*pveum* `<COMMAND> [ARGS] [OPTIONS]`

*pveum acl delete* `<path> --roles <string>` `[OPTIONS]`
Update Access Control List (add or remove permissions).
`<path>`: `<string>` ::
`--groups` `<string>` ::
`--propagate` `<boolean>` ('default =' `1`)::
Allow to propagate (inherit) permissions.
`--roles` `<string>` ::
`--tokens` `<string>` ::
`--users` `<string>` ::

*pveum acl list* `[FORMAT_OPTIONS]`
Get Access Control List (ACLs).

*pveum acl modify* `<path> --roles <string>` `[OPTIONS]`
Update Access Control List (add or remove permissions).
`<path>`: `<string>` ::
`--groups` `<string>` ::
`--propagate` `<boolean>` ('default =' `1`)::
Allow to propagate (inherit) permissions.
`--roles` `<string>` ::
`--tokens` `<string>` ::
`--users` `<string>` ::

An alias for 'pveum acl delete'.

An alias for 'pveum acl modify'.

*pveum group add* `<groupid>` `[OPTIONS]`
`<groupid>`: `<string>` ::
no description available
`--comment` `<string>` ::
no description available

*pveum group delete* `<groupid>`
`<groupid>`: `<string>` ::
no description available

*pveum group list* `[FORMAT_OPTIONS]`

*pveum group modify* `<groupid>` `[OPTIONS]`
`<groupid>`: `<string>` ::
no description available
`--comment` `<string>` ::
no description available

An alias for 'pveum group add'.

An alias for 'pveum group delete'.

An alias for 'pveum group modify'.

*pveum help* `[OPTIONS]`
Get help about specified command.
`--extra-args` `<array>` ::
Shows help for a specific command
`--verbose` `<boolean>` ::
Verbose output format.

*pveum passwd* `<userid>` `[OPTIONS]`
Change user password.
`<userid>`: `<string>` ::
Full User ID, in the `name@realm` format.
`--confirmation-password` `<string>` ::
The current password of the user performing the change.

*pveum pool add* `<poolid>` `[OPTIONS]`
`<poolid>`: `<string>` ::
no description available
`--comment` `<string>` ::
no description available

*pveum pool delete* `<poolid>`
`<poolid>`: `<string>` ::
no description available

*pveum pool list* `[OPTIONS]` `[FORMAT_OPTIONS]`
List pools or get pool configuration.
`--poolid` `<string>` ::
no description available
`--type` `<lxc | qemu | storage>` ::
no description available
NOTE: Requires option(s): `poolid`

*pveum pool modify* `<poolid>` `[OPTIONS]`
`<poolid>`: `<string>` ::
no description available
`--allow-move` `<boolean>` ('default =' `0`)::
Allow adding a guest even if already in another pool. The guest will be removed from its current pool and added to this one.
`--comment` `<string>` ::
no description available
`--delete` `<boolean>` ('default =' `0`)::
Remove the passed VMIDs and/or storage IDs instead of adding them.
`--storage` `<string>` ::
List of storage IDs to add or remove from this pool.
`--vms` `<string>` ::
List of guest VMIDs to add or remove from this pool.

*pveum realm add* `<realm> --type <string>` `[OPTIONS]`
Add an authentication server.
`<realm>`: `<string>` ::
Authentication domain ID
`--acr-values` `^[^\x00-\x1F\x7F <>#"]*$` ::
Specifies the Authentication Context Class Reference values that the Authorization Server is being requested to use for the Auth Request.
`--autocreate` `<boolean>` ('default =' `0`)::
Automatically create users if they do not exist.
`--base_dn` `<string>` ::
LDAP base domain name
`--bind_dn` `<string>` ::
LDAP bind domain name
`--capath` `<string>` ('default =' `/etc/ssl/certs`)::
Path to the CA certificate store
`--case-sensitive` `<boolean>` ('default =' `1`)::
username is case-sensitive
`--cert` `<string>` ::
Path to the client certificate
`--certkey` `<string>` ::
Path to the client certificate key
`--check-connection` `<boolean>` ('default =' `0`)::
Check bind connection to the server.
`--client-id` `<string>` ::
`--client-key` `<string>` ::
`--comment` `<string>` ::
`--default` `<boolean>` ::
Use this as default realm
`--filter` `<string>` ::
LDAP filter for user sync.
`--group_classes` `<string>` ('default =' `groupOfNames, group, univentionGroup, ipausergroup`)::
The objectclasses for groups.
`--group_dn` `<string>` ::
LDAP base domain name for group sync. If not set, the base_dn will be used.
`--group_filter` `<string>` ::
LDAP filter for group sync.
`--group_name_attr` `<string>` ::
LDAP attribute representing a group's name. If not set or found, the first value of the DN will be used as name.
`--issuer-url` `<string>` ::
`--mode` `<ldap | ldap+starttls | ldaps>` ('default =' `ldap`)::
`--password` `<string>` ::
LDAP bind password. Will be stored in '/etc/pve/priv/realm/<REALM>.pw'.
`--port` `<integer> (1 - 65535)` ::
`--prompt` `(?:none|login|consent|select_account|\S+)` ::
Specifies whether the Authorization Server prompts the End-User for reauthentication and consent.
`--scopes` `<string>` ('default =' `email profile`)::
Specifies the scopes (user details) that should be authorized and returned, for example 'email' or 'profile'.
`--secure` `<boolean>` ::
Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.
`--server1` `<string>` ::
Server IP address (or DNS name)
`--server2` `<string>` ::
Fallback Server IP address (or DNS name)
`--sslversion` `<tlsv1 | tlsv1_1 | tlsv1_2 | tlsv1_3>` ::
LDAPS TLS/SSL version. It's not recommended to use a version older than 1.2!
`--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,remove-vanished=([acl];[properties];[entry])|none] [,scope=<users|groups|both>]` ::
The default options for behavior of synchronizations.
`--sync_attributes` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
Comma-separated list of key=value pairs for specifying which LDAP attributes map to which PVE user field. For example, to map the LDAP attribute 'mail' to PVE's 'email', write 'email=mail'. By default, each PVE user field is represented by an LDAP attribute of the same name.
`--tfa` `type=<TFATYPE> [,digits=<COUNT>] [,id=<ID>] [,key=<KEY>] [,step=<SECONDS>] [,url=<URL>]` ::
Use Two-factor authentication.
`--type` `<ad | ldap | openid | pam | pve>` ::
`--user_attr` `\S{2,}` ::
LDAP user attribute name
`--user_classes` `<string>` ('default =' `inetorgperson, posixaccount, person, user`)::
The objectclasses for users.
`--username-claim` `<string>` ::
OpenID claim used to generate the unique username.
`--verify` `<boolean>` ('default =' `0`)::
Verify the server's SSL certificate
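
With the defaults listed above (`--mode ldap`, `--verify 0`), an LDAP or AD realm binds over an unencrypted, unauthenticated connection. The following added example, which is not part of the Proxmox documentation or code, audits an option set for those weak transport settings and renders a hardened `pveum realm add` line; the finding names, the helper functions and the sample realm values are assumptions made for illustration.

```python
import shlex

# Defaults taken from the option list above: --mode ldap, --verify 0.
DEFAULTS = {"mode": "ldap", "verify": 0}
OLD_TLS = {"tlsv1", "tlsv1_1"}  # "older than 1.2" per the --sslversion note


def effective(opts):
    """Fill in the documented defaults; read deprecated --secure as LDAPS."""
    eff = {**DEFAULTS, **opts}
    if "mode" not in opts and opts.get("secure"):
        eff["mode"] = "ldaps"
    return eff


def audit_realm(opts):
    """Return finding codes (hypothetical names) for an ldap/ad realm."""
    if opts.get("type") not in ("ldap", "ad"):
        return []
    eff, findings = effective(opts), []
    if eff["mode"] == "ldap":
        findings.append("plaintext-transport")  # bind password sent unencrypted
    elif not eff["verify"]:
        findings.append("cert-not-verified")    # TLS without server authentication
    if eff.get("sslversion") in OLD_TLS:
        findings.append("old-tls-version")
    if "secure" in opts:
        findings.append("deprecated-secure")
    return findings


def harden(opts):
    """Return a copy with encrypted, verified transport and TLS >= 1.2."""
    fixed = {k: v for k, v in opts.items() if k != "secure"}
    mode = effective(opts)["mode"]
    # ldap+starttls upgrades the existing connection, so --port can stay as is.
    fixed["mode"] = "ldap+starttls" if mode == "ldap" else mode
    fixed["verify"] = 1
    if fixed.get("sslversion") in OLD_TLS:
        fixed["sslversion"] = "tlsv1_2"
    return fixed


def to_command(realm, opts):
    """Render an option dict as a shell-quoted `pveum realm add` line."""
    argv = ["pveum", "realm", "add", realm]
    for key, value in opts.items():
        argv += [f"--{key}", str(value)]
    return shlex.join(argv)


# Constructed sample: realm name, server and DNs are made up.
weak = {"type": "ldap", "server1": "ldap.example.test",
        "base_dn": "dc=example,dc=test", "user_attr": "uid",
        "sslversion": "tlsv1_1"}

if __name__ == "__main__":
    print(audit_realm(weak))
    print(to_command("corp", harden(weak)))
```

With `--verify 1` the server certificate must chain to a CA in `--capath`, so confirm the directory's issuing CA is present there before applying the hardened line.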

*pveum realm delete* `<realm>`
Delete an authentication server.
`<realm>`: `<string>` ::
Authentication domain ID

*pveum realm list* `[FORMAT_OPTIONS]`
Authentication domain index.

*pveum realm modify* `<realm>` `[OPTIONS]`
Update authentication server settings.
`<realm>`: `<string>` ::
Authentication domain ID
`--acr-values` `^[^\x00-\x1F\x7F <>#"]*$` ::
Specifies the Authentication Context Class Reference values that the Authorization Server is being requested to use for the Auth Request.
`--autocreate` `<boolean>` ('default =' `0`)::
Automatically create users if they do not exist.
`--base_dn` `<string>` ::
LDAP base domain name
`--bind_dn` `<string>` ::
LDAP bind domain name
`--capath` `<string>` ('default =' `/etc/ssl/certs`)::
Path to the CA certificate store
`--case-sensitive` `<boolean>` ('default =' `1`)::
username is case-sensitive
`--cert` `<string>` ::
Path to the client certificate
`--certkey` `<string>` ::
Path to the client certificate key
`--check-connection` `<boolean>` ('default =' `0`)::
Check bind connection to the server.
`--client-id` `<string>` ::
`--client-key` `<string>` ::
`--comment` `<string>` ::
`--default` `<boolean>` ::
Use this as default realm
`--delete` `<string>` ::
A list of settings you want to delete.
`--digest` `<string>` ::
Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
`--filter` `<string>` ::
LDAP filter for user sync.
`--group_classes` `<string>` ('default =' `groupOfNames, group, univentionGroup, ipausergroup`)::
The objectclasses for groups.
`--group_dn` `<string>` ::
LDAP base domain name for group sync. If not set, the base_dn will be used.
`--group_filter` `<string>` ::
LDAP filter for group sync.
`--group_name_attr` `<string>` ::
LDAP attribute representing a group's name. If not set or found, the first value of the DN will be used as name.
`--issuer-url` `<string>` ::
`--mode` `<ldap | ldap+starttls | ldaps>` ('default =' `ldap`)::
`--password` `<string>` ::
LDAP bind password. Will be stored in '/etc/pve/priv/realm/<REALM>.pw'.
`--port` `<integer> (1 - 65535)` ::
`--prompt` `(?:none|login|consent|select_account|\S+)` ::
Specifies whether the Authorization Server prompts the End-User for reauthentication and consent.
`--scopes` `<string>` ('default =' `email profile`)::
Specifies the scopes (user details) that should be authorized and returned, for example 'email' or 'profile'.
`--secure` `<boolean>` ::
Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.
`--server1` `<string>` ::
Server IP address (or DNS name)
`--server2` `<string>` ::
Fallback Server IP address (or DNS name)
`--sslversion` `<tlsv1 | tlsv1_1 | tlsv1_2 | tlsv1_3>` ::
LDAPS TLS/SSL version. It's not recommended to use a version older than 1.2!
`--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,remove-vanished=([acl];[properties];[entry])|none] [,scope=<users|groups|both>]` ::
The default options for behavior of synchronizations.
`--sync_attributes` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
Comma-separated list of key=value pairs for specifying which LDAP attributes map to which PVE user field. For example, to map the LDAP attribute 'mail' to PVE's 'email', write 'email=mail'. By default, each PVE user field is represented by an LDAP attribute of the same name.
`--tfa` `type=<TFATYPE> [,digits=<COUNT>] [,id=<ID>] [,key=<KEY>] [,step=<SECONDS>] [,url=<URL>]` ::
Use Two-factor authentication.
`--user_attr` `\S{2,}` ::
LDAP user attribute name
`--user_classes` `<string>` ('default =' `inetorgperson, posixaccount, person, user`)::
The objectclasses for users.
`--verify` `<boolean>` ('default =' `0`)::
Verify the server's SSL certificate

*pveum realm sync* `<realm>` `[OPTIONS]`
Syncs users and/or groups from the configured LDAP to user.cfg. NOTE:
Synced groups will have the name 'name-$realm', so make sure those groups
do not exist to prevent overwriting.
`<realm>`: `<string>` ::
Authentication domain ID
`--dry-run` `<boolean>` ('default =' `0`)::
If set, does not write anything.
`--enable-new` `<boolean>` ('default =' `1`)::
Enable newly synced users immediately.
`--full` `<boolean>` ::
DEPRECATED: use 'remove-vanished' instead. If set, uses the LDAP Directory as source of truth, deleting users or groups not returned from the sync and removing all locally modified properties of synced users. If not set, only syncs information which is present in the synced data, and does not delete or modify anything else.
`--purge` `<boolean>` ::
DEPRECATED: use 'remove-vanished' instead. Remove ACLs for users or groups which were removed from the config during a sync.
`--remove-vanished` `([acl];[properties];[entry])|none` ('default =' `none`)::
A semicolon-separated list of things to remove when they or the user vanishes during a sync. The following values are possible: 'entry' removes the user/group when not returned from the sync. 'properties' removes the set properties on existing user/group that do not appear in the source (even custom ones). 'acl' removes ACLs when the user/group is not returned from the sync. Instead of a list it also can be 'none' (the default).
`--scope` `<both | groups | users>` ::

*pveum role add* `<roleid>` `[OPTIONS]`
`<roleid>`: `<string>` ::
no description available
`--privs` `<string>` ::
no description available

*pveum role delete* `<roleid>`
`<roleid>`: `<string>` ::
no description available

*pveum role list* `[FORMAT_OPTIONS]`

*pveum role modify* `<roleid>` `[OPTIONS]`
Update an existing role.
`<roleid>`: `<string>` ::
no description available
`--append` `<boolean>` ::
no description available
NOTE: Requires option(s): `privs`
`--privs` `<string>` ::
no description available

An alias for 'pveum role add'.

An alias for 'pveum role delete'.

An alias for 'pveum role modify'.

*pveum ticket* `<username>` `[OPTIONS]`
Create or verify authentication ticket.
`<username>`: `<string>` ::
`--new-format` `<boolean>` ('default =' `1`)::
This parameter is now ignored and assumed to be 1.
`--otp` `<string>` ::
One-time password for Two-factor authentication.
`--path` `<string>` ::
Verify ticket, and check if the user has access 'privs' on 'path'
NOTE: Requires option(s): `privs`
`--privs` `<string>` ::
Verify ticket, and check if the user has access 'privs' on 'path'
NOTE: Requires option(s): `path`
`--realm` `<string>` ::
You can optionally pass the realm using this parameter. Normally the realm is simply added to the username <username>@<realm>.
`--tfa-challenge` `<string>` ::
The signed TFA challenge string the user wants to respond to.

*pveum user add* `<userid>` `[OPTIONS]`
`<userid>`: `<string>` ::
Full User ID, in the `name@realm` format.
`--comment` `<string>` ::
no description available
`--email` `<string>` ::
no description available
`--enable` `<boolean>` ('default =' `1`)::
Enable the account (default). You can set this to '0' to disable the account.
`--expire` `<integer> (0 - N)` ::
Account expiration date (seconds since epoch). '0' means no expiration date.
`--firstname` `<string>` ::
no description available
`--groups` `<string>` ::
no description available
`--keys` `[0-9a-zA-Z!=]{0,4096}` ::
Keys for two factor auth (yubico).
`--lastname` `<string>` ::
no description available
`--password` `<string>` ::

*pveum user delete* `<userid>`
`<userid>`: `<string>` ::
Full User ID, in the `name@realm` format.

*pveum user list* `[OPTIONS]` `[FORMAT_OPTIONS]`
`--enabled` `<boolean>` ::
Optional filter for enable property.
`--full` `<boolean>` ('default =' `0`)::
Include group and token information.

*pveum user modify* `<userid>` `[OPTIONS]`
Update user configuration.
`<userid>`: `<string>` ::
Full User ID, in the `name@realm` format.
`--append` `<boolean>` ::
no description available
NOTE: Requires option(s): `groups`
`--comment` `<string>` ::
no description available
`--email` `<string>` ::
no description available
`--enable` `<boolean>` ('default =' `1`)::
Enable the account (default). You can set this to '0' to disable the account.
`--expire` `<integer> (0 - N)` ::
Account expiration date (seconds since epoch). '0' means no expiration date.
`--firstname` `<string>` ::
no description available
`--groups` `<string>` ::
no description available
`--keys` `[0-9a-zA-Z!=]{0,4096}` ::
Keys for two factor auth (yubico).
`--lastname` `<string>` ::
no description available

*pveum user permissions* `[<userid>]` `[OPTIONS]` `[FORMAT_OPTIONS]`
Retrieve effective permissions of given user/token.
`<userid>`: `(?^:^(?^:[^\s:/]+)\@(?^:[A-Za-z][A-Za-z0-9\.\-_]+)(?:!(?^:[A-Za-z][A-Za-z0-9\.\-_]+))?$)` ::
User ID or full API token ID
`--path` `<string>` ::
Only dump this specific path, not the whole tree.

*pveum user tfa delete* `<userid>` `[OPTIONS]`
Delete TFA entries from a user.
`<userid>`: `<string>` ::
Full User ID, in the `name@realm` format.
The TFA ID. If none is provided, all TFA entries will be deleted.

*pveum user tfa list* `[<userid>]`
`<userid>`: `<string>` ::
Full User ID, in the `name@realm` format.

*pveum user tfa unlock* `<userid>`
Unlock a user's TFA authentication.
`<userid>`: `<string>` ::
Full User ID, in the `name@realm` format.

*pveum user token add* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
Generate a new API token for a specific user. NOTE: returns API token
value, which needs to be stored as it cannot be retrieved afterwards!
`<userid>`: `<string>` ::
Full User ID, in the `name@realm` format.
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
User-specific token identifier.
`--comment` `<string>` ::
no description available
`--expire` `<integer> (0 - N)` ('default =' `same as user`)::
API token expiration date (seconds since epoch). '0' means no expiration date.
`--privsep` `<boolean>` ('default =' `1`)::
Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.

*pveum user token list* `<userid>` `[FORMAT_OPTIONS]`
`<userid>`: `<string>` ::
Full User ID, in the `name@realm` format.

*pveum user token modify* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
Update API token for a specific user.
`<userid>`: `<string>` ::
Full User ID, in the `name@realm` format.
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
User-specific token identifier.
`--comment` `<string>` ::
no description available
`--expire` `<integer> (0 - N)` ('default =' `same as user`)::
API token expiration date (seconds since epoch). '0' means no expiration date.
`--privsep` `<boolean>` ('default =' `1`)::
Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.

*pveum user token permissions* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
Retrieve effective permissions of given token.
`<userid>`: `<string>` ::
Full User ID, in the `name@realm` format.
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
User-specific token identifier.
`--path` `<string>` ::
Only dump this specific path, not the whole tree.

*pveum user token remove* `<userid> <tokenid>` `[FORMAT_OPTIONS]`
Remove API token for a specific user.
`<userid>`: `<string>` ::
Full User ID, in the `name@realm` format.
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
User-specific token identifier.

An alias for 'pveum user add'.

An alias for 'pveum user delete'.

An alias for 'pveum user modify'.