Thank you, adding attributes directly to cn=schema,cn=config was my problem! No more schema issues now.
For posterity, and in case I managed to klutz something else, ahem:
---------- dn: cn=postfix,cn=schema,cn=config changetype: add cn: postfix objectClass: olcSchemaConfig olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.200 NAME 'mailacceptinggeneralid' DESC 'Postfix mail local address alias attribute' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} ) olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.201 NAME 'maildrop' DESC 'Postfix mail final destination attribute' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} ) olcObjectClasses: ( 1.3.6.1.4.1.4203.666.1.100 NAME 'postfixUser' DESC 'Postfix mail user class' SUP top AUXILIARY MAY ( mailacceptinggeneralid $ maildrop )) ----------
That did three things for me:
a) schema errors on slapcat/slapschema stopped b) postfix attributes no longer available from cn=schema,cn=config via ldapsearch c) fixed other slapd after replication
I had a look under the hood and the attributes still exist in cn=schema,cn=config. Removing a specific attribute is being a bit recalcitrant ("olcObjectClasses: no such value"), I will figure that out later. The attributes under cn=schema,cn=config are at least defanged.
Very much appreciate it!