OpenLDAP Push replication

I needed to set up an OpenLDAP push server because the master server is in a local network and the consumer is on the internet, from where it cannot reach the master server; setting up a network tunnel into the local network is not wanted for security reasons. The desired setup is documented in the Administrator's Guide: www.openldap.org/doc/admin24/replication.html#Syncrepl Proxy

At first I failed to understand the configuration because the examples always use localhost with two different ports, 9011 and 9012. www.openldap.org/lists/openldap-software/200911/msg00113.html After reading the OpenLDAP tests 045 and 048 it becomes clear which port belongs to which slapd instance.

Server/master configuration:

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
# "stats config" is enough for normal operation; add "sync" while debugging
# replication (the consumer config below uses it)
loglevel        stats config
#loglevel       any
modulepath      /usr/lib/ldap
moduleload      back_hdb.la
# syncprov: provider side of syncrepl, used by "overlay syncprov" below
moduleload      syncprov.la
moduleload      back_monitor.la
# back_ldap: needed for the push database at the end of this file
moduleload      back_ldap.la
sizelimit 500
tool-threads 1

# TLS is commented out here, yet the syncrepl block at the end connects to
# ldaps://localhost:636/ -- presumably TLS is enabled elsewhere on the real
# master (or that listener is another instance); confirm before copying this
#TLSCACertificateFile /etc/ldap/ca.crt
#TLSCertificateFile /etc/ldap/localhost.crt
#TLSCertificateKeyFile /etc/ldap/localhost.key.unsecure

backend         hdb
database        hdb
suffix          "dc=domain,dc=lan"
# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn          "cn=admin,dc=domain,dc=lan"
directory       "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index           objectClass eq
# entryCSN/entryUUID are used by syncprov; after adding this index to an
# existing database run slapindex (see the entryAlreadyExists note at the
# end of this page)
index           entryCSN,entryUUID eq
index           cn eq

# Replication
overlay syncprov
# checkpoint the contextCSN after 1000 write operations or 60 minutes
syncprov-checkpoint 1000 60
# remove all limits for the replication user
# (presumably needed because "sizelimit 500" above would otherwise cap the
# initial refresh -- NOTE: comments must not be placed inside a multi-line
# directive in slapd.conf, which is why all notes here sit before a directive)
limits dn.exact="cn=replicator,dc=domain,dc=lan" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

lastmod         on
checkpoint      512 30

# password attributes: the replicator only needs to read them in order to
# copy them; "anonymous auth" lets simple binds compare userPassword
# without exposing it
access to attrs=userPassword,shadowLastChange
        by dn="cn=replicator,dc=domain,dc=lan" read
        by dn="cn=admin,dc=domain,dc=lan" write
        by anonymous auth
        by self write
        by * none
# root DSE readable by everyone so clients can discover server capabilities
access to dn.base="" by * read
# everything else: "by * read" means anonymous clients can read the whole
# tree (except the password attributes above) -- check that this is intended
access to *
        by dn="cn=replicator,dc=domain,dc=lan" read
        by dn="cn=admin,dc=domain,dc=lan" write
        by * read

database monitor

# Replication for push LDAP to a remote server which doesn't have access to the master
# This back-ldap database is the "syncrepl proxy": it is itself a syncrepl
# consumer of the master (syncrepl block below) and forwards every change it
# receives as ordinary writes to the remote consumer (uri below).
database ldap
# not advertised to clients (namingContexts)
hidden on
suffix "dc=domain,dc=lan"
# something not used by the directory tree
# (syncrepl requires a rootdn; no rootpw is set, so nobody can bind as it)
rootdn "cn=slapd-ldap"
# destination push host
# plain ldap:// is fine for the localhost test setup; the real consumer is
# only reachable over the internet, so use ldaps:// (or an equivalent TLS
# setup) there, otherwise the replicator credentials and all directory data
# travel in the clear
uri     ldap://localhost:9012/
lastmod         on
# no client operation is allowed through this database, it only pushes
restrict        all
# credentials for the destination/push server
# (cleartext in slapd.conf: keep the file readable by the slapd user only)
acl-bind        bindmethod=simple
                binddn="cn=replicator,dc=domain,dc=lan"
                credentials=secret
# replication from an LDAP server
# this data gets pushed to the destination push server
# tls_reqcert=never disables checking of the provider's certificate; that is
# tolerable only because the provider is on localhost -- on a cross-host
# link use tls_reqcert=demand with a proper CA, otherwise the TLS gives no
# protection against a man-in-the-middle
syncrepl        rid=001
                provider=ldaps://localhost:636/
                tls_reqcert=never
                binddn="cn=replicator,dc=domain,dc=lan"
                bindmethod=simple
                credentials=secret
                searchbase="dc=domain,dc=lan"
                type=refreshAndPersist
                retry="5 5 300 +"

OpenLDAP consumer configuration:

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
# separate pid/args files so this instance can run next to the master on the
# same test host
pidfile         /var/run/slapd-consumer/slapd.pid
argsfile        /var/run/slapd-consumer/slapd.args
# "sync" logs the replication traffic, useful while setting this up
loglevel        sync stats
modulepath      /usr/lib/ldap
moduleload      back_hdb.la
# syncprov and back_ldap are loaded but no overlay/database below uses them
moduleload      syncprov.la
moduleload      back_monitor.la
moduleload      back_ldap.la
sizelimit 500
tool-threads 1
backend         hdb
database        hdb
suffix          "dc=domain,dc=lan"
rootdn          "cn=admin,dc=domain,dc=lan"
# cleartext password; prefer a hash generated with slappasswd (e.g. {SSHA})
# and keep slapd.conf readable by the slapd user only
rootpw          secret
directory       "/var/lib/ldap-consumer"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index           objectClass eq
# run slapindex after adding this to an existing database, otherwise the
# push fails with entryAlreadyExists (68) -- see the note at the end of this
# page
index           entryCSN,entryUUID eq

# Replication
limits dn.exact="cn=replicator,dc=domain,dc=lan" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
# this sets the database to a slave and allows the user "cn=replicator,dc=domain,dc=lan" to write the data
# (the pushes from the master's back-ldap database arrive as ordinary writes
# bound as this DN)
updatedn "cn=replicator,dc=domain,dc=lan"
# referral returned to clients that try to write here; localhost:389 only
# fits the test setup -- in the real deployment the master is not reachable
# from the consumer's network, so decide what clients should be referred to
updateref   ldap://localhost:389

lastmod         on
checkpoint      512 30

# the user "cn=replicator,dc=domain,dc=lan" needs write access to everything
access to attrs=userPassword,shadowLastChange
        by dn="cn=replicator,dc=domain,dc=lan" write
        by dn="cn=admin,dc=domain,dc=lan" write
        by anonymous auth
        by self write
        by * none
# "by * read": anonymous clients can read the whole tree except the password
# attributes -- this instance is internet-facing, so check that is intended
access to *
        by dn="cn=replicator,dc=domain,dc=lan" write
        by dn="cn=admin,dc=domain,dc=lan" write
        by * read

database monitor

OpenLDAP sync problem entryAlreadyExists (68)

When setting up the test system and configuring the OpenLDAP servers I ran into error code 68 (entryAlreadyExists). The reason was that I had added the required indexes but forgot to run slapindex.

# the index that was missing; after adding it to an existing database, stop
# slapd and run slapindex so the existing entries are indexed as well
index           entryCSN,entryUUID eq