Active Directory LDAP_SERVER_POLICY_HINTS_OID control not working in AD LDS on Windows Server 2012 R2

Tags: active-directory

I am trying to make the AD LDS SetPassword method honor the password-history domain policy, but it still lets me set the password even after using LDAP_SERVER_POLICY_HINTS_OID. Not sure what I am doing wrong. The code is as follows:

using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text;

public SetPasswordResult SetPasswordHonoringHistory ( FeiUser feiUser, string password )
{
    if ( password == null )
    {
        throw new ArgumentNullException ( "password" );
    }
    try
    {
        using (var ldapConnection = new LdapConnection( _identityProvider.LdapUrl ))
        {
            // enable Kerberos encryption (unicodePwd may only be written over a protected channel)
            ldapConnection.SessionOptions.Sealing = true;
            if ( !_identityProvider.LdapUseIntegratedCredentials )
            {
                ldapConnection.AuthType = AuthType.Negotiate;
                ldapConnection.Credential = new NetworkCredential(
                    _identityProvider.LdapAdminUser,
                    _identityProvider.LdapAdminPassword,
                    _identityProvider.Domain);
            }
            ldapConnection.Bind ();

            const string attribute = "unicodePwd";
            const string LDAP_SERVER_POLICY_HINTS_OID = "1.2.840.113556.1.4.2239";

            // modification control for the replace operation;
            // unicodePwd expects the new password wrapped in double quotes, UTF-16LE encoded
            var attributeModification = new DirectoryAttributeModification
            {
                Name = attribute
            };
            attributeModification.Add ( Encoding.Unicode.GetBytes ( String.Format ( "\"{0}\"", password ) ) );
            attributeModification.Operation = DirectoryAttributeOperation.Replace;

            var modifyRequest = new ModifyRequest ( feiUser.DistinguishedName, attributeModification );
            // control value is BER SEQUENCE { INTEGER flags }; flags = 1 asks the server
            // to enforce the password policy (including history) on this administrative reset
            var passwordHistoryFlag = new DirectoryControl (
                LDAP_SERVER_POLICY_HINTS_OID,
                BerConverter.Encode ( "{i}", new object[] {0x1} ),
                true,   // critical: server must reject the request if it cannot honor the control
                true ); // server-side control
            modifyRequest.Controls.Add ( passwordHistoryFlag );

            try
            {
                var result = ldapConnection.SendRequest(modifyRequest);
                if ( result.ResultCode == ResultCode.Success )
                {
                    return new SetPasswordResult ( true, true );
                }
            }
            catch ( DirectoryOperationException exception )
            {
                switch ( exception.Response.ResultCode )
                {
                    case ResultCode.UnwillingToPerform:
                        return new SetPasswordResult ( true, false );
                    case ResultCode.ConstraintViolation:
                        return new SetPasswordResult ( false, true );
                }
            }
        }
    }
    catch ( Exception e )
    {
        Logger.Error ( e );
    }
    return null;
}

I ran into the same problem when using the same OID as you. If I use the deprecated OID 1.2.840.113556.1.4.2066, it works.

According to the reference link I provided, it is deprecated but still supported on Windows Server 2008 R2, 2012, 2012 R2 and the 2016 Technical Preview. It also says the following:

"The LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID control has the exact semantics and behavior as the LDAP_SERVER_POLICY_HINTS_OID control, section 3.1.1.3.4.1.27; a client may use this control when the server does not support LDAP_SERVER_POLICY_HINTS_OID. Clients should use LDAP_SERVER_POLICY_HINTS_OID when the server supports it."

Reference link:
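The quoted text says a client may fall back to the deprecated control when the server does not support the newer one. As an added example, not code from the question or the answer, the helper below reads the server's rootDSE supportedControl list, picks whichever policy-hints OID is advertised, and builds the DirectoryControl for the modify request; it assumes an already bound LdapConnection, and the class and method names are hypothetical.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Linq;

// Added example (not from the original post): choose the policy-hints control the
// server advertises, falling back to the deprecated OID as MS-ADTS permits.
public static class PolicyHintsControl
{
    // OIDs taken from the question and the answer.
    public const string LDAP_SERVER_POLICY_HINTS_OID = "1.2.840.113556.1.4.2239";
    public const string LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID = "1.2.840.113556.1.4.2066";

    // Reads rootDSE supportedControl and returns the OID to use, or null if neither is listed.
    public static string SelectPolicyHintsOid(LdapConnection connection)
    {
        // The rootDSE is the base object with an empty DN.
        var request = new SearchRequest("", "(objectClass=*)", SearchScope.Base, "supportedControl");
        var response = (SearchResponse)connection.SendRequest(request);
        if (response.Entries.Count == 0)
            return null;

        DirectoryAttribute attr = response.Entries[0].Attributes["supportedControl"];
        if (attr == null)
            return null;
        string[] supported = attr.GetValues(typeof(string)).Cast<string>().ToArray();

        if (supported.Contains(LDAP_SERVER_POLICY_HINTS_OID))
            return LDAP_SERVER_POLICY_HINTS_OID;
        if (supported.Contains(LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID))
            return LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID;
        return null;
    }

    // Builds the control, or throws when the server advertises neither OID, so the
    // caller never silently resets a password without policy enforcement.
    public static DirectoryControl Build(LdapConnection connection)
    {
        string oid = SelectPolicyHintsOid(connection)
            ?? throw new NotSupportedException(
                "Server advertises no policy hints control; refusing to set password without policy enforcement.");

        // Control value is SEQUENCE { INTEGER flags }; flags = 1 requests policy enforcement.
        byte[] value = BerConverter.Encode("{i}", new object[] { 1 });

        // Critical: the server must fail the modify rather than ignore the control.
        return new DirectoryControl(oid, value, true, true);
    }
}
```

A server listing an OID in supportedControl only shows it recognizes the control; the question describes a case where the newer OID was accepted without the history check taking effect, so treat this lookup as a prerequisite and still verify enforcement against a known reused password.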