IMO, OTP is inherently incompatible with replicas because a client
can
authenticate to each replica with what is intended to be a one time
password. The only way to preclude this is, as was basically suggested,
is to chain it to the master such that each password can only be used one
time.
I have an "easy" fix in this direction; however, I stumbled into another
issue: if slapo-chain(5) gets involved in an internal operation, it does
not honor custom callbacks registered for the internal operation, and
rather attempts to return the result to the caller. As a consequence, I
need to address this issue first, before solving the original one.
p.