diff --git a/docs/extensions/idm/_index.md b/docs/extensions/idm/_index.md
index 19306118e6..9f926ade2b 100644
--- a/docs/extensions/idm/_index.md
+++ b/docs/extensions/idm/_index.md
@@ -10,6 +10,20 @@ geekdocCollapseSection: true
## Abstract
+The IDM service provides a minimal LDAP Service (based on https://github.com/libregraph/idm) for oCIS. It is started as part of
+the default configuration and serves as a central place for storing user and group information.
+
+It is mainly targeted at small oCIS installations. For larger setups it is recommended to replace IDM with a "real" LDAP server
+or to switch to an external Identity Management Solution.
+
+IDM listens on port 9325 by default. In the default configuration it only accepts TLS protected connections (LDAPS). The BaseDN
+of the LDAP tree is `o=libregraph-idm`. IDM gives LDAP write permissions to a single user
+(DN: `uid=libregraph,ou=sysusers,o=libregraph-idm`). Any other authenticated user has read-only access. IDM stores its data in a
+[boltdb](https://github.com/etcd-io/bbolt) file `idm/ocis.boltdb` inside the oCIS base data directory.
+
+Note: IDM is limited in its functionality. It only supports a subset of the LDAP operations (namely BIND, SEARCH, ADD, MODIFY, DELETE).
+Also IDM currently does not do any Schema Verification (e.g. structural vs. auxiliary Objectclasses, require and option Attributes,
+Syntax Checks, ...). So it's not meant as a general purpose LDAP server.
## Table of Contents
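Review bot: The default port stated in this abstract does not match the rest of the patch: `+IDM listens on port 9325 by default.` says 9325, while the ldapsearch examples in the new configuration_hints.md and the removed setup.md both connect to `ldaps://127.0.0.1:9235` / `ldaps://localhost:9235`; one of these is a typo, please align all three on the actual default. The permission model paragraph covers only authenticated binds ("Any other authenticated user has read-only access"); since the service is LDAPS-only and exposed on a port, state explicitly whether anonymous binds are accepted and what they can read, because that is the first question an operator will ask. Wording in the limitations note: "require and option Attributes" should read "required and optional attributes", and "Schema Verification", "Syntax Checks" and "LDAP Service" do not need capitals.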
diff --git a/docs/extensions/idm/configuration_hints.md b/docs/extensions/idm/configuration_hints.md
new file mode 100644
index 0000000000..67c61efced
--- /dev/null
+++ b/docs/extensions/idm/configuration_hints.md
@@ -0,0 +1,49 @@
+---
+title: Configuration Hints
+date: 2022-04-27:00:00+00:00
+weight: 20
+geekdocRepo: https://github.com/owncloud/ocis
+geekdocEditPath: edit/master/docs/extensions/idm
+geekdocFilePath: configuration_hints.md
+geekdocCollapseSection: true
+---
+
+## TLS Server Certificates
+By default IDM generates a self-signed certificate and key on first startup to be
+able to provide TLS protected services. The certificate is stored in
+`idm/ldap.crt` inside the oCIS base data directory. The key is in
+`idm/ldap.key` in the same directory. You can use a custom server
+certificate by setting the `IDM_LDAPS_CERT` and `IDM_LDAPS_KEY`.
+
+## Default / Demo Users
+On startup IDM creates a set of default services users that are needed
+internally to provide access to IDM to other oCIS services. These users are stored
+in a separate subtree. The base DN of that subtree is:
+`ou=sysusers,o=libregraph-idm`. The service users are:
+
+* `uid=libregraph,ou=sysusers,o=libregraph-idm`: This is the only user with write
+ access to the LDAP tree. It is used by the Graph service to lookup, create, delete and
+ modify users and groups.
+* `uid=idp,ou=sysusers,o=libregraph-idm`: This user is used by the IDP service to
+ perform user lookups for authentication.
+* `uid=reva,ou=sysusers,o=libregraph-idm`: This user is used by the "reva" services
+ `user`, `group` and `auth-basic`.
+
+IDM is also able to create [Demo Users](../../../ocis/getting-started/demo-users)
+upon startup.
+
+## Access via LDAP command line tools
+For testing purposes it is sometimes helpful to query IDM using the ldap
+command line clients. To e.g. list all users, this command can be used:
+
+```
+ldapsearch -x -H ldaps://127.0.0.1:9235 -x -D uid=libregraph,ou=sysusers,o=libregraph-idm -w idm -b o=libregraph-idm objectclass=inetorgperson
+```
+
+When using the default configuration with the self-signed server certificate
+you might need to switch off the Certificate Validation using `LDAPTL_REQCERT` env
+variable:
+
+```
+LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://127.0.0.1:9235 -x -D uid=libregraph,ou=sysusers,o=libregraph-idm -w idm -b o=libregraph-idm objectclass=inetorgperson
+```
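Review bot: The environment variable in the prose is misspelled: `LDAPTL_REQCERT` should be `LDAPTLS_REQCERT`, which is what the command below it actually uses. In the same section both ldapsearch invocations pass `-x` twice and put the bind password on the command line with `-w idm`, which lands in shell history and process listings; prefer `-W` (interactive prompt) or `-y <password-file>`. Rather than recommending `LDAPTLS_REQCERT=never`, which turns certificate validation off entirely, point readers at the certificate the "TLS Server Certificates" section says IDM generates, e.g. `LDAPTLS_CACERT=<ocis-base-dir>/idm/ldap.crt ldapsearch ...`, so validation stays on even against the self-signed certificate. The port `9235` used here disagrees with the `9325` given in the updated _index.md abstract. Smaller points: the front-matter date `2022-04-27:00:00+00:00` is missing the `T` separator (compare `2022-03-22T00:00:00+00:00` in the removed setup.md); "a set of default services users" should be "default service users"; and "by setting the `IDM_LDAPS_CERT` and `IDM_LDAPS_KEY`." should say these are environment variables and whether they take a file path or PEM content.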
diff --git a/docs/extensions/idm/setup.md b/docs/extensions/idm/setup.md
deleted file mode 100644
index 6d434dd605..0000000000
--- a/docs/extensions/idm/setup.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-title: Service Setup
-date: 2022-03-22T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/extensions/idm
-geekdocFilePath: setup.md
-geekdocCollapseSection: true
----
-
-{{< toc >}}
-
-## Using ocis with libregraph/idm
-
-Currently, oCIS still runs the accounts and glauth services to manage users. Until the default is switched
-to libregraph/idm, oCIS has to be started with a custom configuration in order to use libregraph/idm as
-the users and groups backend (this setup also disables the glauth and accounts service):
-
-
-```
-export GRAPH_IDENTITY_BACKEND=ldap
-export LDAP_URI=ldaps://localhost:9235
-export LDAP_INSECURE="true"
-export LDAP_USER_BASE_DN="ou=users,o=libregraph-idm"
-export LDAP_USER_SCHEMA_ID="ownclouduuid"
-export LDAP_USER_SCHEMA_MAIL="mail"
-export LDAP_USER_SCHEMA_USERNAME="uid"
-export LDAP_USER_OBJECTCLASS="inetOrgPerson"
-export LDAP_GROUP_BASE_DN="ou=groups,o=libregraph-idm"
-export LDAP_GROUP_SCHEMA_ID="ownclouduuid"
-export LDAP_GROUP_SCHEMA_MAIL="mail"
-export LDAP_GROUP_SCHEMA_GROUPNAME="cn"
-export LDAP_GROUP_SCHEMA_MEMBER="member"
-export LDAP_GROUP_OBJECTCLASS="groupOfNames"
-export GRAPH_LDAP_BIND_DN="uid=libregraph,ou=sysusers,o=libregraph-idm"
-export GRAPH_LDAP_BIND_PASSWORD=idm
-export GRAPH_LDAP_SERVER_WRITE_ENABLED="true"
-export IDP_INSECURE="true"
-export IDP_LDAP_BIND_DN="uid=idp,ou=sysusers,o=libregraph-idm"
-export IDP_LDAP_BIND_PASSWORD="idp"
-export IDP_LDAP_LOGIN_ATTRIBUTE=uid
-export PROXY_ACCOUNT_BACKEND_TYPE=cs3
-export OCS_ACCOUNT_BACKEND_TYPE=cs3
-export STORAGE_LDAP_BIND_DN="uid=reva,ou=sysusers,o=libregraph-idm"
-export STORAGE_LDAP_BIND_PASSWORD=reva
-export OCIS_RUN_EXTENSIONS=settings,storage-metadata,graph,graph-explorer,ocs,store,thumbnails,web,webdav,storage-frontend,storage-gateway,storage-userprovider,storage-groupprovider,storage-authbasic,storage-authbearer,storage-authmachine,storage-users,storage-shares,storage-public-link,storage-appprovider,storage-sharing,proxy,idp,nats,idm,ocdav
-export OCIS_INSECURE=true
-bin/ocis server
-```
-
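Review bot: Removing this file drops the only documentation of the default bind passwords for the three service users (`GRAPH_LDAP_BIND_PASSWORD=idm`, `IDP_LDAP_BIND_PASSWORD="idp"`, `STORAGE_LDAP_BIND_PASSWORD=reva`) and of the `LDAP_INSECURE` / `IDP_INSECURE` / `OCIS_INSECURE` switches, while the new configuration_hints.md only shows the `libregraph`/`idm` pair buried inside an ldapsearch example. Since IDM is now part of the default configuration, please carry a short section over into configuration_hints.md that lists the variables setting each service user's password (and the corresponding `IDM_*` settings on the IDM side, if such exist), makes clear that `idm`, `idp` and `reva` are well-known defaults that must be changed on any non-demo install, and states whether the `*_INSECURE` flags are still required now that IDM generates its own self-signed certificate.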
diff --git a/docs/ocis/getting-started/demo-users.md b/docs/ocis/getting-started/demo-users.md
index 5eba9483f5..15179f98bd 100644
--- a/docs/ocis/getting-started/demo-users.md
+++ b/docs/ocis/getting-started/demo-users.md
@@ -11,7 +11,7 @@ oCIS has the option to create demo users during the first startup. These enable
{{< hint info >}}
To create the demo users, run the initial setup step with an additional environment variable.
-`ACCOUNTS_DEMO_USERS_AND_GROUPS=true ./bin/ocis server` will generate the demo users listed in the table below. By default, it only generates the admin and one user for IDP and Reva respectively.
+`IDM_CREATE_DEMO_USERS=true ./bin/ocis server` will generate the demo users listed in the table below. By default, it only generates the admin and one user for IDP and Reva respectively.
{{< /hint >}}
Following users are available in the demo set:
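Review bot: Only the variable name was swapped; the second sentence of the changed line, "By default, it only generates the admin and one user for IDP and Reva respectively.", still describes the old accounts-service behaviour and should be checked against IDM. The new configuration_hints.md lists three default service users under `ou=sysusers,o=libregraph-idm` (`libregraph`, `idp`, `reva`) and does not mention an admin user being created on startup, so either document where the admin account comes from in the IDM setup or drop that sentence. Minor grammar in the unchanged context line: "Following users are available in the demo set:" should read "The following users are available in the demo set:".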
diff --git a/docs/ocis/static/ocis-services-communication.drawio.svg b/docs/ocis/static/ocis-services-communication.drawio.svg
index 809ba40251..06d30268e8 100644
--- a/docs/ocis/static/ocis-services-communication.drawio.svg
+++ b/docs/ocis/static/ocis-services-communication.drawio.svg
@@ -1,4 +1,4 @@
-
\ No newline at end of file
+
\ No newline at end of file