2011 Posted by Iqbal Goralwalla

Beware of ‘over-federating’

During a recent DB2-LDAP configuration at a client site, I stumbled upon a bizarre security exposure.

Using any DB2 client tool, it was possible to connect to the database as any user without having to get the password right! Once connected to the database, you only had access to the tables that the user (group) had access to. However, this meant if anyone got the right username for the DB2 instance owner then they could select/add/delete any data they liked! Basically they had SYSADM authority. Yikes!

It so happened that in a desperate attempt to get federated technology to work, in addition to enabling the FEDERATED database manager parameter, the  FED_NOAUTH (bypass federated authentication) parameter had also been enabled (set to YES). And therein was the problem. When FED_NOAUTH is set to YES, FEDERATED is set to YES, and authentication is set to SERVER or SERVER_ENCRYPT, then authentication at the instance is bypassed. It is assumed that authentication will happen at the data source. You do not need FED_NOAUTH enabled to implement federation in DB2.

I can “see” you checking your  FED_NOAUTH setting! 😉

« | »
Have a Question?

Get in touch with our expert team and see how we can help with your IT project, call us on +44(0) 870 2411 550 or use our contact form…