This document discusses a security issue that occurred when DB2 federation was improperly configured. Specifically:

1. A client site configured DB2-LDAP federation but also enabled the FED_NOAUTH parameter, bypassing authentication.
2. This meant any user could connect to the database as any other user without providing the correct password.
3. If the database owner username was guessed, full access to all data could be obtained, potentially exposing the database to a major security breach.

The issue was caused by incorrectly enabling the FED_NOAUTH parameter when federation was set up. Proper authentication should have occurred at the database rather than being bypassed. The moral is to not enable
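
An audit check for the misconfiguration described above, as an added example that is not part of the original document: it reads database manager configuration text (such as the output of `db2 get dbm cfg`) and flags FED_NOAUTH=YES together with FEDERATED=YES. The function names `dbm_param` and `check_fed_noauth` are hypothetical, and the sample configuration lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original document): flag the FED_NOAUTH bypass
# in database manager configuration text such as `db2 get dbm cfg` output.

# Constructed sample input, modelled on the "(PARAMETER) = value" layout.
SAMPLE_BAD=' Database manager authentication        (AUTHENTICATION) = SERVER
 Federated Database System Support           (FEDERATED) = YES
 Bypass federated authentication            (FED_NOAUTH) = YES'
SAMPLE_GOOD=' Database manager authentication        (AUTHENTICATION) = SERVER
 Federated Database System Support           (FEDERATED) = YES
 Bypass federated authentication            (FED_NOAUTH) = NO'

# dbm_param NAME TEXT: print the upper-cased value of "(NAME) = value".
dbm_param() {
    printf '%s\n' "$2" | awk -v p="($1)" '
        index(toupper($0), p) {
            sub(/^[^=]*=[ \t]*/, "")    # drop label and "="
            sub(/[ \t\r]+$/, "")        # drop trailing whitespace / CR
            print toupper($0); exit
        }'
}

# check_fed_noauth TEXT
# returns 0 = bypass off, 1 = bypass on with federation enabled,
#         2 = FED_NOAUTH=YES but federation off (latent), 3 = not found
check_fed_noauth() {
    noauth=$(dbm_param FED_NOAUTH "$1")
    fed=$(dbm_param FEDERATED "$1")
    auth=$(dbm_param AUTHENTICATION "$1")
    case "$noauth" in
        "")  echo "UNKNOWN: FED_NOAUTH not found in input"; return 3 ;;
        YES) if [ "$fed" = "YES" ]; then
                 echo "FAIL: FED_NOAUTH=YES with FEDERATED=YES (AUTHENTICATION=$auth)"
                 return 1
             fi
             echo "WARN: FED_NOAUTH=YES, FEDERATED=$fed"; return 2 ;;
        *)   echo "OK: FED_NOAUTH=$noauth"; return 0 ;;
    esac
}

# Demo on the constructed samples; real use: check_fed_noauth "$(db2 get dbm cfg)"
check_fed_noauth "$SAMPLE_BAD"  || true
check_fed_noauth "$SAMPLE_GOOD" || true
```

Run as the instance owner, the check can gate a configuration review: a non-zero return means FED_NOAUTH needs attention before the instance accepts connections.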