*pveum* `<COMMAND> [ARGS] [OPTIONS]`

*pveum acl delete* `<path> --roles <string>` `[OPTIONS]`

Update Access Control List (add or remove permissions).

`<path>`: `<string>` ::

`--groups` `<string>` ::

`--propagate` `<boolean>` ('default =' `1`)::
Allow to propagate (inherit) permissions.

`--roles` `<string>` ::

`--tokens` `<string>` ::

`--users` `<string>` ::

*pveum acl list* `[FORMAT_OPTIONS]`

Get Access Control List (ACLs).

*pveum acl modify* `<path> --roles <string>` `[OPTIONS]`

Update Access Control List (add or remove permissions).

`<path>`: `<string>` ::

`--groups` `<string>` ::

`--propagate` `<boolean>` ('default =' `1`)::
Allow to propagate (inherit) permissions.

`--roles` `<string>` ::

`--tokens` `<string>` ::

`--users` `<string>` ::

An alias for 'pveum acl delete'.

An alias for 'pveum acl modify'.

*pveum group add* `<groupid>` `[OPTIONS]`

`<groupid>`: `<string>` ::
no description available

`--comment` `<string>` ::
no description available

*pveum group delete* `<groupid>`

`<groupid>`: `<string>` ::
no description available

*pveum group list* `[FORMAT_OPTIONS]`

*pveum group modify* `<groupid>` `[OPTIONS]`

`<groupid>`: `<string>` ::
no description available

`--comment` `<string>` ::
no description available

An alias for 'pveum group add'.

An alias for 'pveum group delete'.

An alias for 'pveum group modify'.

*pveum help* `[OPTIONS]`

Get help about specified command.

`--extra-args` `<array>` ::
Shows help for a specific command

`--verbose` `<boolean>` ::
Verbose output format.

*pveum passwd* `<userid>`

Change user password.

`<userid>`: `<string>` ::

*pveum realm add* `<realm> --type <string>` `[OPTIONS]`

Add an authentication server.

`<realm>`: `<string>` ::
Authentication domain ID

`--base_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
LDAP base domain name

`--bind_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
LDAP bind domain name

`--capath` `<string>` ('default =' `/etc/ssl/certs`)::
Path to the CA certificate store

`--cert` `<string>` ::
Path to the client certificate

`--certkey` `<string>` ::
Path to the client certificate key

`--comment` `<string>` ::

`--default` `<boolean>` ::
Use this as default realm

`--filter` `<string>` ::
LDAP filter for user sync.

`--group_classes` `<string>` ('default =' `groupOfNames, group, univentionGroup, ipausergroup`)::
The objectclasses for groups.

`--group_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
LDAP base domain name for group sync. If not set, the base_dn will be used.

`--group_filter` `<string>` ::
LDAP filter for group sync.

`--group_name_attr` `<string>` ::
LDAP attribute representing a group's name. If not set or found, the first value of the DN will be used as name.

`--mode` `<ldap | ldap+starttls | ldaps>` ('default =' `ldap`)::

`--password` `<string>` ::
LDAP bind password. Will be stored in '/etc/pve/priv/realm/<REALM>.pw'.

`--port` `<integer> (1 - 65535)` ::

`--secure` `<boolean>` ::
Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.

`--server1` `<string>` ::
Server IP address (or DNS name)

`--server2` `<string>` ::
Fallback Server IP address (or DNS name)

`--sslversion` `<tlsv1 | tlsv1_1 | tlsv1_2 | tlsv1_3>` ::
LDAPS TLS/SSL version. It's not recommended to use a version older than 1.2!

`--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,scope=<users|groups|both>]` ::
The default options for behavior of synchronizations.

`--sync_attributes` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
Comma-separated list of key=value pairs for specifying which LDAP attributes map to which PVE user field. For example, to map the LDAP attribute 'mail' to PVE's 'email', write 'email=mail'. By default, each PVE user field is represented by an LDAP attribute of the same name.

`--tfa` `type=<TFATYPE> [,digits=<COUNT>] [,id=<ID>] [,key=<KEY>] [,step=<SECONDS>] [,url=<URL>]` ::
Use Two-factor authentication.

`--type` `<ad | ldap | pam | pve>` ::

`--user_attr` `\S{2,}` ::
LDAP user attribute name

`--user_classes` `<string>` ('default =' `inetorgperson, posixaccount, person, user`)::
The objectclasses for users.

`--verify` `<boolean>` ('default =' `0`)::
Verify the server's SSL certificate
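
The transport options above default to `mode` = `ldap` and `verify` = `0`, so a realm added without them uses LDAP without TLS. The following Python check is an added example, not part of the Proxmox documentation or code: it audits a `pveum realm add` command line against those documented defaults. The `--key value` argument style, the sample host names and the treatment of `--secure 1` without `--mode` as LDAPS are assumptions.

```python
import shlex

WEAK_TLS = {"tlsv1", "tlsv1_1"}        # page: versions older than 1.2 not recommended
TRUE = {"1", "true", "yes", "on"}      # accepted boolean spellings (assumption)

def parse_realm_add(cmdline):
    """Split 'pveum realm add <realm> --key value ...' into (realm, opts)."""
    argv = shlex.split(cmdline)
    if argv[:3] != ["pveum", "realm", "add"] or len(argv) < 4:
        raise ValueError("expected: pveum realm add <realm> [OPTIONS]")
    realm, rest = argv[3], argv[4:]
    if len(rest) % 2 or any(not k.startswith("--") for k in rest[::2]):
        raise ValueError("options must be '--key value' pairs")
    return realm, {k[2:]: v for k, v in zip(rest[::2], rest[1::2])}

def audit_realm_add(cmdline):
    """Return a list of findings for an LDAP/AD realm definition."""
    _realm, o = parse_realm_add(cmdline)
    if o.get("type") not in ("ad", "ldap"):
        return []                      # pam/pve realms have no LDAP transport
    findings = []
    secure = o.get("secure", "0").lower() in TRUE
    if "secure" in o:
        findings.append("secure is deprecated, use --mode")
    # Documented defaults: mode=ldap, verify=0.
    mode = o.get("mode", "ldaps" if secure else "ldap")
    if mode == "ldap":
        findings.append("mode=ldap: no TLS on the LDAP connection")
    elif o.get("verify", "0").lower() not in TRUE:
        findings.append("verify=0: server certificate is not checked")
    if o.get("sslversion") in WEAK_TLS:
        findings.append("sslversion older than tlsv1_2")
    return findings

# Constructed sample command lines (realm name and host are placeholders).
BASE = ("pveum realm add corp --type ldap --server1 ldap.example.test "
        "--base_dn dc=example,dc=test --user_attr uid")
WEAK = BASE
NOVERIFY = BASE + " --mode ldaps --sslversion tlsv1_1"
HARDENED = BASE + " --mode ldap+starttls --verify 1 --sslversion tlsv1_2"

if __name__ == "__main__":
    for cmd in (WEAK, NOVERIFY, HARDENED):
        print(audit_realm_add(cmd) or "no findings")
```
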

*pveum realm delete* `<realm>`

Delete an authentication server.

`<realm>`: `<string>` ::
Authentication domain ID

*pveum realm list* `[FORMAT_OPTIONS]`

Authentication domain index.

*pveum realm modify* `<realm>` `[OPTIONS]`

Update authentication server settings.

`<realm>`: `<string>` ::
Authentication domain ID

`--base_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
LDAP base domain name

`--bind_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
LDAP bind domain name

`--capath` `<string>` ('default =' `/etc/ssl/certs`)::
Path to the CA certificate store

`--cert` `<string>` ::
Path to the client certificate

`--certkey` `<string>` ::
Path to the client certificate key

`--comment` `<string>` ::

`--default` `<boolean>` ::
Use this as default realm

`--delete` `<string>` ::
A list of settings you want to delete.

`--digest` `<string>` ::
Prevent changes if current configuration file has different SHA1 digest. This can be used to prevent concurrent modifications.

`--filter` `<string>` ::
LDAP filter for user sync.

`--group_classes` `<string>` ('default =' `groupOfNames, group, univentionGroup, ipausergroup`)::
The objectclasses for groups.

`--group_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
LDAP base domain name for group sync. If not set, the base_dn will be used.

`--group_filter` `<string>` ::
LDAP filter for group sync.

`--group_name_attr` `<string>` ::
LDAP attribute representing a group's name. If not set or found, the first value of the DN will be used as name.

`--mode` `<ldap | ldap+starttls | ldaps>` ('default =' `ldap`)::

`--password` `<string>` ::
LDAP bind password. Will be stored in '/etc/pve/priv/realm/<REALM>.pw'.

`--port` `<integer> (1 - 65535)` ::

`--secure` `<boolean>` ::
Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.

`--server1` `<string>` ::
Server IP address (or DNS name)

`--server2` `<string>` ::
Fallback Server IP address (or DNS name)

`--sslversion` `<tlsv1 | tlsv1_1 | tlsv1_2 | tlsv1_3>` ::
LDAPS TLS/SSL version. It's not recommended to use a version older than 1.2!

`--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,scope=<users|groups|both>]` ::
The default options for behavior of synchronizations.

`--sync_attributes` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
Comma-separated list of key=value pairs for specifying which LDAP attributes map to which PVE user field. For example, to map the LDAP attribute 'mail' to PVE's 'email', write 'email=mail'. By default, each PVE user field is represented by an LDAP attribute of the same name.

`--tfa` `type=<TFATYPE> [,digits=<COUNT>] [,id=<ID>] [,key=<KEY>] [,step=<SECONDS>] [,url=<URL>]` ::
Use Two-factor authentication.

`--user_attr` `\S{2,}` ::
LDAP user attribute name

`--user_classes` `<string>` ('default =' `inetorgperson, posixaccount, person, user`)::
The objectclasses for users.

`--verify` `<boolean>` ('default =' `0`)::
Verify the server's SSL certificate

*pveum realm sync* `<realm>` `[OPTIONS]`

Syncs users and/or groups from the configured LDAP to user.cfg. NOTE:
Synced groups will have the name 'name-$realm', so make sure those groups
do not exist to prevent overwriting.

`<realm>`: `<string>` ::
Authentication domain ID

`--dry-run` `<boolean>` ('default =' `0`)::
If set, does not write anything.

`--enable-new` `<boolean>` ('default =' `1`)::
Enable newly synced users immediately.

`--full` `<boolean>` ::
If set, uses the LDAP Directory as source of truth, deleting users or groups not returned from the sync. Otherwise only syncs information which is not already present, and does not delete or modify anything else.

`--purge` `<boolean>` ::
Remove ACLs for users or groups which were removed from the config during a sync.

`--scope` `<both | groups | users>` ::

*pveum role add* `<roleid>` `[OPTIONS]`

`<roleid>`: `<string>` ::
no description available

`--privs` `<string>` ::
no description available

*pveum role delete* `<roleid>`

`<roleid>`: `<string>` ::
no description available

*pveum role list* `[FORMAT_OPTIONS]`

*pveum role modify* `<roleid>` `[OPTIONS]`

Update an existing role.

`<roleid>`: `<string>` ::
no description available

`--append` `<boolean>` ::
no description available

NOTE: Requires option(s): `privs`

`--privs` `<string>` ::
no description available

An alias for 'pveum role add'.

An alias for 'pveum role delete'.

An alias for 'pveum role modify'.

*pveum ticket* `<username>` `[OPTIONS]`

Create or verify authentication ticket.

`<username>`: `<string>` ::

`--otp` `<string>` ::
One-time password for Two-factor authentication.

`--path` `<string>` ::
Verify ticket, and check if user has access 'privs' on 'path'

NOTE: Requires option(s): `privs`

`--privs` `<string>` ::
Verify ticket, and check if user has access 'privs' on 'path'

NOTE: Requires option(s): `path`

`--realm` `<string>` ::
You can optionally pass the realm using this parameter. Normally the realm is simply added to the username <username>@<realm>.

*pveum user add* `<userid>` `[OPTIONS]`

`<userid>`: `<string>` ::

`--comment` `<string>` ::
no description available

`--email` `<string>` ::
no description available

`--enable` `<boolean>` ('default =' `1`)::
Enable the account (default). You can set this to '0' to disable the account.

`--expire` `<integer> (0 - N)` ::
Account expiration date (seconds since epoch). '0' means no expiration date.

`--firstname` `<string>` ::
no description available

`--groups` `<string>` ::
no description available

`--keys` `<string>` ::
Keys for two factor auth (yubico).

`--lastname` `<string>` ::
no description available

`--password` `<string>` ::

*pveum user delete* `<userid>`

`<userid>`: `<string>` ::

*pveum user list* `[OPTIONS]` `[FORMAT_OPTIONS]`

`--enabled` `<boolean>` ::
Optional filter for enable property.

`--full` `<boolean>` ('default =' `0`)::
Include group and token information.

*pveum user modify* `<userid>` `[OPTIONS]`

Update user configuration.

`<userid>`: `<string>` ::

`--append` `<boolean>` ::
no description available

NOTE: Requires option(s): `groups`

`--comment` `<string>` ::
no description available

`--email` `<string>` ::
no description available

`--enable` `<boolean>` ('default =' `1`)::
Enable the account (default). You can set this to '0' to disable the account.

`--expire` `<integer> (0 - N)` ::
Account expiration date (seconds since epoch). '0' means no expiration date.

`--firstname` `<string>` ::
no description available

`--groups` `<string>` ::
no description available

`--keys` `<string>` ::
Keys for two factor auth (yubico).

`--lastname` `<string>` ::
no description available

*pveum user permissions* `[<userid>]` `[OPTIONS]` `[FORMAT_OPTIONS]`

Retrieve effective permissions of given user/token.

`<userid>`: `(?^:^(?^:[^\s:/]+)\@(?^:[A-Za-z][A-Za-z0-9\.\-_]+)(?:!(?^:[A-Za-z][A-Za-z0-9\.\-_]+))?$)` ::
User ID or full API token ID

`--path` `<string>` ::
Only dump this specific path, not the whole tree.

*pveum user tfa delete* `<userid>` `[OPTIONS]`

Change user u2f authentication.

`<userid>`: `<string>` ::

`--config` `type=<TFATYPE> [,digits=<COUNT>] [,id=<ID>] [,key=<KEY>] [,step=<SECONDS>] [,url=<URL>]` ::
A TFA configuration. This must currently be of type TOTP or not set at all.

`--key` `<string>` ::
When adding TOTP, the shared secret value.

`--password` `<string>` ::
The current password.

`--response` `<string>` ::
Either the response to the current u2f registration challenge, or, when adding TOTP, the currently valid TOTP value.

*pveum user token add* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`

Generate a new API token for a specific user. NOTE: returns API token
value, which needs to be stored as it cannot be retrieved afterwards!

`<userid>`: `<string>` ::

`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
User-specific token identifier.

`--comment` `<string>` ::
no description available

`--expire` `<integer> (0 - N)` ('default =' `same as user`)::
API token expiration date (seconds since epoch). '0' means no expiration date.

`--privsep` `<boolean>` ('default =' `1`)::
Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.

*pveum user token list* `<userid>` `[FORMAT_OPTIONS]`

`<userid>`: `<string>` ::

*pveum user token modify* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`

Update API token for a specific user.

`<userid>`: `<string>` ::

`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
User-specific token identifier.

`--comment` `<string>` ::
no description available

`--expire` `<integer> (0 - N)` ('default =' `same as user`)::
API token expiration date (seconds since epoch). '0' means no expiration date.

`--privsep` `<boolean>` ('default =' `1`)::
Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.

*pveum user token permissions* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`

Retrieve effective permissions of given token.

`<userid>`: `<string>` ::

`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
User-specific token identifier.

`--path` `<string>` ::
Only dump this specific path, not the whole tree.

*pveum user token remove* `<userid> <tokenid>` `[FORMAT_OPTIONS]`

Remove API token for a specific user.

`<userid>`: `<string>` ::

`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
User-specific token identifier.

An alias for 'pveum user add'.

An alias for 'pveum user delete'.

An alias for 'pveum user modify'.