Jan 12, 2011 Posted by Iqbal Goralwalla

Beware of ‘over-federating’

During a recent DB2-LDAP configuration at a client site, I stumbled upon a bizarre security exposure.

Using any DB2 client tool, it was possible to connect to the database as any user without having to get the password right! Once connected, you only had access to the tables that the user (or the user's group) had access to. However, this meant that if anyone knew the username of the DB2 instance owner, they could select, add or delete any data they liked, because the instance owner holds SYSADM authority. Yikes!

It so happened that, in a desperate attempt to get federation to work, the FED_NOAUTH (bypass federated authentication) database manager parameter had been set to YES in addition to the FEDERATED parameter. And therein was the problem. When FED_NOAUTH is YES, FEDERATED is YES, and AUTHENTICATION is SERVER or SERVER_ENCRYPT, authentication at the instance is bypassed: DB2 assumes that authentication will happen at the data source instead. You do not need FED_NOAUTH enabled to implement federation in DB2.
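The three-parameter condition above is easy to check from the instance shell. The script below is an added example, not part of the original post: it extracts AUTHENTICATION, FEDERATED and FED_NOAUTH from a `db2 get dbm cfg` listing and reports when the combination bypasses instance authentication. The two listings embedded in it are constructed samples (the real listing has many more lines and slightly different spacing); the `db2 get dbm cfg` and `db2 update dbm cfg using FED_NOAUTH NO` commands are standard DB2 CLP syntax, and the live check assumes the instance environment is already sourced.

```sh
#!/bin/sh
# Detect the DB2 FED_NOAUTH exposure: FED_NOAUTH=YES + FEDERATED=YES +
# AUTHENTICATION in {SERVER, SERVER_ENCRYPT} means no password check at the instance.

# Constructed sample: the misconfiguration described in the post.
SAMPLE_CFG='
 Database manager authentication        (AUTHENTICATION) = SERVER
 Federated Database System Support           (FEDERATED) = YES
 Bypass federated authentication            (FED_NOAUTH) = YES
'

# Constructed sample: federation enabled the right way (FED_NOAUTH left at NO).
SAFE_CFG='
 Database manager authentication        (AUTHENTICATION) = SERVER_ENCRYPT
 Federated Database System Support           (FEDERATED) = YES
 Bypass federated authentication            (FED_NOAUTH) = NO
'

# cfg_value NAME: read a dbm cfg listing on stdin and print the value of
# the parameter whose short name appears in parentheses, e.g. FED_NOAUTH.
cfg_value() {
    sed -n "s/.*($1) = *\([^ ]*\).*/\1/p" | head -n 1
}

# fed_noauth_exposed LISTING: exit 0 when the listing shows instance
# authentication being bypassed, non-zero otherwise.
fed_noauth_exposed() {
    _auth=$(printf '%s\n' "$1" | cfg_value AUTHENTICATION)
    _fed=$(printf '%s\n' "$1" | cfg_value FEDERATED)
    _noauth=$(printf '%s\n' "$1" | cfg_value FED_NOAUTH)
    [ "$_noauth" = "YES" ] && [ "$_fed" = "YES" ] && \
        { [ "$_auth" = "SERVER" ] || [ "$_auth" = "SERVER_ENCRYPT" ]; }
}

# Live check, only when the DB2 CLP is on PATH (assumes the instance
# environment has been sourced, e.g. via the instance owner's db2profile).
if command -v db2 >/dev/null 2>&1; then
    _live=$(db2 get dbm cfg)
    if fed_noauth_exposed "$_live"; then
        echo "EXPOSED: instance authentication is bypassed by FED_NOAUTH=YES"
        echo "Fix:     db2 update dbm cfg using FED_NOAUTH NO   (then db2stop / db2start)"
    else
        echo "OK: FED_NOAUTH does not bypass instance authentication"
    fi
fi
```

Running it on the constructed samples, `fed_noauth_exposed "$SAMPLE_CFG"` succeeds (exposed) and `fed_noauth_exposed "$SAFE_CFG"` fails (not exposed). The check deliberately requires all three conditions, matching the rule in the post: FED_NOAUTH=YES on its own, with AUTHENTICATION=CLIENT for instance, is not flagged.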

I can “see” you checking your FED_NOAUTH setting! 😉
