Ok, thank you. I got some error logging and it said:
Oct 12 19:24:07 openldap2 slapd[1713088]: slap_client_connect: URI=ldaps://openldap.plmail.de/ DN="uid=replica,dc=plmail,dc=de" ldap_sasl_bind_s failed (-1)
Oct 12 19:24:07 openldap2 slapd[1713088]: do_syncrepl: rid=001 rc -1 retrying (1 retries left)
So, I switched from ldaps to ldap, and suddenly the synchronization worked.
Ok, that is bad, because that means your SSHA is going over an unencrypted connection, and afaik this SSHA can be (easily?) brute-forced with something like John the Ripper (only tried one account of mine, so it could be not as bad as I write).
But I have no idea what the problem with ldaps is. Isn't it enough to just write an ldaps URI instead of an ldap URI?
Most likely your cert. If it is self-signed, make sure you have things like this in your ldap.conf, and that your hostnames are correct:
TLS_CACERTDIR
TLS_REQCERT demand
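A way to see offline what TLS_REQCERT demand actually enforces, as an added example that is not part of the thread: the script builds a throwaway CA and three server certs (one correct, one issued for the wrong hostname, one self-signed rather than CA-issued) and runs the same chain-plus-hostname verification the client does against the URI host openldap.plmail.de. The CA, all keys, and the hostname openldap2.plmail.de as a mismatch case are constructed for the example; nothing here touches the real servers.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce offline the two checks a
# libldap client performs under TLS_REQCERT demand before it will bind to
# ldaps://openldap.plmail.de/ :
#   1. the server cert chains to a CA the client trusts (TLS_CACERT or a
#      c_rehash'ed TLS_CACERTDIR), and
#   2. the cert's subjectAltName matches the host in the URI.
# All CA and server certs are generated in a temp dir with throwaway keys.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed private CA: the cert you would point TLS_CACERT at.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout ca.key -out ca.pem -subj "/CN=plmail test CA" >/dev/null 2>&1
}

# Issue a server cert signed by the CA.  $1 = basename, $2 = hostname for the SAN
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1.ext"
    openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 365 -extfile "$1.ext" -out "$1.pem" >/dev/null 2>&1
}

# A self-signed server cert NOT issued by the CA (the usual "I generated a
# cert on the server" setup).  $1 = basename, $2 = hostname for the SAN
issue_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" >/dev/null 2>&1
}

# What the client enforces under TLS_REQCERT demand: chain + hostname.
# $1 = server cert, $2 = host from the ldaps:// URI.  Exit 0 = would be accepted.
check_cert() {
    openssl verify -CAfile ca.pem -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Human-readable wrapper for the stand-alone run.
report() {
    if check_cert "$1" "$2"; then
        echo "ACCEPT  $1 for ldaps://$2/"
    else
        echo "REJECT  $1 for ldaps://$2/ (this is the -1 bind failure in the syncrepl log)"
    fi
}

make_ca
issue_cert       good       openldap.plmail.de
issue_cert       wronghost  openldap2.plmail.de
issue_selfsigned selfsigned openldap.plmail.de

report good.pem       openldap.plmail.de
report wronghost.pem  openldap.plmail.de
report selfsigned.pem openldap.plmail.de
```

Against the live server the equivalent check is `openssl s_client -connect openldap.plmail.de:636 -CAfile ca.pem -verify_hostname openldap.plmail.de`; the handshake verify result tells you which of the two checks fails. The syncrepl stanza in slapd.conf takes the same settings as `tls_reqcert=demand` and `tls_cacert=/path/to/ca.pem`, so the consumer does not have to rely on ldap.conf being read. Turning the check off with `TLS_REQCERT never` makes the bind succeed but leaves the connection open to a man-in-the-middle, which defeats the reason for using ldaps in the first place.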