This has been out for quite a long time, and I faced absolutely the same
behavior when adding a 4.10.1 replica to 4.8.7.
I fiddled with that for almost a week, so I am posting my solution here in
order to (hopefully) save someone's time.
The problem was with the password encryption scheme: 4.8.7 on an older
CentOS did not support PBKDF2-SHA512 used by 4.10.1 on FC37, so password
verification on the older OS failed simply due to missing mechs. Logs did
not help to find the problem.
Switching to PBKDF2_SHA256 (not PBKDF2-SHA256) with

    dsconf -D "cn=Directory Manager" -W ldaps://auth01.infra.ipa.local config replace passwordStorageScheme=PBKDF2_SHA256

on FC37 made it work.
Use

    dsconf -D "cn=Directory Manager" -W ldaps://auth01.infra.ipa.local plugin list

to compare available mechs on the master and the newly added replica.
--
BR,
Oleg
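
One way to do the comparison described above, as an added example that is not part of the original post: it assumes the `plugin list` output of each server was saved to a text file with one plugin name per line, and the file names, function names and sample lists are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes master.txt and replica.txt each hold the output of
#   dsconf ... plugin list
# saved on the respective server, one plugin name per line (assumption).

# Trim whitespace, drop blank lines, sort byte-wise so comm(1) agrees.
normalize() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1" |
        LC_ALL=C sort -u
}

# Print plugin names present on the master but absent on the replica.
only_on_master() {
    m=$(mktemp); r=$(mktemp)
    normalize "$1" > "$m"; normalize "$2" > "$r"
    LC_ALL=C comm -23 "$m" "$r"
    rm -f "$m" "$r"
}

# Succeed only if the scheme name matches a whole line in both lists.
# Exact match matters: PBKDF2_SHA256 and PBKDF2-SHA256 are different names.
scheme_on_both() {
    normalize "$2" | grep -Fxq -- "$1" && normalize "$3" | grep -Fxq -- "$1"
}

# Constructed sample lists (not real server output).
WORK=$(mktemp -d)
cat > "$WORK/master.txt" <<'EOF'
PBKDF2-SHA256
PBKDF2-SHA512
PBKDF2_SHA256
SSHA512
EOF
cat > "$WORK/replica.txt" <<'EOF'
  PBKDF2_SHA256
SSHA512

EOF

echo "Only on master:"
only_on_master "$WORK/master.txt" "$WORK/replica.txt"
for s in PBKDF2-SHA512 PBKDF2_SHA256; do
    if scheme_on_both "$s" "$WORK/master.txt" "$WORK/replica.txt"; then
        echo "$s: available on both servers"
    else
        echo "$s: missing on at least one server"
    fi
done
```

Any name printed under "Only on master" is a candidate for the kind of mismatch described in the post if it is also the configured passwordStorageScheme.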