Theaccountislocked

Theaccountislocked

SQL> select * from v$version where rownum=1;
BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production
SQL> !cat /etc/issue
Enterprise Linux Enterprise Linux Server release 5.5 (Carthage)
Kernel \r on an \m

從oracle10g開始，對用戶默認登陸失敗次數有限制，默認用戶的failed_login_attempts設置口令的失敗次數為10，如果10次登陸失敗，則該用戶被鎖定：
SQL> select * from dba_profiles where resource_name='FAILED_LOGIN_ATTENMPTS';
未選定行

上面沒有選定的行是因為上次被我設置限制了,下面我們設置：
SQL> alter profile default limit failed_login_attempts 2;

配置文件已更改
SQL> select * from dba_profiles where resource_name='FAILED_LOGIN_ATTEMPTS';

PROFILE RESOURCE_NAME RESOURCE LIMIT
------------------------------ -------------------------------- -------- ----------------------------------------
DEFAULT FAILED_LOGIN_ATTEMPTS PASSWORD 2
MONITORING_PROFILE FAILED_LOGIN_ATTEMPTS PASSWORD UNLIMITED
當然也可以無限制：
SQL> alter profile default limit FAILED_LOGIN_ATTEMPTS unlimited;


配置文件已更改


SQL> select * from dba_profiles where resource_name='FAILED_LOGIN_ATTEMPTS';


PROFILE RESOURCE_NAME RESOURCE LIMIT
------------------------------ -------------------------------- -------- ----------------------------------------
DEFAULT FAILED_LOGIN_ATTEMPTS PASSWORD UNLIMITED
MONITORING_PROFILE FAILED_LOGIN_ATTEMPTS PASSWORD UNLIMITED

下面我們模擬當兩次失敗登陸提示：

[oracle@localhost ~]$ sqlplus /nolog


SQL*Plus: Release 11.2.0.1.0 Production on 星期三 6月 10 18:52:02 2015


Copyright (c) 1982, 2009, Oracle. All rights reserved.


SQL> conn hr/w
ERROR:
ORA-01017: invalid username/password; logon denied




SQL> conn hr/w
ERROR:
ORA-01017: invalid username/password; logon denied




SQL> conn hr/w
ERROR:
ORA-28000: the account is locked


失敗登陸次數的限制有利於數據庫的安全，生產庫可以使用。

但是如何知道當前失敗多次了呢？

用戶的狀態信息是通過dba_users來展現的：
SQL> select count(*) from dba_users;

執行計劃
----------------------------------------------------------
Plan hash value: 3953741735


-------------------------------------------------------------------------------------------------------
| Id | Operation | Name | Rows | Bytes | Cost (%CPU)| Time |
-------------------------------------------------------------------------------------------------------
| 0 | SELECT STATEMENT | | 1 | 86 | 30 (10)| 00:00:01 |
| 1 | SORT AGGREGATE | | 1 | 86 | | |
|* 2 | HASH JOIN | | 11 | 946 | 30 (10)| 00:00:01 |
|* 3 | HASH JOIN | | 11 | 913 | 23 (14)| 00:00:01 |
|* 4 | HASH JOIN | | 11 | 880 | 20 (10)| 00:00:01 |
|* 5 | HASH JOIN | | 14 | 994 | 18 (12)| 00:00:01 |
|* 6 | HASH JOIN OUTER | | 14 | 952 | 10 (10)| 00:00:01 |
|* 7 | HASH JOIN | | 14 | 546 | 8 (13)| 00:00:01 |
| 8 | MERGE JOIN CARTESIAN| | 1 | 11 | 4 (0)| 00:00:01 |
|* 9 | TABLE ACCESS FULL | PROFILE$ | 1 | 9 | 2 (0)| 00:00:01 |
| 10 | BUFFER SORT | | 1 | 2 | 2 (0)| 00:00:01 |
| 11 | TABLE ACCESS FULL | PROFNAME$ | 1 | 2 | 2 (0)| 00:00:01 |
|* 12 | TABLE ACCESS FULL | USER$ | 36 | 1008 | 3 (0)| 00:00:01 |
|* 13 | TABLE ACCESS FULL | RESOURCE_GROUP_MAPPING$ | 1 | 29 | 2 (0)| 00:00:01 |
| 14 | TABLE ACCESS FULL | TS$ | 20 | 60 | 7 (0)| 00:00:01 |
|* 15 | TABLE ACCESS FULL | PROFILE$ | 2 | 18 | 2 (0)| 00:00:01 |
| 16 | TABLE ACCESS FULL | USER_ASTATUS_MAP | 9 | 27 | 2 (0)| 00:00:01 |
| 17 | TABLE ACCESS FULL | TS$ | 20 | 60 | 7 (0)| 00:00:01 |
-------------------------------------------------------------------------------------------------------

看下底層表USER$:
SQL> DESC USER$
名稱 是否為空? 類型
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -------- ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
USER# NOT NULL NUMBER
NAME NOT NULL VARCHAR2(30)
TYPE# NOT NULL NUMBER
PASSWORD VARCHAR2(30)
DATATS# NOT NULL NUMBER
TEMPTS# NOT NULL NUMBER
CTIME NOT NULL DATE
PTIME DATE
EXPTIME DATE
LTIME DATE
RESOURCE$ NOT NULL NUMBER
AUDIT$ VARCHAR2(38)
DEFROLE NOT NULL NUMBER
DEFGRP# NUMBER
DEFGRP_SEQ# NUMBER
ASTATUS NOT NULL NUMBER
LCOUNT NOT NULL NUMBER
DEFSCHCLASS VARCHAR2(30)
.........
.........
以上的探索思路，來自eygle大師《循序漸進，ORACLE 數據庫管理，優化與備份恢復》一書，
LCOUNT很讓人敏感：
SQL> select name,lcount from user$ where name='HR';
NAME LCOUNT
------------------------------ ----------
HR 0

==========================================================
[oracle@localhost ~]$ sqlplus /nolog


SQL*Plus: Release 11.2.0.1.0 Production on 星期三 6月 10 19:03:40 2015


Copyright (c) 1982, 2009, Oracle. All rights reserved.


SQL> conn hr/s
ERROR:
ORA-01017: invalid username/password; logon denied

SQL> select name,lcount from user$ where name='HR';


NAME LCOUNT
------------------------------ ----------
HR 1


================================================

SQL> conn hr/s
ERROR:
ORA-01017: invalid username/password; logon denied


SQL> select name,lcount from user$ where name='HR';


NAME LCOUNT
------------------------------ ----------
HR 2


通過實驗，我們發現lcount這個字段記錄的是失敗登陸次數，如登陸成功後，自動清空為0
如果再繼續研究，則不得不提起之前文章中提起的重要腳本：sql.bsq,讀者感興趣自行研究