It would be great if you could detail the exact use case where the intruder lockout happens in both the directories simultaneously. SSPR usually searches for the CN across multiple LDAPs as per the configuration and go for the authentication with the first match. Prompting the user for clearing the intruder lockout happens only with that LDAP. More details about the user scenario will help us to evaluate the idea further.