set -e ; # reset `e` as active
  return 0
}

# runCommand ($@)
# Run custom mc command
runCommand() {
  ${MC} "$@"
  return $?
}

# Try connecting to MinIO instance
{{- if .Values.tls.enabled }}
scheme=https
{{- else }}
scheme=http
{{- end }}
connectToMinio $scheme

{{ if .Values.customCommands }}
# Run custom commands
{{- range .Values.customCommands }}
runCommand {{ .command }}
{{- end }}

# Avoid creating a bunch of RBAC rules for features we are not enabling
rbac:
  create: false
  pspEnabled: false

# Disable test pods
testFramework:
  enabled: false

podLabels:
  sidecar.istio.io/inject: "false"

# Demo only, so we will have no authentication
admin:
  existingSecret: ""
ldap:
  existingSecret: true
env:
  GF_SECURITY_ADMIN_USER: "admin"
  GF_SECURITY_ADMIN_PASSWORD: "admin"

// initStore initializes IAM stores
func (sys *IAMSys) initStore(objAPI ObjectLayer, etcdClient *etcd.Client) {
	if sys.LDAPConfig.Enabled() {
		sys.SetUsersSysType(LDAPUsersSysType)
	}

	if etcdClient == nil {
		var group *singleflight.Group
		if env.Get("_MINIO_IAM_SINGLE_FLIGHT", config.EnableOn) == config.EnableOn {
			group = &singleflight.Group{}
		}
		sys.store = &IAMStoreSys{

            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            proxy_connect_timeout 300;
            # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            chunked_transfer_encoding off;

            proxy_pass http://minio;
        }
    }

    server {

OPA is enabled through MinIO's Access Management Plugin feature.

## Get started

### 1. Start OPA in a container

```sh
podman run -it \
    --name opa \
    --publish 8181:8181 \

```
mc admin policy attach myminio putonly --group=newgroup
```

### 7. List all users or groups

List all enabled and disabled users.

```
mc admin user list myminio
```

List all enabled or disabled groups.

```
mc admin group list myminio
```

### 8. Configure `mc`

```

	user, found := strings.CutSuffix(c.User(), "=ldap")
	if found {
		if !globalIAMSys.LDAPConfig.Enabled() {
			return nil, errSFTPLDAPNotEnabled
		}
		return processLDAPAuthentication(key, pass, user)
	}

	user, found = strings.CutSuffix(c.User(), "=svc")
	if found {
		goto internalAuth
	}

	if globalIAMSys.LDAPConfig.Enabled() {
		perms, _ := processLDAPAuthentication(key, pass, user)
		if perms != nil {

### Enable Keycloak Admin REST API support

Before being able to authenticate against the Admin REST API using a client_id and a client_secret you need to make sure the client is configured as it follows:

- `account` client_id is a confidential client that belongs to the realm `{realm}`
- `account` client_id is has **Service Accounts Enabled** option enabled.

// along with this program.  If not, see <http://www.gnu.org/licenses/>.

//go:build fips && linux && amd64
// +build fips,linux,amd64

package fips

import _ "crypto/tls/fipsonly"

    /**
     * 
     * @return selected dialect
     */
    DialectVersion getSelectedDialect ();


    /**
     * 
     * @return whether the server has singing enabled
     */
    boolean isSigningEnabled ();


    /**
     * 
     * @return whether the server requires signing
     */
    boolean isSigningRequired ();


    /**