// query their groups:
		opts.claims[ldapUserN] = targetUser // simple username
		var lookupResult *xldap.DNSearchResult
		lookupResult, targetGroups, err = globalIAMSys.LDAPConfig.LookupUserDN(targetUser)
		if err != nil {
			writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
			return
		}
		targetUser = lookupResult.NormDN
		opts.claims[ldapUser] = targetUser // username DN

        "groups": ["cn=project.c,ou=groups,OU=swengg,DC=min,DC=io", "cn=projecty,ou=groups,ou=hwengg,dc=min,dc=io"],
        "claims": {
            "accessKey": "u4ccRswj62HV3Ifwima7",
            "ldapUser": "uid=svc.algorithm,ou=swengg,dc=min,dc=io",
            "ldapUsername": "svc.algorithm",
            "parent": "uid=svc.algorithm,ou=swengg,dc=min,dc=io",
            "sa-policy": "inherited-policy"
        },

		if err != nil {
			return nil, err
		}
		ldapUsers := make(map[string]madmin.UserInfo, len(stsMap))
		for user, policy := range stsMap {
			ldapUsers[user] = madmin.UserInfo{
				PolicyName: policy,
				Status:     statusEnabled,
			}
		}
		return ldapUsers, nil
	case <-ctx.Done():
		return nil, ctx.Err()
	}
}

type cleanEntitiesQuery struct {

	}
  ]
}
```

If the user is authenticating using an STS credential which was authorized from AD/LDAP we allow `ldap:*` variables.

Currently supports

- `ldap:username`
- `ldap:user`
- `ldap:groups`

Following example shows LDAP users full programmatic access to a LDAP user-specific directory (their own "home directory") in MinIO.

```
{
  "Version": "2012-10-17",
  "Statement": [