Verbose output format.
-*pveum passwd* `<userid>`
+*pveum passwd* `<userid>` `[OPTIONS]`
Change user password.
`<userid>`: `<string>` ::
-User ID
+Full User ID, in the `name@realm` format.
+
+`--confirmation-password` `<string>` ::
+
+The current password of the user performing the change.
*pveum pool add* `<poolid>` `[OPTIONS]`
no description available
-*pveum pool list* `[FORMAT_OPTIONS]`
+*pveum pool list* `[OPTIONS]` `[FORMAT_OPTIONS]`
-Pool index.
+List pools or get pool configuration.
+
+`--poolid` `<string>` ::
+
+no description available
+
+`--type` `<lxc | qemu | storage>` ::
+
+no description available
++
+NOTE: Requires option(s): `poolid`
*pveum pool modify* `<poolid>` `[OPTIONS]`
-Update pool data.
+Update pool.
`<poolid>`: `<string>` ::
no description available
+`--allow-move` `<boolean>` ('default =' `0`)::
+
+Allow adding a guest even if already in another pool. The guest will be removed from its current pool and added to this one.
+
`--comment` `<string>` ::
no description available
-`--delete` `<boolean>` ::
+`--delete` `<boolean>` ('default =' `0`)::
-Remove vms/storage (instead of adding it).
+Remove the passed VMIDs and/or storage IDs instead of adding them.
`--storage` `<string>` ::
-List of storage IDs.
+List of storage IDs to add or remove from this pool.
`--vms` `<string>` ::
-List of virtual machines.
+List of guest VMIDs to add or remove from this pool.
*pveum realm add* `<realm> --type <string>` `[OPTIONS]`
Authentication domain ID
-`--acr-values` `<string>` ::
+`--acr-values` `^[^\x00-\x1F\x7F <>#"]*$` ::
Specifies the Authentication Context Class Reference values that theAuthorization Server is being requested to use for the Auth Request.
Automatically create users if they do not exist.
-`--base_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
+`--base_dn` `<string>` ::
LDAP base domain name
-`--bind_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
+`--bind_dn` `<string>` ::
LDAP bind domain name
Path to the client certificate key
+`--check-connection` `<boolean>` ('default =' `0`)::
+
+Check bind connection to the server.
+
`--client-id` `<string>` ::
OpenID Client ID
The objectclasses for groups.
-`--group_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
+`--group_dn` `<string>` ::
LDAP base domain name for group sync. If not set, the base_dn will be used.
LDAPS TLS/SSL version. It's not recommended to use version older than 1.2!
-`--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,remove-vanished=[acl];[properties];[entry]] [,scope=<users|groups|both>]` ::
+`--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,remove-vanished=([acl];[properties];[entry])|none] [,scope=<users|groups|both>]` ::
The default options for behavior of synchronizations.
Authentication domain ID
-`--acr-values` `<string>` ::
+`--acr-values` `^[^\x00-\x1F\x7F <>#"]*$` ::
Specifies the Authentication Context Class Reference values that theAuthorization Server is being requested to use for the Auth Request.
Automatically create users if they do not exist.
-`--base_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
+`--base_dn` `<string>` ::
LDAP base domain name
-`--bind_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
+`--bind_dn` `<string>` ::
LDAP bind domain name
Path to the client certificate key
+`--check-connection` `<boolean>` ('default =' `0`)::
+
+Check bind connection to the server.
+
`--client-id` `<string>` ::
OpenID Client ID
`--digest` `<string>` ::
-Prevent changes if current configuration file has different SHA1 digest. This can be used to prevent concurrent modifications.
+Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
`--domain` `\S+` ::
The objectclasses for groups.
-`--group_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
+`--group_dn` `<string>` ::
LDAP base domain name for group sync. If not set, the base_dn will be used.
LDAPS TLS/SSL version. It's not recommended to use version older than 1.2!
-`--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,remove-vanished=[acl];[properties];[entry]] [,scope=<users|groups|both>]` ::
+`--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,remove-vanished=([acl];[properties];[entry])|none] [,scope=<users|groups|both>]` ::
The default options for behavior of synchronizations.
DEPRECATED: use 'remove-vanished' instead. Remove ACLs for users or groups which were removed from the config during a sync.
-`--remove-vanished` `[acl];[properties];[entry]` ::
+`--remove-vanished` `([acl];[properties];[entry])|none` ('default =' `none`)::
-A semicolon-seperated list of things to remove when they or the user vanishes during a sync. The following values are possible: 'entry' removes the user/group when not returned from the sync. 'properties' removes the set properties on existing user/group that do not appear in the source (even custom ones). 'acl' removes acls when the user/group is not returned from the sync.
+A semicolon-seperated list of things to remove when they or the user vanishes during a sync. The following values are possible: 'entry' removes the user/group when not returned from the sync. 'properties' removes the set properties on existing user/group that do not appear in the source (even custom ones). 'acl' removes acls when the user/group is not returned from the sync. Instead of a list it also can be 'none' (the default).
`--scope` `<both | groups | users>` ::
User name
-`--new-format` `<boolean>` ('default =' `0`)::
+`--new-format` `<boolean>` ('default =' `1`)::
-With webauthn the format of half-authenticated tickts changed. New clients should pass 1 here and not worry about the old format. The old format is deprecated and will be retired with PVE-8.0
+This parameter is now ignored and assumed to be 1.
`--otp` `<string>` ::
`<userid>`: `<string>` ::
-User ID
+Full User ID, in the `name@realm` format.
`--comment` `<string>` ::
no description available
-`--keys` `<string>` ::
+`--keys` `[0-9a-zA-Z!=]{0,4096}` ::
Keys for two factor auth (yubico).
`<userid>`: `<string>` ::
-User ID
+Full User ID, in the `name@realm` format.
*pveum user list* `[OPTIONS]` `[FORMAT_OPTIONS]`
`<userid>`: `<string>` ::
-User ID
+Full User ID, in the `name@realm` format.
`--append` `<boolean>` ::
no description available
-`--keys` `<string>` ::
+`--keys` `[0-9a-zA-Z!=]{0,4096}` ::
Keys for two factor auth (yubico).
`<userid>`: `<string>` ::
-User ID
+Full User ID, in the `name@realm` format.
`--id` `<string>` ::
The TFA ID, if none provided, all TFA entries will be deleted.
+*pveum user tfa list* `[<userid>]`
+
+List TFA entries.
+
+`<userid>`: `<string>` ::
+
+Full User ID, in the `name@realm` format.
+
+*pveum user tfa unlock* `<userid>`
+
+Unlock a user's TFA authentication.
+
+`<userid>`: `<string>` ::
+
+Full User ID, in the `name@realm` format.
+
*pveum user token add* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
Generate a new API token for a specific user. NOTE: returns API token
`<userid>`: `<string>` ::
-User ID
+Full User ID, in the `name@realm` format.
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
`<userid>`: `<string>` ::
-User ID
+Full User ID, in the `name@realm` format.
*pveum user token modify* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
`<userid>`: `<string>` ::
-User ID
+Full User ID, in the `name@realm` format.
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
`<userid>`: `<string>` ::
-User ID
+Full User ID, in the `name@realm` format.
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
`<userid>`: `<string>` ::
-User ID
+Full User ID, in the `name@realm` format.
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::