support 'ldap:user' variable replacement properly (#10391)

also update `ldap.go` examples with latest
minio-go changes

Fixes #10367

cmd/bucket-policy.go

@@ -151,9 +151,10 @@ func getConditionValues(r *http.Request, lc string, username string, claims map[
 		if ok {
 			// Special case for AD/LDAP STS users
 			if k == ldapUser {
-				args[ldapUserPolicyVariable] = []string{vStr}
+				args["user"] = []string{vStr}
+			} else {
+				args[k] = []string{vStr}
 			}
-			args[k] = []string{vStr}
 		}
 	}
 

cmd/sts-handlers.go

@@ -61,8 +61,7 @@ const (
 	parentClaim = "parent"
 
 	// LDAP claim keys
-	ldapUser               = "ldapUser"
+	ldapUser = "ldapUser"
-	ldapUserPolicyVariable = "ldap:user"
 )
 
 // stsAPIHandlers implements and provides http handlers for AWS STS API.

docs/sts/ldap.go

@@ -18,12 +18,13 @@
 package main
 
 import (
+	"context"
 	"flag"
 	"fmt"
 	"log"
 	"net/url"
 
-	miniogo "github.com/minio/minio-go/v7"
+	"github.com/minio/minio-go/v7"
 	cr "github.com/minio/minio-go/v7/pkg/credentials"
 )
 
@@ -53,39 +54,34 @@ func main() {
 	// LDAP STS API.
 
 	// Initialize LDAP credentials
-	li, err := cr.NewLDAPIdentity(stsEndpoint, ldapUsername, ldapPassword)
+	li, _ := cr.NewLDAPIdentity(stsEndpoint, ldapUsername, ldapPassword)
-	if err != nil {
-		log.Fatalf("INIT Err: %v", err)
-	}
 
-	// Generate temporary STS credentials
+	stsEndpointURL, err := url.Parse(stsEndpoint)
-	v, err := li.Get()
-	if err != nil {
-		log.Fatalf("GET Err: %v", err)
-	}
-	fmt.Printf("%#v\n", v)
-
-	stsEndpointUrl, err := url.Parse(stsEndpoint)
 	if err != nil {
 		log.Fatalf("Err: %v", err)
 	}
 
-	secure := false
+	opts := &minio.Options{
-	if stsEndpointUrl.Scheme == "https" {
+		Creds:  li,
-		secure = true
+		Secure: stsEndpointURL.Scheme == "https",
 	}
 
+	fmt.Println(li.Get())
 	// Use generated credentials to authenticate with MinIO server
-	minioClient, err := miniogo.NewWithCredentials(stsEndpointUrl.Host, li, secure, "")
+	minioClient, err := minio.New(stsEndpointURL.Host, opts)
 	if err != nil {
 		log.Fatalln(err)
 	}
 
 	// Use minIO Client object normally like the regular client.
-	fmt.Println("Calling list buckets with temp creds:")
+	fmt.Println("Calling list objects with temp creds: ")
-	b, err := minioClient.ListBuckets()
+	objCh := minioClient.ListObjects(context.Background(), ldapUsername, minio.ListObjectsOptions{})
-	if err != nil {
+	for obj := range objCh {
-		log.Fatalln(err)
+		if obj.Err != nil {
+			if err != nil {
+				log.Fatalln(err)
+			}
+		}
+		fmt.Println(obj)
 	}
-	fmt.Println(b)
 }

docs/sts/list-objects-with-ldap-user.json

@@ -0,0 +1,14 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:ListBucket"
+      ],
+      "Resource": [
+        "arn:aws:s3:::${ldap:user}"
+      ]
+    }
+  ]
+}