Why is the userPassword attribute null for some users when I query all users in an Active Directory group through LDAP?

Here is the code I use:

Hashtable<String, String> environment = new Hashtable<String, String>();
environment.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
environment.put(Context.SECURITY_PRINCIPAL, "Administrator@ABC");
environment.put(Context.SECURITY_CREDENTIALS, "testing123");
environment.put(Context.PROVIDER_URL, "ldap://192.168.64.222");
DirContext dirContext = new InitialDirContext(environment);
SearchControls searchControls = new SearchControls();
searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
NamingEnumeration searchResults = dirContext.search("cn=users,dc=ABC,dc=DEF,dc=COM", "(&(objectClass=user))", searchControls);
while (searchResults.hasMore()) {
  SearchResult searchResult = (SearchResult) searchResults.next();
  Attributes attributes = searchResult.getAttributes();
  System.out.println(attributes.get("userPassword"));
}
dirContext.close();

And the result I get:

null
userPassword: [B@开发者_如何学Python13a328f
userPassword: [B@1cd8669
userPassword: [B@337838
null
...
null
userPassword: [B@18a47e0
null
...

The answer is because it's certainly not provisioned.

The explanation is that userPassword attribute is not the native attribute to put password in Active-Directory. The native attribute is unicodePwd which is a special attribute you CAN write thru LDAPS, but you CAN'T read thru LDAP.

According to Microsft documentation about userPassword this attribute can behave as a normal attribute or behave like unicodePwd attribute, all depends on the configuration of your Active-Directory or your Lightweight Directory Service (LDS).

As far as I know, by default dSHeuristics is false and most of the time it's not set at all, you can see it in :

CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,Root domain in forest

So that's why I think that userPassword is just not set by some provisionning in your infrastructure.