2FA issue for users created via LDAP group synchronization

lina

New Member
Feb 12, 2025
Hi

I’m testing LDAP user and group synchronization. Everything works fine overall, but I noticed some strange behavior related to two-factor authentication.
When I enable TOTP for a user that was added via group synchronization, nothing indicates in Datacenter - Permissions - Users that 2FA is enabled for that user. However, the user appears in Datacenter - Permissions - Two Factor, and /api2/json/access/tfa clearly shows that TOTP is configured.

But when I look at

Code:
/api2/json/access/users?full=1

the LDAP-synchronized user does not have the keys field at all, as if 2FA does not exist for that user.
Code:
{
  "expire": 0,
  "groups": "admin-SYN_LDAP",
  "userid": "user@SYN_LDAP",
  "tokens": null,
  "lastname": "user",
  "enable": 1,
  "email": "",
  "realm-type": "ldap"
},
{
  "userid": "user@infra-ldap",
  "groups": "Admins",
  "keys": "x!oath",
  "expire": 0,
  "tokens": null,
  "enable": 1,
  "email": ""
}
As you can see, the regular user has the keys field, but the LDAP-synchronized user does not.

Then I checked the TFA endpoint:

Code:
/api2/json/access/tfa

And it shows that user@SYN_LDAP does have a TOTP entry:
Code:
{
  "userid": "user@SYN_LDAP",
  "entries": [
    {
      "description": "user@SYN_LDAP",
      "created": 1770277060,
      "type": "totp",
      "id": "00000000-0000-0000-0000-000000000000"
    }
  ]
},
{
  "entries": [
    {
      "description": "",
      "created": 0,
      "type": "totp",
      "id": "v1-entry"
    }
  ],
  "userid": "user@infra-ldap"
}
This behavior only occurs for users created via group synchronization.
I also noticed that during recurring cron synchronization, these users seem to be overwritten - there were cases where they got logged out.
Is this expected behavior or a bug? Why is the keys field missing in /access/users if TOTP is actually configured? Can LDAP sync overwrite local user parameters?
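A small cross-check of the two endpoints, as an added example that is not part of the post: it loads the two responses quoted above (embedded here as constructed sample data) and reports every user whose 2FA state differs between /access/users?full=1 and /access/tfa, which is the check an admin would want to run after a sync so that no TOTP configuration stays invisible in the user list. Fetching the live responses (for example with pvesh or an authenticated API call) is assumed to happen outside the script.

```python
"""Audit helper: compare Proxmox VE's /access/users and /access/tfa views of 2FA.
Added example, not from the original post. USERS_JSON and TFA_JSON are
constructed from the responses quoted in the post."""
import json

USERS_JSON = """[
 {"userid": "user@SYN_LDAP", "groups": "admin-SYN_LDAP", "enable": 1,
  "expire": 0, "tokens": null, "email": "", "realm-type": "ldap"},
 {"userid": "user@infra-ldap", "groups": "Admins", "keys": "x!oath",
  "enable": 1, "expire": 0, "tokens": null, "email": ""}
]"""

TFA_JSON = """[
 {"userid": "user@SYN_LDAP",
  "entries": [{"type": "totp", "id": "00000000-0000-0000-0000-000000000000",
               "created": 1770277060, "description": "user@SYN_LDAP"}]},
 {"userid": "user@infra-ldap",
  "entries": [{"type": "totp", "id": "v1-entry", "created": 0, "description": ""}]}
]"""


def realm_of(user):
    """Prefer the explicit realm-type field; fall back to the realm in the userid."""
    return user.get("realm-type") or user["userid"].rsplit("@", 1)[-1]


def find_mismatches(users, tfa):
    """Return (userid, realm, problem) for every user whose 2FA state disagrees
    between the user list (the 'keys' field) and the TFA list (its entries)."""
    entries = {e["userid"]: [x["type"] for x in e.get("entries", [])] for e in tfa}
    problems = []
    for u in users:
        uid, has_keys, types = u["userid"], "keys" in u, entries.get(u["userid"], [])
        if types and not has_keys:
            problems.append((uid, realm_of(u),
                             "TFA entries %s but no 'keys' field in user list" % types))
        elif has_keys and not types:
            problems.append((uid, realm_of(u),
                             "'keys' is %r but no TFA entries exist" % u["keys"]))
    # TFA entries whose userid is not in the user list at all
    listed = {u["userid"] for u in users}
    for uid in entries:
        if uid not in listed:
            problems.append((uid, uid.rsplit("@", 1)[-1], "TFA entries for unlisted user"))
    return problems


if __name__ == "__main__":
    for uid, realm, problem in find_mismatches(json.loads(USERS_JSON), json.loads(TFA_JSON)):
        print("%-20s realm=%-10s %s" % (uid, realm, problem))
```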