olcRootPW vs. userPassword of olcRootDN

Hello,

I recently set about changing the rootdn password of my OpenLDAP 2.4 server.

I constructed an LDIF file looking something like this:

 dn: olcDatabase={1}mdb,cn=config
 changetype: modify
 replace: olcRootPW
 olcRootPW: {SSHA}new_passwd_hash

and fed that into ldapmodify. The server then started accepting the new password and I figured I was done.

What I noticed a few minutes later, however, was that the server was *also* still accepting the *old* password.

After some peeking around, my guess is that this is due to the fact that while my config database ended up containing, as expected:

 dn: olcDatabase={1}mdb,cn=config
 # etc...
 olcSuffix: dc=mydomain,dc=tld
 olcRootDN: cn=admin,dc=mydomain,dc=tld
 olcRootPW:: [base64 of {SSHA}new_passwd_hash]

the "main" database entry for cn=admin,dc=mydomain,dc=tld still had a userPassword attribute of [base64 of {SSHA}old_passwd_hash]. Prior to the password change the same base64 hash had been present in both, but my change of course only updated the config database.

So I'm left with a few questions:

Is it "normal" to have both olcRootPW and the rootdn's userPassword stored redundantly like this? If not, is the fact that I do a sign that I did something inappropriate when initially configuring the server? (Unfortunately I no longer remember exactly what I did at the time.)

If so, I assume the recommended password update procedure would be to update both in tandem, though I have to wonder what the point of the redundancy (and resulting potential for inconsistency) is. And should section 5.2.5.5 of the admin guide perhaps make some mention of this?


Thanks,
Zev Weiss
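An added audit script (my own, not from this thread or from the OpenLDAP project) for the situation described above: it parses the cn=config entry and the rootdn entry as ldapsearch prints them, base64 ("::") values included, and reports which store, olcRootPW or the entry's userPassword, still verifies a given password. The LDIF, the fixed salt and the passwords are constructed sample data; only the {SSHA} scheme is handled.

```python
import base64
import hashlib
import hmac

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr: [values]}; 'attr:: v' values are base64-decoded."""
    lines, attrs = [], {}
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # LDIF continuation line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    for line in lines:
        name, _, rest = line.partition(":")
        value = base64.b64decode(rest[1:].strip()).decode() if rest.startswith(":") else rest.strip()
        attrs.setdefault(name, []).append(value)
    return attrs

def ssha_hash(password, salt):
    """{SSHA} = base64(sha1(password + salt) + salt); the salt is fixed here for determinism."""
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()

def ssha_verify(password, stored):
    """True if `password` matches an {SSHA} value; other password schemes are not handled."""
    if not stored.startswith("{SSHA}"):
        return False
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def audit(config_ldif, rootdn_ldif, password):
    """Return the stores (olcRootPW and/or userPassword) whose hash still accepts `password`."""
    cfg, entry = parse_ldif_entry(config_ldif), parse_ldif_entry(rootdn_ldif)
    if entry["dn"][0].lower() != cfg["olcRootDN"][0].lower():
        raise ValueError("second entry is not the olcRootDN entry")
    stores = (("olcRootPW", cfg.get("olcRootPW", [])),
              ("userPassword", entry.get("userPassword", [])))
    return [name for name, values in stores if any(ssha_verify(password, v) for v in values)]

def b64(s):                      # ldapsearch emits these attributes base64-encoded ("::")
    return base64.b64encode(s.encode()).decode()
# Constructed sample mirroring the post: cn=config has the new hash, the rootdn entry kept the old one.
CONFIG_LDIF = f"""dn: olcDatabase={{1}}mdb,cn=config
olcRootDN: cn=admin,dc=mydomain,dc=tld
olcRootPW:: {b64(ssha_hash("new_passwd", b"salt"))}
"""
ROOTDN_LDIF = f"""dn: cn=admin,dc=mydomain,dc=tld
userPassword:: {b64(ssha_hash("old_passwd", b"salt"))}
"""
```

Run `audit(CONFIG_LDIF, ROOTDN_LDIF, "old_passwd")` to see that the old password is still honoured by the entry's userPassword; feed it real `ldapsearch -LLL` output for the two entries to check a live server the same way.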