realm: sync: allow explicit 'none' for 'remove-vanished' option

[pve-access-control.git] / src / PVE / Auth / Plugin.pm

diff --git a/src/PVE/Auth/Plugin.pm b/src/PVE/Auth/Plugin.pm
index 7e431f3d7095038563f0e4907aed5b93e00ebd1e..bae9fb9e69bcde0cfdbe2d31657414a05f0e0add 100755 (executable)
--- a/src/PVE/Auth/Plugin.pm
+++ b/src/PVE/Auth/Plugin.pm
@@ -63,10 +63,12 @@ my $realm_sync_options_desc = {
            ." vanishes during a sync. The following values are possible: 'entry' removes the"
            ." user/group when not returned from the sync. 'properties' removes the set"
            ." properties on existing user/group that do not appear in the source (even custom ones)."
-           ." 'acl' removes acls when the user/group is not returned from the sync.",
+           ." 'acl' removes acls when the user/group is not returned from the sync."
+           ." Instead of a list it also can be 'none' (the default).",
        type => 'string',
-       typetext => "[acl];[properties];[entry]",
-       pattern => "(?:$remove_options\;)*$remove_options",
+       default => 'none',
+       typetext => "([acl];[properties];[entry])|none",
+       pattern => "(?:(?:$remove_options\;)*$remove_options)|none",
        optional => '1',
     },
     # TODO check/rewrite in pve7to8, and remove with 8.0
@@ -285,7 +287,7 @@ sub delete_user {
 
 # called during addition of realm (before the new domain config got written)
 # `password` is moved to %param to avoid writing it out to the config
-# die to abort additon if there are (grave) problems
+# die to abort addition if there are (grave) problems
 # NOTE: runs in a domain config *locked* context
 sub on_add_hook {
     my ($class, $realm, $config, %param) = @_;