From da4c048166f90efff51e8b0c73f0152fe37c319c Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Mon, 12 Jan 2026 01:59:45 -0800
Subject: [PATCH] feat(sts): add support for LDAPProviderName parameter

---
 weed/s3api/s3api_sts.go | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/weed/s3api/s3api_sts.go b/weed/s3api/s3api_sts.go
index 2a40f422c..590c210a2 100644
--- a/weed/s3api/s3api_sts.go
+++ b/weed/s3api/s3api_sts.go
@@ -37,8 +37,9 @@ const (
 actionAssumeRoleWithLDAPIdentity = "AssumeRoleWithLDAPIdentity"

 // LDAP parameter names
- stsLDAPUsername = "LDAPUsername"
- stsLDAPPassword = "LDAPPassword"
+ stsLDAPUsername = "LDAPUsername"
+ stsLDAPPassword = "LDAPPassword"
+ stsLDAPProviderName = "LDAPProviderName"
 )

 // STS duration constants (AWS specification)
@@ -353,21 +354,27 @@ func (h *STSHandlers) handleAssumeRoleWithLDAPIdentity(w http.ResponseWriter, r
 return
 }

+ // Optional: specific LDAP provider name
+ ldapProviderName := r.FormValue(stsLDAPProviderName)
+
 // Find an LDAP provider from the registered providers
 var ldapProvider *ldap.LDAPProvider
 ldapProvidersFound := 0
 for _, provider := range h.stsService.GetProviders() {
 // Check if this is an LDAP provider by type assertion
 if p, ok := provider.(*ldap.LDAPProvider); ok {
- if ldapProvider == nil {
+ if ldapProviderName != "" && p.Name() == ldapProviderName {
+ ldapProvider = p
+ break
+ } else if ldapProviderName == "" && ldapProvider == nil {
 ldapProvider = p
 }
 ldapProvidersFound++
 }
 }

- if ldapProvidersFound > 1 {
- glog.Warningf("Multiple LDAP providers found (%d). Using the first one found (non-deterministic).", ldapProvidersFound)
+ if ldapProvidersFound > 1 && ldapProviderName == "" {
+ glog.Warningf("Multiple LDAP providers found (%d). Using the first one found (non-deterministic). Consider specifying LDAPProviderName.", ldapProvidersFound)
 }

 if ldapProvider == nil {
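Review bot: In the second hunk, a request whose `LDAPProviderName` matches no registered provider leaves `ldapProvider` nil and falls into the existing `if ldapProvider == nil {` branch. That branch's body is outside the hunk and predates the parameter, so a mistyped name is probably reported as "no LDAP provider configured"; it deserves its own client-error path, with the caller-supplied name logged via `%q`. The parameter also lets a caller who is not yet authenticated choose which directory validates the password, so if providers of differing trust can be registered together, the later role or trust-policy check (not visible here) should be tied to the provider that actually authenticated the user. With several providers and no name, the handler still checks the submitted credentials against an arbitrary directory and only warns; rejecting that case would be the safer default, e.g. `if ldapProviderName == "" && ldapProvidersFound > 1 { /* return a client error asking for LDAPProviderName */ }`. Minor: `break` skips `ldapProvidersFound++`, so the count is only meaningful in the unnamed case, and the `else` after `break` can be dropped.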