The returned user's DN and their password are then verified with the LDAP server. The user DN may also be associated with an [access policy](#managing-usergroup-access-policy).

The User DN attributes configuration parameter:
```
MINIO_IDENTITY_LDAP_USER_DN_ATTRIBUTES      (list)      "," separated list of user DN attributes e.g. "uid,cn,mail,sshPublicKey"
```

			if policiesDiffer {
				return []string{}, fmt.Errorf("multiple DNs map to the same LDAP DN[%s]: %v; please remove DNs that are not needed",
					normKey, origKeys)
			}

			if len(origKeys[1:]) > 0 {
				// Log that extra DN mappings will not be imported.
				iamLogEvent(ctx, "import-ldap-normalize: extraneous DN mappings found for LDAP DN[%s]: %v will not be imported", origKeys[0], origKeys[1:])
			}

		}) {
			writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
			return
		}
	} else if len(dnList) == 1 {
		var dn string
		foundResult, err := globalIAMSys.LDAPConfig.GetValidatedDNForUsername(dnList[0])
		if err == nil {
			dn = foundResult.NormDN
		}
		if dn == cred.ParentUser || dnList[0] == cred.ParentUser {
			selfOnly = true
		}
	}

	if !globalIAMSys.IsAllowed(policy.Args{

        modifyList.add(mod);
    }

    /**
     * Modifies an entry.
     *
     * @param dn The DN of the entry.
     * @param modifyList The list of modification items.
     * @param envSupplier The environment supplier.
     */
    protected void modify(final String dn, final List<ModificationItem> modifyList, final Supplier<Hashtable<String, String>> envSupplier) {
        if (modifyList.isEmpty()) {

		Policies: []string{"readwrite"},
	}

	cases := []struct {
		username string
		dn       string
		group    string
	}{
		{
			username: "slashuser",
			dn:       "uid=slash/user,ou=people,ou=swengg,dc=min,dc=io",
		},
		{
			username: "dillon",
			dn:       "uid=dillon,ou=people,ou=swengg,dc=min,dc=io",
			group:    "cn=project/d,ou=groups,ou=swengg,dc=min,dc=io",
		},

        }
    }

    public void test_throwAndCatchAsFessSystemException() {
        // Test catching as parent exception type
        String errorMessage = "LDAP bind DN is invalid";

        try {
            throw new LdapConfigurationException(errorMessage);
        } catch (FessSystemException e) {
            assertEquals(errorMessage, e.getMessage());

	}

	if isAll && len(userList) > 0 {
		// This should be checked on client side, so return generic error
		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL)
		return
	}

	// Empty DN list and not self, list access keys for all users
	if isAll {
		if !globalIAMSys.IsAllowed(policy.Args{
			AccountName:     cred.AccessKey,
			Groups:          cred.Groups,
			Action:          policy.ListUsersAdminAction,

Create a file called `cert.cnf` with the content below. This file contains all of the information necessary to generate a certificate using `certtool.exe`:

```
# X.509 Certificate options
#
# DN options

# The organization of the subject.
organization = "Example Inc."

# The organizational unit of the subject.
#unit = "sleeping dept."

# The state of the certificate owner.
state = "Example"

          throw SSLPeerUnverifiedException(
            """
            |Hostname ${address.url.host} not verified:
            |    certificate: ${CertificatePinner.pin(cert)}
            |    DN: ${cert.subjectDN.name}
            |    subjectAltNames: ${OkHostnameVerifier.allSubjectAltNames(cert)}
            """.trimMargin(),
          )
        } else {
          throw SSLPeerUnverifiedException(

	issClaim = "iss"

	// JWT claim to check the parent user
	parentClaim = "parent"

	// LDAP claim keys
	ldapUser       = "ldapUser"       // this is a key name for a normalized DN value
	ldapActualUser = "ldapActualUser" // this is a key name for the actual DN value
	ldapUserN      = "ldapUsername"   // this is a key name for the short/login username
	// Claim key-prefix for LDAP attributes
	ldapAttribPrefix = "ldapAttrib_"