qm: Add section explaining fs-freeze/-thaw QGA option

[pve-docs.git] / pveum.adoc

diff --git a/pveum.adoc b/pveum.adoc
index 52de14d3e2b5616800f7428ea6b20657a4baa136..147f3174f5e57d9efecde312fcb404c61de8a936 100644 (file)
--- a/pveum.adoc
+++ b/pveum.adoc
@@ -164,6 +164,7 @@ OpenID Connect is implemented as an identity layer on top of the OATH 2.0
 protocol. It allows clients to verify the identity of the user, based on
 authentication performed by an external authorization server.
 
+[[user-realms-pam]]
 Linux PAM Standard Authentication
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -175,6 +176,7 @@ authentication with logins from the realm and to set the realm as the default
 authentication realm.
 
 
+[[user-realms-pve]]
 {pve} Authentication Server
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -188,6 +190,7 @@ through {pve}, rather than authenticating against another system. Hence, you are
 required to set a password for this type of user upon creation.
 
 
+[[user-realms-ldap]]
 LDAP
 ~~~~
 
@@ -252,6 +255,7 @@ you must also add them as a user of that realm from the {pve} server. This can
 be carried out automatically with <<pveum_ldap_sync, syncing>>.
 
 
+[[user-realms-ad]]
 Microsoft Active Directory (AD)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -390,6 +394,32 @@ The main options for syncing are:
 * `Preview` (`dry-run`): No data is written to the config. This is useful if you
   want to see which users and groups would get synced to the `user.cfg`.
 
+[[pveum_ldap_reserved_characters]]
+Reserved characters
+^^^^^^^^^^^^^^^^^^^
+
+Certain characters are reserved (see https://www.ietf.org/rfc/rfc2253.txt[RFC2253]) and cannot be
+easily used in attribute values in DNs without being escaped properly.
+
+Following characters need escaping:
+
+* Space ( )
+* Comma (`,`)
+* Plus sign (`+`)
+* Double quote (`"`)
+* Forward slashes (`/`)
+* Angle brackets (`<>`)
+* Semicolon (`;`)
+* Equals sign (`=`)
+
+To use such characters in DNs, surround the attribute value in double quotes.
+For example, to bind with a user with the CN (Common Name) `Example, User`, use
+`CN="Example, User",OU=people,DC=example,DC=com` as value for `bind_dn`.
+
+This applies to the `base_dn`, `bind_dn`, and `group_dn` attributes.
+
+NOTE: Users with colons and forward slashes cannot be synced since these are
+reserved characters in usernames.
 
 [[pveum_openid]]
 OpenID Connect
@@ -461,7 +491,7 @@ example, you need to replace the `--issuer-url` and `--client-id` with
 your information:
 
 ----
-pveum realm add myrealm2 --type openid --issuer-url  https://your.server:8080/auth/realms/your-realm --client-id XXX --username-claim username
+pveum realm add myrealm2 --type openid --issuer-url  https://your.server:8080/realms/your-realm --client-id XXX --username-claim username
 ----
 
 Using `--username-claim username` enables simple usernames on the
@@ -781,6 +811,7 @@ Virtual machine related privileges::
 * `VM.Config.Network`: add/modify/remove network devices
 * `VM.Config.HWType`: modify emulated hardware types
 * `VM.Config.Options`: modify any other VM configuration
+* `VM.Config.Cloudinit`: modify Cloud-init parameters
 * `VM.Snapshot`: create/delete VM snapshots
 
 Storage related privileges::
@@ -894,9 +925,9 @@ The `path` is a templated parameter (see
 `Permissions.Modify` privilege or,
 depending on the path, the following privileges as a possible substitute:
 +
-* `/storage/...`: additionally requires 'Datastore.Allocate`
-* `/vms/...`: additionally requires 'VM.Allocate`
-* `/pool/...`: additionally requires 'Pool.Allocate`
+* `/storage/...`: requires 'Datastore.Allocate`
+* `/vms/...`: requires 'VM.Allocate`
+* `/pool/...`: requires 'Pool.Allocate`
 +
 If the path is empty, `Permission.Modify` on `/access` is required.