The attribute would use something like a "policy rule name" matching rule - i.e. each pwdPolicyRule value must have a unique name. This would allow multiple instances of a given rule OID.
A combination of required chars and excluded character policies might look like (pardon my XML):
# requires 2 special characters, 1 from each of these sets:
pwdPolicyRule: rule1 requiredchars-oid <rule count="1" chars="!@#$" />
pwdPolicyRule: rule2 requiredchars-oid <rule count="1" chars="%^&" />
# vowels not allowed
pwdPolicyRule: rule3 excludedchars-oid <rule chars="aeiouAEIOU" />
I suppose a better version might be:
pwdPolicyRule: <excludedCharsRule name="rule3" chars="aeiouAEIOU" />
As I hinted in my last message, we may need an optional "Required Rule" field. For example, let's suppose I want to encode the following policy...
"Password must have at least 4 characters and not be in a dictionary. It must also contain 3 of the following: 1 upper case character, 1 lower case character, 1 character of '!@#$%^&*()_+=[]-' or 1 numeric digit."
To encode this, I would need a way to specify that "min 4" and "not in dictionary" are required. And in addition, I would need a rule that says at least 3 of the "non-required" rules must pass.
Yes, this is getting ugly. And I don't want to hinder the progress of the pwd-policy draft.
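A checker for the rule encoding sketched in this message, added here as an illustration and not code from the thread or from the pwd-policy draft. It uses the "<xxxRule name=... />" form; the required="true" flag, the minLengthRule and dictionaryRule tags, and the AT_LEAST threshold for the "3 of the following" clause are assumed names, and the policy values are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed pwdPolicyRule values in the "<xxxRule name=... />" form proposed
# above. The required="true" flag, the minLengthRule/dictionaryRule tags and
# the AT_LEAST threshold are assumed names for illustration, not draft syntax.
POLICY = [
    '<minLengthRule name="rule0" min="4" required="true" />',
    '<dictionaryRule name="rule1" words="password,letmein" required="true" />',
    '<requiredCharsRule name="rule2" count="1" chars="ABCDEFGHIJKLMNOPQRSTUVWXYZ" />',
    '<requiredCharsRule name="rule3" count="1" chars="abcdefghijklmnopqrstuvwxyz" />',
    '<requiredCharsRule name="rule4" count="1" chars="!@#$%^&amp;*()_+=[]-" />',
    '<requiredCharsRule name="rule5" count="1" chars="0123456789" />',
]
AT_LEAST = 3  # how many of the non-required rules must pass


def parse_rules(values):
    """Parse each value; names must be unique, as the matching rule requires."""
    rules = {}
    for value in values:
        el = ET.fromstring(value)
        name = el.get("name")
        if not name or name in rules:
            raise ValueError(f"missing or duplicate rule name {name!r}")
        rules[name] = el
    return rules


def rule_passes(el, pwd):
    """Evaluate one parsed rule element against a candidate password."""
    if el.tag == "minLengthRule":
        return len(pwd) >= int(el.get("min"))
    if el.tag == "dictionaryRule":
        return pwd.lower() not in el.get("words").split(",")
    if el.tag == "requiredCharsRule":
        return sum(c in el.get("chars") for c in pwd) >= int(el.get("count"))
    if el.tag == "excludedCharsRule":
        return not any(c in el.get("chars") for c in pwd)
    raise ValueError(f"unknown rule type {el.tag}")


def check_password(pwd, values=POLICY, at_least=AT_LEAST):
    """Return (ok, failed_rule_names): every required rule must pass and at
    least `at_least` of the remaining rules must pass."""
    rules = parse_rules(values)
    failed = [n for n, el in rules.items() if not rule_passes(el, pwd)]
    required = {n for n, el in rules.items() if el.get("required") == "true"}
    optional_passed = sum(1 for n in rules if n not in required and n not in failed)
    ok = not (required & set(failed)) and optional_passed >= at_least
    return ok, failed
```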