*pveum* `<COMMAND> [ARGS] [OPTIONS]`
*pveum acl delete* `<path> --roles <string>` `[OPTIONS]`
Update Access Control List (add or remove permissions).
`<path>`: `<string>` ::
`--groups` `<string>` ::
`--propagate` `<boolean>` ('default =' `1`)::
Allow to propagate (inherit) permissions.
`--roles` `<string>` ::
`--tokens` `<string>` ::
`--users` `<string>` ::
*pveum acl list* `[FORMAT_OPTIONS]`
Get Access Control List (ACLs).
*pveum acl modify* `<path> --roles <string>` `[OPTIONS]`
Update Access Control List (add or remove permissions).
`<path>`: `<string>` ::
`--groups` `<string>` ::
`--propagate` `<boolean>` ('default =' `1`)::
Allow to propagate (inherit) permissions.
`--roles` `<string>` ::
`--tokens` `<string>` ::
`--users` `<string>` ::
An alias for 'pveum acl delete'.
An alias for 'pveum acl modify'.
*pveum group add* `<groupid>` `[OPTIONS]`
`<groupid>`: `<string>` ::
no description available
`--comment` `<string>` ::
no description available
*pveum group delete* `<groupid>`
`<groupid>`: `<string>` ::
no description available
*pveum group list* `[FORMAT_OPTIONS]`
*pveum group modify* `<groupid>` `[OPTIONS]`
`<groupid>`: `<string>` ::
no description available
`--comment` `<string>` ::
no description available
An alias for 'pveum group add'.
An alias for 'pveum group delete'.
An alias for 'pveum group modify'.
*pveum help* `[OPTIONS]`
Get help about specified command.
`--extra-args` `<array>` ::
Shows help for a specific command
`--verbose` `<boolean>` ::
Verbose output format.
*pveum passwd* `<userid>`
Change user password.
`<userid>`: `<string>` ::
*pveum realm add* `<realm> --type <string>` `[OPTIONS]`
Add an authentication server.
`<realm>`: `<string>` ::
Authentication domain ID
`--base_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
LDAP base domain name
`--bind_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
LDAP bind domain name
`--capath` `<string>` ('default =' `/etc/ssl/certs`)::
Path to the CA certificate store
`--case-sensitive` `<boolean>` ('default =' `1`)::
username is case-sensitive
`--cert` `<string>` ::
Path to the client certificate
`--certkey` `<string>` ::
Path to the client certificate key
`--comment` `<string>` ::
`--default` `<boolean>` ::
Use this as default realm
`--filter` `<string>` ::
LDAP filter for user sync.
`--group_classes` `<string>` ('default =' `groupOfNames, group, univentionGroup, ipausergroup`)::
The objectclasses for groups.
`--group_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
LDAP base domain name for group sync. If not set, the base_dn will be used.
`--group_filter` `<string>` ::
LDAP filter for group sync.
`--group_name_attr` `<string>` ::
LDAP attribute representing a group's name. If not set or found, the first value of the DN will be used as name.
`--mode` `<ldap | ldap+starttls | ldaps>` ('default =' `ldap`)::
`--password` `<string>` ::
LDAP bind password. Will be stored in '/etc/pve/priv/realm/<REALM>.pw'.
`--port` `<integer> (1 - 65535)` ::
`--secure` `<boolean>` ::
Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.
`--server1` `<string>` ::
Server IP address (or DNS name)
`--server2` `<string>` ::
Fallback Server IP address (or DNS name)
`--sslversion` `<tlsv1 | tlsv1_1 | tlsv1_2 | tlsv1_3>` ::
LDAPS TLS/SSL version. It's not recommended to use a version older than 1.2!
`--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,scope=<users|groups|both>]` ::
The default options for behavior of synchronizations.
`--sync_attributes` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
Comma-separated list of key=value pairs for specifying which LDAP attributes map to which PVE user field. For example, to map the LDAP attribute 'mail' to PVE's 'email', write 'email=mail'. By default, each PVE user field is represented by an LDAP attribute of the same name.
`--tfa` `type=<TFATYPE> [,digits=<COUNT>] [,id=<ID>] [,key=<KEY>] [,step=<SECONDS>] [,url=<URL>]` ::
Use Two-factor authentication.
`--type` `<ad | ldap | pam | pve>` ::
`--user_attr` `\S{2,}` ::
LDAP user attribute name
`--user_classes` `<string>` ('default =' `inetorgperson, posixaccount, person, user`)::
The objectclasses for users.
`--verify` `<boolean>` ('default =' `0`)::
Verify the server's SSL certificate
*pveum realm delete* `<realm>`
Delete an authentication server.
`<realm>`: `<string>` ::
Authentication domain ID
*pveum realm list* `[FORMAT_OPTIONS]`
Authentication domain index.
*pveum realm modify* `<realm>` `[OPTIONS]`
Update authentication server settings.
`<realm>`: `<string>` ::
Authentication domain ID
`--base_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
LDAP base domain name
`--bind_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
LDAP bind domain name
`--capath` `<string>` ('default =' `/etc/ssl/certs`)::
Path to the CA certificate store
`--case-sensitive` `<boolean>` ('default =' `1`)::
username is case-sensitive
`--cert` `<string>` ::
Path to the client certificate
`--certkey` `<string>` ::
Path to the client certificate key
`--comment` `<string>` ::
`--default` `<boolean>` ::
Use this as default realm
`--delete` `<string>` ::
A list of settings you want to delete.
`--digest` `<string>` ::
Prevent changes if current configuration file has different SHA1 digest. This can be used to prevent concurrent modifications.
`--filter` `<string>` ::
LDAP filter for user sync.
`--group_classes` `<string>` ('default =' `groupOfNames, group, univentionGroup, ipausergroup`)::
The objectclasses for groups.
`--group_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
LDAP base domain name for group sync. If not set, the base_dn will be used.
`--group_filter` `<string>` ::
LDAP filter for group sync.
`--group_name_attr` `<string>` ::
LDAP attribute representing a group's name. If not set or found, the first value of the DN will be used as name.
`--mode` `<ldap | ldap+starttls | ldaps>` ('default =' `ldap`)::
`--password` `<string>` ::
LDAP bind password. Will be stored in '/etc/pve/priv/realm/<REALM>.pw'.
`--port` `<integer> (1 - 65535)` ::
`--secure` `<boolean>` ::
Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.
`--server1` `<string>` ::
Server IP address (or DNS name)
`--server2` `<string>` ::
Fallback Server IP address (or DNS name)
`--sslversion` `<tlsv1 | tlsv1_1 | tlsv1_2 | tlsv1_3>` ::
LDAPS TLS/SSL version. It's not recommended to use a version older than 1.2!
`--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,scope=<users|groups|both>]` ::
The default options for behavior of synchronizations.
`--sync_attributes` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
Comma-separated list of key=value pairs for specifying which LDAP attributes map to which PVE user field. For example, to map the LDAP attribute 'mail' to PVE's 'email', write 'email=mail'. By default, each PVE user field is represented by an LDAP attribute of the same name.
`--tfa` `type=<TFATYPE> [,digits=<COUNT>] [,id=<ID>] [,key=<KEY>] [,step=<SECONDS>] [,url=<URL>]` ::
Use Two-factor authentication.
`--user_attr` `\S{2,}` ::
LDAP user attribute name
`--user_classes` `<string>` ('default =' `inetorgperson, posixaccount, person, user`)::
The objectclasses for users.
`--verify` `<boolean>` ('default =' `0`)::
Verify the server's SSL certificate
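
The documented defaults for an LDAP or AD realm are `mode=ldap` and `verify=0`, so a realm created with no transport options talks to the directory unencrypted and unauthenticated. The following added example (not part of the pveum documentation or of Proxmox code) audits a realm's options for those weak settings; the sample realms, host names and finding texts are constructed, and it assumes that `mode`, when set, takes precedence over the deprecated `secure` flag.

```python
# Added example: audit realm options for weak LDAP transport settings.
# Option names and defaults come from the reference above; the sample
# realms below are constructed for illustration.

DEFAULTS = {"mode": "ldap", "verify": 0}   # defaults documented above
OLD_TLS = {"tlsv1", "tlsv1_1"}             # versions older than 1.2


def audit_realm(opts):
    """Return a list of findings for one realm's options (a dict)."""
    if opts.get("type") not in ("ad", "ldap"):
        return []                          # pam/pve realms use no LDAP transport
    findings = []
    mode = opts.get("mode")
    if "secure" in opts:
        findings.append("deprecated 'secure' option set: use 'mode' instead")
        if mode is None:                   # assumption: 'mode' wins when both are set
            mode = "ldaps" if int(opts["secure"]) else "ldap"
    mode = mode or DEFAULTS["mode"]
    if mode == "ldap":
        findings.append("mode=ldap: credentials and directory data are sent unencrypted")
        return findings
    if not int(opts.get("verify", DEFAULTS["verify"])):
        findings.append(f"mode={mode} with verify=0: server certificate is not checked")
    if opts.get("sslversion") in OLD_TLS:
        findings.append(f"sslversion={opts['sslversion']}: older than TLS 1.2")
    return findings


# Constructed sample realms (not real configuration).
REALMS = {
    "corp-old": {"type": "ldap", "server1": "ldap.example.test",
                 "secure": 1, "sslversion": "tlsv1_1"},
    "corp-default": {"type": "ad", "server1": "dc.example.test"},
    "corp-ok": {"type": "ldap", "server1": "ldap.example.test",
                "mode": "ldaps", "verify": 1, "sslversion": "tlsv1_2"},
    "pve": {"type": "pve"},
}

if __name__ == "__main__":
    for name, opts in REALMS.items():
        for finding in audit_realm(opts) or ["ok"]:
            print(f"{name}: {finding}")
```
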
*pveum realm sync* `<realm>` `[OPTIONS]`
Syncs users and/or groups from the configured LDAP to user.cfg. NOTE:
Synced groups will have the name 'name-$realm', so make sure those groups
do not exist to prevent overwriting.
`<realm>`: `<string>` ::
Authentication domain ID
`--dry-run` `<boolean>` ('default =' `0`)::
If set, does not write anything.
`--enable-new` `<boolean>` ('default =' `1`)::
Enable newly synced users immediately.
`--full` `<boolean>` ::
If set, uses the LDAP Directory as source of truth, deleting users or groups not returned from the sync. Otherwise only syncs information which is not already present, and does not delete or modify anything else.
`--purge` `<boolean>` ::
Remove ACLs for users or groups which were removed from the config during a sync.
`--scope` `<both | groups | users>` ::
*pveum role add* `<roleid>` `[OPTIONS]`
`<roleid>`: `<string>` ::
no description available
`--privs` `<string>` ::
no description available
*pveum role delete* `<roleid>`
`<roleid>`: `<string>` ::
no description available
*pveum role list* `[FORMAT_OPTIONS]`
*pveum role modify* `<roleid>` `[OPTIONS]`
Update an existing role.
`<roleid>`: `<string>` ::
no description available
`--append` `<boolean>` ::
no description available
NOTE: Requires option(s): `privs`
`--privs` `<string>` ::
no description available
An alias for 'pveum role add'.
An alias for 'pveum role delete'.
An alias for 'pveum role modify'.
*pveum ticket* `<username>` `[OPTIONS]`
Create or verify authentication ticket.
`<username>`: `<string>` ::
`--otp` `<string>` ::
One-time password for Two-factor authentication.
`--path` `<string>` ::
Verify ticket, and check if the user has access 'privs' on 'path'
NOTE: Requires option(s): `privs`
`--privs` `<string>` ::
Verify ticket, and check if the user has access 'privs' on 'path'
NOTE: Requires option(s): `path`
`--realm` `<string>` ::
You can optionally pass the realm using this parameter. Normally the realm is simply added to the username <username>@<realm>.
*pveum user add* `<userid>` `[OPTIONS]`
`<userid>`: `<string>` ::
`--comment` `<string>` ::
no description available
`--email` `<string>` ::
no description available
`--enable` `<boolean>` ('default =' `1`)::
Enable the account (default). You can set this to '0' to disable the account
`--expire` `<integer> (0 - N)` ::
Account expiration date (seconds since epoch). '0' means no expiration date.
`--firstname` `<string>` ::
no description available
`--groups` `<string>` ::
no description available
`--keys` `<string>` ::
Keys for two factor auth (yubico).
`--lastname` `<string>` ::
no description available
`--password` `<string>` ::
*pveum user delete* `<userid>`
`<userid>`: `<string>` ::
*pveum user list* `[OPTIONS]` `[FORMAT_OPTIONS]`
`--enabled` `<boolean>` ::
Optional filter for enable property.
`--full` `<boolean>` ('default =' `0`)::
Include group and token information.
*pveum user modify* `<userid>` `[OPTIONS]`
Update user configuration.
`<userid>`: `<string>` ::
`--append` `<boolean>` ::
no description available
NOTE: Requires option(s): `groups`
`--comment` `<string>` ::
no description available
`--email` `<string>` ::
no description available
`--enable` `<boolean>` ('default =' `1`)::
Enable the account (default). You can set this to '0' to disable the account
`--expire` `<integer> (0 - N)` ::
Account expiration date (seconds since epoch). '0' means no expiration date.
`--firstname` `<string>` ::
no description available
`--groups` `<string>` ::
no description available
`--keys` `<string>` ::
Keys for two factor auth (yubico).
`--lastname` `<string>` ::
no description available
*pveum user permissions* `[<userid>]` `[OPTIONS]` `[FORMAT_OPTIONS]`
Retrieve effective permissions of given user/token.
`<userid>`: `(?^:^(?^:[^\s:/]+)\@(?^:[A-Za-z][A-Za-z0-9\.\-_]+)(?:!(?^:[A-Za-z][A-Za-z0-9\.\-_]+))?$)` ::
User ID or full API token ID
`--path` `<string>` ::
Only dump this specific path, not the whole tree.
*pveum user tfa delete* `<userid>` `[OPTIONS]`
Change user u2f authentication.
`<userid>`: `<string>` ::
`--config` `type=<TFATYPE> [,digits=<COUNT>] [,id=<ID>] [,key=<KEY>] [,step=<SECONDS>] [,url=<URL>]` ::
A TFA configuration. This must currently be of type TOTP or not set at all.
`--key` `<string>` ::
When adding TOTP, the shared secret value.
`--password` `<string>` ::
The current password.
`--response` `<string>` ::
Either the response to the current u2f registration challenge, or, when adding TOTP, the currently valid TOTP value.
*pveum user token add* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
Generate a new API token for a specific user. NOTE: returns API token
value, which needs to be stored as it cannot be retrieved afterwards!
`<userid>`: `<string>` ::
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
User-specific token identifier.
`--comment` `<string>` ::
no description available
`--expire` `<integer> (0 - N)` ('default =' `same as user`)::
API token expiration date (seconds since epoch). '0' means no expiration date.
`--privsep` `<boolean>` ('default =' `1`)::
Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.
*pveum user token list* `<userid>` `[FORMAT_OPTIONS]`
`<userid>`: `<string>` ::
*pveum user token modify* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
Update API token for a specific user.
`<userid>`: `<string>` ::
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
User-specific token identifier.
`--comment` `<string>` ::
no description available
`--expire` `<integer> (0 - N)` ('default =' `same as user`)::
API token expiration date (seconds since epoch). '0' means no expiration date.
`--privsep` `<boolean>` ('default =' `1`)::
Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.
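
A token created with `--privsep 0` carries every privilege of its owning user, and `--expire 0` removes any time limit, so the two together produce a long-lived credential equivalent to the user account. The following added example (not part of the pveum documentation or of Proxmox code) parses a full API token ID with the pattern documented for `pveum user permissions` and flags those settings; the sample IDs and timestamps in the test values are constructed, and `user_expire` is a hypothetical parameter standing in for the owning user's `expire` value that a token inherits by default.

```python
# Added example: validate a full API token ID and flag risky token settings.
# The pattern is the documented <userid> regex rewritten for Python's re
# module; defaults (privsep=1, expire = same as user) come from the reference.
import re
import time

ID_RE = re.compile(
    r"([^\s:/]+)@([A-Za-z][A-Za-z0-9.\-_]+)(?:!([A-Za-z][A-Za-z0-9.\-_]+))?"
)


def parse_id(full_id):
    """Split 'user@realm' or 'user@realm!tokenid' into (user, realm, tokenid)."""
    m = ID_RE.fullmatch(full_id)
    if m is None:
        raise ValueError(f"not a valid user or API token ID: {full_id!r}")
    return m.groups()


def audit_token(full_id, opts, user_expire=0, now=None):
    """Return findings for one token; opts holds its 'privsep'/'expire' values."""
    user, realm, tokenid = parse_id(full_id)
    if tokenid is None:
        raise ValueError(f"{full_id!r} is a user ID, not an API token ID")
    now = time.time() if now is None else now
    findings = []
    if not int(opts.get("privsep", 1)):
        findings.append(f"privsep=0: token has the full privileges of {user}@{realm}")
    expire = int(opts.get("expire", user_expire))  # default: same as user
    if expire == 0:
        findings.append("expire=0: token has no expiration date")
    elif expire <= now:
        findings.append("token expiration date has passed")
    return findings


if __name__ == "__main__":
    # Constructed sample: an unrestricted, non-expiring token.
    for f in audit_token("root@pam!monitoring", {"privsep": 0, "expire": 0}):
        print(f)
```
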
*pveum user token permissions* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
Retrieve effective permissions of given token.
`<userid>`: `<string>` ::
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
User-specific token identifier.
`--path` `<string>` ::
Only dump this specific path, not the whole tree.
*pveum user token remove* `<userid> <tokenid>` `[FORMAT_OPTIONS]`
Remove API token for a specific user.
`<userid>`: `<string>` ::
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
User-specific token identifier.
An alias for 'pveum user add'.
An alias for 'pveum user delete'.
An alias for 'pveum user modify'.