Question:
We have 2 User Directories in a SiteMinder Domain where a user ID exists in both, but the passwords are different. When a user authenticates with the password from the second UD, the invalid password count on the first increments. After a few authentication attempts that account is then locked.
Is this a defect?
Environment:
SiteMinder Policy Server Version: R12 SP3 & R12.52
User Store Database1: oracle 11g
User Store Database2: oracle 11g
Answer:
This is working as expected and not a defect.
Use Case 1) If the User Directories are configured in the order UD1, UD2 and the user makes a login attempt with the correct password from UD1 (first in the list), the Policy Server will not try to authenticate against the second directory and the user will not be locked.
Use Case 2) If you try to authenticate using the password from UD2, the Policy Server will first try UD1, which will fail, then move to the next directory UD2 and succeed, but the failed login attempt will be registered against UD1. This is expected behavior.
You may want to consult CA services to consider other config/options that may suit your business needs.
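The following is an added model of the directory-chain behaviour described in the answer; it is illustrative code, not SiteMinder's own implementation. It walks the directories in configured order, stops at the first success, and keeps a per-directory failed-attempt counter with a lockout threshold. The user name, passwords and the threshold of 3 are constructed sample values, and the assumption that a locked account simply fails in its directory while the chain continues is a modelling choice, not something the article states.

```python
from dataclasses import dataclass, field

# Assumed lockout threshold for this model; real stores configure their own.
LOCKOUT_THRESHOLD = 3


@dataclass
class UserDirectory:
    """One user store in the chain with its own failed-attempt bookkeeping."""
    name: str
    passwords: dict            # user -> password (constructed sample data)
    failed: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def authenticate(self, user, password):
        # Returns True on success, False on a counted failure,
        # None when the user is not in this directory (no failure recorded).
        if user not in self.passwords:
            return None
        if user in self.locked:
            return False
        if self.passwords[user] == password:
            self.failed[user] = 0          # successful login resets the counter
            return True
        self.failed[user] = self.failed.get(user, 0) + 1
        if self.failed[user] >= LOCKOUT_THRESHOLD:
            self.locked.add(user)
        return False


def chain_authenticate(directories, user, password):
    """Try each directory in order; return the name of the first one that accepts."""
    for directory in directories:
        if directory.authenticate(user, password):
            return directory.name
    return None


def build_directories():
    # Same user ID in both stores with different passwords (constructed data).
    ud1 = UserDirectory("UD1", {"jdoe": "alpha-1"})
    ud2 = UserDirectory("UD2", {"jdoe": "bravo-2"})
    return [ud1, ud2]


def use_case_1():
    """Correct UD1 password: UD1 answers first, UD2 is never consulted."""
    dirs = build_directories()
    ud1, ud2 = dirs
    where = chain_authenticate(dirs, "jdoe", "alpha-1")
    return {"authenticated_by": where, "ud2_failed": dict(ud2.failed)}


def use_case_2():
    """Correct UD2 password repeated: every login succeeds via UD2 while
    UD1 silently accumulates failures until it locks the account."""
    dirs = build_directories()
    ud1, ud2 = dirs
    successes = [chain_authenticate(dirs, "jdoe", "bravo-2")
                 for _ in range(LOCKOUT_THRESHOLD)]
    # Now even the correct UD1 password is rejected because UD1 locked jdoe.
    after_lock = chain_authenticate(dirs, "jdoe", "alpha-1")
    return {
        "successes": successes,
        "ud1_failed": ud1.failed["jdoe"],
        "ud1_locked": "jdoe" in ud1.locked,
        "ud1_password_after_lock": after_lock,
    }


if __name__ == "__main__":
    print("Use case 1:", use_case_1())
    print("Use case 2:", use_case_2())
```

Running it shows the asymmetry the answer describes: the order of the directories decides which store absorbs the failed attempts, so a user whose working password lives in the second store will lock the first store's copy of the account after a handful of perfectly valid logins.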