diff --git a/README.md b/README.md
index b7dc446f32b5270075bc96213d17d7742a207cf7..48b090ed7c1f007a0b518bb43ba18ff88044f5df 100644
--- a/README.md
+++ b/README.md
@@ -59,3 +59,52 @@ using its [dict proxy
 protocol](https://wiki2.dovecot.org/AuthDatabase/Dict).
 
 TODO: explain the lookup protocol.
+
+# Configuration
+
+The *keystored* daemon loads its configuration from a YAML-encoded
+file, */etc/keystore/config.yml* by default. It can contain the
+following attributes:
+
+* `sso_public_key_file`: path to the SSO Ed25519 public key
+* `sso_service`: SSO service for this application
+* `sso_domain`: SSO domain
+* `ldap`: LDAP backend configuration
+  * `uri`: LDAP server URI
+  * `bind_dn`: bind DN (for simple bind, SASL is not supported)
+  * `bind_pw`: bind password
+  * `bind_pw_file`: bind password (load from this file), in
+    alternative to *bind_pw*
+  * `query`: Parameters for the LDAP search query
+    * `search_base`: base DN for the search
+    * `search_filter`: search filter. The filter string may contain a
+      literal `%s` token somewhere, that will be replaced with the
+      (escaped) username.
+    * `scope`: search scope, one of *sub* (default), *one* or *base*
+    * `public_key_attr`: attribute that contains the user's public key
+    * `private_key_attr`: attribute that contains the user's encrypted
+      key(s)
+* `http_server`: HTTP server configuration
+  * `tls`: contains the server-side TLS configuration:
+    * `cert`: path to the server certificate
+    * `key`: path to the server's private key
+    * `ca`: path to the CA used to validate clients
+    * `acl`: specifies TLS-based access controls, a list of entries
+      with the following attributes:
+      * `path`: regular expression to match the request URL path
+      * `cn`: regular expression that must match the CommonName part
+        of the subject of the client certificate
+  * `max_inflight_requests`: maximum number of in-flight requests to
+    allow before server-side throttling kicks in
+
+The *dovecot-keylookupd* daemon uses a similar configuration, read by
+default from */etc/keystore/dovecot.yml*:
+
+* `ldap`: LDAP backend configuration, see above
+* `keystore`: configures the connection to the keystore service
+  * `url`: URL for the keystore service
+  * `tls_config`: client TLS configuration
+    * `cert`: path to the client certificate
+    * `key`: path to the private key
+    * `ca`: path to the CA used to validate the server
+
diff --git a/cmd/dovecot-keylookupd/main.go b/cmd/dovecot-keylookupd/main.go
index 8416d52ee12a718b42e65e1dff7025ee7356abd7..dcaca03078abc956fc3d4c6d244b30f9ac2f1d06 100644
--- a/cmd/dovecot-keylookupd/main.go
+++ b/cmd/dovecot-keylookupd/main.go
@@ -20,7 +20,7 @@ var (
 	configFile              = flag.String("config", "/etc/keystore/dovecot.yml", "path of config file")
 	socketPath              = flag.String("socket", "/run/dovecot-keystored/socket", "`path` to the UNIX socket to listen on")
 	systemdSocketActivation = flag.Bool("systemd-socket", false, "use SystemD socket activation")
-	requestTimeout          = flag.Duration("timeout", 5*time.Second, "timeout for incoming requests")
+	requestTimeout          = flag.Duration("timeout", 10*time.Second, "timeout for incoming requests")
 )
 
 // Read YAML config.
diff --git a/cmd/keystored/main.go b/cmd/keystored/main.go
index ad0bd1f986af34a09b77f9ba39536a75b27e227f..cc85387e51e1f99fbf8ab921a76080b4fadc2214 100644
--- a/cmd/keystored/main.go
+++ b/cmd/keystored/main.go
@@ -23,11 +23,11 @@ var (
 	configFile = flag.String("config", "/etc/keystore/config.yml", "path of config file")
 )
 
-// Config wraps the keystore.Config together with the server setup in
-// a single configuration object.
+// Config wraps the keystore server.Config together with the HTTP
+// server config in a single object for YAML deserialization.
 type Config struct {
-	KeyStoreConfig *server.Config           `yaml:"keystore"`
-	ServerConfig   *serverutil.ServerConfig `yaml:"http_server"`
+	server.Config `yaml:",inline"`
+	ServerConfig  *serverutil.ServerConfig `yaml:"http_server"`
 }
 
 func loadConfig() (*Config, error) {
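Review bot: Config files written for the previous layout, with the keystore settings nested under a top-level `keystore:` key, will no longer populate the embedded `server.Config` now that it is tagged `yaml:",inline"`. The body of loadConfig is outside this hunk, so the decoding mode is not visible; if it is non-strict, the stale `keystore:` block would be dropped silently and `server.NewKeyStore(&config.Config)` in the next hunk would receive a zero-valued config, where the old code would have passed a nil pointer. Consider strict decoding in loadConfig (with yaml.v2, `yaml.UnmarshalStrict`) or an explicit check that required settings such as `sso_public_key_file` are present, so that a daemon started with an old-format file fails at startup instead of running with empty SSO and LDAP settings. The doc comment on `Config` could also record the format change, e.g. `// The keystore settings are read from the top level of the YAML document, not from a "keystore" key.`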
@@ -52,7 +52,7 @@ func main() {
 		log.Fatal(err)
 	}
 
-	ks, err := server.NewKeyStore(config.KeyStoreConfig)
+	ks, err := server.NewKeyStore(&config.Config)
 	if err != nil {
 		log.Fatal(err)
 	}