I have a requirement to generate random initial passwords for new users in an Identity Vault, sourced from an Oracle database via a JDBC driver and then write the password back to the database. I've used the Generate Password token to do this and pointed it at a password policy that I've created specifically for this purpose. This works fine under normal circumstances but in this case the requirement is to generate a password of 8 alpha characters with certain letters disallowed where they could be confused with a number, such as l or o. The way I'm trying to do this is to specify in the password policy a password length of 1 character and exclude 'words' like l or o, do this 8 times and concatenate the results into an 8 character password. This is because there is no way to exclude individual letters in a password policy. This does successfully generate an 8 character random password but the disallowed characters are still being generated and appearing in the password. Is this a bug?

Of course I could generate the individual characters and perform a check on each one in the IDM policy to verify whether they are one of the excluded characters but this would be less efficient.

I'm using IDM 3.5.1 on SLES 10.1 with eDir 8.8.2. This is the rule I'm using:

<!--
  Rule: Generate initial password.
  Fires on an add event for class User (conditions below) and builds an
  8-character value by calling the Generate Password token eight times
  against the same 1-character password policy, then concatenating the
  results. The value is set as the destination password and also written
  to the source attribute INITIAL_PASSWORD.

  NOTE(review): each token call is evaluated independently against the
  1-character policy; the concatenated 8-character result is never
  checked against any policy, so no length, complexity or exclusion rule
  applies to the final value.
  NOTE(review): the policy's "exclude" list may compare whole password
  strings rather than individual characters, which would explain why
  disallowed letters still appear; confirm against the policy engine, and
  if so, filter the characters in this policy after generation.
  NOTE(review): notrace="true" on every action and token keeps the
  generated value out of the driver trace; keep it on any line that
  handles this value if the rule is edited.
-->
<rule>
<description>Generate initial password</description>
<conditions>
<and>
<!-- Only newly added User objects receive a generated password. -->
<if-class-name mode="nocase" op="equal">User</if-class-name>
<if-operation mode="case" op="equal">add</if-operation>
</and>
</conditions>
<actions>
<!-- pwdchar1..pwdchar8: one independent 1-character generation each, all against the same policy DN. -->
<do-set-local-variable name="pwdchar1" notrace="true" scope="policy">
<arg-string>
<token-generate-password notrace="true" policy-dn="\[root]\Security\Password Policies\Initial password character generation"/>
</arg-string>
</do-set-local-variable>
<do-set-local-variable name="pwdchar2" notrace="true" scope="policy">
<arg-string>
<token-generate-password notrace="true" policy-dn="\[root]\Security\Password Policies\Initial password character generation"/>
</arg-string>
</do-set-local-variable>
<do-set-local-variable name="pwdchar3" notrace="true" scope="policy">
<arg-string>
<token-generate-password notrace="true" policy-dn="\[root]\Security\Password Policies\Initial password character generation"/>
</arg-string>
</do-set-local-variable>
<do-set-local-variable name="pwdchar4" notrace="true" scope="policy">
<arg-string>
<token-generate-password notrace="true" policy-dn="\[root]\Security\Password Policies\Initial password character generation"/>
</arg-string>
</do-set-local-variable>
<do-set-local-variable name="pwdchar5" notrace="true" scope="policy">
<arg-string>
<token-generate-password notrace="true" policy-dn="\[root]\Security\Password Policies\Initial password character generation"/>
</arg-string>
</do-set-local-variable>
<do-set-local-variable name="pwdchar6" notrace="true" scope="policy">
<arg-string>
<token-generate-password notrace="true" policy-dn="\[root]\Security\Password Policies\Initial password character generation"/>
</arg-string>
</do-set-local-variable>
<do-set-local-variable name="pwdchar7" notrace="true" scope="policy">
<arg-string>
<token-generate-password notrace="true" policy-dn="\[root]\Security\Password Policies\Initial password character generation"/>
</arg-string>
</do-set-local-variable>
<do-set-local-variable name="pwdchar8" notrace="true" scope="policy">
<arg-string>
<token-generate-password notrace="true" policy-dn="\[root]\Security\Password Policies\Initial password character generation"/>
</arg-string>
</do-set-local-variable>
<!-- initial-password: plain concatenation of the eight characters; no validation is performed on the combined value. -->
<do-set-local-variable name="initial-password" notrace="true" scope="policy">
<arg-string>
<token-local-variable name="pwdchar1" notrace="true"/>
<token-local-variable name="pwdchar2" notrace="true"/>
<token-local-variable name="pwdchar3" notrace="true"/>
<token-local-variable name="pwdchar4" notrace="true"/>
<token-local-variable name="pwdchar5" notrace="true"/>
<token-local-variable name="pwdchar6" notrace="true"/>
<token-local-variable name="pwdchar7" notrace="true"/>
<token-local-variable name="pwdchar8" notrace="true"/>
</arg-string>
</do-set-local-variable>
<!-- Set the generated value as the destination password for the new User. -->
<do-set-dest-password class-name="User" notrace="true">
<arg-string>
<token-local-variable name="initial-password" notrace="true"/>
</arg-string>
</do-set-dest-password>
<!--
  Write the same value back to the source attribute INITIAL_PASSWORD.
  NOTE(review): this stores the password in clear in the source system;
  confirm who can read that column and how long the value is retained.
-->
<do-set-src-attr-value name="INITIAL_PASSWORD" notrace="true">
<arg-value>
<token-local-variable name="initial-password" notrace="true"/>
</arg-value>
</do-set-src-attr-value>
</actions>
</rule>