So... I need to add an extra "auth" line for my replication DN? I
never saw that mentioned in the "OpenLDAP Administrator's Guide"; I
assumed that mentioning it as the "updatedn" would be sufficient.
Well, let's take a look at the logs to figure it out:
Sep 13 10:44:07 titan slapd[5789]: conn=0 op=0 BIND dn="uid=slapd,ou=Services,dc=precidia" mech=SIMPLE ssf=0
Sep 13 10:44:07 titan slapd[5789]: conn=0 op=0 RESULT tag=97 err=0 text=
So you're not failing on the BIND. "auth" privs aren't at issue.
Sep 13 10:44:07 titan slapd[5789]: => access_allowed: delete access to "uid=bcwhite,ou=People,dc=precidia" "userPassword" requested
Sep 13 10:44:07 titan slapd[5789]: => access_allowed: delete access denied by none(=0)
You're failing on "delete". As the slapd.access(5) man page points out, this
requires "write" access. Your replication identity has to be able to
write to the database. It currently cannot.