Automatically create users if they do not exist.
-`--base_dn` `(?^:\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+)(,\s*\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+))*)` ::
+`--base_dn` `(?^:\w+=(?^:("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#]))(,\s*\w+=(?^:("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#])))*)` ::
LDAP base domain name
-`--bind_dn` `(?^:\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+)(,\s*\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+))*)` ::
+`--bind_dn` `(?^:\w+=(?^:("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#]))(,\s*\w+=(?^:("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#])))*)` ::
LDAP bind domain name
The objectclasses for groups.
-`--group_dn` `(?^:\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+)(,\s*\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+))*)` ::
+`--group_dn` `(?^:\w+=(?^:("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#]))(,\s*\w+=(?^:("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#])))*)` ::
LDAP base domain name for group sync. If not set, the base_dn will be used.
Automatically create users if they do not exist.
-`--base_dn` `(?^:\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+)(,\s*\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+))*)` ::
+`--base_dn` `(?^:\w+=(?^:("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#]))(,\s*\w+=(?^:("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#])))*)` ::
LDAP base domain name
-`--bind_dn` `(?^:\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+)(,\s*\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+))*)` ::
+`--bind_dn` `(?^:\w+=(?^:("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#]))(,\s*\w+=(?^:("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#])))*)` ::
LDAP bind domain name
The objectclasses for groups.
-`--group_dn` `(?^:\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+)(,\s*\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+))*)` ::
+`--group_dn` `(?^:\w+=(?^:("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#]))(,\s*\w+=(?^:("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#])))*)` ::
LDAP base domain name for group sync. If not set, the base_dn will be used.
User name
-`--new-format` `<boolean>` ('default =' `0`)::
+`--new-format` `<boolean>` ('default =' `1`)::
-With webauthn the format of half-authenticated tickts changed. New clients should pass 1 here and not worry about the old format. The old format is deprecated and will be retired with PVE-8.0
+This parameter is now ignored and assumed to be 1.
`--otp` `<string>` ::
The TFA ID, if none provided, all TFA entries will be deleted.
+*pveum user tfa list* `[<userid>]`
+
+List TFA entries.
+
+`<userid>`: `<string>` ::
+
+Full User ID, in the `name@realm` format.
+
+*pveum user tfa unlock* `<userid>`
+
+Unlock a user's TFA authentication.
+
+`<userid>`: `<string>` ::
+
+Full User ID, in the `name@realm` format.
+
*pveum user token add* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
Generate a new API token for a specific user. NOTE: returns API token