When multiple external authentication servers are linked, user authentication is performed in a redundant configuration or a multi-domain configuration.
A redundant configuration is used when each external authentication server manages the same user information. If a failure occurs on one external authentication server, user authentication can be performed by using another external authentication server.
A multi-domain configuration is used to manage different user information for each external authentication server. If a user logs in with a user ID that includes a domain name, the user will be authenticated by an external authentication server in the domain whose name is included in the user ID. When a Kerberos server is used as an external authentication server, you can create a configuration similar to a multi-domain configuration by managing different user information for each realm.
The following table shows external authentication servers for which redundant configurations and multi-domain configurations are supported.

| External authentication server | Redundant configuration | Multi-domain configuration |
|---|---|---|
| LDAP directory server | Y#1 | Y#1 |
| RADIUS server | Y | N |
| Kerberos server | Y | Y#2 |

- #1: You can use either a redundant configuration or a multi-domain configuration.
- #2: By managing different user information for each realm, you can create a configuration that is similar to a multi-domain configuration.

When an LDAP directory server is used for user authentication in a multi-domain configuration, the user authentication process varies depending on whether you log in by entering a user ID that includes a domain name.
If you log in with a user ID that includes a domain name, as in the following figure, user authentication will be performed by using the LDAP directory server of the specified domain.
If you log in with a user ID that does not include a domain name, user authentication will be performed sequentially on all LDAP directory servers that are linked until the user is authorized, as shown in the following figure. If a large number of LDAP directory servers are linked, user authentication will take a long time. For this reason, you should log in with a user ID that includes a domain name.
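
The following is an added example, not code from the product: a simplified Python model of the two login paths described above, showing which LDAP directory servers are contacted in each case. The `user@domain` ID form, the domain names, and the in-memory dictionaries that stand in for LDAP directory servers are assumptions made for illustration.

```python
import hmac

# Constructed sample data: three linked domains, each with its own users.
# Dictionary order stands in for the order in which servers are tried.
DIRECTORIES = {
    "example.com":      {"alice": "pw-a"},
    "lab.example.com":  {"bob": "pw-b"},
    "corp.example.com": {"carol": "pw-c", "alice": "pw-other"},
}

def split_user_id(user_id):
    """Return (user, domain); domain is None when the ID has no domain part.
    The user@domain form is an assumption of this example."""
    user, sep, domain = user_id.partition("@")
    if sep and domain:
        return user, domain.lower()
    return user_id, None

def authenticate(user_id, password, directories=DIRECTORIES):
    """Return (authenticated, domains contacted, in order)."""
    user, domain = split_user_id(user_id)
    if domain is not None:
        # Domain given: only that domain's server is consulted.
        if domain not in directories:
            return False, []
        candidates = [domain]
    else:
        # No domain: every linked server is tried until one accepts.
        candidates = list(directories)
    contacted = []
    for name in candidates:
        contacted.append(name)
        stored = directories[name].get(user)
        if stored is not None and hmac.compare_digest(stored, password):
            return True, contacted
    return False, contacted

if __name__ == "__main__":
    for uid, pw in [("bob@lab.example.com", "pw-b"), ("bob", "pw-b"),
                    ("alice", "pw-other"), ("dave", "x")]:
        ok, contacted = authenticate(uid, pw)
        print(f"{uid!r}: ok={ok}, servers contacted={contacted}")
```

In this model, a login without a domain name presents the credentials to each server in turn, so a user ID that exists in more than one domain (`alice` here) is rejected by one directory before another accepts it, and an unknown user ID is checked against every linked server.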