Noob question:
I've set up chaining from my slave LDAP to the master. It seemed everything was working fine, until I realized that ANY user can now make modifications in the LDAP DB if it is done from the slave.
My ACLs allow full write access to the chain binddn. If I don't set this, chaining fails. But with it set, any valid, authenticated user can make DB changes (full write access).
I am confused as to why this is happening.
Well, of course you're supposed to configure slapo-chain so that it uses the binddn only to authorize as the original request identity. Within the wealth of info you provided you did not show how the chain overlay is configured (unless I missed it), but in any case you should follow indications here http://www.openldap.org/doc/admin24/overlays.html#Chaining (specifically, see the "chain-idassert-bind" stanza).
p.
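
An added illustration of the setup the reply points to (not part of the original thread, and not taken from the poster's configuration): the chain overlay binds as a proxy DN but asserts the identity of the original requester, so the master's ACLs are evaluated against the real user rather than the chain binddn. The hostname, all DNs and the credential are placeholder assumptions.

```conf
# --- Consumer (slave) slapd.conf, global section, before any database ---
overlay              chain
chain-uri            "ldap://provider.example.com"
chain-idassert-bind  bindmethod="simple"
                     binddn="cn=chain-proxy,dc=example,dc=com"
                     credentials="<placeholder-secret>"
                     mode="self"
chain-tls            start
chain-return-error   TRUE

# In the consumer's database section, the referral the overlay chases:
# updateref          "ldap://provider.example.com"

# --- Provider (master) slapd.conf ---
# Honour the authzTo attribute stored in the proxy identity's own entry.
authz-policy         to

# Proxy entry on the provider (LDIF, shown here as a comment):
#   dn: cn=chain-proxy,dc=example,dc=com
#   authzTo: dn.subtree:ou=people,dc=example,dc=com

# Provider ACLs: the proxy DN gets no write access of its own.
# Writes are decided by the asserted (original) identity.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

access to *
    by dn.exact="cn=admin,dc=example,dc=com" write
    by users read
    by * none
```

With `mode="self"`, a chained write from an ordinary user is evaluated on the master as that user and is refused unless an ACL grants that user write access; the `authzTo` scope limits which identities the proxy DN is allowed to assert.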