SR OS supports local and LDAP public key storage, the order of which is configured using the config>system>security>password>authentication-order command.
If the client chooses the public key and LDAP is first in authentication order, then the SR OS will try to authenticate using public key retrieval from the LDAP server. If the public key retrieval from LDAP server fails and exit-on-reject was not configured, the SR OS will try the next method (local) in authentication order for the public key. If the next method also fails, a user authentication fail message will be sent to the client.
If the public key retrieval from the LDAP server fails and exit-on-reject is configured, the SR OS will not try the next method in the authentication order. A user authentication fail message will be sent to the client. At this point, the client can be configured to only use public key authentication, or use both public key authentication followed by password authentication. If the client is configured to use password authentication, it will go through the authentication order again, (for example, it will try all the configured methods in the configured authentication-order) as long as exit-on-reject is not configured.