LDAP config: fix substitution variables (#11586)

- In username search filter and username format variables we support %s for
replacing with the username.

- In group search filter we support %s for username and %d for the full DN of
the username.

cmd/config/identity/ldap/config.go

@@ -301,7 +301,8 @@ func (l *Config) Bind(username, password string) (string, []string, error) {
 	var groups []string
 	if l.GroupSearchFilter != "" {
 		for _, groupSearchBase := range l.GroupSearchBaseDistNames {
-			filter := strings.Replace(l.GroupSearchFilter, "%s", ldap.EscapeFilter(bindDN), -1)
+			filter := strings.Replace(l.GroupSearchFilter, "%s", ldap.EscapeFilter(username), -1)
+			filter = strings.Replace(filter, "%d", ldap.EscapeFilter(bindDN), -1)
 			searchRequest := ldap.NewSearchRequest(
 				groupSearchBase,
 				ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,

docs/sts/ldap.md

@@ -123,7 +123,13 @@ export MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY=on
 
 ### Variable substitution in AD/LDAP configuration strings ###
 
-`%s` is replaced with *username* automatically for construction bind_dn, search_filter and group_search_filter.
+In the configuration variables, `%s` is substituted with the *username* from the STS request and `%d` is substituted with the *distinguished username (user DN)* of the LDAP user. Please see the following table for which configuration variables support these substitution variables:
+
+| Variable                                    | Supported substitutions |
+|---------------------------------------------|-------------------------|
+| `MINIO_IDENTITY_LDAP_USERNAME_FORMAT`       | `%s`                    |
+| `MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER` | `%s`                    |
+| `MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER`   | `%s` and `%d`           |
 
 ## Managing User/Group Access Policy