diff --git a/misc/pam_authentication/ldap.env b/misc/pam_authentication/ldap.env
index 57862d116f6c02aa96bb5e94fa005eec58c9d063..fbfac2d4ce297dd9a7a59d0fe25c9d5724b0d9f0 100644
--- a/misc/pam_authentication/ldap.env
+++ b/misc/pam_authentication/ldap.env
@@ -6,8 +6,8 @@
 # REQUIRED - Set the ldap server here,
 export LDAPURI="ldap[s]://<ldap-service>[:<port>]/"
 
-# REQUIRED - Set the base domain here. This is used to generate a fully qualified
-# user name, a Distinguished Name (DN), with the BIND_DN_PATTERN:
+# REQUIRED - Set the base domain here. This is used to generate a fully
+# qualified user name, a Distinguished Name (DN), with the BIND_DN_PATTERN:
 export USER_BASE="dc=example,dc=org" # for actual LDAP servers
 #export USER_BASE="example.org" # for MS Active Directory
 
@@ -22,8 +22,10 @@ export USER_BASE="dc=example,dc=org" # for actual LDAP servers
 # Directory chooses to return "u:<domain>\<user_name>" instead. Be sure to
 # surround it with single quotation marks "'" because the variables inside are
 # to be expanded by the script. Defaults to the first.
-#export WHO_AM_I_PATTERN='dn:cn=${USER_NAME},${USER_BASE}' # for actual LDAP servers.
-#export WHO_AM_I_PATTERN='u:<domain>\${USER_NAME}' # for MS Active Directory
+#export WHO_AM_I_PATTERN='dn:cn=${USER_NAME},${USER_BASE}' # for actual LDAP
+                                                           # servers.
+#export WHO_AM_I_PATTERN='u:<domain>\\${USER_NAME}' # for MS Active Directory.
+                                                    # Mind the double back-slash.
 
 # TLS SETTINGS