*pveum* `<COMMAND> [ARGS] [OPTIONS]`

*pveum acl delete* `<path> --roles <string>` `[OPTIONS]`

Update Access Control List (add or remove permissions).

`<path>`: `<string>` ::

`--groups` `<string>` ::

`--propagate` `<boolean>` ('default =' `1`)::

Allow to propagate (inherit) permissions.

`--roles` `<string>` ::

`--tokens` `<string>` ::

`--users` `<string>` ::

*pveum acl list* `[FORMAT_OPTIONS]`

Get Access Control List (ACLs).

*pveum acl modify* `<path> --roles <string>` `[OPTIONS]`

Update Access Control List (add or remove permissions).

`<path>`: `<string>` ::

`--groups` `<string>` ::

`--propagate` `<boolean>` ('default =' `1`)::

Allow to propagate (inherit) permissions.

`--roles` `<string>` ::

`--tokens` `<string>` ::

`--users` `<string>` ::

An alias for 'pveum acl delete'.

An alias for 'pveum acl modify'.

*pveum group add* `<groupid>` `[OPTIONS]`

`<groupid>`: `<string>` ::

no description available

`--comment` `<string>` ::

no description available

*pveum group delete* `<groupid>`

`<groupid>`: `<string>` ::

no description available

*pveum group list* `[FORMAT_OPTIONS]`

*pveum group modify* `<groupid>` `[OPTIONS]`

`<groupid>`: `<string>` ::

no description available

`--comment` `<string>` ::

no description available

An alias for 'pveum group add'.

An alias for 'pveum group delete'.

An alias for 'pveum group modify'.

*pveum help* `[OPTIONS]`

Get help about specified command.

`--extra-args` `<array>` ::

Shows help for a specific command

`--verbose` `<boolean>` ::

Verbose output format.

*pveum passwd* `<userid>`

Change user password.

`<userid>`: `<string>` ::

Full User ID, in the `name@realm` format.

*pveum pool add* `<poolid>` `[OPTIONS]`

`<poolid>`: `<string>` ::

no description available

`--comment` `<string>` ::

no description available

*pveum pool delete* `<poolid>`

`<poolid>`: `<string>` ::

no description available

*pveum pool list* `[OPTIONS]` `[FORMAT_OPTIONS]`

List pools or get pool configuration.

`--poolid` `<string>` ::

no description available

`--type` `<lxc | qemu | storage>` ::

no description available

NOTE: Requires option(s): `poolid`

*pveum pool modify* `<poolid>` `[OPTIONS]`

`<poolid>`: `<string>` ::

no description available

`--allow-move` `<boolean>` ('default =' `0`)::

Allow adding a guest even if already in another pool. The guest will be removed from its current pool and added to this one.

`--comment` `<string>` ::

no description available

`--delete` `<boolean>` ('default =' `0`)::

Remove the passed VMIDs and/or storage IDs instead of adding them.

`--storage` `<string>` ::

List of storage IDs to add or remove from this pool.

`--vms` `<string>` ::

List of guest VMIDs to add or remove from this pool.

*pveum realm add* `<realm> --type <string>` `[OPTIONS]`

Add an authentication server.

`<realm>`: `<string>` ::

Authentication domain ID

`--acr-values` `<string>` ::

Specifies the Authentication Context Class Reference values that the Authorization Server is being requested to use for the Auth Request.

`--autocreate` `<boolean>` ('default =' `0`)::

Automatically create users if they do not exist.

`--base_dn` `<string>` ::

LDAP base domain name

`--bind_dn` `<string>` ::

LDAP bind domain name

`--capath` `<string>` ('default =' `/etc/ssl/certs`)::

Path to the CA certificate store

`--case-sensitive` `<boolean>` ('default =' `1`)::

username is case-sensitive

`--cert` `<string>` ::

Path to the client certificate

`--certkey` `<string>` ::

Path to the client certificate key

`--check-connection` `<boolean>` ('default =' `0`)::

Check bind connection to the server.

`--client-id` `<string>` ::

`--client-key` `<string>` ::

`--comment` `<string>` ::

`--default` `<boolean>` ::

Use this as default realm

`--filter` `<string>` ::

LDAP filter for user sync.

`--group_classes` `<string>` ('default =' `groupOfNames, group, univentionGroup, ipausergroup`)::

The objectclasses for groups.

`--group_dn` `<string>` ::

LDAP base domain name for group sync. If not set, the base_dn will be used.

`--group_filter` `<string>` ::

LDAP filter for group sync.

`--group_name_attr` `<string>` ::

LDAP attribute representing a group's name. If not set or found, the first value of the DN will be used as name.

`--issuer-url` `<string>` ::

`--mode` `<ldap | ldap+starttls | ldaps>` ('default =' `ldap`)::

`--password` `<string>` ::

LDAP bind password. Will be stored in '/etc/pve/priv/realm/<REALM>.pw'.

`--port` `<integer> (1 - 65535)` ::

`--prompt` `(?:none|login|consent|select_account|\S+)` ::

Specifies whether the Authorization Server prompts the End-User for reauthentication and consent.

`--scopes` `<string>` ('default =' `email profile`)::

Specifies the scopes (user details) that should be authorized and returned, for example 'email' or 'profile'.

`--secure` `<boolean>` ::

Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.

`--server1` `<string>` ::

Server IP address (or DNS name)

`--server2` `<string>` ::

Fallback Server IP address (or DNS name)

`--sslversion` `<tlsv1 | tlsv1_1 | tlsv1_2 | tlsv1_3>` ::

LDAPS TLS/SSL version. Using a version older than 1.2 is not recommended!

`--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,remove-vanished=([acl];[properties];[entry])|none] [,scope=<users|groups|both>]` ::

The default options for behavior of synchronizations.

`--sync_attributes` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::

Comma separated list of key=value pairs for specifying which LDAP attributes map to which PVE user field. For example, to map the LDAP attribute 'mail' to PVE's 'email', write 'email=mail'. By default, each PVE user field is represented by an LDAP attribute of the same name.

`--tfa` `type=<TFATYPE> [,digits=<COUNT>] [,id=<ID>] [,key=<KEY>] [,step=<SECONDS>] [,url=<URL>]` ::

Use Two-factor authentication.

`--type` `<ad | ldap | openid | pam | pve>` ::

`--user_attr` `\S{2,}` ::

LDAP user attribute name

`--user_classes` `<string>` ('default =' `inetorgperson, posixaccount, person, user`)::

The objectclasses for users.

`--username-claim` `<string>` ::

OpenID claim used to generate the unique username.

`--verify` `<boolean>` ('default =' `0`)::

Verify the server's SSL certificate

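The defaults listed above leave an `ad` or `ldap` realm on plain `ldap` with certificate verification off unless `--mode` and `--verify` are set. The following shell function is an added example, not part of pveum or the Proxmox code: `audit_realm_args` is a hypothetical helper that reads the options of a `pveum realm add` call and prints one finding per weak transport setting. It assumes booleans are passed as `1`/`0` and that the deprecated `--secure 1` selects `ldaps` when `--mode` is absent.

```sh
#!/bin/sh
# Added example, not part of pveum. audit_realm_args is a hypothetical helper:
# it reads the options of a `pveum realm add` call and prints one finding per
# weak LDAP transport setting, applying the defaults from the list above.
audit_realm_args() (
    # Assumption: boolean options are passed as 1 or 0.
    type="" mode="" verify=0 sslversion="" secure=""
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --type)       type=${2-} ;;
            --mode)       mode=${2-} ;;
            --verify)     verify=${2-} ;;
            --sslversion) sslversion=${2-} ;;
            --secure)     secure=${2-} ;;
        esac
        shift
    done

    # Only the LDAP-backed realm types use these transport options.
    case "$type" in
        ad|ldap) ;;
        *) exit 0 ;;
    esac

    if [ -n "$secure" ]; then
        echo "deprecated: --secure is set; use --mode instead"
    fi
    # Assumption: without --mode, the deprecated '--secure 1' selects ldaps;
    # otherwise the documented default 'ldap' applies.
    if [ -z "$mode" ]; then
        if [ "$secure" = 1 ]; then mode=ldaps; else mode=ldap; fi
    fi

    if [ "$mode" = ldap ]; then
        echo "cleartext: mode=ldap has no TLS; use ldaps or ldap+starttls"
    else
        if [ "$verify" != 1 ]; then
            echo "unverified: --verify is 0; the server certificate is not checked"
        fi
        case "$sslversion" in
            tlsv1|tlsv1_1) echo "oldtls: --sslversion $sslversion is older than 1.2" ;;
        esac
    fi
    exit 0
)

# Constructed sample calls (realm names, hosts and DNs are made up).
audit_realm_args corp --type ldap --server1 ldap.example.test \
    --base_dn dc=example,dc=test --user_attr uid
audit_realm_args corp --type ad --server1 dc1.example.test \
    --mode ldaps --verify 1 --sslversion tlsv1_2
```

The first sample call prints the `cleartext` finding; the second prints nothing.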
*pveum realm delete* `<realm>`

Delete an authentication server.

`<realm>`: `<string>` ::

Authentication domain ID

*pveum realm list* `[FORMAT_OPTIONS]`

Authentication domain index.

*pveum realm modify* `<realm>` `[OPTIONS]`

Update authentication server settings.

`<realm>`: `<string>` ::

Authentication domain ID

`--acr-values` `<string>` ::

Specifies the Authentication Context Class Reference values that the Authorization Server is being requested to use for the Auth Request.

`--autocreate` `<boolean>` ('default =' `0`)::

Automatically create users if they do not exist.

`--base_dn` `<string>` ::

LDAP base domain name

`--bind_dn` `<string>` ::

LDAP bind domain name

`--capath` `<string>` ('default =' `/etc/ssl/certs`)::

Path to the CA certificate store

`--case-sensitive` `<boolean>` ('default =' `1`)::

username is case-sensitive

`--cert` `<string>` ::

Path to the client certificate

`--certkey` `<string>` ::

Path to the client certificate key

`--check-connection` `<boolean>` ('default =' `0`)::

Check bind connection to the server.

`--client-id` `<string>` ::

`--client-key` `<string>` ::

`--comment` `<string>` ::

`--default` `<boolean>` ::

Use this as default realm

`--delete` `<string>` ::

A list of settings you want to delete.

`--digest` `<string>` ::

Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.

`--filter` `<string>` ::

LDAP filter for user sync.

`--group_classes` `<string>` ('default =' `groupOfNames, group, univentionGroup, ipausergroup`)::

The objectclasses for groups.

`--group_dn` `<string>` ::

LDAP base domain name for group sync. If not set, the base_dn will be used.

`--group_filter` `<string>` ::

LDAP filter for group sync.

`--group_name_attr` `<string>` ::

LDAP attribute representing a group's name. If not set or found, the first value of the DN will be used as name.

`--issuer-url` `<string>` ::

`--mode` `<ldap | ldap+starttls | ldaps>` ('default =' `ldap`)::

`--password` `<string>` ::

LDAP bind password. Will be stored in '/etc/pve/priv/realm/<REALM>.pw'.

`--port` `<integer> (1 - 65535)` ::

`--prompt` `(?:none|login|consent|select_account|\S+)` ::

Specifies whether the Authorization Server prompts the End-User for reauthentication and consent.

`--scopes` `<string>` ('default =' `email profile`)::

Specifies the scopes (user details) that should be authorized and returned, for example 'email' or 'profile'.

`--secure` `<boolean>` ::

Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.

`--server1` `<string>` ::

Server IP address (or DNS name)

`--server2` `<string>` ::

Fallback Server IP address (or DNS name)

`--sslversion` `<tlsv1 | tlsv1_1 | tlsv1_2 | tlsv1_3>` ::

LDAPS TLS/SSL version. Using a version older than 1.2 is not recommended!

`--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,remove-vanished=([acl];[properties];[entry])|none] [,scope=<users|groups|both>]` ::

The default options for behavior of synchronizations.

`--sync_attributes` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::

Comma separated list of key=value pairs for specifying which LDAP attributes map to which PVE user field. For example, to map the LDAP attribute 'mail' to PVE's 'email', write 'email=mail'. By default, each PVE user field is represented by an LDAP attribute of the same name.

`--tfa` `type=<TFATYPE> [,digits=<COUNT>] [,id=<ID>] [,key=<KEY>] [,step=<SECONDS>] [,url=<URL>]` ::

Use Two-factor authentication.

`--user_attr` `\S{2,}` ::

LDAP user attribute name

`--user_classes` `<string>` ('default =' `inetorgperson, posixaccount, person, user`)::

The objectclasses for users.

`--verify` `<boolean>` ('default =' `0`)::

Verify the server's SSL certificate

*pveum realm sync* `<realm>` `[OPTIONS]`

Syncs users and/or groups from the configured LDAP to user.cfg. NOTE:
Synced groups will have the name 'name-$realm', so make sure those groups
do not exist to prevent overwriting.

`<realm>`: `<string>` ::

Authentication domain ID

`--dry-run` `<boolean>` ('default =' `0`)::

If set, does not write anything.

`--enable-new` `<boolean>` ('default =' `1`)::

Enable newly synced users immediately.

`--full` `<boolean>` ::

DEPRECATED: use 'remove-vanished' instead. If set, uses the LDAP Directory as source of truth, deleting users or groups not returned from the sync and removing all locally modified properties of synced users. If not set, only syncs information which is present in the synced data, and does not delete or modify anything else.

`--purge` `<boolean>` ::

DEPRECATED: use 'remove-vanished' instead. Remove ACLs for users or groups which were removed from the config during a sync.

`--remove-vanished` `([acl];[properties];[entry])|none` ('default =' `none`)::

A semicolon-separated list of things to remove when they or the user vanishes during a sync. The following values are possible: 'entry' removes the user/group when not returned from the sync. 'properties' removes the set properties on existing user/group that do not appear in the source (even custom ones). 'acl' removes ACLs when the user/group is not returned from the sync. Instead of a list it can also be 'none' (the default).

`--scope` `<both | groups | users>` ::

*pveum role add* `<roleid>` `[OPTIONS]`

`<roleid>`: `<string>` ::

no description available

`--privs` `<string>` ::

no description available

*pveum role delete* `<roleid>`

`<roleid>`: `<string>` ::

no description available

*pveum role list* `[FORMAT_OPTIONS]`

*pveum role modify* `<roleid>` `[OPTIONS]`

Update an existing role.

`<roleid>`: `<string>` ::

no description available

`--append` `<boolean>` ::

no description available

NOTE: Requires option(s): `privs`

`--privs` `<string>` ::

no description available

An alias for 'pveum role add'.

An alias for 'pveum role delete'.

An alias for 'pveum role modify'.

*pveum ticket* `<username>` `[OPTIONS]`

Create or verify authentication ticket.

`<username>`: `<string>` ::

`--new-format` `<boolean>` ('default =' `1`)::

This parameter is now ignored and assumed to be 1.

`--otp` `<string>` ::

One-time password for Two-factor authentication.

`--path` `<string>` ::

Verify ticket, and check whether the user has access 'privs' on 'path'

NOTE: Requires option(s): `privs`

`--privs` `<string>` ::

Verify ticket, and check whether the user has access 'privs' on 'path'

NOTE: Requires option(s): `path`

`--realm` `<string>` ::

You can optionally pass the realm using this parameter. Normally the realm is simply added to the username: <username>@<realm>.

`--tfa-challenge` `<string>` ::

The signed TFA challenge string the user wants to respond to.

*pveum user add* `<userid>` `[OPTIONS]`

`<userid>`: `<string>` ::

Full User ID, in the `name@realm` format.

`--comment` `<string>` ::

no description available

`--email` `<string>` ::

no description available

`--enable` `<boolean>` ('default =' `1`)::

Enable the account (default). You can set this to '0' to disable the account.

`--expire` `<integer> (0 - N)` ::

Account expiration date (seconds since epoch). '0' means no expiration date.

`--firstname` `<string>` ::

no description available

`--groups` `<string>` ::

no description available

`--keys` `<string>` ::

Keys for two factor auth (yubico).

`--lastname` `<string>` ::

no description available

`--password` `<string>` ::

*pveum user delete* `<userid>`

`<userid>`: `<string>` ::

Full User ID, in the `name@realm` format.

*pveum user list* `[OPTIONS]` `[FORMAT_OPTIONS]`

`--enabled` `<boolean>` ::

Optional filter for enable property.

`--full` `<boolean>` ('default =' `0`)::

Include group and token information.

*pveum user modify* `<userid>` `[OPTIONS]`

Update user configuration.

`<userid>`: `<string>` ::

Full User ID, in the `name@realm` format.

`--append` `<boolean>` ::

no description available

NOTE: Requires option(s): `groups`

`--comment` `<string>` ::

no description available

`--email` `<string>` ::

no description available

`--enable` `<boolean>` ('default =' `1`)::

Enable the account (default). You can set this to '0' to disable the account.

`--expire` `<integer> (0 - N)` ::

Account expiration date (seconds since epoch). '0' means no expiration date.

`--firstname` `<string>` ::

no description available

`--groups` `<string>` ::

no description available

`--keys` `<string>` ::

Keys for two factor auth (yubico).

`--lastname` `<string>` ::

no description available

*pveum user permissions* `[<userid>]` `[OPTIONS]` `[FORMAT_OPTIONS]`

Retrieve effective permissions of given user/token.

`<userid>`: `(?^:^(?^:[^\s:/]+)\@(?^:[A-Za-z][A-Za-z0-9\.\-_]+)(?:!(?^:[A-Za-z][A-Za-z0-9\.\-_]+))?$)` ::

User ID or full API token ID

`--path` `<string>` ::

Only dump this specific path, not the whole tree.

*pveum user tfa delete* `<userid>` `[OPTIONS]`

Delete TFA entries from a user.

`<userid>`: `<string>` ::

Full User ID, in the `name@realm` format.

The TFA ID, if none provided, all TFA entries will be deleted.

*pveum user tfa list* `[<userid>]`

`<userid>`: `<string>` ::

Full User ID, in the `name@realm` format.

*pveum user tfa unlock* `<userid>`

Unlock a user's TFA authentication.

`<userid>`: `<string>` ::

Full User ID, in the `name@realm` format.

*pveum user token add* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`

Generate a new API token for a specific user. NOTE: returns API token
value, which needs to be stored as it cannot be retrieved afterwards!

`<userid>`: `<string>` ::

Full User ID, in the `name@realm` format.

`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::

User-specific token identifier.

`--comment` `<string>` ::

no description available

`--expire` `<integer> (0 - N)` ('default =' `same as user`)::

API token expiration date (seconds since epoch). '0' means no expiration date.

`--privsep` `<boolean>` ('default =' `1`)::

Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.

*pveum user token list* `<userid>` `[FORMAT_OPTIONS]`

`<userid>`: `<string>` ::

Full User ID, in the `name@realm` format.

*pveum user token modify* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`

Update API token for a specific user.

`<userid>`: `<string>` ::

Full User ID, in the `name@realm` format.

`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::

User-specific token identifier.

`--comment` `<string>` ::

no description available

`--expire` `<integer> (0 - N)` ('default =' `same as user`)::

API token expiration date (seconds since epoch). '0' means no expiration date.

`--privsep` `<boolean>` ('default =' `1`)::

Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.

*pveum user token permissions* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`

Retrieve effective permissions of given token.

`<userid>`: `<string>` ::

Full User ID, in the `name@realm` format.

`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::

User-specific token identifier.

`--path` `<string>` ::

Only dump this specific path, not the whole tree.

*pveum user token remove* `<userid> <tokenid>` `[FORMAT_OPTIONS]`

Remove API token for a specific user.

`<userid>`: `<string>` ::

Full User ID, in the `name@realm` format.

`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::

User-specific token identifier.

An alias for 'pveum user add'.

An alias for 'pveum user delete'.

An alias for 'pveum user modify'.