Tuesday, June 25, 2013

OpenLDAP pwdPolicySubentry and Replication

Over the weekend I decided to create a new password policy (a ppolicy pwdPolicy entry) for system users. The new policy would not enforce password expiration for these special system accounts.

Everything worked great on the provider, except that the internal, aka operational, attributes (pwdPolicySubentry, which points an account at its policy, being the one I cared about) did not replicate over to the consumer.

After reading the man pages, I found the cause in the consumer's slapd.conf: the syncrepl directive carried `attrs="*"`. In a search, `*` means user attributes only, so this omitted every operational attribute. To correct this, I simply deleted that entry. According to the man pages, the default is `attrs="*,+"`, which replicates everything including operational attributes. But wait.... after restarting, it still didn't work. I had to go and modify the affected accounts. The modification must have triggered something, and so the modified attribute and all the operational attributes now came over to the consumer. In hindsight the reason is that the consumer keeps a sync cookie (contextCSN) and only asks the provider for entries whose entryCSN is newer than it; an unchanged entry is never re-sent just because the attribute list changed. Touching each account bumps its entryCSN, which is why the modification worked. The other way out is to empty the consumer database (or reload it from a slapcat of the provider) so the next start performs a full refresh.
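To make the difference concrete, here is an added example of the consumer-side slapd.conf stanzas involved; it is not the author's configuration. The rid, hostname, suffix, replicator DN, credentials and policy DN are placeholders, and the provider-side ACL still has to grant the replicator identity read access to the operational attributes for them to be sent at all.

```conf
# Added example, not the author's slapd.conf. Names and DNs are placeholders.

# --- What the post started with: user attributes only ---
# attrs="*" asks the provider for user attributes, so pwdPolicySubentry,
# pwdChangedTime, entryCSN and every other operational attribute is dropped.
#
# syncrepl rid=001
#          provider=ldap://ldap-master.example.com
#          type=refreshAndPersist
#          searchbase="dc=example,dc=com"
#          filter="(objectClass=*)"
#          scope=sub
#          attrs="*"
#          bindmethod=simple
#          binddn="cn=replicator,dc=example,dc=com"
#          credentials=secret
#          retry="60 +"

# --- Corrected: drop attrs (default is "*,+") or state it explicitly ---
# Indented lines continue the directive above them in slapd.conf.
syncrepl rid=001
         provider=ldap://ldap-master.example.com
         type=refreshAndPersist
         searchbase="dc=example,dc=com"
         filter="(objectClass=*)"
         scope=sub
         attrs="*,+"
         bindmethod=simple
         binddn="cn=replicator,dc=example,dc=com"
         credentials=secret
         retry="60 +"

# The consumer enforces the policy on binds, so it needs the ppolicy overlay
# in the same database section (module loading is omitted here).
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
```

After the change, remember that existing entries are not re-sent until their entryCSN moves past the consumer's cookie (modify them, or re-initialize the consumer). To confirm an account's policy actually arrived, search the consumer for that entry and request `+` in the attribute list; `pwdPolicySubentry` should be among the returned operational attributes.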

This is OpenLDAP 2.3.x running on RHEL 5.x, replicating with syncrepl.