add support for ldap replication

roles/ldap/server/templates/slapd.conf.j2

@@ -81,6 +81,25 @@ constraint_attribute uniqueMember uri ldap:///ou=People,{{ ldap_basedn }}?entryD
 # access without access to clear text data
 directory /srv/ldap
 
+{% if ldap_master is not defined %}
+# replication
+syncrepl rid={{ 999 | random(seed=inventory_hostname) }}
+    provider=ldaps://ldap01.foo.sh
+    type=refreshAndPersist
+    retry="10 10 60 +"
+    searchbase="{{ ldap_basedn }}"
+    filter="(objectClass=*)"
+    scope="sub"
+    sizelimit=500000
+    timelimit=360000
+    schemachecking="off"
+    bindmethod="simple"
+    tls_reqcert="demand"
+    binddn="uid=replicator,cn={{ inventory_hostname }},ou=Hosts,{{ ldap_basedn }}"
+    credentials="{{ ldap_replicator_pass[inventory_hostname] }}"
+updateref ldaps://ldap01.foo.sh
+
+{% endif %}
 # for syncrepl
 index entryCSN,entryUUID,objectClass eq
 # for kerberos kdc
@@ -110,6 +129,13 @@ access to *
     by anonymous auth
     by * break
 
+{% if ldap_master is defined %}
+# allow replicator to read everything
+access to *
+    by dn.regex="uid=replicator,cn=[^,]+,ou=Hosts,{{ ldap_basedn }}" read
+    by * break
+
+{% endif %}
 # allow self to change password
 access to attrs=userPassword
     by self write