
[OpenVPN] New users unable to use VPN with LDAP provider and enforced local group. #8373

Open
2 tasks done
Whidix opened this issue Feb 22, 2025 · 0 comments
Labels
support Community support

Comments

Whidix commented Feb 22, 2025

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

Describe the bug

When using OpenVPN with LDAP authentication, if a user does not exist in the local database and local group enforcement is enabled, the user will be unable to connect to the VPN.

It appears that OpenVPN checks whether the user is part of the enforced group before synchronizing the user's groups to the local database. This prevents authentication for new users who should be automatically created upon first login.

To Reproduce

Steps to reproduce the behavior:

  1. Add an LDAP provider with memberOf support and enable group synchronization.
  2. Create a VPN instance that enforces a local group and uses the LDAP provider.
  3. Create the required group locally in OPNsense.
  4. Download the OpenVPN configuration file from the client export menu.
  5. Attempt to connect using OpenVPN with a user who does not exist in OPNsense (the user should be created automatically on first login).

Expected behavior

New users should be able to connect to the VPN. If a user successfully binds to LDAP:

Their account and groups should be synchronized before verifying group membership.
Or the user should be created if they belong to the enforced group in LDAP.

Describe alternatives you considered

Manually synchronizing all users beforehand, but this feature is no longer available.

Screenshots

Image

Relevant log

OpenVPN 'xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' requires the local group ldap-group. Denying authentication for user test

Environment

Software version used and hardware type if relevant, e.g.:

OPNsense 25.1.1 (amd64).
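The ordering problem the report describes can be modelled directly: a first-time LDAP user has no local account, so an enforced-group check that runs before group synchronization can never succeed. The following is an added illustration, not OPNsense or OpenVPN code; the LDAP directory, local database, function names and the `sync_before_check` switch are constructed assumptions.

```python
"""Model of an OpenVPN login against an LDAP provider with an enforced local group.

Constructed example: the directory contents, the local user store and all
function names are assumptions made for illustration only.
"""
from dataclasses import dataclass, field

# Constructed LDAP directory: username -> password and memberOf DNs.
LDAP_DIRECTORY = {
    "test": {"password": "s3cret", "memberOf": ["cn=ldap-group,ou=groups,dc=example,dc=org"]},
    "bob": {"password": "hunter2", "memberOf": ["cn=staff,ou=groups,dc=example,dc=org"]},
}


@dataclass
class LocalDb:
    """Local user database: users map to the local groups they belong to."""
    users: dict = field(default_factory=dict)
    groups: set = field(default_factory=lambda: {"ldap-group"})  # group created locally (step 3)


def ldap_bind(username, password):
    """Bind as the user; on success return the group names (cn=...) from memberOf."""
    entry = LDAP_DIRECTORY.get(username)
    if entry is None or entry["password"] != password:
        return None
    return [dn.split(",")[0].removeprefix("cn=") for dn in entry["memberOf"]]


def sync_user(db, username, ldap_groups):
    """Create the local account on first login and mirror LDAP groups that exist locally."""
    db.users[username] = {g for g in ldap_groups if g in db.groups}


def openvpn_auth(db, username, password, enforced_group, sync_before_check):
    """Authenticate a VPN user. sync_before_check=False reproduces the reported order."""
    ldap_groups = ldap_bind(username, password)
    if ldap_groups is None:
        return False, "bad credentials"
    if sync_before_check:
        sync_user(db, username, ldap_groups)  # account and groups exist before the check
    local_groups = db.users.get(username)
    if local_groups is None or enforced_group not in local_groups:
        return False, f"requires the local group {enforced_group}. Denying authentication for user {username}"
    if not sync_before_check:
        sync_user(db, username, ldap_groups)  # reported order: sync only after a passing check
    return True, "ok"
```

With the reported order a brand-new user is denied on every attempt, since the account is never created; with synchronization first, the same user is admitted and a user outside the enforced group is still rejected.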

@Whidix Whidix changed the title [OpenVPN] New users can't use VPN with LDAP provider and enforced local group. [OpenVPN] New users unable to use VPN with LDAP provider and enforced local group. Feb 22, 2025
@AdSchellevis AdSchellevis added the support Community support label Feb 22, 2025