The customer needed to reset a lost Directory Manager password, so used the encode-password tool to construct a new value, and then edited it into config.ldif while the server was shut down. Unfortunately they included a trailing space after the hashed value, e.g.
The trailing space prevents authentication from working - the server returns error 49 (invalid credentials).
Although you shouldn't edit config.ldif by hand, resetting a lost manager password is a reasonable use case. Also, you can use ldapmodify to set/reset a pre-encoded userPassword value over protocol with a trailing space.
It seems like it might be sensible to trim trailing whitespace on hashed passwords during comparisons to avoid this sort of hard to diagnose problem!