
**Section type** '``ad``':  AD realm configuration properties.


*Required properties:*

``server1`` : ``<string>``
  AD server address

*Optional properties:*

``base-dn`` : ``<string>``
  Base DN under which users are searched in the directory.
``bind-dn`` : ``<string>``
  Distinguished name to bind as when connecting to the LDAP server.
``capath`` : ``<string>``
  CA certificate to use for the server. The path can point to either a file
  or a directory. If it points to a file, the PEM-formatted X.509 certificate
  stored at the path will be added as a trusted certificate. If the path points
  to a directory, the directory replaces the system's default certificate store
  at ``/etc/ssl/certs``; every file in the directory will be loaded as a trusted
  certificate.
``comment`` : ``<string>``
  Comment.
``default`` : ``<boolean>   (default=false)``
  True if you want this to be the default realm selected on login.
``filter`` : ``<string>``
  Custom LDAP search filter for user sync
``mode`` : ``ldap|ldap+starttls|ldaps   (default=ldap)``
  LDAP connection type
``port`` : ``<integer> (0 - 65535)``
  AD server port
``server2`` : ``<string>``
  Fallback AD server address
``sync-attributes`` : ``[[email=<string>] [,firstname=<string>] [,lastname=<string>]]``
  Comma-separated list of key=value pairs for specifying which LDAP attributes
  map to which PBS user field. For example, to map the LDAP attribute ``mail``
  to PBS's ``email``, write ``email=mail``.

  ``email`` = ``<string>``
    Name of the LDAP attribute containing the user's email address
  ``firstname`` = ``<string>``
    Name of the LDAP attribute containing the user's first name
  ``lastname`` = ``<string>``
    Name of the LDAP attribute containing the user's last name

``sync-defaults-options`` : ``[[enable-new=<1|0>] [,remove-vanished=<string>]]``
  Default options for user synchronization.

  ``enable-new`` = ``<boolean>``
    Enable new users after sync
  ``remove-vanished`` = ``[acl|entry|properties, ...]``
    A semicolon-separated list of things to remove when they or the user vanish
    during user synchronization. The following values are possible: ``entry``
    removes the user when not returned from the sync; ``properties`` removes any
    properties on existing users that do not appear in the source; ``acl`` removes
    ACLs when the user is not returned from the sync.

``user-classes`` : ``[<string>, ...]   (default=inetorgperson,posixaccount,person,user)``
  Comma-separated list of allowed objectClass values for user synchronization.
  For instance, if ``user-classes`` is set to ``person,user``, then user
  synchronization will consider all LDAP entities where ``objectClass: person``
  *or* ``objectClass: user``.
``verify`` : ``<boolean>   (default=false)``
  Verify server certificate

**Section type** '``ldap``':  LDAP configuration properties.


*Required properties:*

``base-dn`` : ``<string>``
  Base DN under which users are searched in the directory.
``server1`` : ``<string>``
  LDAP server address
``user-attr`` : ``<string>``
  Username attribute. Used to map a ``userid`` to an LDAP ``dn``.

*Optional properties:*

``bind-dn`` : ``<string>``
  Distinguished name to bind as when connecting to the LDAP server.
``capath`` : ``<string>``
  CA certificate to use for the server. The path can point to either a file
  or a directory. If it points to a file, the PEM-formatted X.509 certificate
  stored at the path will be added as a trusted certificate. If the path points
  to a directory, the directory replaces the system's default certificate store
  at ``/etc/ssl/certs``; every file in the directory will be loaded as a trusted
  certificate.
``comment`` : ``<string>``
  Comment.
``default`` : ``<boolean>   (default=false)``
  True if you want this to be the default realm selected on login.
``filter`` : ``<string>``
  Custom LDAP search filter for user sync
``mode`` : ``ldap|ldap+starttls|ldaps   (default=ldap)``
  LDAP connection type
``port`` : ``<integer> (0 - 65535)``
  LDAP server port
``server2`` : ``<string>``
  Fallback LDAP server address
``sync-attributes`` : ``[[email=<string>] [,firstname=<string>] [,lastname=<string>]]``
  Comma-separated list of key=value pairs for specifying which LDAP attributes
  map to which PBS user field. For example, to map the LDAP attribute ``mail``
  to PBS's ``email``, write ``email=mail``.

  ``email`` = ``<string>``
    Name of the LDAP attribute containing the user's email address
  ``firstname`` = ``<string>``
    Name of the LDAP attribute containing the user's first name
  ``lastname`` = ``<string>``
    Name of the LDAP attribute containing the user's last name

``sync-defaults-options`` : ``[[enable-new=<1|0>] [,remove-vanished=<string>]]``
  Default options for user synchronization.

  ``enable-new`` = ``<boolean>``
    Enable new users after sync
  ``remove-vanished`` = ``[acl|entry|properties, ...]``
    A semicolon-separated list of things to remove when they or the user vanish
    during user synchronization. The following values are possible: ``entry``
    removes the user when not returned from the sync; ``properties`` removes any
    properties on existing users that do not appear in the source; ``acl`` removes
    ACLs when the user is not returned from the sync.

``user-classes`` : ``[<string>, ...]   (default=inetorgperson,posixaccount,person,user)``
  Comma-separated list of allowed objectClass values for user synchronization.
  For instance, if ``user-classes`` is set to ``person,user``, then user
  synchronization will consider all LDAP entities where ``objectClass: person``
  *or* ``objectClass: user``.
``verify`` : ``<boolean>   (default=false)``
  Verify server certificate

**Section type** '``openid``':  OpenID configuration properties.


*Required properties:*

``client-id`` : ``<string>``
  OpenID Client ID
``issuer-url`` : ``<string>``
  OpenID Issuer URL

*Optional properties:*

``acr-values`` : ``[<string>, ...]``
  OpenID ACR List
``autocreate`` : ``<boolean>   (default=false)``
  Automatically create users if they do not exist.
``client-key`` : ``<string>``
  OpenID Client Key
``comment`` : ``<string>``
  Comment.
``default`` : ``<boolean>   (default=false)``
  True if you want this to be the default realm selected on login.
``prompt`` : ``<string>``
  OpenID Prompt
``scopes`` : ``[<string>, ...]   (default=email profile)``
  OpenID Scope List
``username-claim`` : ``<string>``
  Use the value of this attribute/claim as the unique user name. It is up to the
  identity provider to guarantee the uniqueness. The OpenID specification only
  guarantees that the Subject (``sub``) claim is unique. Also make sure that users
  are not allowed to change that attribute themselves.

**Section type** '``pam``':  Built-in PAM realm configuration properties.


*Required properties:*

``type`` : ``pam|pbs|openid|ldap|ad``
  Type of the realm.

*Optional properties:*

``comment`` : ``<string>``
  Comment.
``default`` : ``<boolean>   (default=false)``
  True if you want this to be the default realm selected on login.

**Section type** '``pbs``':  Built-in Proxmox Backup Server realm configuration properties.


*Required properties:*

``type`` : ``pam|pbs|openid|ldap|ad``
  Type of the realm.

*Optional properties:*

``comment`` : ``<string>``
  Comment.
``default`` : ``<boolean>   (default=false)``
  True if you want this to be the default realm selected on login.
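
As an added example (not code from the Proxmox Backup Server project), the
following Python script reads a realm configuration and reports the settings
that the ``ad``, ``ldap`` and ``openid`` references above leave at a weak
default: ``mode`` at its ``ldap`` default (no TLS), ``verify`` at its ``false``
default on a TLS mode, and an OpenID ``username-claim`` other than ``sub``,
the only claim the specification guarantees to be unique. The sample
configuration is constructed for the example; it assumes the on-disk layout of
a ``<type>: <name>`` header line followed by indented ``key value`` lines,
and the function names (``parse_section_config``, ``audit_realm``,
``audit_config``) are this example's own.

```python
"""Audit realm definitions for weak transport and identity settings.

Added example, not part of Proxmox Backup Server. It assumes the section
config layout: a header ``<type>: <name>`` followed by indented ``key value``
lines, one section per realm, blank lines between sections.
"""
from __future__ import annotations

# Constructed sample configuration (not taken from a real deployment).
SAMPLE_CFG = """\
pam: pam
\tcomment Linux PAM standard authentication

pbs: pbs
\tcomment Proxmox Backup authentication server

ldap: corp
\tbase-dn dc=example,dc=test
\tbind-dn cn=readonly,dc=example,dc=test
\tserver1 ldap.example.test
\tuser-attr uid
\tmode ldap

ad: win
\tserver1 dc1.example.test
\tmode ldaps
\tcapath /etc/ssl/certs/example-ca.pem

openid: sso
\tclient-id pbs
\tissuer-url https://sso.example.test
\tusername-claim email
\tautocreate 1
"""

TRUE_VALUES = {"1", "true", "yes", "on"}


def parse_section_config(text: str) -> list[dict[str, str]]:
    """Parse ``<type>: <name>`` sections with indented ``key value`` lines."""
    sections: list[dict[str, str]] = []
    current: dict[str, str] | None = None
    for raw in text.splitlines():
        if not raw.strip():
            continue  # blank lines only separate sections
        if raw[0] not in " \t":
            section_type, _, name = raw.partition(":")
            current = {"type": section_type.strip(), "name": name.strip()}
            sections.append(current)
        elif current is not None:
            key, _, value = raw.strip().partition(" ")
            current[key] = value.strip()
    return sections


def audit_realm(realm: dict[str, str]) -> list[str]:
    """Return human-readable findings for one realm, based on the reference defaults."""
    findings: list[str] = []
    name, section_type = realm["name"], realm["type"]
    if section_type in ("ldap", "ad"):
        mode = realm.get("mode", "ldap")  # reference default: ldap
        verify = realm.get("verify", "false").lower() in TRUE_VALUES  # default false
        if mode == "ldap":
            findings.append(f"{name}: mode=ldap, bind credentials and sync queries are sent without TLS")
        elif not verify:
            findings.append(f"{name}: mode={mode} but verify is off, the server certificate is not checked")
    elif section_type == "openid":
        claim = realm.get("username-claim")
        if claim and claim != "sub":
            findings.append(f"{name}: username-claim={claim}, only 'sub' is guaranteed unique by OpenID")
    return findings


def audit_config(text: str) -> dict[str, list[str]]:
    """Map each realm name to its findings (empty list when nothing was flagged)."""
    return {realm["name"]: audit_realm(realm) for realm in parse_section_config(text)}


if __name__ == "__main__":
    for realm_name, realm_findings in audit_config(SAMPLE_CFG).items():
        status = "; ".join(realm_findings) if realm_findings else "ok"
        print(f"{realm_name}: {status}")
```

Running the script against a live ``domains.cfg`` only requires replacing
``SAMPLE_CFG`` with the file's contents; the checks deliberately mirror the
documented defaults, so a realm that relies on them (``mode`` unset, ``verify``
unset) is reported the same way as one that sets the weak value explicitly.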

