`<userid>`: `<string>` ::
-User ID
+Full User ID, in the `name@realm` format.
*pveum pool add* `<poolid>` `[OPTIONS]`
Automatically create users if they do not exist.
-`--base_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
+`--base_dn` `(?^:\w+=(?^:("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#]))(,\s*\w+=(?^:("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#])))*)` ::
LDAP base domain name
-`--bind_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
+`--bind_dn` `(?^:\w+=(?^:("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#]))(,\s*\w+=(?^:("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#])))*)` ::
LDAP bind domain name
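Review bot: The new type column for `--base_dn` and `--bind_dn` prints the stringified Perl regex, `(?^:` wrapper and all, straight into the user-facing synopsis, where it is not readable as a format description. Suggest replacing it with a short statement of the rule the pattern encodes: each attribute value is either double-quoted or contains none of `,+"/<>;=`, and does not start with `#` or a space or end with a space. That also makes the behaviour change visible: a DN the old `[^,]+` pattern accepted, for example one with an unquoted `/` or `+` in a value, no longer matches and has to be quoted. The context lines also expand DN as "domain name"; it is a distinguished name.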
The objectclasses for groups.
-`--group_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
+`--group_dn` `(?^:\w+=(?^:("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#]))(,\s*\w+=(?^:("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#])))*)` ::
LDAP base domain name for group sync. If not set, the base_dn will be used.
LDAPS TLS/SSL version. It's not recommended to use version older than 1.2!
-`--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,scope=<users|groups|both>]` ::
+`--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,remove-vanished=([acl];[properties];[entry])|none] [,scope=<users|groups|both>]` ::
The default options for behavior of synchronizations.
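Review bot: The updated `--sync-defaults-options` format string adds `remove-vanished` but still lists `full=<1|0>` and `purge=<1|0>` with no hint that they are deprecated, and the description line "The default options for behavior of synchronizations." is unchanged. Since the same patch marks `--full` and `--purge` as "DEPRECATED: use 'remove-vanished' instead", say so here too, otherwise someone configuring realm defaults from this entry alone will keep setting the old keys.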
Automatically create users if they do not exist.
-`--base_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
+`--base_dn` `(?^:\w+=(?^:("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#]))(,\s*\w+=(?^:("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#])))*)` ::
LDAP base domain name
-`--bind_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
+`--bind_dn` `(?^:\w+=(?^:("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#]))(,\s*\w+=(?^:("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#])))*)` ::
LDAP bind domain name
The objectclasses for groups.
-`--group_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
+`--group_dn` `(?^:\w+=(?^:("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#]))(,\s*\w+=(?^:("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#])))*)` ::
LDAP base domain name for group sync. If not set, the base_dn will be used.
LDAPS TLS/SSL version. It's not recommended to use version older than 1.2!
-`--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,scope=<users|groups|both>]` ::
+`--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,remove-vanished=([acl];[properties];[entry])|none] [,scope=<users|groups|both>]` ::
The default options for behavior of synchronizations.
`--full` `<boolean>` ::
-If set, uses the LDAP Directory as source of truth, deleting users or groups not returned from the sync. Otherwise only syncs information which is not already present, and does not deletes or modifies anything else.
+DEPRECATED: use 'remove-vanished' instead. If set, uses the LDAP Directory as source of truth, deleting users or groups not returned from the sync and removing all locally modified properties of synced users. If not set, only syncs information which is present in the synced data, and does not delete or modify anything else.
`--purge` `<boolean>` ::
-Remove ACLs for users or groups which were removed from the config during a sync.
+DEPRECATED: use 'remove-vanished' instead. Remove ACLs for users or groups which were removed from the config during a sync.
+
+`--remove-vanished` `([acl];[properties];[entry])|none` ('default =' `none`)::
+
+A semicolon-seperated list of things to remove when they or the user vanishes during a sync. The following values are possible: 'entry' removes the user/group when not returned from the sync. 'properties' removes the set properties on existing user/group that do not appear in the source (even custom ones). 'acl' removes acls when the user/group is not returned from the sync. Instead of a list it also can be 'none' (the default).
`--scope` `<both | groups | users>` ::
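Review bot: The new `--remove-vanished` description does not say what happens when it is given together with the deprecated `--full` or `--purge`, which matters because all three delete users, groups or ACLs; state which one wins or that the combination is rejected. The value uses `;` as its separator, so the text should mention that the list has to be quoted on a shell command line. Spelling in the added paragraph: "semicolon-seperated" should be "semicolon-separated" and "acls" should be "ACLs" to match the `--purge` text.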
User name
-`--new-format` `<boolean>` ('default =' `0`)::
+`--new-format` `<boolean>` ('default =' `1`)::
-With webauthn the format of half-authenticated tickts changed. New clients should pass 1 here and not worry about the old format. The old format is deprecated and will be retired with PVE-8.0
+This parameter is now ignored and assumed to be 1.
`--otp` `<string>` ::
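Review bot: The replacement text for `--new-format` says the parameter is "now ignored" without marking it deprecated or naming the release, unlike the "DEPRECATED:" wording used for `--full` and `--purge` in this patch, and the removed sentence was the only place that told readers the old half-authenticated ticket format was going away. If the old format is no longer issued, keep one sentence saying so, so that a client still passing 0 knows it will receive the new format.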
`<userid>`: `<string>` ::
-User ID
+Full User ID, in the `name@realm` format.
`--comment` `<string>` ::
`<userid>`: `<string>` ::
-User ID
+Full User ID, in the `name@realm` format.
*pveum user list* `[OPTIONS]` `[FORMAT_OPTIONS]`
`<userid>`: `<string>` ::
-User ID
+Full User ID, in the `name@realm` format.
`--append` `<boolean>` ::
`<userid>`: `<string>` ::
-User ID
+Full User ID, in the `name@realm` format.
`--id` `<string>` ::
The TFA ID, if none provided, all TFA entries will be deleted.
+*pveum user tfa list* `[<userid>]`
+
+List TFA entries.
+
+`<userid>`: `<string>` ::
+
+Full User ID, in the `name@realm` format.
+
+*pveum user tfa unlock* `<userid>`
+
+Unlock a user's TFA authentication.
+
+`<userid>`: `<string>` ::
+
+Full User ID, in the `name@realm` format.
+
*pveum user token add* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
Generate a new API token for a specific user. NOTE: returns API token
`<userid>`: `<string>` ::
-User ID
+Full User ID, in the `name@realm` format.
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
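Review bot: In the added `pveum user tfa list` entry the `<userid>` argument is optional (`[<userid>]`), but "List TFA entries." does not say whose entries are returned when it is omitted; state that explicitly, since the answer decides whether the command shows other users' second factors. In `pveum user tfa unlock`, "Unlock a user's TFA authentication." is redundant ("TFA authentication") and does not say what puts a user into the locked state or what the unlock resets, which an administrator needs to know before running it.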
`<userid>`: `<string>` ::
-User ID
+Full User ID, in the `name@realm` format.
*pveum user token modify* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
`<userid>`: `<string>` ::
-User ID
+Full User ID, in the `name@realm` format.
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
`<userid>`: `<string>` ::
-User ID
+Full User ID, in the `name@realm` format.
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
`<userid>`: `<string>` ::
-User ID
+Full User ID, in the `name@realm` format.
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::