diff --git a/.env.example b/.env.example
index 5b7e147c97..df98aea824 100644
--- a/.env.example
+++ b/.env.example
@@ -167,164 +167,43 @@ MAP_DEFAULT_ZOOM=6 # Firefly III authentication settings # - - -# update me. -# Firefly III has two options for user authentication. "eloquent" is the default, -# and "ldap" for LDAP servers. -# For full instructions on these settings please visit: +# +# Firefly III supports a few authentication methods: +# - 'web' (default, uses built in DB) +# - 'ldap' +# - 'remote_user_guard' for Authelia etc +# Read more about these settings in the documentation. # https://docs.firefly-iii.org/advanced-installation/authentication -# If you use Docker or similar, you can set this variable from a file by appending it with _FILE -# -# If you enable 'ldap' AND you run Docker, the Docker image will contact packagist.org -# This is necessary to download the required packages. -# -# It's also possible to change the way users are authenticated. You could use Authelia for example. -# Authentication via the REMOTE_USER header is supported. Change the value below to "remote_user_guard". -# -# This will also allow Windows SSO. -# -# If you do this please read the documentation for instructions and warnings: -# https://docs.firefly-iii.org/advanced-installation/authentication -# -# This function is available in Firefly III v5.3.0 and higher. -#AUTHENTICATION_GUARD=web - -# If the guard is changed, Firefly III uses the 'REMOTE_USER' header as per RFC 3875. -# You can also use another header, like AUTH_USER when using Windows SSO. -# Some systems use X-Auth headers. In that case, use HTTP_X_AUTH_USERNAME or HTTP_X_AUTH_EMAIL -# Depending on your system, REMOTE_USER may need to be changed to HTTP_REMOTE_USER -# -# If this header is 'unexpectedly empty', check out the documentation. -# https://docs.firefly-iii.org/advanced-installation/authentication -# -# AUTHENTICATION_GUARD_HEADER=REMOTE_USER # -# Firefly III uses email addresses as user identifiers. When you're using an external authentication guard -# that doesn't do this, Firefly III is incapable of emailing you. 
Messages sent to "Bill Gates" always fail.
+# Set to 'ldap' to enable LDAP
 #
-# However, if you set this value, Firefly III will store the value from this header as the user's backup
-# email address and use it to communicate. So user "Bill Gates" could still have
-# the email address "bill@microsoft.com".
+AUTHENTICATION_GUARD=web
+
 #
-# Example value: AUTHENTICATION_GUARD_EMAIL=HTTP_X_AUTH_EMAIL
+# LDAP connection settings:
 #
-# AUTHENTICATION_GUARD_EMAIL=
+LDAP_HOST=ldap.yourserver.com
+LDAP_USERNAME="uid=X,ou=,o=,dc=something,dc=com"
+LDAP_PASSWORD=super_secret
+LDAP_PORT=389
+LDAP_BASE_DN="o=something,dc=site,dc=com"
+LDAP_TIMEOUT=5
+LDAP_SSL=false
+LDAP_TLS=false
+LDAP_AUTH_FIELD=uid
-
-# It's impossible to log out users who's authentication is handled by an external system.
-# Enter a custom URL here that will force a logout (your authentication provider can tell you).
-# Setting this variable only works when AUTHENTICATION_GUARD != web
 #
-# CUSTOM_LOGOUT_URI=
-
-# LDAP connection configuration
-# OpenLDAP, FreeIPA or ActiveDirectory
-#
 # If you use Docker or similar, you can set this variable from a file by appending it with _FILE
-#ADLDAP_CONNECTION_SCHEME=OpenLDAP
-#ADLDAP_AUTO_CONNECT=true
-
-# LDAP connection settings
-# You can set the following variables from a file by appending them with _FILE:
-# ADLDAP_CONTROLLERS, ADLDAP_PORT, ADLDAP_BASEDN
-#ADLDAP_CONTROLLERS=
-#ADLDAP_PORT=389
-#ADLDAP_TIMEOUT=5
-#ADLDAP_BASEDN=""
-#ADLDAP_FOLLOW_REFFERALS=false
-
-# SSL/TLS settings
-#ADLDAP_USE_SSL=false
-#ADLDAP_USE_TLS=false
-#ADLDAP_SSL_CACERTDIR=
-#ADLDAP_SSL_CACERTFILE=
-#ADLDAP_SSL_CERTFILE=
-#ADLDAP_SSL_KEYFILE=
-#ADLDAP_SSL_CIPHER_SUITE=
-#ADLDAP_SSL_REQUIRE_CERT=
-
-# You can set the following variables from a file by appending them with _FILE:
-#ADLDAP_ADMIN_USERNAME=
-#ADLDAP_ADMIN_PASSWORD=
-
-# You can set the following variables from a file by appending them with _FILE:
-#ADLDAP_ACCOUNT_PREFIX=
-#ADLDAP_ACCOUNT_SUFFIX=
-
-# LDAP authentication 
settings.
-#ADLDAP_PASSWORD_SYNC=false
-#ADLDAP_LOGIN_FALLBACK=false
-
-#ADLDAP_DISCOVER_FIELD=distinguishedname
-#ADLDAP_AUTH_FIELD=distinguishedname
-
-# field to sync as local username.
-# You can set the following variable from a file by appending it with _FILE:
-#ADLDAP_SYNC_FIELD=userprincipalname
-
-
-# Login provider is obsolete
-#LOGIN_PROVIDER=eloquent
-#AUTHENTICATION_GUARD=ldap
-#CUSTOM_LOGOUT_URI=https://nu.nl
-
-# start new LDAP settings
-#LDAP_LOGGING=true
-#LDAP_CONNECTION=default
-#LDAP_HOST=ldap.jumpcloud.com
-#LDAP_USERNAME="uid=authelia,ou=Users,o=5fdddb09ae7868233b9d26d6,dc=jumpcloud,dc=com"
-#LDAP_PASSWORD=FZWhDnXVb_.ciGFVwuQC@m9CVo@vdVMx
-#LDAP_PORT=389
-#LDAP_BASE_DN="ou=Users,o=5fdddb09ae7868233b9d26d6,dc=jumpcloud,dc=com"
-#LDAP_TIMEOUT=5
-#DAP_SSL=true
-#LDAP_TLS=false
-# end new LDAP settings
-
-# start custom LDAP settings
-#LDAP_AUTH_FIELD=uid
-# end custom LDAP settings
-
-
-# LDAP connection configuration
-# OpenLDAP, FreeIPA or ActiveDirectory
-#ADLDAP_CONNECTION_SCHEME=OpenLDAP
-#ADLDAP_AUTO_CONNECT=true
-
-# LDAP connection settings
-#ADLDAP_CONTROLLERS=
-#ADLDAP_PORT=389
-#ADLDAP_TIMEOUT=5
-#ADLDAP_BASEDN=""
-#ADLDAP_FOLLOW_REFFERALS=false
-#ADLDAP_USE_SSL=false
-#ADLDAP_USE_TLS=false
-#ADLDAP_SSL_CACERTDIR=
-#ADLDAP_SSL_CACERTFILE=
-#ADLDAP_SSL_CERTFILE=
-#ADLDAP_SSL_KEYFILE=
-#ADLDAP_SSL_CIPHER_SUITE=
-#ADLDAP_SSL_REQUIRE_CERT=
-#ADLDAP_ADMIN_USERNAME=
-#ADLDAP_ADMIN_PASSWORD=
-#ADLDAP_ACCOUNT_PREFIX=
-#ADLDAP_ACCOUNT_SUFFIX=
-# LDAP authentication settings.
-#ADLDAP_PASSWORD_SYNC=false
-#ADLDAP_LOGIN_FALLBACK=false
-#ADLDAP_DISCOVER_FIELD=distinguishedname
-#ADLDAP_AUTH_FIELD=distinguishedname
-
-# Will allow SSO if your server provides an AUTH_USER field.
-#WINDOWS_SSO_DISCOVER=samaccountname
-#WINDOWS_SSO_KEY=AUTH_USER
-
-# field to sync as local username. 
-#ADLDAP_SYNC_FIELD=userprincipalname
-
+# Remote user guard settings
+#
+AUTHENTICATION_GUARD_HEADER=REMOTE_USER
+AUTHENTICATION_GUARD_EMAIL=
+#
+# Extra authentication settings
+#
+CUSTOM_LOGOUT_URI=
 # You can disable the X-Frame-Options header if it interferes with tools like
 # Organizr. This is at your own risk. Applications running in frames run the risk
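Review bot: The new LDAP block ships `LDAP_PASSWORD=super_secret` as an active (uncommented) value next to `LDAP_SSL=false` and `LDAP_TLS=false`, so an installation that copies this example as-is binds to the directory with a plaintext password over an unencrypted connection, and nothing in the block says so; a comment above `LDAP_PASSWORD` should point at the `_FILE` convention the following context line mentions (if it applies to this variable) and one above `LDAP_SSL` should state the consequence of leaving both flags off. Suggested lines: `# Bind password: prefer supplying it from a secrets file (see the _FILE note below) instead of a plaintext value here` and `# Enable LDAP_SSL (ldaps, usually port 636) or LDAP_TLS (STARTTLS); with both false the bind password is sent unencrypted`. Separately, the removed `#LDAP_USERNAME`, `#LDAP_PASSWORD` and `#LDAP_BASE_DN` lines look like real bind credentials and a real tenant identifier rather than placeholders; deleting them from the working tree leaves them in git history, so if they were ever valid they should be rotated. The hunk's trailing context may continue beyond the visible lines.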