Update docs

- Add note about allowedGroups option
- Fix typos

readme.md

@@ -16,7 +16,7 @@
 
 # Traefik ldapAuth Middleware
 
-This project is an in progress effort to create an open source middleware that enables authentication via LDAP in a similar way to [Traefik Enterprise](https://doc.traefik.io/traefik-enterprise/middlewares/ldap/).
+This project is an in-progress effort to create an open-source middleware that enables authentication via LDAP in a similar way to [Traefik Enterprise](https://doc.traefik.io/traefik-enterprise/middlewares/ldap/).
 
 ## Requirements
 
@@ -103,11 +103,11 @@ labels:
 
 ### Bind Mode
 
-If no `searchFilter` is specified in its configuration, the middleware runs in the default bind mode, meaning it tries to make a simple bind request to the LDAP server with the credentials provided in the request headers. If the bind succeeds, the middleware forwards the request, otherwise it returns a 401 Unauthorized status code.
+If no `searchFilter` is specified in its configuration, the middleware runs in the default bind mode, meaning it tries to make a simple bind request to the LDAP server with the credentials provided in the request headers. If the bind succeeds, the middleware forwards the request, otherwise, it returns a 401 Unauthorized status code.
 
 ### Search Mode
 
-If a `searchFilter` query is specified in the configuration, then the middleware runs in search mode. In this mode, a search query with the given filter is issued to the LDAP server before trying to bind. If `bindDN` and `bindPassword` have also been provided, then the search query will use this crentials. If result of this search returns only `1` record, it tries to issue a bind request with this record, otherwise it aborts a 401 Unauthorized status code.
+If a `searchFilter` query is specified in the configuration, then the middleware runs in search mode. In this mode, a search query with the given filter is issued to the LDAP server before trying to bind. If `bindDN` and `bindPassword` have also been provided, then the search query will use these credentials. If the result of this search returns only `1` record, it tries to issue a bind request with this record, otherwise, it aborts a 401 Unauthorized status code.
 
 ## Options
 
@@ -149,7 +149,7 @@ Needs `traefik` >= [`v2.8.5`](https://github.com/traefik/traefik/releases/tag/v2
 
 _Optional, Default: `super-secret-key`_
 
-The key used to criptography cookie session informations. You `must` use a strong value here.
+The key used to cryptography cookie session information. You `must` use a strong value here.
 
 ##### `useTLS`
 _Optional, Default: `false`_
@@ -159,12 +159,12 @@ Set to true if LDAP server should use an encrypted TLS connection, either with S
 ##### `startTLS`
 _Optional, Default: `false`_
 
-If set to true, instructs `ldapAuth` to issue a `StartTLS` request when initializing the connection with the LDAP server. This is not used if the `useTLS` option is set to `false`.
+If set to true, instruct `ldapAuth` to issue a `StartTLS` request when initializing the connection with the LDAP server. This is not used if the `useTLS` option is set to `false`.
 
 ##### `certificateAuthority`
 _Optional, Default: `""`_
 
-The `certificateAuthority` option should contain one or more PEM-encoded certificates to use to establish a connection with the LDAP server if the connection uses TLS but that the certificate was signed by a custom Certificate Authority.
+The `certificateAuthority` option should contain one or more PEM-encoded certificates to use to establish a connection with the LDAP server if the connection uses TLS but the certificate was signed by a custom Certificate Authority.
 
 
 Example:
@@ -194,21 +194,21 @@ When `useTLS` is enabled, the connection to the LDAP server is verified to be se
 
 _Optional, Default: `cn`_
 
-The attribute used to bind a user in [`Bind Mode`](#bind-mode). Bind queries use this pattern: `<attribute>=<username>,<baseDN>`, where the username is extracted from the request header. If [`AllowedGroups`](#allowedGroups) option was used in [`Bind Mode`](#bind-mode), the same pattern is added when searching if the user belongs to group.
+The attribute used to bind a user in [`Bind Mode`](#bind-mode). Bind queries use this pattern: `<attribute>=<username>,<baseDN>`, where the username is extracted from the request header. If [`AllowedGroups`](#allowedGroups) option was used in [`Bind Mode`](#bind-mode), the same pattern is added when searching if the user belongs to the group.
 
 ##### `searchFilter`
 
 _Optional, Default: `""`_
 
 If not empty, the middleware will run in [`Search Mode`](#search-mode), filtering search results with the given query.
 
-Filter queries can use the `{{.Option}}` format, from [text/template](https://pkg.go.dev/text/template#pkg-overview) go package, as placeholders that are replaced by the equivalent value from config. Additionaly, the username provided in the Authorization header of the request can also be used.
+Filter queries can use the `{{.Option}}` format, from [text/template](https://pkg.go.dev/text/template#pkg-overview) go package, as placeholders that are replaced by the equivalent value from config. Additionally, the username provided in the Authorization header of the request can also be used.
 
 For example: `(&(objectClass=inetOrgPerson)(gidNumber=500)({{.Attribute}}={{.Username}}))`.
 
 Will be replaced to: `(&(objectClass=inetOrgPerson)(gidNumber=500)(uid=tesla))`.
 
-Note1: All filters options must be start with Uppercase to be replaced correctly.
+Note1: All filter options must start with Uppercase to be replaced correctly.
 
 Note2: `searchFilter` must **not** escape curly braces when using [labels](examples/conf-from-labels.yml).
 
@@ -232,7 +232,7 @@ The domain name to bind to in order to authenticate to the LDAP server when runn
 
 _Optional, Default: `""`_
 
-The password corresponding to the `bindDN` specified when running in [`Search Mode`](#search-mode), used in order to authenticate to the LDAP server.
+The password corresponding to the `bindDN` specified when running in [`Search Mode`](#search-mode), is used in order to authenticate to the LDAP server.
 
 ##### `forwardUsername`
 
@@ -250,7 +250,7 @@ Name of the header to put the username in when forwarding it. This is not used i
 
 _Optional, Default: `false`_
 
-The `forwardAuthorization` option determines if the authorization header will be forwarded or stripped from the request after it has been approved by the middleware. `Attention`, enabling this option may expose the password of the LDAP user who is making the request.
+The `forwardAuthorization` option determines if the authorization header will be forwarded or stripped from the request after the middleware has approved it. `Attention`, enabling this option may expose the password of the LDAP user who is making the request.
 
 ##### `forwardExtraLDAPHeaders`
 
@@ -276,6 +276,8 @@ Needs `traefik` >= [`v2.8.2`](https://github.com/traefik/traefik/releases/tag/v2
 
 _Optional, Default: `[]`_
 
-The list of LDAP group DNs that users must be members of to be granted access. If a user is in any one of the listed groups, then that user is granted access.
+The list of LDAP group DNs that users must be members of to be granted access. If a user is in any of the listed groups, then that user is granted access.
 
-If setted to an empty list will allow all users that have an LDAP account to log in, without performing any group membership checks.
+If set to an empty list, all users with an LDAP account can log in, without performing any group membership checks.
+
+`allowedGroups` is not supported with labels, because multiple value labels are separated with commas. You must use `toml` or `yaml` configuration file. For more details, check [examples](https://github.com/wiltonsr/ldapAuth/tree/main/examples) page.