PostgreSQL Peer Authentication Failure: Fixing “provided user name and authenticated user name do not match” Error



When configuring TinyRSS with PostgreSQL, a common authentication challenge arises with the following error pattern:

LOG:  provided user name (tinyrss) and authenticated user name (apache) do not match
FATAL:  Peer authentication failed for user "tinyrss"

This occurs because PostgreSQL's peer authentication method requires the operating system user (in this case 'apache') to match the database username ('tinyrss') exactly.

PostgreSQL offers several authentication methods in pg_hba.conf:

  • peer: Matches OS user with DB user (Unix sockets only)
  • ident: Similar to peer, but for TCP/IP connections; the OS user name is obtained from an ident server on the client host
  • md5: Password-based authentication
  • trust: No authentication (not recommended for production)

For web applications like TinyRSS where the service user (apache/nginx) differs from the DB user, we need a username mapping solution:

# In pg_ident.conf
# Format: MAPNAME SYSTEM-USERNAME PG-USERNAME
tinyrss_mapping apache tinyrss
tinyrss_mapping www-data tinyrss  # For Debian/Ubuntu systems

Then modify pg_hba.conf accordingly:

# TYPE  DATABASE  USER     ADDRESS         METHOD        OPTIONS
host    all       tinyrss  127.0.0.1/32    ident         map=tinyrss_mapping
local   all       tinyrss                  peer          map=tinyrss_mapping

For simpler setups, consider switching to md5 authentication:

# In pg_hba.conf
host    all       tinyrss  127.0.0.1/32    md5

# Then set a password:
ALTER USER tinyrss WITH PASSWORD 'secure_password123';

  • Verify pg_ident.conf permissions (should be readable by postgres user)
  • Check for typos in mapping names
  • Reload PostgreSQL after config changes: sudo systemctl reload postgresql
  • Confirm Apache's runtime user with ps aux | grep apache

Enable verbose logging in postgresql.conf while troubleshooting (log_statement = 'all' records every SQL statement, so revert it afterwards):

log_connections = on
log_disconnections = on
log_statement = 'all'

Then check logs with:

sudo tail -f /var/log/postgresql/postgresql-[version]-main.log

When setting up TinyRSS with PostgreSQL, you might encounter this authentication error where the system user (typically the web server process) doesn't match your database user. PostgreSQL's peer authentication is strict about matching system and database usernames by default.

LOG:  provided user name (tinyrss) and authenticated user name (apache) do not match
FATAL:  Peer authentication failed for user "tinyrss"

The solution involves correctly configuring both pg_hba.conf and pg_ident.conf. Here's the proper way to set it up:

pg_ident.conf

# MAPNAME     SYSTEM-USERNAME   PG-USERNAME
tinymap      apache            tinyrss
tinymap      www-data          tinyrss
tinymap      nginx             tinyrss

pg_hba.conf

# TYPE  DATABASE    USER        ADDRESS         METHOD
local   all         tinyrss                     peer map=tinymap
host    all         tinyrss     127.0.0.1/32    md5
host    all         tinyrss     ::1/128         md5
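
The two files can be checked offline before reloading the server. The following Python sketch is an added example, not code from the original page or from PostgreSQL: it models only "local" records, the peer method and the map= option, and it goes slightly beyond the text by also showing the first-match rule. The names check_local and parse_ident and the IDENT/HBA sample strings are constructed for illustration.

```python
# Added example: simplified model, not PostgreSQL's own code. Not handled:
# regex entries (/...), +role, @file, quoted names, sameuser/samerole keywords.
IDENT = """\
# MAPNAME     SYSTEM-USERNAME   PG-USERNAME   (constructed sample)
tinymap      apache            tinyrss
tinymap      www-data          tinyrss
"""
HBA = """\
local   all         tinyrss                     peer map=tinymap
host    all         tinyrss     127.0.0.1/32    md5
"""

def _rows(text):
    """Yield whitespace-split fields per line, dropping '#' comments and blanks."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            yield fields

def parse_ident(text):
    """Return {map_name: {(system_user, pg_user), ...}}."""
    maps = {}
    for fields in _rows(text):
        if len(fields) >= 3:
            maps.setdefault(fields[0], set()).add((fields[1], fields[2]))
    return maps

def _matches(field, value):
    return field == "all" or value in field.split(",")

def check_local(hba_text, ident_text, os_user, db_user, database):
    """Return (allowed, reason); allowed is None when peer does not decide."""
    maps = parse_ident(ident_text)
    for f in _rows(hba_text):
        if len(f) < 4 or f[0] != "local":
            continue
        if not (_matches(f[1], database) and _matches(f[2], db_user)):
            continue
        # The first matching record decides; there is no fall-through.
        if f[3] != "peer":
            return (None, f"decided by method {f[3]}")
        map_name = next((o[4:] for o in f[4:] if o.startswith("map=")), None)
        if map_name is None:
            return (os_user == db_user, "no map: OS and DB names must be equal")
        # With a map, only its entries count (no implicit same-name match).
        ok = (os_user, db_user) in maps.get(map_name, set())
        return (ok, f"map {map_name}: {os_user} -> {db_user}")
    return (False, "no matching local record")
```

With these samples, apache connecting as tinyrss is allowed through tinymap, while root is refused. Placing a generic "local all all peer" record above the tinyrss line makes the apache check fail again, because the first matching record wins and it carries no map.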

For web applications, password authentication is often more practical:

# In pg_hba.conf
host    all     tinyrss     127.0.0.1/32    md5

# Then connect using:
psql -h 127.0.0.1 -U tinyrss -d tinyrss_db

If issues persist:

  1. Verify the PostgreSQL service is running: sudo systemctl status postgresql
  2. Check connection logs: tail -f /var/log/postgresql/postgresql-*.log
  3. Test basic connectivity: sudo -u postgres psql -c "SELECT version();"

When using ident/peer authentication:

  • Ensure system users are properly secured
  • Consider using connection pooling for web applications
  • Regularly audit your pg_hba.conf rules

For production environments, combining multiple authentication methods often works best, allowing both local peer authentication for admins and password authentication for application users.