Glad you determined the ACL. Now, you have to pare down the access to be a little more restrictive. But now that you see it was the ACL, you can focus on that. Remember, order matters.
As for the referrals, as Aaron mentioned, try a different client. Apache has a directory client; I've used that and found it very handy. There is also LDAPBrowser. Google those and you should see results. Also, make sure your client can resolve the LDAP URL and hostname. (I notice you don't have fully qualified names in the list, which may be to protect yourself from attack, but it's something to check in case you didn't scrub them to post on the list.)