some LDAP users was automaticaly removed

Started by bran.ko, April 11, 2026, 11:43:18 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
April 11, 2026, 11:43:18 AM
HI, last night I have strage behavior. Some users was removed - by script I think
only in configuration backup is logged
Code Select
  <revision>
    <username>(root)</username>
    <description>The users "user1,...,user6(changed real name)" where successfully removed.</description>
    <time>1775862000.71</time>
  </revision>
This 6 users was LDAP users not local on firewall. But there are another 32 users without any problems.
I try to find some differencies but unsucessfully.

Which script is stared at 01:00 ? My cron is empty (thru web UI). User root is disabled for web logon.
April 11, 2026, 02:42:42 PM #1 Last Edit: April 21, 2026, 02:39:17 PM by ahro_john
QuoteHI, last night I have strage behavior. Some users was removed - by script I think
only in configuration backup is logged
CodeSelect
  <revision>
    <username>(root)</username>
    <description>The users "user1,...,user6(changed real name)" where successfully removed.</description>
    <time>1775862000.71</time>
  </revision>

This 6 users was LDAP users not local on firewall. But there are another 32 users without any problems.
I try to find some differencies but unsucessfully.

Which script is stared at 01:00 ? My cron is empty (thru web UI). User root is disabled for web logon. It feels like some kind of automated process or external sync triggered this — similar to how scheduled systems operate on online platforms (even outside networking), for example services like goranked.gg that rely on backend automation for account-related actions.
Have you checked /var/log/system.log or the audit logs around 01:00? Even if the GUI cron is empty, system-level cron or package tasks might still trigger something
April 11, 2026, 05:08:16 PM #2
/var/log/system/latest.log is clear only systemctl log is here with some activity, and acme logs
Code Select
<13>1 2026-04-11T00:15:04+02:00 firewall configctl 63706 - [meta sequenceId="26"] event @ 1775859304.15 msg: Apr 11 00:15:04 firewall config[56811]: config-event: new_config /conf/backup/config-1775859304.1084.xml
<13>1 2026-04-11T00:15:04+02:00 firewall configctl 63706 - [meta sequenceId="28"] event @ 1775859304.15 exec: system event config_changed response: OK
/var/log/audit/latest - is clear also

crontab -e 
yes there is some scheduled scripts - byt nothing suspisious

firewall has installed all patches/updates
April 12, 2026, 10:23:08 AM #3
Make sure to mention what version you're using.

We hotfixed 25.10.2 now due to the side effect from the security update:

https://github.com/opnsense/changelog/commit/055b8d6


Cheers,
Franco
"AI has absolutely reduced the cost of creating technical debt." -- ChatGPT
April 12, 2026, 10:59:00 AM #4
HI, today was deleted one user (which was recovered). 
So I install new hotfix.We will see
April 13, 2026, 09:55:31 AM #5
it seems to be fixed. Any LDAP user wasn't automaticaly deleted.
Thanks
April 13, 2026, 10:03:19 AM #6
Nice, thanks for the feedback!


Cheers,
Franco
"AI has absolutely reduced the cost of creating technical debt." -- ChatGPT
Print
Go Up Pages1
User actions