LDAP's hard. Security's hard. Replication's hard. Here's how it went for me.
I maintain a bunch of mostly self-signed SSL certificates. Too many not to automate. Here's how I do it.
A brief wander around two-factor authentication with smartcard tokens