Alas, even I cannot stretch this topic into a full CS article...

basic issue is passwords not syncing? Well turns out SSPR is point at
serverA. But IDM AD/LDAP drivers are on ServerB.

ndsrepair -T or -E show a -699 error on a specific object.

Turns out that the oidpInstances attribute is Case Ignore String syntax,
which has an implicit 32K limit, and OSP has somehow written 32K + 1
into it. But eDir refuses to replicate it. Every change since that
happened backs up behind that failed replication.

Quick fix is delete the attribute value on the user. It is base64
encoded binary, that I do not see a pattern in. Only reference to this
attribute was me asking Steve what it used for, as it is in the schema
update for OSP, and never getting an answer.

This has happened before with srvprvUserPrefs, which is why there is now
srvprvUserPrefsPlus which is Steam syntax so size can get bigger.

Seems like trivial fix is change schema and put a 32K limit on it. Then
you cannot write more than 32K. Or else fix whatever OSP is doing to
break stuff.