So, there are more tests I can do to help you to help me? :)
There's very little different about the two lookups. Nothing that I'd
expect would cause ldap_search_ext_s to fail.
Try applying the attached patch to courier-authlib, and rebuilding it.
With this modification, the authdaemon should print the return code of
an ldap operation to the syslog, when a failure is indicated. Hopefully
that will tell us what the ldap library *thinks* the problem is.