fix: remove LDAP groups claim and store them on server (#9637)

Groups information shall be now stored as part of the
credential data structure, this is a more idiomatic
way to support large LDAP groups.

Avoids the complication of setups where LDAP groups
can be in the range of 150+ which may lead to excess
HTTP header size > 8KiB, to reduce such an occurrence
we shall save the group information on the server as
part of the credential data structure.

Bonus change support multiple mapped policies, across
all types of users.

cmd/sts-handlers.go

@@ -61,8 +61,7 @@ const (
 	parentClaim = "parent"
 
 	// LDAP claim keys
-	ldapUser   = "ldapUser"
-	ldapGroups = "ldapGroups"
+	ldapUser = "ldapUser"
 )
 
 // stsAPIHandlers implements and provides http handlers for AWS STS API.
@@ -491,9 +490,8 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
 
 	expiryDur := globalLDAPConfig.GetExpiryDuration()
 	m := map[string]interface{}{
-		expClaim:   UTCNow().Add(expiryDur).Unix(),
-		ldapUser:   ldapUsername,
-		ldapGroups: groups,
+		expClaim: UTCNow().Add(expiryDur).Unix(),
+		ldapUser: ldapUsername,
 	}
 
 	if len(sessionPolicyStr) > 0 {
@@ -511,6 +509,10 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
 	// in obtaining service accounts by this cred.
 	cred.ParentUser = ldapUsername
 
+	// Set this value to LDAP groups, LDAP user can be part
+	// of large number of groups
+	cred.Groups = groups
+
 	// Set the newly generated credentials, policyName is empty on purpose
 	// LDAP policies are applied automatically using their ldapUser, ldapGroups
 	// mapping.