From 261fb98c6f034f3f96abee79ea73febd115420ae Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Mon, 21 Dec 2020 15:07:32 +0100 Subject: [PATCH] doc: Explain LDAP keyserver parameters --- doc/dirmngr.texi | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi index ba4f1591e..843fdbf67 100644 --- a/doc/dirmngr.texi +++ b/doc/dirmngr.texi @@ -328,7 +328,26 @@ whether Tor is locally running or not. The check for a running Tor is done for each new connection. If no keyserver is explicitly configured, dirmngr will use the -built-in default of hkps://hkps.pool.sks-keyservers.net. +built-in default of @code{hkps://hkps.pool.sks-keyservers.net}. + +Windows users with a keyserver running on their Active Directory +should use @code{ldap:///} for @var{name} to access this directory. + +For accessing anonymous LDAP keyservers @var{name} is in general just +a @code{ldaps://ldap.example.com}. A BaseDN parameter should never be +specified. If authentication is required the value of @var{name} is +for example: + +@example + keyserver ldaps://ldap.example.com/????bindname=uid=USERNAME + %2Cou=GnuPG%20Users%2Cdc=example%2Cdc=com,password=PASSWORD +@end example + + Put this all on one line without any spaces and keep the '%2C' as given. + Replace USERNAME, PASSWORD, and the 'dc' parts according to the + instructions received from the LDAP administrator. Note that only + simple authentication (i.e. cleartext passwords) is supported and thus + using ldaps is strongly suggested. @item --nameserver @var{ipaddr} @opindex nameserver
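Review bot: In the paragraph after `@end example`, "keep the '%2C' as given" is stated without a reason, while the example mixes `%2C` inside the bindname with a literal comma before `password=`; a reader whose DN or PASSWORD contains a comma, a space or a `%` gets no guidance. Suggest adding a sentence saying that the literal comma is what separates the `bindname` and `password` parameters, so a comma inside either value has to be written as `%2C` (and a space as `%20`, as the example already does for "GnuPG Users"). The same paragraph warns about cleartext passwords on the wire and recommends ldaps, but does not mention that PASSWORD also sits in cleartext wherever this `keyserver` line is stored; a short remark about restricting read access to that file would fit here. "A BaseDN parameter should never be specified" would be easier to follow with a note that the `????` in the example is what leaves those URL fields empty. Style: the paragraph following `@end example` is indented by one space unlike the other added paragraphs, and "is in general just a @code{ldaps://ldap.example.com}" reads better without the article.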