Cause: The directory server replication protocol takes into account clock differences between servers. The clock skew accumulator can grow quite high, especially due to problems with NTP or with clocks in virtual machines. Once the clock skew is greater than 1 day, replication stops working.
Consequence: Updates made to one server are not replicated to other servers. Re-initialization does not help.
Fix: Add a new configuration parameter to cn=config:
nsslapd-ignore-time-skew: on|off - default off
If nsslapd-ignore-time-skew: on, the replication consumer will log errors about excessive time skew, but will allow replication to proceed, and will not return a time skew error to the replication supplier.
Result: With nsslapd-ignore-time-skew: on, replication will continue despite excessive clock skew.
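One way to apply the setting on a replication consumer and read it back, as an added example that is not part of the original text or the project's own tooling. The server URI and bind DN are assumed values, the function names are hypothetical, and ldapmodify/ldapsearch are the OpenLDAP client tools.

```shell
#!/bin/sh
# Added example: toggle nsslapd-ignore-time-skew on cn=config.
# Assumed values (not from the page): server URI and bind DN.
LDAP_URI="${LDAP_URI:-ldap://localhost:389}"
BIND_DN="${BIND_DN:-cn=Directory Manager}"

# Emit the LDIF change record; accept only the two documented values.
skew_ldif() {
    case "$1" in
        on|off) ;;
        *) echo "value must be on or off" >&2; return 1 ;;
    esac
    printf '%s\n' \
        'dn: cn=config' \
        'changetype: modify' \
        'replace: nsslapd-ignore-time-skew' \
        "nsslapd-ignore-time-skew: $1"
}

# Apply the change on one server, then read the attribute back
# so the effective value is confirmed rather than assumed.
set_ignore_time_skew() {
    ldif=$(skew_ldif "$1") || return 1
    printf '%s\n' "$ldif" |
        ldapmodify -x -H "$LDAP_URI" -D "$BIND_DN" -W || return 1
    ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -W \
        -b cn=config -s base nsslapd-ignore-time-skew
}

# Usage (prompts for the bind password):
#   set_ignore_time_skew on
```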