3.5 Configuring Intruder Detection

Self Service Password Reset contains built-in intruder detection that is independent of the intruder detection your LDAP directory provides. The LDAP directory's intruder detection is meant to stop human attacks on the Self Service Password Reset user store. Ensure that the intruder detection limits in the LDAP directory are lower than the Self Service Password Reset intruder detection limits.

Because Self Service Password Reset can be exposed directly to the internet, NetIQ added this additional layer of detection to help protect against robotic or automated attacks. Self Service Password Reset always honors the LDAP directory's internal intruder detection (if it is enabled). The intruder detection limits in Self Service Password Reset must be much higher than the LDAP directory intruder detection limits.

Set the triggers high enough that normal user activity does not cause an application-level intruder lockout. When the application-level detection does trigger, Self Service Password Reset enforces the full configured timeout period, because a trigger at that level indicates that the system is under a robotic or automated attack. The help desk or an administrator cannot unlock accounts that are locked by Self Service Password Reset intruder detection.
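The following is an added illustration of why the two limits must be ordered this way; it is not Self Service Password Reset code and does not use any of its configuration names. It assumes a simplified model in which the directory counts failures per user name and the application layer counts failures per source address, with constructed thresholds (3 and 20 attempts) and timeouts. Replaying a human typing a wrong password a few times, and then a script spraying many user names from one address, shows which layer trips in each case.

```python
from dataclasses import dataclass, field
from collections import defaultdict


@dataclass
class LockoutPolicy:
    """Threshold and timeout for one detection layer (values are constructed)."""
    name: str
    max_attempts: int   # failures tolerated inside the window before locking
    window_s: int       # sliding window for counting failures, in seconds
    lockout_s: int      # lock duration once tripped, in seconds


@dataclass
class _Counter:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0


class Detector:
    """One detection layer: counts failures per key, locks the key when the policy trips."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self._state = defaultdict(_Counter)

    def locked(self, key, now) -> bool:
        return now < self._state[key].locked_until

    def failure(self, key, now) -> bool:
        """Record a failed attempt; return True if this attempt tripped the lock."""
        st = self._state[key]
        st.failures = [t for t in st.failures if now - t < self.policy.window_s]
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_attempts:
            st.locked_until = now + self.policy.lockout_s
            st.failures = []
            return True
        return False


def limits_ordered(ldap: LockoutPolicy, app: LockoutPolicy) -> bool:
    """The rule from the text: the directory limit must be lower than the application limit."""
    return ldap.max_attempts < app.max_attempts


def replay(events, ldap_policy, app_policy):
    """events: (time_s, source_ip, user, password_ok). Returns one outcome string per event."""
    ldap = Detector(ldap_policy)   # hypothetical directory layer, keyed by user name
    app = Detector(app_policy)     # hypothetical application layer, keyed by source address
    out = []
    for now, ip, user, ok in events:
        if app.locked(ip, now):
            out.append("app-locked")    # application layer refuses before contacting the directory
            continue
        if ldap.locked(user, now):
            out.append("ldap-locked")   # the application honors the directory's lockout
            continue
        if ok:
            out.append("ok")
            continue
        tripped_ldap = ldap.failure(user, now)
        tripped_app = app.failure(ip, now)
        out.append("ldap-trip" if tripped_ldap else "app-trip" if tripped_app else "fail")
    return out


# Constructed policies: directory limit deliberately lower than the application limit.
LDAP_POLICY = LockoutPolicy("directory", max_attempts=3, window_s=600, lockout_s=900)
APP_POLICY = LockoutPolicy("application", max_attempts=20, window_s=60, lockout_s=1800)


def human_typo_scenario():
    """One user mistypes a password three times, then gets it right (constructed events)."""
    events = [(0, "10.0.0.5", "alice", False), (10, "10.0.0.5", "alice", False),
              (20, "10.0.0.5", "alice", False), (30, "10.0.0.5", "alice", True)]
    return replay(events, LDAP_POLICY, APP_POLICY)


def spray_scenario():
    """One address tries 25 different user names a second apart (constructed events)."""
    events = [(i, "203.0.113.9", f"user{i}", False) for i in range(25)]
    return replay(events, LDAP_POLICY, APP_POLICY)


if __name__ == "__main__":
    print("limits ordered:", limits_ordered(LDAP_POLICY, APP_POLICY))
    print("human:", human_typo_scenario())
    print("spray:", spray_scenario())
```

In the human case the directory lock trips first and the application counter never approaches its threshold, so the lock is the directory's and can be handled by the usual directory tools. In the spray case no single user name reaches the directory threshold, but the per-address counter in the application layer reaches 20 and rejects everything from that address for the configured timeout, which is the behaviour the text describes for robotic traffic.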

To configure the intruder lockout settings:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor.

  4. Click Settings > Intruder Detection > Intruder Settings.

  5. Follow the help to configure the intruder settings.

  6. Click Settings > Intruder Detection > Intruder Timeouts.

  7. Follow the help to configure the intruder timeout settings.

  8. In the toolbar, click Save changes.