1 *pveum* `<COMMAND> [ARGS] [OPTIONS]`
3 *pveum acl delete* `<path> --roles <string>` `[OPTIONS]`
5 Update Access Control List (add or remove permissions).
7 `<path>`: `<string>` ::
11 `--groups` `<string>` ::
15 `--propagate` `<boolean>` ('default =' `1`)::
17 Allow to propagate (inherit) permissions.
19 `--roles` `<string>` ::
23 `--tokens` `<string>` ::
27 `--users` `<string>` ::
31 *pveum acl list* `[FORMAT_OPTIONS]`
33 Get Access Control List (ACLs).
35 *pveum acl modify* `<path> --roles <string>` `[OPTIONS]`
37 Update Access Control List (add or remove permissions).
39 `<path>`: `<string>` ::
43 `--groups` `<string>` ::
47 `--propagate` `<boolean>` ('default =' `1`)::
49 Allow to propagate (inherit) permissions.
51 `--roles` `<string>` ::
55 `--tokens` `<string>` ::
59 `--users` `<string>` ::
65 An alias for 'pveum acl delete'.
69 An alias for 'pveum acl modify'.
71 *pveum group add* `<groupid>` `[OPTIONS]`
75 `<groupid>`: `<string>` ::
77 no description available
79 `--comment` `<string>` ::
81 no description available
83 *pveum group delete* `<groupid>`
87 `<groupid>`: `<string>` ::
89 no description available
91 *pveum group list* `[FORMAT_OPTIONS]`
95 *pveum group modify* `<groupid>` `[OPTIONS]`
99 `<groupid>`: `<string>` ::
101 no description available
103 `--comment` `<string>` ::
105 no description available
109 An alias for 'pveum group add'.
113 An alias for 'pveum group delete'.
117 An alias for 'pveum group modify'.
119 *pveum help* `[OPTIONS]`
121 Get help about specified command.
123 `--extra-args` `<array>` ::
125 Shows help for a specific command
127 `--verbose` `<boolean>` ::
129 Verbose output format.
131 *pveum passwd* `<userid>`
133 Change user password.
135 `<userid>`: `<string>` ::
137 Full User ID, in the `name@realm` format.
139 *pveum pool add* `<poolid>` `[OPTIONS]`
143 `<poolid>`: `<string>` ::
145 no description available
147 `--comment` `<string>` ::
149 no description available
151 *pveum pool delete* `<poolid>`
155 `<poolid>`: `<string>` ::
157 no description available
159 *pveum pool list* `[FORMAT_OPTIONS]`
163 *pveum pool modify* `<poolid>` `[OPTIONS]`
167 `<poolid>`: `<string>` ::
169 no description available
171 `--comment` `<string>` ::
173 no description available
175 `--delete` `<boolean>` ::
177 Remove vms/storage (instead of adding it).
179 `--storage` `<string>` ::
183 `--vms` `<string>` ::
185 List of virtual machines.
187 *pveum realm add* `<realm> --type <string>` `[OPTIONS]`
189 Add an authentication server.
191 `<realm>`: `<string>` ::
193 Authentication domain ID
195 `--acr-values` `<string>` ::
197 Specifies the Authentication Context Class Reference values that the Authorization Server is being requested to use for the Auth Request.
199 `--autocreate` `<boolean>` ('default =' `0`)::
201 Automatically create users if they do not exist.
203 `--base_dn` `(?^:\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+)(,\s*\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+))*)` ::
205 LDAP base domain name
207 `--bind_dn` `(?^:\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+)(,\s*\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+))*)` ::
209 LDAP bind domain name
211 `--capath` `<string>` ('default =' `/etc/ssl/certs`)::
213 Path to the CA certificate store
215 `--case-sensitive` `<boolean>` ('default =' `1`)::
217 username is case-sensitive
219 `--cert` `<string>` ::
221 Path to the client certificate
223 `--certkey` `<string>` ::
225 Path to the client certificate key
227 `--client-id` `<string>` ::
231 `--client-key` `<string>` ::
235 `--comment` `<string>` ::
239 `--default` `<boolean>` ::
241 Use this as default realm
247 `--filter` `<string>` ::
249 LDAP filter for user sync.
251 `--group_classes` `<string>` ('default =' `groupOfNames, group, univentionGroup, ipausergroup`)::
253 The objectclasses for groups.
255 `--group_dn` `(?^:\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+)(,\s*\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+))*)` ::
257 LDAP base domain name for group sync. If not set, the base_dn will be used.
259 `--group_filter` `<string>` ::
261 LDAP filter for group sync.
263 `--group_name_attr` `<string>` ::
265 LDAP attribute representing a group's name. If not set or found, the first value of the DN will be used as name.
267 `--issuer-url` `<string>` ::
271 `--mode` `<ldap | ldap+starttls | ldaps>` ('default =' `ldap`)::
275 `--password` `<string>` ::
277 LDAP bind password. Will be stored in '/etc/pve/priv/realm/<REALM>.pw'.
279 `--port` `<integer> (1 - 65535)` ::
283 `--prompt` `(?:none|login|consent|select_account|\S+)` ::
285 Specifies whether the Authorization Server prompts the End-User for reauthentication and consent.
287 `--scopes` `<string>` ('default =' `email profile`)::
289 Specifies the scopes (user details) that should be authorized and returned, for example 'email' or 'profile'.
291 `--secure` `<boolean>` ::
293 Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.
295 `--server1` `<string>` ::
297 Server IP address (or DNS name)
299 `--server2` `<string>` ::
301 Fallback Server IP address (or DNS name)
303 `--sslversion` `<tlsv1 | tlsv1_1 | tlsv1_2 | tlsv1_3>` ::
305 LDAPS TLS/SSL version. It's not recommended to use a version older than 1.2!
307 `--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,remove-vanished=([acl];[properties];[entry])|none] [,scope=<users|groups|both>]` ::
309 The default options for behavior of synchronizations.
311 `--sync_attributes` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
313 Comma-separated list of key=value pairs for specifying which LDAP attributes map to which PVE user field. For example, to map the LDAP attribute 'mail' to PVE's 'email', write 'email=mail'. By default, each PVE user field is represented by an LDAP attribute of the same name.
315 `--tfa` `type=<TFATYPE> [,digits=<COUNT>] [,id=<ID>] [,key=<KEY>] [,step=<SECONDS>] [,url=<URL>]` ::
317 Use Two-factor authentication.
319 `--type` `<ad | ldap | openid | pam | pve>` ::
323 `--user_attr` `\S{2,}` ::
325 LDAP user attribute name
327 `--user_classes` `<string>` ('default =' `inetorgperson, posixaccount, person, user`)::
329 The objectclasses for users.
331 `--username-claim` `<string>` ::
333 OpenID claim used to generate the unique username.
335 `--verify` `<boolean>` ('default =' `0`)::
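337 Verify the server's SSL certificate. With the default of `0`, the server certificate is not checked, so an encrypted connection still does not authenticate the LDAP server.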
339 *pveum realm delete* `<realm>`
341 Delete an authentication server.
343 `<realm>`: `<string>` ::
345 Authentication domain ID
347 *pveum realm list* `[FORMAT_OPTIONS]`
349 Authentication domain index.
351 *pveum realm modify* `<realm>` `[OPTIONS]`
353 Update authentication server settings.
355 `<realm>`: `<string>` ::
357 Authentication domain ID
359 `--acr-values` `<string>` ::
361 Specifies the Authentication Context Class Reference values that the Authorization Server is being requested to use for the Auth Request.
363 `--autocreate` `<boolean>` ('default =' `0`)::
365 Automatically create users if they do not exist.
367 `--base_dn` `(?^:\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+)(,\s*\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+))*)` ::
369 LDAP base domain name
371 `--bind_dn` `(?^:\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+)(,\s*\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+))*)` ::
373 LDAP bind domain name
375 `--capath` `<string>` ('default =' `/etc/ssl/certs`)::
377 Path to the CA certificate store
379 `--case-sensitive` `<boolean>` ('default =' `1`)::
381 username is case-sensitive
383 `--cert` `<string>` ::
385 Path to the client certificate
387 `--certkey` `<string>` ::
389 Path to the client certificate key
391 `--client-id` `<string>` ::
395 `--client-key` `<string>` ::
399 `--comment` `<string>` ::
403 `--default` `<boolean>` ::
405 Use this as default realm
407 `--delete` `<string>` ::
409 A list of settings you want to delete.
411 `--digest` `<string>` ::
413 Prevent changes if the current configuration file has a different SHA1 digest. This can be used to prevent concurrent modifications.
419 `--filter` `<string>` ::
421 LDAP filter for user sync.
423 `--group_classes` `<string>` ('default =' `groupOfNames, group, univentionGroup, ipausergroup`)::
425 The objectclasses for groups.
427 `--group_dn` `(?^:\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+)(,\s*\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+))*)` ::
429 LDAP base domain name for group sync. If not set, the base_dn will be used.
431 `--group_filter` `<string>` ::
433 LDAP filter for group sync.
435 `--group_name_attr` `<string>` ::
437 LDAP attribute representing a group's name. If not set or found, the first value of the DN will be used as name.
439 `--issuer-url` `<string>` ::
443 `--mode` `<ldap | ldap+starttls | ldaps>` ('default =' `ldap`)::
447 `--password` `<string>` ::
449 LDAP bind password. Will be stored in '/etc/pve/priv/realm/<REALM>.pw'.
451 `--port` `<integer> (1 - 65535)` ::
455 `--prompt` `(?:none|login|consent|select_account|\S+)` ::
457 Specifies whether the Authorization Server prompts the End-User for reauthentication and consent.
459 `--scopes` `<string>` ('default =' `email profile`)::
461 Specifies the scopes (user details) that should be authorized and returned, for example 'email' or 'profile'.
463 `--secure` `<boolean>` ::
465 Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.
467 `--server1` `<string>` ::
469 Server IP address (or DNS name)
471 `--server2` `<string>` ::
473 Fallback Server IP address (or DNS name)
475 `--sslversion` `<tlsv1 | tlsv1_1 | tlsv1_2 | tlsv1_3>` ::
477 LDAPS TLS/SSL version. It's not recommended to use a version older than 1.2!
479 `--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,remove-vanished=([acl];[properties];[entry])|none] [,scope=<users|groups|both>]` ::
481 The default options for behavior of synchronizations.
483 `--sync_attributes` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
485 Comma-separated list of key=value pairs for specifying which LDAP attributes map to which PVE user field. For example, to map the LDAP attribute 'mail' to PVE's 'email', write 'email=mail'. By default, each PVE user field is represented by an LDAP attribute of the same name.
487 `--tfa` `type=<TFATYPE> [,digits=<COUNT>] [,id=<ID>] [,key=<KEY>] [,step=<SECONDS>] [,url=<URL>]` ::
489 Use Two-factor authentication.
491 `--user_attr` `\S{2,}` ::
493 LDAP user attribute name
495 `--user_classes` `<string>` ('default =' `inetorgperson, posixaccount, person, user`)::
497 The objectclasses for users.
499 `--verify` `<boolean>` ('default =' `0`)::
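501 Verify the server's SSL certificate. With the default of `0`, the server certificate is not checked, so an encrypted connection still does not authenticate the LDAP server.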
503 *pveum realm sync* `<realm>` `[OPTIONS]`
505 Syncs users and/or groups from the configured LDAP to user.cfg. NOTE:
506 Synced groups will have the name 'name-$realm', so make sure those groups
507 do not exist to prevent overwriting.
509 `<realm>`: `<string>` ::
511 Authentication domain ID
513 `--dry-run` `<boolean>` ('default =' `0`)::
515 If set, does not write anything.
517 `--enable-new` `<boolean>` ('default =' `1`)::
519 Enable newly synced users immediately.
521 `--full` `<boolean>` ::
523 DEPRECATED: use 'remove-vanished' instead. If set, uses the LDAP Directory as source of truth, deleting users or groups not returned from the sync and removing all locally modified properties of synced users. If not set, only syncs information which is present in the synced data, and does not delete or modify anything else.
525 `--purge` `<boolean>` ::
527 DEPRECATED: use 'remove-vanished' instead. Remove ACLs for users or groups which were removed from the config during a sync.
529 `--remove-vanished` `([acl];[properties];[entry])|none` ('default =' `none`)::
531 A semicolon-separated list of things to remove when they or the user vanishes during a sync. The following values are possible: 'entry' removes the user/group when not returned from the sync. 'properties' removes the set properties on existing user/group that do not appear in the source (even custom ones). 'acl' removes ACLs when the user/group is not returned from the sync. Instead of a list it also can be 'none' (the default).
533 `--scope` `<both | groups | users>` ::
537 *pveum role add* `<roleid>` `[OPTIONS]`
541 `<roleid>`: `<string>` ::
543 no description available
545 `--privs` `<string>` ::
547 no description available
549 *pveum role delete* `<roleid>`
553 `<roleid>`: `<string>` ::
555 no description available
557 *pveum role list* `[FORMAT_OPTIONS]`
561 *pveum role modify* `<roleid>` `[OPTIONS]`
563 Update an existing role.
565 `<roleid>`: `<string>` ::
567 no description available
569 `--append` `<boolean>` ::
571 no description available
573 NOTE: Requires option(s): `privs`
575 `--privs` `<string>` ::
577 no description available
581 An alias for 'pveum role add'.
585 An alias for 'pveum role delete'.
589 An alias for 'pveum role modify'.
591 *pveum ticket* `<username>` `[OPTIONS]`
593 Create or verify authentication ticket.
595 `<username>`: `<string>` ::
599 `--new-format` `<boolean>` ('default =' `0`)::
601 With webauthn the format of half-authenticated tickets changed. New clients should pass 1 here and not worry about the old format. The old format is deprecated and will be retired with PVE-8.0.
603 `--otp` `<string>` ::
605 One-time password for Two-factor authentication.
607 `--path` `<string>` ::
609 Verify ticket, and check if the user has access 'privs' on 'path'
611 NOTE: Requires option(s): `privs`
613 `--privs` `<string>` ::
615 Verify ticket, and check if the user has access 'privs' on 'path'
617 NOTE: Requires option(s): `path`
619 `--realm` `<string>` ::
621 You can optionally pass the realm using this parameter. Normally the realm is simply appended to the username, as in <username>@<realm>.
623 `--tfa-challenge` `<string>` ::
625 The signed TFA challenge string the user wants to respond to.
627 *pveum user add* `<userid>` `[OPTIONS]`
631 `<userid>`: `<string>` ::
633 Full User ID, in the `name@realm` format.
635 `--comment` `<string>` ::
637 no description available
639 `--email` `<string>` ::
641 no description available
643 `--enable` `<boolean>` ('default =' `1`)::
645 Enable the account (default). You can set this to '0' to disable the account
647 `--expire` `<integer> (0 - N)` ::
649 Account expiration date (seconds since epoch). '0' means no expiration date.
651 `--firstname` `<string>` ::
653 no description available
655 `--groups` `<string>` ::
657 no description available
659 `--keys` `<string>` ::
661 Keys for two factor auth (yubico).
663 `--lastname` `<string>` ::
665 no description available
667 `--password` `<string>` ::
671 *pveum user delete* `<userid>`
675 `<userid>`: `<string>` ::
677 Full User ID, in the `name@realm` format.
679 *pveum user list* `[OPTIONS]` `[FORMAT_OPTIONS]`
683 `--enabled` `<boolean>` ::
685 Optional filter for enable property.
687 `--full` `<boolean>` ('default =' `0`)::
689 Include group and token information.
691 *pveum user modify* `<userid>` `[OPTIONS]`
693 Update user configuration.
695 `<userid>`: `<string>` ::
697 Full User ID, in the `name@realm` format.
699 `--append` `<boolean>` ::
701 no description available
703 NOTE: Requires option(s): `groups`
705 `--comment` `<string>` ::
707 no description available
709 `--email` `<string>` ::
711 no description available
713 `--enable` `<boolean>` ('default =' `1`)::
715 Enable the account (default). You can set this to '0' to disable the account
717 `--expire` `<integer> (0 - N)` ::
719 Account expiration date (seconds since epoch). '0' means no expiration date.
721 `--firstname` `<string>` ::
723 no description available
725 `--groups` `<string>` ::
727 no description available
729 `--keys` `<string>` ::
731 Keys for two factor auth (yubico).
733 `--lastname` `<string>` ::
735 no description available
737 *pveum user permissions* `[<userid>]` `[OPTIONS]` `[FORMAT_OPTIONS]`
739 Retrieve effective permissions of given user/token.
741 `<userid>`: `(?^:^(?^:[^\s:/]+)\@(?^:[A-Za-z][A-Za-z0-9\.\-_]+)(?:!(?^:[A-Za-z][A-Za-z0-9\.\-_]+))?$)` ::
743 User ID or full API token ID
745 `--path` `<string>` ::
747 Only dump this specific path, not the whole tree.
749 *pveum user tfa delete* `<userid>` `[OPTIONS]`
751 Delete TFA entries from a user.
753 `<userid>`: `<string>` ::
755 Full User ID, in the `name@realm` format.
759 The TFA ID, if none provided, all TFA entries will be deleted.
761 *pveum user token add* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
763 Generate a new API token for a specific user. NOTE: returns API token
764 value, which needs to be stored as it cannot be retrieved afterwards!
766 `<userid>`: `<string>` ::
768 Full User ID, in the `name@realm` format.
770 `<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
772 User-specific token identifier.
774 `--comment` `<string>` ::
776 no description available
778 `--expire` `<integer> (0 - N)` ('default =' `same as user`)::
780 API token expiration date (seconds since epoch). '0' means no expiration date.
782 `--privsep` `<boolean>` ('default =' `1`)::
784 Restrict API token privileges with separate ACLs (default), or give the token the full privileges of the corresponding user.
786 *pveum user token list* `<userid>` `[FORMAT_OPTIONS]`
790 `<userid>`: `<string>` ::
792 Full User ID, in the `name@realm` format.
794 *pveum user token modify* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
796 Update API token for a specific user.
798 `<userid>`: `<string>` ::
800 Full User ID, in the `name@realm` format.
802 `<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
804 User-specific token identifier.
806 `--comment` `<string>` ::
808 no description available
810 `--expire` `<integer> (0 - N)` ('default =' `same as user`)::
812 API token expiration date (seconds since epoch). '0' means no expiration date.
814 `--privsep` `<boolean>` ('default =' `1`)::
816 Restrict API token privileges with separate ACLs (default), or give the token the full privileges of the corresponding user.
818 *pveum user token permissions* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
820 Retrieve effective permissions of given token.
822 `<userid>`: `<string>` ::
824 Full User ID, in the `name@realm` format.
826 `<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
828 User-specific token identifier.
830 `--path` `<string>` ::
832 Only dump this specific path, not the whole tree.
834 *pveum user token remove* `<userid> <tokenid>` `[FORMAT_OPTIONS]`
836 Remove API token for a specific user.
838 `<userid>`: `<string>` ::
840 Full User ID, in the `name@realm` format.
842 `<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
844 User-specific token identifier.
848 An alias for 'pveum user add'.
852 An alias for 'pveum user delete'.
856 An alias for 'pveum user modify'.