It is not related to your problem, but considering your acl, the userpassword (and shadowlastchange) of the cn=sync user won't be replicated. If this behaviour is not intended, you should refer to the openldap admin guide http://www.openldap.org/doc/admin24/access-control.html
On the MAIN SERVER I HAVE
access to attrs=userPassword,shadowLastChange
by self =xw
by anonymous auth
by dn="cn=sync,dc=my company,dc=com" read
by * none--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration