首页 / 数据库 / MySQL / ORA-28000 the account is locked错误模拟
错误信息如下: OCI-Call Error sql code 28000,the account is locked SQL> !oerr ora 28000 28000, 00000, "the account is locked" // *Cause: The user has entered wrong password consequently for maximum // number of times specified by the user"s profile parameter // FAILED_LOGIN_ATTEMPTS, or the DBA has locked the account // *Action: Wait for PASSWORD_LOCK_TIME or contact DBA Note: FAILED_LOGIN_ATTEMPTS=10 尝试登陆失败的次数为10次,10次之后该用户将被锁定。 PASSWORD_LOCK_TIME=15 在尝试登陆指定的次数10后,该用户将被锁定15天 目标:将账户hjj从OPEN状态变为LOCKED。 下面进行模拟28000错误 1.查看当前环境 SQL> select username,account_status,profile from dba_users where username="HJJ";USERNAME ACCOUNT_STATUS PROFILE ------------------------------ -------------------------------- ------------------------------ HJJ OPEN DEFAULT 账户hjj是OPEN的 SQL> select * from dba_profiles;PROFILE RESOURCE_NAME RESOURCE LIMIT ------------------------------ ------------------------------ -------- ------------------------------ DEFAULT FAILED_LOGIN_ATTEMPTS PASSWORD 10 DEFAULT PASSWORD_LOCK_TIME PASSWORD UNLIMITED 默认是尝试登陆10次,之后账户一直被锁定。 为了测试,我们将FAILED_LOGIN_ATTEMPTS改为3 SQL> alter profile default limit FAILED_LOGIN_ATTEMPTS 3;Profile altered. SQL> select * from dba_profiles where resource_name in("FAILED_LOGIN_ATTEMPTS") and profile="DEFAULT";PROFILE RESOURCE_NAME RESOURCE LIMIT ------------------------------ ------------------------------ -------- ------------------------------ DEFAULT FAILED_LOGIN_ATTEMPTS PASSWORD 3 2.登陆测试 故意输错密码3次,看账户hjj会不会被锁定。 [Oracle@ora10g ~]$ sqlplus hjj/hjjSQL*Plus: Release 10.2.0.5.0 - Production on Mon Nov 3 21:36:00 2014Copyright (c) 1982, 2010, Oracle. All Rights Reserved.ERROR: ORA-01017: invalid username/password; logon denied Enter user-name: ERROR: ORA-01017: invalid username/password; logon denied Enter user-name: ERROR: ORA-01017: invalid username/password; logon denied SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus [oracle@ora10g ~]$ sqlplus hjj/hjjSQL*Plus: Release 10.2.0.5.0 - Production on Mon Nov 3 21:36:04 2014Copyright (c) 1982, 2010, Oracle. All Rights Reserved.ERROR: ORA-01017: invalid username/password; logon denied Enter user-name: ERROR: ORA-01017: invalid username/password; logon denied Enter user-name: ERROR: ORA-01017: invalid username/password; logon denied SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus [oracle@ora10g ~]$ [oracle@ora10g ~]$ sqlplus hjj/hjjSQL*Plus: Release 10.2.0.5.0 - Production on Mon Nov 3 21:36:08 2014Copyright (c) 1982, 2010, Oracle. All Rights Reserved.ERROR: ORA-01017: invalid username/password; logon denied Enter user-name: ERROR: ORA-01017: invalid username/password; logon denied Enter user-name: ERROR: ORA-01017: invalid username/password; logon deniedSP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus 再来查看账户状态 SQL> select username,account_status,profile from dba_users where username="HJJ";USERNAME ACCOUNT_STATUS PROFILE ------------------------------ -------------------------------- ------------------------------ HJJ LOCKED DEFAULT 可以看到账户被锁定了。 3.普通账户登陆,必须在数据库处于OPEN状态才能登陆,而sys用户在数据库关闭状态下也可以,使用OS认证。 测试账户hjj在数据库处于关闭状态,尝试登陆3次失败后会不会被锁定。先将用户解锁。 SQL> alter user hjj account unlock;User altered.SQL> select username,account_status,profile from dba_users where username="HJJ";USERNAME ACCOUNT_STATUS PROFILE ------------------------------ -------------------------------- ------------------------------ HJJ OPEN DEFAULT [oracle@ora10g ~]$ sqlplus / as sysdbaSQL*Plus: Release 10.2.0.5.0 - Production on Mon Nov 3 21:42:43 2014Copyright (c) 1982, 2010, Oracle. All Rights Reserved. Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.5.0 - Production With the Partitioning, OLAP, Data Mining and Real Application Testing optionsSQL> shutdown immediate Database closed. Database dismounted. ORACLE instance shut down. SQL> exit [oracle@ora10g ~]$ sqlplus hjj/hjjSQL*Plus: Release 10.2.0.5.0 - Production on Mon Nov 3 21:44:18 2014Copyright (c) 1982, 2010, Oracle. All Rights Reserved.ERROR: ORA-01034: ORACLE not available ORA-27101: shared memory realm does not exist Linux Error: 2: No such file or directory Enter user-name: ERROR: ORA-01017: invalid username/password; logon denied Enter user-name: ERROR: ORA-01017: invalid username/password; logon deniedSP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus [oracle@ora10g ~]$ sqlplus hjj/hjjSQL*Plus: Release 10.2.0.5.0 - Production on Mon Nov 3 21:44:22 2014Copyright (c) 1982, 2010, Oracle. All Rights Reserved.ERROR: ORA-01034: ORACLE not available ORA-27101: shared memory realm does not exist Linux Error: 2: No such file or directoryEnter user-name: ERROR: ORA-01017: invalid username/password; logon denied Enter user-name: ERROR: ORA-01017: invalid username/password; logon denied SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus [oracle@ora10g ~]$ sqlplus hjj/hjjSQL*Plus: Release 10.2.0.5.0 - Production on Mon Nov 3 21:44:24 2014Copyright (c) 1982, 2010, Oracle. All Rights Reserved.ERROR: ORA-01034: ORACLE not available ORA-27101: shared memory realm does not exist Linux Error: 2: No such file or directory Enter user-name: ERROR: ORA-01017: invalid username/password; logon denied Enter user-name: ERROR: ORA-01017: invalid username/password; logon denied SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus [oracle@ora10g ~]$ sqlplus / as sysdbaSQL*Plus: Release 10.2.0.5.0 - Production on Mon Nov 3 21:44:33 2014Copyright (c) 1982, 2010, Oracle. All Rights Reserved.Connected to an idle instance.SQL> startup ORACLE instance started.Total System Global Area 503316480 bytes Fixed Size 1274548 bytes Variable Size 327159116 bytes Database Buffers 171966464 bytes Redo Buffers 2916352 bytes Database mounted. Database opened. SQL> select username,account_status,profile from dba_users where username="HJJ"; USERNAME ACCOUNT_STATUS PROFILE ------------------------------ -------------------------------- ------------------------------ HJJ OPEN DEFAULT 这也就证明了数据库没有处于OPEN状态,普通用户无法登陆,登陆的时候要去dba_users查找用户是否存在,如果存在,判断用户名和密码是否正确;如果找不到该用户,就会提示用户不存在。 4.oracle如何记录用户的登陆次数 在dba_users的基表user$记录着用户的登陆次数,我们看看user$表的创建语法 [oracle@ora10g db_1]$ cd rdbms/admin/ [oracle@ora10g admin]$ ls -ltr sql.bsq -rw-r--r-- 1 oracle oinstall 445473 Apr 2 2010 sql.bsq create table user$ ( user# number not null, name varchar2("M_IDEN") not null, type# number not null, password varchar2("M_IDEN"), datats# number not null, tempts# number not null, ctime date not null, ptime date, exptime date, ltime date, resource$ number not null, audit$ varchar2("S_OPFL"), defrole number not null,
defgrp# number, defgrp_seq# number, astatus number default 0 not null,
lcount number default 0 not null, ---失败登陆尝试次数。 defschclass varchar2("M_IDEN"), ext_username varchar2("M_VCSZ"), spare1 number, spare2 number, spare3 number, spare4 varchar2(1000), spare5 varchar2(1000), spare6 date ) SQL> select user#,name,ASTATUS,LCOUNT from user$ where name="HJJ"; USER# NAME ASTATUS LCOUNT ---------- ------------------------------ ---------- ---------- 55 HJJ 0 0 LCOUNT就是记录用户登陆次数(失败和成功) [oracle@ora10g ~]$ sqlplus hjj/hjjSQL*Plus: Release 10.2.0.5.0 - Production on Mon Nov 3 22:01:09 2014Copyright (c) 1982, 2010, Oracle. All Rights Reserved.ERROR: ORA-01017: invalid username/password; logon denied Enter user-name: ERROR: ORA-01017: invalid username/password; logon denied Enter user-name: ERROR: ORA-01017: invalid username/password; logon denied SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus SQL> / USER# NAME ASTATUS LCOUNT ---------- ------------------------------ ---------- ---------- 55 HJJ 0 1 --登陆一次 [oracle@ora10g ~]$ sqlplus hjj/oracleSQL*Plus: Release 10.2.0.5.0 - Production on Mon Nov 3 22:03:35 2014Copyright (c) 1982, 2010, Oracle. All Rights Reserved.Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.5.0 - Production With the Partitioning, OLAP, Data Mining and Real Application Testing options SQL> / USER# NAME ASTATUS LCOUNT ---------- ------------------------------ ---------- ---------- 55 HJJ 0 0 只要在FAILED_LOGIN_ATTEMPTS指定的范围之内登陆成功一次,LCOUNT会重置为0。 如果失败登陆三次,观察LCOUNT的值和状态。 SQL> / USER# NAME ASTATUS LCOUNT ---------- ------------------------------ ---------- ---------- 55 HJJ 0 1SQL> / USER# NAME ASTATUS LCOUNT ---------- ------------------------------ ---------- ---------- 55 HJJ 0 2SQL> / USER# NAME ASTATUS LCOUNT ---------- ------------------------------ ---------- ---------- 55 HJJ 8 3 SQL> select username,account_status,profile from dba_users where username="HJJ"; USERNAME ACCOUNT_STATUS PROFILE ------------------------------ -------------------------------- ------------------------------ HJJ LOCKED DEFAULT 再次用正确的密码登陆 [oracle@ora10g admin]$ sqlplus hjj/oracleSQL*Plus: Release 10.2.0.5.0 - Production on Mon Nov 3 22:10:17 2014Copyright (c) 1982, 2010, Oracle. All Rights Reserved.ERROR: ORA-28000: the account is locked5.总结 普通用户登陆需要访问oracle相关视图,在user$.lcount记录着用户失败登陆的次数,如果lcount>=profile.FAILED_LOGIN_ATTEMPTS时,账户会自动被锁定,锁定的时间由PASSWORD_LOCK_TIME决定。配置profile中的参数主要了为了安全性考虑。更多Oracle相关信息见Oracle 专题页面 http://www.linuxidc.com/topicnews.aspx?tid=12本文永久更新链接地址
易网时代-编程资源站