For HOTP-enabled users, the OTP digit is used for authentication. The ndsconfig utility reuses the same OTP digit for subsequent authentication, which causes ndsconfig add to fail. Similarly, ndsconfig upgrade also fails.
To work around this issue, do not enable HOTP for the user through which you perform ndsconfig add or ndsconfig upgrade.
If you perform an LDAP login as an HOTP-enabled user by sending the request to a read-only replica, LDAP chaining does not happen. The read-only replica does not forward the request to the server where the actual user resides. The replica fails with an illegal replica type error.
If the value of the user resynchronization window is already set (for example, 2) and you change it by using the nmashotpconf utility, the utility displays the following error:
ldap_modify_ext_s on HOTP DN failed: error code=19: Constraint violation
One of the reasons for the error could be using a combination of the (the OTP enable or disable option), (OTP digit), (otpcouter) and (user_resync_window) options for modifying the user resynchronization value.