On two Debian 9 Webmin vps I was able to configure syncrepl with cn=config, using the guide here: https://wiki.debian.org/LDAP/OpenLDAPSetup.
But I cannot get SSL or TLS working… The Debian guide mentions that ‘recent’ distros are using gnutls instead of OpenSSL. So I tried both the OpenSSL Letsencrypt pems and the self-issued pems I created with certtool, but OpenLDAP would not start… I did not test too deep as I assume the full switch from OpenSSL to gnutls is going to take more time.
There are really good test tools on the internet for DNS and for HTTPS, is there one or two for LDAP? I am going to keep working on this only if it turns out running an LDAP server without SSL or TLS enforced is a really bad idea. Otherwise I am going to be happy with the fact that only syncrepl puts any trafic on the wire, all other LDAP access happen on local, replicated servers.