*pveum* `<COMMAND> [ARGS] [OPTIONS]`
*pveum acl delete* `<path> --roles <string>` `[OPTIONS]`
Update Access Control List (add or remove permissions).
`<path>`: `<string>` ::
`--groups` `<string>` ::
`--propagate` `<boolean>` ('default =' `1`)::
Allow to propagate (inherit) permissions.
`--roles` `<string>` ::
`--tokens` `<string>` ::
`--users` `<string>` ::
*pveum acl list* `[FORMAT_OPTIONS]`
Get Access Control List (ACLs).
*pveum acl modify* `<path> --roles <string>` `[OPTIONS]`
Update Access Control List (add or remove permissions).
`<path>`: `<string>` ::
`--groups` `<string>` ::
`--propagate` `<boolean>` ('default =' `1`)::
Allow to propagate (inherit) permissions.
`--roles` `<string>` ::
`--tokens` `<string>` ::
`--users` `<string>` ::
An alias for 'pveum acl delete'.
An alias for 'pveum acl modify'.
*pveum group add* `<groupid>` `[OPTIONS]`
`<groupid>`: `<string>` ::
no description available
`--comment` `<string>` ::
no description available
*pveum group delete* `<groupid>`
`<groupid>`: `<string>` ::
no description available
*pveum group list* `[FORMAT_OPTIONS]`
*pveum group modify* `<groupid>` `[OPTIONS]`
`<groupid>`: `<string>` ::
no description available
`--comment` `<string>` ::
no description available
An alias for 'pveum group add'.
An alias for 'pveum group delete'.
An alias for 'pveum group modify'.
*pveum help* `[OPTIONS]`
Get help about specified command.
`--extra-args` `<array>` ::
Shows help for a specific command
`--verbose` `<boolean>` ::
Verbose output format.
*pveum passwd* `<userid>`
Change user password.
`<userid>`: `<string>` ::
*pveum pool add* `<poolid>` `[OPTIONS]`
`<poolid>`: `<string>` ::
no description available
`--comment` `<string>` ::
no description available
*pveum pool delete* `<poolid>`
`<poolid>`: `<string>` ::
no description available
*pveum pool list* `[FORMAT_OPTIONS]`
*pveum pool modify* `<poolid>` `[OPTIONS]`
`<poolid>`: `<string>` ::
no description available
`--comment` `<string>` ::
no description available
`--delete` `<boolean>` ::
Remove vms/storage (instead of adding it).
`--storage` `<string>` ::
`--vms` `<string>` ::
List of virtual machines.
*pveum realm add* `<realm> --type <string>` `[OPTIONS]`
Add an authentication server.
`<realm>`: `<string>` ::
Authentication domain ID
`--autocreate` `<boolean>` ('default =' `0`)::
Automatically create users if they do not exist.
`--base_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
LDAP base domain name
`--bind_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
LDAP bind domain name
`--capath` `<string>` ('default =' `/etc/ssl/certs`)::
Path to the CA certificate store
`--case-sensitive` `<boolean>` ('default =' `1`)::
username is case-sensitive
`--cert` `<string>` ::
Path to the client certificate
`--certkey` `<string>` ::
Path to the client certificate key
`--client-id` `<string>` ::
`--client-key` `<string>` ::
`--comment` `<string>` ::
`--default` `<boolean>` ::
Use this as default realm
`--filter` `<string>` ::
LDAP filter for user sync.
`--group_classes` `<string>` ('default =' `groupOfNames, group, univentionGroup, ipausergroup`)::
The objectclasses for groups.
`--group_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
LDAP base domain name for group sync. If not set, the base_dn will be used.
`--group_filter` `<string>` ::
LDAP filter for group sync.
`--group_name_attr` `<string>` ::
LDAP attribute representing a group's name. If not set or found, the first value of the DN will be used as name.
`--issuer-url` `<string>` ::
`--mode` `<ldap | ldap+starttls | ldaps>` ('default =' `ldap`)::
`--password` `<string>` ::
LDAP bind password. Will be stored in '/etc/pve/priv/realm/<REALM>.pw'.
`--port` `<integer> (1 - 65535)` ::
`--secure` `<boolean>` ::
Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.
`--server1` `<string>` ::
Server IP address (or DNS name)
`--server2` `<string>` ::
Fallback Server IP address (or DNS name)
`--sslversion` `<tlsv1 | tlsv1_1 | tlsv1_2 | tlsv1_3>` ::
LDAPS TLS/SSL version. It's not recommended to use versions older than 1.2!
`--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,scope=<users|groups|both>]` ::
The default options for behavior of synchronizations.
`--sync_attributes` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
Comma separated list of key=value pairs for specifying which LDAP attributes map to which PVE user field. For example, to map the LDAP attribute 'mail' to PVE's 'email', write 'email=mail'. By default, each PVE user field is represented by an LDAP attribute of the same name.
`--tfa` `type=<TFATYPE> [,digits=<COUNT>] [,id=<ID>] [,key=<KEY>] [,step=<SECONDS>] [,url=<URL>]` ::
Use Two-factor authentication.
`--type` `<ad | ldap | openid | pam | pve>` ::
`--user_attr` `\S{2,}` ::
LDAP user attribute name
`--user_classes` `<string>` ('default =' `inetorgperson, posixaccount, person, user`)::
The objectclasses for users.
`--username-claim` `<email | subject | username>` ::
OpenID claim used to generate the unique username.
`--verify` `<boolean>` ('default =' `0`)::
Verify the server's SSL certificate
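
With the defaults listed above, a new LDAP realm uses `--mode ldap` and `--verify 0`. The following shell function is an added example, not part of pveum or its documentation: it lints the `mode`, `verify`, `sslversion` and `base_dn` values of a planned `pveum realm add` call. The function name, its messages and the sample host names are assumptions.

```shell
#!/bin/sh
# Added example (not from the pveum documentation): lint a planned
# `pveum realm add --type ldap` call before running it.
# Arguments are key=value pairs named after the options above.
lint_realm_opts() {
    mode=ldap; verify=0; sslversion=; base_dn=; findings=0   # documented defaults
    for kv in "$@"; do
        key=${kv%%=*}; val=${kv#*=}      # split at the first '=' only
        case $key in
            mode)       mode=$val ;;
            verify)     verify=$val ;;
            sslversion) sslversion=$val ;;
            base_dn)    base_dn=$val ;;
        esac
    done
    if [ "$mode" = ldap ]; then
        echo "mode=ldap: no TLS, the bind password crosses the network in clear text"
        findings=$((findings + 1))
    elif [ "$verify" != 1 ]; then
        echo "verify=$verify: TLS is on but the server certificate is not checked"
        findings=$((findings + 1))
    fi
    case $sslversion in
        tlsv1|tlsv1_1)
            echo "sslversion=$sslversion: older than TLS 1.2"
            findings=$((findings + 1)) ;;
    esac
    # Documented base_dn pattern, anchored here (assumption) and written
    # with POSIX classes instead of \w and \s.
    dn_re='^[[:alnum:]_]+=[^,]+(,[[:space:]]*[[:alnum:]_]+=[^,]+)*$'
    if [ -n "$base_dn" ] && ! printf '%s\n' "$base_dn" | grep -Eq "$dn_re"; then
        echo "base_dn=$base_dn: does not match the documented pattern"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]                # exit status 0 only when clean
}

# Constructed inputs: the first relies on the defaults, the second is hardened.
lint_realm_opts base_dn=example.com server1=ldap.example.com || true
lint_realm_opts base_dn='dc=example,dc=com' mode=ldaps verify=1 \
    sslversion=tlsv1_2 server1=ldap.example.com && echo "no findings"
```
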
*pveum realm delete* `<realm>`
Delete an authentication server.
`<realm>`: `<string>` ::
Authentication domain ID
*pveum realm list* `[FORMAT_OPTIONS]`
Authentication domain index.
*pveum realm modify* `<realm>` `[OPTIONS]`
Update authentication server settings.
`<realm>`: `<string>` ::
Authentication domain ID
`--autocreate` `<boolean>` ('default =' `0`)::
Automatically create users if they do not exist.
`--base_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
LDAP base domain name
`--bind_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
LDAP bind domain name
`--capath` `<string>` ('default =' `/etc/ssl/certs`)::
Path to the CA certificate store
`--case-sensitive` `<boolean>` ('default =' `1`)::
username is case-sensitive
`--cert` `<string>` ::
Path to the client certificate
`--certkey` `<string>` ::
Path to the client certificate key
`--client-id` `<string>` ::
`--client-key` `<string>` ::
`--comment` `<string>` ::
`--default` `<boolean>` ::
Use this as default realm
`--delete` `<string>` ::
A list of settings you want to delete.
`--digest` `<string>` ::
Prevent changes if current configuration file has different SHA1 digest. This can be used to prevent concurrent modifications.
`--filter` `<string>` ::
LDAP filter for user sync.
`--group_classes` `<string>` ('default =' `groupOfNames, group, univentionGroup, ipausergroup`)::
The objectclasses for groups.
`--group_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
LDAP base domain name for group sync. If not set, the base_dn will be used.
`--group_filter` `<string>` ::
LDAP filter for group sync.
`--group_name_attr` `<string>` ::
LDAP attribute representing a group's name. If not set or found, the first value of the DN will be used as name.
`--issuer-url` `<string>` ::
`--mode` `<ldap | ldap+starttls | ldaps>` ('default =' `ldap`)::
`--password` `<string>` ::
LDAP bind password. Will be stored in '/etc/pve/priv/realm/<REALM>.pw'.
`--port` `<integer> (1 - 65535)` ::
`--secure` `<boolean>` ::
Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.
`--server1` `<string>` ::
Server IP address (or DNS name)
`--server2` `<string>` ::
Fallback Server IP address (or DNS name)
`--sslversion` `<tlsv1 | tlsv1_1 | tlsv1_2 | tlsv1_3>` ::
LDAPS TLS/SSL version. It's not recommended to use versions older than 1.2!
`--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,scope=<users|groups|both>]` ::
The default options for behavior of synchronizations.
`--sync_attributes` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
Comma separated list of key=value pairs for specifying which LDAP attributes map to which PVE user field. For example, to map the LDAP attribute 'mail' to PVE's 'email', write 'email=mail'. By default, each PVE user field is represented by an LDAP attribute of the same name.
`--tfa` `type=<TFATYPE> [,digits=<COUNT>] [,id=<ID>] [,key=<KEY>] [,step=<SECONDS>] [,url=<URL>]` ::
Use Two-factor authentication.
`--user_attr` `\S{2,}` ::
LDAP user attribute name
`--user_classes` `<string>` ('default =' `inetorgperson, posixaccount, person, user`)::
The objectclasses for users.
`--verify` `<boolean>` ('default =' `0`)::
Verify the server's SSL certificate
*pveum realm sync* `<realm>` `[OPTIONS]`
Syncs users and/or groups from the configured LDAP to user.cfg. NOTE:
Synced groups will have the name 'name-$realm', so make sure those groups
do not exist to prevent overwriting.
`<realm>`: `<string>` ::
Authentication domain ID
`--dry-run` `<boolean>` ('default =' `0`)::
If set, does not write anything.
`--enable-new` `<boolean>` ('default =' `1`)::
Enable newly synced users immediately.
`--full` `<boolean>` ::
If set, uses the LDAP Directory as source of truth, deleting users or groups not returned from the sync. Otherwise only syncs information which is not already present, and does not delete or modify anything else.
`--purge` `<boolean>` ::
Remove ACLs for users or groups which were removed from the config during a sync.
`--scope` `<both | groups | users>` ::
*pveum role add* `<roleid>` `[OPTIONS]`
`<roleid>`: `<string>` ::
no description available
`--privs` `<string>` ::
no description available
*pveum role delete* `<roleid>`
`<roleid>`: `<string>` ::
no description available
*pveum role list* `[FORMAT_OPTIONS]`
*pveum role modify* `<roleid>` `[OPTIONS]`
Update an existing role.
`<roleid>`: `<string>` ::
no description available
`--append` `<boolean>` ::
no description available
NOTE: Requires option(s): `privs`
`--privs` `<string>` ::
no description available
An alias for 'pveum role add'.
An alias for 'pveum role delete'.
An alias for 'pveum role modify'.
*pveum ticket* `<username>` `[OPTIONS]`
Create or verify authentication ticket.
`<username>`: `<string>` ::
`--otp` `<string>` ::
One-time password for Two-factor authentication.
`--path` `<string>` ::
Verify ticket, and check if the user has access 'privs' on 'path'
NOTE: Requires option(s): `privs`
`--privs` `<string>` ::
Verify ticket, and check if the user has access 'privs' on 'path'
NOTE: Requires option(s): `path`
`--realm` `<string>` ::
You can optionally pass the realm using this parameter. Normally the realm is simply added to the username <username>@<realm>.
*pveum user add* `<userid>` `[OPTIONS]`
`<userid>`: `<string>` ::
`--comment` `<string>` ::
no description available
`--email` `<string>` ::
no description available
`--enable` `<boolean>` ('default =' `1`)::
Enable the account (default). You can set this to '0' to disable the account
`--expire` `<integer> (0 - N)` ::
Account expiration date (seconds since epoch). '0' means no expiration date.
`--firstname` `<string>` ::
no description available
`--groups` `<string>` ::
no description available
`--keys` `<string>` ::
Keys for two factor auth (yubico).
`--lastname` `<string>` ::
no description available
`--password` `<string>` ::
*pveum user delete* `<userid>`
`<userid>`: `<string>` ::
*pveum user list* `[OPTIONS]` `[FORMAT_OPTIONS]`
`--enabled` `<boolean>` ::
Optional filter for enable property.
`--full` `<boolean>` ('default =' `0`)::
Include group and token information.
*pveum user modify* `<userid>` `[OPTIONS]`
Update user configuration.
`<userid>`: `<string>` ::
`--append` `<boolean>` ::
no description available
NOTE: Requires option(s): `groups`
`--comment` `<string>` ::
no description available
`--email` `<string>` ::
no description available
`--enable` `<boolean>` ('default =' `1`)::
Enable the account (default). You can set this to '0' to disable the account
`--expire` `<integer> (0 - N)` ::
Account expiration date (seconds since epoch). '0' means no expiration date.
`--firstname` `<string>` ::
no description available
`--groups` `<string>` ::
no description available
`--keys` `<string>` ::
Keys for two factor auth (yubico).
`--lastname` `<string>` ::
no description available
*pveum user permissions* `[<userid>]` `[OPTIONS]` `[FORMAT_OPTIONS]`
Retrieve effective permissions of given user/token.
`<userid>`: `(?^:^(?^:[^\s:/]+)\@(?^:[A-Za-z][A-Za-z0-9\.\-_]+)(?:!(?^:[A-Za-z][A-Za-z0-9\.\-_]+))?$)` ::
User ID or full API token ID
`--path` `<string>` ::
Only dump this specific path, not the whole tree.
*pveum user tfa delete* `<userid>` `[OPTIONS]`
Change user u2f authentication.
`<userid>`: `<string>` ::
`--config` `type=<TFATYPE> [,digits=<COUNT>] [,id=<ID>] [,key=<KEY>] [,step=<SECONDS>] [,url=<URL>]` ::
A TFA configuration. This must currently be of type TOTP or not set at all.
`--key` `<string>` ::
When adding TOTP, the shared secret value.
`--password` `<string>` ::
The current password.
`--response` `<string>` ::
Either the response to the current u2f registration challenge, or, when adding TOTP, the currently valid TOTP value.
*pveum user token add* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
Generate a new API token for a specific user. NOTE: returns API token
value, which needs to be stored as it cannot be retrieved afterwards!
`<userid>`: `<string>` ::
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
User-specific token identifier.
`--comment` `<string>` ::
no description available
`--expire` `<integer> (0 - N)` ('default =' `same as user`)::
API token expiration date (seconds since epoch). '0' means no expiration date.
`--privsep` `<boolean>` ('default =' `1`)::
Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.
*pveum user token list* `<userid>` `[FORMAT_OPTIONS]`
`<userid>`: `<string>` ::
*pveum user token modify* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
Update API token for a specific user.
`<userid>`: `<string>` ::
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
User-specific token identifier.
`--comment` `<string>` ::
no description available
`--expire` `<integer> (0 - N)` ('default =' `same as user`)::
API token expiration date (seconds since epoch). '0' means no expiration date.
`--privsep` `<boolean>` ('default =' `1`)::
Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.
*pveum user token permissions* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
Retrieve effective permissions of given token.
`<userid>`: `<string>` ::
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
User-specific token identifier.
`--path` `<string>` ::
Only dump this specific path, not the whole tree.
*pveum user token remove* `<userid> <tokenid>` `[FORMAT_OPTIONS]`
Remove API token for a specific user.
`<userid>`: `<string>` ::
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
User-specific token identifier.
An alias for 'pveum user add'.
An alias for 'pveum user delete'.
An alias for 'pveum user modify'.