Re: LDAP Binding - solved



Thanks so much for your help, Joe. It enabled me to tease a few things out
of the boys on the other end, and I finally got things working. Attached see
full sample code to bind successfully to OpenLDAP server.

Issues:

1) They are using some odd Certificate authority known by no one. It only
worked at all (for them) because the Java libraries they were using did not
check. Hooking the SSL bind Cert event and returning true solved that.

2) They set sample code for the Authorization Binding in ColdFusion which
explicitly suggested that a BASE binding was required for Authorization, and
SUBTREE for lookups. Subtree is required for all.

3) The user account is actually the Employee ID (PID) built in to a
distinguished name. I had to use
secureDistinguishedName = = "pid={pid},dc=unc,dc=edu"

as the Account portion of the Credential. The process turned into:



- User Enters Account/Password

- Use anonymous non-SSL look-up to find PID

- Bind using PID-DistinguishedName/Password





After that it worked no problem.



The attached partial class assumes a simple form, with two entry fields, and
two buttons - one to look up and one to authorize.



Thanks again



tc




"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:OU7Qi02iHHA.4164@xxxxxxxxxxxxxxxxxxxxxxx
I think your main problem here is that you are doing a Base level query in
SDS.P and doing a Subtree query (the default) in SDS, so your searches are
not equivalent. Try setting the scope to subtree. I also have a feeling
like your code to create your array of strings as your attribute list
might
not be working correctly. You might consider using this method of
declaring
an array of known strings:

string[] shortList = new string[] {"dn", "pid", "givenName"};

Try that out and see if it works. Once you are finding matches, then the
rest should be in returning the results.

If you want to switch to SSL LDAP and don't have an easy way of dealing
with
certificate trust issues in Windows, then you can use SDS.P with the
VerifyServerCertificateCallback to essentially tell Windows to ignore any
SSL errors encountered. It would seem like that is your primary motivator
for switching to SDS.P in the first case, since you have the search
working
ok with SDS.

With SDS, note that if you want to do a true anonymous search (no LDAP
bind
operation), then you can specify empty strings for username and password
and
use AuthenticationTypes.Anonymous. If you want to do the LDAP "anonymous
user" bind, you typically do a simple bind (AuthenticationTypes.None) with
a
username and empty string password. They are semantically a little
different, so it depends on what the server wants. If you want to
authenticate, then that's different. :)

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Toby Considine (UNC)" <Toby.Considine.nospam@xxxxxxx> wrote in message
news:e2KkrO2iHHA.1000@xxxxxxxxxxxxxxxxxxxxxxx
OK - I'm trying to bind securely to a third party LDAP Server. Following
the advice above. I have switched to the DirectoryServices.Protocols
(SS.P) rather than the AD oriented SS protocols.Problem is, I can't bind.
Heck, I can't even query. So assuming I want to use the SS.P Stack, I
figured if I could get the base query to work, I could thenm debug the
BINDing.



First, all the common information:



private string server = "ldap.unc.edu:389";

private string secureServer = "ldap.unc.edu:636";

private string distinguishedName = "dc=dum,dc=edu";

LdapDirectoryIdentifier idPublic;

LdapDirectoryIdentifier idSecure;

private string[] shortList;

private string[] longList;



protected void Page_Load(object sender, EventArgs e)

{

idPublic = new LdapDirectoryIdentifier(server);

idSecure = new LdapDirectoryIdentifier(secureServer);

shortList = "dn,pid,givenName".Split("'".ToCharArray());

longList =
"displayname,givenname,sn,ou,title,postaladdress,mail,telephoneNumber,pid,uid,facsimileTelephoneNumber".Split("'".ToCharArray());





Next, the first format, using the AD Aware stack works.



private string FindEntry(string Account)

{

string filterString;

string displayName = string.Empty;

System.DirectoryServices.SearchResultCollection results;

try

{

filterString = String.Format("(&(objectClass=Staff)
(uid={0}))", Account); ;

DirectoryEntry de = new DirectoryEntry(

string.Format(@"LDAP://{0}/{1}";,

server,

distinguishedName )

);

de.AuthenticationType = AuthenticationTypes.None; //Thanks
Ralph!

DirectorySearcher ds = new DirectorySearcher(de);

ds.Filter = filterString;

ds.PropertiesToLoad.Add("displayname");

ds.PropertiesToLoad.Add("givenname");

ds.PropertiesToLoad.Add("sn");

ds.PropertiesToLoad.Add("pid");

ds.PropertiesToLoad.Add("uid");

results = ds.FindAll();



if (results.Count == 0)

{

displayName = null;

return displayName;

}

foreach (SearchResult resEnt in results)

{

ResultPropertyCollection propcoll = resEnt.Properties;

foreach (string key in propcoll.PropertyNames)

{

foreach (object value in propcoll[key])

{

if (key.ToString().StartsWith("displayname"))

{

displayName = value.ToString();

}

}

}

}

}

return displayName;

}

}



Second Format using SS.P Only, no longer throws errors, but always
returns
0 matches. What am I missing?





private bool tryLookup( string Account)

{

LdapConnection ldap = new LdapConnection(

idPublic,

null,

AuthType.Anonymous);

ldap.Bind();



string filter = String.Format("(&(objectClass=Staff) (uid={0}))",
Account); ;



SearchRequest request = new SearchRequest(

distinguishedName,

filter,

System.DirectoryServices.Protocols.SearchScope.Base,

shortList

);

SearchResponse response =
(SearchResponse)ldap.SendRequest(request);



//lblDebug.Text = request.RequestId.

if (response.ResultCode != ResultCode.Success)

throw new Exception(response.ErrorMessage);



lblDebug.Text = response.Entries.Count.ToString();

//foreach (SearchResultEntry result in response.Entries)



SearchResultEntryCollection sre = response.Entries;

foreach (SearchResultEntry result in sre)

{

lblDebug.Text = String.Format(

"{0}<br>{1}",

lblDebug.Text,

result.DistinguishedName

);

}

lblDebug.Text = String.Format(

"{0}<br>{1}",

lblDebug.Text,

filter

);












"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:OHOhDjHiHHA.4552@xxxxxxxxxxxxxxxxxxxxxxx
It sounds like an SSL error. "Server not available" is the standard
error message if the SSL connection cannot be negotiated. Are you
certain the directory supports SSL? If you are, it is likely a
certificate trust issue or a name mismatch.

For the name mismatch, just make sure you are binding using the same DNS
on the cert as what you use in your binding string. If there is a trust
issue, you need to make sure the root CA in the cert chain of the
server's cert is in the trusted roots container in the machine store.

If you want, you can also recode the whole thing using S.DS.Protocols
instead. With it, you can hook the SSL handshake via the
VerifyServerCertificateCallback and override the SSL validation to
potentially ignore the error if you like. S.DS.Protocols might make
some
OpenLDAP stuff easier to deal with as well (although S.DS might work
ok).

I hope that helps,

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Toby Considine (UNC)" <Toby.Considine.nospam@xxxxxxx> wrote in message
news:997D10C5-A28B-4FB5-9E05-B3956A7112D1@xxxxxxxxxxxxxxxx
I am at a University wherein , use OpenLDAP for the central security. I
am trying to create a standard MemberShip provider to allow those of us
who like to program in asp.net to develop identity aware applications
for
IIS servers. (asp.net 2.0)

I can bind to the LDAP server anonymously. I can query same using the
normal DirectoryService namespace.

Every time I try to bind with a users account and password under SSL to
log the user in, I fail, with a "Server Not Available". I can use the
same connection string with the Anonymous settings and query
information
on the user just fine.

I see lots of people with similar problems on the web. Has anyone
solved
this?

thanks

tc









begin 666 Default.aspx.cs
M=7-I;F<@4WES=&5M.PT*=7-I;F<@4WES=&5M+D1A=&$[#0IU<VEN9R!3>7-T
M96TN0V]L;&5C=&EO;G,N1V5N97)I8SL-"G5S:6YG(%-Y<W1E;2Y#;VYF:6=U
M<F%T:6]N.PT*=7-I;F<@4WES=&5M+D1I<F5C=&]R>5-E<G9I8V5S+E!R;W1O
M8V]L<SL-"G5S:6YG(%-Y<W1E;2Y.970[#0IU<VEN9R!3>7-T96TN4V5C=7)I
M='DN0W)Y<'1O9W)A<&AY+E@U,#E#97)T:69I8V%T97,[#0IU<VEN9R!3>7-T
M96TN5V5B.PT*=7-I;F<@4WES=&5M+E=E8BY396-U<FET>3L-"G5S:6YG(%-Y
M<W1E;2Y796(N54D[#0IU<VEN9R!3>7-T96TN5V5B+E5)+E=E8D-O;G1R;VQS
M.PT*=7-I;F<@4WES=&5M+E=E8BY522Y796)#;VYT<F]L<RY796)087)T<SL-
M"G5S:6YG(%-Y<W1E;2Y796(N54DN2'1M;$-O;G1R;VQS.PT*#0IP=6)L:6,@
M<&%R=&EA;"!C;&%S<R!?1&5F875L=" Z(%-Y<W1E;2Y796(N54DN4&%G92 -
M"GL-"B @("!P<FEV871E('-T871I8R!3;W)T961$:6-T:6]N87)Y/$1A=&54
M:6UE+"!S=')I;F<^(')E<W5L=',@/2!N97<@4V]R=&5D1&EC=&EO;F%R>3Q$
M871E5&EM92P@<W1R:6YG/B@xxxx*(" @('!R:79A=&4@<W1R:6YG('-E<G9E
M<B ](")L9&%P+G5N8RYE9'4Z,S@Y(CL-"B @("!P<FEV871E('-T<FEN9R!S
M96-U<F5397)V97(@/2 B;&1A<"YU;F,N961U.C8S-B([#0H@(" @<')I=F%T
M92!S=')I;F<@9&ES=&EN9W5I<VAE9$YA;64@/2 B9&,]=6YC+&1C/65D=2([
M#0H@(" @3&1A<$1I<F5C=&]R>4ED96YT:69I97(@:610=6)L:6,[#0H@(" @
M3&1A<$1I<F5C=&]R>4ED96YT:69I97(@:61396-U<F4[#0H-"B @("!P<FEV
M871E('-T<FEN9UM=(&)I;F1,:7-T.PT*(" @('!R:79A=&4@<W1R:6YG6UT@
M<VAO<G1,:7-T.PT*(" @('!R:79A=&4@<W1R:6YG6UT@;&]N9TQI<W0[#0H-
M"B @("!P<F]T96-T960@=F]I9"!086=E7TQO860H;V)J96-T('-E;F1E<BP@
M179E;G1!<F=S(&4I#0H@(" @>PT*(" @(" @("!I9%!U8FQI8R ](&YE=R!,
M9&%P1&ER96-T;W)Y261E;G1I9FEE<BAS97)V97(I.PT*(" @(" @("!I9%-E
M8W5R92 ](&YE=R!,9&%P1&ER96-T;W)Y261E;G1I9FEE<BAS96-U<F5397)V
M97(I.PT*(" @(" @("!B:6YD3&ES=" ](")D:7-P;&%Y;F%M92QO=2(N4W!L
M:70H(BPB+E1O0VAA<D%R<F%Y*"DI.PT*(" @(" @("!S:&]R=$QI<W0@/2 B
M9&XL<&ED+&=I=F5N3F%M92(N4W!L:70H(BPB+E1O0VAA<D%R<F%Y*"DI.PT*
M(" @(" @("!L;VYG3&ES=" ](")D:7-P;&%Y;F%M92QG:79E;FYA;64L<VXL
M;W4L=&ET;&4L<&]S=&%L861D<F5S<RQM86EL+'1E;&5P:&]N94YU;6)E<BQP
M:60L=6ED+&9A8W-I;6EL951E;&5P:&]N94YU;6)E<B(N4W!L:70H(BPB+E1O
M0VAA<D%R<F%Y*"DI.PT*(" @(" @(" -"B @(" @(" @:68@*"%086=E+DES
M4&]S=$)A8VLI#0H@(" @(" @('L-"B @(" @(" @?0T*(" @('T-"B @(" -
M"B @("!P<F]T96-T960@=F]I9"!B=&Y,;V]K=7!?0VQI8VLH;V)J96-T('-E
M;F1E<BP@179E;G1!<F=S(&4I#0H@(" @>PT*(" @(" @("!B;V]L($]+(#T@
M;&]O:W5P57-I;F=34U H='AT06-C;W5N="Y497AT*3L-"B @("!]#0H-"B @
M("!P<F]T96-T960@=F]I9"!B=&Y,;V=I;E]#;&EC:RAO8FIE8W0@<V5N9&5R
M+"!%=F5N=$%R9W,@92D-"B @("![#0H@(" @(" @('-T<FEN9R!P:60@/2!L
M;V]K=7!0:615<VEN9U-34"AT>'1!8V-O=6YT+E1E>'0I.PT*(" @(" @("!I
M9B H<&ED("$]('-T<FEN9RY%;7!T>2D-"B @(" @(" @>PT*(" @(" @(" @
M(" @;&)L4F5S=6QT+E1E>'0@/2!S=')I;F<N1F]R;6%T*")';W0@4$E$('LP
M?2(L('!I9"D[#0H@(" @(" @(" @("!B;V]L($]+(#T@;&]G:6Y5<VEN9U-3
M4"AT>'1!8V-O=6YT+E1E>'0L('1X=%!A<W-W;W)D+E1E>'0I.PT*(" @(" @
M(" @(" @:68@*$]+*0T*(" @(" @(" @(" @(" @(&QB;%)E<W5L="Y497AT
M(#T@(DQO9V=E9"!);B([#0H@(" @(" @(" @("!E;'-E#0H@(" @(" @(" @
M(" @(" @;&)L4F5S=6QT+E1E>'0@/2 B9F%I;&5D(CL-"B @(" @(" @?0T*
M(" @(" @("!E;'-E#0H@(" @(" @(" @("!L8FQ297-U;'0N5&5X=" ]('-T
M<FEN9RY&;W)M870H(GLP?2!N;W0@9F]U;F0B+"!T>'1!8V-O=6YT*3L-"B @
M("!]#0H-"B @("!P<FEV871E('-T<FEN9R!L;V]K=7!0:615<VEN9U-34"AS
M=')I;F<@06-C;W5N="D-"B @("![#0H@(" @(" @('-T<FEN9R!P:60@/2!S
M=')I;F<N16UP='D[#0H@(" @(" @($QD87!#;VYN96-T:6]N(&QD87 @/2!N
M97<@3&1A<$-O;FYE8W1I;VXH#0H@(" @(" @(" @("!I9%!U8FQI8RP-"B @
M(" @(" @(" @(&YU;&PL#0H@(" @(" @(" @("!!=71H5'EP92Y!;F]N>6UO
M=7,I.PT*#0H@(" @(" @(&QD87 N0FEN9"@I.PT*#0H@(" @(" @('-T<FEN
M9R!F:6QT97(@/2!3=')I;F<N1F]R;6%T*"(H)BAO8FIE8W1#;&%S<SU53D-3
M=&%F9BD@*'5I9#U[,'TI*2(L($%C8V]U;G0I.R [#0H-"B @(" @(" @4V5A
M<F-H4F5Q=65S="!R97%U97-T(#T@;F5W(%-E87)C:%)E<75E<W0H#0H@(" @
M(" @(" @("!D:7-T:6YG=6ES:&5D3F%M92P-"B @(" @(" @(" @(&9I;'1E
M<BP-"B @(" @(" @(" @(%-Y<W1E;2Y$:7)E8W1O<GE397)V:6-E<RY0<F]T
M;V-O;',N4V5A<F-H4V-O<&4N4W5B=')E92P-"B @(" @(" @(" @('-H;W)T
M3&ES= T*(" @(" @(" I.PT*(" @(" @("!396%R8VA297-P;VYS92!R97-P
M;VYS92 ]("A396%R8VA297-P;VYS92EL9&%P+E-E;F1297%U97-T*')E<75E
M<W0I.PT*#0H@(" @(" @("\O;&)L1&5B=6<N5&5X=" ](')E<75E<W0N4F5Q
M=65S=$ED+@T*(" @(" @("!I9B H<F5S<&]N<V4N4F5S=6QT0V]D92 A/2!2
M97-U;'1#;V1E+E-U8V-E<W,I#0H@(" @(" @(" @("!T:')O=R!N97<@17AC
M97!T:6]N*')E<W!O;G-E+D5R<F]R365S<V%G92D[#0H@(" @(" @(%-E87)C
M:%)E<W5L=$5N=')Y0V]L;&5C=&EO;B!S<F4@/2!R97-P;VYS92Y%;G1R:65S
M.PT*(" @(" @("!F;W)E86-H("A396%R8VA297-U;'1%;G1R>2!R97-U;'0@
M:6X@<W)E*0T*(" @(" @("![#0H@(" @(" @(" @("!L8FQ$96)U9RY497AT
M(#T@4W1R:6YG+D9O<FUA="@-"B @(" @(" @(" @(" @(" B>S!]/&)R/CQB
M/GLQ?3PO8CXB+ T*(" @(" @(" @(" @(" @(&QB;$1E8G5G+E1E>'0L#0H@
M(" @(" @(" @(" @(" @<F5S=6QT+D1I<W1I;F=U:7-H961.86UE#0H@(" @
M(" @(" @(" I.PT*(" @(" @(" @(" @9F]R96%C:" H4WES=&5M+D-O;&QE
M8W1I;VYS+D1I8W1I;VYA<GE%;G1R>2!E;G1R>2!I;B!R97-U;'0N071T<FEB
M=71E<RD-"B @(" @(" @(" @('L-"B @(" @(" @(" @(" @("!I9B H96YT
M<GDN2V5Y+E1O4W1R:6YG*"D@/3T@(G!I9"(I#0H@(" @(" @(" @(" @(" @
M>PT*(" @(" @(" @(" @(" @(" @("!$:7)E8W1O<GE!='1R:6)U=&4@9&$@
M/2 H1&ER96-T;W)Y071T<FEB=71E*65N=')Y+E9A;'5E.PT*(" @(" @(" @
M(" @(" @(" @("!P:60@/2!D85LP72Y4;U-T<FEN9R@xxxx*(" @(" @(" @
M(" @(" @('T-"B @(" @(" @(" @('T-"@T*(" @(" @("!]#0H@(" @(" @
M(')E='5R;B!P:60[#0H@(" @?0T*#0H@(" @<')I=F%T92!B;V]L(&QO9VEN
M57-I;F=34U H<W1R:6YG($%C8V]U;G0L('-T<FEN9R!087-S=V]R9"D-"B @
M("![#0H@(" @(" @('-T<FEN9R!P:60@/2!L;V]K=7!0:615<VEN9U-34"A!
M8V-O=6YT*3L-"B @(" @(" @:68@*'!I9" ]/2!S=')I;F<N16UP='DI#0H@
M(" @(" @(" @("!R971U<FX@9F%L<V4[#0H@(" @(" @(&)O;VP@<W5C8V5S
M<R ](&9A;'-E.PT*(" @(" @("!S=')I;F<@<V5C=7)E1&ES=&EN9W5I<VAE
M9$YA;64@/2!S=')I;F<N1F]R;6%T* T*(" @(" @(" @(" @(G!I9#U[,'TL
M>S%](BP-"B @(" @(" @(" @('!I9"P-"B @(" @(" @(" @(&1I<W1I;F=U
M:7-H961.86UE#0H@(" @(" @("D[#0H@(" @(" @($YE='=O<FM#<F5D96YT
M:6%L(&-R960@/2!N97<@3F5T=V]R:T-R961E;G1I86PH<V5C=7)E1&ES=&EN
M9W5I<VAE9$YA;64L(%!A<W-W;W)D*3L-"@T*(" @(" @("!,9&%P0V]N;F5C
M=&EO;B!L9&%P(#T@;F5W($QD87!#;VYN96-T:6]N* T*(" @(" @(" @(" @
M:61396-U<F4L#0H@(" @(" @(" @("!N=6QL+ T*(" @(" @(" @(" @075T
M:%1Y<&4N0F%S:6,I.PT*#0H@(" @(" @(&QD87 N4V5S<VEO;D]P=&EO;G,N
M5F5R:69Y4V5R=F5R0V5R=&EF:6-A=&4@/2!N97<@5F5R:69Y4V5R=F5R0V5R
M=&EF:6-A=&5#86QL8F%C:RA397)V97)#86QL8F%C:RD[#0H@(" @(" @(&QD
M87 N4V5S<VEO;D]P=&EO;G,N4')O=&]C;VQ697)S:6]N(#T@,SL-"B @(" @
M(" @;&1A<"Y397-S:6]N3W!T:6]N<RY396-U<F53;V-K971,87EE<B ]('1R
M=64[#0H-"B @(" @(" @=')Y#0H@(" @(" @('L-"B @(" @(" @(" @(&QD
M87 N0FEN9"AC<F5D*3L-"B @(" @(" @(" @('-U8V-E<W,@/2!T<G5E.PT*
M(" @(" @("!]#0H@(" @(" @(&-A=&-H("A,9&%P17AC97!T:6]N(&4I#0H@
M(" @(" @('L-"B @(" @(" @(" @(&QB;$1E8G5G+E1E>'0@/2!S=')I;F<N
M1F]R;6%T*")#<F5D96YT:6%L('9A;&ED871I;VX@9F]R(%5S97(@86-C;W5N
M="![,'T@=7-I;F<@<W-L(&9A:6QE9#QB<B O/DQD87!%>&-E<'1I;VXZ('LQ
M?3QB<B O/GLR?2(L#0H@(" @(" @(" @(" @(" @06-C;W5N="P-"B @(" @
M(" @(" @(" @("!E+D5R<F]R0V]D92P-"B @(" @(" @(" @(" @("!E+DUE
M<W-A9V4-"B @(" @(" @(" @(" @(" I.PT*(" @(" @("!]#0H@(" @(" @
M(&-A=&-H("A$:7)E8W1O<GE/<&5R871I;VY%>&-E<'1I;VX@92D-"B @(" @
M(" @>PT*(" @(" @(" @(" @;&)L1&5B=6<N5&5X=" ]('-T<FEN9RY&;W)M
M870H(D-R961E;G1I86P@=F%L:61A=&EO;B!F;W(@57-E<B!A8V-O=6YT('LP
M?2!U<VEN9R!S<VP@9F%I;&5D/&)R("\^1&ER96-T;W)Y3W!E<F%T:6]N17AC
M97!T:6]N.B![,7T\8G(O/B(L#0H@(" @(" @(" @(" @(" @06-C;W5N="P-
M"B @(" @(" @(" @(" @("!E+DUE<W-A9V4-"B @(" @(" @(" @(" @(" I
M.PT*(" @(" @("!]#0H-"B @(" @(" @<F5T=7)N('-U8V-E<W,[#0H@(" @
M?0T*#0H@(" @<')I=F%T92!B;V]L(&QO;VMU<%5S:6YG4U-0*'-T<FEN9R!!
M8V-O=6YT*0T*(" @('L-"B @(" @(" @3&1A<$-O;FYE8W1I;VX@;&1A<" ]
M(&YE=R!,9&%P0V]N;F5C=&EO;B@-"B @(" @(" @(" @(&ED4'5B;&EC+ T*
M(" @(" @(" @(" @;G5L;"P-"B @(" @(" @(" @($%U=&A4>7!E+D%N;VYY
M;6]U<RD[#0H-"B @(" @(" @;&1A<"Y":6YD*"D[#0H-"B @(" @(" @<W1R
M:6YG(&9I;'1E<B ](%-T<FEN9RY&;W)M870H(B@F*&]B:F5C=$-L87-S/55.
M0U-T869F*2 H=6ED/7LP?2DI(BP@06-C;W5N="D[(#L-"@T*(" @(" @("!3
M96%R8VA297%U97-T(')E<75E<W0@/2!N97<@4V5A<F-H4F5Q=65S="@-"B @
M(" @(" @(" @(&1I<W1I;F=U:7-H961.86UE+ T*(" @(" @(" @(" @9FEL
M=&5R+ T*(" @(" @(" @(" @4WES=&5M+D1I<F5C=&]R>5-E<G9I8V5S+E!R
M;W1O8V]L<RY396%R8VA38V]P92Y3=6)T<F5E+ T*(" @(" @(" @(" @;&]N
M9TQI<W0-"B @(" @(" @*3L-"B @(" @(" @4V5A<F-H4F5S<&]N<V4@<F5S
M<&]N<V4@/2 H4V5A<F-H4F5S<&]N<V4I;&1A<"Y396YD4F5Q=65S="AR97%U
M97-T*3L-"@T*(" @(" @(" O+VQB;$1E8G5G+E1E>'0@/2!R97%U97-T+E)E
M<75E<W1)9"X-"B @(" @(" @:68@*')E<W!O;G-E+E)E<W5L=$-O9&4@(3T@
M4F5S=6QT0V]D92Y3=6-C97-S*0T*(" @(" @(" @(" @=&AR;W<@;F5W($5X
M8V5P=&EO;BAR97-P;VYS92Y%<G)O<DUE<W-A9V4I.PT*#0H@(" @(" @(&QB
M;$1E8G5G+E1E>'0@/2!3=')I;F<N1F]R;6%T* T*(" @(" @(" @(" @(" @
M("),;V]K:6YG(&9O<B![,'T@+2T@9F]U;F0@>S%](BP-"B @(" @(" @(" @
M(" @("!F:6QT97(L#0H@(" @(" @(" @(" @(" @<F5S<&]N<V4N16YT<FEE
M<RY#;W5N="Y4;U-T<FEN9R@I#0H@(" @(" @(" @(" @(" @*3L-"@T*(" @
M(" @("!396%R8VA297-U;'1%;G1R>4-O;&QE8W1I;VX@<W)E(#T@<F5S<&]N
M<V4N16YT<FEE<SL-"B @(" @(" @9F]R96%C:" H4V5A<F-H4F5S=6QT16YT
M<GD@<F5S=6QT(&EN('-R92D-"B @(" @(" @>PT*(" @(" @(" @(" @;&)L
M1&5B=6<N5&5X=" ](%-T<FEN9RY&;W)M870H#0H@(" @(" @(" @(" @(" @
M(GLP?3QB<CX\8CY[,7T\+V(^(BP-"B @(" @(" @(" @(" @("!L8FQ$96)U
M9RY497AT+ T*(" @(" @(" @(" @(" @(')E<W5L="Y$:7-T:6YG=6ES:&5D
M3F%M90T*(" @(" @(" @(" @*3L-"B @(" @(" @(" @(&9O<F5A8V@@*%-Y
M<W1E;2Y#;VQL96-T:6]N<RY$:6-T:6]N87)Y16YT<GD@96YT<GD@:6X@<F5S
M=6QT+D%T=')I8G5T97,I#0H@(" @(" @(" @("![#0H@(" @(" @(" @(" @
M(" @1&ER96-T;W)Y071T<FEB=71E(&1A(#T@*$1I<F5C=&]R>4%T=')I8G5T
M92EE;G1R>2Y686QU93L-"B @(" @(" @(" @(" @("!L8FQ$96)U9RY497AT
M(#T@4W1R:6YG+D9O<FUA="@-"B @(" @(" @(" @(" @(" @(" @(GLP?3QB
M<CX\8CY[,7T\+V(^.B H>S)]*2 B+ T*(" @(" @(" @(" @(" @(" @("!L
M8FQ$96)U9RY497AT+ T*(" @(" @(" @(" @(" @(" @("!E;G1R>2Y+97DL
M#0H@(" @(" @(" @(" @(" @(" @(&1A+D-O=6YT#0H@(" @(" @(" @(" @
M(" @(" @("D[#0H@(" @(" @(" @(" @(" @9F]R("AI;G0@:2 ](# [(&D@
M/"!D82Y#;W5N=#L@:2 K/2 Q*0T*(" @(" @(" @(" @(" @('L-"B @(" @
M(" @(" @(" @(" @(" @;&)L1&5B=6<N5&5X=" ](%-T<FEN9RY&;W)M870H
M#0H@(" @(" @(" @(" @(" @(" @(" @(" B>S!]/&)R/GLQ?2(L#0H@(" @
M(" @(" @(" @(" @(" @(" @("!L8FQ$96)U9RY497AT+ T*(" @(" @(" @
M(" @(" @(" @(" @(" @9&%;:5TN5&]3=')I;F<H*0T*(" @(" @(" @(" @
M(" @(" @(" @(" @*3L-"@T*(" @(" @(" @(" @(" @('T-"B @(" @(" @
M(" @('T-"@T*(" @(" @("!]#0H@(" @(" @(')E='5R;B!F86QS93L-"B @
M("!]#0H-"B @(" @<'5B;&EC('-T871I8R!B;V]L(%-E<G9E<D-A;&QB86-K
M*"!,9&%P0V]N;F5C=&EO;B!C;VYN96-T:6]N+"!8-3 Y0V5R=&EF:6-A=&4@
M8V5R=&EF:6-A=&4@*0T*(" @('L-"B @(" @(" @6#4P.4-E<G1I9FEC871E
M,B!N97=#97)T(#T@;F5W(%@U,#E#97)T:69I8V%T93(H8V5R=&EF:6-A=&4I
M.PT*(" @(" @("!,9&%P1&ER96-T;W)Y261E;G1I9FEE<B!I9" ]("A,9&%P
M1&ER96-T;W)Y261E;G1I9FEE<BEC;VYN96-T:6]N+D1I<F5C=&]R>3L-"B @
M(" @(" @;&]C:R H<F5S=6QT<RD-"B @(" @(" @>PT*+R\@(" @(" @(" @
M("!R97-U;'1S+D%D9"AN97=#97)T+DYO=$%F=&5R+"!I9"Y397)V97)S6S!=
M+"!C97)T:69I8V%T92Y)<W-U97(@*3L-"B\O(" @(" @(" @(" @<F5S=6QT
M<RY!9&0H;F5W0V5R="Y.;W1!9G1E<BP@8V5R=&EF:6-A=&4N27-S=65R("D[
M#0H@(" @(" @('T-"B @(" @(" @+R]73"@B1V]T('-E<G9E<B B("L@:60N
M4V5R=F5R<ULP72D[#0H@(" @(" @(')E='5R;B!T<G5E.PT*(" @('T-"@T*
M(" @(" @(" O+VYA;64@/2 B3VYY96Y!=71H;B(-"B @(" @(" @+R]S96-U
M<F4@/2 B0T934TQ?0D%324,B#0H@(" @(" @("\O<V5R=F5R(#T@(FQD87 N
M=6YC+F5D=2(-"B @(" @(" @+R]P;W)T(#T@(C8S-B(-"B @(" @(" @+R]U
M<V5R;F%M92 ]("(C9F]R;2Y/;GEE;F1N(R(-"B @(" @(" @+R]P87-S=V]R
M9" ]("(C9F]R;2YO;GEE;E]P87-S=V]R9",B(" @( T*(" @(" @(" O+W-T
M87)T(#T@(B-F;W)M+D]N>65N9&XC(@T*(" @(" @(" O+W-C;W!E(#T@(F)A
M<V4B#0H@(" @(" @("\O871T<FEB=71E<R ](")D;BP@<&ED+"!G:79E;DYA
6;64B/B @(" @(" @(" -"B -"GT-"@``
`
end

.