*pveum* `<COMMAND> [ARGS] [OPTIONS]`
*pveum acl delete* `<path> --roles <string>` `[OPTIONS]`
Update Access Control List (add or remove permissions).
`<path>`: `<string>` ::
`--groups` `<string>` ::
`--propagate` `<boolean>` ('default =' `1`)::
Allow to propagate (inherit) permissions.
`--roles` `<string>` ::
`--tokens` `<string>` ::
`--users` `<string>` ::
*pveum acl list* `[FORMAT_OPTIONS]`
Get Access Control List (ACLs).
*pveum acl modify* `<path> --roles <string>` `[OPTIONS]`
Update Access Control List (add or remove permissions).
`<path>`: `<string>` ::
`--groups` `<string>` ::
`--propagate` `<boolean>` ('default =' `1`)::
Allow to propagate (inherit) permissions.
`--roles` `<string>` ::
`--tokens` `<string>` ::
`--users` `<string>` ::
An alias for 'pveum acl delete'.
An alias for 'pveum acl modify'.
*pveum group add* `<groupid>` `[OPTIONS]`
`<groupid>`: `<string>` ::
no description available
`--comment` `<string>` ::
no description available
*pveum group delete* `<groupid>`
`<groupid>`: `<string>` ::
no description available
*pveum group list* `[FORMAT_OPTIONS]`
*pveum group modify* `<groupid>` `[OPTIONS]`
`<groupid>`: `<string>` ::
no description available
`--comment` `<string>` ::
no description available
An alias for 'pveum group add'.
An alias for 'pveum group delete'.
An alias for 'pveum group modify'.
*pveum help* `[OPTIONS]`
Get help about specified command.
`--extra-args` `<array>` ::
Shows help for a specific command
`--verbose` `<boolean>` ::
Verbose output format.
*pveum passwd* `<userid>`
Change user password.
`<userid>`: `<string>` ::
Full User ID, in the `name@realm` format.
*pveum pool add* `<poolid>` `[OPTIONS]`
`<poolid>`: `<string>` ::
no description available
`--comment` `<string>` ::
no description available
*pveum pool delete* `<poolid>`
`<poolid>`: `<string>` ::
no description available
*pveum pool list* `[FORMAT_OPTIONS]`
*pveum pool modify* `<poolid>` `[OPTIONS]`
`<poolid>`: `<string>` ::
no description available
`--allow-move` `<boolean>` ('default =' `0`)::
Allow adding a guest even if already in another pool. The guest will be removed from its current pool and added to this one.
`--comment` `<string>` ::
no description available
`--delete` `<boolean>` ('default =' `0`)::
Remove the passed VMIDs and/or storage IDs instead of adding them.
`--storage` `<string>` ::
List of storage IDs to add or remove from this pool.
`--vms` `<string>` ::
List of guest VMIDs to add or remove from this pool.
*pveum realm add* `<realm> --type <string>` `[OPTIONS]`
Add an authentication server.
`<realm>`: `<string>` ::
Authentication domain ID
`--acr-values` `<string>` ::
Specifies the Authentication Context Class Reference values that the Authorization Server is being requested to use for the Auth Request.
`--autocreate` `<boolean>` ('default =' `0`)::
Automatically create users if they do not exist.
`--base_dn` `<string>` ::
LDAP base domain name
`--bind_dn` `<string>` ::
LDAP bind domain name
`--capath` `<string>` ('default =' `/etc/ssl/certs`)::
Path to the CA certificate store
`--case-sensitive` `<boolean>` ('default =' `1`)::
username is case-sensitive
`--cert` `<string>` ::
Path to the client certificate
`--certkey` `<string>` ::
Path to the client certificate key
`--check-connection` `<boolean>` ('default =' `0`)::
Check bind connection to the server.
`--client-id` `<string>` ::
`--client-key` `<string>` ::
`--comment` `<string>` ::
`--default` `<boolean>` ::
Use this as default realm
`--filter` `<string>` ::
LDAP filter for user sync.
`--group_classes` `<string>` ('default =' `groupOfNames, group, univentionGroup, ipausergroup`)::
The objectclasses for groups.
`--group_dn` `<string>` ::
LDAP base domain name for group sync. If not set, the base_dn will be used.
`--group_filter` `<string>` ::
LDAP filter for group sync.
`--group_name_attr` `<string>` ::
LDAP attribute representing a group's name. If not set or found, the first value of the DN will be used as name.
`--issuer-url` `<string>` ::
`--mode` `<ldap | ldap+starttls | ldaps>` ('default =' `ldap`)::
`--password` `<string>` ::
LDAP bind password. Will be stored in '/etc/pve/priv/realm/<REALM>.pw'.
`--port` `<integer> (1 - 65535)` ::
`--prompt` `(?:none|login|consent|select_account|\S+)` ::
Specifies whether the Authorization Server prompts the End-User for reauthentication and consent.
`--scopes` `<string>` ('default =' `email profile`)::
Specifies the scopes (user details) that should be authorized and returned, for example 'email' or 'profile'.
`--secure` `<boolean>` ::
Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.
`--server1` `<string>` ::
Server IP address (or DNS name)
`--server2` `<string>` ::
Fallback Server IP address (or DNS name)
`--sslversion` `<tlsv1 | tlsv1_1 | tlsv1_2 | tlsv1_3>` ::
LDAPS TLS/SSL version. It's not recommended to use a version older than 1.2!
`--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,remove-vanished=([acl];[properties];[entry])|none] [,scope=<users|groups|both>]` ::
The default options for behavior of synchronizations.
`--sync_attributes` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
Comma-separated list of key=value pairs for specifying which LDAP attributes map to which PVE user field. For example, to map the LDAP attribute 'mail' to PVE's 'email', write 'email=mail'. By default, each PVE user field is represented by an LDAP attribute of the same name.
`--tfa` `type=<TFATYPE> [,digits=<COUNT>] [,id=<ID>] [,key=<KEY>] [,step=<SECONDS>] [,url=<URL>]` ::
Use Two-factor authentication.
`--type` `<ad | ldap | openid | pam | pve>` ::
`--user_attr` `\S{2,}` ::
LDAP user attribute name
`--user_classes` `<string>` ('default =' `inetorgperson, posixaccount, person, user`)::
The objectclasses for users.
`--username-claim` `<string>` ::
OpenID claim used to generate the unique username.
`--verify` `<boolean>` ('default =' `0`)::
Verify the server's SSL certificate
*pveum realm delete* `<realm>`
Delete an authentication server.
`<realm>`: `<string>` ::
Authentication domain ID
*pveum realm list* `[FORMAT_OPTIONS]`
Authentication domain index.
*pveum realm modify* `<realm>` `[OPTIONS]`
Update authentication server settings.
`<realm>`: `<string>` ::
Authentication domain ID
`--acr-values` `<string>` ::
Specifies the Authentication Context Class Reference values that the Authorization Server is being requested to use for the Auth Request.
`--autocreate` `<boolean>` ('default =' `0`)::
Automatically create users if they do not exist.
`--base_dn` `<string>` ::
LDAP base domain name
`--bind_dn` `<string>` ::
LDAP bind domain name
`--capath` `<string>` ('default =' `/etc/ssl/certs`)::
Path to the CA certificate store
`--case-sensitive` `<boolean>` ('default =' `1`)::
username is case-sensitive
`--cert` `<string>` ::
Path to the client certificate
`--certkey` `<string>` ::
Path to the client certificate key
`--check-connection` `<boolean>` ('default =' `0`)::
Check bind connection to the server.
`--client-id` `<string>` ::
`--client-key` `<string>` ::
`--comment` `<string>` ::
`--default` `<boolean>` ::
Use this as default realm
`--delete` `<string>` ::
A list of settings you want to delete.
`--digest` `<string>` ::
Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
`--filter` `<string>` ::
LDAP filter for user sync.
`--group_classes` `<string>` ('default =' `groupOfNames, group, univentionGroup, ipausergroup`)::
The objectclasses for groups.
`--group_dn` `<string>` ::
LDAP base domain name for group sync. If not set, the base_dn will be used.
`--group_filter` `<string>` ::
LDAP filter for group sync.
`--group_name_attr` `<string>` ::
LDAP attribute representing a group's name. If not set or found, the first value of the DN will be used as name.
`--issuer-url` `<string>` ::
`--mode` `<ldap | ldap+starttls | ldaps>` ('default =' `ldap`)::
`--password` `<string>` ::
LDAP bind password. Will be stored in '/etc/pve/priv/realm/<REALM>.pw'.
`--port` `<integer> (1 - 65535)` ::
`--prompt` `(?:none|login|consent|select_account|\S+)` ::
Specifies whether the Authorization Server prompts the End-User for reauthentication and consent.
`--scopes` `<string>` ('default =' `email profile`)::
Specifies the scopes (user details) that should be authorized and returned, for example 'email' or 'profile'.
`--secure` `<boolean>` ::
Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.
`--server1` `<string>` ::
Server IP address (or DNS name)
`--server2` `<string>` ::
Fallback Server IP address (or DNS name)
`--sslversion` `<tlsv1 | tlsv1_1 | tlsv1_2 | tlsv1_3>` ::
LDAPS TLS/SSL version. It's not recommended to use a version older than 1.2!
`--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,remove-vanished=([acl];[properties];[entry])|none] [,scope=<users|groups|both>]` ::
The default options for behavior of synchronizations.
`--sync_attributes` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
Comma-separated list of key=value pairs for specifying which LDAP attributes map to which PVE user field. For example, to map the LDAP attribute 'mail' to PVE's 'email', write 'email=mail'. By default, each PVE user field is represented by an LDAP attribute of the same name.
`--tfa` `type=<TFATYPE> [,digits=<COUNT>] [,id=<ID>] [,key=<KEY>] [,step=<SECONDS>] [,url=<URL>]` ::
Use Two-factor authentication.
`--user_attr` `\S{2,}` ::
LDAP user attribute name
`--user_classes` `<string>` ('default =' `inetorgperson, posixaccount, person, user`)::
The objectclasses for users.
`--verify` `<boolean>` ('default =' `0`)::
Verify the server's SSL certificate
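
The documented defaults for `realm add` and `realm modify` (`mode` = `ldap`, `verify` = `0`) leave an LDAP or AD realm unencrypted and unverified unless changed. The following check is an added example, not Proxmox code: the function names, finding codes and sample realms are constructed, and the precedence of `mode` over the deprecated `secure` is an assumption.

```python
# Added example: audit the transport options of an LDAP/AD realm.
# Option names, allowed values and defaults are the ones listed in the
# reference above; everything else here is constructed for illustration.

TLS_ORDER = ["tlsv1", "tlsv1_1", "tlsv1_2", "tlsv1_3"]  # --sslversion values


def effective_mode(opts):
    # Assumption: 'mode' wins when set; otherwise the deprecated 'secure'
    # selects ldaps, and the documented default 'ldap' applies.
    if "mode" in opts:
        return opts["mode"]
    return "ldaps" if opts.get("secure") else "ldap"


def audit_realm_transport(opts):
    """Return finding codes for one realm (dict keyed by option name)."""
    if opts.get("type") not in ("ad", "ldap"):
        return []  # only the LDAP-backed realm types are checked here
    findings = []
    if "secure" in opts:
        findings.append("deprecated-secure")  # reference says: use 'mode'
    if effective_mode(opts) == "ldap":
        # Bind password and user credentials cross the network unencrypted.
        findings.append("plaintext-ldap")
        return findings
    if not opts.get("verify", 0):  # documented default is 0
        findings.append("no-cert-verify")
    version = opts.get("sslversion")
    if version in TLS_ORDER and TLS_ORDER.index(version) < TLS_ORDER.index("tlsv1_2"):
        findings.append("old-tls")  # reference advises against < 1.2
    return findings


# Constructed sample realms, not taken from any real configuration.
SAMPLES = {
    "defaults": {"type": "ldap", "server1": "ldap.example.test"},
    "weak-tls": {"type": "ad", "mode": "ldaps", "sslversion": "tlsv1_1"},
    "hardened": {"type": "ldap", "mode": "ldap+starttls", "verify": 1,
                 "sslversion": "tlsv1_2"},
    "legacy":   {"type": "ldap", "secure": 1, "verify": 1},
}

if __name__ == "__main__":
    for name, opts in SAMPLES.items():
        print(f"{name}: {audit_realm_transport(opts) or 'ok'}")
```
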
*pveum realm sync* `<realm>` `[OPTIONS]`
Syncs users and/or groups from the configured LDAP to user.cfg. NOTE: Synced groups will have the name 'name-$realm', so make sure those groups do not exist to prevent overwriting.
`<realm>`: `<string>` ::
Authentication domain ID
`--dry-run` `<boolean>` ('default =' `0`)::
If set, does not write anything.
`--enable-new` `<boolean>` ('default =' `1`)::
Enable newly synced users immediately.
`--full` `<boolean>` ::
DEPRECATED: use 'remove-vanished' instead. If set, uses the LDAP Directory as source of truth, deleting users or groups not returned from the sync and removing all locally modified properties of synced users. If not set, only syncs information which is present in the synced data, and does not delete or modify anything else.
`--purge` `<boolean>` ::
DEPRECATED: use 'remove-vanished' instead. Remove ACLs for users or groups which were removed from the config during a sync.
`--remove-vanished` `([acl];[properties];[entry])|none` ('default =' `none`)::
A semicolon-separated list of things to remove when they or the user vanishes during a sync. The following values are possible: 'entry' removes the user/group when not returned from the sync. 'properties' removes the set properties on existing user/group that do not appear in the source (even custom ones). 'acl' removes ACLs when the user/group is not returned from the sync. Instead of a list it also can be 'none' (the default).
`--scope` `<both | groups | users>` ::
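
With the default `remove-vanished` value `none`, accounts that disappear from the directory keep their local entry and ACLs after a sync. The following is an added example, not Proxmox code, that models the three values as described above on constructed data; the mapping from the deprecated `full` and `purge` flags is an assumption read off their descriptions.

```python
# Added example: model what each --remove-vanished value cleans up.
# A simplified model of the option descriptions above, not PVE's own logic.

ALLOWED = {"acl", "properties", "entry"}


def parse_remove_vanished(value="none"):
    """Parse a semicolon-separated remove-vanished value into a set."""
    if value == "none":
        return set()
    parts = value.split(";")
    unknown = [p for p in parts if p not in ALLOWED]
    if unknown:
        raise ValueError(f"invalid remove-vanished item(s): {unknown}")
    return set(parts)


def from_deprecated(full=False, purge=False):
    # Assumption: 'full' deletes missing entries and clears local properties,
    # 'purge' removes ACLs, as their descriptions say.
    parts = (["acl"] if purge else []) + (["properties", "entry"] if full else [])
    return ";".join(parts) or "none"


def plan_sync(local, directory, acls, remove_vanished="none"):
    """local/directory: {userid: {property: value}}; acls: {userid: [paths]}."""
    actions = parse_remove_vanished(remove_vanished)
    vanished = sorted(set(local) - set(directory))
    plan = {"delete_entries": [], "drop_acls": {}, "clear_properties": {}}
    if "entry" in actions:
        plan["delete_entries"] = vanished
    if "acl" in actions:
        plan["drop_acls"] = {u: acls[u] for u in vanished if u in acls}
    if "properties" in actions:
        for user in sorted(set(local) & set(directory)):
            extra = sorted(set(local[user]) - set(directory[user]))
            if extra:
                plan["clear_properties"][user] = extra
    return plan


# Constructed sample state: bob has left the directory, alice has a local comment.
LOCAL = {"alice@corp": {"email": "a@example.test", "comment": "on-call"},
         "bob@corp": {"email": "b@example.test"}}
DIRECTORY = {"alice@corp": {"email": "a@example.test"}}
ACLS = {"alice@corp": ["/"], "bob@corp": ["/vms/100"]}

if __name__ == "__main__":
    for value in ("none", "acl;entry", from_deprecated(full=True, purge=True)):
        print(value, "->", plan_sync(LOCAL, DIRECTORY, ACLS, value))
```
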
*pveum role add* `<roleid>` `[OPTIONS]`
`<roleid>`: `<string>` ::
no description available
`--privs` `<string>` ::
no description available
*pveum role delete* `<roleid>`
`<roleid>`: `<string>` ::
no description available
*pveum role list* `[FORMAT_OPTIONS]`
*pveum role modify* `<roleid>` `[OPTIONS]`
Update an existing role.
`<roleid>`: `<string>` ::
no description available
`--append` `<boolean>` ::
no description available
NOTE: Requires option(s): `privs`
`--privs` `<string>` ::
no description available
An alias for 'pveum role add'.
An alias for 'pveum role delete'.
An alias for 'pveum role modify'.
*pveum ticket* `<username>` `[OPTIONS]`
Create or verify authentication ticket.
`<username>`: `<string>` ::
`--new-format` `<boolean>` ('default =' `1`)::
This parameter is now ignored and assumed to be 1.
`--otp` `<string>` ::
One-time password for Two-factor authentication.
`--path` `<string>` ::
Verify ticket, and check if the user has access 'privs' on 'path'
NOTE: Requires option(s): `privs`
`--privs` `<string>` ::
Verify ticket, and check if the user has access 'privs' on 'path'
NOTE: Requires option(s): `path`
`--realm` `<string>` ::
You can optionally pass the realm using this parameter. Normally the realm is simply added to the username <username>@<realm>.
`--tfa-challenge` `<string>` ::
The signed TFA challenge string the user wants to respond to.
*pveum user add* `<userid>` `[OPTIONS]`
`<userid>`: `<string>` ::
Full User ID, in the `name@realm` format.
`--comment` `<string>` ::
no description available
`--email` `<string>` ::
no description available
`--enable` `<boolean>` ('default =' `1`)::
Enable the account (default). You can set this to '0' to disable the account.
`--expire` `<integer> (0 - N)` ::
Account expiration date (seconds since epoch). '0' means no expiration date.
`--firstname` `<string>` ::
no description available
`--groups` `<string>` ::
no description available
`--keys` `<string>` ::
Keys for two factor auth (yubico).
`--lastname` `<string>` ::
no description available
`--password` `<string>` ::
*pveum user delete* `<userid>`
`<userid>`: `<string>` ::
Full User ID, in the `name@realm` format.
*pveum user list* `[OPTIONS]` `[FORMAT_OPTIONS]`
`--enabled` `<boolean>` ::
Optional filter for enable property.
`--full` `<boolean>` ('default =' `0`)::
Include group and token information.
*pveum user modify* `<userid>` `[OPTIONS]`
Update user configuration.
`<userid>`: `<string>` ::
Full User ID, in the `name@realm` format.
`--append` `<boolean>` ::
no description available
NOTE: Requires option(s): `groups`
`--comment` `<string>` ::
no description available
`--email` `<string>` ::
no description available
`--enable` `<boolean>` ('default =' `1`)::
Enable the account (default). You can set this to '0' to disable the account.
`--expire` `<integer> (0 - N)` ::
Account expiration date (seconds since epoch). '0' means no expiration date.
`--firstname` `<string>` ::
no description available
`--groups` `<string>` ::
no description available
`--keys` `<string>` ::
Keys for two factor auth (yubico).
`--lastname` `<string>` ::
no description available
*pveum user permissions* `[<userid>]` `[OPTIONS]` `[FORMAT_OPTIONS]`
Retrieve effective permissions of given user/token.
`<userid>`: `(?^:^(?^:[^\s:/]+)\@(?^:[A-Za-z][A-Za-z0-9\.\-_]+)(?:!(?^:[A-Za-z][A-Za-z0-9\.\-_]+))?$)` ::
User ID or full API token ID
`--path` `<string>` ::
Only dump this specific path, not the whole tree.
*pveum user tfa delete* `<userid>` `[OPTIONS]`
Delete TFA entries from a user.
`<userid>`: `<string>` ::
Full User ID, in the `name@realm` format.
The TFA ID. If none is provided, all TFA entries will be deleted.
*pveum user tfa list* `[<userid>]`
`<userid>`: `<string>` ::
Full User ID, in the `name@realm` format.
*pveum user tfa unlock* `<userid>`
Unlock a user's TFA authentication.
`<userid>`: `<string>` ::
Full User ID, in the `name@realm` format.
*pveum user token add* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
Generate a new API token for a specific user. NOTE: returns API token value, which needs to be stored as it cannot be retrieved afterwards!
`<userid>`: `<string>` ::
Full User ID, in the `name@realm` format.
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
User-specific token identifier.
`--comment` `<string>` ::
no description available
`--expire` `<integer> (0 - N)` ('default =' `same as user`)::
API token expiration date (seconds since epoch). '0' means no expiration date.
`--privsep` `<boolean>` ('default =' `1`)::
Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.
*pveum user token list* `<userid>` `[FORMAT_OPTIONS]`
`<userid>`: `<string>` ::
Full User ID, in the `name@realm` format.
*pveum user token modify* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
Update API token for a specific user.
`<userid>`: `<string>` ::
Full User ID, in the `name@realm` format.
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
User-specific token identifier.
`--comment` `<string>` ::
no description available
`--expire` `<integer> (0 - N)` ('default =' `same as user`)::
API token expiration date (seconds since epoch). '0' means no expiration date.
`--privsep` `<boolean>` ('default =' `1`)::
Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.
*pveum user token permissions* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
Retrieve effective permissions of given token.
`<userid>`: `<string>` ::
Full User ID, in the `name@realm` format.
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
User-specific token identifier.
`--path` `<string>` ::
Only dump this specific path, not the whole tree.
*pveum user token remove* `<userid> <tokenid>` `[FORMAT_OPTIONS]`
Remove API token for a specific user.
`<userid>`: `<string>` ::
Full User ID, in the `name@realm` format.
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
User-specific token identifier.
An alias for 'pveum user add'.
An alias for 'pveum user delete'.
An alias for 'pveum user modify'.