Multi-master syncrepl config: excluding olcSaslHost from replication

[Kyle Brantley <kyle@averageurl.com>]

I'm working on a full multi-master slapd setup, where both the cn=config 
database as well as the actual database are fully replicated. All access 
to the slapd instances is gated with GSSAPI (the only notable exception 
being the syncrepl users, which I'm working on converting over to GSSAPI 
anyway).

However, I need to be able to configure olcSaslHost on a per-server 
basis. Server A will have a different value for olcSaslHost than server 
B will. While I want to replicate cn=config, I don't want to replicate 
the olcSaslHost attribute.

I've tried two things, and neither have worked:

1) Configuring exattrs="olcSaslHost" in the olcSyncrepl statements for 
cn=config.
    * This allows me to configure the attribute, but as soon as there 
is any other change to cn=config, it wipes the attribute out across all 
of the nodes.

2) Updating the ACL for the syncrepl user to not have access to the 
olcSaslHost attribute.
    * Unfortunately, this has similar behavior to the above: making a 
change on one node will wipe the olcSaslHost attribute out of all of the 
nodes.

How best can I go about doing this? I was hoping that olcSaslRealm was 
multi-value and could be configured in a manner similar to olcServerID, 
but that isn't the case. I was hoping that denying access to the 
attributes (via ACL or olcSynrepl config) would make the syncrepl engine 
ignore the attribute, but because it can't see it on the node where the 
attribute was changed, but it can see it on the downstream nodes, it 
wipes the attribute out entirely.

Any help / suggestions welcome.

Thanks,
--Kyle