multi-master syncrepl with sasl/gssapi authentication

I am having trouble getting multi-master syncrepl to sync when using
"bindmethod=sasl" and "saslmech=gssapi".  I achieved success when I tried
"bindmethod=simple", so at least I know it has been narrowed down to a
sasl/gssapi authentication problem (incorrect/missing sasl AuthzRegexp or
perhaps an incorrect/missing slapd ACL?).

My syncrepl config is as follows (do I need to specify an authcid/authzid
or is this id automatically obtained from gssapi?):

olcMirrorMode: TRUE
olcSyncRepl:
  rid=001
  provider=ldap://or-dc1-db.example.corp
  retry="5 10 30 +"
  bindmethod=sasl
  saslmech=gssapi
  type=refreshAndPersist
  searchbase="cn=config"
olcSyncRepl:
  rid=002
  provider=ldap://or-dc2-db.example.corp
  retry="5 10 30 +"
  bindmethod=sasl
  saslmech=gssapi
  type=refreshAndPersist
  searchbase="cn=config"

# Syncprov overlay
dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

olcMirrorMode: TRUE
olcSyncRepl:
  rid=003
  provider=ldap://or-dc1-db.example.corp
  retry="5 10 30 +"
  bindmethod=sasl
  saslmech=gssapi
  type=refreshAndPersist
  searchbase="dc=example,dc=corp"
olcSyncRepl:
  rid=004
  provider=ldap://or-dc2-db.example.corp
  retry="5 10 30 +"
  bindmethod=sasl
  saslmech=gssapi
  type=refreshAndPersist
  searchbase="dc=example,dc=corp"

# Syncprov overlay
dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

My access control:

olcAccess: to attrs=userPassword,shadowLastChange
  by dn="uid=ldap-admin,ou=people,dc=example,dc=corp" write
  by dn="uid=ldap/or-dc1-db.example.corp,cn=example.corp,cn=gssapi,cn=auth" write
  by dn="uid=ldap/or-dc2-db.example.corp,cn=example.corp,cn=gssapi,cn=auth" write
  by anonymous auth
  by self write
  by * none
olcAccess: to dn.subtree="ou=krb5,dc=example,dc=corp"
  by dn="cn=kdc-srv,ou=krb5,dc=example,dc=corp" read
  by dn="cn=adm-srv,ou=krb5,dc=example,dc=corp" write
  by * none
olcAccess: to *
  by dn="uid=ldap-admin,ou=people,dc=example,dc=corp" write
  by dn="uid=ldap/or-dc1-db.example.corp,cn=example.corp,cn=gssapi,cn=auth" write
  by dn="uid=ldap/or-dc2-db.example.corp,cn=example.corp,cn=gssapi,cn=auth" write
  by peername.ip="192.168.0.0%255.255.255.0" read

My sasl AuthzRegexp:

olcAuthzRegexp: uid=([^,]+),cn=example.corp,cn=gssapi,cn=auth
  uid=$1,ou=people,dc=example,dc=corp

I know sasl/gssapi is working since ldapwhoami on or-dc1-db returns:

SASL/GSSAPI authentication started
SASL username: ldap/or-dc1-db.example.corp@EXAMPLE.CORP
SASL SSF: 56
SASL data security layer installed.
dn:uid=ldap/or-dc1-db.example.corp,ou=people,dc=example,dc=corp

ldapwhoami on or-dc2-db returns:

SASL/GSSAPI authentication started
SASL username: ldap/or-dc2-db.example.corp@EXAMPLE.CORP
SASL SSF: 56
SASL data security layer installed.
dn:uid=ldap/or-dc2-db.example.corp,ou=people,dc=example,dc=corp

I get the following /var/log/syslog errors on or-dc1-db:

OR-DC1-DB slapd[5446]: slap_client_connect: URI=ldap://or-dc2-db.example.corp ldap_sasl_interactive_bind_s failed (-2)
OR-DC1-DB slapd[5446]: do_syncrepl: rid=004 rc -2 retrying
OR-DC1-DB slapd[5446]: slap_client_connect: URI=ldap://or-dc2-db.example.corp ldap_sasl_interactive_bind_s failed (-2)
OR-DC1-DB slapd[5446]: do_syncrepl: rid=002 rc -2 retrying

The /var/log/syslog errors on or-dc2-db:

OR-DC2-DB slapd[5455]: slap_client_connect: URI=ldap://or-dc1-db.example.corp ldap_sasl_interactive_bind_s failed (-2)
OR-DC2-DB slapd[5455]: do_syncrepl: rid=003 rc -2 retrying
OR-DC2-DB slapd[5455]: slap_client_connect: URI=ldap://or-dc1-db.example.corp ldap_sasl_interactive_bind_s failed (-2)
OR-DC2-DB slapd[5455]: do_syncrepl: rid=001 rc -2 retrying
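As an added check (example code written for this page, not part of the post and not OpenLDAP code), the script below takes the olcAuthzRegexp and the "by dn=... write" clauses exactly as posted, derives the authorization DN for each replica's GSSAPI principal (the uid=<principal>,cn=<realm>,cn=gssapi,cn=auth form the posted regexp expects, realm lower-cased as the post's own regexp and ldapwhoami output show), and reports whether the ACL names that DN before or after the regexp is applied. It also decodes the rc in the posted syslog lines: -2 is LDAP_LOCAL_ERROR in OpenLDAP's ldap.h, a negative libldap result reported by the client library, not a server result code like 49 (invalidCredentials) or 50 (insufficientAccessRights), so it is worth checking separately from the ACL question. Assumptions: Python's re.search is used for the regexp match, and the log lines fed to the parser are copied from the post.

```python
import re

# --- Values copied from the post ---------------------------------------------

# olcAuthzRegexp as posted; slapd's "$1" is written "\1" for Python's re.
AUTHZ_PATTERN = r"uid=([^,]+),cn=example.corp,cn=gssapi,cn=auth"
AUTHZ_REPLACEMENT = r"uid=\1,ou=people,dc=example,dc=corp"

# DNs that the posted "olcAccess: to *" rule grants write to via "by dn=".
ACL_WRITE_DNS = {
    "uid=ldap-admin,ou=people,dc=example,dc=corp",
    "uid=ldap/or-dc1-db.example.corp,cn=example.corp,cn=gssapi,cn=auth",
    "uid=ldap/or-dc2-db.example.corp,cn=example.corp,cn=gssapi,cn=auth",
}

# Negative libldap API result codes (values from OpenLDAP's ldap.h).
LDAP_API_RESULTS = {
    -1: "LDAP_SERVER_DOWN",
    -2: "LDAP_LOCAL_ERROR",
    -3: "LDAP_ENCODING_ERROR",
    -4: "LDAP_DECODING_ERROR",
    -5: "LDAP_TIMEOUT",
    -6: "LDAP_AUTH_UNKNOWN",
}

# Syslog lines copied from the post (constructed sample input for the parser).
SAMPLE_LOG = [
    "OR-DC1-DB slapd[5446]: do_syncrepl: rid=004 rc -2 retrying",
    "OR-DC1-DB slapd[5446]: do_syncrepl: rid=002 rc -2 retrying",
    "OR-DC2-DB slapd[5455]: do_syncrepl: rid=003 rc -2 retrying",
    "OR-DC2-DB slapd[5455]: do_syncrepl: rid=001 rc -2 retrying",
]

SYNCREPL_LOG_RE = re.compile(r"do_syncrepl: rid=(\d+) rc (-?\d+)")


def sasl_authz_dn(principal: str) -> str:
    """Authorization DN slapd derives from a GSSAPI principal "user@REALM":
    uid=<user>,cn=<realm>,cn=gssapi,cn=auth.  Lower-casing the realm is an
    assumption taken from the posted regexp (cn=example.corp)."""
    user, realm = principal.rsplit("@", 1)
    return f"uid={user},cn={realm.lower()},cn=gssapi,cn=auth"


def apply_authz_regexp(authz_dn: str) -> str:
    """Rewrite authz_dn through the posted olcAuthzRegexp.  A DN the pattern
    does not match is returned unchanged (slapd also leaves it unmapped)."""
    m = re.search(AUTHZ_PATTERN, authz_dn)
    return m.expand(AUTHZ_REPLACEMENT) if m else authz_dn


def acl_grants_write(dn: str) -> bool:
    """True if a posted "by dn=<dn> write" clause names exactly this DN."""
    return dn.lower() in ACL_WRITE_DNS


def syncrepl_identity_report(principal: str) -> dict:
    """Trace one replica's principal: authz DN, mapped DN, and which of the
    two the posted ACL actually names."""
    authz = sasl_authz_dn(principal)
    mapped = apply_authz_regexp(authz)
    return {
        "principal": principal,
        "authz_dn": authz,
        "mapped_dn": mapped,
        "acl_names_authz_dn": acl_grants_write(authz),
        "acl_names_mapped_dn": acl_grants_write(mapped),
    }


def explain_rc(rc: int) -> str:
    """Symbolic name for a libldap result code, or the number if unknown."""
    return LDAP_API_RESULTS.get(rc, f"rc {rc}")


def parse_syncrepl_log(line: str):
    """Extract rid and rc from a do_syncrepl syslog line; None if not one."""
    m = SYNCREPL_LOG_RE.search(line)
    if not m:
        return None
    rc = int(m.group(2))
    return {"rid": int(m.group(1)), "rc": rc, "error": explain_rc(rc)}


if __name__ == "__main__":
    for p in ("ldap/or-dc1-db.example.corp@EXAMPLE.CORP",
              "ldap/or-dc2-db.example.corp@EXAMPLE.CORP"):
        for key, value in syncrepl_identity_report(p).items():
            print(f"{key}: {value}")
        print()
    for line in SAMPLE_LOG:
        print(parse_syncrepl_log(line))
```

Run stand-alone, the report shows that the mapped DN (the one ldapwhoami prints, uid=ldap/...,ou=people,dc=example,dc=corp) is not among the DNs the posted ACL grants write to, while the pre-mapping cn=gssapi,cn=auth DN is; whichever form slapd ends up authorizing as, only one of the two is covered. The log parser resolves every posted failure to LDAP_LOCAL_ERROR.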