/** Returns a new {@code TypeResolver} with {@code variable} mapping to {@code type}. */
    final TypeTable where(Map<TypeVariableKey, ? extends Type> mappings) {
      ImmutableMap.Builder<TypeVariableKey, Type> builder = ImmutableMap.builder();
      builder.putAll(map);
      for (Entry<TypeVariableKey, ? extends Type> mapping : mappings.entrySet()) {
        TypeVariableKey variable = mapping.getKey();
        Type type = mapping.getValue();

    /** Returns a new {@code TypeResolver} with {@code variable} mapping to {@code type}. */
    final TypeTable where(Map<TypeVariableKey, ? extends Type> mappings) {
      ImmutableMap.Builder<TypeVariableKey, Type> builder = ImmutableMap.builder();
      builder.putAll(map);
      for (Entry<TypeVariableKey, ? extends Type> mapping : mappings.entrySet()) {
        TypeVariableKey variable = mapping.getKey();
        Type type = mapping.getValue();

						</mapping>
						<!-- temp (empty) -->
						<mapping>
							<directory>${packaging.fess.temp.dir}</directory>
						</mapping>
						<!-- dictionary (empty) -->
						<mapping>
							<directory>${packaging.fess.dictionary.dir}</directory>
							<filemode>755</filemode>
							<username>opensearch</username>
							<groupname>opensearch</groupname>
						</mapping>
						<!-- es/modules -->

	var policies set.StringSet
	var updatedAt time.Time

	if store.getUsersSysType() == LDAPUsersSysType {
		// For LDAP policy mapping is part of STS users, we only need to lookup
		// those mappings.
		mp, ok := c.iamSTSPolicyMap.Load(name)
		if !ok {
			// Attempt to load parent user mapping for STS accounts

			// on the parent user, so we load them. This is not needed for the
			// initial server startup, however, it is needed for the case where
			// the STS account's policy mapping (for example in LDAP mode) may
			// be changed and the user's policy mapping in memory is stale
			// (because the policy change notification was missed by the current
			// server).
			//

	}

	// We map the X.509 subject common name to the policy. So, a client
	// with the common name "foo" will be associated with the policy "foo".
	// Other mapping functions - e.g. public-key hash based mapping - are
	// possible but not implemented.
	//
	// Group mapping is not possible with standard X.509 certificates.
	if certificate.Subject.CommonName == "" {

    /** The user's password has expired */
    int NT_STATUS_PASSWORD_EXPIRED = 0xC0000071;
    /** The referenced account is currently disabled */
    int NT_STATUS_ACCOUNT_DISABLED = 0xC0000072;
    /** No mapping between account names and security IDs was done */
    int NT_STATUS_NONE_MAPPED = 0xC0000073;
    /** The security ID structure is invalid */
    int NT_STATUS_INVALID_SID = 0xC0000078;

				delete(policyMap, origKeys[i])

				// Remove the mapping from storage by setting the policy to "".
				if entityKeysInStorage.Contains(origKeys[i]) {
					// Ignore any deletion error.
					_, delErr := sys.PolicyDBSet(ctx, origKeys[i], "", stsUser, isGroup)
					if delErr != nil {
						logErr := fmt.Errorf("failed to delete extraneous LDAP DN mapping for `%s`: %w", origKeys[i], delErr)
						iamLogIf(ctx, logErr)

    /** The user's password has expired */
    int NT_STATUS_PASSWORD_EXPIRED = 0xC0000071;
    /** The referenced account is currently disabled */
    int NT_STATUS_ACCOUNT_DISABLED = 0xC0000072;
    /** No mapping between account names and security IDs was done */
    int NT_STATUS_NONE_MAPPED = 0xC0000073;
    /** The security ID structure is invalid */
    int NT_STATUS_INVALID_SID = 0xC0000078;
    /** The disk is full */

		mp, ok := globalIAMSys.store.GetMappedPolicy(mapping.Policy, mapping.IsGroup)
		if ok && mp.UpdatedAt.After(updatedAt) {
			return nil
		}
	}

	// When LDAP is enabled, we verify that the user or group exists in LDAP and
	// use the normalized form of the entityName (which will be an LDAP DN).
	userType := IAMUserType(mapping.UserType)
	isGroup := mapping.IsGroup
	entityName := mapping.UserOrGroup