if err = l.LDAP.LookupBind(conn); err != nil {
		return "", err
	}

	// Check if the passed in username is a valid DN.
	if !l.ParsesAsDN(username) {
		// We consider it as a login username and attempt to check it exists in
		// the directory.
		bindDN, err := l.LDAP.LookupUserDN(conn, username)
		if err != nil {
			if strings.Contains(err.Error(), "User DN not found for") {
				return "", nil
			}

	EnvLookupBindDN       = "MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN"
	EnvLookupBindPassword = "MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD"
)

var removedKeys = []string{
	"sts_expiry",
	"username_format",
	"username_search_filter",
	"username_search_base_dn",
	"group_name_attribute",
}

// DefaultKVS - default config for LDAP config
var (
	DefaultKVS = config.KVS{
		config.KV{
			Key:   config.Enable,
			Value: "",

		// We still need to ensure that the target user is a valid LDAP user.
		//
		// The target user may be supplied as a (short) username or a DN.
		// However, for now, we only support using the short username.

		isDN := globalIAMSys.LDAPConfig.ParsesAsDN(targetUser)
		opts.claims[ldapUserN] = targetUser // simple username
		targetUser, targetGroups, err = globalIAMSys.LDAPConfig.LookupUserDN(targetUser)
		if err != nil {

		var username string
		if u, err := user.Current(); err == nil {
			username = u.Username
		} else {
			username = "<your-username>"
		}
		var hint string
		if endpoint.URL != nil {
			hint = fmt.Sprintf("Run the following command to add write permissions: `sudo chown -R %s %s && sudo chmod u+rxw %s`",
				username, endpoint.Path, endpoint.Path)
		} else {

## conditionsexample policy creates all access to example bucket with aws:username="johndoe" and source ip range 10.0.0.0/8 and 192.168.0.0/24 only
# - name: conditionsexample
#   statements:
#     - resources:
#       - 'arn:aws:s3:::example/*'
#       actions:
#       - 's3:*'
#       conditions:
#         - StringEquals: '"aws:username": "johndoe"'
#         - IpAddress: |
#             "aws:SourceIp": [

"s3:GetBucketLocation" # - "s3:ListBucket" # - "s3:ListBucketMultipartU" ## conditionsexample policy creates all access to example bucket with aws:username="johndoe" and source ip range 10.0.0.0/8 and 192.168.0.0/24 only # - name: conditionsexample # statements: # - resources: # - 'arn:aws:s3:::example/*' # actions: # - 's3:*' # conditions: # - StringEquals: '"aws:username": "johndoe"' # - IpAddress: | # "aws:SourceIp": [ # "10.0.0.0/8", # "192.168.0.0/24" # ] # ## Additional Annotations for the Kubernetes...

	if err != nil {
		c.Fatalf("bucket create error: %v", err)
	}

	// Create policy
	policy := "mypolicy-username"
	policyBytes := []byte(`{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Effect": "Allow",
   "Action": [
    "s3:*"
   ],
   "Resource": [
    "arn:aws:s3:::${aws:username}-*"
   ]
  }
 ]
}`)
	err = s.adm.AddCannedPolicy(ctx, policy, policyBytes)
	if err != nil {

type iamCache struct {
	updatedAt time.Time

	// map of policy names to policy definitions
	iamPolicyDocsMap map[string]PolicyDoc

	// map of regular username to credentials
	iamUsersMap map[string]UserIdentity
	// map of regular username to policy names
	iamUserPolicyMap *xsync.MapOf[string, MappedPolicy]

	// STS accounts are loaded on demand and not via the periodic IAM reload.

	var parentUsers []string
	// Map of LDAP user to list of active credential objects
	parentUserToCredsMap := make(map[string][]auth.Credentials)
	// DN to ldap username mapping for each LDAP user
	parentUserToLDAPUsernameMap := make(map[string]string)
	for _, cred := range allCreds {
		// Expired credentials don't need parent user updates.
		if cred.IsExpired() {
			continue

		// query their groups:
		opts.claims[ldapUserN] = targetUser // simple username
		targetUser, targetGroups, err = globalIAMSys.LDAPConfig.LookupUserDN(targetUser)
		if err != nil {
			writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
			return
		}
		opts.claims[ldapUser] = targetUser // username DN

		// NOTE: if not using LDAP, then internal IDP or open ID is