```

To associate the policy with an LDAP user or group, use the full DN of the user or group:

```sh
mc idp ldap policy attach myminio mypolicy --user='uid=james,cn=accounts,dc=myldapserver,dc=com'
```

```sh
mc idp ldap policy attach myminio mypolicy ----group='cn=projectx,ou=groups,ou=hwengg,dc=min,dc=io'
```

To remove a policy association, use the similar `detach` command:

```sh

	}

	// 4. Verify the policy appears in listing
	ps, err := s.adm.ListCannedPolicies(ctx)
	if err != nil {
		c.Fatalf("policy list err: %v", err)
	}
	_, ok := ps[policy]
	if !ok {
		c.Fatalf("policy was missing!")
	}

	// 5. Check that policy cannot be deleted when attached to a user.
	err = s.adm.RemoveCannedPolicy(ctx, policy)
	if err == nil {

		c.Fatalf("Unable to detach user policy: %v", err)
	}

	_, err = ldapID.Retrieve()
	if err == nil {
		c.Fatalf("Expected to fail to create a user with no associated policy!")
	}

	// Set policy via group and validate policy assignment.
	groupDN := "cn=projectb,ou=groups,ou=swengg,dc=min,dc=io"
	groupReq := madmin.PolicyAssociationReq{
		Policies: []string{policy},
		Group:    groupDN,
	}

	defer cancel()

	bucket := getRandomBucketName()
	err := s.client.MakeBucket(ctx, bucket, minio.MakeBucketOptions{})
	if err != nil {
		c.Fatalf("bucket creat error: %v", err)
	}

	// Create a policy policy
	policy := "mypolicy"
	policyBytes := fmt.Appendf(nil, `{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Effect": "Allow",
   "Action": [
    "s3:PutObject",
    "s3:GetObject",
    "s3:ListBucket"
   ],

	ctx, cancel := context.WithTimeout(context.Background(), testDefaultTimeout)
	defer cancel()

	// we need to do this so that the user has a policy before authentication.
	// ldap user accounts without policies are denied access in sftp.
	policy := "mypolicy"
	policyBytes := []byte(`{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Effect": "Allow",
   "Action": [
    "s3:PutObject",

myminio else echo "User '$USER' already exists." fi #clean up credentials files. rm -f $MINIO_ACCESSKEY_SECRETKEY_TMP # set policy for user if [ ! -z $POLICY -a $POLICY != " " ] ; then echo "Adding policy '$POLICY' for '$USER'" set +e ; # policy already attach errors out, allow it. ${MC} admin policy attach myminio $POLICY --user=$USER set -e else echo "User '$USER' has no policy attached." fi } # Try connecting to MinIO instance {{- if .Values.tls.enabled }} scheme=https {{- else }} scheme=http {{-...

myminio else echo "User '$USER' already exists." fi #clean up credentials files. rm -f $MINIO_ACCESSKEY_SECRETKEY_TMP # set policy for user if [ ! -z $POLICY -a $POLICY != " " ] ; then echo "Adding policy '$POLICY' for '$USER'" set +e ; # policy already attach errors out, allow it. ${MC} admin policy attach myminio $POLICY --user=$USER set -e else echo "User '$USER' has no policy attached." fi } # Try connecting to MinIO instance {{- if .Values.tls.enabled }} scheme=https {{- else }} scheme=http {{-...

	return args
}

// PolicyToBucketAccessPolicy converts a MinIO policy into a minio-go policy data structure.
func PolicyToBucketAccessPolicy(bucketPolicy *policy.BucketPolicy) (*miniogopolicy.BucketAccessPolicy, error) {
	// Return empty BucketAccessPolicy for empty bucket policy.
	if bucketPolicy == nil {
		return &miniogopolicy.BucketAccessPolicy{Version: policy.DefaultVersion}, nil
	}

	data, err := json.Marshal(bucketPolicy)

	"github.com/minio/mux"
	"github.com/minio/pkg/v3/policy"
)

const (
	// As per AWS S3 specification, 20KiB policy JSON data is allowed.
	maxBucketPolicySize = 20 * humanize.KiByte

	// Policy configuration file.
	bucketPolicyConfig = "policy.json"
)

// PutBucketPolicyHandler - This HTTP handler stores given bucket policy configuration as per

	"github.com/minio/pkg/v3/policy"
	"github.com/minio/pkg/v3/policy/condition"
)

func getAnonReadOnlyBucketPolicy(bucketName string) *policy.BucketPolicy {
	return &policy.BucketPolicy{
		Version: policy.DefaultVersion,
		Statements: []policy.BPStatement{
			policy.NewBPStatement(
				"",
				policy.Allow,
				policy.NewPrincipal("*"),
				policy.NewActionSet(policy.GetBucketLocationAction, policy.ListBucketAction),