*pveum* `<COMMAND> [ARGS] [OPTIONS]`

*pveum acl delete* `<path> --roles <string>` `[OPTIONS]`

Update Access Control List (add or remove permissions).

`<path>`: `<string>` ::

`--groups` `<string>` ::

`--propagate` `<boolean>` ('default =' `1`)::

Allow to propagate (inherit) permissions.

`--roles` `<string>` ::

`--tokens` `<string>` ::

`--users` `<string>` ::

*pveum acl list* `[FORMAT_OPTIONS]`

Get Access Control List (ACLs).

*pveum acl modify* `<path> --roles <string>` `[OPTIONS]`

Update Access Control List (add or remove permissions).

`<path>`: `<string>` ::

`--groups` `<string>` ::

`--propagate` `<boolean>` ('default =' `1`)::

Allow to propagate (inherit) permissions.

`--roles` `<string>` ::

`--tokens` `<string>` ::

`--users` `<string>` ::

An alias for 'pveum acl delete'.

An alias for 'pveum acl modify'.

*pveum group add* `<groupid>` `[OPTIONS]`

`<groupid>`: `<string>` ::

no description available

`--comment` `<string>` ::

no description available

*pveum group delete* `<groupid>`

`<groupid>`: `<string>` ::

no description available

*pveum group list* `[FORMAT_OPTIONS]`

*pveum group modify* `<groupid>` `[OPTIONS]`

`<groupid>`: `<string>` ::

no description available

`--comment` `<string>` ::

no description available

An alias for 'pveum group add'.

An alias for 'pveum group delete'.

An alias for 'pveum group modify'.

*pveum help* `[OPTIONS]`

Get help about specified command.

`--extra-args` `<array>` ::

Shows help for a specific command

`--verbose` `<boolean>` ::

Verbose output format.

*pveum passwd* `<userid>`

Change user password.

`<userid>`: `<string>` ::

*pveum pool add* `<poolid>` `[OPTIONS]`

`<poolid>`: `<string>` ::

no description available

`--comment` `<string>` ::

no description available

*pveum pool delete* `<poolid>`

`<poolid>`: `<string>` ::

no description available

*pveum pool list* `[FORMAT_OPTIONS]`

*pveum pool modify* `<poolid>` `[OPTIONS]`

`<poolid>`: `<string>` ::

no description available

`--comment` `<string>` ::

no description available

`--delete` `<boolean>` ::

Remove vms/storage (instead of adding it).

`--storage` `<string>` ::

`--vms` `<string>` ::

List of virtual machines.

*pveum realm add* `<realm> --type <string>` `[OPTIONS]`

Add an authentication server.

`<realm>`: `<string>` ::

Authentication domain ID

`--autocreate` `<boolean>` ('default =' `0`)::

Automatically create users if they do not exist.

`--base_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::

LDAP base domain name

`--bind_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::

LDAP bind domain name

`--capath` `<string>` ('default =' `/etc/ssl/certs`)::

Path to the CA certificate store

`--case-sensitive` `<boolean>` ('default =' `1`)::

username is case-sensitive

`--cert` `<string>` ::

Path to the client certificate

`--certkey` `<string>` ::

Path to the client certificate key

`--client-id` `<string>` ::

`--client-key` `<string>` ::

`--comment` `<string>` ::

`--default` `<boolean>` ::

Use this as default realm

`--filter` `<string>` ::

LDAP filter for user sync.

`--group_classes` `<string>` ('default =' `groupOfNames, group, univentionGroup, ipausergroup`)::

The objectclasses for groups.

`--group_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::

LDAP base domain name for group sync. If not set, the base_dn will be used.

`--group_filter` `<string>` ::

LDAP filter for group sync.

`--group_name_attr` `<string>` ::

LDAP attribute representing a group's name. If not set or found, the first value of the DN will be used as the name.

`--issuer-url` `<string>` ::

`--mode` `<ldap | ldap+starttls | ldaps>` ('default =' `ldap`)::

`--password` `<string>` ::

LDAP bind password. Will be stored in '/etc/pve/priv/realm/<REALM>.pw'.

`--port` `<integer> (1 - 65535)` ::

`--secure` `<boolean>` ::

Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.

`--server1` `<string>` ::

Server IP address (or DNS name)

`--server2` `<string>` ::

Fallback Server IP address (or DNS name)

`--sslversion` `<tlsv1 | tlsv1_1 | tlsv1_2 | tlsv1_3>` ::

LDAPS TLS/SSL version. It's not recommended to use a version older than 1.2!

`--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,scope=<users|groups|both>]` ::

The default options for behavior of synchronizations.

`--sync_attributes` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::

Comma-separated list of key=value pairs for specifying which LDAP attributes map to which PVE user field. For example, to map the LDAP attribute 'mail' to PVE's 'email', write 'email=mail'. By default, each PVE user field is represented by an LDAP attribute of the same name.

`--tfa` `type=<TFATYPE> [,digits=<COUNT>] [,id=<ID>] [,key=<KEY>] [,step=<SECONDS>] [,url=<URL>]` ::

Use Two-factor authentication.

`--type` `<ad | ldap | openid | pam | pve>` ::

`--user_attr` `\S{2,}` ::

LDAP user attribute name

`--user_classes` `<string>` ('default =' `inetorgperson, posixaccount, person, user`)::

The objectclasses for users.

`--username-claim` `<email | subject | username>` ::

OpenID claim used to generate the unique username.

`--verify` `<boolean>` ('default =' `0`)::

Verify the server's SSL certificate

*pveum realm delete* `<realm>`

Delete an authentication server.

`<realm>`: `<string>` ::

Authentication domain ID

*pveum realm list* `[FORMAT_OPTIONS]`

Authentication domain index.

*pveum realm modify* `<realm>` `[OPTIONS]`

Update authentication server settings.

`<realm>`: `<string>` ::

Authentication domain ID

`--autocreate` `<boolean>` ('default =' `0`)::

Automatically create users if they do not exist.

`--base_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::

LDAP base domain name

`--bind_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::

LDAP bind domain name

`--capath` `<string>` ('default =' `/etc/ssl/certs`)::

Path to the CA certificate store

`--case-sensitive` `<boolean>` ('default =' `1`)::

username is case-sensitive

`--cert` `<string>` ::

Path to the client certificate

`--certkey` `<string>` ::

Path to the client certificate key

`--client-id` `<string>` ::

`--client-key` `<string>` ::

`--comment` `<string>` ::

`--default` `<boolean>` ::

Use this as default realm

`--delete` `<string>` ::

A list of settings you want to delete.

`--digest` `<string>` ::

Prevent changes if current configuration file has different SHA1 digest. This can be used to prevent concurrent modifications.

`--filter` `<string>` ::

LDAP filter for user sync.

`--group_classes` `<string>` ('default =' `groupOfNames, group, univentionGroup, ipausergroup`)::

The objectclasses for groups.

`--group_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::

LDAP base domain name for group sync. If not set, the base_dn will be used.

`--group_filter` `<string>` ::

LDAP filter for group sync.

`--group_name_attr` `<string>` ::

LDAP attribute representing a group's name. If not set or found, the first value of the DN will be used as the name.

`--issuer-url` `<string>` ::

`--mode` `<ldap | ldap+starttls | ldaps>` ('default =' `ldap`)::

`--password` `<string>` ::

LDAP bind password. Will be stored in '/etc/pve/priv/realm/<REALM>.pw'.

`--port` `<integer> (1 - 65535)` ::

`--secure` `<boolean>` ::

Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.

`--server1` `<string>` ::

Server IP address (or DNS name)

`--server2` `<string>` ::

Fallback Server IP address (or DNS name)

`--sslversion` `<tlsv1 | tlsv1_1 | tlsv1_2 | tlsv1_3>` ::

LDAPS TLS/SSL version. It's not recommended to use a version older than 1.2!

`--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,scope=<users|groups|both>]` ::

The default options for behavior of synchronizations.

`--sync_attributes` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::

Comma-separated list of key=value pairs for specifying which LDAP attributes map to which PVE user field. For example, to map the LDAP attribute 'mail' to PVE's 'email', write 'email=mail'. By default, each PVE user field is represented by an LDAP attribute of the same name.

`--tfa` `type=<TFATYPE> [,digits=<COUNT>] [,id=<ID>] [,key=<KEY>] [,step=<SECONDS>] [,url=<URL>]` ::

Use Two-factor authentication.

`--user_attr` `\S{2,}` ::

LDAP user attribute name

`--user_classes` `<string>` ('default =' `inetorgperson, posixaccount, person, user`)::

The objectclasses for users.

`--verify` `<boolean>` ('default =' `0`)::

Verify the server's SSL certificate

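The `realm add` and `realm modify` defaults listed above (`--mode ldap`, `--verify 0`) leave an LDAP realm on an unencrypted, unauthenticated transport unless they are overridden. The following lint is an added example, not part of the pveum reference; the realm name `corp`, the host `ldap.example.test` and the finding labels are constructed, and it assumes every option is written with an explicit value as in the synopsis.

```shell
#!/bin/sh
# Added example: lint the transport options of a `pveum realm add|modify`
# argument list. Defaults are the ones documented on this page.

realm_lint() {
    mode=ldap; verify=0; sslversion=; secure=; findings=
    # Walk the arguments; options we do not inspect are simply skipped.
    while [ $# -gt 1 ]; do
        case "$1" in
            --mode)       mode=$2; shift ;;
            --verify)     verify=$2; shift ;;
            --sslversion) sslversion=$2; shift ;;
            --secure)     secure=$2; shift ;;
        esac
        shift
    done
    # --secure is deprecated in favour of --mode.
    if [ -n "$secure" ]; then findings="$findings deprecated-secure"; fi
    if [ "$mode" = ldap ] && [ "$secure" != 1 ]; then
        # Plain LDAP: bind password and user logins cross the wire unencrypted.
        findings="$findings cleartext-ldap"
    elif [ "$verify" != 1 ]; then
        # TLS without certificate verification does not authenticate the server.
        findings="$findings no-cert-verify"
    fi
    case "$sslversion" in
        tlsv1|tlsv1_1) findings="$findings old-tls" ;;  # older than TLS 1.2
    esac
    findings=${findings# }
    echo "${findings:-ok}"
}

# Weak: relies on the defaults.
realm_lint corp --type ldap --server1 ldap.example.test \
    --base_dn dc=example,dc=test --user_attr uid

# Hardened: encrypted transport, verified certificate, TLS 1.2.
realm_lint corp --type ldap --server1 ldap.example.test \
    --base_dn dc=example,dc=test --user_attr uid \
    --mode ldaps --verify 1 --capath /etc/ssl/certs --sslversion tlsv1_2
```
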
*pveum realm sync* `<realm>` `[OPTIONS]`

Syncs users and/or groups from the configured LDAP to user.cfg. NOTE:
Synced groups will have the name 'name-$realm', so make sure those groups
do not exist to prevent overwriting.

`<realm>`: `<string>` ::

Authentication domain ID

`--dry-run` `<boolean>` ('default =' `0`)::

If set, does not write anything.

`--enable-new` `<boolean>` ('default =' `1`)::

Enable newly synced users immediately.

`--full` `<boolean>` ::

If set, uses the LDAP Directory as source of truth, deleting users or groups not returned from the sync. Otherwise only syncs information which is not already present, and does not delete or modify anything else.

`--purge` `<boolean>` ::

Remove ACLs for users or groups which were removed from the config during a sync.

`--scope` `<both | groups | users>` ::

*pveum role add* `<roleid>` `[OPTIONS]`

`<roleid>`: `<string>` ::

no description available

`--privs` `<string>` ::

no description available

*pveum role delete* `<roleid>`

`<roleid>`: `<string>` ::

no description available

*pveum role list* `[FORMAT_OPTIONS]`

*pveum role modify* `<roleid>` `[OPTIONS]`

Update an existing role.

`<roleid>`: `<string>` ::

no description available

`--append` `<boolean>` ::

no description available

NOTE: Requires option(s): `privs`

`--privs` `<string>` ::

no description available

An alias for 'pveum role add'.

An alias for 'pveum role delete'.

An alias for 'pveum role modify'.

*pveum ticket* `<username>` `[OPTIONS]`

Create or verify authentication ticket.

`<username>`: `<string>` ::

`--new-format` `<boolean>` ('default =' `0`)::

With webauthn the format of half-authenticated tickets changed. New clients should pass 1 here and not worry about the old format. The old format is deprecated and will be retired with PVE-8.0

`--otp` `<string>` ::

One-time password for Two-factor authentication.

`--path` `<string>` ::

Verify ticket, and check if the user has access 'privs' on 'path'

NOTE: Requires option(s): `privs`

`--privs` `<string>` ::

Verify ticket, and check if the user has access 'privs' on 'path'

NOTE: Requires option(s): `path`

`--realm` `<string>` ::

You can optionally pass the realm using this parameter. Normally the realm is simply added to the username <username>@<realm>.

`--tfa-challenge` `<string>` ::

The signed TFA challenge string the user wants to respond to.

*pveum user add* `<userid>` `[OPTIONS]`

`<userid>`: `<string>` ::

`--comment` `<string>` ::

no description available

`--email` `<string>` ::

no description available

`--enable` `<boolean>` ('default =' `1`)::

Enable the account (default). You can set this to '0' to disable the account

`--expire` `<integer> (0 - N)` ::

Account expiration date (seconds since epoch). '0' means no expiration date.

`--firstname` `<string>` ::

no description available

`--groups` `<string>` ::

no description available

`--keys` `<string>` ::

Keys for two factor auth (yubico).

`--lastname` `<string>` ::

no description available

`--password` `<string>` ::

*pveum user delete* `<userid>`

`<userid>`: `<string>` ::

*pveum user list* `[OPTIONS]` `[FORMAT_OPTIONS]`

`--enabled` `<boolean>` ::

Optional filter for enable property.

`--full` `<boolean>` ('default =' `0`)::

Include group and token information.

*pveum user modify* `<userid>` `[OPTIONS]`

Update user configuration.

`<userid>`: `<string>` ::

`--append` `<boolean>` ::

no description available

NOTE: Requires option(s): `groups`

`--comment` `<string>` ::

no description available

`--email` `<string>` ::

no description available

`--enable` `<boolean>` ('default =' `1`)::

Enable the account (default). You can set this to '0' to disable the account

`--expire` `<integer> (0 - N)` ::

Account expiration date (seconds since epoch). '0' means no expiration date.

`--firstname` `<string>` ::

no description available

`--groups` `<string>` ::

no description available

`--keys` `<string>` ::

Keys for two factor auth (yubico).

`--lastname` `<string>` ::

no description available

*pveum user permissions* `[<userid>]` `[OPTIONS]` `[FORMAT_OPTIONS]`

Retrieve effective permissions of given user/token.

`<userid>`: `(?^:^(?^:[^\s:/]+)\@(?^:[A-Za-z][A-Za-z0-9\.\-_]+)(?:!(?^:[A-Za-z][A-Za-z0-9\.\-_]+))?$)` ::

User ID or full API token ID

`--path` `<string>` ::

Only dump this specific path, not the whole tree.

*pveum user tfa delete* `<userid>` `[OPTIONS]`

Delete TFA entries from a user.

`<userid>`: `<string>` ::

The TFA ID, if none provided, all TFA entries will be deleted.

*pveum user token add* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`

Generate a new API token for a specific user. NOTE: returns API token
value, which needs to be stored as it cannot be retrieved afterwards!

`<userid>`: `<string>` ::

`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::

User-specific token identifier.

`--comment` `<string>` ::

no description available

`--expire` `<integer> (0 - N)` ('default =' `same as user`)::

API token expiration date (seconds since epoch). '0' means no expiration date.

`--privsep` `<boolean>` ('default =' `1`)::

Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.

*pveum user token list* `<userid>` `[FORMAT_OPTIONS]`

`<userid>`: `<string>` ::

*pveum user token modify* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`

Update API token for a specific user.

`<userid>`: `<string>` ::

`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::

User-specific token identifier.

`--comment` `<string>` ::

no description available

`--expire` `<integer> (0 - N)` ('default =' `same as user`)::

API token expiration date (seconds since epoch). '0' means no expiration date.

`--privsep` `<boolean>` ('default =' `1`)::

Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.

*pveum user token permissions* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`

Retrieve effective permissions of given token.

`<userid>`: `<string>` ::

`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::

User-specific token identifier.

`--path` `<string>` ::

Only dump this specific path, not the whole tree.

*pveum user token remove* `<userid> <tokenid>` `[FORMAT_OPTIONS]`

Remove API token for a specific user.

`<userid>`: `<string>` ::

`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::

User-specific token identifier.

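A least-privilege token workflow built from the `user add`, `role add`, `user token add`, `acl modify` and `user token permissions` commands above, as an added example that is not part of the pveum reference. The user `monitor@pve`, token ID `metrics`, role name `MonitorRO`, the `VM.Audit` privilege and the `/vms` path are assumed sample values; the script only prints the commands.

```shell
#!/bin/sh
# Added example (not from the pveum reference): plan a privilege-separated,
# expiring API token. Sample values are constructed: user monitor@pve,
# token id "metrics", role MonitorRO, privilege VM.Audit, ACL path /vms.

# <tokenid> must match the documented pattern [A-Za-z][A-Za-z0-9\.\-_]+
valid_tokenid() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9._-]+$'
}

# Value for --expire (seconds since epoch): <days> after <now_epoch>.
expire_epoch() {
    echo $(( $1 + $2 * 86400 ))
}

# Print the command sequence; nothing is executed.
# usage: token_plan <userid> <tokenid> <role> <privs> <path> <expire>
token_plan() {
    valid_tokenid "$2" || { echo "invalid tokenid: $2" >&2; return 1; }
    # Service account that owns the token.
    echo "pveum user add $1 --comment 'service account'"
    # Dedicated role carrying only the privileges the job needs.
    echo "pveum role add $3 --privs '$4'"
    # --privsep 1: the token is limited by its own ACLs, not the user's alone.
    echo "pveum user token add $1 $2 --privsep 1 --expire $6"
    # Full API token ID is <userid>!<tokenid>. A privilege-separated token
    # cannot exceed its user, so the role is granted to both on one path.
    echo "pveum acl modify $5 --users '$1' --tokens '$1!$2' --roles $3 --propagate 1"
    # Check what the token can actually do before handing it out.
    echo "pveum user token permissions $1 $2 --path $5"
}

# Review the output, then run it on a PVE node.
token_plan 'monitor@pve' metrics MonitorRO 'VM.Audit' /vms \
    "$(expire_epoch "$(date +%s)" 90)"
```

The token value printed by `pveum user token add` is shown once only, so capture it into a secret store at that step.
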
An alias for 'pveum user add'.

An alias for 'pveum user delete'.

An alias for 'pveum user modify'.