I missed a few lines from the replica definitions in slapd.conf. Not
sure if it matters much, but for the sake of completeness, here are the
full replica definitions (with some information obfuscated):
replogfile /var/lib/ldap/replog
replica uri=ldap://host1.domain.tld:389
starttls=critical
bindmethod=simple
binddn="cn=replicationuser,o=MYORG"
credentials=XYZ
replica uri=ldaps://host2.domain.tld:636
bindmethod=simple
binddn="cn=replicationuser,o=MYORG"
credentials=XYZ
attrs=account,MYORGGroup,MYORGPerson,organization,organizationalRole,organizationalUnit,posixAccount,posixGroup,simpleSecurityObject,top
suffix="ou=ou3,ou=ou1,o=MYORG"
suffix="ou=ou4,ou=ou1,o=MYORG"
suffix="ou=ou5,ou=ou2,o=MYORG"
suffix="ou=ou6,ou=ou2,o=MYORG"
suffix="ou=ou7,o=MYORG"
suffix="ou=ou8,o=MYORG"