The "FATAL: Ident authentication failed for user" error occurs when PostgreSQL cannot authenticate a connection using ident authentication. This happens when the OS username does not map to the requested database user, or the ident server is unavailable. Fixing requires either switching to password authentication in pg_hba.conf or configuring proper user mappings in pg_ident.conf.
PostgreSQL uses ident authentication by default on local Unix/Linux systems. This authentication method works by asking an ident server (listening on port 113) to confirm the operating system username of the connecting client, then checking if that OS user is allowed to connect as the requested database user. When ident authentication fails, it means one of three things: (1) the ident server on the client machine is not running or unreachable, (2) the OS username does not match the database username (and no mapping is configured), or (3) the pg_ident.conf mapping file is missing or improperly configured. Unlike password authentication which uses database-stored credentials, ident authentication relies entirely on the operating system's user identity, making it unsuitable for remote TCP/IP connections, application servers, or any scenario where the OS user does not correspond to a database user. The error is fatal because PostgreSQL cannot proceed without authentication.
The pg_hba.conf file controls PostgreSQL authentication rules. You need to check what authentication method is configured.
-- Query from psql (if you can connect as postgres user):
SHOW hba_file;# Common locations:
/var/lib/postgresql/VERSION/main/pg_hba.conf # Debian/Ubuntu
/var/lib/pgsql/VERSION/data/pg_hba.conf # RHEL/CentOS
/usr/local/var/postgres/pg_hba.conf # macOS Homebrew
/opt/homebrew/var/postgres/pg_hba.conf # Apple Silicon Homebrew
# View the file:
cat /var/lib/postgresql/14/main/pg_hba.confLook for lines that specify "ident" as the authentication method.
The most common fix is to replace ident authentication with password authentication. This allows connections with usernames and passwords rather than relying on OS user identity.
# Backup the original file first:
sudo cp /var/lib/postgresql/14/main/pg_hba.conf /var/lib/postgresql/14/main/pg_hba.conf.backup
# Edit the file:
sudo nano /var/lib/postgresql/14/main/pg_hba.confFind lines like:
local all all ident
host all all 127.0.0.1/32 ident
host all all ::1/128 identChange them to:
local all all md5
host all all 127.0.0.1/32 md5
host all all ::1/128 md5Use "md5" for PostgreSQL < 10, "scram-sha-256" for PostgreSQL >= 10 (more secure).
After modifying pg_hba.conf, you must reload the configuration for changes to take effect.
# Option 1: Reload configuration without restarting (preferred):
sudo systemctl reload postgresql
# or:
sudo -u postgres pg_ctl reload -D /var/lib/postgresql/14/main
# Option 2: Full restart (if reload does not work):
sudo systemctl restart postgresql
# Verify the service is running:
sudo systemctl status postgresqlReloading is faster and does not disconnect existing clients.
Now try connecting using password authentication. If no password is set, set one first.
# Connect as the postgres user (without password initially):
sudo -u postgres psql
# Inside psql, set a password for the user:
alter user postgres with password 'securepassword';
quit;
# Now try connecting with password prompt:
psql -U postgres -h 127.0.0.1 -W
# Enter the password you just set
# Verify the connection succeeds:
select version();If this works, your pg_hba.conf change was successful.
If you must use ident authentication (for local Unix domain socket connections), you need to configure user mappings in pg_ident.conf.
# Find pg_ident.conf:
SHOW ident_file; -- from psql
# Common location:
/var/lib/postgresql/14/main/pg_ident.conf
# Edit the file and add mappings:
sudo nano /var/lib/postgresql/14/main/pg_ident.confAdd a line like:
mymap osusername dbusernameFor example, to allow OS user "appuser" to connect as database user "app_db":
mymap appuser app_dbThen in pg_hba.conf, reference this map:
local app_db app_db map=mymapReload PostgreSQL:
sudo systemctl reload postgresqlIdent authentication only works for local Unix domain socket connections. Remote TCP/IP connections must use password, SCRAM, or other authentication methods.
# Check for ident in TCP/IP connection lines:
grep "host.*ident" /var/lib/postgresql/14/main/pg_hba.confIf found, change to:
host all all 0.0.0.0/0 scram-sha-256Remote connections require:
1. A password set on the database user
2. pg_hba.conf allowing the host (or range) with password/scram auth
3. PostgreSQL listening on the network interface (check "listen_addresses" in postgresql.conf)
Reload configuration:
sudo systemctl reload postgresqlThe ident protocol (RFC 1413) is fundamentally trust-based: it assumes the client machine's ident server honestly reports which OS user initiated the connection. This makes ident only appropriate for closed networks with trusted machines under tight administrative control. Modern PostgreSQL installations favor SCRAM-SHA-256 (Salted Challenge Response Authentication Mechanism) over MD5, which is cryptographically weak.
When debugging ident failures, enable PostgreSQL logging to see the full authentication attempt:
ALTER SYSTEM SET log_connections = on; ALTER SYSTEM SET log_disconnections = on; SELECT pg_reload_conf();
Then check the logs at /var/log/postgresql/postgresql.log.
For containerized PostgreSQL (Docker), ident authentication almost never works because the container OS user does not map to the host. Always use password/SCRAM authentication in containers.
On macOS with Homebrew, the default pg_hba.conf often uses "trust" for local connections, allowing any OS user to connect without authentication. While convenient for development, this is a significant security risk in any multi-user or networked setup. Prefer "md5" or "scram-sha-256" even locally.
PostgreSQL 10+ prefers "scram-sha-256" over "md5", but "password" (unencrypted) is never recommended. Always specify "scram-sha-256" when possible, as it resists dictionary attacks and is the modern standard.
ERROR: syntax error at end of input
Syntax error at end of input in PostgreSQL
Bind message supplies N parameters but prepared statement requires M
Bind message supplies N parameters but prepared statement requires M in PostgreSQL
Multidimensional arrays must have sub-arrays with matching dimensions
Multidimensional arrays must have sub-arrays with matching dimensions
ERROR: value too long for type character varying
Value too long for type character varying
insufficient columns in unique constraint for partition key
How to fix "insufficient columns in unique constraint for partition key" in PostgreSQL