I've been noticing various data discrepancies between our LDAP master and LDAP consumers.  We are running OpenLDAP v2.4.44.  We have two masters running "mirromode TRUE" and all updates go through a VIP that points to the first one unless it's not available (doesn't happen very often except for during patches and restarts).  We have 13 consumers that replicate through that same VIP.

Here's an example of our syncrepl for a client:

syncrepl rid=221
  type=refreshAndPersist
  schemachecking=on
  provider="ldap://ldapmastervip.rutgers.edu/"
  bindmethod=sasl
  saslmech=EXTERNAL
  starttls=yes
  tls_reqcert=demand
  tls_protocol_min="3.1"
  searchbase="dc=rutgers,dc=edu"
  attrs="*,+"
  retry="10 10 20 +"
  logbase="cn=accesslog"
  logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
  syncdata=accesslog
  network-timeout=30
  keepalive=180:3:60

I check the contextCSN attributes on all the instances every day and they are all in sync (except during any major changes, of course).  But I occasionally notice discrepancies in the data.... even though the contextCSNs and entryCSNs are the same.  For example (note hostnames have been changed):

$ ldapsearch ... -H ldap://ldapmaster.rutgers.edu uid=XXXX postalAddress createTimestamp modifyTimestamp entryCSN
dn: uid=XXXX,ou=People,dc=rutgers,dc=edu
createTimestamp: 20121220100700Z
postalAddress: Business And Science Bldg$227 Penn Street$Camden, NJ 081021656
entryCSN: 20180505002024.083133Z#000000#001#000000
modifyTimestamp: 20180505002024Z

$ ldapsearch ... -H ldap://ldapconsumer3.rutgers.edu uid=XXXX postalAddress createTimestamp modifyTimestamp entryCSN
dn: uid=XXXX,ou=People,dc=rutgers,dc=edu
createTimestamp: 20121220100700Z
postalAddress: BUSINESS AND SCIENCE BLDG$227 PENN STREET$CAMDEN, NJ 081021656
entryCSN: 20180505002024.083133Z#000000#001#000000
modifyTimestamp: 20180505002024Z

So I'm trying to figure out why this happens (config issue, bug, ???) and second, if I can't use the contextCSN to report that everything is fine, what else can I do besides trying to compare ldif dumps.

thanks,
ds
-- 
Dave Steiner steiner@rutgers.edu
IdM, Enterprise Application Services    ASB101; 848.445.5433
Rutgers University, Office of Information Technology