Hi,
We have a 3-node multi-master replication configuration set up with many consumers replicating from all 3 provider nodes.
The consumers and providers replicate from the MDB tree dc=example,dc=com. They do not replicate their config databases.
The root password we are rotating is for cn=admin,dc=example,dc=com.
Upon updating the olcRootPW, we see the provider where the password was updated commit a new CSN, and then syncrepl seems to fail for connected consumers with:
slapd[9227]: conn=1439 op=1 syncprov_op_search: consumer 2102 state 20230712210938.878334Z#000000#836#000000 is newer than provider 2102 state 20230712210402.018624Z#000000#836#000000
It seems as if the consumers reconnect with a state newer than the provider that just committed a new CSN for the new root password?
It did not seem like the root password was replicated across the cluster, however, which I imagine is a deliberate choice to not replicate root db DNs.
Is there a recommended workflow to rotate the root credential for a replicated database to avoid syncrepl disruption?
OpenLDAP 2.4.56 (we are working to upgrade to OpenLDAP 2.5 LTS)
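
Added example, not part of the original post: a small Python helper that decodes the two CSNs in the syncprov_op_search line quoted above, so the server ID and the gap between the consumer and provider states can be read directly. The function names are hypothetical; the CSN layout assumed is OpenLDAP's timestamp#count#SID#mod with the last three fields in hex.

```python
import re
from datetime import datetime, timezone

# Log line copied verbatim from the post above.
SAMPLE = ("slapd[9227]: conn=1439 op=1 syncprov_op_search: consumer 2102 state "
          "20230712210938.878334Z#000000#836#000000 is newer than provider 2102 state "
          "20230712210402.018624Z#000000#836#000000")

CSN_RE = re.compile(
    r"^(\d{14})\.(\d{6})Z#([0-9a-fA-F]{6})#([0-9a-fA-F]{3})#([0-9a-fA-F]{6})$")
LINE_RE = re.compile(r"syncprov_op_search: consumer (\d+) state (\S+) "
                     r"is newer than provider (\d+) state (\S+)")

def parse_csn(csn):
    """Split a CSN into UTC time, change count, server ID (SID) and mod number."""
    m = CSN_RE.match(csn)
    if not m:
        raise ValueError(f"not a CSN: {csn!r}")
    stamp, usec, count, sid, mod = m.groups()
    when = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(
        microsecond=int(usec), tzinfo=timezone.utc)
    # count, SID and mod are hexadecimal: SID 836 is serverID 2102.
    return {"time": when, "count": int(count, 16),
            "sid": int(sid, 16), "mod": int(mod, 16)}

def explain(line):
    """Return the decoded consumer/provider states, or None if the line differs."""
    m = LINE_RE.search(line)
    if not m:
        return None
    c_id, c_csn, p_id, p_csn = m.groups()
    consumer, provider = parse_csn(c_csn), parse_csn(p_csn)
    return {
        "server_id": int(p_id),
        # The decimal ID in the message should equal the hex SID inside each CSN.
        "sid_matches_log": consumer["sid"] == int(c_id)
                           and provider["sid"] == int(p_id),
        "consumer_time": consumer["time"],
        "provider_time": provider["time"],
        "consumer_ahead_seconds":
            (consumer["time"] - provider["time"]).total_seconds(),
    }

if __name__ == "__main__":
    for key, value in explain(SAMPLE).items():
        print(f"{key}: {value}")
```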