Well, looks like I figured it out. At the bottom of the slapo-chain man page, it says
"All URIs not listed in the configuration are chained anonymously."
My chain-uri was "ldap://ldap.provider.net:389/"
but my updateref was ldap://ldap.provider.net
After changing chain-uri to the same as updateref, chaining with the correct binddn started to work.
This really _has_ to go into the OpenLDAP FAQ.
It cost 2 days of my life.
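
An added example (not part of the original post and not OpenLDAP code): a small Python check that flags any `updateref` in a slapd.conf with no character-for-character identical `chain-uri`, which is the mismatch described above. It assumes slapd.conf-style syntax and, following the post, that the two URIs must match as written; the sample config, bind DN and credentials are constructed.

```python
import shlex
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Constructed sample reproducing the mismatch described in the post.
SAMPLE_CONF = '''\
overlay chain
chain-uri "ldap://ldap.provider.net:389/"
chain-idassert-bind bindmethod=simple
  binddn="cn=proxy,dc=example,dc=com" credentials=placeholder mode=self
updateref ldap://ldap.provider.net
'''

def directives(text):
    """Yield argv lists, joining continuation lines (leading whitespace)."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    for line in logical:
        yield shlex.split(line)

def canonical(uri):
    """(scheme, host, port) with the default port filled in; for hints only."""
    u = urlsplit(uri)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme))

def unmatched_updaterefs(text):
    """Return (updateref, near_miss_chain_uri_or_None) for each updateref
    that has no identical chain-uri string in the same config."""
    chain, refs = [], []
    for argv in directives(text):
        if argv[0].lower() == "chain-uri" and len(argv) > 1:
            chain.append(argv[1])
        elif argv[0].lower() == "updateref" and len(argv) > 1:
            refs.append(argv[1])
    return [(r, next((c for c in chain if canonical(c) == canonical(r)), None))
            for r in refs if r not in chain]

if __name__ == "__main__":
    for ref, near in unmatched_updaterefs(SAMPLE_CONF):
        print(f"updateref {ref!r} has no identical chain-uri; closest: {near!r}")
```

A finding with a non-empty "closest" value means the two URIs point at the same server but are written differently, so the `chain-idassert-bind` identity would not be used for that referral.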