t.Fatalf("CreateInBatches failed: %v", err)
	}

	userIds := []uuid.UUID{}
	if err := gorm.G[User](DB).Select("name").Where("id in ?", []uint{users[0].ID, users[1].ID, users[2].ID}).Order("age").Scan(ctx, &userIds); err != nil || len(users) != 3 {
		t.Fatalf("Scan failed: %v, userids %v", err, userIds)
	}

	if s3Err != ErrNone {
		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
		return
	}

	users := r.Form["users"]
	isAll := r.Form.Get("all") == "true"
	selfOnly := !isAll && len(users) == 0

	if isAll && len(users) > 0 {
		// This should be checked on client side, so return generic error
		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL)

				if err != nil {
					return err
				}
				c.mustNotListObjects(ctx, uClient, bucket)
				return nil
			}
		}(i), i)
	}
	if errs := g.Wait(); len(errs) > 0 {
		c.Fatalf("unable to remove users: %v", errs)
	}

**Please note that when AD/LDAP is configured, MinIO will not support long term users defined internally.** Only AD/LDAP users (and the root user) are allowed. In addition to this, the server will not support operations on users or groups using `mc admin user` or `mc admin group` commands except `mc admin user info` and `mc admin group info` to list set policies for users and groups. This is because users and groups are defined externally in AD/LDAP.

<img src="/img/tutorial/security/image05.png">

### Get your own user data { #get-your-own-user-data }

Now use the operation `GET` with the path `/users/me`.

You will get your user's data, like:

```JSON
{
  "username": "johndoe",
  "email": "******@****.***",
  "full_name": "John Doe",
  "disabled": false,
  "hashed_password": "fakehashedsecret"
}
```

### Why use password hashing { #why-use-password-hashing }

If your database is stolen, the thief won't have your users' plaintext passwords, only the hashes.

So, the thief won't be able to try to use that password in another system (as many users use the same password everywhere, this would be dangerous).

## Install `passlib` { #install-passlib }

					return true
				}
			}
			if pset.Contains(policy) {
				users = append(users, u)
			}
			return true
		})
		cache.iamGroupPolicyMap.Range(func(g string, mp MappedPolicy) bool {
			pset := mp.policySet()
			if pset.Contains(policy) {
				groups = append(groups, g)
			}
			return true
		})
		if len(users) != 0 || len(groups) != 0 {
			return errPolicyInUse
		}

So, let's review it from that simplified point of view:

* The user types the `username` and `password` in the frontend, and hits `Enter`.
* The frontend (running in the user's browser) sends that `username` and `password` to a specific URL in our API (declared with `tokenUrl="token"`).
* The API checks that `username` and `password`, and responds with a "token" (we haven't implemented any of this yet).

	return u, nil
}

func (iamOS *IAMObjectStore) loadUserConcurrent(ctx context.Context, userType IAMUserType, users ...string) ([]UserIdentity, error) {
	userIdentities := make([]UserIdentity, len(users))
	g := errgroup.WithNErrs(len(users))

	for index := range users {
		g.Go(func() error {
			userName := path.Dir(users[index])
			user, err := iamOS.loadUserIdentity(ctx, userName, userType)

		return
	}

	dnList := r.Form["userDNs"]
	isAll := r.Form.Get("all") == "true"
	selfOnly := !isAll && len(dnList) == 0

	if isAll && len(dnList) > 0 {
		// This should be checked on client side, so return generic error
		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL)
		return
	}

	// Empty DN list and not self, list access keys for all users
	if isAll {