Hi Glenn,
In terms of security, IMHO there is not much difference:
(on LDAPS the handshake is started when the connection is opened,
while with startTLS it is started when receiving the 1.3.6.1.4.1.1466.20037 LDAP extended operation)
And once the handshake is completed, both connections are handled the same way until they are closed.
The main risk is that, for some reason (bad configuration or user error),
the EXT 1.3.6.1.4.1.1466.20037 operation is not sent and the bind is attempted in the clear.
(Note: nsslapd-require-secure-binds prevents such a bind from succeeding, but the password has still been sent in the clear ...)
That said, for replication there is not much risk once the agreements are properly configured.
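One way to check for exactly the failure mode described in the reply (a simple bind sent before the 1.3.6.1.4.1.1466.20037 extended operation), written as an added example that is not part of this thread or of the directory server's code: it hand-encodes the two LDAP messages in BER and scans a constructed client byte stream the way a passive monitor on the plaintext side of the connection would. The DN and password values are constructed placeholders.

```python
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation OID from the thread

def _tlv(tag: int, body: bytes) -> bytes:
    """BER tag-length-value with short-form length (enough for these small messages)."""
    assert len(body) < 128, "short-form BER length only"
    return bytes([tag, len(body)]) + body

def ldap_message(msg_id: int, op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp ... } (msg_id < 128)."""
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + op)

def simple_bind(msg_id: int, dn: bytes, password: bytes) -> bytes:
    """BindRequest [APPLICATION 0]: version 3, name, authentication simple [0]."""
    op = _tlv(0x02, b"\x03") + _tlv(0x04, dn) + _tlv(0x80, password)
    return ldap_message(msg_id, _tlv(0x60, op))

def starttls_request(msg_id: int) -> bytes:
    """ExtendedRequest [APPLICATION 23] with requestName [0] = StartTLS OID."""
    return ldap_message(msg_id, _tlv(0x77, _tlv(0x80, STARTTLS_OID)))

def _iter_messages(stream: bytes):
    """Yield the body of each top-level LDAPMessage SEQUENCE in the stream."""
    pos = 0
    while pos + 2 <= len(stream):
        length = stream[pos + 1]
        yield stream[pos + 2 : pos + 2 + length]
        pos += 2 + length

def cleartext_binds(stream: bytes) -> list:
    """Message IDs of password-carrying simple binds seen before StartTLS was requested."""
    findings = []
    for body in _iter_messages(stream):
        msg_id, op_tag, op = body[2], body[3], body[5:]
        if op_tag == 0x77 and op[2:2 + op[1]] == STARTTLS_OID:
            break  # handshake follows; the remaining bytes are TLS records, not LDAP
        if op_tag == 0x60:
            p = 2 + op[1]                         # skip the version INTEGER
            p += 2 + op[p + 1]                    # skip the name OCTET STRING
            if op[p] == 0x80 and op[p + 1] > 0:   # simple auth with a non-empty password
                findings.append(msg_id)
    return findings

# Constructed sample streams: a client that sends StartTLS first, and one that binds in the clear.
SAFE_CLIENT = starttls_request(1)
LEAKY_CLIENT = simple_bind(1, b"cn=replication manager,cn=config", b"constructed-password")
```

An anonymous simple bind (empty password) is deliberately not reported, since no secret crosses the wire; only a bind that carries a password before the StartTLS request is flagged.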