From 85ce481e325dad5ae758db5b2485a5dae4a38627 Mon Sep 17 00:00:00 2001
From: lordratner <49489398+lordratner@users.noreply.github.com>
Date: Tue, 9 Sep 2025 11:20:05 -0500
Subject: [PATCH] Update opnsense.md

Added instruction for using/not using Constraint Groups. This option is selected by default and the current instructions do not address it, but if it is left on and the Authentication Containers are not updated, the group sync will fail.
---
 example_configs/opnsense.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/example_configs/opnsense.md b/example_configs/opnsense.md
index 53ec65c..eaa1377 100644
--- a/example_configs/opnsense.md
+++ b/example_configs/opnsense.md
@@ -92,6 +92,9 @@ Enable the following options on the OPNsense configuration page for your LLDAP s
 - Synchronize groups: `Checked`
 - Automatic user creation: `Checked`
 
+### Constraint Groups
+This limits the groups to prevent injection attacks. If you want to enable this feature, you need to add ou=groups,dc=example,dc=com to the Authentication Containers field. Be sure to separate with a semicolon. Otherwise disable this option.
+
 ### Create OPNsense Group
 
 Go to `System > Access > Groups` and create a new group with the **same** name as the LLDAP group used to authenticate users for OPNsense.