OPNsense Forum

English Forums => 25.7, 25.10 Legacy Series => Topic started by: Al Muckart on March 20, 2026, 06:07:36 AM

Title: OPNcentral Overwriting API Keys
Post by: Al Muckart on March 20, 2026, 06:07:36 AM
The documentation for opncentral (https://docs.opnsense.org/vendor/deciso/opncentral.html#users-groups) says:
> When users and groups are synchronized, the existing api key+secret is merged into the user with the same name to prevent access issues after reconfigure. To avoid issues, make sure there's a unique username with proper credentials before using the synchronization.

What conditions are required to make this work?

Running OPNcentral on OPNsense 25.10.2_4-amd64, if I have an 'opncentral' user on the firewall being managed, and I generate an API for that user and use it to connect to the firewall from OPNcentral, as soon as I provision the managed firewall the API key either gets erased if there isn't one on the OPNcentral machine, or overwritten by the one on the OPNcentral machine if there is. That immediately breaks access to the managed device until I regenerate an API key and add it back in to OPNcentral.

It seems like this is not the intended behaviour, but I can't figure out what the settings need to be to make this work.

Can anyone enlighten me?

Thanks.
Title: Re: OPNcentral Overwriting API Keys
Post by: franco on March 20, 2026, 12:26:54 PM
Don't sync users if you want to keep the local copies or use different usernames here.


Cheers,
Franco
Title: Re: OPNcentral Overwriting API Keys
Post by: Al Muckart on March 23, 2026, 03:38:06 AM
Hi Franco,

Thanks for the reply.

Quote from: franco on March 20, 2026, 12:26:54 PM
> Don't sync users if you want to keep the local copies or use different usernames here.

If that is the case, I think the documentation needs to be updated to be explicit about this.

Currently it says the existing API key+secret (I assume this means the one on the machine, but that's ambiguous as the docs are written) will be merged - which is the correct and sensible behaviour - but that isn't happening and access breaks as soon as you sync users.

This is a major flaw for something billed as a central management solution.
Title: Re: OPNcentral Overwriting API Keys
Post by: Monviech (Cedrik) on March 23, 2026, 05:59:14 AM
I think the key merging should work.

I remember there was an issue there in an earlier version but that was fixed.

Can you give step by step reproduction so it can be evaluated? (try to be as precise as possible, with the names and everything)

1. Do this
2. Do that
3. Result
4. Expected result
Title: Re: OPNcentral Overwriting API Keys
Post by: franco on March 24, 2026, 08:31:58 AM
> This is a major flaw for something billed as a central management solution.

Let's agree to the fact that whoever makes the first bug report gets this fixed?

I went through the code and found a typo in the API key sync code.

You can install the new extension on the target system and see if that fixes it:

# opnsense-revert -z os-OPNBEcore

(it should update to 1.7_4 from 1.7_3)


Cheers,
Franco
Title: Re: OPNcentral Overwriting API Keys
Post by: Al Muckart on April 14, 2026, 09:43:49 AM
Apologies Franco, I completely missed that you'd replied.

Thank you for the fix.

I've applied that extension on my test firewall and it does prevent the API key from being overwritten.

It does leave the 'Users and groups' section always marked as out of sync though.

Thanks again.
Title: Re: OPNcentral Overwriting API Keys
Post by: franco on April 14, 2026, 10:58:33 AM
> It does leave the 'Users and groups' section always marked as out of sync though.

This is expected at the moment.  We will work on a better config diff/hash strategy in the future.

The fix can be installed on 25.10.x as mentioned above.  It will be officially shipped in 26.4 tomorrow.



Cheers,
Franco
Title: Re: OPNcentral Overwriting API Keys
Post by: Al Muckart on April 22, 2026, 01:20:13 AM
Brilliant, thank you.