if !regexp.MustCompile("SELECT .* FROM .users. left join pets.*join accounts.*").MatchString(stmt.SQL.String()) {

### Lookup-Bind

A low-privilege read-only LDAP service account is configured in the MinIO server by providing the account's Distinguished Name (DN) and password. This service account is used to perform directory lookups as needed.

```
MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN*          (string)    DN for LDAP read-only service account used to perform DN and group lookups

		t.Errorf("should update two records, but got %v", rowsAffected)
	}

	var results []User

	// account or STS account):
	requestorUser := cred.AccessKey
	requestorParentUser := cred.AccessKey
	requestorGroups := cred.Groups
	requestorIsDerivedCredential := false
	if cred.IsServiceAccount() || cred.IsTemp() {
		requestorParentUser = cred.ParentUser
		requestorIsDerivedCredential = true
	}

	// Check if we are creating svc account for request sender.

        if (username != null) {
            AccountAttempts account = accountAttempts.computeIfAbsent(username, k -> new AccountAttempts());
            account.recordFailure();

            if (account.getFailedAttempts() >= maxAttemptsPerAccount) {
                account.lockOut(lockoutDuration);
                totalAccountsLocked.incrementAndGet();

			stsPolicyMappingsCount++
			// If a service account's parent user is not in iamUsersMap, the
			// parent is an STS account. Such accounts may have a policy mapped
			// on the parent user, so we load them. This is not needed for the
			// initial server startup, however, it is needed for the case where
			// the STS account's policy mapping (for example in LDAP mode) may

	}

	var users2 []User
	DB.Preload("Account", clause.Eq{Column: "number", Value: users[0].Account.Number}).Find(&users2, "id IN ?", userIDs)
	sort.Slice(users2, func(i, j int) bool {
		return users2[i].ID < users2[j].ID
	})

	for idx, user := range users2[1:2] {
		if user.Account.Number != "" {
			t.Errorf("No account should found for user %v but got %v", idx+2, user.Account.Number)
		}
	}

		// Service accounts ops
		adminRouter.Methods(http.MethodPut).Path(adminVersion + "/add-service-account").HandlerFunc(adminMiddleware(adminAPI.AddServiceAccount))
		adminRouter.Methods(http.MethodPost).Path(adminVersion+"/update-service-account").HandlerFunc(adminMiddleware(adminAPI.UpdateServiceAccount)).Queries("accessKey", "{accessKey:.*}")

		AccessKey: DefaultAccessKey,
		SecretKey: DefaultSecretKey,
	}
)

// claim key found in credentials which are service accounts
const iamPolicyClaimNameSA = "sa-policy"

const (
	// AccountOn indicates that credentials are enabled
	AccountOn = "on"
	// AccountOff indicates that credentials are disabled
	AccountOff = "off"
)

// Credentials holds access and secret keys.

- `svcaccts[].accessKey` - accessKey of service account
- `svcaccts[].secretKey` - secretKey of svcacctsecretRef
- `svcaccts[].existingSecret` - secret name that contains the secretKey of service account
- `svcaccts[].existingSecretKey` - data key in existingSecret secret containing the secretKey
- `svcaccts[].user` - name of the parent user to assign to service account

## Uninstalling the Chart