X-Git-Url: https://git.proxmox.com/?p=pve-docs.git;a=blobdiff_plain;f=pveum.adoc;h=b0bb72afadd4c21f6252bb1ad1978a94947a9816;hp=14fff2563f0df0e9dd6b6a71e3b1a8708afec541;hb=94958b8b9230d5b9b5e2e70c481f115b18a5fa0b;hpb=7d48940bf00be72473ffe9dfc4b5a03e3d948445 diff --git a/pveum.adoc b/pveum.adoc index 14fff25..b0bb72a 100644 --- a/pveum.adoc +++ b/pveum.adoc @@ -2,7 +2,6 @@ ifdef::manvolnum[] pveum(1) ======== -include::attributes.txt[] :pve-toplevel: NAME @@ -23,7 +22,6 @@ endif::manvolnum[] ifndef::manvolnum[] User Management =============== -include::attributes.txt[] :pve-toplevel: endif::manvolnum[] @@ -87,7 +85,7 @@ realm, the realms have to be configured in `/etc/pve/domains.cfg`. The following realms (authentication methods) are available: Linux PAM standard authentication:: -In this case a system user has to exist (eg. created via the `adduser` +In this case a system user has to exist (e.g. created via the `adduser` command) on all nodes the user is allowed to login, and the user authenticates with their usual system password. + @@ -102,13 +100,13 @@ usermod -a -G watchman heinz Proxmox VE authentication server:: This is a unix like password store (`/etc/pve/priv/shadow.cfg`). Password are encrypted using the SHA-256 hash method. -This is the most convenient method for for small (or even medium) +This is the most convenient method for small (or even medium) installations where users do not need access to anything outside of {pve}. In this case users are fully managed by {pve} and are able to change their own passwords via the GUI. LDAP:: -It is possible to authenticate users via an LDAP server (eq. +It is possible to authenticate users via an LDAP server (e.g. openldap). The server and an optional fallback server can be configured and the connection can be encrypted via SSL. + @@ -139,7 +137,7 @@ If {pve} needs to authenticate (bind) to the ldap server before being able to query and authenticate users, a bind domain name can be configured via the `bind_dn` property in `/etc/pve/domains.cfg`. Its password then has to be stored in `/etc/pve/priv/ldap/.pw` -(eg. `/etc/pve/priv/ldap/my-ldap.pw`). This file should contain a +(e.g. `/etc/pve/priv/ldap/my-ldap.pw`). This file should contain a single line containing the raw password. Microsoft Active Directory:: @@ -225,7 +223,7 @@ of predefined roles which satisfies most needs. You can see the whole set of predefined roles on the GUI. -Adding new roles can currently only be done from the command line, like +Adding new roles can be done via both GUI and the command line, like this: [source,bash] @@ -251,7 +249,7 @@ Node / System related privileges:: * `Sys.PowerMgmt`: Node power management (start, stop, reset, shutdown, ...) * `Sys.Console`: console access to Node * `Sys.Syslog`: view Syslog -* `Sys.Audit`: view node status/config +* `Sys.Audit`: view node status/config, Corosync cluster config and HA config * `Sys.Modify`: create/remove/modify node network parameters * `Group.Allocate`: create/remove/modify groups * `Pool.Allocate`: create/remove/modify a pool @@ -358,7 +356,7 @@ option is specified, then its specified parameter is required even if the API call's schema otherwise lists it as being optional. `["userid-group", [ ... ], ...]`:: -The callermust have any of the listed privileges on `/access/groups`. In +The caller must have any of the listed privileges on `/access/groups`. In addition there are two possible checks depending on whether the `groups_param` option is set: + @@ -377,7 +375,7 @@ privileges.) `["userid-param", "Realm.AllocateUser"]`:: The user needs `Realm.AllocateUser` access to `/access/realm/`, with -`` refering to the realm of the user passed via the `userid` +`` referring to the realm of the user passed via the `userid` parameter. Note that the user does not need to exist in order to be associated with a realm, since user IDs are passed in the form of `@`. @@ -485,7 +483,7 @@ Example1: Allow user `joe@pve` to see all virtual machines Delegate User Management ~~~~~~~~~~~~~~~~~~~~~~~~ -If you want to delegate user managenent to user `joe@pve` you can do +If you want to delegate user management to user `joe@pve` you can do that with: [source,bash]