diff --git a/doc/mpd.conf.5 b/doc/mpd.conf.5
index bfec4cd1a..787394774 100644
--- a/doc/mpd.conf.5
+++ b/doc/mpd.conf.5
@@ -72,19 +72,6 @@ never run as root, and you may use this option to make MPD change its
 user id after initialization.  Do not use this option if you start MPD
 as an unprivileged user.
 .TP
-.B bind_to_address <ip address or hostname or any>
-This specifies which address mpd binds to and listens on.  Multiple
-bind_to_address parameters may be specified.  The default is "any", which binds
-to all available addresses.
-
-You can set a port that is different from the global port setting,
-e.g. "localhost:6602".  IPv6 addresses must be enclosed in square
-brackets if you want to configure a port, e.g. "[::1]:6602".
-
-To bind to a Unix domain socket, specify an absolute path or a path starting
-with a tilde (~).  For a system-wide MPD, we suggest the path
-"\fB/var/run/mpd/socket\fP".
-.TP
 .B port <port>
 This specifies the port that mpd listens on.  The default is 6600.
 .TP
@@ -114,22 +101,6 @@ If Zeroconf is enabled, this is the service name to publish.  This name should
 be unique to your local network, but name collisions will be properly dealt
 with.  The default is "Music Player".
 .TP
-.B password <password@permissions>
-This specifies a password for access to mpd.  The format is
-"password@permissions" where permissions is a comma delimited list composed
-of "read", "add", "control", and/or "admin".  "read" allows for reading of the
-database, displaying the current playlist, and current status of mpd.  "add"
-allows for adding songs and loading playlists.  "control" allows for all other
-player and playlist manipulations.  "admin" allows the db to be updated and for
-the client to kill mpd.  An example value is "somePassword@read,add".  Multiple
-password parameters may be specified.
-.TP
-.B default_permissions <permissions>
-This specifies the permissions of a client that has not been authenticated
-using a password.  The format of permissions is specified in the description of
-the "password" config parameter.  If no passwords are specified, the default is
-"read,add,control,admin", otherwise it is "" (no permissions).
-.TP
 .B audio_output
 See \fBDESCRIPTION\fP and the various \fBAUDIO OUTPUT PARAMETERS\fP sections
 for the format of this parameter.  Multiple audio_output sections may be
diff --git a/doc/user.xml b/doc/user.xml
index d203e22f5..85f060a0b 100644
--- a/doc/user.xml
+++ b/doc/user.xml
@@ -1043,6 +1043,144 @@ systemctl start mpd.socket</programlisting>
       </section>
     </section>
 
+    <section id="config_clients">
+      <title>Client Connections</title>
+
+      <section id="config_listeners">
+        <title>Listeners</title>
+
+        <para>
+          The setting <varname>bind_to_address</varname> specifies
+          which addresses <application>MPD</application> listens on
+          for connections from clients.  The default is
+          "<parameter>any</parameter>", which binds to all available
+          addresses.
+        </para>
+
+        <para>
+          You can set a port that is different from the global port
+          setting, e.g. "<parameter>localhost:6602</parameter>".  IPv6
+          addresses must be enclosed in square brackets if you want to
+          configure a port, e.g. "<parameter>[::1]:6602</parameter>".
+        </para>
+
+        <para>
+          To bind to a local socket (UNIX domain socket), specify an
+          absolute path or a path starting with a tilde
+          (<parameter>~</parameter>).  Some clients default to
+          connecting to <filename>/var/run/mpd/socket</filename> so
+          this may be a good choice.
+        </para>
+
+        <para>
+          If no port is specified, the default port is
+          <parameter>6600</parameter>.  This default can be changed
+          with the <varname>port</varname> setting.
+        </para>
+      </section>
+
+      <section id="config_permissions">
+        <title>Permissions and Passwords</title>
+
+        <para>
+          By default, all clients are unauthenticated and have a full
+          set of permissions.  This can be restricted with the
+          settings <varname>default_permissions</varname> and
+          <varname>password</varname>.
+        </para>
+
+        <para>
+          <varname>default_permissions</varname> controls the
+          permissions of a new client.  Its value is a comma-separated
+          list of permissions:
+        </para>
+
+        <informaltable>
+          <tgroup cols="2">
+            <thead>
+              <row>
+                <entry>
+                  Name
+                </entry>
+                <entry>
+                  Description
+                </entry>
+              </row>
+            </thead>
+            <tbody>
+              <row>
+                <entry>
+                  <parameter>read</parameter>
+                </entry>
+                <entry>
+                  Allows reading of the database, displaying the current
+                  playlist, and current status of MPD.
+                </entry>
+              </row>
+
+              <row>
+                <entry>
+                  <parameter>read</parameter>
+                </entry>
+                <entry>
+                  Allows reading of the database, displaying the current
+                  playlist, and current status of MPD.
+                </entry>
+              </row>
+
+              <row>
+                <entry>
+                  <parameter>add</parameter>
+                </entry>
+                <entry>
+                  Allows adding songs and loading playlists.
+                </entry>
+              </row>
+
+              <row>
+                <entry>
+                  <parameter>control</parameter>
+                </entry>
+                <entry>
+                  Allows all other player and playlist manipulations.
+                </entry>
+              </row>
+
+              <row>
+                <entry>
+                  <parameter>admin</parameter>
+                </entry>
+                <entry>
+                  Allows database updates and allows shutting down MPD.
+                </entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+
+        <para>
+          <varname>password</varname> allows the client to send a
+          password to gain other permissions.  This option may be
+          specified multiple times with different passwords.
+        </para>
+
+        <para>
+          Note that the <varname>password</varname> option is not
+          secure: passwords are sent in clear-text over the
+          connection, and the client cannot verify the server's
+          identity.
+        </para>
+
+        <para>
+          Example:
+        </para>
+
+        <programlisting>default_permissions "read"
+password "the_password@read,add,control"
+password "the_admin_password@read,add,control,admin"</programlisting>
+      </section>
+    </section>
+
     <section id="config_other">
       <title>Other Settings</title>