I've had mixed results including encrypted replication passwords. In
fact, I've read messages that say you CANNOT encrypt the replication
credentials. YMMV. If you're worried about "anyone who can read the
slapd.conf file", set its permissions as 0750 root:ldap and trust the
filesystem. Nobody's in the ldap group but the ldap user, probably
created by your package installer.
The details of a secure (TLS) replication environment are plastered all
over the list archives. I posted my entire config a couple months ago
personally. It's an extremely active subject. I'd recommend some time
in the archives to anybody who needs hands-on documentation of a number
of successful "secure environment" deployments.
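As an added example that is not part of the original message: a small POSIX shell check for the file-permission advice above. It verifies that a configuration file holding replication credentials has no "other" permission bits and the owner and group the post recommends (root:ldap). The path, owner and group are parameters so the check can be exercised on any account; the /etc/openldap/slapd.conf path in the usage comment is an assumed conventional location, not something stated in the post.

```shell
#!/bin/sh
# Added example (not from the original message): audit a slapd.conf-style
# secrets file the way the post recommends, i.e. no "other" permission bits
# and an expected owner/group (root:ldap on the poster's system).
# Prints a verdict and returns 0 when the file passes, 1 when it does not.
# Arguments: path, expected owner, expected group.
check_conf_perms() {
    f=$1; want_owner=$2; want_group=$3
    [ -f "$f" ] || { echo "MISSING: $f"; return 1; }
    # Parse the long listing rather than relying on GNU-only 'stat -c',
    # so the check runs on both Linux and BSD-derived systems.
    set -- $(ls -ld "$f")
    mode=$(printf '%s' "$1" | cut -c1-10)   # drop ACL/xattr markers like '+' or '@'
    owner=$3; group=$4
    others=$(printf '%s' "$mode" | cut -c8-10)
    rc=0
    if [ "$others" != "---" ]; then
        echo "FAIL: $f is accessible to 'other' ($mode)"; rc=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: $f owned by $owner, expected $want_owner"; rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: $f group is $group, expected $want_group"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $f ($mode $owner:$group)"
    return "$rc"
}

# Usage on a real system (assumed conventional path; adjust for your install):
#   check_conf_perms /etc/openldap/slapd.conf root ldap
```

The check only looks at the classic mode bits and ownership, which is exactly what "trust the filesystem" rests on; it does not inspect POSIX ACLs, so a file that passes here could still be readable through an ACL entry, which is worth checking separately on systems that use them.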