[[chapter_user_management]]
+
+[[user_mgmt]]
+
ifdef::manvolnum[]
pveum(1)
========
`/etc/pve/user.cfg`.
+Attributes to Properties
+^^^^^^^^^^^^^^^^^^^^^^^^
+
+If the sync response includes user attributes, they will be synced into the
+matching user property in the `user.cfg`. For example: `firstname` or
+`lastname`.
+
+If the names of the attributes are not matching the {pve} properties, you can
+set a custom field-to-field map in the config by using the `sync_attributes`
+option.
+
+How such properties are handled if anything vanishes can be controlled via the
+sync options, see below.
+
Sync Configuration
^^^^^^^^^^^^^^^^^^
down the scope of a sync. Information on available LDAP filter types and their
usage can be found at https://ldap.com/ldap-filters/[ldap.com].
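Review bot: the wording of the new "Attributes to Properties" paragraph needs tightening in two places. "If the names of the attributes are not matching the {pve} properties" should read "If the attribute names do not match the {pve} property names", and "How such properties are handled if anything vanishes" should name what vanishes, e.g. "How such properties are handled when an attribute is missing from the sync response is controlled by the sync options, see below." It would also help readers to see one concrete `sync_attributes` mapping next to the sentence that introduces the option, rather than only the option name, since the expected syntax is otherwise left to guesswork.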
-
[[pveum_ldap_sync_options]]
Sync Options
^^^^^^^^^^^^
- `Entry` (`entry`): Removes entries (i.e. users and groups) when they are
not returned in the sync response.
- - `Properties` (`properties`): Removes properties of entries which were
- not returned in the sync response. This includes custom properties
- which were never set by the sync. Exceptions are tokens and the enable
- flag. Those will be retained even with this option.
+ - `Properties` (`properties`): Removes properties of entries where the user
+ in the sync response did not contain those attributes. This includes
+ all properties, even those never set by a sync. Exceptions are tokens
+ and the enable flag, these will be retained even with this option enabled.
* `Preview` (`dry-run`): No data is written to the config. This is useful if you
want to see which users and groups would get synced to the `user.cfg`.
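Review bot: the replacement text for `Properties` (`properties`) mixes "entries" and "the user" in one clause: "entries where the user in the sync response did not contain those attributes" is hard to parse. Suggest "Removes properties of an entry when the corresponding user in the sync response does not carry the matching attribute." The sentence "This includes all properties, even those never set by a sync" is the real behavioural change and deserves a warning, because any property set by hand will be dropped on the next sync; recommending a `Preview` (`dry-run`) run before enabling the option would fit here. Finally, say explicitly that a user disabled locally stays disabled after a sync, since "the enable flag ... will be retained" does not make that consequence obvious.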
your information:
----
-pveum realm add myrealm2 --type openid --issuer-url https://your.server:8080/auth/realms/your-realm --client-id XXX --username-claim username
+pveum realm add myrealm2 --type openid --issuer-url https://your.server:8080/realms/your-realm --client-id XXX --username-claim username
----
Using `--username-claim username` enables simple usernames on the
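Review bot: the hunk changes only the path of the example issuer URL, from `/auth/realms/your-realm` to `/realms/your-realm`, with no explanation. Readers copy this line, so add a sentence that the issuer URL must be the one published by their identity provider (older provider versions still use the `/auth/realms/...` prefix) and that a mismatch breaks login for the realm. Keeping `https://` in the example is correct and worth stating as a requirement, not just as an illustration.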
This is done via `/etc/pve/datacenter.cfg`. For instance:
----
-webauthn:
-rp=mypve.example.com,origin=https://mypve.example.com:8006,id=mypve.example.com
+webauthn: rp=mypve.example.com,origin=https://mypve.example.com:8006,id=mypve.example.com
----
[[pveum_configure_u2f]]
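Review bot: joining the `webauthn:` example onto a single line is the right fix; inside a `----` listing the wrapped second line read as a separate, keyless entry in `datacenter.cfg` for anyone copying it verbatim. While touching this block, add a short explanation of the three fields (`rp`, `origin`, `id`) and point out that `origin` has to include the port the web UI is served on, which the `:8006` in the example shows but the text never says.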
* `Sys.Syslog`: view syslog
* `Sys.Audit`: view node status/config, Corosync cluster config, and HA config
* `Sys.Modify`: create/modify/remove node network parameters
+* `Sys.Incoming`: allow incoming data streams from other clusters (experimental)
* `Group.Allocate`: create/modify/remove groups
* `Pool.Allocate`: create/modify/remove a pool
* `Pool.Audit`: view a pool
* `VM.Config.Network`: add/modify/remove network devices
* `VM.Config.HWType`: modify emulated hardware types
* `VM.Config.Options`: modify any other VM configuration
+* `VM.Config.Cloudinit`: modify Cloud-init parameters
* `VM.Snapshot`: create/delete VM snapshots
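Review bot: the two new privileges are listed without any guidance on scope. `Sys.Incoming` is flagged experimental, but "allow incoming data streams from other clusters" is broad; state on which ACL path it is evaluated and that it belongs only in the role used for cross-cluster transfers. For `VM.Config.Cloudinit`, note that Cloud-init parameters include guest user credentials and SSH keys, so this privilege should be granted as deliberately as the other `VM.Config.*` privileges rather than assumed harmless because it is "just" configuration.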
Storage related privileges::
`Permissions.Modify` privilege or,
depending on the path, the following privileges as a possible substitute:
+
-* `/storage/...`: additionally requires 'Datastore.Allocate`
-* `/vms/...`: additionally requires 'VM.Allocate`
-* `/pool/...`: additionally requires 'Pool.Allocate`
+* `/storage/...`: requires 'Datastore.Allocate`
+* `/vms/...`: requires 'VM.Allocate`
+* `/pool/...`: requires 'Pool.Allocate`
+
If the path is empty, `Permission.Modify` on `/access` is required.
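Review bot: the new lines carry over the broken quoting from the old ones: `'Datastore.Allocate``, `'VM.Allocate`` and `'Pool.Allocate`` open with a single quote and close with a backtick, which does not render as inline code in AsciiDoc; use backticks on both sides. The surrounding text is also inconsistent, saying `Permissions.Modify` above the list and `Permission.Modify` below it; one of the two is a typo and should be aligned while this passage is being edited. Dropping "additionally" is a good change, since these privileges are substitutes for `Permissions.Modify`, not requirements on top of it, and the sentence above the list already says so.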