diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 909c81b..e2f2e59 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1374,8 +1374,8 @@ omicron bryanh guest1
In the second mode, which we will call the search+bind mode,
the server first binds to the LDAP directory with
- a fixed user name and password, specified with ldapbinduser
- and ldapbinddn, and performs a search for the user trying
+ a fixed user name and password, specified with ldapbinddn
+ and ldapbindpasswd, and performs a search for the user trying
to log in to the database. If no user and password is configured, an
anonymous bind will be attempted to the directory. The search will be
performed over the subtree at ldapbasedn, and will try to
@@ -1493,13 +1493,14 @@ omicron bryanh guest1
An RFC 4516 LDAP URL. This is an alternative way to write most of the
other LDAP options in a more compact and standard form. The format is
-ldap://[user[:password]@]host[:port]/basedn[?[attribute][?[scope]]]
+ldap://host[:port]/basedn[?[attribute][?[scope]]]
scope must be one
of base, one, sub,
typically the latter. Only one attribute is used, and some other
components of standard LDAP URLs such as filters and extensions are
- not supported.
+ not supported. For non-anonymous binds, ldapbinddn
+ and ldapbindpasswd must be specified.