Diffstat (limited to 'README-stackrpms.md')
-rw-r--r--README-stackrpms.md46
1 files changed, 45 insertions, 1 deletions
diff --git a/README-stackrpms.md b/README-stackrpms.md
index ee7b042..b0da7c5 100644
--- a/README-stackrpms.md
+++ b/README-stackrpms.md
@@ -5,4 +5,48 @@ The rpm deploys infcloud to /usr/share/infcloud. The easiest way to use this on
sudo ln -s /usr/share/infcloud/radicale_infcloud/web /var/www/html/calendar
-The config.js is now stored in /etc/infcloud/. After updating it, be sure to run /usr/sbin/update-infcloud-cache
+The config.js is now stored in /etc/infcloud/. After updating it, be sure to run `/usr/sbin/update-infcloud-cache`.
+
+For a whole radicale+infcloud setup, an apache httpd VirtualHost entry WITHOUT TLS could resemble:
+
+ <VirtualHost *:80>
+ ServerName calendar.example.com
+ RewriteEngine On
+ RewriteRule ^/radicale$ /radicale/ [R,L]
+ <Location "/radicale/">
+ ProxyPreserveHost On
+ Order deny,allow
+ Deny from all
+ AuthType Basic
+ AuthName "LDAP protected"
+ AuthBasicProvider ldap
+ AuthLDAPGroupAttribute member
+ AuthLDAPSubGroupClass group
+ # If anonymous search is disabled, provide dn and pw.
+ #AuthLDAPBindDN uid=service-account,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
+ #AuthLDAPBindPassword mypw
+ AuthLDAPGroupAttributeIsDN On
+ AuthLDAPURL "ldaps://dns1.ipa.example.com:636 dns2.ipa.example.com:636/cn=users,cn=accounts,dc=ipa,dc=example,dc=com?uid,memberof,gecos?sub?(objectClass=person)"
+ #?sub?(objectClass=*)
+ Require valid-user
+ Satisfy any
+ # My radical set up uses HTTP_X_REMOTE_USER as username for authentication
+ RequestHeader set X_REMOTE_USER "%{AUTHENTICATE_uid}e"
+ # This does not populate correctly. Probably the ldap memberOf attribute is derived and not real?
+ RequestHeader set X_GROUPS "%{AUTHENTICATE_memberOf}e"
+ # This populates correctly
+ RequestHeader set X_GECOS "%{AUTHENTICATE_gecos}e"
+ ProxyPass http://localhost:5232/ retry=20 connectiontimeout=300 timeout=300
+ ProxyPassReverse http://localhost:5232/
+ RequestHeader set X-Script-Name /radicale
+ </Location>
+ </VirtualHost>
+
+Relevant config options for radicale (file `/etc/radicale/config`) include:
+
+ [server]
+ hosts = 127.0.0.1:5232
+ [auth]
+ type = http_x_remote_user
+ [web]
+ type = internal
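Review bot: The `RequestHeader set X_REMOTE_USER "%{AUTHENTICATE_uid}e"` line inside `<Location "/radicale/">` replaces only a header with that exact underscore name, so a client-supplied `X-Remote-User` header would probably still be proxied to the backend alongside it. Because `type = http_x_remote_user` makes radicale take the username from `HTTP_X_REMOTE_USER`, and WSGI servers commonly fold hyphens and underscores into the same environ key, the example should add `RequestHeader unset X-Remote-User` ahead of the `set` line; the same applies to `X_GROUPS` and `X_GECOS`. Separately, the intro says "WITHOUT TLS" but not what that costs: with `AuthType Basic` on `*:80` the LDAP password is only base64-encoded on the wire. I would add a sentence such as `Use this plain-HTTP form only for local testing or behind a TLS-terminating front end.`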