This document describes errors you might encounter when you integrate Active Directory in AlloyDB Omni. Examples of errors and recommended fixes are also provided.
Active Directory isn't working
Description
Active Directory isn't working in AlloyDB Omni, which is caused
by incorrect pg_hba.conf entries. If the entries that you added to the
pg_hba.conf file aren't valid, AlloyDB for PostgreSQL ignores those entries. As a
result, the specified authentication mechanism won't work.
Recommended fix
To view the error message, including information about how to resolve the issue,
sign into psql and run the following command:
docker exec -it alloydb_docs psql -h localhost -U postgres
psql (16.3)
Type "help" for help.
postgres=# table pg_hba_file_rules ;
rule_number | file_name | line_number | type | database | user_name | address | netmask | auth_method | options | error
-------------+--------------------------------------+-------------+---------+----------+--------------------+-----------+-----------------------------------------+-------------+--------------------------+-----------------------------------------------------
1 | /var/lib/postgresql/data/pg_hba.conf | 1 | host | {all} | {alloydbadmin} | 127.0.0.1 | 255.255.255.255 | trust | |
| /var/lib/postgresql/data/pg_hba.conf | 2 | hostssl | {all} | {alloydbadmin} | ::1 | ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff | trust | | hostssl record cannot match because SSL is disabled
| /var/lib/postgresql/data/pg_hba.conf | 3 | hostssl | {all} | {alloydbpgbouncer} | 0.0.0.0 | 0.0.0.0 | cert | {clientcert=verify-full} | hostssl record cannot match because SSL is disabled
| /var/lib/postgresql/data/pg_hba.conf | 4 | hostssl | {all} | {alloydbpgbouncer} | ::1 | ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff | cert | {clientcert=verify-full} | hostssl record cannot match because SSL is disabled
| /var/lib/postgresql/data/pg_hba.conf | 5 | hostssl | {all} | {alloydbadmin} | all | | reject | | hostssl record cannot match because SSL is disabled
| /var/lib/postgresql/data/pg_hba.conf | 6 | | | | | | | | invalid CIDR mask in address "0.0.0.0/1000"
2 | /var/lib/postgresql/data/pg_hba.conf | 7 | local | {all} | {all} | | | trust | |
psql: error: connection to server on socket "/tmp/.s.PGSQL.5432" failed: FATAL: role "user2" does not exist
Description
This error occurs when a system user, who is trying to connect, doesn't have a PostgreSQL user created, or doesn't have a role mapped.
Recommended fix
Create a role in PostgreSQL with the required username, or add an entry for this
user to the pg_ident.conf file.
psql (16.3)
Type "help" for help.
postgres=# CREATE ROLE user2 WITH LOGIN;
CREATE ROLE
Server restart fails with error: "could not load /var/lib/postgresql/data/pg_hba.conf""
Description
The server restart failed because the pg_hba.conf contains invalid entries.
Recommended fix
Check the pg_hba.conf file for invalid entries.