Well looks like I figured it out. In the bottom of slapo-chain man page, it says
"All URIs not listed in the configuration are chained anonymously. " my chain-uri was "ldap://ldap.provider.net:389/"; but my updateref was ldap://ldap.provider.net After changing chain-uri to the same as updateref, chaining with the correct binddn started to work. This really _has_ to go into OpenLDAP FAQ It cost 2 days of my life.
