJx2;G8omAmXx-bIXGz4375$MQLe?kJ{w~pv7DJ9S zRoL?B5iQAtpk-#&?Z(Jd%jPP(Qm1}`{OEL*V~N{fCDNd2o7DngHjp(QQ+w0GgqORv z&ed{rf=`}#Vi5kDdz)L0(fh-eyNKQg!n4!P6W;966nU(dx=h2&c#^tjEk_2pGL{C9 zT2J}y)9S31JLFm#<g;%xMdLhO^l89*E}tFOE5D=eZuubiB=6Gw)`@{97Ha0V-hAOu zT`?sgg(1(w81-llZxzXU9-6Zern@m7)4AWiUQw38c@blq`eDrGRG~!2@bTPRZ*H71 zrm4umdT9U=ucke>nBZMw?iMW|3u8lfi(3@q#Bf8d4<*GMmQeB$VdQv($>t(nMparF zCwta>!A;0$(;crKleC!frfb#{D|9ZzEf6TiQY0Ac0Dlcv)|y?mlK>qMGv=?cva?|~ z)Yr`H*myLFk4;yx0PpOt1sP)Wy|BIwVXFC?HNp~EK`(^Wyn{${>v5qA2e%8w{}u+O z#i;80m_@yq+aM?7Smo5jkuV@NOH0b@nZ-3wX_=)~r3{U1zco>stDp`tqof}c6(I}r zbE?j!@qq8D(S0CdjsKDprPic$qzc!)Af;*DFXFt7Y*NK8)e9c@mJtK#k=%lD`=2!{ zN<}OSVB_|13N1at0Mw$L3|DF`ip1vGED~vR?L%Fn@_GGK=cn!4eY%%BlGotK%Jp_f z(31g_UO@Qq-plhec3-|y)Ad^R1-y6%kl8!fR`w4zLw7rnbPX|`<1A{#s&SVqkqZds z?Va=Kk&1uC8j#FE?>gL}b81ocm#V>i^?h=UuP#>v?~a)-yU-@gB>g`z#kYKj&&V@Q znj{)gbLVmNm7{{eK@a($bn7VKVw)RSRQkysxIdjRi@-Fq!%Xx)6RU!vTZ(%KJe5mt z#>D&-8c^p`FD$AE8?`P?O%n913H{BrHy#-r>)G#lb!@MVqtn&9WA7<At}5;n&^PZr zI8WKQtDMr_lNoyqc~;*Ty|>L3$n(rSKAZd{FL4F6m>rmd{6?@7eXaIUr{j%5N{hxn zrT4Air+?qEgclt;FgpA_zwl#?m1cxR+S(69NEcr0bFyj`4x2gxw7;#4av?`b9`LVk z_Z={?2}icl?^Y!{0Sh#b9$_+HQE9b+4emjKh9du8jBep&9PZpy;R$dOMB=Vhq{27K z2Qjt2vtG|0s$NtQF>f{9x2Q`@k1yUw0sF0{ts-<fm-d5`%oI=)_{LEsHm^D~PjGx9 zK+JCu_VsgRDh8BnDRt_!%1gOZR029nCT$d&*b|HhbQY8<kalLaWb14Dcu09PlBnIU zF&3VJU}dU+&(-;+wOD}M&!efWYLK1x;IfaN4`)gkTW)^o;X2vemszl$+m`4VUzr?P zR?&^g>yJG=vcl(8%oCe7{}5+757&7Or&v!CXH4L`>~(|P1Ffjsgn4!AhzlHTD3+Vz zMCx1CxQT<tyP7J_+I*sylv_jQ^U;5K-BWpQm|@J&QFSz3hEMUI34bofc|=tovmwFq 
zzC?-b7GMl<IJ{<Z<@#mTkRh@G7G3MNayT<t7b!8}W1qQU$iVPgc0!WEHX51QPeXFA zbYbq$4}ZPlswxvgg%Ti~J86~PuO_v%d<1^-zGZJ)+}sTI0DP6lThdImj3$cDNE4x| zB3&zOcE(mWNzkj6lUWT?5tRFH({CkNj}!-k$)i374i8I6q5fArFP2~TW@l0aaOE$- zp#4nmy3DC9TKcdn7{1>1iFL}tLAf09U|=eHAVdFMr>CPv1wySfyXfeqtPWFccHu3! zU=+THoE4lUnA+aB3Ry6D?KFdB`(yQ@*JAm7%bEr7d3Xj|D`a&XsT*3;v%27-rs2S_ znQ0({{6I`8tH%vN#>jzp=w9{f)sGMeuzw9ya0G_FqQGpXAZ1m$e;I=A(4+TCYEU15 kF1pKmDvY(f!x-mg9n~BPrqkZnHp`A~^$|6FS_ok9FCZr}m;e9( diff --git a/doc/guide/admin/dbtools.sdf b/doc/guide/admin/dbtools.sdf index 3de7710d30..61b2aec692 100644 --- a/doc/guide/admin/dbtools.sdf +++ b/doc/guide/admin/dbtools.sdf @@ -18,7 +18,7 @@ special utilities provided with slapd. This method is best if you have many thousands of entries to create, which would take an unacceptably long time using the LDAP method, or if you want to ensure the database is not accessed while it is being created. Note -that not all database types support these utilitites. +that not all database types support these utilities. H2: Creating a database over LDAP diff --git a/doc/guide/admin/guide.book b/doc/guide/admin/guide.book new file mode 100644 index 0000000000..200a227edd --- /dev/null +++ b/doc/guide/admin/guide.book 
@@ -0,0 +1,3 @@ +#HTMLDOC 1.8.27 +-t pdf14 -f "OpenLDAP-Admin-Guide.pdf" --book --toclevels 3 --no-numbered --toctitle "Table of Contents" --title --titleimage "../images/LDAPwww.gif" --linkstyle plain --size Universal --left 1.00in --right 0.50in --top 0.50in --bottom 0.50in --header .t. --header1 ... --footer ..1 --nup 1 --tocheader .t. --tocfooter ..i --duplex --portrait --color --no-pscommands --no-xrxcomments --compression=1 --jpeg=0 --fontsize 11.0 --fontspacing 1.2 --headingfont Helvetica --bodyfont Times --headfootsize 11.0 --headfootfont Helvetica --charset iso-8859-1 --links --embedfonts --pagemode outline --pagelayout single --firstpage p1 --pageeffect none --pageduration 10 --effectduration 1.0 --no-encryption --permissions all --owner-password "" --user-password "" --browserwidth 680 --no-strict --no-overflow +admin.html diff --git a/doc/guide/admin/install.sdf b/doc/guide/admin/install.sdf index 18e113f529..1d4e7b5ab0 100644 --- a/doc/guide/admin/install.sdf +++ b/doc/guide/admin/install.sdf @@ -21,7 +21,7 @@ directly from the project's {{TERM:FTP}} service at The project makes available two series of packages for {{general use}}. The project makes {{releases}} as new features and bug fixes -come available. Though the project takes steps to improve stablity +come available. Though the project takes steps to improve stability of these releases, it is common for problems to arise only after {{release}}. The {{stable}} release is the latest {{release}} which has demonstrated stability through general use. 
@@ -63,16 +63,18 @@ installation instructions provided with it. H3: {{TERM[expand]TLS}} -OpenLDAP clients and servers require installation of {{PRD:OpenSSL}} +OpenLDAP clients and servers require installation of either {{PRD:OpenSSL}} +or {{PRD:GnuTLS}} {{TERM:TLS}} libraries to provide {{TERM[expand]TLS}} services. Though some operating systems may provide these libraries as part of the -base system or as an optional software component, OpenSSL often -requires separate installation. +base system or as an optional software component, OpenSSL and GnuTLS often +require separate installation. OpenSSL is available from {{URL: http://www.openssl.org/}}. +GnuTLS is available from {{URL: http://www.gnu.org/software/gnutls/}}. OpenLDAP Software will not be fully LDAPv3 compliant unless OpenLDAP's -{{EX:configure}} detects a usable OpenSSL installation. +{{EX:configure}} detects a usable TLS library. H3: {{TERM[expand]SASL}} diff --git a/doc/guide/admin/intro.sdf b/doc/guide/admin/intro.sdf index 8d40e9d724..fe8f23bb09 100644 --- a/doc/guide/admin/intro.sdf +++ b/doc/guide/admin/intro.sdf @@ -57,8 +57,8 @@ support browsing and searching. While some consider the Internet {{TERM[expand]DNS}} (DNS) is an example of a globally distributed directory service, DNS is not -browsable nor searchable. It is more properly described as a -globaly distributed {{lookup}} service. +browseable nor searchable. It is more properly described as a +globally distributed {{lookup}} service. H2: What is LDAP? @@ -96,7 +96,7 @@ units, people, printers, documents, or just about anything else you can think of. Figure 1.1 shows an example LDAP directory tree using traditional naming. -!import "intro_tree.gif"; align="center"; \ +!import "intro_tree.png"; align="center"; \ title="LDAP directory tree (traditional naming)" FT[align="Center"] Figure 1.1: LDAP directory tree (traditional naming) 
@@ -106,7 +106,7 @@ for directory services to be located using the {{DNS}}. Figure 1.2 shows an example LDAP directory tree using domain-based naming. -!import "intro_dctree.gif"; align="center"; \ +!import "intro_dctree.png"; align="center"; \ title="LDAP directory tree (Internet naming)" FT[align="Center"] Figure 1.2: LDAP directory tree (Internet naming) @@ -154,6 +154,12 @@ LDAP also supports data security (integrity and confidentiality) services. +H2: When should I use LDAP? + + +H2: When should I not use LDAP? + + H2: How does LDAP work? LDAP utilizes a {{client-server model}}. One or more LDAP servers 
@@ -205,22 +211,127 @@ H2: What is the difference between LDAPv2 and LDAPv3? LDAPv3 was developed in the late 1990's to replace LDAPv2. LDAPv3 adds the following features to LDAP: - - Strong authentication and data security services via {{TERM:SASL}} - - Certificate authentication and data security services via {{TERM:TLS}} (SSL) - - Internationalization through the use of Unicode - - Referrals and Continuations - - Schema Discovery - - Extensibility (controls, extended operations, and more) + * Strong authentication and data security services via {{TERM:SASL}} + * Certificate authentication and data security services via {{TERM:TLS}} (SSL) + * Internationalization through the use of Unicode + * Referrals and Continuations + * Schema Discovery + * Extensibility (controls, extended operations, and more) LDAPv2 is historic ({{REF:RFC3494}}). As most {{so-called}} LDAPv2 implementations (including {{slapd}}(8)) do not conform to the -LDAPv2 technical specification, interoperatibility amongst +LDAPv2 technical specification, interoperability amongst implementations claiming LDAPv2 support is limited. As LDAPv2 differs significantly from LDAPv3, deploying both LDAPv2 and LDAPv3 simultaneously is quite problematic. LDAPv2 should be avoided. LDAPv2 is disabled by default. +H2: LDAP vs RDBMS + +This question is raised many times, in different forms. The most common, +however, is: {{Why doesn't OpenLDAP drop Berkeley DB and use a relational +database management system (RDBMS) instead?}} In general, expecting that the +sophisticated algorithms implemented by commercial-grade RDBMS would make +{{OpenLDAP}} be faster or somehow better and, at the same time, permitting +sharing of data with other applications. + +The short answer is that use of an embedded database and custom indexing system +allows OpenLDAP to provide greater performance and scalability without loss of +reliability. 
OpenLDAP, since release 2.1, in its main storage-oriented backends +(back-bdb and, since 2.2, back-hdb) uses Berkeley DB concurrent / transactional +database software. This is the same software used by leading commercial +directory software. + +Now for the long answer. We are all confronted all the time with the choice +RDBMSes vs. directories. It is a hard choice and no simple answer exists. + +It is tempting to think that having a RDBMS backend to the directory solves all +problems. However, it is a pig. This is because the data models are very +different. Representing directory data with a relational database is going to +require splitting data into multiple tables. + +Think for a moment about the person objectclass. Its definition requires +attribute types objectclass, sn and cn and allows attribute types userPassword, +telephoneNumber, seeAlso and description. All of these attributes are multivalued, +so a normalization requires putting each attribute type in a separate table. + +Now you have to decide on appropriate keys for those tables. The primary key +might be a combination of the DN, but this becomes rather inefficient on most +database implementations. + +The big problem now is that accessing data from one entry requires seeking on +different disk areas. On some applications this may be OK but in many +applications performance suffers. + +The only attribute types that can be put in the main table entry are those that +are mandatory and single-value. You may add also the optional single-valued +attributes and set them to NULL or something if not present. + +But wait, the entry can have multiple objectclasses and they are organized in +an inheritance hierarchy. An entry of objectclass organizationalPerson now has +the attributes from person plus a few others and some formerly optional attribute +types are now mandatory. + +What to do? Should we have different tables for the different objectclasses? 
+This way the person would have an entry on the person table, another on +organizationalPerson, etc. Or should we get rid of person and put everything on +the second table? + +But what do we do with a filter like (cn=*) where cn is an attribute type that +appears in many, many objectclasses. Should we search all possible tables for +matching entries? Not very attractive. + +Once this point is reached, three approaches come to mind. One is to do full +normalization so that each attribute type, no matter what, has its own separate +table. The simplistic approach where the DN is part of the primary key is +extremely wasteful, and calls for an approach where the entry has a unique +numeric id that is used instead for the keys and a main table that maps DNs to +ids. The approach, anyway, is very inefficient when several attribute types from +one or more entries are requested. Such a database, though cumbersomely, +can be managed from SQL applications. + +The second approach is to put the whole entry as a blob in a table shared by all +entries regardless of the objectclass and have additional tables that act as +indices for the first table. Index tables are not database indices, but are +fully managed by the LDAP server-side implementation. However, the database +becomes unusable from SQL. And, thus, a fully fledged database system provides +little or no advantage. The full generality of the database is unneeded. +Much better to use something light and fast, like Berkeley DB. + +A completely different way to see this is to give up any hopes of implementing +the directory data model. In this case, LDAP is used as an access protocol to +data that provides only superficially the directory data model. For instance, +it may be read only or, where updates are allowed, restrictions are applied, +such as making single-value attribute types that would allow for multiple values. +Or the impossibility to add new objectclasses to an existing entry or remove +one of those present. 
The restrictions span the range from allowed restrictions +(that might be elsewhere the result of access control) to outright violations of +the data model. It can be, however, a method to provide LDAP access to preexisting +data that is used by other applications. But in the understanding that we don't +really have a "directory". + +Existing commercial LDAP server implementations that use a relational database +are either from the first kind or the third. I don't know of any implementation +that uses a relational database to do inefficiently what BDB does efficiently. +For those who are interested in "third way" (exposing EXISTING data from RDBMS +as LDAP tree, having some limitations compared to classic LDAP model, but making +it possible to interoperate between LDAP and SQL applications): + +OpenLDAP includes back-sql - the backend that makes it possible. It uses ODBC + +additional metainformation about translating LDAP queries to SQL queries in your +RDBMS schema, providing different levels of access - from read-only to full +access depending on RDBMS you use, and your schema. + +For more information on concept and limitations, see {{slapd-sql}}(5) man page, +or the {{SECT: Backends}} section. There are also several examples for several +RDBMSes in {{F:back-sql/rdbms_depend/*}} subdirectories. + +TO REFERENCE: + +http://blogs.sun.com/treydrake/entry/ldap_vs_relational_database +http://blogs.sun.com/treydrake/entry/ldap_vs_relational_database_part + H2: What is slapd and what can it do? {{slapd}}(8) is an LDAP directory server that runs on many different 
@@ -243,7 +354,7 @@ SASL}} software which supports a number of mechanisms including {{B:{{TERM[expand]TLS}}}}: {{slapd}} supports certificate-based authentication and data security (integrity and confidentiality) services through the use of TLS (or SSL). {{slapd}}'s TLS -implementation utilizes {{PRD:OpenSSL}} software. +implementation can utilize either {{PRD:OpenSSL}} or {{PRD:GnuTLS}} software. {{B:Topology control}}: {{slapd}} can be configured to restrict access at the socket layer based upon network topology information. @@ -283,8 +394,7 @@ well-defined {{TERM:C}} {{TERM:API}}, you can write your own customized modules which extend {{slapd}} in numerous ways. Also, a number of {{programmable database}} modules are provided. These allow you to expose external data sources to {{slapd}} using popular -programming languages ({{PRD:Perl}}, {{shell}}, {{TERM:SQL}}, and -{{PRD:TCL}}). +programming languages ({{PRD:Perl}}, {{shell}}, and {{TERM:SQL}}. {{B:Threads}}: {{slapd}} is threaded for high performance. A single multi-threaded {{slapd}} process handles all incoming requests using @@ -294,8 +404,10 @@ required while providing high performance. {{B:Replication}}: {{slapd}} can be configured to maintain shadow copies of directory information. This {{single-master/multiple-slave}} replication scheme is vital in high-volume environments where a -single {{slapd}} just doesn't provide the necessary availability -or reliability. {{slapd}} includes support for {{LDAP Sync}}-based +single {{slapd}} installation just doesn't provide the necessary availability +or reliability. For extremely demanding environments where a +single point of failure is not acceptable, {{multi-master}} replication +is also available. {{slapd}} includes support for {{LDAP Sync}}-based replication. {{B:Proxy Cache}}: {{slapd}} can be configured as a caching 
@@ -304,5 +416,7 @@ LDAP proxy service. {{B:Configuration}}: {{slapd}} is highly configurable through a single configuration file which allows you to change just about everything you'd ever want to change. Configuration options have -reasonable defaults, making your job much easier. +reasonable defaults, making your job much easier. Configuration can +also be performed dynamically using LDAP itself, which greatly +improves manageability. 
diff --git a/doc/guide/admin/intro_dctree.gif b/doc/guide/admin/intro_dctree.gif deleted file mode 100644 index 5be4b171ac5a28e3b4e279aba0f0025b8b6815b9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6054 zcmZ{I2T&AI)9t7jQ85B4;E;oWs3=Kb5Xm_wfhA{@xL|-0$siz0j)TAwMI=ic1SBWP zNfsnY&L}GUvtNDn>b+O*-KwqG?d{v$=bSrTbz4SGT2RP@=cwV4y+Z(7@P9t=e;zRQ z3x-i_jibc2bqEA-AOM2^0s<%qkU#){01yHo2*5!A3;_rPpb$WU000MoH~_){I2-`u z00al1IDmu$uy`O0Krn!VvA_TV11JoTuv`cLA^?N{I0S$Z06_p00Z0e{pa6&h5DMT> z07d}>1yB?qp#VSvKoS6v02~Q`NdQ6uP!d2Q0RRAj<Z>V!ISGW2w?ZTU!m0#82m&D- z2*DtPfDj5oBoM-UF*CMs5ClUI0zoJQk+1+b2*i=CI2;7yAOr`YIEaLUFpwZjcE!OE z3_}PEp)f>(Aq+W)koV&d2u2_Tflve@ArM9fh?0ZiPzXjL1cgu(BB2n*5lDitOgIt* zlOTiyp(Kbzf&enRSU4C*rUypIpkWdKW2}K7IX4c3VGu?@7zJSx2m@p^<brVIa<I%; z5-c8!@eAU}RpM|kjDryzjN)Jt4hxCx#vCylc_A>2!Y~PjF(p6*#_-@U69OX$j3O`z zfiZbN6vjZ}Fh3MVP#8sF5(;CQfg~71j>9&SV1xvtB$z~k0rI)P;9+WGPMC(6T$nOs z6+w{91r8)fL_ib;Q4)xWgXusf2nUhVAY^(lCdhh&I5KNE962|FLs1+`!eL}!xG{(r z8gfAhjG{1>nS3%pgv>7vAy<hYD2kvY1WS(P!9rrYF-OdX9{yQJkPH}x$%p+AIQ-88 zdt%?P#rT`z2-(by{RxoY3E<QLaCn+dwh*a*bLukJla|7?hJXvq@=3Cv-ZzEN-m@KV z`IO!q4oU{o$rWX^5;!!jQvgtAdn}(>TasKcu``iH@1QTJIIBAqdUJ+ezQkPNHBUIT zVOvQ~UzTdR{!Gx79Q7RCV%v$f(xv7+t&=`G@@4rW#nu7ptf$-^M$4c5XiFBkKQ)}} zy0tjbzL!7dgU6p(Rj4SOYT!E=qLoei=|^(}v-sZ^g?B7k<L=psjmJ4ObR|lLFx2ea zebnP4muJ+u&uQCDFlbLvdO@`LdhzMd_s*)l#-Ur@e;Aaj1<gqH-pm4B)k1T#t(=eW z$~Bcn6X&x+1{`au@E^yI99W$_tf~H;Im{SY{=By4&o_pl+g>VlV!hj!W}lXK*Lf@b z>vf_)yeX(Xl4OsqT9JIthQ(g?IVa6w;(l8D!6mQDmczz=S=TbB0?wH(AZm0z)~0r> zqkiha>}A>Ufj2%?M27MXw&<Di_FDf4^Q<3!7j|!x!`uPN4g3)y8#(tw=PpnD48i&8 z=ZGl!M>echn$yw*f{uH<R*c4X3Sz7|v60o+G)!+U0ZjHxQ?V`LoDYPWY-W-?sAq`* z;w$m<sf;7>$*Mj_ZLMve=V~pax$p`vyb6`JjZC$CKcAhUVs!n6MuKT2bEc5+@!YHc z_gn@|Vr0Tp_U+8J3wcL(jvQ>OkRYGq=NKNxsZKreKSwX-ORF~hIQS~%(ZV>jA5CxR zIZd}|)n{ZQS(Q>A$E(lE`+%2^K5PAE-Vwxaao*Q+%S<Uw)MlR|S7Sl-z0_OVk`ZUK zZ)u7*g=<dlWJ5Wp9KPlYYb|LP7%JTD{OoF{?Psp#zaw8dClPDeSL=6U$gbO4_h-z9 zkQgrgRE>%04x89zLsWOmhb2GimSO$b`rPOndYdz!U?+y}H~7~qTHJ*GL=TtoSRpUP 
z!@t{oc4@D>r}e`B$@NbI15pl>UzIkqM(cy|4JXcRl#gXJTpbcq?*FAR8gPH!pTSVr zXwvfBv2a5@L7C;S5$C$Fqyx9!+4DE?sVPP^Y9mE7tAk6)t~MK1W8zPhpI6my4(FBe zE{o;t6T<8E2POIH<4?FOvWEtzch~I$9UQf>*D1n3oC;}QzqidF+VbeaR(n|8xx{o; ziK{x?dG{}_2(OF$dr6RM+!M@rCv?o^NvH7E!Shd&TjqZwq?p6)Ihv?$vYaiA4RcX% zy}<LuskrMvghzoY=tkjtE~Su*HR};9#fnTd{p%8gh2!cU8*3kNDIMDL_txKOri*MW zT};}lJ9VtFTT$Y2R8i+u%5#?mC@)I6s><Aabvt9^e6*(2!yI3J4W*__L0vzuD>>Gn z!V@K$8gBVfQmUdXt{GY?eg~ym6CB9{-}KFzcKUVnu3l9>j#uK>F$t%L8B$T<(iR%> zw{Y(<4+&izv2u$n)3a;O*VZ<EVYsXR)Mg@P>{(y?u7OJv{hqG*#U%Gpmr2oEtav?V z{C5wvA{wJta!s*@p1n$V<JVKULz7+uw>)ruKjdkryy?X}OoFOx<HiGc!aPjhhTH0l z!D&k#X77ZIhRk%7=J4jxeq1!9D8>U1i}<RVfmuz5U5?3k3&(4739r07t<ua2E{r3u zyF9HkZECO0hPe{=<}<VAN`4xvJlMC%Emz*Re)GZox<)}WZ>1fxj$eX)ajWHvZoyW2 zeutPm$EsD%_OH7u)lHgZRZpilwzpN$S++IiFaKf$*F(<F$F(b7y-DTND!HXG)TW?C zx7jN2v9IgNAN|WZJ(NGHU2n@geV}ThB~Y^ye+@6{J~EI}<38q4BZ{9$pO}z^4-WqS z9hK&2%m3X`bNN3z{qG(1zQOc(>wi0HX^u;FZ@Mgj%dl<RyqBn&E}tx4%GH^r{hy9{ zODEr`A(&pFY+0euvM<-Lz3hWTi6hog6=FHZD?PA|y0pnVSqC4Z^k2YZ9W`)|TDha* zlUY&7O@%H>q-eGs>!{y5J{Qk-BUne}8MT^e&7MtBo_JO&Ka_74>&Np4bjT`o>8tr* z0Io&Wy`T)Z{t)l<t~ubAc)~;Xt?=$x1p(22Cfi{{d3JS`$tJs@lT{%H-lAeAze48Q z^JHodcy@Nz-w>@Hrkeiy^^2W%?(gki7BLG`g9LB+iP%)l0?{1<wG)@h)Zd)fr(pCr zc|HawQEhTR4Nq08)9Zgkn|9cb!omESe>9`7wgTItE7KeH{Xyg4yIp}J(BX(RQ}EeQ z>(l_>%u{COcXk69!=%bunBGcL+pt7}!KcjaIHs*F-pY*58H5`c=`j<yZG&bByfF)` zar;Vg7O}d#o@R+w&*g|A7G1RLN$Oov?~_at;xk{UgvnXPJhA1NM?8#LEgq}cHgcq0 z{HmAr-plK>4dOHRc`(In*OP<j#hYLg>UXrw?EM+{ggH3e|2k(9?%<t1=ldw1(QKkn zY1@3v)2_wEG}m3d+>b>kgmW@e3p_O}2Mre^EE~Tqa1#5N&hQjCILSK@iNbbyNT2^7 z_M)%P6%q+ndeUu`%X8K#<*IY1hQdg>`gR}6O+yG}4QzJVHG7c?OXYPj27KAwMZZB{ z`N8sfrJ}nCUqJLXg~IHCGa?1GmKz36MZjfy_R{I=5A#Z@*n$g-m_?e_8~6n1oSF#K z+Ab(ZRw!F8UGeOl)O&S)1^$n|iWC-hEDB~dRi{+j25r^QZS}9@>hec*ujVg=Fb4db zi4gr$ty#<bfi|UIGfQbV+~inUSvsiUMpH?fmRvUKUb<4I7P#s)kkI*Ig2!Xv_~O5z zu_`@*a$|R@u=1%0g>fSv%kGtmAAvFlx^uZdWn6n|4ZVcs6WFCI4X&M_eD3|;%&2lM z%PJ%#(pBKQ@W7`!vFX>%4*pXs1xp3^)kL3pkua1>xq3Z#!$`oph248^vqNL<?{d!= 
z@4tqA9b=unVw1^hOJgc)qAI|_zsrIVIEgnWFS2P?M3^-A1E6%2;5$>P5Slxd{T1)b zWWwp`nYLwv&E*K}YDCS`pt(ZqZIiE2LIg{tL;<I{{?7y}l~i%JqpCtt3#u{DJ2tJ# zC>xC|l{D$-Q4MRgJneAhfy!t*osY)#{#S1mE@~BX7Kdq7#W)z0Kb=w+6&W%gt-x>0 z4OGQG?JIKa99<EKduGxQuyb%c^s19tb2y`ncCN=Awfe|AR)f{o?#;H{5(=OeP2e}` zPF;%8u1RoP%F0qBR4*sEJB*cI`*QH`2L9<}oz_x8#|;msAI&!?vlQq&UFN$dAB7r5 z3b`%~eNqt3O>){<o~#dOK8V-eHw`>i6QWa>Qq%Hg_86t|WQy0n<;JNSv!at;-iK%n zVId>X`A;``?A?!W?jU{j3-u=%qdFuK*g|{0Q2x%1cyv~1neTHp|F&x5#jG>EY?tK} z)tXXOA38PBnDiIqQJdxWO8Z&Ut$n5U%;#)Q@>*7Fx%h^{xrO;1cXkUBX|LYGiud`} z%GpG?E6?>wu~$B&tm9kzbmh!u`<<I-30!x3m%9~H2NnC2I!Dd7I)&Dlxs?UP+cdgG ze=qlSi?d%}Q5O37*tUmDN+hc15sj$2+68g*?GBckuU0<EXEk0CQHq@|QImVRc|}<5 zHItjVs-(lWeht>g_qF6jz#sNnH>^YpwCN?QcBBlCgoX~O7`pw`ne=~~qpSUf=hOk> zee~p|zb6s!i|-klyY>s~jE#Yp*wr6<6f%7crM+#tys(ij5y2!A$!)V~E)jO=NTH_Z zH&&@QdXu&&p&m=ABo6$g{`g`G1%jBsCU@I~1*|#a*_1|He#%GjUw+_F*~6t7uFI&* z`uYC!Q2yi8V4ikYQ=Q^74bG*qr5~irY;U%S?z@{$_<PP5)U@wC9nZ#76;<o$vi2mN zprou0jM^~$8f17v>&Xb;Oo{nvE60~YY`AJW#sE$GAs)++3?b%Kx#yPF-5->U-G0TF zYK*9`dWX@|+D|r_`w4vS=>0S~(j0Kp*l4`Oa-l2PYJ6#o&22V3b)I)+;)ToT!HAUp zp`ekl`e^Gp7w?qhef*@^)ccfkqUFy08}D4Q##0VoO*lNjy%1{MOY~YjM?>fGOGp;+ z2BQNIpGCu+QLn?}6(%oFs#_a8+r3H~?@vF-67NA3rmN?AwK8tV_vO@;v_MS<D@K@C zn>Nk&Ztn1uTJptV<JUr8Ic{nXM{_U)PtH~t6Xu<U>AZPjVkQHvP2vX33>V!-ql}H> zjQlNx-I+a~y9KdXOCCLKY93@Eo0$}~Gsmd!Gf+;77QfDkOMP7VdxiiVoMy0ZbUF=i zz7^ijPB*9xG7B<N-e-GD#qd){KJ?MPO?qVTHOnM?Wh=W0b#5hBitFr%;lW#9?cm(t z_2aoeKIAdj+9js&G+oNB_ir<EcoWuUQ_!k?+B&@8^sW5tvx^HFN>ciEc4_%#&$(YI zf3ck@$YnZ#yjp*q$QrI|v}l_p<+;yYGWw;BrF=iSJp~D@b-i4@?#OCUGDxhLu2v|h z;wgHvBi&~bm$|qSEuc(HOlJBPpWi^eN5dDlQrrKr?qrqrMy2G0=Z&Dnc&^bZ@Z_I0 zI|){)xt5m+75Z6p%t@e1;;Ma=vT*vWbBnmbAD#BcZx)Mtl^QssI+dT=ZFabF8kY3y zB}8uzq~1-wKdi4%;XEwMl}|J>G~?MBlFa*OKV~67Up_9)E|i}Ar0(1S=Y(5U&0f0~ zrO^b*Z|}@t(7mG!AE#7*)_7#URrtO!6D^}OR6!IwFU0vurS|u9ih)?{LOOwADBgLu z(UU}^Y<j*_pkP$FY`RivDPP!ZROMOuqVvU%l4BpE+$y$~L?#>d!d_;yQSnx9S=m@r zOLT~zc{PDZhP~Q;?{@pwik-0Kzn#hX$6hmY0i8Abo!aaNCJO?SVmh06W%03JAH#+J 
z@{D-b9US<J?H+%|`cDKrdN~_Cez)-T`Iq3)i5>ByMV($(xWN<mIM5@u5nR;E;3-Lt z^wYuX9(3G{XEa)(sEDdB#xxkung!DQHZ1g+$xA!y(jr3Rf8PJ$_>G41ZXAuh|1JcI zJ)F8g$bK9$&gU<sX>cKyL#j@6!&WURai>7AiKigkQ@_N3`ZI?#y>_pKF-7`Xm*Cg? zO!=X9E=-&KEnkJ6x4f-tPorOxZ5DOs3!l|^fAg@VS;97gPc+IDJR;j7bz)smdYq{c z;gFG5|K^ljG|e(gEqBkdC^BVv#2R8NVRXEtpZu4FD~&os-960SjN;6sbbOm0^{Qh5 z9ZRQmj>1T?b8PM3%oUik!zA}(Y~w?=yO*OoEW9YdgF}k*EV?};3E$IKdCiA=rX&L| zvMOi%qJpGCuibZ?8Secd6Tv7I#-jIaMlS05ZKC<ew^@a_I~H9TdVOq7(E@I(Gb4TT zDu~4Exhwkp3u+m1(Y$_gQ9m`Z)iRYc+xl#@^7Tp`XGfz+S|3fC!dMLkS#^tT1_~_3 z%0T^cr`fK|sw<9$)t)=64xX`V#^~$g;@cv_>n4rQDcLQ@hd=28AvaZsPeuwXI^yrM zM^}$*&6hs==T0q~z-Qf`b1Xc}x-!jf;FAU3;@riuFJr}SYv1KuGy7U-^iB%UKFnHg zc^V|r(K+^ei)gH%aQokwhjU1Cj!L(fYSrFQPt!s8;m^dXrgF;Hsq?iAH4d8_vqSuc z-^KpCS*<h0t5p7e2^>qxu3bYLcxo2C8rCXiFYT*9r<fo1phw55lqDATC7(4+vuv+7 zygkML?6EI@M}*|1@?%a?)bU&A8@38v3ZcpT8=u6k81y^I%=#MeeV#H`?2*~NPIp(F zfuOmWb28R-Q;v|}>nzVD6j>zCUF@r(z+0uc_K2qDic1Gc_Rf}~dg$^q#RsLKXO#qd zuiR~Vu=HfJQ*i5{M$4_0?LHx3`--OW-vfTvCg`LVf2SCg+m+JCG+HISGPgRp)#cbr zUHg9Xb!uuTOTOyrQ<1p3qd6kWqopdZ=63bAmVl1Mj+VYah}PgkgAZ;)C5}z^b&TFP zbPO3!^=s*xmot?OixS+Z3oYXBZw*`JS*VXH=9Fqb_<vnZD35|t{~h+Q90%Y3AH$y9 zC#^-;)r5uJF-h(+Gn^>svbcQ8`F{<2$XAn)FHinE>=BOAD_&GgXY!QChCOM61vv86 zM4MGB&-%7Io$#jJNV(F)mt=+V0>dn;KH|Wcl8o^xc<cm&A~x*t^W4#%{nNKL)l7Bx zC`Iw}-Tua48?TjH!$nrFBgI1)l!Te)I&Ms?QqYgu*|dEyZcj1X=eI3Ap+i+YLfD-e zu6;u(VE@OxsZNM$^MU9~zV*4D^g13d5&kaU_AL4GKQF8H)>LxR56V*LO+5W3>H~DT zYhP(@JU2@fpn6#IB5rqWX_D$<?ZEucP8n4%p5HU{um7@U;~c-zH%G#UU`6DUOWN8~ zKD3+j#<sUR@r?2<a(gEJEM?_sN{Z0}@8uX*iKe~}Sp`TTL+?sWg9I5om}CT`snd0N zq$?6bB&j)BtRFK8X@?6vI6a{ha>wSnZ|tmPMr0x<`@6^|{;Zh<+=*C%{(biy3zbSY zPxBb<^TV_8jP=*%l8S$7#w2x^WF^{K<n9vRx}M<T(Dm32Nbwxb`TZl>_x$2Qy3-NQ z>_iz`J<gaY`7=L>NkmO+^T2DZY_Ts5f9Iqn6LW2!8r{{L%jAnq*;~y1P++_CA#FN1 zx1f6Qxh<h?munecKdrl5*zy3+9n{XYWS`v4bbY17<v~bVX}_h&wX!qLc`N0<o_UNF zGrSzDUh^?|tI0FOs@1BuK1;mS+qFZEHNT_<J_h~Xz4b&LILW<^Qqb6E)tzF`U;lDe rV0pdaf(-XY;}sqIjV4;F{Ee@4_~ngeFo1irg(cSBIq1j{K;(Y_8JOB# 
diff --git a/doc/guide/admin/intro_dctree.png b/doc/guide/admin/intro_dctree.png new file mode 100644 index 0000000000000000000000000000000000000000..099588c5bc62158236f6d16218eb96cb3d54273b GIT binary patch literal 21788 zcmbuncR1F6|37@%dsRjydnGHBnY}7Wkq{CxGP5_CSs^8|N71K2Qb=~Bk`XN`v+NmV z=6;-?>$r~NzQ5o5_s@Mhj;pQ@InVR`dcR)J=VLwJafSxE477V_2?PSeQ9Z5G1OiDG z{%1)|itm^oKTC<f$h<U;8dFnK4-B6i!hh0u=$U!p?|;8YrY^D-69_znqgv|5{@F9% z0xa|gx8)a<W_u)D9VJDbjA(hUU%gt|eNOwC7|UtB8+^v;DTiJ}i;3TOdZx7a?rA4= z!DG{voyJc#|5gwF+5FinefRc2PG;vXCMK`>nzD`CN-|}g-#S|jMRrjWKJSdy2v}XX z5EQg=_e55ACxtZ)hhY!l@XGp%v!tXXZM4nBi`oT-zh}P4xP6tcOd~aHi}ocYNI8D_ z^5y5xpTY*&)O2*yb927FzHH3QQc_YLetu<-9_c745l-Y6lFSr8c+k<=>DGJqM9}Y< zqbE)rI(#^WN6*-Jd11IEIyyQ&KHh7*)5ph0TvAe3$%wFz_&Wv9p80P4o;5KsIetsx z-RswnD=MZwSkHWZJU2I|t*x!2ql52T*7~}JhN_6(BNZWKWw7>n`0%0bHO_;F51X7l zD=8x4;q5&(vc5fdjy5`?$+}c>ZEelc(vpsj4!=1yG2!Uynv<G(Mdu?yQB9l7^eny{ z9VaTCdU>edbanap`Hhc{JJ_kaxy?Ow{$%s`^NFm(HMO;prsX^b53&r~k)#tu_cX@0 z+bw;o^?UmC>G9*oWu&DyH#fDkwANj}+)vh_i)?BPk#%>U4-Y5U+KztyZ0g~e_vA`E zWqJ1Ms((nx)_7Omt5>hiKleVWqhp^zGOS{b5AZHa4r{^B&wo^4htX*YQ-*3T25a8k zyLVGDag7ZRD+DZ!El>9DHq+A7936d?Y-3|X|EMrOp9kwMEc~jaWi&7B?*$JzHf#3$ zWXkfWvhxj(ENb4rd-rZ&U}JWmiaz}bZ}-QK*Af$h|854Dn55smYp<uLr>je)F-@w& zRq9B16S}qjV`}QTO>6vz`)3^-9L|}V(qCFEn6)eY=O3$DU-3hSp8oUCvE#?z4i0k1 zwlMHAHeSL48uotu8oV&n^yP`e^wiYP@o^=2d3x`}y!rxh3ia-naXU3NG*m*?wRo7l zy}e(&c=300O{UV2kU(H%P$S_=Rt;IN%+39tanP2QmiFt{udA!8-N)=VR~P^O{fisN z$HymQ-|@M|%i+u!R`b_{7IM)&QiXZ~@3CB1{QLLs;|0b>NBIQ=WV6G)AART8b?Ve9 zNy)OpLOvg#m9<~vwbj)(Zrq?(6_aYlr`0iVae46Qk=yCh@3Z9GJ9CueLO1;@Wu{y^ zG7c*F&54PM-aZoaJD&Bx%*;%=saXF}l1Rd%?*yIZTEBTlE@cruz8xGKrT6c@ec3)W zHI=6t#>U2GZ==r<rxl3L{5nne$Jp45x;lq<w_BIb5cH`;_k=%?JYVl05b)u{haBaA z_Z=OHlZ&bM9i?caucxFiGcz~7eLFond*rjx<3?&StjV!6XKp4ZpENP~xH$Ui>_hX` z8%35O_wL>M@$)C+FKbTz)2C09l9Jxe%BriYyCr$vAgD^YQL(XvRO-B~ZBcCOs}}*k z^!4?Ze*JQFb!8EC;CK4|A^@AA-h1+Wj*=hl!QA({;{rQ+3}`19jAg?!6_u38NJ;7G z=>-G@8-mv=F1}^s;^NZ!B;TyGJ0>Qkr>BRBOWA*G{psDiKW`p5OHJOaCq(GRg*9?& 
z@f}oF4xZ|}cjCkeEXD7or9HS=?GFOSl)}x;&Hd)Thpa6LvL$@z>r)Q;?SeW(Jx*Ar zGnTck7TNU%o4DjeR(fh`>h<fMKRYr{Es^iMc=5-9vyX~PO1A%QojZPf`txI3ytbq8 zp?(}6`s1FS6^|b;;xY;g3*Ejw7nGD#ZKjc$rXAo-OG{J2TNoHHX6k?J?N#y^Qgd|` zk6%mlL{-s@YPAs;7f<F?@I*1IuCBgkR8pA3a=R^QuOCVa?vLKFW4ALhs%vV_7#rv3 z^f?lDnd4wX*!e2AoT8%9XRZV9dwU(aa+7SNOaJsZ($LXy%X{RPmg*T9c?~y5?>+1y zA|aupbgzd37srg9;XB)Z@xq12)=i{hY_-8_o|Q5-+7S^EZf<U<V!y__s<3&VKHb7u z=s%johR;av<nFHOJCl)`+EaWqtv+~dWMriI-Mb{;)66ezLS)Txa)|FDB2r#eHHdpW z(wflw{(ZMW{4cD`rnaBopVkC+yd(`dDO<v~hOh<{pZ=qd86+em&Yc^;Zbs4ErxN_R zuWuRua7bt0SU6Vns=g5MD$ku$QdLzwa^#4VRLbJ;CW$!*J>^^x1vz=PYFOy{@?<i% zs!-Z%$MM!HI6~`x&>u84TV5q|ziMl<stfdKj-qjN=u=JqHa)}sRks$`9!bSi`SdA2 zA75Z#AU<PJxYCC!-%$m|e*DlD*l{vf*~!Hv(N{67ptRKV^y%hn$=;$85-L7ZeH(w~ zzkT~=X<<Q5LDAEBb!WKBo`vn3H*Y>Pd(!sdgU|f;y8Zk2KRDmX<2zl{^S-<L>eZ|M zzkV_VKh-rfG<0@8fJ;7t9!4FJfBW`r*MVndW@h5&o{0$yJG{Ow=;$D8E+Q%#6CEA0 zx%#-EKpiXd>Q%|($1JnOpE*h$i!4#xhFfA!=<5re%(XBy9GaMDx8e_b?9QE(o|veQ zw{UZlU}8$Hudl~Rn;&fGF^Cs`-0R0~{Rm$;&inT5laP3{xfzT$;;X!;^{9Y=KyYv{ zEgc=|f_+zRozL_~{8~}Yt}GH(S6RNa*M4(fGZlR<1q1}>=(OR)YintB8(g|7Ki`+0 zl9Cb|t9$BHDqj1}ogeEf)97J%N7wN9!&5I`y_%k!6ciA6;lIcyCZ?~WLphrmlR)-c zabpKF^XKP2&iKVUckZA{BqhBoIhlvszz}|4PA3&N69+maIeC8Ubs8llrDI78XPVH7 z^~F)D_xwK!6ZC~}Tbs|y2L%OnWyvwkCYrKiX*4chUM$dz{pX*5NXf|9B`mJ`Dt5?T z9(noZ%`vu`*SnlhVi>8ZC+6mU|Ni}~qGF`Ib5iO`eB1Cp_wR><g!K0I;?LQc8TolR zseeTG%(TQZk&uuygl;MNFXTUbI9nPxA4YMl=<<V~KkZMRJZWTPgx%;*PThIHfw{z@ z?x2W_Lnj*7+QV~Ixhf%w*eNLAzJ7jK$@>J>B(mYfRrJCmN9rEizGB<83nzJTX{j)0 zSEJqY=g*nART7huPMkdX356)^Z?J=daR1Q)CS%!a8hoj4U#kz|<!}tb)|X$udgVaQ z^)BJjsn5DacOE?o{q^%*adGj|lIMvN?;0B$)6>~1(=>LLI%e|=3F+wS3JVJUKyxi9 zC_pvSRpPgfYJd9{rBFpi=E>8iKK+$Wu}s{L%F1+=_IroNx6ypB3zGBt*>V4D*>^OQ zxo@?{jvd3U^lZE*F6!hoiFbJMLKzFAsi}z*JvDWyGHs93kcDv20TGdf-@oxns=xsg zFZ7R^m^{0CmvUCj)IeAF6@ZF_MYR+z4QqGi%$Z7=J-qqJZI46`9LUMeo|&D+pDLl7 z@``VFOQm3ip4Zm0v$6tPh+97Qp6!2%MvEG|LrvROm4SgF=+9h^YS`b7OqpLxOC}G^ z58Y-;BJ*DO^{e*zbF@1N%jbRQ3jO_x{QP9I#VHh`dz2<8Cgiah08mgB&Knw*2mJcU 
zJGhkwoYiDaO-|}1LvG3}C-<lSsq<sg8KBLt-@dVnnWki9T=hMzN5Y!);graYYuB#f zZCBUV4RV!hYHAb!Yu>(fMq_p?IV_(aQ~1AeRi{!Sqv)Ol(f#{r7#XeVgKH8K6R%zC zEYwc;yY=Th3rlJOyQI0PsS9rLks~?3>aUgVWw^*bR}_uL79G7`M8x8S|G`6tR=V<3 zJ1ptU&+RalO;1Ztf9CR~B2&iU<A)EpxAULM&j0xF!&K}UN^oiERW+Wk^&ta&eSKYB zCykB!1_rY91f)53$F`u(ph9#vHli<FRm{;SAg7|bfA8Mn;^ON!Z@5%~SIY{9=ADln zi@$b_QB}1eF79=e`{0ln${m0Qr<_}Md3pJhCo){gu_aj<8EVV|A|h9ttQ)VWRt_z$ z0`-cYum9TITv$_MW@V)!Exq*q&T%?+iLvqVyhF|(Cwohrot=9Oc1HZ&xOPE`17-i< z!Gl1PVPV_Po;|bjx_8$ghgO|gi^NnXB%}_70gd#DLl<D|`GHR#Ke`P(J7H<LFSK;_ zJdT*b*|TzB0D^+rW@fu1c$B$L78s(80U>a!1e*e&+`Q?tweCY3E$vJ2C`CchV3u|N z{-UF!17!e(7tO!<3Ba8Gi4%`aT|z_af$*@|hbOTZ%;e~?SU!BwU)bng|2;c^ez=YM zb?Q_P2ti%o$`ralqKoYM&>sqSHpX8+-m(h|ms}og+jk^TR$TmHNlA%&77##@ZZgUd z-YXsW&cUZ;@VW>2DxJ~k(@R55WcUL9!+o~$y0GAF*kjr{Q030b$|`C3T=p|X*yid5 zVD8~zb-vUIS!Y+*AH%~(_4T99=N<`S``e6aa?rL-Ie4}F>_!Diqu21fk%<Z0rZgCa znp(I<fw!+O02VtNTXSzwQ4zNM$=Y_Q1oTx&AO#^lJ{xQ6^2?(-=oI*j>l+(bmC&}t z-4zuT*yA)bG`Q!9uUy>Rte$({3l9&kum790SFZHv_19y#CAg-grKLCR?VO6<S5qCg zBtG=_KX?14$ji%n^ypD{clYY0=Dh;@_a6muQB$)9azgFGx&PGLJ32ltCoR4HcWWc% z@M(9vOKxs%n()aOZl*WweE1N#(ih+0@J&rm?>^7sRb@9QNzax1>HYhNZ5_sCA5zvN zL0q#T2nP1N=DBP&9(j5B&;9)%c#M5Qa&qhu`6$n;7d<_tH=|MLB6&(5KfY|}9My0V zjjvJ?*n=~vzaTPCo#xZ63nrDNr6S-ASQb@)?EDCA9%e4pP#0(C`^ClHf95PHYhCnb zo-<bVp|cI25fBzWe(YFGRFt7y`^=Xo_!S@nn@g82IXXJp+oxw{(lk_7RP5=0R=BdY z;pgf)i?i9g=C+)mC%|<i&{$jh4vt-uc1Eq>##XZhxYg04PWd&vaOaz_zl71xEiI2^ z^VmrTfRKLt_>pWYaX3DvWq9aT*h9y}8K2V)C;M(Kn0tD8Io0}9T3+WhuEbr-%*r}< z?wpL(;@h`xfws|!4Q9m|qiQTah2ENa8lRt^zu)Mt;okus6w`&}>T3CZH+Kt*Z1keY zc|V?u7cb&gcI6(~>lyX(rIxmKYh`6+!!x_N^kVvj=%WS(pwR$U3l{zEKhwp}iR2d+ z%wacy8KV$#hKfjMy4c!!Esebn9dABgU0f`%deOr}YL<Pjr%1Q1U#8;Im#V_2RaL(h z7wbYcp1G3(?NokKq!bhqdh`1AH(&t6<4u77{09zfOno?@=$bL$GwXNH>OSBu;3Z$G z-qvrg4c{QDn}mn|{3F_y{P_Li#vgY<!8;KVr0egnl>5nyEAh7d@g}CGdRz8?*M7xn z6nHF6%sfce7b>%?JuD{XGV(I6B{`<a8dMEk_8kaLVq)MsRyH<3!<G7w4Se52-on(B zL)jAB6^j87%t7DQ-d_6X5o1Ct`tM~&Khowf(JI#gP>)AA(#FQ*=Z{dSr=S^9M#f#c 
z_N=_T(OT;I_3L3tzX3kk*>9nG6bRb7x#eEJZiBrrKkx4Be7r<(bli$+PtLu%x{&TQ zb!Kw)y4-91(}EXE*(aFeUJ4#hC#R%Dy<ik4z4_q549?ug2WGz(M}e_UttX{^zuwx~ z3KrV;ROG+`I%?|8lL<|12H|mNtwTdYjbAe+Cntr3gtj`dDRGoX#>YSP^wa>tXn76& z2A0BYL(RiaAV#cBn^R5|p{YT)*xL95kpR6ETe&-TnwpmOdRkg!SY_f17Vw?-?@#M| zKeW$Z*~-W$?YUeZomcH6ocWI*+upuCUi%5m?`T0S!$v*l10eddXFnB)50qhh0i7u_ z{CkJ;c7Lw*b8qmvfZcPqwl)a&!{cmb4V#1o2RC=uaykD!98y4ZG<p5F-zcWIzo;>x z<BIa~6VuaBJ4)`{xmQ|h7$zLcxDSgACVLqm!q@k3u<}OPy5*bJR&6u{Fa$INRM*Y5 zU%Lbj^#7S3ym{kBsZzMUx=<RViziQ>OjcgN)~-`2s;t~qA87mL#{LCHm%;mTLwP$& z9ZLh2Cwc$?Qm<|TV?!?BX9;*IucVZx5^_6^1gKb*)bi7nbSN|)o}Lk9-xn4aC;u4J z>^#tqqrvfDPvnlBJD=FS-tq5c4~rA#U&mj)%CTq9`q~<J&&uuNf}*0wNLU%Pfl)vb zs432#IrH%TeN7Sh_tMhRAh;YaJmW8;!-Rk^c-dCuqc0v!6Jq#HPalb6$<dHO#yTV+ z;_dC@gUt(RfW2TfJw090>V+C!!XR6o1!R3WmUaURxw<MPCqx&xFm&bV(?c3$yC0ly zP!STMjBD>872Tr<_O=vORlsZ8Q>g7eSg$Ri;t3d>kdOd1CX?$+U*C<`*zw+yllsXW zr*ToJE7uG?4jeeJ>UKCCXi5<^2<w@eP==#$=1jCj@E8$teECxINt?dI#@4oFM74dm z#pW@{6*UE#w}hl*$u*V62sLd@T_2yPkUl&YFWT9e+L1>$9Xolls=QoHr26K~Ga4GC z8ck;EK|xAf$qr-Y4ZP@T_CKhU!sBE1XzBK`?A*C`=}_K;hIbfhW!>}Vw<Gh^tj?d8 z6c&!15H;OQ76k5%Q{$1^YG0==y?2j=oqaxpRo>{tZP~b+wHyylo<4nDQExXLG`W4v z&CT+hj5VvcGg$ogR$V<%tLn?6%$5`heg{pt8Dk@3jW0kZEYO4mmC(w^zK#7fW7?w= zo{_<EfcrC-5DiUSObn&g*`|>&F?DUt*xXz$WfKyO(?&)~NlB>*UG->VM7GpPx*uRb zi;tzJt{I3KHE?W%2@rjPL(YwpGE#jm+(1Jk;^s|OjiyupA|p%7BwWplgoD9XeYXJw zcu}Cl#1aiRhatZl0?DrS{6V`Tb$WXG{y+bK#imkU69JZ@jed_tX&6i!y)^wvvh$JS z-Me?otm-sG<fpgqkmENE3=E)n2&U@kClfUhkk5lhX4=&%6BYr^oO<u_dap?&n1b@u z1^wX&)A*dP9J0R4ST;Wl3xwB#IBDbd8Q=-6YUXQATFnLB#G0A_Z*N(RrqR(+vrQ_6 zU}!&3K!H{r0>^;5o;`iqbaKC)rQ@Ke>OWg+zfi|6=U=XkY3uLb6DmcO)jaG0Vy7{( z=4mHwcIM0q5D>Q9C2X$}gPi^kA6mbb)3J$h{N)(bBMXt0MaNuQUw8XlennqMMsNsX z&w{`5hHp0y^$u26%W97c#>TsP`BnWF)Xtt|57l9D=!K-E<mYB>&9l>1C19!e;X~I| z+hBgi+3U21*g?Pqld7(1ESZ^^qN1XafsK65ASBpxZca`YZ1nk3OA87XQICY$>@GsW zMfvO#KF(kS-g^D|>5CTyjS6{bmwUSXe!OAjORe^qHhE*nokpT=sITAg=H>xgTU(a8 z;{il*5)u|S7;W6at<6pQ&g^@4?zFzlc%W};x{5vt@IpaB(Lx{nYV>TG)jlpRoR+Q| 
zUsIxek5Y*2qK($#+b8eQ*w<HCSZGuJ77z?*;be~D3i>d0am=;3IX6&0@Mmeke*DD8 z+q-{YAah4jQt_QTuV24rC~+`9eOel%3}8pdK3W8LqaEspot+)z9uDplMRD;H=g)^h zxM&F|=Xd_+!2@F>qoB2=A5x>n#>OK1_cLr~o_3i+kMQ*LWS6wETcG(>iOwl_;DFL* zvb6v>v^lEvGq-P|;^MR8<9|>)uiVD5!q(5o%EB&f2>RnDAj5eSm>zdKJ|O{M15y=A z;K6B+9a;aBl~sWNRD1A_)~!}lNIN@E1F~$c6f8fW)ZE?ncrSq$N?~YdC~iOS%Jj#F zX*X`{+OcB?JG;B1BRb*RuC8t9sQ;X~&&kPY4`K7mr-Z+&i?*%ttU#+OptJcg!4s22 zY#)cO<YaD!ak*{iIdk0wnrJ7$O!rM5qFc@nP$s`pg%<#PiW-WyWMpK#dTk_@9E)ZS z1go!4&lu|rgzM(U#?F2gA^^Tlox1R9xGRS8(TS6JDl5y&P%xn)ZB6q5NqG7BK}Da0 zY_h%1v2aT8(4j+$ii#>KR%&W$cs(qzsc8m;j_FTjxHSAUflb`g!y^L(Ju9>cTGnSx z$Qqz}D5_Nu6s?;g(3k#*yPAsqZi=LWG`YUMKHiyQWN4@+c;;F6hYvT?(<!$f&rD6- zRt~86=btI)+g~0TeWZhauEfhs4K*iVW$KKLO(77}X1CeVqpwkoIT_JmFWTBZ0g4Cu zuau$aCV_tX2nFo2e0E&iQ6R?DRF<qcL6Q#C|Hkij7cVw>kr6}<R8CM58Xd_*_Yer# zWX7@tf;<)8iQvHqjf*hE3Ehy;sDSGrgnL2GBM`=+suKvEc=i7uzfh~<5}_}Ym6gTL z&R&$$J^{rJY)a0xKgySnu(18uS-Z$k1iNi0b+<_1(%4bZfqpYW<2E5E=l|<R8w$gL zv6kW>y%O%rr}>J+{X)CWDQ(+V$(j2Vo{a9L3NILLjE~vfxWK=?xz-Cj0s{jgxtZCQ z-rgrbd#e{Fhek(1-MKWDD$lsIs}sU!J*>6wubm7IRwh>m?^}3#A?9Iesg$g&i<48p z`mz%gH-CSB(DBU7-CW5ft~z|F5T&I)Y2PU;gCL4spB%{C34#FhAtWN=Xl-q1Y^;@I zP+%Al83{!jMg?vYq@@nMN`O2R!fSiw3`|WwfBCZeZ_Fn2YYPiyY3UtqUL!AQu=`de zZM3wa{=@yFqN38$jLx0gyF55pJT_(rtxH|K$?S>!*6QLYN&$8qG=6C5_)n^@LW+v! z=xTa;j<2rmvy;wj3YKS!KEe|Bl4hq+w>uHPQb(Xt&%PZS8$+MLIo!Q>@2y+6TAo1r z@}2n%;>ar?fFJh3xRXQeSb=olRDy$qCXR~VoQnQ}!vW1D>-OzEd-kM@nep-PSX*0r z{Q7yKUls?0LYPNFqW(fl%*T%=iZv^NbaHNAp@t6q{F$DXM#sp=C9>yE!}Vhf@Bar? 
zmCn=;8>Jt^0R`w^9!MnY-kmv2Wd>Cp9*mWh6_y_*$;S(T3Y-KQNjZ4PfdkWEgu7@j z&Jap_{@+vt=q3<HS3v`<thiKF!;T%JRo((%L-he}b#ijTb!Q!RE!_MQ*O7Z<1JazJ zpdeZ-)Bt;Xd$gm4<3L-N_R4$h-+vFnqTzb5E9IM5{-o#ehyRz1@pnBH^^@2$@811= zn`_S=#egL{`K1SDPk{96L$}aJpQ0+F#}kqC-Mc8(@9(OQPY=k+^;a!`PQge7=sW|c zWpCfs*2cIiNu!|q_elr`PCEeyj%-e!FfbrW7&J5m4VNjK53)Xd`t)XOtT61x(171F zX8vCPQ;$$mQbGZR8a#XpN*u1QL;@N{9l)`r<u~la-&q~dBA`8sY=`jumzh#W-~*RR zq8Sb!uFO1{DILAkaDMOlnn&)bvpuDQaquajJkr{7E3hR*^ORyYd|C$g!^g)aS7W|` z%6Bp<jJL0$v8k!4(y4oDWo0&N@9eqNr5|+U>fX-{`W)-ninqeb&bu2LGS9l_yOVl1 zvNFWB^ti`V4xg?3`qiSJiJfbiA^Fw#k00vHeV;$empU$-?z@%+K0~e!xnkif_8)dD z7zz%`6!D`&;<|DDI@(d;vshJ@OHV@2-z_d)ev=I}t;N?9I<ow0Sb0WqWHbf0y=fcB zfsdIQZZ8fT{sdTB@RrU@d^H*r7zhuJiq#Cz<!=`@&{ZwIl{@wIDy~nUTJh^%Lr?MX z^}Vhq;BQIxL#H-BCZ_FcjTh8VAQM-3h7TVe<j`;EnXqFV*E!(?PXxAXF<0<pR^$2P zddQ#tK|${Qm2nBqQP*CZoH<hm0TeDO2qlas03loem?exM^rwMmt~=S;xiw7Ny0WQh zXjYW=sfbXzcc8WP+bb(?|Ivijz|Tz0tL$<8zgYkf2YlJKC0^kvEh=gO67B5lgaE0b z!3UM}`}bTezNXnA*AG^b`**!LFH@4oG(P-U?r=)|AdQZSCl&*D5f-(A*UxT)uC6XH zqv(dyiN=lUAtC#>gX9wv5)J?_?B73$M!#3i4RnZ}iD_Q0-`e@$tmuS5cNw+-M49oA z56^+E+-18gkfK)%pbi}qHwuRuL`vME+7Rkka&odpfvlXI+@V8vN=jm5V-w=yYO1S= zkhY2MeqmvAOAE|8TYGy-b>^=ZBYE^JEkmI30)2pwRn87GZm13QQUl_LROx^-K(0b5 zL}eI4&rL}os2d(VO2ZgSM^7I`w+KmQ_jiHq*u&sUD^~Nj4OBRt`p#6=bF8%^U~o&! 
z48G#-{`ik5$!u)T;7eI04KJZGQpw%@tC4>pECe5{<KLx)7+r4DN(<5bO5tTMFU{?( zkh@^XZ{EJmN=uW0u#VI7<VlHsrgZk)&Ft*2@Gqba%?=HfJN6Xf047|$O0UqbhI^bY zd0qmlh@GA6h2|(LuY(+ksP<7&<mBqujpU@mSYg;FNKTxqbnH1Fi9-w)5ja>M!otEL z&xv29&z0ceDR=1N!Wz<3+S=I}pFJDfYJ-YP&CRi|9hPVn^l8wGg$0i@XFh=YWM^|i zt)-5Ds4jfsHo^jnU8>uTPEOxm1Q2_rl~wMoTXM3peXXs65b;#v<wRg$0h!5j&h_0h zg4>%o-jXW6FqPC)7&-<}3-Ku!C<YB+&>raLZF_t9)2Hv++gI_~VY~e7%0q1#o1FY| z{|@{&+$xx1*cPxzp{|l|RXM9|ts}wF_VOkD)HHC!-aUKFEi5)6*rCS2|AY>9rSSFJ zw=Lr<z_0jeX>W8?6z9HuN0gPZf?#-&5fMPVily&9NYc?IpmJQkd>Q6WX=&*&Rq@p1 zq=Ls#BOFk6adSIc+uo||6+s>zDd&%3_{Vq`BoGY!rY5n*X*X{kl9k0l7M?Bp*45<> z7>;xaBx3VtE@q$@{0ezTf_#BwfkeSkfK5SyBY8x4d53|saYrmHEO6Lx!-yISxOH*y z7|fPOp!<OQDC_V@r7CF6;d$Z}GvU&Knf#gi_SRY@o3^Drmx2x=8!idvzjr?%PDVz? z(4s%e?7Ac>65~EaZ>;a#yF$2+L?$)x?4f((n>TNu8rS<T5~Y3v1Gjg#4?$33VPl(P z-5r6tL<z$Om;t_cwFT-`b?G;V0|NuKk01BEeEAY4DTF_NWv+zQ->A;ZsQD1|Vd8?g zb8v9L@aTa<G3e-#0s$g61`YjV^N~YS%blGDa&lE5JrKTJ2J63l`otdD)IDgj6_J<i zxj3TTABQTU<U0c$4lJd3@YV$_h*4PC+S*ziH0dZ!)m^lLXjzd>u-Gh&jlDBom-FbT z-0g`;JFq8#nu!TP4ex*eh5k4xvj$cMHda=+Dl6Ei{#b~$S1|2u5jPUp5wx$C^8vp8 zRnsgwYuh-CE9)Drg!yp(fK!n8z*z}G*dpxj8r5u~PT%cA&gjnAW*`Sv=%<xD;P4X@ z6CCymkv#3~?Rq9AzLg>5MQo*xS9x~C!CN?c`ZQPo%$Ct1vd3h&%QOrONr{Qdfy<?J zbz4xPsGhEZ+F<EW95SzWpz<LZ@!s9<`a>WqBavO*>P5imM7c8|J{~FzfP7?RWNfek zMJ=4ppzXhPnVDaJ5P(T^>kKG#gwp=ZeChpDtqbx6zXL5H)5q@!WuzI%3+y<M{)`>W z)@Fe7?a*cWD=r=fR&aBBl$v_V-d@P(BRUBjK}bp8oKuMo0W`s5$D|K3sH>}^;X~n< zJ}5+#f5>zqZrm_N5Xr-10fiGss2^wN?Ah_zSqAlP&@QJkN#0aFl#&UbA_^n@Je94V z@3Q1MuT7?sd<1Eb^8DGEgMwF7Tr7L>%?%tS)F4gfzV2?EH<C+PxbuyE^3ox*=p{s7 zVSboOp0(7m@#+X}<?=GD=n?FydplwL;}8#T>+0x0_~Nf5GVuNt(rhZEBZ__e{5ICt z-{&&t8;YE(a*Lkt=z9G+H7!lk@dLI#+Bh`@l_?2cRS&@O?ml6*-z(FfAhd%=wzcU9 z%+W_LE-XMqJ$(2u-!5*oeZ=>NXjmP#9okUEMoCT%W`6L`E{F5bpum%_J|b0P*_&L) z%fr(>A5zoU4on?;{rY?BTYHpz#gr+r9%$|lH_k6Ku2BnYsM3Vre=pBbYa)x5iFyO< zQMq$>-Oyv<*cb9lOkE&+2)^klErL@*vEuf<wA|QrM$Ma*5dZmUp*nMMSy}SSGsg+> z;0M4Mh4;g$619jwZM-ZS9*y)t^XNK%RXlLCVUIjA2L!s|k&)Bjmvi#STnQ8PDhttY 
zMew_i(zb2%V==^nHGo>jLd#fAO8oZ7%nYhhqTvFNChGwco?V>Q6xcZrTHD*Hab&;O zc8Xzxp@!Ri%y1?+6BBX@C~O7$ysw%;YP!a$&>UdvMOOKFMS+Y!#h<DNwgJGbSsmfW z1H1#N3x3l0=%}rUemKPyl|7A~aMS0}zEe`VzkPdmBOE~OF)|Y@Ecw}&mGOy8ii?Us za^i?0$&ZKuY!dV*3QqOC3^=xp&k=jDJb&KZ!9i}Uq&`ir82KCA%8?P9;&~1VQ<8}y z5;5A)O}xh%0(HYZZd7#1uLe<VJF^wg+rXFgyO^!jiJ`VaC|{640V~jwQ0wqE7op(8 z&$0EmjIdv;4L&(H2gk(J6#C5z{1}o!TtWi>?Ze@U-MVC^2CzOOBU>7_|I!VH*C6Ny zcLu(qWsRqxl2R?uN@oRh#Dv!GHD0l|Zm}n{VqG+tiwg=KUwoU6PnX=im(WeN?nrRv z-4O>Z!TgE+JJ7?xci=1V;u?VpP(dZ3GJ<gM@H8Uj_wL=d?(XiszNlBDfUL8#vuNIh zB_+DGVsToxWgM=Rl#F}msF9j-V=Fj+K?uRi>lgMr)g`q8Lo^OFpK?<d$RN=B&z`*n zJsMxPZ}&Gx(@`ms8Je3v$C*R5#8vR7tAtDAcCalWUkSsavQjqc(F_v}&D!#$k)55u zjwTWlVsudyFAI>8d;7Mc(|ds^6R7v&@3O|{=IT9v9E&m`$wxpdTyV%ke&^0K04!n# zq=)t9ty_o#+S%J*Lwcl#m86s~u1K<+`g#nX6_jcBq$j0%3iJ^8r(kR;RxIJP_$bT! zlzjEk3Lw?+KT$+~!B)eWN;TUjbsc*nyaIcH*z0g~0Rj1+z2{a9?Z{JA<>%KlHxGPi zLYqjytH?rhfolUR$;8YoAnGhaWj}!6(ShxvKGE^e&iIg)IypNda8ZYlTl*~;Y9e^( zfB&BJ(b$j_Hcoz|M!^HCI`i}A2L}fBKI8<$#1%tHqaqq+o`ej#<sO1}wxUnGzEDs= zKtTrJM?_WCAE4b+9VFHg_zb&VARRdvww-kKs#-`#1u~&f=)cu?QGJso*pme1H0o`D z<VH}?0qEb=&y4Vufcu0qm@VUA5E!@~MY9w6S`LX0xZrfOwA}`_%Tsf6Dj?@DQ+f>S zqG0hudE!>^jJlJX6#x+q`v|+ID2H0gf&(lS4ZpINqYiEXe*KYEUA!+J|I419Q;-di z#+=m(B(l+`PeEaHlvu1y{jspJhYt1NeIOf(i;8L}C9rrRKLZL36}TuzPxTSpJ0K=6 zFR!t=G%6i}ybK{R1;8Ik18p50#<hbYS7B2r;bh*we?Y#X<D=<fErmxeP_KfLlCHM) z<0ZXqxY_6g-jrG7|L)%r92XZ?*R8Fs-C@f#=0N&L7Gkk`49Ge7u!t`aHF=A3+tfrd ztM%7FM@I-M!)RNQ^<dfwq}X_fv>&<>x|*YKvj`Ox6%ql61Lk89b}2gw6Fe%g(~U|D z>cX~jV`Fpbod7y>Vbmk<VOSH*#leU(o^tx^S)!DOz7IZA>9v~^tB2ol{aT%>FI1F6 zCnb+!NdyAUA0H?nd{j`t+h0T93KW5$4_ZbyJ}f6btkw*Q2^=iYAuXlU0^oEy8k+sY zs4|N+v+1Kk7%cx0tOA)2TPhu>_M5k|xBm%*jN567q(oP?!sy5d>F*<7+RuyjqjDkC z2EhnQ$BmmeA@~5Yv7ERH5eqw=I<lktV=6CI!A`II{UJS%LUx%{!TaRq&eKiif}T^5 z^VZ{`MUChC;-kQeno2C;r<O&{wY8%Q3NC;nq341!wzRYW*n-VM3v!j&5%=<Cg5UDW z3SuF#YkIDC$uIOiEkYjUb!VppA76y6&QFD~znj3&aNTju*3@<J&!8kD*argwI2HcB zBr-(`3N?4`2#SbM&jmtH0I68~^=s6l8l4yt3U(iKkHP0Y3D0bIu&@+>ns#+b0z5-& 
z`uLGj67DSNNx6du*M86L{hIO2$P0QB&_5SfE~G1vBKlnnxo$Q#r0OY90Dh|Wk@xra ze=IvMDJG^Iy1A+u%h<GX%YZS_dO^I~zSZC3ur^=nN9<eMSB$8Lm0lNaqwIk>V6&&_ z2~>KK{B>(YXZ^^=&E0^K(jN!H3^G?6wym-$&BMdP$5&Wh?t#Q7jzAeQyl>vn0{2r> z=Uc{uq^LCS*}FIE)~zbsN&j`gGQ3lIUS8MRw|K*ARy44jU0|kzLSSPgU%O^<>Qn(Y z1J~Do(4_$36%}tE?nA4_KEcnoCwhvI@_Ij~)!j8*_V>BGt4Sn7r!PV@Kqs-~yUnrz zP2%H^!OriGBhaU$rWP#22Gd~fL-}+LJbiix(o)Ed@lYdh9VrZIytJ@@4caI<+{Kmr z>JP)lNGtYZ+`riyY$%G80HdtT%;DQiUCpD5=j(%^6d<rPxa?T8VqX4fd-yAA$FM!l zmeF1Pf@hO*RHFUzb$6wf*w&M}k9&JBqu2q;Prf+uY+>y6PBOAcFoMdR>RNE6@i|YO zV!`JOJNUpW2Zwwi48>SSV8=blm6a8ztc&*cNLj(*!?l-L)KtK;E-9gk;6df7z5+Ah ziW)j{q2)16P20JzH7G%_%77qlY%_jf*yYOO;nsKK?#VnWbMs?Ig0xj*8}|GhF-DU@ zcm;Bv<~dFu$S6QT0R4}#Px@<kG{7cNIH7@{UC&w&0x2Ij0y|>qAdA)Ag%Ahpu30x4 zlF#<@2q+Zr-(j_5pJZoe19Ku8z<qt<kOA9|u#=J=moKARV_QN#M3sP`mKs`FP>@F! z{OsB@0~Ts>dP>bB3A$mI+aM!DrVuwRw_ch0fG~h2T|_#z8_@ary1+A7qFD>(N{DbU zjBq4TyVbhFSx=an`XhVl(3xG3L)3<m7k76bynoQ*FTlspEy!$rW_W*4e+*C{B!qAQ zT1%wfwS>1{zbebh5^oHErf}M8?|+pE=Dt7gd9f~5R^P$<S1<bd{=Tu_h=bFcD2!n8 zKxs%yjO~7DY5QtMG}*-u2{_82=LqzCdSn@dX%8H5L=O?2l&NOhg@6LX-ou-}x>S)w zaU74RM&=X@zxkCW;iK04tpMDv#6)_;WRdAWtg$}empz(@hK2_2O`SRX_s^d{Lq&(* zEqLU}7Gz~+@}@0$NbC4?fIYY;czZAw=?pUnz)14IZb9pY-7>7GA$<G4`3~e7;WgzO zu<zL6iLJP>fSj}5i4zR8v^JY-iJ(O20-%}>pjucPpkH7u5SQH+FV32Txq_s*+S;Ze zMUMW0GlCR8a73_S7@5v@pml75pd9rPV;oaJQ}T^mG1q(<vU2cCT)N)TqX>$Miin`v zH$ZlMKS(maz8;AE0(%OI1Kt=_UOJP$3m2P`mWG5?o}4>koPT(zBl13ISiTt4oJ7xp zHHbLa&mTW9<brJpJ^YY?p<xQ{&{Hz)obNq7D2b?_h;2=dj*<y~oEE3|rfz^Mgn%hr zUFCm;5A^)lvWB83{$*x;57xgmFJxW`b%3us4$TK27pF!+LBU%^sFGNTot=>(FUV=X z>gnTi1ldklFk2hPwfEk}M+U}{IwGc9Xw+l9@ar;gxeAOa{Dr2#@;0d+aaJg-2%do1 zIN^|D%bAL?&1!{*O3l`HA}bE=0;v)=3VE%~Jj|7tjGelcoZQvZvxtq2$qYDSC?lX1 zVvMoVRm4QT&d(?(UENqjd277JQ7Uz;eZ*i<jxGIoi}hGOSwU86ZLZD#|K#7u#MqeF z5e|c%pwS_=gvceJl`DJ>tZ5|!(uqJ-kQd-9#CuDFHV{Kt&s=uDKVWkL*0t2(!z!0Y z$WfW<E<jz;Y56fDc0fposJ!CearK>s@(NGB4q8e?L^H4#F}U1hjSU3=%&6WCS_S=w zGSB`FG)q|h$Wnpu9@o=rfAdDV;x|AvToY(kAA=3PwL7}I%SlNQX=d4d$)L%psbl*3 
z@RE?*pP!jAhTcVVD~)W&dP!nP<3=3`qkjWAlNhBlH?ah0vuM5G8Lfy%tv^Qow$}`C z&jrYDxC~|>ZTLYL`RMC2hO6@9M-GB|h|1vg?g{$_g6t#eJ`p5Cvv+MeiIe`Afx*X~ z9(;l+rTfpH2SQKA?${}$kLAdPoq@`T>vXiS!Hev|fuo>f`wBi)nPa@0BtJQ(qF|*b zaBXG!77#8t&3@Tit1+>$f9kpg6coM;4mP}a0q@?@$|@9@p}KW5P(rjb2}H<nE3WNR z+T7Z5;$~UEhR2O=Yi&J|qv#_~Bg2O<aD5kd1P=%sAPJ-~qC{~(nk$)|nVG}B6ypbR zSFf&aY#5cG0|o>IL5A(RedxHRX3-#(n4!oGTmtS3{>0gu`|^aUHPyV_bO!fKMn(oj z68=>3KBZ@<u9eq!tM~@yQb?r$L@X>Vo&NjhS~Q3T%&b#NZm17PpyOX7+3wxemV()z z8#l5KyP88aL*0WVjIpQ+|3w?>2#m78)HcXbJVg2<5nVhYFR!7Z!V@PFTQEK@ZujFe zGJGh?5c{$1AfV1nOyDHynw$4S5t=;jp4epl@5|p<@ZZFGV9<$6*<Wp-mFplDkQfH7 ztb7r?CJl!wFi_D)DysovAc~hJm$7|D0+Zb`7uB!;mKTSqPU!dYGLn|*H*cylFaLbE z7cT&U4W9><UdIN@?u#)KoNR9|uK{GpGxdETd7%(ZeYn5jdeWg?XsX;mlVkfdcoJsH z&_-}bG1oFPHwP{|j^IsHbaYNm&OObQ9<v~CZzL%zK<Dwg>vaLP`5E+XcYs!iQFuv7 z1jsSxbqOjW!s+x967W9V-0ClV5Jek+8zWUg?N#LkJr=0}h-k3Y;^W`MFziLy7&6;( zOSfvd3QzI9%9-a+o*3!ri3kctH?>}tw`kyxVSss^J%o?E^_LNP9ePsO#&1^#hjB=% zr(<_mXP1^vJolOY-Vg?@a2YimaXrSq>zyelws!1kRGUR}kJBnd#0}0N2Dku^&_YW~ z`X(P7K~NRZJQbC{NPKMlwf{Z$ZNOchG81+Z2S-L`rnuD$Oul$iI~+%U!1hL{%O5zf z;jsOjFBf7$<m#ZP)3rP~?=<%5bi95|yy0Lv(Iud87HHtmBIqT)1D(!az0g8(t*9Vz z|EnGpM=0*%Vq#)^e5BiS+ZaKSl8|r%Qo#=Nj;G)U7X;gZy8mI`P2=3Ttf;7$SY^oP zOzPdh&EU;u78YNpud>d*y^^b^F{|<ZFnS~geB7O!5KeD@{kjLj0gs4~kUcgfcJ}fo zAam-IOpJ{65S+^%Ecm~uuJ#|yNOaG{90sZd&PrRY{Z^r&NHW(EG=^{Jy=ty0pF6Q) z$oyPSPd|)A?vp3yo?c=lS0{62llL??-?P%#nyui4HX0Hf%tH+tiF|jR$1rJR0(u(G z$I}-tviCowr^I{)DK<f9N!a#Zgy`OZrtT$*td77pkd3Zfx$^z{_mJ`5`zj`fnj)9y zyBs{m*;QD(zkG4BwjP?CtO;DX1Z~8hEmOa3bP*hA`IA8odjCnKlwDwU51{S3>+7`L zyut(J?4jx7X56xjAM_DCut8j1L*V5AybuE#1C(*IoE#k0Fxjw)goTAcrl6-IY0Xq= zHgu~pCj@d1P7C^2WmT0hhGYU)X!rQv|81VFXp@0D56=QN_yW`YMdU&O3oq!9#LS?z zQCkKY@TFqr0mECoVqzUP!f}i-I(Hr82rF6ZXY1<oD;w&r#JiN~{sNf;7lNpRe$g12 zkD;|*iH%PsPkXmh8}~CD7W#n3jfg>p&uCP5cq1weP6(6^mC`49Enhovw$2gf3@*Nn zrelW@Fg8DbGVDordJq;ERT<F>+sCG;rPXXQ)$+<V$U?tIiGgwp3br=iur2-f(MId& z^fX;ECqq62B?qYDdRj4IF2GzJwC!D84KSvl{GX1sFDzvILO#!MD%J%Y4YZ)XJ`_Zf 
znVfakE<^T$eMNDMkoKnzu>l5vpI~X~7^xX6ef`}qO&7f9pq$)Uqyax&essk~nn-k@ zYkm0=P)_$AMs2}^2f@IIWK@jHISF5VW1Jivk&VCp+OAD5p|Wxrn60R=u-p^^tGLCv z-RC*E4t8K#v?+q(fXRbu^av@*fuCS#dpnm1&JaWx>FK>aJrRS0od|vnn6v!cE>6*| z7XSkyIaHY;vIA&)s9wMeM*^28aQmHf!)!dt(mwv5jIpvS9~pnGtRSoUa@Yfh07S}K zN{D|Avu)oS8?7NcMTYP%zk~iHAYg~X8&Z2#f3TB?b^&XlNMKw68U_r|7ntV5beFm- z8+I2q3-b4v|7kMfuuukSICRJdaZfB@A4>~mZA~D_xT1m)DlPIqy<slQ<e3>67;X8T z6FS^X0nr|zBa{=j!TNonp|s$7=z8$a;1fYI;ZV4xJBWRL_JQf}&`^G1VFlbk956-a zSRh<yY#NAw*xtn|4zZ~j%SeKN(1PbP{o1#JiLm0rLX8lWQ<5FuIuQs%Er1_l2+Ire zF%=cWspVm_ME7*W`%H|Dfq#jXhOl%6pno^2g?&c`rkPG5uFcBYYTfT`Ez%LxC)B8j zh{GWWZh-az5ioT@u|Pe!;)e8Jz6>H;k55kiv$&`}VHL7Ed|}~~ueG5XcM=&3brj_D zs5iUG)nTro9chWk*XkJ<=*;bZi^`29=30vM*O7q|Zm6zKQkX1D^kyB>FevzP$WTzT zv9<Nkg=X@pNF_oWa&T8*^WgGQ5+o%gtWKS}Vi9bQneV%XB6>5P8qCHP7Gmf%T6P(j z!>e8np;pr#RYM_bX(&!-#7;#e=V8wihftvPN`5CZbLqo}2<DbR9_NsSjscQb`DDlg zK-`+2iReD$9}G=nma>D`O>d=3+Ku4|G7v=G_2rS@zkRiscpp=MOKWv$@1Q0}Okr%q zOB9!pf>?`@(N53Bf&Tu+<P%8v^hCx1VK0cEXw1g|*cF6}S&o#V10C_3vlttBLV+0L z*kMnM3u1Z~(`6cq3NQsY9pP_*z1LAbwk`xDI`wkg<Q9RjtAzMmfDH>JQTUu_k373J z;by@qDq1^rPLuNRZU+pU_2yGrT3hJq>LTVlp#u5^r=IAWMBMs!iV_)RPE5Xaj*W}} zm$D1E^&_$W6_BF0rJ@KhgJ;p92=4HmI~1YIqEe>$g_nhJc^GGdf+Zv8f?<e&fHnA9 znS0Yuz&#I!*HvGiTXR7b4*mQ*6W1waS^Uleob8amn>A=9aR)(;eHMn)1t|C1=z=;9 z4-aD$#omTE&=933aGJZFoF3jBCv+%L4701K<eD{9;oXiOJ=()~gi_4%x$(Jk8`!q` zaUVZ_&bWPh9S<b9tJ><hjKRM&Frs(a3NpOB7gn_&K7Xz#DLD_EIz(<E3E=PQ?%oA5 zX3t4_WdXBkVE+3>MWy-6PSFM{DSQRCj8*j=LJ5IThb|pGk;3J239tZ-`5q?SPoCuV zOo7^g@hpsTNt#z)jjKu0z|~b?FTvgW2}2E_19orAu!kn~^_-lfRvV<?;W%gH@;WfH zvYt48oImX~D%GCm*&i64^2eM!Jc6d-C&Qz2ejWbdWX#m$(9sY(`0@7EIdgMN{g9KB zr@S5mw3YJDxQpVUsM!DVrGTR1p5@L7Y}?P}7sw<f!Im9Qo=k?s&o6uc-FOR<4Z?7U zeG=&t`O=vGkOCR!G^iWEB@HcYp~1aJkAAPL09H-nlLNI<ik`;ShUx(q7DemAg$uY8 z{+rUmfYBJHtG_%N^X%Dg=++RIHdMBrK(B!~TwH7iR)Bx3>0izz#f%+qgw77$YHMS& z&ee`01dI4HKn@xm8auSJw+J2Z@Tl=HBQ{IS?jay%|85Vq=gyrwJ>I)IUe&U(vm<71 zVVpu6#nq!}gR<}4yBF8>@Za3z=*$fLoVEi@F?oc46U)lxf#fGtPt=u^2unyX#<mc7 
zo2+aix2hFfaeP4uvH1R43;z${4tOr0foO}?pLb}Xj5vW-z@>*?(5Ovl6d~{Q@w|aj zj3GK41NIv-*4{YlUd+@{sE}NW-i~mX9LGrs6Noo*MrahsD=HdfNDYIz5x-kX5+cjU z!ol$wsv`%-RRko%?|wh~hA<<dsJIR+3i3%NXGvPb`FYwd$W+Yt!#`&rAwk?C{;~*J z*!wT%FunpvjDJY?W;a1Czwq%P(ks>&`x$FbMUyDZp(B)&mw$Tw2<b$0BLqCWk-3D} zNiZQ<cbpOB;mI#5;^*NZ%xV$Bqr<&&Tqc1nQJg7-<w)|`@tdKjn*i%guTKyr=r*Gr zWWbIfey{x*3{zJi3$Mr6r|`n-6WrX~QndV-&!6$BV4#hzK>h-@t;hYH1bXu2p3iNN zQowWYC)8qsDZBiq*Ic>E0ZTYn*oGdSJO5oF7aojSLmfkk1Qnimkzx#+O%6VIO9ZjE z|87W%I1m=j;woj8xf<ZW!TyOz%OW&V<AXlOC8EEfXg7T!5UiOeiXKaZVIw_~!0buo zP7=a1l1`tBQf#+ZFJFe^x1>a@%hFg;XadlkAomYt4&Zx3^Qv#xwl=EZ<)f>r;S!s0 zN1q~iflYP(Jf4$aOI*I+n3Xo8j@G#B;bDky{GUI%O6&yd<CvS(fT;ng30BuN+|b5H zjWq@)ix7071Q4$?h72ndH8bM^diL*s(|A*LQ{{byMn?XFo)AN0EPJEL&kb`a02O4A zC&Op2)EUU064?b44=A3vq*4?UMFo?9ECM@dvcHnULmF2+wUd=~1>_wf06k@-uLPly z7bck^au3+TkoJWPvab@qtDwg1Iss_}f)0KLA_aB@b^%=#jxhd=kEhL{2-{kx$ooqC zJVbYkG6_@NFJDH*#u8_J5Fdc-^`Eb$r4f&6bTm%JPhY-FLhhKDK%&0ic@e4&m}8*7 z|L1`Lrb~5b0w@reQbNRQ(M;1#q4GB&T%ucdZ#E1Pgx}tRG)+xm)foF8U_bKn!`Imh zZG$-Nl%5__g46_tIH7|uJ<C>S#`L<dxHtpja}wfXUk?6*r@jE$0D9tG!)D79_bGjR z`O*$F7Udnl59|fN3~7!}pKfUsa4Pw_P}5*^38OEJf<6R}LyaHy(g&au0T%rmNMab> zI1i!?j5Y}B3xEwjFc4J|mIIJd@4Ul*&71D&i)EAYoNj<r0GE&qP!J;nl|T;-G4Q!# zNB?76s!aVDVI3_kBuX#>4XiJ(pa2HZ;~w@u%?wczf*SQi(UzsX{asuN5+O(nF|%<a z#|wUp@#NjCtT*%WRP8%B?%F+trvM}iy9OhbK>JhPz$l>uRaI3++uR7+@7#&!s=Pp{ zgf`5?#6%qdgB$__lr=yp;$oq_A&A7#SC0p|fQuoM2}})8Ly@B!t{pBz7Iw<Q!o}YH z86G}?&Tt_naB(F1%9W-&$8Sx@P5VgYuJ1@_JzW9~@u;32=+PzUy3FJhR8&F!{*6zN zd)r{3%PR^mf+%;I{RP-27=KwCFq}n|n<buVqc#h%A86X#%F1B-fdnB@s#~|H1l%0v zEVQr|Ne5<fGgH&A;PTSaL}9jter0w*4nrShWlRmlf2r2XJbQF&t-*9N^?#0xyy@sr z_8im0okj{GP759e_#xTTPu<-aN`8+3N&m~*4#{66DJS*dOv*(N1Mu~rvmQO78fWgC z%zk-Na_?T8!4s=HR|3CIm5E=_Aj@yChAIg$5yB33gn>aPI1vvugc!1?<0B(rVSra~ zMh2=cBaq9V<3~>5r!=l40qBR{b`iW^KM_>C6psD2jsYYY>Ij5=hHs%Vh73SvU07Ja znQ4@Sje74%Ia$7Cwy!#lIA{WpFDD~A2ZuaT9N^r5ChN1j)R4HO<>Z(c7>G}TK+=2C z*owe$(7Mb^4aQy;o@{_B?A3y|z%xG35xw${nBnDc15qc5ga@e;H2K*99f%Srvp5w< 
z9yShppe6U2VTu(7JFW>w8kT2M2?bKEK<vm4!F)s)2zprQz5$m6yGT2M4F#aJtqt2L zqQDQ)fcoeyJj@A=`!9N1CRZk`N#HI(J+ec{dDp`g3k(Dr3WWBq#$JYeCC1tj76<+7 z#hAXK!p#4jnm}-rBv(hq5UxWltaFS<c44B9nOUu&?tc@FL#5;d0`HK8!!{mkgt#XH z=n+~AXv+Ak9Ub}t5oC>yl<SUL$4{QTm71z9QjLdkXlqk2#%hYF5E9Mv3s>fG*7a*_ zY<a+VrhF>72;rFKdKd-`=gxPlYf&(Xam_sJ+yotA!=80rfgLPI0)&aKCMPN3F4<Z4 z{K%}VTBu&Q3zo8YV8O~Z91h?Z9i<ZlYZ<%&)1*-&IjOp)CO>HJ;lt17E#SVPoblhr z%!5Grr!T6gsr|#=8Q0W!pdLeYbHLng$T%2YNIownH}Ww``xmAWZ(#O)1p6>@s-*>3 z2jeWmH$6Xp2n(Hh?hwI43ZKux#^(L>cO4-Vh)Zs6G46WsQYH>j7Gu#fGtH3i^7E6^ zpdk>zULJ-WPZ!%SF0L)I3cVgfpL!2%kc{dZ$bc^cw2e)3<M!=;3JO>_IrWuJ^AiZm zSK>daVpGA{1q0(_c~M;ava|D=Z+u=}9;{w+bzHUy<c7Y!7nr%abZH7`9ncTCp$Lmu z7J@uYsUsO~^;u-^dt3hg-9m2W)tfg6Bw%F6&aN0CkSk<VrNoq!Kc2RO{281S^aG?n zKv|@Ya1(|E@(URpv3vcM>!G^-%N;y0F;{OZg6SoUGvV<ARiC`EzQD>Tjm}O^;^vi( zs3AkY_Y*j%If5c{(S2do!oXQrkQ#43BE~k*-JOz~t5Vq-r!|7JVvwf-+7*J-8YHp1 zb`%6oEPn$|E1njE+Wc<eRnIn#A7nlN_B+MJF*{>53WymG?0uj`+<a71LXkKrfgZod zllB_u1*3Zv<>ed(*=RG!6+$6I67}GLs{e!%STPOxtrio(saQv|RFd!$R~lx+NVuQi z3X+qO?x-BKD~FB%7O=W7tSOX^lnMX?5Y&!+`*Jcf?-dkW1~^A9OsI{D@Qh5fe-OqL zBD5It!WP;9A&N9l*Wx1v%kk_hP*MD?$yW!n>pY*@vQ-U`~$+qZOyQzVJzC@IX+ zGBS986eh`>U0jqQ?lwHz#`H9XlkiX&e8`N9&(wBTTZSQs@8II9hh7x2@%!M?F4q6t zAp@`y;3o{e@(KwZ#sohq2~a?P8YSQe_76lObW6lV@W3oF&!QlvsDB@gp#&8LG&Fa+ ztZswBX@p^j@OSg>w1F?J{S$3+XYqy4bnh}#$#odxtyp(&-ITub-XcujSBqJz@M~+S z2p?@BJMWE@YcY0x(&7xg-Zgi064abho%%>~CVvMV+{60&zRT>Q-$tmF>uA8|KODgd zzJ6W&)H+26-;fX-)r(FT9Y3DXGF%<9;R~QA#bIZbej%f&Nj=BFL5c&(0$g=oN{ZS+ zxN&0`|JFLCZ(zVi-ef0zik^&lpJQeF!dfuqk=O5^+o?YQ(MjtRk>Ix4d?~-6X<@+$ zh#f|^N8AJ&*Rktk-il276e|%%NWbVLOnOz>Vmgskr)Uvp!?(8X{{4jUH5^};GODFW zodof~y1&S50fwvONgg@!&E_#S+ihQw@T=-Yt$ay3Mo0kn_7<7khvtLE{dI8gq|z=m z@}aOw)A2tWNQhs0Y95fwPR^^Ol;z78KB-wm!W%_SdIetP(d*Ee$<<9UZJ(!_$;2Gu zD7&fy*IpzZJod4v81PwQpY$<8&lR1>{oa0l$FJk@EtiKHufUS&sXN0l^lA7FL7$hO zzX)1BXkJy-t?@O`B}}CC7Z5@jlPFayJ%*dX=wUN{p8q3hR#E)o#ipdIAQ|(1ycf+= z^AL<URSnc(d=8um<JT%dzY}q7_lCn{R~h~@Tx4?pOi3?I1T0j<R~qHI9Tx^L?Dfr! 
zUHhPfgaLCDEPxRcrVQS0N2w5;+(Hp(fiP>3xG=kC{N8~4F+NAwn;)J>ulIpMqDg@o z-#n(R#PU)?c8^vYtU8>8BU~qe9%jYV(0I^819D6D3G{b6G9SfR`4w1KX+$`f^$und zjD*Tat-W*K34}GZB9idn{2qduO1C3{hucw>kisOphtN*7hhgj|7~FO+hDwNWdjPH; zMv7ArI%ENOM9Ixh)2@z=9yJ!oCaCUHRZxfvlDSAoqFj=Nu#=?o1kx_n5Q;-ma&p$Y zpJ3du0uV1kW^3t(3jj@%wUiY7&i=+_$S~#)538tz0)YWg@kOl$*CTl=EF|>Lhbfe@ zn0QIqs(bhL;|VqwG9VKKDRVuKr6*6Ktav5WK}=IcQso$wv<&09hCYfph>FuN0l`1_ z{1HDeYjV%ns>}}x1z0|?8x(d-9kB2gS624T`a-fP2gipAif{r=7w+yV&><eL^pCM9 zvN0l@T*1QB%nEywVtk{lA!YH}VHlZ%o{@n8uZGiqkbcy+R+9`(s_&AIza1cu|D(4* z_@anUq}qH9mWDeITDv#!z)_+v<?jaiGvSr>uC2nw_}cs}2n%@1!FvOBlFlBrTs+34 z<+2634O|^^^@WWs%&Kv|y3APxoCNfT@)xUPZ)X?fu&A7eR{fu++4Z|TvzD4z^anFR zt<xlfE}RQdk(yk?oq<wwLK`m!#b|Iod4#ulSGnKrcEl)^TBJZup>)p8%?U**`!9r# zRxgAvw1u3PoQ9Uj2{~c7d|(!(4ICMdMOaOCKP6JHAWS{dPwMI@n<AWJ@T$UPVuiSD zV4cd!n=6x_lQBu0_8PN!Aic<I_<@n$IlTtZ16azUfterVIO`8cXDBSRgm2z6{s$!! zJA&xST3hGi%mG%tNrmSJN;fw<yW+2WIP1jy4?=>1(C9f;f~%1dh1hgmVD?+B+?%!G zPs5xHHW42#T{QE3n=X##8d&$;<?u;`#L;S)f?VK7E-oF8vPi?{FcTknhq{jEkClr- zVTyOYEwkGsI7+WMK3Rs`B$%AAI*4NOe>wt$F|s5|!qOE7N}lVL=B^WKy7_O%f4O4P z$(NRPp@X3H9)t>duu}=4&{%XO@W|}0U7K_l(&qTS^%VReKGgK6wt?0o4eN;i3&O0G A?EnA( literal 0 HcmV?d00001 
diff --git a/doc/guide/admin/intro_tree.gif b/doc/guide/admin/intro_tree.gif deleted file mode 100644 index 376e28778fec5ae85bfdb2c9989c73d55c35d710..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6622 zcmZvA1yEGs*ZwuYKvF`amQD#N=?l^+-LiBENJxm_m6TArYpJC{N*b1y1`%+{r9lLw zL`2}*{r%>f|9mt5cV_3^J$v4B&hwo2-g)LIsVF`Xvt+s6a_#gAz%J-NALu_Dg#86U zDD0X?AqRhfFaQn%AQ*sv0Vo)NfdK#rz(4>50XPUiAb<b?6bN8I0DuE9H~_){I2?fB z00Iu6-~a{=VB^6c0E7TIgbfTJAOHmc7;G*C07C#E0)Qg`2mv4v015$M5CDJzU?>1Y z0dN!mp#TI5K%oE(3IH$w3<H1|0FD7541mA@C=7tX0002OaOHq-ToMq0I|^a|5L+b- z27)jU4g(<=h=7487>I#^SYNCeyWk)Qfgl0|Q6PxH27rSwIL-=(gAg1<z(Euo#K1u; zNEn23g+m|&fd~jhK_CVKvB+Tv+<7<xgb*MC0iqBf1_5H}fT3_f;V2M7fd~|cLV*|* zh~)@|0kN6j7!bmM2n>kAfEWx2;Mm26gWx!NAOsFHgaIHdYcLotHyj2*FbDyIP%sDs zg8&>FTtRSLIoQnDB-nTmmR}egS0x+{L2w8Ghfr_`1ILEMp2j+2ZMcPiAQS{)APCzD z7y`oLfn!Yw2!Vi52nd6Ku<e1NAS_5Y)(-_CP!I|QVNejZXD|$eMGnUv#y|)Rgu*}= z3<Tir1r{E*+gK-T53%jSb_Ul)7!1b+9EOXCfT2(@6b6QE4z>?Cg5V%74FX3GmI++H zVQ?I4a5yeE0**q#Q5ZOu3@mOeL@XLyK?n$ig0Pu!Hv@*i@e4=bsze}AC<F?Fz$VA$ z!G^@1#yVncsH^i|2t)w{LAc9)1zi1S!|vE`*u{8u^BT^~gZ&f0Jrls~OW^7bt@0;C zXYlR&TxMTB<#vaYFso)NSLgLcJrH!7|5Bab9|L<DNvl#*FpxlT4PiD=Q#h2uZ#|f) zQj1hg688KtKTumVmIK<a^ibCoPvk2naG5`h=g>wz%U8`(t>+ply82|YFj!wUQ>9&R zho|<r99`?65lNTvxni#2<#MGhO+)2Ei*MX0MWbldQU`Ry=jV{&r{(VV_eELEjH*}r zV-Fs?(l*ts51F$Qe~WIa-5e7TbHmqYuG>z@Q_6Wh(p=y7t<-!dTZ4x2MNotD&SKUR zQP)LOu+Q%c)5e3<@CYiU(N;h6b-Y}O98J37<E^P$=c?Cq=fC$cAO3lt(zmzzWia>W zSd0a_tDNkv4i#kvwqKlcYIpUI<@~)2xjJD-xL>>e1oQ5K!T}a^udfIpM=ZjTYfsAi zWH}VAf15FkR<me1j4q60KAa$qV<o~Z?KV>+PYu#4;!&T&Y!v^X1GAmb<HXeulJxb~ zAEfXdzsHE*b!36dQ~IsNk8Ss^CAhF|$0j~AI3rEcH7T*RQ@3ndPa*R=i%o?mH(90F zA&tq?NUBTh(pRs+*bO|V(R9gHQns5JQhiOd=GART-RyVQ2ic<n<CQp+ba<P$ayc|b zisC6R(<Xuwt{Z1&#Qx|@)qR5&OGF;K=)sDOBTTq#Ge_|+$7SB#xI-!AOJXS(N<b~* z^@qetKH@&--J9dTR=T6_T=P0^tY+$uC6Im0;~0nNkK;D}>~%(Fr=BM0I9;c5z|xh; zbSrS!*Mofs!5sc@*spF?qfjkP<keqtC%tg#l2Y{&(v{JiTTuq`CR6MK<z^J#Nv|ng zOzNG{WWwisoP#B1C4<6Fr$5wV-8Jwp{*t<l)wtZD5_$9BK)3xNRYvq}y<g_(R5aF- 
z;s%H7JsDy?zyFExjrPa&#)ok?ZJ1`++^7{X*AaF=*E-IyH9r=aAEd4LUG6N{u#?!b z{rk7eytl{tP})(?LhG^T)?|rc1MjTuOZ04(#pxxTq}SzMa8=AcJ$=CIllLQ4ybQG$ zug{LQ{imFz+Ry)<pPf>@?r8oOaukEQPAIRzb`7ob5_N;_O{_FNsf}h=5LXCE_dT@Q zhh_qeNs=CtjH6G&>&lWEJ>>cYyYl2pH(h%l*v^+LP^FYr_ffx^C(Y0BFuSWnA4*$O z0<#E-`@)hGGNyEpZbml9vHLW>i@mUwY-kIR^r+!!`{yB-8ff#QN1#*Ev*WSE8p()A zp`NGslZ8w{6|pAu*ip%d<8k%J4d3pMQ=j$hkAZ~x)m_q2HizSiq_&CA1n9E#<nbw9 z4eF>0<7uPRD4Yi-H57Jv+Mmg^xqQ=OV5#IgGh!X^*VDI^`l+99B~@lX;Fgs%)8#Qj z(PrVZn`G1l(71lbi+fu6-Hz~H)TDJ*R`M)fSsSIPS?xlyX<_^><-A4*VamK>|061M zsWFX|1(6vSs^@%5A5s=MHY=!>q>dIu=l#zvd=%bZqfgZhB6Kyt1XJ+xFNe};9xWFF zmw(w`!a9TSiJ8=kUov)w5i!U`bGS40MpE)wncapl_kX093A)GW!7>ofrj@5&QnT8Z z#B0$N&FRTDk}l#_`Xa)UeJor0?R7#fufow>#TX`yQZG*37=;YE4_vRfrb;<;Oh!sy zanDq0SHC9Y_U1v?uym$tlzBfgt#_E~`oQhO`?bMqe`TbMs&Jt#@aj6z@TV$FR~Ydm zYqYPxYM(iU1Rl)TeJC%UPtLpC&vSP8E~5-<^pxP{SL8*!qVgGhX`;xYTRQW#$NE4H z%~yIOW4P;L%B!oE)(MgQpf+n}t?b0Q^_6zV{b^<X=FyGOV8g0FsXt!piyc=sqnEEg z9q-ML<rB9pG<zRmmbz0o7ZF?GJ^4kV?TeB|D+gCMd?~$1=nQidJG5`jdv6+VX4>Ay ze~=rJdRAl_x>k6LF0gdF9}%=Awv`=DfE3A%04_xyI1qR!Gej^xFQR|{GvLcgglKkZ zUckk{W^A+|TcbrZ)5<CAqtc?0)dxzXZ?03nlqhX9%xVS`y@N)w#GASz*W=BCsO@y0 zM{*$3?C}-s!X0YRNDZgvEo7!A86H`t*Gk%^FXKW<QI7BLrj49nvdCQJca-T{$?xx$ z7UzdNHrdEe*r47{Nwk_p7N*$EmZWBQ{3t0_3UXR4F4}O=DJiaT`d(W0+4$j(Mb)5* zGgR2+R8|?0RbN(xd6&LZ)$KjaUEQBe$x}0wY*+GWSgtIoc0y<9LH?LQ#;&2a(_97o zoz+f7<B&V~UgPG&LS)lcO$IVv{4>qI*)Mtyx2M46#r-F-aM|Enq-=VPv6fH6i5V3W zpTt=yL{SM4-2|ZJzGw#7FmkbY8<hlhZKPgPyscU|jTBkPcD$WNhN%0-x26R9u>^kW zzvSYH4%+!jacs5&+K#$KTDgiz;;&eAOAV{-rkaz=)XK~|!zd(@%crYsCy@Fr$u5Jn zF3WvM5<YvT%{~VkQ#4b1&pX~;yXA^Dd}-MoPTHZ~n(DsV8$zd)EGhQLW-vv-KH16G z(|#<+&jVj7-ODi{Pov17?IDxXbd_bdH(iFe%XqEJ=JX@#Q`e>7clcD&nZE9;{c-Gu z?U{Z@Y4ZM8$sZp#|M=lrWWVIMAat5D+qransrmZNz~S;l1JT=dr`M-kX#bB49+&>- zk7uYV-d<e>4qpmfkL@_VnOTmCB%*!Ra+A*b8PhF_e}rBA$5G>QH;;n%x(J!cDjMIm z-nc6fMV9%C@s`FK3E%wa%3c|{#9^u2A5c#~gp#0n@6iK_^w|E;2WwkOG;>{~9h*XT zxs*au$-b7RJ(vGFz>fEjcOX^%h4ug^=flUjTd^;czXTWDBvoS_IgbC58?COBFIvWu 
zFu-NuC8+r%*hyzpV!wcF^x^hDT`59|f0L?DQ+^()$Xs*r(rBAqyFX4z_(M%gmR+Mx zQ|YXrPFwN3XTOtLOPyR<c6U}tPn%(cTStlSvNusz(l{w`)JRZRpN)r<LVrpY%~Lnc zr@f%7V`lH7Uuh^R<z-|dV1E47?v;k;l$LOSfx3{R&Yqr&C%LA9Q2>P@nj-X(2-+#P zp2FB{xkAL?nP<JefS~j2`^12=-3ANS{5E}gpZ*I9w5PeosZkKOi?5|ctxJlo7Ioo+ zdAA$pDi&|WHXgvW{Dp+4OqLY>@Y)#{rmR^~Nr^mv@oN3VGIf`t_UnynTSl87l`7NB z(=GPA%o5OY)cTN*f~QhU0bRnp%E-v!bVNhz6Pw4^hW$1xu6k#mT32LI8x%x5R~ymp z58@e)uG^S((HZ5H_|#bS+mD-A?C95So9A*eja0M0nFP<wm%aw2_A~r>H?L0XiLYIA zikZ&6R7FvT3G6H07*$rS*28Vy2HH;Kqun?A<1&2W-4m1Kk{*-nS_`7zQf%kYT$VEC zzZV>0%36tq2QPLPeYE^vkwqk^_%=lF1^!xX5h6NWxAs|Nfi5rqk9xFx3K0FTdc4DE zbrXeEj~}mq*oXg7j~u#AJzxHxdSn|)62Yp+2om<*7*GaDtLjy(m5o!6gLRx^i2tg` z(y20|S|=%0U7Lw2izacp|EkByQuFis<)-;BRtK}xaO%;at$jgFhi4J19tr5x8_S=! zyIoK|A8y2|#~5N}A_AOxOckWb&NRZRN5s>p=NxH*^Ap9oWzQcq);T6d8e`RC%V&+5 zs`J^!k(P%2$VShE$cq-NdMpjjVEfqGbhH^4nqx!M)_k(#mBftv*w%8ouTk%FiLZrK zkA)<?;p>6zZRe-dw>;K{wPF5${v0L9h|5%uo&Uw-fO`g>DCq^<y7mMUbnmNTrV`t` zg4iHJ1BYe%(*SbPP%7^&Mr+#3<K_1(c9cvnS&_w7mh2|qRwDWPQYWK$2OU;Fgss0{ z{V4fEepN#XpR+(s=Cj^fta7DqL7a-nc7d!K+1Xm6isD&(lAax!KH1P|+cw&)i+m%+ zMqCt`YKwGSP7|mu*~qAALbGLhwX+wg`%IT?+WM_DZRX6Jh$SG5U2V5=-?No&<r!8h zZXuvimGyjU?YoWzI-2RUcF9a=PTw3hiXVlk&xM?PivGU0EJ0F=o0OXOS4ZX{b308E zD)?9KW>q@m^*Kj$kli-<R4_P5Qr*vJnxEe%y;f>B*f;w#WX!|KwC*0))`TWI{eVT# zH*d#X#2mdp<>!sxETo}ZWH(`&pRCRvB@(@osLa_zIvcc5yNANtcI1*7+nfi~Udnz$ zI~yln#wSyD-1$4S*mM2XJy&JMikoDuWLERlin0Uj%b%|<cB%)cuO#@oei!oO1kgnp zr5Ooy@9;Y^v_yF{2}-}H8Tob@Uj2p3Uh;T|-?{Z*NT4N?9lX4{NyPGp7?cgcBW5$Z z4bMe|6Wx*)x-GyYA9nwa$hYs+c?vP)VqC)xzgCnI@94*yp}(%Hr3#Sh%s;3>s)UP4 zCHK5Pv{6le9Ewk2Qn#)ZN9n0ru6%?Ui&1|!`*ZvLwtSvqedTcJ<DD<1QdwbmYW1sA z87jJpS;jh#^eW67MhjbxHqb3fg|l>G-YyHN9@n~$%aWa^+Ia}O@d)aFE_Hh0)xMAr zuF|Qo6t@07AX+Pjl#NJsG4t`T`4-;B)&5gwb9g+Rp-5V_#bJ56ytj+(f|_roF44tJ z%H_1-MR`Qb(8mSpCfm%GP(Hp#e*3>t)av<OnM*XfcMTL?y2bo?=x<xO)^LBOE$whJ zb|hhsmH1!n(vf0Ri~WwDi`!QA(<t$46X%-ZU&5|)%2WZcb=lj@A-}|b@!t3(J@r!U zr8s_v$1^z+h64VU-+3lgwFyFIB)qkYE3vX<6mQ15uHPw`Xu8_to@gWBPE;wl06aP5 
znG|}oglXa=U$#;O(+-yqN8NLmXFXpXLz1h}lF0UF2OlV19ClSTQ4o{6<p20tdrz6( zUUF3B2Gua1Drba^yRdLcD`~M%%fCZj@tsT^McR|&5!D1Dx|eDNn4kQ-M<SCYk`b?a zB3jfmLWniG%S#hwc6;Q9$M+t12=UAA%nN<mVPm~FxppanN2aPX=Fg?CAMSLbyZ>gD z2=&LVH*QS-D*9kZ_k+HOaFf#%@r+qY()4#Q7f%4~n9}Rr=;FV?Z~D?DV;DVIT5r(h z+O6-C@0oAzv!J<jVemzHz1~pS!2JI3yf?G@>2t@kT^~89GxTKfErG#<7T8I7%EG%s zb>C$oW?m1gNI@cX>yOJ*ZbIRY+8b9x@hGXS<8|A0Y?B=&lG=mW$&6Q$*M-qmiO$nc z?6Y3=iPSx#NcUUICZtc_%1e+oa73==oyw=he6Dr0b(2nWD)$_Ey+b7vHVZ2$+IT(s zsfsScDSM3fiTMc=*W8QxrhvJn#w5)a*NmLL@gJ9I`y1(QnFqYHZk^o=pLbO@!&+WW zk{4yTC*KK|gzu1y4IK2dvlDre3TvS~#-CCJczsn9z3}>`5Kj85Oe!YIQ-{STz<ahV zOzQV+c#!$;dH+*7;prP!3-t@(qL;o<FhlAoGRZB)Z!JG1kZm;Ae%8;qA}7#)t$Hlm zKbLNX{>`E1DgErht$xXi!@1LcZ)DN?)R%u28m=zqdOC6f3l2`N-i8fp1pc@W0|<S= zPi-#H&3kj#N&kTO^ds+%bYV9iHOiD|@COC7z;7+|%gob}gfJe%?=<*uFEhrzeJEr} zFhf}%SpCUw(KDIA<+d0{R$16N!6K2{pYG;2ejNJJ$4jw#tWRNVaUQP)Rzm2fy9yCe z?^O$!rXNz)a^Y7*n)WbKwf*TO4$_Xcj;1FY@KqFY;{M=lW4%25UGYhu_G6C%Yr0K) zCCQCAYqxLK3_D+xWbkV~K;$-zW6H`;*$$)L>)9}ud{I_XJPeCXv|&|KR#9UjhW+Qo zV>FJD4Y@<XYx8}4`RRL7R!zOz(27DdwXo~j_lZ@dSVo19EXH5g2I45SD{cP!;;|hq zFuu<WB#FG*TSHH7Y9VCbZIGLM+tMyjN#YGqN!->g)-Kd6Y@T$~FE_4tU7yv*=vP_x zeq=TEW;LpHoT{{)`(0+*=)OLh6q&qd-s*RfSJyJLZ-IJ8{hPw<`!CDp5K=z7`R`>` z{c)^Xns?I<ZHLqBO{VA3NA|IqvN3Gt&AASfCHg6fZL=pkLlu@|$N(d6m-(iam9-C( z%PtF@p)%_lgMZw0TDghr7vFGeu1&<9i`@QaxxYwSp*FuaFJZRzwfB;t=yG~Z|Jwp% z>DA&Q4|H%)lp*u>nb7&t-pQ>nzNNQ^=YzG%O`#|zu9k*3G@n}Ek^Hmo#J^+4+jWD% zX1ueCw~nOaLY$?f<Lcik4|~$hVG@bI4_S)k2$=N_6pn;KNEyj2g$_C?T)YGni2c9a z=^;^&9BHTJ?)unE6&GENAdAY3Q>KlwnE=^z*T$82-0pg)^%lRW5$7+<*Bsz5q)kx7 z&-E%DV99-PG{mzi>8vJx=P16Pzf977fL%qhc3A3~{*f{_=ka|7uqx4WqH}Al1{BSg zjMtEw;n5pZ&Fb+~eJC6ts3l8HA<P1!yQr#?cseDhtA4%~rz3kg;e4X2Z<+LMQrmO4 zSWkDoHeuSrP>N)l=05AR`ZMQ(7+t!QUVTFczLk1I3j!VkeL+&;V*?6SNq3ZClHm9p zp|F&f2K7O-xA|^yK%%*Cb>_7B0r`j1#j%Y-LvjCu6Dq-g(+`zPZwb74;O_<meJvMA zG@potF(XHoL)cl3tfJTRj4*hQ`uMG5spe7_$)wmsZ4wD-(q=u`HO_2%4EE~RV=O<P z@ug|dC68zL<MV9#5LTe=^ER)GD<6}n*E%2<#7&gXzqU3ymWIA=o-IzOe7#dwSvm7X 
zvx(A_r)u*C%}Dj+M(K<9w}SOt8p{qJb`-9DZh7oOk@eU0dei@J4&Zeg07`Ikfbu5- zE8QPx|IZx2gLNpG*FrHf)g7sn0>D>>Oa6BbaMvquI7;4aqny)=a}ueUgPj9VY-krq zS9~o0&m7=+N6>%g0Omz`xH-UFjH;}a3%97ve3LhJ4iHuAs@@hzb$G$;%fH-pwJ3M* z#h=QR-j57V180qv*S<J%n~s+I)vET~6Y%uDD=xJC70G!j6<{p9GhIpWTJg!>`cZV9 z+v+93toL4WtN#t+z@|gDW%ei<txCx)o3){B=@?#fr=QK?1<0TMn5@9G&uZ(mC9 z|JmCZ^C>sYW?4G%T*!~%V-N{I?%pBmefwZr`@5>!20QxA4KgDgjbF0ti=ctP7ewH7 zvD=m*GZaR-p|l4|mI2dJ@23Ljq>GnBnd3Q3UrAavzys*%$qmD}A`SAQ1-lyctT~$> zz{2@!9x#89`S>1YR$QMt9wiy(z!0luz)@f-&%{X+!p-K$oM1S*$r1)leP2zq*xM?M zH;Q-6PA<{@o%7ahyD>k*Aenm8%RZg6C~Is2ZJzCOSTd76cY!WKc;IoF=LR!HPUrfv z%{q9$=lxM!Ag54jR+wNF$yAW$@ep0u7cg5=%pLmBtRz3r34<)DQC%#p=#o+0Dy#n5 zJc}rrPA`kFJD4r2>bOqxBBPniw7j~XDWkk*=<!^6?U)=*Mct&1X+`~vRYt|<Igh!D MhNU2GBM^}I9~A4)g8%>k 
diff --git a/doc/guide/admin/intro_tree.png b/doc/guide/admin/intro_tree.png new file mode 100644 index 0000000000000000000000000000000000000000..043b51e8130d2497e370101b6cf3307ebdb16831 GIT binary patch literal 24714 zcmdSBcR1Jo|3CUNLN*DN6)FmevPWbUDJff|G9n{0d!$Gy4YD_tEwU0)Nz2ThNw(~4 z=l1ITJ?Hnk&UOAff1K;MuFvQFe)Ag7=VRROxAl02p4C>TquxzTAQ0$IYN(te5J+C* ze-%`u_zlnEfff9N%vt&5c`7QZ?!hwy_|NT*8ivmJ=f5A4@vE$9cqQSaiqd(HxXIp| zJm=T86lcUQQ|R#CyAt~FTpItmw3G`^(v;8H?<=Y7PI<!LTb^?+@?7Y-C#McRO1F-n z)@e;I{PV~scKC1IO5e(g`A74moAR46($3%4Hev?lM(pMl*r|g93DqKd_wEg2I~*Aq z`P*eLL6p31jMP7g=W#tHJ%`8g%-|gc?(gxk2l)BlkKHAV?ul&KMhIwZZZ5R=aCc#0 z;mMOHg@uJr59zzPx!ouiAgod_Z8yk$^TxX^+fYnQ>`a1O#M7shK5G&bL59WGcBb(U z_%cTL7c2Oz9`#vW_>rYgNkQ>*)`MJW#$$b|yCnG5EuMWOe`~A9c2~<h;8yI*zjWgG zasQ`JFO)=usHDWlb4F;;GBBv8?jVSe<C{Lz)s0MczGC23h?Bc{BTt+$RK?3{?fZ9a zjg!^IJiH|HOrh`bv6&ee3Z4rZN=gBnaStE)$JP{RR9~T^qhn=dO;1m+udiR2XHsJ1 zpm(2W6PDw0u(j=OYN|<~CNbww;Wy6+3=G^QZmAU~HM_a7_Vee@dqRO3X(1t>K0iIQ zcOOYfKnS_k<Cqv3=igs*j7t&}e0GOT)m5?5->JAcpAiy5Wv5AMPgciE;(Y7Qoj*Ng z;uy)VU+v6=8AIP6vu!JS{aQ^$g^GqoyhM&bLBY#R%NndayR<}4Pahs0&ZX$PZXTno zTbQ0cJl$J?Yu|HRB~Z!6!J)s@Y3T2ter`Dro<oOZmnlM3Qc_bdJ3EVGh$$R}m}yO} zU(YEklaA2P($FwJrNB!SSUaeE;>3p!AFkWk4V3Z^NQG#K9`Aqa6N|~{DRXWT7uK>f z)X)$(deo&O{}R4x$XtC7t;)G`k18uS##%C`CMOMAw}q<QaB;D-vwP$9SHzi*o$#?n zkAJkpwmmn;@YV0WO0VoM>f}ndZrxH=R_5pD#|yi<yA9i!2rkul9i@vw&*;COBbPts zC#y4u7P(Dzt*)+m{hh9P&2O$4qEY=E3lZaTR6+vdqH*d}VU8Jd=&xVD&g<*5?b@|n zaC-->TM@~La{90@-@R2BRdB^pQU<3^U0azO&ab2Epyg#=$Qj8mwY#11D};$JJ0}N| zBwG_MF-jJH$*J?63NL0U_x0-~OeXR5WW3CcEyUMT5I-7k4xjy>mzh<)EiYfi%TiKO z;zTHCq@`H5dp70auNczNu3}rP{I<5X>({UU`)i0sV=v+MhpXay_a;xY=k1`nb@fZ6 z(kar&z!37S%hk0%3wN=GRk}^Z#Km!>@tX_c(>AMW7{b0-UJ>i;>?})3`B@W0>1e{7 zPpZOyoG}A8XlZ>aGAc^ZdztYZvnVIl;wG+BZU5t~<)H_Kg<@FbE<IlP+w&<85x-Z6 zbq@>6(QB;&hYn@6wdrX`ku6iJq#eK9`)@GP@cGT@niz~7HQ}!ZENcJzC`r4HvnD1S zJ9i$t@`;i777{yEYJnwMe7S+p5|;Sq&z~_&&$hkh-A2E52VWx={l;nNV@e8dM<jU= zC6l0m)G;BE*ogXHr(-2{varZ`E>N9grlpv)reUNf-h+XVgsA9QRn-s8&CE-sHRi`v 
zsHww=w{3mu<;#~MhJ|VA>A@|-gp1o`yGR4Ph<73uJ^AzJ+)&*E^#@#`p`lLY9MxVt zyer%#ba)#JHP-O(+TTA9ADI*I+g<Jdjnwav5p{L-6Q=@w11?8+hXvLCWZk**Iu`i) z@~nl01urk}<&XCaE8MOd8SP%Z=It%_ThTyBPfhLP$B)19Y1vtnK{e#$<kr^K)lMfH z%@`xrL-83I85!4XZT0o^5)}P5zeF9rdGls+a`O22I4*5UraS7e+2=1`G&MC-Q&SHe zJjg0+^uGC}DEqyts;b+!ZwCi&tJ7uPc=Y_mi)8Uxe97zAud!&PIJAw7JW(MF3JT%` z^agYY{WsT^asmUD&CLhQckhkRsC&T8EpACme`n9JYfqx0*!VOf>aV!EE-G%VziN+a zq-;o3RA)>pFOOMmPE~)vNN#iO+HS2H+Q^ZgKgGP3CV&67)cdQd-f$+V`+a02E5?4G zW+aCB>60f{u3TAOUcMC^?DYI%!0jQs<3Tm4X9W@!{d_mqZ+d!qo;-Q->eZ{4E)71{ zNkzr^yEJ92tE-C}6cl{1DN$k7kg!M6etBi(bfQ9KQPDzoi9>7DZF<gAwl7K?`Y{EH z9y3WJn(VY0?W!2J6DLl%y1I7e7l+lDudlD0n3@U;387F?_VYz+Dcqd9a`x<59UZ2C z;~j5qzN)BL8<<epdLk$&c<|sssz3n&fzk1C`nQIn1jY!tNmRR$@9`BkhVP>3l$DjC za$^w&9A`gbp`xm)df~zaCnqNplb&!+*^l9zD881Il$0Fd$yFXcK9zZS4rk9k%*hcB z<T-Wf6sD$CUtC<=M%X}4?>0}!y?eB-pC9eheDvs1V_k4?aC39>=w+AT%(DW*!oo&I zMxzoe6E1FUZ#@^sSLR2yHrE_<bad?Pa{~k4jW(rjCl7q|s5x*O4XcQWlwC*uri5(% z;YaA3%?^6n+Vn~f8yg!dz5dQEP-(6Ex5O5h^Pna&a7gj&-CKYXfw5nb-pbO?V?BIP zNKo+RbdR)Jm*2+fu|OVN%7*ad{73^;;1x^DbD2-jqlbrkOP$D891b&|t}QAmdh_Ou zL;qWObhp!|uMd5^zcCf2w6d~tNI#c_l~v-%k=ePqyW!#AKYc<~u(h`SR9}Dc)Twgc zjn%o~FL&rUuUS|yb8?=R=V{FBukst3UB>J#tX|`~?lWzzEAXUhYtvXoMdkeY^JZrK zA3p385wRELCS?~5(da|VdzqZ<G}@Sq8t5zh?CI0=<m3YDrj)yPsaKtwA80srp<}0| z{fZX1Di>~c-T1SM5liIb(5wn?ftf?*nJV9n8%|CUsBf<0=Y4#966ewE49=W+aGdA; z`}d;FoBmZA?4cS(o1Z>uxV!&F2jZjp`TKWUe|YtPlFHmOe}BTwn=9BU40cYu5gwBr z1v;r}!^6W((K)%f_U7H{EYw&3^i|Hy%{_hk)RZlmJ7REfke&8+S?1ZmprET)u85eH ztMEpw77t)@)WSK&#>cy?<jFR9PikwcF{V9#{(NE`(@Yh3^ytxru9%97ijWYEsy-@n z>JW{KKPM)#GBWh^^dvsHVb$R6(UFmARtW$b*eiGL++o|fv(j%%fuH|Y%|~M+Bg?PP zl2cM{ERO%cZ0%%Y!_9Zq)Q|+#w6?XK+YHkfS5-WG@y#>QOMzu&D?I%yJ400p3ksTA zTE2Yy#%Vxv|Ni~&-@jvePtasstv2J|xpOBw?S5X~l!^7Vr708%mYlb|e0)dPzgG9r zv(tuXBsh(H=cJ>%|L75OMiDC;o21425EPA;m;eoa?DB($4$*AiE+`=2;pHXX=V5Hz zjp5DIidL?4@!nWn{L^2hZZ_p<NfA_o1+y_*$GuP+;-tdc)Ys=*6S!?^YAVR?ps1)L z#vHrQ<@c@`w)*iOS?c$9?_^@q!A6UU8kv|tJ@lOWb#mbcie#=)@j>9h!-w;pKNpaZ 
zF*<SLGCnBCTb)?KZ`O`9B%<n6OvTVOqv{{fde+!a7Gq-n<K+cFw4es{Cl4Ml1RPJ= z(U0k|v9WP-cGlI`uN#_0XMVi@bh*bY@1mB@$&>XNr(-|f-*bSMH?VF91;Kr?qvq4# z`D&M$J=eJ!o0=|}o6oeH`E_=8i<b-++qR$5)J&B3iY)tf<CL}a=<HA(YC^O}@>leH zzx8D%CZ?Kf3KEBakY6NL-{V5V!cbawwHVvm*fcdZhJ=PT;S)WF?DPx_&@`Sse3+D; z{^7l)tc(mT9i97B*YLnV^?OT_JpYhiZk(K)*REY_NRYog9dl-QXlNc^5i99XnBwGy zc|Ia01~|diV*I_n{>YIdD1U)Ef#i%T{3R7`Q%2{{vv{gf9Xcv0nf2mDdPYWyqWho@ ziqIb*-zvW?k%I?6-(A8N95|Ek#(6|r?<jrgu6ql$Q}#Wj1+Ei%ZN-O0MBZ9{i!m;- zFUX~lkOJ^-%P}^5@_;H3pD?n%G9MowFLaIDQ8+{+x2?7H$<wD-?d-lbUt|?BVC3d* zXcjSenVQNcC)e}gL$Ir<wXN-gUE=$X9Eor>B}|hu)&F?(_%R(Vt%3Z*ntQv%#l*#9 zV`B}wXeN^Q&KIsGgrj_oj2&hc6=jSt5tf(d-0%_64840doLiCDPqU{(RDTW)ef#>= zpf@Z!+E7`UG|P*mhl2M})&)Jia1QB5be#7&q|r6;F9phKYPSOdNV2@JGuBoY4~42& zxT^bS9ap(g{PN{N(tzsQ;ed*O6&;OCht6NPP%s!q9#o^Dsp(!3OFH0%D*z^rmT&(F zR53d}Y=+7(xx%}bk?PHwDk;$SqpbSRp9`&CrK7ceb0@i+0vz?)C!*R_F_8F2CMxnJ z4&E!>T=IuLefk7M`YJhfeEgbTq9o<ND;7L-Xlr>kh>mk(dG>^%VKlCow3|L{Zh>t( zJ39tf!nRFF!o>RA`SZ8Jt!l=@4O9#bSBThSI{ociuArL6G8?u5O<d*mcel1LE-vod zw@+v)SiXH{Vfc#|f_vU-fPHA4K5f`bGa!Li(FN5A85ND9O$$vC=|LE)u!RkqQ1Hdp zZ{y-~Z#Idyq_#Tf26TySgs$Krm#}lnZ*>7TdGPSz2dY!A?&Rj?=H(rp@cr7?*O!}} zy*^k=iEm|fB`Muur+P#7`t_;M9S8cr5>%(Q<{K1c-KT$z0d`-h3+LQgpJ$lpVxXs& zkdV0T&2l_{XFVBa9~~Zyf?rtpTTkSU9Xs@Mj27od&h%9ZF#l+3O3uyYLN&7Qk;;(N z=8b6m@uRl3HWRyc;Uh^@P>u#yQdZW)uU|zrE&G2<tYK&tC)(9jRAxLuV0eXuywPqH zH<yEURwV;Hq`iJE@hjClFh`@Wv9r_0+&mv_0u@+1T?x#>aq!*A$NS@DT<;3f-QWmT zHhkj&yj2hzyJtu2=`&}{3a`|od31^=Pz^{(X|oa7Q8T#ZJ&#&_=aA$2Gd?c!sVzk1 zC(7DBets<0?@#7RNhpHKd^cpu%Ou^WO)`owbq*+<AkWGQ)IuFizjxiedlxGUFlByW zf#d6IKl~M#yZ*`?uIlE7&}qpVH*TP6*tTU~`aCm$)hBNCy$3g2c=ZcK|Ly@D#)vm6 zIyy(BrB_gle*gYWR*@hlEqxORwgnB-{SQ~-FyH6u>H$;_KuHEJId&~s)HzU3Cl{BV zS5^$Ku93-wl6ugEs>t}P7RAN&MDVEttg@RNR8;K8V#bFnC?up0I|WTnPJ)DGgX93u zR(*L?{|gP((6Do6#!;`8!h^<6b&gAjwF1nnwY3!=(UhwGr=ws9eFCMX@_SEXBjfJf z<CBwexEY(4jNxCuL?@&;C1a(WexjP+q1`2R>D?{OD3Rjg;v=O4udEu-0>K;Z0|Rt* zbrlwARPPwLCjqW)OG8Z!h~f+W_N)Fe8aO^GEiDZY5c?QEZ++HYd(8g4IsaQ)M#iFm 
z^zZ#=5fM&vzv@x%?7E7!%lF@}UA%F34s`|{j)9KugGB)rj@fIw=!Xv(*Rr;mQ1L!G zb5`KV*RNjz?7(Nts(evW&S?{W?3>e0#);gYpPQdYXWl?DbpO*gHaaSRs`~jeW;5B0 zAFl^;M*WpMb}U$2JZVpe2G8+NSLV>ysA*^t<!;Vl*Wj<D0ZADd`wt&(7;7d(1y1k= z5Na$6aI^RUjy!$(G>}qUE|sHffUMLu0^wdz2swce1DS&0zduBSKuFro%S<3xgD?L7 z`_}{4XJ=<Y0r1m(nOtdoV*_gx(vB!Qt+OmM2V(?5w7<GJt+dpm_BI{h_`7%SurB~v zvCc1788I?3MLd37Yf(TI$g*?i#>z;d-^QXoz&*HERoB=nr<#Bv7ZO7LNh>QW;C&)S zH824FykKNh4%9D=4RiA*WT4~|cW%4}K7IrBhMk?g=gm#s3m1yZ%VosG<^bD)?e0lh z*x8xr=maQyZ)gD8|Bs&CD*;s4D<sroH57Ov|1G0GftNWHr6LisME<2(k&AB(E?fZE z9mK8}8cNN~JRl?#7auPSaFd=6RFMloWAiolu3gd~IQSOe2v9fYk?(t{EbQ&Wc|x+Y zg(!k9IUaDI|NTujL+j?kXj8V~E41Ckg#}a^-=U9mL}@HfJLc#~pzm|%h`14malAMp z*EkO!q{?{fI8V|ss9o;v?*Hi8rPHUsB_$>0hQ0szarf@scSAz(#w1;kRt2DIT!FlN zWn5gG{e5u*2E`;ob*2XYBXHDv_r9V&q3Qt$kA98A75we@gPP`zjS5ah>jp5#!_WU~ zdO9I0O8@-%C(oXF{OOaY4rXRz3gG$lAN&3C<x5la2b-+yY!ya+35iHO^_rR*ltF7Y zP$vv&YZNXcoJRvpu%xc{8j<Q{XWM~OT)LE8Ri()FfPtDiMFgzy@xzB_4Gau0AKE}f zr*KR4_0ck}FC!v!N<NOY)>>h!_<jEVy{)NfW$1z8^X(r(h&7Uu9u2;~+%+s>rT@*% zAf8Vkr4^_D#OyzRv#8Q@ky`2D&z}}*GC=vc0G|;Wlbviibr{ZfgN~3sTh(4W^rH)E z#|xw47|((LkG23RT`K5UT3Wi;f4;$UnU*7r+?yzj{hjVrP*A|sOt%L@Q$Wvz?unP7 zrb{~Xu`n~Ih*!ORyNN1tT1(6Fdz_86wUk4j92m5bcve<ci|6*<yJ<t{X<S@fhK7bY zIXNIh`2XZ&rBkO~=1DI2VI!dHU^zV3wQNY38X9V8ZVpsH7rR!X3cA-wNlqG|wO>*~ zLacy`ixjeARhi>pU~FtR_~vTtgY!G~YiXQ0Q)f|t(tF*(AyfPS{hhG;_fdR`^YcG_ z`xdY0_ckbqEGPO-b4GG<01uVtr@YMa@^Y|Olsu@U0`l^`4Gj!RjLe~}{eM+Qo?AEQ z9_{^ZqAS3X(O$d5{1EfZQxIBwJfQ#m-N&wpPMH^UJbd^ND?cVS7DDmBtcQ&FnP{=A zpPvW<zf#lFUo5dVH8<xepE|k!amDw@=;)JK+eiaM-KTqqMLSk9Z(;%LQ}fg*ODikX zSZrTt0DGyJckSxzFG+<wR6BUF(o=P#3wq!==zu$ROgQLL1=7C75HM|DR=;*_9IPK0 zks|tm0OU7ZpK2H@r>xu8mX=rTH_t)CeEb*?lZAx^C>$&8!uj*ym{@|0<Ts&lqy0j& zfeN7PuD(Z!QBko9B}2%x+@(F&bW~Ll8)AK7Oc%=^Ad@u=zzj<n5TeRu?3`bJ803go zujYZjFa-)uKi@xl#*R-QDGJ){E&t|L3*`wC^KkS9urU-7@sdt_$hK|4=&BdZzJ2~| zRO-0bQ>hq483M!&XXmCUIeB^YaE{RFZm|x12r=A#>&Zz;{<VWt<nN%ziHnIfMv;<| z0_Q^Z`1b8vo>^76i}dw(pT>4m2RAo06`+rS2@lSCK;icD+e!%gD-*n0G~pt%IJ1j3 
z{mWhof=4^97AT#Jl=NBO+~Wgh+@^b07AN$T)-G*7&PdM7JQEZX69Wh`^6S^aL=^wM zSl~WzE4%C04V$C}EN614mTS^Aqx5o3>Qjhl5Ij3mJKjQP2-><H|G-U9?_ZxHUc7jL z{+&Ics;i4i7mKo(JwfWYx8p9k++kT+V?Djd^py~vkm6!jD3F>J1T<>qnK#SJ9-v`* ze=RI6S;0QWFA|6nyWF2|v6B1u@6VpT3gHYK(9!%<<8c+z1brQy<mb;njbC(>>Oplz zO*ZId8aN1-VFUz%nTlM(MTLhE*8xf}z(xFZvf>rX6Y5~?7(BaCDn|yW&htPV9j~^G z!769hBnc8|&2kT}uT`OOO?IYI_CO_`d4o{}4#+Q$0vCtGwlvv9Hci5`-6J6)q6t*S zuvZfcEjf9wuDu4G2bBuOVY2LbtUTLuGJ7(-tnb$L9k@Io4a4?r!OCTRTfQZGYXW%u z@m&l-HFlka!wX|A*%LqOA0NP4MrXKW%H}UyqoL@}4WJB-58LBQeSJZS&yF3B<7M4N zj9=f|d7sRl!Z^a8TjS)(9J8vvZ{P0kypPRPm62gN)|{Sg&EY7G0ryTRF1~Q)Ohb2f zY+1J_<O7HRC|dbZ!p~4tx0aV@Q$fDe)F?d3-qr9uu18%(pOJSQAn5KUm!pK@zSY>$ zGXM8)qO7|;7Uh8P#N=dAaq)*iN1_1XZR@XI<5NUp29xK)<;$sPjwq5?;uJmfp(;jj zekg)~VhaGsb{ryq12LJTsuQynOv6S?OPhPKQYN3ZxupeI5xim#dQ06<v@zF!FpP|u zOuwy-_L>?cHMRXbJjcPRYSPi+zzlCpwB-P^mcFOt$=|ts`A0{=<^D=9D<Dd1>r(TY zKzJ{_5gN9Z)WMG;Bi(*|VnV0HzdwDtZH4MA@f{q{AOYkd1<TL}qXqmYCra2E{3n8< z3>g@7VA6g!B>D|hlK_EeN70sIVi{TZna75|ME#Evh_TesX?hn-10@h}1N9tzCX<G| z2kV(CB_t#SmPcdbS#37bQciS||8KyZW1NV;^zJ=-a<a1_#7LP^jdDh7^<kla5M|Pk zB>64#^ZIRVnxX+48GRm8KK=(avmsuV5-XQJQH4K{hn-eUOY2_C1^>R#kPvfGc5Qu< z<5jTI{$BxCa(UjNp`jz}ptW?FG`o2Aw>3;~Z##2HK%m;90L7YxI=H3Sf2(GTDKz=M z;1nAxtBkaC{g*E^G&ET+Uv4h8o1q+Q*+erz-$(B>m^{82-Ye!LdOAR<98&S?*KU|b zhzgmuBwImS?RVz30E~F3pnkHAKdF%ftdVpbZv{dJp@%|UU0uy~_~O?%=~tkN?JLl7 zDEe*mVG&@<@TuJ!c$q;?7op+e?hZ!)oEmBgEj9J{pP%h{X8mQ(nK?OA@IuSqs=%Xx zN__0tF*&Zhq$CJsM}AfPd0kps3aSM0V|-%55BsLK!d*908z21xat5|hxfHy=+1aMn zR*1KH=g-S|FN;FrXscjlVR?HNs=;(x<Lvs1Gr7{stSm3>dtqTMEiF4(SrgD}fyD$^ zsIj8`HrKHen*6?<xI+*7GvRtnbo94q@jEKKI+>6%?{Uem=2dNuclly60|El_^BtjH z0WL31b)%zyc>i8VSlFSbR4M16fPe-Z6$1mJ4V<Ny^D-wV-Rw$<q$?1hsi`SI<)urP zjvXrow`;a}+<f^?uB|SVBuWOZ^XJaJ8=Adb7hZW|_*7ydyARMHI{hDKiPzg17~CBl z&Gl@denmcgdjIa-gF-?JfB!<vQ&LiD)&F2~!pdW2pk`*U7P4vIo11(>LM9h3sG7Q= z7lXb*!v!!!i=(5b&shI^K=kNQ@3p1t5aR;^YQP_%lmZ0KqnW{bfc)Sx8$`)~b@cK5 zdlojfx(^@jbIE&dZEk$^Y$qk<os$maQBzYxqXKKdR2&l%OA%eFx?pG+%JT_*vHbMk 
zr6s+yXGgo<hKFmz)5IOaO@YP;nhN4~4ui8eegSX3cHuwJi;Kg}{s(*)!X{TUsHv%8 zhxYXL&d<#?vZC**XP!o%zW%CwV&sHXe5Nifr#DB$|AM1}K(G4x`k4yfQt9F^HKnMI z?Qiq=KeGVFukDn$Cq_rtA;pXi{a=c`%LLQL4%n?pXKLTQE0^EN%zVwk!NJZB^vP%b zH=Sz@;Mrj9oyYZ8GTu0mkT9)qC_PL|<6jtq6`F5=t}e{CWt?}hQkfB?tkf9RmOTCy zN?DgL#K%?Uav3-gI#zwJtj;vN6kz#`b&LCKI^BLT%+A5#&uRwd=|9{(=1pqaJ-HHa zHnG`kWQ^qm<?e_>df5Vkg2{>pG+o`?KnY>%LUr&3frs#bn!0P(t{|Ho8<GM-LTTDS zV|y35lg{AdG1?HWMq7Y1?{mts`mC=mPS^{lHYzGzy}B<x6MJj4N~QfiBn=&MB^VmV zp8Y*!y=>JwTZ4FlGB+a?xmff%U<X7ZXJ_YeT7Kpi*q(5a00+se{l;5gj0VAq<&BVX z{;f5xi9HSoqs&cI=4)&D;Gq^5Kh@xWU0i(Z=+U!YlX_Rs*NTdc7IXUeY`_JIefA7x zqNTCX5jT(9@_F5PsOXd7D@&csuL<(qb#<A*tunc?8y42lM{OP@B=kYFDY5GetS$KC z_XltRcaM0)%IacPOiUMgA<!I@Ca}wn=H_!3F8pX~du`V#=IlHVD#$P?#}%JW^w}mL z0B0m6@i2#`Wo2o`Yw$)~eB%+YxiUKHW|7maOC7Ad|1lGJ=>7Yg(l@TON8M)N)~>qR zxD)kzVfn8zgU#QSDp1z|9t}6Q*C{C$?PH)JSfZwXnEx?eIv`sb=)P~gR|+oI!7?<f z^eo2U=2EtM<&v2u{&Xzu=;%Q3162}`DNfqi^26PoZ{NOM=uQjrJ=b{nb|m&&S7+z- z-tt9klg-Udm~Hojj<I8p0o9_jHnq1)9zBZO!}Oxhj~_oEl@87L>E&I#UpKUCQdv`z z=1whG+ci+$(I;4>xS(;x<Cd2DbFQA`ZwASr=aji(YpWSgtP;=+p2fsmv#}YRUB(qj z$;gPU-mYkDYhz_%g1a%g`jmE+hPRN7cGH20>Q<TaNP@hV8;pn6oq2#LXaXo}<E{}2 zSv$(bgNb9}rmOonDk=)LNgz)|L<HG$Z;%)uvCd*!eMiTca@UE;sj0CdLHIg6ROLBJ zRiEr9*3F;4e5v5OzKjXR=f%J%?)TgJmf}2$Vgx4Xvoslv;)Ja~X7-hT-@f!r;*Y+8 z!RXYK&+o6%z}EM;6%!)Di31uR5B*8rdwB-3D{2;;R?v`8nIOm(Iai?#m>3z2!{mj_ zKdyq}?B(SJXO4+at+c#+x~o|8{CStvg)s<=Fi43iW7<J-B@_nK_LA$}61)-C*RGx7 zXGYg>zHtK(>YX_af$3J5FNObV)lLo$6IeHiiQG&~O%sZ3!1n+Ok;2B2F)>CaChPDD zI-xLf$}FHZSH2e7w+}*Hk=I}Q1(maoj-sAwdxB~(5EcanxFTd`puxGD*0D!Cdh~N@ zY6Eu<#0?2<bkut1&ZpaV>~FNuRaM=l^bo8`Pha1?(ju<>yCOtOU?)-0#)bw5kcy3$ zcNA=GC!p(TYG}ZCNVT$w?vM)P85<izciDhgfrf(>va71Y87c}eCq7D2Osw2<@nDeV z%Id0&jEsFpzLKfw#@A?ZHW3pfTgdomE|%T6`tjZ_Q>1<#f+!9;N-b~?;RW5VuXn$) zdhqh)I8>3au&`Z1+lR--ZvK29iXMk10zqaB5FM7{#x;^^y(@n})ew33o*-WV!J30! 
z^3pqUE31)&SHS9T0j54h@WCR)_2C`R{&1&}aEX4*eF$TNK>BlF04vqf((*S9waG~# zD4xQ?QzIiI=y4Mhwsv-t!^6e)y)qwZBA+~gEmsT^+tsxg-K3zv3C$Y`ka!6Y6nXr} z$(fj#2yAiwR>w_4Qo~IrmzNu<ss_)xCO82J$h(d|K}G@UI@E`a_4WN)&#Iq9K7RZd z+s5wdRaL9``wB?1fTZ%Nhof&G3$P>&ZAKA<7E5upTL)~pA@sy;THKp5H{8SIwM|ni zQE~B!)pX^pG3<4y`W^l62s>|&nGJC0n3%}HE?Zys)@EyVKu4+cUb%7d<n~OOOF3BQ z=&dNYOWvW%$tG34y}i9Y-(rqod|*{_YpH|%6P4q_!gG3hTw1bJfv6UJWzKc=^`Q|@ z$k(aeiaMtth(mH&$DYILIBfRT8w~{%(Yahe`<=Nc0yqudzvt%U#7j9@<n7U;Jt!z> zSa@Z-?i{9k?}^(T-Q9T03X*L>4s<gDAsX~Ev$Lqv&45m*$~R{QlpyG8>%YGV%mH9h zf_d;>&QDLjivRF4PC6@qT7gTjI;D_;Fh!KG@$0K!Sl{-4r7SwGQrMk#@-d)wKL}7~ z=gP*~Uuaa-pP0@AYG4Z=Me90xRL<$AN<(7Nj!+ed1s9_#p(OxWzzcY0%p7pMvAvzU z<Eo@TL-ptFr8M++x>5Lu@&W+i&ADHgGZ&vlY)D{*KR44ad3jYpo@>v_duH8LWCJuZ z`rv|p5?FJOhK|lGQdya25;vikad2`1G&7RJV3dK<6QKd`LAT_KG@ue{bA5`Y&=K}~ z=u1eP9NJB3LeI<Wm<Ngm+6hEpq^^E|hsPXy1iYCl5WQh#ZOuJ?9-xcJ?6XjgMgR=R zq?D;WkX0JEhP8t90X){Q(9ki@!nJ{#ATY4eA;`TDoa`0Ju8Ih;!qQy%RllQ+XgJ|b zBq%xPNT!*s?d`A|$b2}sxfLzHvg@@cWoOee3HpPrGDx{i8Z^ZBRJi|v(Zr(ku(VVv z(q1_QquuD#;D4NW-y)Kdf3cw}-xeWZfgc#f0d(iu597PRDB6T22~~mp)@1fkv9Y#R zR{D#H*i5_;A#WF8Re>ghrYmjQMJUzYVaR*=a<_yX`<_)&lfW~)u<l%dhB1+GBIFCX zSP#`~uEzg<+~b=Y8;_s<3gx7$%P51kwe0}Vjay$Ivm=>8s0OSRPz?M9G|;-awe^ag zF7v;i)&OrgIXM|w*`^Bm{PXJSlzgdtWWMhXFop7jAWI=b;AK3DQGtSI*Rh4{9zP>h z_VhN#ol>S`9ti+2uKuc#s7;R|A}*a!_xB=dB9cC<F5_2!W$PLlz0A#}zZ_1rd)bRD z0sH06W?z9h0SzBn6=){^Nh=N2)kzQ>fOpa>vGu<tDki3z{tH-oaM9l}2Br7(l$j_; zBEs6<etN#I&3_Bu;+u~Ohm7XA!-7`jfK`9GOBn79B_29X2wMKNbdexr_V!IdLBvi) z?&p{~28P3j4qdKIkMi$E5^!J#YB6-myzJ~N_ODcUXQ4HbkdQol5C{uoW;^6D?El^> zzr?bNZtU&2BbRR@yR)O4T#g)4gc+oR6Q@qyy?>uhH+&E95Naqe$^{7JGdUy|$svd2 zK}|`A&MqhCJ=6UN`vwxRv%C8pZ<Z^Nfczk*bar%*Q&Psp#9XZM^{KAg*WJ~HMdG`; zzH85(iK!`5kl-E}5{3ZI>(vK7T`2?r&dr_1WddA<gg81m9XWb54ytUG?=e^pJGr_4 zOip_Le7~LOT^u;G|G<G-;a%jcSkXI>vLO-<{1%nFQ4p8_o*EquO{~QAF6^B(4&6Ca zE0jDI>U}~&_dK6Ug{s6zJO92-x2G-7tf6_8#2t>%I?us_*C0Pb`I2`?$JLGh{_O_h zgB=B|3^CPv85iXQX$E);>J7FedN8CDci;h3js$Tl?Go0va4%7n0b^nEx>fG27RG*R 
z0QHM~@xlfzB{x?j=jNv?H;jzBz}Em|fC$c-n)dee2pv9r_`re8loZ&e%+Tj#^c51M zo%f4~h)77V2G!*MK1~qW2C2XpC>dY}Nk%j^!*-fzErgJW=47c8--IX0KZ#G2I@kg) zOG|S>=1lMJ)2JvbJG*rt1bB?E$`4n|52SEc*J{T}=@=V(jkgL)ED+rm+|=YGt?^FM zZCD~N5k%WYL2>)eouOHerG--0i8iEu{rvovTqsLPCauX577!#s^hm*D2AtkMe#3Wb z(+52tTL9WFt?b&iI8v;WztGeT@GYL6h0@$i<T|>#vM!^IU>fyT#9}KbI7o=Ek&==^ z+Qam%cQjumWN_R)*unMg*G_4KYHcj1x;Ts!S_xJv3lr1edAe=ewqX`Ps32C4oTu}b z$0#4ZxiXhtS?P1_+Dqt6R)@CJ(t@Y{1`!y1U9e8KS?+HIAsKz?4zhW2xRy>Ne9@}B zy}cpUm<vP1dy`yQ*$dseuP?zXoPcyA5|>kup-^$+a<}DEW3|!kk+1_!qM@T3cG<f% z1ov7$@8ao`CzI(9lP}X^T(}(Jv!aoZQ&8L}e>ja5b{LtnrAb4SC4+4{SXdUOdu6qw zNIcc|KZcOShCt((vXtPlV?VmOFf8p5QsZ*d*|2=D!nSYU4yKFm7UiaRP-j+lBe><N ze;*(T#!4CigO*@Nt*cju(bRHH%EVxVXtyi304P9c!LIxE#Op3eZXgpYtG$E6h|8`d zcSIC`m(Z98UG~N`!P2+1d<`2P4b-_jQbEYD@I6W>6wa1l!v3Jk5&m8q(0@?5uz-hL z_WICZNbz#m&(at%G03{<_Ly#NZlvj46WB++TA%BH<3T2ZZ~e<f*gqQcBKi5#rw+h7 ze90ZUJs-!6*pb^w!rH`U#+W=qL2`^o+1|4!wz~RwLIuAp4^MS}{}!4*T7W1W23>@o zxgL@*+@R*>M=iw*vGCmil`px+CZbMG|D2u<uN@?!?J;EvYh;?xT_AJfiv6Vr#6+r9 zk=()$w9C4d+7TdrB+-lv4Npgl5v8x1pM!oX)mFG@&_OsNg8TM;7&D?!)zfRMs{<l> zk(wGrd>LwlN%GsbeV8WLPY|@?a)Y-ce~kqWl!^gi7s7x*ng0OY_uV^-;m=R;3LEfE z514(Z-_GTXq5@dW^RQB&YrVJ9XTi{zyzywlm*nK!$Cm^QjfdQO@Sx6I6cEPb2MhO; znhO9+H>SFZL1Je5*%?u`<K=D^-nl~wO_2=I4Txm_4}#s~3tA=EyiC&4WdZR$ldNh% zHg|o$xa?nQEv608Bv*n)j$pFm-)U2T0qyp8%xD+L$ZMWHjb&}_KdP#B@nT==3tecv z7`gfRc``CGvo{_`5QG4%yf|XDx*~h|@(|(}phk`tbiL0~M4@-VjD%U2Ame&4)ArI+ z{Aqb@Ee~mMbUxzUC9y?71qNk+q<{_&{~xvmT&Zhzc1Se~$dHwDvh3Ldby<Ly7X~QC z5geHw`UMIvDgwl9mlI>ya)_ki&k;|an1IN_o_SuGbYISI(;JclR7$ADKxn3B$|bKb z@dz;xfj^>rxw*cGev&JV9<}{nE^&>ysA(+h=jrKbTn^9+_Bs&gJ(gN2ihiAT>b34| z+yJ9keMpj+l-P6P#)P4bVmx3CWBpR7z#DIl{rve9xe}(T`FeRtNl9QJ>FP2x45~mV z)1Zg{sf~6$r8*ZcZo+*)vqRZ<`uOn)V#rtq_3y}$0`RgUM|3nbzqGYQcJXwDz?CIZ zBJJ;(hx_;LmA^d?QSg7Wi|<I>_-7R>XLdq~CszX8K6jD$qka9Za<X0D8$+ZgVY%k# zH}>~)Kd7VJwr$Z+t0b@~!!!QVC)shmOL=~z(Cee3proiyTu5+3E8ycxU0QO}W_w2u zR)rBkjs5AeH>uxR?H4K?kgbTww8RGb2x6O(lDeD5gQ+PgjZr`c@DMS4&&B_AzRI+U 
z>8bQ0+SwZXDQBA0KujAmf$-m16pY54pnC$G1ceyMXPG}~?UpZ0brVxmZ{NCgmaXTl zPepmTXX1ymN7y44`k8Xv%9Z$T01-oDcCj3iMm+@gLQ9Slx#feCAPC3?<VyM95glCE zws;(Y6Z!}ZNGAIi_g%hxd7%bvAEqR1J*Yo0wOT+C;anCojr%B4k&{MiO}mxqnwde* zU4ik1r7i6^P>rw=yWQ&p|4V6-1$}_hRAa&Z{)yUIXw=V+*+v4FLh}y(`^UiW{P`ke z|3DOA(>s^5E*X|OCWnUB2ar(`Jpk?)rWgMs2f3B}j}`=DyHyZlwXpU)E6X_FJOC#L zkTQoq1K!9;j(GZ(ZrxUb?KCU76bIVB1e(LUcf694?zmE%Te){slV+pVZy^jDT!}HQ zyUG3NrKTu$n=~`vT*xGsE?<7-(67MB84n$+PksrxB+Kj9eIVzcGdq^Ey2*Mi5#s?j zZiu0XY#bNo-A?`vCsdH0>~`(7hq>duGWYUAmZz!8KeZ^?YxFtvcRs2|@$tQ_t-pqc zuUcC_$6av^bNEBNnd~Z_03LzXjX6fDAiYJ%)9kWXbdOa8<R}zl(-Vnrv6C%CpV>z_ zp($IUPi*Yoda4&(iG2+4vOY5yl$h9$E`dxTlG|sYZ+p0#SfD(h(4uBwzR9qUL;!iQ z)Zh(jx0AA~I;gKfM?ih}5-E(*B`hN1yENGe+D3$gU=bHbAT*({cU5}1YiVhria=sQ zdt@XhLX>|-v#@|bDPT6Vm{sGefV?Foe?fb&$PlyxorjMNB7Z#75FP@#5|@Iv0l?Z~ z*9o9W=n!CI|93&<9vk0*10~mfyo5Q9Jy4RLFRG}x_47j*Vhuzx*&aJ?w0B4o7#Qv7 zFFpXS!I?7-5aZ-rzQrddnn5;1W+RhkkR75bkWfPD9)@MbBJK7h%<SOks0I(?jK`b8 z!Z~yi427ys@yPZ&sJl>_!`Y80YiS{aHHR9B{dw%zHga<0i{XbLH~>kQb8JfGR6}NK z9g02;n~2KcatI$Lg;!46+lvG%C$|W}9YL;6`UZdbncm_~oR9KZTS5eZ`avCvGHQ8? 
zr+U%%=jeE)Wo0k2vH%U?%OM14`o<$dYrptrc=-j5iTO-FwTc%n>Y*?Jlu}SoK+{L0 zt?2hJ3RDvW8qO;zk>CdNZ{MZ>lv&6Z8}Ri}`Nac8<Xj#jDOvR=RmCe}();&Q$P0le zoZe!Q&V2IpDTW-U(a=P5A+{&IeA(65SPd7g|JnMUsWXWRy;xUJ!~hiEVD+NLqR4#h z5jif&PHPE45~*LJj3Fqv3n6$Qf6oM~RCM1_Pk~4}G$g%jg8~3f2$+Sh%yN$*jSSf; zIqE%$eO*t^C#Y&KbTjXUg$+5DBGZRV_hSwI{jU#OQ#g(-qyK2f%iySl7~Ta6mylS6 zg_D+c1=VQ&^JEYdA*2dkQ1TLjl_Bk%)76FW1#FVUklouv5p;CGtQ{xSKv}RR5MjY- z1*pAT@u=hB7o*d1b1&-Z*0x%BxdUP$EQ*|i#KH$-fC|Ljl{Z=%+dDd*B_?h`YQ<H8 zWG}zHwC5f?CoeDA%#y20f6(dSNTN504G<k*A8&7zA7m3>+xNodJ;h1g-P*bUFtu>l zHYYC+*;N}C7Z-Fu%nalb;A0$UK@<Y=6SQ?PUEP*k{UEn_@HCuw;XiNySIn?1JX3(> zj`ilsxi2XTf)3;m=(X${>5;c?y@#6F-QB$htZ#fAyby@@3Rc9mYX_ex&RZcHkSnnq zqJoWvvq9+R#TdMoFYn51JW$*$g}c?TBFOR?RHO3E8{9++RBoVqK|yJk(X-pPhhmBT z$Hf4f(Pe;pF>f2tE%A;&ZAe5d0viK@l_KD%)Ygy(H0|Q*ia`K9?{M`*wg`8EUh$)~ z6$KGj2d-BkY>X}qdIsPNTnd>AIXKh~iMH?bFc0y4P}LzA#9a&Mr#P~$a<}x2Ur2%C z{pEC70Qg6-QB5n{T;thy>=+stAQDG1vLMJjZr#c?gN_(}eDLV)OZZev%M7#%tXz<g z=UX8vyiP!`aNUQ-ygAmX)e@gQ>i{Kyc1aBU3JQkuXaIB}$*z0u+`{4_;J~bhT+UTk zWld&|0QSKA8wlQEbWu1jtH$3up;&OK_BO`$tY3IUe0&a|EDzO$LcRUAv$DI_j~AH8 zk4u@0Ku%8B0qVO3ooK-c00fhb@BE6B5uBU=qH8@twL`O`pYJ93QBhF=4N(PR|I=~G zJjqfctZi;ofX6@zpuh7tGBV+qt)88oP-d7i;;6(%1OP{_gynh!Y5AC#-E3@8aA=$A z>vFNEvJq3ee!V@%7(>xMBD&3v2UH1|bi4&v14k$rlHzL^lw_BgjP~+wQ$<k*v}+jq zM+T-bKe$`Oaq2-YFoGa+t3RYDf}(+rA3ttE0l-3Y0dWBW18|%!<8-sNg&1ao$S|k{ zAlwdS=E%cl7m-LAD`zBELOopqMV9wkf&l}Q9_kk5hSRkwMygwwgOTCkUF__lVo&6A zbaX4|ZY$;&%*MyX<(gL9R+t_g1wV$?yJPW(g8G9g8S?Axf%qfLU@Qft<g=JvYz}}v zbP-TPEzY=r@5c*VC~l-5YZNAB5|qLV7|EHKnUSN=yKo^MGAU6_7d9%o0TyvcAA89I z*cOWy=w#a2gxLrRF8~eXr*e!Y0uV4C8L~O`vMV9ngE|7uL*Udud$#e%k6vi*=m$;u zW7$RLUG%<Otn;$$!M;WffPjJjrx0I_c=)gpJqqC)w8_<V1H8ozG#1~66K6P6+w$Yb z&JAG>pA$9{GO<BHCm>&d&@hn`la)9F`aH;YFY);6cL-akMbIHJvk6h!P^|vIeFAv1 z?%PY%+|y%cV-p=8j{`6hD5D%QE}#1Q`*Fe;u`S>W21wr1c`kbdUXK_{-T3v1=#Pkt z7Z^;UTsMZo=eZA<yM258w{H-x$5+FyNU;hEc>DN3ap;_Xt{BJzd40zLZ4MN8SV|O~ zG^}B;c5JY%fyHppS1w<TcwcZm0E^JZQKTS~T8Oe^^{r~U8f#VnZY!(1)6>zRFFQ2o 
z&WxVQ%FRtkOss;&3F#ZBj@)BM8k0|8ugpWuhVl)$4p#?lk$7ALkd7EmC@bp)_*GHi z2XJh^mClDVVgOgDRPaSNjPmute9+5)b#Q1b$+fNs7Xh2iq{8hR4sa?lVuzrmBuF`> zG%!eui$9Lot#*(7l8w#Hsjg%2f)Rgpl_h<PV=D^*sCb!~BQeKpHTci9(^(-O3t5YY zDsb}$?xZc(R2GNjAZ63;k;s1WVhl?P&N<e;IwLahO<%s)qS9dK!8S*&04o|VN1*vk z>&1e=;0#D04=AU}D@!`h)mfAr;vsfcVP(cEm_0xV*c~h~iYjSINw03gXF)VJDKD?# zNqD|N_S2_7uwg)uB(Hb1_J1%eT0)p&3pE)MxU}zjDZolXLIP}GSHARyr;*>Ufv2eP zM&NYby@V=^(fFS=S4YSE!a@sZ|M%|S#}VuSI5tyLy%V&R;W3B=x40tPcf@x#^3}he zurN&vi=R+pDlR^qU0t+gV0eJ_hcG?_XZrcB#VPlSs0jFV*jz3yN6Y;l1ID(sscm%c zrBddN0KkNF_3e{Yhci!m`NFs1|1%4KSy<v2UD{IT4_21;S`rF!*pqLF6iwFQdZf~E z3N6)=To=(yEDn75w|Lo-Dt(ng`zgq(TgdWZa?m88KqE`o)6;|8akyxHbF-oFiy`@j z|J~TWSJe+pdd=Dz$&r{@RrVtwB#_jgJGFF*k1m>+l!W$DOr%!5=v#ad9gQ>2uDA<H zNw}z)YWy-^C(!yIaLVo%7T&-%$H=?y`CZ(d%!N9R2uMa|=APZV&uK!-{byKrvdiVS z^aq$Y!F(Nk9_~-0Bk%+mwXGP3238RSM^wy{FhV)H=ZM8Eyd*2j771_yt5s9ip?&+V zVut~P3=g~Fm<ZAwKy2V9i)F;SDlmW+V(00(ilTu@{EmbVo?w705Sx>L9SS4N)Wn26 zy37pv8iKc#aB~(i_V=DuKb_8XKRrC=;NHD3%`v>?sa;bsCKT>POyo%S;{*Y`EpQj5 z_OaHc%T3>=pin8q&MhoJrbm~9^$`v68fyxN2LW5!rxafL($(G_U$JqyuhN6aXQYtf zI}d07L=$+DU!NTzCk@znAK}>#{r!r_NE#c*&Zc+dFQx21lh6afp|i98(<x2AVq`91 zOpiWnK<WhB<gzF)#yA5@Jf;7mwT%sQhjA2%(d3fc=cyU=(7)m00b~05`i_QV0Z@V` z!bO4ERfotaP9Ao+*7#2CD6ObSJ;CP|4;%L`{XCdaOhUr<fl(xlxuiJk0aIa(;Zr(s zh6AMv$2)N<2@e>6VNzcYltI;emAwti?Z|S?Im&WW>o}Ak@KBjX;c_XCFcuRC{ZPEK z*8<;L6hJ<NV1@|rC2v92oJu@|0a*cLMUcG*Z(M=R3TqEi-r@cGKYluOXzyMn+hQ&7 zHEnGPadF+VXK|)l39aH+JU9YO^#Xf>8!bgDAR-PC5Mgc}zTkg1LWhyh8y!PxDFUUM zc&GrXmpE$Q%nbXC61yB%|GcsjT9cxpA_D`1nVA_-7bI_rKg`~kTn_pYoNR@4?egRU zDx*D)o!qHC{Y*5#^SKeC8dyL$#)Q*xbNy5~J~)o}6Ag@mg9CdPsP|1}C0yzz=h$Zo z?jK01PHAbmI5`!(dUe^94FCqj3m67o*(L86ka1wu2H(D&V*3ZJ`*}qQQfPjgD^@l( zFHjqUf@)FecCFW_;lHDz+Myj|FCtToz72!}nXgH>1tKL1%<8HqZa`MH0>XImH@CGH z6rNANV%nZ(4P);YzIyd{syiwn;UW%X@7;R|>U)FYmgtR3V}OD0YHKUF`mdDZVnD)( zrrHXp{OA~f8zN?E4&DF+rN|TfogGp)@(TaT%*Ew9_-<Py1<8XLa2mARRj;SMe!Z}3 z`}_UCcX5KP9Y+oYWo5l!Mc|<V5S~!F<sfE&l{1yPm^?)2Ote%}iXHPsJR<3OSPp5m 
z%A50Q7cM;g!3nogtn`)O08q&O(=kV}Y~iJF$$2z>`$iW}U&p(RC0H3Tnh9`i!`_HD zZ`Q%Ha73=*MRqpJjvbe4H}i^$TtFeSyart%&7~}wQ5#2)!Wh#wF^QwAO6HPr8TEId z`C12%zUrzuNV0>C?M{QAC=c&8(EXjB8G%3EfA|2Yv9poM0f}adhM902#4`~yqI?h- z!g3byk~X~fm<CSQY48^&^YsOOu;_Hoc%q!_QbEhLK%<i8kI?DVQrHnz8+&`phTjJr zaN-aqs@>@Gva(&Aw4}7O|Gfqb$LfSS{sIJUHyTm`a$I0FX&mxNiTFLx4zW6}*53Yw z(%<1|!_<IhtL$SAwd;78{qm)<!(HO@L(VxyKYNBP5cH!GcEVR6o*$Jn973$JNQ0n# z7M7>tFhr^Szq@M(rfNzwC};)sgb-!WOLN%hjR&a25zPvi2mlwBZ5m0i<jy$?o0QH# zAHX`!o=CyL9jF&}%XHfh8<o3^{dc0vpj{PoAw7LxPC*?BAI2^UGXdbcDtp_Y>J75a z@W8Td6El&+L5W!OY&e#|6QP01B!!T1SQi^3V+859-d=eG3eAQdh)n}=A;tnZDcd?u z5qKVtafncD7lze`@TBga6aQ{D3G1Q0qeE)nzTh!ooL7JL>>1(<)uJXY_rUl-R<hZD z6Caa;0h|6)$*y!plszU1C>z))1$Y-!4QByQp9Tomz*AD19(H-BA}5Vp4UVCQrlz3z z;HDiq3$H@s`+7~+yhblA>2X9v8H^h!Vn)Ws(LWFlR)ki9U@FB*M<${L$d}6btUd|V zXG1Hw_g_r;>$S5Fl~hQH4}QS{hqekIm&4l@J`oI5wf5$klKoVu@X(oR5ud~{fBLt@ zaJZn1K+b;mcZY6uxWsYbYrtRdIP}1)4i1XXl*-}f?MBFP&z`V8huxyn=&tA|M~)ri zoOy5w#Rr0rz`lJ?LDTYNFA-!gDV#V5S#~2Grw!1*A&ufp5Y9bNI2Ii7{8fMn!|^^~ z)GMklybnuCwnORF;K$c4Ne&T>QBKY&toyOC`h+8K<m3QX^D{FV+S=h^VJF(NFqR0B z&duGxQGN`mnh_#ukiOtoLLtPx1W!fP;8(J4lT`HdZ9jg*OI+X07sL;82%!lNNdON5 z*M0R?tp)|A5k-iYG=c_;4;WX$fg^nR@bJ^v*suf}7>0k!grc=XgoKFs4`4)~$jRyH z+^noGAG=lzVL3r5ffy%u<Cg{)GwLf4EokRB4rbFqp2fIBh~YSPtrf%sm9s<i_8S7W zm<bNPmlPFYl+%jGm>^K%D94^XpxYt`4jh06D<Y!J&y1c7$bwRpp&fti(xn2lTCj!u zG7qK3t}Z;>g&35=I>Z*n+<|zb_qVmT<1l>q9?9=8US@xO0Q`;1eUhl8Lj4>`GicfX z*rH;zXP^gQJ%CxlbRdTPco>P&MmXn}1Y;TksvIJ153#F}sB#e|CFecIn4Fo97Bbju zK^P4RVUdEl16XNfB*Vkw-%?Ddo-%*JA22jH2p@G1E9=KGWx@anV?^LEyh=3Qlc!Gy zYmN}i$?>R`hY-y`XmF2WPVdPH%X>^T_6gt~ftm2IguUFvM<JyhCt4^F9nb->v87CD z2ybA=uW(~c6<7oV(-M_ITN3{|Jicku9VG(P0s9A<7{P-<g+CFbHY_B>V{J(|?j40W z!CXBy5p!>k?S;Nh8{SDq7^To|pUFXmg4>2X(QyS*QFA<qWxITEB@|;Qj?h&J3_+aN z6_Bvj&o<b5-~jScbz??^f$NUtw;4DUyi0NZ3ik(Zj*vjfRPSKlTkZ<ZzPwX{phY6v z<-PBpmAPB{5?Qqn-r|Q;aGpT{FF!x|923D3XZ?4e{vt7gCL$>=KI9@ym|?)tUP?Tq z=i^7%PMc^ma6Acb5h-7;!5Kqj>iKwiA*K`7aYlRuLLZLk%pq_m#j$>j#9Rz-zK*;y 
zEYTHUPvUG6FZTq#`wsecXIB@j1>9&gFAo2{gf0nvv^s#yk$MlI4dH_X+$j2PE<)t9 zKUImhuZUyP2`*5}q4YpyAdc=bM;zI(Jc2u5@3(Y22>Ecp=h+unmVgitH6qT`I)hu$ z&69`++}(KykAWi2C_~5HU%RkX;T!>w;AapwONFOf^d0}_{Q|&&zDncGq?qQLwV<h} zcsLSJhlRu_<ap`{B@zvYt=0(I5jybsWxc@DSTO@E5(Ey6wMh=Vowl|mgm51|AUKla zKzSb08W6XURs@C$#Tw;F;^8f0iPpM^<GQfx@SF#%pyQ5sUQ-m1sV&N!^KV+%0LPPR zcAc|#0cb;^0M4k!cS_N?6-7T#PDT_7Ke$}XWqWJur!QY{d;mXRK|O(c7uewcF5<p% zpaIfYr>-c$pEX3o@|1=K6ui&KtKwW3axaMF@gmQ#e}5bJ5O5E!9OH{J3fAoT??~FB z9Zq7IBeIF1#wM`z+t6a-=60~RC*mkRzFJHyyHLl2%i&l&M4u@+xu&B72PP|#WiI-? z?l;xzb@a)~7GcK9@=mnC6Xs~w(Da?ddb>jRHlKPi)p+5KiJR_yF;%MvLfx(!IVK0Q z41Oet7^&|wI$GvXtU@vT+Ejz-WfS{lkt)T6`S`>O;<Vx!U)C1e7ru_%^y`~<@%($! zK9M2nOU{cIN5sWn<>x0gS>qPid_P<f!)^ht-W#<V5-G7D4k1eHDozVzG+9FdA4>d6 zr6f&JNKs<@aU4wq{1?1}pV<b~0=^TIF5(D~2I1x6*9Z??5xa>rJ_kLe5~D(5)umbr zBtt+6XFqR{;h{fJQxT>CeqH+cfd=wqsGGXqmyVN%=n0p}_ubHf+ll<}#kbyLLqmK` z=_hC@E+fvHd={Sz?GvH;LUaq5HB5c)e$TJKDiOouqaYQvwINccST3)q$Q@JzlgH55 z7y>_hS2&cRz7YsqU~S=PN1-a9zwiS*{!ViS@<2sNz)2~t2l~3Y0RE<UlFR@X3JDr8 zd<sY5KX68wLvcb3-yNK#9zs3m%Ypd4j_?Nr$gw9-!?7$?c#r&hrbwuw5TuZT{Cplp zDi66noPqbDN%%617z#r9I6sM6keQZ7TkkBS&hBlLq!Qi-76xL8gK}fPe)0SM5}*z^ zJ~K1(4DAOlJ^YiyCZ(e9q~Pg<-@h*p(HOKC%k8#F8`?7Z5P%(ANkpUGP3=(istSYG zgoOvY<j|o*d_+yl7ZC{DH)sZc142(%9f$Js^RcGUb*az%K<by3i;H-nTwL1e=RoYm z?H<-Ry<MA@ofTHJ#?m~X9TyT7W@}@Ec7QXDAU|x*25^cCEx+xCg-j8I(<lqw4plf4 z&qJl0d={Gs$|P)PoEhB3!a|H2M{r!4SqbPqmbx%dLxyK}O;0Oe)fA{BYlz28KyKK? 
zb3txjCx-DM2LgQH*uKpt{n27+nRsntT%CBD7c6OQbrsu?iTE@t=AB5^Gxo9xhmZ#N zf3N_i#f(=bp2PD$N=n?JGwGZ81WyAX7K6ptNF#s)vuSaZ_25%a{1cQsl$y84){#R; zxPPm1wD=RKCcYZ2AWVffxu2K<hxCfvERX=VoDk|Tx-_5&2JPK5{2JB++!8#7Ppt$b znGZY)k=qVFS_MVN3d^H-9LB`&->(s91=e{%4zc6UpFar7yW$Bn`DFE|7|^E{5=SX< z*-6}xS(m*P9@pb>A?l1*_@hWiT~@(@SG+d?A&G;yb0<z936d)zDG9DOf_a2^?o?(X z5xW7N1*JIE3u~Pr^p$lJ@1PYW<sH1Q&>$N%CTzQyRQU3=!t;!b+utl{?%>4yjE5ZF z2bD?Z&Q%;tz<NRA0a;bt8KB|b$Mx{dO+<+2>DcR<nvRHwgnzIAI0{vKH!x3jpeq$m zq+-PY*!)m$#S^XY2|GAB<(JMHO!{pa1s|a1lWqc-L4F^RL?d)Gz%LwbzA1MR8UPw& zs0vZ%!rFZN=n*vQ!}G~%Vz+logou9EFnar-VFVs+Y^?F3A`lsJaNt`h^a!`&8Alsy zf2xoIo|u?`Yk(keh%cTP_I_dCI8{&s!#&=8YMCt#z2(CrBL@~g!A+G#78e=%<-r8d zVmyTl-L_w`i4|GRQz=UZLXlsFm;U}mD_B@sqD~xsgDRiD2Av?=xP*Sg<otPfMy)+P za_@LjN9mOqu?yw69w->dJX%sl<HrxgM8Hn?TnNs69CQqt&uke(eR;Q+e>vrN=#vht zAF%r?v)2%toWn5Db4Wdmi8+`NjifwEm4*gYz;Tcp<iWD@^4Km)?YPW;pbJ3FL?o(V z1ZTH5=e`^Uy#~I5NP*|$K?4vFcn)_AQMnE&q)#w1*whfFkto0qAA{K4X-0DVVLJ^C z9@mD?(c14^)`I{9AQqmFrBi{{heu9H%gTbMRsoViD1aM*r3lIA{K1{y6oFs`1#NCg z`!_JeS!-qhtrZvlfRms$i)T|{2vD>?NaCb;`dI-~BTO>lT*Ig}X-}&GXp4)Aa4h|w zl-mrAfRTJ<bs`Uw49l)+W2qa2d>TlvLkblWR|yFj;@r{Q-=F~eQc~+<mapBJu%xD{ z3VgN<Apu2|c)Ik)uMiCOGk&;RSo_GZqXuJ?@JLXY;-c(Y-rnmFE1*vTwnNPTG^Q`f zsWNa>Hx`4;e6_#;?=GC+#gk3GeVfWm^nGN?mUtf+i}>K9ygY{AYXmXURE_Oa<bjBx z8=fK9o0~i0v{tm+?5+VvDJ(#QZ%m4;nOfC(WY6;Mt2P&fnJ#M6%pbiphhQ1#Ps*Pn zf)46G6hV1WQGbQU<o@@n{i>MpFf~5r(8B3$cWQCO4k=xn!!Z22ICjI$?e^c&8YzFB zG;%!TttslvmFqwtwS5I7gnMKH5zHPa`^$11>O71P;XWqw5&S(IQ-lMMyF`SOo+x#o z5M3;Hd0}>xI+(Y@>H&cufVZ91*Y^W&kaBrH=!hX<-L=cm%xtR$t(yYuhx?8eVfkH6 z=xcJAT1ONlV><0#<C$-Xew#2O=V~a<A9QtT$s-}~lkPi5DsK7Jyue_nk?C=LYjZPZ zR1c!)+Pt6^JnFhSD~@IY0ZY6ZYFYa7%S0@-lAIhIQ>Rv9gsfEa_+1L(q5Aq!*)7na zF=((0@f-zI#6v9?k$Aa=gF0_qx$x`@50Yp&?^uw=hK6Mo6<D10M|ThiPc*jU=qSPo zaMz=k;JL_o{Jt*4>V+ieAiq4?K2$&mDnKAmOEDIR0*syyB@kW&*$DAt(Zr)W;;!!| z-f(Tj=0P_iN(j)GYPxsP;wh*<9i_0IvF=CJ0**Vvl-_;6t+$tR_wI7v4Nn6u0%0tW zS?~xr9B+g`T#Q*c79J`h<>9geE;ud?{7P?VMU5n}a%vN70X#sAiII_KqU00F@(m0N 
zo=t%V)<xmT8LbDNT@s5%<%GJxR(z#nU|6>gP6dVouodP4M3Gz^1@B!TER)t0YlPyN zV~0)4i4Wd7_aF|>vE||tu{^0do2Q6Qx(Razo(&=?*z^D?*KKSfJRcFfb<A0$cUM+c zf|a3&^BInt-@?Nt4Tbao;~%D{s%2(n9fE?1^BHh&07*dzE<e~_%|@jbk$ME@HbCw{ zqR^f+_nG6UO;8PjGll2J`2u+$?E(yf=m6tEB|&O0y=ClNC~Y;{HoRBg&~OYyA2Akl zbJ0jC;&YyYYH)@xqUp;2(b&1hG<}9q{7<P;l_1v1fC&~XLJ<{<I0cc5$Sn)b%M#q` z26B;Y4pDK%taBa6O>w}~DPcq|8j&z%!w^NLb%LcjSMdglf{2sp6cH66pzK$dEc>tz z;~Ob$`M-VN=YO7a&U3m;HS>juHEM1ai<}6=;K`TV8w5>1SSOs}6r@eEE0{9~UH>Ap zaW%~lv5qI|>s8lwJ|8Pi!>(?>qaQ^80h)*w@LOTOM7Kr=nHa02BV{j}5DHT;^yO1K z3XI)*Aa~_*j}L0Aury7c=EV{xB_%=KP@k_~zs^p8kN#=Pa*1|{L$33Ia^N{s4MhYo zNa^i8$*b&c@;vS~JOeUwL27SFMn+@mJq3A&Q%pnj#juR`Zr_du`yAhIrVF)-*guCx z0_VU-bt&PdxrorL02#-9x<c{1zyBl|B7FGxtqgID*f=Sb%Z8=Ku5tzo;nEQ|8T@() z^4*`B?x;1I?+Uv=Q6k2wz)aU?6lTPUhYvY*82VsU;I=4~eUZr(>~<8>hK68(25Lvj zw@!i}a*;|HZ8nYMo;?fYm6e%UckEb`?^NOL_z3yHc*i_75-5~3v9IiICg%3GPu3Vp zg44zi{dwe6;+z{uX@^!+=H(d&sy-d9(~pjjTX!=HGROW0@|jsBhDq@|?^K5fxzkf; zO0&ICD#^g`DSq|%)QG*E-J|xOhu~`aBFAc<n7c?Vjf6;I*sQCw-`)rU9U2<)Cw8(u z+|1LFcP+qIQP!MDRqfC`y}%xU<@%Bk!p*Luv}-v5p7v|!`uh33WG0H!2^j-4QNDjj zBn+lW$AskRyW$fPE+rnN0x&8M^M1(KV5QXr=7^VZN40ivxYgPkc3>HRtI_z4mCjXs zc(F(kRiF9<;gfzF^9vDlz@?U3w`M%vFXW5d3IaZ1k{NuBTkBGL`$7m%oH_Is24976 zRvaPESK@nM-8q4bqu~M{8W_N0VR|@Z3=ii(hE185TtZJyH%RAr=1h52)jM3UZ1%BL z=5d&Mzo)gBHZ1}1n+pP$q`Pj_9TY{#ZCy1B{n<1=KG-cmODQ;H>2FL+8558r?xHcy z4=JB*Yw5oG0lXE~%E!4nPZBKjp5Z4|{6!xLgT0_)QqIJYb^cp0+If5L4t6&9PMEJ% zJ83nxc6Pvnt1T^zG#h;1^vq=)`1z{PMcR{SE@;EvB~~gx?p8pVmhNIk-<nGjglw@3 z5mUh|xga>RxPnkn5-jQ+!G<$?#4G;X8;G=!X-&Qg*%DsCwvrM|{4<UV+BBMP>7(<V z$#J_T<&Wc)EwSa7Vp+gOp?>_KPw{UFHKRm<km{%w(18VEx!Ku-!6e3}+%9C!CN?%* z-_=sJGBzeA@U=?}Q$GUK#RS#Nx0zpqbw&1lP3Fe;_Hc37A?dNW^(4q%Rp@+g2-#cp zU4xp1dHOc=Z;lS{#JjU40s`nhb#O6TXD|SbQ-TTE=ymI+AWaPR#iQ+9xguAc$qFh3 z`0;`7Eh-{Dd#an8B>gmY>(UNhiyB*5Q9)y(kjYAp9$jH|%0`nf2=nK!za!2FDp1>u zQ24WCVQbbL43I%VR3q(HS4S%g#iCL+MXQIO-zwA!WA`{U>3YPD{PF7p8j3}~e6Chw z%X;=KrSm)L3>BrbC&kC%7JTYv51Y1*j#+IT3MVWsK&^AW;|8@$<-#HgiIarB52j&b 
z&&}ibQsx#xy*jVebv<ca+mCM)<dU28BiZ5BasP?(C24F}dI$>(ix_cesGboio9!8| znj0F#FH4{$x}VbflWsk4c$ue%>7!hH@G|+IWtEja<VA@CFJ5lHc~eCK)9DLnAQ}6b zbG}|bPetj4TLo-m5d)CXC%^_})lTs8nr1V!?*wTwjnB)?T%_7kI+*4=+4v)H=78I3 zYiiyy^q8RazrZzCd;l-J0<s%K!=ko}_fuFOek&XnWPYaYm$_|QL{yY*Mo{O5<8jKu z^S|RFf;(Ou5@Pl7N|g#IfA`@-BEC)1GLVpU<Bm)U<Iv#X(nI{??_mhzF8FtG-8^hB zvol@mEO++^PCG!<f4JA&Dyzuvi`w3VXVK8Ilv_Mh$Q-Z~+(OP741vZY1XKV~!J!x_ z{*LH!w6^x_Ib|MZdF`;-hK+=rM(yp~S&efPlpVgWY-EA1yzBoQynoJV>WR@!J6=Z& zq=A0wCz_psz9`1&P+yZj-t^$|O`E*;oZqdsiMHiXU<YgOmRt?y+XBXzz9V2|lYYc( Y*6LV`c=tJRrmqkPUmO{HI4C;pFB=3CdjJ3c literal 0 HcmV?d00001 diff --git a/doc/guide/admin/maintenance.sdf b/doc/guide/admin/maintenance.sdf new file mode 100644 index 0000000000..5bba1a5f5a --- /dev/null +++ b/doc/guide/admin/maintenance.sdf 
@@ -0,0 +1,110 @@
+# $OpenLDAP$
+# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
+# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
+
+H1: Maintenance
+
+System Administration is all about maintenance, so it is only fair that we
+discuss how to correctly maintain an OpenLDAP deployment.
+
+
+H2: Directory Backups
+
+MORE
+
+You can use {{slapcat}}(8) to generate an LDIF file for each of your {{slapd}}(8)
+back-bdb or back-hdb databases.
+
+> slapcat -f slapd.conf -b "dc=example,dc=com"
+
+For back-bdb and back-hdb, this command may be ran while slapd(8) is running.
+
+MORE
+
+
+H2: Berkeley DB Logs
+
+Berkeley DB log files grow, and the administrator has to deal with it. The
+procedure is known as log file archival or log file rotation.
+
+Note: The actual log file rotation is handled by the Berkeley DB engine.
+
+Logs of current transactions need to be stored into files so that the database
+can be recovered in the event of an application crash. Administrators can change
+the size limit of a single log file (by default 10MB), and have old log files
+removed automatically, by setting up DB environment (see below). The reason
+Berkeley DB never deletes any log files by default is that the administrator
+may wish to backup the log files before removal to make database recovery
+possible even after a catastrophic failure, such as file system corruption.
+
+Log file names are {{F:log.XXXXXXXXXX}} (X is a digit). By default the log files
+are located in the BDB backend directory. The {{F:db_archive}} tool knows what
+log files are used in current transactions, and what are not. Administrators can
+move unused log files to a backup media, and delete them. To have them removed
+automatically, place set_flags {{DB_LOG_AUTOREMOVE}} directive in {{F:DB_CONFIG}}.
+
+Note: If the log files are removed automatically, recovery after a catastrophic
+failure is likely to be impossible.
+
+The files with names {{F:__db.001}}, {{F:__db.002}}, etc are just shared memory
+regions (or whatever). These ARE NOT 'logs', they must be left alone. Don't be
+afraid of them, they do not grow like logs do.
+
+To understand the {{F:db_archive}} interface, the reader should refer to
+chapter 9 of the Berkeley DB guide. In particular, the following chapters are
+recommended:
+
+* Database and log file archival
+* Log file removal
+* Recovery procedures
+* Hot failover
+
+Advanced installations can use special environment settings to fine-tune some
+Berkeley DB options (change the log file limit, etc). This can be done by using
+the {{F:DB_CONFIG}} file. This magic file can be created in BDB backend directory
+set up by {{slapd.conf}}(5). More information on this file can be found in File
+naming chapter. Specific directives can be found in C Interface, look for
+{{DB_ENV->set_XXXX}} calls.
+
+Note: options set in {{F:DB_CONFIG}} file override options set by OpenLDAP.
+Use them with extreme caution. Do not use them unless You know what You are doing.
+
+The advantages of {{F:DB_CONFIG}} usage can be the following:
+
+* to keep data files and log files on different mediums (i.e. disks) to improve
+ performance and/or reliability;
+* to fine-tune some specific options (such as shared memory region sizes);
+* to set the log file limit (please read Log file limits before doing this).
+
+To figure out the best-practice BDB backup scenario, the reader is highly
+recommended to read the whole Chapter 9: Berkeley DB Transactional Data Store Applications.
+This chapter is a set of small pages with examples in C language. Non-programming
+people can skip this examples without loss of knowledge.
+
+
+H2: Checkpointing
+
+MORE/TIDY
+
+If you put "checkpoint 1024 5" in slapd.conf (to checkpoint after 1024kb or 5 minutes,
+for example), this does not checkpoint every 5 minutes as you may think.
+The explanation from Howard is:
+
+'In OpenLDAP 2.1 and 2.2 the checkpoint directive acts as follows - *when there
+is a write operation*, and more than <check> minutes have occurred since the
+last checkpoint, perform the checkpoint. If more than <check> minutes pass after
+a write without any other write operations occurring, no checkpoint is performed,
+so it's possible to lose the last write that occurred.''
+
+In other words, a write operation occurring less than "check" minutes after the
+last checkpoint will not be checkpointed until the next write occurs after "check"
+minutes have passed since the checkpoint.
+
+This has been modified in 2.3 to indeed checkpoint every so often; in the meantime
+a workaround is to invoke "db_checkpoint" from a cron script every so often, say 5 minutes.
+
+H2: Migration
+
+Exporting to a new system......
+
+
diff --git a/doc/guide/admin/master.sdf b/doc/guide/admin/master.sdf
index 7d7b4b2471..f9dc9ee61a 100644
--- a/doc/guide/admin/master.sdf
+++ b/doc/guide/admin/master.sdf
@@ -48,6 +48,12 @@ PB: !include "dbtools.sdf"; chapter PB: +!include "backends.sdf"; chapter +PB: + +!include "overlays.sdf"; chapter +PB: + !include "schema.sdf"; chapter PB:
@@ -60,25 +66,32 @@ PB: !include "tls.sdf"; chapter PB: -!include "monitoringslapd.sdf"; chapter +!include "referrals.sdf"; chapter PB: -#!include "tuning.sdf"; chapter -#PB: +!include "replication.sdf"; chapter +PB: -!include "referrals.sdf"; chapter +!include "maintenance.sdf"; chapter PB: -!include "replication.sdf"; chapter +!include "monitoringslapd.sdf"; chapter PB: -!include "syncrepl.sdf"; chapter +!include "tuning.sdf"; chapter PB: -!include "proxycache.sdf"; chapter +!include "troubleshooting.sdf"; chapter PB: # Appendices +!include "appendix-changes.sdf"; appendix +PB: + +# Config file examples +!include "appendix-configs.sdf"; appendix +PB: + # Terms !include "glossary.sdf"; appendix PB:
diff --git a/doc/guide/admin/monitoringslapd.sdf b/doc/guide/admin/monitoringslapd.sdf
index cc2311b605..a21ebcaf5b 100644
--- a/doc/guide/admin/monitoringslapd.sdf
+++ b/doc/guide/admin/monitoringslapd.sdf
@@ -55,7 +55,7 @@ First, ensure {{core.schema}} schema configuration file is included by your {{slapd.conf}}(5) file. The {{monitor}} backend requires it. -Second, instanticate the {{monitor backend}} by adding a +Second, instantiate the {{monitor backend}} by adding a {{database monitor}} directive below your existing database sections. For instance:
@@ -64,7 +64,7 @@ sections. For instance: Lastly, add additional global or database directives as needed. Like most other database backends, the monitor backend does honor -slapd(8) access and other adminstrative controls. As some monitor +slapd(8) access and other administrative controls. As some monitor information may be sensitive, it is generally recommend access to cn=monitor be restricted to directory administrators and their monitoring agents. Adding an {{access}} directive immediately below
@@ -99,7 +99,7 @@ Note that unlike general purpose database backends, the database suffix is hardcoded. It's always {{EX:cn=Monitor}}. So no {{suffix}} directive should be provided. Also note that general purpose database backends, the monitor backend cannot be instantiated -multiple times. That is, there can only be one (or zero) occurances +multiple times. That is, there can only be one (or zero) occurrences of {{EX:database monitor}} in the server's configuration.
@@ -498,3 +498,8 @@ Write waiters: > entryDN: cn=Write,cn=Waiters,cn=Monitor > subschemaSubentry: cn=Subschema > hasSubordinates: FALSE + +Add new monitored things here and discuss, referencing man pages and present +examples + +
diff --git a/doc/guide/admin/overlays.sdf b/doc/guide/admin/overlays.sdf
new file mode 100644
index 0000000000..b153978ece
--- /dev/null
+++ b/doc/guide/admin/overlays.sdf
@@ -0,0 +1,413 @@ +# $OpenLDAP$ +# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved. +# COPYING RESTRICTIONS APPLY, see COPYRIGHT. + +H1: Overlays + +Overlays are software components that provide hooks to functions analogous to +those provided by backends, which can be stacked on top of the backend calls +and as callbacks on top of backend responses to alter their behavior. + +Overlays may be compiled statically into slapd, or when module support +is enabled, they may be dynamically loaded. Most of the overlays +are only allowed to be configured on individual databases, but some +may also be configured globally. + +Essentially they represent a means to: + + * customize the behavior of existing backends without changing the backend + code and without requiring one to write a new custom backend with + complete functionality + * write functionality of general usefulness that can be applied to + different backend types + +Overlays are usually documented by separate specific man pages in section 5; +the naming convention is + +> slapo-<overlay name> + +Not all distributed overlays have a man page yet. Feel free to contribute one, +if you think you well understood the behavior of the component and the +implications of all the related configuration directives. + +Official overlays are located in + +> servers/slapd/overlays/ + +That directory also contains the file slapover.txt, which describes the +rationale of the overlay implementation, and may serve as guideline for the +development of custom overlays. + +Contribware overlays are located in + +> contrib/slapd-modules/<overlay name>/ + +along with other types of run-time loadable components; they are officially +distributed, but not maintained by the project. + +They can be stacked on the frontend as well; this means that they can be +executed after a request is parsed and validated, but right before the +appropriate database is selected. 
The main purpose is to affect operations +regardless of the database they will be handled by, and, in some cases, +to influence the selection of the database by massaging the request DN. + +All the current overlays in 2.4 are listed and described in detail in the +following sections. + + +H2: Access Logging + + +H3: Overview + +This overlay can record accesses to a given backend database on another +database. + + +H3: Access Logging Configuration + + +H2: Audit Logging + +This overlay records changes on a given backend database to an LDIF log +file. + + +H3: Overview + + +H3: Audit Logging Configuration + + +H2: Chaining + + +H3: Overview + +The chain overlay provides basic chaining capability to the underlying +database. + +What is chaining? It indicates the capability of a DSA to follow referrals on +behalf of the client, so that distributed systems are viewed as a single +virtual DSA by clients that are otherwise unable to "chase" (i.e. follow) +referrals by themselves. + +The chain overlay is built on top of the ldap backend; it is compiled by +default when --enable-ldap. + + +H3: Chaining Configuration + + +H2: Constraints + + +H3: Overview + +This overlay enforces a regular expression constraint on all values +of specified attributes. It is used to enforce a more rigorous +syntax when the underlying attribute syntax is too general. + + +H3: Constraint Configuration + + +H2: Dynamic Directory Services + + +H3: Overview + +This overlay supports dynamic objects, which have a limited life after +which they expire and are automatically deleted. + + +H3: Dynamic Directory Service Configuration + + +H2: Dynamic Groups + + +H3: Overview + +This overlay extends the Compare operation to detect +members of a dynamic group. This overlay is now deprecated +as all of its functions are available using the +{{SECT:Dynamic Lists}} overlay. + + +H3: Dynamic Group Configuration + + +H2: Dynamic Lists + + +H3: Overview + +This overlay allows expansion of dynamic groups and more. 
+ + +H3: Dynamic List Configuration + + +H2: Reverse Group Membership Maintenance + + +H3: Member Of Configuration + + +H2: The Proxy Cache Engine + +{{TERM:LDAP}} servers typically hold one or more subtrees of a +{{TERM:DIT}}. Replica (or shadow) servers hold shadow copies of +entries held by one or more master servers. Changes are propagated +from the master server to replica (slave) servers using LDAP Sync +replication. An LDAP cache is a special type of replica which holds +entries corresponding to search filters instead of subtrees. + +H3: Overview + +The proxy cache extension of slapd is designed to improve the +responsiveness of the ldap and meta backends. It handles a search +request (query) +by first determining whether it is contained in any cached search +filter. Contained requests are answered from the proxy cache's local +database. Other requests are passed on to the underlying ldap or +meta backend and processed as usual. + +E.g. {{EX:(shoesize>=9)}} is contained in {{EX:(shoesize>=8)}} and +{{EX:(sn=Richardson)}} is contained in {{EX:(sn=Richards*)}} + +Correct matching rules and syntaxes are used while comparing +assertions for query containment. To simplify the query containment +problem, a list of cacheable "templates" (defined below) is specified +at configuration time. A query is cached or answered only if it +belongs to one of these templates. The entries corresponding to +cached queries are stored in the proxy cache local database while +its associated meta information (filter, scope, base, attributes) +is stored in main memory. + +A template is a prototype for generating LDAP search requests. +Templates are described by a prototype search filter and a list of +attributes which are required in queries generated from the template. +The representation for prototype filter is similar to {{REF:RFC4515}}, +except that the assertion values are missing. 
Examples of prototype +filters are: (sn=),(&(sn=)(givenname=)) which are instantiated by +search filters (sn=Doe) and (&(sn=Doe)(givenname=John)) respectively. + +The cache replacement policy removes the least recently used (LRU) +query and entries belonging to only that query. Queries are allowed +a maximum time to live (TTL) in the cache thus providing weak +consistency. A background task periodically checks the cache for +expired queries and removes them. + +The Proxy Cache paper +({{URL:http://www.openldap.org/pub/kapurva/proxycaching.pdf}}) provides +design and implementation details. + + +H3: Proxy Cache Configuration + +The cache configuration specific directives described below must +appear after a {{EX:overlay proxycache}} directive within a +{{EX:"database meta"}} or {{EX:database ldap}} section of +the server's {{slapd.conf}}(5) file. + +H4: Setting cache parameters + +> proxyCache <DB> <maxentries> <nattrsets> <entrylimit> <period> + +This directive enables proxy caching and sets general cache +parameters. The <DB> parameter specifies which underlying database +is to be used to hold cached entries. It should be set to +{{EX:bdb}} or {{EX:hdb}}. The <maxentries> parameter specifies the +total number of entries which may be held in the cache. The +<nattrsets> parameter specifies the total number of attribute sets +(as specified by the {{EX:proxyAttrSet}} directive) that may be +defined. The <entrylimit> parameter specifies the maximum number of +entries in a cacheable query. The <period> specifies the consistency +check period (in seconds). In each period, queries with expired +TTLs are removed. + +H4: Defining attribute sets + +> proxyAttrset <index> <attrs...> + +Used to associate a set of attributes to an index. Each attribute +set is associated with an index number from 0 to <numattrsets>-1. +These indices are used by the proxyTemplate directive to define +cacheable templates. 
+
+H4: Specifying cacheable templates
+
+> proxyTemplate <prototype_string> <attrset_index> <TTL>
+
+Specifies a cacheable template and the "time to live" (in sec) <TTL>
+for queries belonging to the template. A template is described by
+its prototype filter string and set of required attributes identified
+by <attrset_index>.
+
+
+H4: Example
+
+An example {{slapd.conf}}(5) database section for a caching server
+which proxies for the {{EX:"dc=example,dc=com"}} subtree held
+at server {{EX:ldap.example.com}}.
+
+> database ldap
+> suffix "dc=example,dc=com"
+> rootdn "dc=example,dc=com"
+> uri ldap://ldap.example.com/dc=example%2cdc=com
+> overlay proxycache
+> proxycache bdb 100000 1 1000 100
+> proxyAttrset 0 mail postaladdress telephonenumber
+> proxyTemplate (sn=) 0 3600
+> proxyTemplate (&(sn=)(givenName=)) 0 3600
+> proxyTemplate (&(departmentNumber=)(secretary=*)) 0 3600
+>
+> cachesize 20
+> directory ./testrun/db.2.a
+> index objectClass eq
+> index cn,sn,uid,mail pres,eq,sub
+
+
+H5: Cacheable Queries
+
+A LDAP search query is cacheable when its filter matches one of the
+templates as defined in the "proxyTemplate" statements and when it references
+only the attributes specified in the corresponding attribute set.
+In the example above the attribute set number 0 defines that only the
+attributes: {{EX:mail postaladdress telephonenumber}} are cached for the following
+proxyTemplates.
+
+H5: Examples:
+
+> Filter: (&(sn=Richard*)(givenName=jack))
+> Attrs: mail telephoneNumber
+
+ is cacheable, because it matches the template {{EX:(&(sn=)(givenName=))}} and its
+ attributes are contained in proxyAttrset 0.
+
+> Filter: (&(sn=Richard*)(telephoneNumber))
+> Attrs: givenName
+
+ is not cacheable, because the filter does not match the template,
+ nor is the attribute givenName stored in the cache
+
+> Filter: (|(sn=Richard*)(givenName=jack))
+> Attrs: mail telephoneNumber
+
+ is not cacheable, because the filter does not match the template ( logical
+ OR "|" condition instead of logical AND "&" )
+
+
+H2: Password Policies
+
+
+H3: Overview
+
+This overlay provides a variety of password control mechanisms,
+e.g. password aging, password reuse and duplication control, mandatory
+password resets, etc.
+
+
+H3: Password Policy Configuration
+
+
+H2: Referential Integrity
+
+
+H3: Overview
+
+This overlay can be used with a backend database such as slapd-bdb (5)
+to maintain the cohesiveness of a schema which utilizes reference
+attributes.
+
+
+H3: Referential Integrity Configuration
+
+
+H2: Return Code
+
+
+H3: Overview
+
+This overlay is useful to test the behavior of clients when
+server-generated erroneous and/or unusual responses occur.
+
+
+H3: Return Code Configuration
+
+
+H2: Rewrite/Remap
+
+
+H3: Overview
+
+It performs basic DN/data rewrite and
+objectClass/attributeType mapping.
+
+
+H3: Rewrite/Remap Configuration
+
+
+H2: Sync Provider
+
+
+H3: Overview
+
+This overlay implements the provider-side support for syncrepl
+replication, including persistent search functionality
+
+
+H3: Sync Provider Configuration
+
+
+H2: Translucent Proxy
+
+
+H3: Overview
+
+This overlay can be used with a backend database such as slapd-bdb (5)
+to create a "translucent proxy".
+
+Content of entries retrieved from a remote LDAP server can be partially
+overridden by the database.
+
+
+H3: Translucent Proxy Configuration
+
+
+H2: Attribute Uniqueness
+
+
+H3: Overview
+
+This overlay can be used with a backend database such as slapd-bdb (5)
+to enforce the uniqueness of some or all attributes within a subtree.
+ + +H3: Attribute Uniqueness Configuration + + +H2: Value Sorting + + +H3: Overview + +This overlay can be used to enforce a specific order for the values +of an attribute when it is returned in a search. + + +H3: Value Sorting Configuration + + +H2: Overlay Stacking + + +H3: Overview + + +H3: Example Scenarios + + +H4: Samba diff --git a/doc/guide/admin/preface.sdf b/doc/guide/admin/preface.sdf index c3d7f320b7..83db7c7c13 100644 --- a/doc/guide/admin/preface.sdf +++ b/doc/guide/admin/preface.sdf @@ -9,7 +9,7 @@ P1: Preface # document's copyright P2[notoc] Copyright -Copyright 1998-2006, The {{ORG[expand]OLF}}, {{All Rights Reserved}}. +Copyright 1998-2007, The {{ORG[expand]OLF}}, {{All Rights Reserved}}. Copyright 1992-1996, Regents of the {{ORG[expand]UM}}, {{All Rights Reserved}}. @@ -71,5 +71,5 @@ This document was produced using the {{TERM[expand]SDF}} ({{TERM:SDF}}) documentation system ({{URL:http://search.cpan.org/src/IANC/sdf-2.001/doc/catalog.html}}) developed by {{Ian Clatworthy}}. Tools for SDF are available from -{{ORG:CPAN}} ({{URL:http://search.cpan.org/search?query=SDF}}). +{{ORG:CPAN}} ({{URL:http://search.cpan.org/search?query=SDF&mode=dist}}). diff --git a/doc/guide/admin/proxycache.sdf b/doc/guide/admin/proxycache.sdf deleted file mode 100644 index 0d4dcab72b..0000000000 --- a/doc/guide/admin/proxycache.sdf +++ /dev/null 
@@ -1,148 +0,0 @@
-# $OpenLDAP$
-# Copyright 2003-2007 The OpenLDAP Foundation, All Rights Reserved.
-# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
-
-H1: The Proxy Cache Engine
-
-{{TERM:LDAP}} servers typically hold one or more subtrees of a
-{{TERM:DIT}}. Replica (or shadow) servers hold shadow copies of
-entries held by one or more master servers. Changes are propagated
-from the master server to replica (slave) servers using LDAP Sync
-replication. An LDAP cache is a special type of replica which holds
-entries corresponding to search filters instead of subtrees.
-
-H2: Overview
-
-The proxy cache extension of slapd is designed to improve the
-responseiveness of the ldap and meta backends. It handles a search
-request (query)
-by first determining whether it is contained in any cached search
-filter. Contained requests are answered from the proxy cache's local
-database. Other requests are passed on to the underlying ldap or
-meta backend and processed as usual.
-
-E.g. {{EX:(shoesize>=9)}} is contained in {{EX:(shoesize>=8)}} and
-{{EX:(sn=Richardson)}} is contained in {{EX:(sn=Richards*)}}
-
-Correct matching rules and syntaxes are used while comparing
-assertions for query containment. To simplify the query containment
-problem, a list of cacheable "templates" (defined below) is specified
-at configuration time. A query is cached or answered only if it
-belongs to one of these templates. The entries corresponding to
-cached queries are stored in the proxy cache local database while
-its associated meta information (filter, scope, base, attributes)
-is stored in main memory.
-
-A template is a prototype for generating LDAP search requests.
-Templates are described by a prototype search filter and a list of
-attributes which are required in queries generated from the template.
-The representation for prototype filter is similar to {{REF:RFC4515}},
-except that the assertion values are missing. Examples of prototype
-filters are: (sn=),(&(sn=)(givenname=)) which are instantiated by
-search filters (sn=Doe) and (&(sn=Doe)(givenname=John)) respectively.
-
-The cache replacement policy removes the least recently used (LRU)
-query and entries belonging to only that query. Queries are allowed
-a maximum time to live (TTL) in the cache thus providing weak
-consistency. A background task periodically checks the cache for
-expired queries and removes them.
-
-The Proxy Cache paper
-({{URL:http://www.openldap.org/pub/kapurva/proxycaching.pdf}}) provides
-design and implementation details.
-
-
-H2: Proxy Cache Configuration
-
-The cache configuration specific directives described below must
-appear after a {{EX:overlay proxycache}} directive within a
-{{EX:"database meta"}} or {{EX:database ldap}} section of
-the server's {{slapd.conf}}(5) file.
-
-H3: Setting cache parameters
-
-> proxyCache <DB> <maxentries> <nattrsets> <entrylimit> <period>
-
-This directive enables proxy caching and sets general cache
-parameters. The <DB> parameter specifies which underlying database
-is to be used to hold cached entries. It should be set to
-{{EX:bdb}} or {{EX:hdb}}. The <maxentries> parameter specifies the
-total number of entries which may be held in the cache. The
-<nattrsets> parameter specifies the total number of attribute sets
-(as specified by the {{EX:proxyAttrSet}} directive) that may be
-defined. The <entrylimit> parameter specifies the maximum number of
-entries in a cachable query. The <period> specifies the consistency
-check period (in seconds). In each period, queries with expired
-TTLs are removed.
-
-H3: Defining attribute sets
-
-> proxyAttrset <index> <attrs...>
-
-Used to associate a set of attributes to an index. Each attribute
-set is associated with an index number from 0 to <numattrsets>-1.
-These indices are used by the proxyTemplate directive to define
-cacheable templates.
-
-H3: Specifying cacheable templates
-
-> proxyTemplate <prototype_string> <attrset_index> <TTL>
-
-Specifies a cacheable template and the "time to live" (in sec) <TTL>
-for queries belonging to the template. A template is described by
-its prototype filter string and set of required attributes identified
-by <attrset_index>.
-
-
-H3: Example
-
-An example {{slapd.conf}}(5) database section for a caching server
-which proxies for the {{EX:"dc=example,dc=com"}} subtree held
-at server {{EX:ldap.example.com}}.
-
-> database ldap
-> suffix "dc=example,dc=com"
-> rootdn "dc=example,dc=com"
-> uri ldap://ldap.example.com/dc=example%2cdc=com
-> overlay proxycache
-> proxycache bdb 100000 1 1000 100
-> proxyAttrset 0 mail postaladdress telephonenumber
-> proxyTemplate (sn=) 0 3600
-> proxyTemplate (&(sn=)(givenName=)) 0 3600
-> proxyTemplate (&(departmentNumber=)(secretary=*)) 0 3600
->
-> cachesize 20
-> directory ./testrun/db.2.a
-> index objectClass eq
-> index cn,sn,uid,mail pres,eq,sub
-
-
-H4: Cacheable Queries
-
-A LDAP search query is cacheable when its filter matches one of the
-templates as defined in the "proxyTemplate" statements and when it references
-only the attributes specified in the corresponding attribute set.
-In the example above the attribute set number 0 defines that only the
-attributes: {{EX:mail postaladdress telephonenumber}} are cached for the following
-proxyTemplates.
-
-H4: Examples:
-
-> Filter: (&(sn=Richard*)(givenName=jack))
-> Attrs: mail telephoneNumber
-
- is cacheable, because it matches the template {{EX:(&(sn=)(givenName=))}} and its
- attributes are contained in proxyAttrset 0.
- -> Filter: (&(sn=Richard*)(telephoneNumber)) -> Attrs: givenName - - is not cacheable, because the filter does not match the template, - nor is the attribute givenName stored in the cache - -> Filter: (|(sn=Richard*)(givenName=jack)) -> Attrs: mail telephoneNumber - - is not cacheable, because the filter does not match the template ( logical - OR "|" condition instead of logical AND "&" ) - diff --git a/doc/guide/admin/referrals.sdf b/doc/guide/admin/referrals.sdf index 0b41a2a355..8756553cb8 100644 --- a/doc/guide/admin/referrals.sdf +++ b/doc/guide/admin/referrals.sdf @@ -132,3 +132,10 @@ or with {{ldapsearch}}(1): Note: the {{EX:ref}} attribute is operational and must be explicitly requested when desired in search results. +Note: the use of referrals to construct a Distributed Directory Service is +extremely clumsy and not well supported by common clients. If an existing +installation has already been built using referrals, the use of the +{{chain}} overlay to hide the referrals will greatly improve the usability +of the Directory system. A better approach would be to use explicitly +defined local and proxy databases in {{subordinate}} configurations to +provide a seamless view of the Distributed Directory. 
diff --git a/doc/guide/admin/replication.gif b/doc/guide/admin/replication.gif deleted file mode 100644 index 70814033e541e4f7b828f7777aceadb923268931..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3538 zcmeH@`6Cky1AtK&<>*x}N<vyAQ|_Zz${Xg&eUn0txv!b4Y;$bb<j!r59SFIPP!z*! znk#2w&KWNq?(F;eJHGGv@p*oG^bPdXHJ<jf^RVx*{TCJ+izRt@mYt1_gH7(Y_+1iz z2Nvt(%<*sYfBt{qf9wE&#l{H`gVdG0M*)OnohWtq-bBIch6Ru}r5}?;l%R8zH)Z{) z5`QO&8Pt~#WPmIyod)VFhH~z>4Hg(Q5Qg*BLl|=d4MbB68<GnPc=CjnsLu)fHPA>N zBbr^3cOHBxJ4&)^fX*j{RMPN<oUxaDGD|+y>W?JoI>O{Ww*=A$P1duR4t3r`H8=8= zYae&OcBxm5TLZ1|ZpYg{&rMZ+X~zm*DKc&gHu-3H!3g(O80<zxupGoq+8ZhDHVSTB zZ$;~&G=keuk;%BPPj}U&?$eHZm92$$sD|x)J750>OyZwlDy(5=?NeEJ_M^`Bu$Q=6 zp9N~?)4lDly~(U=rd@9jzpsx~xr}sm9`ElIzeqLhJ{>;X`@R{lVdv+uaLft%s!P_| zTZjb!0htdv7l~g{0)N7VeFbgo@Nsw(&&32DS9Cr~EJ5U&>j#sj0yK!=m7gT{81gjv zPM7{tit?lv9jmYk5MyKiu})9D&n2_`QU^(*r=fNs%jw3d-qPu2T@~&bRyNc0408|6 zM5YbQKswtYVR}4ME!&%({v?SEG<AyHSWWe=ky(ognB-Y2fQzq|<@(Kt-Y<yYVptSE zci<tFpa~DX@K)k^>t)j5K~M%x2fCr}{>^}%pY@nQ)=PhMv_dTZcC#|4Fq^lKP~FU^ zbd-F?f)Yq%<Pqa_E0rYcOx$yDH^3i75{=*U`gp$f`O`;^_-;G5%IwiMw4C0cd@`d3 zVD0l7KkV<g+;}!JO1AYW^p<?Ze9<}L3qqwMsLdg7bGtT;+OcMfnu(HY<{qf}xAP~% z=u-8~!{dL8PZZ&G`8%?5f!$|Q-FLeA^fh*S*=O&%e3$}9`}KH`qjs}4sGAZUSEK#` zQ}i$={_Smwn}Yo%m2VY?Tt$!8vhM3_GP5516#GF<w-Hn9gV20w6d=7i6F+L$u{M6! 
zb{?4fA^{pY1QFttAKUhiDQ`B+c9tFq-1{r6F1CxoY)~p~YaA6sfa}LJY`tL<_XSvm zDiZ<R!!X^vd-E!bg)=cVQ<~{m)k!bQn5LOvOZQdU<$#L{^9i#|=`T1(zJo7Osnq?K ziA#1bt6LQ3E_8tQHzUeQHsy|HZ9HW|H%O*d1ZJX7kqxuzn0&DDV=4M=i`@~?r}<*B z-u2pkTyo9WP{27?W}d;N&L1Op&o^zP7K{HJLAhxkuZ7b7iTGlF?6)<k%26ABn3faM zG=1b!dvbK@c(uNssD>fqeD;kTPo+FHDOkf8w&*7z%KKVOCw@d^h{W<yoC^0IKk`Dk z@UEiH{h8eI=Y^XV8>%AZ{2bdT*15%&b>Y@O_>Iil6@@pX`|p<QR=>zfmL#$m(zO@5 zYLF+p(+46Tb*@vh@C_lUUNlGvGf@|&hQjcfx7-#~9Yh)aRV={Q*9zt`PX=z5UX+Q~ z?qWBGz6f#d%hRh?{^JddCmO#zN$BUGD)=fXxYdf}T)&E>dCG^DUVA;ICRcgqrJ}L; z&`DE|)@fZT(A|BNAu>?3_{Q9CPJ$H;(l;4Z03yXcAIm+X2<sR@pZmDVn4&)9l&9Np zFXiwx*!DTBR%NIu<K%Nb4yCiFXS|c1X4Ewqx%^awZy5r6L>@x;=YuUq=A>mS$j0b2 zMqbL`stk={a#C$!5@<xMN{LW&C4Vmzc7mv^D34@%k7=!)wZGS~#2VUTT3YL!@Tj9S zN+VUbi$jsXXhB|bEN^4+4+T(idrlUDL+<|hVIfSjE6tx5R5ma}veDEW<~O*gvseXs zs1Rw9VPRFld)3THJ8u;H+KQkwY>I8w87<J`E?+blHe#2yATu+|)T{-~+E94Pd0*XW zO<4=KNXg>M1TsE?k(_Nmo(7!Iz3wV#t9wSY-S|_LRVU62qgIEP^2EC~4MS7tW(#tc z(!HA=Sr$7?V(nGr?VPDb`L?f$vTxP}$IHf&28!N6!`@7{Gi<9+c59i|vYXRY&Mh;y z2UfG{gI4$g=Ah$0&_5c7#?9QdqDD#*U<wz*#+}17MSEH4#CivlIhO~Hj_{iA&9#L- z38bdk;-xLc`Aw+5hK19j@_y@nguGw*Ip=)eM}&zjoFjuV!bEc4p0gGR>#WMypk=>Z zPziWQyJAJ|$?7!LlDM~cWnp0e-8J)cB6_#V`Pd`7oBjar%^qEpC!YOosc_4;FZqeH z>cRUdL|vSV+9I#zP>%@EDdBi?mOo>%{mP`jMpVyN!LhjV24)f_S97T_6aJBM)&t{m zp6+KD(x*ZVNVYC;YuY}zr?t0>4bh=XuoQFY;QBOs<WedEK9Koq7lRjDk<`u|9QFQo zy*6dV+CVhRnSje~fK=b{w2uduOXW6stt!nvVj(P@8o;wBmddFY!cCoozj07JG^3_r z0n3u7%l%!7$M*MNdrv^ZAWz`6qY<8Q2`O;fniBPpMm15cxV6y--WMHvPg|s`YblRz zeEL-KC9RMJyjA*fmx{Hqs#G%hCkPQSSy`hZAJmBli<{Po^EV?SVsbB}PLF*^7<%K~ z!qf#i8uqOc^ozBurF%yP$5*`@D_$@A+CH0g*;BR3!^#H>JItwGt#3O_*(O$ZgzNfB zx{kh;zoFSNzs(gc?wqSCe|Tm305;h1;!?n%iXb&B`^h^_d0zpSE16s_%0ld2J5@F1 zUjf~PSJq5+lWt-LNTq55y(GO<Awq=+>+^LnnL^i$GkcWdBK2>PQ$aZ)<JqJob&ORF z#cuZG&hq*F5rlZCuRv$1Lh~LitteFVc8t-@Y?wjuJ%VdUK7*sBX1oI%w!tr!VCN~M zy%0ZeTSJ4nawAxMf*I1d5XqEHskpTwuddTDyM+i1qTKkhp<Z+H1+L#TV{6jYb+dj8 zVatQHq^=)i<)x~ao_vhyIq3TLa3?nBWLc&=9P1N^&>cUi&?x>sLT?*`wKT4q_x!9i 
z3jWC{bTIk!w$HRn;oeQLeP+-#8Lj!E{Wmify(qquua+6FInD>{vS#h43eeR<-2u>i zfnQyE3&pb^<*ZVBr#HFnz^et%S^oE!zy1vmYbpzSe7NiV^)r9C&gMvU6j|W%LH{+a zZ}B2bi=m&#;m=M_Jtf&hVmYRspG8}&g~xJ|qIoG6y_2y#lP?4zq5|rOGad+$SBT54 z2(c-I_yIyf1SzGCl(s{jszrm~w}4)57Pi5+0KwpO<ZTjM0fbVbM5@5`)c`0BIP5MO zrL~UIhU+{4#r=JtuL}>?hZq^WiZBwnWwIV;ik2~dWnk%LXbphb0^;pSk&f#ZYSxTh z(DBae25yviuRnrtpP@wCfVjROQDU4YL`N_@LaN^zz^(Ty0UqL|5k`3sJ_Y|PC$I(> zAJeM5|2HU*qLZYoQBFSVIU$AM6Vdecg2ybQwJqVnaCBS-+SeU}B_$l5NzA8Uy1pkO z07)>?eU@s7jaSk*GKotcnghU8gOX~wlhFs5e4zH8M}SJ>-6VosIw|(4I;7oB=@}`0 zU_Ei@Rq`<4;s^jsvr`+J(wS&Y{tP#t24QC@*m*DPg1X<Lx)L3NTRHGsvrFNIr!;5d dmeg@fNbGj2&yE*v6P^kQ!dWH?v9q(?{STAzl@$O0 diff --git a/doc/guide/admin/replication.sdf b/doc/guide/admin/replication.sdf index 5f1ba20335..0df0beab28 100644 --- a/doc/guide/admin/replication.sdf +++ b/doc/guide/admin/replication.sdf 
@@ -1,356 +1,579 @@ # $OpenLDAP$ # Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved. # COPYING RESTRICTIONS APPLY, see COPYRIGHT. -H1: Replication with slurpd -Note: this section is provided for historical reasons. {{slurpd}}(8) -is deprecated in favor of LDAP Sync based replication, commonly -referred to as {{syncrepl}}. Syncrepl is discussed in -{{SECT:LDAP Sync Replication}} section of this document. +H1: Replication -In certain configurations, a single {{slapd}}(8) instance may be -insufficient to handle the number of clients requiring -directory service via LDAP. It may become necessary to -run more than one slapd instance. At many sites, -for instance, there are multiple slapd servers: one -master and one or more slaves. {{TERM:DNS}} can be setup such that -a lookup of {{EX:ldap.example.com}} returns the {{TERM:IP}} addresses -of these servers, distributing the load among them (or -just the slaves). This master/slave arrangement provides -a simple and effective way to increase capacity, availability -and reliability. +Replicated directories are a fundamental requirement for delivering a +resilient enterprise deployment. + +OpenLDAP has various configuration options for creating a replicated +directory. The following sections will discuss these. + +H2: Replication Strategies + + +H3: Push Based + + +H5: Replacing Slurpd + +Slurpd replication has been deprecated in favor of Syncrepl replication and +has been completely removed from 2.4. + +{{Why was it replaced?}} + +The slurpd daemon was the original replication mechanism inherited from +UMich's LDAP and operates in push mode: the master pushes changes to the +slaves. 
It has been replaced for many reasons, in brief: + + * It is not reliable + * It is extremely sensitive to the ordering of records in the replog + * It can easily go out of sync, at which point manual intervention is + required to resync the slave database with the master directory + * It isn't very tolerant of unavailable servers. If a slave goes down + for a long time, the replog may grow to a size that's too large for + slurpd to process + +{{What was it replaced with?}} -{{slurpd}}(8) provides the capability for a master slapd to -propagate changes to slave slapd instances, -implementing the master/slave replication scheme -described above. slurpd runs on the same host as the -master slapd instance. +Syncrepl. +{{Why is Syncrepl better?}} + * Syncrepl is self-synchronizing; you can start with a database in any + state from totally empty to fully synced and it will automatically do + the right thing to achieve and maintain synchronization + * Syncrepl can operate in either direction + * Data updates can be minimal or maximal -H2: Overview +{{How do I implement a pushed based replication system using Syncrepl?}} -{{slurpd}}(8) provides replication services "in band". That is, it -uses the LDAP protocol to update a slave database from -the master. Perhaps the easiest way to illustrate this is -with an example. In this example, we trace the propagation -of an LDAP modify operation from its initiation by the LDAP -client to its distribution to the slave slapd instance. +The easiest way is to point an LDAP backend ({{SECT: Backends}} and {{slapd-ldap(8)}}) +to your slave directory and setup Syncrepl to point to your Master database. +REFERENCE test045/048 for better explanation of above. -{{B: Sample replication scenario:}} +If you imagine Syncrepl pulling down changes from the Master server, and then +pushing those changes out to your slave servers via {{slapd-ldap(8)}}. This is +called proxy mode (elaborate/confirm?). 
-^ The LDAP client submits an LDAP modify operation to -the slave slapd. +DIAGRAM HERE -+ The slave slapd returns a referral to the LDAP -client referring the client to the master slapd. +BETTER EXAMPLE here from test045/048 for different push/multiproxy examples. -+ The LDAP client submits the LDAP modify operation to -the master slapd. +Here's an example: -+ The master slapd performs the modify operation, -writes out the change to its replication log file and returns -a success code to the client. -+ The slurpd process notices that a new entry has -been appended to the replication log file, reads the -replication log entry, and sends the change to the slave -slapd via LDAP. +> include ./schema/core.schema +> include ./schema/cosine.schema +> include ./schema/inetorgperson.schema +> include ./schema/openldap.schema +> include ./schema/nis.schema +> +> pidfile /home/ghenry/openldap/ldap/tests/testrun/slapd.3.pid +> argsfile /home/ghenry/openldap/ldap/tests/testrun/slapd.3.args +> +> modulepath ../servers/slapd/back-bdb/ +> moduleload back_bdb.la +> modulepath ../servers/slapd/back-monitor/ +> moduleload back_monitor.la +> modulepath ../servers/slapd/overlays/ +> moduleload syncprov.la +> modulepath ../servers/slapd/back-ldap/ +> moduleload back_ldap.la +> +> # We don't need any access to this DSA +> restrict all +> +> ####################################################################### +> # consumer proxy database definitions +> ####################################################################### +> +> database ldap +> suffix "dc=example,dc=com" +> rootdn "cn=Whoever" +> uri ldap://localhost:9012/ +> +> lastmod on +> +> # HACK: use the RootDN of the monitor database as UpdateDN so ACLs apply +> # without the need to write the UpdateDN before starting replication +> acl-bind bindmethod=simple +> binddn="cn=Monitor" +> credentials=monitor +> +> # HACK: use the RootDN of the monitor database as UpdateDN so ACLs apply +> # without the need to write the UpdateDN 
before starting replication +> syncrepl rid=1 +> provider=ldap://localhost:9011/ +> binddn="cn=Manager,dc=example,dc=com" +> bindmethod=simple +> credentials=secret +> searchbase="dc=example,dc=com" +> filter="(objectClass=*)" +> attrs="*,structuralObjectClass,entryUUID,entryCSN,creatorsName,createTimestamp,modifiersName,modifyTimestamp" +> schemachecking=off +> scope=sub +> type=refreshAndPersist +> retry="5 5 300 5" +> +> overlay syncprov +> +> database monitor + +DETAILED EXPLANATION OF ABOVE LIKE IN OTHER SECTIONS (line numbers?) + + +ANOTHER DIAGRAM HERE + +As you can see, you can let your imagination go wild using Syncrepl and +{{slapd-ldap(8)}} tailoring your replication to fit your specific network +topology. + +H3: Pull Based + + +H4: syncrepl replication + + +H4: delta-syncrepl replication + + +H2: Replication Types + + +H3: syncrepl replication + + +H3: delta-syncrepl replication + + +H3: N-Way Multi-Master + +http://www.connexitor.com/blog/pivot/entry.php?id=105#body +http://www.openldap.org/lists/openldap-software/200702/msg00006.html +http://www.openldap.org/lists/openldap-software/200602/msg00064.html + + +H3: MirrorMode + +MirrorMode is a hybrid configuration that provides all of the consistency +guarantees of single-master replication while also providing the high +availability of multi-master. In MirrorMode two masters are set up to +replicate from each other (as a multi-master configuration) but an +external frontend is employed to direct all writes to only one of +the two servers. The second master will only be used for writes if +the first master crashes, at which point the frontend will switch to +directing all writes to the second master. When a crashed master is +repaired and restarted it will automatically catch up to any changes +on the running master and resync. 
+
+H2: LDAP Sync Replication
+
+The {{TERM:LDAP Sync}} Replication engine, {{TERM:syncrepl}} for
+short, is a consumer-side replication engine that enables the
+consumer {{TERM:LDAP}} server to maintain a shadow copy of a
+{{TERM:DIT}} fragment. A syncrepl engine resides at the consumer-side
+as one of the {{slapd}}(8) threads. It creates and maintains a
+consumer replica by connecting to the replication provider to perform
+the initial DIT content load followed either by periodic content
+polling or by timely updates upon content changes.
+
+Syncrepl uses the LDAP Content Synchronization (or LDAP Sync for
+short) protocol as the replica synchronization protocol. It provides
+a stateful replication which supports both pull-based and push-based
+synchronization and does not mandate the use of a history store.
+
+Syncrepl keeps track of the status of the replication content by
+maintaining and exchanging synchronization cookies. Because the
+syncrepl consumer and provider maintain their content status, the
+consumer can poll the provider content to perform incremental
+synchronization by asking for the entries required to make the
+consumer replica up-to-date with the provider content. Syncrepl
+also enables convenient management of replicas by maintaining replica
+status. The consumer replica can be constructed from a consumer-side
+or a provider-side backup at any synchronization status. Syncrepl
+can automatically resynchronize the consumer replica up-to-date
+with the current provider content.
+
+Syncrepl supports both pull-based and push-based synchronization.
+In its basic refreshOnly synchronization mode, the provider uses
+pull-based synchronization where the consumer servers need not be
+tracked and no history information is maintained. The information
+required for the provider to process periodic polling requests is
+contained in the synchronization cookie of the request itself. To
+optimize the pull-based synchronization, syncrepl utilizes the
+present phase of the LDAP Sync protocol as well as its delete phase,
+instead of falling back on frequent full reloads. To further optimize
+the pull-based synchronization, the provider can maintain a per-scope
+session log as a history store. In its refreshAndPersist mode of
+synchronization, the provider uses a push-based synchronization.
+The provider keeps track of the consumer servers that have requested
+a persistent search and sends them necessary updates as the provider
+replication content gets modified.
+
+With syncrepl, a consumer server can create a replica without
+changing the provider's configurations and without restarting the
+provider server, if the consumer server has appropriate access
+privileges for the DIT fragment to be replicated. The consumer
+server can stop the replication also without the need for provider-side
+changes and restart.
+
+Syncrepl supports both partial and sparse replications. The shadow
+DIT fragment is defined by a general search criteria consisting of
+base, scope, filter, and attribute list. The replica content is
+also subject to the access privileges of the bind identity of the
+syncrepl replication connection.
+
+
+H3: The LDAP Content Synchronization Protocol
+
+The LDAP Sync protocol allows a client to maintain a synchronized
+copy of a DIT fragment. The LDAP Sync operation is defined as a set
+of controls and other protocol elements which extend the LDAP search
+operation. This section introduces the LDAP Content Sync protocol
+only briefly. For more information, refer to {{REF:RFC4533}}.
+
+The LDAP Sync protocol supports both polling and listening for
+changes by defining two respective synchronization operations:
+{{refreshOnly}} and {{refreshAndPersist}}. Polling is implemented
+by the {{refreshOnly}} operation. The client copy is synchronized
+to the server copy at the time of polling. The server finishes the
+search operation by returning {{SearchResultDone}} at the end of
+the search operation as in the normal search. The listening is
+implemented by the {{refreshAndPersist}} operation. Instead of
+finishing the search after returning all entries currently matching
+the search criteria, the synchronization search remains persistent
+in the server. Subsequent updates to the synchronization content
+in the server cause additional entry updates to be sent to the
+client.
+
+The {{refreshOnly}} operation and the refresh stage of the
+{{refreshAndPersist}} operation can be performed with a present
+phase or a delete phase.
+
+In the present phase, the server sends the client the entries updated
+within the search scope since the last synchronization. The server
+sends all requested attributes, be it changed or not, of the updated
+entries. For each unchanged entry which remains in the scope, the
+server sends a present message consisting only of the name of the
+entry and the synchronization control representing state present.
+The present message does not contain any attributes of the entry.
+After the client receives all update and present entries, it can
+reliably determine the new client copy by adding the entries added
+to the server, by replacing the entries modified at the server, and
+by deleting entries in the client copy which have not been updated
+nor specified as being present at the server.
+
+The transmission of the updated entries in the delete phase is the
+same as in the present phase. The server sends all the requested
+attributes of the entries updated within the search scope since the
+last synchronization to the client. In the delete phase, however,
+the server sends a delete message for each entry deleted from the
+search scope, instead of sending present messages. The delete
+message consists only of the name of the entry and the synchronization
+control representing state delete. The new client copy can be
+determined by adding, modifying, and removing entries according to
+the synchronization control attached to the {{SearchResultEntry}}
+message.
+
+In the case that the LDAP Sync server maintains a history store and
+can determine which entries are scoped out of the client copy since
+the last synchronization time, the server can use the delete phase.
+If the server does not maintain any history store, cannot determine
+the scoped-out entries from the history store, or the history store
+does not cover the outdated synchronization state of the client,
+the server should use the present phase. The use of the present
+phase is much more efficient than a full content reload in terms
+of the synchronization traffic. To reduce the synchronization
+traffic further, the LDAP Sync protocol also provides several
+optimizations such as the transmission of the normalized {{EX:entryUUID}}s
+and the transmission of multiple {{EX:entryUUIDs}} in a single
+{{syncIdSet}} message.
+
+At the end of the {{refreshOnly}} synchronization, the server sends
+a synchronization cookie to the client as a state indicator of the
+client copy after the synchronization is completed. The client
+will present the received cookie when it requests the next incremental
+synchronization to the server.
+
+When {{refreshAndPersist}} synchronization is used, the server sends
+a synchronization cookie at the end of the refresh stage by sending
+a Sync Info message with TRUE refreshDone. It also sends a
+synchronization cookie by attaching it to {{SearchResultEntry}}
+generated in the persist stage of the synchronization search. During
+the persist stage, the server can also send a Sync Info message
+containing the synchronization cookie at any time the server wants
+to update the client-side state indicator. The server also updates
+a synchronization indicator of the client at the end of the persist
+stage.
+ +In the LDAP Sync protocol, entries are uniquely identified by the +{{EX:entryUUID}} attribute value. It can function as a reliable +identifier of the entry. The DN of the entry, on the other hand, +can be changed over time and hence cannot be considered as the +reliable identifier. The {{EX:entryUUID}} is attached to each +{{SearchResultEntry}} or {{SearchResultReference}} as a part of the +synchronization control. + + +H3: Syncrepl Details + +The syncrepl engine utilizes both the {{refreshOnly}} and the +{{refreshAndPersist}} operations of the LDAP Sync protocol. If a +syncrepl specification is included in a database definition, +{{slapd}}(8) launches a syncrepl engine as a {{slapd}}(8) thread +and schedules its execution. If the {{refreshOnly}} operation is +specified, the syncrepl engine will be rescheduled at the interval +time after a synchronization operation is completed. If the +{{refreshAndPersist}} operation is specified, the engine will remain +active and process the persistent synchronization messages from the +provider. + +The syncrepl engine utilizes both the present phase and the delete +phase of the refresh synchronization. It is possible to configure +a per-scope session log in the provider server which stores the +{{EX:entryUUID}}s of a finite number of entries deleted from a +replication content. Multiple replicas of single provider content +share the same per-scope session log. The syncrepl engine uses the +delete phase if the session log is present and the state of the +consumer server is recent enough that no session log entries are +truncated after the last synchronization of the client. The syncrepl +engine uses the present phase if no session log is configured for +the replication content or if the consumer replica is too outdated +to be covered by the session log. The current design of the session +log store is memory based, so the information contained in the +session log is not persistent over multiple provider invocations. 
+It is not currently supported to access the session log store by
+using LDAP operations. It is also not currently supported to impose
+access control to the session log.
+
+As a further optimization, even in the case the synchronization
+search is not associated with any session log, no entries will be
+transmitted to the consumer server when there has been no update
+in the replication context.
+
+The syncrepl engine, which is a consumer-side replication engine,
+can work with any backends. The LDAP Sync provider can be configured
+as an overlay on any backend, but works best with the {{back-bdb}}
+or {{back-hdb}} backend.
+
+The LDAP Sync provider maintains a {{EX:contextCSN}} for each
+database as the current synchronization state indicator of the
+provider content. It is the largest {{EX:entryCSN}} in the provider
+context such that no transactions for an entry having smaller
+{{EX:entryCSN}} value remains outstanding. The {{EX:contextCSN}}
+could not just be set to the largest issued {{EX:entryCSN}} because
+{{EX:entryCSN}} is obtained before a transaction starts and
+transactions are not committed in the issue order.
+
+The provider stores the {{EX:contextCSN}} of a context in the
+{{EX:contextCSN}} attribute of the context suffix entry. The attribute
+is not written to the database after every update operation though;
+instead it is maintained primarily in memory. At database start
+time the provider reads the last saved {{EX:contextCSN}} into memory
+and uses the in-memory copy exclusively thereafter. By default,
+changes to the {{EX:contextCSN}} as a result of database updates
+will not be written to the database until the server is cleanly
+shut down. A checkpoint facility exists to cause the contextCSN to
+be written out more frequently if desired.
+
+Note that at startup time, if the provider is unable to read a
+{{EX:contextCSN}} from the suffix entry, it will scan the entire
+database to determine the value, and this scan may take quite a
+long time on a large database. When a {{EX:contextCSN}} value is
+read, the database will still be scanned for any {{EX:entryCSN}}
+values greater than it, to make sure the {{EX:contextCSN}} value
+truly reflects the greatest committed {{EX:entryCSN}} in the database.
+On databases which support inequality indexing, setting an eq index
+on the {{EX:entryCSN}} attribute and configuring {{contextCSN}}
+checkpoints will greatly speed up this scanning step.
+
+If no {{EX:contextCSN}} can be determined by reading and scanning
+the database, a new value will be generated. Also, if scanning the
+database yielded a greater {{EX:entryCSN}} than was previously
+recorded in the suffix entry's {{EX:contextCSN}} attribute, a
+checkpoint will be immediately written with the new value.
+
+The consumer also stores its replica state, which is the provider's
+{{EX:contextCSN}} received as a synchronization cookie, in the
+{{EX:contextCSN}} attribute of the suffix entry. The replica state
+maintained by a consumer server is used as the synchronization state
+indicator when it performs subsequent incremental synchronization
+with the provider server. It is also used as a provider-side
+synchronization state indicator when it functions as a secondary
+provider server in a cascading replication configuration. Since
+the consumer and provider state information are maintained in the
+same location within their respective databases, any consumer can
+be promoted to a provider (and vice versa) without any special
+actions.
+
+Because a general search filter can be used in the syncrepl
+specification, some entries in the context may be omitted from the
+synchronization content.
The syncrepl engine creates a glue entry
+to fill in the holes in the replica context if any part of the
+replica content is subordinate to the holes. The glue entries will
+not be returned in the search result unless {{ManageDsaIT}} control
+is provided.
+
+Also as a consequence of the search filter used in the syncrepl
+specification, it is possible for a modification to remove an entry
+from the replication scope even though the entry has not been deleted
+on the provider. Logically the entry must be deleted on the consumer
+but in {{refreshOnly}} mode the provider cannot detect and propagate
+this change without the use of the session log.
+
+
+H3: Configuring Syncrepl
+
+Because syncrepl is a consumer-side replication engine, the syncrepl
+specification is defined in {{slapd.conf}}(5) of the consumer
+server, not in the provider server's configuration file. The initial
+loading of the replica content can be performed either by starting
+the syncrepl engine with no synchronization cookie or by populating
+the consumer replica by adding an {{TERM:LDIF}} file dumped as a
+backup at the provider.
+
+When loading from a backup, it is not required to perform the initial
+loading from the up-to-date backup of the provider content. The
+syncrepl engine will automatically synchronize the initial consumer
+replica to the current provider content. As a result, it is not
+required to stop the provider server in order to avoid the replica
+inconsistency caused by the updates to the provider content during
+the content backup and loading process.
+
+When replicating a large scale directory, especially in a bandwidth
+constrained environment, it is advised to load the consumer replica
+from a backup instead of performing a full initial load using
+syncrepl.
+
+
+H4: Set up the provider slapd
+
+The provider is implemented as an overlay, so the overlay itself
+must first be configured in {{slapd.conf}}(5) before it can be
+used.
The provider has only two configuration directives, for setting
+checkpoints on the {{EX:contextCSN}} and for configuring the session
+log. Because the LDAP Sync search is subject to access control,
+proper access control privileges should be set up for the replicated
+content.
+
+The {{EX:contextCSN}} checkpoint is configured by the
+
+> syncprov-checkpoint <ops> <minutes>
+
+directive. Checkpoints are only tested after successful write
+operations. If {{<ops>}} operations or more than {{<minutes>}}
+time has passed since the last checkpoint, a new checkpoint is
+performed.
+
+The session log is configured by the
+
+> syncprov-sessionlog <size>
+
+directive, where {{<size>}} is the maximum number of session log
+entries the session log can record. When a session log is configured,
+it is automatically used for all LDAP Sync searches within the
+database.
+
+Note that using the session log requires searching on the {{entryUUID}}
+attribute. Setting an eq index on this attribute will greatly benefit
+the performance of the session log on the provider.
+
+A more complete example of the {{slapd.conf}}(5) content is thus:
+
+> database bdb
+> suffix dc=Example,dc=com
+> rootdn dc=Example,dc=com
+> directory /var/ldap/db
+> index objectclass,entryCSN,entryUUID eq
+>
+> overlay syncprov
+> syncprov-checkpoint 100 10
+> syncprov-sessionlog 100
+
+
+H4: Set up the consumer slapd
+
+The syncrepl replication is specified in the database section of
+{{slapd.conf}}(5) for the replica context. The syncrepl engine
+is backend independent and the directive can be defined with any
+database type.
+
+> database hdb
+> suffix dc=Example,dc=com
+> rootdn dc=Example,dc=com
+> directory /var/ldap/db
+> index objectclass,entryCSN,entryUUID eq
+>
+> syncrepl rid=123
+> provider=ldap://provider.example.com:389
+> type=refreshOnly
+> interval=01:00:00:00
+> searchbase="dc=example,dc=com"
+> filter="(objectClass=organizationalPerson)"
+> scope=sub
+> attrs="cn,sn,ou,telephoneNumber,title,l"
+> schemachecking=off
+> bindmethod=simple
+> binddn="cn=syncuser,dc=example,dc=com"
+> credentials=secret
+
+In this example, the consumer will connect to the provider {{slapd}}(8)
+at port 389 of {{FILE:ldap://provider.example.com}} to perform a
+polling ({{refreshOnly}}) mode of synchronization once a day. It
+will bind as {{EX:cn=syncuser,dc=example,dc=com}} using simple
+authentication with password "secret". Note that the access control
+privilege of {{EX:cn=syncuser,dc=example,dc=com}} should be set
+appropriately in the provider to retrieve the desired replication
+content. Also the search limits must be high enough on the provider
+to allow the syncuser to retrieve a complete copy of the requested
+content. The consumer uses the rootdn to write to its database so
+it always has full permissions to write all content.
+
+The synchronization search in the above example will search for the
+entries whose objectClass is organizationalPerson in the entire
+subtree rooted at {{EX:dc=example,dc=com}}. The requested attributes
+are {{EX:cn}}, {{EX:sn}}, {{EX:ou}}, {{EX:telephoneNumber}},
+{{EX:title}}, and {{EX:l}}. The schema checking is turned off, so
+that the consumer {{slapd}}(8) will not enforce entry schema
+checking when it process updates from the provider {{slapd}}(8).
+
+For more detailed information on the syncrepl directive, see the
+{{SECT:syncrepl}} section of {{SECT:The slapd Configuration File}}
+chapter of this admin guide.
+
+
+H4: Start the provider and the consumer slapd
+
+The provider {{slapd}}(8) is not required to be restarted.
+{{contextCSN}} is automatically generated as needed: it might be +originally contained in the {{TERM:LDIF}} file, generated by +{{slapadd}} (8), generated upon changes in the context, or generated +when the first LDAP Sync search arrives at the provider. If an +LDIF file is being loaded which did not previously contain the +{{contextCSN}}, the {{-w}} option should be used with {{slapadd}} +(8) to cause it to be generated. This will allow the server to +startup a little quicker the first time it runs. + +When starting a consumer {{slapd}}(8), it is possible to provide +a synchronization cookie as the {{-c cookie}} command line option +in order to start the synchronization from a specific state. The +cookie is a comma separated list of name=value pairs. Currently +supported syncrepl cookie fields are {{csn=<csn>}} and {{rid=<rid>}}. +{{<csn>}} represents the current synchronization state of the +consumer replica. {{<rid>}} identifies a consumer replica locally +within the consumer server. It is used to relate the cookie to the +syncrepl definition in {{slapd.conf}}(5) which has the matching +replica identifier. The {{<rid>}} must have no more than 3 decimal +digits. The command line cookie overrides the synchronization +cookie stored in the consumer replica database. + + +H2: N-Way Multi-Master + + +H2: MirrorMode -+ The slave slapd performs the modify operation and -returns a success code to the slurpd process. - - -Note: {{ldapmodify}}(1) and other clients distributed as part of -OpenLDAP Software do not support automatic referral chasing -(for security reasons). - - - -H2: Replication Logs - -When slapd is configured to generate a replication logfile, it -writes out a file containing {{TERM:LDIF}} change records. The -replication log gives the replication site(s), a timestamp, the DN -of the entry being modified, and a series of lines which specify -the changes to make. In the example below, Barbara ({{EX:uid=bjensen}}) -has replaced the {{EX:description}} value. 
The change is to be -propagated to the slapd instance running on {{EX:slave.example.net}} -Changes to various operational attributes, such as {{EX:modifiersName}} -and {{EX:modifyTimestamp}}, are included in the change record and -will be propagated to the slave slapd. - -> replica: slave.example.com:389 -> time: 809618633 -> dn: uid=bjensen,dc=example,dc=com -> changetype: modify -> replace: multiLineDescription -> description: A dreamer... -> - -> replace: modifiersName -> modifiersName: uid=bjensen,dc=example,dc=com -> - -> replace: modifyTimestamp -> modifyTimestamp: 20000805073308Z -> - - -The modifications to {{EX:modifiersName}} and {{EX:modifyTimestamp}} -operational attributes were added by the master {{slapd}}. - - - -H2: Command-Line Options - -This section details commonly used {{slurpd}}(8) command-line options. - -> -d <level> | ? - -This option sets the slurpd debug level to {{EX: <level>}}. When -level is a `?' character, the various debugging levels are printed -and slurpd exits, regardless of any other options you give it. -Current debugging levels (a subset of slapd's debugging levels) are - -!block table; colaligns="RL"; align=Center; \ - title="Table 13.1: Debugging Levels" -Level Description -4 heavy trace debugging -64 configuration file processing -65535 enable all debugging -!endblock - -Debugging levels are additive. That is, if you want heavy trace -debugging and want to watch the config file being processed, you -would set level to the sum of those two levels (in this case, 68). - -> -f <filename> - -This option specifies an alternate slapd configuration file. Slurpd -does not have its own configuration file. Instead, all configuration -information is read from the slapd configuration file. - -> -r <filename> - -This option specifies an alternate slapd replication log file. -Under normal circumstances, slurpd reads the name of the slapd -replication log file from the slapd configuration file. 
However, -you can override this with the -r flag, to cause slurpd to process -a different replication log file. See the {{SECT:Advanced slurpd -Operation}} section for a discussion of how you might use this -option. - -> -o - -Operate in "one-shot" mode. Under normal circumstances, when slurpd -finishes processing a replication log, it remains active and -periodically checks to see if new entries have been added to the -replication log. In one-shot mode, by comparison, slurpd processes -a replication log and exits immediately. If the -o option is given, -the replication log file must be explicitly specified with the -r -option. See the {{SECT:One-shot mode and reject files}} section -for a discussion of this mode. - -> -t <directory> - -Specify an alternate directory for slurpd's temporary copies of -replication logs. The default location is {{F:/usr/tmp}}. - - -H2: Configuring slurpd and a slave slapd instance - -To bring up a replica slapd instance, you must configure the master -and slave slapd instances for replication, then shut down the master -slapd so you can copy the database. Finally, you bring up the master -slapd instance, the slave slapd instance, and the slurpd instance. -These steps are detailed in the following sections. You can set up -as many slave slapd instances as you wish. - - -H3: Set up the master {{slapd}} - -The following section assumes you have a properly working {{slapd}}(8) -instance. To configure your working {{slapd}}(8) server as a -replication master, you need to make the following changes to your -{{slapd.conf}}(5). - -^ Add a {{EX:replica}} directive for each replica. The {{EX:binddn=}} -parameter should match the {{EX:updatedn}} option in the corresponding -slave slapd configuration file, and should name an entry with write -permission to the slave database (e.g., an entry allowed access via -{{EX:access}} directives in the slave slapd configuration file). 
-This DN generally {{should not}} be the same as the master's -{{EX:rootdn}}. - -+ Add a {{EX:replogfile}} directive, which tells slapd where to log -changes. This file will be read by slurpd. - - -H3: Set up the slave {{slapd}} - -Install the slapd software on the host which is to be the slave -slapd server. The configuration of the slave server should be -identical to that of the master, with the following exceptions: - -^ Do not include a {{EX:replica}} directive. While it is possible -to create "chains" of replicas, in most cases this is inappropriate. - -+ Do not include a {{EX:replogfile}} directive. - -+ Do include an {{EX:updatedn}} line. The DN given should match the -DN given in the {{EX:binddn=}} parameter of the corresponding -{{EX:replica=}} directive in the master slapd config file. The -{{EX:updatedn}} generally {{should not}} be the same as the -{{EX:rootdn}} of the master database. - -+ Make sure the DN given in the {{EX:updatedn}} directive has -permission to write the database (e.g., it is is allowed {{EX:access}} -by one or more access directives). - -+ Use the {{EX:updateref}} directive to define the URL the slave -should return if an update request is received. - - -H3: Shut down the master server - -In order to ensure that the slave starts with an exact copy of the -master's data, you must shut down the master slapd. Do this by -sending the master slapd process an interrupt signal with -{{EX:kill -INT <pid>}}, where {{EX:<pid>}} is the process-id of the master -slapd process. - -If you like, you may restart the master slapd in read-only mode -while you are replicating the database. During this time, the master -slapd will return an "unwilling to perform" error to clients that -attempt to modify data. - - -H3: Copy the master slapd's database to the slave - -Copy the master's database(s) to the slave. 
For {{TERM:BDB}} and -{{TERM:HDB}} databases, you must copy all database files located -in the database {{EX:directory}} specified in {{slapd.conf}}(5). -In general, you should copy each file found in the database {{EX: -directory}} unless you know it is not used by {{slapd}}(8). - -Note: This copy process assumes homogeneous servers with identically -configured OpenLDAP installations. Alternatively, you may use -{{slapcat}} to output the master's database in LDIF format and use -the LDIF with {{slapadd}} to populate the slave. Using LDIF avoids -any potential incompatibilities due to differing server architectures -or software configurations. See the {{SECT:Database Creation and -Maintenance Tools}} chapter for details on these tools. - - -H3: Configure the master slapd for replication - -To configure slapd to generate a replication logfile, you add a -"{{EX: replica}}" configuration option to the master slapd's config -file. For example, if we wish to propagate changes to the slapd -instance running on host {{EX:slave.example.com}}: - -> replica uri=ldap://slave.example.com:389 -> binddn="cn=Replicator,dc=example,dc=com" -> bindmethod=simple credentials=secret - -In this example, changes will be sent to port 389 (the standard -LDAP port) on host slave.example.com. The slurpd process will bind -to the slave slapd as "{{EX:cn=Replicator,dc=example,dc=com}}" using -simple authentication with password "{{EX:secret}}". 
- -If we wish to perform the same replication using ldaps on port 636: - -> replica uri=ldaps://slave.example.com:636 -> binddn="cn=Replicator,dc=example,dc=com" -> bindmethod=simple credentials=secret - -The host option is deprecated in favor of uri, but the following -replica configuration is still supported: - -> replica host=slave.example.com:389 -> binddn="cn=Replicator,dc=example,dc=com" -> bindmethod=simple credentials=secret - -Note that the DN given by the {{EX:binddn=}} directive must exist -in the slave slapd's database (or be the rootdn specified in the -slapd config file) in order for the bind operation to succeed. The -DN should also be listed as the {{EX:updatedn}} for the database -in the slave's slapd.conf(5). It is generally recommended that -this DN be different than the {{EX:rootdn}} of the master database. - -Note: The use of strong authentication and transport security is -highly recommended. - - -H3: Restart the master slapd and start the slave slapd - -Restart the master slapd process. To check that it is -generating replication logs, perform a modification of any -entry in the database, and check that data has been -written to the log file. - - -H3: Start slurpd - -Start the slurpd process. Slurpd should immediately send -the test modification you made to the slave slapd. Watch -the slave slapd's logfile to be sure that the modification -was sent. - -> slurpd -f <masterslapdconfigfile> - - - -H2: Advanced slurpd Operation - -H3: Replication errors - -When slurpd propagates a change to a slave slapd and receives an -error return code, it writes the reason for the error and the -replication record to a reject file. The reject file is located in -the same directory as the per-replica replication logfile, and has -the same name, but with the string "{{F:.rej}}" appended. 
For -example, for a replica running on host {{EX:slave.example.com}}, -port 389, the reject file, if it exists, will be named - -> /usr/local/var/openldap/replog.slave.example.com:389.rej - -A sample rejection log entry follows: - -> ERROR: No such attribute -> replica: slave.example.com:389 -> time: 809618633 -> dn: uid=bjensen,dc=example,dc=com -> changetype: modify -> replace: description -> description: A dreamer... -> - -> replace: modifiersName -> modifiersName: uid=bjensen,dc=example,dc=com -> - -> replace: modifyTimestamp -> modifyTimestamp: 20000805073308Z -> - - -Note that this is precisely the same format as the original replication -log entry, but with an {{EX:ERROR}} line prepended to the entry. - - - -H3: One-shot mode and reject files - -It is possible to use slurpd to process a rejection log with its -"one-shot mode." In normal operation, slurpd watches for more -replication records to be appended to the replication log file. In -one-shot mode, by contrast, slurpd processes a single log file and -exits. Slurpd ignores {{EX:ERROR}} lines at the beginning of -replication log entries, so it's not necessary to edit them out -before feeding it the rejection log. - -To use one-shot mode, specify the name of the rejection log on the -command line as the argument to the -r flag, and specify one-shot -mode with the -o flag. For example, to process the rejection log -file {{F:/usr/local/var/openldap/replog.slave.example.com:389}} and -exit, use the command - -> slurpd -r /usr/tmp/replog.slave.example.com:389 -o diff --git a/doc/guide/admin/runningslapd.sdf b/doc/guide/admin/runningslapd.sdf index c96eaf0686..54a4145c80 100644 --- a/doc/guide/admin/runningslapd.sdf +++ b/doc/guide/admin/runningslapd.sdf 
@@ -104,9 +104,9 @@ H2: Starting slapd In general, slapd is run like this: -> /usr/local/etc/libexec/slapd [<option>]* +> /usr/local/libexec/slapd [<option>]* -where {{F:/usr/local/etc/libexec}} is determined by {{EX:configure}} +where {{F:/usr/local/libexec}} is determined by {{EX:configure}} and <option> is one of the options described above (or in {{slapd}}(8)). Unless you have specified a debugging level (including level {{EX:0}}), slapd will automatically fork and detach itself from its controlling diff --git a/doc/guide/admin/sasl.sdf b/doc/guide/admin/sasl.sdf index a67298e11a..5f30dc6bc2 100644 --- a/doc/guide/admin/sasl.sdf +++ b/doc/guide/admin/sasl.sdf @@ -1,3 +1,4 @@ +# $OpenLDAP$ # Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved. # COPYING RESTRICTIONS APPLY, see COPYRIGHT. @@ -352,7 +353,7 @@ allows zero or more repeats of the immediately preceding character or pattern, and terms in parenthesis are remembered for the replacement pattern. -The replacement pattern will produce either a DN or URL refering +The replacement pattern will produce either a DN or URL referring to the user. Anything from the authentication request DN that matched a string in parenthesis in the search pattern is stored in the variable "$1". That variable "$1" can appear in the replacement @@ -542,7 +543,7 @@ database could then be only allowed by that DN, and in order to become that DN, users must first authenticate as one of the persons on the list. This allows for better auditing of who made changes to the LDAP database. If people were allowed to authenticate -directly to the priviliged account, possibly through the {{EX:rootpw}} +directly to the privileged account, possibly through the {{EX:rootpw}} {{slapd.conf}}(5) directive or through a {{EX:userPassword}} attribute, then auditing becomes more difficult. 
@@ -576,7 +577,7 @@ or In the first form, the <username> is from the same namespace as the authentication identities above. It is the user's username as -it is refered to by the underlying authentication mechanism. +it is referred to by the underlying authentication mechanism. Authorization identities of this form are converted into a DN format by the same function that the authentication process used, producing an {{authorization request DN}} of the form @@ -617,7 +618,7 @@ authentication DN entry, and if none of the {{EX:authzTo}} rules specify the authorization is permitted, the {{EX:authzFrom}} rules in the authorization DN entry are then checked. If neither case specifies that the request be honored, the request is denied. -Since the default behaviour is to deny authorization requests, rules +Since the default behavior is to deny authorization requests, rules only specify that a request be allowed; there are no negative rules telling what authorizations to deny. @@ -661,7 +662,7 @@ comparison can be evaluated much faster than an LDAP search for Also note that the values in an authorization rule must be one of the two forms: an LDAP URL or a DN (with or without regular expression characters). Anything that does not begin with "{{EX:ldap://}}" is -taken as a DN. It is not permissable to enter another authorization +taken as a DN. It is not permissible to enter another authorization identity of the form "{{EX:u:<username>}}" as an authorization rule. 
@@ -679,14 +680,14 @@ should be allowed to perform the proxy authorization. By default, processing of proxy authorization rules is disabled. The {{EX:authz-policy}} directive must be set in the {{slapd.conf}}(5) file to enable authorization. This directive can -be set to {{EX:none}} for no rules (the default), {{EX:from}} for -source rules, {{EX:to}} for destination rules, or {{EX:both}} for +be set to {{EX:none}} for no rules (the default), {{EX:to}} for +source rules, {{EX:from}} for destination rules, or {{EX:both}} for both source and destination rules. -Destination rules are extremely powerful. If ordinary users have +Source rules are extremely powerful. If ordinary users have access to write the {{EX:authzTo}} attribute in their own entries, then they can write rules that would allow them to authorize -as anyone else. As such, when using destination rules, the +as anyone else. As such, when using source rules, the {{EX:authzTo}} attribute should be protected with an ACL that only allows privileged users to set its values. diff --git a/doc/guide/admin/schema.sdf b/doc/guide/admin/schema.sdf index d27f6a50b2..543aaf7167 100644 --- a/doc/guide/admin/schema.sdf +++ b/doc/guide/admin/schema.sdf @@ -5,7 +5,7 @@ H1: Schema Specification This chapter describes how to extend the user schema used by -{{slapd}}(8). The chapter assumes the reader is familar with the +{{slapd}}(8). The chapter assumes the reader is familiar with the {{TERM:LDAP}}/{{TERM:X.500}} information model. The first section, {{SECT:Distributed Schema Files}} details optional @@ -72,7 +72,7 @@ matching rules and system schema, but this requires some programming and hence is not discussed here. There are five steps to defining new schema: -^ obtain Object Identifer +^ obtain Object Identifier + choose a name prefix + create local schema file + define custom attribute types (if necessary) 
@@ -102,28 +102,18 @@ OID Assignment !endblock You are, of course, free to design a hierarchy suitable to your -organizational needs under your organization's OID. No matter what -hierarchy you choose, you should maintain a registry of assignments -you make. This can be a simple flat file or something more -sophisticated such as the {{OpenLDAP OID Registry}} -({{URL:http://www.openldap.org/faq/index.cgi?file=197}}). +organizational needs under your organization's OID. No matter what hierarchy you choose, you should maintain a registry of assignments you make. This can be a simple flat file or something more sophisticated such as the {{OpenLDAP OID Registry}} ({{URL:http://www.openldap.org/faq/index.cgi?file=197}}). -For more information about Object Identifers (and a listing service) +For more information about Object Identifiers (and a listing service) see {{URL:http://www.alvestrand.no/harald/objectid/}}. .{{Under no circumstances should you hijack OID namespace!}} -To obtain a registered OID at {{no cost}}, apply for an OID under -the {{ORG[expand]IANA}} (ORG:IANA) maintained {{Private Enterprise}} -arc. Any private enterprise (organization) may request an OID to -be assigned under this arc. Just fill out the IANA form -at {{URL: http://www.iana.org/cgi-bin/enterprise.pl}} and your -official OID will be sent to you usually within a few days. Your -base OID will be something like {{EX:1.3.6.1.4.1.X}} where {{EX:X}} -is an integer. - -Note: Don't let the "MIB/SNMP" statement on the IANA page confuse -you. OIDs obtained using this form may be used for any purpose +To obtain a registered OID at {{no cost}}, apply for a OID +under the {{ORG[expand]IANA}} (ORG:IANA) maintained {{Private Enterprise}} arc. +Any private enterprise (organization) may request a {{TERM[expand]PEN}} (PEN) to be assigned under this arc. Just fill out the IANA form at {{URL: http://pen.iana.org/pen/PenApplication.page}} and your official PEN will be sent to you usually within a few days. 
Your base OID will be something like {{EX:1.3.6.1.4.1.X}} where {{EX:X}} is an integer. + +Note: PENs obtained using this form may be used for any purpose including identifying LDAP schema elements. Alternatively, OID name space may be available from a national @@ -140,7 +130,7 @@ prefixed with "x-" to place in the "private use" name space. The name should be both descriptive and not likely to clash with names of other schema elements. In particular, any name you choose should not clash with present or future Standard Track names (this -is assured if you registered names or use names begining with "x-"). +is assured if you registered names or use names beginning with "x-"). It is noted that you can obtain your own registered name prefix so as to avoid having to register your names individually. @@ -248,7 +238,7 @@ distinguishedName 1.3.6.1.4.1.1466.115.121.1.12 LDAP {{TERM:DN}} integer 1.3.6.1.4.1.1466.115.121.1.27 integer numericString 1.3.6.1.4.1.1466.115.121.1.36 numeric string OID 1.3.6.1.4.1.1466.115.121.1.38 object identifier -octetString 1.3.6.1.4.1.1466.115.121.1.40 arbitary octets +octetString 1.3.6.1.4.1.1466.115.121.1.40 arbitrary octets !endblock > diff --git a/doc/guide/admin/security.sdf b/doc/guide/admin/security.sdf index 5665c3c5ff..8616d5dc37 100644 --- a/doc/guide/admin/security.sdf +++ b/doc/guide/admin/security.sdf @@ -1,3 +1,4 @@ +# $OpenLDAP$ # Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved. # COPYING RESTRICTIONS APPLY, see COPYRIGHT. 
@@ -142,7 +143,7 @@ this mechanism should generally remain disabled. A successful user/password authenticated bind results in a user authorization identity, the provided name, being associated with the session. User/password authenticated bind is enabled by default. -However, as this mechanism itself offers no evesdropping protection +However, as this mechanism itself offers no eavesdropping protection (e.g., the password is set in the clear), it is recommended that it be used only in tightly controlled systems or when the LDAP session is protected by other means (e.g., TLS, {{TERM:IPsec}}). diff --git a/doc/guide/admin/slapdconf2.sdf b/doc/guide/admin/slapdconf2.sdf index cbf61398d2..8b80c0014e 100644 --- a/doc/guide/admin/slapdconf2.sdf +++ b/doc/guide/admin/slapdconf2.sdf @@ -32,11 +32,6 @@ Note: some of the backends and of the distributed overlays do not support runtime configuration yet. In those cases, the old style {{slapd.conf}}(5) file must be used. -Note: the current version of {{slurpd}} has not been updated for -compatibility with this new configuration engine. If you must use -slurpd for replication at your site, you will have to maintain an -old-style {{slapd.conf}} file for slurpd to use. - H2: Configuration Layout @@ -46,7 +41,7 @@ carry global configuration options, schema definitions, backend and database definitions, and assorted other items. A sample config tree is shown in Figure 5.1. -!import "config_dit.gif"; align="center"; title="Sample configuration tree" +!import "config_dit.png"; align="center"; title="Sample configuration tree" FT[align="Center"] Figure 5.1: Sample configuration tree. Other objects may be part of the configuration but were omitted from 
@@ -403,7 +398,7 @@ H4: olcAccess: to <what> [ by <who> [<accesslevel>] [<control>] ]+
This directive grants access (specified by <accesslevel>) to a set of entries and/or attributes (specified by <what>) by one or
-more requesters (specified by <who>).
+more requestors (specified by <who>).
See the {{SECT:Access Control}} section of this chapter for a summary of basic usage.
@@ -431,74 +426,6 @@ perform" error.
> olcReadonly: FALSE
-H4: olcReplica
-
-> olcReplica: uri=ldap[s]://<hostname>[:<port>] | host=<hostname>[:<port>]
-> [bindmethod={simple|sasl}]
-> ["binddn=<DN>"]
-> [saslmech=<mech>]
-> [authcid=<identity>]
-> [authzid=<identity>]
-> [credentials=<password>]
-
-This directive specifies a replication site for this database for
-use with slurpd. The
-{{EX:uri=}} parameter specifies a scheme, a host and optionally a port where
-the slave slapd instance can be found. Either a domain name
-or IP address may be used for <hostname>. If <port> is not
-given, the standard LDAP port number (389 or 636) is used.
-
-{{EX:host}} is deprecated in favor of the {{EX:uri}} parameter.
-
-{{EX:uri}} allows the replica LDAP server to be specified as an LDAP
-URI such as {{EX:ldap://slave.example.com:389}} or
-{{EX:ldaps://slave.example.com:636}}.
-
-The {{EX:binddn=}} parameter gives the DN to bind as for updates
-to the slave slapd. It should be a DN which has read/write access
-to the slave slapd's database. It must also match the {{EX:updatedn}}
-directive in the slave slapd's config file. Generally, this DN
-{{should not}} be the same as the {{EX:rootdn}} of the master
-database. Since DNs are likely to contain embedded spaces, the
-entire {{EX:"binddn=<DN>"}} string should be enclosed in double
-quotes.
-
-The {{EX:bindmethod}} is {{EX:simple}} or {{EX:sasl}},
-depending on whether simple password-based authentication
-or {{TERM:SASL}} authentication is to be used when connecting
-to the slave slapd.
-
-Simple authentication should not be used unless adequate data
-integrity and confidentiality protections are in place (e.g. TLS
-or {{TERM:IPsec}}). Simple authentication requires specification
-of {{EX:binddn}} and {{EX:credentials}} parameters.
-
-SASL authentication is generally recommended. SASL authentication
-requires specification of a mechanism using the {{EX:saslmech}} parameter.
-Depending on the mechanism, an authentication identity and/or
-credentials can be specified using {{EX:authcid}} and {{EX:credentials}}
-respectively. The {{EX:authzid}} parameter may be used to specify
-an authorization identity.
-
-See the chapter entitled {{SECT:Replication with slurpd}} for more
-information on how to use this directive.
-
-
-H4: olcReplogfile: <filename>
-
-This directive specifies the name of the replication log file to
-which slapd will log changes. The replication log is typically
-written by {{slapd}}(8) and read by {{slurpd}}(8). Normally, this
-directive is only used if {{slurpd}}(8) is being used to replicate
-the database. However, you can also use it to generate a transaction
-log, if {{slurpd}}(8) is not running. In this case, you will need to
-periodically truncate the file, since it will grow indefinitely
-otherwise.
-
-See the chapter entitled {{SECT:Replication with slurpd}} for more
-information on how to use this directive.
-
-
H4: olcRootDN: <DN>
This directive specifies the DN that is not subject to
@@ -743,24 +670,6 @@ exceeded timelimit will be returned.
> olcTimeLimit: 3600
-H4: olcUpdateDN: <DN>
-
-This directive is only applicable in a slave slapd. It specifies
-the DN allowed to make changes to the replica. This may be the DN
-{{slurpd}}(8) binds as when making changes to the replica or the DN
-associated with a SASL identity.
-
-Entry-based Example:
-
-> olcUpdateDN: "cn=Update Daemon,dc=example,dc=com"
-
-SASL-based Example:
-
-> olcUpdateDN: "uid=slurpd,cn=example.com,cn=digest-md5,cn=auth"
-
-See the {{SECT:Replication with slurpd}} chapter for more information
-on how to use this directive.
-
H4: olcUpdateref: <URL>
This directive is only applicable in a slave slapd. It
@@ -825,7 +734,7 @@ This directive specifies how often to checkpoint the BDB transaction log. A checkpoint operation flushes the database buffers to disk and writes a checkpoint record in the log. The checkpoint will occur if either <kbyte> data has been written or
-<min> minutes have passed since the last checkpont. Both arguments default
+<min> minutes have passed since the last checkpoint. Both arguments default
to zero, in which case they are ignored. When the <min> argument is non-zero, an internal task will run every <min> minutes to perform the checkpoint. See the Berkeley DB reference guide for more details.
@@ -842,7 +751,7 @@ This attribute specifies a configuration directive to be placed in the no such file exists yet, the {{EX:DB_CONFIG}} file will be created and the settings in this attribute will be written to it. If the file exists, its contents will be read and displayed in this attribute. The attribute
-is multi-valued, to accomodate multiple configuration directives. No default
+is multi-valued, to accommodate multiple configuration directives. No default
is provided, but it is essential to use proper settings here to get the best server performance.
@@ -872,7 +781,7 @@ cleanup procedure removes them. See the Berkeley DB documentation for the Ideally the BDB cache must be at least as large as the working set of the database, the log buffer size
-should be large enough to accomodate most transactions without overflowing,
+should be large enough to accommodate most transactions without overflowing,
and the log directory must be on a separate physical disk from the main database files. And both the database directory and the log directory should be separate from disks used for regular system activities such as
@@ -989,7 +898,7 @@ created database index files should have.
H4: olcDbSearchStack: <integer>
Specify the depth of the stack used for search filter evaluation.
-Search filters are evaluated on a stack to accomodate nested {{EX:AND}} /
+Search filters are evaluated on a stack to accommodate nested {{EX:AND}} /
{{EX:OR}} clauses. An individual stack is allocated for each server thread. The depth of the stack determines how complex a filter can be evaluated without requiring any additional memory allocation. Filters that are
@@ -1325,7 +1234,7 @@ the access directives and the {{EX:by <who>}} clauses. It also shows the use of an attribute selector to grant access to a specific attribute and various {{EX:<who>}} selectors.
-> olcAccess: to dn.subtree="dc=example,dc=com" attr=homePhone
+> olcAccess: to dn.subtree="dc=example,dc=com" attrs=homePhone
> by self write
> by dn.children=dc=example,dc=com" search
> by peername.regex=IP:10\..+ read
@@ -1351,7 +1260,7 @@ create a group and allow people to add and remove only their own DN from the member attribute, you could accomplish it with an access directive like this:
-> olcAccess: to attr=member,entry
+> olcAccess: to attrs=member,entry
> by dnattr=member selfwrite
The dnattr {{EX:<who>}} selector says that the access applies to
@@ -1375,7 +1284,7 @@ tags are maintained automatically by slapd and do not need to be specified when originally defining the values. For example, when you create the settings
-> olcAccess: to attr=member,entry
+> olcAccess: to attrs=member,entry
> by dnattr=member selfwrite
> olcAccess: to dn.children="dc=example,dc=com"
> by * search
@@ -1384,7 +1293,7 @@ settings when you read them back using slapcat or ldapsearch they will contain
-> olcAccess: {0}to attr=member,entry
+> olcAccess: {0}to attrs=member,entry
> by dnattr=member selfwrite
> olcAccess: {1}to dn.children="dc=example,dc=com"
> by * search
@@ -1423,7 +1332,7 @@ This example deletes whatever rule is in value #1 of the {{EX:olcAccess}} attribute (regardless of its value) and adds a new value that is explicitly inserted as value #1. The result will be
-> olcAccess: {0}to attr=member,entry
+> olcAccess: {0}to attrs=member,entry
> by dnattr=member selfwrite
> olcAccess: {1}to dn.children="dc=example,dc=com"
> by * write
@@ -1513,7 +1422,7 @@ E: 29. olcRootPW: secret
E: 30. olcDbIndex: uid pres,eq
E: 31. olcDbIndex: cn,sn,uid pres,eq,approx,sub
E: 32. olcDbIndex: objectClass eq
-E: 33. olcAccess: to attr=userPassword
+E: 33. olcAccess: to attrs=userPassword
E: 34. by self write
E: 35. by anonymous auth
E: 36. by dn.base="cn=Admin,dc=example,dc=com" write
@@ -1550,16 +1459,16 @@ Line 42 is a blank line, indicating the end of this entry. The next section of the example configuration file defines another BDB database. This one handles queries involving the {{EX:dc=example,dc=net}} subtree but is managed by the same entity
-as the first database. Note that without line 51, the read access
+as the first database. Note that without line 52, the read access
would be allowed due to the global access rule at line 19.
-E: 42. # BDB definition for example.net
-E: 43. dn: olcDatabase=bdb,cn=config
-E: 44. objectClass: olcDatabaseConfig
-E: 45. objectClass: olcBdbConfig
-E: 46. olcDatabase: bdb
-E: 47. olcSuffix: "dc=example,dc=net"
-E: 48. olcDbDirectory: /usr/local/var/openldap-data-net
-E: 49. olcRootDN: "cn=Manager,dc=example,dc=com"
-E: 50. olcDbIndex: objectClass eq
-E: 51. olcAccess: to * by users read
+E: 43. # BDB definition for example.net
+E: 44. dn: olcDatabase=bdb,cn=config
+E: 45. objectClass: olcDatabaseConfig
+E: 46. objectClass: olcBdbConfig
+E: 47. olcDatabase: bdb
+E: 48. olcSuffix: "dc=example,dc=net"
+E: 49. olcDbDirectory: /usr/local/var/openldap-data-net
+E: 50. olcRootDN: "cn=Manager,dc=example,dc=com"
+E: 51. olcDbIndex: objectClass eq
+E: 52. olcAccess: to * by users read
diff --git a/doc/guide/admin/slapdconfig.sdf b/doc/guide/admin/slapdconfig.sdf
index 64f5493e21..0e19d779ac 100644
--- a/doc/guide/admin/slapdconfig.sdf
+++ b/doc/guide/admin/slapdconfig.sdf
@@ -91,7 +91,7 @@ H4: access to <what> [ by <who> [<accesslevel>] [<control>] ]+
This directive grants access (specified by <accesslevel>) to a set of entries and/or attributes (specified by <what>) by one or more
-requesters (specified by <who>). See the {{SECT:The access
+requestors (specified by <who>). See the {{SECT:The access
Configuration Directive}} section of this chapter for a summary of basic usage.
@@ -284,69 +284,6 @@ perform" error.
> readonly off
-H4: replica
-
-> replica uri=ldap[s]://<hostname>[:<port>] | host=<hostname>[:<port>]
-> [bindmethod={simple|sasl}]
-> ["binddn=<DN>"]
-> [saslmech=<mech>]
-> [authcid=<identity>]
-> [authzid=<identity>]
-> [credentials=<password>]
-
-This directive specifies a replication site for this database. The
-{{EX:uri=}} parameter specifies a scheme, a host and optionally a port where
-the slave slapd instance can be found. Either a domain name
-or IP address may be used for <hostname>. If <port> is not
-given, the standard LDAP port number (389 or 636) is used.
-
-{{EX:host}} is deprecated in favor of the {{EX:uri}} parameter.
-
-{{EX:uri}} allows the replica LDAP server to be specified as an LDAP
-URI such as {{EX:ldap://slave.example.com:389}} or
-{{EX:ldaps://slave.example.com:636}}.
-
-The {{EX:binddn=}} parameter gives the DN to bind as for updates
-to the slave slapd. It should be a DN which has read/write access
-to the slave slapd's database. It must also match the {{EX:updatedn}}
-directive in the slave slapd's config file. Generally, this DN
-{{should not}} be the same as the {{EX:rootdn}} of the master
-database. Since DNs are likely to contain embedded spaces, the
-entire {{EX:"binddn=<DN>"}} string should be enclosed in double
-quotes.
-
-The {{EX:bindmethod}} is {{EX:simple}} or {{EX:sasl}}, depending
-on whether simple password-based authentication or {{TERM:SASL}}
-authentication is to be used when connecting to the slave slapd.
-
-Simple authentication should not be used unless adequate data
-integrity and confidentiality protections are in place (e.g. TLS
-or {{TERM:IPsec}}). Simple authentication requires specification of
-{{EX:binddn}} and {{EX:credentials}} parameters.
-
-SASL authentication is generally recommended. SASL authentication
-requires specification of a mechanism using the {{EX:saslmech}} parameter.
-Depending on the mechanism, an authentication identity and/or
-credentials can be specified using {{EX:authcid}} and {{EX:credentials}}
-respectively. The {{EX:authzid}} parameter may be used to specify
-an authorization identity.
-
-See the chapter entitled {{SECT:Replication with slurpd}} for more
-information on how to use this directive.
-
-H4: replogfile <filename>
-
-This directive specifies the name of the replication log file to
-which slapd will log changes. The replication log is typically
-written by slapd and read by slurpd. Normally, this directive is
-only used if slurpd is being used to replicate the database.
-However, you can also use it to generate a transaction log, if
-slurpd is not running. In this case, you will need to periodically
-truncate the file, since it will grow indefinitely otherwise.
-
-See the chapter entitled {{SECT:Replication with slurpd}} for more
-information on how to use this directive.
-
H4: rootdn <DN>
@@ -535,26 +472,6 @@ See the {{SECT:LDAP Sync Replication}} chapter of the admin guide for more information on how to use this directive.
-H4: updatedn <DN>
-
-This directive is only applicable in a {{slave}} (or {{shadow}})
-{{slapd(8)}} instance. It specifies the DN allowed to make changes to
-the replica. This may be the DN
-{{slurpd}}(8) binds as when making changes to the replica or the DN
-associated with a SASL identity.
-
-
-Entry-based Example:
-
-> updatedn "cn=Update Daemon,dc=example,dc=com"
-
-SASL-based Example:
-
-> updatedn "uid=slurpd,cn=example.com,cn=digest-md5,cn=auth"
-
-See the {{SECT:Replication with slurpd}} chapter for more information
-on how to use this directive.
-
H4: updateref <URL>
This directive is only applicable in a {{slave}} (or {{shadow}})
@@ -871,7 +788,7 @@ the access directives and the {{EX:by <who>}} clauses. It also shows the use of an attribute selector to grant access to a specific attribute and various {{EX:<who>}} selectors.
-> access to dn.subtree="dc=example,dc=com" attr=homePhone
+> access to dn.subtree="dc=example,dc=com" attrs=homePhone
> by self write
> by dn.children="dc=example,dc=com" search
> by peername.regex=IP:10\..+ read
@@ -897,7 +814,7 @@ create a group and allow people to add and remove only their own DN from the member attribute, you could accomplish it with an access directive like this:
-> access to attr=member,entry
+> access to attrs=member,entry
> by dnattr=member selfwrite
The dnattr {{EX:<who>}} selector says that the access applies to
@@ -952,28 +869,20 @@ E: 7. suffix "dc=example,dc=com"
E: 8. directory /usr/local/var/openldap-data
E: 9. rootdn "cn=Manager,dc=example,dc=com"
E: 10. rootpw secret
-E: 11. # replication directives
-E: 12. replogfile /usr/local/var/openldap/slapd.replog
-E: 13. replica uri=ldap://slave1.example.com:389
-E: 14. binddn="cn=Replicator,dc=example,dc=com"
-E: 15. bindmethod=simple credentials=secret
-E: 16. replica uri=ldaps://slave2.example.com:636
-E: 17. binddn="cn=Replicator,dc=example,dc=com"
-E: 18. bindmethod=simple credentials=secret
-E: 19. # indexed attribute definitions
-E: 20. index uid pres,eq
-E: 21. index cn,sn,uid pres,eq,approx,sub
-E: 22. index objectClass eq
-E: 23. # database access control definitions
-E: 24. access to attr=userPassword
-E: 25. by self write
-E: 26. by anonymous auth
-E: 27. by dn.base="cn=Admin,dc=example,dc=com" write
-E: 28. by * none
-E: 29. access to *
-E: 30. by self write
-E: 31. by dn.base="cn=Admin,dc=example,dc=com" write
-E: 32. by * read
+E: 11. # indexed attribute definitions
+E: 12. index uid pres,eq
+E: 13. index cn,sn,uid pres,eq,approx,sub
+E: 14. index objectClass eq
+E: 15. # database access control definitions
+E: 16. access to attrs=userPassword
+E: 17. by self write
+E: 18. by anonymous auth
+E: 19. by dn.base="cn=Admin,dc=example,dc=com" write
+E: 20. by * none
+E: 21. access to *
+E: 22. by self write
+E: 23. by dn.base="cn=Admin,dc=example,dc=com" write
+E: 24. by * read
Line 5 is a comment. The start of the database definition is marked by the database keyword on line 6. Line 7 specifies the DN suffix
@@ -984,19 +893,10 @@ Lines 9 and 10 identify the database {{super-user}} entry and associated password. This entry is not subject to access control or size or time limit restrictions.
-Lines 11 through 18 are for replication. Line 12 specifies the
-replication log file (where changes to the database are logged -
-this file is written by slapd and read by slurpd). Lines 13 through
-15 specify the hostname and port for a replicated host, the DN to
-bind as when performing updates, the bind method (simple) and the
-credentials (password) for the binddn. Lines 16 through 18 specify
-a second replication site. See the {{SECT:Replication with slurpd}}
-chapter for more information on these directives.
-
-Lines 20 through 22 indicate the indices to maintain for various
+Lines 12 through 14 indicate the indices to maintain for various
attributes.
-Lines 24 through 32 specify access control for entries in this
+Lines 16 through 24 specify access control for entries in this
database. As this is the first database, the controls also apply to entries not held in any database (such as the Root DSE). For all applicable entries, the {{EX:userPassword}} attribute is writable
diff --git a/doc/guide/admin/syncrepl.sdf b/doc/guide/admin/syncrepl.sdf
deleted file mode 100644
index 8907bdd200..0000000000
--- a/doc/guide/admin/syncrepl.sdf
+++ /dev/null
@@ -1,404 +0,0 @@ -# $OpenLDAP$ -# Copyright 2003-2007 The OpenLDAP Foundation, All Rights Reserved. -# COPYING RESTRICTIONS APPLY, see COPYRIGHT. - -H1: LDAP Sync Replication - -The {{TERM:LDAP Sync}} Replication engine, {{TERM:syncrepl}} for -short, is a consumer-side replication engine that enables the -consumer {{TERM:LDAP}} server to maintain a shadow copy of a -{{TERM:DIT}} fragment. A syncrepl engine resides at the consumer-side -as one of the {{slapd}}(8) threads. It creates and maintains a -consumer replica by connecting to the replication provider to perform -the initial DIT content load followed either by periodic content -polling or by timely updates upon content changes. - -Syncrepl uses the LDAP Content Synchronization (or LDAP Sync for -short) protocol as the replica synchronization protocol. It provides -a stateful replication which supports both pull-based and push-based -synchronization and does not mandate the use of a history store. - -Syncrepl keeps track of the status of the replication content by -maintaining and exchanging synchronization cookies. Because the -syncrepl consumer and provider maintain their content status, the -consumer can poll the provider content to perform incremental -synchronization by asking for the entries required to make the -consumer replica up-to-date with the provider content. Syncrepl -also enables convenient management of replicas by maintaining replica -status. The consumer replica can be constructed from a consumer-side -or a provider-side backup at any synchronization status. Syncrepl -can automatically resynchronize the consumer replica up-to-date -with the current provider content. - -Syncrepl supports both pull-based and push-based synchronization. -In its basic refreshOnly synchronization mode, the provider uses -pull-based synchronization where the consumer servers need not be -tracked and no history information is maintained. 
The information -required for the provider to process periodic polling requests is -contained in the synchronization cookie of the request itself. To -optimize the pull-based synchronization, syncrepl utilizes the -present phase of the LDAP Sync protocol as well as its delete phase, -instead of falling back on frequent full reloads. To further optimize -the pull-based synchronization, the provider can maintain a per-scope -session log as a history store. In its refreshAndPersist mode of -synchronization, the provider uses a push-based synchronization. -The provider keeps track of the consumer servers that have requested -a persistent search and sends them necessary updates as the provider -replication content gets modified. - -With syncrepl, a consumer server can create a replica without -changing the provider's configurations and without restarting the -provider server, if the consumer server has appropriate access -privileges for the DIT fragment to be replicated. The consumer -server can stop the replication also without the need for provider-side -changes and restart. - -Syncrepl supports both partial and sparse replications. The shadow -DIT fragment is defined by a general search criteria consisting of -base, scope, filter, and attribute list. The replica content is -also subject to the access privileges of the bind identity of the -syncrepl replication connection. - - -H2: The LDAP Content Synchronization Protocol - -The LDAP Sync protocol allows a client to maintain a synchronized -copy of a DIT fragment. The LDAP Sync operation is defined as a set -of controls and other protocol elements which extend the LDAP search -operation. This section introduces the LDAP Content Sync protocol -only briefly. For more information, refer to {{REF:RFC4533}}. - -The LDAP Sync protocol supports both polling and listening for -changes by defining two respective synchronization operations: -{{refreshOnly}} and {{refreshAndPersist}}. 
Polling is implemented -by the {{refreshOnly}} operation. The client copy is synchronized -to the server copy at the time of polling. The server finishes the -search operation by returning {{SearchResultDone}} at the end of -the search operation as in the normal search. The listening is -implemented by the {{refreshAndPersist}} operation. Instead of -finishing the search after returning all entries currently matching -the search criteria, the synchronization search remains persistent -in the server. Subsequent updates to the synchronization content -in the server cause additional entry updates to be sent to the -client. - -The {{refreshOnly}} operation and the refresh stage of the -{{refreshAndPersist}} operation can be performed with a present -phase or a delete phase. - -In the present phase, the server sends the client the entries updated -within the search scope since the last synchronization. The server -sends all requested attributes, be it changed or not, of the updated -entries. For each unchanged entry which remains in the scope, the -server sends a present message consisting only of the name of the -entry and the synchronization control representing state present. -The present message does not contain any attributes of the entry. -After the client receives all update and present entries, it can -reliably determine the new client copy by adding the entries added -to the server, by replacing the entries modified at the server, and -by deleting entries in the client copy which have not been updated -nor specified as being present at the server. - -The transmission of the updated entries in the delete phase is the -same as in the present phase. The server sends all the requested -attributes of the entries updated within the search scope since the -last synchronization to the client. In the delete phase, however, -the server sends a delete message for each entry deleted from the -search scope, instead of sending present messages. 
The delete -message consists only of the name of the entry and the synchronization -control representing state delete. The new client copy can be -determined by adding, modifying, and removing entries according to -the synchronization control attached to the {{SearchResultEntry}} -message. - -In the case that the LDAP Sync server maintains a history store and -can determine which entries are scoped out of the client copy since -the last synchronization time, the server can use the delete phase. -If the server does not maintain any history store, cannot determine -the scoped-out entries from the history store, or the history store -does not cover the outdated synchronization state of the client, -the server should use the present phase. The use of the present -phase is much more efficient than a full content reload in terms -of the synchronization traffic. To reduce the synchronization -traffic further, the LDAP Sync protocol also provides several -optimizations such as the transmission of the normalized {{EX:entryUUID}}s -and the transmission of multiple {{EX:entryUUIDs}} in a single -{{syncIdSet}} message. - -At the end of the {{refreshOnly}} synchronization, the server sends -a synchronization cookie to the client as a state indicator of the -client copy after the synchronization is completed. The client -will present the received cookie when it requests the next incremental -synchronization to the server. - -When {{refreshAndPersist}} synchronization is used, the server sends -a synchronization cookie at the end of the refresh stage by sending -a Sync Info message with TRUE refreshDone. It also sends a -synchronization cookie by attaching it to {{SearchResultEntry}} -generated in the persist stage of the synchronization search. During -the persist stage, the server can also send a Sync Info message -containing the synchronization cookie at any time the server wants -to update the client-side state indicator. 
The server also updates -a synchronization indicator of the client at the end of the persist -stage. - -In the LDAP Sync protocol, entries are uniquely identified by the -{{EX:entryUUID}} attribute value. It can function as a reliable -identifier of the entry. The DN of the entry, on the other hand, -can be changed over time and hence cannot be considered as the -reliable identifier. The {{EX:entryUUID}} is attached to each -{{SearchResultEntry}} or {{SearchResultReference}} as a part of the -synchronization control. - - -H2: Syncrepl Details - -The syncrepl engine utilizes both the {{refreshOnly}} and the -{{refreshAndPersist}} operations of the LDAP Sync protocol. If a -syncrepl specification is included in a database definition, -{{slapd}}(8) launches a syncrepl engine as a {{slapd}}(8) thread -and schedules its execution. If the {{refreshOnly}} operation is -specified, the syncrepl engine will be rescheduled at the interval -time after a synchronization operation is completed. If the -{{refreshAndPersist}} operation is specified, the engine will remain -active and process the persistent synchronization messages from the -provider. - -The syncrepl engine utilizes both the present phase and the delete -phase of the refresh synchronization. It is possible to configure -a per-scope session log in the provider server which stores the -{{EX:entryUUID}}s of a finite number of entries deleted from a -replication content. Multiple replicas of single provider content -share the same per-scope session log. The syncrepl engine uses the -delete phase if the session log is present and the state of the -consumer server is recent enough that no session log entries are -truncated after the last synchronization of the client. The syncrepl -engine uses the present phase if no session log is configured for -the replication content or if the consumer replica is too outdated -to be covered by the session log. 
The current design of the session -log store is memory based, so the information contained in the -session log is not persistent over multiple provider invocations. -It is not currently supported to access the session log store by -using LDAP operations. It is also not currently supported to impose -access control to the session log. - -As a further optimization, even in the case the synchronization -search is not associated with any session log, no entries will be -transmitted to the consumer server when there has been no update -in the replication context. - -The syncrepl engine, which is a consumer-side replication engine, -can work with any backends. The LDAP Sync provider can be configured -as an overlay on any backend, but works best with the {{back-bdb}} -or {{back-hdb}} backend. - -The LDAP Sync provider maintains a {{EX:contextCSN}} for each -database as the current synchronization state indicator of the -provider content. It is the largest {{EX:entryCSN}} in the provider -context such that no transactions for an entry having smaller -{{EX:entryCSN}} value remains outstanding. The {{EX:contextCSN}} -could not just be set to the largest issued {{EX:entryCSN}} because -{{EX:entryCSN}} is obtained before a transaction starts and -transactions are not committed in the issue order. - -The provider stores the {{EX:contextCSN}} of a context in the -{{EX:contextCSN}} attribute of the context suffix entry. The attribute -is not written to the database after every update operation though; -instead it is maintained primarily in memory. At database start -time the provider reads the last saved {{EX:contextCSN}} into memory -and uses the in-memory copy exclusively thereafter. By default, -changes to the {{EX:contextCSN}} as a result of database updates -will not be written to the database until the server is cleanly -shut down. A checkpoint facility exists to cause the contextCSN to -be written out more frequently if desired. 
- -Note that at startup time, if the provider is unable to read a -{{EX:contextCSN}} from the suffix entry, it will scan the entire -database to determine the value, and this scan may take quite a -long time on a large database. When a {{EX:contextCSN}} value is -read, the database will still be scanned for any {{EX:entryCSN}} -values greater than it, to make sure the {{EX:contextCSN}} value -truly reflects the greatest committed {{EX:entryCSN}} in the database. -On databases which support inequality indexing, setting an eq index -on the {{EX:entryCSN}} attribute and configuring {{contextCSN}} -checkpoints will greatly speed up this scanning step. - -If no {{EX:contextCSN}} can be determined by reading and scanning -the database, a new value will be generated. Also, if scanning the -database yielded a greater {{EX:entryCSN}} than was previously -recorded in the suffix entry's {{EX:contextCSN}} attribute, a -checkpoint will be immediately written with the new value. - -The consumer also stores its replica state, which is the provider's -{{EX:contextCSN}} received as a synchronization cookie, in the -{{EX:contextCSN}} attribute of the suffix entry. The replica state -maintained by a consumer server is used as the synchronization state -indicator when it performs subsequent incremental synchronization -with the provider server. It is also used as a provider-side -synchronization state indicator when it functions as a secondary -provider server in a cascading replication configuration. Since -the consumer and provider state information are maintained in the -same location within their respective databases, any consumer can -be promoted to a provider (and vice versa) without any special -actions. - -Because a general search filter can be used in the syncrepl -specification, some entries in the context may be omitted from the -synchronization content. 
The syncrepl engine creates a glue entry -to fill in the holes in the replica context if any part of the -replica content is subordinate to the holes. The glue entries will -not be returned in the search result unless {{ManageDsaIT}} control -is provided. - -Also as a consequence of the search filter used in the syncrepl -specification, it is possible for a modification to remove an entry -from the replication scope even though the entry has not been deleted -on the provider. Logically the entry must be deleted on the consumer -but in {{refreshOnly}} mode the provider cannot detect and propagate -this change without the use of the session log. - - -H2: Configuring Syncrepl - -Because syncrepl is a consumer-side replication engine, the syncrepl -specification is defined in {{slapd.conf}}(5) of the consumer -server, not in the provider server's configuration file. The initial -loading of the replica content can be performed either by starting -the syncrepl engine with no synchronization cookie or by populating -the consumer replica by adding an {{TERM:LDIF}} file dumped as a -backup at the provider. - -When loading from a backup, it is not required to perform the initial -loading from the up-to-date backup of the provider content. The -syncrepl engine will automatically synchronize the initial consumer -replica to the current provider content. As a result, it is not -required to stop the provider server in order to avoid the replica -inconsistency caused by the updates to the provider content during -the content backup and loading process. - -When replicating a large scale directory, especially in a bandwidth -constrained environment, it is advised to load the consumer replica -from a backup instead of performing a full initial load using -syncrepl. - - -H3: Set up the provider slapd - -The provider is implemented as an overlay, so the overlay itself -must first be configured in {{slapd.conf}}(5) before it can be -used. 
The provider has only two configuration directives, for setting -checkpoints on the {{EX:contextCSN}} and for configuring the session -log. Because the LDAP Sync search is subject to access control, -proper access control privileges should be set up for the replicated -content. - -The {{EX:contextCSN}} checkpoint is configured by the - -> syncprov-checkpoint <ops> <minutes> - -directive. Checkpoints are only tested after successful write -operations. If {{<ops>}} operations or more than {{<minutes>}} -time has passed since the last checkpoint, a new checkpoint is -performed. - -The session log is configured by the - -> syncprov-sessionlog <size> - -directive, where {{<size>}} is the maximum number of session log -entries the session log can record. When a session log is configured, -it is automatically used for all LDAP Sync searches within the -database. - -Note that using the session log requires searching on the {{entryUUID}} -attribute. Setting an eq index on this attribute will greatly benefit -the performance of the session log on the provider. - -A more complete example of the {{slapd.conf}}(5) content is thus: - -> database bdb -> suffix dc=Example,dc=com -> rootdn dc=Example,dc=com -> directory /var/ldap/db -> index objectclass,entryCSN,entryUUID eq -> -> overlay syncprov -> syncprov-checkpoint 100 10 -> syncprov-sessionlog 100 - - -H3: Set up the consumer slapd - -The syncrepl replication is specified in the database section of -{{slapd.conf}}(5) for the replica context. The syncrepl engine -is backend independent and the directive can be defined with any -database type. 
-
-> database hdb
-> suffix dc=Example,dc=com
-> rootdn dc=Example,dc=com
-> directory /var/ldap/db
-> index objectclass,entryCSN,entryUUID eq
->
-> syncrepl rid=123
-> provider=ldap://provider.example.com:389
-> type=refreshOnly
-> interval=01:00:00:00
-> searchbase="dc=example,dc=com"
-> filter="(objectClass=organizationalPerson)"
-> scope=sub
-> attrs="cn,sn,ou,telephoneNumber,title,l"
-> schemachecking=off
-> bindmethod=simple
-> binddn="cn=syncuser,dc=example,dc=com"
-> credentials=secret
-
-In this example, the consumer will connect to the provider {{slapd}}(8)
-at port 389 of {{FILE:ldap://provider.example.com}} to perform a
-polling ({{refreshOnly}}) mode of synchronization once a day. It
-will bind as {{EX:cn=syncuser,dc=example,dc=com}} using simple
-authentication with password "secret". Note that the access control
-privilege of {{EX:cn=syncuser,dc=example,dc=com}} should be set
-appropriately in the provider to retrieve the desired replication
-content. Also the search limits must be high enough on the provider
-to allow the syncuser to retrieve a complete copy of the requested
-content. The consumer uses the rootdn to write to its database so
-it always has full permissions to write all content.
-
-The synchronization search in the above example will search for the
-entries whose objectClass is organizationalPerson in the entire
-subtree rooted at {{EX:dc=example,dc=com}}. The requested attributes
-are {{EX:cn}}, {{EX:sn}}, {{EX:ou}}, {{EX:telephoneNumber}},
-{{EX:title}}, and {{EX:l}}. The schema checking is turned off, so
-that the consumer {{slapd}}(8) will not enforce entry schema
-checking when it process updates from the provider {{slapd}}(8).
-
-For more detailed information on the syncrepl directive, see the
-{{SECT:syncrepl}} section of {{SECT:The slapd Configuration File}}
-chapter of this admin guide.
-
-
-H3: Start the provider and the consumer slapd
-
-The provider {{slapd}}(8) is not required to be restarted.
-{{contextCSN}} is automatically generated as needed: it might be
-originally contained in the {{TERM:LDIF}} file, generated by
-{{slapadd}} (8), generated upon changes in the context, or generated
-when the first LDAP Sync search arrives at the provider. If an
-LDIF file is being loaded which did not previously contain the
-{{contextCSN}}, the {{-w}} option should be used with {{slapadd}}
-(8) to cause it to be generated. This will allow the server to
-startup a little quicker the first time it runs.
-
-When starting a consumer {{slapd}}(8), it is possible to provide
-a synchronization cookie as the {{-c cookie}} command line option
-in order to start the synchronization from a specific state. The
-cookie is a comma separated list of name=value pairs. Currently
-supported syncrepl cookie fields are {{csn=<csn>}} and {{rid=<rid>}}.
-{{<csn>}} represents the current synchronization state of the
-consumer replica. {{<rid>}} identifies a consumer replica locally
-within the consumer server. It is used to relate the cookie to the
-syncrepl definition in {{slapd.conf}}(5) which has the matching
-replica identifier. The {{<rid>}} must have no more than 3 decimal
-digits. The command line cookie overrides the synchronization
-cookie stored in the consumer replica database.
diff --git a/doc/guide/admin/title.sdf b/doc/guide/admin/title.sdf
index 066cec4825..74e47cee72 100644
--- a/doc/guide/admin/title.sdf
+++ b/doc/guide/admin/title.sdf
@@ -1,5 +1,5 @@
 # $OpenLDAP$
-# Copyright 1999--2005, The OpenLDAP Foundation, All Rights Reserved.
+# Copyright 1999-2007, The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 #
 # Document: OpenLDAP Administrator's Guide
diff --git a/doc/guide/admin/tls.sdf b/doc/guide/admin/tls.sdf
index 9c4cf58e90..78725a6951 100644
--- a/doc/guide/admin/tls.sdf
+++ b/doc/guide/admin/tls.sdf
@@ -1,3 +1,4 @@ +# $OpenLDAP$ # Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved. # COPYING RESTRICTIONS APPLY, see COPYRIGHT. @@ -9,6 +10,8 @@ integrity and confidentiality protections and to support LDAP authentication using the {{TERM:SASL}} {{TERM:EXTERNAL}} mechanism. TLS is defined in {{REF:RFC4346}}. +Note: For generating certifcates, please reference {{URL:http://www.openldap.org/faq/data/cache/185.html}} + H2: TLS Certificates TLS uses {{TERM:X.509}} certificates to carry client and server @@ -178,7 +181,7 @@ be configured on a system-wide basis, they may all be overridden by individual users in their {{.ldaprc}} files. The LDAP Start TLS operation is used in LDAP to initiate TLS -negotatation. All OpenLDAP command line tools support a {{EX:-Z}} +negotiation. All OpenLDAP command line tools support a {{EX:-Z}} and {{EX:-ZZ}} flag to indicate whether a Start TLS operation is to be issued. The latter flag indicates that the tool is to cease processing if TLS cannot be started while the former allows the diff --git a/doc/guide/admin/troubleshooting.sdf b/doc/guide/admin/troubleshooting.sdf new file mode 100644 index 0000000000..18544c7fa4 --- /dev/null +++ b/doc/guide/admin/troubleshooting.sdf 
@@ -0,0 +1,89 @@
+# $OpenLDAP$
+# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
+# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
+
+H1: Troubleshooting
+
+If you're having trouble using OpenLDAP, get onto the
+OpenLDAP-Software mailing list.
+
+Browse the list archives at {{URL:http://www.openldap.org/lists/}}
+
+Chances are the problem has been solved and explained in detail many times before.
+
+H2: User or Software errors?
+
+More often than not, an error is caused by a configuration problem or a misunderstanding
+of what you are trying to implement and/or achieve.
+
+Sometimes you may encounter an actual OpenLDAP bug, in which case please visit
+our Issue Tracking system {{URL:http://www.openldap.org/its/}} and report it there,
+providing as much information as possible.
+
+Note: Our Issue Tracking system is {{B:NOT}} for OpenLDAP {{B:Support}}, please join our
+mailing Lists: {{URL:http://www.openldap.org/lists/}} for that
+
+We will now attempt to discuss common user errors
+
+H2: Checklist
+
+The following checklist can help track down your problem. Please try to use if {{B:before}}
+posting to the list, or in the rare circumstances of reporting a bug.
+
+.{{S: }}
+^{{B: Use the {{slaptest}} tool to verify configurations before starting {{slapd}}}}
+
+.{{S: }}
++{{B: Verify that {{slapd}} is listening to the specified port(s) (389 and 636, generally) before trying the {{ldapsearch}}}}
+
+.{{S: }}
++{{B: Can you issue an {{ldapsearch}}?}}
+
+.{{S: }}
++{{B: If not, have you enabled complex ACLs without fully understanding them?}}
+
+.{{S: }}
++{{B: Do you have a system wide LDAP setting pointing to the wrong LDAP Directory?}}
+
+.{{S: }}
++{{B: Are you using TLS?}}
+
+.{{S: }}
++{{B: Have your certificates expired?}}
+
+
+H2: 3rd party software error
+
+The OpenLDAP Project only supports OpenLDAP software.
+
+You may however seek commercial support ({{URL:http://www.openldap.org/support/}}) or join
+the general LDAP forum for non-commercial discussions and information relating to LDAP at:
+{{URL:http://www.umich.edu/~dirsvcs/ldap/mailinglist.html}}
+
+
+H2: How to contact the OpenLDAP Project
+
+* Mailing Lists: {{URL:http://www.openldap.org/lists/}}
+* Project: {{URL: http://www.openldap.org/project/}}
+* Issue Tracking: {{URL:http://www.openldap.org/its/}}
+
+
+H2: How to present your problem
+
+
+H2: Debugging {{slapd}}(8)
+
+After reading through the above sections and before e-mailing the OpenLDAP lists, you
+might want to try out some of the following to track down the cause of your problems:
+
+* Loglevel 256 is generally a good first loglevel to try for getting
+ information useful to list members on issues
+* Running {{slapd -d -1}} can often track down fairly simple issues, such as
+ missing schemas and incorrect file permissions for the {{slapd}} user to things like certs
+
+H2: Commercial Support
+
+The firms listed at {{URL:http://www.openldap.org/support/}} offer technical support services catering to OpenLDAP community.
+
+The listing of any given firm should not be viewed as an endorsement or recommendation of any kind, nor as otherwise indicating
+there exists a business relationship or an affiliation between any listed firm and the OpenLDAP Foundation or the OpenLDAP Project or its contributors.
diff --git a/doc/guide/admin/tuning.sdf b/doc/guide/admin/tuning.sdf
index af73744755..54dd7e6951 100644
--- a/doc/guide/admin/tuning.sdf
+++ b/doc/guide/admin/tuning.sdf
@@ -2,89 +2,344 @@ # Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved. # COPYING RESTRICTIONS APPLY, see COPYRIGHT. -H1: Performance Tuning +H1: Tuning -Note: this chapter needs to be updated to discuss BDB tuning. +This is perhaps one of the most important chapters in the guide, because if +you have not tuned {{slapd}}(8) correctly or grasped how to design your +directory and environment, you can expect very poor performance. -There are several things you can do to tune the performance of -slapd for your system. Most of them have to do with the LDBM -backend. LDBM uses an index mechanism to store and retrieve -information in slapd. Each entry is assigned a unique ID, used to -refer to the entry in the indexes. A search for entries with a -surname of "Jensen", for example, would look up the index entry -"=JENSEN" in the surname index. The data returned is a list of -IDs of entries having that value for the surname attribute. We -have found several things to be useful in improving the -performance of this indexing scheme, especially on modify -operations. +Reading, understanding and experimenting using the instructions and information +in the following sections, will enable you to fully understand how to tailor +your directory server to your specific requirements. +It should be noted that the following information has been collected over time +from our community based FAQ. So obviously the benefit of this real world experience +and advice should be of great value to the reader. -H2: The allIDs threshold +H2: Performance Factors -Some index entries become so large as to be useless. For -example, if every entry in your database is a person entry, the -"=PERSON" index entry in the objectclass index contains every -entry. This returns very little useful information, and can cause -significant delays, especially on updates. To alleviate this -problem, we have introduced the idea of an allIDs index entry. 
+Various factors can play a part in how your directory performs on your chosen +hardware and environment. We will attempt to discuss these here. -The allIDs entry stands for a real index entry containing the IDs -of every entry in the database, but it takes up very little space, -never needs updating, and can be manipulated quickly and -efficiently. The trade-off is that it does not prune the set of -candidate entries at all during a search. This must be done -using other, more "high-powered" index entries. -You can set the minimum number of IDs that an index entry may -contain before it turns into an allIDs block by changing the -{{EX: SLAPD_LDBM_MIN_MAXIDS}} variable in the -{{EX: include/ldapconfig.h}} file. The actual number is determined at -runtime by the LDBM backend, depending on the block size of -the underlying device (i.e., the number you provide is rounded up -to the nearest multiple of a block size). +H3: Memory +Scale your cache to use available memory and increase system memory if you can. +More info here. -H2: The entry cache -The LDBM backend can be configured to keep a cache of -entries in memory. Since the LDBM database spends much of its -time reading entries from the id2entry file into memory, this cache -can greatly speed performance. The trade-off is that the cache -uses some extra memory. The default cache size is 1000 -entries. See the discussion of the cachesize option in Section -5.2.3 on LDBM configuration. +H3: Disks +Use fast subsystems. Put each database and logs on separate disks. +Example showing config settings -H2: The DB cache -The LDBM backend uses a number of disk-based index files. If -the underlying hash or B-tree package supports in-memory -caching of these files, performance can be greatly improved, -especially on modifies. The size of this in-memory file cache is -given by the dbcachesize option, discussed in more detail in -section 5.2.3 on LDBM configuration. The default {{EX: dbcachesize}} is -100K. 
+H3: Network Topology +http://www.openldap.org/faq/data/cache/363.html +Drawing here. -H2: Maintain the right indices -Finally, one of the best performance tune-ups you can do is to -make sure you are maintaining the right indices. Too few indices -can lead to poor search performance. Too many indices can -lead to poor update performance. For example, the LDBM -backend would be perfectly happy to maintain substring and -approximate indices for the {{EX: objectclass attribute}}, but this would -not be useful and would just slow down update operations. If -your database has many entries and is handling queries for -substring equality on the surname attribute, you should make -sure to maintain a surname substring index so these queries are -answered quickly. +H3: Directory Layout Design -So, take a look at the index lines in your slapd configuration file to -ensure that only those indices that make sense and are needed -are being maintained. +Reference to other sections and good/bad drawing here. + +H3: Expected Usage + +Discussion. + + +H2: Indexes + +H3: Understanding how a search works + +If you're searching on a filter that has been indexed, then the search reads +the index and pulls exactly the entries that are referenced by the index. +If the filter term has not been indexed, then the search must read every single + entry in the target scope and test to see if each entry matches the filter. +Obviously indexing can save a lot of work when it's used correctly. + +H3: What to index + +You should create indices to match the actual filter terms used in +search queries. + +> index cn,sn,givenname,mail eq + +Each attribute index can be tuned further by selecting the set of index types to generate. For example, substring and approximate search for organizations (o) may make little sense (and isn't like done very often). And searching for {{userPassword}} likely makes no sense what so ever. + +General rule: don't go overboard with indexes. 
Unused indexes must be maintained and hence can only slow things down. + +See {{slapd.conf}}(8) and {{slapdindex}}(8) for more information + + +H3: Presence indexing + +If your client application uses presence filters and if the +target attribute exists on the majority of entries in your target scope, then +all of those entries are going to be read anyway, because they are valid +members of the result set. In a subtree where 100% of the +entries are going to contain the same attributes, the presence index does +absolutely NOTHING to benefit the search, because 100% of the entries match +that presence filter. + +So the resource cost of generating the index is a +complete waste of CPU time, disk, and memory. Don't do it unless you know +that it will be used, and that the attribute in question occurs very +infrequently in the target data. + +Almost no applications use presence filters in their search queries. Presence +indexing is pointless when the target attribute exists on the majority of +entries in the database. In most LDAP deployments, presence indexing should +not be done, it's just wasted overhead. + +See the {{Logging}} section below on what to watch our for if you have a frequently searched +for attribute that is unindexed. + + +H2: Logging + +H3: What log level to use + +The default of {{loglevel 256}} is really the best bet. There's a corollary to +this when problems *do* arise, don't try to trace them using syslog. +Use the debug flag instead, and capture slapd's stderr output. syslog is too +slow for debug tracing, and it's inherently lossy - it will throw away messages when it +can't keep up. + +Contrary to popular belief, {{loglevel 0}} is not ideal for production as you +won't be able to track when problems first arise. 
+ +H3: What to watch out for + +The most common message you'll see that you should pay attention to is: + +> "<= bdb_equality_candidates: (foo) index_param failed (18)" + +That means that some application tried to use an equality filter ({{foo=<somevalue>}}) +and attribute {{foo}} does not have an equality index. If you see a lot of these +messages, you should add the index. If you see one every month or so, it may +be acceptable to ignore it. + +The default syslog level is 256 which logs the basic parameters of each +request; it usually produces 1-3 lines of output. On Solaris and systems that +only provide synchronous syslog, you may want to turn it off completely, but +usually you want to leave it enabled so that you'll be able to see index +messages whenever they arise. On Linux you can configure syslogd to run +asynchronously, in which case the performance hit for moderate syslog traffic +pretty much disappears. + +H3: Improving throughput + +You can improve logging performance on some systems by configuring syslog not +to sync the file system with every write ({{man syslogd/syslog.conf}}). In Linux, +you can prepend the log file name with a "-" in {{syslog.conf}}. For example, +if you are using the default LOCAL4 logging you could try: + +> # LDAP logs +> LOCAL4.* -/var/log/ldap + +For syslog-ng, add or modify the following line in {{syslog-ng.conf}}: + + options { sync(n); }; + +where n is the number of lines which will be buffered before a write. + + +H2: BDB/HDB Database Caching + +We all know what caching is, don't we? + +In brief, "A cache is a block of memory for temporary storage of data likely +to be used again" - {{URL:http://en.wikipedia.org/wiki/Cache}} + +There are 3 types of caches, BerkeleyDB's own cache, {{slapd}}(8) +entry cache and {{TERM:IDL}} (IDL) cache. + + +H3: Berkeley DB Cache + +BerkeleyDB's own data cache operates on page-sized blocks of raw data. 
+ +Note that while the {{TERM:BDB}} cache is just raw chunks of memory and +configured as a memory size, the {{slapd}}(8) entry cache holds parsed entries, +and the size of each entry is variable. + +There is also an IDL cache which is used for Index Data Lookups. +If you can fit all of your database into slapd's entry cache, and all of your +index lookups fit in the IDL cache, that will provide the maximum throughput. + +If not, but you can fit the entire database into the BDB cache, then you +should do that and shrink the slapd entry cache as appropriate. + +Failing that, you should balance the BDB cache against the entry cache. + +It is worth noting that it is not absolutely necessary to configure a BerkeleyDB +cache equal in size to your entire database. All that you need is a cache +that's large enough for your "working set." + +That means, large enough to hold all of the most frequently accessed data, +plus a few less-frequently accessed items. + +ORACLE LINKS HERE + +H4: Calculating Cachesize + +The back-bdb database lives in two main files, {{F:dn2id.bdb}} and {{F:id2entry.bdb}}. +These are B-tree databases. We have never documented the back-bdb internal +layout before, because it didn't seem like something anyone should have to worry +about, nor was it necessarily cast in stone. But here's how it works today, +in OpenLDAP 2.4. + +A B-tree is a balanced tree; it stores data in its leaf nodes and bookkeeping +data in its interior nodes (If you don't know what tree data structures look + like in general, Google for some references, because that's getting far too +elementary for the purposes of this discussion). + +For decent performance, you need enough cache memory to contain all the nodes +along the path from the root of the tree down to the particular data item +you're accessing. That's enough cache for a single search. For the general case, +you want enough cache to contain all the internal nodes in the database. 
+ +> db_stat -d + +will tell you how many internal pages are present in a database. You should +check this number for both dn2id and id2entry. + +Also note that {{id2entry}} always uses 16KB per "page", while {{dn2id}} uses whatever +the underlying filesystem uses, typically 4 or 8KB. To avoid thrashing the, +your cache must be at least as large as the number of internal pages in both +the {{dn2id}} and {{id2entry}} databases, plus some extra space to accommodate the actual +leaf data pages. + +For example, in my OpenLDAP 2.4 test database, I have an input LDIF file that's +about 360MB. With the back-hdb backend this creates a {{dn2id.bdb}} that's 68MB, +and an {{id2entry}} that's 800MB. db_stat tells me that {{dn2id}} uses 4KB pages, has +433 internal pages, and 6378 leaf pages. The id2entry uses 16KB pages, has 52 +internal pages, and 45912 leaf pages. In order to efficiently retrieve any +single entry in this database, the cache should be at least + +> (433+1) * 4KB + (52+1) * 16KB in size: 1736KB + 848KB =~ 2.5MB. + +This doesn't take into account other library overhead, so this is even lower +than the barest minimum. The default cache size, when nothing is configured, +is only 256KB. + +This 2.5MB number also doesn't take indexing into account. Each indexed attribute +uses another database file of its own, using a Hash structure. + +Unlike the B-trees, where you only need to touch one data page to find an entry +of interest, doing an index lookup generally touches multiple keys, and the +point of a hash structure is that the keys are evenly distributed across the +data space. That means there's no convenient compact subset of the database that +you can keep in the cache to insure quick operation, you can pretty much expect +references to be scattered across the whole thing. My strategy here would be to +provide enough cache for at least 50% of all of the hash data. 
+ +> (Number of hash buckets + number of overflow pages + number of duplicate pages) * page size / 2. + +The objectClass index for my example database is 5.9MB and uses 3 hash buckets +and 656 duplicate pages. So: + +> ( 3 + 656 ) * 4KB / 2 =~ 1.3MB. + +With only this index enabled, I'd figure at least a 4MB cache for this backend. +(Of course you're using a single cache shared among all of the database files, +so the cache pages will most likely get used for something other than what you +accounted for, but this gives you a fighting chance.) + +With this 4MB cache I can slapcat this entire database on my 1.3GHz PIII in +1 minute, 40 seconds. With the cache doubled to 8MB, it still takes the same 1:40s. +Once you've got enough cache to fit the B-tree internal pages, increasing it +further won't have any effect until the cache really is large enough to hold +100% of the data pages. I don't have enough free RAM to hold all the 800MB +id2entry data, so 4MB is good enough. + +With back-bdb and back-hdb you can use "db_stat -m" to check how well the +database cache is performing. + + +H3: {{slapd}}(8) Entry Cache + +The {{slapd}}(8) entry cache operates on decoded entries. The rationale - entries +in the entry cache can be used directly, giving the fastest response. If an entry +isn't in the entry cache but can be extracted from the BDB page cache, that will +avoid an I/O but it will still require parsing, so this will be slower. + +If the entry is in neither cache then BDB will have to flush some of its current +cached pages and bring in the needed pages, resulting in a couple of expensive +I/Os as well as parsing. + +As far as balancing the entry cache vs the BDB cache - parsed entries in memory +are generally about twice as large as they are on disk. + +As we have already mentioned, not having a proper database cache size will +cause performance issues. These issues are not an indication of corruption +occurring in the database. 
It is merely the fact that the cache is thrashing +itself that causes performance/response time to slowdown. + + +MOVE BELOW AROUND: + + +If you want to setup the cache size, please read: + + (Xref) How do I configure the BDB backend? + (Xref) What are the DB_CONFIG configuration directives? + http://www.sleepycat.com/docs/utility/db_recover.html + +A default config can be found in the answer: + + (Xref) What are the DB_CONFIG configuration directives? + +just change the set_lg_dir to point to your .log directory or comment that line. + +Quick guide: +* Create a DB_CONFIG file in your ldap home directory (/var/lib/ldap/DB_CONFIG) with the correct "set_cachesize" value +* stop your ldap server and run db_recover -h /var/lib/ldap +* start your ldap server and check the new cache size with: + + db_stat -h /var/lib/ldap -m | head -n 2 + +* this procedure is only needed if you use OpenLDAP 2.2 with the BDB or HDB backends; In OpenLDAP 2.3 DB recovery is performed automatically whenever the DB_CONFIG file is changed or when an unclean shutdown is detected. + + +--On Tuesday, February 22, 2005 12:15 PM -0500 Dusty Doris <openldap@mail.doris.cc> wrote: + + Few questions, if you change the cachesize and idlecachesize entries, do + you have to do anything special aside from restarting slapd, such as run + slapindex or db_recover? + + + Also, is there any way to tell how much memory these caches are taking up + to make sure they are not set too large? What happens if you set your + cachesize too large and you don't have enough available memory to store + these? Will that cause an issue with openldap, or will it just not cache + those entries that would make it exceed its available memory. Will it + just use some sort of FIFO on those caches? + + +It will consume the memory resources of your system, and likely cause issues. + + Finally, what do most people try to achieve with these values? Would the + goal be to make these as big as the directory? 
So, if I have 400,000 dn's + in my directory, would it be safe to set these at 400000 or would + something like 20,000 be good enough to get a nice performance increase? + + +I try to cache the most actively used entries. Unless you expect all 400,000 entries of your DB to be accessed regularly, there is no need to cache that many entries. My entry cache is set to 20,000 (out of a little over 400,000 entries). + +The idlcache has to do with how many unique result sets of searches you want to store in memory. Setting up this cache will allow your most frequently placed searches to get results much faster, but I doubt you want to try and cache the results of every search that hits your system. ;) + +--Quanah + + +H3: {{TERM:IDL}} Cache + + +http://www.openldap.org/faq/data/cache/1076.html diff --git a/doc/guide/plain.sdf b/doc/guide/plain.sdf index 57c59b4c9a..4e8c538589 100644 --- a/doc/guide/plain.sdf +++ b/doc/guide/plain.sdf @@ -13,7 +13,7 @@ !macro HTML_FOOTER {{INLINE:<FONT COLOR="#808080" FACE="Arial,Verdana,Helvetica" SIZE="1">}} {{INLINE:<B>________________<BR><SMALL>}} -[[c]] Copyright 2005, +[[c]] Copyright 2007, {{INLINE:<A HREF="/foundation/">OpenLDAP Foundation</A>}}, {{EMAIL: info@OpenLDAP.org}} {{INLINE:</SMALL><BR></B></FONT>}} diff --git a/doc/guide/preamble.sdf b/doc/guide/preamble.sdf index 4bdff5c537..46562992da 100644 --- a/doc/guide/preamble.sdf +++ b/doc/guide/preamble.sdf @@ -132,7 +132,7 @@ CVS|http://www.cvshome.org/ Cyrus|http://cyrusimap.web.cmu.edu/generalinfo.html Cyrus SASL|http://asg.web.cmu.edu/sasl/sasl-library.html GNU|http://www.gnu.org/software/ -GDBM|http://www.gnu.org/software/gdbm/ +GnuTLS|http://www.gnu.org/software/gnutls/ Heimdal|http://www.pdc.kth.se/heimdal/ JLDAP|http://www.openldap.org/jldap/ MIT Kerberos|http://web.mit.edu/kerberos/www/ 
@@ -142,7 +142,6 @@ OpenLDAP ITS|http://www.openldap.org/its/ OpenLDAP Software|http://www.openldap.org/software/ OpenSSL|http://www.openssl.org/ Perl|http://www.perl.org/ -TCL|http://www.tcl.tk/ SDF|http://search.cpan.org/src/IANC/sdf-2.001/doc/catalog.html UMLDAP|http://www.umich.edu/~dirsvcs/ldap/ldap.html !endblock @@ -209,6 +208,7 @@ IDNA|Internationalized Domain Names in Applications IDN|Internationalized Domain Name ID|Identification ID|Identifier +IDL|Index Data Lookups IP|Internet Protocol IPC|Inter-process communication IPsec|Internet Protocol Security @@ -232,6 +232,7 @@ OSI|Open Systems Interconnect OTP|One Time Password PDU|Protocol Data Unit PEM|Privacy Enhanced eMail +PEN|Private Enterprise Number PKCS|Public Key Cryptosystem PKI|Public Key Infrastructure PKIX|Public Key Infrastructure (X.509) diff --git a/doc/guide/release/copyright.sdf b/doc/guide/release/copyright.sdf index 204015082b..2050f462a6 100644 --- a/doc/guide/release/copyright.sdf +++ b/doc/guide/release/copyright.sdf @@ -55,9 +55,11 @@ Public License}}. !block nofill -Portions [[copyright]] 1999-2005 Howard Y.H. Chu. -Portions [[copyright]] 1999-2005 Symas Corporation. +Portions [[copyright]] 1999-2007 Howard Y.H. Chu. +Portions [[copyright]] 1999-2007 Symas Corporation. Portions [[copyright]] 1998-2003 Hallvard B. Furuseth. +Portions [[copyright]] 2007 Gavin Henry +Portions [[copyright]] 2007 Suretec Systems {{All rights reserved.}} !endblock -- GitLab