It seems we don't have much input on syncrepl filtering, but I found this thread, and it might serve as a starting point for testing: http://www.openldap.org/lists/openldap-technical/200906/msg00311.html
Here is the working setup on the syncrepl consumer:
syncrepl rid=123
  provider=ldap://rh-test3.kvm.rla:389
  type=refreshOnly
  interval=00:00:01:00
  retry="30 10 600 20"
  searchbase="dc=local"
  filter="(|(objectClass=sambaGroupMapping)(uid=user1))"
  scope=sub
  schemachecking=off
  bindmethod=simple
  binddn="uid=syncrepl,ou=sysusers,dc=local"
  credentials=pwdsyncrepl
# BEGIN Session TLS
  starttls="critical"
  tls_cacert=__CACERTFILE__
# End Session TLS
Obviously the binddn should have (just read?) access to the part of the DIT being replicated.
In that thread, the user is using syncrepl type=refreshOnly with a filter on OpenLDAP 2.3.
From an older thread (on OpenLDAP v2.3.11): http://www.openldap.org/lists/openldap-bugs/200512/msg00014.html, you can see another working setup. The user mentions some problems with type = refreshAndPersist replication, but these are reported as corrected in subsequent OpenLDAP versions.
Nick
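
An added example, not part of the post above and not OpenLDAP code: a small Python check that parses a syncrepl directive like the one shown and flags consumer settings that would expose the simple-bind password or replicate without a filter. The finding names and the WEAK_DIRECTIVE sample are constructed for illustration; PAGE_DIRECTIVE is the post's directive with its comment markers dropped.

```python
import shlex

# The directive from the post, as one logical line (comment markers omitted).
PAGE_DIRECTIVE = (
    'syncrepl rid=123 provider=ldap://rh-test3.kvm.rla:389 type=refreshOnly '
    'interval=00:00:01:00 retry="30 10 600 20" searchbase="dc=local" '
    'filter="(|(objectClass=sambaGroupMapping)(uid=user1))" scope=sub '
    'schemachecking=off bindmethod=simple '
    'binddn="uid=syncrepl,ou=sysusers,dc=local" credentials=pwdsyncrepl '
    'starttls="critical" tls_cacert=__CACERTFILE__'
)
# Constructed weak variant: optional StartTLS, no cert check, no filter.
WEAK_DIRECTIVE = (
    'syncrepl rid=124 provider=ldap://rh-test3.kvm.rla:389 type=refreshOnly '
    'searchbase="dc=local" bindmethod=simple '
    'binddn="uid=syncrepl,ou=sysusers,dc=local" credentials=pwdsyncrepl '
    'starttls=yes tls_reqcert=never'
)

def parse_syncrepl(directive):
    """Split one logical syncrepl line into a dict with lower-cased keys."""
    tokens = shlex.split(directive)  # keeps quoted values such as retry intact
    if not tokens or tokens[0].lower() != "syncrepl":
        raise ValueError("not a syncrepl directive")
    params = {}
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")  # split on the first '=' only
        if not sep:
            raise ValueError(f"expected key=value, got {tok!r}")
        params[key.lower()] = value
    return params

def audit(params):
    """Return a list of finding names for a parsed syncrepl directive."""
    findings = []
    ldaps = params.get("provider", "").lower().startswith("ldaps://")
    starttls = params.get("starttls", "").lower()
    if not ldaps:
        if starttls == "yes":
            # Without 'critical' the session continues in cleartext if StartTLS fails.
            findings.append("starttls-not-critical")
        elif starttls != "critical" and params.get("bindmethod", "").lower() == "simple":
            findings.append("cleartext-simple-bind")
    if params.get("tls_reqcert", "").lower() in ("never", "allow"):
        findings.append("provider-cert-not-verified")
    if "filter" not in params:
        findings.append("no-filter")  # whole searchbase is replicated
    return findings
```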