mirror of
git://git.proxmox.com/git/pve-docs.git
synced 2025-01-07 17:17:48 +03:00
4772952b60
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
751 lines
14 KiB
Plaintext
751 lines
14 KiB
Plaintext
*pveum* `<COMMAND> [ARGS] [OPTIONS]`
|
|
|
|
*pveum acl delete* `<path> --roles <string>` `[OPTIONS]`
|
|
|
|
Update Access Control List (add or remove permissions).
|
|
|
|
`<path>`: `<string>` ::
|
|
|
|
Access control path
|
|
|
|
`--groups` `<string>` ::
|
|
|
|
List of groups.
|
|
|
|
`--propagate` `<boolean>` ('default =' `1`)::
|
|
|
|
Allow to propagate (inherit) permissions.
|
|
|
|
`--roles` `<string>` ::
|
|
|
|
List of roles.
|
|
|
|
`--tokens` `<string>` ::
|
|
|
|
List of API tokens.
|
|
|
|
`--users` `<string>` ::
|
|
|
|
List of users.
|
|
|
|
*pveum acl list* `[FORMAT_OPTIONS]`
|
|
|
|
Get Access Control List (ACLs).
|
|
|
|
*pveum acl modify* `<path> --roles <string>` `[OPTIONS]`
|
|
|
|
Update Access Control List (add or remove permissions).
|
|
|
|
`<path>`: `<string>` ::
|
|
|
|
Access control path
|
|
|
|
`--groups` `<string>` ::
|
|
|
|
List of groups.
|
|
|
|
`--propagate` `<boolean>` ('default =' `1`)::
|
|
|
|
Allow to propagate (inherit) permissions.
|
|
|
|
`--roles` `<string>` ::
|
|
|
|
List of roles.
|
|
|
|
`--tokens` `<string>` ::
|
|
|
|
List of API tokens.
|
|
|
|
`--users` `<string>` ::
|
|
|
|
List of users.
|
|
|
|
*pveum acldel*
|
|
|
|
An alias for 'pveum acl delete'.
|
|
|
|
*pveum aclmod*
|
|
|
|
An alias for 'pveum acl modify'.
|
|
|
|
*pveum group add* `<groupid>` `[OPTIONS]`
|
|
|
|
Create new group.
|
|
|
|
`<groupid>`: `<string>` ::
|
|
|
|
no description available
|
|
|
|
`--comment` `<string>` ::
|
|
|
|
no description available
|
|
|
|
*pveum group delete* `<groupid>`
|
|
|
|
Delete group.
|
|
|
|
`<groupid>`: `<string>` ::
|
|
|
|
no description available
|
|
|
|
*pveum group list* `[FORMAT_OPTIONS]`
|
|
|
|
Group index.
|
|
|
|
*pveum group modify* `<groupid>` `[OPTIONS]`
|
|
|
|
Update group data.
|
|
|
|
`<groupid>`: `<string>` ::
|
|
|
|
no description available
|
|
|
|
`--comment` `<string>` ::
|
|
|
|
no description available
|
|
|
|
*pveum groupadd*
|
|
|
|
An alias for 'pveum group add'.
|
|
|
|
*pveum groupdel*
|
|
|
|
An alias for 'pveum group delete'.
|
|
|
|
*pveum groupmod*
|
|
|
|
An alias for 'pveum group modify'.
|
|
|
|
*pveum help* `[OPTIONS]`
|
|
|
|
Get help about specified command.
|
|
|
|
`--extra-args` `<array>` ::
|
|
|
|
Shows help for a specific command
|
|
|
|
`--verbose` `<boolean>` ::
|
|
|
|
Verbose output format.
|
|
|
|
*pveum passwd* `<userid>`
|
|
|
|
Change user password.
|
|
|
|
`<userid>`: `<string>` ::
|
|
|
|
User ID
|
|
|
|
*pveum realm add* `<realm> --type <string>` `[OPTIONS]`
|
|
|
|
Add an authentication server.
|
|
|
|
`<realm>`: `<string>` ::
|
|
|
|
Authentication domain ID
|
|
|
|
`--base_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
|
|
|
|
LDAP base domain name
|
|
|
|
`--bind_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
|
|
|
|
LDAP bind domain name
|
|
|
|
`--capath` `<string>` ('default =' `/etc/ssl/certs`)::
|
|
|
|
Path to the CA certificate store
|
|
|
|
`--case-sensitive` `<boolean>` ('default =' `1`)::
|
|
|
|
username is case-sensitive
|
|
|
|
`--cert` `<string>` ::
|
|
|
|
Path to the client certificate
|
|
|
|
`--certkey` `<string>` ::
|
|
|
|
Path to the client certificate key
|
|
|
|
`--comment` `<string>` ::
|
|
|
|
Description.
|
|
|
|
`--default` `<boolean>` ::
|
|
|
|
Use this as default realm
|
|
|
|
`--domain` `\S+` ::
|
|
|
|
AD domain name
|
|
|
|
`--filter` `<string>` ::
|
|
|
|
LDAP filter for user sync.
|
|
|
|
`--group_classes` `<string>` ('default =' `groupOfNames, group, univentionGroup, ipausergroup`)::
|
|
|
|
The objectclasses for groups.
|
|
|
|
`--group_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
|
|
|
|
LDAP base domain name for group sync. If not set, the base_dn will be used.
|
|
|
|
`--group_filter` `<string>` ::
|
|
|
|
LDAP filter for group sync.
|
|
|
|
`--group_name_attr` `<string>` ::
|
|
|
|
LDAP attribute representing a groups name. If not set or found, the first value of the DN will be used as name.
|
|
|
|
`--mode` `<ldap | ldap+starttls | ldaps>` ('default =' `ldap`)::
|
|
|
|
LDAP protocol mode.
|
|
|
|
`--password` `<string>` ::
|
|
|
|
LDAP bind password. Will be stored in '/etc/pve/priv/realm/<REALM>.pw'.
|
|
|
|
`--port` `<integer> (1 - 65535)` ::
|
|
|
|
Server port.
|
|
|
|
`--secure` `<boolean>` ::
|
|
|
|
Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.
|
|
|
|
`--server1` `<string>` ::
|
|
|
|
Server IP address (or DNS name)
|
|
|
|
`--server2` `<string>` ::
|
|
|
|
Fallback Server IP address (or DNS name)
|
|
|
|
`--sslversion` `<tlsv1 | tlsv1_1 | tlsv1_2 | tlsv1_3>` ::
|
|
|
|
LDAPS TLS/SSL version. It's not recommended to use version older than 1.2!
|
|
|
|
`--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,scope=<users|groups|both>]` ::
|
|
|
|
The default options for behavior of synchronizations.
|
|
|
|
`--sync_attributes` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
|
|
|
|
Comma separated list of key=value pairs for specifying which LDAP attributes map to which PVE user field. For example, to map the LDAP attribute 'mail' to PVEs 'email', write 'email=mail'. By default, each PVE user field is represented by an LDAP attribute of the same name.
|
|
|
|
`--tfa` `type=<TFATYPE> [,digits=<COUNT>] [,id=<ID>] [,key=<KEY>] [,step=<SECONDS>] [,url=<URL>]` ::
|
|
|
|
Use Two-factor authentication.
|
|
|
|
`--type` `<ad | ldap | pam | pve>` ::
|
|
|
|
Realm type.
|
|
|
|
`--user_attr` `\S{2,}` ::
|
|
|
|
LDAP user attribute name
|
|
|
|
`--user_classes` `<string>` ('default =' `inetorgperson, posixaccount, person, user`)::
|
|
|
|
The objectclasses for users.
|
|
|
|
`--verify` `<boolean>` ('default =' `0`)::
|
|
|
|
Verify the server's SSL certificate
|
|
|
|
*pveum realm delete* `<realm>`
|
|
|
|
Delete an authentication server.
|
|
|
|
`<realm>`: `<string>` ::
|
|
|
|
Authentication domain ID
|
|
|
|
*pveum realm list* `[FORMAT_OPTIONS]`
|
|
|
|
Authentication domain index.
|
|
|
|
*pveum realm modify* `<realm>` `[OPTIONS]`
|
|
|
|
Update authentication server settings.
|
|
|
|
`<realm>`: `<string>` ::
|
|
|
|
Authentication domain ID
|
|
|
|
`--base_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
|
|
|
|
LDAP base domain name
|
|
|
|
`--bind_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
|
|
|
|
LDAP bind domain name
|
|
|
|
`--capath` `<string>` ('default =' `/etc/ssl/certs`)::
|
|
|
|
Path to the CA certificate store
|
|
|
|
`--case-sensitive` `<boolean>` ('default =' `1`)::
|
|
|
|
username is case-sensitive
|
|
|
|
`--cert` `<string>` ::
|
|
|
|
Path to the client certificate
|
|
|
|
`--certkey` `<string>` ::
|
|
|
|
Path to the client certificate key
|
|
|
|
`--comment` `<string>` ::
|
|
|
|
Description.
|
|
|
|
`--default` `<boolean>` ::
|
|
|
|
Use this as default realm
|
|
|
|
`--delete` `<string>` ::
|
|
|
|
A list of settings you want to delete.
|
|
|
|
`--digest` `<string>` ::
|
|
|
|
Prevent changes if current configuration file has different SHA1 digest. This can be used to prevent concurrent modifications.
|
|
|
|
`--domain` `\S+` ::
|
|
|
|
AD domain name
|
|
|
|
`--filter` `<string>` ::
|
|
|
|
LDAP filter for user sync.
|
|
|
|
`--group_classes` `<string>` ('default =' `groupOfNames, group, univentionGroup, ipausergroup`)::
|
|
|
|
The objectclasses for groups.
|
|
|
|
`--group_dn` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
|
|
|
|
LDAP base domain name for group sync. If not set, the base_dn will be used.
|
|
|
|
`--group_filter` `<string>` ::
|
|
|
|
LDAP filter for group sync.
|
|
|
|
`--group_name_attr` `<string>` ::
|
|
|
|
LDAP attribute representing a groups name. If not set or found, the first value of the DN will be used as name.
|
|
|
|
`--mode` `<ldap | ldap+starttls | ldaps>` ('default =' `ldap`)::
|
|
|
|
LDAP protocol mode.
|
|
|
|
`--password` `<string>` ::
|
|
|
|
LDAP bind password. Will be stored in '/etc/pve/priv/realm/<REALM>.pw'.
|
|
|
|
`--port` `<integer> (1 - 65535)` ::
|
|
|
|
Server port.
|
|
|
|
`--secure` `<boolean>` ::
|
|
|
|
Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.
|
|
|
|
`--server1` `<string>` ::
|
|
|
|
Server IP address (or DNS name)
|
|
|
|
`--server2` `<string>` ::
|
|
|
|
Fallback Server IP address (or DNS name)
|
|
|
|
`--sslversion` `<tlsv1 | tlsv1_1 | tlsv1_2 | tlsv1_3>` ::
|
|
|
|
LDAPS TLS/SSL version. It's not recommended to use version older than 1.2!
|
|
|
|
`--sync-defaults-options` `[enable-new=<1|0>] [,full=<1|0>] [,purge=<1|0>] [,scope=<users|groups|both>]` ::
|
|
|
|
The default options for behavior of synchronizations.
|
|
|
|
`--sync_attributes` `\w+=[^,]+(,\s*\w+=[^,]+)*` ::
|
|
|
|
Comma separated list of key=value pairs for specifying which LDAP attributes map to which PVE user field. For example, to map the LDAP attribute 'mail' to PVEs 'email', write 'email=mail'. By default, each PVE user field is represented by an LDAP attribute of the same name.
|
|
|
|
`--tfa` `type=<TFATYPE> [,digits=<COUNT>] [,id=<ID>] [,key=<KEY>] [,step=<SECONDS>] [,url=<URL>]` ::
|
|
|
|
Use Two-factor authentication.
|
|
|
|
`--user_attr` `\S{2,}` ::
|
|
|
|
LDAP user attribute name
|
|
|
|
`--user_classes` `<string>` ('default =' `inetorgperson, posixaccount, person, user`)::
|
|
|
|
The objectclasses for users.
|
|
|
|
`--verify` `<boolean>` ('default =' `0`)::
|
|
|
|
Verify the server's SSL certificate
|
|
|
|
*pveum realm sync* `<realm>` `[OPTIONS]`
|
|
|
|
Syncs users and/or groups from the configured LDAP to user.cfg. NOTE:
|
|
Synced groups will have the name 'name-$realm', so make sure those groups
|
|
do not exist to prevent overwriting.
|
|
|
|
`<realm>`: `<string>` ::
|
|
|
|
Authentication domain ID
|
|
|
|
`--dry-run` `<boolean>` ('default =' `0`)::
|
|
|
|
If set, does not write anything.
|
|
|
|
`--enable-new` `<boolean>` ('default =' `1`)::
|
|
|
|
Enable newly synced users immediately.
|
|
|
|
`--full` `<boolean>` ::
|
|
|
|
If set, uses the LDAP Directory as source of truth, deleting users or groups not returned from the sync. Otherwise only syncs information which is not already present, and does not deletes or modifies anything else.
|
|
|
|
`--purge` `<boolean>` ::
|
|
|
|
Remove ACLs for users or groups which were removed from the config during a sync.
|
|
|
|
`--scope` `<both | groups | users>` ::
|
|
|
|
Select what to sync.
|
|
|
|
*pveum role add* `<roleid>` `[OPTIONS]`
|
|
|
|
Create new role.
|
|
|
|
`<roleid>`: `<string>` ::
|
|
|
|
no description available
|
|
|
|
`--privs` `<string>` ::
|
|
|
|
no description available
|
|
|
|
*pveum role delete* `<roleid>`
|
|
|
|
Delete role.
|
|
|
|
`<roleid>`: `<string>` ::
|
|
|
|
no description available
|
|
|
|
*pveum role list* `[FORMAT_OPTIONS]`
|
|
|
|
Role index.
|
|
|
|
*pveum role modify* `<roleid>` `[OPTIONS]`
|
|
|
|
Update an existing role.
|
|
|
|
`<roleid>`: `<string>` ::
|
|
|
|
no description available
|
|
|
|
`--append` `<boolean>` ::
|
|
|
|
no description available
|
|
+
|
|
NOTE: Requires option(s): `privs`
|
|
|
|
`--privs` `<string>` ::
|
|
|
|
no description available
|
|
|
|
*pveum roleadd*
|
|
|
|
An alias for 'pveum role add'.
|
|
|
|
*pveum roledel*
|
|
|
|
An alias for 'pveum role delete'.
|
|
|
|
*pveum rolemod*
|
|
|
|
An alias for 'pveum role modify'.
|
|
|
|
*pveum ticket* `<username>` `[OPTIONS]`
|
|
|
|
Create or verify authentication ticket.
|
|
|
|
`<username>`: `<string>` ::
|
|
|
|
User name
|
|
|
|
`--otp` `<string>` ::
|
|
|
|
One-time password for Two-factor authentication.
|
|
|
|
`--path` `<string>` ::
|
|
|
|
Verify ticket, and check if user have access 'privs' on 'path'
|
|
+
|
|
NOTE: Requires option(s): `privs`
|
|
|
|
`--privs` `<string>` ::
|
|
|
|
Verify ticket, and check if user have access 'privs' on 'path'
|
|
+
|
|
NOTE: Requires option(s): `path`
|
|
|
|
`--realm` `<string>` ::
|
|
|
|
You can optionally pass the realm using this parameter. Normally the realm is simply added to the username <username>@<relam>.
|
|
|
|
*pveum user add* `<userid>` `[OPTIONS]`
|
|
|
|
Create new user.
|
|
|
|
`<userid>`: `<string>` ::
|
|
|
|
User ID
|
|
|
|
`--comment` `<string>` ::
|
|
|
|
no description available
|
|
|
|
`--email` `<string>` ::
|
|
|
|
no description available
|
|
|
|
`--enable` `<boolean>` ('default =' `1`)::
|
|
|
|
Enable the account (default). You can set this to '0' to disable the account
|
|
|
|
`--expire` `<integer> (0 - N)` ::
|
|
|
|
Account expiration date (seconds since epoch). '0' means no expiration date.
|
|
|
|
`--firstname` `<string>` ::
|
|
|
|
no description available
|
|
|
|
`--groups` `<string>` ::
|
|
|
|
no description available
|
|
|
|
`--keys` `<string>` ::
|
|
|
|
Keys for two factor auth (yubico).
|
|
|
|
`--lastname` `<string>` ::
|
|
|
|
no description available
|
|
|
|
`--password` `<string>` ::
|
|
|
|
Initial password.
|
|
|
|
*pveum user delete* `<userid>`
|
|
|
|
Delete user.
|
|
|
|
`<userid>`: `<string>` ::
|
|
|
|
User ID
|
|
|
|
*pveum user list* `[OPTIONS]` `[FORMAT_OPTIONS]`
|
|
|
|
User index.
|
|
|
|
`--enabled` `<boolean>` ::
|
|
|
|
Optional filter for enable property.
|
|
|
|
`--full` `<boolean>` ('default =' `0`)::
|
|
|
|
Include group and token information.
|
|
|
|
*pveum user modify* `<userid>` `[OPTIONS]`
|
|
|
|
Update user configuration.
|
|
|
|
`<userid>`: `<string>` ::
|
|
|
|
User ID
|
|
|
|
`--append` `<boolean>` ::
|
|
|
|
no description available
|
|
+
|
|
NOTE: Requires option(s): `groups`
|
|
|
|
`--comment` `<string>` ::
|
|
|
|
no description available
|
|
|
|
`--email` `<string>` ::
|
|
|
|
no description available
|
|
|
|
`--enable` `<boolean>` ('default =' `1`)::
|
|
|
|
Enable the account (default). You can set this to '0' to disable the account
|
|
|
|
`--expire` `<integer> (0 - N)` ::
|
|
|
|
Account expiration date (seconds since epoch). '0' means no expiration date.
|
|
|
|
`--firstname` `<string>` ::
|
|
|
|
no description available
|
|
|
|
`--groups` `<string>` ::
|
|
|
|
no description available
|
|
|
|
`--keys` `<string>` ::
|
|
|
|
Keys for two factor auth (yubico).
|
|
|
|
`--lastname` `<string>` ::
|
|
|
|
no description available
|
|
|
|
*pveum user permissions* `[<userid>]` `[OPTIONS]` `[FORMAT_OPTIONS]`
|
|
|
|
Retrieve effective permissions of given user/token.
|
|
|
|
`<userid>`: `(?^:^(?^:[^\s:/]+)\@(?^:[A-Za-z][A-Za-z0-9\.\-_]+)(?:!(?^:[A-Za-z][A-Za-z0-9\.\-_]+))?$)` ::
|
|
|
|
User ID or full API token ID
|
|
|
|
`--path` `<string>` ::
|
|
|
|
Only dump this specific path, not the whole tree.
|
|
|
|
*pveum user tfa delete* `<userid>` `[OPTIONS]`
|
|
|
|
Change user u2f authentication.
|
|
|
|
`<userid>`: `<string>` ::
|
|
|
|
User ID
|
|
|
|
`--config` `type=<TFATYPE> [,digits=<COUNT>] [,id=<ID>] [,key=<KEY>] [,step=<SECONDS>] [,url=<URL>]` ::
|
|
|
|
A TFA configuration. This must currently be of type TOTP of not set at all.
|
|
|
|
`--key` `<string>` ::
|
|
|
|
When adding TOTP, the shared secret value.
|
|
|
|
`--password` `<string>` ::
|
|
|
|
The current password.
|
|
|
|
`--response` `<string>` ::
|
|
|
|
Either the the response to the current u2f registration challenge, or, when adding TOTP, the currently valid TOTP value.
|
|
|
|
*pveum user token add* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
|
|
|
|
Generate a new API token for a specific user. NOTE: returns API token
|
|
value, which needs to be stored as it cannot be retrieved afterwards!
|
|
|
|
`<userid>`: `<string>` ::
|
|
|
|
User ID
|
|
|
|
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
|
|
|
|
User-specific token identifier.
|
|
|
|
`--comment` `<string>` ::
|
|
|
|
no description available
|
|
|
|
`--expire` `<integer> (0 - N)` ('default =' `same as user`)::
|
|
|
|
API token expiration date (seconds since epoch). '0' means no expiration date.
|
|
|
|
`--privsep` `<boolean>` ('default =' `1`)::
|
|
|
|
Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.
|
|
|
|
*pveum user token list* `<userid>` `[FORMAT_OPTIONS]`
|
|
|
|
Get user API tokens.
|
|
|
|
`<userid>`: `<string>` ::
|
|
|
|
User ID
|
|
|
|
*pveum user token modify* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
|
|
|
|
Update API token for a specific user.
|
|
|
|
`<userid>`: `<string>` ::
|
|
|
|
User ID
|
|
|
|
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
|
|
|
|
User-specific token identifier.
|
|
|
|
`--comment` `<string>` ::
|
|
|
|
no description available
|
|
|
|
`--expire` `<integer> (0 - N)` ('default =' `same as user`)::
|
|
|
|
API token expiration date (seconds since epoch). '0' means no expiration date.
|
|
|
|
`--privsep` `<boolean>` ('default =' `1`)::
|
|
|
|
Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.
|
|
|
|
*pveum user token permissions* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
|
|
|
|
Retrieve effective permissions of given token.
|
|
|
|
`<userid>`: `<string>` ::
|
|
|
|
User ID
|
|
|
|
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
|
|
|
|
User-specific token identifier.
|
|
|
|
`--path` `<string>` ::
|
|
|
|
Only dump this specific path, not the whole tree.
|
|
|
|
*pveum user token remove* `<userid> <tokenid>` `[FORMAT_OPTIONS]`
|
|
|
|
Remove API token for a specific user.
|
|
|
|
`<userid>`: `<string>` ::
|
|
|
|
User ID
|
|
|
|
`<tokenid>`: `(?^:[A-Za-z][A-Za-z0-9\.\-_]+)` ::
|
|
|
|
User-specific token identifier.
|
|
|
|
*pveum useradd*
|
|
|
|
An alias for 'pveum user add'.
|
|
|
|
*pveum userdel*
|
|
|
|
An alias for 'pveum user delete'.
|
|
|
|
*pveum usermod*
|
|
|
|
An alias for 'pveum user modify'.
|
|
|
|
|