some automation deletes ldaps synct users from opnsense

Started by steronz, September 26, 2025, 12:22:37 PM

Hello,

I hope I'm in the right place.

We're observing a very strange behavior on our OPNsense system.

Initial situation:
We synchronize users from our Active Directory to OPNsense via LDAPS. So when users log in through the portal, they are automatically created.
After that, they download their VPN configuration, connect via OpenVPN – everything works perfectly.

Our Setup:
Type: opnsense-business (active license)
Version: 25.4.3
HA-Cluster with 2 Nodes

Problem:
Three users – always the same ones – are being deleted every night at 01:00 AM.
Attached is a screenshot showing the related messages.

Does anyone have an idea how we can prevent this?

The users are still available in Active Directory; nothing has changed there.
Thank you very much!


best regards
Ronny


Maybe these users exist in the AD but not in the configured group/ou constraints that are configured for the authentication servers on OPNsense.
Hardware:
DEC740

Did you verify the AD replication? Might be that there are some lingering objects and users exist on one DC but not on the other.

Hi there,

thank you for your answers.

Quote from: Monviech (Cedrik) on September 26, 2025, 12:33:05 PM
Maybe these users exist in the AD but not in the configured group/ou constraints that are configured for the authentication servers on OPNsense.

The users are configured the same as all other users - there are 180 users with no problems.
Same groups and same auth servers.

Quote from: amichel on September 26, 2025, 01:50:08 PM
Did you verify the AD replication? Might be that there are some lingering objects and users exist on one DC but not on the other.

We have 2 auth servers configured in OPNsense, with the same LDAPS backend server (our DC server).
One auth config is for first logon with no OTP, and the second auth config is with OTP for VPN.


Is there anything different about the users compared to the other users, any certain characters in their usernames?
Hardware:
DEC740

I cannot see any difference to other users. No special characters or anything like that.
They are very normal users.

If these users log on via the user web portal (and create their own OTP and download the OVPN conf), they can use the OVPN the whole day. No problems with authentication via LDAPS the whole day.


So what problem does the OPNsense automation have every night?

And how can I stop this behavior?


btw - it's very interesting that OPNsense just has some cleanup job for old/deleted LDAP users (offboarded users).

Oh - I see, my screenshot is missing from my first post. Here it is again:

It's a feature of the business edition.

A bug is very unlikely as the script that runs has been used and battle tested for years.

A configuration issue or an edge case is the most likely issue.

To troubleshoot that, the deciso business support channel would be the proper way to go. (If you have a business support subscription)

Troubleshooting this without remote access is unfeasible due to the complicated nature of LDAP and the possible configuration combinations.

Hardware:
DEC740

Thanks for your answers.

This night the user which I created manually yesterday is still alive,
but a new one was deleted :(
This one has been on the OPNsense for weeks...


How can I contact the Deciso business support? Is it here in the forum?

We only have the business subscription for OPNsense...

It's a paid subscription:

https://shop.opnsense.com/product-categorie/support/

Channel is email, and remote support can be done as well via Microsoft Teams and AnyDesk.
Hardware:
DEC740

Thanks a lot.

btw - I cannot find anything about this feature. No documentation about this "feature" - not in this forum or anywhere else.

Do you have an idea where I can look?


Many thanks :)


It's this script

/usr/local/opnsense/scripts/OPNBEcore/ldap_sync_cleanup

And this cronjob

crontab -e

#minute hour    mday    month   wday    command
0       1       *       *       *       (configctl opnbe-core auth cleanup) > /dev/null

Hardware:
DEC740

Good Morning,

thanks a lot for your input.

I think we have found the/our issue:
All the users which were deleted have uppercase letters in our AD!
For example: RStein instead of rstein

We changed the UPN of these users this morning and will wait for tomorrow morning.

(Or can I run the script with:
configctl opnbe-core auth cleanup
directly from the CLI?)


regards
Ronny

Hello, in the authentication server (System - Access - Servers) there should be an option "Match case insensitive".

This might do the same as changing the UPN of the users.

You can run the script via:

# configctl opnbe-core auth cleanup
Hardware:
DEC740
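An added illustration of the failure mode discussed in this thread, not OPNsense's own ldap_sync_cleanup script: it models a nightly cleanup that removes local users no longer found in the directory, and shows why a username stored as "RStein" in AD but "rstein" locally gets dropped under exact matching yet survives under a case-insensitive match. The user lists are constructed sample data.

```python
# Added illustration, not OPNsense's ldap_sync_cleanup: models a sync cleanup
# that removes local users not found in the LDAP directory, with and without
# a "Match case insensitive" style comparison.
from typing import Iterable

# Constructed sample data: local users (created on portal login, lower case)
# and the account names as they are stored in the directory. "oldemployee"
# is a genuinely offboarded account with no directory object at all.
LOCAL_USERS = ["rstein", "mmueller", "jdoe", "svc-vpn", "oldemployee"]
LDAP_USERS = ["RStein", "mmueller", "JDoe", "svc-vpn"]


def users_to_delete(local: Iterable[str], ldap: Iterable[str],
                    case_insensitive: bool) -> list[str]:
    """Return local users that have no counterpart in the directory.

    With case_insensitive=False, 'rstein' != 'RStein', so the local account
    is reported as gone from LDAP and would be removed by a nightly cleanup.
    """
    norm = (lambda s: s.casefold()) if case_insensitive else (lambda s: s)
    present = {norm(u) for u in ldap}
    return [u for u in local if norm(u) not in present]


def dry_run(local: Iterable[str], ldap: Iterable[str]) -> dict:
    """Compare both modes and flag accounts that differ only by case."""
    local, ldap = list(local), list(ldap)
    strict = users_to_delete(local, ldap, case_insensitive=False)
    relaxed = users_to_delete(local, ldap, case_insensitive=True)
    # Accounts deleted only under strict matching are case mismatches, not
    # offboarded users; these are the ones to audit before the 01:00 cleanup.
    case_mismatches = sorted(set(strict) - set(relaxed))
    return {"strict": strict, "relaxed": relaxed,
            "case_mismatches": case_mismatches}


if __name__ == "__main__":
    result = dry_run(LOCAL_USERS, LDAP_USERS)
    for mode in ("strict", "relaxed"):
        print(f"{mode} matching would delete: {result[mode]}")
    print("case-only mismatches (fix the AD UPN or enable case-insensitive "
          "matching on the auth server):", result["case_mismatches"])
```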

Hi,

Quote from: Monviech (Cedrik) on September 29, 2025, 11:07:32 AM
Hello, in the authentication server (System - Access - Servers) there should be an option "Match case insensitive".

I changed it yesterday on both LDAP server configs - no user was deleted this morning :)

It looks very good - thank you a lot.


regards
Ronny