### 4. Test with MinIO STS API

Once etcd is configured, **any STS configuration** will work including Client Grants, Web Identity or AD/LDAP.

	xhttp "github.com/minio/minio/internal/http"
	"github.com/minio/minio/internal/mcontext"
)

var ldapPwdRegex = regexp.MustCompile("(^.*?)LDAPPassword=([^&]*?)(&(.*?))?$")

// redact LDAP password if part of string
func redactLDAPPwd(s string) string {
	parts := ldapPwdRegex.FindStringSubmatch(s)
	if len(parts) > 3 {
		return parts[1] + "LDAPPassword=*REDACTED*" + parts[3]
	}
	return s
}

labels.general_menu_system=System
labels.general_menu_crawler=Crawler
labels.general_menu_logging=Logging
labels.general_menu_suggest=Suggest
labels.general_menu_ldap=LDAP
labels.general_menu_notification=Notification
labels.general_storage=Storage
labels.ldap_provider_url=LDAP URL
labels.ldap_security_principal=User DN
labels.ldap_admin_security_principal=Bind DN
labels.ldap_admin_security_credentials=Password
labels.ldap_base_dn=Base DN

## Introduction

MinIO provides a custom STS API that allows authentication with client X.509 / TLS certificates.

A major advantage of certificate-based authentication compared to other STS authentication methods, like OpenID Connect or LDAP/AD, is that client authentication works without any additional/external component that must be constantly available. Therefore, certificate-based authentication may provide better availability / lower operational complexity.

            });
        }
        return itemList;
    }

    protected static boolean isMaskedValue(final String key) {
        return "http.proxy.password".equals(key) //
                || "ldap.admin.security.credentials".equals(key) //
                || "spnego.preauth.password".equals(key) //
                || "app.cipher.key".equals(key) //
                || "oic.client.id".equals(key) //

     * given user when the target object's ACL has local groups. Local groups
     * are not listed in a user's group membership (e.g. as represented by the
     * tokenGroups constructed attribute retrieved via LDAP).
     * <p/>
     * Domain groups nested inside a local group are currently not expanded. In
     * this case the key (SID) type will be SID_TYPE_DOM_GRP rather than
     * SID_TYPE_USER.
     * 
     * @param tc

labels.general_menu_system=System
labels.general_menu_crawler=Crawler
labels.general_menu_logging=Logging
labels.general_menu_suggest=Suggest
labels.general_menu_ldap=LDAP
labels.general_menu_notification=Уведомление
labels.ldap_provider_url=LDAP URL
labels.ldap_security_principal=User DN
labels.ldap_admin_security_principal=Bind DN
labels.ldap_admin_security_credentials=Password
labels.ldap_base_dn=Base DN

labels.general_menu_crawler	=	Crawler
labels.general_menu_logging	=	Enregistrement
labels.general_menu_suggest	=	Suggérer
labels.general_menu_ldap	=	LDAP
labels.general_menu_notification	=	Notification
labels.general_storage	=	Stockage
labels.ldap_provider_url	=	URL LDAP
labels.ldap_security_principal	=	DN de l'utilisateur
labels.ldap_admin_security_principal	=	Lier le DN
labels.ldap_admin_security_credentials	=	Mot de passe

labels.general_menu_system=System
labels.general_menu_crawler=Crawler
labels.general_menu_logging=Protokolle
labels.general_menu_suggest=Vorschläge
labels.general_menu_ldap=LDAP
labels.general_menu_notification=Benachrichtigung
labels.ldap_provider_url=LDAP-URL
labels.ldap_security_principal=Benutzer-DN
labels.ldap_admin_security_principal=Bind-DN
labels.ldap_admin_security_credentials=Passwort
labels.ldap_base_dn=Base-DN

- Access to bucket(s) and object(s) are governed via IAM policies associated with the incoming
  login credentials.

- Allows authentication and access for all
  - Built-in IDP users and their respective service accounts
  - LDAP/AD users and their respective service accounts
  - OpenID/OIDC service accounts

- On versioned buckets, FTP/SFTP only operates on latest objects, if you need to retrieve