*pveum* `<COMMAND> [ARGS] [OPTIONS]`
*pveum acl delete* `<path> --roles <string>` `[OPTIONS]`
Update Access Control List (add or remove permissions).
`<path>`: `<string>` ::
`--groups` `<string>` ::
`--propagate` `<boolean>` ('default =' `1`)::
Allow permissions to propagate (be inherited).
`--roles` `<string>` ::
`--tokens` `<string>` ::
`--users` `<string>` ::
*pveum acl list* `[FORMAT_OPTIONS]`
Get Access Control List (ACLs).
*pveum acl modify* `<path> --roles <string>` `[OPTIONS]`
Update Access Control List (add or remove permissions).
`<path>`: `<string>` ::
`--groups` `<string>` ::
`--propagate` `<boolean>` ('default =' `1`)::
Allow permissions to propagate (be inherited).
`--roles` `<string>` ::
`--tokens` `<string>` ::
`--users` `<string>` ::
An alias for 'pveum acl delete'.
An alias for 'pveum acl modify'.
*pveum group add* `<groupid>` `[OPTIONS]`
`<groupid>`: `<string>` ::
no description available
`--comment` `<string>` ::
no description available
*pveum group delete* `<groupid>`
`<groupid>`: `<string>` ::
no description available
*pveum group list* `[FORMAT_OPTIONS]`
*pveum group modify* `<groupid>` `[OPTIONS]`
`<groupid>`: `<string>` ::
no description available
`--comment` `<string>` ::
no description available
An alias for 'pveum group add'.
An alias for 'pveum group delete'.
An alias for 'pveum group modify'.
*pveum help* `[OPTIONS]`
Get help about specified command.
`--extra-args` `<array>` ::
Shows help for a specific command
`--verbose` `<boolean>` ::
Verbose output format.
*pveum passwd* `<userid>`
Change user password.
`<userid>`: `<string>` ::
*pveum pool add* `<poolid>` `[OPTIONS]`
`<poolid>`: `<string>` ::
no description available
`--comment` `<string>` ::
no description available
*pveum pool delete* `<poolid>`
`<poolid>`: `<string>` ::
no description available
*pveum pool list* `[FORMAT_OPTIONS]`
*pveum pool modify* `<poolid>` `[OPTIONS]`
`<poolid>`: `<string>` ::
no description available
`--comment` `<string>` ::
no description available
`--delete` `<boolean>` ::
Remove vms/storage (instead of adding it).
`--storage` `<string>` ::
`--vms` `<string>` ::
List of virtual machines.
*pveum realm add* `<realm> --type <string>` `[OPTIONS]`
Add an authentication server.
`<realm>`: `<string>` ::
Authentication domain ID
`--base_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
LDAP base domain name
`--bind_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
LDAP bind domain name
`--capath` `<string>` ('default =' `/etc/ssl/certs`)::
Path to the CA certificate store
`--case-sensitive` `<boolean>` ('default =' `1`)::
username is case-sensitive
`--cert` `<string>` ::
Path to the client certificate
`--certkey` `<string>` ::
Path to the client certificate key
`--comment` `<string>` ::
`--default` `<boolean>` ::
Use this as default realm
`--filter` `<string>` ::
LDAP filter for user sync.
`--group_classes` `<string>` ('default =' `groupOfNames, group, univentionGroup, ipausergroup`)::
The objectclasses for groups.
`--group_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
LDAP base domain name for group sync. If not set, the base_dn will be used.
`--group_filter` `<string>` ::
LDAP filter for group sync.
`--group_name_attr` `<string>` ::
LDAP attribute representing a group's name. If not set or found, the first value of the DN will be used as the name.
`--mode` `<ldap | ldap+starttls | ldaps>` ('default =' `ldap`)::
`--password` `<string>` ::
LDAP bind password. Will be stored in '/etc/pve/priv/realm/<REALM>.pw'.
`--port` `<integer> (1 - 65535)` ::
`--secure` `<boolean>` ::
Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.
`--server1` `<string>` ::
Server IP address (or DNS name)
`--server2` `<string>` ::
Fallback Server IP address (or DNS name)
`--sslversion` `<tlsv1 | tlsv1_1 | tlsv1_2 | tlsv1_3>` ::
LDAPS TLS/SSL version. It's not recommended to use a version older than 1.2!
`--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,scope=<users|groups|both>]` ::
The default options for behavior of synchronizations.
`--sync_attributes` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
Comma-separated list of key=value pairs for specifying which LDAP attributes map to which PVE user field. For example, to map the LDAP attribute 'mail' to PVE's 'email', write 'email=mail'. By default, each PVE user field is represented by an LDAP attribute of the same name.
`--tfa` `type=<TFATYPE> [,digits=<COUNT>] [,id=<ID>] [,key=<KEY>] [,step=<SECONDS>] [,url=<URL>]` ::
Use Two-factor authentication.
`--type` `<ad | ldap | pam | pve>` ::
`--user_attr` `\S{2,}` ::
LDAP user attribute name
`--user_classes` `<string>` ('default =' `inetorgperson, posixaccount, person, user`)::
The objectclasses for users.
`--verify` `<boolean>` ('default =' `0`)::
Verify the server's SSL certificate
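The documented defaults for an LDAP or AD realm are `--mode ldap` and `--verify 0`. The following is an added example, not part of the original reference and not Proxmox code: a small lint function that checks the arguments of a planned `pveum realm add` call against the defaults and warnings listed above. It assumes options are written as `--opt value` with `1`/`0` booleans; the function name, finding labels and sample values are made up for illustration.

```shell
#!/bin/sh
# Added example, not Proxmox code. Lints the arguments of a planned
# `pveum realm add` call against the defaults and warnings in the option
# list above. Assumes "--opt value" spelling and 1/0 booleans. Runs nothing.
audit_realm_args() {
    type="" mode=ldap verify=0 sslversion="" secure=0 pw=0 rc=0
    while [ $# -gt 0 ]; do
        case "$1" in
            --type)       type=${2-} ;;
            --mode)       mode=${2-} ;;          # documented default: ldap
            --verify)     verify=${2-} ;;        # documented default: 0
            --sslversion) sslversion=${2-} ;;
            --secure)     secure=${2-}
                          echo "DEPRECATED --secure: use --mode instead"; rc=1 ;;
            --password)   pw=1 ;;
        esac
        shift
    done
    # Only ad and ldap realms talk to a directory server.
    case "$type" in ad|ldap) ;; *) return "$rc" ;; esac
    tls=1
    if [ "$mode" = ldap ] && [ "$secure" != 1 ]; then
        tls=0; rc=1
        echo "CLEARTEXT mode=ldap: traffic is unencrypted; use ldaps or ldap+starttls"
    fi
    if [ "$tls" = 1 ] && [ "$verify" != 1 ]; then
        rc=1
        echo "NOVERIFY verify=$verify: server certificate is not checked; set --verify 1"
    fi
    case "$sslversion" in
        tlsv1|tlsv1_1) rc=1; echo "OLDTLS sslversion=$sslversion: older than TLS 1.2" ;;
    esac
    if [ "$pw" = 1 ]; then
        rc=1
        echo "PASSWORD-ARGV --password: secret lands in shell history and the process list"
    fi
    return "$rc"
}

# Constructed sample calls; realm name, host and DN are made up.
audit_realm_args corp --type ldap --server1 ldap.example.test \
    --base_dn dc=example,dc=test --user_attr uid || true
audit_realm_args corp --type ldap --server1 ldap.example.test --mode ldaps \
    --verify 1 --sslversion tlsv1_2 --base_dn dc=example,dc=test --user_attr uid
```

The function prints one finding per line and returns non-zero when any finding was reported, so it can gate a provisioning script.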
*pveum realm delete* `<realm>`
Delete an authentication server.
`<realm>`: `<string>` ::
Authentication domain ID
*pveum realm list* `[FORMAT_OPTIONS]`
Authentication domain index.
*pveum realm modify* `<realm>` `[OPTIONS]`
Update authentication server settings.
`<realm>`: `<string>` ::
Authentication domain ID
`--base_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
LDAP base domain name
`--bind_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
LDAP bind domain name
`--capath` `<string>` ('default =' `/etc/ssl/certs`)::
Path to the CA certificate store
`--case-sensitive` `<boolean>` ('default =' `1`)::
username is case-sensitive
`--cert` `<string>` ::
Path to the client certificate
`--certkey` `<string>` ::
Path to the client certificate key
`--comment` `<string>` ::
`--default` `<boolean>` ::
Use this as default realm
`--delete` `<string>` ::
A list of settings you want to delete.
`--digest` `<string>` ::
Prevent changes if current configuration file has different SHA1 digest. This can be used to prevent concurrent modifications.
`--filter` `<string>` ::
LDAP filter for user sync.
`--group_classes` `<string>` ('default =' `groupOfNames, group, univentionGroup, ipausergroup`)::
The objectclasses for groups.
`--group_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
LDAP base domain name for group sync. If not set, the base_dn will be used.
`--group_filter` `<string>` ::
LDAP filter for group sync.
`--group_name_attr` `<string>` ::
LDAP attribute representing a group's name. If not set or found, the first value of the DN will be used as the name.
`--mode` `<ldap | ldap+starttls | ldaps>` ('default =' `ldap`)::
`--password` `<string>` ::
LDAP bind password. Will be stored in '/etc/pve/priv/realm/<REALM>.pw'.
`--port` `<integer> (1 - 65535)` ::
`--secure` `<boolean>` ::
Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.
`--server1` `<string>` ::
Server IP address (or DNS name)
`--server2` `<string>` ::
Fallback Server IP address (or DNS name)
`--sslversion` `<tlsv1 | tlsv1_1 | tlsv1_2 | tlsv1_3>` ::
LDAPS TLS/SSL version. It's not recommended to use a version older than 1.2!
`--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,scope=<users|groups|both>]` ::
The default options for behavior of synchronizations.
`--sync_attributes` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
Comma-separated list of key=value pairs for specifying which LDAP attributes map to which PVE user field. For example, to map the LDAP attribute 'mail' to PVE's 'email', write 'email=mail'. By default, each PVE user field is represented by an LDAP attribute of the same name.
`--tfa` `type=<TFATYPE> [,digits=<COUNT>] [,id=<ID>] [,key=<KEY>] [,step=<SECONDS>] [,url=<URL>]` ::
Use Two-factor authentication.
`--user_attr` `\S{2,}` ::
LDAP user attribute name
`--user_classes` `<string>` ('default =' `inetorgperson, posixaccount, person, user`)::
The objectclasses for users.
`--verify` `<boolean>` ('default =' `0`)::
Verify the server's SSL certificate
*pveum realm sync* `<realm>` `[OPTIONS]`
Syncs users and/or groups from the configured LDAP to user.cfg. NOTE:
Synced groups will have the name 'name-$realm', so make sure those groups
do not exist to prevent overwriting.
`<realm>`: `<string>` ::
Authentication domain ID
`--dry-run` `<boolean>` ('default =' `0`)::
If set, does not write anything.
`--enable-new` `<boolean>` ('default =' `1`)::
Enable newly synced users immediately.
`--full` `<boolean>` ::
If set, uses the LDAP Directory as source of truth, deleting users or groups not returned from the sync. Otherwise only syncs information which is not already present, and does not delete or modify anything else.
`--purge` `<boolean>` ::
Remove ACLs for users or groups which were removed from the config during a sync.
`--scope` `<both | groups | users>` ::
*pveum role add* `<roleid>` `[OPTIONS]`
`<roleid>`: `<string>` ::
no description available
`--privs` `<string>` ::
no description available
*pveum role delete* `<roleid>`
`<roleid>`: `<string>` ::
no description available
*pveum role list* `[FORMAT_OPTIONS]`
*pveum role modify* `<roleid>` `[OPTIONS]`
Update an existing role.
`<roleid>`: `<string>` ::
no description available
`--append` `<boolean>` ::
no description available
NOTE: Requires option(s): `privs`
`--privs` `<string>` ::
no description available
An alias for 'pveum role add'.
An alias for 'pveum role delete'.
An alias for 'pveum role modify'.
*pveum ticket* `<username>` `[OPTIONS]`
Create or verify authentication ticket.
`<username>`: `<string>` ::
`--otp` `<string>` ::
One-time password for Two-factor authentication.
`--path` `<string>` ::
Verify ticket, and check if the user has access 'privs' on 'path'
NOTE: Requires option(s): `privs`
`--privs` `<string>` ::
Verify ticket, and check if the user has access 'privs' on 'path'
NOTE: Requires option(s): `path`
`--realm` `<string>` ::
You can optionally pass the realm using this parameter. Normally the realm is simply added to the username <username>@<realm>.
*pveum user add* `<userid>` `[OPTIONS]`
`<userid>`: `<string>` ::
`--comment` `<string>` ::
no description available
`--email` `<string>` ::
no description available
`--enable` `<boolean>` ('default =' `1`)::
Enable the account (default). You can set this to '0' to disable the account.
`--expire` `<integer> (0 - N)` ::
Account expiration date (seconds since epoch). '0' means no expiration date.
`--firstname` `<string>` ::
no description available
`--groups` `<string>` ::
no description available
`--keys` `<string>` ::
Keys for two factor auth (yubico).
`--lastname` `<string>` ::
no description available
`--password` `<string>` ::
*pveum user delete* `<userid>`
`<userid>`: `<string>` ::
*pveum user list* `[OPTIONS]` `[FORMAT_OPTIONS]`
`--enabled` `<boolean>` ::
Optional filter for enable property.
`--full` `<boolean>` ('default =' `0`)::
Include group and token information.
*pveum user modify* `<userid>` `[OPTIONS]`
Update user configuration.
`<userid>`: `<string>` ::
`--append` `<boolean>` ::
no description available
NOTE: Requires option(s): `groups`
`--comment` `<string>` ::
no description available
`--email` `<string>` ::
no description available
`--enable` `<boolean>` ('default =' `1`)::
Enable the account (default). You can set this to '0' to disable the account.
`--expire` `<integer> (0 - N)` ::
Account expiration date (seconds since epoch). '0' means no expiration date.
`--firstname` `<string>` ::
no description available
`--groups` `<string>` ::
no description available
`--keys` `<string>` ::
Keys for two factor auth (yubico).
`--lastname` `<string>` ::
no description available
*pveum user permissions* `[<userid>]` `[OPTIONS]` `[FORMAT_OPTIONS]`
Retrieve effective permissions of given user/token.
`<userid>`: `(?^:^(?^:[^\s:/]+)\@(?^:[A-Za-z][A-Za-z0-9\.\-_]+)(?:!(?^:[A-Za-z][A-Za-z0-9\.\-_]+))?$)` ::
User ID or full API token ID
`--path` `<string>` ::
Only dump this specific path, not the whole tree.
*pveum user tfa delete* `<userid>` `[OPTIONS]`
Change user u2f authentication.
`<userid>`: `<string>` ::
`--config` `type=<TFATYPE> [,digits=<COUNT>] [,id=<ID>] [,key=<KEY>] [,step=<SECONDS>] [,url=<URL>]` ::
A TFA configuration. This must currently be of type TOTP or not set at all.
`--key` `<string>` ::
When adding TOTP, the shared secret value.
`--password` `<string>` ::
The current password.
`--response` `<string>` ::
Either the response to the current u2f registration challenge, or, when adding TOTP, the currently valid TOTP value.
*pveum user token add* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
Generate a new API token for a specific user. NOTE: returns API token
value, which needs to be stored as it cannot be retrieved afterwards!
`<userid>`: `<string>` ::
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
User-specific token identifier.
`--comment` `<string>` ::
no description available
`--expire` `<integer> (0 - N)` ('default =' `same as user`)::
API token expiration date (seconds since epoch). '0' means no expiration date.
`--privsep` `<boolean>` ('default =' `1`)::
Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.
*pveum user token list* `<userid>` `[FORMAT_OPTIONS]`
`<userid>`: `<string>` ::
*pveum user token modify* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
Update API token for a specific user.
`<userid>`: `<string>` ::
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
User-specific token identifier.
`--comment` `<string>` ::
no description available
`--expire` `<integer> (0 - N)` ('default =' `same as user`)::
API token expiration date (seconds since epoch). '0' means no expiration date.
`--privsep` `<boolean>` ('default =' `1`)::
Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.
*pveum user token permissions* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
Retrieve effective permissions of given token.
`<userid>`: `<string>` ::
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
User-specific token identifier.
`--path` `<string>` ::
Only dump this specific path, not the whole tree.
*pveum user token remove* `<userid> <tokenid>` `[FORMAT_OPTIONS]`
Remove API token for a specific user.
`<userid>`: `<string>` ::
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
User-specific token identifier.
An alias for 'pveum user add'.
An alias for 'pveum user delete'.
An alias for 'pveum user modify'.