OPNcentral Overwriting API Keys

[amuckart]

The documentation for opncentral says:

When users and groups are synchronized, the existing api key+secret is merged into the user with the same name to prevent access issues after reconfigure. To avoid issues, make sure there's a unique username with proper credentials before using the synchronization.

What conditions are required to make this work?

Running OPNcentral on OPNsense 25.10.2_4-amd64 if I have an 'opncentral' user on the firewall being managed, and I generate an API for that user and use it to connect to the firewall from OPNcentral, as soon as I provision the managed firewall the API key either gets erased if there isn't one on the OPNcentral machine, or overwritten by the one on the OPNcentral machine if there is. That immediately breaks access to the managed device until I regenerate an API key and add it back in to OPNcentral.

It seems like this is not the intended behaviour, but I can't figure out what the settings need to be to make this work.

Can anyone enlighten me?

Thanks.

[franco]

Don't sync users if you want to keep the local copies or use different usernames here.


Cheers,
Franco

[amuckart]

Hi Franco,

Thanks for the reply.

Don't sync users if you want to keep the local copies or use different usernames here.

If that is the case, I think the documentation needs to be updated to be explicit about this.

Currenty it says the existing API key+secret (I assume this means the one on the machine, but that's ambiguous as the docs are written) will be merged - which is the correct and sensible behaviour - but that isn't happening and access breaks as soon as you sync users.

This is a major flaw for something billed as a central management solution.

[Monviech (Cedrik)]

I think the key merging should work.

I remember there was an issue there in an earlier version but that was fixed.

Can you give step by step reproduction so it can be evaluated?

1. Do this
2. Do that
3. Result
4. Expected result