Then there's something different in what Dovecot and ldapsearch do. They have the same dn, dnpass, neither uses tls, same base, deref, scope?
I figured it out, there certainly is something different! The AuthDatabase/LDAP documentation on the Dovecot Wiki says "When connecting to AD, use port 3268". Port 3268 is used for Global Catalog searching. By default the Active Directory Global Catalog wouldn't include attributes like otherMailbox, but would include mail and sn. The solution here would be to either use port 389 and search the domain like ldapsearch or to add the otherMailbox attribute (or any others I want to search on) to the global catalog.
It might be worth updating the wiki to mention the reasoning behind using port 3268 and the implications it can cause.
Thanks for the help!
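The port 3268 behaviour described above can be checked ahead of time. The following is an added example, not part of the original post or of Dovecot: it reads attributeSchema entries and reports which attributes in a Dovecot LDAP filter are not replicated to the Global Catalog. The LDIF, the filter, the `DC=example,DC=com` base and the function names are constructed for illustration.

```python
import re

# Constructed sample: trimmed LDIF of attributeSchema entries from the schema
# partition. AD sets isMemberOfPartialAttributeSet to TRUE on attributes that
# are replicated to the Global Catalog (port 3268).
SCHEMA_LDIF = """\
dn: CN=Object-Class,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: objectClass
isMemberOfPartialAttributeSet: TRUE

dn: CN=E-mail-Addresses,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: mail
isMemberOfPartialAttributeSet: TRUE

dn: CN=Surname,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: sn
isMemberOfPartialAttributeSet: TRUE

dn: CN=Other-Mailbox,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: otherMailbox
"""

# Constructed Dovecot-style filter; %u is Dovecot's username variable.
USER_FILTER = "(&(objectClass=person)(|(mail=%u)(otherMailbox=%u)))"

def gc_attributes(ldif):
    """Return lowercased names of attributes flagged as Global Catalog members."""
    in_gc = set()
    for entry in re.split(r"\n\s*\n", ldif.strip()):
        fields = {}
        for line in entry.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                fields[key.lower()] = value.strip()
        name = fields.get("ldapdisplayname")
        if name and fields.get("ismemberofpartialattributeset", "").upper() == "TRUE":
            in_gc.add(name.lower())
    return in_gc

def filter_attributes(ldap_filter):
    """Extract attribute names from simple (attr=value) filter terms."""
    return re.findall(r"\(\s*([A-Za-z][\w;.-]*)\s*[~<>]?=", ldap_filter)

def missing_from_gc(ldap_filter, ldif):
    """Attributes the filter uses that a port 3268 search cannot match on."""
    known = gc_attributes(ldif)
    return [a for a in filter_attributes(ldap_filter) if a.lower() not in known]

if __name__ == "__main__":
    print(missing_from_gc(USER_FILTER, SCHEMA_LDIF))
```

Any attribute it reports has to be searched on port 389 or added to the Global Catalog, the two options given in the post.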