User ID
+*pveum pool add* `<poolid>` `[OPTIONS]`
+
+Create new pool.
+
+`<poolid>`: `<string>` ::
+
+no description available
+
+`--comment` `<string>` ::
+
+no description available
+
+*pveum pool delete* `<poolid>`
+
+Delete pool.
+
+`<poolid>`: `<string>` ::
+
+no description available
+
+*pveum pool list* `[FORMAT_OPTIONS]`
+
+Pool index.
+
+*pveum pool modify* `<poolid>` `[OPTIONS]`
+
+Update pool data.
+
+`<poolid>`: `<string>` ::
+
+no description available
+
+`--comment` `<string>` ::
+
+no description available
+
+`--delete` `<boolean>` ::
+
+Remove vms/storage (instead of adding it).
+
+`--storage` `<string>` ::
+
+List of storage IDs.
+
+`--vms` `<string>` ::
+
+List of virtual machines.
+
*pveum realm add* `<realm> --type <string>` `[OPTIONS]`
Add an authentication server.
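Review bot: `<poolid>` and `--comment` are documented as "no description available" in `pool add`, `pool delete` and `pool modify`, so the synopsis says nothing about the accepted pool ID format or the purpose of the comment. If this synopsis is generated from the API schema, add a description for both parameters there and regenerate. In `pool modify`, `--storage` and `--vms` say "List of ..." without stating the separator, and the `--delete` text "Remove vms/storage (instead of adding it)." would be clearer as "Remove the listed VMs and storages from the pool instead of adding them."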
Authentication domain ID
+`--acr-values` `<string>` ::
+
+Specifies the Authentication Context Class Reference values that theAuthorization Server is being requested to use for the Auth Request.
+
+`--autocreate` `<boolean>` ('default =' `0`)::
+
+Automatically create users if they do not exist.
+
`--base_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
LDAP base domain name
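Review bot: The `--acr-values` description is missing a space in "theAuthorization Server"; it should read "the Authorization Server".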
Path to the CA certificate store
+`--case-sensitive` `<boolean>` ('default =' `1`)::
+
+username is case-sensitive
+
`--cert` `<string>` ::
Path to the client certificate
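Review bot: The `--case-sensitive` description "username is case-sensitive" starts in lower case and has no full stop, unlike the `--autocreate` text added just above it, and it does not say which realm types the flag applies to. Suggest a full sentence such as "Whether usernames are treated as case-sensitive." followed by the realm types it affects.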
Path to the client certificate key
+`--client-id` `<string>` ::
+
+OpenID Client ID
+
+`--client-key` `<string>` ::
+
+OpenID Client Key
+
`--comment` `<string>` ::
Description.
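Review bot: `--client-key` is described only as "OpenID Client Key", which does not tell the reader whether this is a credential. If it is the client secret issued by the OpenID provider, the description should say so and mention that a value passed on the command line is recorded in shell history and visible in the process list.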
LDAP attribute representing a groups name. If not set or found, the first value of the DN will be used as name.
+`--issuer-url` `<string>` ::
+
+OpenID Issuer Url
+
`--mode` `<ldap | ldap+starttls | ldaps>` ('default =' `ldap`)::
LDAP protocol mode.
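Review bot: "OpenID Issuer Url" should be "OpenID Issuer URL", matching how the other acronyms in this list (LDAP, DN, CA) are capitalised.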
Server port.
+`--prompt` `(?:none|login|consent|select_account|\S+)` ::
+
+Specifies whether the Authorization Server prompts the End-User for reauthentication and consent.
+
+`--scopes` `<string>` ('default =' `email profile`)::
+
+Specifies the scopes (user details) that should be authorized and returned, for example 'email' or 'profile'.
+
`--secure` `<boolean>` ::
Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.
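Review bot: In the `--prompt` pattern `(?:none|login|consent|select_account|\S+)`, the final `\S+` alternative already matches each of the four named values, so the pattern accepts any run of non-whitespace characters and the enumeration adds no validation. If arbitrary values are intended, the description should say so and present the four names as the standard ones; if not, drop `\S+` from the pattern.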
Use Two-factor authentication.
-`--type` `<ad | ldap | pam | pve>` ::
+`--type` `<ad | ldap | openid | pam | pve>` ::
Realm type.
The objectclasses for users.
+`--username-claim` `<string>` ::
+
+OpenID claim used to generate the unique username.
+
`--verify` `<boolean>` ('default =' `0`)::
Verify the server's SSL certificate
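Review bot: `--username-claim` does not say which claim is used when the option is omitted or which claim names are accepted. Because this value decides how an identity from the provider maps to a local username, the description should name the default and the allowed values.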
Authentication domain ID
+`--acr-values` `<string>` ::
+
+Specifies the Authentication Context Class Reference values that theAuthorization Server is being requested to use for the Auth Request.
+
+`--autocreate` `<boolean>` ('default =' `0`)::
+
+Automatically create users if they do not exist.
+
`--base_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
LDAP base domain name
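Review bot: This second copy of the option block repeats the "theAuthorization Server" typo in `--acr-values`. The `--autocreate` text also does not say which realm types honour the flag or at what point the user is created; one more sentence would help, since the option controls whether a previously unknown identity gets an account.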
Path to the CA certificate store
+`--case-sensitive` `<boolean>` ('default =' `1`)::
+
+username is case-sensitive
+
`--cert` `<string>` ::
Path to the client certificate
Path to the client certificate key
+`--client-id` `<string>` ::
+
+OpenID Client ID
+
+`--client-key` `<string>` ::
+
+OpenID Client Key
+
`--comment` `<string>` ::
Description.
LDAP attribute representing a groups name. If not set or found, the first value of the DN will be used as name.
+`--issuer-url` `<string>` ::
+
+OpenID Issuer Url
+
`--mode` `<ldap | ldap+starttls | ldaps>` ('default =' `ldap`)::
LDAP protocol mode.
Server port.
+`--prompt` `(?:none|login|consent|select_account|\S+)` ::
+
+Specifies whether the Authorization Server prompts the End-User for reauthentication and consent.
+
+`--scopes` `<string>` ('default =' `email profile`)::
+
+Specifies the scopes (user details) that should be authorized and returned, for example 'email' or 'profile'.
+
`--secure` `<boolean>` ::
Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.
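Review bot: `--scopes` shows the default `email profile`, which suggests a space-separated list, but the description never states the separator, and "for example 'email' or 'profile'" reads as if one of the two had to be chosen. Suggest stating the list format explicitly in the first sentence.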
User name
+`--new-format` `<boolean>` ('default =' `0`)::
+
+With webauthn the format of half-authenticated tickts changed. New clients should pass 1 here and not worry about the old format. The old format is deprecated and will be retired with PVE-8.0
+
`--otp` `<string>` ::
One-time password for Two-factor authentication.
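Review bot: The `--new-format` description has a typo, "tickts" for "tickets", and its last sentence lacks a full stop after "PVE-8.0". "With webauthn the format ..." would also read better as "With WebAuthn, the format ...".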
You can optionally pass the realm using this parameter. Normally the realm is simply added to the username <username>@<relam>.
+`--tfa-challenge` `<string>` ::
+
+The signed TFA challenge string the user wants to respond to.
+
*pveum user add* `<userid>` `[OPTIONS]`
Create new user.
Only dump this specific path, not the whole tree.
+*pveum user tfa delete* `<userid>` `[OPTIONS]`
+
+Delete TFA entries from a user.
+
+`<userid>`: `<string>` ::
+
+User ID
+
+`--id` `<string>` ::
+
+The TFA ID, if none provided, all TFA entries will be deleted.
+
*pveum user token add* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
Generate a new API token for a specific user. NOTE: returns API token
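Review bot: For `--id` in `pveum user tfa delete`, the fallback "if none provided, all TFA entries will be deleted" is a destructive default that appears only in the option text. The command summary "Delete TFA entries from a user." should state that omitting `--id` removes every entry. The option text is also a comma splice; suggest "The TFA ID. If none is provided, all TFA entries will be deleted."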