LDAP Authentication

Started by ericdude101, February 23, 2017, 10:32:29 PM

February 23, 2017, 10:32:29 PM Last Edit: February 23, 2017, 11:03:24 PM by ericdude101
I just finished setting up LDAP, which so far is flaky at best. The first major thing I notice is that it is fully manual. Although it binds to users, I still have to manually add each user rather than it monitoring or checking a user against a security group membership for permissions.

The second thing I notice that is a major concern is that all the information it uses seems to be cached. I am able to import a user and log in, but if I disable the user in AD afterwards, they can still log in without issues. I changed the password for one of these users and was able to log in using the new password as well as the old interchangeably, another major security concern.

Is there a way to clean this functionality up or should I just disable all LDAP based access on the system?


May I also add that an AD administrative user (added to the admin group in the GUI and given all rights) still cannot make a number of changes. For example, when I tried to delete a static route, I didn't get an error but it wasn't deleted, but it works fine as root. Same with any changes made in the system access section: no error, but no change.

LDAP passwords aren't cached/saved; however, you can choose to fall back to a local password (which can be set manually in the GUI).
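As an added illustration of how a local-password fallback produces exactly the symptoms described in this thread (old and new password both accepted, a disabled directory account still logging in), here is a small simulation; it is not OPNsense code, and the directory, the local store and the account names are all constructed for the example.

```python
import hashlib
import hmac

# Constructed stand-in for the directory: username -> (current password, enabled flag).
# alice's password was rotated to "NewPass2017"; bob was disabled after being imported.
DIRECTORY = {"alice": ("NewPass2017", True), "bob": ("BobPass", False)}

_SALT = b"constructed-salt"  # fixed salt so the example is deterministic


def _hash(password: str) -> bytes:
    """Salted PBKDF2 hash of a password, as a local user store would keep it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed local fallback store, i.e. the passwords that were set manually in the
# GUI at import time and never rotated: alice still has her OLD password here.
LOCAL_STORE = {"alice": _hash("OldPass2016"), "bob": _hash("BobPass")}


def ldap_bind(user: str, password: str) -> bool:
    """Simulated simple bind: succeeds only for an enabled account with the current password."""
    entry = DIRECTORY.get(user)
    if entry is None:
        return False
    current_password, enabled = entry
    return enabled and hmac.compare_digest(current_password.encode(), password.encode())


def authenticate(user: str, password: str, local_fallback: bool):
    """Return which backend accepted the login ("ldap" or "local"), or None if rejected."""
    if ldap_bind(user, password):
        return "ldap"
    if local_fallback and user in LOCAL_STORE:
        if hmac.compare_digest(LOCAL_STORE[user], _hash(password)):
            return "local"
    return None


if __name__ == "__main__":
    for fallback in (True, False):
        print(f"local fallback = {fallback}")
        print("  alice / new password ->", authenticate("alice", "NewPass2017", fallback))
        print("  alice / old password ->", authenticate("alice", "OldPass2016", fallback))
        print("  bob (disabled in AD) ->", authenticate("bob", "BobPass", fallback))
```

With the fallback enabled, the old password and the disabled account are accepted by the local store, not by the directory; with it disabled, only the directory's answer counts.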


Then why am I running into issues where the old password is still working after a change in LDAP? And it's not just the old password: I am able to use the user's new AND old password to log in.

Maybe some strange issue with your LDAP server behind it; it is definitely not password reuse on OPNsense, which doesn't know the old or current password.
It might be a good idea to share more information about your issue: software version, steps performed, etc.