diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
index c53be6ff9..d81cf35c9 100644
--- a/doc/dirmngr.texi
+++ b/doc/dirmngr.texi
@@ -334,25 +334,40 @@ If no keyserver is explicitly configured, dirmngr will use the
 built-in default of @code{hkps://hkps.pool.sks-keyservers.net}.
 
 Windows users with a keyserver running on their Active Directory
-should use @code{ldap:///} for @var{name} to access this directory.
-As an alternative it is also possible to add @code{gpgNtds=1} as
-extension (i.e. after the fourth question mark).
+may use the short form @code{ldap:///} for @var{name} to access this directory.
 
 For accessing anonymous LDAP keyservers @var{name} is in general just
 a @code{ldaps://ldap.example.com}.  A BaseDN parameter should never be
-specified.  If authentication is required the value of @var{name} is
-for example:
+specified.  If authentication is required things are more complicated
+and two methods are available:
+
+The modern method (since version 2.2.28) is to use the very same syntax
+as used with the option @option{--ldapserver}.  Please see over
+there for details; here is an example:
+
+@example
+       keyserver ldap:ldap.example.com::uid=USERNAME,ou=GnuPG Users,
+       dc=example,dc=com:PASSWORD::starttls
+@end example
+
+       The other method is to use a full URL for @var{name}; for example:
 
 @example
        keyserver ldaps://ldap.example.com/????bindname=uid=USERNAME
        %2Cou=GnuPG%20Users%2Cdc=example%2Cdc=com,password=PASSWORD
 @end example
 
-       Put this all on one line without any spaces and keep the '%2C' as given.
-       Replace USERNAME, PASSWORD, and the 'dc' parts according to the
-       instructions received from the LDAP administrator.  Note that only
-       simple authentication (i.e. cleartext passwords) is supported and thus
-       using ldaps is strongly suggested.
+       Put this all on one line without any spaces and keep the '%2C'
+       as given.  Replace USERNAME, PASSWORD, and the 'dc' parts
+       according to the instructions received from your LDAP
+       administrator.  Note that only simple authentication
+       (i.e. cleartext passwords) is supported and thus using ldaps is
+       strongly suggested (since 2.2.28 "ldaps" defaults to port 389
+       and uses STARTTLS).  On Windows authentication via AD can be
+       requested by adding @code{gpgNtds=1} after the fourth question
+       mark instead of the bindname and password parameter.
+
+
 
 @item --nameserver @var{ipaddr}
 @opindex nameserver