diff --git a/install_config/configuring_authentication.adoc b/install_config/configuring_authentication.adoc index d07628de1119..43be79a682ae 100644 --- a/install_config/configuring_authentication.adoc +++ b/install_config/configuring_authentication.adoc @@ -479,11 +479,9 @@ to create a search filter that looks like: For example, consider a URL of: -==== ---- ldap://ldap.example.com/o=Acme?cn?sub?(enabled=true) ---- -==== When a client attempts to connect using a user name of `bob`, the resulting search filter will be `(&(enabled=true)(cn=bob))`. @@ -494,7 +492,6 @@ If the LDAP directory requires authentication to search, specify a `bindDN` and [[ldap-example-config]] .Master Configuration Using *LDAPPasswordIdentityProvider* -==== ---- oauthConfig: ... @@ -550,6 +547,12 @@ configured URL. If empty, system trusted roots are used. Only applies if `ldaps://` URLs connect using TLS, and `ldap://` URLs are upgraded to TLS. <13> An RFC 2255 URL which specifies the LDAP host and search parameters to use, xref:ldap-url[as described above]. + +[NOTE] +==== +To whitelist users for an LDAP integration, use the `lookup` mapping method. +Before a login from LDAP would be allowed, a cluster administrator must create +an identity and user object for each LDAP user. ==== [[BasicAuthPasswordIdentityProvider]]
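Review bot: In the second hunk (`@@ -494,7 +492,6`), the opening `====` under `.Master Configuration Using *LDAPPasswordIdentityProvider*` is removed, but its matching close is not removed anywhere in this patch. It survives as the trailing context line of the last hunk, where it now closes the new `[NOTE]` block. The delimiters stay balanced only when both hunks are applied together, so please say that in the commit message. Please also check the rendered page: the callout list ending at `<13>` was previously inside the example block and now follows the `----` listing directly.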
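Review bot: The NOTE added in the last hunk (`@@ -550,6 +547,12`) tells the reader to use the `lookup` mapping method but does not say where that value is set, and the sample configuration visible here only shows `oauthConfig: ...`. Please add an xref to the section that documents mapping methods, in the same style as the `xref:ldap-url[as described above]` on callout 13. Since this is an access-control instruction, the note should also state what happens when an LDAP user authenticates without a pre-created identity and user object. A wording nit: "Before a login from LDAP would be allowed" reads better as "Before a login from LDAP is allowed".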