return madmin.BuiltinProvider // regular users are always internal
	}

	claims := credentials.Claims
	if _, ok := claims[ldapUser]; ok {
		return madmin.LDAPProvider // ldap users
	}

	if _, ok := claims[subClaim]; ok {
		providerPrefix, _, found := strings.Cut(credentials.ParentUser, getKeySeparator())
		if found {
			return providerPrefix // this is true for certificate and custom providers

	s := madmin.IDPSettings{}
	s.LDAP = madmin.LDAPSettings{
		IsLDAPEnabled:          globalIAMSys.LDAPConfig.Enabled(),
		LDAPUserDNSearchBase:   globalIAMSys.LDAPConfig.LDAP.UserDNSearchBaseDistName,
		LDAPUserDNSearchFilter: globalIAMSys.LDAPConfig.LDAP.UserDNSearchFilter,
		LDAPGroupSearchBase:    globalIAMSys.LDAPConfig.LDAP.GroupSearchBaseDistName,

import (
	"context"
	"encoding/json"
	"errors"
	"path"
	"strings"

	"github.com/minio/minio/internal/config"
	"github.com/minio/minio/internal/config/compress"
	xldap "github.com/minio/minio/internal/config/identity/ldap"
	"github.com/minio/minio/internal/config/identity/openid"
	"github.com/minio/minio/internal/config/notify"
	"github.com/minio/minio/internal/config/policy/opa"
	"github.com/minio/minio/internal/config/storageclass"

	},
	ErrAdminLDAPNotEnabled: {
		Code:           "XMinioLDAPNotEnabled",
		Description:    "LDAP is not enabled. LDAP must be enabled to make LDAP requests.",
		HTTPStatusCode: http.StatusNotImplemented,
	},
	ErrAdminLDAPExpectedLoginName: {
		Code:           "XMinioLDAPExpectedLoginName",
		Description:    "Expected LDAP short username but was given full DN.",
		HTTPStatusCode: http.StatusBadRequest,
	},

     */
    public static void resetPassword(final CreateForm form) {
        form.password = null;
        form.confirmPassword = null;
    }

    /**
     * Validates LDAP user attribute types using the configured LDAP manager.
     *
     * @param attributes the map of attributes to validate
     * @param throwError callback to report any validation errors
     */

labels.general_menu_suggest=Suggest
labels.general_menu_ldap=LDAP
labels.general_menu_notification=Notification
labels.general_storage=Storage
labels.ldapProviderUrl=LDAP URL
labels.ldapSecurityPrincipal=User DN
labels.ldapAdminSecurityPrincipal=Bind DN
labels.ldapAdminSecurityCredentials=Password
labels.ldapBaseDn=Base DN
labels.ldap_provider_url=LDAP URL
labels.ldap_security_principal=User DN

	xhttp "github.com/minio/minio/internal/http"
	"github.com/minio/minio/internal/mcontext"
)

var ldapPwdRegex = regexp.MustCompile("(^.*?)LDAPPassword=([^&]*?)(&(.*?))?$")

// redact LDAP password if part of string
func redactLDAPPwd(s string) string {
	parts := ldapPwdRegex.FindStringSubmatch(s)
	if len(parts) > 3 {
		return parts[1] + "LDAPPassword=*REDACTED*" + parts[3]
	}
	return s
}

## Introduction

MinIO provides a custom STS API that allows authentication with client X.509 / TLS certificates.

A major advantage of certificate-based authentication compared to other STS authentication methods, like OpenID Connect or LDAP/AD, is that client authentication works without any additional/external component that must be constantly available. Therefore, certificate-based authentication may provide better availability / lower operational complexity.

     * given user when the target object's ACL has local groups. Local groups
     * are not listed in a user's group membership (e.g. as represented by the
     * tokenGroups constructed attribute retrieved via LDAP).
     *
     * Domain groups nested inside a local group are currently not expanded. In
     * this case the key (SID) type will be SID_TYPE_DOM_GRP rather than
     * SID_TYPE_USER.
     *
     * @param tc

labels.general_menu_logging=日誌記錄
labels.general_menu_suggest=建議
labels.general_menu_ldap=LDAP
labels.general_menu_notification=顯示通知
labels.general_storage=儲存
labels.ldapProviderUrl=LDAP URL
labels.ldapSecurityPrincipal=使用者DN
labels.ldapAdminSecurityPrincipal=綁定DN
labels.ldapAdminSecurityCredentials=密碼
labels.ldapBaseDn=基本DN
labels.ldap_provider_url=LDAP URL
labels.ldap_security_principal=使用者DN
labels.ldap_admin_security_principal=綁定DN