Openldap 2.4.31

I create my read-only ldap hosts with a stub config that contains a syncrepl statement:

olcSyncrepl: {0}rid=001 provider=ldaps://ldap.savagebeast.com binddn="cn=
 admin,cn=config,cn=slave" bindmethod=simple credentials=$PW searchbase="cn=
 config,cn=slave" type=refreshAndPersist retry="60 +" timeout=3 suffixmassage=
 "cn=config" schemachecking=off

That on first run with a –c ‘rid=001’ flag syncs the rest of the configs and associated databases from the primary servers. Leaving the config database as:

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 3c65cc7d
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=admin,cn=config
olcUpdateRef: ldaps://ldap.savagebeast.com
structuralObjectClass: olcDatabaseConfig
entryUUID: fee78e38-2723-1030-8342-0d5a80dcc32a
creatorsName: cn=admin,cn=config
createTimestamp: 20110609203711Z
olcRootPW:: x==
olcSyncrepl: {0}rid=001 provider=ldaps://guess-who.savagebeast.com binddn="cn=
 admin,cn=config,cn=slave" bindmethod=simple credentials=x searchbase
 ="cn=config,cn=slave" schemachecking=off type=refreshAndPersist retry="60 +"
 timeout=3 suffixmassage="cn=config"
entryCSN: 20151119013205.450738Z#000000#000#000000
modifiersName: cn=admin,dc=savagebeast,dc=com
modifyTimestamp: 20151119013205Z

This works great for the first run, but subsequent changes to the cn=config,cn=slave entries on the primary servers generate a replication error on the downstream hosts.

564fc719 syncrepl_entry: rid=001 be_search (0)
564fc719 syncrepl_entry: rid=001 olcDatabase={2}hdb,cn=config
564fc719 <= acl_access_allowed: granted to database root
564fc719 send_ldap_result: conn=-1 op=0 p=3
564fc719 send_ldap_result: err=67 matched="" text="Use modrdn to change the entry name"
564fc719 null_callback : error code 0x43
564fc719 syncrepl_entry: rid=001 be_modify olcDatabase={2}hdb,cn=config (67)
564fc719 syncrepl_entry: rid=001 be_modify failed (67)

Which is LDAP_NOT_ALLOWED_ON_RDN.

The only change to be synced was the addition of an olcDbIndex to one of the databases.

The suffix massage seems to still be in place:
564fc719 syncrepl_message_to_entry: rid=001 DN: olcDatabase={2}hdb,cn=config,cn=slave, UUID: ef2a6d04-b2cf-1033-9ca0-37a633abeda5
564fc719 ==> rewrite_context_apply [depth=1] string='olcDatabase={2}hdb,cn=config,cn=slave'
564fc719 ==> rewrite_rule_apply rule='(.*)cn=config,cn=slave$' string='olcDatabase={2}hdb,cn=config,cn=slave' [1 pass(es)]
564fc719 ==> rewrite_context_apply [depth=1] res={0,'olcDatabase={2}hdb,cn=config'}
564fc719 >>> dnPrettyNormal: <olcDatabase={2}hdb,cn=config>



Any pointers on how to troubleshoot why this error is called?