ldapPolicies, err := globalIAMSys.PolicyDBGet(targetUser, targetGroups...)
		if err != nil {
			writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
			return
		}
		if len(ldapPolicies) == 0 {
			err = fmt.Errorf("No policy set for user `%s` or any of their groups: `%s`", opts.claims[ldapActualUser], strings.Join(targetGroups, "`,`"))

			}, nil
		}

		if !errors.Is(err, errNoSuchServiceAccount) {
			return nil, err
		}

		lookupResult, targetGroups, err = globalIAMSys.LDAPConfig.Bind(user, string(pass))
		if err != nil {
			return nil, err
		}

	} else if key != nil {

		lookupResult, targetGroups, err = globalIAMSys.LDAPConfig.LookupUserDN(user)
		if err != nil {
			return nil, err
		}

	}

		}

		var mcreds *credentials.Credentials
		if errors.Is(err, errNoSuchServiceAccount) {
			lookupResult, targetGroups, err := globalIAMSys.LDAPConfig.LookupUserDN(ctx.Sess.LoginUser())
			if err != nil {
				return nil, err
			}
			ldapPolicies, _ := globalIAMSys.PolicyDBGet(lookupResult.NormDN, targetGroups...)
			if len(ldapPolicies) == 0 {
				return nil, errAuthentication
			}

		return
	}

	if createReq.AccessKey == globalActiveCred.AccessKey {
		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAddUserInvalidArgument), r.URL)
		return
	}

	var (
		targetGroups []string
		err          error
	)

	// Find the user for the request sender (as it may be sent via a service
	// account or STS account):
	requestorUser := cred.AccessKey