Aaron and Phil had a thread where they asked if there was a way to allow
an NMAS Intruder locked out user to Challenge Response login, and
instead of resetting it, to unlock it.

Reading the docs, for 3.3.x, it says about the Forgot Password module:
https://www.netiq.com/documentation/.../b1ggnqpg.html

There is an option in Forgot Password called: Allow Unlock

"Enable this setting if you want to provide users the facility to unlock
their password instead of resetting it.

This setting is applicable if the user's account is locked because of
multiple invalid login attempts, and the user's password is not expired."

Now this clearly does not work when the user is NMAS Intruder locked,
since C/R is a login event that fails due to Intruder Lock. You get the
following in the log:

January 21, 2016 at 4:04:44 PM Eastern Standard Time, ERROR,
http.PwmRequest, {7a} 5069 ERROR_INTRUDER_LDAP (nmas account is intruder
locked-out) [171.21.10.130]

January 21, 2016 at 4:04:44 PM Eastern Standard Time, FATAL,
servlet.PwmServlet, 5069 ERROR_INTRUDER_LDAP (nmas account is intruder
locked-out)

So first off, should the docs note this important point? Or are the docs
right and this should just work and it is a bug that it is not working?

I can see how this would work in the Helpdesk case, where the Helpdesk
user can Unlock the account instead of resetting it.

So is this a missing function, a bug, or a doc bug?