Loosen requirements to detach policies for LDAP (#18419)

cmd/iam.go

@@ -1663,18 +1663,25 @@ func (sys *IAMSys) PolicyDBUpdateLDAP(ctx context.Context, isAttach bool,
 			return
 		}
 		if dn == "" {
-			err = errNoSuchUser
+			// Still attempt to detach if provided user is a DN.
-			return
+			if !isAttach && sys.LDAPConfig.IsLDAPUserDN(r.User) {
+				dn = r.User
+			} else {
+				err = errNoSuchUser
+				return
+			}
 		}
 		isGroup = false
 	} else {
-		var exists bool
+		if isAttach {
-		if exists, err = sys.LDAPConfig.DoesGroupDNExist(r.Group); err != nil {
+			var exists bool
-			logger.LogIf(ctx, err)
+			if exists, err = sys.LDAPConfig.DoesGroupDNExist(r.Group); err != nil {
-			return
+				logger.LogIf(ctx, err)
-		} else if !exists {
+				return
-			err = errNoSuchGroup
+			} else if !exists {
-			return
+				err = errNoSuchGroup
+				return
+			}
 		}
 		dn = r.Group
 		isGroup = true