The returned user's DN and their password are then verified with the LDAP server. The user DN may also be associated with an [access policy](#managing-usergroup-access-policy).

The User DN attributes configuration parameter:
```
MINIO_IDENTITY_LDAP_USER_DN_ATTRIBUTES      (list)      "," separated list of user DN attributes e.g. "uid,cn,mail,sshPublicKey"
```

# Create hardware engg org unit
dn: ou=hwengg,dc=min,dc=io
objectClass: organizationalUnit
ou: hwengg

# Create people sub-org
dn: ou=people,ou=hwengg,dc=min,dc=io
objectClass: organizationalUnit
ou: people

# Create Alice, Bob and Cody in hwengg
dn: uid=alice1,ou=people,ou=hwengg,dc=min,dc=io
objectClass: inetOrgPerson
cn: Alice Smith
sn: Smith
uid: alice1
mail: ******@****.***
userPassword: {SSHA}Yeh2/IV/q/HjG2yzN3YdE9CAF3EJFCLu

# Create hardware engg org unit
dn: ou=hwengg,dc=min,dc=io
objectClass: organizationalUnit
ou: hwengg

# Create people sub-org
dn: ou=people,ou=hwengg,dc=min,dc=io
objectClass: organizationalUnit
ou: people

# Create Alice, Bob and Cody in hwengg
dn: uid=alice1,ou=people,ou=hwengg,dc=min,dc=io
objectClass: inetOrgPerson
cn: Alice Smith
sn: Smith
uid: alice1
mail: ******@****.***
userPassword: {SSHA}Yeh2/IV/q/HjG2yzN3YdE9CAF3EJFCLu

			if policiesDiffer {
				return []string{}, fmt.Errorf("multiple DNs map to the same LDAP DN[%s]: %v; please remove DNs that are not needed",
					normKey, origKeys)
			}

			if len(origKeys[1:]) > 0 {
				// Log that extra DN mappings will not be imported.
				iamLogEvent(ctx, "import-ldap-normalize: extraneous DN mappings found for LDAP DN[%s]: %v will not be imported", origKeys[0], origKeys[1:])
			}

		}) {
			writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
			return
		}
	} else if len(dnList) == 1 {
		var dn string
		foundResult, err := globalIAMSys.LDAPConfig.GetValidatedDNForUsername(dnList[0])
		if err == nil {
			dn = foundResult.NormDN
		}
		if dn == cred.ParentUser || dnList[0] == cred.ParentUser {
			selfOnly = true
		}
	}

	if !globalIAMSys.IsAllowed(policy.Args{

        modifyList.add(mod);
    }

    /**
     * Modifies an entry.
     *
     * @param dn The DN of the entry.
     * @param modifyList The list of modification items.
     * @param envSupplier The environment supplier.
     */
    protected void modify(final String dn, final List<ModificationItem> modifyList, final Supplier<Hashtable<String, String>> envSupplier) {
        if (modifyList.isEmpty()) {

		Policies: []string{"readwrite"},
	}

	cases := []struct {
		username string
		dn       string
		group    string
	}{
		{
			username: "slashuser",
			dn:       "uid=slash/user,ou=people,ou=swengg,dc=min,dc=io",
		},
		{
			username: "dillon",
			dn:       "uid=dillon,ou=people,ou=swengg,dc=min,dc=io",
			group:    "cn=project/d,ou=groups,ou=swengg,dc=min,dc=io",
		},

	exit 1
fi

# Kill MinIO and LDAP to start afresh with missing groups/DN
pkill minio
docker rm -f $(docker ps -aq)
rm -rf /tmp/ldap{1..4}

# Deploy the LDAP config witg missing groups/DN
echo "Copying docs/distributed/samples/bootstrap-partial.ldif => minio-iam-testing/ldap/50-bootstrap.ldif"

labels.ldapProviderUrl=LDAP URL
labels.ldapSecurityPrincipal=User DN
labels.ldapAdminSecurityPrincipal=Bind DN
labels.ldapAdminSecurityCredentials=Password
labels.ldapBaseDn=Base DN
labels.ldap_provider_url=LDAP URL
labels.ldap_security_principal=User DN
labels.ldap_admin_security_principal=Bind DN
labels.ldap_admin_security_credentials=Password
labels.ldap_base_dn=Base DN
labels.ldapAccountFilter=Account Filter

labels.ldapProviderUrl=LDAP URL
labels.ldapSecurityPrincipal=Gebruikers-DN
labels.ldapAdminSecurityPrincipal=Bind-DN
labels.ldapAdminSecurityCredentials=Wachtwoord
labels.ldapBaseDn=Basis-DN
labels.ldap_provider_url=LDAP URL
labels.ldap_security_principal=Gebruikers-DN
labels.ldap_admin_security_principal=Bind-DN
labels.ldap_admin_security_credentials=Wachtwoord
labels.ldap_base_dn=Basis-DN
labels.ldapAccountFilter=Accountfilter