+There is a large number of configuration directives not covered in
+this file, nor in the default configuration file. Please see the
+doldacond.conf(5) manual page for information on the rest.
+
+ Running clients over the network
+
+For convenience of setup, the default configuration file disables
+running clients over the network. Using the default configuration
+file, the daemon will only enable clients to connect over a local Unix
+socket. They will use Unix socket credentials passing for
+authentication, for maximum security. It is also likely that many will
+want to keep it that way. However, for those who want to be able to
+run clients over the network, just follow the instructions in this
+section to enable UIs over TCP.
+
+First, you need to choose how you will authenticate to the server. If
+you are an administrator of a Kerberos-enabled network using the MIT
+Kerberos libraries, you can use Kerberos V authentication and get
+secure single sign-on, which gives the best of all worlds, but for
+normal users, there are two choices:
+
+ * PAM based password authentication -- The clients will ask for your
+ password every time they connect to the server. This option can be
+ somewhat cumbersome, but should be perfectly secure. Note, however,
+ that the password is transmitted to the server unencrypted.
+ * Password-less authentication -- The server will simply trust the
+ clients not to lie. This option is completely insecure, but may be
+ a better option where all users are trusted and/or Kerberos is not
+ available.
+
+PAM authentication is always enabled. To enable password-less
+authentication, set the "auth.authless" setting in the configuration
+file to "1". If your network is not completely trusted (especially the
+host running doldacond is globally accessible via the Internet), you
+really should make sure to set up some firewalling rules.
+
+Note that doldacond does *not* support tcp-wrappers, but it does
+support very simple internal firewalling in the form of the
+"ui.onlylocal" options. When "ui.onlylocal" is set to true, the
+daemon will only accept UI connections over a loopback interface. That
+includes 127.0.0.1, ::ffff:127.0.0.1, ::1 and Unix sockets.
+