diff -r 0188e957ce84 -r cbc46f94081d doc/book/en/admin/ldap.rst
--- a/doc/book/en/admin/ldap.rst	Fri Feb 14 14:39:55 2014 +0100
+++ b/doc/book/en/admin/ldap.rst	Fri Feb 14 12:03:20 2014 +0100
@@ -85,7 +85,9 @@
 
 If the LDAP server accepts anonymous binds, then it is possible to
 leave data-cnx-dn and data-cnx-password empty. This is, however, quite
-unlikely in practice.
+unlikely in practice. Beware that the LDAP server might hide attributes
+such as "userPassword" while the rest of the attributes remain visible
+through an anonymous binding.
 
 LDAP schema mapping options: