fix #3645: Improve LDAP docs

- Be clearer about the fact that LDAP is only for spam quarantine
  access.
- Specify spam quarantine url and that users must log in with their
  email.

Signed-off-by: Dylan Whyte <d.whyte@proxmox.com>

pmg-administration.adoc

@@ -72,6 +72,7 @@ output.
 Quarantine
 ----------
 
+[[pmgadministration_spam_quarantine]]
 Spam
 ~~~~
 
@@ -84,8 +85,10 @@ The email preview on the web interface is very secure, as malicious
 code (attacking your operating system or email client) is removed by
 {pmg}.
 
-Users can get access to their personalized quarantine via the daily
+Users can access their personalized quarantine via the daily spam report or by
-spam report or by logging in with their LDAP credentials.
+navigating to the URL configured for the quarantine (defaults to
+`https://<pmg-host>:8006/quarantine`) and logging in with their LDAP credentials
+(email address and password).
 
 You can additionally enable user self-service for sending an access link from
 the Quarantine Login page.

pmgconfig.adoc

@@ -902,20 +902,33 @@ LDAP/Active Directory
 
 [thumbnail="pmg-gui-ldap-user-config.png", big=1]
 
+With {pmg}, users can use LDAP and Active directory as authentication methods to
+access their individual xref:pmgadministration_spam_quarantine[Spam Quarantine].
+Additionally, if users have extra email aliases defined in the LDAP directory,
+they will have a single spam quarantine for all of these.
+
+NOTE: Authentication via LDAP must first be enabled using the `Authentication
+mode` (`authmode`) parameter in the
+xref:pmgconfig_spamdetector_quarantine[Spam Detector's Quarantine configuration settings].
+
 You can specify multiple LDAP/Active Directory profiles, so that you can
-create rules matching those users and groups.
+create rules matching particular users and groups.
 
 Creating a profile requires (at least) the following:
 
-* profile name
+* `Profile Name`:  The name assigned to the LDAP profile.
-* protocol (LDAP or LDAPS; LDAPS is recommended)
+* `Protocol`:  LDAP, LDAPS, or LDAP+STARTTLS (LDAP+STARTTLS is recommended).
-* at least one server
+* `Server`: The domain name/IP address of the LDAP server. A fallback can also
-* a username and password (if your server does not support anonymous binds)
+    be configured using the second field.
+* `User name`: The Bind DN for authentication on the LDAP server.
+    This is required if your server does not support anonymous binds.
+* `Password`: Password for the Bind DN user.
+* `Base DN`: The directory which users are searched under.
 
 All other fields should work with the defaults for most setups, but can be
 used to customize the queries.
 
-The settings are saved to `/etc/pmg/ldap.conf`. Details for the options
+The settings are saved to `/etc/pmg/ldap.conf`. Details about the options
 can be found here: xref:pmg_ldap_configuration_file[ldap.conf]
 
 Bind user
@@ -926,7 +939,7 @@ LDAP server only has permission to query the server. For LDAP servers
 (for example OpenLDAP or FreeIPA), the username has to be of a format like
 'uid=username,cn=users,cn=accounts,dc=domain', where the specific fields
 depend on your setup. For Active Directory servers, the format should be
-like 'username@domain' or 'domain\username'.
+'username@domain' or 'domain\username'.
 
 Sync
 ^^^^