Chapter 13 User Databases
Generic LDAP
13-36
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Note With this option, Cisco Secure ACS submits usernames that are
non-domain qualified, too. Usernames are not required to be domain
qualified to be submitted to an LDAP server.
LDAP Failover
Cisco Secure ACS supports failover between a primary LDAP server and
secondary LDAP server. In the context of LDAP authentication with Cisco Secure
ACS, failover applies when an authentication request fails because Cisco Secure
ACS could not connect to an LDAP server, such as when the server is down or is
otherwise unreachable by Cisco Secure ACS. To use this feature, you must define
the primary and secondary LDAP servers on the LDAP Database Configuration
page. Also, you must select the On Timeout Use Secondary check box. For more
information about configuring an LDAP external user database, see Configuring
a Generic LDAP External User Database, page 13-43.
If the On Timeout Use Secondary check box is selected, and if the first LDAP
server that Cisco Secure ACS attempts to contact cannot be reached, Cisco Secure
ACS always attempts to contact the other LDAP server. The first server
Cisco Secure ACS attempts to contact may not always be the primary LDAP
server. Instead, the first LDAP server that Cisco Secure ACS attempts to contact
depends on the previous LDAP authentication attempt and on the value specified
in the Failback Retry Delay box.
Successful Previous Authentication with the Primary LDAP Server
If, on the previous LDAP authentication attempt, Cisco Secure ACS successfully
connected to the primary LDAP server, Cisco Secure ACS attempts to connect to
the primary LDAP server. If Cisco Secure ACS cannot connect to the primary
LDAP server, Cisco Secure ACS attempts to connect to the secondary LDAP
server.
If Cisco Secure ACS cannot connect with either LDAP server, Cisco Secure ACS
stops attempting LDAP authentication for the user. If the user is an unknown user,
Cisco Secure ACS tries the next external user database listed in the Unknown
User Policy list. For more information about the Unknown User Policy list, see
About Unknown User Authentication, page 15-4.