}
			}
			writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
			return
		}
		targetUser = lookupResult.NormDN
		opts.claims[ldapUser] = targetUser // DN
		opts.claims[ldapActualUser] = lookupResult.ActualDN

		// Check if this user or their groups have a policy applied.
		ldapPolicies, err := globalIAMSys.PolicyDBGet(targetUser, targetGroups...)
		if err != nil {

	issClaim = "iss"

	// JWT claim to check the parent user
	parentClaim = "parent"

	// LDAP claim keys
	ldapUser       = "ldapUser"       // this is a key name for a normalized DN value
	ldapActualUser = "ldapActualUser" // this is a key name for the actual DN value
	ldapUserN      = "ldapUsername"   // this is a key name for the short/login username
	// Claim key-prefix for LDAP attributes
	ldapAttribPrefix = "ldapAttrib_"

			if err != nil {
				return nil, err
			}
			claims := make(map[string]any)
			claims[expClaim] = UTCNow().Add(expiryDur).Unix()

			claims[ldapUser] = lookupResult.NormDN
			claims[ldapActualUser] = lookupResult.ActualDN
			claims[ldapUserN] = ctx.Sess.LoginUser()

			// Add LDAP attributes that were looked up into the claims.
			for attribKey, attribValue := range lookupResult.Attributes {

			}
			if err != nil {
				// skip this cred - session token seems invalid
				continue
			}

			ldapUsername, okUserN := jwtClaims.Lookup(ldapUserN)
			ldapActualDN, okDN := jwtClaims.Lookup(ldapActualUser)
			if !okUserN || !okDN {
				// skip this cred - we dont have the
				// username info needed
				continue
			}

			// Collect each new cred.ParentUser into parentUsers

			continue
		}

		subClaimValue := cred.ParentUser
		if v, ok := claims.Lookup(subClaim); ok {
			subClaimValue = v
		}
		if v, ok := claims.Lookup(ldapActualUser); ok {
			subClaimValue = v
		}

		roleArn := openid.DummyRoleARN.String()
		s, ok := claims.Lookup(roleArnClaim)
		if ok {
			roleArn = s
		}
		v, ok := res[cred.ParentUser]