From 159929181100c04167a6b8fce7a8efa54be67372 Mon Sep 17 00:00:00 2001
From: Przemyslaw Skibinski <przemyslaw.skibinski@percona.com>
Date: Thu, 9 Jun 2022 20:39:49 +0200
Subject: [PATCH] [plugin] PS-269: Initial Percona Server 8.0.12 tree

PS-5741: Incorrect use of memset_s in keyring_vault.

Fixed the usage of memset_s. The arguments should be:
void memset_s(void *dest, size_t dest_max, int c, size_t n)
where the 2nd argument is size of buffer and the 3rd is
argument is character to fill.

---------------------------------------------------------------------------

PS-7769 - Fix use-after-return error in audit_log_exclude_accounts_validate

---

*Problem:*

`st_mysql_value::val_str` might return a pointer to `buf` which after
the function called is deleted. Therefore the value in `save`, after
reuturnin from the function, is invalid.

In this particular case, the error is not manifesting as val_str`
returns memory allocated with `thd_strmake` and it does not use `buf`.

*Solution:*

Allocate memory with `thd_strmake` so the memory in `save` is not local.

---------------------------------------------------------------------------

Fix test main.bug12969156 when WITH_ASAN=ON

*Problem:*

ASAN complains about stack-buffer-overflow on function `mysql_heartbeat`:

```
==90890==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fe746d06d14 at pc 0x7fe760f5b017 bp 0x7fe746d06cd0 sp 0x7fe746d06478
WRITE of size 24 at 0x7fe746d06d14 thread T16777215

Address 0x7fe746d06d14 is located in stack of thread T26 at offset 340 in frame
    #0 0x7fe746d0a55c in mysql_heartbeat(void*) /home/yura/ws/percona-server/plugin/daemon_example/daemon_example.cc:62

  This frame has 4 object(s):
    [48, 56) 'result' (line 66)
    [80, 112) '_db_stack_frame_' (line 63)
    [144, 200) 'tm_tmp' (line 67)
    [240, 340) 'buffer' (line 65) <== Memory access at offset 340 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
Thread T26 created by T25 here:
    #0 0x7fe760f5f6d5 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
    #1 0x557ccbbcb857 in my_thread_create /home/yura/ws/percona-server/mysys/my_thread.c:104
    #2 0x7fe746d0b21a in daemon_example_plugin_init /home/yura/ws/percona-server/plugin/daemon_example/daemon_example.cc:148
    #3 0x557ccb4c69c7 in plugin_initialize /home/yura/ws/percona-server/sql/sql_plugin.cc:1279
    #4 0x557ccb4d19cd in mysql_install_plugin /home/yura/ws/percona-server/sql/sql_plugin.cc:2279
    #5 0x557ccb4d218f in Sql_cmd_install_plugin::execute(THD*) /home/yura/ws/percona-server/sql/sql_plugin.cc:4664
    #6 0x557ccb47695e in mysql_execute_command(THD*, bool) /home/yura/ws/percona-server/sql/sql_parse.cc:5160
    #7 0x557ccb47977c in mysql_parse(THD*, Parser_state*, bool) /home/yura/ws/percona-server/sql/sql_parse.cc:5952
    #8 0x557ccb47b6c2 in dispatch_command(THD*, COM_DATA const*, enum_server_command) /home/yura/ws/percona-server/sql/sql_parse.cc:1544
    #9 0x557ccb47de1d in do_command(THD*) /home/yura/ws/percona-server/sql/sql_parse.cc:1065
    #10 0x557ccb6ac294 in handle_connection /home/yura/ws/percona-server/sql/conn_handler/connection_handler_per_thread.cc:325
    #11 0x557ccbbfabb0 in pfs_spawn_thread /home/yura/ws/percona-server/storage/perfschema/pfs.cc:2198
    #12 0x7fe760ab544f in start_thread nptl/pthread_create.c:473
```

The reason is that `my_thread_cancel` is used to finish the daemon thread. This is not and orderly way of finishing the thread. ASAN does not register the stack variables are not used anymore which generates the error above.

This is a benign error as all the variables are on the stack.

*Solution*:

Finish the thread in orderly way by using a signalling variable.

---------------------------------------------------------------------------

PS-8204: Fix XML escape rules for audit plugin

https://jira.percona.com/browse/PS-8204

There was a wrong length specified for some XML
escape rules. As a result of this terminating null symbol from
replacement rule was copied into resulting string. This lead to
quer text truncation in audit log file.
In addition added empty replacement rules for '\b' and 'f' symbols
which just remove them from resulting string. These symboles are
not supported in XML 1.0.

---------------------------------------------------------------------------

PS-8854: Add main.percona_udf MTR test

Add a test to check FNV1A_64, FNV_64, and MURMUR_HASH user-defined functions.

---------------------------------------------------------------------------

PS-9218: Merge MySQL 8.4.0 (fix gcc-14 build)

https://perconadev.atlassian.net/browse/PS-9218
---
 include/my_bitmap.h                           |   4 +-
 include/my_sys.h                              |   3 +
 mysql-test/include/plugin.defs                |   7 +
 mysql-test/r/percona_udf.result               |  37 ++
 mysql-test/t/percona_udf.test                 |  65 ++++
 mysys/CMakeLists.txt                          |   2 +
 mysys/my_malloc.cc                            |  13 +
 plugin/daemon_example/daemon_example.cc       |   7 +-
 .../xcom_network_provider_ssl_native_lib.cc   |   5 +
 plugin/keyring/common/i_keyring_io.h          |   2 +-
 plugin/keyring/common/i_keyring_key.h         |   1 +
 plugin/keyring/common/keyring_key.cc          |  12 +-
 plugin/keyring/common/keyring_key.h           |   3 +-
 plugin/keyring/common/keyring_memory.h        |  53 ++-
 plugin/keyring/common/secure_string.h         |  34 ++
 plugin/keyring/keyring_file.version           |   8 +
 plugin/percona-pam-for-mysql/CMakeLists.txt   |  42 +++
 plugin/percona-pam-for-mysql/doc/make.bat     | 170 +++++++++
 .../_static/percona-pam-plugin-logo.jpg       | Bin 0 -> 36163 bytes
 .../doc/source/_static/percona_favicon.ico    | Bin 0 -> 894 bytes
 .../percona-pam-for-mysql/doc/source/conf.py  | 245 +++++++++++++
 .../percona-pam-for-mysql/doc/source/faq.rst  |  51 +++
 .../doc/source/glossary.rst                   |   8 +
 .../doc/source/index.rst                      |  51 +++
 .../doc/source/installation.rst               |  50 +++
 .../doc/source/intro.rst                      |  23 ++
 .../doc/source/manual.rst                     |  45 +++
 .../doc/source/percona-pam-plugin-logo.png    | Bin 0 -> 12447 bytes
 .../doc/source/percona_favicon.ico            | Bin 0 -> 894 bytes
 .../doc/source/release-notes.rst              |  19 +
 .../percona-pam-for-mysql/src/auth_mapping.cc | 227 ++++++++++++
 .../percona-pam-for-mysql/src/auth_mapping.h  |  73 ++++
 plugin/percona-pam-for-mysql/src/auth_pam.cc  | 179 ++++++++++
 .../src/auth_pam_common.cc                    | 208 +++++++++++
 .../src/auth_pam_common.h                     |  82 +++++
 .../src/auth_pam_compat.cc                    | 129 +++++++
 plugin/percona-pam-for-mysql/src/dialog.cc    | 327 ++++++++++++++++++
 plugin/percona-pam-for-mysql/src/groups.cc    | 146 ++++++++
 plugin/percona-pam-for-mysql/src/groups.h     |  45 +++
 .../src/lib_auth_pam_client.c                 |  72 ++++
 .../src/lib_auth_pam_client.h                 |  77 +++++
 .../src/test_auth_pam_client.c                |  69 ++++
 .../percona_pam/pam_mapping_test.py           | 118 +++++++
 plugin/semisync/semisync_replica.cc           |   2 +-
 44 files changed, 2702 insertions(+), 12 deletions(-)
 create mode 100644 mysql-test/r/percona_udf.result
 create mode 100644 mysql-test/t/percona_udf.test
 create mode 100644 plugin/keyring/common/secure_string.h
 create mode 100644 plugin/keyring/keyring_file.version
 create mode 100644 plugin/percona-pam-for-mysql/CMakeLists.txt
 create mode 100644 plugin/percona-pam-for-mysql/doc/make.bat
 create mode 100644 plugin/percona-pam-for-mysql/doc/source/_static/percona-pam-plugin-logo.jpg
 create mode 100644 plugin/percona-pam-for-mysql/doc/source/_static/percona_favicon.ico
 create mode 100644 plugin/percona-pam-for-mysql/doc/source/conf.py
 create mode 100644 plugin/percona-pam-for-mysql/doc/source/faq.rst
 create mode 100644 plugin/percona-pam-for-mysql/doc/source/glossary.rst
 create mode 100644 plugin/percona-pam-for-mysql/doc/source/index.rst
 create mode 100644 plugin/percona-pam-for-mysql/doc/source/installation.rst
 create mode 100644 plugin/percona-pam-for-mysql/doc/source/intro.rst
 create mode 100644 plugin/percona-pam-for-mysql/doc/source/manual.rst
 create mode 100644 plugin/percona-pam-for-mysql/doc/source/percona-pam-plugin-logo.png
 create mode 100644 plugin/percona-pam-for-mysql/doc/source/percona_favicon.ico
 create mode 100644 plugin/percona-pam-for-mysql/doc/source/release-notes.rst
 create mode 100644 plugin/percona-pam-for-mysql/src/auth_mapping.cc
 create mode 100644 plugin/percona-pam-for-mysql/src/auth_mapping.h
 create mode 100644 plugin/percona-pam-for-mysql/src/auth_pam.cc
 create mode 100644 plugin/percona-pam-for-mysql/src/auth_pam_common.cc
 create mode 100644 plugin/percona-pam-for-mysql/src/auth_pam_common.h
 create mode 100644 plugin/percona-pam-for-mysql/src/auth_pam_compat.cc
 create mode 100644 plugin/percona-pam-for-mysql/src/dialog.cc
 create mode 100644 plugin/percona-pam-for-mysql/src/groups.cc
 create mode 100644 plugin/percona-pam-for-mysql/src/groups.h
 create mode 100644 plugin/percona-pam-for-mysql/src/lib_auth_pam_client.c
 create mode 100644 plugin/percona-pam-for-mysql/src/lib_auth_pam_client.h
 create mode 100644 plugin/percona-pam-for-mysql/src/test_auth_pam_client.c
 create mode 100755 plugin/percona-pam-for-mysql/test/dbqp/percona_tests/percona_pam/pam_mapping_test.py

diff --git a/include/my_bitmap.h b/include/my_bitmap.h
index 0654edf8cc07..b81a8d07ba81 100644
--- a/include/my_bitmap.h
+++ b/include/my_bitmap.h
@@ -71,7 +71,7 @@ extern uint bitmap_bits_set(const MY_BITMAP *map);
 extern void bitmap_free(MY_BITMAP *map);
 extern void bitmap_set_above(MY_BITMAP *map, uint from_byte, bool use_bit);
 extern void bitmap_set_prefix(MY_BITMAP *map, uint prefix_size);
-extern void bitmap_intersect(MY_BITMAP *to, const MY_BITMAP *from);
+extern void bitmap_intersect(MY_BITMAP *map, const MY_BITMAP *map2);
 extern void bitmap_subtract(MY_BITMAP *map, const MY_BITMAP *map2);
 extern void bitmap_union(MY_BITMAP *map, const MY_BITMAP *map2);
 extern void bitmap_xor(MY_BITMAP *map, const MY_BITMAP *map2);
@@ -136,4 +136,4 @@ static inline void bitmap_set_all(MY_BITMAP *map) {
   memset(map->bitmap, 0xFF, 4 * no_words_in_map(map));
 }
 
-#endif  // MY_BITMAP_INCLUDED
+#endif /* MY_BITMAP_INCLUDED */
diff --git a/include/my_sys.h b/include/my_sys.h
index 3f41a739fd84..38a2261f42dd 100644
--- a/include/my_sys.h
+++ b/include/my_sys.h
@@ -611,6 +611,9 @@ extern size_t my_fwrite(FILE *stream, const uchar *Buffer, size_t Count,
                         myf MyFlags);
 extern my_off_t my_fseek(FILE *stream, my_off_t pos, int whence);
 extern my_off_t my_ftell(FILE *stream);
+#if !defined(HAVE_MEMSET_S)
+void memset_s(void *dest, size_t dest_max, int c, size_t n);
+#endif
 
 /* implemented in my_syslog.c */
 
diff --git a/mysql-test/include/plugin.defs b/mysql-test/include/plugin.defs
index feb8d3b95237..9463aa15723f 100644
--- a/mysql-test/include/plugin.defs
+++ b/mysql-test/include/plugin.defs
@@ -192,3 +192,10 @@ component_test_execute_prepared_statement  plugin_output_directory  no  COMPONEN
 
 # component_test_execute_regular_statement
 component_test_execute_regular_statement  plugin_output_directory  no  COMPONENT_TEST_EXECUTE_REGULAR_STATEMENT
+
+# Percona additions
+auth_socket        plugin_output_directory  no  SOCKET_AUTH
+ha_rocksdb         plugin_output_directory  no  ROCKSDB         rocksdb,rocksdb_cfstats,rocksdb_dbstats,rocksdb_perf_context,rocksdb_perf_context_global,rocksdb_cf_options,rocksdb_compaction_history,rocksdb_compaction_stats,rocksdb_active_compaction_stats,rocksdb_global_info,rocksdb_ddl,rocksdb_index_file_map,rocksdb_locks,rocksdb_trx,rocksdb_deadlock,rocksdb_sst_props,rocksdb_live_files_metadata
+auth_pam           plugin_output_directory  no  AUTH_PAM
+auth_pam_compat    plugin_output_directory  no  AUTH_PAM_COMPAT
+keyring_vault      plugin_output_directory  no  KEYRING_VAULT_PLUGIN keyring_vault
diff --git a/mysql-test/r/percona_udf.result b/mysql-test/r/percona_udf.result
new file mode 100644
index 000000000000..c7d9bb1de710
--- /dev/null
+++ b/mysql-test/r/percona_udf.result
@@ -0,0 +1,37 @@
+*** checking if UDF works without creating the function
+SELECT MURMUR_HASH('hello', 'world');
+ERROR 42000: FUNCTION test.MURMUR_HASH does not exist
+
+*** creating UDF functions
+CREATE FUNCTION fnv1a_64 RETURNS INTEGER SONAME 'libfnv1a_udf.so';
+CREATE FUNCTION fnv_64 RETURNS INTEGER SONAME 'libfnv_udf.so';
+CREATE FUNCTION murmur_hash RETURNS INTEGER SONAME 'libmurmur_udf.so';
+
+*** checking UDF functions
+include/assert.inc [checking hash value for FNV1A_64()]
+include/assert.inc [checking hash value for FNV_64()]
+include/assert.inc [checking hash value for MURMUR_HASH()]
+
+*** creating t1 table
+CREATE TABLE t1 (
+id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
+col1 INT,
+col2 VARCHAR(16),
+col3 TEXT,
+PRIMARY KEY(id)
+) ENGINE=InnoDB DEFAULT CHARSET=latin1;
+INSERT INTO t1(col1, col2, col3) VALUES (1, "b", "c");
+INSERT INTO t1(col1, col2, col3) VALUES (2, "3240", "4000");
+INSERT INTO t1(col1, col2, col3) VALUES (3, "short", "words");
+
+*** checking UDF functions with t1 table
+include/assert.inc [checking hash value for BIT_XOR(FNV1A_64())]
+include/assert.inc [checking hash value for BIT_XOR(FNV_64())]
+include/assert.inc [checking hash value for BIT_XOR(MURMUR_HASH())]
+include/assert.inc [checking hash value for FNV1A_64(col1, col2, col3)]
+
+*** cleaning up
+DROP FUNCTION fnv1a_64;
+DROP FUNCTION fnv_64;
+DROP FUNCTION murmur_hash;
+DROP TABLE t1;
diff --git a/mysql-test/t/percona_udf.test b/mysql-test/t/percona_udf.test
new file mode 100644
index 000000000000..d7504e2ef6da
--- /dev/null
+++ b/mysql-test/t/percona_udf.test
@@ -0,0 +1,65 @@
+--echo *** checking if UDF works without creating the function
+--error ER_SP_DOES_NOT_EXIST
+SELECT MURMUR_HASH('hello', 'world');
+
+--echo
+--echo *** creating UDF functions
+CREATE FUNCTION fnv1a_64 RETURNS INTEGER SONAME 'libfnv1a_udf.so';
+CREATE FUNCTION fnv_64 RETURNS INTEGER SONAME 'libfnv_udf.so';
+CREATE FUNCTION murmur_hash RETURNS INTEGER SONAME 'libmurmur_udf.so';
+
+--echo
+--echo *** checking UDF functions
+
+--let $assert_text = checking hash value for FNV1A_64()
+--let $assert_cond = `SELECT FNV1A_64('hello', 'world') = 1214055856804091265`
+--source include/assert.inc
+
+--let $assert_text = checking hash value for FNV_64()
+--let $assert_cond = `SELECT FNV_64('hello', 'world') = 2924375256774005480`
+--source include/assert.inc
+
+--let $assert_text = checking hash value for MURMUR_HASH()
+--let $assert_cond = `SELECT MURMUR_HASH('hello', 'world') = -7857203399167365490`
+--source include/assert.inc
+
+--echo
+--echo *** creating t1 table
+CREATE TABLE t1 (
+  id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
+  col1 INT,
+  col2 VARCHAR(16),
+  col3 TEXT,
+  PRIMARY KEY(id)
+) ENGINE=InnoDB DEFAULT CHARSET=latin1;
+
+INSERT INTO t1(col1, col2, col3) VALUES (1, "b", "c");
+INSERT INTO t1(col1, col2, col3) VALUES (2, "3240", "4000");
+INSERT INTO t1(col1, col2, col3) VALUES (3, "short", "words");
+
+--echo
+--echo *** checking UDF functions with t1 table
+
+--let $assert_text = checking hash value for BIT_XOR(FNV1A_64())
+--let $assert_cond = [SELECT BIT_XOR(CAST(FNV1A_64(col1, col2, col3) AS UNSIGNED)) FROM t1] = 9092447622868433808
+--source include/assert.inc
+
+--let $assert_text = checking hash value for BIT_XOR(FNV_64())
+--let $assert_cond = [SELECT BIT_XOR(CAST(FNV_64(col1, col2, col3) AS UNSIGNED)) FROM t1] = 3813096360487945067
+--source include/assert.inc
+
+--let $assert_text = checking hash value for BIT_XOR(MURMUR_HASH())
+--let $assert_cond = [SELECT BIT_XOR(CAST(MURMUR_HASH(col1, col2, col3) AS UNSIGNED)) FROM t1] = 9393970666296144275
+--source include/assert.inc
+
+--let $assert_text = checking hash value for FNV1A_64(col1, col2, col3)
+--let $assert_cond = ["SELECT FNV1A_64(col1, col2, col3) AS Hash_Val FROM t1", Hash_Val, 1] = 5882002141665055715
+--source include/assert.inc
+
+--echo
+--echo *** cleaning up
+DROP FUNCTION fnv1a_64;
+DROP FUNCTION fnv_64;
+DROP FUNCTION murmur_hash;
+
+DROP TABLE t1;
diff --git a/mysys/CMakeLists.txt b/mysys/CMakeLists.txt
index 212600450502..8f5457406576 100644
--- a/mysys/CMakeLists.txt
+++ b/mysys/CMakeLists.txt
@@ -27,6 +27,8 @@ SET(MY_TIME_SOURCES my_time.cc my_systime.cc)
 
 ADD_CONVENIENCE_LIBRARY(mytime ${MY_TIME_SOURCES})
 
+INCLUDE_DIRECTORIES(SYSTEM ${BOOST_PATCHES_DIR} ${BOOST_INCLUDE_DIR})
+
 SET(MYSYS_SOURCES
   array.cc
   charset.cc
diff --git a/mysys/my_malloc.cc b/mysys/my_malloc.cc
index 3d838fe762ac..3a914691e360 100644
--- a/mysys/my_malloc.cc
+++ b/mysys/my_malloc.cc
@@ -562,3 +562,16 @@ char *my_strndup(PSI_memory_key key, const char *from, size_t length,
   }
   return ptr;
 }
+
+#if !defined(HAVE_MEMSET_S)
+void memset_s(void *dest, size_t dest_max, int c, size_t n) {
+#if defined(WIN32)
+  SecureZeroMemory(dest, n);
+#else
+  volatile unsigned char *p = static_cast<unsigned char *>(dest);
+  while (dest_max-- && n--) {
+    *p++ = c;
+  }
+#endif
+}
+#endif
diff --git a/plugin/daemon_example/daemon_example.cc b/plugin/daemon_example/daemon_example.cc
index 423297607cad..7492c3c8529c 100644
--- a/plugin/daemon_example/daemon_example.cc
+++ b/plugin/daemon_example/daemon_example.cc
@@ -28,6 +28,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <time.h>
+#include <atomic>
 
 #include "m_string.h"  // strlen
 #include "my_dbug.h"
@@ -63,6 +64,7 @@ static void init_deamon_example_psi_keys() {
 struct mysql_heartbeat_context {
   my_thread_handle heartbeat_thread;
   File heartbeat_file;
+  std::atomic_bool done;
 };
 
 static void *mysql_heartbeat(void *p) {
@@ -72,7 +74,7 @@ static void *mysql_heartbeat(void *p) {
   time_t result;
   struct tm tm_tmp;
 
-  while (true) {
+  while (!con->done.load()) {
     sleep(5);
 
     result = time(nullptr);
@@ -125,6 +127,7 @@ static int daemon_example_plugin_init(void *p) {
             MY_REPLACE_EXT | MY_UNPACK_FILENAME);
   unlink(heartbeat_filename);
   con->heartbeat_file = my_open(heartbeat_filename, O_CREAT | O_RDWR, MYF(0));
+  con->done.store(false);
 
   /*
     No threads exist at this point in time, so this is thread safe.
@@ -173,7 +176,7 @@ static int daemon_example_plugin_deinit(void *p) {
   struct tm tm_tmp;
   void *dummy_retval;
 
-  my_thread_cancel(&con->heartbeat_thread);
+  con->done.store(true);
 
   localtime_r(&result, &tm_tmp);
   snprintf(buffer, sizeof(buffer),
diff --git a/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/network/xcom_network_provider_ssl_native_lib.cc b/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/network/xcom_network_provider_ssl_native_lib.cc
index 92bf97a8e948..6daf24869cb7 100644
--- a/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/network/xcom_network_provider_ssl_native_lib.cc
+++ b/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/network/xcom_network_provider_ssl_native_lib.cc
@@ -52,6 +52,11 @@
 
 #include "openssl/engine.h"
 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include <openssl/evp.h>
+#include <openssl/provider.h>
+#endif
+
 #include "xcom/retry.h"
 #include "xcom/task_debug.h"
 #include "xcom/x_platform.h"
diff --git a/plugin/keyring/common/i_keyring_io.h b/plugin/keyring/common/i_keyring_io.h
index 8610c7e1e526..90e73cb479d4 100644
--- a/plugin/keyring/common/i_keyring_io.h
+++ b/plugin/keyring/common/i_keyring_io.h
@@ -31,7 +31,7 @@ namespace keyring {
 
 class IKeyring_io : public Keyring_alloc {
  public:
-  virtual bool init(std::string *keyring_storage_url) = 0;
+  virtual bool init(const std::string *keyring_storage_url) = 0;
   virtual bool flush_to_backup(ISerialized_object *serialized_object) = 0;
   virtual bool flush_to_storage(ISerialized_object *serialized_object) = 0;
 
diff --git a/plugin/keyring/common/i_keyring_key.h b/plugin/keyring/common/i_keyring_key.h
index f1bb924129b8..34f5bb70e89f 100644
--- a/plugin/keyring/common/i_keyring_key.h
+++ b/plugin/keyring/common/i_keyring_key.h
@@ -50,6 +50,7 @@ struct IKey : public Keyring_alloc {
   virtual size_t get_key_data_size() = 0;
   virtual size_t get_key_pod_size() const = 0;
   virtual uchar *release_key_data() = 0;
+  virtual void xor_data(uchar *data, size_t data_len) = 0;
   virtual void xor_data() = 0;
   virtual void set_key_data(uchar *key_data, size_t key_data_size) = 0;
   virtual void set_key_type(const std::string *key_type) = 0;
diff --git a/plugin/keyring/common/keyring_key.cc b/plugin/keyring/common/keyring_key.cc
index 73e31db3c118..c6a992b2647d 100644
--- a/plugin/keyring/common/keyring_key.cc
+++ b/plugin/keyring/common/keyring_key.cc
@@ -190,12 +190,16 @@ size_t Key::get_key_pod_size() const {
   return key_pod_size_aligned;
 }
 
-void Key::xor_data() {
-  if (key == nullptr) return;
+void Key::xor_data(uchar *data, size_t data_len) {
   static const char *obfuscate_str = "*305=Ljt0*!@$Hnm(*-9-w;:";
-  for (size_t i = 0, l = 0; i < key_len;
+  for (size_t i = 0, l = 0; i < data_len;
        ++i, l = ((l + 1) % strlen(obfuscate_str)))
-    key.get()[i] ^= obfuscate_str[l];
+    data[i] ^= obfuscate_str[l];
+}
+
+void Key::xor_data() {
+  if (key == nullptr) return;
+  xor_data(key.get(), key_len);
 }
 
 bool Key::is_key_id_valid() { return key_id.length() > 0; }
diff --git a/plugin/keyring/common/keyring_key.h b/plugin/keyring/common/keyring_key.h
index 2b1c80cadaf6..ca0cffeded8d 100644
--- a/plugin/keyring/common/keyring_key.h
+++ b/plugin/keyring/common/keyring_key.h
@@ -53,6 +53,7 @@ struct Key : IKey {
   size_t get_key_data_size() override;
   size_t get_key_pod_size() const override;
   uchar *release_key_data() override;
+  void xor_data(uchar *data, size_t data_len) override;
   void xor_data() override;
   void set_key_data(uchar *key_data, size_t key_data_size) override;
   void set_key_type(const std::string *key_type) override;
@@ -69,7 +70,7 @@ struct Key : IKey {
             const void *a_key, size_t a_key_len);
 
   void clear_key_data();
-  void create_key_signature() const;
+  virtual void create_key_signature() const;
   bool load_string_from_buffer(const uchar *buffer, size_t *buffer_position,
                                size_t key_pod_size, std::string *string,
                                size_t string_length);
diff --git a/plugin/keyring/common/keyring_memory.h b/plugin/keyring/common/keyring_memory.h
index 321bd7a65f01..6af08ae2e062 100644
--- a/plugin/keyring/common/keyring_memory.h
+++ b/plugin/keyring/common/keyring_memory.h
@@ -24,10 +24,13 @@
 #ifndef MYSQL_KEYRING_MEMORY_H
 #define MYSQL_KEYRING_MEMORY_H
 
-#include <mysql/plugin_keyring.h>
+#include <string.h>
 #include <limits>
 #include <memory>
 
+#include "my_sys.h"
+#include "mysql/service_mysql_alloc.h"
+
 namespace keyring {
 
 extern PSI_memory_key key_memory_KEYRING;
@@ -49,6 +52,54 @@ class Keyring_alloc {
   static void operator delete(void *ptr, std::size_t) { my_free(ptr); }
   static void operator delete[](void *ptr, std::size_t) { my_free(ptr); }
 };
+
+template <class T>
+class Secure_allocator {
+ public:
+  using size_type = size_t;
+  using difference_type = ptrdiff_t;
+  using pointer = T *;
+  using const_pointer = const T *;
+  using reference = T &;
+  using const_reference = const T &;
+  using value_type = T;
+
+  Secure_allocator() noexcept {}
+
+  template <class U>
+  Secure_allocator(const Secure_allocator<U> &) noexcept {}
+
+  T *allocate(size_t n) {
+    if (n == 0)
+      return nullptr;
+    else if (n > INT_MAX)
+      throw std::bad_alloc();
+    return keyring_malloc<T *>(n * sizeof(T));
+  }
+
+  void deallocate(T *p, size_t n) noexcept {
+    memset_s(p, n, 0, n);
+    my_free(p);
+  }
+
+  template <class U>
+  struct rebind {
+    typedef Secure_allocator<U> other;
+  };
+};
+
+template <typename T1, typename T2>
+bool operator==(const Secure_allocator<T1> &,
+                const Secure_allocator<T2> &) noexcept {
+  return true;
+}
+
+template <typename T1, typename T2>
+bool operator!=(const Secure_allocator<T1> &,
+                const Secure_allocator<T2> &) noexcept {
+  return false;
+}
+
 }  // namespace keyring
 
 #endif  // MYSQL_KEYRING_MEMORY_H
diff --git a/plugin/keyring/common/secure_string.h b/plugin/keyring/common/secure_string.h
new file mode 100644
index 000000000000..35fa7f6d366c
--- /dev/null
+++ b/plugin/keyring/common/secure_string.h
@@ -0,0 +1,34 @@
+/* Copyright (c) 2018 Percona LLC and/or its affiliates. All rights reserved.
+
+   This program is free software; you can redistribute it and/or
+   modify it under the terms of the GNU General Public License
+   as published by the Free Software Foundation; version 2 of
+   the License.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA */
+
+#ifndef MYSQL_KEYRING_SECURE_STRING
+#define MYSQL_KEYRING_SECURE_STRING
+
+#include <sstream>
+#include "keyring_memory.h"
+
+namespace keyring {
+typedef std::basic_string<char, std::char_traits<char>, Secure_allocator<char>>
+    Secure_string;
+typedef std::basic_ostringstream<char, std::char_traits<char>,
+                                 Secure_allocator<char>>
+    Secure_ostringstream;
+typedef std::basic_istringstream<char, std::char_traits<char>,
+                                 Secure_allocator<char>>
+    Secure_istringstream;
+}  // namespace keyring
+
+#endif  // MYSQL_KEYRING_SECURE_STRING
diff --git a/plugin/keyring/keyring_file.version b/plugin/keyring/keyring_file.version
new file mode 100644
index 000000000000..023b6b555b21
--- /dev/null
+++ b/plugin/keyring/keyring_file.version
@@ -0,0 +1,8 @@
+KEYRING_FILE_VERSION_1.0 {
+  global:
+     _mysql_*;
+     mysql_malloc_service;
+     my_plugin_log_service;
+     security_context_service;
+  local: *;
+};
diff --git a/plugin/percona-pam-for-mysql/CMakeLists.txt b/plugin/percona-pam-for-mysql/CMakeLists.txt
new file mode 100644
index 000000000000..7c7bb8de2808
--- /dev/null
+++ b/plugin/percona-pam-for-mysql/CMakeLists.txt
@@ -0,0 +1,42 @@
+# (C) 2011-2013 Percona LLC and/or its affiliates
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
+#
+IF(WITH_PAM)
+INCLUDE (CheckLibraryExists)
+CHECK_LIBRARY_EXISTS(pam pam_authenticate "" HAVE_PAM)
+IF(NOT HAVE_PAM)
+	MESSAGE(FATAL_ERROR "Required PAM dev library not found. Please install PAM development files!")
+ENDIF(NOT HAVE_PAM)
+CHECK_SYMBOL_EXISTS(getpwnam_r "pwd.h" HAVE_GETPWNAM_R)
+CHECK_SYMBOL_EXISTS(getgrgid_r "grp.h" HAVE_GETGRGID_R)
+CHECK_INCLUDE_FILES (security/pam_misc.h HAVE_SECURITY_PAM_MISC_H)
+CHECK_INCLUDE_FILES (security/openpam.h HAVE_SECURITY_OPENPAM_H)
+CHECK_INCLUDE_FILES (dlfcn.h HAVE_DLFCN_H)
+ADD_DEFINITIONS(-Dget_tty_password=dialog_mysql_get_tty_password)
+IF(HAVE_PAM AND HAVE_GETPWNAM_R AND HAVE_GETGRGID_R AND HAVE_DLFCN_H)
+  SET(AUTH_PAM_COMMON_SOURCES
+    src/auth_pam_common.cc src/lib_auth_pam_client.c src/lib_auth_pam_client.h
+    src/auth_mapping.h src/auth_mapping.cc src/groups.cc src/groups.h)
+  SET(AUTH_PAM_SOURCES ${AUTH_PAM_COMMON_SOURCES} src/auth_pam.cc)
+  SET(AUTH_PAM_COMPAT_SOURCES ${AUTH_PAM_COMMON_SOURCES} src/auth_pam_compat.cc)
+  MYSQL_ADD_PLUGIN(auth_pam ${AUTH_PAM_SOURCES} LINK_LIBRARIES pam MODULE_ONLY)
+  MYSQL_ADD_PLUGIN(auth_pam_compat ${AUTH_PAM_COMPAT_SOURCES} LINK_LIBRARIES pam MODULE_ONLY)
+  MYSQL_ADD_PLUGIN(dialog
+                   src/dialog.cc
+                   ../../sql-common/get_password.cc
+                   LINK_LIBRARIES perconaserverclient
+                   MODULE_ONLY)
+ENDIF(HAVE_PAM AND HAVE_GETPWNAM_R AND HAVE_GETGRGID_R AND HAVE_DLFCN_H)
+ENDIF(WITH_PAM)
diff --git a/plugin/percona-pam-for-mysql/doc/make.bat b/plugin/percona-pam-for-mysql/doc/make.bat
new file mode 100644
index 000000000000..4bc6b71e63ac
--- /dev/null
+++ b/plugin/percona-pam-for-mysql/doc/make.bat
@@ -0,0 +1,170 @@
+@ECHO OFF
+
+REM Command file for Sphinx documentation
+
+if "%SPHINXBUILD%" == "" (
+	set SPHINXBUILD=sphinx-build
+)
+set BUILDDIR=build
+set ALLSPHINXOPTS=-d %BUILDDIR%/doctrees %SPHINXOPTS% source
+if NOT "%PAPER%" == "" (
+	set ALLSPHINXOPTS=-D latex_paper_size=%PAPER% %ALLSPHINXOPTS%
+)
+
+if "%1" == "" goto help
+
+if "%1" == "help" (
+	:help
+	echo.Please use `make ^<target^>` where ^<target^> is one of
+	echo.  html       to make standalone HTML files
+	echo.  dirhtml    to make HTML files named index.html in directories
+	echo.  singlehtml to make a single large HTML file
+	echo.  pickle     to make pickle files
+	echo.  json       to make JSON files
+	echo.  htmlhelp   to make HTML files and a HTML help project
+	echo.  qthelp     to make HTML files and a qthelp project
+	echo.  devhelp    to make HTML files and a Devhelp project
+	echo.  epub       to make an epub
+	echo.  latex      to make LaTeX files, you can set PAPER=a4 or PAPER=letter
+	echo.  text       to make text files
+	echo.  man        to make manual pages
+	echo.  changes    to make an overview over all changed/added/deprecated items
+	echo.  linkcheck  to check all external links for integrity
+	echo.  doctest    to run all doctests embedded in the documentation if enabled
+	goto end
+)
+
+if "%1" == "clean" (
+	for /d %%i in (%BUILDDIR%\*) do rmdir /q /s %%i
+	del /q /s %BUILDDIR%\*
+	goto end
+)
+
+if "%1" == "html" (
+	%SPHINXBUILD% -b html %ALLSPHINXOPTS% %BUILDDIR%/html
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished. The HTML pages are in %BUILDDIR%/html.
+	goto end
+)
+
+if "%1" == "dirhtml" (
+	%SPHINXBUILD% -b dirhtml %ALLSPHINXOPTS% %BUILDDIR%/dirhtml
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished. The HTML pages are in %BUILDDIR%/dirhtml.
+	goto end
+)
+
+if "%1" == "singlehtml" (
+	%SPHINXBUILD% -b singlehtml %ALLSPHINXOPTS% %BUILDDIR%/singlehtml
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished. The HTML pages are in %BUILDDIR%/singlehtml.
+	goto end
+)
+
+if "%1" == "pickle" (
+	%SPHINXBUILD% -b pickle %ALLSPHINXOPTS% %BUILDDIR%/pickle
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished; now you can process the pickle files.
+	goto end
+)
+
+if "%1" == "json" (
+	%SPHINXBUILD% -b json %ALLSPHINXOPTS% %BUILDDIR%/json
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished; now you can process the JSON files.
+	goto end
+)
+
+if "%1" == "htmlhelp" (
+	%SPHINXBUILD% -b htmlhelp %ALLSPHINXOPTS% %BUILDDIR%/htmlhelp
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished; now you can run HTML Help Workshop with the ^
+.hhp project file in %BUILDDIR%/htmlhelp.
+	goto end
+)
+
+if "%1" == "qthelp" (
+	%SPHINXBUILD% -b qthelp %ALLSPHINXOPTS% %BUILDDIR%/qthelp
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished; now you can run "qcollectiongenerator" with the ^
+.qhcp project file in %BUILDDIR%/qthelp, like this:
+	echo.^> qcollectiongenerator %BUILDDIR%\qthelp\PerconaXtraBackup.qhcp
+	echo.To view the help file:
+	echo.^> assistant -collectionFile %BUILDDIR%\qthelp\PerconaXtraBackup.ghc
+	goto end
+)
+
+if "%1" == "devhelp" (
+	%SPHINXBUILD% -b devhelp %ALLSPHINXOPTS% %BUILDDIR%/devhelp
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished.
+	goto end
+)
+
+if "%1" == "epub" (
+	%SPHINXBUILD% -b epub %ALLSPHINXOPTS% %BUILDDIR%/epub
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished. The epub file is in %BUILDDIR%/epub.
+	goto end
+)
+
+if "%1" == "latex" (
+	%SPHINXBUILD% -b latex %ALLSPHINXOPTS% %BUILDDIR%/latex
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished; the LaTeX files are in %BUILDDIR%/latex.
+	goto end
+)
+
+if "%1" == "text" (
+	%SPHINXBUILD% -b text %ALLSPHINXOPTS% %BUILDDIR%/text
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished. The text files are in %BUILDDIR%/text.
+	goto end
+)
+
+if "%1" == "man" (
+	%SPHINXBUILD% -b man %ALLSPHINXOPTS% %BUILDDIR%/man
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished. The manual pages are in %BUILDDIR%/man.
+	goto end
+)
+
+if "%1" == "changes" (
+	%SPHINXBUILD% -b changes %ALLSPHINXOPTS% %BUILDDIR%/changes
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.The overview file is in %BUILDDIR%/changes.
+	goto end
+)
+
+if "%1" == "linkcheck" (
+	%SPHINXBUILD% -b linkcheck %ALLSPHINXOPTS% %BUILDDIR%/linkcheck
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Link check complete; look for any errors in the above output ^
+or in %BUILDDIR%/linkcheck/output.txt.
+	goto end
+)
+
+if "%1" == "doctest" (
+	%SPHINXBUILD% -b doctest %ALLSPHINXOPTS% %BUILDDIR%/doctest
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Testing of doctests in the sources finished, look at the ^
+results in %BUILDDIR%/doctest/output.txt.
+	goto end
+)
+
+:end
diff --git a/plugin/percona-pam-for-mysql/doc/source/_static/percona-pam-plugin-logo.jpg b/plugin/percona-pam-for-mysql/doc/source/_static/percona-pam-plugin-logo.jpg
new file mode 100644
index 0000000000000000000000000000000000000000..6c9f9d668bba9eb313a6c84c0d944073c9067bb3
GIT binary patch
literal 36163
zcmeFacUV(Rw>KO_MFHVfq=^&-M0%6nR7AQ+?=|$2AS8g)8&OfJ(u;sd?@}XOL<k+J
z0YX5emw?pJLcR^&^*PTu*SWv<J?H($&9x^pYpq$cX3gx`GrzrOLl_}^1^uFOU->?W
z=oAqV4-pRtM3}nxR>8}`76ejP2XTQwpmQJ+qDvrRAVviIfrzev&YZ+SAS)t<KjMx=
zH-D2k1;_}3fDpt0oNh!yC-KWbJUrL|bo#fvnZWNCKoThNMC-}#9c!qS4a-A&C=BXu
z4|Qdc*JjaofLKF4-9bVEf`XC)!jgg_EP}$4Lc)?F!az<Ci1;nhk8%kF5a{ixKlJav
zCH^CBc_Ik{oh2gv&Bn8Ttp^d)pY<TR@z;8sBKlni5#OmlbpPV`n?5Dr7w`z^<d^U_
zUjj6MO2C51PwHeYuMRpzSOrm>q(Iic9_J*WK~F*C=gyrwe~$e8dGd>7q+}PVDapwx
zsp+VwsHv#vE|Q-dzy173{A);bfsE_|#f4ueD1Nz2K|yi(IH0)vBg@7Ajsn6*(8Y5g
zS<qWzqU)ej7m0{35)m*!wMhw|iR1t)&k&s)fWgNHG0;&?pE*l%?mQ_O&>jBHBm$ix
z{+;;?i0CvC@u}0N&XAlvcZQf;7+_u`K7H+y;F&v`mQ>dt1qz+L{5rk#E-M?gR+E+R
zEw?9q@+9n0+TW+v!R{h7@5+L1+>6$+R``?w6Q%9f{bsXK{<L`jKD~LLBPR1%MeOIn
znXRnKmZ8~gJzJ0GaoJU^!*e@giu!h*!SOi=Bx)Xa5p?PlVD0G>n@G-{5jip8n&73=
zfCZ1PQ=JhCe0}-Yf+nrL@4{?WQ*KY9<h7~6?zh(2&mJ2<azo@(KVU=#t+j%#D9q;D
zA13_g7I6G&0$~h9PJB}4MUWh5TPI4#J6^wK@qpWZ+0Et1j;XW;>C14CSN_J5it`E)
z>>6j=eU`S=z)JYm7Yxo|4E^mJ=ulT|dm>@rR6hZ<R6zi_^*S}YHzR<|>bP<_^lH8_
zT6;m<5n}tPDfaaB8U^1#l5y;MI@6ctIyE-@?n_{u8cU4Qlizd@36fk5@b_|iAnR*l
zup98bYC=|v?L{<wCk`BS%KY2@ZX*&timEYAslY6z%|7Wndc>eRCle<iiy$c-tLzp!
zw{gu)%rCBUJ)fMXwd+v<IK3D7;rWUmZNSr3#8C0@QB;R>5qN4lY$DA9L49DSKL{@(
zfQIdk!t55QuC0^5dPV=#n&OSYs>l&}V_o-A1pV~~*TGy3^h<KBkvMZD<%bIxFhjvN
zzju*NV;&ggeYJqqv<c|G*pYWb#q_nCFYk>=KAC@T>1mj?xDC}kYPKk)A}wXMsF)~a
zwk)<NWlkWja!g1geAyO@8jc5<+<w*9zF}gqe7`O%=j)ZC&Tx!;f#Hp$WGTb@Ec<%8
z#*OlkfIk5%&jd8Ily47k?xyLvyMRNl%5#rn$YoZFdk-)4nm~;UcJ!Dv7B5ycKkV*0
z(j8XU6(E2(=)=nLhh!mc4E8MICHwtbpA`moJ<j!r@%pu2wUQfZVRmziUsD{SRNVU<
zzwNt{OmSF%9rt@%>l}?-aFk7!%dOz;=~~>C@RHaO<E*~0m1|!<OkSO{bpY6N`cS#V
zkAeWYu;?u}rO(&t>^{=*eA#5K>b(R%n`q;{Jzn8k;bD?|cWP`2c*T>yG{*+Vyo*l4
z6}BY?N{oj^X18zcuZ2wSKPasBqN3Ber<ngM>I=BJ`5>ZEnSV)?A`bi6CoSAvX;QxZ
zg8K-HX8*%51aI}6079bnc6h>4woGkk?(dr|O;&Vz3aogb{MRaV#j1-bz@bb7ygtfK
zfy{4^h;bA*eLPc!@#aVS&cX*iSBT|X!=ReQrC3~mSZb>uS%BdY1nqH=NZP{xjoiFE
zVwbE{`26I8M$YQY8Udt30A-{1tA|bd_q#=_`ywA-wthL_)HAjsw@y<VaA=-in_503
z^vL@;6T6}Kh_3kqg<<oU{`Fh6)Rn`N!vaUqZq7b<0_bae)WjY*__bMOWSDn2h9iI6
z$=&#w1zh8j>V_=R-K=|Z;i%UR|Di&bnYH;QQ&KShw83rhjlja<O9T+ftn(IAhNsq|
z&YW4RC^Ehx>7_`W9<G1<jT-?JFj|H-AA1B8;X(kNKm69YU%CBcHFsQba?o|9_C_E)
z;g;48;JeB-yZpm~#sv2&xh?JtK6?Qrk|yxhRY>{3y6e8b{-|kqa72fnQJP)unsQNI
z<krN;)>ZTx{(9YX`m!mMgEAj+zS_&{GXC|RY%y3hC>0fg7j3=IUs;H2+(Q<b#m7US
z>MdP0@mA>9s=WSEN6}Yzf@=_d%o%buxp1aHbDbrMwwkt95B|54YH?$o$xd$eo$n?y
zOk*UH3kaa6MvOAmL*MlEA6C_tjh*wWM1ak%SjO!udS>Iw!9^tt`c^9LrNWX3gWS2V
zrVp5i-%N#>YZsRdm-dukDe-*5ocY+=yaJahZz<kwr)?S1N<sg@aSwduP|Z#cZjj92
zHiy$#CnLCE$M1%BoHGHWRQ7&9KyTq-UGfpK<0GH@x_z6^V%e`7&VCoF^2?H=BaqdT
zc6e%0P5lMW@k+t_+K-ZV=Jl4pCad4BYIqP%BZ)jP#!l`LKpI;C-I+PuB;3W@VYcwA
zPWFqto(JET%W}+}79|H>znYtj=<xs2+wYgu=%-5nNxWV<3Mug8&z<xe6{qiVdAw_U
zA-jGeC3cK)!A7%jeAsBIxM-_3AOkLnS~BT<aNzXKVmmcjscCVVnfp{a;$k(8p>E83
zKXOlljxuztDKDOpA8*#HxaF}w?4L5TC?5W~qrF_1uP(JDv2u?=Ca`jt?9l?U)qSO`
z&e5}RvHqxN7~{FC@t`8}G9ElS?B?wcw<-*%5Mv<Yd4M!>$Y5Q0EPObuiVqlKJRH{F
zl<SvEtsM|9?rh9O+1o>yG?4}NEOFlAxbEc8`hzuZDsNGl*lnYlUrSi2^30cN%0F7<
zFw<4e<Hip44eQhH@IC7<UW}bB8_!69wuuSN|H?DEIG~_b-+kmUClonP05u0l*)4iz
zW;5CqjSiIL#p*5%J)~z;{yx2E6}{kHG<rle<T)lo0PRGQ$sO`%R}OQ_7F${y$G;v*
z>Z%LtWR(0MSOIcq{d@tl3cl&F9I)DYUt?d_Gt<iY>(<iy4c=``qzDR9o1$%E9KO`M
z8&JOQQcVC&@#3$m1Q7aGkE$Oo9~Ie&WO!x|k53&YnRSH*e3wkErd$srlf=*xKu>C^
z)2lq<WV_e#dKlyQjOrpERVL!3ukuOvo=~zp`?TGVrZCdAUp~k~x93&nP2=*OyCz{|
zT*`$Q?M{!N>3xga_u6C51g=f<1Y`>p-a>9p(ww~Ons`tJc~^lyd1;u9+<sam1xGT*
zTy4K?*mNa_Os4iF*3|P>Fad-%&s1Hekoh3vF2(fa-uQumuc1@;(1(CD#Qw4(YtGRG
zbhIc;u1MVZ@{HBw3cX8FV@749EXrE)_14j|v|VGH*y%ajS)sI1KQR3~>xHa@VM)W+
z+G;fY-@eY-SQ0?*zy#1TJ?WeEKq|&}HZ4>H&?64;<=y#9B5%M=ag0t|?$h`~7kS6A
z1r$sV7B=3HE+3&s9Y%-H*+3aAqix4k<(g_5zo3`)!vdBjciANc-%l=D&gzW&CNI%U
z*$N>gla-k>O1Ns7S8Ue6>-CPzkvnQ>^NyO!5=G)4{DcB^;ow{7XfweZ(b1MdYnr{a
zSkb=w9kPAP#z)jK{x8qTKbf&#)WzGX1!D>=RK!@+0;ljMp2N&y%$pBPWWMS(Rj)l4
z$*A_MOm7@BE7?vare#>_<bz{d8sC-1PubM?#cQ2`3jnta$*#tQIL#vl)Dd)O3w7;?
zf1j)-SO=<E-I#A7<;oFkCXyFU0KGW!BY?JJ7yJ}6QG?KCznwbGXRd7rQWip;hIo2Z
zTJ{{+aNkyUO9rYjc;sR{Go>jcmsS3Hy>2~D$?9bzWL9oXW6LC<fX+b1JlkfQDNFb9
zV;Q53l|!eItDJC(t=vTqZ5Q2u_J-8n{-J%fNMnvep(aEo>`g#kqoL5kCuGizg8dYc
ziH;;xRVlnuG|pgn)x|7+p~{a^-D4!>dZBDid|D)UWc)kI+Nx_1VzG5J+)4li)pR6v
ztd1Vya?I!Rhw(-&<r&))QIPk#gGFss=(Ct^34ZvFXd?tu=#Ed0&AHaTUlOT~@#M(e
znn>sg4^kJkm<3l3RSwUT4a-E-lAIX^53Z=-10EchE@SlU76>4{tzlWa;ng(rVcfR9
z-EgagwOHmG4k^frT|fu@#GK)3L7o%?1Ua;yqfzZ4!FUz{SCuTL-m#dS(OMEpdFbHs
z@fLz+Ilr_RT;`gBXIk3|C>Y&8BW)HqQ0h(WUsC$?YnUfkT1}$cN0rY9W7gY`soyc!
z33%$Q;<Z}+qARUX&XD1Na%Z*?+(P|&kwi=Vv1BQ(K9R@o{p12q*;=1J0hCz+U#%P%
z-B!(l9n@r)>l+pqI@LtK1gC|KHSeeDp}E@vO8j^a<Z_(EP_c>T`4x%VvSUT?1PoZ1
z9yhHS8n=(9vdLhK$S$aN4uMt`?2O=thmNQwinrDZycnfK>k8ez3a--!hN>NK=M`@|
zk4^U0UT+;<E-v3nd#9`+p+D@jA^X<cLlk`0ma%Zr6aEWDyO?(Hfx@$vv>wYD{R9*N
zl;w@F8!X9RNspyS)7z0Kp?AHnw^KVz>;J_P0xen!KgubN^c)%|E8i?DIx_@U^O&}?
zdL<*}C)1se6Q?vp2qiNrR`sSY0vE2%=r%Y{r2Fmm;q(A~m0-X<zUQw9Aa#s-EJAEx
zz;0k0&u>>8mFoGny53wQg{tr<D7&0hn49u40VFo)41t)&dzb7}<YY?$BY+J76nqr#
zxm3v)pH6vjeZMVWwMXn|beh$88%#P8eIVHDHTv4tOjgyhYQQhvI02pO3K^D6=J%lo
zCZ+pgZ*A~KT@o6-iz#{&DalbCi78;N>|ry9Ghx+(=En8hJGHj^DO++)nK@Cd8BA-1
zqt1<4{-bv2{ZhJG2N+`t?N(ok4PY1R;(l7DY0eN|TH-(rHC=Vs78A-~Y28oWb9Bis
zvYeR=%Xbv8Qc)eVpN9L45ngJbRd36<k<3%JbYHouQ#9Vx7Q9f)dL1VihQG0*Cz32D
z=$x5D=-<|rFWfSrsC>R6JqNMl@qzg;9z`LXR`vVu>MDjpsv4P@ulm(aH)@b{x8U_V
zYUYPZiWo&-hg*2+EDi+-IvFk{jgiciV`86SOC}c#cWl7Kc~fv-l}D1O#dT-IN>O|1
z$63o61F}5ytF?afXVHuGLp5_p!2?@Dc*n)!PCpUtF8u2fbVF~a9cr}eD0HuPHbC_4
z&b#y1tqKg<MshUP60_)#9Q=H;tWD8ZZ6bUFvYMHg=jCelI38{@1cvsdu9*vy2@6%B
zOg=oPQWdQX#~kjc^7|N7){yKrE~VV*uFVaG9ja5H6pN=03Udh{LA*~RHg-{b(lQ<&
z-JgOS+^WKJ;-I5@2eD6kooK0hEU;OqXrAg-*J;7#&K??@mgpzi()Z08E;cta8<9&(
zn_M+o7v#P?-7ktV_98wyocH6XpHydLi!Ig72<78rZSmFf`p^L3t5X4%GIxQsO-yE#
zGCL=*z&R#p9TNy3!YBbtWAZ0PBFrZM62GggewzJcf&R-$_?O_AM~wZ!`weXYkRBin
zEZ<M^-8kV<{Fz1WSI`fQ7fxu$hz-+;B>msh#G5DS^Cuw?5dFwSdXffkk>flZKkOkr
z!AXu8r%vqIK9NxZ@!Q%09A_W|5E<Yg`i+vFnDhrl=!9+rguly(oKSfGq@3v71=1jp
zD}cKE+k<%FnEh{Ag#Q!XiD%9o>joXy6{z>A+dt0VyvPJlK_@uU5C2>_P7)gf!H@bJ
zCqbZNjA|b^sX#E0J;(;+41$8}fD;UyE<mj;K@iYmkU2ne1LBVX$z$Z{Uyr}ij<p?Y
z{oC<Zf!`UwnSGpuz@43epJVXutQ8avv3A$6as&gZ-|}gJVS+&FxJ!U^0D#UJ3b8wm
zA0KKqwy?jZ@4}!izok#i(6Y1toqufFS$Ag#u#LN(vzj}QBKli7XHIwk`4VuFoFtU*
z{Y5v4of{PH`Zv;9sGEbG1H=XbcLDN{D`+2U*Epd8=?j){7*x>)V&i5Bv#|yUAf3mq
zHopmz{t!N<9CMUi>{x)G|LOV@!`+;96by8LqJDGkvGe~<QFphq`5Wb|r87*&((Z3G
z3a|~3&&CU;?5?Dvu4V;=Iv*=M_dEG-!sqRwZr*pC9qfMh6y=Y~EB#Iea*|lv*jmD!
zVL<e}hm9NT--zq|PX4<%nU$S9)EVmb7w2C5q5rPp9}FN1=m8XR?CbL|sH+AX=5F(Q
z$2jJZIs+Z)KTyf7pfI3A{RcW3(8TutDt>ZJ-aJ+YA_q<)x$h_OAJ^Z-lQ_|Dqt!7k
z{i8$w7!8l*LBBi)f@3GX1x{HY`V|C%-3I86AUXiI{fYGcM0)3Tej>d;k=~z3?@y%n
zC(`>9>HUfH{zQ6zBE3J6-k(VCPo(!J()$zX{lA3tp5PeQ01N^I(gscdvjBl8L3cpb
z04Qh$fP^fdhX7az1t3Ex$o(V+z@GqU_Fqe|faHIu`+<l2Kp{zh_xw&uAWYGnwuix7
zCHeUw?tGTVZ{+cTp)UMhmahDQd;<I+X*n-fOR$p-jK#_ZK-^?F)@mC$SRAZnIP^u-
z1=L;TZR{PCyxnZHy&vd+y`8`k)*N!Oq|#oJUM{XKHZV&TFBfNsyQG&4$BA-DAbw2d
z=U_PzfjP-=7^pvFfdM#{lLL$ez_)pY#Cce3-7H;fJfUt*EP{NZ9DqVMYg<XJd-s1+
z2c%>;ezV)t)059rm=Ee^$1f-$A;B*o#4jYo3rO&~KZd|8y?7z+tUzfeW;hu9k?n8Q
zbuc)oEl?0C%Slo9Y}~<a4z4f<D1_y>XiESeg~@Qh;SSc4BDUhfV%B2TytizuC3pn|
zZ3K8NMMSK4tt~|b1qCc^g#>MFI7nH3E7AsdyYk-`dd&H~SQZxP<D}#XZl(=*+(!16
zki;zsQ86J25o!K^<pJ7%$Uk)OvT-)J=ip)kaR+Rb6%rBnP5NIsf6rq0XBG*uzvlQ0
z18@cZaozvoi~j-txc;Rn|JEh|1MrS8KhP-uJBIxJBI>_yE!W@Ke`&HmXp%|}?l7p^
zV_9kb|494aF(2k&`=9i)W6ocUK2AykSh)>waUAz=SwU(3|3EwLEhj_+EgN^JGyFtQ
zSU`aPcj3R%{}49(PlW$U|3mmsSzU+&OjhVOEB=N2zvDb$xcm35{`)w1+zDBvfs~}Y
zn+@<(;T~|x9>1l`D<I4(D5CTGTgu!5B9g+uCHOCrzh_p5T07W2{_kY|i{u}ffpOE?
z5@z||%Klf`-xZvg4&e2`SSx$-YVyB*`T8%$|0est)&}b8|8*<4xSWgzCk>&lE_n|M
zh64j1O!=PdkDH4%6by{de_nyVjnv@(YNS4??%$RD@6^{C{6}S7fu}<!H!y23zm2oa
zah=?OD^~Eg+FFApZJ};1mM~cd7fU-Een(duJ8AwussG;IAA>h=&jjwC{D0h!kNffe
z{PDApf8^tz?)vGjf8>FGB>b~?{dCtq^1we5{@J^Jy6Yc#;2#P9>|H<I^^ZL8kA#2r
zuAlDuM;`b`!asZ0Pj~$z5BwwH|G&M9^iM?J1_HqNo&a9|m%Zw@kDm*i>{b7<6a2pw
zp8E43{^R&d&f}fgr~Y94cOyUcs#}8giHU&C-GA;?X94!AzXQxXdy4q@5y@`{$+@#<
zPM;?x1$Ob10pzp9K>5G(Kmd!F<kUH$^B_{PUqGjbh=JYe#K#t$I(r^Y1ngtKc;?dC
zYa~?HLFWW7-w|S^KCgL~#*$5#R_jq9oz-i0`SjB7H*UF+(l_;qa7<~7K3R`?cTdM%
z;l7w6_@=I&{*|&%{ogjMgJ985Z8FN62c|j2Z8zau5|T>FDh7r|cJ>aA9-dy0y`Mb~
ze(^FSCN?fUAu%a4D?2AQFTbL)3h|-3=5tFcvaP*iaA+7cGCDRhJ2$_uxU{vsgWKKP
z2daO(yZ$usnbW6FpFMlV1u*#{u)F?@;91ahsymt_LY9{wox2;z`kGoR-HJx|d?{N~
zpS;_5+NmeEfKB#v;Ct)u%5I3z>xe2?bC9|RMc;=V+pB8>*AsjC?8M+r&MPsQ7027`
zV}I<kzp1EiEB?n;`#<;DD;d~(y-3LY&^EHLE1_)Y@c3n7UUmEE;vSczijkvtNK$@H
z$Jo;T-?zh0PEXe0%y6sqsQQBv_?rJR#^?VHA%O7ZZ??b~S5rR)oqxC+-iX*tUW1Jo
z6IH#->AT;<@Okg>=&rZ)Sxn#y0w^ZwSxU@O1SjvR)LgHtwpHv-vDs`V{vgRAR8`>D
zYa;!S;yEuY?=NY%t#?}WeJ$*qU&^g#mBntx5kPQ^OI3GNBYK>sVBp1*b3^kf!H2x0
z#KEuyvT?eS1fMTz9}au<;i96qKXIv$zDZpeCu3k%(Vd-dsyx*bv^3bK0N&zQUc2(R
z*79J(=U0wMyE%WYnUt)ifvXo}@T<|Y>|Jr$zclZ@jgWgS?HyC)LjcvHcoVwkM(fvb
zL7{D>=sTKor95L>Y0C5sU|_>=y{w3DeXe2t6jmJJo281cGhTyz<6^U*#I~G)%kYVu
ze_uI!j{q{BxanRpj$6xu*)~9Z%>5EV78qKmA)g5#(#-r<l=0sDU2q|{wR*FUcfknA
zJ^Uo2L+%J#<*j$zeFw_kiZsMK)wF`O?$DY6ht;Cl+I{4s!L#BSwVv5u(IdX)1q;N?
z)&0d8kP7HEkUG1H_E{F`yfx}ci-S*Y{I`%D<Gnox^Sqm60pM+P%4`MID~EmkC;AmE
zZ_YF6KD|WTR&UK7xPwTnx<4suW`@S4WCc|2J1KF*T~ooKV+@;!LwH=SF_Vft5Rnu1
zH#zhfCkvd^)iu1Y)L$gv7yB}lo#sK{+PC7*5MS$x*imWUuTNrcZCBpHKHA>*N%4rR
z%b6$`b(t0A^BliXXF<HnP{Az_C;UkXdYzN46fqSi^%5*T-AB3q$%kq+Vi=vnd*>=B
zszG$}T3G9Jh$@uDIvn{1N)C}VWtNK!=qk^u^=@RY@B}u^-b1feMkPg&V`17WhZrY^
zdpVyWaVqwCj!PzKj55BkuGV&jj?d<@_%{dB8<f?T3|H#9iAE&yRk#X!nELHLW{TZ<
zScrV`pfr`Vh*j%D(`o=lD(&%=iFu#d>4W8X)-#FecM*bojy8w_8r`dAG_T0ZxhM*K
zmfL2S({TwhR*3)Ei;&Rw$JN!xyl1|dTyP|;h#!5$xI8AZRobmsS}L-v@+fB8YB2G_
zK&;Y|T;PBXaXy_cQ&pw`l1_e>ZeXo<!aPPM0U`D9>8dZ52OiPE(Kq#c*KF<~Lz8xk
z&e^0pcS9~O)03?<VkVRE=zxii0M8BI2lAM<q`Ld&FL|fgeQnLiKfj2+mhk?I6ON%e
zAfdOdji%87+ueea;$WRgV^j?`k}W`gi*oCKe7$XsixUyyz%dNhm`PAW$$ocKO=}>4
z>L2ZnBP@MN-3o^UkuDhyi2fmwOC6m);*N9b(8Bq`^fc##yaU~9RTDTVQ*?sWTaS3X
zY0>mM@>f-cOE0S3h~W|(>?nE4ERvlgK^l&EQBrdAYQLP*>Pzm#hHSYH`N$%A*8o`y
z#NolUx`R0U;_7v=flX`S39TB6O)u+`?3~-N1Q1js%{XX{5$7AB=|s~atv8gNUWI;|
zQyl9yNB}vR$19-x>>4b6t=ju9jK0A#hH%Z>KdQblzMY88i%TM_&dDyO9`&m=zIodm
zJIiExH37TII$3nIW%hAZwAp8l!g}mpq|(fOJB0TJcM8`L+fM%#yXHp)4^*`C6ysOw
zgK^J$z-8EE(HTuAwtxq(##<@4+TU@0(Z7PK`f$N4oWt<&S^R9=r>sT(C<AFHgyo=3
z)w~8yPc$xsj?+hj{{ANTy~Mubr7tdcl#ryl8YoLGi<_>Foqc#zyDfEo!tdMO4SpxT
zz0sl>m!Yg6`-$oB%QxmPQC$@~&+Jm)mutUp-8eV7S&%wf^O-~=S{xrW_qe`!C;CyM
zzLUZH_)fend(|QxNfM3!Vo~53>%3R!Hj&-HXeBl&aOuos8iW5GSenh{HXCmSP)hRP
zXh^$nB5#KN%Ly;jw0hBJ)Zpi_@98zBHDBbx&-JCeAh~BIE*#@2Q5`>;=7uks*PO;|
z)PEQkO*9!+6^&SBFs@Y^9}2s)TaeAQsAcdgEc@kw_iW5;FC1TiBZ*n2P7^XozR<yb
zIbznjGHz~o_RGWb8Q+t2Vg_$h%k<`#ZyL6|HZ>`@c3LP^H*kN6<cUnvP8=(>Sy{yJ
zV9~kDvh_we8#_n#iA*KE7T!`bqF>WEhY}?gT@U2myHjh(Di%4~Tqh;B^{;Vp*I#)&
z!+A-an_f`tbZOS<J86v`lXV``o!SO&VjmcSG&=e2dEm4J`E9*;+ywJ{z|YQvTePYf
zs0kc&;s=T(%9<bHh|#8%mU9cSS=Hq)Z>!GIKfZS7cD#jdNbbO+H|N8xNBbDr?nQ|i
zvcA^s>kDGd0Cg;MsFal@KM`l0RJ%h?%$c8BeYc~d#o(8ZUxGd}Rr^dDEl=Q4HMmCj
zYW*6<r^E+m_J4&y=sy`v6gp=~ppXYy%g|k<0SyL^Y~0ww1Ps*P7i4(Tu-kn{_m<(+
zCvBZqrQGem*)O^6Nz8DQ>%cUM;vdRRH@a7sxX(h2Ej#1Pb$e(xLQNY;^-a4%K1&ft
zlAhL2)%tu>sm=DG(_k8wpB-y5+s(S)`yrH15uNVT-7$mO!dh{WvJ2T(zs{%%R4~kn
zg$3P}EXpSrYhj*UDf5tP$86Gi9adx1`4&4~d{ghOjuwvL)x3o^h7NaLxG{#LN2|=a
z*(N!}Qa*d9s?En`>@3^kH=bnXiqr78+O)<#DqPKC@_^mDRCHb9JSpnboFB!YEWHB$
zTCA8<d|ldOw>Je?(NB+kMvVn{r}IR=(`8^!eX~B3<83|GRHTzONHG)>4;eagt)F_M
zlrPy_BD!Ya@+PjT*%on&3W8~g&UtwV)m3r~c!ni_DBkOa!75*KV|+7%R&UIgG?Y}M
zK8oGg=q~Q9Y|{wl{gj+IPVQ)GcJ*?}6~&t*SK1j>q!V%1b~d4Qk;!{W%bpmkw{bVm
zRXq_>xLcKW$#H;H=d~dH7ovsov^o6^{08d{pQKW2imRI0LnF(fqDRdSFH}wornS`r
z-<la`ne^tb<2ECk+-{B$5c$Gec*tL_IMAQARH8M1NZQcKn^$p^j?4^k6r=U$K$jqk
zyes5h5<ooP(<Ew82ygkBIA##{&Rkm_hTasdaN4U*9WwY_qcU&2zlpV-Vtl+-{u-Oe
zsdpp>29j+rnZpO?#LCUq4Dr*Cg;Ve!aG@@hPN9DFIZ?AZiVWzW%yDYALRy+0&Cf6H
zCOy|x=b^af)4kG-!^|g3aE$Xi@~`?QExQ`9R@n+E#h-RGAOg{Ut-igW*<^XQus2UB
zGa_=2!?e$MQJ7Ql?9NE+D329XCfQ_yR2}`YX*QZQxN~}zO_s##t7E#+imb}@=sw*?
z1)n!EEW|1g7vWfhVCZ0#@sV+yLCa9V6d&tzO*XBZH)0P3sEm4IqUZ%Ep2MB-I7&1b
z^pOO-(8vS57b2dyZ=Bg_tbEIcJsf$y$X3g$Ixs&9ndGEn!Qq>-R5xjY<w5zuCT7yg
zfw|qwC<zjaW>BO=g`*=v&G=no(ZQAHuXY6z4RE^T7jMn#U3qE$nN5-N=0^O7qjA%X
zIn0Mm92<nU`oN(plgcwY+BoiwiA>5jKGs(cUXWRuW{@d>GoRq|=8c)`F*^hhq<Y%P
zv;ZS(pd}ktX<4m{5MA`M#wLPAS641&y|(7pyOZa{z?sUMyL{BR9MFnyrWw}Bfp~X_
z^L)&fBrm6b)in4@H|Xr?Cv+FLEWB7Ek)`ZeDWF>ms}tix_MAs0+jd2H0a1$GAq~sR
zYN*zRrY@NP%dJ$Qh+11~r=_sb3!Q@lJqi1gkC}`+wGH13QBt3dFo>4dz9(VhAtQKD
za`0MCaATz|v2L6eQ`Oe=EMX|KviMa)=EpIu#*ckrv0&8oBfJ^%PW#m%n^jLf!xww*
zzOiw$7wum`Ku)%oKNXER#(?B1m3xRZhsq8k_h^UBsU_2dF^u(wDH)^UYOVbrb*e_u
zhAES&`CV(_120CC!3?43TK^~ne^fySL>kL0$tEaR7cWh`##Qt2!LOK?ho2k7p?qDV
z7_k(Y`hHB}$Tl_1)TQ!BeoGMo1AFk@e-dT1KQ4>x-Vy!MgiS%FK8ZLRz3V6Aq_6aA
z!j$WUdQ^?{5irCSNz-m>?{3$occ4}tyx$8QNx1r89+NC<I)rMZ@V^6<$udkGWr*ac
zK*-$ScC!$b@!+`mp{V(JUY6%`eRDQ7ek3qP7m`@5F7XmT<sPj&NGpUaMG)LlaBoan
zb{lONo?QDVW{(S&7ZUmitKO_E{{~&11dmqRg1fe8p8mBU*Fq7{5W;Uq00}_CmL?W4
zcw)mU+1t>Dwq<;2IU;TkxwVFjKw}U62hcv-ZoQRdhIMJ?F1~n~>$9|H^wT9?;cI`*
zd?IsD0<-Yuo}qnk7&r2AROVX4quMnGK0Ds3f~7^yGOxl^VweTT<!WqRP1S^dFm<&@
z+|nl<0hKz4N>p6co3iDX@|?2E81huWDc28hd%?bbW67H^xLHdEHtjVgxzzEf`Ms!q
zD^vD_%&0c1`cg<URih^#>aEMm^74rSQL$@rIc*$6Up0Gy>cn6~HUqK`BHyzt(SE{_
zJoLN(p<=CmBx5>>k!q9-g{|_|2H)yT=)ztJ?+p%ihH~-9>mqRhpWH;sw1V|wH4P1b
z+PDHMTbN?4_TE!p&t)@Y*H#0?gN`--CG^ERva3tba6jX^gJv&hFUNOO{Z#~zOMF-n
zI{B1iZlcjmVM9{VM9rW~=hPBlWqf}*ZH{$)+GmGpZ0W)ziIcAvwrGu8dxfuVPhzlk
zAkz&Wq!VJeAV~lT*FJi`Qoj~&%5fM(8<Srm%63;j4bZ@JtcK|OVff;r?A;lEp6<Gv
z_EH_eMFN;c)zS?%P1GtyLziuNGHiZlpyQMDxR-OoDT6Y>yJ~}X4VV-zc7^$&YA%ZH
z?4a=urJgz9)sB}7JH;Qzj3a#@jx~-dA^S<Djg_w3iR0Z0G8e8Z>l#bbEuE*o9&V&e
zcjlooF|e{Xkem*1DMl@K2aied<-e=7+j-D6c5vXRH`F&cou9um{Qc9z)vMIH4`j>4
z3vP082|lJvnTpj@N{F?fy9i7nveJNN38V<!qa9>sd&ICNHIUp8?Dee%U5Qvzg)G&a
z)eB`DVT8uerSyi97cbws_+XKZDsO#IyCW+7=GQd%D)6-$zz4@5gE?W~WEP>5cG%zG
z^;MR~?mar7*tTU}R&`d?)L#m!JKRE{$k=Zz<u;Tt?+F`ps~u>s^9-`evqTPb#2I;0
z-9iP{>5Av!p5x3YZhxo>w)j3fkF0>bOgL*yXT#Dd8vW2N`7ReHox!%4CD{!ae!ze2
zAh=e_Z*{7xorejf;2SBFck>{ti`19f_2VhtqB`X(cG~grceU;mbGd(B@%Deam_(U4
z$@v)*K8l}uRgk~CJ|wkNRl<2=xA0snJ>SaeMJ)p8vrw(r`ODvX?}S7tMBdmKI8Okz
z+v(tf3pxbckUW$g^&OG8cwtCSca`CI=_9Fir{yn5omYyw_ER^a1tZNDMJON`_p5dD
zJp%`fSXMq%hYz`9ZO@c_0bQlht7J2DrhUYm7Crk1P{OGWFy5dO*kF!{{ook^sda;d
zb?ZSTqF*T+n(OrCUAwL1kmq2bWWPSLB>rneYFw&#Ufw&+t4c4@@5@3qAPhtJ*7;hK
zI@Cr|xu|T*Ly(RF-M!nnA*b@6f#7m3b=6hQaWn^Jeb#XYzIQ`H%`3`<FZHarZAb~%
zUh3)koEje4Y!a`=I5~zMsH?)?*hTwk^chc<y=Ne1eHG0dIe|t}N1?r(nJ7x9U`g3$
zeK(cBR|Xw6gp^8SgcQqt6xqX<6LG~}V^If?u^r>k4=$!1>@6MAf-O|9?<&~vs)adn
zHK`;7P15bHIM=1U-#9yW;J;Y6d8Q}~^&)U$c<f%Pp^Z@pXXb6krk-Cr3@%cAXt?KW
zgs-R8N7fO;AX13$Bo`)Sv;*5ZW01(W(dzrYCO!e~dQD7je038r30Oh=FHDji#Tk}d
zl1O^7xg*;VJM<{N79G*zRCi};)k9DMhJwtzjj(09S^2?`dSddSJdd@2MZULZl;4Lr
zGQakBIDWUQP4F_4-P-$8Lg&Vj?u=~0w=+LOT~dXwjBCD8xOua~u;vEbI4pS|_`DV3
zQ1L@HZyl+oWO7s&C0|L#o|Z>r%OL?|y4vt72Ay+VY|UX>xEAVq=rd9IN@u$lI{Vs<
z`a?MSy_4IPsv<%xLfhqjLftdU$<LKkeNEa|uMJ(bo5V!A@9g^<jaPHH)y3nAr!K!%
zuj-LEnrL)q+gVx8<{aaazwY&`6dR=AVWvA`EubTH*}z@4Z&kFjQUPy1#vWqt8LG?e
zgSZdliNiTDIHrzCw5QVh(%dX-r;?58fTJcI;>MCQ++9ponc1t#jiGW0O*S5Lc3QKp
zA|o~XAu3__RkiY>5KMhuGp@JV^o{lne3}pHqx{MrHK12lCdhJaVD^*W!ed|D9Ovp(
zVNO`iG`_l%+&WOXx<gxPYJf3D^0+JF-xORwdx>MqtmfB4k@U6&wsu=+fNAgkVZi&H
znz62F#&h4Eq|ikMrm=C!iX65rL<~9(s0If4Oz%YCYAG+*()x8I>$@ioC29^Zs74!Y
z4LX<iwNC0bRtJxnZajE6pK3Ni9E+ejH@k6`(}#@%rBZ4k_wvpX&%sBZN6gi!U7KrM
zUXqBjr9PqNns7&HFV4lHSDzhPtS#q<$0vLG^Rt7$^39aIL+Z>q-SpY~#^}OyCB#vQ
z+npMg##s~cE}lw3^Hpj*^BLO*Uc=`ybK`DaQYKbf2uy%0mb~$g!t9mH8vAaIn_u;y
z@%$E{_-#^WTduwM?H)tDlzF9(dmc{A>iSkO#I!eZ%+Ii_#`BQ}Y5%-uxR;vWeWONh
zg$p<Myt97k>OTVjvqSC2t2Wcd+1IH@mOAFN1)Mchh5pPCzLL-xyUxkgBXH$G^oOdr
z{er|J&7JYYz=V%j*~AI)E0===Hj!!;CGnkVuWO%r*f1?)%p01MeFvTEi{xylcd9tv
z&oxbFP9$`{j_sHi^*cM`Xf5GrTAA2m<th=DN^_-NRYOLdnrGuak=Lszk{X=R4i4IB
ziv8Za7X^HU$853b(5DBN+S+{Ry~|2#H~Ze_fT%oUDeQte6#lRu8s4oK(=sPieIZ<)
z7gj#!cKOyO0Yv;ZD=ObBiJ{D=1a8gTS^idvw#dFg$rI;nU4s=vc0+)#Qrh0guz~H&
zC40jmpU`k0DhKR^<S;aP*u?A-BQCMarMvd5JpY@VjO?s-J)NaMHKi!I8k}m$oE@4m
zs4uN^bB@wwTUY&oT&XC>ogEse!|X!eOyNfx?ej8{5F<f)@=71aE5Rk<4KKE)!avFa
z(-iZ=n~M($ck%0XncnD}(u94P6h&06`7O6WTgea%Hf`L?=xWcm72cM(GxOt88NN38
zvu&uE8;{xZQ{7rB7Kt%F8F$!aq|2J5-^;TN7Ott@dd=FYw$b{f<BL*<8BG-J%@!qg
zWs)G^_W7=9Gq_v~rRFQTr-?STl;=|{l|)bDT-HouHOTKirgFn}M<#VxIqAJA2nh@?
z%r=T<jC^%Ze-p@>Nx3n#2q{_Qe{OmvbeSZp`%e8n%FZKobH&bU89@u(p#)=BJg^gt
zS#@H>P9@{X!Ctm*WrOwVYGrM&DqIWBy;CrUuf_+6>`Ubx-SstFHLG29RC67>P>Nuh
z$r<0a*0%PZbaU~Q@o<88JRj+1Z8EIFJ^0w6bwefeng);7Ks(9Om!6{4`Y!>8Wwp>!
zsmVS6!@Jnk(fl;l5%k)-9Z@F_Tdwq|)PhIWjnCOxFd~}Dw$xJDNpaF)&zlUFLT`cs
zk3B%SLHw;@WKa9B-zSYscD8pr-Vu&!G7mRCNcTZmSGcaN#;$b8?(9*WxiOFK6}+72
zEUK4$7%cU)kTRmz$~rD8%eieGn9*IE^EZKDXV**S(mt=nCP)LY*U(bq%li4m-YJ1@
zZCW$jq$$5K<c){$4DFra895)`GU4)PCdKS28$S9su?j{tzEs_-^?j?mz=yu9#lH6v
zK-8+!$fJGUbimBF(7lwyT#e94`hp%3uP@I2BWsM^&lV!m#w!P_d18#^+}DQVl4Ztp
zy~f!^{B1KX4kTY8Po2*d(C*D!e|=YPGglV)x?D*s#nG<AdgMH<B0RVS@+E7Wk$xj5
zw<;cqoeiYBF!|K9dPDAA)uzG#K0Us0+y{LAj^Ud%(-&?G0fG<9uGB?%GKNLnVeMLx
zLDh`let$4S7(AIb85t=IX>3OBec72bwX@DG9v#H5H@GoiXFLbJ(OI)OAA6rsG<>+;
zO#q$B_?*r>H;j0Qm)+|X<K(ZN^a@}4v_*q{J}>xYFM(HCUG}YbxYcQ2$-s?egdFPP
zisE>3j6^6zSADjMOs6u7bG!DH&`XDp33Y~i=Qahkd*5#ERpEv-Y!4?^!b_FeV72n^
zzO}-JyPF5jr6Z@WqhYQ(tG2*XG=r}>jwyYn+VrFuYL~yXdWC^59<)NWHYux(vyvXV
z)LIo~-W14ZWzJKeqmKFTarbWIC&|lxy%H2mx;y-F2#J`6?MC5MeIXIm>co(yyl~}#
zQyJEW53ntfx=0$o#vuZzjsR-$o8B~t6j|oD^2HnGAj=8I%RzVUJF0(Vmw7yx;?n4Y
ztQh6GAdokLcX;MoSL-`ikQa!Ed%Pep6*w4b)bqBCXvG1GyK$$>7}Gg<O^Od=BeOm1
zkk4Sv2QG;ZzwyH9vsWxVqk{jc`@Op4PEpmW*Ldp*F)8)pPZ@g21*7+@TqH^c6uylQ
z1PY$Hb$ZKa31>32O-(&eD9~#xJrpgkdPTdxiCw2i`jyte+lx)=WJ-Fs9#a1T5@%}C
zGV<#06lOUyk^};^bAT);@60ymi85C5PDf0L+D3?wl3gh!y-7wD)f&q-lN3F0Z*NCz
z8;y@dXd(N&wc>t#4C}AWE@w7WjzU^<t?%)`O-1~rSnp`_GJ421guwFN6{i>Ez;ZJS
zGxJ_rhX7wE!pNUG$JABCJBLW(#Lif!&<T}A(HmTOep>74)h9xf8Zu95e^GaFheR2x
zghfQ8zwQgvyRZGQqeIDt<;nTe+8M}ksfplue*Iybu8_9&VZ&ld5gBgvY=n4TZyQAh
zx}sE53)eb=yq#aRwpxvBxytbAId$F0+eGmgd38wzNvIiZ^#T8O{M`~cgS%&zLMV$6
zw@+c-GB13|C3Ac0dH-~$g7V#I;M2~|IHu3;YSIxa*p-QGj{sQ5=QNDe(=NlRyz%c9
zb#A=~6=ap4Ua@LBgNTW~&GsqycmFuC)6D7hdo;K!ckF2rmT!U)IdR_dHszF;g;mL)
z-FPk*$3c=X`%<;_Yh*{w6PXmlv0;N2DL6%#MWA7yiSGIIy`UgeAIS`f@|s*qBhh}m
zJ+`PFQ8m0UNw!W^o$oFc#}o4*TBA%1rH5nsnz{aMDzEUMt5}XmMuu}B-I4w742zXy
zd8tYLDze;6DL~6f$pl|?rIY}oH0LwHRkoCFA|;$(k;>cEU_Lf3T78HTJd7`3-EsP&
ze~im6B{qopLXYg2scPm~2QW4XyUaCJYBCuZ2H>ulIH`RYl!?*O+Ce$5@%3IdOc0=J
zdSUcN8`7-mB}4u`sGSX1S{0RBrfhkbp=45Pm3@Bsx;{CnJK~by7grmNjoy7fw)R0w
zdfKAJtOOzA$VKikEMg7}C<^ixhx$F(#-vG}2IW<rs==OZ0;sL{&F<bX9VTW=H`dUR
zQ!-ArE6BZSE~F-A%E|TMNt*AcR|*VDhO99vZ>dQzKG~Bm<!EZjzVTsKQp-lss52?M
z`mbJlYTSiq+myR`a3I5uz}GZ&YikNzX0t+as8be7suK%5@V7P<%n@BBcj!{XEd_uP
z9q!45X@cPEQ^tHUsN_@8#%UL#(dbZ;n4E|b`oyNW+?>|gQo}2T@(SAWuixfH(Pvob
zPP<W(0M*b97-nXWb@SzKRu~GPl_Jh+xa({Gky{&XuJ4=PwT5{%=Eq+ZrRW@B>N2r9
zlI&FKP)lNo-8Iqv2JUg$Elb#Ei%2ZUXMK5$eppLF88<scMg<^^uMUEy%|0z1`jhZ0
zst=@GQ)rYTbDc+=y|WH{+gG?Yty=0-D43m^<`f;*X|EOA(co3K+zY(gT<7qB9_Vsz
z?gmWPYb6}GL&#lI)l@K*HzbGOij9FklBU*))!F23krBCfNk~$Ft3!$9czTduwoCwp
z1n|q!@OmJ3^&9rx%VqiTcw2d^L+3qV;|9?x@VmSX5pC443q{77die86ddbzwkedAa
z$SJY2lf}tY=YP?jkv>;S316*Ufrb%4qW*T^V57sb6{e(x#;|Hzot26B-P*WGbnp9v
z##8JeDiQS)7;J-pjQ4?XiLeuMFux*VXJf_<=E5%6)=b{h0L+gn$j_3HRk|9OmR7Cn
z(DBwH1jSb<h|h;+hlJ7xf0|mDLVhbXSQ4jZ$$X3aGJqr(WI2D;{xXOJKng<UNTyq7
zKOZivl*9_#eb>TXz^;epdkY0Qw=jB*$M^(Uc<9?hog*BJ^`C+nC{6D)<V^)?$%`kQ
zC%dVY2{<ur5B1%>=*S&@!R+(+o^)~3it`1U>D<MMwK0mp<jp*s=rno=4dpNlDR|;&
z=$35kZdovcod53Lans#k)QJ9W+xu?H8k~F%@<CMx427HsT_VSLNO2@CrKT>+R&~sL
zU)D-^6Q>Av?&2FMY6G(tDlJVThX<|34D@s_@i-Hc9k<I{c!LB4-@ExlE`~9<T6D+Q
z5^kp|XXp!E-aqH&X6+GyUAbDa&a{cW&@N))I<4=zYI2{7EU=Z-TrlVJz|a!Rv6>3#
zr5b6XvbT^M=xIe8Sjr7Q58Lluecx~#dLE!>b9u`VUq=!P{Wq8D50s~vJtC{b8Yn{E
zL5U1Avo3wk!BGO<45MgKU!-XtyXYZZ>z(o53N3yU*L}ZVWD?_;f?*O$6r+AHPA}<g
z5@N9=v@G0TxSrWbeDhH*GXS`70U#KhF!W>Muo}Q^R%D{MDR<<|kYB?vjHPIacLB2}
zs;D!`ReJ6$u5exvZ+owj&vWMdpltq`53=heWB%sG{BXaqaW;)1)#th#5y>xS;twx!
zF29@f_IDO*giqE$`iPI7O^n}g6{jt&c=APOzd)5wMtN)5KqFovzkCBdOJD3E5;UU$
z<JoUV6-m)P;>bUoRATzxnZ|3lhkC<w8=lg?kVF7=doJf5^`h^}yxVzyyCQhMx~l&T
z=a%ahErd%tVjzu7HQJ(5q9~_I%vUosh(gTcTYAq_zv@UL`)A!I!9ycs_Z7i_GG(jp
zND+}b<r~sZLl^@bUj@iML)*+&VHsD3bGE+LrjDoSBit`P^?e%Bd4wvkJ~H)jRB!n{
zx%VD&=&Yfg)^zBKPWFFo8P=)Ibfq3wH9syZBlb#xS9B<>jpX#*^LW|0H3v}*s#o~M
z+IvNxu#euh!UUs~<*r|+K9KyJR_C!QN&r1RT9lIM3iR09i*rcI4za%Da$2OAiySMD
z=TFl)99@n?`9w$@Ufc$-0u9%5?>Dn0yP(<WIS*&Msqh&`!0Q}Ec$tPc`GFjo5&dlM
zuwD|>(a7e}<X9W_tYH6B#8IRk_<QnK+I9jc%Ji}J2J{<={dUvJMCv4xLCj=$zM!hn
z(o$$^@D=KtQ+iQ{RlcZ=KL_laBS!Da(hGYhi-RP?(O;9~+&vKus7)~emyD!pc@G3b
z)|)MXI8LrtTor>24BR0RJLd-BBI%4)z_WJ($V<)%kC?lOFU1AL;`o<Z*DVXpcvNLF
zUzbzAR>^!aYyCvwbcIs?{fVo&L^m;)dK2q)tGzj@9YsBMMugxr`<*UfG+Ps<YTSYn
zJOSo*IDSmGeh4~Inn_zYEO$)896`^cbIK!)LBS|SYst})=cx(s{B$L`H}EmSk8!%S
z1o$T<rBc>UZ+6wtX@1emFZ?A+r!>JYc@B?AtrnG;w3#ESU3p~E355n^-}Cv9-cO?(
zr4!!rNxvy&>sgZ082oLtO4NAq?Igz(wsJ3aQj(#B3<px#tnl3(bqCP8)#cXoBc^OJ
zuSPu~KgCgGNsj3FQcrW&;pNd3nfJ8}68((%1Q1=-gN`xAw4l~0q0tD$q}LImdHQ{F
zxIk?rZDP~xw@-EsVDBW!BnQ^~9K-8d@f7tUv&$Y8v-pUi7A9`-hmm(nbLGA+&z6jb
z?jp<|N#I}z*Doe(`u%xVN!#7IgZ7?K>VW$jdnQXI755wtGo$Bh1%;WrmcN=EXuL!p
z<SpL38O=S}$b!JQ=&?>yY>c8kp?%<Z&Pt!`B!hyvWCrCc8X6((!~GvC=2FfhZ#P6X
zwC|=I_KFce8*2*@)e{6zSCALXyeFh<n4_Y0vZ0ibd4TZ^@JU<bBl^XS6r#Y9ZMyoL
zvW1=2FS%XQdC&DON0nt4TwrVJ(zT%i?orMQOf^UDe(1x`{@%V+$$Qf~4=@?K#+656
ztCF&vp;N)FD=GSxsfQ!wP|igzkAf_6V`~??VC)d;nkmj=`8u})fNJzbPR2BLm6Qb}
zJ?}m;Hdfus@d$nhmQ3C=fFlB+s}p05j16-0Whn#W75Mo#%NM%qHV)+BUxjph<PL_y
zi*r&{r2X9cwM8zmX-2X(0%K#i{>IuK$)+dpUm$|p`DfiX?do?>oi*5J>jU7!vW2y%
z4?PuVKl!>cMtC)1Fy(R52qvv;$H67Pdd0)TD>cL$I_||e8>h@>^uj6&XST2!Ad;3y
zbx6I-F=4ulu#(^#i6&DWPGk0{yXZHk;dvN{m2BJ5*Z#V0P^rw`rJ+$>RyyOznW427
z`8F4FDhgPz-64Q(^d=nC&ILEgR%1*X&v<appj2lOw5{fGK2EnP-mglNwDp7+MA}2=
z#&uxM7U`Xk*eCH)JU3~?jX9?^t&hPUgD*1yiOfBebM1%2{$ksdn^G%j!Sx#7CknnL
zEX!n6G{|gmI8Qs$*3_6locB>f(5?%7J}rtL1hfY8>z(JcO_r{(g<n3NTm{6)buq_c
zqR|A9oGghi3R5fhp>}!CZ^zsKi`t`p?*Zp)YVzba!-;-rU&XwR>RDMabY>c#^y-ji
z3uZm@OGJu-j_b3>oU?hkfP2J_0+_o7YW&Y_Pa^R_>tZf5xcT<ft`*YN`F0m+YSLNm
zn@2o{8d*83k*}+rvqTfsMVV!)1RhQ0)8*HF=%{;{1O4#qc!p4n%czaEJPclJC|dI`
z?nI_67k?d*(l6by)e~mQFRHEmKKQr}I*z;=Me4ZAxqMnzfU21Esn=LnCNRgT+?xpC
zZcO0VG}tqroTP7z%W=h)1e;U%v#urXd(LR|c;iEZv3#8?t1B(t<jJ)K{!%V)W{}RB
zU$9)RU-V|P?dRm#;F^PM?pk+r0c0ay{X6mA$3v4|EK|$w^dZU<(OKw6v5dYjX3iw*
zxZT=X)CBF0yx~b#Teo7?i+&RS$e9<V5O|O$_=Wq9qV&F&_fyp+oY~@qb&kDKF>Pm!
zdG?7$$%A5qFtAd+ESI<z;Oo8MEYakW?}yT@*unGB*L1#<93VlI8c1Ss^}_Jz_6w(V
zd9{si<lV^6RWYzl;s@^fjV)@ZO-4)#`$p)zVwVi??Q4}D<dO@%#$Vu&zWJ-iudRos
zBXlWwK$F$soFOXpCHU_XaxB833L4rmS@{Jfwk&n8M6Rf_YJq{-9F1HQWgFiV0KgP9
zFyny#u>v(J{)|0p8%=KJs7GW$gh`&~_n^Q&+Wy%6D=$lHo#>x8^;gjOD%_&U$$Dm>
zko%<NC9qtnlS}IDNsFCimP?RPd;r5it*gv|cV(b^(;Jo^m3)}dYRN|vGK!@KU|y6D
zZmm4ooik1(8F~$2pBWL|dngMAQ4Mqyegt}^3TK&lFIkCPY=Aj1U&Y2Aj(x>00uyXn
zkKRtEkGlv=0F|UXW9g=`R)IYjmyI2}%=oPAYbyk-`=Ys1d#7LF%<1i3((BzStMq=T
znz807TpO2M9P{NP@x$b|P3o14wYbcER8{L(Zt|)PdSk6SD`XrlF0Y&Aj}?ULuANf1
z*}P8je#jCSlp>B_ge450%#w7uQ3fAsxc3@8C$3btFp<sST2~vfe#xvCE)U^@*T*V>
z+qVB#mMtT-H$EC};Ic0ME+M6W)8`r?RqD|gnf?5G#@%7soVoorRd~_c;!9uDf;)l>
z%jdYO=1Xd5ubF-lnRHVWG94MG;E7AF!J8K5^pSt>1RcH7oFC4b>`~2iH>EvnZn&*E
zq$MIsRZ)H!Gf=)XO!GXRHDrYgTHB?p=1iRw<fApqX@lsSYV3QqPBP(d<d-qdh)v?U
z1LqjL#{5Ec9Jvu~bl8zvGlUbJmy-25s5=PY(RQpKOP7Lw8qQ++vKYp^HQY^H(w;Xv
zs4+)7T;@`!*v$Wm!7a*j`Tr~KyTY34x^?jrMFB-rKm|lP0<qDgiwX#cNbgOg6G9I?
zDk>T!Nbf~Dp|=DG5Rnc6q=ptk?<9~&LZ~O-fA;h2i+y{_?YdYObImp9+r}7rKk%1>
zIlLPluVehAGa^Ti!S6QvX$TAB+x*sgw*{azS_<h#4SYYh;$|`}WOsZ5=;kT=0XHsZ
z)Fk<8E3=xo!^qPrmEZ$?YS2plO!@H&J)+>9qWQ>&`k0XVC$+}H7S{)MmwCJ{q9s^y
z<|pKf(a<S_K=h9c|2h>lN>V3bwxaOoMArSrp~lWsi;Wl^HS?ym0h26tq_}uSqPVM^
z=j_a+g}Adyu|$*-%Vvt&^^kLo+o<rvCerwhalr8cwpB)&mB##W=hoQL>rh;R=ItCj
z8gz%uN!+H2AI9}wks{7yH5|J#%P34EB7}N#B>^j+FY<V?2g1A};R7`A?rK=50`1&H
z*je;l_;`tnqf?T*v&feY-DcTKe&m+HSu-pb)WT!nE*Iu{7NQIq46glA&+aVmV|~gX
z=F7QQZSzw^PT^K^?4ws-nG$X|Ma;_>Cfs?8t+iS5u-Q2b>zg@csO-+<SbCy&MMf5@
z%}|f@Zojc4s-?=~C}e|W%IOlZOCz6<w;m%jBMt1nuptX3t3S>XK@{25EQ-pga4Jl&
z(B!`Q#)fJfHi!ahKh7niS2$&(_ahDbRn;84#`byINA!VVhqEci%b#-Bk8AffUBeGK
zjx_lJwo@C$P+0w47AkvXR&zRfromt&T|S@bu=oS!u1S%WXb`&{M~B~7&(9(Q4Vkm!
z*N%6BL=(d%aK})}hZS!=Spw>?JGS$zo;yMvB<Oj~bw2;^^Qz4p>6mL-mm-bkan`tr
zj8ldwZhSq;)O(ar{%ebMStG>TNt_8Ln`sPVei^P1rS*;XQ=7vaH1>0%qNc7Eqjv=h
z#5<f=PvB{7v;lGFb?Qvw4f%G?tkHWw+x^=J+CP~mttTDT%~MhB0~X)zbL~3}{YT8<
zru0qcfCbWv<-CLe8x1F=V0IObzbdB7e0_S+#~f;U$}hR8HL_dWQFBpw(u#Z+jgOb`
zLGlcU<RaP6w-GwA=d*J+G;3yGPQ0SSBb3UYuf~avmq=<UY==gy_$0N8V0psyG@mQ&
zFjF+fcuRKj<(*WwhL})pBR)C0kV7$|`R@t9q@mJKA+yCO&c{OxM$eycup4>7;gU>q
zA#2I>f`=~K`&*bTOlPUC)}FG9B8f<shDKD$5;*i=MR~Z2$L-;L_M__Xr+ZwTu-?8Q
zd$J4)wRB_Z0U@ek$`(MuT)&rGHZ9iy7(wr{1L42p+VpkQbqz$#?uuRkmH9Ulx@S>(
z)d8L(Tgsp6AEwnf5X+DsXSr4V?A;7%*y<6TOPwQ556qjat-_({;f6QOukX|!>(~El
zfY66`%-J5d^B?V@cW<0B+(RFeWd0@oWyF=-VO8lvGz~}H6D1wf&NVl(EK%u`??jXn
zCKW}LQw*Wm%Kf_UY36B#y?+t55{ZRH5iG|W1r_8)@quKAe*Iy<GhxL(Avyy!?;>58
zP-RD+G8lj=(s>;wRRu!O%Xse=33!Vg2$Zb2puA3!f`_n_-YJNX+Fg~=)O|OVj7zJd
zgzG1|F$a49<-1=Wrw>={s-Kf<q&_dC<sHQmvVP#{0{5b37aEpz<&b4n)9RE#;%#ea
z746KJwRcPKq5ZI2k7rk_<K1wjf~^_cr`KMuFPF7eI~T40G%14@_vqbz7f({4Uqd51
z4olR~BfpaX>qs@yv-$guM;F)8D>URH#v>|e!aAxF#dpS<toT!QTgnsI_71bR{BmDO
zkkZ-NdnV>X!DDxK>e=DyS~w+|u83W(*#9<dE2*04OdiSJz^9{yTR1baEO+#4VvqdO
zoD6#=BD_Mu@aWrMtLd6^si|^Pkl!nZXEp4+kDlflhJOpG@N-s;T?*-%cP2BPyix5f
ztgb!;p^z%rb|71-H2Ps-hv^U)0{#<Fy6;kR9U@$F^HNuXrF=7``PFuQ1ebW<KVf;s
zQj$76yKwruUK}{DF!c<^+F}Y<R>|D!kmaapJVtPF=lA&0+5NQU06fT_$=d&9cH?qg
z-xxCJt@q=W-jq$SJOM~kz?MHvy^s^hEnRz=giH{igTHNh!Uk1Qbue&0LA4i!KBx#e
z3fa03<zA_&Z&CKcyLeiO5b-zozF6;NbbDsxB9?J!o;gSmQF`OJCqcSSUR?gUEM|CQ
z|EG(E5FIV)(&tCPFmEWLosh&+hAT+FKMN|_q4qQ!iH~FUP@^edWjVDF?8)rbUpB#U
zz09@5i@Q4drVQXx@aNBY4t&q9U$Df5lqJB$UDxJP;pKs@uC9wgaB(-`7k56~7_E)%
zmoBa9xFy!$bmt6R%c;mD+8h}X6=si593Ysk#g)k-8gDZs$(D?!1x;{A&)+)$EoQh+
zHT%+;=`aXzIIj4{E%=KUT9m?ZZu5cpb7&4+O_OQ517OT618{DnTE=g&C4|WwwVpE2
z?<^YAZk%_)-lQ^eNI60GOYU(pm~$3a<54=G3cwzsIe5qjwqRiCDB9Ul8`CSqBBTdU
zs_Yk~Z)nuXHPh4%Cpw$gYc*}hj$rRexllZ>@y~g6MgzVPU;QcQer<Gr16q)3?_|Kl
z$ll6Gmvl^22M}h}_<o50pG97YP1&R)(Ii@|Ggt;7aj~FvLCR7BwKI`=l*2CqOXH7^
zvHO}iwd8nq<36EzT<?QwPh>+lkRIkFe!4OEgRkFonWDL1>lo^}hB<LqxYzn?4{N<G
zJTbi8jLQ7E;g&)CmRB}&bGsO7VdiR}y)P~jD`wnnE@?_%eN@2twkclAssLy6J<3_W
zI$1uOZEJM3tj$D+#*l+7Wpru+{_-~dx5HupSX;?P{Ii$?D`x7oRh%#VljMWwL;!t?
z{olB2@Tlj2yCy`UI3UYE)Zc88roSr@SQzN%@~|l~Kvw002gH64@J3SzX!vE@ItHMj
zq8&07Tw7r9`jXp))r?F!$N(X52>SdlflCOz+pI=)=Y+nk2*2bg8hu)P=W1|wGzy|j
z!UD)n+dbj)v0>#aeX2NAqU)Ty9VKbQ#jnS~=j!WIhWD(WBj3YSlTi1I(V1Ppbx|ai
zh3Vnp(DF5Ai%Fj_t;Djzg4yKak~woKQj3tx>$*f*-l!6&@o?n53WLM5o;-j;>pn=Y
zUaIh*M#j(M5RaH1n*a0Cn8>lepd?`+^K?nS$h5X*y%+5QZt*z$9)hhWF*VHNr^=4w
zg^%2HQ6HrdGuiUjqu%Zi?HRkj?B(uzCGqq13DzEHE~C53=8v*eJo;=a!LKCzSAFm|
zz@Bqo?B!&8@Hvf*p|I8*tM2@`o9KX+^|JD!ypAzOtL97oPBQOY7GX~`kyviMN2FtX
zUHZIP`Be>fQx9n$qp|aF{kBAYy{_U#X@xVH;bfkgf!UFePc_HHumm$Ar2!}q9sEIX
z;hC>{{!?qY$Rg#^KayHPJ%%93*E7)1P8P{D<c{T%^RL@oC+pP9{}fZkJYVT!mAeq@
zn~?et(k*k9h1lFnNlZ3Oeuf&~B==KO1S|5q%akhDiUQNpj$80FL9ZR+8<A=AodWGO
zuSXZ8+YBWOC06b}_34_l4GU|el9M38q)!KzdIb1Pkr>mBG9Bgzv8sQ~E()9YoxgjY
zTW2FmU3u`R^9@a6r2cXeZK%pexhH1g#`;<#WNEywqSLNL-G8>;F6v=g>dPiwL`byD
zXzE*;c=?+T$Ld&>I#GlVuL=!)n?ieP)oRFfUmFw8<;l6Y`ttoX`|-Tni@7CH9&}wc
zn0Y%3{F#DHzfT*Sz>xr{c&{I_^EFl_eYMt0u{&P|qmVPqS(nY84`pxdC<(ldA85pd
z`Brk4C{LU++%`ljU?m#hm1a>RakIQxqs9ffTsk`DmY;vG1laf>K@P|>9pmbz!ho=Q
zCT7p!ZB|M@#>dk<@e5W2ZYC_S;3<4-`1u5h754fTyG6-xE;&&?+H(bP)M4M3InNuB
zB7iV|`yQ}WF%H9&2*u1iuWqs!%VoR%<NUCu`;H9m{V1NdxX~nf#kND~dUO6*ebgQ@
z7>jC=KKfcb;CLvQ3+~*?FE5%*s3f$|-RdAi^g&<f=%Q18r)jCtn5th1Bb*#$a0WQr
z+IPy(h)tEZncnb7bcDHE#&*mFuo`WC`iZ@^&TsMcX`>lunLt!zT60@c`U=Gtr?Xo}
zem?$a7Kj=c7Jv=<BHqVa-TiPPQCHWDxLhHvo*{j8%~+a?^OPZF(36O(pmTvM;oQ!Z
z8DS$0WrfwG=H*%2+Xp&l?)7dCpl6liEcNIF`xy7JsK=>B-m`zoI!K$wTBl*sQeA55
zoLp5O^}ee<Egy#%><g_BdOd}SNm)g{_tS{JPjT7MauDx4D<9x=-r%Biw<ck**OGI6
z;Div;;Sg32;xq*pBeqfH%VPDYMr4h_{qj5ULf-lDR1bmocF@Ndlk78zy!6~(eMD*R
zrdQU!F1poi>pXYB(e{>=grPBr#~*C%$I7wO_)0d_)D?gHUXQ0L>H$HrKt<9-#gRWX
z6;}0Wp-97{h$0yGw(j$48fbxk`TXNEC$~=W;%PBIUtKs>`xSxZhcx-(Z`>!!W;w_Q
z|CKiJ0nDx$jRqb-I)GYC-(PGi!M$$3(CpwoQ$_6^$fT=!cUlxE)EEAEujODCKS}|n
z*TXG*_7||x8e1=GBIN~lpmK!Iwwo+h#&2f8r$>wphK-MVwW2fq;V{zEh*{0O-pmMm
z6yNy+u0_7z{a<&UxdWlP9YZKRxWqxO*BkI9$w!d9m*HzayVWOXQPX<olSR8JDu(hg
z<vo(Y4rJ38RiB=~mFc<{1b~hRQeB?jojbD2Czj!6n=Na><?B6u!NlffwQn=W`r{!V
znyc#x1!=0!5-Wh~&}sQw&=j%F!q2g9VR^r*@|C>Qxf-d~e?h;}MYTfrXmw<GbhR&c
zqzsv!%07?l+Z(gN{mgFPx^Ted*i+-;<{k2Z_4{7KNd3Z(QSBN-H3~tyL}4P@pHSd%
z!aV<w4(X9zrworc=()nQNUu=&j!?BY_$z#l6|agY*R<-ox!i98WC0KpCoHTlZR<!W
zx$-?lDZezA?)>xtA(C5sMv#YP(?`EfRKVxm3$lsIKhMw5+;_2jwGSHx%4ux%-V!ze
zc$ZNf5eF{AN|fp~nU{L^44}+$mN^gsw~B6My+*1wetGYx*^BR-;nM6{+1AWpAXTp~
z`o}bCNz|8evN&BEVk?o{;|z<UD~bETJmqdY;e!)KHDe-=vIsoS-JOToZ#wAt6X>Oi
zk5rep5vL5vAS3_sq42(ezs~M{&VhUQZksPe>%w<k1l|5|>o{x!XHh|UZrf5xmEWXQ
zxFxT?jIz39!o&9AKqtEuMnk&X!LdbLY9n!?SHQihDXO<l8B*nZj<g0t8<L7vwlk8j
z%^YJW6!(wt%+1n(U(+qDowS~1aeE`Pk`jR-Mj*?QjjZc)msvVd;0%_d$!_DLo7KoF
zaW0_+MBaHa_o~KF=~P%3xd!=JG(4bRSjxVd8^oBV>M^W?Ku~a<KvoeG$ByAPF&A-8
zCfCec3fh76-J^nMY7z9u{yJs&isRlDg)bMEO&;H^c9q4L_ing|kwR)z4ULV{W)-mj
z9qmC~orKvCl!SGB5meS?KC!6tV@?GfOT717Jh9n-)p=q^myzfzm5JGAMVbaAJ@d!g
z`3>3ww>-x?SH19e6hI+C5><!Sz@|oTckAkfCqrVZOC(?=@7>Hyv_CCMT#cZMf^1}G
znz9EdmUs6%En^pjM%m6e4}_Xr&GHyK`nJ}+n<9R>ds^CWT}K_M*j6HCU<ibbb_^M|
zGJ2<`xE9jU=t8E}e0~9x&!6xvm2H`w9MKGx?N!BC(wYM3QQ`2ci8Qna(JYuPFPOWu
zMZ}}|IAt=ZQMUt;yZybhqkPZ_jKIGfP|3{6y|Kyqa_1+^EaQ15ebFmH5m{%w@E56i
z{klWYtx~l8AX#dK%_X!EGvXMqefb~dZ%JEYUCd>1-($ZC|B!F;6x<JFAJ?uW^>UBh
z5Ll&eZqy>4^lKV_wFN|l^x8&Qw`FbKPN2!@iOdnRK6`J!47V(*IUeFK3R0}GceIpJ
zw;s1F<QIbaT(9*@xNiL0d|3U0%XlO`)a4*bvZiV7mQ*SlDjt=nrnHdv)kk^z(Z0=T
zjVDqdNOYJl$)QNLU?1nxp|XtG1ISYP>`N35BKajRs59Pu1c!GzJ?LWeqVq7pztJT1
z-yUUAWRMpa-#d$?>5!#Xqo05vFy%rLxe~E*_L^;t0u~Isg{#u7Ys`gLaSS3T;bZMa
zqiQz$qoslH!kqUU*<TqQa3Lic`(e9N5esr1(a~94yOudMAr8SzMHD&1*MuY3BUYJ!
z<^0JT%#zn{rZ(xyScj=71n;l4M=|S)cUrVgVgF-P{HqE6$36Y;0`>9ItbPevAo!G_
zQ)LbVd4ylCNW>|s23&MQvW5GXw?@I;mJ^n=o5qh?xBeCscM<{lDGzH8)6VGY8I-7$
zeq=`!w?954unB`KFE8I$B1u+obPE?kRaIrZ;&V&9V_w|3y}*ps)K{U$0RmsCQR%g7
zD%<EF7E8;1_%}{$ke^Go;md$(tE&|tC4UxYKiJ1I0PfQ@Yhf^3zbX{1a(5kU+DoYF
z4+YUoHFdN&RC|fv_g#?ZF?i!-vi3vcu)g6vTIs96(Lc3}<qk~o@V=2K0pY+LX#Df(
zXgMGJ<F%~hQa;d%OyT}m<vAYO&73!dw>@EIi<Lzz<8GwLn%nD#Y(gm8y3l^Mhlgfc
z?OP$3&l2Ap!z{3%83TENTvJ)<10lAI=Tf!JJcH4Yeq@a-VG{J+_F+I4UF4PG`z|vf
z4z(!jtG$!t8*n1!ylAKD9ghKKtbYCFsoO7$>uN|(AD6qCT)>{vsefegtK=<JgmQz+
zZpDlrAHb;>b;k7rGnK=ud`dGN`u)+Y*x4fA8Ma0+z*8}qDmQfr>qWuNjHW+o^Lj4J
z=Cyi}XPl(NDqwmG(y@|?+qg0nWfAN|IAvJc9<>z?Mj)5LB<QyGtJTdQ{w)6ba0O4E
z8b}^6#p-T<n9byL5Ko(0{7tynH_1T2uPT$?FSk-#Dz&awhY_dBYQn4Hl9lVxT%1id
zlhGR*t_CGm*df09?<HFL!!25ecrplaG{jT~39&H&rX|0>$hmzTvXI1LEg{{*YuM%x
z=j&!6BlOiSQs;*rB;g$AINp{YiT{=L<Az(k!r*et#7u^3TD#Ml<IjP;tdKo|q9Xk<
zWPZ&@>zoFDi#I<myT^gcKnUaBFWozo^!-y<?G+qIt|_VcsXA;fiu?Rcs2{7t4^#f3
z_fM3LG)x$;DkQb+84}X?kkedfo`}H6l%Q8D+}%r25$Zt*>n430i|!tMK;GIPjEi>k
zg%=-XZm=KcPT>}JSt<|p-1i13iiW-p$V=g^IRDXlkMmB<-_hno?Zo!gUFqp0j^x6&
zRSIRPz0OHg^i|B;hr^1}*EBF%O!PU%JjL~%oQYiFJS8HZvrRZO7}<+%J*uYE=T>kC
z79#_eZC+4)lNxOORscyGlpetN#yMBv?_Y?3uCLdUZKQ+@+U~#tt!fP!7{B~F^M@mS
zU{y}T9nc^r>kO!;-i8R8CJn5TCvRa|Kr#sxDTQS{jy@?D;S$vxd%p6n!U;HBwCLoe
zj&`b{mbb5zmSSqnL*cJVTB1UkLYbn<mrFf75PcHXC}0f~@A*LnCYGZPdpxAh!G7hO
zy8b&j1FzM6Qp$-TH*vM)pesQ1&0_W8vjwN2zFb1{=(^$e?tpwCW4Y4=ukY)jyTwrL
zFCWdn*J`%G-Zkk<nLH}>K_bE@XMMw_Jh?weTQy$;%c{jkx86K?**3p7_QacsXicq{
zXpWp9$cH4A^P{LXgllt8#Ma-GKJ*We_;6+nbcT>ngkijsc)$!SLn0}jxK<#b_;VK!
zSA}?ZW9$6vulaTU><;_N`qURi-pNh=913~YYmKD6guFH0iRZjiUMXw3GSzyiu2ws7
zx5(J|Ix}31;r0{O%k>u<JWUTf=fhB*$XF{+u#{4DpCD(DP|P<))U8CPH~+3r=5h1z
zz5k=N!~fz1>VNqDf43y~&-tpxhvB1L@MG(p$pqCY@CmE!_Mu1>#xa<Cs#n|&vLGv>
zL87rpKcEHYhg{%FNg-smXF-~FX(<y1H?W<N8JO+gO7A7vZofoW78gtN<@1Z=Revv5
zZLhm2lzYvlW`zF3Q+HSKZrh~|mYHRFEBCa%h-;SX%8ggOV=!}e`<nY&(LS^Gcixa#
zp+ylmi_}5a-B^*rDw~6T751fyni7|tK~ye{9@~~mvtEp~W)@$)i|;f*cqZhP%iE7S
z+)G8fBf<^(f2lCV3S>ID7cAiyF!?3wy?J&?k)T4I$ZKZ1mWb6S!5d(~<CSot4GB05
zG*MbdZlb<)-NQF9A`<8U0TJlj7iUIZp=Uzy&}a?O;uAXpEU9gqxB~d2$$_;dk2gow
zHiA~8pDt#fZ0%vY0qCY;a*B1r49R2vZgwZo>hnP{{lv1FgTXE=ba=)W_UL!Ls*7#A
zljgDFUWVWf_nVA=hH87%3h_KAm|-R*ImM8(@n=&^Up?;m7x>%kX!(jMKt*~vl?~OU
zvX6=s@U#p)jFj|*g}OJxEq!^w++OuUP3s;aP<KN?&dlx}pwtU{Q^T9&qy`m556DW)
z4x09UZ>#>`a`QIq+a@vjFqh@&Uq5-P^2J}zCd^{K7UdTL{vjOW&FjRx5-ilPaWGdQ
z$yrTNp6Q0I@$fkxto-CV1env?M&bKIueV#EI~e;vkiw!YsnMXVNYTSj&BqhU%M_+$
zPA&NeH~c+X_(g6*jUT;0zIIk0;P!aXJ%c8Gu@bd>bq#-TyI#sEgEY7k;=8BU)zXI#
z;w3lwrsc{sWKY*AhS-lRBQ-24<YQuU!#s08P5IU0!8Xg!Op@-p{}a|hu`1~goeonT
z$Jg}VP3hxeDNv{?E~#S=b20NzOdllRYiuxEiQLXIA@30r(-Tu&tX?S}ks6Qn9i9NP
zcSRlY)m?cd+F^(n`vAJU+3*`UbtL-cXcL!=TQ}AIgKhg`9b##Ldh#k?2$}{VR*F4J
zgNgOGkKU*+TDSg`TAm}&J<=r_!VYp3k~^C85{`KxaG_`9wRhQ$UcW&K-%Spt^l%y^
z5Jy-%N4$5)U8m*9@=u{3%J=~4B{DwUz%RPfC-q|PtvdJ6=aEAP4`6cwvJ$1^Jm+<2
z>kh>D-{U)j3^-AUWB>Sjq3Dg7*zN?zk@dCykp9Tip9YVIjGxSfbccil0`5Sk#yMcP
z>*DZt98c!xQ#bwlG6sETz-7P50XX7HBkrD%t1zAA3dKx}W#GO#z46f!%FGID9=`p5
z<;?icOaH6+!2jr%@<O+3tl6>YO+^IQf4m*{!11}@-OGzpiV%6u7lwmWqlFfwOuALb
z$RXIB`DDs=R5FMH3v2nkrZ6+nCV;%sU1p2O#*){lo+~iN$tk9(An3u^LU{x$snZ}Q
zQcKfX=7w~>#$^T1uD=z!3$Mf$4w6cD3(rM=yY}(%ab#W503X*SV{5<1Gx~)cnn$X9
z9KcYr<b$;+$4t$$hE;%qk-AQYhuesa*ZQuvE(zrQd2MGDM=u!+J<wNG@QuQbv6Oqv
zEM4n<8)rPay&!LFKr~gDfx{EsV&OTpXMf&h7kCbnrh7}qf>GB61nw{wL9@l-MU`jY
rDOb?Fr5kIq7_-DTI@b*JvaFhkW&aO4IsI4l=KuH%{~sPePAC5tYq!&3

literal 0
HcmV?d00001

diff --git a/plugin/percona-pam-for-mysql/doc/source/_static/percona_favicon.ico b/plugin/percona-pam-for-mysql/doc/source/_static/percona_favicon.ico
new file mode 100644
index 0000000000000000000000000000000000000000..f426064d6f505e77365a8980046b58ae465ea6b0
GIT binary patch
literal 894
zcma)*y-QnR6o=2f1!I;Hp`@aNT`C2!h#-ZEi~0xX;8Hu38qlQ<ii;p9IEZvnhb|pd
z5C;dpQ2H?>*ox_(f?^{iiV^YKL1IHplY4#M`^rTkf;YeS@;mQ&&U<do<%$^md_Lh`
zC~Z$f{37y-#g@Easr^S@W0S|_)vNx}FsiIw@95cmsBrP;xoum`pQ2(0je_4uyi0gb
z;jjBu^$i<ME!(zjw{|LCk&bQ)%^+E~k!HASp4!2oeT31x>SYFXmp^NlI@J9BQIe;k
z(7CLs*^{Tm%esmOqlG%$X{~wSukq}gkcBW*F#!N|rgw=JOye#;bCk`Wvs@9{nXJn&
zG3KUg_4yxH{sTW-un~rkj_S`kEr5%v){K&{_`^(+RM%$4oWA8TgglZOvOf$4T=hO?
zRIH<yjge&PI-1D7{;o<8hVWl9O-eI0fmr{<saf||3(si>$;{_SdMJ{{5as}k=y@QX
z_io42yoUznE;!H`sf8ibDehqUl@0$$7;OjM_CtiJ=s)`~et|G|_rHV^?kn#8c4_vU
zdHc?_@HruX3u`m6bzL@kl|PazHc92cZb*umznxDZ%zZLdBC_WZ3Gv<Z8q}%vz@_qP
JDOS~}+8cb5Xo~;<

literal 0
HcmV?d00001

diff --git a/plugin/percona-pam-for-mysql/doc/source/conf.py b/plugin/percona-pam-for-mysql/doc/source/conf.py
new file mode 100644
index 000000000000..31287b000008
--- /dev/null
+++ b/plugin/percona-pam-for-mysql/doc/source/conf.py
@@ -0,0 +1,245 @@
+# -*- coding: utf-8 -*-
+#
+# Percona PAM authentication plugin documentation build configuration file, created by
+# sphinx-quickstart on Mon Jun 27 22:27:15 2011.
+#
+# This file is execfile()d with the current directory set to its containing dir.
+#
+# Note that not all possible configuration values are present in this
+# autogenerated file.
+#
+# All configuration values have a default; values that are commented out
+# serve to show the default.
+
+import sys, os
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+#sys.path.insert(0, os.path.abspath('.'))
+
+# -- General configuration -----------------------------------------------------
+
+# If your documentation needs a minimal Sphinx version, state it here.
+#needs_sphinx = '1.0'
+
+# Add any Sphinx extension module names here, as strings. They can be extensions
+# coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
+
+extensions = ['sphinx.ext.intersphinx', 'sphinx.ext.todo', 
+              'sphinx.ext.coverage', 'sphinx.ext.ifconfig', 
+              'sphinx.ext.extlinks']
+
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ['_templates']
+
+# The suffix of source filenames.
+source_suffix = '.rst'
+
+# The encoding of source files.
+#source_encoding = 'utf-8-sig'
+
+# The master toctree document.
+master_doc = 'index'
+
+# General information about the project.
+project = u'Percona PAM authentication plugin for MySQL'
+copyright = u'2012, Percona Inc'
+
+# The version info for the project you're documenting, acts as replacement for
+# |version| and |release|, also used in various other places throughout the
+# built documents.
+#
+# The short X.Y version.
+version = '0.1'
+# The full version, including alpha/beta/rc tags.
+release = '0.1'
+
+# The language for content autogenerated by Sphinx. Refer to documentation
+# for a list of supported languages.
+#language = None
+
+# There are two options for replacing |today|: either, you set today to some
+# non-false value, then it is used:
+#today = ''
+# Else, today_fmt is used as the format for a strftime call.
+#today_fmt = '%B %d, %Y'
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+exclude_patterns = []
+
+# The reST default role (used for this markup: `text`) to use for all documents.
+#default_role = None
+
+# If true, '()' will be appended to :func: etc. cross-reference text.
+#add_function_parentheses = True
+
+# If true, the current module name will be prepended to all description
+# unit titles (such as .. function::).
+#add_module_names = True
+
+# If true, sectionauthor and moduleauthor directives will be shown in the
+# output. They are ignored by default.
+#show_authors = False
+
+# The name of the Pygments (syntax highlighting) style to use.
+pygments_style = 'sphinx'
+
+
+rst_prolog = '''
+.. |check|  replace:: ``|[[---CHECK---]]|``
+
+.. |xtrabackup|  replace:: :program:`xtrabackup`
+
+.. |innobackupex|  replace:: :program:`innobackupex`
+
+.. |XtraBackup|  replace:: *XtraBackup*
+
+.. |Percona Server|  replace:: *Percona Server*
+
+.. |Percona|  replace:: *Percona*
+
+.. |MySQL|  replace:: *MySQL*
+
+.. |Drizzle|  replace:: *Drizzle*
+
+.. |MariaDB|  replace:: *MariaDB*
+
+
+'''
+
+extlinks = {'bug': ('https://bugs.launchpad.net/percona-pam-for-mysql/+bug/%s',
+                      '#')}
+
+# A list of ignored prefixes for module index sorting.
+#modindex_common_prefix = []
+
+
+# -- Options for HTML output ---------------------------------------------------
+
+# The theme to use for HTML and HTML Help pages.  See the documentation for
+# a list of builtin themes.
+html_theme = 'percona-theme'
+
+# Theme options are theme-specific and customize the look and feel of a theme
+# further.  For a list of options available for each theme, see the
+# documentation.
+#html_theme_options = {}
+
+# Add any paths that contain custom themes here, relative to this directory.
+html_theme_path = ['.', './percona-theme']
+
+# The name for this set of Sphinx documents.  If None, it defaults to
+# "<project> v<release> documentation".
+html_title = 'Percona PAM authenticatino plugin for MySQL Documentation'
+
+# A shorter title for the navigation bar.  Default is the same as html_title.
+html_short_title = 'PAM Plugin Docs'
+
+# The name of an image file (relative to this directory) to place at the top
+# of the sidebar.
+html_logo = 'percona-pam-plugin-logo.png'
+
+# The name of an image file (within the static path) to use as favicon of the
+# docs.  This file should be a Windows icon file (.ico) being 16x16 or 32x32
+# pixels large.
+html_favicon = 'percona_favicon.ico'
+
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named "default.css" will overwrite the builtin "default.css".
+html_static_path = ['_static']
+
+# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
+# using the given strftime format.
+#html_last_updated_fmt = '%b %d, %Y'
+
+# If true, SmartyPants will be used to convert quotes and dashes to
+# typographically correct entities.
+#html_use_smartypants = True
+
+# Custom sidebar templates, maps document names to template names.
+#html_sidebars = {}
+
+# Additional templates that should be rendered to pages, maps page names to
+# template names.
+#html_additional_pages = {}
+
+# If false, no module index is generated.
+#html_domain_indices = True
+
+# If false, no index is generated.
+#html_use_index = True
+
+# If true, the index is split into individual pages for each letter.
+#html_split_index = False
+
+# If true, links to the reST sources are added to the pages.
+#html_show_sourcelink = True
+
+# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
+#html_show_sphinx = True
+
+# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
+#html_show_copyright = True
+
+# If true, an OpenSearch description file will be output, and all pages will
+# contain a <link> tag referring to it.  The value of this option must be the
+# base URL from which the finished HTML is served.
+#html_use_opensearch = ''
+
+# This is the file name suffix for HTML files (e.g. ".xhtml").
+#html_file_suffix = None
+
+# Output file base name for HTML help builder.
+htmlhelp_basename = 'PerconaPAMForMySQL'
+
+
+# -- Options for LaTeX output --------------------------------------------------
+
+# The paper size ('letter' or 'a4').
+#latex_paper_size = 'letter'
+
+# The font size ('10pt', '11pt' or '12pt').
+#latex_font_size = '10pt'
+
+# Grouping the document tree into LaTeX files. List of tuples
+# (source start file, target name, title, author, documentclass [howto/manual]).
+latex_documents = [
+  ('index', 'PerconaPAMForMySQL.tex', u'Percona PAM Authentication Plugin for MySQL Documentation',
+   u'Percona Inc', 'manual'),
+]
+
+# The name of an image file (relative to this directory) to place at the top of
+# the title page.
+#latex_logo = None
+
+# For "manual" documents, if this is true, then toplevel headings are parts,
+# not chapters.
+#latex_use_parts = False
+
+# If true, show page references after internal links.
+#latex_show_pagerefs = False
+
+# If true, show URL addresses after external links.
+#latex_show_urls = False
+
+# Additional stuff for the LaTeX preamble.
+#latex_preamble = ''
+
+# Documents to append as an appendix to all manuals.
+#latex_appendices = []
+
+# If false, no module index is generated.
+#latex_domain_indices = True
+
+
+# -- Options for manual page output --------------------------------------------
+
+# One entry per manual page. List of tuples
+# (source start file, name, description, authors, manual section).
+man_pages = [
+#    ('index', 'perconapamplugin', u'Percona PAM Authentication Plugin for MySQL Documentation',
+#     [u'Percona Inc'], 1)
+]
diff --git a/plugin/percona-pam-for-mysql/doc/source/faq.rst b/plugin/percona-pam-for-mysql/doc/source/faq.rst
new file mode 100644
index 000000000000..0188c77d35a2
--- /dev/null
+++ b/plugin/percona-pam-for-mysql/doc/source/faq.rst
@@ -0,0 +1,51 @@
+============================
+ Frequently Asked Questions
+============================
+
+Is there a Windows version?
+===========================
+
+No, Windows does not support PAM, so there will not be a Windows version.
+
+Can I use it with MySQL?
+========================
+
+Yes.
+
+Can I use it with Percona Server?
+=================================
+
+Yes.
+
+
+Is it Free and Open Source Software?
+====================================
+
+Yes.
+
+
+Can I use the PAM plugin to authenticate against /etc/shadow?
+=============================================================
+
+Yes, you need to add the mysql user to the shadow group. Because PAM libraries, such as 'pam_unix.so', need to access /etc/shadow.
+
+For example this is how you can do it in *Ubuntu*: ::
+
+   root@lucid64:/var/lib/mysql# getent group shadow
+   shadow:x:42:mysql
+
+   root@lucid64:/var/lib/mysql# ls -alhs /etc/shadow
+   4.0K -rw-r----- 1 root shadow 912 Dec 21 10:39 /etc/shadow
+
+After you restart mysqld for changes to take effect, pam_unix authentication will work.
+
+The other option is to run mysqld as root. This should be used for testing only or as a last resort method.
+
+
+I'm getting the: "ERROR 2059 (HY000): Authentication plugin 'auth_pam' cannot be loaded"
+========================================================================================
+
+This means that the default client :option:`plugin-dir` setting doesn't work or it isn't set up properly. You'll need to add the location of the plugin folder to your client configuration: :: 
+  
+  [client]
+  plugin_dir='/usr/lib/mysql/plugin'
diff --git a/plugin/percona-pam-for-mysql/doc/source/glossary.rst b/plugin/percona-pam-for-mysql/doc/source/glossary.rst
new file mode 100644
index 000000000000..70834a733210
--- /dev/null
+++ b/plugin/percona-pam-for-mysql/doc/source/glossary.rst
@@ -0,0 +1,8 @@
+==========
+ Glossary
+==========
+
+.. glossary::
+
+   PAM
+     Pluggable Authentication Module - allows integrating multiple authentication mechanisms which can be written independently of the underlying authentication scheme that's being used in the application.
diff --git a/plugin/percona-pam-for-mysql/doc/source/index.rst b/plugin/percona-pam-for-mysql/doc/source/index.rst
new file mode 100644
index 000000000000..b249b9fceff4
--- /dev/null
+++ b/plugin/percona-pam-for-mysql/doc/source/index.rst
@@ -0,0 +1,51 @@
+============================================================
+ Percona PAM authentication plugin For MySQL - Documentation
+============================================================
+
+Percona PAM authentication plugin for MySQL.
+
+Introduction
+============
+
+.. toctree::
+   :maxdepth: 1
+   :glob:
+
+   intro
+
+Installation
+============
+
+.. toctree::
+   :maxdepth: 2
+   :glob:
+
+   installation
+
+User's Manual
+=============
+
+.. toctree::
+   :maxdepth: 2
+   :glob:
+
+   manual
+
+Miscellaneous
+=============
+
+.. toctree::
+   :maxdepth: 1
+   :glob:
+
+   faq
+   release-notes
+   glossary
+
+Indices and tables
+==================
+
+* :ref:`genindex`
+
+* :ref:`search`
+
diff --git a/plugin/percona-pam-for-mysql/doc/source/installation.rst b/plugin/percona-pam-for-mysql/doc/source/installation.rst
new file mode 100644
index 000000000000..30aec3add935
--- /dev/null
+++ b/plugin/percona-pam-for-mysql/doc/source/installation.rst
@@ -0,0 +1,50 @@
+=======================================================
+ Installing Percona PAM Authentication Plugin for MySQL
+=======================================================
+
+.. toctree::
+   :hidden:
+
+Compiling from Source
+=====================
+
+You will need both the PAM headers and the MySQL 5.5 headers and corresponding `mysql_config` binary available on your system.
+
+If you are not using one of the pre-built binary packages, you will need to compile the plugin from source. You can either use a source tarball or the source repository.
+
+For getting a copy of the latest development bzr tree: ::
+
+  $ bzr branch lp:percona-pam-for-mysql
+
+If you are building from bzr, you will need to generate the configure script: ::
+
+  $ ./bootstrap
+
+You do not need to run `bootstrap` if you are using a source tarball.
+
+You then need to build the plugin: ::
+
+  $ ./configure
+  $ make
+
+To install, you can simply run (as root or using sudo or similar): ::
+
+  $ make install
+
+Installing server-side plugin
+=============================
+
+The shared library that holds the plugin, auth_pam.so, needs to be stored in the plugindir directory of mysql. You can get this value via the command: ::
+
+  $ mysql_config --plugindir
+
+Make sure that after installed, the library has got the appropiate permissions (file execution is required).
+
+Most packages should do this for you, so this is likely only required with the binary tarballs.
+
+In order to load the plugin into the working server, issue the following command: ::
+
+ mysql> INSTALL PLUGIN auth_pam SONAME 'auth_pam.so';
+
+
+You can now create a PAM configuration for the MySQL server and create users that are authenticated by PAM.
diff --git a/plugin/percona-pam-for-mysql/doc/source/intro.rst b/plugin/percona-pam-for-mysql/doc/source/intro.rst
new file mode 100644
index 000000000000..600e2f57a6a8
--- /dev/null
+++ b/plugin/percona-pam-for-mysql/doc/source/intro.rst
@@ -0,0 +1,23 @@
+==================================================
+ About Percona PAM Authentication Plugin for MySQL
+==================================================
+
+Percona PAM Authentication Plugin is a free and Open Source implementation of the MySQL's authentication plugin. This plugin acts as a mediator between the MySQL server, the MySQL client, and the PAM stack. The server plugin requests authentication from the PAM stack, forwards any requests and messages from the PAM stack over the wire to the client (in cleartext) and reads back any replies for the PAM stack.
+
+ PAM plugin uses dialog as its client side plugin. Dialog plugin can be loaded to any client application that uses libmysqlclient library (or compatible client library such as libperconaserverclient).
+
+Here are some of the benefits that Percona dialog plugin offers over the default one:
+
+  * It correctly recognizes whether PAM wants input to be echoed or not, while the default one always echoes the input on the user's console.
+  * It can use the password which is passed to |MySQL| client via "-p" parameter.
+  * Dialog client `installation bug <http://bugs.mysql.com/bug.php?id=60745>`_ has been fixed.
+  * This plugin works on |MySQL| and |Percona Server|.
+
+Percona offers two versions of this plugin:  
+
+  * Full PAM plugin called *auth_pam*. This plugin uses *dialog.so*. It fully supports the PAM protocol with arbitrary communication between client and server.
+  * Oracle-compatible PAM called *auth_pam_compat*. This plugin uses *mysql_clear_password* which is a part of Oracle MySQL client. It also has some limitations, such as, it supports only one password input. You must use "-p" option in order to pass the password to auth_pam_compat.
+
+These two versions of plugins are physically different. To choose which one you want used, you must use *IDENTIFIED WITH 'auth_pam'* for auth_pam, and *IDENTIFIED WITH 'auth_pam_compat'* for auth_pam_compat.
+
+
diff --git a/plugin/percona-pam-for-mysql/doc/source/manual.rst b/plugin/percona-pam-for-mysql/doc/source/manual.rst
new file mode 100644
index 000000000000..f96e0883f2d6
--- /dev/null
+++ b/plugin/percona-pam-for-mysql/doc/source/manual.rst
@@ -0,0 +1,45 @@
+.. _user-manual:
+
+==========================================================
+ *Percona PAM authentication plugin for MySQL* User Manual
+==========================================================
+
+.. toctree::
+   :maxdepth: 1
+   :hidden:
+
+Configuring PAM for MySQL
+=========================
+
+You will need to configure PAM on your system for how it should authenticate for MySQL. A simple setup can be to use the standard UNIX authentication method.
+
+*NOTE:* Using pam_unix means the MySQL Server needs to read the `/etc/shadow` file, which usually means it has to be run as `root` - usually not a recommended configuration.
+
+A sample `/etc/pam.d/mysqld` file: ::
+
+  auth       required     pam_unix.so
+  account    required     pam_unix.so
+
+For added information in the system log, you can expand it to be: ::
+
+  auth       required     pam_warn.so
+  auth       required     pam_unix.so audit
+  account    required     pam_unix.so audit
+
+
+Creating A User
+===============
+
+You will need to execute `CREATE USER` with specifying the PAM plugin. For example: ::
+
+  CREATE USER 'username'@'host' IDENTIFIED WITH auth_pam;
+
+This creates a user `username` that can connect from `host` and will be authenticated using the PAM plugin. If you are using the `pam_unix` method in PAM (or similar) you will need to have an account for `username` existing on the system.
+
+Supplementary groups support
+============================
+
+|Percona Server| has implemented PAM plugin support for supplementary groups. Supplementary or secondary groups are extra groups a specific user is member of. For example user ``joe`` might be a member of groups: ``joe`` (his primary group) and secondary groups ``developers`` and ``dba``. A complete list of groups and users belonging to them can be checked with ``cat /etc/group`` command.
+
+This feature enables using secondary groups in the mapping part of the authentication string, like "``mysql, developers=joe, dba=mark``". Previously only primary groups could have been specified there. If user is a member of both ``developers`` and ``dba``, PAM plugin will map it to the ``joe`` because ``developers`` matches first.
+
diff --git a/plugin/percona-pam-for-mysql/doc/source/percona-pam-plugin-logo.png b/plugin/percona-pam-for-mysql/doc/source/percona-pam-plugin-logo.png
new file mode 100644
index 0000000000000000000000000000000000000000..32afd1cab4faa1ff52ee702ce965af2b95ba4c28
GIT binary patch
literal 12447
zcmaKTWl$VE7w+Qj#kD|jcbB)g7I!P|?oNxl6?b=cEm~}`;;^{8F1maB&Ha7vWKK?U
z=49q1KaxBrPolr6$YP+9paK8@40$;z^?&;HpJ*W?{;N&PU;d|H+|_0O1Jnb_PXBcf
zzbnd00igdYg?$yN|12mja(eCn02|H!1jeUK-0Pna$wOXQ8fgO!2alR@PT=Pd06+zh
zmy*=<S-;Hl_Awk?irii^vRz{B+7ELa%rwPQ;>8|(z=d_SLE&6N=}Vo<sVa&9iP=@6
zU?XF~{Krt9IS1Fy$k+ZG!_Z>ltY!(6b)6^(2CXeA=udEAHy`^x%`a{BxNp3xh+9*s
z`c7)(-=$TE95VjDn+c`;iG*6BZM~ZI)f{O>%1ZVK`W+;ARf)eewXkx#|4a>ZiyWT%
zV?Jctzs`Ycg?c_BW7KTgmm`eQ_=N3CWJ-96!sks}VP5Rfi7;%^rE<V+NBD7mMx#?8
zV!w}OzmRZQLhik*U++0H8u|V9g$@1vXX8SL%Gwbc@t>W3*T!)&l*ES+a}@HH!kG*@
zUpTk&q58ickGYh@d=le*2QD!W2-g4fym9~z?EVX61MqrA%2X-Rm%oJNSfVR<ykc`L
zQ*xS!XpSz!90w!iX7335&0H!4?dH-IDE4B4Gzcb!X&{>MErI;KQ-R<gGpcT<NSOqF
zE!Zxc5glWg8>31gEs^^EHpp9uzb^3B`ullsMP`tl5=LnKk8^-b2&W8l$&yH%kVju+
z&bFS54Z^voVL|Y|?`uKnpLL?v-Ow4B${x$XktKf3c6h3eFn)k9Ra<;>C9ifjb6!6d
z++>KPSsX&o2T=_^5zPP&D@@6O_c>|Zc7Cwjt-Z`S4B(y)JTvepau^CCEj=HIS=r{g
zAzoY-B6r+_`2)9MP*w#ZXk<!S7!!Dln?;wfm0jXT#!K4Aw!(fV;9%&Py)ad;!oSC4
z60-UsYnLhRD*>4~W^CwgKv~*q2ac6yTazfm$D@X1m{}t+`Se`J?f+EVwl*w8vI`{O
z1rcxOE0(l1e3r6GlDn|;s<zv@na+Mk|D$1Ce5?=;j)yCRw119Fc6g=5I3S7BhGA$4
z6Zwj30QP?i>?gUdz6d30Am{DRvum&@7_#ZhV~bk3^V?5)KcCg0I1yC;h{sP;&QkuU
zgRAFpjK|WC%)xS_j3byUXAQj-@u<c~wL_E0rh6RyY#q?EsWU6AzP1(UD6hm6eyg5o
zQL~kZG7aNjt3G)`jiD$G)tg^^|MV{~&+9M}3Q)q`*X`n~@=4*jSAp%Uqevj^(gp)6
z->cxLu!%ye8$6(nQe0+uTcvgI)2xub!KpJ@)wK<5UeyJYu>#bbvee?;7(h!HtT01!
zJpb_fUSdS;IKDxPXx~<g!(#g9<8|JLQxMYuBh~}Z;V$RR$g;P+MLx9?R>m<(vsQ7G
z^STH%W~1hv-B9A5ls}xRV?D&&#2R*84a#dq1YCR&-m{wY5+f;FaAs`tBaT(sfHfLW
z7~}fPJx^2;uRdx?>ip1=J$twKS=Dz*l=%-5<d>$<pRbG#9P2-HIlG;bmx{Un7(l8*
zHsGnizfXLC<o+8l1FpRn3TlB+#!Cszx%Ox7VthExe8S4-7>RTp#5gCr=Z92Lg&M0%
z<Fo=C-&aZX+HtA@^ABa^`^lcgkjx`p4Wi<cF}v&vXy_drrQBN|XGF1M0uASzo)T^T
zkr|fgrBei1sL|E>(_{!=Oo}oX=$D7^Rc5jMLNP9;eEbZ92xX771ikw*RoPet^Tnd$
z`&j?qOT!m22|c9kHds~(4gT#ZQ{QI60o=l-)N93%YRvvc3D`;`zY<d$fg5vEYg3x8
z0-2q!J0^pKgJ--%1IR=e7sw81=t=(1WIoEkmdYISe5_5ZfW8Q@*xwA!!5Ch$bEln?
zYxt8#ZwI;Cd2X#m<sTq!5;z6oc%Qb#FWiW|<s_)6io%)3>#&*A&)&##3#A=)$3?QZ
z4(r-%4*b2G5r3;2=9N7w!~XMFzy3;}&&A+4y`$<CEzbE=_Unh=4Os(h!qjf3I6%h>
zMlK{iG_l7Q!y0zQ^X|i92kJ(2ENzO~*otJe(?4heAGKx^yo0(HgeHKRxe@P<j#v+a
zd2iwx@zO=;l6}9m>n7?b7`Md)-o(;P?L5bQ=>g~lV~nklKeM{HvU3z%)m-6^&z7AY
z6)ncmMW{{s5C{q(mn0u4eYMAhzPJNKpbhFVM;%vTHX>;U#KvGHM(1XQz@7$AP-JVs
zlhwL!nz|<RG(c05tVB!Z572@Gw=Av#>)oQ`?!*6vY$JCfJ^uaU7=SUD$u_nq+8I$F
zwD0K}5Ap7qve>H0!42TOQ9}G9T1cSFxE_W!=@=?V9cnJfk$fKN9P%~K|Jx8x4MOfj
z+_os~Tl?i$AIrIv@Hu8%{qA)`(p&GlaMQfbw#d6RUHW_0d=Qg;_v95}E<C=Kj9D+A
zozo`nqT!Euit@JP*NWM~$Himv^xReseQl)Nw*fq3ZbVHpPQ}@+(C%Q6bhRJK#20s6
zpR*&L;5)>zdyXo;Dbr$vN}D2b`X#G@`>!sh9tL;vA$l8x4}ZIS!{u_fVF_Uu$=I%c
zoZdUd3E~Mzja{6$3)}?o*WZemCIv(QHehsOr8L~)XJfm!@h@rY+`3w>;Y^DGo$MUn
zrb!W$V8vV|21>{_a7IH%2Tv2=P1s1{QtmOa<;e&cUu)s~Xx4|dw&vV2CUm#)<Kfy<
z-h@#ZbQfXVwYTgWm`cuaWt56<aZ1vE+oYE(*u$;20Ay*KD=zue)R~W)@AiJ5SfG}L
z3~_yH^4PJX*W!aa$f^!JY8oTb6j6B;ttir<53`O+)5M`{BTo0HR9<UOjrvt_+*P67
zQ0h9yV^_YVc)lm-^Vl|7$<X2zwcR#BS~vc5lhqHeG}|2f1D*Gg%M9LVo`0~w-<O)#
zVl{Ca040duS2JUQ@IvZSU7zq}j<}OXx#WdwDEwr^XhOj7rR8|#twUzi6fU$ka`gM`
zN$0RW_^a|`;s%*Bw}Ko)xMqHE{*^{`j7IrpzYM9TyT<?4-RRG>!2#*gJDEJ9){=Bf
zJ1OUPH`H2BExr%a7sk}hj`OT6v_F&MQi>>Sgb|mL=qM<$q+FRU7AaGNY%YCTXg>AG
zCIPVluWXA0BRNecAJZJ#g{#&NPa?E3HDl!D5t38fsK4M#O)+h3nM`da>IU5I(h>y4
z#AIOH*`4b+Jh`es8goKZE&Y!%Loi)%U1A+(32(ed=B+25#Cxh_yrnck{4L)sc9vCW
zZT@Q~gryM{a3XIa|3G=kl>=WboDY@_QE{IJn!2y4#KeP)=s{WESKd|xrE{IK9{hLo
zj|FH<DM2&$FL+1Xw{0F7udp>-^<SGJif(dg{q6^xOD#4Q2k+~fy*eXwbDuj+)LvT*
z7JI4tKQIav-f*^0Dn2Ewp_SF9e*=%m(~7;L3C*+Yc#%09g>3R8tp6~~4aqMGs2H|+
zy)j|wIw7naLawY_VtU{7We-=;rQ7m`rk+60TNsEewk_vRl-F*WvQCZ=?+;JkwwixK
zm7$jG?q{}`b1TPh@^#<up9rfqvKE2Cm)B3&2mNRHb)`2JrfA1xG=3*l0|X5C6$FEU
zgTr|OC!hHKQ)i-hU>_NVI?m%02SslS&hGzeW1F{cAoYt;`Mdp7{gb0F*%yC9*0Cnk
zLC4leTVv^sVsE*C2l$DXhW#bB5g%A>DsA4FFwUMuJ}9gD5}Mp>xx1sw!m#Hh*TMU@
z99CU5#Mb3Bhi2yFI|z?bF#1=X$|P=b4(zREnbOWMwGQP9pND52+5CCqvKXoJ=Fww+
zhWRP(zxt1&X(#>1J~s3#o&Jb(XzmXV-jV7On(c`I3d7-BF_<9Q6@N4r1ti=pYq7)$
zZjM0*ht8Xgq>~_#6LV8;2OB;%rTTH+WkKP6kK)sJxl!ar@TPtYxKrq364#Tb-v@_z
zmaXvh4yQKAhpUdeV9dT&W_0pfxaBup8Cq?bYA50^1|REO2ow3|pALjb{{-#`Q90Y2
z{|TQ>sjexyeH`ax+VfeH2RHY41=7Z-@Ni%MVa*iw6)A7~@>h;}{@xwn>uvKj!~5>z
z3+2HQc|dSA+#T}@>>n(gB+^?-kySKv$e5Wvy|=3a84(@0;pZ*n&A{i1P+<BIc3ezn
zl`QJVGRa&#=ihhN2R>;7a`DEy13lEzO}x1}jM{#G?`n2pi79*j@2CMtIWnZ*^bror
z`7D=!@#!m9Qrr6lpT(>?8WFb;+<(RJ@$*qav>41e@@1hk4WkBqG0W_rmSa8zNcK*H
z3Fq<s3{}%OK+5*xPQyxtq3k8q`@>({mbF)|VE_2+OCrqZp4{1m#;W3qPeRK_B4)x%
z6<qel^3YH5IWyXo$AwJiSpKbwf`gkJn4u(m4$0QcHhIFyzy_E653PjK0f#ymBSz^%
z#+F3JwS9&CvoAA?4P~#zOetvFp>nQsBlAZEHHCetGln!LD3RJydu4w&g8(0@*)pZ2
z1qWT$A%Z!ys#8h#VCL^1D`j>Ir+@og2&GVI8?+?q@h5Fsoj2$=7|7Z`>))BQ<tW%o
z;E!gy|ADv54@550Y+Cjk4-q_&L7>Lj!;~0@Dfs?XQOqc7-=_z5rnuYlNwAA_<%BDN
zscGDMEaDEb(|hEQ5BiMxhx9buB7vo~&plxPyw^D^xY0GX{5BED#Hk1A{v`n+HCsmQ
zWZ3U9u!Lrk5o=;;f#rTTgdtsjsp|6MiDx%LY*LRquGwCP-Q=zm8+Kf)<Z;prQsp0r
zEQvTM)@u#CC;mtXCfmw(N#N8Q+{F3wyL9~|_<;A<OMr+dt2t01fc$UC8z;D!(*Ow?
zX_}$$B{5pUA_8{NR`#D`D8syrcy;=DPJgfu=Rv@S|2IQDBYI{vr?kg4enkMi7%^w=
z4z)4beOiS)#3!>wG?-QSH5B+n*e7tMbPQQOAG<$O%>=ZF-&C}@%w`BZy%-U18|@h?
zCgR$BH>$ea`^JDchcQ*zA0QwV3rD&JZ(F+XcmAG%=+0bUn^i`BA&y<SEtOE!jFXiT
z5+4%?EOR+nZe`2=VoHdT`)fibawqW<xX7XBL!RXsITaS4{byPvXZ~U$+j}1qOPR~6
zpDhT&(YI`kii%ni;JJ)bUASFn0vLZ7iq+)OOTd*?t$)D3Dc#RJv$??PaV4KX*BU?}
zEphsEdK;+{v^~D&v@;N^pKJYXeMU|yU8De+PqGR}pedu?-g!Rl1n_5Ra9fII6NR)X
zYujEzN1><<^p!DO=l;u*PCXVvS&HA8N5F3wPPO6>eyLMyID@tJh!k~Be42G@?5gZC
zS~1_O|IO(8_Pw6(BIHEQ3~=Y++%pO5_CwzHL3~W%eyjr$5kpv<TBmv8NBg)44U=z&
zUpe6}m6K--Kd()^ZN=yl1PZ0YyxX|Oz0hB63_w0ss+rnzb#rK<@@c1kYEZL^<H>KY
z{*dQDB1OAW7E<ZG*_eWQd+d`rQTQzB!<Krr&Is7&tDIHuih4%0|M^&+P!g8}9k2Dd
z7-a~qgUa$&uT#mYg5(-tj0VNj_*XK|nEAd{7sA((qsaM%MsY^iyiif&|CrAY)al2F
zQ^RI1exR3~znOF_#Ahu~K`OMk4~*8tlx{Firu#_8`%jVmSJPSGe5PaN<~={47V?${
zyMSB+4dSP93J4FkzKDn!Au|d6jLS?bb|;%z8Zl(kxZSq0wLhPYFn%elCSb?rK}sIE
z($B7mdO?NP_K8&g6`j=lDuzH{!=Aan7n|tI#(pU1Y<8dwt}_3DvT~dbHIQaM_si@}
zGjC_Pa?=YeByf8<^l6!nL{spF*+I(y7)C=#8d#IA6Q@n5{ryYbVim7r7wuZYlR=`K
znQdcX7_P8U2OW{i5%XW@es>`+cRn4bH{uu(V(tyHP?j8A7vH4SP*>Yo3PhjBk2%8R
zJ_4Upbz7=BDE;w{^ee6LpBR5Oi`6f|(j9FRx(kYI+H&)+`*V(BG`E-TWIdvrSUY7Y
z2KU3I7~~t*#@0igGHpM*0O6&P=>D<BUhV$ewx@&%sSOp=K3SE(pyl<lRhRv21@}gI
zN!i%;^cO*G2`93gesHd98(4|NZaw9c(}De=khEkAUp)$A9a(c)=rq7;$F>@?D>Q=8
z`M*&`2h<wAOkGY4c2I(POfjc;(KQZ#iAKI9=J%SC^uO)0A;`DMIh=PO1oVL;j5to7
zez3@tvnU3>4OV+f{b>oY<^>0e);AXOwe$IC0!><l)?OYXgFna{;cxgpAgs2I&6PdF
zJNnDF1MRNI&X&M2{Z2N1ryxJ}c;8a@f~D`ck7)!^NSl<`GBD<<xd}nWK?+1RU+D|{
z#?8F_8ejrP)Atc+#ex|D&FR4BEzRMlsi4gbMYYB&?G*GMqGKUWD&N|tP+Eb(v&qv0
ze=r(E73`M2pC7KB(?%FUIqB4~0etGqiIZ?Z%hf}6?z^iO^sbZZld+}0B7txwO4X(l
zf90i6(f*;Tkae&mp|c2#^lBrumURn*;+S$$toG&pz3m$YQ5%f7p&v;O&XMZ+sNnlp
z9lS6>&JR$|LxjNR!0tZ6vEFU9jfRu(+oSI-hiN4^m(t+uaKo!-xA)?l7!|R=5MlDV
zgK1-!Zd*fMhNR^&QxO^<mv<Je>;k=hv~wp7T^6=#2bspVkQk}xk*U1HUo5FnpYU5A
zdQpB0qAe2-`(dqc-l_6F2>UQ4HwV=Qoe2>Xv~Z&(ko*oCj<{Qj-q-WJ?mE#_FC8c#
zDhbmvj*(F;mCH=H_63vF?YDWnV`j$b2AejVKUfit-6P%&m$!uQTf#oVSb4a<2Moms
ziA%RuXd*kLT0(Jv&*SE#)(>eQZwX@>+)jQQ0>0!i*2@`Qf*L7hF!3;DPtn<%hkOIT
zsG}Y8j(O}R_Xrp9W(eXk39cpte_jrz?JgoQr{3j~N6GoD*SiF><9oX1M&hw=cSKH9
z_LODM>BvgN9v*}Lt?Rl9UF3-%hJOuzYn_S01D|cNREz3&+hX8y>lb2y(QJ;Hg5b1Y
z`w2)B>57coR^A>%Q+63hS(1_$Tbg&n733o=wT+Lb|FRn7VHk^y4wzo5xYjYFCHZw%
zAD#{vp;*O{r+NludOz`9Ac0SGeP|bZhSv2SO>ob`-KR9q75DF$Cgz3y>&)$Z?Wknm
zf1@(}K4V0!<0WEP_Ygm)FzlyN-osO)JpvZas?H9c$WciKBIQ4!C)>c(Q1nG1q`q-M
zGs>ogE7M*gHJhHpL~Z@9DY2QSZC)<?r@p+gRt9K%N+6RR9g%MhfQVIf`z;9lC6Jgp
zh8B4&7Fd+7mHUHTOGV0$`yL^&dG7Rcp8mCFK#NEJ&CC4#uAo?DhO;=8(TFdB*dLU9
zCR7>VrjmE7TK9N=bM8<6ImV;f*PcihPV8Y-TOtKH67HuYaCz-%s1m1wSr+-uIR*#B
zs%H8Ij9bfgIup{Au?nnp+GsJA!Sh^okby4pJOu<y{u+Wm?W@oeWTK5&BU|!-<7`w(
zIVEA+_OYEdT4FB<9DrruSiSf*Ebc}>?I^2VtmylAADoqC1C0gpdh(qIJ3@PhE#a+)
z_miITHLWwtgbQ$MK2-m5Q6YJ(4(M$BN&6jXsI$$DXm|_LMtKapW~2HNA3W{jP<d*v
zcKre5Ma|jtjEs9DIc?iC0I=7Nf*%aWTF&DVTpPh6Th7!k&O>x`G;U_~d2m}aW`?$>
zHD@Z${Ng{YG~@P^pWq8Ue<S@~kkbdO-<;9-VAL>dpUR;|I#M$iMyNEmvIrpiaUuzx
zCDDb#^^owJ7|mOE{9vSLL0~NimiVX%R_*9J%#84Mv?x2Ph%{SQUw(-|9Y+Ca{{i%W
zWdbnuJU>{eO)akehkK}04OGe?a46`M&D~~ja8=?3s%P(=yw$nKrN~3wFb9d)_n(h-
zk$faFa~p(%Qi{SEnr3@a1v|@UucF8<JXV1Ht&zvwBZ9M*_J|L<X7Nwx`lJ)z7Kvsj
z47`^a+21B`VDG?T@7|Z(Fc`_j-?cZt&qPaFi^s3zBI~&0q)NP?(b~mxCX`H5(lhY$
z{=S<ugT*>2ryXW*PR<IqzQ&S9&|7h_4}h`)Ua#Ddg^0B~&A4>j(|I>BJhyyc`hMdt
zBU-C%5kZw4+A^3=dy2n?GkX3#nn-s;8FE?K5;TU6uS%tmH<If%$Dc2tt#;mP+wZ=3
z$Y6a(ixX1Ng9w_jK?#XxyM!MY%uISwJk;1J&o_xPbR(L>nMlI#gxjzcG)geK+rsa*
z>W)_5fg0G%DbF4IGl<#Z0ioq!sO0Idw>j|OeP!U0-}vp}4;>`OtcgF`!-;D>YwnVs
zx#K%{4HEbxdO@>gv^s3kMYMU^!oHWN)Zd^-;#I3bs?|?|nM>>+yd^rl8m8tAWz0)w
zpVs-gbTyovoPT^64~^k<&9#dP$SMGWE0rGNQTAtQ;A?reJoGIWa#pGFzGRPCeWxZ;
zvlee-TX8Db*Z()bUZEo;U-D#uyYJb_-N|(A5QUK3$YG9YE-Q|}lbBiUH+CJ#WFx6V
z^88-v3Qe1z9`^Y1gm&7s+;Eu3kMTMzE64#%=C3jAk>9W}W>*13e2UipUP>hFHEW}q
z*!kzQd%{$`DWpm}scvx699ns+UiDLAkL8!iAJ#6ZWQ^VzFs=v2a!szKN~yB72lCrj
ze;kF^5uWr-Xyii_tIo&p^tF)An&|B_ke=FP{Ig?3YdI9zK5`FMOb|T}q|Lo8Kj=l6
zummW#mI=~Y>U+1BVbCETH0@GL&iA!Ov;D4<hKrI{HOu|-p%ugd#g=0xChqFUZkL?T
znNv|1WWYc6(69_S1m@o5_hEvhbZ5b2T`h4l)K&wD|MZv-?%y>h7O_ZAM#S!FW|JKF
zTP6MB<+<?vH}a7lp}lZ>(%J(4*?TiVlf7_g^3%Q<o<LucRHg56#ZQcAlM6FXg*L;E
z$U1(mU-i`@jBl*@Uj5-p3JfK;3krU!(EeD`Y{Rtw<C#;w4OvFgc-zDa-LG?7F;V|G
zF#6kfr_(QF&sB2mkDqr_ds%0?v`vX%x}!FL#&j3(2%7k%K?H(Q=F=D~+>a$fr+83S
zUk4CRd_Xxcougu78j>nLYbvq`k@Z0k?KGtBFTZ!(%bV^J@V+rAEJm_7UqsMUZC=Mw
zK|s&#j${kocbZD}_B(m9UvH268|Uw5(x4W&BdF28bhw^J&exvHtgJ(&P0DoA9GhA!
zd7MSr^TyC4kXcQDU)sK-Aj(bWD7(GjzFr2GE}>Ja{o1nR{*0t5NZv5<Ga0sndiFJT
zd-`{OO@=DDS7-!^UcyEchgvbs8H?}Ul~ez=j=xz#u9B0MW1nP@caEpO>$Ko%bz_?(
z2GHLGMPxSsOgMB{w463ivRvy@?p_!ySO%MSXN*3G0dyNJ%+asR^&kLvLOY40zN0^^
zy}^@|i^nm=AsM@}&ntZ>Vqr&*a?bykE!H?8YH4s0x^kwOFsi5vzO%L6()|$|Psn}N
z&d)L9_-rO_9uoD)NOv?VBTa)F%TL??yc#jdlPQ-beN6uQ5Azkhx@H8|-1}MuPcM`%
zd5HS;(pzFxWSAF+s%hrGttF}G*hv1E8F>mC&|gumgq#><{>!N1)tk8_mTgA~qU_1=
zpfE@EMp>+*QKZ`4Fqo}ELX<`E*u3L84U!m)mX}fL!v`R);#wtoj_fxU%po{==gKuw
z6rynA*>Z5G*jc~dvcJHsb1(MhZu4lwbA*A0fCmkrno@vN`V&5L(d?{B5#%s(s0}C$
z>pz3Bz=w)^Z;2rZ(@bE{vn@H`jO3D`zz52HuAKio%vreCt{2tehhG_`ITNnu6pBQy
z>-W*+-~(kYB@xvWnJiXxXf@5l1JW#&a_iXfN)<15--__lJJ2GZ)`V%ADzYh_blMIk
z-0>SYcvcVZx))6e5i@7J5#6%F1ZoV0v#6v-e;ks)nwt-m6AjBbD=%$4eCDgIlqv=f
zx2IpR`YFOsXxU?&?5ZIw&JhJ0@s{xlWtF-GPd(UE^uU+!8Y_l<&KMYKKF5^B*EJxY
zg+FiljLBb8<d~&Fd)N_eXHU})Dfd{4YqELxrLF#^Oohg>h^Fl~Zx*@AgC!Kx;M@~a
zJa10y@qAl|p<FOs`c$B*CgkO=z`sUI!@684$MWQZm4DuIx1!9`HIhY?;SKY!ozxG~
z<}_0qR}st&7IkPD2Zx_Nluj?7OT~Cf9SVkUEC4amg6bXWN)(0WOSvWzSu1ka4n6P1
z!m5^MtdHK@ULUa&$=f;<yxan-S3>GVuf_hMB{?TGsi{{DzTIOVWlv3U5qzbeVm+#o
z{C|@&-<)=~_*C$7T!ltXq%w~#DB*B=BkJ8X)Z;yiyg@|8U+}fjqQ=M~N!EreD)*3M
z%k!tB6rE-9e_=;UXL_GCz!16Jg=g}Sw@<*f=Wi_J)fap;MWaDephg=Io~A74PgGZ{
zFmoT7eK}}>{qIJMfUB5*axTuV-9Ki)e5LFToedYlBWnDKV_sgizv((R*|vF+T~sEM
z>?n3$&l;v6pYL+Ery$xdJ*zNXCaIz(JXHIYRanS3ITiyZ^{;%p*;n#A6fZ$3=857V
zGdFMiUh({dag1GwpH7XeY7Y6QEP4q9XB$=WJ(aG^Quc!<9!_o6$4@ZKcIQ3~<p)BV
zAaDPG=s;T6p?CYdTOfs?$J7MM38~2PL)<bGK8r@~U8T_6QwH?)uApR3ny7@x<E)Qm
z;L#`QMe%bD&*PSA!~+aTQUN(x^!&{jx5tua+wROUt^Le$PYo`!+`pW3Xp1VT<M{%4
zl6~}IgU>U?x?RoM&QryWJ`Y{`!PI?1*|r!GPR#}LN=<wWzQ|vUBvRkslyE&T_hgL_
z5X|ORkIfl(SqG9sr6EL!*xa$1f1v8co{&N#3Ulx<LHuU;W$gn0ex7Xe^bdVAc;ptL
zucbFG7bFh&6AjE&001`L|F{6KpeS?PcjBDZ=7Iom;+#IOvSFTjeEdH296^3`0g2uh
z&pkYW^<*2F0C)&0YkF~lebxb9BL*Kc0_{NZ_RJu`eu%PumqBU2^KpONjBf$c>^|m>
z^-m)sv?fI=BP#Hn!O)VmaPdrIO^+Dstk?#1Ld?a4EoU+WjLJ>Qmhi`%%p`oWIWRp_
zxNMc|ExtROu!}vX7S)Mk9jk?r2`rk`eSBShn99#thq5eqk3+KUA9|1?_*?&2rl(!h
zY;%JsN=QFLU6SJCEQ6xL@+y+N`dYDG6r*_lo4UQS<PtzwiG|IshhSWv?oTqXDdvk#
zfpWp6cZFMGLD4ss;2UUVFjzSvpKs~9u!MTlQU_uknd`5@03&JQaP@M6j?$w^s~CKd
zA|Y%+_V3t!21|1>Wbp*q9*qu3DV+As|JcTRw@T*eu#|fNR%SKcm^T5&3rtg`P=jbN
zc}$d{W#-ivOoJclnaVBhS8H5ZA7zEFleEgH-;7;zT~N#t?%_u~soPYB%7J_+U#o_H
zHHaPBi1hP4Ci`rrm#AD*r$F4y?C8y76)<O$p22_mK<9?`vJbf;vHiu-n`_FRA3As7
z<5kW5FMEH_<ANe*dhNZ6dGPJgAJ`MOl0qYmyozqoedfT0_i}amlXp3ZF!&`ln<{CJ
zU^H!zJDt?N$_jBRrVDxXU1iemDjSi(;L^enUyb(i-T0@#H$r0<hMN3NX#m^t4bS|f
zq_((1yF!!F5h|xZEWbWt(|gg|9IJ9%|Kn`w8E<kJashcO-j9mhxR_5wJ9TwdD*^p$
zr1#zT3)-n54Ggsbg%Q$Cs?^&wmYsXSyL0OJfiW*<K`qTm*(Q8FqqWl@odq3ui6Hj-
zR5uIl15<iFi&dbx^c{$Ku!gE{_MIQ-#kQqWvZs`jb=VWy>g<s`rMSMDe8$#C9UOSP
zzrbSWUGb~5a<lDc&D@cK<If@~e#V*__4PxbmkI{8JM3#^&(VVQ_M*NPOHibfW7+mW
z?918D+e}@uhNAS($B^)&HEubU%*)m=I)-m3XbPGDv7UtP>H0mlG)(_lMrxJ;_CBg{
zd#A#qhD1PeE3icfA^cnyZ?Z;j{_3r8!aU-Vf>E30WnYtev<zL`y83ZppVPhLHm>u*
zD&6iPoroa;)gZL4Q(w096>SJUVB%y0<W5c+r~xzI)qE|Ua4;=HFU+?s1Uxof3r^t3
zRzk|Sel}Q|@xTA_#FLx}Ikr)Iobn^Gy8D^skbl^tRb1Vj7Mrnwq;7>dFmM;`yaCp>
zKUJ!pHnr$i9dusZWt$c0?@-NeITM3+l&tMcyr#ZV`r^mVg2=ZtvBu`WJB!g;n5C~p
zRh7DA=9<VZw?S`Jb@d*PB>#<3)STES-v6%QP4}nB2JR_NG7=B?>dV(~n(BWRoAyF<
z(&M0K#R6TDEs7D#+&<=c={1;H8^*<CgsAZZLz=3BUXwGtbn}h|PZ=*6@E}52ol^%b
zlTGs#LbxAr#~omlq-?45htpIQ+E>e=-D_`Po6?XN^PypXcHj@W8JM507x}F}v)Rzk
zS<EOhqM1HcRC-5^)C`ppl2@sdP<_StzmsY_eKwpq@EFSUwQgN#+GYRLxWzy>p<yrh
z^SL{dY$KX-5RB5R&^fZW=vHu!+kX1`6xt6FH7QJ6cx(`b^ps~U*6lbcbDngHFSMW8
zlYoL44V~p9nM+$W3Z%0u?1rVqiUU{Vg;n@{G%rQFjD{nt`{>O@$m<WS21^TFDiQql
zBe@q8l)pw`r{$D$ha$5;Q+ZuwjNO>&EJLCeCXP(lg5M!mD$@?t*UJAcAT0h7m95rM
zj{U|F-m5y76;>Di24tLBz`S92fR49Iyv~#-1&vDm{Hj7TKD9FD)lU8%`A^UH`)jtd
ztEHhdHf&)qfL=r^$r6Y!^to&=&RtqMHj7TBU&xFh5TVrlKrD`<%2uz`GL*Z&q0fQ6
z{jIFnt$>N|2}b2l9Rr$7j30Iwvq%41`aRHKbl|2l^Sk0tdCcTDL%CNH*sG6`W|7&-
z{nhhi<z-`Qzju;X@&JN@kJc0SeP2>cfjzDzXi|%w*SYOql^${zZK2;VpV)RJ%;b2>
zi0+?RVwOqAi(?ZDugb>5_V<TnxR0Xa$|mB9>Z}kborN=XZCNT6b((Pb-U>qx_+y`K
za&V*+OJIUI#!ACixMII^eB*E-${FbS<7dW49JR6#u*-L!)7{gb4#m~ydLo?C!!vrX
z*P`>~qB%04t>wzvtzu2$RQ}b3OI|stFm`Xz>qZYU$TK^~N5fth>g@P0%k-+>^T0d4
z)LV%W*vSqRdJnu3eFZP4;54&jSU<$OJAXY~wd6_&j?da3Z>c=^0soFsYTaz<4;lq>
z(@ecxp7cyNp^ik8q*}Lf?LTwP*OUA_9iW*{vCe&)Ck7vJQwQ^sZt0<OSf6>{==CC0
z%IzkUvo`fYKQCWv+&?&0%F(vwBoBQGkSBrNjN%u;O<Z^e4lw9DlZAhkSsx*(9q)CU
zWr;RdP@8kc9xahw?Dmkv7Gfs0pXofKzxu3B;u=Ekm4=dH-&}cLXTnzQdi0j|;iK5{
zdj<<wzixRwwN1VlS$FJFu>$XCq55ERI(FSmo^vwzl6p4A+qpaN3q4X_*1n?6gVU)!
z`a>Dh+_EP@iV&=={N%ZwVbuk7*zfS#ojyDB^?t$>eq&2Md~I%9xMD91p5dGb@PxFn
zfEQCn^;VZe&SiX*ZG=rrtj~4gx<B%UVa`l~Nm3OMjJ_i;E8cI&z1%v4r5m%TCVYDf
ztD}fbe8mw;Z;s}P&#n%{Jm=`ueq5Zu?bjf3WFU3Uz<N6Z)`V4alN!7K`p;|G(EDwW
zvE-Zd&CC`*sf5;5?+Ram>RLk&)vQMT^3Up~qQ&SU;6y?(aOG)Pez|fnob#x@A*kb+
za|W7)DG>X4501&Ope|3y8QoYhhEh4_M+_mi|FLKEFPZ2^gUBX!maCHh+6)%cqY;d#
zG^zO+3iE=usPx3G(aC{L#_}KX2D<YI0eqgI^)t10y}x{tjE_!1pu<z)VzHljZraHd
z#UD?(u4@t%X+rJ3Pr^_xm4*%uFA#{>dNTqSk@}X%B+rv0{6~bw+yE+%=H-%WK~UMJ
z+ud^w0Sjy*29OPlXT$ps{6x@htF5-mHb4Ek^$@|5Enkmy6v3k)57wPX;J9X_a@b3A
zhh+a4Zs1eBR-Av=uQlN@E25Hid`VEheT_ZMK3kUqhrWi8lkn?>7nNeYP@bf0p5$&)
zvaPy6V=qASXZA5fX<ybECwlZ&U;i6UI$M!)C%Uk0p7~JI`<E;&$@erz!ZuJ!fweet
zb{Iy_Xru3Li=XXgp!{q!*p`J)-p)2*pDZChfws|hW(_y&Y53^#rwOpN^{oL}Ts++-
zv<^US`h>|j)|dQ!c_ihuGzHHw_Q1p0zv8UdncJTPKe||y9YBvcEC*N9jKD!>1Bd7L
zHc?z%QFZSn^21uQ)$V2<Pt3q;R@l5clcRzUD-{}~|MPK36&Jt<Ug#``s}+fQj5$_+
zegN>*W>KN{kjoQkP)5xppA;N+WTb!^56B(lJpSnGYz2~lWnyN7#KM$~?LpBt^95n)
z+R|E>4&U{F6GpaQ3?0-YY3&Ro7!jCInPQ@))FACK|4E5e4(=W`45j>%!jtpB6WAg{
zG@X-?e$%`Z+-<Q01ALR9E;bxqp<@mHI0r#z4pykHhNbsF!31}BKCA)V%rVBFw@~C|
znr)M@dw&pkm~P2XD)SMUJOflOS_t=kk`+D;DiP1=1^HN%R(_9p64{XCVz5HdF~qp=
ztVj+gz!!@rhM(Y7A+c}7^!I~}n`8)mbYEAF5Uod-snY!qA3y%znmmn)umvThvF2(k
z9Jk$l$qVR+eV;K5U1BE()se0oDeM>^_nobLcgK683fy`k5ri5#BrkMa$Jx`bnbcZc
z;oz-W_|1IG-$7{NW0q}`4<z?xDO=eFEg#iQxZbvN;zkJS<P+nC4;$9FcNa2aqyuYj
z<k|Ng*Pf<EibW`bTxglkUE3XGo9ri8hv_Q+nt#;`qUbU?{=nrcX(*9q^1`(>kj&gY
zf(s;WcO+VsNs4%wY_UEdYCN1U{|DVRted(raI`^|3zP@f#@m8(FnsTe!cWl|BZN+`
zUd0Ndd&i`zCA@Ti0J=eGE+q6p0gBf_12(&Ee}^6xemuIPfBQc=YI;l>cq?c_x(<mj
zakY>&F`AM#9=~F#1Xf7Z0YuAZ>GO%t{92q^G`$27T(X}~Cv47qC-%kR*dy2U*!vFp
zv`PXyu!rq%1Pb~oih_xhFm%*BAlZ2r=j`U89m;P4d4d`PwkjyadouMlGPog^N6a)@
za7aw}zU#W4>(5U@`ejSi*03TBj7uuh1|8Ojw(5pGxW=V^tv3gf0|G2!W-2r2A*`Ux
zoX8QZ)b|Bo`f7IQk46w!9yYC^QJF5lf33n_N*dUH;ZErg^np~&7&rKI(Sx2d3$=;x
zgUZUL4=BCEds_<}?5%c(P@0oQQ>h0Tj&+S=KP}wX-1om2!;tTcbCVpx+Z|d_(qU2I
zl1s8cLgr7aJ&E?8%34u=Y0!OD_7*)0I;~o^Ro{GW@1k}ylpF{e-C$Dybzf8=DN`Up
z-8FXs+ZC3WA@Sx&i_z-|t247PsL(h$?SYEH4a~U@>T+{wzk<uSLwjs_hpwB*1XL(;
zd)#9N+s{V(7SXWBPWx`-xVsIcZq=M#yR2`&cW`3)ppCw$5nMc}%CvksrM;K!OobSi
zH|QG%);>$a3yXlw!u*&|znllQ)Jxips;{{wG+|A98tw(4l(Z)L#`&Ymfe8=kCc^F`
zyg19J1+18DdaK4BVt6+>5v3vYqprVbFUnie0go$p!Jk$~)F#*oA|9+SU^7e=W7$)-
z(Tf6Ch@suF2Y4SUp%ehf3;T$9ad!K=rg-;Z?J{Swu350<Uyy!|uq3NS^Cx%hoGpv=
zXUgKg;ZkTFocYmCJyMjNGZ`4%@9s{b)}BG#P-nI2ti`F32r)8J6B8=+XN3jfP7lO~
zEqUjM=S;x1(YM9x*OsF9K9vB#vCw!gJ>N6UDtc#{0Or=0eA(!&APlq5u?8TKg|&nj
ztU>X5>310NlvlC7GU5{If2ikcyjf$I0>&2w4a8Co9(!|=-?cF#iv9UF((d2pAD-k^
zk80joX7TWv^z7=*&t+HLW|8@NF3n|eo!Fne9r?#{PC`gw9urns+VS@qg_&cqwW!m_
z&HJFLNn4BJ6b8cD5svV8#T<zmO}x+E=EB!$*2ouG9s^(Jz&}6~#1q|l6(WI&yr^G^
z%&(P6az@QE{!#8vg{e#~f&cjT4{+r(a?ZQ|eExql{Qt|-KOIPfP*w{{O?dkDKmYqZ
P0Fakfk*fdCH0=KXu+8I5

literal 0
HcmV?d00001

diff --git a/plugin/percona-pam-for-mysql/doc/source/percona_favicon.ico b/plugin/percona-pam-for-mysql/doc/source/percona_favicon.ico
new file mode 100644
index 0000000000000000000000000000000000000000..f426064d6f505e77365a8980046b58ae465ea6b0
GIT binary patch
literal 894
zcma)*y-QnR6o=2f1!I;Hp`@aNT`C2!h#-ZEi~0xX;8Hu38qlQ<ii;p9IEZvnhb|pd
z5C;dpQ2H?>*ox_(f?^{iiV^YKL1IHplY4#M`^rTkf;YeS@;mQ&&U<do<%$^md_Lh`
zC~Z$f{37y-#g@Easr^S@W0S|_)vNx}FsiIw@95cmsBrP;xoum`pQ2(0je_4uyi0gb
z;jjBu^$i<ME!(zjw{|LCk&bQ)%^+E~k!HASp4!2oeT31x>SYFXmp^NlI@J9BQIe;k
z(7CLs*^{Tm%esmOqlG%$X{~wSukq}gkcBW*F#!N|rgw=JOye#;bCk`Wvs@9{nXJn&
zG3KUg_4yxH{sTW-un~rkj_S`kEr5%v){K&{_`^(+RM%$4oWA8TgglZOvOf$4T=hO?
zRIH<yjge&PI-1D7{;o<8hVWl9O-eI0fmr{<saf||3(si>$;{_SdMJ{{5as}k=y@QX
z_io42yoUznE;!H`sf8ibDehqUl@0$$7;OjM_CtiJ=s)`~et|G|_rHV^?kn#8c4_vU
zdHc?_@HruX3u`m6bzL@kl|PazHc92cZb*umznxDZ%zZLdBC_WZ3Gv<Z8q}%vz@_qP
JDOS~}+8cb5Xo~;<

literal 0
HcmV?d00001

diff --git a/plugin/percona-pam-for-mysql/doc/source/release-notes.rst b/plugin/percona-pam-for-mysql/doc/source/release-notes.rst
new file mode 100644
index 000000000000..e025381cf6db
--- /dev/null
+++ b/plugin/percona-pam-for-mysql/doc/source/release-notes.rst
@@ -0,0 +1,19 @@
+============================================================
+ |Percona| PAM authentication plugin for MySQL Release Notes
+============================================================
+
+General availability (GA)
+=========================
+
+Percona is pleased to announce that Percona's PAM Authentication plugin for MySQL has been merged to |Percona Server| `5.5.24-26.0 <http://www.percona.com/doc/percona-server/5.5/release-notes/Percona-Server-5.5.24-26.0.html#5.5.24-26.0>`_ on June 1st, 2012. With this release PAM Authentication plugin became GA. Further information on how to install and use the plugin can be found in the |Percona Server| documentation.
+
+Preview Release
+===============
+
+Percona is pleased to announce availability of an early access version of Percona's PAM Authentication plugin for MySQL on December 5th, 2011. This plugin supports |MySQL|-5.5.x, |Percona Server| 5.5.x and MariaDB 5.2.x. The PAM Authentication plugin can be used for:
+ * |MySQL| authentication using operating system users (``pam_unix``)
+ * |MySQL| authentication from LDAP server (pam_ldap)
+ * authentication against RSA SecurID server
+ * any other authentication methods that provides access via PAM
+
+Percona PAM Authentication Plugin for MySQL is fully open source, free of charge and can be used on an unlimited amount of servers. 
diff --git a/plugin/percona-pam-for-mysql/src/auth_mapping.cc b/plugin/percona-pam-for-mysql/src/auth_mapping.cc
new file mode 100644
index 000000000000..b5215674bad7
--- /dev/null
+++ b/plugin/percona-pam-for-mysql/src/auth_mapping.cc
@@ -0,0 +1,227 @@
+/*
+(C) 2012, 2016 Percona LLC and/or its affiliates
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; version 2 of the License.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
+*/
+
+#include "auth_mapping.h"
+#include <ctype.h>
+#include <stdlib.h>
+#include <string.h>
+#include "groups.h"
+
+#include "auth_pam_common.h"
+
+/** Token representation:
+    token type, string repr, length of token */
+struct token {
+  enum class ctype { id, comma, eq, eof } type;
+  const char *token;
+  size_t token_len;
+};
+
+/** Iterator in key-value mapping:
+    position and length of key,
+    position and length of value,
+    current position in string */
+struct mapping_iter {
+  const char *key;
+  size_t key_len;
+  const char *value;
+  size_t value_len;
+  const char *ptr;
+};
+
+/** Get next token from buf. Returns new buf position. */
+static const char *get_token(struct token *token, const char *buf) {
+  const char *ptr = buf;
+
+  while (*ptr && isspace(*ptr)) ++ptr;
+
+  token->token = ptr;
+  switch (*ptr) {
+    case '\0':
+      token->type = token::ctype::eof;
+      break;
+    case ',':
+      token->token_len = 1;
+      token->type = token::ctype::comma;
+      ++ptr;
+      break;
+    case '=':
+      token->token_len = 1;
+      token->type = token::ctype::eq;
+      ++ptr;
+      break;
+    case '"':
+      token->token_len = 0;
+      ++ptr;
+      token->token = ptr;
+      while (*ptr && *ptr != '"') {
+        ++token->token_len;
+        ++ptr;
+      }
+      token->type = token::ctype::id;
+      if (*ptr) ++ptr;
+      break;
+    default:
+      token->token_len = 0;
+      while (*ptr && !isspace(*ptr) && *ptr != ',' && *ptr != '=') {
+        ++token->token_len;
+        ++ptr;
+      }
+      token->type = token::ctype::id;
+  }
+
+  return ptr;
+}
+
+/** Create iterator through mapping string.
+    Initially iterator set to position before first
+    key-value pair. On success non-NULL pointer returned, otherwise NULL */
+struct mapping_iter *mapping_iter_new(const char *mapping_string) {
+  struct mapping_iter *it = static_cast<mapping_iter *>(
+      my_malloc(key_memory_pam_mapping_iter, sizeof(struct mapping_iter), 0));
+  if (it != nullptr) {
+    it->key = nullptr;
+    it->value = nullptr;
+    /* eat up service name and move to (, key = value)* part */
+    struct token token;
+    it->ptr = get_token(&token, mapping_string);
+  }
+  return it;
+}
+
+/** Move iterator to next key-value pair.
+    On success pointer to key position in string returned,
+    otherwise NULL */
+const char *mapping_iter_next(struct mapping_iter *it) {
+  struct token token[4] = {{token::ctype::id, 0, 0}};
+
+  /* read next 4 tokens */
+  it->ptr = get_token(
+      token + 3,
+      get_token(token + 2, get_token(token + 1, get_token(token, it->ptr))));
+
+  /* was it ", id = id"? */
+  if (!((token[0].type == token::ctype::comma) &&
+        (token[1].type == token::ctype::id) &&
+        (token[2].type == token::ctype::eq) &&
+        (token[3].type == token::ctype::id))) {
+    /* we got something inconsistent */
+    return nullptr;
+  }
+
+  /* set key */
+  it->key = token[1].token;
+  it->key_len = token[1].token_len;
+
+  /* set value */
+  it->value = token[3].token;
+  it->value_len = token[3].token_len;
+
+  return it->key;
+}
+
+/** Finish iteration and release iterator */
+void mapping_iter_free(struct mapping_iter *it) { my_free(it); }
+
+/** Get mapped value for given user name.
+    Value is looked up by using all user groups as a key.
+    Auth string is iterated only once, while groups are iterated
+    for every key-value pair. This is mean than auth string order
+    is dominant.
+
+    Example:
+
+    given:
+      user "foo" is the member of "wheel", "staff" and "bar".
+      auth string is "mysql, root=user1, bar=user2, staff=user3"
+
+    result is "user2".
+
+    On success value_buf returned, otherwise NULL */
+char *mapping_lookup_user(const char *user_name, char *value_buf,
+                          size_t value_buf_len, const char *mapping_string) {
+  /* Iterate through the key-value list stored in auth_string and
+  find key (which is interpreted as group name) in the list of groups
+  for specified user. If match is found, store appropriate value in
+  the authenticated_as field. */
+  struct mapping_iter *keyval_it = mapping_iter_new(mapping_string);
+  if (keyval_it == nullptr) return nullptr;
+
+  struct groups_iter *group_it = groups_iter_new(user_name);
+  if (group_it == nullptr) {
+    mapping_iter_free(keyval_it);
+    return nullptr;
+  }
+
+  const char *key;
+  const char *group;
+  while ((key = mapping_iter_next(keyval_it)) != nullptr) {
+    while ((group = groups_iter_next(group_it)) != nullptr) {
+      if (keyval_it->key_len == strlen(group) &&
+          strncmp(key, group, keyval_it->key_len) == 0) {
+        /* match is found */
+        memcpy(value_buf, keyval_it->value,
+               std::min(value_buf_len, keyval_it->value_len));
+        value_buf[std::min(value_buf_len, keyval_it->value_len)] = '\0';
+        groups_iter_free(group_it);
+        mapping_iter_free(keyval_it);
+        return value_buf;
+      }
+    }
+    groups_iter_reset(group_it);
+  }
+
+  groups_iter_free(group_it);
+  mapping_iter_free(keyval_it);
+
+  return nullptr;
+}
+
+/** Get key in current iterator pos. On success buf returned,
+    otherwise NULL */
+char *mapping_iter_get_key(struct mapping_iter *it, char *buf, size_t buf_len) {
+  if (it->key == nullptr) return nullptr;
+  memcpy(buf, it->key, std::min(buf_len, it->key_len));
+  buf[std::min(buf_len, it->key_len)] = '\0';
+  return buf;
+}
+
+/** Get value in current iterator pos. On success buf returned,
+    otherwise NULL */
+char *mapping_iter_get_value(struct mapping_iter *it, char *buf,
+                             size_t buf_len) {
+  if (it->value == nullptr) return nullptr;
+  memcpy(buf, it->value, std::min(buf_len, it->value_len));
+  buf[std::min(buf_len, it->value_len)] = '\0';
+  return buf;
+}
+
+/** Get value by key. On success pointer to service_name
+    returned, otherwise NULL */
+char *mapping_get_service_name(char *buf, size_t buf_len,
+                               const char *mapping_string) {
+  struct token token;
+
+  get_token(&token, mapping_string);
+  if (token.type == token::ctype::id) {
+    memcpy(buf, token.token, std::min(buf_len, token.token_len));
+    buf[std::min(buf_len, token.token_len)] = '\0';
+    return buf;
+  }
+
+  return nullptr;
+}
diff --git a/plugin/percona-pam-for-mysql/src/auth_mapping.h b/plugin/percona-pam-for-mysql/src/auth_mapping.h
new file mode 100644
index 000000000000..7a98e30bcb0a
--- /dev/null
+++ b/plugin/percona-pam-for-mysql/src/auth_mapping.h
@@ -0,0 +1,73 @@
+#ifndef AUTH_MAPPING_INCLUDED
+#define AUTH_MAPPING_INCLUDED
+/*
+  (C) 2012, 2013 Percona LLC and/or its affiliates
+
+  This program is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published by
+  the Free Software Foundation; version 2 of the License.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU General Public License for more details.
+
+  You should have received a copy of the GNU General Public License
+  along with this program; if not, write to the Free Software
+  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
+
+*/
+
+/**
+ @file
+
+ PAM authentication for MySQL, interface for user mapping.
+
+*/
+
+#include <stdlib.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/** Mapping iterator. It's not exposed outsude */
+struct mapping_iter;
+
+/** Create iterator through mapping string.
+    Initially iterator set to position before first
+    key-value pair. On success non-NULL pointer returned, otherwise NULL */
+struct mapping_iter *mapping_iter_new(const char *mapping_string);
+
+/** Move iterator to next key-value pair.
+    On success pointer to key position in string returned,
+    otherwise NULL */
+const char *mapping_iter_next(struct mapping_iter *it);
+
+/** Finish iteration and release iterator */
+void mapping_iter_free(struct mapping_iter *it);
+
+/** Get key at current iterator position. On success buf returned,
+    otherwise NULL */
+char *mapping_iter_get_key(struct mapping_iter *it, char *buf, size_t buf_len);
+
+/** Get value at current iterator position. On success buf returned,
+    otherwise NULL */
+char *mapping_iter_get_value(struct mapping_iter *it, char *buf,
+                             size_t buf_len);
+
+/** Get value by given key. On success value_buf returned,
+    otherwise NULL */
+char *mapping_lookup_user(const char *key, char *value_buf,
+                          size_t value_buf_len, const char *mapping_string);
+
+/** Get service name for auth_string. On success buf returned,
+    otherwise NULL */
+char *mapping_get_service_name(char *buf, size_t buf_len,
+                               const char *mapping_string);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/plugin/percona-pam-for-mysql/src/auth_pam.cc b/plugin/percona-pam-for-mysql/src/auth_pam.cc
new file mode 100644
index 000000000000..5fabfe161466
--- /dev/null
+++ b/plugin/percona-pam-for-mysql/src/auth_pam.cc
@@ -0,0 +1,179 @@
+/*
+(C) 2012, 2015 Percona LLC and/or its affiliates
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; version 2 of the License.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
+
+*/
+
+/**
+ @file
+
+ PAM authentication for MySQL, server-side plugin for the
+ production use.
+
+ A general-purpose PAM authentication plugin for MySQL.  Acts as a mediator
+ between the MySQL server, the MySQL client, and the PAM backend. Dialog plugin
+ used as client plugin.
+
+ The server plugin requests authentication from the PAM backend, forwards any
+ requests and messages from the PAM backend over the wire to the client (in
+ cleartext) and reads back any replies for the backend.
+
+ This plugin does not encrypt the communication channel in any way.  If this is
+ required, a SSL connection should be used.
+
+ To install this plugin, copy the .so file to the plugin directory and do
+
+ INSTALL PLUGIN auth_pam SONAME 'auth_pam.so';
+
+ To use this plugin for one particular user, specify it at user's creation time
+ (TODO: tested with localhost only):
+
+ CREATE USER 'username'@'hostname' IDENTIFIED WITH auth_pam;
+
+ Alternatively UPDATE the mysql.user table to set the plugin value for an
+ existing user.
+
+ Also it is possible to use this plugin to authenticate anonymous users:
+
+ CREATE USER ''@'hostname' IDENTIFIED WITH auth_pam;
+
+*/
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <stdlib.h>
+#include <string.h>
+#include "auth_pam_common.h"
+#include "my_sys.h"
+#include "mysql/psi/mysql_memory.h"
+
+MYSQL_PLUGIN auth_pam_plugin_info;
+
+/** The maximum length of buffered PAM messages, i.e. any messages up to the
+    next PAM reply-requiring message. 10K should be more than enough by order
+    of magnitude. */
+static const constexpr auto max_pam_buffered_msg_len = 10240;
+
+static PSI_memory_key key_memory_pam_msg_buf;
+
+static PSI_memory_info pam_auth_memory[] = {
+    {&key_memory_pam_msg_buf, "auth_pam_msg_buf", PSI_FLAG_ONLY_GLOBAL_STAT,
+     PSI_VOLATILITY_UNKNOWN, PSI_DOCUMENT_ME},
+};
+
+struct pam_msg_buf {
+  unsigned char buf[max_pam_buffered_msg_len];
+  unsigned char *ptr;
+};
+
+static char pam_msg_style_to_char(int pam_msg_style) {
+  /* Magic byte for the dialog plugin, '\2' is defined as ORDINARY_QUESTION
+     and '\4' as PASSWORD_QUESTION there. */
+  return (pam_msg_style == PAM_PROMPT_ECHO_ON) ? '\2' : '\4';
+}
+
+int auth_pam_client_talk_init(void **talk_data) {
+  struct pam_msg_buf *msg_buf = static_cast<pam_msg_buf *>(my_malloc(
+      key_memory_pam_msg_buf, sizeof(struct pam_msg_buf), MY_ZEROFILL));
+  *talk_data = (void *)msg_buf;
+  if (msg_buf != nullptr) {
+    msg_buf->ptr = msg_buf->buf + 1;
+    return PAM_SUCCESS;
+  }
+  return PAM_BUF_ERR;
+}
+
+void auth_pam_client_talk_finalize(void *talk_data) { my_free(talk_data); }
+
+int auth_pam_talk_perform(const struct pam_message *msg,
+                          struct pam_response *resp, struct pam_conv_data *data,
+                          void *talk_data) {
+  struct pam_msg_buf *msg_buf = (struct pam_msg_buf *)talk_data;
+
+  /* Append the PAM message or prompt to the unsent message buffer */
+  if (msg->msg) {
+    unsigned char *last_buf_pos = msg_buf->buf + max_pam_buffered_msg_len - 1;
+    if (msg_buf->ptr + strlen(msg->msg) >= last_buf_pos) {
+      /* Cannot happen: the PAM message buffer too small. */
+      MY_ASSERT_UNREACHABLE();
+      return PAM_CONV_ERR;
+    }
+    memcpy(msg_buf->ptr, msg->msg, strlen(msg->msg));
+    msg_buf->ptr += strlen(msg->msg);
+    *(msg_buf->ptr)++ = '\n';
+  }
+
+  if (msg->msg_style == PAM_PROMPT_ECHO_OFF ||
+      msg->msg_style == PAM_PROMPT_ECHO_ON) {
+    int pkt_len;
+    unsigned char *pkt;
+
+    msg_buf->buf[0] = pam_msg_style_to_char(msg->msg_style);
+
+    /* Write the message.  */
+    if (data->vio->write_packet(data->vio, msg_buf->buf,
+                                msg_buf->ptr - msg_buf->buf - 1))
+      return PAM_CONV_ERR;
+
+    /* Read the answer */
+    if ((pkt_len = data->vio->read_packet(data->vio, &pkt)) < 0)
+      return PAM_CONV_ERR;
+
+    resp->resp = static_cast<char *>(malloc(pkt_len + 1));
+    if (resp->resp == nullptr) return PAM_BUF_ERR;
+
+    strncpy(resp->resp, (char *)pkt, pkt_len);
+    resp->resp[pkt_len] = '\0';
+
+    if (msg->msg_style == PAM_PROMPT_ECHO_OFF)
+      data->info->password_used = PASSWORD_USED_YES;
+
+    msg_buf->ptr = msg_buf->buf + 1;
+  }
+
+  return PAM_SUCCESS;
+}
+
+static int auth_pam_init(MYSQL_PLUGIN plugin_info) {
+  int count;
+  auth_pam_common_init("auth_pam");
+  count = array_elements(pam_auth_memory);
+  mysql_memory_register("auth_pam", pam_auth_memory, count);
+  auth_pam_plugin_info = plugin_info;
+  return 0;
+}
+
+static struct st_mysql_auth pam_auth_handler = {
+    MYSQL_AUTHENTICATION_INTERFACE_VERSION,
+    "dialog",
+    &authenticate_user_with_pam_server,
+    &auth_pam_generate_auth_string_hash,
+    &auth_pam_validate_auth_string_hash,
+    &auth_pam_set_salt,
+    0UL,
+    nullptr};
+
+mysql_declare_plugin(auth_pam) {
+  MYSQL_AUTHENTICATION_PLUGIN, &pam_auth_handler, "auth_pam", "Percona, Inc.",
+      "PAM authentication plugin", PLUGIN_LICENSE_GPL, auth_pam_init, nullptr,
+      nullptr, 0x0001, nullptr, nullptr, nullptr
+#if MYSQL_PLUGIN_INTERFACE_VERSION >= 0x103
+      ,
+      0
+#endif
+}
+mysql_declare_plugin_end;
diff --git a/plugin/percona-pam-for-mysql/src/auth_pam_common.cc b/plugin/percona-pam-for-mysql/src/auth_pam_common.cc
new file mode 100644
index 000000000000..f819d377ae56
--- /dev/null
+++ b/plugin/percona-pam-for-mysql/src/auth_pam_common.cc
@@ -0,0 +1,208 @@
+/*
+(C) 2011-2015 Percona LLC and/or its affiliates
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; version 2 of the License.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
+
+*/
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <string.h>
+#include "auth_mapping.h"
+#include "auth_pam_common.h"
+#include "groups.h"
+#include "my_sys.h"
+#include "mysql/psi/mysql_memory.h"
+
+/* The server plugin */
+
+PSI_memory_key key_memory_pam_mapping_iter;
+PSI_memory_key key_memory_pam_group_iter;
+
+static PSI_memory_info common_pam_memory[] = {
+    {&key_memory_pam_mapping_iter, "auth_pam_mapping_iterator",
+     PSI_FLAG_ONLY_GLOBAL_STAT, PSI_VOLATILITY_UNKNOWN, PSI_DOCUMENT_ME},
+    {&key_memory_pam_group_iter, "auth_pam_group_iterator",
+     PSI_FLAG_ONLY_GLOBAL_STAT, PSI_VOLATILITY_UNKNOWN, PSI_DOCUMENT_ME},
+};
+
+/** The MySQL service name for PAM configuration */
+static const char *service_name_default = "mysqld";
+
+void auth_pam_common_init(const char *psi_category) {
+  int count = array_elements(common_pam_memory);
+  mysql_memory_register(psi_category, common_pam_memory, count);
+}
+
+static bool valid_pam_msg_style(int pam_msg_style) {
+  switch (pam_msg_style) {
+    case PAM_PROMPT_ECHO_OFF:
+    case PAM_PROMPT_ECHO_ON:
+    case PAM_ERROR_MSG:
+    case PAM_TEXT_INFO:
+      return true;
+    default:
+      return false;
+  }
+}
+
+/** The maximum length of service name. It shouldn't be too long as it's
+    filename in pam.d directory also */
+static const constexpr auto max_pam_service_name_len = 64;
+
+static void free_pam_response(struct pam_response **resp, int n) {
+  for (int i = 0; i < n; i++) {
+    free((*resp)[i].resp);
+  }
+  free(*resp);
+  *resp = nullptr;
+}
+
+static int vio_server_conv(int num_msg, const struct pam_message **msg,
+                           struct pam_response **resp, void *appdata_ptr) {
+  struct pam_conv_data *data = (struct pam_conv_data *)appdata_ptr;
+
+  if (data == nullptr) {
+    MY_ASSERT_UNREACHABLE();
+    return PAM_CONV_ERR;
+  }
+
+  *resp = (struct pam_response *)calloc(num_msg, sizeof(struct pam_response));
+  if (*resp == nullptr) return PAM_BUF_ERR;
+
+  void *talk_data;
+  int error = auth_pam_client_talk_init(&talk_data);
+  if (error != PAM_SUCCESS) {
+    free_pam_response(resp, 0);
+    return error;
+  }
+
+  for (int i = 0; i < num_msg; i++) {
+    if (!valid_pam_msg_style(msg[i]->msg_style)) {
+      auth_pam_client_talk_finalize(talk_data);
+      free_pam_response(resp, i);
+      return PAM_CONV_ERR;
+    }
+
+    error = auth_pam_talk_perform(msg[i], &(*resp)[i], data, talk_data);
+    if (error != PAM_SUCCESS) {
+      auth_pam_client_talk_finalize(talk_data);
+      free_pam_response(resp, i);
+      return error;
+    }
+  }
+  auth_pam_client_talk_finalize(talk_data);
+  return PAM_SUCCESS;
+}
+
+int authenticate_user_with_pam_server(MYSQL_PLUGIN_VIO *vio,
+                                      MYSQL_SERVER_AUTH_INFO *info) {
+  /* Set service name as specified in auth_string. If no auth_string
+  provided or parsing error occurs, then keep default value */
+  char service_name[max_pam_service_name_len];
+  strcpy(service_name, service_name_default);
+  if (info->auth_string)
+    mapping_get_service_name(service_name, sizeof(service_name),
+                             info->auth_string);
+
+  info->password_used = PASSWORD_USED_NO_MENTION;
+
+  pam_handle_t *pam_handle;
+  struct pam_conv_data data = {vio, info};
+  struct pam_conv conv_func_info = {&vio_server_conv, &data};
+  int error =
+      pam_start(service_name, info->user_name, &conv_func_info, &pam_handle);
+  if (error != PAM_SUCCESS) return CR_ERROR;
+
+  error = pam_set_item(pam_handle, PAM_RUSER, info->user_name);
+  if (error != PAM_SUCCESS) {
+    pam_end(pam_handle, error);
+    return CR_ERROR;
+  }
+
+  error = pam_set_item(pam_handle, PAM_RHOST, info->host_or_ip);
+  if (error != PAM_SUCCESS) {
+    pam_end(pam_handle, error);
+    return CR_ERROR;
+  }
+
+  error = pam_authenticate(pam_handle, 0);
+  if (error != PAM_SUCCESS) {
+    pam_end(pam_handle, error);
+    return CR_ERROR;
+  }
+
+  error = pam_acct_mgmt(pam_handle, 0);
+  if (error != PAM_SUCCESS) {
+    pam_end(pam_handle, error);
+    return CR_ERROR;
+  }
+
+  /* Get the authenticated user name from PAM */
+  char *pam_mapped_user_name;
+  error = pam_get_item(pam_handle, PAM_USER,
+                       const_cast<const void **>(
+                           reinterpret_cast<void **>(&pam_mapped_user_name)));
+  if (error != PAM_SUCCESS) {
+    pam_end(pam_handle, error);
+    return CR_ERROR;
+  }
+
+  /* Check if user name from PAM is the same as provided for MySQL.  If
+  different, use the new user name for MySQL authorization and as
+  CURRENT_USER() value.  */
+  if (strcmp(info->user_name, pam_mapped_user_name)) {
+    strncpy(info->authenticated_as, pam_mapped_user_name,
+            MYSQL_USERNAME_LENGTH);
+    info->authenticated_as[MYSQL_USERNAME_LENGTH] = '\0';
+  }
+
+  if (info->auth_string) {
+    mapping_lookup_user(pam_mapped_user_name, info->authenticated_as,
+                        MYSQL_USERNAME_LENGTH, info->auth_string);
+  }
+
+  error = pam_end(pam_handle, error);
+  if (error != PAM_SUCCESS) return CR_ERROR;
+
+  return CR_OK;
+}
+
+int auth_pam_generate_auth_string_hash(char *outbuf, unsigned int *buflen,
+                                       const char *inbuf,
+                                       unsigned int inbuflen) {
+  /*
+    fail if buffer specified by server cannot be copied to output buffer
+  */
+  if (*buflen < inbuflen) return 1; /* error */
+  strncpy(outbuf, inbuf, inbuflen);
+  *buflen = strlen(inbuf);
+  return 0; /* success */
+}
+
+int auth_pam_validate_auth_string_hash(char *const buf __attribute__((unused)),
+                                       unsigned int len
+                                       __attribute__((unused))) {
+  return 0; /* success */
+}
+
+int auth_pam_set_salt(const char *password __attribute__((unused)),
+                      unsigned int password_len __attribute__((unused)),
+                      unsigned char *salt __attribute__((unused)),
+                      unsigned char *salt_len) {
+  *salt_len = 0;
+  return 0; /* success */
+}
diff --git a/plugin/percona-pam-for-mysql/src/auth_pam_common.h b/plugin/percona-pam-for-mysql/src/auth_pam_common.h
new file mode 100644
index 000000000000..9976adebe238
--- /dev/null
+++ b/plugin/percona-pam-for-mysql/src/auth_pam_common.h
@@ -0,0 +1,82 @@
+#ifndef AUTH_PAM_COMMON_INCLUDED
+#define AUTH_PAM_COMMON_INCLUDED
+/*
+  (C) 2012 Percona Inc.
+
+  This program is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published by
+  the Free Software Foundation; version 2 of the License.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU General Public License for more details.
+
+  You should have received a copy of the GNU General Public License
+  along with this program; if not, write to the Free Software
+  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
+*/
+
+/**
+ @file
+
+ PAM authentication for MySQL, common definitions for side plugins.
+
+ For the general description, see the top comment in auth_pam_common.c.
+*/
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+#ifdef HAVE_SECURITY_PAM_MISC_H
+#include <security/pam_misc.h>
+#elif defined(HAVE_SECURITY_OPENPAM_H)
+#include <security/openpam.h>
+#endif
+
+#include "mysql/client_plugin.h"
+#include "mysql/plugin.h"
+#include "mysql/plugin_auth.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct pam_conv_data {
+  MYSQL_PLUGIN_VIO *vio;
+  MYSQL_SERVER_AUTH_INFO *info;
+};
+
+extern MYSQL_PLUGIN auth_pam_plugin_info;
+
+extern PSI_memory_key key_memory_pam_mapping_iter;
+extern PSI_memory_key key_memory_pam_group_iter;
+
+void auth_pam_common_init(const char *psi_category);
+
+/** Define following three functions for your specific client plugin */
+
+int auth_pam_client_talk_init(void **talk_data);
+
+int auth_pam_talk_perform(const struct pam_message *msg,
+                          struct pam_response *resp, struct pam_conv_data *data,
+                          void *talk_data);
+
+void auth_pam_client_talk_finalize(void *talk_data);
+
+int authenticate_user_with_pam_server(MYSQL_PLUGIN_VIO *vio,
+                                      MYSQL_SERVER_AUTH_INFO *info);
+
+int auth_pam_generate_auth_string_hash(char *outbuf, unsigned int *buflen,
+                                       const char *inbuf,
+                                       unsigned int inbuflen);
+
+int auth_pam_validate_auth_string_hash(char *const buf, unsigned int len);
+
+int auth_pam_set_salt(const char *password, unsigned int password_len,
+                      unsigned char *salt, unsigned char *salt_len);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/plugin/percona-pam-for-mysql/src/auth_pam_compat.cc b/plugin/percona-pam-for-mysql/src/auth_pam_compat.cc
new file mode 100644
index 000000000000..c855f5f8f49c
--- /dev/null
+++ b/plugin/percona-pam-for-mysql/src/auth_pam_compat.cc
@@ -0,0 +1,129 @@
+/*
+(C) 2012, 2015 Percona LLC and/or its affiliates
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; version 2 of the License.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
+*/
+
+/**
+ @file
+
+ PAM authentication for MySQL, server-side plugin for the
+ production use.
+
+ Oracle MySQL-compatible plugin.  Acts as a mediator
+ between the MySQL server, the MySQL client, and the PAM backend.
+
+ The server plugin requests authentication from the PAM backend, and reads one
+ phrase from client plugin. mysql_clear_password plugin used as client plugin.
+
+ This plugin does not encrypt the communication channel in any way.  If this is
+ required, a SSL connection should be used.
+
+ To install this plugin, copy the .so file to the plugin directory and do
+
+ INSTALL PLUGIN auth_pam SONAME 'auth_pam_compat.so';
+
+ To use this plugin for one particular user, specify it at user's creation time
+ (TODO: tested with localhost only):
+
+ CREATE USER 'username'@'hostname' IDENTIFIED WITH auth_pam_compat;
+
+ Alternatively UPDATE the mysql.user table to set the plugin value for an
+ existing user.
+
+ Also it is possible to use this plugin to authenticate anonymous users:
+
+ CREATE USER ''@'hostname' IDENTIFIED WITH auth_pam_compat;
+
+*/
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <stdlib.h>
+#include <string.h>
+#include "auth_pam_common.h"
+#include "my_sys.h"
+
+MYSQL_PLUGIN auth_pam_plugin_info;
+
+int auth_pam_client_talk_init(void **talk_data) {
+  int *num_talks = static_cast<int *>(
+      my_malloc(PSI_NOT_INSTRUMENTED, sizeof(int), MY_ZEROFILL));
+  *talk_data = (void *)num_talks;
+  return (num_talks != nullptr) ? PAM_SUCCESS : PAM_BUF_ERR;
+}
+
+void auth_pam_client_talk_finalize(void *talk_data) { my_free(talk_data); }
+
+int auth_pam_talk_perform(const struct pam_message *msg,
+                          struct pam_response *resp, struct pam_conv_data *data,
+                          void *talk_data) {
+  if (msg->msg_style == PAM_PROMPT_ECHO_OFF ||
+      msg->msg_style == PAM_PROMPT_ECHO_ON) {
+    /* mysql_clear_password plugin has support for only single phrase */
+    int *num_talks = (int *)talk_data;
+    if (*num_talks > 1) return PAM_CONV_ERR;
+
+    /* Read the answer */
+    unsigned char *pkt;
+    int pkt_len = data->vio->read_packet(data->vio, &pkt);
+    if (pkt_len < 0) return PAM_CONV_ERR;
+
+    resp->resp = static_cast<char *>(malloc(pkt_len + 1));
+    if (resp->resp == nullptr) return PAM_BUF_ERR;
+
+    strncpy(resp->resp, (char *)pkt, pkt_len);
+    resp->resp[pkt_len] = '\0';
+
+    /**
+      we could only guess whether password was used or not
+      normally we would set PASSWORD_USED_NO_MENTION but
+      because of http://bugs.mysql.com/bug.php?id=72536
+      we set PASSWORD_USED_YES.
+    */
+    data->info->password_used = PASSWORD_USED_YES;
+    ++(*num_talks);
+  }
+
+  return PAM_SUCCESS;
+}
+
+static int auth_pam_compat_init(MYSQL_PLUGIN plugin_info) {
+  auth_pam_common_init("auth_pam_compat");
+  auth_pam_plugin_info = plugin_info;
+  return 0;
+}
+
+static struct st_mysql_auth pam_auth_handler = {
+    MYSQL_AUTHENTICATION_INTERFACE_VERSION,
+    "mysql_clear_password",
+    &authenticate_user_with_pam_server,
+    &auth_pam_generate_auth_string_hash,
+    &auth_pam_validate_auth_string_hash,
+    &auth_pam_set_salt,
+    0UL,
+    nullptr};
+
+mysql_declare_plugin(auth_pam) {
+  MYSQL_AUTHENTICATION_PLUGIN, &pam_auth_handler, "auth_pam_compat",
+      "Percona, Inc.", "PAM authentication plugin", PLUGIN_LICENSE_GPL,
+      auth_pam_compat_init, nullptr, nullptr, 0x0001, nullptr, nullptr, nullptr
+#if MYSQL_PLUGIN_INTERFACE_VERSION >= 0x103
+      ,
+      0
+#endif
+}
+mysql_declare_plugin_end;
diff --git a/plugin/percona-pam-for-mysql/src/dialog.cc b/plugin/percona-pam-for-mysql/src/dialog.cc
new file mode 100644
index 000000000000..e676ab046d19
--- /dev/null
+++ b/plugin/percona-pam-for-mysql/src/dialog.cc
@@ -0,0 +1,327 @@
+/*  Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+
+    This program is free software; you can redistribute it and/or
+    modify it under the terms of the GNU General Public License as
+    published by the Free Software Foundation; version 2 of the
+    License.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
+
+/**
+  @file
+
+  dialog client authentication plugin with examples
+
+  dialog is a general purpose client authentication plugin, it simply
+  asks the user the question, as provided by the server and reports
+  the answer back to the server. No encryption is involved,
+  the answers are sent in clear text.
+
+  Two examples are provided: two_questions server plugin, that asks
+  the password and an "Are you sure?" question with a reply "yes, of course".
+  It demonstrates the usage of "password" (input is hidden) and "ordinary"
+  (input can be echoed) questions, and how to mark the last question,
+  to avoid an extra roundtrip.
+
+  And three_attempts plugin that gives the user three attempts to enter
+  a correct password. It shows the situation when a number of questions
+  is not known in advance.
+*/
+#if defined(WIN32) && !defined(RTLD_DEFAULT)
+#define RTLD_DEFAULT GetModuleHandle(NULL)
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "mysql.h"
+#include "mysql/client_plugin.h"
+#include "mysql/plugin_auth.h"
+
+#ifdef HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+#if !defined(_GNU_SOURCE)
+#define _GNU_SOURCE /* for RTLD_DEFAULT */
+#endif
+
+/**
+  first byte of the question string is the question "type".
+  It can be an "ordinary" or a "password" question.
+  The last bit set marks a last question in the authentication exchange.
+*/
+#define ORDINARY_QUESTION "\2"
+#define LAST_QUESTION "\3"
+#define PASSWORD_QUESTION "\4"
+#define LAST_PASSWORD "\5"
+
+/********************* SERVER SIDE ****************************************/
+
+/**
+  dialog demo with two questions, one password and one, the last, ordinary.
+*/
+static int two_questions(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info) {
+  /* send a password question */
+  if (vio->write_packet(
+          vio,
+          (const unsigned char *)PASSWORD_QUESTION "Password, please:", 18))
+    return CR_ERROR;
+
+  /* read the answer */
+  unsigned char *pkt;
+  int pkt_len = vio->read_packet(vio, &pkt);
+  if (pkt_len < 0) return CR_ERROR;
+
+  info->password_used = PASSWORD_USED_YES;
+
+  /* fail if the password is wrong */
+  if (strcmp((const char *)pkt, info->auth_string)) return CR_ERROR;
+
+  /* send the last, ordinary, question */
+  if (vio->write_packet(
+          vio, (const unsigned char *)LAST_QUESTION "Are you sure ?", 15))
+    return CR_ERROR;
+
+  /* read the answer */
+  if ((pkt_len = vio->read_packet(vio, &pkt)) < 0) return CR_ERROR;
+
+  /* check the reply */
+  return strcmp((const char *)pkt, "yes, of course") ? CR_ERROR : CR_OK;
+}
+
+static struct st_mysql_auth two_handler = {
+    MYSQL_AUTHENTICATION_INTERFACE_VERSION,
+    "dialog", /* requires dialog client plugin */
+    two_questions,
+    nullptr,
+    nullptr,
+    nullptr,
+    0UL,
+    nullptr};
+
+/* dialog demo where the number of questions is not known in advance */
+static int three_attempts(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info) {
+  for (int i = 0; i < 3; i++) {
+    /* send the prompt */
+    if (vio->write_packet(
+            vio,
+            (const unsigned char *)PASSWORD_QUESTION "Password, please:", 18))
+      return CR_ERROR;
+
+    /* read the password */
+    unsigned char *pkt;
+    int pkt_len = vio->read_packet(vio, &pkt);
+    if (pkt_len < 0) return CR_ERROR;
+
+    info->password_used = PASSWORD_USED_YES;
+
+    /*
+      finish, if the password is correct.
+      note, that we did not mark the prompt packet as "last"
+    */
+    if (strcmp((const char *)pkt, info->auth_string) == 0) return CR_OK;
+  }
+
+  return CR_ERROR;
+}
+
+static struct st_mysql_auth three_handler = {
+    MYSQL_AUTHENTICATION_INTERFACE_VERSION,
+    "dialog", /* requires dialog client plugin */
+    three_attempts,
+    nullptr,
+    nullptr,
+    nullptr,
+    0UL,
+    nullptr};
+
+mysql_declare_plugin(dialog){
+    MYSQL_AUTHENTICATION_PLUGIN,
+    &two_handler,
+    "two_questions",
+    "Sergei Golubchik",
+    "Dialog plugin demo 1",
+    PLUGIN_LICENSE_GPL,
+    nullptr,
+    nullptr,
+    nullptr,
+    0x0100,
+    nullptr,
+    nullptr,
+    nullptr,
+    0,
+},
+    {
+        MYSQL_AUTHENTICATION_PLUGIN,
+        &three_handler,
+        "three_attempts",
+        "Sergei Golubchik",
+        "Dialog plugin demo 2",
+        PLUGIN_LICENSE_GPL,
+        nullptr,
+        nullptr,
+        nullptr,
+        0x0100,
+        nullptr,
+        nullptr,
+        nullptr,
+        0,
+    } mysql_declare_plugin_end;
+
+/********************* CLIENT SIDE ***************************************/
+/*
+  This plugin performs a dialog with the user, asking questions and
+  reading answers. Depending on the client it may be desirable to do it
+  using GUI, or console, with or without curses, or read answers
+  from a smartcard, for example.
+
+  To support all this variety, the dialog plugin has a callback function
+  "authentication_dialog_ask". If the client has a function of this name
+  dialog plugin will use it for communication with the user. Otherwise
+  a default fgets() based implementation will be used.
+*/
+
+/**
+  type of the mysql_authentication_dialog_ask function
+
+  @param mysql          mysql
+  @param type           type of the input
+                        1 - ordinary string input
+                        2 - password string
+  @param prompt         prompt
+  @param buf            a buffer to store the use input
+  @param buf_len        the length of the buffer
+
+  @retval               a pointer to the user input string.
+                        It may be equal to 'buf' or to 'mysql->password'.
+                        In all other cases it is assumed to be an allocated
+                        string, and the "dialog" plugin will free() it.
+*/
+typedef char *(*mysql_authentication_dialog_ask_t)(MYSQL *mysql, int type,
+                                                   const char *prompt,
+                                                   char *buf, int buf_len);
+
+static mysql_authentication_dialog_ask_t ask;
+
+static char *builtin_ask(MYSQL *mysql [[maybe_unused]],
+                         int type [[maybe_unused]], const char *prompt,
+                         char *buf, int buf_len) {
+  if (type == 2) /* password */
+  {
+    char *const password = get_tty_password(prompt);
+    strncpy(buf, password, buf_len - 1);
+    buf[buf_len - 1] = 0;
+    free(password);
+  } else {
+    if (!fgets(buf, buf_len - 1, stdin))
+      buf[0] = 0;
+    else {
+      const int len = strlen(buf);
+      if (len && buf[len - 1] == '\n') buf[len - 1] = 0;
+    }
+  }
+
+  return buf;
+}
+
+/**
+  The main function of the dialog plugin.
+
+  Read the prompt, ask the question, send the reply, repeat until
+  the server is satisfied.
+
+  @note
+   1. this plugin shows how a client authentication plugin
+      may read a MySQL protocol OK packet internally - which is important
+      where a number of packets is not known in advance.
+   2. the first byte of the prompt is special. it is not
+      shown to the user, but signals whether it is the last question
+      (prompt[0] & 1 == 1) or not last (prompt[0] & 1 == 0),
+      and whether the input is a password (not echoed).
+   3. the prompt is expected to be sent zero-terminated
+*/
+static int perform_dialog(MYSQL_PLUGIN_VIO *vio, MYSQL *mysql) {
+  unsigned char cmd = 0;
+  char reply_buf[1024];
+  bool first = true;
+
+  do {
+    /* read the prompt */
+    unsigned char *pkt;
+    int pkt_len = vio->read_packet(vio, &pkt);
+    if (pkt_len < 0) return CR_ERROR;
+
+    char *reply;
+    if (pkt == nullptr && first) {
+      /*
+        in mysql_change_user() the client sends the first packet, so
+        the first vio->read_packet() does nothing (pkt == 0).
+
+        We send the "password", assuming the client knows what it's doing.
+        (in other words, the dialog plugin should be only set as a default
+        authentication plugin on the client if the first question
+        asks for a password - which will be sent in clear text, by the way)
+      */
+      reply = mysql->passwd;
+    } else {
+      cmd = *pkt++;
+
+      /* is it MySQL protocol packet ? */
+      if (cmd == 0 || cmd == 254)
+        return CR_OK_HANDSHAKE_COMPLETE; /* yes. we're done */
+
+      /*
+        asking for a password in the first packet mean mysql->password, if it's
+        set otherwise we ask the user and read the reply
+      */
+      if ((cmd >> 1) == 2 && first && mysql->passwd[0])
+        reply = mysql->passwd;
+      else
+        reply = ask(mysql, cmd >> 1, (const char *)pkt, reply_buf,
+                    sizeof(reply_buf));
+      if (!reply) return CR_ERROR;
+    }
+    /* send the reply to the server */
+    const int res =
+        vio->write_packet(vio, (const unsigned char *)reply, strlen(reply) + 1);
+
+    if (reply != mysql->passwd && reply != reply_buf) free(reply);
+
+    if (res) return CR_ERROR;
+
+    /* repeat unless it was the last question */
+    first = false;
+  } while ((cmd & 1) != 1);
+
+  /* the job of reading the ok/error packet is left to the server */
+  return CR_OK;
+}
+
+/**
+  initialization function of the dialog plugin
+
+  Pick up the client's authentication_dialog_ask() function, if exists,
+  or fall back to the default implementation.
+*/
+
+static int init_dialog(char *unused1 [[maybe_unused]],
+                       size_t unused2 [[maybe_unused]],
+                       int unused3 [[maybe_unused]],
+                       va_list unused4 [[maybe_unused]]) {
+  void *sym = dlsym(RTLD_DEFAULT, "mysql_authentication_dialog_ask");
+  ask = sym ? (mysql_authentication_dialog_ask_t)sym : builtin_ask;
+  return 0;
+}
+
+mysql_declare_client_plugin(AUTHENTICATION) "dialog", "Sergei Golubchik",
+    "Dialog Client Authentication Plugin", {0, 1, 0}, "GPL",
+    nullptr, init_dialog, nullptr, nullptr, nullptr, perform_dialog,
+    nullptr, mysql_end_client_plugin;
diff --git a/plugin/percona-pam-for-mysql/src/groups.cc b/plugin/percona-pam-for-mysql/src/groups.cc
new file mode 100644
index 000000000000..27b9f1f8114d
--- /dev/null
+++ b/plugin/percona-pam-for-mysql/src/groups.cc
@@ -0,0 +1,146 @@
+/*
+(C) 2013, 2016 Percona LLC and/or its affiliates
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; version 2 of the License.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
+*/
+
+#include <errno.h>
+#include <grp.h>
+#include <pwd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "auth_pam_common.h"
+
+#include "my_sys.h"
+
+static int gr_buf_size = 0;
+
+#ifdef __APPLE__
+using my_gid_t = int;
+#else
+using my_gid_t = gid_t;
+#endif
+
+/** Groups iterator. It's not exposed outsude */
+struct groups_iter {
+  char *buf;
+  my_gid_t *groups;
+  int current_group;
+  int ngroups;
+  int buf_size;
+};
+
+/** Create iterator through user groups.
+    Initially iterator set to position before first
+    group. On success non-NULL pointer returned, otherwise NULL */
+struct groups_iter *groups_iter_new(const char *user_name) {
+  if (gr_buf_size <= 0) {
+    long gr_size_max, pw_size_max;
+    gr_size_max = sysconf(_SC_GETGR_R_SIZE_MAX);
+    pw_size_max = sysconf(_SC_GETPW_R_SIZE_MAX);
+    gr_buf_size = gr_size_max > pw_size_max ? gr_size_max : pw_size_max;
+  }
+
+  struct groups_iter *const it = (struct groups_iter *)my_malloc(
+      key_memory_pam_group_iter, sizeof(struct groups_iter),
+      MYF(MY_FAE | MY_ZEROFILL));
+
+  it->buf_size = gr_buf_size;
+  if (it->buf_size <= 0) it->buf_size = 1024;
+
+  it->buf =
+      (char *)my_malloc(key_memory_pam_group_iter, it->buf_size, MYF(MY_FAE));
+
+  struct passwd pwd, *pwd_result;
+  int error;
+  while ((error = getpwnam_r(user_name, &pwd, it->buf, it->buf_size,
+                             &pwd_result)) == ERANGE) {
+    it->buf_size = it->buf_size * 2;
+    it->buf = (char *)my_realloc(key_memory_pam_group_iter, it->buf,
+                                 it->buf_size, MYF(MY_FAE));
+  }
+  if (error != 0 || pwd_result == nullptr) {
+    my_plugin_log_message(&auth_pam_plugin_info, MY_ERROR_LEVEL,
+                          "Unable to obtain the passwd entry for the user "
+                          "'%s'.",
+                          user_name);
+    my_free(it->buf);
+    my_free(it);
+    return nullptr;
+  }
+
+  gr_buf_size = it->buf_size;
+
+  it->ngroups = 1024;
+  it->groups = static_cast<my_gid_t *>(my_malloc(
+      key_memory_pam_group_iter, it->ngroups * sizeof(gid_t), MYF(MY_FAE)));
+  error = getgrouplist(user_name, pwd_result->pw_gid, it->groups, &it->ngroups);
+  if (error == -1) {
+    it->groups = static_cast<my_gid_t *>(
+        my_realloc(key_memory_pam_group_iter, it->groups,
+                   it->ngroups * sizeof(gid_t), MYF(MY_FAE)));
+    error =
+        getgrouplist(user_name, pwd_result->pw_gid, it->groups, &it->ngroups);
+    if (error == -1) {
+      my_plugin_log_message(&auth_pam_plugin_info, MY_ERROR_LEVEL,
+                            "Unable to obtain the group access list for "
+                            "the user '%s'.",
+                            user_name);
+      my_free(it->buf);
+      my_free(it->groups);
+      my_free(it);
+      return nullptr;
+    }
+  }
+
+  return it;
+}
+
+/** Move iterator to next group.
+    On success group name is returned,
+    otherwise NULL */
+const char *groups_iter_next(struct groups_iter *it) {
+  if (it->current_group >= it->ngroups) return nullptr;
+
+  int error;
+  struct group grp, *grp_result;
+  while ((error = getgrgid_r(it->groups[it->current_group], &grp, it->buf,
+                             it->buf_size, &grp_result)) == ERANGE) {
+    it->buf_size = it->buf_size * 2;
+    it->buf = (char *)my_realloc(key_memory_pam_group_iter, it->buf,
+                                 it->buf_size, MYF(MY_FAE));
+  }
+  if (error != 0 || grp_result == nullptr) {
+    my_plugin_log_message(&auth_pam_plugin_info, MY_ERROR_LEVEL,
+                          "Unable to obtain the group record for the group "
+                          "id %d.",
+                          (int)it->groups[it->current_group]);
+    return nullptr;
+  }
+  ++it->current_group;
+
+  return grp_result->gr_name;
+}
+
+/** Make iterator to point to the beginning again */
+void groups_iter_reset(struct groups_iter *it) { it->current_group = 0; }
+
+/** Finish iteration and release iterator */
+void groups_iter_free(struct groups_iter *it) {
+  my_free(it->buf);
+  my_free(it->groups);
+  my_free(it);
+}
diff --git a/plugin/percona-pam-for-mysql/src/groups.h b/plugin/percona-pam-for-mysql/src/groups.h
new file mode 100644
index 000000000000..30b937468aeb
--- /dev/null
+++ b/plugin/percona-pam-for-mysql/src/groups.h
@@ -0,0 +1,45 @@
+#ifndef AUTH_PAM_GROUPS_INCLUDED
+#define AUTH_PAM_GROUPS_INCLUDED
+/*
+  (C) 2013 Percona LLC and/or its affiliates
+
+  This program is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published by
+  the Free Software Foundation; version 2 of the License.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU General Public License for more details.
+
+  You should have received a copy of the GNU General Public License
+  along with this program; if not, write to the Free Software
+  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
+*/
+
+/**
+ @file
+
+ PAM authentication for MySQL, interface for groups enumeration.
+
+*/
+
+struct groups_iter;
+
+/** Create iterator through user groups.
+    Initially iterator set to position before first
+    group. On success non-NULL pointer returned, otherwise NULL */
+struct groups_iter *groups_iter_new(const char *user_name);
+
+/** Move iterator to next group.
+    On success group name is returned,
+    otherwise NULL */
+const char *groups_iter_next(struct groups_iter *it);
+
+/** Make iterator to point to beginning again */
+void groups_iter_reset(struct groups_iter *it);
+
+/** Finish iteration and release iterator */
+void groups_iter_free(struct groups_iter *it);
+
+#endif
diff --git a/plugin/percona-pam-for-mysql/src/lib_auth_pam_client.c b/plugin/percona-pam-for-mysql/src/lib_auth_pam_client.c
new file mode 100644
index 000000000000..caed7563391a
--- /dev/null
+++ b/plugin/percona-pam-for-mysql/src/lib_auth_pam_client.c
@@ -0,0 +1,72 @@
+/*
+  (C) 2011 Percona Inc.
+
+  This program is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published by
+  the Free Software Foundation; version 2 of the License.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU General Public License for more details.
+
+  You should have received a copy of the GNU General Public License
+  along with this program; if not, write to the Free Software
+  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
+*/
+
+/**
+ @file
+
+ PAM authentication for MySQL, common code for client-side plugins.
+
+ For the general description, see the top comment in auth_pam.c.
+*/
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "lib_auth_pam_client.h"
+
+#include <assert.h>
+#include <string.h>
+
+#define MY_ASSERT_UNREACHABLE() assert(0)
+
+int authenticate_user_with_pam_client_common(
+    MYSQL_PLUGIN_VIO *vio, struct st_mysql *mysql __attribute__((unused)),
+    prompt_fn echoless_prompt_fn, prompt_fn echo_prompt_fn,
+    info_fn show_error_fn, info_fn show_info_fn) {
+  do {
+    char *buf;
+    int pkt_len;
+
+    if ((pkt_len = vio->read_packet(vio, (unsigned char **)&buf)) < 0)
+      return CR_ERROR;
+
+    /* The first byte is the message type, followed by the message itself.  */
+
+    if (buf[0] == '\2' || buf[0] == '\3') {
+      /* '\2' - PAM_PROMPT_ECHO_OFF, '\3' - PAM_PROMPT_ECHO_ON */
+      char *reply = (buf[0] == '\2') ? echoless_prompt_fn(&buf[1])
+                                     : echo_prompt_fn(&buf[1]);
+      if (!reply) return CR_ERROR;
+      if (vio->write_packet(vio, (unsigned char *)reply, strlen(reply) + 1)) {
+        free(reply);
+        return CR_ERROR;
+      }
+      free(reply);
+    } else if (buf[0] == '\4') /* PAM_ERROR_MSG */
+      show_error_fn(&buf[1]);
+    else if (buf[0] == '\5') /* PAM_TEXT_INFO */
+      show_info_fn(&buf[1]);
+    else if (buf[0] == '\0') /* end-of-authorization */
+      return CR_OK;
+    else
+      return CR_ERROR; /* Unknown! */
+  } while (1);
+
+  /* Should not come here */
+  MY_ASSERT_UNREACHABLE();
+  return CR_ERROR;
+}
diff --git a/plugin/percona-pam-for-mysql/src/lib_auth_pam_client.h b/plugin/percona-pam-for-mysql/src/lib_auth_pam_client.h
new file mode 100644
index 000000000000..6aa1c7b27a41
--- /dev/null
+++ b/plugin/percona-pam-for-mysql/src/lib_auth_pam_client.h
@@ -0,0 +1,77 @@
+#ifndef LIB_AUTH_PAM_CLIENT_INCLUDED
+#define LIB_AUTH_PAM_CLIENT_INCLUDED
+/*
+  (C) 2011 Percona Inc.
+
+  This program is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published by
+  the Free Software Foundation; version 2 of the License.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU General Public License for more details.
+
+  You should have received a copy of the GNU General Public License
+  along with this program; if not, write to the Free Software
+  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
+*/
+
+/**
+ @file
+
+ PAM authentication for MySQL, common definitions for client-side plugins.
+
+ For the general description, see the top comment in auth_pam.c.
+*/
+
+#define STDCALL
+
+#include "mysql/client_plugin.h"
+
+/**
+ Callback type for functions that prompt the user for (echoed or silent) input
+ and return it.  Should returns a pointer to malloc-allocated string, the
+ caller is responsible for freeing it.  Should return NULL in the case of a
+ memory allocation or I/O error. */
+typedef char *(*prompt_fn)(const char *);
+
+/**
+ Callback type for functions that show user some info (error or notification).
+*/
+typedef void (*info_fn)(const char *);
+
+struct st_mysql;
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ Client-side PAM auth plugin implementation.
+
+ Communicates with the server-side plugin and does user interaction using the
+ provided callbacks.
+
+ @param vio TODO
+ @param mysql TODO
+ @param echoless_prompt_fn callback to use to prompt the user for non-echoed
+                           input (e.g. password)
+ @param echo_prompt_fn callback to use to prompt the user for echoed input
+                       (e.g. user name)
+ @param show_error_fn callback to use to show the user an error message
+ @param show_info_fn callback to use to show the user an informational message
+
+ @return Authentication conversation status
+   @retval CR_OK the authentication dialog is completed successfully
+   @retval CR_ERROR the authentication dialog is aborted due to error
+*/
+int authenticate_user_with_pam_client_common(
+    MYSQL_PLUGIN_VIO *vio, struct st_mysql *mysql, prompt_fn echoless_prompt_fn,
+    prompt_fn echo_prompt_fn, info_fn show_error_fn, info_fn show_info_fn);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/plugin/percona-pam-for-mysql/src/test_auth_pam_client.c b/plugin/percona-pam-for-mysql/src/test_auth_pam_client.c
new file mode 100644
index 000000000000..875068e30eb7
--- /dev/null
+++ b/plugin/percona-pam-for-mysql/src/test_auth_pam_client.c
@@ -0,0 +1,69 @@
+/*
+  (C) 2011 Percona Inc.
+
+  This program is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published by
+  the Free Software Foundation; version 2 of the License.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU General Public License for more details.
+
+  You should have received a copy of the GNU General Public License
+  along with this program; if not, write to the Free Software
+  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
+*/
+
+/**
+ @file
+
+ PAM authentication for MySQL, the test version of the client-side plugin.
+*/
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <string.h>
+
+#define STDCALL
+
+#include "mysql/client_plugin.h"
+#include "mysql/plugin_auth.h"
+
+#include "lib_auth_pam_client.h"
+
+const char *echo_off_reply_1 = "aaaaaaa";
+const char *echo_off_reply_2 = "AAAAAAA";
+
+const char *echo_on_reply_1 = "bbbbbbbbbb";
+const char *echo_on_reply_2 = "BBBBBBBBBB";
+
+/* Returns alternating echo_off_reply_1 and echo_off_reply_2 */
+static char *test_prompt_echo_off(const char *prompt __attribute__((unused))) {
+  static unsigned call_no = 0;
+  return strdup((call_no++ % 2) == 0 ? echo_off_reply_1 : echo_off_reply_2);
+}
+
+/* Returns alternating echo_on_reply_1 and echo_on_reply_2 */
+static char *test_prompt_echo_on(const char *prompt __attribute__((unused))) {
+  static unsigned call_no = 0;
+  return strdup((call_no++ % 2) == 0 ? echo_on_reply_1 : echo_on_reply_2);
+}
+
+/* Pretend we have shown the message to the user */
+static void test_show_anything(const char *message __attribute__((unused))) {}
+
+static int test_pam_auth_client(MYSQL_PLUGIN_VIO *vio, struct st_mysql *mysql) {
+  return authenticate_user_with_pam_client_common(
+      vio, mysql, &test_prompt_echo_off, &test_prompt_echo_on,
+      &test_show_anything, &test_show_anything);
+}
+
+mysql_declare_client_plugin(AUTHENTICATION) "auth_pam_test", "Percona, Inc.",
+    "Test version of the client PAM authentication plugin. "
+    "DO NOT USE IN PRODUCTION.",
+    {0, 1, 0}, "GPL", NULL, NULL, /* init */
+    NULL,                         /* deinit */
+    NULL,                         /* options */
+    &test_pam_auth_client mysql_end_client_plugin;
diff --git a/plugin/percona-pam-for-mysql/test/dbqp/percona_tests/percona_pam/pam_mapping_test.py b/plugin/percona-pam-for-mysql/test/dbqp/percona_tests/percona_pam/pam_mapping_test.py
new file mode 100755
index 000000000000..03f84afe5209
--- /dev/null
+++ b/plugin/percona-pam-for-mysql/test/dbqp/percona_tests/percona_pam/pam_mapping_test.py
@@ -0,0 +1,118 @@
+#! /usr/bin/env python
+# -*- mode: python; indent-tabs-mode: nil; -*-
+# vim:expandtab:shiftwidth=2:tabstop=2:smarttab:
+#
+# Copyright (C) 2013 Percona LLC and/or its affiliates
+#
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+
+import os
+import time
+import shutil
+import signal
+import subprocess
+import re
+import grp
+
+from lib.util.mysqlBaseTestCase import mysqlBaseTestCase
+from lib.util.mysql_methods import execute_cmd
+
+
+server_requirements = [[]]
+servers = []
+server_manager = None
+test_executor = None
+pamcfg = '/etc/pam.d/mysqld'
+
+def group_exists(groupname):
+    try:
+        grp.getgrnam(groupname)[0]
+    except KeyError:
+        return False
+    return True
+
+class basicTest(mysqlBaseTestCase):
+
+    def test_pam_basic(self):
+        percent_string = '%'
+        opt_matrix_req = ['pam_plugin_dir']
+        self.servers = servers
+        logging = test_executor.logging
+        master_server = servers[0]
+        output_path = os.path.join(master_server.vardir, 'pam.out')
+        test_executor.matrix_manager.matrix_check_req(opt_matrix_req)
+        # This is a master
+        if test_executor.matrix_manager.option_matrix['pam_user']:
+          pam_user = test_executor.matrix_manager.option_matrix['pam_user']
+        else:
+          pam_user = 'pamuser'
+
+        groups = ['grp%d' % (n) for n in xrange(3)]
+        users = ['user1%d' % (n) for n in xrange(3)]
+
+        for grp in groups:
+            if not group_exists(grp):
+                subprocess.call(["groupadd", grp])
+
+        # Create UNIX system account
+        if not test_executor.system_manager.user_exists(pam_user):
+            subprocess.call(["useradd", pam_user, "-g", groups[0], "-G", ",".join(groups[1:]) ])
+        else:
+            subprocess.call(["usermod", "-g", groups[0], "-G", ",".join(groups[1:]), pam_user ])
+
+        # Create PAM config
+        if (os.path.isfile(pamcfg)):
+            os.remove(pamcfg)
+
+        pamcfg_fh = open("/etc/pam.d/mysqld", "wb")
+        pamcfg_fh.write("auth\trequired\tpam_permit.so\n")
+        pamcfg_fh.write("account\trequired\tpam_permit.so\n")
+        pamcfg_fh.close();
+
+        master_server.stop()
+
+        # setup plugin, users, privileges
+        groups.reverse()
+        groups = [ "grp21", "grp22" ] + groups
+        users = [ "usr21", "usr22" ] + users
+        queries = [ "INSTALL PLUGIN auth_pam SONAME 'auth_pam.so';" ] + \
+                  [ "CREATE USER '%s'@'localhost';" % (user) for user in users ] + \
+                  [ "CREATE USER ''@'' IDENTIFIED WITH auth_pam AS 'mysqld, %s';" \
+                    % ( ",".join([ user + "=" + group for user, group in zip(groups, users) ] ) ) ] + \
+                  [ "GRANT PROXY ON '%s'@'localhost' TO ''@'';" % (user) for user in users ] + \
+                  [ "SELECT user, host, authentication_string FROM mysql.user;", \
+                    "FLUSH PRIVILEGES;", "SHOW VARIABLES LIKE 'plugin%'" ]
+
+        master_server.server_options.append('--plugin-dir=%s' %(test_executor.matrix_manager.option_matrix['pam_plugin_dir']))
+
+        master_server.start()
+        self.assertEqual( master_server.status, 1, msg = 'Server failed to restart')
+
+        cmd = "%s --protocol=tcp --port=%d -uroot -e \"%s\"" %(master_server.mysql_client
+              , master_server.master_port
+              , "\n".join(queries) )
+        retcode, output = execute_cmd(cmd, output_path, None, True)
+
+        query = "SELECT CONCAT(USER(), CURRENT_USER(), @@PROXY_USER) as res;"
+        expected_result = "res%s@localhostuser10@localhost''@''" % (pam_user)
+        cmd = "%s --plugin-dir=/usr/lib/mysql/plugin/ --protocol=tcp --port=%d --user=%s --password=\'\' -e \"%s\" test" %(master_server.mysql_client
+              , master_server.master_port
+              , pam_user
+              , query )
+        retcode, output = execute_cmd(cmd, output_path, None, True)
+        output = re.sub(r'\s+', '', output)
+        self.assertEqual(retcode, 0, msg = output)
+        self.assertEqual(output, expected_result, msg = "%s || %s" %(output, expected_result))
diff --git a/plugin/semisync/semisync_replica.cc b/plugin/semisync/semisync_replica.cc
index 2c4ea3dcbb0a..6f449194e1fd 100644
--- a/plugin/semisync/semisync_replica.cc
+++ b/plugin/semisync/semisync_replica.cc
@@ -112,7 +112,7 @@ int ReplSemiSyncSlave::slaveReply(MYSQL *mysql, const char *binlog_filename,
   function_enter(kWho);
 
   DBUG_EXECUTE_IF("rpl_semisync_before_send_ack", {
-    const char act[] = "now SIGNAL sending_ack WAIT_FOR continue";
+    const char act[] = "now WAIT_FOR continue";
     assert(opt_debug_sync_timeout > 0);
     assert(!debug_sync_set_action(current_thd, STRING_WITH_LEN(act)));
   };);