* Constructs a new FessSystemException with the specified detail message and suppression settings.
     *
     * @param message the detail message describing the exception
     * @param enableSuppression whether suppression is enabled or disabled
     * @param writableStackTrace whether the stack trace should be writable
     */
    protected FessSystemException(final String message, final boolean enableSuppression, final boolean writableStackTrace) {

            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            proxy_connect_timeout 300;
            # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            chunked_transfer_encoding off;

            proxy_pass http://minio;
        }
    }

    server {

#      Ex. public_cache_push -- Use TF's public cache (read and write, Googlers only)
#      Ex. rbe        -- Use RBE for faster builds (Googlers only; see below)
#      Ex. no_docker  -- Disable docker on enabled platforms
#    See full examples below for more details on these. Some other modifiers are:
#      Ex. versions_upload -- for TF official release versions

     * @return The query string.
     */
    public String getQueryString() {
        return queryString;
    }

    /**
     * Checks if role-based query filtering is enabled.
     * @return True if role query is enabled, false otherwise.
     */
    public boolean roleQueryEnabled() {
        return !disableRoleQuery;
    }

    /**
     * Disables role-based query filtering for this context.

### Enable Keycloak Admin REST API support

Before being able to authenticate against the Admin REST API using a client_id and a client_secret you need to make sure the client is configured as it follows:

- `account` client_id is a confidential client that belongs to the realm `{realm}`
- `account` client_id is has **Service Accounts Enabled** option enabled.

        assertTrue(testLdapManager.changePasswordCalled);
    }

    public void test_changePassword_success_withSync() {
        // Test successful password change when LDAP admin sync is enabled
        testLdapManager.changePasswordResult = true;
        testFessConfig.ldapAdminSyncPassword = true;

        boolean result = ldapChain.changePassword("testuser", "newpassword");

            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            proxy_connect_timeout 300;
            # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            chunked_transfer_encoding off;

            proxy_pass http://minio;
        }
    }

    server {

# it enables a derived --config setting.  If RBE is not available (i.e. there
# is no --config setting), bazel would fail and quit. This script does a quick
# check This script checks for such errors early
if ! grep "rbe_$TFCI_BAZEL_TARGET_SELECTING_CONFIG_PREFIX" .bazelrc; then
  cat <<EOF
ERROR: RBE was enabled via the 'rbe' env in the 'TFCI' variable.
       TFCI: $TFCI

	// Check authorization.

	objectAPI, cred := validateAdminReq(ctx, w, r, policy.UpdatePolicyAssociationAction)
	if objectAPI == nil {
		return
	}

	// fail if ldap is not enabled
	if !globalIAMSys.LDAPConfig.Enabled() {
		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminLDAPNotEnabled), r.URL)
		return
	}

	if r.ContentLength > maxEConfigJSONSize || r.ContentLength == -1 {

				writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAdminResourceInvalidArgument), r.URL)
				return
			}
		}

		if globalIAMSys.LDAPConfig.Enabled() {
			// We don't allow internal group manipulation in this API when LDAP
			// is enabled for now.
			err = errIAMActionNotAllowed
		} else {
			updatedAt, err = globalIAMSys.AddUsersToGroup(ctx, updReq.Group, updReq.Members)
		}
	}
	if err != nil {