I don't think using multiple domains solves the problem here though. Employees are not using LDAP, but Cache authentication. If I were to enable LDAP, it's going to lead to cascading authentication, and LDAP has higher priority, so, according to documentation, Cache will try to authenticate via LDAP first, fail, log the error and then attempt the next option, which will be Cache Authentication.