diff --git a/docbook/auth-server-docs/reference/en/en-US/modules/user-federation.xml b/docbook/auth-server-docs/reference/en/en-US/modules/user-federation.xml
index 93ce15e..f44e6ab 100755
--- a/docbook/auth-server-docs/reference/en/en-US/modules/user-federation.xml
+++ b/docbook/auth-server-docs/reference/en/en-US/modules/user-federation.xml
@@ -135,6 +135,23 @@
</variablelist>
</para>
</section>
+ <section>
+ <title>Connect to LDAP over SSL</title>
+ <para>
+ When you configure secured connection URL to LDAP (for example <literal>ldaps://myhost.com:636</literal> ) the Keycloak will
+ use SSL for the communication with LDAP server. The important thing is to properly configure truststore on the Keycloak server side,
+ because SSL won't work if Keycloak can't trust the SSL connection with LDAP (Keycloak acts as the <literal>client</literal> here, when LDAP acts as server).
+ </para>
+ <para>
+ The global truststore for the Keycloak can be configured with Truststore SPI in the <literal>keycloak-server.json</literal> file and it's described in the details <link linkend="truststore">here</link>.
+ If you don't configure truststore SPI, the truststore will fallback to the default mechanism provided by Java (either the file provided by system property <literal>javax.net.ssl.trustStore</literal> or finally
+ the cacerts file from JDK if even the system property is not set).
+ </para>
+ <para>There is configuration property <literal>Use Truststore SPI</literal> in the LDAP federation provider configuration, where you can choose
+ whether Truststore SPI is used. By default, the value is <literal>ldaps only</literal>, which is fine for most of deployments, because attempt
+ to use Truststore SPI is done just if connection to LDAP starts with <literal>ldaps</literal> .
+ </para>
+ </section>
</section>
<section>
<title>Sync of LDAP users to Keycloak</title>
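Review bot: The new "Connect to LDAP over SSL" section documents the `Use Truststore SPI` property but lists only its default value (`ldaps only`); the other selectable values are not named, so a reader cannot tell how to force the Truststore SPI for every connection or disable it. List the remaining options next to the default. The fallback paragraph is also worth tightening from a security standpoint: "the cacerts file from JDK" means the LDAP server certificate is accepted if it chains to any public CA shipped with the JDK, which is a broader trust set than most LDAP deployments want; suggest adding one sentence recommending a dedicated truststore (via the Truststore SPI or `javax.net.ssl.trustStore`) that contains only the CA issuing the LDAP server certificate. Minor wording: "the Keycloak will" should read "Keycloak will", "Keycloak acts as the client here, when LDAP acts as server" reads better as "while LDAP acts as the server", and since the protocol in use is TLS, consider "SSL/TLS" at the first mention.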