diff --git a/examples/server_container.toml b/examples/server_container.toml
index ce4154de3..71c239fc0 100644
--- a/examples/server_container.toml
+++ b/examples/server_container.toml
@@ -1,10 +1,12 @@
 # The webserver bind address. Will use HTTPS if tls_*
-# is provided.
+# is provided. If set to 443 you may require the
+# NET_BIND_SERVICE capability.
 # Defaults to "127.0.0.1:8443"
 bindaddress = "[::]:8443"
 #
 # The read-only ldap server bind address. The server
-# will use LDAPS if tls_* is provided.
+# will use LDAPS if tls_* is provided. If set to 636
+# you may require the NET_BIND_SERVICE capability.
 # Defaults to "" (disabled)
 # ldapbindaddress = "[::]:3636"
 #
@@ -92,4 +94,4 @@ origin = "https://idm.example.com:8443"
 # schedule = "03 */6 * * *"
 # Number of backups to keep (default 7)
 # versions = 7
-#
\ No newline at end of file
+#
diff --git a/kanidm_book/src/server_configuration.md b/kanidm_book/src/server_configuration.md
index 06984f8bd..6e139d839 100644
--- a/kanidm_book/src/server_configuration.md
+++ b/kanidm_book/src/server_configuration.md
@@ -35,5 +35,14 @@ Then you can setup the initial admin account and initialise the database into yo
 Now we can run the server so that it can accept connections. This defaults to using `-c /data/server.toml`
- docker run -p 8443:8443 -v kanidmd:/data kanidm/server:latest
+ docker run -p 443:8443 -v kanidmd:/data kanidm/server:latest
+
+### Using the NET\_BIND\_SERVICE capability
+
+If you plan to run without using docker port mapping or some other reverse proxy, and your bindaddress
+or ldapbindaddress port is less than `1024` you will need the `NET_BIND_SERVICE` in docker to allow
+these port binds. You can add this with `--cap-add` in your docker run command.
+
+ docker run --cap-add NET_BIND_SERVICE --network [host OR macvlan OR ipvlan] \
+ -v kanidmd:/data kanidm/server:latest
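Review bot: The new comment on `bindaddress` (and the parallel one on `ldapbindaddress`) names only 443 and 636, but the condition is any port below 1024, and the capability only matters when the server process is not already running as root; the book hunk in this same commit states the `1024` threshold, so the example file should agree with it rather than give two specific ports. Suggest `# Binding a port below 1024 (e.g. 443) requires the NET_BIND_SERVICE capability when the server runs unprivileged; grant that single capability rather than running as root.` for the webserver block, and the same wording with 636 for the LDAP block. Separately, the example sets `bindaddress = "[::]:8443"` while the comment says the default is `127.0.0.1:8443`; since this is the container example, a short comment that the all-interfaces bind is deliberate for the container network and should be narrowed for a bare-metal install would stop the value being copied unchanged.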