Am I understanding correctly that the auth_bind option, regardless of whether it is set to yes or no, and even if anonymous access to the LDAP directory is blocked, must be used with dn=cn=manager,dc=example,dc=com and dnpass=password to enable authentication?
Forget about using manager; always create a different entity so you can create ACLs specific to this entity, change passwords, etc.
cn=dovecot,cn=mail,ou=hosts,dc=example,dc=com
It seems to me that there are no other cases where Dovecot can query the
I think it queries to get file locations (home dir) and maybe searches for UIDs, so you need something like this:
to dn.subtree="ou=mailaccounts,ou=mail,dc=example,dc=com"
    by ssf=256 dn.exact="cn=dovecot,cn=mail,ou=hosts,dc=example,dc=com" read
    by ssf=256 self read
    by anonymous auth
    by * none
But this is something old that I had and am not using. This allows the cn=dovecot to also access the password field. I am not sure if that is necessary/wanted.
LDAP server directly using the login and password provided by the client. To perform authentication, it must execute a BIND by an intermediate user, regardless of where the password check takes place - in LDAP or in Dovecot.
Are there any other ways for the client to log in directly with their credentials on the Dovecot server?
Yes, forget about using LDAP in Dovecot; configure LDAP for the OS and let Dovecot authenticate against the OS.
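As an added example (not from this thread, and not Dovecot's or OpenLDAP's own documentation), here is a least-privilege version of the ACL posted above, paired with the Dovecot settings the question mentions (auth_bind, dn, dnpass). With auth_bind = yes Dovecot verifies the password by re-binding as the user, so the cn=dovecot service account is deliberately given no read access to userPassword. The DNs are the ones used in the thread; the hostname, attribute list, filters and the posixAccount schema are assumptions.

```conf
# --- slapd.conf (or the equivalent olcAccess values under cn=config) ---
# Clauses are evaluated in order; the first "access to" that matches wins.

# 1) Passwords: usable only for a BIND, readable by nobody (not even the
#    Dovecot service account, because auth_bind=yes re-binds as the user).
access to attrs=userPassword
    by ssf=256 self write
    by anonymous auth
    by * none

# 2) Only the attributes Dovecot needs for its passdb/userdb lookups
#    (assumed attribute list; "entry" is required so the entry is returned).
access to dn.subtree="ou=mailaccounts,ou=mail,dc=example,dc=com"
        attrs=entry,objectClass,uid,mail,homeDirectory,uidNumber,gidNumber
    by ssf=256 dn.exact="cn=dovecot,cn=mail,ou=hosts,dc=example,dc=com" read
    by ssf=256 self read
    by * none

# 3) Everything else stays closed.
access to *
    by ssf=256 self read
    by * none

# --- dovecot-ldap.conf.ext ---
hosts = ldap.example.com            # assumed hostname
tls = yes                           # needed to satisfy the ssf=256 ACLs above
ldap_version = 3
base = ou=mailaccounts,ou=mail,dc=example,dc=com

# Dedicated service account for lookups: never cn=manager.
dn = cn=dovecot,cn=mail,ou=hosts,dc=example,dc=com
dnpass = CHANGE-ME-service-account-password   # placeholder

# Verify the client's password by binding as the user's own DN;
# Dovecot never needs to read userPassword in this mode.
auth_bind = yes
pass_filter = (&(objectClass=posixAccount)(uid=%u))

# userdb lookup: home directory and uid/gid for mail storage.
user_filter = (&(objectClass=posixAccount)(uid=%u))
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
```

If you instead run auth_bind = no, Dovecot must read the password hash itself, so clause 1 would have to grant the service account read on userPassword; that is the extra exposure the reply above was unsure about.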