The ldapQueryPassword setParameter now accepts either a string or an array of strings as the password for running LDAP queries. If set to an array of passwords, MongoDB tries each one until one succeeds. This can be used to roll over the LDAP account's password without downtime for MongoDB.
When an externally stored password for the LDAP service account is changed, MongoDB Enterprise Server must be able to obtain the new password. Allowing the server to know multiple potential passwords for the service account makes this rotation possible.
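The rollover described above, modelled as an added example (not MongoDB's own code): it builds the two setParameter command documents and checks whether an LDAP bind would succeed at each step, with and without the array form. Assumptions: the password values are constructed, `tryBind` and `simulateRollover` are hypothetical helpers that only model the try-each-until-one-succeeds behaviour, and the command documents are meant to be sent at runtime with `db.adminCommand()` in mongosh.

```javascript
// Constructed sample values; tryBind and simulateRollover are hypothetical helpers.
const OLD_PW = "old-example-secret";
const NEW_PW = "new-example-secret";

// Command documents for the two server-side steps of the rollover.
function rolloverCommands(oldPw, newPw) {
  return [
    // Before the directory change: the server knows both passwords.
    { setParameter: 1, ldapQueryPassword: [oldPw, newPw] },
    // After the directory change is confirmed: retire the old password.
    { setParameter: 1, ldapQueryPassword: [newPw] },
  ];
}

// Model of the described behaviour: accept a string or an array and try
// each candidate until one bind succeeds. `bind` stands in for the LDAP bind.
function tryBind(configured, bind) {
  const candidates = Array.isArray(configured) ? configured : [configured];
  return candidates.some((pw) => bind(pw));
}

// Walk the rollover and record whether an LDAP query could bind at each step.
// staged=false models a single-string setting updated only after the change.
function simulateRollover(oldPw, newPw, staged) {
  let directoryPw = oldPw; // password the directory currently accepts
  let configured = oldPw;  // value of ldapQueryPassword on the server
  const bind = (pw) => pw === directoryPw;
  const [both, onlyNew] = rolloverCommands(oldPw, newPw);
  const steps = [];
  const record = (step) => steps.push({ step, ok: tryBind(configured, bind) });

  record("start");
  if (staged) {
    configured = both.ldapQueryPassword;
    record("both passwords configured");
  }
  directoryPw = newPw; // the service account's password changes in the directory
  record("directory password changed");
  configured = onlyNew.ldapQueryPassword;
  record("old password retired");
  return steps;
}

console.log(simulateRollover(OLD_PW, NEW_PW, true));
console.log(simulateRollover(OLD_PW, NEW_PW, false));
```

In the staged run every step binds successfully; in the single-string run the bind fails between the directory change and the server update. Removing the old password in the last step keeps the retired credential from lingering in the server's configuration.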