Hello,
I hope I'm in the right place.
We're observing a very strange behavior on our OPNsense system.
Initial situation:
We synchronize users from our Active Directory to OPNsense via LDAPS. So when users log in through the portal, they are automatically created.
After that, they download their VPN configuration, connect via OpenVPN – everything works perfectly.
Our Setup:
Type: opnsense-business (active license)
Version: 25.4.3
HA-Cluster with 2 Nodes
Problem:
Three users – always the same ones – are being deleted every night at 01:00 AM.
Attached is a screenshot showing the related messages.
Does anyone have an idea how we can prevent this?
The users are still available in Active Directory; nothing has changed there.
Thank you very much!
best regards
Ronny
Oh - I'm sorry. I posted it under 25.7 :(
Maybe these users exist in the AD but not in the configured group/ou constraints that are configured for the authentication servers on OPNsense.
Did you verify the AD replication? Might be that there are some lingering objects and users exist on one DC but not on the other.
Hi there,
thank you for your answers.
Quote from: Monviech (Cedrik) on September 26, 2025, 12:33:05 PM:
Maybe these users exist in the AD but not in the configured group/ou constraints that are configured for the authentication servers on OPNsense.
The users are configured the same as all other users - there are 180 users with no problems.
Same groups and same auth servers.
Quote from: amichel on September 26, 2025, 01:50:08 PM:
Did you verify the AD replication? Might be that there are some lingering objects and users exist on one DC but not on the other.
We have 2 auth servers configured in OPNsense, with the same LDAPS backend server (our DC server).
One auth config is for first logon without OTP, and the second auth config is with OTP for VPN.
Is there anything different about the users compared to the other users, any certain characters in their usernames?
I cannot see any difference to other users. No special characters or anything like that.
They are very normal users.
If these users log on via the user web portal (and create their own OTP and download the OVPN config), they can use the OVPN the whole day. No problems with authentication via LDAPS the whole day.
So what problem does the OPNsense automation have every night?
And how can I stop this behavior?
BTW - it's very interesting that OPNsense has some cleanup job for old/deleted LDAP users (offboarded users).
Oh - I see, my screenshot is missing from my first post. Here it is again:
opnsense_delete_users.png
It's a feature of the business edition.
A bug is very unlikely, as the script that runs has been used and battle-tested for years.
A configuration issue or an edge case is the most likely cause.
To troubleshoot that, the Deciso business support channel would be the proper way to go (if you have a business support subscription).
Troubleshooting this without remote access is unfeasible due to the complicated nature of LDAP and the possible configuration combinations.
Thanks for your answers.
This night the user which I created manually yesterday is still alive.
But a new one was deleted :(
This one had appeared on the OPNsense for weeks...
How can I contact the Deciso business support? Is it here in the forum?
We only have the business subscription for OPNsense...
It's a paid subscription:
https://shop.opnsense.com/product-categorie/support/
The channel is email, and remote support can be done as well via Microsoft Teams and AnyDesk.
Thanks a lot.
BTW - I cannot find anything about this feature. No documentation about this "feature" - not in this forum or anywhere else.
Do you have an idea where I can look for it?
Many thanks :)
It's this script:
/usr/local/opnsense/scripts/OPNBEcore/ldap_sync_cleanup
And this cronjob:
crontab -e
#minute hour mday month wday command
0 1 * * * (configctl opnbe-core auth cleanup) > /dev/null
Good morning,
thanks a lot for your input.
I think we have found the/our issue:
All the users which were deleted have uppercase letters in our AD!
For example: RStein instead of rstein
We changed the UPN of these users this morning and will wait for tomorrow morning.
(Or can I run the script with:
configctl opnbe-core auth cleanup
directly from the CLI?)
regards
Ronny
Hello, in the authentication server (System - Access - Servers) there should be an option "Match case insensitive".
This might do the same as changing the UPN of the users.
You can run the script via:
# configctl opnbe-core auth cleanup
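To illustrate the case-sensitivity effect found in this thread, here is an added example (not the OPNsense ldap_sync_cleanup script, whose internals are not shown in the thread): a dry run that compares locally synced usernames against the names returned by the directory, under the assumption that the cleanup treats a local user as stale when no directory entry has the same username, either exactly or case-insensitively. The usernames are constructed sample data.

```python
"""Dry run of an LDAP-sync cleanup decision (added illustration, not the
OPNsense ldap_sync_cleanup script). Assumption: a synced local user is
considered stale when no directory entry carries the same username,
compared exactly or case-insensitively ("Match case insensitive")."""
from dataclasses import dataclass, field
from typing import Iterable, List

# Constructed sample data: locally created (synced) OPNsense users and the
# account names as returned by the directory. Not taken from the thread.
LOCAL_USERS = ["rstein", "mmueller", "jdoe", "old.account"]
DIRECTORY_USERS = ["RStein", "mmueller", "JDoe", "anewuser"]


@dataclass(frozen=True)
class CleanupReport:
    stale: List[str] = field(default_factory=list)      # would be removed
    case_only: List[str] = field(default_factory=list)  # removed only due to letter case


def cleanup_dry_run(local: Iterable[str], directory: Iterable[str],
                    case_insensitive: bool = False) -> CleanupReport:
    """Return which local users the cleanup would delete in the given matching mode."""
    exact = set(directory)
    folded = {name.lower() for name in exact}
    stale: List[str] = []
    case_only: List[str] = []
    for user in sorted(local):
        if case_insensitive:
            present = user.lower() in folded
        else:
            present = user in exact
        if present:
            continue
        stale.append(user)
        # The account does exist in the directory, just with different letter case:
        # this is the mismatch the "Match case insensitive" option avoids.
        if user.lower() in folded:
            case_only.append(user)
    return CleanupReport(stale=stale, case_only=case_only)


if __name__ == "__main__":
    strict = cleanup_dry_run(LOCAL_USERS, DIRECTORY_USERS)
    relaxed = cleanup_dry_run(LOCAL_USERS, DIRECTORY_USERS, case_insensitive=True)
    print("case-sensitive would delete  :", strict.stale)
    print("  of which case-only         :", strict.case_only)
    print("case-insensitive would delete:", relaxed.stale)
```

Running the dry run against your own user and directory lists before the 01:00 cleanup shows which accounts are at risk and whether case alone explains them.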
Hi,
Quote from: Monviech (Cedrik) on September 29, 2025, 11:07:32 AM:
Hello, in the authentication server (System - Access - Servers) there should be an option "Match case insensitive".
I changed it yesterday on both LDAP server configs - no user was deleted this morning :)
It looks very good - thank you a lot.
regards
Ronny