return true
		})
	}

	return entityKeysInStorage
}

// NormalizeLDAPMappingImport - validates the LDAP policy mappings. Keys in the
// given map may not correspond to LDAP DNs - these keys are ignored.
//
// For validated mappings, it updates the key in the given map to be in
// normalized form.
func (sys *IAMSys) NormalizeLDAPMappingImport(ctx context.Context, isGroup bool,

        "description": ""
    }
}
`,
		// Built-in user-to-policies mapping should be imported without errors
		// even if LDAP is enabled.
		userPolicyMappingsFile: `{
  "foo": {
    "version": 0,
    "policy": "readwrite",
    "updatedAt": "2024-04-23T21:34:43.815519816Z"
  }
}
`,
		// Contains:
		//
		// 1. duplicate mapping with same policy, we should not error out;
		//

	if ok {
		if !u.Credentials.IsValid() {
			return nil, time.Time{}, nil
		}
	}

	// For internal IDP regular/service account user accounts, the policy
	// mapping is iamUserPolicyMap. For STS accounts, the parent user would be
	// passed here and we lookup the mapping in iamSTSPolicyMap.
	mp, ok := c.iamUserPolicyMap.Load(name)
	if !ok {

		mp, ok := globalIAMSys.store.GetMappedPolicy(mapping.Policy, mapping.IsGroup)
		if ok && mp.UpdatedAt.After(updatedAt) {
			return nil
		}
	}

	// When LDAP is enabled, we verify that the user or group exists in LDAP and
	// use the normalized form of the entityName (which will be an LDAP DN).
	userType := IAMUserType(mapping.UserType)
	isGroup := mapping.IsGroup
	entityName := mapping.UserOrGroup

	sleep 5

	set -x
	mc alias set new-minio http://localhost:9000 minioadmin minioadmin
	echo "BEFORE IMPORT mappings:"
	mc idp ldap policy entities new-minio
	mc admin cluster iam import new-minio ./old-minio-iam-info.zip
	echo "AFTER IMPORT mappings:"
	mc idp ldap policy entities new-minio
	set +x

	# mc admin service stop new-minio
}

verify_iam_content_in_new_minio() {

	}

	// We map the X.509 subject common name to the policy. So, a client
	// with the common name "foo" will be associated with the policy "foo".
	// Other mapping functions - e.g. public-key hash based mapping - are
	// possible but not implemented.
	//
	// Group mapping is not possible with standard X.509 certificates.
	if certificate.Subject.CommonName == "" {

//
//	user=... -> repeatable query parameter, specifying users to query for
//	policy mapping
//
//	group=... -> repeatable query parameter, specifying groups to query for
//	policy mapping
//
//	policy=... -> repeatable query parameter, specifying policy to query for
//	user/group mapping
//
// When all query parameters are omitted, returns mappings for all policies.

			cred.Groups = targetGroups

			// Set the newly generated credentials, policyName is empty on purpose
			// LDAP policies are applied automatically using their ldapUser, ldapGroups
			// mapping.
			updatedAt, err := globalIAMSys.SetTempUser(context.Background(), cred.AccessKey, cred, "")
			if err != nil {
				return nil, err
			}

			// Call hook for site replication.

			cred.Groups = targetGroups

			// Set the newly generated credentials, policyName is empty on purpose
			// LDAP policies are applied automatically using their ldapUser, ldapGroups
			// mapping.
			updatedAt, err := globalIAMSys.SetTempUser(context.Background(), cred.AccessKey, cred, "")
			if err != nil {
				return nil, err
			}

			// Call hook for site replication.

	allUsersFile              = "users.json"
	allGroupsFile             = "groups.json"
	allSvcAcctsFile           = "svcaccts.json"
	userPolicyMappingsFile    = "user_mappings.json"
	groupPolicyMappingsFile   = "group_mappings.json"
	stsUserPolicyMappingsFile = "stsuser_mappings.json"

	iamAssetsDir = "iam-assets"
)

var iamExportFiles = []string{
	allPoliciesFile,
	allUsersFile,
	allGroupsFile,