This document describes errors you might encounter when you integrate Active
Directory in AlloyDB Omni. Examples of errors and recommended
fixes are also provided.
Active Directory isn't working
Description
Active Directory isn't working in AlloyDB Omni, which is caused
by incorrectpg_hba.confentries. If the entries that you added to thepg_hba.conffile aren't valid, AlloyDB for PostgreSQL ignores those entries. As a
result, the specified authentication mechanism won't work.
Recommended fix
To view the error message, including information about how to resolve the issue,
sign intopsqland run the following command:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Troubleshoot Active Directory integration in AlloyDB Omni\n\nSelect a documentation version: 16.3.0keyboard_arrow_down\n\n- [Current (16.8.0)](/alloydb/omni/current/docs/troubleshoot-active-directory-integration)\n- [16.8.0](/alloydb/omni/16.8.0/docs/troubleshoot-active-directory-integration)\n- [16.3.0](/alloydb/omni/16.3.0/docs/troubleshoot-active-directory-integration)\n\n\u003cbr /\u003e\n\n|\n| **Preview\n| --- [AlloyDB Omni](/alloydb/omni/16.3.0/docs/overview)**\n|\n|\n| This feature is subject to the \"Pre-GA Offerings Terms\" in the General Service Terms section\n| of the [Service Specific Terms](/terms/service-terms#1).\n|\n| You can process personal data for this feature as outlined in the\n| [Cloud Data Processing\n| Addendum](/terms/data-processing-addendum), subject to the obligations and restrictions described in the agreement under\n| which you access Google Cloud.\n|\n| Pre-GA features are available \"as is\" and might have limited support.\n|\n| For more information, see the\n| [launch stage descriptions](/products#product-launch-stages).\n\nThis document describes errors you might encounter when you integrate Active\nDirectory in AlloyDB Omni. Examples of errors and recommended\nfixes are also provided.\n\nActive Directory isn't working\n------------------------------\n\n**Description**\n\nActive Directory isn't working in AlloyDB Omni, which is caused\nby incorrect `pg_hba.conf` entries. If the entries that you added to the\n`pg_hba.conf` file aren't valid, AlloyDB for PostgreSQL ignores those entries. As a\nresult, the specified authentication mechanism won't work.\n\n**Recommended fix**\n\nTo view the error message, including information about how to resolve the issue,\nsign into `psql` and run the following command: \n\n docker exec -it alloydb_docs psql -h localhost -U postgres\n psql (16.3)\n Type \"help\" for help.\n postgres=# table pg_hba_file_rules ;\n rule_number | file_name | line_number | type | database | user_name | address | netmask | auth_method | options | error\n -------------+--------------------------------------+-------------+---------+----------+--------------------+-----------+-----------------------------------------+-------------+--------------------------+-----------------------------------------------------\n 1 | /var/lib/postgresql/data/pg_hba.conf | 1 | host | {all} | {alloydbadmin} | 127.0.0.1 | 255.255.255.255 | trust | |\n | /var/lib/postgresql/data/pg_hba.conf | 2 | hostssl | {all} | {alloydbadmin} | ::1 | ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff | trust | | hostssl record cannot match because SSL is disabled\n | /var/lib/postgresql/data/pg_hba.conf | 3 | hostssl | {all} | {alloydbpgbouncer} | 0.0.0.0 | 0.0.0.0 | cert | {clientcert=verify-full} | hostssl record cannot match because SSL is disabled\n | /var/lib/postgresql/data/pg_hba.conf | 4 | hostssl | {all} | {alloydbpgbouncer} | ::1 | ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff | cert | {clientcert=verify-full} | hostssl record cannot match because SSL is disabled\n | /var/lib/postgresql/data/pg_hba.conf | 5 | hostssl | {all} | {alloydbadmin} | all | | reject | | hostssl record cannot match because SSL is disabled\n | /var/lib/postgresql/data/pg_hba.conf | 6 | | | | | | | | invalid CIDR mask in address \"0.0.0.0/1000\"\n 2 | /var/lib/postgresql/data/pg_hba.conf | 7 | local | {all} | {all} | | | trust | |\n\n| **Note:** For more information about this issue, open the `postgres.log` file.\n\npsql: error: connection to server on socket \"/tmp/.s.PGSQL.5432\" failed: FATAL: role \"user2\" does not exist\n-----------------------------------------------------------------------------------------------------------\n\n**Description**\n\nThis error occurs when a system user, who is trying to connect, doesn't have a\nPostgreSQL user created, or doesn't have a role mapped.\n\n**Recommended fix**\n\nCreate a role in PostgreSQL with the required username, or add an entry for this\nuser to the `pg_ident.conf` file. \n\n psql (16.3)\n Type \"help\" for help.\n\n postgres=# CREATE ROLE user2 WITH LOGIN;\n CREATE ROLE\n\nServer restart fails with error: \"could not load /var/lib/postgresql/data/pg_hba.conf\"\"\n---------------------------------------------------------------------------------------\n\n**Description**\n\nThe server restart failed because the `pg_hba.conf` contains invalid entries.\n\n**Recommended fix**\n\nCheck the `pg_hba.conf` file for invalid entries.\n\nWhat's next\n-----------\n\n- [Integrate Active Directory with AlloyDB Omni](/alloydb/omni/16.3.0/docs/integrate-active-directory)"]]
