+Full User ID, in the `name@realm` format.
+
+`--confirmation-password` `<string>` ::
+
+The current password of the user performing the change.
+
+*pveum pool add* `<poolid>` `[OPTIONS]`
+
+Create new pool.
+
+`<poolid>`: `<string>` ::
+
+no description available
+
+`--comment` `<string>` ::
+
+no description available
+
+*pveum pool delete* `<poolid>`
+
+Delete pool.
+
+`<poolid>`: `<string>` ::
+
+no description available
+
+*pveum pool list* `[OPTIONS]` `[FORMAT_OPTIONS]`
+
+List pools or get pool configuration.
+
+`--poolid` `<string>` ::
+
+no description available
+
+`--type` `<lxc | qemu | storage>` ::
+
+no description available
++
+NOTE: Requires option(s): `poolid`
+
+*pveum pool modify* `<poolid>` `[OPTIONS]`
+
+Update pool.
+
+`<poolid>`: `<string>` ::
+
+no description available
+
+`--allow-move` `<boolean>` ('default =' `0`)::
+
+Allow adding a guest even if already in another pool. The guest will be removed from its current pool and added to this one.
+
+`--comment` `<string>` ::
+
+no description available
+
+`--delete` `<boolean>` ('default =' `0`)::
+
+Remove the passed VMIDs and/or storage IDs instead of adding them.
+
+`--storage` `<string>` ::
+
+List of storage IDs to add or remove from this pool.
+
+`--vms` `<string>` ::
+
+List of guest VMIDs to add or remove from this pool.
+
+*pveum realm add* `<realm> --type <string>` `[OPTIONS]`
+
+Add an authentication server.
+
+`<realm>`: `<string>` ::
+
+Authentication domain ID
+
+`--acr-values` `^[^\x00-\x1F\x7F <>#"]*$` ::
+
+Specifies the Authentication Context Class Reference values that theAuthorization Server is being requested to use for the Auth Request.
+
+`--autocreate` `<boolean>` ('default =' `0`)::
+
+Automatically create users if they do not exist.
+
+`--base_dn` `<string>` ::
+
+LDAP base domain name
+
+`--bind_dn` `<string>` ::
+
+LDAP bind domain name
+
+`--capath` `<string>` ('default =' `/etc/ssl/certs`)::
+
+Path to the CA certificate store
+
+`--case-sensitive` `<boolean>` ('default =' `1`)::
+
+username is case-sensitive
+
+`--cert` `<string>` ::
+
+Path to the client certificate
+
+`--certkey` `<string>` ::
+
+Path to the client certificate key
+
+`--check-connection` `<boolean>` ('default =' `0`)::
+
+Check bind connection to the server.
+
+`--client-id` `<string>` ::
+
+OpenID Client ID
+
+`--client-key` `<string>` ::
+
+OpenID Client Key
+
+`--comment` `<string>` ::
+
+Description.
+
+`--default` `<boolean>` ::
+
+Use this as default realm
+
+`--domain` `\S+` ::
+
+AD domain name
+
+`--filter` `<string>` ::
+
+LDAP filter for user sync.
+
+`--group_classes` `<string>` ('default =' `groupOfNames, group, univentionGroup, ipausergroup`)::
+
+The objectclasses for groups.
+
+`--group_dn` `<string>` ::
+
+LDAP base domain name for group sync. If not set, the base_dn will be used.
+
+`--group_filter` `<string>` ::
+
+LDAP filter for group sync.
+
+`--group_name_attr` `<string>` ::
+
+LDAP attribute representing a groups name. If not set or found, the first value of the DN will be used as name.
+
+`--issuer-url` `<string>` ::
+
+OpenID Issuer Url
+
+`--mode` `<ldap | ldap+starttls | ldaps>` ('default =' `ldap`)::
+
+LDAP protocol mode.
+
+`--password` `<string>` ::
+
+LDAP bind password. Will be stored in '/etc/pve/priv/realm/<REALM>.pw'.
+
+`--port` `<integer> (1 - 65535)` ::
+
+Server port.
+
+`--prompt` `(?:none|login|consent|select_account|\S+)` ::
+
+Specifies whether the Authorization Server prompts the End-User for reauthentication and consent.
+
+`--scopes` `<string>` ('default =' `email profile`)::
+
+Specifies the scopes (user details) that should be authorized and returned, for example 'email' or 'profile'.
+
+`--secure` `<boolean>` ::
+
+Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.
+
+`--server1` `<string>` ::
+
+Server IP address (or DNS name)
+
+`--server2` `<string>` ::
+
+Fallback Server IP address (or DNS name)
+
+`--sslversion` `<tlsv1 | tlsv1_1 | tlsv1_2 | tlsv1_3>` ::
+
+LDAPS TLS/SSL version. It's not recommended to use version older than 1.2!
+
+`--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,remove-vanished=([acl];[properties];[entry])|none] [,scope=<users|groups|both>]` ::
+
+The default options for behavior of synchronizations.
+
+`--sync_attributes` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
+
+Comma separated list of key=value pairs for specifying which LDAP attributes map to which PVE user field. For example, to map the LDAP attribute 'mail' to PVEs 'email', write 'email=mail'. By default, each PVE user field is represented by an LDAP attribute of the same name.
+
+`--tfa` `type=<TFATYPE> [,digits=<COUNT>] [,id=<ID>] [,key=<KEY>] [,step=<SECONDS>] [,url=<URL>]` ::
+
+Use Two-factor authentication.
+
+`--type` `<ad | ldap | openid | pam | pve>` ::
+
+Realm type.
+
+`--user_attr` `\S{2,}` ::
+
+LDAP user attribute name
+
+`--user_classes` `<string>` ('default =' `inetorgperson, posixaccount, person, user`)::
+
+The objectclasses for users.
+
+`--username-claim` `<string>` ::
+
+OpenID claim used to generate the unique username.
+
+`--verify` `<boolean>` ('default =' `0`)::
+
+Verify the server's SSL certificate
+
+*pveum realm delete* `<realm>`
+
+Delete an authentication server.
+
+`<realm>`: `<string>` ::
+
+Authentication domain ID
+
+*pveum realm list* `[FORMAT_OPTIONS]`
+
+Authentication domain index.
+
+*pveum realm modify* `<realm>` `[OPTIONS]`
+
+Update authentication server settings.
+
+`<realm>`: `<string>` ::
+
+Authentication domain ID
+
+`--acr-values` `^[^\x00-\x1F\x7F <>#"]*$` ::
+
+Specifies the Authentication Context Class Reference values that theAuthorization Server is being requested to use for the Auth Request.
+
+`--autocreate` `<boolean>` ('default =' `0`)::
+
+Automatically create users if they do not exist.
+
+`--base_dn` `<string>` ::
+
+LDAP base domain name
+
+`--bind_dn` `<string>` ::
+
+LDAP bind domain name
+
+`--capath` `<string>` ('default =' `/etc/ssl/certs`)::
+
+Path to the CA certificate store
+
+`--case-sensitive` `<boolean>` ('default =' `1`)::
+
+username is case-sensitive
+
+`--cert` `<string>` ::
+
+Path to the client certificate
+
+`--certkey` `<string>` ::
+
+Path to the client certificate key
+
+`--check-connection` `<boolean>` ('default =' `0`)::
+
+Check bind connection to the server.
+
+`--client-id` `<string>` ::
+
+OpenID Client ID
+
+`--client-key` `<string>` ::
+
+OpenID Client Key
+
+`--comment` `<string>` ::
+
+Description.
+
+`--default` `<boolean>` ::
+
+Use this as default realm
+
+`--delete` `<string>` ::
+
+A list of settings you want to delete.
+
+`--digest` `<string>` ::
+
+Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
+
+`--domain` `\S+` ::
+
+AD domain name
+
+`--filter` `<string>` ::
+
+LDAP filter for user sync.
+
+`--group_classes` `<string>` ('default =' `groupOfNames, group, univentionGroup, ipausergroup`)::
+
+The objectclasses for groups.
+
+`--group_dn` `<string>` ::
+
+LDAP base domain name for group sync. If not set, the base_dn will be used.
+
+`--group_filter` `<string>` ::
+
+LDAP filter for group sync.
+
+`--group_name_attr` `<string>` ::
+
+LDAP attribute representing a groups name. If not set or found, the first value of the DN will be used as name.
+
+`--issuer-url` `<string>` ::
+
+OpenID Issuer Url
+
+`--mode` `<ldap | ldap+starttls | ldaps>` ('default =' `ldap`)::
+
+LDAP protocol mode.
+
+`--password` `<string>` ::
+
+LDAP bind password. Will be stored in '/etc/pve/priv/realm/<REALM>.pw'.
+
+`--port` `<integer> (1 - 65535)` ::
+
+Server port.
+
+`--prompt` `(?:none|login|consent|select_account|\S+)` ::
+
+Specifies whether the Authorization Server prompts the End-User for reauthentication and consent.
+
+`--scopes` `<string>` ('default =' `email profile`)::
+
+Specifies the scopes (user details) that should be authorized and returned, for example 'email' or 'profile'.
+
+`--secure` `<boolean>` ::
+
+Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.
+
+`--server1` `<string>` ::
+
+Server IP address (or DNS name)
+
+`--server2` `<string>` ::
+
+Fallback Server IP address (or DNS name)
+
+`--sslversion` `<tlsv1 | tlsv1_1 | tlsv1_2 | tlsv1_3>` ::
+
+LDAPS TLS/SSL version. It's not recommended to use version older than 1.2!
+
+`--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,remove-vanished=([acl];[properties];[entry])|none] [,scope=<users|groups|both>]` ::
+
+The default options for behavior of synchronizations.
+
+`--sync_attributes` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
+
+Comma separated list of key=value pairs for specifying which LDAP attributes map to which PVE user field. For example, to map the LDAP attribute 'mail' to PVEs 'email', write 'email=mail'. By default, each PVE user field is represented by an LDAP attribute of the same name.
+
+`--tfa` `type=<TFATYPE> [,digits=<COUNT>] [,id=<ID>] [,key=<KEY>] [,step=<SECONDS>] [,url=<URL>]` ::
+
+Use Two-factor authentication.
+
+`--user_attr` `\S{2,}` ::
+
+LDAP user attribute name
+
+`--user_classes` `<string>` ('default =' `inetorgperson, posixaccount, person, user`)::
+
+The objectclasses for users.
+
+`--verify` `<boolean>` ('default =' `0`)::
+
+Verify the server's SSL certificate
+
+*pveum realm sync* `<realm>` `[OPTIONS]`
+
+Syncs users and/or groups from the configured LDAP to user.cfg. NOTE:
+Synced groups will have the name 'name-$realm', so make sure those groups
+do not exist to prevent overwriting.
+
+`<realm>`: `<string>` ::
+
+Authentication domain ID
+
+`--dry-run` `<boolean>` ('default =' `0`)::
+
+If set, does not write anything.
+
+`--enable-new` `<boolean>` ('default =' `1`)::
+
+Enable newly synced users immediately.
+
+`--full` `<boolean>` ::
+
+DEPRECATED: use 'remove-vanished' instead. If set, uses the LDAP Directory as source of truth, deleting users or groups not returned from the sync and removing all locally modified properties of synced users. If not set, only syncs information which is present in the synced data, and does not delete or modify anything else.
+
+`--purge` `<boolean>` ::
+
+DEPRECATED: use 'remove-vanished' instead. Remove ACLs for users or groups which were removed from the config during a sync.
+
+`--remove-vanished` `([acl];[properties];[entry])|none` ('default =' `none`)::
+
+A semicolon-seperated list of things to remove when they or the user vanishes during a sync. The following values are possible: 'entry' removes the user/group when not returned from the sync. 'properties' removes the set properties on existing user/group that do not appear in the source (even custom ones). 'acl' removes acls when the user/group is not returned from the sync. Instead of a list it also can be 'none' (the default).
+
+`--scope` `<both | groups | users>` ::
+
+Select what to sync.