diff --git a/doc/sample.config b/doc/sample.config
index 2a72bc02..af2c4fc8 100644
--- a/doc/sample.config
+++ b/doc/sample.config
@@ -220,8 +220,9 @@ try-mtu-discovery = false
 cert-user-oid = 0.9.2342.19200300.100.1.1
 
 # The object identifier that will be used to read the user group in the 
-# client  certificate. The object identifier should be part of the certificate's
-# DN. Useful OIDs are: 
+# client certificate. The object identifier should be part of the certificate's
+# DN. If the user may belong to multiple groups, then use multiple such fields
+# in the certificate's DN. Useful OIDs are: 
 #  OU (organizational unit) = 2.5.4.11 
 #cert-group-oid = 2.5.4.11
 
diff --git a/src/ocserv-args.def b/src/ocserv-args.def
index fa9117c8..e62bfd56 100644
--- a/src/ocserv-args.def
+++ b/src/ocserv-args.def
@@ -324,8 +324,9 @@ try-mtu-discovery = false
 #cert-user-oid = 0.9.2342.19200300.100.1.1
 
 # The object identifier that will be used to read the user group in the 
-# client  certificate. The object identifier should be part of the certificate's
-# DN. Useful OIDs are: 
+# client certificate. The object identifier should be part of the certificate's
+# DN. If the user may belong to multiple groups, then use multiple such fields
+# in the certificate's DN. Useful OIDs are: 
 #  OU (organizational unit) = 2.5.4.11 
 #cert-group-oid = 2.5.4.11