After further investigation it looks like Synology's LDAP client is just screwy. Since I was in testing mode, I was trying to use a simple login/password to get the Synology to connect to Zentyal's LDAP, so I did not notice this issue until finalizing my settings.
Basically, my conclusion is that Synology DOES NOT READ the nslcd.conf for the bindPW and instead ONLY uses a password of "1234" to connect. This is why I kept getting an "invalid credentials" error when trying to use "zentyalro": because no matter what password I tried in nslcd.conf, the Synology box was trying to connect with "1234".
I tested this by creating a user "Synology" on the Zentyal server with password "1234". If I used "Synology" as the "uid=" in nslcd.conf, I could successfully connect every time. But if I changed the "uid=" in any way (including commenting it out with #), I would get an "invalid credentials" error. This shows that the Synology box was refreshing the nslcd.conf and was indeed using the bindDN config line and is NOT connecting anonymously.
Any change I made to the bindPW configuration line had NO EFFECT, including commenting out the line with #. As long as the "uid=" was correct, and the password on the Zentyal server was "1234", I would get a successful connection. This shows that the Synology box is NOT USING the bindPW line AT ALL.
To further test this, I tried changing the login password for "Synology" on the Zentyal server. Of course, now the Synology LDAP Client would fail to connect, even if I updated the bindPW line to match. Even a simple change to "12345" for the login password would not work no matter what I tried.
This MAY be a side effect of using Synology's own LDAP Directory Server package to "trick" my Synology's LDAP Client into starting the client service. In other words, I'm thinking that IF you connect your Synology LDAP Client to a Synology LDAP server, it may use some special configuration to connect and ignore the bindPW line, which is causing these symptoms. This idea is supported by the fact that the Synology LDAP Client specifically recognizes when it is connected to a Synology LDAP Server AND that it puts "1234" as the bindPW in the nslcd.conf (even if it doesn't use it). OR it may be a bug in the general Synology LDAP Client configuration.
The conclusion is that I removed the user "Synology" as a Domain Admin (the LDAP connection still works fine as a regular user). I also removed all mailbox, mail connection, and groupware options for that user. I'm not sure how much of a security threat it represents to have this one standard user with a password of "1234", but I don't see any way around it for now.
Edit: Final follow-up: I was right and yet I was also an idiot. Synology seems to store the password in a different file than nslcd.conf (on a fresh installation of Synology I noticed that it writes "secret" to the nslcd.conf when creating a connection to the Synology's local LDAP server). The reason I could only use a password of "1234" is because that is the password I used when setting up the temporary LDAP server on the Synology box.
There is an easy solution to this "problem" as well. Simply set up the temporary LDAP server WITH THE SAME PASSWORD as the "zentyalro" account on the Zentyal server you intend to connect to. The Synology will then write this password wherever it writes it, and then you can edit the rest of the nslcd.conf to connect to your Zentyal box with "zentyalro".
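A defensive check related to the post above, added here as an example and not written by the post's author: it reads the active binddn/bindpw lines from an nslcd.conf and flags the "1234"/"secret" values the post mentions, plus a world-readable file. The sample file, host name and DNs are constructed placeholders, and because the follow-up says the Synology keeps the effective password somewhere else, this only covers what is written in nslcd.conf itself.

```shell
#!/bin/sh
# Added example (not from the original post): audit the bind settings in an nslcd.conf.

# nslcd_value FILE KEY: print the value of the last uncommented KEY line.
# Keys are matched case-insensitively because the post writes them as bindDN/bindPW.
nslcd_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                      # a commented-out line is not active
        tolower($1) == key {
            val = ""                             # key present but no value
            if (NF >= 2) { val = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", val) }
        }
        END { print val }
    ' "$1"
}

# audit_nslcd FILE: print one finding per line, nothing if no issue is found.
audit_nslcd() {
    binddn=$(nslcd_value "$1" binddn)
    bindpw=$(nslcd_value "$1" bindpw)
    [ -n "$binddn" ] || echo "NO_BINDDN no active binddn line"
    case $bindpw in
        "")          echo "NO_BINDPW no active bindpw line" ;;
        1234|secret) echo "PLACEHOLDER_BINDPW bindpw is '$bindpw', a value the post saw written to the file" ;;
    esac
    # The bind password is stored in cleartext, so other local users must not be able to read it.
    case $(ls -ld "$1" | cut -c8) in
        r) echo "WORLD_READABLE $1 is readable by all local users" ;;
    esac
    return 0
}

# Constructed sample resembling the file described in the post; host and DNs are placeholders.
sample_conf() {
    cat <<'EOF'
uri ldap://zentyal.example.lan
base dc=example,dc=lan
#bindpw old-value-commented-out
binddn uid=Synology,ou=Users,dc=example,dc=lan
bindpw 1234
EOF
}

demo() {
    f=$(mktemp) && sample_conf > "$f" && chmod 644 "$f"
    audit_nslcd "$f"
    rm -f "$f"
}
demo
```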