syncrepl binding DN privileges?

If im doing multi master replication, what privileges does the bind DN
need? i know its bad practice to use the manager DN, does the binding
user need write access to anything on the remote ldap tree or just
full read access?