├── sso/                       # SSO implementations (oic, saml, spnego, entraid)
├── auth/                      # Authentication management
├── ldap/                      # LDAP integration
├── filter/                    # Servlet filters
├── validation/                # Custom validators
├── dict/                      # Dictionary management

	}
  ]
}
```

If the user is authenticating using an STS credential which was authorized from AD/LDAP we allow `ldap:*` variables.

Currently supports

- `ldap:username`
- `ldap:user`
- `ldap:groups`

Following example shows LDAP users full programmatic access to a LDAP user-specific directory (their own "home directory") in MinIO.

```
{
  "Version": "2012-10-17",
  "Statement": [

| [**AD/LDAP**](https://github.com/minio/minio/blob/master/docs/sts/ldap.md)             | Let AD/LDAP users request temporary credentials using AD/LDAP username and password.                                                          |

    // LDAP Configuration Constants
    // ============================================================

    /** LDAP base DN configuration key. */
    public static final String LDAP_BASE_DN = "ldap.base.dn";

    /** LDAP security principal configuration key. */
    public static final String LDAP_SECURITY_PRINCIPAL = "ldap.security.principal";

    /** LDAP admin security principal configuration key. */

	// in obtaining service accounts by this cred.
	cred.ParentUser = lookupResult.NormDN

	// Set this value to LDAP groups, LDAP user can be part
	// of large number of groups
	cred.Groups = targetGroups

	// Set the newly generated credentials, policyName is empty on purpose
	// LDAP policies are applied automatically using their ldapUser, ldapGroups
	// mapping.

		// LDAP specific service accounts ops
		adminRouter.Methods(http.MethodPut).Path(adminVersion + "/idp/ldap/add-service-account").HandlerFunc(adminMiddleware(adminAPI.AddServiceAccountLDAP))
		adminRouter.Methods(http.MethodGet).Path(adminVersion+"/idp/ldap/list-access-keys").

        DynamicProperties systemProps = new DynamicProperties(file);

        // Get existing component and update it instead of registering new one
        DynamicProperties existingProps = SingletonLaContainerFactory.getContainer().getComponent("systemProperties");
        existingProps.setProperty("ldap.security.principal", "******@****.***");

			// in obtaining service accounts by this cred.
			cred.ParentUser = lookupResult.NormDN

			// Set this value to LDAP groups, LDAP user can be part
			// of large number of groups
			cred.Groups = targetGroups

			// Set the newly generated credentials, policyName is empty on purpose
			// LDAP policies are applied automatically using their ldapUser, ldapGroups
			// mapping.

	if err != nil {
		c.Fatalf("unable to setup LDAP for tests: %v", err)
	}

	s.RestartIAMSuite(c)
}

// SetUpLDAPWithNonNormalizedBaseDN - expects to setup an LDAP test server using
// the test LDAP container and canned data from
// https://github.com/minio/minio-ldap-testing
//
// Sets up non-normalized base DN configuration for testing.

	// in obtaining service accounts by this cred.
	cred.ParentUser = ldapUserDN

	// Set this value to LDAP groups, LDAP user can be part
	// of large number of groups
	cred.Groups = groupDistNames

	// Set the newly generated credentials, policyName is empty on purpose
	// LDAP policies are applied automatically using their ldapUser, ldapGroups
	// mapping.