OpenLDAP chain overlay configuration

I'm trying to get OpenLDAP's chain overlay to work, but unfortunately, the documentation is rather sparse.

I'm using the OpenLDAP version 2.4.39 packages that come with RHEL 6, and the LDAP master and slave are using TLS to communicate. The TLS certs and keys are stored with Mozilla NSS, so the tls_certdir and tls_cert statements below should be correct (they definitely work in this form for replication).

My configuration (in slapd.conf form, which I convert to OLC notation before using) is:

overlay chain
chain-uri              ldap://my.ldap.master.example.com
chain-rebind-as-user   FALSE
chain-idassert-bind    bindmethod="simple"
                       binddn="cn=Manager,dc=example,dc=com"
                       credentials="xxxxxxxxxxxxxxxx"
                       mode="self"
                       starttls=yes
                       tls_reqcert=demand
                       tls_cacertdir=/etc/openldap/certs
                       tls_cert=my.ldap.slave.example.com
chain-tls              start tls_reqcert=demand tls_cacertdir=/etc/openldap/certs tls_cert=my.ldap.slave.example.com
chain-return-error     TRUE

[...syncrepl...]

updateref       ldap://my.ldap.master.example.com

I want to get this working so that policy updates get forwarded onto the master (eg, when someone gets their password wrong five times or more, the slave will send the pwdAccountLockedTime to the master, rather than storing it locally). I have ppolicy_forward_updates set in the config file, for this purpose.

I have tested this and am not seeing any traffic going to the LDAP master when I make changes on the slave.

Does anyone know what I'm doing wrong here?