This repository was archived by the owner on Jan 29, 2020. It is now read-only.
Closed
2 changes: 1 addition & 1 deletion docs/book/adapter/ldap.md
Expand Up @@ -172,7 +172,7 @@ Name | Description
`password` | The password of the account used to perform account DN lookups. If this option is not supplied, the LDAP client will attempt an “anonymous bind” when performing account DN lookups.
`bindRequiresDn` | Some LDAP servers require that the username used to bind be in DN form like `CN=Alice Baker,OU=Sales,DC=foo,DC=net` (basically all servers except Active Directory). If this option is `TRUE`, this instructs `Zend\Ldap\Ldap` to automatically retrieve the DN corresponding to the username being authenticated, if it is not already in DN form, and then re-bind with the proper DN. The default value is `FALSE`. Currently only Microsoft Active Directory Server (ADS) is known not to require usernames to be in DN form when binding, and therefore this option may be `FALSE` with AD (and it should be, as retrieving the DN requires an extra round trip to the server). Otherwise, this option must be set to `TRUE` (e.g. for OpenLDAP). This option also controls the default `accountFilterFormat` used when searching for accounts. See the `accountFilterFormat` option.
`baseDn` | The DN under which all accounts being authenticated are located. This option is required. if you are uncertain about the correct baseDn value, it should be sufficient to derive it from the user’s DNS domain using `DC=` components. For example, if the user’s principal name is `alice@foo.net`, a `baseDn` of `DC=foo,DC=net` should work. A more precise location (e.g., `OU=Sales,DC=foo,DC=net`) will be more efficient, however.
`accountCanonicalForm` | A value of 2, 3, or 4 indicating the form to which account names should be canonicalized after successful authentication. Values are as follows: 2 for traditional username style names (e.g., `alice`), 3 for backslash-style names (e.g., `FOO\alice`) or 4 for principal style usernames (e.g., `alice@foo.net`). The default value is 4 (e.g., `alice@foo.net`). For example, with a value of 3, the identity returned by `Zend\Authentication\Result::getIdentity()` (and `Zend\Authentication\AuthenticationService::getIdentity()`, if `Zend\Authentication\AuthenticationService` was used) will always be `FOO\alice`, regardless of what form Alice supplied, whether it be `alice`, `alice@foo.net`, `FOO\alice`, `FoO\aLicE`, `foo.net\alice`, etc. See the []Account Name Canonicalization](http://framework.zend.com/manual/current/en/modules/zend.ldap.introduction.html#account-name-canonicalization) section in the zend-ldap documentation for details. Note that when using multiple sets of server options it is recommended, but not required, that the same `accountCanonicalForm` be used with all server options so that the resulting usernames are always canonicalized to the same form (e.g., if you canonicalize to `EXAMPLE\username` with an AD server but to `username@example.com` with an OpenLDAP server, that may be awkward for the application’s high-level logic).
`accountCanonicalForm` | A value of 2, 3, or 4 indicating the form to which account names should be canonicalized after successful authentication. Values are as follows: 2 for traditional username style names (e.g., `alice`), 3 for backslash-style names (e.g., `FOO\alice`) or 4 for principal style usernames (e.g., `alice@foo.net`). The default value is 4 (e.g., `alice@foo.net`). For example, with a value of 3, the identity returned by `Zend\Authentication\Result::getIdentity()` (and `Zend\Authentication\AuthenticationService::getIdentity()`, if `Zend\Authentication\AuthenticationService` was used) will always be `FOO\alice`, regardless of what form Alice supplied, whether it be `alice`, `alice@foo.net`, `FOO\alice`, `FoO\aLicE`, `foo.net\alice`, etc. See the [Account Name Canonicalization](http://framework.zend.com/manual/current/en/modules/zend.ldap.introduction.html#account-name-canonicalization) section in the zend-ldap documentation for details. Note that when using multiple sets of server options it is recommended, but not required, that the same `accountCanonicalForm` be used with all server options so that the resulting usernames are always canonicalized to the same form (e.g., if you canonicalize to `EXAMPLE\username` with an AD server but to `username@example.com` with an OpenLDAP server, that may be awkward for the application’s high-level logic).
`accountDomainName` | The FQDN domain name for which the target LDAP server is an authority (e.g., `example.com`). This option is used to canonicalize names so that the username supplied by the user can be converted as necessary for binding. It is also used to determine if the server is an authority for the supplied username (e.g., if `accountDomainName` is `foo.net` and the user supplies `bob@bar.net`, the server will not be queried, and a failure will result). This option is not required, but if it is not supplied, usernames in principal name form (e.g., `alice@foo.net`) are not supported. It is strongly recommended that you supply this option, as there are many use-cases that require generating the principal name form.
`accountDomainNameShort` | The ‘short’ domain for which the target LDAP server is an authority (e.g., `FOO`). Note that there is a 1:1 mapping between the `accountDomainName` and `accountDomainNameShort`. This option should be used to specify the NetBIOS domain name for Windows networks, but may also be used by non-AD servers (e.g., for consistency when multiple sets of server options with the backslash style `accountCanonicalForm`). This option is not required but if it is not supplied, usernames in backslash form (e.g., `FOO\alice`) are not supported.
`accountFilterFormat` | The LDAP search filter used to search for accounts. This string is a `printf()`-style expression that must contain one `%s` to accommodate the username. The default value is `(&(objectClass=user)(sAMAccountName=%s))`, unless `bindRequiresDn` is set to `TRUE`, in which case the default is `(&(objectClass=posixAccount)(uid=%s))`. For example, if for some reason you wanted to use `bindRequiresDn = true` with AD you would need to set `accountFilterFormat = '(&(objectClass=user)(sAMAccountName=%s))'`.
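Review bot: dropping the stray `]` in `[]Account Name Canonicalization](http://framework.zend.com/manual/current/en/modules/zend.ldap.introduction.html#account-name-canonicalization)` on the `accountCanonicalForm` row is correct and is the only change in this hunk; the link now renders as markdown. Two small follow-ups worth folding into the same docs commit: the link target is plain `http://` to `framework.zend.com/manual/current/...`, so an `https://` URL (or a relative link if the zend-ldap book page exists in this docs tree) would be more durable; and the unchanged `baseDn` row above starts a sentence in lowercase, `if you are uncertain about the correct baseDn value`, which could be capitalized while this row is being touched.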