
ORA-28000: the account is locked: troubleshooting and resolving a locked user account

Jun 07, 2016 pm 04:43 PM

Today a colleague reported a problem: on a test database, after the password was changed and the password used by the related applications was updated, the account still got locked after a short while, with the error ORA-28000: the account is locked.
 
Investigation:
 1. Check the parameter that enables resource limits
 SQL> show parameter resource
 NAME                                TYPE        VALUE
 ------------------------------------ ----------- ------------------------------
 resource_limit                      boolean    FALSE
 FALSE means resource limits are not enabled.
 
2. Check the PROFILE used by this user
 SQL> select resource_name, limit from dba_profiles where profile='DEFAULT';
 RESOURCE_NAME                    LIMIT
 -------------------------------- ----------------------------------------
 COMPOSITE_LIMIT                  UNLIMITED
 SESSIONS_PER_USER                UNLIMITED
 CPU_PER_SESSION                  UNLIMITED
 CPU_PER_CALL                    UNLIMITED
 LOGICAL_READS_PER_SESSION        UNLIMITED
 LOGICAL_READS_PER_CALL          UNLIMITED
 IDLE_TIME                        UNLIMITED
 CONNECT_TIME                    UNLIMITED
 PRIVATE_SGA                      UNLIMITED
 FAILED_LOGIN_ATTEMPTS            10
 PASSWORD_LIFE_TIME              UNLIMITED
 PASSWORD_REUSE_TIME              UNLIMITED
 PASSWORD_REUSE_MAX              UNLIMITED
 PASSWORD_VERIFY_FUNCTION        NULL
 PASSWORD_LOCK_TIME              1
 PASSWORD_GRACE_TIME              7
 Here FAILED_LOGIN_ATTEMPTS is the number of consecutive failed logins; this setting means the user is locked after 10 consecutive failed logins.
 
3. Unlock the user with ALTER USER pss3 ACCOUNT UNLOCK; and observe what happens
 SQL> select name, lcount from user$ where name = 'PSS3';
 NAME                              LCOUNT
 ------------------------------ ----------
 PSS3                                  10
 In less than a minute the failed-login count reached 10.
 
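Preliminary conclusion:
 Some application is probably still logging in with the old password and retrying after each failure until the count reaches 10.
 
But this raises two questions:
 1. FAILED_LOGIN_ATTEMPTS is set to 10, but resource_limit is not enabled, so why is the limit of 10 still enforced?
 2. How can we tell which applications are still causing the ORA error because their password was not updated?
 
Question 1: FAILED_LOGIN_ATTEMPTS is set to 10, but resource_limit is not enabled, so why is the limit of 10 still enforced?
 MOS note 160528.1 (Profile Limits (Resource Parameter(s)) Are Not Enforced / Do Not Work) covers part of this: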
 After creating a new profile or altering an old one to limit the following profile resources there is no change:
 SESSIONS_PER_USER
 CPU_PER_SESSION
 CPU_PER_CALL
 CONNECT_TIME
 IDLE_TIME
 LOGICAL_READS_PER_SESSION
 COMPOSITE_LIMIT
 PRIVATE_SGA
 The resource usage limits are not enforced and the users that are assigned the profile continue to use resources beyond profile's limits.
 CAUSE
 
The initialization parameter RESOURCE_LIMIT is set to FALSE (default).
 
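Because RESOURCE_LIMIT is not set to TRUE, changes to the parameters above do not take effect.
 
FAILED_LOGIN_ATTEMPTS is not mentioned here. In other words, parameters like FAILED_LOGIN_ATTEMPTS are not governed by the RESOURCE_LIMIT parameter. FAILED_LOGIN_ATTEMPTS belongs to user password management, whereas the parameters listed above belong to resource management. My guess is that Oracle requires RESOURCE_LIMIT to be TRUE for resource-management limits, while password-management limits are not affected by RESOURCE_LIMIT.
 
The OCP textbook happens to say: "Profiles are a useful way of managing passwords and resources but can really only apply in an environment where every application user has their own database user account." Note that it splits profiles into two categories, managing passwords and managing resources. It does not say so explicitly, but combined with the two references above and the problem actually encountered here, there is good reason to believe that password-management limits are not affected by the RESOURCE_LIMIT parameter.
 
Question 2: How can we tell which applications are still causing the ORA error because their password was not updated?
 As tried above, after the account was unlocked the LCOUNT failed-login count reached 10 in less than a minute, which means some application was retrying the password frequently during that period. Going one step further, if we can find the IPs that accessed the database in that period and then match them against the applications affected by the password change, we may find the culprit.
 To find the IPs accessing the database, enable the listener log and look the IPs up there.
 The listener log is similar to the alert log. Posts say its default path is $ORACLE_HOME/network/log/listener.log, but I am on 11g and, not knowing whether it had been changed, I could not find that directory. How I found it is covered below.
 Following @secooler's tutorial, there are two ways to switch listener logging on or off:
 1. Without restarting the listener, by setting the log_status parameter to off.
 2. By adding the LOGGING_<listener_name>=OFF parameter to listener.ora and then restarting the listener.
 Choose whichever suits the situation.
 Here I chose the first method: run lsnrctl, then run set log_status on. Next, the log path has to be found: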
 ora11g@vm-kvm-ora$ lsnrctl status
 LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 20-AUG-2014 11:56:27
 Copyright (c) 1991, 2011, Oracle.  All rights reserved.
 Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
 STATUS of the LISTENER
 ------------------------
 Alias                    LISTENER
 Version                TNSLSNR for Linux: Version 11.2.0.3.0 - Production
 Start Date            30-APR-2014 15:22:19
 Uptime                111 days 20 hr. 34 min. 8 sec
 Trace Level            off
 Security                ON: Local OS Authentication
 SNMP                  OFF
 Listener Parameter File  /oracle/ora11g/product/11.2.0/network/admin/listener.ora
 Listener Log File        /oracle/ora11g/diag/tnslsnr/vm-kvm-ora/listener/alert/log.xml
 Here there is an entry, Listener Log File, followed by the corresponding log path and file name.
 11g records the listener log in XML format, in log.xml.
 The content looks like:
 20-AUG-2014 10:07:30 * (CONNECT_DATA=(SERVICE_NAME=pss3)(CID=(PROGRAM=dcs_data_sync)(HOST=v490h4-tux-t)(USER=dcsopen))) * (ADDRESS=(PROTOCOL=tcp)(HOST=x.x.x.x)(PORT=37339)) * establish * pss3 * 0
 

 So it is enough to find the IPs that still log in after the user is unlocked, and then narrow down the possible applications.
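The filtering step described above, as an added example (not code from the original post): it parses text-format listener log entries like the sample, keeps `establish` entries for one service between the unlock and the moment the account locked again, and ranks clients by connection count. The function names, the time window and the sample entries are assumptions made for illustration; the listener log records connection requests rather than login results, so the output is a list of candidates to check against the password change.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the text listener-log format shown above.
# Addresses are documentation IPs (RFC 5737), not values from the article.
SAMPLE_LOG = """\
20-AUG-2014 10:06:50 * (CONNECT_DATA=(SERVICE_NAME=pss3)(CID=(PROGRAM=sqlplus)(HOST=dba-ws)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.20)(PORT=51002)) * establish * pss3 * 0
20-AUG-2014 10:07:02 * service_update * pss3 * 0
20-AUG-2014 10:07:05 * (CONNECT_DATA=(SERVICE_NAME=pss3)(CID=(PROGRAM=dcs_data_sync)(HOST=v490h4-tux-t)(USER=dcsopen))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.10)(PORT=37339)) * establish * pss3 * 0
20-AUG-2014 10:07:11 * (CONNECT_DATA=(SERVICE_NAME=pss3)(CID=(PROGRAM=dcs_data_sync)(HOST=v490h4-tux-t)(USER=dcsopen))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.10)(PORT=37341)) * establish * pss3 * 0
20-AUG-2014 10:07:14 * (CONNECT_DATA=(SERVICE_NAME=pss3)(CID=(PROGRAM=JDBC Thin Client)(HOST=__jdbc__)(USER=appsvc))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.30)(PORT=40110)) * establish * pss3 * 0
20-AUG-2014 10:07:17 * (CONNECT_DATA=(SERVICE_NAME=pss3)(CID=(PROGRAM=dcs_data_sync)(HOST=v490h4-tux-t)(USER=dcsopen))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.10)(PORT=37344)) * establish * pss3 * 0
20-AUG-2014 10:07:40 * (CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus)(HOST=dba-ws)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.20)(PORT=51010)) * establish * orcl * 0
"""

TS_FMT = "%d-%b-%Y %H:%M:%S"
LEAF = re.compile(r"\((\w+)=([^()]*)\)")  # innermost (KEY=value) pairs only

def parse_line(line):
    """Return a dict for an 'establish' entry, or None for any other line."""
    parts = [p.strip() for p in line.split(" * ")]
    if len(parts) != 6 or parts[3] != "establish":
        return None
    try:
        ts = datetime.strptime(parts[0], TS_FMT)
    except ValueError:
        return None
    cid = dict(LEAF.findall(parts[1]))   # PROGRAM / HOST / USER as reported by the client
    addr = dict(LEAF.findall(parts[2]))  # peer address as seen by the listener
    return {"ts": ts, "service": parts[4], "ip": addr.get("HOST", "?"),
            "program": cid.get("PROGRAM", "?"), "os_user": cid.get("USER", "?")}

def suspects(log_text, service, unlocked_at, relocked_at):
    """Rank clients by connections to `service` between unlock and re-lock."""
    # Connections only: the listener does not see whether the login succeeded,
    # so each (ip, program, os_user) returned is a candidate, not a verdict.
    start = datetime.strptime(unlocked_at, TS_FMT)
    end = datetime.strptime(relocked_at, TS_FMT)
    hits = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["service"].lower() == service.lower() and start <= e["ts"] <= end:
            hits[(e["ip"], e["program"], e["os_user"])] += 1
    return hits.most_common()

if __name__ == "__main__":
    for client, n in suspects(SAMPLE_LOG, "pss3", "20-AUG-2014 10:07:00", "20-AUG-2014 10:08:00"):
        print(n, *client)
```

The client-reported PROGRAM, HOST and USER values can be set freely by the connecting side, so the peer IP recorded by the listener is the more reliable field when matching entries to hosts.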
 
One more point worth knowing: does FAILED_LOGIN_ATTEMPTS count consecutive failed logins or cumulative failed logins?
 FAILED_LOGIN_ATTEMPTS is the number of consecutive failed logins.
