OpenLDAP Software FAQ, SLAPD Configuration, Replication: How to have a slave proxying changes to the master

This can be done using slapo-chain. The slave will proxy the changes to the master on behalf of the requesting DN. Here is a sample setup:

In the slave's slapd.conf, you need a chain overlay in the global section:

overlay                  chain
chain-uri                ldaps://master.example.net
chain-idassert-bind      bindmethod=sasl
                         saslmech=EXTERNAL
                         binddn="cn=bugworkaround"
                         mode=self
chain-idassert-authzFrom "*"
chain-return-error       TRUE

In this setup, TLS is used for communication between slave and master (hence the ldaps:// URI and saslmech=EXTERNAL: the slave authenticates to the master with its TLS client certificate). binddn="cn=bugworkaround" works around a bug in OpenLDAP <= 2.3.38; it is required when using the SASL EXTERNAL mechanism and is useless otherwise.

On the master, the following is needed:

authz-policy    to
authz-regexp    cn=slave1.example.net
                cn=slave1.example.net,ou=pseudo-user,dc=example,dc=net
authz-regexp    cn=slave2.example.net
                cn=slave2.example.net,ou=pseudo-user,dc=example,dc=net

access to attrs=authzTo
    by * read stop

authz-policy to specifies that a user may perform a change on behalf of any identity matching its own authzTo attribute.

The authz-regexp clauses are needed to map the identity obtained from the slave's TLS certificate to an existing user's DN in the DIT.

The ACL clause is very important on the security front. If arbitrary users are allowed to change their own authzTo attribute, they can perform changes on behalf of any other user.
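A small audit for exactly this condition, added here as an example and not part of the FAQ: it reads a slapd.conf, finds the first access clause that applies to authzTo (the way slapd does) and lists the subjects that clause lets write the attribute. It assumes a text slapd.conf rather than cn=config, and who/level tokens without embedded spaces.

```python
import re

# Access levels that let a subject modify an attribute (slapd.access(5)).
WRITE_LEVELS = {"write", "add", "delete", "manage"}

def access_clauses(conf_text):
    """Join slapd.conf continuation lines and return the access clauses in order."""
    logical = []
    for raw in conf_text.splitlines():
        if raw[:1] in (" ", "\t") and logical:
            logical[-1] += " " + raw.strip()          # continuation line
        elif raw.strip() and not raw.startswith("#"):
            logical.append(raw.strip())
    return [l for l in logical if l.startswith("access ")]

def covers_authzto(clause):
    """True when the clause's <what> selector applies to the authzTo attribute."""
    what = clause.split(" by ", 1)[0]
    m = re.search(r"attrs?=(\S+)", what)
    if m is None:
        return True                                    # no attrs filter: every attribute
    attrs = {a.lower() for a in m.group(1).split(",")}
    return "authzto" in attrs or "*" in attrs

def grants_write(level):
    """True for write/add/delete/manage and for explicit =w / =m privileges."""
    return bool(level in WRITE_LEVELS or (level.startswith("=") and set("wm") & set(level)))

def authzto_writers(conf_text):
    """Return the <who> selectors permitted to write authzTo.

    slapd uses the first access clause whose <what> matches the attribute, so a
    later, stricter clause cannot rescue an earlier permissive one.
    """
    for clause in access_clauses(conf_text):
        if covers_authzto(clause):
            return [who for who, level in re.findall(r"\bby\s+(\S+)\s+(\S+)", clause)
                    if grants_write(level)]
    return []  # no matching clause: slapd's built-in default is read-only

# Constructed samples: the FAQ's dedicated authzTo clause (safe) ...
SAFE_CONF = "access to attrs=authzTo\n    by * read stop\naccess to *\n    by self write\n    by * read\n"
# ... and a typical config that forgot it, so the catch-all clause applies (unsafe).
WEAK_CONF = "access to attrs=userPassword\n    by self write\n    by anonymous auth\naccess to *\n    by self write\n    by * read\n"

if __name__ == "__main__":
    for name, conf in (("safe", SAFE_CONF), ("weak", WEAK_CONF)):
        print(name, "- authzTo writable by:", authzto_writers(conf) or "nobody")
```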

In the DIT, you need the following for each slave:

dn: cn=slave1.example.net,ou=pseudo-user,dc=example,dc=net
objectClass: organizationalRole
cn: slave1.example.net
ou: pseudo-user
authzTo: *

manu@netbsd.org
This document is: http://www.openldap.org/faq/index.cgi?file=1434
© Copyright 1998-2013, OpenLDAP Foundation, info@OpenLDAP.org