xhttp "github.com/minio/minio/internal/http"
	"github.com/minio/minio/internal/mcontext"
)

var ldapPwdRegex = regexp.MustCompile("(^.*?)LDAPPassword=([^&]*?)(&(.*?))?$")

// redact LDAP password if part of string
func redactLDAPPwd(s string) string {
	parts := ldapPwdRegex.FindStringSubmatch(s)
	if len(parts) > 3 {
		return parts[1] + "LDAPPassword=*REDACTED*" + parts[3]
	}
	return s
}

     * @return The role query helper.
     */
    public static RoleQueryHelper getRoleQueryHelper() {
        return getComponent(ROLE_QUERY_HELPER);
    }

    /**
     * Gets the LDAP manager component.
     * @return The LDAP manager.
     */
    public static LdapManager getLdapManager() {
        return getComponent(LDAP_MANAGER);
    }

    /**
     * Gets the activity helper component.

## Introduction

MinIO provides a custom STS API that allows authentication with client X.509 / TLS certificates.

A major advantage of certificate-based authentication compared to other STS authentication methods, like OpenID Connect or LDAP/AD, is that client authentication works without any additional/external component that must be constantly available. Therefore, certificate-based authentication may provide better availability / lower operational complexity.

Dex is an identity service that uses OpenID Connect to drive authentication for apps. Dex acts as a portal to other identity providers through "connectors." This lets dex defer authentication to LDAP servers, SAML providers, or established identity providers like GitHub, Google, and Active Directory. Clients write their authentication logic once to talk to dex, then dex handles the protocols for a given backend.

## Prerequisites

		return madmin.BuiltinProvider // regular users are always internal
	}

	claims := credentials.Claims
	if _, ok := claims[ldapUser]; ok {
		return madmin.LDAPProvider // ldap users
	}

	if _, ok := claims[subClaim]; ok {
		providerPrefix, _, found := strings.Cut(credentials.ParentUser, getKeySeparator())
		if found {
			return providerPrefix // this is true for certificate and custom providers

	s := madmin.IDPSettings{}
	s.LDAP = madmin.LDAPSettings{
		IsLDAPEnabled:          globalIAMSys.LDAPConfig.Enabled(),
		LDAPUserDNSearchBase:   globalIAMSys.LDAPConfig.LDAP.UserDNSearchBaseDistName,
		LDAPUserDNSearchFilter: globalIAMSys.LDAPConfig.LDAP.UserDNSearchFilter,
		LDAPGroupSearchBase:    globalIAMSys.LDAPConfig.LDAP.GroupSearchBaseDistName,

labels.general_menu_suggest=Suggest
labels.general_menu_ldap=LDAP
labels.general_menu_notification=Notification
labels.general_storage=Storage
labels.ldapProviderUrl=LDAP URL
labels.ldapSecurityPrincipal=User DN
labels.ldapAdminSecurityPrincipal=Bind DN
labels.ldapAdminSecurityCredentials=Password
labels.ldapBaseDn=Base DN
labels.ldap_provider_url=LDAP URL
labels.ldap_security_principal=User DN

     */
    public static void resetPassword(final CreateForm form) {
        form.password = null;
        form.confirmPassword = null;
    }

    /**
     * Validates LDAP user attribute types using the configured LDAP manager.
     *
     * @param attributes the map of attributes to validate
     * @param throwError callback to report any validation errors
     */

     * given user when the target object's ACL has local groups. Local groups
     * are not listed in a user's group membership (e.g. as represented by the
     * tokenGroups constructed attribute retrieved via LDAP).
     *
     * Domain groups nested inside a local group are currently not expanded. In
     * this case the key (SID) type will be SID_TYPE_DOM_GRP rather than
     * SID_TYPE_USER.
     *
     * @param tc

    //                                                                      ==============

    /**
     * Resolves login credentials using various authentication methods.
     * This method handles local user authentication, LDAP authentication,
     * and SSO authentication through configured authenticators.
     *
     * @param resolver the credential resolver to use
     */
    @Override