Messages - Evert

#1
Quote from: franco on October 01, 2025, 12:16:02 PM
Well, the idea is that when you save your LDAP authentication settings in 25.4.3 you likely get a validation error that prompts you to either allow the memberOf sync checkbox and/or set a default group.


Ah! Yup, after I set a default group I can log in with my LDAP account again. Thanks! :)
#2
Does this mean I need to change something in my configuration after updating to 25.4.3 for things to work?
#3
Looks like the bug is still present in 25.4.3?

I just updated our backup unit 25.4 -> 25.4.3, and I'm unable to log in with the LDAP-connected account. Only local user account works.
#4
Quote from: franco on August 14, 2025, 08:17:22 AM
Whatever version you're on is fine. This is output from the current config.xml.


You got email :)
#5
Quote from: franco on August 13, 2025, 03:29:11 PM
Hi Evert,

Would you mind sharing the following output with us privately? Either forum PM or via mail franco@opnsense.org

# pluginctl -g system.group



Sure, no problem. Does it matter that I reverted to 25.4.1? I can update to 25.4.2 again temporarily, if that gives you the proper output.
#6
Quote from: franco on August 13, 2025, 02:49:42 PM
Ok, progress :)

You can update back to 25.4.2 now and apply the patch again on your end to avoid the bad behaviour for now and we'll have a closer look internally.


Thanks  :)

I created a snapshot before updating to 25.4.2, so I think I'll revert to 25.4.1 for now, to keep our OPNsense units on the same version.
#7
opnsense-patch https://github.com/opnsense/core/commit/5d4317ee21be31
Fetched 5d4317ee21be31 via https://github.com/opnsense/core
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|From 5d4317ee21be317700ebef5eff9fdd395aa71863 Mon Sep 17 00:00:00 2001
|From: Ad Schellevis <ad@opnsense.org>
|Date: Mon, 9 Jun 2025 18:52:02 +0200
|Subject: [PATCH] Auth: regression in setGroupMembership() introduced with
| https://github.com/opnsense/core/pull/8046
|
|As members are comma separated now, we should split them before processing. To keep old and new formats (arrays/csv) compatible as we now do in the rest of the codebase, we normalize arrays with cvs strings into a single list of members.
|---
| src/opnsense/mvc/app/library/OPNsense/Auth/Base.php | 3 ++-
| 1 file changed, 2 insertions(+), 1 deletion(-)
|
|diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/Base.php b/src/opnsense/mvc/app/library/OPNsense/Auth/Base.php
|index a9e545a9a6f..fe3c52d4070 100644
|--- a/src/opnsense/mvc/app/library/OPNsense/Auth/Base.php
|+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/Base.php
--------------------------
Patching file opnsense/mvc/app/library/OPNsense/Auth/Base.php using Plan A...
Hunk #1 succeeded at 156.
done
All patches have been applied successfully.  Have a nice day.

Patch applied. Rebooted.

Yup, that's the one! Now I can't log in with evertm anymore. If I add evertm back to Admins, and then try to log in again, he gets removed from Admins.
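The normalisation the patch message above describes, as an added PHP illustration that is not OPNsense's own Base.php code: group members may now arrive either as an array of names or as comma-separated strings, and have to be split into one flat list before membership is compared. The member lists below are constructed samples.

```php
<?php
// Added illustration, not OPNsense's own code: flatten group member lists that
// may arrive as plain arrays and/or comma-separated strings (the mixed formats
// the patch message above describes) before any membership comparison.

/**
 * Normalise a member list that may mix plain names and CSV strings into one
 * de-duplicated, trimmed list of member names.
 */
function normalizeMembers($members): array
{
    if (!is_array($members)) {
        $members = [$members];
    }
    $result = [];
    foreach ($members as $entry) {
        foreach (explode(',', (string)$entry) as $name) {
            $name = trim($name);
            if ($name !== '' && !in_array($name, $result, true)) {
                $result[] = $name;
            }
        }
    }
    return $result;
}

// Constructed sample: the same "admins" membership in the old (array) and the
// new (csv) storage format.
$oldFormat = ['root', 'evertm'];
$newFormat = ['root,evertm'];

// Without normalisation the CSV entry is one opaque string, so a membership
// check does not find 'evertm', and a sync step comparing the two lists would
// treat him as no longer a member.
$rawHit  = in_array('evertm', $newFormat, true);
$normHit = in_array('evertm', normalizeMembers($newFormat), true);
$same    = normalizeMembers($oldFormat) === normalizeMembers($newFormat);

printf("raw csv lookup: %s\n", var_export($rawHit, true));
printf("normalised lookup: %s\n", var_export($normHit, true));
printf("old and new formats agree: %s\n", var_export($same, true));
```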
#8
Quote from: franco on August 13, 2025, 12:47:43 PM
Ok, let's try to narrow down the issue by reverting the core package to the previous version:

# opnsense-revert -r 25.4.1 opnsense-business

If it's still not working it wasn't 25.4.2 but if it works again we can go through the commits.


Applied:
Fetching opnsense-business.pkg: ... done
Verifying signature with trusted certificate pkg.opnsense.org.20241217... done
opnsense-business-25.4.2: already unlocked
Installing opnsense-business-25.4.1...
package opnsense-business is already installed, forced install
Extracting opnsense-business-25.4.1: 100%
Updating /etc/shells
Registering root shell
Hooking into /etc/rc
Hooking into /etc/rc.shutdown
configd already running?  (pid=84996).
>>> Invoking update script 'refresh.sh'
Writing firmware settings: FreeBSD OPNsense
Writing trust files...done.
Scanning /usr/share/certs/untrusted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Scanning /usr/local/share/certs for certificates...
certctl: No changes to trust store were made.
Writing trust bundles...done.
Configuring login behaviour...done.
Configuring cron...done.
Configuring system logging...done.
=====
Message from opnsense-business-25.4.1:

--
What are you looking at?

After the revert I have done a reboot. Now I can log in again with the AD user evertm.

(I had to add evertm to the admins group again, but now he remains in the group when I log in with the AD user)
#9
Nope, no 'Synchronize groups'...

#10
Quote from: franco on August 13, 2025, 09:38:15 AM
I'm not aware of a bug, but there have been bug-related patches. Are you using a group sync? It may remove the admin group from your user which means you don't have any privileges to view any GUI page.


Hi Franco,
No, group sync is not enabled, as far as I can tell.

I did spot this in the Audit log just now. Don't know whether it's relevant:
2025-08-13T09:54:44    Notice    audit    User: policy change for evertm unlink group admins
Hmm, I do see on System: Access: Users that user evertm is no longer a member of group admins. When I add it back to the group admins, and try to log in as evertm, the group membership gets stripped again.
#11
Hi all,

After upgrading from 25.4.1 to 25.4.2 AD login no longer works. When I log in as local user I see that the AD user does get authenticated successfully, but then logs out right away.

The output of System: Access: Tester is different as well:

25.4.1:
User: evertm authenticated successfully.
This user is a member of these groups:
admins

Attributes received from server:
[more stuff]

25.4.2:
User: evertm authenticated successfully.

This user is a member of these groups:

May access the following locations, depending on source address:
Uri   Networks

Attributes received from server:
[more stuff]

How do I fix this? Any pointers?
#12
Intrusion Detection and Prevention / threshold.conf
July 10, 2025, 10:35:56 AM
Hi,

Is it possible to modify threshold.conf via the GUI? If not, are there plans to implement this?


Oh, and do modifications to /usr/local/etc/suricata/threshold.config survive an update of OPNsense?
#13
Virtual private networks / Stale peers in Wireguard
April 24, 2025, 07:31:37 AM
Hi all,

When we were on OPNsense BE 24.10.2, Wireguard worked flawlessly. Now, after upgrading to 25.4, it still works flawlessly, but... when a peer goes offline they don't switch from 'Online' to 'Offline', but from 'Online' to 'Stale'...

Just a minor issue, I know. But still... 

Is this something I can fix, or is this how it will be from now on?  ;-)
#14
I see that a hotfix has been released, version 24.10.2_6

Does this hotfix resolve the issues in this thread?
#15
Quote from: franco on February 12, 2025, 08:08:21 AM
The current suspicion is around os-mdns-repeater plugin, which apparently causes a lot of packets and associated states and lookup operations.


Cheers,
Franco

We have a DEC2750 v2, and we use the os-mdns-repeater plugin. Should we hold off on installing 24.10.2 for now?