Summary: it seems having a modifiersdn outside of cn=config in cn=config breaks
replication once slapd is restarted.

Yeah, using DNs other than the cn=config rootDN is frequently a problem. This
is why when cn=config was introduced in 2.3 only the cn=config rootDN was
allowed access to the tree.

In this particular case, there's a simpler solution - add schema definitions
for the missing RDN attributes directly to the cn=config entry. In your case,
move the "ou" definition from the cn=core schema entry.

There's nothing dirty about this solution - it has always been valid to define
schema elements in the top-level slapd.conf file as well as in the top
cn=config global config entry. The feature doesn't get used much because most
3rd party schemas are distributed as their own files, so it's simpler to just
use the include directive to reference them. But for your current situation,
you need to define these schema elements as early as possible, so that they
can be processed as valid later on.

-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
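
An added example, not part of the original message and not OpenLDAP code: a Python check over a `slapcat -n0` style export that reports RDN attribute types used in modifiersName/creatorsName values under cn=config which the top-level cn=config entry does not itself define. The sample LDIF is constructed, the function names are hypothetical, and treating `cn` as already known to slapd is an assumption.

```python
import re

# Constructed sample in the style of `slapcat -n0` output (not from the original post).
SAMPLE_LDIF = """\
dn: cn=config
cn: config
modifiersName: cn=admin,ou=people,dc=example,dc=com

dn: cn={0}core,cn=schema,cn=config
cn: {0}core
olcAttributeTypes: {0}( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' ) SUP
  name )
modifiersName: cn=config
"""

def parse_entries(ldif):
    """Unfold continuation lines, then return {dn: [(attr, value), ...]}.
    Base64 ('::') values are not decoded."""
    text = re.sub(r"\n ", "", ldif)
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = [tuple(p.strip() for p in line.split(":", 1))
                 for line in block.splitlines() if ":" in line and not line.startswith("#")]
        if pairs and pairs[0][0].lower() == "dn":
            entries[pairs[0][1].lower()] = pairs[1:]
    return entries

def defined_names(values):
    """Names declared by olcAttributeTypes values: NAME 'x' or NAME ( 'x' 'y' )."""
    found = (re.search(r"NAME\s+(\([^)]*\)|'[^']+')", v) for v in values)
    return {n.lower() for m in found if m for n in re.findall(r"'([^']+)'", m.group(1))}

def rdn_types(dn):
    """Attribute types used in a DN's RDNs (simple split; escaped commas not handled)."""
    return {ava.split("=", 1)[0].strip().lower()
            for rdn in dn.split(",") for ava in rdn.split("+") if "=" in ava}

def undefined_rdn_attrs(ldif, builtin=("cn",)):
    """Map entry DN -> RDN attribute types not defined in the global cn=config entry."""
    entries = parse_entries(ldif)
    # Only definitions on cn=config itself count as "early"; `builtin` is an assumption.
    early = defined_names(v for a, v in entries.get("cn=config", [])
                          if a.lower() == "olcattributetypes") | set(builtin)
    report = {}
    for dn, pairs in entries.items():
        used = set().union(*(rdn_types(v) for a, v in pairs
                             if a.lower() in ("modifiersname", "creatorsname")))
        if used - early:
            report[dn] = used - early
    return report
```

On the constructed sample, `undefined_rdn_attrs(SAMPLE_LDIF)` flags `ou` and `dc` for the cn=config entry, since `ou` is defined only in the core schema child entry.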