1 *pveum* `<COMMAND> [ARGS] [OPTIONS]`
2
3 *pveum acl delete* `<path> --roles <string>` `[OPTIONS]`
4
5 Update Access Control List (add or remove permissions).
6
7 `<path>`: `<string>` ::
8
9 Access control path
10
11 `--groups` `<string>` ::
12
13 List of groups.
14
15 `--propagate` `<boolean>` ('default =' `1`)::
16
17 Allow to propagate (inherit) permissions.
18
19 `--roles` `<string>` ::
20
21 List of roles.
22
23 `--tokens` `<string>` ::
24
25 List of API tokens.
26
27 `--users` `<string>` ::
28
29 List of users.
30
31 *pveum acl list* `[FORMAT_OPTIONS]`
32
33 Get Access Control List (ACLs).
34
35 *pveum acl modify* `<path> --roles <string>` `[OPTIONS]`
36
37 Update Access Control List (add or remove permissions).
38
39 `<path>`: `<string>` ::
40
41 Access control path
42
43 `--groups` `<string>` ::
44
45 List of groups.
46
47 `--propagate` `<boolean>` ('default =' `1`)::
48
49 Allow to propagate (inherit) permissions.
50
51 `--roles` `<string>` ::
52
53 List of roles.
54
55 `--tokens` `<string>` ::
56
57 List of API tokens.
58
59 `--users` `<string>` ::
60
61 List of users.
62
63 *pveum acldel*
64
65 An alias for 'pveum acl delete'.
66
67 *pveum aclmod*
68
69 An alias for 'pveum acl modify'.
70
71 *pveum group add* `<groupid>` `[OPTIONS]`
72
73 Create new group.
74
75 `<groupid>`: `<string>` ::
76
77 no description available
78
79 `--comment` `<string>` ::
80
81 no description available
82
83 *pveum group delete* `<groupid>`
84
85 Delete group.
86
87 `<groupid>`: `<string>` ::
88
89 no description available
90
91 *pveum group list* `[FORMAT_OPTIONS]`
92
93 Group index.
94
95 *pveum group modify* `<groupid>` `[OPTIONS]`
96
97 Update group data.
98
99 `<groupid>`: `<string>` ::
100
101 no description available
102
103 `--comment` `<string>` ::
104
105 no description available
106
107 *pveum groupadd*
108
109 An alias for 'pveum group add'.
110
111 *pveum groupdel*
112
113 An alias for 'pveum group delete'.
114
115 *pveum groupmod*
116
117 An alias for 'pveum group modify'.
118
119 *pveum help* `[OPTIONS]`
120
121 Get help about specified command.
122
123 `--extra-args` `<array>` ::
124
125 Shows help for a specific command
126
127 `--verbose` `<boolean>` ::
128
129 Verbose output format.
130
131 *pveum passwd* `<userid>`
132
133 Change user password.
134
135 `<userid>`: `<string>` ::
136
137 User ID
138
139 *pveum realm add* `<realm> --type <string>` `[OPTIONS]`
140
141 Add an authentication server.
142
143 `<realm>`: `<string>` ::
144
145 Authentication domain ID
146
147 `--base_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
148
149 LDAP base domain name
150
151 `--bind_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
152
153 LDAP bind domain name
154
155 `--capath` `<string>` ('default =' `/etc/ssl/certs`)::
156
157 Path to the CA certificate store
158
159 `--case-sensitive` `<boolean>` ('default =' `1`)::
160
161 username is case-sensitive
162
163 `--cert` `<string>` ::
164
165 Path to the client certificate
166
167 `--certkey` `<string>` ::
168
169 Path to the client certificate key
170
171 `--comment` `<string>` ::
172
173 Description.
174
175 `--default` `<boolean>` ::
176
177 Use this as default realm
178
179 `--domain` `\S+` ::
180
181 AD domain name
182
183 `--filter` `<string>` ::
184
185 LDAP filter for user sync.
186
187 `--group_classes` `<string>` ('default =' `groupOfNames, group, univentionGroup, ipausergroup`)::
188
189 The objectclasses for groups.
190
191 `--group_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
192
193 LDAP base domain name for group sync. If not set, the base_dn will be used.
194
195 `--group_filter` `<string>` ::
196
197 LDAP filter for group sync.
198
199 `--group_name_attr` `<string>` ::
200
201 LDAP attribute representing a group's name. If not set or not found, the first value of the DN will be used as the name.
202
203 `--mode` `<ldap | ldap+starttls | ldaps>` ('default =' `ldap`)::
204
205 LDAP protocol mode.
206
207 `--password` `<string>` ::
208
209 LDAP bind password. Will be stored in '/etc/pve/priv/realm/<REALM>.pw'.
210
211 `--port` `<integer> (1 - 65535)` ::
212
213 Server port.
214
215 `--secure` `<boolean>` ::
216
217 Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.
218
219 `--server1` `<string>` ::
220
221 Server IP address (or DNS name)
222
223 `--server2` `<string>` ::
224
225 Fallback Server IP address (or DNS name)
226
227 `--sslversion` `<tlsv1 | tlsv1_1 | tlsv1_2 | tlsv1_3>` ::
228
229 LDAPS TLS/SSL version. It's not recommended to use a version older than 1.2!
230
231 `--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,scope=<users|groups|both>]` ::
232
233 The default options for behavior of synchronizations.
234
235 `--sync_attributes` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
236
237 Comma-separated list of key=value pairs specifying which LDAP attributes map to which PVE user field. For example, to map the LDAP attribute 'mail' to PVE's 'email', write 'email=mail'. By default, each PVE user field is represented by an LDAP attribute of the same name.
238
239 `--tfa` `type=<TFATYPE> [,digits=<COUNT>] [,id=<ID>] [,key=<KEY>] [,step=<SECONDS>] [,url=<URL>]` ::
240
241 Use Two-factor authentication.
242
243 `--type` `<ad | ldap | pam | pve>` ::
244
245 Realm type.
246
247 `--user_attr` `\S{2,}` ::
248
249 LDAP user attribute name
250
251 `--user_classes` `<string>` ('default =' `inetorgperson, posixaccount, person, user`)::
252
253 The objectclasses for users.
254
255 `--verify` `<boolean>` ('default =' `0`)::
256
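257 Verify the server's SSL certificate. Verification is disabled by default (`0`); set this to `1` to have the server certificate checked.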
258
259 *pveum realm delete* `<realm>`
260
261 Delete an authentication server.
262
263 `<realm>`: `<string>` ::
264
265 Authentication domain ID
266
267 *pveum realm list* `[FORMAT_OPTIONS]`
268
269 Authentication domain index.
270
271 *pveum realm modify* `<realm>` `[OPTIONS]`
272
273 Update authentication server settings.
274
275 `<realm>`: `<string>` ::
276
277 Authentication domain ID
278
279 `--base_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
280
281 LDAP base domain name
282
283 `--bind_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
284
285 LDAP bind domain name
286
287 `--capath` `<string>` ('default =' `/etc/ssl/certs`)::
288
289 Path to the CA certificate store
290
291 `--case-sensitive` `<boolean>` ('default =' `1`)::
292
293 username is case-sensitive
294
295 `--cert` `<string>` ::
296
297 Path to the client certificate
298
299 `--certkey` `<string>` ::
300
301 Path to the client certificate key
302
303 `--comment` `<string>` ::
304
305 Description.
306
307 `--default` `<boolean>` ::
308
309 Use this as default realm
310
311 `--delete` `<string>` ::
312
313 A list of settings you want to delete.
314
315 `--digest` `<string>` ::
316
317 Prevent changes if the current configuration file has a different SHA1 digest. This can be used to prevent concurrent modifications.
318
319 `--domain` `\S+` ::
320
321 AD domain name
322
323 `--filter` `<string>` ::
324
325 LDAP filter for user sync.
326
327 `--group_classes` `<string>` ('default =' `groupOfNames, group, univentionGroup, ipausergroup`)::
328
329 The objectclasses for groups.
330
331 `--group_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
332
333 LDAP base domain name for group sync. If not set, the base_dn will be used.
334
335 `--group_filter` `<string>` ::
336
337 LDAP filter for group sync.
338
339 `--group_name_attr` `<string>` ::
340
341 LDAP attribute representing a group's name. If not set or not found, the first value of the DN will be used as the name.
342
343 `--mode` `<ldap | ldap+starttls | ldaps>` ('default =' `ldap`)::
344
345 LDAP protocol mode.
346
347 `--password` `<string>` ::
348
349 LDAP bind password. Will be stored in '/etc/pve/priv/realm/<REALM>.pw'.
350
351 `--port` `<integer> (1 - 65535)` ::
352
353 Server port.
354
355 `--secure` `<boolean>` ::
356
357 Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.
358
359 `--server1` `<string>` ::
360
361 Server IP address (or DNS name)
362
363 `--server2` `<string>` ::
364
365 Fallback Server IP address (or DNS name)
366
367 `--sslversion` `<tlsv1 | tlsv1_1 | tlsv1_2 | tlsv1_3>` ::
368
369 LDAPS TLS/SSL version. It's not recommended to use a version older than 1.2!
370
371 `--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,scope=<users|groups|both>]` ::
372
373 The default options for behavior of synchronizations.
374
375 `--sync_attributes` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
376
377 Comma-separated list of key=value pairs specifying which LDAP attributes map to which PVE user field. For example, to map the LDAP attribute 'mail' to PVE's 'email', write 'email=mail'. By default, each PVE user field is represented by an LDAP attribute of the same name.
378
379 `--tfa` `type=<TFATYPE> [,digits=<COUNT>] [,id=<ID>] [,key=<KEY>] [,step=<SECONDS>] [,url=<URL>]` ::
380
381 Use Two-factor authentication.
382
383 `--user_attr` `\S{2,}` ::
384
385 LDAP user attribute name
386
387 `--user_classes` `<string>` ('default =' `inetorgperson, posixaccount, person, user`)::
388
389 The objectclasses for users.
390
391 `--verify` `<boolean>` ('default =' `0`)::
392
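393 Verify the server's SSL certificate. Verification is disabled by default (`0`); set this to `1` to have the server certificate checked.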
394
395 *pveum realm sync* `<realm>` `[OPTIONS]`
396
397 Syncs users and/or groups from the configured LDAP to user.cfg. NOTE:
398 Synced groups will have the name 'name-$realm', so make sure those groups
399 do not exist to prevent overwriting.
400
401 `<realm>`: `<string>` ::
402
403 Authentication domain ID
404
405 `--dry-run` `<boolean>` ('default =' `0`)::
406
407 If set, does not write anything.
408
409 `--enable-new` `<boolean>` ('default =' `1`)::
410
411 Enable newly synced users immediately.
412
413 `--full` `<boolean>` ::
414
415 If set, uses the LDAP directory as the source of truth, deleting users or groups not returned from the sync. Otherwise, only syncs information which is not already present, and does not delete or modify anything else.
416
417 `--purge` `<boolean>` ::
418
419 Remove ACLs for users or groups which were removed from the config during a sync.
420
421 `--scope` `<both | groups | users>` ::
422
423 Select what to sync.
424
425 *pveum role add* `<roleid>` `[OPTIONS]`
426
427 Create new role.
428
429 `<roleid>`: `<string>` ::
430
431 no description available
432
433 `--privs` `<string>` ::
434
435 no description available
436
437 *pveum role delete* `<roleid>`
438
439 Delete role.
440
441 `<roleid>`: `<string>` ::
442
443 no description available
444
445 *pveum role list* `[FORMAT_OPTIONS]`
446
447 Role index.
448
449 *pveum role modify* `<roleid>` `[OPTIONS]`
450
451 Update an existing role.
452
453 `<roleid>`: `<string>` ::
454
455 no description available
456
457 `--append` `<boolean>` ::
458
459 no description available
460 +
461 NOTE: Requires option(s): `privs`
462
463 `--privs` `<string>` ::
464
465 no description available
466
467 *pveum roleadd*
468
469 An alias for 'pveum role add'.
470
471 *pveum roledel*
472
473 An alias for 'pveum role delete'.
474
475 *pveum rolemod*
476
477 An alias for 'pveum role modify'.
478
479 *pveum ticket* `<username>` `[OPTIONS]`
480
481 Create or verify authentication ticket.
482
483 `<username>`: `<string>` ::
484
485 User name
486
487 `--otp` `<string>` ::
488
489 One-time password for Two-factor authentication.
490
491 `--path` `<string>` ::
492
493 Verify ticket, and check if the user has access 'privs' on 'path'
494 +
495 NOTE: Requires option(s): `privs`
496
497 `--privs` `<string>` ::
498
499 Verify ticket, and check if the user has access 'privs' on 'path'
500 +
501 NOTE: Requires option(s): `path`
502
503 `--realm` `<string>` ::
504
505 You can optionally pass the realm using this parameter. Normally the realm is simply appended to the username: <username>@<realm>.
506
507 *pveum user add* `<userid>` `[OPTIONS]`
508
509 Create new user.
510
511 `<userid>`: `<string>` ::
512
513 User ID
514
515 `--comment` `<string>` ::
516
517 no description available
518
519 `--email` `<string>` ::
520
521 no description available
522
523 `--enable` `<boolean>` ('default =' `1`)::
524
525 Enable the account (default). You can set this to '0' to disable the account
526
527 `--expire` `<integer> (0 - N)` ::
528
529 Account expiration date (seconds since epoch). '0' means no expiration date.
530
531 `--firstname` `<string>` ::
532
533 no description available
534
535 `--groups` `<string>` ::
536
537 no description available
538
539 `--keys` `<string>` ::
540
541 Keys for two factor auth (yubico).
542
543 `--lastname` `<string>` ::
544
545 no description available
546
547 `--password` `<string>` ::
548
549 Initial password.
550
551 *pveum user delete* `<userid>`
552
553 Delete user.
554
555 `<userid>`: `<string>` ::
556
557 User ID
558
559 *pveum user list* `[OPTIONS]` `[FORMAT_OPTIONS]`
560
561 User index.
562
563 `--enabled` `<boolean>` ::
564
565 Optional filter for enable property.
566
567 `--full` `<boolean>` ('default =' `0`)::
568
569 Include group and token information.
570
571 *pveum user modify* `<userid>` `[OPTIONS]`
572
573 Update user configuration.
574
575 `<userid>`: `<string>` ::
576
577 User ID
578
579 `--append` `<boolean>` ::
580
581 no description available
582 +
583 NOTE: Requires option(s): `groups`
584
585 `--comment` `<string>` ::
586
587 no description available
588
589 `--email` `<string>` ::
590
591 no description available
592
593 `--enable` `<boolean>` ('default =' `1`)::
594
595 Enable the account (default). You can set this to '0' to disable the account
596
597 `--expire` `<integer> (0 - N)` ::
598
599 Account expiration date (seconds since epoch). '0' means no expiration date.
600
601 `--firstname` `<string>` ::
602
603 no description available
604
605 `--groups` `<string>` ::
606
607 no description available
608
609 `--keys` `<string>` ::
610
611 Keys for two factor auth (yubico).
612
613 `--lastname` `<string>` ::
614
615 no description available
616
617 *pveum user permissions* `[<userid>]` `[OPTIONS]` `[FORMAT_OPTIONS]`
618
619 Retrieve effective permissions of given user/token.
620
621 `<userid>`: `(?^:^(?^:[^\s:/]+)\@(?^:[A-Za-z][A-Za-z0-9\.\-_]+)(?:!(?^:[A-Za-z][A-Za-z0-9\.\-_]+))?$)` ::
622
623 User ID or full API token ID
624
625 `--path` `<string>` ::
626
627 Only dump this specific path, not the whole tree.
628
629 *pveum user tfa delete* `<userid>` `[OPTIONS]`
630
631 Change user u2f authentication.
632
633 `<userid>`: `<string>` ::
634
635 User ID
636
637 `--config` `type=<TFATYPE> [,digits=<COUNT>] [,id=<ID>] [,key=<KEY>] [,step=<SECONDS>] [,url=<URL>]` ::
638
639 A TFA configuration. This must currently be of type TOTP or not set at all.
640
641 `--key` `<string>` ::
642
643 When adding TOTP, the shared secret value.
644
645 `--password` `<string>` ::
646
647 The current password.
648
649 `--response` `<string>` ::
650
651 Either the response to the current u2f registration challenge, or, when adding TOTP, the currently valid TOTP value.
652
653 *pveum user token add* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
654
655 Generate a new API token for a specific user. NOTE: returns API token
656 value, which needs to be stored as it cannot be retrieved afterwards!
657
658 `<userid>`: `<string>` ::
659
660 User ID
661
662 `<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
663
664 User-specific token identifier.
665
666 `--comment` `<string>` ::
667
668 no description available
669
670 `--expire` `<integer> (0 - N)` ('default =' `same as user`)::
671
672 API token expiration date (seconds since epoch). '0' means no expiration date.
673
674 `--privsep` `<boolean>` ('default =' `1`)::
675
676 Restrict API token privileges with separate ACLs (default), or give the token the full privileges of the corresponding user.
677
678 *pveum user token list* `<userid>` `[FORMAT_OPTIONS]`
679
680 Get user API tokens.
681
682 `<userid>`: `<string>` ::
683
684 User ID
685
686 *pveum user token modify* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
687
688 Update API token for a specific user.
689
690 `<userid>`: `<string>` ::
691
692 User ID
693
694 `<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
695
696 User-specific token identifier.
697
698 `--comment` `<string>` ::
699
700 no description available
701
702 `--expire` `<integer> (0 - N)` ('default =' `same as user`)::
703
704 API token expiration date (seconds since epoch). '0' means no expiration date.
705
706 `--privsep` `<boolean>` ('default =' `1`)::
707
708 Restrict API token privileges with separate ACLs (default), or give the token the full privileges of the corresponding user.
709
710 *pveum user token permissions* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
711
712 Retrieve effective permissions of given token.
713
714 `<userid>`: `<string>` ::
715
716 User ID
717
718 `<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
719
720 User-specific token identifier.
721
722 `--path` `<string>` ::
723
724 Only dump this specific path, not the whole tree.
725
726 *pveum user token remove* `<userid> <tokenid>` `[FORMAT_OPTIONS]`
727
728 Remove API token for a specific user.
729
730 `<userid>`: `<string>` ::
731
732 User ID
733
734 `<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
735
736 User-specific token identifier.
737
738 *pveum useradd*
739
740 An alias for 'pveum user add'.
741
742 *pveum userdel*
743
744 An alias for 'pveum user delete'.
745
746 *pveum usermod*
747
748 An alias for 'pveum user modify'.
749
750