And my next concern would become a non-issue if the above was supported, but is there a way to set the dnpass equal to a SSHA password? When I try setting it like this:

dnpass = {SSHA}VhxqnmwCLVQj7g3rQV+g9F3XnaJ6bRXR
No, you need to supply the actual password. This password is (presumably) already stored hashed in your LDAP database. Your LDAP server will hash what it receives as the password and compare that with the password stored for that DN. Setting it like you have shown just causes Dovecot to use it as the literal password {SSHA}Vhxqnm.....
I'd prefer not to have the password for the authentication admin user stored in plain text in the conf file.
There's no way to store an encrypted password in a conf file and have a plaintext version of that password used to authenticate (without e.g. manually typing a password each time that config file is read).
The DN used with the current Dovecot LDAP code obviously only needs read access to mail users' details, you don't have to give it any kind of write access, and you don't have to give it the ability to read passwords for non-mail-users (i.e. passwords for DNs with write access to the directory). You can also additionally restrict access to userPassword by IP addresses, too. So, if you aren't already doing this, at least there are a few ways you can reduce the exposure with the current code.
Of course, if someone has sufficient access to the machine running Dovecot that they can read the config file, they will already have some degree of access to users' passwords...
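Added example, not part of the original message: a simplified Python model of the check described in the reply above, where the directory hashes the password it receives with the stored salt and compares the result, which is why an {SSHA} string placed in dnpass is treated as a literal password and fails. The password and salt are constructed sample values, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SCHEME = "{SSHA}"
SHA1_LEN = 20  # SHA-1 digest size in bytes


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode()


def check_ssha(stored: str, presented: str) -> bool:
    """Model of the server-side comparison: hash the presented
    password with the stored salt, then compare the digests."""
    if stored[:len(SCHEME)].upper() != SCHEME:
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("value carries no salt")
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(presented.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def demo() -> Tuple[bool, bool]:
    # Constructed sample values, not taken from the thread.
    password = "constructed-bind-secret"
    salt = bytes(range(1, 9))
    stored = make_ssha(password, salt)  # what the directory keeps
    real_bind = check_ssha(stored, password)  # dnpass = actual password
    hash_bind = check_ssha(stored, stored)    # dnpass = {SSHA}... string
    return real_bind, hash_bind


if __name__ == "__main__":
    ok, hashed = demo()
    print("bind with the real password:", ok)
    print("bind with the {SSHA} string:", hashed)
```
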