*pveum* `<COMMAND> [ARGS] [OPTIONS]`
*pveum acl delete* `<path> --roles <string>` `[OPTIONS]`
Update Access Control List (add or remove permissions).
`<path>`: `<string>` ::
`--groups` `<string>` ::
`--propagate` `<boolean>` ('default =' `1`)::
Allow to propagate (inherit) permissions.
`--roles` `<string>` ::
`--tokens` `<string>` ::
`--users` `<string>` ::
*pveum acl list* `[FORMAT_OPTIONS]`
Get Access Control List (ACLs).
*pveum acl modify* `<path> --roles <string>` `[OPTIONS]`
Update Access Control List (add or remove permissions).
`<path>`: `<string>` ::
`--groups` `<string>` ::
`--propagate` `<boolean>` ('default =' `1`)::
Allow to propagate (inherit) permissions.
`--roles` `<string>` ::
`--tokens` `<string>` ::
`--users` `<string>` ::
An alias for 'pveum acl delete'.
An alias for 'pveum acl modify'.
*pveum group add* `<groupid>` `[OPTIONS]`
`<groupid>`: `<string>` ::
no description available
`--comment` `<string>` ::
no description available
*pveum group delete* `<groupid>`
`<groupid>`: `<string>` ::
no description available
*pveum group list* `[FORMAT_OPTIONS]`
*pveum group modify* `<groupid>` `[OPTIONS]`
`<groupid>`: `<string>` ::
no description available
`--comment` `<string>` ::
no description available
An alias for 'pveum group add'.
An alias for 'pveum group delete'.
An alias for 'pveum group modify'.
*pveum help* `[OPTIONS]`
Get help about specified command.
`--extra-args` `<array>` ::
Shows help for a specific command
`--verbose` `<boolean>` ::
Verbose output format.
*pveum passwd* `<userid>`
Change user password.
`<userid>`: `<string>` ::
*pveum pool add* `<poolid>` `[OPTIONS]`
`<poolid>`: `<string>` ::
no description available
`--comment` `<string>` ::
no description available
*pveum pool delete* `<poolid>`
`<poolid>`: `<string>` ::
no description available
*pveum pool list* `[FORMAT_OPTIONS]`
*pveum pool modify* `<poolid>` `[OPTIONS]`
`<poolid>`: `<string>` ::
no description available
`--comment` `<string>` ::
no description available
`--delete` `<boolean>` ::
Remove vms/storage (instead of adding it).
`--storage` `<string>` ::
`--vms` `<string>` ::
List of virtual machines.
*pveum realm add* `<realm> --type <string>` `[OPTIONS]`
Add an authentication server.
`<realm>`: `<string>` ::
Authentication domain ID
`--acr-values` `<string>` ::
Specifies the Authentication Context Class Reference values that the Authorization Server is being requested to use for the Auth Request.
`--autocreate` `<boolean>` ('default =' `0`)::
Automatically create users if they do not exist.
`--base_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
LDAP base domain name
`--bind_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
LDAP bind domain name
`--capath` `<string>` ('default =' `/etc/ssl/certs`)::
Path to the CA certificate store
`--case-sensitive` `<boolean>` ('default =' `1`)::
username is case-sensitive
`--cert` `<string>` ::
Path to the client certificate
`--certkey` `<string>` ::
Path to the client certificate key
`--client-id` `<string>` ::
`--client-key` `<string>` ::
`--comment` `<string>` ::
`--default` `<boolean>` ::
Use this as default realm
`--filter` `<string>` ::
LDAP filter for user sync.
`--group_classes` `<string>` ('default =' `groupOfNames, group, univentionGroup, ipausergroup`)::
The objectclasses for groups.
`--group_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
LDAP base domain name for group sync. If not set, the base_dn will be used.
`--group_filter` `<string>` ::
LDAP filter for group sync.
`--group_name_attr` `<string>` ::
LDAP attribute representing a group's name. If not set or found, the first value of the DN will be used as name.
`--issuer-url` `<string>` ::
`--mode` `<ldap | ldap+starttls | ldaps>` ('default =' `ldap`)::
`--password` `<string>` ::
LDAP bind password. Will be stored in '/etc/pve/priv/realm/<REALM>.pw'.
`--port` `<integer> (1 - 65535)` ::
`--prompt` `(?:none|login|consent|select_account|\S+)` ::
Specifies whether the Authorization Server prompts the End-User for reauthentication and consent.
`--scopes` `<string>` ('default =' `email profile`)::
Specifies the scopes (user details) that should be authorized and returned, for example 'email' or 'profile'.
`--secure` `<boolean>` ::
Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.
`--server1` `<string>` ::
Server IP address (or DNS name)
`--server2` `<string>` ::
Fallback Server IP address (or DNS name)
`--sslversion` `<tlsv1 | tlsv1_1 | tlsv1_2 | tlsv1_3>` ::
LDAPS TLS/SSL version. It's not recommended to use a version older than 1.2!
`--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,scope=<users|groups|both>]` ::
The default options for behavior of synchronizations.
`--sync_attributes` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
Comma-separated list of key=value pairs for specifying which LDAP attributes map to which PVE user field. For example, to map the LDAP attribute 'mail' to PVE's 'email', write 'email=mail'. By default, each PVE user field is represented by an LDAP attribute of the same name.
`--tfa` `type=<TFATYPE> [,digits=<COUNT>] [,id=<ID>] [,key=<KEY>] [,step=<SECONDS>] [,url=<URL>]` ::
Use Two-factor authentication.
`--type` `<ad | ldap | openid | pam | pve>` ::
`--user_attr` `\S{2,}` ::
LDAP user attribute name
`--user_classes` `<string>` ('default =' `inetorgperson, posixaccount, person, user`)::
The objectclasses for users.
`--username-claim` `<string>` ::
OpenID claim used to generate the unique username.
`--verify` `<boolean>` ('default =' `0`)::
Verify the server's SSL certificate
*pveum realm delete* `<realm>`
Delete an authentication server.
`<realm>`: `<string>` ::
Authentication domain ID
*pveum realm list* `[FORMAT_OPTIONS]`
Authentication domain index.
*pveum realm modify* `<realm>` `[OPTIONS]`
Update authentication server settings.
`<realm>`: `<string>` ::
Authentication domain ID
`--acr-values` `<string>` ::
Specifies the Authentication Context Class Reference values that the Authorization Server is being requested to use for the Auth Request.
`--autocreate` `<boolean>` ('default =' `0`)::
Automatically create users if they do not exist.
`--base_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
LDAP base domain name
`--bind_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
LDAP bind domain name
`--capath` `<string>` ('default =' `/etc/ssl/certs`)::
Path to the CA certificate store
`--case-sensitive` `<boolean>` ('default =' `1`)::
username is case-sensitive
`--cert` `<string>` ::
Path to the client certificate
`--certkey` `<string>` ::
Path to the client certificate key
`--client-id` `<string>` ::
`--client-key` `<string>` ::
`--comment` `<string>` ::
`--default` `<boolean>` ::
Use this as default realm
`--delete` `<string>` ::
A list of settings you want to delete.
`--digest` `<string>` ::
Prevent changes if current configuration file has different SHA1 digest. This can be used to prevent concurrent modifications.
`--filter` `<string>` ::
LDAP filter for user sync.
`--group_classes` `<string>` ('default =' `groupOfNames, group, univentionGroup, ipausergroup`)::
The objectclasses for groups.
`--group_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
LDAP base domain name for group sync. If not set, the base_dn will be used.
`--group_filter` `<string>` ::
LDAP filter for group sync.
`--group_name_attr` `<string>` ::
LDAP attribute representing a group's name. If not set or found, the first value of the DN will be used as name.
`--issuer-url` `<string>` ::
`--mode` `<ldap | ldap+starttls | ldaps>` ('default =' `ldap`)::
`--password` `<string>` ::
LDAP bind password. Will be stored in '/etc/pve/priv/realm/<REALM>.pw'.
`--port` `<integer> (1 - 65535)` ::
`--prompt` `(?:none|login|consent|select_account|\S+)` ::
Specifies whether the Authorization Server prompts the End-User for reauthentication and consent.
`--scopes` `<string>` ('default =' `email profile`)::
Specifies the scopes (user details) that should be authorized and returned, for example 'email' or 'profile'.
`--secure` `<boolean>` ::
Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.
`--server1` `<string>` ::
Server IP address (or DNS name)
`--server2` `<string>` ::
Fallback Server IP address (or DNS name)
`--sslversion` `<tlsv1 | tlsv1_1 | tlsv1_2 | tlsv1_3>` ::
LDAPS TLS/SSL version. It's not recommended to use a version older than 1.2!
`--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,scope=<users|groups|both>]` ::
The default options for behavior of synchronizations.
`--sync_attributes` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
Comma-separated list of key=value pairs for specifying which LDAP attributes map to which PVE user field. For example, to map the LDAP attribute 'mail' to PVE's 'email', write 'email=mail'. By default, each PVE user field is represented by an LDAP attribute of the same name.
`--tfa` `type=<TFATYPE> [,digits=<COUNT>] [,id=<ID>] [,key=<KEY>] [,step=<SECONDS>] [,url=<URL>]` ::
Use Two-factor authentication.
`--user_attr` `\S{2,}` ::
LDAP user attribute name
`--user_classes` `<string>` ('default =' `inetorgperson, posixaccount, person, user`)::
The objectclasses for users.
`--verify` `<boolean>` ('default =' `0`)::
Verify the server's SSL certificate
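The realm options above default to `--mode ldap` and `--verify 0`, so an LDAP or AD realm added without them binds without TLS or without certificate verification. The following check is an added example, not Proxmox code: it reads a `pveum realm add` command line and reports those settings, using the defaults listed above. It assumes every option is written as an `--option value` pair and that an explicit `--mode` takes precedence over the deprecated `--secure`; the finding labels and sample values are made up for the illustration.

```python
import shlex

# Defaults taken from the option list above for 'pveum realm add'.
DEFAULTS = {"mode": "ldap", "verify": "0"}
TRUE = {"1", "true", "yes", "on"}
OLD_TLS = {"tlsv1", "tlsv1_1"}


def parse_realm_add(cmdline):
    """Return (realm, options) for a 'pveum realm add <realm> --opt value ...' line."""
    argv = shlex.split(cmdline)
    if len(argv) < 4 or argv[:3] != ["pveum", "realm", "add"]:
        raise ValueError("not a 'pveum realm add' command")
    realm, rest = argv[3], argv[4:]
    if len(rest) % 2 or any(not k.startswith("--") for k in rest[::2]):
        raise ValueError("expected '--option value' pairs")
    return realm, {k[2:]: v for k, v in zip(rest[::2], rest[1::2])}


def audit_realm_add(cmdline):
    """List transport-security findings for an LDAP/AD realm definition."""
    realm, opts = parse_realm_add(cmdline)
    if opts.get("type") not in ("ad", "ldap"):
        return []  # mode/verify/sslversion are only checked for directory realms
    findings = []
    secure = opts.get("secure", "0").lower() in TRUE
    if "secure" in opts:
        findings.append("deprecated-secure: use --mode instead")
    # Assumption of this sketch: an explicit --mode wins over the deprecated --secure.
    mode = opts.get("mode", "ldaps" if secure else DEFAULTS["mode"])
    if mode == "ldap":
        findings.append("plaintext-ldap: no TLS, set --mode ldaps or ldap+starttls")
    elif opts.get("verify", DEFAULTS["verify"]).lower() not in TRUE:
        findings.append("no-cert-verify: TLS without --verify 1")
    if opts.get("sslversion") in OLD_TLS:
        findings.append("old-tls: --sslversion below tlsv1_2")
    return findings


# Constructed sample commands (realm name, host name and DN are made up).
WEAK = ("pveum realm add corp --type ldap --server1 ldap.example.test "
        "--base_dn dc=example,dc=test --user_attr uid")
HARDENED = WEAK + " --mode ldaps --verify 1 --sslversion tlsv1_2"

if __name__ == "__main__":
    for cmd in (WEAK, HARDENED):
        print(audit_realm_add(cmd) or "ok")
```

The check covers `realm add` only: `realm modify` leaves unspecified options at their stored values, so the defaults cannot be assumed there.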
*pveum realm sync* `<realm>` `[OPTIONS]`
Syncs users and/or groups from the configured LDAP to user.cfg. NOTE:
Synced groups will have the name 'name-$realm', so make sure those groups
do not exist to prevent overwriting.
`<realm>`: `<string>` ::
Authentication domain ID
`--dry-run` `<boolean>` ('default =' `0`)::
If set, does not write anything.
`--enable-new` `<boolean>` ('default =' `1`)::
Enable newly synced users immediately.
`--full` `<boolean>` ::
If set, uses the LDAP Directory as source of truth, deleting users or groups not returned from the sync. Otherwise only syncs information which is not already present, and does not delete or modify anything else.
`--purge` `<boolean>` ::
Remove ACLs for users or groups which were removed from the config during a sync.
`--scope` `<both | groups | users>` ::
*pveum role add* `<roleid>` `[OPTIONS]`
`<roleid>`: `<string>` ::
no description available
`--privs` `<string>` ::
no description available
*pveum role delete* `<roleid>`
`<roleid>`: `<string>` ::
no description available
*pveum role list* `[FORMAT_OPTIONS]`
*pveum role modify* `<roleid>` `[OPTIONS]`
Update an existing role.
`<roleid>`: `<string>` ::
no description available
`--append` `<boolean>` ::
no description available
NOTE: Requires option(s): `privs`
`--privs` `<string>` ::
no description available
An alias for 'pveum role add'.
An alias for 'pveum role delete'.
An alias for 'pveum role modify'.
*pveum ticket* `<username>` `[OPTIONS]`
Create or verify authentication ticket.
`<username>`: `<string>` ::
`--new-format` `<boolean>` ('default =' `0`)::
With webauthn the format of half-authenticated tickets changed. New clients should pass 1 here and not worry about the old format. The old format is deprecated and will be retired with PVE-8.0.
`--otp` `<string>` ::
One-time password for Two-factor authentication.
`--path` `<string>` ::
Verify ticket, and check if the user has access 'privs' on 'path'
NOTE: Requires option(s): `privs`
`--privs` `<string>` ::
Verify ticket, and check if the user has access 'privs' on 'path'
NOTE: Requires option(s): `path`
`--realm` `<string>` ::
You can optionally pass the realm using this parameter. Normally the realm is simply added to the username: <username>@<realm>.
`--tfa-challenge` `<string>` ::
The signed TFA challenge string the user wants to respond to.
*pveum user add* `<userid>` `[OPTIONS]`
`<userid>`: `<string>` ::
`--comment` `<string>` ::
no description available
`--email` `<string>` ::
no description available
`--enable` `<boolean>` ('default =' `1`)::
Enable the account (default). You can set this to '0' to disable the account
`--expire` `<integer> (0 - N)` ::
Account expiration date (seconds since epoch). '0' means no expiration date.
`--firstname` `<string>` ::
no description available
`--groups` `<string>` ::
no description available
`--keys` `<string>` ::
Keys for two factor auth (yubico).
`--lastname` `<string>` ::
no description available
`--password` `<string>` ::
*pveum user delete* `<userid>`
`<userid>`: `<string>` ::
*pveum user list* `[OPTIONS]` `[FORMAT_OPTIONS]`
`--enabled` `<boolean>` ::
Optional filter for enable property.
`--full` `<boolean>` ('default =' `0`)::
Include group and token information.
*pveum user modify* `<userid>` `[OPTIONS]`
Update user configuration.
`<userid>`: `<string>` ::
`--append` `<boolean>` ::
no description available
NOTE: Requires option(s): `groups`
`--comment` `<string>` ::
no description available
`--email` `<string>` ::
no description available
`--enable` `<boolean>` ('default =' `1`)::
Enable the account (default). You can set this to '0' to disable the account
`--expire` `<integer> (0 - N)` ::
Account expiration date (seconds since epoch). '0' means no expiration date.
`--firstname` `<string>` ::
no description available
`--groups` `<string>` ::
no description available
`--keys` `<string>` ::
Keys for two factor auth (yubico).
`--lastname` `<string>` ::
no description available
*pveum user permissions* `[<userid>]` `[OPTIONS]` `[FORMAT_OPTIONS]`
Retrieve effective permissions of given user/token.
`<userid>`: `(?^:^(?^:[^\s:/]+)\@(?^:[A-Za-z][A-Za-z0-9\.\-_]+)(?:!(?^:[A-Za-z][A-Za-z0-9\.\-_]+))?$)` ::
User ID or full API token ID
`--path` `<string>` ::
Only dump this specific path, not the whole tree.
*pveum user tfa delete* `<userid>` `[OPTIONS]`
Delete TFA entries from a user.
`<userid>`: `<string>` ::
The TFA ID, if none provided, all TFA entries will be deleted.
*pveum user token add* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
Generate a new API token for a specific user. NOTE: returns API token
value, which needs to be stored as it cannot be retrieved afterwards!
`<userid>`: `<string>` ::
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
User-specific token identifier.
`--comment` `<string>` ::
no description available
`--expire` `<integer> (0 - N)` ('default =' `same as user`)::
API token expiration date (seconds since epoch). '0' means no expiration date.
`--privsep` `<boolean>` ('default =' `1`)::
Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.
*pveum user token list* `<userid>` `[FORMAT_OPTIONS]`
`<userid>`: `<string>` ::
*pveum user token modify* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
Update API token for a specific user.
`<userid>`: `<string>` ::
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
User-specific token identifier.
`--comment` `<string>` ::
no description available
`--expire` `<integer> (0 - N)` ('default =' `same as user`)::
API token expiration date (seconds since epoch). '0' means no expiration date.
`--privsep` `<boolean>` ('default =' `1`)::
Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.
*pveum user token permissions* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
Retrieve effective permissions of given token.
`<userid>`: `<string>` ::
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
User-specific token identifier.
`--path` `<string>` ::
Only dump this specific path, not the whole tree.
*pveum user token remove* `<userid> <tokenid>` `[FORMAT_OPTIONS]`
Remove API token for a specific user.
`<userid>`: `<string>` ::
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
User-specific token identifier.
An alias for 'pveum user add'.
An alias for 'pveum user delete'.
An alias for 'pveum user modify'.