Initial writing about chroot mode

doc/man/man8/slapd.8

@@ -251,7 +251,12 @@ used as a security mechanism, it should be used in conjunction with
 .B \-u
 and
 .B \-g
-options.
+options.  The chroot directory must contain the Cyrus SASL plugins, the
+TLS certificates, dev/urandom.  For Kerberos V: the keytab and the /var/tmp
+directory, unless the value of the variable KRB5RCACHEDIR is changed.
+For systemd service with type=notify the file /run/systemd/notify within
+the chroot must be bind-mounted to /run/systemd/notify outside chroot.
+The file can be mounted on ExecStartPre= and unmounted in ExecStartPost=.
 .TP
 .BI \-u \ user
 .B slapd